From 430cd9b1460e579c65d782ad4d1b5a08bf82b6a7 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Thu, 16 Feb 2012 11:14:57 -0500 Subject: [PATCH 001/200] Initial rework of packet filter framework. - Large rework on packet filter framework to make many things easier. - Removed the PacketFilter::all_packets variable because it was confusing. - New variable (PacketFilter::enable_auto_protocol_capture_filters) to re-enable the old filtering model of only sniffing ports for analyzed protocols. - In progress plugin model for adding filtering mechanisms. - New default single item for capture_filters = { ["default"] = PacketFilter::default_capture_filter }; - Mechanism and helper functions to "shunt" traffic with filters. - Created the Protocols framework to assist with reworking how base protocol scripts are registered with DPD and other things. - Protocols framework creates BPF filters for registered analyzers. (if using PacketFilter framework in that mode). --- .../base/frameworks/communication/main.bro | 5 +- .../frameworks/packet-filter/__load__.bro | 2 + .../base/frameworks/packet-filter/main.bro | 235 ++++++++++++++---- .../base/frameworks/packet-filter/shunt.bro | 74 ++++++ .../base/frameworks/packet-filter/utils.bro | 43 ++++ .../base/frameworks/protocols/__load__.bro | 1 + scripts/base/frameworks/protocols/main.bro | 49 ++++ scripts/base/init-bare.bro | 13 - scripts/base/init-default.bro | 1 + scripts/base/protocols/dns/main.bro | 23 +- scripts/base/protocols/ftp/main.bro | 12 +- scripts/base/protocols/http/main.bro | 21 +- scripts/base/protocols/irc/main.bro | 17 +- scripts/base/protocols/smtp/main.bro | 9 +- scripts/base/protocols/ssh/main.bro | 10 +- scripts/base/protocols/ssl/main.bro | 35 +-- scripts/base/protocols/syslog/main.bro | 10 +- .../tuning/defaults/packet-fragments.bro | 4 +- 18 files changed, 403 insertions(+), 161 deletions(-) create mode 100644 scripts/base/frameworks/packet-filter/shunt.bro create mode 100644 scripts/base/frameworks/packet-filter/utils.bro create mode 100644 
scripts/base/frameworks/protocols/__load__.bro create mode 100644 scripts/base/frameworks/protocols/main.bro diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro index 04772f57aa..9a14b2f49f 100644 --- a/scripts/base/frameworks/communication/main.bro +++ b/scripts/base/frameworks/communication/main.bro @@ -196,12 +196,9 @@ function setup_peer(p: event_peer, node: Node) request_remote_events(p, node$events); } - if ( node?$capture_filter ) + if ( node?$capture_filter && node$capture_filter != "" ) { local filter = node$capture_filter; - if ( filter == "" ) - filter = PacketFilter::default_filter; - do_script_log(p, fmt("sending capture_filter: %s", filter)); send_capture_filter(p, filter); } diff --git a/scripts/base/frameworks/packet-filter/__load__.bro b/scripts/base/frameworks/packet-filter/__load__.bro index 1d72e1ebe0..45c2488c00 100644 --- a/scripts/base/frameworks/packet-filter/__load__.bro +++ b/scripts/base/frameworks/packet-filter/__load__.bro @@ -1,2 +1,4 @@ +@load ./utils @load ./main +@load ./shunt @load ./netstats diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro index 16e3ff9789..7706c2669f 100644 --- a/scripts/base/frameworks/packet-filter/main.bro +++ b/scripts/base/frameworks/packet-filter/main.bro @@ -1,10 +1,11 @@ ##! This script supports how Bro sets it's BPF capture filter. By default -##! Bro sets an unrestricted filter that allows all traffic. If a filter +##! Bro sets a capture filter that allows all traffic. If a filter ##! is set on the command line, that filter takes precedence over the default ##! open filter and all filters defined in Bro scripts with the ##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables. @load base/frameworks/notice +@load base/frameworks/protocols module PacketFilter; 
@@ -19,6 +20,9 @@ export { ## This notice is generated if a packet filter is fails to install. Install_Failure, + + ## Generated when a notice takes too long to compile. + Too_Long_To_Compile_Filter }; ## The record type defining columns to be logged in the packet filter 
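Review bot: The doc comment on the new `Too_Long_To_Compile_Filter` value says "Generated when a notice takes too long to compile", but what compiles is the BPF filter, not a notice; suggest `## Generated when a packet filter takes too long to compile.` The only code that would raise this notice is the commented-out timing block in install() later in this patch, so as committed the type is declared but never generated; either uncomment that block or note the intent in the comment so the unused value does not look like an oversight.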
@@ -41,94 +45,220 @@ export { ## Indicate if the filter was applied successfully. success: bool &log &default=T; }; - - ## By default, Bro will examine all packets. If this is set to false, - ## it will dynamically build a BPF filter that only select protocols - ## for which the user has loaded a corresponding analysis script. - ## The latter used to be default for Bro versions < 2.0. That has now - ## changed however to enable port-independent protocol analysis. - const all_packets = T &redef; + + ## The BPF filter that is used by default to define what traffic should + ## be captured. Filters defined in :bro:id:`restrict_filters` will still + ## be applied to reduce the captured traffic. + const default_capture_filter = "ip or not ip" &redef; ## Filter string which is unconditionally or'ed to the beginning of every ## dynamically built filter. const unrestricted_filter = "" &redef; + ## The maximum amount of time that you'd like to allow for filters to compile. + ## If this time is exceeded, compensation measures may be taken by the framework + ## to reduce the filter size. This threshold being crossed also results in + ## the :bro:enum:`PacketFilter::Too_Long_To_Compile_Filter` notice. + const max_filter_compile_time = 100msec &redef; + + ## Install a BPF filter to exclude some traffic. The filter should positively + ## match what is to be excluded, it will be wrapped in a "not". + ## + ## filter_id: A somewhat arbitrary string that can be used to identify + ## the filter. + ## + ## filter: A BPF expression of traffic that should be excluded. + ## + ## Returns: A boolean value to indicate if the fitler was successfully + ## installed or not. + global exclude: function(filter_id: string, filter: string): bool; + + ## Install a temporary filter to traffic which should not be passed through + ## the BPF filter. The filter should match the traffic you don't want + ## to see (it will be wrapped in a "not" condition). 
+ ## + ## filter_id: A somewhat arbitrary string that can be used to identify + ## the filter. + ## + ## filter: A BPF expression of traffic that should be excluded. + ## + ## length: The duration for which this filter should be put in place. + ## + ## Returns: A boolean value to indicate if the filter was successfully + ## installed or not. + global exclude_for: function(filter_id: string, filter: string, span: interval): bool; + ## Call this function to build and install a new dynamically built ## packet filter. global install: function(); + ## A data structure to represent filter generating factories. + type FilterFactory: record { + ## A function that is directly called when generating the complete filter. + func : function(); + }; + + ## API function to register a new factory for dynamic restriction filters. + global register_filter_factory: function(ff: FilterFactory); + + ## Enables the old filtering approach of "only watch common ports for + ## analyzed protocols". + ## Unless you know what you are doing, leave this set to F. + const enable_auto_protocol_capture_filters = F &redef; + ## This is where the default packet filter is stored and it should not ## normally be modified by users. - global default_filter = ""; + global current_filter = ""; } +global dynamic_restrict_filters: table[string] of string = {}; + +# Set the default capture filter. +redef capture_filters += { ["default"] = default_capture_filter }; + +# Track if a filter is currenlty building so functions that would ultimately +# install a filter immediately can still be used buy they won't try to build or +# install the filter. 
+global currently_building = F; + +global filter_factories: set[FilterFactory] = {}; + redef enum PcapFilterID += { DefaultPcapFilter, + FilterTester, }; -function combine_filters(lfilter: string, rfilter: string, op: string): string +function test_filter(filter: string): bool { - if ( lfilter == "" && rfilter == "" ) - return ""; - else if ( lfilter == "" ) - return rfilter; - else if ( rfilter == "" ) - return lfilter; - else - return fmt("(%s) %s (%s)", lfilter, op, rfilter); + if ( ! precompile_pcap_filter(FilterTester, filter) ) + { + # The given filter was invalid + # TODO: generate a notice. + return F; + } + return T; } -function build_default_filter(): string +event bro_init() &priority=6 + { + Log::create_stream(PacketFilter::LOG, [$columns=Info]); + + # Preverify the capture and restrict filters to give more granular failure messages. + for ( id in capture_filters ) + { + if ( ! test_filter(capture_filters[id]) ) + Reporter::fatal(fmt("Invalid capture_filter named '%s' - '%s'", id, capture_filters[id])); + } + + for ( id in restrict_filters ) + { + if ( ! test_filter(restrict_filters[id]) ) + Reporter::fatal(fmt("Invalid restrict filter named '%s' - '%s'", id, restrict_filters[id])); + } + + install(); + } + +function register_filter_factory(ff: FilterFactory) + { + add filter_factories[ff]; + } + +event remove_dynamic_filter(filter_id: string) + { + if ( filter_id in dynamic_restrict_filters ) + { + delete dynamic_restrict_filters[filter_id]; + install(); + } + } + +function exclude(filter_id: string, filter: string): bool + { + if ( ! 
test_filter(filter) ) + return F; + + dynamic_restrict_filters[filter_id] = filter; + install(); + return T; + } + +function exclude_for(filter_id: string, filter: string, span: interval): bool + { + if ( exclude(filter_id, filter) ) + { + schedule span { remove_dynamic_filter(filter_id) }; + return T; + } + return F; + } + +function build(): string { if ( cmd_line_bpf_filter != "" ) # Return what the user specified on the command line; return cmd_line_bpf_filter; - - if ( all_packets ) - { - # Return an "always true" filter. - if ( bro_has_ipv6() ) - return "ip or not ip"; - else - return "not ip6"; - } - - # Build filter dynamically. - # First the capture_filter. + currently_building = T; + + # Install the default capture filter. local cfilter = ""; - for ( id in capture_filters ) - cfilter = combine_filters(cfilter, capture_filters[id], "or"); + + if ( |capture_filters| == 0 && ! enable_auto_protocol_capture_filters ) + cfilter = default_capture_filter; - # Then the restrict_filter. + for ( id in capture_filters ) + cfilter = combine_filters(cfilter, "or", capture_filters[id]); + + if ( enable_auto_protocol_capture_filters ) + cfilter = combine_filters(cfilter, "or", Protocols::to_bpf()); + + # Apply the restriction filters. local rfilter = ""; for ( id in restrict_filters ) - rfilter = combine_filters(rfilter, restrict_filters[id], "and"); - + rfilter = combine_filters(rfilter, "and", restrict_filters[id]); + + # Apply the dynamic restriction filters. + for ( filt in dynamic_restrict_filters ) + rfilter = combine_filters(rfilter, "and", string_cat("not (", dynamic_restrict_filters[filt], ")")); + + # Generate all of the plugin factory based filters. + for ( factory in filter_factories ) + { + factory$func(); + } + # Finally, join them into one filter. 
- local filter = combine_filters(rfilter, cfilter, "and"); + local filter = combine_filters(cfilter, "and", rfilter); + if ( unrestricted_filter != "" ) - filter = combine_filters(unrestricted_filter, filter, "or"); - - # Exclude IPv6 if we don't support it. - if ( ! bro_has_ipv6() ) - filter = combine_filters(filter, "not ip6", "and"); + filter = combine_filters(unrestricted_filter, "or", filter); + currently_building = F; return filter; } function install() { - default_filter = build_default_filter(); - - if ( ! precompile_pcap_filter(DefaultPcapFilter, default_filter) ) + if ( currently_building ) + return; + + current_filter = build(); + + #local ts = current_time(); + if ( ! precompile_pcap_filter(DefaultPcapFilter, current_filter) ) { NOTICE([$note=Compile_Failure, $msg=fmt("Compiling packet filter failed"), - $sub=default_filter]); - Reporter::fatal(fmt("Bad pcap filter '%s'", default_filter)); + $sub=current_filter]); + Reporter::fatal(fmt("Bad pcap filter '%s'", current_filter)); } + #local diff = current_time()-ts; + #if ( diff > max_filter_compile_time ) + # NOTICE([$note=Too_Long_To_Compile_Filter, + # $msg=fmt("A BPF filter is taking longer than %0.6f seconds to compile", diff)]); + # Do an audit log for the packet filter. local info: Info; info$ts = network_time(); @@ -138,7 +268,7 @@ function install() info$ts = current_time(); info$init = T; } - info$filter = default_filter; + info$filter = current_filter; if ( ! install_pcap_filter(DefaultPcapFilter) ) { @@ -146,15 +276,10 @@ function install() info$success = F; NOTICE([$note=Install_Failure, $msg=fmt("Installing packet filter failed"), - $sub=default_filter]); + $sub=current_filter]); } + if ( reading_live_traffic() || reading_traces() ) Log::write(PacketFilter::LOG, info); } - -event bro_init() &priority=10 - { - Log::create_stream(PacketFilter::LOG, [$columns=Info]); - PacketFilter::install(); - } 
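Review bot: In build(), the `for ( factory in filter_factories )` loop runs after dynamic_restrict_filters has already been folded into rfilter, so a factory that publishes its result through exclude() — which is exactly what shunt.bro's conn_shunt_filters does — stores its filter only after this build has consumed the table, and install() returns early on `currently_building`, leaving the installed filter one build behind the actual shunt set; moving the factory loop above the `for ( filt in dynamic_restrict_filters )` loop fixes the ordering. Separately, the module-level `redef capture_filters += { ["default"] = default_capture_filter };` means `|capture_filters| == 0` can never be true and "ip or not ip" is or'ed into cfilter unconditionally, so with enable_auto_protocol_capture_filters = T the `Protocols::to_bpf()` term is subsumed and the restricted-ports mode this flag documents cannot take effect; the "default" entry needs to be skipped when that mode is on. exclude_for() also schedules `remove_dynamic_filter(filter_id)` without recording which call armed the timer, so re-excluding the same filter_id with a longer span is cut short by the earlier timer. install() continues into the following two hunks.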
diff --git a/scripts/base/frameworks/packet-filter/shunt.bro b/scripts/base/frameworks/packet-filter/shunt.bro
new file mode 100644
index 0000000000..b001da0640
--- /dev/null
+++ b/scripts/base/frameworks/packet-filter/shunt.bro
@@ -0,0 +1,74 @@ +@load base/frameworks/notice + +module PacketFilter; + +export { + const max_bpf_shunts = 100 &redef; + + global shunt_conn: function(id: conn_id): bool; + + redef enum Notice::Type += { + ## Indicative that :bro:id:`max_bpf_shunts` connections are already + ## being shunted with BPF filters and no more are allowed. + No_More_Conn_Shunts_Available, + }; +} + +global shunted_conns: set[conn_id]; +global shunted_conns_non_flag_tracking: set[conn_id]; + +function conn_shunt_filters() + { + # TODO: this could wrongly match if a connection happens with the ports reversed. + local filter = ""; + local ipv4_tcp_filter = ""; + for ( id in shunted_conns ) + { + local prot = get_port_transport_proto(id$resp_p); + + # TODO: add ipv6 + #if ( prot == udp ) #|| is_ipv6_addr(id$orig_h) ) + # { + # next; + # shunt_for() + # } + + if ( prot == tcp ) + ipv4_tcp_filter = combine_filters(ipv4_tcp_filter, "and", fmt("host %s and port %d and host %s and port %d and %s", id$orig_h, id$orig_p, id$resp_h, id$resp_p, prot)); + } + + ipv4_tcp_filter = combine_filters(ipv4_tcp_filter, "and", "tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) == 0"); + + if ( ipv4_tcp_filter == "" ) + return; + PacketFilter::exclude("conn_shunt_filters", ipv4_tcp_filter); + } + +event bro_init() &priority=5 + { + register_filter_factory([ + $func()={ return conn_shunt_filters(); } + ]); + } + +function shunt_conn(id: conn_id): bool + { + if ( |shunted_conns| + |shunted_conns_non_flag_tracking| > max_bpf_shunts ) + { + NOTICE([$note=No_More_Conn_Shunts_Available, + $msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)]); + return F; + } + + add shunted_conns[id]; + install(); + return T; + } + +event connection_state_remove(c: connection) &priority=-5 + { + # Don't rebuild the filter right away because the packet filter framework will check every few minutes + # and update the filter if things have changed. 
+ if ( c$id in shunted_conns ) + delete shunted_conns[c$id]; + } \ No newline at end of file diff --git a/scripts/base/frameworks/packet-filter/utils.bro b/scripts/base/frameworks/packet-filter/utils.bro new file mode 100644 index 0000000000..6ee2993050 --- /dev/null +++ b/scripts/base/frameworks/packet-filter/utils.bro @@ -0,0 +1,43 @@ +module PacketFilter; + +export { + ## Takes a :bro:type:`port` and returns a BPF expression which will + ## match the port. + ## + ## p: The port. + ## + ## Returns: A valid BPF filter string for matching the port. + global port_to_bpf: function(p: port): string; + + ## Combines two valid BPF filter strings with a string based operator + ## to form a new filter. + ## + ## lfilter: Filter which will go on the left side. + ## + ## op: Operation being applied (typically "or" or "and"). + ## + ## rfilter: Filter which will go on the right side. + ## + ## Returns: A new string representing the two filters combined with + ## the operator. Either filter being an empty string will + ## still result in a valid filter. + global combine_filters: function(lfilter: string, op: string, rfilter: string): string; +} + +function port_to_bpf(p: port): string + { + local tp = get_port_transport_proto(p); + return cat(tp, " and ", fmt("port %d", p)); + } + +function combine_filters(lfilter: string, op: string, rfilter: string): string + { + if ( lfilter == "" && rfilter == "" ) + return ""; + else if ( lfilter == "" ) + return rfilter; + else if ( rfilter == "" ) + return lfilter; + else + return fmt("(%s) %s (%s)", lfilter, op, rfilter); + } \ No newline at end of file diff --git a/scripts/base/frameworks/protocols/__load__.bro b/scripts/base/frameworks/protocols/__load__.bro new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/frameworks/protocols/__load__.bro @@ -0,0 +1 @@ +@load ./main \ No newline at end of file 
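Review bot: In conn_shunt_filters, the `tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) == 0` clause is and'ed into ipv4_tcp_filter before the `if ( ipv4_tcp_filter == "" ) return;` check, so the check can never fire; with zero shunted connections the factory still calls exclude() with the flags clause alone, and the resulting `not (...)` drops every non-SYN/FIN/RST TCP packet from capture, which blinds the analyzers to established TCP traffic. The per-connection terms inside the loop are also combined with "and" although each describes a different 4-tuple, so once two or more connections are shunted the conjunction matches nothing and shunting silently stops; the loop should use `combine_filters(ipv4_tcp_filter, "or", fmt(...))` and the emptiness check should move above the flags combine. Two smaller points in shunt_conn: `> max_bpf_shunts` admits max_bpf_shunts + 1 entries, and `shunted_conns_non_flag_tracking` is counted toward the limit but never populated anywhere in this patch. The comment in connection_state_remove refers to a periodic rebuild "every few minutes" that nothing in this commit implements, so it should be hedged or tied to the mechanism when it exists.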
diff --git a/scripts/base/frameworks/protocols/main.bro b/scripts/base/frameworks/protocols/main.bro new file mode 100644 index 0000000000..8924c4c259 --- /dev/null +++ b/scripts/base/frameworks/protocols/main.bro @@ -0,0 +1,49 @@ + +@load base/frameworks/packet-filter + +module Protocols; + +export { + const common_ports: table[string] of set[port] = {} &redef; + + ## Automatically creates a BPF filter for the specified protocol based + ## on the data supplied for the protocol in the :bro:id:`common_ports` + ## variable. + ## + ## protocol: A string representation for a protocol, e.g. "HTTP" + ## + ## Returns: BPF filter string. + global protocol_to_bpf: function(protocol: string): string; + + global to_bpf: function(): string; + + ## Maps between human readable protocol identifiers (like "HTTP") + ## and the internal Bro representation for an analyzer (like ANALYZER_HTTP). + ## This is typically fully populated by the base protocol analyzer scripts. + const analyzer_map: table[string] of set[count] = {} &redef; +} + +function protocol_to_bpf(protocol: string): string + { + # Return an empty string if an undefined protocol was given. + if ( protocol !in common_ports ) + return ""; + + local output = ""; + for ( one_port in common_ports[protocol] ) + output = PacketFilter::combine_filters(output, "or", PacketFilter::port_to_bpf(one_port)); + return output; + } + +function to_bpf(): string + { + local output = ""; + for ( p in common_ports ) + output = PacketFilter::combine_filters(output, "or", protocol_to_bpf(p)); + return output; + } + + + + + \ No newline at end of file diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 200947938d..81ebf27cc8 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
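Review bot: `common_ports` and `to_bpf` are exported without the `##` doc comments the adjacent `protocol_to_bpf` and `analyzer_map` entries carry, so autodoc will show them undocumented; suggest `## Ports on which each protocol is expected, keyed by the same identifier used in analyzer_map and populated by the base protocol scripts.` for the table and `## Builds one BPF filter matching the ports of every protocol in common_ports. Returns: BPF filter string.` for the function. `analyzer_map` is populated by every protocol script in this series but nothing in the patch reads it yet, which is worth stating in its comment so the removed dpd_config bindings are not assumed to be replaced. The trailing run of blank lines before the missing newline at end of file should also go.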
@@ -607,19 +607,6 @@ global signature_files = "" &add_func = add_signature_file; ## ``p0f`` fingerprint file to use. Will be searched relative to ``BRO_PATH``. const passive_fingerprint_file = "base/misc/p0f.fp" &redef; -# todo::testing to see if I can remove these without causing problems. -#const ftp = 21/tcp; -#const ssh = 22/tcp; -#const telnet = 23/tcp; -#const smtp = 25/tcp; -#const domain = 53/tcp; # note, doesn't include UDP version -#const gopher = 70/tcp; -#const finger = 79/tcp; -#const http = 80/tcp; -#const ident = 113/tcp; -#const bgp = 179/tcp; -#const rlogin = 513/tcp; - # TCP values for :bro:see:`endpoint` *state* field. # todo::these should go into an enum to make them autodoc'able. const TCP_INACTIVE = 0; ##< Endpoint is still inactive. diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 1cf125c3ab..b2e52cedfb 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -29,6 +29,7 @@ @load base/frameworks/metrics @load base/frameworks/intel @load base/frameworks/reporter +@load base/frameworks/protocols @load base/protocols/conn @load base/protocols/dns diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 56107fd02d..4fa4b229f7 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -1,6 +1,7 @@ ##! Base DNS analysis script which tracks and logs DNS queries along with ##! their responses. +@load base/frameworks/protocols @load ./consts module DNS; 
@@ -109,23 +110,11 @@ redef record connection += { dns_state: State &optional; }; -# DPD configuration. -redef capture_filters += { - ["dns"] = "port 53", - ["mdns"] = "udp and port 5353", - ["llmns"] = "udp and port 5355", - ["netbios-ns"] = "udp port 137", -}; - -const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; -redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] }; - -const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp }; -const dns_tcp_ports = { 53/tcp }; -redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] }; -redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] }; - -redef likely_server_ports += { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; +# Not attaching ANALYZER_DNS_UDP_BINPAC and ANALYZER_DNS_TCP_BINPAC right now. +global analyzers = { ANALYZER_DNS }; +redef Protocols::analyzer_map["DNS"] = analyzers; +global ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; +redef Protocols::common_ports["DNS"] = ports; event bro_init() &priority=5 { diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 9e16804a32..80a0e0a796 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -3,10 +3,12 @@ ##! will take on the full path that the client is at along with the requested ##! file name. +@load base/frameworks/protocols @load ./utils-commands @load base/utils/paths @load base/utils/numbers + module FTP; export { 
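Review bot: The removed `redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] }` has no replacement in this commit: `Protocols::analyzer_map["DNS"]` is filled in, but no code in the series reads analyzer_map (protocols/main.bro consumes only common_ports and the replacement dpd_config redef in http/main.bro is commented out), so the DNS analyzer loses its port binding and, unless some other mechanism attaches it, DNS traffic on these ports is no longer analyzed. The same gap applies to the FTP (@@ -92), IRC (@@ -36), SMTP (@@ -66), SSH (@@ -73), SSL (@@ -70) and Syslog (@@ -24) hunks. Those hunks also drop their `redef likely_server_ports` lines (HTTP keeps its own), which changes the originator/responder heuristic for every one of these ports; if that is intended it belongs in the commit message, otherwise the redefs should stay until the Protocols framework feeds both tables. The IRC hunk additionally adds 7000/tcp, which is not mentioned anywhere.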
@@ -92,12 +94,10 @@ redef record connection += { ftp: Info &optional; }; -# Configure DPD -const ports = { 21/tcp } &redef; -redef capture_filters += { ["ftp"] = "port 21" }; -redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] }; - -redef likely_server_ports += { 21/tcp }; +global analyzers = { ANALYZER_FTP }; +redef Protocols::analyzer_map["FTP"] = analyzers; +global ports = { 21/tcp }; +redef Protocols::common_ports["FTP"] = ports; # Establish the variable for tracking expected connections. global ftp_data_expected: table[addr, port] of Info &create_expire=5mins; diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 6571548145..dbfbe4b6ff 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -2,6 +2,7 @@ ##! to log request/response pairs and all relevant metadata together in ##! a single record. +@load base/frameworks/protocols @load base/utils/numbers @load base/utils/files @@ -110,17 +111,15 @@ event bro_init() &priority=5 Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]); } -# DPD configuration. -const ports = { - 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, - 8000/tcp, 8080/tcp, 8888/tcp, -}; -redef dpd_config += { - [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports], -}; -redef capture_filters += { - ["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)" -}; + +global analyzers = { ANALYZER_HTTP, ANALYZER_HTTP_BINPAC }; +redef Protocols::analyzer_map["HTTP"] = analyzers; +global ports = { 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, 8000/tcp, 8080/tcp, 8888/tcp }; +redef Protocols::common_ports["HTTP"] = ports; + +#redef dpd_config += { +# [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = Protocols::common_ports["HTTP"]], +#}; redef likely_server_ports += { 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.bro index 2bf2a9bbb9..a59e5043f6 100644 
--- a/scripts/base/protocols/irc/main.bro +++ b/scripts/base/protocols/irc/main.bro @@ -2,6 +2,8 @@ ##! IRC commands along with the associated response and some additional ##! metadata about the connection if it's available. +@load base/frameworks/protocols + module IRC; export { @@ -36,17 +38,10 @@ redef record connection += { irc: Info &optional; }; -# Some common IRC ports. -redef capture_filters += { ["irc-6666"] = "port 6666" }; -redef capture_filters += { ["irc-6667"] = "port 6667" }; -redef capture_filters += { ["irc-6668"] = "port 6668" }; -redef capture_filters += { ["irc-6669"] = "port 6669" }; - -# DPD configuration. -const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; -redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] }; - -redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; +global analyzers = { ANALYZER_IRC }; +redef Protocols::analyzer_map["IRC"] = analyzers; +global ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp, 7000/tcp }; +redef Protocols::common_ports["IRC"] = ports; event bro_init() &priority=5 { diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index 513b85e342..5676878b18 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -1,4 +1,5 @@ @load base/frameworks/notice +@load base/frameworks/protocols @load base/utils/addrs @load base/utils/directions-and-hosts @@ -66,11 +67,9 @@ redef record connection += { smtp_state: State &optional; }; -# Configure DPD -redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" }; -redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] }; - -redef likely_server_ports += { 25/tcp, 587/tcp }; +global analyzers = { ANALYZER_SMTP }; +redef Protocols::analyzer_map["SMTP"] = analyzers; +redef Protocols::common_ports["SMTP"] = ports; event bro_init() &priority=5 { 
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index 0d3439bb1f..7ca71ba9df 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -6,6 +6,7 @@ ##! is not attempted if the connection size analyzer isn't enabled. @load base/frameworks/notice +@load base/frameworks/protocols @load base/utils/site @load base/utils/thresholds @load base/utils/conn-ids @@ -73,11 +74,10 @@ export { global log_ssh: event(rec: Info); } -# Configure DPD and the packet filter -redef capture_filters += { ["ssh"] = "tcp port 22" }; -redef dpd_config += { [ANALYZER_SSH] = [$ports = set(22/tcp)] }; - -redef likely_server_ports += { 22/tcp }; +global analyzers = { ANALYZER_SSH }; +redef Protocols::analyzer_map["SSH"] = analyzers; +global ports = { 22/tcp }; +redef Protocols::common_ports["SSH"] = ports; redef record connection += { ssh: Info &optional; diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 0b280a6bcf..6a75e01735 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -1,6 +1,7 @@ ##! Base SSL analysis script. This script logs information about the SSL/TLS ##! handshaking and encryption establishment process. +@load base/frameworks/protocols @load ./consts module SSL; 
@@ -70,35 +71,13 @@ event bro_init() &priority=5 { Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]); } + +global analyzers = { ANALYZER_SSL }; +redef Protocols::analyzer_map["SSL"] = analyzers; +global ports = { 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, + 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp }; +redef Protocols::common_ports["SSL"] = ports; -redef capture_filters += { - ["ssl"] = "tcp port 443", - ["nntps"] = "tcp port 563", - ["imap4-ssl"] = "tcp port 585", - ["sshell"] = "tcp port 614", - ["ldaps"] = "tcp port 636", - ["ftps-data"] = "tcp port 989", - ["ftps"] = "tcp port 990", - ["telnets"] = "tcp port 992", - ["imaps"] = "tcp port 993", - ["ircs"] = "tcp port 994", - ["pop3s"] = "tcp port 995", - ["xmpps"] = "tcp port 5223", -}; - -const ports = { - 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, - 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp -}; - -redef dpd_config += { - [[ANALYZER_SSL]] = [$ports = ports] -}; - -redef likely_server_ports += { - 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, - 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp -}; function set_session(c: connection) { diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro index 79f89d5e71..786e3668a4 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.bro @@ -1,6 +1,7 @@ ##! Core script support for logging syslog messages. This script represents ##! one syslog message as one logged record. +@load base/frameworks/protocols @load ./consts module Syslog; 
@@ -24,11 +25,10 @@ export { }; } -redef capture_filters += { ["syslog"] = "port 514" }; -const ports = { 514/udp } &redef; -redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] }; - -redef likely_server_ports += { 514/udp }; +global analyzers = { ANALYZER_SYSLOG_BINPAC }; +redef Protocols::analyzer_map["SYSLOG"] = analyzers; +global ports = { 514/udp }; +redef Protocols::common_ports["SYSLOG"] = ports; redef record connection += { syslog: Info &optional; diff --git a/scripts/policy/tuning/defaults/packet-fragments.bro b/scripts/policy/tuning/defaults/packet-fragments.bro index 30d7e23729..24b18d5917 100644 --- a/scripts/policy/tuning/defaults/packet-fragments.bro +++ b/scripts/policy/tuning/defaults/packet-fragments.bro @@ -3,7 +3,9 @@ ## This normally isn't used because of the default open packet filter ## but we set it anyway in case the user is using a packet filter. -redef capture_filters += { ["frag"] = "(ip[6:2] & 0x3fff != 0) and tcp" }; +## Note: This was removed because the default model now is to have a wide +## open packet filter. +#redef capture_filters += { ["frag"] = "(ip[6:2] & 0x3fff != 0) and tcp" }; ## Shorten the fragment timeout from never expiring to expiring fragments after ## five minutes. From e0086005f8ff52f99a11e26169b0a35434e610ee Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Wed, 25 Apr 2012 17:12:12 -0400 Subject: [PATCH 002/200] Checkpoint on the packet filter framework. - Packet loss interval changed to 5 minutes by default. Users were getting too many notices from this. - BPF load balancing (ipv4 and ipv6). This will tie in with upcoming BroControl support for configuring this. - BPF based connection sampling. - Small improvements to how and when filters are installed. --- .../frameworks/packet-filter/__load__.bro | 1 + .../frameworks/packet-filter/load-balance.bro | 120 ++++++++++++++++ .../base/frameworks/packet-filter/main.bro | 54 +++++-- .../frameworks/packet-filter/netstats.bro | 2 +- .../base/frameworks/packet-filter/shunt.bro | 136 +++++++++++++++--- .../base/frameworks/packet-filter/utils.bro | 17 ++- 6 files changed, 296 insertions(+), 34 deletions(-) create mode 100644 scripts/base/frameworks/packet-filter/load-balance.bro diff --git a/scripts/base/frameworks/packet-filter/__load__.bro b/scripts/base/frameworks/packet-filter/__load__.bro index 45c2488c00..14da4e4893 100644 --- a/scripts/base/frameworks/packet-filter/__load__.bro +++ b/scripts/base/frameworks/packet-filter/__load__.bro @@ -1,4 +1,5 @@ @load ./utils @load ./main @load ./shunt +@load ./load-balance @load ./netstats diff --git a/scripts/base/frameworks/packet-filter/load-balance.bro b/scripts/base/frameworks/packet-filter/load-balance.bro new file mode 100644 index 0000000000..105a37b617 --- /dev/null +++ b/scripts/base/frameworks/packet-filter/load-balance.bro 
@@ -0,0 +1,120 @@ +##! This script implements an automated BPF based load balancing solution for Bro clusters. +##! It is completely automated when multiple worker processes are configured for a single +##! interface on a host. One caveat is that in order for this script to work, your traffic +##! can't have any headers above the Ethernet header (vlan, mpls). + +@load base/frameworks/cluster +@load base/frameworks/packet-filter + +module PacketFilter; + +export { + redef record Cluster::Node += { + ## A BPF filter for load balancing traffic sniffed on a single interface + ## across a number of processes. In normal uses, this will be assigned + ## dynamically by the manager and installed by the workers. + lb_filter: string &optional; + }; + + ## Control if BPF based load balancing is enabled on cluster deployments. + const enable_BPF_load_balancing = F &redef; + + # Configure the cluster framework to enable the load balancing filter configuration. + #global send_filter: event(for_node: string, filter: string); + #global confirm_filter_installation: event(success: bool); +} + +#redef Cluster::manager2worker_events += /LoadBalancing::send_filter/; +#redef Cluster::worker2manager_events += /LoadBalancing::confirm_filter_installation/; + +@if ( Cluster::is_enabled() ) + +@if ( Cluster::local_node_type() == Cluster::MANAGER ) + +event bro_init() &priority=5 + { + if ( ! enable_BPF_load_balancing ) + return; + + local worker_ip_interface: table[addr, string] of count = table(); + for ( n in Cluster::nodes ) + { + local this_node = Cluster::nodes[n]; + + # Only workers! + if ( this_node$node_type != Cluster::WORKER || + ! this_node?$interface ) + next; + + if ( [this_node$ip, this_node$interface] !in worker_ip_interface ) + worker_ip_interface[this_node$ip, this_node$interface] = 0; + ++worker_ip_interface[this_node$ip, this_node$interface]; + } + + # Now that we've counted up how many processes are running on an interface + # let's create the filters for each worker. 
+ local lb_proc_track: table[addr, string] of count = table(); + for ( no in Cluster::nodes ) + { + local that_node = Cluster::nodes[no]; + if ( that_node$node_type == Cluster::WORKER && + that_node?$interface && [that_node$ip, that_node$interface] in worker_ip_interface ) + { + if ( [that_node$ip, that_node$interface] !in lb_proc_track ) + lb_proc_track[that_node$ip, that_node$interface] = 0; + + local this_lb_proc = lb_proc_track[that_node$ip, that_node$interface]; + local total_lb_procs = worker_ip_interface[that_node$ip, that_node$interface]; + + ++lb_proc_track[that_node$ip, that_node$interface]; + if ( total_lb_procs > 1 ) + { + that_node$lb_filter = PacketFilter::sample_filter(total_lb_procs, this_lb_proc); + Communication::nodes[no]$capture_filter = that_node$lb_filter; + } + } + } + } + +#event remote_connection_established(p: event_peer) &priority=-5 +# { +# if ( is_remote_event() ) +# return; +# +# local for_node = p$descr; +# # Send the filter to the peer. +# if ( for_node in Cluster::nodes && +# Cluster::nodes[for_node]?$lb_filter ) +# { +# local filter = Cluster::nodes[for_node]$lb_filter; +# event LoadBalancing::send_filter(for_node, filter); +# } +# } + +#event LoadBalancing::confirm_filter_installation(success: bool) +# { +# # This doesn't really matter yet since we aren't getting back a meaningful success response. +# } + +@endif + + +@if ( Cluster::local_node_type() == Cluster::WORKER ) + +#event LoadBalancing::send_filter(for_node: string, filter: string) +event remote_capture_filter(p: event_peer, filter: string) + { + #if ( for_node !in Cluster::nodes ) + # return; + # + #if ( Cluster::node == for_node ) + # { + restrict_filters["lb_filter"] = filter; + PacketFilter::install(); + #event LoadBalancing::confirm_filter_installation(T); + # } + } + +@endif + +@endif diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro index 66a557f53d..6e839c9210 100644 
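Review bot: The manager-side `bro_init` calls `PacketFilter::sample_filter(total_lb_procs, this_lb_proc)`, but the helper this same commit adds to utils.bro is named `sampling_filter`, so the load-balancing path cannot resolve on a manager with `enable_BPF_load_balancing = T`; one of the two names needs to change. Separately, the worker-side `remote_capture_filter` handler writes whatever filter any connected peer sends straight into `restrict_filters["lb_filter"]` and reinstalls, because the node check is commented out; since a restrict filter only narrows what the worker captures, an unexpected or misconfigured peer could blind that sensor without any notice being raised. Keeping a sender check before the assignment, along the lines of `if ( p$descr !in Cluster::nodes || Cluster::nodes[p$descr]$node_type != Cluster::MANAGER ) return;`, preserves the intent of the commented-out block. The lookup `Communication::nodes[no]$capture_filter` also presumes the Communication and Cluster node tables share keys, which is not established anywhere in this file and deserves a comment.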
--- a/scripts/base/frameworks/packet-filter/main.bro +++ b/scripts/base/frameworks/packet-filter/main.bro @@ -55,6 +55,11 @@ export { ## dynamically built filter. const unrestricted_filter = "" &redef; + ## Filter string which is unconditionally and'ed to the beginning of every + ## dynamically built filter. This is mostly used when a custom filter is being + ## used but MPLS or VLAN tags are on the traffic. + const restricted_filter = "" &redef; + ## The maximum amount of time that you'd like to allow for filters to compile. ## If this time is exceeded, compensation measures may be taken by the framework ## to reduce the filter size. This threshold being crossed also results in @@ -69,7 +74,7 @@ export { ## ## filter: A BPF expression of traffic that should be excluded. ## - ## Returns: A boolean value to indicate if the fitler was successfully + ## Returns: A boolean value to indicate if the filter was successfully ## installed or not. global exclude: function(filter_id: string, filter: string): bool; @@ -90,7 +95,7 @@ export { ## Call this function to build and install a new dynamically built ## packet filter. - global install: function(); + global install: function(): bool; ## A data structure to represent filter generating factories. type FilterFactory: record { @@ -121,6 +126,9 @@ redef capture_filters += { ["default"] = default_capture_filter }; # install the filter. global currently_building = F; +# Internal tracking for if the the filter being built has possibly been changed. +global filter_changed = F; + global filter_factories: set[FilterFactory] = {}; redef enum PcapFilterID += { 
@@ -139,7 +147,17 @@ function test_filter(filter: string): bool return T; } -event bro_init() &priority=6 +# This tracks any changes for filtering mechanisms that play along nice +# and set filter_changed to T. +event filter_change_tracking() + { + if ( filter_changed ) + install(); + + schedule 5min { filter_change_tracking() }; + } + +event bro_init() &priority=5 { Log::create_stream(PacketFilter::LOG, [$columns=Info]); @@ -155,8 +173,13 @@ event bro_init() &priority=6 if ( ! test_filter(restrict_filters[id]) ) Reporter::fatal(fmt("Invalid restrict filter named '%s' - '%s'", id, restrict_filters[id])); } + } +event bro_init() &priority=-5 + { install(); + + event filter_change_tracking(); } function register_filter_factory(ff: FilterFactory) @@ -233,27 +256,35 @@ function build(): string if ( unrestricted_filter != "" ) filter = combine_filters(unrestricted_filter, "or", filter); + if ( restricted_filter != "" ) + filter = combine_filters(restricted_filter, "and", filter); currently_building = F; return filter; } -function install() +function install(): bool { if ( currently_building ) - return; + return F; - current_filter = build(); + local tmp_filter = build(); #local ts = current_time(); - if ( ! precompile_pcap_filter(DefaultPcapFilter, current_filter) ) + if ( ! precompile_pcap_filter(DefaultPcapFilter, tmp_filter) ) { NOTICE([$note=Compile_Failure, $msg=fmt("Compiling packet filter failed"), - $sub=current_filter]); - Reporter::fatal(fmt("Bad pcap filter '%s'", current_filter)); + $sub=tmp_filter]); + if ( network_time() == 0.0 ) + Reporter::fatal(fmt("Bad pcap filter '%s'", tmp_filter)); + else + Reporter::warning(fmt("Bad pcap filter '%s'", tmp_filter)); } + # Set it to the current filter if it passed precompiling + current_filter = tmp_filter; + #local diff = current_time()-ts; #if ( diff > max_filter_compile_time ) # NOTICE([$note=Too_Long_To_Compile_Filter, 
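Review bot: In `install()`, `current_filter = tmp_filter;` runs unconditionally, even on the path where `precompile_pcap_filter` failed and the code only emitted `Reporter::warning(...)` because `network_time() != 0.0`; the comment `# Set it to the current filter if it passed precompiling` describes a guard that is not there, so a filter already known not to compile is carried on to the installation step and audit log. The warning branch should leave the previously working filter in place, e.g. `else { Reporter::warning(fmt("Bad pcap filter '%s'", tmp_filter)); return F; }`. Note also that `filter_change_tracking` reschedules itself every 5min from the first `bro_init` regardless of whether `install()` succeeded; that is reasonable but worth a comment since `install()` is the only thing that resets `filter_changed`. The body of `install()` continues past the end of this hunk.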
@@ -278,8 +309,11 @@ function install() $msg=fmt("Installing packet filter failed"), $sub=current_filter]); } - if ( reading_live_traffic() || reading_traces() ) Log::write(PacketFilter::LOG, info); + + # Update the filter change tracking + filter_changed = F; + return T; } diff --git a/scripts/base/frameworks/packet-filter/netstats.bro b/scripts/base/frameworks/packet-filter/netstats.bro index 9fbaa5cd1d..b5ffe24f54 100644 --- a/scripts/base/frameworks/packet-filter/netstats.bro +++ b/scripts/base/frameworks/packet-filter/netstats.bro @@ -13,7 +13,7 @@ export { }; ## This is the interval between individual statistics collection. - const stats_collection_interval = 10secs; + const stats_collection_interval = 5min; } event net_stats_update(last_stat: NetStats) diff --git a/scripts/base/frameworks/packet-filter/shunt.bro b/scripts/base/frameworks/packet-filter/shunt.bro index b001da0640..5527592642 100644 --- a/scripts/base/frameworks/packet-filter/shunt.bro +++ b/scripts/base/frameworks/packet-filter/shunt.bro 
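Review bot: `install()` now ends with `filter_changed = F; return T;` directly after the branch that raises the `Install_Failure` notice, so, unless that branch returns on its own outside the hunk, a failed install both reports success to callers such as `shunt_conn` and clears the change flag that `filter_change_tracking` relies on to retry. Returning `F` from the failure branch (or tracking the outcome in a local and using it for both the flag reset and the return value) keeps the new boolean contract honest. The start of `install()` and the install-failure `if` are outside this hunk, so the exact placement has to be checked there.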
@@ -3,45 +3,73 @@ module PacketFilter; export { + ## The maximum number of BPF based shunts that Bro is allowed to perform. const max_bpf_shunts = 100 &redef; - + + ## Call this function to use BPF to shunt a connection (to prevent the + ## data packets from reaching Bro). For TCP connections, control packets + ## are still allowed through so that Bro can continue logging the connection + ## and it can stop shunting once the connection ends. global shunt_conn: function(id: conn_id): bool; + ## This function will use a BPF expresssion to shunt traffic between + ## the two hosts given in the `conn_id` so that the traffic is never + ## exposed to Bro's traffic processing. + global shunt_host_pair: function(id: conn_id): bool; + + ## Remove shunting for a host pair given as a `conn_id`. The filter + ## is not immediately removed. It waits for the occassional filter + ## update done by the `PacketFilter` framework. + global unshunt_host_pair: function(id: conn_id): bool; + + ## Performs the same function as the `unshunt_host_pair` function, but + ## it forces an immediate filter update. + global force_unshunt_host_pair: function(id: conn_id): bool; + + ## Retrieve the currently shunted connections. + global current_shunted_conns: function(): set[conn_id]; + + ## Retrieve the currently shunted host pairs. + global current_shunted_host_pairs: function(): set[conn_id]; + redef enum Notice::Type += { ## Indicative that :bro:id:`max_bpf_shunts` connections are already ## being shunted with BPF filters and no more are allowed. No_More_Conn_Shunts_Available, + + ## Limitations in BPF make shunting some connections with BPF impossible. + ## This notice encompasses those various cases. + Cannot_BPF_Shunt_Conn, }; } global shunted_conns: set[conn_id]; -global shunted_conns_non_flag_tracking: set[conn_id]; +global shunted_host_pairs: set[conn_id]; function conn_shunt_filters() { - # TODO: this could wrongly match if a connection happens with the ports reversed. 
- local filter = ""; - local ipv4_tcp_filter = ""; + # NOTE: this could wrongly match if a connection happens with the ports reversed. + local tcp_filter = "tcp and tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) == 0"; + local udp_filter = ""; for ( id in shunted_conns ) { local prot = get_port_transport_proto(id$resp_p); - # TODO: add ipv6 - #if ( prot == udp ) #|| is_ipv6_addr(id$orig_h) ) - # { - # next; - # shunt_for() - # } - - if ( prot == tcp ) - ipv4_tcp_filter = combine_filters(ipv4_tcp_filter, "and", fmt("host %s and port %d and host %s and port %d and %s", id$orig_h, id$orig_p, id$resp_h, id$resp_p, prot)); + local filt = fmt("host %s and port %d and host %s and port %d", id$orig_h, id$orig_p, id$resp_h, id$resp_p); + if ( prot == udp ) + udp_filter = combine_filters(udp_filter, "and", filt); + else if ( prot == tcp ) + tcp_filter = combine_filters(tcp_filter, "and", filt); } + local conn_shunt_filter = combine_filters(tcp_filter, "and", udp_filter); - ipv4_tcp_filter = combine_filters(ipv4_tcp_filter, "and", "tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) == 0"); + for ( id in shunted_host_pairs ) + { + local hp_filter = fmt("host %s and host %s", id$orig_h, id$resp_h); + + } - if ( ipv4_tcp_filter == "" ) - return; - PacketFilter::exclude("conn_shunt_filters", ipv4_tcp_filter); + PacketFilter::exclude("conn_shunt_filters", conn_shunt_filter); } event bro_init() &priority=5 
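Review bot: Per-connection shunt expressions are joined with `combine_filters(..., "and", ...)` in `conn_shunt_filters`, and the TCP and UDP results are then ANDed again into `conn_shunt_filter`; since `build()` applies an excluded filter as `not (...)`, this only excludes packets that match every shunted 5-tuple at once, so with two or more shunts (or one TCP and one UDP shunt) nothing is excluded at all. The per-conn and per-host-pair expressions should be combined with `"or"`, and the TCP flag predicate applied once to the OR'ed TCP group, e.g. `tcp_filter = combine_filters(tcp_filter, "or", filt);` and `conn_shunt_filter = combine_filters(tcp_filter, "or", udp_filter);`. The same `"and"` joins persist in the shunt.bro hunks of the two later commits on this page ("Packet filter framework checkpoint." and "Several final fixes"), so a fix should cover the final `shunt_filters` form. The host-pair loop here builds `hp_filter` but never uses it, which the next commit addresses.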
@@ -51,15 +79,79 @@ event bro_init() &priority=5 ]); } -function shunt_conn(id: conn_id): bool +function current_shunted_conns(): set[conn_id] { - if ( |shunted_conns| + |shunted_conns_non_flag_tracking| > max_bpf_shunts ) + return shunted_conns; + } + +function current_shunted_host_pairs(): set[conn_id] + { + return shunted_host_pairs; + } + +function reached_max_shunts(): bool + { + if ( |shunted_conns| + |shunted_host_pairs| > max_bpf_shunts ) { NOTICE([$note=No_More_Conn_Shunts_Available, $msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)]); + return T; + } + else + return F; + } + +function shunt_host_pair(id: conn_id): bool + { + PacketFilter::filter_changed = T; + + if ( reached_max_shunts() ) + return F; + + add shunted_host_pairs[id]; + install(); + return T; + } + +function unshunt_host_pair(id: conn_id): bool + { + PacketFilter::filter_changed = T; + + if ( id in shunted_host_pairs ) + { + delete shunted_host_pairs[id]; + return T; + } + else + return F; + } + +function force_unshunt_host_pair(id: conn_id): bool + { + if ( unshunt_host_pair(id) ) + { + install(); + return T; + } + else + return F; + } + +function shunt_conn(id: conn_id): bool + { + if ( is_v6_addr(id$orig_h) ) + { + NOTICE([$note=Cannot_BPF_Shunt_Conn, + $msg="IPv6 connections can't be shunted with BPF due to limitations in BPF", + $sub="ipv6_conn", + $id=id, $identifier=string_cat(id)]); return F; } + if ( reached_max_shunts() ) + return F; + + PacketFilter::filter_changed = T; add shunted_conns[id]; install(); return T; 
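Review bot: `reached_max_shunts()` tests `|shunted_conns| + |shunted_host_pairs| > max_bpf_shunts`, so the limit documented as "the maximum number of BPF based shunts" is actually exceeded by one before the `No_More_Conn_Shunts_Available` notice fires; `>=` matches the documentation. `shunt_host_pair` and `unshunt_host_pair` also set `PacketFilter::filter_changed = T` before deciding whether anything changed, so a rejected or no-op call still schedules a full filter rebuild in `filter_change_tracking`; moving the assignment after the `reached_max_shunts()` / membership checks avoids that. Finally, `shunt_host_pair` has no counterpart to the `is_v6_addr(id$orig_h)` guard in `shunt_conn`, yet the host-pair expression uses the same `host %s` syntax, so the `Cannot_BPF_Shunt_Conn` handling should presumably be applied there too.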
@@ -67,8 +159,8 @@ function shunt_conn(id: conn_id): bool event connection_state_remove(c: connection) &priority=-5 { - # Don't rebuild the filter right away because the packet filter framework will check every few minutes - # and update the filter if things have changed. + # Don't rebuild the filter right away because the packet filter framework + # will check every few minutes and update the filter if things have changed. if ( c$id in shunted_conns ) delete shunted_conns[c$id]; } \ No newline at end of file diff --git a/scripts/base/frameworks/packet-filter/utils.bro b/scripts/base/frameworks/packet-filter/utils.bro index 6ee2993050..242d30e45a 100644 --- a/scripts/base/frameworks/packet-filter/utils.bro +++ b/scripts/base/frameworks/packet-filter/utils.bro @@ -9,6 +9,13 @@ export { ## Returns: A valid BPF filter string for matching the port. global port_to_bpf: function(p: port): string; + ## Create a BPF filter to sample IPv4 and IPv6 traffic. + ## + ## num_parts: The number of parts the traffic should be split into. + ## + ## this_part: The part of the traffic this filter will accept. 0-based. + global sampling_filter: function(num_parts: count, this_part: count): string; + ## Combines two valid BPF filter strings with a string based operator ## to form a new filter. ## @@ -40,4 +47,12 @@ function combine_filters(lfilter: string, op: string, rfilter: string): string return lfilter; else return fmt("(%s) %s (%s)", lfilter, op, rfilter); - } \ No newline at end of file + } + +function sampling_filter(num_parts: count, this_part: count): string + { + local v4_filter = fmt("ip and ((ip[14:2]+ip[18:2]) - (%d*((ip[14:2]+ip[18:2])/%d)) == %d)", num_parts, num_parts, this_part); + # TODO: this is probably a fairly suboptimal filter, but it should work for now. + local v6_filter = fmt("ip6 and ((ip6[22:2]+ip6[38:2]) - (%d*((ip6[22:2]+ip6[38:2])/%d)) == %d)", num_parts, num_parts, this_part); + return combine_filters(v4_filter, "or", v6_filter); + } 
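Review bot: `sampling_filter` interpolates `num_parts` as a divisor and has no guard, so `num_parts == 0` yields a BPF expression that cannot compile and `this_part >= num_parts` yields one that never matches; a check such as `if ( num_parts == 0 || this_part >= num_parts ) Reporter::warning(fmt("sampling_filter: invalid split %d/%d", this_part, num_parts));` before the `fmt` calls turns a silent failure into a visible one. The doc comment should also state what the split is keyed on, since that determines the balancing behaviour: the offsets `ip[14:2]`/`ip[18:2]` and `ip6[22:2]`/`ip6[38:2]` are the low 16 bits of the source and destination addresses, so both directions of a flow land in the same part, and the expression assumes the IP header starts directly after the Ethernet header (no VLAN/MPLS encapsulation). Suggested addition above the `global sampling_filter` declaration: `## The split is computed from the low 16 bits of the source and destination addresses, so both directions of a flow fall into the same part; it assumes untagged Ethernet framing.`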
From 2ec7fbae62fb50a40a4f535fdae05f3198d0eabc Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 25 Apr 2012 23:21:53 -0400 Subject: [PATCH 003/200] Packet filter framework checkpoint. --- .../base/frameworks/packet-filter/main.bro | 20 +++++++++--------- .../base/frameworks/packet-filter/shunt.bro | 21 +++++++++---------- 2 files changed, 20 insertions(+), 21 deletions(-) diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro index 6e839c9210..9ffd8cc4c3 100644 --- a/scripts/base/frameworks/packet-filter/main.bro +++ b/scripts/base/frameworks/packet-filter/main.bro @@ -97,14 +97,14 @@ export { ## packet filter. global install: function(): bool; - ## A data structure to represent filter generating factories. - type FilterFactory: record { + ## A data structure to represent filter generating plugins. + type FilterPlugin: record { ## A function that is directly called when generating the complete filter. func : function(); }; - ## API function to register a new factory for dynamic restriction filters. - global register_filter_factory: function(ff: FilterFactory); + ## API function to register a new pluginfor dynamic restriction filters. + global register_filter_plugin: function(fp: FilterPlugin); ## Enables the old filtering approach of "only watch common ports for ## analyzed protocols". @@ -129,7 +129,7 @@ global currently_building = F; # Internal tracking for if the the filter being built has possibly been changed. global filter_changed = F; -global filter_factories: set[FilterFactory] = {}; +global filter_plugins: set[FilterPlugin] = {}; redef enum PcapFilterID += { DefaultPcapFilter, @@ -182,9 +182,9 @@ event bro_init() &priority=-5 event filter_change_tracking(); } -function register_filter_factory(ff: FilterFactory) +function register_filter_plugin(fp: FilterPlugin) { - add filter_factories[ff]; + add filter_plugins[fp]; } event remove_dynamic_filter(filter_id: string) 
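Review bot: The new doc line `## API function to register a new pluginfor dynamic restriction filters.` is missing a space; it should read `## API function to register a new plugin for dynamic restriction filters.`. The rename from factory to plugin is otherwise consistent across the `FilterPlugin` type, `filter_plugins` set and `register_filter_plugin`, but the `func : function();` field keeps its inherited one-line comment and it would help callers to say there that the function is expected to call `PacketFilter::exclude` (or similar) rather than return a filter, as the shunt plugin on this page does.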
@@ -245,10 +245,10 @@ function build(): string for ( filt in dynamic_restrict_filters ) rfilter = combine_filters(rfilter, "and", string_cat("not (", dynamic_restrict_filters[filt], ")")); - # Generate all of the plugin factory based filters. - for ( factory in filter_factories ) + # Generate all of the plugin based filters. + for ( plugin in filter_plugins ) { - factory$func(); + plugin$func(); } # Finally, join them into one filter. diff --git a/scripts/base/frameworks/packet-filter/shunt.bro b/scripts/base/frameworks/packet-filter/shunt.bro index 5527592642..be33f8085a 100644 --- a/scripts/base/frameworks/packet-filter/shunt.bro +++ b/scripts/base/frameworks/packet-filter/shunt.bro @@ -46,7 +46,7 @@ export { global shunted_conns: set[conn_id]; global shunted_host_pairs: set[conn_id]; -function conn_shunt_filters() +function shunt_filters() { # NOTE: this could wrongly match if a connection happens with the ports reversed. local tcp_filter = "tcp and tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) == 0"; @@ -63,19 +63,18 @@ function conn_shunt_filters() } local conn_shunt_filter = combine_filters(tcp_filter, "and", udp_filter); + local hp_shunt_filter = ""; for ( id in shunted_host_pairs ) - { - local hp_filter = fmt("host %s and host %s", id$orig_h, id$resp_h); - - } - - PacketFilter::exclude("conn_shunt_filters", conn_shunt_filter); - } + hp_shunt_filter = combine_filters(hp_shunt_filter, "and", fmt("host %s and host %s", id$orig_h, id$resp_h)); + + local filter = combine_filters(conn_shunt_filter, "and", hp_shunt_filter); + PacketFilter::exclude("shunt_filters", filter); +} event bro_init() &priority=5 { - register_filter_factory([ - $func()={ return conn_shunt_filters(); } + register_filter_plugin([ + $func()={ return shunt_filters(); } ]); } 
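Review bot: The closing brace of `shunt_filters()` is added as `+}` at column 0, while the removed line and the rest of the file (`- }` here, the `}` closing `event bro_init()` just below) appear to use the indented Bro brace style; this looks like an accidental indentation loss rather than a deliberate change and should match the surrounding code. The variable `filter` combined from `conn_shunt_filter` and `hp_shunt_filter` also shares the `"and"` join problem raised on the earlier shunt.bro hunk of the "Checkpoint on the packet filter framework." commit.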
@@ -144,7 +143,7 @@ function shunt_conn(id: conn_id): bool NOTICE([$note=Cannot_BPF_Shunt_Conn, $msg="IPv6 connections can't be shunted with BPF due to limitations in BPF", $sub="ipv6_conn", - $id=id, $identifier=string_cat(id)]); + $id=id, $identifier=cat(id)]); return F; } From 0c97c3c1de57cd64279cfc94b92a1f2d92c76f1b Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 2 May 2012 21:16:30 -0400 Subject: [PATCH 004/200] Several final fixes for PacketFilter framework. - Fixed how the dpd_* variables are written. - Fixed a bug with the shunting code. - Updated a few tests. --- .../frameworks/packet-filter/__load__.bro | 1 - .../base/frameworks/packet-filter/main.bro | 36 +++++++++--------- .../base/frameworks/packet-filter/shunt.bro | 9 ++++- scripts/base/frameworks/protocols/main.bro | 24 ++++++++---- scripts/base/protocols/dns/main.bro | 4 +- scripts/base/protocols/ftp/main.bro | 4 +- scripts/base/protocols/http/main.bro | 8 +--- scripts/base/protocols/irc/main.bro | 4 +- scripts/base/protocols/smtp/main.bro | 8 ++-- scripts/base/protocols/ssh/main.bro | 4 +- scripts/base/protocols/ssl/main.bro | 4 +- scripts/base/protocols/syslog/main.bro | 4 +- .../misc/load-balancing.bro} | 38 ++++++++++++------- src/main.cc | 7 ++-- .../Baseline/core.print-bpf-filters/conn.log | 2 +- .../Baseline/core.print-bpf-filters/output | 14 ++----- testing/btest/core/print-bpf-filters.bro | 8 ++-- 17 files changed, 94 insertions(+), 85 deletions(-) rename scripts/{base/frameworks/packet-filter/load-balance.bro => policy/misc/load-balancing.bro} (79%) diff --git a/scripts/base/frameworks/packet-filter/__load__.bro b/scripts/base/frameworks/packet-filter/__load__.bro index 14da4e4893..45c2488c00 100644 --- a/scripts/base/frameworks/packet-filter/__load__.bro +++ b/scripts/base/frameworks/packet-filter/__load__.bro @@ -1,5 +1,4 @@ @load ./utils @load ./main @load ./shunt -@load ./load-balance @load ./netstats 
diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro index 9ffd8cc4c3..c5a0677add 100644 --- a/scripts/base/frameworks/packet-filter/main.bro +++ b/scripts/base/frameworks/packet-filter/main.bro @@ -6,6 +6,7 @@ @load base/frameworks/notice @load base/frameworks/protocols +@load ./utils module PacketFilter; @@ -15,10 +16,10 @@ export { ## Add notice types related to packet filter errors. redef enum Notice::Type += { - ## This notice is generated if a packet filter is unable to be compiled. + ## This notice is generated if a packet filter cannot be compiled. Compile_Failure, - - ## This notice is generated if a packet filter is fails to install. + + ## Generated if a packet filter is fails to install. Install_Failure, ## Generated when a notice takes too long to compile. @@ -60,7 +61,7 @@ export { ## used but MPLS or VLAN tags are on the traffic. const restricted_filter = "" &redef; - ## The maximum amount of time that you'd like to allow for filters to compile. + ## The maximum amount of time that you'd like to allow for BPF filters to compile. ## If this time is exceeded, compensation measures may be taken by the framework ## to reduce the filter size. This threshold being crossed also results in ## the :bro:enum:`PacketFilter::Too_Long_To_Compile_Filter` notice. @@ -224,12 +225,16 @@ function build(): string currently_building = T; - # Install the default capture filter. - local cfilter = ""; + # Generate all of the plugin based filters. + for ( plugin in filter_plugins ) + { + plugin$func(); + } + local cfilter = ""; if ( |capture_filters| == 0 && ! enable_auto_protocol_capture_filters ) cfilter = default_capture_filter; - + for ( id in capture_filters ) cfilter = combine_filters(cfilter, "or", capture_filters[id]); 
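Review bot: The reworded notice doc `## Generated if a packet filter is fails to install.` still carries the stray "is" from the old text; it should read `## Generated if a packet filter fails to install.`. In the `build()` hunk, the plugin loop now runs before the capture filters are assembled, which is what lets `shunt_filters()` contribute to this build, but nothing records that ordering requirement; a comment such as `# Plugins must run first so that any exclude() they make is picked up by the dynamic restriction loop below.` on the moved loop would keep it from being reordered again.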
@@ -244,12 +249,6 @@ function build(): string # Apply the dynamic restriction filters. for ( filt in dynamic_restrict_filters ) rfilter = combine_filters(rfilter, "and", string_cat("not (", dynamic_restrict_filters[filt], ")")); - - # Generate all of the plugin based filters. - for ( plugin in filter_plugins ) - { - plugin$func(); - } # Finally, join them into one filter. local filter = combine_filters(cfilter, "and", rfilter); @@ -270,7 +269,7 @@ function install(): bool local tmp_filter = build(); - #local ts = current_time(); + local ts = current_time(); if ( ! precompile_pcap_filter(DefaultPcapFilter, tmp_filter) ) { NOTICE([$note=Compile_Failure, @@ -281,15 +280,14 @@ function install(): bool else Reporter::warning(fmt("Bad pcap filter '%s'", tmp_filter)); } + local diff = current_time()-ts; + if ( diff > max_filter_compile_time ) + NOTICE([$note=Too_Long_To_Compile_Filter, + $msg=fmt("A BPF filter is taking longer than %0.6f seconds to compile", diff)]); # Set it to the current filter if it passed precompiling current_filter = tmp_filter; - #local diff = current_time()-ts; - #if ( diff > max_filter_compile_time ) - # NOTICE([$note=Too_Long_To_Compile_Filter, - # $msg=fmt("A BPF filter is taking longer than %0.6f seconds to compile", diff)]); - # Do an audit log for the packet filter. local info: Info; info$ts = network_time(); diff --git a/scripts/base/frameworks/packet-filter/shunt.bro b/scripts/base/frameworks/packet-filter/shunt.bro index be33f8085a..fcbdac85aa 100644 --- a/scripts/base/frameworks/packet-filter/shunt.bro +++ b/scripts/base/frameworks/packet-filter/shunt.bro @@ -1,4 +1,6 @@ @load base/frameworks/notice +@load ./main +@load ./utils module PacketFilter; 
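Review bot: The newly live `Too_Long_To_Compile_Filter` check computes `diff` after the `precompile_pcap_filter` branch, so the notice is raised for a filter that failed to compile as well as for one that merely compiled slowly, and on the failure path the code continues into `current_filter = tmp_filter;` (the unconditional assignment raised on the same function in the "Checkpoint on the packet filter framework." commit). Measuring only on the success path, or returning `F` from the warning branch before the timing check, separates the two conditions. The `$msg` uses `%0.6f` on an `interval`, which matches the existing commented-out version, so no change there.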
@@ -49,7 +51,7 @@ global shunted_host_pairs: set[conn_id]; function shunt_filters() { # NOTE: this could wrongly match if a connection happens with the ports reversed. - local tcp_filter = "tcp and tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) == 0"; + local tcp_filter = ""; local udp_filter = ""; for ( id in shunted_conns ) { @@ -61,6 +63,8 @@ function shunt_filters() else if ( prot == tcp ) tcp_filter = combine_filters(tcp_filter, "and", filt); } + if ( tcp_filter != "" ) + tcp_filter = combine_filters("tcp and tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) == 0", "and", tcp_filter); local conn_shunt_filter = combine_filters(tcp_filter, "and", udp_filter); local hp_shunt_filter = ""; @@ -68,7 +72,8 @@ function shunt_filters() hp_shunt_filter = combine_filters(hp_shunt_filter, "and", fmt("host %s and host %s", id$orig_h, id$resp_h)); local filter = combine_filters(conn_shunt_filter, "and", hp_shunt_filter); - PacketFilter::exclude("shunt_filters", filter); + if ( filter != "" ) + PacketFilter::exclude("shunt_filters", filter); } event bro_init() &priority=5 diff --git a/scripts/base/frameworks/protocols/main.bro b/scripts/base/frameworks/protocols/main.bro index 8924c4c259..43ea3b49f8 100644 --- a/scripts/base/frameworks/protocols/main.bro +++ b/scripts/base/frameworks/protocols/main.bro @@ -1,9 +1,10 @@ -@load base/frameworks/packet-filter +@load base/frameworks/packet-filter/utils module Protocols; export { + const common_ports: table[string] of set[port] = {} &redef; ## Automatically creates a BPF filter for the specified protocol based 
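Review bot: In the protocols/main.bro hunk, `const common_ports: table[string] of set[port] = {} &redef;` is added inside `export {}` with an empty comment line above it, while every neighbouring exported item has a `##` description; since protocol scripts on this page populate it with `redef Protocols::common_ports += { ["HTTP"] = ports };`, it is part of the public API and should be documented. Suggested text: `## Ports that the protocol analysis scripts register as the "common ports" for a protocol, keyed by the same identifier used in analyzer_map (e.g. "HTTP"); used to build capture filters and to configure DPD.` The file header's `@load` change from `base/frameworks/packet-filter` to `base/frameworks/packet-filter/utils` is presumably to avoid a load cycle with main.bro's new `@load base/frameworks/protocols`; a comment saying so would prevent someone from "fixing" it back.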
@@ -15,14 +16,28 @@ export { ## Returns: BPF filter string. global protocol_to_bpf: function(protocol: string): string; + ## Create a BPF filter which matches all of the ports defined + ## by the various protocol analysis scripts as "common ports" + ## for the protocol. global to_bpf: function(): string; ## Maps between human readable protocol identifiers (like "HTTP") ## and the internal Bro representation for an analyzer (like ANALYZER_HTTP). ## This is typically fully populated by the base protocol analyzer scripts. - const analyzer_map: table[string] of set[count] = {} &redef; + const analyzer_map: table[string] of set[AnalyzerTag] = {} &redef; } +event bro_init() &priority=10 + { + for ( proto in common_ports ) + { + for ( p in common_ports[proto] ) + dpd_analyzer_ports[p] = analyzer_map[proto]; + for ( a in analyzer_map[proto] ) + dpd_config[a] = [$ports=common_ports[proto]]; + } + } + function protocol_to_bpf(protocol: string): string { # Return an empty string if an undefined protocol was given. @@ -42,8 +57,3 @@ function to_bpf(): string output = PacketFilter::combine_filters(output, "or", protocol_to_bpf(p)); return output; } - - - - - \ No newline at end of file diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 95259fb2e8..d6b44323d1 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -110,9 +110,9 @@ redef record connection += { # Not attaching ANALYZER_DNS_UDP_BINPAC and ANALYZER_DNS_TCP_BINPAC right now. global analyzers = { ANALYZER_DNS }; -redef Protocols::analyzer_map["DNS"] = analyzers; +redef Protocols::analyzer_map += { ["DNS"] = analyzers }; global ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; -redef Protocols::common_ports["DNS"] = ports; +redef Protocols::common_ports += { ["DNS"] = ports }; event bro_init() &priority=5 { diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 52366d28e1..3b2f0cca61 100644 
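Review bot: The new `bro_init() &priority=10` indexes `analyzer_map[proto]` for every `proto` in `common_ports` without checking membership, so a script that registers ports under a protocol name with no matching `analyzer_map` entry (or a typo between the two names) turns into a runtime error at startup; a guard such as `if ( proto !in analyzer_map ) next;` with a `Reporter::warning` would make the mismatch visible instead. `dpd_analyzer_ports[p] = analyzer_map[proto];` also assigns rather than merges, so if two protocols ever register the same port the later one silently replaces the earlier analyzer set; none of the port sets on this page overlap today, but the loop should either union into any existing entry or document that ports must be unique across protocols.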
--- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -95,9 +95,9 @@ redef record connection += { }; global analyzers = { ANALYZER_FTP }; -redef Protocols::analyzer_map["FTP"] = analyzers; +redef Protocols::analyzer_map += { ["FTP"] = analyzers }; global ports = { 21/tcp }; -redef Protocols::common_ports["FTP"] = ports; +redef Protocols::common_ports += { ["FTP"] = ports }; # Establish the variable for tracking expected connections. global ftp_data_expected: table[addr, port] of Info &create_expire=5mins; diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index dbfbe4b6ff..86b59d1f10 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro @@ -113,13 +113,9 @@ event bro_init() &priority=5 global analyzers = { ANALYZER_HTTP, ANALYZER_HTTP_BINPAC }; -redef Protocols::analyzer_map["HTTP"] = analyzers; +redef Protocols::analyzer_map += { ["HTTP"] = analyzers }; global ports = { 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, 8000/tcp, 8080/tcp, 8888/tcp }; -redef Protocols::common_ports["HTTP"] = ports; - -#redef dpd_config += { -# [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = Protocols::common_ports["HTTP"]], -#}; +redef Protocols::common_ports += { ["HTTP"] = ports }; redef likely_server_ports += { 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.bro index a59e5043f6..acb0250fc8 100644 --- a/scripts/base/protocols/irc/main.bro +++ b/scripts/base/protocols/irc/main.bro @@ -39,9 +39,9 @@ redef record connection += { }; global analyzers = { ANALYZER_IRC }; -redef Protocols::analyzer_map["IRC"] = analyzers; +redef Protocols::analyzer_map += { ["IRC"] = analyzers }; global ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp, 7000/tcp }; -redef Protocols::common_ports["IRC"] = ports; +redef Protocols::common_ports += { ["IRC"] = ports }; event bro_init() &priority=5 { 
diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index 5676878b18..544e40bf12 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -57,9 +57,6 @@ export { const mail_path_capture = ALL_HOSTS &redef; global log_smtp: event(rec: Info); - - ## Configure the default ports for SMTP analysis. - const ports = { 25/tcp, 587/tcp } &redef; } redef record connection += { @@ -68,8 +65,9 @@ redef record connection += { }; global analyzers = { ANALYZER_SMTP }; -redef Protocols::analyzer_map["SMTP"] = analyzers; -redef Protocols::common_ports["SMTP"] = ports; +redef Protocols::analyzer_map += { ["SMTP"] = analyzers }; +const ports = { 25/tcp, 587/tcp } &redef; +redef Protocols::common_ports += { ["SMTP"] = ports }; event bro_init() &priority=5 { diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index 7ca71ba9df..290b1a9c89 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -75,9 +75,9 @@ export { } global analyzers = { ANALYZER_SSH }; -redef Protocols::analyzer_map["SSH"] = analyzers; +redef Protocols::analyzer_map += { ["SSH"] = analyzers }; global ports = { 22/tcp }; -redef Protocols::common_ports["SSH"] = ports; +redef Protocols::common_ports += { ["SSH"] = ports }; redef record connection += { ssh: Info &optional; diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 6a75e01735..5c16808532 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro 
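Review bot: The SMTP hunk moves `const ports = { 25/tcp, 587/tcp } &redef;` out of the `export {}` block and drops its `## Configure the default ports for SMTP analysis.` doc line, so `SMTP::ports` is no longer part of the script's public interface even though it keeps `&redef`; any site that tunes SMTP ports by redef will break. If the goal is only to have `ports` declared next to the `Protocols::common_ports` registration, keep the declaration and its doc comment inside `export` and move just the `redef Protocols::common_ports += { ["SMTP"] = ports };` line, which also keeps the file consistent with the other protocol scripts in this commit that use a module-level `global ports`.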
@@ -73,10 +73,10 @@ event bro_init() &priority=5 } global analyzers = { ANALYZER_SSL }; -redef Protocols::analyzer_map["SSL"] = analyzers; +redef Protocols::analyzer_map += { ["SSL"] = analyzers }; global ports = { 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp }; -redef Protocols::common_ports["SSL"] = ports; +redef Protocols::common_ports += { ["SSL"] = ports }; function set_session(c: connection) diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro index 786e3668a4..502021f851 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.bro @@ -26,9 +26,9 @@ export { } global analyzers = { ANALYZER_SYSLOG_BINPAC }; -redef Protocols::analyzer_map["SYSLOG"] = analyzers; +redef Protocols::analyzer_map += { ["SYSLOG"] = analyzers }; global ports = { 514/udp }; -redef Protocols::common_ports["SYSLOG"] = ports; +redef Protocols::common_ports += { ["SYSLOG"] = ports }; redef record connection += { syslog: Info &optional; diff --git a/scripts/base/frameworks/packet-filter/load-balance.bro b/scripts/policy/misc/load-balancing.bro similarity index 79% rename from scripts/base/frameworks/packet-filter/load-balance.bro rename to scripts/policy/misc/load-balancing.bro index 105a37b617..fedf075217 100644 --- a/scripts/base/frameworks/packet-filter/load-balance.bro +++ b/scripts/policy/misc/load-balancing.bro 
@@ -1,27 +1,39 @@ -##! This script implements an automated BPF based load balancing solution for Bro clusters. -##! It is completely automated when multiple worker processes are configured for a single -##! interface on a host. One caveat is that in order for this script to work, your traffic -##! can't have any headers above the Ethernet header (vlan, mpls). +##! This script implements the "Bro side" of several load balancing +##! approaches for Bro clusters. @load base/frameworks/cluster @load base/frameworks/packet-filter -module PacketFilter; +module LoadBalancing; export { + + type Method: enum { + ## Apply BPF filters to each worker in a way that causes them to + ## automatically flow balance traffic between them. + AUTO_BPF, + ## Load balance traffic across the workers by making each one apply + ## a restrict filter to only listen to a single MAC address. This + ## is a somewhat common deployment option for sites doing network + ## based load balancing with MAC address rewriting and passing the + ## traffic to a single interface. Multiple MAC addresses will show + ## up on the same interface and need filtered to a single address. + #MAC_ADDR_BPF, + }; + + ## Defines the method of load balancing to use. + const method = AUTO_BPF &redef; + + # Configure the cluster framework to enable the load balancing filter configuration. + #global send_filter: event(for_node: string, filter: string); + #global confirm_filter_installation: event(success: bool); + redef record Cluster::Node += { ## A BPF filter for load balancing traffic sniffed on a single interface ## across a number of processes. In normal uses, this will be assigned ## dynamically by the manager and installed by the workers. lb_filter: string &optional; }; - - ## Control if BPF based load balancing is enabled on cluster deployments. - const enable_BPF_load_balancing = F &redef; - - # Configure the cluster framework to enable the load balancing filter configuration. 
- #global send_filter: event(for_node: string, filter: string); - #global confirm_filter_installation: event(success: bool); } #redef Cluster::manager2worker_events += /LoadBalancing::send_filter/; @@ -33,7 +45,7 @@ export { event bro_init() &priority=5 { - if ( ! enable_BPF_load_balancing ) + if ( method != AUTO_BPF ) return; local worker_ip_interface: table[addr, string] of count = table(); diff --git a/src/main.cc b/src/main.cc index ff33a3859d..d70832efcb 100644 --- a/src/main.cc +++ b/src/main.cc @@ -1003,13 +1003,14 @@ int main(int argc, char** argv) vl->append(new Val(i->include_level, TYPE_COUNT)); mgr.QueueEvent(bro_script_loaded, vl); } - - dpm->PostScriptInit(); - + reporter->ReportViaEvents(true); + // Drain the event queue here to support the protocols framework configuring DPM mgr.Drain(); + dpm->PostScriptInit(); + have_pending_timers = ! reading_traces && timer_mgr->Size() > 0; io_sources.Register(thread_mgr, true); diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log index 5ce968d5e6..c26fd152a4 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log @@ -5,4 +5,4 @@ #path conn #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes #types time string addr port addr port enum string interval count count string bool count string count count count count -1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 730 10 9945 +1278600802.069419 UWkUyAuUGXf 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - 0 ShADadfF 7 381 7 3801 diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output index a2bf430fb4..5a345c9f4f 100644 
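Review bot: The `Method` enum in the load-balancing.bro hunk has only one live member: `MAC_ADDR_BPF` is commented out yet still carries a full `##` doc block, so generated documentation would describe an option that cannot be selected, and the `if ( method != AUTO_BPF ) return;` guard in the bro_init hunk is currently unreachable because `method` can take no other value. Either keep the member and mark it in its own comment as `## Not yet implemented.`, or drop the commented member and its doc block until the implementation exists. The same applies to the commented-out `send_filter` / `confirm_filter_installation` event declarations that were moved up into the export block rather than removed.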
--- a/testing/btest/Baseline/core.print-bpf-filters/output +++ b/testing/btest/Baseline/core.print-bpf-filters/output @@ -5,7 +5,7 @@ #path packet_filter #fields ts node filter init success #types time string string bool bool -1328294052.330721 - ip or not ip T T +1335502481.107322 - ip or not ip T T #separator \x09 #set_separator , #empty_field (empty) @@ -13,7 +13,7 @@ #path packet_filter #fields ts node filter init success #types time string string bool bool -1328294052.542418 - ((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (udp and port 5355)) or (tcp port 22)) or (tcp port 995)) or (port 21)) or (tcp port 25 or tcp port 587)) or (port 6667)) or (tcp port 614)) or (tcp port 990)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666) T T +1335502481.417564 - port 42 T T #separator \x09 #set_separator , #empty_field (empty) @@ -21,12 +21,4 @@ #path packet_filter #fields ts node filter init success #types time string string bool bool -1328294052.748480 - port 42 T T -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path packet_filter -#fields ts node filter init success -#types time string string bool bool -1328294052.952845 - port 56730 T T +1335502481.737329 - (vlan) and (ip or not ip) T T diff --git a/testing/btest/core/print-bpf-filters.bro b/testing/btest/core/print-bpf-filters.bro index 6d9cef0220..383982eddf 100644 --- a/testing/btest/core/print-bpf-filters.bro +++ b/testing/btest/core/print-bpf-filters.bro 
@@ -1,10 +1,8 @@ -# @TEST-EXEC: bro -r $TRACES/empty.trace -e '' >output +# @TEST-EXEC: bro -r $TRACES/empty.trace >output # @TEST-EXEC: cat packet_filter.log >>output -# @TEST-EXEC: bro -r $TRACES/empty.trace PacketFilter::all_packets=F >>output +# @TEST-EXEC: bro -r $TRACES/empty.trace -f "port 42" >>output # @TEST-EXEC: cat packet_filter.log >>output -# @TEST-EXEC: bro -r $TRACES/empty.trace -f "port 42" -e '' >>output -# @TEST-EXEC: cat packet_filter.log >>output -# @TEST-EXEC: bro -r $TRACES/empty.trace -C -f "port 56730" -r $TRACES/mixed-vlan-mpls.trace >>output +# @TEST-EXEC: bro -r $TRACES/mixed-vlan-mpls.trace PacketFilter::restricted_filter="vlan" >>output # @TEST-EXEC: cat packet_filter.log >>output # @TEST-EXEC: btest-diff output # @TEST-EXEC: btest-diff conn.log From ed2a5d6ac2fee89e92413339e5fce47a5ff303fe Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 2 May 2012 22:54:39 -0400 Subject: [PATCH 005/200] Last test update for PacketFilter framework. --- .../canonified_loaded_scripts.log | 4 +++ .../send.log | 30 ++++++++++--------- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 92deb62edb..2b039e0cb2 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -48,7 +48,11 @@ scripts/base/init-default.bro scripts/base/frameworks/signatures/__load__.bro scripts/base/frameworks/signatures/./main.bro scripts/base/frameworks/packet-filter/__load__.bro + scripts/base/frameworks/packet-filter/./utils.bro scripts/base/frameworks/packet-filter/./main.bro + scripts/base/frameworks/protocols/__load__.bro + scripts/base/frameworks/protocols/./main.bro + scripts/base/frameworks/packet-filter/./shunt.bro scripts/base/frameworks/packet-filter/./netstats.bro scripts/base/frameworks/software/__load__.bro scripts/base/frameworks/software/./main.bro diff --git a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log b/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log index d3c14c8603..2b20030056 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log +++ b/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log 
@@ -5,17 +5,19 @@ #path communication #fields ts peer src_name connected_peer_desc connected_peer_addr connected_peer_port level message #types time string string string addr port string string -1326492291.485390 bro parent - - - info [#1/127.0.0.1:47757] added peer -1326492291.491731 bro child - - - info [#1/127.0.0.1:47757] connected -1326492291.492024 bro parent - - - info [#1/127.0.0.1:47757] peer connected -1326492291.492024 bro parent - - - info [#1/127.0.0.1:47757] phase: version -1326492291.492740 bro script - - - info connection established -1326492291.492740 bro script - - - info requesting events matching /^?(NOTHING)$?/ -1326492291.492740 bro script - - - info accepting state -1326492291.493800 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake -1326492291.493800 bro parent - - - info warning: no events to request -1326492291.494161 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro -1326492291.494404 bro parent - - - info [#1/127.0.0.1:47757] peer supports keep-in-cache; using that -1326492291.494404 bro parent - - - info [#1/127.0.0.1:47757] phase: running -1326492291.494404 bro parent - - - info terminating... 
-1326492291.494404 bro parent - - - info [#1/127.0.0.1:47757] closing connection +1336011989.763783 bro parent - - - info [#1/127.0.0.1:47757] added peer +1336011989.763783 bro child - - - info [#1/127.0.0.1:47757] connected +1336011989.763783 bro parent - - - info [#1/127.0.0.1:47757] peer connected +1336011989.763783 bro parent - - - info [#1/127.0.0.1:47757] phase: version +1336011989.763783 bro script - - - info connection established +1336011989.763783 bro script - - - info requesting events matching /^?(NOTHING)$?/ +1336011989.763783 bro script - - - info accepting state +1336011989.863273 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake +1336011989.863273 bro parent - - - info warning: no events to request +1336011989.873923 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro +1336011989.881442 bro parent - - - info [#1/127.0.0.1:47757] peer supports keep-in-cache; using that +1336011989.881442 bro parent - - - info [#1/127.0.0.1:47757] phase: running +1336011989.881442 bro parent - - - info terminating... +1336011989.881442 bro script - - - info connection closed +1336011989.881442 bro parent - - - info [#1/127.0.0.1:47757] peer disconnected +1336011989.881442 bro parent - - - info [#1/127.0.0.1:47757] closing connection From 5dd07e023dfbc01e9fe8d7026b59f1a5bfbfba4a Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Thu, 14 Mar 2013 16:14:13 -0700 Subject: [PATCH 006/200] change raw reader to use basic c io instead of fdstream encapsulation class. preparation for future changes. --- src/input/fdstream.h | 189 --------------------------------------- src/input/readers/Raw.cc | 128 +++++++++++++++++++------- src/input/readers/Raw.h | 10 ++- 3 files changed, 105 insertions(+), 222 deletions(-) delete mode 100644 src/input/fdstream.h diff --git a/src/input/fdstream.h b/src/input/fdstream.h deleted file mode 100644 index cda767dd52..0000000000 --- a/src/input/fdstream.h +++ /dev/null 
@@ -1,189 +0,0 @@ -/* The following code declares classes to read from and write to - * file descriptore or file handles. - * - * See - * http://www.josuttis.com/cppcode - * for details and the latest version. - * - * - open: - * - integrating BUFSIZ on some systems? - * - optimized reading of multiple characters - * - stream for reading AND writing - * - i18n - * - * (C) Copyright Nicolai M. Josuttis 2001. - * Permission to copy, use, modify, sell and distribute this software - * is granted provided this copyright notice appears in all copies. - * This software is provided "as is" without express or implied - * warranty, and with no claim as to its suitability for any purpose. - * - * Version: Jul 28, 2002 - * History: - * Jul 28, 2002: bugfix memcpy() => memmove() - * fdinbuf::underflow(): cast for return statements - * Aug 05, 2001: first public version - */ -#ifndef BOOST_FDSTREAM_HPP -#define BOOST_FDSTREAM_HPP - -#include -#include -#include -// for EOF: -#include -// for memmove(): -#include - - - -// low-level read and write functions -#ifdef _MSC_VER -# include -#else -# include -# include -//extern "C" { -// int write (int fd, const char* buf, int num); -// int read (int fd, char* buf, int num); -//} -#endif - - -// BEGIN namespace BOOST -namespace boost { - - -/************************************************************ - * fdostream - * - a stream that writes on a file descriptor - ************************************************************/ - - -class fdoutbuf : public std::streambuf { - protected: - int fd; // file descriptor - public: - // constructor - fdoutbuf (int _fd) : fd(_fd) { - } - protected: - // write one character - virtual int_type overflow (int_type c) { - if (c != EOF) { - char z = c; - if (write (fd, &z, 1) != 1) { - return EOF; - } - } - return c; - } - // write multiple characters - virtual - std::streamsize xsputn (const char* s, - std::streamsize num) { - return write(fd,s,num); - } -}; - -class fdostream : public std::ostream { 
- protected: - fdoutbuf buf; - public: - fdostream (int fd) : std::ostream(0), buf(fd) { - rdbuf(&buf); - } -}; - - -/************************************************************ - * fdistream - * - a stream that reads on a file descriptor - ************************************************************/ - -class fdinbuf : public std::streambuf { - protected: - int fd; // file descriptor - protected: - /* data buffer: - * - at most, pbSize characters in putback area plus - * - at most, bufSize characters in ordinary read buffer - */ - static const int pbSize = 4; // size of putback area - static const int bufSize = 1024; // size of the data buffer - char buffer[bufSize+pbSize]; // data buffer - - public: - /* constructor - * - initialize file descriptor - * - initialize empty data buffer - * - no putback area - * => force underflow() - */ - fdinbuf (int _fd) : fd(_fd) { - setg (buffer+pbSize, // beginning of putback area - buffer+pbSize, // read position - buffer+pbSize); // end position - } - - protected: - // insert new characters into the buffer - virtual int_type underflow () { -#ifndef _MSC_VER - using std::memmove; -#endif - - // is read position before end of buffer? 
- if (gptr() < egptr()) { - return traits_type::to_int_type(*gptr()); - } - - /* process size of putback area - * - use number of characters read - * - but at most size of putback area - */ - int numPutback; - numPutback = gptr() - eback(); - if (numPutback > pbSize) { - numPutback = pbSize; - } - - /* copy up to pbSize characters previously read into - * the putback area - */ - memmove (buffer+(pbSize-numPutback), gptr()-numPutback, - numPutback); - - // read at most bufSize new characters - int num; - num = read (fd, buffer+pbSize, bufSize); - if ( num == EAGAIN ) { - return 0; - } - if (num <= 0) { - // ERROR or EOF - return EOF; - } - - // reset buffer pointers - setg (buffer+(pbSize-numPutback), // beginning of putback area - buffer+pbSize, // read position - buffer+pbSize+num); // end of buffer - - // return next character - return traits_type::to_int_type(*gptr()); - } -}; - -class fdistream : public std::istream { - protected: - fdinbuf buf; - public: - fdistream (int fd) : std::istream(0), buf(fd) { - rdbuf(&buf); - } -}; - - -} // END namespace boost - -#endif /*BOOST_FDSTREAM_HPP*/ diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index ac96e5c0f5..7a31be8716 100644 --- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc 
@@ -3,32 +3,32 @@ #include "Raw.h" #include "NetVar.h" -#include -#include - #include "../../threading/SerialTypes.h" -#include "../fdstream.h" #include #include #include #include #include +#include using namespace input::reader; using threading::Value; using threading::Field; +const int Raw::block_size = 512; // how big do we expect our chunks of data to be... + Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend) { file = 0; - in = 0; - separator.assign( (const char*) BifConst::InputRaw::record_separator->Bytes(), BifConst::InputRaw::record_separator->Len()); - if ( separator.size() != 1 ) - Error("separator length has to be 1. Separator will be truncated."); + sep_length = BifConst::InputRaw::record_separator->Len(); + + buf = 0; + outbuf = 0; + bufpos = 0; } Raw::~Raw() @@ -47,7 +47,7 @@ bool Raw::OpenInput() if ( execute ) { file = popen(fname.c_str(), "r"); - if ( file == NULL ) + if ( !file ) { Error(Fmt("Could not execute command %s", fname.c_str())); return false; @@ -56,16 +56,13 @@ bool Raw::OpenInput() else { file = fopen(fname.c_str(), "r"); - if ( file == NULL ) + if ( !file ) { Error(Fmt("Init: cannot open %s", fname.c_str())); return false; } } - // This is defined in input/fdstream.h - in = new boost::fdistream(fileno(file)); - if ( execute && Info().mode == MODE_STREAM ) fcntl(fileno(file), F_SETFL, O_NONBLOCK); @@ -74,7 +71,7 @@ bool Raw::OpenInput() bool Raw::CloseInput() { - if ( file == NULL ) + if ( file == 0 ) { InternalError(Fmt("Trying to close closed file for stream %s", fname.c_str())); return false; @@ -83,15 +80,12 @@ bool Raw::CloseInput() Debug(DBG_INPUT, "Raw reader starting close"); #endif - delete in; - if ( execute ) pclose(file); else fclose(file); - in = NULL; - file = NULL; + file = 0; #ifdef DEBUG Debug(DBG_INPUT, "Raw reader finished close"); 
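Review bot: The constructor hunk in Raw.cc drops the `separator.size() != 1` check without validating the new `sep_length`, so a zero-length `record_separator` is now accepted. With an empty needle `strnstr` in the later GetLine hunk presumably returns the start of the buffer, which would yield a zero-length line and leave all input as leftover on every call, so DoUpdate would emit empty values without ever consuming anything. Reject that case at construction, e.g. `if ( sep_length == 0 ) Error("record_separator must not be empty");`, and state in a comment whether multi-byte separators are now intended, since that is the other input the removed check used to refuse.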
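Review bot: The null checks on `file` are spelled two ways within the same commit: `if ( !file )` in the OpenInput hunks (`@@ -47,7 +47,7 @@` and `@@ -56,16 +56,13 @@`) but `if ( file == 0 )` and `file = 0;` in the CloseInput hunks (`@@ -74,7 +71,7 @@` and `@@ -83,15 +80,12 @@`). Pick one spelling for the file; `!file` is the shorter form and is what the popen/fopen error paths already use.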
@@ -169,15 +163,81 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie } -bool Raw::GetLine(string& str) +int64_t Raw::GetLine() { - if ( in->peek() == std::iostream::traits_type::eof() ) - return false; - if ( in->eofbit == true || in->failbit == true ) - return false; + errno = 0; + uint64_t pos = 0; + + if ( buf == 0 ) + buf = new char[block_size]; + + int repeats = 1; + + for (;;) + { + size_t readbytes = fread(buf+bufpos, 1, block_size-bufpos, file); + pos += bufpos + readbytes; + bufpos = 0; // read full block size in next read... + + if ( errno != 0 ) + break; + + char* token = strnstr(buf, separator.c_str(), block_size*repeats-pos); + + if ( token == 0 ) + { + // we did not find it and have to search again in the next try. resize buffer.... + // but first check if we encountered the file end - because if we did this was it. + if ( feof(file) != 0 ) + { + outbuf = buf; + buf = 0; + if ( pos == 0 ) + return -1; // signal EOF - and that we had no more data. + else + return pos; + } + + repeats++; + // bah, we cannot use realloc because we would have to change the delete in the manager to a delete :( + //char* newbuf = realloc(buf,block_size*repeats); + char * newbuf = new char[block_size*repeats]; + memcpy(newbuf, buf, block_size*(repeats-1)); + delete buf; + buf = newbuf; + } + else + { + outbuf = buf; + buf = 0; + buf = new char[block_size]; + + + if ( token - outbuf < pos ) + { + // we have leftovers. copy them into the buffer for the next line + buf = new char[block_size]; + memcpy(buf, token + sep_length, -(token - outbuf + sep_length) +pos); + bufpos = -(token - outbuf + sep_length) +pos; + } + + pos = token-outbuf; + return pos; + } + + } + + if ( errno == 0 ) { + assert(false); + } else if ( errno == EAGAIN || errno == EAGAIN || errno == EINTR ) { + return -2; + } else { + // an error code we did no expect. This probably is bad. 
+ Error(Fmt("Reader encountered unexpected error code %d", errno)); + return -3; + } - return getline(*in, str, separator[0]); } // read the entire file and send appropriate thingies back to InputMgr @@ -211,10 +271,10 @@ bool Raw::DoUpdate() case MODE_MANUAL: case MODE_STREAM: - if ( Info().mode == MODE_STREAM && file != NULL && in != NULL ) + if ( Info().mode == MODE_STREAM && file != 0 ) { //fpurge(file); - in->clear(); // remove end of file evil bits + clearerr(file); // remove end of file evil bits break; } @@ -230,19 +290,27 @@ bool Raw::DoUpdate() } string line; - while ( GetLine(line) ) + assert (NumFields() == 1); + for ( ;; ) { - assert (NumFields() == 1); + int64_t length = GetLine(); + if ( length == -3 ) + return false; + else if ( length == -2 || length == -1 ) + // no data ready or eof + break; Value** fields = new Value*[1]; // filter has exactly one text field. convert to it. Value* val = new Value(TYPE_STRING, true); - val->val.string_val.data = copy_string(line.c_str()); - val->val.string_val.length = line.size(); + val->val.string_val.data = outbuf; + val->val.string_val.length = length; fields[0] = val; Put(fields); + + outbuf = 0; } #ifdef DEBUG diff --git a/src/input/readers/Raw.h b/src/input/readers/Raw.h index 48912b70a7..07acf1b2c0 100644 --- a/src/input/readers/Raw.h +++ b/src/input/readers/Raw.h @@ -3,7 +3,6 @@ #ifndef INPUT_READERS_RAW_H #define INPUT_READERS_RAW_H -#include #include #include "../ReaderBackend.h" @@ -30,10 +29,9 @@ protected: private: bool OpenInput(); bool CloseInput(); - bool GetLine(string& str); + int64_t GetLine(); string fname; // Source with a potential "|" removed. - istream* in; FILE* file; bool execute; bool firstrun; @@ -41,6 +39,12 @@ private: // options set from the script-level. string separator; + unsigned int sep_length; // length of the separator + + static const int block_size; + uint32_t bufpos; + char* buf; + char* outbuf; }; } From f2d67b5829f1886e94c4aee99a5b2f92b7b98892 Mon Sep 17 00:00:00 2001 
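Review bot: The read loop in the new `Raw::GetLine` (hunk `@@ -169,15 +163,81 @@`, whole function inside it) loses data once a line exceeds `block_size`: after the buffer is grown, `fread(buf+bufpos, 1, block_size-bufpos, file)` runs with `bufpos == 0` and overwrites the start of the buffer instead of appending at `buf+pos`, and `strnstr(buf, separator.c_str(), block_size*repeats-pos)` searches the unfilled tail rather than the `pos` bytes actually read. The leftover path has a matching ceiling: `memcpy(buf, token + sep_length, …)` copies into a fresh `block_size` buffer although the leftover can approach `block_size*repeats` after a grow, and the `buf = new char[block_size];` just above it is overwritten by the second allocation, so that block leaks. `delete buf;` releases `new[]` memory with scalar delete, and on EOF with `pos == 0` the buffer is parked in `outbuf` and never freed. The rewrite below appends at `buf+pos`, searches only the filled bytes, sizes the carry-over buffer by the leftover, and keeps a partial line buffered when a non-blocking read returns nothing; it relies on a new member holding the current capacity of `buf` (`bufsize` here is a constructed name that Raw.h would need to gain). `strnstr` is a BSD extension that glibc lacks, so a portable search (`memmem` or `std::search`) may be needed for Linux builds regardless.
```cpp
int64_t Raw::GetLine()
	{
	errno = 0;

	if ( buf == 0 )
		{
		buf = new char[block_size];
		bufsize = block_size;      // new member: current capacity of buf
		}

	// Bytes carried over from the previous call already sit in buf[0..bufpos).
	uint64_t pos = bufpos;
	bufpos = 0;

	for (;;)
		{
		if ( pos == bufsize )
			{
			// Line longer than the buffer: grow, keeping everything read so far.
			char* newbuf = new char[bufsize * 2];
			memcpy(newbuf, buf, pos);
			delete [] buf;
			buf = newbuf;
			bufsize *= 2;
			}

		// Append after the bytes already held, never at the start of the buffer.
		size_t readbytes = fread(buf + pos, 1, bufsize - pos, file);
		pos += readbytes;

		// Search only what has been filled, not the free space behind it.
		char* token = strnstr(buf, separator.c_str(), pos);

		if ( token == 0 )
			{
			if ( feof(file) != 0 )
				{
				if ( pos == 0 )
					return -1;   // nothing buffered; keep buf for the next call

				outbuf = buf;
				buf = 0;
				return pos;
				}

			if ( readbytes == 0 && errno != 0 )
				{
				bufpos = pos;    // keep the partial line; the caller retries later
				break;
				}

			continue;
			}

		uint64_t line_len = token - buf;
		uint64_t leftover = pos - line_len - sep_length;

		outbuf = buf;

		// The carry-over buffer must hold the whole leftover, which can exceed
		// block_size once the buffer has grown.
		bufsize = leftover > (uint64_t) block_size ? leftover : (uint64_t) block_size;
		buf = new char[bufsize];
		memcpy(buf, token + sep_length, leftover);
		bufpos = leftover;

		return line_len;
		}

	// … unchanged: errno classification returning -2 / -3 …
	}
```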
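Review bot: In the DoUpdate hunk `@@ -230,19 +290,27 @@`, `val->val.string_val.data = outbuf;` hands the manager a block allocated with `new char[]`, while the comment in the GetLine hunk says the manager frees it with plain `delete` — a new[]/delete mismatch that the old `copy_string` path did not have. The old path also produced a NUL-terminated copy, whereas `outbuf` carries only `length` meaningful bytes, so any consumer that still treats `string_val.data` as a C string would read past the line. Either allocate with the scheme the manager deletes with, or document at the assignment that the buffer is not NUL-terminated and that `length` is the only valid size, e.g. `// outbuf is a raw new[] block of exactly `length` bytes, not NUL-terminated`.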
From: Bernhard Amann Date: Fri, 15 Mar 2013 13:32:28 -0700 Subject: [PATCH 007/200] replace popen with fork and exec. Note for future: eof only gets sent when the parent closes its in-pipe after forking. --- src/input/readers/Raw.cc | 65 +++++++++++++++++++++++++++++++++++----- src/input/readers/Raw.h | 5 ++++ 2 files changed, 62 insertions(+), 8 deletions(-) diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index 7a31be8716..4c0fd988d3 100644 --- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc @@ -29,6 +29,15 @@ Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend) buf = 0; outbuf = 0; bufpos = 0; + + stdin_fileno = fileno(stdin); + stdout_fileno = fileno(stdout); + stderr_fileno = fileno(stderr); + + // and because we later assume this... + assert(stdin_fileno == 0); + assert(stdout_fileno == 1); + assert(stderr_fileno == 2); } Raw::~Raw() @@ -42,16 +51,53 @@ void Raw::DoClose() CloseInput(); } +bool Raw::Execute() + { + int stdout_pipe[2]; + pid_t pid; + + if (pipe(stdout_pipe) != 0) + { + Error(Fmt("Could not open pipe: %d", errno)); + return false; + } + + pid = fork(); + if ( pid < 0 ) + { + Error(Fmt("Could not create child process: %d", errno)); + return false; + } + else if ( pid == 0 ) + { + // we are the child. + close(stdout_pipe[stdin_fileno]); + dup2(stdout_pipe[stdout_fileno], stdout_fileno); + //execv("/usr/bin/uname",test); + execl("/bin/sh", "sh", "-c", fname.c_str(), NULL); + fprintf(stderr, "Exec failed :(......\n"); + exit(255); + } + else + { + // we are the parent + close(stdout_pipe[stdout_fileno]); + file = fdopen(stdout_pipe[stdin_fileno], "r"); + if ( file == 0 ) + { + Error("Could not convert fileno to file"); + return false; + } + return true; + } + } + bool Raw::OpenInput() { if ( execute ) { - file = popen(fname.c_str(), "r"); - if ( !file ) - { - Error(Fmt("Could not execute command %s", fname.c_str())); + if ( ! Execute() ) return false; - } } else { 
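Review bot: In the child branch of the new `Raw::Execute`, the fallback after a failed `execl` calls `exit(255)`, which runs the parent's atexit handlers and flushes its duplicated stdio buffers from inside the child; `_exit(255)` is the right call there. The `dup2` result is unchecked and the original write end `stdout_pipe[stdout_fileno]` is left open in the child after being duplicated onto stdout, while in the parent the read end is not marked close-on-exec, so it presumably leaks into any later child. Indexing the pipe with `stdin_fileno`/`stdout_fileno` reads as if the descriptors were related, but `pipe()` always returns the read end in `[0]` and the write end in `[1]`; spelling the indices out removes the need for the three asserts added in the constructor hunk. The parent never reaps the child with `waitpid`, so a finished command stays a zombie; the whole function body is inside the hunk.
```cpp
	else if ( pid == 0 )
		{
		// we are the child: wire the pipe's write end to stdout, then drop both pipe fds
		close(stdout_pipe[0]);
		if ( dup2(stdout_pipe[1], 1) < 0 )
			_exit(255);
		close(stdout_pipe[1]);
		execl("/bin/sh", "sh", "-c", fname.c_str(), (char*) NULL);
		fprintf(stderr, "Exec failed :(......\n");
		// only reached if exec failed; do not run the parent's atexit handlers here
		_exit(255);
		}
	// … unchanged: parent branch …
```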
@@ -63,9 +109,10 @@ bool Raw::OpenInput() } } - if ( execute && Info().mode == MODE_STREAM ) - fcntl(fileno(file), F_SETFL, O_NONBLOCK); + //if ( execute && Info().mode == MODE_STREAM ) + // fcntl(fileno(file), F_SETFL, O_NONBLOCK); + //fcntl(fileno(file), F_SETFD, FD_CLOEXEC); return true; } @@ -130,12 +177,14 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie execute = true; fname = source.substr(0, fname.length() - 1); + /* if ( (info.mode != MODE_MANUAL) ) { Error(Fmt("Unsupported read mode %d for source %s in execution mode", info.mode, fname.c_str())); return false; } + */ result = OpenInput(); @@ -299,7 +348,7 @@ bool Raw::DoUpdate() else if ( length == -2 || length == -1 ) // no data ready or eof break; - + Value** fields = new Value*[1]; // filter has exactly one text field. convert to it. diff --git a/src/input/readers/Raw.h b/src/input/readers/Raw.h index 07acf1b2c0..bd87648493 100644 --- a/src/input/readers/Raw.h +++ b/src/input/readers/Raw.h @@ -40,11 +40,16 @@ private: // options set from the script-level. string separator; unsigned int sep_length; // length of the separator + bool Execute(); static const int block_size; uint32_t bufpos; char* buf; char* outbuf; + + int stdin_fileno; + int stdout_fileno; + int stderr_fileno; }; } From fc42c71dfa497325613a004e442391753ea9277a Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Fri, 15 Mar 2013 13:58:41 -0700 Subject: [PATCH 008/200] Streaming reads from external commands work without blocking anything. --- src/input/readers/Raw.cc | 34 ++-- src/input/readers/Raw.h | 2 + .../out | 153 ++++++++++++++++++ .../frameworks/input/executestreamraw.bro | 61 +++++++ 4 files changed, 235 insertions(+), 15 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.executestreamraw/out create mode 100644 testing/btest/scripts/base/frameworks/input/executestreamraw.bro 
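Review bot: The OpenInput hunk replaces the `O_NONBLOCK` fcntl with three commented-out lines (`//if ( execute && Info().mode == MODE_STREAM )`, `// fcntl(..., F_SETFL, O_NONBLOCK);`, `//fcntl(..., F_SETFD, FD_CLOEXEC);`), and the `@@ -130,12 +177,14 @@` hunk likewise fences the execute-mode restriction in `/* */` instead of deleting it. Commented-out code does not tell the next reader whether it is gone or pending; either remove it or leave a `// TODO: re-enable O_NONBLOCK for MODE_STREAM once the fork/exec pipe supports it` that states the plan. With the mode restriction disabled and no non-blocking flag, execute mode in `MODE_STREAM` presumably now reads from a blocking pipe, so a DoUpdate can stall until the child writes.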
diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index 4c0fd988d3..40215dabee 100644 --- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc @@ -11,6 +11,7 @@ #include #include #include +#include using namespace input::reader; using threading::Value; @@ -38,6 +39,8 @@ Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend) assert(stdin_fileno == 0); assert(stdout_fileno == 1); assert(stderr_fileno == 2); + + childpid = -1; } Raw::~Raw() @@ -49,12 +52,15 @@ void Raw::DoClose() { if ( file != 0 ) CloseInput(); + + if ( execute && childpid > 0 ) + // kill child process + kill(childpid, 9); // TERMINATOR } bool Raw::Execute() { int stdout_pipe[2]; - pid_t pid; if (pipe(stdout_pipe) != 0) { @@ -62,13 +68,13 @@ bool Raw::Execute() return false; } - pid = fork(); - if ( pid < 0 ) + childpid = fork(); + if ( childpid < 0 ) { Error(Fmt("Could not create child process: %d", errno)); return false; } - else if ( pid == 0 ) + else if ( childpid == 0 ) { // we are the child. close(stdout_pipe[stdin_fileno]); @@ -82,6 +88,10 @@ bool Raw::Execute() { // we are the parent close(stdout_pipe[stdout_fileno]); + + if ( Info().mode == MODE_STREAM ) + fcntl(stdout_pipe[stdin_fileno], F_SETFL, O_NONBLOCK); + file = fdopen(stdout_pipe[stdin_fileno], "r"); if ( file == 0 ) { @@ -102,6 +112,7 @@ bool Raw::OpenInput() else { file = fopen(fname.c_str(), "r"); + fcntl(fileno(file), F_SETFD, FD_CLOEXEC); if ( !file ) { Error(Fmt("Init: cannot open %s", fname.c_str())); @@ -177,15 +188,6 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie execute = true; fname = source.substr(0, fname.length() - 1); - /* - if ( (info.mode != MODE_MANUAL) ) - { - Error(Fmt("Unsupported read mode %d for source %s in execution mode", - info.mode, fname.c_str())); - return false; - } - */ - result = OpenInput(); } 
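Review bot: `kill(childpid, 9); // TERMINATOR` in the DoClose hunk uses a bare signal number and never reaps the child, so every closed execute-mode stream leaves a zombie until the Bro process exits, and `childpid` is not reset afterwards, so a repeated DoClose (if that can happen) would signal a stale pid. Prefer `kill(childpid, SIGKILL); waitpid(childpid, 0, 0); childpid = -1;`, or `SIGTERM` first if the command should get a chance to flush its output. The `execute && childpid > 0` guard itself is fine.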
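Review bot: In the OpenInput hunk (`@@ -102,6 +112,7 @@`), `fcntl(fileno(file), F_SETFD, FD_CLOEXEC);` is inserted before the `if ( !file )` check, so a failed `fopen` now passes a null `FILE*` to `fileno` instead of reaching the `Init: cannot open` error. Move the fcntl below the check. The read end of the pipe created in the Execute hunk has the same leak-into-children concern, so applying `FD_CLOEXEC` to `stdout_pipe[stdin_fileno]` in the parent branch there would keep the two paths consistent.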
@@ -229,7 +231,7 @@ int64_t Raw::GetLine() pos += bufpos + readbytes; bufpos = 0; // read full block size in next read... - if ( errno != 0 ) + if ( pos == 0 && errno != 0 ) break; char* token = strnstr(buf, separator.c_str(), block_size*repeats-pos); @@ -279,7 +281,7 @@ int64_t Raw::GetLine() if ( errno == 0 ) { assert(false); - } else if ( errno == EAGAIN || errno == EAGAIN || errno == EINTR ) { + } else if ( errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR ) { return -2; } else { // an error code we did no expect. This probably is bad. @@ -343,6 +345,8 @@ bool Raw::DoUpdate() for ( ;; ) { int64_t length = GetLine(); + //printf("Read %lld bytes", length); + if ( length == -3 ) return false; else if ( length == -2 || length == -1 ) diff --git a/src/input/readers/Raw.h b/src/input/readers/Raw.h index bd87648493..d550716c48 100644 --- a/src/input/readers/Raw.h +++ b/src/input/readers/Raw.h @@ -50,6 +50,8 @@ private: int stdin_fileno; int stdout_fileno; int stderr_fileno; + + pid_t childpid; }; } diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.executestreamraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.executestreamraw/out new file mode 100644 index 0000000000..59a5f2c116 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.executestreamraw/out 
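Review bot: Changing the guard to `if ( pos == 0 && errno != 0 ) break;` means a partial line followed by `EAGAIN` on the now non-blocking pipe no longer leaves the loop, and as far as I can trace there is then no exit: `fread` returns 0 with `errno == EAGAIN`, `strnstr` finds no separator, `feof` is false, so the buffer is grown and the loop repeats, allocating without bound until data arrives. The intended behaviour is presumably to keep the partial bytes and report -2; that needs the partial line stashed before breaking, e.g. `if ( readbytes == 0 && errno != 0 ) { bufpos = pos; break; }` placed after the separator search, which in turn requires the next call's `fread(buf+bufpos, 1, block_size-bufpos, file)` to cope with `bufpos` reaching `block_size`. The rest of `GetLine` is outside this hunk.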
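Review bot: `//printf("Read %lld bytes", length);` in the DoUpdate hunk (`@@ -343,6 +345,8 @@`) is a commented-out debug print. The file already routes such output through `Debug(DBG_INPUT, ...)` under `#ifdef DEBUG` (see the CloseInput hunks in the earlier Raw.cc patch), so either use `Debug(DBG_INPUT, Fmt("Raw reader read %lld bytes", length));` there or drop the line.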
@@ -0,0 +1,153 @@ +[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +A::try = A::try + 1; +if (8 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ + +}] +Input::EVENT_NEW +sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF +[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +A::try = A::try + 1; +if (8 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ + +}] +Input::EVENT_NEW +DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF +[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +A::try = A::try + 1; +if (8 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ + +}] +Input::EVENT_NEW +q3r3057fdf +[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +A::try = A::try + 1; +if (8 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ + +}] +Input::EVENT_NEW +sdfs\d +[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +A::try = A::try + 1; +if (8 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ 
+ +}] +Input::EVENT_NEW + +[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +A::try = A::try + 1; +if (8 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ + +}] +Input::EVENT_NEW +dfsdf +[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +A::try = A::try + 1; +if (8 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ + +}] +Input::EVENT_NEW +sdf +[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +A::try = A::try + 1; +if (8 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ + +}] +Input::EVENT_NEW +3rw43wRRERLlL#RWERERERE. +done diff --git a/testing/btest/scripts/base/frameworks/input/executestreamraw.bro b/testing/btest/scripts/base/frameworks/input/executestreamraw.bro new file mode 100644 index 0000000000..ead33018dc --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/executestreamraw.bro 
@@ -0,0 +1,61 @@ +# @TEST-EXEC: cp input1.log input.log +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: sleep 3 +# @TEST-EXEC: cat input2.log >> input.log +# @TEST-EXEC: sleep 3 +# @TEST-EXEC: cat input3.log >> input.log +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff out + +redef exit_only_after_terminate = T; + +@TEST-START-FILE input1.log +sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF +@TEST-END-FILE + +@TEST-START-FILE input2.log +DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF +q3r3057fdf +@TEST-END-FILE + +@TEST-START-FILE input3.log +sdfs\d + +dfsdf +sdf +3rw43wRRERLlL#RWERERERE. +@TEST-END-FILE + +@load base/frameworks/communication # let network-time run + +module A; + +type Val: record { + s: string; +}; + +global try: count; +global outfile: file; + +event line(description: Input::EventDescription, tpe: Input::Event, s: string) + { + print outfile, description; + print outfile, tpe; + print outfile, s; + + try = try + 1; + if ( try == 8 ) + { + print outfile, "done"; + close(outfile); + Input::remove("input"); + terminate(); + } + } + +event bro_init() + { + outfile = open("../out"); + try = 0; + Input::add_event([$source="tail -f ../input.log |", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line, $want_record=F]); + } From 3aeec7ec14323acc62f785c35df6d710aeeec0f1 Mon Sep 17 00:00:00 2001 
From: Bernhard Amann Date: Fri, 15 Mar 2013 15:47:20 -0700 Subject: [PATCH 009/200] allow sending data to stdin of child process --- src/input/readers/Raw.cc | 87 ++++++++++++++----- src/input/readers/Raw.h | 21 ++++- .../out | 36 ++++++++ .../test.txt | 2 + .../base/frameworks/input/execrawstdin.bro | 44 ++++++++++ 5 files changed, 166 insertions(+), 24 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/out create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/test.txt create mode 100644 testing/btest/scripts/base/frameworks/input/execrawstdin.bro diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index 40215dabee..c4dfe55b93 100644 --- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc @@ -19,6 +19,7 @@ using threading::Field; const int Raw::block_size = 512; // how big do we expect our chunks of data to be... + Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend) { file = 0; @@ -41,6 +42,8 @@ Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend) assert(stderr_fileno == 2); childpid = -1; + + stdin_towrite = 0; // by default do not open stdin } Raw::~Raw() @@ -53,6 +56,7 @@ void Raw::DoClose() if ( file != 0 ) CloseInput(); + if ( execute && childpid > 0 ) // kill child process kill(childpid, 9); // TERMINATOR @@ -60,9 +64,8 @@ void Raw::DoClose() bool Raw::Execute() { - int stdout_pipe[2]; - if (pipe(stdout_pipe) != 0) + if (pipe(pipes) != 0 || pipe(pipes+2) || pipe(pipes+4) ) { Error(Fmt("Could not open pipe: %d", errno)); return false; 
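Review bot: In the new pipe-creation condition `if (pipe(pipes) != 0 || pipe(pipes+2) || pipe(pipes+4) )`, a failure of the second or third pipe() leaves the descriptors from the earlier successful calls open, because the error path only reports and returns false. Those leaked ends are then inherited by every child forked afterwards, and nothing marks the unfilled slots of `pipes[]` as invalid for the later cleanup loop. I would create the three pipes in a loop that closes what was already opened before returning, and initialise every slot to -1 first so later code can tell open ends apart. Execute() continues past this hunk.
```cpp
for ( int i = 0; i < 6; i++ )
    pipes[i] = -1;

for ( int i = 0; i < 3; i++ )
    if ( pipe(pipes + 2*i) != 0 )
        {
        Error(Fmt("Could not open pipe: %d", errno));
        for ( int j = 0; j < 2*i; j++ )
            close(pipes[j]);
        return false;
        }
// … unchanged: fork() and child/parent setup …
```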
@@ -77,8 +80,15 @@ bool Raw::Execute() else if ( childpid == 0 ) { // we are the child. - close(stdout_pipe[stdin_fileno]); - dup2(stdout_pipe[stdout_fileno], stdout_fileno); + close(pipes[stdout_in]); + dup2(pipes[stdout_out], stdout_fileno); + + if ( stdin_towrite ) + { + close(pipes[stdin_out]); + dup2(pipes[stdin_in], stdin_fileno); + } + //execv("/usr/bin/uname",test); execl("/bin/sh", "sh", "-c", fname.c_str(), NULL); fprintf(stderr, "Exec failed :(......\n"); @@ -87,12 +97,18 @@ bool Raw::Execute() else { // we are the parent - close(stdout_pipe[stdout_fileno]); + close(pipes[stdout_out]); if ( Info().mode == MODE_STREAM ) - fcntl(stdout_pipe[stdin_fileno], F_SETFL, O_NONBLOCK); + fcntl(pipes[stdout_in], F_SETFL, O_NONBLOCK); + + if ( stdin_towrite ) + { + close(pipes[stdin_in]); + fcntl(pipes[stdin_out], F_SETFL, O_NONBLOCK); + } - file = fdopen(stdout_pipe[stdin_fileno], "r"); + file = fdopen(pipes[stdout_in], "r"); if ( file == 0 ) { Error("Could not convert fileno to file"); @@ -106,8 +122,7 @@ bool Raw::OpenInput() { if ( execute ) { - if ( ! Execute() ) - return false; + return Execute(); } else { @@ -120,10 +135,6 @@ bool Raw::OpenInput() } } - //if ( execute && Info().mode == MODE_STREAM ) - // fcntl(fileno(file), F_SETFL, O_NONBLOCK); - - //fcntl(fileno(file), F_SETFD, FD_CLOEXEC); return true; } @@ -138,8 +149,11 @@ bool Raw::CloseInput() Debug(DBG_INPUT, "Raw reader starting close"); #endif - if ( execute ) - pclose(file); + if ( execute ) // we do not care if any of those fails. They should all be defined. + { + for ( int i = 0; i < 6; i ++ ) + close(pipes[i]); + } else fclose(file); 
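Review bot: The child set up in this hunk execs `/bin/sh -c` with every descriptor the parent holds, not only the pipe ends it dup2()s, and the hunk removes the commented-out `FD_CLOEXEC` line instead of making it real. With several raw readers running, each child therefore also holds the write ends of the other readers' stdout pipes, so a parent does not see EOF on a finished command until the unrelated children exit too, and the executed command can use whatever other descriptors Bro had open at fork time. The parent should mark the ends it keeps (`pipes[stdout_in]`, `pipes[stdin_out]`, `pipes[stderr_in]`) with `fcntl(fd, F_SETFD, FD_CLOEXEC)` right after pipe() and before fork(); the dup2() copies the child makes do not carry the flag, so the exec still gets its stdin/stdout/stderr. Separately, the source string reaches `sh -c` verbatim, which is the design, but a script that builds the source from untrusted data gets shell injection, and a one-line warning to that effect in raw.bro's documentation would be worthwhile.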
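Review bot: The execute branch added to CloseInput closes all six `pipes[]` slots, but `pipes[stdout_out]` (and `pipes[stdin_in]` when stdin is in use) were already closed in the parent right after fork(), and `pipes[stdout_in]` is owned by the `FILE*` from fdopen(), which is never fclose()d in this branch. In a multi-threaded process a second close() of a number that another thread has meanwhile been handed silently closes that thread's descriptor, so the double close is more than a harmless EBADF. I would `fclose(file)` in both branches, set each slot to -1 at the point it is closed, and have the loop skip -1 entries. CloseInput's remaining lines are outside the hunk.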
@@ -166,6 +180,13 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie return false; } + map::const_iterator it = info.config.find("stdin"); // data that is sent to the child process + if ( it != info.config.end() ) + { + stdin_string = it->second; + stdin_towrite = stdin_string.length(); + } + if ( num_fields != 1 ) { Error("Filter for raw reader contains more than one field. " @@ -214,9 +235,8 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie } -int64_t Raw::GetLine() +int64_t Raw::GetLine(FILE* arg_file) { - errno = 0; uint64_t pos = 0; @@ -227,7 +247,7 @@ int64_t Raw::GetLine() for (;;) { - size_t readbytes = fread(buf+bufpos, 1, block_size-bufpos, file); + size_t readbytes = fread(buf+bufpos, 1, block_size-bufpos, arg_file); pos += bufpos + readbytes; bufpos = 0; // read full block size in next read... @@ -240,7 +260,7 @@ int64_t Raw::GetLine() { // we did not find it and have to search again in the next try. resize buffer.... // but first check if we encountered the file end - because if we did this was it. - if ( feof(file) != 0 ) + if ( feof(arg_file) != 0 ) { outbuf = buf; buf = 0; @@ -291,6 +311,28 @@ int64_t Raw::GetLine() } +// write to the stdin of the child process +void Raw::WriteToStdin() + { + assert(stdin_towrite <= stdin_string.length()); + uint64_t pos = stdin_string.length() - stdin_towrite; + + errno = 0; + ssize_t written = write(pipes[stdin_out], stdin_string.c_str() + pos, stdin_towrite); + stdin_towrite -= written; + + if ( errno != 0 && errno != EAGAIN && errno != EWOULDBLOCK ) + { + Error(Fmt("Writing to child process stdin failed: %d. Stopping writing at position %d", errno, pos)); + stdin_towrite = 0; + close(pipes[stdin_out]); + } + + if ( stdin_towrite == 0 ) // send EOF when we are done. + printf("Closing %d\n", pipes[stdin_out]); + close(pipes[stdin_out]); + } + // read the entire file and send appropriate thingies back to InputMgr bool Raw::DoUpdate() { 
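Review bot: `WriteToStdin` does not handle a negative return from write(): `stdin_towrite -= written;` runs before errno is inspected, so an EAGAIN result (-1) adds one to the unsigned counter, and the next call trips `assert(stdin_towrite <= stdin_string.length())` in debug builds or computes `pos` past the end of the string in release builds. The `if ( stdin_towrite == 0 )` at the end also lacks braces, so only the printf is conditional and the write end is closed after every call, including a partial write, leaving the child with EOF while data is still pending. The `%d` used for the uint64_t `pos` in the Error message is a further format mismatch. A version that checks `written < 0` first is below.
```cpp
errno = 0;
ssize_t written = write(pipes[stdin_out], stdin_string.c_str() + pos, stdin_towrite);

if ( written < 0 )
    {
    if ( errno == EAGAIN || errno == EWOULDBLOCK )
        return; // pipe is full; retry on the next DoUpdate()

    Error(Fmt("Writing to child process stdin failed: %d. Stopping writing at position %llu",
              errno, (unsigned long long) pos));
    stdin_towrite = 0;
    }
else
    stdin_towrite -= written;

if ( stdin_towrite == 0 ) // done (or given up): send EOF
    {
    close(pipes[stdin_out]);
    pipes[stdin_out] = -1;
    }
```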
@@ -344,8 +386,11 @@ bool Raw::DoUpdate() assert (NumFields() == 1); for ( ;; ) { - int64_t length = GetLine(); - //printf("Read %lld bytes", length); + if ( stdin_towrite > 0 ) + WriteToStdin(); + + int64_t length = GetLine(file); + //printf("Read %lld bytes\n", length); if ( length == -3 ) return false; diff --git a/src/input/readers/Raw.h b/src/input/readers/Raw.h index d550716c48..cf29609331 100644 --- a/src/input/readers/Raw.h +++ b/src/input/readers/Raw.h @@ -29,7 +29,9 @@ protected: private: bool OpenInput(); bool CloseInput(); - int64_t GetLine(); + int64_t GetLine(FILE* file); + bool Execute(); + void WriteToStdin(); string fname; // Source with a potential "|" removed. FILE* file; @@ -40,10 +42,9 @@ private: // options set from the script-level. string separator; unsigned int sep_length; // length of the separator - bool Execute(); static const int block_size; - uint32_t bufpos; + uint64_t bufpos; char* buf; char* outbuf; @@ -51,7 +52,21 @@ private: int stdout_fileno; int stderr_fileno; + string stdin_string; + uint64_t stdin_towrite; + + int pipes[6]; pid_t childpid; + + enum IoChannels { + stdout_in = 0, + stdout_out = 1, + stdin_in = 2, + stdin_out = 3, + stderr_in = 4, + stderr_out = 5 + }; + }; } diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/out b/testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/out new file mode 100644 index 0000000000..c49aee85b3 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/out 
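Review bot: The `WriteToStdin()` call added at the top of the read loop writes to a pipe whose reader is an arbitrary child; if that child exits or closes its stdin before the data is consumed (a `cat > file` that has finished, or a command that never reads stdin), write() raises SIGPIPE, whose default disposition terminates the whole Bro process rather than this reader thread. Unless SIGPIPE is already ignored elsewhere in Bro (not visible here), the reader needs EPIPE instead: `signal(SIGPIPE, SIG_IGN)` is process-wide and belongs in the main program's startup, and WriteToStdin should then treat EPIPE as "stop writing and close the end". DoUpdate's body begins and ends outside the hunk.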
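Review bot: The new `int pipes[6]` member is never initialised, yet CloseInput closes all six entries whenever `execute` is set and Execute() can return false after only partially filling the array, so close() may be called on indeterminate integers, which in a threaded process can be another thread's descriptor. `pipes[i] = -1` for all six in the constructor plus a `>= 0` check before each close() removes that. The `IoChannels` enum would also benefit from a comment such as `// even entries are read ends, odd entries write ends (pipe() order)`, since the `pipes+2`/`pipes+4` arithmetic in Execute() relies on it.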
@@ -0,0 +1,36 @@ +[source=cat |, reader=Input::READER_RAW, mode=Input::STREAM, name=input2, fields=, want_record=F, ev=line +{ +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (2 == try) +{ +Input::remove(input2); +close(outfile); +terminate(); +} + +}, config={ +[stdin] = hello^Jthere^A^B^C^D^E^A^B^Cyay +}] +Input::EVENT_NEW +hello +[source=cat |, reader=Input::READER_RAW, mode=Input::STREAM, name=input2, fields=, want_record=F, ev=line +{ +print outfile, A::description; +print outfile, A::tpe; +print outfile, A::s; +try = try + 1; +if (2 == try) +{ +Input::remove(input2); +close(outfile); +terminate(); +} + +}, config={ +[stdin] = hello^Jthere^A^B^C^D^E^A^B^Cyay +}] +Input::EVENT_NEW +there^A^B^C^D^E^A^B^Cyay diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/test.txt b/testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/test.txt new file mode 100644 index 0000000000..0205cd7c3a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/test.txt @@ -0,0 +1,2 @@ +hello +thereyay \ No newline at end of file diff --git a/testing/btest/scripts/base/frameworks/input/execrawstdin.bro b/testing/btest/scripts/base/frameworks/input/execrawstdin.bro new file mode 100644 index 0000000000..729844e4b4 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/execrawstdin.bro 
@@ -0,0 +1,44 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff test.txt +# @TEST-EXEC: btest-diff out + +redef exit_only_after_terminate = T; +@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... + +global outfile: file; +global try: count; + +module A; + +type Val: record { + s: string; +}; + +event line(description: Input::EventDescription, tpe: Input::Event, s: string) + { + print outfile, description; + print outfile, tpe; + print outfile, s; + try = try + 1; + if ( try == 2 ) + { + Input::remove("input2"); + close(outfile); + terminate(); + } + } + +event bro_init() + { + local config_strings: table[string] of string = { + ["stdin"] = "hello\nthere\1\2\3\4\5\1\2\3yay" + #["stdin"] = "yay" + }; + + try = 0; + outfile = open("../out"); + Input::add_event([$source="cat > ../test.txt |", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line, $want_record=F, $config=config_strings]); + Input::remove("input"); + Input::add_event([$source="cat |", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input2", $fields=Val, $ev=line, $want_record=F, $config=config_strings]); + } From 6fef99ee0337964eb8f89828d59eb7cee0d63f22 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Sat, 16 Mar 2013 09:54:48 -0700 Subject: [PATCH 010/200] make reading from stdout and stderr simultaneously work. Needs a few test-cases - but seems ok... --- src/input/readers/Raw.cc | 105 ++++++++++--- src/input/readers/Raw.h | 3 + .../out | 148 ++++++++++++++++++ .../input/executestreamrawstderr.bro | 44 ++++++ 4 files changed, 274 insertions(+), 26 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.executestreamrawstderr/out create mode 100644 testing/btest/scripts/base/frameworks/input/executestreamrawstderr.bro diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index c4dfe55b93..850dda3a39 100644 
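Review bot: The first stream in `bro_init`, `cat > ../test.txt |`, is removed with `Input::remove("input")` on the very next line, and the test then diffs `test.txt` against a baseline. Whether the reader thread has already forked the child and delivered the stdin string before DoClose() sends `kill(childpid, 9)` is a matter of thread timing, so this assertion can be flaky on a loaded machine. Consider removing the stream from an end-of-stream event handler instead of immediately, or drop the `test.txt` diff and keep only the `cat |` round-trip that the second stream checks.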
--- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc @@ -44,6 +44,7 @@ Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend) childpid = -1; stdin_towrite = 0; // by default do not open stdin + use_stderr = false; } Raw::~Raw() @@ -89,6 +90,12 @@ bool Raw::Execute() dup2(pipes[stdin_in], stdin_fileno); } + if ( use_stderr ) + { + close(pipes[stderr_in]); + dup2(pipes[stderr_out], stderr_fileno); + } + //execv("/usr/bin/uname",test); execl("/bin/sh", "sh", "-c", fname.c_str(), NULL); fprintf(stderr, "Exec failed :(......\n"); @@ -107,13 +114,22 @@ bool Raw::Execute() close(pipes[stdin_in]); fcntl(pipes[stdin_out], F_SETFL, O_NONBLOCK); } + + if ( use_stderr ) + { + close(pipes[stderr_out]); + fcntl(pipes[stderr_in], F_SETFL, O_NONBLOCK); + } file = fdopen(pipes[stdout_in], "r"); - if ( file == 0 ) + stderrfile = fdopen(pipes[stderr_in], "r"); + if ( file == 0 || (stderrfile == 0 && use_stderr) ) { Error("Could not convert fileno to file"); return false; } + + return true; } } @@ -172,7 +188,17 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie mtime = 0; execute = false; firstrun = true; + int want_fields = 1; bool result; + + // do Initialization + string source = string(info.source); + char last = info.source[source.length() - 1]; + if ( last == '|' ) + { + execute = true; + fname = source.substr(0, fname.length() - 1); + } if ( ! info.source || strlen(info.source) == 0 ) { 
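Review bot: The source parsing moved up in this hunk dereferences `info.source` — `string(info.source)` and `info.source[source.length() - 1]` — before the `if ( ! info.source || strlen(info.source) == 0 )` check that now follows it, so a null source crashes and an empty one indexes position -1. Keep the check first: move `string source = string(info.source);` and the `if ( last == '|' )` block below the existing error return. Separately, `fname = source.substr(0, fname.length() - 1);` takes the length from `fname` rather than `source`; that is only right if `fname` was assigned `info.source` earlier in DoInit (outside this hunk), so either confirm that or simply write `source.length() - 1`.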
@@ -186,38 +212,35 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie stdin_string = it->second; stdin_towrite = stdin_string.length(); } - - if ( num_fields != 1 ) + + it = info.config.find("read_stderr"); // we want to read stderr + if ( it != info.config.end() && execute ) { - Error("Filter for raw reader contains more than one field. " - "Filters for the raw reader may only contain exactly one string field. " - "Filter ignored."); + use_stderr = true; + want_fields = 2; + } + + if ( num_fields != want_fields ) + { + Error(Fmt("Filter for raw reader contains wrong number of fields -- got %d, expected %d. " + "Filters for the raw reader contain one field when used in normal mode and 2 fields when using execute mode with stderr capuring. " + "Filter ignored.", num_fields, want_fields)); return false; } if ( fields[0]->type != TYPE_STRING ) { - Error("Filter for raw reader contains a field that is not of type string."); + Error("First field for raw reader always has to be of type string."); return false; } - - // do Initialization - string source = string(info.source); - char last = info.source[source.length() - 1]; - if ( last == '|' ) + if ( use_stderr && fields[1]->type != TYPE_BOOL ) { - execute = true; - fname = source.substr(0, fname.length() - 1); - - result = OpenInput(); - - } - else - { - execute = false; - result = OpenInput(); + Error("Second field for raw reader always has to be of type bool."); } + + result = OpenInput(); + if ( result == false ) return result; @@ -329,7 +352,6 @@ void Raw::WriteToStdin() } if ( stdin_towrite == 0 ) // send EOF when we are done. - printf("Closing %d\n", pipes[stdin_out]); close(pipes[stdin_out]); } 
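Review bot: `read_stderr` is switched on by the mere presence of the config key — `it != info.config.end()` — so `["read_stderr"] = "0"` or `"F"` enables it as well, and the same presence-only pattern is reused later for `force_kill`. Either parse the value (accept `"1"`/`"T"`) or document in raw.bro that these options are flags whose value is ignored. The new error text also misspells "capuring" (capturing), and "one string and one bool fields" should read "one string and one bool field". DoInit continues outside this hunk.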
@@ -383,14 +405,14 @@ bool Raw::DoUpdate() } string line; - assert (NumFields() == 1); + assert ( (NumFields() == 1 && !use_stderr) || (NumFields() == 2 && use_stderr)); for ( ;; ) { if ( stdin_towrite > 0 ) WriteToStdin(); int64_t length = GetLine(file); - //printf("Read %lld bytes\n", length); + printf("Read %lld bytes\n", length); if ( length == -3 ) return false; @@ -398,7 +420,7 @@ bool Raw::DoUpdate() // no data ready or eof break; - Value** fields = new Value*[1]; + Value** fields = new Value*[2]; // just always reserve 2. This means that our [] is too long by a count of 1 if not using stderr. But who cares... // filter has exactly one text field. convert to it. Value* val = new Value(TYPE_STRING, true); @@ -406,11 +428,42 @@ bool Raw::DoUpdate() val->val.string_val.length = length; fields[0] = val; + if ( use_stderr ) + { + Value* bval = new Value(TYPE_BOOL, true); + bval->val.int_val = 0; + fields[1] = bval; + } + Put(fields); outbuf = 0; } + if ( use_stderr ) + for ( ;; ) + { + int64_t length = GetLine(stderrfile); + printf("Read stderr %lld bytes\n", length); + if ( length == -3 ) + return false; + else if ( length == -2 || length == -1 ) + break; + + Value** fields = new Value*[2]; + Value* val = new Value(TYPE_STRING, true); + val->val.string_val.data = outbuf; + val->val.string_val.length = length; + fields[0] = val; + Value* bval = new Value(TYPE_BOOL, true); + bval->val.int_val = 1; // yes, we are stderr + fields[1] = bval; + + Put(fields); + + outbuf = 0; + } + #ifdef DEBUG Debug(DBG_INPUT, "DoUpdate finished successfully"); #endif diff --git a/src/input/readers/Raw.h b/src/input/readers/Raw.h index cf29609331..d79a80c31e 100644 --- a/src/input/readers/Raw.h +++ b/src/input/readers/Raw.h @@ -35,6 +35,7 @@ private: string fname; // Source with a potential "|" removed. FILE* file; + FILE* stderrfile; bool execute; bool firstrun; time_t mtime; 
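Review bot: The stderr loop added here calls `GetLine(stderrfile)` with the same `buf`/`bufpos`/`outbuf` state the preceding stdout loop uses; as far as GetLine's buffering in patch 009 shows, a stdout line that ended without a separator is kept in `buf` with `bufpos` set for the next read, so the next stderr read appends stderr bytes to that partial stdout line and reports the mixture as stderr. The fix is per-stream buffer state — a small struct holding buf, bufpos and outbuf, one instance per FILE* — passed into GetLine alongside the file. The stdout loop also allocates `Value*[2]` and leaves `fields[1]` unset when `use_stderr` is false; if Put() only walks NumFields() entries that is harmless, but an explicit `fields[1] = 0;` would make it obviously so.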
@@ -55,6 +56,8 @@ private: string stdin_string; uint64_t stdin_towrite; + bool use_stderr; + int pipes[6]; pid_t childpid; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.executestreamrawstderr/out b/testing/btest/Baseline/scripts.base.frameworks.input.executestreamrawstderr/out new file mode 100644 index 0000000000..55c4167ef8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.executestreamrawstderr/out 
@@ -0,0 +1,148 @@ +[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +print A::outfile, A::is_stderr; +A::try = A::try + 1; +if (7 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ +[read_stderr] = 1 +}] +Input::EVENT_NEW +..: +F +[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +print A::outfile, A::is_stderr; +A::try = A::try + 1; +if (7 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ +[read_stderr] = 1 +}] +Input::EVENT_NEW +bro +F +[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +print A::outfile, A::is_stderr; +A::try = A::try + 1; +if (7 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ +[read_stderr] = 1 +}] +Input::EVENT_NEW +executestreamrawstderr.bro +F +[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +print A::outfile, A::is_stderr; +A::try = A::try + 1; +if (7 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ +[read_stderr] = 1 +}] +Input::EVENT_NEW +out +F +[source=ls .. 
../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +print A::outfile, A::is_stderr; +A::try = A::try + 1; +if (7 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ +[read_stderr] = 1 +}] +Input::EVENT_NEW +ls: ../nonexistant: No such file or directory +T +[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +print A::outfile, A::is_stderr; +A::try = A::try + 1; +if (7 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ +[read_stderr] = 1 +}] +Input::EVENT_NEW +ls: ../nonexistant2: No such file or directory +T +[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line +{ +print A::outfile, A::description; +print A::outfile, A::tpe; +print A::outfile, A::s; +print A::outfile, A::is_stderr; +A::try = A::try + 1; +if (7 == A::try) +{ +print A::outfile, done; +close(A::outfile); +Input::remove(input); +terminate(); +} + +}, config={ +[read_stderr] = 1 +}] +Input::EVENT_NEW +ls: ../nonexistant3: No such file or directory +T +done diff --git a/testing/btest/scripts/base/frameworks/input/executestreamrawstderr.bro b/testing/btest/scripts/base/frameworks/input/executestreamrawstderr.bro new file mode 100644 index 0000000000..7e7c640112 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/executestreamrawstderr.bro 
@@ -0,0 +1,44 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff out + +redef exit_only_after_terminate = T; + +module A; + +type Val: record { + s: string; + is_stderr: bool; +}; + +global try: count; +global outfile: file; + +event line(description: Input::EventDescription, tpe: Input::Event, s: string, is_stderr: bool) + { + print outfile, description; + print outfile, tpe; + print outfile, s; + print outfile, is_stderr; + + try = try + 1; + if ( try == 7 ) + { + print outfile, "done"; + close(outfile); + Input::remove("input"); + terminate(); + } + } + +event bro_init() + { + + local config_strings: table[string] of string = { + ["read_stderr"] = "1" + }; + + outfile = open("../out"); + try = 0; + Input::add_event([$source="ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |", $reader=Input::READER_RAW, $name="input", $fields=Val, $ev=line, $want_record=F, $config=config_strings]); + } From 887595375174eb0ac8405b775b17e3da8c9dc58f Mon Sep 17 00:00:00 2001 
From: Bernhard Amann Date: Mon, 18 Mar 2013 21:49:16 -0700 Subject: [PATCH 011/200] A bunch of more changes for the raw reader * send end_of_data event for all kind of streams * send process_finished event containing exit code of child process for executed programs * move raw-tests to separate directory * expose name of input stream to readers * better handling of some error cases in raw reader * new force_kill option for raw reader which SIGKILLs progesses on exit The ordering of events how they arrive in the main loop is a bit peculiar at the moment. The process_finished event arrives in scriptland before all of the other events, even though it should be sent last. I have not yet fully figured that out. --- scripts/base/frameworks/input/readers/raw.bro | 8 + src/input/Manager.cc | 8 + src/input/ReaderBackend.h | 7 + src/input/readers/Raw.cc | 120 +++++++++++--- src/input/readers/Raw.h | 2 + .../out | 148 ------------------ .../out | 0 .../out | 0 .../out | 0 .../test.txt | 0 .../out | 0 .../out | 0 .../out | 27 ++++ .../out | 0 .../input/{raw.bro => raw/basic.bro} | 0 .../input/{executeraw.bro => raw/execute.bro} | 0 .../executestdin.bro} | 0 .../executestream.bro} | 0 .../frameworks/input/{ => raw}/rereadraw.bro | 0 .../stderr.bro} | 20 ++- .../frameworks/input/{ => raw}/streamraw.bro | 0 21 files changed, 166 insertions(+), 174 deletions(-) delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.executestreamrawstderr/out rename testing/btest/Baseline/{scripts.base.frameworks.input.raw => scripts.base.frameworks.input.raw.basic}/out (100%) rename testing/btest/Baseline/{scripts.base.frameworks.input.executeraw => scripts.base.frameworks.input.raw.execute}/out (100%) rename testing/btest/Baseline/{scripts.base.frameworks.input.execrawstdin => scripts.base.frameworks.input.raw.executestdin}/out (100%) rename testing/btest/Baseline/{scripts.base.frameworks.input.execrawstdin => scripts.base.frameworks.input.raw.executestdin}/test.txt (100%) rename 
testing/btest/Baseline/{scripts.base.frameworks.input.executestreamraw => scripts.base.frameworks.input.raw.executestream}/out (100%) rename testing/btest/Baseline/{scripts.base.frameworks.input.rereadraw => scripts.base.frameworks.input.raw.rereadraw}/out (100%) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out rename testing/btest/Baseline/{scripts.base.frameworks.input.streamraw => scripts.base.frameworks.input.raw.streamraw}/out (100%) rename testing/btest/scripts/base/frameworks/input/{raw.bro => raw/basic.bro} (100%) rename testing/btest/scripts/base/frameworks/input/{executeraw.bro => raw/execute.bro} (100%) rename testing/btest/scripts/base/frameworks/input/{execrawstdin.bro => raw/executestdin.bro} (100%) rename testing/btest/scripts/base/frameworks/input/{executestreamraw.bro => raw/executestream.bro} (100%) rename testing/btest/scripts/base/frameworks/input/{ => raw}/rereadraw.bro (100%) rename testing/btest/scripts/base/frameworks/input/{executestreamrawstderr.bro => raw/stderr.bro} (64%) rename testing/btest/scripts/base/frameworks/input/{ => raw}/streamraw.bro (100%) diff --git a/scripts/base/frameworks/input/readers/raw.bro b/scripts/base/frameworks/input/readers/raw.bro index 45deed3eda..ff49032b35 100644 --- a/scripts/base/frameworks/input/readers/raw.bro +++ b/scripts/base/frameworks/input/readers/raw.bro 
@@ -6,4 +6,12 @@ export { ## Separator between input records. ## Please note that the separator has to be exactly one character long const record_separator = "\n" &redef; + + ## Event that is called, when a process created by the raw reader exits. + ## + ## name: name of the input stream + ## source: source of the input stream + ## exit_code: exit code of the program, or number of the signal that forced the program to exit + ## signal_exit: false when program exitted normally, true when program was forced to exit by a signal + global process_finished: event(name: string, source:string, exit_code:count, signal_exit:bool); } diff --git a/src/input/Manager.cc b/src/input/Manager.cc index f5d0e2693c..33abd7d136 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -299,6 +299,7 @@ bool Manager::CreateStream(Stream* info, RecordVal* description) ReaderBackend::ReaderInfo* rinfo = new ReaderBackend::ReaderInfo(); rinfo->source = copy_string(source.c_str()); + rinfo->name = copy_string(name.c_str()); EnumVal* mode = description->LookupWithDefault(rtype->FieldOffset("mode"))->AsEnumVal(); switch ( mode->InternalInt() ) @@ -1175,6 +1176,9 @@ void Manager::EndCurrentSend(ReaderFrontend* reader) if ( i->stream_type == EVENT_STREAM ) { +#ifdef DEBUG + DBG_LOG(DBG_INPUT, "%s is event, sending end of data", i->name.c_str()); +#endif // just signal the end of the data source SendEndOfData(i); return; @@ -1281,6 +1285,10 @@ void Manager::SendEndOfData(ReaderFrontend* reader) void Manager::SendEndOfData(const Stream *i) { +#ifdef DEBUG + DBG_LOG(DBG_INPUT, "SendEndOfData for stream %s", + i->name.c_str()); +#endif SendEvent(end_of_data, 2, new StringVal(i->name.c_str()), new StringVal(i->info->source)); } diff --git a/src/input/ReaderBackend.h b/src/input/ReaderBackend.h index 73e5475db6..5419879e13 100644 --- a/src/input/ReaderBackend.h +++ b/src/input/ReaderBackend.h 
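Review bot: The new `process_finished` documentation has a spelling slip ("exitted") and does not say that the event is only raised for sources ending in `|`, nor that `exit_code` carries an exit status in one case and a signal number in the other. I would write `## exit_code: exit status of the program, or, if signal_exit is true, the number of the signal that terminated it` and `## signal_exit: false when the program exited normally, true when it was terminated by a signal`. Per the commit message the event can currently arrive before the stream's remaining lines, and a sentence saying that ordering relative to the line events is not guaranteed would save script authors a surprise.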
@@ -85,6 +85,11 @@ public: */ const char* source; + /** + * The name of the input stream. + */ + const char* name; + /** * A map of key/value pairs corresponding to the relevant * filter's "config" table. @@ -99,12 +104,14 @@ public: ReaderInfo() { source = 0; + name = 0; mode = MODE_NONE; } ReaderInfo(const ReaderInfo& other) { source = other.source ? copy_string(other.source) : 0; + name = other.name ? copy_string(other.name) : 0; mode = other.mode; for ( config_map::const_iterator i = other.config.begin(); i != other.config.end(); i++ ) diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index 850dda3a39..39d25912f8 100644 --- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc @@ -6,6 +6,7 @@ #include "../../threading/SerialTypes.h" #include +#include #include #include #include @@ -23,6 +24,8 @@ const int Raw::block_size = 512; // how big do we expect our chunks of data to b Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend) { file = 0; + stderrfile = 0; + forcekill = false; separator.assign( (const char*) BifConst::InputRaw::record_separator->Bytes(), BifConst::InputRaw::record_separator->Len()); @@ -36,11 +39,6 @@ Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend) stdout_fileno = fileno(stdout); stderr_fileno = fileno(stderr); - // and because we later assume this... - assert(stdin_fileno == 0); - assert(stdout_fileno == 1); - assert(stderr_fileno == 2); - childpid = -1; stdin_towrite = 0; // by default do not open stdin @@ -58,9 +56,17 @@ void Raw::DoClose() CloseInput(); - if ( execute && childpid > 0 ) + if ( execute && childpid > 0 && kill(childpid, 0) == 0 ) + { // kill child process - kill(childpid, 9); // TERMINATOR + kill(childpid, 15); // sigterm + if ( forcekill ) + { + usleep(200); // 200 msecs should be enough for anyone ;) + if ( kill(childpid, 0) == 0 ) // perhaps it is already gone + kill(childpid, 9); // TERMINATE + } + } } bool Raw::Execute() 
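Review bot: The copy constructor now duplicates `name` with `copy_string`, but the hunk shows no matching release; if `ReaderInfo` has a destructor that frees `source` (not visible here) it must free `name` too, otherwise every copy of the info leaks the stream name. A short ownership comment on the two `const char*` members, such as `/** Owned by this object; released by the destructor. */`, would make that contract visible, since raw-pointer ownership in a struct that is copied around is easy to get wrong.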
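Review bot: In the new DoClose, `usleep(200)` sleeps for 200 microseconds, not the 200 ms the comment promises, so `force_kill` almost always escalates straight to SIGKILL; use `usleep(200000)` or, better, a short loop polling `waitpid(childpid, 0, WNOHANG)`. After the kill nothing reaps the child, so it stays a zombie for the life of the process; a blocking `waitpid()` is only safe once SIGKILL has been sent, so the non-forcekill path should poll with WNOHANG. Note also that `kill(childpid, 0) == 0` succeeds for an unreaped zombie, so it does not actually tell you the child is still running.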
@@ -112,22 +118,26 @@ bool Raw::Execute() if ( stdin_towrite ) { close(pipes[stdin_in]); - fcntl(pipes[stdin_out], F_SETFL, O_NONBLOCK); + fcntl(pipes[stdin_out], F_SETFL, O_NONBLOCK); // ya, just always set this to nonblocking. we do not want to block on a program receiving data. + // note that there is a small gotcha with it. More data is queued when more data is read from the program output. Hence, when having + // a program in mode_manual where the first write cannot write everything, the rest will be stuck in a queue that is never emptied. } if ( use_stderr ) { close(pipes[stderr_out]); - fcntl(pipes[stderr_in], F_SETFL, O_NONBLOCK); + fcntl(pipes[stderr_in], F_SETFL, O_NONBLOCK); // true for this too. } file = fdopen(pipes[stdout_in], "r"); - stderrfile = fdopen(pipes[stderr_in], "r"); - if ( file == 0 || (stderrfile == 0 && use_stderr) ) - { - Error("Could not convert fileno to file"); - return false; - } + + if ( use_stderr ) + stderrfile = fdopen(pipes[stderr_in], "r"); + if ( file == 0 || (stderrfile == 0 && use_stderr) ) + { + Error("Could not convert fileno to file"); + return false; + } return true; @@ -165,15 +175,19 @@ bool Raw::CloseInput() Debug(DBG_INPUT, "Raw reader starting close"); #endif + fclose(file); + + if ( use_stderr ) + fclose(stderrfile); + if ( execute ) // we do not care if any of those fails. They should all be defined. { for ( int i = 0; i < 6; i ++ ) close(pipes[i]); } - else - fclose(file); file = 0; + stderrfile = 0; #ifdef DEBUG Debug(DBG_INPUT, "Raw reader finished close"); 
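Review bot: CloseInput now calls `fclose(file)` and then `close(pipes[stdout_in])`, which is the same descriptor twice, and it also re-closes the ends Execute() already closed after fork (`pipes[stdout_out]`, `pipes[stdin_in]`, `pipes[stderr_out]`). In a threaded reader a repeated close() can hit a descriptor another thread has just been handed, so each slot needs to be marked -1 when it is closed and skipped afterwards. `fclose(file)` is also unconditional, so it faults on a null `file` if Execute() failed before fdopen(). A sketch is below; it relies on Execute() and the constructor setting closed or unused slots to -1.
```cpp
if ( file )
    {
    fclose(file);          // also closes pipes[stdout_in]
    pipes[stdout_in] = -1;
    }
if ( stderrfile )
    {
    fclose(stderrfile);    // also closes pipes[stderr_in]
    pipes[stderr_in] = -1;
    }
file = 0;
stderrfile = 0;

if ( execute )
    for ( int i = 0; i < 6; i++ )
        if ( pipes[i] >= 0 )
            {
            close(pipes[i]);
            pipes[i] = -1; // never close the same number twice
            }
// … unchanged: debug logging and return …
```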
@@ -219,11 +233,17 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie use_stderr = true; want_fields = 2; } + + it = info.config.find("force_kill"); // we want to be sure that our child is dead when we exit + if ( it != info.config.end() && execute ) + { + forcekill = true; + } if ( num_fields != want_fields ) { Error(Fmt("Filter for raw reader contains wrong number of fields -- got %d, expected %d. " - "Filters for the raw reader contain one field when used in normal mode and 2 fields when using execute mode with stderr capuring. " + "Filters for the raw reader contain one string field when used in normal mode and one string and one bool fields when using execute mode with stderr capuring. " "Filter ignored.", num_fields, want_fields)); return false; } @@ -236,6 +256,14 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie if ( use_stderr && fields[1]->type != TYPE_BOOL ) { Error("Second field for raw reader always has to be of type bool."); + return false; + } + + if ( execute && Info().mode == MODE_REREAD ) + { + // for execs this makes no sense - would have to execute each heartbeat? + Error("Rereading only supported for files, not for executables."); + return false; } @@ -353,8 +381,14 @@ void Raw::WriteToStdin() if ( stdin_towrite == 0 ) // send EOF when we are done. close(pipes[stdin_out]); + + if ( Info().mode == MODE_MANUAL && stdin_towrite != 0 ) + { + Error(Fmt("Could not write whole string to stdin of child process in one go. Please use STREAM mode to pass more data to child.")); + } } + // read the entire file and send appropriate thingies back to InputMgr bool Raw::DoUpdate() { @@ -366,6 +400,7 @@ bool Raw::DoUpdate() switch ( Info().mode ) { case MODE_REREAD: { + assert(childpid == -1); // mode may not be used to execute child programs // check if the file has changed struct stat sb; if ( stat(fname.c_str(), &sb) == -1 ) 
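Review bot: The new MODE_MANUAL error fires when a write was partial but leaves `pipes[stdin_out]` open with `stdin_towrite` still non-zero, and in manual mode DoUpdate() is not called again, so the child never sees EOF and may block on stdin indefinitely while the reader reports success. Close the write end in that case so the child at least terminates: add `close(pipes[stdin_out]); stdin_towrite = 0;` after the Error(), and drop the `Fmt()` around the constant message. The negative-return case of write() earlier in WriteToStdin (outside this hunk) is still unhandled, so `stdin_towrite` can be wrong for that reason as well.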
@@ -388,7 +423,6 @@ bool Raw::DoUpdate() case MODE_STREAM: if ( Info().mode == MODE_STREAM && file != 0 ) { - //fpurge(file); clearerr(file); // remove end of file evil bits break; } @@ -412,7 +446,7 @@ bool Raw::DoUpdate() WriteToStdin(); int64_t length = GetLine(file); - printf("Read %lld bytes\n", length); + //printf("Read %lld bytes\n", length); if ( length == -3 ) return false; @@ -444,7 +478,7 @@ bool Raw::DoUpdate() for ( ;; ) { int64_t length = GetLine(stderrfile); - printf("Read stderr %lld bytes\n", length); + //printf("Read stderr %lld bytes\n", length); if ( length == -3 ) return false; else if ( length == -2 || length == -1 ) 
@@ -464,6 +498,50 @@ bool Raw::DoUpdate() outbuf = 0; } + if ( ( Info().mode == MODE_MANUAL ) || ( Info().mode == MODE_REREAD ) ) + // done with the current data source :) + EndCurrentSend(); + + // and let's check if the child process is still alive + int return_code; + if ( waitpid(childpid, &return_code, WNOHANG) != 0 ) { + // child died :( + bool signal = false; + int code = 0; + if ( WIFEXITED(return_code) ) { + code = WEXITSTATUS(return_code); + if ( code != 0 ) + Error(Fmt("Child process exited with non-zero return code %d", code)); + } else if ( WIFSIGNALED(return_code) ) { + signal = false; + code = WTERMSIG(return_code); + Error(Fmt("Child process exited due to signal %d", code)); + } else { + assert(false); + } + + Value** vals = new Value*[4]; + vals[0] = new Value(TYPE_STRING, true); + vals[0]->val.string_val.data = copy_string(Info().name); + vals[0]->val.string_val.length = strlen(Info().name); + vals[1] = new Value(TYPE_STRING, true); + vals[1]->val.string_val.data = copy_string(Info().source); + vals[1]->val.string_val.length = strlen(Info().source); + vals[2] = new Value(TYPE_COUNT, true); + vals[2]->val.int_val = code; + vals[3] = new Value(TYPE_BOOL, true); + vals[3]->val.int_val = signal; + + // and in this case we can signal end_of_data even for the streaming reader + if ( Info().mode == MODE_STREAM ) + EndCurrentSend(); + + SendEvent("InputRaw::process_finished", 4, vals); + + } + + + #ifdef DEBUG Debug(DBG_INPUT, "DoUpdate finished successfully"); #endif diff --git a/src/input/readers/Raw.h b/src/input/readers/Raw.h index d79a80c31e..8ea03a70b4 100644 --- a/src/input/readers/Raw.h +++ b/src/input/readers/Raw.h @@ -58,6 +58,8 @@ private: bool use_stderr; + bool forcekill; + int pipes[6]; pid_t childpid; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.executestreamrawstderr/out b/testing/btest/Baseline/scripts.base.frameworks.input.executestreamrawstderr/out deleted file mode 100644 index 55c4167ef8..0000000000 
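Review bot: `waitpid(childpid, &return_code, WNOHANG)` runs on every DoUpdate() regardless of `execute`, and in the non-execute case `childpid` is -1 (the `assert(childpid == -1)` earlier in this function relies on that sentinel), which makes waitpid() wait for *any* child of the process and report the exit of a process this reader does not own. The `!= 0` test also treats a -1 error return (ECHILD on the next call once the child was reaped) as a death, after which `return_code` is read uninitialized and the chain ends in `assert(false)`. In the WIFSIGNALED branch `signal = false;` should be `signal = true;`, otherwise the `signal_exit` argument of `InputRaw::process_finished` can never be true. Guarding on `childpid != -1`, comparing the return value with the pid and resetting `childpid` after reaping fixes the first two; if CloseInput() uses `childpid` for the force-kill path, that path needs to tolerate -1. DoUpdate() begins outside the hunk.
```cpp
	// … unchanged: EndCurrentSend() for MODE_MANUAL / MODE_REREAD …

	// only execute mode has a child; waitpid(-1, ...) would wait for any child of this process
	if ( childpid != -1 )
		{
		int return_code = 0;
		pid_t rc = waitpid(childpid, &return_code, WNOHANG);
		if ( rc == -1 )
			Error(Fmt("waitpid failed: %s", strerror(errno)));
		else if ( rc == childpid )
			{
			childpid = -1; // reaped; do not report the same exit again on the next DoUpdate()
			bool signal = false;
			int code = 0;
			if ( WIFEXITED(return_code) )
				{
				code = WEXITSTATUS(return_code);
				if ( code != 0 )
					Error(Fmt("Child process exited with non-zero return code %d", code));
				}
			else if ( WIFSIGNALED(return_code) )
				{
				signal = true;
				code = WTERMSIG(return_code);
				Error(Fmt("Child process exited due to signal %d", code));
				}
			// … unchanged: else-branch assert, vals[0..3] construction, EndCurrentSend() for MODE_STREAM, SendEvent("InputRaw::process_finished", 4, vals) …
			}
		}
```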
--- a/testing/btest/Baseline/scripts.base.frameworks.input.executestreamrawstderr/out +++ /dev/null 
@@ -1,148 +0,0 @@ -[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -print A::outfile, A::is_stderr; -A::try = A::try + 1; -if (7 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, config={ -[read_stderr] = 1 -}] -Input::EVENT_NEW -..: -F -[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -print A::outfile, A::is_stderr; -A::try = A::try + 1; -if (7 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, config={ -[read_stderr] = 1 -}] -Input::EVENT_NEW -bro -F -[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -print A::outfile, A::is_stderr; -A::try = A::try + 1; -if (7 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, config={ -[read_stderr] = 1 -}] -Input::EVENT_NEW -executestreamrawstderr.bro -F -[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -print A::outfile, A::is_stderr; -A::try = A::try + 1; -if (7 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, config={ -[read_stderr] = 1 -}] -Input::EVENT_NEW -out -F -[source=ls .. 
../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -print A::outfile, A::is_stderr; -A::try = A::try + 1; -if (7 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, config={ -[read_stderr] = 1 -}] -Input::EVENT_NEW -ls: ../nonexistant: No such file or directory -T -[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -print A::outfile, A::is_stderr; -A::try = A::try + 1; -if (7 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, config={ -[read_stderr] = 1 -}] -Input::EVENT_NEW -ls: ../nonexistant2: No such file or directory -T -[source=ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |, reader=Input::READER_RAW, mode=Input::MANUAL, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -print A::outfile, A::is_stderr; -A::try = A::try + 1; -if (7 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, config={ -[read_stderr] = 1 -}] -Input::EVENT_NEW -ls: ../nonexistant3: No such file or directory -T -done diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.basic/out similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.input.raw/out rename to testing/btest/Baseline/scripts.base.frameworks.input.raw.basic/out 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.executeraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.execute/out similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.input.executeraw/out rename to testing/btest/Baseline/scripts.base.frameworks.input.raw.execute/out diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/out similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/out rename to testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/out diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/test.txt b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/test.txt similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.input.execrawstdin/test.txt rename to testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/test.txt diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.executestreamraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream/out similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.input.executestreamraw/out rename to testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream/out diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.rereadraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw/out similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.input.rereadraw/out rename to testing/btest/Baseline/scripts.base.frameworks.input.raw.rereadraw/out diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out new file mode 100644 index 0000000000..4900bc8ff8 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out @@ -0,0 +1,27 @@ +Process finished event +input +1 +Input::EVENT_NEW +..: +F +Input::EVENT_NEW +bro +F +Input::EVENT_NEW +out +F +Input::EVENT_NEW +stderr.bro +F +Input::EVENT_NEW +ls: ../nonexistant: No such file or directory +T +Input::EVENT_NEW +ls: ../nonexistant2: No such file or directory +T +Input::EVENT_NEW +ls: ../nonexistant3: No such file or directory +T +done +End of Data event +input diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.streamraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.streamraw/out similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.input.streamraw/out rename to testing/btest/Baseline/scripts.base.frameworks.input.raw.streamraw/out diff --git a/testing/btest/scripts/base/frameworks/input/raw.bro b/testing/btest/scripts/base/frameworks/input/raw/basic.bro similarity index 100% rename from testing/btest/scripts/base/frameworks/input/raw.bro rename to testing/btest/scripts/base/frameworks/input/raw/basic.bro diff --git a/testing/btest/scripts/base/frameworks/input/executeraw.bro b/testing/btest/scripts/base/frameworks/input/raw/execute.bro similarity index 100% rename from testing/btest/scripts/base/frameworks/input/executeraw.bro rename to testing/btest/scripts/base/frameworks/input/raw/execute.bro diff --git a/testing/btest/scripts/base/frameworks/input/execrawstdin.bro b/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro similarity index 100% rename from testing/btest/scripts/base/frameworks/input/execrawstdin.bro rename to testing/btest/scripts/base/frameworks/input/raw/executestdin.bro 
diff --git a/testing/btest/scripts/base/frameworks/input/executestreamraw.bro b/testing/btest/scripts/base/frameworks/input/raw/executestream.bro similarity index 100% rename from testing/btest/scripts/base/frameworks/input/executestreamraw.bro rename to testing/btest/scripts/base/frameworks/input/raw/executestream.bro diff --git a/testing/btest/scripts/base/frameworks/input/rereadraw.bro b/testing/btest/scripts/base/frameworks/input/raw/rereadraw.bro similarity index 100% rename from testing/btest/scripts/base/frameworks/input/rereadraw.bro rename to testing/btest/scripts/base/frameworks/input/raw/rereadraw.bro diff --git a/testing/btest/scripts/base/frameworks/input/executestreamrawstderr.bro b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro similarity index 64% rename from testing/btest/scripts/base/frameworks/input/executestreamrawstderr.bro rename to testing/btest/scripts/base/frameworks/input/raw/stderr.bro index 7e7c640112..c85ee8b0ef 100644 --- a/testing/btest/scripts/base/frameworks/input/executestreamrawstderr.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro @@ -4,8 +4,6 @@ redef exit_only_after_terminate = T; -module A; - type Val: record { s: string; is_stderr: bool; @@ -16,7 +14,6 @@ global outfile: file; event line(description: Input::EventDescription, tpe: Input::Event, s: string, is_stderr: bool) { - print outfile, description; print outfile, tpe; print outfile, s; print outfile, is_stderr; 
@@ -25,12 +22,25 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string, i if ( try == 7 ) { print outfile, "done"; - close(outfile); Input::remove("input"); - terminate(); } } +event Input::end_of_data(name: string, source:string) + { + print outfile, "End of Data event"; + print outfile, name; + terminate(); # due to the current design, end_of_data will be called after process_finshed and all line events. + # this could potentially change + } + +event InputRaw::process_finished(name: string, source:string, exit_code:count, signal_exit:bool) + { + print outfile, "Process finished event"; + print outfile, name; + print outfile, exit_code; + } + event bro_init() { diff --git a/testing/btest/scripts/base/frameworks/input/streamraw.bro b/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro similarity index 100% rename from testing/btest/scripts/base/frameworks/input/streamraw.bro rename to testing/btest/scripts/base/frameworks/input/raw/streamraw.bro From fed914252c0d4e426069a57fd55cc4ba78113069 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 18 Mar 2013 22:11:13 -0700 Subject: [PATCH 012/200] and close only fds that are currently open (the logging framework really did not like that :) ) --- src/input/readers/Raw.cc | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index 39d25912f8..12f66a9b39 100644 --- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc @@ -111,6 +111,7 @@ bool Raw::Execute() { // we are the parent close(pipes[stdout_out]); + pipes[stdout_out] = -1; if ( Info().mode == MODE_STREAM ) fcntl(pipes[stdout_in], F_SETFL, O_NONBLOCK); 
@@ -118,6 +119,7 @@ bool Raw::Execute() if ( stdin_towrite ) { close(pipes[stdin_in]); + pipes[stdin_in] = -1; fcntl(pipes[stdin_out], F_SETFL, O_NONBLOCK); // ya, just always set this to nonblocking. we do not want to block on a program receiving data. // note that there is a small gotcha with it. More data is queued when more data is read from the program output. Hence, when having // a program in mode_manual where the first write cannot write everything, the rest will be stuck in a queue that is never emptied. @@ -126,13 +128,16 @@ bool Raw::Execute() if ( use_stderr ) { close(pipes[stderr_out]); + pipes[stderr_out] = -1; fcntl(pipes[stderr_in], F_SETFL, O_NONBLOCK); // true for this too. } file = fdopen(pipes[stdout_in], "r"); + pipes[stdout_in] = -1; // will be closed by fclose if ( use_stderr ) stderrfile = fdopen(pipes[stderr_in], "r"); + pipes[stderr_in] = -1; // will be closed by fclose if ( file == 0 || (stderrfile == 0 && use_stderr) ) { Error("Could not convert fileno to file"); @@ -183,8 +188,9 @@ bool Raw::CloseInput() if ( execute ) // we do not care if any of those fails. They should all be defined. { for ( int i = 0; i < 6; i ++ ) - close(pipes[i]); - } + if ( pipes[i] != -1 ) + close(pipes[i]); + } file = 0; stderrfile = 0; From af1809aaa36c4bd37b6b1871b78776625aa188f8 Mon Sep 17 00:00:00 2001 
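Review bot: `pipes[stdout_in] = -1;` and `pipes[stderr_in] = -1;` are assigned before the `file == 0` check, so when fdopen() fails the descriptor is owned by no FILE and is no longer closed by the CloseInput() loop either; it leaks. Assigning -1 only after fdopen() returned non-NULL, e.g. `if ( file ) pipes[stdout_in] = -1;`, keeps the loop as the fallback. `pipes[stderr_in] = -1;` is also outside the `if ( use_stderr )` statement, so when stderr is not captured that descriptor, if it was created, is forgotten without being closed; `if ( use_stderr ) { stderrfile = fdopen(pipes[stderr_in], "r"); pipes[stderr_in] = -1; }` keeps the two in step. Whether the stderr pipe exists in the non-stderr case is decided outside the hunk.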
From: Robin Sommer Date: Wed, 20 Mar 2013 13:32:36 -0700 Subject: [PATCH 013/200] First prototype of new analyzer framework. This is a larger internal change that moves the analyzer infrastructure to a more flexible model where the available analyzers don't need to be hardcoded at compile time anymore. While currently they actually still are, this will in the future enable external analyzer plugins. For now, it does already add the capability to dynamically enable/disable analyzers from script-land, replacing the old Analyzer::Available() methods. There are three major parts going into this: - A new plugin infrastructure in src/plugin. This is independent of analyzers and will eventually support plugins for other parts of Bro as well (think: readers and writers). The goal is that plugins can be alternatively compiled in statically or loadead dynamically at runtime from a shared library. While the latter isn't there yet, there'll be almost no code change for a plugin to make it dynamic later (hopefully :) - New analyzer infrastructure in src/analyzer. I've moved a number of analyzer-related classes here, including Analyzer and DPM; the latter now renamed to Analyzer::Manager. More will move here later. Currently, there's only one plugin here, which provides *all* existing analyzers. We can modularize this further in the future (or not). - A new script interface in base/framework/analyzer. I think that this will eventually replace the dpm framework, but for now that's still there as well, though some parts have moved over. I've also remove the dpd_config table; ports are now configured via the analyzer framework. For exmaple, for SSH: const ports = { 22/tcp } &redef; event bro_init() &priority=5 { ... Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports); } As you can see, the old ANALYZER_SSH constants have more into an enum in the Analyzer namespace. This is all hardly tested right now, and not everything works yet. 
There's also a lot more cleanup to do (moving more classes around; removing no longer used functionality; documenting script and C++ interfaces; regression tests). But it seems to generally work with a small trace at least. The debug stream "dpm" shows more about the loaded/enabled analyzers. A new option -N lists loaded plugins and what they provide (including those compiled in statically; i.e., right now it outputs all the analyzers). This is all not cast-in-stone yet, for some things we need to see if they make sense this way. Feedback welcome. --- scripts/base/frameworks/analyzer/__load__.bro | 1 + scripts/base/frameworks/analyzer/main.bro | 119 +++ scripts/base/frameworks/dpd/main.bro | 30 +- scripts/base/frameworks/tunnels/main.bro | 10 +- scripts/base/init-bare.bro | 44 +- scripts/base/init-default.bro | 1 + scripts/base/protocols/conn/inactivity.bro | 6 +- scripts/base/protocols/dns/main.bro | 10 +- scripts/base/protocols/ftp/main.bro | 10 +- scripts/base/protocols/http/main.bro | 27 +- scripts/base/protocols/irc/dcc-send.bro | 2 +- scripts/base/protocols/irc/main.bro | 7 +- scripts/base/protocols/modbus/main.bro | 6 +- scripts/base/protocols/smtp/main.bro | 8 +- scripts/base/protocols/socks/main.bro | 5 +- scripts/base/protocols/ssh/main.bro | 8 +- scripts/base/protocols/ssl/main.bro | 28 +- scripts/base/protocols/syslog/main.bro | 6 +- .../frameworks/dpd/detect-protocols.bro | 39 +- .../frameworks/dpd/packet-segment-logging.bro | 2 +- .../policy/protocols/conn/known-services.bro | 2 +- src/AYIYA.cc | 2 +- src/AYIYA.h | 4 +- src/AnalyzerTags.h | 57 -- src/BackDoor.cc | 2 +- src/BackDoor.h | 2 +- src/Base64.cc | 2 +- src/Base64.h | 7 +- src/BitTorrent.cc | 2 +- src/BitTorrent.h | 2 +- src/BitTorrentTracker.cc | 2 +- src/BitTorrentTracker.h | 2 +- src/CMakeLists.txt | 13 +- src/Conn.cc | 22 +- src/Conn.h | 30 +- src/ConnSizeAnalyzer.cc | 2 +- src/ConnSizeAnalyzer.h | 6 +- src/ContentLine.cc | 7 +- src/ContentLine.h | 2 +- src/DCE_RPC.cc | 15 +- src/DCE_RPC.h 
| 10 +- src/DHCP-binpac.cc | 2 +- src/DHCP-binpac.h | 4 +- src/DNS-binpac.cc | 4 +- src/DNS-binpac.h | 6 +- src/DNS.cc | 6 +- src/DNS.h | 6 +- src/DPM.cc | 407 ----------- src/DPM.h | 131 ---- src/Event.cc | 2 +- src/Event.h | 16 +- src/EventLauncher.cc | 4 +- src/FTP.cc | 4 +- src/FTP.h | 8 +- src/FileAnalyzer.cc | 2 +- src/FileAnalyzer.h | 4 +- src/Finger.cc | 2 +- src/Finger.h | 2 +- src/Func.cc | 3 + src/GTPv1.cc | 2 +- src/GTPv1.h | 4 +- src/Gnutella.cc | 8 +- src/Gnutella.h | 2 +- src/HTTP-binpac.cc | 2 +- src/HTTP-binpac.h | 2 +- src/HTTP.cc | 6 +- src/HTTP.h | 4 +- src/ICMP.cc | 11 +- src/ICMP.h | 10 +- src/IPAddr.cc | 5 +- src/IPAddr.h | 6 +- src/IRC.cc | 4 +- src/IRC.h | 2 +- src/Ident.cc | 2 +- src/Ident.h | 2 +- src/InterConn.cc | 2 +- src/InterConn.h | 2 +- src/Login.cc | 4 +- src/Login.h | 2 +- src/MIME.cc | 2 +- src/MIME.h | 10 +- src/Modbus.cc | 2 +- src/Modbus.h | 2 +- src/NCP.cc | 6 +- src/NCP.h | 6 +- src/NFS.cc | 2 +- src/NFS.h | 4 +- src/NTP.cc | 2 +- src/NTP.h | 4 +- src/NVT.cc | 2 +- src/NetVar.cc | 3 +- src/NetVar.h | 2 +- src/NetbiosSSN.cc | 6 +- src/NetbiosSSN.h | 6 +- src/PIA.cc | 24 +- src/PIA.h | 34 +- src/POP3.cc | 2 +- src/POP3.h | 2 +- src/Portmap.cc | 2 +- src/Portmap.h | 4 +- src/RPC.cc | 8 +- src/RPC.h | 6 +- src/RSH.cc | 4 +- src/RSH.h | 2 +- src/Rlogin.cc | 4 +- src/Rlogin.h | 2 +- src/RuleAction.cc | 37 +- src/RuleAction.h | 27 +- src/RuleCondition.cc | 4 +- src/RuleMatcher.cc | 8 +- src/RuleMatcher.h | 12 +- src/SMB.cc | 6 +- src/SMB.h | 6 +- src/SMTP.cc | 2 +- src/SMTP.h | 2 +- src/SOCKS.cc | 2 +- src/SOCKS.h | 2 +- src/SSH.cc | 2 +- src/SSH.h | 2 +- src/SSL.cc | 2 +- src/SSL.h | 2 +- src/Sessions.cc | 7 +- src/SteppingStone.cc | 2 +- src/SteppingStone.h | 2 +- src/Syslog-binpac.cc | 4 +- src/Syslog-binpac.h | 6 +- src/TCP.cc | 26 +- src/TCP.h | 34 +- src/TCP_Reassembler.cc | 4 +- src/TCP_Reassembler.h | 8 +- src/Telnet.cc | 2 +- src/Telnet.h | 2 +- src/Teredo.cc | 2 + src/Teredo.h | 9 +- src/UDP.cc | 3 +- src/UDP.h | 6 +- 
src/Val.cc | 5 + src/Val.h | 1 + src/ZIP.cc | 2 +- src/analyzer.bif | 39 + src/{ => analyzer}/Analyzer.cc | 276 ++----- src/{ => analyzer}/Analyzer.h | 122 ++-- src/analyzer/BuiltinAnalyzers.cc | 127 ++++ src/analyzer/BuiltinAnalyzers.h | 17 + src/analyzer/Manager.cc | 691 ++++++++++++++++++ src/analyzer/Manager.h | 182 +++++ src/analyzer/PluginComponent.cc | 37 + src/analyzer/PluginComponent.h | 51 ++ src/analyzer/Tag.cc | 69 ++ src/analyzer/Tag.h | 59 ++ src/ayiya.pac | 1 + src/binpac_bro.h | 10 +- src/bro.bif | 59 +- src/builtin-func.y | 4 +- src/event.bif | 436 +++++------ src/main.cc | 71 +- src/plugin/Component.cc | 47 ++ src/plugin/Component.h | 37 + src/plugin/DummyPlugin.cc | 28 + src/plugin/Manager.cc | 81 ++ src/plugin/Manager.h | 87 +++ src/plugin/Plugin.cc | 94 +++ src/plugin/Plugin.h | 60 ++ src/scan.l | 14 +- src/util.cc | 8 + src/util.h | 1 + 166 files changed, 2717 insertions(+), 1642 deletions(-) create mode 100644 scripts/base/frameworks/analyzer/__load__.bro create mode 100644 scripts/base/frameworks/analyzer/main.bro delete mode 100644 src/AnalyzerTags.h delete mode 100644 src/DPM.cc delete mode 100644 src/DPM.h create mode 100644 src/analyzer.bif rename src/{ => analyzer}/Analyzer.cc (65%) rename src/{ => analyzer}/Analyzer.h (81%) create mode 100644 src/analyzer/BuiltinAnalyzers.cc create mode 100644 src/analyzer/BuiltinAnalyzers.h create mode 100644 src/analyzer/Manager.cc create mode 100644 src/analyzer/Manager.h create mode 100644 src/analyzer/PluginComponent.cc create mode 100644 src/analyzer/PluginComponent.h create mode 100644 src/analyzer/Tag.cc create mode 100644 src/analyzer/Tag.h create mode 100644 src/plugin/Component.cc create mode 100644 src/plugin/Component.h create mode 100644 src/plugin/DummyPlugin.cc create mode 100644 src/plugin/Manager.cc create mode 100644 src/plugin/Manager.h create mode 100644 src/plugin/Plugin.cc create mode 100644 src/plugin/Plugin.h 
diff --git a/scripts/base/frameworks/analyzer/__load__.bro b/scripts/base/frameworks/analyzer/__load__.bro new file mode 100644 index 0000000000..a10fe855df --- /dev/null +++ b/scripts/base/frameworks/analyzer/__load__.bro @@ -0,0 +1 @@ +@load ./main diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro new file mode 100644 index 0000000000..b93ebcba24 --- /dev/null +++ b/scripts/base/frameworks/analyzer/main.bro 
@@ -0,0 +1,119 @@ + +module Analyzer; + +# Analyzer::Tag is defined in types.bif, and automatically extended by plugins +# as they are loaded. + +export { + ## XXX. + global enable_analyzer: function(tag: Analyzer::Tag) : bool; + + ## XXX. + global disable_analyzer: function(tag: Analyzer::Tag) : bool; + + ## XXX. + global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool; + + ## XXX. + global register_for_port: function(tag: Analyzer::Tag, p: port) : bool; + + ## XXX. + global registered_ports: function(tag: Analyzer::Tag) : set[port]; + + ## Translate an analyzer type to an ASCII string. + ## + ## atype: The analyzer tag. + ## + ## Returns: The analyzer *aid* as string. + global name: function(atype: Analyzer::Tag) : string; + + ## Schedules an analyzer for a future connection from a given IP address and + ## port. The function ignores the scheduling request if the connection did + ## not occur within the specified time interval. + ## + ## orig: The IP address originating a connection in the future. + ## + ## resp: The IP address responding to a connection from *orig*. + ## + ## resp_p: The destination port at *resp*. + ## + ## analyzer: The analyzer ID. + ## + ## tout: The timeout interval after which to ignore the scheduling request. + ## + ## Returns: True if succesful. + global expect_connection: function(orig: addr, resp: addr, resp_p: port, + analyzer: Analyzer::Tag, tout: interval) : bool; + + ## Analyzers to disable at startup. 
+ global disabled_analyzers: set[Analyzer::Tag] = { + ANALYZER_INTERCONN, + ANALYZER_STEPPINGSTONE, + ANALYZER_BACKDOOR, + ANALYZER_TCPSTATS, + } + + &redef; +} + +@load base/analyzer.bif + +global ports: table[Analyzer::Tag] of set[port]; + +event bro_init() + { + for ( a in disabled_analyzers ) + disable_analyzer(a); + } + +function enable_analyzer(tag: Analyzer::Tag) : bool + { + return __enable_analyzer(tag); + } + +function disable_analyzer(tag: Analyzer::Tag) : bool + { + return __disable_analyzer(tag); + } + +function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool + { + local rc = T; + + for ( p in ports ) + { + if ( ! register_for_port(tag, p) ) + rc = F; + } + + return rc; + } + +function register_for_port(tag: Analyzer::Tag, p: port) : bool + { + if ( ! __register_for_port(tag, p) ) + return F; + + if ( tag !in ports ) + ports[tag] = set(); + + add ports[tag][p]; + return T; + } + +function registered_ports(tag: Analyzer::Tag) : set[port] + { + return tag in ports ? ports[tag] : set(); + } + +function name(atype: Analyzer::Tag) : string + { + return __name(atype); + } + +function expect_connection(orig: addr, resp: addr, resp_p: port, + analyzer: Analyzer::Tag, tout: interval) : bool + { + return __expect_connection(orig, resp, resp_p, analyzer, tout); + } + diff --git a/scripts/base/frameworks/dpd/main.bro b/scripts/base/frameworks/dpd/main.bro index a5349b6cfb..b4da2ff492 100644 --- a/scripts/base/frameworks/dpd/main.bro +++ b/scripts/base/frameworks/dpd/main.bro 
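Review bot: The five exported functions at the top of the new file are documented with `## XXX.` placeholders while `name` and `expect_connection` carry full comments; since this is the script interface that replaces `dpd_config`, each needs at least a purpose line and its return semantics, e.g. for register_for_port: `## Registers *p* as a well-known port for *tag* and records it locally. Returns: True if the core accepted the registration.`, and the same for enable_analyzer, disable_analyzer, register_for_ports and registered_ports. In `register_for_ports` the parameter `ports` shadows the module-level `global ports` table declared below it, which is legal but easy to misread because `register_for_port` then writes to the global; renaming the parameter (e.g. `ps`) removes the ambiguity. `registered_ports` appears to hand back the live set stored in the table rather than a copy, so a caller mutating the result would alter the registry; if that is not intended, document it.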
@@ -41,33 +41,27 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(DPD::LOG, [$columns=Info]); - - # Populate the internal DPD analysis variable. - for ( a in dpd_config ) - { - for ( p in dpd_config[a]$ports ) - { - if ( p !in dpd_analyzer_ports ) - dpd_analyzer_ports[p] = set(); - add dpd_analyzer_ports[p][a]; - } - } } -event protocol_confirmation(c: connection, atype: count, aid: count) &priority=10 +function foo() : string { - local analyzer = analyzer_name(atype); - + return "HTTP"; + } + +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10 + { + local analyzer = Analyzer::name(atype); + if ( fmt("-%s",analyzer) in c$service ) delete c$service[fmt("-%s", analyzer)]; add c$service[analyzer]; } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=10 { - local analyzer = analyzer_name(atype); + local analyzer = Analyzer::name(atype); # If the service hasn't been confirmed yet, don't generate a log message # for the protocol violation. if ( analyzer !in c$service ) @@ -86,7 +80,7 @@ event protocol_violation(c: connection, atype: count, aid: count, c$dpd = info; } -event protocol_violation(c: connection, atype: count, aid: count, reason: string) &priority=5 +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5 { if ( !c?$dpd || aid in c$dpd$disabled_aids ) return; @@ -100,7 +94,7 @@ event protocol_violation(c: connection, atype: count, aid: count, reason: string add c$dpd$disabled_aids[aid]; } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=-5 { if ( c?$dpd ) diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro index a8fc6c8236..faa725b3f6 100644 
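Review bot: `function foo() : string { return "HTTP"; }`, inserted between bro_init and protocol_confirmation, is not referenced anywhere in the hunk and looks like leftover debugging; it should be removed before merge. The hunk removes the loop that filled `dpd_analyzer_ports` without a visible replacement; since init-bare.bro drops that table in the same commit, any remaining reader outside this diff would fail at load time, which is worth a line in the commit message. The protocol_violation handlers continue outside the hunk.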
--- a/scripts/base/frameworks/tunnels/main.bro +++ b/scripts/base/frameworks/tunnels/main.bro @@ -83,19 +83,17 @@ export { } const ayiya_ports = { 5072/udp }; -redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] }; - const teredo_ports = { 3544/udp }; -redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] }; - const gtpv1_ports = { 2152/udp, 2123/udp }; -redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1_ports] }; - redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports }; event bro_init() &priority=5 { Log::create_stream(Tunnel::LOG, [$columns=Info]); + + Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports); } function register_all(ecv: EncapsulatingConnVector) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b6187df0d9..d8f38ed124 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
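Review bot: The three `Analyzer::register_for_ports(...)` calls in bro_init discard the bool the function returns, so a registration the core rejects (for instance an analyzer that is disabled or unknown to the loaded plugins) is silent and the tunnel ports simply stop being dispatched; the DNS registrations in scripts/base/protocols/dns/main.bro further down have the same gap. Either check the result, `if ( ! Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports) ) Reporter::warning("AYIYA port registration failed");`, or have Analyzer::register_for_port report the failure itself so every caller benefits. Whether the reporter is usable at &priority=5 of bro_init is decided outside the hunk.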
@@ -2846,34 +2846,11 @@ const remote_trace_sync_peers = 0 &redef; ## consistency check. const remote_check_sync_consistency = F &redef; -## Analyzer tags. The core automatically defines constants -## ``ANALYZER_*``, e.g., ``ANALYZER_HTTP``. -## -## .. bro:see:: dpd_config -## -## .. todo::We should autodoc these automaticallty generated constants. -type AnalyzerTag: count; - -## Set of ports activating a particular protocol analysis. -## -## .. bro:see:: dpd_config -type dpd_protocol_config: record { - ports: set[port] &optional; ##< Set of ports. -}; - -## Port configuration for Bro's "dynamic protocol detection". Protocol -## analyzers can be activated via either well-known ports or content analysis. -## This table defines the ports. -## -## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_match_only_beginning dpd_ignore_ports -const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef; - ## Reassemble the beginning of all TCP connections before doing ## signature-matching. Enabling this provides more accurate matching at the ## expensive of CPU cycles. ## -## .. bro:see:: dpd_config dpd_buffer_size +## .. bro:see:: dpd_buffer_size ## dpd_match_only_beginning dpd_ignore_ports ## ## .. note:: Despite the name, this option affects *all* signature matching, not 
@@ -2888,24 +2865,24 @@ const dpd_reassemble_first_packets = T &redef; ## activated afterwards. Then only analyzers that can deal with partial ## connections will be able to analyze the session. ## -## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning +## .. bro:see:: dpd_reassemble_first_packets dpd_match_only_beginning ## dpd_ignore_ports const dpd_buffer_size = 1024 &redef; ## If true, stops signature matching if dpd_buffer_size has been reached. ## ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_config dpd_ignore_ports +## dpd_ignore_ports ## ## .. note:: Despite the name, this option affects *all* signature matching, not ## only signatures used for dynamic protocol detection. const dpd_match_only_beginning = T &redef; ## If true, don't consider any ports for deciding which protocol analyzer to -## use. If so, the value of :bro:see:`dpd_config` is ignored. +## use. ## ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_match_only_beginning dpd_config +## dpd_match_only_beginning const dpd_ignore_ports = F &redef; ## Ports which the core considers being likely used by servers. For ports in @@ -2913,13 +2890,6 @@ const dpd_ignore_ports = F &redef; ## connection if it misses the initial handshake. const likely_server_ports: set[port] &redef; -## Deprated. Set of all ports for which we know an analyzer, built by -## :doc:`/scripts/base/frameworks/dpd/main`. -## -## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main` -## itself we still need it. -global dpd_analyzer_ports: table[port] of set[AnalyzerTag]; - ## Per-incident timer managers are drained after this amount of inactivity. const timer_mgr_inactivity_timeout = 1 min &redef; 
@@ -3028,9 +2998,9 @@ module GLOBAL; ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; -# Load the logging framework here because it uses fairly deep integration with +# Load these frameworks here because it uses fairly deep integration with # BiFs and script-land defined types. @load base/frameworks/logging - @load base/frameworks/input +@load base/frameworks/analyzer diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 8b36899f10..590140c486 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -20,6 +20,7 @@ # loaded in base/init-bare.bro #@load base/frameworks/logging @load base/frameworks/notice +@load base/frameworks/analyzer @load base/frameworks/dpd @load base/frameworks/signatures @load base/frameworks/packet-filter diff --git a/scripts/base/protocols/conn/inactivity.bro b/scripts/base/protocols/conn/inactivity.bro index 28df192de3..b383f1ad7c 100644 --- a/scripts/base/protocols/conn/inactivity.bro +++ b/scripts/base/protocols/conn/inactivity.bro @@ -6,9 +6,9 @@ module Conn; export { ## Define inactivity timeouts by the service detected being used over ## the connection. - const analyzer_inactivity_timeouts: table[AnalyzerTag] of interval = { + const analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = { # For interactive services, allow longer periods of inactivity. - [[ANALYZER_SSH, ANALYZER_FTP]] = 1 hrs, + [[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs, } &redef; ## Define inactivity timeouts based on common protocol ports. @@ -18,7 +18,7 @@ export { } -event protocol_confirmation(c: connection, atype: count, aid: count) +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) { if ( atype in analyzer_inactivity_timeouts ) set_inactivity_timeout(c$id, analyzer_inactivity_timeouts[atype]); diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index ee0e4166da..66cdbc6241 100644 
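Review bot: The rewritten comment in the init-bare.bro hunk, `# Load these frameworks here because it uses fairly deep integration with`, no longer agrees in number with its subject now that several frameworks are listed below it; `# Load these frameworks here because they use fairly deep integration with` reads correctly. The init-default.bro hunk on this line also adds `@load base/frameworks/analyzer` although init-bare.bro now loads the same framework, so one of the two loads is redundant; the `# loaded in base/init-bare.bro` comment and the commented-out `#@load base/frameworks/logging` directly above suggest the convention is to comment such a line out rather than load it twice.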
--- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -117,19 +117,17 @@ redef capture_filters += { ["netbios-ns"] = "udp port 137", }; -const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; -redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] }; - const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp }; const dns_tcp_ports = { 53/tcp }; -redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] }; -redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] }; -redef likely_server_ports += { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; +redef likely_server_ports += { dns_udp_ports, dns_tcp_ports }; event bro_init() &priority=5 { Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]); + + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports); } function new_session(c: connection, trans_id: count): Info diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 3d7b1fe61a..e2b77e0099 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -96,11 +96,10 @@ redef record connection += { }; # Configure DPD -const ports = { 21/tcp, 2811/tcp } &redef; # 2811/tcp is GridFTP. redef capture_filters += { ["ftp"] = "port 21 and port 2811" }; -redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] }; -redef likely_server_ports += { 21/tcp, 2811/tcp }; +const ports = { 21/tcp, 2811/tcp }; +redef likely_server_ports += { ports }; # Establish the variable for tracking expected connections. global ftp_data_expected: table[addr, port] of Info &create_expire=5mins; 
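Review bot: The new `const ports = { 21/tcp, 2811/tcp };` in the ftp/main.bro hunk drops the `&redef` that the removed line carried, so a site can no longer extend the FTP port set by redefinition; the same regression appears in the smtp hunks on the next lines (the exported `const ports = { 25/tcp, 587/tcp } &redef;` becomes a module-private, non-redefinable `const`, so `SMTP::ports` is no longer reachable from other scripts either) and in the syslog hunk (`const ports = { 514/udp } &redef;` becomes `const ports = { 514/udp };`), while the ssl hunk keeps `} &redef;`. Suggest `const ports = { 21/tcp, 2811/tcp } &redef;` here and the equivalent in smtp and syslog, and keeping smtp's declaration inside `export`. The comment `# 2811/tcp is GridFTP.` was lost together with the old line and is worth carrying over, since the port is otherwise an unexplained magic value.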
@@ -108,6 +107,7 @@ global ftp_data_expected: table[addr, port] of Info &create_expire=5mins; event bro_init() &priority=5 { Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]); + Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports); } ## A set of commands where the argument can be expected to refer @@ -228,7 +228,7 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5 { c$ftp$passive=F; ftp_data_expected[data$h, data$p] = c$ftp; - expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins); + Analyzer::expect_connection(id$resp_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); } else { @@ -281,7 +281,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior data$h = id$resp_h; ftp_data_expected[data$h, data$p] = c$ftp; - expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins); + Analyzer::expect_connection(id$orig_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); } else { diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 660386f901..daf546fc82 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro 
@@ -119,29 +119,26 @@ redef record connection += { http_state: State &optional; }; -# Initialize the HTTP logging stream. -event bro_init() &priority=5 - { - Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]); - } - # DPD configuration. -const ports = { - 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp, - 8000/tcp, 8080/tcp, 8888/tcp, -}; -redef dpd_config += { - [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports], -}; redef capture_filters += { ["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)" }; -redef likely_server_ports += { - 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, +const ports = { + 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp, 8000/tcp, 8080/tcp, 8888/tcp, }; +redef likely_server_ports += { ports }; + + +# Initialize the HTTP logging stream and ports. +event bro_init() &priority=5 + { + Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]); + Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports); + } + function code_in_range(c: count, min: count, max: count) : bool { return c >= min && c <= max; diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index d07a0edf5a..621ad42826 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -104,7 +104,7 @@ event irc_dcc_message(c: connection, is_orig: bool, c$irc$dcc_file_name = argument; c$irc$dcc_file_size = size; local p = count_to_port(dest_port, tcp); - expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min); + Analyzer::expect_connection(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_FILE, 5 min); dcc_expected_transfers[address, p] = c$irc; } diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.bro index 1cf542b8ea..490c39f54f 100644 --- a/scripts/base/protocols/irc/main.bro +++ b/scripts/base/protocols/irc/main.bro 
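Review bot: The new `Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);` in the http/main.bro hunk registers only `ANALYZER_HTTP`, whereas the removed `dpd_config` entry covered both `ANALYZER_HTTP` and `ANALYZER_HTTP_BINPAC`; if dropping the binpac analyzer from port-based activation is intended, a one-line comment saying so would help, otherwise a second `register_for_ports` call for `Analyzer::ANALYZER_HTTP_BINPAC` is needed. Separately, the new `ports` set lists `3128/tcp` where the removed `likely_server_ports` entry listed `3138/tcp`, and the unchanged `capture_filters` line directly above still says `3138`; one of the two is presumably a typo (3128 is the conventional HTTP-proxy port), and the capture filter and `ports` should name the same ports, since a port that is analyzed but not captured is silently invisible.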
@@ -45,14 +45,13 @@ redef capture_filters += { ["irc-6668"] = "port 6668" }; redef capture_filters += { ["irc-6669"] = "port 6669" }; # DPD configuration. -const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; -redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] }; - -redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; +const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log]); + Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports); } function new_session(c: connection): Info diff --git a/scripts/base/protocols/modbus/main.bro b/scripts/base/protocols/modbus/main.bro index aa11c5ce07..a418873306 100644 --- a/scripts/base/protocols/modbus/main.bro +++ b/scripts/base/protocols/modbus/main.bro @@ -31,12 +31,14 @@ redef record connection += { # Configure DPD and the packet filter. redef capture_filters += { ["modbus"] = "tcp port 502" }; -redef dpd_config += { [ANALYZER_MODBUS] = [$ports = set(502/tcp)] }; -redef likely_server_ports += { 502/tcp }; + +const ports = { 502/tcp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus]); + Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports); } event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &priority=5 diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index 03b3d36a24..c7b3a452d2 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -74,9 +74,6 @@ export { const mail_path_capture = ALL_HOSTS &redef; global log_smtp: event(rec: Info); - - ## Configure the default ports for SMTP analysis. - const ports = { 25/tcp, 587/tcp } &redef; } redef record connection += { 
@@ -86,13 +83,14 @@ redef record connection += { # Configure DPD redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" }; -redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] }; -redef likely_server_ports += { 25/tcp, 587/tcp }; +const ports = { 25/tcp, 587/tcp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports); } function find_address_in_smtp_header(header: string): string diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro index df5ee69f16..a188646515 100644 --- a/scripts/base/protocols/socks/main.bro +++ b/scripts/base/protocols/socks/main.bro @@ -34,9 +34,13 @@ export { global log_socks: event(rec: Info); } +const ports = { 1080/tcp }; +redef likely_server_ports += { ports }; + event bro_init() &priority=5 { Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports); } redef record connection += { @@ -45,7 +49,6 @@ redef record connection += { # Configure DPD redef capture_filters += { ["socks"] = "tcp port 1080" }; -redef dpd_config += { [ANALYZER_SOCKS] = [$ports = set(1080/tcp)] }; redef likely_server_ports += { 1080/tcp }; function set_session(c: connection, version: count) diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index cd20f4e913..6f363eeb0e 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -76,10 +76,11 @@ export { } # Configure DPD and the packet filter -redef capture_filters += { ["ssh"] = "tcp port 22" }; -redef dpd_config += { [ANALYZER_SSH] = [$ports = set(22/tcp)] }; -redef likely_server_ports += { 22/tcp }; +const ports = { 22/tcp }; + +redef capture_filters += { ["ssh"] = "tcp port 22" }; +redef likely_server_ports += { ports }; redef record connection += { ssh: Info &optional; 
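Review bot: In the socks/main.bro hunks, the `@@ -45` hunk leaves `redef likely_server_ports += { 1080/tcp };` in place while the `@@ -34` hunk already adds `redef likely_server_ports += { ports };` with `ports = { 1080/tcp }`, so the same port is now added from two places; drop the older line so `ports` is the single source of truth, as the ssh hunk on this line does. The `# Configure DPD` comment in the `@@ -45` hunk now heads only a `capture_filters` redef, so it should be reworded or moved next to the `Analyzer::register_for_ports` call in `bro_init`.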
@@ -88,6 +89,7 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports); } function set_session(c: connection) diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index c6c4091a87..36d0c3f54d 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -94,11 +94,6 @@ redef record Info += { delay_tokens: set[string] &optional; }; -event bro_init() &priority=5 - { - Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]); - } - redef capture_filters += { ["ssl"] = "tcp port 443", ["nntps"] = "tcp port 563", @@ -117,16 +112,9 @@ redef capture_filters += { const ports = { 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp -}; +} &redef; -redef dpd_config += { - [[ANALYZER_SSL]] = [$ports = ports] -}; - -redef likely_server_ports += { - 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, - 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp -}; +redef likely_server_ports += { ports }; # A queue that buffers log records. global log_delay_queue: table[count] of Info; @@ -135,6 +123,12 @@ global log_delay_queue_head = 0; # The bottom queue index that points to the next record to be flushed. global log_delay_queue_tail = 0; +event bro_init() &priority=5 + { + Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ports); + } + function set_session(c: connection) { if ( ! c?$ssl ) 
@@ -288,14 +282,14 @@ event ssl_established(c: connection) &priority=-5 finish(c); } -event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5 +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5 { # Check by checking for existence of c$ssl record. - if ( c?$ssl && analyzer_name(atype) == "SSL" ) + if ( c?$ssl && atype == Analyzer::ANALYZER_SSL ) c$ssl$analyzer_id = aid; } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5 { if ( c?$ssl ) diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro index 61334e3f2b..8e6a807c24 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.bro @@ -27,10 +27,9 @@ export { } redef capture_filters += { ["syslog"] = "port 514" }; -const ports = { 514/udp } &redef; -redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] }; -redef likely_server_ports += { 514/udp }; +const ports = { 514/udp }; +redef likely_server_ports += { ports }; redef record connection += { syslog: Info &optional; @@ -39,6 +38,7 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(Syslog::LOG, [$columns=Info]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG_BINPAC, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 diff --git a/scripts/policy/frameworks/dpd/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.bro index 8f4e892ce4..c45486b776 100644 --- a/scripts/policy/frameworks/dpd/detect-protocols.bro +++ b/scripts/policy/frameworks/dpd/detect-protocols.bro 
@@ -21,22 +21,22 @@ export { type dir: enum { NONE, INCOMING, OUTGOING, BOTH }; - const valids: table[count, addr, port] of dir = { + const valids: table[Analyzer::Tag, addr, port] of dir = { # A couple of ports commonly used for benign HTTP servers. # For now we want to see everything. - # [ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING, # - # [ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella - # [ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella - # [ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella } &redef; # Set of analyzers for which we suppress Server_Found notices @@ -44,8 +44,8 @@ export { # log files, this also saves memory because for these we don't # need to remember which servers we already have reported, which # for some can be a lot. - const suppress_servers: set [count] = { - # ANALYZER_HTTP + const suppress_servers: set [Analyzer::Tag] = { + # Analyzer::ANALYZER_HTTP } &redef; # We consider a connection to use a protocol X if the analyzer for X 
@@ -60,7 +60,7 @@ export { # Entry point for other analyzers to report that they recognized # a certain (sub-)protocol. - global found_protocol: function(c: connection, analyzer: count, + global found_protocol: function(c: connection, analyzer: Analyzer::Tag, protocol: string); # Table keeping reported (server, port, analyzer) tuples (and their @@ -89,7 +89,7 @@ function get_protocol(c: connection, a: count) : protocol str = |str| > 0 ? fmt("%s/%s", str, p) : p; } - return [$a=analyzer_name(a), $sub=str]; + return [$a=Analyzer::name(a), $sub=str]; } function fmt_protocol(p: protocol) : string @@ -194,10 +194,10 @@ event connection_state_remove(c: connection) report_protocols(c); } -event protocol_confirmation(c: connection, atype: count, aid: count) +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) { # Don't report anything running on a well-known port. - if ( atype in dpd_config && c$id$resp_p in dpd_config[atype]$ports ) + if ( c$id$resp_p in Analyzer::registered_ports(atype) ) return; if ( c$id in conns ) @@ -214,11 +214,10 @@ event protocol_confirmation(c: connection, atype: count, aid: count) } } -function found_protocol(c: connection, analyzer: count, protocol: string) +function found_protocol(c: connection, analyzer: Analyzer::tag, protocol: string) { # Don't report anything running on a well-known port. - if ( analyzer in dpd_config && - c$id$resp_p in dpd_config[analyzer]$ports ) + if ( c$id$resp_p in Analyzer::registered_ports(atype) ) return; if ( c$id !in protocols ) diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.bro b/scripts/policy/frameworks/dpd/packet-segment-logging.bro index 3883cd1207..a605d84a74 100644 --- a/scripts/policy/frameworks/dpd/packet-segment-logging.bro +++ b/scripts/policy/frameworks/dpd/packet-segment-logging.bro 
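Review bot: `found_protocol` in the `@@ -214` hunk refers to `atype` in its new guard, `if ( c$id$resp_p in Analyzer::registered_ports(atype) )`, but its parameter is named `analyzer`, and the signature spells the type `Analyzer::tag` where every other hunk (including the `found_protocol` declaration in the `@@ -60` hunk) uses `Analyzer::Tag`; as written this presumably fails to resolve at script load. The fix is two lines: `function found_protocol(c: connection, analyzer: Analyzer::Tag, protocol: string)` and `if ( c$id$resp_p in Analyzer::registered_ports(analyzer) )`. The `@@ -89` hunk header shows `get_protocol(c: connection, a: count)` still taking a `count` while passing it to `Analyzer::name(a)`; if `Analyzer::name` expects an `Analyzer::Tag`, that signature needs the same update.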
@@ -20,7 +20,7 @@ export { } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=4 { if ( ! c?$dpd ) return; diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro index f494a30f82..4e474f76a0 100644 --- a/scripts/policy/protocols/conn/known-services.bro +++ b/scripts/policy/protocols/conn/known-services.bro @@ -87,7 +87,7 @@ function known_services_done(c: connection) event log_it(network_time(), id$resp_h, id$resp_p, c$service); } -event protocol_confirmation(c: connection, atype: count, aid: count) &priority=-5 +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=-5 { known_services_done(c); } diff --git a/src/AYIYA.cc b/src/AYIYA.cc index 79fa44e743..2154ae4b30 100644 --- a/src/AYIYA.cc +++ b/src/AYIYA.cc @@ -1,7 +1,7 @@ #include "AYIYA.h" AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn) -: Analyzer(AnalyzerTag::AYIYA, conn) +: Analyzer("AYIYA", conn) { interp = new binpac::AYIYA::AYIYA_Conn(this); } diff --git a/src/AYIYA.h b/src/AYIYA.h index 79b41553c7..f6025b709f 100644 --- a/src/AYIYA.h +++ b/src/AYIYA.h @@ -3,7 +3,7 @@ #include "ayiya_pac.h" -class AYIYA_Analyzer : public Analyzer { +class AYIYA_Analyzer : public analyzer::Analyzer { public: AYIYA_Analyzer(Connection* conn); virtual ~AYIYA_Analyzer(); @@ -12,7 +12,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new AYIYA_Analyzer(conn); } static bool Available() diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h deleted file mode 100644 index 38e47cf8fc..0000000000 --- a/src/AnalyzerTags.h +++ /dev/null 
@@ -1,57 +0,0 @@ -#ifndef ANALYZERTAGS_H -#define ANALYZERTAGS_H - -// Each kind of analyzer gets a tag. When adding an analyzer here, also adapt -// the table of analyzers in Analyzer.cc. -// -// Using a namespace here is kind of a hack: ideally this would be in "class -// Analyzer {...}". But then we'd have circular dependencies across the header -// files. - -#include "util.h" - -typedef uint32 AnalyzerID; - -namespace AnalyzerTag { - enum Tag { - Error = 0, // used as error code - - // Analyzer in charge of protocol detection. - PIA_TCP, PIA_UDP, - - // Transport-layer analyzers. - ICMP, TCP, UDP, - - // Application-layer analyzers (hand-written). - BitTorrent, BitTorrentTracker, - DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC, - Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin, - RPC, Rsh, SMB, SMTP, SSH, - Telnet, - - // Application-layer analyzers, binpac-generated. - DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC, - HTTP_BINPAC, SSL, SYSLOG_BINPAC, - Modbus, - - // Decapsulation analyzers. - AYIYA, - SOCKS, - Teredo, - GTPv1, - - // Other - File, Backdoor, InterConn, SteppingStone, TCPStats, - ConnSize, - - // Support-analyzers - Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP, - Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh, - Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS, - FTP_ADAT, - // End-marker. - LastAnalyzer - }; -}; - -#endif diff --git a/src/BackDoor.cc b/src/BackDoor.cc index c218a98ce2..333dc9c806 100644 --- a/src/BackDoor.cc +++ b/src/BackDoor.cc @@ -681,7 +681,7 @@ int BackDoorEndpoint::CheckForString(const char* str, BackDoor_Analyzer::BackDoor_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::Backdoor, c) +: TCP_ApplicationAnalyzer("BACKDOOR", c) { orig_endp = resp_endp = 0; diff --git a/src/BackDoor.h b/src/BackDoor.h index 40ea3bbaa3..2286138239 100644 --- a/src/BackDoor.h +++ b/src/BackDoor.h 
@@ -71,7 +71,7 @@ public: virtual void Done(); void StatTimer(double t, int is_expire); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BackDoor_Analyzer(conn); } static bool Available() diff --git a/src/Base64.cc b/src/Base64.cc index d3abd9b563..cef11dab92 100644 --- a/src/Base64.cc +++ b/src/Base64.cc @@ -84,7 +84,7 @@ int* Base64Converter::InitBase64Table(const string& alphabet) -Base64Converter::Base64Converter(Analyzer* arg_analyzer, const string& arg_alphabet) +Base64Converter::Base64Converter(analyzer::Analyzer* arg_analyzer, const string& arg_alphabet) { if ( arg_alphabet.size() > 0 ) { diff --git a/src/Base64.h b/src/Base64.h index 8cfeffde74..d7e4384ac5 100644 --- a/src/Base64.h +++ b/src/Base64.h @@ -7,7 +7,8 @@ #include "util.h" #include "BroString.h" -#include "Analyzer.h" +#include "Reporter.h" +#include "analyzer/Analyzer.h" // Maybe we should have a base class for generic decoders? class Base64Converter { @@ -15,7 +16,7 @@ public: // is used for error reporting, and it should be zero when // the decoder is called by the built-in function decode_base64() or encode_base64(). // Empty alphabet indicates the default base64 alphabet. - Base64Converter(Analyzer* analyzer, const string& alphabet = ""); + Base64Converter(analyzer::Analyzer* analyzer, const string& alphabet = ""); ~Base64Converter(); // A note on Decode(): @@ -62,7 +63,7 @@ protected: int base64_after_padding; int* base64_table; int errored; // if true, we encountered an error - skip further processing - Analyzer* analyzer; + analyzer::Analyzer* analyzer; }; diff --git a/src/BitTorrent.cc b/src/BitTorrent.cc index fa8fb09e43..de033cbbe7 100644 --- a/src/BitTorrent.cc +++ b/src/BitTorrent.cc 
@@ -4,7 +4,7 @@ #include "TCP_Reassembler.h" BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrent, c) +: TCP_ApplicationAnalyzer("BITTORRENT", c) { interp = new binpac::BitTorrent::BitTorrent_Conn(this); stop_orig = stop_resp = false; diff --git a/src/BitTorrent.h b/src/BitTorrent.h index f083cf4fc7..eb2aeb422e 100644 --- a/src/BitTorrent.h +++ b/src/BitTorrent.h @@ -17,7 +17,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BitTorrent_Analyzer(conn); } static bool Available() diff --git a/src/BitTorrentTracker.cc b/src/BitTorrentTracker.cc index 12c5a199de..81b97f44d4 100644 --- a/src/BitTorrentTracker.cc +++ b/src/BitTorrentTracker.cc @@ -18,7 +18,7 @@ static RecordType* bittorrent_benc_value; static TableType* bittorrent_benc_dir; BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrentTracker, c) +: TCP_ApplicationAnalyzer("BITTORRENT", c) { if ( ! bt_tracker_headers ) { diff --git a/src/BitTorrentTracker.h b/src/BitTorrentTracker.h index 3b9efe0430..cc17d98af3 100644 --- a/src/BitTorrentTracker.h +++ b/src/BitTorrentTracker.h @@ -50,7 +50,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BitTorrentTracker_Analyzer(conn); } static bool Available() diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 83a018ccde..318a014a19 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -141,6 +141,7 @@ macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar) endmacro(GET_BIF_OUTPUT_FILES) set(BIF_SRCS + analyzer.bif bro.bif logging.bif input.bif 
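Review bot: `BitTorrentTracker_Analyzer` in the BitTorrentTracker.cc hunk is constructed with the name `"BITTORRENT"`, the same string `BitTorrent_Analyzer` passes in the BitTorrent.cc hunk at the top of this line, whereas before the change the two had distinct tags (`AnalyzerTag::BitTorrent` vs `AnalyzerTag::BitTorrentTracker`). If the name is now the key into the analyzer registry (the CMakeLists hunk adds `analyzer/Tag.cc` and `analyzer/BuiltinAnalyzers.cc`), the tracker will be looked up, reported and port-registered as the plain BitTorrent analyzer; it should pass the distinct name under which the tracker is registered (whatever the registry uses, e.g. a `"<tracker analyzer name>"` placeholder until confirmed). A startup check in the registry that rejects duplicate names would catch this class of copy-paste error.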
@@ -283,7 +284,6 @@ set(bro_SRCS net_util.cc util.cc module_util.cc - Analyzer.cc Anon.cc ARP.cc Attr.cc @@ -318,7 +318,6 @@ set(bro_SRCS Desc.cc Dict.cc Discard.cc - DPM.cc EquivClass.cc Event.cc EventHandler.cc @@ -447,6 +446,16 @@ set(bro_SRCS input/readers/Raw.cc input/readers/Benchmark.cc + plugin/Component.cc + plugin/Manager.cc + plugin/Plugin.cc + + analyzer/Analyzer.cc + analyzer/BuiltinAnalyzers.cc + analyzer/Manager.cc + analyzer/PluginComponent.cc + analyzer/Tag.cc + nb_dns.c digest.h ) diff --git a/src/Conn.cc b/src/Conn.cc index bc2e7fb5cf..e7687c5464 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -14,6 +14,7 @@ #include "PIA.h" #include "binpac.h" #include "TunnelEncapsulation.h" +#include "analyzer/Analyzer.h" void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer, int arg_do_expire) @@ -402,16 +403,21 @@ RecordVal* Connection::BuildConnVal() return conn_val; } -Analyzer* Connection::FindAnalyzer(AnalyzerID id) +analyzer::Analyzer* Connection::FindAnalyzer(analyzer::ID id) { return root_analyzer ? root_analyzer->FindChild(id) : 0; } -Analyzer* Connection::FindAnalyzer(AnalyzerTag::Tag tag) +analyzer::Analyzer* Connection::FindAnalyzer(analyzer::Tag tag) { return root_analyzer ? root_analyzer->FindChild(tag) : 0; } +analyzer::Analyzer* Connection::FindAnalyzer(const string& name) + { + return root_analyzer->FindChild(name); + } + void Connection::AppendAddl(const char* str) { Unref(BuildConnVal()); @@ -540,7 +546,7 @@ Val* Connection::BuildVersionVal(const char* s, int len) } int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len, - Analyzer* analyzer) + analyzer::Analyzer* analyzer) { if ( ! software_version_found && ! software_parse_error ) return 1; 
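Review bot: The new `Connection::FindAnalyzer(const string& name)` overload in the `@@ -402` hunk dereferences `root_analyzer` unconditionally, while the two sibling overloads directly above it guard with `root_analyzer ? ... : 0`; a call before `SetRootAnalyzer()` has run, or after the root has been torn down, is a null-pointer dereference. Make it match the siblings: `return root_analyzer ? root_analyzer->FindChild(name) : 0;`.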
@@ -578,7 +584,7 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len, } int Connection::UnparsedVersionFoundEvent(const IPAddr& addr, - const char* full, int len, Analyzer* analyzer) + const char* full, int len, analyzer::Analyzer* analyzer) { // Skip leading white space. while ( len && isspace(*full) ) @@ -602,7 +608,7 @@ int Connection::UnparsedVersionFoundEvent(const IPAddr& addr, return 1; } -void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, const char* name) +void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name) { if ( ! f ) return; @@ -615,7 +621,7 @@ void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, const char* name) ConnectionEvent(f, analyzer, vl); } -void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2) +void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2) { if ( ! f ) { @@ -634,7 +640,7 @@ void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2) ConnectionEvent(f, analyzer, vl); } -void Connection::ConnectionEvent(EventHandlerPtr f, Analyzer* a, val_list* vl) +void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl) { if ( ! f ) { @@ -929,7 +935,7 @@ error: return false; } -void Connection::SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia) +void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia) { root_analyzer = analyzer; primary_PIA = pia; diff --git a/src/Conn.h b/src/Conn.h index 782d41a801..1989ce0b43 100644 --- a/src/Conn.h +++ b/src/Conn.h 
@@ -11,19 +11,22 @@ #include "Serializer.h" #include "PersistenceSerializer.h" #include "RuleMatcher.h" -#include "AnalyzerTags.h" #include "IPAddr.h" #include "TunnelEncapsulation.h" +#include "analyzer/Tag.h" +#include "analyzer/Analyzer.h" + class Connection; class ConnectionTimer; class NetSessions; class LoginConn; class RuleHdrTest; class Specific_RE_Matcher; -class TransportLayerAnalyzer; class RuleEndpointState; +namespace analyzer { class TransportLayerAnalyzer; } + typedef enum { NUL_IN_LINE, SINGULAR_CR, @@ -47,7 +50,7 @@ static inline int addr_port_canon_lt(const IPAddr& addr1, uint32 p1, return addr1 < addr2 || (addr1 == addr2 && p1 < p2); } -class Analyzer; +namespace analyzer { class Analyzer; } class Connection : public BroObj { public: @@ -102,8 +105,9 @@ public: void FlipRoles(); - Analyzer* FindAnalyzer(AnalyzerID id); - Analyzer* FindAnalyzer(AnalyzerTag::Tag tag); // find first in tree. + analyzer::Analyzer* FindAnalyzer(analyzer::ID id); + analyzer::Analyzer* FindAnalyzer(analyzer::Tag tag); // find first in tree. + analyzer::Analyzer* FindAnalyzer(const string& name); // find first in tree. TransportProto ConnTransport() const { return proto; } 
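Review bot: The Conn.h hunks add `#include "analyzer/Analyzer.h"` and, right after it, the forward declarations `namespace analyzer { class TransportLayerAnalyzer; }` and `namespace analyzer { class Analyzer; }`, which the include already provides; the old file got by with forward declarations alone, and the Conn.cc hunk already gains its own `#include "analyzer/Analyzer.h"`. Keeping `analyzer/Tag.h` plus the two forward declarations and dropping the full include from the header would keep Conn.h lighter for every translation unit that includes it, and avoids a possible include cycle if Analyzer.h in turn includes Conn.h (not visible here).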
@@ -161,15 +165,15 @@ public: // Raises a software_version_found event based on the // given string (returns false if it's not parseable). int VersionFoundEvent(const IPAddr& addr, const char* s, int len, - Analyzer* analyzer = 0); + analyzer::Analyzer* analyzer = 0); // Raises a software_unparsed_version_found event. int UnparsedVersionFoundEvent(const IPAddr& addr, - const char* full_descr, int len, Analyzer* analyzer); + const char* full_descr, int len, analyzer::Analyzer* analyzer); - void Event(EventHandlerPtr f, Analyzer* analyzer, const char* name = 0); - void Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2 = 0); - void ConnectionEvent(EventHandlerPtr f, Analyzer* analyzer, + void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name = 0); + void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = 0); + void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer, val_list* vl); void Weird(const char* name, const char* addl = ""); @@ -241,8 +245,8 @@ public: void DeleteTimer(double t); // Sets the root of the analyzer tree as well as the primary PIA. - void SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia); - TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; } + void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia); + analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; } PIA* GetPrimaryPIA() { return primary_PIA; } // Sets the transport protocol in use. @@ -314,7 +318,7 @@ protected: string history; uint32 hist_seen; - TransportLayerAnalyzer* root_analyzer; + analyzer::TransportLayerAnalyzer* root_analyzer; PIA* primary_PIA; uint64 uid; // Globally unique connection ID. diff --git a/src/ConnSizeAnalyzer.cc b/src/ConnSizeAnalyzer.cc index a1b892f4db..82672dba7c 100644 --- a/src/ConnSizeAnalyzer.cc +++ b/src/ConnSizeAnalyzer.cc 
@@ -9,7 +9,7 @@ ConnSize_Analyzer::ConnSize_Analyzer(Connection* c) -: Analyzer(AnalyzerTag::ConnSize, c) +: Analyzer("CONNSIZE", c) { } diff --git a/src/ConnSizeAnalyzer.h b/src/ConnSizeAnalyzer.h index 1fdd57bb15..23f7975617 100644 --- a/src/ConnSizeAnalyzer.h +++ b/src/ConnSizeAnalyzer.h @@ -4,11 +4,11 @@ #ifndef CONNSTATS_H #define CONNSTATS_H -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "NetVar.h" -class ConnSize_Analyzer : public Analyzer { +class ConnSize_Analyzer : public analyzer::Analyzer { public: ConnSize_Analyzer(Connection* c); virtual ~ConnSize_Analyzer(); @@ -20,7 +20,7 @@ public: virtual void UpdateConnVal(RecordVal *conn_val); virtual void FlipRoles(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ConnSize_Analyzer(conn); } static bool Available() { return BifConst::use_conn_size_analyzer ; } diff --git a/src/ContentLine.cc b/src/ContentLine.cc index 5601694e1d..2a79272cbd 100644 --- a/src/ContentLine.cc +++ b/src/ContentLine.cc @@ -4,14 +4,13 @@ #include "TCP.h" ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig) -: TCP_SupportAnalyzer(AnalyzerTag::ContentLine, conn, orig) +: TCP_SupportAnalyzer("CONTENTLINE", conn, orig) { InitState(); } -ContentLine_Analyzer::ContentLine_Analyzer(AnalyzerTag::Tag tag, - Connection* conn, bool orig) -: TCP_SupportAnalyzer(tag, conn, orig) +ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig) +: TCP_SupportAnalyzer(name, conn, orig) { InitState(); } diff --git a/src/ContentLine.h b/src/ContentLine.h index 5e9f01945f..849f457075 100644 --- a/src/ContentLine.h +++ b/src/ContentLine.h 
@@ -55,7 +55,7 @@ public: { return seq + length <= seq_to_skip; } protected: - ContentLine_Analyzer(AnalyzerTag::Tag tag, Connection* conn, bool orig); + ContentLine_Analyzer(const char* name, Connection* conn, bool orig); virtual void DeliverStream(int len, const u_char* data, bool is_orig); virtual void Undelivered(int seq, int len, bool orig); diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc index 21cb3be9a0..0cb9ab3c3f 100644 --- a/src/DCE_RPC.cc +++ b/src/DCE_RPC.cc @@ -10,7 +10,8 @@ using namespace std; #include "DCE_RPC.h" #include "Sessions.h" -#include "DPM.h" + +#include "analyzer/Manager.h" #define xbyte(b, n) (((const u_char*) (b))[n]) @@ -160,11 +161,11 @@ static void add_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr, // of the dce_rpc_endpoints table. // FIXME: Don't hard-code the timeout. - dpm->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto, - AnalyzerTag::DCE_RPC, 5 * 60, 0); + analyzer_mgr->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto, + "DCE_RPC", 5 * 60, 0); } -DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b) +DCE_RPC_Header::DCE_RPC_Header(analyzer::Analyzer* a, const u_char* b) { analyzer = a; bytes = b; @@ -183,7 +184,7 @@ DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b) frag_len = extract_uint16(LittleEndian(), bytes + 8); } -DCE_RPC_Session::DCE_RPC_Session(Analyzer* a) +DCE_RPC_Session::DCE_RPC_Session(analyzer::Analyzer* a) : analyzer(a), if_uuid("00000000-0000-0000-0000-000000000000"), if_id(BifEnum::DCE_RPC_unknown_if) @@ -442,7 +443,7 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse( Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* arg_session, bool speculative) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_DCE_RPC, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig) { session = arg_session; msg_buf = 0; 
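Review bot: The analyzer passed to `analyzer_mgr->ExpectConnection(...)` is now the free-form literal `"DCE_RPC"`, which has to stay byte-identical to the name given in the DCE_RPC_Analyzer constructor (`TCP_ApplicationAnalyzer("DCE_RPC", conn)`) in the next hunk of this file for the scheduled analyzer to resolve; with the old `AnalyzerTag::DCE_RPC` a mismatch was a compile error, with a string it is a silent runtime miss. A file-local constant used at both sites, e.g. `static const char* const dce_rpc_analyzer_name = "DCE_RPC";`, keeps them in sync, and if ExpectConnection reports whether the name resolved (not visible here) that result should not be discarded. The same name-matching dependency applies to `Parent()->IsAnalyzer("SSL")` in FTP.cc and `Parent()->IsAnalyzer("TCP")` in Gnutella.cc, where a mistyped name would silently disable the guarded branch. The body of add_dce_rpc_endpoint continues outside the hunk.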
@@ -566,7 +567,7 @@ bool Contents_DCE_RPC_Analyzer::ParseHeader()
 }
 DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative)
-: TCP_ApplicationAnalyzer(AnalyzerTag::DCE_RPC, conn)
+: TCP_ApplicationAnalyzer("DCE_RPC", conn)
 {
 session = new DCE_RPC_Session(this);
 speculative = arg_speculative;
diff --git a/src/DCE_RPC.h b/src/DCE_RPC.h
index acdbf1637d..cfffc73c4e 100644
--- a/src/DCE_RPC.h
+++ b/src/DCE_RPC.h
@@ -88,7 +88,7 @@ enum DCE_RPC_PTYPE {
 class DCE_RPC_Header {
 public:
- DCE_RPC_Header(Analyzer* a, const u_char* bytes);
+ DCE_RPC_Header(analyzer::Analyzer* a, const u_char* bytes);
 BifEnum::dce_rpc_ptype PTYPE() const { return ptype; }
 int FragLen() const { return frag_len; }
@@ -99,7 +99,7 @@ public:
 void SetBytes(const u_char* b) { bytes = b; }
 protected:
- Analyzer* analyzer;
+ analyzer::Analyzer* analyzer;
 const u_char* bytes;
 BifEnum::dce_rpc_ptype ptype;
 int frag_len;
@@ -112,7 +112,7 @@ protected:
 class DCE_RPC_Session {
 public:
- DCE_RPC_Session(Analyzer* a);
+ DCE_RPC_Session(analyzer::Analyzer* a);
 virtual ~DCE_RPC_Session() {}
 virtual void DeliverPDU(int is_orig, int len, const u_char* data);
@@ -135,7 +135,7 @@ protected:
 const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu, const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp);
- Analyzer* analyzer;
+ analyzer::Analyzer* analyzer;
 UUID if_uuid;
 BifEnum::dce_rpc_if_id if_id;
 int opnum;
@@ -174,7 +174,7 @@ public:
 DCE_RPC_Analyzer(Connection* conn, bool speculative = false);
 ~DCE_RPC_Analyzer();
- static Analyzer* InstantiateAnalyzer(Connection* conn)
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 { return new DCE_RPC_Analyzer(conn); }
 static bool Available()
diff --git a/src/DHCP-binpac.cc b/src/DHCP-binpac.cc
index 2aec6e6e9f..d2847966ae 100644
--- a/src/DHCP-binpac.cc
+++ b/src/DHCP-binpac.cc
@@ -1,7 +1,7 @@
 #include "DHCP-binpac.h"
 DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn)
-: Analyzer(AnalyzerTag::DHCP_BINPAC, conn)
+: Analyzer("DHCP", conn)
 {
 interp = new binpac::DHCP::DHCP_Conn(this);
 }
diff --git a/src/DHCP-binpac.h b/src/DHCP-binpac.h
index 06ddff3bb6..a3890b399d 100644
--- a/src/DHCP-binpac.h
+++ b/src/DHCP-binpac.h
@@ -6,7 +6,7 @@
 #include "dhcp_pac.h"
-class DHCP_Analyzer_binpac : public Analyzer {
+class DHCP_Analyzer_binpac : public analyzer::Analyzer {
 public:
 DHCP_Analyzer_binpac(Connection* conn);
 virtual ~DHCP_Analyzer_binpac();
@@ -15,7 +15,7 @@ public:
 virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen);
- static Analyzer* InstantiateAnalyzer(Connection* conn)
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 { return new DHCP_Analyzer_binpac(conn); }
 static bool Available()
diff --git a/src/DNS-binpac.cc b/src/DNS-binpac.cc
index 999f6015c0..4ab84d1cfe 100644
--- a/src/DNS-binpac.cc
+++ b/src/DNS-binpac.cc
@@ -2,7 +2,7 @@
 #include "TCP_Reassembler.h"
 DNS_UDP_Analyzer_binpac::DNS_UDP_Analyzer_binpac(Connection* conn)
-: Analyzer(AnalyzerTag::DNS_UDP_BINPAC, conn)
+: Analyzer("DNS_UDP_BINPAC", conn)
 {
 interp = new binpac::DNS::DNS_Conn(this);
 did_session_done = 0;
@@ -45,7 +45,7 @@ void DNS_UDP_Analyzer_binpac::ExpireTimer(double t)
 }
 DNS_TCP_Analyzer_binpac::DNS_TCP_Analyzer_binpac(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::DNS_TCP_BINPAC, conn)
+: TCP_ApplicationAnalyzer("DNS_TCP_BINPAC", conn)
 {
 interp = new binpac::DNS_on_TCP::DNS_TCP_Conn(this);
 }
diff --git a/src/DNS-binpac.h b/src/DNS-binpac.h
index 0bbacf9192..2f241b89ae 100644
--- a/src/DNS-binpac.h
+++ b/src/DNS-binpac.h
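Review bot: `Analyzer("DHCP", conn)` drops the `_BINPAC` suffix that the same commit keeps for `"DNS_UDP_BINPAC"`, `"DNS_TCP_BINPAC"` and, later, `"HTTP_BINPAC"`, so the DHCP analyzer's name no longer follows the pattern used for the other binpac analyzers. If that is deliberate, because there is no non-binpac DHCP analyzer to tell apart (not visible here), a one-line comment on the constructor stating that reason would stop a later reader from "correcting" it to `"DHCP_BINPAC"`; if it is not deliberate, the name should match the others.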
@@ -11,7 +11,7 @@
 // change that easily? (Ideally, the TCP preprocessing would become a
 // support-analyzer as it is done for the traditional DNS analyzer.)
-class DNS_UDP_Analyzer_binpac : public Analyzer {
+class DNS_UDP_Analyzer_binpac : public analyzer::Analyzer {
 public:
 DNS_UDP_Analyzer_binpac(Connection* conn);
 virtual ~DNS_UDP_Analyzer_binpac();
@@ -20,7 +20,7 @@ public:
 virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen);
- static Analyzer* InstantiateAnalyzer(Connection* conn)
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 { return new DNS_UDP_Analyzer_binpac(conn); }
 static bool Available()
@@ -47,7 +47,7 @@ public:
 virtual void Undelivered(int seq, int len, bool orig);
 virtual void EndpointEOF(bool is_orig);
- static Analyzer* InstantiateAnalyzer(Connection* conn)
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 { return new DNS_TCP_Analyzer_binpac(conn); }
 static bool Available()
diff --git a/src/DNS.cc b/src/DNS.cc
index a3b0b62ef3..7cab27c4b9 100644
--- a/src/DNS.cc
+++ b/src/DNS.cc
@@ -12,7 +12,7 @@
 #include "Sessions.h"
 #include "Event.h"
-DNS_Interpreter::DNS_Interpreter(Analyzer* arg_analyzer)
+DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer)
 {
 analyzer = arg_analyzer;
 }
@@ -993,7 +993,7 @@ Val* DNS_MsgInfo::BuildTSIG_Val()
 Contents_DNS::Contents_DNS(Connection* conn, bool orig, DNS_Interpreter* arg_interp)
-: TCP_SupportAnalyzer(AnalyzerTag::Contents_DNS, conn, orig)
+: TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
 {
 interp = arg_interp;
@@ -1080,7 +1080,7 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig)
 }
 DNS_Analyzer::DNS_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::DNS, conn)
+: TCP_ApplicationAnalyzer("DNS", conn)
 {
 interp = new DNS_Interpreter(this);
 contents_dns_orig = contents_dns_resp = 0;
diff --git a/src/DNS.h b/src/DNS.h
index 83ca80911e..28e68cccad 100644
--- a/src/DNS.h
+++ b/src/DNS.h
@@ -149,7 +149,7 @@ public:
 class DNS_Interpreter {
 public:
- DNS_Interpreter(Analyzer* analyzer);
+ DNS_Interpreter(analyzer::Analyzer* analyzer);
 int ParseMessage(const u_char* data, int len, int is_query);
@@ -217,7 +217,7 @@ protected:
 const u_char*& data, int& len, BroString* question_name);
- Analyzer* analyzer;
+ analyzer::Analyzer* analyzer;
 };
@@ -266,7 +266,7 @@ public:
 void ExpireTimer(double t);
- static Analyzer* InstantiateAnalyzer(Connection* conn)
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 { return new DNS_Analyzer(conn); }
 static bool Available()
diff --git a/src/DPM.cc b/src/DPM.cc
deleted file mode 100644
index d7e5cd25ef..0000000000
--- a/src/DPM.cc
+++ /dev/null
@@ -1,407 +0,0 @@ -#include "DPM.h" -#include "PIA.h" -#include "Hash.h" -#include "ICMP.h" -#include "UDP.h" -#include "TCP.h" -#include "Val.h" -#include "BackDoor.h" -#include "InterConn.h" -#include "SteppingStone.h" -#include "ConnSizeAnalyzer.h" - - -ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, - uint16 _resp_p, uint16 _proto) - { - if ( _orig == IPAddr(string("0.0.0.0")) ) - // don't use the IPv4 mapping, use the literal unspecified address - // to indicate a wildcard - orig = IPAddr(string("::")); - else - orig = _orig; - resp = _resp; - resp_p = _resp_p; - proto = _proto; - } - -ExpectedConn::ExpectedConn(const ExpectedConn& c) - { - orig = c.orig; - resp = c.resp; - resp_p = c.resp_p; - proto = c.proto; - } - -DPM::DPM() -: expected_conns_queue(AssignedAnalyzer::compare) - { - } - -DPM::~DPM() - { - delete [] active_analyzers; - } - -void DPM::PreScriptInit() - { - for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ ) - { - // Create IDs ANALYZER_*. - ID* id = install_ID(fmt("ANALYZER_%s", - Analyzer::analyzer_configs[i].name), - GLOBAL_MODULE_NAME, true, false); - assert(id); - id->SetVal(new Val(i, TYPE_COUNT)); - id->SetType(id->ID_Val()->Type()->Ref()); - } - } - -void DPM::PostScriptInit() - { - active_analyzers = new bool[int(AnalyzerTag::LastAnalyzer)]; - - for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ ) - { - if ( ! 
Analyzer::analyzer_configs[i].available ) - continue; - - active_analyzers[i] = Analyzer::analyzer_configs[i].available(); - if ( active_analyzers[i] ) - AddConfig(Analyzer::analyzer_configs[i]); - } - } - -void DPM::AddConfig(const Analyzer::Config& cfg) - { -#ifdef USE_PERFTOOLS_DEBUG - HeapLeakChecker::Disabler disabler; -#endif - - Val* index = new Val(cfg.tag, TYPE_COUNT); - Val* v = dpd_config->Lookup(index); - -#ifdef DEBUG - ODesc desc; -#endif - if ( v ) - { - RecordVal* cfg_record = v->AsRecordVal(); - Val* ports = cfg_record->Lookup(0); - - if ( ports ) - { - ListVal* plist = ports->AsTableVal()->ConvertToPureList(); - - for ( int i = 0; i< plist->Length(); ++i ) - { - PortVal* port = plist->Index(i)->AsPortVal(); - - analyzer_map* ports = - port->IsTCP() ? &tcp_ports : &udp_ports; - - analyzer_map::iterator j = - ports->find(port->Port()); - - if ( j == ports->end() ) - { - tag_list* analyzers = new tag_list; - analyzers->push_back(cfg.tag); - ports->insert(analyzer_map::value_type(port->Port(), analyzers)); - } - else - j->second->push_back(cfg.tag); - -#ifdef DEBUG - port->Describe(&desc); - desc.SP(); -#endif - } - } - } - - DBG_LOG(DBG_DPD, "%s analyzer active on port(s) %s", cfg.name, desc.Description()); - - Unref(index); - } - -AnalyzerTag::Tag DPM::GetExpected(int proto, const Connection* conn) - { - if ( ! expected_conns.Length() ) - return AnalyzerTag::Error; - - ExpectedConn c(conn->OrigAddr(), conn->RespAddr(), - ntohs(conn->RespPort()), proto); - - HashKey* key = BuildExpectedConnHashKey(c); - AssignedAnalyzer* a = expected_conns.Lookup(key); - delete key; - - if ( ! a ) - { - // Wildcard for originator. - c.orig = IPAddr(string("::")); - - HashKey* key = BuildExpectedConnHashKey(c); - a = expected_conns.Lookup(key); - delete key; - } - - if ( ! a ) - return AnalyzerTag::Error; - - // We don't delete it here. It will be expired eventually. 
- return a->analyzer; - } - -bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, - const u_char* data) - { - TCP_Analyzer* tcp = 0; - UDP_Analyzer* udp = 0; - ICMP_Analyzer* icmp = 0; - TransportLayerAnalyzer* root = 0; - AnalyzerTag::Tag expected = AnalyzerTag::Error; - analyzer_map* ports = 0; - PIA* pia = 0; - bool analyzed = false; - - switch ( proto ) { - - case TRANSPORT_TCP: - root = tcp = new TCP_Analyzer(conn); - pia = new PIA_TCP(conn); - expected = GetExpected(proto, conn); - ports = &tcp_ports; - DBG_DPD(conn, "activated TCP analyzer"); - break; - - case TRANSPORT_UDP: - root = udp = new UDP_Analyzer(conn); - pia = new PIA_UDP(conn); - expected = GetExpected(proto, conn); - ports = &udp_ports; - DBG_DPD(conn, "activated UDP analyzer"); - break; - - case TRANSPORT_ICMP: { - root = icmp = new ICMP_Analyzer(conn); - DBG_DPD(conn, "activated ICMP analyzer"); - analyzed = true; - break; - } - - default: - reporter->InternalError("unknown protocol"); - } - - if ( ! root ) - { - DBG_DPD(conn, "cannot build analyzer tree"); - return false; - } - - // Any scheduled analyzer? - if ( expected != AnalyzerTag::Error ) - { - Analyzer* analyzer = - Analyzer::InstantiateAnalyzer(expected, conn); - root->AddChildAnalyzer(analyzer, false); - DBG_DPD_ARGS(conn, "activated %s analyzer as scheduled", - Analyzer::GetTagName(expected)); - - // Hmm... Do we want *just* the expected analyzer, or all - // other potential analyzers as well? For now we only take - // the scheduled one. - } - - else - { // Let's see if it's a port we know. - if ( ports && ! 
dpd_ignore_ports ) - { - analyzer_map::const_iterator i = - ports->find(ntohs(conn->RespPort())); - - if ( i != ports->end() ) - { - tag_list* analyzers = i->second; - for ( tag_list::const_iterator j = analyzers->begin(); - j != analyzers->end(); j++ ) - { - Analyzer* analyzer = - Analyzer::InstantiateAnalyzer(*j, conn); - - root->AddChildAnalyzer(analyzer, false); - DBG_DPD_ARGS(conn, "activated %s analyzer due to port %d", Analyzer::GetTagName(*j), conn->RespPort()); - } - } - } - } - - if ( tcp ) - { - // We have to decide whether to reassamble the stream. - // We turn it on right away if we already have an app-layer - // analyzer, reassemble_first_packets is true, or the user - // asks us to do so. In all other cases, reassembly may - // be turned on later by the TCP PIA. - - bool reass = root->GetChildren().size() || - dpd_reassemble_first_packets || - tcp_content_deliver_all_orig || - tcp_content_deliver_all_resp; - - if ( tcp_contents && ! reass ) - { - PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP); - Val* result; - - if ( ! reass ) - reass = tcp_content_delivery_ports_orig->Lookup(&dport); - - if ( ! reass ) - reass = tcp_content_delivery_ports_resp->Lookup(&dport); - } - - if ( reass ) - tcp->EnableReassembly(); - - // Add a BackDoor analyzer if requested. This analyzer - // can handle both reassembled and non-reassembled input. - if ( BackDoor_Analyzer::Available() ) - { - BackDoor_Analyzer* bd = new BackDoor_Analyzer(conn); - tcp->AddChildAnalyzer(bd, false); - } - - // Add a InterConn analyzer if requested. This analyzer - // can handle both reassembled and non-reassembled input. - if ( InterConn_Analyzer::Available() ) - { - InterConn_Analyzer* bd = new InterConn_Analyzer(conn); - tcp->AddChildAnalyzer(bd, false); - } - - // Add a SteppingStone analyzer if requested. The port - // should really not be hardcoded here, but as it can - // handle non-reassembled data, it doesn't really fit into - // our general framing ... 
Better would be to turn it - // on *after* we discover we have interactive traffic. - uint16 resp_port = ntohs(conn->RespPort()); - if ( SteppingStone_Analyzer::Available() && - (resp_port == 22 || resp_port == 23 || resp_port == 513) ) - { - AddrVal src(conn->OrigAddr()); - if ( ! stp_skip_src->Lookup(&src) ) - { - SteppingStone_Analyzer* bd = - new SteppingStone_Analyzer(conn); - tcp->AddChildAnalyzer(bd, false); - } - } - - // Add TCPStats analyzer. This needs to see packets so - // we cannot add it as a normal child. - if ( TCPStats_Analyzer::Available() ) - tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn)); - - // Add ConnSize analyzer. Needs to see packets, not stream. - if ( ConnSize_Analyzer::Available() ) - tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn)); - } - - else - { - if ( ConnSize_Analyzer::Available() ) - root->AddChildAnalyzer(new ConnSize_Analyzer(conn), false); - } - - if ( pia ) - root->AddChildAnalyzer(pia->AsAnalyzer(), false); - - if ( root->GetChildren().size() ) - analyzed = true; - - conn->SetRootAnalyzer(root, pia); - root->Init(); - root->InitChildren(); - - if ( ! analyzed ) - conn->SetLifetime(non_analyzed_lifetime); - - if ( expected != AnalyzerTag::Error ) - conn->Event(expected_connection_seen, 0, - new Val(expected, TYPE_COUNT)); - - return true; - } - -void DPM::ExpectConnection(const IPAddr& orig, const IPAddr& resp, - uint16 resp_p, - TransportProto proto, AnalyzerTag::Tag analyzer, - double timeout, void* cookie) - { - // Use the chance to see if the oldest entry is already expired. - if ( expected_conns_queue.size() ) - { - AssignedAnalyzer* a = expected_conns_queue.top(); - if ( a->timeout < network_time ) - { - if ( ! 
a->deleted ) - { - HashKey* key = BuildExpectedConnHashKey(a->conn); - expected_conns.Remove(key); - delete key; - } - - expected_conns_queue.pop(); - - DBG_LOG(DBG_DPD, "Expired expected %s analyzer for %s", - Analyzer::GetTagName(analyzer), - fmt_conn_id(a->conn.orig, 0, - a->conn.resp, - a->conn.resp_p)); - - delete a; - } - } - - ExpectedConn c(orig, resp, resp_p, proto); - - HashKey* key = BuildExpectedConnHashKey(c); - - AssignedAnalyzer* a = expected_conns.Lookup(key); - - if ( a ) - a->deleted = true; - - a = new AssignedAnalyzer(c); - - a->analyzer = analyzer; - a->cookie = cookie; - a->timeout = network_time + timeout; - a->deleted = false; - - expected_conns.Insert(key, a); - expected_conns_queue.push(a); - delete key; - } - -void DPM::Done() - { - // Clean up expected-connection table. - while ( expected_conns_queue.size() ) - { - AssignedAnalyzer* a = expected_conns_queue.top(); - if ( ! a->deleted ) - { - HashKey* key = BuildExpectedConnHashKey(a->conn); - expected_conns.Remove(key); - delete key; - } - - expected_conns_queue.pop(); - delete a; - } - } - diff --git a/src/DPM.h b/src/DPM.h deleted file mode 100644 index f59d21dbfc..0000000000 --- a/src/DPM.h +++ /dev/null 
@@ -1,131 +0,0 @@ -// The central management unit for dynamic analyzer selection. - -#ifndef DPM_H -#define DPM_H - -#include - -#include "Analyzer.h" -#include "Dict.h" -#include "net_util.h" - -// DPM debug logging, which includes the connection id into the message. -#ifdef DEBUG -# define DBG_DPD(conn, txt) \ - DBG_LOG(DBG_DPD, "%s " txt, \ - fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ - conn->RespAddr(), ntohs(conn->RespPort()))); -# define DBG_DPD_ARGS(conn, fmt, args...) \ - DBG_LOG(DBG_DPD, "%s " fmt, \ - fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ - conn->RespAddr(), ntohs(conn->RespPort())), ##args); -#else -# define DBG_DPD(conn, txt) -# define DBG_DPD_ARGS(conn, fmt, args...) -#endif - -// Map to assign expected connections to analyzers. -class ExpectedConn { -public: - ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, - uint16 _resp_p, uint16 _proto); - - ExpectedConn(const ExpectedConn& c); - - IPAddr orig; - IPAddr resp; - uint16 resp_p; - uint16 proto; -}; - -// Associates an analyzer for an expected future connection. -class AssignedAnalyzer { -public: - AssignedAnalyzer(const ExpectedConn& c) - : conn(c) - { - } - - ExpectedConn conn; - AnalyzerTag::Tag analyzer; - double timeout; - void* cookie; - bool deleted; - - static bool compare(const AssignedAnalyzer* a1, const AssignedAnalyzer* a2) - { return a1->timeout > a2->timeout; } -}; - -declare(PDict, AssignedAnalyzer); - -class DPM { -public: - DPM(); - ~DPM(); - - // Setup analyzer config. - void PreScriptInit(); // To be called before scripts are parsed ... - void PostScriptInit(); // ... and after. - - // Given info about the first packet, build initial analyzer tree. - // - // It would be more flexible if we simply pass in the IP header - // and then extract the information we need. However, when this - // method is called from the session management, protocol and ports - // have already been extracted there and it would be a waste to do - // it again. 
- // - // Returns 0 if we can't build a tree (e.g., because the necessary - // analyzers have not been converted to the DPM framework yet...) - - bool BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, - const u_char* data); - - // Schedules a particular analyzer for an upcoming connection. - // 0 acts as a wildcard for orig. (Cookie is currently unused. - // Eventually, we may pass it on to the analyzer). - void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, - TransportProto proto, AnalyzerTag::Tag analyzer, - double timeout, void* cookie); - - // Activates signature matching for protocol detection. (Called when an - // DPM signatures is found.) - void ActivateSigs() { sigs_activated = true; } - bool SigsActivated() const { return sigs_activated; } - - void Done(); - -private: - // Convert script-level config into internal data structures. - void AddConfig(const Analyzer::Config& tag); - - // Return analyzer if any has been scheduled with ExpectConnection() - // AnalyzerTag::::Error if none. - AnalyzerTag::Tag GetExpected(int proto, const Connection* conn); - - // Mappings of destination port to analyzer. - typedef list tag_list; - typedef map analyzer_map; - analyzer_map tcp_ports; - analyzer_map udp_ports; - - // Array of bools indicating whether an analyzer is activated, - // indexed by AnalyzerTag::Tag. - bool* active_analyzers; - - // True if signature-matching has been activated. - bool sigs_activated; - - PDict(AssignedAnalyzer) expected_conns; - - typedef priority_queue< - AssignedAnalyzer*, - vector, - bool (*)(const AssignedAnalyzer*, - const AssignedAnalyzer*)> conn_queue; - conn_queue expected_conns_queue; -}; - -extern DPM* dpm; - -#endif diff --git a/src/Event.cc b/src/Event.cc index 97f29000d6..678c61552c 100644 --- a/src/Event.cc +++ b/src/Event.cc 
@@ -13,7 +13,7 @@ int num_events_queued = 0; int num_events_dispatched = 0; Event::Event(EventHandlerPtr arg_handler, val_list* arg_args, - SourceID arg_src, AnalyzerID arg_aid, TimerMgr* arg_mgr, + SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr, BroObj* arg_obj) { handler = arg_handler; diff --git a/src/Event.h b/src/Event.h index e0ce7bf555..9d0a707cda 100644 --- a/src/Event.h +++ b/src/Event.h @@ -5,14 +5,16 @@ #include "EventRegistry.h" #include "Serializer.h" -#include "AnalyzerTags.h" + +#include "analyzer/Tag.h" +#include "analyzer/Analyzer.h" class EventMgr; class Event : public BroObj { public: Event(EventHandlerPtr handler, val_list* args, - SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0, + SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0); ~Event(); @@ -20,7 +22,7 @@ public: Event* NextEvent() const { return next_event; } SourceID Source() const { return src; } - AnalyzerID Analyzer() const { return aid; } + analyzer::ID Analyzer() const { return aid; } TimerMgr* Mgr() const { return mgr; } void Describe(ODesc* d) const; @@ -62,7 +64,7 @@ protected: EventHandlerPtr handler; val_list* args; SourceID src; - AnalyzerID aid; + analyzer::ID aid; TimerMgr* mgr; BroObj* obj; Event* next_event; @@ -77,7 +79,7 @@ public: ~EventMgr(); void QueueEvent(EventHandlerPtr h, val_list* vl, - SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0, + SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0) { if ( h ) @@ -105,7 +107,7 @@ public: // Returns the ID of the analyzer which raised the last event, or 0 if // non-analyzer event. - AnalyzerID CurrentAnalyzer() const { return current_aid; } + analyzer::ID CurrentAnalyzer() const { return current_aid; } // Returns the timer mgr associated with the last raised event. TimerMgr* CurrentTimerMgr() const { return current_mgr; } 
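Review bot: Event.h now includes `analyzer/Analyzer.h` as well as `analyzer/Tag.h`, although the only analyzer-related name the header uses in this hunk and in the later Event.h hunks is `analyzer::ID`. If `analyzer::ID` is declared in `analyzer/Tag.h` (cannot be confirmed from here), the heavier `#include "analyzer/Analyzer.h"` pulls the whole analyzer class into every translation unit that includes Event.h and can be dropped, leaving `#include "analyzer/Tag.h"` alone; if ID lives only in Analyzer.h, the Tag.h include is the redundant one. Either way a single include that names the actual dependency is easier to keep correct.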
@@ -124,7 +126,7 @@ protected:
 Event* head;
 Event* tail;
 SourceID current_src;
- AnalyzerID current_aid;
+ analyzer::ID current_aid;
 TimerMgr* current_mgr;
 RecordVal* src_val;
 bool draining;
diff --git a/src/EventLauncher.cc b/src/EventLauncher.cc
index 246c9dc8aa..cc32efe59e 100644
--- a/src/EventLauncher.cc
+++ b/src/EventLauncher.cc
@@ -1,6 +1,8 @@
 #include "Val.h"
-#include "Analyzer.h"
+#include "analyzer/Analyzer.h"
 #include "EventLauncher.h"
 #include "Event.h"
+#include "NetVar.h"
+#include "Conn.h"
 #include "event.bif.func_def"
diff --git a/src/FTP.cc b/src/FTP.cc
index 5e7a66e304..5430b9e754 100644
--- a/src/FTP.cc
+++ b/src/FTP.cc
@@ -12,7 +12,7 @@
 #include "Base64.h"
 FTP_Analyzer::FTP_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer(AnalyzerTag::FTP, conn)
+: TCP_ApplicationAnalyzer("FTP", conn)
 {
 pending_reply = 0;
@@ -176,7 +176,7 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 {
 // Don't know how to parse anything but the ADAT exchanges of GSI GSSAPI,
 // which is basically just TLS/SSL.
- if ( ! Parent()->GetTag() == AnalyzerTag::SSL )
+ if ( ! Parent()->IsAnalyzer("SSL") )
 {
 Parent()->Remove();
 return;
diff --git a/src/FTP.h b/src/FTP.h
index f8d7644808..849b18f50b 100644
--- a/src/FTP.h
+++ b/src/FTP.h
@@ -13,7 +13,7 @@ public:
 virtual void Done();
 virtual void DeliverStream(int len, const u_char* data, bool orig);
- static Analyzer* InstantiateAnalyzer(Connection* conn)
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 { return new FTP_Analyzer(conn); }
@@ -22,8 +22,6 @@ public:
 protected:
- FTP_Analyzer() {}
-
 NVT_Analyzer* nvt_orig;
 NVT_Analyzer* nvt_resp;
 uint32 pending_reply; // code associated with multi-line reply, or 0
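Review bot: The rewritten condition `if ( ! Parent()->IsAnalyzer("SSL") )` in the FTP.cc hunk changes behaviour, not just spelling: the old `! Parent()->GetTag() == AnalyzerTag::SSL` applied `!` to the tag before the comparison, so with a non-zero SSL tag the branch could never be taken and FTP_ADAT_Analyzer was never removed for a non-SSL parent. With this commit the `Parent()->Remove(); return;` path becomes reachable for the first time, which is a fix worth naming in the commit message and covering with a test that attaches FTP_ADAT to a non-SSL parent. DeliverStream's body continues outside the hunk.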
@@ -37,10 +35,10 @@ protected: * analyzer just decodes the tokens and passes them on to the parent, which must * be an SSL analyzer instance. */ -class FTP_ADAT_Analyzer : public SupportAnalyzer { +class FTP_ADAT_Analyzer : public analyzer::SupportAnalyzer { public: FTP_ADAT_Analyzer(Connection* conn, bool arg_orig) - : SupportAnalyzer(AnalyzerTag::FTP_ADAT, conn, arg_orig), + : SupportAnalyzer("FTP_ADAT", conn, arg_orig), first_token(true) { } void DeliverStream(int len, const u_char* data, bool orig); diff --git a/src/FileAnalyzer.cc b/src/FileAnalyzer.cc index 172f1aaa1d..9663d51260 100644 --- a/src/FileAnalyzer.cc +++ b/src/FileAnalyzer.cc @@ -8,7 +8,7 @@ magic_t File_Analyzer::magic = 0; magic_t File_Analyzer::magic_mime = 0; File_Analyzer::File_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::File, conn) +: TCP_ApplicationAnalyzer("FILE", conn) { buffer_len = 0; diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h index ac5c783e6b..6edda1646f 100644 --- a/src/FileAnalyzer.h +++ b/src/FileAnalyzer.h @@ -15,14 +15,12 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new File_Analyzer(conn); } static bool Available() { return file_transferred; } protected: - File_Analyzer() {} - void Identify(); static const int BUFFER_SIZE = 1024; diff --git a/src/Finger.cc b/src/Finger.cc index be0f3754b5..35809194d4 100644 --- a/src/Finger.cc +++ b/src/Finger.cc @@ -10,7 +10,7 @@ #include "ContentLine.h" Finger_Analyzer::Finger_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::Finger, conn) +: TCP_ApplicationAnalyzer("FINGER", conn) { did_deliver = 0; content_line_orig = new ContentLine_Analyzer(conn, true); diff --git a/src/Finger.h b/src/Finger.h index 3c61c4ad2a..5de0086dbc 100644 --- a/src/Finger.h +++ b/src/Finger.h 
@@ -16,7 +16,7 @@ public:
 // Line-based input.
 virtual void DeliverStream(int len, const u_char* data, bool orig);
- static Analyzer* InstantiateAnalyzer(Connection* conn)
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 { return new Finger_Analyzer(conn); }
 static bool Available() { return finger_request || finger_reply; }
diff --git a/src/Func.cc b/src/Func.cc
index 02f8dd4f29..cedf729301 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -548,12 +548,14 @@ void builtin_error(const char* msg, BroObj* arg)
 reporter->Error(msg, arg);
 }
+#include "analyzer.bif.func_h"
 #include "bro.bif.func_h"
 #include "logging.bif.func_h"
 #include "input.bif.func_h"
 #include "reporter.bif.func_h"
 #include "strings.bif.func_h"
+#include "analyzer.bif.func_def"
 #include "bro.bif.func_def"
 #include "logging.bif.func_def"
 #include "input.bif.func_def"
@@ -569,6 +571,7 @@ void init_builtin_funcs()
 var_sizes = internal_type("var_sizes")->AsTableType();
 gap_info = internal_type("gap_info")->AsRecordType();
+#include "analyzer.bif.func_init"
 #include "bro.bif.func_init"
 #include "logging.bif.func_init"
 #include "input.bif.func_init"
diff --git a/src/GTPv1.cc b/src/GTPv1.cc
index 68b6f30a0c..86a2615690 100644
--- a/src/GTPv1.cc
+++ b/src/GTPv1.cc
@@ -1,7 +1,7 @@
 #include "GTPv1.h"
 GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
-: Analyzer(AnalyzerTag::GTPv1, conn)
+: Analyzer("GTPV1", conn)
 {
 interp = new binpac::GTPv1::GTPv1_Conn(this);
 }
diff --git a/src/GTPv1.h b/src/GTPv1.h
index e111158833..e6c2066df0 100644
--- a/src/GTPv1.h
+++ b/src/GTPv1.h
@@ -3,7 +3,7 @@
 #include "gtpv1_pac.h"
-class GTPv1_Analyzer : public Analyzer {
+class GTPv1_Analyzer : public analyzer::Analyzer {
 public:
 GTPv1_Analyzer(Connection* conn);
 virtual ~GTPv1_Analyzer();
@@ -12,7 +12,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new GTPv1_Analyzer(conn); } static bool Available() diff --git a/src/Gnutella.cc b/src/Gnutella.cc index 6b5e901bc5..6c8d4ee3f6 100644 --- a/src/Gnutella.cc +++ b/src/Gnutella.cc @@ -30,7 +30,7 @@ GnutellaMsgState::GnutellaMsgState() Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::Gnutella, conn) +: TCP_ApplicationAnalyzer("GNUTELLA", conn) { state = 0; new_state = 0; @@ -131,13 +131,13 @@ int Gnutella_Analyzer::IsHTTP(string header) if ( HTTP_Analyzer::Available() ) { - Analyzer* a = new HTTP_Analyzer(Conn()); + analyzer::Analyzer* a = new HTTP_Analyzer(Conn()); Parent()->AddChildAnalyzer(a); - if ( Parent()->GetTag() == AnalyzerTag::TCP ) + if ( Parent()->IsAnalyzer("TCP") ) { // Replay buffered data. - PIA* pia = static_cast(Parent())->GetPIA(); + PIA* pia = static_cast(Parent())->GetPIA(); if ( pia ) static_cast(pia)->ReplayStreamBuffer(a); } diff --git a/src/Gnutella.h b/src/Gnutella.h index 455876462d..88a8bcb4c7 100644 --- a/src/Gnutella.h +++ b/src/Gnutella.h @@ -40,7 +40,7 @@ public: virtual void Done (); virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Gnutella_Analyzer(conn); } static bool Available() diff --git a/src/HTTP-binpac.cc b/src/HTTP-binpac.cc index 47b2c479ec..a23ef0043a 100644 --- a/src/HTTP-binpac.cc +++ b/src/HTTP-binpac.cc @@ -2,7 +2,7 @@ #include "TCP_Reassembler.h" HTTP_Analyzer_binpac::HTTP_Analyzer_binpac(Connection *c) -: TCP_ApplicationAnalyzer(AnalyzerTag::HTTP_BINPAC, c) +: TCP_ApplicationAnalyzer("HTTP_BINPAC", c) { interp = new binpac::HTTP::HTTP_Conn(this); } 
diff --git a/src/HTTP-binpac.h b/src/HTTP-binpac.h
index ef7cc7dd7d..8f0370afda 100644
--- a/src/HTTP-binpac.h
+++ b/src/HTTP-binpac.h
@@ -15,7 +15,7 @@ public:
 virtual void Undelivered(int seq, int len, bool orig);
 virtual void EndpointEOF(bool is_orig);
- static Analyzer* InstantiateAnalyzer(Connection* conn)
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 { return new HTTP_Analyzer_binpac(conn); }
 static bool Available()
diff --git a/src/HTTP.cc b/src/HTTP.cc
index 7e4079b853..5b49f8844e 100644
--- a/src/HTTP.cc
+++ b/src/HTTP.cc
@@ -161,7 +161,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF)
 DeliverBody(len, data, trailing_CRLF);
 }
-class HTTP_Entity::UncompressedOutput : public Analyzer::OutputHandler {
+class HTTP_Entity::UncompressedOutput : public analyzer::Analyzer::OutputHandler {
 public:
 UncompressedOutput(HTTP_Entity* e) { entity = e; }
 virtual ~UncompressedOutput() { }
@@ -787,7 +787,7 @@ void HTTP_Message::Weird(const char* msg)
 }
 HTTP_Analyzer::HTTP_Analyzer(Connection* conn)
- : TCP_ApplicationAnalyzer(AnalyzerTag::HTTP, conn)
+: TCP_ApplicationAnalyzer("HTTP", conn)
 {
 num_requests = num_replies = 0;
 num_request_lines = num_reply_lines = 0;
@@ -1736,7 +1736,7 @@ void escape_URI_char(unsigned char ch, unsigned char*& p)
 }
 BroString* unescape_URI(const u_char* line, const u_char* line_end,
- Analyzer* analyzer)
+ analyzer::Analyzer* analyzer)
 {
 byte_vec decoded_URI = new u_char[line_end - line + 1];
 byte_vec URI_p = decoded_URI;
diff --git a/src/HTTP.h b/src/HTTP.h
index c9d8ae55d1..e8746e9d52 100644
--- a/src/HTTP.h
+++ b/src/HTTP.h
@@ -174,7 +174,7 @@ public:
 virtual void ConnectionReset();
 virtual void PacketWithRST();
- static Analyzer* InstantiateAnalyzer(Connection* conn)
+ static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 { return new HTTP_Analyzer(conn); }
 static bool Available()
@@ -252,6 +252,6 @@ extern int is_reserved_URI_char(unsigned char ch); extern int is_unreserved_URI_char(unsigned char ch); extern void escape_URI_char(unsigned char ch, unsigned char*& p); extern BroString* unescape_URI(const u_char* line, const u_char* line_end, - Analyzer* analyzer); + analyzer::Analyzer* analyzer); #endif diff --git a/src/ICMP.cc b/src/ICMP.cc index 5634e3885f..538d25dfc3 100644 --- a/src/ICMP.cc +++ b/src/ICMP.cc @@ -8,19 +8,12 @@ #include "NetVar.h" #include "Event.h" #include "ICMP.h" +#include "Conn.h" #include ICMP_Analyzer::ICMP_Analyzer(Connection* c) -: TransportLayerAnalyzer(AnalyzerTag::ICMP, c) - { - icmp_conn_val = 0; - c->SetInactivityTimeout(icmp_inactivity_timeout); - request_len = reply_len = -1; - } - -ICMP_Analyzer::ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* c) -: TransportLayerAnalyzer(tag, c) +: TransportLayerAnalyzer("ICMP", c) { icmp_conn_val = 0; c->SetInactivityTimeout(icmp_inactivity_timeout); diff --git a/src/ICMP.h b/src/ICMP.h index 1e30b7ff54..fbf61f7993 100644 --- a/src/ICMP.h +++ b/src/ICMP.h @@ -3,7 +3,8 @@ #ifndef icmp_h #define icmp_h -#include "Analyzer.h" +#include "RuleMatcher.h" +#include "analyzer/Analyzer.h" typedef enum { ICMP_INACTIVE, // no packet seen 
@@ -12,20 +13,19 @@ typedef enum { // We do not have an PIA for ICMP (yet) and therefore derive from // RuleMatcherState to perform our own matching. -class ICMP_Analyzer : public TransportLayerAnalyzer { +class ICMP_Analyzer : public analyzer::TransportLayerAnalyzer { public: ICMP_Analyzer(Connection* conn); virtual void UpdateConnVal(RecordVal *conn_val); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ICMP_Analyzer(conn); } static bool Available() { return true; } protected: - ICMP_Analyzer() { } - ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* conn); + ICMP_Analyzer(analyzer::Tag tag, Connection* conn); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, diff --git a/src/IPAddr.cc b/src/IPAddr.cc index 51fb37c4d5..cc52de31ed 100644 --- a/src/IPAddr.cc +++ b/src/IPAddr.cc @@ -5,9 +5,10 @@ #include "IPAddr.h" #include "Reporter.h" #include "Conn.h" -#include "DPM.h" #include "bro_inet_ntop.h" +#include "analyzer/Manager.h" + const uint8_t IPAddr::v4_mapped_prefix[12] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff }; @@ -44,7 +45,7 @@ HashKey* BuildConnIDHashKey(const ConnID& id) return new HashKey(&key, sizeof(key)); } -HashKey* BuildExpectedConnHashKey(const ExpectedConn& c) +HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c) { struct { in6_addr orig; diff --git a/src/IPAddr.h b/src/IPAddr.h index 5ddee70fb8..e79f3aa0a9 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h @@ -14,7 +14,7 @@ #include "threading/SerialTypes.h" struct ConnID; -class ExpectedConn; +namespace analyzer { class ExpectedConn; } typedef in_addr in4_addr; 
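Review bot: The protected constructor `ICMP_Analyzer(analyzer::Tag tag, Connection* conn);` is still declared in this hunk, but the ICMP.cc hunk in the same commit deletes the tag-taking constructor's definition and leaves only the one-argument form, so unless a definition exists elsewhere this is a declaration with no body that fails at link time for any derived class or caller that uses it. Either drop the declaration here, or keep a definition `ICMP_Analyzer::ICMP_Analyzer(analyzer::Tag tag, Connection* c) : TransportLayerAnalyzer(tag, c) { ... }` in ICMP.cc that shares the `icmp_conn_val`/timeout/length initialization with the one-argument form. The class body continues past the end of this hunk.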
@@ -363,7 +363,7 @@ public: void ConvertToThreadingValue(threading::Value::addr_t* v) const; friend HashKey* BuildConnIDHashKey(const ConnID& id); - friend HashKey* BuildExpectedConnHashKey(const ExpectedConn& c); + friend HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c); unsigned int MemoryAllocation() const { return padded_sizeof(*this); } @@ -455,7 +455,7 @@ HashKey* BuildConnIDHashKey(const ConnID& id); /** * Returns a hash key for a given ExpectedConn instance. Passes ownership to caller. */ -HashKey* BuildExpectedConnHashKey(const ExpectedConn& c); +HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c); /** * Class storing both IPv4 and IPv6 prefixes diff --git a/src/IRC.cc b/src/IRC.cc index 1918300ba2..35156ccb40 100644 --- a/src/IRC.cc +++ b/src/IRC.cc @@ -2,15 +2,15 @@ #include #include "IRC.h" -#include "DPM.h" #include "ContentLine.h" #include "NetVar.h" #include "Event.h" #include "ZIP.h" +#include "analyzer/Manager.h" IRC_Analyzer::IRC_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::IRC, conn) +: TCP_ApplicationAnalyzer("IRC", conn) { invalid_msg_count = 0; invalid_msg_max_count = 20; diff --git a/src/IRC.h b/src/IRC.h index 0fe36957de..657532f5f1 100644 --- a/src/IRC.h +++ b/src/IRC.h @@ -30,7 +30,7 @@ public: */ virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new IRC_Analyzer(conn); } diff --git a/src/Ident.cc b/src/Ident.cc index b2e82e5f12..e9ba679b0b 100644 --- a/src/Ident.cc +++ b/src/Ident.cc @@ -9,7 +9,7 @@ #include "Event.h" Ident_Analyzer::Ident_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::Ident, conn) +: TCP_ApplicationAnalyzer("IDENT", conn) { did_bad_reply = did_deliver = 0; diff --git a/src/Ident.h b/src/Ident.h index a848d233e1..e0cf44f5a4 100644 --- a/src/Ident.h +++ b/src/Ident.h 
@@ -13,7 +13,7 @@ public: virtual void DeliverStream(int length, const u_char* data, bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Ident_Analyzer(conn); } static bool Available() diff --git a/src/InterConn.cc b/src/InterConn.cc index 403081181a..65e814a962 100644 --- a/src/InterConn.cc +++ b/src/InterConn.cc @@ -153,7 +153,7 @@ int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const } InterConn_Analyzer::InterConn_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::InterConn, c) +: TCP_ApplicationAnalyzer("INTERCONN", c) { orig_endp = resp_endp = 0; orig_stream_pos = resp_stream_pos = 1; diff --git a/src/InterConn.h b/src/InterConn.h index d9cd10de27..1abec4058b 100644 --- a/src/InterConn.h +++ b/src/InterConn.h @@ -47,7 +47,7 @@ public: virtual void Done(); void StatTimer(double t, int is_expire); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new InterConn_Analyzer(conn); } static bool Available() { return interconn_stats; } diff --git a/src/Login.cc b/src/Login.cc index e626fb3a0a..2eb4900692 100644 --- a/src/Login.cc +++ b/src/Login.cc @@ -20,8 +20,8 @@ static RE_Matcher* re_login_timeouts; static RE_Matcher* init_RE(ListVal* l); -Login_Analyzer::Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn) -: TCP_ApplicationAnalyzer(tag, conn) +Login_Analyzer::Login_Analyzer(const char* name, Connection* conn) +: TCP_ApplicationAnalyzer(name, conn) { state = LOGIN_STATE_AUTHENTICATE; num_user_lines_seen = lines_scanned = 0; diff --git a/src/Login.h b/src/Login.h index b186cc52d2..6337738e7d 100644 --- a/src/Login.h +++ b/src/Login.h 
@@ -21,7 +21,7 @@ typedef enum { class Login_Analyzer : public TCP_ApplicationAnalyzer { public: - Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn); + Login_Analyzer(const char* name, Connection* conn); ~Login_Analyzer(); virtual void DeliverStream(int len, const u_char* data, bool orig); diff --git a/src/MIME.cc b/src/MIME.cc index ce60e74b89..011857ee6e 100644 --- a/src/MIME.cc +++ b/src/MIME.cc @@ -966,7 +966,7 @@ TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist) return t; } -MIME_Mail::MIME_Mail(Analyzer* mail_analyzer, int buf_size) +MIME_Mail::MIME_Mail(analyzer::Analyzer* mail_analyzer, int buf_size) : MIME_Message(mail_analyzer) { analyzer = mail_analyzer; diff --git a/src/MIME.h b/src/MIME.h index 17ac7fde9f..3f8c3281fc 100644 --- a/src/MIME.h +++ b/src/MIME.h @@ -10,7 +10,7 @@ using namespace std; #include "Base64.h" #include "BroString.h" -#include "Analyzer.h" +#include "analyzer/Analyzer.h" // MIME: Multipurpose Internet Mail Extensions // Follows RFC 822 & 2822 (Internet Mail), 2045-2049 (MIME) @@ -178,7 +178,7 @@ protected: class MIME_Message { public: - MIME_Message(Analyzer* arg_analyzer) + MIME_Message(analyzer::Analyzer* arg_analyzer) { // Cannot initialize top_level entity because we do // not know its type yet (MIME_Entity / MIME_Mail / @@ -203,7 +203,7 @@ public: top_level->Deliver(len, data, trailing_CRLF); } - Analyzer* GetAnalyzer() const { return analyzer; } + analyzer::Analyzer* GetAnalyzer() const { return analyzer; } // Events generated by MIME_Entity virtual void BeginEntity(MIME_Entity*) = 0; @@ -215,7 +215,7 @@ public: virtual void SubmitEvent(int event_type, const char* detail) = 0; protected: - Analyzer* analyzer; + analyzer::Analyzer* analyzer; MIME_Entity* top_level; int finished; @@ -226,7 +226,7 @@ protected: class MIME_Mail : public MIME_Message { public: - MIME_Mail(Analyzer* mail_conn, int buf_size = 0); + MIME_Mail(analyzer::Analyzer* mail_conn, int buf_size = 0); ~MIME_Mail(); void Done(); 
diff --git a/src/Modbus.cc b/src/Modbus.cc index 278eb91e57..22772daea0 100644 --- a/src/Modbus.cc +++ b/src/Modbus.cc @@ -3,7 +3,7 @@ #include "TCP_Reassembler.h" ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c) - : TCP_ApplicationAnalyzer(AnalyzerTag::Modbus, c) + : TCP_ApplicationAnalyzer("MODBUS", c) { interp = new binpac::ModbusTCP::ModbusTCP_Conn(this); } diff --git a/src/Modbus.h b/src/Modbus.h index 5e3294d91c..84389b0554 100644 --- a/src/Modbus.h +++ b/src/Modbus.h @@ -15,7 +15,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ModbusTCP_Analyzer(conn); } // Put event names in this function diff --git a/src/NCP.cc b/src/NCP.cc index edd882747c..bdf484cad7 100644 --- a/src/NCP.cc +++ b/src/NCP.cc @@ -17,7 +17,7 @@ using namespace std; uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \ uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8)) -NCP_Session::NCP_Session(Analyzer* a) +NCP_Session::NCP_Session(analyzer::Analyzer* a) : analyzer(a) { req_frame_type = 0; @@ -150,7 +150,7 @@ void NCP_FrameBuffer::compute_msg_length() } Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* arg_session) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_NCP, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) { session = arg_session; resync = true; @@ -215,7 +215,7 @@ void Contents_NCP_Analyzer::Undelivered(int seq, int len, bool orig) } NCP_Analyzer::NCP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::NCP, conn) +: TCP_ApplicationAnalyzer("NCP", conn) { session = new NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); diff --git a/src/NCP.h b/src/NCP.h index 1e783ee3ab..833d030394 100644 --- a/src/NCP.h +++ b/src/NCP.h 
@@ -29,7 +29,7 @@ class NCP_Session { public: - NCP_Session(Analyzer* analyzer); + NCP_Session(analyzer::Analyzer* analyzer); virtual ~NCP_Session() {} virtual void Deliver(int is_orig, int len, const u_char* data); @@ -42,7 +42,7 @@ public: protected: void DeliverFrame(const binpac::NCP::ncp_frame* frame); - Analyzer* analyzer; + analyzer::Analyzer* analyzer; int req_frame_type; int req_func; }; @@ -102,7 +102,7 @@ public: NCP_Analyzer(Connection* conn); virtual ~NCP_Analyzer(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NCP_Analyzer(conn); } static bool Available() { return NCP_Session::any_ncp_event(); } diff --git a/src/NFS.cc b/src/NFS.cc index d64f7755a3..461ac44c4f 100644 --- a/src/NFS.cc +++ b/src/NFS.cc @@ -641,7 +641,7 @@ Val* NFS_Interp::ExtractBool(const u_char*& buf, int& n) NFS_Analyzer::NFS_Analyzer(Connection* conn) - : RPC_Analyzer(AnalyzerTag::NFS, conn, new NFS_Interp(this)) + : RPC_Analyzer("RPC", conn, new NFS_Interp(this)) { orig_rpc = resp_rpc = 0; } diff --git a/src/NFS.h b/src/NFS.h index 6a65143808..ecb89ff7bf 100644 --- a/src/NFS.h +++ b/src/NFS.h @@ -9,7 +9,7 @@ class NFS_Interp : public RPC_Interpreter { public: - NFS_Interp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); @@ -75,7 +75,7 @@ public: NFS_Analyzer(Connection* conn); virtual void Init(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NFS_Analyzer(conn); } static bool Available() diff --git a/src/NTP.cc b/src/NTP.cc index 60b7e6202d..729edee923 100644 --- a/src/NTP.cc +++ b/src/NTP.cc 
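Review bot: `NFS_Analyzer` now passes `"RPC"` to `RPC_Analyzer`, while the parallel change in Portmap.cc passes the analyzer's own name, `"PORTMAPPER"`, and every other constructor converted in this commit passes the concrete analyzer's name (`"IDENT"`, `"MODBUS"`, `"NCP"`). If that string is what the analyzer is registered and reported under, NFS connections would be attributed to a generic RPC analyzer and any NFS-specific enable/disable lookup by name would miss it; `: RPC_Analyzer("NFS", conn, new NFS_Interp(this))` looks like the intended line. If `"RPC"` is deliberate, a one-line comment on why NFS alone uses the base protocol's name would spare the next reader the same question.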
@@ -9,7 +9,7 @@ NTP_Analyzer::NTP_Analyzer(Connection* conn) - : Analyzer(AnalyzerTag::NTP, conn) + : Analyzer("NTP", conn) { ADD_ANALYZER_TIMER(&NTP_Analyzer::ExpireTimer, network_time + ntp_session_timeout, 1, diff --git a/src/NTP.h b/src/NTP.h index a22a7b231b..3ae44d4cf7 100644 --- a/src/NTP.h +++ b/src/NTP.h @@ -35,11 +35,11 @@ struct ntpdata { struct l_fixedpt xmt; }; -class NTP_Analyzer : public Analyzer { +class NTP_Analyzer : public analyzer::Analyzer { public: NTP_Analyzer(Connection* conn); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NTP_Analyzer(conn); } static bool Available() { return ntp_message; } diff --git a/src/NVT.cc b/src/NVT.cc index 5ba12ac32a..641ad211e4 100644 --- a/src/NVT.cc +++ b/src/NVT.cc @@ -360,7 +360,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */) NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig) -: ContentLine_Analyzer(AnalyzerTag::NVT, conn, orig) +: ContentLine_Analyzer("NVT", conn, orig) { peer = 0; is_suboption = last_was_IAC = pending_IAC = 0; diff --git a/src/NetVar.cc b/src/NetVar.cc index 248ae15e1a..97bf9fd559 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -208,7 +208,6 @@ TableType* irc_join_list; RecordType* irc_join_info; TableVal* irc_servers; -TableVal* dpd_config; int dpd_reassemble_first_packets; int dpd_buffer_size; int dpd_match_only_beginning; @@ -239,6 +238,7 @@ TableType* record_field_table; StringVal* cmd_line_bpf_filter; +#include "analyzer.bif.netvar_def" #include "const.bif.netvar_def" #include "types.bif.netvar_def" #include "event.bif.netvar_def" 
@@ -512,7 +512,6 @@ void init_net_var() opt_internal_double("remote_trace_sync_interval"); remote_trace_sync_peers = opt_internal_int("remote_trace_sync_peers"); - dpd_config = internal_val("dpd_config")->AsTableVal(); dpd_reassemble_first_packets = opt_internal_int("dpd_reassemble_first_packets"); dpd_buffer_size = opt_internal_int("dpd_buffer_size"); diff --git a/src/NetVar.h b/src/NetVar.h index 2561fa0ad9..6a1103ebb9 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -212,7 +212,6 @@ extern TableType* irc_join_list; extern RecordType* irc_join_info; extern TableVal* irc_servers; -extern TableVal* dpd_config; extern int dpd_reassemble_first_packets; extern int dpd_buffer_size; extern int dpd_match_only_beginning; @@ -249,6 +248,7 @@ extern void init_general_global_var(); extern void init_event_handlers(); extern void init_net_var(); +#include "analyzer.bif.netvar_h" #include "const.bif.netvar_h" #include "types.bif.netvar_h" #include "event.bif.netvar_h" diff --git a/src/NetbiosSSN.cc b/src/NetbiosSSN.cc index 362d974956..fd3a4f6111 100644 --- a/src/NetbiosSSN.cc +++ b/src/NetbiosSSN.cc @@ -43,7 +43,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len) } -NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(Analyzer* arg_analyzer, +NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(analyzer::Analyzer* arg_analyzer, SMB_Session* arg_smb_session) { analyzer = arg_analyzer; @@ -340,7 +340,7 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data, Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig, NetbiosSSN_Interpreter* arg_interp) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_NetbiosSSN, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) { interp = arg_interp; type = flags = msg_size = 0; 
@@ -455,7 +455,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) } NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::NetbiosSSN, conn) +: TCP_ApplicationAnalyzer("NETBIOS", conn) { smb_session = new SMB_Session(this); interp = new NetbiosSSN_Interpreter(this, smb_session); diff --git a/src/NetbiosSSN.h b/src/NetbiosSSN.h index 7c4dd91b90..c3851516a0 100644 --- a/src/NetbiosSSN.h +++ b/src/NetbiosSSN.h @@ -62,7 +62,7 @@ struct NetbiosDGM_RawMsgHdr { class NetbiosSSN_Interpreter { public: - NetbiosSSN_Interpreter(Analyzer* analyzer, SMB_Session* smb_session); + NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer, SMB_Session* smb_session); int ParseMessage(unsigned int type, unsigned int flags, const u_char* data, int len, int is_query); @@ -108,7 +108,7 @@ protected: u_char*& xname, int& xlen); protected: - Analyzer* analyzer; + analyzer::Analyzer* analyzer; SMB_Session* smb_session; }; @@ -157,7 +157,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NetbiosSSN_Analyzer(conn); } static bool Available() diff --git a/src/PIA.cc b/src/PIA.cc index 9adb4ccab3..f2eb633cd4 100644 --- a/src/PIA.cc +++ b/src/PIA.cc @@ -2,7 +2,7 @@ #include "RuleMatcher.h" #include "TCP_Reassembler.h" -PIA::PIA(Analyzer* arg_as_analyzer) +PIA::PIA(analyzer::Analyzer* arg_as_analyzer) { current_packet.data = 0; as_analyzer = arg_as_analyzer; @@ -61,7 +61,7 @@ void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig) AddToBuffer(buffer, -1, len, data, is_orig); } -void PIA::ReplayPacketBuffer(Analyzer* analyzer) +void PIA::ReplayPacketBuffer(analyzer::Analyzer* analyzer) { DBG_LOG(DBG_DPD, "PIA replaying %d total packet bytes", pkt_buffer.size); 
@@ -129,7 +129,7 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol, bol, eol, clear_state); } -void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) +void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) { if ( pkt_buffer.state == MATCHING_ONLY ) { @@ -142,14 +142,14 @@ void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) if ( Parent()->HasChildAnalyzer(tag) ) return; - Analyzer* a = Parent()->AddChildAnalyzer(tag); + analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); a->SetSignature(rule); if ( a ) ReplayPacketBuffer(a); } -void PIA_UDP::DeactivateAnalyzer(AnalyzerTag::Tag tag) +void PIA_UDP::DeactivateAnalyzer(analyzer::Tag tag) { reporter->InternalError("PIA_UDP::Deact not implemented yet"); } @@ -165,7 +165,7 @@ void PIA_TCP::Init() { TCP_ApplicationAnalyzer::Init(); - if ( Parent()->GetTag() == AnalyzerTag::TCP ) + if ( Parent()->IsAnalyzer("TCP") ) { TCP_Analyzer* tcp = static_cast(Parent()); SetTCP(tcp); @@ -262,7 +262,7 @@ void PIA_TCP::Undelivered(int seq, int len, bool is_orig) // No check for buffer overrun here. I think that's ok. } -void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) +void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) { if ( stream_buffer.state == MATCHING_ONLY ) { @@ -275,7 +275,7 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) if ( Parent()->HasChildAnalyzer(tag) ) return; - Analyzer* a = Parent()->AddChildAnalyzer(tag); + analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); a->SetSignature(rule); // We have two cases here: 
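Review bot: In `PIA_UDP::ActivateAnalyzer` the new line `analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);` is immediately followed by `a->SetSignature(rule);` and only then by `if ( a ) ReplayPacketBuffer(a);`, so the null check arrives after the dereference it would need to protect; the `PIA_TCP::ActivateAnalyzer` hunk at `@@ -275` has the same `AddChildAnalyzer` then `a->SetSignature(rule)` order. Either `AddChildAnalyzer` can return null, in which case the guard belongs directly after the assignment — `if ( ! a ) return;` then `a->SetSignature(rule);` — or it cannot, in which case the later `if ( a )` is dead and should go. Both functions begin outside their hunks, and `PIA_TCP::ActivateAnalyzer` continues past the end of its hunk.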
@@ -305,13 +305,13 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) // (4) We hand the two reassemblers to the TCP Analyzer (our parent), // turning reassembly now on for all subsequent data. - DBG_LOG(DBG_DPD, "DPM_TCP switching from packet-mode to stream-mode"); + DBG_LOG(DBG_DPD, "PIA_TCP switching from packet-mode to stream-mode"); stream_mode = true; // FIXME: The reassembler will query the endpoint for state. Not sure // if this is works in all cases... - if ( Parent()->GetTag() != AnalyzerTag::TCP ) + if ( ! Parent()->IsAnalyzer("TCP") ) { // Our parent is not the TCP analyzer, which can only mean // we have been inserted somewhere further down in the @@ -371,12 +371,12 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) tcp->SetReassembler(reass_orig, reass_resp); } -void PIA_TCP::DeactivateAnalyzer(AnalyzerTag::Tag tag) +void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag) { reporter->InternalError("PIA_TCP::Deact not implemented yet"); } -void PIA_TCP::ReplayStreamBuffer(Analyzer* analyzer) +void PIA_TCP::ReplayStreamBuffer(analyzer::Analyzer* analyzer) { DBG_LOG(DBG_DPD, "PIA_TCP replaying %d total stream bytes", stream_buffer.size); diff --git a/src/PIA.h b/src/PIA.h index 907350bbdf..d0521a6885 100644 --- a/src/PIA.h +++ b/src/PIA.h @@ -3,7 +3,7 @@ #ifndef PIA_H #define PIA_H -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "TCP.h" class RuleEndpointState; 
@@ -17,25 +17,25 @@ class RuleEndpointState; // PIAs and then each needs its own matching-state. class PIA : public RuleMatcherState { public: - PIA(Analyzer* as_analyzer); + PIA(analyzer::Analyzer* as_analyzer); virtual ~PIA(); // Called when PIA wants to put an Analyzer in charge. rule is the // signature that triggered the activitation, if any. - virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, + virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule = 0) = 0; // Called when PIA wants to remove an Analyzer. - virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag) = 0; + virtual void DeactivateAnalyzer(analyzer::Tag tag) = 0; void Match(Rule::PatternType type, const u_char* data, int len, bool is_orig, bool bol, bool eol, bool clear_state); - void ReplayPacketBuffer(Analyzer* analyzer); + void ReplayPacketBuffer(analyzer::Analyzer* analyzer); // Children are also derived from Analyzer. Return this object // as pointer to an Analyzer. - Analyzer* AsAnalyzer() { return as_analyzer; } + analyzer::Analyzer* AsAnalyzer() { return as_analyzer; } static bool Available() { return true; } @@ -81,20 +81,20 @@ protected: Buffer pkt_buffer; private: - Analyzer* as_analyzer; + analyzer::Analyzer* as_analyzer; Connection* conn; DataBlock current_packet; }; // PIA for UDP. -class PIA_UDP : public PIA, public Analyzer { +class PIA_UDP : public PIA, public analyzer::Analyzer { public: PIA_UDP(Connection* conn) - : PIA(this), Analyzer(AnalyzerTag::PIA_UDP, conn) + : PIA(this), Analyzer("PIA_UDP", conn) { SetConn(conn); } virtual ~PIA_UDP() { } - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new PIA_UDP(conn); } protected: 
@@ -111,8 +111,8 @@ protected: PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen); } - virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule); - virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag); + virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule); + virtual void DeactivateAnalyzer(analyzer::Tag tag); }; // PIA for TCP. Accepts both packet and stream input (and reassembles @@ -120,7 +120,7 @@ protected: class PIA_TCP : public PIA, public TCP_ApplicationAnalyzer { public: PIA_TCP(Connection* conn) - : PIA(this), TCP_ApplicationAnalyzer(AnalyzerTag::PIA_TCP, conn) + : PIA(this), TCP_ApplicationAnalyzer("PIA_TCP", conn) { stream_mode = false; SetConn(conn); } virtual ~PIA_TCP(); @@ -137,9 +137,9 @@ public: // to be unnecessary overhead.) void FirstPacket(bool is_orig, const IP_Hdr* ip); - void ReplayStreamBuffer(Analyzer* analyzer); + void ReplayStreamBuffer(analyzer::Analyzer* analyzer); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new PIA_TCP(conn); } protected: @@ -159,9 +159,9 @@ protected: virtual void DeliverStream(int len, const u_char* data, bool is_orig); virtual void Undelivered(int seq, int len, bool is_orig); - virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, + virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule = 0); - virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag); + virtual void DeactivateAnalyzer(analyzer::Tag tag); private: // FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer. diff --git a/src/POP3.cc b/src/POP3.cc index 3075e76507..697dc0434e 100644 --- a/src/POP3.cc +++ b/src/POP3.cc @@ -26,7 +26,7 @@ static const char* pop3_cmd_word[] = { POP3_Analyzer::POP3_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::POP3, conn) +: TCP_ApplicationAnalyzer("POP3", conn) { masterState = POP3_START; subState = POP3_WOK; 
diff --git a/src/POP3.h b/src/POP3.h index 8d09d5e686..bab2737fca 100644 --- a/src/POP3.h +++ b/src/POP3.h @@ -68,7 +68,7 @@ public: virtual void Done(); virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new POP3_Analyzer(conn); } diff --git a/src/Portmap.cc b/src/Portmap.cc index dd1049a361..9bebd0f8a6 100644 --- a/src/Portmap.cc +++ b/src/Portmap.cc @@ -300,7 +300,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu } Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn) -: RPC_Analyzer(AnalyzerTag::Portmapper, conn, new PortmapperInterp(this)) +: RPC_Analyzer("PORTMAPPER", conn, new PortmapperInterp(this)) { orig_rpc = resp_rpc = 0; } diff --git a/src/Portmap.h b/src/Portmap.h index 62e954bc80..1a98537153 100644 --- a/src/Portmap.h +++ b/src/Portmap.h @@ -7,7 +7,7 @@ class PortmapperInterp : public RPC_Interpreter { public: - PortmapperInterp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); @@ -29,7 +29,7 @@ public: virtual ~Portmapper_Analyzer(); virtual void Init(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Portmapper_Analyzer(conn); } static bool Available() diff --git a/src/RPC.cc b/src/RPC.cc index 81fd6709b1..2dd11c215e 100644 --- a/src/RPC.cc +++ b/src/RPC.cc @@ -66,7 +66,7 @@ void rpc_callinfo_delete_func(void* v) delete (RPC_CallInfo*) v; } -RPC_Interpreter::RPC_Interpreter(Analyzer* arg_analyzer) +RPC_Interpreter::RPC_Interpreter(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; calls.SetDeleteFunc(rpc_callinfo_delete_func); 
@@ -373,7 +373,7 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len) Contents_RPC::Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* arg_interp) - : TCP_SupportAnalyzer(AnalyzerTag::Contents_RPC, conn, orig) + : TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) { interp = arg_interp; state = WAIT_FOR_MESSAGE; @@ -673,9 +673,9 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) } // end while } -RPC_Analyzer::RPC_Analyzer(AnalyzerTag::Tag tag, Connection* conn, +RPC_Analyzer::RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp) -: TCP_ApplicationAnalyzer(tag, conn) +: TCP_ApplicationAnalyzer(name, conn) { interp = arg_interp; diff --git a/src/RPC.h b/src/RPC.h index 0eee423460..960b9c744a 100644 --- a/src/RPC.h +++ b/src/RPC.h @@ -92,7 +92,7 @@ declare(PDict,RPC_CallInfo); class RPC_Interpreter { public: - RPC_Interpreter(Analyzer* analyzer); + RPC_Interpreter(analyzer::Analyzer* analyzer); virtual ~RPC_Interpreter(); // Delivers the given RPC. Returns true if "len" bytes were @@ -115,7 +115,7 @@ protected: void Weird(const char* name); PDict(RPC_CallInfo) calls; - Analyzer* analyzer; + analyzer::Analyzer* analyzer; }; @@ -224,7 +224,7 @@ protected: class RPC_Analyzer : public TCP_ApplicationAnalyzer { public: - RPC_Analyzer(AnalyzerTag::Tag tag, Connection* conn, + RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp); virtual ~RPC_Analyzer(); diff --git a/src/RSH.cc b/src/RSH.cc index ceef3ba7a4..09d403fe59 100644 --- a/src/RSH.cc +++ b/src/RSH.cc @@ -11,7 +11,7 @@ Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* arg_analyzer) -: ContentLine_Analyzer(AnalyzerTag::Contents_Rsh, conn, orig) +: ContentLine_Analyzer("CONTENTS_RSH", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; 
@@ -138,7 +138,7 @@ void Contents_Rsh_Analyzer::BadProlog() } Rsh_Analyzer::Rsh_Analyzer(Connection* conn) -: Login_Analyzer(AnalyzerTag::Rsh, conn) +: Login_Analyzer("RSH", conn) { contents_orig = new Contents_Rsh_Analyzer(conn, true, this); contents_resp = new Contents_Rsh_Analyzer(conn, false, this); diff --git a/src/RSH.h b/src/RSH.h index 136d0b07f1..31e5fe683f 100644 --- a/src/RSH.h +++ b/src/RSH.h @@ -47,7 +47,7 @@ public: void ClientUserName(const char* s); void ServerUserName(const char* s); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Rsh_Analyzer(conn); } static bool Available() diff --git a/src/Rlogin.cc b/src/Rlogin.cc index 1ad3f16d7e..b09e24d2cb 100644 --- a/src/Rlogin.cc +++ b/src/Rlogin.cc @@ -8,7 +8,7 @@ Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer) -: ContentLine_Analyzer(AnalyzerTag::Contents_Rlogin, conn, orig) +: ContentLine_Analyzer("CONTENTLINE", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; @@ -204,7 +204,7 @@ void Contents_Rlogin_Analyzer::BadProlog() Rlogin_Analyzer::Rlogin_Analyzer(Connection* conn) -: Login_Analyzer(AnalyzerTag::Rlogin, conn) +: Login_Analyzer("RLOGIN", conn) { Contents_Rlogin_Analyzer* orig = new Contents_Rlogin_Analyzer(conn, true, this); diff --git a/src/Rlogin.h b/src/Rlogin.h index f8ad480630..04486e4262 100644 --- a/src/Rlogin.h +++ b/src/Rlogin.h @@ -60,7 +60,7 @@ public: void ServerUserName(const char* s); void TerminalType(const char* s); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Rlogin_Analyzer(conn); } static bool Available() diff --git a/src/RuleAction.cc b/src/RuleAction.cc index bf90c0681e..808bead3d8 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc 
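Review bot: `Contents_Rlogin_Analyzer` now passes `"CONTENTLINE"` as its name, whereas the removed line carried the analyzer-specific tag `AnalyzerTag::Contents_Rlogin` and the sibling support analyzers converted in this commit keep theirs (`"CONTENTS_RSH"` in RSH.cc, `"CONTENTS_NETBIOSSSN"` in NetbiosSSN.cc, `"CONTENTS_RPC"` in RPC.cc). Presumably the analyzer's own name was meant, `: ContentLine_Analyzer("CONTENTS_RLOGIN", conn, orig)`; if reusing the generic ContentLine name is intentional, a short comment saying so would keep a later cleanup from "fixing" it.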
@@ -8,9 +8,10 @@ using std::string; #include "Conn.h" #include "Event.h" #include "NetVar.h" -#include "DPM.h" #include "PIA.h" +#include "analyzer/Manager.h" + void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { @@ -34,42 +35,42 @@ void RuleActionEvent::PrintDebug() fprintf(stderr, " RuleActionEvent: |%s|\n", msg); } -RuleActionDPM::RuleActionDPM(const char* arg_analyzer) +RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer) { string str(arg_analyzer); string::size_type pos = str.find(':'); string arg = str.substr(0, pos); - analyzer = Analyzer::GetTag(arg.c_str()); + analyzer = analyzer_mgr->GetAnalyzerTag(arg); if ( pos != string::npos ) { arg = str.substr(pos + 1); - child_analyzer = Analyzer::GetTag(arg.c_str()); + child_analyzer = analyzer_mgr->GetAnalyzerTag(arg); } else - child_analyzer = AnalyzerTag::Error; + child_analyzer = analyzer::Tag::ERROR; - if ( analyzer != AnalyzerTag::Error ) - dpm->ActivateSigs(); + if ( analyzer != analyzer::Tag::ERROR ) + analyzer_mgr->ActivateSigs(); } -void RuleActionDPM::PrintDebug() +void RuleActionAnalyzer::PrintDebug() { - if ( child_analyzer == AnalyzerTag::Error ) - fprintf(stderr, "|%s|\n", Analyzer::GetTagName(analyzer)); + if ( child_analyzer == analyzer::Tag::ERROR ) + fprintf(stderr, "|%s|\n", analyzer_mgr->GetAnalyzerName(analyzer).c_str()); else fprintf(stderr, "|%s:%s|\n", - Analyzer::GetTagName(analyzer), - Analyzer::GetTagName(child_analyzer)); + analyzer_mgr->GetAnalyzerName(analyzer).c_str(), + analyzer_mgr->GetAnalyzerName(child_analyzer).c_str()); } void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { - if ( ChildAnalyzer() == AnalyzerTag::Error ) + if ( ChildAnalyzer() == analyzer::Tag::ERROR ) { - if ( ! Analyzer::IsAvailable(Analyzer()) ) + if ( ! analyzer_mgr->IsEnabled(Analyzer()) ) return; if ( state->PIA() ) 
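Review bot: `RuleActionAnalyzer::RuleActionAnalyzer` maps an unrecognized analyzer name to `analyzer::Tag::ERROR` and carries on silently, so a signature whose enable/disable action names an analyzer that does not exist (a typo, for instance) is accepted and then never activates anything, which quietly removes detection the operator believes is in place. A diagnostic at the point of lookup would make that visible: `if ( analyzer == analyzer::Tag::ERROR ) reporter->Warning("unknown analyzer '%s' in signature action", arg.c_str());` (assuming `reporter` is reachable from this translation unit), with the same check after the child-analyzer lookup. Separately, `Analyzer::IsAvailable` in `RuleActionEnable::DoAction` became `analyzer_mgr->IsEnabled`; if those two predicates do not mean the same thing, that is a behavior change the commit message should call out.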
@@ -77,7 +78,7 @@ void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state, } else { - if ( ! Analyzer::IsAvailable(ChildAnalyzer()) ) + if ( ! analyzer_mgr->IsEnabled(ChildAnalyzer()) ) return; // This is ugly and works only if there exists only one @@ -90,13 +91,13 @@ void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state, void RuleActionEnable::PrintDebug() { fprintf(stderr, " RuleActionEnable: "); - RuleActionDPM::PrintDebug(); + RuleActionAnalyzer::PrintDebug(); } void RuleActionDisable::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { - if ( ChildAnalyzer() == AnalyzerTag::Error ) + if ( ChildAnalyzer() == analyzer::Tag::ERROR ) { if ( state->PIA() ) state->PIA()->DeactivateAnalyzer(Analyzer()); @@ -109,5 +110,5 @@ void RuleActionDisable::DoAction(const Rule* parent, RuleEndpointState* state, void RuleActionDisable::PrintDebug() { fprintf(stderr, " RuleActionDisable: "); - RuleActionDPM::PrintDebug(); + RuleActionAnalyzer::PrintDebug(); } diff --git a/src/RuleAction.h b/src/RuleAction.h index a9feb0c314..f4c2ae4cfa 100644 --- a/src/RuleAction.h +++ b/src/RuleAction.h @@ -1,11 +1,12 @@ #ifndef ruleaction_h #define ruleaction_h -#include "AnalyzerTags.h" #include "BroString.h" #include "List.h" #include "util.h" +#include "analyzer/tag.h" + class Rule; class RuleEndpointState; 
@@ -35,29 +36,29 @@ private: const char* msg; }; -// Base class for DPM enable/disable actions. -class RuleActionDPM : public RuleAction { +// Base class for enable/disable actions. +class RuleActionAnalyzer : public RuleAction { public: - RuleActionDPM(const char* analyzer); + RuleActionAnalyzer(const char* analyzer); virtual void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) = 0; virtual void PrintDebug(); - AnalyzerTag::Tag Analyzer() const { return analyzer; } - AnalyzerTag::Tag ChildAnalyzer() const { return child_analyzer; } + analyzer::Tag Analyzer() const { return analyzer; } + analyzer::Tag ChildAnalyzer() const { return child_analyzer; } private: - // FIXME: This is in fact an AnalyzerID but we can't include "Analyzer.h" + // FIXME: This is in fact an analyzer::ID but we can't include "analyzer/Analyzer.h" // at this point due to circular dependenides. Fix that! - AnalyzerTag::Tag analyzer; - AnalyzerTag::Tag child_analyzer; + analyzer::Tag analyzer; + analyzer::Tag child_analyzer; }; -class RuleActionEnable : public RuleActionDPM { +class RuleActionEnable : public RuleActionAnalyzer { public: - RuleActionEnable(const char* analyzer) : RuleActionDPM(analyzer) {} + RuleActionEnable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} virtual void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len); @@ -65,9 +66,9 @@ public: virtual void PrintDebug(); }; -class RuleActionDisable : public RuleActionDPM { +class RuleActionDisable : public RuleActionAnalyzer { public: - RuleActionDisable(const char* analyzer) : RuleActionDPM(analyzer) {} + RuleActionDisable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} virtual void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len); diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index 410f6a1b3e..b31976711c 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc 
@@ -18,9 +18,9 @@ static inline bool is_established(const TCP_Endpoint* e) bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state, const u_char* data, int len) { - Analyzer* root = state->GetAnalyzer()->Conn()->GetRootAnalyzer(); + analyzer::Analyzer* root = state->GetAnalyzer()->Conn()->GetRootAnalyzer(); - if ( ! root || root->GetTag() != AnalyzerTag::TCP ) + if ( ! root || ! root->IsAnalyzer("TCP") ) return false; TCP_Analyzer* ta = static_cast(root); diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index c71f86108a..4c69576524 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -3,7 +3,7 @@ #include "config.h" -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "RuleMatcher.h" #include "DFA.h" #include "NetVar.h" @@ -159,7 +159,7 @@ void RuleHdrTest::PrintDebug() fprintf(stderr, "\n"); } -RuleEndpointState::RuleEndpointState(Analyzer* arg_analyzer, bool arg_is_orig, +RuleEndpointState::RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, RuleEndpointState* arg_opposite, ::PIA* arg_PIA) { @@ -562,7 +562,7 @@ static inline bool compare(const vector& prefixes, const IPAddr& a, return false; } -RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer, +RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, RuleEndpointState* opposite, bool from_orig, PIA* pia) @@ -1300,7 +1300,7 @@ uint32 id_to_uint(const char* id) return 0; } -void RuleMatcherState::InitEndpointMatcher(Analyzer* analyzer, const IP_Hdr* ip, +void RuleMatcherState::InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, bool from_orig, PIA* pia) { if ( ! rule_matcher ) diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index b8895513b4..1b2756594d 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h 
@@ -35,7 +35,7 @@ extern const char* current_rule_file; class RuleMatcher; extern RuleMatcher* rule_matcher; -class Analyzer; +namespace analyzer { class Analyzer; } class PIA; // RuleHdrTest and associated things: @@ -140,7 +140,7 @@ class RuleEndpointState { public: ~RuleEndpointState(); - Analyzer* GetAnalyzer() const { return analyzer; } + analyzer::Analyzer* GetAnalyzer() const { return analyzer; } bool IsOrig() { return is_orig; } // For flipping roles. @@ -159,7 +159,7 @@ private: // Constructor is private; use RuleMatcher::InitEndpoint() // for creating an instance. - RuleEndpointState(Analyzer* arg_analyzer, bool arg_is_orig, + RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, RuleEndpointState* arg_opposite, ::PIA* arg_PIA); struct Matcher { @@ -171,7 +171,7 @@ private: typedef PList(Matcher) matcher_list; bool is_orig; - Analyzer* analyzer; + analyzer::Analyzer* analyzer; RuleEndpointState* opposite; ::PIA* pia; @@ -207,7 +207,7 @@ public: // the given packet (which should be the first packet encountered for // this endpoint). If the matching is triggered by an PIA, a pointer to // it needs to be given. - RuleEndpointState* InitEndpoint(Analyzer* analyzer, const IP_Hdr* ip, + RuleEndpointState* InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, RuleEndpointState* opposite, bool is_orig, PIA* pia); // Finish matching for this stream. @@ -310,7 +310,7 @@ public: { delete orig_match_state; delete resp_match_state; } // ip may be nil. - void InitEndpointMatcher(Analyzer* analyzer, const IP_Hdr* ip, + void InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, bool from_orig, PIA* pia = 0); // bol/eol should be set to false for type Rule::PAYLOAD; they're diff --git a/src/SMB.cc b/src/SMB.cc index a06707328a..24cbf2dc1a 100644 --- a/src/SMB.cc +++ b/src/SMB.cc 
@@ -93,7 +93,7 @@ static int lookup_IPC_name(BroString* name) return IPC_NONE; } -SMB_Session::SMB_Session(Analyzer* arg_analyzer) +SMB_Session::SMB_Session(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; dce_rpc_session = 0; @@ -1104,7 +1104,7 @@ bool SMB_Session::CheckRPC(int is_orig, int data_count, const u_char *data) } Contents_SMB::Contents_SMB(Connection* conn, bool orig, SMB_Session* s) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_SMB, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_SMB", conn, orig) { smb_session = s; msg_buf = 0; @@ -1221,7 +1221,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig) } SMB_Analyzer::SMB_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::SMB, conn) +: TCP_ApplicationAnalyzer("SMB", conn) { smb_session = new SMB_Session(this); o_smb = new Contents_SMB(conn, true, smb_session); diff --git a/src/SMB.h b/src/SMB.h index f7287efb79..23af04720e 100644 --- a/src/SMB.h +++ b/src/SMB.h @@ -39,7 +39,7 @@ protected: class SMB_Session { public: - SMB_Session(Analyzer* analyzer); + SMB_Session(analyzer::Analyzer* analyzer); ~SMB_Session(); void Deliver(int is_orig, int len, const u_char* msg); @@ -158,7 +158,7 @@ protected: Val* BuildTransactionVal(binpac::SMB::SMB_transaction_response const &trans); Val* BuildTransactionDataVal(binpac::SMB::SMB_transaction_data* data); - Analyzer* analyzer; + analyzer::Analyzer* analyzer; DCE_RPC_Session* dce_rpc_session; enum IPC_named_pipe IPC_pipe; int is_IPC; @@ -195,7 +195,7 @@ public: SMB_Analyzer(Connection* conn); ~SMB_Analyzer(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SMB_Analyzer(conn); } static bool Available() diff --git a/src/SMTP.cc b/src/SMTP.cc index 85a3bc79dc..16be4480dc 100644 --- a/src/SMTP.cc +++ b/src/SMTP.cc 
@@ -21,7 +21,7 @@ static const char* smtp_cmd_word[] = { SMTP_Analyzer::SMTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::SMTP, conn) +: TCP_ApplicationAnalyzer("SMTP", conn) { expect_sender = 0; expect_recver = 1; diff --git a/src/SMTP.h b/src/SMTP.h index 5b15dc44c0..563b99cc32 100644 --- a/src/SMTP.h +++ b/src/SMTP.h @@ -47,7 +47,7 @@ public: void SkipData() { skip_data = 1; } // skip delivery of data lines - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SMTP_Analyzer(conn); } diff --git a/src/SOCKS.cc b/src/SOCKS.cc index 4a6eda7043..0157c19cd7 100644 --- a/src/SOCKS.cc +++ b/src/SOCKS.cc @@ -3,7 +3,7 @@ #include "TCP_Reassembler.h" SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::SOCKS, conn) +: TCP_ApplicationAnalyzer("SOCKS", conn) { interp = new binpac::SOCKS::SOCKS_Conn(this); orig_done = resp_done = false; diff --git a/src/SOCKS.h b/src/SOCKS.h index 9753abb660..9557dc761d 100644 --- a/src/SOCKS.h +++ b/src/SOCKS.h @@ -25,7 +25,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SOCKS_Analyzer(conn); } static bool Available() diff --git a/src/SSH.cc b/src/SSH.cc index 3a8f468ae4..0bb710ac2f 100644 --- a/src/SSH.cc +++ b/src/SSH.cc @@ -10,7 +10,7 @@ #include "ContentLine.h" SSH_Analyzer::SSH_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::SSH, c) +: TCP_ApplicationAnalyzer("SSH", c) { orig = new ContentLine_Analyzer(c, true); orig->SetSkipPartial(true); diff --git a/src/SSH.h b/src/SSH.h index ccdcd76929..0d3fa4d6e6 100644 --- a/src/SSH.h +++ b/src/SSH.h 
@@ -12,7 +12,7 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SSH_Analyzer(conn); } static bool Available() diff --git a/src/SSL.cc b/src/SSL.cc index 4658bbbc16..7dd2e0525a 100644 --- a/src/SSL.cc +++ b/src/SSL.cc @@ -4,7 +4,7 @@ #include "util.h" SSL_Analyzer::SSL_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::SSL, c) +: TCP_ApplicationAnalyzer("SSL", c) { interp = new binpac::SSL::SSL_Conn(this); had_gap = false; diff --git a/src/SSL.h b/src/SSL.h index d0ef164877..ee2148450f 100644 --- a/src/SSL.h +++ b/src/SSL.h @@ -17,7 +17,7 @@ public: // Overriden from TCP_ApplicationAnalyzer. virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SSL_Analyzer(conn); } static bool Available() diff --git a/src/Sessions.cc b/src/Sessions.cc index 2e5a6ded30..f18d12ef90 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -27,11 +27,12 @@ #include "InterConn.h" #include "Discard.h" #include "RuleMatcher.h" -#include "DPM.h" #include "PacketSort.h" #include "TunnelEncapsulation.h" +#include "analyzer/Manager.h" + // These represent NetBIOS services on ephemeral ports. They're numbered // so that we can use a single int to hold either an actual TCP/UDP server // port or one of these. @@ -967,7 +968,7 @@ void NetSessions::Remove(Connection* c) TCP_Analyzer* ta = (TCP_Analyzer*) c->GetRootAnalyzer(); if ( ta && c->ConnTransport() == TRANSPORT_TCP ) { - assert(ta->GetTag() == AnalyzerTag::TCP); + assert(ta->IsAnalyzer("TCP")); TCP_Endpoint* to = ta->Orig(); TCP_Endpoint* tr = ta->Resp(); 
@@ -1178,7 +1179,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, Connection* conn = new Connection(this, k, t, id, flow_label, encapsulation); conn->SetTransport(tproto); - dpm->BuildInitialAnalyzerTree(tproto, conn, data); + analyzer_mgr->BuildInitialAnalyzerTree(tproto, conn, data); bool external = conn->IsExternal(); diff --git a/src/SteppingStone.cc b/src/SteppingStone.cc index 32850d82c6..1809b4abef 100644 --- a/src/SteppingStone.cc +++ b/src/SteppingStone.cc @@ -157,7 +157,7 @@ void SteppingStoneEndpoint::CreateEndpEvent(int is_orig) } SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::SteppingStone, c) +: TCP_ApplicationAnalyzer("STEPPINGSTONE", c) { stp_manager = sessions->GetSTPManager(); diff --git a/src/SteppingStone.h b/src/SteppingStone.h index a47b268c83..aab411a46d 100644 --- a/src/SteppingStone.h +++ b/src/SteppingStone.h @@ -51,7 +51,7 @@ public: virtual void Init(); virtual void Done(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SteppingStone_Analyzer(conn); } static bool Available() { return stp_correlate_pair; } diff --git a/src/Syslog-binpac.cc b/src/Syslog-binpac.cc index c8697d0f3f..37449004c7 100644 --- a/src/Syslog-binpac.cc +++ b/src/Syslog-binpac.cc @@ -2,7 +2,7 @@ #include "TCP_Reassembler.h" Syslog_Analyzer_binpac::Syslog_Analyzer_binpac(Connection* conn) -: Analyzer(AnalyzerTag::SYSLOG_BINPAC, conn) +: Analyzer("SYSLOG_BINPAC", conn) { interp = new binpac::Syslog::Syslog_Conn(this); did_session_done = 0; @@ -45,7 +45,7 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // } //Syslog_TCP_Analyzer_binpac::Syslog_TCP_Analyzer_binpac(Connection* conn) -//: TCP_ApplicationAnalyzer(AnalyzerTag::Syslog_TCP_BINPAC, conn) +//: TCP_ApplicationAnalyzer(conn) // { // interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); // } 
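Review bot: The commented-out constructor in Syslog-binpac.cc now reads `//: TCP_ApplicationAnalyzer(conn)`, but the `TCP_ApplicationAnalyzer` constructor this patch introduces in TCP.h takes `(const char* name, Connection* conn)`, so the block would not compile if it were ever un-commented. Either update it to `//: TCP_ApplicationAnalyzer("SYSLOG_TCP_BINPAC", conn)` or, better, delete the dead commented-out `Syslog_TCP_Analyzer_binpac` code here and in Syslog-binpac.h instead of carrying stale text through the refactor.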
diff --git a/src/Syslog-binpac.h b/src/Syslog-binpac.h index fcd75edf0e..85caf5aaa4 100644 --- a/src/Syslog-binpac.h +++ b/src/Syslog-binpac.h @@ -6,7 +6,7 @@ #include "syslog_pac.h" -class Syslog_Analyzer_binpac : public Analyzer { +class Syslog_Analyzer_binpac : public analyzer::Analyzer { public: Syslog_Analyzer_binpac(Connection* conn); virtual ~Syslog_Analyzer_binpac(); @@ -15,7 +15,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Syslog_Analyzer_binpac(conn); } static bool Available() @@ -42,7 +42,7 @@ protected: // virtual void Undelivered(int seq, int len, bool orig); // virtual void EndpointEOF(TCP_Reassembler* endp); // -// static Analyzer* InstantiateAnalyzer(Connection* conn) +// static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) // { return new Syslog_TCP_Analyzer_binpac(conn); } // // static bool Available() diff --git a/src/TCP.cc b/src/TCP.cc index da977d8157..feb21c3271 100644 --- a/src/TCP.cc +++ b/src/TCP.cc @@ -32,7 +32,7 @@ static const int ORIG = 1; static const int RESP = 2; TCP_Analyzer::TCP_Analyzer(Connection* conn) -: TransportLayerAnalyzer(AnalyzerTag::TCP, conn) +: TransportLayerAnalyzer("TCP", conn) { // Set a timer to eventually time out this connection. ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer, @@ -1551,6 +1551,10 @@ void TCP_Analyzer::DeleteTimer(double /* t */) sessions->Remove(Conn()); } +void TCP_Analyzer::ConnDeleteTimer(double t) + { + Conn()->DeleteTimer(t); + } // The following need to be consistent with bro.init. #define CONTENTS_NONE 0 @@ -1847,7 +1851,7 @@ void TCP_ApplicationAnalyzer::Init() { Analyzer::Init(); - if ( Parent()->GetTag() == AnalyzerTag::TCP ) + if ( Parent()->IsAnalyzer("TCP") ) SetTCP(static_cast(Parent())); } 
@@ -1883,7 +1887,7 @@ void TCP_ApplicationAnalyzer::SetEnv(bool /* is_orig */, char* name, char* val) void TCP_ApplicationAnalyzer::EndpointEOF(bool is_orig) { - SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters; + analyzer::SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters; for ( ; sa; sa = sa->Sibling() ) static_cast(sa)->EndpointEOF(is_orig); } @@ -1891,7 +1895,7 @@ void TCP_ApplicationAnalyzer::EndpointEOF(bool is_orig) void TCP_ApplicationAnalyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer, int gen_event) { - SupportAnalyzer* sa = + analyzer::SupportAnalyzer* sa = endpoint->IsOrig() ? orig_supporters : resp_supporters; for ( ; sa; sa = sa->Sibling() ) 
@@ -1901,30 +1905,30 @@ void TCP_ApplicationAnalyzer::ConnectionClosed(TCP_Endpoint* endpoint, void TCP_ApplicationAnalyzer::ConnectionFinished(int half_finished) { - for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa) ->ConnectionFinished(half_finished); - for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa) ->ConnectionFinished(half_finished); } void TCP_ApplicationAnalyzer::ConnectionReset() { - for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->ConnectionReset(); - for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->ConnectionReset(); } void TCP_ApplicationAnalyzer::PacketWithRST() { - for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->PacketWithRST(); - for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->PacketWithRST(); } @@ -2060,7 +2064,7 @@ RecordVal* TCPStats_Endpoint::BuildStats() } TCPStats_Analyzer::TCPStats_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::TCPStats, c) +: TCP_ApplicationAnalyzer("TCPSTATS", c) { } diff --git a/src/TCP.h b/src/TCP.h index 635fda7960..93c008af58 100644 --- a/src/TCP.h +++ b/src/TCP.h 
@@ -3,10 +3,12 @@ #ifndef TCP_H #define TCP_H -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "TCP.h" #include "PacketDumper.h" #include "IPAddr.h" +#include "TCP_Endpoint.h" +#include "Conn.h" // We define two classes here: // - TCP_Analyzer is the analyzer for the TCP protocol itself. @@ -16,6 +18,7 @@ class PIA_TCP; class TCP_ApplicationAnalyzer; class TCP_Reassembler; +class TCP_Endpoint; class TCP_Flags { public: @@ -32,7 +35,7 @@ protected: u_char flags; }; -class TCP_Analyzer : public TransportLayerAnalyzer { +class TCP_Analyzer : public analyzer::TransportLayerAnalyzer { public: TCP_Analyzer(Connection* conn); virtual ~TCP_Analyzer(); @@ -41,7 +44,7 @@ public: // Add a child analyzer that will always get the packets, // independently of whether we do any reassembly. - void AddChildPacketAnalyzer(Analyzer* a) + void AddChildPacketAnalyzer(analyzer::Analyzer* a) { packet_children.push_back(a); a->SetParent(this); } // True if the connection has closed in some sense, false otherwise. @@ -85,7 +88,7 @@ public: proc_tcp_option_t proc, TCP_Analyzer* analyzer, bool is_orig, void* cookie); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new TCP_Analyzer(conn); } static bool Available() { return true; } @@ -213,7 +216,7 @@ protected: void ExpireTimer(double t); void ResetTimer(double t); void DeleteTimer(double t); - void ConnDeleteTimer(double t) { Conn()->DeleteTimer(t); } + void ConnDeleteTimer(double t); void EndpointEOF(TCP_Reassembler* endp); void ConnectionClosed(TCP_Endpoint* endpoint, @@ -240,6 +243,7 @@ private: TCP_Endpoint* orig; TCP_Endpoint* resp; + typedef list analyzer_list; analyzer_list packet_children; unsigned int first_packet_seen: 2; 
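Review bot: The `class TCP_Endpoint;` forward declaration added in the `@@ -16,6 +18,7` hunk is redundant, because the `@@ -3,10 +3,12` hunk of the same patch adds `#include "TCP_Endpoint.h"` a few lines above it; keep one or the other (the include only if TCP.h actually dereferences the type). `#include "Conn.h"` likewise looks like it was added for the inline `ConnDeleteTimer()`, which this patch then moves out of line into TCP.cc (`@@ -213,7 +216,7`); unless something else in the header now needs the complete `Connection` type, move that include to TCP.cc to keep the header's fan-out and include-cycle risk low. `typedef list analyzer_list;` has presumably lost its template argument in rendering (`typedef list<analyzer::Analyzer*> analyzer_list;`); if not, it will not compile.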
@@ -259,10 +263,10 @@ private: unsigned int seen_first_ACK: 1; }; -class TCP_ApplicationAnalyzer : public Analyzer { +class TCP_ApplicationAnalyzer : public analyzer::Analyzer { public: - TCP_ApplicationAnalyzer(AnalyzerTag::Tag tag, Connection* conn) - : Analyzer(tag, conn) + TCP_ApplicationAnalyzer(const char* name, Connection* conn) + : Analyzer(name, conn) { tcp = 0; } virtual ~TCP_ApplicationAnalyzer() { } @@ -273,8 +277,7 @@ public: { return tcp ? tcp : - static_cast( - Conn()->FindAnalyzer(AnalyzerTag::TCP)); + static_cast(Conn()->FindAnalyzer("TCP")); } void SetTCP(TCP_Analyzer* arg_tcp) { tcp = arg_tcp; } @@ -308,17 +311,14 @@ public: // delete them when done with them. virtual void SetEnv(bool orig, char* name, char* val); -protected: - TCP_ApplicationAnalyzer() { }; - private: TCP_Analyzer* tcp; }; -class TCP_SupportAnalyzer : public SupportAnalyzer { +class TCP_SupportAnalyzer : public analyzer::SupportAnalyzer { public: - TCP_SupportAnalyzer(AnalyzerTag::Tag tag, Connection* conn, bool arg_orig) - : SupportAnalyzer(tag, conn, arg_orig) { } + TCP_SupportAnalyzer(const char* name, Connection* conn, bool arg_orig) + : analyzer::SupportAnalyzer(name, conn, arg_orig) { } virtual ~TCP_SupportAnalyzer() {} @@ -362,7 +362,7 @@ public: virtual void Init(); virtual void Done(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new TCPStats_Analyzer(conn); } static bool Available() { return conn_stats || tcp_rexmit; } diff --git a/src/TCP_Reassembler.cc b/src/TCP_Reassembler.cc index eb2709373c..a9c25781c4 100644 --- a/src/TCP_Reassembler.cc +++ b/src/TCP_Reassembler.cc @@ -1,6 +1,6 @@ #include -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "TCP_Reassembler.h" #include "TCP.h" #include "TCP_Endpoint.h" 
@@ -25,7 +25,7 @@ static uint64 last_ack_bytes = 0; static uint64 last_gap_events = 0; static uint64 last_gap_bytes = 0; -TCP_Reassembler::TCP_Reassembler(Analyzer* arg_dst_analyzer, +TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, TCP_Reassembler::Type arg_type, bool arg_is_orig, TCP_Endpoint* arg_endp) diff --git a/src/TCP_Reassembler.h b/src/TCP_Reassembler.h index cb1750e2a2..410aa7cbbc 100644 --- a/src/TCP_Reassembler.h +++ b/src/TCP_Reassembler.h @@ -14,7 +14,7 @@ class BroFile; class Connection; class TCP_Analyzer; -class Analyzer; +namespace analyzer { class Analyzer; } const int STOP_ON_GAP = 1; const int PUNT_ON_PARTIAL = 1; @@ -26,7 +26,7 @@ public: Forward, // forward to destination analyzer's children }; - TCP_Reassembler(Analyzer* arg_dst_analyzer, + TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, Type arg_type, bool arg_is_orig, TCP_Endpoint* arg_endp); @@ -34,7 +34,7 @@ public: void Done(); - void SetDstAnalyzer(Analyzer* analyzer) { dst_analyzer = analyzer; } + void SetDstAnalyzer(analyzer::Analyzer* analyzer) { dst_analyzer = analyzer; } void SetType(Type arg_type) { type = arg_type; } TCP_Analyzer* GetTCPAnalyzer() { return tcp_analyzer; } @@ -125,7 +125,7 @@ private: BroFile* record_contents_file; // file on which to reassemble contents - Analyzer* dst_analyzer; + analyzer::Analyzer* dst_analyzer; TCP_Analyzer* tcp_analyzer; Type type; diff --git a/src/Telnet.cc b/src/Telnet.cc index 62c7d7b500..47991177f2 100644 --- a/src/Telnet.cc +++ b/src/Telnet.cc @@ -6,7 +6,7 @@ #include "NVT.h" Telnet_Analyzer::Telnet_Analyzer(Connection* conn) -: Login_Analyzer(AnalyzerTag::Telnet, conn) +: Login_Analyzer("TELNET", conn) { NVT_Analyzer* nvt_orig = new NVT_Analyzer(conn, true); NVT_Analyzer* nvt_resp = new NVT_Analyzer(conn, false); diff --git a/src/Telnet.h b/src/Telnet.h index 5675775789..6e1695be9c 100644 --- a/src/Telnet.h +++ b/src/Telnet.h 
@@ -10,7 +10,7 @@ public: Telnet_Analyzer(Connection* conn); virtual ~Telnet_Analyzer() {} - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Telnet_Analyzer(conn); } static bool Available() diff --git a/src/Teredo.cc b/src/Teredo.cc index 7794d1cb3b..88ed6d582e 100644 --- a/src/Teredo.cc +++ b/src/Teredo.cc @@ -1,5 +1,7 @@ #include "Teredo.h" +#include "TunnelEncapsulation.h" +#include "Conn.h" #include "IP.h" #include "Reporter.h" diff --git a/src/Teredo.h b/src/Teredo.h index e720d3f37c..d3e3336f9b 100644 --- a/src/Teredo.h +++ b/src/Teredo.h @@ -1,12 +1,13 @@ #ifndef Teredo_h #define Teredo_h -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "NetVar.h" +#include "Reporter.h" -class Teredo_Analyzer : public Analyzer { +class Teredo_Analyzer : public analyzer::Analyzer { public: - Teredo_Analyzer(Connection* conn) : Analyzer(AnalyzerTag::Teredo, conn), + Teredo_Analyzer(Connection* conn) : Analyzer("TEREDO", conn), valid_orig(false), valid_resp(false) {} @@ -18,7 +19,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Teredo_Analyzer(conn); } static bool Available() diff --git a/src/UDP.cc b/src/UDP.cc index d85cb39edd..2fd80cfce3 100644 --- a/src/UDP.cc +++ b/src/UDP.cc @@ -8,9 +8,10 @@ #include "NetVar.h" #include "UDP.h" #include "Reporter.h" +#include "Conn.h" UDP_Analyzer::UDP_Analyzer(Connection* conn) -: TransportLayerAnalyzer(AnalyzerTag::UDP, conn) +: TransportLayerAnalyzer("UDP", conn) { conn->EnableStatusUpdateTimer(); conn->SetInactivityTimeout(udp_inactivity_timeout); diff --git a/src/UDP.h b/src/UDP.h index b93d4da97f..36a9b84dcd 100644 --- a/src/UDP.h +++ b/src/UDP.h 
@@ -3,7 +3,7 @@ #ifndef udp_h #define udp_h -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include typedef enum { @@ -11,7 +11,7 @@ typedef enum { UDP_ACTIVE, // packets seen } UDP_EndpointState; -class UDP_Analyzer : public TransportLayerAnalyzer { +class UDP_Analyzer : public analyzer::TransportLayerAnalyzer { public: UDP_Analyzer(Connection* conn); virtual ~UDP_Analyzer(); @@ -20,7 +20,7 @@ public: virtual void UpdateConnVal(RecordVal *conn_val); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new UDP_Analyzer(conn); } static bool Available() { return true; } diff --git a/src/Val.cc b/src/Val.cc index 5133550236..8b55049706 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -1049,6 +1049,11 @@ StringVal::StringVal(const char* s) : Val(TYPE_STRING) val.string_val = new BroString(s); } +StringVal::StringVal(const string& s) : Val(TYPE_STRING) + { + val.string_val = new BroString(s.c_str()); + } + StringVal* StringVal::ToUpper() { val.string_val->ToUpper(); diff --git a/src/Val.h b/src/Val.h index 4b2705c5b4..019c390699 100644 --- a/src/Val.h +++ b/src/Val.h @@ -608,6 +608,7 @@ class StringVal : public Val { public: StringVal(BroString* s); StringVal(const char* s); + StringVal(const string& s); StringVal(int length, const char* s); Val* SizeVal() const diff --git a/src/ZIP.cc b/src/ZIP.cc index 0ebe93abe6..d3d9b1c38b 100644 --- a/src/ZIP.cc +++ b/src/ZIP.cc @@ -3,7 +3,7 @@ #include "ZIP.h" ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method) -: TCP_SupportAnalyzer(AnalyzerTag::Zip, conn, orig) +: TCP_SupportAnalyzer("ZIP", conn, orig) { zip = 0; zip_status = Z_OK; diff --git a/src/analyzer.bif b/src/analyzer.bif new file mode 100644 index 0000000000..2ce5af992d --- /dev/null +++ b/src/analyzer.bif 
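Review bot: The new `StringVal::StringVal(const string& s)` builds its `BroString` from `s.c_str()`, so a `std::string` carrying an embedded NUL is silently truncated at the first NUL byte — a trap for a value type that otherwise holds length-delimited data, which is exactly why `StringVal(int length, const char* s)` exists. Construct from `s.data()` and `s.size()` the way the length-taking constructor does, e.g. `val.string_val = new BroString(reinterpret_cast<const u_char*>(s.data()), s.size(), 1);` if that is the length-aware `BroString` overload used elsewhere (its constructors are not visible here). The only caller in this patch, `__name` in analyzer.bif, passes analyzer names, so nothing breaks today, but the constructor is general and will be picked up by later callers. The declaration `StringVal(const string& s);` in Val.h also relies on unqualified `string` being in scope; write `std::string` unless Val.h already has a `using`.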
@@ -0,0 +1,39 @@
+##! Internal functions and types used by the logging framework.
+
+module Analyzer;
+
+%%{
+#include "NetVar.h"
+
+#include "analyzer/Manager.h"
+%%}
+
+function Analyzer::__enable_analyzer%(id: Analyzer::Tag%) : bool
+ %{
+ bool result = analyzer_mgr->EnableAnalyzer(id->AsEnumVal());
+ return new Val(result, TYPE_BOOL);
+ %}
+
+function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool
+ %{
+ bool result = analyzer_mgr->DisableAnalyzer(id->AsEnumVal());
+ return new Val(result, TYPE_BOOL);
+ %}
+
+function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool
+ %{
+ bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p);
+ return new Val(result, TYPE_BOOL);
+ %}
+
+function Analyzer::__expect_connection%(orig: addr, resp: addr, resp_p: port,
+ analyzer: Analyzer::Tag, tout: interval%) : bool
+ %{
+ analyzer_mgr->ExpectConnection(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout, 0);
+ return new Val(true, TYPE_BOOL);
+ %}
+
+function __name%(atype: Analyzer::Tag%) : string
+ %{
+ return new StringVal(analyzer_mgr->GetAnalyzerName(atype));
+ %}
diff --git a/src/Analyzer.cc b/src/analyzer/Analyzer.cc
similarity index 65%
rename from src/Analyzer.cc
rename to src/analyzer/Analyzer.cc
index 15926dfa2a..ca15ad56e1 100644
--- a/src/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
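Review bot: The header comment of the new analyzer.bif, `##! Internal functions and types used by the logging framework.`, looks copied from the logging BIF and should read `##! Internal functions and types used by the analyzer framework.` `Analyzer::__expect_connection` returns a constant `true` regardless of what `analyzer_mgr->ExpectConnection()` does, so a script cannot tell whether its dynamic-protocol expectation was registered; if `ExpectConnection()` yields a status, return it the way the three functions above return their `result`, and if it is void, make the BIF's return type reflect that instead of reporting success unconditionally. The final function is declared as bare `__name` while its siblings are written `Analyzer::__name`-style; with `module Analyzer;` both resolve the same, but the inconsistency hurts grep-ability, so qualify it like the others.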
@@ -1,186 +1,13 @@ + #include #include "Analyzer.h" -#include "PIA.h" -#include "Event.h" +#include "Manager.h" -#include "AYIYA.h" -#include "BackDoor.h" -#include "BitTorrent.h" -#include "BitTorrentTracker.h" -#include "Finger.h" -#include "InterConn.h" -#include "NTP.h" -#include "HTTP.h" -#include "HTTP-binpac.h" -#include "ICMP.h" -#include "SteppingStone.h" -#include "IRC.h" -#include "SMTP.h" -#include "FTP.h" -#include "FileAnalyzer.h" -#include "DNS.h" -#include "DNS-binpac.h" -#include "DHCP-binpac.h" -#include "Telnet.h" -#include "Rlogin.h" -#include "RSH.h" -#include "DCE_RPC.h" -#include "Gnutella.h" -#include "Ident.h" -#include "Modbus.h" -#include "NCP.h" -#include "NetbiosSSN.h" -#include "SMB.h" -#include "NFS.h" -#include "Portmap.h" -#include "POP3.h" -#include "SOCKS.h" -#include "SSH.h" -#include "SSL.h" -#include "Syslog-binpac.h" -#include "Teredo.h" -#include "ConnSizeAnalyzer.h" -#include "GTPv1.h" +#include "../PIA.h" +#include "../Event.h" -// Keep same order here as in AnalyzerTag definition! 
-const Analyzer::Config Analyzer::analyzer_configs[] = { - { AnalyzerTag::Error, "", 0, 0, 0, false }, - - { AnalyzerTag::PIA_TCP, "PIA_TCP", PIA_TCP::InstantiateAnalyzer, - PIA_TCP::Available, 0, false }, - { AnalyzerTag::PIA_UDP, "PIA_UDP", PIA_UDP::InstantiateAnalyzer, - PIA_UDP::Available, 0, false }, - - { AnalyzerTag::ICMP, "ICMP", ICMP_Analyzer::InstantiateAnalyzer, - ICMP_Analyzer::Available, 0, false }, - - { AnalyzerTag::TCP, "TCP", TCP_Analyzer::InstantiateAnalyzer, - TCP_Analyzer::Available, 0, false }, - { AnalyzerTag::UDP, "UDP", UDP_Analyzer::InstantiateAnalyzer, - UDP_Analyzer::Available, 0, false }, - - { AnalyzerTag::BitTorrent, "BITTORRENT", - BitTorrent_Analyzer::InstantiateAnalyzer, - BitTorrent_Analyzer::Available, 0, false }, - { AnalyzerTag::BitTorrentTracker, "BITTORRENTTRACKER", - BitTorrentTracker_Analyzer::InstantiateAnalyzer, - BitTorrentTracker_Analyzer::Available, 0, false }, - { AnalyzerTag::DCE_RPC, "DCE_RPC", - DCE_RPC_Analyzer::InstantiateAnalyzer, - DCE_RPC_Analyzer::Available, 0, false }, - { AnalyzerTag::DNS, "DNS", DNS_Analyzer::InstantiateAnalyzer, - DNS_Analyzer::Available, 0, false }, - { AnalyzerTag::Finger, "FINGER", Finger_Analyzer::InstantiateAnalyzer, - Finger_Analyzer::Available, 0, false }, - { AnalyzerTag::FTP, "FTP", FTP_Analyzer::InstantiateAnalyzer, - FTP_Analyzer::Available, 0, false }, - { AnalyzerTag::Gnutella, "GNUTELLA", - Gnutella_Analyzer::InstantiateAnalyzer, - Gnutella_Analyzer::Available, 0, false }, - { AnalyzerTag::HTTP, "HTTP", HTTP_Analyzer::InstantiateAnalyzer, - HTTP_Analyzer::Available, 0, false }, - { AnalyzerTag::Ident, "IDENT", Ident_Analyzer::InstantiateAnalyzer, - Ident_Analyzer::Available, 0, false }, - { AnalyzerTag::IRC, "IRC", IRC_Analyzer::InstantiateAnalyzer, - IRC_Analyzer::Available, 0, false }, - { AnalyzerTag::Login, "LOGIN", 0, 0, 0, false }, // just a base class - { AnalyzerTag::NCP, "NCP", NCP_Analyzer::InstantiateAnalyzer, - NCP_Analyzer::Available, 0, false }, - { 
AnalyzerTag::NetbiosSSN, "NetbiosSSN", - NetbiosSSN_Analyzer::InstantiateAnalyzer, - NetbiosSSN_Analyzer::Available, 0, false }, - { AnalyzerTag::NFS, "NFS", NFS_Analyzer::InstantiateAnalyzer, - NFS_Analyzer::Available, 0, false }, - { AnalyzerTag::NTP, "NTP", NTP_Analyzer::InstantiateAnalyzer, - NTP_Analyzer::Available, 0, false }, - { AnalyzerTag::POP3, "POP3", POP3_Analyzer::InstantiateAnalyzer, - POP3_Analyzer::Available, 0, false }, - { AnalyzerTag::Portmapper, "PORTMAPPER", - Portmapper_Analyzer::InstantiateAnalyzer, - Portmapper_Analyzer::Available, 0, false }, - { AnalyzerTag::Rlogin, "RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer, - Rlogin_Analyzer::Available, 0, false }, - { AnalyzerTag::RPC, "RPC", 0, 0, 0, false }, - { AnalyzerTag::Rsh, "RSH", Rsh_Analyzer::InstantiateAnalyzer, - Rsh_Analyzer::Available, 0, false }, - { AnalyzerTag::SMB, "SMB", SMB_Analyzer::InstantiateAnalyzer, - SMB_Analyzer::Available, 0, false }, - { AnalyzerTag::SMTP, "SMTP", SMTP_Analyzer::InstantiateAnalyzer, - SMTP_Analyzer::Available, 0, false }, - { AnalyzerTag::SSH, "SSH", SSH_Analyzer::InstantiateAnalyzer, - SSH_Analyzer::Available, 0, false }, - { AnalyzerTag::Telnet, "TELNET", Telnet_Analyzer::InstantiateAnalyzer, - Telnet_Analyzer::Available, 0, false }, - - { AnalyzerTag::DHCP_BINPAC, "DHCP_BINPAC", - DHCP_Analyzer_binpac::InstantiateAnalyzer, - DHCP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::DNS_TCP_BINPAC, "DNS_TCP_BINPAC", - DNS_TCP_Analyzer_binpac::InstantiateAnalyzer, - DNS_TCP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::DNS_UDP_BINPAC, "DNS_UDP_BINPAC", - DNS_UDP_Analyzer_binpac::InstantiateAnalyzer, - DNS_UDP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::HTTP_BINPAC, "HTTP_BINPAC", - HTTP_Analyzer_binpac::InstantiateAnalyzer, - HTTP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::SSL, "SSL", - SSL_Analyzer::InstantiateAnalyzer, - SSL_Analyzer::Available, 0, false }, - { AnalyzerTag::SYSLOG_BINPAC, "SYSLOG_BINPAC", - 
Syslog_Analyzer_binpac::InstantiateAnalyzer, - Syslog_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::Modbus, "MODBUS", - ModbusTCP_Analyzer::InstantiateAnalyzer, - ModbusTCP_Analyzer::Available, 0, false }, - - { AnalyzerTag::AYIYA, "AYIYA", - AYIYA_Analyzer::InstantiateAnalyzer, - AYIYA_Analyzer::Available, 0, false }, - { AnalyzerTag::SOCKS, "SOCKS", - SOCKS_Analyzer::InstantiateAnalyzer, - SOCKS_Analyzer::Available, 0, false }, - { AnalyzerTag::Teredo, "TEREDO", - Teredo_Analyzer::InstantiateAnalyzer, - Teredo_Analyzer::Available, 0, false }, - { AnalyzerTag::GTPv1, "GTPV1", - GTPv1_Analyzer::InstantiateAnalyzer, - GTPv1_Analyzer::Available, 0, false }, - - { AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer, - File_Analyzer::Available, 0, false }, - { AnalyzerTag::Backdoor, "BACKDOOR", - BackDoor_Analyzer::InstantiateAnalyzer, - BackDoor_Analyzer::Available, 0, false }, - { AnalyzerTag::InterConn, "INTERCONN", - InterConn_Analyzer::InstantiateAnalyzer, - InterConn_Analyzer::Available, 0, false }, - { AnalyzerTag::SteppingStone, "STEPPINGSTONE", - SteppingStone_Analyzer::InstantiateAnalyzer, - SteppingStone_Analyzer::Available, 0, false }, - { AnalyzerTag::TCPStats, "TCPSTATS", - TCPStats_Analyzer::InstantiateAnalyzer, - TCPStats_Analyzer::Available, 0, false }, - { AnalyzerTag::ConnSize, "CONNSIZE", - ConnSize_Analyzer::InstantiateAnalyzer, - ConnSize_Analyzer::Available, 0, false }, - - { AnalyzerTag::Contents, "CONTENTS", 0, 0, 0, false }, - { AnalyzerTag::ContentLine, "CONTENTLINE", 0, 0, 0, false }, - { AnalyzerTag::NVT, "NVT", 0, 0, 0, false }, - { AnalyzerTag::Zip, "ZIP", 0, 0, 0, false }, - { AnalyzerTag::Contents_DNS, "CONTENTS_DNS", 0, 0, 0, false }, - { AnalyzerTag::Contents_NetbiosSSN, "CONTENTS_NETBIOSSSN", 0, 0, 0, false }, - { AnalyzerTag::Contents_NCP, "CONTENTS_NCP", 0, 0, 0, false }, - { AnalyzerTag::Contents_Rlogin, "CONTENTS_Rlogin", 0, 0, 0, false }, - { AnalyzerTag::Contents_Rsh, "CONTENTS_RSH", 0, 0, 0, false }, - { 
AnalyzerTag::Contents_DCE_RPC, "CONTENTS_DCE_RPC", 0, 0, 0, false }, - { AnalyzerTag::Contents_SMB, "CONTENTS_SMB", 0, 0, 0, false }, - { AnalyzerTag::Contents_RPC, "CONTENTS_RPC", 0, 0, 0, false }, - { AnalyzerTag::Contents_NFS, "CONTENTS_NFS", 0, 0, 0, false }, - { AnalyzerTag::FTP_ADAT, "FTP_ADAT", 0, 0, 0, false }, -}; +using namespace analyzer; AnalyzerTimer::~AnalyzerTimer() { @@ -212,41 +39,25 @@ void AnalyzerTimer::Init(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, Ref(analyzer->Conn()); } -AnalyzerID Analyzer::id_counter = 0;; +analyzer::ID Analyzer::id_counter = 0;; -Analyzer* Analyzer::InstantiateAnalyzer(AnalyzerTag::Tag tag, Connection* c) +bool Analyzer::IsAnalyzer(const char* name) { - Analyzer* a = analyzer_configs[tag].factory(c); - assert(a); - return a; - } - -const char* Analyzer::GetTagName(AnalyzerTag::Tag tag) - { - return analyzer_configs[tag].name; - } - -AnalyzerTag::Tag Analyzer::GetTag(const char* name) - { - for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ ) - if ( strcasecmp(analyzer_configs[i].name, name) == 0 ) - return analyzer_configs[i].tag; - - return AnalyzerTag::Error; + return analyzer_mgr->GetAnalyzerName(Tag()) == name; } // Used in debugging output. static string fmt_analyzer(Analyzer* a) { - return string(a->GetTagName()) + fmt("[%d]", a->GetID()); + return analyzer_mgr->GetAnalyzerName(a->GetTag()) + fmt("[%d]", a->GetID()); } -Analyzer::Analyzer(AnalyzerTag::Tag arg_tag, Connection* arg_conn) +Analyzer::Analyzer(const char* name, Connection* arg_conn) { // Don't Ref conn here to avoid circular ref'ing. It can't be deleted // before us. conn = arg_conn; - tag = arg_tag; + tag = analyzer_mgr->GetAnalyzerTag(name); id = ++id_counter; protocol_confirmed = false; skip = false; 
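Review bot: `Analyzer::IsAnalyzer` looks up the name of a default-constructed `Tag()` instead of this analyzer's own `tag` member, so it compares `name` against whatever the empty tag maps to and never against the analyzer it was asked about; the body should be `return analyzer_mgr->GetAnalyzerName(tag) == name;`. The rewritten constructor now resolves `analyzer_mgr->GetAnalyzerTag(name)` on every analyzer construction, putting a string-keyed lookup on the per-connection path; that is probably acceptable for now but deserves a comment saying so. The stray second semicolon in `analyzer::ID Analyzer::id_counter = 0;;` could be dropped while the line is being touched.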
@@ -257,6 +68,10 @@ Analyzer::Analyzer(AnalyzerTag::Tag arg_tag, Connection* arg_conn) resp_supporters = 0; signature = 0; output_handler = 0; + + if ( ! tag ) + reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::PluginComponent?", name); + } Analyzer::~Analyzer() @@ -351,11 +166,6 @@ void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, int seq, } } -const char* Analyzer::GetTagName() const - { - return GetTagName(tag); - } - void Analyzer::NextStream(int len, const u_char* data, bool is_orig) { if ( skip ) @@ -533,12 +343,15 @@ void Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init) fmt_analyzer(this).c_str(), fmt_analyzer(analyzer).c_str()); } -Analyzer* Analyzer::AddChildAnalyzer(AnalyzerTag::Tag analyzer) +Analyzer* Analyzer::AddChildAnalyzer(Tag analyzer) { if ( ! HasChildAnalyzer(analyzer) ) { - Analyzer* a = InstantiateAnalyzer(analyzer, conn); - AddChildAnalyzer(a); + Analyzer* a = analyzer_mgr->InstantiateAnalyzer(analyzer, conn); + + if ( a ) + AddChildAnalyzer(a); + return a; } @@ -563,12 +376,12 @@ void Analyzer::RemoveChildAnalyzer(Analyzer* analyzer) } } -void Analyzer::RemoveChildAnalyzer(AnalyzerID id) +void Analyzer::RemoveChildAnalyzer(ID id) { LOOP_OVER_CHILDREN(i) if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) ) { - DBG_LOG(DBG_DPD, "%s disabling child %s", GetTagName(), id, + DBG_LOG(DBG_DPD, "%s disabling child %s", analyzer_mgr->GetAnalyzerName(GetTag()).c_str(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()); // See comment above. (*i)->removing = true; @@ -576,7 +389,7 @@ void Analyzer::RemoveChildAnalyzer(AnalyzerID id) } } -bool Analyzer::HasChildAnalyzer(AnalyzerTag::Tag tag) +bool Analyzer::HasChildAnalyzer(Tag tag) { LOOP_OVER_CHILDREN(i) if ( (*i)->tag == tag ) 
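Review bot: `Analyzer::AddChildAnalyzer(Tag)` can now return a null pointer when `analyzer_mgr->InstantiateAnalyzer` yields none, whereas the code it replaces asserted a non-null result, so any existing caller that dereferences the return value without a check has become a latent null dereference. The declaration in Analyzer.h should say so, e.g. `// Returns the new child, or nil if no analyzer could be instantiated for the tag.`, and the callers should be audited for that case before this lands.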
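Review bot: The rewritten `DBG_LOG` in `Analyzer::RemoveChildAnalyzer(ID)` still passes four arguments to a format string with only two `%s` conversions: the first `%s` consumes the analyzer name, the second consumes the integer `id` as if it were a `char*`, and the two `fmt_analyzer` strings are never printed. The mismatch predates this commit, but since the line is being rewritten it is the moment to fix it, e.g. `DBG_LOG(DBG_DPD, "%s disabling child %s", fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());`, or extend the format so all four values are printed.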
@@ -589,7 +402,7 @@ bool Analyzer::HasChildAnalyzer(AnalyzerTag::Tag tag) return false; } -Analyzer* Analyzer::FindChild(AnalyzerID arg_id) +Analyzer* Analyzer::FindChild(ID arg_id) { if ( id == arg_id ) return this; @@ -604,7 +417,7 @@ Analyzer* Analyzer::FindChild(AnalyzerID arg_id) return 0; } -Analyzer* Analyzer::FindChild(AnalyzerTag::Tag arg_tag) +Analyzer* Analyzer::FindChild(Tag arg_tag) { if ( tag == arg_tag ) return this; @@ -619,6 +432,12 @@ Analyzer* Analyzer::FindChild(AnalyzerTag::Tag arg_tag) return 0; } +Analyzer* Analyzer::FindChild(const string& name) + { + Tag tag = analyzer_mgr->GetAnalyzerTag(name); + return tag != Tag::ERROR ? FindChild(tag) : 0; + } + void Analyzer::DeleteChild(analyzer_list::iterator i) { Analyzer* child = *i; @@ -707,7 +526,7 @@ void Analyzer::RemoveSupportAnalyzer(SupportAnalyzer* analyzer) return; } -bool Analyzer::HasSupportAnalyzer(AnalyzerTag::Tag tag, bool orig) +bool Analyzer::HasSupportAnalyzer(Tag tag, bool orig) { SupportAnalyzer* s = orig ? orig_supporters : resp_supporters; for ( ; s; s = s->sibling ) @@ -772,7 +591,7 @@ void Analyzer::ProtocolConfirmation() val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new Val(tag, TYPE_COUNT)); + vl->append(tag.Val()); vl->append(new Val(id, TYPE_COUNT)); // We immediately raise the event so that the analyzer can quickly @@ -800,7 +619,7 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new Val(tag, TYPE_COUNT)); + vl->append(tag.Val()); vl->append(new Val(id, TYPE_COUNT)); vl->append(r); 
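Review bot: `vl->append(tag.Val())` in `ProtocolConfirmation`, and again in `ProtocolViolation`, replaces a freshly allocated `new Val(tag, TYPE_COUNT)` whose single reference the event machinery consumed; whether `Tag::Val()` hands out a new reference each call or a value cached inside the tag is not visible here, and if it is cached the event path will unref it once per raised event. Please confirm the ownership contract of `Tag::Val()`; if it returns a borrowed pointer the call site needs a `Ref()` first, e.g. `Val* tv = tag.Val(); Ref(tv); vl->append(tv);`, and a one-line comment stating the contract belongs at the call site either way.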
@@ -872,6 +691,31 @@ void Analyzer::UpdateConnVal(RecordVal *conn_val) (*i)->UpdateConnVal(conn_val); } +RecordVal* Analyzer::BuildConnVal() + { + return conn->BuildConnVal(); + } + +void Analyzer::Event(EventHandlerPtr f, const char* name) + { + conn->Event(f, this, name); + } + +void Analyzer::Event(EventHandlerPtr f, Val* v1, Val* v2) + { + conn->Event(f, this, v1, v2); + } + +void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl) + { + conn->ConnectionEvent(f, this, vl); + } + +void Analyzer::Weird(const char* name, const char* addl) + { + conn->Weird(name, addl); + } + void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen) { diff --git a/src/Analyzer.h b/src/analyzer/Analyzer.h similarity index 81% rename from src/Analyzer.h rename to src/analyzer/Analyzer.h index 6ccd7648d3..db65670ad6 100644 --- a/src/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -1,19 +1,30 @@ // Main analyzer interface. -#ifndef ANALYZER_H -#define ANALYZER_H +#ifndef ANALYZER_ANALYZER_H +#define ANALYZER_ANALYZER_H #include -#include "AnalyzerTags.h" -#include "Conn.h" -#include "Obj.h" +#include "Tag.h" -class DPM; +#include "../Obj.h" +#include "../EventHandler.h" +#include "../Timer.h" + +class Rule; +class Connection; class PIA; -class Analyzer; +class IP_Hdr; +class TCP_ApplicationAnalyzer; + +namespace analyzer { class Analyzer; } + +namespace analyzer { + typedef list analyzer_list; +typedef uint32 ID; + typedef void (Analyzer::*analyzer_timer_func)(double t); // FIXME: This is a copy of ConnectionTimer, which we may eventually be @@ -56,7 +67,8 @@ class OutputHandler; class Analyzer { public: - Analyzer(AnalyzerTag::Tag tag, Connection* conn); + // "name" must match the one used in + Analyzer(const char* name, Connection* conn); virtual ~Analyzer(); virtual void Init(); 
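Review bot: The comment added above the constructor in Analyzer.h, `// "name" must match the one used in`, is cut off mid-sentence. Given that the constructor resolves the name through `analyzer_mgr->GetAnalyzerTag(name)` and `BuiltinAnalyzers` registers names via `PluginComponent`, it should read something like `// "name" must match the name the analyzer was registered under with the analyzer::Manager (its PluginComponent name); an unknown name is an internal error.`.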
@@ -94,7 +106,7 @@ public: // Report a message boundary to all child analyzers virtual void ForwardEndOfData(bool orig); - AnalyzerID GetID() const { return id; } + ID GetID() const { return id; } Connection* Conn() const { return conn; } // An OutputHandler can be used to get access to data extracted by this @@ -128,12 +140,8 @@ public: bool IsFinished() const { return finished; } - AnalyzerTag::Tag GetTag() const { return tag; } - const char* GetTagName() const; - static AnalyzerTag::Tag GetTag(const char* tag); - static const char* GetTagName(AnalyzerTag::Tag tag); - static bool IsAvailable(AnalyzerTag::Tag tag) - { return analyzer_configs[tag].available(); } + Tag GetTag() const { return tag; } + bool IsAnalyzer(const char* name); // Management of the tree. // @@ -141,18 +149,21 @@ public: // of the same type. void AddChildAnalyzer(Analyzer* analyzer) { AddChildAnalyzer(analyzer, true); } - Analyzer* AddChildAnalyzer(AnalyzerTag::Tag tag); + Analyzer* AddChildAnalyzer(Tag tag); void RemoveChildAnalyzer(Analyzer* analyzer); - void RemoveChildAnalyzer(AnalyzerID id); + void RemoveChildAnalyzer(ID id); - bool HasChildAnalyzer(AnalyzerTag::Tag tag); + bool HasChildAnalyzer(Tag tag); // Recursive; returns nil if not found. - Analyzer* FindChild(AnalyzerID id); + Analyzer* FindChild(ID id); // Recursive; returns first found, or nil. - Analyzer* FindChild(AnalyzerTag::Tag tag); + Analyzer* FindChild(Tag tag); + + // Recursive; returns first found, or nil. + Analyzer* FindChild(const string& name); const analyzer_list& GetChildren() { return children; } 
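Review bot: `bool IsAnalyzer(const char* name);` is the only accessor in this group that is not `const`; it only needs to read `tag`, so this declaration and the definition in Analyzer.cc should be `bool IsAnalyzer(const char* name) const;`, matching the adjacent `Tag GetTag() const`. It also replaces a lookup that the removed `GetTag(const char*)` performed with `strcasecmp`, while the new comparison is an exact `std::string` equality, so callers that relied on case-insensitive matching will silently stop matching; a one-line comment such as `// Exact (case-sensitive) match against the registered analyzer name.` would flag the behavior change.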
@@ -240,27 +251,17 @@ public: // The following methods are proxies: calls are directly forwarded // to the connection instance. These are for convenience only, // allowing us to reuse more of the old analyzer code unchanged. - RecordVal* BuildConnVal() - { return conn->BuildConnVal(); } - void Event(EventHandlerPtr f, const char* name = 0) - { conn->Event(f, this, name); } - void Event(EventHandlerPtr f, Val* v1, Val* v2 = 0) - { conn->Event(f, this, v1, v2); } - void ConnectionEvent(EventHandlerPtr f, val_list* vl) - { conn->ConnectionEvent(f, this, vl); } - void Weird(const char* name, const char* addl = "") - { conn->Weird(name, addl); } - - // Factory function to instantiate new analyzers. - static Analyzer* InstantiateAnalyzer(AnalyzerTag::Tag tag, Connection* c); + RecordVal* BuildConnVal(); + void Event(EventHandlerPtr f, const char* name = 0); + void Event(EventHandlerPtr f, Val* v1, Val* v2 = 0); + void ConnectionEvent(EventHandlerPtr f, val_list* vl); + void Weird(const char* name, const char* addl = ""); protected: - friend class DPM; friend class Connection; friend class AnalyzerTimer; friend class TCP_ApplicationAnalyzer; - - Analyzer() { } + friend class Manager; // Associates a connection with this analyzer. Must be called if // we're using the default ctor. @@ -275,7 +276,7 @@ protected: void RemoveTimer(Timer* t); void CancelTimers(); - bool HasSupportAnalyzer(AnalyzerTag::Tag tag, bool orig); + bool HasSupportAnalyzer(Tag tag, bool orig); void AddChildAnalyzer(Analyzer* analyzer, bool init); void InitChildren(); @@ -286,8 +287,8 @@ private: // already Done(). void DeleteChild(analyzer_list::iterator i); - AnalyzerTag::Tag tag; - AnalyzerID id; + Tag tag; + ID id; Connection* conn; Analyzer* parent; 
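Review bot: The protected default constructor `Analyzer() { }` is removed in this hunk, but the context comment that follows, `// Associates a connection with this analyzer. Must be called if we're using the default ctor.`, still documents a default-constructor workflow that no longer exists (the declaration it describes lies just past the hunk). Drop or rewrite the second sentence, and since default construction is now impossible it is worth checking whether the setter it introduces is still needed at all.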
@@ -308,49 +309,32 @@ private: bool finished; bool removing; - static AnalyzerID id_counter; - - typedef bool (*available_callback)(); - typedef Analyzer* (*factory_callback)(Connection* conn); - typedef bool (*match_callback)(Connection*); - - struct Config { - AnalyzerTag::Tag tag; - const char* name; - factory_callback factory; - available_callback available; - match_callback match; - bool partial; - }; - - // Table of analyzers. - static const Config analyzer_configs[]; - + static ID id_counter; }; #define ADD_ANALYZER_TIMER(timer, t, do_expire, type) \ - AddTimer(analyzer_timer_func(timer), (t), (do_expire), (type)) + AddTimer(analyzer::analyzer_timer_func(timer), (t), (do_expire), (type)) #define LOOP_OVER_CHILDREN(var) \ - for ( analyzer_list::iterator var = children.begin(); \ + for ( analyzer::analyzer_list::iterator var = children.begin(); \ var != children.end(); var++ ) #define LOOP_OVER_CONST_CHILDREN(var) \ - for ( analyzer_list::const_iterator var = children.begin(); \ + for ( analyzer::analyzer_list::const_iterator var = children.begin(); \ var != children.end(); var++ ) #define LOOP_OVER_GIVEN_CHILDREN(var, the_kids) \ - for ( analyzer_list::iterator var = the_kids.begin(); \ + for ( analyzer::analyzer_list::iterator var = the_kids.begin(); \ var != the_kids.end(); var++ ) #define LOOP_OVER_GIVEN_CONST_CHILDREN(var, the_kids) \ - for ( analyzer_list::const_iterator var = the_kids.begin(); \ + for ( analyzer::analyzer_list::const_iterator var = the_kids.begin(); \ var != the_kids.end(); var++ ) class SupportAnalyzer : public Analyzer { public: - SupportAnalyzer(AnalyzerTag::Tag tag, Connection* conn, bool arg_orig) - : Analyzer(tag, conn) { orig = arg_orig; sibling = 0; } + SupportAnalyzer(const char* name, Connection* conn, bool arg_orig) + : Analyzer(name, conn) { orig = arg_orig; sibling = 0; } virtual ~SupportAnalyzer() {} @@ -366,7 +350,6 @@ public: protected: friend class Analyzer; - SupportAnalyzer() { } private: bool orig; 
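Review bot: The rewritten `LOOP_OVER_*` macros keep post-increment `var++` on `std::list` iterators; since the lines are being rewritten anyway, `++var` is the idiomatic form and avoids a needless iterator copy, e.g. `var != children.end(); ++var )`. The `analyzer::analyzer_list` qualification inside macros defined within `namespace analyzer` is only needed because macros expand at the use site, which deserves a one-line comment above the first macro so nobody "simplifies" it back.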
@@ -378,8 +361,8 @@ private: class TransportLayerAnalyzer : public Analyzer { public: - TransportLayerAnalyzer(AnalyzerTag::Tag tag, Connection* conn) - : Analyzer(tag, conn) { pia = 0; } + TransportLayerAnalyzer(const char* name, Connection* conn) + : Analyzer(name, conn) { pia = 0; } virtual void Done(); virtual bool IsReuse(double t, const u_char* pkt) = 0; @@ -393,11 +376,10 @@ public: // Raises packet_contents event. void PacketContents(const u_char* data, int len); -protected: - TransportLayerAnalyzer() { } - private: PIA* pia; }; +} + #endif diff --git a/src/analyzer/BuiltinAnalyzers.cc b/src/analyzer/BuiltinAnalyzers.cc new file mode 100644 index 0000000000..e65dbdb62e --- /dev/null +++ b/src/analyzer/BuiltinAnalyzers.cc 
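Review bot: The namespace opened near the top of the header is closed with a bare `}` just before the include guard's `#endif`; in a header this long a trailing `} // namespace analyzer` makes the structure obvious to a reader landing at the bottom of the file. The `TransportLayerAnalyzer` constructor change itself is consistent with the `SupportAnalyzer` one above.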
@@ -0,0 +1,127 @@ + +#include "BuiltInAnalyzers.h" +#include "PluginComponent.h" + +#include "../binpac_bro.h" + +#include "AYIYA.h" +#include "BackDoor.h" +#include "BitTorrent.h" +#include "BitTorrentTracker.h" +#include "Finger.h" +#include "InterConn.h" +#include "NTP.h" +#include "HTTP.h" +#include "HTTP-binpac.h" +#include "ICMP.h" +#include "SteppingStone.h" +#include "IRC.h" +#include "SMTP.h" +#include "FTP.h" +#include "FileAnalyzer.h" +#include "DNS.h" +#include "DNS-binpac.h" +#include "DHCP-binpac.h" +#include "Telnet.h" +#include "Rlogin.h" +#include "RSH.h" +#include "DCE_RPC.h" +#include "Gnutella.h" +#include "Ident.h" +#include "Modbus.h" +#include "NCP.h" +#include "NetbiosSSN.h" +#include "SMB.h" +#include "NFS.h" +#include "Portmap.h" +#include "POP3.h" +#include "SOCKS.h" +#include "SSH.h" +#include "SSL.h" +#include "Syslog-binpac.h" +#include "Teredo.h" +#include "ConnSizeAnalyzer.h" +#include "GTPv1.h" + +using namespace analyzer; + +#define DEFINE_ANALYZER(name, factory, enabled, partial) \ + AddComponent(new PluginComponent(name, factory, enabled, partial)) + +void BuiltinAnalyzers::Init() + { + plugin::Description desc; + desc.name = "Core-Analyzers"; + desc.description = "Built-in protocol analyzers"; + desc.version = plugin::API_BUILTIN; + SetDescription(desc); + + DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("DNS", 
DNS_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); + DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); + DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("LOGIN", 0, true, false); // just a base class + DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("NETBIOSSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("RPC", 0, true, false); + DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("DNS_TCP_BINPAC", DNS_TCP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); + DEFINE_ANALYZER("DNS_UDP_BINPAC", DNS_UDP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); + DEFINE_ANALYZER("HTTP_BINPAC", HTTP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); + 
DEFINE_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("CONTENTS", 0, true, false); + DEFINE_ANALYZER("CONTENTLINE", 0, true, false); + DEFINE_ANALYZER("NVT", 0, true, false); + DEFINE_ANALYZER("ZIP", 0, true, false); + DEFINE_ANALYZER("CONTENTS_DNS", 0, true, false); + DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0, true, false); + DEFINE_ANALYZER("CONTENTS_NCP", 0, true, false); + DEFINE_ANALYZER("CONTENTS_RLOGIN", 0, true, false); + DEFINE_ANALYZER("CONTENTS_RSH", 0, true, false); + DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0, true, false); + DEFINE_ANALYZER("CONTENTS_SMB", 0, true, false); + DEFINE_ANALYZER("CONTENTS_RPC", 0, true, false); + DEFINE_ANALYZER("CONTENTS_NFS", 0, true, false); + DEFINE_ANALYZER("FTP_ADAT", 0, true, false); + } + diff --git a/src/analyzer/BuiltinAnalyzers.h b/src/analyzer/BuiltinAnalyzers.h new file mode 100644 index 0000000000..6097bfa078 --- /dev/null +++ b/src/analyzer/BuiltinAnalyzers.h 
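Review bot: `#include "BuiltInAnalyzers.h"` does not match the header this commit adds, `src/analyzer/BuiltinAnalyzers.h` (lower-case `i`), so the build fails on a case-sensitive filesystem; change it to `#include "BuiltinAnalyzers.h"`. Several entries (`LOGIN`, `RPC`, the `CONTENTS*` family, `FTP_ADAT`) register a null factory while `enabled` is true; a one-line comment above the first of them, saying these are tag-only placeholders and that a null factory must never be invoked by the Manager, would save the next reader a trip into Manager.cc. The `DEFINE_ANALYZER` macro is also left defined past the end of the function; an `#undef DEFINE_ANALYZER` after `Init()` keeps it local to this file.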
@@ -0,0 +1,17 @@ + +#ifndef ANALYZER_BUILTIN_ANALYZERS_H +#define ANALYZER_BUILTIN_ANALYZERS_H + +#include "plugin/Plugin.h" + +namespace analyzer { + +class BuiltinAnalyzers : public plugin::Plugin { +public: + virtual void Init(); +}; + +} + + +#endif diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc new file mode 100644 index 0000000000..b2d35215f3 --- /dev/null +++ b/src/analyzer/Manager.cc 
@@ -0,0 +1,691 @@ + +#include "Manager.h" + +#include "PIA.h" +#include "Hash.h" +#include "ICMP.h" +#include "UDP.h" +#include "TCP.h" +#include "Val.h" +#include "BackDoor.h" +#include "InterConn.h" +#include "SteppingStone.h" +#include "ConnSizeAnalyzer.h" + +#include "plugin/Manager.h" + +using namespace analyzer; + +ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, + uint16 _resp_p, uint16 _proto) + { + if ( _orig == IPAddr(string("0.0.0.0")) ) + // don't use the IPv4 mapping, use the literal unspecified address + // to indicate a wildcard + orig = IPAddr(string("::")); + else + orig = _orig; + resp = _resp; + resp_p = _resp_p; + proto = _proto; + } + +ExpectedConn::ExpectedConn(const ExpectedConn& c) + { + orig = c.orig; + resp = c.resp; + resp_p = c.resp_p; + proto = c.proto; + } + +Manager::Manager() + : expected_conns_queue(AssignedAnalyzer::compare) + { + tag_enum_type = new EnumType("Analyzer::Tag"); + ::ID* id = install_ID("Tag", "Analyzer", true, true); + add_type(id, tag_enum_type, 0, 0); + } + +Manager::~Manager() + { + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_tcp.begin(); i != analyzers_by_port_tcp.end(); i++ ) + delete i->second; + + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_udp.begin(); i != analyzers_by_port_udp.end(); i++ ) + delete i->second; + + analyzers_by_port_udp.clear(); + analyzers_by_port_tcp.clear(); + + // Clean up expected-connection table. + while ( expected_conns_queue.size() ) + { + AssignedAnalyzer* a = expected_conns_queue.top(); + if ( ! a->deleted ) + { + HashKey* key = BuildExpectedConnHashKey(a->conn); + expected_conns.Remove(key); + delete key; + } + + expected_conns_queue.pop(); + delete a; + } + } + +void Manager::Init() + { + std::list analyzers = plugin_mgr->Components(plugin::component::ANALYZER); + + for ( std::list::const_iterator i = analyzers.begin(); i != analyzers.end(); i++ ) + RegisterAnalyzerComponent(*i); + + // Caache these tags. 
+ analyzer_backdoor = GetAnalyzerTag("BACKDOOR"); + analyzer_connsize = GetAnalyzerTag("CONNSIZE"); + analyzer_interconn = GetAnalyzerTag("INTERCONN"); + analyzer_stepping = GetAnalyzerTag("STEPPINGSTONE"); + analyzer_tcpstats = GetAnalyzerTag("TCPSTATS"); + } + +void Manager::DumpDebug() + { +#ifdef DEBUG + DBG_LOG(DBG_DPD, "Available analyzers after bro_init():"); + for ( analyzer_map_by_name::const_iterator i = analyzers_by_name.begin(); i != analyzers_by_name.end(); i++ ) + DBG_LOG(DBG_DPD, " %s (%s)", i->second->Name().c_str(), IsEnabled(i->second->Tag()) ? "enabled" : "disabled"); + + DBG_LOG(DBG_DPD, ""); + DBG_LOG(DBG_DPD, "Analyzers by port:"); + + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_tcp.begin(); i != analyzers_by_port_tcp.end(); i++ ) + { + string s; + + for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) + s += GetAnalyzerName(*j) + " "; + + DBG_LOG(DBG_DPD, " %d/tcp: %s", i->first, s.c_str()); + } + + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_udp.begin(); i != analyzers_by_port_udp.end(); i++ ) + { + string s; + + for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) + s += GetAnalyzerName(*j) + " "; + + DBG_LOG(DBG_DPD, " %d/udp: %s", i->first, s.c_str()); + } + +#if 0 + ODesc d; + tag_enum_type->Describe(&d); + + DBG_LOG(DBG_DPD, ""); + DBG_LOG(DBG_DPD, "Analyzer::Tag type: %s", d.Description()); +#endif + +#endif + } + +void Manager::Done() + { + } + +void Manager::RegisterAnalyzerComponent(PluginComponent* component) + { + if ( Lookup(component->Name()) ) + reporter->FatalError("Analyzer %s defined more than once", component->Name().c_str()); + + DBG_LOG(DBG_DPD, "Registering analyzer %s (tag %s)", + component->Name().c_str(), component->Tag().AsString().c_str()); + + analyzers_by_name.insert(std::make_pair(component->Name(), component)); + analyzers_by_tag.insert(std::make_pair(component->Tag(), component)); + 
analyzers_by_val.insert(std::make_pair(component->Tag().Val()->InternalInt(), component)); + + // Install enum "Analyzer::ANALYZER_*" + string name = to_upper(component->Name()); + string id = fmt("ANALYZER_%s", name.c_str()); + tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().Val()->InternalInt(), true); + } + +bool Manager::EnableAnalyzer(Tag tag) + { + PluginComponent* p = Lookup(tag); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to enable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Enabling analyzer %s", p->Name().c_str()); + p->SetEnabled(true); + + return true; + } + +bool Manager::EnableAnalyzer(EnumVal* val) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to enable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Enabling analyzer %s", p->Name().c_str()); + p->SetEnabled(true); + + return true; + } + +bool Manager::DisableAnalyzer(Tag tag) + { + PluginComponent* p = Lookup(tag); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to disable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Disabling analyzer %s", p->Name().c_str()); + p->SetEnabled(false); + + return true; + } + +bool Manager::DisableAnalyzer(EnumVal* val) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to disable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Disabling analyzer %s", p->Name().c_str()); + p->SetEnabled(false); + + return true; + } + +bool Manager::IsEnabled(Tag tag) + { + if ( ! tag ) + return false; + + PluginComponent* p = Lookup(tag); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to check non-existing analyzer"); + return false; + } + + return p->Enabled(); + } + +bool Manager::IsEnabled(EnumVal* val) + { + PluginComponent* p = Lookup(val); + + if ( ! 
p ) + { + DBG_LOG(DBG_DPD, "Asked to check non-existing analyzer"); + return false; + } + + return p->Enabled(); + } + + +bool Manager::RegisterAnalyzerForPort(EnumVal* val, PortVal* port) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to register port for non-existing analyzer"); + return false; + } + + return RegisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); + } + +bool Manager::UnregisterAnalyzerForPort(EnumVal* val, PortVal* port) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to unregister port fork non-existing analyzer"); + return false; + } + + return UnregisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); + } + +bool Manager::RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port) + { + tag_set* l = LookupPort(proto, port, true); + +#ifdef DEBUG + std::string name = GetAnalyzerName(tag); + DBG_LOG(DBG_DPD, "Registering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); +#endif + + l->insert(tag); + return true; + } + +bool Manager::UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port) + { + tag_set* l = LookupPort(proto, port, true); + +#ifdef DEBUG + std::string name = GetAnalyzerName(tag); + DBG_LOG(DBG_DPD, "Unregistering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); +#endif + + l->erase(tag); + return true; + } + +Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) + { + PluginComponent* c = Lookup(tag); + + if ( ! c ) + reporter->InternalError("request to instantiate unknown analyzer"); + + if ( ! c->Enabled() ) + return 0; + + assert(c->Factory()); + Analyzer* a = c->Factory()(conn); + + if ( ! a ) + reporter->InternalError("analyzer instantiation failed"); + + return a; + } + +string Manager::GetAnalyzerName(Tag tag) + { + if ( ! tag ) + return ""; + + PluginComponent* c = Lookup(tag); + + if ( ! 
c ) + reporter->InternalError("request for name of unknown analyzer tag %s", tag.AsString().c_str()); + + return c->Name(); + } + +string Manager::GetAnalyzerName(Val* val) + { + return GetAnalyzerName(Tag(val->AsEnumVal())); + } + +Tag Manager::GetAnalyzerTag(const string& name) + { + PluginComponent* c = Lookup(name); + return c ? c->Tag() : Tag::ERROR; + } + +Tag Manager::GetAnalyzerTag(const char* name) + { + PluginComponent* c = Lookup(name); + return c ? c->Tag() : Tag::ERROR; + } + +EnumType* Manager::GetTagEnumType() + { + return tag_enum_type; + } + + +PluginComponent* Manager::Lookup(const string& name) + { + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + return i != analyzers_by_name.end() ? i->second : 0; + } + +PluginComponent* Manager::Lookup(const char* name) + { + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + return i != analyzers_by_name.end() ? i->second : 0; + } + +PluginComponent* Manager::Lookup(const Tag& tag) + { + analyzer_map_by_tag::const_iterator i = analyzers_by_tag.find(tag); + return i != analyzers_by_tag.end() ? i->second : 0; + } + +PluginComponent* Manager::Lookup(EnumVal* val) + { + analyzer_map_by_val::const_iterator i = analyzers_by_val.find(val->InternalInt()); + return i != analyzers_by_val.end() ? i->second : 0; + } + +Manager::tag_set* Manager::LookupPort(TransportProto proto, uint32 port, bool add_if_not_found) + { + analyzer_map_by_port* m = 0; + + switch ( proto ) { + case TRANSPORT_TCP: + m = &analyzers_by_port_tcp; + break; + + case TRANSPORT_UDP: + m = &analyzers_by_port_udp; + break; + + default: + reporter->InternalError("unsupport transport protocol in analyzer::Manager::LookupPort"); + } + + analyzer_map_by_port::const_iterator i = m->find(port); + + if ( i != m->end() ) + return i->second; + + if ( ! 
add_if_not_found ) + return 0; + + tag_set* l = new tag_set; + m->insert(std::make_pair(port, l)); + return l; + } + +Manager::tag_set* Manager::LookupPort(PortVal* val, bool add_if_not_found) + { + return LookupPort(val->PortType(), val->Port(), add_if_not_found); + } + +Tag Manager::GetExpected(int proto, const Connection* conn) + { + if ( ! expected_conns.Length() ) + return Tag::ERROR; + + ExpectedConn c(conn->OrigAddr(), conn->RespAddr(), + ntohs(conn->RespPort()), proto); + + HashKey* key = BuildExpectedConnHashKey(c); + AssignedAnalyzer* a = expected_conns.Lookup(key); + delete key; + + if ( ! a ) + { + // Wildcard for originator. + c.orig = IPAddr(string("::")); + + HashKey* key = BuildExpectedConnHashKey(c); + a = expected_conns.Lookup(key); + delete key; + } + + if ( ! a ) + return Tag::ERROR; + + // We don't delete it here. It will be expired eventually. + return a->analyzer; + } + +bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, + const u_char* data) + { + Analyzer* analyzer = 0; + TCP_Analyzer* tcp = 0; + UDP_Analyzer* udp = 0; + ICMP_Analyzer* icmp = 0; + TransportLayerAnalyzer* root = 0; + Tag expected = Tag::ERROR; + PIA* pia = 0; + bool analyzed = false; + bool check_port = false; + + switch ( proto ) { + + case TRANSPORT_TCP: + root = tcp = new TCP_Analyzer(conn); + pia = new PIA_TCP(conn); + expected = GetExpected(proto, conn); + check_port = true; + DBG_DPD(conn, "activated TCP analyzer"); + break; + + case TRANSPORT_UDP: + root = udp = new UDP_Analyzer(conn); + pia = new PIA_UDP(conn); + expected = GetExpected(proto, conn); + check_port = true; + DBG_DPD(conn, "activated UDP analyzer"); + break; + + case TRANSPORT_ICMP: { + root = icmp = new ICMP_Analyzer(conn); + DBG_DPD(conn, "activated ICMP analyzer"); + analyzed = true; + break; + } + + default: + reporter->InternalError("unknown protocol"); + } + + if ( ! 
root ) + { + DBG_DPD(conn, "cannot build analyzer tree"); + return false; + } + + // Any scheduled analyzer? + if ( expected ) + { + Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(expected, conn); + + if ( analyzer ) + { + root->AddChildAnalyzer(analyzer, false); + + DBG_DPD_ARGS(conn, "activated %s analyzer as scheduled", + analyzer_mgr->GetAnalyzerName(expected).c_str()); + } + + // Hmm... Do we want *just* the expected analyzer, or all + // other potential analyzers as well? For now we only take + // the scheduled one. + } + + else + { // Let's see if it's a port we know. + if ( check_port && ! dpd_ignore_ports ) + { + int resp_port = ntohs(conn->RespPort()); + tag_set* ports = LookupPort(proto, resp_port, false); + + if ( ports ) + { + for ( tag_set::const_iterator j = ports->begin(); j != ports->end(); ++j ) + { + Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(*j, conn); + + if ( ! analyzer ) + continue; + + root->AddChildAnalyzer(analyzer, false); + DBG_DPD_ARGS(conn, "activated %s analyzer due to port %d", + analyzer_mgr->GetAnalyzerName(*j).c_str(), resp_port); + } + } + } + } + + if ( tcp ) + { + // We have to decide whether to reassamble the stream. + // We turn it on right away if we already have an app-layer + // analyzer, reassemble_first_packets is true, or the user + // asks us to do so. In all other cases, reassembly may + // be turned on later by the TCP PIA. + + bool reass = root->GetChildren().size() || + dpd_reassemble_first_packets || + tcp_content_deliver_all_orig || + tcp_content_deliver_all_resp; + + if ( tcp_contents && ! reass ) + { + PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP); + Val* result; + + if ( ! reass ) + reass = tcp_content_delivery_ports_orig->Lookup(&dport); + + if ( ! reass ) + reass = tcp_content_delivery_ports_resp->Lookup(&dport); + } + + if ( reass ) + tcp->EnableReassembly(); + + if ( IsEnabled(analyzer_backdoor) ) + // Add a BackDoor analyzer if requested. 
This analyzer + // can handle both reassembled and non-reassembled input. + tcp->AddChildAnalyzer(new BackDoor_Analyzer(conn), false); + + if ( IsEnabled(analyzer_interconn) ) + // Add a InterConn analyzer if requested. This analyzer + // can handle both reassembled and non-reassembled input. + tcp->AddChildAnalyzer(new InterConn_Analyzer(conn), false); + + if ( IsEnabled(analyzer_stepping) ) + { + // Add a SteppingStone analyzer if requested. The port + // should really not be hardcoded here, but as it can + // handle non-reassembled data, it doesn't really fit into + // our general framing ... Better would be to turn it + // on *after* we discover we have interactive traffic. + uint16 resp_port = ntohs(conn->RespPort()); + if ( resp_port == 22 || resp_port == 23 || resp_port == 513 ) + { + AddrVal src(conn->OrigAddr()); + if ( ! stp_skip_src->Lookup(&src) ) + tcp->AddChildAnalyzer(new SteppingStone_Analyzer(conn), false); + } + } + + if ( IsEnabled(analyzer_tcpstats) ) + // Add TCPStats analyzer. This needs to see packets so + // we cannot add it as a normal child. + tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn)); + + if ( IsEnabled(analyzer_connsize) ) + // Add ConnSize analyzer. Needs to see packets, not stream. + tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn)); + } + + else + { + if ( IsEnabled(analyzer_connsize) ) + // Add ConnSize analyzer. Needs to see packets, not stream. + udp->AddChildAnalyzer(new ConnSize_Analyzer(conn)); + } + + if ( pia ) + root->AddChildAnalyzer(pia->AsAnalyzer()); + + if ( root->GetChildren().size() ) + analyzed = true; + + conn->SetRootAnalyzer(root, pia); + root->Init(); + root->InitChildren(); + + if ( ! 
analyzed ) + conn->SetLifetime(non_analyzed_lifetime); + + if ( expected != Tag::ERROR ) + conn->Event(expected_connection_seen, 0, + new Val(expected, TYPE_COUNT)); + + return true; + } + +void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, + uint16 resp_p, + TransportProto proto, Tag analyzer, + double timeout, void* cookie) + { + // Use the chance to see if the oldest entry is already expired. + if ( expected_conns_queue.size() ) + { + AssignedAnalyzer* a = expected_conns_queue.top(); + if ( a->timeout < network_time ) + { + if ( ! a->deleted ) + { + HashKey* key = BuildExpectedConnHashKey(a->conn); + expected_conns.Remove(key); + delete key; + } + + expected_conns_queue.pop(); + + DBG_LOG(DBG_DPD, "Expired expected %s analyzer for %s", + analyzer_mgr->GetAnalyzerName(analyzer).c_str(), + fmt_conn_id(a->conn.orig, 0, + a->conn.resp, + a->conn.resp_p)); + + delete a; + } + } + + ExpectedConn c(orig, resp, resp_p, proto); + + HashKey* key = BuildExpectedConnHashKey(c); + + AssignedAnalyzer* a = expected_conns.Lookup(key); + + if ( a ) + a->deleted = true; + + a = new AssignedAnalyzer(c); + + a->analyzer = analyzer; + a->cookie = cookie; + a->timeout = network_time + timeout; + a->deleted = false; + + expected_conns.Insert(key, a); + expected_conns_queue.push(a); + delete key; + } + +void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, + uint16 resp_p, + TransportProto proto, const string& analyzer, + double timeout, void* cookie) + { + Tag tag = GetAnalyzerTag(analyzer); + + if ( tag != Tag::ERROR ) + ExpectConnection(orig, resp, resp_p, proto, tag, timeout, cookie); + } + +void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, + Val* analyzer, double timeout, void* cookie) + { + EnumVal* ev = analyzer->AsEnumVal(); + return ExpectConnection(orig, resp, resp_p->Port(), resp_p->PortType(), Tag(ev), timeout, cookie); + } 
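Review bot: In the first ExpectConnection overload, the "Expired expected %s analyzer for %s" DBG_LOG names the analyzer that is being scheduled (`analyzer`) instead of the entry that is being expired; it should read `analyzer_mgr->GetAnalyzerName(a->analyzer).c_str()`. UnregisterAnalyzerForPort(Tag, TransportProto, uint32) calls `LookupPort(proto, port, true)`, so unregistering a port nobody registered allocates an empty tag_set that then lives in the map forever; `tag_set* l = LookupPort(proto, port, false); if ( ! l ) return false;` avoids that (or keep returning true if callers depend on it). Expiry in ExpectConnection inspects only the top of the queue once per call, so a burst of scheduled-but-never-seen connections is reaped no faster than new requests arrive; since this table is fed from script land, either loop while the top entry is expired or document the growth bound in the header. Finally, when Lookup finds an existing entry for the key, the old AssignedAnalyzer is merely flagged `deleted` and a second one is inserted under the same key; whether PDict::Insert replaces or rejects the duplicate decides which analyzer GetExpected returns, and that isn't visible here, so a comment stating the intended semantics would help.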
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h new file mode 100644 index 0000000000..e6143cada6 --- /dev/null +++ b/src/analyzer/Manager.h 
@@ -0,0 +1,182 @@ +// The central management unit for dynamic analyzer selection. + +#ifndef ANALYZER_MANAGER_H +#define ANALYZER_MANAGER_H + +#include + +#include "Tag.h" +#include "PluginComponent.h" + +#include "Analyzer.h" +#include "../Dict.h" +#include "../net_util.h" +#include "../IP.h" + +namespace analyzer { + +// Manager debug logging, which includes the connection id into the message. +#ifdef DEBUG +# define DBG_DPD(conn, txt) \ + DBG_LOG(DBG_DPD, "%s " txt, \ + fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ + conn->RespAddr(), ntohs(conn->RespPort()))); +# define DBG_DPD_ARGS(conn, fmt, args...) \ + DBG_LOG(DBG_DPD, "%s " fmt, \ + fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ + conn->RespAddr(), ntohs(conn->RespPort())), ##args); +#else +# define DBG_DPD(conn, txt) +# define DBG_DPD_ARGS(conn, fmt, args...) +#endif + +// Map index to assign expected connections to analyzers. +class ExpectedConn { +public: + ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, + uint16 _resp_p, uint16 _proto); + + ExpectedConn(const ExpectedConn& c); + + IPAddr orig; + IPAddr resp; + uint16 resp_p; + uint16 proto; +}; + +// Associates an analyzer for an expected future connection. +class AssignedAnalyzer { +public: + AssignedAnalyzer(const ExpectedConn& c) + : conn(c) { } + + ExpectedConn conn; + Tag analyzer; + double timeout; + void* cookie; + bool deleted; + + static bool compare(const AssignedAnalyzer* a1, const AssignedAnalyzer* a2) + { return a1->timeout > a2->timeout; } +}; + +declare(PDict, AssignedAnalyzer); + +class Manager { +public: + Manager(); + ~Manager(); + + void Init(); // Called before script's are parsed. + void Done(); + void DumpDebug(); // Called after bro_init() events. 
+ + bool EnableAnalyzer(Tag tag); + bool EnableAnalyzer(EnumVal* tag); + + bool DisableAnalyzer(Tag tag); + bool DisableAnalyzer(EnumVal* tag); + + bool IsEnabled(Tag tag); + bool IsEnabled(EnumVal* tag); + + bool RegisterAnalyzerForPort(EnumVal* tag, PortVal* port); + bool RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); + + bool UnregisterAnalyzerForPort(EnumVal* tag, PortVal* port); + bool UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); + + Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled. + + string GetAnalyzerName(Tag tag); + string GetAnalyzerName(Val* val); + Tag GetAnalyzerTag(const string& name); // Tag::ERROR when not known. + Tag GetAnalyzerTag(const char* name); // Tag::ERROR when not known. + + EnumType* GetTagEnumType(); + + // Given info about the first packet, build initial analyzer tree. + // + // It would be more flexible if we simply pass in the IP header and + // then extract the information we need. However, when this method + // is called from the session management, protocol and ports have + // already been extracted there and it would be a waste to do it + // again. + // + // Returns 0 if we can't build a tree (e.g., because the necessary + // analyzers have not been converted to the Manager framework yet...) + bool BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, + const u_char* data); + + // Schedules a particular analyzer for an upcoming connection. 0 acts + // as a wildcard for orig. (Cookie is currently unused. Eventually, + // we may pass it on to the analyzer). 
+ void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, + TransportProto proto, Tag::Tag analyzer, + double timeout, void* cookie); + + void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, + TransportProto proto, const string& analyzer, + double timeout, void* cookie); + + void ExpectConnection(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, + Val* val, double timeout, void* cookie); + + // Activates signature matching for protocol detection. (Called when + // an Manager signatures is found.) + void ActivateSigs() { sigs_activated = true; } + bool SigsActivated() const { return sigs_activated; } + +private: + typedef set tag_set; + typedef map analyzer_map_by_name; + typedef map analyzer_map_by_tag; + typedef map analyzer_map_by_val; + typedef map analyzer_map_by_port; + + void RegisterAnalyzerComponent(PluginComponent* component); // Takes ownership. + + PluginComponent* Lookup(const string& name); + PluginComponent* Lookup(const char* name); + PluginComponent* Lookup(const Tag& tag); + PluginComponent* Lookup(EnumVal* val); + + tag_set* LookupPort(PortVal* val, bool add_if_not_found); + tag_set* LookupPort(TransportProto proto, uint32 port, bool add_if_not_found); + + // Return analyzer if any has been scheduled with ExpectConnection() + // Tag::::Error if none. + Tag GetExpected(int proto, const Connection* conn); + + analyzer_map_by_port analyzers_by_port_tcp; + analyzer_map_by_port analyzers_by_port_udp; + analyzer_map_by_name analyzers_by_name; + analyzer_map_by_tag analyzers_by_tag; + analyzer_map_by_val analyzers_by_val; + + Tag analyzer_backdoor; + Tag analyzer_connsize; + Tag analyzer_interconn; + Tag analyzer_stepping; + Tag analyzer_tcpstats; + + EnumType* tag_enum_type; + + // True if signature-matching has been activated. 
+ bool sigs_activated; + + PDict(AssignedAnalyzer) expected_conns; + + typedef priority_queue< + AssignedAnalyzer*, + vector, + bool (*)(const AssignedAnalyzer*, + const AssignedAnalyzer*)> conn_queue; + conn_queue expected_conns_queue; +}; + +} + +extern analyzer::Manager* analyzer_mgr; + +#endif diff --git a/src/analyzer/PluginComponent.cc b/src/analyzer/PluginComponent.cc new file mode 100644 index 0000000000..fed3ca225a --- /dev/null +++ b/src/analyzer/PluginComponent.cc @@ -0,0 +1,37 @@ + +#include "PluginComponent.h" + +#include "../Desc.h" + +using namespace analyzer; + +Tag::type_t PluginComponent::type_counter = 0; + +PluginComponent::PluginComponent(std::string arg_name, factory_callback arg_factory, bool arg_enabled, bool arg_partial) + : Component(plugin::component::ANALYZER) + { + name = arg_name; + factory = arg_factory; + enabled = arg_enabled; + partial = arg_partial; + + tag = analyzer::Tag(++type_counter, 0); + } + +PluginComponent::PluginComponent(std::string arg_name, Tag::subtype_t arg_stype, factory_callback arg_factory, bool arg_enabled, bool arg_partial) + : Component(plugin::component::ANALYZER) + { + name = arg_name; + factory = arg_factory; + enabled = arg_enabled; + partial = arg_partial; + + tag = analyzer::Tag(++type_counter, arg_stype); + } + +void PluginComponent::Describe(ODesc* d) + { + plugin::Component::Describe(d); + d->Add(name); + } + diff --git a/src/analyzer/PluginComponent.h b/src/analyzer/PluginComponent.h new file mode 100644 index 0000000000..6db5aaf994 --- /dev/null +++ b/src/analyzer/PluginComponent.h 
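Review bot: The first ExpectConnection declaration takes `Tag::Tag analyzer`, whereas the definition in Manager.cc takes `Tag analyzer`; `Tag::Tag` looks like a leftover from the old `AnalyzerTag::Tag` spelling and, because it names the injected class name, some compilers treat it as the constructor rather than the type — `TransportProto proto, Tag analyzer,` matches the definition. The comment on GetExpected reads `// Tag::::Error if none.`; `// Tag::ERROR if none.` names the constant actually returned. RegisterAnalyzerComponent is annotated `// Takes ownership.`, but the destructor in Manager.cc only deletes the per-port tag sets and never the components held in analyzers_by_name, so either the comment or the destructor should change. AssignedAnalyzer leaves `timeout`, `cookie` and `deleted` uninitialized and relies on ExpectConnection to set all three afterwards; initializing them in the constructor would make the `deleted` checks in the destructor and the expiry path safe for any future caller.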
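Review bot: The two PluginComponent constructors repeat the same four member assignments and differ only in the subtype handed to `analyzer::Tag`; routing the first through the second (a delegating constructor if this codebase builds as C++11, otherwise a small private init helper) keeps them from drifting apart. Constructing the tag here runs the Tag constructor in Tag.cc, which dereferences `analyzer_mgr`, so a PluginComponent must not be created before the analyzer Manager exists; a comment on the constructors stating that ordering requirement would spare plugin authors a crash at startup. `std::string arg_name` is taken by value and then copy-assigned; `const std::string&` or a member-initializer list avoids the extra copy.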
@@ -0,0 +1,51 @@ + +#ifndef ANALYZER_PLUGIN_COMPONENT_H +#define ANALYZER_PLUGIN_COMPONENT_H + +#include + +#include "../config.h" +#include "../util.h" + +#include "plugin/Component.h" +#include "Tag.h" + +class Connection; + +namespace analyzer { + +class Analyzer; + +// This can be copied by value. +class PluginComponent : public plugin::Component { +public: + typedef bool (*available_callback)(); + typedef Analyzer* (*factory_callback)(Connection* conn); + + PluginComponent(std::string name, factory_callback factory, bool enabled, bool partial); + PluginComponent(std::string name, Tag::subtype_t subtype, factory_callback factory, bool enabled, bool partial); + + std::string Name() const { return name; } + factory_callback Factory() const { return factory; } + bool Partial() const { return partial; } + bool Enabled() const { return enabled; } + analyzer::Tag Tag() const { return tag; } + + void SetEnabled(bool arg_enabled) { enabled = arg_enabled; } + + virtual void Describe(ODesc* d); + +private: + std::string name; + factory_callback factory; + bool partial; + + analyzer::Tag tag; + bool enabled; + + static analyzer::Tag::type_t type_counter; +}; + +} + +#endif diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc new file mode 100644 index 0000000000..fbf1bcd2b7 --- /dev/null +++ b/src/analyzer/Tag.cc 
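Review bot: The accessor `analyzer::Tag Tag() const` carries the same name as the type, so inside the class body `Tag` now resolves to the member function and every use of the type has to be spelled `analyzer::Tag` (the `Tag::subtype_t` parameter only compiles because it is declared before the accessor); a differently named accessor, or at least a comment explaining why the qualification is required, would make the header less fragile. `available_callback` is declared but not used anywhere in the new files in this diff. The class declares `virtual void Describe(ODesc* d)` but no destructor; that is only safe if plugin::Component has a virtual destructor, which this diff does not show — worth confirming or stating in a comment.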
@@ -0,0 +1,69 @@
+
+#include "Tag.h"
+#include "Manager.h"
+
+#include "../NetVar.h"
+
+using namespace analyzer;
+
+Tag Tag::ERROR;
+
+Tag::Tag(type_t arg_type, subtype_t arg_subtype)
+ {
+ assert(arg_type > 0);
+ type = arg_type;
+ subtype = arg_subtype;
+ int64_t i = (int64)(type) | ((int64)subtype << 31);
+
+ EnumType* etype = analyzer_mgr->GetTagEnumType();
+ Ref(etype);
+ val = new EnumVal(i, etype);
+ }
+
+Tag::Tag(EnumVal* arg_val)
+ {
+ assert(val);
+ val = arg_val;
+ Ref(val);
+
+ int64 i = val->InternalInt();
+ type = i & 0xffffffff;
+ subtype = (i >> 31) & 0xffffffff;
+ }
+
+Tag::Tag(const Tag& other) : type(other.type), subtype(other.subtype)
+ {
+ type = other.type;
+ subtype = other.subtype;
+ val = other.val;
+
+ if ( val )
+ Ref(val);
+ }
+
+Tag::Tag()
+ {
+ type = 0;
+ subtype = 0;
+ val = 0;
+ }
+
+EnumVal* Tag::Val()
+ {
+ if ( ! val )
+ {
+ assert(analyzer_mgr);
+ assert(type == 0 && subtype == 0);
+ EnumType* etype = analyzer_mgr->GetTagEnumType();
+ Ref(etype);
+ val = new EnumVal(0, etype);
+ }
+
+ return val;
+ }
+
+std::string Tag::AsString() const
+ {
+ return fmt("%" PRIu32 "/%" PRIu32, type, subtype);
+ }
+
diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h
new file mode 100644
index 0000000000..dab8563982
--- /dev/null
+++ b/src/analyzer/Tag.h
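Review bot: `Tag::Tag(EnumVal* arg_val)` opens with `assert(val);`, which tests the not-yet-assigned member rather than the argument; it should be `assert(arg_val);`. The encoder and decoder of type/subtype also disagree: the constructor shifts subtype by 31 while the EnumVal constructor masks type with 0xffffffff, so bit 31 is claimed by both fields and a tag round-tripped through an EnumVal with an odd subtype comes back with bit 31 set in `type` (type 1, subtype 1 encodes to 0x80000001 and decodes to type 0x80000001, subtype 1); if nothing else depends on the current encoding, shifting by 32 on both sides (`((int64)subtype << 32)` and `subtype = (i >> 32) & 0xffffffff;`) keeps the two 32-bit fields disjoint. The type_t/subtype_t constructor dereferences `analyzer_mgr` without the `assert(analyzer_mgr)` that Val() has, so building a Tag before the manager exists is a null dereference instead of a diagnosable assertion. The copy constructor both initializes `type` and `subtype` in its init list and reassigns them in the body; one of the two suffices.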
@@ -0,0 +1,59 @@ + +#ifndef ANALYZER_TAG_H +#define ANALYZER_TAG_H + +// Each kind of analyzer gets a tag consisting of a main type and subtype. +// The former is an identifier that's unique all analyzer classes. The latter +// is passed through analyzer instances, yet not further interpreted by the +// analyzer infrastructure; it allows an analyzer to branch out into a set of +// sub-analyzers internally. Jointly, main type and subtype form an analyzer +// "tag". Each unique tag corresponds to a single "analyzer" from the user's +// perspective. + +#include "config.h" +#include "util.h" + +class EnumVal; + +namespace analyzer { + +/// This has supports all operations to be used as a map index. +class Tag { +public: + typedef uint32 type_t; + typedef uint32 subtype_t; + + Tag(type_t type, subtype_t subtype = 0); + Tag(EnumVal* val); + Tag(const Tag& other); + Tag(); // Tag::ERROR value + + type_t Type() const { return type; } + subtype_t Subtype() const { return subtype; } + + // Returns an identifying integer for this tag that's guaranteed to + // be unique across all tags. + EnumVal* Val(); + + std::string AsString() const; + + operator bool() const { return *this != Tag(); } + bool operator==(const Tag& other) const { return type == other.type && subtype == other.subtype; } + bool operator!=(const Tag& other) const { return type != other.type || subtype != other.subtype; } + bool operator<(const Tag& other) const + { + return type != other.type ? type < other.type : (subtype < other.subtype); + } + + + static Tag ERROR; + +private: + type_t type; + subtype_t subtype; + EnumVal* val; +}; + +} + +#endif diff --git a/src/ayiya.pac b/src/ayiya.pac index 58fa196c15..ff0af4d47c 100644 --- a/src/ayiya.pac +++ b/src/ayiya.pac @@ -1,3 +1,4 @@ + %include binpac.pac %include bro.pac diff --git a/src/binpac_bro.h b/src/binpac_bro.h index dcdbe94f57..5f46d8f458 100644 --- a/src/binpac_bro.h +++ b/src/binpac_bro.h 
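Review bot: Tag holds a Ref'd `EnumVal* val` (every constructor in Tag.cc that sets it calls Ref) but declares neither a destructor nor a copy-assignment operator, so the implicit destructor never balances the Ref and the implicit assignment copies the pointer without taking one; the Tag members assigned in Manager and PluginComponent therefore end up with a reference count that no longer matches the number of holders. Declaring `~Tag();` and `Tag& operator=(const Tag& other);` next to the existing copy constructor, with the usual Ref/Unref balancing, would make the class follow the rule of three. The class comment `/// This has supports all operations to be used as a map index.` has a stray word; `/// Supports all operations needed to be used as a map index.` reads as intended.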
@@ -1,20 +1,24 @@ #ifndef binpac_bro_h #define binpac_bro_h -class Analyzer; +class Connection; class Val; class PortVal; +namespace analyzer { class Analyzer; } + #include "util.h" -#include "Analyzer.h" #include "Val.h" #include "event.bif.func_h" +#include "TunnelEncapsulation.h" +#include "analyzer/Analyzer.h" +#include "Conn.h" #include "binpac.h" namespace binpac { -typedef Analyzer* BroAnalyzer; +typedef analyzer::Analyzer* BroAnalyzer; typedef Val* BroVal; typedef PortVal* BroPortVal; typedef StringVal* BroStringVal; diff --git a/src/bro.bif b/src/bro.bif index ac54da0e75..4c88a7dd77 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -3353,14 +3353,14 @@ const char* conn_id_string(Val* c) ## .. bro:see:: skip_smtp_data function skip_http_entity_data%(c: connection, is_orig: bool%): any %{ - AnalyzerID id = mgr.CurrentAnalyzer(); + analyzer::ID id = mgr.CurrentAnalyzer(); if ( id ) { - Analyzer* ha = c->FindAnalyzer(id); + analyzer::Analyzer* ha = c->FindAnalyzer(id); if ( ha ) { - if ( ha->GetTag() == AnalyzerTag::HTTP ) + if ( ha->IsAnalyzer("HTTP") ) static_cast(ha)->SkipEntityData(is_orig); else reporter->Error("non-HTTP analyzer associated with connection record"); 
@@ -4074,36 +4074,9 @@ function file_mode%(mode: count%): string # =========================================================================== %%{ -#include "DPM.h" +#include "analyzer/Manager.h" %%} -## Schedules an analyzer for a future connection from a given IP address and -## port. The function ignores the scheduling request if the connection did -## not occur within the specified time interval. -## -## orig: The IP address originating a connection in the future. -## -## resp: The IP address responding to a connection from *orig*. -## -## resp_p: The destination port at *resp*. -## -## analyzer: The analyzer ID. -## -## tout: The timeout interval after which to ignore the scheduling request. -## -## Returns: True (unconditionally). -## -## .. bro:see:: disable_analyzer analyzer_name -## -## .. todo:: The return value should be changed to any. -function expect_connection%(orig: addr, resp: addr, resp_p: port, - analyzer: count, tout: interval%) : any - %{ - dpm->ExpectConnection(orig->AsAddr(), resp->AsAddr(), resp_p->Port(), - resp_p->PortType(), (AnalyzerTag::Tag) analyzer, tout, 0); - return new Val(1, TYPE_BOOL); - %} - ## Disables the analyzer which raised the current event (if the analyzer ## belongs to the given connection). ## @@ -4124,7 +4097,7 @@ function disable_analyzer%(cid: conn_id, aid: count%) : bool return new Val(0, TYPE_BOOL); } - Analyzer* a = c->FindAnalyzer(aid); + analyzer::Analyzer* a = c->FindAnalyzer(aid); if ( ! a ) { reporter->Error("connection does not have analyzer specified to disable"); 
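Review bot: The `expect_connection` BIF (and `analyzer_name` in the next hunk of this file) is removed without any pointer to its replacement, so scripts that scheduled analyzers for dynamically negotiated connections — presumably the FTP data-channel handling in the base scripts this commit also touches — fail to load until they are ported. The commit description or the remaining BIF documentation should name the new entry point, and the `.. bro:see::` line of `disable_analyzer` could carry a short note such as `## .. note:: expect_connection has been replaced; see the Analyzer framework.` so readers who land there find it. Remaining `.. bro:see:: expect_connection analyzer_name` cross-references elsewhere in this file will likewise need updating, or the generated documentation will have dangling links.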
@@ -4135,18 +4108,6 @@ function disable_analyzer%(cid: conn_id, aid: count%) : bool return new Val(1, TYPE_BOOL); %} -## Translate an analyzer type to an ASCII string. -## -## aid: The analyzer ID. -## -## Returns: The analyzer *aid* as string. -## -## .. bro:see:: expect_connection disable_analyzer current_analyzer -function analyzer_name%(aid: count%) : string - %{ - return new StringVal(Analyzer::GetTagName((AnalyzerTag::Tag) aid)); - %} - ## Informs Bro that it should skip any further processing of the contents of ## a given connection. In particular, Bro will refrain from reassembling the ## TCP byte stream and from generating events relating to any analyzers that @@ -4321,7 +4282,7 @@ function get_login_state%(cid: conn_id%): count if ( ! c ) return new Val(0, TYPE_BOOL); - Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login); + analyzer::Analyzer* la = c->FindAnalyzer("Login"); if ( ! la ) return new Val(0, TYPE_BOOL); @@ -4346,7 +4307,7 @@ function set_login_state%(cid: conn_id, new_state: count%): bool if ( ! c ) return new Val(0, TYPE_BOOL); - Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login); + analyzer::Analyzer* la = c->FindAnalyzer("Login"); if ( ! la ) return new Val(0, TYPE_BOOL); @@ -4377,7 +4338,7 @@ function get_orig_seq%(cid: conn_id%): count if ( c->ConnTransport() != TRANSPORT_TCP ) return new Val(0, TYPE_COUNT); - Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP); + analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) return new Val(static_cast(tc)->OrigSeq(), TYPE_COUNT); @@ -4407,7 +4368,7 @@ function get_resp_seq%(cid: conn_id%): count if ( c->ConnTransport() != TRANSPORT_TCP ) return new Val(0, TYPE_COUNT); - Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP); + analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) return new Val(static_cast(tc)->RespSeq(), TYPE_COUNT); 
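Review bot: In the get_login_state and set_login_state hunks the analyzer is now looked up by the string `"Login"`, while every other name in this file (`"TCP"`, `"SMTP"`, `"HTTP"`) and every DEFINE_ANALYZER name in BuiltinAnalyzers.cc is upper-case; if FindAnalyzer resolves names through the Manager's analyzers_by_name map, which RegisterAnalyzerComponent fills with the component's Name() exactly as given, a case mismatch makes both functions silently return false instead of failing loudly. Please confirm the registered spelling of the Login analyzer, or use `c->FindAnalyzer("LOGIN")` if it follows the convention of the others. The same check applies to the -4346 hunk below this one.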
@@ -4429,7 +4390,7 @@ function get_resp_seq%(cid: conn_id%): count ## .. bro:see:: skip_http_entity_data function skip_smtp_data%(c: connection%): any %{ - Analyzer* sa = c->FindAnalyzer(AnalyzerTag::SMTP); + analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); if ( sa ) static_cast(sa)->SkipData(); return 0; diff --git a/src/builtin-func.y b/src/builtin-func.y index 474f321ccd..b5d076a56e 100644 --- a/src/builtin-func.y +++ b/src/builtin-func.y @@ -197,11 +197,11 @@ char* concat(const char* str1, const char* str2) void print_event_c_prototype(FILE *fp, bool is_header) { if ( is_header ) - fprintf(fp, "%s void %s(Analyzer* analyzer%s", + fprintf(fp, "%s void %s(analyzer::Analyzer* analyzer%s", decl.generate_c_namespace_start.c_str(), decl.generate_bare_name.c_str(), args.size() ? ", " : "" ); else - fprintf(fp, "void %s(Analyzer* analyzer%s", + fprintf(fp, "void %s(analyzer::Analyzer* analyzer%s", decl.generate_c_fullname.c_str(), args.size() ? ", " : "" ); for ( int i = 0; i < (int) args.size(); ++i ) diff --git a/src/event.bif b/src/event.bif index 393021024a..dd7ab3c1d6 100644 --- a/src/event.bif +++ b/src/event.bif @@ -841,8 +841,8 @@ event gap_report%(dt: interval, info: gap_info%); ## c: The connection. ## ## atype: The type of the analyzer confirming that its protocol is in -## use. The value is one of the ``ANALYZER_*`` constants. For example, -## ``ANALYZER_HTTP`` means the HTTP analyzers determined that it's indeed +## use. The value is one of the ``Analyzer::ANALYZER_*`` constants. For example, +## ``Analyzer::ANALYZER_HTTP`` means the HTTP analyzer determined that it's indeed ## parsing an HTTP connection. ## ## aid: A unique integer ID identifying the specific *instance* of the 
@@ -857,7 +857,7 @@ event gap_report%(dt: interval, info: gap_info%); ## Bro's default scripts use this event to determine the ``service`` column ## of :bro:type:`Conn::Info`: once confirmed, the protocol will be listed ## there (and thus in ``conn.log``). -event protocol_confirmation%(c: connection, atype: count, aid: count%); +event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%); ## Generated when a protocol analyzer determines that a connection it is parsing ## is not conforming to the protocol it expects. Bro's dynamic protocol @@ -869,8 +869,8 @@ event protocol_confirmation%(c: connection, atype: count, aid: count%); ## c: The connection. ## ## atype: The type of the analyzer confirming that its protocol is in -## use. The value is one of the ``ANALYZER_*`` constants. For example, -## ``ANALYZER_HTTP`` means the HTTP analyzers determined that it's indeed +## use. The value is one of the ``Analyzer::ANALYZER_*`` constants. For example, +## ``Analyzer::ANALYZER_HTTP`` means the HTTP analyzer determined that it's indeed ## parsing an HTTP connection. ## ## aid: A unique integer ID identifying the specific *instance* of the @@ -888,7 +888,7 @@ event protocol_confirmation%(c: connection, atype: count, aid: count%); ## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's ## however a script-level decision and not done automatically by the event ## engine. -event protocol_violation%(c: connection, atype: count, aid: count, reason: string%); +event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%); ## Generated for each packet sent by a UDP flow's originator. This a potentially ## expensive event due to the volume of UDP traffic and should be used with 
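Review bot: Changing `atype` from `count` to `Analyzer::Tag` in `protocol_confirmation` (`@@ -857`) and `protocol_violation` (`@@ -888`) is a script-visible signature change: any user handler declared with `atype: count` will fail to load, and scripts that compared `atype` numerically or passed it to the removed `analyzer_name` need updating, which deserves a line in the event docs or release notes. The rewritten doc lines in `@@ -869` also keep the copy-pasted wording "the analyzer confirming that its protocol is in use" for `protocol_violation`, where the analyzer is reporting that the protocol is not in use; suggest `## atype: The type of the analyzer that detected the violation. The value is one of the ``Analyzer::ANALYZER_*`` constants.`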
@@ -1389,8 +1389,8 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%); ## TODO. @@ -1636,8 +1636,8 @@ event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event finger_request%(c: connection, full: bool, username: string, hostname: string%); ## Generated for Finger replies. @@ -1653,8 +1653,8 @@ event finger_request%(c: connection, full: bool, username: string, hostname: str ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event finger_reply%(c: connection, reply_line: string%); 
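Review bot: The reworded todo in `@@ -1389` drops the `:bro:see:` cross-reference to `dpd_config` and replaces it with "register a port for it" without naming the function or framework that now performs the registration, so a reader of the generated docs has no link to follow; the identical replacement text recurs in every hunk from `@@ -1636` through `@@ -3025` on the following lines, so this applies to all of them. Suggest naming the mechanism with a role, e.g. `## register a port for it via :bro:see:`<port registration function>` or add a DPD payload signature.` where the placeholder is the actual BIF or framework function. Given that the same paragraph is hand-maintained in roughly forty places, an RST substitution or include for this boilerplate would keep future rewordings consistent.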
@@ -1669,8 +1669,8 @@ event finger_reply%(c: connection, reply_line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_text_msg%(c: connection, orig: bool, headers: string%); ## TODO. @@ -1683,8 +1683,8 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, @@ -1700,8 +1700,8 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_partial_binary_msg%(c: connection, orig: bool, msg: string, len: count%); 
@@ -1715,8 +1715,8 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_establish%(c: connection%); ## TODO. @@ -1729,8 +1729,8 @@ event gnutella_establish%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_not_establish%(c: connection%); ## TODO. @@ -1743,8 +1743,8 @@ event gnutella_not_establish%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_http_notify%(c: connection%); ## Generated for Ident requests. 
@@ -1762,8 +1762,8 @@ event gnutella_http_notify%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ident_request%(c: connection, lport: port, rport: port%); ## Generated for Ident replies. @@ -1785,8 +1785,8 @@ event ident_request%(c: connection, lport: port, rport: port%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%); ## Generated for Ident error replies. @@ -1806,8 +1806,8 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ident_error%(c: connection, lport: port, rport: port, line: string%); ## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects 
@@ -1840,8 +1840,8 @@ event ident_error%(c: connection, lport: port, rport: port, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); ## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects @@ -1874,8 +1874,8 @@ event login_failure%(c: connection, user: string, client_user: string, password: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); ## Generated for lines of input on Telnet/Rlogin sessions. The line will have 
@@ -1890,8 +1890,8 @@ event login_success%(c: connection, user: string, client_user: string, password: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_input_line%(c: connection, line: string%); ## Generated for lines of output on Telnet/Rlogin sessions. The line will have @@ -1906,8 +1906,8 @@ event login_input_line%(c: connection, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_output_line%(c: connection, line: string%); ## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's @@ -1932,8 +1932,8 @@ event login_output_line%(c: connection, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_confused%(c: connection, msg: string, line: string%); ## Generated after getting confused while tracking a Telnet/Rlogin 
@@ -1952,8 +1952,8 @@ event login_confused%(c: connection, msg: string, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_confused_text%(c: connection, line: string%); ## Generated for clients transmitting a terminal type in a Telnet session. This @@ -1968,8 +1968,8 @@ event login_confused_text%(c: connection, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_terminal%(c: connection, terminal: string%); ## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This @@ -1984,8 +1984,8 @@ event login_terminal%(c: connection, terminal: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_display%(c: connection, display: string%); ## Generated when a Telnet authentication has been successful. The Telnet 
@@ -2008,8 +2008,8 @@ event login_display%(c: connection, display: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event authentication_accepted%(name: string, c: connection%); ## Generated when a Telnet authentication has been unsuccessful. The Telnet @@ -2032,8 +2032,8 @@ event authentication_accepted%(name: string, c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event authentication_rejected%(name: string, c: connection%); ## Generated for Telnet/Rlogin sessions when a pattern match indicates @@ -2055,8 +2055,8 @@ event authentication_rejected%(name: string, c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event authentication_skipped%(c: connection%); ## Generated for clients transmitting a terminal prompt in a Telnet session. 
@@ -2075,8 +2075,8 @@ event authentication_skipped%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_prompt%(c: connection, prompt: string%); ## Generated for Telnet sessions when encryption is activated. The Telnet @@ -2126,8 +2126,8 @@ event inconsistent_option%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event bad_option%(c: connection%); ## Generated for a Telnet option that's incorrectly terminated. @@ -2144,8 +2144,8 @@ event bad_option%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event bad_option_termination%(c: connection%); ## Generated for client side commands on an RSH connection. 
@@ -2174,8 +2174,8 @@ event bad_option_termination%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%); ## Generated for client side commands on an RSH connection. @@ -2202,8 +2202,8 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%); ## Generated for client-side FTP commands. 
@@ -2569,8 +2569,8 @@ event mime_content_hash%(c: connection, content_len: count, hash_value: string%) ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); ## Generated for RPC *call* messages. @@ -2595,8 +2595,8 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); ## Generated for RPC *reply* messages. 
@@ -2618,8 +2618,8 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); ## Generated for Portmapper requests of type *null*. @@ -2637,8 +2637,8 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_null%(r: connection%); ## Generated for Portmapper request/reply dialogues of type *set*. @@ -2662,8 +2662,8 @@ event pm_request_null%(r: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_set%(r: connection, m: pm_mapping, success: bool%); ## Generated for Portmapper request/reply dialogues of type *unset*. 
@@ -2687,8 +2687,8 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## Generated for Portmapper request/reply dialogues of type *getport*. @@ -2710,8 +2710,8 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); ## Generated for Portmapper request/reply dialogues of type *dump*. 
@@ -2731,8 +2731,8 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_dump%(r: connection, m: pm_mappings%); ## Generated for Portmapper request/reply dialogues of type *callit*. @@ -2754,8 +2754,8 @@ event pm_request_dump%(r: connection, m: pm_mappings%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); ## Generated for failed Portmapper requests of type *null*. @@ -2776,8 +2776,8 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_null%(r: connection, status: rpc_status%); ## Generated for failed Portmapper requests of type *set*. 
@@ -2800,8 +2800,8 @@ event pm_attempt_null%(r: connection, status: rpc_status%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); ## Generated for failed Portmapper requests of type *unset*. @@ -2824,8 +2824,8 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); ## Generated for failed Portmapper requests of type *getport*. 
@@ -2848,8 +2848,8 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%); ## Generated for failed Portmapper requests of type *dump*. @@ -2870,8 +2870,8 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_dump%(r: connection, status: rpc_status%); ## Generated for failed Portmapper requests of type *callit*. 
@@ -2894,8 +2894,8 @@ event pm_attempt_dump%(r: connection, status: rpc_status%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); ## Generated for Portmapper requests or replies that include an invalid port @@ -2918,8 +2918,8 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_bad_port%(r: connection, bad_p: count%); ## Generated for NFSv3 request/reply dialogues of type *null*. The event is 
@@ -2941,8 +2941,8 @@ event pm_bad_port%(r: connection, bad_p: count%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is
@@ -2969,8 +2969,8 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is
@@ -2997,8 +2997,8 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *read*. The event is
@@ -3025,8 +3025,8 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is
@@ -3053,8 +3053,8 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *write*. The event is
@@ -3082,8 +3082,8 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *create*. The event is
@@ -3110,8 +3110,8 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t,
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is
@@ -3138,8 +3138,8 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *remove*. The event is
@@ -3166,8 +3166,8 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is
@@ -3194,8 +3194,8 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is
@@ -3222,8 +3222,8 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3
@@ -3245,8 +3245,8 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
 
 ## Generated for each NFSv3 reply message received, reporting just the
@@ -3263,8 +3263,8 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 
 ## Generated for all NTP messages. Different from many other of Bro's events,
@@ -3284,8 +3284,8 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
 
 ## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
@@ -3316,8 +3316,8 @@ event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
 
 ## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
@@ -3344,8 +3344,8 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_request%(c: connection, msg: string%);
 
 ## Generated for NetBIOS messages of type *positive session response*. Bro's
@@ -3372,8 +3372,8 @@ event netbios_session_request%(c: connection, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_accepted%(c: connection, msg: string%);
 
 ## Generated for NetBIOS messages of type *negative session response*. Bro's
@@ -3400,8 +3400,8 @@ event netbios_session_accepted%(c: connection, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_rejected%(c: connection, msg: string%);
 
 ## Generated for NetBIOS messages of type *session message* that are not
@@ -3435,8 +3435,8 @@ event netbios_session_rejected%(c: connection, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 
 ## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
@@ -3465,8 +3465,8 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 
 ## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
@@ -3493,8 +3493,8 @@ event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_keepalive%(c: connection, msg: string%);
 
 ## Generated for all SMB/CIFS messages.
@@ -3526,8 +3526,8 @@ event netbios_session_keepalive%(c: connection, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%);
 
 ## Generated for SMB/CIFS messages of type *tree connect andx*.
@@ -3553,8 +3553,8 @@ event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%);
 
 ## Generated for SMB/CIFS messages of type *tree disconnect*.
@@ -3576,8 +3576,8 @@ event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, serv
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *nt create andx*.
@@ -3601,8 +3601,8 @@ event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
 
 ## Generated for SMB/CIFS messages of type *nt transaction*.
@@ -3630,8 +3630,8 @@ event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
 
 ## Generated for SMB/CIFS messages of type *nt transaction 2*.
@@ -3659,8 +3659,8 @@ event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data:
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
 
 ## Generated for SMB/CIFS messages of type *transaction mailslot*.
@@ -3688,8 +3688,8 @@ event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data:
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
 
 ## Generated for SMB/CIFS messages of type *transaction rap*.
@@ -3717,8 +3717,8 @@ event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, dat
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
 
 ## Generated for SMB/CIFS messages of type *transaction pipe*.
@@ -3746,8 +3746,8 @@ event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: sm
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
 
 ## Generated for SMB/CIFS messages of type *read andx*.
@@ -3771,8 +3771,8 @@ event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: s
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
 
 ## Generated for SMB/CIFS messages of type *read andx*.
@@ -3796,8 +3796,8 @@ event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
 
 ## Generated for SMB/CIFS messages of type *get dfs referral*.
@@ -3824,8 +3824,8 @@ event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%);
 
 ## Generated for SMB/CIFS messages of type *negotiate*.
@@ -3846,8 +3846,8 @@ event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: cou
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *negotiate response*.
@@ -3870,8 +3870,8 @@ event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%);
 
 ## Generated for SMB/CIFS messages of type *setup andx*.
@@ -3893,8 +3893,8 @@ event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: co
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *generic andx*.
@@ -3916,8 +3916,8 @@ event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *close*.
@@ -3939,8 +3939,8 @@ event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_close%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *logoff andx*.
@@ -3962,8 +3962,8 @@ event smb_com_close%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages that indicate an error. This event is
@@ -3988,8 +3988,8 @@ event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%);
 
 ## Generated for all DNS messages.
@@ -4500,8 +4500,8 @@ event dns_end%(c: connection, msg: dns_msg%) &group="dns";
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
 
 ## Generated for DHCP messages of type *offer*.
@@ -4535,8 +4535,8 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
 
 ## Generated for DHCP messages of type *request*.
@@ -4566,8 +4566,8 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%);
 
 ## Generated for DHCP messages of type *decline*.
@@ -4593,8 +4593,8 @@ event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: add
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_decline%(c: connection, msg: dhcp_msg%);
 
 ## Generated for DHCP messages of type *acknowledgment*.
@@ -4628,8 +4628,8 @@ event dhcp_decline%(c: connection, msg: dhcp_msg%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
 
 ## Generated for DHCP messages of type *negative acknowledgment*.
@@ -4655,8 +4655,8 @@ event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_li
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_nak%(c: connection, msg: dhcp_msg%);
 
 ## Generated for DHCP messages of type *release*.
@@ -4682,8 +4682,8 @@ event dhcp_nak%(c: connection, msg: dhcp_msg%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_release%(c: connection, msg: dhcp_msg%);
 
 ## Generated for DHCP messages of type *inform*.
@@ -4709,8 +4709,8 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dhcp_inform%(c: connection, msg: dhcp_msg%); ## Generated for HTTP requests. Bro supports persistent and pipelined HTTP @@ -5186,8 +5186,8 @@ event x509_error%(c: connection, is_orig: bool, err: count%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%); ## TODO. @@ -5197,8 +5197,8 @@ event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_bind%(c: connection, uuid: string%); ## TODO. 
@@ -5208,8 +5208,8 @@ event dce_rpc_bind%(c: connection, uuid: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_request%(c: connection, opnum: count, stub: string%); ## TODO. @@ -5219,8 +5219,8 @@ event dce_rpc_request%(c: connection, opnum: count, stub: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_response%(c: connection, opnum: count, stub: string%); ## TODO. @@ -5230,8 +5230,8 @@ event dce_rpc_response%(c: connection, opnum: count, stub: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); ## Generated for NCP requests (Netware Core Protocol). 
@@ -5251,8 +5251,8 @@ event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ncp_request%(c: connection, frame_type: count, length: count, func: count%); ## Generated for NCP replies (Netware Core Protocol). @@ -5276,8 +5276,8 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count% ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%); ## Generated for client-side commands on POP3 connections. 
@@ -5299,8 +5299,8 @@ event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: cou ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_request%(c: connection, is_orig: bool, command: string, arg: string%); @@ -5326,8 +5326,8 @@ event pop3_request%(c: connection, is_orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); ## Generated for server-side multi-line responses on POP3 connections. POP3 @@ -5349,8 +5349,8 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_data%(c: connection, is_orig: bool, data: string%); ## Generated for errors encountered on POP3 sessions. If the POP3 analyzer 
@@ -5373,8 +5373,8 @@ event pop3_data%(c: connection, is_orig: bool, data: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); @@ -5400,8 +5400,8 @@ event pop3_unexpected%(c: connection, is_orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_terminate%(c: connection, is_orig: bool, msg: string%); ## Generated for successful authentications on POP3 connections. @@ -5423,8 +5423,8 @@ event pop3_terminate%(c: connection, is_orig: bool, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_login_success%(c: connection, is_orig: bool, user: string, password: string%); 
@@ -5447,8 +5447,8 @@ event pop3_login_success%(c: connection, is_orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_login_failure%(c: connection, is_orig: bool, user: string, password: string%); diff --git a/src/main.cc b/src/main.cc index 2232180c5e..08756c1bf3 100644 --- a/src/main.cc +++ b/src/main.cc @@ -49,7 +49,6 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "PersistenceSerializer.h" #include "EventRegistry.h" #include "Stats.h" -#include "DPM.h" #include "BroDoc.h" #include "Brofiler.h" @@ -57,6 +56,9 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "input/Manager.h" #include "logging/Manager.h" #include "logging/writers/Ascii.h" +#include "analyzer/BuiltinAnalyzers.h" +#include "analyzer/Manager.h" +#include "plugin/Manager.h" #include "binpac_bro.h" @@ -86,6 +88,8 @@ TimerMgr* timer_mgr; logging::Manager* log_mgr = 0; threading::Manager* thread_mgr = 0; input::Manager* input_mgr = 0; +plugin::Manager* plugin_mgr = 0; +analyzer::Manager* analyzer_mgr = 0; Stmt* stmts; EventHandlerPtr net_done = 0; RuleMatcher* rule_matcher = 0; @@ -99,7 +103,6 @@ ProfileLogger* profiling_logger = 0; ProfileLogger* segment_logger = 0; SampleLogger* sample_logger = 0; int signal_val = 0; -DPM* dpm = 0; int optimize = 0; int do_notice_analysis = 0; int rule_bench = 0; 
@@ -176,6 +179,7 @@ void usage() fprintf(stderr, " -I|--print-id | print out given ID\n"); fprintf(stderr, " -K|--md5-hashkey | set key for MD5-keyed hashing\n"); fprintf(stderr, " -L|--rule-benchmark | benchmark for rules\n"); + fprintf(stderr, " -N|--print-plugins | print all available plugins and exit\n"); fprintf(stderr, " -O|--optimize | optimize policy script\n"); fprintf(stderr, " -P|--prime-dns | prime DNS\n"); fprintf(stderr, " -R|--replay | replay events\n"); @@ -233,6 +237,27 @@ void usage() exit(1); } +void show_plugins() + { + plugin::Manager::plugin_list plugins = plugin_mgr->Plugins(); + + if ( ! plugins.size() ) + { + printf("No plugins registered, not even any built-ins. This is probably a bug.\n"); + return; + } + + ODesc d; + + for ( plugin::Manager::plugin_list::const_iterator i = plugins.begin(); i != plugins.end(); i++ ) + { + (*i)->Describe(&d); + d.NL(); + } + + printf("%s", d.Description()); + } + void done_with_network() { set_processing_status("TERMINATING", "done_with_network"); @@ -262,7 +287,7 @@ void done_with_network() terminating = true; - dpm->Done(); + analyzer_mgr->Done(); timer_mgr->Expire(); dns_mgr->Flush(); mgr.Drain(); @@ -324,6 +349,8 @@ void terminate_bro() mgr.Drain(); + plugin_mgr->FinishPlugins(); + delete timer_mgr; delete dns_mgr; delete persistence_serializer; @@ -333,8 +360,9 @@ void terminate_bro() delete event_registry; delete secondary_path; delete remote_serializer; - delete dpm; + delete analyzer_mgr; delete log_mgr; + delete plugin_mgr; delete thread_mgr; delete reporter; @@ -412,6 +440,7 @@ int main(int argc, char** argv) int override_ignore_checksums = 0; int rule_debug = 0; int RE_level = 4; + int print_plugins = 0; static struct option long_opts[] = { {"bare-mode", no_argument, 0, 'b'}, 
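Review bot: In terminate_bro (hunks @@ -324 and @@ -333), `plugin_mgr->FinishPlugins();` runs before `delete analyzer_mgr;`, and FinishPlugins deletes every plugin, which in turn (Plugin::Done in this commit's Plugin.cc) deletes each plugin's components. If analyzer::Manager keeps raw pointers to the analyzer components it obtained through the plugin manager, those pointers dangle while the manager is torn down — analyzer::Manager is not visible here, so please confirm; otherwise move `delete analyzer_mgr;` ahead of the FinishPlugins call. Whichever order is right, it is an invariant worth stating at the call site, e.g. `// Plugins own their components; nothing torn down after this may still reference them.`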
@@ -440,6 +469,7 @@ int main(int argc, char** argv) {"set-seed", required_argument, 0, 'J'}, {"md5-hashkey", required_argument, 0, 'K'}, {"rule-benchmark", no_argument, 0, 'L'}, + {"print-plugins", no_argument, 0, 'N'}, {"optimize", no_argument, 0, 'O'}, {"prime-dns", no_argument, 0, 'P'}, {"replay", required_argument, 0, 'R'}, @@ -494,7 +524,7 @@ int main(int argc, char** argv) opterr = 0; char opts[256]; - safe_strncpy(opts, "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGLOPSWbdghvZ", + safe_strncpy(opts, "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGLNOPSWbdghvZ", sizeof(opts)); #ifdef USE_PERFTOOLS_DEBUG @@ -609,6 +639,10 @@ int main(int argc, char** argv) ++rule_bench; break; + case 'N': + print_plugins = 1; + break; + case 'O': optimize = 1; break; @@ -764,6 +798,8 @@ int main(int argc, char** argv) add_input_file(argv[optind++]); } + push_scope(0); + dns_mgr = new DNS_Mgr(dns_type); // It would nice if this were configurable. This is similar to the @@ -774,19 +810,28 @@ int main(int argc, char** argv) persistence_serializer = new PersistenceSerializer(); remote_serializer = new RemoteSerializer(); event_registry = new EventRegistry(); + + analyzer_mgr = new analyzer::Manager(); log_mgr = new logging::Manager(); - input_mgr = new input::Manager(); + input_mgr = new input::Manager(); + plugin_mgr = new plugin::Manager(); + + plugin_mgr->RegisterPlugin(new analyzer::BuiltinAnalyzers()); + plugin_mgr->InitPlugins(); + + if ( print_plugins ) + { + show_plugins(); + exit(1); + } + + analyzer_mgr->Init(); if ( events_file ) event_player = new EventPlayer(events_file); init_event_handlers(); - push_scope(0); - - dpm = new DPM; - dpm->PreScriptInit(); - // The leak-checker tends to produce some false // positives (memory which had already been // allocated before we start the checking is 
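Review bot: In hunk @@ -774 the `--print-plugins` path calls `show_plugins()` and then `exit(1)`, so a successful informational run reports failure to the shell and to any wrapper that checks the status; `exit(0);` is the conventional result here (usage() exits with 1 because it is the error path). The listing is also produced before `analyzer_mgr->Init()`, so it reflects only what plugins registered during `InitPlugins()`; if that is intended, a one-line comment above the `if ( print_plugins )` block would prevent someone "fixing" the order later. The rest of main() lies outside these hunks.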
@@ -1045,12 +1090,12 @@ int main(int argc, char** argv) mgr.QueueEvent(bro_script_loaded, vl); } - dpm->PostScriptInit(); - reporter->ReportViaEvents(true); mgr.Drain(); + analyzer_mgr->DumpDebug(); + have_pending_timers = ! reading_traces && timer_mgr->Size() > 0; io_sources.Register(thread_mgr, true); diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc new file mode 100644 index 0000000000..c4276ca1ff --- /dev/null +++ b/src/plugin/Component.cc @@ -0,0 +1,47 @@ + +#include "Component.h" + +#include "../Desc.h" +#include "../Reporter.h" + +using namespace plugin; + +Component::Component(component::Type arg_type) + { + type = arg_type; + } + +Component::~Component() + { + } + +component::Type Component::Type() const + { + return type; + } + +void Component::Describe(ODesc* d) + { + d->Add(" "); + d->Add("["); + + switch ( type ) { + case component::READER: + d->Add("Reader"); + break; + + case component::WRITER: + d->Add("Writer"); + break; + + case component::ANALYZER: + d->Add("Analyzer"); + break; + + default: + reporter->InternalError("unknown component type in plugin::Component::Describe"); + } + + d->Add("]"); + d->Add(" "); + } diff --git a/src/plugin/Component.h b/src/plugin/Component.h new file mode 100644 index 0000000000..09357effd2 --- /dev/null +++ b/src/plugin/Component.h @@ -0,0 +1,37 @@ + +#ifndef PLUGIN_COMPONENT_H +#define PLUGIN_COMPONENT_H + +class ODesc; + +namespace plugin { + +namespace component { + enum Type { + READER, + WRITER, + ANALYZER + }; +} + +namespace input { class PluginComponent; } +namespace logging { class PluginComponent; } +namespace analyzer { class PluginComponent; } + +class Component +{ +public: + Component(component::Type type); + virtual ~Component(); + + component::Type Type() const; + + virtual void Describe(ODesc* d); + +private: + component::Type type; +}; + +} + +#endif diff --git a/src/plugin/DummyPlugin.cc b/src/plugin/DummyPlugin.cc new file mode 100644 index 0000000000..8a7889c682 --- /dev/null 
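Review bot: In the main.cc hunk, `analyzer_mgr->DumpDebug();` is now called unconditionally on every startup after `mgr.Drain()`; if it emits anything in non-debug builds that is noise on stdout/stderr for production runs, so it should be gated (`#ifdef DEBUG` or a command-line flag) or, if it is already a no-op outside debug builds, a short comment saying so would help. The enclosing main() starts and ends outside this hunk.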
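Review bot: In the Component.h hunk, the forward declarations `namespace input { class PluginComponent; }` (and the logging/analyzer ones) sit inside `namespace plugin`, so they declare `plugin::input::PluginComponent` rather than the top-level `input::PluginComponent` that the rest of the tree appears to use (main.cc in this same commit refers to `input::Manager` at global scope); they should either move outside `namespace plugin` or be dropped, since nothing in this header uses them. The single-argument constructor `Component(component::Type type);` should be `explicit Component(component::Type type);` so an enumerator cannot silently convert to a Component. The class also carries no documentation; a one-liner such as `/** Base class for the components (readers, writers, analyzers) a plugin provides. */` would suffice.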
+++ b/src/plugin/DummyPlugin.cc @@ -0,0 +1,28 @@ + +#include "Plugin.h" + +class DummyPlugin { +public: + virtual void Init() + { + plugin::Description desc; + desc.name = "Dummy"; + desc.description = "My little dummy plugin"; + desc.version = 2; + desc.url = "http://dummy.bro.org"; + SetDescription(desc); + + analyzer::PluginComponent dummy("DUMMY", "Analyzer::DUMMY", dummy::Instantiate, dummy::Available, 0, false); + AddComponent(dummy); + } + +Plugin* bro_plugin() + { + return new DummyPlugin(); + } + + + + + + diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc new file mode 100644 index 0000000000..62440c0039 --- /dev/null +++ b/src/plugin/Manager.cc 
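Review bot: DummyPlugin.cc does not compile as written: `class DummyPlugin` derives from nothing yet calls `SetDescription()`/`AddComponent()`, the class body is never closed before `Plugin* bro_plugin()`, `Plugin` is used unqualified outside `namespace plugin`, and `dummy::Instantiate`/`dummy::Available` are not declared anywhere in this patch. Presumably the file is not listed in CMakeLists.txt (the later src/CMakeLists.txt hunk mentions plugin/Plugin.cc only), so this is a sketch; it should either be finished as a real example — `class DummyPlugin : public plugin::Plugin {`, close the class, and a `// TODO: instantiate/available hooks not yet defined` on the component line — or kept out of the tree until then, because an uncompilable file under src/ is easy to pick up by accident.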
@@ -0,0 +1,81 @@ + +#include "Manager.h" + +#include "../Reporter.h" + +using namespace plugin; + +Manager::Manager() + { + init = false; + } + +Manager::~Manager() + { + assert(! init); + } + +bool Manager::LoadPlugin(const std::string& path) + { + assert(! init); + reporter->InternalError("plugin::Manager::LoadPlugin not yet implemented"); + return false; + } + +bool Manager::LoadPluginsFrom(const std::string& dir) + { + assert(! init); + reporter->InternalError("plugin::Manager::LoadPluginsFrom not yet implemented"); + return false; + } + +bool Manager::RegisterPlugin(Plugin *plugin) + { + assert(! init); + + plugin::Description desc = plugin->GetDescription(); + + if ( desc.version != plugin::API_BUILTIN ) + { + if ( desc.api_version == API_ERROR ) + reporter->InternalError("API version of plugin %s not initialized", desc.name.c_str()); + + if ( desc.api_version != API_VERSION ) + reporter->FatalError("API version mismatch for plugin %s: expected %d, but have %d", + desc.name.c_str(), API_VERSION, desc.version); + } + + plugins.push_back(plugin); + return true; + } + +void Manager::InitPlugins() + { + assert(! init); + + for ( plugin_list::iterator i = plugins.begin(); i != plugins.end(); i++ ) + (*i)->Init(); + + init = true; + } + +void Manager::FinishPlugins() + { + assert(init); + + for ( plugin_list::iterator i = plugins.begin(); i != plugins.end(); i++ ) + { + (*i)->Done(); + delete *i; + } + + plugins.clear(); + + init = false; + } + +Manager::plugin_list Manager::Plugins() const + { + return plugins; +} + diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h new file mode 100644 index 0000000000..26f07dc944 --- /dev/null +++ b/src/plugin/Manager.h 
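Review bot: In `RegisterPlugin`, the FatalError for an API mismatch prints `desc.version` as the "have" value while the comparison is on `desc.api_version`, so the message reports the plugin's own version instead of the API version it was built against; the call should end `desc.name.c_str(), API_VERSION, desc.api_version);`. The `desc.api_version == API_ERROR` branch can never fire for a Description built through its constructor, which sets `api_version = API_VERSION` (Plugin.cc in this patch), so either the constructor should start from `API_ERROR` and let the plugin's build set it, or the check is dead code. `LoadPlugin`/`LoadPluginsFrom` are stubs for now; when they are implemented, loading a shared object from a path means running that code with Bro's privileges, so the search location should be fixed and not writable by unprivileged users, and each loaded plugin should be logged — a `// TODO` stating that constraint next to the stubs would keep it from being forgotten.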
@@ -0,0 +1,87 @@ + +#ifndef PLUGIN_MANAGER_H +#define PLUGIN_MANAGER_H + +#include "Plugin.h" +#include "Component.h" + +#include "../Reporter.h" + +namespace plugin { + +class Manager +{ +public: + typedef std::list plugin_list; + typedef Plugin::component_list component_list; + + Manager(); + ~Manager(); + + /** + */ + bool LoadPlugin(const std::string& file); + + /** + * + */ + bool LoadPluginsFrom(const std::string& dir); + + /** + * + * @param plugin: The plugin to register. The method takes ownership. + */ + bool RegisterPlugin(Plugin *plugin); // Takes ownership. + + /** + * + */ + void InitPlugins(); + + /** + * + */ + void FinishPlugins(); + + /** + * + */ + plugin_list Plugins() const; + + /** + * + */ + template + std::list Components(component::Type type) const; + +private: + bool init; + plugin_list plugins; +}; + +template +std::list Manager::Components(component::Type type) const + { + std::list result; + + for ( plugin_list::const_iterator p = plugins.begin(); p != plugins.end(); p++ ) + { + component_list components = (*p)->Components(); + + for ( component_list::const_iterator c = components.begin(); c != components.end(); c++ ) + { + T* t = dynamic_cast(*c); + + if ( t ) + result.push_back(t); + } + } + + return result; + } + +} + +extern plugin::Manager* plugin_mgr; + +#endif diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc new file mode 100644 index 0000000000..e5a09e0dcc --- /dev/null +++ b/src/plugin/Plugin.cc 
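Review bot: Every doc comment in the Manager.h hunk is an empty `/** */` block, so the header says nothing about lifetime or call order; at minimum document that `RegisterPlugin` takes ownership (the trailing `// Takes ownership.` duplicates the @param line — keep one), that `InitPlugins()` must be called exactly once after all plugins are registered and before `Plugins()`/`Components()` are used (the `assert(! init)`/`assert(init)` pairs in Manager.cc encode exactly this), and that `FinishPlugins()` calls `Done()` on and deletes every plugin. For the template, `/** Returns all components of type T provided by any registered plugin, selected by dynamic_cast; the Manager retains ownership. */`. `#include "../Reporter.h"` is not used by anything in this header and can live in Manager.cc alone, which already includes it.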
@@ -0,0 +1,94 @@ + +#include + +#include "Plugin.h" +#include "Component.h" + +#include "../Desc.h" + +using namespace plugin; + +Description::Description() + { + name = ""; + api_version = API_VERSION; + } + +Plugin::Plugin() + { + } + +Description Plugin::GetDescription() const + { + return description; + } + +void Plugin::SetDescription(Description& desc) + { + description = desc; + } + +Plugin::~Plugin() + { + Done(); + } + +void Plugin::Init() + { + } + +void Plugin::Done() + { + for ( component_list::const_iterator i = components.begin(); i != components.end(); i++ ) + delete *i; + + components.clear(); + } + +Plugin::component_list Plugin::Components() + { + return components; + } + +void Plugin::AddComponent(Component* c) + { + components.push_back(c); + } + +void Plugin::Describe(ODesc* d) + { + d->Add("Plugin: "); + d->Add(description.name); + + if ( description.description.size() ) + { + d->Add(" - "); + d->Add(description.description); + } + + if ( description.version != API_BUILTIN ) + { + d->Add(" (version "); + d->Add(description.version); + + if ( description.url.size() ) + { + d->Add(", from "); + d->Add(description.url); + } + + d->Add(")"); + } + + else + d->Add(" (built-in)"); + + d->NL(); + + for ( component_list::const_iterator i = components.begin(); i != components.end(); i++ ) + { + (*i)->Describe(d); + d->NL(); + } + } + diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h new file mode 100644 index 0000000000..f62b81772f --- /dev/null +++ b/src/plugin/Plugin.h 
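Review bot: `Description::Description()` initialises `name` and `api_version` but leaves `version` indeterminate, and both `Manager::RegisterPlugin` (`desc.version != API_BUILTIN`) and `Plugin::Describe` branch on it, so a plugin that never assigns `version` takes an arbitrary path; initialise it, e.g. `version = 0;` (or whichever sentinel is meant to mark "unset"). `Plugin::~Plugin()` calling `Done()` only ever reaches `Plugin::Done`, never a derived override, because virtual dispatch is off inside a destructor; since `Manager::FinishPlugins` already calls `Done()` before `delete`, either drop the call from the destructor or comment that it is a fallback for plugins deleted outside the manager. `SetDescription(Description& desc)` should take `const Description&` (declaration in Plugin.h too) so callers can pass a const or temporary object.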
@@ -0,0 +1,60 @@ + +#ifndef PLUGIN_PLUGIN_H +#define PLUGIN_PLUGIN_H + +#include +#include + +class ODesc; + +namespace plugin { + +class Manager; +class Component; + +static const int API_VERSION = 1; +static const int API_BUILTIN = -1; +static const int API_ERROR = -2; + +struct Description { + std::string name; + std::string description; + std::string url; + int version; + int api_version; + + Description(); + void Describe(ODesc* d); + }; + +class Plugin { +public: + typedef std::list component_list; + + Plugin(); + virtual ~Plugin(); + + Description GetDescription() const; + void SetDescription(Description& desc); + + component_list Components(); + + virtual void Init(); + virtual void Done(); + + void Describe(ODesc* d); + +protected: + /** + * Takes ownership. + */ + void AddComponent(Component* c); + +private: + plugin::Description description; + component_list components; +}; + +} + +#endif diff --git a/src/scan.l b/src/scan.l index ffbc125728..6a649fb93b 100644 --- a/src/scan.l +++ b/src/scan.l @@ -22,9 +22,11 @@ #include "PolicyFile.h" #include "broparse.h" #include "BroDoc.h" -#include "Analyzer.h" -#include "AnalyzerTags.h" #include "Reporter.h" +#include "RE.h" +#include "Net.h" + +#include "analyzer/analyzer.h" extern YYLTYPE yylloc; // holds start line and column of token extern int print_loaded_scripts; @@ -67,8 +69,10 @@ void clear_reST_doc_comments(); // Adds changes to capture_filter to the current script's reST documentation. static void check_capture_filter_changes(); +#if 0 // Adds changes to dpd_config to the current script's reST documentation. static void check_dpd_config_changes(); +#endif static const char* canon_doc_comment(const char* comment) { @@ -822,7 +826,9 @@ int yywrap() while ( input_files.length() > 0 ) { check_capture_filter_changes(); +#if 0 check_dpd_config_changes(); +#endif if ( load_files(input_files[0]) ) { 
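Review bot: `struct Description` declares `void Describe(ODesc* d);` but the Plugin.cc hunk in this commit defines only `Plugin::Describe`, so the first caller of `Description::Describe` will fail at link time; either define it (the formatting logic in `Plugin::Describe` is what would belong there) or remove the declaration. `component_list Components();` returns the list by value and is non-const, so `Manager::Components` copies every plugin's list on each call; `const component_list& Components() const;` avoids that. `AddComponent` is the only documented member; `Init()`/`Done()` deserve a line each, e.g. `/** Called once by the Manager after registration; derived plugins add their components here. */`.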
@@ -838,7 +844,9 @@ int yywrap() } check_capture_filter_changes(); +#if 0 check_dpd_config_changes(); +#endif // For each file scanned so far, and for each @prefix, look for a // prefixed and flattened version of the loaded file in BROPATH. The @@ -1003,6 +1011,7 @@ static void check_capture_filter_changes() } } +#if 0 static void check_dpd_config_changes() { if ( ! generate_documentation ) @@ -1047,6 +1056,7 @@ static void check_dpd_config_changes() dpd_table->RemoveAll(); } +#endif void print_current_reST_doc_comments() { diff --git a/src/util.cc b/src/util.cc index 0051f9f6fe..5d6104ce46 100644 --- a/src/util.cc +++ b/src/util.cc @@ -16,6 +16,7 @@ #include #include +#include #include #include #include @@ -298,6 +299,13 @@ void to_upper(char* s) } } +string to_upper(const std::string& s) + { + string t = s; + std::transform(t.begin(), t.end(), t.begin(), ::toupper); + return t; + } + const char* strchr_n(const char* s, const char* end_of_s, char ch) { for ( ; s < end_of_s; ++s ) diff --git a/src/util.h b/src/util.h index f717ecd333..7e0c1ba085 100644 --- a/src/util.h +++ b/src/util.h @@ -114,6 +114,7 @@ extern char* skip_digits(char* s); extern char* get_word(char*& s); extern void get_word(int length, const char* s, int& pwlen, const char*& pw); extern void to_upper(char* s); +extern std::string to_upper(const std::string& s); extern const char* strchr_n(const char* s, const char* end_of_s, char ch); extern const char* strrchr_n(const char* s, const char* end_of_s, char ch); extern int decode_hex(char ch); From eef48586929b538baab34b95802eae7374a4ace2 Mon Sep 17 00:00:00 2001 
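Review bot: The `#if 0` guards around `check_dpd_config_changes` (hunks @@ -67 and @@ -822 on the previous page line, @@ -838 and @@ -1003 here) leave the whole function as dead code in scan.l with no pointer to why; if the intent is to revisit once well-known-port documentation has a replacement mechanism, say so on the first guard, e.g. `#if 0 // TODO: dpd_config is gone; re-implement via the Analyzer::register_for_ports documentation hook`, or remove the function outright since version control keeps it. The body of `check_dpd_config_changes` lies outside these hunks.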
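Review bot: In the util.cc hunk, `std::transform(t.begin(), t.end(), t.begin(), ::toupper)` passes each `char` to a function taking `int`; where `char` is signed, any byte above 0x7F becomes a negative argument, which is undefined behaviour for `toupper` unless the value equals EOF — and a string helper in this codebase will see non-ASCII bytes from the wire. Widen through `unsigned char` first, e.g. `static int upper_uc(int c) { return toupper(static_cast<unsigned char>(c)); }` and `std::transform(t.begin(), t.end(), t.begin(), upper_uc);`. The result is also locale-dependent, which matches the existing `to_upper(char*)`; if protocol normalisation relies on ASCII-only semantics that is worth a comment on the declaration in util.h.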
From: Robin Sommer Date: Tue, 26 Mar 2013 13:08:03 -0700 Subject: [PATCH 014/200] Fixes for non-OSX. --- aux/bro-aux | 2 +- aux/broctl | 2 +- src/CMakeLists.txt | 2 +- src/RuleAction.h | 2 +- src/analyzer/Analyzer.h | 4 ++-- src/analyzer/{BuiltinAnalyzers.cc => BuiltInAnalyzers.cc} | 0 src/analyzer/{BuiltinAnalyzers.h => BuiltInAnalyzers.h} | 0 src/analyzer/Manager.h | 8 ++++---- src/main.cc | 3 ++- src/scan.l | 2 +- 10 files changed, 13 insertions(+), 12 deletions(-) rename src/analyzer/{BuiltinAnalyzers.cc => BuiltInAnalyzers.cc} (100%) rename src/analyzer/{BuiltinAnalyzers.h => BuiltInAnalyzers.h} (100%) diff --git a/aux/bro-aux b/aux/bro-aux index ae14da422b..7068100754 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit ae14da422bfb252c8a53bd00d3e5fd7da8bc112e +Subproject commit 70681007546aad6e5648494e882b71adb9165105 diff --git a/aux/broctl b/aux/broctl index 3e3ada3c2e..2b35d03313 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 3e3ada3c2efebeda1278b8897859dd7c7d61e671 +Subproject commit 2b35d0331366865fbf0119919cc9692d55c4538c diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 318a014a19..b635360ac9 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -451,7 +451,7 @@ set(bro_SRCS plugin/Plugin.cc analyzer/Analyzer.cc - analyzer/BuiltinAnalyzers.cc + analyzer/BuiltInAnalyzers.cc analyzer/Manager.cc analyzer/PluginComponent.cc analyzer/Tag.cc diff --git a/src/RuleAction.h b/src/RuleAction.h index f4c2ae4cfa..ec7e5c3735 100644 --- a/src/RuleAction.h +++ b/src/RuleAction.h @@ -5,7 +5,7 @@ #include "List.h" #include "util.h" -#include "analyzer/tag.h" +#include "analyzer/Tag.h" class Rule; class RuleEndpointState; diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index db65670ad6..bc20d208b8 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
@@ -258,10 +258,10 @@ public: void Weird(const char* name, const char* addl = ""); protected: - friend class Connection; friend class AnalyzerTimer; - friend class TCP_ApplicationAnalyzer; friend class Manager; + friend class ::Connection; + friend class ::TCP_ApplicationAnalyzer; // Associates a connection with this analyzer. Must be called if // we're using the default ctor. diff --git a/src/analyzer/BuiltinAnalyzers.cc b/src/analyzer/BuiltInAnalyzers.cc similarity index 100% rename from src/analyzer/BuiltinAnalyzers.cc rename to src/analyzer/BuiltInAnalyzers.cc diff --git a/src/analyzer/BuiltinAnalyzers.h b/src/analyzer/BuiltInAnalyzers.h similarity index 100% rename from src/analyzer/BuiltinAnalyzers.h rename to src/analyzer/BuiltInAnalyzers.h diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index e6143cada6..47a70df716 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -5,10 +5,10 @@ #include -#include "Tag.h" -#include "PluginComponent.h" - #include "Analyzer.h" +#include "PluginComponent.h" +#include "Tag.h" + #include "../Dict.h" #include "../net_util.h" #include "../IP.h" @@ -112,7 +112,7 @@ public: // as a wildcard for orig. (Cookie is currently unused. Eventually, // we may pass it on to the analyzer). void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, - TransportProto proto, Tag::Tag analyzer, + TransportProto proto, Tag analyzer, double timeout, void* cookie); void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, diff --git a/src/main.cc b/src/main.cc index 08756c1bf3..8bfc9300c4 100644 --- a/src/main.cc +++ b/src/main.cc @@ -56,8 +56,9 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "input/Manager.h" #include "logging/Manager.h" #include "logging/writers/Ascii.h" -#include "analyzer/BuiltinAnalyzers.h" +#include "analyzer/BuiltInAnalyzers.h" #include "analyzer/Manager.h" +#include "analyzer/Tag.h" #include "plugin/Manager.h" #include "binpac_bro.h" 
diff --git a/src/scan.l b/src/scan.l index 6a649fb93b..faa831ea93 100644 --- a/src/scan.l +++ b/src/scan.l @@ -26,7 +26,7 @@ #include "RE.h" #include "Net.h" -#include "analyzer/analyzer.h" +#include "analyzer/Analyzer.h" extern YYLTYPE yylloc; // holds start line and column of token extern int print_loaded_scripts; From 2be985433c23127cc0d129e10935ec8d7b84f751 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Tue, 26 Mar 2013 13:57:17 -0700 Subject: [PATCH 015/200] Test-suite passes. All tests pass with one exception: some Broxygen tests are broken because dpd_config doesn't exist anymore. Need to update the mechanism for auto-documenting well-known ports. --- doc/scripts/DocSourcesList.cmake | 2 ++ doc/scripts/example.bro | 12 +++++++----- scripts/base/frameworks/analyzer/main.bro | 8 ++++++++ scripts/base/protocols/dns/main.bro | 2 ++ .../policy/frameworks/dpd/detect-protocols.bro | 12 ++++++------ src/RuleAction.cc | 6 ++++++ src/analyzer/Analyzer.cc | 15 ++++++++++----- src/analyzer/Analyzer.h | 3 ++- src/analyzer/Manager.cc | 14 ++++++++------ src/analyzer/Manager.h | 4 ++-- src/analyzer/PluginComponent.h | 2 +- .../canonified_loaded_scripts.log | 7 +++++-- .../canonified_loaded_scripts.log | 7 +++++-- .../Baseline/istate.events-ssl/events.rec.log | 1 - .../Baseline/istate.events-ssl/events.snd.log | 1 - .../Baseline/istate.events-ssl/receiver.http.log | 6 +++--- .../Baseline/istate.events-ssl/sender.http.log | 6 +++--- .../btest/Baseline/istate.events/events.rec.log | 1 - .../btest/Baseline/istate.events/events.snd.log | 1 - .../Baseline/istate.events/receiver.http.log | 6 +++--- .../btest/Baseline/istate.events/sender.http.log | 6 +++--- .../btest/Baseline/signatures.dpd/dpd-ipv4.out | 4 +--- .../btest/Baseline/signatures.dpd/dpd-ipv6.out | 4 +--- .../btest/Baseline/signatures.dpd/nosig-ipv4.out | 4 +--- .../btest/Baseline/signatures.dpd/nosig-ipv6.out | 4 +--- testing/btest/bifs/analyzer_name.bro | 4 ++-- testing/btest/core/tunnels/gtp/non_recursive.test | 2 +- testing/btest/signatures/dpd.bro | 2 +- 28 files changed, 84 insertions(+), 62 deletions(-) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 117430223e..af8f2de94b 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
@@ -16,6 +16,7 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal) rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) @@ -24,6 +25,7 @@ rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) +rest_target(${psd} base/frameworks/analyzer/main.bro) rest_target(${psd} base/frameworks/cluster/main.bro) rest_target(${psd} base/frameworks/cluster/nodes/manager.bro) rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro) diff --git a/doc/scripts/example.bro b/doc/scripts/example.bro index 9f6f656ee1..4e2f533226 100644 --- a/doc/scripts/example.bro +++ b/doc/scripts/example.bro @@ -54,11 +54,13 @@ global example_ports = { 443/tcp, 562/tcp, } &redef; -# redefinitions of "dpd_config" are self-documenting and -# go into the generated doc's "Port Analysis" section -redef dpd_config += { - [ANALYZER_SSL] = [$ports = example_ports] -}; + +event bro_init() + { + # Registering a well-known port is self-documenting and + # go into the generated doc's "Port Analysis" section + Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, example_ports); + } # redefinitions of "Notice::Type" are self-documenting, but # more information can be supplied in two different ways diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index b93ebcba24..d2f2b3172b 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro 
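Review bot: The new comment in example.bro reads `# Registering a well-known port is self-documenting and` / `# go into the generated doc's "Port Analysis" section` — the subject and verb disagree; `# goes into the generated doc's "Port Analysis" section`. Since this file is the Broxygen example and the commit message says the mechanism for auto-documenting well-known ports has not yet been updated for the new registration call, a short note such as `# (auto-documentation of registered ports is not yet re-implemented)` would keep the example honest until that lands.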
@@ -20,6 +20,9 @@ export { ## XXX. global registered_ports: function(tag: Analyzer::Tag) : set[port]; + ## XXX + global all_registered_ports: function() : table[Analyzer::Tag] of set[port]; + ## Translate an analyzer type to an ASCII string. ## ## atype: The analyzer tag. @@ -106,6 +109,11 @@ function registered_ports(tag: Analyzer::Tag) : set[port] return tag in ports ? ports[tag] : set(); } +function all_registered_ports(): table[Analyzer::Tag] of set[port] + { + return ports; + } + function name(atype: Analyzer::Tag) : string { return __name(atype); diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 66cdbc6241..6279ba4dab 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -126,6 +126,8 @@ event bro_init() &priority=5 { Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]); + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_tcp_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_udp_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports); } diff --git a/scripts/policy/frameworks/dpd/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.bro index c45486b776..d50e4599ed 100644 --- a/scripts/policy/frameworks/dpd/detect-protocols.bro +++ b/scripts/policy/frameworks/dpd/detect-protocols.bro @@ -70,7 +70,7 @@ export { } # Table that tracks currently active dynamic analyzers per connection. -global conns: table[conn_id] of set[count]; +global conns: table[conn_id] of set[Analyzer::Tag]; # Table of reports by other analyzers about the protocol used in a connection. global protocols: table[conn_id] of set[string]; 
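Review bot: The new exported `all_registered_ports()` in analyzer/main.bro is documented only as `## XXX`, and because it hands back the framework's own `ports` table rather than a copy, a caller can alter registration state without going through `Analyzer::register_for_ports()` (Bro tables are reference types as far as I recall; please confirm). I would replace the placeholder with `## Returns the table of all ports currently registered for each analyzer tag. The table is the framework's own registration state; treat it as read-only and use register_for_ports() to add entries.` and, if mutation must be ruled out, return `copy(ports)` instead. The same `## XXX.` placeholder still sits on the neighbouring `registered_ports` declaration shown as context.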
@@ -80,7 +80,7 @@ type protocol : record { sub: string; # "sub-protocols" reported by other sources }; -function get_protocol(c: connection, a: count) : protocol +function get_protocol(c: connection, a: Analyzer::Tag) : protocol { local str = ""; if ( c$id in protocols ) @@ -97,7 +97,7 @@ function fmt_protocol(p: protocol) : string return p$sub != "" ? fmt("%s (via %s)", p$sub, p$a) : p$a; } -function do_notice(c: connection, a: count, d: dir) +function do_notice(c: connection, a: Analyzer::Tag, d: dir) { if ( d == BOTH ) return; @@ -113,7 +113,7 @@ function do_notice(c: connection, a: count, d: dir) NOTICE([$note=Protocol_Found, $msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p), - $sub=s, $conn=c, $n=a]); + $sub=s, $conn=c]); # We report multiple Server_Found's per host if we find a new # sub-protocol. @@ -129,7 +129,7 @@ function do_notice(c: connection, a: count, d: dir) NOTICE([$note=Server_Found, $msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s, c$id$resp_p, (known ? " (update)" : "")), - $p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h, $n=a]); + $p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h]); if ( ! known ) servers[c$id$resp_h, c$id$resp_p, p$a] = set(); @@ -214,7 +214,7 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) } } -function found_protocol(c: connection, analyzer: Analyzer::tag, protocol: string) +function found_protocol(c: connection, atype: Analyzer::Tag, protocol: string) { # Don't report anything running on a well-known port. if ( c$id$resp_p in Analyzer::registered_ports(atype) ) diff --git a/src/RuleAction.cc b/src/RuleAction.cc index 808bead3d8..c0a4809c88 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc 
@@ -42,10 +42,16 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer) string arg = str.substr(0, pos); analyzer = analyzer_mgr->GetAnalyzerTag(arg); + if ( ! analyzer ) + reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str()); + if ( pos != string::npos ) { arg = str.substr(pos + 1); child_analyzer = analyzer_mgr->GetAnalyzerTag(arg); + + if ( ! child_analyzer ) + reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str()); } else child_analyzer = analyzer::Tag::ERROR; diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index ca15ad56e1..6ef67eb497 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -41,15 +41,20 @@ void AnalyzerTimer::Init(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, analyzer::ID Analyzer::id_counter = 0;; +const string& Analyzer::GetAnalyzerName() const + { + return analyzer_mgr->GetAnalyzerName(tag); + } + bool Analyzer::IsAnalyzer(const char* name) { - return analyzer_mgr->GetAnalyzerName(Tag()) == name; + return analyzer_mgr->GetAnalyzerName(tag) == name; } // Used in debugging output. static string fmt_analyzer(Analyzer* a) { - return analyzer_mgr->GetAnalyzerName(a->GetTag()) + fmt("[%d]", a->GetID()); + return a->GetAnalyzerName() + fmt("[%d]", a->GetID()); } Analyzer::Analyzer(const char* name, Connection* arg_conn) @@ -320,7 +325,7 @@ void Analyzer::ForwardEndOfData(bool orig) void Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init) { - if ( HasChildAnalyzer(analyzer->GetTag()) ) + if ( HasChildAnalyzer(analyzer->GetAnalyzerTag()) ) { analyzer->Done(); delete analyzer; 
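Review bot: In the RuleActionAnalyzer constructor an unknown analyzer name only produces a warning and construction proceeds with a null tag, so a misspelled name in a signature file yields a rule that matches but, as far as the hunk shows, attaches nothing, and the detection it was meant to enable is lost with only a startup message to notice. If the reporter offers an error-level call I would use it here; at minimum the message should distinguish the two cases, since both warnings are currently word-for-word identical, e.g. `reporter->Warning("unknown child analyzer '%s' specified in rule", arg.c_str());` for the second check. What the action does downstream with a Tag::ERROR analyzer is outside this hunk.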
@@ -381,7 +386,7 @@ void Analyzer::RemoveChildAnalyzer(ID id) LOOP_OVER_CHILDREN(i) if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) ) { - DBG_LOG(DBG_DPD, "%s disabling child %s", analyzer_mgr->GetAnalyzerName(GetTag()).c_str(), id, + DBG_LOG(DBG_DPD, "%s disabling child %s", GetAnalyzerName().c_str(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()); // See comment above. (*i)->removing = true; @@ -460,7 +465,7 @@ void Analyzer::DeleteChild(analyzer_list::iterator i) void Analyzer::AddSupportAnalyzer(SupportAnalyzer* analyzer) { - if ( HasSupportAnalyzer(analyzer->GetTag(), analyzer->IsOrig()) ) + if ( HasSupportAnalyzer(analyzer->GetAnalyzerTag(), analyzer->IsOrig()) ) { DBG_LOG(DBG_DPD, "%s already has %s %s", fmt_analyzer(this).c_str(), diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index bc20d208b8..704c131bca 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -140,7 +140,8 @@ public: bool IsFinished() const { return finished; } - Tag GetTag() const { return tag; } + Tag GetAnalyzerTag() const { return tag; } + const string& GetAnalyzerName() const; bool IsAnalyzer(const char* name); // Management of the tree. diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index b2d35215f3..78c086d409 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -316,10 +316,12 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) return a; } -string Manager::GetAnalyzerName(Tag tag) +const string& Manager::GetAnalyzerName(Tag tag) { + static string error = ""; + if ( ! tag ) - return ""; + return error; PluginComponent* c = Lookup(tag); @@ -329,7 +331,7 @@ string Manager::GetAnalyzerName(Tag tag) return c->Name(); } -string Manager::GetAnalyzerName(Val* val) +const string& Manager::GetAnalyzerName(Val* val) { return GetAnalyzerName(Tag(val->AsEnumVal())); } 
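Review bot: The `DBG_LOG` call in Analyzer::RemoveChildAnalyzer still passes four arguments to a format string with only two `%s` conversions, so the second `%s` consumes `id` (an integer) as a `char*`, which is undefined behaviour and a likely crash whenever DPD debug logging is enabled; the commit rewrote the first argument but kept the mismatch. Since `fmt_analyzer()` already renders name and id, the call should be `DBG_LOG(DBG_DPD, "%s disabling child %s", fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());`. If DBG_LOG compiles to nothing in release builds this only bites debug builds, but it is still a latent defect on the new side.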
@@ -354,13 +356,13 @@ EnumType* Manager::GetTagEnumType() PluginComponent* Manager::Lookup(const string& name) { - analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); return i != analyzers_by_name.end() ? i->second : 0; } PluginComponent* Manager::Lookup(const char* name) { - analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); return i != analyzers_by_name.end() ? i->second : 0; } @@ -598,7 +600,7 @@ bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, { if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. - udp->AddChildAnalyzer(new ConnSize_Analyzer(conn)); + root->AddChildAnalyzer(new ConnSize_Analyzer(conn)); } if ( pia ) diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 47a70df716..ceca74bf0c 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -88,8 +88,8 @@ public: Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled. - string GetAnalyzerName(Tag tag); - string GetAnalyzerName(Val* val); + const string& GetAnalyzerName(Tag tag); + const string& GetAnalyzerName(Val* val); Tag GetAnalyzerTag(const string& name); // Tag::ERROR when not known. Tag GetAnalyzerTag(const char* name); // Tag::ERROR when not known. diff --git a/src/analyzer/PluginComponent.h b/src/analyzer/PluginComponent.h index 6db5aaf994..baad63f9f8 100644 --- a/src/analyzer/PluginComponent.h +++ b/src/analyzer/PluginComponent.h 
@@ -25,7 +25,7 @@ public: PluginComponent(std::string name, factory_callback factory, bool enabled, bool partial); PluginComponent(std::string name, Tag::subtype_t subtype, factory_callback factory, bool enabled, bool partial); - std::string Name() const { return name; } + const std::string& Name() const { return name; } factory_callback Factory() const { return factory; } bool Partial() const { return partial; } bool Enabled() const { return enabled; } diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 41209a4084..b476306ae6 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2012-07-20-14-34-11 +#open 2013-03-26-20-58-03 #fields name #types string scripts/base/init-bare.bro @@ -29,5 +29,8 @@ scripts/base/init-bare.bro scripts/base/frameworks/input/./readers/ascii.bro scripts/base/frameworks/input/./readers/raw.bro scripts/base/frameworks/input/./readers/benchmark.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/./main.bro + build/src/base/analyzer.bif.bro scripts/policy/misc/loaded-scripts.bro -#close 2012-07-20-14-34-11 +#close 2013-03-26-20-58-03 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index d9e8ee0703..ddcae1d0eb 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-02-11-18-44-43 +#open 2013-03-26-20-58-16 #fields name #types string scripts/base/init-bare.bro @@ -29,6 +29,9 @@ scripts/base/init-bare.bro scripts/base/frameworks/input/./readers/ascii.bro scripts/base/frameworks/input/./readers/raw.bro scripts/base/frameworks/input/./readers/benchmark.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/./main.bro + build/src/base/analyzer.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/./patterns.bro @@ -119,4 +122,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-02-11-18-44-43 +#close 2013-03-26-20-58-16 diff --git a/testing/btest/Baseline/istate.events-ssl/events.rec.log b/testing/btest/Baseline/istate.events-ssl/events.rec.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events-ssl/events.rec.log +++ b/testing/btest/Baseline/istate.events-ssl/events.rec.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events-ssl/events.snd.log b/testing/btest/Baseline/istate.events-ssl/events.snd.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events-ssl/events.snd.log +++ b/testing/btest/Baseline/istate.events-ssl/events.snd.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events-ssl/receiver.http.log b/testing/btest/Baseline/istate.events-ssl/receiver.http.log index 3fc7f1b66f..5b56c38e66 100644 --- a/testing/btest/Baseline/istate.events-ssl/receiver.http.log +++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-03 +#open 2013-03-26-21-06-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749182.906082 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-04 +1364331986.091724 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-27 diff --git a/testing/btest/Baseline/istate.events-ssl/sender.http.log b/testing/btest/Baseline/istate.events-ssl/sender.http.log index 3fc7f1b66f..5b56c38e66 100644 --- a/testing/btest/Baseline/istate.events-ssl/sender.http.log +++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-03 +#open 2013-03-26-21-06-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749182.906082 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-04 +1364331986.091724 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-27 diff --git a/testing/btest/Baseline/istate.events/events.rec.log b/testing/btest/Baseline/istate.events/events.rec.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events/events.rec.log +++ b/testing/btest/Baseline/istate.events/events.rec.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events/events.snd.log b/testing/btest/Baseline/istate.events/events.snd.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events/events.snd.log +++ b/testing/btest/Baseline/istate.events/events.snd.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log index 6862c08b98..2863571349 100644 --- a/testing/btest/Baseline/istate.events/receiver.http.log 
+++ b/testing/btest/Baseline/istate.events/receiver.http.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-12 +#open 2013-03-26-21-06-18 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749191.765740 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-13 +1364331977.210008 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-19 diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log index 6862c08b98..484eb11f11 100644 --- a/testing/btest/Baseline/istate.events/sender.http.log +++ b/testing/btest/Baseline/istate.events/sender.http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-12 +#open 2013-03-26-21-06-17 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749191.765740 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-13 +1364331977.210008 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-18 diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out index abb41f330c..d9f5126aab 100644 --- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out @@ -1,6 +1,4 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_request 141.142.220.235:50003 - USER anonymous diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out index a2227ee890..f26ff25291 100644 --- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out 
@@ -1,6 +1,4 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out index 55566505d8..1b3be8e060 100644 --- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out +++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out @@ -1,3 +1 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out index 55566505d8..1b3be8e060 100644 --- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out +++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out @@ -1,3 +1 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 diff --git a/testing/btest/bifs/analyzer_name.bro b/testing/btest/bifs/analyzer_name.bro index 9297d2ca27..266d1c159f 100644 --- a/testing/btest/bifs/analyzer_name.bro +++ b/testing/btest/bifs/analyzer_name.bro @@ -4,6 +4,6 @@ event bro_init() { - local a = 1; - print analyzer_name(a); + local a = Analyzer::ANALYZER_PIA_TCP; + print Analyzer::name(a); } diff --git a/testing/btest/core/tunnels/gtp/non_recursive.test b/testing/btest/core/tunnels/gtp/non_recursive.test index d44bfce79d..0b03c0d6ae 100644 --- a/testing/btest/core/tunnels/gtp/non_recursive.test +++ b/testing/btest/core/tunnels/gtp/non_recursive.test 
@@ -5,7 +5,7 @@ # So if we find inside a GTP tunnel anohter IP/UDP packet with port 2152, # it is just a UDP packet, but not another GTP tunnel. -event protocol_violation(c: connection, atype: count, aid: count, reason: string) +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) { print "protocol_violation", c$id, reason; } diff --git a/testing/btest/signatures/dpd.bro b/testing/btest/signatures/dpd.bro index d6ae02cb50..a311ae3bd3 100644 --- a/testing/btest/signatures/dpd.bro +++ b/testing/btest/signatures/dpd.bro @@ -33,7 +33,7 @@ signature my_ftp_server { event bro_init() { # no analyzer attached to any port by default, depends entirely on sigs - print "dpd_config", dpd_config; + print "|Analyzer::all_registered_ports()|", |Analyzer::all_registered_ports()|; } event signature_match(state: signature_state, msg: string, data: string) From 19c1816ebb20d574255b9c1bf2ee6cdb5f162de5 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Thu, 28 Mar 2013 21:47:44 -0700 Subject: [PATCH 016/200] Infrastructure for modularizing protocol analyzers. There's now a new directory "src/protocols/", and the plan is for each protocol analyzer to eventually have its own subdirectory in there that contains everything it defines (C++/pac/bif). The infrastructure to make that happen is in place, and two analyzers have been converted to the new model, HTTP and SSL; there's no further HTTP/SSL-specific code anywhere else in the core anymore (I believe :-) Further changes: - -N lists available plugins, -NN lists more details on what these plugins provide (analyzers, bif elements). (The latter does not work for analyzers that haven't been converted yet). - *.bif.bro files now go into scripts/base/bif/; and scripts/base/bif/plugins/ for bif files provided by plugins. - I've factored out the bifcl/binpac CMake magic from src/CMakeLists.txt to cmake/{BifCl,Binpac} - There's a new cmake/BroPlugin that contains magic to allow plugins to have a simple CMakeLists.txt. The hope is that eventually the same CMakeLists.txt can be used for compiling a plugin either statically or dynamically. - bifcl has a new option -c that changes the code it generates so that it can be used with a plugin. TODOs: - "make install" is probably broken. - Broxygen is probably broken for plugin-defined events. - event groups are broken (do we want to keep them?) 
--- bro-path-dev.in | 2 +- cmake | 2 +- scripts/base/frameworks/analyzer/main.bro | 2 +- scripts/base/frameworks/input/main.bro | 2 +- scripts/base/frameworks/logging/main.bro | 2 +- scripts/base/init-bare.bro | 14 +- src/CMakeLists.txt | 101 ++--- src/EventRegistry.cc | 4 +- src/FTP.cc | 13 +- src/Gnutella.cc | 7 +- src/Sessions.cc | 1 - src/analyzer/Manager.cc | 6 + src/analyzer/Manager.h | 3 +- src/bro-bif.h | 11 + src/bro.bif | 54 --- src/builtin-func.l | 151 +++++- src/builtin-func.y | 35 +- src/event.bif | 428 ------------------ src/main.cc | 32 +- src/plugin/Component.cc | 1 - src/plugin/Macros.h | 42 ++ src/plugin/Manager.cc | 47 +- src/plugin/Manager.h | 16 +- src/plugin/Plugin.cc | 80 +++- src/plugin/Plugin.h | 28 +- .../BuiltInAnalyzers.cc | 18 +- .../BuiltInAnalyzers.h | 0 src/protocols/CMakeLists.txt | 3 + src/protocols/http/CMakeLists.txt | 11 + src/{ => protocols/http}/HTTP.cc | 9 + src/{ => protocols/http}/HTTP.h | 2 + src/protocols/http/events.bif | 232 ++++++++++ src/protocols/http/functions.bif | 56 +++ src/protocols/ssl/CMakeLists.txt | 10 + src/protocols/ssl/Plugin.cc | 10 + src/{ => protocols/ssl}/SSL.cc | 1 + src/{ => protocols/ssl}/SSL.h | 2 + src/protocols/ssl/events.bif | 195 ++++++++ src/{ => protocols/ssl}/ssl-analyzer.pac | 0 src/{ => protocols/ssl}/ssl-defs.pac | 0 src/{ => protocols/ssl}/ssl-protocol.pac | 0 src/{ => protocols/ssl}/ssl.pac | 4 + src/{ => protocols/unused}/HTTP-binpac.cc | 0 src/{ => protocols/unused}/HTTP-binpac.h | 0 44 files changed, 974 insertions(+), 663 deletions(-) create mode 100644 src/bro-bif.h create mode 100644 src/plugin/Macros.h rename src/{analyzer => protocols}/BuiltInAnalyzers.cc (91%) rename src/{analyzer => protocols}/BuiltInAnalyzers.h (100%) create mode 100644 src/protocols/CMakeLists.txt create mode 100644 src/protocols/http/CMakeLists.txt rename src/{ => protocols/http}/HTTP.cc (99%) rename src/{ => protocols/http}/HTTP.h (99%) create mode 100644 src/protocols/http/events.bif create mode 100644 
src/protocols/http/functions.bif create mode 100644 src/protocols/ssl/CMakeLists.txt create mode 100644 src/protocols/ssl/Plugin.cc rename src/{ => protocols/ssl}/SSL.cc (99%) rename src/{ => protocols/ssl}/SSL.h (97%) create mode 100644 src/protocols/ssl/events.bif rename src/{ => protocols/ssl}/ssl-analyzer.pac (100%) rename src/{ => protocols/ssl}/ssl-defs.pac (100%) rename src/{ => protocols/ssl}/ssl-protocol.pac (100%) rename src/{ => protocols/ssl}/ssl.pac (94%) rename src/{ => protocols/unused}/HTTP-binpac.cc (100%) rename src/{ => protocols/unused}/HTTP-binpac.h (100%) diff --git a/bro-path-dev.in b/bro-path-dev.in index 81d4f111fc..2c17d057c9 100755 --- a/bro-path-dev.in +++ b/bro-path-dev.in @@ -12,7 +12,7 @@ broPolicies=${BRO_SCRIPT_SOURCE_PATH}:${BRO_SCRIPT_SOURCE_PATH}/policy:${BRO_SCRIPT_SOURCE_PATH}/site -broGenPolicies=${CMAKE_BINARY_DIR}/src +broGenPolicies=${CMAKE_BINARY_DIR}/scripts installedPolicies=${BRO_SCRIPT_INSTALL_PATH}:${BRO_SCRIPT_INSTALL_PATH}/site diff --git a/cmake b/cmake index 94e72a3075..870dd2c240 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 94e72a3075bb0b9550ad05758963afda394bfb2c +Subproject commit 870dd2c240acaee5c2d75da0feb5fd5044177123 diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index d2f2b3172b..ea5ccb727c 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro @@ -59,7 +59,7 @@ export { &redef; } -@load base/analyzer.bif +@load base/bif/analyzer.bif global ports: table[Analyzer::Tag] of set[port]; diff --git a/scripts/base/frameworks/input/main.bro b/scripts/base/frameworks/input/main.bro index 1a05abce71..4de98ea0f2 100644 --- a/scripts/base/frameworks/input/main.bro +++ b/scripts/base/frameworks/input/main.bro @@ -149,7 +149,7 @@ export { global end_of_data: event(name: string, source:string); } -@load base/input.bif +@load base/bif/input.bif module Input; 
diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index 054ad4a30b..05a03ab11d 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -357,7 +357,7 @@ export { # We keep a script-level copy of all filters so that we can manipulate them. global filters: table[ID, string] of Filter; -@load base/logging.bif # Needs Filter and Stream defined. +@load base/bif/logging.bif # Needs Filter and Stream defined. module Log; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index d8f38ed124..3afabd9ae0 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -1,5 +1,5 @@ -@load base/const.bif -@load base/types.bif +@load base/bif/const.bif.bro +@load base/bif/types.bif # Type declarations @@ -646,9 +646,9 @@ type entropy_test_result: record { }; # Prototypes of Bro built-in functions. -@load base/strings.bif -@load base/bro.bif -@load base/reporter.bif +@load base/bif/strings.bif +@load base/bif/bro.bif +@load base/bif/reporter.bif ## Deprecated. This is superseded by the new logging framework. global log_file_name: function(tag: string): string &redef; @@ -2656,7 +2656,7 @@ export { } module GLOBAL; -@load base/event.bif +@load base/bif/event.bif ## BPF filter the user has set via the -f command line options. Empty if none. const cmd_line_bpf_filter = "" &redef; @@ -3004,3 +3004,5 @@ const snaplen = 8192 &redef; @load base/frameworks/input @load base/frameworks/analyzer +# Load BiF defined by plugins. +@load base/bif/plugins diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index b635360ac9..31192a8757 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
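Review bot: The `@load` lines at the top of init-bare.bro are now inconsistent: `base/bif/const.bif.bro` carries the `.bro` suffix while `base/bif/types.bif` and every other bif load in the file does not. Both forms presumably resolve, but the odd one out reads like a leftover; I would make it `@load base/bif/const.bif`. The trailing comment `# Load BiF defined by plugins.` should read `# Load BiFs defined by plugins.`.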
@@ -100,45 +100,7 @@ target_link_libraries(bifcl) ######################################################################## ## bifcl-dependent targets -# A macro to define a command that uses the BIF compiler to produce -# C++ segments and Bro language declarations from .bif file -# The outputs are appended to list ALL_BIF_OUTPUTS -# Outputs that should be installed are appended to INSTALL_BIF_OUTPUTS -macro(BIF_TARGET bifInput) - get_bif_output_files(${bifInput} bifOutputs) - add_custom_command(OUTPUT ${bifOutputs} - COMMAND bifcl - ARGS ${CMAKE_CURRENT_SOURCE_DIR}/${bifInput} || (rm -f ${bifOutputs} && exit 1) - # In order be able to run bro from the build directory, - # the generated bro script needs to be inside a - # a directory tree named the same way it will be - # referenced from an @load. - COMMAND "${CMAKE_COMMAND}" - ARGS -E copy ${bifInput}.bro base/${bifInput}.bro - COMMAND "${CMAKE_COMMAND}" - ARGS -E remove -f ${bifInput}.bro - DEPENDS ${bifInput} - DEPENDS bifcl - COMMENT "[BIFCL] Processing ${bifInput}" - ) - list(APPEND ALL_BIF_OUTPUTS ${bifOutputs}) - list(APPEND INSTALL_BIF_OUTPUTS - ${CMAKE_CURRENT_BINARY_DIR}/base/${bifInput}.bro) -endmacro(BIF_TARGET) - -# returns a list of output files that bifcl will produce -# for given input file in ${outputFileVar} -macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar) - set(${outputFileVar} - base/${inputFile}.bro - ${inputFile}.func_def - ${inputFile}.func_h - ${inputFile}.func_init - ${inputFile}.netvar_def - ${inputFile}.netvar_h - ${inputFile}.netvar_init - ) -endmacro(GET_BIF_OUTPUT_FILES) +include(BifCl) set(BIF_SRCS analyzer.bif 
@@ -156,36 +118,18 @@ foreach (bift ${BIF_SRCS}) bif_target(${bift}) endforeach () +add_custom_target(generate_standard_bifs DEPENDS ${ALL_BIF_OUTPUTS}) + ######################################################################## ## BinPAC-dependent targets -set(BINPAC_AUXSRC - binpac.pac - bro.pac - binpac_bro.h -) +include(BinPAC) -# A macro to define a command that uses the BinPac compiler to -# produce C++ code that implements a protocol parser/analyzer -# The outputs of the command are appended to list ALL_BINPAC_OUTPUTS -# All arguments to this macro are appended to list ALL_BINPAC_INPUTS -macro(BINPAC_TARGET pacFile) - get_filename_component(basename ${pacFile} NAME_WE) - add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h - ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc - COMMAND ${BinPAC_EXE} - ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR} - -I ${CMAKE_CURRENT_SOURCE_DIR} - ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile} - DEPENDS ${BinPAC_EXE} ${pacFile} - ${BINPAC_AUXSRC} ${ARGN} - COMMENT "[BINPAC] Processing ${pacFile}" - ) - list(APPEND ALL_BINPAC_INPUTS ${ARGV}) - list(APPEND ALL_BINPAC_OUTPUTS - ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h - ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc) -endmacro(BINPAC_TARGET) +set(BINPAC_AUXSRC + ${CMAKE_SOURCE_DIR}/src/binpac.pac + ${CMAKE_SOURCE_DIR}/src/bro.pac + ${CMAKE_SOURCE_DIR}/src/binpac_bro.h +) binpac_target(binpac-lib.pac) binpac_target(binpac_bro-lib.pac) @@ -206,8 +150,8 @@ binpac_target(dns_tcp.pac dns.pac) binpac_target(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac) -binpac_target(http.pac - http-protocol.pac http-analyzer.pac) +# binpac_target(http.pac +# http-protocol.pac http-analyzer.pac) binpac_target(ncp.pac) binpac_target(netflow.pac netflow-protocol.pac netflow-analyzer.pac) 
@@ -215,13 +159,20 @@ binpac_target(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac) binpac_target(socks.pac socks-protocol.pac socks-analyzer.pac) -binpac_target(ssl.pac - ssl-defs.pac ssl-protocol.pac ssl-analyzer.pac) +# binpac_target(ssl.pac +# ssl-defs.pac ssl-protocol.pac ssl-analyzer.pac) binpac_target(syslog.pac syslog-protocol.pac syslog-analyzer.pac) binpac_target(modbus.pac modbus-protocol.pac modbus-analyzer.pac) +######################################################################## +## Including plug-ins that are compiled in statically. +######################################################################## + +set(bro_PLUGIN_OBJECT_LIBS CACHE INTERNAL "plugin object libraries" FORCE) +add_subdirectory(protocols) + ######################################################################## ## bro target @@ -334,8 +285,6 @@ set(bro_SRCS Func.cc Gnutella.cc GTPv1.cc - HTTP.cc - HTTP-binpac.cc Hash.cc ICMP.cc ID.cc @@ -390,7 +339,6 @@ set(bro_SRCS SMTP.cc SOCKS.cc SSH.cc - SSL.cc Scope.cc SerializationFormat.cc SerialObj.cc @@ -451,18 +399,19 @@ set(bro_SRCS plugin/Plugin.cc analyzer/Analyzer.cc - analyzer/BuiltInAnalyzers.cc analyzer/Manager.cc analyzer/PluginComponent.cc analyzer/Tag.cc + protocols/BuiltInAnalyzers.cc + nb_dns.c digest.h ) collect_headers(bro_HEADERS ${bro_SRCS}) -add_executable(bro ${bro_SRCS} ${bro_HEADERS}) +add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_PLUGIN_OBJECT_LIBS}) target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT}) @@ -471,3 +420,7 @@ install(FILES ${INSTALL_BIF_OUTPUTS} DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base set(BRO_EXE bro CACHE STRING "Bro executable binary" FORCE) + +include(BroPlugin) +bro_plugin_bif_create_loader(bif_loader ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins) +add_dependencies(bro bif_loader) diff --git a/src/EventRegistry.cc b/src/EventRegistry.cc index 4d29c5d95f..f51f624833 100644 --- a/src/EventRegistry.cc +++ b/src/EventRegistry.cc 
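Review bot: The commented-out `# binpac_target(ssl.pac ...)` lines left in src/CMakeLists.txt (and the matching `# binpac_target(http.pac ...)` in the preceding hunk) are dead text now that those .pac files have moved under src/protocols/ according to the diffstat; I would delete them rather than keep them as comments, since each plugin's own CMakeLists.txt is where they live now. A one-line pointer would replace them, e.g. `# HTTP and SSL are built as plugins under src/protocols/.`.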
@@ -87,9 +87,11 @@ void EventRegistry::PrintDebug() void EventRegistry::SetGroup(const char* name, const char* group) { + return; // FIXME. THis triggers the error below for plugin events. + EventHandler* eh = Lookup(name); if ( ! eh ) - reporter->InternalError("unknown event handler in SetGroup()"); + reporter->InternalError("unknown event handler %s in SetGroup()", name); eh->SetGroup(group); } diff --git a/src/FTP.cc b/src/FTP.cc index 5430b9e754..a0cc25292c 100644 --- a/src/FTP.cc +++ b/src/FTP.cc @@ -8,8 +8,8 @@ #include "FTP.h" #include "NVT.h" #include "Event.h" -#include "SSL.h" #include "Base64.h" +#include "analyzer/Manager.h" FTP_Analyzer::FTP_Analyzer(Connection* conn) : TCP_ApplicationAnalyzer("FTP", conn) @@ -154,10 +154,13 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) // Server wants to proceed with an ADAT exchange and we // know how to analyze the GSI mechanism, so attach analyzer // to look for that. - SSL_Analyzer* ssl = new SSL_Analyzer(Conn()); - ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), true)); - ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), false)); - AddChildAnalyzer(ssl); + Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); + if ( ssl ) + { + ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), true)); + ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), false)); + AddChildAnalyzer(ssl); + } } vl->append(new Val(reply_code, TYPE_COUNT)); diff --git a/src/Gnutella.cc b/src/Gnutella.cc index 6c8d4ee3f6..9cfab4ff1a 100644 --- a/src/Gnutella.cc +++ b/src/Gnutella.cc @@ -7,10 +7,10 @@ #include #include "NetVar.h" -#include "HTTP.h" #include "Gnutella.h" #include "Event.h" #include "PIA.h" +#include "analyzer/Manager.h" GnutellaMsgState::GnutellaMsgState() { 
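Review bot: The unconditional `return;` added at the top of `EventRegistry::SetGroup` turns the whole function into a no-op, so `&group=` attributes stop taking effect for every event, not only for the plugin events the FIXME mentions, and the improved `InternalError` message below it becomes unreachable code. A narrower fix keeps grouping working for handlers that are registered: drop the early return and make the failed lookup non-fatal, `if ( ! eh ) return; // plugin events may not be registered yet`, or use `reporter->Warning(...)` there if the case should stay visible during development. If globally disabling groups is intentional for this work-in-progress commit, the FIXME should say so explicitly, since the current comment reads as if only plugin events were affected.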
@@ -129,9 +129,10 @@ int Gnutella_Analyzer::IsHTTP(string header) ConnectionEvent(gnutella_http_notify, vl); } - if ( HTTP_Analyzer::Available() ) + analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn()); + + if ( a ) { - analyzer::Analyzer* a = new HTTP_Analyzer(Conn()); Parent()->AddChildAnalyzer(a); if ( Parent()->IsAnalyzer("TCP") ) diff --git a/src/Sessions.cc b/src/Sessions.cc index f18d12ef90..7586899e14 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -20,7 +20,6 @@ #include "UDP.h" #include "DNS-binpac.h" -#include "HTTP-binpac.h" #include "SteppingStone.h" #include "BackDoor.h" diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 78c086d409..060595aea2 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -316,6 +316,12 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) return a; } +Analyzer* Manager::InstantiateAnalyzer(const char* name, Connection* conn) + { + Tag tag = GetAnalyzerTag(name); + return tag ? InstantiateAnalyzer(tag, conn) : 0; + } + const string& Manager::GetAnalyzerName(Tag tag) { static string error = ""; diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index ceca74bf0c..33b27ed38a 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -86,7 +86,8 @@ public: bool UnregisterAnalyzerForPort(EnumVal* tag, PortVal* port); bool UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); - Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled. + Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled or not available. + Analyzer* InstantiateAnalyzer(const char* name, Connection* c); // Null if disabled or not available. const string& GetAnalyzerName(Tag tag); const string& GetAnalyzerName(Val* val); diff --git a/src/bro-bif.h b/src/bro-bif.h new file mode 100644 index 0000000000..24312e4753 --- /dev/null +++ b/src/bro-bif.h 
@@ -0,0 +1,11 @@ + +#ifndef BRO_BIF_H +#define BRO_BIF_H + +// Headers to include by generated BiF code. +#include "analyzer/Analyzer.h" +#include "Conn.h" +#include "NetVar.h" +#include "Event.h" + +#endif diff --git a/src/bro.bif b/src/bro.bif index 4c88a7dd77..9b3eb946e2 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -3327,8 +3327,6 @@ function lookup_connection%(cid: conn_id%): connection %} %%{ -#include "HTTP.h" - const char* conn_id_string(Val* c) { Val* id = (*(c->AsRecord()))[0]; 
@@ -3344,58 +3342,6 @@ const char* conn_id_string(Val* c) } %%} -## Skips the data of the HTTP entity. -## -## c: The HTTP connection. -## -## is_orig: If true, the client data is skipped, and the server data otherwise. -## -## .. bro:see:: skip_smtp_data -function skip_http_entity_data%(c: connection, is_orig: bool%): any - %{ - analyzer::ID id = mgr.CurrentAnalyzer(); - if ( id ) - { - analyzer::Analyzer* ha = c->FindAnalyzer(id); - - if ( ha ) - { - if ( ha->IsAnalyzer("HTTP") ) - static_cast(ha)->SkipEntityData(is_orig); - else - reporter->Error("non-HTTP analyzer associated with connection record"); - } - else - reporter->Error("could not find analyzer for skip_http_entity_data"); - - } - else - reporter->Error("no analyzer associated with connection record"); - - return 0; - %} - -## Unescapes all characters in a URI (decode every ``%xx`` group). -## -## URI: The URI to unescape. -## -## Returns: The unescaped URI with all ``%xx`` groups decoded. -## -## .. note:: -## -## Unescaping reserved characters may cause loss of information. RFC 2396: -## A URI is always in an "escaped" form, since escaping or unescaping a -## completed URI might change its semantics. Normally, the only time -## escape encodings can safely be made is when the URI is being created -## from its component parts. -function unescape_URI%(URI: string%): string - %{ - const u_char* line = URI->Bytes(); - const u_char* const line_end = line + URI->Len(); - - return new StringVal(unescape_URI(line, line_end, 0)); - %} - ## Writes the current packet to a file. ## ## file_name: The name of the file to write the packet to. diff --git a/src/builtin-func.l b/src/builtin-func.l index 9baeb1a9f9..ec60f1c7ec 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l 
@@ -27,7 +27,7 @@ int check_c_mode(int t) WS [ \t]+ /* Note, bifcl only accepts a single "::" in IDs while the policy - layer acceptes multiple. (But the policy layer doesn't have + layer acceptes multiple. (But the policy layer doesn't have a hierachy. */ IDCOMPONENT [A-Za-z_][A-Za-z_0-9]* ID {IDCOMPONENT}(::{IDCOMPONENT})? @@ -137,6 +137,8 @@ int yywrap() extern int yyparse(); char* input_filename = 0; +char* input_filename_with_path = 0; +char* plugin = 0; FILE* fp_bro_init = 0; FILE* fp_func_def = 0; 
@@ -168,15 +170,108 @@ FILE* open_output_file(const char* surfix) return fp; } +void usage() + { + fprintf(stderr, "usage: bifcl [-p] *.bif\n"); + exit(1); + } + +void init_plugin_mode() + { + fp_bro_init = open_output_file("bro"); + fp_func_h = open_output_file("h"); + fp_func_def = open_output_file("cc"); + fp_func_init = open_output_file("init.cc"); + + fp_netvar_h = fp_func_h; + fp_netvar_def = fp_func_def; + fp_netvar_init = fp_func_init; + + int n = 1024 + strlen(input_filename); + char auto_gen_comment[n]; + + snprintf(auto_gen_comment, n, + "This file was automatically generated by bifcl from %s (plugin mode).", + input_filename_with_path); + + fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); + fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); + fprintf(fp_func_h, "// %s\n\n", auto_gen_comment); + fprintf(fp_func_init, "// %s\n\n", auto_gen_comment); + + static char guard[1024]; + getcwd(guard, sizeof(guard)); + strncat(guard, "/", sizeof(guard)); + strncat(guard, input_filename, sizeof(guard)); + + for ( char* p = guard; *p; p++ ) + { + if ( strchr("/.", *p) ) + *p = '_'; + } + + fprintf(fp_func_h, "#ifndef %s\n", guard); + fprintf(fp_func_h, "#define %s\n", guard); + fprintf(fp_func_h, "\n"); + fprintf(fp_func_h, "#include \"bro-bif.h\"\n"); + + fprintf(fp_func_def, "\n"); + fprintf(fp_func_def, "#include \"%s.h\"\n", input_filename); + fprintf(fp_func_def, "\n"); + + static char name[1024]; + strncpy(name, input_filename, sizeof(name)); + char* dot = strchr(name, '.'); + if ( dot ) + *dot = '\0'; + + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "#include \n"); + fprintf(fp_func_init, "#include \n"); + fprintf(fp_func_init, "#include \"%s.h\"\n", input_filename); + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "namespace plugin { namespace %s {\n", plugin); + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "std::list > __bif_%s_init()\n", name); + fprintf(fp_func_init, "\t{\n"); + fprintf(fp_func_init, "\tstd::list > bifs;\n"); + 
fprintf(fp_func_init, "\n"); + } + +void finish_plugin_mode() + { + fprintf(fp_func_h, "\n"); + fprintf(fp_func_h, "#endif\n"); + + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "\treturn bifs;\n"); + fprintf(fp_func_init, "\t}\n"); + fprintf(fp_func_init, "} }\n"); + fprintf(fp_func_init, "\n"); + } int main(int argc, char* argv[]) { - for ( int i = 1; i < argc; i++ ) + char opt; + + while ( (opt = getopt(argc, argv, "p:")) != -1 ) + { + switch ( opt ) { + case 'p': + plugin = optarg; + break; + + default: + usage(); + } + } + + for ( int i = optind; i < argc; i++ ) { FILE* fp_input; char* slash; - input_filename = argv[i]; + input_filename = input_filename_with_path = argv[i]; slash = strrchr(input_filename, '/'); if ( (fp_input = fopen(input_filename, "r")) == NULL ) 
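Review bot: The include-guard construction in `init_plugin_mode` misuses `strncat`: its third argument is the maximum number of characters to append, not the buffer size, so `strncat(guard, "/", sizeof(guard))` and `strncat(guard, input_filename, sizeof(guard))` can write past the 1024-byte `guard` for a long working directory or file name, and the `getcwd` return value is never checked. `strncpy(name, input_filename, sizeof(name))` likewise leaves `name` unterminated when the file name fills the buffer. In `main`, declaring `char opt` for the result of `getopt` only compares equal to `-1` on platforms where `char` is signed; it should be `int opt;`. Building the guard with a bounds-checked `snprintf` removes the manual length arithmetic entirely:
```cpp
	static char guard[2048];
	char cwd[1024];

	if ( ! getcwd(cwd, sizeof(cwd)) )
		{
		perror("getcwd");
		exit(1);
		}

	// snprintf truncates instead of overflowing on an over-long path.
	snprintf(guard, sizeof(guard), "%s/%s", cwd, input_filename);

	// … unchanged: rewrite '/' and '.' to '_' and emit the #ifndef/#define lines …

	static char name[1024];
	strncpy(name, input_filename, sizeof(name) - 1);
	name[sizeof(name) - 1] = '\0';
```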
@@ -189,17 +284,41 @@ int main(int argc, char* argv[]) if ( slash ) input_filename = slash + 1; - fp_bro_init = open_output_file("bro"); - fp_func_h = open_output_file("func_h"); - fp_func_def = open_output_file("func_def"); - fp_func_init = open_output_file("func_init"); - fp_netvar_h = open_output_file("netvar_h"); - fp_netvar_def = open_output_file("netvar_def"); - fp_netvar_init = open_output_file("netvar_init"); + if ( ! plugin ) + { + fp_bro_init = open_output_file("bro"); + fp_func_h = open_output_file("func_h"); + fp_func_def = open_output_file("func_def"); + fp_func_init = open_output_file("func_init"); + fp_netvar_h = open_output_file("netvar_h"); + fp_netvar_def = open_output_file("netvar_def"); + fp_netvar_init = open_output_file("netvar_init"); + + int n = 1024 + strlen(input_filename); + char auto_gen_comment[n]; + + snprintf(auto_gen_comment, n, + "This file was automatically generated by bifcl from %s.", + input_filename); + + fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); + fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); + fprintf(fp_func_h, "// %s\n\n", auto_gen_comment); + fprintf(fp_func_init, "// %s\n\n", auto_gen_comment); + fprintf(fp_netvar_def, "// %s\n\n", auto_gen_comment); + fprintf(fp_netvar_h, "// %s\n\n", auto_gen_comment); + fprintf(fp_netvar_init, "// %s\n\n", auto_gen_comment); + } + + else + init_plugin_mode(); yy_switch_to_buffer(yy_create_buffer(fp_input, YY_BUF_SIZE)); yyparse(); + if ( plugin ) + finish_plugin_mode(); + fclose(fp_input); close_all_output_files(); @@ -219,9 +338,13 @@ void close_all_output_files(void) close_if_open(&fp_func_h); close_if_open(&fp_func_def); close_if_open(&fp_func_init); - close_if_open(&fp_netvar_h); - close_if_open(&fp_netvar_def); - close_if_open(&fp_netvar_init); + + if ( ! plugin ) + { + close_if_open(&fp_netvar_h); + close_if_open(&fp_netvar_def); + close_if_open(&fp_netvar_init); + } } void remove_file(const char *surfix) 
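Review bot: In plugin mode `fp_netvar_h`, `fp_netvar_def` and `fp_netvar_init` alias the `fp_func_*` streams, and the new `if ( ! plugin )` guard in `close_all_output_files` correctly avoids a double `fclose`, but it leaves the three netvar pointers pointing at closed `FILE`s; any code that touches them before the next `init_plugin_mode` (the `err_exit` cleanup path, for instance, calls `close_all_output_files` and then removes files) is one refactor away from a use-after-close. Nulling them in an `else` branch, `else fp_netvar_h = fp_netvar_def = fp_netvar_init = 0;`, keeps the invariant that a non-null stream is an open one. The `char auto_gen_comment[n]` variable-length array moved here from builtin-func.y is sized by the input file name; a fixed buffer written with `snprintf(auto_gen_comment, sizeof(auto_gen_comment), ...)` would be the more robust form for a tool that runs on arbitrary paths.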
@@ -232,7 +355,7 @@ void remove_file(const char *surfix) unlink(fn); } -void err_exit(void) +void err_exit(void) { close_all_output_files(); /* clean up. remove all output files we've generated so far */ diff --git a/src/builtin-func.y b/src/builtin-func.y index b5d076a56e..58acf64c8e 100644 --- a/src/builtin-func.y +++ b/src/builtin-func.y @@ -15,6 +15,7 @@ using namespace std; extern int line_number; extern char* input_filename; +extern char* plugin; #define print_line_directive(fp) fprintf(fp, "\n#line %d \"%s\"\n", line_number, input_filename) @@ -265,6 +266,15 @@ void print_event_c_body(FILE *fp) fprintf(fp, "\t} // event generation\n"); //fprintf(fp, "%s // end namespace\n", decl.generate_c_namespace_end.c_str()); } + +void record_bif_item(const char* id, int type) + { + if ( ! plugin ) + return; + + fprintf(fp_func_init, "\tbifs.push_back(std::make_pair(\"%s\", %d));\n", id, type); + } + %} %token TOK_LPP TOK_RPP TOK_LPB TOK_RPB TOK_LPPB TOK_RPPB TOK_VAR_ARG @@ -304,21 +314,6 @@ definitions: definitions definition opt_ws } | opt_ws { - int n = 1024 + strlen(input_filename); - char auto_gen_comment[n]; - - snprintf(auto_gen_comment, n, - "This file was automatically generated by bifcl from %s.", - input_filename); - - fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); - fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_h, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_init, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_def, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_h, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_init, "// %s\n\n", auto_gen_comment); - fprintf(fp_bro_init, "%s", $1); fprintf(fp_bro_init, "export {\n"); } @@ -362,6 +357,8 @@ type_def: TOK_TYPE opt_ws TOK_ID opt_ws ':' opt_ws type_def_types opt_ws ';' "\t%s = internal_type(\"%s\")->As%sType();\n", decl.c_fullname.c_str(), decl.bro_fullname.c_str(), type_name.c_str()); + + record_bif_item(decl.bro_fullname.c_str(), 5); } ; 
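Review bot: `record_bif_item` encodes the kind of BiF item as bare integers — `1` for functions, `2` for events, `3` for constants and `5` for types and enums at the call sites in this hunk and the following ones — and the meaning of each value lives only in the reader's head; since the generated `__bif_*_init` list is consumed elsewhere, a mismatch would not be caught by the compiler. Define the codes once in the `%{ %}` prologue, e.g. `enum BifItemType { BIF_FUNCTION = 1, BIF_EVENT = 2, BIF_CONSTANT = 3, BIF_TYPE = 5 };` (the consumer of the list, not visible here, must use the same values), and pass the enumerators at the call sites. A one-line comment on `record_bif_item` stating that it emits nothing outside plugin mode and requires `fp_func_init` to be open would also help, since the function silently depends on `init_plugin_mode` having run.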
@@ -402,6 +399,8 @@ enum_def: enum_def_1 enum_list TOK_RPB fprintf(fp_netvar_init, "\t%s = internal_type(\"%s\")->AsEnumType();\n", decl.c_fullname.c_str(), decl.bro_fullname.c_str()); + + record_bif_item(decl.bro_fullname.c_str(), 5); } ; @@ -456,6 +455,8 @@ const_def: TOK_CONST opt_ws TOK_ID opt_ws ':' opt_ws TOK_ID opt_ws ';' fprintf(fp_netvar_init, "\t%s = internal_const_val(\"%s\")%s;\n", decl.c_fullname.c_str(), decl.bro_fullname.c_str(), accessor); + + record_bif_item(decl.bro_fullname.c_str(), 3); } @@ -545,6 +546,8 @@ head_1: TOK_ID opt_ws arg_begin fprintf(fp_func_def, "Val* %s(Frame* frame, val_list* %s)", decl.c_fullname.c_str(), arg_list_name); + + record_bif_item(decl.bro_fullname.c_str(), 1); } else if ( definition_type == EVENT_DEF ) { @@ -561,6 +564,8 @@ head_1: TOK_ID opt_ws arg_begin "\t%s = internal_handler(\"%s\");\n", decl.c_fullname.c_str(), decl.bro_fullname.c_str()); + record_bif_item(decl.bro_fullname.c_str(), 2); + // C++ prototypes of bro_event_* functions will // be generated later. } diff --git a/src/event.bif b/src/event.bif index dd7ab3c1d6..fbc02ef8b5 100644 --- a/src/event.bif +++ b/src/event.bif 
@@ -4713,238 +4713,6 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## register a port for it or add a DPD payload signature. event dhcp_inform%(c: connection, msg: dhcp_msg%); -## Generated for HTTP requests. Bro supports persistent and pipelined HTTP -## sessions and raises corresponding events as it parses client/server -## dialogues. This event is generated as soon as a request's initial line has -## been parsed, and before any :bro:id:`http_header` events are raised. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``). -## -## original_URI: The unprocessed URI as specified in the request. -## -## unescaped_URI: The URI with all percent-encodings decoded. -## -## version: The version number specified in the request (e.g., ``1.1``). -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_header http_message_done http_reply http_stats -## truncate_http_URI -event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request"; - -## Generated for HTTP replies. Bro supports persistent and pipelined HTTP -## sessions and raises corresponding events as it parses client/server -## dialogues. This event is generated as soon as a reply's initial line has -## been parsed, and before any :bro:id:`http_header` events are raised. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## version: The version number specified in the reply (e.g., ``1.1``). -## -## code: The numerical response code returned by the server. -## -## reason: The textual description returned by the server along with *code*. -## -## .. 
bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_header http_message_done http_request -## http_stats -event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply"; - -## Generated for HTTP headers. Bro supports persistent and pipelined HTTP -## sessions and raises corresponding events as it parses client/server -## dialogues. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the header was sent by the originator of the TCP connection. -## -## name: The name of the header. -## -## value: The value of the header. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_message_done http_reply http_request -## http_stats -## -## .. note:: This event is also raised for headers found in nested body -## entities. -event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header"; - -## Generated for HTTP headers, passing on all headers of an HTTP message at -## once. Bro supports persistent and pipelined HTTP sessions and raises -## corresponding events as it parses client/server dialogues. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the header was sent by the originator of the TCP connection. -## -## hlist: A *table* containing all headers extracted from the current entity. -## The table is indexed by the position of the header (1 for the first, -## 2 for the second, etc.). -## -## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data -## http_event http_header http_message_done http_reply http_request http_stats -## -## .. note:: This event is also raised for headers found in nested body -## entities. 
-event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header"; - -## Generated when starting to parse an HTTP body entity. This event is generated -## at least once for each non-empty (client or server) HTTP body; and -## potentially more than once if the body contains further nested MIME -## entities. Bro raises this event just before it starts parsing each entity's -## content. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the entity was sent by the originator of the TCP -## connection. -## -## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data -## http_event http_header http_message_done http_reply http_request http_stats -## mime_begin_entity -event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; - -## Generated when finishing parsing an HTTP body entity. This event is generated -## at least once for each non-empty (client or server) HTTP body; and -## potentially more than once if the body contains further nested MIME -## entities. Bro raises this event at the point when it has finished parsing an -## entity's content. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the entity was sent by the originator of the TCP -## connection. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data -## http_event http_header http_message_done http_reply http_request -## http_stats mime_end_entity -event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; - -## Generated when parsing an HTTP body entity, passing on the data. This event -## can potentially be raised many times for each entity, each time passing a -## chunk of the data of not further defined size. 
-## -## A common idiom for using this event is to first *reassemble* the data -## at the scripting layer by concatenating it to a successively growing -## string; and only perform further content analysis once the corresponding -## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so -## can be quite expensive for HTTP tranders. At the very least, one should -## impose an upper size limit on how much data is being buffered. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the entity was sent by the originator of the TCP -## connection. -## -## length: The length of *data*. -## -## data: One chunk of raw entity data. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_event http_header http_message_done http_reply http_request http_stats -## mime_entity_data http_entity_data_delivery_size skip_http_data -event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body"; - -## Generated for reporting an HTTP body's content type. This event is -## generated at the end of parsing an HTTP header, passing on the MIME -## type as specified by the ``Content-Type`` header. If that header is -## missing, this event is still raised with a default value of ``text/plain``. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the entity was sent by the originator of the TCP -## connection. -## -## ty: The main type. -## -## subty: The subtype. -## -## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data -## http_event http_header http_message_done http_reply http_request http_stats -## -## .. note:: This event is also raised for headers found in nested body -## entities. 
-event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body"; - -## Generated once at the end of parsing an HTTP message. Bro supports persistent -## and pipelined HTTP sessions and raises corresponding events as it parses -## client/server dialogues. A "message" is one top-level HTTP entity, such as a -## complete request or reply. Each message can have further nested sub-entities -## inside. This event is raised once all sub-entities belonging to a top-level -## message have been processed (and their corresponding ``http_entity_*`` events -## generated). -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the entity was sent by the originator of the TCP -## connection. -## -## stat: Further meta information about the message. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_header http_reply http_request http_stats -event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body"; - -## Generated for errors found when decoding HTTP requests or replies. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## event_type: A string describing the general category of the problem found -## (e.g., ``illegal format``). -## -## detail: Further more detailed description of the error. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_header http_message_done http_reply http_request -## http_stats mime_event -event http_event%(c: connection, event_type: string, detail: string%); - -## Generated at the end of an HTTP session to report statistics about it. This -## event is raised after all of an HTTP session's requests and replies have been -## fully processed. -## -## c: The connection. 
-## -## stats: Statistics summarizing HTTP-level properties of the finished -## connection. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_header http_message_done http_reply -## http_request -event http_stats%(c: connection, stats: http_stats_rec%); - ## Generated when seeing an SSH client's version identification. The SSH ## protocol starts with a clear-text handshake message that reports client and ## server protocol/software versions. This event provides access to what the 
@@ -4983,202 +4751,6 @@ event ssh_client_version%(c: connection, version: string%); ## encrypted, Bro cannot further analyze SSH sessions. event ssh_server_version%(c: connection, version: string%); -## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions -## start with an unencrypted handshake, and Bro extracts as much information out -## of that as it can. This event provides access to the initial information -## sent by the client. -## -## See `Wikipedia `__ for -## more information about the SSL/TLS protocol. -## -## c: The connection. -## -## version: The protocol version as extracted from the client's message. The -## values are standardized as part of the SSL/TLS protocol. The -## :bro:id:`SSL::version_strings` table maps them to descriptive names. -## -## possible_ts: The current time as sent by the client. Note that SSL/TLS does -## not require clocks to be set correctly, so treat with care. -## -## session_id: The session ID sent by the client (if any). -## -## ciphers: The list of ciphers the client offered to use. The values are -## standardized as part of the SSL/TLS protocol. The -## :bro:id:`SSL::cipher_desc` table maps them to descriptive names. -## -## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello -## ssl_session_ticket_handshake x509_certificate x509_error x509_extension -event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%); - -## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions -## start with an unencrypted handshake, and Bro extracts as much information out -## of that as it can. This event provides access to the initial information -## sent by the client. -## -## See `Wikipedia `__ for -## more information about the SSL/TLS protocol. -## -## c: The connection. -## -## version: The protocol version as extracted from the server's message. -## The values are standardized as part of the SSL/TLS protocol. 
The -## :bro:id:`SSL::version_strings` table maps them to descriptive names. -## -## possible_ts: The current time as sent by the server. Note that SSL/TLS does -## not require clocks to be set correctly, so treat with care. -## -## session_id: The session ID as sent back by the server (if any). -## -## cipher: The cipher chosen by the server. The values are standardized as part -## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps -## them to descriptive names. -## -## comp_method: The compression method chosen by the client. The values are -## standardized as part of the SSL/TLS protocol. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension -## ssl_session_ticket_handshake x509_certificate x509_error x509_extension -event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%); - -## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS -## sessions start with an unencrypted handshake, and Bro extracts as much -## information out of that as it can. This event provides access to any -## extensions either side sends as part of an extended *hello* message. -## -## c: The connection. -## -## is_orig: True if event is raised for originator side of the connection. -## -## code: The numerical code of the extension. The values are standardized as -## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps -## them to descriptive names. -## -## val: The raw extension value that was sent in the message. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake x509_certificate x509_error x509_extension -event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); - -## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with -## an unencrypted handshake, and Bro extracts as much information out of that -## as it can. 
This event signals the time when an SSL/TLS has finished the -## handshake and its endpoints consider it as fully established. Typically, -## everything from now on will be encrypted. -## -## See `Wikipedia `__ for -## more information about the SSL/TLS protocol. -## -## c: The connection. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_extension ssl_server_hello -## ssl_session_ticket_handshake x509_certificate x509_error x509_extension -event ssl_established%(c: connection%); - -## Generated for SSL/TLS alert records. SSL/TLS sessions start with an -## unencrypted handshake, and Bro extracts as much information out of that as -## it can. If during that handshake, an endpoint encounters a fatal error, it -## sends an *alert* record, that in turn triggers this event. After an *alert*, -## any endpoint may close the connection immediately. -## -## See `Wikipedia `__ for -## more information about the SSL/TLS protocol. -## -## c: The connection. -## -## is_orig: True if event is raised for originator side of the connection. -## -## level: The severity level, as sent in the *alert*. The values are defined as -## part of the SSL/TLS protocol. -## -## desc: A numerical value identifying the cause of the *alert*. The values are -## defined as part of the SSL/TLS protocol. -## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello -## ssl_session_ticket_handshake x509_certificate x509_error x509_extension -event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); - -## Generated for SSL/TLS handshake messages that are a part of the -## stateless-server session resumption mechanism. SSL/TLS sessions start with -## an unencrypted handshake, and Bro extracts as much information out of that -## as it can. This event is raised when an SSL/TLS server passes a session -## ticket to the client that can later be used for resuming the session. 
The -## mechanism is described in :rfc:`4507` -## -## See `Wikipedia `__ for -## more information about the SSL/TLS protocol. -## -## c: The connection. -## -## ticket_lifetime_hint: A hint from the server about how long the ticket -## should be stored by the client. -## -## ticket: The raw ticket data. -## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello -## x509_certificate x509_error x509_extension ssl_alert -event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%); - -## Generated for X509 certificates seen in SSL/TLS connections. During the -## initial SSL/TLS handshake, certificates are exchanged in the clear. Bro -## raises this event for each certificate seen (including both a site's primary -## cert, and further certs sent as part of the validation chain). -## -## See `Wikipedia `__ for more information -## about the X.509 format. -## -## c: The connection. -## -## is_orig: True if event is raised for originator side of the connection. -## -## cert: The parsed certificate. -## -## chain_idx: The index in the validation chain that this cert has. Index zero -## indicates an endpoint's primary cert, while higher indices -## indicate the place in the validation chain (which has length -## *chain_len*). -## -## chain_len: The total length of the validation chain that this cert is part -## of. -## -## der_cert: The complete cert encoded in `DER -## `__ -## format. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension -## ssl_server_hello x509_error x509_extension x509_verify -event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%); - -## Generated for X509 extensions seen in a certificate. -## -## See `Wikipedia `__ for more information -## about the X.509 format. -## -## c: The connection. -## -## is_orig: True if event is raised for originator side of the connection. 
-## -## data: The raw data associated with the extension. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension -## ssl_server_hello x509_certificate x509_error x509_verify -event x509_extension%(c: connection, is_orig: bool, data: string%); - -## Generated when errors occur during parsing an X509 certificate. -## -## See `Wikipedia `__ for more information -## about the X.509 format. -## -## c: The connection. -## -## is_orig: True if event is raised for originator side of the connection. -## -## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` -## maps error codes to a textual description. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension -## ssl_server_hello x509_certificate x509_extension x509_err2str x509_verify -event x509_error%(c: connection, is_orig: bool, err: count%); - ## TODO. ## ## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request diff --git a/src/main.cc b/src/main.cc index 8bfc9300c4..7a86bde6da 100644 --- a/src/main.cc +++ b/src/main.cc @@ -56,7 +56,6 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "input/Manager.h" #include "logging/Manager.h" #include "logging/writers/Ascii.h" -#include "analyzer/BuiltInAnalyzers.h" #include "analyzer/Manager.h" #include "analyzer/Tag.h" #include "plugin/Manager.h" @@ -180,7 +179,7 @@ void usage() fprintf(stderr, " -I|--print-id | print out given ID\n"); fprintf(stderr, " -K|--md5-hashkey | set key for MD5-keyed hashing\n"); fprintf(stderr, " -L|--rule-benchmark | benchmark for rules\n"); - fprintf(stderr, " -N|--print-plugins | print all available plugins and exit\n"); + fprintf(stderr, " -N|--print-plugins | print available plugins and exit (-NN for verbose)\n"); fprintf(stderr, " -O|--optimize | optimize policy script\n"); fprintf(stderr, " -P|--prime-dns | prime DNS\n"); fprintf(stderr, " -R|--replay | replay events\n"); 
@@ -238,7 +237,7 @@ void usage() exit(1); } -void show_plugins() +void show_plugins(int level) { plugin::Manager::plugin_list plugins = plugin_mgr->Plugins(); @@ -250,10 +249,15 @@ void show_plugins() ODesc d; + if ( level == 1 ) + d.SetShort(); + for ( plugin::Manager::plugin_list::const_iterator i = plugins.begin(); i != plugins.end(); i++ ) { (*i)->Describe(&d); - d.NL(); + + if ( ! d.IsShort() ) + d.Add("\n"); } printf("%s", d.Description()); @@ -641,7 +645,7 @@ int main(int argc, char** argv) break; case 'N': - print_plugins = 1; + ++print_plugins; break; case 'O': @@ -785,7 +789,7 @@ int main(int argc, char** argv) if ( optind == argc && read_files.length() == 0 && flow_files.length() == 0 && interfaces.length() == 0 && - ! (id_name || bst_file) && ! command_line_policy ) + ! (id_name || bst_file) && ! command_line_policy && ! print_plugins ) add_input_file("-"); // Process remaining arguments. X=Y arguments indicate script @@ -816,16 +820,8 @@ int main(int argc, char** argv) log_mgr = new logging::Manager(); input_mgr = new input::Manager(); plugin_mgr = new plugin::Manager(); - - plugin_mgr->RegisterPlugin(new analyzer::BuiltinAnalyzers()); plugin_mgr->InitPlugins(); - if ( print_plugins ) - { - show_plugins(); - exit(1); - } - analyzer_mgr->Init(); if ( events_file ) @@ -846,6 +842,14 @@ int main(int argc, char** argv) yyparse(); + plugin_mgr->InitPluginsBif(); + + if ( print_plugins ) + { + show_plugins(print_plugins); + exit(1); + } + #ifdef USE_PERFTOOLS_DEBUG } #endif diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc index c4276ca1ff..ddedf7abbb 100644 --- a/src/plugin/Component.cc +++ b/src/plugin/Component.cc @@ -1,4 +1,3 @@ - #include "Component.h" #include "../Desc.h" diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h new file mode 100644 index 0000000000..f10d6adf45 --- /dev/null +++ b/src/plugin/Macros.h 
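Review bot: The `-N` path exits with status 1 after successfully printing the plugin list (`show_plugins(print_plugins); exit(1);`), so any wrapper script will treat `bro -N` as a failure; `exit(0)` is the conventional status for an informational option. The listing also now runs only after `yyparse()` and `plugin_mgr->InitPluginsBif()`, which means `-N` requires the default scripts to load cleanly; if that is intentional (the BIF items that `InitPluginsBif()` collects are what the verbose `-NN` output prints), a comment above the `if` should say so, e.g. `// Must run after yyparse()/InitPluginsBif() so the BIF items each plugin provides are known.` The enclosing `main()` starts and ends outside this hunk.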
@@ -0,0 +1,42 @@ + +#ifndef PLUGIN_MACROS_H +#define PLUGIN_MACROS_H + +#include "analyzer/PluginComponent.h" + +#define BRO_PLUGIN_VERSION_BUILTIN -1 +#define BRO_PLUGIN_API_VERSION 1 + +#define _BRO_PLUGIN_VERSION_DEFAULT -1 + +#define BRO_PLUGIN_BEGIN(_name) \ + namespace plugin { namespace _name { \ + class Plugin : public plugin::Plugin { \ + protected: \ + void Init() \ + { \ + plugin::Description _desc; \ + _desc.name = #_name; \ + _desc.version = _BRO_PLUGIN_VERSION_DEFAULT; \ + _desc.api_version = BRO_PLUGIN_API_VERSION; + +#define BRO_PLUGIN_END \ + SetDescription(_desc); \ + } \ + }; \ + \ + static Plugin __plugin; \ + } } + +#define BRO_PLUGIN_DESCRIPTION _desc.description +#define BRO_PLUGIN_URL _desc.url +#define BRO_PLUGIN_VERSION _desc.version + +#define BRO_PLUGIN_BIF_FILE(file) \ + std::list > __bif_##file##_init(); \ + AddBifInitFunction(&__bif_##file##_init); + +#define BRO_PLUGIN_ANALYZER(tag, factory, enabled, partial) \ + AddComponent(new ::analyzer::PluginComponent(tag, factory, enabled, partial)); + +#endif diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 62440c0039..b969e581c7 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -31,21 +31,7 @@ bool Manager::LoadPluginsFrom(const std::string& dir) bool Manager::RegisterPlugin(Plugin *plugin) { - assert(! init); - - plugin::Description desc = plugin->GetDescription(); - - if ( desc.version != plugin::API_BUILTIN ) - { - if ( desc.api_version == API_ERROR ) - reporter->InternalError("API version of plugin %s not initialized", desc.name.c_str()); - - if ( desc.api_version != API_VERSION ) - reporter->FatalError("API version mismatch for plugin %s: expected %d, but have %d", - desc.name.c_str(), API_VERSION, desc.version); - } - - plugins.push_back(plugin); + Manager::PluginsInternal()->push_back(plugin); return true; } 
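Review bot: `RegisterPlugin()` drops the API-version check entirely, so a plugin built against a different `BRO_PLUGIN_API_VERSION` is now accepted silently; for dynamically loaded plugins that is an ABI mismatch waiting to happen. Registration now runs from `Plugin::Plugin()` before `Init()` has filled in the description, so the check cannot stay here, but it can be restored in `InitPlugins()` right after `(*i)->Init()` (next hunk) using the values the `BRO_PLUGIN_*` macros set; `reporter` was already used in this file by the removed code. Note that the removed message printed `desc.version` where it meant `desc.api_version`; the restored check should report the API version. The dropped `assert(! init)` is presumably gone because static plugin objects register during start-up, and a one-line comment saying so would stop someone from putting it back.
```cpp
void Manager::InitPlugins()
	{
	assert(! init);

	for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ )
		{
		(*i)->Init();

		// Built-in plugins are exempt; anything else must match the API we were built with.
		plugin::Description desc = (*i)->GetDescription();

		if ( desc.version != BRO_PLUGIN_VERSION_BUILTIN && desc.api_version != BRO_PLUGIN_API_VERSION )
			reporter->FatalError("API version mismatch for plugin %s: expected %d, but have %d",
			                     desc.name.c_str(), BRO_PLUGIN_API_VERSION, desc.api_version);
		}

	init = true;
	}
```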
@@ -53,29 +39,48 @@ void Manager::InitPlugins() { assert(! init); - for ( plugin_list::iterator i = plugins.begin(); i != plugins.end(); i++ ) + for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) (*i)->Init(); init = true; } +void Manager::InitPluginsBif() + { + assert(init); + + for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) + (*i)->InitBif(); + + init = true; + } + void Manager::FinishPlugins() { assert(init); - for ( plugin_list::iterator i = plugins.begin(); i != plugins.end(); i++ ) + for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) { (*i)->Done(); - delete *i; +// delete *i; } - plugins.clear(); + Manager::PluginsInternal()->clear(); init = false; } Manager::plugin_list Manager::Plugins() const { - return plugins; -} + return *Manager::PluginsInternal(); + } +Manager::plugin_list* Manager::PluginsInternal() + { + static plugin_list* plugins = 0; + + if ( ! plugins ) + plugins = new plugin_list; + + return plugins; + } diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 26f07dc944..44ec8913c6 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -29,15 +29,22 @@ public: /** * - * @param plugin: The plugin to register. The method takes ownership. + * @param plugin: The plugin to register. The method does not take + * ownershop but assume the pointer will leave at least until the + * Manager is destroyed. */ - bool RegisterPlugin(Plugin *plugin); // Takes ownership. + static bool RegisterPlugin(Plugin *plugin); /** * */ void InitPlugins(); + /** + * + */ + void InitPluginsBif(); + /** * */ @@ -55,8 +62,9 @@ public: std::list Components(component::Type type) const; private: + static plugin_list* PluginsInternal(); + bool init; - plugin_list plugins; }; template 
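Review bot: `FinishPlugins()` comments out `delete *i;` without saying why, and `PluginsInternal()` allocates a `plugin_list` that is never freed; both look deliberate (plugins are now static objects that register themselves from `Plugin::Plugin()`, and the list must exist before any static initializer runs), but a future reader will see a leak and "fix" it. Replace the commented-out line with `// Plugins are static objects that registered themselves; the Manager never owned them, so they are not deleted here.` and give `PluginsInternal()` a note that the function-local static is what makes registration safe during static initialization. `InitPluginsBif()` also sets `init = true;` right after `assert(init)`, which is a no-op and can be dropped.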
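Review bot: The new `RegisterPlugin()` doc comment has two typos that change its meaning: "ownershop" and "the pointer will leave at least until" should read `The method does not take ownership but assumes the pointer stays valid at least until the Manager is destroyed.` Since the method is now `static` and is called from `Plugin::Plugin()`, it may run before any `Manager` instance (or `plugin_mgr`) exists, and it always returns `true`; both facts belong in the same comment. `InitPluginsBif()` gets an empty `/** */` block; a one-liner such as `Runs the BIF initialization functions each plugin registered via BRO_PLUGIN_BIF_FILE; must be called after InitPlugins().` would do.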
@@ -64,7 +72,7 @@ std::list Manager::Components(component::Type type) const { std::list result; - for ( plugin_list::const_iterator p = plugins.begin(); p != plugins.end(); p++ ) + for ( plugin_list::const_iterator p = PluginsInternal()->begin(); p != PluginsInternal()->end(); p++ ) { component_list components = (*p)->Components(); diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index e5a09e0dcc..69377fd97a 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -2,6 +2,7 @@ #include #include "Plugin.h" +#include "Manager.h" #include "Component.h" #include "../Desc.h" @@ -11,11 +12,15 @@ using namespace plugin; Description::Description() { name = ""; - api_version = API_VERSION; + + // These will be reset by the BRO_PLUGIN_* macros. + version = -9999; + api_version = -9999; } Plugin::Plugin() { + Manager::RegisterPlugin(this); } Description Plugin::GetDescription() const @@ -37,6 +42,27 @@ void Plugin::Init() { } +void Plugin::InitBif() + { + for ( bif_init_func_list::const_iterator f = bif_inits.begin(); f != bif_inits.end(); f++ ) + { + bif_init_func_result items = (**f)(); + + for ( bif_init_func_result::const_iterator i = items.begin(); i != items.end(); i++ ) + { + BifItem bi; + bi.id = (*i).first; + bi.type = (BifItem::Type)(*i).second; + bif_items.push_back(bi); + } + } + } + +const Plugin::bif_item_list& Plugin::BifItems() + { + return bif_items; + } + void Plugin::Done() { for ( component_list::const_iterator i = components.begin(); i != components.end(); i++ ) @@ -55,6 +81,11 @@ void Plugin::AddComponent(Component* c) components.push_back(c); } +void Plugin::AddBifInitFunction(bif_init_func c) + { + bif_inits.push_back(c); + } + void Plugin::Describe(ODesc* d) { d->Add("Plugin: "); @@ -66,7 +97,7 @@ void Plugin::Describe(ODesc* d) d->Add(description.description); } - if ( description.version != API_BUILTIN ) + if ( description.version != BRO_PLUGIN_VERSION_BUILTIN ) { d->Add(" (version "); d->Add(description.version); 
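Review bot: `Plugin::Plugin()` now registers `this` with the Manager from the base-class constructor, i.e. during static initialization for the `static Plugin __plugin` objects that `BRO_PLUGIN_BEGIN` emits, and before the derived object is fully constructed; that is fine because the Manager only stores the pointer, but it deserves a comment: `// Self-register; the Manager only stores the pointer, so doing this before the derived part is constructed is safe.` The `-9999` sentinels in `Description::Description()` replace the typed `API_ERROR` constant this patch removes from Plugin.h with a magic number that nothing checks; a named constant next to `BRO_PLUGIN_VERSION_BUILTIN` in Macros.h would keep the intent greppable.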
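Review bot: `InitBif()` converts the integer bifcl emits straight into `BifItem::Type` with a C-style cast (`bi.type = (BifItem::Type)(*i).second;`) and no range check, so a value outside `FUNCTION..TYPE` becomes an enum with no enumerator and `Describe()` later prints an empty tag for it. A `static_cast<BifItem::Type>` plus an `assert` on the range (or a reporter error, if `reporter` is reachable from this file) would surface a bifcl/Bro mismatch at start-up instead of hiding it in `-NN` output.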
@@ -83,12 +114,53 @@ void Plugin::Describe(ODesc* d) else d->Add(" (built-in)"); - d->NL(); + d->Add("\n"); + + if ( d->IsShort() ) + return; for ( component_list::const_iterator i = components.begin(); i != components.end(); i++ ) { (*i)->Describe(d); - d->NL(); + d->Add("\n"); + } + + for ( bif_item_list::const_iterator i = bif_items.begin(); i != bif_items.end(); i++ ) + { + const char* type = 0; + + switch ( (*i).type ) { + case BifItem::FUNCTION: + type = "Function"; + break; + + case BifItem::EVENT: + type = "Event"; + break; + + case BifItem::CONSTANT: + type = "Constant"; + break; + + case BifItem::GLOBAL: + type = "Global"; + break; + + case BifItem::TYPE: + type = "Type"; + break; + + default: + type = ""; + } + + d->Add(" "); + d->Add("["); + d->Add(type); + d->Add("] "); + d->Add((*i).id); + d->Add("\n"); } } + diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index f62b81772f..314de47083 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -5,6 +5,8 @@ #include #include +#include "Macros.h" + class ODesc; namespace plugin { @@ -12,10 +14,6 @@ namespace plugin { class Manager; class Component; -static const int API_VERSION = 1; -static const int API_BUILTIN = -1; -static const int API_ERROR = -2; - struct Description { std::string name; std::string description; @@ -27,9 +25,18 @@ struct Description { void Describe(ODesc* d); }; +struct BifItem { + // Values must match the integers bifcl generates. + enum Type { FUNCTION = 1, EVENT = 2, CONSTANT = 3, GLOBAL = 4, TYPE = 5 }; + + std::string id; + Type type; +}; + class Plugin { public: typedef std::list component_list; + typedef std::list bif_item_list; Plugin(); virtual ~Plugin(); @@ -39,6 +46,11 @@ public: component_list Components(); + void InitBif(); + + // Must be called after InitBif() only. + const bif_item_list& BifItems(); + virtual void Init(); virtual void Done(); 
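Review bot: In the new `Describe()` switch, `default: type = "";` silently prints `[] <id>` for an unknown BIF item type, which hides exactly the bifcl mismatch that the `// Values must match the integers bifcl generates.` comment in Plugin.h warns about; printing `"Unknown"` (or the numeric value) would make it visible. The per-item output is also built from five separate `d->Add()` calls; a short comment above the loop, `// One line per BIF item: "  [Type] id"`, would let a reader skip the details.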
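Review bot: `BifItems()` returns a reference to member state but is not a `const` member function, and its contract ("Must be called after InitBif() only") is given as a trailing `//` comment rather than in the Doxygen style the rest of this header uses; `const bif_item_list& BifItems() const;` with a `/** ... */` block stating that the list is empty until `InitBif()` has run would match `Components()` and `Describe()`. The new `BifItem` struct could likewise use a one-line doc comment saying it mirrors what bifcl emits per declared function/event/constant/global/type.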
@@ -50,9 +62,17 @@ protected: */ void AddComponent(Component* c); + typedef std::list > bif_init_func_result; + typedef bif_init_func_result (*bif_init_func)(); + void AddBifInitFunction(bif_init_func c); + private: + typedef std::list bif_init_func_list; + plugin::Description description; component_list components; + bif_item_list bif_items; + bif_init_func_list bif_inits; }; } diff --git a/src/analyzer/BuiltInAnalyzers.cc b/src/protocols/BuiltInAnalyzers.cc similarity index 91% rename from src/analyzer/BuiltInAnalyzers.cc rename to src/protocols/BuiltInAnalyzers.cc index e65dbdb62e..0c96ab17e4 100644 --- a/src/analyzer/BuiltInAnalyzers.cc +++ b/src/protocols/BuiltInAnalyzers.cc @@ -1,6 +1,9 @@ +// TODO: This file will eventually go away once we've converrted all +// analyzers into separate plugins. + #include "BuiltInAnalyzers.h" -#include "PluginComponent.h" +#include "analyzer/PluginComponent.h" #include "../binpac_bro.h" @@ -11,8 +14,6 @@ #include "Finger.h" #include "InterConn.h" #include "NTP.h" -#include "HTTP.h" -#include "HTTP-binpac.h" #include "ICMP.h" #include "SteppingStone.h" #include "IRC.h" @@ -37,7 +38,6 @@ #include "POP3.h" #include "SOCKS.h" #include "SSH.h" -#include "SSL.h" #include "Syslog-binpac.h" #include "Teredo.h" #include "ConnSizeAnalyzer.h" @@ -45,6 +45,8 @@ using namespace analyzer; +BuiltinAnalyzers builtin_analyzers; + #define DEFINE_ANALYZER(name, factory, enabled, partial) \ AddComponent(new PluginComponent(name, factory, enabled, partial)) @@ -53,7 +55,7 @@ void BuiltinAnalyzers::Init() plugin::Description desc; desc.name = "Core-Analyzers"; desc.description = "Built-in protocol analyzers"; - desc.version = plugin::API_BUILTIN; + desc.version = BRO_PLUGIN_VERSION_BUILTIN; SetDescription(desc); DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer, true, false); 
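Review bot: `BuiltinAnalyzers builtin_analyzers;` is a namespace-scope global whose constructor (through `Plugin::Plugin()`) is now the only thing that registers the built-in analyzers, since the explicit `RegisterPlugin(new analyzer::BuiltinAnalyzers())` call was removed from main.cc. That works only if this translation unit is actually linked in, which a static-library build will not guarantee unless something references a symbol from it, so the dependency should be stated: `// Registers the built-in analyzers via Plugin::Plugin(); this TU must be linked unconditionally.` The `DEFINE_ANALYZER` macro below duplicates `BRO_PLUGIN_ANALYZER` from Macros.h; the TODO at the top already marks the file as transitional, so that is acceptable for now.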
@@ -71,7 +73,7 @@ void BuiltinAnalyzers::Init() DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); + // DEFINE_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("LOGIN", 0, true, false); // just a base class @@ -92,8 +94,8 @@ void BuiltinAnalyzers::Init() DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("DNS_TCP_BINPAC", DNS_TCP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); DEFINE_ANALYZER("DNS_UDP_BINPAC", DNS_UDP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); - DEFINE_ANALYZER("HTTP_BINPAC", HTTP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); - DEFINE_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); + // DEFINE_ANALYZER("HTTP_BINPAC", HTTP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); + // DEFINE_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer, true, false); diff --git a/src/analyzer/BuiltInAnalyzers.h b/src/protocols/BuiltInAnalyzers.h similarity index 100% rename from src/analyzer/BuiltInAnalyzers.h rename to src/protocols/BuiltInAnalyzers.h diff --git a/src/protocols/CMakeLists.txt b/src/protocols/CMakeLists.txt new file mode 100644 index 0000000000..35db6549fa --- /dev/null +++ b/src/protocols/CMakeLists.txt @@ -0,0 +1,3 @@ + +add_subdirectory(http) +add_subdirectory(ssl) 
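Review bot: The HTTP, HTTP_BINPAC and SSL entries are commented out rather than deleted; git keeps the history, and commented-out registrations next to live ones invite someone to re-enable an analyzer that now also registers itself from a plugin, so the three lines should simply go. Of more concern, the new HTTP plugin (src/protocols/http/HTTP.cc in this patch) registers only `HTTP_Analyzer`, unconditionally, so the `FLAGS_use_binpac` switch that previously selected `HTTP_Analyzer_binpac` no longer has any effect for HTTP as far as this patch shows; if dropping the binpac HTTP analyzer is intended, the TODO at the top of the file should say so.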
diff --git a/src/protocols/http/CMakeLists.txt b/src/protocols/http/CMakeLists.txt new file mode 100644 index 0000000000..b6d877cdd7 --- /dev/null +++ b/src/protocols/http/CMakeLists.txt @@ -0,0 +1,11 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(HTTP) +bro_plugin_cc(HTTP.cc) +bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) +bro_plugin_end() + diff --git a/src/HTTP.cc b/src/protocols/http/HTTP.cc similarity index 99% rename from src/HTTP.cc rename to src/protocols/http/HTTP.cc index 5b49f8844e..2812f3662b 100644 --- a/src/HTTP.cc +++ b/src/protocols/http/HTTP.cc @@ -13,6 +13,15 @@ #include "Event.h" #include "MIME.h" +#include "plugin/Plugin.h" + +BRO_PLUGIN_BEGIN(HTTP) + BRO_PLUGIN_DESCRIPTION = "HTTP Analyzer"; + BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, true, false); + BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); +BRO_PLUGIN_END + const bool DEBUG_http = false; // The EXPECT_*_NOTHING states are used to prevent further parsing. Used if a diff --git a/src/HTTP.h b/src/protocols/http/HTTP.h similarity index 99% rename from src/HTTP.h rename to src/protocols/http/HTTP.h index e8746e9d52..6cb2199696 100644 --- a/src/HTTP.h +++ b/src/protocols/http/HTTP.h @@ -9,6 +9,8 @@ #include "binpac_bro.h" #include "ZIP.h" #include "IPAddr.h" +#include "HTTP.h" +#include "events.bif.h" enum CHUNKED_TRANSFER_STATE { NON_CHUNKED_TRANSFER, diff --git a/src/protocols/http/events.bif b/src/protocols/http/events.bif new file mode 100644 index 0000000000..e4f71f70fc --- /dev/null +++ b/src/protocols/http/events.bif 
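Review bot: The HTTP plugin definition lives inline in HTTP.cc, whereas the SSL plugin in the same patch gets its own src/protocols/ssl/Plugin.cc; one convention per plugin would be easier to maintain and to copy for future analyzers. The `BRO_PLUGIN_BEGIN(HTTP)` block also does not say what `BRO_PLUGIN_BIF_FILE(events)` and `BRO_PLUGIN_BIF_FILE(functions)` bind to (the `__bif_events_init` / `__bif_functions_init` functions that Macros.h declares and that `bro_plugin_bif()` in CMakeLists.txt presumably generates); a comment such as `// events.bif / functions.bif are compiled by bro_plugin_bif() in CMakeLists.txt.` would tie the two together.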
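Review bot: The added `#include "HTTP.h"` is inside HTTP.h itself, so the header now includes itself; assuming the header has an include guard this is harmless, but it is almost certainly a leftover from the move and should be removed, leaving only `#include "events.bif.h"`. That remaining include depends on the build directory being on the include path, which the `include_directories(BEFORE ... ${CMAKE_CURRENT_BINARY_DIR})` line in the plugin's CMakeLists.txt provides; a short comment naming that dependency would save the next person a build-failure round trip.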
@@ -0,0 +1,232 @@ + +## Generated for HTTP requests. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. This event is generated as soon as a request's initial line has +## been parsed, and before any :bro:id:`http_header` events are raised. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``). +## +## original_URI: The unprocessed URI as specified in the request. +## +## unescaped_URI: The URI with all percent-encodings decoded. +## +## version: The version number specified in the request (e.g., ``1.1``). +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_header http_message_done ply http_stats +## truncate_http_URI +event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request"; + +## Generated for HTTP replies. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. This event is generated as soon as a reply's initial line has +## been parsed, and before any :bro:id:`http_header` events are raised. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## version: The version number specified in the reply (e.g., ``1.1``). +## +## code: The numerical response code returned by the server. +## +## reason: The textual description returned by the server along with *code*. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_header http_message_done http_request +## http_stats +event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply"; + +## Generated for HTTP headers. 
Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the header was sent by the originator of the TCP connection. +## +## name: The name of the header. +## +## value: The value of the header. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_message_done http_reply http_request +## http_stats +## +## .. note:: This event is also raised for headers found in nested body +## entities. +event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header"; + +## Generated for HTTP headers, passing on all headers of an HTTP message at +## once. Bro supports persistent and pipelined HTTP sessions and raises +## corresponding events as it parses client/server dialogues. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the header was sent by the originator of the TCP connection. +## +## hlist: A *table* containing all headers extracted from the current entity. +## The table is indexed by the position of the header (1 for the first, +## 2 for the second, etc.). +## +## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data +## http_event http_header http_message_done http_reply http_request http_stats +## +## .. note:: This event is also raised for headers found in nested body +## entities. +event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header"; + +## Generated when starting to parse an HTTP body entity. This event is generated +## at least once for each non-empty (client or server) HTTP body; and +## potentially more than once if the body contains further nested MIME +## entities. 
Bro raises this event just before it starts parsing each entity's +## content. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the entity was sent by the originator of the TCP +## connection. +## +## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data +## http_event http_header http_message_done http_reply http_request http_stats +## mime_begin_entity +event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; + +## Generated when finishing parsing an HTTP body entity. This event is generated +## at least once for each non-empty (client or server) HTTP body; and +## potentially more than once if the body contains further nested MIME +## entities. Bro raises this event at the point when it has finished parsing an +## entity's content. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the entity was sent by the originator of the TCP +## connection. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data +## http_event http_header http_message_done http_reply http_request +## http_stats mime_end_entity +event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; + +## Generated when parsing an HTTP body entity, passing on the data. This event +## can potentially be raised many times for each entity, each time passing a +## chunk of the data of not further defined size. +## +## A common idiom for using this event is to first *reassemble* the data +## at the scripting layer by concatenating it to a successively growing +## string; and only perform further content analysis once the corresponding +## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so +## can be quite expensive for HTTP tranders. At the very least, one should +## impose an upper size limit on how much data is being buffered. 
+## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the entity was sent by the originator of the TCP +## connection. +## +## length: The length of *data*. +## +## data: One chunk of raw entity data. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_event http_header http_message_done http_reply http_request http_stats +## mime_entity_data http_entity_data_delivery_size skip_http_data +event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body"; + +## Generated for reporting an HTTP body's content type. This event is +## generated at the end of parsing an HTTP header, passing on the MIME +## type as specified by the ``Content-Type`` header. If that header is +## missing, this event is still raised with a default value of ``text/plain``. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the entity was sent by the originator of the TCP +## connection. +## +## ty: The main type. +## +## subty: The subtype. +## +## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data +## http_event http_header http_message_done http_reply http_request http_stats +## +## .. note:: This event is also raised for headers found in nested body +## entities. +event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body"; + +## Generated once at the end of parsing an HTTP message. Bro supports persistent +## and pipelined HTTP sessions and raises corresponding events as it parses +## client/server dialogues. A "message" is one top-level HTTP entity, such as a +## complete request or reply. Each message can have further nested sub-entities +## inside. 
This event is raised once all sub-entities belonging to a top-level +## message have been processed (and their corresponding ``http_entity_*`` events +## generated). +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the entity was sent by the originator of the TCP +## connection. +## +## stat: Further meta information about the message. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_header http_reply http_request http_stats +event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body"; + +## Generated for errors found when decoding HTTP requests or replies. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## event_type: A string describing the general category of the problem found +## (e.g., ``illegal format``). +## +## detail: Further more detailed description of the error. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_header http_message_done http_reply http_request +## http_stats mime_event +event http_event%(c: connection, event_type: string, detail: string%); + +## Generated at the end of an HTTP session to report statistics about it. This +## event is raised after all of an HTTP session's requests and replies have been +## fully processed. +## +## c: The connection. +## +## stats: Statistics summarizing HTTP-level properties of the finished +## connection. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_header http_message_done http_reply +## http_request +event http_stats%(c: connection, stats: http_stats_rec%); diff --git a/src/protocols/http/functions.bif b/src/protocols/http/functions.bif new file mode 100644 index 0000000000..0e1c63f721 --- /dev/null 
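Review bot: Two typos in the new documentation: the see-also list for `http_request` contains `ply` where `http_reply` is meant, and the `http_entity_data` text says "expensive for HTTP tranders" where "transfers" is meant. Because these `##` comments are what the generated reference manual shows, they are worth fixing before the file is moved again. The `unescaped_URI` parameter is documented only as "The URI with all percent-encodings decoded"; a pointer to the caveat already written for `unescape_URI` in functions.bif (decoding a completed URI can change its meaning, RFC 2396) would warn script authors against matching on the decoded form alone.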
+++ b/src/protocols/http/functions.bif @@ -0,0 +1,56 @@ + +%%{ +#include "protocols/http/HTTP.h" +%%} + +## Skips the data of the HTTP entity. +## +## c: The HTTP connection. +## +## is_orig: If true, the client data is skipped, and the server data otherwise. +## +## .. bro:see:: skip_smtp_data +function skip_http_entity_data%(c: connection, is_orig: bool%): any + %{ + analyzer::ID id = mgr.CurrentAnalyzer(); + if ( id ) + { + analyzer::Analyzer* ha = c->FindAnalyzer(id); + + if ( ha ) + { + if ( ha->IsAnalyzer("HTTP") ) + static_cast(ha)->SkipEntityData(is_orig); + else + reporter->Error("non-HTTP analyzer associated with connection record"); + } + else + reporter->Error("could not find analyzer for skip_http_entity_data"); + + } + else + reporter->Error("no analyzer associated with connection record"); + + return 0; + %} + +## Unescapes all characters in a URI (decode every ``%xx`` group). +## +## URI: The URI to unescape. +## +## Returns: The unescaped URI with all ``%xx`` groups decoded. +## +## .. note:: +## +## Unescaping reserved characters may cause loss of information. RFC 2396: +## A URI is always in an "escaped" form, since escaping or unescaping a +## completed URI might change its semantics. Normally, the only time +## escape encodings can safely be made is when the URI is being created +## from its component parts. +function unescape_URI%(URI: string%): string + %{ + const u_char* line = URI->Bytes(); + const u_char* const line_end = line + URI->Len(); + + return new StringVal(unescape_URI(line, line_end, 0)); + %} diff --git a/src/protocols/ssl/CMakeLists.txt b/src/protocols/ssl/CMakeLists.txt new file mode 100644 index 0000000000..9ee8fd9b1e --- /dev/null +++ b/src/protocols/ssl/CMakeLists.txt 
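Review bot: `skip_http_entity_data` reports every failure (no current analyzer, analyzer not found, wrong analyzer type) through `reporter->Error()` and then returns exactly as it does on success, so a script cannot tell whether the skip took effect; the doc comment should say so, e.g. `## Errors are reported via the reporter; the function has no return value that signals failure.` The three-deep `if/else` ladder would also read better as guard clauses that return early after each error, since every branch ends in `return 0;` anyway. The RFC 2396 note on `unescape_URI` is the right caveat for callers and should stay.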
@@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SSL) +bro_plugin_cc(SSL.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(ssl.pac ssl-analyzer.pac ssl-protocol.pac ssl-defs.pac) +bro_plugin_end() diff --git a/src/protocols/ssl/Plugin.cc b/src/protocols/ssl/Plugin.cc new file mode 100644 index 0000000000..3e42ae0c32 --- /dev/null +++ b/src/protocols/ssl/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "SSL.h" + +BRO_PLUGIN_BEGIN(SSL) + BRO_PLUGIN_DESCRIPTION = "SSL Analyzer"; + BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/SSL.cc b/src/protocols/ssl/SSL.cc similarity index 99% rename from src/SSL.cc rename to src/protocols/ssl/SSL.cc index 7dd2e0525a..da3e1e55f3 100644 --- a/src/SSL.cc +++ b/src/protocols/ssl/SSL.cc @@ -1,3 +1,4 @@ + #include "SSL.h" #include "TCP_Reassembler.h" #include "Reporter.h" diff --git a/src/SSL.h b/src/protocols/ssl/SSL.h similarity index 97% rename from src/SSL.h rename to src/protocols/ssl/SSL.h index ee2148450f..cf6269a6e4 100644 --- a/src/SSL.h +++ b/src/protocols/ssl/SSL.h @@ -1,6 +1,8 @@ #ifndef ssl_h #define ssl_h +#include "events.bif.h" + #include "TCP.h" #include "ssl_pac.h" diff --git a/src/protocols/ssl/events.bif b/src/protocols/ssl/events.bif new file mode 100644 index 0000000000..3d0c7e9d6a --- /dev/null +++ b/src/protocols/ssl/events.bif 
@@ -0,0 +1,195 @@ +## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions +## start with an unencrypted handshake, and Bro extracts as much information out +## of that as it can. This event provides access to the initial information +## sent by the client. +## +## See `Wikipedia `__ for +## more information about the SSL/TLS protocol. +## +## c: The connection. +## +## version: The protocol version as extracted from the client's message. The +## values are standardized as part of the SSL/TLS protocol. The +## :bro:id:`SSL::version_strings` table maps them to descriptive names. +## +## possible_ts: The current time as sent by the client. Note that SSL/TLS does +## not require clocks to be set correctly, so treat with care. +## +## session_id: The session ID sent by the client (if any). +## +## ciphers: The list of ciphers the client offered to use. The values are +## standardized as part of the SSL/TLS protocol. The +## :bro:id:`SSL::cipher_desc` table maps them to descriptive names. +## +## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello +## ssl_session_ticket_handshake x509_certificate x509_error x509_extension +event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%); + +## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions +## start with an unencrypted handshake, and Bro extracts as much information out +## of that as it can. This event provides access to the initial information +## sent by the client. +## +## See `Wikipedia `__ for +## more information about the SSL/TLS protocol. +## +## c: The connection. +## +## version: The protocol version as extracted from the server's message. +## The values are standardized as part of the SSL/TLS protocol. The +## :bro:id:`SSL::version_strings` table maps them to descriptive names. +## +## possible_ts: The current time as sent by the server. 
Note that SSL/TLS does +## not require clocks to be set correctly, so treat with care. +## +## session_id: The session ID as sent back by the server (if any). +## +## cipher: The cipher chosen by the server. The values are standardized as part +## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps +## them to descriptive names. +## +## comp_method: The compression method chosen by the client. The values are +## standardized as part of the SSL/TLS protocol. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension +## ssl_session_ticket_handshake x509_certificate x509_error x509_extension +event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%); + +## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS +## sessions start with an unencrypted handshake, and Bro extracts as much +## information out of that as it can. This event provides access to any +## extensions either side sends as part of an extended *hello* message. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## code: The numerical code of the extension. The values are standardized as +## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps +## them to descriptive names. +## +## val: The raw extension value that was sent in the message. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake x509_certificate x509_error x509_extension +event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); + +## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with +## an unencrypted handshake, and Bro extracts as much information out of that +## as it can. This event signals the time when an SSL/TLS has finished the +## handshake and its endpoints consider it as fully established. 
Typically, +## everything from now on will be encrypted. +## +## See `Wikipedia `__ for +## more information about the SSL/TLS protocol. +## +## c: The connection. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_extension ssl_server_hello +## ssl_session_ticket_handshake x509_certificate x509_error x509_extension +event ssl_established%(c: connection%); + +## Generated for SSL/TLS alert records. SSL/TLS sessions start with an +## unencrypted handshake, and Bro extracts as much information out of that as +## it can. If during that handshake, an endpoint encounters a fatal error, it +## sends an *alert* record, that in turn triggers this event. After an *alert*, +## any endpoint may close the connection immediately. +## +## See `Wikipedia `__ for +## more information about the SSL/TLS protocol. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## level: The severity level, as sent in the *alert*. The values are defined as +## part of the SSL/TLS protocol. +## +## desc: A numerical value identifying the cause of the *alert*. The values are +## defined as part of the SSL/TLS protocol. +## +## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## ssl_session_ticket_handshake x509_certificate x509_error x509_extension +event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); + +## Generated for SSL/TLS handshake messages that are a part of the +## stateless-server session resumption mechanism. SSL/TLS sessions start with +## an unencrypted handshake, and Bro extracts as much information out of that +## as it can. This event is raised when an SSL/TLS server passes a session +## ticket to the client that can later be used for resuming the session. The +## mechanism is described in :rfc:`4507` +## +## See `Wikipedia `__ for +## more information about the SSL/TLS protocol. +## +## c: The connection. 
+## +## ticket_lifetime_hint: A hint from the server about how long the ticket +## should be stored by the client. +## +## ticket: The raw ticket data. +## +## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## x509_certificate x509_error x509_extension ssl_alert +event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%); + +## Generated for X509 certificates seen in SSL/TLS connections. During the +## initial SSL/TLS handshake, certificates are exchanged in the clear. Bro +## raises this event for each certificate seen (including both a site's primary +## cert, and further certs sent as part of the validation chain). +## +## See `Wikipedia `__ for more information +## about the X.509 format. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## cert: The parsed certificate. +## +## chain_idx: The index in the validation chain that this cert has. Index zero +## indicates an endpoint's primary cert, while higher indices +## indicate the place in the validation chain (which has length +## *chain_len*). +## +## chain_len: The total length of the validation chain that this cert is part +## of. +## +## der_cert: The complete cert encoded in `DER +## `__ +## format. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension +## ssl_server_hello x509_error x509_extension x509_verify +event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%); + +## Generated for X509 extensions seen in a certificate. +## +## See `Wikipedia `__ for more information +## about the X.509 format. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## data: The raw data associated with the extension. +## +## .. 
bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension +## ssl_server_hello x509_certificate x509_error x509_verify +event x509_extension%(c: connection, is_orig: bool, data: string%); + +## Generated when errors occur during parsing an X509 certificate. +## +## See `Wikipedia `__ for more information +## about the X.509 format. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` +## maps error codes to a textual description. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension +## ssl_server_hello x509_certificate x509_extension x509_err2str x509_verify +event x509_error%(c: connection, is_orig: bool, err: count%); diff --git a/src/ssl-analyzer.pac b/src/protocols/ssl/ssl-analyzer.pac similarity index 100% rename from src/ssl-analyzer.pac rename to src/protocols/ssl/ssl-analyzer.pac diff --git a/src/ssl-defs.pac b/src/protocols/ssl/ssl-defs.pac similarity index 100% rename from src/ssl-defs.pac rename to src/protocols/ssl/ssl-defs.pac diff --git a/src/ssl-protocol.pac b/src/protocols/ssl/ssl-protocol.pac similarity index 100% rename from src/ssl-protocol.pac rename to src/protocols/ssl/ssl-protocol.pac diff --git a/src/ssl.pac b/src/protocols/ssl/ssl.pac similarity index 94% rename from src/ssl.pac rename to src/protocols/ssl/ssl.pac index 25aed7a66f..150dc222cb 100644 --- a/src/ssl.pac +++ b/src/protocols/ssl/ssl.pac @@ -5,6 +5,10 @@ # - ssl-analyzer.pac: contains the SSL analyzer code # - ssl-record-layer.pac: describes the SSL record layer +%extern{ + #include "events.bif.h" +%} + %include binpac.pac %include bro.pac diff --git a/src/HTTP-binpac.cc b/src/protocols/unused/HTTP-binpac.cc similarity index 100% rename from src/HTTP-binpac.cc rename to src/protocols/unused/HTTP-binpac.cc 
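Review bot: The ssl_server_hello documentation was copied from ssl_client_hello and still describes the wrong side in two places: the introduction says the event "provides access to the initial information sent by the client", and `comp_method` is described as "The compression method chosen by the client", although a server hello carries the server's choice. Suggested wording: `## sent by the server.` and `## comp_method: The compression method chosen by the server. The values are`. The ssl_session_ticket_handshake paragraph also lacks a period after the RFC 4507 reference.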
diff --git a/src/HTTP-binpac.h b/src/protocols/unused/HTTP-binpac.h similarity index 100% rename from src/HTTP-binpac.h rename to src/protocols/unused/HTTP-binpac.h From e532aff687ed3d5c8fade43f8dca441c2742f386 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 29 Mar 2013 20:00:09 -0700 Subject: [PATCH 017/200] Updating cmake submodule. --- cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmake b/cmake index 870dd2c240..1a592a96f7 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 870dd2c240acaee5c2d75da0feb5fd5044177123 +Subproject commit 1a592a96f702d2cfcf1a88d7f40b4c62405735a6 From e0c4bd1a82a6887b6160ab79e32a02a75d1c9119 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Sat, 30 Mar 2013 19:29:20 -0700 Subject: [PATCH 018/200] Lots of cleanup and API documentation for the analyzer/* classes. I've used the opportunity to also cleanup DPD's expect_connection() infrastructure, and renamed that bif to schedule_analyzer(), which seems more appropiate. One can now also schedule more than one analyzer per connection. TODOs: - "make install" is probably broken. - Broxygen is probably broken for plugin-defined events. - event groups are broken (do we want to keep them?) - parallel btest is broken, but I'm not sure why ... (tests all pass individually, but lots of error when running in parallel; must be related to *.bif restructuring). - Document API for src/plugin/* - Document API for src/analyzer/Analyzer.h - Document API for scripts/base/frameworks/analyzer --- doc/scripts/DocSourcesList.cmake | 3 + scripts/base/frameworks/analyzer/main.bro | 6 +- scripts/base/protocols/ftp/main.bro | 6 +- scripts/base/protocols/irc/dcc-send.bro | 2 +- src/CMakeLists.txt | 2 +- src/DCE_RPC.cc | 4 +- src/DebugLogger.h | 2 +- src/IPAddr.cc | 17 - src/IPAddr.h | 1 - src/PIA.cc | 12 +- src/RuleAction.cc | 11 +- src/Sessions.cc | 2 +- src/TCP.cc | 2 +- src/analyzer.bif | 4 +- src/analyzer/Analyzer.cc | 32 +- src/analyzer/Component.cc | 29 ++ src/analyzer/Component.h | 121 +++++ src/analyzer/Manager.cc | 344 ++++++------- src/analyzer/Manager.h | 453 ++++++++++++++---- src/analyzer/PluginComponent.cc | 37 -- src/analyzer/PluginComponent.h | 51 -- src/analyzer/Tag.cc | 9 +- src/analyzer/Tag.h | 122 ++++- src/event.bif | 38 +- src/plugin/Macros.h | 9 +- src/protocols/BuiltInAnalyzers.cc | 128 ++--- src/protocols/http/HTTP.cc | 2 +- src/protocols/ssl/Plugin.cc | 2 +- .../canonified_loaded_scripts.log | 26 +- .../canonified_loaded_scripts.log | 26 +- .../output | 5 + .../frameworks/analyzer/schedule-analyzer.bro | 36 ++ 32 files changed, 994 insertions(+), 550 deletions(-) create mode 100644 src/analyzer/Component.cc create mode 100644 
src/analyzer/Component.h delete mode 100644 src/analyzer/PluginComponent.cc delete mode 100644 src/analyzer/PluginComponent.h create mode 100644 testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output create mode 100644 testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index af8f2de94b..c71d7798ea 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -22,6 +22,9 @@ rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/protocols/ssl/events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index ea5ccb727c..dcadb402fb 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro @@ -45,7 +45,7 @@ export { ## tout: The timeout interval after which to ignore the scheduling request. ## ## Returns: True if succesful. - global expect_connection: function(orig: addr, resp: addr, resp_p: port, + global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool; ## Analyzers to disable at startup. 
@@ -119,9 +119,9 @@ function name(atype: Analyzer::Tag) : string return __name(atype); } -function expect_connection(orig: addr, resp: addr, resp_p: port, +function schedule_analyzer(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool { - return __expect_connection(orig, resp, resp_p, analyzer, tout); + return __schedule_analyzer(orig, resp, resp_p, analyzer, tout); } diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index e2b77e0099..868fa99bef 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -228,7 +228,7 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5 { c$ftp$passive=F; ftp_data_expected[data$h, data$p] = c$ftp; - Analyzer::expect_connection(id$resp_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); + Analyzer::schedule_analyzer(id$resp_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); } else { @@ -281,7 +281,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior data$h = id$resp_h; ftp_data_expected[data$h, data$p] = c$ftp; - Analyzer::expect_connection(id$orig_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); + Analyzer::schedule_analyzer(id$orig_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); } else { @@ -312,7 +312,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior } -event expected_connection_seen(c: connection, a: count) &priority=10 +event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) &priority=10 { local id = c$id; if ( [id$resp_h, id$resp_p] in ftp_data_expected ) diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index 621ad42826..45746aae2b 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro 
@@ -104,7 +104,7 @@ event irc_dcc_message(c: connection, is_orig: bool, c$irc$dcc_file_name = argument; c$irc$dcc_file_size = size; local p = count_to_port(dest_port, tcp); - Analyzer::expect_connection(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_FILE, 5 min); + Analyzer::schedule_analyzer(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_FILE, 5 min); dcc_expected_transfers[address, p] = c$irc; } diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 31192a8757..5109f71105 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -400,7 +400,7 @@ set(bro_SRCS analyzer/Analyzer.cc analyzer/Manager.cc - analyzer/PluginComponent.cc + analyzer/Component.cc analyzer/Tag.cc protocols/BuiltInAnalyzers.cc diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc index 0cb9ab3c3f..f01edc9c8a 100644 --- a/src/DCE_RPC.cc +++ b/src/DCE_RPC.cc @@ -161,8 +161,8 @@ static void add_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr, // of the dce_rpc_endpoints table. // FIXME: Don't hard-code the timeout. - analyzer_mgr->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto, - "DCE_RPC", 5 * 60, 0); + analyzer_mgr->ScheduleAnalyzer(IPAddr(), addr.addr, addr.port, addr.proto, + "DCE_RPC", 5 * 60); } DCE_RPC_Header::DCE_RPC_Header(analyzer::Analyzer* a, const u_char* b) diff --git a/src/DebugLogger.h b/src/DebugLogger.h index ca422072c5..74eea4520d 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h @@ -21,7 +21,7 @@ enum DebugStream { DBG_STRING, // String code DBG_NOTIFIERS, // Notifiers (see StateAccess.h) DBG_MAINLOOP, // Main IOSource loop - DBG_DPD, // Dynamic application detection framework + DBG_ANALYZER, // Analyzer framework DBG_TM, // Time-machine packet input via Brocolli DBG_LOGGING, // Logging streams DBG_INPUT, // Input streams diff --git a/src/IPAddr.cc b/src/IPAddr.cc index cc52de31ed..7fd3755042 100644 --- a/src/IPAddr.cc +++ b/src/IPAddr.cc 
@@ -45,23 +45,6 @@ HashKey* BuildConnIDHashKey(const ConnID& id) return new HashKey(&key, sizeof(key)); } -HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c) - { - struct { - in6_addr orig; - in6_addr resp; - uint16 resp_p; - uint16 proto; - } key; - - key.orig = c.orig.in6; - key.resp = c.resp.in6; - key.resp_p = c.resp_p; - key.proto = c.proto; - - return new HashKey(&key, sizeof(key)); - } - void IPAddr::Mask(int top_bits_to_keep) { if ( top_bits_to_keep < 0 || top_bits_to_keep > 128 ) diff --git a/src/IPAddr.h b/src/IPAddr.h index e79f3aa0a9..0c6942c61e 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h @@ -363,7 +363,6 @@ public: void ConvertToThreadingValue(threading::Value::addr_t* v) const; friend HashKey* BuildConnIDHashKey(const ConnID& id); - friend HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c); unsigned int MemoryAllocation() const { return padded_sizeof(*this); } diff --git a/src/PIA.cc b/src/PIA.cc index f2eb633cd4..2e4cf06e86 100644 --- a/src/PIA.cc +++ b/src/PIA.cc @@ -63,7 +63,7 @@ void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig) void PIA::ReplayPacketBuffer(analyzer::Analyzer* analyzer) { - DBG_LOG(DBG_DPD, "PIA replaying %d total packet bytes", pkt_buffer.size); + DBG_LOG(DBG_ANALYZER, "PIA replaying %d total packet bytes", pkt_buffer.size); for ( DataBlock* b = pkt_buffer.head; b; b = b->next ) analyzer->DeliverPacket(b->len, b->data, b->is_orig, -1, 0, 0); @@ -133,7 +133,7 @@ void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) { if ( pkt_buffer.state == MATCHING_ONLY ) { - DBG_LOG(DBG_DPD, "analyzer found but buffer already exceeded"); + DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded"); // FIXME: This is where to check whether an analyzer // supports partial connections once we get such. return; 
@@ -180,7 +180,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip) static struct tcphdr* tcp4 = 0; static IP_Hdr* ip4_hdr = 0; - DBG_LOG(DBG_DPD, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F")); + DBG_LOG(DBG_ANALYZER, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F")); if ( ! ip ) { @@ -266,7 +266,7 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) { if ( stream_buffer.state == MATCHING_ONLY ) { - DBG_LOG(DBG_DPD, "analyzer found but buffer already exceeded"); + DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded"); // FIXME: This is where to check whether an analyzer supports // partial connections once we get such. return; @@ -305,7 +305,7 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) // (4) We hand the two reassemblers to the TCP Analyzer (our parent), // turning reassembly now on for all subsequent data. - DBG_LOG(DBG_DPD, "PIA_TCP switching from packet-mode to stream-mode"); + DBG_LOG(DBG_ANALYZER, "PIA_TCP switching from packet-mode to stream-mode"); stream_mode = true; // FIXME: The reassembler will query the endpoint for state. Not sure @@ -378,7 +378,7 @@ void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag) void PIA_TCP::ReplayStreamBuffer(analyzer::Analyzer* analyzer) { - DBG_LOG(DBG_DPD, "PIA_TCP replaying %d total stream bytes", stream_buffer.size); + DBG_LOG(DBG_ANALYZER, "PIA_TCP replaying %d total stream bytes", stream_buffer.size); for ( DataBlock* b = stream_buffer.head; b; b = b->next ) { diff --git a/src/RuleAction.cc b/src/RuleAction.cc index c0a4809c88..7d594e695f 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc 
@@ -54,15 +54,12 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer) reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str()); } else - child_analyzer = analyzer::Tag::ERROR; - - if ( analyzer != analyzer::Tag::ERROR ) - analyzer_mgr->ActivateSigs(); + child_analyzer = analyzer::Tag(); } void RuleActionAnalyzer::PrintDebug() { - if ( child_analyzer == analyzer::Tag::ERROR ) + if ( ! child_analyzer ) fprintf(stderr, "|%s|\n", analyzer_mgr->GetAnalyzerName(analyzer).c_str()); else fprintf(stderr, "|%s:%s|\n", @@ -74,7 +71,7 @@ void RuleActionAnalyzer::PrintDebug() void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { - if ( ChildAnalyzer() == analyzer::Tag::ERROR ) + if ( ! ChildAnalyzer() ) { if ( ! analyzer_mgr->IsEnabled(Analyzer()) ) return; @@ -103,7 +100,7 @@ void RuleActionEnable::PrintDebug() void RuleActionDisable::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { - if ( ChildAnalyzer() == analyzer::Tag::ERROR ) + if ( ! ChildAnalyzer() ) { if ( state->PIA() ) state->PIA()->DeactivateAnalyzer(Analyzer()); diff --git a/src/Sessions.cc b/src/Sessions.cc index 7586899e14..782bf4c496 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -1178,7 +1178,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, Connection* conn = new Connection(this, k, t, id, flow_label, encapsulation); conn->SetTransport(tproto); - analyzer_mgr->BuildInitialAnalyzerTree(tproto, conn, data); + analyzer_mgr->BuildInitialAnalyzerTree(conn); bool external = conn->IsExternal(); diff --git a/src/TCP.cc b/src/TCP.cc index feb21c3271..058e6608ca 100644 --- a/src/TCP.cc +++ b/src/TCP.cc 
@@ -1874,7 +1874,7 @@ void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); - DBG_LOG(DBG_DPD, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %d, %p, %d) [%s%s]", + DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %d, %p, %d) [%s%s]", len, is_orig ? "T" : "F", seq, ip, caplen, fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : ""); } diff --git a/src/analyzer.bif b/src/analyzer.bif index 2ce5af992d..92b533308a 100644 --- a/src/analyzer.bif +++ b/src/analyzer.bif @@ -26,10 +26,10 @@ function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool return new Val(result, TYPE_BOOL); %} -function Analyzer::__expect_connection%(orig: addr, resp: addr, resp_p: port, +function Analyzer::__schedule_analyzer%(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval%) : bool %{ - analyzer_mgr->ExpectConnection(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout, 0); + analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout); return new Val(true, TYPE_BOOL); %} diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index 6ef67eb497..ff02e83f18 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -75,7 +75,7 @@ Analyzer::Analyzer(const char* name, Connection* arg_conn) output_handler = 0; if ( ! tag ) - reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::PluginComponent?", name); + reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::Component?", name); } @@ -344,7 +344,7 @@ void Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init) if ( init ) analyzer->Init(); - DBG_LOG(DBG_DPD, "%s added child %s", + DBG_LOG(DBG_ANALYZER, "%s added child %s", fmt_analyzer(this).c_str(), fmt_analyzer(analyzer).c_str()); } 
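Review bot: Analyzer::__schedule_analyzer in src/analyzer.bif still returns `new Val(true, TYPE_BOOL)` unconditionally and discards whatever analyzer_mgr->ScheduleAnalyzer() reports, while the script wrapper in scripts/base/frameworks/analyzer/main.bro documents the result as "True if successful". If ScheduleAnalyzer() returns a status (its declaration is not in this patch, so I cannot confirm), propagate it: `bool ok = analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout);` followed by `return new Val(ok, TYPE_BOOL);`. Otherwise the documented return value is misleading and callers such as ftp/main.bro and irc/dcc-send.bro cannot detect a schedule that did not take effect.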
@@ -368,7 +368,7 @@ void Analyzer::RemoveChildAnalyzer(Analyzer* analyzer) LOOP_OVER_CHILDREN(i) if ( *i == analyzer && ! (analyzer->finished || analyzer->removing) ) { - DBG_LOG(DBG_DPD, "%s disabling child %s", + DBG_LOG(DBG_ANALYZER, "%s disabling child %s", fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()); // We just flag it as being removed here but postpone // actually doing that to later. Otherwise, we'd need @@ -386,7 +386,7 @@ void Analyzer::RemoveChildAnalyzer(ID id) LOOP_OVER_CHILDREN(i) if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) ) { - DBG_LOG(DBG_DPD, "%s disabling child %s", GetAnalyzerName().c_str(), id, + DBG_LOG(DBG_ANALYZER, "%s disabling child %s", GetAnalyzerName().c_str(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()); // See comment above. (*i)->removing = true; @@ -440,7 +440,7 @@ Analyzer* Analyzer::FindChild(Tag arg_tag) Analyzer* Analyzer::FindChild(const string& name) { Tag tag = analyzer_mgr->GetAnalyzerTag(name); - return tag != Tag::ERROR ? FindChild(tag) : 0; + return tag ? FindChild(tag) : 0; } void Analyzer::DeleteChild(analyzer_list::iterator i) @@ -456,7 +456,7 @@ void Analyzer::DeleteChild(analyzer_list::iterator i) child->removing = false; } - DBG_LOG(DBG_DPD, "%s deleted child %s 3", + DBG_LOG(DBG_ANALYZER, "%s deleted child %s 3", fmt_analyzer(this).c_str(), fmt_analyzer(child).c_str()); children.erase(i); @@ -467,7 +467,7 @@ void Analyzer::AddSupportAnalyzer(SupportAnalyzer* analyzer) { if ( HasSupportAnalyzer(analyzer->GetAnalyzerTag(), analyzer->IsOrig()) ) { - DBG_LOG(DBG_DPD, "%s already has %s %s", + DBG_LOG(DBG_ANALYZER, "%s already has %s %s", fmt_analyzer(this).c_str(), analyzer->IsOrig() ? "originator" : "responder", fmt_analyzer(analyzer).c_str()); 
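Review bot: In the RemoveChildAnalyzer(ID id) hunk the DBG_LOG arguments do not match the format string: `"%s disabling child %s"` has two conversions but four arguments are passed, and the second `%s` receives the integer `id`, so with debug logging compiled in and the analyzer stream enabled an integer would be read as a `char*`. Only the stream name changed on this line, but it is worth fixing in the same pass by matching the sibling hunk just above: `DBG_LOG(DBG_ANALYZER, "%s disabling child %s", fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());`. The `@@ -544,33 +544,33 @@` hunk has the inverse problem in FlipRoles, `"%s FlipRoles()"` with no argument at all, and needs `fmt_analyzer(this).c_str()` added.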
@@ -495,7 +495,7 @@ void Analyzer::AddSupportAnalyzer(SupportAnalyzer* analyzer) analyzer->Init(); - DBG_LOG(DBG_DPD, "%s added %s support %s", + DBG_LOG(DBG_ANALYZER, "%s added %s support %s", fmt_analyzer(this).c_str(), analyzer->IsOrig() ? "originator" : "responder", fmt_analyzer(analyzer).c_str()); @@ -519,7 +519,7 @@ void Analyzer::RemoveSupportAnalyzer(SupportAnalyzer* analyzer) else *head = s->sibling; - DBG_LOG(DBG_DPD, "%s removed support %s", + DBG_LOG(DBG_ANALYZER, "%s removed support %s", fmt_analyzer(this).c_str(), analyzer->IsOrig() ? "originator" : "responder", fmt_analyzer(analyzer).c_str()); @@ -544,33 +544,33 @@ bool Analyzer::HasSupportAnalyzer(Tag tag, bool orig) void Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen) { - DBG_LOG(DBG_DPD, "%s DeliverPacket(%d, %s, %d, %p, %d) [%s%s]", + DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %d, %p, %d) [%s%s]", fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", seq, ip, caplen, fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : ""); } void Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - DBG_LOG(DBG_DPD, "%s DeliverStream(%d, %s) [%s%s]", + DBG_LOG(DBG_ANALYZER, "%s DeliverStream(%d, %s) [%s%s]", fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : ""); } void Analyzer::Undelivered(int seq, int len, bool is_orig) { - DBG_LOG(DBG_DPD, "%s Undelivered(%d, %d, %s)", + DBG_LOG(DBG_ANALYZER, "%s Undelivered(%d, %d, %s)", fmt_analyzer(this).c_str(), seq, len, is_orig ? "T" : "F"); } void Analyzer::EndOfData(bool is_orig) { - DBG_LOG(DBG_DPD, "%s EndOfData(%s)", + DBG_LOG(DBG_ANALYZER, "%s EndOfData(%s)", fmt_analyzer(this).c_str(), is_orig ? "T" : "F"); } void Analyzer::FlipRoles() { - DBG_LOG(DBG_DPD, "%s FlipRoles()"); + DBG_LOG(DBG_ANALYZER, "%s FlipRoles()"); LOOP_OVER_CHILDREN(i) (*i)->FlipRoles(); 
@@ -596,7 +596,7 @@ void Analyzer::ProtocolConfirmation() val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(tag.Val()); + vl->append(tag.AsEnumVal()); vl->append(new Val(id, TYPE_COUNT)); // We immediately raise the event so that the analyzer can quickly @@ -624,7 +624,7 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(tag.Val()); + vl->append(tag.AsEnumVal()); vl->append(new Val(id, TYPE_COUNT)); vl->append(r); diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc new file mode 100644 index 0000000000..9640d6d8ac --- /dev/null +++ b/src/analyzer/Component.cc @@ -0,0 +1,29 @@ + +#include "Component.h" + +#include "../Desc.h" + +using namespace analyzer; + +Tag::type_t Component::type_counter = 0; + +Component::Component(std::string arg_name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial) + : plugin::Component(plugin::component::ANALYZER) + { + name = arg_name; + factory = arg_factory; + enabled = arg_enabled; + partial = arg_partial; + + tag = analyzer::Tag(++type_counter, arg_subtype); + } + +void Component::Describe(ODesc* d) + { + plugin::Component::Describe(d); + d->Add(name); + d->Add(" ("); + d->Add(enabled ? "enabled" : "disabled"); + d->Add(")"); + } + diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h new file mode 100644 index 0000000000..0a48c0546f --- /dev/null +++ b/src/analyzer/Component.h 
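Review bot: Component::Component in the new src/analyzer/Component.cc default-constructs `name` and `tag` and then assigns them in the body; a member-initializer list expresses the same thing directly and avoids the double initialization. The initializers must follow the declaration order in Component.h (name, factory, partial, tag, enabled) to keep the compiler's reorder warning quiet. Describe() is unchanged.
```cpp
Component::Component(std::string arg_name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial)
	: plugin::Component(plugin::component::ANALYZER),
	  name(arg_name), factory(arg_factory), partial(arg_partial),
	  tag(++type_counter, arg_subtype), enabled(arg_enabled)
	{
	}

// … unchanged: Component::Describe …
```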
@@ -0,0 +1,121 @@ + +#ifndef ANALYZER_PLUGIN_COMPONENT_H +#define ANALYZER_PLUGIN_COMPONENT_H + +#include + +#include "Tag.h" +#include "plugin/Component.h" + +#include "../config.h" +#include "../util.h" + +class Connection; + +namespace analyzer { + +class Analyzer; + +/** + * Component description for plugins providing analyzers. + * + * A plugin can provide a specific protocol analyzer by registering this + * analyzer component, describing the analyzer. + * + * This class is safe to copy by value. + */ +class Component : public plugin::Component { +public: + typedef bool (*available_callback)(); + typedef Analyzer* (*factory_callback)(Connection* conn); + + /** + * Constructor. + * + * @param name The name of the provided analyzer. This name is used + * across the system to identify the analyzer, e.g., when calling + * analyzer::Manager::InstantiateAnalyzer with a name. + * + * @param factory A factory function to instantiate instances of the + * analyzer's class, which must be derived directly or indirectly + * from analyzer::Analyzer. This is typically a static \c + * Instatiate() method inside the class that just allocates and + * returns a new instance. + * + * @param subtype A subtype associated with this component that + * further. The subtype will be integrated into the analyzer::Tag + * that the manager associates with this analyzer, and analyzer + * instances can accordingly access it via analyzer::Tag(). If not + * used, leave at zero. + * + * @param enabled If false the analyzer starts out as disabled and + * hence won't be used. It can still be enabled later via the + * manager, including from script-land. + * + * @param partial If true, the analyzer can deal with payload from + * partial connections, i.e., when Bro enters the stream mid-way + * after not seeing the beginning. Note that handling of partial + * connections has generally not seen much testing yet as virtually + * no existing analyzer supports it. 
+ */ + Component(std::string name, factory_callback factory, Tag::subtype_t subtype = 0, bool enabled = true, bool partial = false); + + /** + * Returns the name of the analyzer. This name is unique across all + * analyzers and used to identify it. + */ + const std::string& Name() const { return name; } + + /** + * Returns the analyzer's factory function. + */ + factory_callback Factory() const { return factory; } + + /** + * Returns whether the analyzer supports partial connections. Partial + * connections are those where Bro starts processing payload + * mid-stream, after missing the beginning. + */ + bool Partial() const { return partial; } + + /** + * Returns true if the analyzer is currently enabled and hence + * available for use. + */ + bool Enabled() const { return enabled; } + + /** + * Returns the analyzer's tag. Note that this is automatically + * generated for each new Components, and hence unique across all of + * them. + */ + analyzer::Tag Tag() const { return tag; } + + /** + * Enables or disables this analyzer. + * + * @param arg_enabled True to enabled, false to disable. + * + */ + void SetEnabled(bool arg_enabled) { enabled = arg_enabled; } + + /** + * Generates a human-readable description of the component's main + * parameters. This goes into the output of \c "bro -NN". + */ + virtual void Describe(ODesc* d); + +private: + std::string name; // The analyzer's name. + factory_callback factory; // The analyzer's factory callback. + bool partial; // True if the analyzer supports partial connections. + analyzer::Tag tag; // The automatically assigned analyzer tag. + bool enabled; // True if the analyzer is enabled. + + // Global counter used to generate unique tags. + static analyzer::Tag::type_t type_counter; +}; + +} + +#endif diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 060595aea2..e30976b9e3 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc 
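Review bot: The `@param subtype` paragraph in the constructor's doc comment in Component.h is cut off mid-sentence (`A subtype associated with this component that further.`) and should be completed to say what the subtype refines; the same comment has `Instatiate()` for `Instantiate()`, and the `Tag()` accessor's doc says `each new Components`. The accessor `Tag Tag() const` shadows the type name `Tag` inside the class, which is why the `tag` member and `type_counter` need the `analyzer::` qualification; a one-line comment such as `// Note: this accessor hides the type name Tag within the class; use analyzer::Tag for the type.` would spare the next reader the puzzle, or the accessor could be renamed. The `#include` directive after the include guard has lost its target in this rendering, so I cannot tell which standard header it pulls in.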
@@ -16,8 +16,8 @@ using namespace analyzer; -ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, - uint16 _resp_p, uint16 _proto) +Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp, + uint16 _resp_p, uint16 _proto) { if ( _orig == IPAddr(string("0.0.0.0")) ) // don't use the IPv4 mapping, use the literal unspecified address @@ -25,21 +25,37 @@ ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, orig = IPAddr(string("::")); else orig = _orig; + resp = _resp; resp_p = _resp_p; proto = _proto; } -ExpectedConn::ExpectedConn(const ExpectedConn& c) +Manager::ConnIndex::ConnIndex() { - orig = c.orig; - resp = c.resp; - resp_p = c.resp_p; - proto = c.proto; + orig = resp = IPAddr("0.0.0.0"); + resp_p = 0; + proto = 0; + } + +bool Manager::ConnIndex::operator<(const ConnIndex& other) const + { + if ( orig != other.orig ) + return orig < other.orig; + + if ( resp != other.resp ) + return resp < other.resp; + + if ( proto != other.proto ) + return proto < other.proto; + + if ( resp_p != other.resp_p ) + return resp_p < other.resp_p; + + return false; } Manager::Manager() - : expected_conns_queue(AssignedAnalyzer::compare) { tag_enum_type = new EnumType("Analyzer::Tag"); ::ID* id = install_ID("Tag", "Analyzer", true, true); 
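Review bot: `Manager::ConnIndex::ConnIndex()` initialises `orig` to `0.0.0.0`, whereas the argument-taking constructor canonicalises `0.0.0.0` to `::` and the wildcard lookup in GetScheduled uses `::`, so a default-constructed index is never equal to a wildcard entry under the new `operator<`. That is harmless if the default constructor exists only so `ScheduledAnalyzer` can hold a `ConnIndex` before it is assigned, but the asymmetry deserves a comment: `// Placeholder value only; not canonicalised like the main constructor.` If a default-constructed index is ever meant to be looked up, it should assign `orig = IPAddr(string("::"))` the same way.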
@@ -58,26 +74,19 @@ Manager::~Manager() analyzers_by_port_tcp.clear(); // Clean up expected-connection table. - while ( expected_conns_queue.size() ) + while ( conns_by_timeout.size() ) { - AssignedAnalyzer* a = expected_conns_queue.top(); - if ( ! a->deleted ) - { - HashKey* key = BuildExpectedConnHashKey(a->conn); - expected_conns.Remove(key); - delete key; - } - - expected_conns_queue.pop(); + ScheduledAnalyzer* a = conns_by_timeout.top(); + conns_by_timeout.pop(); delete a; } } void Manager::Init() { - std::list analyzers = plugin_mgr->Components(plugin::component::ANALYZER); + std::list analyzers = plugin_mgr->Components(plugin::component::ANALYZER); - for ( std::list::const_iterator i = analyzers.begin(); i != analyzers.end(); i++ ) + for ( std::list::const_iterator i = analyzers.begin(); i != analyzers.end(); i++ ) RegisterAnalyzerComponent(*i); // Caache these tags. @@ -91,12 +100,12 @@ void Manager::Init() void Manager::DumpDebug() { #ifdef DEBUG - DBG_LOG(DBG_DPD, "Available analyzers after bro_init():"); + DBG_LOG(DBG_ANALYZER, "Available analyzers after bro_init():"); for ( analyzer_map_by_name::const_iterator i = analyzers_by_name.begin(); i != analyzers_by_name.end(); i++ ) - DBG_LOG(DBG_DPD, " %s (%s)", i->second->Name().c_str(), IsEnabled(i->second->Tag()) ? "enabled" : "disabled"); + DBG_LOG(DBG_ANALYZER, " %s (%s)", i->second->Name().c_str(), IsEnabled(i->second->Tag()) ? "enabled" : "disabled"); - DBG_LOG(DBG_DPD, ""); - DBG_LOG(DBG_DPD, "Analyzers by port:"); + DBG_LOG(DBG_ANALYZER, ""); + DBG_LOG(DBG_ANALYZER, "Analyzers by port:"); for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_tcp.begin(); i != analyzers_by_port_tcp.end(); i++ ) { 
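Review bot: `Manager::~Manager()` deletes each `ScheduledAnalyzer` popped from `conns_by_timeout` but leaves `conns` holding the now-dangling pointers until that member is itself destroyed; that is fine only as long as nothing later in the destructor touches `conns`, and the ownership split is not written down anywhere visible. A comment above the loop would make the invariant explicit: `// conns_by_timeout owns the ScheduledAnalyzer objects; conns is a non-owning index and is torn down with the member.` The destructor's body starts before this hunk.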
@@ -105,7 +114,7 @@ void Manager::DumpDebug() for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) s += GetAnalyzerName(*j) + " "; - DBG_LOG(DBG_DPD, " %d/tcp: %s", i->first, s.c_str()); + DBG_LOG(DBG_ANALYZER, " %d/tcp: %s", i->first, s.c_str()); } for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_udp.begin(); i != analyzers_by_port_udp.end(); i++ ) @@ -115,15 +124,15 @@ void Manager::DumpDebug() for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) s += GetAnalyzerName(*j) + " "; - DBG_LOG(DBG_DPD, " %d/udp: %s", i->first, s.c_str()); + DBG_LOG(DBG_ANALYZER, " %d/udp: %s", i->first, s.c_str()); } #if 0 ODesc d; tag_enum_type->Describe(&d); - DBG_LOG(DBG_DPD, ""); - DBG_LOG(DBG_DPD, "Analyzer::Tag type: %s", d.Description()); + DBG_LOG(DBG_ANALYZER, ""); + DBG_LOG(DBG_ANALYZER, "Analyzer::Tag type: %s", d.Description()); #endif #endif 
@@ -133,35 +142,35 @@ void Manager::Done() { } -void Manager::RegisterAnalyzerComponent(PluginComponent* component) +void Manager::RegisterAnalyzerComponent(Component* component) { if ( Lookup(component->Name()) ) reporter->FatalError("Analyzer %s defined more than once", component->Name().c_str()); - DBG_LOG(DBG_DPD, "Registering analyzer %s (tag %s)", + DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)", component->Name().c_str(), component->Tag().AsString().c_str()); analyzers_by_name.insert(std::make_pair(component->Name(), component)); analyzers_by_tag.insert(std::make_pair(component->Tag(), component)); - analyzers_by_val.insert(std::make_pair(component->Tag().Val()->InternalInt(), component)); + analyzers_by_val.insert(std::make_pair(component->Tag().AsEnumVal()->InternalInt(), component)); // Install enum "Analyzer::ANALYZER_*" string name = to_upper(component->Name()); string id = fmt("ANALYZER_%s", name.c_str()); - tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().Val()->InternalInt(), true); + tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().AsEnumVal()->InternalInt(), true); } bool Manager::EnableAnalyzer(Tag tag) { - PluginComponent* p = Lookup(tag); + Component* p = Lookup(tag); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to enable non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to enable non-existing analyzer"); return false; } - DBG_LOG(DBG_DPD, "Enabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); p->SetEnabled(true); return true; 
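Review bot: `RegisterAnalyzerComponent` inserts the component into `analyzers_by_name` under `component->Name()` as given, while the `Manager::Lookup` overloads further down search that map with `to_upper(name)`; unless every registered name is already upper-case, the duplicate check at the top of this function and every by-name lookup silently miss. The upper-cased name is already computed a few lines below for the `ANALYZER_%s` enum identifier, so keying the map the same way closes the gap: `analyzers_by_name.insert(std::make_pair(to_upper(component->Name()), component));`. If upper-case names are a convention enforced elsewhere, a comment on the insert saying so would stop the next reader from asking the same question.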
@@ -169,15 +178,15 @@ bool Manager::EnableAnalyzer(Tag tag) bool Manager::EnableAnalyzer(EnumVal* val) { - PluginComponent* p = Lookup(val); + Component* p = Lookup(val); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to enable non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to enable non-existing analyzer"); return false; } - DBG_LOG(DBG_DPD, "Enabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); p->SetEnabled(true); return true; @@ -185,15 +194,15 @@ bool Manager::EnableAnalyzer(EnumVal* val) bool Manager::DisableAnalyzer(Tag tag) { - PluginComponent* p = Lookup(tag); + Component* p = Lookup(tag); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to disable non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to disable non-existing analyzer"); return false; } - DBG_LOG(DBG_DPD, "Disabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); p->SetEnabled(false); return true; @@ -201,15 +210,15 @@ bool Manager::DisableAnalyzer(Tag tag) bool Manager::DisableAnalyzer(EnumVal* val) { - PluginComponent* p = Lookup(val); + Component* p = Lookup(val); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to disable non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to disable non-existing analyzer"); return false; } - DBG_LOG(DBG_DPD, "Disabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); p->SetEnabled(false); return true; @@ -220,11 +229,11 @@ bool Manager::IsEnabled(Tag tag) if ( ! tag ) return false; - PluginComponent* p = Lookup(tag); + Component* p = Lookup(tag); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to check non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to check non-existing analyzer"); return false; } 
@@ -233,11 +242,11 @@ bool Manager::IsEnabled(Tag tag) bool Manager::IsEnabled(EnumVal* val) { - PluginComponent* p = Lookup(val); + Component* p = Lookup(val); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to check non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to check non-existing analyzer"); return false; } @@ -247,11 +256,11 @@ bool Manager::IsEnabled(EnumVal* val) bool Manager::RegisterAnalyzerForPort(EnumVal* val, PortVal* port) { - PluginComponent* p = Lookup(val); + Component* p = Lookup(val); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to register port for non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to register port for non-existing analyzer"); return false; } @@ -260,11 +269,11 @@ bool Manager::RegisterAnalyzerForPort(EnumVal* val, PortVal* port) bool Manager::UnregisterAnalyzerForPort(EnumVal* val, PortVal* port) { - PluginComponent* p = Lookup(val); + Component* p = Lookup(val); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to unregister port fork non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to unregister port fork non-existing analyzer"); return false; } @@ -277,7 +286,7 @@ bool Manager::RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port #ifdef DEBUG std::string name = GetAnalyzerName(tag); - DBG_LOG(DBG_DPD, "Registering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); + DBG_LOG(DBG_ANALYZER, "Registering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); #endif l->insert(tag); @@ -290,7 +299,7 @@ bool Manager::UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 po #ifdef DEBUG std::string name = GetAnalyzerName(tag); - DBG_LOG(DBG_DPD, "Unregistering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); + DBG_LOG(DBG_ANALYZER, "Unregistering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); #endif l->erase(tag); 
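Review bot: The new log line in `UnregisterAnalyzerForPort(EnumVal*, PortVal*)` carries over the typo `port fork non-existing` from the old message; since the line is being rewritten anyway, fix it: `DBG_LOG(DBG_ANALYZER, "Asked to unregister port for non-existing analyzer");`. The remaining hunks in this span are plain DBG_DPD to DBG_ANALYZER renames.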
@@ -299,7 +308,7 @@ bool Manager::UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 po Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) { - PluginComponent* c = Lookup(tag); + Component* c = Lookup(tag); if ( ! c ) reporter->InternalError("request to instantiate unknown analyzer"); @@ -329,7 +338,7 @@ const string& Manager::GetAnalyzerName(Tag tag) if ( ! tag ) return error; - PluginComponent* c = Lookup(tag); + Component* c = Lookup(tag); if ( ! c ) reporter->InternalError("request for name of unknown analyzer tag %s", tag.AsString().c_str()); @@ -344,14 +353,14 @@ const string& Manager::GetAnalyzerName(Val* val) Tag Manager::GetAnalyzerTag(const string& name) { - PluginComponent* c = Lookup(name); - return c ? c->Tag() : Tag::ERROR; + Component* c = Lookup(name); + return c ? c->Tag() : Tag(); } Tag Manager::GetAnalyzerTag(const char* name) { - PluginComponent* c = Lookup(name); - return c ? c->Tag() : Tag::ERROR; + Component* c = Lookup(name); + return c ? c->Tag() : Tag(); } EnumType* Manager::GetTagEnumType() 
@@ -359,26 +368,25 @@ EnumType* Manager::GetTagEnumType() return tag_enum_type; } - -PluginComponent* Manager::Lookup(const string& name) +Component* Manager::Lookup(const string& name) { analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); return i != analyzers_by_name.end() ? i->second : 0; } -PluginComponent* Manager::Lookup(const char* name) +Component* Manager::Lookup(const char* name) { analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); return i != analyzers_by_name.end() ? i->second : 0; } -PluginComponent* Manager::Lookup(const Tag& tag) +Component* Manager::Lookup(const Tag& tag) { analyzer_map_by_tag::const_iterator i = analyzers_by_tag.find(tag); return i != analyzers_by_tag.end() ? i->second : 0; } -PluginComponent* Manager::Lookup(EnumVal* val) +Component* Manager::Lookup(EnumVal* val) { analyzer_map_by_val::const_iterator i = analyzers_by_val.find(val->InternalInt()); return i != analyzers_by_val.end() ? i->second : 0; 
@@ -419,69 +427,39 @@ Manager::tag_set* Manager::LookupPort(PortVal* val, bool add_if_not_found) return LookupPort(val->PortType(), val->Port(), add_if_not_found); } -Tag Manager::GetExpected(int proto, const Connection* conn) - { - if ( ! expected_conns.Length() ) - return Tag::ERROR; - - ExpectedConn c(conn->OrigAddr(), conn->RespAddr(), - ntohs(conn->RespPort()), proto); - - HashKey* key = BuildExpectedConnHashKey(c); - AssignedAnalyzer* a = expected_conns.Lookup(key); - delete key; - - if ( ! a ) - { - // Wildcard for originator. - c.orig = IPAddr(string("::")); - - HashKey* key = BuildExpectedConnHashKey(c); - a = expected_conns.Lookup(key); - delete key; - } - - if ( ! a ) - return Tag::ERROR; - - // We don't delete it here. It will be expired eventually. - return a->analyzer; - } - -bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, - const u_char* data) +bool Manager::BuildInitialAnalyzerTree(Connection* conn) { Analyzer* analyzer = 0; TCP_Analyzer* tcp = 0; UDP_Analyzer* udp = 0; ICMP_Analyzer* icmp = 0; TransportLayerAnalyzer* root = 0; - Tag expected = Tag::ERROR; + tag_set expected; PIA* pia = 0; bool analyzed = false; bool check_port = false; - switch ( proto ) { + switch ( conn->ConnTransport() ) { case TRANSPORT_TCP: root = tcp = new TCP_Analyzer(conn); pia = new PIA_TCP(conn); - expected = GetExpected(proto, conn); + expected = GetScheduled(conn); check_port = true; - DBG_DPD(conn, "activated TCP analyzer"); + DBG_ANALYZER(conn, "activated TCP analyzer"); break; case TRANSPORT_UDP: root = udp = new UDP_Analyzer(conn); pia = new PIA_UDP(conn); - expected = GetExpected(proto, conn); + expected = GetScheduled(conn); check_port = true; - DBG_DPD(conn, "activated UDP analyzer"); + DBG_ANALYZER(conn, "activated UDP analyzer"); break; case TRANSPORT_ICMP: { root = icmp = new ICMP_Analyzer(conn); - DBG_DPD(conn, "activated ICMP analyzer"); + DBG_ANALYZER(conn, "activated ICMP analyzer"); analyzed = true; break; } 
@@ -492,34 +470,34 @@ bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, if ( ! root ) { - DBG_DPD(conn, "cannot build analyzer tree"); + DBG_ANALYZER(conn, "cannot build analyzer tree"); return false; } // Any scheduled analyzer? - if ( expected ) + for ( tag_set::iterator i = expected.begin(); i != expected.end(); i++ ) { - Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(expected, conn); + Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(*i, conn); if ( analyzer ) { root->AddChildAnalyzer(analyzer, false); - DBG_DPD_ARGS(conn, "activated %s analyzer as scheduled", - analyzer_mgr->GetAnalyzerName(expected).c_str()); + DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled", + analyzer_mgr->GetAnalyzerName(*i).c_str()); } - // Hmm... Do we want *just* the expected analyzer, or all - // other potential analyzers as well? For now we only take - // the scheduled one. } - else + // Hmm... Do we want *just* the expected analyzer, or all + // other potential analyzers as well? For now we only take + // the scheduled ones. + if ( expected.size() == 0 ) { // Let's see if it's a port we know. if ( check_port && ! dpd_ignore_ports ) { int resp_port = ntohs(conn->RespPort()); - tag_set* ports = LookupPort(proto, resp_port, false); + tag_set* ports = LookupPort(conn->ConnTransport(), resp_port, false); if ( ports ) { @@ -531,7 +509,7 @@ bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, continue; root->AddChildAnalyzer(analyzer, false); - DBG_DPD_ARGS(conn, "activated %s analyzer due to port %d", + DBG_ANALYZER_ARGS(conn, "activated %s analyzer due to port %d", analyzer_mgr->GetAnalyzerName(*j).c_str(), resp_port); } } 
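Review bot: The fallback to well-known ports is gated on `expected.size() == 0`, but the loop above only attaches an analyzer when `InstantiateAnalyzer` returns non-null (the header documents null for a disabled analyzer), so a scheduled analyzer that is currently disabled suppresses port-based assignment and can leave the connection with no analyzer at all. Track whether something was actually attached instead: `bool scheduled = false;` before the loop, `scheduled = true;` beside `root->AddChildAnalyzer(analyzer, false);`, and `if ( ! scheduled )` in place of the size test. The inner `Analyzer* analyzer` also shadows the `analyzer` declared at the top of the function, which the compiler will not warn about by default. The function continues outside this hunk.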
@@ -622,78 +600,116 @@ bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, if ( ! analyzed ) conn->SetLifetime(non_analyzed_lifetime); - if ( expected != Tag::ERROR ) - conn->Event(expected_connection_seen, 0, - new Val(expected, TYPE_COUNT)); + for ( tag_set::iterator i = expected.begin(); i != expected.end(); i++ ) + conn->Event(scheduled_analyzer_applied, 0, i->AsEnumVal()); return true; } -void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, - uint16 resp_p, - TransportProto proto, Tag analyzer, - double timeout, void* cookie) +void Manager::ExpireScheduledAnalyzers() { - // Use the chance to see if the oldest entry is already expired. - if ( expected_conns_queue.size() ) + if ( ! network_time ) + return; + + while ( conns_by_timeout.size() ) { - AssignedAnalyzer* a = expected_conns_queue.top(); - if ( a->timeout < network_time ) + ScheduledAnalyzer* a = conns_by_timeout.top(); + + if ( a->timeout > network_time ) + return; + + conns_by_timeout.pop(); + + std::pair all = conns.equal_range(a->conn); + + bool found = false; + + for ( conns_map::iterator i = all.first; i != all.second; i++ ) { - if ( ! 
a->deleted ) - { - HashKey* key = BuildExpectedConnHashKey(a->conn); - expected_conns.Remove(key); - delete key; - } + if ( i->second != a ) + continue; - expected_conns_queue.pop(); + conns.erase(i); - DBG_LOG(DBG_DPD, "Expired expected %s analyzer for %s", - analyzer_mgr->GetAnalyzerName(analyzer).c_str(), - fmt_conn_id(a->conn.orig, 0, - a->conn.resp, - a->conn.resp_p)); + DBG_LOG(DBG_ANALYZER, "Expiring expected analyzer %s for connection %s", + analyzer_mgr->GetAnalyzerName(a->analyzer).c_str(), + fmt_conn_id(a->conn.orig, 0, a->conn.resp, a->conn.resp_p)); delete a; + found = true; + break; } + + assert(found); } - - ExpectedConn c(orig, resp, resp_p, proto); - - HashKey* key = BuildExpectedConnHashKey(c); - - AssignedAnalyzer* a = expected_conns.Lookup(key); - - if ( a ) - a->deleted = true; - - a = new AssignedAnalyzer(c); - - a->analyzer = analyzer; - a->cookie = cookie; - a->timeout = network_time + timeout; - a->deleted = false; - - expected_conns.Insert(key, a); - expected_conns_queue.push(a); - delete key; } -void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, +void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, + uint16 resp_p, + TransportProto proto, Tag analyzer, + double timeout) + { + if ( ! network_time ) + { + reporter->Warning("cannot schedule analyzers before processing begins; ignored"); + return; + } + + assert(timeout); + + // Use the chance to see if the oldest entry is already expired. 
+ ExpireScheduledAnalyzers(); + + ScheduledAnalyzer* a = new ScheduledAnalyzer; + a->conn = ConnIndex(orig, resp, resp_p, proto); + a->analyzer = analyzer; + a->timeout = network_time + timeout; + + conns.insert(std::make_pair(a->conn, a)); + conns_by_timeout.push(a); + } + +void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, TransportProto proto, const string& analyzer, - double timeout, void* cookie) + double timeout) { Tag tag = GetAnalyzerTag(analyzer); - if ( tag != Tag::ERROR ) - ExpectConnection(orig, resp, resp_p, proto, tag, timeout, cookie); + if ( tag != Tag() ) + ScheduleAnalyzer(orig, resp, resp_p, proto, tag, timeout); } -void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, - Val* analyzer, double timeout, void* cookie) +void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, + Val* analyzer, double timeout) { EnumVal* ev = analyzer->AsEnumVal(); - return ExpectConnection(orig, resp, resp_p->Port(), resp_p->PortType(), Tag(ev), timeout, cookie); + return ScheduleAnalyzer(orig, resp, resp_p->Port(), resp_p->PortType(), Tag(ev), timeout); + } + +Manager::tag_set Manager::GetScheduled(const Connection* conn) + { + ConnIndex c(conn->OrigAddr(), conn->RespAddr(), + ntohs(conn->RespPort()), conn->ConnTransport()); + + std::pair all = conns.equal_range(c); + + tag_set result; + + for ( conns_map::iterator i = all.first; i != all.second; i++ ) + result.insert(i->second->analyzer); + + // Try wildcard for originator. + c.orig = IPAddr(string("::")); + all = conns.equal_range(c); + + for ( conns_map::iterator i = all.first; i != all.second; i++ ) + { + if ( i->second->timeout > network_time ) + result.insert(i->second->analyzer); + } + + // We don't delete scheduled analyzers here. They will be expired + // eventually. + return result; } diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 33b27ed38a..0284504f35 100644 --- a/src/analyzer/Manager.h 
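Review bot: `GetScheduled` applies the `timeout > network_time` filter only to the wildcard-originator matches; the exact-match loop returns entries regardless, and since `ExpireScheduledAnalyzers` runs only from `ScheduleAnalyzer`, an expired entry that has not yet been swept is still attached to an exact-matching connection. Apply the same guard in the first loop: `if ( i->second->timeout > network_time ) result.insert(i->second->analyzer);`. In `ExpireScheduledAnalyzers`, `delete a;` sits inside the `found` branch, so if the index ever lacks the popped entry the object leaks in builds where `assert(found)` is compiled out; moving `delete a;` after the loop keeps the assert and closes the leak. The `scheduled_analyzer_applied` event at the top of this hunk is likewise raised for every scheduled tag, including ones InstantiateAnalyzer declined to create.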
+++ b/src/analyzer/Manager.h @@ -1,12 +1,28 @@ -// The central management unit for dynamic analyzer selection. - +/** + * The central management unit for registering and instantiating analyzers. + * + * For each protocol that Bro supports, there's one class derived from + * analyzer::Analyzer. Once we have decided that a connection's payload is to + * be parsed as a given protocol, we instantiate the corresponding + * analyzer-derived class and add the new instance as a child node into the + * connection's analyzer tree. + * + * In addition to the analyzer-derived class itself, for each protocol + * there's also "meta-class" derived from analyzer::Component that describes + * the analyzer, including status information on if that particular protocol + * analysis is currently enabled. + * + * To identify an analyzer (or to be precise: a component), the manager + * maintains mappings of (1) analyzer::Tag to component, and (2) + * human-readable analyzer name to component. + */ #ifndef ANALYZER_MANAGER_H #define ANALYZER_MANAGER_H #include #include "Analyzer.h" -#include "PluginComponent.h" +#include "Component.h" #include "Tag.h" #include "../Dict.h" 
@@ -15,139 +31,333 @@ namespace analyzer { -// Manager debug logging, which includes the connection id into the message. -#ifdef DEBUG -# define DBG_DPD(conn, txt) \ - DBG_LOG(DBG_DPD, "%s " txt, \ - fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ - conn->RespAddr(), ntohs(conn->RespPort()))); -# define DBG_DPD_ARGS(conn, fmt, args...) \ - DBG_LOG(DBG_DPD, "%s " fmt, \ - fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ - conn->RespAddr(), ntohs(conn->RespPort())), ##args); -#else -# define DBG_DPD(conn, txt) -# define DBG_DPD_ARGS(conn, fmt, args...) -#endif - -// Map index to assign expected connections to analyzers. -class ExpectedConn { -public: - ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, - uint16 _resp_p, uint16 _proto); - - ExpectedConn(const ExpectedConn& c); - - IPAddr orig; - IPAddr resp; - uint16 resp_p; - uint16 proto; -}; - -// Associates an analyzer for an expected future connection. -class AssignedAnalyzer { -public: - AssignedAnalyzer(const ExpectedConn& c) - : conn(c) { } - - ExpectedConn conn; - Tag analyzer; - double timeout; - void* cookie; - bool deleted; - - static bool compare(const AssignedAnalyzer* a1, const AssignedAnalyzer* a2) - { return a1->timeout > a2->timeout; } -}; - -declare(PDict, AssignedAnalyzer); - +/** + * Class maintaining and scheduling available protocol analyzers. + * + * The manager maintains a registry of all available protocol analyzers, + * including a mapping between their textual names and analyzer::Tag. It + * instantantiates new analyzers on demand. For new connections, the manager + * sets up their initial analyzer tree, including adding the right \c PIA, + * respecting well-known ports, and tracking any analyzers specifically + * scheduled for individidual connections. + */ class Manager { public: + /** + * Constructor. + */ Manager(); + + /** + * Destructor. + */ ~Manager(); - void Init(); // Called before script's are parsed. + /** + * Initializes the manager's operation. 
Must be called before scripts + * are parsed. + */ + void Init(); + + /** + * Finished the manager's operations. + */ void Done(); + + /** + * Dumps out the state of all registered analyzers to the \c analyzer + * debug stream. Should be called only after any \c bro_init events + * have executed to ensure that any of their changes are applied. + */ void DumpDebug(); // Called after bro_init() events. + /** + * Enables an analyzer type. Only enabled analyzers will be + * instantiated for new connections. + * + * @param tag The analyzer's tag. + * + * @return True if sucessful. + */ bool EnableAnalyzer(Tag tag); + + /** + * Enables an analyzer type. Only enabled analyzers will be + * instantiated for new connections. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + * + * @return True if sucessful. + */ bool EnableAnalyzer(EnumVal* tag); + /** + * Enables an analyzer type. Disabled analyzers will not be + * instantiated for new connections. + * + * @param tag The analyzer's tag. + * + * @return True if sucessful. + */ bool DisableAnalyzer(Tag tag); + + /** + * Enables an analyzer type. Disabled analyzers will not be + * instantiated for new connections. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + * + * @return True if sucessful. + */ bool DisableAnalyzer(EnumVal* tag); + /** + * Returns true if an analyzer is enabled. + * + * @param tag The analyzer's tag. + */ bool IsEnabled(Tag tag); + + /** + * Returns true if an analyzer is enabled. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + */ bool IsEnabled(EnumVal* tag); + /** + * Registers a well-known port for an analyzer. Once registered, + * connection on that port will start with a corresponding analyzer + * assigned. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + * + * @param port The well-known port. + * + * @return True if sucessful. 
+ */ bool RegisterAnalyzerForPort(EnumVal* tag, PortVal* port); + + /** + * Registers a well-known port for an analyzer. Once registered, + * connection on that port will start with a corresponding analyzer + * assigned. + * + * @param tag The analyzer's tag. + * + * @param proto The port's protocol. + * + * @param port The port's number. + * + * @return True if sucessful. + */ bool RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); + /** + * Unregisters a well-known port for an anlyzers. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + * + * @param port The well-known port. + * + * @return True if sucessful (incl. when the port wasn't actually + * registered for the analyzer). + * + */ bool UnregisterAnalyzerForPort(EnumVal* tag, PortVal* port); + + /** + * Unregisters a well-known port for an anlyzers. + * + * @param tag The analyzer's tag. + * + * @param proto The port's protocol. + * + * @param port The port's number. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + */ bool UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); + /** + * Instantiates a new analyzer instance for a connection. + * + * @param tag The analyzer's tag. + * + * @param conn The connection the analyzer is to be associated with. + * + * @return The new analyzer instance. Note that the analyzer will not + * have been added to the connection's analyzer tree yet. Returns + * null if tag is invalid or the requested analyzer is disabled. + */ Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled or not available. + + /** + * Instantiates a new analyzer instance for a connection. + * + * @param name The name of the analyzer. + * + * @param conn The connection the analyzer is to be associated with. + * + * @return The new analyzer instance. Note that the analyzer will not + * have been added to the connection's analyzer tree yet. 
Returns + * null if the name is not known or if the requested analyzer that is + * disabled. + */ Analyzer* InstantiateAnalyzer(const char* name, Connection* c); // Null if disabled or not available. + /** + * Translates an analyzer tag into corresponding analyzer name. + * + * @param tag The analyzer tag. + * + * @return The name, or an empty string if the tag is invalid. + */ const string& GetAnalyzerName(Tag tag); - const string& GetAnalyzerName(Val* val); - Tag GetAnalyzerTag(const string& name); // Tag::ERROR when not known. - Tag GetAnalyzerTag(const char* name); // Tag::ERROR when not known. + /** + * Translates an script-level analyzer tag into corresponding + * analyzer name. + * + * @param val The analyzer tag as an script-level enum value of type + * \c Analyzer::Tag. + * + * @return The name, or an empty string if the tag is invalid. + */ + const string& GetAnalyzerName(Val* val); + + /** + * Translates an analyzer name into the corresponding tag. + * + * @param name The name. + * + * @return The tag. If the name does not correspond to a valid + * analyzer, the returned tag will evaluate to false. + */ + Tag GetAnalyzerTag(const string& name); + + /** + * Translates an analyzer name into the corresponding tag. + * + * @param name The name. + * + * @return The tag. If the name does not correspond to a valid + * analyzer, the returned tag will evaluate to false. + */ + Tag GetAnalyzerTag(const char* name); + + /** + * Returns the enum type that corresponds to the script-level type \c + * Analyzer::Tag. + */ EnumType* GetTagEnumType(); - // Given info about the first packet, build initial analyzer tree. - // - // It would be more flexible if we simply pass in the IP header and - // then extract the information we need. However, when this method - // is called from the session management, protocol and ports have - // already been extracted there and it would be a waste to do it - // again. 
- // - // Returns 0 if we can't build a tree (e.g., because the necessary - // analyzers have not been converted to the Manager framework yet...) - bool BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, - const u_char* data); + /** + * Given the first packet of a connection, builds its initial + * analyzer tree. + * + * @param conn The connection to add the initial set of analyzers to. + * + * @return False if the tree cannot be build; that's usually an + * internally error. + */ + bool BuildInitialAnalyzerTree(Connection* conn); - // Schedules a particular analyzer for an upcoming connection. 0 acts - // as a wildcard for orig. (Cookie is currently unused. Eventually, - // we may pass it on to the analyzer). - void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, - TransportProto proto, Tag analyzer, - double timeout, void* cookie); + /** + * Schedules a particular analyzer for an upcoming connection. Once + * the connection is seen, BuildInitAnalyzerTree() will add the + * specified analyzer to its tree. + * + * @param orig The connection's anticipated originator address. + * 0.0.0.0 can be used as a wildcard matching any originator. + * + * @param resp The connection's anticipated responder address (no + * wilcard). + * + * @param resp_p The connection's anticipated responder port. + * + * @param proto The connection's anticipated transport protocol. + * + * @param analyzer The analyzer to use once the connection is seen. + * + * @param timeout An interval after which to timeout the request to + * schedule this analyzer. Must be non-zero. + */ + void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, + TransportProto proto, Tag analyzer, double timeout); - void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, + /** + * Schedules a particular analyzer for an upcoming connection. Once + * the connection is seen, BuildInitAnalyzerTree() will add the + * specified analyzer to its tree. 
+ * + * @param orig The connection's anticipated originator address. 0 can + * be used as a wildcard matching any originator. + * + * @param resp The The connection's anticipated responder address (no + * wilcard). + * + * @param resp_p The connection's anticipated responder port. + * + * @param proto The connection's anticipated transport protocol. + * + * @param analyzer The name of the analyzer to use once the + * connection is seen. + * + * @param timeout An interval after which to timeout the request to + * schedule this analyzer. Must be non-zero. + */ + void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, TransportProto proto, const string& analyzer, - double timeout, void* cookie); + double timeout); - void ExpectConnection(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, - Val* val, double timeout, void* cookie); - - // Activates signature matching for protocol detection. (Called when - // an Manager signatures is found.) - void ActivateSigs() { sigs_activated = true; } - bool SigsActivated() const { return sigs_activated; } + /** + * Schedules a particular analyzer for an upcoming connection. Once + * the connection is seen, BuildInitAnalyzerTree() will add the + * specified analyzer to its tree. + * + * @param orig The connection's anticipated originator address. 0 can + * be used as a wildcard matching any originator. + * + * @param resp The connection's anticipated responder address (no + * wilcard). + * + * @param resp_p The connection's anticipated responder port. + * + * @param analyzer The analyzer to use once the connection is seen as + * an enum value of script-type \c Analyzer::Tag. + * + * @param timeout An interval after which to timeout the request to + * schedule this analyzer. Must be non-zero. 
+ */ + void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, + Val* analyzer, double timeout); private: typedef set tag_set; - typedef map analyzer_map_by_name; - typedef map analyzer_map_by_tag; - typedef map analyzer_map_by_val; + typedef map analyzer_map_by_name; + typedef map analyzer_map_by_tag; + typedef map analyzer_map_by_val; typedef map analyzer_map_by_port; - void RegisterAnalyzerComponent(PluginComponent* component); // Takes ownership. + void RegisterAnalyzerComponent(Component* component); // Takes ownership. - PluginComponent* Lookup(const string& name); - PluginComponent* Lookup(const char* name); - PluginComponent* Lookup(const Tag& tag); - PluginComponent* Lookup(EnumVal* val); + Component* Lookup(const string& name); + Component* Lookup(const char* name); + Component* Lookup(const Tag& tag); + Component* Lookup(EnumVal* val); tag_set* LookupPort(PortVal* val, bool add_if_not_found); tag_set* LookupPort(TransportProto proto, uint32 port, bool add_if_not_found); - // Return analyzer if any has been scheduled with ExpectConnection() - // Tag::::Error if none. - Tag GetExpected(int proto, const Connection* conn); + tag_set GetScheduled(const Connection* conn); + void ExpireScheduledAnalyzers(); analyzer_map_by_port analyzers_by_port_tcp; analyzer_map_by_port analyzers_by_port_udp; 
@@ -163,21 +373,62 @@ private: EnumType* tag_enum_type; - // True if signature-matching has been activated. - bool sigs_activated; + //// Data structures to track analyzed scheduled for future connections. - PDict(AssignedAnalyzer) expected_conns; + // The index for a scheduled connection. + struct ConnIndex { + IPAddr orig; + IPAddr resp; + uint16 resp_p; + uint16 proto; - typedef priority_queue< - AssignedAnalyzer*, - vector, - bool (*)(const AssignedAnalyzer*, - const AssignedAnalyzer*)> conn_queue; - conn_queue expected_conns_queue; + ConnIndex(const IPAddr& _orig, const IPAddr& _resp, + uint16 _resp_p, uint16 _proto); + ConnIndex(); + + bool operator<(const ConnIndex& other) const; + }; + + // Information associated with a scheduled connection. + struct ScheduledAnalyzer { + ConnIndex conn; + Tag analyzer; + double timeout; + + struct Comparator { + bool operator() (ScheduledAnalyzer* a, ScheduledAnalyzer* b) { + return a->timeout > b->timeout; + } + }; + }; + + typedef std::multimap conns_map; + typedef std::priority_queue, + ScheduledAnalyzer::Comparator> conns_queue; + + conns_map conns; + conns_queue conns_by_timeout; }; } extern analyzer::Manager* analyzer_mgr; +// Macros for anayzer debug logging which include the connection id into the +// message. +#ifdef DEBUG +# define DBG_ANALYZER(conn, txt) \ + DBG_LOG(DBG_ANALYZER, "%s " txt, \ + fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ + conn->RespAddr(), ntohs(conn->RespPort()))); +# define DBG_ANALYZER_ARGS(conn, fmt, args...) \ + DBG_LOG(DBG_ANALYZER, "%s " fmt, \ + fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ + conn->RespAddr(), ntohs(conn->RespPort())), ##args); +#else +# define DBG_ANALYZER(conn, txt) +# define DBG_ANALYZER_ARGS(conn, fmt, args...) +#endif + #endif diff --git a/src/analyzer/PluginComponent.cc b/src/analyzer/PluginComponent.cc deleted file mode 100644 index fed3ca225a..0000000000 --- a/src/analyzer/PluginComponent.cc +++ /dev/null 
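Review bot: `ScheduledAnalyzer::Comparator::operator()` should be a const member taking `const ScheduledAnalyzer*`, so it is usable by `std::priority_queue` however the queue invokes it: `bool operator()(const ScheduledAnalyzer* a, const ScheduledAnalyzer* b) const`. Both `conns` and `conns_by_timeout` hold raw `ScheduledAnalyzer*` to the same objects, and nothing in the header says which container owns them or where they are freed (presumably `conns`, with `ExpireScheduledAnalyzers()` doing the release, but that cannot be confirmed from this file); a comment above the two members stating the owner would save the next reader a trip into Manager.cc. The named variadic parameter in `DBG_ANALYZER_ARGS` (`args...`, `##args`) is a GNU extension, which is fine only as long as the build never targets a non-GNU compiler.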
@@ -1,37 +0,0 @@ - -#include "PluginComponent.h" - -#include "../Desc.h" - -using namespace analyzer; - -Tag::type_t PluginComponent::type_counter = 0; - -PluginComponent::PluginComponent(std::string arg_name, factory_callback arg_factory, bool arg_enabled, bool arg_partial) - : Component(plugin::component::ANALYZER) - { - name = arg_name; - factory = arg_factory; - enabled = arg_enabled; - partial = arg_partial; - - tag = analyzer::Tag(++type_counter, 0); - } - -PluginComponent::PluginComponent(std::string arg_name, Tag::subtype_t arg_stype, factory_callback arg_factory, bool arg_enabled, bool arg_partial) - : Component(plugin::component::ANALYZER) - { - name = arg_name; - factory = arg_factory; - enabled = arg_enabled; - partial = arg_partial; - - tag = analyzer::Tag(++type_counter, arg_stype); - } - -void PluginComponent::Describe(ODesc* d) - { - plugin::Component::Describe(d); - d->Add(name); - } - diff --git a/src/analyzer/PluginComponent.h b/src/analyzer/PluginComponent.h deleted file mode 100644 index baad63f9f8..0000000000 --- a/src/analyzer/PluginComponent.h +++ /dev/null 
@@ -1,51 +0,0 @@ - -#ifndef ANALYZER_PLUGIN_COMPONENT_H -#define ANALYZER_PLUGIN_COMPONENT_H - -#include - -#include "../config.h" -#include "../util.h" - -#include "plugin/Component.h" -#include "Tag.h" - -class Connection; - -namespace analyzer { - -class Analyzer; - -// This can be copied by value. -class PluginComponent : public plugin::Component { -public: - typedef bool (*available_callback)(); - typedef Analyzer* (*factory_callback)(Connection* conn); - - PluginComponent(std::string name, factory_callback factory, bool enabled, bool partial); - PluginComponent(std::string name, Tag::subtype_t subtype, factory_callback factory, bool enabled, bool partial); - - const std::string& Name() const { return name; } - factory_callback Factory() const { return factory; } - bool Partial() const { return partial; } - bool Enabled() const { return enabled; } - analyzer::Tag Tag() const { return tag; } - - void SetEnabled(bool arg_enabled) { enabled = arg_enabled; } - - virtual void Describe(ODesc* d); - -private: - std::string name; - factory_callback factory; - bool partial; - - analyzer::Tag tag; - bool enabled; - - static analyzer::Tag::type_t type_counter; -}; - -} - -#endif diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc index fbf1bcd2b7..0b765742dc 100644 --- a/src/analyzer/Tag.cc +++ b/src/analyzer/Tag.cc @@ -6,11 +6,10 @@ using namespace analyzer; -Tag Tag::ERROR; - Tag::Tag(type_t arg_type, subtype_t arg_subtype) { assert(arg_type > 0); + type = arg_type; subtype = arg_subtype; int64_t i = (int64)(type) | ((int64)subtype << 31); @@ -23,6 +22,7 @@ Tag::Tag(type_t arg_type, subtype_t arg_subtype) Tag::Tag(EnumVal* arg_val) { assert(val); + val = arg_val; Ref(val); @@ -37,7 +37,7 @@ Tag::Tag(const Tag& other) : type(other.type), subtype(other.subtype) subtype = other.subtype; val = other.val; - if ( val ) + if ( val ) Ref(val); } @@ -48,7 +48,7 @@ Tag::Tag() val = 0; } -EnumVal* Tag::Val() +EnumVal* Tag::AsEnumVal() const { if ( ! val ) { 
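Review bot: In `Tag::Tag(type_t, subtype_t)` the packed identifier `(int64)(type) | ((int64)subtype << 31)` overlaps at bit 31: `type` is a 32-bit value occupying bits 0–31 while `subtype` starts at bit 31, so a main type with its top bit set would alias part of the subtype. With main types handed out by a counter this is unreachable in practice, but it deserves either a guard next to the existing assertion, `assert(arg_type < (1u << 31));`, or a shift by 32 if nothing yet depends on the resulting enum values. The constructor's body continues outside the hunk.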
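Review bot: `Tag::Tag(EnumVal* arg_val)` asserts on the member `val` before the added line assigns `arg_val` to it, so the check reads an uninitialized pointer and never validates the argument; it should be `assert(arg_val);`. Because `Ref(val)` follows immediately, a null argument in a release build presumably dereferences null instead of failing the assertion. The constructor continues outside the hunk.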
@@ -66,4 +66,3 @@ std::string Tag::AsString() const { return fmt("%" PRIu32 "/%" PRIu32, type, subtype); } - diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index dab8563982..90a6804dc4 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -2,14 +2,6 @@ #ifndef ANALYZER_TAG_H #define ANALYZER_TAG_H -// Each kind of analyzer gets a tag consisting of a main type and subtype. -// The former is an identifier that's unique all analyzer classes. The latter -// is passed through analyzer instances, yet not further interpreted by the -// analyzer infrastructure; it allows an analyzer to branch out into a set of -// sub-analyzers internally. Jointly, main type and subtype form an analyzer -// "tag". Each unique tag corresponds to a single "analyzer" from the user's -// perspective. - #include "config.h" #include "util.h" 
@@ -17,41 +9,129 @@ class EnumVal; namespace analyzer { -/// This has supports all operations to be used as a map index. +class Manager; +class Component; + +/** + * Class to identify an analyzdr type. + * + * Each analyzer type gets a tag consisting of a main type and subtype. The + * former is an identifier that's unique all analyzer classes. The latter is + * passed through to the analyzer instances for their use, yet not further + * interpreted by the analyzer infrastructure; it allows an analyzer to + * branch out into a set of sub-analyzers internally. Jointly, main type and + * subtype form an analyzer "tag". Each unique tag corresponds to a single + * "analyzer" from the user's perspective. At the script layer, these tags + * are mapped into enums of type \c Analyzer::Tag. Internally, the + * analyzer::Mangager maintains the mapping of tag to analyzer (and it also + * assigns them their main types), and analyzer::Component creates new + * tags. + * + * The Tag class supports all operations necessary to act at the index in a + * \c std::map. + */ class Tag { public: + /** + * Type for the analyzer's main type. + */ typedef uint32 type_t; + + /** + * Type for the analyzer's subtype. + */ typedef uint32 subtype_t; - Tag(type_t type, subtype_t subtype = 0); - Tag(EnumVal* val); + /* + * Copy constructor. + */ Tag(const Tag& other); - Tag(); // Tag::ERROR value + /** + * Default constructor. This initializes the tag with an error value + * that will make \c operator \c bool return false. + */ + Tag(); + + /** + * Returns the tag's main type. + */ type_t Type() const { return type; } + + /** + * Returns the tag's subtype. + */ subtype_t Subtype() const { return subtype; } - // Returns an identifying integer for this tag that's guaranteed to - // be unique across all tags. - EnumVal* Val(); + /** + * Returns the \c Analyzer::Tag enum that corresponds to this tag. + * The returned value is \a does not have its ref-count increased. 
+ */ + EnumVal* AsEnumVal() const; + /** + * Returns the numerical values for main and subtype inside a string + * suitable for printing. This is primarily for debugging. + */ std::string AsString() const; + /** + * Returns false if the tag represents an error value rather than a + * legal analyzer type. + */ operator bool() const { return *this != Tag(); } - bool operator==(const Tag& other) const { return type == other.type && subtype == other.subtype; } - bool operator!=(const Tag& other) const { return type != other.type || subtype != other.subtype; } + + /** + * Compares two tags for equality. + */ + bool operator==(const Tag& other) const + { + return type == other.type && subtype == other.subtype; + } + + /** + * Compares two tags for inequality. + */ + bool operator!=(const Tag& other) const + { + return type != other.type || subtype != other.subtype; + } + + /** + * Compares two tags for less-than relationship. + */ bool operator<(const Tag& other) const { return type != other.type ? type < other.type : (subtype < other.subtype); } +protected: + friend class analyzer::Manager; + friend class analyzer::Component; - static Tag ERROR; + /** + * Constructor. Note + * + * @param type The main type. Note that the \a analyzer::Manager + * manages the value space internally, so noone else should assign + * any main tyoes. + * + * @param subtype The sub type, which is left to an analyzer for + * interpretation. By default it's set to zero. + */ + Tag(type_t type, subtype_t subtype = 0); + + /** + * Constructor. + * + * @param val An enuam value of script type \c Analyzer::Tag. + */ + Tag(EnumVal* val); private: - type_t type; - subtype_t subtype; - EnumVal* val; + type_t type; // Main type. + subtype_t subtype; // Subtype. + mutable EnumVal* val; // Analyzer::Tag value. }; } diff --git a/src/event.bif b/src/event.bif index fbc02ef8b5..65ff3a5731 100644 --- a/src/event.bif +++ b/src/event.bif 
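Review bot: The class declares a copy constructor that calls `Ref(val)` but no destructor and no copy-assignment operator, so unless they are defined elsewhere the reference taken on copy is never released and the implicit `operator=` copies `val` without a matching `Ref()`; with Tag used as a map index and copied freely, the ref counts on the `Analyzer::Tag` enum values will drift. Declaring `~Tag();` and `Tag& operator=(const Tag& other);` next to the copy constructor, with matching definitions in Tag.cc, would make the ownership consistent. The new documentation also has several typos worth fixing in the same pass — `analyzdr`, `Mangager`, `tyoes`, `enuam`, `noone`, and `Constructor. Note` left dangling — and the sentence `The returned value is \a does not have its ref-count increased` on `AsEnumVal()` is garbled; the `/* * Copy constructor. */` block is also not a Doxygen comment (`/**`), so it will not appear in generated docs.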
@@ -134,7 +134,7 @@ event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection_contents partial_connection +## scheduled_analyzer_applied new_connection_contents partial_connection ## ## .. note:: ## @@ -168,7 +168,7 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%); ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection partial_connection +## scheduled_analyzer_applied new_connection partial_connection event new_connection_contents%(c: connection%); ## Generated for an unsuccessful connection attempt. This event is raised when @@ -183,7 +183,7 @@ event new_connection_contents%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_attempt%(c: connection%); 
@@ -199,7 +199,7 @@ event connection_attempt%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_established%(c: connection%); @@ -215,7 +215,7 @@ event connection_established%(c: connection%); ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection new_connection_contents +## scheduled_analyzer_applied new_connection new_connection_contents ## event partial_connection%(c: connection%); @@ -231,7 +231,7 @@ event partial_connection%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_partial_close%(c: connection%); 
@@ -244,7 +244,7 @@ event connection_partial_close%(c: connection%); ## connection_established connection_external connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_finished%(c: connection%); @@ -258,7 +258,7 @@ event connection_finished%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_half_finished%(c: connection%); @@ -270,7 +270,7 @@ event connection_half_finished%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## c: The connection. 
@@ -294,7 +294,7 @@ event connection_rejected%(c: connection%); ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection new_connection_contents +## scheduled_analyzer_applied new_connection new_connection_contents ## partial_connection event connection_reset%(c: connection%); @@ -306,7 +306,7 @@ event connection_reset%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection bro_done event connection_pending%(c: connection%); @@ -323,7 +323,7 @@ event connection_pending%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection udp_inactivity_timeout ## tcp_inactivity_timeout icmp_inactivity_timeout conn_stats event connection_state_remove%(c: connection%); 
@@ -339,7 +339,7 @@ event connection_state_remove%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## .. note:: @@ -360,7 +360,7 @@ event connection_SYN_packet%(c: connection, pkt: SYN_packet%); ## connection_established connection_external connection_finished ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## .. note:: @@ -379,7 +379,7 @@ event connection_first_ACK%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused -## connection_state_remove connection_status_update expected_connection_seen +## connection_state_remove connection_status_update scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## .. note:: 
@@ -402,7 +402,7 @@ event connection_timeout%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_reused%(c: connection%); @@ -416,7 +416,7 @@ event connection_reused%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused -## connection_state_remove connection_timeout expected_connection_seen +## connection_state_remove connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_status_update%(c: connection%); @@ -446,7 +446,7 @@ event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: co ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_EOF%(c: connection, is_orig: bool%); 
@@ -481,7 +481,7 @@ event connection_external%(c: connection, tag: string%); ## ## .. todo:: We don't have a good way to document the automatically generated ## ``ANALYZER_*`` constants right now. -event expected_connection_seen%(c: connection, a: count%); +event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%); ## Generated for every packet Bro sees. This is a very low-level and expensive ## event that should be avoided when at all possible. It's usually infeasible to diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index f10d6adf45..f132927560 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -2,7 +2,7 @@ #ifndef PLUGIN_MACROS_H #define PLUGIN_MACROS_H -#include "analyzer/PluginComponent.h" +#include "analyzer/Component.h" #define BRO_PLUGIN_VERSION_BUILTIN -1 #define BRO_PLUGIN_API_VERSION 1 @@ -36,7 +36,10 @@ std::list > __bif_##file##_init(); \ AddBifInitFunction(&__bif_##file##_init); -#define BRO_PLUGIN_ANALYZER(tag, factory, enabled, partial) \ - AddComponent(new ::analyzer::PluginComponent(tag, factory, enabled, partial)); +#define BRO_PLUGIN_ANALYZER(tag, factory) \ + AddComponent(new ::analyzer::Component(tag, factory)); + +#define BRO_PLUGIN_ANALYZER_EXT(tag, factory, enabled, partial) \ + AddComponent(new ::analyzer::Component(tag, factory, 0, enabled, partial)); #endif diff --git a/src/protocols/BuiltInAnalyzers.cc b/src/protocols/BuiltInAnalyzers.cc index 0c96ab17e4..ff7bd11c1c 100644 --- a/src/protocols/BuiltInAnalyzers.cc +++ b/src/protocols/BuiltInAnalyzers.cc @@ -3,7 +3,7 @@ // analyzers into separate plugins. #include "BuiltInAnalyzers.h" -#include "analyzer/PluginComponent.h" +#include "analyzer/Component.h" #include "../binpac_bro.h" 
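Review bot: The `.. todo::` in the context lines about not being able to document the `ANALYZER_*` constants is stale now that the event's second parameter is typed `Analyzer::Tag` rather than `count`; the parameter should get its own line in the doc block, `## a: The analyzer that was scheduled for the connection, as an Analyzer::Tag value.`, and the todo dropped. The event's full doc block begins outside the hunk.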
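Review bot: `BRO_PLUGIN_ANALYZER_EXT` passes a bare `0` as the third `Component` constructor argument with nothing saying what it is (presumably the tag subtype, given the default documented in Tag.h); the macro body would read better as `AddComponent(new ::analyzer::Component(tag, factory, 0 /* subtype */, enabled, partial));`, and a one-line comment above each macro stating when the `_EXT` form is needed would help plugin authors. The same undocumented `0` appears in the new `DEFINE_ANALYZER_VERSION_BINPAC` and `DEFINE_ANALYZER_VERSION_NON_BINPAC` macros in src/protocols/BuiltInAnalyzers.cc.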
@@ -47,8 +47,13 @@ using namespace analyzer; BuiltinAnalyzers builtin_analyzers; -#define DEFINE_ANALYZER(name, factory, enabled, partial) \ - AddComponent(new PluginComponent(name, factory, enabled, partial)) +#define DEFINE_ANALYZER(name, factory) \ + AddComponent(new Component(name, factory)) + +#define DEFINE_ANALYZER_VERSION_BINPAC(name, factory) \ + AddComponent(new Component(name, factory, 0, FLAGS_use_binpac)) +#define DEFINE_ANALYZER_VERSION_NON_BINPAC(name, factory) \ + AddComponent(new Component(name, factory, 0, ! FLAGS_use_binpac)) void BuiltinAnalyzers::Init() { 
@@ -58,72 +63,69 @@ void BuiltinAnalyzers::Init() desc.version = BRO_PLUGIN_VERSION_BUILTIN; SetDescription(desc); - DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer); + DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer); - DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); - DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer, true, false); - // DEFINE_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, ! 
FLAGS_use_binpac, false); - DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("LOGIN", 0, true, false); // just a base class - DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("NETBIOSSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("RPC", 0, true, false); - DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER_VERSION_NON_BINPAC("DNS", DNS_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("LOGIN", 0); // just a base class + DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("NETBIOSSSN", 
NetbiosSSN_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("RPC", 0); + DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("DNS_TCP_BINPAC", DNS_TCP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); - DEFINE_ANALYZER("DNS_UDP_BINPAC", DNS_UDP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); - // DEFINE_ANALYZER("HTTP_BINPAC", HTTP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); - // DEFINE_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer); + DEFINE_ANALYZER_VERSION_BINPAC("DNS_TCP_BINPAC", DNS_TCP_Analyzer_binpac::InstantiateAnalyzer); + DEFINE_ANALYZER_VERSION_BINPAC("DNS_UDP_BINPAC", DNS_UDP_Analyzer_binpac::InstantiateAnalyzer); + DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer); + DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("TEREDO", 
Teredo_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("CONTENTS", 0, true, false); - DEFINE_ANALYZER("CONTENTLINE", 0, true, false); - DEFINE_ANALYZER("NVT", 0, true, false); - DEFINE_ANALYZER("ZIP", 0, true, false); - DEFINE_ANALYZER("CONTENTS_DNS", 0, true, false); - DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0, true, false); - DEFINE_ANALYZER("CONTENTS_NCP", 0, true, false); - DEFINE_ANALYZER("CONTENTS_RLOGIN", 0, true, false); - DEFINE_ANALYZER("CONTENTS_RSH", 0, true, false); - DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0, true, false); - DEFINE_ANALYZER("CONTENTS_SMB", 0, true, false); - DEFINE_ANALYZER("CONTENTS_RPC", 0, true, false); - DEFINE_ANALYZER("CONTENTS_NFS", 0, true, false); - 
DEFINE_ANALYZER("FTP_ADAT", 0, true, false);
+ DEFINE_ANALYZER("CONTENTS", 0);
+ DEFINE_ANALYZER("CONTENTLINE", 0);
+ DEFINE_ANALYZER("NVT", 0);
+ DEFINE_ANALYZER("ZIP", 0);
+ DEFINE_ANALYZER("CONTENTS_DNS", 0);
+ DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0);
+ DEFINE_ANALYZER("CONTENTS_NCP", 0);
+ DEFINE_ANALYZER("CONTENTS_RLOGIN", 0);
+ DEFINE_ANALYZER("CONTENTS_RSH", 0);
+ DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0);
+ DEFINE_ANALYZER("CONTENTS_SMB", 0);
+ DEFINE_ANALYZER("CONTENTS_RPC", 0);
+ DEFINE_ANALYZER("CONTENTS_NFS", 0);
+ DEFINE_ANALYZER("FTP_ADAT", 0);
 }
diff --git a/src/protocols/http/HTTP.cc b/src/protocols/http/HTTP.cc
index 2812f3662b..d5d911bbc6 100644
--- a/src/protocols/http/HTTP.cc
+++ b/src/protocols/http/HTTP.cc
@@ -17,7 +17,7 @@ BRO_PLUGIN_BEGIN(HTTP)
 BRO_PLUGIN_DESCRIPTION = "HTTP Analyzer";
- BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, true, false);
+ BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_BIF_FILE(functions);
 BRO_PLUGIN_END
diff --git a/src/protocols/ssl/Plugin.cc b/src/protocols/ssl/Plugin.cc
index 3e42ae0c32..fb47c9b946 100644
--- a/src/protocols/ssl/Plugin.cc
+++ b/src/protocols/ssl/Plugin.cc
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SSL)
 BRO_PLUGIN_DESCRIPTION = "SSL Analyzer";
- BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false);
+ BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index b476306ae6..0482b574f8 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-03-26-20-58-03 +#open 2013-04-01-19-44-31 #fields name #types string scripts/base/init-bare.bro - build/src/base/const.bif.bro - build/src/base/types.bif.bro - build/src/base/strings.bif.bro - build/src/base/bro.bif.bro - build/src/base/reporter.bif.bro - build/src/base/event.bif.bro + build/scripts/base/bif/const.bif.bro + build/scripts/base/bif/types.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/event.bif.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/./main.bro - build/src/base/logging.bif.bro + build/scripts/base/bif/logging.bif.bro scripts/base/frameworks/logging/./postprocessors/__load__.bro scripts/base/frameworks/logging/./postprocessors/./scp.bro scripts/base/frameworks/logging/./postprocessors/./sftp.bro @@ -25,12 +25,16 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/./writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/./main.bro - build/src/base/input.bif.bro + build/scripts/base/bif/input.bif.bro scripts/base/frameworks/input/./readers/ascii.bro scripts/base/frameworks/input/./readers/raw.bro scripts/base/frameworks/input/./readers/benchmark.bro scripts/base/frameworks/analyzer/__load__.bro scripts/base/frameworks/analyzer/./main.bro - build/src/base/analyzer.bif.bro + build/scripts/base/bif/analyzer.bif.bro + build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./HTTP.events.bif.bro + build/scripts/base/bif/plugins/./HTTP.functions.bif.bro + build/scripts/base/bif/plugins/./SSL.events.bif.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-03-26-20-58-03 +#close 2013-04-01-19-44-31 
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index ddcae1d0eb..390040ab4a 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-03-26-20-58-16 +#open 2013-04-01-19-44-38 #fields name #types string scripts/base/init-bare.bro - build/src/base/const.bif.bro - build/src/base/types.bif.bro - build/src/base/strings.bif.bro - build/src/base/bro.bif.bro - build/src/base/reporter.bif.bro - build/src/base/event.bif.bro + build/scripts/base/bif/const.bif.bro + build/scripts/base/bif/types.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/event.bif.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/./main.bro - build/src/base/logging.bif.bro + build/scripts/base/bif/logging.bif.bro scripts/base/frameworks/logging/./postprocessors/__load__.bro scripts/base/frameworks/logging/./postprocessors/./scp.bro scripts/base/frameworks/logging/./postprocessors/./sftp.bro 
@@ -25,13 +25,17 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/./writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/./main.bro - build/src/base/input.bif.bro + build/scripts/base/bif/input.bif.bro scripts/base/frameworks/input/./readers/ascii.bro scripts/base/frameworks/input/./readers/raw.bro scripts/base/frameworks/input/./readers/benchmark.bro scripts/base/frameworks/analyzer/__load__.bro scripts/base/frameworks/analyzer/./main.bro - build/src/base/analyzer.bif.bro + build/scripts/base/bif/analyzer.bif.bro + build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./HTTP.events.bif.bro + build/scripts/base/bif/plugins/./HTTP.functions.bif.bro + build/scripts/base/bif/plugins/./SSL.events.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/./patterns.bro @@ -122,4 +126,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-03-26-20-58-16 +#close 2013-04-01-19-44-38 diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output b/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output new file mode 100644 index 0000000000..69285a4dbe --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output 
@@ -0,0 +1,5 @@ +APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_DNS +APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_FTP +APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_SSH +APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_HTTP +APPLIED:, 1299499195.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=8/tcp], Analyzer::ANALYZER_DNS diff --git a/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro b/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro new file mode 100644 index 0000000000..e67a4fa82b --- /dev/null +++ b/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro 
@@ -0,0 +1,36 @@
+#
+# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+global x = 0;
+
+event new_connection(c: connection)
+ {
+ # Make sure expiration executes.
+ Analyzer::schedule_analyzer(1.2.3.4, 1.2.3.4, 8/tcp, Analyzer::ANALYZER_MODBUS, 100hrs);
+
+ if ( x > 0 )
+ return;
+
+ x = 1;
+
+ Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_SSH, 100hrs);
+ Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_HTTP, 100hrs);
+ Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_DNS, 100hrs);
+ Analyzer::schedule_analyzer(0.0.0.0, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_FTP, 100hrs);
+
+ Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 7/tcp, Analyzer::ANALYZER_SSH, 1sec);
+ Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 8/tcp, Analyzer::ANALYZER_HTTP, 1sec);
+ Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 8/tcp, Analyzer::ANALYZER_DNS, 100hrs);
+ Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 9/tcp, Analyzer::ANALYZER_FTP, 1sec);
+ }
+
+event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag)
+ {
+ print "APPLIED:", network_time(), c$id, a;
+ }
+
+
+
+
+
From bfda42b9e929e5a9dcefa8333690d51a8a14e03a Mon Sep 17 00:00:00 2001
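Review bot: The new test file ends with five empty added lines after the closing brace of `scheduled_analyzer_applied`; trim them so the file ends at `}`. The `if ( x > 0 ) return;` guard on the global `x` is the only thing that restricts the bulk of the scheduling to the first connection, and that intent deserves a comment such as `# Schedule the real test cases only on the first connection.` above it, since the existing `# Make sure expiration executes.` comment describes the MODBUS line that runs on every connection rather than the guard below it.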
From: Robin Sommer Date: Wed, 3 Apr 2013 13:38:08 -0700 Subject: [PATCH 019/200] Removing legacy binpac analyzer for DNS and HTTP. --- scripts/base/protocols/dns/main.bro | 12 +- src/CMakeLists.txt | 9 - src/DNS-binpac.cc | 90 -------- src/DNS-binpac.h | 60 ----- src/Sessions.cc | 2 - src/dns-analyzer.pac | 343 ---------------------------- src/dns-protocol.pac | 215 ----------------- src/dns.pac | 9 - src/dns_tcp.pac | 45 ---- src/protocols/BuiltInAnalyzers.cc | 10 +- src/protocols/http/HTTP.h | 2 +- src/protocols/unused/HTTP-binpac.cc | 46 ---- src/protocols/unused/HTTP-binpac.h | 28 --- 13 files changed, 5 insertions(+), 866 deletions(-) delete mode 100644 src/DNS-binpac.cc delete mode 100644 src/DNS-binpac.h delete mode 100644 src/dns-analyzer.pac delete mode 100644 src/dns-protocol.pac delete mode 100644 src/dns.pac delete mode 100644 src/dns_tcp.pac delete mode 100644 src/protocols/unused/HTTP-binpac.cc delete mode 100644 src/protocols/unused/HTTP-binpac.h diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 6279ba4dab..f1264a9f52 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro 
@@ -117,19 +117,13 @@ redef capture_filters += {
 ["netbios-ns"] = "udp port 137",
 };
-const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp };
-const dns_tcp_ports = { 53/tcp };
-
-redef likely_server_ports += { dns_udp_ports, dns_tcp_ports };
+const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
+redef likely_server_ports += { ports };
 event bro_init() &priority=5
 {
 Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]);
-
- Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_tcp_ports);
- Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_udp_ports);
- Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports);
- Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports);
+ Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports);
 }
 function new_session(c: connection, trans_id: count): Info
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 5109f71105..e847255258 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -144,14 +144,8 @@ binpac_target(dce_rpc_simple.pac
 dce_rpc-protocol.pac epmapper.pac)
 binpac_target(dhcp.pac
 dhcp-protocol.pac dhcp-analyzer.pac)
-binpac_target(dns.pac
- dns-protocol.pac dns-analyzer.pac)
-binpac_target(dns_tcp.pac
- dns.pac)
 binpac_target(gtpv1.pac
 gtpv1-protocol.pac gtpv1-analyzer.pac)
-# binpac_target(http.pac
-# http-protocol.pac http-analyzer.pac)
 binpac_target(ncp.pac)
 binpac_target(netflow.pac
 netflow-protocol.pac netflow-analyzer.pac)
@@ -159,8 +153,6 @@ binpac_target(smb.pac
 smb-protocol.pac smb-pipe.pac smb-mailslot.pac)
 binpac_target(socks.pac
 socks-protocol.pac socks-analyzer.pac)
-# binpac_target(ssl.pac
-# ssl-defs.pac ssl-protocol.pac ssl-analyzer.pac)
 binpac_target(syslog.pac
 syslog-protocol.pac syslog-analyzer.pac)
 binpac_target(modbus.pac
@@ -258,7 +250,6 @@ set(bro_SRCS
 DFA.cc
 DHCP-binpac.cc
 DNS.cc
- DNS-binpac.cc
 DNS_Mgr.cc
 DbgBreakpoint.cc
 DbgHelp.cc
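Review bot: The new `const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };` is not declared `&redef`, so a site that serves DNS on an additional port cannot extend the set that `Analyzer::register_for_ports` and `likely_server_ports` see without editing this base script; `const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp } &redef;` keeps the single-set simplification while allowing that. The name `ports` is also very generic for a module-level global — it presumably resolves inside the DNS module's namespace, but a more specific name such as `dns_ports` would read better next to `likely_server_ports` and match the names this hunk removes.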
diff --git a/src/DNS-binpac.cc b/src/DNS-binpac.cc deleted file mode 100644 index 4ab84d1cfe..0000000000 --- a/src/DNS-binpac.cc +++ /dev/null 
@@ -1,90 +0,0 @@ -#include "DNS-binpac.h" -#include "TCP_Reassembler.h" - -DNS_UDP_Analyzer_binpac::DNS_UDP_Analyzer_binpac(Connection* conn) -: Analyzer("DNS_UDP_BINPAC", conn) - { - interp = new binpac::DNS::DNS_Conn(this); - did_session_done = 0; - ADD_ANALYZER_TIMER(&DNS_UDP_Analyzer_binpac::ExpireTimer, - network_time + dns_session_timeout, 1, TIMER_DNS_EXPIRE); - } - -DNS_UDP_Analyzer_binpac::~DNS_UDP_Analyzer_binpac() - { - delete interp; - } - -void DNS_UDP_Analyzer_binpac::Done() - { - Analyzer::Done(); - - if ( ! did_session_done ) - Event(udp_session_done); - } - -void DNS_UDP_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) - { - Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); - interp->NewData(orig, data, data + len); - } - -void DNS_UDP_Analyzer_binpac::ExpireTimer(double t) - { - // The - 1.0 in the following is to allow 1 second for the - // common case of a single request followed by a single reply, - // so we don't needlessly set the timer twice in that case. 
- if ( t - Conn()->LastTime() >= dns_session_timeout - 1.0 || terminating ) - { - Event(connection_timeout); - sessions->Remove(Conn()); - } - else - ADD_ANALYZER_TIMER(&DNS_UDP_Analyzer_binpac::ExpireTimer, - t + dns_session_timeout, 1, TIMER_DNS_EXPIRE); - } - -DNS_TCP_Analyzer_binpac::DNS_TCP_Analyzer_binpac(Connection* conn) -: TCP_ApplicationAnalyzer("DNS_TCP_BINPAC", conn) - { - interp = new binpac::DNS_on_TCP::DNS_TCP_Conn(this); - } - -DNS_TCP_Analyzer_binpac::~DNS_TCP_Analyzer_binpac() - { - delete interp; - } - -void DNS_TCP_Analyzer_binpac::Done() - { - TCP_ApplicationAnalyzer::Done(); - - interp->FlowEOF(true); - interp->FlowEOF(false); - } - -void DNS_TCP_Analyzer_binpac::EndpointEOF(bool is_orig) - { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); - interp->FlowEOF(is_orig); - } - -void DNS_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data, - bool orig) - { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); - - assert(TCP()); - - if ( TCP()->IsPartial() || TCP()->HadGap(orig) ) - // punt-on-partial or stop-on-gap. - return; - - interp->NewData(orig, data, data + len); - } - -void DNS_TCP_Analyzer_binpac::Undelivered(int seq, int len, bool orig) - { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); - interp->NewGap(orig, len); - } diff --git a/src/DNS-binpac.h b/src/DNS-binpac.h deleted file mode 100644 index 2f241b89ae..0000000000 --- a/src/DNS-binpac.h +++ /dev/null 
@@ -1,60 +0,0 @@ -#ifndef dns_binpac_h -#define dns_binpac_h - -#include "UDP.h" -#include "TCP.h" - -#include "dns_pac.h" - -// FIXME: As the binpac analyer for DNS-TCP and DNS-UDP are currently -// structured, we cannot directly combine them into one analyzer. Can we -// change that easily? (Ideally, the TCP preprocessing would become a -// support-analyzer as it is done for the traditional DNS analyzer.) - -class DNS_UDP_Analyzer_binpac : public analyzer::Analyzer { -public: - DNS_UDP_Analyzer_binpac(Connection* conn); - virtual ~DNS_UDP_Analyzer_binpac(); - - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - int seq, const IP_Hdr* ip, int caplen); - - static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new DNS_UDP_Analyzer_binpac(conn); } - - static bool Available() - { return (dns_request || dns_full_request) && FLAGS_use_binpac; } - -protected: - friend class AnalyzerTimer; - void ExpireTimer(double t); - - int did_session_done; - - binpac::DNS::DNS_Conn* interp; -}; - -#include "dns_tcp_pac.h" - -class DNS_TCP_Analyzer_binpac : public TCP_ApplicationAnalyzer { -public: - DNS_TCP_Analyzer_binpac(Connection* conn); - virtual ~DNS_TCP_Analyzer_binpac(); - - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(int seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); - - static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new DNS_TCP_Analyzer_binpac(conn); } - - static bool Available() - { return (dns_request || dns_full_request) && FLAGS_use_binpac; } - -protected: - binpac::DNS_on_TCP::DNS_TCP_Conn* interp; -}; - -#endif diff --git a/src/Sessions.cc b/src/Sessions.cc index 782bf4c496..dc3f54efe6 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -19,8 +19,6 @@ #include "ICMP.h" #include "UDP.h" -#include "DNS-binpac.h" - #include "SteppingStone.h" #include "BackDoor.h" #include "InterConn.h" 
diff --git a/src/dns-analyzer.pac b/src/dns-analyzer.pac deleted file mode 100644 index e92b6ef709..0000000000 --- a/src/dns-analyzer.pac +++ /dev/null 
@@ -1,343 +0,0 @@ -%extern{ -#include -%} - -%code{ -int add_to_name_buffer(DNS_name* name, char* buf, const int buf_n, int buf_i) - { - for ( int i = 0; i < int(name->labels()->size()); ++i ) - { - DNS_label* label = (*name->labels())[i]; - if ( label->label_type() == 0 ) - { - bytestring const &label_str = label->label(); - if ( buf_i > 0 && buf_i < buf_n ) - buf[buf_i++] = '.'; - BINPAC_ASSERT(buf_i + label_str.length() <= buf_n); - memcpy(buf + buf_i, label_str.begin(), - label_str.length()); - buf_i += label_str.length(); - } - else if ( label->label_type() == 3 ) - { - return add_to_name_buffer(label->ptr(), buf, - buf_n, buf_i); - } - } - - return buf_i; - } - -StringVal* name_to_val(DNS_name* name) - { - char name_buf[520]; - int n = add_to_name_buffer(name, name_buf, sizeof(name_buf), 0); - if ( n > 0 ) - --n; // remove the trailing '.' - - BINPAC_ASSERT(n < int(sizeof(name_buf))); - - name_buf[n] = 0; - for ( int i = 0; i < n; ++i ) - if ( isupper(name_buf[i]) ) - name_buf[i] = tolower(name_buf[i]); - - return new StringVal(name_buf); - } -%} - -connection DNS_Conn(bro_analyzer: BroAnalyzer) -{ - upflow = DNS_Flow; - downflow = DNS_Flow; -}; - -flow DNS_Flow -{ - datagram = DNS_message withcontext(connection, this); - - %member{ - set pointer_set; - BroVal dns_msg_val_; - %} - - %init{ - dns_msg_val_ = 0; - %} - - %cleanup{ - Unref(dns_msg_val_); - dns_msg_val_ = 0; - %} - - # Return a byte segment starting at in the original message. 
- function get_pointer(msgdata: const_bytestring, - offset: int): const_bytestring - %{ - if ( offset < 0 || offset >= msgdata.length() ) - return const_bytestring(0, 0); - - if ( pointer_set.find(offset) != pointer_set.end() ) - throw Exception("DNS pointer loop!"); - - pointer_set.insert(offset); - return const_bytestring(msgdata.begin() + offset, msgdata.end()); - %} - - function reset_pointer_set(): bool - %{ - pointer_set.clear(); - return true; - %} - - function process_dns_header(hdr: DNS_header): bool - %{ - Unref(dns_msg_val_); - - RecordVal* r = new RecordVal(dns_msg); - - r->Assign(0, new Val(${hdr.id}, TYPE_COUNT)); - r->Assign(1, new Val(${hdr.opcode}, TYPE_COUNT)); - r->Assign(2, new Val(${hdr.rcode}, TYPE_COUNT)); - r->Assign(3, new Val(${hdr.qr}, TYPE_BOOL)); - r->Assign(4, new Val(${hdr.aa}, TYPE_BOOL)); - r->Assign(5, new Val(${hdr.tc}, TYPE_BOOL)); - r->Assign(6, new Val(${hdr.rd}, TYPE_BOOL)); - r->Assign(7, new Val(${hdr.ra}, TYPE_BOOL)); - r->Assign(8, new Val(${hdr.z}, TYPE_COUNT)); - - r->Assign(9, new Val(${hdr.qdcount}, TYPE_COUNT)); - r->Assign(10, new Val(${hdr.ancount}, TYPE_COUNT)); - r->Assign(11, new Val(${hdr.nscount}, TYPE_COUNT)); - r->Assign(12, new Val(${hdr.arcount}, TYPE_COUNT)); - - dns_msg_val_ = r; - - return true; - %} - - function process_dns_question(question: DNS_question): bool - %{ - DNS_message* msg = question->msg(); - - if ( msg->header()->qr() == 0 ) - { - BifEvent::generate_dns_request( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - name_to_val(question->qname()), - question->qtype(), - question->qclass()); - } - - else if ( msg->header()->ancount() == 0 && - msg->header()->nscount() == 0 && - msg->header()->arcount() == 0 ) - { - BifEvent::generate_dns_rejected( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - name_to_val(question->qname()), - question->qtype(), - question->qclass()); - } - - return true; - %} - - 
function build_dns_answer(rr: DNS_rr): BroVal - %{ - RecordVal* r = new RecordVal(dns_answer); - - r->Assign(0, new Val(rr->answer_type(), TYPE_COUNT)); - r->Assign(1, name_to_val(rr->rr_name())); - r->Assign(2, new Val(rr->rr_type(), TYPE_COUNT)); - r->Assign(3, new Val(rr->rr_class(), TYPE_COUNT)); - r->Assign(4, new IntervalVal(double(rr->rr_ttl()), Seconds)); - - return r; - %} - - function build_dns_soa(soa: DNS_rdata_SOA): BroVal - %{ - RecordVal* r = new RecordVal(dns_soa); - - r->Assign(0, name_to_val(soa->mname())); - r->Assign(1, name_to_val(soa->rname())); - r->Assign(2, new Val(soa->serial(), TYPE_COUNT)); - r->Assign(3, new IntervalVal(double(soa->refresh()), Seconds)); - r->Assign(4, new IntervalVal(double(soa->retry()), Seconds)); - r->Assign(5, new IntervalVal(double(soa->expire()), Seconds)); - r->Assign(6, new IntervalVal(double(soa->minimum()), Seconds)); - - return r; - %} - - function build_edns_additional(rr: DNS_rr): BroVal - %{ - // We have to treat the additional record type in EDNS - // differently than a regular resource record. 
- RecordVal* r = new RecordVal(dns_edns_additional); - - r->Assign(0, new Val(int(rr->answer_type()), TYPE_COUNT)); - r->Assign(1, name_to_val(rr->rr_name())); - - // Type = 0x29 or 41 = EDNS - r->Assign(2, new Val(rr->rr_type(), TYPE_COUNT)); - - // Sender's UDP payload size, per RFC 2671 4.3 - r->Assign(3, new Val(rr->rr_class(), TYPE_COUNT)); - - // Need to break the TTL field into three components: - // initial: [------------- ttl (32) ---------------------] - // after: [DO][ ext rcode (7)][ver # (8)][ Z field (16)] - - unsigned int ercode = (rr->rr_ttl() & 0xff000000) >> 24; - unsigned int version = (rr->rr_ttl() & 0x00ff0000) >> 16; - unsigned int z = (rr->rr_ttl() & 0x0000ffff); - - int rcode = rr->msg()->header()->rcode(); - unsigned int return_error = (ercode << 8) | rcode; - - r->Assign(4, new Val(return_error, TYPE_COUNT)); - r->Assign(5, new Val(version, TYPE_COUNT)); - r->Assign(6, new Val(z, TYPE_COUNT)); - r->Assign(7, new IntervalVal(double(rr->rr_ttl()), Seconds)); - r->Assign(8, new Val(rr->msg()->header()->qr() == 0, TYPE_COUNT)); - - return r; - %} - - function process_dns_rr(rr: DNS_rr): bool - %{ - const DNS_rdata* rd = rr->rr_rdata(); - - switch ( rr->rr_type() ) { - case TYPE_A: - if ( dns_A_reply ) - { - ::uint32 addr = rd->type_a(); - BifEvent::generate_dns_A_reply(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), build_dns_answer(rr), - new AddrVal(htonl(addr))); - } - break; - - case TYPE_A6: - if ( dns_A6_reply ) - { - ::uint32 addr[4]; - for ( unsigned int i = 0; i < 4; ++i ) - addr[i] = htonl((*rd->type_aaaa())[i]); - - BifEvent::generate_dns_A6_reply(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), build_dns_answer(rr), - new AddrVal(addr)); - } - break; - - case TYPE_AAAA: - if ( dns_AAAA_reply ) - { - ::uint32 addr[4]; - for ( unsigned int i = 0; i < 4; ++i ) - addr[i] = htonl((*rd->type_aaaa())[i]); - - 
BifEvent::generate_dns_AAAA_reply(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), build_dns_answer(rr), - new AddrVal(addr)); - } - break; - - case TYPE_NS: - if ( dns_NS_reply ) - { - BifEvent::generate_dns_NS_reply(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_dns_answer(rr), - name_to_val(rr->rr_rdata()->type_ns())); - } - break; - - case TYPE_CNAME: - if ( dns_CNAME_reply ) - { - BifEvent::generate_dns_CNAME_reply( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_dns_answer(rr), - name_to_val(rr->rr_rdata()->type_cname())); - } - break; - - case TYPE_SOA: - if ( dns_SOA_reply ) - { - BifEvent::generate_dns_SOA_reply( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_dns_answer(rr), - build_dns_soa(rr->rr_rdata()->type_soa())); - } - break; - - case TYPE_PTR: - if ( dns_PTR_reply ) - { - BifEvent::generate_dns_PTR_reply( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_dns_answer(rr), - name_to_val(rr->rr_rdata()->type_ptr())); - } - break; - - case TYPE_MX: - if ( dns_MX_reply ) - { - BifEvent::generate_dns_MX_reply( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_dns_answer(rr), - name_to_val(rr->rr_rdata()->type_mx()->name()), - rr->rr_rdata()->type_mx()->preference()); - } - break; - - case TYPE_EDNS: - if ( dns_EDNS_addl ) - { - BifEvent::generate_dns_EDNS_addl( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_edns_additional(rr)); - } - break; - } - - return true; - %} -}; - -refine typeattr DNS_header += &let { - proc_dns_header = $context.flow.process_dns_header(this); -}; - -refine typeattr DNS_question += &let { - proc_dns_question = $context.flow.process_dns_question(this); -}; - -refine 
typeattr DNS_rr += &let { - proc_dns_rr = $context.flow.process_dns_rr(this); -}; diff --git a/src/dns-protocol.pac b/src/dns-protocol.pac deleted file mode 100644 index fbeb9d0fa3..0000000000 --- a/src/dns-protocol.pac +++ /dev/null 
@@ -1,215 +0,0 @@ -enum DNS_answer_type { - DNS_QUESTION, - DNS_ANSWER, - DNS_AUTHORITY, - DNS_ADDITIONAL, -}; - -enum DNS_rdata_type { - TYPE_A = 1, - TYPE_NS = 2, - TYPE_MD = 3, - TYPE_MF = 4, - TYPE_CNAME = 5, - TYPE_SOA = 6, - TYPE_MB = 7, - TYPE_MG = 8, - TYPE_MR = 9, - TYPE_NULL = 10, - TYPE_WKS = 11, - TYPE_PTR = 12, - TYPE_HINFO = 13, - TYPE_MINFO = 14, - TYPE_MX = 15, - TYPE_TXT = 16, - TYPE_AAAA = 28, # IPv6 (RFC 1886) - TYPE_NBS = 32, # Netbios name (RFC 1002) - TYPE_A6 = 38, # IPv6 with indirection (RFC 2874) - TYPE_EDNS = 41, # < OPT pseudo-RR (RFC 2671) -}; - -# 1 1 1 1 1 1 -# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | ID | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# |QR| Opcode |AA|TC|RD|RA| Z | RCODE | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | QDCOUNT | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | ANCOUNT | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | NSCOUNT | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | ARCOUNT | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -type DNS_header = record { - id : uint16; - qrop : uint16; - qdcount : uint16; - ancount : uint16; - nscount : uint16; - arcount : uint16; -} &let { - qr: bool = qrop >> 15; - opcode: uint8 = (qrop >> 11) & 0xf; - aa: bool = (qrop >> 10) & 0x1; - tc: bool = (qrop >> 9) & 0x1; - rd: bool = (qrop >> 8) & 0x1; - ra: bool = (qrop >> 7) & 0x1; - z: uint8 = (qrop >> 4) & 0x7; - rcode: uint8 = qrop & 0xf; -}; - -type DNS_label(msg: DNS_message) = record { - length: uint8; - data: case label_type of { - 0 -> label: bytestring &length = length; - 3 -> ptr_lo: uint8; - }; -} &let { - label_type: uint8 = length >> 6; - last: bool = (length == 0) || (label_type == 3); - - # A name pointer. 
- ptr: DNS_name(msg) - withinput $context.flow.get_pointer(msg.sourcedata, - ((length & 0x3f) << 8) | ptr_lo) - &if(label_type == 3); - - clear_pointer_set: bool = $context.flow.reset_pointer_set() - &if(last); -}; - -type DNS_name(msg: DNS_message) = record { - labels: DNS_label(msg)[] &until($element.last); -}; - -type DNS_char_string = record { - length: uint8; - data: bytestring &length = length; -}; - -# 1 1 1 1 1 1 -# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | | -# / QNAME / -# / / -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | QTYPE | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | QCLASS | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -type DNS_question(msg: DNS_message) = record { - qname: DNS_name(msg); - qtype: uint16; - qclass: uint16; -}; - -type DNS_rdata_MX(msg: DNS_message) = record { - preference: uint16; - name: DNS_name(msg); -}; - -type DNS_rdata_SOA(msg: DNS_message) = record { - mname: DNS_name(msg); - rname: DNS_name(msg); - serial: uint32; - refresh: uint32; - retry: uint32; - expire: uint32; - minimum: uint32; -}; - -type DNS_rdata_WKS = record { - address: uint32; - protocol: uint8; - bitmap: bytestring &restofdata; -}; - -type DNS_rdata_HINFO = record { - cpu: DNS_char_string; - os: DNS_char_string; -}; - -type DNS_rdata(msg: DNS_message, - rr_type: uint16, - rr_class: uint16) = case rr_type of { - - TYPE_A -> type_a: uint32 &check(rr_class == CLASS_IN); - TYPE_NS -> type_ns: DNS_name(msg); - TYPE_CNAME -> type_cname: DNS_name(msg); - TYPE_SOA -> type_soa: DNS_rdata_SOA(msg); - TYPE_PTR -> type_ptr: DNS_name(msg); - TYPE_MX -> type_mx: DNS_rdata_MX(msg); - TYPE_AAAA, TYPE_A6 - -> type_aaaa: uint32[4]; - - # TYPE_WKS -> type_wks: DNS_rdata_WKS; - # TYPE_HINFO -> type_hinfo: DNS_rdata_HINFO; - # TYPE_TXT -> type_txt: bytestring &restofdata; - - # 3 -> type_md: DNS_rdata_MD; - # 4 -> type_mf: DNS_rdata_MF; - # 7 -> type_mb: DNS_rdata_MB; - # 8 -> type_mg: 
DNS_rdata_MG; - # 9 -> type_mr: DNS_rdata_MR; - # 10 -> type_null: DNS_rdata_NULL; - # 14 -> type_minfo: DNS_rdata_MINFO; - # 32 -> type_nbs: DNS_rdata_NBS; - - default -> unknown: bytestring &restofdata; -}; - -# 1 1 1 1 1 1 -# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | | -# / / -# / NAME / -# | | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | TYPE | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | CLASS | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | TTL | -# | | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | RDLENGTH | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--| -# / RDATA / -# / / -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -type DNS_rr(msg: DNS_message, answer_type: DNS_answer_type) = record { - rr_name: DNS_name(msg); - rr_type: uint16; - rr_class: uint16; - rr_ttl: uint32; - rr_rdlength: uint16; - rr_rdata: DNS_rdata(msg, rr_type, rr_class) &length = rr_rdlength; -}; - -# +---------------------+ -# | Header | -# +---------------------+ -# | Question | the question for the name server -# +---------------------+ -# | Answer | RRs answering the question -# +---------------------+ -# | Authority | RRs pointing toward an authority -# +---------------------+ -# | Additional | RRs holding additional information -# +---------------------+ - -type DNS_message = record { - header: DNS_header; - question: DNS_question(this)[header.qdcount]; - answer: DNS_rr(this, DNS_ANSWER)[header.ancount]; - authority: DNS_rr(this, DNS_AUTHORITY)[header.nscount]; - additional: DNS_rr(this, DNS_ADDITIONAL)[header.arcount]; -} &byteorder = bigendian, &exportsourcedata; diff --git a/src/dns.pac b/src/dns.pac deleted file mode 100644 index aeffdf0bc7..0000000000 --- a/src/dns.pac +++ /dev/null @@ -1,9 +0,0 @@ -%include bro.pac - -analyzer DNS withcontext { - connection: DNS_Conn; - flow: DNS_Flow; -}; - -%include dns-protocol.pac -%include dns-analyzer.pac 
diff --git a/src/dns_tcp.pac b/src/dns_tcp.pac
deleted file mode 100644
index d31ff58c6e..0000000000
--- a/src/dns_tcp.pac
+++ /dev/null
@@ -1,45 +0,0 @@
-%extern{
-#include "dns_pac.h" // for DNS_Conn
-%}
-
-%include bro.pac
-
-analyzer DNS_on_TCP withcontext {
- connection: DNS_TCP_Conn;
- flow: DNS_TCP_Flow;
-};
-
-type DNS_TCP_PDU(is_orig: bool) = record {
- msglen: uint16;
- msg: bytestring &length = msglen;
-} &byteorder = bigendian, &length = 2 + msglen, &let {
- deliver: bool = $context.connection.deliver_dns_message(is_orig, msg);
-};
-
-connection DNS_TCP_Conn(bro_analyzer: BroAnalyzer) {
- upflow = DNS_TCP_Flow(true);
- downflow = DNS_TCP_Flow(false);
-
- %member{
- DNS::DNS_Conn *abstract_dns_connection_;
- %}
-
- %init{
- abstract_dns_connection_ = new DNS::DNS_Conn(bro_analyzer);
- %}
-
- %cleanup{
- delete abstract_dns_connection_;
- abstract_dns_connection_ = 0;
- %}
-
- function deliver_dns_message(is_orig: bool, msg: const_bytestring): bool
- %{
- abstract_dns_connection_->NewData(is_orig, msg.begin(), msg.end());
- return true;
- %}
-};
-
-flow DNS_TCP_Flow(is_orig: bool) {
- flowunit = DNS_TCP_PDU(is_orig) withcontext(connection, this);
-};
diff --git a/src/protocols/BuiltInAnalyzers.cc b/src/protocols/BuiltInAnalyzers.cc
index ff7bd11c1c..39e8eefac0 100644
--- a/src/protocols/BuiltInAnalyzers.cc
+++ b/src/protocols/BuiltInAnalyzers.cc
@@ -21,7 +21,6 @@
 #include "FTP.h"
 #include "FileAnalyzer.h"
 #include "DNS.h"
-#include "DNS-binpac.h"
 #include "DHCP-binpac.h"
 #include "Telnet.h"
 #include "Rlogin.h"
@@ -50,11 +49,6 @@ BuiltinAnalyzers builtin_analyzers;
 #define DEFINE_ANALYZER(name, factory) \
 AddComponent(new Component(name, factory))
-#define DEFINE_ANALYZER_VERSION_BINPAC(name, factory) \
- AddComponent(new Component(name, factory, 0, FLAGS_use_binpac))
-#define DEFINE_ANALYZER_VERSION_NON_BINPAC(name, factory) \
- AddComponent(new Component(name, factory, 0, ! FLAGS_use_binpac))
-
 void BuiltinAnalyzers::Init()
 {
 plugin::Description desc;
@@ -74,7 +68,7 @@ void BuiltinAnalyzers::Init() DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER_VERSION_NON_BINPAC("DNS", DNS_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer); @@ -96,8 +90,6 @@ void BuiltinAnalyzers::Init() DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer); - DEFINE_ANALYZER_VERSION_BINPAC("DNS_TCP_BINPAC", DNS_TCP_Analyzer_binpac::InstantiateAnalyzer); - DEFINE_ANALYZER_VERSION_BINPAC("DNS_UDP_BINPAC", DNS_UDP_Analyzer_binpac::InstantiateAnalyzer); DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer); DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); diff --git a/src/protocols/http/HTTP.h b/src/protocols/http/HTTP.h index 6cb2199696..66cdf091bf 100644 --- a/src/protocols/http/HTTP.h +++ b/src/protocols/http/HTTP.h @@ -183,7 +183,7 @@ public: { return (http_request || http_reply || http_header || http_all_headers || http_begin_entity || http_end_entity || http_content_type || http_entity_data || http_message_done || - http_event || http_stats) && !FLAGS_use_binpac; } + http_event || http_stats); } protected: void GenStats(); diff --git a/src/protocols/unused/HTTP-binpac.cc b/src/protocols/unused/HTTP-binpac.cc deleted file mode 100644 index a23ef0043a..0000000000 --- a/src/protocols/unused/HTTP-binpac.cc +++ /dev/null 
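Review bot: Dropping the DNS_TCP_BINPAC and DNS_UDP_BINPAC registrations in the -96 hunk removes two analyzer component names, so any script, test baseline or DPD configuration that still refers to those tags will presumably fail to resolve at startup; worth grepping scripts/ and testing/ before merging. The DNS line in the -74 hunk now registers unconditionally, which is consistent with the DEFINE_ANALYZER_VERSION_* macros being removed in the earlier hunk of this file. In the HTTP.h hunk the parentheses around the remaining event check are now redundant, `return http_request || http_reply || ... || http_event || http_stats; }` reads cleaner, though keeping them is harmless. Available() is removed entirely in PATCH 021 below, so this HTTP.h edit is short-lived.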
@@ -1,46 +0,0 @@ -#include "HTTP-binpac.h" -#include "TCP_Reassembler.h" - -HTTP_Analyzer_binpac::HTTP_Analyzer_binpac(Connection *c) -: TCP_ApplicationAnalyzer("HTTP_BINPAC", c) - { - interp = new binpac::HTTP::HTTP_Conn(this); - } - -HTTP_Analyzer_binpac::~HTTP_Analyzer_binpac() - { - delete interp; - } - -void HTTP_Analyzer_binpac::Done() - { - TCP_ApplicationAnalyzer::Done(); - - interp->FlowEOF(true); - interp->FlowEOF(false); - } - -void HTTP_Analyzer_binpac::EndpointEOF(bool is_orig) - { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); - interp->FlowEOF(is_orig); - } - -void HTTP_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig) - { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); - - assert(TCP()); - - if ( TCP()->IsPartial() ) - // punt on partial. - return; - - interp->NewData(orig, data, data + len); - } - -void HTTP_Analyzer_binpac::Undelivered(int seq, int len, bool orig) - { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); - interp->NewGap(orig, len); - } diff --git a/src/protocols/unused/HTTP-binpac.h b/src/protocols/unused/HTTP-binpac.h deleted file mode 100644 index 8f0370afda..0000000000 --- a/src/protocols/unused/HTTP-binpac.h +++ /dev/null @@ -1,28 +0,0 @@ -#ifndef http_binpac_h -#define http_binpac_h - -#include "TCP.h" - -#include "http_pac.h" - -class HTTP_Analyzer_binpac : public TCP_ApplicationAnalyzer { -public: - HTTP_Analyzer_binpac(Connection* conn); - virtual ~HTTP_Analyzer_binpac(); - - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(int seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); - - static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new HTTP_Analyzer_binpac(conn); } - - static bool Available() - { return (http_request || http_reply) && FLAGS_use_binpac; } - -protected: - binpac::HTTP::HTTP_Conn* interp; -}; - -#endif 
From 40ca718e90491fbb894b27aa318db59ae6e52ffb Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 3 Apr 2013 13:40:49 -0700 Subject: [PATCH 020/200] Removing the --use-binpac switch. --- src/DHCP-binpac.h | 2 +- src/DNS.h | 3 +-- src/Syslog-binpac.h | 2 +- src/binpac_bro.h | 2 -- src/main.cc | 6 ------ 5 files changed, 3 insertions(+), 12 deletions(-) diff --git a/src/DHCP-binpac.h b/src/DHCP-binpac.h index a3890b399d..df47ec7765 100644 --- a/src/DHCP-binpac.h +++ b/src/DHCP-binpac.h @@ -19,7 +19,7 @@ public: { return new DHCP_Analyzer_binpac(conn); } static bool Available() - { return dhcp_request && FLAGS_use_binpac; } + { return dhcp_request; } protected: binpac::DHCP::DHCP_Conn* interp; diff --git a/src/DNS.h b/src/DNS.h index 28e68cccad..569af906bf 100644 --- a/src/DNS.h +++ b/src/DNS.h @@ -271,8 +271,7 @@ public: static bool Available() { - return (dns_request || dns_full_request) && - ! FLAGS_use_binpac; + return (dns_request || dns_full_request); } protected: diff --git a/src/Syslog-binpac.h b/src/Syslog-binpac.h index 85caf5aaa4..88b64c5f70 100644 --- a/src/Syslog-binpac.h +++ b/src/Syslog-binpac.h @@ -46,7 +46,7 @@ protected: // { return new Syslog_TCP_Analyzer_binpac(conn); } // // static bool Available() -// { return (Syslog_request || Syslog_full_request) && FLAGS_use_binpac; } +// { return (Syslog_request || Syslog_full_request); } // //protected: // binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; diff --git a/src/binpac_bro.h b/src/binpac_bro.h index 5f46d8f458..5902c52113 100644 --- a/src/binpac_bro.h +++ b/src/binpac_bro.h @@ -35,6 +35,4 @@ inline StringVal* bytestring_to_val(const_bytestring const &str) } // namespace binpac -extern int FLAGS_use_binpac; - #endif diff --git a/src/main.cc b/src/main.cc index 7a86bde6da..cb3fbd7f6e 100644 --- a/src/main.cc +++ b/src/main.cc 
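Review bot: The Syslog-binpac.h hunk keeps a commented-out Syslog_TCP_Analyzer_binpac block alive by editing its Available() text; commented-out code that has to be maintained across refactors is better deleted (it stays in version control) or reduced to a one-line `// TODO: TCP syslog analyzer not implemented` note. In DNS.h the remaining `return (dns_request || dns_full_request);` can lose its parentheses, and the same shape appears in DHCP-binpac.h. Both Available() bodies are removed in PATCH 021 below, so only the commented-block point survives this series.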
@@ -114,8 +114,6 @@ vector params; char* proc_status_file = 0; int snaplen = 0; // this gets set from the scripting-layer's value -int FLAGS_use_binpac = false; - extern std::list docs_generated; // Keep copy of command line @@ -204,8 +202,6 @@ void usage() fprintf(stderr, " -n|--idmef-dtd | specify path to IDMEF DTD file\n"); #endif - fprintf(stderr, " --use-binpac | use new-style BinPAC parsers when available\n"); - fprintf(stderr, " $BROPATH | file search path (%s)\n", bro_path()); fprintf(stderr, " $BRO_PREFIXES | prefix list (%s)\n", bro_prefixes()); fprintf(stderr, " $BRO_DNS_FAKE | disable DNS lookups (%s)\n", bro_dns_fake()); @@ -497,8 +493,6 @@ int main(int argc, char** argv) {"pseudo-realtime", optional_argument, 0, 'E'}, - {"use-binpac", no_argument, &FLAGS_use_binpac, 1}, - {0, 0, 0, 0}, }; From b122b39874dd0526e15382fea2677c60c3b9e5b1 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 4 Apr 2013 15:15:33 -0700 Subject: [PATCH 021/200] Removing all Analyzer::Available() methods. --- src/AYIYA.h | 4 ---- src/BackDoor.h | 9 --------- src/BitTorrent.h | 3 --- src/BitTorrentTracker.h | 3 --- src/ConnSizeAnalyzer.h | 2 -- src/DCE_RPC.h | 3 --- src/DHCP-binpac.h | 3 --- src/DNS.h | 5 ----- src/FTP.h | 3 --- src/FileAnalyzer.h | 2 -- src/Finger.h | 2 -- src/GTPv1.h | 4 ---- src/Gnutella.h | 7 ------- src/ICMP.h | 2 -- src/IRC.cc | 32 -------------------------------- src/IRC.h | 2 -- src/Ident.h | 3 --- src/InterConn.h | 2 -- src/Modbus.h | 33 --------------------------------- src/NCP.h | 2 -- src/NFS.h | 10 ---------- src/NTP.h | 2 -- src/NetbiosSSN.h | 7 ------- src/PIA.h | 2 -- src/POP3.h | 5 ----- src/Portmap.h | 3 --- src/RSH.h | 3 --- src/Rlogin.h | 6 ------ src/SMB.h | 6 ------ src/SMTP.h | 6 ------ src/SOCKS.h | 5 ----- src/SSH.h | 3 --- src/SteppingStone.h | 2 -- src/Syslog-binpac.h | 6 ------ src/TCP.h | 4 ---- src/Telnet.h | 6 ------ src/Teredo.h | 4 ---- src/UDP.h | 2 -- 38 files changed, 208 deletions(-) 
diff --git a/src/AYIYA.h b/src/AYIYA.h index f6025b709f..563cf86613 100644 --- a/src/AYIYA.h +++ b/src/AYIYA.h @@ -15,10 +15,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new AYIYA_Analyzer(conn); } - static bool Available() - { return BifConst::Tunnel::enable_ayiya && - BifConst::Tunnel::max_depth > 0; } - protected: friend class AnalyzerTimer; void ExpireTimer(double t); diff --git a/src/BackDoor.h b/src/BackDoor.h index 2286138239..d3687bad0b 100644 --- a/src/BackDoor.h +++ b/src/BackDoor.h @@ -74,15 +74,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BackDoor_Analyzer(conn); } - static bool Available() - { - return backdoor_stats || rlogin_signature_found || - telnet_signature_found || ssh_signature_found || - root_backdoor_signature_found || ftp_signature_found || - napster_signature_found || kazaa_signature_found || - http_signature_found || http_proxy_signature_found; - } - protected: // We support both packet and stream input, and can be instantiated // even if the TCP analyzer is not yet reassembling. diff --git a/src/BitTorrent.h b/src/BitTorrent.h index eb2aeb422e..6c1ef677e1 100644 --- a/src/BitTorrent.h +++ b/src/BitTorrent.h @@ -20,9 +20,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BitTorrent_Analyzer(conn); } - static bool Available() - { return bittorrent_peer_handshake || bittorrent_peer_piece; } - protected: void DeliverWeird(const char* msg, bool orig); diff --git a/src/BitTorrentTracker.h b/src/BitTorrentTracker.h index cc17d98af3..41a902befa 100644 --- a/src/BitTorrentTracker.h +++ b/src/BitTorrentTracker.h 
@@ -53,9 +53,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BitTorrentTracker_Analyzer(conn); } - static bool Available() - { return bt_tracker_request || bt_tracker_response; } - protected: void ClientRequest(int len, const u_char* data); void ServerReply(int len, const u_char* data); diff --git a/src/ConnSizeAnalyzer.h b/src/ConnSizeAnalyzer.h index 23f7975617..6eac519c88 100644 --- a/src/ConnSizeAnalyzer.h +++ b/src/ConnSizeAnalyzer.h @@ -23,8 +23,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ConnSize_Analyzer(conn); } - static bool Available() { return BifConst::use_conn_size_analyzer ; } - protected: virtual void DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen); diff --git a/src/DCE_RPC.h b/src/DCE_RPC.h index cfffc73c4e..61de358dbd 100644 --- a/src/DCE_RPC.h +++ b/src/DCE_RPC.h @@ -177,9 +177,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DCE_RPC_Analyzer(conn); } - static bool Available() - { return DCE_RPC_Session::any_dce_rpc_event(); } - protected: DCE_RPC_Session* session; bool speculative; diff --git a/src/DHCP-binpac.h b/src/DHCP-binpac.h index df47ec7765..4b59ac15b2 100644 --- a/src/DHCP-binpac.h +++ b/src/DHCP-binpac.h @@ -18,9 +18,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DHCP_Analyzer_binpac(conn); } - static bool Available() - { return dhcp_request; } - protected: binpac::DHCP::DHCP_Conn* interp; }; diff --git a/src/DNS.h b/src/DNS.h index 569af906bf..7a342dc757 100644 --- a/src/DNS.h +++ b/src/DNS.h @@ -269,11 +269,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DNS_Analyzer(conn); } - static bool Available() - { - return (dns_request || dns_full_request); - } - protected: DNS_Interpreter* interp; Contents_DNS* contents_dns_orig; 
diff --git a/src/FTP.h b/src/FTP.h index 849b18f50b..19393fc5aa 100644 --- a/src/FTP.h +++ b/src/FTP.h @@ -18,9 +18,6 @@ public: return new FTP_Analyzer(conn); } - static bool Available() { return ftp_request || ftp_reply; } - - protected: NVT_Analyzer* nvt_orig; NVT_Analyzer* nvt_resp; diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h index 6edda1646f..1d2a956ef2 100644 --- a/src/FileAnalyzer.h +++ b/src/FileAnalyzer.h @@ -18,8 +18,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new File_Analyzer(conn); } - static bool Available() { return file_transferred; } - protected: void Identify(); diff --git a/src/Finger.h b/src/Finger.h index 5de0086dbc..0be0c0eb19 100644 --- a/src/Finger.h +++ b/src/Finger.h @@ -19,8 +19,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Finger_Analyzer(conn); } - static bool Available() { return finger_request || finger_reply; } - protected: ContentLine_Analyzer* content_line_orig; ContentLine_Analyzer* content_line_resp; diff --git a/src/GTPv1.h b/src/GTPv1.h index e6c2066df0..89befa04bf 100644 --- a/src/GTPv1.h +++ b/src/GTPv1.h @@ -15,10 +15,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new GTPv1_Analyzer(conn); } - static bool Available() - { return BifConst::Tunnel::enable_gtpv1 && - BifConst::Tunnel::max_depth > 0; } - protected: friend class AnalyzerTimer; void ExpireTimer(double t); diff --git a/src/Gnutella.h b/src/Gnutella.h index 88a8bcb4c7..2dd2a2ad12 100644 --- a/src/Gnutella.h +++ b/src/Gnutella.h @@ -43,13 +43,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Gnutella_Analyzer(conn); } - static bool Available() - { - return gnutella_text_msg || gnutella_binary_msg || - gnutella_partial_binary_msg || gnutella_establish || - gnutella_not_establish || gnutella_http_notify; - } - private: int NextLine(const u_char* data, int len); 
diff --git a/src/ICMP.h b/src/ICMP.h index fbf61f7993..e798bd2c9b 100644 --- a/src/ICMP.h +++ b/src/ICMP.h @@ -22,8 +22,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ICMP_Analyzer(conn); } - static bool Available() { return true; } - protected: ICMP_Analyzer(analyzer::Tag tag, Connection* conn); diff --git a/src/IRC.cc b/src/IRC.cc index 35156ccb40..e778023553 100644 --- a/src/IRC.cc +++ b/src/IRC.cc @@ -22,38 +22,6 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn) AddSupportAnalyzer(new ContentLine_Analyzer(conn, false)); } -bool IRC_Analyzer::Available() - { - static bool did_avail = false; - static bool avail = false; - - if ( ! did_avail ) - { - // It's a lot of events, but for consistency with other - // analyzers we need to check for all of them. - avail = irc_request || irc_reply || - irc_message || irc_quit_message || - irc_privmsg_message || irc_notice_message || - irc_squery_message || irc_join_message || - irc_part_message || irc_nick_message || - irc_invalid_nick || irc_network_info || - irc_server_info || irc_channel_info || irc_who_line || - irc_who_message || irc_whois_message || - irc_whois_user_line || irc_whois_operator_line || - irc_whois_channel_line || irc_oper_message || - irc_oper_response || irc_kick_message || - irc_error_message || irc_invite_message || - irc_mode_message || irc_squit_message || - irc_names_info || irc_dcc_message || - irc_global_users || irc_user_message || - irc_channel_topic || irc_password_message; - - did_avail = true; - } - - return avail; - } - void IRC_Analyzer::Done() { TCP_ApplicationAnalyzer::Done(); diff --git a/src/IRC.h b/src/IRC.h index 657532f5f1..6a78bad025 100644 --- a/src/IRC.h +++ b/src/IRC.h @@ -35,8 +35,6 @@ public: return new IRC_Analyzer(conn); } - static bool Available(); - protected: int orig_status; int orig_zip_status; diff --git a/src/Ident.h b/src/Ident.h index e0cf44f5a4..ffc927a73c 100644 --- a/src/Ident.h +++ b/src/Ident.h 
@@ -16,9 +16,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Ident_Analyzer(conn); } - static bool Available() - { return ident_request || ident_reply || ident_error; } - protected: const char* ParsePair(const char* line, const char* end_of_line, int& p1, int &p2); diff --git a/src/InterConn.h b/src/InterConn.h index 1abec4058b..741bea45ba 100644 --- a/src/InterConn.h +++ b/src/InterConn.h @@ -50,8 +50,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new InterConn_Analyzer(conn); } - static bool Available() { return interconn_stats; } - protected: // We support both packet and stream input and can be put in place even // if the TCP analyzer is not yet reassembling. diff --git a/src/Modbus.h b/src/Modbus.h index 84389b0554..b00a074ada 100644 --- a/src/Modbus.h +++ b/src/Modbus.h 
@@ -18,39 +18,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ModbusTCP_Analyzer(conn); } - // Put event names in this function - static bool Available() - { - return modbus_message - | modbus_exception - | modbus_read_coils_request - | modbus_read_coils_response - | modbus_read_discrete_inputs_request - | modbus_read_discrete_inputs_response - | modbus_read_holding_registers_request - | modbus_read_holding_registers_response - | modbus_read_input_registers_request - | modbus_read_input_registers_response - | modbus_write_single_coil_request - | modbus_write_single_coil_response - | modbus_write_single_register_request - | modbus_write_single_register_response - | modbus_write_multiple_coils_request - | modbus_write_multiple_coils_response - | modbus_write_multiple_registers_request - | modbus_write_multiple_registers_response - | modbus_read_file_record_request - | modbus_read_file_record_response - | modbus_write_file_record_request - | modbus_write_file_record_response - | modbus_mask_write_register_request - | modbus_mask_write_register_response - | modbus_read_write_multiple_registers_request - | modbus_read_write_multiple_registers_response - | modbus_read_fifo_queue_request - | modbus_read_fifo_queue_response; - } - protected: binpac::ModbusTCP::ModbusTCP_Conn* interp; }; diff --git a/src/NCP.h b/src/NCP.h index 833d030394..4fcddfca39 100644 --- a/src/NCP.h +++ b/src/NCP.h @@ -105,8 +105,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NCP_Analyzer(conn); } - static bool Available() { return NCP_Session::any_ncp_event(); } - protected: NCP_Session* session; diff --git a/src/NFS.h b/src/NFS.h index ecb89ff7bf..18acff4b37 100644 --- a/src/NFS.h +++ b/src/NFS.h 
@@ -77,16 +77,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NFS_Analyzer(conn); } - - static bool Available() - { - return ( nfs_proc_null || nfs_proc_not_implemented || nfs_proc_getattr || - nfs_proc_lookup || nfs_proc_read || nfs_proc_readlink || - nfs_proc_write || nfs_proc_create || nfs_proc_mkdir || - nfs_proc_remove || nfs_proc_rmdir || nfs_proc_readdir || - nfs_reply_status || - rpc_dialogue || rpc_call || rpc_reply ); - } }; diff --git a/src/NTP.h b/src/NTP.h index 3ae44d4cf7..9dc5dc6af9 100644 --- a/src/NTP.h +++ b/src/NTP.h @@ -42,8 +42,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NTP_Analyzer(conn); } - static bool Available() { return ntp_message; } - protected: virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, diff --git a/src/NetbiosSSN.h b/src/NetbiosSSN.h index c3851516a0..8d2cc92089 100644 --- a/src/NetbiosSSN.h +++ b/src/NetbiosSSN.h @@ -160,13 +160,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NetbiosSSN_Analyzer(conn); } - static bool Available() - { - return NetbiosSSN_Interpreter::any_netbios_ssn_event() || - SMB_Session::any_smb_event() || - DCE_RPC_Session::any_dce_rpc_event(); - } - protected: virtual void ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer, int gen_event); diff --git a/src/PIA.h b/src/PIA.h index d0521a6885..920bd9c976 100644 --- a/src/PIA.h +++ b/src/PIA.h @@ -37,8 +37,6 @@ public: // as pointer to an Analyzer. analyzer::Analyzer* AsAnalyzer() { return as_analyzer; } - static bool Available() { return true; } - protected: void PIA_Done(); void PIA_DeliverPacket(int len, const u_char* data, bool is_orig, diff --git a/src/POP3.h b/src/POP3.h index bab2737fca..5c10865ba3 100644 --- a/src/POP3.h +++ b/src/POP3.h 
@@ -73,11 +73,6 @@ public: return new POP3_Analyzer(conn); } - static bool Available() - { - return pop3_request || pop3_reply || pop3_data || pop3_unexpected; - } - protected: int masterState; int subState; diff --git a/src/Portmap.h b/src/Portmap.h index 1a98537153..bf7ab30891 100644 --- a/src/Portmap.h +++ b/src/Portmap.h @@ -31,9 +31,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Portmapper_Analyzer(conn); } - - static bool Available() - { return pm_request || rpc_call; } }; #endif diff --git a/src/RSH.h b/src/RSH.h index 31e5fe683f..c4eb8fb689 100644 --- a/src/RSH.h +++ b/src/RSH.h @@ -50,9 +50,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Rsh_Analyzer(conn); } - static bool Available() - { return login_failure || login_success || login_input_line || login_output_line; } - Contents_Rsh_Analyzer* contents_orig; Contents_Rsh_Analyzer* contents_resp; }; diff --git a/src/Rlogin.h b/src/Rlogin.h index 04486e4262..5fcd209896 100644 --- a/src/Rlogin.h +++ b/src/Rlogin.h @@ -62,12 +62,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Rlogin_Analyzer(conn); } - - static bool Available() - { - return login_failure || login_success || - login_input_line || login_output_line; - } }; #endif diff --git a/src/SMB.h b/src/SMB.h index 23af04720e..7e7f1cea1d 100644 --- a/src/SMB.h +++ b/src/SMB.h @@ -198,12 +198,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SMB_Analyzer(conn); } - static bool Available() - { - return SMB_Session::any_smb_event() || - DCE_RPC_Session::any_dce_rpc_event(); - } - protected: SMB_Session* smb_session; Contents_SMB* o_smb; diff --git a/src/SMTP.h b/src/SMTP.h index 563b99cc32..d4b7dd63a6 100644 --- a/src/SMTP.h +++ b/src/SMTP.h 
@@ -52,12 +52,6 @@ public: return new SMTP_Analyzer(conn); } - static bool Available() - { - return smtp_request || smtp_reply || - smtp_data || smtp_unexpected; - } - protected: void ProcessLine(int length, const char* line, bool orig); diff --git a/src/SOCKS.h b/src/SOCKS.h index 9557dc761d..767d0a1eb7 100644 --- a/src/SOCKS.h +++ b/src/SOCKS.h @@ -28,11 +28,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SOCKS_Analyzer(conn); } - static bool Available() - { - return socks_request || socks_reply; - } - protected: bool orig_done; diff --git a/src/SSH.h b/src/SSH.h index 0d3fa4d6e6..a6a2f4e154 100644 --- a/src/SSH.h +++ b/src/SSH.h @@ -15,9 +15,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SSH_Analyzer(conn); } - static bool Available() - { return ssh_client_version || ssh_server_version; } - private: ContentLine_Analyzer* orig; ContentLine_Analyzer* resp; diff --git a/src/SteppingStone.h b/src/SteppingStone.h index aab411a46d..4ec4dbc2e1 100644 --- a/src/SteppingStone.h +++ b/src/SteppingStone.h @@ -54,8 +54,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SteppingStone_Analyzer(conn); } - static bool Available() { return stp_correlate_pair; } - protected: // We support both packet and stream input and can be put in place even // if the TCP analyzer is not yet reassebmling. diff --git a/src/Syslog-binpac.h b/src/Syslog-binpac.h index 88b64c5f70..e6d05df356 100644 --- a/src/Syslog-binpac.h +++ b/src/Syslog-binpac.h @@ -18,9 +18,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Syslog_Analyzer_binpac(conn); } - static bool Available() - { return syslog_message; } - protected: friend class AnalyzerTimer; void ExpireTimer(double t); 
@@ -45,9 +42,6 @@ protected: // static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) // { return new Syslog_TCP_Analyzer_binpac(conn); } // -// static bool Available() -// { return (Syslog_request || Syslog_full_request); } -// //protected: // binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; //}; diff --git a/src/TCP.h b/src/TCP.h index 93c008af58..61bcd7ef7c 100644 --- a/src/TCP.h +++ b/src/TCP.h @@ -91,8 +91,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new TCP_Analyzer(conn); } - static bool Available() { return true; } - protected: friend class TCP_ApplicationAnalyzer; friend class TCP_Reassembler; @@ -365,8 +363,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new TCPStats_Analyzer(conn); } - static bool Available() { return conn_stats || tcp_rexmit; } - protected: virtual void DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen); diff --git a/src/Telnet.h b/src/Telnet.h index 6e1695be9c..290382846b 100644 --- a/src/Telnet.h +++ b/src/Telnet.h @@ -12,12 +12,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Telnet_Analyzer(conn); } - - static bool Available() - { - return login_failure || login_success || - login_input_line || login_output_line; - } }; #endif diff --git a/src/Teredo.h b/src/Teredo.h index d3e3336f9b..4f38b29947 100644 --- a/src/Teredo.h +++ b/src/Teredo.h @@ -22,10 +22,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Teredo_Analyzer(conn); } - static bool Available() - { return BifConst::Tunnel::enable_teredo && - BifConst::Tunnel::max_depth > 0; } - /** * Emits a weird only if the analyzer has previously been able to * decapsulate a Teredo packet in both directions or if *force* param is diff --git a/src/UDP.h b/src/UDP.h index 36a9b84dcd..67048781a7 100644 --- a/src/UDP.h +++ b/src/UDP.h 
@@ -23,8 +23,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new UDP_Analyzer(conn); } - static bool Available() { return true; } - protected: virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, From bccaea68831adf38041412fa029d4196a94125ec Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 4 Apr 2013 15:24:15 -0700 Subject: [PATCH 022/200] Adding options Analyzer::disable_all to disable all analyzers at startup. One can then selectively enable the ones one wants inside a bro_init() handler. --- scripts/base/frameworks/analyzer/main.bro | 8 +++++++- src/analyzer.bif | 6 ++++++ src/analyzer/Manager.cc | 8 ++++++++ src/analyzer/Manager.h | 5 +++++ 4 files changed, 26 insertions(+), 1 deletion(-) diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index dcadb402fb..8d2df76e4f 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro @@ -5,6 +5,9 @@ module Analyzer; # as they are loaded. export { + ## XXX + global disable_all = F &redef; + ## XXX. global enable_analyzer: function(tag: Analyzer::Tag) : bool; @@ -63,8 +66,11 @@ export { global ports: table[Analyzer::Tag] of set[port]; -event bro_init() +event bro_init() &priority=-5 { + if ( disable_all ) + __disable_all_analyzers(); + for ( a in disabled_analyzers ) disable_analyzer(a); } diff --git a/src/analyzer.bif b/src/analyzer.bif index 92b533308a..69c648f7d3 100644 --- a/src/analyzer.bif +++ b/src/analyzer.bif @@ -20,6 +20,12 @@ function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool return new Val(result, TYPE_BOOL); %} +function Analyzer::__disable_all_analyzers%(%) : any + %{ + analyzer_mgr->DisableAllAnalyzers(); + return 0; + %} + function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool %{ bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p); 
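Review bot: In the main.bro `@@ -63,8 +66,11 @@` hunk, `event bro_init() &priority=-5` runs after default-priority bro_init handlers, so a user who follows the commit message and calls `enable_analyzer()` from a plain `event bro_init()` will presumably have that choice undone when this handler then disables everything; either run the disable-all step at a higher priority than user handlers, or document that selective enabling must happen at a priority below -5. The new `disable_all` option is documented only as `## XXX`; an exported option deserves a real doc comment such as `## If true, all analyzers are disabled at startup; re-enable the desired ones with enable_analyzer() from a bro_init() handler.`, and the neighbouring `## XXX.` placeholder should get the same treatment. In the analyzer.bif hunk the new `__disable_all_analyzers` is declared `: any` and does `return 0;` while its sibling returns a typed `new Val(result, TYPE_BOOL)`; a consistent `: bool` return would keep the BiF surface uniform.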
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index e30976b9e3..70b22bfc26 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -224,6 +224,14 @@ bool Manager::DisableAnalyzer(EnumVal* val)
return true;
}
+void Manager::DisableAllAnalyzers()
+ {
+ DBG_LOG(DBG_ANALYZER, "Disabling all analyzers");
+
+ for ( analyzer_map_by_tag::const_iterator i = analyzers_by_tag.begin(); i != analyzers_by_tag.end(); i++ )
+ i->second->SetEnabled(false);
+ }
+
bool Manager::IsEnabled(Tag tag)
{
if ( ! tag )
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h
index 0284504f35..cb749bab7f 100644
--- a/src/analyzer/Manager.h
+++ b/src/analyzer/Manager.h
@@ -113,6 +113,11 @@ public:
*/
bool DisableAnalyzer(EnumVal* tag);
+ /**
+ * Disables all currently registered analyzers.
+ */
+ void DisableAllAnalyzers();
+
/**
* Returns true if an analyzer is enabled.
*
From 897be0e14727f9d0b3593857a9656b5848bc303e Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Thu, 4 Apr 2013 16:53:21 -0700
Subject: [PATCH 023/200] Giving analyzer/ its own CMakeLists.txt.
Also moving src/analyzer.bif to src/analyzer/analyzer.bif, along with the infrastructure to build/incude bif code at other locations. We should generally move to having per-directory CMakeLists.txt. I'll convert the others over later.
---
src/CMakeLists.txt | 19 ++++++----
src/Func.cc | 3 --
src/NetVar.cc | 1 -
src/NetVar.h | 1 -
src/analyzer/CMakeLists.txt | 16 ++++++++
src/analyzer/Manager.cc | 8 +++-
src/analyzer/Manager.h | 8 ++++
src/{ => analyzer}/analyzer.bif | 0
src/builtin-func.l | 66 +++++++++++++++++++--------------
src/main.cc | 1 +
10 files changed, 83 insertions(+), 40 deletions(-)
create mode 100644 src/analyzer/CMakeLists.txt
rename src/{ => analyzer}/analyzer.bif (100%)
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index e847255258..1b26d56575 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
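Review bot: The loop in DisableAllAnalyzers() post-increments a map iterator; `for ( analyzer_map_by_tag::const_iterator i = analyzers_by_tag.begin(); i != analyzers_by_tag.end(); ++i )` avoids the temporary and matches the usual idiom. The function mutates components through a const_iterator, which only works because the map stores pointers; a short comment such as `// const_iterator is fine: SetEnabled() flips the component, not the map.` would save the next reader a double-take. Because it walks only what is already in analyzers_by_tag, it presumably has to run after Init() has registered the components, which the Manager.h doc's "currently registered" only hints at; stating that ordering requirement in the header comment would make the contract explicit.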
@@ -103,7 +103,6 @@ target_link_libraries(bifcl) include(BifCl) set(BIF_SRCS - analyzer.bif bro.bif logging.bif input.bif @@ -158,6 +157,17 @@ binpac_target(syslog.pac binpac_target(modbus.pac modbus-protocol.pac modbus-analyzer.pac) +######################################################################## +## Including subdirectories. +######################################################################## + +add_subdirectory(analyzer) + +set(bro_SUBDIRS + $ +) + + ######################################################################## ## Including plug-ins that are compiled in statically. ######################################################################## @@ -389,11 +399,6 @@ set(bro_SRCS plugin/Manager.cc plugin/Plugin.cc - analyzer/Analyzer.cc - analyzer/Manager.cc - analyzer/Component.cc - analyzer/Tag.cc - protocols/BuiltInAnalyzers.cc nb_dns.c @@ -402,7 +407,7 @@ set(bro_SRCS collect_headers(bro_HEADERS ${bro_SRCS}) -add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_PLUGIN_OBJECT_LIBS}) +add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_PLUGIN_OBJECT_LIBS} ${bro_SUBDIRS}) target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT}) diff --git a/src/Func.cc b/src/Func.cc index cedf729301..02f8dd4f29 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -548,14 +548,12 @@ void builtin_error(const char* msg, BroObj* arg) reporter->Error(msg, arg); } -#include "analyzer.bif.func_h" #include "bro.bif.func_h" #include "logging.bif.func_h" #include "input.bif.func_h" #include "reporter.bif.func_h" #include "strings.bif.func_h" -#include "analyzer.bif.func_def" #include "bro.bif.func_def" #include "logging.bif.func_def" #include "input.bif.func_def" @@ -571,7 +569,6 @@ void init_builtin_funcs() var_sizes = internal_type("var_sizes")->AsTableType(); gap_info = internal_type("gap_info")->AsRecordType(); -#include "analyzer.bif.func_init" #include "bro.bif.func_init" #include "logging.bif.func_init" #include "input.bif.func_init" 
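Review bot: The value assigned to bro_SUBDIRS appears in this rendering as a bare `$`, with the body of the generator expression lost; given the OBJECT library named bro_analyzer in the new src/analyzer/CMakeLists.txt it is presumably `$<TARGET_OBJECTS:bro_analyzer>`, and the committed text should be confirmed because an empty list would silently drop the analyzer objects from the bro link line. The two consecutive blank lines after that set() call are stray whitespace. Removing analyzer/*.cc from bro_SRCS while passing bro_SUBDIRS to add_executable() is consistent, but collect_headers(bro_HEADERS ${bro_SRCS}) will no longer see the analyzer headers; worth checking whether that header list feeds anything such as installation.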
diff --git a/src/NetVar.cc b/src/NetVar.cc index 97bf9fd559..7483728e44 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -238,7 +238,6 @@ TableType* record_field_table; StringVal* cmd_line_bpf_filter; -#include "analyzer.bif.netvar_def" #include "const.bif.netvar_def" #include "types.bif.netvar_def" #include "event.bif.netvar_def" diff --git a/src/NetVar.h b/src/NetVar.h index 6a1103ebb9..88b5478149 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -248,7 +248,6 @@ extern void init_general_global_var(); extern void init_event_handlers(); extern void init_net_var(); -#include "analyzer.bif.netvar_h" #include "const.bif.netvar_h" #include "types.bif.netvar_h" #include "event.bif.netvar_h" diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt new file mode 100644 index 0000000000..68742116ef --- /dev/null +++ b/src/analyzer/CMakeLists.txt @@ -0,0 +1,16 @@ + +include_directories(BEFORE + ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR} +) + +set(analyzer_SRCS + Analyzer.cc + Manager.cc + Component.cc + Tag.cc +) + +bif_target_for_subdir(analyzer.bif) + +add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC} ${BIF_OUTPUT_H}) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 70b22bfc26..dca4084c2c 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -89,12 +89,18 @@ void Manager::Init() for ( std::list::const_iterator i = analyzers.begin(); i != analyzers.end(); i++ ) RegisterAnalyzerComponent(*i); - // Caache these tags. + // Cache these tags. analyzer_backdoor = GetAnalyzerTag("BACKDOOR"); analyzer_connsize = GetAnalyzerTag("CONNSIZE"); analyzer_interconn = GetAnalyzerTag("INTERCONN"); analyzer_stepping = GetAnalyzerTag("STEPPINGSTONE"); analyzer_tcpstats = GetAnalyzerTag("TCPSTATS"); + + } + +void Manager::InitBifs() + { + #include "analyzer.bif.init.cc" } void Manager::DumpDebug() diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index cb749bab7f..750ac986fb 100644 
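Review bot: The `@@ -89,12 +89,18 @@` hunk in Manager.cc adds a blank line immediately before the closing brace of Init(), which is whitespace noise unrelated to the change and should be dropped. The new InitBifs() body is a lone `#include "analyzer.bif.init.cc"`; a comment such as `// Generated by bifcl from analyzer.bif; pulled in here so the BiFs register after script parsing.` would explain why a source file is included inside a function body, with the exact contents of that generated file to be confirmed against bifcl's subdir-mode output. The typo fix Caache→Cache is fine. In the new src/analyzer/CMakeLists.txt, bif_target_for_subdir() is relied on to define BIF_OUTPUT_CC and BIF_OUTPUT_H, and nothing in this diff shows where that macro lives; a one-line comment naming its source would help whoever adds the next per-directory CMakeLists.txt.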
--- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -29,6 +29,8 @@ #include "../net_util.h" #include "../IP.h" +#include "analyzer/analyzer.bif.h" + namespace analyzer { /** @@ -59,6 +61,12 @@ public: */ void Init(); + /** + * Initializes the analyze-related BiFs. Must be called after scripts + * are parsed. + */ + void InitBifs(); + /** * Finished the manager's operations. */ diff --git a/src/analyzer.bif b/src/analyzer/analyzer.bif similarity index 100% rename from src/analyzer.bif rename to src/analyzer/analyzer.bif diff --git a/src/builtin-func.l b/src/builtin-func.l index ec60f1c7ec..2128c21f6b 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l @@ -139,6 +139,7 @@ extern int yyparse(); char* input_filename = 0; char* input_filename_with_path = 0; char* plugin = 0; +int alternative_mode = 0; FILE* fp_bro_init = 0; FILE* fp_func_def = 0; @@ -176,7 +177,7 @@ void usage() exit(1); } -void init_plugin_mode() +void init_alternative_mode() { fp_bro_init = open_output_file("bro"); fp_func_h = open_output_file("h"); @@ -191,8 +192,8 @@ void init_plugin_mode() char auto_gen_comment[n]; snprintf(auto_gen_comment, n, - "This file was automatically generated by bifcl from %s (plugin mode).", - input_filename_with_path); + "This file was automatically generated by bifcl from %s (%s mode).", + input_filename_with_path, plugin ? "plugin" : "subdir"); fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); 
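Review bot: The doc comment added for InitBifs() in Manager.h says "analyze-related BiFs"; it should read `* Initializes the analyzer-related BiFs. Must be called after scripts`. The new `#include "analyzer/analyzer.bif.h"` names the generated header with a directory prefix while Manager.cc in the previous hunk includes the sibling generated file as plain `"analyzer.bif.init.cc"`; the two presumably resolve through different include paths, so picking one form for both generated files avoids a build that works only from the top-level directory. In the builtin-func.l `@@ -191,8 +192,8 @@` hunk the snprintf format grows from "(plugin mode)" to "(%s mode)" filled with "plugin" or "subdir", but the buffer length n for auto_gen_comment is computed outside the hunk; confirm it still covers the longer text, otherwise snprintf silently truncates the generated-file banner.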
@@ -225,42 +226,53 @@ void init_plugin_mode() if ( dot ) *dot = '\0'; - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "#include \n"); - fprintf(fp_func_init, "#include \n"); - fprintf(fp_func_init, "#include \"%s.h\"\n", input_filename); - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "namespace plugin { namespace %s {\n", plugin); - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "std::list > __bif_%s_init()\n", name); - fprintf(fp_func_init, "\t{\n"); - fprintf(fp_func_init, "\tstd::list > bifs;\n"); - fprintf(fp_func_init, "\n"); + if ( plugin ) + { + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "#include \n"); + fprintf(fp_func_init, "#include \n"); + fprintf(fp_func_init, "#include \"%s.h\"\n", input_filename); + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "namespace plugin { namespace %s {\n", plugin); + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "std::list > __bif_%s_init()\n", name); + fprintf(fp_func_init, "\t{\n"); + fprintf(fp_func_init, "\tstd::list > bifs;\n"); + fprintf(fp_func_init, "\n"); + } } -void finish_plugin_mode() +void finish_alternative_mode() { fprintf(fp_func_h, "\n"); fprintf(fp_func_h, "#endif\n"); - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "\treturn bifs;\n"); - fprintf(fp_func_init, "\t}\n"); - fprintf(fp_func_init, "} }\n"); - fprintf(fp_func_init, "\n"); - } + if ( plugin ) + { + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "\treturn bifs;\n"); + fprintf(fp_func_init, "\t}\n"); + fprintf(fp_func_init, "} }\n"); + fprintf(fp_func_init, "\n"); + } + } int main(int argc, char* argv[]) { char opt; - while ( (opt = getopt(argc, argv, "p:")) != -1 ) + while ( (opt = getopt(argc, argv, "p:s")) != -1 ) { switch ( opt ) { case 'p': + alternative_mode = 1; plugin = optarg; break; + case 's': + alternative_mode = 1; + break; + default: usage(); } 
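Review bot: The rewritten option loop `while ( (opt = getopt(argc, argv, "p:s")) != -1 )` still stores `getopt`'s `int` result in the `char opt` declared on the context line above; on targets where `char` is unsigned, `-1` becomes 255, the comparison never succeeds, and the loop keeps calling getopt past the end of the options. Declare it as `int opt;` while touching this loop. Passing both `-p` and `-s` is also accepted silently, with the plugin path winning because `plugin` is non-null; since the two modes emit incompatible `fp_func_init` content, I would track `-s` in its own flag and call `usage()` after the loop when both are set. `alternative_mode` is set in both branches yet only `plugin` decides which preamble is written, so a comment on the `case 's':` branch saying that `-s` produces a wrapper-less init file meant to be `#include`d inside a function body would save the next reader a trip through both helper functions.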
@@ -284,7 +296,7 @@ int main(int argc, char* argv[]) if ( slash ) input_filename = slash + 1; - if ( ! plugin ) + if ( ! alternative_mode ) { fp_bro_init = open_output_file("bro"); fp_func_h = open_output_file("func_h"); @@ -311,13 +323,13 @@ int main(int argc, char* argv[]) } else - init_plugin_mode(); + init_alternative_mode(); yy_switch_to_buffer(yy_create_buffer(fp_input, YY_BUF_SIZE)); yyparse(); - if ( plugin ) - finish_plugin_mode(); + if ( alternative_mode ) + finish_alternative_mode(); fclose(fp_input); close_all_output_files(); @@ -339,7 +351,7 @@ void close_all_output_files(void) close_if_open(&fp_func_def); close_if_open(&fp_func_init); - if ( ! plugin ) + if ( ! alternative_mode ) { close_if_open(&fp_netvar_h); close_if_open(&fp_netvar_def); diff --git a/src/main.cc b/src/main.cc index cb3fbd7f6e..59a383543c 100644 --- a/src/main.cc +++ b/src/main.cc @@ -836,6 +836,7 @@ int main(int argc, char** argv) yyparse(); + analyzer_mgr->InitBifs(); plugin_mgr->InitPluginsBif(); if ( print_plugins ) From 20be34526f39824fbd89bffba4513fb19bbb0df6 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 4 Apr 2013 16:56:17 -0700 Subject: [PATCH 024/200] Updating submodule. --- cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmake b/cmake index 1a592a96f7..39c1516be5 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 1a592a96f702d2cfcf1a88d7f40b4c62405735a6 +Subproject commit 39c1516be5e630bd5d78082e974fae708faa4e8c From 2bbce6b15f9bddd55f8f1c3b494413d81532989b Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 4 Apr 2013 18:36:44 -0700 Subject: [PATCH 025/200] Documenting Analyzer API, plus some cleanup. --- src/AYIYA.h | 1 - src/GTPv1.h | 1 - src/Syslog-binpac.h | 1 - src/TCP.cc | 6 - src/Teredo.h | 1 - src/analyzer/Analyzer.cc | 31 ++ src/analyzer/Analyzer.h | 809 ++++++++++++++++++++++++++++--------- src/protocols/http/HTTP.cc | 2 +- 8 files changed, 646 insertions(+), 206 deletions(-) 
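Review bot: `analyzer_mgr->InitBifs()` is inserted directly after `yyparse()` with no comment tying it to the ordering constraint Manager.h states ("Must be called after scripts are parsed") or to why it must precede `plugin_mgr->InitPluginsBif()`. I would annotate the pair: `// Script-level types are now defined; register core analyzer BiFs before plugin BiFs.` — hedged, since whether plugin BiFs depend on the analyzer ones is not visible here. The enclosing `main()` lies outside this hunk, and the context line shows `yyparse()`'s return value being ignored, so if parse errors are reported elsewhere a short note that BiF initialization deliberately proceeds regardless would also help.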
diff --git a/src/AYIYA.h b/src/AYIYA.h index 563cf86613..c0897d84ff 100644 --- a/src/AYIYA.h +++ b/src/AYIYA.h @@ -16,7 +16,6 @@ public: { return new AYIYA_Analyzer(conn); } protected: - friend class AnalyzerTimer; void ExpireTimer(double t); binpac::AYIYA::AYIYA_Conn* interp; diff --git a/src/GTPv1.h b/src/GTPv1.h index 89befa04bf..2e4a405878 100644 --- a/src/GTPv1.h +++ b/src/GTPv1.h @@ -16,7 +16,6 @@ public: { return new GTPv1_Analyzer(conn); } protected: - friend class AnalyzerTimer; void ExpireTimer(double t); binpac::GTPv1::GTPv1_Conn* interp; diff --git a/src/Syslog-binpac.h b/src/Syslog-binpac.h index e6d05df356..176f2d5b70 100644 --- a/src/Syslog-binpac.h +++ b/src/Syslog-binpac.h @@ -19,7 +19,6 @@ public: { return new Syslog_Analyzer_binpac(conn); } protected: - friend class AnalyzerTimer; void ExpireTimer(double t); int did_session_done; diff --git a/src/TCP.cc b/src/TCP.cc index 058e6608ca..004deb2edd 100644 --- a/src/TCP.cc +++ b/src/TCP.cc @@ -1556,12 +1556,6 @@ void TCP_Analyzer::ConnDeleteTimer(double t) Conn()->DeleteTimer(t); } -// The following need to be consistent with bro.init. -#define CONTENTS_NONE 0 -#define CONTENTS_ORIG 1 -#define CONTENTS_RESP 2 -#define CONTENTS_BOTH 3 - void TCP_Analyzer::SetContentsFile(unsigned int direction, BroFile* f) { if ( direction == CONTENTS_NONE ) diff --git a/src/Teredo.h b/src/Teredo.h index 4f38b29947..f8cc0a15d7 100644 --- a/src/Teredo.h +++ b/src/Teredo.h @@ -47,7 +47,6 @@ public: } protected: - friend class AnalyzerTimer; void ExpireTimer(double t); bool valid_orig; diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index ff02e83f18..0bc8d28c8f 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc 
@@ -7,8 +7,39 @@ #include "../PIA.h" #include "../Event.h" +namespace analyzer { + + +class AnalyzerTimer : public Timer { +public: + AnalyzerTimer(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, + double arg_t, int arg_do_expire, TimerType arg_type); + + virtual ~AnalyzerTimer(); + + void Dispatch(double t, int is_expire); + +protected: + AnalyzerTimer() {} + + void Init(Analyzer* analyzer, analyzer_timer_func timer, int do_expire); + + Analyzer* analyzer; + analyzer_timer_func timer; + int do_expire; +}; + +} + using namespace analyzer; +AnalyzerTimer::AnalyzerTimer(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, + double arg_t, int arg_do_expire, TimerType arg_type) + : Timer(arg_t, arg_type) + { + Init(arg_analyzer, arg_timer, arg_do_expire); + } + AnalyzerTimer::~AnalyzerTimer() { analyzer->RemoveTimer(this); diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 704c131bca..07e5d5acf4 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
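Review bot: `AnalyzerTimer` now lives only in Analyzer.cc, but nothing documents the lifetime contract it depends on: `~AnalyzerTimer()` dereferences the stored raw `Analyzer*` to call `RemoveTimer(this)`, so an Analyzer must outlive or explicitly cancel every timer it schedules, presumably via `CancelTimers()` in `~Analyzer` (not visible here). I would put that in a class comment, e.g. `// Non-owning back-pointer; the Analyzer must cancel its timers before destruction, otherwise Dispatch()/~AnalyzerTimer() touch freed memory.` The class also holds raw pointers yet neither defines nor suppresses copying, and `Dispatch(double, int)` is presumably an override of `Timer::Dispatch` without being marked as one, so a signature drift in Timer would silently create a new virtual instead of failing to compile; a private, undefined copy constructor/assignment pair and a `// overrides Timer::Dispatch` note would close both gaps in this pre-C++11 code base.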
@@ -17,270 +17,556 @@ class PIA; class IP_Hdr; class TCP_ApplicationAnalyzer; -namespace analyzer { class Analyzer; } - namespace analyzer { -typedef list analyzer_list; - -typedef uint32 ID; - -typedef void (Analyzer::*analyzer_timer_func)(double t); - -// FIXME: This is a copy of ConnectionTimer, which we may eventually be -// able to get rid of. -class AnalyzerTimer : public Timer { -public: - AnalyzerTimer(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, - double arg_t, int arg_do_expire, TimerType arg_type) - : Timer(arg_t, arg_type) - { Init(arg_analyzer, arg_timer, arg_do_expire); } - virtual ~AnalyzerTimer(); - - void Dispatch(double t, int is_expire); - -protected: - AnalyzerTimer() {} - - void Init(Analyzer* analyzer, analyzer_timer_func timer, int do_expire); - - Analyzer* analyzer; - analyzer_timer_func timer; - int do_expire; -}; - - -// Main analyzer interface. -// -// Each analyzer is part of a tree, having a parent analyzer and an -// arbitrary number of child analyzers. Each analyzer also has a list of -// *suppport analyzers*. All its input first passes through this list of -// support analyzers, which can perform arbitrary preprocessing. Support -// analyzers share the same interface as regular analyzers, except that -// they are unidirectional, i.e., they see only one side of a connection. -// -// When overiding any of these methods, always make sure to call the -// base-class version first. 
- +class Analyzer; +class AnalyzerTimer; class SupportAnalyzer; class OutputHandler; +typedef list analyzer_list; +typedef uint32 ID; +typedef void (Analyzer::*analyzer_timer_func)(double t); + + /** + * XXX + */ +class OutputHandler { +public: + virtual ~OutputHandler() { } + + virtual void DeliverPacket(int len, const u_char* data, + bool orig, int seq, + const IP_Hdr* ip, int caplen) + { } + virtual void DeliverStream(int len, const u_char* data, + bool orig) { } + virtual void Undelivered(int seq, int len, bool orig) { } +}; + + +/** + * Main analyzer interface. + * + * Each analyzer is part of a tree, having a parent analyzer and an arbitrary + * number of child analyzers. Each analyzer also has a list of + * SupportAnalyzer. All analyzer input first passes through this list of + * support analyzers, which can perform arbitrary preprocessing. + * + * When overiding any of the class' methods, always make sure to call the + * base-class version first. + */ class Analyzer { public: - // "name" must match the one used in + /** + * Constructor. + * + * @param name A name for the protocol the analyzer is parsing. The + * name must match the one the corresponding Component registers. + * + * @param conn The connection the analyzer is associated with. + */ Analyzer(const char* name, Connection* conn); + + /** + * Destructor. + */ virtual ~Analyzer(); + /** + * Initializes the analyzer before input processing starts. + */ virtual void Init(); + + /** + * Finishes the analyzer's operation after all input has been parsed. + */ virtual void Done(); - // Pass data to the analyzer (it's automatically passed through its - // support analyzers first). We have packet-wise and stream-wise - // interfaces. For the packet-interface, some analyzers may require - // more information than others, so IP/caplen and seq may or may - // not be set. - void NextPacket(int len, const u_char* data, bool orig, + /** + * Passes packet input to the analyzer for processing. 
The analyzer + * will process the input with any support analyzers first and then + * forward the data to DeliverStream(), which derived classes can + * override. + * + * Note that there is a separate method for stream input, + * NextStream(). + * + * @param len The number of bytes passed in. + * + * @param data Pointer the input to process. + * + * @param is_orig True if this is originator-side input. + * + * @param seq Current sequence number, if available (only supported + * if the data is coming from the TCP analyzer. + * + * @param ip An IP packet header associated with the data, if + * available. + * + * @param caplen The packet's capture length, if available. + */ + void NextPacket(int len, const u_char* data, bool is_orig, int seq = -1, const IP_Hdr* ip = 0, int caplen = 0); + + /** + * Passes stream input to the analyzer for processing. The analyzer + * will process the input with any support analyzers first and then + * forward the data to DeliverStream(), which derived classes can + * override. + * + * Note that there is a separate method for packet input, + * NextPacket(). + * + * @param len The number of bytes passed in. + * + * @param data Pointer the input to process. + * + * @param is_orig True if this is originator-side input. + */ void NextStream(int len, const u_char* data, bool is_orig); - // Used for data that can't be delivered (e.g., due to a previous - // sequence hole/gap). + /** + * Informs the analyzer about a gap in the TCP stream, i.e., data + * that can't be delivered. This method triggers Undelivered(), which + * derived classes can override. + * + * @param seq The sequence number of the first byte of gap. + * + * @param len The length of the gap. + * + * @param is_orig True if this is about originator-side input. + */ void NextUndelivered(int seq, int len, bool is_orig); - // Report message boundary. (See EndOfData() below.) - void NextEndOfData(bool orig); + /** + * Reports a message boundary. 
This is a generic method that can be + * used by an Analyzer if all data of a PDU has been delivered, e.g., + * to report that HTTP body has been delivered completely by the HTTP + * analyzer before it starts with the next body. A final EndOfData() + * is automatically generated by the analyzer's Done() method. This + * method triggers EndOfData(), which derived classes can override. + * + * @param is_orig True if this is about originator-side input. + */ + void NextEndOfData(bool is_orig); - // Pass data on to all child analyzer(s). For SupportAnalyzers (see - // below), this is overridden to pass it on to the next sibling (or - // finally to the parent, if it's the last support analyzer). - // - // If we have an associated OutputHandler (see below), the data is - // additionally passed to that, too. For SupportAnalyzers, it is *only* - // delivered to the OutputHandler. + /** + * Forwards packet input on to all child analyzers. If the analyzer + * has an associated OutputHandlers, that one receives the input as + * well. + * + * Parameters are the same as for NextPacket(). + */ virtual void ForwardPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); + + /** + * Forwards stream input on to all child analyzers. If the analyzer + * has an associated OutputHandlers, that one receives the input as + * well. + * + * Parameters are the same as for NextStream(). + */ virtual void ForwardStream(int len, const u_char* data, bool orig); + + /** + * Forwards a sequence gap on to all child analyzers. + * + * Parameters are the same as for NextUndelivered(). + */ virtual void ForwardUndelivered(int seq, int len, bool orig); - // Report a message boundary to all child analyzers + /** + * Forwards an end-of-data notification on to all child analyzers. + * + * Parameters are the same as for NextPacket(). 
+ */ virtual void ForwardEndOfData(bool orig); - ID GetID() const { return id; } - Connection* Conn() const { return conn; } - - // An OutputHandler can be used to get access to data extracted by this - // analyzer (i.e., all data which is passed to - // Forward{Packet,Stream,Undelivered}). We take the ownership of - // the handler. - class OutputHandler { - public: - virtual ~OutputHandler() { } - - virtual void DeliverPacket(int len, const u_char* data, - bool orig, int seq, - const IP_Hdr* ip, int caplen) - { } - virtual void DeliverStream(int len, const u_char* data, - bool orig) { } - virtual void Undelivered(int seq, int len, bool orig) { } - }; - - OutputHandler* GetOutputHandler() const { return output_handler; } - void SetOutputHandler(OutputHandler* handler) - { output_handler = handler; } - - // If an analyzer was triggered by a signature match, this returns the - // name of the signature; nil if not. - const Rule* Signature() const { return signature; } - void SetSignature(const Rule* sig) { signature = sig; } - - void SetSkip(bool do_skip) { skip = do_skip; } - bool Skipping() const { return skip; } - - bool IsFinished() const { return finished; } - - Tag GetAnalyzerTag() const { return tag; } - const string& GetAnalyzerName() const; - bool IsAnalyzer(const char* name); - - // Management of the tree. - // - // We immediately discard an added analyzer if there's already a child - // of the same type. - void AddChildAnalyzer(Analyzer* analyzer) - { AddChildAnalyzer(analyzer, true); } - Analyzer* AddChildAnalyzer(Tag tag); - - void RemoveChildAnalyzer(Analyzer* analyzer); - void RemoveChildAnalyzer(ID id); - - bool HasChildAnalyzer(Tag tag); - - // Recursive; returns nil if not found. - Analyzer* FindChild(ID id); - - // Recursive; returns first found, or nil. - Analyzer* FindChild(Tag tag); - - // Recursive; returns first found, or nil. 
- Analyzer* FindChild(const string& name); - - const analyzer_list& GetChildren() { return children; } - - Analyzer* Parent() const { return parent; } - void SetParent(Analyzer* p) { parent = p; } - - // Remove this child analyzer from the parent's list. - void Remove() { assert(parent); parent->RemoveChildAnalyzer(this); } - - // Management of support analyzers. Support analyzers are associated - // with a direction, and will only see data in the corresponding flow. - // - // We immediately discard an added analyzer if there's already a child - // of the same type for the same direction. - - // Adds to tail of list. - void AddSupportAnalyzer(SupportAnalyzer* analyzer); - - void RemoveSupportAnalyzer(SupportAnalyzer* analyzer); - - // These are the methods where the analyzer actually gets its input. - // Each analyzer has only to implement the schemes it supports. - - // Packet-wise (or more generally chunk-wise) input. "data" points - // to the payload that the analyzer is supposed to examine. If it's - // part of a full packet, "ip" points to its IP header. An analyzer - // may or may not require to be given the full packet (and its caplen) - // as well. + /** + * Hook for accessing packet input for parsing. This is called by + * NextDeliverPacket() and can be overridden by derived classes. + * Parameters are the same. + */ virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - // Stream-wise payload input. + /** + * Hook for accessing stream input for parsing. This is called by + * NextDeliverStream() and can be overridden by derived classes. + * Parameters are the same. + */ virtual void DeliverStream(int len, const u_char* data, bool orig); - // If a parent analyzer can't turn a sequence of packets into a stream - // (e.g., due to holes), it can pass the remaining data through this - // method to the child. + /** + * Hook for accessing input gap during parsing. 
This is called by + * NextUndelivered() and can be overridden by derived classes. + * Parameters are the same. + */ virtual void Undelivered(int seq, int len, bool orig); - // Report a message boundary. This is a generic method that can be used - // by specific Analyzers if all data of a message has been delivered, - // e.g., to report that HTTP body has been delivered completely by the - // HTTP analyzer before it starts with the next body. EndOfData() is - // automatically generated by the analyzer's Done() method. + /** + * Hook for accessing end-of-data notifications. This is called by + * NextEndOfData() and can be overridden by derived classes. + * Parameters are the same. + */ virtual void EndOfData(bool is_orig); - // Occasionally we may find during analysis that we got the direction - // of the connection wrong. In these cases, this method is called - // to swap state if necessary. This will not happen after payload - // has already been passed on, so most analyzers don't need to care. + /** + * Signals the analyzer that its associated connection had its + * endpoint flipped. This can happen if during analysis it turns out + * that we got the direction of the connection wrong. In these + * cases, this method is called to swap state if necessary. This + * will not happen after payload has already been passed on, so most + * analyzers don't need to care. + */ virtual void FlipRoles(); - // Feedback about protocol conformance, to be called by the - // analyzer's processing. The methods raise the correspondiong - // protocol_confirmation and protocol_violation events. + /** + * Returns the analyzer instance's internal ID. These IDs are unique + * across all analyzer instantiated and can thus be used to indentify + * a specific instance. + */ + ID GetID() const { return id; } - // Report that we believe we're parsing the right protocol. This - // should be called as early as possible during a connection's - // life-time. 
The protocol_confirmed event is only raised once per - // analyzer, even if the method is called multiple times. - virtual void ProtocolConfirmation(); + /** + * Returns the connection that the analyzer is associated with. + */ + Connection* Conn() const { return conn; } - // Return whether the analyzer previously called ProtocolConfirmation() - // at least once before. - bool ProtocolConfirmed() const - { return protocol_confirmed; } + /** + * Returns the OutputHandler associated with the connection, or null + * if none. + */ + OutputHandler* GetOutputHandler() const { return output_handler; } - // Report that we found a significant protocol violation which might - // indicate that the analyzed data is in fact not the expected - // protocol. The protocol_violation event is raised once per call to - // this method so that the script-level may build up some notion of - // how "severely" protocol semantics are violated. + /** + * Associates an OutputHandler with the connnection. + * + * @param handler The handler. + */ + void SetOutputHandler(OutputHandler* handler) + { output_handler = handler; } + + /** + * If this analyzer was activated by a signature match, this returns + * the signature that did so. Returns null otherwise. + */ + const Rule* Signature() const { return signature; } + + /** + * Sets the signature that activated this analyzer, if any. + * + * @param sig The signature. + */ + void SetSignature(const Rule* sig) { signature = sig; } + + /** + * Signals the analyzer to skip all further input processsing. The \a + * Next*() methods check this flag and discard the input if its set. + * + * @param do_skipe If true, further processing will be skipped. + */ + void SetSkip(bool do_skip) { skip = do_skip; } + + /** + * Returns true if the analyzer has been told to skip processing all + * further input. + */ + bool Skipping() const { return skip; } + + /** + * Returns true if Done() has been called. 
+ */ + bool IsFinished() const { return finished; } + + /** + * Returns the tag associated with the analyzer's type. + */ + Tag GetAnalyzerTag() const { return tag; } + + /** + * Returns a textual description of the analyzer's type. This is + * what's passed to the constructor and usally corresponds to the + * protocol name, e.g., "HTTP". + */ + const string& GetAnalyzerName() const; + + /** + * Returns true if this analyzer's type matches the name passes in. + * This is shortcut for comparing GetAnalyzerName() with the given + * name. + * + * @param name The name to check. + */ + bool IsAnalyzer(const char* name); + + /** + * Adds a new child analyzer to the analyzer tree. If an analyzer of + * the same type already exists, the one passes in is silenty + * discarded. + * + * @param analyzer The ananlyzer to add. Takes ownership. + */ + void AddChildAnalyzer(Analyzer* analyzer) + { AddChildAnalyzer(analyzer, true); } + + /** + * Adds a new child analyzer to the analyzer tree. If an analyzer of + * the same type already exists, the one passes in is silenty + * discarded. + * + * @param tag The type of analyzer to add. + */ + Analyzer* AddChildAnalyzer(Tag tag); + + /** + * Removes a child analyzer. It's ok for the analyzer to not to be a + * child, in which case the method does nothing. + * + * @param analyzer The analyzer to remove. + */ + void RemoveChildAnalyzer(Analyzer* analyzer); + + /** + * Removes a child analyzer. It's ok for the analyzer to not to be a + * child, in which case the method does nothing. + * + * @param tag The type of analyzer to remove. + */ + void RemoveChildAnalyzer(ID id); + + /** + * Returns true if analyzer has a direct child of a given type. + * + * @param tag The type of analyzer to check for. + */ + bool HasChildAnalyzer(Tag tag); + + /** + * Recursively searches all (direct or indirect) childs of the + * analyzer for an analyzer with a specific ID. + * + * @param id The analyzer id to search. This is the ID that GetID() + * returns. 
+ * + * @return The analyzer, or null if not found. + */ + Analyzer* FindChild(ID id); + + /** + * Recursively searches all (direct or indirect) childs of the + * analyzer for an analyzer of a given type. + * + * @param tag The analyzer type to search. + * + * @return The first analyzer of the given type found, or null if + * none. + */ + Analyzer* FindChild(Tag tag); + + /** + * Recursively searches all (direct or indirect) childs of the + * analyzer for an analyzer of a given type. + * + * @param name The naem of the analyzer type to search (e.g., + * "HTTP"). + * + * @return The first analyzer of the given type found, or null if + * none. + */ + Analyzer* FindChild(const string& name); + + /** + * Returns a list of all direct child analyzers. + */ + const analyzer_list& GetChildren() { return children; } + + /** + * Returns a pointer to the parent analyzer, or null if this instance + * has not yet been added to an analyzer tree. + */ + Analyzer* Parent() const { return parent; } + + /** + * Sets the parent analyzer. + * + * @param p The new parent. + */ + void SetParent(Analyzer* p) { parent = p; } + + /** + * Remove the analyzer form its parent. The analyzer must have a + * parent associated with it. + */ + void Remove() { assert(parent); parent->RemoveChildAnalyzer(this); } + + /** + * Appends a support analyzer to the current list. + * + * @param analyzer The support analyzer to add. + */ + void AddSupportAnalyzer(SupportAnalyzer* analyzer); + + /** + * Remove a support analyzer. + * + * @param analyzer The analyzer to remove. The function is a no-op if + * that analyzer is not part of the list of support analyzer. + */ + void RemoveSupportAnalyzer(SupportAnalyzer* analyzer); + + /** + * Signals Bro's protocol detection that the analyzer has recognized + * the input to indeed conform to the expected protocol. This should + * be called as early as possible during a connection's life-time. 
It + * may turn into \c protocol_confirmed event at the script-layer (but + * only once per analyzer for each connection, even if the method is + * called multiple times). + */ + virtual void ProtocolConfirmation(); + + /** + * Signals Bro's protocol detection that the analyzer has found a + * severe protocol violation that could indicate that it's not + * parsing the expected protocol. This turns into \c + * protocol_violation events at the script-layer (one such event is + * raised for each call to this method so that the script-layer can + * built up a notion of how prevalent protocol violations are; the + * more, the less likely it's the right protocol). + * + * @param reason A textual description of the error encountered. + * + * @param data An optional pointer to the malformed data. + * + * @param len If \a data is given, the length of it. + */ virtual void ProtocolViolation(const char* reason, const char* data = 0, int len = 0); - virtual unsigned int MemoryAllocation() const; + /** + * Returns true if ProtocolConfirmation() has been called at least + * once. + */ + bool ProtocolConfirmed() const + { return protocol_confirmed; } - // Called whenever the connection value needs to be updated. Per - // default, this method will be called for each analyzer in the tree. - // Analyzers can use this method to attach additional data to the - // connections. A call to BuildConnVal will in turn trigger a call to - // UpdateConnVal. + /** + * Called whenever the connection value is updated. Per default, this + * method will be called for each analyzer in the tree. Analyzers can + * use this method to attach additional data to the connections. A + * call to BuildConnVal() will in turn trigger a call to + * UpdateConnVal(). + * + * @param conn_val The connenction value being updated. + */ virtual void UpdateConnVal(RecordVal *conn_val); - // The following methods are proxies: calls are directly forwarded - // to the connection instance. 
These are for convenience only, - // allowing us to reuse more of the old analyzer code unchanged. + /** + * Convinience function that forwards directly to + * Connection::BuildConnVal(). + */ RecordVal* BuildConnVal(); + + /** + * Convinience function that forwards directly to the corresponding + * Connection::Event(). + */ void Event(EventHandlerPtr f, const char* name = 0); + + /** + * Convinience function that forwards directly to the corresponding + * Connection::Event(). + */ void Event(EventHandlerPtr f, Val* v1, Val* v2 = 0); + + /** + * Convinience function that forwards directly to + * Connection::ConnectionEvent(). + */ void ConnectionEvent(EventHandlerPtr f, val_list* vl); + + /** + * Convinience function that forwards directly to the corresponding + * Connection::Weird(). + */ void Weird(const char* name, const char* addl = ""); + /** + * Internal method. + */ + virtual unsigned int MemoryAllocation() const; + protected: friend class AnalyzerTimer; friend class Manager; friend class ::Connection; friend class ::TCP_ApplicationAnalyzer; - // Associates a connection with this analyzer. Must be called if - // we're using the default ctor. + /** + * Associates a connection with this analyzer. Must be called if + * using the default ctor. + * + * @param c The connection. + */ void SetConnection(Connection* c) { conn = c; } - // Creates the given timer to expire at time t. If do_expire - // is true, then the timer is also evaluated when Bro terminates, - // otherwise not. + /** + * Instantiates a new timer associated with the analyzer. + * + * @param timer The callback function to execute when the timer + * fires. + * + * @param t The absolute time when the timer will fire. + * + * @param do_expire If true, the timer will also fire when Bro + * terminates even if \a t has not been reache yet. + * + * @param type The timer's type. 
+ */ void AddTimer(analyzer_timer_func timer, double t, int do_expire, TimerType type); - void RemoveTimer(Timer* t); + /** + * Cancels all timers added previously via AddTimer(). + */ void CancelTimers(); + /** + * Removes a given timer. This is an internal method and shouldn't be + * used by derived class. It does not cancel the timer. + */ + void RemoveTimer(Timer* t); + + /** + * Returnsn true if the analyzer has associated an SupportAnalyzer of a given type. + * + * @param tag The type to check for. + * + * @param orig True if asking about the originator side. + */ bool HasSupportAnalyzer(Tag tag, bool orig); + /** + * Adds a a new child analyzer with the option whether to intialize + * it. This is an internal method. + * + * @param analyzer The analyzer to add. Takes ownership. + * + * @param init If true, Init() will be calle.d + */ void AddChildAnalyzer(Analyzer* analyzer, bool init); + + /** + * Inits all child analyzers. This is an internal method. + */ void InitChildren(); + + /** + * Reorganizes the child data structure. This is an internal method. + */ void AppendNewChildren(); private: 
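Review bot: Several of the new doc comments point at methods that do not exist or describe the wrong thing: `DeliverPacket()`/`DeliverStream()` say they are called by `NextDeliverPacket()`/`NextDeliverStream()` (should be `NextPacket()`/`NextStream()`), `ForwardEndOfData()` says its parameters match `NextPacket()` (should be `NextEndOfData()`), `RemoveChildAnalyzer(ID id)` documents `@param tag`, `GetOutputHandler()` says the handler is associated with the connection although `output_handler` is an Analyzer member, and the new top-level `OutputHandler` class carries only `XXX`. The ownership contract on `AddChildAnalyzer(Analyzer*)` is the one most likely to bite: it says both "Takes ownership" and that a duplicate is "silently discarded" without saying whether the discarded analyzer is deleted, which is the difference between a leak and a double free for a caller that keeps the pointer; once confirmed against `AddChildAnalyzer(Analyzer*, bool)`, state it, e.g. `@param analyzer The analyzer to add. Takes ownership; a rejected duplicate is deleted (TODO confirm) and must not be used afterwards.` `Remove()` still relies on `assert(parent)` and dereferences `parent` unconditionally in NDEBUG builds, so its comment should say "Behavior is undefined if no parent is set" rather than merely that one must be present. Spelling throughout ("overiding", "indentify", "Convinience", "connnection", "silenty", "naem", "reache", "Returnsn", "calle.d", "do_skipe", "intialize") deserves a pass before this becomes the published API reference.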
@@ -313,39 +599,109 @@ private: static ID id_counter; }; +/** + * Convenience macro to add a new timer. + */ #define ADD_ANALYZER_TIMER(timer, t, do_expire, type) \ AddTimer(analyzer::analyzer_timer_func(timer), (t), (do_expire), (type)) +/** + * Internal convenience macro to iterate over the list of child analyzers. + */ #define LOOP_OVER_CHILDREN(var) \ for ( analyzer::analyzer_list::iterator var = children.begin(); \ var != children.end(); var++ ) +/** + * Internal convenience macro to iterate over the constant list of child + * analyzers. + */ #define LOOP_OVER_CONST_CHILDREN(var) \ for ( analyzer::analyzer_list::const_iterator var = children.begin(); \ var != children.end(); var++ ) +/** + * Convenience macro to iterate over a given list of child analyzers. + */ #define LOOP_OVER_GIVEN_CHILDREN(var, the_kids) \ for ( analyzer::analyzer_list::iterator var = the_kids.begin(); \ var != the_kids.end(); var++ ) +/** + * Convenience macro to iterate over a given constant list of child + * analyzers. + */ #define LOOP_OVER_GIVEN_CONST_CHILDREN(var, the_kids) \ for ( analyzer::analyzer_list::const_iterator var = the_kids.begin(); \ var != the_kids.end(); var++ ) +/** + * Support analyzer preprocess input before it reaches an analyzer's main + * processing. They share the input interface with of an Analyzer but they + * are uni-directional: they receive data only from one side of a connection. + * + */ class SupportAnalyzer : public Analyzer { public: + /** + * Constructor. + * + * @param name A name for the protocol the analyzer is parsing. The + * name must match the one the corresponding Component registers. + * + * @param conn The connection the analyzer is associated with. + * + * @param arg_orig: If true, this is a support analyzer for the + * connection originator side, and otherwise for the responder side. + */ SupportAnalyzer(const char* name, Connection* conn, bool arg_orig) : Analyzer(name, conn) { orig = arg_orig; sibling = 0; } + /** + * Destructor. 
+ */ virtual ~SupportAnalyzer() {} + /** + * Returns true if this is a support analyzer for the connection's + * originator side. + */ bool IsOrig() const { return orig; } + /** + * Passes packet input to the next sibling SupportAnalyzer if any, or + * on to the associated main analyzer if none. If however there's an + * output handler associated with this support analyzer, the data is + * passed only to there. + * + * Parameters same as for Analyzer::ForwardPacket. + */ virtual void ForwardPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); + + /** + * Passes stream input to the next sibling SupportAnalyzer if any, or + * on to the associated main analyzer if none. If however there's an + * output handler associated with this support analyzer, the data is + * passed only to there. + * + * Parameters same as for Analyzer::ForwardStream. + */ virtual void ForwardStream(int len, const u_char* data, bool orig); + + /** + * Passes gap information to the next sibling SupportAnalyzer if any, + * or on to the associated main analyzer if none. If however there's + * an output handler associated with this support analyzer, the gap is + * passed only to there. + * + * Parameters same as for Analyzer::ForwardPacket. + */ virtual void ForwardUndelivered(int seq, int len, bool orig); + /** + * Returns the analyzer next sibling, or null if none. + */ SupportAnalyzer* Sibling() const { return sibling; } protected: 
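Review bot: The doc comment added above `SupportAnalyzer::ForwardUndelivered` ends with `Parameters same as for Analyzer::ForwardPacket.`, while the method's `(int seq, int len, bool orig)` signature corresponds to `Analyzer::ForwardUndelivered`; it should read `Parameters same as for Analyzer::ForwardUndelivered.` so readers are not pointed at a method with a different parameter list. In the same class, the constructor's `@param arg_orig:` carries a stray colon that none of the other `@param` tags in this header use. The class comment `Support analyzer preprocess input before it reaches an analyzer's main processing. They share the input interface with of an Analyzer` should be `Support analyzers preprocess input before it reaches an analyzer's main processing. They share the input interface of an Analyzer`.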
@@ -359,22 +715,85 @@ private: SupportAnalyzer* sibling; }; +// The following need to be consistent with bro.init. +#define CONTENTS_NONE 0 +#define CONTENTS_ORIG 1 +#define CONTENTS_RESP 2 +#define CONTENTS_BOTH 3 +/** + * Base class for analyzers parsing transport-layer protocols. + */ class TransportLayerAnalyzer : public Analyzer { public: + /** + * Constructor. + * + * @param name A name for the protocol the analyzer is parsing. The + * name must match the one the corresponding Component registers. + * + * @param conn The connection the analyzer is associated with. + */ TransportLayerAnalyzer(const char* name, Connection* conn) : Analyzer(name, conn) { pia = 0; } + /** + * Overridden from parent class. + */ virtual void Done(); + + /** + * Returns true if the analyzer determines that in fact a new + * connection has started without the connection statement having + * terminated the previous one, i.e., the new data is arriving at + * what's the analyzer for the previous instance. This is used only + * for TCP. + */ virtual bool IsReuse(double t, const u_char* pkt) = 0; + /** + * Associates a file with the analyzer in which to record all + * analyzed input. This must only be called with derived classes that + * overide the method; the default implementation will abort. + * + * @param direction One of the CONTENTS_* constants indicating which + * direction of the input stream is to be recorded. + * + * @param f The file to record to. + * + */ virtual void SetContentsFile(unsigned int direction, BroFile* f); + + /** + * Returns an associated contents file, if any. This must only be + * called with derived classes that overide the method; the default + * implementation will abort. + * + * @param direction One of the CONTENTS_* constants indicating which + * direction the query is for. + */ virtual BroFile* GetContentsFile(unsigned int direction) const; + /** + * Associates a PIA with this analyzer. 
A PIA takes the + * transport-layer input and determine which protocol analyzer(s) to + * use for parsing it. + */ void SetPIA(PIA* arg_PIA) { pia = arg_PIA; } + + /** + * Returns the associated PIA, or null of none. Does not take + * ownership. + */ PIA* GetPIA() const { return pia; } - // Raises packet_contents event. + /** + * Helper to raise a \c packet_contents event. + * + * @param data The dass to pass to the event. + * + * @param len The length of \a data. + */ void PacketContents(const u_char* data, int len); private: diff --git a/src/protocols/http/HTTP.cc b/src/protocols/http/HTTP.cc index d5d911bbc6..a58d5a6bf3 100644 --- a/src/protocols/http/HTTP.cc +++ b/src/protocols/http/HTTP.cc @@ -170,7 +170,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF) DeliverBody(len, data, trailing_CRLF); } -class HTTP_Entity::UncompressedOutput : public analyzer::Analyzer::OutputHandler { +class HTTP_Entity::UncompressedOutput : public analyzer::OutputHandler { public: UncompressedOutput(HTTP_Entity* e) { entity = e; } virtual ~UncompressedOutput() { } From 86551cd42923ca88be1a216e7417eb39ca350a81 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 5 Apr 2013 12:38:21 -0700 Subject: [PATCH 026/200] Fixing test. --- doc/scripts/DocSourcesList.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index c71d7798ea..5442c1024a 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
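Review bot: The new `CONTENTS_NONE`..`CONTENTS_BOTH` macros are protected only by the comment `// The following need to be consistent with bro.init.`, and the script file this series actually touches is `scripts/base/init-bare.bro` (per the diffstat), so the comment likely already names a stale file; it should name the real file and the script-side constants being mirrored, because a silent mismatch would make `SetContentsFile(direction, f)` record the wrong direction without any error. The documentation for `SetContentsFile`/`GetContentsFile` says the default implementation "will abort"; since both are virtual on `TransportLayerAnalyzer`, spell out that callers must only invoke them on analyzers known to override them, as an abort here is a process crash rather than a recoverable error. Typos in the new comments: `The dass to pass to the event` should be `The data to pass to the event`, `overide` should be `override` (twice), and `or null of none` should be `or null if none`.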
@@ -16,7 +16,7 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal) rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/analyzer.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) From d5865c67cbb64c9e3e91311214358422a3638a12 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 5 Apr 2013 12:40:09 -0700 Subject: [PATCH 027/200] Removing some debugging output. --- src/analyzer/Manager.cc | 26 +------------------------- 1 file changed, 1 insertion(+), 25 deletions(-) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index dca4084c2c..68869b3799 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -171,10 +171,7 @@ bool Manager::EnableAnalyzer(Tag tag) Component* p = Lookup(tag); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to enable non-existing analyzer"); return false; - } DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); p->SetEnabled(true); @@ -187,10 +184,7 @@ bool Manager::EnableAnalyzer(EnumVal* val) Component* p = Lookup(val); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to enable non-existing analyzer"); return false; - } DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); p->SetEnabled(true); @@ -203,10 +197,7 @@ bool Manager::DisableAnalyzer(Tag tag) Component* p = Lookup(tag); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to disable non-existing analyzer"); return false; - } DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); p->SetEnabled(false); 
@@ -219,10 +210,7 @@ bool Manager::DisableAnalyzer(EnumVal* val) Component* p = Lookup(val); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to disable non-existing analyzer"); return false; - } DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); p->SetEnabled(false); @@ -246,10 +234,7 @@ bool Manager::IsEnabled(Tag tag) Component* p = Lookup(tag); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to check non-existing analyzer"); return false; - } return p->Enabled(); } @@ -259,10 +244,7 @@ bool Manager::IsEnabled(EnumVal* val) Component* p = Lookup(val); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to check non-existing analyzer"); return false; - } return p->Enabled(); } @@ -273,11 +255,8 @@ bool Manager::RegisterAnalyzerForPort(EnumVal* val, PortVal* port) Component* p = Lookup(val); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to register port for non-existing analyzer"); return false; - } - + return RegisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); } @@ -286,10 +265,7 @@ bool Manager::UnregisterAnalyzerForPort(EnumVal* val, PortVal* port) Component* p = Lookup(val); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to unregister port fork non-existing analyzer"); return false; - } return UnregisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); } From 1a30a5781630124284a90cebd6dc2a3ab521d641 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 5 Apr 2013 13:12:16 -0700 Subject: [PATCH 028/200] Porting syslog analyzer as another example. The diff to this commit shows what "porting" involves ... This also adds a small test for syslog. --- scripts/base/protocols/syslog/main.bro | 2 +- src/CMakeLists.txt | 3 -- src/event.bif | 17 ---------- src/protocols/BuiltInAnalyzers.cc | 2 -- src/protocols/CMakeLists.txt | 1 + src/protocols/syslog/CMakeLists.txt | 10 ++++++ src/protocols/syslog/Plugin.cc | 10 ++++++ .../syslog/Syslog.cc} | 31 +++++++++--------- .../syslog/Syslog.h} | 21 ++++++------ src/protocols/syslog/events.bif | 17 ++++++++++ .../syslog}/syslog-analyzer.pac | 0 .../syslog}/syslog-protocol.pac | 0 src/{ => protocols/syslog}/syslog.pac | 5 +++ .../syslog.log | 10 ++++++ testing/btest/Traces/syslog-single-udp.trace | Bin 0 -> 125 bytes .../scripts/base/protocols/syslog/trace.test | 4 +++ 16 files changed, 85 insertions(+), 48 deletions(-) create mode 100644 src/protocols/syslog/CMakeLists.txt create mode 100644 src/protocols/syslog/Plugin.cc rename src/{Syslog-binpac.cc => protocols/syslog/Syslog.cc} (62%) rename src/{Syslog-binpac.h => protocols/syslog/Syslog.h} (63%) create mode 100644 src/protocols/syslog/events.bif rename src/{ => protocols/syslog}/syslog-analyzer.pac (100%) rename src/{ => protocols/syslog}/syslog-protocol.pac (100%) rename src/{ => protocols/syslog}/syslog.pac (79%) create mode 100644 testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log create mode 100644 testing/btest/Traces/syslog-single-udp.trace create mode 100644 testing/btest/scripts/base/protocols/syslog/trace.test diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro index 8e6a807c24..7c15fb4fae 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.bro 
@@ -38,7 +38,7 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(Syslog::LOG, [$columns=Info]); - Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG_BINPAC, ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 1b26d56575..c54abea7a6 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -152,8 +152,6 @@ binpac_target(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac) binpac_target(socks.pac socks-protocol.pac socks-analyzer.pac) -binpac_target(syslog.pac - syslog-protocol.pac syslog-analyzer.pac) binpac_target(modbus.pac modbus-protocol.pac modbus-analyzer.pac) @@ -349,7 +347,6 @@ set(bro_SRCS Stats.cc SteppingStone.cc Stmt.cc - Syslog-binpac.cc TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc diff --git a/src/event.bif b/src/event.bif index 65ff3a5731..8a44e8723e 100644 --- a/src/event.bif +++ b/src/event.bif 
@@ -5828,23 +5828,6 @@ event irc_password_message%(c: connection, is_orig: bool, password: string%); ## event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); -## Generated for monitored Syslog messages. -## -## See `Wikipedia `__ for more -## information about the Syslog protocol. -## -## c: The connection record for the underlying transport-layer session/flow. -## -## facility: The "facility" included in the message. -## -## severity: The "severity" included in the message. -## -## msg: The message logged. -## -## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP -## syslog will be added soon. -event syslog_message%(c: connection, facility: count, severity: count, msg: string%); - ## Generated when a signature matches. Bro's signature engine provides ## high-performance pattern matching separately from the normal script ## processing. If a signature with an ``event`` action matches, this event is diff --git a/src/protocols/BuiltInAnalyzers.cc b/src/protocols/BuiltInAnalyzers.cc index 39e8eefac0..3bc15621fd 100644 --- a/src/protocols/BuiltInAnalyzers.cc +++ b/src/protocols/BuiltInAnalyzers.cc @@ -37,7 +37,6 @@ #include "POP3.h" #include "SOCKS.h" #include "SSH.h" -#include "Syslog-binpac.h" #include "Teredo.h" #include "ConnSizeAnalyzer.h" #include "GTPv1.h" @@ -90,7 +89,6 @@ void BuiltinAnalyzers::Init() DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer); - DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer); DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); diff --git a/src/protocols/CMakeLists.txt b/src/protocols/CMakeLists.txt index 35db6549fa..19dda0c770 100644 --- a/src/protocols/CMakeLists.txt +++ b/src/protocols/CMakeLists.txt 
@@ -1,3 +1,4 @@ add_subdirectory(http) add_subdirectory(ssl) +add_subdirectory(syslog) diff --git a/src/protocols/syslog/CMakeLists.txt b/src/protocols/syslog/CMakeLists.txt new file mode 100644 index 0000000000..3fc6b9ea69 --- /dev/null +++ b/src/protocols/syslog/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Syslog) +bro_plugin_cc(Syslog.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac) +bro_plugin_end() diff --git a/src/protocols/syslog/Plugin.cc b/src/protocols/syslog/Plugin.cc new file mode 100644 index 0000000000..a0a2934411 --- /dev/null +++ b/src/protocols/syslog/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "Syslog.h" + +BRO_PLUGIN_BEGIN(Syslog) + BRO_PLUGIN_DESCRIPTION = "Syslog Analyzer (UDP-only currently)"; + BRO_PLUGIN_ANALYZER("SYSLOG", Syslog_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/Syslog-binpac.cc b/src/protocols/syslog/Syslog.cc similarity index 62% rename from src/Syslog-binpac.cc rename to src/protocols/syslog/Syslog.cc index 37449004c7..137cecbd18 100644 --- a/src/Syslog-binpac.cc +++ b/src/protocols/syslog/Syslog.cc 
@@ -1,21 +1,22 @@ -#include "Syslog-binpac.h" + +#include "Syslog.h" #include "TCP_Reassembler.h" -Syslog_Analyzer_binpac::Syslog_Analyzer_binpac(Connection* conn) -: Analyzer("SYSLOG_BINPAC", conn) +Syslog_Analyzer::Syslog_Analyzer(Connection* conn) +: Analyzer("SYSLOG", conn) { interp = new binpac::Syslog::Syslog_Conn(this); did_session_done = 0; - //ADD_ANALYZER_TIMER(&Syslog_Analyzer_binpac::ExpireTimer, + //ADD_ANALYZER_TIMER(&Syslog_Analyzer::ExpireTimer, // network_time + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE); } -Syslog_Analyzer_binpac::~Syslog_Analyzer_binpac() +Syslog_Analyzer::~Syslog_Analyzer() { delete interp; } -void Syslog_Analyzer_binpac::Done() +void Syslog_Analyzer::Done() { Analyzer::Done(); @@ -23,13 +24,13 @@ void Syslog_Analyzer_binpac::Done() Event(udp_session_done); } -void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) +void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); interp->NewData(orig, data, data + len); } -//void Syslog_Analyzer_binpac::ExpireTimer(double t) +//void Syslog_Analyzer::ExpireTimer(double t) // { // // The - 1.0 in the following is to allow 1 second for the // // common case of a single request followed by a single reply, 
@@ -40,22 +41,22 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // sessions->Remove(Conn()); // } // else -// ADD_ANALYZER_TIMER(&Syslog_Analyzer_binpac::ExpireTimer, +// ADD_ANALYZER_TIMER(&Syslog_Analyzer::ExpireTimer, // t + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE); // } -//Syslog_TCP_Analyzer_binpac::Syslog_TCP_Analyzer_binpac(Connection* conn) +//Syslog_TCP_Analyzer::Syslog_TCP_Analyzer(Connection* conn) //: TCP_ApplicationAnalyzer(conn) // { // interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); // } -//Syslog_TCP_Analyzer_binpac::~Syslog_TCP_Analyzer_binpac() +//Syslog_TCP_Analyzer::~Syslog_TCP_Analyzer() // { // delete interp; // } -//void Syslog_TCP_Analyzer_binpac::Done() +//void Syslog_TCP_Analyzer::Done() // { // TCP_ApplicationAnalyzer::Done(); // @@ -63,13 +64,13 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // interp->FlowEOF(false); // } -//void Syslog_TCP_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp) +//void Syslog_TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp) // { // TCP_ApplicationAnalyzer::EndpointEOF(endp); // interp->FlowEOF(endp->IsOrig()); // } -//void Syslog_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data, +//void Syslog_TCP_Analyzer::DeliverStream(int len, const u_char* data, // bool orig) // { // TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); @@ -83,7 +84,7 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // interp->NewData(orig, data, data + len); // } -//void Syslog_TCP_Analyzer_binpac::Undelivered(int seq, int len, bool orig) +//void Syslog_TCP_Analyzer::Undelivered(int seq, int len, bool orig) // { // TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // interp->NewGap(orig, len); diff --git a/src/Syslog-binpac.h b/src/protocols/syslog/Syslog.h similarity index 63% rename from src/Syslog-binpac.h rename to src/protocols/syslog/Syslog.h index 176f2d5b70..2a96bd8ae6 100644 
--- a/src/Syslog-binpac.h +++ b/src/protocols/syslog/Syslog.h @@ -1,22 +1,23 @@ -#ifndef Syslog_binpac_h -#define Syslog_binpac_h + +#ifndef Syslog_h +#define Syslog_h #include "UDP.h" #include "TCP.h" #include "syslog_pac.h" -class Syslog_Analyzer_binpac : public analyzer::Analyzer { +class Syslog_Analyzer : public analyzer::Analyzer { public: - Syslog_Analyzer_binpac(Connection* conn); - virtual ~Syslog_Analyzer_binpac(); + Syslog_Analyzer(Connection* conn); + virtual ~Syslog_Analyzer(); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new Syslog_Analyzer_binpac(conn); } + { return new Syslog_Analyzer(conn); } protected: void ExpireTimer(double t); @@ -28,10 +29,10 @@ protected: // #include "Syslog_tcp_pac.h" // -//class Syslog_TCP_Analyzer_binpac : public TCP_ApplicationAnalyzer { +//class Syslog_TCP_Analyzer : public TCP_ApplicationAnalyzer { //public: -// Syslog_TCP_Analyzer_binpac(Connection* conn); -// virtual ~Syslog_TCP_Analyzer_binpac(); +// Syslog_TCP_Analyzer(Connection* conn); +// virtual ~Syslog_TCP_Analyzer(); // // virtual void Done(); // virtual void DeliverStream(int len, const u_char* data, bool orig); @@ -39,7 +40,7 @@ protected: // virtual void EndpointEOF(TCP_Reassembler* endp); // // static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) -// { return new Syslog_TCP_Analyzer_binpac(conn); } +// { return new Syslog_TCP_Analyzer(conn); } // //protected: // binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; diff --git a/src/protocols/syslog/events.bif b/src/protocols/syslog/events.bif new file mode 100644 index 0000000000..f82adc7e69 --- /dev/null +++ b/src/protocols/syslog/events.bif 
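Review bot: `void ExpireTimer(double t);` is still declared under `protected:` in the ported header, but its only definition in `Syslog.cc` remains commented out together with the `ADD_ANALYZER_TIMER` registration, so the class carries a declaration that nothing can satisfy at link time should any future code call it; either drop the declaration or port the timer as part of this move. The header also keeps both `#include "UDP.h"` and `#include "TCP.h"` while the TCP variant of the analyzer is entirely commented out, so `TCP.h` looks like a leftover of the pre-port file. Separately, `did_session_done = 0;` in the constructor is the only assignment to that flag visible in this series, which would make the `udp_session_done` event in `Done()` unconditional; confirm against the binpac analyzer code, which is renamed here without visible content changes.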
@@ -0,0 +1,17 @@ + +## Generated for monitored Syslog messages. +## +## See `Wikipedia `__ for more +## information about the Syslog protocol. +## +## c: The connection record for the underlying transport-layer session/flow. +## +## facility: The "facility" included in the message. +## +## severity: The "severity" included in the message. +## +## msg: The message logged. +## +## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP +## syslog will be added soon. +event syslog_message%(c: connection, facility: count, severity: count, msg: string%); diff --git a/src/syslog-analyzer.pac b/src/protocols/syslog/syslog-analyzer.pac similarity index 100% rename from src/syslog-analyzer.pac rename to src/protocols/syslog/syslog-analyzer.pac diff --git a/src/syslog-protocol.pac b/src/protocols/syslog/syslog-protocol.pac similarity index 100% rename from src/syslog-protocol.pac rename to src/protocols/syslog/syslog-protocol.pac diff --git a/src/syslog.pac b/src/protocols/syslog/syslog.pac similarity index 79% rename from src/syslog.pac rename to src/protocols/syslog/syslog.pac index 3c0ecfb10d..5e7176da2a 100644 --- a/src/syslog.pac +++ b/src/protocols/syslog/syslog.pac @@ -1,3 +1,8 @@ + +%extern{ + #include "events.bif.h" +%} + %include binpac.pac %include bro.pac diff --git a/testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log b/testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log new file mode 100644 index 0000000000..df53ef42f6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log 
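Review bot: The `msg` parameter is documented only as `The message logged.`, yet the baseline added by this same commit records it as `Hello, syslog!\x00`, i.e. the sender's trailing NUL byte is passed straight through into the event and the log. Either the parser should trim trailing NUL/CR/LF before raising `syslog_message` (and the baseline be regenerated), or the documentation should warn consumers: `## msg: The message logged, as carried in the packet; trailing bytes such as NUL or newline are not stripped.` The note promising TCP support "soon" is carried over unchanged from `event.bif`, although `Plugin.cc` in this commit describes the analyzer as "UDP-only currently"; drop the time claim rather than repeat it. The `Wikipedia` reference renders here with an empty link target; if that is not just rendering loss, the URL needs restoring in the moved text.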
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path syslog +#open 2013-04-05-20-06-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto facility severity message +#types time string addr port addr port enum string string string +1365191811.424495 UWkUyAuUGXf 127.0.0.1 57067 127.0.0.1 514 udp LOCAL0 NOTICE Apr 5 12:56:51 robin: Hello, syslog!\x00 +#close 2013-04-05-20-06-27 diff --git a/testing/btest/Traces/syslog-single-udp.trace b/testing/btest/Traces/syslog-single-udp.trace new file mode 100644 index 0000000000000000000000000000000000000000..9e1505a38a8c761b7657ea4deac4ee3242f5a4ca GIT binary patch literal 125 zcmca|c+)~A1{MYw`2U}Qff2}Q)`<_)uVP~e1+qaH8E`PTGBCJj`a3W<2wo1U2WkM} zd#{<87>os{*ccic+c_2#DJYmK7#dlbnpv3|Diq}>W#(Bac% Date: Tue, 9 Apr 2013 15:54:31 -0700 Subject: [PATCH 029/200] Removing event groups. --- doc/scripts/DocSourcesList.cmake | 2 +- scripts/policy/misc/analysis-groups.bro | 31 ----------- scripts/test-all-policy.bro | 1 - src/EventHandler.cc | 2 - src/EventHandler.h | 5 -- src/EventRegistry.cc | 26 --------- src/EventRegistry.h | 6 --- src/ID.cc | 16 +----- src/bro.bif | 25 --------- src/event.bif | 54 +++++++++---------- src/parse.y | 6 +-- src/protocols/http/events.bif | 18 +++---- src/scan.l | 1 - .../canonified_loaded_scripts.log | 5 +- .../canonified_loaded_scripts.log | 5 +- 15 files changed, 46 insertions(+), 157 deletions(-) delete mode 100644 scripts/policy/misc/analysis-groups.bro diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 5442c1024a..0f76c1881a 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
@@ -25,6 +25,7 @@ rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/functions.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/protocols/ssl/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/protocols/syslog/events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) @@ -134,7 +135,6 @@ rest_target(${psd} policy/frameworks/software/vulnerable.bro) rest_target(${psd} policy/integration/barnyard2/main.bro) rest_target(${psd} policy/integration/barnyard2/types.bro) rest_target(${psd} policy/integration/collective-intel/main.bro) -rest_target(${psd} policy/misc/analysis-groups.bro) rest_target(${psd} policy/misc/capture-loss.bro) rest_target(${psd} policy/misc/loaded-scripts.bro) rest_target(${psd} policy/misc/profiling.bro) diff --git a/scripts/policy/misc/analysis-groups.bro b/scripts/policy/misc/analysis-groups.bro deleted file mode 100644 index 17f5bab845..0000000000 --- a/scripts/policy/misc/analysis-groups.bro +++ /dev/null 
@@ -1,31 +0,0 @@ -##! This script gives the capability to selectively enable and disable event -##! groups at runtime. No events will be raised for all members of a disabled -##! event group. - -module AnalysisGroups; - -export { - ## By default, all event groups are enabled. - ## We disable all groups in this table. - const disabled: set[string] &redef; -} - -# Set to remember all groups which were disabled by the last update. -global currently_disabled: set[string]; - -# This is the event that the control framework uses when it needs to indicate -# that an update control action happened. -event Control::configuration_update() - { - # Reenable those which are not to be disabled anymore. - for ( g in currently_disabled ) - if ( g !in disabled ) - enable_event_group(g); - - # Disable those which are not already disabled. - for ( g in disabled ) - if ( g !in currently_disabled ) - disable_event_group(g); - - currently_disabled = copy(disabled); - } \ No newline at end of file diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index a213031f4c..dc1b4e4154 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -34,7 +34,6 @@ @load integration/barnyard2/types.bro @load integration/collective-intel/__load__.bro @load integration/collective-intel/main.bro -@load misc/analysis-groups.bro @load misc/capture-loss.bro @load misc/loaded-scripts.bro @load misc/profiling.bro diff --git a/src/EventHandler.cc b/src/EventHandler.cc index 5598f93f98..4a74d68a08 100644 --- a/src/EventHandler.cc +++ b/src/EventHandler.cc @@ -10,7 +10,6 @@ EventHandler::EventHandler(const char* arg_name) used = false; local = 0; type = 0; - group = 0; error_handler = false; enabled = true; } @@ -19,7 +18,6 @@ EventHandler::~EventHandler() { Unref(local); delete [] name; - delete [] group; } EventHandler::operator bool() const diff --git a/src/EventHandler.h b/src/EventHandler.h index a86b8a285c..786d9f94ba 100644 --- a/src/EventHandler.h 
+++ b/src/EventHandler.h @@ -41,10 +41,6 @@ public: void SetErrorHandler() { error_handler = true; } bool ErrorHandler() { return error_handler; } - const char* Group() { return group; } - void SetGroup(const char* arg_group) - { group = copy_string(arg_group); } - void SetEnable(bool arg_enable) { enabled = arg_enable; } // We don't serialize the handler(s) itself here, but @@ -54,7 +50,6 @@ public: private: const char* name; - const char* group; Func* local; FuncType* type; bool used; // this handler is indeed used somewhere diff --git a/src/EventRegistry.cc b/src/EventRegistry.cc index f51f624833..cf8aa6802e 100644 --- a/src/EventRegistry.cc +++ b/src/EventRegistry.cc @@ -85,17 +85,6 @@ void EventRegistry::PrintDebug() } } -void EventRegistry::SetGroup(const char* name, const char* group) - { - return; // FIXME. THis triggers the error below for plugin events. - - EventHandler* eh = Lookup(name); - if ( ! eh ) - reporter->InternalError("unknown event handler %s in SetGroup()", name); - - eh->SetGroup(group); - } - void EventRegistry::SetErrorHandler(const char* name) { EventHandler* eh = Lookup(name); @@ -105,18 +94,3 @@ void EventRegistry::SetErrorHandler(const char* name) eh->SetErrorHandler(); } -void EventRegistry::EnableGroup(const char* group, bool enable) - { - IterCookie* c = handlers.InitForIteration(); - - HashKey* k; - EventHandler* v; - while ( (v = handlers.NextEntry(k, c)) ) - { - delete k; - - if ( v->Group() && strcmp(v->Group(), group) == 0 ) - v->SetEnable(enable); - } - } - diff --git a/src/EventRegistry.h b/src/EventRegistry.h index 6ee5e3bcbd..3b4c8df918 100644 --- a/src/EventRegistry.h +++ b/src/EventRegistry.h 
@@ -26,17 +26,11 @@ public: typedef PList(constchar) string_list; string_list* Match(RE_Matcher* pattern); - // Associates a group with the given event. - void SetGroup(const char* name, const char* group); - // Marks a handler as handling errors. Error handler will not be called // recursively to avoid infinite loops in case they trigger an error // themselves. void SetErrorHandler(const char* name); - // Enable/disable all members of the group. - void EnableGroup(const char* group, bool enable); - string_list* UnusedHandlers(); string_list* UsedHandlers(); void PrintDebug(); diff --git a/src/ID.cc b/src/ID.cc index 959ad9b07d..a6e592146b 100644 --- a/src/ID.cc +++ b/src/ID.cc @@ -221,21 +221,7 @@ void ID::UpdateValAttrs() if ( Type()->Tag() == TYPE_FUNC ) { - Attr* attr = attrs->FindAttr(ATTR_GROUP); - - if ( attr ) - { - Val* group = attr->AttrExpr()->ExprVal(); - if ( group ) - { - if ( group->Type()->Tag() == TYPE_STRING ) - event_registry->SetGroup(Name(), group->AsString()->CheckString()); - else - Error("&group attribute takes string"); - } - } - - attr = attrs->FindAttr(ATTR_ERROR_HANDLER); + Attr* attr = attrs->FindAttr(ATTR_ERROR_HANDLER); if ( attr ) event_registry->SetErrorHandler(Name()); diff --git a/src/bro.bif b/src/bro.bif index 9b3eb946e2..4366d26951 100644 --- a/src/bro.bif +++ b/src/bro.bif 
@@ -4342,31 +4342,6 @@ function skip_smtp_data%(c: connection%): any return 0; %} -## Enables all event handlers in a given group. One can tag event handlers with -## the :bro:attr:`&group` attribute to logically group them together, e.g, -## ``event foo() &group="bar"``. This function enables all event handlers that -## belong to such a group. -## -## group: The group. -## -## .. bro:see:: disable_event_group -function enable_event_group%(group: string%) : any - %{ - event_registry->EnableGroup(group->CheckString(), true); - return 0; - %} - -## Disables all event handlers in a given group. -## -## group: The group. -## -## .. bro:see:: enable_event_group -function disable_event_group%(group: string%) : any - %{ - event_registry->EnableGroup(group->CheckString(), false); - return 0; - %} - # =========================================================================== # # Files and Directories diff --git a/src/event.bif b/src/event.bif index 8a44e8723e..ab44495fdc 100644 --- a/src/event.bif +++ b/src/event.bif @@ -2219,7 +2219,7 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line: ## ## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port -event ftp_request%(c: connection, command: string, arg: string%) &group="ftp"; +event ftp_request%(c: connection, command: string, arg: string%); ## Generated for server-side FTP replies. ## @@ -2239,7 +2239,7 @@ event ftp_request%(c: connection, command: string, arg: string%) &group="ftp"; ## ## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port -event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &group="ftp"; +event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%); ## Generated for client-side SMTP commands. ## 
@@ -2264,7 +2264,7 @@ event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &gro ## smtp_data smtp_reply ## ## .. note:: Bro does not support the newer ETRN extension yet. -event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) &group="smtp"; +event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%); ## Generated for server-side SMTP commands. ## @@ -2295,7 +2295,7 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) ## smtp_data smtp_request ## ## .. note:: Bro doesn't support the newer ETRN extension yet. -event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%) &group="smtp"; +event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%); ## Generated for DATA transmitted on SMTP sessions. This event is raised for ## subsequent chunks of raw data following the ``DATA`` SMTP command until the @@ -2320,7 +2320,7 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s ## .. note:: This event receives the unprocessed raw data. There is a separate ## set of ``mime_*`` events that strip out the outer MIME-layer of emails and ## provide structured access to their content. -event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; +event smtp_data%(c: connection, is_orig: bool, data: string%); ## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks ## the state of SMTP sessions and reports commands and other activity with this 
@@ -2340,7 +2340,7 @@ event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; ## detail: The actual SMTP line triggering the event. ## ## .. bro:see:: smtp_data smtp_request smtp_reply -event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp"; +event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); ## Generated when starting to parse an email MIME entity. MIME is a ## protocol-independent data format for encoding text and files, along with @@ -4014,7 +4014,7 @@ event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: ## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected ## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &group="dns"; +event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%); ## Generated for DNS requests. For requests with multiple queries, this event ## is raised once for each. @@ -4041,7 +4041,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &gro ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; +event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); ## Generated for DNS replies that reject a query. This event is raised if a DNS ## reply either indicates failure via its status code or does not pass on any 
@@ -4070,7 +4070,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; +event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); ## Generated for DNS replies with an *ok* status code but no question section. ## @@ -4097,7 +4097,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc ## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_query_reply%(c: connection, msg: dns_msg, query: string, - qtype: count, qclass: count%) &group="dns"; + qtype: count, qclass: count%); ## Generated when the DNS analyzer processes what seems to be a non-DNS packet. ## @@ -4108,7 +4108,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string, ## ## .. note:: This event is deprecated and superseded by Bro's dynamic protocol ## detection framework. -event non_dns_request%(c: connection, msg: string%) &group="dns"; +event non_dns_request%(c: connection, msg: string%); ## Generated for DNS replies of type *A*. For replies with multiple answers, an ## individual event of the corresponding type is raised for each. 
@@ -4133,7 +4133,7 @@ event non_dns_request%(c: connection, msg: string%) &group="dns"; ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns"; +event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); ## Generated for DNS replies of type *AAAA*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4158,7 +4158,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &grou ## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request ## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns"; +event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); ## Generated for DNS replies of type *A6*. For replies with multiple answers, an ## individual event of the corresponding type is raised for each. @@ -4183,7 +4183,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &g ## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request ## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns"; +event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); ## Generated for DNS replies of type *NS*. For replies with multiple answers, an ## individual event of the corresponding type is raised for each. 
@@ -4208,7 +4208,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &gro ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns"; +event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); ## Generated for DNS replies of type *CNAME*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4233,7 +4233,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) ## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request ## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns"; +event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); ## Generated for DNS replies of type *PTR*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4258,7 +4258,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns"; +event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); ## Generated for DNS replies of type *CNAME*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. 
@@ -4283,7 +4283,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns"; +event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%); ## Generated for DNS replies of type *WKS*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4306,7 +4306,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa% ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; +event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%); ## Generated for DNS replies of type *HINFO*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4329,7 +4329,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns" ## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request ## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; +event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%); ## Generated for DNS replies of type *MX*. For replies with multiple answers, an ## individual event of the corresponding type is raised for each. 
@@ -4356,7 +4356,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns"; +event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%); ## Generated for DNS replies of type *TXT*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4381,7 +4381,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns"; +event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%); ## Generated for DNS replies of type *SRV*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4404,7 +4404,7 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; +event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%); ## Generated for DNS replies of type *EDNS*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. 
@@ -4427,7 +4427,7 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns" ## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request ## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns"; +event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%); ## Generated for DNS replies of type *TSIG*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4450,7 +4450,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &gr ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &group="dns"; +event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%); ## Generated at the end of processing a DNS packet. This event is the last ## ``dns_*`` event that will be raised for a DNS query/reply and signals that @@ -4472,7 +4472,7 @@ event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &gr ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_end%(c: connection, msg: dns_msg%) &group="dns"; +event dns_end%(c: connection, msg: dns_msg%); ## Generated for DHCP messages of type *discover*. ## 
@@ -6610,7 +6610,7 @@ event gaobot_signature_found%(c: connection%); ## ## .. todo:: Unclear what this event is for; it's never raised. We should just ## remove it. -event dns_full_request%(%) &group="dns"; +event dns_full_request%(%); ## Deprecated. Will be removed. event anonymization_mapping%(orig: addr, mapped: addr%); diff --git a/src/parse.y b/src/parse.y index 7ce1174595..520623de2c 100644 --- a/src/parse.y +++ b/src/parse.y @@ -2,7 +2,7 @@ // See the file "COPYING" in the main distribution directory for copyright. %} -%expect 88 +%expect 85 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF @@ -23,7 +23,7 @@ %token TOK_ATTR_EXPIRE_CREATE TOK_ATTR_EXPIRE_READ TOK_ATTR_EXPIRE_WRITE %token TOK_ATTR_PERSISTENT TOK_ATTR_SYNCHRONIZED %token TOK_ATTR_RAW_OUTPUT TOK_ATTR_MERGEABLE -%token TOK_ATTR_PRIORITY TOK_ATTR_GROUP TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER +%token TOK_ATTR_PRIORITY TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER %token TOK_ATTR_TYPE_COLUMN %token TOK_DEBUG @@ -1362,8 +1362,6 @@ attr: { $$ = new Attr(ATTR_MERGEABLE); } | TOK_ATTR_PRIORITY '=' expr { $$ = new Attr(ATTR_PRIORITY, $3); } - | TOK_ATTR_GROUP '=' expr - { $$ = new Attr(ATTR_GROUP, $3); } | TOK_ATTR_TYPE_COLUMN '=' expr { $$ = new Attr(ATTR_TYPE_COLUMN, $3); } | TOK_ATTR_LOG diff --git a/src/protocols/http/events.bif b/src/protocols/http/events.bif index e4f71f70fc..ead8bc254b 100644 --- a/src/protocols/http/events.bif +++ b/src/protocols/http/events.bif 
@@ -20,7 +20,7 @@ ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done ply http_stats ## truncate_http_URI -event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request"; +event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%); ## Generated for HTTP replies. Bro supports persistent and pipelined HTTP ## sessions and raises corresponding events as it parses client/server @@ -41,7 +41,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_request ## http_stats -event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply"; +event http_reply%(c: connection, version: string, code: count, reason: string%); ## Generated for HTTP headers. Bro supports persistent and pipelined HTTP ## sessions and raises corresponding events as it parses client/server @@ -64,7 +64,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%) ## ## .. note:: This event is also raised for headers found in nested body ## entities. -event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header"; +event http_header%(c: connection, is_orig: bool, name: string, value: string%); ## Generated for HTTP headers, passing on all headers of an HTTP message at ## once. Bro supports persistent and pipelined HTTP sessions and raises 
@@ -86,7 +86,7 @@ event http_header%(c: connection, is_orig: bool, name: string, value: string%) & ## ## .. note:: This event is also raised for headers found in nested body ## entities. -event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header"; +event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%); ## Generated when starting to parse an HTTP body entity. This event is generated ## at least once for each non-empty (client or server) HTTP body; and @@ -105,7 +105,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) ## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats ## mime_begin_entity -event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; +event http_begin_entity%(c: connection, is_orig: bool%); ## Generated when finishing parsing an HTTP body entity. This event is generated ## at least once for each non-empty (client or server) HTTP body; and @@ -124,7 +124,7 @@ event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data ## http_event http_header http_message_done http_reply http_request ## http_stats mime_end_entity -event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; +event http_end_entity%(c: connection, is_orig: bool%); ## Generated when parsing an HTTP body entity, passing on the data. This event ## can potentially be raised many times for each entity, each time passing a 
@@ -152,7 +152,7 @@ event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_event http_header http_message_done http_reply http_request http_stats ## mime_entity_data http_entity_data_delivery_size skip_http_data -event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body"; +event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%); ## Generated for reporting an HTTP body's content type. This event is ## generated at the end of parsing an HTTP header, passing on the MIME @@ -176,7 +176,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin ## ## .. note:: This event is also raised for headers found in nested body ## entities. -event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body"; +event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%); ## Generated once at the end of parsing an HTTP message. Bro supports persistent ## and pipelined HTTP sessions and raises corresponding events as it parses @@ -198,7 +198,7 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_reply http_request http_stats -event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body"; +event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%); ## Generated for errors found when decoding HTTP requests or replies. ## diff --git a/src/scan.l b/src/scan.l index faa831ea93..a4d80c88ed 100644 --- a/src/scan.l +++ b/src/scan.l 
@@ -332,7 +332,6 @@ when return TOK_WHEN; &encrypt return TOK_ATTR_ENCRYPT; &error_handler return TOK_ATTR_ERROR_HANDLER; &expire_func return TOK_ATTR_EXPIRE_FUNC; -&group return TOK_ATTR_GROUP; &log return TOK_ATTR_LOG; &mergeable return TOK_ATTR_MERGEABLE; &optional return TOK_ATTR_OPTIONAL; diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 0482b574f8..0db69c1f17 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-01-19-44-31 +#open 2013-04-09-22-37-59 #fields name #types string scripts/base/init-bare.bro @@ -36,5 +36,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./Syslog.events.bif.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-01-19-44-31 +#close 2013-04-09-22-37-59 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 390040ab4a..aa406976a0 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-01-19-44-38 +#open 2013-04-09-22-38-15 #fields name #types string scripts/base/init-bare.bro 
@@ -36,6 +36,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./Syslog.events.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/./patterns.bro @@ -126,4 +127,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-01-19-44-38 +#close 2013-04-09-22-38-15 From 2002787c6ed22e98fe3a04123ecf2100146851a5 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 9 Apr 2013 16:23:20 -0700 Subject: [PATCH 030/200] A set of interface changes in preparation for merging into BinPAC++ branch. --- cmake | 2 +- src/CMakeLists.txt | 17 ++-- src/Conn.cc | 2 +- src/Conn.h | 2 +- src/EventRegistry.cc | 6 +- src/ID.h | 1 + src/RuleAction.cc | 10 +-- src/TCP.h | 4 + src/analyzer/Analyzer.cc | 56 ++++++++++--- src/analyzer/Analyzer.h | 40 ++++++++-- src/analyzer/Component.cc | 37 ++++++++- src/analyzer/Component.h | 28 ++++--- src/analyzer/Manager.cc | 56 ++++++------- src/analyzer/Manager.h | 20 ++--- src/analyzer/Tag.cc | 23 +++++- src/analyzer/Tag.h | 10 +++ src/builtin-func.l | 4 +- src/main.cc | 2 +- src/plugin/Macros.h | 15 ++-- src/plugin/Plugin.cc | 126 ++++++++++++++++++++++-------- src/plugin/Plugin.h | 68 +++++++++++----- src/protocols/BuiltInAnalyzers.cc | 8 +- src/protocols/http/HTTP.cc | 2 +- src/protocols/ssl/Plugin.cc | 2 +- src/protocols/syslog/Plugin.cc | 2 +- src/scan.l | 4 +- src/util.h | 6 ++ 27 files changed, 381 insertions(+), 172 deletions(-) diff --git a/cmake b/cmake index 39c1516be5..8cc03d64d0 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 39c1516be5e630bd5d78082e974fae708faa4e8c +Subproject commit 8cc03d64d00676cb75a38543800ac0de192557dd 
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index c54abea7a6..aa51e68e91 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -117,7 +117,7 @@ foreach (bift ${BIF_SRCS}) bif_target(${bift}) endforeach () -add_custom_target(generate_standard_bifs DEPENDS ${ALL_BIF_OUTPUTS}) +add_custom_target(generate_bifs DEPENDS ${ALL_BIF_OUTPUTS}) ######################################################################## ## BinPAC-dependent targets @@ -159,20 +159,16 @@ binpac_target(modbus.pac ## Including subdirectories. ######################################################################## +set(bro_PLUGIN_OBJECT_LIBS CACHE INTERNAL "plugin object libraries" FORCE) + add_subdirectory(analyzer) +add_subdirectory(protocols) set(bro_SUBDIRS $ + ${bro_PLUGIN_OBJECT_LIBS} ) - -######################################################################## -## Including plug-ins that are compiled in statically. -######################################################################## - -set(bro_PLUGIN_OBJECT_LIBS CACHE INTERNAL "plugin object libraries" FORCE) -add_subdirectory(protocols) - ######################################################################## ## bro target @@ -403,8 +399,7 @@ set(bro_SRCS ) collect_headers(bro_HEADERS ${bro_SRCS}) - -add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_PLUGIN_OBJECT_LIBS} ${bro_SUBDIRS}) +add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_SUBDIRS}) target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT}) diff --git a/src/Conn.cc b/src/Conn.cc index e7687c5464..e476dd674b 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -413,7 +413,7 @@ analyzer::Analyzer* Connection::FindAnalyzer(analyzer::Tag tag) return root_analyzer ? root_analyzer->FindChild(tag) : 0; } -analyzer::Analyzer* Connection::FindAnalyzer(const string& name) +analyzer::Analyzer* Connection::FindAnalyzer(const char* name) { return root_analyzer->FindChild(name); } diff --git a/src/Conn.h b/src/Conn.h index 1989ce0b43..1b13500fad 100644 --- a/src/Conn.h 
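Review bot: In the Conn.cc hunk, the new `Connection::FindAnalyzer(const char* name)` dereferences `root_analyzer` unconditionally, while the `Tag` overload two lines above it guards with `root_analyzer ? ... : 0`; the null check was missing on the old side too, but since the commit rewrites the signature it should bring the body in line: `return root_analyzer ? root_analyzer->FindChild(name) : 0;`. The CMake hunks in the same line are build wiring and need no change.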
+++ b/src/Conn.h
@@ -107,7 +107,7 @@ public:
 
 	analyzer::Analyzer* FindAnalyzer(analyzer::ID id);
 	analyzer::Analyzer* FindAnalyzer(analyzer::Tag tag); // find first in tree.
-	analyzer::Analyzer* FindAnalyzer(const string& name); // find first in tree.
+	analyzer::Analyzer* FindAnalyzer(const char* name); // find first in tree.
 
 	TransportProto ConnTransport() const { return proto; }
 
diff --git a/src/EventRegistry.cc b/src/EventRegistry.cc
index cf8aa6802e..2da16de51d 100644
--- a/src/EventRegistry.cc
+++ b/src/EventRegistry.cc
@@ -80,8 +80,10 @@ void EventRegistry::PrintDebug()
 	while ( (v = handlers.NextEntry(k, c)) )
 		{
 		delete k;
-		fprintf(stderr, "Registered event %s (%s handler)\n", v->Name(),
-			v->LocalHandler()? "local" : "no");
+		fprintf(stderr, "Registered event %s (%s handler / %s)\n", v->Name(),
+			v->LocalHandler()? "local" : "no",
+			*v ? "active" : "not active"
+			);
 		}
 	}
 
diff --git a/src/ID.h b/src/ID.h
index 9c1f56e80f..57e1222511 100644
--- a/src/ID.h
+++ b/src/ID.h
@@ -26,6 +26,7 @@ public:
 	bool IsGlobal() const	{ return scope != SCOPE_FUNCTION; }
 
 	bool IsExport() const	{ return is_export; }
+	void SetExport()	{ is_export = true; }
 
 	string ModuleName() const;
 
diff --git a/src/RuleAction.cc b/src/RuleAction.cc
index 7d594e695f..6bbd7243cd 100644
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@@ -40,7 +40,7 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer)
 	string str(arg_analyzer);
 	string::size_type pos = str.find(':');
 	string arg = str.substr(0, pos);
-	analyzer = analyzer_mgr->GetAnalyzerTag(arg);
+	analyzer = analyzer_mgr->GetAnalyzerTag(arg.c_str());
 
 	if ( ! analyzer )
 		reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str());
@@ -48,7 +48,7 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer)
 	if ( pos != string::npos )
 		{
 		arg = str.substr(pos + 1);
-		child_analyzer = analyzer_mgr->GetAnalyzerTag(arg);
+		child_analyzer = analyzer_mgr->GetAnalyzerTag(arg.c_str());
 
 		if ( ! child_analyzer )
 			reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str());
@@ -60,11 +60,11 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer)
 
 void RuleActionAnalyzer::PrintDebug()
 	{
 	if ( ! child_analyzer )
-		fprintf(stderr, "|%s|\n", analyzer_mgr->GetAnalyzerName(analyzer).c_str());
+		fprintf(stderr, "|%s|\n", analyzer_mgr->GetAnalyzerName(analyzer));
 	else
 		fprintf(stderr, "|%s:%s|\n",
-			analyzer_mgr->GetAnalyzerName(analyzer).c_str(),
-			analyzer_mgr->GetAnalyzerName(child_analyzer).c_str());
+			analyzer_mgr->GetAnalyzerName(analyzer),
+			analyzer_mgr->GetAnalyzerName(child_analyzer));
 	}
 
diff --git a/src/TCP.h b/src/TCP.h
index 61bcd7ef7c..be91d473c2 100644
--- a/src/TCP.h
+++ b/src/TCP.h
@@ -267,6 +267,10 @@ public:
 		: Analyzer(name, conn)
 		{ tcp = 0; }
 
+	TCP_ApplicationAnalyzer(Connection* conn)
+		: Analyzer(conn)
+		{ tcp = 0; }
+
 	virtual ~TCP_ApplicationAnalyzer() { }
 
 	// This may be nil if we are not directly associated with a TCP
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index 0bc8d28c8f..c482ddd792 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
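Review bot: The new `TCP_ApplicationAnalyzer(Connection* conn)` constructor in the TCP.h hunk carries no comment, although it forwards to the tag-less `Analyzer(Connection*)` that the Analyzer.h hunk in this commit documents as requiring the tag to be set before use; a reader of TCP.h alone cannot see that obligation. I would add above it: `// Tag-less constructor; the caller must call SetAnalyzerTag() before the analyzer is used.` The RuleAction.cc hunks only adapt to the `const char*` return type and need no change.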
@@ -72,28 +72,56 @@ void AnalyzerTimer::Init(Analyzer* arg_analyzer, analyzer_timer_func arg_timer,
 
 analyzer::ID Analyzer::id_counter = 0;;
 
-const string& Analyzer::GetAnalyzerName() const
+const char* Analyzer::GetAnalyzerName() const
 	{
+	assert(tag);
 	return analyzer_mgr->GetAnalyzerName(tag);
 	}
 
+void Analyzer::SetAnalyzerTag(const Tag& arg_tag)
+	{
+	assert(! tag || tag == arg_tag);
+	tag = arg_tag;
+	}
+
 bool Analyzer::IsAnalyzer(const char* name)
 	{
-	return analyzer_mgr->GetAnalyzerName(tag) == name;
+	assert(tag);
+	return strcmp(analyzer_mgr->GetAnalyzerName(tag), name) == 0;
 	}
 
 // Used in debugging output.
 static string fmt_analyzer(Analyzer* a)
 	{
-	return a->GetAnalyzerName() + fmt("[%d]", a->GetID());
+	return string(a->GetAnalyzerName()) + fmt("[%d]", a->GetID());
 	}
 
-Analyzer::Analyzer(const char* name, Connection* arg_conn)
+Analyzer::Analyzer(const char* name, Connection* conn)
+	{
+	Tag tag = analyzer_mgr->GetAnalyzerTag(name);
+
+	if ( ! tag )
+		reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::Component?", name);
+
+	CtorInit(tag, conn);
+	}
+
+Analyzer::Analyzer(const Tag& tag, Connection* conn)
+	{
+	CtorInit(tag, conn);
+	}
+
+Analyzer::Analyzer(Connection* conn)
+	{
+	CtorInit(Tag(), conn);
+	}
+
+void Analyzer::CtorInit(const Tag& arg_tag, Connection* arg_conn)
 	{
 	// Don't Ref conn here to avoid circular ref'ing. It can't be deleted
 	// before us.
 	conn = arg_conn;
-	tag = analyzer_mgr->GetAnalyzerTag(name);
+	tag = arg_tag;
 	id = ++id_counter;
 	protocol_confirmed = false;
 	skip = false;
@@ -104,10 +132,6 @@ Analyzer::Analyzer(const char* name, Connection* arg_conn)
 	resp_supporters = 0;
 	signature = 0;
 	output_handler = 0;
-
-	if ( ! tag )
-		reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::Component?", name);
-
 	}
 
 Analyzer::~Analyzer()
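Review bot: `SetAnalyzerTag`'s "cannot change an existing tag" rule and the non-empty-tag precondition of `GetAnalyzerName()`/`IsAnalyzer()` are enforced only by `assert`, which compiles out under NDEBUG, so a release build would silently overwrite a tag or pass an empty `Tag` on to `analyzer_mgr`. The name-taking constructor in the same hunk already reports the equivalent failure through `reporter->InternalError`, and the setter could follow that pattern: `if ( tag && tag != arg_tag ) reporter->InternalError("SetAnalyzerTag: tag already set");`. `IsAnalyzer` now calls `strcmp`; the hunk does not show an include for it, so confirm `<cstring>` (or an equivalent) is already pulled in by this file.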
@@ -417,7 +441,7 @@ void Analyzer::RemoveChildAnalyzer(ID id)
 	LOOP_OVER_CHILDREN(i)
 		if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) )
 			{
-			DBG_LOG(DBG_ANALYZER, "%s disabling child %s", GetAnalyzerName().c_str(), id,
+			DBG_LOG(DBG_ANALYZER, "%s disabling child %s", GetAnalyzerName(), id,
 				fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());
 			// See comment above.
 			(*i)->removing = true;
@@ -468,7 +492,7 @@ Analyzer* Analyzer::FindChild(Tag arg_tag)
 	return 0;
 	}
 
-Analyzer* Analyzer::FindChild(const string& name)
+Analyzer* Analyzer::FindChild(const char* name)
 	{
 	Tag tag = analyzer_mgr->GetAnalyzerTag(name);
 	return tag ? FindChild(tag) : 0;
@@ -625,9 +649,12 @@ void Analyzer::ProtocolConfirmation()
 	if ( protocol_confirmed )
 		return;
 
+	EnumVal* tval = tag.AsEnumVal();
+	Ref(tval);
+
 	val_list* vl = new val_list;
 	vl->append(BuildConnVal());
-	vl->append(tag.AsEnumVal());
+	vl->append(tval);
 	vl->append(new Val(id, TYPE_COUNT));
 
 	// We immediately raise the event so that the analyzer can quickly
@@ -653,9 +680,12 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
 	else
 		r = new StringVal(reason);
 
+	EnumVal* tval = tag.AsEnumVal();
+	Ref(tval);
+
 	val_list* vl = new val_list;
 	vl->append(BuildConnVal());
-	vl->append(tag.AsEnumVal());
+	vl->append(tval);
 	vl->append(new Val(id, TYPE_COUNT));
 	vl->append(r);
 
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index 07e5d5acf4..f509f79941 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
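Review bot: The `DBG_LOG` call in the RemoveChildAnalyzer hunk has a format string with two `%s` conversions but passes four arguments, so (if DBG_LOG is printf-style, as the format suggests) the integer `id` is consumed by the second `%s` and the two `fmt_analyzer(...)` strings are never printed; the mismatch predates this commit, but the line is being rewritten here anyway. Since `fmt_analyzer` already yields name plus `[id]` (see the Analyzer.cc hunk above), the first two arguments are redundant: `DBG_LOG(DBG_ANALYZER, "%s disabling child %s", fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());`. RemoveChildAnalyzer's body starts and ends outside the hunk. The `Ref(tval)` additions in ProtocolConfirmation/ProtocolViolation look right and need no change.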
@@ -61,13 +61,32 @@ public: /** * Constructor. * - * @param name A name for the protocol the analyzer is parsing. The - * name must match the one the corresponding Component registers. + * @param name The name for the type of analyzer. The name must match + * the one the corresponding Component registers. * * @param conn The connection the analyzer is associated with. */ Analyzer(const char* name, Connection* conn); + /** + * Constructor. + * + * @param tag The tag for the type of analyzer. The tag must map to + * the name the corresponding Component registers. + * + * @param conn The connection the analyzer is associated with. + */ + Analyzer(const Tag& tag, Connection* conn); + + /** + * Constructor. As this version of the constructor does not receive a + * name or tag, setTag() must be called before the instance can be + * used. + * + * @param conn The connection the analyzer is associated with. + */ + Analyzer(Connection* conn); + /** * Destructor. */ @@ -285,14 +304,22 @@ public: /** * Returns the tag associated with the analyzer's type. */ - Tag GetAnalyzerTag() const { return tag; } + Tag GetAnalyzerTag() const { assert(tag); return tag; } + + /** + * Sets the tag associated with the analyzer's type. Note that this + * can be called only right after construction, if the constructor + * did not receive a name or tag. The method cannot be used to change + * an existing tag. + */ + void SetAnalyzerTag(const Tag& tag); /** * Returns a textual description of the analyzer's type. This is * what's passed to the constructor and usally corresponds to the * protocol name, e.g., "HTTP". */ - const string& GetAnalyzerName() const; + const char* GetAnalyzerName() const; /** * Returns true if this analyzer's type matches the name passes in. 
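Review bot: The new comment on `Analyzer(Connection* conn)` says `setTag()` must be called before use, but the method added in the `@@ -285` hunk is `SetAnalyzerTag()`; the comment should read `* name or tag, SetAnalyzerTag() must be called before the instance can be used.` In that same hunk `GetAnalyzerTag()` now asserts on an empty tag, which its doc comment does not mention even though callers on the tag-less constructor path are exactly the ones who can hit it.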
@@ -377,7 +404,7 @@ public: * @return The first analyzer of the given type found, or null if * none. */ - Analyzer* FindChild(const string& name); + Analyzer* FindChild(const char* name); /** * Returns a list of all direct child analyzers. @@ -574,6 +601,9 @@ private: // already Done(). void DeleteChild(analyzer_list::iterator i); + // Helper for the ctors. + void CtorInit(const Tag& tag, Connection* conn); + Tag tag; ID id; diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc index 9640d6d8ac..6ce433a594 100644 --- a/src/analyzer/Component.cc +++ b/src/analyzer/Component.cc @@ -7,10 +7,10 @@ using namespace analyzer; Tag::type_t Component::type_counter = 0; -Component::Component(std::string arg_name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial) +Component::Component(const char* arg_name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial) : plugin::Component(plugin::component::ANALYZER) { - name = arg_name; + name = copy_string(arg_name); factory = arg_factory; enabled = arg_enabled; partial = arg_partial; @@ -18,6 +18,26 @@ Component::Component(std::string arg_name, factory_callback arg_factory, Tag::su tag = analyzer::Tag(++type_counter, arg_subtype); } +Component::Component(const Component& other) + : plugin::Component(Type()) + { + name = copy_string(other.name); + factory = other.factory; + enabled = other.enabled; + partial = other.partial; + tag = other.tag; + } + +Component::~Component() + { + delete [] name; + } + +analyzer::Tag Component::Tag() const + { + return tag; + } + void Component::Describe(ODesc* d) { plugin::Component::Describe(d); 
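Review bot: The Component copy constructor initialises its base with `plugin::Component(Type())`, which, as far as I can tell from the hunk, calls a member accessor on the object before its base subobject has been constructed; the other constructor in this file passes the enum directly. `: plugin::Component(plugin::component::ANALYZER)` (or `other.Type()`, if that is the accessor `Type()` resolves to) avoids the ordering problem. The `@@ -7` hunk also turns `name` into a raw owning `const char*` whose only documentation is the trailing comment in Component.h, so a one-line note that Component now deep-copies and frees it would help readers.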
@@ -27,3 +47,16 @@ void Component::Describe(ODesc* d) d->Add(")"); } +Component& Component::operator=(const Component& other) + { + if ( &other != this ) + { + name = copy_string(other.name); + factory = other.factory; + enabled = other.enabled; + partial = other.partial; + tag = other.tag; + } + + return *this; + } diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h index 0a48c0546f..67751e1b35 100644 --- a/src/analyzer/Component.h +++ b/src/analyzer/Component.h @@ -2,8 +2,6 @@ #ifndef ANALYZER_PLUGIN_COMPONENT_H #define ANALYZER_PLUGIN_COMPONENT_H -#include - #include "Tag.h" #include "plugin/Component.h" @@ -21,8 +19,6 @@ class Analyzer; * * A plugin can provide a specific protocol analyzer by registering this * analyzer component, describing the analyzer. - * - * This class is safe to copy by value. */ class Component : public plugin::Component { public: @@ -58,13 +54,23 @@ public: * connections has generally not seen much testing yet as virtually * no existing analyzer supports it. */ - Component(std::string name, factory_callback factory, Tag::subtype_t subtype = 0, bool enabled = true, bool partial = false); + Component(const char* name, factory_callback factory, Tag::subtype_t subtype = 0, bool enabled = true, bool partial = false); + + /** + * Copy constructor. + */ + Component(const Component& other); + + /** + * Destructor. + */ + ~Component(); /** * Returns the name of the analyzer. This name is unique across all * analyzers and used to identify it. */ - const std::string& Name() const { return name; } + const char* Name() const { return name; } /** * Returns the analyzer's factory function. @@ -74,7 +80,7 @@ public: /** * Returns whether the analyzer supports partial connections. Partial * connections are those where Bro starts processing payload - * mid-stream, after missing the beginning. + * mid-stream, after missing the beginning. */ bool Partial() const { return partial; } 
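Review bot: `Component::operator=` overwrites `name` with a fresh `copy_string(other.name)` but never frees the buffer the destructor added in the previous hunk would otherwise release, so every assignment leaks the old string; add `delete [] name;` before `name = copy_string(other.name);` (the `&other != this` guard already covers self-assignment). In Component.h the `@@ -21` hunk removes the "safe to copy by value" note even though copy constructor, destructor and operator= are all being added, so a sentence stating that Component deep-copies `name` would document the new ownership rather than leaving it implicit.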
@@ -89,7 +95,7 @@ public: * generated for each new Components, and hence unique across all of * them. */ - analyzer::Tag Tag() const { return tag; } + analyzer::Tag Tag() const; /** * Enables or disables this analyzer. @@ -105,15 +111,17 @@ public: */ virtual void Describe(ODesc* d); + Component& operator=(const Component& other); + private: - std::string name; // The analyzer's name. + const char* name; // The analyzer's name. factory_callback factory; // The analyzer's factory callback. bool partial; // True if the analyzer supports partial connections. analyzer::Tag tag; // The automatically assigned analyzer tag. bool enabled; // True if the analyzer is enabled. // Global counter used to generate unique tags. - static analyzer::Tag::type_t type_counter; + static analyzer::Tag::type_t type_counter; }; } diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 68869b3799..056c3c2b7d 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -108,7 +108,7 @@ void Manager::DumpDebug() #ifdef DEBUG DBG_LOG(DBG_ANALYZER, "Available analyzers after bro_init():"); for ( analyzer_map_by_name::const_iterator i = analyzers_by_name.begin(); i != analyzers_by_name.end(); i++ ) - DBG_LOG(DBG_ANALYZER, " %s (%s)", i->second->Name().c_str(), IsEnabled(i->second->Tag()) ? "enabled" : "disabled"); + DBG_LOG(DBG_ANALYZER, " %s (%s)", i->second->Name(), IsEnabled(i->second->Tag()) ? "enabled" : "disabled"); DBG_LOG(DBG_ANALYZER, ""); DBG_LOG(DBG_ANALYZER, "Analyzers by port:"); @@ -118,7 +118,7 @@ void Manager::DumpDebug() string s; for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) - s += GetAnalyzerName(*j) + " "; + s += string(GetAnalyzerName(*j)) + " "; DBG_LOG(DBG_ANALYZER, " %d/tcp: %s", i->first, s.c_str()); } 
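Review bot: `s += string(GetAnalyzerName(*j)) + " ";` in DumpDebug builds two temporaries per analyzer where `s += GetAnalyzerName(*j); s += " ";` appends in place; the same pattern is in the `@@ -128` hunk for the UDP table. This is debug-only output, so it is a readability point rather than a hot path. DumpDebug's body starts outside these hunks.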
@@ -128,7 +128,7 @@ void Manager::DumpDebug() string s; for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) - s += GetAnalyzerName(*j) + " "; + s += string(GetAnalyzerName(*j)) + " "; DBG_LOG(DBG_ANALYZER, " %d/udp: %s", i->first, s.c_str()); } @@ -151,10 +151,10 @@ void Manager::Done() void Manager::RegisterAnalyzerComponent(Component* component) { if ( Lookup(component->Name()) ) - reporter->FatalError("Analyzer %s defined more than once", component->Name().c_str()); + reporter->FatalError("Analyzer %s defined more than once", component->Name()); DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)", - component->Name().c_str(), component->Tag().AsString().c_str()); + component->Name(), component->Tag().AsString().c_str()); analyzers_by_name.insert(std::make_pair(component->Name(), component)); analyzers_by_tag.insert(std::make_pair(component->Tag(), component)); @@ -173,7 +173,7 @@ bool Manager::EnableAnalyzer(Tag tag) if ( ! p ) return false; - DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name()); p->SetEnabled(true); return true; @@ -186,7 +186,7 @@ bool Manager::EnableAnalyzer(EnumVal* val) if ( ! p ) return false; - DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name()); p->SetEnabled(true); return true; @@ -199,7 +199,7 @@ bool Manager::DisableAnalyzer(Tag tag) if ( ! p ) return false; - DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name()); p->SetEnabled(false); return true; @@ -212,7 +212,7 @@ bool Manager::DisableAnalyzer(EnumVal* val) if ( ! p ) return false; - DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name()); p->SetEnabled(false); return true; 
@@ -256,7 +256,7 @@ bool Manager::RegisterAnalyzerForPort(EnumVal* val, PortVal* port) if ( ! p ) return false; - + return RegisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); } @@ -275,8 +275,8 @@ bool Manager::RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port tag_set* l = LookupPort(proto, port, true); #ifdef DEBUG - std::string name = GetAnalyzerName(tag); - DBG_LOG(DBG_ANALYZER, "Registering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); + const char* name = GetAnalyzerName(tag); + DBG_LOG(DBG_ANALYZER, "Registering analyzer %s for port %" PRIu32 "/%d", name, port, proto); #endif l->insert(tag); @@ -288,8 +288,8 @@ bool Manager::UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 po tag_set* l = LookupPort(proto, port, true); #ifdef DEBUG - std::string name = GetAnalyzerName(tag); - DBG_LOG(DBG_ANALYZER, "Unregistering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); + const char* name = GetAnalyzerName(tag); + DBG_LOG(DBG_ANALYZER, "Unregistering analyzer %s for port %" PRIu32 "/%d", name, port, proto); #endif l->erase(tag); @@ -312,6 +312,8 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) if ( ! a ) reporter->InternalError("analyzer instantiation failed"); + a->SetAnalyzerTag(tag); + return a; } @@ -321,9 +323,9 @@ Analyzer* Manager::InstantiateAnalyzer(const char* name, Connection* conn) return tag ? InstantiateAnalyzer(tag, conn) : 0; } -const string& Manager::GetAnalyzerName(Tag tag) +const char* Manager::GetAnalyzerName(Tag tag) { - static string error = ""; + static const char* error = ""; if ( ! tag ) return error; 
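Review bot: `static const char* error = "";` in GetAnalyzerName is a function-local static that exists only to hand back a literal; `if ( ! tag ) return "";` says the same without the static. The added `a->SetAnalyzerTag(tag);` in InstantiateAnalyzer relies on the assert inside SetAnalyzerTag to catch a factory that constructed its analyzer with a different name, which is a debug-build-only check; if that mismatch is reachable at all, a `reporter->InternalError` there would make it visible in release builds too. InstantiateAnalyzer's body begins outside the hunk.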
@@ -336,17 +338,11 @@ const string& Manager::GetAnalyzerName(Tag tag) return c->Name(); } -const string& Manager::GetAnalyzerName(Val* val) +const char* Manager::GetAnalyzerName(Val* val) { return GetAnalyzerName(Tag(val->AsEnumVal())); } -Tag Manager::GetAnalyzerTag(const string& name) - { - Component* c = Lookup(name); - return c ? c->Tag() : Tag(); - } - Tag Manager::GetAnalyzerTag(const char* name) { Component* c = Lookup(name); @@ -358,12 +354,6 @@ EnumType* Manager::GetTagEnumType() return tag_enum_type; } -Component* Manager::Lookup(const string& name) - { - analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); - return i != analyzers_by_name.end() ? i->second : 0; - } - Component* Manager::Lookup(const char* name) { analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); @@ -474,7 +464,7 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) root->AddChildAnalyzer(analyzer, false); DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled", - analyzer_mgr->GetAnalyzerName(*i).c_str()); + analyzer_mgr->GetAnalyzerName(*i)); } } @@ -500,7 +490,7 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) root->AddChildAnalyzer(analyzer, false); DBG_ANALYZER_ARGS(conn, "activated %s analyzer due to port %d", - analyzer_mgr->GetAnalyzerName(*j).c_str(), resp_port); + analyzer_mgr->GetAnalyzerName(*j), resp_port); } } } @@ -622,7 +612,7 @@ void Manager::ExpireScheduledAnalyzers() conns.erase(i); DBG_LOG(DBG_ANALYZER, "Expiring expected analyzer %s for connection %s", - analyzer_mgr->GetAnalyzerName(a->analyzer).c_str(), + analyzer_mgr->GetAnalyzerName(a->analyzer), fmt_conn_id(a->conn.orig, 0, a->conn.resp, a->conn.resp_p)); delete a; 
@@ -661,7 +651,7 @@ void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, - TransportProto proto, const string& analyzer, + TransportProto proto, const char* analyzer, double timeout) { Tag tag = GetAnalyzerTag(analyzer); diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 750ac986fb..371cad956d 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -42,6 +42,10 @@ namespace analyzer { * sets up their initial analyzer tree, including adding the right \c PIA, * respecting well-known ports, and tracking any analyzers specifically * scheduled for individidual connections. + * + * Note that we keep the public interface of this class free of std::* + * classes. This allows to external analyzer code to potentially use a + * different C++ standard library. */ class Manager { public: @@ -232,7 +236,7 @@ public: * * @return The name, or an empty string if the tag is invalid. */ - const string& GetAnalyzerName(Tag tag); + const char* GetAnalyzerName(Tag tag); /** * Translates an script-level analyzer tag into corresponding @@ -243,17 +247,7 @@ public: * * @return The name, or an empty string if the tag is invalid. */ - const string& GetAnalyzerName(Val* val); - - /** - * Translates an analyzer name into the corresponding tag. - * - * @param name The name. - * - * @return The tag. If the name does not correspond to a valid - * analyzer, the returned tag will evaluate to false. - */ - Tag GetAnalyzerTag(const string& name); + const char* GetAnalyzerName(Val* val); /** * Translates an analyzer name into the corresponding tag. @@ -327,7 +321,7 @@ public: * schedule this analyzer. Must be non-zero. */ void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, - TransportProto proto, const string& analyzer, + TransportProto proto, const char* analyzer, double timeout); /** 
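Review bot: The new class comment in Manager.h reads "This allows to external analyzer code to potentially use a different C++ standard library"; `* This allows external analyzer code to use a different C++ standard library.` is the intended sentence. Since this is the stated reason for the `const string&` to `const char*` conversions across the series, the `GetAnalyzerName` comments would also benefit from saying who owns the returned pointer — the visible implementation returns `c->Name()`, i.e. a string owned by the Component and valid for its lifetime.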
diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc index 0b765742dc..09c3c26caf 100644 --- a/src/analyzer/Tag.cc +++ b/src/analyzer/Tag.cc @@ -31,7 +31,7 @@ Tag::Tag(EnumVal* arg_val) subtype = (i >> 31) & 0xffffffff; } -Tag::Tag(const Tag& other) : type(other.type), subtype(other.subtype) +Tag::Tag(const Tag& other) { type = other.type; subtype = other.subtype; @@ -48,6 +48,27 @@ Tag::Tag() val = 0; } +Tag::~Tag() + { + Unref(val); + val = 0; + } + +Tag& Tag::operator=(const Tag& other) + { + if ( this != &other ) + { + type = other.type; + subtype = other.subtype; + val = other.val; + + if ( val ) + Ref(val); + } + + return *this; + } + EnumVal* Tag::AsEnumVal() const { if ( ! val ) diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index 90a6804dc4..ca3bc8b02f 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -53,6 +53,11 @@ public: */ Tag(); + /** + * Destructor. + */ + ~Tag(); + /** * Returns the tag's main type. */ @@ -81,6 +86,11 @@ public: */ operator bool() const { return *this != Tag(); } + /** + * Assignment operator. + */ + Tag& operator=(const Tag& other); + /** * Compares two tags for equality. */ diff --git a/src/builtin-func.l b/src/builtin-func.l index 2128c21f6b..b23ef43e22 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l @@ -235,9 +235,9 @@ void init_alternative_mode() fprintf(fp_func_init, "\n"); fprintf(fp_func_init, "namespace plugin { namespace %s {\n", plugin); fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "std::list > __bif_%s_init()\n", name); + fprintf(fp_func_init, "std::list > __bif_%s_init()\n", name); fprintf(fp_func_init, "\t{\n"); - fprintf(fp_func_init, "\tstd::list > bifs;\n"); + fprintf(fp_func_init, "\tstd::list > bifs;\n"); fprintf(fp_func_init, "\n"); } } diff --git a/src/main.cc b/src/main.cc index 59a383543c..b3747226b3 100644 --- a/src/main.cc +++ b/src/main.cc 
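Review bot: `Tag::operator=` assigns `val = other.val;` without releasing the reference the left-hand side already holds, so the previous EnumVal's count is never decremented even though the new destructor Unrefs whatever is current; insert `Unref(val);` before `val = other.val;` (with `val` possibly null, as the destructor already assumes Unref tolerates). The copy constructor in the `@@ -31` hunk drops its initializer list, but its visible body only assigns `type` and `subtype`; whether it Refs `val` is outside the hunk, so I cannot confirm the copy path matches the assignment path. The `val = 0;` in the destructor is harmless but tells a reader nothing.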
@@ -814,8 +814,8 @@ int main(int argc, char** argv) log_mgr = new logging::Manager(); input_mgr = new input::Manager(); plugin_mgr = new plugin::Manager(); - plugin_mgr->InitPlugins(); + plugin_mgr->InitPlugins(); analyzer_mgr->Init(); if ( events_file ) diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index f132927560..1ddcb1afc8 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -15,25 +15,22 @@ protected: \ void Init() \ { \ - plugin::Description _desc; \ - _desc.name = #_name; \ - _desc.version = _BRO_PLUGIN_VERSION_DEFAULT; \ - _desc.api_version = BRO_PLUGIN_API_VERSION; + SetName(#_name); \ + SetVersion(_BRO_PLUGIN_VERSION_DEFAULT); \ + SetAPIVersion(BRO_PLUGIN_API_VERSION); #define BRO_PLUGIN_END \ - SetDescription(_desc); \ } \ }; \ \ static Plugin __plugin; \ } } -#define BRO_PLUGIN_DESCRIPTION _desc.description -#define BRO_PLUGIN_URL _desc.url -#define BRO_PLUGIN_VERSION _desc.version +#define BRO_PLUGIN_DESCRIPTION(x) SetDescription(x) +#define BRO_PLUGIN_VERSION(x) SetVersion(x) #define BRO_PLUGIN_BIF_FILE(file) \ - std::list > __bif_##file##_init(); \ + std::list > __bif_##file##_init(); \ AddBifInitFunction(&__bif_##file##_init); #define BRO_PLUGIN_ANALYZER(tag, factory) \ diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 69377fd97a..99c73339b3 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc 
@@ -9,33 +9,86 @@ using namespace plugin; -Description::Description() +BifItem::BifItem(const BifItem& other) { - name = ""; + id = copy_string(other.id); + type = other.type; + } - // These will be reset by the BRO_PLUGIN_* macros. - version = -9999; - api_version = -9999; +BifItem& BifItem::operator=(const BifItem& other) + { + if ( this != &other ) + { + id = copy_string(other.id); + type = other.type; + } + + return *this; + } + +BifItem::~BifItem() + { + delete [] id; } Plugin::Plugin() { + name = copy_string(""); + description = copy_string(""); + + // These will be reset by the BRO_PLUGIN_* macros. + version = -9999; + api_version = -9999; + Manager::RegisterPlugin(this); } -Description Plugin::GetDescription() const - { - return description; - } - -void Plugin::SetDescription(Description& desc) - { - description = desc; - } - Plugin::~Plugin() { Done(); + + delete [] name; + delete [] description; + } + +const char* Plugin::Name() + { + return name; + } + +void Plugin::SetName(const char* arg_name) + { + name = copy_string(arg_name); + } + +const char* Plugin::Description() + { + return description; + } + +void Plugin::SetDescription(const char* arg_description) + { + description = copy_string(arg_description); + } + +int Plugin::Version() + { + return version; + } + +void Plugin::SetVersion(int arg_version) + { + version = arg_version; + } + +int Plugin::APIVersion() + { + return api_version; + } + +void Plugin::SetAPIVersion(int arg_version) + { + api_version = arg_version; } void Plugin::Init() 
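Review bot: `BifItem::operator=`, `Plugin::SetName` and `Plugin::SetDescription` each assign a new `copy_string` result over a pointer that is later `delete []`'d without freeing the previous allocation: the Plugin constructor already allocates `copy_string("")` for both fields and BRO_PLUGIN_BEGIN then calls SetName/SetDescription, so every plugin leaks two small strings, and every BifItem assignment leaks its old id. `delete [] id;` before `id = copy_string(other.id);`, with the matching `delete [] name;` / `delete [] description;` in the two setters, closes this. The new accessors `Name()`, `Description()`, `Version()` and `APIVersion()` do not modify state and could be declared `const`.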
@@ -50,17 +103,26 @@ void Plugin::InitBif() for ( bif_init_func_result::const_iterator i = items.begin(); i != items.end(); i++ ) { - BifItem bi; - bi.id = (*i).first; - bi.type = (BifItem::Type)(*i).second; + BifItem bi((*i).first, (BifItem::Type)(*i).second); bif_items.push_back(bi); } } } -const Plugin::bif_item_list& Plugin::BifItems() +Plugin::bif_item_list Plugin::BifItems() { - return bif_items; + bif_item_list l1 = bif_items; + bif_item_list l2 = CustomBifItems(); + + for ( bif_item_list::const_iterator i = l2.begin(); i != l2.end(); i++ ) + l1.push_back(*i); + + return l1; + } + +Plugin::bif_item_list Plugin::CustomBifItems() + { + return bif_item_list(); } void Plugin::Done() @@ -89,24 +151,18 @@ void Plugin::AddBifInitFunction(bif_init_func c) void Plugin::Describe(ODesc* d) { d->Add("Plugin: "); - d->Add(description.name); + d->Add(name); - if ( description.description.size() ) + if ( description && *description ) { d->Add(" - "); - d->Add(description.description); + d->Add(description); } - if ( description.version != BRO_PLUGIN_VERSION_BUILTIN ) + if ( version != BRO_PLUGIN_VERSION_BUILTIN ) { d->Add(" (version "); - d->Add(description.version); - - if ( description.url.size() ) - { - d->Add(", from "); - d->Add(description.url); - } + d->Add(version); d->Add(")"); } @@ -125,11 +181,13 @@ void Plugin::Describe(ODesc* d) d->Add("\n"); } - for ( bif_item_list::const_iterator i = bif_items.begin(); i != bif_items.end(); i++ ) + bif_item_list items = BifItems(); + + for ( bif_item_list::const_iterator i = items.begin(); i != items.end(); i++ ) { const char* type = 0; - switch ( (*i).type ) { + switch ( (*i).GetType() ) { case BifItem::FUNCTION: type = "Function"; break; @@ -158,7 +216,7 @@ void Plugin::Describe(ODesc* d) d->Add("["); d->Add(type); d->Add("] "); - d->Add((*i).id); + d->Add((*i).GetID()); d->Add("\n"); } } diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 314de47083..c5753767db 100644 --- a/src/plugin/Plugin.h 
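Review bot: `Plugin::BifItems()` copies `bif_items` and then appends `CustomBifItems()` element by element; if `bif_item_list` is a `std::list` (the `const_iterator`/`push_back` use suggests so), `l1.splice(l1.end(), l2);` does the append in one call, and `l1.insert(l1.end(), l2.begin(), l2.end());` works for any sequence container. Describe() now calls BifItems() and pays that copy on every call, which is acceptable for a description dump but worth a comment given the method used to return a reference. Plugin::Describe starts outside its hunk.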
+++ b/src/plugin/Plugin.h @@ -14,25 +14,30 @@ namespace plugin { class Manager; class Component; -struct Description { - std::string name; - std::string description; - std::string url; - int version; - int api_version; - - Description(); - void Describe(ODesc* d); - }; - -struct BifItem { +class BifItem { +public: // Values must match the integers bifcl generates. enum Type { FUNCTION = 1, EVENT = 2, CONSTANT = 3, GLOBAL = 4, TYPE = 5 }; - std::string id; + BifItem(const std::string& id, Type type); + BifItem(const BifItem& other); + BifItem& operator=(const BifItem& other); + ~BifItem(); + + const char* GetID() const { return id; } + Type GetType() const { return type; } + +private: + const char* id; Type type; }; +inline BifItem::BifItem(const std::string& arg_id, Type arg_type) + { + id = copy_string(arg_id.c_str()); + type = arg_type; + } + class Plugin { public: typedef std::list component_list; @@ -41,15 +46,17 @@ public: Plugin(); virtual ~Plugin(); - Description GetDescription() const; - void SetDescription(Description& desc); + const char* Name(); + const char* Description(); + int Version(); + int APIVersion(); component_list Components(); void InitBif(); // Must be called after InitBif() only. - const bif_item_list& BifItems(); + bif_item_list BifItems(); virtual void Init(); virtual void Done(); 
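Review bot: `BifItem(const std::string& id, Type type)` keeps a `std::string` in a public constructor while the rest of the series moves plugin-facing interfaces to `const char*` (the Manager.h comment in this same patch gives that as the motivation); a `BifItem(const char* id, Type type);` overload would let InitBif and external callers avoid the std type, assuming the pair type InitBif reads from allows it. The inline definition also carries no comment saying that `id` is deep-copied and owned by the item, which the copy constructor/destructor pair in Plugin.cc depends on.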
@@ -57,19 +64,42 @@ public: void Describe(ODesc* d); protected: + typedef std::list > bif_init_func_result; + typedef bif_init_func_result (*bif_init_func)(); + + void SetName(const char* name); + void SetDescription(const char* descr); + void SetVersion(int version); + void SetAPIVersion(int version); + /** * Takes ownership. */ void AddComponent(Component* c); - typedef std::list > bif_init_func_result; - typedef bif_init_func_result (*bif_init_func)(); + /** + * Can be overriden by derived class to inform the plugin about + * further BiF items they provide on their own (i.e., outside of the + * standard mechanism processing *.bif files automatically.). This + * information is for information purpuses only and will show up in + * the result of BifItem() as well as in the Describe() output. + */ + virtual bif_item_list CustomBifItems() ; + + /** + * Internal function adding an entry point for registering + * auto-generated BiFs. + */ void AddBifInitFunction(bif_init_func c); private: typedef std::list bif_init_func_list; - plugin::Description description; + const char* name; + const char* description; + int version; + int api_version; + component_list components; bif_item_list bif_items; bif_init_func_list bif_inits; diff --git a/src/protocols/BuiltInAnalyzers.cc b/src/protocols/BuiltInAnalyzers.cc index 3bc15621fd..b3597c63df 100644 --- a/src/protocols/BuiltInAnalyzers.cc +++ b/src/protocols/BuiltInAnalyzers.cc @@ -50,11 +50,9 @@ BuiltinAnalyzers builtin_analyzers; void BuiltinAnalyzers::Init() { - plugin::Description desc; - desc.name = "Core-Analyzers"; - desc.description = "Built-in protocol analyzers"; - desc.version = BRO_PLUGIN_VERSION_BUILTIN; - SetDescription(desc); + SetName("Core-Analyzers"); + SetDescription("Built-in protocol analyzers"); + SetVersion(BRO_PLUGIN_VERSION_BUILTIN); DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer); DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer); 
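Review bot: Plugin now owns `name` and `description` and frees them in `~Plugin()`, but declares no copy constructor or assignment operator, so an accidental copy of a Plugin (or of a derived plugin object) would double-free both strings; since the constructor registers `this` with the Manager, copying is clearly not intended, and a private, undefined `Plugin(const Plugin&);` and `Plugin& operator=(const Plugin&);` make that explicit in this pre-C++11 codebase. The CustomBifItems() comment has "overriden" and "purpuses", refers to `BifItem()` where the method is `BifItems()`, and the declaration has a stray space before its semicolon.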
diff --git a/src/protocols/http/HTTP.cc b/src/protocols/http/HTTP.cc index a58d5a6bf3..61ce2e0833 100644 --- a/src/protocols/http/HTTP.cc +++ b/src/protocols/http/HTTP.cc @@ -16,7 +16,7 @@ #include "plugin/Plugin.h" BRO_PLUGIN_BEGIN(HTTP) - BRO_PLUGIN_DESCRIPTION = "HTTP Analyzer"; + BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(functions); diff --git a/src/protocols/ssl/Plugin.cc b/src/protocols/ssl/Plugin.cc index fb47c9b946..743401896d 100644 --- a/src/protocols/ssl/Plugin.cc +++ b/src/protocols/ssl/Plugin.cc @@ -4,7 +4,7 @@ #include "SSL.h" BRO_PLUGIN_BEGIN(SSL) - BRO_PLUGIN_DESCRIPTION = "SSL Analyzer"; + BRO_PLUGIN_DESCRIPTION("SSL Analyzer"); BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/protocols/syslog/Plugin.cc b/src/protocols/syslog/Plugin.cc index a0a2934411..8560ee7c48 100644 --- a/src/protocols/syslog/Plugin.cc +++ b/src/protocols/syslog/Plugin.cc @@ -4,7 +4,7 @@ #include "Syslog.h" BRO_PLUGIN_BEGIN(Syslog) - BRO_PLUGIN_DESCRIPTION = "Syslog Analyzer (UDP-only currently)"; + BRO_PLUGIN_DESCRIPTION("Syslog Analyzer (UDP-only currently)"); BRO_PLUGIN_ANALYZER("SYSLOG", Syslog_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/scan.l b/src/scan.l index a4d80c88ed..babe036027 100644 --- a/src/scan.l +++ b/src/scan.l @@ -1042,6 +1042,7 @@ static void check_dpd_config_changes() valdesc.PushIndent(); v->Describe(&valdesc); +#if 0 if ( tag < AnalyzerTag::Error || tag > AnalyzerTag::LastAnalyzer ) { fprintf(stderr, "Warning: skipped bad analyzer tag: %i\n", tag); @@ -1049,8 +1050,9 @@ static void check_dpd_config_changes() } last_reST_doc->AddPortAnalysis( - Analyzer::GetTagName((AnalyzerTag::Tag)tag), + Analyzer::GetTagName((AnalyzerTag)tag), valdesc.Description()); +#endif } dpd_table->RemoveAll(); 
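Review bot: The dpd-config documentation block in check_dpd_config_changes is disabled with `#if 0` yet still edited inside (`(AnalyzerTag)tag`), so the cast change is never compiled, and the block keeps referencing `Analyzer::GetTagName` and the `AnalyzerTag::` constants this series is replacing; either drop the block or leave a `// TODO: port to the analyzer::Manager tag lookup` comment saying what it is waiting on, so the dead code does not read as a pending fix. check_dpd_config_changes starts and ends outside the hunk.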
diff --git a/src/util.h b/src/util.h index 7e0c1ba085..a07d83f761 100644 --- a/src/util.h +++ b/src/util.h @@ -5,8 +5,14 @@ // Expose C99 functionality from inttypes.h, which would otherwise not be // available in C++. +#ifndef __STDC_FORMAT_MACROS #define __STDC_FORMAT_MACROS +#endif + +#ifndef __STDC_LIMIT_MACROS #define __STDC_LIMIT_MACROS +#endif + #include #include From eb94c6becd22eb9ad3e6338d4e0ae18d58a792a4 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 9 Apr 2013 17:38:01 -0700 Subject: [PATCH 031/200] Fixing ref counting bug. --- src/analyzer/Manager.cc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 056c3c2b7d..8ac8cbf824 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -581,7 +581,11 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) conn->SetLifetime(non_analyzed_lifetime); for ( tag_set::iterator i = expected.begin(); i != expected.end(); i++ ) - conn->Event(scheduled_analyzer_applied, 0, i->AsEnumVal()); + { + EnumVal* tag = i->AsEnumVal(); + Ref(tag); + conn->Event(scheduled_analyzer_applied, 0, tag); + } return true; } From aeddca65230e9eb463299d5c29dab92b7f6cda8e Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 16 Apr 2013 13:56:24 -0700 Subject: [PATCH 032/200] More API documentation. --- scripts/base/frameworks/analyzer/main.bro | 91 +++++++++++++++++------ src/analyzer/Analyzer.h | 24 +++++- 2 files changed, 90 insertions(+), 25 deletions(-) diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index 8d2df76e4f..50ff6b775d 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro 
@@ -1,43 +1,90 @@ - +##! Framework for managing Bro's protocol analyzers. +##! +##! The analyzer framework allows to dynamically enable or disable analyzers, as +##! well as to manage the well-known ports which automatically active a particular +##! analyzer for new connections. +##! +##! Protocol analyzers are identified by unique tags of type +##! :bro:type:`Analyzer::Tag`, such as :bro:enum:`Analyzer::ANALYZER_HTTP` and +##! :bro:enum:`Analyzer::ANALYZER_HTTP`. These tags are defined internally by the +##! analyzers themselves, and documented in their analyzer-specific description along with the +##! events that they generate. +##! +##! .. todo: ``The ANALYZER_*`` are in fact not yet documented, we need to add that +##! to Broxygen. module Analyzer; -# Analyzer::Tag is defined in types.bif, and automatically extended by plugins -# as they are loaded. - export { - ## XXX + ## If true, all available analyzers are initially disabled at startup. One can + ## then selectively enable them with :bro:id:`enable_analyzer`. global disable_all = F &redef; - ## XXX. + ## Enables an analyzer. Once enabled, the analyzer may be used for analysis of + ## future connections as decided by Bro's dynamic protocol detection. + ## + ## tag: The tag of the analyzer to enable. + ## + ## Returns: True if the analyzer was successfully enabled. global enable_analyzer: function(tag: Analyzer::Tag) : bool; - ## XXX. + ## Disables an analyzer. Once disabled, the analyzer will not be used + ## further for analysis of future connections. + ## + ## tag: The tag of the analyzer to disable. + ## + ## Returns: True if the analyzer was successfully disabled. global disable_analyzer: function(tag: Analyzer::Tag) : bool; - ## XXX. + ## Registers a set of well-known ports for an analyzer. If a future connection + ## on one of these ports is seen, the analyzer will be automatically assigned + ## to parsing it. The function *adds* to all ports already registered, it doesn't + ## replace them . 
+ ## + ## tag: The tag of the analyzer. + ## + ## ports: The set of well-known ports to associate with the analyzer. + ## + ## Returns: True if the ports were sucessfully registered. global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool; - ## XXX. + ## Registers an individual well-known port for an analyzer. If a future connection + ## on this ports is seen, the analyzer will be automatically assigned to parsing + ## it. The function *adds* to all ports already registered, it doesn't + ## replace them . + ## + ## tag: The tag of the analyzer. + ## + ## p: The well-known port to associate with the analyzer. + ## + ## Returns: True if the port was sucessfully registered. global register_for_port: function(tag: Analyzer::Tag, p: port) : bool; - ## XXX. + ## Returns a set of all well-known ports currently registered for a + ## specific analyzer. + ## + ## tag: The tag of the analyzer. + ## + ## Returns: The set of ports. global registered_ports: function(tag: Analyzer::Tag) : set[port]; - ## XXX + ## Returns a table of all ports-to-analyzer mappings currently registered. + ## + ## Returns: A table mapping each analyzer to the set of ports + ## registered for it. global all_registered_ports: function() : table[Analyzer::Tag] of set[port]; - ## Translate an analyzer type to an ASCII string. + ## Translates an analyzer type to a string with the analyzer's. ## - ## atype: The analyzer tag. + ## tag: The analyzer tag. ## - ## Returns: The analyzer *aid* as string. - global name: function(atype: Analyzer::Tag) : string; + ## Returns: The analyzer name corresponding to the tag. + global name: function(tag: Analyzer::Tag) : string; - ## Schedules an analyzer for a future connection from a given IP address and - ## port. The function ignores the scheduling request if the connection did - ## not occur within the specified time interval. + ## Schedules an analyzer for a future connection originating from a given IP + ## address and port. 
## - ## orig: The IP address originating a connection in the future. + ## orig: The IP address originating a connection in the future. + ## 0.0.0.0 can be used as a wildcard to match any originator address. ## ## resp: The IP address responding to a connection from *orig*. ## @@ -45,13 +92,15 @@ export { ## ## analyzer: The analyzer ID. ## - ## tout: The timeout interval after which to ignore the scheduling request. + ## tout: A timeout interval after which the scheduling request will be + ## discarded if the connection has not yet been seen. ## ## Returns: True if succesful. global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool; - ## Analyzers to disable at startup. + ## A set of analyzers to disable by at startup. The default set + ## contains legacy analyzers that are no longer supported. global disabled_analyzers: set[Analyzer::Tag] = { ANALYZER_INTERCONN, ANALYZER_STEPPINGSTONE, diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index f509f79941..3800307c82 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
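Review bot: The new header comment lists `Analyzer::ANALYZER_HTTP` twice (as the `:bro:enum:` role) where a second, distinct example was presumably intended, and the `name` function's doc reads "Translates an analyzer type to a string with the analyzer's." with the sentence cut off (`## Translates an analyzer type to a string with the analyzer's name.`). Smaller slips in the same hunks: "sucessfully" (twice), "on this ports is seen", "replace them ." with a space before the period, and "disable by at startup" in the `@@ -45` hunk.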
@@ -28,23 +28,39 @@ typedef list analyzer_list; typedef uint32 ID; typedef void (Analyzer::*analyzer_timer_func)(double t); - /** - * XXX - */ +/** + * Class to receive processed output from an anlyzer. + */ class OutputHandler { public: + /** + * Destructor. + */ virtual ~OutputHandler() { } + /** + * Hook for receiving packet data. Parameters are the same as for + * Analyzer::DeliverPacket(). + */ virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { } + + /** + * Hook for receiving stream data. Parameters are the same as for + * Analyzer::DeliverStream(). + */ virtual void DeliverStream(int len, const u_char* data, bool orig) { } + + /** + * Hook for receiving notification of stream gaps. Parameters are the + * same as for Analyzer::Undelivered(). + */ virtual void Undelivered(int seq, int len, bool orig) { } }; - /** * Main analyzer interface. * From e6eddbd9182fee32a962d0658d72fca38751cebc Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 16 Apr 2013 13:56:35 -0700 Subject: [PATCH 033/200] Missing dependency. --- src/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index aa51e68e91..5d21c36e71 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -411,4 +411,5 @@ set(BRO_EXE bro include(BroPlugin) bro_plugin_bif_create_loader(bif_loader ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins) +add_dependencies(bif_loader ${bro_SUBDIRS}) add_dependencies(bro bif_loader) From 7a95f5322c8bad9ce821088133df81daa14d661b Mon Sep 17 00:00:00 2001 
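Review bot: The new class comment on OutputHandler misspells "analyzer": `* Class to receive processed output from an analyzer.` Since every hook in this class has an empty inline body, the class comment should also say that the default implementations are no-ops and subclasses override only the delivery paths they care about, so that readers do not go looking for base-class behavior. The three hook comments refer to Analyzer::DeliverPacket()/DeliverStream()/Undelivered() for parameter meaning, which is fine as long as those methods are documented; their definitions are outside this hunk.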
From: Robin Sommer Date: Tue, 16 Apr 2013 14:29:11 -0700 Subject: [PATCH 034/200] Moving src/protocols to src/analyzer/protocols. This is for consistency with where readers/writers are located: inside the subdirectories of the corresponding code. --- src/CMakeLists.txt | 3 +-- src/analyzer/CMakeLists.txt | 2 ++ src/{ => analyzer}/protocols/BuiltInAnalyzers.cc | 2 +- src/{ => analyzer}/protocols/BuiltInAnalyzers.h | 0 src/{ => analyzer}/protocols/CMakeLists.txt | 0 src/{ => analyzer}/protocols/http/CMakeLists.txt | 0 src/{ => analyzer}/protocols/http/HTTP.cc | 0 src/{ => analyzer}/protocols/http/HTTP.h | 0 src/{ => analyzer}/protocols/http/events.bif | 0 src/{ => analyzer}/protocols/http/functions.bif | 0 src/{ => analyzer}/protocols/ssl/CMakeLists.txt | 0 src/{ => analyzer}/protocols/ssl/Plugin.cc | 0 src/{ => analyzer}/protocols/ssl/SSL.cc | 0 src/{ => analyzer}/protocols/ssl/SSL.h | 0 src/{ => analyzer}/protocols/ssl/events.bif | 0 src/{ => analyzer}/protocols/ssl/ssl-analyzer.pac | 0 src/{ => analyzer}/protocols/ssl/ssl-defs.pac | 0 src/{ => analyzer}/protocols/ssl/ssl-protocol.pac | 0 src/{ => analyzer}/protocols/ssl/ssl.pac | 0 src/{ => analyzer}/protocols/syslog/CMakeLists.txt | 0 src/{ => analyzer}/protocols/syslog/Plugin.cc | 0 src/{ => analyzer}/protocols/syslog/Syslog.cc | 0 src/{ => analyzer}/protocols/syslog/Syslog.h | 0 src/{ => analyzer}/protocols/syslog/events.bif | 0 src/{ => analyzer}/protocols/syslog/syslog-analyzer.pac | 0 src/{ => analyzer}/protocols/syslog/syslog-protocol.pac | 0 src/{ => analyzer}/protocols/syslog/syslog.pac | 0 27 files changed, 4 insertions(+), 3 deletions(-) rename src/{ => analyzer}/protocols/BuiltInAnalyzers.cc (99%) rename src/{ => analyzer}/protocols/BuiltInAnalyzers.h (100%) rename src/{ => analyzer}/protocols/CMakeLists.txt (100%) rename src/{ => analyzer}/protocols/http/CMakeLists.txt (100%) rename src/{ => analyzer}/protocols/http/HTTP.cc (100%) rename src/{ => analyzer}/protocols/http/HTTP.h (100%) rename src/{ => 
analyzer}/protocols/http/events.bif (100%) rename src/{ => analyzer}/protocols/http/functions.bif (100%) rename src/{ => analyzer}/protocols/ssl/CMakeLists.txt (100%) rename src/{ => analyzer}/protocols/ssl/Plugin.cc (100%) rename src/{ => analyzer}/protocols/ssl/SSL.cc (100%) rename src/{ => analyzer}/protocols/ssl/SSL.h (100%) rename src/{ => analyzer}/protocols/ssl/events.bif (100%) rename src/{ => analyzer}/protocols/ssl/ssl-analyzer.pac (100%) rename src/{ => analyzer}/protocols/ssl/ssl-defs.pac (100%) rename src/{ => analyzer}/protocols/ssl/ssl-protocol.pac (100%) rename src/{ => analyzer}/protocols/ssl/ssl.pac (100%) rename src/{ => analyzer}/protocols/syslog/CMakeLists.txt (100%) rename src/{ => analyzer}/protocols/syslog/Plugin.cc (100%) rename src/{ => analyzer}/protocols/syslog/Syslog.cc (100%) rename src/{ => analyzer}/protocols/syslog/Syslog.h (100%) rename src/{ => analyzer}/protocols/syslog/events.bif (100%) rename src/{ => analyzer}/protocols/syslog/syslog-analyzer.pac (100%) rename src/{ => analyzer}/protocols/syslog/syslog-protocol.pac (100%) rename src/{ => analyzer}/protocols/syslog/syslog.pac (100%) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 5d21c36e71..bc68d0d67f 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -162,7 +162,6 @@ binpac_target(modbus.pac set(bro_PLUGIN_OBJECT_LIBS CACHE INTERNAL "plugin object libraries" FORCE) add_subdirectory(analyzer) -add_subdirectory(protocols) set(bro_SUBDIRS $ @@ -392,7 +391,7 @@ set(bro_SRCS plugin/Manager.cc plugin/Plugin.cc - protocols/BuiltInAnalyzers.cc + analyzer/protocols/BuiltInAnalyzers.cc nb_dns.c digest.h diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt index 68742116ef..1172b0d811 100644 --- a/src/analyzer/CMakeLists.txt +++ b/src/analyzer/CMakeLists.txt @@ -4,6 +4,8 @@ include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR} ) +add_subdirectory(protocols) + set(analyzer_SRCS Analyzer.cc Manager.cc 
diff --git a/src/protocols/BuiltInAnalyzers.cc b/src/analyzer/protocols/BuiltInAnalyzers.cc similarity index 99% rename from src/protocols/BuiltInAnalyzers.cc rename to src/analyzer/protocols/BuiltInAnalyzers.cc index b3597c63df..8403b1bb25 100644 --- a/src/protocols/BuiltInAnalyzers.cc +++ b/src/analyzer/protocols/BuiltInAnalyzers.cc @@ -5,7 +5,7 @@ #include "BuiltInAnalyzers.h" #include "analyzer/Component.h" -#include "../binpac_bro.h" +#include "../../binpac_bro.h" #include "AYIYA.h" #include "BackDoor.h" diff --git a/src/protocols/BuiltInAnalyzers.h b/src/analyzer/protocols/BuiltInAnalyzers.h similarity index 100% rename from src/protocols/BuiltInAnalyzers.h rename to src/analyzer/protocols/BuiltInAnalyzers.h diff --git a/src/protocols/CMakeLists.txt b/src/analyzer/protocols/CMakeLists.txt similarity index 100% rename from src/protocols/CMakeLists.txt rename to src/analyzer/protocols/CMakeLists.txt diff --git a/src/protocols/http/CMakeLists.txt b/src/analyzer/protocols/http/CMakeLists.txt similarity index 100% rename from src/protocols/http/CMakeLists.txt rename to src/analyzer/protocols/http/CMakeLists.txt diff --git a/src/protocols/http/HTTP.cc b/src/analyzer/protocols/http/HTTP.cc similarity index 100% rename from src/protocols/http/HTTP.cc rename to src/analyzer/protocols/http/HTTP.cc diff --git a/src/protocols/http/HTTP.h b/src/analyzer/protocols/http/HTTP.h similarity index 100% rename from src/protocols/http/HTTP.h rename to src/analyzer/protocols/http/HTTP.h diff --git a/src/protocols/http/events.bif b/src/analyzer/protocols/http/events.bif similarity index 100% rename from src/protocols/http/events.bif rename to src/analyzer/protocols/http/events.bif diff --git a/src/protocols/http/functions.bif b/src/analyzer/protocols/http/functions.bif similarity index 100% rename from src/protocols/http/functions.bif rename to src/analyzer/protocols/http/functions.bif 
diff --git a/src/protocols/ssl/CMakeLists.txt b/src/analyzer/protocols/ssl/CMakeLists.txt similarity index 100% rename from src/protocols/ssl/CMakeLists.txt rename to src/analyzer/protocols/ssl/CMakeLists.txt diff --git a/src/protocols/ssl/Plugin.cc b/src/analyzer/protocols/ssl/Plugin.cc similarity index 100% rename from src/protocols/ssl/Plugin.cc rename to src/analyzer/protocols/ssl/Plugin.cc diff --git a/src/protocols/ssl/SSL.cc b/src/analyzer/protocols/ssl/SSL.cc similarity index 100% rename from src/protocols/ssl/SSL.cc rename to src/analyzer/protocols/ssl/SSL.cc diff --git a/src/protocols/ssl/SSL.h b/src/analyzer/protocols/ssl/SSL.h similarity index 100% rename from src/protocols/ssl/SSL.h rename to src/analyzer/protocols/ssl/SSL.h diff --git a/src/protocols/ssl/events.bif b/src/analyzer/protocols/ssl/events.bif similarity index 100% rename from src/protocols/ssl/events.bif rename to src/analyzer/protocols/ssl/events.bif diff --git a/src/protocols/ssl/ssl-analyzer.pac b/src/analyzer/protocols/ssl/ssl-analyzer.pac similarity index 100% rename from src/protocols/ssl/ssl-analyzer.pac rename to src/analyzer/protocols/ssl/ssl-analyzer.pac diff --git a/src/protocols/ssl/ssl-defs.pac b/src/analyzer/protocols/ssl/ssl-defs.pac similarity index 100% rename from src/protocols/ssl/ssl-defs.pac rename to src/analyzer/protocols/ssl/ssl-defs.pac diff --git a/src/protocols/ssl/ssl-protocol.pac b/src/analyzer/protocols/ssl/ssl-protocol.pac similarity index 100% rename from src/protocols/ssl/ssl-protocol.pac rename to src/analyzer/protocols/ssl/ssl-protocol.pac diff --git a/src/protocols/ssl/ssl.pac b/src/analyzer/protocols/ssl/ssl.pac similarity index 100% rename from src/protocols/ssl/ssl.pac rename to src/analyzer/protocols/ssl/ssl.pac diff --git a/src/protocols/syslog/CMakeLists.txt b/src/analyzer/protocols/syslog/CMakeLists.txt similarity index 100% rename from src/protocols/syslog/CMakeLists.txt rename to src/analyzer/protocols/syslog/CMakeLists.txt 
diff --git a/src/protocols/syslog/Plugin.cc b/src/analyzer/protocols/syslog/Plugin.cc similarity index 100% rename from src/protocols/syslog/Plugin.cc rename to src/analyzer/protocols/syslog/Plugin.cc diff --git a/src/protocols/syslog/Syslog.cc b/src/analyzer/protocols/syslog/Syslog.cc similarity index 100% rename from src/protocols/syslog/Syslog.cc rename to src/analyzer/protocols/syslog/Syslog.cc diff --git a/src/protocols/syslog/Syslog.h b/src/analyzer/protocols/syslog/Syslog.h similarity index 100% rename from src/protocols/syslog/Syslog.h rename to src/analyzer/protocols/syslog/Syslog.h diff --git a/src/protocols/syslog/events.bif b/src/analyzer/protocols/syslog/events.bif similarity index 100% rename from src/protocols/syslog/events.bif rename to src/analyzer/protocols/syslog/events.bif diff --git a/src/protocols/syslog/syslog-analyzer.pac b/src/analyzer/protocols/syslog/syslog-analyzer.pac similarity index 100% rename from src/protocols/syslog/syslog-analyzer.pac rename to src/analyzer/protocols/syslog/syslog-analyzer.pac diff --git a/src/protocols/syslog/syslog-protocol.pac b/src/analyzer/protocols/syslog/syslog-protocol.pac similarity index 100% rename from src/protocols/syslog/syslog-protocol.pac rename to src/analyzer/protocols/syslog/syslog-protocol.pac diff --git a/src/protocols/syslog/syslog.pac b/src/analyzer/protocols/syslog/syslog.pac similarity index 100% rename from src/protocols/syslog/syslog.pac rename to src/analyzer/protocols/syslog/syslog.pac From a191eed7db7b625d40336ef7aabbd2d245cbb54a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 16 Apr 2013 14:43:20 -0700 Subject: [PATCH 035/200] Adding separate Plugin.cc for HTTP analyzer for consistency. --- src/analyzer/protocols/http/CMakeLists.txt | 2 +- src/analyzer/protocols/http/HTTP.cc | 9 --------- src/analyzer/protocols/http/Plugin.cc | 10 ++++++++++ 3 files changed, 11 insertions(+), 10 deletions(-) create mode 100644 src/analyzer/protocols/http/Plugin.cc 
diff --git a/src/analyzer/protocols/http/CMakeLists.txt b/src/analyzer/protocols/http/CMakeLists.txt index b6d877cdd7..68bdb632a4 100644 --- a/src/analyzer/protocols/http/CMakeLists.txt +++ b/src/analyzer/protocols/http/CMakeLists.txt @@ -4,7 +4,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(HTTP) -bro_plugin_cc(HTTP.cc) +bro_plugin_cc(HTTP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) bro_plugin_end() diff --git a/src/analyzer/protocols/http/HTTP.cc b/src/analyzer/protocols/http/HTTP.cc index 61ce2e0833..98c8ad484e 100644 --- a/src/analyzer/protocols/http/HTTP.cc +++ b/src/analyzer/protocols/http/HTTP.cc @@ -13,15 +13,6 @@ #include "Event.h" #include "MIME.h" -#include "plugin/Plugin.h" - -BRO_PLUGIN_BEGIN(HTTP) - BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); - BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_BIF_FILE(events); - BRO_PLUGIN_BIF_FILE(functions); -BRO_PLUGIN_END - const bool DEBUG_http = false; // The EXPECT_*_NOTHING states are used to prevent further parsing. Used if a diff --git a/src/analyzer/protocols/http/Plugin.cc b/src/analyzer/protocols/http/Plugin.cc new file mode 100644 index 0000000000..5dab5c3c18 --- /dev/null +++ b/src/analyzer/protocols/http/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "HTTP.h" + +BRO_PLUGIN_BEGIN(HTTP) + BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); + BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END From 56edef16462b4fa078fc07b8cc12dfb43e40de69 Mon Sep 17 00:00:00 2001 
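Review bot: The new Plugin.cc drops `BRO_PLUGIN_BIF_FILE(functions);`, which the block removed from HTTP.cc in this same commit did register, while the CMakeLists.txt hunk still builds `functions.bif` via `bro_plugin_bif(functions.bif)`. Unless functions.bif is now loaded by some other path that this diff does not show, the HTTP built-in functions will be compiled but never registered with the plugin, so scripts calling them would fail at load time. The fix is a single line after the events registration: `BRO_PLUGIN_BIF_FILE(functions);`. A short comment on the BRO_PLUGIN_BEGIN block noting that every .bif listed in CMakeLists.txt must also be listed here would help prevent the same drift in the other analyzers being moved to this layout.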
From: Robin Sommer Date: Tue, 16 Apr 2013 14:47:17 -0700 Subject: [PATCH 036/200] Removing left-overs from BinPAC http analyzer. --- src/http-analyzer.pac | 430 ------------------------------------------ src/http-protocol.pac | 140 -------------- src/http.pac | 10 - 3 files changed, 580 deletions(-) delete mode 100644 src/http-analyzer.pac delete mode 100644 src/http-protocol.pac delete mode 100644 src/http.pac diff --git a/src/http-analyzer.pac b/src/http-analyzer.pac deleted file mode 100644 index e12be59438..0000000000 --- a/src/http-analyzer.pac +++ /dev/null 
@@ -1,430 +0,0 @@ -%extern{ -#include - -// Used by unescape_URI(). -extern int is_reserved_URI_char(unsigned char ch); -extern int is_unreserved_URI_char(unsigned char ch); -%} - -# Remember to call bytestring::free() on the result. -function to_upper(s: const_bytestring): bytestring - %{ - char* buf = new char[s.length() + 1]; - const char* sp = (const char*) s.begin(); - - for ( int i = 0; i < s.length(); ++i ) - if ( islower(sp[i]) ) - buf[i] = toupper(sp[i]); - else - buf[i] = sp[i]; - - buf[s.length()] = '\0'; - - return bytestring((uint8*) buf, s.length()); - %} - -connection HTTP_Conn(bro_analyzer: BroAnalyzer) { - upflow = HTTP_Flow(true); - downflow = HTTP_Flow(false); -}; - -flow HTTP_Flow(is_orig: bool) { - flowunit = HTTP_PDU(is_orig) withcontext (connection, this); - - # States. - %member{ - int content_length_; - DeliveryMode delivery_mode_; - bytestring end_of_multipart_; - - double msg_start_time_; - int msg_begin_seq_; - int msg_header_end_seq_; - - bool build_headers_; - vector headers_; - %} - - %init{ - content_length_ = 0; - delivery_mode_ = UNKNOWN_DELIVERY_MODE; - - msg_start_time_ = 0; - msg_begin_seq_ = 0; - msg_header_end_seq_ = -1; - - build_headers_ = (::http_all_headers != 0); - %} - - %cleanup{ - end_of_multipart_.free(); - %} - - function content_length(): int - %{ - return content_length_; - %} - - function delivery_mode(): DeliveryMode - %{ - return delivery_mode_; - %} - - function end_of_multipart(): const_bytestring - %{ - return end_of_multipart_; - %} - - # Methods. 
- function http_request(method: const_bytestring, uri: const_bytestring, - vers: HTTP_Version): bool - %{ - if ( ::http_request ) - { - bytestring unescaped_uri = unescape_uri(uri); - BifEvent::generate_http_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - bytestring_to_val(method), - bytestring_to_val(uri), - bytestring_to_val(unescaped_uri), - bytestring_to_val(${vers.vers_str})); - unescaped_uri.free(); - } - - http_message_begin(); - - return true; - %} - - function http_reply(vers: HTTP_Version, code: int, - reason: const_bytestring): bool - %{ - if ( ::http_reply ) - { - BifEvent::generate_http_reply(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - bytestring_to_val(${vers.vers_str}), code, - bytestring_to_val(reason)); - } - - http_message_begin(); - - return true; - %} - - function build_http_header_val(name: const_bytestring, - value: const_bytestring): BroVal - %{ - RecordVal* header_record = new RecordVal(mime_header_rec); - - StringVal* name_val = 0; - if ( name.length() > 0 ) - { - // Make it all uppercase. - name_val = new StringVal(name.length(), - (const char*) name.begin()); - name_val->ToUpper(); - } - else - name_val = new StringVal(""); - - header_record->Assign(0, name_val); - header_record->Assign(1, bytestring_to_val(value)); - - return header_record; - %} - - function extract_boundary(value: const_bytestring): bytestring - %{ - const char* boundary_prefix = "boundary="; - const char* boundary_begin = strcasestr( - (const char*) value.begin(), - boundary_prefix); - - if ( ! boundary_begin ) - return bytestring(); - - boundary_begin += 9; - - const char* boundary_end = strcasestr(boundary_begin, ";"); - if ( ! 
boundary_end ) - boundary_end = (const char*) value.end(); - - return bytestring((const uint8*) boundary_begin, - (const uint8*) boundary_end); - %} - - function is_end_of_multipart(line: const_bytestring): bool - %{ - if ( line.length() < 4 + end_of_multipart_.length() ) - return false; - - int len = end_of_multipart_.length(); - - // line =?= "--" end_of_multipart_ "--" - return ( line[0] == '-' && line[1] == '-' && - line[len + 2] == '-' && line[len + 3] == '-' && - strncmp((const char*) line.begin() + 2, - (const char*) end_of_multipart_.begin(), - len) == 0 ); - %} - - function http_header(name_colon: const_bytestring, - value: const_bytestring): bool - %{ - const_bytestring name( - name_colon.begin(), - name_colon.length() > 0 ? - name_colon.end() - 1 : - name_colon.end()); - - if ( bytestring_casecmp(name, "CONTENT-LENGTH") == 0 ) - { - content_length_ = bytestring_to_int(value, 10); - delivery_mode_ = CONTENT_LENGTH; - } - - else if ( bytestring_casecmp(name, "TRANSFER-ENCODING") == 0 ) - { - if ( bytestring_caseprefix(value, "CHUNKED") ) - delivery_mode_ = CHUNKED; - } - - else if ( bytestring_casecmp(name, "CONTENT-TYPE") == 0 ) - { - if ( bytestring_caseprefix(value, "MULTIPART") ) - { - end_of_multipart_.free(); - end_of_multipart_ = extract_boundary(value); - if ( end_of_multipart_.length() > 0 ) - delivery_mode_ = MULTIPART; - } - } - - if ( ::http_header ) - { - BifEvent::generate_http_header(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - is_orig(), - bytestring_to_val(name)->ToUpper(), - bytestring_to_val(value)); - } - - if ( build_headers_ ) - headers_.push_back(build_http_header_val(name, value)); - - return true; - %} - - function build_http_headers_val(): BroVal - %{ - TableVal* t = new TableVal(mime_header_list); - - for ( unsigned int i = 0; i < headers_.size(); ++i ) - { // index starting from 1 - Val* index = new Val(i + 1, TYPE_COUNT); - t->Assign(index, headers_[i]); - Unref(index); - } - - return t; - %} - - 
function gen_http_all_headers(): void - %{ - if ( ::http_all_headers ) - { - BifEvent::generate_http_all_headers(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - is_orig(), - build_http_headers_val()); - } - - headers_.clear(); - %} - - function http_end_of_headers(headers: HTTP_Headers): bool - %{ - if ( delivery_mode_ != CHUNKED && build_headers_ ) - gen_http_all_headers(); - - // Check if this is the first set of headers - // (i.e. not headers after chunks). - if ( msg_header_end_seq_ == -1 ) - msg_header_end_seq_ = flow_buffer_->data_seq(); - - return true; - %} - - function http_message_begin(): void - %{ - msg_start_time_ = network_time(); - if ( ::http_begin_entity ) - { - BifEvent::generate_http_begin_entity(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), is_orig()); - } - %} - - function build_http_message_stat(): BroVal - %{ - int msg_header_length = msg_header_end_seq_ - msg_begin_seq_; - int msg_body_length = - flow_buffer_->data_seq() - msg_header_end_seq_; - - bool msg_interrupted = false; - - RecordVal* stat = new RecordVal(http_message_stat); - int field = 0; - stat->Assign(field++, new Val(msg_start_time_, TYPE_TIME)); - stat->Assign(field++, new Val(msg_interrupted, TYPE_BOOL)); - stat->Assign(field++, new StringVal("")); - stat->Assign(field++, new Val(msg_body_length, TYPE_COUNT)); - stat->Assign(field++, new Val(0, TYPE_COUNT)); - stat->Assign(field++, new Val(msg_header_length, TYPE_COUNT)); - - return stat; - %} - - function http_message_done(pdu: HTTP_PDU): bool - %{ - if ( ! 
headers_.empty() ) - gen_http_all_headers(); - - if ( ::http_end_entity ) - { - BifEvent::generate_http_end_entity(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), is_orig()); - } - - if ( ::http_message_done ) - { - BifEvent::generate_http_message_done(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - is_orig(), build_http_message_stat()); - } - - end_of_multipart_.free(); - - // Initialize for next message. - msg_begin_seq_ = flow_buffer_->data_seq(); - msg_header_end_seq_ = -1; - - return true; - %} - - # Remember to call bytestring::free() on the result - function unescape_uri(uri: const_bytestring): bytestring - %{ - const u_char* line = uri.begin(); - const u_char* line_end = uri.end(); - BroAnalyzer a = connection()->bro_analyzer(); - - // ### Copied from HTTP.cc - byte_vec decoded_URI = new u_char[line_end - line + 1]; - byte_vec URI_p = decoded_URI; - - // An 'unescaped_special_char' here means a character that - // *should* be escaped, but isn't in the URI. A control - // character that appears directly in the URI would be an - // example. The RFC implies that if we do not unescape the - // URI that we see in the trace, every character should be a - // printable one -- either reserved or unreserved (or '%'). - // - // Counting the number of unescaped characters and generating - // a weird event on URI's with unescaped characters (which - // are rare) will let us locate strange-looking URI's in the - // trace -- those URI's are often interesting. - - int unescaped_special_char = 0; - - while ( line < line_end ) - { - if ( *line == '%' ) - { - ++line; - - if ( line == line_end ) - { - // How to deal with % at end of line? - // *URI_p++ = '%'; - if ( a ) - a->Weird("illegal_%_at_end_of_URI"); - break; - } - - else if ( *line == '%' ) - { - // Double '%' might be either due to - // software bug, or, more likely, an - // evasion (e.g., used by Nimda). 
- // *URI_p++ = '%'; - if ( a ) - a->Weird("double_%_in_URI"); - --line; // ignore the first '%' - } - - else if ( isxdigit(line[0]) && isxdigit(line[1]) ) - { - *URI_p++ = (decode_hex(line[0]) << 4) + - decode_hex(line[1]); - ++line; // place line at last hex digit - } - - else - { - if ( a ) - a->Weird("unescaped_%_in_URI"); - *URI_p++ = '%'; // put back initial '%' - // Take char. without interpretation.. - *URI_p++ = *line; - } - } - - else - { - if ( ! is_reserved_URI_char(*line) && - ! is_unreserved_URI_char(*line) ) - // Count these up as a way to compress - // the corresponding Weird event to a - // single instance. - ++unescaped_special_char; - *URI_p++ = *line; - } - - ++line; - } - - URI_p[0] = 0; - - if ( unescaped_special_char && a ) - a->Weird("unescaped_special_URI_char"); - - return bytestring(decoded_URI, URI_p - decoded_URI); - %} -}; - -refine typeattr HTTP_RequestLine += &let { - process_request: bool = - $context.flow.http_request(method, uri, version); -}; - -refine typeattr HTTP_ReplyLine += &let { - process_reply: bool = - $context.flow.http_reply(version, status.stat_num, reason); -}; - -refine typeattr HTTP_Header += &let { - process_header: bool = - $context.flow.http_header(name, value); -}; - -refine typeattr HTTP_Headers += &let { - process_end_of_headers: bool = - $context.flow.http_end_of_headers(this); -}; - -refine typeattr HTTP_PDU += &let { - process_message: bool = - $context.flow.http_message_done(this); -}; diff --git a/src/http-protocol.pac b/src/http-protocol.pac deleted file mode 100644 index e4487a75e3..0000000000 --- a/src/http-protocol.pac +++ /dev/null 
@@ -1,140 +0,0 @@ -enum ExpectBody { - BODY_EXPECTED, - BODY_NOT_EXPECTED, - BODY_MAYBE, -}; - -enum DeliveryMode { - UNKNOWN_DELIVERY_MODE, - CONTENT_LENGTH, - CHUNKED, - MULTIPART, -}; - -## token = 1* -## separators = "(" | ")" | "<" | ">" | "@" -## | "," | ";" | ":" | "\" | <"> -## | "/" | "[" | "]" | "?" | "=" -## | "{" | "}" | SP | HT -## reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | -## "$" | "," - -type HTTP_TOKEN = RE/[^()<>@,;:\\"\/\[\]?={} \t]+/; -type HTTP_WS = RE/[ \t]*/; -type HTTP_URI = RE/[[:alnum:][:punct:]]+/; - -type HTTP_PDU(is_orig: bool) = case is_orig of { - true -> request: HTTP_Request; - false -> reply: HTTP_Reply; -}; - -type HTTP_Request = record { - request: HTTP_RequestLine; - msg: HTTP_Message(BODY_MAYBE); -}; - -function expect_reply_body(reply_status: int): ExpectBody - %{ - // TODO: check if the request is "HEAD" - if ( (reply_status >= 100 && reply_status < 200) || - reply_status == 204 || reply_status == 304 ) - return BODY_NOT_EXPECTED; - return BODY_EXPECTED; - %} - -type HTTP_Reply = record { - reply: HTTP_ReplyLine; - msg: HTTP_Message(expect_reply_body(reply.status.stat_num)); -}; - -type HTTP_RequestLine = record { - method: HTTP_TOKEN; - : HTTP_WS; - uri: HTTP_URI; - : HTTP_WS; - version: HTTP_Version; -} &oneline; - -type HTTP_ReplyLine = record { - version: HTTP_Version; - : HTTP_WS; - status: HTTP_Status; - : HTTP_WS; - reason: bytestring &restofdata; -} &oneline; - -type HTTP_Status = record { - stat_str: RE/[0-9]{3}/; -} &let { - stat_num: int = bytestring_to_int(stat_str, 10); -}; - -type HTTP_Version = record { - : "HTTP/"; - vers_str: RE/[0-9]+\.[0-9]+/; -} &let { - vers_num: double = bytestring_to_double(vers_str); -}; - -type HTTP_Headers = HTTP_Header[] &until($input.length() == 0); - -type HTTP_Message(expect_body: ExpectBody) = record { - headers: HTTP_Headers; - body_or_not: case expect_body of { - BODY_NOT_EXPECTED -> none: empty; - default -> body: HTTP_Body(expect_body); - }; -}; - -# 
Multi-line headers are supported by allowing header names to be -# empty. -# -type HTTP_HEADER_NAME = RE/|([^: \t]+:)/; -type HTTP_Header = record { - name: HTTP_HEADER_NAME &transient; - : HTTP_WS; - value: bytestring &restofdata &transient; -} &oneline; - -type MIME_Line = record { - line: bytestring &restofdata &transient; -} &oneline; - -type MIME_Lines = MIME_Line[] - &until($context.flow.is_end_of_multipart($input)); - -# TODO: parse multipart message according to MIME -type HTTP_Body(expect_body: ExpectBody) = - case $context.flow.delivery_mode() of { - - CONTENT_LENGTH -> body: bytestring - &length = $context.flow.content_length(), - &chunked; - - CHUNKED -> chunks: HTTP_Chunks; - - MULTIPART -> multipart: MIME_Lines; - - default -> unknown: HTTP_UnknownBody(expect_body); -}; - -type HTTP_UnknownBody(expect_body: ExpectBody) = case expect_body of { - BODY_MAYBE, BODY_NOT_EXPECTED -> maybenot: empty; - BODY_EXPECTED -> rest: bytestring &restofflow &chunked; -}; - -type HTTP_Chunks = record { - chunks: HTTP_Chunk[] &until($element.chunk_length == 0); - headers: HTTP_Headers; -}; - -type HTTP_Chunk = record { - length_line: bytestring &oneline; - data: bytestring &length = chunk_length &chunked; - opt_crlf: case chunk_length of { - 0 -> none: empty; - default -> crlf: bytestring &oneline &check(trailing_crlf == ""); - }; -} &let { - chunk_length: int = bytestring_to_int(length_line, 16); -}; diff --git a/src/http.pac b/src/http.pac deleted file mode 100644 index 38e6ad0b5e..0000000000 --- a/src/http.pac +++ /dev/null @@ -1,10 +0,0 @@ -%include binpac.pac -%include bro.pac - -analyzer HTTP withcontext { - connection: HTTP_Conn; - flow: HTTP_Flow; -}; - -%include http-protocol.pac -%include http-analyzer.pac From dfc4cb08812a1658f93028693e1cc42dc67bf977 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Tue, 16 Apr 2013 16:07:20 -0700 Subject: [PATCH 037/200] Moving all analyzers over to new structure. This is a checkpoint, it works but there's more cleanup to do. TODOs in src/analyzer/protocols/TODO. --- doc/scripts/DocSourcesList.cmake | 41 +++++- src/CMakeLists.txt | 67 +--------- src/Conn.cc | 2 +- src/Func.cc | 2 +- src/RuleAction.cc | 2 +- src/RuleCondition.cc | 2 +- src/Sessions.cc | 10 +- src/Sessions.h | 2 + src/Stats.cc | 78 ------------ src/Stats.h | 64 ---------- src/analyzer/Analyzer.cc | 2 +- src/analyzer/Manager.cc | 30 +++-- src/analyzer/protocols/BuiltInAnalyzers.cc | 119 ------------------ src/analyzer/protocols/BuiltInAnalyzers.h | 17 --- src/analyzer/protocols/CMakeLists.txt | 33 +++++ src/analyzer/protocols/TODO | 10 ++ src/{ => analyzer/protocols/ayiya}/AYIYA.cc | 0 src/{ => analyzer/protocols/ayiya}/AYIYA.h | 0 src/analyzer/protocols/ayiya/CMakeLists.txt | 10 ++ src/analyzer/protocols/ayiya/Plugin.cc | 10 ++ .../protocols/ayiya}/ayiya-analyzer.pac | 0 .../protocols/ayiya}/ayiya-protocol.pac | 0 src/{ => analyzer/protocols/ayiya}/ayiya.pac | 0 src/analyzer/protocols/ayiya/events.bif | 0 .../protocols/backdoor}/BackDoor.cc | 2 +- .../protocols/backdoor}/BackDoor.h | 4 +- .../protocols/backdoor/CMakeLists.txt | 9 ++ src/analyzer/protocols/backdoor/Plugin.cc | 10 ++ src/analyzer/protocols/backdoor/events.bif | 0 .../protocols/bittorrent}/BitTorrent.cc | 2 +- .../protocols/bittorrent}/BitTorrent.h | 2 +- .../bittorrent}/BitTorrentTracker.cc | 2 +- .../protocols/bittorrent}/BitTorrentTracker.h | 2 +- .../protocols/bittorrent/CMakeLists.txt | 10 ++ src/analyzer/protocols/bittorrent/Plugin.cc | 12 ++ .../bittorrent}/bittorrent-analyzer.pac | 0 .../bittorrent}/bittorrent-protocol.pac | 0 .../protocols/bittorrent}/bittorrent.pac | 0 src/analyzer/protocols/bittorrent/events.bif | 0 .../protocols/conn-size/CMakeLists.txt | 9 ++ .../protocols/conn-size/ConnSize.cc} | 4 +- .../protocols/conn-size/ConnSize.h} | 0 
src/analyzer/protocols/conn-size/Plugin.cc | 10 ++ src/analyzer/protocols/conn-size/events.bif | 0 src/analyzer/protocols/dce-rpc/CMakeLists.txt | 11 ++ .../protocols/dce-rpc}/DCE_RPC.cc | 0 .../protocols/dce-rpc}/DCE_RPC.h | 2 +- src/analyzer/protocols/dce-rpc/Plugin.cc | 11 ++ .../protocols/dce-rpc}/dce_rpc-analyzer.pac | 0 .../protocols/dce-rpc}/dce_rpc-protocol.pac | 0 .../protocols/dce-rpc}/dce_rpc.pac | 0 .../protocols/dce-rpc}/dce_rpc_simple.pac | 0 .../protocols/dce-rpc}/epmapper.pac | 0 src/analyzer/protocols/dce-rpc/events.bif | 0 src/analyzer/protocols/dhcp/CMakeLists.txt | 10 ++ .../protocols/dhcp/DHCP.cc} | 11 +- .../protocols/dhcp/DHCP.h} | 11 +- src/analyzer/protocols/dhcp/Plugin.cc | 10 ++ .../protocols/dhcp}/dhcp-analyzer.pac | 0 .../protocols/dhcp}/dhcp-protocol.pac | 0 src/{ => analyzer/protocols/dhcp}/dhcp.pac | 0 src/analyzer/protocols/dhcp/events.bif | 0 src/analyzer/protocols/dns/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/dns}/DNS.cc | 0 src/{ => analyzer/protocols/dns}/DNS.h | 2 +- src/analyzer/protocols/dns/Plugin.cc | 11 ++ src/analyzer/protocols/dns/events.bif | 0 src/analyzer/protocols/file/CMakeLists.txt | 9 ++ .../protocols/file/File.cc} | 2 +- .../protocols/file/File.h} | 2 +- src/analyzer/protocols/file/Plugin.cc | 10 ++ src/analyzer/protocols/file/events.bif | 0 src/analyzer/protocols/finger/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/finger}/Finger.cc | 2 +- src/{ => analyzer/protocols/finger}/Finger.h | 2 +- src/analyzer/protocols/finger/Plugin.cc | 10 ++ src/analyzer/protocols/finger/events.bif | 0 src/analyzer/protocols/ftp/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/ftp}/FTP.cc | 2 +- src/{ => analyzer/protocols/ftp}/FTP.h | 4 +- src/analyzer/protocols/ftp/Plugin.cc | 11 ++ src/analyzer/protocols/ftp/events.bif | 0 .../protocols/gnutella/CMakeLists.txt | 9 ++ .../protocols/gnutella}/Gnutella.cc | 2 +- .../protocols/gnutella}/Gnutella.h | 2 +- src/analyzer/protocols/gnutella/Plugin.cc | 10 ++ 
src/analyzer/protocols/gnutella/events.bif | 0 src/analyzer/protocols/gtpv1/CMakeLists.txt | 10 ++ src/{ => analyzer/protocols/gtpv1}/GTPv1.cc | 0 src/{ => analyzer/protocols/gtpv1}/GTPv1.h | 0 src/analyzer/protocols/gtpv1/Plugin.cc | 10 ++ src/analyzer/protocols/gtpv1/events.bif | 0 .../protocols/gtpv1}/gtpv1-analyzer.pac | 0 .../protocols/gtpv1}/gtpv1-protocol.pac | 0 src/{ => analyzer/protocols/gtpv1}/gtpv1.pac | 0 src/analyzer/protocols/http/HTTP.h | 9 +- src/analyzer/protocols/icmp/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/icmp}/ICMP.cc | 0 src/{ => analyzer/protocols/icmp}/ICMP.h | 0 src/analyzer/protocols/icmp/Plugin.cc | 10 ++ src/analyzer/protocols/icmp/events.bif | 0 src/analyzer/protocols/ident/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/ident}/Ident.cc | 0 src/{ => analyzer/protocols/ident}/Ident.h | 4 +- src/analyzer/protocols/ident/Plugin.cc | 10 ++ src/analyzer/protocols/ident/events.bif | 0 .../protocols/interconn/CMakeLists.txt | 9 ++ .../protocols/interconn}/InterConn.cc | 2 +- .../protocols/interconn}/InterConn.h | 2 +- src/analyzer/protocols/interconn/Plugin.cc | 10 ++ src/analyzer/protocols/interconn/events.bif | 0 src/analyzer/protocols/irc/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/irc}/IRC.cc | 4 +- src/{ => analyzer/protocols/irc}/IRC.h | 2 +- src/analyzer/protocols/irc/Plugin.cc | 10 ++ src/analyzer/protocols/irc/events.bif | 0 src/analyzer/protocols/login/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/login}/Login.cc | 0 src/{ => analyzer/protocols/login}/Login.h | 2 +- src/{ => analyzer/protocols/login}/NVT.cc | 2 +- src/{ => analyzer/protocols/login}/NVT.h | 2 +- src/analyzer/protocols/login/Plugin.cc | 19 +++ src/{ => analyzer/protocols/login}/RSH.cc | 0 src/{ => analyzer/protocols/login}/RSH.h | 2 +- src/{ => analyzer/protocols/login}/Rlogin.cc | 0 src/{ => analyzer/protocols/login}/Rlogin.h | 2 +- src/{ => analyzer/protocols/login}/Telnet.cc | 0 src/{ => analyzer/protocols/login}/Telnet.h | 0 
src/analyzer/protocols/login/events.bif | 0 src/analyzer/protocols/modbus/CMakeLists.txt | 10 ++ src/{ => analyzer/protocols/modbus}/Modbus.cc | 2 +- src/{ => analyzer/protocols/modbus}/Modbus.h | 2 +- src/analyzer/protocols/modbus/Plugin.cc | 10 ++ src/analyzer/protocols/modbus/events.bif | 0 .../protocols/modbus}/modbus-analyzer.pac | 0 .../protocols/modbus}/modbus-protocol.pac | 0 .../protocols/modbus}/modbus.pac | 0 src/analyzer/protocols/ncp/CMakeLists.txt | 10 ++ src/{ => analyzer/protocols/ncp}/NCP.cc | 0 src/{ => analyzer/protocols/ncp}/NCP.h | 2 +- src/{ => analyzer/protocols/ncp}/NCP_func.def | 0 src/analyzer/protocols/ncp/Plugin.cc | 11 ++ src/analyzer/protocols/ncp/events.bif | 0 src/{ => analyzer/protocols/ncp}/ncp.pac | 0 .../protocols/netbios-ssn/CMakeLists.txt | 9 ++ .../protocols/netbios-ssn}/NetbiosSSN.cc | 0 .../protocols/netbios-ssn}/NetbiosSSN.h | 6 +- src/analyzer/protocols/netbios-ssn/Plugin.cc | 11 ++ src/analyzer/protocols/netbios-ssn/events.bif | 0 src/analyzer/protocols/ntp/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/ntp}/NTP.cc | 0 src/{ => analyzer/protocols/ntp}/NTP.h | 2 +- src/analyzer/protocols/ntp/Plugin.cc | 10 ++ src/analyzer/protocols/ntp/events.bif | 0 src/analyzer/protocols/pia/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/pia}/PIA.cc | 2 +- src/{ => analyzer/protocols/pia}/PIA.h | 2 +- src/analyzer/protocols/pia/Plugin.cc | 11 ++ src/analyzer/protocols/pia/events.bif | 0 src/analyzer/protocols/pop3/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/pop3}/POP3.cc | 2 +- src/{ => analyzer/protocols/pop3}/POP3.h | 4 +- .../protocols/pop3}/POP3_cmd.def | 0 src/analyzer/protocols/pop3/Plugin.cc | 10 ++ src/analyzer/protocols/pop3/events.bif | 0 src/analyzer/protocols/rpc/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/rpc}/NFS.cc | 0 src/{ => analyzer/protocols/rpc}/NFS.h | 0 src/analyzer/protocols/rpc/Plugin.cc | 15 +++ src/{ => analyzer/protocols/rpc}/Portmap.cc | 0 src/{ => analyzer/protocols/rpc}/Portmap.h | 0 src/{ 
=> analyzer/protocols/rpc}/RPC.cc | 0 src/{ => analyzer/protocols/rpc}/RPC.h | 4 +- src/{ => analyzer/protocols/rpc}/XDR.cc | 0 src/{ => analyzer/protocols/rpc}/XDR.h | 0 src/analyzer/protocols/rpc/events.bif | 0 src/analyzer/protocols/smb/CMakeLists.txt | 10 ++ src/analyzer/protocols/smb/Plugin.cc | 11 ++ src/{ => analyzer/protocols/smb}/SMB.cc | 0 src/{ => analyzer/protocols/smb}/SMB.h | 4 +- src/{ => analyzer/protocols/smb}/SMB_COM.def | 0 src/analyzer/protocols/smb/events.bif | 0 .../protocols/smb}/smb-mailslot.pac | 0 src/{ => analyzer/protocols/smb}/smb-pipe.pac | 0 .../protocols/smb}/smb-protocol.pac | 0 src/{ => analyzer/protocols/smb}/smb.pac | 0 src/analyzer/protocols/smtp/CMakeLists.txt | 9 ++ src/analyzer/protocols/smtp/Plugin.cc | 10 ++ src/{ => analyzer/protocols/smtp}/SMTP.cc | 2 +- src/{ => analyzer/protocols/smtp}/SMTP.h | 2 +- .../protocols/smtp}/SMTP_cmd.def | 0 src/analyzer/protocols/smtp/events.bif | 0 src/analyzer/protocols/socks/CMakeLists.txt | 10 ++ src/analyzer/protocols/socks/Plugin.cc | 10 ++ src/{ => analyzer/protocols/socks}/SOCKS.cc | 2 +- src/{ => analyzer/protocols/socks}/SOCKS.h | 4 +- src/analyzer/protocols/socks/events.bif | 0 .../protocols/socks}/socks-analyzer.pac | 0 .../protocols/socks}/socks-protocol.pac | 0 src/{ => analyzer/protocols/socks}/socks.pac | 0 src/analyzer/protocols/ssh/CMakeLists.txt | 9 ++ src/analyzer/protocols/ssh/Plugin.cc | 10 ++ src/{ => analyzer/protocols/ssh}/SSH.cc | 2 +- src/{ => analyzer/protocols/ssh}/SSH.h | 4 +- src/analyzer/protocols/ssh/events.bif | 0 src/analyzer/protocols/ssl/SSL.cc | 2 +- src/analyzer/protocols/ssl/SSL.h | 2 +- .../protocols/stepping-stone/CMakeLists.txt | 9 ++ .../protocols/stepping-stone/Plugin.cc | 10 ++ .../stepping-stone}/SteppingStone.cc | 2 +- .../protocols/stepping-stone}/SteppingStone.h | 2 +- .../protocols/stepping-stone/events.bif | 0 src/analyzer/protocols/syslog/Syslog.cc | 2 +- src/analyzer/protocols/syslog/Syslog.h | 4 +- 
src/analyzer/protocols/tcp/CMakeLists.txt | 9 ++ .../protocols/tcp}/ContentLine.cc | 2 +- .../protocols/tcp}/ContentLine.h | 2 +- src/analyzer/protocols/tcp/Plugin.cc | 13 ++ src/analyzer/protocols/tcp/Stats.cc | 79 ++++++++++++ src/analyzer/protocols/tcp/Stats.h | 67 ++++++++++ src/{ => analyzer/protocols/tcp}/TCP.cc | 7 +- src/{ => analyzer/protocols/tcp}/TCP.h | 2 +- .../protocols/tcp}/TCP_Endpoint.cc | 2 +- .../protocols/tcp}/TCP_Endpoint.h | 0 .../protocols/tcp}/TCP_Reassembler.cc | 2 +- .../protocols/tcp}/TCP_Reassembler.h | 0 src/analyzer/protocols/tcp/events.bif | 0 src/analyzer/protocols/teredo/CMakeLists.txt | 9 ++ src/analyzer/protocols/teredo/Plugin.cc | 10 ++ src/{ => analyzer/protocols/teredo}/Teredo.cc | 0 src/{ => analyzer/protocols/teredo}/Teredo.h | 0 src/analyzer/protocols/teredo/events.bif | 0 src/analyzer/protocols/udp/CMakeLists.txt | 9 ++ src/analyzer/protocols/udp/Plugin.cc | 10 ++ src/{ => analyzer/protocols/udp}/UDP.cc | 2 +- src/{ => analyzer/protocols/udp}/UDP.h | 0 src/analyzer/protocols/udp/events.bif | 0 src/analyzer/protocols/zip/CMakeLists.txt | 9 ++ src/analyzer/protocols/zip/Plugin.cc | 10 ++ src/{ => analyzer/protocols/zip}/ZIP.cc | 0 src/{ => analyzer/protocols/zip}/ZIP.h | 2 +- src/analyzer/protocols/zip/events.bif | 0 src/bro.bif | 6 +- src/builtin-func.l | 2 +- src/parse.y | 2 +- src/plugin/Macros.h | 3 + .../canonified_loaded_scripts.log | 40 +++++- .../canonified_loaded_scripts.log | 40 +++++- .../output | 2 +- .../frameworks/analyzer/schedule-analyzer.bro | 2 +- 250 files changed, 1095 insertions(+), 470 deletions(-) delete mode 100644 src/analyzer/protocols/BuiltInAnalyzers.cc delete mode 100644 src/analyzer/protocols/BuiltInAnalyzers.h create mode 100644 src/analyzer/protocols/TODO rename src/{ => analyzer/protocols/ayiya}/AYIYA.cc (100%) rename src/{ => analyzer/protocols/ayiya}/AYIYA.h (100%) create mode 100644 src/analyzer/protocols/ayiya/CMakeLists.txt create mode 100644 src/analyzer/protocols/ayiya/Plugin.cc rename 
src/{ => analyzer/protocols/ayiya}/ayiya-analyzer.pac (100%) rename src/{ => analyzer/protocols/ayiya}/ayiya-protocol.pac (100%) rename src/{ => analyzer/protocols/ayiya}/ayiya.pac (100%) create mode 100644 src/analyzer/protocols/ayiya/events.bif rename src/{ => analyzer/protocols/backdoor}/BackDoor.cc (99%) rename src/{ => analyzer/protocols/backdoor}/BackDoor.h (97%) create mode 100644 src/analyzer/protocols/backdoor/CMakeLists.txt create mode 100644 src/analyzer/protocols/backdoor/Plugin.cc create mode 100644 src/analyzer/protocols/backdoor/events.bif rename src/{ => analyzer/protocols/bittorrent}/BitTorrent.cc (98%) rename src/{ => analyzer/protocols/bittorrent}/BitTorrent.h (94%) rename src/{ => analyzer/protocols/bittorrent}/BitTorrentTracker.cc (99%) rename src/{ => analyzer/protocols/bittorrent}/BitTorrentTracker.h (98%) create mode 100644 src/analyzer/protocols/bittorrent/CMakeLists.txt create mode 100644 src/analyzer/protocols/bittorrent/Plugin.cc rename src/{ => analyzer/protocols/bittorrent}/bittorrent-analyzer.pac (100%) rename src/{ => analyzer/protocols/bittorrent}/bittorrent-protocol.pac (100%) rename src/{ => analyzer/protocols/bittorrent}/bittorrent.pac (100%) create mode 100644 src/analyzer/protocols/bittorrent/events.bif create mode 100644 src/analyzer/protocols/conn-size/CMakeLists.txt rename src/{ConnSizeAnalyzer.cc => analyzer/protocols/conn-size/ConnSize.cc} (96%) rename src/{ConnSizeAnalyzer.h => analyzer/protocols/conn-size/ConnSize.h} (100%) create mode 100644 src/analyzer/protocols/conn-size/Plugin.cc create mode 100644 src/analyzer/protocols/conn-size/events.bif create mode 100644 src/analyzer/protocols/dce-rpc/CMakeLists.txt rename src/{ => analyzer/protocols/dce-rpc}/DCE_RPC.cc (100%) rename src/{ => analyzer/protocols/dce-rpc}/DCE_RPC.h (99%) create mode 100644 src/analyzer/protocols/dce-rpc/Plugin.cc rename src/{ => analyzer/protocols/dce-rpc}/dce_rpc-analyzer.pac (100%) rename src/{ => 
analyzer/protocols/dce-rpc}/dce_rpc-protocol.pac (100%) rename src/{ => analyzer/protocols/dce-rpc}/dce_rpc.pac (100%) rename src/{ => analyzer/protocols/dce-rpc}/dce_rpc_simple.pac (100%) rename src/{ => analyzer/protocols/dce-rpc}/epmapper.pac (100%) create mode 100644 src/analyzer/protocols/dce-rpc/events.bif create mode 100644 src/analyzer/protocols/dhcp/CMakeLists.txt rename src/{DHCP-binpac.cc => analyzer/protocols/dhcp/DHCP.cc} (54%) rename src/{DHCP-binpac.h => analyzer/protocols/dhcp/DHCP.h} (63%) create mode 100644 src/analyzer/protocols/dhcp/Plugin.cc rename src/{ => analyzer/protocols/dhcp}/dhcp-analyzer.pac (100%) rename src/{ => analyzer/protocols/dhcp}/dhcp-protocol.pac (100%) rename src/{ => analyzer/protocols/dhcp}/dhcp.pac (100%) create mode 100644 src/analyzer/protocols/dhcp/events.bif create mode 100644 src/analyzer/protocols/dns/CMakeLists.txt rename src/{ => analyzer/protocols/dns}/DNS.cc (100%) rename src/{ => analyzer/protocols/dns}/DNS.h (99%) create mode 100644 src/analyzer/protocols/dns/Plugin.cc create mode 100644 src/analyzer/protocols/dns/events.bif create mode 100644 src/analyzer/protocols/file/CMakeLists.txt rename src/{FileAnalyzer.cc => analyzer/protocols/file/File.cc} (98%) rename src/{FileAnalyzer.h => analyzer/protocols/file/File.h} (93%) create mode 100644 src/analyzer/protocols/file/Plugin.cc create mode 100644 src/analyzer/protocols/file/events.bif create mode 100644 src/analyzer/protocols/finger/CMakeLists.txt rename src/{ => analyzer/protocols/finger}/Finger.cc (97%) rename src/{ => analyzer/protocols/finger}/Finger.h (93%) create mode 100644 src/analyzer/protocols/finger/Plugin.cc create mode 100644 src/analyzer/protocols/finger/events.bif create mode 100644 src/analyzer/protocols/ftp/CMakeLists.txt rename src/{ => analyzer/protocols/ftp}/FTP.cc (99%) rename src/{ => analyzer/protocols/ftp}/FTP.h (94%) create mode 100644 src/analyzer/protocols/ftp/Plugin.cc create mode 100644 src/analyzer/protocols/ftp/events.bif create 
mode 100644 src/analyzer/protocols/gnutella/CMakeLists.txt rename src/{ => analyzer/protocols/gnutella}/Gnutella.cc (99%) rename src/{ => analyzer/protocols/gnutella}/Gnutella.h (97%) create mode 100644 src/analyzer/protocols/gnutella/Plugin.cc create mode 100644 src/analyzer/protocols/gnutella/events.bif create mode 100644 src/analyzer/protocols/gtpv1/CMakeLists.txt rename src/{ => analyzer/protocols/gtpv1}/GTPv1.cc (100%) rename src/{ => analyzer/protocols/gtpv1}/GTPv1.h (100%) create mode 100644 src/analyzer/protocols/gtpv1/Plugin.cc create mode 100644 src/analyzer/protocols/gtpv1/events.bif rename src/{ => analyzer/protocols/gtpv1}/gtpv1-analyzer.pac (100%) rename src/{ => analyzer/protocols/gtpv1}/gtpv1-protocol.pac (100%) rename src/{ => analyzer/protocols/gtpv1}/gtpv1.pac (100%) create mode 100644 src/analyzer/protocols/icmp/CMakeLists.txt rename src/{ => analyzer/protocols/icmp}/ICMP.cc (100%) rename src/{ => analyzer/protocols/icmp}/ICMP.h (100%) create mode 100644 src/analyzer/protocols/icmp/Plugin.cc create mode 100644 src/analyzer/protocols/icmp/events.bif create mode 100644 src/analyzer/protocols/ident/CMakeLists.txt rename src/{ => analyzer/protocols/ident}/Ident.cc (100%) rename src/{ => analyzer/protocols/ident}/Ident.h (90%) create mode 100644 src/analyzer/protocols/ident/Plugin.cc create mode 100644 src/analyzer/protocols/ident/events.bif create mode 100644 src/analyzer/protocols/interconn/CMakeLists.txt rename src/{ => analyzer/protocols/interconn}/InterConn.cc (99%) rename src/{ => analyzer/protocols/interconn}/InterConn.h (97%) create mode 100644 src/analyzer/protocols/interconn/Plugin.cc create mode 100644 src/analyzer/protocols/interconn/events.bif create mode 100644 src/analyzer/protocols/irc/CMakeLists.txt rename src/{ => analyzer/protocols/irc}/IRC.cc (99%) rename src/{ => analyzer/protocols/irc}/IRC.h (97%) create mode 100644 src/analyzer/protocols/irc/Plugin.cc create mode 100644 src/analyzer/protocols/irc/events.bif create mode 100644 
src/analyzer/protocols/login/CMakeLists.txt rename src/{ => analyzer/protocols/login}/Login.cc (100%) rename src/{ => analyzer/protocols/login}/Login.h (98%) rename src/{ => analyzer/protocols/login}/NVT.cc (99%) rename src/{ => analyzer/protocols/login}/NVT.h (98%) create mode 100644 src/analyzer/protocols/login/Plugin.cc rename src/{ => analyzer/protocols/login}/RSH.cc (100%) rename src/{ => analyzer/protocols/login}/RSH.h (96%) rename src/{ => analyzer/protocols/login}/Rlogin.cc (100%) rename src/{ => analyzer/protocols/login}/Rlogin.h (97%) rename src/{ => analyzer/protocols/login}/Telnet.cc (100%) rename src/{ => analyzer/protocols/login}/Telnet.h (100%) create mode 100644 src/analyzer/protocols/login/events.bif create mode 100644 src/analyzer/protocols/modbus/CMakeLists.txt rename src/{ => analyzer/protocols/modbus}/Modbus.cc (94%) rename src/{ => analyzer/protocols/modbus}/Modbus.h (93%) create mode 100644 src/analyzer/protocols/modbus/Plugin.cc create mode 100644 src/analyzer/protocols/modbus/events.bif rename src/{ => analyzer/protocols/modbus}/modbus-analyzer.pac (100%) rename src/{ => analyzer/protocols/modbus}/modbus-protocol.pac (100%) rename src/{ => analyzer/protocols/modbus}/modbus.pac (100%) create mode 100644 src/analyzer/protocols/ncp/CMakeLists.txt rename src/{ => analyzer/protocols/ncp}/NCP.cc (100%) rename src/{ => analyzer/protocols/ncp}/NCP.h (98%) rename src/{ => analyzer/protocols/ncp}/NCP_func.def (100%) create mode 100644 src/analyzer/protocols/ncp/Plugin.cc create mode 100644 src/analyzer/protocols/ncp/events.bif rename src/{ => analyzer/protocols/ncp}/ncp.pac (100%) create mode 100644 src/analyzer/protocols/netbios-ssn/CMakeLists.txt rename src/{ => analyzer/protocols/netbios-ssn}/NetbiosSSN.cc (100%) rename src/{ => analyzer/protocols/netbios-ssn}/NetbiosSSN.h (97%) create mode 100644 src/analyzer/protocols/netbios-ssn/Plugin.cc create mode 100644 src/analyzer/protocols/netbios-ssn/events.bif create mode 100644 
src/analyzer/protocols/ntp/CMakeLists.txt rename src/{ => analyzer/protocols/ntp}/NTP.cc (100%) rename src/{ => analyzer/protocols/ntp}/NTP.h (97%) create mode 100644 src/analyzer/protocols/ntp/Plugin.cc create mode 100644 src/analyzer/protocols/ntp/events.bif create mode 100644 src/analyzer/protocols/pia/CMakeLists.txt rename src/{ => analyzer/protocols/pia}/PIA.cc (99%) rename src/{ => analyzer/protocols/pia}/PIA.h (99%) create mode 100644 src/analyzer/protocols/pia/Plugin.cc create mode 100644 src/analyzer/protocols/pia/events.bif create mode 100644 src/analyzer/protocols/pop3/CMakeLists.txt rename src/{ => analyzer/protocols/pop3}/POP3.cc (99%) rename src/{ => analyzer/protocols/pop3}/POP3.h (95%) rename src/{ => analyzer/protocols/pop3}/POP3_cmd.def (100%) create mode 100644 src/analyzer/protocols/pop3/Plugin.cc create mode 100644 src/analyzer/protocols/pop3/events.bif create mode 100644 src/analyzer/protocols/rpc/CMakeLists.txt rename src/{ => analyzer/protocols/rpc}/NFS.cc (100%) rename src/{ => analyzer/protocols/rpc}/NFS.h (100%) create mode 100644 src/analyzer/protocols/rpc/Plugin.cc rename src/{ => analyzer/protocols/rpc}/Portmap.cc (100%) rename src/{ => analyzer/protocols/rpc}/Portmap.h (100%) rename src/{ => analyzer/protocols/rpc}/RPC.cc (100%) rename src/{ => analyzer/protocols/rpc}/RPC.h (98%) rename src/{ => analyzer/protocols/rpc}/XDR.cc (100%) rename src/{ => analyzer/protocols/rpc}/XDR.h (100%) create mode 100644 src/analyzer/protocols/rpc/events.bif create mode 100644 src/analyzer/protocols/smb/CMakeLists.txt create mode 100644 src/analyzer/protocols/smb/Plugin.cc rename src/{ => analyzer/protocols/smb}/SMB.cc (100%) rename src/{ => analyzer/protocols/smb}/SMB.h (98%) rename src/{ => analyzer/protocols/smb}/SMB_COM.def (100%) create mode 100644 src/analyzer/protocols/smb/events.bif rename src/{ => analyzer/protocols/smb}/smb-mailslot.pac (100%) rename src/{ => analyzer/protocols/smb}/smb-pipe.pac (100%) rename src/{ => 
analyzer/protocols/smb}/smb-protocol.pac (100%) rename src/{ => analyzer/protocols/smb}/smb.pac (100%) create mode 100644 src/analyzer/protocols/smtp/CMakeLists.txt create mode 100644 src/analyzer/protocols/smtp/Plugin.cc rename src/{ => analyzer/protocols/smtp}/SMTP.cc (99%) rename src/{ => analyzer/protocols/smtp}/SMTP.h (98%) rename src/{ => analyzer/protocols/smtp}/SMTP_cmd.def (100%) create mode 100644 src/analyzer/protocols/smtp/events.bif create mode 100644 src/analyzer/protocols/socks/CMakeLists.txt create mode 100644 src/analyzer/protocols/socks/Plugin.cc rename src/{ => analyzer/protocols/socks}/SOCKS.cc (96%) rename src/{ => analyzer/protocols/socks}/SOCKS.h (89%) create mode 100644 src/analyzer/protocols/socks/events.bif rename src/{ => analyzer/protocols/socks}/socks-analyzer.pac (100%) rename src/{ => analyzer/protocols/socks}/socks-protocol.pac (100%) rename src/{ => analyzer/protocols/socks}/socks.pac (100%) create mode 100644 src/analyzer/protocols/ssh/CMakeLists.txt create mode 100644 src/analyzer/protocols/ssh/Plugin.cc rename src/{ => analyzer/protocols/ssh}/SSH.cc (97%) rename src/{ => analyzer/protocols/ssh}/SSH.h (83%) create mode 100644 src/analyzer/protocols/ssh/events.bif create mode 100644 src/analyzer/protocols/stepping-stone/CMakeLists.txt create mode 100644 src/analyzer/protocols/stepping-stone/Plugin.cc rename src/{ => analyzer/protocols/stepping-stone}/SteppingStone.cc (99%) rename src/{ => analyzer/protocols/stepping-stone}/SteppingStone.h (98%) create mode 100644 src/analyzer/protocols/stepping-stone/events.bif create mode 100644 src/analyzer/protocols/tcp/CMakeLists.txt rename src/{ => analyzer/protocols/tcp}/ContentLine.cc (99%) rename src/{ => analyzer/protocols/tcp}/ContentLine.h (98%) create mode 100644 src/analyzer/protocols/tcp/Plugin.cc create mode 100644 src/analyzer/protocols/tcp/Stats.cc create mode 100644 src/analyzer/protocols/tcp/Stats.h rename src/{ => analyzer/protocols/tcp}/TCP.cc (99%) rename src/{ => 
analyzer/protocols/tcp}/TCP.h (99%) rename src/{ => analyzer/protocols/tcp}/TCP_Endpoint.cc (99%) rename src/{ => analyzer/protocols/tcp}/TCP_Endpoint.h (100%) rename src/{ => analyzer/protocols/tcp}/TCP_Reassembler.cc (99%) rename src/{ => analyzer/protocols/tcp}/TCP_Reassembler.h (100%) create mode 100644 src/analyzer/protocols/tcp/events.bif create mode 100644 src/analyzer/protocols/teredo/CMakeLists.txt create mode 100644 src/analyzer/protocols/teredo/Plugin.cc rename src/{ => analyzer/protocols/teredo}/Teredo.cc (100%) rename src/{ => analyzer/protocols/teredo}/Teredo.h (100%) create mode 100644 src/analyzer/protocols/teredo/events.bif create mode 100644 src/analyzer/protocols/udp/CMakeLists.txt create mode 100644 src/analyzer/protocols/udp/Plugin.cc rename src/{ => analyzer/protocols/udp}/UDP.cc (99%) rename src/{ => analyzer/protocols/udp}/UDP.h (100%) create mode 100644 src/analyzer/protocols/udp/events.bif create mode 100644 src/analyzer/protocols/zip/CMakeLists.txt create mode 100644 src/analyzer/protocols/zip/Plugin.cc rename src/{ => analyzer/protocols/zip}/ZIP.cc (100%) rename src/{ => analyzer/protocols/zip}/ZIP.h (92%) create mode 100644 src/analyzer/protocols/zip/events.bif
diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake
index 0f76c1881a..00cba8bab7 100644
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
@@ -17,15 +17,48 @@ rest_target(${psd} base/init-default.bro internal)
 rest_target(${psd} base/init-bare.bro internal)
 rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/analyzer.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ayiya/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/backdoor/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/bittorrent/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/conn-size/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dce-rpc/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dhcp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dns/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/file/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/finger/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ftp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gnutella/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gtpv1/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/functions.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/icmp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ident/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/interconn/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/irc/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/login/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/modbus/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ncp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/netbios-ssn/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ntp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pia/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pop3/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/rpc/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smb/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smtp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/socks/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssh/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssl/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/stepping-stone/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/syslog/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/tcp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/teredo/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/udp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/zip/events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/functions.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/ssl/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/syslog/events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro)
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index bc68d0d67f..4d3e6dd917 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -133,27 +133,8 @@ set(BINPAC_AUXSRC
 binpac_target(binpac-lib.pac)
 binpac_target(binpac_bro-lib.pac)
-binpac_target(ayiya.pac
- ayiya-protocol.pac ayiya-analyzer.pac)
-binpac_target(bittorrent.pac
- bittorrent-protocol.pac bittorrent-analyzer.pac)
-binpac_target(dce_rpc.pac
- dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac)
-binpac_target(dce_rpc_simple.pac
- dce_rpc-protocol.pac epmapper.pac)
-binpac_target(dhcp.pac
- dhcp-protocol.pac dhcp-analyzer.pac)
-binpac_target(gtpv1.pac
- gtpv1-protocol.pac gtpv1-analyzer.pac)
-binpac_target(ncp.pac)
 binpac_target(netflow.pac netflow-protocol.pac netflow-analyzer.pac)
-binpac_target(smb.pac
- smb-protocol.pac smb-pipe.pac smb-mailslot.pac)
-binpac_target(socks.pac
- socks-protocol.pac socks-analyzer.pac)
-binpac_target(modbus.pac
- modbus-protocol.pac modbus-analyzer.pac)
 ########################################################################
 ## Including subdirectories.
@@ -233,11 +214,7 @@ set(bro_SRCS
 Anon.cc
 ARP.cc
 Attr.cc
- AYIYA.cc
- BackDoor.cc
 Base64.cc
- BitTorrent.cc
- BitTorrentTracker.cc
 BPF_Program.cc
 BroDoc.cc
 BroDocObj.cc
@@ -247,13 +224,7 @@ set(bro_SRCS
 ChunkedIO.cc
 CompHash.cc
 Conn.cc
- ConnSizeAnalyzer.cc
- ContentLine.cc
- DCE_RPC.cc
 DFA.cc
- DHCP-binpac.cc
- DNS.cc
- DNS_Mgr.cc
 DbgBreakpoint.cc
 DbgHelp.cc
 DbgWatch.cc
@@ -263,45 +234,30 @@ set(bro_SRCS
 Desc.cc
 Dict.cc
 Discard.cc
+ DNS_Mgr.cc
 EquivClass.cc
 Event.cc
 EventHandler.cc
 EventLauncher.cc
 EventRegistry.cc
 Expr.cc
- FTP.cc
 File.cc
- FileAnalyzer.cc
- Finger.cc
 FlowSrc.cc
 Frag.cc
 Frame.cc
 Func.cc
- Gnutella.cc
- GTPv1.cc
 Hash.cc
- ICMP.cc
 ID.cc
- Ident.cc
 IntSet.cc
- InterConn.cc
 IOSource.cc
 IP.cc
 IPAddr.cc
- IRC.cc
 List.cc
 Reporter.cc
- Login.cc
 MIME.cc
- Modbus.cc
- NCP.cc
 NFA.cc
- NFS.cc
- NTP.cc
- NVT.cc
 Net.cc
 NetVar.cc
- NetbiosSSN.cc
 Obj.cc
 OpaqueVal.cc
 OSFinger.cc
@@ -309,30 +265,20 @@ set(bro_SRCS
 PacketSort.cc
 PersistenceSerializer.cc
 PktSrc.cc
- PIA.cc
 PolicyFile.cc
- POP3.cc
- Portmap.cc
 PrefixTable.cc
 PriorityQueue.cc
 Queue.cc
 RandTest.cc
 RE.cc
- RPC.cc
 Reassem.cc
 RemoteSerializer.cc
- Rlogin.cc
- RSH.cc
 Rule.cc
 RuleAction.cc
 RuleCondition.cc
 RuleMatcher.cc
 ScriptAnaly.cc
 SmithWaterman.cc
- SMB.cc
- SMTP.cc
- SOCKS.cc
- SSH.cc
 Scope.cc
 SerializationFormat.cc
 SerialObj.cc
@@ -340,23 +286,14 @@ set(bro_SRCS
 Sessions.cc
 StateAccess.cc
 Stats.cc
- SteppingStone.cc
 Stmt.cc
- TCP.cc
- TCP_Endpoint.cc
- TCP_Reassembler.cc
- Telnet.cc
- Teredo.cc
 Timer.cc
 Traverse.cc
 Trigger.cc
 TunnelEncapsulation.cc
 Type.cc
- UDP.cc
 Val.cc
 Var.cc
- XDR.cc
- ZIP.cc
 bsd-getopt-long.c
 bro_inet_ntop.c
 cq.c
@@ -391,8 +328,6 @@ set(bro_SRCS
 plugin/Manager.cc
 plugin/Plugin.cc
- analyzer/protocols/BuiltInAnalyzers.cc
-
 nb_dns.c
 digest.h
 )
diff --git a/src/Conn.cc b/src/Conn.cc
index e476dd674b..d6fc41c0b9 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -11,7 +11,7 @@
 #include "Sessions.h"
 #include "Reporter.h"
 #include "Timer.h"
-#include "PIA.h"
+#include "analyzer/protocols/pia/PIA.h"
 #include "binpac.h"
 #include "TunnelEncapsulation.h"
 #include "analyzer/Analyzer.h"
diff --git a/src/Func.cc b/src/Func.cc
index 02f8dd4f29..82cd1998ce 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -38,7 +38,7 @@
 #include "Func.h"
 #include "Frame.h"
 #include "Var.h"
-#include "Login.h"
+#include "analyzer/protocols/login/Login.h"
 #include "Sessions.h"
 #include "RE.h"
 #include "Serializer.h"
diff --git a/src/RuleAction.cc b/src/RuleAction.cc
index 6bbd7243cd..4e279e2cab 100644
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@@ -8,7 +8,7 @@ using std::string;
 #include "Conn.h"
 #include "Event.h"
 #include "NetVar.h"
-#include "PIA.h"
+#include "analyzer/protocols/pia/PIA.h"
 #include "analyzer/Manager.h"
diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
index b31976711c..b26ed9c9f5 100644
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@@ -1,7 +1,7 @@
 #include "config.h"
 #include "RuleCondition.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "Scope.h"
 static inline bool is_established(const TCP_Endpoint* e)
diff --git a/src/Sessions.cc b/src/Sessions.cc
index dc3f54efe6..739bbbe5e7 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -16,12 +16,12 @@
 #include "Reporter.h"
 #include "OSFinger.h"
-#include "ICMP.h"
-#include "UDP.h"
+#include "analyzer/protocols/icmp/ICMP.h"
+#include "analyzer/protocols/udp/UDP.h"
-#include "SteppingStone.h"
-#include "BackDoor.h"
-#include "InterConn.h"
+#include "analyzer/protocols/stepping-stone/SteppingStone.h"
+#include "analyzer/protocols/backdoor/BackDoor.h"
+#include "analyzer/protocols/interconn/InterConn.h"
 #include "Discard.h"
 #include "RuleMatcher.h"
diff --git a/src/Sessions.h b/src/Sessions.h
index abaa8b49d0..5b87518033 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -12,6 +12,8 @@
 #include "Stats.h"
 #include "NetVar.h"
 #include "TunnelEncapsulation.h"
+#include "analyzer/protocols/tcp/Stats.h"
+
 #include
 struct pcap_pkthdr;
diff --git a/src/Stats.cc b/src/Stats.cc
index 1bccb8f9be..9b839ec672 100644
--- a/src/Stats.cc
+++ b/src/Stats.cc
@@ -389,84 +389,6 @@ void SegmentProfiler::Report()
 reporter->SegmentProfile(name, loc, dtime, dmem);
 }
-
-TCPStateStats::TCPStateStats()
- {
- for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
- for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
- state_cnt[i][j] = 0;
- }
-
-void TCPStateStats::ChangeState(EndpointState o_prev, EndpointState o_now,
- EndpointState r_prev, EndpointState r_now)
- {
- --state_cnt[o_prev][r_prev];
- ++state_cnt[o_now][r_now];
- }
-
-void TCPStateStats::FlipState(EndpointState orig, EndpointState resp)
- {
- --state_cnt[orig][resp];
- ++state_cnt[resp][orig];
- }
-
-unsigned int TCPStateStats::NumStatePartial() const
- {
- unsigned int sum = 0;
- for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
- {
- sum += state_cnt[TCP_ENDPOINT_PARTIAL][i];
- sum += state_cnt[i][TCP_ENDPOINT_PARTIAL];
- }
-
- return sum;
- }
-
-void TCPStateStats::PrintStats(BroFile* file, const char* prefix)
- {
- file->Write(prefix);
- file->Write(" Inact. Syn. SA Part. Est. Fin. Rst.\n");
-
- for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
- {
- file->Write(prefix);
-
- switch ( i ) {
-#define STATE_STRING(state, str) \
- case state: \
- file->Write(str); \
- break;
-
- STATE_STRING(TCP_ENDPOINT_INACTIVE, "Inact.");
- STATE_STRING(TCP_ENDPOINT_SYN_SENT, "Syn. ");
- STATE_STRING(TCP_ENDPOINT_SYN_ACK_SENT, "SA ");
- STATE_STRING(TCP_ENDPOINT_PARTIAL, "Part. ");
- STATE_STRING(TCP_ENDPOINT_ESTABLISHED, "Est. ");
- STATE_STRING(TCP_ENDPOINT_CLOSED, "Fin. ");
- STATE_STRING(TCP_ENDPOINT_RESET, "Rst. ");
-
- }
-
- file->Write(" ");
-
- for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
- {
- unsigned int n = state_cnt[i][j];
- if ( n > 0 )
- {
- char buf[32];
- safe_snprintf(buf, sizeof(buf), "%-8d", state_cnt[i][j]);
- file->Write(buf);
- }
- else
- file->Write(" ");
- }
-
- file->Write("\n");
- }
- }
-
-
 PacketProfiler::PacketProfiler(unsigned int mode, double freq, BroFile* arg_file)
 {
diff --git a/src/Stats.h b/src/Stats.h
index a11d66828a..8137ad16cf 100644
--- a/src/Stats.h
+++ b/src/Stats.h
@@ -7,9 +7,6 @@
 #include
 #include
-#include "TCP_Endpoint.h"
-
-
 // Object called by SegmentProfiler when it is done and reports its
 // cumulative CPU/memory statistics.
 class SegmentStatsReporter {
@@ -121,67 +118,6 @@ extern uint64 tot_ack_bytes;
 extern uint64 tot_gap_events;
 extern uint64 tot_gap_bytes;
-
-// A TCPStateStats object tracks the distribution of TCP states for
-// the currently active connections.
-class TCPStateStats {
-public:
- TCPStateStats();
- ~TCPStateStats() { }
-
- void ChangeState(EndpointState o_prev, EndpointState o_now,
- EndpointState r_prev, EndpointState r_now);
- void FlipState(EndpointState orig, EndpointState resp);
-
- void StateEntered (EndpointState o_state, EndpointState r_state)
- { ++state_cnt[o_state][r_state]; }
- void StateLeft (EndpointState o_state, EndpointState r_state)
- { --state_cnt[o_state][r_state]; }
-
- unsigned int Cnt(EndpointState state) const
- { return Cnt(state, state); }
- unsigned int Cnt(EndpointState state1, EndpointState state2) const
- { return state_cnt[state1][state2]; }
-
- unsigned int NumStateEstablished() const
- { return Cnt(TCP_ENDPOINT_ESTABLISHED); }
- unsigned int NumStateHalfClose() const
- { // corresponds to S2,S3
- return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_CLOSED) +
- Cnt(TCP_ENDPOINT_CLOSED, TCP_ENDPOINT_ESTABLISHED);
- }
- unsigned int NumStateHalfRst() const
- {
- return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_RESET) +
- Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_ESTABLISHED);
- }
- unsigned int NumStateClosed() const
- { return Cnt(TCP_ENDPOINT_CLOSED); }
- unsigned int NumStateRequest() const
- {
- assert(Cnt(TCP_ENDPOINT_INACTIVE, TCP_ENDPOINT_SYN_SENT)==0);
- return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_INACTIVE);
- }
- unsigned int NumStateSuccRequest() const
- {
- return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_SYN_ACK_SENT) +
- Cnt(TCP_ENDPOINT_SYN_ACK_SENT, TCP_ENDPOINT_SYN_SENT);
- }
- unsigned int NumStateRstRequest() const
- {
- return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_RESET) +
- Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_SYN_SENT);
- }
- unsigned int NumStateInactive() const
- { return Cnt(TCP_ENDPOINT_INACTIVE); }
- unsigned int NumStatePartial() const;
-
- void PrintStats(BroFile* file, const char* prefix);
-
-private:
- unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1];
-};
-
 class PacketProfiler {
 public:
 PacketProfiler(unsigned int mode, double freq, BroFile* arg_file);
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index c482ddd792..098535d0a9 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -4,7 +4,7 @@
 #include "Analyzer.h"
 #include "Manager.h"
-#include "../PIA.h"
+#include "analyzer/protocols/pia/PIA.h"
 #include "../Event.h"
 namespace analyzer {
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 8ac8cbf824..aba7f26a56 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -1,16 +1,17 @@
 #include "Manager.h"
-#include "PIA.h"
 #include "Hash.h"
-#include "ICMP.h"
-#include "UDP.h"
-#include "TCP.h"
 #include "Val.h"
-#include "BackDoor.h"
-#include "InterConn.h"
-#include "SteppingStone.h"
-#include "ConnSizeAnalyzer.h"
+
+#include "analyzer/protocols/backdoor/BackDoor.h"
+#include "analyzer/protocols/conn-size/ConnSize.h"
+#include "analyzer/protocols/icmp/ICMP.h"
+#include "analyzer/protocols/interconn/InterConn.h"
+#include "analyzer/protocols/pia/PIA.h"
+#include "analyzer/protocols/stepping-stone/SteppingStone.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/udp/UDP.h"
 #include "plugin/Manager.h"
@@ -153,15 +154,16 @@ void Manager::RegisterAnalyzerComponent(Component* component) if ( Lookup(component->Name()) ) reporter->FatalError("Analyzer %s defined more than once", component->Name()); - DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)", - component->Name(), component->Tag().AsString().c_str()); + string name = to_upper(component->Name()); - analyzers_by_name.insert(std::make_pair(component->Name(), component)); + DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)", + name.c_str(), component->Tag().AsString().c_str()); + + analyzers_by_name.insert(std::make_pair(name, component)); analyzers_by_tag.insert(std::make_pair(component->Tag(), component)); analyzers_by_val.insert(std::make_pair(component->Tag().AsEnumVal()->InternalInt(), component)); // Install enum "Analyzer::ANALYZER_*" - string name = to_upper(component->Name()); string id = fmt("ANALYZER_%s", name.c_str()); tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().AsEnumVal()->InternalInt(), true); } @@ -306,7 +308,9 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) if ( ! c->Enabled() ) return 0; - assert(c->Factory()); + if ( ! c->Factory() ) + reporter->InternalError("analyzer %s cannot be instantiated dynamically", GetAnalyzerName(tag)); + Analyzer* a = c->Factory()(conn); if ( ! a ) diff --git a/src/analyzer/protocols/BuiltInAnalyzers.cc b/src/analyzer/protocols/BuiltInAnalyzers.cc deleted file mode 100644 index 8403b1bb25..0000000000 --- a/src/analyzer/protocols/BuiltInAnalyzers.cc +++ /dev/null 
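Review bot: The duplicate guard that opens this hunk still calls `Lookup(component->Name())` with the raw name, while the map is now keyed by `to_upper(component->Name())`, so unless `Lookup(const string&)` (not shown here) applies the same normalization, a second component differing only in case would pass the guard and then be silently dropped by `analyzers_by_name.insert`, which does not overwrite an existing key. That path is live: the Plugin.cc files added by this commit register mixed-case names (`"BitTorrent"`, `"File"`) next to upper-case ones. Hoist the normalization above the guard — `string name = to_upper(component->Name()); if ( Lookup(name) ) reporter->FatalError("Analyzer %s defined more than once", name.c_str());` — and add `// keyed by upper-cased name; every by-name lookup must normalize the same way` on the insert so the invariant is stated where it is created.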
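Review bot: `reporter->InternalError` on a missing factory presumably aborts the process, on a path where the very next lines already tolerate a null analyzer (`if ( ! a )`), so a component that is only ever attached by a parent — the `BRO_PLUGIN_SUPPORT_ANALYZER` entries elsewhere in this commit such as `Contents_DNS` or `FTP_ADAT` carry no factory — would take the whole monitor down if any script-level path can request its tag here. Unless such tags are rejected before reaching this function, `reporter->Error("analyzer %s cannot be instantiated dynamically", ...); return 0;` degrades to one connection losing an analyzer instead of an availability failure. Separately, `GetAnalyzerName(tag)` feeds a `%s` conversion; if it returns a `std::string` rather than `const char*` that is undefined behaviour and needs `.c_str()` — its return type is not visible in this hunk.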
@@ -1,119 +0,0 @@ - -// TODO: This file will eventually go away once we've converrted all -// analyzers into separate plugins. - -#include "BuiltInAnalyzers.h" -#include "analyzer/Component.h" - -#include "../../binpac_bro.h" - -#include "AYIYA.h" -#include "BackDoor.h" -#include "BitTorrent.h" -#include "BitTorrentTracker.h" -#include "Finger.h" -#include "InterConn.h" -#include "NTP.h" -#include "ICMP.h" -#include "SteppingStone.h" -#include "IRC.h" -#include "SMTP.h" -#include "FTP.h" -#include "FileAnalyzer.h" -#include "DNS.h" -#include "DHCP-binpac.h" -#include "Telnet.h" -#include "Rlogin.h" -#include "RSH.h" -#include "DCE_RPC.h" -#include "Gnutella.h" -#include "Ident.h" -#include "Modbus.h" -#include "NCP.h" -#include "NetbiosSSN.h" -#include "SMB.h" -#include "NFS.h" -#include "Portmap.h" -#include "POP3.h" -#include "SOCKS.h" -#include "SSH.h" -#include "Teredo.h" -#include "ConnSizeAnalyzer.h" -#include "GTPv1.h" - -using namespace analyzer; - -BuiltinAnalyzers builtin_analyzers; - -#define DEFINE_ANALYZER(name, factory) \ - AddComponent(new Component(name, factory)) - -void BuiltinAnalyzers::Init() - { - SetName("Core-Analyzers"); - SetDescription("Built-in protocol analyzers"); - SetVersion(BRO_PLUGIN_VERSION_BUILTIN); - - DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer); - DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer); - - DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); - 
DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("LOGIN", 0); // just a base class - DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("NETBIOSSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("RPC", 0); - DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer); - DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("CONTENTS", 0); - DEFINE_ANALYZER("CONTENTLINE", 0); - DEFINE_ANALYZER("NVT", 0); 
- DEFINE_ANALYZER("ZIP", 0); - DEFINE_ANALYZER("CONTENTS_DNS", 0); - DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0); - DEFINE_ANALYZER("CONTENTS_NCP", 0); - DEFINE_ANALYZER("CONTENTS_RLOGIN", 0); - DEFINE_ANALYZER("CONTENTS_RSH", 0); - DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0); - DEFINE_ANALYZER("CONTENTS_SMB", 0); - DEFINE_ANALYZER("CONTENTS_RPC", 0); - DEFINE_ANALYZER("CONTENTS_NFS", 0); - DEFINE_ANALYZER("FTP_ADAT", 0); - } - diff --git a/src/analyzer/protocols/BuiltInAnalyzers.h b/src/analyzer/protocols/BuiltInAnalyzers.h deleted file mode 100644 index 6097bfa078..0000000000 --- a/src/analyzer/protocols/BuiltInAnalyzers.h +++ /dev/null @@ -1,17 +0,0 @@ - -#ifndef ANALYZER_BUILTIN_ANALYZERS_H -#define ANALYZER_BUILTIN_ANALYZERS_H - -#include "plugin/Plugin.h" - -namespace analyzer { - -class BuiltinAnalyzers : public plugin::Plugin { -public: - virtual void Init(); -}; - -} - - -#endif diff --git a/src/analyzer/protocols/CMakeLists.txt b/src/analyzer/protocols/CMakeLists.txt index 19dda0c770..9fcbbdd2d5 100644 --- a/src/analyzer/protocols/CMakeLists.txt +++ b/src/analyzer/protocols/CMakeLists.txt 
@@ -1,4 +1,37 @@ +add_subdirectory(ayiya) +add_subdirectory(backdoor) +add_subdirectory(bittorrent) +add_subdirectory(conn-size) +add_subdirectory(dce-rpc) +add_subdirectory(dhcp) +add_subdirectory(dns) +add_subdirectory(file) +add_subdirectory(finger) +add_subdirectory(ftp) +add_subdirectory(gnutella) +add_subdirectory(gtpv1) add_subdirectory(http) +add_subdirectory(icmp) +add_subdirectory(ident) +add_subdirectory(interconn) +add_subdirectory(irc) +add_subdirectory(login) +add_subdirectory(modbus) +add_subdirectory(ncp) +add_subdirectory(netbios-ssn) +add_subdirectory(ntp) +add_subdirectory(pia) +add_subdirectory(pop3) +add_subdirectory(rpc) +add_subdirectory(smb) +add_subdirectory(smtp) +add_subdirectory(socks) +add_subdirectory(ssh) add_subdirectory(ssl) +add_subdirectory(stepping-stone) add_subdirectory(syslog) +add_subdirectory(tcp) +add_subdirectory(teredo) +add_subdirectory(udp) +add_subdirectory(zip) diff --git a/src/analyzer/protocols/TODO b/src/analyzer/protocols/TODO new file mode 100644 index 0000000000..6168bf4686 --- /dev/null +++ b/src/analyzer/protocols/TODO @@ -0,0 +1,10 @@ + +- introduce namespace into analyzers +- fill events.bif +- add functions.bif where needed +- move ARP +- move NetFlow +- update *.h guards +- cleanup analyzer descriptions +- can now lower-case the analyzer name in plugin + diff --git a/src/AYIYA.cc b/src/analyzer/protocols/ayiya/AYIYA.cc similarity index 100% rename from src/AYIYA.cc rename to src/analyzer/protocols/ayiya/AYIYA.cc diff --git a/src/AYIYA.h b/src/analyzer/protocols/ayiya/AYIYA.h similarity index 100% rename from src/AYIYA.h rename to src/analyzer/protocols/ayiya/AYIYA.h diff --git a/src/analyzer/protocols/ayiya/CMakeLists.txt b/src/analyzer/protocols/ayiya/CMakeLists.txt new file mode 100644 index 0000000000..8f578a763b --- /dev/null +++ b/src/analyzer/protocols/ayiya/CMakeLists.txt 
@@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(AYIYA) +bro_plugin_cc(AYIYA.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac) +bro_plugin_end() diff --git a/src/analyzer/protocols/ayiya/Plugin.cc b/src/analyzer/protocols/ayiya/Plugin.cc new file mode 100644 index 0000000000..1ec9887534 --- /dev/null +++ b/src/analyzer/protocols/ayiya/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "AYIYA.h" + +BRO_PLUGIN_BEGIN(AYIYA) + BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer"); + BRO_PLUGIN_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/ayiya-analyzer.pac b/src/analyzer/protocols/ayiya/ayiya-analyzer.pac similarity index 100% rename from src/ayiya-analyzer.pac rename to src/analyzer/protocols/ayiya/ayiya-analyzer.pac diff --git a/src/ayiya-protocol.pac b/src/analyzer/protocols/ayiya/ayiya-protocol.pac similarity index 100% rename from src/ayiya-protocol.pac rename to src/analyzer/protocols/ayiya/ayiya-protocol.pac diff --git a/src/ayiya.pac b/src/analyzer/protocols/ayiya/ayiya.pac similarity index 100% rename from src/ayiya.pac rename to src/analyzer/protocols/ayiya/ayiya.pac diff --git a/src/analyzer/protocols/ayiya/events.bif b/src/analyzer/protocols/ayiya/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/BackDoor.cc b/src/analyzer/protocols/backdoor/BackDoor.cc similarity index 99% rename from src/BackDoor.cc rename to src/analyzer/protocols/backdoor/BackDoor.cc index 333dc9c806..00a1319e53 100644 --- a/src/BackDoor.cc +++ b/src/analyzer/protocols/backdoor/BackDoor.cc @@ -5,7 +5,7 @@ #include "BackDoor.h" #include "Event.h" #include "Net.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" BackDoorEndpoint::BackDoorEndpoint(TCP_Endpoint* e) { 
diff --git a/src/BackDoor.h b/src/analyzer/protocols/backdoor/BackDoor.h similarity index 97% rename from src/BackDoor.h rename to src/analyzer/protocols/backdoor/BackDoor.h index d3687bad0b..1865cdd1ef 100644 --- a/src/BackDoor.h +++ b/src/analyzer/protocols/backdoor/BackDoor.h @@ -3,10 +3,10 @@ #ifndef backdoor_h #define backdoor_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "Timer.h" #include "NetVar.h" -#include "Login.h" +#include "analyzer/protocols/login/Login.h" class BackDoorEndpoint { public: diff --git a/src/analyzer/protocols/backdoor/CMakeLists.txt b/src/analyzer/protocols/backdoor/CMakeLists.txt new file mode 100644 index 0000000000..b065cc2c95 --- /dev/null +++ b/src/analyzer/protocols/backdoor/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(BackDoor) +bro_plugin_cc(BackDoor.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocols/backdoor/Plugin.cc b/src/analyzer/protocols/backdoor/Plugin.cc new file mode 100644 index 0000000000..586b9ef139 --- /dev/null +++ b/src/analyzer/protocols/backdoor/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "BackDoor.h" + +BRO_PLUGIN_BEGIN(BackDoor) + BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)"); + BRO_PLUGIN_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/backdoor/events.bif b/src/analyzer/protocols/backdoor/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/BitTorrent.cc b/src/analyzer/protocols/bittorrent/BitTorrent.cc similarity index 98% rename from src/BitTorrent.cc rename to src/analyzer/protocols/bittorrent/BitTorrent.cc index de033cbbe7..05e9ae8fba 100644 --- a/src/BitTorrent.cc +++ b/src/analyzer/protocols/bittorrent/BitTorrent.cc 
@@ -1,7 +1,7 @@ // This code contributed by Nadi Sarrar. #include "BitTorrent.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("BITTORRENT", c) diff --git a/src/BitTorrent.h b/src/analyzer/protocols/bittorrent/BitTorrent.h similarity index 94% rename from src/BitTorrent.h rename to src/analyzer/protocols/bittorrent/BitTorrent.h index 6c1ef677e1..0a36442ab9 100644 --- a/src/BitTorrent.h +++ b/src/analyzer/protocols/bittorrent/BitTorrent.h @@ -3,7 +3,7 @@ #ifndef bittorrent_h #define bittorrent_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "bittorrent_pac.h" diff --git a/src/BitTorrentTracker.cc b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc similarity index 99% rename from src/BitTorrentTracker.cc rename to src/analyzer/protocols/bittorrent/BitTorrentTracker.cc index 81b97f44d4..cf8dcff6ba 100644 --- a/src/BitTorrentTracker.cc +++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc @@ -1,7 +1,7 @@ // This code contributed by Nadi Sarrar. #include "BitTorrentTracker.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" #include #include diff --git a/src/BitTorrentTracker.h b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h similarity index 98% rename from src/BitTorrentTracker.h rename to src/analyzer/protocols/bittorrent/BitTorrentTracker.h index 41a902befa..70f3004acb 100644 --- a/src/BitTorrentTracker.h +++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h @@ -3,7 +3,7 @@ #ifndef bittorrenttracker_h #define bittorrenttracker_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #define BTTRACKER_BUF 2048 diff --git a/src/analyzer/protocols/bittorrent/CMakeLists.txt b/src/analyzer/protocols/bittorrent/CMakeLists.txt new file mode 100644 index 0000000000..5a3f9372bb --- /dev/null +++ b/src/analyzer/protocols/bittorrent/CMakeLists.txt 
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(BitTorrent)
+bro_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/bittorrent/Plugin.cc b/src/analyzer/protocols/bittorrent/Plugin.cc
new file mode 100644
index 0000000000..c028956ce9
--- /dev/null
+++ b/src/analyzer/protocols/bittorrent/Plugin.cc
@@ -0,0 +1,12 @@
+
+#include "plugin/Plugin.h"
+
+#include "BitTorrent.h"
+#include "BitTorrentTracker.h"
+
+BRO_PLUGIN_BEGIN(BitTorrent)
+ BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer");
+ BRO_PLUGIN_ANALYZER("BitTorrent", BitTorrent_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("BitTorrentTracker", BitTorrentTracker_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/bittorrent-analyzer.pac b/src/analyzer/protocols/bittorrent/bittorrent-analyzer.pac
similarity index 100%
rename from src/bittorrent-analyzer.pac
rename to src/analyzer/protocols/bittorrent/bittorrent-analyzer.pac
diff --git a/src/bittorrent-protocol.pac b/src/analyzer/protocols/bittorrent/bittorrent-protocol.pac
similarity index 100%
rename from src/bittorrent-protocol.pac
rename to src/analyzer/protocols/bittorrent/bittorrent-protocol.pac
diff --git a/src/bittorrent.pac b/src/analyzer/protocols/bittorrent/bittorrent.pac
similarity index 100%
rename from src/bittorrent.pac
rename to src/analyzer/protocols/bittorrent/bittorrent.pac
diff --git a/src/analyzer/protocols/bittorrent/events.bif b/src/analyzer/protocols/bittorrent/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/conn-size/CMakeLists.txt b/src/analyzer/protocols/conn-size/CMakeLists.txt
new file mode 100644
index 0000000000..e5edd9c947
--- /dev/null
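Review bot: The registration names here, `"BitTorrent"` and `"BitTorrentTracker"`, differ in case from the name the analyzer gives itself in its constructor (`TCP_ApplicationAnalyzer("BITTORRENT", c)` in the BitTorrent.cc hunk above) and from the upper-case spellings used by every other Plugin.cc in this commit; the only thing keeping them equivalent is the `to_upper` in `Manager::RegisterAnalyzerComponent`. Any code that compares an analyzer's `Name()` against a registered name without that normalization would miss these two, so either register the upper-case spellings here or state the reliance explicitly, e.g. `// case-insensitive: the manager upper-cases registration names`. The TODO file added by this commit mentions changing the case convention later, which is a reason to keep the two spellings consistent now rather than leaving one plugin as the exception.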
+++ b/src/analyzer/protocols/conn-size/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(ConnSize) +bro_plugin_cc(ConnSize.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/ConnSizeAnalyzer.cc b/src/analyzer/protocols/conn-size/ConnSize.cc similarity index 96% rename from src/ConnSizeAnalyzer.cc rename to src/analyzer/protocols/conn-size/ConnSize.cc index 82672dba7c..a5a401a816 100644 --- a/src/ConnSizeAnalyzer.cc +++ b/src/analyzer/protocols/conn-size/ConnSize.cc @@ -3,8 +3,8 @@ // See ConnSize.h for more extensive comments. -#include "ConnSizeAnalyzer.h" -#include "TCP.h" +#include "ConnSize.h" +#include "analyzer/protocols/tcp/TCP.h" diff --git a/src/ConnSizeAnalyzer.h b/src/analyzer/protocols/conn-size/ConnSize.h similarity index 100% rename from src/ConnSizeAnalyzer.h rename to src/analyzer/protocols/conn-size/ConnSize.h diff --git a/src/analyzer/protocols/conn-size/Plugin.cc b/src/analyzer/protocols/conn-size/Plugin.cc new file mode 100644 index 0000000000..7520d9b7b5 --- /dev/null +++ b/src/analyzer/protocols/conn-size/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "ConnSize.h" + +BRO_PLUGIN_BEGIN(ConnSize) + BRO_PLUGIN_DESCRIPTION("Connection size analyzer"); + BRO_PLUGIN_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/conn-size/events.bif b/src/analyzer/protocols/conn-size/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/dce-rpc/CMakeLists.txt b/src/analyzer/protocols/dce-rpc/CMakeLists.txt new file mode 100644 index 0000000000..61e6170640 --- /dev/null +++ b/src/analyzer/protocols/dce-rpc/CMakeLists.txt 
@@ -0,0 +1,11 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(DCE_RPC) +bro_plugin_cc(DCE_RPC.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(dce_rpc.pac dce_rpc-protocol.pac dce_rpc-analyzer.pac) +bro_plugin_pac(dce_rpc_simple.pac dce_rpc-protocol.pac epmapper.pac) +bro_plugin_end() diff --git a/src/DCE_RPC.cc b/src/analyzer/protocols/dce-rpc/DCE_RPC.cc similarity index 100% rename from src/DCE_RPC.cc rename to src/analyzer/protocols/dce-rpc/DCE_RPC.cc diff --git a/src/DCE_RPC.h b/src/analyzer/protocols/dce-rpc/DCE_RPC.h similarity index 99% rename from src/DCE_RPC.h rename to src/analyzer/protocols/dce-rpc/DCE_RPC.h index 61de358dbd..7ad3cd1e13 100644 --- a/src/DCE_RPC.h +++ b/src/analyzer/protocols/dce-rpc/DCE_RPC.h @@ -7,7 +7,7 @@ // Windows systems) and shouldn't be considered as stable. #include "NetVar.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "IPAddr.h" #include "dce_rpc_simple_pac.h" diff --git a/src/analyzer/protocols/dce-rpc/Plugin.cc b/src/analyzer/protocols/dce-rpc/Plugin.cc new file mode 100644 index 0000000000..b818806076 --- /dev/null +++ b/src/analyzer/protocols/dce-rpc/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "DCE_RPC.h" + +BRO_PLUGIN_BEGIN(DCE_RPC) + BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer"); + BRO_PLUGIN_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/dce_rpc-analyzer.pac b/src/analyzer/protocols/dce-rpc/dce_rpc-analyzer.pac similarity index 100% rename from src/dce_rpc-analyzer.pac rename to src/analyzer/protocols/dce-rpc/dce_rpc-analyzer.pac diff --git a/src/dce_rpc-protocol.pac b/src/analyzer/protocols/dce-rpc/dce_rpc-protocol.pac similarity index 100% rename from src/dce_rpc-protocol.pac rename to src/analyzer/protocols/dce-rpc/dce_rpc-protocol.pac 
diff --git a/src/dce_rpc.pac b/src/analyzer/protocols/dce-rpc/dce_rpc.pac similarity index 100% rename from src/dce_rpc.pac rename to src/analyzer/protocols/dce-rpc/dce_rpc.pac diff --git a/src/dce_rpc_simple.pac b/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac similarity index 100% rename from src/dce_rpc_simple.pac rename to src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac diff --git a/src/epmapper.pac b/src/analyzer/protocols/dce-rpc/epmapper.pac similarity index 100% rename from src/epmapper.pac rename to src/analyzer/protocols/dce-rpc/epmapper.pac diff --git a/src/analyzer/protocols/dce-rpc/events.bif b/src/analyzer/protocols/dce-rpc/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/dhcp/CMakeLists.txt b/src/analyzer/protocols/dhcp/CMakeLists.txt new file mode 100644 index 0000000000..f4552b666a --- /dev/null +++ b/src/analyzer/protocols/dhcp/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(DHCP) +bro_plugin_cc(DHCP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac) +bro_plugin_end() diff --git a/src/DHCP-binpac.cc b/src/analyzer/protocols/dhcp/DHCP.cc similarity index 54% rename from src/DHCP-binpac.cc rename to src/analyzer/protocols/dhcp/DHCP.cc index d2847966ae..a590db19ca 100644 --- a/src/DHCP-binpac.cc +++ b/src/analyzer/protocols/dhcp/DHCP.cc 
@@ -1,22 +1,23 @@ -#include "DHCP-binpac.h" -DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn) +#include "DHCP.h" + +DHCP_Analyzer::DHCP_Analyzer(Connection* conn) : Analyzer("DHCP", conn) { interp = new binpac::DHCP::DHCP_Conn(this); } -DHCP_Analyzer_binpac::~DHCP_Analyzer_binpac() +DHCP_Analyzer::~DHCP_Analyzer() { delete interp; } -void DHCP_Analyzer_binpac::Done() +void DHCP_Analyzer::Done() { Analyzer::Done(); } -void DHCP_Analyzer_binpac::DeliverPacket(int len, const u_char* data, +void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); diff --git a/src/DHCP-binpac.h b/src/analyzer/protocols/dhcp/DHCP.h similarity index 63% rename from src/DHCP-binpac.h rename to src/analyzer/protocols/dhcp/DHCP.h index 4b59ac15b2..5c12e52cc5 100644 --- a/src/DHCP-binpac.h +++ b/src/analyzer/protocols/dhcp/DHCP.h @@ -1,22 +1,21 @@ #ifndef dhcp_binpac_h #define dhcp_binpac_h -#include "UDP.h" +#include "analyzer/protocols/udp/UDP.h" #include "dhcp_pac.h" - -class DHCP_Analyzer_binpac : public analyzer::Analyzer { +class DHCP_Analyzer : public analyzer::Analyzer { public: - DHCP_Analyzer_binpac(Connection* conn); - virtual ~DHCP_Analyzer_binpac(); + DHCP_Analyzer(Connection* conn); + virtual ~DHCP_Analyzer(); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new DHCP_Analyzer_binpac(conn); } + { return new DHCP_Analyzer(conn); } protected: binpac::DHCP::DHCP_Conn* interp; diff --git a/src/analyzer/protocols/dhcp/Plugin.cc b/src/analyzer/protocols/dhcp/Plugin.cc new file mode 100644 index 0000000000..32225d5bec --- /dev/null +++ b/src/analyzer/protocols/dhcp/Plugin.cc 
@@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "DHCP.h" + +BRO_PLUGIN_BEGIN(DHCP) + BRO_PLUGIN_DESCRIPTION("DHCP Analyzer"); + BRO_PLUGIN_ANALYZER("DHCP", DHCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/dhcp-analyzer.pac b/src/analyzer/protocols/dhcp/dhcp-analyzer.pac similarity index 100% rename from src/dhcp-analyzer.pac rename to src/analyzer/protocols/dhcp/dhcp-analyzer.pac diff --git a/src/dhcp-protocol.pac b/src/analyzer/protocols/dhcp/dhcp-protocol.pac similarity index 100% rename from src/dhcp-protocol.pac rename to src/analyzer/protocols/dhcp/dhcp-protocol.pac diff --git a/src/dhcp.pac b/src/analyzer/protocols/dhcp/dhcp.pac similarity index 100% rename from src/dhcp.pac rename to src/analyzer/protocols/dhcp/dhcp.pac diff --git a/src/analyzer/protocols/dhcp/events.bif b/src/analyzer/protocols/dhcp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/dns/CMakeLists.txt b/src/analyzer/protocols/dns/CMakeLists.txt new file mode 100644 index 0000000000..38a4cedd03 --- /dev/null +++ b/src/analyzer/protocols/dns/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(DNS) +bro_plugin_cc(DNS.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/DNS.cc b/src/analyzer/protocols/dns/DNS.cc similarity index 100% rename from src/DNS.cc rename to src/analyzer/protocols/dns/DNS.cc diff --git a/src/DNS.h b/src/analyzer/protocols/dns/DNS.h similarity index 99% rename from src/DNS.h rename to src/analyzer/protocols/dns/DNS.h index 7a342dc757..ca87f862c0 100644 --- a/src/DNS.h +++ b/src/analyzer/protocols/dns/DNS.h @@ -3,7 +3,7 @@ #ifndef dns_h #define dns_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "binpac_bro.h" typedef enum { 
diff --git a/src/analyzer/protocols/dns/Plugin.cc b/src/analyzer/protocols/dns/Plugin.cc new file mode 100644 index 0000000000..6bd4415f0e --- /dev/null +++ b/src/analyzer/protocols/dns/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "DNS.h" + +BRO_PLUGIN_BEGIN(DNS) + BRO_PLUGIN_DESCRIPTION("DNS Analyzer"); + BRO_PLUGIN_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/dns/events.bif b/src/analyzer/protocols/dns/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/file/CMakeLists.txt b/src/analyzer/protocols/file/CMakeLists.txt new file mode 100644 index 0000000000..924aadd406 --- /dev/null +++ b/src/analyzer/protocols/file/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(File) +bro_plugin_cc(File.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/FileAnalyzer.cc b/src/analyzer/protocols/file/File.cc similarity index 98% rename from src/FileAnalyzer.cc rename to src/analyzer/protocols/file/File.cc index 9663d51260..664e0a8c4c 100644 --- a/src/FileAnalyzer.cc +++ b/src/analyzer/protocols/file/File.cc @@ -1,6 +1,6 @@ #include -#include "FileAnalyzer.h" +#include "File.h" #include "Reporter.h" #include "util.h" diff --git a/src/FileAnalyzer.h b/src/analyzer/protocols/file/File.h similarity index 93% rename from src/FileAnalyzer.h rename to src/analyzer/protocols/file/File.h index 1d2a956ef2..ae55a34885 100644 --- a/src/FileAnalyzer.h +++ b/src/analyzer/protocols/file/File.h @@ -3,7 +3,7 @@ #ifndef FILEANALYZER_H #define FILEANALYZER_H -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include diff --git a/src/analyzer/protocols/file/Plugin.cc b/src/analyzer/protocols/file/Plugin.cc new file mode 100644 index 0000000000..a5868e0d7e 
--- /dev/null +++ b/src/analyzer/protocols/file/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "./File.h" + +BRO_PLUGIN_BEGIN(File) + BRO_PLUGIN_DESCRIPTION("Generic File Analyzer"); + BRO_PLUGIN_ANALYZER("File", File_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/file/events.bif b/src/analyzer/protocols/file/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/finger/CMakeLists.txt b/src/analyzer/protocols/finger/CMakeLists.txt new file mode 100644 index 0000000000..f51f892390 --- /dev/null +++ b/src/analyzer/protocols/finger/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Finger) +bro_plugin_cc(Finger.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/Finger.cc b/src/analyzer/protocols/finger/Finger.cc similarity index 97% rename from src/Finger.cc rename to src/analyzer/protocols/finger/Finger.cc index 35809194d4..cdebed9bb9 100644 --- a/src/Finger.cc +++ b/src/analyzer/protocols/finger/Finger.cc @@ -7,7 +7,7 @@ #include "NetVar.h" #include "Finger.h" #include "Event.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" Finger_Analyzer::Finger_Analyzer(Connection* conn) : TCP_ApplicationAnalyzer("FINGER", conn) diff --git a/src/Finger.h b/src/analyzer/protocols/finger/Finger.h similarity index 93% rename from src/Finger.h rename to src/analyzer/protocols/finger/Finger.h index 0be0c0eb19..f069daa8c7 100644 --- a/src/Finger.h +++ b/src/analyzer/protocols/finger/Finger.h @@ -3,7 +3,7 @@ #ifndef finger_h #define finger_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" class ContentLine_Analyzer; diff --git a/src/analyzer/protocols/finger/Plugin.cc b/src/analyzer/protocols/finger/Plugin.cc new file mode 100644 index 0000000000..98fd1f5985 --- /dev/null 
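Review bot: `#include "./File.h"` is the only `./`-prefixed include among the new Plugin.cc files, and it reads as a workaround for a name clash: this commit renames the analyzer header from `FileAnalyzer.h` to `File.h`, while the core already has a `BroFile` type (used in the Stats hunk at the top of this page) whose header — if it is likewise named `File.h` — now shares a basename with this one, and every plugin CMakeLists puts its own directory first via `include_directories(BEFORE ...)`. The `./` does not change quoted-include resolution for a same-directory file, so it disambiguates nothing for other translation units that include `"File.h"` expecting the core header. Keeping the distinctive `FileAnalyzer.h` name, or at least a comment such as `// local analyzer header, not the core File.h`, avoids a silent wrong-header pick-up later.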
+++ b/src/analyzer/protocols/finger/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "Finger.h" + +BRO_PLUGIN_BEGIN(Finger) + BRO_PLUGIN_DESCRIPTION("Finger Analyzer"); + BRO_PLUGIN_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/finger/events.bif b/src/analyzer/protocols/finger/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/ftp/CMakeLists.txt b/src/analyzer/protocols/ftp/CMakeLists.txt new file mode 100644 index 0000000000..b8b2e1bb3e --- /dev/null +++ b/src/analyzer/protocols/ftp/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(FTP) +bro_plugin_cc(FTP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/FTP.cc b/src/analyzer/protocols/ftp/FTP.cc similarity index 99% rename from src/FTP.cc rename to src/analyzer/protocols/ftp/FTP.cc index a0cc25292c..b371099c01 100644 --- a/src/FTP.cc +++ b/src/analyzer/protocols/ftp/FTP.cc @@ -6,10 +6,10 @@ #include "NetVar.h" #include "FTP.h" -#include "NVT.h" #include "Event.h" #include "Base64.h" #include "analyzer/Manager.h" +#include "analyzer/protocols/login/NVT.h" FTP_Analyzer::FTP_Analyzer(Connection* conn) : TCP_ApplicationAnalyzer("FTP", conn) diff --git a/src/FTP.h b/src/analyzer/protocols/ftp/FTP.h similarity index 94% rename from src/FTP.h rename to src/analyzer/protocols/ftp/FTP.h index 19393fc5aa..aaecfb98f1 100644 --- a/src/FTP.h +++ b/src/analyzer/protocols/ftp/FTP.h @@ -3,8 +3,8 @@ #ifndef ftp_h #define ftp_h -#include "NVT.h" -#include "TCP.h" +#include "analyzer/protocols/login/NVT.h" +#include "analyzer/protocols/tcp/TCP.h" class FTP_Analyzer : public TCP_ApplicationAnalyzer { public: 
diff --git a/src/analyzer/protocols/ftp/Plugin.cc b/src/analyzer/protocols/ftp/Plugin.cc new file mode 100644 index 0000000000..2a250b97ee --- /dev/null +++ b/src/analyzer/protocols/ftp/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "FTP.h" + +BRO_PLUGIN_BEGIN(FTP) + BRO_PLUGIN_DESCRIPTION("FTP Analyzer"); + BRO_PLUGIN_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ftp/events.bif b/src/analyzer/protocols/ftp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/gnutella/CMakeLists.txt b/src/analyzer/protocols/gnutella/CMakeLists.txt new file mode 100644 index 0000000000..7418ab46ba --- /dev/null +++ b/src/analyzer/protocols/gnutella/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Gnutella) +bro_plugin_cc(Gnutella.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/Gnutella.cc b/src/analyzer/protocols/gnutella/Gnutella.cc similarity index 99% rename from src/Gnutella.cc rename to src/analyzer/protocols/gnutella/Gnutella.cc index 9cfab4ff1a..bf2be877c0 100644 --- a/src/Gnutella.cc +++ b/src/analyzer/protocols/gnutella/Gnutella.cc @@ -9,7 +9,7 @@ #include "NetVar.h" #include "Gnutella.h" #include "Event.h" -#include "PIA.h" +#include "analyzer/protocols/pia/PIA.h" #include "analyzer/Manager.h" GnutellaMsgState::GnutellaMsgState() diff --git a/src/Gnutella.h b/src/analyzer/protocols/gnutella/Gnutella.h similarity index 97% rename from src/Gnutella.h rename to src/analyzer/protocols/gnutella/Gnutella.h index 2dd2a2ad12..085d4fbf56 100644 --- a/src/Gnutella.h +++ b/src/analyzer/protocols/gnutella/Gnutella.h 
@@ -3,7 +3,7 @@
 #ifndef gnutella_h
 #define gnutella_h
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #define ORIG_OK 0x1
 #define RESP_OK 0x2
diff --git a/src/analyzer/protocols/gnutella/Plugin.cc b/src/analyzer/protocols/gnutella/Plugin.cc
new file mode 100644
index 0000000000..6cc0b02771
--- /dev/null
+++ b/src/analyzer/protocols/gnutella/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "Gnutella.h"
+
+BRO_PLUGIN_BEGIN(Gnutella)
+ BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer");
+ BRO_PLUGIN_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/gnutella/events.bif b/src/analyzer/protocols/gnutella/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/gtpv1/CMakeLists.txt b/src/analyzer/protocols/gtpv1/CMakeLists.txt
new file mode 100644
index 0000000000..e414876df5
--- /dev/null
+++ b/src/analyzer/protocols/gtpv1/CMakeLists.txt
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(GTPV1)
+bro_plugin_cc(GTPv1.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac)
+bro_plugin_end()
diff --git a/src/GTPv1.cc b/src/analyzer/protocols/gtpv1/GTPv1.cc
similarity index 100%
rename from src/GTPv1.cc
rename to src/analyzer/protocols/gtpv1/GTPv1.cc
diff --git a/src/GTPv1.h b/src/analyzer/protocols/gtpv1/GTPv1.h
similarity index 100%
rename from src/GTPv1.h
rename to src/analyzer/protocols/gtpv1/GTPv1.h
diff --git a/src/analyzer/protocols/gtpv1/Plugin.cc b/src/analyzer/protocols/gtpv1/Plugin.cc
new file mode 100644
index 0000000000..caa9755828
--- /dev/null
+++ b/src/analyzer/protocols/gtpv1/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "GTPv1.h"
+
+BRO_PLUGIN_BEGIN(GTPV1)
+ BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer");
+ BRO_PLUGIN_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/gtpv1/events.bif b/src/analyzer/protocols/gtpv1/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/gtpv1-analyzer.pac b/src/analyzer/protocols/gtpv1/gtpv1-analyzer.pac
similarity index 100%
rename from src/gtpv1-analyzer.pac
rename to src/analyzer/protocols/gtpv1/gtpv1-analyzer.pac
diff --git a/src/gtpv1-protocol.pac b/src/analyzer/protocols/gtpv1/gtpv1-protocol.pac
similarity index 100%
rename from src/gtpv1-protocol.pac
rename to src/analyzer/protocols/gtpv1/gtpv1-protocol.pac
diff --git a/src/gtpv1.pac b/src/analyzer/protocols/gtpv1/gtpv1.pac
similarity index 100%
rename from src/gtpv1.pac
rename to src/analyzer/protocols/gtpv1/gtpv1.pac
diff --git a/src/analyzer/protocols/http/HTTP.h b/src/analyzer/protocols/http/HTTP.h
index 66cdf091bf..dae8fc1dcf 100644
--- a/src/analyzer/protocols/http/HTTP.h
+++ b/src/analyzer/protocols/http/HTTP.h
@@ -3,15 +3,16 @@
 #ifndef http_h
 #define http_h
-#include "TCP.h"
-#include "ContentLine.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocols/zip/ZIP.h"
 #include "MIME.h"
 #include "binpac_bro.h"
-#include "ZIP.h"
 #include "IPAddr.h"
-#include "HTTP.h"
 #include "events.bif.h"
+#include "HTTP.h"
+
 enum CHUNKED_TRANSFER_STATE {
 NON_CHUNKED_TRANSFER,
 BEFORE_CHUNK,
diff --git a/src/analyzer/protocols/icmp/CMakeLists.txt b/src/analyzer/protocols/icmp/CMakeLists.txt
new file mode 100644
index 0000000000..e867bac238
--- /dev/null
+++ b/src/analyzer/protocols/icmp/CMakeLists.txt
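Review bot: HTTP.h still includes itself (`+#include "HTTP.h"`, now moved to sit below `events.bif.h`); because that line is inside the `#ifndef http_h` guard that opens the hunk, `http_h` is already defined when it is reached and it expands to nothing, so it is dead and should be removed rather than reordered. Dropping it also spares the next reader the question of why a header's include list ends with the header itself. The rest of the new include order (tcp, zip, MIME, binpac, IPAddr, events.bif.h) reads fine.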
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(ICMP)
+bro_plugin_cc(ICMP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/ICMP.cc b/src/analyzer/protocols/icmp/ICMP.cc
similarity index 100%
rename from src/ICMP.cc
rename to src/analyzer/protocols/icmp/ICMP.cc
diff --git a/src/ICMP.h b/src/analyzer/protocols/icmp/ICMP.h
similarity index 100%
rename from src/ICMP.h
rename to src/analyzer/protocols/icmp/ICMP.h
diff --git a/src/analyzer/protocols/icmp/Plugin.cc b/src/analyzer/protocols/icmp/Plugin.cc
new file mode 100644
index 0000000000..517b243e24
--- /dev/null
+++ b/src/analyzer/protocols/icmp/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "ICMP.h"
+
+BRO_PLUGIN_BEGIN(ICMP)
+ BRO_PLUGIN_DESCRIPTION("ICMP Analyzer");
+ BRO_PLUGIN_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/icmp/events.bif b/src/analyzer/protocols/icmp/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/ident/CMakeLists.txt b/src/analyzer/protocols/ident/CMakeLists.txt
new file mode 100644
index 0000000000..a8d4102a58
--- /dev/null
+++ b/src/analyzer/protocols/ident/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Ident)
+bro_plugin_cc(Ident.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/Ident.cc b/src/analyzer/protocols/ident/Ident.cc
similarity index 100%
rename from src/Ident.cc
rename to src/analyzer/protocols/ident/Ident.cc
diff --git a/src/Ident.h b/src/analyzer/protocols/ident/Ident.h
similarity index 90%
rename from src/Ident.h
rename to src/analyzer/protocols/ident/Ident.h
index ffc927a73c..95383429ce 100644
--- a/src/Ident.h
+++ b/src/analyzer/protocols/ident/Ident.h
@@ -3,8 +3,8 @@
 #ifndef ident_h
 #define ident_h
-#include "TCP.h"
-#include "ContentLine.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
 class Ident_Analyzer : public TCP_ApplicationAnalyzer {
 public:
diff --git a/src/analyzer/protocols/ident/Plugin.cc b/src/analyzer/protocols/ident/Plugin.cc
new file mode 100644
index 0000000000..2c7ea208cd
--- /dev/null
+++ b/src/analyzer/protocols/ident/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "Ident.h"
+
+BRO_PLUGIN_BEGIN(Ident)
+ BRO_PLUGIN_DESCRIPTION("Ident Analyzer");
+ BRO_PLUGIN_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/ident/events.bif b/src/analyzer/protocols/ident/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/interconn/CMakeLists.txt b/src/analyzer/protocols/interconn/CMakeLists.txt
new file mode 100644
index 0000000000..6a5ae1f3fe
--- /dev/null
+++ b/src/analyzer/protocols/interconn/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(InterConn)
+bro_plugin_cc(InterConn.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/InterConn.cc b/src/analyzer/protocols/interconn/InterConn.cc
similarity index 99%
rename from src/InterConn.cc
rename to src/analyzer/protocols/interconn/InterConn.cc
index 65e814a962..70860a6532 100644
--- a/src/InterConn.cc
+++ b/src/analyzer/protocols/interconn/InterConn.cc
@@ -5,7 +5,7 @@
 #include "InterConn.h"
 #include "Event.h"
 #include "Net.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 InterConnEndpoint::InterConnEndpoint(TCP_Endpoint* e)
 {
diff --git a/src/InterConn.h b/src/analyzer/protocols/interconn/InterConn.h
similarity index 97%
rename from src/InterConn.h
rename to src/analyzer/protocols/interconn/InterConn.h
index 741bea45ba..9ee73d2ae8 100644
--- a/src/InterConn.h
+++ b/src/analyzer/protocols/interconn/InterConn.h
@@ -3,7 +3,7 @@
 #ifndef interconn_h
 #define interconn_h
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "Timer.h"
 #include "NetVar.h"
diff --git a/src/analyzer/protocols/interconn/Plugin.cc b/src/analyzer/protocols/interconn/Plugin.cc
new file mode 100644
index 0000000000..ba80cf52af
--- /dev/null
+++ b/src/analyzer/protocols/interconn/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "InterConn.h"
+
+BRO_PLUGIN_BEGIN(InterConn)
+ BRO_PLUGIN_DESCRIPTION("InterConn Analyzer (deprecated)");
+ BRO_PLUGIN_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/interconn/events.bif b/src/analyzer/protocols/interconn/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/irc/CMakeLists.txt b/src/analyzer/protocols/irc/CMakeLists.txt
new file mode 100644
index 0000000000..2e7ed7616b
--- /dev/null
+++ b/src/analyzer/protocols/irc/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(IRC)
+bro_plugin_cc(IRC.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/IRC.cc b/src/analyzer/protocols/irc/IRC.cc
similarity index 99%
rename from src/IRC.cc
rename to src/analyzer/protocols/irc/IRC.cc
index e778023553..2411efbabb 100644
--- a/src/IRC.cc
+++ b/src/analyzer/protocols/irc/IRC.cc
@@ -2,10 +2,10 @@
 #include
 #include "IRC.h"
-#include "ContentLine.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
 #include "NetVar.h"
 #include "Event.h"
-#include "ZIP.h"
+#include "analyzer/protocols/zip/ZIP.h"
 #include "analyzer/Manager.h"
diff --git a/src/IRC.h b/src/analyzer/protocols/irc/IRC.h
similarity index 97%
rename from src/IRC.h
rename to src/analyzer/protocols/irc/IRC.h
index 6a78bad025..17b91f51e5 100644
--- a/src/IRC.h
+++ b/src/analyzer/protocols/irc/IRC.h
@@ -2,7 +2,7 @@
 #ifndef irc_h
 #define irc_h
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 /**
 * \brief Main class for analyzing IRC traffic.
diff --git a/src/analyzer/protocols/irc/Plugin.cc b/src/analyzer/protocols/irc/Plugin.cc
new file mode 100644
index 0000000000..bb6ade5f1f
--- /dev/null
+++ b/src/analyzer/protocols/irc/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "IRC.h"
+
+BRO_PLUGIN_BEGIN(IRC)
+ BRO_PLUGIN_DESCRIPTION("IRC Analyzer");
+ BRO_PLUGIN_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/irc/events.bif b/src/analyzer/protocols/irc/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/login/CMakeLists.txt b/src/analyzer/protocols/login/CMakeLists.txt
new file mode 100644
index 0000000000..219c249d5e
--- /dev/null
+++ b/src/analyzer/protocols/login/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Login)
+bro_plugin_cc(Login.cc RSH.cc Telnet.cc Rlogin.cc NVT.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/Login.cc b/src/analyzer/protocols/login/Login.cc
similarity index 100%
rename from src/Login.cc
rename to src/analyzer/protocols/login/Login.cc
diff --git a/src/Login.h b/src/analyzer/protocols/login/Login.h
similarity index 98%
rename from src/Login.h
rename to src/analyzer/protocols/login/Login.h
index 6337738e7d..67b6a3c094 100644
--- a/src/Login.h
+++ b/src/analyzer/protocols/login/Login.h
@@ -3,7 +3,7 @@
 #ifndef login_h
 #define login_h
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 typedef enum {
 LOGIN_STATE_AUTHENTICATE, // trying to authenticate
diff --git a/src/NVT.cc b/src/analyzer/protocols/login/NVT.cc
similarity index 99%
rename from src/NVT.cc
rename to src/analyzer/protocols/login/NVT.cc
index 641ad211e4..d51d562bd5 100644
--- a/src/NVT.cc
+++ b/src/analyzer/protocols/login/NVT.cc
@@ -7,7 +7,7 @@
 #include "NVT.h"
 #include "NetVar.h"
 #include "Event.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #define IS_3_BYTE_OPTION(c) (c >= 251 && c <= 254)
diff --git a/src/NVT.h b/src/analyzer/protocols/login/NVT.h
similarity index 98%
rename from src/NVT.h
rename to src/analyzer/protocols/login/NVT.h
index 61aa1ef740..da97a251f0 100644
--- a/src/NVT.h
+++ b/src/analyzer/protocols/login/NVT.h
@@ -3,7 +3,7 @@
 #ifndef nvt_h
 #define nvt_h
-#include "ContentLine.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
 #define TELNET_OPTION_BINARY 0
diff --git a/src/analyzer/protocols/login/Plugin.cc b/src/analyzer/protocols/login/Plugin.cc
new file mode 100644
index 0000000000..10166783c0
--- /dev/null
+++ b/src/analyzer/protocols/login/Plugin.cc
@@ -0,0 +1,19 @@
+
+#include "plugin/Plugin.h"
+
+#include "Login.h"
+#include "Telnet.h"
+#include "RSH.h"
+#include "Rlogin.h"
+
+BRO_PLUGIN_BEGIN(Login)
+ BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin Analyzer");
+ BRO_PLUGIN_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("NVT", 0);
+ BRO_PLUGIN_ANALYZER("Login", 0);
+ BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh");
+ BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rlogin");
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/RSH.cc b/src/analyzer/protocols/login/RSH.cc
similarity index 100%
rename from src/RSH.cc
rename to src/analyzer/protocols/login/RSH.cc
diff --git a/src/RSH.h b/src/analyzer/protocols/login/RSH.h
similarity index 96%
rename from src/RSH.h
rename to src/analyzer/protocols/login/RSH.h
index c4eb8fb689..80cc4a6559 100644
--- a/src/RSH.h
+++ b/src/analyzer/protocols/login/RSH.h
@@ -4,7 +4,7 @@
 #define rsh_h
 #include "Login.h"
-#include "ContentLine.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
 typedef enum {
 RSH_FIRST_NULL, // waiting to see first NUL
diff --git a/src/Rlogin.cc b/src/analyzer/protocols/login/Rlogin.cc
similarity index 100%
rename from src/Rlogin.cc
rename to src/analyzer/protocols/login/Rlogin.cc
diff --git a/src/Rlogin.h b/src/analyzer/protocols/login/Rlogin.h
similarity index 97%
rename from src/Rlogin.h
rename to src/analyzer/protocols/login/Rlogin.h
index 5fcd209896..0ad72b1908 100644
--- a/src/Rlogin.h
+++ b/src/analyzer/protocols/login/Rlogin.h
@@ -4,7 +4,7 @@
 #define rlogin_h
 #include "Login.h"
-#include "ContentLine.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
 typedef enum {
 RLOGIN_FIRST_NULL, // waiting to see first NUL
diff --git a/src/Telnet.cc b/src/analyzer/protocols/login/Telnet.cc
similarity index 100%
rename from src/Telnet.cc
rename to src/analyzer/protocols/login/Telnet.cc
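Review bot: `BRO_PLUGIN_ANALYZER("NVT", 0);` and `BRO_PLUGIN_ANALYZER("Login", 0);` in login/Plugin.cc register analyzer tags with a null factory and nothing in the hunk says why, which a later reader will either "fix" or trip over. A comment above those two lines would settle it, e.g. `// No factory: NVT and Login are not instantiated by tag here; presumably only created internally by the Telnet/Rsh/Rlogin analyzers -- confirm.` It is also worth confirming that the plugin manager checks the factory for null before calling it when a script enables one of these tags by name, since every other use of the macro in this patch passes a real function. Separately, `"Login"` is the only mixed-case tag in this file (the rest are `TELNET`, `RSH`, `RLOGIN`, `NVT`), and `"NetbiosSSN"` in netbios-ssn/Plugin.cc has the same inconsistency with the all-caps tags used by every other plugin in the patch; if tag lookup is case-sensitive, that spelling is what scripts will have to match.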
diff --git a/src/Telnet.h b/src/analyzer/protocols/login/Telnet.h
similarity index 100%
rename from src/Telnet.h
rename to src/analyzer/protocols/login/Telnet.h
diff --git a/src/analyzer/protocols/login/events.bif b/src/analyzer/protocols/login/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/modbus/CMakeLists.txt b/src/analyzer/protocols/modbus/CMakeLists.txt
new file mode 100644
index 0000000000..120e352f36
--- /dev/null
+++ b/src/analyzer/protocols/modbus/CMakeLists.txt
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Modbus)
+bro_plugin_cc(Modbus.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(modbus.pac modbus-analyzer.pac modbus-protocol.pac)
+bro_plugin_end()
diff --git a/src/Modbus.cc b/src/analyzer/protocols/modbus/Modbus.cc
similarity index 94%
rename from src/Modbus.cc
rename to src/analyzer/protocols/modbus/Modbus.cc
index 22772daea0..841638cd0b 100644
--- a/src/Modbus.cc
+++ b/src/analyzer/protocols/modbus/Modbus.cc
@@ -1,6 +1,6 @@
 #include "Modbus.h"
-#include "TCP_Reassembler.h"
+#include "analyzer/protocols/tcp/TCP_Reassembler.h"
 ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c)
 : TCP_ApplicationAnalyzer("MODBUS", c)
diff --git a/src/Modbus.h b/src/analyzer/protocols/modbus/Modbus.h
similarity index 93%
rename from src/Modbus.h
rename to src/analyzer/protocols/modbus/Modbus.h
index b00a074ada..41b0267dc8 100644
--- a/src/Modbus.h
+++ b/src/analyzer/protocols/modbus/Modbus.h
@@ -1,7 +1,7 @@
 #ifndef MODBUS_H
 #define MODBUS_H
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "modbus_pac.h"
 class ModbusTCP_Analyzer : public TCP_ApplicationAnalyzer {
diff --git a/src/analyzer/protocols/modbus/Plugin.cc b/src/analyzer/protocols/modbus/Plugin.cc
new file mode 100644
index 0000000000..9c53c8b814
--- /dev/null
+++ b/src/analyzer/protocols/modbus/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "Modbus.h"
+
+BRO_PLUGIN_BEGIN(Modbus)
+ BRO_PLUGIN_DESCRIPTION("Modbus Analyzer");
+ BRO_PLUGIN_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/modbus/events.bif b/src/analyzer/protocols/modbus/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modbus-analyzer.pac b/src/analyzer/protocols/modbus/modbus-analyzer.pac
similarity index 100%
rename from src/modbus-analyzer.pac
rename to src/analyzer/protocols/modbus/modbus-analyzer.pac
diff --git a/src/modbus-protocol.pac b/src/analyzer/protocols/modbus/modbus-protocol.pac
similarity index 100%
rename from src/modbus-protocol.pac
rename to src/analyzer/protocols/modbus/modbus-protocol.pac
diff --git a/src/modbus.pac b/src/analyzer/protocols/modbus/modbus.pac
similarity index 100%
rename from src/modbus.pac
rename to src/analyzer/protocols/modbus/modbus.pac
diff --git a/src/analyzer/protocols/ncp/CMakeLists.txt b/src/analyzer/protocols/ncp/CMakeLists.txt
new file mode 100644
index 0000000000..021561f0aa
--- /dev/null
+++ b/src/analyzer/protocols/ncp/CMakeLists.txt
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(NCP)
+bro_plugin_cc(NCP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(ncp.pac)
+bro_plugin_end()
diff --git a/src/NCP.cc b/src/analyzer/protocols/ncp/NCP.cc
similarity index 100%
rename from src/NCP.cc
rename to src/analyzer/protocols/ncp/NCP.cc
diff --git a/src/NCP.h b/src/analyzer/protocols/ncp/NCP.h
similarity index 98%
rename from src/NCP.h
rename to src/analyzer/protocols/ncp/NCP.h
index 4fcddfca39..ae54b7b9ee 100644
--- a/src/NCP.h
+++ b/src/analyzer/protocols/ncp/NCP.h
@@ -19,7 +19,7 @@
 // http://faydoc.tripod.com/structures/21/2149.htm
 #include "NetVar.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "ncp_pac.h"
diff --git a/src/NCP_func.def b/src/analyzer/protocols/ncp/NCP_func.def
similarity index 100%
rename from src/NCP_func.def
rename to src/analyzer/protocols/ncp/NCP_func.def
diff --git a/src/analyzer/protocols/ncp/Plugin.cc b/src/analyzer/protocols/ncp/Plugin.cc
new file mode 100644
index 0000000000..bc52a2c065
--- /dev/null
+++ b/src/analyzer/protocols/ncp/Plugin.cc
@@ -0,0 +1,11 @@
+
+#include "plugin/Plugin.h"
+
+#include "NCP.h"
+
+BRO_PLUGIN_BEGIN(NCP)
+ BRO_PLUGIN_DESCRIPTION("NCP Analyzer");
+ BRO_PLUGIN_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NCP");
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/ncp/events.bif b/src/analyzer/protocols/ncp/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/ncp.pac b/src/analyzer/protocols/ncp/ncp.pac
similarity index 100%
rename from src/ncp.pac
rename to src/analyzer/protocols/ncp/ncp.pac
diff --git a/src/analyzer/protocols/netbios-ssn/CMakeLists.txt b/src/analyzer/protocols/netbios-ssn/CMakeLists.txt
new file mode 100644
index 0000000000..8292c11546
--- /dev/null
+++ b/src/analyzer/protocols/netbios-ssn/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(NetbiosSSN)
+bro_plugin_cc(NetbiosSSN.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/NetbiosSSN.cc b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc
similarity index 100%
rename from src/NetbiosSSN.cc
rename to src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc
diff --git a/src/NetbiosSSN.h b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h
similarity index 97%
rename from src/NetbiosSSN.h
rename to src/analyzer/protocols/netbios-ssn/NetbiosSSN.h
index 8d2cc92089..9830d192ad 100644
--- a/src/NetbiosSSN.h
+++ b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h
@@ -3,9 +3,9 @@
 #ifndef netbios_ssn_h
 #define netbios_ssn_h
-#include "UDP.h"
-#include "TCP.h"
-#include "SMB.h"
+#include "analyzer/protocols/udp/UDP.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/smb/SMB.h"
 typedef enum {
 NETBIOS_SSN_MSG = 0x0,
diff --git a/src/analyzer/protocols/netbios-ssn/Plugin.cc b/src/analyzer/protocols/netbios-ssn/Plugin.cc
new file mode 100644
index 0000000000..b14c3a9d8f
--- /dev/null
+++ b/src/analyzer/protocols/netbios-ssn/Plugin.cc
@@ -0,0 +1,11 @@
+
+#include "plugin/Plugin.h"
+
+#include "NetbiosSSN.h"
+
+BRO_PLUGIN_BEGIN(NetbiosSSN)
+ BRO_PLUGIN_DESCRIPTION("NetbiosSSN Analyzer");
+ BRO_PLUGIN_ANALYZER("NetbiosSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN");
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/netbios-ssn/events.bif b/src/analyzer/protocols/netbios-ssn/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/ntp/CMakeLists.txt b/src/analyzer/protocols/ntp/CMakeLists.txt
new file mode 100644
index 0000000000..b16c1edee9
--- /dev/null
+++ b/src/analyzer/protocols/ntp/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(NTP)
+bro_plugin_cc(NTP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/NTP.cc b/src/analyzer/protocols/ntp/NTP.cc
similarity index 100%
rename from src/NTP.cc
rename to src/analyzer/protocols/ntp/NTP.cc
diff --git a/src/NTP.h b/src/analyzer/protocols/ntp/NTP.h
similarity index 97%
rename from src/NTP.h
rename to src/analyzer/protocols/ntp/NTP.h
index 9dc5dc6af9..d161b4795d 100644
--- a/src/NTP.h
+++ b/src/analyzer/protocols/ntp/NTP.h
@@ -3,7 +3,7 @@
 #ifndef ntp_h
 #define ntp_h
-#include "UDP.h"
+#include "analyzer/protocols/udp/UDP.h"
 // The following are from the tcpdump distribution, credited there
diff --git a/src/analyzer/protocols/ntp/Plugin.cc b/src/analyzer/protocols/ntp/Plugin.cc
new file mode 100644
index 0000000000..f2a0e487c9
--- /dev/null
+++ b/src/analyzer/protocols/ntp/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "NTP.h"
+
+BRO_PLUGIN_BEGIN(NTP)
+ BRO_PLUGIN_DESCRIPTION("NTP Analyzer");
+ BRO_PLUGIN_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/ntp/events.bif b/src/analyzer/protocols/ntp/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/pia/CMakeLists.txt b/src/analyzer/protocols/pia/CMakeLists.txt
new file mode 100644
index 0000000000..8c55deca09
--- /dev/null
+++ b/src/analyzer/protocols/pia/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(PIA)
+bro_plugin_cc(PIA.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/PIA.cc b/src/analyzer/protocols/pia/PIA.cc
similarity index 99%
rename from src/PIA.cc
rename to src/analyzer/protocols/pia/PIA.cc
index 2e4cf06e86..eb21fc7331 100644
--- a/src/PIA.cc
+++ b/src/analyzer/protocols/pia/PIA.cc
@@ -1,6 +1,6 @@
 #include "PIA.h"
 #include "RuleMatcher.h"
-#include "TCP_Reassembler.h"
+#include "analyzer/protocols/tcp/TCP_Reassembler.h"
 PIA::PIA(analyzer::Analyzer* arg_as_analyzer)
 {
diff --git a/src/PIA.h b/src/analyzer/protocols/pia/PIA.h
similarity index 99%
rename from src/PIA.h
rename to src/analyzer/protocols/pia/PIA.h
index 920bd9c976..a91a516165 100644
--- a/src/PIA.h
+++ b/src/analyzer/protocols/pia/PIA.h
@@ -4,7 +4,7 @@
 #define PIA_H
 #include "analyzer/Analyzer.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 class RuleEndpointState;
diff --git a/src/analyzer/protocols/pia/Plugin.cc b/src/analyzer/protocols/pia/Plugin.cc
new file mode 100644
index 0000000000..a62e757164
--- /dev/null
+++ b/src/analyzer/protocols/pia/Plugin.cc
@@ -0,0 +1,11 @@
+
+#include "plugin/Plugin.h"
+
+#include "PIA.h"
+
+BRO_PLUGIN_BEGIN(PIA)
+ BRO_PLUGIN_DESCRIPTION("Protocol Identificatin Analyzers");
+ BRO_PLUGIN_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/pia/events.bif b/src/analyzer/protocols/pia/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/pop3/CMakeLists.txt b/src/analyzer/protocols/pop3/CMakeLists.txt
new file mode 100644
index 0000000000..5af5a7f624
--- /dev/null
+++ b/src/analyzer/protocols/pop3/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(POP3)
+bro_plugin_cc(POP3.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/POP3.cc b/src/analyzer/protocols/pop3/POP3.cc
similarity index 99%
rename from src/POP3.cc
rename to src/analyzer/protocols/pop3/POP3.cc
index 697dc0434e..6b4fda8169 100644
--- a/src/POP3.cc
+++ b/src/analyzer/protocols/pop3/POP3.cc
@@ -12,8 +12,8 @@
 #include "NetVar.h"
 #include "POP3.h"
 #include "Event.h"
-#include "NVT.h"
 #include "Reporter.h"
+#include "analyzer/protocols/login/NVT.h"
 #undef POP3_CMD_DEF
 #define POP3_CMD_DEF(cmd) #cmd,
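Review bot: The description string in pia/Plugin.cc, `BRO_PLUGIN_DESCRIPTION("Protocol Identificatin Analyzers");`, has a typo and should read `BRO_PLUGIN_DESCRIPTION("Protocol Identification Analyzers");`. Since this string is what the plugin reports about itself, the misspelling will surface wherever plugin descriptions are listed, so it is worth fixing before the file is copied as a template for further plugins.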
diff --git a/src/POP3.h b/src/analyzer/protocols/pop3/POP3.h
similarity index 95%
rename from src/POP3.h
rename to src/analyzer/protocols/pop3/POP3.h
index 5c10865ba3..10dbe9d085 100644
--- a/src/POP3.h
+++ b/src/analyzer/protocols/pop3/POP3.h
@@ -9,8 +9,8 @@
 #include
 #include
-#include "NVT.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/login/NVT.h"
 #include "MIME.h"
diff --git a/src/POP3_cmd.def b/src/analyzer/protocols/pop3/POP3_cmd.def
similarity index 100%
rename from src/POP3_cmd.def
rename to src/analyzer/protocols/pop3/POP3_cmd.def
diff --git a/src/analyzer/protocols/pop3/Plugin.cc b/src/analyzer/protocols/pop3/Plugin.cc
new file mode 100644
index 0000000000..5f56ade93a
--- /dev/null
+++ b/src/analyzer/protocols/pop3/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "POP3.h"
+
+BRO_PLUGIN_BEGIN(POP3)
+ BRO_PLUGIN_DESCRIPTION("POP3 Analyzer");
+ BRO_PLUGIN_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/pop3/events.bif b/src/analyzer/protocols/pop3/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/rpc/CMakeLists.txt b/src/analyzer/protocols/rpc/CMakeLists.txt
new file mode 100644
index 0000000000..edf6371dd1
--- /dev/null
+++ b/src/analyzer/protocols/rpc/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(RPC)
+bro_plugin_cc(RPC.cc NFS.cc Portmap.cc XDR.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/NFS.cc b/src/analyzer/protocols/rpc/NFS.cc
similarity index 100%
rename from src/NFS.cc
rename to src/analyzer/protocols/rpc/NFS.cc
diff --git a/src/NFS.h b/src/analyzer/protocols/rpc/NFS.h
similarity index 100%
rename from src/NFS.h
rename to src/analyzer/protocols/rpc/NFS.h
diff --git a/src/analyzer/protocols/rpc/Plugin.cc b/src/analyzer/protocols/rpc/Plugin.cc
new file mode 100644
index 0000000000..25c958859b
--- /dev/null
+++ b/src/analyzer/protocols/rpc/Plugin.cc
@@ -0,0 +1,15 @@
+
+#include "plugin/Plugin.h"
+
+#include "RPC.h"
+#include "NFS.h"
+#include "Portmap.h"
+
+BRO_PLUGIN_BEGIN(RPC)
+ BRO_PLUGIN_DESCRIPTION("Analyzers for RPC-based protocols");
+ BRO_PLUGIN_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_SUPPORT_ANALYZER("Contents_RPC");
+ BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NFS");
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/Portmap.cc b/src/analyzer/protocols/rpc/Portmap.cc
similarity index 100%
rename from src/Portmap.cc
rename to src/analyzer/protocols/rpc/Portmap.cc
diff --git a/src/Portmap.h b/src/analyzer/protocols/rpc/Portmap.h
similarity index 100%
rename from src/Portmap.h
rename to src/analyzer/protocols/rpc/Portmap.h
diff --git a/src/RPC.cc b/src/analyzer/protocols/rpc/RPC.cc
similarity index 100%
rename from src/RPC.cc
rename to src/analyzer/protocols/rpc/RPC.cc
diff --git a/src/RPC.h b/src/analyzer/protocols/rpc/RPC.h
similarity index 98%
rename from src/RPC.h
rename to src/analyzer/protocols/rpc/RPC.h
index 960b9c744a..da39e9f220 100644
--- a/src/RPC.h
+++ b/src/analyzer/protocols/rpc/RPC.h
@@ -3,8 +3,8 @@
 #ifndef rpc_h
 #define rpc_h
-#include "TCP.h"
-#include "UDP.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/udp/UDP.h"
 enum {
 RPC_CALL = 0,
diff --git a/src/XDR.cc b/src/analyzer/protocols/rpc/XDR.cc
similarity index 100%
rename from src/XDR.cc
rename to src/analyzer/protocols/rpc/XDR.cc
diff --git a/src/XDR.h b/src/analyzer/protocols/rpc/XDR.h
similarity index 100%
rename from src/XDR.h
rename to src/analyzer/protocols/rpc/XDR.h
diff --git a/src/analyzer/protocols/rpc/events.bif b/src/analyzer/protocols/rpc/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/smb/CMakeLists.txt b/src/analyzer/protocols/smb/CMakeLists.txt
new file mode 100644
index 0000000000..30338d91f5
--- /dev/null
+++ b/src/analyzer/protocols/smb/CMakeLists.txt
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(SMB)
+bro_plugin_cc(SMB.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/smb/Plugin.cc b/src/analyzer/protocols/smb/Plugin.cc
new file mode 100644
index 0000000000..543638faf4
--- /dev/null
+++ b/src/analyzer/protocols/smb/Plugin.cc
@@ -0,0 +1,11 @@
+
+#include "plugin/Plugin.h"
+
+#include "SMB.h"
+
+BRO_PLUGIN_BEGIN(SMB)
+ BRO_PLUGIN_DESCRIPTION("SMB Analyzer");
+ BRO_PLUGIN_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_SUPPORT_ANALYZER("Contents_SMB");
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/SMB.cc b/src/analyzer/protocols/smb/SMB.cc
similarity index 100%
rename from src/SMB.cc
rename to src/analyzer/protocols/smb/SMB.cc
diff --git a/src/SMB.h b/src/analyzer/protocols/smb/SMB.h
similarity index 98%
rename from src/SMB.h
rename to src/analyzer/protocols/smb/SMB.h
index 7e7f1cea1d..83f3811010 100644
--- a/src/SMB.h
+++ b/src/analyzer/protocols/smb/SMB.h
@@ -6,8 +6,8 @@
 // SMB (CIFS) analyzer.
 // Reference: http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf
-#include "TCP.h"
-#include "DCE_RPC.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/dce-rpc/DCE_RPC.h"
 #include "smb_pac.h"
 enum IPC_named_pipe {
diff --git a/src/SMB_COM.def b/src/analyzer/protocols/smb/SMB_COM.def
similarity index 100%
rename from src/SMB_COM.def
rename to src/analyzer/protocols/smb/SMB_COM.def
diff --git a/src/analyzer/protocols/smb/events.bif b/src/analyzer/protocols/smb/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/smb-mailslot.pac b/src/analyzer/protocols/smb/smb-mailslot.pac
similarity index 100%
rename from src/smb-mailslot.pac
rename to src/analyzer/protocols/smb/smb-mailslot.pac
diff --git a/src/smb-pipe.pac b/src/analyzer/protocols/smb/smb-pipe.pac
similarity index 100%
rename from src/smb-pipe.pac
rename to src/analyzer/protocols/smb/smb-pipe.pac
diff --git a/src/smb-protocol.pac b/src/analyzer/protocols/smb/smb-protocol.pac
similarity index 100%
rename from src/smb-protocol.pac
rename to src/analyzer/protocols/smb/smb-protocol.pac
diff --git a/src/smb.pac b/src/analyzer/protocols/smb/smb.pac
similarity index 100%
rename from src/smb.pac
rename to src/analyzer/protocols/smb/smb.pac
diff --git a/src/analyzer/protocols/smtp/CMakeLists.txt b/src/analyzer/protocols/smtp/CMakeLists.txt
new file mode 100644
index 0000000000..53f9dd1246
--- /dev/null
+++ b/src/analyzer/protocols/smtp/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(SMTP)
+bro_plugin_cc(SMTP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/smtp/Plugin.cc b/src/analyzer/protocols/smtp/Plugin.cc
new file mode 100644
index 0000000000..6b9f7a0aeb
--- /dev/null
+++ b/src/analyzer/protocols/smtp/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "SMTP.h"
+
+BRO_PLUGIN_BEGIN(SMTP)
+ BRO_PLUGIN_DESCRIPTION("SMTP Analyzer");
+ BRO_PLUGIN_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/SMTP.cc b/src/analyzer/protocols/smtp/SMTP.cc
similarity index 99%
rename from src/SMTP.cc
rename to src/analyzer/protocols/smtp/SMTP.cc
index 16be4480dc..c674c120ec 100644
--- a/src/SMTP.cc
+++ b/src/analyzer/protocols/smtp/SMTP.cc
@@ -7,8 +7,8 @@
 #include "NetVar.h"
 #include "SMTP.h"
 #include "Event.h"
-#include "ContentLine.h"
 #include "Reporter.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
 #undef SMTP_CMD_DEF
 #define SMTP_CMD_DEF(cmd) #cmd,
diff --git a/src/SMTP.h b/src/analyzer/protocols/smtp/SMTP.h
similarity index 98%
rename from src/SMTP.h
rename to src/analyzer/protocols/smtp/SMTP.h
index d4b7dd63a6..d525fb11af 100644
--- a/src/SMTP.h
+++ b/src/analyzer/protocols/smtp/SMTP.h
@@ -6,7 +6,7 @@
 #include
 using namespace std;
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "MIME.h"
diff --git a/src/SMTP_cmd.def b/src/analyzer/protocols/smtp/SMTP_cmd.def
similarity index 100%
rename from src/SMTP_cmd.def
rename to src/analyzer/protocols/smtp/SMTP_cmd.def
diff --git a/src/analyzer/protocols/smtp/events.bif b/src/analyzer/protocols/smtp/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/socks/CMakeLists.txt b/src/analyzer/protocols/socks/CMakeLists.txt
new file mode 100644
index 0000000000..451dfd53f4
--- /dev/null
+++ b/src/analyzer/protocols/socks/CMakeLists.txt
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(SOCKS)
+bro_plugin_cc(SOCKS.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(socks.pac socks-protocol.pac socks-analyzer.pac)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/socks/Plugin.cc b/src/analyzer/protocols/socks/Plugin.cc
new file mode 100644
index 0000000000..080a8329de
--- /dev/null
+++ b/src/analyzer/protocols/socks/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "SOCKS.h"
+
+BRO_PLUGIN_BEGIN(SOCKS)
+ BRO_PLUGIN_DESCRIPTION("SOCKS Analyzer");
+ BRO_PLUGIN_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/SOCKS.cc b/src/analyzer/protocols/socks/SOCKS.cc
similarity index 96%
rename from src/SOCKS.cc
rename to src/analyzer/protocols/socks/SOCKS.cc
index 0157c19cd7..25ebf9796e 100644
--- a/src/SOCKS.cc
+++ b/src/analyzer/protocols/socks/SOCKS.cc
@@ -1,6 +1,6 @@
 #include "SOCKS.h"
 #include "socks_pac.h"
-#include "TCP_Reassembler.h"
+#include "analyzer/protocols/tcp/TCP_Reassembler.h"
 SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn)
 : TCP_ApplicationAnalyzer("SOCKS", conn)
diff --git a/src/SOCKS.h b/src/analyzer/protocols/socks/SOCKS.h
similarity index 89%
rename from src/SOCKS.h
rename to src/analyzer/protocols/socks/SOCKS.h
index 767d0a1eb7..8abdfe3a3f 100644
--- a/src/SOCKS.h
+++ b/src/analyzer/protocols/socks/SOCKS.h
@@ -3,8 +3,8 @@
 // SOCKS v4 analyzer.
-#include "TCP.h"
-#include "PIA.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/pia/PIA.h"
 namespace binpac {
 namespace SOCKS {
diff --git a/src/analyzer/protocols/socks/events.bif b/src/analyzer/protocols/socks/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/socks-analyzer.pac b/src/analyzer/protocols/socks/socks-analyzer.pac
similarity index 100%
rename from src/socks-analyzer.pac
rename to src/analyzer/protocols/socks/socks-analyzer.pac
diff --git a/src/socks-protocol.pac b/src/analyzer/protocols/socks/socks-protocol.pac
similarity index 100%
rename from src/socks-protocol.pac
rename to src/analyzer/protocols/socks/socks-protocol.pac
diff --git a/src/socks.pac b/src/analyzer/protocols/socks/socks.pac
similarity index 100%
rename from src/socks.pac
rename to src/analyzer/protocols/socks/socks.pac
diff --git a/src/analyzer/protocols/ssh/CMakeLists.txt b/src/analyzer/protocols/ssh/CMakeLists.txt
new file mode 100644
index 0000000000..659e3207ab
--- /dev/null
+++ b/src/analyzer/protocols/ssh/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(SSH)
+bro_plugin_cc(SSH.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/ssh/Plugin.cc b/src/analyzer/protocols/ssh/Plugin.cc
new file mode 100644
index 0000000000..76603220d3
--- /dev/null
+++ b/src/analyzer/protocols/ssh/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "SSH.h"
+
+BRO_PLUGIN_BEGIN(SSH)
+ BRO_PLUGIN_DESCRIPTION("SSH Analyzer");
+ BRO_PLUGIN_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/SSH.cc b/src/analyzer/protocols/ssh/SSH.cc
similarity index 97%
rename from src/SSH.cc
rename to src/analyzer/protocols/ssh/SSH.cc
index 0bb710ac2f..3b89422d5a 100644
--- a/src/SSH.cc
+++ b/src/analyzer/protocols/ssh/SSH.cc
@@ -7,7 +7,7 @@
 #include "NetVar.h"
 #include "SSH.h"
 #include "Event.h"
-#include "ContentLine.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
 SSH_Analyzer::SSH_Analyzer(Connection* c)
 : TCP_ApplicationAnalyzer("SSH", c)
diff --git a/src/SSH.h b/src/analyzer/protocols/ssh/SSH.h
similarity index 83%
rename from src/SSH.h
rename to src/analyzer/protocols/ssh/SSH.h
index a6a2f4e154..d3cda5f2f5 100644
--- a/src/SSH.h
+++ b/src/analyzer/protocols/ssh/SSH.h
@@ -3,8 +3,8 @@
 #ifndef ssh_h
 #define ssh_h
-#include "TCP.h"
-#include "ContentLine.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
 class SSH_Analyzer : public TCP_ApplicationAnalyzer {
 public:
diff --git a/src/analyzer/protocols/ssh/events.bif b/src/analyzer/protocols/ssh/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/ssl/SSL.cc b/src/analyzer/protocols/ssl/SSL.cc
index da3e1e55f3..deec34e5d9 100644
--- a/src/analyzer/protocols/ssl/SSL.cc
+++ b/src/analyzer/protocols/ssl/SSL.cc
@@ -1,6 +1,6 @@
 #include "SSL.h"
-#include "TCP_Reassembler.h"
+#include "analyzer/protocols/tcp/TCP_Reassembler.h"
 #include "Reporter.h"
 #include "util.h"
diff --git a/src/analyzer/protocols/ssl/SSL.h b/src/analyzer/protocols/ssl/SSL.h
index cf6269a6e4..1d451a40ef 100644
--- a/src/analyzer/protocols/ssl/SSL.h
+++ b/src/analyzer/protocols/ssl/SSL.h
@@ -3,7 +3,7 @@
 #include "events.bif.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "ssl_pac.h"
 class SSL_Analyzer : public TCP_ApplicationAnalyzer {
diff --git a/src/analyzer/protocols/stepping-stone/CMakeLists.txt b/src/analyzer/protocols/stepping-stone/CMakeLists.txt
new file mode 100644
index 0000000000..4de6210027
--- /dev/null
+++ b/src/analyzer/protocols/stepping-stone/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(SteppingStone)
+bro_plugin_cc(SteppingStone.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/stepping-stone/Plugin.cc b/src/analyzer/protocols/stepping-stone/Plugin.cc
new file mode 100644
index 0000000000..18bfa41063
--- /dev/null
+++ b/src/analyzer/protocols/stepping-stone/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "SteppingStone.h"
+
+BRO_PLUGIN_BEGIN(SteppingStone)
+ BRO_PLUGIN_DESCRIPTION("SteppingStone Analyzer (deprecated)");
+ BRO_PLUGIN_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/SteppingStone.cc b/src/analyzer/protocols/stepping-stone/SteppingStone.cc
similarity index 99%
rename from src/SteppingStone.cc
rename to src/analyzer/protocols/stepping-stone/SteppingStone.cc
index 1809b4abef..f2f4561de6 100644
--- a/src/SteppingStone.cc
+++ b/src/analyzer/protocols/stepping-stone/SteppingStone.cc
@@ -7,7 +7,7 @@
 #include "Event.h"
 #include "Net.h"
 #include "NetVar.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "SteppingStone.h"
 #include "util.h"
diff --git a/src/SteppingStone.h b/src/analyzer/protocols/stepping-stone/SteppingStone.h
similarity index 98%
rename from src/SteppingStone.h
rename to src/analyzer/protocols/stepping-stone/SteppingStone.h
index 4ec4dbc2e1..cbf22e7715 100644
--- a/src/SteppingStone.h
+++ b/src/analyzer/protocols/stepping-stone/SteppingStone.h
@@ -4,7 +4,7 @@
 #define steppingstone_h
 #include "Queue.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 class NetSessions;
diff --git a/src/analyzer/protocols/stepping-stone/events.bif b/src/analyzer/protocols/stepping-stone/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/syslog/Syslog.cc b/src/analyzer/protocols/syslog/Syslog.cc
index 137cecbd18..94ca996cce 100644
--- a/src/analyzer/protocols/syslog/Syslog.cc
+++ b/src/analyzer/protocols/syslog/Syslog.cc
@@ -1,6 +1,6 @@
 #include "Syslog.h"
-#include "TCP_Reassembler.h"
+#include "analyzer/protocols/tcp/TCP_Reassembler.h"
 Syslog_Analyzer::Syslog_Analyzer(Connection* conn)
 : Analyzer("SYSLOG", conn)
diff --git a/src/analyzer/protocols/syslog/Syslog.h b/src/analyzer/protocols/syslog/Syslog.h
index 2a96bd8ae6..32b7b3439a 100644
--- a/src/analyzer/protocols/syslog/Syslog.h
+++ b/src/analyzer/protocols/syslog/Syslog.h
@@ -2,8 +2,8 @@
 #ifndef Syslog_h
 #define Syslog_h
-#include "UDP.h"
-#include "TCP.h"
+#include "analyzer/protocols/udp/UDP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "syslog_pac.h"
diff --git a/src/analyzer/protocols/tcp/CMakeLists.txt b/src/analyzer/protocols/tcp/CMakeLists.txt
new file mode 100644
index 0000000000..b8cf0e2bf4
--- /dev/null
+++ b/src/analyzer/protocols/tcp/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(TCP)
+bro_plugin_cc(TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc ContentLine.cc Stats.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/ContentLine.cc b/src/analyzer/protocols/tcp/ContentLine.cc
similarity index 99%
rename from src/ContentLine.cc
rename to src/analyzer/protocols/tcp/ContentLine.cc
index 2a79272cbd..bcfca4ecc6 100644
--- a/src/ContentLine.cc
+++ b/src/analyzer/protocols/tcp/ContentLine.cc
@@ -1,7 +1,7 @@
 #include
 #include "ContentLine.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig)
 : TCP_SupportAnalyzer("CONTENTLINE", conn, orig)
diff --git a/src/ContentLine.h b/src/analyzer/protocols/tcp/ContentLine.h
similarity index 98%
rename from src/ContentLine.h
rename to src/analyzer/protocols/tcp/ContentLine.h
index 849f457075..e83251d43d 100644
--- a/src/ContentLine.h
+++ b/src/analyzer/protocols/tcp/ContentLine.h
@@ -3,7 +3,7 @@
 #ifndef CONTENTLINE_H
 #define CONTENTLINE_H
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #define CR_as_EOL 1
 #define LF_as_EOL 2
diff --git a/src/analyzer/protocols/tcp/Plugin.cc b/src/analyzer/protocols/tcp/Plugin.cc
new file mode 100644
index 0000000000..d76789bf30
--- /dev/null
+++ b/src/analyzer/protocols/tcp/Plugin.cc
@@ -0,0 +1,13 @@
+
+#include "plugin/Plugin.h"
+
+#include "TCP.h"
+
+BRO_PLUGIN_BEGIN(TCP)
+ BRO_PLUGIN_DESCRIPTION("TCP Analyzer");
+ BRO_PLUGIN_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("TCPStats", TCPStats_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_SUPPORT_ANALYZER("ContentLine");
+ BRO_PLUGIN_SUPPORT_ANALYZER("Contents");
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/tcp/Stats.cc b/src/analyzer/protocols/tcp/Stats.cc
new file mode 100644
index 0000000000..6157d54537
--- /dev/null
+++ b/src/analyzer/protocols/tcp/Stats.cc
@@ -0,0 +1,79 @@
+
+#include "Stats.h"
+#include "File.h"
+
+TCPStateStats::TCPStateStats()
+ {
+ for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
+ for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
+ state_cnt[i][j] = 0;
+ }
+
+void TCPStateStats::ChangeState(EndpointState o_prev, EndpointState o_now,
+ EndpointState r_prev, EndpointState r_now)
+ {
+ --state_cnt[o_prev][r_prev];
+ ++state_cnt[o_now][r_now];
+ }
+
+void TCPStateStats::FlipState(EndpointState orig, EndpointState resp)
+ {
+ --state_cnt[orig][resp];
+ ++state_cnt[resp][orig];
+ }
+
+unsigned int TCPStateStats::NumStatePartial() const
+ {
+ unsigned int sum = 0;
+ for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
+ {
+ sum += state_cnt[TCP_ENDPOINT_PARTIAL][i];
+ sum += state_cnt[i][TCP_ENDPOINT_PARTIAL];
+ }
+
+ return sum;
+ }
+
+void TCPStateStats::PrintStats(BroFile* file, const char* prefix)
+ {
+ file->Write(prefix);
+ file->Write(" Inact. Syn. SA Part. Est. Fin. Rst.\n");
+
+ for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
+ {
+ file->Write(prefix);
+
+ switch ( i ) {
+#define STATE_STRING(state, str) \
+ case state: \
+ file->Write(str); \
+ break;
+
+ STATE_STRING(TCP_ENDPOINT_INACTIVE, "Inact.");
+ STATE_STRING(TCP_ENDPOINT_SYN_SENT, "Syn. ");
+ STATE_STRING(TCP_ENDPOINT_SYN_ACK_SENT, "SA ");
+ STATE_STRING(TCP_ENDPOINT_PARTIAL, "Part. ");
+ STATE_STRING(TCP_ENDPOINT_ESTABLISHED, "Est. ");
+ STATE_STRING(TCP_ENDPOINT_CLOSED, "Fin. ");
+ STATE_STRING(TCP_ENDPOINT_RESET, "Rst. ");
+
+ }
+
+ file->Write(" ");
+
+ for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
+ {
+ unsigned int n = state_cnt[i][j];
+ if ( n > 0 )
+ {
+ char buf[32];
+ safe_snprintf(buf, sizeof(buf), "%-8d", state_cnt[i][j]);
+ file->Write(buf);
+ }
+ else
+ file->Write(" ");
+ }
+
+ file->Write("\n");
+ }
+ }
diff --git a/src/analyzer/protocols/tcp/Stats.h b/src/analyzer/protocols/tcp/Stats.h
new file mode 100644
index 0000000000..01c95620ce
--- /dev/null
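Review bot: `safe_snprintf(buf, sizeof(buf), "%-8d", state_cnt[i][j]);` in PrintStats formats an `unsigned int` cell with a signed conversion and ignores the `n` it loaded two lines earlier; `safe_snprintf(buf, sizeof(buf), "%-8u", n);` fixes both. ChangeState and FlipState decrement unsigned cells with no check, so a `--` on a pair that was never entered wraps to UINT_MAX and silently inflates every count derived from the table (NumStatePartial sums it); an `assert(state_cnt[o_prev][r_prev] > 0);` before each decrement would catch a mismatched caller at the source. `STATE_STRING` is defined inside the switch and never `#undef`'d, so it leaks into the rest of the translation unit.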
+++ b/src/analyzer/protocols/tcp/Stats.h 
@@ -0,0 +1,67 @@
+
+#ifndef ANALYZER_PROTOCOLS_TCP_STATS_H
+#define ANALYZER_PROTOCOLS_TCP_STATS_H
+
+#include "TCP_Endpoint.h"
+
+// A TCPStateStats object tracks the distribution of TCP states for
+// the currently active connections.
+class TCPStateStats {
+public:
+ TCPStateStats();
+ ~TCPStateStats() { }
+
+ void ChangeState(EndpointState o_prev, EndpointState o_now,
+ EndpointState r_prev, EndpointState r_now);
+ void FlipState(EndpointState orig, EndpointState resp);
+
+ void StateEntered (EndpointState o_state, EndpointState r_state)
+ { ++state_cnt[o_state][r_state]; }
+ void StateLeft (EndpointState o_state, EndpointState r_state)
+ { --state_cnt[o_state][r_state]; }
+
+ unsigned int Cnt(EndpointState state) const
+ { return Cnt(state, state); }
+ unsigned int Cnt(EndpointState state1, EndpointState state2) const
+ { return state_cnt[state1][state2]; }
+
+ unsigned int NumStateEstablished() const
+ { return Cnt(TCP_ENDPOINT_ESTABLISHED); }
+ unsigned int NumStateHalfClose() const
+ { // corresponds to S2,S3
+ return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_CLOSED) +
+ Cnt(TCP_ENDPOINT_CLOSED, TCP_ENDPOINT_ESTABLISHED);
+ }
+ unsigned int NumStateHalfRst() const
+ {
+ return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_RESET) +
+ Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_ESTABLISHED);
+ }
+ unsigned int NumStateClosed() const
+ { return Cnt(TCP_ENDPOINT_CLOSED); }
+ unsigned int NumStateRequest() const
+ {
+ assert(Cnt(TCP_ENDPOINT_INACTIVE, TCP_ENDPOINT_SYN_SENT)==0);
+ return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_INACTIVE);
+ }
+ unsigned int NumStateSuccRequest() const
+ {
+ return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_SYN_ACK_SENT) +
+ Cnt(TCP_ENDPOINT_SYN_ACK_SENT, TCP_ENDPOINT_SYN_SENT);
+ }
+ unsigned int NumStateRstRequest() const
+ {
+ return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_RESET) +
+ Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_SYN_SENT);
+ }
+ unsigned int NumStateInactive() const
+ { return Cnt(TCP_ENDPOINT_INACTIVE); }
+ unsigned int NumStatePartial() const;
+
+ void PrintStats(BroFile* file, const char* prefix);
+
+private:
+ unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1];
+};
+
+#endif
diff --git a/src/TCP.cc b/src/analyzer/protocols/tcp/TCP.cc
similarity index 99%
rename from src/TCP.cc
rename to src/analyzer/protocols/tcp/TCP.cc
index 004deb2edd..66bf9d2a83 100644
--- a/src/TCP.cc
+++ b/src/analyzer/protocols/tcp/TCP.cc
@@ -3,13 +3,14 @@
 #include
 #include "NetVar.h"
-#include "PIA.h"
 #include "File.h"
-#include "TCP.h"
-#include "TCP_Reassembler.h"
 #include "OSFinger.h"
 #include "Event.h"
+#include "analyzer/protocols/pia/PIA.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/tcp/TCP_Reassembler.h"
+
 namespace { // local namespace
 const bool DEBUG_tcp_data_sent = false;
 const bool DEBUG_tcp_connection_close = false;
diff --git a/src/TCP.h b/src/analyzer/protocols/tcp/TCP.h
similarity index 99%
rename from src/TCP.h
rename to src/analyzer/protocols/tcp/TCP.h
index be91d473c2..ee89cef8e4 100644
--- a/src/TCP.h
+++ b/src/analyzer/protocols/tcp/TCP.h
@@ -4,7 +4,7 @@
 #define TCP_H
 #include "analyzer/Analyzer.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "PacketDumper.h"
 #include "IPAddr.h"
 #include "TCP_Endpoint.h"
diff --git a/src/TCP_Endpoint.cc b/src/analyzer/protocols/tcp/TCP_Endpoint.cc
similarity index 99%
rename from src/TCP_Endpoint.cc
rename to src/analyzer/protocols/tcp/TCP_Endpoint.cc
index 69c08870d9..adb2c101d4 100644
--- a/src/TCP_Endpoint.cc
+++ b/src/analyzer/protocols/tcp/TCP_Endpoint.cc
@@ -2,7 +2,7 @@
 #include "Net.h"
 #include "NetVar.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "TCP_Reassembler.h"
 #include "Sessions.h"
 #include "Event.h"
diff --git a/src/TCP_Endpoint.h b/src/analyzer/protocols/tcp/TCP_Endpoint.h
similarity index 100%
rename from src/TCP_Endpoint.h
rename to src/analyzer/protocols/tcp/TCP_Endpoint.h
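Review bot: NumStateRequest calls `assert()` and PrintStats takes a `BroFile*`, but the only include in Stats.h is `TCP_Endpoint.h`, so the header compiles only if that file happens to pull in the assert macro and the BroFile declaration transitively; adding `#include <assert.h>` and `class BroFile;` after the existing include makes the header self-contained. The inline StateLeft decrements an unsigned cell unguarded, the same wrap-to-UINT_MAX hazard as the `--` in Stats.cc, and nothing in the class enforces that StateEntered/StateLeft calls stay paired. The class comment could say so explicitly, e.g. `// Cells are indexed [orig_state][resp_state]; callers must pair every StateEntered/ChangeState with the matching leave, or counts underflow.`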
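Review bot: The rewritten line `+#include "analyzer/protocols/tcp/TCP.h"` is inside TCP.h itself (the hunk shows `#define TCP_H` two lines above it), so the header now includes itself; the guard makes that a no-op, but the path-fix preserves a line that should simply be deleted. The same hunk leaves `#include "TCP_Endpoint.h"` on the short path while the sibling include was moved to the full `analyzer/protocols/tcp/` form, and TCP_Endpoint.cc likewise keeps `#include "TCP_Reassembler.h"` short next to a full-path TCP.h, so one file mixes both conventions; pick one per directory so the later cleanup is mechanical.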
diff --git a/src/TCP_Reassembler.cc b/src/analyzer/protocols/tcp/TCP_Reassembler.cc
similarity index 99%
rename from src/TCP_Reassembler.cc
rename to src/analyzer/protocols/tcp/TCP_Reassembler.cc
index a9c25781c4..5bfd536a10 100644
--- a/src/TCP_Reassembler.cc
+++ b/src/analyzer/protocols/tcp/TCP_Reassembler.cc
@@ -2,7 +2,7 @@
 #include "analyzer/Analyzer.h"
 #include "TCP_Reassembler.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "TCP_Endpoint.h"
 // Only needed for gap_report events.
diff --git a/src/TCP_Reassembler.h b/src/analyzer/protocols/tcp/TCP_Reassembler.h
similarity index 100%
rename from src/TCP_Reassembler.h
rename to src/analyzer/protocols/tcp/TCP_Reassembler.h
diff --git a/src/analyzer/protocols/tcp/events.bif b/src/analyzer/protocols/tcp/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/teredo/CMakeLists.txt b/src/analyzer/protocols/teredo/CMakeLists.txt
new file mode 100644
index 0000000000..cf4d2a9bcf
--- /dev/null
+++ b/src/analyzer/protocols/teredo/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Teredo)
+bro_plugin_cc(Teredo.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/teredo/Plugin.cc b/src/analyzer/protocols/teredo/Plugin.cc
new file mode 100644
index 0000000000..9fc0fa4e7a
--- /dev/null
+++ b/src/analyzer/protocols/teredo/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "Teredo.h"
+
+BRO_PLUGIN_BEGIN(Teredo)
+ BRO_PLUGIN_DESCRIPTION("Teredo Analyzer");
+ BRO_PLUGIN_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/Teredo.cc b/src/analyzer/protocols/teredo/Teredo.cc
similarity index 100%
rename from src/Teredo.cc
rename to src/analyzer/protocols/teredo/Teredo.cc
diff --git a/src/Teredo.h b/src/analyzer/protocols/teredo/Teredo.h
similarity index 100%
rename from src/Teredo.h
rename to src/analyzer/protocols/teredo/Teredo.h
diff --git a/src/analyzer/protocols/teredo/events.bif b/src/analyzer/protocols/teredo/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/udp/CMakeLists.txt b/src/analyzer/protocols/udp/CMakeLists.txt
new file mode 100644
index 0000000000..077c4136b5
--- /dev/null
+++ b/src/analyzer/protocols/udp/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(UDP)
+bro_plugin_cc(UDP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/udp/Plugin.cc b/src/analyzer/protocols/udp/Plugin.cc
new file mode 100644
index 0000000000..1a9b462013
--- /dev/null
+++ b/src/analyzer/protocols/udp/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "analyzer/protocols/udp/UDP.h"
+
+BRO_PLUGIN_BEGIN(UDP)
+ BRO_PLUGIN_DESCRIPTION("UDP Analyzer");
+ BRO_PLUGIN_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/UDP.cc b/src/analyzer/protocols/udp/UDP.cc
similarity index 99%
rename from src/UDP.cc
rename to src/analyzer/protocols/udp/UDP.cc
index 2fd80cfce3..f85f5ad991 100644
--- a/src/UDP.cc
+++ b/src/analyzer/protocols/udp/UDP.cc
@@ -6,7 +6,7 @@
 #include "Net.h"
 #include "NetVar.h"
-#include "UDP.h"
+#include "analyzer/protocols/udp/UDP.h"
 #include "Reporter.h"
 #include "Conn.h"
diff --git a/src/UDP.h b/src/analyzer/protocols/udp/UDP.h
similarity index 100%
rename from src/UDP.h
rename to src/analyzer/protocols/udp/UDP.h
diff --git a/src/analyzer/protocols/udp/events.bif b/src/analyzer/protocols/udp/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/zip/CMakeLists.txt b/src/analyzer/protocols/zip/CMakeLists.txt
new file mode 100644
index 0000000000..5b2864c618
--- /dev/null
+++ b/src/analyzer/protocols/zip/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(ZIP)
+bro_plugin_cc(ZIP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/zip/Plugin.cc b/src/analyzer/protocols/zip/Plugin.cc
new file mode 100644
index 0000000000..89382dd0cd
--- /dev/null
+++ b/src/analyzer/protocols/zip/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "ZIP.h"
+
+BRO_PLUGIN_BEGIN(ZIP)
+ BRO_PLUGIN_DESCRIPTION("Generic ZIP support analyzer");
+ BRO_PLUGIN_ANALYZER("ZIP", 0);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/ZIP.cc b/src/analyzer/protocols/zip/ZIP.cc
similarity index 100%
rename from src/ZIP.cc
rename to src/analyzer/protocols/zip/ZIP.cc
diff --git a/src/ZIP.h b/src/analyzer/protocols/zip/ZIP.h
similarity index 92%
rename from src/ZIP.h
rename to src/analyzer/protocols/zip/ZIP.h
index 6a8a180d1a..24ec919f70 100644
--- a/src/ZIP.h
+++ b/src/analyzer/protocols/zip/ZIP.h
@@ -6,7 +6,7 @@
 #include "config.h"
 #include "zlib.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 class ZIP_Analyzer : public TCP_SupportAnalyzer {
 public:
diff --git a/src/analyzer/protocols/zip/events.bif b/src/analyzer/protocols/zip/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/bro.bif b/src/bro.bif
index 4366d26951..aa15443e64 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -2914,7 +2914,7 @@ function decode_base64_custom%(s: string, a: string%): string
 %}
 %%{
-#include "DCE_RPC.h"
+#include "analyzer/protocols/dce-rpc/DCE_RPC.h"
 typedef struct {
 uint32 time_low;
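Review bot: `BRO_PLUGIN_ANALYZER("ZIP", 0);` registers ZIP through the full-analyzer macro with a bare null factory, while the ZIP.h hunk in this same diff shows `class ZIP_Analyzer : public TCP_SupportAnalyzer` and the TCP plugin registers its support analyzers with the new `BRO_PLUGIN_SUPPORT_ANALYZER(...)`. Use `BRO_PLUGIN_SUPPORT_ANALYZER("ZIP");` here so the component's kind is expressed by the macro rather than by a magic 0; the description string already calls it a support analyzer.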
@@ -4262,7 +4262,7 @@ function set_login_state%(cid: conn_id, new_state: count%): bool
 %}
 %%{
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 %%}
 ## Get the originator sequence number of a TCP connection. Sequence numbers
@@ -4326,7 +4326,7 @@ function get_resp_seq%(cid: conn_id%): count
 %}
 %%{
-#include "SMTP.h"
+#include "analyzer/protocols/smtp/SMTP.h"
 %%}
 ## Skips SMTP data until the next email in a connection.
diff --git a/src/builtin-func.l b/src/builtin-func.l
index b23ef43e22..b2da7cb7c3 100644
--- a/src/builtin-func.l
+++ b/src/builtin-func.l
@@ -207,7 +207,7 @@ void init_alternative_mode()
 for ( char* p = guard; *p; p++ )
 {
- if ( strchr("/.", *p) )
+ if ( strchr("/.-", *p) )
 *p = '_';
 }
diff --git a/src/parse.y b/src/parse.y
index 520623de2c..449b472c0c 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -79,7 +79,7 @@
 #include "Expr.h"
 #include "Stmt.h"
 #include "Var.h"
-#include "DNS.h"
+/* #include "analyzer/protocols/dns/DNS.h" */
 #include "RE.h"
 #include "Scope.h"
 #include "Reporter.h"
diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h
index 1ddcb1afc8..39bb190f8c 100644
--- a/src/plugin/Macros.h
+++ b/src/plugin/Macros.h
@@ -36,6 +36,9 @@
 #define BRO_PLUGIN_ANALYZER(tag, factory) \
 AddComponent(new ::analyzer::Component(tag, factory));
+#define BRO_PLUGIN_SUPPORT_ANALYZER(tag) \
+ AddComponent(new ::analyzer::Component(tag, 0));
+
 #define BRO_PLUGIN_ANALYZER_EXT(tag, factory, enabled, partial) \
 AddComponent(new ::analyzer::Component(tag, factory, 0, enabled, partial));
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 0db69c1f17..a4933aba7b 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
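Review bot: The include-guard sanitizer at `if ( strchr("/.-", *p) )` is a deny-list that this commit extends by one character because plugin directories like `dce-rpc` and `stepping-stone` now feed it; any other character that is not legal in a C identifier (a space, `+`, a non-ASCII byte) still survives into the generated `#ifndef` name. Inverting it to an allow-list, `if ( ! isalnum((unsigned char) *p) ) *p = '_';`, covers every future path without another edit (needs `<ctype.h>` if the file does not already include it). init_alternative_mode's body continues outside the hunk, so I cannot see how `guard` is built.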
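Review bot: `/* #include "analyzer/protocols/dns/DNS.h" */` parks a dead include in a comment instead of resolving it; if parse.y no longer needs DNS.h the line should be deleted, and if it still does, the include should be restored on the new path. Commented-out includes tend to outlive the reason they were added and invite someone to un-comment them later without knowing why they were disabled.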
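Review bot: `BRO_PLUGIN_SUPPORT_ANALYZER(tag)` is added without a comment, and its body differs from `BRO_PLUGIN_ANALYZER` only by passing a null factory, so a reader cannot tell from Macros.h when to use which. A one-line comment above it would fix that, e.g. `// Registers an analyzer with no factory; for support analyzers (ContentLine, Contents, ...) that are presumably created by their parent analyzer rather than looked up by tag -- confirm against analyzer::Component.`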
@@ -3,7 +3,7 @@
 #empty_field (empty)
 #unset_field -
 #path loaded_scripts
-#open 2013-04-09-22-37-59
+#open 2013-04-17-03-50-16
 #fields name
 #types string
 scripts/base/init-bare.bro
@@ -33,9 +33,45 @@ scripts/base/init-bare.bro
 scripts/base/frameworks/analyzer/./main.bro
 build/scripts/base/bif/analyzer.bif.bro
 build/scripts/base/bif/plugins/__load__.bro
+ build/scripts/base/bif/plugins/./AYIYA.events.bif.bro
+ build/scripts/base/bif/plugins/./BACKDOOR.events.bif.bro
+ build/scripts/base/bif/plugins/./BITTORRENT.events.bif.bro
+ build/scripts/base/bif/plugins/./BackDoor.events.bif.bro
+ build/scripts/base/bif/plugins/./BitTorrent.events.bif.bro
+ build/scripts/base/bif/plugins/./ConnSize.events.bif.bro
+ build/scripts/base/bif/plugins/./DCE_RPC.events.bif.bro
+ build/scripts/base/bif/plugins/./DHCP.events.bif.bro
+ build/scripts/base/bif/plugins/./DNS.events.bif.bro
+ build/scripts/base/bif/plugins/./FTP.events.bif.bro
+ build/scripts/base/bif/plugins/./File.events.bif.bro
+ build/scripts/base/bif/plugins/./FileAnalyzer.events.bif.bro
+ build/scripts/base/bif/plugins/./Finger.events.bif.bro
+ build/scripts/base/bif/plugins/./GTPV1.events.bif.bro
+ build/scripts/base/bif/plugins/./Gnutella.events.bif.bro
 build/scripts/base/bif/plugins/./HTTP.events.bif.bro
 build/scripts/base/bif/plugins/./HTTP.functions.bif.bro
+ build/scripts/base/bif/plugins/./ICMP.events.bif.bro
+ build/scripts/base/bif/plugins/./IRC.events.bif.bro
+ build/scripts/base/bif/plugins/./Ident.events.bif.bro
+ build/scripts/base/bif/plugins/./InterConn.events.bif.bro
+ build/scripts/base/bif/plugins/./Login.events.bif.bro
+ build/scripts/base/bif/plugins/./Modbus.events.bif.bro
+ build/scripts/base/bif/plugins/./NCP.events.bif.bro
+ build/scripts/base/bif/plugins/./NTP.events.bif.bro
+ build/scripts/base/bif/plugins/./NetbiosSSN.events.bif.bro
+ build/scripts/base/bif/plugins/./PIA.events.bif.bro
+ build/scripts/base/bif/plugins/./POP3.events.bif.bro
+ build/scripts/base/bif/plugins/./RPC.events.bif.bro
+ build/scripts/base/bif/plugins/./SMB.events.bif.bro
+ build/scripts/base/bif/plugins/./SMTP.events.bif.bro
+ build/scripts/base/bif/plugins/./SOCKS.events.bif.bro
+ build/scripts/base/bif/plugins/./SSH.events.bif.bro
 build/scripts/base/bif/plugins/./SSL.events.bif.bro
+ build/scripts/base/bif/plugins/./SteppingStone.events.bif.bro
 build/scripts/base/bif/plugins/./Syslog.events.bif.bro
+ build/scripts/base/bif/plugins/./TCP.events.bif.bro
+ build/scripts/base/bif/plugins/./Teredo.events.bif.bro
+ build/scripts/base/bif/plugins/./UDP.events.bif.bro
+ build/scripts/base/bif/plugins/./ZIP.events.bif.bro
 scripts/policy/misc/loaded-scripts.bro
-#close 2013-04-09-22-37-59
+#close 2013-04-17-03-50-16
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index aa406976a0..d469dad0bc 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field (empty)
 #unset_field -
 #path loaded_scripts
-#open 2013-04-09-22-38-15
+#open 2013-04-17-03-50-51
 #fields name
 #types string
 scripts/base/init-bare.bro
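Review bot: The new plugin list contains both `BACKDOOR.events.bif.bro` and `BackDoor.events.bif.bro`, and both `BITTORRENT.events.bif.bro` and `BitTorrent.events.bif.bro`, which points to two plugin registrations for the same analyzer differing only in case. Beyond loading the same event declarations twice, the two generated files collide on a case-insensitive filesystem (the macOS default), so the build output depends on the host. Whichever of each pair is the stale registration should go, so that this baseline lists every plugin exactly once.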
@@ -33,10 +33,46 @@ scripts/base/init-bare.bro scripts/base/frameworks/analyzer/./main.bro build/scripts/base/bif/analyzer.bif.bro build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./AYIYA.events.bif.bro + build/scripts/base/bif/plugins/./BACKDOOR.events.bif.bro + build/scripts/base/bif/plugins/./BITTORRENT.events.bif.bro + build/scripts/base/bif/plugins/./BackDoor.events.bif.bro + build/scripts/base/bif/plugins/./BitTorrent.events.bif.bro + build/scripts/base/bif/plugins/./ConnSize.events.bif.bro + build/scripts/base/bif/plugins/./DCE_RPC.events.bif.bro + build/scripts/base/bif/plugins/./DHCP.events.bif.bro + build/scripts/base/bif/plugins/./DNS.events.bif.bro + build/scripts/base/bif/plugins/./FTP.events.bif.bro + build/scripts/base/bif/plugins/./File.events.bif.bro + build/scripts/base/bif/plugins/./FileAnalyzer.events.bif.bro + build/scripts/base/bif/plugins/./Finger.events.bif.bro + build/scripts/base/bif/plugins/./GTPV1.events.bif.bro + build/scripts/base/bif/plugins/./Gnutella.events.bif.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro + build/scripts/base/bif/plugins/./ICMP.events.bif.bro + build/scripts/base/bif/plugins/./IRC.events.bif.bro + build/scripts/base/bif/plugins/./Ident.events.bif.bro + build/scripts/base/bif/plugins/./InterConn.events.bif.bro + build/scripts/base/bif/plugins/./Login.events.bif.bro + build/scripts/base/bif/plugins/./Modbus.events.bif.bro + build/scripts/base/bif/plugins/./NCP.events.bif.bro + build/scripts/base/bif/plugins/./NTP.events.bif.bro + build/scripts/base/bif/plugins/./NetbiosSSN.events.bif.bro + build/scripts/base/bif/plugins/./PIA.events.bif.bro + build/scripts/base/bif/plugins/./POP3.events.bif.bro + build/scripts/base/bif/plugins/./RPC.events.bif.bro + build/scripts/base/bif/plugins/./SMB.events.bif.bro + build/scripts/base/bif/plugins/./SMTP.events.bif.bro + build/scripts/base/bif/plugins/./SOCKS.events.bif.bro + 
build/scripts/base/bif/plugins/./SSH.events.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./SteppingStone.events.bif.bro build/scripts/base/bif/plugins/./Syslog.events.bif.bro + build/scripts/base/bif/plugins/./TCP.events.bif.bro + build/scripts/base/bif/plugins/./Teredo.events.bif.bro + build/scripts/base/bif/plugins/./UDP.events.bif.bro + build/scripts/base/bif/plugins/./ZIP.events.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/./patterns.bro @@ -127,4 +163,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-09-22-38-15 +#close 2013-04-17-03-50-51 diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output b/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output index 69285a4dbe..600f353088 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output +++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output @@ -1,5 +1,5 @@ APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_DNS APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_FTP -APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_SSH APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_HTTP +APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_SSH APPLIED:, 1299499195.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=8/tcp], Analyzer::ANALYZER_DNS 
diff --git a/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro b/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro
index e67a4fa82b..114ea73673 100644
--- a/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro
+++ b/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro
@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT >output
+# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT | sort >output
 # @TEST-EXEC: btest-diff output
 
 global x = 0;

From 5dc630f722e2a505bd69490532f5bebb45d63ef4 Mon Sep 17 00:00:00 2001
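Review bot: Piping bro through sort in the new @TEST-EXEC line masks bro's exit status, because a pipeline's status is that of its last command, so a crashing or error-exiting bro still yields a passing test as long as sort succeeds and the baseline matches. Splitting the two steps keeps both checks: `# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT >output.raw` followed by `# @TEST-EXEC: sort output.raw >output`. The sort also makes the test blind to the order in which analyzers are applied; if that order ever becomes meaningful, the baseline rather than the test should be made deterministic.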
From: Robin Sommer Date: Thu, 18 Apr 2013 14:39:32 -0700 Subject: [PATCH 038/200] Working on TODOs. - Introducing analyzer:: namespaces. - Moving protocol-specific events out of events.bif into analyzer/protocol//events.bif - Moving ARP over (even though it's not an actual analyzer). - Moving NetFlow over (even though it's not an actual analyzer). - Moving MIME over (even though it's not an actual analyzer). --- cmake | 2 +- src/CMakeLists.txt | 5 - src/Conn.cc | 2 +- src/Conn.h | 6 +- src/NetVar.cc | 9 - src/NetVar.h | 1 - src/RuleCondition.cc | 10 +- src/RuleMatcher.cc | 6 +- src/RuleMatcher.h | 16 +- src/Sessions.cc | 29 +- src/Sessions.h | 14 +- src/analyzer/Analyzer.h | 13 +- src/analyzer/CMakeLists.txt | 4 + src/analyzer/Manager.cc | 32 +- src/analyzer/protocols/CMakeLists.txt | 3 + src/analyzer/protocols/TODO | 6 +- src/{ => analyzer/protocols/arp}/ARP.cc | 3 + src/{ => analyzer/protocols/arp}/ARP.h | 4 + src/analyzer/protocols/arp/CMakeLists.txt | 15 + src/analyzer/protocols/arp/Plugin.cc | 7 + src/analyzer/protocols/arp/events.bif | 63 + src/analyzer/protocols/ayiya/AYIYA.cc | 5 + src/analyzer/protocols/ayiya/AYIYA.h | 4 + src/analyzer/protocols/ayiya/Plugin.cc | 2 +- src/analyzer/protocols/ayiya/ayiya.pac | 4 + src/analyzer/protocols/backdoor/BackDoor.cc | 14 +- src/analyzer/protocols/backdoor/BackDoor.h | 10 +- src/analyzer/protocols/backdoor/Plugin.cc | 2 +- src/analyzer/protocols/backdoor/events.bif | 32 + .../protocols/bittorrent/BitTorrent.cc | 14 +- .../protocols/bittorrent/BitTorrent.h | 6 +- .../protocols/bittorrent/BitTorrentTracker.cc | 14 +- .../protocols/bittorrent/BitTorrentTracker.h | 6 +- src/analyzer/protocols/bittorrent/Plugin.cc | 4 +- .../protocols/bittorrent/bittorrent.pac | 2 + src/analyzer/protocols/bittorrent/events.bif | 226 + src/analyzer/protocols/conn-size/ConnSize.cc | 2 + src/analyzer/protocols/conn-size/ConnSize.h | 3 + src/analyzer/protocols/conn-size/Plugin.cc | 2 +- src/analyzer/protocols/dce-rpc/DCE_RPC.cc | 16 +- 
src/analyzer/protocols/dce-rpc/DCE_RPC.h | 10 +- src/analyzer/protocols/dce-rpc/Plugin.cc | 2 +- src/analyzer/protocols/dce-rpc/dce_rpc.pac | 4 + .../protocols/dce-rpc/dce_rpc_simple.pac | 4 + src/analyzer/protocols/dce-rpc/events.bif | 55 + src/analyzer/protocols/dhcp/DHCP.cc | 4 + src/analyzer/protocols/dhcp/DHCP.h | 4 + src/analyzer/protocols/dhcp/Plugin.cc | 2 +- src/analyzer/protocols/dhcp/dhcp.pac | 4 + src/analyzer/protocols/dhcp/events.bif | 239 + src/analyzer/protocols/dns/DNS.cc | 16 +- src/analyzer/protocols/dns/DNS.h | 12 +- src/analyzer/protocols/dns/Plugin.cc | 2 +- src/analyzer/protocols/dns/events.bif | 482 ++ src/analyzer/protocols/file/File.cc | 10 +- src/analyzer/protocols/file/File.h | 6 +- src/analyzer/protocols/file/Plugin.cc | 2 +- src/analyzer/protocols/file/events.bif | 3 + src/analyzer/protocols/finger/Finger.cc | 16 +- src/analyzer/protocols/finger/Finger.h | 11 +- src/analyzer/protocols/finger/Plugin.cc | 2 +- src/analyzer/protocols/finger/events.bif | 38 + src/analyzer/protocols/ftp/FTP.cc | 18 +- src/analyzer/protocols/ftp/FTP.h | 10 +- src/analyzer/protocols/ftp/Plugin.cc | 2 +- src/analyzer/protocols/ftp/events.bif | 35 + src/analyzer/protocols/gnutella/Gnutella.cc | 14 +- src/analyzer/protocols/gnutella/Gnutella.h | 6 +- src/analyzer/protocols/gnutella/Plugin.cc | 2 +- src/analyzer/protocols/gnutella/events.bif | 88 + src/analyzer/protocols/gtpv1/GTPv1.cc | 6 + src/analyzer/protocols/gtpv1/GTPv1.h | 4 + src/analyzer/protocols/gtpv1/Plugin.cc | 2 +- src/analyzer/protocols/gtpv1/events.bif | 74 + src/analyzer/protocols/gtpv1/gtpv1.pac | 4 + src/analyzer/protocols/http/HTTP.cc | 144 +- src/analyzer/protocols/http/HTTP.h | 42 +- src/analyzer/protocols/http/Plugin.cc | 2 +- src/analyzer/protocols/http/functions.bif | 4 +- src/analyzer/protocols/icmp/ICMP.cc | 8 +- src/analyzer/protocols/icmp/ICMP.h | 4 + src/analyzer/protocols/icmp/Plugin.cc | 2 +- src/analyzer/protocols/icmp/events.bif | 300 + src/analyzer/protocols/ident/Ident.cc | 40 
+- src/analyzer/protocols/ident/Ident.h | 10 +- src/analyzer/protocols/ident/Plugin.cc | 2 +- src/analyzer/protocols/ident/events.bif | 63 + src/analyzer/protocols/interconn/InterConn.cc | 18 +- src/analyzer/protocols/interconn/InterConn.h | 10 +- src/analyzer/protocols/interconn/Plugin.cc | 2 +- src/analyzer/protocols/interconn/events.bif | 8 + src/analyzer/protocols/irc/IRC.cc | 19 +- src/analyzer/protocols/irc/IRC.h | 6 +- src/analyzer/protocols/irc/Plugin.cc | 2 +- src/analyzer/protocols/irc/events.bif | 799 +++ src/analyzer/protocols/login/Login.cc | 14 +- src/analyzer/protocols/login/Login.h | 6 +- src/analyzer/protocols/login/NVT.cc | 8 +- src/analyzer/protocols/login/NVT.h | 8 +- src/analyzer/protocols/login/Plugin.cc | 10 +- src/analyzer/protocols/login/RSH.cc | 11 +- src/analyzer/protocols/login/RSH.h | 6 +- src/analyzer/protocols/login/Rlogin.cc | 15 +- src/analyzer/protocols/login/Rlogin.h | 6 +- src/analyzer/protocols/login/Telnet.cc | 4 + src/analyzer/protocols/login/Telnet.h | 4 + src/analyzer/protocols/login/events.bif | 395 ++ src/analyzer/protocols/mime/CMakeLists.txt | 15 + src/{ => analyzer/protocols/mime}/MIME.cc | 626 +- src/{ => analyzer/protocols/mime}/MIME.h | 4 + src/analyzer/protocols/mime/Plugin.cc | 7 + src/analyzer/protocols/mime/events.bif | 196 + src/analyzer/protocols/modbus/Modbus.cc | 4 + src/analyzer/protocols/modbus/Modbus.h | 6 +- src/analyzer/protocols/modbus/Plugin.cc | 2 +- src/analyzer/protocols/modbus/events.bif | 295 + src/analyzer/protocols/modbus/modbus.pac | 4 + src/analyzer/protocols/ncp/NCP.cc | 19 +- src/analyzer/protocols/ncp/NCP.h | 8 +- src/analyzer/protocols/ncp/Plugin.cc | 2 +- src/analyzer/protocols/ncp/events.bif | 46 + src/analyzer/protocols/ncp/ncp.pac | 4 + .../protocols/netbios-ssn/NetbiosSSN.cc | 26 +- .../protocols/netbios-ssn/NetbiosSSN.h | 29 +- src/analyzer/protocols/netbios-ssn/Plugin.cc | 2 +- src/analyzer/protocols/netbios-ssn/events.bif | 209 + src/analyzer/protocols/netflow/CMakeLists.txt | 16 + 
src/analyzer/protocols/netflow/Plugin.cc | 7 + src/analyzer/protocols/netflow/events.bif | 18 + .../protocols/netflow}/netflow-analyzer.pac | 0 .../protocols/netflow}/netflow-protocol.pac | 0 .../protocols/netflow}/netflow.pac | 2 + src/analyzer/protocols/ntp/NTP.cc | 3 + src/analyzer/protocols/ntp/NTP.h | 5 +- src/analyzer/protocols/ntp/Plugin.cc | 2 +- src/analyzer/protocols/ntp/events.bif | 21 + src/analyzer/protocols/pia/PIA.cc | 28 +- src/analyzer/protocols/pia/PIA.h | 8 +- src/analyzer/protocols/pia/Plugin.cc | 4 +- src/analyzer/protocols/pop3/POP3.cc | 16 +- src/analyzer/protocols/pop3/POP3.h | 11 +- src/analyzer/protocols/pop3/Plugin.cc | 2 +- src/analyzer/protocols/pop3/events.bif | 172 + src/analyzer/protocols/rpc/NFS.cc | 4 + src/analyzer/protocols/rpc/NFS.h | 4 + src/analyzer/protocols/rpc/Plugin.cc | 4 +- src/analyzer/protocols/rpc/Portmap.cc | 4 + src/analyzer/protocols/rpc/Portmap.h | 4 + src/analyzer/protocols/rpc/RPC.cc | 24 +- src/analyzer/protocols/rpc/RPC.h | 8 +- src/analyzer/protocols/rpc/XDR.cc | 16 +- src/analyzer/protocols/rpc/XDR.h | 4 + src/analyzer/protocols/rpc/events.bif | 728 ++ src/analyzer/protocols/smb/Plugin.cc | 2 +- src/analyzer/protocols/smb/SMB.cc | 12 +- src/analyzer/protocols/smb/SMB.h | 19 +- src/analyzer/protocols/smb/events.bif | 495 ++ src/analyzer/protocols/smb/smb.pac | 4 + src/analyzer/protocols/smtp/Plugin.cc | 2 +- src/analyzer/protocols/smtp/SMTP.cc | 20 +- src/analyzer/protocols/smtp/SMTP.h | 11 +- src/analyzer/protocols/smtp/events.bif | 100 + src/analyzer/protocols/socks/Plugin.cc | 2 +- src/analyzer/protocols/socks/SOCKS.cc | 16 +- src/analyzer/protocols/socks/SOCKS.h | 7 +- src/analyzer/protocols/socks/events.bif | 29 + src/analyzer/protocols/socks/socks.pac | 4 +- src/analyzer/protocols/ssh/Plugin.cc | 2 +- src/analyzer/protocols/ssh/SSH.cc | 14 +- src/analyzer/protocols/ssh/SSH.h | 10 +- src/analyzer/protocols/ssh/events.bif | 38 + src/analyzer/protocols/ssl/Plugin.cc | 2 +- src/analyzer/protocols/ssl/SSL.cc 
| 14 +- src/analyzer/protocols/ssl/SSL.h | 8 +- src/analyzer/protocols/ssl/ssl-defs.pac | 2 + src/analyzer/protocols/ssl/ssl.pac | 8 +- .../protocols/stepping-stone/Plugin.cc | 2 +- .../protocols/stepping-stone/SteppingStone.cc | 16 +- .../protocols/stepping-stone/SteppingStone.h | 10 +- .../protocols/stepping-stone/events.bif | 17 + src/analyzer/protocols/syslog/Plugin.cc | 2 +- src/analyzer/protocols/syslog/Syslog.cc | 26 +- src/analyzer/protocols/syslog/Syslog.h | 14 +- src/analyzer/protocols/syslog/syslog.pac | 8 +- src/analyzer/protocols/tcp/ContentLine.cc | 4 + src/analyzer/protocols/tcp/ContentLine.h | 4 + src/analyzer/protocols/tcp/Plugin.cc | 4 +- src/analyzer/protocols/tcp/Stats.cc | 4 + src/analyzer/protocols/tcp/Stats.h | 4 + src/analyzer/protocols/tcp/TCP.cc | 8 +- src/analyzer/protocols/tcp/TCP.h | 15 +- src/analyzer/protocols/tcp/TCP_Endpoint.cc | 4 + src/analyzer/protocols/tcp/TCP_Endpoint.h | 15 +- src/analyzer/protocols/tcp/TCP_Reassembler.cc | 4 + src/analyzer/protocols/tcp/TCP_Reassembler.h | 16 +- src/analyzer/protocols/tcp/events.bif | 289 + src/analyzer/protocols/teredo/Plugin.cc | 2 +- src/analyzer/protocols/teredo/Teredo.cc | 4 + src/analyzer/protocols/teredo/Teredo.h | 4 + src/analyzer/protocols/teredo/events.bif | 55 + src/analyzer/protocols/udp/Plugin.cc | 2 +- src/analyzer/protocols/udp/UDP.cc | 4 + src/analyzer/protocols/udp/UDP.h | 4 + src/analyzer/protocols/udp/events.bif | 38 + src/analyzer/protocols/zip/Plugin.cc | 2 +- src/analyzer/protocols/zip/ZIP.cc | 8 +- src/analyzer/protocols/zip/ZIP.h | 6 +- src/bro.bif | 10 +- src/event.bif | 5850 +---------------- src/plugin/Macros.h | 10 +- 210 files changed, 7080 insertions(+), 6608 deletions(-) rename src/{ => analyzer/protocols/arp}/ARP.cc (99%) rename src/{ => analyzer/protocols/arp}/ARP.h (93%) create mode 100644 src/analyzer/protocols/arp/CMakeLists.txt create mode 100644 src/analyzer/protocols/arp/Plugin.cc create mode 100644 src/analyzer/protocols/arp/events.bif create mode 
100644 src/analyzer/protocols/mime/CMakeLists.txt rename src/{ => analyzer/protocols/mime}/MIME.cc (99%) rename src/{ => analyzer/protocols/mime}/MIME.h (99%) create mode 100644 src/analyzer/protocols/mime/Plugin.cc create mode 100644 src/analyzer/protocols/mime/events.bif create mode 100644 src/analyzer/protocols/netflow/CMakeLists.txt create mode 100644 src/analyzer/protocols/netflow/Plugin.cc create mode 100644 src/analyzer/protocols/netflow/events.bif rename src/{ => analyzer/protocols/netflow}/netflow-analyzer.pac (100%) rename src/{ => analyzer/protocols/netflow}/netflow-protocol.pac (100%) rename src/{ => analyzer/protocols/netflow}/netflow.pac (88%) diff --git a/cmake b/cmake index 8cc03d64d0..c50757259f 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 8cc03d64d00676cb75a38543800ac0de192557dd +Subproject commit c50757259f509f13227cf28bbd4fd281828a39d2 diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 4d3e6dd917..b374c64d2c 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -133,9 +133,6 @@ set(BINPAC_AUXSRC binpac_target(binpac-lib.pac) binpac_target(binpac_bro-lib.pac) -binpac_target(netflow.pac - netflow-protocol.pac netflow-analyzer.pac) - ######################################################################## ## Including subdirectories. ######################################################################## @@ -212,7 +209,6 @@ set(bro_SRCS util.cc module_util.cc Anon.cc - ARP.cc Attr.cc Base64.cc BPF_Program.cc @@ -254,7 +250,6 @@ set(bro_SRCS IPAddr.cc List.cc Reporter.cc - MIME.cc NFA.cc Net.cc NetVar.cc diff --git a/src/Conn.cc b/src/Conn.cc index d6fc41c0b9..1756d3860e 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -935,7 +935,7 @@ error: return false; } -void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia) +void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia) { root_analyzer = analyzer; primary_PIA = pia; 
diff --git a/src/Conn.h b/src/Conn.h index 1b13500fad..95c521d875 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -245,9 +245,9 @@ public: void DeleteTimer(double t); // Sets the root of the analyzer tree as well as the primary PIA. - void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia); + void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia); analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; } - PIA* GetPrimaryPIA() { return primary_PIA; } + analyzer::pia::PIA* GetPrimaryPIA() { return primary_PIA; } // Sets the transport protocol in use. void SetTransport(TransportProto arg_proto) { proto = arg_proto; } @@ -319,7 +319,7 @@ protected: uint32 hist_seen; analyzer::TransportLayerAnalyzer* root_analyzer; - PIA* primary_PIA; + analyzer::pia::PIA* primary_PIA; uint64 uid; // Globally unique connection ID. }; diff --git a/src/NetVar.cc b/src/NetVar.cc index 7483728e44..32ab4a63c1 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -93,7 +93,6 @@ RecordType* http_stats_rec; RecordType* http_message_stat; int truncate_http_URI; -int pm_request; RecordType* pm_mapping; TableType* pm_mappings; RecordType* pm_port_request; @@ -408,14 +407,6 @@ void init_net_var() http_message_stat = internal_type("http_message_stat")->AsRecordType(); truncate_http_URI = opt_internal_int("truncate_http_URI"); - pm_request = pm_request_null || pm_request_set || - pm_request_unset || pm_request_getport || - pm_request_dump || pm_request_callit || - pm_attempt_null || pm_attempt_set || - pm_attempt_unset || pm_attempt_getport || - pm_attempt_dump || pm_attempt_callit || - pm_bad_port; - pm_mapping = internal_type("pm_mapping")->AsRecordType(); pm_mappings = internal_type("pm_mappings")->AsTableType(); pm_port_request = internal_type("pm_port_request")->AsRecordType(); diff --git a/src/NetVar.h b/src/NetVar.h index 88b5478149..35b94e09b7 100644 --- a/src/NetVar.h +++ b/src/NetVar.h 
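Review bot: The NetVar.cc hunk deletes the definition of `pm_request`, the aggregate flag that was true whenever any portmapper event handler existed, but nothing visible replaces it; if the Portmap analyzer (now under analyzer/protocols/rpc) still gates its work on that flag it must now derive it from the handlers declared in rpc/events.bif, otherwise portmapper events either stop firing or are always parsed. Worth a grep for remaining readers of `pm_request` before merging, and a one-line note in the commit message saying where that decision moved. The enclosing init_net_var() continues outside the hunk, so the replacement may simply be out of view.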
@@ -96,7 +96,6 @@ extern RecordType* http_stats_rec; extern RecordType* http_message_stat; extern int truncate_http_URI; -extern int pm_request; extern RecordType* pm_mapping; extern TableType* pm_mappings; extern RecordType* pm_port_request; diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index b26ed9c9f5..2296628878 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc @@ -4,15 +4,15 @@ #include "analyzer/protocols/tcp/TCP.h" #include "Scope.h" -static inline bool is_established(const TCP_Endpoint* e) +static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e) { // We more or less follow Snort here: an established session // is one for which the initial handshake has succeded (but we // add partial connections). The connection tear-down is part // of the connection. - return e->state != TCP_ENDPOINT_INACTIVE && - e->state != TCP_ENDPOINT_SYN_SENT && - e->state != TCP_ENDPOINT_SYN_ACK_SENT; + return e->state != analyzer::tcp::TCP_ENDPOINT_INACTIVE && + e->state != analyzer::tcp::TCP_ENDPOINT_SYN_SENT && + e->state != analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT; } bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state, @@ -23,7 +23,7 @@ bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state, if ( ! root || ! root->IsAnalyzer("TCP") ) return false; - TCP_Analyzer* ta = static_cast(root); + analyzer::tcp::TCP_Analyzer* ta = static_cast(root); if ( tcpstates & STATE_STATELESS ) return true; diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index 4c69576524..5b6f673a8a 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -161,7 +161,7 @@ void RuleHdrTest::PrintDebug() RuleEndpointState::RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, RuleEndpointState* arg_opposite, - ::PIA* arg_PIA) + analyzer::pia::PIA* arg_PIA) { payload_size = -1; analyzer = arg_analyzer; 
@@ -565,7 +565,7 @@ static inline bool compare(const vector& prefixes, const IPAddr& a, RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, RuleEndpointState* opposite, - bool from_orig, PIA* pia) + bool from_orig, analyzer::pia::PIA* pia) { RuleEndpointState* state = new RuleEndpointState(analyzer, from_orig, opposite, pia); @@ -1301,7 +1301,7 @@ uint32 id_to_uint(const char* id) } void RuleMatcherState::InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, - int caplen, bool from_orig, PIA* pia) + int caplen, bool from_orig, analyzer::pia::PIA* pia) { if ( ! rule_matcher ) return; diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index 1b2756594d..351c3c30bf 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h @@ -35,8 +35,10 @@ extern const char* current_rule_file; class RuleMatcher; extern RuleMatcher* rule_matcher; -namespace analyzer { class Analyzer; } -class PIA; +namespace analyzer { + namespace pia { class PIA; } + class Analyzer; +} // RuleHdrTest and associated things: @@ -152,7 +154,7 @@ public: // Returns -1 if no chunk has been fed yet at all. int PayloadSize() { return payload_size; } - ::PIA* PIA() const { return pia; } + analyzer::pia::PIA* PIA() const { return pia; } private: friend class RuleMatcher; @@ -160,7 +162,7 @@ private: // Constructor is private; use RuleMatcher::InitEndpoint() // for creating an instance. RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, - RuleEndpointState* arg_opposite, ::PIA* arg_PIA); + RuleEndpointState* arg_opposite, analyzer::pia::PIA* arg_PIA); struct Matcher { RE_Match_State* state; @@ -173,7 +175,7 @@ private: bool is_orig; analyzer::Analyzer* analyzer; RuleEndpointState* opposite; - ::PIA* pia; + analyzer::pia::PIA* pia; matcher_list matchers; rule_hdr_test_list hdr_tests; 
@@ -208,7 +210,7 @@ public: // this endpoint). If the matching is triggered by an PIA, a pointer to // it needs to be given. RuleEndpointState* InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, - int caplen, RuleEndpointState* opposite, bool is_orig, PIA* pia); + int caplen, RuleEndpointState* opposite, bool is_orig, analyzer::pia::PIA* pia); // Finish matching for this stream. void FinishEndpoint(RuleEndpointState* state); @@ -311,7 +313,7 @@ public: // ip may be nil. void InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, - int caplen, bool from_orig, PIA* pia = 0); + int caplen, bool from_orig, analyzer::pia::PIA* pia = 0); // bol/eol should be set to false for type Rule::PAYLOAD; they're // deduced automatically. diff --git a/src/Sessions.cc b/src/Sessions.cc index 739bbbe5e7..29c7a57e8f 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -20,8 +20,13 @@ #include "analyzer/protocols/udp/UDP.h" #include "analyzer/protocols/stepping-stone/SteppingStone.h" +#include "analyzer/protocols/stepping-stone/events.bif.h" #include "analyzer/protocols/backdoor/BackDoor.h" +#include "analyzer/protocols/backdoor/events.bif.h" #include "analyzer/protocols/interconn/InterConn.h" +#include "analyzer/protocols/interconn/events.bif.h" +#include "analyzer/protocols/arp/ARP.h" +#include "analyzer/protocols/arp/events.bif.h" #include "Discard.h" #include "RuleMatcher.h" @@ -102,7 +107,7 @@ NetSessions::NetSessions() fragments.SetDeleteFunc(bro_obj_delete_func); if ( stp_correlate_pair ) - stp_manager = new SteppingStoneManager(); + stp_manager = new analyzer::stepping_stone::SteppingStoneManager(); else stp_manager = 0; @@ -141,7 +146,7 @@ NetSessions::NetSessions() pkt_profiler = 0; if ( arp_request || arp_reply || bad_arp ) - arp_analyzer = new ARP_Analyzer(); + arp_analyzer = new analyzer::arp::ARP_Analyzer(); else arp_analyzer = 0; } 
@@ -254,7 +259,7 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr, DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0); } - else if ( ARP_Analyzer::IsARP(pkt, hdr_size) ) + else if ( analyzer::arp::ARP_Analyzer::IsARP(pkt, hdr_size) ) { if ( arp_analyzer ) arp_analyzer->NextPacket(t, hdr, pkt, hdr_size); @@ -521,9 +526,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, const struct icmp* icmpp = (const struct icmp *) data; id.src_port = icmpp->icmp_type; - id.dst_port = ICMP4_counterpart(icmpp->icmp_type, - icmpp->icmp_code, - id.is_one_way); + id.dst_port = analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type, + icmpp->icmp_code, + id.is_one_way); id.src_port = htons(id.src_port); id.dst_port = htons(id.dst_port); @@ -537,9 +542,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, const struct icmp* icmpp = (const struct icmp *) data; id.src_port = icmpp->icmp_type; - id.dst_port = ICMP6_counterpart(icmpp->icmp_type, - icmpp->icmp_code, - id.is_one_way); + id.dst_port = analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type, + icmpp->icmp_code, + id.is_one_way); id.src_port = htons(id.src_port); id.dst_port = htons(id.dst_port); @@ -962,12 +967,12 @@ void NetSessions::Remove(Connection* c) { c->CancelTimers(); - TCP_Analyzer* ta = (TCP_Analyzer*) c->GetRootAnalyzer(); + analyzer::tcp::TCP_Analyzer* ta = (analyzer::tcp::TCP_Analyzer*) c->GetRootAnalyzer(); if ( ta && c->ConnTransport() == TRANSPORT_TCP ) { assert(ta->IsAnalyzer("TCP")); - TCP_Endpoint* to = ta->Orig(); - TCP_Endpoint* tr = ta->Resp(); + analyzer::tcp::TCP_Endpoint* to = ta->Orig(); + analyzer::tcp::TCP_Endpoint* tr = ta->Resp(); tcp_stats.StateLeft(to->state, tr->state); } diff --git a/src/Sessions.h b/src/Sessions.h index 5b87518033..a5488bd188 100644 --- a/src/Sessions.h +++ b/src/Sessions.h 
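Review bot: In NetSessions::Remove() the root analyzer is still downcast with a C-style cast before the `c->ConnTransport() == TRANSPORT_TCP` test, so for UDP and ICMP connections `ta` briefly holds a pointer of the wrong type and only the later `if` keeps it from being dereferenced. Since the hunk already rewrites that line, test first and then cast: `analyzer::Analyzer* root = c->GetRootAnalyzer();` / `if ( root && c->ConnTransport() == TRANSPORT_TCP )` / `analyzer::tcp::TCP_Analyzer* ta = static_cast<analyzer::tcp::TCP_Analyzer*>(root);`, keeping the existing `assert(ta->IsAnalyzer("TCP"))` inside the block. Remove() continues outside the hunk.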
@@ -6,7 +6,6 @@ #include "Dict.h" #include "CompHash.h" #include "IP.h" -#include "ARP.h" #include "Frag.h" #include "PacketFilter.h" #include "Stats.h" @@ -28,11 +27,12 @@ declare(PDict,Connection); declare(PDict,FragReassembler); class Discarder; -class SteppingStoneManager; class PacketFilter; - class PacketSortElement; +namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } } +namespace analyzer { namespace arp { class ARP_Analyzer; } } + struct SessionStats { int num_TCP_conns; int num_UDP_conns; @@ -129,7 +129,7 @@ public: void ExpireTimerMgrs(); - SteppingStoneManager* GetSTPManager() { return stp_manager; } + analyzer::stepping_stone::SteppingStoneManager* GetSTPManager() { return stp_manager; } unsigned int CurrentConnections() { @@ -185,7 +185,7 @@ public: unsigned int ConnectionMemoryUsage(); unsigned int ConnectionMemoryUsageConnVals(); unsigned int MemoryAllocation(); - TCPStateStats tcp_stats; // keeps statistics on TCP states + analyzer::tcp::TCPStateStats tcp_stats; // keeps statistics on TCP states protected: friend class RemoteSerializer; @@ -257,9 +257,9 @@ protected: typedef std::map IPTunnelMap; IPTunnelMap ip_tunnels; - ARP_Analyzer* arp_analyzer; + analyzer::arp::ARP_Analyzer* arp_analyzer; - SteppingStoneManager* stp_manager; + analyzer::stepping_stone::SteppingStoneManager* stp_manager; Discarder* discarder; PacketFilter* packet_filter; OSFingerprint* SYN_OS_Fingerprinter; diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 3800307c82..5769a6c58a 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -13,12 +13,13 @@ class Rule; class Connection; -class PIA; class IP_Hdr; -class TCP_ApplicationAnalyzer; namespace analyzer { +namespace tcp { class TCP_ApplicationAnalyzer; } +namespace pia { class PIA; } + class Analyzer; class AnalyzerTimer; class SupportAnalyzer; 
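Review bot: The Sessions.h hunk replaces `#include "ARP.h"` with forward declarations, which is enough for the `arp_analyzer` and `stp_manager` pointer members, but `analyzer::tcp::TCPStateStats tcp_stats;` is held by value and needs a complete type; the include that provides it is not visible in this hunk, so confirm Sessions.h still pulls in analyzer/protocols/tcp/TCP.h directly rather than through a transitive include that the next cleanup may remove. Likewise, any code that previously got ARP_Analyzer's definition transitively via Sessions.h now needs `#include "analyzer/protocols/arp/ARP.h"` itself, as Sessions.cc already does. A short comment on the forward declarations, `// Only pointers are held here; include the analyzer headers in the .cc files.`, would make that intent explicit.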
@@ -546,7 +547,7 @@ protected: friend class AnalyzerTimer; friend class Manager; friend class ::Connection; - friend class ::TCP_ApplicationAnalyzer; + friend class tcp::TCP_ApplicationAnalyzer; /** * Associates a connection with this analyzer. Must be called if @@ -825,13 +826,13 @@ public: * transport-layer input and determine which protocol analyzer(s) to * use for parsing it. */ - void SetPIA(PIA* arg_PIA) { pia = arg_PIA; } + void SetPIA(pia::PIA* arg_PIA) { pia = arg_PIA; } /** * Returns the associated PIA, or null of none. Does not take * ownership. */ - PIA* GetPIA() const { return pia; } + pia::PIA* GetPIA() const { return pia; } /** * Helper to raise a \c packet_contents event. @@ -843,7 +844,7 @@ public: void PacketContents(const u_char* data, int len); private: - PIA* pia; + pia::PIA* pia; }; } diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt index 1172b0d811..1d0589c5bf 100644 --- a/src/analyzer/CMakeLists.txt +++ b/src/analyzer/CMakeLists.txt @@ -15,4 +15,8 @@ set(analyzer_SRCS bif_target_for_subdir(analyzer.bif) +bro_plugin_dependencies(DCE_RPC generate_analyzer.bif) + add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC} ${BIF_OUTPUT_H}) + +add_dependencies(bro_analyzer generate_events.bif) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index aba7f26a56..45fce936fd 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -15,6 +15,8 @@ #include "plugin/Manager.h" +#include "protocols/tcp/events.bif.h" + using namespace analyzer; Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp, 
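Review bot: `bro_plugin_dependencies(DCE_RPC generate_analyzer.bif)` hard-wires one plugin's build-order dependency into the parent analyzer/CMakeLists.txt, and the commit's own TODO ("not sure cmake dependencies work right yet") suggests this is a stopgap; any other plugin whose sources include analyzer.bif.h has the same race and will fail intermittently in parallel builds until it is listed here too. Expressing the dependency from inside the plugin's own CMakeLists, or having bro_plugin_end() add it for every plugin, avoids maintaining an exception list in the parent. If the line stays, a comment such as `# dce_rpc sources include analyzer.bif.h, so they must wait for that generator` is the minimum; that cause is inferred from the diffstat, not visible here.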
@@ -414,35 +416,35 @@ Manager::tag_set* Manager::LookupPort(PortVal* val, bool add_if_not_found) bool Manager::BuildInitialAnalyzerTree(Connection* conn) { Analyzer* analyzer = 0; - TCP_Analyzer* tcp = 0; - UDP_Analyzer* udp = 0; - ICMP_Analyzer* icmp = 0; + tcp::TCP_Analyzer* tcp = 0; + udp::UDP_Analyzer* udp = 0; + icmp::ICMP_Analyzer* icmp = 0; TransportLayerAnalyzer* root = 0; tag_set expected; - PIA* pia = 0; + pia::PIA* pia = 0; bool analyzed = false; bool check_port = false; switch ( conn->ConnTransport() ) { case TRANSPORT_TCP: - root = tcp = new TCP_Analyzer(conn); - pia = new PIA_TCP(conn); + root = tcp = new tcp::TCP_Analyzer(conn); + pia = new pia::PIA_TCP(conn); expected = GetScheduled(conn); check_port = true; DBG_ANALYZER(conn, "activated TCP analyzer"); break; case TRANSPORT_UDP: - root = udp = new UDP_Analyzer(conn); - pia = new PIA_UDP(conn); + root = udp = new udp::UDP_Analyzer(conn); + pia = new pia::PIA_UDP(conn); expected = GetScheduled(conn); check_port = true; DBG_ANALYZER(conn, "activated UDP analyzer"); break; case TRANSPORT_ICMP: { - root = icmp = new ICMP_Analyzer(conn); + root = icmp = new icmp::ICMP_Analyzer(conn); DBG_ANALYZER(conn, "activated ICMP analyzer"); analyzed = true; break; @@ -531,12 +533,12 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) if ( IsEnabled(analyzer_backdoor) ) // Add a BackDoor analyzer if requested. This analyzer // can handle both reassembled and non-reassembled input. - tcp->AddChildAnalyzer(new BackDoor_Analyzer(conn), false); + tcp->AddChildAnalyzer(new backdoor::BackDoor_Analyzer(conn), false); if ( IsEnabled(analyzer_interconn) ) // Add a InterConn analyzer if requested. This analyzer // can handle both reassembled and non-reassembled input. - tcp->AddChildAnalyzer(new InterConn_Analyzer(conn), false); + tcp->AddChildAnalyzer(new interconn::InterConn_Analyzer(conn), false); if ( IsEnabled(analyzer_stepping) ) { 
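Review bot: BuildInitialAnalyzerTree now declares locals named `tcp`, `udp`, `icmp` and `pia` whose types live in namespaces of exactly those names, so `pia = new pia::PIA_TCP(conn);` reads as though the variable were being used as a scope; it compiles only because qualified-name lookup before `::` ignores variables, and it will be confusing the moment someone drops `using namespace analyzer;` or adds a same-named type. Renaming the locals, e.g. `tcp::TCP_Analyzer* tcp_root = 0;` and `pia::PIA* root_pia = 0;`, or qualifying the types as `analyzer::pia::PIA_TCP`, removes the ambiguity. The function continues past the end of this hunk.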
@@ -550,25 +552,25 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) { AddrVal src(conn->OrigAddr()); if ( ! stp_skip_src->Lookup(&src) ) - tcp->AddChildAnalyzer(new SteppingStone_Analyzer(conn), false); + tcp->AddChildAnalyzer(new stepping_stone::SteppingStone_Analyzer(conn), false); } } if ( IsEnabled(analyzer_tcpstats) ) // Add TCPStats analyzer. This needs to see packets so // we cannot add it as a normal child. - tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn)); + tcp->AddChildPacketAnalyzer(new tcp::TCPStats_Analyzer(conn)); if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. - tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn)); + tcp->AddChildPacketAnalyzer(new conn_size::ConnSize_Analyzer(conn)); } else { if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. - root->AddChildAnalyzer(new ConnSize_Analyzer(conn)); + root->AddChildAnalyzer(new conn_size::ConnSize_Analyzer(conn)); } if ( pia ) diff --git a/src/analyzer/protocols/CMakeLists.txt b/src/analyzer/protocols/CMakeLists.txt index 9fcbbdd2d5..004ec72d35 100644 --- a/src/analyzer/protocols/CMakeLists.txt +++ b/src/analyzer/protocols/CMakeLists.txt @@ -1,4 +1,5 @@ +add_subdirectory(arp) add_subdirectory(ayiya) add_subdirectory(backdoor) add_subdirectory(bittorrent) @@ -18,7 +19,9 @@ add_subdirectory(interconn) add_subdirectory(irc) add_subdirectory(login) add_subdirectory(modbus) +add_subdirectory(mime) add_subdirectory(ncp) +add_subdirectory(netflow) add_subdirectory(netbios-ssn) add_subdirectory(ntp) add_subdirectory(pia) diff --git a/src/analyzer/protocols/TODO b/src/analyzer/protocols/TODO index 6168bf4686..41a4d579bc 100644 --- a/src/analyzer/protocols/TODO +++ b/src/analyzer/protocols/TODO 
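Review bot: In src/analyzer/protocols/CMakeLists.txt the two new entries break the alphabetical order the rest of the list follows, which is what makes a missing analyzer directory easy to spot: `add_subdirectory(mime)` is placed after modbus instead of between login and modbus, and `add_subdirectory(netflow)` is placed before netbios-ssn although "netb" sorts before "netf". Moving them to `add_subdirectory(login)` / `add_subdirectory(mime)` / `add_subdirectory(modbus)` and `add_subdirectory(netbios-ssn)` / `add_subdirectory(netflow)` / `add_subdirectory(ntp)` restores the ordering.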
@@ -1,10 +1,8 @@
-- introduce namespace into analyzers
-- fill events.bif
 - add functions.bif where needed
-- move ARP
-- move NetFlow
 - update *.h guards
 - cleanup analyzer descriptions
 - can now lower-case the analyzer name in plugin
+- not sure cmake dependencies work right yet
+- rename analyzers/protocols to analyzer/protocol
diff --git a/src/ARP.cc b/src/analyzer/protocols/arp/ARP.cc
similarity index 99%
rename from src/ARP.cc
rename to src/analyzer/protocols/arp/ARP.cc
index 7ffd82764c..9173e853aa 100644
--- a/src/ARP.cc
+++ b/src/analyzer/protocols/arp/ARP.cc
@@ -5,6 +5,9 @@
 #include "Event.h"
 #include "Reporter.h"
+#include "events.bif.h"
+
+using namespace analyzer::arp;
 ARP_Analyzer::ARP_Analyzer()
 {
diff --git a/src/ARP.h b/src/analyzer/protocols/arp/ARP.h
similarity index 93%
rename from src/ARP.h
rename to src/analyzer/protocols/arp/ARP.h
index f4b623c513..ee01669e92 100644
--- a/src/ARP.h
+++ b/src/analyzer/protocols/arp/ARP.h
@@ -24,7 +24,9 @@
 #endif
 #include "NetVar.h"
+#include "PacketSort.h"
+namespace analyzer { namespace arp {
 class ARP_Analyzer : public BroObj {
 public:
@@ -53,4 +55,6 @@ protected:
 EventHandlerPtr arp_reply;
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/arp/CMakeLists.txt b/src/analyzer/protocols/arp/CMakeLists.txt
new file mode 100644
index 0000000000..5654802b07
--- /dev/null
+++ b/src/analyzer/protocols/arp/CMakeLists.txt
@@ -0,0 +1,15 @@
+
+# This is not an actual analyzer, but used by the core. We still
+# maintain it here along with the other analyzers because conceptually
+# it's also parsing a protocol just like them. The current structure
+# is merely a left-over from when this code was written.
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(ARP)
+bro_plugin_cc(ARP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
+
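Review bot: The ARP.h hunk adds `#include "PacketSort.h"` alongside the namespace wrap, but nothing visible in the hunk uses a name from that header, so the reason for the new header-level dependency is not apparent. If ARP_Analyzer's declaration genuinely needs it, a one-line comment such as `// PacketSort.h: needed for <type> used in the declaration below` would help the next reader; if only ARP.cc needs it, the include belongs in the .cc so that every includer of ARP.h does not pull it in. The class body is outside the hunk, so this is inferred from what is shown.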
diff --git a/src/analyzer/protocols/arp/Plugin.cc b/src/analyzer/protocols/arp/Plugin.cc
new file mode 100644
index 0000000000..06b4940719
--- /dev/null
+++ b/src/analyzer/protocols/arp/Plugin.cc
@@ -0,0 +1,7 @@
+
+#include "plugin/Plugin.h"
+
+BRO_PLUGIN_BEGIN(ARP)
+ BRO_PLUGIN_DESCRIPTION("ARP Parsing Code");
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/arp/events.bif b/src/analyzer/protocols/arp/events.bif
new file mode 100644
index 0000000000..efee33d7f4
--- /dev/null
+++ b/src/analyzer/protocols/arp/events.bif
@@ -0,0 +1,63 @@
+## Generated for ARP requests.
+##
+## See `Wikipedia `__
+## for more information about the ARP protocol.
+##
+## mac_src: The request's source MAC address.
+##
+## mac_dst: The request's destination MAC address.
+##
+## SPA: The sender protocol address.
+##
+## SHA: The sender hardware address.
+##
+## TPA: The target protocol address.
+##
+## THA: The target hardware address.
+##
+## .. bro:see:: arp_reply bad_arp
+event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
+ TPA: addr, THA: string%);
+
+## Generated for ARP replies.
+##
+## See `Wikipedia `__
+## for more information about the ARP protocol.
+##
+## mac_src: The reply's source MAC address.
+##
+## mac_dst: The reply's destination MAC address.
+##
+## SPA: The sender protocol address.
+##
+## SHA: The sender hardware address.
+##
+## TPA: The target protocol address.
+##
+## THA: The target hardware address.
+##
+## .. bro:see:: arp_request bad_arp
+event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
+ TPA: addr, THA: string%);
+
+## Generated for ARP packets that Bro cannot interpret. Examples are packets
+## with non-standard hardware address formats or hardware addresses that do not
+## match the originator of the packet.
+##
+## SPA: The sender protocol address.
+##
+## SHA: The sender hardware address.
+##
+## TPA: The target protocol address.
+##
+## THA: The target hardware address.
+##
+## explanation: A short description of why the ARP packet is considered "bad".
+##
+## .. bro:see:: arp_reply arp_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);
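Review bot: The `.. todo::` on `bad_arp` tells the reader to "register a port for it or add a DPD payload signature" to enable the event, but the arp/CMakeLists.txt added in this same commit states the ARP code "is not an actual analyzer, but used by the core", and arp/Plugin.cc registers no analyzer, so there is no analyzer tag to attach a port or signature to. The advice looks carried over from an older script-level note and would send an operator down a path that cannot work. Suggest rewording the todo to describe the actual switch that enables core ARP parsing, or if none exists yet, to say only that the event is not generated in the default configuration and drop the port/DPD sentence.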
diff --git a/src/analyzer/protocols/ayiya/AYIYA.cc b/src/analyzer/protocols/ayiya/AYIYA.cc
index 2154ae4b30..070a3ef3e1 100644
--- a/src/analyzer/protocols/ayiya/AYIYA.cc
+++ b/src/analyzer/protocols/ayiya/AYIYA.cc
@@ -1,4 +1,9 @@
+
 #include "AYIYA.h"
+#include "Func.h"
+#include "events.bif.h"
+
+using namespace analyzer::ayiya;
 AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn)
 : Analyzer("AYIYA", conn)
diff --git a/src/analyzer/protocols/ayiya/AYIYA.h b/src/analyzer/protocols/ayiya/AYIYA.h
index c0897d84ff..2995131be5 100644
--- a/src/analyzer/protocols/ayiya/AYIYA.h
+++ b/src/analyzer/protocols/ayiya/AYIYA.h
@@ -3,6 +3,8 @@
 #include "ayiya_pac.h"
+namespace analyzer { namespace ayiya {
+
 class AYIYA_Analyzer : public analyzer::Analyzer {
 public:
 AYIYA_Analyzer(Connection* conn);
@@ -21,4 +23,6 @@ protected:
 binpac::AYIYA::AYIYA_Conn* interp;
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/ayiya/Plugin.cc b/src/analyzer/protocols/ayiya/Plugin.cc
index 1ec9887534..069aedde0a 100644
--- a/src/analyzer/protocols/ayiya/Plugin.cc
+++ b/src/analyzer/protocols/ayiya/Plugin.cc
@@ -5,6 +5,6 @@
 BRO_PLUGIN_BEGIN(AYIYA)
 BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer");
- BRO_PLUGIN_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("AYIYA", ayiya::AYIYA_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/ayiya/ayiya.pac b/src/analyzer/protocols/ayiya/ayiya.pac
index ff0af4d47c..b1f3a6ef77 100644
--- a/src/analyzer/protocols/ayiya/ayiya.pac
+++ b/src/analyzer/protocols/ayiya/ayiya.pac
@@ -2,6 +2,10 @@
 %include binpac.pac
 %include bro.pac
+%extern{
+#include "events.bif.h"
+%}
+
 analyzer AYIYA withcontext {
 connection: AYIYA_Conn;
 flow: AYIYA_Flow;
diff --git a/src/analyzer/protocols/backdoor/BackDoor.cc b/src/analyzer/protocols/backdoor/BackDoor.cc
index 00a1319e53..19b1a341a7 100644
--- a/src/analyzer/protocols/backdoor/BackDoor.cc
+++ b/src/analyzer/protocols/backdoor/BackDoor.cc
@@ -7,7 +7,11 @@
 #include "Net.h"
 #include "analyzer/protocols/tcp/TCP.h"
-BackDoorEndpoint::BackDoorEndpoint(TCP_Endpoint* e)
+#include "events.bif.h"
+
+using namespace analyzer::backdoor;
+
+BackDoorEndpoint::BackDoorEndpoint(tcp::TCP_Endpoint* e)
 {
 endp = e;
 is_partial = 0;
@@ -53,7 +57,7 @@ int BackDoorEndpoint::DataSent(double /* t */, int seq,
 if ( len <= 0 )
 return 0;
- if ( endp->state == TCP_ENDPOINT_PARTIAL )
+ if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
 is_partial = 1;
 int ack = endp->AckSeq() - endp->StartSeq();
@@ -681,7 +685,7 @@ int BackDoorEndpoint::CheckForString(const char* str,
 BackDoor_Analyzer::BackDoor_Analyzer(Connection* c)
-: TCP_ApplicationAnalyzer("BACKDOOR", c)
+: tcp::TCP_ApplicationAnalyzer("BACKDOOR", c)
 {
 orig_endp = resp_endp = 0;
@@ -701,7 +705,7 @@ BackDoor_Analyzer::~BackDoor_Analyzer()
 void BackDoor_Analyzer::Init()
 {
- TCP_ApplicationAnalyzer::Init();
+ tcp::TCP_ApplicationAnalyzer::Init();
 assert(TCP());
 orig_endp = new BackDoorEndpoint(TCP()->Orig());
@@ -740,7 +744,7 @@ void BackDoor_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 void BackDoor_Analyzer::Done()
 {
- TCP_ApplicationAnalyzer::Done();
+ tcp::TCP_ApplicationAnalyzer::Done();
 if ( ! IsFinished() )
 {
diff --git a/src/analyzer/protocols/backdoor/BackDoor.h b/src/analyzer/protocols/backdoor/BackDoor.h
index 1865cdd1ef..bab981cf89 100644
--- a/src/analyzer/protocols/backdoor/BackDoor.h
+++ b/src/analyzer/protocols/backdoor/BackDoor.h
@@ -8,9 +8,11 @@
 #include "NetVar.h"
 #include "analyzer/protocols/login/Login.h"
+namespace analyzer { namespace backdoor {
+
 class BackDoorEndpoint {
 public:
- BackDoorEndpoint(TCP_Endpoint* e);
+ BackDoorEndpoint(tcp::TCP_Endpoint* e);
 int DataSent(double t, int seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp);
@@ -44,7 +46,7 @@ protected:
 int CheckForFullString(const char* str, const u_char* data, int len);
 int CheckForString(const char* str, const u_char* data, int len);
- TCP_Endpoint* endp;
+ tcp::TCP_Endpoint* endp;
 int is_partial;
 int max_top_seq;
@@ -62,7 +64,7 @@ protected:
 uint32 num_7bit_ascii;
 };
-class BackDoor_Analyzer : public TCP_ApplicationAnalyzer {
+class BackDoor_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 BackDoor_Analyzer(Connection* c);
 ~BackDoor_Analyzer();
@@ -105,4 +107,6 @@ protected:
 BackDoor_Analyzer* analyzer;
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/backdoor/Plugin.cc b/src/analyzer/protocols/backdoor/Plugin.cc
index 586b9ef139..afcf60edbc 100644
--- a/src/analyzer/protocols/backdoor/Plugin.cc
+++ b/src/analyzer/protocols/backdoor/Plugin.cc
@@ -5,6 +5,6 @@
 BRO_PLUGIN_BEGIN(BackDoor)
 BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)");
- BRO_PLUGIN_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("BACKDOOR", backdoor::BackDoor_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/backdoor/events.bif b/src/analyzer/protocols/backdoor/events.bif
index e69de29bb2..81676ee43b 100644
--- a/src/analyzer/protocols/backdoor/events.bif
+++ b/src/analyzer/protocols/backdoor/events.bif
@@ -0,0 +1,32 @@
+## Deprecated. Will be removed.
+event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%);
+
+## Deprecated. Will be removed.
+event backdoor_remove_conn%(c: connection%);
+
+## Deprecated. Will be removed.
+event ftp_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event gnutella_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event http_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event irc_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event telnet_signature_found%(c: connection, is_orig: bool, len: count%);
+
+## Deprecated. Will be removed.
+event ssh_signature_found%(c: connection, is_orig: bool%);
+
+## Deprecated. Will be removed.
+event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%);
+
+## Deprecated. Will be removed.
+event smtp_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event http_proxy_signature_found%(c: connection%);
diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.cc b/src/analyzer/protocols/bittorrent/BitTorrent.cc
index 05e9ae8fba..fc66987cc7 100644
--- a/src/analyzer/protocols/bittorrent/BitTorrent.cc
+++ b/src/analyzer/protocols/bittorrent/BitTorrent.cc
@@ -3,8 +3,12 @@
 #include "BitTorrent.h"
 #include "analyzer/protocols/tcp/TCP_Reassembler.h"
+#include "events.bif.h"
+
+using namespace analyzer::bittorrent;
+
 BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c)
-: TCP_ApplicationAnalyzer("BITTORRENT", c)
+: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
 {
 interp = new binpac::BitTorrent::BitTorrent_Conn(this);
 stop_orig = stop_resp = false;
@@ -18,7 +22,7 @@ BitTorrent_Analyzer::~BitTorrent_Analyzer()
 void BitTorrent_Analyzer::Done()
 {
- TCP_ApplicationAnalyzer::Done();
+ tcp::TCP_ApplicationAnalyzer::Done();
 interp->FlowEOF(true);
 interp->FlowEOF(false);
@@ -29,7 +33,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 uint64& this_stream_len = orig ? stream_len_orig : stream_len_resp;
 bool& this_stop = orig ? stop_orig : stop_resp;
- TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+ tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 assert(TCP());
@@ -66,7 +70,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig)
 {
- TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+ tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 // TODO: Code commented out for now. I think that shoving data that
 // is definitely wrong into the parser seems like a really bad idea.
@@ -108,7 +112,7 @@ void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig)
 void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
 {
- TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+ tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 interp->FlowEOF(is_orig);
 }
diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.h b/src/analyzer/protocols/bittorrent/BitTorrent.h
index 0a36442ab9..7812261f04 100644
--- a/src/analyzer/protocols/bittorrent/BitTorrent.h
+++ b/src/analyzer/protocols/bittorrent/BitTorrent.h
@@ -7,7 +7,9 @@
 #include "bittorrent_pac.h"
-class BitTorrent_Analyzer : public TCP_ApplicationAnalyzer {
+namespace analyzer { namespace bittorrent {
+
+class BitTorrent_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 BitTorrent_Analyzer(Connection* conn);
 virtual ~BitTorrent_Analyzer();
@@ -28,4 +30,6 @@ protected:
 uint64 stream_len_orig, stream_len_resp;
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc
index cf8dcff6ba..18d1fe8ab9 100644
--- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc
@@ -3,6 +3,8 @@
 #include "BitTorrentTracker.h"
 #include "analyzer/protocols/tcp/TCP_Reassembler.h"
+#include "events.bif.h"
+
 #include
 #include
@@ -11,6 +13,8 @@
 # define FMT_INT "%" PRId64
 # define FMT_UINT "%" PRIu64
+using namespace analyzer::bittorrent;
+
 static TableType* bt_tracker_headers = 0;
 static RecordType* bittorrent_peer;
 static TableType* bittorrent_peer_set;
@@ -18,7 +22,7 @@ static RecordType* bittorrent_benc_value;
 static TableType* bittorrent_benc_dir;
 BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c)
-: TCP_ApplicationAnalyzer("BITTORRENT", c)
+: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
 {
 if ( ! bt_tracker_headers )
 {
@@ -74,13 +78,13 @@ BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer()
 void BitTorrentTracker_Analyzer::Done()
 {
- TCP_ApplicationAnalyzer::Done();
+ tcp::TCP_ApplicationAnalyzer::Done();
 }
 void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 {
- TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+ tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 assert(TCP());
@@ -205,7 +209,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
 void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig)
 {
- TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+ tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 ProtocolViolation("BitTorrentTracker: cannot recover from content gap");
@@ -217,7 +221,7 @@ void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig)
 void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig)
 {
- TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+ tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 }
 void BitTorrentTracker_Analyzer::InitBencParser(void)
diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h
index 70f3004acb..8db92c6af7 100644
--- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h
+++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h
@@ -7,6 +7,8 @@
 #define BTTRACKER_BUF 2048
+namespace analyzer { namespace bittorrent {
+
 // If the following is defined, then the analyzer will store all of
 // the headers seen in tracker messages.
 //#define BTTRACKER_STORE_HEADERS 1
@@ -40,7 +42,7 @@ enum btt_benc_states {
 BENC_STATE_STR2,
 };
-class BitTorrentTracker_Analyzer : public TCP_ApplicationAnalyzer {
+class BitTorrentTracker_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 BitTorrentTracker_Analyzer(Connection* conn);
 virtual ~BitTorrentTracker_Analyzer();
@@ -126,4 +128,6 @@ protected:
 bool stop_orig, stop_resp;
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/bittorrent/Plugin.cc b/src/analyzer/protocols/bittorrent/Plugin.cc
index c028956ce9..59e81749ce 100644
--- a/src/analyzer/protocols/bittorrent/Plugin.cc
+++ b/src/analyzer/protocols/bittorrent/Plugin.cc
@@ -6,7 +6,7 @@
 BRO_PLUGIN_BEGIN(BitTorrent)
 BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer");
- BRO_PLUGIN_ANALYZER("BitTorrent", BitTorrent_Analyzer::InstantiateAnalyzer);
- BRO_PLUGIN_ANALYZER("BitTorrentTracker", BitTorrentTracker_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("BitTorrent", bittorrent::BitTorrent_Analyzer);
+ BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrent_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/bittorrent/bittorrent.pac b/src/analyzer/protocols/bittorrent/bittorrent.pac
index f6255902dd..39e53596dd 100644
--- a/src/analyzer/protocols/bittorrent/bittorrent.pac
+++ b/src/analyzer/protocols/bittorrent/bittorrent.pac
@@ -5,6 +5,8 @@
 %extern{
 #define MSGLEN_LIMIT 0x40000
+
+#include "events.bif.h"
 %}
 analyzer BitTorrent withcontext {
diff --git a/src/analyzer/protocols/bittorrent/events.bif b/src/analyzer/protocols/bittorrent/events.bif
index e69de29bb2..8c4ddc146f 100644
--- a/src/analyzer/protocols/bittorrent/events.bif
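Review bot: The `BitTorrentTracker` registration in bittorrent/Plugin.cc now names `bittorrent::BitTorrent_Analyzer`, the same class as the `BitTorrent` entry, whereas the removed line instantiated `BitTorrentTracker_Analyzer`; the tracker tag will therefore construct the peer-wire analyzer and `BitTorrentTracker_Analyzer`, which this commit still declares and namespaces in BitTorrentTracker.h, is never instantiated. Tracker traffic would be handed to the peer parser, so `bt_tracker_*` events silently stop firing rather than producing any error. The line should read `BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrentTracker_Analyzer);`.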
+++ b/src/analyzer/protocols/bittorrent/events.bif 
@@ -0,0 +1,226 @@
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
+## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+## bittorrent_peer_weird
+event bittorrent_peer_handshake%(c: connection, is_orig: bool,
+ reserved: string, info_hash: string, peer_id: string%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+## bittorrent_peer_weird
+event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+## bittorrent_peer_unknown bittorrent_peer_weird
+event bittorrent_peer_choke%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+## bittorrent_peer_port bittorrent_peer_request
+## bittorrent_peer_unknown bittorrent_peer_weird
+event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
+## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+## bittorrent_peer_weird
+event bittorrent_peer_interested%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port
+## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+## bittorrent_peer_weird
+event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive
+## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+## bittorrent_peer_weird
+event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
+## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
+## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+## bittorrent_peer_weird
+event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown
+## bittorrent_peer_weird
+event bittorrent_peer_request%(c: connection, is_orig: bool, index: count,
+ begin: count, length: count%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
+## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+## bittorrent_peer_weird
+event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count,
+ begin: count, piece_length: count%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+## bittorrent_peer_unknown bittorrent_peer_weird
+event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count,
+ begin: count, length: count%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+## bittorrent_peer_weird
+event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+## bittorrent_peer_weird
+event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count,
+ data: string%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+## bittorrent_peer_unknown
+event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+## bittorrent_peer_unknown bittorrent_peer_weird
+event bt_tracker_request%(c: connection, uri: string,
+ headers: bt_tracker_headers%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+## bittorrent_peer_unknown bittorrent_peer_weird
+event bt_tracker_response%(c: connection, status: count,
+ headers: bt_tracker_headers,
+ peers: bittorrent_peer_set,
+ benc: bittorrent_benc_dir%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+## bittorrent_peer_unknown bittorrent_peer_weird
+event bt_tracker_response_not_ok%(c: connection, status: count,
+ headers: bt_tracker_headers%);
+
+## TODO.
+##
+## See `Wikipedia `__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+## bittorrent_peer_unknown bittorrent_peer_weird
+event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%);
+
diff --git a/src/analyzer/protocols/conn-size/ConnSize.cc b/src/analyzer/protocols/conn-size/ConnSize.cc
index a5a401a816..7d85fe4a0c 100644
--- a/src/analyzer/protocols/conn-size/ConnSize.cc
+++ b/src/analyzer/protocols/conn-size/ConnSize.cc
@@ -6,7 +6,9 @@
 #include "ConnSize.h"
 #include "analyzer/protocols/tcp/TCP.h"
+#include "events.bif.h"
+using namespace analyzer::conn_size;
 ConnSize_Analyzer::ConnSize_Analyzer(Connection* c)
 : Analyzer("CONNSIZE", c)
diff --git a/src/analyzer/protocols/conn-size/ConnSize.h b/src/analyzer/protocols/conn-size/ConnSize.h
index 6eac519c88..567895a9f5 100644
--- a/src/analyzer/protocols/conn-size/ConnSize.h
+++ b/src/analyzer/protocols/conn-size/ConnSize.h
@@ -7,6 +7,7 @@
 #include "analyzer/Analyzer.h"
 #include "NetVar.h"
+namespace analyzer { namespace conn_size {
 class ConnSize_Analyzer : public analyzer::Analyzer {
 public:
@@ -34,4 +35,6 @@ protected:
 uint64_t resp_pkts;
 };
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/conn-size/Plugin.cc b/src/analyzer/protocols/conn-size/Plugin.cc
index 7520d9b7b5..5ff2ed201d 100644
--- a/src/analyzer/protocols/conn-size/Plugin.cc
+++ b/src/analyzer/protocols/conn-size/Plugin.cc
@@ -5,6 +5,6 @@
 BRO_PLUGIN_BEGIN(ConnSize)
 BRO_PLUGIN_DESCRIPTION("Connection size analyzer");
- BRO_PLUGIN_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("CONNSIZE", conn_size::ConnSize_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.cc b/src/analyzer/protocols/dce-rpc/DCE_RPC.cc
index f01edc9c8a..dd31cfa8a7 100644
--- a/src/analyzer/protocols/dce-rpc/DCE_RPC.cc
+++ b/src/analyzer/protocols/dce-rpc/DCE_RPC.cc
@@ -13,6 +13,10 @@ using namespace std;
 #include "analyzer/Manager.h"
+#include "events.bif.h"
+
+using namespace analyzer::dce_rpc;
+
 #define xbyte(b, n) (((const u_char*) (b))[n])
 #define extract_uint16(little_endian, bytes) \
@@ -27,7 +31,7 @@ static int uuid_index[] = {
 12, 13, 14, 15
 };
-const char* uuid_to_string(const u_char* uuid_data)
+const char* analyzer::dce_rpc::uuid_to_string(const u_char* uuid_data)
 {
 static char s[1024];
 char* sp = s;
@@ -443,7 +447,7 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse(
 Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* arg_session, bool speculative)
-: TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig)
+: tcp::TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig)
 {
 session = arg_session;
 msg_buf = 0;
@@ -475,10 +479,10 @@ Contents_DCE_RPC_Analyzer::~Contents_DCE_RPC_Analyzer()
 void Contents_DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 {
- TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+ tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
- TCP_Analyzer* tcp =
- static_cast(Parent())->TCP();
+ tcp::TCP_Analyzer* tcp =
+ static_cast(Parent())->TCP();
 if ( tcp->HadGap(orig) || tcp->IsPartial() )
 return;
@@ -567,7 +571,7 @@ bool Contents_DCE_RPC_Analyzer::ParseHeader() } DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative) -: TCP_ApplicationAnalyzer("DCE_RPC", conn) +: tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) { session = new DCE_RPC_Session(this); speculative = arg_speculative; diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.h b/src/analyzer/protocols/dce-rpc/DCE_RPC.h index 7ad3cd1e13..fabd68912e 100644 --- a/src/analyzer/protocols/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocols/dce-rpc/DCE_RPC.h @@ -8,10 +8,14 @@ #include "NetVar.h" #include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/dce-rpc/events.bif.h" #include "IPAddr.h" #include "dce_rpc_simple_pac.h" + +namespace analyzer { namespace dce_rpc { + class UUID { public: UUID(); @@ -145,7 +149,7 @@ protected: } mapped; }; -class Contents_DCE_RPC_Analyzer : public TCP_SupportAnalyzer { +class Contents_DCE_RPC_Analyzer : public tcp::TCP_SupportAnalyzer { public: Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* session, bool speculative); @@ -169,7 +173,7 @@ protected: DCE_RPC_Session* session; }; -class DCE_RPC_Analyzer : public TCP_ApplicationAnalyzer { +class DCE_RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: DCE_RPC_Analyzer(Connection* conn, bool speculative = false); ~DCE_RPC_Analyzer(); @@ -182,4 +186,6 @@ protected: bool speculative; }; +} } // namespace analyzer::* + #endif /* dce_rpc_h */ diff --git a/src/analyzer/protocols/dce-rpc/Plugin.cc b/src/analyzer/protocols/dce-rpc/Plugin.cc index b818806076..5e35af7c0d 100644 --- a/src/analyzer/protocols/dce-rpc/Plugin.cc +++ b/src/analyzer/protocols/dce-rpc/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(DCE_RPC) BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer"); - BRO_PLUGIN_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("DCE_RPC", dce_rpc::DCE_RPC_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END 
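Review bot: The closing `} } // namespace analyzer::*` added at the end of DCE_RPC.h (and the identical line in the DHCP.h and DNS.h hunks) does not name the namespaces it closes, so a reader at the bottom of the header cannot tell from the comment that both `dce_rpc` and `analyzer` end there. Closing them on separate lines with explicit names, `} // namespace dce_rpc` followed by `} // namespace analyzer`, matches how the opening `namespace analyzer { namespace dce_rpc {` names them and is the form namespace-comment lints check for. The same applies to the `dhcp` and `dns` headers, so it is worth doing in one pass.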
diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc.pac b/src/analyzer/protocols/dce-rpc/dce_rpc.pac index cbcd0cbdc4..632d2304a1 100644 --- a/src/analyzer/protocols/dce-rpc/dce_rpc.pac +++ b/src/analyzer/protocols/dce-rpc/dce_rpc.pac @@ -1,6 +1,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer DCE_RPC withcontext { connection: DCE_RPC_Conn; flow: DCE_RPC_Flow; diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac b/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac index f31c2a078b..1bf0387b1d 100644 --- a/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac +++ b/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac @@ -1,5 +1,9 @@ %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer DCE_RPC_Simple withcontext {}; %include dce_rpc-protocol.pac diff --git a/src/analyzer/protocols/dce-rpc/events.bif b/src/analyzer/protocols/dce-rpc/events.bif index e69de29bb2..bdabb674fa 100644 --- a/src/analyzer/protocols/dce-rpc/events.bif +++ b/src/analyzer/protocols/dce-rpc/events.bif 
@@ -0,0 +1,55 @@ +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%); + +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_bind%(c: connection, uuid: string%); + +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_request%(c: connection, opnum: count, stub: string%); + +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message +## dce_rpc_request rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_response%(c: connection, opnum: count, stub: string%); + +## TODO. +## +## .. 
bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message +## dce_rpc_request dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); + diff --git a/src/analyzer/protocols/dhcp/DHCP.cc b/src/analyzer/protocols/dhcp/DHCP.cc index a590db19ca..8d05aef37d 100644 --- a/src/analyzer/protocols/dhcp/DHCP.cc +++ b/src/analyzer/protocols/dhcp/DHCP.cc @@ -1,6 +1,10 @@ #include "DHCP.h" +#include "events.bif.h" + +using namespace analyzer::dhcp; + DHCP_Analyzer::DHCP_Analyzer(Connection* conn) : Analyzer("DHCP", conn) { diff --git a/src/analyzer/protocols/dhcp/DHCP.h b/src/analyzer/protocols/dhcp/DHCP.h index 5c12e52cc5..189e04ecab 100644 --- a/src/analyzer/protocols/dhcp/DHCP.h +++ b/src/analyzer/protocols/dhcp/DHCP.h @@ -5,6 +5,8 @@ #include "dhcp_pac.h" +namespace analyzer { namespace dhcp { + class DHCP_Analyzer : public analyzer::Analyzer { public: DHCP_Analyzer(Connection* conn); @@ -21,4 +23,6 @@ protected: binpac::DHCP::DHCP_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/dhcp/Plugin.cc b/src/analyzer/protocols/dhcp/Plugin.cc index 32225d5bec..e1ee02db95 100644 --- a/src/analyzer/protocols/dhcp/Plugin.cc +++ b/src/analyzer/protocols/dhcp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(DHCP) BRO_PLUGIN_DESCRIPTION("DHCP Analyzer"); - BRO_PLUGIN_ANALYZER("DHCP", DHCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("DHCP", dhcp::DHCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/dhcp/dhcp.pac b/src/analyzer/protocols/dhcp/dhcp.pac index 9e9d7755a4..c4a684badc 100644 --- a/src/analyzer/protocols/dhcp/dhcp.pac 
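Review bot: All five event declarations in the new dce-rpc events.bif carry the placeholder description `## TODO.`, and none of their parameters (`ptype`, `msg`, `uuid`, `opnum`, `stub`, `p`, `h`) is described, so the generated reference will consist only of cross-reference lists that point at other placeholders. Each event should at least get parameter lines in the style the DHCP and DNS files use, e.g. for dce_rpc_request `## c: The connection.`, `## opnum: The operation number of the request.` and `## stub: The stub data carried by the request.` — the precise meaning of each field should be confirmed against the binpac grammar and DCE_RPC.cc, which are outside this hunk. If the descriptions are deliberately deferred, a short one-line summary per event (which message type triggers it) is still better than a bare TODO.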
+++ b/src/analyzer/protocols/dhcp/dhcp.pac @@ -1,5 +1,9 @@ %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer DHCP withcontext { connection: DHCP_Conn; flow: DHCP_Flow; diff --git a/src/analyzer/protocols/dhcp/events.bif b/src/analyzer/protocols/dhcp/events.bif index e69de29bb2..741504185e 100644 --- a/src/analyzer/protocols/dhcp/events.bif +++ b/src/analyzer/protocols/dhcp/events.bif 
@@ -0,0 +1,239 @@ +## Generated for DHCP messages of type *discover*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## req_addr: The specific address requested by the client. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); + +## Generated for DHCP messages of type *offer*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: TODO. +## +## mask: The subnet mask specified by the message. +## +## router: The list of routers specified by the message. +## +## lease: The least interval specified by the message. +## +## serv_addr: The server address specified by the message. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); + +## Generated for DHCP messages of type *request*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## req_addr: The client address specified by the message. +## +## serv_addr: The server address specified by the message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). 
It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%); + +## Generated for DHCP messages of type *decline*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_decline%(c: connection, msg: dhcp_msg%); + +## Generated for DHCP messages of type *acknowledgment*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. 
+## +## msg: The parsed type-independent part of the DHCP message. +## +## mask: The subnet mask specified by the message. +## +## router: The list of routers specified by the message. +## +## lease: The least interval specified by the message. +## +## serv_addr: The server address specified by the message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); + +## Generated for DHCP messages of type *negative acknowledgment*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_nak%(c: connection, msg: dhcp_msg%); + +## Generated for DHCP messages of type *release*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_release%(c: connection, msg: dhcp_msg%); + +## Generated for DHCP messages of type *inform*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_inform%(c: connection, msg: dhcp_msg%); + diff --git a/src/analyzer/protocols/dns/DNS.cc b/src/analyzer/protocols/dns/DNS.cc index 7cab27c4b9..4901df4417 100644 --- a/src/analyzer/protocols/dns/DNS.cc +++ b/src/analyzer/protocols/dns/DNS.cc 
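Review bot: Every `.. bro:see::` block in the new dhcp events.bif lists DNS events (`dns_AAAA_reply dns_A_reply dns_CNAME_reply ...`) instead of the sibling DHCP events, which looks like a copy-paste from the dns file; each cross-reference should instead read `.. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak dhcp_release dhcp_inform` with the documented event itself omitted. Two smaller defects in the same hunk: dhcp_offer documents its message as `## msg: TODO.` while its siblings use `## msg: The parsed type-independent part of the DHCP message.`, and dhcp_offer and dhcp_ack describe `lease` as `The least interval`, which should be `The lease interval`. The Wikipedia link targets show as empty in this rendering; worth confirming that the URL survived in the committed file.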
@@ -12,6 +12,10 @@ #include "Sessions.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::dns; + DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; @@ -993,7 +997,7 @@ Val* DNS_MsgInfo::BuildTSIG_Val() Contents_DNS::Contents_DNS(Connection* conn, bool orig, DNS_Interpreter* arg_interp) -: TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) { interp = arg_interp; @@ -1080,7 +1084,7 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig) } DNS_Analyzer::DNS_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("DNS", conn) +: tcp::TCP_ApplicationAnalyzer("DNS", conn) { interp = new DNS_Interpreter(this); contents_dns_orig = contents_dns_resp = 0; @@ -1112,7 +1116,7 @@ void DNS_Analyzer::Init() void DNS_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done ) Event(udp_session_done); @@ -1123,7 +1127,7 @@ void DNS_Analyzer::Done() void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); if ( orig ) { @@ -1141,10 +1145,10 @@ void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, } -void DNS_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer, +void DNS_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, tcp::TCP_Endpoint* peer, int gen_event) { - TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); + tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); assert(contents_dns_orig && contents_dns_resp); contents_dns_orig->Flush(); 
diff --git a/src/analyzer/protocols/dns/DNS.h b/src/analyzer/protocols/dns/DNS.h index ca87f862c0..fc19fe82b3 100644 --- a/src/analyzer/protocols/dns/DNS.h +++ b/src/analyzer/protocols/dns/DNS.h @@ -6,6 +6,8 @@ #include "analyzer/protocols/tcp/TCP.h" #include "binpac_bro.h" +namespace analyzer { namespace dns { + typedef enum { DNS_OP_QUERY = 0, ///< standard query DNS_OP_IQUERY = 1, ///< reverse query @@ -229,7 +231,7 @@ typedef enum { // Support analyzer which chunks the TCP stream into "packets". // ### This should be merged with TCP_Contents_RPC. -class Contents_DNS : public TCP_SupportAnalyzer { +class Contents_DNS : public tcp::TCP_SupportAnalyzer { public: Contents_DNS(Connection* c, bool orig, DNS_Interpreter* interp); ~Contents_DNS(); @@ -251,7 +253,7 @@ protected: }; // Works for both TCP and UDP. -class DNS_Analyzer : public TCP_ApplicationAnalyzer { +class DNS_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: DNS_Analyzer(Connection* conn); ~DNS_Analyzer(); @@ -261,8 +263,8 @@ public: virtual void Init(); virtual void Done(); - virtual void ConnectionClosed(TCP_Endpoint* endpoint, - TCP_Endpoint* peer, int gen_event); + virtual void ConnectionClosed(tcp::TCP_Endpoint* endpoint, + tcp::TCP_Endpoint* peer, int gen_event); void ExpireTimer(double t); @@ -279,4 +281,6 @@ protected: // FIXME: Doesn't really fit into new analyzer structure. What to do? int IsReuse(double t, const u_char* pkt); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/dns/Plugin.cc b/src/analyzer/protocols/dns/Plugin.cc index 6bd4415f0e..e731f191da 100644 --- a/src/analyzer/protocols/dns/Plugin.cc +++ b/src/analyzer/protocols/dns/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(DNS) BRO_PLUGIN_DESCRIPTION("DNS Analyzer"); - BRO_PLUGIN_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("DNS", dns::DNS_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END 
diff --git a/src/analyzer/protocols/dns/events.bif b/src/analyzer/protocols/dns/events.bif index e69de29bb2..95c604a8b8 100644 --- a/src/analyzer/protocols/dns/events.bif +++ b/src/analyzer/protocols/dns/events.bif 
@@ -0,0 +1,482 @@ +## Generated for all DNS messages. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## is_orig: True if the message was sent by the originator of the connection. +## +## msg: The parsed DNS message header. +## +## len: The length of the message's raw representation (i.e., the DNS payload). +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected +## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%); + +## Generated for DNS requests. For requests with multiple queries, this event +## is raised once for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); + +## Generated for DNS replies that reject a query. This event is raised if a DNS +## reply either indicates failure via its status code or does not pass on any +## answers to a query. Note that all of the event's parameters are parsed out of +## the reply; there's no stateful correlation with the query. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); + +## Generated for DNS replies with an *ok* status code but no question section. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_rejected +## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_query_reply%(c: connection, msg: dns_msg, query: string, + qtype: count, qclass: count%); + +## Generated for DNS replies of type *A*. For replies with multiple answers, an +## individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. 
+## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## a: The address returned by the reply. +## +## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply +## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); + +## Generated for DNS replies of type *AAAA*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## a: The address returned by the reply. +## +## .. 
bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); + +## Generated for DNS replies of type *A6*. For replies with multiple answers, an +## individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## a: The address returned by the reply. +## +## .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); + +## Generated for DNS replies of type *NS*. For replies with multiple answers, an +## individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. 
Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## name: The name returned by the reply. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); + +## Generated for DNS replies of type *CNAME*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## name: The name returned by the reply. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
+
+## Generated for DNS replies of type *PTR*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## name: The name returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply
+## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
+
+## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol.
Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## soa: The parsed SOA value.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
+## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%);
+
+## Generated for DNS replies of type *WKS*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## ..
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
+## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
+
+## Generated for DNS replies of type *HINFO*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
+## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
+
+## Generated for DNS replies of type *MX*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## name: The name returned by the reply.
+##
+## preference: The preference for *name* specified by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
+## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%);
+
+## Generated for DNS replies of type *TXT*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## str: The textual information returned by the reply.
+##
+## ..
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
+## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%);
+
+## Generated for DNS replies of type *SRV*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
+
+## Generated for DNS replies of type *EDNS*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The parsed EDNS reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
+
+## Generated for DNS replies of type *TSIG*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The parsed TSIG reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%);
+
+## Generated at the end of processing a DNS packet.
This event is the last
+## ``dns_*`` event that will be raised for a DNS query/reply and signals that
+## all resource records have been passed on.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
+## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_end%(c: connection, msg: dns_msg%);
+
+## Deprecated. Will be removed.
+##
+## .. todo:: Unclear what this event is for; it's never raised. We should just
+## remove it.
+event dns_full_request%(%);
+
+## msg: The raw DNS payload.
+##
+## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
+## detection framework.
+event non_dns_request%(c: connection, msg: string%);
diff --git a/src/analyzer/protocols/file/File.cc b/src/analyzer/protocols/file/File.cc
index 664e0a8c4c..66de4c2cb4 100644
--- a/src/analyzer/protocols/file/File.cc
+++ b/src/analyzer/protocols/file/File.cc
@@ -4,11 +4,15 @@ #include "Reporter.h" #include "util.h"
+#include "events.bif.h"
+
+using namespace analyzer::file;
+
 magic_t File_Analyzer::magic = 0; magic_t File_Analyzer::magic_mime = 0; File_Analyzer::File_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("FILE", conn)
+: tcp::TCP_ApplicationAnalyzer("FILE", conn)
 { buffer_len = 0;
@@ -18,7 +22,7 @@ File_Analyzer::File_Analyzer(Connection* conn) void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); int n = min(len, BUFFER_SIZE - buffer_len); @@ -35,7 +39,7 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void File_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( buffer_len && buffer_len != BUFFER_SIZE ) Identify(); diff --git a/src/analyzer/protocols/file/File.h b/src/analyzer/protocols/file/File.h index ae55a34885..ae6a815378 100644 --- a/src/analyzer/protocols/file/File.h +++ b/src/analyzer/protocols/file/File.h @@ -7,7 +7,9 @@ #include -class File_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace file { + +class File_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: File_Analyzer(Connection* conn); @@ -29,4 +31,6 @@ protected: static magic_t magic_mime; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/file/Plugin.cc b/src/analyzer/protocols/file/Plugin.cc index a5868e0d7e..ad4e917742 100644 --- a/src/analyzer/protocols/file/Plugin.cc +++ b/src/analyzer/protocols/file/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(File) BRO_PLUGIN_DESCRIPTION("Generic File Analyzer"); - BRO_PLUGIN_ANALYZER("File", File_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("File", file::File_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/file/events.bif b/src/analyzer/protocols/file/events.bif index e69de29bb2..4277f1975f 100644 --- a/src/analyzer/protocols/file/events.bif +++ b/src/analyzer/protocols/file/events.bif @@ -0,0 +1,3 @@ +## TODO. +## +event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); 
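Review bot: The description of `file_transferred` in file/events.bif is the placeholder `## TODO.`, and the same placeholder heads all six events added in gnutella/events.bif, so the script-facing contract for these analyzers is undocumented while the sibling bif files in this commit (finger, ftp, gtpv1) spell out when each event fires and what every parameter holds. At minimum each entry should say what triggers the event and document its parameters in the same style, e.g. for file_transferred `## c: The connection over which the file was transferred.` followed by `prefix`, `descr` and `mime_type`; the exact trigger is presumably File_Analyzer::Identify(), which lies outside this hunk, so the wording should be confirmed against it. Until then a `.. todo::` line like the one the finger and gnutella events carry would at least flag the gap to readers of the generated reference.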
diff --git a/src/analyzer/protocols/finger/Finger.cc b/src/analyzer/protocols/finger/Finger.cc index cdebed9bb9..dce2cfef9f 100644 --- a/src/analyzer/protocols/finger/Finger.cc +++ b/src/analyzer/protocols/finger/Finger.cc @@ -9,25 +9,29 @@ #include "Event.h" #include "analyzer/protocols/tcp/ContentLine.h" +#include "events.bif.h" + +using namespace analyzer::finger; + Finger_Analyzer::Finger_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("FINGER", conn) +: tcp::TCP_ApplicationAnalyzer("FINGER", conn) { did_deliver = 0; - content_line_orig = new ContentLine_Analyzer(conn, true); + content_line_orig = new tcp::ContentLine_Analyzer(conn, true); content_line_orig->SetIsNULSensitive(true); - content_line_resp = new ContentLine_Analyzer(conn, false); + content_line_resp = new tcp::ContentLine_Analyzer(conn, false); AddSupportAnalyzer(content_line_orig); AddSupportAnalyzer(content_line_resp); } void Finger_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( TCP() ) if ( (! did_deliver || content_line_orig->HasPartialLine()) && - (TCP()->OrigState() == TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) ) + (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) ) // ### should include the partial text Weird("partial_finger_request"); } diff --git a/src/analyzer/protocols/finger/Finger.h b/src/analyzer/protocols/finger/Finger.h index f069daa8c7..d80549bb4c 100644 --- a/src/analyzer/protocols/finger/Finger.h +++ b/src/analyzer/protocols/finger/Finger.h @@ -4,10 +4,11 @@ #define finger_h #include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/tcp/ContentLine.h" -class ContentLine_Analyzer; +namespace analyzer { namespace finger { -class Finger_Analyzer : public TCP_ApplicationAnalyzer { +class Finger_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Finger_Analyzer(Connection* conn); virtual ~Finger_Analyzer() {} 
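Review bot: Finger.h replaces the forward declaration `class ContentLine_Analyzer;` with a full `#include "analyzer/protocols/tcp/ContentLine.h"`, although the header only stores `tcp::ContentLine_Analyzer*` members and Finger.cc already includes ContentLine.h itself for the `new tcp::ContentLine_Analyzer(...)` calls in the constructor. A namespaced forward declaration, `namespace analyzer { namespace tcp { class ContentLine_Analyzer; } }`, keeps the header's dependency footprint exactly as light as before the move into `analyzer::finger`. This is a style point only; it does not change behaviour.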
@@ -20,9 +21,11 @@ public: { return new Finger_Analyzer(conn); } protected: - ContentLine_Analyzer* content_line_orig; - ContentLine_Analyzer* content_line_resp; + tcp::ContentLine_Analyzer* content_line_orig; + tcp::ContentLine_Analyzer* content_line_resp; int did_deliver; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/finger/Plugin.cc b/src/analyzer/protocols/finger/Plugin.cc index 98fd1f5985..603bbd004e 100644 --- a/src/analyzer/protocols/finger/Plugin.cc +++ b/src/analyzer/protocols/finger/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Finger) BRO_PLUGIN_DESCRIPTION("Finger Analyzer"); - BRO_PLUGIN_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("FINGER", finger::Finger_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/finger/events.bif b/src/analyzer/protocols/finger/events.bif index e69de29bb2..e495263b12 100644 --- a/src/analyzer/protocols/finger/events.bif +++ b/src/analyzer/protocols/finger/events.bif 
@@ -0,0 +1,38 @@
+## Generated for Finger requests.
+##
+## See `Wikipedia `__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## full: True if verbose information is requested (``/W`` switch).
+##
+## username: The request's user name.
+##
+## hostname: The request's host name.
+##
+## .. bro:see:: finger_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event finger_request%(c: connection, full: bool, username: string, hostname: string%);
+
+## Generated for Finger replies.
+##
+## See `Wikipedia `__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## reply_line: The reply as returned by the server
+##
+## .. bro:see:: finger_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event finger_reply%(c: connection, reply_line: string%);
+
diff --git a/src/analyzer/protocols/ftp/FTP.cc b/src/analyzer/protocols/ftp/FTP.cc
index b371099c01..aed14b8de8 100644
--- a/src/analyzer/protocols/ftp/FTP.cc
+++ b/src/analyzer/protocols/ftp/FTP.cc
@@ -11,18 +11,22 @@ #include "analyzer/Manager.h" #include "analyzer/protocols/login/NVT.h" +#include "events.bif.h" + +using namespace analyzer::ftp; + FTP_Analyzer::FTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("FTP", conn) +: tcp::TCP_ApplicationAnalyzer("FTP", conn) { pending_reply = 0; - nvt_orig = new NVT_Analyzer(conn, true); + nvt_orig = new login::NVT_Analyzer(conn, true); nvt_orig->SetIsNULSensitive(true); nvt_orig->SetIsNULSensitive(true); nvt_orig->SetCRLFAsEOL(LF_as_EOL); nvt_orig->SetIsNULSensitive(LF_as_EOL); - nvt_resp = new NVT_Analyzer(conn, false); + nvt_resp = new login::NVT_Analyzer(conn, false); nvt_resp->SetIsNULSensitive(true); nvt_resp->SetIsNULSensitive(true); nvt_resp->SetCRLFAsEOL(LF_as_EOL); @@ -37,11 +41,11 @@ FTP_Analyzer::FTP_Analyzer(Connection* conn) void FTP_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( nvt_orig->HasPartialLine() && - (TCP()->OrigState() == TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) ) + (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) ) // ### should include the partial text Weird("partial_ftp_request"); } @@ -56,7 +60,7 @@ static uint32 get_reply_code(int len, const char* line) void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) ) return; diff --git a/src/analyzer/protocols/ftp/FTP.h b/src/analyzer/protocols/ftp/FTP.h index aaecfb98f1..9ebf38b2f7 100644 --- a/src/analyzer/protocols/ftp/FTP.h +++ b/src/analyzer/protocols/ftp/FTP.h 
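Review bot: In the FTP_Analyzer constructor the two `nvt_orig->SetIsNULSensitive(true);` calls are dead, because `nvt_orig->SetIsNULSensitive(LF_as_EOL);` three lines later overwrites the setting; the hunk carries this over unchanged while touching the surrounding `new login::NVT_Analyzer(...)` lines, and the `nvt_resp` setup starts with the same duplicated pair (its tail and the rest of the constructor lie outside the hunk). Since this is a protocol parser fed by untrusted peers, whether NUL bytes in command lines are treated as line-sensitive should be a deliberate choice rather than an accident of call order: either drop the two `SetIsNULSensitive(true)` lines, or, if NUL sensitivity was meant to be unconditional on the originator side, drop the `SetIsNULSensitive(LF_as_EOL)` call instead. Whichever is intended, a one-line comment such as `// NUL handling follows LF_as_EOL; see SetCRLFAsEOL above` would stop the next reader from guessing.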
@@ -6,7 +6,9 @@ #include "analyzer/protocols/login/NVT.h" #include "analyzer/protocols/tcp/TCP.h" -class FTP_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ftp { + +class FTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: FTP_Analyzer(Connection* conn); @@ -19,8 +21,8 @@ public: } protected: - NVT_Analyzer* nvt_orig; - NVT_Analyzer* nvt_resp; + login::NVT_Analyzer* nvt_orig; + login::NVT_Analyzer* nvt_resp; uint32 pending_reply; // code associated with multi-line reply, or 0 string auth_requested; // AUTH method requested }; @@ -47,4 +49,6 @@ protected: bool first_token; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ftp/Plugin.cc b/src/analyzer/protocols/ftp/Plugin.cc index 2a250b97ee..9a58990a63 100644 --- a/src/analyzer/protocols/ftp/Plugin.cc +++ b/src/analyzer/protocols/ftp/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(FTP) BRO_PLUGIN_DESCRIPTION("FTP Analyzer"); - BRO_PLUGIN_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ftp/events.bif b/src/analyzer/protocols/ftp/events.bif index e69de29bb2..16faa417d3 100644 --- a/src/analyzer/protocols/ftp/events.bif +++ b/src/analyzer/protocols/ftp/events.bif 
@@ -0,0 +1,35 @@
+## Generated for client-side FTP commands.
+##
+## See `Wikipedia `__ for
+## more information about the FTP protocol.
+##
+## c: The connection.
+##
+## command: The FTP command issued by the client (without any arguments).
+##
+## arg: The arguments going with the command.
+##
+## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
+## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
+event ftp_request%(c: connection, command: string, arg: string%);
+
+## Generated for server-side FTP replies.
+##
+## See `Wikipedia `__ for
+## more information about the FTP protocol.
+##
+## c: The connection.
+##
+## code: The numerical response code the server responded with.
+##
+## msg: The textual message of the response.
+##
+## cont_resp: True if the reply line is tagged as being continued to the next
+## line. If so, further events will be raised and a handler may want
+## to reassemble the pieces before processing the response any
+## further.
+##
+## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
+## parse_ftp_epsv parse_ftp_pasv parse_ftp_port
+event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%);
+
diff --git a/src/analyzer/protocols/gnutella/Gnutella.cc b/src/analyzer/protocols/gnutella/Gnutella.cc
index bf2be877c0..a0d8812218 100644
--- a/src/analyzer/protocols/gnutella/Gnutella.cc
+++ b/src/analyzer/protocols/gnutella/Gnutella.cc
@@ -12,6 +12,10 @@ #include "analyzer/protocols/pia/PIA.h" #include "analyzer/Manager.h"
+#include "events.bif.h"
+
+using namespace analyzer::gnutella;
+
 GnutellaMsgState::GnutellaMsgState() { buffer = "";
@@ -30,7 +34,7 @@ GnutellaMsgState::GnutellaMsgState() Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("GNUTELLA", conn)
+: tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
 { state = 0; new_state = 0;
@@ -50,7 +54,7 @@ Gnutella_Analyzer::~Gnutella_Analyzer() void Gnutella_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) { @@ -138,9 +142,9 @@ int Gnutella_Analyzer::IsHTTP(string header) if ( Parent()->IsAnalyzer("TCP") ) { // Replay buffered data. - PIA* pia = static_cast(Parent())->GetPIA(); + pia::PIA* pia = static_cast(Parent())->GetPIA(); if ( pia ) - static_cast(pia)->ReplayStreamBuffer(a); + static_cast(pia)->ReplayStreamBuffer(a); } Parent()->RemoveChildAnalyzer(this); @@ -328,7 +332,7 @@ void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig) void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); ms = orig ? orig_msg_state : resp_msg_state; ms->current_offset = 0; diff --git a/src/analyzer/protocols/gnutella/Gnutella.h b/src/analyzer/protocols/gnutella/Gnutella.h index 085d4fbf56..3a6e51d0c4 100644 --- a/src/analyzer/protocols/gnutella/Gnutella.h +++ b/src/analyzer/protocols/gnutella/Gnutella.h @@ -11,6 +11,8 @@ #define GNUTELLA_MSG_SIZE 23 #define GNUTELLA_MAX_PAYLOAD 1024 +namespace analyzer { namespace gnutella { + class GnutellaMsgState { public: GnutellaMsgState (); @@ -32,7 +34,7 @@ public: }; -class Gnutella_Analyzer : public TCP_ApplicationAnalyzer { +class Gnutella_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Gnutella_Analyzer(Connection* conn); ~Gnutella_Analyzer(); @@ -67,4 +69,6 @@ private: GnutellaMsgState* ms; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/gnutella/Plugin.cc b/src/analyzer/protocols/gnutella/Plugin.cc index 6cc0b02771..eca9adb001 100644 --- a/src/analyzer/protocols/gnutella/Plugin.cc +++ b/src/analyzer/protocols/gnutella/Plugin.cc 
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Gnutella) BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer"); - BRO_PLUGIN_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("GNUTELLA", gnutella::Gnutella_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/gnutella/events.bif b/src/analyzer/protocols/gnutella/events.bif index e69de29bb2..9384f34e88 100644 --- a/src/analyzer/protocols/gnutella/events.bif +++ b/src/analyzer/protocols/gnutella/events.bif 
@@ -0,0 +1,88 @@
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
+##
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
+
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
+## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
+ ttl: count, hops: count, msg_len: count,
+ payload: string, payload_len: count,
+ trunc: bool, complete: bool%);
+
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+## gnutella_not_establish gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_partial_binary_msg%(c: connection, orig: bool,
+ msg: string, len: count%);
+
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
+## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_establish%(c: connection%);
+
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_not_establish%(c: connection%);
+
+## TODO.
+##
+## See `Wikipedia `__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
+## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event gnutella_http_notify%(c: connection%);
diff --git a/src/analyzer/protocols/gtpv1/GTPv1.cc b/src/analyzer/protocols/gtpv1/GTPv1.cc
index 86a2615690..0a94a28554 100644
--- a/src/analyzer/protocols/gtpv1/GTPv1.cc +++ b/src/analyzer/protocols/gtpv1/GTPv1.cc @@ -1,5 +1,11 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include "GTPv1.h" +#include "events.bif.h" + +using namespace analyzer::gtpv1; + GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn) : Analyzer("GTPV1", conn) { diff --git a/src/analyzer/protocols/gtpv1/GTPv1.h b/src/analyzer/protocols/gtpv1/GTPv1.h index 2e4a405878..3fb7634534 100644 --- a/src/analyzer/protocols/gtpv1/GTPv1.h +++ b/src/analyzer/protocols/gtpv1/GTPv1.h @@ -3,6 +3,8 @@ #include "gtpv1_pac.h" +namespace analyzer { namespace gtpv1 { + class GTPv1_Analyzer : public analyzer::Analyzer { public: GTPv1_Analyzer(Connection* conn); @@ -21,4 +23,6 @@ protected: binpac::GTPv1::GTPv1_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/gtpv1/Plugin.cc b/src/analyzer/protocols/gtpv1/Plugin.cc index caa9755828..39233384dc 100644 --- a/src/analyzer/protocols/gtpv1/Plugin.cc +++ b/src/analyzer/protocols/gtpv1/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(GTPV1) BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer"); - BRO_PLUGIN_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("GTPV1", gtpv1::GTPv1_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/gtpv1/events.bif b/src/analyzer/protocols/gtpv1/events.bif index e69de29bb2..b3bac93a2e 100644 --- a/src/analyzer/protocols/gtpv1/events.bif +++ b/src/analyzer/protocols/gtpv1/events.bif 
@@ -0,0 +1,74 @@ +## Generated for any GTP message with a GTPv1 header. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +event gtpv1_message%(c: connection, hdr: gtpv1_hdr%); + +## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload +## that includes a GTP header followed by an IPv4 or IPv6 packet. +## +## outer: The GTP outer tunnel connection. +## +## inner_gtp: The GTP header. +## +## inner_ip: The inner IP and transport layer packet headers. +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%); + +## Generated for GTPv1-C Create PDP Context Request messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%); + +## Generated for GTPv1-C Create PDP Context Response messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%); + +## Generated for GTPv1-C Update PDP Context Request messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%); + +## Generated for GTPv1-C Update PDP Context Response messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. 
+## +## elements: The set of Information Elements comprising the message. +event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%); + +## Generated for GTPv1-C Delete PDP Context Request messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%); + +## Generated for GTPv1-C Delete PDP Context Response messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%); + diff --git a/src/analyzer/protocols/gtpv1/gtpv1.pac b/src/analyzer/protocols/gtpv1/gtpv1.pac index d155ecfd67..0305951cc5 100644 --- a/src/analyzer/protocols/gtpv1/gtpv1.pac +++ b/src/analyzer/protocols/gtpv1/gtpv1.pac @@ -1,6 +1,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer GTPv1 withcontext { connection: GTPv1_Conn; flow: GTPv1_Flow; diff --git a/src/analyzer/protocols/http/HTTP.cc b/src/analyzer/protocols/http/HTTP.cc index 98c8ad484e..899c7de01f 100644 --- a/src/analyzer/protocols/http/HTTP.cc +++ b/src/analyzer/protocols/http/HTTP.cc @@ -11,7 +11,11 @@ #include "NetVar.h" #include "HTTP.h" #include "Event.h" -#include "MIME.h" +#include "analyzer/protocols/mime/MIME.h" + +#include "events.bif.h" + +using namespace analyzer::http; const bool DEBUG_http = false; 
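Review bot: The docstring for `gtpv1_message` ("Generated for any GTP message with a GTPv1 header") does not say how it relates to the more specific events declared after it, e.g. whether a Create PDP Context Request raises both `gtpv1_message` and `gtpv1_create_pdp_ctx_request`. I cannot tell from the .bif alone which is the case, but a script author counting or logging GTP control traffic needs to know in order not to handle the same message twice. A `.. note::` on `gtpv1_message` stating that relationship, plus a `.. bro:see::` list naming the specific events (the icmp events added in this same commit use that convention), would close the gap. The `.. note::` on `gtpv1_g_pdu_packet` about per-packet cost is a good model for the wording.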
@@ -77,7 +81,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF) if ( end_of_data ) { // Multipart entities may have trailers - if ( content_type != CONTENT_TYPE_MULTIPART ) + if ( content_type != mime::CONTENT_TYPE_MULTIPART ) IllegalFormat("data trailing the end of entity"); return; } @@ -93,8 +97,8 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF) } // Entity body. - if ( content_type == CONTENT_TYPE_MULTIPART || - content_type == CONTENT_TYPE_MESSAGE ) + if ( content_type == mime::CONTENT_TYPE_MULTIPART || + content_type == mime::CONTENT_TYPE_MESSAGE ) DeliverBody(len, data, trailing_CRLF); else if ( chunked_transfer_state != NON_CHUNKED_TRANSFER ) @@ -177,14 +181,14 @@ void HTTP_Entity::DeliverBody(int len, const char* data, int trailing_CRLF) { if ( encoding == GZIP || encoding == DEFLATE ) { - ZIP_Analyzer::Method method = + zip::ZIP_Analyzer::Method method = encoding == GZIP ? - ZIP_Analyzer::GZIP : ZIP_Analyzer::DEFLATE; + zip::ZIP_Analyzer::GZIP : zip::ZIP_Analyzer::DEFLATE; if ( ! zip ) { // We don't care about the direction here. - zip = new ZIP_Analyzer( + zip = new zip::ZIP_Analyzer( http_message->MyHTTP_Analyzer()->Conn(), false, method); zip->SetOutputHandler(new UncompressedOutput(this)); @@ -291,12 +295,12 @@ void HTTP_Entity::SetPlainDelivery(int64_t length) // expect_data_length. } -void HTTP_Entity::SubmitHeader(MIME_Header* h) +void HTTP_Entity::SubmitHeader(mime::MIME_Header* h) { - if ( strcasecmp_n(h->get_name(), "content-length") == 0 ) + if ( mime::strcasecmp_n(h->get_name(), "content-length") == 0 ) { data_chunk_t vt = h->get_value_token(); - if ( ! is_null_data_chunk(vt) ) + if ( ! mime::is_null_data_chunk(vt) ) { int64_t n; if ( atoi_n(vt.length, vt.data, 0, 10, n) ) 
@@ -308,8 +312,8 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h) // Figure out content-length for HTTP 206 Partial Content response // that uses multipart/byteranges content-type. - else if ( strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() && - Parent()->MIMEContentType() == CONTENT_TYPE_MULTIPART && + else if ( mime::strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() && + Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART && http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 ) { data_chunk_t vt = h->get_value_token(); @@ -367,19 +371,19 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h) } } - else if ( strcasecmp_n(h->get_name(), "transfer-encoding") == 0 ) + else if ( mime::strcasecmp_n(h->get_name(), "transfer-encoding") == 0 ) { data_chunk_t vt = h->get_value_token(); - if ( strcasecmp_n(vt, "chunked") == 0 ) + if ( mime::strcasecmp_n(vt, "chunked") == 0 ) chunked_transfer_state = BEFORE_CHUNK; } - else if ( strcasecmp_n(h->get_name(), "content-encoding") == 0 ) + else if ( mime::strcasecmp_n(h->get_name(), "content-encoding") == 0 ) { data_chunk_t vt = h->get_value_token(); - if ( strcasecmp_n(vt, "gzip") == 0 ) + if ( mime::strcasecmp_n(vt, "gzip") == 0 ) encoding = GZIP; - if ( strcasecmp_n(vt, "deflate") == 0 ) + if ( mime::strcasecmp_n(vt, "deflate") == 0 ) encoding = DEFLATE; } @@ -413,8 +417,8 @@ void HTTP_Entity::SubmitAllHeaders() return; } - if ( content_type == CONTENT_TYPE_MULTIPART || - content_type == CONTENT_TYPE_MESSAGE ) + if ( content_type == mime::CONTENT_TYPE_MULTIPART || + content_type == mime::CONTENT_TYPE_MESSAGE ) { // Do nothing. // Make sure that we check for multiple/message contents first, @@ -463,7 +467,7 @@ void HTTP_Entity::SubmitAllHeaders() } HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer, - ContentLine_Analyzer* arg_cl, bool arg_is_orig, + tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig, int expect_body, int64_t init_header_length) : MIME_Message (arg_analyzer) { 
@@ -546,7 +550,7 @@ int HTTP_Message::Undelivered(int64_t len) return 0; } -void HTTP_Message::BeginEntity(MIME_Entity* entity) +void HTTP_Message::BeginEntity(mime::MIME_Entity* entity) { if ( DEBUG_http ) DEBUG_MSG("%.6f: begin entity (%d)\n", network_time, is_orig); @@ -562,7 +566,7 @@ void HTTP_Message::BeginEntity(MIME_Entity* entity) } } -void HTTP_Message::EndEntity(MIME_Entity* entity) +void HTTP_Message::EndEntity(mime::MIME_Entity* entity) { if ( DEBUG_http ) DEBUG_MSG("%.6f: end entity (%d)\n", network_time, is_orig); @@ -588,12 +592,12 @@ void HTTP_Message::EndEntity(MIME_Entity* entity) Done(); } -void HTTP_Message::SubmitHeader(MIME_Header* h) +void HTTP_Message::SubmitHeader(mime::MIME_Header* h) { MyHTTP_Analyzer()->HTTP_Header(is_orig, h); } -void HTTP_Message::SubmitAllHeaders(MIME_HeaderList& hlist) +void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist) { if ( http_all_headers ) { @@ -620,7 +624,7 @@ void HTTP_Message::SubmitAllHeaders(MIME_HeaderList& hlist) } } -void HTTP_Message::SubmitTrailingHeaders(MIME_HeaderList& /* hlist */) +void HTTP_Message::SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */) { // Do nothing for now. } @@ -664,15 +668,15 @@ void HTTP_Message::SubmitEvent(int event_type, const char* detail) const char* category = ""; switch ( event_type ) { - case MIME_EVENT_ILLEGAL_FORMAT: + case mime::MIME_EVENT_ILLEGAL_FORMAT: category = "illegal format"; break; - case MIME_EVENT_ILLEGAL_ENCODING: + case mime::MIME_EVENT_ILLEGAL_ENCODING: category = "illegal encoding"; break; - case MIME_EVENT_CONTENT_GAP: + case mime::MIME_EVENT_CONTENT_GAP: category = "content gap"; break; @@ -787,7 +791,7 @@ void HTTP_Message::Weird(const char* msg) } HTTP_Analyzer::HTTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("HTTP", conn) +: tcp::TCP_ApplicationAnalyzer("HTTP", conn) { num_requests = num_replies = 0; num_request_lines = num_reply_lines = 0; 
@@ -807,10 +811,10 @@ HTTP_Analyzer::HTTP_Analyzer(Connection* conn) reply_code = 0; reply_reason_phrase = 0; - content_line_orig = new ContentLine_Analyzer(conn, true); + content_line_orig = new tcp::ContentLine_Analyzer(conn, true); AddSupportAnalyzer(content_line_orig); - content_line_resp = new ContentLine_Analyzer(conn, false); + content_line_resp = new tcp::ContentLine_Analyzer(conn, false); content_line_resp->SetSkipPartial(true); AddSupportAnalyzer(content_line_resp); } @@ -828,7 +832,7 @@ void HTTP_Analyzer::Done() if ( IsFinished() ) return; - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); RequestMade(1, "message interrupted when connection done"); ReplyMade(1, "message interrupted when connection done"); @@ -850,7 +854,7 @@ void HTTP_Analyzer::Done() void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( TCP() && TCP()->IsPartial() ) return; @@ -858,7 +862,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) const char* line = reinterpret_cast(data); const char* end_of_line = line + len; - ContentLine_Analyzer* content_line = + tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig : content_line_resp; if ( content_line->IsPlainDelivery() ) @@ -907,7 +911,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { if ( ! RequestExpected() ) HTTP_Event("crud_trailing_HTTP_request", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); else { // We do see HTTP requests with a 
@@ -986,20 +990,20 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); // DEBUG_MSG("Undelivered from %d: %d bytes\n", seq, length); HTTP_Message* msg = is_orig ? request_message : reply_message; - ContentLine_Analyzer* content_line = + tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig : content_line_resp; if ( ! content_line->IsSkippedContents(seq, len) ) { if ( msg ) - msg->SubmitEvent(MIME_EVENT_CONTENT_GAP, + msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP, fmt("seq=%d, len=%d", seq, len)); } @@ -1030,7 +1034,7 @@ void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig) void HTTP_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); // DEBUG_MSG("%.6f eof\n", network_time); @@ -1042,7 +1046,7 @@ void HTTP_Analyzer::EndpointEOF(bool is_orig) void HTTP_Analyzer::ConnectionFinished(int half_finished) { - TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); + tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); // DEBUG_MSG("%.6f connection finished\n", network_time); RequestMade(1, "message ends as connection is finished"); @@ -1051,7 +1055,7 @@ void HTTP_Analyzer::ConnectionFinished(int half_finished) void HTTP_Analyzer::ConnectionReset() { - TCP_ApplicationAnalyzer::ConnectionReset(); + tcp::TCP_ApplicationAnalyzer::ConnectionReset(); RequestMade(1, "message interrupted by RST"); ReplyMade(1, "message interrupted by RST"); @@ -1059,7 +1063,7 @@ void HTTP_Analyzer::ConnectionReset() void HTTP_Analyzer::PacketWithRST() { - TCP_ApplicationAnalyzer::PacketWithRST(); + tcp::TCP_ApplicationAnalyzer::PacketWithRST(); RequestMade(1, "message interrupted by RST"); ReplyMade(1, "message interrupted by RST"); 
@@ -1203,10 +1207,10 @@ int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line) version_end = version_start + 3; if ( skip_whitespace(version_end, end_of_line) != end_of_line ) HTTP_Event("crud after HTTP version is ignored", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); } else - HTTP_Event("bad_HTTP_version", new_string_val(line, end_of_line)); + HTTP_Event("bad_HTTP_version", mime::new_string_val(line, end_of_line)); } // NormalizeURI(line, end_of_uri); @@ -1230,7 +1234,7 @@ double HTTP_Analyzer::HTTP_Version(int len, const char* data) } else { - HTTP_Event("bad_HTTP_version", new_string_val(len, data)); + HTTP_Event("bad_HTTP_version", mime::new_string_val(len, data)); return 0; } } @@ -1409,20 +1413,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line) // ##TODO: some server replies with an HTML document // without a status line and a MIME header, when the // request is malformed. - HTTP_Event("bad_HTTP_reply", new_string_val(line, end_of_line)); + HTTP_Event("bad_HTTP_reply", mime::new_string_val(line, end_of_line)); return 0; } SetVersion(reply_version, HTTP_Version(end_of_line - rest, rest)); for ( ; rest < end_of_line; ++rest ) - if ( is_lws(*rest) ) + if ( mime::is_lws(*rest) ) break; if ( rest >= end_of_line ) { HTTP_Event("HTTP_reply_code_missing", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); return 0; } 
@@ -1431,20 +1435,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line) if ( rest + 3 > end_of_line ) { HTTP_Event("HTTP_reply_code_missing", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); return 0; } reply_code = HTTP_ReplyCode(rest); for ( rest += 3; rest < end_of_line; ++rest ) - if ( is_lws(*rest) ) + if ( mime::is_lws(*rest) ) break; if ( rest >= end_of_line ) { HTTP_Event("HTTP_reply_reason_phrase_missing", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); // Tolerate missing reason phrase? return 1; } @@ -1491,7 +1495,7 @@ int HTTP_Analyzer::ExpectReplyMessageBody() return HTTP_BODY_EXPECTED; } -void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h) +void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h) { #if 0 // ### Only call ParseVersion if we're tracking versions: @@ -1508,16 +1512,16 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h) // side, and if seen assume the connection to be persistent. // This seems fairly safe - at worst, the client does indeed // send additional requests, and the server ignores them. - if ( is_orig && strcasecmp_n(h->get_name(), "connection") == 0 ) + if ( is_orig && mime::strcasecmp_n(h->get_name(), "connection") == 0 ) { - if ( strcasecmp_n(h->get_value_token(), "keep-alive") == 0 ) + if ( mime::strcasecmp_n(h->get_value_token(), "keep-alive") == 0 ) keep_alive = 1; } if ( ! is_orig && - strcasecmp_n(h->get_name(), "connection") == 0 ) + mime::strcasecmp_n(h->get_name(), "connection") == 0 ) { - if ( strcasecmp_n(h->get_value_token(), "close") == 0 ) + if ( mime::strcasecmp_n(h->get_value_token(), "close") == 0 ) connection_close = 1; } 
@@ -1540,8 +1544,8 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h) val_list* vl = new val_list(); vl->append(BuildConnVal()); vl->append(new Val(is_orig, TYPE_BOOL)); - vl->append(new_string_val(h->get_name())->ToUpper()); - vl->append(new_string_val(h->get_value())); + vl->append(mime::new_string_val(h->get_name())->ToUpper()); + vl->append(mime::new_string_val(h->get_value())); if ( DEBUG_http ) DEBUG_MSG("%.6f http_header\n", network_time); ConnectionEvent(http_header, vl); @@ -1570,7 +1574,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, while ( len > 0 ) { // Skip white space. - while ( len && is_lws(*data) ) + while ( len && mime::is_lws(*data) ) { ++data; --len; @@ -1583,7 +1587,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, // Find end of comment. const char* data_start = data; const char* eoc = - data + MIME_skip_lws_comments(len, data); + data + mime::MIME_skip_lws_comments(len, data); // Split into parts. // (This may get confused by nested comments, @@ -1593,7 +1597,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, while ( 1 ) { // Eat spaces. - while ( data < eoc && is_lws(*data) ) + while ( data < eoc && mime::is_lws(*data) ) ++data; // Find end of token. @@ -1606,7 +1610,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, break; // Delete spaces at end of token. - for ( ; eot > data && is_lws(*(eot-1)); --eot ) + for ( ; eot > data && mime::is_lws(*(eot-1)); --eot ) ; if ( data != eot && software_version_found ) @@ -1619,7 +1623,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, continue; } - offset = MIME_get_slash_token_pair(len, data, + offset = mime::MIME_get_slash_token_pair(len, data, &product, &product_version); if ( offset < 0 ) { 
@@ -1627,10 +1631,10 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, // so we do not complain in the final version if ( num_version == 0 ) HTTP_Event("bad_HTTP_version", - new_string_val(len, data)); + mime::new_string_val(len, data)); // Try to simply skip next token. - offset = MIME_get_token(len, data, &product); + offset = mime::MIME_get_token(len, data, &product); if ( offset < 0 ) break; @@ -1694,7 +1698,7 @@ void HTTP_Analyzer::HTTP_MessageDone(int is_orig, HTTP_Message* /* message */) ReplyMade(0, "message ends normally"); } -void HTTP_Analyzer::InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, +void HTTP_Analyzer::InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, int expect_body, int64_t init_header_length) { if ( message ) @@ -1718,24 +1722,24 @@ void HTTP_Analyzer::SkipEntityData(int is_orig) msg->SkipEntityData(); } -int is_reserved_URI_char(unsigned char ch) +int analyzer::http::is_reserved_URI_char(unsigned char ch) { // see RFC 2396 (definition of URI) return strchr(";/?:@&=+$,", ch) != 0; } -int is_unreserved_URI_char(unsigned char ch) +int analyzer::http::is_unreserved_URI_char(unsigned char ch) { // see RFC 2396 (definition of URI) return isalnum(ch) || strchr("-_.!~*\'()", ch) != 0; } -void escape_URI_char(unsigned char ch, unsigned char*& p) +void analyzer::http::escape_URI_char(unsigned char ch, unsigned char*& p) { *p++ = '%'; *p++ = encode_hex((ch >> 4) & 0xf); *p++ = encode_hex(ch & 0xf); } -BroString* unescape_URI(const u_char* line, const u_char* line_end, +BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_end, analyzer::Analyzer* analyzer) { byte_vec decoded_URI = new u_char[line_end - line + 1]; diff --git a/src/analyzer/protocols/http/HTTP.h b/src/analyzer/protocols/http/HTTP.h index dae8fc1dcf..49235ae173 100644 --- a/src/analyzer/protocols/http/HTTP.h +++ b/src/analyzer/protocols/http/HTTP.h 
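Review bot: `analyzer::http::escape_URI_char` writes three bytes through `p` (`'%'` and two hex digits) with no bounds check, and neither the definition here nor the `extern` declaration in HTTP.h that this commit also touches (`@@ -257,4 +259,6 @@`) states that precondition. Since the declaration is public in the header, I would document the contract there: `// Writes exactly three bytes ("%XY") at p and advances it; the caller must guarantee that space.` The companion `unescape_URI` is cut off in this hunk — its body continues past the last line — so the sizing of `decoded_URI` beyond the allocation shown is not reviewed here.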
@@ -6,13 +6,15 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" #include "analyzer/protocols/zip/ZIP.h" -#include "MIME.h" +#include "analyzer/protocols/mime/MIME.h" #include "binpac_bro.h" #include "IPAddr.h" #include "events.bif.h" #include "HTTP.h" +namespace analyzer { namespace http { + enum CHUNKED_TRANSFER_STATE { NON_CHUNKED_TRANSFER, BEFORE_CHUNK, @@ -27,7 +29,7 @@ class HTTP_Entity; class HTTP_Message; class HTTP_Analyzer; -class HTTP_Entity : public MIME_Entity { +class HTTP_Entity : public mime::MIME_Entity { public: HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity, int expect_body); @@ -57,7 +59,7 @@ protected: int64_t header_length; int deliver_body; enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding; - ZIP_Analyzer* zip; + zip::ZIP_Analyzer* zip; MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); } @@ -68,7 +70,7 @@ protected: void SetPlainDelivery(int64_t length); - void SubmitHeader(MIME_Header* h); + void SubmitHeader(mime::MIME_Header* h); void SubmitAllHeaders(); }; @@ -89,9 +91,9 @@ enum { // HTTP_Message::EndEntity -> Message::Done // HTTP_MessageDone -> {Request,Reply}Made -class HTTP_Message : public MIME_Message { +class HTTP_Message : public mime::MIME_Message { public: - HTTP_Message(HTTP_Analyzer* analyzer, ContentLine_Analyzer* cl, + HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl, bool is_orig, int expect_body, int64_t init_header_length); ~HTTP_Message(); void Done(const int interrupted, const char* msg); 
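Review bot: In the `@@ -27,7 +29,7 @@` hunk the base class becomes `mime::MIME_Entity` while the constructor parameter on the next line stays unqualified (`HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity, int expect_body);`), and the `@@ -57,7 +59,7 @@` hunk likewise leaves `MIME_Entity* NewChildEntity()` unqualified. Those names appear to resolve only through the injected class name the base brings into class scope, which reads inconsistently next to `SubmitHeader(mime::MIME_Header* h)` two hunks later. I would qualify both, `mime::MIME_Entity* parent_entity` and `mime::MIME_Entity* NewChildEntity()`, so the dependency on the mime namespace is explicit everywhere in the header.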
@@ -99,16 +101,16 @@ public: int Undelivered(int64_t len); - void BeginEntity(MIME_Entity* /* entity */); - void EndEntity(MIME_Entity* entity); - void SubmitHeader(MIME_Header* h); - void SubmitAllHeaders(MIME_HeaderList& /* hlist */); + void BeginEntity(mime::MIME_Entity* /* entity */); + void EndEntity(mime::MIME_Entity* entity); + void SubmitHeader(mime::MIME_Header* h); + void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */); void SubmitData(int len, const char* buf); int RequestBuffer(int* plen, char** pbuf); void SubmitAllData(); void SubmitEvent(int event_type, const char* detail); - void SubmitTrailingHeaders(MIME_HeaderList& /* hlist */); + void SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */); void SetPlainDelivery(int64_t length); void SkipEntityData(); @@ -120,7 +122,7 @@ public: protected: HTTP_Analyzer* analyzer; - ContentLine_Analyzer* content_line; + tcp::ContentLine_Analyzer* content_line; bool is_orig; vector buffers; @@ -148,14 +150,14 @@ protected: Val* BuildMessageStat(const int interrupted, const char* msg); }; -class HTTP_Analyzer : public TCP_ApplicationAnalyzer { +class HTTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: HTTP_Analyzer(Connection* conn); ~HTTP_Analyzer(); - void Undelivered(TCP_Endpoint* sender, int seq, int len); + void Undelivered(tcp::TCP_Endpoint* sender, int seq, int len); - void HTTP_Header(int is_orig, MIME_Header* h); + void HTTP_Header(int is_orig, mime::MIME_Header* h); void HTTP_EntityData(int is_orig, const BroString* entity_data); void HTTP_MessageDone(int is_orig, HTTP_Message* message); void HTTP_Event(const char* category, const char* detail); 
@@ -171,7 +173,7 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void Undelivered(int seq, int len, bool orig); - // Overriden from TCP_ApplicationAnalyzer + // Overriden from tcp::TCP_ApplicationAnalyzer virtual void EndpointEOF(bool is_orig); virtual void ConnectionFinished(int half_finished); virtual void ConnectionReset(); @@ -192,7 +194,7 @@ protected: int HTTP_RequestLine(const char* line, const char* end_of_line); int HTTP_ReplyLine(const char* line, const char* end_of_line); - void InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, + void InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, int expect_body, int64_t init_header_length); const char* PrefixMatch(const char* line, const char* end_of_line, @@ -244,8 +246,8 @@ protected: int reply_code; Val* reply_reason_phrase; - ContentLine_Analyzer* content_line_orig; - ContentLine_Analyzer* content_line_resp; + tcp::ContentLine_Analyzer* content_line_orig; + tcp::ContentLine_Analyzer* content_line_resp; HTTP_Message* request_message; HTTP_Message* reply_message; @@ -257,4 +259,6 @@ extern void escape_URI_char(unsigned char ch, unsigned char*& p); extern BroString* unescape_URI(const u_char* line, const u_char* line_end, analyzer::Analyzer* analyzer); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/http/Plugin.cc b/src/analyzer/protocols/http/Plugin.cc index 5dab5c3c18..a0e6e28f43 100644 --- a/src/analyzer/protocols/http/Plugin.cc +++ b/src/analyzer/protocols/http/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(HTTP) BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); - BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("HTTP", http::HTTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/http/functions.bif b/src/analyzer/protocols/http/functions.bif index 0e1c63f721..eb9caf2a9a 100644 
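Review bot: The changed comment in the `@@ -171,7 +173,7 @@` hunk keeps the misspelling `// Overriden from tcp::TCP_ApplicationAnalyzer`; since the line is already being rewritten, it should read `// Overridden from tcp::TCP_ApplicationAnalyzer`. The enclosing class body starts and ends outside this hunk.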
--- a/src/analyzer/protocols/http/functions.bif +++ b/src/analyzer/protocols/http/functions.bif @@ -20,7 +20,7 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any if ( ha ) { if ( ha->IsAnalyzer("HTTP") ) - static_cast(ha)->SkipEntityData(is_orig); + static_cast(ha)->SkipEntityData(is_orig); else reporter->Error("non-HTTP analyzer associated with connection record"); } @@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string const u_char* line = URI->Bytes(); const u_char* const line_end = line + URI->Len(); - return new StringVal(unescape_URI(line, line_end, 0)); + return new StringVal(analyzer::http::unescape_URI(line, line_end, 0)); %} diff --git a/src/analyzer/protocols/icmp/ICMP.cc b/src/analyzer/protocols/icmp/ICMP.cc index 538d25dfc3..732727d709 100644 --- a/src/analyzer/protocols/icmp/ICMP.cc +++ b/src/analyzer/protocols/icmp/ICMP.cc @@ -10,8 +10,12 @@ #include "ICMP.h" #include "Conn.h" +#include "events.bif.h" + #include +using namespace analyzer::icmp; + ICMP_Analyzer::ICMP_Analyzer(Connection* c) : TransportLayerAnalyzer("ICMP", c) { @@ -828,7 +832,7 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data) return vv; } -int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) +int analyzer::icmp::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) { is_one_way = false; @@ -855,7 +859,7 @@ int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) } } -int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way) +int analyzer::icmp::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way) { is_one_way = false; diff --git a/src/analyzer/protocols/icmp/ICMP.h b/src/analyzer/protocols/icmp/ICMP.h index e798bd2c9b..6a9ba3282c 100644 --- a/src/analyzer/protocols/icmp/ICMP.h +++ b/src/analyzer/protocols/icmp/ICMP.h 
@@ -6,6 +6,8 @@ #include "RuleMatcher.h" #include "analyzer/Analyzer.h" +namespace analyzer { namespace icmp { + typedef enum { ICMP_INACTIVE, // no packet seen ICMP_ACTIVE, // packets seen @@ -92,4 +94,6 @@ private: extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way); extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/icmp/Plugin.cc b/src/analyzer/protocols/icmp/Plugin.cc index 517b243e24..0d3a90e168 100644 --- a/src/analyzer/protocols/icmp/Plugin.cc +++ b/src/analyzer/protocols/icmp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(ICMP) BRO_PLUGIN_DESCRIPTION("ICMP Analyzer"); - BRO_PLUGIN_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("ICMP", icmp::ICMP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/icmp/events.bif b/src/analyzer/protocols/icmp/events.bif index e69de29bb2..c471ca0ee6 100644 --- a/src/analyzer/protocols/icmp/events.bif +++ b/src/analyzer/protocols/icmp/events.bif 
@@ -0,0 +1,300 @@
+## Generated for all ICMP messages that are not handled separately with
+## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
+## directly with dedicated events. This event acts as a fallback for those it
+## doesn't.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard
+## connection record *c*.
+##
+## .. bro:see:: icmp_error_message
+event icmp_sent%(c: connection, icmp: icmp_conn%);
+
+## Generated for ICMP *echo request* messages.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard
+## connection record *c*.
+##
+## id: The *echo request* identifier.
+##
+## seq: The *echo request* sequence number.
+##
+## payload: The message-specific data of the packet payload, i.e., everything
+## after the first 8 bytes of the ICMP header.
+##
+## .. bro:see:: icmp_echo_reply
+event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
+
+## Generated for ICMP *echo reply* messages.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+## record *c*.
+##
+## id: The *echo reply* identifier.
+##
+## seq: The *echo reply* sequence number.
+##
+## payload: The message-specific data of the packet payload, i.e., everything
+## after the first 8 bytes of the ICMP header.
+##
+## ..
bro:see:: icmp_echo_request
+event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
+
+## Generated for all ICMPv6 error messages that are not handled
+## separately with dedicated events. Bro's ICMP analyzer handles a number
+## of ICMP error messages directly with dedicated events. This event acts
+## as a fallback for those it doesn't.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMPv6 protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard
+## connection record *c*.
+##
+## code: The ICMP code of the error message.
+##
+## context: A record with specifics of the original packet that the message
+## refers to.
+##
+## .. bro:see:: icmp_unreachable icmp_packet_too_big
+## icmp_time_exceeded icmp_parameter_problem
+event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+
+## Generated for ICMP *destination unreachable* messages.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+## record *c*.
+##
+## code: The ICMP code of the *unreachable* message.
+##
+## context: A record with specifics of the original packet that the message
+## refers to. *Unreachable* messages should include the original IP
+## header from the packet that triggered them, and Bro parses that
+## into the *context* structure. Note that if the *unreachable*
+## includes only a partial IP header for some reason, no
+## fields of *context* will be filled out.
+##
+## .. bro:see:: icmp_error_message icmp_packet_too_big
+## icmp_time_exceeded icmp_parameter_problem
+event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+
+## Generated for ICMPv6 *packet too big* messages.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMPv6 protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+## record *c*.
+##
+## code: The ICMP code of the *too big* message.
+##
+## context: A record with specifics of the original packet that the message
+## refers to. *Too big* messages should include the original IP header
+## from the packet that triggered them, and Bro parses that into
+## the *context* structure. Note that if the *too big* includes only
+## a partial IP header for some reason, no fields of *context* will
+## be filled out.
+##
+## .. bro:see:: icmp_error_message icmp_unreachable
+## icmp_time_exceeded icmp_parameter_problem
+event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+
+## Generated for ICMP *time exceeded* messages.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+## record *c*.
+##
+## code: The ICMP code of the *exceeded* message.
+##
+## context: A record with specifics of the original packet that the message
+## refers to. *Unreachable* messages should include the original IP
+## header from the packet that triggered them, and Bro parses that
+## into the *context* structure. Note that if the *exceeded* includes
+## only a partial IP header for some reason, no fields of *context*
+## will be filled out.
+##
+## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
+## icmp_parameter_problem
+event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+
+## Generated for ICMPv6 *parameter problem* messages.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMPv6 protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+## record *c*.
+##
+## code: The ICMP code of the *parameter problem* message.
+##
+## context: A record with specifics of the original packet that the message
+## refers to. *Parameter problem* messages should include the original
+## IP header from the packet that triggered them, and Bro parses that
+## into the *context* structure. Note that if the *parameter problem*
+## includes only a partial IP header for some reason, no fields
+## of *context* will be filled out.
+##
+## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
+## icmp_time_exceeded
+event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+
+## Generated for ICMP *router solicitation* messages.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+## record *c*.
+##
+## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+##
+## .. bro:see:: icmp_router_advertisement
+## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
+event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%);
+
+## Generated for ICMP *router advertisement* messages.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+## record *c*.
+##
+## cur_hop_limit: The default value that should be placed in Hop Count field
+## for outgoing IP packets.
+##
+## managed: Managed address configuration flag, :rfc:`4861`.
+##
+## other: Other stateful configuration flag, :rfc:`4861`.
+##
+## home_agent: Mobile IPv6 home agent flag, :rfc:`3775`.
+##
+## pref: Router selection preferences, :rfc:`4191`.
+##
+## proxy: Neighbor discovery proxy flag, :rfc:`4389`.
+##
+## rsv: Remaining two reserved bits of router advertisement flags.
+##
+## router_lifetime: How long this router should be used as a default router.
+##
+## reachable_time: How long a neighbor should be considered reachable.
+##
+## retrans_timer: How long a host should wait before retransmitting.
+##
+## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+##
+## .. bro:see:: icmp_router_solicitation
+## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
+event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%);
+
+## Generated for ICMP *neighbor solicitation* messages.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+## record *c*.
+##
+## tgt: The IP address of the target of the solicitation.
+##
+## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+##
+## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
+## icmp_neighbor_advertisement icmp_redirect
+event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%);
+
+## Generated for ICMP *neighbor advertisement* messages.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+## record *c*.
+##
+## router: Flag indicating the sender is a router.
+##
+## solicited: Flag indicating advertisement is in response to a solicitation.
+##
+## override: Flag indicating advertisement should override existing caches.
+##
+## tgt: the Target Address in the soliciting message or the address whose
+## link-layer address has changed for unsolicited adverts.
+##
+## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+##
+## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
+## icmp_neighbor_solicitation icmp_redirect
+event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%);
+
+## Generated for ICMP *redirect* messages.
+##
+## See `Wikipedia
+## `__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+## record *c*.
+##
+## tgt: The address that is supposed to be a better first hop to use for
+## ICMP Destination Address.
+##
+## dest: The address of the destination which is redirected to the target.
+##
+## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+##
+## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
+## icmp_neighbor_solicitation icmp_neighbor_advertisement
+event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%);
+
diff --git a/src/analyzer/protocols/ident/Ident.cc b/src/analyzer/protocols/ident/Ident.cc
index e9ba679b0b..8e25775af8 100644
--- a/src/analyzer/protocols/ident/Ident.cc
+++ b/src/analyzer/protocols/ident/Ident.cc
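Review bot: The `context` paragraph of `icmp_time_exceeded` still reads `*Unreachable* messages should include the original IP`, which looks carried over from the `icmp_unreachable` block above it; the following sentence of the same paragraph already says *exceeded*, so the first should too: `## refers to. *Time exceeded* messages should include the original IP`. The sibling events `icmp_unreachable`, `icmp_packet_too_big` and `icmp_parameter_problem` each name their own message type in that sentence, so this is the only one out of step. Since these `##` comments presumably feed the generated event documentation, the mismatch would be visible to script authors deciding which event carries a parsed inner IP header.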
@@ -8,13 +8,17 @@ #include "Ident.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::ident; + Ident_Analyzer::Ident_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("IDENT", conn) +: tcp::TCP_ApplicationAnalyzer("IDENT", conn) { did_bad_reply = did_deliver = 0; - orig_ident = new ContentLine_Analyzer(conn, true); - resp_ident = new ContentLine_Analyzer(conn, false); + orig_ident = new tcp::ContentLine_Analyzer(conn, true); + resp_ident = new tcp::ContentLine_Analyzer(conn, false); orig_ident->SetIsNULSensitive(true); resp_ident->SetIsNULSensitive(true); @@ -25,29 +29,29 @@ Ident_Analyzer::Ident_Analyzer(Connection* conn) void Ident_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( TCP() ) if ( (! did_deliver || orig_ident->HasPartialLine()) && - (TCP()->OrigState() == TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) && - TCP()->OrigPrevState() != TCP_ENDPOINT_PARTIAL && - TCP()->RespPrevState() != TCP_ENDPOINT_PARTIAL && - TCP()->OrigPrevState() != TCP_ENDPOINT_INACTIVE && - TCP()->RespPrevState() != TCP_ENDPOINT_INACTIVE ) + (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) && + TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_PARTIAL && + TCP()->RespPrevState() != tcp::TCP_ENDPOINT_PARTIAL && + TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_INACTIVE && + TCP()->RespPrevState() != tcp::TCP_ENDPOINT_INACTIVE ) Weird("partial_ident_request"); } void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); int remote_port, local_port; const char* line = (const char*) data; const char* orig_line = line; const char* end_of_line = line + length; - TCP_Endpoint* s = 0; + tcp::TCP_Endpoint* s = 0; if ( TCP() ) s = is_orig ? TCP()->Orig() : TCP()->Resp(); 
@@ -60,9 +64,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) line = ParsePair(line, end_of_line, remote_port, local_port); if ( ! line ) { - if ( s && s->state == TCP_ENDPOINT_CLOSED && - (s->prev_state == TCP_ENDPOINT_INACTIVE || - s->prev_state == TCP_ENDPOINT_PARTIAL) ) + if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED && + (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE || + s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) ) // not surprising the request is mangled. return; @@ -95,9 +99,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) if ( ! line || line == end_of_line || line[0] != ':' ) { - if ( s && s->state == TCP_ENDPOINT_CLOSED && - (s->prev_state == TCP_ENDPOINT_INACTIVE || - s->prev_state == TCP_ENDPOINT_PARTIAL) ) + if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED && + (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE || + s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) ) // not surprising the request is mangled. return; diff --git a/src/analyzer/protocols/ident/Ident.h b/src/analyzer/protocols/ident/Ident.h index 95383429ce..473d201e65 100644 --- a/src/analyzer/protocols/ident/Ident.h +++ b/src/analyzer/protocols/ident/Ident.h @@ -6,7 +6,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" -class Ident_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ident { + +class Ident_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Ident_Analyzer(Connection* conn); virtual void Done(); @@ -25,11 +27,13 @@ protected: void BadRequest(int length, const char* line); void BadReply(int length, const char* line); - ContentLine_Analyzer* orig_ident; - ContentLine_Analyzer* resp_ident; + tcp::ContentLine_Analyzer* orig_ident; + tcp::ContentLine_Analyzer* resp_ident; unsigned int did_deliver:1; unsigned int did_bad_reply:1; }; +} } // namespace analyzer::* + #endif 
diff --git a/src/analyzer/protocols/ident/Plugin.cc b/src/analyzer/protocols/ident/Plugin.cc index 2c7ea208cd..d0abef8280 100644 --- a/src/analyzer/protocols/ident/Plugin.cc +++ b/src/analyzer/protocols/ident/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Ident) BRO_PLUGIN_DESCRIPTION("Ident Analyzer"); - BRO_PLUGIN_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("IDENT", ident::Ident_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ident/events.bif b/src/analyzer/protocols/ident/events.bif index e69de29bb2..96a7f37a31 100644 --- a/src/analyzer/protocols/ident/events.bif +++ b/src/analyzer/protocols/ident/events.bif 
@@ -0,0 +1,63 @@
+## Generated for Ident requests.
+##
+## See `Wikipedia `__ for more
+## information about the Ident protocol.
+##
+## c: The connection.
+##
+## lport: The request's local port.
+##
+## rport: The request's remote port.
+##
+## .. bro:see:: ident_error ident_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event ident_request%(c: connection, lport: port, rport: port%);
+
+## Generated for Ident replies.
+##
+## See `Wikipedia `__ for more
+## information about the Ident protocol.
+##
+## c: The connection.
+##
+## lport: The corresponding request's local port.
+##
+## rport: The corresponding request's remote port.
+##
+## user_id: The user id returned by the reply.
+##
+## system: The operating system returned by the reply.
+##
+## .. bro:see:: ident_error ident_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
+
+## Generated for Ident error replies.
+##
+## See `Wikipedia `__ for more
+## information about the Ident protocol.
+##
+## c: The connection.
+##
+## lport: The corresponding request's local port.
+##
+## rport: The corresponding request's remote port.
+##
+## line: The error description returned by the reply.
+##
+## .. bro:see:: ident_reply ident_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x.
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ident_error%(c: connection, lport: port, rport: port, line: string%); + diff --git a/src/analyzer/protocols/interconn/InterConn.cc b/src/analyzer/protocols/interconn/InterConn.cc index 70860a6532..58dc6c2bf0 100644 --- a/src/analyzer/protocols/interconn/InterConn.cc +++ b/src/analyzer/protocols/interconn/InterConn.cc @@ -7,7 +7,11 @@ #include "Net.h" #include "analyzer/protocols/tcp/TCP.h" -InterConnEndpoint::InterConnEndpoint(TCP_Endpoint* e) +#include "events.bif.h" + +using namespace analyzer::interconn; + +InterConnEndpoint::InterConnEndpoint(tcp::TCP_Endpoint* e) { endp = e; max_top_seq = 0; @@ -30,7 +34,7 @@ int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen, if ( len <= 0 ) return 0; - if ( endp->state == TCP_ENDPOINT_PARTIAL ) + if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL ) is_partial = 1; int ack = endp->AckSeq() - endp->StartSeq(); @@ -153,7 +157,7 @@ int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const } InterConn_Analyzer::InterConn_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("INTERCONN", c) +: tcp::TCP_ApplicationAnalyzer("INTERCONN", c) { orig_endp = resp_endp = 0; orig_stream_pos = resp_stream_pos = 1; @@ -172,7 +176,7 @@ InterConn_Analyzer::~InterConn_Analyzer() void InterConn_Analyzer::Init() { - TCP_ApplicationAnalyzer::Init(); + tcp::TCP_ApplicationAnalyzer::Init(); assert(TCP()); orig_endp = new InterConnEndpoint(TCP()->Orig()); @@ -182,7 +186,7 @@ void InterConn_Analyzer::Init() void InterConn_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); if ( is_orig ) 
@@ -193,7 +197,7 @@ void InterConn_Analyzer::DeliverPacket(int len, const u_char* data, void InterConn_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( is_orig ) { @@ -218,7 +222,7 @@ void InterConn_Analyzer::Done() RemoveEvent(); } - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); } void InterConn_Analyzer::StatTimer(double t, int is_expire) diff --git a/src/analyzer/protocols/interconn/InterConn.h b/src/analyzer/protocols/interconn/InterConn.h index 9ee73d2ae8..c51113c156 100644 --- a/src/analyzer/protocols/interconn/InterConn.h +++ b/src/analyzer/protocols/interconn/InterConn.h @@ -7,9 +7,11 @@ #include "Timer.h" #include "NetVar.h" +namespace analyzer { namespace interconn { + class InterConnEndpoint : public BroObj { public: - InterConnEndpoint(TCP_Endpoint* e); + InterConnEndpoint(tcp::TCP_Endpoint* e); int DataSent(double t, int seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp); @@ -21,7 +23,7 @@ protected: int IsPotentialKeystrokePacket(int len) const; int IsNormalKeystrokeInterarrival(double t) const; - TCP_Endpoint* endp; + tcp::TCP_Endpoint* endp; double last_keystroke_time; int max_top_seq; uint32 num_pkts; @@ -38,7 +40,7 @@ protected: }; -class InterConn_Analyzer : public TCP_ApplicationAnalyzer { +class InterConn_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: InterConn_Analyzer(Connection* c); ~InterConn_Analyzer(); @@ -81,4 +83,6 @@ protected: InterConn_Analyzer* analyzer; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/interconn/Plugin.cc b/src/analyzer/protocols/interconn/Plugin.cc index ba80cf52af..cb4ac076af 100644 --- a/src/analyzer/protocols/interconn/Plugin.cc +++ b/src/analyzer/protocols/interconn/Plugin.cc 
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(InterConn) BRO_PLUGIN_DESCRIPTION("InterConn Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("INTERCONN", interconn::InterConn_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/interconn/events.bif b/src/analyzer/protocols/interconn/events.bif index e69de29bb2..6e859da668 100644 --- a/src/analyzer/protocols/interconn/events.bif +++ b/src/analyzer/protocols/interconn/events.bif @@ -0,0 +1,8 @@ +# ##### Deprecated events. Proposed for removal. + +## Deprecated. Will be removed. +event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%); + +## Deprecated. Will be removed. +event interconn_remove_conn%(c: connection%); + diff --git a/src/analyzer/protocols/irc/IRC.cc b/src/analyzer/protocols/irc/IRC.cc index 2411efbabb..7ac06a708f 100644 --- a/src/analyzer/protocols/irc/IRC.cc +++ b/src/analyzer/protocols/irc/IRC.cc @@ -6,11 +6,14 @@ #include "NetVar.h" #include "Event.h" #include "analyzer/protocols/zip/ZIP.h" - #include "analyzer/Manager.h" +#include "events.bif.h" + +using namespace analyzer::irc; + IRC_Analyzer::IRC_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("IRC", conn) +: tcp::TCP_ApplicationAnalyzer("IRC", conn) { invalid_msg_count = 0; invalid_msg_max_count = 20; 
@@ -18,18 +21,18 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn) resp_status = WAIT_FOR_REGISTRATION; orig_zip_status = NO_ZIP; resp_zip_status = NO_ZIP; - AddSupportAnalyzer(new ContentLine_Analyzer(conn, true)); - AddSupportAnalyzer(new ContentLine_Analyzer(conn, false)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false)); } void IRC_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); } void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); // check line size if ( length > 512 ) @@ -1158,8 +1161,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { orig_zip_status = ZIP_LOADED; resp_zip_status = ZIP_LOADED; - AddSupportAnalyzer(new ZIP_Analyzer(Conn(), true)); - AddSupportAnalyzer(new ZIP_Analyzer(Conn(), false)); + AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), true)); + AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), false)); } return; diff --git a/src/analyzer/protocols/irc/IRC.h b/src/analyzer/protocols/irc/IRC.h index 17b91f51e5..d5fa3b57e5 100644 --- a/src/analyzer/protocols/irc/IRC.h +++ b/src/analyzer/protocols/irc/IRC.h @@ -4,10 +4,12 @@ #define irc_h #include "analyzer/protocols/tcp/TCP.h" +namespace analyzer { namespace irc { + /** * \brief Main class for analyzing IRC traffic. */ -class IRC_Analyzer : public TCP_ApplicationAnalyzer { +class IRC_Analyzer : public tcp::TCP_ApplicationAnalyzer { enum { WAIT_FOR_REGISTRATION, REGISTERED, }; enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, }; public: @@ -60,4 +62,6 @@ private: }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/irc/Plugin.cc b/src/analyzer/protocols/irc/Plugin.cc index bb6ade5f1f..72b89fda0e 100644 --- a/src/analyzer/protocols/irc/Plugin.cc 
+++ b/src/analyzer/protocols/irc/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(IRC) BRO_PLUGIN_DESCRIPTION("IRC Analyzer"); - BRO_PLUGIN_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("IRC", irc::IRC_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/irc/events.bif b/src/analyzer/protocols/irc/events.bif index e69de29bb2..4e69b9ad33 100644 --- a/src/analyzer/protocols/irc/events.bif +++ b/src/analyzer/protocols/irc/events.bif 
@@ -0,0 +1,799 @@ + +## Generated for all client-side IRC commands. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: Always true. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## command: The command. +## +## arguments: The arguments for the command. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +## +## .. note:: This event is generated only for messages that originate +## at the client-side. Commands coming in from remote trigger +## the :bro:id:`irc_message` event instead. +event irc_request%(c: connection, is_orig: bool, prefix: string, + command: string, arguments: string%); + +## Generated for all IRC replies. IRC replies are sent in response to a +## request and come with a reply code. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the reply. IRC uses the prefix to +## indicate the true origin of a message. +## +## code: The reply code, as specified by the protocol. +## +## params: The reply's parameters. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_reply%(c: connection, is_orig: bool, prefix: string, + code: count, params: string%); + +## Generated for IRC commands forwarded from the server to the client. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: Always false. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## command: The command. +## +## message: TODO. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +## +## .. note:: +## +## This event is generated only for messages that are forwarded by the server +## to the client. Commands coming from client trigger the +## :bro:id:`irc_request` event instead. +event irc_message%(c: connection, is_orig: bool, prefix: string, + command: string, message: string%); + +## Generated for IRC messages of type *quit*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## nick: The nickname coming with the message. +## +## message: The text included with the message. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%);
+
+## Generated for IRC messages of type *privmsg*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## source: The source of the private communication.
+##
+## target: The target of the private communication.
+##
+## message: The text of communication.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
+ target: string, message: string%);
+
+## Generated for IRC messages of type *notice*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## source: The source of the private communication.
+##
+## target: The target of the private communication.
+##
+## message: The text of communication.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_notice_message%(c: connection, is_orig: bool, source: string,
+ target: string, message: string%);
+
+## Generated for IRC messages of type *squery*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## source: The source of the private communication.
+##
+## target: The target of the private communication.
+##
+## message: The text of communication.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_squery_message%(c: connection, is_orig: bool, source: string,
+ target: string, message: string%);
+
+## Generated for IRC messages of type *join*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## info_list: The user information coming with the command.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
+## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%);
+
+## Generated for IRC messages of type *part*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## nick: The nickname coming with the message.
+##
+## chans: The set of channels affected.
+##
+## message: The text coming with the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_password_message
+event irc_part_message%(c: connection, is_orig: bool, nick: string,
+ chans: string_set, message: string%);
+
+## Generated for IRC messages of type *nick*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## who: The user changing its nickname.
+##
+## newnick: The new nickname.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%);
+
+## Generated when a server rejects an IRC nickname.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invite_message irc_join_message irc_kick_message
+## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_invalid_nick%(c: connection, is_orig: bool%);
+
+## Generated for an IRC reply of type *luserclient*.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## users: The number of users as returned in the reply.
+##
+## services: The number of services as returned in the reply.
+##
+## servers: The number of servers as returned in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_network_info%(c: connection, is_orig: bool, users: count,
+ services: count, servers: count%);
+
+## Generated for an IRC reply of type *luserme*.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## users: The number of users as returned in the reply.
+##
+## services: The number of services as returned in the reply.
+##
+## servers: The number of servers as returned in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_server_info%(c: connection, is_orig: bool, users: count,
+ services: count, servers: count%);
+
+## Generated for an IRC reply of type *luserchannels*.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## chans: The number of channels as returned in the reply.
+##
+## .. bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users
+## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_channel_info%(c: connection, is_orig: bool, chans: count%);
+
+## Generated for an IRC reply of type *whoreply*.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## target_nick: The target nickname.
+##
+## channel: The channel.
+##
+## user: The user.
+##
+## host: The host.
+##
+## server: The server.
+##
+## nick: The nickname.
+##
+## params: The parameters.
+##
+## hops: The hop count.
+##
+## real_name: The real name.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_who_line%(c: connection, is_orig: bool, target_nick: string,
+ channel: string, user: string, host: string,
+ server: string, nick: string, params: string,
+ hops: count, real_name: string%);
+
+
+## Generated for an IRC reply of type *namereply*.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## c_type: The channel type.
+##
+## channel: The channel.
+##
+## users: The set of users.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_names_info%(c: connection, is_orig: bool, c_type: string,
+ channel: string, users: string_set%);
+
+## Generated for an IRC reply of type *whoisoperator*.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## nick: The nickname specified in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%);
+
+## Generated for an IRC reply of type *whoischannels*.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## nick: The nickname specified in the reply.
+##
+## chans: The set of channels returned.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
+ chans: string_set%);
+
+## Generated for an IRC reply of type *whoisuser*.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## nick: The nickname specified in the reply.
+##
+## user: The user name specified in the reply.
+##
+## host: The host name specified in the reply.
+##
+## real_name: The real name specified in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
+ user: string, host: string, real_name: string%);
+
+## Generated for IRC replies of type *youreoper* and *nooperhost*.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## got_oper: True if the *oper* command was executed successfully
+## (*youreport*) and false otherwise (*nooperhost*).
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_part_message
+## irc_password_message
+event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
+
+## Generated for an IRC reply of type *globalusers*.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+## indicate the true origin of a message.
+##
+## msg: The message coming with the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%);
+
+## Generated for an IRC reply of type *topic*.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## channel: The channel name specified in the reply.
+##
+## topic: The topic specified in the reply.
+##
+## .. bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users
+## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%);
+
+## Generated for IRC messages of type *who*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## mask: The mask specified in the message.
+##
+## oper: True if the operator flag was set.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
+
+## Generated for IRC messages of type *whois*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## server: TODO.
+##
+## users: TODO.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%);
+
+## Generated for IRC messages of type *oper*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## user: The user specified in the message.
+##
+## password: The password specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%);
+
+## Generated for IRC messages of type *kick*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+## indicate the true origin of a message.
+##
+## chans: The channels specified in the message.
+##
+## users: The users specified in the message.
+##
+## comment: The comment specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_kick_message%(c: connection, is_orig: bool, prefix: string,
+ chans: string, users: string, comment: string%);
+
+## Generated for IRC messages of type *error*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+## indicate the true origin of a message.
+##
+## message: The textual description specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
+## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%);
+
+## Generated for IRC messages of type *invite*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+## indicate the true origin of a message.
+##
+## nickname: The nickname specified in the message.
+##
+## channel: The channel specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_join_message irc_kick_message
+## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
+ nickname: string, channel: string%);
+
+## Generated for IRC messages of type *mode*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+## indicate the true origin of a message.
+##
+## params: The parameters coming with the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%);
+
+## Generated for IRC messages of type *squit*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+## indicate the true origin of a message.
+##
+## server: The server specified in the message.
+##
+## message: The textual description specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_squit_message%(c: connection, is_orig: bool, prefix: string,
+ server: string, message: string%);
+
+## Generated for IRC messages of type *dcc*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+## indicate the true origin of a message.
+##
+## target: The target specified in the message.
+##
+## dcc_type: The DCC type specified in the message.
+##
+## argument: The argument specified in the message.
+##
+## address: The address specified in the message.
+##
+## dest_port: The destination port specified in the message.
+##
+## size: The size specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users
+## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+## irc_notice_message irc_oper_message irc_oper_response irc_part_message
+## irc_password_message
+event irc_dcc_message%(c: connection, is_orig: bool,
+ prefix: string, target: string,
+ dcc_type: string, argument: string,
+ address: addr, dest_port: count, size: count%);
+
+## Generated for IRC messages of type *user*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## user: The user specified in the message.
+##
+## host: The host name specified in the message.
+##
+## server: The server name specified in the message.
+##
+## real_name: The real name specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message irc_password_message
+event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%);
+
+## Generated for IRC messages of type *password*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia `__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## password: The password specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+## irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+## irc_part_message
+event irc_password_message%(c: connection, is_orig: bool, password: string%);
diff --git a/src/analyzer/protocols/login/Login.cc b/src/analyzer/protocols/login/Login.cc
index 2eb4900692..335b855f1d 100644
--- a/src/analyzer/protocols/login/Login.cc
+++ b/src/analyzer/protocols/login/Login.cc
@@ -10,6 +10,10 @@ #include "RE.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::login; + static RE_Matcher* re_skip_authentication = 0; static RE_Matcher* re_direct_login_prompts; static RE_Matcher* re_login_prompts; @@ -21,7 +25,7 @@ static RE_Matcher* re_login_timeouts; static RE_Matcher* init_RE(ListVal* l); Login_Analyzer::Login_Analyzer(const char* name, Connection* conn) -: TCP_ApplicationAnalyzer(name, conn) +: tcp::TCP_ApplicationAnalyzer(name, conn) { state = LOGIN_STATE_AUTHENTICATE; num_user_lines_seen = lines_scanned = 0; @@ -65,7 +69,7 @@ Login_Analyzer::~Login_Analyzer() void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); char* str = new char[length+1]; @@ -102,8 +106,8 @@ void Login_Analyzer::NewLine(bool orig, char* line) if ( state == LOGIN_STATE_AUTHENTICATE ) { - if ( TCP()->OrigState() == TCP_ENDPOINT_PARTIAL || - TCP()->RespState() == TCP_ENDPOINT_PARTIAL ) + if ( TCP()->OrigState() == tcp::TCP_ENDPOINT_PARTIAL || + TCP()->RespState() == tcp::TCP_ENDPOINT_PARTIAL ) state = LOGIN_STATE_CONFUSED; // unknown login state else { @@ -361,7 +365,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) void Login_Analyzer::EndpointEOF(bool orig) { - TCP_ApplicationAnalyzer::EndpointEOF(orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() ) { diff --git a/src/analyzer/protocols/login/Login.h b/src/analyzer/protocols/login/Login.h index 67b6a3c094..55d12c80da 100644 --- a/src/analyzer/protocols/login/Login.h +++ b/src/analyzer/protocols/login/Login.h @@ -5,6 +5,8 @@ #include "analyzer/protocols/tcp/TCP.h" +namespace analyzer { namespace login { + typedef enum { LOGIN_STATE_AUTHENTICATE, // trying to authenticate 
@@ -19,7 +21,7 @@ typedef enum { // Maximum # lines look after login for failure. #define MAX_LOGIN_LOOKAHEAD 10 -class Login_Analyzer : public TCP_ApplicationAnalyzer { +class Login_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Login_Analyzer(const char* name, Connection* conn); ~Login_Analyzer(); @@ -82,4 +84,6 @@ protected: int saw_ploy; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/NVT.cc b/src/analyzer/protocols/login/NVT.cc index d51d562bd5..2c79fd7195 100644 --- a/src/analyzer/protocols/login/NVT.cc +++ b/src/analyzer/protocols/login/NVT.cc @@ -9,6 +9,8 @@ #include "Event.h" #include "analyzer/protocols/tcp/TCP.h" +#include "events.bif.h" + #define IS_3_BYTE_OPTION(c) (c >= 251 && c <= 254) #define TELNET_OPT_SB 250 @@ -24,6 +26,8 @@ #define TELNET_IAC 255 +using namespace analyzer::login; + TelnetOption::TelnetOption(NVT_Analyzer* arg_endp, unsigned int arg_code) { endp = arg_endp; @@ -287,7 +291,7 @@ void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len) break; } - static_cast + static_cast (endp->Parent())->SetEnv(endp->IsOrig(), var_name, var_val); } @@ -360,7 +364,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */) NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig) -: ContentLine_Analyzer("NVT", conn, orig) +: tcp::ContentLine_Analyzer("NVT", conn, orig) { peer = 0; is_suboption = last_was_IAC = pending_IAC = 0; diff --git a/src/analyzer/protocols/login/NVT.h b/src/analyzer/protocols/login/NVT.h index da97a251f0..dea4c90ad5 100644 --- a/src/analyzer/protocols/login/NVT.h +++ b/src/analyzer/protocols/login/NVT.h @@ -5,7 +5,6 @@ #include "analyzer/protocols/tcp/ContentLine.h" - #define TELNET_OPTION_BINARY 0 #define TELNET_OPTION_TERMINAL 24 #define TELNET_OPTION_AUTHENTICATE 37 @@ -13,8 +12,9 @@ #define TELNET_OPTION_ENVIRON 39 #define NUM_TELNET_OPTIONS 5 -class NVT_Analyzer; +namespace analyzer { namespace login { +class NVT_Analyzer; class TelnetOption { public: 
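Review bot: `#define MAX_LOGIN_LOOKAHEAD 10` is now lexically inside the `analyzer::login` namespace opened earlier in this file, but the preprocessor ignores namespaces, so the macro stays global while the `typedef enum` of login states and the `Login_Analyzer` class around it became scoped. A namespace-scoped constant, `const int MAX_LOGIN_LOOKAHEAD = 10; // maximum # lines to look after login for failure`, would give the limit the same scoping as the code that uses it. The `Login_Analyzer` class declaration continues past the end of this hunk.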
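Review bot: The downcast of `endp->Parent()` ahead of the `SetEnv` call in NVT.cc is unchecked: `static_cast` (its template argument is not visible in this rendering) assumes the NVT analyzer's parent is always a `Login_Analyzer`, the class on which `SetEnv` is declared, and a parent of any other type would make the call undefined behaviour. An `assert(dynamic_cast<Login_Analyzer*>(endp->Parent()));` before the cast, or a comment such as `// NVT is only ever attached under a Login_Analyzer` stating the invariant, would make the assumption visible to the next maintainer. `TelnetEnvironmentOption::RecvSubOption` begins outside the hunk.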
@@ -123,7 +123,7 @@ protected: void InconsistentOption(unsigned int type); }; -class NVT_Analyzer : public ContentLine_Analyzer { +class NVT_Analyzer : public tcp::ContentLine_Analyzer { public: NVT_Analyzer(Connection* conn, bool orig); ~NVT_Analyzer(); @@ -170,4 +170,6 @@ protected: int num_options; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/Plugin.cc b/src/analyzer/protocols/login/Plugin.cc index 10166783c0..3f98f99d2c 100644 --- a/src/analyzer/protocols/login/Plugin.cc +++ b/src/analyzer/protocols/login/Plugin.cc @@ -8,11 +8,11 @@ BRO_PLUGIN_BEGIN(Login) BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin Analyzer"); - BRO_PLUGIN_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("NVT", 0); - BRO_PLUGIN_ANALYZER("Login", 0); + BRO_PLUGIN_ANALYZER("TELNET", login::Telnet_Analyzer); + BRO_PLUGIN_ANALYZER("RSH", login::Rsh_Analyzer); + BRO_PLUGIN_ANALYZER("RLOGIN", login::Rlogin_Analyzer); + BRO_PLUGIN_ANALYZER_BARE("NVT"); + BRO_PLUGIN_ANALYZER_BARE("Login"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rlogin"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocols/login/RSH.cc b/src/analyzer/protocols/login/RSH.cc index 09d403fe59..1890fc3098 100644 --- a/src/analyzer/protocols/login/RSH.cc +++ b/src/analyzer/protocols/login/RSH.cc @@ -6,12 +6,15 @@ #include "Event.h" #include "RSH.h" +#include "events.bif.h" + +using namespace analyzer::login; // FIXME: this code should probably be merged with Rlogin.cc. Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* arg_analyzer) -: ContentLine_Analyzer("CONTENTS_RSH", conn, orig) +: tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; 
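Review bot: `BRO_PLUGIN_ANALYZER("TELNET", login::Telnet_Analyzer)` now passes the class where the old form passed `Telnet_Analyzer::InstantiateAnalyzer`, yet the `InstantiateAnalyzer` factories are still present in Telnet.h and Rlogin.h in this commit (`{ return new Telnet_Analyzer(conn); }`). If the macro no longer reaches them they are dead code; if it expects a static `InstantiateAnalyzer(Connection*)` on the class, that contract is invisible here and deserves a comment at the registration, e.g. `// BRO_PLUGIN_ANALYZER expects cls::InstantiateAnalyzer(Connection*)`. The plugin block is now the single place that binds analyzer names to their factories, so it is the right place to state which one applies.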
@@ -28,7 +31,7 @@ Contents_Rsh_Analyzer::~Contents_Rsh_Analyzer() void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) { - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); assert(tcp); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); @@ -42,10 +45,10 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) switch ( state ) { case RSH_FIRST_NULL: - if ( endp_state == TCP_ENDPOINT_PARTIAL || + if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == TCP_ENDPOINT_CLOSED ) + endp_state == tcp::TCP_ENDPOINT_CLOSED ) { state = RSH_UNKNOWN; ++len, --data; // put back c and reprocess diff --git a/src/analyzer/protocols/login/RSH.h b/src/analyzer/protocols/login/RSH.h index 80cc4a6559..2738060a9f 100644 --- a/src/analyzer/protocols/login/RSH.h +++ b/src/analyzer/protocols/login/RSH.h @@ -6,6 +6,8 @@ #include "Login.h" #include "analyzer/protocols/tcp/ContentLine.h" +namespace analyzer { namespace login { + typedef enum { RSH_FIRST_NULL, // waiting to see first NUL RSH_CLIENT_USER_NAME, // scanning client user name up to NUL @@ -21,7 +23,7 @@ typedef enum { class Rsh_Analyzer; -class Contents_Rsh_Analyzer : public ContentLine_Analyzer { +class Contents_Rsh_Analyzer : public tcp::ContentLine_Analyzer { public: Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* analyzer); ~Contents_Rsh_Analyzer(); @@ -54,4 +56,6 @@ public: Contents_Rsh_Analyzer* contents_resp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/Rlogin.cc b/src/analyzer/protocols/login/Rlogin.cc index b09e24d2cb..9a31a47aa1 100644 --- a/src/analyzer/protocols/login/Rlogin.cc +++ b/src/analyzer/protocols/login/Rlogin.cc 
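Review bot: `tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP();` introduces a local named `tcp` in a function that, later in the same body, still writes `tcp::TCP_ENDPOINT_PARTIAL` and `tcp::TCP_ENDPOINT_CLOSED`; qualified lookup ignores the variable so this compiles, but it reads as if the variable were being used as a scope, and any unqualified `tcp` inside `DoDeliver` now names the local rather than the namespace. Renaming the local (for example to `tcp_analyzer`) removes the collision; the same pattern appears in Rlogin.cc's `Contents_Rlogin_Analyzer::DoDeliver` hunk. The only null check on the pointer is `assert(tcp)`, which disappears under `NDEBUG`, so `tcp->OrigState()` dereferences it unconditionally in release builds; if `TCP()` can return null for an unexpected parent, an `if ( ! tcp ) return;` guard would keep that from crashing the analyzer. `DoDeliver` continues past the hunk.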
@@ -6,9 +6,12 @@ #include "Event.h" #include "Rlogin.h" +#include "events.bif.h" + +using namespace analyzer::login; Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer) -: ContentLine_Analyzer("CONTENTLINE", conn, orig) +: tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; @@ -26,7 +29,7 @@ Contents_Rlogin_Analyzer::~Contents_Rlogin_Analyzer() void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) { - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); assert(tcp); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); @@ -40,10 +43,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) switch ( state ) { case RLOGIN_FIRST_NULL: - if ( endp_state == TCP_ENDPOINT_PARTIAL || + if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == TCP_ENDPOINT_CLOSED ) + endp_state == tcp::TCP_ENDPOINT_CLOSED ) { state = RLOGIN_UNKNOWN; ++len, --data; // put back c and reprocess @@ -85,10 +88,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) break; case RLOGIN_SERVER_ACK: - if ( endp_state == TCP_ENDPOINT_PARTIAL || + if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == TCP_ENDPOINT_CLOSED ) + endp_state == tcp::TCP_ENDPOINT_CLOSED ) { state = RLOGIN_UNKNOWN; ++len, --data; // put back c and reprocess diff --git a/src/analyzer/protocols/login/Rlogin.h b/src/analyzer/protocols/login/Rlogin.h index 0ad72b1908..c4cdfd7516 100644 --- a/src/analyzer/protocols/login/Rlogin.h +++ b/src/analyzer/protocols/login/Rlogin.h 
@@ -6,6 +6,8 @@ #include "Login.h" #include "analyzer/protocols/tcp/ContentLine.h" +namespace analyzer { namespace login { + typedef enum { RLOGIN_FIRST_NULL, // waiting to see first NUL RLOGIN_CLIENT_USER_NAME, // scanning client user name up to NUL @@ -29,7 +31,7 @@ typedef enum { class Rlogin_Analyzer; -class Contents_Rlogin_Analyzer : public ContentLine_Analyzer { +class Contents_Rlogin_Analyzer : public tcp::ContentLine_Analyzer { public: Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* analyzer); @@ -64,4 +66,6 @@ public: { return new Rlogin_Analyzer(conn); } }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/Telnet.cc b/src/analyzer/protocols/login/Telnet.cc index 47991177f2..c22b2afc5e 100644 --- a/src/analyzer/protocols/login/Telnet.cc +++ b/src/analyzer/protocols/login/Telnet.cc @@ -5,6 +5,10 @@ #include "Telnet.h" #include "NVT.h" +#include "events.bif.h" + +using namespace analyzer::login; + Telnet_Analyzer::Telnet_Analyzer(Connection* conn) : Login_Analyzer("TELNET", conn) { diff --git a/src/analyzer/protocols/login/Telnet.h b/src/analyzer/protocols/login/Telnet.h index 290382846b..a13fe230af 100644 --- a/src/analyzer/protocols/login/Telnet.h +++ b/src/analyzer/protocols/login/Telnet.h @@ -5,6 +5,8 @@ #include "Login.h" +namespace analyzer { namespace login { + class Telnet_Analyzer : public Login_Analyzer { public: Telnet_Analyzer(Connection* conn); @@ -14,4 +16,6 @@ public: { return new Telnet_Analyzer(conn); } }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/events.bif b/src/analyzer/protocols/login/events.bif index e69de29bb2..084f53eaad 100644 --- a/src/analyzer/protocols/login/events.bif +++ b/src/analyzer/protocols/login/events.bif 
@@ -0,0 +1,395 @@ +## Generated for client side commands on an RSH connection. +## +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. +## +## c: The connection. +## +## client_user: The client-side user name as sent in the initial protocol +## handshake. +## +## server_user: The server-side user name as sent in the initial protocol +## handshake. +## +## line: The command line sent in the request. +## +## new_session: True if this is the first command of the Rsh session. +## +## .. bro:see:: rsh_reply login_confused login_confused_text login_display +## login_failure login_input_line login_output_line login_prompt login_success +## login_terminal +## +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%); + +## Generated for client side commands on an RSH connection. +## +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. +## +## c: The connection. +## +## client_user: The client-side user name as sent in the initial protocol +## handshake. +## +## server_user: The server-side user name as sent in the initial protocol +## handshake. +## +## line: The command line sent in the request. +## +## .. bro:see:: rsh_request login_confused login_confused_text login_display +## login_failure login_input_line login_output_line login_prompt login_success +## login_terminal +## +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%); + +## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects +## Telnet/Rlogin sessions to heuristically extract username and password +## information as well as the text returned by the login server. This event is +## raised if a login attempt appears to have been unsuccessful. +## +## c: The connection. +## +## user: The user name tried. +## +## client_user: For Telnet connections, this is an empty string, but for Rlogin +## connections, it is the client name passed in the initial authentication +## information (to check against .rhosts). +## +## password: The password tried. +## +## line: The line of text that led the analyzer to conclude that the +## authentication had failed. +## +## .. bro:see:: login_confused login_confused_text login_display login_input_line +## login_output_line login_prompt login_success login_terminal direct_login_prompts +## get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs +## login_timeouts set_login_state +## +## .. note:: The login analyzer depends on a set of script-level variables that +## need to be configured with patterns identifying login attempts. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. 
+event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); + +## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects +## Telnet/Rlogin sessions to heuristically extract username and password +## information as well as the text returned by the login server. This event is +## raised if a login attempt appears to have been successful. +## +## c: The connection. +## +## user: The user name used. +## +## client_user: For Telnet connections, this is an empty string, but for Rlogin +## connections, it is the client name passed in the initial authentication +## information (to check against .rhosts). +## +## password: The password used. +## +## line: The line of text that led the analyzer to conclude that the +## authentication had succeeded. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_output_line login_prompt login_terminal +## direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs +## login_prompts login_success_msgs login_timeouts set_login_state +## +## .. note:: The login analyzer depends on a set of script-level variables that +## need to be configured with patterns identifying login attempts. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); + +## Generated for lines of input on Telnet/Rlogin sessions. The line will have +## control characters (such as in-band Telnet options) removed. 
+## +## c: The connection. +## +## line: The input line. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_output_line login_prompt login_success login_terminal rsh_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_input_line%(c: connection, line: string%); + +## Generated for lines of output on Telnet/Rlogin sessions. The line will have +## control characters (such as in-band Telnet options) removed. +## +## c: The connection. +## +## line: The ouput line. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_prompt login_success login_terminal rsh_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_output_line%(c: connection, line: string%); + +## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's +## *login* analyzer uses a number of heuristics to extract authentication +## information, it may become confused. If it can no longer correctly track +## the authentication dialog, it raises this event. +## +## c: The connection. +## +## msg: Gives the particular problem the heuristics detected (for example, +## ``multiple_login_prompts`` means that the engine saw several login +## prompts in a row, without the type-ahead from the client side presumed +## necessary to cause them) +## +## line: The line of text that caused the heuristics to conclude they were +## confused. +## +## .. 
bro:see:: login_confused_text login_display login_failure login_input_line login_output_line +## login_prompt login_success login_terminal direct_login_prompts get_login_state +## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs +## login_timeouts set_login_state +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_confused%(c: connection, msg: string, line: string%); + +## Generated after getting confused while tracking a Telnet/Rlogin +## authentication dialog. The *login* analyzer generates this even for every +## line of user input after it has reported :bro:id:`login_confused` for a +## connection. +## +## c: The connection. +## +## line: The line the user typed. +## +## .. bro:see:: login_confused login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal direct_login_prompts +## get_login_state login_failure_msgs login_non_failure_msgs login_prompts +## login_success_msgs login_timeouts set_login_state +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_confused_text%(c: connection, line: string%); + +## Generated for clients transmitting a terminal type in a Telnet session. This +## information is extracted out of environment variables sent as Telnet options. +## +## c: The connection. +## +## terminal: The TERM value transmitted. +## +## .. 
bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_output_line login_prompt login_success +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_terminal%(c: connection, terminal: string%); + +## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This +## information is extracted out of environment variables sent as Telnet options. +## +## c: The connection. +## +## display: The DISPLAY transmitted. +## +## .. bro:see:: login_confused login_confused_text login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_display%(c: connection, display: string%); + +## Generated when a Telnet authentication has been successful. The Telnet +## protocol includes options for negotiating authentication. When such an +## option is sent from client to server and the server replies that it accepts +## the authentication, then the event engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## name: The authenticated name. +## +## c: The connection. +## +## .. bro:see:: authentication_rejected authentication_skipped login_success +## +## .. note:: This event inspects the corresponding Telnet option +## while :bro:id:`login_success` heuristically determines success by watching +## session data. +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event authentication_accepted%(name: string, c: connection%); + +## Generated when a Telnet authentication has been unsuccessful. The Telnet +## protocol includes options for negotiating authentication. When such an option +## is sent from client to server and the server replies that it did not accept +## the authentication, then the event engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## name: The attempted authentication name. +## +## c: The connection. +## +## .. bro:see:: authentication_accepted authentication_skipped login_failure +## +## .. note:: This event inspects the corresponding Telnet option +## while :bro:id:`login_success` heuristically determines failure by watching +## session data. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event authentication_rejected%(name: string, c: connection%); + +## Generated for Telnet/Rlogin sessions when a pattern match indicates +## that no authentication is performed. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts +## get_login_state login_failure_msgs login_non_failure_msgs login_prompts +## login_success_msgs login_timeouts set_login_state +## +## .. 
note:: The login analyzer depends on a set of script-level variables that +## need to be configured with patterns identifying activity. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event authentication_skipped%(c: connection%); + +## Generated for clients transmitting a terminal prompt in a Telnet session. +## This information is extracted out of environment variables sent as Telnet +## options. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## prompt: The TTYPROMPT transmitted. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_output_line login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_prompt%(c: connection, prompt: string%); + +## Generated for Telnet sessions when encryption is activated. The Telnet +## protocol includes options for negotiating encryption. When such a series of +## options is successfully negotiated, the event engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. 
bro:see:: authentication_accepted authentication_rejected authentication_skipped +## login_confused login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +event activating_encryption%(c: connection%); + +## Generated for an inconsistent Telnet option. Telnet options are specified +## by the client and server stating which options they are willing to +## support vs. which they are not, and then instructing one another which in +## fact they should or should not use for the current connection. If the event +## engine sees a peer violate either what the other peer has instructed it to +## do, or what it itself offered in terms of options in the past, then the +## engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: bad_option bad_option_termination authentication_accepted +## authentication_rejected authentication_skipped login_confused +## login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +event inconsistent_option%(c: connection%); + +## Generated for an ill-formed or unrecognized Telnet option. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted +## authentication_rejected authentication_skipped login_confused +## login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. 
+event bad_option%(c: connection%); + +## Generated for a Telnet option that's incorrectly terminated. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: inconsistent_option bad_option authentication_accepted +## authentication_rejected authentication_skipped login_confused +## login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event bad_option_termination%(c: connection%); diff --git a/src/analyzer/protocols/mime/CMakeLists.txt b/src/analyzer/protocols/mime/CMakeLists.txt new file mode 100644 index 0000000000..1df45cd395 --- /dev/null +++ b/src/analyzer/protocols/mime/CMakeLists.txt @@ -0,0 +1,15 @@ + +# This is not an actual analyzer, but used by others. We still +# maintain it here along with the other analyzers because conceptually +# it's also parsing a protocol just like them. The current structure +# is merely a left-over from when this code was written. + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(MIME) +bro_plugin_cc(MIME.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() + diff --git a/src/MIME.cc b/src/analyzer/protocols/mime/MIME.cc similarity index 99% rename from src/MIME.cc rename to src/analyzer/protocols/mime/MIME.cc index 011857ee6e..3a6a1ace13 100644 --- a/src/MIME.cc +++ b/src/analyzer/protocols/mime/MIME.cc @@ -6,6 +6,8 @@ #include "Reporter.h" #include "digest.h" +#include "events.bif.h" + // Here are a few things to do: // // 1. Add a Bro internal function 'stop_deliver_data_of_entity' so 
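Review bot: The docstring for `rsh_reply` is a verbatim copy of `rsh_request`'s — it opens with "Generated for client side commands on an RSH connection" although, judging by the name and the `rsh_request` cross-reference, this event appears to cover the server's side of the exchange; suggest `## Generated for server side replies on an RSH connection.` and confirm against the analyzer. In the same way, the note under `authentication_rejected` says ":bro:id:`login_success` heuristically determines failure" where the heuristic counterpart for failure is `login_failure`. `login_failure` and `login_success` deliver the `password` parameter to script-land in cleartext, and nothing in the documentation warns handlers; a one-line caveat such as `## password: The password tried. Scripts that log this field are recording cleartext credentials.` would be worth adding under both events. Minor: `## line: The ouput line.` under `login_output_line` should read `output`, and the `rsh_request`/`rsh_reply` todo text ("register a port for it") differs from the `dpd_config` wording used by every other event in the file.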
@@ -16,44 +18,10 @@ // headers of form: =; =; // =; ... (so that +namespace analyzer { namespace mime { + static const data_chunk_t null_data_chunk = { 0, 0 }; -int is_null_data_chunk(data_chunk_t b) - { - return b.data == 0; - } - -int fputs(data_chunk_t b, FILE* fp) - { - for ( int i = 0; i < b.length; ++i ) - if ( fputc(b.data[i], fp) == EOF ) - return EOF; - return 0; - } - -StringVal* new_string_val(int length, const char* data) - { - return new StringVal(length, data); - } - -StringVal* new_string_val(const char* data, const char* end_of_data) - { - return new StringVal(end_of_data - data, data); - } - -StringVal* new_string_val(const data_chunk_t buf) - { - return new_string_val(buf.length, buf.data); - } - -data_chunk_t get_data_chunk(BroString* s) - { - data_chunk_t b; - b.length = s->Len(); - b.data = (const char*) s->Bytes(); - return b; - } - int mime_header_only = 0; int mime_decode_data = 1; int mime_submit_data = 1; 
@@ -129,6 +97,319 @@ static const char* MIMEContentEncodingName[] = { 0, }; +int is_null_data_chunk(data_chunk_t b) + { + return b.data == 0; + } + +int is_lws(char ch) + { + return ch == 9 || ch == 32; + } + +StringVal* new_string_val(int length, const char* data) + { + return new StringVal(length, data); + } + +StringVal* new_string_val(const char* data, const char* end_of_data) + { + return new StringVal(end_of_data - data, data); + } + +StringVal* new_string_val(const data_chunk_t buf) + { + return new_string_val(buf.length, buf.data); + } + +static data_chunk_t get_data_chunk(BroString* s) + { + data_chunk_t b; + b.length = s->Len(); + b.data = (const char*) s->Bytes(); + return b; + } + +int fputs(data_chunk_t b, FILE* fp) + { + for ( int i = 0; i < b.length; ++i ) + if ( fputc(b.data[i], fp) == EOF ) + return EOF; + return 0; + } + +int strcasecmp_n(data_chunk_t s, const char* t) + { + return ::strcasecmp_n(s.length, s.data, t); + } + +int MIME_count_leading_lws(int len, const char* data) + { + int i; + for ( i = 0; i < len; ++i ) + if ( ! is_lws(data[i]) ) + break; + return i; + } + +int MIME_count_trailing_lws(int len, const char* data) + { + int i; + for ( i = 0; i < len; ++i ) + if ( ! is_lws(data[len - 1 - i]) ) + break; + return i; + } + +// See RFC 2822, page 11 +int MIME_skip_comments(int len, const char* data) + { + if ( len == 0 || data[0] != '(' ) + return 0; + + int par = 0; + for ( int i = 0; i < len; ++i ) + { + switch ( data[i] ) { + case '(': + ++par; + break; + + case ')': + --par; + if ( par == 0 ) + return i + 1; + break; + + case '\\': + ++i; + break; + } + } + + return len; + } + +// Skip over lws and comments, but not tspecials. Do not use this +// function in quoted-string or comments. 
+int MIME_skip_lws_comments(int len, const char* data) + { + int i = 0; + while ( i < len ) + { + if ( is_lws(data[i]) ) + ++i; + else + { + if ( data[i] == '(' ) + i += MIME_skip_comments(len - i, data + i); + else + return i; + } + } + + return len; + } + +int MIME_get_field_name(int len, const char* data, data_chunk_t* name) + { + int i = MIME_skip_lws_comments(len, data); + while ( i < len ) + { + int j; + if ( MIME_is_field_name_char(data[i]) ) + { + name->data = data + i; + + for ( j = i; j < len; ++j ) + if ( ! MIME_is_field_name_char(data[j]) ) + break; + + name->length = j - i; + return j; + } + + j = MIME_skip_lws_comments(len - i, data + i); + i += (j > 0) ? j : 1; + } + + return -1; + } + +// See RFC 2045, page 12. +int MIME_is_tspecial (char ch) + { + return ch == '(' || ch == ')' || ch == '<' || ch == '>' || ch == '@' || + ch == ',' || ch == ';' || ch == ':' || ch == '\\' || ch == '"' || + ch == '/' || ch == '[' || ch == ']' || ch == '?' || ch == '='; + } + +int MIME_is_field_name_char (char ch) + { + return ch >= 33 && ch <= 126 && ch != ':'; + } + +int MIME_is_token_char (char ch) + { + return ch >= 33 && ch <= 126 && ! MIME_is_tspecial(ch); + } + +// See RFC 2045, page 12. +// A token is composed of characters that are not SPACE, CTLs or tspecials +int MIME_get_token(int len, const char* data, data_chunk_t* token) + { + int i = MIME_skip_lws_comments(len, data); + while ( i < len ) + { + int j; + + if ( MIME_is_token_char(data[i]) ) + { + token->data = (data + i); + for ( j = i; j < len; ++j ) + { + if ( ! MIME_is_token_char(data[j]) ) + break; + } + + token->length = j - i; + return j; + } + + j = MIME_skip_lws_comments(len - i, data + i); + i += (j > 0) ? 
j : 1; + } + + return -1; + } + +int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second) + { + int offset; + const char* data_start = data; + + offset = MIME_get_token(len, data, first); + if ( offset < 0 ) + { + // DEBUG_MSG("first token missing in slash token pair"); + return -1; + } + + data += offset; + len -= offset; + + offset = MIME_skip_lws_comments(len, data); + if ( offset < 0 || offset >= len || data[offset] != '/' ) + { + // DEBUG_MSG("/ not found in slash token pair"); + return -1; + } + + ++offset; + data += offset; + len -= offset; + + offset = MIME_get_token(len, data, second); + if ( offset < 0 ) + { + // DEBUG_MSG("second token missing in slash token pair"); + return -1; + } + + data += offset; + len -= offset; + + return data - data_start; + } + +// See RFC 2822, page 13. +int MIME_get_quoted_string(int len, const char* data, data_chunk_t* str) + { + int offset = MIME_skip_lws_comments(len, data); + + len -= offset; + data += offset; + + if ( len <= 0 || *data != '"' ) + return -1; + + for ( int i = 1; i < len; ++i ) + { + switch ( data[i] ) { + case '"': + str->data = data + 1; + str->length = i - 1; + return offset + i + 1; + + case '\\': + ++i; + break; + } + } + + return -1; + } + +int MIME_get_value(int len, const char* data, BroString*& buf) + { + int offset = MIME_skip_lws_comments(len, data); + + len -= offset; + data += offset; + + if ( len > 0 && *data == '"' ) + { + data_chunk_t str; + int end = MIME_get_quoted_string(len, data, &str); + if ( end < 0 ) + return -1; + + buf = MIME_decode_quoted_pairs(str); + return offset + end; + } + + else + { + data_chunk_t str; + int end = MIME_get_token(len, data, &str); + if ( end < 0 ) + return -1; + + buf = new BroString((const u_char*)str.data, str.length, 1); + return offset + end; + } + } + +// Decode each quoted-pair: a '\' followed by a character by the +// quoted character. The decoded string is returned. 
+ +BroString* MIME_decode_quoted_pairs(data_chunk_t buf) + { + const char* data = buf.data; + char* dest = new char[buf.length+1]; + int j = 0; + for ( int i = 0; i < buf.length; ++i ) + if ( data[i] == '\\' ) + { + if ( ++i < buf.length ) + dest[j++] = data[i]; + else + { + // a trailing '\' -- don't know what + // to do with it -- ignore it. + } + } + else + dest[j++] = data[i]; + dest[j] = 0; + + return new BroString(1, (byte_vec) dest, j); + } + + +} } // namespace analyzer::* + +using namespace analyzer::mime; MIME_Multiline::MIME_Multiline() { 
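Review bot: The relocated helpers `MIME_skip_comments` through `MIME_get_value` are the parsing primitives for attacker-controlled header bytes, yet none of them states its return contract — an offset just past the consumed span on success, `-1` when the construct is absent — and `MIME_skip_comments` returns `len` for an unterminated `(`, which makes `MIME_skip_lws_comments` swallow the remainder of the field; a header comment such as `// Returns the number of bytes consumed; an unterminated comment consumes everything up to len.` would make that intent explicit for callers. I traced the bounds: every loop is bounded by `len`, and the `++i` after a backslash in `MIME_skip_comments` and `MIME_get_quoted_string` can only advance to `len`, where the loop condition stops it, so I see no over-read in the moved code. The comment above `MIME_decode_quoted_pairs` is garbled ("a '\' followed by a character by the quoted character"); suggest `// Decode each quoted-pair: a backslash followed by any character is replaced by that character; a trailing lone backslash is dropped.`, which matches the `++i < buf.length` branch. `get_data_chunk` gained `static` while the other relocated helpers kept external linkage — if MIME.h or another translation unit still declares it, that declaration will no longer match, so this is worth confirming before merge.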
@@ -1193,276 +1474,3 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail) } } - -int strcasecmp_n(data_chunk_t s, const char* t) - { - return strcasecmp_n(s.length, s.data, t); - } - -int is_lws(char ch) - { - return ch == 9 || ch == 32; - } - -int MIME_count_leading_lws(int len, const char* data) - { - int i; - for ( i = 0; i < len; ++i ) - if ( ! is_lws(data[i]) ) - break; - return i; - } - -int MIME_count_trailing_lws(int len, const char* data) - { - int i; - for ( i = 0; i < len; ++i ) - if ( ! is_lws(data[len - 1 - i]) ) - break; - return i; - } - -// See RFC 2822, page 11 -int MIME_skip_comments(int len, const char* data) - { - if ( len == 0 || data[0] != '(' ) - return 0; - - int par = 0; - for ( int i = 0; i < len; ++i ) - { - switch ( data[i] ) { - case '(': - ++par; - break; - - case ')': - --par; - if ( par == 0 ) - return i + 1; - break; - - case '\\': - ++i; - break; - } - } - - return len; - } - -// Skip over lws and comments, but not tspecials. Do not use this -// function in quoted-string or comments. -int MIME_skip_lws_comments(int len, const char* data) - { - int i = 0; - while ( i < len ) - { - if ( is_lws(data[i]) ) - ++i; - else - { - if ( data[i] == '(' ) - i += MIME_skip_comments(len - i, data + i); - else - return i; - } - } - - return len; - } - -int MIME_get_field_name(int len, const char* data, data_chunk_t* name) - { - int i = MIME_skip_lws_comments(len, data); - while ( i < len ) - { - int j; - if ( MIME_is_field_name_char(data[i]) ) - { - name->data = data + i; - - for ( j = i; j < len; ++j ) - if ( ! MIME_is_field_name_char(data[j]) ) - break; - - name->length = j - i; - return j; - } - - j = MIME_skip_lws_comments(len - i, data + i); - i += (j > 0) ? j : 1; - } - - return -1; - } - -// See RFC 2045, page 12. 
-int MIME_is_tspecial (char ch) - { - return ch == '(' || ch == ')' || ch == '<' || ch == '>' || ch == '@' || - ch == ',' || ch == ';' || ch == ':' || ch == '\\' || ch == '"' || - ch == '/' || ch == '[' || ch == ']' || ch == '?' || ch == '='; - } - -int MIME_is_field_name_char (char ch) - { - return ch >= 33 && ch <= 126 && ch != ':'; - } - -int MIME_is_token_char (char ch) - { - return ch >= 33 && ch <= 126 && ! MIME_is_tspecial(ch); - } - -// See RFC 2045, page 12. -// A token is composed of characters that are not SPACE, CTLs or tspecials -int MIME_get_token(int len, const char* data, data_chunk_t* token) - { - int i = MIME_skip_lws_comments(len, data); - while ( i < len ) - { - int j; - - if ( MIME_is_token_char(data[i]) ) - { - token->data = (data + i); - for ( j = i; j < len; ++j ) - { - if ( ! MIME_is_token_char(data[j]) ) - break; - } - - token->length = j - i; - return j; - } - - j = MIME_skip_lws_comments(len - i, data + i); - i += (j > 0) ? j : 1; - } - - return -1; - } - -int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second) - { - int offset; - const char* data_start = data; - - offset = MIME_get_token(len, data, first); - if ( offset < 0 ) - { - // DEBUG_MSG("first token missing in slash token pair"); - return -1; - } - - data += offset; - len -= offset; - - offset = MIME_skip_lws_comments(len, data); - if ( offset < 0 || offset >= len || data[offset] != '/' ) - { - // DEBUG_MSG("/ not found in slash token pair"); - return -1; - } - - ++offset; - data += offset; - len -= offset; - - offset = MIME_get_token(len, data, second); - if ( offset < 0 ) - { - // DEBUG_MSG("second token missing in slash token pair"); - return -1; - } - - data += offset; - len -= offset; - - return data - data_start; - } - -// See RFC 2822, page 13. 
-int MIME_get_quoted_string(int len, const char* data, data_chunk_t* str) - { - int offset = MIME_skip_lws_comments(len, data); - - len -= offset; - data += offset; - - if ( len <= 0 || *data != '"' ) - return -1; - - for ( int i = 1; i < len; ++i ) - { - switch ( data[i] ) { - case '"': - str->data = data + 1; - str->length = i - 1; - return offset + i + 1; - - case '\\': - ++i; - break; - } - } - - return -1; - } - -int MIME_get_value(int len, const char* data, BroString*& buf) - { - int offset = MIME_skip_lws_comments(len, data); - - len -= offset; - data += offset; - - if ( len > 0 && *data == '"' ) - { - data_chunk_t str; - int end = MIME_get_quoted_string(len, data, &str); - if ( end < 0 ) - return -1; - - buf = MIME_decode_quoted_pairs(str); - return offset + end; - } - - else - { - data_chunk_t str; - int end = MIME_get_token(len, data, &str); - if ( end < 0 ) - return -1; - - buf = new BroString((const u_char*)str.data, str.length, 1); - return offset + end; - } - } - -// Decode each quoted-pair: a '\' followed by a character by the -// quoted character. The decoded string is returned. - -BroString* MIME_decode_quoted_pairs(data_chunk_t buf) - { - const char* data = buf.data; - char* dest = new char[buf.length+1]; - int j = 0; - for ( int i = 0; i < buf.length; ++i ) - if ( data[i] == '\\' ) - { - if ( ++i < buf.length ) - dest[j++] = data[i]; - else - { - // a trailing '\' -- don't know what - // to do with it -- ignore it. - } - } - else - dest[j++] = data[i]; - dest[j] = 0; - - return new BroString(1, (byte_vec) dest, j); - } diff --git a/src/MIME.h b/src/analyzer/protocols/mime/MIME.h similarity index 99% rename from src/MIME.h rename to src/analyzer/protocols/mime/MIME.h index 3f8c3281fc..d6ef2b5375 100644 --- a/src/MIME.h +++ b/src/analyzer/protocols/mime/MIME.h 
@@ -12,6 +12,8 @@ using namespace std; #include "BroString.h" #include "analyzer/Analyzer.h" +namespace analyzer { namespace mime { + // MIME: Multipurpose Internet Mail Extensions // Follows RFC 822 & 2822 (Internet Mail), 2045-2049 (MIME) // See related files: SMTP.h and SMTP.cc @@ -273,4 +275,6 @@ extern int MIME_get_value(int len, const char* data, BroString*& buf); extern int MIME_get_field_name(int len, const char* data, data_chunk_t* name); extern BroString* MIME_decode_quoted_pairs(data_chunk_t buf); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/mime/Plugin.cc b/src/analyzer/protocols/mime/Plugin.cc new file mode 100644 index 0000000000..98dee2a2eb --- /dev/null +++ b/src/analyzer/protocols/mime/Plugin.cc @@ -0,0 +1,7 @@ + +#include "plugin/Plugin.h" + +BRO_PLUGIN_BEGIN(MIME) + BRO_PLUGIN_DESCRIPTION("MIME Parsing Code"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/mime/events.bif b/src/analyzer/protocols/mime/events.bif new file mode 100644 index 0000000000..e9e5f66fda --- /dev/null +++ b/src/analyzer/protocols/mime/events.bif 
@@ -0,0 +1,196 @@ +## Generated when starting to parse an email MIME entity. MIME is a +## protocol-independent data format for encoding text and files, along with +## corresponding metadata, for transmission. Bro raises this event when it +## begins parsing a MIME entity extracted from an email protocol. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## .. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data +## http_begin_entity +## +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_begin_entity` instead. +event mime_begin_entity%(c: connection%); + +## Generated when finishing parsing an email MIME entity. MIME is a +## protocol-independent data format for encoding text and files, along with +## corresponding metadata, for transmission. Bro raises this event when it +## finished parsing a MIME entity extracted from an email protocol. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data +## http_end_entity +## +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_end_entity` instead. +event mime_end_entity%(c: connection%); + +## Generated for individual MIME headers extracted from email MIME +## entities. MIME is a protocol-independent data format for encoding text and +## files, along with corresponding metadata, for transmission. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. 
+## +## c: The connection. +## +## h: The parsed MIME header. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_segment_data +## http_header http_all_headers +## +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. +event mime_one_header%(c: connection, h: mime_header_rec%); + +## Generated for MIME headers extracted from email MIME entities, passing all +## headers at once. MIME is a protocol-independent data format for encoding +## text and files, along with corresponding metadata, for transmission. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## hlist: A *table* containing all headers extracted from the current entity. +## The table is indexed by the position of the header (1 for the first, +## 2 for the second, etc.). +## +## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data +## http_header http_all_headers +## +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. +event mime_all_headers%(c: connection, hlist: mime_header_list%); + +## Generated for chunks of decoded MIME data from email MIME entities. MIME +## is a protocol-independent data format for encoding text and files, along with +## corresponding metadata, for transmission. As Bro parses the data of an +## entity, it raises a sequence of these events, each coming as soon as a new +## chunk of data is available. In contrast, there is also +## :bro:id:`mime_entity_data`, which passes all of an entities data at once +## in a single block. 
While the latter is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer +## the data. Thus, if possible, this event should be preferred. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## length: The length of *data*. +## +## data: The raw data of one segment of the current entity. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data +## mime_segment_length mime_segment_overlap_length +## +## .. note:: Bro also extracts MIME data from HTTP sessions. For those, +## however, it raises :bro:id:`http_entity_data` (sic!) instead. +event mime_segment_data%(c: connection, length: count, data: string%); + +## Generated for data decoded from an email MIME entity. This event delivers +## the complete content of a single MIME entity. In contrast, there is also +## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as +## they come in. While ``mime_entity_data`` is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer the +## data. Thus, if possible, the latter should be preferred. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## length: The length of *data*. +## +## data: The raw data of the complete entity. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_event mime_one_header mime_segment_data +## +## .. note:: While Bro also decodes MIME entities extracted from HTTP +## sessions, there's no corresponding event for that currently. 
+event mime_entity_data%(c: connection, length: count, data: string%); + +## Generated for passing on all data decoded from a single email MIME +## message. If an email message has more than one MIME entity, this event +## combines all their data into a single value for analysis. Note that because +## of the potentially significant buffering necessary, using this event can be +## expensive. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## length: The length of *data*. +## +## data: The raw data of all MIME entities concatenated. +## +## .. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data +## +## .. note:: While Bro also decodes MIME entities extracted from HTTP +## sessions, there's no corresponding event for that currently. +event mime_all_data%(c: connection, length: count, data: string%); + +## Generated for errors found when decoding email MIME entities. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## event_type: A string describing the general category of the problem found +## (e.g., ``illegal format``). +## +## detail: Further more detailed description of the error. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event +## +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_event` instead. +event mime_event%(c: connection, event_type: string, detail: string%); + +## Generated for decoded MIME entities extracted from email messages, passing on +## their MD5 checksums. Bro computes the MD5 over the complete decoded data of +## each MIME entity. 
+## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## content_len: The length of the entity being hashed. +## +## hash_value: The MD5 hash. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data +## +## .. note:: While Bro also decodes MIME entities extracted from HTTP +## sessions, there's no corresponding event for that currently. +event mime_content_hash%(c: connection, content_len: count, hash_value: string%); + diff --git a/src/analyzer/protocols/modbus/Modbus.cc b/src/analyzer/protocols/modbus/Modbus.cc index 841638cd0b..b36b916d06 100644 --- a/src/analyzer/protocols/modbus/Modbus.cc +++ b/src/analyzer/protocols/modbus/Modbus.cc @@ -2,6 +2,10 @@ #include "Modbus.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::modbus; + ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("MODBUS", c) { diff --git a/src/analyzer/protocols/modbus/Modbus.h b/src/analyzer/protocols/modbus/Modbus.h index 41b0267dc8..063014cf2b 100644 --- a/src/analyzer/protocols/modbus/Modbus.h +++ b/src/analyzer/protocols/modbus/Modbus.h @@ -4,7 +4,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "modbus_pac.h" -class ModbusTCP_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace modbus { + +class ModbusTCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: ModbusTCP_Analyzer(Connection* conn); virtual ~ModbusTCP_Analyzer(); @@ -22,4 +24,6 @@ protected: binpac::ModbusTCP::ModbusTCP_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/modbus/Plugin.cc b/src/analyzer/protocols/modbus/Plugin.cc index 9c53c8b814..ba93063560 100644 --- a/src/analyzer/protocols/modbus/Plugin.cc +++ b/src/analyzer/protocols/modbus/Plugin.cc 
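Review bot: The mime_content_hash documentation in this hunk should say what the MD5 is fit for, since a script author reading `hash_value: The MD5 hash.` will otherwise treat it as an integrity value; MD5 is not collision-resistant, so the hash is suitable for matching against lists of known samples and for correlating entities, not as evidence that content was unmodified. I would add after that line `## Note that MD5 is not collision-resistant; use this value for lookup and correlation, not as an integrity check.` and also state the encoding of hash_value (presumably hex, but the analyzer producing it is not in this hunk — confirm). The note under mime_event copies the header wording, saying Bro "also extracts MIME headers from HTTP sessions", where it should say that decoding errors in HTTP-carried entities are reported via http_event instead. Minor: "all of an entities data" in the mime_segment_data text should read `all of an entity's data`.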
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Modbus) BRO_PLUGIN_DESCRIPTION("Modbus Analyzer"); - BRO_PLUGIN_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("MODBUS", modbus::ModbusTCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/modbus/events.bif b/src/analyzer/protocols/modbus/events.bif index e69de29bb2..1cd17381ee 100644 --- a/src/analyzer/protocols/modbus/events.bif +++ b/src/analyzer/protocols/modbus/events.bif 
@@ -0,0 +1,295 @@ +## Generated for any modbus message regardless if the particular function +## is further supported or not. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## is_orig: True if the event is raised for the originator side. +event modbus_message%(c: connection, headers: ModbusHeaders, is_orig: bool%); + +## Generated for any modbus exception message. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## code: The exception code. +event modbus_exception%(c: connection, headers: ModbusHeaders, code: count%); + +## Generated for a Modbus read coils request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address where of the first coil to be read. +## +## quantity: The number of coils to be read. +event modbus_read_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read coils response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## coils: The coil values returned from the device. +event modbus_read_coils_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%); + +## Generated for a Modbus read discrete inputs request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first coil to be read. +## +## quantity: The number of coils to be read. +event modbus_read_discrete_inputs_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read discrete inputs response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## coils: The coil values returned from the device. 
+event modbus_read_discrete_inputs_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%); + +## Generated for a Modbus read holding registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first register to be read. +## +## quantity: The number of registers to be read. +event modbus_read_holding_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read holding registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## registers: The register values returned from the device. +event modbus_read_holding_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%); + +## Generated for a Modbus read input registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first register to be read. +## +## quantity: The number of registers to be read. +event modbus_read_input_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read input registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## registers: The register values returned from the device. +event modbus_read_input_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%); + +## Generated for a Modbus write single coil request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the coil to be written. +## +## value: The value to be written to the coil. +event modbus_write_single_coil_request%(c: connection, headers: ModbusHeaders, address: count, value: bool%); + +## Generated for a Modbus write single coil response. +## +## c: The connection. 
+## +## headers: The headers for the modbus function. +## +## address: The memory address of the coil that was written. +## +## value: The value that was written to the coil. +event modbus_write_single_coil_response%(c: connection, headers: ModbusHeaders, address: count, value: bool%); + +## Generated for a Modbus write single register request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register to be written. +## +## value: The value to be written to the register. +event modbus_write_single_register_request%(c: connection, headers: ModbusHeaders, address: count, value: count%); + +## Generated for a Modbus write single register response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register that was written. +## +## value: The value that was written to the register. +event modbus_write_single_register_response%(c: connection, headers: ModbusHeaders, address: count, value: count%); + +## Generated for a Modbus write multiple coils request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first coil to be written. +## +## value: The values to be written to the coils. +event modbus_write_multiple_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils%); + +## Generated for a Modbus write multiple coils response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first coil that was written. +## +## quantity: The quantity of coils that were written. +event modbus_write_multiple_coils_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus write multiple registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. 
+## +## start_address: The memory address of the first register to be written. +## +## registers: The values to be written to the registers. +event modbus_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters%); + +## Generated for a Modbus write multiple registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first register that was written. +## +## quantity: The quantity of registers that were written. +event modbus_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read file record request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. +event modbus_read_file_record_request%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus read file record response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. +event modbus_read_file_record_response%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus write file record request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. +event modbus_write_file_record_request%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus write file record response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. 
+event modbus_write_file_record_response%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus mask write register request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register where the masks should be applied. +## +## and_mask: The value of the logical AND mask to apply to the register. +## +## or_mask: The value of the logical OR mask to apply to the register. +event modbus_mask_write_register_request%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%); + +## Generated for a Modbus mask write register request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register where the masks were applied. +## +## and_mask: The value of the logical AND mask applied register. +## +## or_mask: The value of the logical OR mask applied to the register. +event modbus_mask_write_register_response%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%); + +## Generated for a Modbus read/write multiple registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## read_start_address: The memory address of the first register to be read. +## +## read_quantity: The number of registers to read. +## +## write_start_address: The memory address of the first register to be written. +## +## write_registers: The values to be written to the registers. +event modbus_read_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, read_start_address: count, read_quantity: count, write_start_address: count, write_registers: ModbusRegisters%); + +## Generated for a Modbus read/write multiple registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## written_registers: The register values read from the registers specified in the request. 
+event modbus_read_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, written_registers: ModbusRegisters%); + +## Generated for a Modbus read FIFO queue request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The address of the FIFO queue to read. +event modbus_read_fifo_queue_request%(c: connection, headers: ModbusHeaders, start_address: count%); + +## Generated for a Modbus read FIFO queue response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## fifos: The register values read from the FIFO queue on the device. +event modbus_read_fifo_queue_response%(c: connection, headers: ModbusHeaders, fifos: ModbusRegisters%); + diff --git a/src/analyzer/protocols/modbus/modbus.pac b/src/analyzer/protocols/modbus/modbus.pac index 9148997295..28b657abc5 100644 --- a/src/analyzer/protocols/modbus/modbus.pac +++ b/src/analyzer/protocols/modbus/modbus.pac @@ -9,6 +9,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer ModbusTCP withcontext { connection: ModbusTCP_Conn; flow: ModbusTCP_Flow; diff --git a/src/analyzer/protocols/ncp/NCP.cc b/src/analyzer/protocols/ncp/NCP.cc index bdf484cad7..75b6c9f4be 100644 --- a/src/analyzer/protocols/ncp/NCP.cc +++ b/src/analyzer/protocols/ncp/NCP.cc @@ -6,7 +6,12 @@ #include #include +#include "NCP.h" + +#include "events.bif.h" + using namespace std; +using namespace analyzer::ncp; #include "NCP.h" #include "Sessions.h" 
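Review bot: Several parameter descriptions in this hunk do not match the declared event signatures, which matters because the write events are exactly the ones ICS detection scripts key on. modbus_write_multiple_coils_request documents `value` but the parameter is `coils`, so the line should read `## coils: The values to be written to the coils.`. modbus_mask_write_register_response is introduced as "Generated for a Modbus mask write register request." and should say `response`, and its `and_mask` line is missing "to the". In modbus_read_write_multiple_registers_response the parameter is named `written_registers` yet described as "The register values read from the registers specified in the request", so either the name or the description should change; the four file-record events also use `.. note:` with a single colon, which reST will not treat as a directive (the MIME events file uses `.. note::`). There is a stray word in modbus_read_coils_request as well: `## start_address: The memory address of the first coil to be read.`.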
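Review bot: The added `#include "NCP.h"` at the top of this NCP.cc hunk duplicates the existing `#include "NCP.h"` that stays a few lines below as context, so the header is now pulled in twice in the same translation unit. NCP.h carries an include guard (its `#endif /* ncp_h */` is visible later in this diff), so this is redundant rather than broken, but one of the two should go; I would keep the original and reduce the added lines to `#include "events.bif.h"`. I would also move `using namespace analyzer::ncp;` below the last `#include` rather than leaving it between two include groups, so the using-directive follows every header it depends on; whether events.bif.h declares its handlers inside analyzer::ncp is not visible here.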
@@ -150,15 +155,15 @@ void NCP_FrameBuffer::compute_msg_length() } Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* arg_session) -: TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) { session = arg_session; resync = true; - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); if ( tcp ) resync = (orig ? tcp->OrigState() : tcp->RespState()) != - TCP_ENDPOINT_ESTABLISHED; + tcp::TCP_ENDPOINT_ESTABLISHED; } Contents_NCP_Analyzer::~Contents_NCP_Analyzer() @@ -167,9 +172,9 @@ Contents_NCP_Analyzer::~Contents_NCP_Analyzer() void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); if ( tcp && tcp->HadGap(orig) ) return; @@ -208,14 +213,14 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig void Contents_NCP_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_SupportAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); buffer.Reset(); resync = true; } NCP_Analyzer::NCP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("NCP", conn) +: tcp::TCP_ApplicationAnalyzer("NCP", conn) { session = new NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); diff --git a/src/analyzer/protocols/ncp/NCP.h b/src/analyzer/protocols/ncp/NCP.h index ae54b7b9ee..0ab73707fb 100644 --- a/src/analyzer/protocols/ncp/NCP.h +++ b/src/analyzer/protocols/ncp/NCP.h @@ -23,6 +23,8 @@ #include "ncp_pac.h" +namespace analyzer { namespace ncp { + // Create a general NCP_Session class so that it can be used in // case the RPC conversation is tunneled through other connections, // e.g., through an SMB session. 
@@ -81,7 +83,7 @@ protected: void compute_msg_length(); }; -class Contents_NCP_Analyzer : public TCP_SupportAnalyzer { +class Contents_NCP_Analyzer : public tcp::TCP_SupportAnalyzer { public: Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* session); ~Contents_NCP_Analyzer(); @@ -97,7 +99,7 @@ protected: bool resync; }; -class NCP_Analyzer : public TCP_ApplicationAnalyzer { +class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: NCP_Analyzer(Connection* conn); virtual ~NCP_Analyzer(); @@ -112,4 +114,6 @@ protected: Contents_NCP_Analyzer * r_ncp; }; +} } // namespace analyzer::* + #endif /* ncp_h */ diff --git a/src/analyzer/protocols/ncp/Plugin.cc b/src/analyzer/protocols/ncp/Plugin.cc index bc52a2c065..6bfc2b70f6 100644 --- a/src/analyzer/protocols/ncp/Plugin.cc +++ b/src/analyzer/protocols/ncp/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(NCP) BRO_PLUGIN_DESCRIPTION("NCP Analyzer"); - BRO_PLUGIN_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NCP", ncp::NCP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NCP"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ncp/events.bif b/src/analyzer/protocols/ncp/events.bif index e69de29bb2..9b5b7d77a7 100644 --- a/src/analyzer/protocols/ncp/events.bif +++ b/src/analyzer/protocols/ncp/events.bif 
@@ -0,0 +1,46 @@ +## Generated for NCP requests (Netware Core Protocol). +## +## See `Wikipedia `__ for +## more information about the NCP protocol. +## +## c: The connection. +## +## frame_type: The frame type, as specified by the protocol. +## +## length: The length of the request body, excluding the frame header. +## +## func: The requested function, as specified by the protocol. +## +## .. bro:see:: ncp_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ncp_request%(c: connection, frame_type: count, length: count, func: count%); + +## Generated for NCP replies (Netware Core Protocol). +## +## See `Wikipedia `__ for +## more information about the NCP protocol. +## +## c: The connection. +## +## frame_type: The frame type, as specified by the protocol. +## +## length: The length of the request body, excluding the frame header. +## +## req_frame: The frame type from the corresponding request. +## +## req_func: The function code from the corresponding request. +## +## completion_code: The reply's completion code, as specified by the protocol. +## +## .. bro:see:: ncp_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%); + diff --git a/src/analyzer/protocols/ncp/ncp.pac b/src/analyzer/protocols/ncp/ncp.pac index 86b8bca5da..d4d5734a54 100644 --- a/src/analyzer/protocols/ncp/ncp.pac +++ b/src/analyzer/protocols/ncp/ncp.pac 
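Review bot: The `length` description under ncp_reply was copied from ncp_request and still reads "The length of the request body, excluding the frame header." for a reply event; it should read `## length: The length of the reply body, excluding the frame header.`. The ncp_reply signature also carries `req_frame` and `req_func`, documented only as coming from "the corresponding request"; it would help anyone writing detections on completion codes to state whether this is the analyzer's own request/reply pairing or a value echoed by the protocol, which I cannot tell from this hunk.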
@@ -2,6 +2,10 @@ %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer NCP withcontext {}; type ncp_request(length: uint32) = record { diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc index fd3a4f6111..01544c4b2c 100644 --- a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc +++ b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc @@ -9,6 +9,10 @@ #include "Sessions.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::netbios_ssn; + double netbios_ssn_session_timeout = 15.0; #define MAKE_INT16(dest, src) dest = *src; dest <<=8; src++; dest |= *src; src++; @@ -44,7 +48,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len) NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(analyzer::Analyzer* arg_analyzer, - SMB_Session* arg_smb_session) + smb::SMB_Session* arg_smb_session) { analyzer = arg_analyzer; smb_session = arg_smb_session; @@ -340,7 +344,7 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data, Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig, NetbiosSSN_Interpreter* arg_interp) -: TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) { interp = arg_interp; type = flags = msg_size = 0; @@ -365,7 +369,7 @@ void Contents_NetbiosSSN::Flush() void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); if ( state == NETBIOS_SSN_TYPE ) { 
@@ -455,9 +459,9 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) } NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("NETBIOS", conn) +: tcp::TCP_ApplicationAnalyzer("NETBIOS", conn) { - smb_session = new SMB_Session(this); + smb_session = new smb::SMB_Session(this); interp = new NetbiosSSN_Interpreter(this, smb_session); orig_netbios = resp_netbios = 0; did_session_done = 0; @@ -485,7 +489,7 @@ NetbiosSSN_Analyzer::~NetbiosSSN_Analyzer() void NetbiosSSN_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->Timeout(); if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done ) @@ -496,15 +500,15 @@ void NetbiosSSN_Analyzer::Done() void NetbiosSSN_Analyzer::EndpointEOF(bool orig) { - TCP_ApplicationAnalyzer::EndpointEOF(orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); (orig ? orig_netbios : resp_netbios)->Flush(); } -void NetbiosSSN_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, - TCP_Endpoint* peer, int gen_event) +void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, + tcp::TCP_Endpoint* peer, int gen_event) { - TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); + tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); // Question: Why do we flush *both* endpoints upon connection close? // orig_netbios->Flush(); @@ -514,7 +518,7 @@ void NetbiosSSN_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); if ( orig ) interp->ParseMessageUDP(data, len, 1); diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h index 9830d192ad..df065c4348 100644 
--- a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h +++ b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h @@ -7,6 +7,8 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/smb/SMB.h" +namespace analyzer { namespace netbios_ssn { + typedef enum { NETBIOS_SSN_MSG = 0x0, NETBIOS_DGM_DIRECT_UNIQUE = 0x10, @@ -62,7 +64,7 @@ struct NetbiosDGM_RawMsgHdr { class NetbiosSSN_Interpreter { public: - NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer, SMB_Session* smb_session); + NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer, smb::SMB_Session* smb_session); int ParseMessage(unsigned int type, unsigned int flags, const u_char* data, int len, int is_query); @@ -73,17 +75,6 @@ public: void Timeout() { } - static bool any_netbios_ssn_event() - { - return netbios_session_message || - netbios_session_request || - netbios_session_accepted || - netbios_session_rejected || - netbios_session_raw_message || - netbios_session_ret_arg_resp || - netbios_session_keepalive; - } - protected: int ParseSessionMsg(const u_char* data, int len, int is_query); int ParseSessionReq(const u_char* data, int len, int is_query); @@ -109,7 +100,7 @@ protected: protected: analyzer::Analyzer* analyzer; - SMB_Session* smb_session; + smb::SMB_Session* smb_session; }; @@ -122,7 +113,7 @@ typedef enum { } NetbiosSSN_State; // ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS. -class Contents_NetbiosSSN : public TCP_SupportAnalyzer { +class Contents_NetbiosSSN : public tcp::TCP_SupportAnalyzer { public: Contents_NetbiosSSN(Connection* conn, bool orig, NetbiosSSN_Interpreter* interp); @@ -148,7 +139,7 @@ protected: NetbiosSSN_State state; }; -class NetbiosSSN_Analyzer : public TCP_ApplicationAnalyzer { +class NetbiosSSN_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: NetbiosSSN_Analyzer(Connection* conn); ~NetbiosSSN_Analyzer(); 
@@ -161,14 +152,14 @@ public: { return new NetbiosSSN_Analyzer(conn); } protected: - virtual void ConnectionClosed(TCP_Endpoint* endpoint, - TCP_Endpoint* peer, int gen_event); + virtual void ConnectionClosed(tcp::TCP_Endpoint* endpoint, + tcp::TCP_Endpoint* peer, int gen_event); virtual void EndpointEOF(bool is_orig); void ExpireTimer(double t); NetbiosSSN_Interpreter* interp; - SMB_Session* smb_session; + smb::SMB_Session* smb_session; Contents_NetbiosSSN* orig_netbios; Contents_NetbiosSSN* resp_netbios; int did_session_done; @@ -177,4 +168,6 @@ protected: // FIXME: Doesn't really fit into new analyzer structure. What to do? int IsReuse(double t, const u_char* pkt); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/netbios-ssn/Plugin.cc b/src/analyzer/protocols/netbios-ssn/Plugin.cc index b14c3a9d8f..8ed7824634 100644 --- a/src/analyzer/protocols/netbios-ssn/Plugin.cc +++ b/src/analyzer/protocols/netbios-ssn/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(NetbiosSSN) BRO_PLUGIN_DESCRIPTION("NetbiosSSN Analyzer"); - BRO_PLUGIN_ANALYZER("NetbiosSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/netbios-ssn/events.bif b/src/analyzer/protocols/netbios-ssn/events.bif index e69de29bb2..bf382e1663 100644 --- a/src/analyzer/protocols/netbios-ssn/events.bif +++ b/src/analyzer/protocols/netbios-ssn/events.bif 
@@ -0,0 +1,209 @@
+## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
+## processes the NetBIOS session service running on TCP port 139, and (despite
+## its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## msg_type: The general type of message, as defined in Section 4.3.1 of
+## `RFC 1002 `__.
+##
+## data_len: The length of the message's payload.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## netbios_session_raw_message netbios_session_rejected netbios_session_request
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
+
+## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
+## analyzer processes the NetBIOS session service running on TCP port 139, and
+## (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## netbios_session_message netbios_session_raw_message netbios_session_rejected
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_request%(c: connection, msg: string%);
+
+## Generated for NetBIOS messages of type *positive session response*. Bro's
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port
+## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
+##
+## .. bro:see:: netbios_session_keepalive netbios_session_message
+## netbios_session_raw_message netbios_session_rejected netbios_session_request
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## ..
todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_accepted%(c: connection, msg: string%);
+
+## Generated for NetBIOS messages of type *negative session response*. Bro's
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port
+## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## netbios_session_message netbios_session_raw_message netbios_session_request
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_rejected%(c: connection, msg: string%);
+
+## Generated for NetBIOS messages of type *session message* that are not
+## carrying an SMB payload.
+##
+## NetBIOS analyzer processes the NetBIOS session service running on TCP port
+## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header (i.e., the ``user_data``).
+##
+## .. bro:see:: netbios_session_accepted netbios_session_keepalive
+## netbios_session_message netbios_session_rejected netbios_session_request
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: This is an oddly named event. In fact, it's probably an odd event
+## to have to begin with.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
+
+## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
+## analyzer processes the NetBIOS session service running on TCP port 139, and
+## (despite its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
+##
+## ..
bro:see:: netbios_session_accepted netbios_session_keepalive
+## netbios_session_message netbios_session_raw_message netbios_session_rejected
+## netbios_session_request decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: This is an oddly named event.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_ret_arg_resp%(c: connection, msg: string%);
+
+## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
+## processes the NetBIOS session service running on TCP port 139, and (despite
+## its name!) the NetBIOS datagram service on UDP port 138.
+##
+## See `Wikipedia `__ for more information
+## about NetBIOS. `RFC 1002 `__ describes
+## the packet format for NetBIOS over TCP/IP, which Bro parses.
+##
+## c: The connection, which may be TCP or UDP, depending on the type of the
+## NetBIOS session.
+##
+## msg: The raw payload of the message sent, excluding the common NetBIOS
+## header.
+##
+## .. bro:see:: netbios_session_accepted netbios_session_message
+## netbios_session_raw_message netbios_session_rejected netbios_session_request
+## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
+##
+## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
+## `SMB/CIFS `__. Bro's
+## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x.
To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event netbios_session_keepalive%(c: connection, msg: string%);
+
diff --git a/src/analyzer/protocols/netflow/CMakeLists.txt b/src/analyzer/protocols/netflow/CMakeLists.txt
new file mode 100644
index 0000000000..c45f410b26
--- /dev/null
+++ b/src/analyzer/protocols/netflow/CMakeLists.txt
@@ -0,0 +1,16 @@
+
+# This is not an actual analyzer, but used by the core. We still
+# maintain it here along with the other analyzers because conceptually
+# it's also parsing a protocol just like them. The current structure
+# is merely a left-over from when this code was written.
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(NetFlow)
+bro_plugin_cc(Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(netflow.pac netflow-protocol.pac netflow-analyzer.pac)
+bro_plugin_end()
+
diff --git a/src/analyzer/protocols/netflow/Plugin.cc b/src/analyzer/protocols/netflow/Plugin.cc
new file mode 100644
index 0000000000..f7c36e943a
--- /dev/null
+++ b/src/analyzer/protocols/netflow/Plugin.cc
@@ -0,0 +1,7 @@
+
+#include "plugin/Plugin.h"
+
+BRO_PLUGIN_BEGIN(NetFlow)
+ BRO_PLUGIN_DESCRIPTION("NetFlow Parsing Code");
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/netflow/events.bif b/src/analyzer/protocols/netflow/events.bif
new file mode 100644
index 0000000000..69c196de9e
--- /dev/null
+++ b/src/analyzer/protocols/netflow/events.bif
@@ -0,0 +1,18 @@ +## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises +## this event whenever it either receives a NetFlow header on the port it's +## listening on, or reads one from a trace file. +## +## h: The parsed NetFlow header. +## +## .. bro:see:: netflow_v5_record +event netflow_v5_header%(h: nf_v5_header%); + +## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises +## this event whenever it either receives a NetFlow record on the port it's +## listening on, or reads one from a trace file. +## +## r: The parsed NetFlow record. +## +## .. bro:see:: netflow_v5_record +event netflow_v5_record%(r: nf_v5_record%); + diff --git a/src/netflow-analyzer.pac b/src/analyzer/protocols/netflow/netflow-analyzer.pac similarity index 100% rename from src/netflow-analyzer.pac rename to src/analyzer/protocols/netflow/netflow-analyzer.pac diff --git a/src/netflow-protocol.pac b/src/analyzer/protocols/netflow/netflow-protocol.pac similarity index 100% rename from src/netflow-protocol.pac rename to src/analyzer/protocols/netflow/netflow-protocol.pac diff --git a/src/netflow.pac b/src/analyzer/protocols/netflow/netflow.pac similarity index 88% rename from src/netflow.pac rename to src/analyzer/protocols/netflow/netflow.pac index 91040aadeb..57e1b71a76 100644 --- a/src/netflow.pac +++ b/src/analyzer/protocols/netflow/netflow.pac @@ -4,6 +4,8 @@ #include "net_util.h" #include "Event.h" extern RecordType* conn_id; + +#include "events.bif.h" %} %include bro.pac diff --git a/src/analyzer/protocols/ntp/NTP.cc b/src/analyzer/protocols/ntp/NTP.cc index 729edee923..b4b63d5634 100644 --- a/src/analyzer/protocols/ntp/NTP.cc +++ b/src/analyzer/protocols/ntp/NTP.cc @@ -7,6 +7,9 @@ #include "Sessions.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::ntp; NTP_Analyzer::NTP_Analyzer(Connection* conn) : Analyzer("NTP", conn) 
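Review bot: The `.. bro:see::` reference under `netflow_v5_record` points at the event itself rather than at its sibling; it should read `## .. bro:see:: netflow_v5_header`. The reference under `netflow_v5_header` already names `netflow_v5_record` correctly, so only the second block needs the change.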
diff --git a/src/analyzer/protocols/ntp/NTP.h b/src/analyzer/protocols/ntp/NTP.h index d161b4795d..2c989da4d1 100644 --- a/src/analyzer/protocols/ntp/NTP.h +++ b/src/analyzer/protocols/ntp/NTP.h @@ -5,12 +5,13 @@ #include "analyzer/protocols/udp/UDP.h" - // The following are from the tcpdump distribution, credited there // to the U of MD implementation. #define JAN_1970 2208988800.0 /* 1970 - 1900 in seconds */ +namespace analyzer { namespace ntp { + struct l_fixedpt { unsigned int int_part; unsigned int fraction; @@ -63,4 +64,6 @@ protected: void ExpireTimer(double t); }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ntp/Plugin.cc b/src/analyzer/protocols/ntp/Plugin.cc index f2a0e487c9..8331c25dee 100644 --- a/src/analyzer/protocols/ntp/Plugin.cc +++ b/src/analyzer/protocols/ntp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(NTP) BRO_PLUGIN_DESCRIPTION("NTP Analyzer"); - BRO_PLUGIN_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NTP", ntp::NTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ntp/events.bif b/src/analyzer/protocols/ntp/events.bif index e69de29bb2..bba2dfbbe5 100644 --- a/src/analyzer/protocols/ntp/events.bif +++ b/src/analyzer/protocols/ntp/events.bif 
@@ -0,0 +1,21 @@ +## Generated for all NTP messages. Different from many other of Bro's events, +## this one is generated for both client-side and server-side messages. +## +## See `Wikipedia `__ for +## more information about the NTP protocol. +## +## u: The connection record describing the corresponding UDP flow. +## +## msg: The parsed NTP message. +## +## excess: The raw bytes of any optional parts of the NTP packet. Bro does not +## further parse any optional fields. +## +## .. bro:see:: ntp_session_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ntp_message%(u: connection, msg: ntp_msg, excess: string%); + diff --git a/src/analyzer/protocols/pia/PIA.cc b/src/analyzer/protocols/pia/PIA.cc index eb21fc7331..d5defc018e 100644 --- a/src/analyzer/protocols/pia/PIA.cc +++ b/src/analyzer/protocols/pia/PIA.cc @@ -2,6 +2,10 @@ #include "RuleMatcher.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::pia; + PIA::PIA(analyzer::Analyzer* arg_as_analyzer) { current_packet.data = 0; @@ -163,11 +167,11 @@ PIA_TCP::~PIA_TCP() void PIA_TCP::Init() { - TCP_ApplicationAnalyzer::Init(); + tcp::TCP_ApplicationAnalyzer::Init(); if ( Parent()->IsAnalyzer("TCP") ) { - TCP_Analyzer* tcp = static_cast(Parent()); + tcp::TCP_Analyzer* tcp = static_cast(Parent()); SetTCP(tcp); tcp->SetPIA(this); } @@ -223,7 +227,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip) void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( stream_buffer.state == SKIPPING ) return; 
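Review bot: In PIA_TCP::Init() the rewritten line `tcp::TCP_Analyzer* tcp = …(Parent());` gives the local the same name as the `analyzer::tcp` namespace it is qualified by. Qualified lookup of the name before `::` considers only namespaces and types, so `tcp::TCP_Analyzer` and `tcp->SetPIA(this)` still resolve as intended, but the line reads as if the variable shadows the namespace and it will trip up readers and tooling. Renaming the local, e.g. `tcp::TCP_Analyzer* tcp_analyzer = …`, avoids the ambiguity. The same pattern appears in the PIA_TCP::ActivateAnalyzer hunk below and in Contents_RPC::CheckResync in RPC.cc.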
@@ -253,7 +257,7 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig) void PIA_TCP::Undelivered(int seq, int len, bool is_orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); if ( stream_buffer.state == BUFFERING ) // We use data=nil to mark an undelivered. @@ -294,7 +298,7 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) // // Here's what we do: // - // (1) We create new TCP_Reassemblers and feed them the buffered + // (1) We create new tcp::TCP_Reassemblers and feed them the buffered // packets. // // (2) The reassembler will give us their results via the @@ -322,14 +326,14 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) return; } - TCP_Analyzer* tcp = (TCP_Analyzer*) Parent(); + tcp::TCP_Analyzer* tcp = (tcp::TCP_Analyzer*) Parent(); - TCP_Reassembler* reass_orig = - new TCP_Reassembler(this, tcp, TCP_Reassembler::Direct, + tcp::TCP_Reassembler* reass_orig = + new tcp::TCP_Reassembler(this, tcp, tcp::TCP_Reassembler::Direct, true, tcp->Orig()); - TCP_Reassembler* reass_resp = - new TCP_Reassembler(this, tcp, TCP_Reassembler::Direct, + tcp::TCP_Reassembler* reass_resp = + new tcp::TCP_Reassembler(this, tcp, tcp::TCP_Reassembler::Direct, false, tcp->Resp()); int orig_seq = 0; @@ -365,8 +369,8 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) reass_orig->AckReceived(orig_seq); reass_resp->AckReceived(resp_seq); - reass_orig->SetType(TCP_Reassembler::Forward); - reass_resp->SetType(TCP_Reassembler::Forward); + reass_orig->SetType(tcp::TCP_Reassembler::Forward); + reass_resp->SetType(tcp::TCP_Reassembler::Forward); tcp->SetReassembler(reass_orig, reass_resp); } diff --git a/src/analyzer/protocols/pia/PIA.h b/src/analyzer/protocols/pia/PIA.h index a91a516165..1d788d39a6 100644 --- a/src/analyzer/protocols/pia/PIA.h +++ b/src/analyzer/protocols/pia/PIA.h 
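Review bot: The rewritten line `tcp::TCP_Analyzer* tcp = (tcp::TCP_Analyzer*) Parent();` in PIA_TCP::ActivateAnalyzer keeps a C-style cast, while the Init() hunk earlier in this same file performs the identical Parent() conversion with `static_cast`. Since the line is being touched anyway, using `static_cast` here too would make the two consistent and greppable. ActivateAnalyzer's body starts and ends outside this hunk, so whether a preceding IsAnalyzer("TCP") check guards this cast is not visible here.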
@@ -8,6 +8,8 @@ class RuleEndpointState; +namespace analyzer { namespace pia { + // Abstract PIA class providing common functionality for both TCP and UDP. // Accepts only packet input. // @@ -115,10 +117,10 @@ protected: // PIA for TCP. Accepts both packet and stream input (and reassembles // packets before passing payload on to children). -class PIA_TCP : public PIA, public TCP_ApplicationAnalyzer { +class PIA_TCP : public PIA, public tcp::TCP_ApplicationAnalyzer { public: PIA_TCP(Connection* conn) - : PIA(this), TCP_ApplicationAnalyzer("PIA_TCP", conn) + : PIA(this), tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn) { stream_mode = false; SetConn(conn); } virtual ~PIA_TCP(); @@ -169,4 +171,6 @@ private: bool stream_mode; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/pia/Plugin.cc b/src/analyzer/protocols/pia/Plugin.cc index a62e757164..2d56f80038 100644 --- a/src/analyzer/protocols/pia/Plugin.cc +++ b/src/analyzer/protocols/pia/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(PIA) BRO_PLUGIN_DESCRIPTION("Protocol Identificatin Analyzers"); - BRO_PLUGIN_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("PIA_TCP", pia::PIA_TCP); + BRO_PLUGIN_ANALYZER("PIA_UDP", pia::PIA_UDP); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/pop3/POP3.cc b/src/analyzer/protocols/pop3/POP3.cc index 6b4fda8169..7a81da1b5e 100644 --- a/src/analyzer/protocols/pop3/POP3.cc +++ b/src/analyzer/protocols/pop3/POP3.cc @@ -15,6 +15,10 @@ #include "Reporter.h" #include "analyzer/protocols/login/NVT.h" +#include "events.bif.h" + +using namespace analyzer::pop3; + #undef POP3_CMD_DEF #define POP3_CMD_DEF(cmd) #cmd, @@ -26,7 +30,7 @@ static const char* pop3_cmd_word[] = { POP3_Analyzer::POP3_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("POP3", conn) +: tcp::TCP_ApplicationAnalyzer("POP3", conn) { masterState = POP3_START; subState = POP3_WOK; 
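Review bot: The rewritten initializer `: PIA(this), tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn)` converts `this` to an `analyzer::Analyzer*` for PIA before the `tcp::TCP_ApplicationAnalyzer` subobject that provides that base has begun construction, because bases are initialized in declaration order and PIA is listed first. With non-virtual bases this works in practice, but the standard's rules on pointer conversions during construction make it formally undefined, and PIA presumably stores the pointer and must not use it until PIA_TCP is fully constructed. This is pre-existing rather than introduced by the namespace change, but as the line is being touched a comment would help, e.g. `// NOTE: PIA receives this as Analyzer* before the TCP base is constructed; it must not be used until construction completes.`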
@@ -41,8 +45,8 @@ POP3_Analyzer::POP3_Analyzer(Connection* conn) mail = 0; - AddSupportAnalyzer(new ContentLine_Analyzer(conn, true)); - AddSupportAnalyzer(new ContentLine_Analyzer(conn, false)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false)); } POP3_Analyzer::~POP3_Analyzer() @@ -51,7 +55,7 @@ POP3_Analyzer::~POP3_Analyzer() void POP3_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( mail ) EndData(); @@ -60,7 +64,7 @@ void POP3_Analyzer::Done() void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); if ( (TCP() && TCP()->IsPartial()) || backOff ) return; @@ -802,7 +806,7 @@ void POP3_Analyzer::AuthSuccessfull() void POP3_Analyzer::BeginData() { delete mail; - mail = new MIME_Mail(this); + mail = new mime::MIME_Mail(this); } void POP3_Analyzer::EndData() diff --git a/src/analyzer/protocols/pop3/POP3.h b/src/analyzer/protocols/pop3/POP3.h index 10dbe9d085..37620c0024 100644 --- a/src/analyzer/protocols/pop3/POP3.h +++ b/src/analyzer/protocols/pop3/POP3.h @@ -11,12 +11,13 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/login/NVT.h" -#include "MIME.h" - +#include "analyzer/protocols/mime/MIME.h" #undef POP3_CMD_DEF #define POP3_CMD_DEF(cmd) POP3_CMD_##cmd, +namespace analyzer { namespace pop3 { + typedef enum { #include "POP3_cmd.def" } POP3_Cmd; @@ -60,7 +61,7 @@ typedef enum { POP3_WOK, } POP3_SubState; -class POP3_Analyzer : public TCP_ApplicationAnalyzer { +class POP3_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: POP3_Analyzer(Connection* conn); ~POP3_Analyzer(); 
@@ -103,11 +104,13 @@ protected: void POP3Event(EventHandlerPtr event, bool is_orig, const char* arg1 = 0, const char* arg2 = 0); - MIME_Mail* mail; + mime::MIME_Mail* mail; list cmds; private: bool backOff; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/pop3/Plugin.cc b/src/analyzer/protocols/pop3/Plugin.cc index 5f56ade93a..056cb36682 100644 --- a/src/analyzer/protocols/pop3/Plugin.cc +++ b/src/analyzer/protocols/pop3/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(POP3) BRO_PLUGIN_DESCRIPTION("POP3 Analyzer"); - BRO_PLUGIN_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("POP3", pop3::POP3_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/pop3/events.bif b/src/analyzer/protocols/pop3/events.bif index e69de29bb2..7692c61f6b 100644 --- a/src/analyzer/protocols/pop3/events.bif +++ b/src/analyzer/protocols/pop3/events.bif 
@@ -0,0 +1,172 @@
+## Generated for client-side commands on POP3 connections.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## command: The command sent.
+##
+## arg: The argument to the command.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
+## pop3_terminate pop3_unexpected
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_request%(c: connection, is_orig: bool,
+ command: string, arg: string%);
+
+## Generated for server-side replies to commands on POP3 connections.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+## connection.
+##
+## cmd: The success indicator sent by the server. This corresponds to the
+## first token on the line sent, and should be either ``OK`` or ``ERR``.
+##
+## msg: The textual description the server sent along with *cmd*.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request
+## pop3_terminate pop3_unexpected
+##
+## .. todo:: This event is receiving odd parameters, should unify.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
+
+## Generated for server-side multi-line responses on POP3 connections.
POP3
+## connections use multi-line responses to send bulk data, such as the actual
+## mails. This event is generated once for each line that's part of such a
+## response.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the data was sent by the originator of the TCP connection.
+##
+## data: The data sent.
+##
+## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
+## pop3_terminate pop3_unexpected
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_data%(c: connection, is_orig: bool, data: string%);
+
+## Generated for errors encountered on POP3 sessions. If the POP3 analyzer
+## finds state transitions that do not conform to the protocol specification,
+## or other situations it can't handle, it raises this event.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the data was sent by the originator of the TCP connection.
+##
+## msg: A textual description of the situation.
+##
+## detail: The input that triggered the event.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
+## pop3_terminate
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_unexpected%(c: connection, is_orig: bool,
+ msg: string, detail: string%);
+
+## Generated when a POP3 connection goes encrypted.
While POP3 is by default a
+## clear-text protocol, extensions exist to switch to encryption. This event is
+## generated if that happens and the analyzer then stops processing the
+## connection.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: Always false.
+##
+## msg: A descriptive message why processing was stopped.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
+## pop3_unexpected
+##
+## .. note:: Currently, only the ``STARTLS`` command is recognized and
+## triggers this.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_terminate%(c: connection, is_orig: bool, msg: string%);
+
+## Generated for successful authentications on POP3 connections.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+##
+## c: The connection.
+##
+## is_orig: Always false.
+##
+## user: The user name used for authentication. The event is only generated if
+## a non-empty user name was used.
+##
+## password: The password used for authentication.
+##
+## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request pop3_terminate
+## pop3_unexpected
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pop3_login_success%(c: connection, is_orig: bool,
+ user: string, password: string%);
+
+## Generated for unsuccessful authentications on POP3 connections.
+##
+## See `Wikipedia `__ for more information
+## about the POP3 protocol.
+## +## c: The connection. +## +## is_orig: Always false. +## +## user: The user name attempted for authentication. The event is only +## generated if a non-empty user name was used. +## +## password: The password attempted for authentication. +## +## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request pop3_terminate +## pop3_unexpected +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pop3_login_failure%(c: connection, is_orig: bool, + user: string, password: string%); + diff --git a/src/analyzer/protocols/rpc/NFS.cc b/src/analyzer/protocols/rpc/NFS.cc index 461ac44c4f..51d1b90691 100644 --- a/src/analyzer/protocols/rpc/NFS.cc +++ b/src/analyzer/protocols/rpc/NFS.cc @@ -9,6 +9,10 @@ #include "NFS.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::rpc; + int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) { if ( c->Program() != 100003 ) diff --git a/src/analyzer/protocols/rpc/NFS.h b/src/analyzer/protocols/rpc/NFS.h index 18acff4b37..e9e978eaa2 100644 --- a/src/analyzer/protocols/rpc/NFS.h +++ b/src/analyzer/protocols/rpc/NFS.h @@ -7,6 +7,8 @@ #include "XDR.h" #include "Event.h" +namespace analyzer { namespace rpc { + class NFS_Interp : public RPC_Interpreter { public: NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } @@ -80,4 +82,6 @@ public: }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/rpc/Plugin.cc b/src/analyzer/protocols/rpc/Plugin.cc index 25c958859b..23f5d0e667 100644 --- a/src/analyzer/protocols/rpc/Plugin.cc +++ b/src/analyzer/protocols/rpc/Plugin.cc 
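Review bot: `pop3_login_success` and `pop3_login_failure` hand the clear-text `password` captured from the wire to script-land, and the parameter description says nothing about that; it should tell handler authors the value is a credential so it is not written to logs or notices, e.g. `## password: The password used for authentication. This is a credential captured from the wire; handlers should avoid logging it.`. Two smaller documentation points in the same hunk: the `pop3_reply` text says *cmd* is ``OK`` or ``ERR``, whereas the POP3 status indicators on the wire are `+OK` and `-ERR`, so it should state which form the analyzer actually delivers. The `pop3_terminate` note refers to a ``STARTLS`` command, which looks like a typo; the POP3 command for switching to TLS is `STLS` (RFC 2595), and the spelling here should match whatever the analyzer's command table (outside this chunk) recognizes.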
@@ -7,8 +7,8 @@ BRO_PLUGIN_BEGIN(RPC)
 	BRO_PLUGIN_DESCRIPTION("Analyzers for RPC-based protocols");
-	BRO_PLUGIN_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer);
-	BRO_PLUGIN_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("NFS", rpc::NFS_Analyzer);
+	BRO_PLUGIN_ANALYZER("PORTMAPPER", rpc::Portmapper_Analyzer);
 	BRO_PLUGIN_SUPPORT_ANALYZER("Contents_RPC");
 	BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NFS");
 	BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocols/rpc/Portmap.cc b/src/analyzer/protocols/rpc/Portmap.cc
index 9bebd0f8a6..f57d9a915c 100644
--- a/src/analyzer/protocols/rpc/Portmap.cc
+++ b/src/analyzer/protocols/rpc/Portmap.cc
@@ -7,6 +7,10 @@
 #include "Portmap.h"
 #include "Event.h"
+#include "events.bif.h"
+
+using namespace analyzer::rpc;
+
 #define PMAPPROC_NULL 0
 #define PMAPPROC_SET 1
 #define PMAPPROC_UNSET 2
diff --git a/src/analyzer/protocols/rpc/Portmap.h b/src/analyzer/protocols/rpc/Portmap.h
index bf7ab30891..6aa1173f02 100644
--- a/src/analyzer/protocols/rpc/Portmap.h
+++ b/src/analyzer/protocols/rpc/Portmap.h
@@ -5,6 +5,8 @@
 #include "RPC.h"
+namespace analyzer { namespace rpc {
+
 class PortmapperInterp : public RPC_Interpreter {
 public:
 	PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
@@ -33,4 +35,6 @@ public:
 		{ return new Portmapper_Analyzer(conn); }
 	};
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/rpc/RPC.cc b/src/analyzer/protocols/rpc/RPC.cc
index 2dd11c215e..ea037c227f 100644
--- a/src/analyzer/protocols/rpc/RPC.cc
+++ b/src/analyzer/protocols/rpc/RPC.cc
@@ -11,6 +11,10 @@
 #include "RPC.h"
 #include "Sessions.h"
+#include "events.bif.h"
+
+using namespace analyzer::rpc;
+
 namespace { // local namespace
 	const bool DEBUG_rpc_resync = false;
 }
@@ -373,7 +377,7 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len)
 Contents_RPC::Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* arg_interp)
-	: TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig)
+	: tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig)
 	{
 	interp = arg_interp;
 	state = WAIT_FOR_MESSAGE;
@@ -385,7 +389,7 @@ Contents_RPC::Contents_RPC(Connection* conn, bool orig,
 void Contents_RPC::Init()
 	{
-	TCP_SupportAnalyzer::Init();
+	tcp::TCP_SupportAnalyzer::Init();
 	}
 Contents_RPC::~Contents_RPC()
@@ -394,7 +398,7 @@ Contents_RPC::~Contents_RPC()
 void Contents_RPC::Undelivered(int seq, int len, bool orig)
 	{
-	TCP_SupportAnalyzer::Undelivered(seq, len, orig);
+	tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
 	NeedResync();
 	}
@@ -413,12 +417,12 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
 	// is fully established we are in sync (since it's the first chunk
 	// of data after the SYN if its not established we need to
 	// resync.
-	TCP_Analyzer* tcp =
-		static_cast(Parent())->TCP();
+	tcp::TCP_Analyzer* tcp =
+		static_cast(Parent())->TCP();
 	assert(tcp);
 	if ( (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
-	     TCP_ENDPOINT_ESTABLISHED )
+	     tcp::TCP_ENDPOINT_ESTABLISHED )
 		{
 		NeedResync();
 		}
@@ -578,7 +582,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig)
 void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+	tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
 	uint32 marker;
 	bool last_frag;
@@ -675,7 +679,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
 RPC_Analyzer::RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp)
-: TCP_ApplicationAnalyzer(name, conn)
+: tcp::TCP_ApplicationAnalyzer(name, conn)
 	{
 	interp = arg_interp;
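Review bot: In the CheckResync hunk, `assert(tcp);` is the only guard before `tcp->OrigState()` / `tcp->RespState()` on the next line; under an NDEBUG build the assert compiles away and a null result from `TCP()` would be dereferenced. This is pre-existing rather than introduced by the `tcp::` qualification, and whether `TCP()` can actually return null for a support analyzer is not visible here, so it may be purely defensive. If it can, folding the null case into the existing branch keeps the behaviour safe without changing the happy path: `if ( ! tcp || (IsOrig() ? tcp->OrigState() : tcp->RespState()) != tcp::TCP_ENDPOINT_ESTABLISHED )`. CheckResync begins and ends outside this hunk, so any later use of `tcp` in the function would need the same treatment.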
@@ -692,7 +696,7 @@ RPC_Analyzer::~RPC_Analyzer()
 void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
 	{
-	TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	len = min(len, caplen);
 	if ( orig )
@@ -709,7 +713,7 @@ void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 void RPC_Analyzer::Done()
 	{
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 	interp->Timeout();
 	}
diff --git a/src/analyzer/protocols/rpc/RPC.h b/src/analyzer/protocols/rpc/RPC.h
index da39e9f220..504f2eb194 100644
--- a/src/analyzer/protocols/rpc/RPC.h
+++ b/src/analyzer/protocols/rpc/RPC.h
@@ -6,6 +6,8 @@
 #include "analyzer/protocols/tcp/TCP.h"
 #include "analyzer/protocols/udp/UDP.h"
+namespace analyzer { namespace rpc {
+
 enum {
 	RPC_CALL = 0,
 	RPC_REPLY = 1,
@@ -176,7 +178,7 @@ protected:
 	};
 /* Support Analyzer for reassembling RPC-over-TCP messages */
-class Contents_RPC : public TCP_SupportAnalyzer {
+class Contents_RPC : public tcp::TCP_SupportAnalyzer {
 public:
 	Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* interp);
 	virtual ~Contents_RPC();
@@ -222,7 +224,7 @@ protected:
 	int resync_toskip;
 	};
-class RPC_Analyzer : public TCP_ApplicationAnalyzer {
+class RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp);
@@ -242,4 +244,6 @@ protected:
 	Contents_RPC* resp_rpc;
 	};
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/rpc/XDR.cc b/src/analyzer/protocols/rpc/XDR.cc
index 96d855ddbd..981a982716 100644
--- a/src/analyzer/protocols/rpc/XDR.cc
+++ b/src/analyzer/protocols/rpc/XDR.cc
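Review bot: The first RPC.h hunk opens `namespace analyzer { namespace rpc {` directly above the unscoped `enum { RPC_CALL = 0, RPC_REPLY = 1, ...`, so those enumerators silently move from the global namespace into analyzer::rpc. Nothing in this diff touches their users, so any unqualified `RPC_CALL` / `RPC_REPLY` outside the namespace (I can't see whether one exists) would now fail to compile; a grep of the tree for the enumerator names before merging would settle it. Since the enum is being relocated anyway, giving it a name, e.g. `enum RPC_MsgType {`, would make such external references greppable and self-documenting. The enum body continues outside the hunk.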
@@ -6,7 +6,11 @@
 #include "XDR.h"
-uint32 extract_XDR_uint32(const u_char*& buf, int& len)
+#include "events.bif.h"
+
+using namespace analyzer::rpc;
+
+uint32 analyzer::rpc::extract_XDR_uint32(const u_char*& buf, int& len)
 	{
 	if ( ! buf )
 		return 0;
@@ -26,7 +30,7 @@ uint32 extract_XDR_uint32(const u_char*& buf, int& len)
 	return bits32;
 	}
-uint64 extract_XDR_uint64(const u_char*& buf, int& len)
+uint64 analyzer::rpc::extract_XDR_uint64(const u_char*& buf, int& len)
 	{
 	if ( ! buf || len < 8 )
 		{
@@ -40,7 +44,7 @@ uint64 extract_XDR_uint64(const u_char*& buf, int& len)
 	return (uhi << 32) + ulo;
 	}
-double extract_XDR_time(const u_char*& buf, int& len)
+double analyzer::rpc::extract_XDR_time(const u_char*& buf, int& len)
 	{
 	if ( ! buf || len < 8 )
 		{
@@ -54,7 +58,7 @@ double extract_XDR_time(const u_char*& buf, int& len)
 	return double(uhi) + double(ulo) / 1e9;
 	}
-const u_char* extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_len, bool short_buf_ok)
+const u_char* analyzer::rpc::extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_len, bool short_buf_ok)
 	{
 	n = int(extract_XDR_uint32(buf, len));
 	if ( ! buf )
@@ -78,7 +82,7 @@ const u_char* extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_l
 	return opaque;
 	}
-const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n)
+const u_char* analyzer::rpc::extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n)
 	{
 	if ( ! buf )
 		return 0;
@@ -97,7 +101,7 @@ const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n)
 	}
-uint32 skip_XDR_opaque_auth(const u_char*& buf, int& len)
+uint32 analyzer::rpc::skip_XDR_opaque_auth(const u_char*& buf, int& len)
 	{
 	uint32 auth_flavor = extract_XDR_uint32(buf, len);
 	if ( ! buf )
diff --git a/src/analyzer/protocols/rpc/XDR.h b/src/analyzer/protocols/rpc/XDR.h
index 65192d6067..2f4a7d59e4 100644
--- a/src/analyzer/protocols/rpc/XDR.h
+++ b/src/analyzer/protocols/rpc/XDR.h
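Review bot: The new `using namespace analyzer::rpc;` in XDR.cc is redundant once every definition is spelled `analyzer::rpc::extract_XDR_...`: unqualified names in the body of a qualified definition are already looked up in that namespace, so the `extract_XDR_uint32(buf, len)` call inside extract_XDR_opaque resolves without the directive. It also diverges from NFS.cc, Portmap.cc and RPC.cc in this commit, which rely on the directive rather than qualifying each definition; wrapping XDR.cc's definitions in `namespace analyzer { namespace rpc {` ... `} } // namespace analyzer::rpc` as the headers do would remove both the directive and the per-function qualifiers. Separately, the context line `n = int(extract_XDR_uint32(buf, len));` narrows a wire-supplied 32-bit length to a signed int, so values at or above 2^31 arrive as negative n; the comparison against max_len lies outside the hunk, so I can't tell whether a negative n is rejected there, and it's worth confirming since this decodes untrusted input. Each function in this hunk continues past the hunk boundary.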
@@ -8,6 +8,8 @@
 #include "util.h"
+namespace analyzer { namespace rpc {
+
 extern uint32 extract_XDR_uint32(const u_char*& buf, int& len);
 extern uint64 extract_XDR_uint64(const u_char*& buf, int& len);
 extern double extract_XDR_time(const u_char*& buf, int& len);
@@ -16,4 +18,6 @@ extern const u_char* extract_XDR_opaque(const u_char*& buf, int& len,
 extern const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n);
 extern uint32 skip_XDR_opaque_auth(const u_char*& buf, int& len);
+} } // namespace analyzer::*
+
 #endif
diff --git a/src/analyzer/protocols/rpc/events.bif b/src/analyzer/protocols/rpc/events.bif
index e69de29bb2..f0050ab446 100644
--- a/src/analyzer/protocols/rpc/events.bif
+++ b/src/analyzer/protocols/rpc/events.bif
@@ -0,0 +1,728 @@ +## Generated for NFSv3 request/reply dialogues of type *null*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_read nfs_proc_readdir nfs_proc_readlink +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_null%(c: connection, info: NFS3::info_t%); + +## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## fh: TODO. +## +## attrs: The attributes returned in the reply. The values may not be valid if +## the request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply file_mode +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); + +## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *read*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. 
+## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir +## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply +## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## fh: The file handle passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *write*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_reply_status rpc_call +## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only +## NFS3::return_data_max +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *create*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. 
See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *remove*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. 
+## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%); + +## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3 +## analyzer does not implement. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## proc: The procedure called that Bro does not implement. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove +## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%); + +## Generated for each NFSv3 reply message received, reporting just the +## status included. +## +## n: The connection. +## +## info: Reports the status included in the reply. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. 
+event nfs_reply_status%(n: connection, info: NFS3::info_t%); + +## Generated for Portmapper requests of type *null*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit +## pm_request_dump pm_request_getport pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_request_null%(r: connection%); + +## Generated for Portmapper request/reply dialogues of type *set*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## m: The argument to the request. +## +## success: True if the request was successful, according to the corresponding +## reply. If no reply was seen, this will be false once the request +## times out. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit +## pm_request_dump pm_request_getport pm_request_null pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. 
+event pm_request_set%(r: connection, m: pm_mapping, success: bool%); + +## Generated for Portmapper request/reply dialogues of type *unset*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## m: The argument to the request. +## +## success: True if the request was successful, according to the corresponding +## reply. If no reply was seen, this will be false once the request +## times out. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit +## pm_request_dump pm_request_getport pm_request_null pm_request_set rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); + +## Generated for Portmapper request/reply dialogues of type *getport*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## pr: The argument to the request. +## +## p: The port returned by the server. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit +## pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); + +## Generated for Portmapper request/reply dialogues of type *dump*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## m: The mappings returned by the server. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit +## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_request_dump%(r: connection, m: pm_mappings%); + +## Generated for Portmapper request/reply dialogues of type *callit*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## call: The argument to the request. +## +## p: The port value returned by the call. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_dump +## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. 
+event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
+
+## Generated for failed Portmapper requests of type *null*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_null%(r: connection, status: rpc_status%);
+
+## Generated for failed Portmapper requests of type *set*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## m: The argument to the original request.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
+
+## Generated for failed Portmapper requests of type *unset*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## m: The argument to the original request.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_set pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
+
+## Generated for failed Portmapper requests of type *getport*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## pr: The argument to the original request.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_null
+## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%);
+
+## Generated for failed Portmapper requests of type *dump*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_getport pm_attempt_null
+## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_dump%(r: connection, status: rpc_status%);
+
+## Generated for failed Portmapper requests of type *callit*.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## call: The argument to the original request.
+##
+## .. bro:see:: epm_map_response pm_attempt_dump pm_attempt_getport pm_attempt_null
+## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump
+## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call
+## rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%);
+
+## Generated for Portmapper requests or replies that include an invalid port
+## number. Since ports are represented by unsigned 4-byte integers, they can
+## stray outside the allowed range of 0--65535 by being >= 65536. If so, this
+## event is generated.
+##
+## Portmapper is a service running on top of RPC. See `Wikipedia
+## `__ for more information about the
+## service.
+##
+## r: The RPC connection.
+##
+## bad_p: The invalid port value.
+##
+## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport
+## pm_attempt_null pm_attempt_set pm_attempt_unset pm_request_callit
+## pm_request_dump pm_request_getport pm_request_null pm_request_set
+## pm_request_unset rpc_call rpc_dialogue rpc_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event pm_bad_port%(r: connection, bad_p: count%);
+
+## Generated for RPC request/reply *pairs*. The RPC analyzer associates request
+## and reply by their transaction identifiers and raises this event once both
+## have been seen. If there's not a reply, this event will still be generated
+## eventually on timeout. In that case, *status* will be set to
+## :bro:enum:`RPC_TIMEOUT`.
+##
+## See `Wikipedia `__ for more information
+## about the ONC RPC protocol.
+##
+## c: The connection.
+##
+## prog: The remote program to call.
+##
+## ver: The version of the remote program to call.
+##
+## proc: The procedure of the remote program to call.
+##
+## status: The status of the reply, which should be one of the index values of
+## :bro:id:`RPC_status`.
+##
+## start_time: The time when the *call* was seen.
+##
+## call_len: The size of the *call_body* PDU.
+##
+## reply_len: The size of the *reply_body* PDU.
+##
+## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
+## dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to add a
+## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%);
+
+## Generated for RPC *call* messages.
+##
+## See `Wikipedia `__ for more information
+## about the ONC RPC protocol.
+##
+## c: The connection.
+##
+## xid: The transaction identifier allowing to match requests with replies.
+##
+## prog: The remote program to call.
+##
+## ver: The version of the remote program to call.
+##
+## proc: The procedure of the remote program to call.
+##
+## call_len: The size of the *call_body* PDU.
+##
+## .. bro:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
+## dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to add a
+## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%);
+
+## Generated for RPC *reply* messages.
+##
+## See `Wikipedia `__ for more information
+## about the ONC RPC protocol.
+##
+## c: The connection.
+##
+## xid: The transaction identifier allowing to match requests with replies.
+## +## status: The status of the reply, which should be one of the index values of +## :bro:id:`RPC_status`. +## +## reply_len: The size of the *reply_body* PDU. +## +## .. bro:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); diff --git a/src/analyzer/protocols/smb/Plugin.cc b/src/analyzer/protocols/smb/Plugin.cc index 543638faf4..2f83460984 100644 --- a/src/analyzer/protocols/smb/Plugin.cc +++ b/src/analyzer/protocols/smb/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(SMB) BRO_PLUGIN_DESCRIPTION("SMB Analyzer"); - BRO_PLUGIN_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SMB", smb::SMB_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_SMB"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/smb/SMB.cc b/src/analyzer/protocols/smb/SMB.cc index 24cbf2dc1a..798e2bfd1f 100644 --- a/src/analyzer/protocols/smb/SMB.cc +++ b/src/analyzer/protocols/smb/SMB.cc @@ -6,6 +6,10 @@ #include "Val.h" #include "Reporter.h" +#include "events.bif.h" + +using namespace analyzer::smb; + namespace { const bool DEBUG_smb_ipc = true; } @@ -1093,7 +1097,7 @@ bool SMB_Session::CheckRPC(int is_orig, int data_count, const u_char *data) if ( LooksLikeRPC(data_count, data) ) { if ( ! dce_rpc_session ) - dce_rpc_session = new DCE_RPC_Session(analyzer); + dce_rpc_session = new dce_rpc::DCE_RPC_Session(analyzer); dce_rpc_session->DeliverPDU(is_orig, data_count, data); 
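Review bot: In the `@@ -1093,7 +1097,7 @@` hunk `dce_rpc_session` is still lazily allocated with a raw `new` into a raw member pointer, and the change only re-qualifies the type as `dce_rpc::DCE_RPC_Session`; nothing in the hunk releases it, so confirm that the `SMB_Session` destructor (not in this diff) deletes it, otherwise every SMB connection whose IPC data passes `LooksLikeRPC()` leaks a session object. `data_count` is a signed `int` that presumably carries a length derived from the peer-supplied SMB transaction and is handed straight to `LooksLikeRPC()` and `DeliverPDU()`; unless those reject non-positive counts themselves, a `if ( data_count <= 0 ) return false;` guard before the sniff is cheap insurance against a hostile client. The body of `SMB_Session::CheckRPC()` starts before and continues past this hunk.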
@@ -1104,7 +1108,7 @@ bool SMB_Session::CheckRPC(int is_orig, int data_count, const u_char *data) } Contents_SMB::Contents_SMB(Connection* conn, bool orig, SMB_Session* s) -: TCP_SupportAnalyzer("CONTENTS_SMB", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_SMB", conn, orig) { smb_session = s; msg_buf = 0; @@ -1145,7 +1149,7 @@ void Contents_SMB::DeliverSMB(int len, const u_char* data) void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); while ( len > 0 ) { @@ -1221,7 +1225,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig) } SMB_Analyzer::SMB_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("SMB", conn) +: tcp::TCP_ApplicationAnalyzer("SMB", conn) { smb_session = new SMB_Session(this); o_smb = new Contents_SMB(conn, true, smb_session); diff --git a/src/analyzer/protocols/smb/SMB.h b/src/analyzer/protocols/smb/SMB.h index 83f3811010..0b67c96710 100644 --- a/src/analyzer/protocols/smb/SMB.h +++ b/src/analyzer/protocols/smb/SMB.h @@ -10,6 +10,8 @@ #include "analyzer/protocols/dce-rpc/DCE_RPC.h" #include "smb_pac.h" +namespace analyzer { namespace smb { + enum IPC_named_pipe { IPC_NONE, IPC_LOCATOR, @@ -44,15 +46,6 @@ public: void Deliver(int is_orig, int len, const u_char* msg); - static bool any_smb_event() - { - return smb_message || - smb_com_tree_connect_andx || - smb_com_nt_create_andx || smb_com_transaction || - smb_com_transaction2 || smb_com_read_andx || - smb_com_write_andx; - } - protected: void ParseMessage(int is_orig, int cmd, binpac::SMB::SMB_header const &hdr, @@ -159,7 +152,7 @@ protected: Val* BuildTransactionDataVal(binpac::SMB::SMB_transaction_data* data); analyzer::Analyzer* analyzer; - DCE_RPC_Session* dce_rpc_session; + dce_rpc::DCE_RPC_Session* dce_rpc_session; enum IPC_named_pipe IPC_pipe; int is_IPC; int req_cmd; 
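Review bot: The `@@ -44,15 +46,6 @@` hunk in SMB.h deletes `any_smb_event()`, the one visible place that let the SMB analyzer skip work when no `smb_*` handler is defined, and no replacement appears anywhere in this diff. If a call site survives elsewhere the build breaks; if the call sites were removed too, every SMB connection now pays the full parse cost even when no script consumes the events, which matters for an analyzer that is fed attacker-controlled traffic. Either keep a cheap handler-presence check (the event globals still come from the `events.bif.h` that the SMB.cc hunk now includes, so a `static bool any_smb_event()` with the same `smb_message || smb_com_tree_connect_andx || ...` body would still compile) or say in the commit message where equivalent gating now lives. The enclosing `SMB_Session` class starts and ends outside this hunk.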
@@ -170,7 +163,7 @@ protected: binpac::SMB::SMB_andx* andx_[2]; }; -class Contents_SMB : public TCP_SupportAnalyzer { +class Contents_SMB : public tcp::TCP_SupportAnalyzer { public: Contents_SMB(Connection* conn, bool orig, SMB_Session* smb_session); ~Contents_SMB(); @@ -190,7 +183,7 @@ protected: int buf_len; // size off msg_buf }; -class SMB_Analyzer : public TCP_ApplicationAnalyzer { +class SMB_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SMB_Analyzer(Connection* conn); ~SMB_Analyzer(); @@ -204,4 +197,6 @@ protected: Contents_SMB* r_smb; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/smb/events.bif b/src/analyzer/protocols/smb/events.bif index e69de29bb2..74cb1feb77 100644 --- a/src/analyzer/protocols/smb/events.bif +++ b/src/analyzer/protocols/smb/events.bif 
@@ -0,0 +1,495 @@
+## Generated for all SMB/CIFS messages.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## is_orig: True if the message was sent by the originator of the underlying
+## transport-level connection.
+##
+## cmd: A string mnemonic of the SMB command code.
+##
+## body_length: The length of the SMB message body, i.e. the data starting after
+## the SMB header.
+##
+## body: The raw SMB message body, i.e., the data starting after the SMB header.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
+## smb_get_dfs_referral
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%);
+
+## Generated for SMB/CIFS messages of type *tree connect andx*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## path: The ``path`` attribute specified in the message.
+##
+## service: The ``service`` attribute specified in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%);
+
+## Generated for SMB/CIFS messages of type *tree disconnect*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+## smb_com_tree_connect_andx smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *nt create andx*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## name: The ``name`` attribute specified in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_read_andx
+## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
+
+## Generated for SMB/CIFS messages of type *nt transaction*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
+## smb_com_trans_rap smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *nt transaction 2*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
+## smb_com_trans_rap smb_com_transaction smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *transaction mailslot*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_pipe smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *transaction rap*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_transaction smb_com_transaction2
+## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
+## smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *transaction pipe*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## trans: The parsed transaction header.
+##
+## data: The raw transaction data.
+##
+## is_orig: True if the message was sent by the originator of the connection.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+
+## Generated for SMB/CIFS messages of type *read andx*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## data: Always empty.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
+
+## Generated for SMB/CIFS messages of type *read andx*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## data: Always empty.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+## smb_com_tree_connect_andx smb_com_tree_disconnect smb_error
+## smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
+
+## Generated for SMB/CIFS messages of type *get dfs referral*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## max_referral_level: The ``max_referral_level`` attribute specified in the
+## message.
+##
+## file_name: The ``filene_name`` attribute specified in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
+## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
+## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%);
+
+## Generated for SMB/CIFS messages of type *negotiate*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
+## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
+## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
+## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *negotiate response*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## dialect_index: The ``dialect`` indicated in the message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
+## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
+## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
+## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%);
+
+## Generated for SMB/CIFS messages of type *setup andx*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
+## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
+## smb_com_read_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *generic andx*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_close smb_com_logoff_andx smb_com_negotiate
+## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
+## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *close*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_generic_andx smb_com_logoff_andx smb_com_negotiate
+## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
+## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+## analyzer that generates this event; the corresponding script has not yet
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
+event smb_com_close%(c: connection, hdr: smb_hdr%);
+
+## Generated for SMB/CIFS messages of type *logoff andx*.
+##
+## See `Wikipedia `__ for
+## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
+## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
+##
+## c: The connection.
+##
+## hdr: The parsed header of the SMB message.
+##
+## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_negotiate
+## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
+## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
+## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
+## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
+## smb_message
+##
+## ..
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%); + +## Generated for SMB/CIFS messages that indicate an error. This event is +## triggered by an SMB header including a status that signals an error. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## cmd: The SMB command code. +## +## cmd_str: A string mnemonic of the SMB command code. +## +## data: The raw SMB message body, i.e., the data starting after the SMB header. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot +## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 +## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx +## smb_get_dfs_referral smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%); + diff --git a/src/analyzer/protocols/smb/smb.pac b/src/analyzer/protocols/smb/smb.pac index 740ad47991..1fdab27d90 100644 --- a/src/analyzer/protocols/smb/smb.pac +++ b/src/analyzer/protocols/smb/smb.pac @@ -1,6 +1,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer SMB withcontext { }; %include smb-protocol.pac 
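Review bot: `smb_com_write_andx` is documented as "Generated for SMB/CIFS messages of type *read andx*", a copy-paste of the preceding event's heading; it should read `## Generated for SMB/CIFS messages of type *write andx*.`. In `smb_get_dfs_referral` the parameter line refers to ``filene_name`` while the declared parameter is `file_name`. `smb_com_transaction` and `smb_com_transaction2` are headed *nt transaction* and *nt transaction 2*; if they correspond to SMB_COM_TRANSACTION and SMB_COM_TRANSACTION2 as their names suggest, that wording conflates them with the distinct SMB_COM_NT_TRANSACT command, so confirm against the parser and name the actual command. Both `smb_com_read_andx` and `smb_com_write_andx` carry a `data` parameter documented only as "Always empty."; state why it exists (e.g. `## data: Always empty; the analyzer does not currently extract file payloads.`) so detection scripts do not rely on seeing written file contents there.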
diff --git a/src/analyzer/protocols/smtp/Plugin.cc b/src/analyzer/protocols/smtp/Plugin.cc index 6b9f7a0aeb..8a5095381d 100644 --- a/src/analyzer/protocols/smtp/Plugin.cc +++ b/src/analyzer/protocols/smtp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SMTP) BRO_PLUGIN_DESCRIPTION("SMTP Analyzer"); - BRO_PLUGIN_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SMTP", smtp::SMTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/smtp/SMTP.cc b/src/analyzer/protocols/smtp/SMTP.cc index c674c120ec..7bbb7ec69e 100644 --- a/src/analyzer/protocols/smtp/SMTP.cc +++ b/src/analyzer/protocols/smtp/SMTP.cc @@ -10,6 +10,10 @@ #include "Reporter.h" #include "analyzer/protocols/tcp/ContentLine.h" +#include "events.bif.h" + +using namespace analyzer::smtp; + #undef SMTP_CMD_DEF #define SMTP_CMD_DEF(cmd) #cmd, @@ -21,7 +25,7 @@ static const char* smtp_cmd_word[] = { SMTP_Analyzer::SMTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("SMTP", conn) +: tcp::TCP_ApplicationAnalyzer("SMTP", conn) { expect_sender = 0; expect_recver = 1; @@ -40,12 +44,12 @@ SMTP_Analyzer::SMTP_Analyzer(Connection* conn) line_after_gap = 0; mail = 0; UpdateState(first_cmd, 0); - ContentLine_Analyzer* cl_orig = new ContentLine_Analyzer(conn, true); + tcp::ContentLine_Analyzer* cl_orig = new tcp::ContentLine_Analyzer(conn, true); cl_orig->SetIsNULSensitive(true); cl_orig->SetSkipPartial(true); AddSupportAnalyzer(cl_orig); - ContentLine_Analyzer* cl_resp = new ContentLine_Analyzer(conn, false); + tcp::ContentLine_Analyzer* cl_resp = new tcp::ContentLine_Analyzer(conn, false); cl_resp->SetIsNULSensitive(true); cl_resp->SetSkipPartial(true); AddSupportAnalyzer(cl_resp); 
@@ -53,7 +57,7 @@ SMTP_Analyzer::SMTP_Analyzer(Connection* conn) void SMTP_Analyzer::ConnectionFinished(int half_finished) { - TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); + tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); if ( ! half_finished && mail ) EndData(); @@ -66,7 +70,7 @@ SMTP_Analyzer::~SMTP_Analyzer() void SMTP_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( mail ) EndData(); @@ -74,7 +78,7 @@ void SMTP_Analyzer::Done() void SMTP_Analyzer::Undelivered(int seq, int len, bool is_orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); if ( len <= 0 ) return; @@ -107,7 +111,7 @@ void SMTP_Analyzer::Undelivered(int seq, int len, bool is_orig) void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); // NOTE: do not use IsOrig() here, because of TURN command. int is_sender = orig_is_sender ? orig : ! orig; @@ -868,7 +872,7 @@ void SMTP_Analyzer::BeginData() delete mail; } - mail = new MIME_Mail(this); + mail = new mime::MIME_Mail(this); } void SMTP_Analyzer::EndData() diff --git a/src/analyzer/protocols/smtp/SMTP.h b/src/analyzer/protocols/smtp/SMTP.h index d525fb11af..02322f09c7 100644 --- a/src/analyzer/protocols/smtp/SMTP.h +++ b/src/analyzer/protocols/smtp/SMTP.h @@ -7,12 +7,13 @@ using namespace std; #include "analyzer/protocols/tcp/TCP.h" -#include "MIME.h" - +#include "analyzer/protocols/mime/MIME.h" #undef SMTP_CMD_DEF #define SMTP_CMD_DEF(cmd) SMTP_CMD_##cmd, +namespace analyzer { namespace smtp { + typedef enum { #include "SMTP_cmd.def" } SMTP_Cmd; 
@@ -35,7 +36,7 @@ typedef enum { } SMTP_State; -class SMTP_Analyzer : public TCP_ApplicationAnalyzer { +class SMTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SMTP_Analyzer(Connection* conn); ~SMTP_Analyzer(); @@ -87,7 +88,9 @@ protected: BroString* line_after_gap; // last line before the first reply // after a gap - MIME_Mail* mail; + mime::MIME_Mail* mail; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/smtp/events.bif b/src/analyzer/protocols/smtp/events.bif index e69de29bb2..4a376bcbf8 100644 --- a/src/analyzer/protocols/smtp/events.bif +++ b/src/analyzer/protocols/smtp/events.bif 
@@ -0,0 +1,100 @@ +## Generated for client-side SMTP commands. +## +## See `Wikipedia `__ +## for more information about the SMTP protocol. +## +## c: The connection. +## +## is_orig: True if the sender of the command is the originator of the TCP +## connection. Note that this is not redundant: the SMTP ``TURN`` command +## allows client and server to flip roles on established SMTP sessions, +## and hence a "request" might still come from the TCP-level responder. +## In practice, however, that will rarely happen as TURN is considered +## insecure and rarely used. +## +## command: The request's command, without any arguments. +## +## arg: The request command's arguments. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data +## smtp_data smtp_reply +## +## .. note:: Bro does not support the newer ETRN extension yet. +event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%); + +## Generated for server-side SMTP commands. +## +## See `Wikipedia `__ +## for more information about the SMTP protocol. +## +## c: The connection. +## +## is_orig: True if the sender of the command is the originator of the TCP +## connection. Note that this is not redundant: the SMTP ``TURN`` command +## allows client and server to flip roles on established SMTP sessions, +## and hence a "reply" might still come from the TCP-level originator. In +## practice, however, that will rarely happen as TURN is considered +## insecure and rarely used. +## +## code: The reply's numerical code. +## +## cmd: TODO. +## +## msg: The reply's textual description. +## +## cont_resp: True if the reply line is tagged as being continued to the next +## line. If so, further events will be raised and a handler may want to +## reassemble the pieces before processing the response any further. +## +## .. 
bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data +## smtp_data smtp_request +## +## .. note:: Bro doesn't support the newer ETRN extension yet. +event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%); + +## Generated for DATA transmitted on SMTP sessions. This event is raised for +## subsequent chunks of raw data following the ``DATA`` SMTP command until the +## corresponding end marker ``.`` is seen. A handler may want to reassemble +## the pieces as they come in if stream-analysis is required. +## +## See `Wikipedia `__ +## for more information about the SMTP protocol. +## +## c: The connection. +## +## is_orig: True if the sender of the data is the originator of the TCP +## connection. +## +## data: The raw data. Note that the size of each chunk is undefined and +## depends on specifics of the underlying TCP connection. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data +## smtp_reply smtp_request skip_smtp_data +## +## .. note:: This event receives the unprocessed raw data. There is a separate +## set of ``mime_*`` events that strip out the outer MIME-layer of emails and +## provide structured access to their content. +event smtp_data%(c: connection, is_orig: bool, data: string%); + +## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks +## the state of SMTP sessions and reports commands and other activity with this +## event that it sees even though it would not expect so at the current point +## of the communication. +## +## See `Wikipedia `__ +## for more information about the SMTP protocol. +## +## c: The connection. +## +## is_orig: True if the sender of the unexpected activity is the originator of +## the TCP connection. 
+## +## msg: A descriptive message of what was unexpected. +## +## detail: The actual SMTP line triggering the event. +## +## .. bro:see:: smtp_data smtp_request smtp_reply +event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); diff --git a/src/analyzer/protocols/socks/Plugin.cc b/src/analyzer/protocols/socks/Plugin.cc index 080a8329de..3c849e6e23 100644 --- a/src/analyzer/protocols/socks/Plugin.cc +++ b/src/analyzer/protocols/socks/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SOCKS) BRO_PLUGIN_DESCRIPTION("SOCKS Analyzer"); - BRO_PLUGIN_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SOCKS", socks::SOCKS_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/socks/SOCKS.cc b/src/analyzer/protocols/socks/SOCKS.cc index 25ebf9796e..dab464abf7 100644 --- a/src/analyzer/protocols/socks/SOCKS.cc +++ b/src/analyzer/protocols/socks/SOCKS.cc @@ -2,8 +2,12 @@ #include "socks_pac.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::socks; + SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("SOCKS", conn) +: tcp::TCP_ApplicationAnalyzer("SOCKS", conn) { interp = new binpac::SOCKS::SOCKS_Conn(this); orig_done = resp_done = false; @@ -25,7 +29,7 @@ void SOCKS_Analyzer::EndpointDone(bool orig) void SOCKS_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -33,13 +37,13 @@ void SOCKS_Analyzer::Done() void SOCKS_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); 
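Review bot: The new `smtp_reply` documentation leaves its `cmd` parameter as `## cmd: TODO.` while every other parameter in this file gets a description, so the generated reference will ship with a placeholder. I cannot tell from the hunk what the analyzer passes in that argument, so fill it in from the event-raising code in SMTP.cc; if it is the command the reply answers, something like `## cmd: The SMTP command this reply responds to.` would match the style of the neighbouring entries. The `code`, `msg` and `cont_resp` descriptions around it are fine as written.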
@@ -57,7 +61,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) if ( ! pia ) { - pia = new PIA_TCP(Conn()); + pia = new pia::PIA_TCP(Conn()); AddChildAnalyzer(pia); pia->FirstPacket(true, 0); pia->FirstPacket(false, 0); @@ -80,7 +84,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SOCKS_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } diff --git a/src/analyzer/protocols/socks/SOCKS.h b/src/analyzer/protocols/socks/SOCKS.h index 8abdfe3a3f..7aed5c02a3 100644 --- a/src/analyzer/protocols/socks/SOCKS.h +++ b/src/analyzer/protocols/socks/SOCKS.h @@ -12,8 +12,9 @@ namespace binpac { } } +namespace analyzer { namespace socks { -class SOCKS_Analyzer : public TCP_ApplicationAnalyzer { +class SOCKS_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SOCKS_Analyzer(Connection* conn); ~SOCKS_Analyzer(); @@ -33,8 +34,10 @@ protected: bool orig_done; bool resp_done; - PIA_TCP *pia; + pia::PIA_TCP *pia; binpac::SOCKS::SOCKS_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/socks/events.bif b/src/analyzer/protocols/socks/events.bif index e69de29bb2..4f1f8ad1cd 100644 --- a/src/analyzer/protocols/socks/events.bif +++ b/src/analyzer/protocols/socks/events.bif 
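Review bot: In SOCKS.h the member `pia::PIA_TCP *pia;` and in SOCKS.cc `pia = new pia::PIA_TCP(Conn());` give a data member the same name as the namespace its type comes from. This compiles, because qualified lookup of the name before `::` considers only namespaces, types and templates, but a reader sees `pia` used as an object and as a scope on the same line; TCP.cc's `CheckPIA_FirstPacket` has the same pattern with its local `pia::PIA_TCP* pia`. Spelling the type out as `analyzer::pia::PIA_TCP* pia;`, or renaming the member, removes the double reading.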
@@ -0,0 +1,29 @@ +## Generated when a SOCKS request is analyzed. +## +## c: The parent connection of the proxy. +## +## version: The version of SOCKS this message used. +## +## request_type: The type of the request. +## +## sa: Address that the tunneled traffic should be sent to. +## +## p: The destination port for the proxied traffic. +## +## user: Username given for the SOCKS connection. This is not yet implemented +## for SOCKSv5. +event socks_request%(c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string%); + +## Generated when a SOCKS reply is analyzed. +## +## c: The parent connection of the proxy. +## +## version: The version of SOCKS this message used. +## +## reply: The status reply from the server. +## +## sa: The address that the server sent the traffic to. +## +## p: The destination port for the proxied traffic. +event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port%); + diff --git a/src/analyzer/protocols/socks/socks.pac b/src/analyzer/protocols/socks/socks.pac index 15d3580674..a9c4099508 100644 --- a/src/analyzer/protocols/socks/socks.pac +++ b/src/analyzer/protocols/socks/socks.pac @@ -3,6 +3,8 @@ %extern{ #include "SOCKS.h" + +#include "events.bif.h" %} analyzer SOCKS withcontext { @@ -21,4 +23,4 @@ flow SOCKS_Flow(is_orig: bool) { datagram = SOCKS_Version(is_orig) withcontext(connection, this); }; -%include socks-analyzer.pac \ No newline at end of file +%include socks-analyzer.pac diff --git a/src/analyzer/protocols/ssh/Plugin.cc b/src/analyzer/protocols/ssh/Plugin.cc index 76603220d3..57acbe222c 100644 --- a/src/analyzer/protocols/ssh/Plugin.cc +++ b/src/analyzer/protocols/ssh/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SSH) BRO_PLUGIN_DESCRIPTION("SSH Analyzer"); - BRO_PLUGIN_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SSH", ssh::SSH_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END 
diff --git a/src/analyzer/protocols/ssh/SSH.cc b/src/analyzer/protocols/ssh/SSH.cc index 3b89422d5a..c2ff9a066c 100644 --- a/src/analyzer/protocols/ssh/SSH.cc +++ b/src/analyzer/protocols/ssh/SSH.cc @@ -9,15 +9,19 @@ #include "Event.h" #include "analyzer/protocols/tcp/ContentLine.h" +#include "events.bif.h" + +using namespace analyzer::ssh; + SSH_Analyzer::SSH_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("SSH", c) +: tcp::TCP_ApplicationAnalyzer("SSH", c) { - orig = new ContentLine_Analyzer(c, true); + orig = new tcp::ContentLine_Analyzer(c, true); orig->SetSkipPartial(true); orig->SetCRLFAsEOL(LF_as_EOL); AddSupportAnalyzer(orig); - resp = new ContentLine_Analyzer(c, false); + resp = new tcp::ContentLine_Analyzer(c, false); resp->SetSkipPartial(true); resp->SetCRLFAsEOL(LF_as_EOL); AddSupportAnalyzer(resp); @@ -25,7 +29,7 @@ SSH_Analyzer::SSH_Analyzer(Connection* c) void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); // We're all done processing this endpoint - flag it as such, // before we even determine whether we have any event generation @@ -38,7 +42,7 @@ void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) if ( TCP() ) { // Don't try to parse version if there has already been a gap. - TCP_Endpoint* endp = is_orig ? TCP()->Orig() : TCP()->Resp(); + tcp::TCP_Endpoint* endp = is_orig ? TCP()->Orig() : TCP()->Resp(); if ( endp->HadGap() ) return; } diff --git a/src/analyzer/protocols/ssh/SSH.h b/src/analyzer/protocols/ssh/SSH.h index d3cda5f2f5..644444136d 100644 --- a/src/analyzer/protocols/ssh/SSH.h +++ b/src/analyzer/protocols/ssh/SSH.h 
@@ -6,7 +6,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" -class SSH_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ssh { + +class SSH_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SSH_Analyzer(Connection* conn); @@ -16,8 +18,10 @@ public: { return new SSH_Analyzer(conn); } private: - ContentLine_Analyzer* orig; - ContentLine_Analyzer* resp; + tcp::ContentLine_Analyzer* orig; + tcp::ContentLine_Analyzer* resp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ssh/events.bif b/src/analyzer/protocols/ssh/events.bif index e69de29bb2..9d73f5e483 100644 --- a/src/analyzer/protocols/ssh/events.bif +++ b/src/analyzer/protocols/ssh/events.bif 
@@ -0,0 +1,38 @@ +## Generated when seeing an SSH client's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## client sent. +## +## +## See `Wikipedia `__ for more +## information about the SSH protocol. +## +## c: The connection. +## +## version: The version string the client sent (e.g., `SSH-2.0-libssh-0.11`). +## +## .. bro:see:: ssh_server_version +## +## .. note:: As everything after the initial version handshake proceeds +## encrypted, Bro cannot further analyze SSH sessions. +event ssh_client_version%(c: connection, version: string%); + +## Generated when seeing an SSH server's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## server sent. +## +## See `Wikipedia `__ for more +## information about the SSH protocol. +## +## c: The connection. +## +## version: The version string the server sent (e.g., +## ``SSH-1.99-OpenSSH_3.9p1``). +## +## .. bro:see:: ssh_client_version +## +## .. note:: As everything coming after the initial version handshake proceeds +## encrypted, Bro cannot further analyze SSH sessions. +event ssh_server_version%(c: connection, version: string%); + diff --git a/src/analyzer/protocols/ssl/Plugin.cc b/src/analyzer/protocols/ssl/Plugin.cc index 743401896d..6fe3308818 100644 --- a/src/analyzer/protocols/ssl/Plugin.cc +++ b/src/analyzer/protocols/ssl/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SSL) BRO_PLUGIN_DESCRIPTION("SSL Analyzer"); - BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SSL", ssl::SSL_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ssl/SSL.cc b/src/analyzer/protocols/ssl/SSL.cc index deec34e5d9..cf41f273f6 100644 --- a/src/analyzer/protocols/ssl/SSL.cc 
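Review bot: The `ssh_client_version` entry wraps its example version string `SSH-2.0-libssh-0.11` in single backticks, whereas `ssh_server_version` uses the double-backtick literal form for `SSH-1.99-OpenSSH_3.9p1`; in reST single backticks are interpreted text and render differently from a literal. Change the client example to double backticks so both entries render the same way. The client entry also carries a doubled empty `##` line before the Wikipedia reference that the server entry does not have.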
+++ b/src/analyzer/protocols/ssl/SSL.cc @@ -4,8 +4,12 @@ #include "Reporter.h" #include "util.h" +#include "events.bif.h" + +using namespace analyzer::ssl; + SSL_Analyzer::SSL_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("SSL", c) +: tcp::TCP_ApplicationAnalyzer("SSL", c) { interp = new binpac::SSL::SSL_Conn(this); had_gap = false; @@ -18,7 +22,7 @@ SSL_Analyzer::~SSL_Analyzer() void SSL_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -26,13 +30,13 @@ void SSL_Analyzer::Done() void SSL_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -55,7 +59,7 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SSL_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocols/ssl/SSL.h b/src/analyzer/protocols/ssl/SSL.h index 1d451a40ef..b8d6f20db1 100644 --- a/src/analyzer/protocols/ssl/SSL.h +++ b/src/analyzer/protocols/ssl/SSL.h @@ -6,7 +6,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "ssl_pac.h" -class SSL_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ssl { + +class SSL_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SSL_Analyzer(Connection* conn); virtual ~SSL_Analyzer(); 
@@ -16,7 +18,7 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void Undelivered(int seq, int len, bool orig); - // Overriden from TCP_ApplicationAnalyzer. + // Overriden from tcp::TCP_ApplicationAnalyzer. virtual void EndpointEOF(bool is_orig); static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) @@ -35,4 +37,6 @@ protected: }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ssl/ssl-defs.pac b/src/analyzer/protocols/ssl/ssl-defs.pac index 4f715bbddd..c35fc56e85 100644 --- a/src/analyzer/protocols/ssl/ssl-defs.pac +++ b/src/analyzer/protocols/ssl/ssl-defs.pac @@ -3,6 +3,8 @@ %extern{ #include using std::string; + +#include "events.bif.h" %} enum ContentType { diff --git a/src/analyzer/protocols/ssl/ssl.pac b/src/analyzer/protocols/ssl/ssl.pac index 150dc222cb..4a32227088 100644 --- a/src/analyzer/protocols/ssl/ssl.pac +++ b/src/analyzer/protocols/ssl/ssl.pac @@ -5,13 +5,13 @@ # - ssl-analyzer.pac: contains the SSL analyzer code # - ssl-record-layer.pac: describes the SSL record layer -%extern{ - #include "events.bif.h" -%} - %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer SSL withcontext { connection: SSL_Conn; flow: SSL_Flow; diff --git a/src/analyzer/protocols/stepping-stone/Plugin.cc b/src/analyzer/protocols/stepping-stone/Plugin.cc index 18bfa41063..748c5fac5f 100644 --- a/src/analyzer/protocols/stepping-stone/Plugin.cc +++ b/src/analyzer/protocols/stepping-stone/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SteppingStone) BRO_PLUGIN_DESCRIPTION("SteppingStone Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("STEPPINGSTONE", stepping_stone::SteppingStone_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.cc b/src/analyzer/protocols/stepping-stone/SteppingStone.cc index f2f4561de6..2b25a2e080 100644 
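Review bot: The comment rewritten in SSL.h, `// Overriden from tcp::TCP_ApplicationAnalyzer.`, keeps the existing misspelling; since the line is being edited anyway, make it `// Overridden from tcp::TCP_ApplicationAnalyzer.`. The `tcp::` qualification itself is needed here because `SSL_Analyzer` lives in `analyzer::ssl`, not `analyzer::tcp`.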
--- a/src/analyzer/protocols/stepping-stone/SteppingStone.cc +++ b/src/analyzer/protocols/stepping-stone/SteppingStone.cc @@ -11,7 +11,11 @@ #include "SteppingStone.h" #include "util.h" -SteppingStoneEndpoint::SteppingStoneEndpoint(TCP_Endpoint* e, SteppingStoneManager* m) +#include "events.bif.h" + +using namespace analyzer::stepping_stone; + +SteppingStoneEndpoint::SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m) { endp = e; stp_max_top_seq = 0; @@ -157,7 +161,7 @@ void SteppingStoneEndpoint::CreateEndpEvent(int is_orig) } SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("STEPPINGSTONE", c) +: tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c) { stp_manager = sessions->GetSTPManager(); @@ -167,7 +171,7 @@ SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) void SteppingStone_Analyzer::Init() { - TCP_ApplicationAnalyzer::Init(); + tcp::TCP_ApplicationAnalyzer::Init(); assert(TCP()); orig_endp = new SteppingStoneEndpoint(TCP()->Orig(), stp_manager); @@ -178,7 +182,7 @@ void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); if ( is_orig ) @@ -190,7 +194,7 @@ void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data, void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( is_orig ) { @@ -209,7 +213,7 @@ void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data, void SteppingStone_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); orig_endp->Done(); resp_endp->Done(); 
diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.h b/src/analyzer/protocols/stepping-stone/SteppingStone.h index cbf22e7715..f818a0ee70 100644 --- a/src/analyzer/protocols/stepping-stone/SteppingStone.h +++ b/src/analyzer/protocols/stepping-stone/SteppingStone.h @@ -8,6 +8,8 @@ class NetSessions; +namespace analyzer { namespace stepping_stone { + class SteppingStoneEndpoint; class SteppingStoneManager; @@ -16,7 +18,7 @@ declare(PDict,SteppingStoneEndpoint); class SteppingStoneEndpoint : public BroObj { public: - SteppingStoneEndpoint(TCP_Endpoint* e, SteppingStoneManager* m); + SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m); ~SteppingStoneEndpoint(); void Done(); @@ -27,7 +29,7 @@ protected: void Event(EventHandlerPtr f, int id1, int id2 = -1); void CreateEndpEvent(int is_orig); - TCP_Endpoint* endp; + tcp::TCP_Endpoint* endp; int stp_max_top_seq; double stp_last_time; double stp_resume_time; @@ -43,7 +45,7 @@ protected: PDict(SteppingStoneEndpoint) stp_outbound_endps; }; -class SteppingStone_Analyzer : public TCP_ApplicationAnalyzer { +class SteppingStone_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SteppingStone_Analyzer(Connection* c); virtual ~SteppingStone_Analyzer() {}; @@ -85,4 +87,6 @@ protected: int endp_cnt; }; +} } // namespace analyzer::* + #endif /* steppingstone_h */ diff --git a/src/analyzer/protocols/stepping-stone/events.bif b/src/analyzer/protocols/stepping-stone/events.bif index e69de29bb2..8d578eba64 100644 --- a/src/analyzer/protocols/stepping-stone/events.bif +++ b/src/analyzer/protocols/stepping-stone/events.bif 
@@ -0,0 +1,17 @@ +## Deprecated. Will be removed. +event stp_create_endp%(c: connection, e: int, is_orig: bool%); + +# ##### Internal events. Not further documented. + +## Event internal to the stepping stone detector. +event stp_resume_endp%(e: int%); + +## Event internal to the stepping stone detector. +event stp_correlate_pair%(e1: int, e2: int%); + +## Event internal to the stepping stone detector. +event stp_remove_pair%(e1: int, e2: int%); + +## Event internal to the stepping stone detector. +event stp_remove_endp%(e: int%); + diff --git a/src/analyzer/protocols/syslog/Plugin.cc b/src/analyzer/protocols/syslog/Plugin.cc index 8560ee7c48..f5d955942b 100644 --- a/src/analyzer/protocols/syslog/Plugin.cc +++ b/src/analyzer/protocols/syslog/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Syslog) BRO_PLUGIN_DESCRIPTION("Syslog Analyzer (UDP-only currently)"); - BRO_PLUGIN_ANALYZER("SYSLOG", Syslog_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SYSLOG", syslog::Syslog_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/syslog/Syslog.cc b/src/analyzer/protocols/syslog/Syslog.cc index 94ca996cce..e1667ea38b 100644 --- a/src/analyzer/protocols/syslog/Syslog.cc +++ b/src/analyzer/protocols/syslog/Syslog.cc @@ -2,6 +2,10 @@ #include "Syslog.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::syslog; + Syslog_Analyzer::Syslog_Analyzer(Connection* conn) : Analyzer("SYSLOG", conn) { 
@@ -45,35 +49,35 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int // t + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE); // } -//Syslog_TCP_Analyzer::Syslog_TCP_Analyzer(Connection* conn) -//: TCP_ApplicationAnalyzer(conn) +//Syslog_tcp::TCP_Analyzer::Syslog_tcp::TCP_Analyzer(Connection* conn) +//: tcp::TCP_ApplicationAnalyzer(conn) // { // interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); // } -//Syslog_TCP_Analyzer::~Syslog_TCP_Analyzer() +//Syslog_tcp::TCP_Analyzer::~Syslog_tcp::TCP_Analyzer() // { // delete interp; // } -//void Syslog_TCP_Analyzer::Done() +//void Syslog_tcp::TCP_Analyzer::Done() // { -// TCP_ApplicationAnalyzer::Done(); +// tcp::TCP_ApplicationAnalyzer::Done(); // // interp->FlowEOF(true); // interp->FlowEOF(false); // } -//void Syslog_TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp) +//void Syslog_tcp::TCP_Analyzer::EndpointEOF(tcp::TCP_Reassembler* endp) // { -// TCP_ApplicationAnalyzer::EndpointEOF(endp); +// tcp::TCP_ApplicationAnalyzer::EndpointEOF(endp); // interp->FlowEOF(endp->IsOrig()); // } -//void Syslog_TCP_Analyzer::DeliverStream(int len, const u_char* data, +//void Syslog_tcp::TCP_Analyzer::DeliverStream(int len, const u_char* data, // bool orig) // { -// TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); +// tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); // // assert(TCP()); // @@ -84,8 +88,8 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int // interp->NewData(orig, data, data + len); // } -//void Syslog_TCP_Analyzer::Undelivered(int seq, int len, bool orig) +//void Syslog_tcp::TCP_Analyzer::Undelivered(int seq, int len, bool orig) // { -// TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); +// tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // interp->NewGap(orig, len); // } diff --git a/src/analyzer/protocols/syslog/Syslog.h b/src/analyzer/protocols/syslog/Syslog.h index 32b7b3439a..391c5115b3 100644 
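Review bot: The mechanical rename inside the commented-out `Syslog_TCP_Analyzer` code produced `Syslog_tcp::TCP_Analyzer`, which is not a valid class name — the substring `TCP_Analyzer` was replaced inside the longer identifier, in both hunks of Syslog.cc here and in the matching block of Syslog.h in the next file section. It is harmless today only because the lines are comments; if the block is ever re-enabled it will not compile as written. Either restore the identifier, e.g. `//Syslog_TCP_Analyzer::Syslog_TCP_Analyzer(Connection* conn)` with only the base class spelled `tcp::TCP_ApplicationAnalyzer`, or drop the dead block instead of carrying a broken copy of it.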
--- a/src/analyzer/protocols/syslog/Syslog.h +++ b/src/analyzer/protocols/syslog/Syslog.h @@ -7,6 +7,8 @@ #include "syslog_pac.h" +namespace analyzer { namespace syslog { + class Syslog_Analyzer : public analyzer::Analyzer { public: Syslog_Analyzer(Connection* conn); @@ -29,21 +31,23 @@ protected: // #include "Syslog_tcp_pac.h" // -//class Syslog_TCP_Analyzer : public TCP_ApplicationAnalyzer { +//class Syslog_tcp::TCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { //public: -// Syslog_TCP_Analyzer(Connection* conn); -// virtual ~Syslog_TCP_Analyzer(); +// Syslog_tcp::TCP_Analyzer(Connection* conn); +// virtual ~Syslog_tcp::TCP_Analyzer(); // // virtual void Done(); // virtual void DeliverStream(int len, const u_char* data, bool orig); // virtual void Undelivered(int seq, int len, bool orig); -// virtual void EndpointEOF(TCP_Reassembler* endp); +// virtual void EndpointEOF(tcp::TCP_Reassembler* endp); // // static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) -// { return new Syslog_TCP_Analyzer(conn); } +// { return new Syslog_tcp::TCP_Analyzer(conn); } // //protected: // binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; //}; // +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/syslog/syslog.pac b/src/analyzer/protocols/syslog/syslog.pac index 5e7176da2a..2c1fdd10d0 100644 --- a/src/analyzer/protocols/syslog/syslog.pac +++ b/src/analyzer/protocols/syslog/syslog.pac @@ -1,11 +1,11 @@ -%extern{ - #include "events.bif.h" -%} - %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer Syslog withcontext { connection: Syslog_Conn; flow: Syslog_Flow; diff --git a/src/analyzer/protocols/tcp/ContentLine.cc b/src/analyzer/protocols/tcp/ContentLine.cc index bcfca4ecc6..c1738ccc64 100644 --- a/src/analyzer/protocols/tcp/ContentLine.cc +++ b/src/analyzer/protocols/tcp/ContentLine.cc 
@@ -3,6 +3,10 @@ #include "ContentLine.h" #include "analyzer/protocols/tcp/TCP.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig) : TCP_SupportAnalyzer("CONTENTLINE", conn, orig) { diff --git a/src/analyzer/protocols/tcp/ContentLine.h b/src/analyzer/protocols/tcp/ContentLine.h index e83251d43d..ca48393cb4 100644 --- a/src/analyzer/protocols/tcp/ContentLine.h +++ b/src/analyzer/protocols/tcp/ContentLine.h @@ -5,6 +5,8 @@ #include "analyzer/protocols/tcp/TCP.h" +namespace analyzer { namespace tcp { + #define CR_as_EOL 1 #define LF_as_EOL 2 @@ -104,4 +106,6 @@ protected: unsigned int skip_partial:1; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/Plugin.cc b/src/analyzer/protocols/tcp/Plugin.cc index d76789bf30..defb0b330d 100644 --- a/src/analyzer/protocols/tcp/Plugin.cc +++ b/src/analyzer/protocols/tcp/Plugin.cc @@ -5,8 +5,8 @@ BRO_PLUGIN_BEGIN(TCP) BRO_PLUGIN_DESCRIPTION("TCP Analyzer"); - BRO_PLUGIN_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("TCPStats", TCPStats_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("TCP", tcp::TCP_Analyzer); + BRO_PLUGIN_ANALYZER("TCPStats", tcp::TCPStats_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("ContentLine"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocols/tcp/Stats.cc b/src/analyzer/protocols/tcp/Stats.cc index 6157d54537..b5337fa2db 100644 --- a/src/analyzer/protocols/tcp/Stats.cc +++ b/src/analyzer/protocols/tcp/Stats.cc @@ -2,6 +2,10 @@ #include "Stats.h" #include "File.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + TCPStateStats::TCPStateStats() { for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) diff --git a/src/analyzer/protocols/tcp/Stats.h b/src/analyzer/protocols/tcp/Stats.h index 01c95620ce..42c03ab321 100644 --- a/src/analyzer/protocols/tcp/Stats.h +++ b/src/analyzer/protocols/tcp/Stats.h 
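Review bot: `#define CR_as_EOL 1` and `#define LF_as_EOL 2` in ContentLine.h now sit inside the new `namespace analyzer { namespace tcp {`, but preprocessor macros ignore namespaces, so the wrapping suggests a scoping that does not exist; the `ENDIAN_*` defines in TCP_Endpoint.h further down are in the same position. If scoping is intended, `const int CR_as_EOL = 1;` and `const int LF_as_EOL = 2;` inside the namespace would give it — note SSH.cc uses `LF_as_EOL` unqualified from `analyzer::ssh` and would then need `tcp::LF_as_EOL`. Otherwise a one-line comment that these are global macros would stop readers from assuming otherwise.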
@@ -4,6 +4,8 @@ #include "TCP_Endpoint.h" +namespace analyzer { namespace tcp { + // A TCPStateStats object tracks the distribution of TCP states for // the currently active connections. class TCPStateStats { @@ -64,4 +66,6 @@ private: unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1]; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/TCP.cc b/src/analyzer/protocols/tcp/TCP.cc index 66bf9d2a83..23de51642b 100644 --- a/src/analyzer/protocols/tcp/TCP.cc +++ b/src/analyzer/protocols/tcp/TCP.cc @@ -11,6 +11,10 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + namespace { // local namespace const bool DEBUG_tcp_data_sent = false; const bool DEBUG_tcp_connection_close = false; @@ -954,7 +958,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip) { if ( is_orig && ! (first_packet_seen & ORIG) ) { - PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); + pia::PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); if ( pia ) pia->FirstPacket(is_orig, ip); first_packet_seen |= ORIG; @@ -962,7 +966,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip) if ( ! is_orig && ! (first_packet_seen & RESP) ) { - PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); + pia::PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); if ( pia ) pia->FirstPacket(is_orig, ip); first_packet_seen |= RESP; diff --git a/src/analyzer/protocols/tcp/TCP.h b/src/analyzer/protocols/tcp/TCP.h index ee89cef8e4..6b0b9e8637 100644 --- a/src/analyzer/protocols/tcp/TCP.h +++ b/src/analyzer/protocols/tcp/TCP.h 
@@ -14,11 +14,14 @@ // - TCP_Analyzer is the analyzer for the TCP protocol itself. // - TCP_ApplicationAnalyzer is an abstract base class for analyzers for a // protocol running on top of TCP. +// +namespace analyzer { namespace pia { class PIA_TCP; } }; -class PIA_TCP; +namespace analyzer { namespace tcp { + +class TCP_Endpoint; class TCP_ApplicationAnalyzer; class TCP_Reassembler; -class TCP_Endpoint; class TCP_Flags { public: @@ -94,7 +97,7 @@ public: protected: friend class TCP_ApplicationAnalyzer; friend class TCP_Reassembler; - friend class PIA_TCP; + friend class analyzer::pia::PIA_TCP; // Analyzer interface. virtual void Init(); @@ -223,7 +226,7 @@ protected: void ConnectionReset(); void PacketWithRST(); - void SetReassembler(TCP_Reassembler* rorig, TCP_Reassembler* rresp); + void SetReassembler(tcp::TCP_Reassembler* rorig, tcp::TCP_Reassembler* rresp); Val* BuildSYNPacketVal(int is_orig, const IP_Hdr* ip, const struct tcphdr* tcp); @@ -356,7 +359,7 @@ protected: int endian_type; }; -class TCPStats_Analyzer : public TCP_ApplicationAnalyzer { +class TCPStats_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: TCPStats_Analyzer(Connection* c); ~TCPStats_Analyzer(); @@ -375,4 +378,6 @@ protected: TCPStats_Endpoint* resp_stats; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.cc b/src/analyzer/protocols/tcp/TCP_Endpoint.cc index adb2c101d4..922c52693a 100644 --- a/src/analyzer/protocols/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocols/tcp/TCP_Endpoint.cc @@ -9,6 +9,10 @@ #include "File.h" #include "Val.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, int arg_is_orig) { contents_processor = 0; diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.h b/src/analyzer/protocols/tcp/TCP_Endpoint.h index 52a757b256..6cc2fefebf 100644 --- a/src/analyzer/protocols/tcp/TCP_Endpoint.h +++ b/src/analyzer/protocols/tcp/TCP_Endpoint.h 
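Review bot: The forward declaration `namespace analyzer { namespace pia { class PIA_TCP; } };` in the first TCP.h hunk carries a stray semicolon after the closing brace; an empty declaration at namespace scope draws an "extra ';'" warning under `-pedantic` on older toolchains and is noise otherwise, so it should read `namespace analyzer { namespace pia { class PIA_TCP; } }`. The `tcp::` qualifiers added in the later hunks of the same file (`SetReassembler(tcp::TCP_Reassembler* rorig, tcp::TCP_Reassembler* rresp)` and `class TCPStats_Analyzer : public tcp::TCP_ApplicationAnalyzer`) are redundant, since those declarations sit inside the `namespace analyzer { namespace tcp {` block opened by this hunk; dropping the prefix keeps them consistent with the neighbouring unqualified declarations such as `friend class TCP_Reassembler;`.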
@@ -5,6 +5,14 @@ #include "IPAddr.h" +class Connection; +class IP_Hdr; + +namespace analyzer { namespace tcp { + +class TCP_Analyzer; +class TCP_Reassembler; + typedef enum { TCP_ENDPOINT_INACTIVE, // no SYN (or other packets) seen for this side TCP_ENDPOINT_SYN_SENT, // SYN seen, but no ack @@ -16,11 +24,6 @@ typedef enum { TCP_ENDPOINT_RESET // RST seen } EndpointState; -class Connection; -class TCP_Reassembler; -class IP_Hdr; -class TCP_Analyzer; - // One endpoint of a TCP connection. class TCP_Endpoint { public: @@ -157,4 +160,6 @@ protected: #define ENDIAN_BIG 2 #define ENDIAN_CONFUSED 3 +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.cc b/src/analyzer/protocols/tcp/TCP_Reassembler.cc index 5bfd536a10..e54a1494af 100644 --- a/src/analyzer/protocols/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocols/tcp/TCP_Reassembler.cc @@ -8,6 +8,10 @@ // Only needed for gap_report events. #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + // Note, sequence numbers are relative. I.e., they start with 1. // TODO: The Reassembler should start using 64 bit ints for keeping track of diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.h b/src/analyzer/protocols/tcp/TCP_Reassembler.h index 410aa7cbbc..ab6eb97b70 100644 --- a/src/analyzer/protocols/tcp/TCP_Reassembler.h +++ b/src/analyzer/protocols/tcp/TCP_Reassembler.h @@ -13,8 +13,10 @@ class BroFile; class Connection; + +namespace analyzer { namespace tcp { + class TCP_Analyzer; -namespace analyzer { class Analyzer; } const int STOP_ON_GAP = 1; const int PUNT_ON_PARTIAL = 1; @@ -26,7 +28,7 @@ public: Forward, // forward to destination analyzer's children }; - TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, + TCP_Reassembler(Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, Type arg_type, bool arg_is_orig, TCP_Endpoint* arg_endp); 
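Review bot: The @@ -13 hunk of TCP_Reassembler.h removes `namespace analyzer { class Analyzer; }` while the constructor in the following hunk now takes an unqualified `Analyzer*`; inside `analyzer::tcp` that name only resolves to `analyzer::Analyzer` if something included above the hunk declares it, and the surviving `class BroFile; class Connection;` forward declarations suggest this header relied on the forward declaration rather than on an include. If no include provides it, keep the declaration in the new namespace block: `namespace analyzer { class Analyzer; namespace tcp {`. The header's include list is outside the hunk, so this is inferred from the visible lines.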
@@ -34,7 +36,7 @@ public: void Done(); - void SetDstAnalyzer(analyzer::Analyzer* analyzer) { dst_analyzer = analyzer; } + void SetDstAnalyzer(Analyzer* analyzer) { dst_analyzer = analyzer; } void SetType(Type arg_type) { type = arg_type; } TCP_Analyzer* GetTCPAnalyzer() { return tcp_analyzer; } @@ -69,6 +71,8 @@ public: // Skip up to seq, as if there's a content gap. // Can be used to skip HTTP data for performance considerations. void SkipToSeq(int seq); +} } // namespace analyzer::* + #endif int DataSent(double t, int seq, int len, const u_char* data, @@ -95,6 +99,8 @@ public: #ifdef ENABLE_SEQ_TO_SKIP bool IsSkippedContents(int seq, int length) const { return seq + length <= seq_to_skip; } +} } // namespace analyzer::* + #endif private: @@ -125,11 +131,13 @@ private: BroFile* record_contents_file; // file on which to reassemble contents - analyzer::Analyzer* dst_analyzer; + Analyzer* dst_analyzer; TCP_Analyzer* tcp_analyzer; Type type; bool is_orig; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/events.bif b/src/analyzer/protocols/tcp/events.bif index e69de29bb2..05a280024d 100644 --- a/src/analyzer/protocols/tcp/events.bif +++ b/src/analyzer/protocols/tcp/events.bif 
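Review bot: The `} } // namespace analyzer::*` closers added in the @@ -69 and @@ -95 hunks of TCP_Reassembler.h land inside the class body, in front of `#endif` lines that do not close the include guard: in @@ -95 the matching directive is the visible `#ifdef ENABLE_SEQ_TO_SKIP`, and in @@ -69 the opening directive is outside the hunk but `int DataSent(...)` following the `#endif` shows the class is still open. With ENABLE_SEQ_TO_SKIP defined those braces terminate the class and both namespaces early and the header would not compile; with it undefined they are dead text. Only the closer added in the @@ -125 hunk, before the final `#endif`, belongs, so the two earlier insertions should be deleted. The insert-before-every-`#endif` pattern suggests checking the other rewritten headers for the same mistake.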
@@ -0,0 +1,289 @@
+
+## Generated when reassembly starts for a TCP connection. This event is raised
+## at the moment when Bro's TCP analyzer enables stream reassembly for a
+## connection.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## connection_established connection_external connection_finished
+## connection_first_ACK connection_half_finished connection_partial_close
+## connection_pending connection_rejected connection_reset connection_reused
+## connection_state_remove connection_status_update connection_timeout
+## expected_connection_seen new_connection partial_connection
+event new_connection_contents%(c: connection%);
+
+## Generated for an unsuccessful connection attempt. This event is raised when
+## an originator unsuccessfully attempted to establish a connection.
+## "Unsuccessful" is defined as at least :bro:id:`tcp_attempt_delay` seconds
+## having elapsed since the originator first sent a connection establishment
+## packet to the destination without seeing a reply.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_established
+## connection_external connection_finished connection_first_ACK
+## connection_half_finished connection_partial_close connection_pending
+## connection_rejected connection_reset connection_reused connection_state_remove
+## connection_status_update connection_timeout expected_connection_seen
+## new_connection new_connection_contents partial_connection
+event connection_attempt%(c: connection%);
+
+## Generated when a SYN-ACK packet is seen in response to a SYN packet during
+## a TCP handshake. The final ACK of the handshake in response to SYN-ACK may
+## or may not occur later, one way to tell is to check the *history* field of
+## :bro:type:`connection` to see if the originator sent an ACK, indicated by
+## 'A' in the history string.
+##
+## c: The connection.
+##
+## ..
bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## connection_external connection_finished connection_first_ACK
+## connection_half_finished connection_partial_close connection_pending
+## connection_rejected connection_reset connection_reused connection_state_remove
+## connection_status_update connection_timeout expected_connection_seen
+## new_connection new_connection_contents partial_connection
+event connection_established%(c: connection%);
+
+## Generated for a new active TCP connection if Bro did not see the initial
+## handshake. This event is raised when Bro has observed traffic from each
+## endpoint, but the activity did not begin with the usual connection
+## establishment.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## connection_established connection_external connection_finished
+## connection_first_ACK connection_half_finished connection_partial_close
+## connection_pending connection_rejected connection_reset connection_reused
+## connection_state_remove connection_status_update connection_timeout
+## expected_connection_seen new_connection new_connection_contents
+##
+event partial_connection%(c: connection%);
+
+## Generated when a previously inactive endpoint attempts to close a TCP
+## connection via a normal FIN handshake or an abort RST sequence. When the
+## endpoint sent one of these packets, Bro waits
+## :bro:id:`tcp_partial_close_delay` prior to generating the event, to give
+## the other endpoint a chance to close the connection normally.
+##
+## c: The connection.
+##
+## ..
bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## connection_established connection_external connection_finished
+## connection_first_ACK connection_half_finished connection_pending
+## connection_rejected connection_reset connection_reused connection_state_remove
+## connection_status_update connection_timeout expected_connection_seen
+## new_connection new_connection_contents partial_connection
+event connection_partial_close%(c: connection%);
+
+## Generated for a TCP connection that finished normally. The event is raised
+## when a regular FIN handshake from both endpoints was observed.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## connection_established connection_external connection_first_ACK
+## connection_half_finished connection_partial_close connection_pending
+## connection_rejected connection_reset connection_reused connection_state_remove
+## connection_status_update connection_timeout expected_connection_seen
+## new_connection new_connection_contents partial_connection
+event connection_finished%(c: connection%);
+
+## Generated when one endpoint of a TCP connection attempted to gracefully close
+## the connection, but the other endpoint is in the TCP_INACTIVE state. This can
+## happen due to split routing, in which Bro only sees one side of a connection.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## connection_established connection_external connection_finished
+## connection_first_ACK connection_partial_close connection_pending
+## connection_rejected connection_reset connection_reused connection_state_remove
+## connection_status_update connection_timeout expected_connection_seen
+## new_connection new_connection_contents partial_connection
+event connection_half_finished%(c: connection%);
+
+## Generated for a rejected TCP connection.
This event is raised when an
+## originator attempted to setup a TCP connection but the responder replied
+## with a RST packet denying it.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## connection_established connection_external connection_finished
+## connection_first_ACK connection_half_finished connection_partial_close
+## connection_pending connection_reset connection_reused connection_state_remove
+## connection_status_update connection_timeout expected_connection_seen
+## new_connection new_connection_contents partial_connection
+##
+## c: The connection.
+##
+## .. note::
+##
+## If the responder does not respond at all, :bro:id:`connection_attempt` is
+## raised instead. If the responder initially accepts the connection but
+## aborts it later, Bro first generates :bro:id:`connection_established`
+## and then :bro:id:`connection_reset`.
+event connection_rejected%(c: connection%);
+
+## Generated when an endpoint aborted a TCP connection. The event is raised
+## when one endpoint of an established TCP connection aborted by sending a RST
+## packet.
+##
+## c: The connection.
+##
+## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## connection_established connection_external connection_finished
+## connection_first_ACK connection_half_finished connection_partial_close
+## connection_pending connection_rejected connection_reused
+## connection_state_remove connection_status_update connection_timeout
+## expected_connection_seen new_connection new_connection_contents
+## partial_connection
+event connection_reset%(c: connection%);
+
+## Generated for each still-open TCP connection when Bro terminates.
+##
+## c: The connection.
+##
+## ..
bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## connection_established connection_external connection_finished
+## connection_first_ACK connection_half_finished connection_partial_close
+## connection_rejected connection_reset connection_reused connection_state_remove
+## connection_status_update connection_timeout expected_connection_seen
+## new_connection new_connection_contents partial_connection bro_done
+event connection_pending%(c: connection%);
+
+## Generated for a SYN packet. Bro raises this event for every SYN packet seen
+## by its TCP analyzer.
+##
+## c: The connection.
+##
+## pkt: Information extracted from the SYN packet.
+##
+## .. bro:see:: connection_EOF connection_attempt connection_established
+## connection_external connection_finished connection_first_ACK
+## connection_half_finished connection_partial_close connection_pending
+## connection_rejected connection_reset connection_reused connection_state_remove
+## connection_status_update connection_timeout expected_connection_seen
+## new_connection new_connection_contents partial_connection
+##
+## .. note::
+##
+## This event has quite low-level semantics and can potentially be expensive
+## to generate. It should only be used if one really needs the specific
+## information passed into the handler via the ``pkt`` argument. If not,
+## handling one of the other ``connection_*`` events is typically the
+## better approach.
+event connection_SYN_packet%(c: connection, pkt: SYN_packet%);
+
+## Generated for the first ACK packet seen for a TCP connection from
+## its *originator*.
+##
+## c: The connection.
+##
+## ..
bro:see:: connection_EOF connection_SYN_packet connection_attempt
+## connection_established connection_external connection_finished
+## connection_half_finished connection_partial_close connection_pending
+## connection_rejected connection_reset connection_reused connection_state_remove
+## connection_status_update connection_timeout expected_connection_seen
+## new_connection new_connection_contents partial_connection
+##
+## .. note::
+##
+## This event has quite low-level semantics and should be used only rarely.
+event connection_first_ACK%(c: connection%);
+
+## Generated at the end of reassembled TCP connections. The TCP reassembler
+## raised the event once for each endpoint of a connection when it finished
+## reassembling the corresponding side of the communication.
+##
+## c: The connection.
+##
+## is_orig: True if the event is raised for the originator side.
+##
+## .. bro:see:: connection_SYN_packet connection_attempt connection_established
+## connection_external connection_finished connection_first_ACK
+## connection_half_finished connection_partial_close connection_pending
+## connection_rejected connection_reset connection_reused connection_state_remove
+## connection_status_update connection_timeout expected_connection_seen
+## new_connection new_connection_contents partial_connection
+event connection_EOF%(c: connection, is_orig: bool%);
+
+## Generated for every TCP packet. This is a very low-level and expensive event
+## that should be avoided when at all possible. It's usually infeasible to
+## handle when processing even medium volumes of traffic in real-time. It's
+## slightly better than :bro:id:`new_packet` because it affects only TCP, but
+## not much. That said, if you work from a trace and want to do some
+## packet-level analysis, it may come in handy.
+##
+## c: The connection the packet is part of.
+##
+## is_orig: True if the packet was sent by the connection's originator.
+##
+## flags: A string with the packet's TCP flags.
In the string, each character
+## corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN;
+## ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH.
+##
+## seq: The packet's TCP sequence number.
+##
+## ack: The packet's ACK number.
+##
+## len: The length of the TCP payload, as specified in the packet header.
+##
+## payload: The raw TCP payload. Note that this may be shorter than *len* if
+## the packet was not fully captured.
+##
+## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit
+event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%);
+
+## Generated for each option found in a TCP header. Like many of the ``tcp_*``
+## events, this is a very low-level event and potentially expensive as it may
+## be raised very often.
+##
+## c: The connection the packet is part of.
+##
+## is_orig: True if the packet was sent by the connection's originator.
+##
+## opt: The numerical option number, as found in the TCP header.
+##
+## optlen: The length of the options value.
+##
+## .. bro:see:: tcp_packet tcp_contents tcp_rexmit
+##
+## .. note:: There is currently no way to get the actual option value, if any.
+event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
+
+## Generated for each chunk of reassembled TCP payload. When content delivery is
+## enabled for a TCP connection (via :bro:id:`tcp_content_delivery_ports_orig`,
+## :bro:id:`tcp_content_delivery_ports_resp`,
+## :bro:id:`tcp_content_deliver_all_orig`,
+## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk
+## of in-order payload reconstructed from the packet stream. Note that this
+## event is potentially expensive if many connections carry significant amounts
+## of data as then all that data needs to be passed on to the scripting layer.
+##
+## c: The connection the payload is part of.
+##
+## is_orig: True if the packet was sent by the connection's originator.
+## +## seq: The sequence number corresponding to the first byte of the payload +## chunk. +## +## contents: The raw payload, which will be non-empty. +## +## .. bro:see:: tcp_packet tcp_option tcp_rexmit +## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp +## tcp_content_deliver_all_resp tcp_content_deliver_all_orig +## +## .. note:: +## +## The payload received by this event is the same that is also passed into +## application-layer protocol analyzers internally. Subsequent invocations of +## this event for the same connection receive non-overlapping in-order chunks +## of its TCP payload stream. It is however undefined what size each chunk +## has; while Bro passes the data on as soon as possible, specifics depend on +## network-level effects such as latency, acknowledgements, reordering, etc. +event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%); + +## TODO. +event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%); + diff --git a/src/analyzer/protocols/teredo/Plugin.cc b/src/analyzer/protocols/teredo/Plugin.cc index 9fc0fa4e7a..1ea1c03238 100644 --- a/src/analyzer/protocols/teredo/Plugin.cc +++ b/src/analyzer/protocols/teredo/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Teredo) BRO_PLUGIN_DESCRIPTION("Teredo Analyzer"); - BRO_PLUGIN_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("TEREDO", teredo::Teredo_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/teredo/Teredo.cc b/src/analyzer/protocols/teredo/Teredo.cc index 88ed6d582e..d81f90d840 100644 --- a/src/analyzer/protocols/teredo/Teredo.cc +++ b/src/analyzer/protocols/teredo/Teredo.cc @@ -5,6 +5,10 @@ #include "IP.h" #include "Reporter.h" +#include "events.bif.h" + +using namespace analyzer::teredo; + void Teredo_Analyzer::Done() { Analyzer::Done(); 
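Review bot: `tcp_rexmit` at the end of the new tcp/events.bif is declared with only `## TODO.` as its documentation, so its six parameters (`c`, `is_orig`, `seq`, `len`, `data_in_flight`, `window`) are the only ones in the file left unexplained, and a reader of the generated docs cannot learn what `data_in_flight` and `window` measure. Every other event here has a purpose sentence, one `## <param>:` line per parameter and a `.. bro:see::` cross-reference; at minimum the parameter lines should be present, reusing the file's own wording where it applies, e.g. `## c: The connection.` and `## is_orig: True if the packet was sent by the connection's originator.`, with the remaining four filled in by whoever knows the reassembler's semantics rather than guessed. The same placeholder appears as `## contents: TODO.` for `udp_contents` in udp/events.bif.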
diff --git a/src/analyzer/protocols/teredo/Teredo.h b/src/analyzer/protocols/teredo/Teredo.h index f8cc0a15d7..b202a6e729 100644 --- a/src/analyzer/protocols/teredo/Teredo.h +++ b/src/analyzer/protocols/teredo/Teredo.h @@ -5,6 +5,8 @@ #include "NetVar.h" #include "Reporter.h" +namespace analyzer { namespace teredo { + class Teredo_Analyzer : public analyzer::Analyzer { public: Teredo_Analyzer(Connection* conn) : Analyzer("TEREDO", conn), @@ -89,4 +91,6 @@ protected: const Teredo_Analyzer* analyzer; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/teredo/events.bif b/src/analyzer/protocols/teredo/events.bif index e69de29bb2..62bc7d06cd 100644 --- a/src/analyzer/protocols/teredo/events.bif +++ b/src/analyzer/protocols/teredo/events.bif 
@@ -0,0 +1,55 @@
+## Generated for any IPv6 packet encapsulated in a Teredo tunnel.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. bro:see:: teredo_authentication teredo_origin_indication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event teredo_packet%(outer: connection, inner: teredo_hdr%);
+
+## Generated for IPv6 packets encapsulated in a Teredo tunnel that
+## use the Teredo authentication encapsulation method.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. bro:see:: teredo_packet teredo_origin_indication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event teredo_authentication%(outer: connection, inner: teredo_hdr%);
+
+## Generated for IPv6 packets encapsulated in a Teredo tunnel that
+## use the Teredo origin indication encapsulation method.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. bro:see:: teredo_packet teredo_authentication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+## it may become particularly expensive for real-time analysis.
+event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
+
+## Generated for Teredo bubble packets. That is, IPv6 packets encapsulated
+## in a Teredo tunnel that have a Next Header value of :bro:id:`IPPROTO_NONE`.
+## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. bro:see:: teredo_packet teredo_authentication teredo_origin_indication +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_bubble%(outer: connection, inner: teredo_hdr%); + diff --git a/src/analyzer/protocols/udp/Plugin.cc b/src/analyzer/protocols/udp/Plugin.cc index 1a9b462013..a013c55a87 100644 --- a/src/analyzer/protocols/udp/Plugin.cc +++ b/src/analyzer/protocols/udp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(UDP) BRO_PLUGIN_DESCRIPTION("UDP Analyzer"); - BRO_PLUGIN_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("UDP", udp::UDP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/udp/UDP.cc b/src/analyzer/protocols/udp/UDP.cc index f85f5ad991..8092a511c3 100644 --- a/src/analyzer/protocols/udp/UDP.cc +++ b/src/analyzer/protocols/udp/UDP.cc @@ -10,6 +10,10 @@ #include "Reporter.h" #include "Conn.h" +#include "events.bif.h" + +using namespace analyzer::udp; + UDP_Analyzer::UDP_Analyzer(Connection* conn) : TransportLayerAnalyzer("UDP", conn) { diff --git a/src/analyzer/protocols/udp/UDP.h b/src/analyzer/protocols/udp/UDP.h index 67048781a7..b3ef3bcf2d 100644 --- a/src/analyzer/protocols/udp/UDP.h +++ b/src/analyzer/protocols/udp/UDP.h @@ -6,6 +6,8 @@ #include "analyzer/Analyzer.h" #include +namespace analyzer { namespace udp { + typedef enum { UDP_INACTIVE, // no packet seen UDP_ACTIVE, // packets seen @@ -45,4 +47,6 @@ private: #define HIST_RESP_CORRUPT_PKT 0x8 }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/udp/events.bif b/src/analyzer/protocols/udp/events.bif index e69de29bb2..394181cf5d 100644 --- a/src/analyzer/protocols/udp/events.bif 
+++ b/src/analyzer/protocols/udp/events.bif
@@ -0,0 +1,38 @@
+## Generated for each packet sent by a UDP flow's originator. This a potentially
+## expensive event due to the volume of UDP traffic and should be used with
+## care.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## .. bro:see:: udp_contents udp_reply udp_session_done
+event udp_request%(u: connection%);
+
+## Generated for each packet sent by a UDP flow's responder. This a potentially
+## expensive event due to the volume of UDP traffic and should be used with
+## care.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## .. bro:see:: udp_contents udp_request udp_session_done
+event udp_reply%(u: connection%);
+
+## Generated for UDP packets to pass on their payload. As the number of UDP
+## packets can be very large, this event is normally raised only for those on
+## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets
+## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp`
+## (for packets sent by the flow's responder). However, delivery can be enabled
+## for all UDP request and reply packets by setting
+## :bro:id:`udp_content_deliver_all_orig` or
+## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this
+## event is also raised for all matching UDP packets, including empty ones.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## is_orig: True if the event is raised for the originator side.
+##
+## contents: TODO.
+##
+## .. bro:see:: udp_reply udp_request udp_session_done
+## udp_content_deliver_all_orig udp_content_deliver_all_resp
+## udp_content_delivery_ports_orig udp_content_delivery_ports_resp
+event udp_contents%(u: connection, is_orig: bool, contents: string%);
diff --git a/src/analyzer/protocols/zip/Plugin.cc b/src/analyzer/protocols/zip/Plugin.cc
index 89382dd0cd..5ab2b60baf 100644
--- a/src/analyzer/protocols/zip/Plugin.cc
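Review bot: The descriptions of both `udp_request` and `udp_reply` in the new udp/events.bif read `This a potentially expensive event`, dropping the verb; the first line of each should be `## Generated for each packet sent by a UDP flow's originator. This is a potentially` and `## Generated for each packet sent by a UDP flow's responder. This is a potentially` respectively. These lines feed the generated script reference, so the typo is user-visible.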
+++ b/src/analyzer/protocols/zip/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(ZIP) BRO_PLUGIN_DESCRIPTION("Generic ZIP support analyzer"); - BRO_PLUGIN_ANALYZER("ZIP", 0); + BRO_PLUGIN_ANALYZER_BARE("ZIP"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/zip/ZIP.cc b/src/analyzer/protocols/zip/ZIP.cc index d3d9b1c38b..132515f29a 100644 --- a/src/analyzer/protocols/zip/ZIP.cc +++ b/src/analyzer/protocols/zip/ZIP.cc @@ -2,8 +2,12 @@ #include "ZIP.h" +#include "events.bif.h" + +using namespace analyzer::zip; + ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method) -: TCP_SupportAnalyzer("ZIP", conn, orig) +: tcp::TCP_SupportAnalyzer("ZIP", conn, orig) { zip = 0; zip_status = Z_OK; @@ -44,7 +48,7 @@ void ZIP_Analyzer::Done() void ZIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); if ( ! len || zip_status != Z_OK ) return; diff --git a/src/analyzer/protocols/zip/ZIP.h b/src/analyzer/protocols/zip/ZIP.h index 24ec919f70..7eda1e295f 100644 --- a/src/analyzer/protocols/zip/ZIP.h +++ b/src/analyzer/protocols/zip/ZIP.h @@ -8,7 +8,9 @@ #include "zlib.h" #include "analyzer/protocols/tcp/TCP.h" -class ZIP_Analyzer : public TCP_SupportAnalyzer { +namespace analyzer { namespace zip { + +class ZIP_Analyzer : public tcp::TCP_SupportAnalyzer { public: enum Method { GZIP, DEFLATE }; @@ -26,4 +28,6 @@ protected: Method method; }; +} } // namespace analyzer::* + #endif diff --git a/src/bro.bif b/src/bro.bif index aa15443e64..aa8229f92d 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -4232,7 +4232,7 @@ function get_login_state%(cid: conn_id%): count if ( ! la ) return new Val(0, TYPE_BOOL); - return new Val(int(static_cast(la)->LoginState()), + return new Val(int(static_cast(la)->LoginState()), TYPE_COUNT); %} 
@@ -4257,7 +4257,7 @@ function set_login_state%(cid: conn_id, new_state: count%): bool if ( ! la ) return new Val(0, TYPE_BOOL); - static_cast(la)->SetLoginState(login_state(new_state)); + static_cast(la)->SetLoginState(analyzer::login::login_state(new_state)); return new Val(1, TYPE_BOOL); %} @@ -4286,7 +4286,7 @@ function get_orig_seq%(cid: conn_id%): count analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) - return new Val(static_cast(tc)->OrigSeq(), + return new Val(static_cast(tc)->OrigSeq(), TYPE_COUNT); else { @@ -4316,7 +4316,7 @@ function get_resp_seq%(cid: conn_id%): count analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) - return new Val(static_cast(tc)->RespSeq(), + return new Val(static_cast(tc)->RespSeq(), TYPE_COUNT); else { @@ -4338,7 +4338,7 @@ function skip_smtp_data%(c: connection%): any %{ analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); if ( sa ) - static_cast(sa)->SkipData(); + static_cast(sa)->SkipData(); return 0; %} diff --git a/src/event.bif b/src/event.bif index ab44495fdc..76c4ff09f5 100644 --- a/src/event.bif +++ b/src/event.bif @@ -1,7 +1,9 @@ -##! The events that the C/C++ core of Bro can generate. This is mostly -##! consisting of high-level network events that protocol analyzers detect, -##! but there are also several general-utility events generated by internal -##! Bro frameworks. +##! The protocol-independent events that the C/C++ core of Bro can generate. +##! +##! This is mostly events not related to a specific transport- or +##! application-layer protocol, but also includes a few that may be generated +##! by more than one protocols analyzer (like events generated by both UDP and +##! TCP analysis.) # # Documentation conventions: 
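Review bot: The rewritten file header in event.bif says `by more than one protocols analyzer`, which should be `by more than one protocol analyzer`; the preceding sentence, `This is mostly events not related to ...`, would also read more naturally as `These are mostly events not related to ...`. Suggested lines: `##! These are mostly events not related to a specific transport- or` and `##! by more than one protocol analyzer (like events generated by both UDP and`. This header is the first thing readers of the generated event reference see, so it is worth getting right in the same commit.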
@@ -59,69 +61,6 @@ event bro_init%(%);
 ## is not generated.
 event bro_done%(%);
 
-## Generated when an internal DNS lookup produces the same result as last time.
-## Bro keeps an internal DNS cache for host names and IP addresses it has
-## already resolved. This event is generated when a subsequent lookup returns
-## the same result as stored in the cache.
-##
-## dm: A record describing the new resolver result (which matches the old one).
-##
-## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified
-event dns_mapping_valid%(dm: dns_mapping%);
-
-## Generated when an internal DNS lookup got no answer even though it had
-## succeeded in the past. Bro keeps an internal DNS cache for host names and IP
-## addresses it has already resolved. This event is generated when a
-## subsequent lookup does not produce an answer even though we have
-## already stored a result in the cache.
-##
-## dm: A record describing the old resolver result.
-##
-## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_valid
-event dns_mapping_unverified%(dm: dns_mapping%);
-
-## Generated when an internal DNS lookup succeeded but an earlier attempt
-## did not. Bro keeps an internal DNS cache for host names and IP
-## addresses it has already resolved. This event is generated when a subsequent
-## lookup produces an answer for a query that was marked as failed in the cache.
-##
-## dm: A record describing the new resolver result.
-##
-## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified
-event dns_mapping_new_name%(dm: dns_mapping%);
-
-## Generated when an internal DNS lookup returned zero answers even though it
-## had succeeded in the past. Bro keeps an internal DNS cache for host names
-## and IP addresses it has already resolved. This event is generated when
-## on a subsequent lookup we receive an answer that is empty even
-## though we have already stored a result in the cache.
-##
-## dm: A record describing the old resolver result.
-##
-## .. bro:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified
-## dns_mapping_valid
-event dns_mapping_lost_name%(dm: dns_mapping%);
-
-## Generated when an internal DNS lookup produced a different result than in
-## the past. Bro keeps an internal DNS cache for host names and IP addresses
-## it has already resolved. This event is generated when a subsequent lookup
-## returns a different answer than we have stored in the cache.
-##
-## dm: A record describing the new resolver result.
-##
-## old_addrs: Addresses that used to be part of the returned set for the query
-## described by *dm*, but are not anymore.
-##
-## new_addrs: Addresses that were not part of the returned set for the query
-## described by *dm*, but now are.
-##
-## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
-## dns_mapping_valid
-event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
-
 ## Generated for every new connection. This event is raised with the first
 ## packet of a previously unknown connection. Bro uses a flow-based definition
 ## of "connection" here that includes not only TCP sessions but also UDP and
@@ -157,9 +96,10 @@ event new_connection%(c: connection%);
 ## e: The new encapsulation.
 event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
 
-## Generated when reassembly starts for a TCP connection. This event is raised
-## at the moment when Bro's TCP analyzer enables stream reassembly for a
-## connection.
+## Generated when a TCP connection timed out. This event is raised when
+## no activity was seen for an interval of at least
+## :bro:id:`tcp_connection_linger`, and either one endpoint has already
+## closed the connection or one side never became active.
 ##
 ## c: The connection.
 ##
@@ -167,148 +107,18 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused -## connection_state_remove connection_status_update connection_timeout -## scheduled_analyzer_applied new_connection partial_connection -event new_connection_contents%(c: connection%); - -## Generated for an unsuccessful connection attempt. This event is raised when -## an originator unsuccessfully attempted to establish a connection. -## "Unsuccessful" is defined as at least :bro:id:`tcp_attempt_delay` seconds -## having elapsed since the originator first sent a connection establishment -## packet to the destination without seeing a reply. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_established -## connection_external connection_finished connection_first_ACK -## connection_half_finished connection_partial_close connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied +## connection_state_remove connection_status_update expected_connection_seen ## new_connection new_connection_contents partial_connection -event connection_attempt%(c: connection%); - -## Generated when a SYN-ACK packet is seen in response to a SYN packet during -## a TCP handshake. The final ACK of the handshake in response to SYN-ACK may -## or may not occur later, one way to tell is to check the *history* field of -## :bro:type:`connection` to see if the originator sent an ACK, indicated by -## 'A' in the history string. -## -## c: The connection. -## -## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_external connection_finished connection_first_ACK -## connection_half_finished connection_partial_close connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -event connection_established%(c: connection%); - -## Generated for a new active TCP connection if Bro did not see the initial -## handshake. This event is raised when Bro has observed traffic from each -## endpoint, but the activity did not begin with the usual connection -## establishment. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_half_finished connection_partial_close -## connection_pending connection_rejected connection_reset connection_reused -## connection_state_remove connection_status_update connection_timeout -## scheduled_analyzer_applied new_connection new_connection_contents -## -event partial_connection%(c: connection%); - -## Generated when a previously inactive endpoint attempts to close a TCP -## connection via a normal FIN handshake or an abort RST sequence. When the -## endpoint sent one of these packets, Bro waits -## :bro:id:`tcp_partial_close_delay` prior to generating the event, to give -## the other endpoint a chance to close the connection normally. -## -## c: The connection. -## -## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_half_finished connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -event connection_partial_close%(c: connection%); - -## Generated for a TCP connection that finished normally. The event is raised -## when a regular FIN handshake from both endpoints was observed. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_first_ACK -## connection_half_finished connection_partial_close connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -event connection_finished%(c: connection%); - -## Generated when one endpoint of a TCP connection attempted to gracefully close -## the connection, but the other endpoint is in the TCP_INACTIVE state. This can -## happen due to split routing, in which Bro only sees one side of a connection. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_partial_close connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -event connection_half_finished%(c: connection%); - -## Generated for a rejected TCP connection. 
This event is raised when an -## originator attempted to setup a TCP connection but the responder replied -## with a RST packet denying it. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_half_finished connection_partial_close -## connection_pending connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -## -## c: The connection. ## ## .. note:: ## -## If the responder does not respond at all, :bro:id:`connection_attempt` is -## raised instead. If the responder initially accepts the connection but -## aborts it later, Bro first generates :bro:id:`connection_established` -## and then :bro:id:`connection_reset`. -event connection_rejected%(c: connection%); - -## Generated when an endpoint aborted a TCP connection. The event is raised -## when one endpoint of an established TCP connection aborted by sending a RST -## packet. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_half_finished connection_partial_close -## connection_pending connection_rejected connection_reused -## connection_state_remove connection_status_update connection_timeout -## scheduled_analyzer_applied new_connection new_connection_contents -## partial_connection -event connection_reset%(c: connection%); - -## Generated for each still-open connection when Bro terminates. -## -## c: The connection. -## -## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_half_finished connection_partial_close -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection bro_done -event connection_pending%(c: connection%); +## The precise semantics of this event can be unintuitive as it only +## covers a subset of cases where a connection times out. Often, handling +## :bro:id:`connection_state_remove` is the better option. That one will be +## generated reliably when an interval of ``tcp_inactivity_timeout`` has +## passed without any activity seen (but also for all other ways a +## connection may terminate). +event connection_timeout%(c: connection%); ## Generated when a connection's internal state is about to be removed from ## memory. Bro generates this event reliably once for every connection when it 
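Review bot: The `.. bro:see::` list that survives for connection_timeout, including the added `connection_state_remove connection_status_update expected_connection_seen` line, still names connection_EOF, connection_SYN_packet, connection_established, connection_first_ACK, new_connection_contents and partial_connection, all of which this commit deletes from event.bif here and in the hunks at `@@ -328,70 +138,6 @@` and `@@ -434,22 +180,6 @@`. If those events were moved into the TCP analyzer's own .bif the cross-references still resolve, but that move is not visible in this diff; otherwise the generated documentation ends up with dangling links. The same question applies to the `udp_contents udp_reply udp_request` references kept in the udp_session_done block added at `@@ -460,6 +190,16 @@`, whose originals are removed at `@@ -890,355 +421,6 @@`. Either trim the lists to events that still live in this file, or confirm the relocated definitions keep the same names.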
@@ -328,70 +138,6 @@ event connection_pending%(c: connection%);
 ## tcp_inactivity_timeout icmp_inactivity_timeout conn_stats
 event connection_state_remove%(c: connection%);
 
-## Generated for a SYN packet. Bro raises this event for every SYN packet seen
-## by its TCP analyzer.
-##
-## c: The connection.
-##
-## pkt: Information extracted from the SYN packet.
-##
-## .. bro:see:: connection_EOF connection_attempt connection_established
-## connection_external connection_finished connection_first_ACK
-## connection_half_finished connection_partial_close connection_pending
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-##
-## .. note::
-##
-## This event has quite low-level semantics and can potentially be expensive
-## to generate. It should only be used if one really needs the specific
-## information passed into the handler via the ``pkt`` argument. If not,
-## handling one of the other ``connection_*`` events is typically the
-## better approach.
-event connection_SYN_packet%(c: connection, pkt: SYN_packet%);
-
-## Generated for the first ACK packet seen for a TCP connection from
-## its *originator*.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_established connection_external connection_finished
-## connection_half_finished connection_partial_close connection_pending
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-##
-## .. note::
-##
-## This event has quite low-level semantics and should be used only rarely.
-event connection_first_ACK%(c: connection%);
-
-## Generated when a TCP connection timed out. This event is raised when
-## no activity was seen for an interval of at least
-## :bro:id:`tcp_connection_linger`, and either one endpoint has already
-## closed the connection or one side never became active.
-##
-## c: The connection.
-##
-## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt
-## connection_established connection_external connection_finished
-## connection_first_ACK connection_half_finished connection_partial_close
-## connection_pending connection_rejected connection_reset connection_reused
-## connection_state_remove connection_status_update scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-##
-## .. note::
-##
-## The precise semantics of this event can be unintuitive as it only
-## covers a subset of cases where a connection times out. Often, handling
-## :bro:id:`connection_state_remove` is the better option. That one will be
-## generated reliably when an interval of ``tcp_inactivity_timeout`` has
-## passed without any activity seen (but also for all other ways a
-## connection may terminate).
-event connection_timeout%(c: connection%);
-
 ## Generated when a connection 4-tuple is reused. This event is raised when Bro
 ## sees a new TCP session or UDP flow using a 4-tuple matching that of an
 ## earlier connection it still considers active.
@@ -434,22 +180,6 @@ event connection_status_update%(c: connection%);
 ## .. bro:see:: connection_established new_connection
 event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: count, new_label: count%);
 
-## Generated at the end of reassembled TCP connections. The TCP reassembler
-## raised the event once for each endpoint of a connection when it finished
-## reassembling the corresponding side of the communication.
-##
-## c: The connection.
-##
-## is_orig: True if the event is raised for the originator side.
-##
-## .. bro:see:: connection_SYN_packet connection_attempt connection_established
-## connection_external connection_finished connection_first_ACK
-## connection_half_finished connection_partial_close connection_pending
-## connection_rejected connection_reset connection_reused connection_state_remove
-## connection_status_update connection_timeout scheduled_analyzer_applied
-## new_connection new_connection_contents partial_connection
-event connection_EOF%(c: connection, is_orig: bool%);
-
 ## Generated for a new connection received from the communication subsystem.
 ## Remote peers can inject packets into Bro's packet loop, for example via
 ## :doc:`Broccoli `. The communication system
@@ -460,6 +190,16 @@ event connection_EOF%(c: connection, is_orig: bool%);
 ## tag: TODO.
 event connection_external%(c: connection, tag: string%);
 
+## Generated when a UDP session for a supported protocol has finished. Some of
+## Bro's application-layer UDP analyzers flag the end of a session by raising
+## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
+## Teredo, and GTPv1 support this.
+##
+## u: The connection record for the corresponding UDP flow.
+##
+## .. bro:see:: udp_contents udp_reply udp_request
+event udp_session_done%(u: connection%);
+
 ## Generated when a connection is seen that is marked as being expected.
 ## The function :bro:id:`expect_connection` tells Bro to expect a particular
 ## connection to come up, and which analyzer to associate with it. Once the
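Review bot: The moved udp_session_done comment hard-codes the analyzers that raise it (`DNS, NTP, Netbios, Syslog, AYIYA, Teredo, and GTPv1`), and with this commit apparently splitting analyzers into their own plugins that list will silently go stale as analyzers are added or removed. Since the event stays in event.bif precisely because several analyzers generate it, a generic phrasing is more maintainable, e.g. replacing the third and fourth added lines with `## this event; which analyzers do so depends on the UDP analyzers in use.`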
@@ -522,135 +262,6 @@ event esp_packet%(p: pkt_hdr%); ## .. bro:see:: new_packet tcp_packet ipv6_ext_headers event mobile_ipv6_message%(p: pkt_hdr%); -## Generated for any IPv6 packet encapsulated in a Teredo tunnel. -## See :rfc:`4380` for more information about the Teredo protocol. -## -## outer: The Teredo tunnel connection. -## -## inner: The Teredo-encapsulated IPv6 packet header and transport header. -## -## .. bro:see:: teredo_authentication teredo_origin_indication teredo_bubble -## -## .. note:: Since this event may be raised on a per-packet basis, handling -## it may become particularly expensive for real-time analysis. -event teredo_packet%(outer: connection, inner: teredo_hdr%); - -## Generated for IPv6 packets encapsulated in a Teredo tunnel that -## use the Teredo authentication encapsulation method. -## See :rfc:`4380` for more information about the Teredo protocol. -## -## outer: The Teredo tunnel connection. -## -## inner: The Teredo-encapsulated IPv6 packet header and transport header. -## -## .. bro:see:: teredo_packet teredo_origin_indication teredo_bubble -## -## .. note:: Since this event may be raised on a per-packet basis, handling -## it may become particularly expensive for real-time analysis. -event teredo_authentication%(outer: connection, inner: teredo_hdr%); - -## Generated for IPv6 packets encapsulated in a Teredo tunnel that -## use the Teredo origin indication encapsulation method. -## See :rfc:`4380` for more information about the Teredo protocol. -## -## outer: The Teredo tunnel connection. -## -## inner: The Teredo-encapsulated IPv6 packet header and transport header. -## -## .. bro:see:: teredo_packet teredo_authentication teredo_bubble -## -## .. note:: Since this event may be raised on a per-packet basis, handling -## it may become particularly expensive for real-time analysis. -event teredo_origin_indication%(outer: connection, inner: teredo_hdr%); - -## Generated for Teredo bubble packets. 
That is, IPv6 packets encapsulated -## in a Teredo tunnel that have a Next Header value of :bro:id:`IPPROTO_NONE`. -## See :rfc:`4380` for more information about the Teredo protocol. -## -## outer: The Teredo tunnel connection. -## -## inner: The Teredo-encapsulated IPv6 packet header and transport header. -## -## .. bro:see:: teredo_packet teredo_authentication teredo_origin_indication -## -## .. note:: Since this event may be raised on a per-packet basis, handling -## it may become particularly expensive for real-time analysis. -event teredo_bubble%(outer: connection, inner: teredo_hdr%); - -## Generated for any GTP message with a GTPv1 header. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -event gtpv1_message%(c: connection, hdr: gtpv1_hdr%); - -## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload -## that includes a GTP header followed by an IPv4 or IPv6 packet. -## -## outer: The GTP outer tunnel connection. -## -## inner_gtp: The GTP header. -## -## inner_ip: The inner IP and transport layer packet headers. -## -## .. note:: Since this event may be raised on a per-packet basis, handling -## it may become particularly expensive for real-time analysis. -event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%); - -## Generated for GTPv1-C Create PDP Context Request messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. -event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%); - -## Generated for GTPv1-C Create PDP Context Response messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. 
-event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%); - -## Generated for GTPv1-C Update PDP Context Request messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. -event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%); - -## Generated for GTPv1-C Update PDP Context Response messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. -event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%); - -## Generated for GTPv1-C Delete PDP Context Request messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. -event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%); - -## Generated for GTPv1-C Delete PDP Context Response messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. -event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%); - ## Generated for every packet that has a non-empty transport-layer payload. ## This is a very low-level and expensive event that should be avoided when ## at all possible. It's usually infeasible to handle when processing even 
@@ -665,85 +276,6 @@ event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gt ## .. bro:see:: new_packet tcp_packet event packet_contents%(c: connection, contents: string%); -## Generated for every TCP packet. This is a very low-level and expensive event -## that should be avoided when at all possible. It's usually infeasible to -## handle when processing even medium volumes of traffic in real-time. It's -## slightly better than :bro:id:`new_packet` because it affects only TCP, but -## not much. That said, if you work from a trace and want to do some -## packet-level analysis, it may come in handy. -## -## c: The connection the packet is part of. -## -## is_orig: True if the packet was sent by the connection's originator. -## -## flags: A string with the packet's TCP flags. In the string, each character -## corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN; -## ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH. -## -## seq: The packet's TCP sequence number. -## -## ack: The packet's ACK number. -## -## len: The length of the TCP payload, as specified in the packet header. -## -## payload: The raw TCP payload. Note that this may be shorter than *len* if -## the packet was not fully captured. -## -## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit -event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%); - -## Generated for each option found in a TCP header. Like many of the ``tcp_*`` -## events, this is a very low-level event and potentially expensive as it may -## be raised very often. -## -## c: The connection the packet is part of. -## -## is_orig: True if the packet was sent by the connection's originator. -## -## opt: The numerical option number, as found in the TCP header. -## -## optlen: The length of the options value. -## -## .. bro:see:: tcp_packet tcp_contents tcp_rexmit -## -## .. 
note:: There is currently no way to get the actual option value, if any. -event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); - -## Generated for each chunk of reassembled TCP payload. When content delivery is -## enabled for a TCP connection (via :bro:id:`tcp_content_delivery_ports_orig`, -## :bro:id:`tcp_content_delivery_ports_resp`, -## :bro:id:`tcp_content_deliver_all_orig`, -## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk -## of in-order payload reconstructed from the packet stream. Note that this -## event is potentially expensive if many connections carry significant amounts -## of data as then all that data needs to be passed on to the scripting layer. -## -## c: The connection the payload is part of. -## -## is_orig: True if the packet was sent by the connection's originator. -## -## seq: The sequence number corresponding to the first byte of the payload -## chunk. -## -## contents: The raw payload, which will be non-empty. -## -## .. bro:see:: tcp_packet tcp_option tcp_rexmit -## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp -## tcp_content_deliver_all_resp tcp_content_deliver_all_orig -## -## .. note:: -## -## The payload received by this event is the same that is also passed into -## application-layer protocol analyzers internally. Subsequent invocations of -## this event for the same connection receive non-overlapping in-order chunks -## of its TCP payload stream. It is however undefined what size each chunk -## has; while Bro passes the data on as soon as possible, specifics depend on -## network-level effects such as latency, acknowledgements, reordering, etc. -event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%); - -## TODO. -event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%); - ## Generated when Bro detects a TCP retransmission inconsistency. 
When ## reassembling a TCP stream, Bro buffers all payload until it sees the ## responder acking it. If during that time, the sender resends a chunk of @@ -831,7 +363,6 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); ## is exceeded. event gap_report%(dt: interval, info: gap_info%); - ## Generated when a protocol analyzer confirms that a connection is indeed ## using that protocol. Bro's dynamic protocol detection heuristically activates ## analyzers as soon as it believes a connection *could* be using a particular 
@@ -890,355 +421,6 @@ event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%); ## engine. event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%); -## Generated for each packet sent by a UDP flow's originator. This a potentially -## expensive event due to the volume of UDP traffic and should be used with -## care. -## -## u: The connection record for the corresponding UDP flow. -## -## .. bro:see:: udp_contents udp_reply udp_session_done -event udp_request%(u: connection%); - -## Generated for each packet sent by a UDP flow's responder. This a potentially -## expensive event due to the volume of UDP traffic and should be used with -## care. -## -## u: The connection record for the corresponding UDP flow. -## -## .. bro:see:: udp_contents udp_request udp_session_done -event udp_reply%(u: connection%); - -## Generated for UDP packets to pass on their payload. As the number of UDP -## packets can be very large, this event is normally raised only for those on -## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets -## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp` -## (for packets sent by the flow's responder). However, delivery can be enabled -## for all UDP request and reply packets by setting -## :bro:id:`udp_content_deliver_all_orig` or -## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this -## event is also raised for all matching UDP packets, including empty ones. -## -## u: The connection record for the corresponding UDP flow. -## -## is_orig: True if the event is raised for the originator side. -## -## contents: TODO. -## -## .. 
bro:see:: udp_reply udp_request udp_session_done -## udp_content_deliver_all_orig udp_content_deliver_all_resp -## udp_content_delivery_ports_orig udp_content_delivery_ports_resp -event udp_contents%(u: connection, is_orig: bool, contents: string%); - -## Generated when a UDP session for a supported protocol has finished. Some of -## Bro's application-layer UDP analyzers flag the end of a session by raising -## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA, -## Teredo, and GTPv1 support this. -## -## u: The connection record for the corresponding UDP flow. -## -## .. bro:see:: udp_contents udp_reply udp_request -event udp_session_done%(u: connection%); - -## Generated for all ICMP messages that are not handled separately with -## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages -## directly with dedicated events. This event acts as a fallback for those it -## doesn't. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard -## connection record *c*. -## -## .. bro:see:: icmp_error_message -event icmp_sent%(c: connection, icmp: icmp_conn%); - -## Generated for ICMP *echo request* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard -## connection record *c*. -## -## id: The *echo request* identifier. -## -## seq: The *echo request* sequence number. -## -## payload: The message-specific data of the packet payload, i.e., everything -## after the first 8 bytes of the ICMP header. -## -## .. bro:see:: icmp_echo_reply -event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); - -## Generated for ICMP *echo reply* messages. 
-## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## id: The *echo reply* identifier. -## -## seq: The *echo reply* sequence number. -## -## payload: The message-specific data of the packet payload, i.e., everything -## after the first 8 bytes of the ICMP header. -## -## .. bro:see:: icmp_echo_request -event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); - -## Generated for all ICMPv6 error messages that are not handled -## separately with dedicated events. Bro's ICMP analyzer handles a number -## of ICMP error messages directly with dedicated events. This event acts -## as a fallback for those it doesn't. -## -## See `Wikipedia -## `__ for more -## information about the ICMPv6 protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard -## connection record *c*. -## -## code: The ICMP code of the error message. -## -## context: A record with specifics of the original packet that the message -## refers to. -## -## .. bro:see:: icmp_unreachable icmp_packet_too_big -## icmp_time_exceeded icmp_parameter_problem -event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); - -## Generated for ICMP *destination unreachable* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## code: The ICMP code of the *unreachable* message. -## -## context: A record with specifics of the original packet that the message -## refers to. 
*Unreachable* messages should include the original IP -## header from the packet that triggered them, and Bro parses that -## into the *context* structure. Note that if the *unreachable* -## includes only a partial IP header for some reason, no -## fields of *context* will be filled out. -## -## .. bro:see:: icmp_error_message icmp_packet_too_big -## icmp_time_exceeded icmp_parameter_problem -event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); - -## Generated for ICMPv6 *packet too big* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMPv6 protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## code: The ICMP code of the *too big* message. -## -## context: A record with specifics of the original packet that the message -## refers to. *Too big* messages should include the original IP header -## from the packet that triggered them, and Bro parses that into -## the *context* structure. Note that if the *too big* includes only -## a partial IP header for some reason, no fields of *context* will -## be filled out. -## -## .. bro:see:: icmp_error_message icmp_unreachable -## icmp_time_exceeded icmp_parameter_problem -event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); - -## Generated for ICMP *time exceeded* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## code: The ICMP code of the *exceeded* message. -## -## context: A record with specifics of the original packet that the message -## refers to. 
*Unreachable* messages should include the original IP -## header from the packet that triggered them, and Bro parses that -## into the *context* structure. Note that if the *exceeded* includes -## only a partial IP header for some reason, no fields of *context* -## will be filled out. -## -## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big -## icmp_parameter_problem -event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); - -## Generated for ICMPv6 *parameter problem* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMPv6 protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## code: The ICMP code of the *parameter problem* message. -## -## context: A record with specifics of the original packet that the message -## refers to. *Parameter problem* messages should include the original -## IP header from the packet that triggered them, and Bro parses that -## into the *context* structure. Note that if the *parameter problem* -## includes only a partial IP header for some reason, no fields -## of *context* will be filled out. -## -## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big -## icmp_time_exceeded -event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); - -## Generated for ICMP *router solicitation* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## options: Any Neighbor Discovery options included with message (:rfc:`4861`). -## -## .. 
bro:see:: icmp_router_advertisement -## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect -event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%); - -## Generated for ICMP *router advertisement* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## cur_hop_limit: The default value that should be placed in Hop Count field -## for outgoing IP packets. -## -## managed: Managed address configuration flag, :rfc:`4861`. -## -## other: Other stateful configuration flag, :rfc:`4861`. -## -## home_agent: Mobile IPv6 home agent flag, :rfc:`3775`. -## -## pref: Router selection preferences, :rfc:`4191`. -## -## proxy: Neighbor discovery proxy flag, :rfc:`4389`. -## -## rsv: Remaining two reserved bits of router advertisement flags. -## -## router_lifetime: How long this router should be used as a default router. -## -## reachable_time: How long a neighbor should be considered reachable. -## -## retrans_timer: How long a host should wait before retransmitting. -## -## options: Any Neighbor Discovery options included with message (:rfc:`4861`). -## -## .. bro:see:: icmp_router_solicitation -## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect -event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%); - -## Generated for ICMP *neighbor solicitation* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. 
-## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## tgt: The IP address of the target of the solicitation. -## -## options: Any Neighbor Discovery options included with message (:rfc:`4861`). -## -## .. bro:see:: icmp_router_solicitation icmp_router_advertisement -## icmp_neighbor_advertisement icmp_redirect -event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%); - -## Generated for ICMP *neighbor advertisement* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## router: Flag indicating the sender is a router. -## -## solicited: Flag indicating advertisement is in response to a solicitation. -## -## override: Flag indicating advertisement should override existing caches. -## -## tgt: the Target Address in the soliciting message or the address whose -## link-layer address has changed for unsolicited adverts. -## -## options: Any Neighbor Discovery options included with message (:rfc:`4861`). -## -## .. bro:see:: icmp_router_solicitation icmp_router_advertisement -## icmp_neighbor_solicitation icmp_redirect -event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%); - -## Generated for ICMP *redirect* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## tgt: The address that is supposed to be a better first hop to use for -## ICMP Destination Address. -## -## dest: The address of the destination which is redirected to the target. 
-## -## options: Any Neighbor Discovery options included with message (:rfc:`4861`). -## -## .. bro:see:: icmp_router_solicitation icmp_router_advertisement -## icmp_neighbor_solicitation icmp_neighbor_advertisement -event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%); - ## Generated when a TCP connection terminated, passing on statistics about the ## two endpoints. This event is always generated when Bro flushes the internal ## connection state, independent of how a connection terminates. 
@@ -1329,4505 +511,6 @@ event net_weird%(name: string%); ## dmem: The difference in memory usage caused by processing the sampled packet. event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%); -## Generated for ARP requests. -## -## See `Wikipedia `__ -## for more information about the ARP protocol. -## -## mac_src: The request's source MAC address. -## -## mac_dst: The request's destination MAC address. -## -## SPA: The sender protocol address. -## -## SHA: The sender hardware address. -## -## TPA: The target protocol address. -## -## THA: The target hardware address. -## -## .. bro:see:: arp_reply bad_arp -event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, - TPA: addr, THA: string%); - -## Generated for ARP replies. -## -## See `Wikipedia `__ -## for more information about the ARP protocol. -## -## mac_src: The reply's source MAC address. -## -## mac_dst: The reply's destination MAC address. -## -## SPA: The sender protocol address. -## -## SHA: The sender hardware address. -## -## TPA: The target protocol address. -## -## THA: The target hardware address. -## -## .. bro:see:: arp_request bad_arp -event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, - TPA: addr, THA: string%); - -## Generated for ARP packets that Bro cannot interpret. Examples are packets -## with non-standard hardware address formats or hardware addresses that do not -## match the originator of the packet. -## -## SPA: The sender protocol address. -## -## SHA: The sender hardware address. -## -## TPA: The target protocol address. -## -## THA: The target hardware address. -## -## explanation: A short description of why the ARP packet is considered "bad". -## -## .. bro:see:: arp_reply arp_request -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. 
To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive -## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_handshake%(c: connection, is_orig: bool, - reserved: string, info_hash: string, peer_id: string%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bittorrent_peer_choke%(c: connection, is_orig: bool%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request -## bittorrent_peer_unknown bittorrent_peer_weird -event bittorrent_peer_unchoke%(c: connection, is_orig: bool%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive -## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_interested%(c: connection, is_orig: bool%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_not_interested%(c: connection, is_orig: bool%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive -## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%); - -## TODO. 
-## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake -## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive -## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_request%(c: connection, is_orig: bool, index: count, - begin: count, length: count%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count, - begin: count, piece_length: count%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count, - begin: count, length: count%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_weird -event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count, - data: string%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown -event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bt_tracker_request%(c: connection, uri: string, - headers: bt_tracker_headers%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bt_tracker_response%(c: connection, status: count, - headers: bt_tracker_headers, - peers: bittorrent_peer_set, - benc: bittorrent_benc_dir%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bt_tracker_response_not_ok%(c: connection, status: count, - headers: bt_tracker_headers%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%); - -## Generated for Finger requests. -## -## See `Wikipedia `__ for more -## information about the Finger protocol. -## -## c: The connection. -## -## full: True if verbose information is requested (``/W`` switch). -## -## username: The request's user name. -## -## hostname: The request's host name. -## -## .. bro:see:: finger_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event finger_request%(c: connection, full: bool, username: string, hostname: string%); - -## Generated for Finger replies. -## -## See `Wikipedia `__ for more -## information about the Finger protocol. -## -## c: The connection. -## -## reply_line: The reply as returned by the server -## -## .. bro:see:: finger_request -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event finger_reply%(c: connection, reply_line: string%); - - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify -## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found -## -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_text_msg%(c: connection, orig: bool, headers: string%); - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish -## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, - ttl: count, hops: count, msg_len: count, - payload: string, payload_len: count, - trunc: bool, complete: bool%); - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify -## gnutella_not_establish gnutella_signature_found gnutella_text_msg -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_partial_binary_msg%(c: connection, orig: bool, - msg: string, len: count%); - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish -## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_establish%(c: connection%); - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify -## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_not_establish%(c: connection%); - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish -## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. 
To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_http_notify%(c: connection%); - -## Generated for Ident requests. -## -## See `Wikipedia `__ for more -## information about the Ident protocol. -## -## c: The connection. -## -## lport: The request's local port. -## -## rport: The request's remote port. -## -## .. bro:see:: ident_error ident_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event ident_request%(c: connection, lport: port, rport: port%); - -## Generated for Ident replies. -## -## See `Wikipedia `__ for more -## information about the Ident protocol. -## -## c: The connection. -## -## lport: The corresponding request's local port. -## -## rport: The corresponding request's remote port. -## -## user_id: The user id returned by the reply. -## -## system: The operating system returned by the reply. -## -## .. bro:see:: ident_error ident_request -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%); - -## Generated for Ident error replies. -## -## See `Wikipedia `__ for more -## information about the Ident protocol. -## -## c: The connection. -## -## lport: The corresponding request's local port. -## -## rport: The corresponding request's remote port. -## -## line: The error description returned by the reply. -## -## .. bro:see:: ident_reply ident_request -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event ident_error%(c: connection, lport: port, rport: port, line: string%); - -## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects -## Telnet/Rlogin sessions to heuristically extract username and password -## information as well as the text returned by the login server. This event is -## raised if a login attempt appears to have been unsuccessful. -## -## c: The connection. -## -## user: The user name tried. -## -## client_user: For Telnet connections, this is an empty string, but for Rlogin -## connections, it is the client name passed in the initial authentication -## information (to check against .rhosts). -## -## password: The password tried. -## -## line: The line of text that led the analyzer to conclude that the -## authentication had failed. -## -## .. bro:see:: login_confused login_confused_text login_display login_input_line -## login_output_line login_prompt login_success login_terminal direct_login_prompts -## get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs -## login_timeouts set_login_state -## -## .. note:: The login analyzer depends on a set of script-level variables that -## need to be configured with patterns identifying login attempts. This -## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and -## the analyzer is therefore not directly usable at the moment. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); - -## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects -## Telnet/Rlogin sessions to heuristically extract username and password -## information as well as the text returned by the login server. This event is -## raised if a login attempt appears to have been successful. -## -## c: The connection. -## -## user: The user name used. -## -## client_user: For Telnet connections, this is an empty string, but for Rlogin -## connections, it is the client name passed in the initial authentication -## information (to check against .rhosts). -## -## password: The password used. -## -## line: The line of text that led the analyzer to conclude that the -## authentication had succeeded. -## -## .. bro:see:: login_confused login_confused_text login_display login_failure -## login_input_line login_output_line login_prompt login_terminal -## direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs -## login_prompts login_success_msgs login_timeouts set_login_state -## -## .. note:: The login analyzer depends on a set of script-level variables that -## need to be configured with patterns identifying login attempts. This -## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and -## the analyzer is therefore not directly usable at the moment. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); - -## Generated for lines of input on Telnet/Rlogin sessions. The line will have -## control characters (such as in-band Telnet options) removed. -## -## c: The connection. 
-## -## line: The input line. -## -## .. bro:see:: login_confused login_confused_text login_display login_failure -## login_output_line login_prompt login_success login_terminal rsh_request -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_input_line%(c: connection, line: string%); - -## Generated for lines of output on Telnet/Rlogin sessions. The line will have -## control characters (such as in-band Telnet options) removed. -## -## c: The connection. -## -## line: The ouput line. -## -## .. bro:see:: login_confused login_confused_text login_display login_failure -## login_input_line login_prompt login_success login_terminal rsh_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_output_line%(c: connection, line: string%); - -## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's -## *login* analyzer uses a number of heuristics to extract authentication -## information, it may become confused. If it can no longer correctly track -## the authentication dialog, it raises this event. -## -## c: The connection. -## -## msg: Gives the particular problem the heuristics detected (for example, -## ``multiple_login_prompts`` means that the engine saw several login -## prompts in a row, without the type-ahead from the client side presumed -## necessary to cause them) -## -## line: The line of text that caused the heuristics to conclude they were -## confused. -## -## .. 
bro:see:: login_confused_text login_display login_failure login_input_line login_output_line -## login_prompt login_success login_terminal direct_login_prompts get_login_state -## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs -## login_timeouts set_login_state -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_confused%(c: connection, msg: string, line: string%); - -## Generated after getting confused while tracking a Telnet/Rlogin -## authentication dialog. The *login* analyzer generates this even for every -## line of user input after it has reported :bro:id:`login_confused` for a -## connection. -## -## c: The connection. -## -## line: The line the user typed. -## -## .. bro:see:: login_confused login_display login_failure login_input_line -## login_output_line login_prompt login_success login_terminal direct_login_prompts -## get_login_state login_failure_msgs login_non_failure_msgs login_prompts -## login_success_msgs login_timeouts set_login_state -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_confused_text%(c: connection, line: string%); - -## Generated for clients transmitting a terminal type in a Telnet session. This -## information is extracted out of environment variables sent as Telnet options. -## -## c: The connection. -## -## terminal: The TERM value transmitted. -## -## .. bro:see:: login_confused login_confused_text login_display login_failure -## login_input_line login_output_line login_prompt login_success -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_terminal%(c: connection, terminal: string%); - -## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This -## information is extracted out of environment variables sent as Telnet options. -## -## c: The connection. -## -## display: The DISPLAY transmitted. -## -## .. bro:see:: login_confused login_confused_text login_failure login_input_line -## login_output_line login_prompt login_success login_terminal -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_display%(c: connection, display: string%); - -## Generated when a Telnet authentication has been successful. The Telnet -## protocol includes options for negotiating authentication. When such an -## option is sent from client to server and the server replies that it accepts -## the authentication, then the event engine generates this event. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## name: The authenticated name. -## -## c: The connection. -## -## .. bro:see:: authentication_rejected authentication_skipped login_success -## -## .. note:: This event inspects the corresponding Telnet option -## while :bro:id:`login_success` heuristically determines success by watching -## session data. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. 
To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event authentication_accepted%(name: string, c: connection%); - -## Generated when a Telnet authentication has been unsuccessful. The Telnet -## protocol includes options for negotiating authentication. When such an option -## is sent from client to server and the server replies that it did not accept -## the authentication, then the event engine generates this event. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## name: The attempted authentication name. -## -## c: The connection. -## -## .. bro:see:: authentication_accepted authentication_skipped login_failure -## -## .. note:: This event inspects the corresponding Telnet option -## while :bro:id:`login_success` heuristically determines failure by watching -## session data. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event authentication_rejected%(name: string, c: connection%); - -## Generated for Telnet/Rlogin sessions when a pattern match indicates -## that no authentication is performed. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts -## get_login_state login_failure_msgs login_non_failure_msgs login_prompts -## login_success_msgs login_timeouts set_login_state -## -## .. note:: The login analyzer depends on a set of script-level variables that -## need to be configured with patterns identifying activity. This -## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and -## the analyzer is therefore not directly usable at the moment. -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event authentication_skipped%(c: connection%); - -## Generated for clients transmitting a terminal prompt in a Telnet session. -## This information is extracted out of environment variables sent as Telnet -## options. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## prompt: The TTYPROMPT transmitted. -## -## .. bro:see:: login_confused login_confused_text login_display login_failure -## login_input_line login_output_line login_success login_terminal -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_prompt%(c: connection, prompt: string%); - -## Generated for Telnet sessions when encryption is activated. The Telnet -## protocol includes options for negotiating encryption. When such a series of -## options is successfully negotiated, the event engine generates this event. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## .. bro:see:: authentication_accepted authentication_rejected authentication_skipped -## login_confused login_confused_text login_display login_failure login_input_line -## login_output_line login_prompt login_success login_terminal -event activating_encryption%(c: connection%); - -## Generated for an inconsistent Telnet option. Telnet options are specified -## by the client and server stating which options they are willing to -## support vs. 
which they are not, and then instructing one another which in -## fact they should or should not use for the current connection. If the event -## engine sees a peer violate either what the other peer has instructed it to -## do, or what it itself offered in terms of options in the past, then the -## engine generates this event. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## .. bro:see:: bad_option bad_option_termination authentication_accepted -## authentication_rejected authentication_skipped login_confused -## login_confused_text login_display login_failure login_input_line -## login_output_line login_prompt login_success login_terminal -event inconsistent_option%(c: connection%); - -## Generated for an ill-formed or unrecognized Telnet option. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted -## authentication_rejected authentication_skipped login_confused -## login_confused_text login_display login_failure login_input_line -## login_output_line login_prompt login_success login_terminal -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event bad_option%(c: connection%); - -## Generated for a Telnet option that's incorrectly terminated. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## .. 
bro:see:: inconsistent_option bad_option authentication_accepted -## authentication_rejected authentication_skipped login_confused -## login_confused_text login_display login_failure login_input_line -## login_output_line login_prompt login_success login_terminal -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event bad_option_termination%(c: connection%); - -## Generated for client side commands on an RSH connection. -## -## See `RFC 1258 `__ for more information -## about the Rlogin/Rsh protocol. -## -## c: The connection. -## -## client_user: The client-side user name as sent in the initial protocol -## handshake. -## -## server_user: The server-side user name as sent in the initial protocol -## handshake. -## -## line: The command line sent in the request. -## -## new_session: True if this is the first command of the Rsh session. -## -## .. bro:see:: rsh_reply login_confused login_confused_text login_display -## login_failure login_input_line login_output_line login_prompt login_success -## login_terminal -## -## .. note:: For historical reasons, these events are separate from the -## ``login_`` events. Ideally, they would all be handled uniquely. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%); - -## Generated for client side commands on an RSH connection. -## -## See `RFC 1258 `__ for more information -## about the Rlogin/Rsh protocol. -## -## c: The connection. 
-## -## client_user: The client-side user name as sent in the initial protocol -## handshake. -## -## server_user: The server-side user name as sent in the initial protocol -## handshake. -## -## line: The command line sent in the request. -## -## .. bro:see:: rsh_request login_confused login_confused_text login_display -## login_failure login_input_line login_output_line login_prompt login_success -## login_terminal -## -## .. note:: For historical reasons, these events are separate from the -## ``login_`` events. Ideally, they would all be handled uniquely. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%); - -## Generated for client-side FTP commands. -## -## See `Wikipedia `__ for -## more information about the FTP protocol. -## -## c: The connection. -## -## command: The FTP command issued by the client (without any arguments). -## -## arg: The arguments going with the command. -## -## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port -## parse_ftp_epsv parse_ftp_pasv parse_ftp_port -event ftp_request%(c: connection, command: string, arg: string%); - -## Generated for server-side FTP replies. -## -## See `Wikipedia `__ for -## more information about the FTP protocol. -## -## c: The connection. -## -## code: The numerical response code the server responded with. -## -## msg: The textual message of the response. -## -## cont_resp: True if the reply line is tagged as being continued to the next -## line. If so, further events will be raised and a handler may want -## to reassemble the pieces before processing the response any -## further. -## -## .. 
bro:see:: ftp_request fmt_ftp_port parse_eftp_port -## parse_ftp_epsv parse_ftp_pasv parse_ftp_port -event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%); - -## Generated for client-side SMTP commands. -## -## See `Wikipedia `__ -## for more information about the SMTP protocol. -## -## c: The connection. -## -## is_orig: True if the sender of the command is the originator of the TCP -## connection. Note that this is not redundant: the SMTP ``TURN`` command -## allows client and server to flip roles on established SMTP sessions, -## and hence a "request" might still come from the TCP-level responder. -## In practice, however, that will rarely happen as TURN is considered -## insecure and rarely used. -## -## command: The request's command, without any arguments. -## -## arg: The request command's arguments. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data -## smtp_data smtp_reply -## -## .. note:: Bro does not support the newer ETRN extension yet. -event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%); - -## Generated for server-side SMTP commands. -## -## See `Wikipedia `__ -## for more information about the SMTP protocol. -## -## c: The connection. -## -## is_orig: True if the sender of the command is the originator of the TCP -## connection. Note that this is not redundant: the SMTP ``TURN`` command -## allows client and server to flip roles on established SMTP sessions, -## and hence a "reply" might still come from the TCP-level originator. In -## practice, however, that will rarely happen as TURN is considered -## insecure and rarely used. -## -## code: The reply's numerical code. -## -## cmd: TODO. -## -## msg: The reply's textual description. -## -## cont_resp: True if the reply line is tagged as being continued to the next -## line. 
If so, further events will be raised and a handler may want to -## reassemble the pieces before processing the response any further. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data -## smtp_data smtp_request -## -## .. note:: Bro doesn't support the newer ETRN extension yet. -event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%); - -## Generated for DATA transmitted on SMTP sessions. This event is raised for -## subsequent chunks of raw data following the ``DATA`` SMTP command until the -## corresponding end marker ``.`` is seen. A handler may want to reassemble -## the pieces as they come in if stream-analysis is required. -## -## See `Wikipedia `__ -## for more information about the SMTP protocol. -## -## c: The connection. -## -## is_orig: True if the sender of the data is the originator of the TCP -## connection. -## -## data: The raw data. Note that the size of each chunk is undefined and -## depends on specifics of the underlying TCP connection. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data -## smtp_reply smtp_request skip_smtp_data -## -## .. note:: This event receives the unprocessed raw data. There is a separate -## set of ``mime_*`` events that strip out the outer MIME-layer of emails and -## provide structured access to their content. -event smtp_data%(c: connection, is_orig: bool, data: string%); - -## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks -## the state of SMTP sessions and reports commands and other activity with this -## event that it sees even though it would not expect so at the current point -## of the communication. -## -## See `Wikipedia `__ -## for more information about the SMTP protocol. -## -## c: The connection. 
-## -## is_orig: True if the sender of the unexpected activity is the originator of -## the TCP connection. -## -## msg: A descriptive message of what was unexpected. -## -## detail: The actual SMTP line triggering the event. -## -## .. bro:see:: smtp_data smtp_request smtp_reply -event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); - -## Generated when starting to parse an email MIME entity. MIME is a -## protocol-independent data format for encoding text and files, along with -## corresponding metadata, for transmission. Bro raises this event when it -## begins parsing a MIME entity extracted from an email protocol. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## .. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity -## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data -## http_begin_entity -## -## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, -## however, it raises :bro:id:`http_begin_entity` instead. -event mime_begin_entity%(c: connection%); - -## Generated when finishing parsing an email MIME entity. MIME is a -## protocol-independent data format for encoding text and files, along with -## corresponding metadata, for transmission. Bro raises this event when it -## finished parsing a MIME entity extracted from an email protocol. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data -## http_end_entity -## -## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, -## however, it raises :bro:id:`http_end_entity` instead. 
-event mime_end_entity%(c: connection%); - -## Generated for individual MIME headers extracted from email MIME -## entities. MIME is a protocol-independent data format for encoding text and -## files, along with corresponding metadata, for transmission. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## h: The parsed MIME header. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_event mime_segment_data -## http_header http_all_headers -## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, -## however, it raises :bro:id:`http_header` instead. -event mime_one_header%(c: connection, h: mime_header_rec%); - -## Generated for MIME headers extracted from email MIME entities, passing all -## headers at once. MIME is a protocol-independent data format for encoding -## text and files, along with corresponding metadata, for transmission. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## hlist: A *table* containing all headers extracted from the current entity. -## The table is indexed by the position of the header (1 for the first, -## 2 for the second, etc.). -## -## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity -## mime_entity_data mime_event mime_one_header mime_segment_data -## http_header http_all_headers -## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, -## however, it raises :bro:id:`http_header` instead. -event mime_all_headers%(c: connection, hlist: mime_header_list%); - -## Generated for chunks of decoded MIME data from email MIME entities. 
MIME -## is a protocol-independent data format for encoding text and files, along with -## corresponding metadata, for transmission. As Bro parses the data of an -## entity, it raises a sequence of these events, each coming as soon as a new -## chunk of data is available. In contrast, there is also -## :bro:id:`mime_entity_data`, which passes all of an entities data at once -## in a single block. While the latter is more convenient to handle, -## ``mime_segment_data`` is more efficient as Bro does not need to buffer -## the data. Thus, if possible, this event should be preferred. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## length: The length of *data*. -## -## data: The raw data of one segment of the current entity. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data -## mime_segment_length mime_segment_overlap_length -## -## .. note:: Bro also extracts MIME data from HTTP sessions. For those, -## however, it raises :bro:id:`http_entity_data` (sic!) instead. -event mime_segment_data%(c: connection, length: count, data: string%); - -## Generated for data decoded from an email MIME entity. This event delivers -## the complete content of a single MIME entity. In contrast, there is also -## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as -## they come in. While ``mime_entity_data`` is more convenient to handle, -## ``mime_segment_data`` is more efficient as Bro does not need to buffer the -## data. Thus, if possible, the latter should be preferred. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## length: The length of *data*. -## -## data: The raw data of the complete entity. -## -## .. 
bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_event mime_one_header mime_segment_data -## -## .. note:: While Bro also decodes MIME entities extracted from HTTP -## sessions, there's no corresponding event for that currently. -event mime_entity_data%(c: connection, length: count, data: string%); - -## Generated for passing on all data decoded from a single email MIME -## message. If an email message has more than one MIME entity, this event -## combines all their data into a single value for analysis. Note that because -## of the potentially significant buffering necessary, using this event can be -## expensive. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## length: The length of *data*. -## -## data: The raw data of all MIME entities concatenated. -## -## .. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity -## mime_entity_data mime_event mime_one_header mime_segment_data -## -## .. note:: While Bro also decodes MIME entities extracted from HTTP -## sessions, there's no corresponding event for that currently. -event mime_all_data%(c: connection, length: count, data: string%); - -## Generated for errors found when decoding email MIME entities. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## event_type: A string describing the general category of the problem found -## (e.g., ``illegal format``). -## -## detail: Further more detailed description of the error. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event -## -## .. note:: Bro also extracts MIME headers from HTTP sessions. 
For those, -## however, it raises :bro:id:`http_event` instead. -event mime_event%(c: connection, event_type: string, detail: string%); - -## Generated for decoded MIME entities extracted from email messages, passing on -## their MD5 checksums. Bro computes the MD5 over the complete decoded data of -## each MIME entity. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## content_len: The length of the entity being hashed. -## -## hash_value: The MD5 hash. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity -## mime_entity_data mime_event mime_one_header mime_segment_data -## -## .. note:: While Bro also decodes MIME entities extracted from HTTP -## sessions, there's no corresponding event for that currently. -event mime_content_hash%(c: connection, content_len: count, hash_value: string%); - -## Generated for RPC request/reply *pairs*. The RPC analyzer associates request -## and reply by their transaction identifiers and raises this event once both -## have been seen. If there's not a reply, this event will still be generated -## eventually on timeout. In that case, *status* will be set to -## :bro:enum:`RPC_TIMEOUT`. -## -## See `Wikipedia `__ for more information -## about the ONC RPC protocol. -## -## c: The connection. -## -## prog: The remote program to call. -## -## ver: The version of the remote program to call. -## -## proc: The procedure of the remote program to call. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## start_time: The time when the *call* was seen. -## -## call_len: The size of the *call_body* PDU. -## -## reply_len: The size of the *reply_body* PDU. -## -## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request -## dce_rpc_response rpc_timeout -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); - -## Generated for RPC *call* messages. -## -## See `Wikipedia `__ for more information -## about the ONC RPC protocol. -## -## c: The connection. -## -## xid: The transaction identifier allowing to match requests with replies. -## -## prog: The remote program to call. -## -## ver: The version of the remote program to call. -## -## proc: The procedure of the remote program to call. -## -## call_len: The size of the *call_body* PDU. -## -## .. bro:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request -## dce_rpc_response rpc_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); - -## Generated for RPC *reply* messages. -## -## See `Wikipedia `__ for more information -## about the ONC RPC protocol. -## -## c: The connection. -## -## xid: The transaction identifier allowing to match requests with replies. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## reply_len: The size of the *reply_body* PDU. -## -## .. bro:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request -## dce_rpc_response rpc_timeout -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); - -## Generated for Portmapper requests of type *null*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_null%(r: connection%); - -## Generated for Portmapper request/reply dialogues of type *set*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## m: The argument to the request. -## -## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request -## times out. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_set%(r: connection, m: pm_mapping, success: bool%); - -## Generated for Portmapper request/reply dialogues of type *unset*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## m: The argument to the request. -## -## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request -## times out. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_set rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); - -## Generated for Portmapper request/reply dialogues of type *getport*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## pr: The argument to the request. -## -## p: The port returned by the server. -## -## .. 
bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); - -## Generated for Portmapper request/reply dialogues of type *dump*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## m: The mappings returned by the server. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_dump%(r: connection, m: pm_mappings%); - -## Generated for Portmapper request/reply dialogues of type *callit*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## call: The argument to the request. -## -## p: The port value returned by the call. -## -## .. 
bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); - -## Generated for failed Portmapper requests of type *null*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_null%(r: connection, status: rpc_status%); - -## Generated for failed Portmapper requests of type *set*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## m: The argument to the original request. -## -## .. 
bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); - -## Generated for failed Portmapper requests of type *unset*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## m: The argument to the original request. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); - -## Generated for failed Portmapper requests of type *getport*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. 
-## -## pr: The argument to the original request. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%); - -## Generated for failed Portmapper requests of type *dump*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_getport pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_dump%(r: connection, status: rpc_status%); - -## Generated for failed Portmapper requests of type *callit*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. 
-## -## call: The argument to the original request. -## -## .. bro:see:: epm_map_response pm_attempt_dump pm_attempt_getport pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); - -## Generated for Portmapper requests or replies that include an invalid port -## number. Since ports are represented by unsigned 4-byte integers, they can -## stray outside the allowed range of 0--65535 by being >= 65536. If so, this -## event is generated. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## bad_p: The invalid port value. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_set -## pm_request_unset rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_bad_port%(r: connection, bad_p: count%); - -## Generated for NFSv3 request/reply dialogues of type *null*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. 
-## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_read nfs_proc_readdir nfs_proc_readlink -## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_null%(c: connection, info: NFS3::info_t%); - -## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## fh: TODO. -## -## attrs: The attributes returned in the reply. The values may not be valid if -## the request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply file_mode -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); - -## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: The arguments passed in the request. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *read*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: The arguments passed in the request. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. 
bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir -## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply -## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## fh: The file handle passed in the request. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *write*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_reply_status rpc_call -## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only -## NFS3::return_data_max -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *create*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. 
bro:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *remove*. 
The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. 
bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink -## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
-
-## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3
-## analyzer does not implement.
-##
-## NFS is a service running on top of RPC. See `Wikipedia
-## `__ for more
-## information about the service.
-##
-## c: The RPC connection.
-##
-## info: Reports the status of the dialogue, along with some meta information.
-##
-## proc: The procedure called that Bro does not implement.
-##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
-## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
-## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
-
-## Generated for each NFSv3 reply message received, reporting just the
-## status included.
-##
-## n: The connection.
-##
-## info: Reports the status included in the reply.
-##
-## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
-## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir
-## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
-## rpc_dialogue rpc_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event nfs_reply_status%(n: connection, info: NFS3::info_t%);
-
-## Generated for all NTP messages. Different from many other of Bro's events,
-## this one is generated for both client-side and server-side messages.
-##
-## See `Wikipedia `__ for
-## more information about the NTP protocol.
-##
-## u: The connection record describing the corresponding UDP flow.
-##
-## msg: The parsed NTP message.
-##
-## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
-## further parse any optional fields.
-##
-## .. bro:see:: ntp_session_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
-
-## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
-## processes the NetBIOS session service running on TCP port 139, and (despite
-## its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## msg_type: The general type of message, as defined in Section 4.3.1 of
-## `RFC 1002 `__.
-##
-## data_len: The length of the message's payload.
-##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
-## netbios_session_raw_message netbios_session_rejected netbios_session_request
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
-
-## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
-## analyzer processes the NetBIOS session service running on TCP port 139, and
-## (despite its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header.
-##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
-## netbios_session_message netbios_session_raw_message netbios_session_rejected
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_request%(c: connection, msg: string%);
-
-## Generated for NetBIOS messages of type *positive session response*. Bro's
-## NetBIOS analyzer processes the NetBIOS session service running on TCP port
-## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header.
-##
-## .. bro:see:: netbios_session_keepalive netbios_session_message
-## netbios_session_raw_message netbios_session_rejected netbios_session_request
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_accepted%(c: connection, msg: string%);
-
-## Generated for NetBIOS messages of type *negative session response*. Bro's
-## NetBIOS analyzer processes the NetBIOS session service running on TCP port
-## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header.
-##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
-## netbios_session_message netbios_session_raw_message netbios_session_request
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_rejected%(c: connection, msg: string%);
-
-## Generated for NetBIOS messages of type *session message* that are not
-## carrying an SMB payload.
-##
-## NetBIOS analyzer processes the NetBIOS session service running on TCP port
-## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header (i.e., the ``user_data``).
-##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
-## netbios_session_message netbios_session_rejected netbios_session_request
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: This is an oddly named event. In fact, it's probably an odd event
-## to have to begin with.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
-
-## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
-## analyzer processes the NetBIOS session service running on TCP port 139, and
-## (despite its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header.
-##
-## .. bro:see:: netbios_session_accepted netbios_session_keepalive
-## netbios_session_message netbios_session_raw_message netbios_session_rejected
-## netbios_session_request decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: This is an oddly named event.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_ret_arg_resp%(c: connection, msg: string%);
-
-## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
-## processes the NetBIOS session service running on TCP port 139, and (despite
-## its name!) the NetBIOS datagram service on UDP port 138.
-##
-## See `Wikipedia `__ for more information
-## about NetBIOS. `RFC 1002 `__ describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
-##
-## c: The connection, which may be TCP or UDP, depending on the type of the
-## NetBIOS session.
-##
-## msg: The raw payload of the message sent, excluding the common NetBIOS
-## header.
-##
-## .. bro:see:: netbios_session_accepted netbios_session_message
-## netbios_session_raw_message netbios_session_rejected netbios_session_request
-## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
-##
-## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-## `SMB/CIFS `__. Bro's
-## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event netbios_session_keepalive%(c: connection, msg: string%);
-
-## Generated for all SMB/CIFS messages.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## is_orig: True if the message was sent by the originator of the underlying
-## transport-level connection.
-##
-## cmd: A string mnemonic of the SMB command code.
-##
-## body_length: The length of the SMB message body, i.e. the data starting after
-## the SMB header.
-##
-## body: The raw SMB message body, i.e., the data starting after the SMB header.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
-## smb_get_dfs_referral
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%);
-
-## Generated for SMB/CIFS messages of type *tree connect andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## path: The ``path`` attribute specified in the message.
-##
-## service: The ``service`` attribute specified in the message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%);
-
-## Generated for SMB/CIFS messages of type *tree disconnect*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages of type *nt create andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## name: The ``name`` attribute specified in the message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_read_andx
-## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
-
-## Generated for SMB/CIFS messages of type *nt transaction*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## trans: The parsed transaction header.
-##
-## data: The raw transaction data.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
-## smb_com_trans_rap smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
-
-## Generated for SMB/CIFS messages of type *nt transaction 2*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## trans: The parsed transaction header.
-##
-## data: The raw transaction data.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe
-## smb_com_trans_rap smb_com_transaction smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
-
-## Generated for SMB/CIFS messages of type *transaction mailslot*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## trans: The parsed transaction header.
-##
-## data: The raw transaction data.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
-
-## Generated for SMB/CIFS messages of type *transaction rap*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## trans: The parsed transaction header.
-##
-## data: The raw transaction data.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
-## smb_get_dfs_referral smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
-
-## Generated for SMB/CIFS messages of type *transaction pipe*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## trans: The parsed transaction header.
-##
-## data: The raw transaction data.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
-
-## Generated for SMB/CIFS messages of type *read andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## data: Always empty.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
-
-## Generated for SMB/CIFS messages of type *read andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## data: Always empty.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_tree_disconnect smb_error
-## smb_get_dfs_referral smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
-
-## Generated for SMB/CIFS messages of type *get dfs referral*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## max_referral_level: The ``max_referral_level`` attribute specified in the
-## message.
-##
-## file_name: The ``filene_name`` attribute specified in the message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%);
-
-## Generated for SMB/CIFS messages of type *negotiate*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
-## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
-## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
-## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages of type *negotiate response*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## dialect_index: The ``dialect`` indicated in the message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx
-## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction
-## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect
-## smb_com_write_andx smb_error smb_get_dfs_referral smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%);
-
-## Generated for SMB/CIFS messages of type *setup andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages of type *generic andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_close smb_com_logoff_andx smb_com_negotiate
-## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
-## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages of type *close*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_generic_andx smb_com_logoff_andx smb_com_negotiate
-## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
-## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_close%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages of type *logoff andx*.
-##
-## See `Wikipedia `__ for
-## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses
-## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_negotiate
-## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx
-## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap
-## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx
-## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral
-## smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);
-
-## Generated for SMB/CIFS messages that indicate an error. This event is
-## triggered by an SMB header including a status that signals an error.
-##
-## c: The connection.
-##
-## hdr: The parsed header of the SMB message.
-##
-## cmd: The SMB command code.
-##
-## cmd_str: A string mnemonic of the SMB command code.
-##
-## data: The raw SMB message body, i.e., the data starting after the SMB header.
-##
-## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx
-## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx
-## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot
-## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2
-## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx
-## smb_get_dfs_referral smb_message
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%);
-
-## Generated for all DNS messages.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## is_orig: True if the message was sent by the originator of the connection.
-##
-## msg: The parsed DNS message header.
-##
-## len: The length of the message's raw representation (i.e., the DNS payload).
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected
-## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
-
-## Generated for DNS requests. For requests with multiple queries, this event
-## is raised once for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## query: The queried name.
-##
-## qtype: The queried resource record type.
-##
-## qclass: The queried resource record class.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
-
-## Generated for DNS replies that reject a query. This event is raised if a DNS
-## reply either indicates failure via its status code or does not pass on any
-## answers to a query. Note that all of the event's parameters are parsed out of
-## the reply; there's no stateful correlation with the query.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## query: The queried name.
-##
-## qtype: The queried resource record type.
-##
-## qclass: The queried resource record class.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
-
-## Generated for DNS replies with an *ok* status code but no question section.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## query: The queried name.
-##
-## qtype: The queried resource record type.
-##
-## qclass: The queried resource record class.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
-## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_query_reply%(c: connection, msg: dns_msg, query: string,
- qtype: count, qclass: count%);
-
-## Generated when the DNS analyzer processes what seems to be a non-DNS packet.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The raw DNS payload.
-##
-## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
-## detection framework.
-event non_dns_request%(c: connection, msg: string%);
-
-## Generated for DNS replies of type *A*. For replies with multiple answers, an
-## individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## a: The address returned by the reply.
-##
-## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
-## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
-## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
-## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
-
-## Generated for DNS replies of type *AAAA*. For replies with multiple answers,
-## an individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## a: The address returned by the reply.
-##
-## .. bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
-## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
-## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
-## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
-## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
-
-## Generated for DNS replies of type *A6*. For replies with multiple answers, an
-## individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## a: The address returned by the reply.
-##
-## .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
-## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
-## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
-## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
-## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
-
-## Generated for DNS replies of type *NS*. For replies with multiple answers, an
-## individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## name: The name returned by the reply.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
-## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
-## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
-
-## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
-## an individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## name: The name returned by the reply.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
-## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
-## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
-## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
-## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
-
-## Generated for DNS replies of type *PTR*. For replies with multiple answers,
-## an individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## name: The name returned by the reply.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply
-## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
-## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
-
-## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
-## an individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## soa: The parsed SOA value.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
-## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
-## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%);
-
-## Generated for DNS replies of type *WKS*. For replies with multiple answers,
-## an individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
-## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
-
-## Generated for DNS replies of type *HINFO*. For replies with multiple answers,
-## an individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
-## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
-## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
-## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
-## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
-
-## Generated for DNS replies of type *MX*. For replies with multiple answers, an
-## individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## name: The name returned by the reply.
-##
-## preference: The preference for *name* specified by the reply.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
-## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
-## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%);
-
-## Generated for DNS replies of type *TXT*. For replies with multiple answers,
-## an individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## str: The textual information returned by the reply.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
-## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%);
-
-## Generated for DNS replies of type *SRV*. For replies with multiple answers,
-## an individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The type-independent part of the parsed answer record.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
-## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
-
-## Generated for DNS replies of type *EDNS*. For replies with multiple answers,
-## an individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The parsed EDNS reply.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
-## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
-## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
-## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
-## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
-## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
-
-## Generated for DNS replies of type *TSIG*. For replies with multiple answers,
-## an individual event of the corresponding type is raised for each.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## ans: The parsed TSIG reply.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
-## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%);
-
-## Generated at the end of processing a DNS packet. This event is the last
-## ``dns_*`` event that will be raised for a DNS query/reply and signals that
-## all resource records have been passed on.
-##
-## See `Wikipedia `__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
-## sessions.
-##
-## c: The connection, which may be UDP or TCP depending on the type of the
-## transport-layer session being analyzed.
-##
-## msg: The parsed DNS message header.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
-## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_end%(c: connection, msg: dns_msg%);
-
-## Generated for DHCP messages of type *discover*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## req_addr: The specific address requested by the client.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
-## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
-
-## Generated for DHCP messages of type *offer*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: TODO.
-##
-## mask: The subnet mask specified by the message.
-##
-## router: The list of routers specified by the message.
-##
-## lease: The least interval specified by the message.
-##
-## serv_addr: The server address specified by the message.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
-
-## Generated for DHCP messages of type *request*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## req_addr: The client address specified by the message.
-##
-## serv_addr: The server address specified by the message.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%);
-
-## Generated for DHCP messages of type *decline*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_decline%(c: connection, msg: dhcp_msg%);
-
-## Generated for DHCP messages of type *acknowledgment*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## mask: The subnet mask specified by the message.
-##
-## router: The list of routers specified by the message.
-##
-## lease: The least interval specified by the message.
-##
-## serv_addr: The server address specified by the message.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
-
-## Generated for DHCP messages of type *negative acknowledgment*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_nak%(c: connection, msg: dhcp_msg%);
-
-## Generated for DHCP messages of type *release*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_release%(c: connection, msg: dhcp_msg%);
-
-## Generated for DHCP messages of type *inform*.
-##
-## See `Wikipedia
-## `__ for
-## more information about the DHCP protocol.
-##
-## c: The connection record describing the underlying UDP flow.
-##
-## msg: The parsed type-independent part of the DHCP message.
-##
-## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
-## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
-## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
-## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
-## dns_rejected dns_request non_dns_request
-##
-## .. note:: Bro does not support broadcast packets (as used by the DHCP
-## protocol). It treats broadcast addresses just like any other and
-## associates packets into transport-level flows in the same way as usual.
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dhcp_inform%(c: connection, msg: dhcp_msg%);
-
-## Generated when seeing an SSH client's version identification. The SSH
-## protocol starts with a clear-text handshake message that reports client and
-## server protocol/software versions. This event provides access to what the
-## client sent.
-##
-##
-## See `Wikipedia `__ for more
-## information about the SSH protocol.
-##
-## c: The connection.
-##
-## version: The version string the client sent (e.g., `SSH-2.0-libssh-0.11`).
-##
-## .. bro:see:: ssh_server_version
-##
-## .. note:: As everything after the initial version handshake proceeds
-## encrypted, Bro cannot further analyze SSH sessions.
-event ssh_client_version%(c: connection, version: string%);
-
-## Generated when seeing an SSH server's version identification. The SSH
-## protocol starts with a clear-text handshake message that reports client and
-## server protocol/software versions. This event provides access to what the
-## server sent.
-##
-## See `Wikipedia `__ for more
-## information about the SSH protocol.
-##
-## c: The connection.
-##
-## version: The version string the server sent (e.g.,
-## ``SSH-1.99-OpenSSH_3.9p1``).
-##
-## .. bro:see:: ssh_client_version
-##
-## .. note:: As everything coming after the initial version handshake proceeds
-## encrypted, Bro cannot further analyze SSH sessions.
-event ssh_server_version%(c: connection, version: string%);
-
-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request
-## dce_rpc_response rpc_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%);
-
-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request
-## dce_rpc_response rpc_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dce_rpc_bind%(c: connection, uuid: string%);
-
-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
-## dce_rpc_response rpc_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dce_rpc_request%(c: connection, opnum: count, stub: string%);
-
-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
-## dce_rpc_request rpc_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event dce_rpc_response%(c: connection, opnum: count, stub: string%);
-
-## TODO.
-##
-## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
-## dce_rpc_request dce_rpc_response rpc_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event epm_map_response%(c: connection, uuid: string, p: port, h: addr%);
-
-## Generated for NCP requests (Netware Core Protocol).
-##
-## See `Wikipedia `__ for
-## more information about the NCP protocol.
-##
-## c: The connection.
-##
-## frame_type: The frame type, as specified by the protocol.
-##
-## length: The length of the request body, excluding the frame header.
-##
-## func: The requested function, as specified by the protocol.
-##
-## .. bro:see:: ncp_reply
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event ncp_request%(c: connection, frame_type: count, length: count, func: count%);
-
-## Generated for NCP replies (Netware Core Protocol).
-##
-## See `Wikipedia `__ for
-## more information about the NCP protocol.
-##
-## c: The connection.
-##
-## frame_type: The frame type, as specified by the protocol.
-##
-## length: The length of the request body, excluding the frame header.
-##
-## req_frame: The frame type from the corresponding request.
-##
-## req_func: The function code from the corresponding request.
-##
-## completion_code: The reply's completion code, as specified by the protocol.
-##
-## .. bro:see:: ncp_request
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to
-## register a port for it or add a DPD payload signature.
-event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%); - -## Generated for client-side commands on POP3 connections. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## command: The command sent. -## -## arg: The argument to the command. -## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply -## pop3_terminate pop3_unexpected -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pop3_request%(c: connection, is_orig: bool, - command: string, arg: string%); - -## Generated for server-side replies to commands on POP3 connections. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## cmd: The success indicator sent by the server. This corresponds to the -## first token on the line sent, and should be either ``OK`` or ``ERR``. -## -## msg: The textual description the server sent along with *cmd*. -## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request -## pop3_terminate pop3_unexpected -## -## .. todo:: This event is receiving odd parameters, should unify. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); - -## Generated for server-side multi-line responses on POP3 connections. POP3 -## connections use multi-line responses to send bulk data, such as the actual -## mails. This event is generated once for each line that's part of such a -## response. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: True if the data was sent by the originator of the TCP connection. -## -## data: The data sent. -## -## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request -## pop3_terminate pop3_unexpected -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pop3_data%(c: connection, is_orig: bool, data: string%); - -## Generated for errors encountered on POP3 sessions. If the POP3 analyzer -## finds state transitions that do not conform to the protocol specification, -## or other situations it can't handle, it raises this event. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: True if the data was sent by the originator of the TCP connection. -## -## msg: A textual description of the situation. -## -## detail: The input that triggered the event. -## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request -## pop3_terminate -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event pop3_unexpected%(c: connection, is_orig: bool, - msg: string, detail: string%); - -## Generated when a POP3 connection goes encrypted. While POP3 is by default a -## clear-text protocol, extensions exist to switch to encryption. This event is -## generated if that happens and the analyzer then stops processing the -## connection. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: Always false. -## -## msg: A descriptive message why processing was stopped. -## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request -## pop3_unexpected -## -## .. note:: Currently, only the ``STARTLS`` command is recognized and -## triggers this. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pop3_terminate%(c: connection, is_orig: bool, msg: string%); - -## Generated for successful authentications on POP3 connections. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: Always false. -## -## user: The user name used for authentication. The event is only generated if -## a non-empty user name was used. -## -## password: The password used for authentication. -## -## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request pop3_terminate -## pop3_unexpected -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event pop3_login_success%(c: connection, is_orig: bool, - user: string, password: string%); - -## Generated for unsuccessful authentications on POP3 connections. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: Always false. -## -## user: The user name attempted for authentication. The event is only -## generated if a non-empty user name was used. -## -## password: The password attempted for authentication. -## -## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request pop3_terminate -## pop3_unexpected -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pop3_login_failure%(c: connection, is_orig: bool, - user: string, password: string%); - - -## Generated for all client-side IRC commands. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: Always true. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## command: The command. -## -## arguments: The arguments for the command. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -## -## .. note:: This event is generated only for messages that originate -## at the client-side. Commands coming in from remote trigger -## the :bro:id:`irc_message` event instead. 
-event irc_request%(c: connection, is_orig: bool, prefix: string, - command: string, arguments: string%); - -## Generated for all IRC replies. IRC replies are sent in response to a -## request and come with a reply code. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the reply. IRC uses the prefix to -## indicate the true origin of a message. -## -## code: The reply code, as specified by the protocol. -## -## params: The reply's parameters. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_reply%(c: connection, is_orig: bool, prefix: string, - code: count, params: string%); - -## Generated for IRC commands forwarded from the server to the client. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: Always false. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## command: The command. -## -## message: TODO. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -## -## .. note:: -## -## This event is generated only for messages that are forwarded by the server -## to the client. 
Commands coming from client trigger the -## :bro:id:`irc_request` event instead. -event irc_message%(c: connection, is_orig: bool, prefix: string, - command: string, message: string%); - -## Generated for IRC messages of type *quit*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## nick: The nickname coming with the message. -## -## message: The text included with the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%); - -## Generated for IRC messages of type *privmsg*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## source: The source of the private communication. -## -## target: The target of the private communication. -## -## message: The text of communication. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_privmsg_message%(c: connection, is_orig: bool, source: string, - target: string, message: string%); - -## Generated for IRC messages of type *notice*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## source: The source of the private communication. -## -## target: The target of the private communication. -## -## message: The text of communication. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_notice_message%(c: connection, is_orig: bool, source: string, - target: string, message: string%); - -## Generated for IRC messages of type *squery*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## source: The source of the private communication. -## -## target: The target of the private communication. -## -## message: The text of communication. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_squery_message%(c: connection, is_orig: bool, source: string, - target: string, message: string%); - -## Generated for IRC messages of type *join*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## info_list: The user information coming with the command. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%); - -## Generated for IRC messages of type *part*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## nick: The nickname coming with the message. -## -## chans: The set of channels affected. -## -## message: The text coming with the message. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_password_message -event irc_part_message%(c: connection, is_orig: bool, nick: string, - chans: string_set, message: string%); - -## Generated for IRC messages of type *nick*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## who: The user changing its nickname. -## -## newnick: The new nickname. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%); - -## Generated when a server rejects an IRC nickname. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_invalid_nick%(c: connection, is_orig: bool%); - -## Generated for an IRC reply of type *luserclient*. 
-## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## users: The number of users as returned in the reply. -## -## services: The number of services as returned in the reply. -## -## servers: The number of servers as returned in the reply. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_network_info%(c: connection, is_orig: bool, users: count, - services: count, servers: count%); - -## Generated for an IRC reply of type *luserme*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## users: The number of users as returned in the reply. -## -## services: The number of services as returned in the reply. -## -## servers: The number of servers as returned in the reply. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_server_info%(c: connection, is_orig: bool, users: count, - services: count, servers: count%); - -## Generated for an IRC reply of type *luserchannels*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. 
-## -## chans: The number of channels as returned in the reply. -## -## .. bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_channel_info%(c: connection, is_orig: bool, chans: count%); - -## Generated for an IRC reply of type *whoreply*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## target_nick: The target nickname. -## -## channel: The channel. -## -## user: The user. -## -## host: The host. -## -## server: The server. -## -## nick: The nickname. -## -## params: The parameters. -## -## hops: The hop count. -## -## real_name: The real name. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_who_line%(c: connection, is_orig: bool, target_nick: string, - channel: string, user: string, host: string, - server: string, nick: string, params: string, - hops: count, real_name: string%); - - -## Generated for an IRC reply of type *namereply*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## c_type: The channel type. -## -## channel: The channel. -## -## users: The set of users. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_names_info%(c: connection, is_orig: bool, c_type: string, - channel: string, users: string_set%); - -## Generated for an IRC reply of type *whoisoperator*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## nick: The nickname specified in the reply. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%); - -## Generated for an IRC reply of type *whoischannels*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## nick: The nickname specified in the reply. -## -## chans: The set of channels returned. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string, - chans: string_set%); - -## Generated for an IRC reply of type *whoisuser*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## nick: The nickname specified in the reply. -## -## user: The user name specified in the reply. -## -## host: The host name specified in the reply. -## -## real_name: The real name specified in the reply. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_whois_user_line%(c: connection, is_orig: bool, nick: string, - user: string, host: string, real_name: string%); - -## Generated for IRC replies of type *youreoper* and *nooperhost*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## got_oper: True if the *oper* command was executed successfully -## (*youreport*) and false otherwise (*nooperhost*). -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_part_message -## irc_password_message -event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%); - -## Generated for an IRC reply of type *globalusers*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## msg: The message coming with the reply. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%); - -## Generated for an IRC reply of type *topic*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## channel: The channel name specified in the reply. -## -## topic: The topic specified in the reply. -## -## .. 
bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%); - -## Generated for IRC messages of type *who*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## mask: The mask specified in the message. -## -## oper: True if the operator flag was set. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%); - -## Generated for IRC messages of type *whois*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## server: TODO. -## -## users: TODO. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%); - -## Generated for IRC messages of type *oper*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## user: The user specified in the message. -## -## password: The password specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_response irc_part_message -## irc_password_message -event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%); - -## Generated for IRC messages of type *kick*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## chans: The channels specified in the message. -## -## users: The users specified in the message. -## -## comment: The comment specified in the message. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_kick_message%(c: connection, is_orig: bool, prefix: string, - chans: string, users: string, comment: string%); - -## Generated for IRC messages of type *error*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## message: The textual description specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%); - -## Generated for IRC messages of type *invite*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## nickname: The nickname specified in the message. -## -## channel: The channel specified in the message. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_invite_message%(c: connection, is_orig: bool, prefix: string, - nickname: string, channel: string%); - -## Generated for IRC messages of type *mode*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## params: The parameters coming with the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%); - -## Generated for IRC messages of type *squit*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## server: The server specified in the message. -## -## message: The textual description specified in the message. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_squit_message%(c: connection, is_orig: bool, prefix: string, - server: string, message: string%); - -## Generated for IRC messages of type *dcc*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## target: The target specified in the message. -## -## dcc_type: The DCC type specified in the message. -## -## argument: The argument specified in the message. -## -## address: The address specified in the message. -## -## dest_port: The destination port specified in the message. -## -## size: The size specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_dcc_message%(c: connection, is_orig: bool, - prefix: string, target: string, - dcc_type: string, argument: string, - address: addr, dest_port: count, size: count%); - -## Generated for IRC messages of type *user*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. 
-## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## user: The user specified in the message. -## -## host: The host name specified in the message. -## -## server: The server name specified in the message. -## -## real_name: The real name specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%); - -## Generated for IRC messages of type *password*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## password: The password specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message -event irc_password_message%(c: connection, is_orig: bool, password: string%); - -## TODO. -## -event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); - ## Generated when a signature matches. Bro's signature engine provides ## high-performance pattern matching separately from the normal script ## processing. If a signature with an ``event`` action matches, this event is 
@@ -5847,35 +530,6 @@ event file_transferred%(c: connection, prefix: string, descr: string, mime_type: ## triggering the match will be passed on to the event. event signature_match%(state: signature_state, msg: string, data: string%); -## Generated when a SOCKS request is analyzed. -## -## c: The parent connection of the proxy. -## -## version: The version of SOCKS this message used. -## -## request_type: The type of the request. -## -## sa: Address that the tunneled traffic should be sent to. -## -## p: The destination port for the proxied traffic. -## -## user: Username given for the SOCKS connection. This is not yet implemented -## for SOCKSv5. -event socks_request%(c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string%); - -## Generated when a SOCKS reply is analyzed. -## -## c: The parent connection of the proxy. -## -## version: The version of SOCKS this message used. -## -## reply: The status reply from the server. -## -## sa: The address that the server sent the traffic to. -## -## p: The destination port for the proxied traffic. -event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port%); - ## Generated when a protocol analyzer finds an identification of a software ## used on a system. This is a protocol-independent event that is fed by ## different analyzers. For example, the HTTP analyzer reports user-agent and @@ -5893,7 +547,7 @@ event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Addre ## ## .. bro:see:: software_parse_error software_unparsed_version_found OS_version_found event software_version_found%(c: connection, host: addr, - s: software, descr: string%); + s: software, descr: string%); ## Generated when a protocol analyzer finds an identification of a software ## used on a system but cannot parse it. This is a protocol-independent event 
@@ -6004,8 +658,6 @@ event remote_event_registered%(p: event_peer, name: string%); ## remote_state_inconsistency print_hook event remote_connection_error%(p: event_peer, reason: string%); - - ## Generated when a remote peer sent us a capture filter. While this event is ## intended primarily for use by Bro's communication framework, it can also ## trigger additional code if helpful. @@ -6124,7 +776,7 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%); ## remote_event_registered remote_log remote_state_access_performed ## remote_state_inconsistency print_hook event remote_pong%(p: event_peer, seq: count, - d1: interval, d2: interval, d3: interval%); + d1: interval, d2: interval, d3: interval%); ## Generated each time a remote state access has been replayed locally. This ## event is primarily intended for debugging. 
@@ -6151,326 +803,6 @@ event remote_state_access_performed%(id: string, v: any%); ## .. bro:see:: profiling_interval expensive_profiling_multiple event profiling_update%(f: file, expensive: bool%); -## Generated each time Bro's script interpreter opens a file. This event is -## triggered only for files opened via :bro:id:`open`, and in particular not for -## normal log files as created by log writers. -## -## f: The opened file. -event file_opened%(f: file%); - -## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises -## this event whenever it either receives a NetFlow header on the port it's -## listening on, or reads one from a trace file. -## -## h: The parsed NetFlow header. -## -## .. bro:see:: netflow_v5_record -event netflow_v5_header%(h: nf_v5_header%); - -## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises -## this event whenever it either receives a NetFlow record on the port it's -## listening on, or reads one from a trace file. -## -## r: The parsed NetFlow record. -## -## .. bro:see:: netflow_v5_record -event netflow_v5_record%(r: nf_v5_record%); - -## Generated for any modbus message regardless if the particular function -## is further supported or not. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## is_orig: True if the event is raised for the originator side. -event modbus_message%(c: connection, headers: ModbusHeaders, is_orig: bool%); - -## Generated for any modbus exception message. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## code: The exception code. -event modbus_exception%(c: connection, headers: ModbusHeaders, code: count%); - -## Generated for a Modbus read coils request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address where of the first coil to be read. -## -## quantity: The number of coils to be read. 
-event modbus_read_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus read coils response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## coils: The coil values returned from the device. -event modbus_read_coils_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%); - -## Generated for a Modbus read discrete inputs request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first coil to be read. -## -## quantity: The number of coils to be read. -event modbus_read_discrete_inputs_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus read discrete inputs response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## coils: The coil values returned from the device. -event modbus_read_discrete_inputs_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%); - -## Generated for a Modbus read holding registers request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first register to be read. -## -## quantity: The number of registers to be read. -event modbus_read_holding_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus read holding registers response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## registers: The register values returned from the device. -event modbus_read_holding_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%); - -## Generated for a Modbus read input registers request. -## -## c: The connection. -## -## headers: The headers for the modbus function. 
-## -## start_address: The memory address of the first register to be read. -## -## quantity: The number of registers to be read. -event modbus_read_input_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus read input registers response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## registers: The register values returned from the device. -event modbus_read_input_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%); - -## Generated for a Modbus write single coil request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the coil to be written. -## -## value: The value to be written to the coil. -event modbus_write_single_coil_request%(c: connection, headers: ModbusHeaders, address: count, value: bool%); - -## Generated for a Modbus write single coil response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the coil that was written. -## -## value: The value that was written to the coil. -event modbus_write_single_coil_response%(c: connection, headers: ModbusHeaders, address: count, value: bool%); - -## Generated for a Modbus write single register request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the register to be written. -## -## value: The value to be written to the register. -event modbus_write_single_register_request%(c: connection, headers: ModbusHeaders, address: count, value: count%); - -## Generated for a Modbus write single register response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the register that was written. -## -## value: The value that was written to the register. 
-event modbus_write_single_register_response%(c: connection, headers: ModbusHeaders, address: count, value: count%); - -## Generated for a Modbus write multiple coils request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first coil to be written. -## -## value: The values to be written to the coils. -event modbus_write_multiple_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils%); - -## Generated for a Modbus write multiple coils response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first coil that was written. -## -## quantity: The quantity of coils that were written. -event modbus_write_multiple_coils_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus write multiple registers request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first register to be written. -## -## registers: The values to be written to the registers. -event modbus_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters%); - -## Generated for a Modbus write multiple registers response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first register that was written. -## -## quantity: The quantity of registers that were written. -event modbus_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus read file record request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## .. note: This event is incomplete. 
The information from the data structure is not -## yet passed through to the event. -event modbus_read_file_record_request%(c: connection, headers: ModbusHeaders%); - -## Generated for a Modbus read file record response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## .. note: This event is incomplete. The information from the data structure is not -## yet passed through to the event. -event modbus_read_file_record_response%(c: connection, headers: ModbusHeaders%); - -## Generated for a Modbus write file record request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## .. note: This event is incomplete. The information from the data structure is not -## yet passed through to the event. -event modbus_write_file_record_request%(c: connection, headers: ModbusHeaders%); - -## Generated for a Modbus write file record response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## .. note: This event is incomplete. The information from the data structure is not -## yet passed through to the event. -event modbus_write_file_record_response%(c: connection, headers: ModbusHeaders%); - -## Generated for a Modbus mask write register request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the register where the masks should be applied. -## -## and_mask: The value of the logical AND mask to apply to the register. -## -## or_mask: The value of the logical OR mask to apply to the register. -event modbus_mask_write_register_request%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%); - -## Generated for a Modbus mask write register request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the register where the masks were applied. 
-## -## and_mask: The value of the logical AND mask applied register. -## -## or_mask: The value of the logical OR mask applied to the register. -event modbus_mask_write_register_response%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%); - -## Generated for a Modbus read/write multiple registers request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## read_start_address: The memory address of the first register to be read. -## -## read_quantity: The number of registers to read. -## -## write_start_address: The memory address of the first register to be written. -## -## write_registers: The values to be written to the registers. -event modbus_read_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, read_start_address: count, read_quantity: count, write_start_address: count, write_registers: ModbusRegisters%); - -## Generated for a Modbus read/write multiple registers response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## written_registers: The register values read from the registers specified in the request. -event modbus_read_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, written_registers: ModbusRegisters%); - -## Generated for a Modbus read FIFO queue request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The address of the FIFO queue to read. -event modbus_read_fifo_queue_request%(c: connection, headers: ModbusHeaders, start_address: count%); - -## Generated for a Modbus read FIFO queue response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## fifos: The register values read from the FIFO queue on the device. -event modbus_read_fifo_queue_response%(c: connection, headers: ModbusHeaders, fifos: ModbusRegisters%); - ## Raised for informational messages reported via Bro's reporter framework. 
Such ## messages may be generated internally by the event engine and also by other ## scripts calling :bro:id:`Reporter::info`. 
@@ -6536,82 +868,88 @@ event reporter_error%(t: time, msg: string, location: string%) &error_handler; ## recursively for each ``@load``. event bro_script_loaded%(path: string, level: count%); -## Deprecated. Will be removed. -event stp_create_endp%(c: connection, e: int, is_orig: bool%); +## Generated each time Bro's script interpreter opens a file. This event is +## triggered only for files opened via :bro:id:`open`, and in particular not for +## normal log files as created by log writers. +## +## f: The opened file. +event file_opened%(f: file%); -# ##### Internal events. Not further documented. +## Generated when an internal DNS lookup produces the same result as last time. +## Bro keeps an internal DNS cache for host names and IP addresses it has +## already resolved. This event is generated when a subsequent lookup returns +## the same result as stored in the cache. +## +## dm: A record describing the new resolver result (which matches the old one). +## +## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified +event dns_mapping_valid%(dm: dns_mapping%); -## Event internal to the stepping stone detector. -event stp_resume_endp%(e: int%); +## Generated when an internal DNS lookup got no answer even though it had +## succeeded in the past. Bro keeps an internal DNS cache for host names and IP +## addresses it has already resolved. This event is generated when a +## subsequent lookup does not produce an answer even though we have +## already stored a result in the cache. +## +## dm: A record describing the old resolver result. +## +## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_valid +event dns_mapping_unverified%(dm: dns_mapping%); -## Event internal to the stepping stone detector. -event stp_correlate_pair%(e1: int, e2: int%); +## Generated when an internal DNS lookup succeeded but an earlier attempt +## did not. 
Bro keeps an internal DNS cache for host names and IP +## addresses it has already resolved. This event is generated when a subsequent +## lookup produces an answer for a query that was marked as failed in the cache. +## +## dm: A record describing the new resolver result. +## +## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified +## dns_mapping_valid +event dns_mapping_new_name%(dm: dns_mapping%); -## Event internal to the stepping stone detector. -event stp_remove_pair%(e1: int, e2: int%); +## Generated when an internal DNS lookup returned zero answers even though it +## had succeeded in the past. Bro keeps an internal DNS cache for host names +## and IP addresses it has already resolved. This event is generated when +## on a subsequent lookup we receive an answer that is empty even +## though we have already stored a result in the cache. +## +## dm: A record describing the old resolver result. +## +## .. bro:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid +event dns_mapping_lost_name%(dm: dns_mapping%); -## Event internal to the stepping stone detector. -event stp_remove_endp%(e: int%); - -# ##### Deprecated events. Proposed for removal. - -## Deprecated. Will be removed. -event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%); - -## Deprecated. Will be removed. -event interconn_remove_conn%(c: connection%); - -## Deprecated. Will be removed. -event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%); - -## Deprecated. Will be removed. -event backdoor_remove_conn%(c: connection%); - -## Deprecated. Will be removed. -event ssh_signature_found%(c: connection, is_orig: bool%); - -## Deprecated. Will be removed. -event telnet_signature_found%(c: connection, is_orig: bool, len: count%); - -## Deprecated. Will be removed. 
-event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%); +## Generated when an internal DNS lookup produced a different result than in +## the past. Bro keeps an internal DNS cache for host names and IP addresses +## it has already resolved. This event is generated when a subsequent lookup +## returns a different answer than we have stored in the cache. +## +## dm: A record describing the new resolver result. +## +## old_addrs: Addresses that used to be part of the returned set for the query +## described by *dm*, but are not anymore. +## +## new_addrs: Addresses that were not part of the returned set for the query +## described by *dm*, but now are. +## +## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid +event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%); ## Deprecated. Will be removed. event root_backdoor_signature_found%(c: connection%); -## Deprecated. Will be removed. -event ftp_signature_found%(c: connection%); - ## Deprecated. Will be removed. event napster_signature_found%(c: connection%); -## Deprecated. Will be removed. -event gnutella_signature_found%(c: connection%); - ## Deprecated. Will be removed. event kazaa_signature_found%(c: connection%); -## Deprecated. Will be removed. -event http_signature_found%(c: connection%); - -## Deprecated. Will be removed. -event http_proxy_signature_found%(c: connection%); - -## Deprecated. Will be removed. -event smtp_signature_found%(c: connection%); - -## Deprecated. Will be removed. -event irc_signature_found%(c: connection%); - ## Deprecated. Will be removed. event gaobot_signature_found%(c: connection%); -## Deprecated. Will be removed. -## -## .. todo:: Unclear what this event is for; it's never raised. We should just -## remove it. -event dns_full_request%(%); - ## Deprecated. Will be removed. event anonymization_mapping%(orig: addr, mapped: addr%); 
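Review bot: The new docstrings for `dns_mapping_unverified` ("got no answer even though it had succeeded in the past") and `dns_mapping_lost_name` ("returned zero answers even though it had succeeded in the past") describe what reads as the same condition, so a script author cannot tell from the documentation which of the two events a failed re-lookup raises. Each should name its distinguishing trigger explicitly; presumably one is a lookup that errors or times out and the other a successful response carrying an empty answer set, but that is inferred from the event names and needs confirming against the resolver code. The sentence `This event is generated when on a subsequent lookup we receive an answer that is empty` also reads awkwardly; `This event is generated when a subsequent lookup returns an empty answer` says the same thing.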
diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h
index 39bb190f8c..6912023cc4 100644
--- a/src/plugin/Macros.h
+++ b/src/plugin/Macros.h
@@ -33,13 +33,13 @@ std::list > __bif_##file##_init(); \
 AddBifInitFunction(&__bif_##file##_init);
-#define BRO_PLUGIN_ANALYZER(tag, factory) \
- AddComponent(new ::analyzer::Component(tag, factory));
+#define BRO_PLUGIN_ANALYZER(tag, cls) \
+ AddComponent(new ::analyzer::Component(tag, ::analyzer::cls::InstantiateAnalyzer));
+
+#define BRO_PLUGIN_ANALYZER_BARE(tag) \
+ AddComponent(new ::analyzer::Component(tag, 0));
 #define BRO_PLUGIN_SUPPORT_ANALYZER(tag) \
 AddComponent(new ::analyzer::Component(tag, 0));
-#define BRO_PLUGIN_ANALYZER_EXT(tag, factory, enabled, partial) \
- AddComponent(new ::analyzer::Component(tag, factory, 0, enabled, partial));
-
 #endif
From 3959e254e2697b13a185b0a50593a93396195d94 Mon Sep 17 00:00:00 2001
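Review bot: `BRO_PLUGIN_ANALYZER(tag, cls)` now pastes its second argument into `::analyzer::cls::InstantiateAnalyzer`, so `cls` must be a class name spelled relative to namespace `::analyzer` and that class must provide a static `InstantiateAnalyzer` compatible with the `Component` factory argument, but the header does not say so and a misuse surfaces only as an opaque lookup error inside the macro expansion. I would add above the definition: `// cls: analyzer class relative to namespace ::analyzer; it must expose a static InstantiateAnalyzer() usable as the Component factory (e.g. ftp::FTP_Analyzer).` The new `BRO_PLUGIN_ANALYZER_BARE` expands to exactly the same text as the existing `BRO_PLUGIN_SUPPORT_ANALYZER`; if the two are meant to register different kinds of component a comment should state the distinction, otherwise one should be defined in terms of the other so they cannot drift apart.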
From: Robin Sommer
Date: Fri, 19 Apr 2013 15:25:18 -0700
Subject: [PATCH 039/200] Moving protocol-specific BiFs out of bro.bif.
I hope I found them all ...
---
src/Func.cc | 1 -
src/analyzer/protocols/ftp/CMakeLists.txt | 1 +
src/analyzer/protocols/ftp/Plugin.cc | 1 +
src/analyzer/protocols/ftp/functions.bif | 220 ++++
src/analyzer/protocols/http/Plugin.cc | 1 +
src/analyzer/protocols/login/CMakeLists.txt | 1 +
src/analyzer/protocols/login/Plugin.cc | 1 +
src/analyzer/protocols/login/functions.bif | 62 ++
.../protocols/netbios-ssn/CMakeLists.txt | 1 +
src/analyzer/protocols/netbios-ssn/Plugin.cc | 1 +
.../protocols/netbios-ssn/functions.bif | 50 ++
src/analyzer/protocols/smtp/CMakeLists.txt | 1 +
src/analyzer/protocols/smtp/Plugin.cc | 1 +
src/analyzer/protocols/smtp/functions.bif | 17 +
.../protocols/socks/socks-analyzer.pac | 8 +-
src/analyzer/protocols/ssl/CMakeLists.txt | 1 +
src/analyzer/protocols/ssl/Plugin.cc | 1 +
src/analyzer/protocols/ssl/functions.bif | 132 ++++
src/analyzer/protocols/tcp/CMakeLists.txt | 1 +
src/analyzer/protocols/tcp/Plugin.cc | 1 +
src/analyzer/protocols/tcp/functions.bif | 159 +++++
src/bro.bif | 634 ------------------
22 files changed, 657 insertions(+), 639 deletions(-)
create mode 100644 src/analyzer/protocols/ftp/functions.bif
create mode 100644 src/analyzer/protocols/login/functions.bif
create mode 100644 src/analyzer/protocols/netbios-ssn/functions.bif
create mode 100644 src/analyzer/protocols/smtp/functions.bif
create mode 100644 src/analyzer/protocols/ssl/functions.bif
create mode 100644 src/analyzer/protocols/tcp/functions.bif
diff --git a/src/Func.cc b/src/Func.cc
index 82cd1998ce..668499d2ed 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -562,7 +562,6 @@ void builtin_error(const char* msg, BroObj* arg)
 void init_builtin_funcs()
 {
- ftp_port = internal_type("ftp_port")->AsRecordType();
 bro_resources = internal_type("bro_resources")->AsRecordType();
 net_stats = internal_type("NetStats")->AsRecordType();
 matcher_stats = internal_type("matcher_stats")->AsRecordType();
diff --git a/src/analyzer/protocols/ftp/CMakeLists.txt b/src/analyzer/protocols/ftp/CMakeLists.txt
index b8b2e1bb3e..9a92d95116 100644
--- a/src/analyzer/protocols/ftp/CMakeLists.txt
+++ b/src/analyzer/protocols/ftp/CMakeLists.txt
@@ -6,4 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 bro_plugin_begin(FTP)
 bro_plugin_cc(FTP.cc Plugin.cc)
 bro_plugin_bif(events.bif)
+bro_plugin_bif(functions.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocols/ftp/Plugin.cc b/src/analyzer/protocols/ftp/Plugin.cc
index 9a58990a63..d6bc3313e6 100644
--- a/src/analyzer/protocols/ftp/Plugin.cc
+++ b/src/analyzer/protocols/ftp/Plugin.cc
@@ -8,4 +8,5 @@ BRO_PLUGIN_BEGIN(FTP)
 BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer);
 BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT");
 BRO_PLUGIN_BIF_FILE(events);
+ BRO_PLUGIN_BIF_FILE(functions);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/ftp/functions.bif b/src/analyzer/protocols/ftp/functions.bif
new file mode 100644
index 0000000000..a667d8ca88
--- /dev/null
+++ b/src/analyzer/protocols/ftp/functions.bif
@@ -0,0 +1,220 @@ + +type ftp_port: record; + +%%{ + +static Val* parse_port(const char* line) + { + RecordVal* r = new RecordVal(BifType::Record::ftp_port); + + int bytes[6]; + if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d", + &bytes[0], &bytes[1], &bytes[2], + &bytes[3], &bytes[4], &bytes[5]) == 6 ) + { + int good = 1; + + for ( int i = 0; i < 6; ++i ) + if ( bytes[i] < 0 || bytes[i] > 255 ) + { + good = 0; + break; + } + + uint32 addr = (bytes[0] << 24) | (bytes[1] << 16) | + (bytes[2] << 8) | bytes[3]; + uint32 port = (bytes[4] << 8) | bytes[5]; + + // Since port is unsigned, no need to check for < 0. + if ( port > 65535 ) + { + port = 0; + good = 0; + } + + r->Assign(0, new AddrVal(htonl(addr))); + r->Assign(1, new PortVal(port, TRANSPORT_TCP)); + r->Assign(2, new Val(good, TYPE_BOOL)); + } + else + { + r->Assign(0, new AddrVal(uint32(0))); + r->Assign(1, new PortVal(0, TRANSPORT_TCP)); + r->Assign(2, new Val(0, TYPE_BOOL)); + } + + return r; + } + +static Val* parse_eftp(const char* line) + { + RecordVal* r = new RecordVal(BifType::Record::ftp_port); + + int net_proto = 0; // currently not used + IPAddr addr; // unspecified IPv6 address (all 128 bits zero) + int port = 0; + int good = 0; + + if ( line ) + { + while ( isspace(*line) ) // skip whitespace + ++line; + + char delimiter = *line; + char* next_delim; + + if ( *line ) + { + good = 1; + ++line; // skip delimiter + + net_proto = strtol(line, &next_delim, 10); + if ( *next_delim != delimiter ) + good = 0; + + line = next_delim; + if ( *line ) + ++line; + + if ( *line && *line != delimiter ) + { + const char* nptr = strchr(line, delimiter); + if ( nptr == NULL ) + { + nptr = line + strlen(line); + good = 0; + } + + string s(line, nptr-line); // extract IP address + IPAddr tmp(s); + // on error, "tmp" will have all 128 bits zero + if ( tmp == addr ) + good = 0; + + addr = tmp; + } + + line = strchr(line, delimiter); + + if ( line != NULL ) + { + ++line; // now the port + port = strtol(line, &next_delim, 
10); + if ( *next_delim != delimiter ) + good = 0; + } + + } + + } + + r->Assign(0, new AddrVal(addr)); + r->Assign(1, new PortVal(port, TRANSPORT_TCP)); + r->Assign(2, new Val(good, TYPE_BOOL)); + + return r; + } +%%} + +## Converts a string representation of the FTP PORT command to an ``ftp_port``. +## +## s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``. +## +## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` +## +## .. bro:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port +function parse_ftp_port%(s: string%): ftp_port + %{ + return parse_port(s->CheckString()); + %} + +## Converts a string representation of the FTP EPRT command to an ``ftp_port``. +## See `RFC 2428 `_. +## The format is ``EPRT``, +## where ```` is a delimiter in the ASCII range 33-126 (usually ``|``). +## +## s: The string of the FTP EPRT command, e.g., ``"|1|10.0.0.1|1055|"``. +## +## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` +## +## .. bro:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port +function parse_eftp_port%(s: string%): ftp_port + %{ + return parse_eftp(s->CheckString()); + %} + +## Converts the result of the FTP PASV command to an ``ftp_port``. +## +## str: The string containing the result of the FTP PASV command. +## +## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` +## +## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port +function parse_ftp_pasv%(str: string%): ftp_port + %{ + const char* s = str->CheckString(); + const char* line = strchr(s, '('); + if ( line ) + ++line; // move past '(' + else if ( (line = strstr(s, "PORT")) ) + line += 5; // Skip over + else if ( (line = strchr(s, ',')) ) + { // Look for comma-separated list. + while ( --line >= s && isdigit(*line) ) + ; // Back up over preceding digits. 
+ ++line; // now points to first digit, or beginning of s + } + + return parse_port(line); + %} + +## Converts the result of the FTP EPSV command to an ``ftp_port``. +## See `RFC 2428 `_. +## The format is `` ()``, where ```` is a +## delimiter in the ASCII range 33-126 (usually ``|``). +## +## str: The string containing the result of the FTP EPSV command. +## +## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` +## +## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port +function parse_ftp_epsv%(str: string%): ftp_port + %{ + const char* s = str->CheckString(); + const char* line = strchr(s, '('); + if ( line ) + ++line; // move past '(' + return parse_eftp(line); + %} + +## Formats an IP address and TCP port as an FTP PORT command. For example, +## ``10.0.0.1`` and ``1055/tcp`` yields ``"10,0,0,1,4,31"``. +## +## a: The IP address. +## +## p: The TCP port. +## +## Returns: The FTP PORT string. +## +## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv +function fmt_ftp_port%(a: addr, p: port%): string + %{ + const uint32* addr; + int len = a->AsAddr().GetBytes(&addr); + if ( len == 1 ) + { + uint32 a = ntohl(addr[0]); + uint32 pn = p->Port(); + return new StringVal(fmt("%d,%d,%d,%d,%d,%d", + a >> 24, (a >> 16) & 0xff, + (a >> 8) & 0xff, a & 0xff, + pn >> 8, pn & 0xff)); + } + else + { + builtin_error("conversion of non-IPv4 address in fmt_ftp_port", + @ARG@[0]); + return new StringVal(""); + } + %} + diff --git a/src/analyzer/protocols/http/Plugin.cc b/src/analyzer/protocols/http/Plugin.cc index a0e6e28f43..86f1cb0333 100644 --- a/src/analyzer/protocols/http/Plugin.cc +++ b/src/analyzer/protocols/http/Plugin.cc @@ -7,4 +7,5 @@ BRO_PLUGIN_BEGIN(HTTP) BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); BRO_PLUGIN_ANALYZER("HTTP", http::HTTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END 
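Review bot: `parse_eftp` never range-checks the port it reads with `strtol`, so an EPRT string such as `|1|10.0.0.1|70000|` (constructed example) or a negative port yields a record flagged `valid=T` with a `PortVal` built from an out-of-range number, whereas `parse_port` explicitly zeroes and flags `port > 65535`; add `if ( port < 0 || port > 65535 ) { port = 0; good = 0; }` before the three `Assign` calls. In `parse_port`, a byte outside 0..255 sets `good = 0` but the address and port are still computed from the bad bytes (a negative operand of `<<` is undefined behaviour); zero them as the parse-failure branch does. In `parse_ftp_pasv`, `line += 5` after `strstr(s, "PORT")` steps past the terminator when the string ends immediately after `PORT`, and `parse_port` then scans beyond the buffer; advance by `strlen("PORT")` and skip whitespace explicitly instead of assuming a trailing character. `fmt_ftp_port` also shadows its `a` parameter with a local `uint32 a`, which reads awkwardly next to the `@ARG@[0]` reference in the error branch; a name like `ip4` would be clearer.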
diff --git a/src/analyzer/protocols/login/CMakeLists.txt b/src/analyzer/protocols/login/CMakeLists.txt index 219c249d5e..60a5b57ec5 100644 --- a/src/analyzer/protocols/login/CMakeLists.txt +++ b/src/analyzer/protocols/login/CMakeLists.txt @@ -6,4 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Login) bro_plugin_cc(Login.cc RSH.cc Telnet.cc Rlogin.cc NVT.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) bro_plugin_end() diff --git a/src/analyzer/protocols/login/Plugin.cc b/src/analyzer/protocols/login/Plugin.cc index 3f98f99d2c..43784ba262 100644 --- a/src/analyzer/protocols/login/Plugin.cc +++ b/src/analyzer/protocols/login/Plugin.cc @@ -16,4 +16,5 @@ BRO_PLUGIN_BEGIN(Login) BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rlogin"); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/login/functions.bif b/src/analyzer/protocols/login/functions.bif new file mode 100644 index 0000000000..c3d7cbf82b --- /dev/null +++ b/src/analyzer/protocols/login/functions.bif 
@@ -0,0 +1,62 @@ + +%%{ +#include "Login.h" +%%} + +## Returns the state of the given login (Telnet or Rlogin) connection. +## +## cid: The connection ID. +## +## Returns: False if the connection is not active or is not tagged as a +## login analyzer. Otherwise the function returns the state, which can +## be one of: +## +## - ``LOGIN_STATE_AUTHENTICATE``: The connection is in its +## initial authentication dialog. +## - ``LOGIN_STATE_LOGGED_IN``: The analyzer believes the user has +## successfully authenticated. +## - ``LOGIN_STATE_SKIP``: The analyzer has skipped any further +## processing of the connection. +## - ``LOGIN_STATE_CONFUSED``: The analyzer has concluded that it +## does not correctly know the state of the connection, and/or +## the username associated with it. +## +## .. bro:see:: set_login_state +function get_login_state%(cid: conn_id%): count + %{ + Connection* c = sessions->FindConnection(cid); + if ( ! c ) + return new Val(0, TYPE_BOOL); + + analyzer::Analyzer* la = c->FindAnalyzer("Login"); + if ( ! la ) + return new Val(0, TYPE_BOOL); + + return new Val(int(static_cast(la)->LoginState()), + TYPE_COUNT); + %} + +## Sets the login state of a connection with a login analyzer. +## +## cid: The connection ID. +## +## new_state: The new state of the login analyzer. See +## :bro:id:`get_login_state` for possible values. +## +## Returns: Returns false if *cid* is not an active connection +## or is not tagged as a login analyzer, and true otherwise. +## +## .. bro:see:: get_login_state +function set_login_state%(cid: conn_id, new_state: count%): bool + %{ + Connection* c = sessions->FindConnection(cid); + if ( ! c ) + return new Val(0, TYPE_BOOL); + + analyzer::Analyzer* la = c->FindAnalyzer("Login"); + if ( ! la ) + return new Val(0, TYPE_BOOL); + + static_cast(la)->SetLoginState(analyzer::login::login_state(new_state)); + return new Val(1, TYPE_BOOL); + %} 
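Review bot: `set_login_state` casts any `new_state` straight to `analyzer::login::login_state` with no validation, so a script can push a value outside the four documented states into the analyzer; reject values not among the documented states before the cast and return `new Val(0, TYPE_BOOL)` (the exact upper bound must be taken from Login.h, which is not visible here). Separately, `get_login_state` is declared `: count` but both failure paths return `new Val(0, TYPE_BOOL)`, so the declared type and the returned value disagree while the docstring's "False if ..." describes the bool; either return a `TYPE_COUNT` sentinel and document it, or change the declared return type. A `0` sentinel is only unambiguous if no real state is encoded as 0, which the docstring should state once confirmed.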
diff --git a/src/analyzer/protocols/netbios-ssn/CMakeLists.txt b/src/analyzer/protocols/netbios-ssn/CMakeLists.txt index 8292c11546..4318fa2b34 100644 --- a/src/analyzer/protocols/netbios-ssn/CMakeLists.txt +++ b/src/analyzer/protocols/netbios-ssn/CMakeLists.txt @@ -6,4 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(NetbiosSSN) bro_plugin_cc(NetbiosSSN.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) bro_plugin_end() diff --git a/src/analyzer/protocols/netbios-ssn/Plugin.cc b/src/analyzer/protocols/netbios-ssn/Plugin.cc index 8ed7824634..66b4e82d51 100644 --- a/src/analyzer/protocols/netbios-ssn/Plugin.cc +++ b/src/analyzer/protocols/netbios-ssn/Plugin.cc @@ -8,4 +8,5 @@ BRO_PLUGIN_BEGIN(NetbiosSSN) BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN"); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/netbios-ssn/functions.bif b/src/analyzer/protocols/netbios-ssn/functions.bif new file mode 100644 index 0000000000..d4316d0c66 --- /dev/null +++ b/src/analyzer/protocols/netbios-ssn/functions.bif 
@@ -0,0 +1,50 @@ + +## Decode a NetBIOS name. See http://support.microsoft.com/kb/194203. +## +## name: The encoded NetBIOS name, e.g., ``"FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"``. +## +## Returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAME"``. +## +## .. bro:see:: decode_netbios_name_type +function decode_netbios_name%(name: string%): string + %{ + char buf[16]; + char result[16]; + const u_char* s = name->Bytes(); + int i, j; + + for ( i = 0, j = 0; i < 16; ++i ) + { + char c0 = (j < name->Len()) ? toupper(s[j++]) : 'A'; + char c1 = (j < name->Len()) ? toupper(s[j++]) : 'A'; + buf[i] = ((c0 - 'A') << 4) + (c1 - 'A'); + } + + for ( i = 0; i < 15; ++i ) + { + if ( isalnum(buf[i]) || ispunct(buf[i]) || + // \x01\x02 is seen in at least one case as the first two bytes. + // I think that any \x01 and \x02 should always be passed through. + buf[i] < 3 ) + result[i] = buf[i]; + else + break; + } + + return new StringVal(i, result); + %} + +## Converts a NetBIOS name type to its corresponding numeric value. +## See http://support.microsoft.com/kb/163409. +## +## name: The NetBIOS name type. +## +## Returns: The numeric value of *name*. +## +## .. bro:see:: decode_netbios_name +function decode_netbios_name_type%(name: string%): count + %{ + const u_char* s = name->Bytes(); + char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A'); + return new Val(return_val, TYPE_COUNT); + %} diff --git a/src/analyzer/protocols/smtp/CMakeLists.txt b/src/analyzer/protocols/smtp/CMakeLists.txt index 53f9dd1246..1f4779c0f8 100644 --- a/src/analyzer/protocols/smtp/CMakeLists.txt +++ b/src/analyzer/protocols/smtp/CMakeLists.txt @@ -6,4 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(SMTP) bro_plugin_cc(SMTP.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) bro_plugin_end() 
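Review bot: `decode_netbios_name_type` indexes `s[30]` and `s[31]` without checking `name->Len()`, so a script passing a string shorter than 32 bytes reads past the buffer; add `if ( name->Len() < 32 ) { builtin_error("decode_netbios_name_type: name too short", @ARG@[0]); return new Val(0, TYPE_COUNT); }` before the arithmetic. The result is also held in a plain `char`, which is signed on most targets, so non-letter input can produce a negative value that becomes a very large `count`; compute it in an `unsigned` and mask with `& 0xff`. `decode_netbios_name` applies the same `c0 - 'A'` arithmetic to whatever bytes it is given, so its docstring should state that the input is assumed to be the 32-character first-level encoding and that other input decodes to arbitrary bytes.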
diff --git a/src/analyzer/protocols/smtp/Plugin.cc b/src/analyzer/protocols/smtp/Plugin.cc index 8a5095381d..6550733b92 100644 --- a/src/analyzer/protocols/smtp/Plugin.cc +++ b/src/analyzer/protocols/smtp/Plugin.cc @@ -7,4 +7,5 @@ BRO_PLUGIN_BEGIN(SMTP) BRO_PLUGIN_DESCRIPTION("SMTP Analyzer"); BRO_PLUGIN_ANALYZER("SMTP", smtp::SMTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/smtp/functions.bif b/src/analyzer/protocols/smtp/functions.bif new file mode 100644 index 0000000000..2bb0c52319 --- /dev/null +++ b/src/analyzer/protocols/smtp/functions.bif @@ -0,0 +1,17 @@ + +%%{ +#include "analyzer/protocols/smtp/SMTP.h" +%%} + +## Skips SMTP data until the next email in a connection. +## +## c: The SMTP connection. +## +## .. bro:see:: skip_http_entity_data +function skip_smtp_data%(c: connection%): any + %{ + analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); + if ( sa ) + static_cast(sa)->SkipData(); + return 0; + %} diff --git a/src/analyzer/protocols/socks/socks-analyzer.pac b/src/analyzer/protocols/socks/socks-analyzer.pac index 7ce364670b..80051f0b27 100644 --- a/src/analyzer/protocols/socks/socks-analyzer.pac +++ b/src/analyzer/protocols/socks/socks-analyzer.pac @@ -35,7 +35,7 @@ refine connection SOCKS_Conn += { new PortVal(${request.port} | TCP_PORT_MASK), array_to_string(${request.user})); - static_cast(bro_analyzer())->EndpointDone(true); + static_cast(bro_analyzer())->EndpointDone(true); return true; %} @@ -53,7 +53,7 @@ refine connection SOCKS_Conn += { new PortVal(${reply.port} | TCP_PORT_MASK)); bro_analyzer()->ProtocolConfirmation(); - static_cast(bro_analyzer())->EndpointDone(false); + static_cast(bro_analyzer())->EndpointDone(false); return true; %} 
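Review bot: `skip_smtp_data` silently does nothing when `FindAnalyzer("SMTP")` returns null, and its docstring does not say so; add `## If the connection carries no SMTP analyzer, the call has no effect.` under the `c:` parameter, or report the missing analyzer through `reporter` as `get_orig_seq` in the tcp hunk does. The docstring also lacks a `Returns:` line although the function is declared `: any` and returns a null `Val*`; state that the return value carries no information.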
@@ -97,7 +97,7 @@ refine connection SOCKS_Conn += { new PortVal(${request.port} | TCP_PORT_MASK), new StringVal("")); - static_cast(bro_analyzer())->EndpointDone(true); + static_cast(bro_analyzer())->EndpointDone(true); return true; %} @@ -136,7 +136,7 @@ refine connection SOCKS_Conn += { new PortVal(${reply.port} | TCP_PORT_MASK)); bro_analyzer()->ProtocolConfirmation(); - static_cast(bro_analyzer())->EndpointDone(false); + static_cast(bro_analyzer())->EndpointDone(false); return true; %} diff --git a/src/analyzer/protocols/ssl/CMakeLists.txt b/src/analyzer/protocols/ssl/CMakeLists.txt index 9ee8fd9b1e..57f9b47e4d 100644 --- a/src/analyzer/protocols/ssl/CMakeLists.txt +++ b/src/analyzer/protocols/ssl/CMakeLists.txt @@ -6,5 +6,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(SSL) bro_plugin_cc(SSL.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) bro_plugin_pac(ssl.pac ssl-analyzer.pac ssl-protocol.pac ssl-defs.pac) bro_plugin_end() diff --git a/src/analyzer/protocols/ssl/Plugin.cc b/src/analyzer/protocols/ssl/Plugin.cc index 6fe3308818..b406e4aa8b 100644 --- a/src/analyzer/protocols/ssl/Plugin.cc +++ b/src/analyzer/protocols/ssl/Plugin.cc @@ -7,4 +7,5 @@ BRO_PLUGIN_BEGIN(SSL) BRO_PLUGIN_DESCRIPTION("SSL Analyzer"); BRO_PLUGIN_ANALYZER("SSL", ssl::SSL_Analyzer); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ssl/functions.bif b/src/analyzer/protocols/ssl/functions.bif new file mode 100644 index 0000000000..f2d4861007 --- /dev/null +++ b/src/analyzer/protocols/ssl/functions.bif 
@@ -0,0 +1,132 @@ + +%%{ +#include +#include +#include + +// This is the indexed map of X509 certificate stores. +static map x509_stores; + +// ### NOTE: while d2i_X509 does not take a const u_char** pointer, +// here we assume d2i_X509 does not write to , so it is safe to +// convert data to a non-const pointer. Could some X509 guru verify +// this? + +X509* d2i_X509_(X509** px, const u_char** in, int len) + { +#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR + return d2i_X509(px, in, len); +#else + return d2i_X509(px, (u_char**)in, len); +#endif + } + +%%} + + +## Verifies a certificate. +## +## der_cert: The X.509 certificate in DER format. +## +## cert_stack: Specifies a certificate chain to validate against, with index 0 +## typically being the root CA. Bro uses the Mozilla root CA list +## by default. +## +## root_certs: A list of additional root certificates that extends +## *cert_stack*. +## +## Returns: A status code of the verification which can be converted into an +## ASCII string via :bro:id:`x509_err2str`. +## +## .. bro:see:: x509_err2str +function x509_verify%(der_cert: string, cert_stack: string_vec, root_certs: table_string_of_string%): count + %{ + X509_STORE* ctx = 0; + int i = 0; + + // If this certificate store was built previously, just reuse the old one. + if ( x509_stores.count(root_certs) > 0 ) + ctx = x509_stores[root_certs]; + + if ( ! ctx ) // lookup to see if we have this one built already! + { + ctx = X509_STORE_new(); + TableVal* root_certs2 = root_certs->AsTableVal(); + ListVal* idxs = root_certs2->ConvertToPureList(); + + // Build the validation store + for ( i = 0; i < idxs->Length(); ++i ) + { + Val* key = idxs->Index(i); + StringVal *sv = root_certs2->Lookup(key)->AsStringVal(); + const uint8* data = sv->Bytes(); + X509* x = d2i_X509_(NULL, &data, sv->Len()); + if ( ! 
x ) + { + builtin_error(fmt("Root CA error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); + return new Val((uint64) ERR_get_error(), TYPE_COUNT); + } + X509_STORE_add_cert(ctx, x); + } + delete idxs; + + // Save the newly constructed certificate store into the cacheing map. + x509_stores[root_certs] = ctx; + } + + const uint8 *cert_data = der_cert->Bytes(); + X509* cert = d2i_X509_(NULL, &cert_data, der_cert->Len()); + if ( ! cert ) + { + builtin_error(fmt("Certificate error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); + return new Val((uint64) ERR_get_error(), TYPE_COUNT); + } + + STACK_OF(X509)* untrusted_certs = sk_X509_new_null(); + if ( ! untrusted_certs ) + { + builtin_error(fmt("Untrusted certificate stack initialization error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); + return new Val((uint64) ERR_get_error(), TYPE_COUNT); + } + + VectorVal *cert_stack_vec = cert_stack->AsVectorVal(); + for ( i = 0; i < (int) cert_stack_vec->Size(); ++i ) + { + StringVal *sv = cert_stack_vec->Lookup(i)->AsStringVal(); + const uint8 *data = sv->Bytes(); + X509* x = d2i_X509_(NULL, &data, sv->Len()); + if ( ! x ) + { + X509_free(cert); + sk_X509_pop_free(untrusted_certs, X509_free); + builtin_error(fmt("Untrusted certificate stack creation error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); + return new Val((uint64) ERR_get_error(), TYPE_COUNT); + } + sk_X509_push(untrusted_certs, x); + } + + X509_STORE_CTX csc; + X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs); + X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time); + + int result = X509_verify_cert(&csc); + X509_STORE_CTX_cleanup(&csc); + + if ( untrusted_certs ) + sk_X509_pop_free(untrusted_certs, X509_free); + X509_free(cert); + + return new Val((uint64) csc.error, TYPE_COUNT); + %} + +## Converts a certificate verification error code into an ASCII string. +## +## err_num: The error code. +## +## Returns: A string representation of *err_num*. +## +## .. 
bro:see:: x509_verify +function x509_err2str%(err_num: count%): string + %{ + return new StringVal(X509_verify_cert_error_string(err_num)); + %} diff --git a/src/analyzer/protocols/tcp/CMakeLists.txt b/src/analyzer/protocols/tcp/CMakeLists.txt index b8cf0e2bf4..f61f27495b 100644 --- a/src/analyzer/protocols/tcp/CMakeLists.txt +++ b/src/analyzer/protocols/tcp/CMakeLists.txt @@ -6,4 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(TCP) bro_plugin_cc(TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc ContentLine.cc Stats.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) bro_plugin_end() diff --git a/src/analyzer/protocols/tcp/Plugin.cc b/src/analyzer/protocols/tcp/Plugin.cc index defb0b330d..376c54d332 100644 --- a/src/analyzer/protocols/tcp/Plugin.cc +++ b/src/analyzer/protocols/tcp/Plugin.cc @@ -10,4 +10,5 @@ BRO_PLUGIN_BEGIN(TCP) BRO_PLUGIN_SUPPORT_ANALYZER("ContentLine"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents"); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/tcp/functions.bif b/src/analyzer/protocols/tcp/functions.bif new file mode 100644 index 0000000000..b0178a1279 --- /dev/null +++ b/src/analyzer/protocols/tcp/functions.bif 
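Review bot: in `x509_verify`, the `Root CA error` path inside the store-building loop returns without `X509_STORE_free(ctx)` or `delete idxs`, leaking the partially built store and the index list on every call that hits a bad root certificate; free both before that `return`. Later, `int result = X509_verify_cert(&csc);` is never read, and `csc.error` is read only after `X509_STORE_CTX_cleanup(&csc)`; capture it first with `int err = X509_STORE_CTX_get_error(&csc);` before the cleanup and return `err`, which also avoids reaching into struct internals. The return value of `X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs)` is unchecked, so on failure verification runs on an uninitialised context. The cache `x509_stores` is keyed by the `root_certs` `Val*` itself (its template arguments were lost in rendering), so a freed table whose address is later reused could be served a stale store; a comment stating that the table is expected to be a long-lived global would make that assumption explicit.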
@@ -0,0 +1,159 @@ + +%%{ +#include "analyzer/protocols/tcp/TCP.h" +%%} + +## Get the originator sequence number of a TCP connection. Sequence numbers +## are absolute (i.e., they reflect the values seen directly in packet headers; +## they are not relative to the beginning of the connection). +## +## cid: The connection ID. +## +## Returns: The highest sequence number sent by a connection's originator, or 0 +## if *cid* does not point to an active TCP connection. +## +## .. bro:see:: get_resp_seq +function get_orig_seq%(cid: conn_id%): count + %{ + Connection* c = sessions->FindConnection(cid); + if ( ! c ) + return new Val(0, TYPE_COUNT); + + if ( c->ConnTransport() != TRANSPORT_TCP ) + return new Val(0, TYPE_COUNT); + + analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); + if ( tc ) + return new Val(static_cast(tc)->OrigSeq(), + TYPE_COUNT); + else + { + reporter->Error("connection does not have TCP analyzer"); + return new Val(0, TYPE_COUNT); + } + %} + +## Get the responder sequence number of a TCP connection. Sequence numbers +## are absolute (i.e., they reflect the values seen directly in packet headers; +## they are not relative to the beginning of the connection). +## +## cid: The connection ID. +## +## Returns: The highest sequence number sent by a connection's responder, or 0 +## if *cid* does not point to an active TCP connection. +## +## .. bro:see:: get_orig_seq +function get_resp_seq%(cid: conn_id%): count + %{ + Connection* c = sessions->FindConnection(cid); + if ( ! c ) + return new Val(0, TYPE_COUNT); + + if ( c->ConnTransport() != TRANSPORT_TCP ) + return new Val(0, TYPE_COUNT); + + analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); + if ( tc ) + return new Val(static_cast(tc)->RespSeq(), + TYPE_COUNT); + else + { + reporter->Error("connection does not have TCP analyzer"); + return new Val(0, TYPE_COUNT); + } + %} + +## Returns statistics about TCP gaps. +## +## Returns: A record with TCP gap statistics. +## +## .. 
bro:see:: do_profiling +## net_stats +## resource_usage +## dump_rule_stats +## get_matcher_stats +function get_gap_summary%(%): gap_info + %{ + RecordVal* r = new RecordVal(gap_info); + r->Assign(0, new Val(tot_ack_events, TYPE_COUNT)); + r->Assign(1, new Val(tot_ack_bytes, TYPE_COUNT)); + r->Assign(2, new Val(tot_gap_events, TYPE_COUNT)); + r->Assign(3, new Val(tot_gap_bytes, TYPE_COUNT)); + + return r; + %} + +## Associates a file handle with a connection for writing TCP byte stream +## contents. +## +## cid: The connection ID. +## +## direction: Controls what sides of the connection to record. The argument can +## take one of the four values: +## +## - ``CONTENTS_NONE``: Stop recording the connection's content. +## - ``CONTENTS_ORIG``: Record the data sent by the connection +## originator (often the client). +## - ``CONTENTS_RESP``: Record the data sent by the connection +## responder (often the server). +## - ``CONTENTS_BOTH``: Record the data sent in both directions. +## Results in the two directions being +## intermixed in the file, in the order the +## data was seen by Bro. +## +## f: The file handle of the file to write the contents to. +## +## Returns: Returns false if *cid* does not point to an active connection, and +## true otherwise. +## +## .. note:: +## +## The data recorded to the file reflects the byte stream, not the +## contents of individual packets. Reordering and duplicates are +## removed. If any data is missing, the recording stops at the +## missing data; this can happen, e.g., due to an +## :bro:id:`ack_above_hole` event. +## +## .. bro:see:: get_contents_file set_record_packets +function set_contents_file%(cid: conn_id, direction: count, f: file%): bool + %{ + Connection* c = sessions->FindConnection(cid); + if ( ! c ) + return new Val(0, TYPE_BOOL); + + c->GetRootAnalyzer()->SetContentsFile(direction, f); + return new Val(1, TYPE_BOOL); + %} + +## Returns the file handle of the contents file of a connection. 
+## +## cid: The connection ID. +## +## direction: Controls what sides of the connection to record. See +## :bro:id:`set_contents_file` for possible values. +## +## Returns: The :bro:type:`file` handle for the contents file of the +## connection identified by *cid*. If the connection exists +## but there is no contents file for *direction*, then the function +## generates an error and returns a file handle to ``stderr``. +## +## .. bro:see:: set_contents_file set_record_packets +function get_contents_file%(cid: conn_id, direction: count%): file + %{ + Connection* c = sessions->FindConnection(cid); + BroFile* f = c ? c->GetRootAnalyzer()->GetContentsFile(direction) : 0; + + if ( f ) + { + Ref(f); + return new Val(f); + } + + // Return some sort of error value. + if ( ! c ) + builtin_error("unknown connection id in get_contents_file()", cid); + else + builtin_error("no contents file for given direction"); + + return new Val(new BroFile(stderr, "-", "w")); + %} diff --git a/src/bro.bif b/src/bro.bif index aa8229f92d..5c39e335a6 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -20,7 +20,6 @@ using namespace std; -RecordType* ftp_port; RecordType* net_stats; RecordType* bro_resources; RecordType* matcher_stats; @@ -1786,26 +1785,6 @@ function get_matcher_stats%(%): matcher_stats return r; %} -## Returns statistics about TCP gaps. -## -## Returns: A record with TCP gap statistics. -## -## .. bro:see:: do_profiling -## net_stats -## resource_usage -## dump_rule_stats -## get_matcher_stats -function get_gap_summary%(%): gap_info - %{ - RecordVal* r = new RecordVal(gap_info); - r->Assign(0, new Val(tot_ack_events, TYPE_COUNT)); - r->Assign(1, new Val(tot_ack_bytes, TYPE_COUNT)); - r->Assign(2, new Val(tot_gap_events, TYPE_COUNT)); - r->Assign(3, new Val(tot_gap_bytes, TYPE_COUNT)); - - return r; - %} - ## Generates a table of the size of all global variables. The table index is ## the variable name and the value is the variable size in bytes. ## 
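Review bot: `get_orig_seq` and `get_resp_seq` repeat the same connection lookup, transport check and `FindAnalyzer("TCP")` lookup verbatim, differing only in the final `OrigSeq()`/`RespSeq()` call; a file-local helper in the `%%{ %%}` block that returns the TCP analyzer pointer or `0` (and reports the missing-analyzer error itself) would leave each BiF a three-line body. `set_contents_file` and `get_contents_file` pass `direction` straight to `SetContentsFile`/`GetContentsFile` without checking it is one of the four documented `CONTENTS_*` values; if those methods do not validate it themselves (not visible here), an out-of-range value should raise a `builtin_error` rather than being silently accepted. Both also dereference `c->GetRootAnalyzer()` unconditionally, which assumes a live connection always has a root analyzer; that invariant deserves a comment if it holds.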
@@ -2541,273 +2520,6 @@ function addr_to_ptr_name%(a: addr%): string return new StringVal(a->AsAddr().PtrName().c_str()); %} - -%%{ -static Val* parse_port(const char* line) - { - RecordVal* r = new RecordVal(ftp_port); - - int bytes[6]; - if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d", - &bytes[0], &bytes[1], &bytes[2], - &bytes[3], &bytes[4], &bytes[5]) == 6 ) - { - int good = 1; - - for ( int i = 0; i < 6; ++i ) - if ( bytes[i] < 0 || bytes[i] > 255 ) - { - good = 0; - break; - } - - uint32 addr = (bytes[0] << 24) | (bytes[1] << 16) | - (bytes[2] << 8) | bytes[3]; - uint32 port = (bytes[4] << 8) | bytes[5]; - - // Since port is unsigned, no need to check for < 0. - if ( port > 65535 ) - { - port = 0; - good = 0; - } - - r->Assign(0, new AddrVal(htonl(addr))); - r->Assign(1, new PortVal(port, TRANSPORT_TCP)); - r->Assign(2, new Val(good, TYPE_BOOL)); - } - else - { - r->Assign(0, new AddrVal(uint32(0))); - r->Assign(1, new PortVal(0, TRANSPORT_TCP)); - r->Assign(2, new Val(0, TYPE_BOOL)); - } - - return r; - } - -static Val* parse_eftp(const char* line) - { - RecordVal* r = new RecordVal(ftp_port); - - int net_proto = 0; // currently not used - IPAddr addr; // unspecified IPv6 address (all 128 bits zero) - int port = 0; - int good = 0; - - if ( line ) - { - while ( isspace(*line) ) // skip whitespace - ++line; - - char delimiter = *line; - char* next_delim; - - if ( *line ) - { - good = 1; - ++line; // skip delimiter - - net_proto = strtol(line, &next_delim, 10); - if ( *next_delim != delimiter ) - good = 0; - - line = next_delim; - if ( *line ) - ++line; - - if ( *line && *line != delimiter ) - { - const char* nptr = strchr(line, delimiter); - if ( nptr == NULL ) - { - nptr = line + strlen(line); - good = 0; - } - - string s(line, nptr-line); // extract IP address - IPAddr tmp(s); - // on error, "tmp" will have all 128 bits zero - if ( tmp == addr ) - good = 0; - - addr = tmp; - } - - line = strchr(line, delimiter); - - if ( line != NULL ) - { - ++line; // now 
the port - port = strtol(line, &next_delim, 10); - if ( *next_delim != delimiter ) - good = 0; - } - - } - - } - - r->Assign(0, new AddrVal(addr)); - r->Assign(1, new PortVal(port, TRANSPORT_TCP)); - r->Assign(2, new Val(good, TYPE_BOOL)); - - return r; - } -%%} - -## Converts a string representation of the FTP PORT command to an ``ftp_port``. -## -## s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``. -## -## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` -## -## .. bro:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port -function parse_ftp_port%(s: string%): ftp_port - %{ - return parse_port(s->CheckString()); - %} - -## Converts a string representation of the FTP EPRT command to an ``ftp_port``. -## See `RFC 2428 `_. -## The format is ``EPRT``, -## where ```` is a delimiter in the ASCII range 33-126 (usually ``|``). -## -## s: The string of the FTP EPRT command, e.g., ``"|1|10.0.0.1|1055|"``. -## -## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` -## -## .. bro:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port -function parse_eftp_port%(s: string%): ftp_port - %{ - return parse_eftp(s->CheckString()); - %} - -## Converts the result of the FTP PASV command to an ``ftp_port``. -## -## str: The string containing the result of the FTP PASV command. -## -## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` -## -## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port -function parse_ftp_pasv%(str: string%): ftp_port - %{ - const char* s = str->CheckString(); - const char* line = strchr(s, '('); - if ( line ) - ++line; // move past '(' - else if ( (line = strstr(s, "PORT")) ) - line += 5; // Skip over - else if ( (line = strchr(s, ',')) ) - { // Look for comma-separated list. - while ( --line >= s && isdigit(*line) ) - ; // Back up over preceding digits. 
- ++line; // now points to first digit, or beginning of s - } - - return parse_port(line); - %} - -## Converts the result of the FTP EPSV command to an ``ftp_port``. -## See `RFC 2428 `_. -## The format is `` ()``, where ```` is a -## delimiter in the ASCII range 33-126 (usually ``|``). -## -## str: The string containing the result of the FTP EPSV command. -## -## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` -## -## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port -function parse_ftp_epsv%(str: string%): ftp_port - %{ - const char* s = str->CheckString(); - const char* line = strchr(s, '('); - if ( line ) - ++line; // move past '(' - return parse_eftp(line); - %} - -## Formats an IP address and TCP port as an FTP PORT command. For example, -## ``10.0.0.1`` and ``1055/tcp`` yields ``"10,0,0,1,4,31"``. -## -## a: The IP address. -## -## p: The TCP port. -## -## Returns: The FTP PORT string. -## -## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv -function fmt_ftp_port%(a: addr, p: port%): string - %{ - const uint32* addr; - int len = a->AsAddr().GetBytes(&addr); - if ( len == 1 ) - { - uint32 a = ntohl(addr[0]); - uint32 pn = p->Port(); - return new StringVal(fmt("%d,%d,%d,%d,%d,%d", - a >> 24, (a >> 16) & 0xff, - (a >> 8) & 0xff, a & 0xff, - pn >> 8, pn & 0xff)); - } - else - { - builtin_error("conversion of non-IPv4 address in fmt_ftp_port", - @ARG@[0]); - return new StringVal(""); - } - %} - -## Decode a NetBIOS name. See http://support.microsoft.com/kb/194203. -## -## name: The encoded NetBIOS name, e.g., ``"FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"``. -## -## Returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAME"``. -## -## .. bro:see:: decode_netbios_name_type -function decode_netbios_name%(name: string%): string - %{ - char buf[16]; - char result[16]; - const u_char* s = name->Bytes(); - int i, j; - - for ( i = 0, j = 0; i < 16; ++i ) - { - char c0 = (j < name->Len()) ? 
toupper(s[j++]) : 'A'; - char c1 = (j < name->Len()) ? toupper(s[j++]) : 'A'; - buf[i] = ((c0 - 'A') << 4) + (c1 - 'A'); - } - - for ( i = 0; i < 15; ++i ) - { - if ( isalnum(buf[i]) || ispunct(buf[i]) || - // \x01\x02 is seen in at least one case as the first two bytes. - // I think that any \x01 and \x02 should always be passed through. - buf[i] < 3 ) - result[i] = buf[i]; - else - break; - } - - return new StringVal(i, result); - %} - -## Converts a NetBIOS name type to its corresponding numeric value. -## See http://support.microsoft.com/kb/163409. -## -## name: The NetBIOS name type. -## -## Returns: The numeric value of *name*. -## -## .. bro:see:: decode_netbios_name -function decode_netbios_name_type%(name: string%): count - %{ - const u_char* s = name->Bytes(); - char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A'); - return new Val(return_val, TYPE_COUNT); - %} - ## Converts a string of bytes into its hexadecimal representation. ## For example, ``"04"`` would be converted to ``"3034"``. ## 
@@ -3789,138 +3501,6 @@ function lookup_asn%(a: addr%) : count return new Val(0, TYPE_COUNT); %} -%%{ -#include -#include -#include - -// This is the indexed map of X509 certificate stores. -static map x509_stores; - -// ### NOTE: while d2i_X509 does not take a const u_char** pointer, -// here we assume d2i_X509 does not write to , so it is safe to -// convert data to a non-const pointer. Could some X509 guru verify -// this? - -X509* d2i_X509_(X509** px, const u_char** in, int len) - { -#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR - return d2i_X509(px, in, len); -#else - return d2i_X509(px, (u_char**)in, len); -#endif - } - -%%} - - -## Verifies a certificate. -## -## der_cert: The X.509 certificate in DER format. -## -## cert_stack: Specifies a certificate chain to validate against, with index 0 -## typically being the root CA. Bro uses the Mozilla root CA list -## by default. -## -## root_certs: A list of additional root certificates that extends -## *cert_stack*. -## -## Returns: A status code of the verification which can be converted into an -## ASCII string via :bro:id:`x509_err2str`. -## -## .. bro:see:: x509_err2str -function x509_verify%(der_cert: string, cert_stack: string_vec, root_certs: table_string_of_string%): count - %{ - X509_STORE* ctx = 0; - int i = 0; - - // If this certificate store was built previously, just reuse the old one. - if ( x509_stores.count(root_certs) > 0 ) - ctx = x509_stores[root_certs]; - - if ( ! ctx ) // lookup to see if we have this one built already! - { - ctx = X509_STORE_new(); - TableVal* root_certs2 = root_certs->AsTableVal(); - ListVal* idxs = root_certs2->ConvertToPureList(); - - // Build the validation store - for ( i = 0; i < idxs->Length(); ++i ) - { - Val* key = idxs->Index(i); - StringVal *sv = root_certs2->Lookup(key)->AsStringVal(); - const uint8* data = sv->Bytes(); - X509* x = d2i_X509_(NULL, &data, sv->Len()); - if ( ! 
x ) - { - builtin_error(fmt("Root CA error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); - return new Val((uint64) ERR_get_error(), TYPE_COUNT); - } - X509_STORE_add_cert(ctx, x); - } - delete idxs; - - // Save the newly constructed certificate store into the cacheing map. - x509_stores[root_certs] = ctx; - } - - const uint8 *cert_data = der_cert->Bytes(); - X509* cert = d2i_X509_(NULL, &cert_data, der_cert->Len()); - if ( ! cert ) - { - builtin_error(fmt("Certificate error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); - return new Val((uint64) ERR_get_error(), TYPE_COUNT); - } - - STACK_OF(X509)* untrusted_certs = sk_X509_new_null(); - if ( ! untrusted_certs ) - { - builtin_error(fmt("Untrusted certificate stack initialization error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); - return new Val((uint64) ERR_get_error(), TYPE_COUNT); - } - - VectorVal *cert_stack_vec = cert_stack->AsVectorVal(); - for ( i = 0; i < (int) cert_stack_vec->Size(); ++i ) - { - StringVal *sv = cert_stack_vec->Lookup(i)->AsStringVal(); - const uint8 *data = sv->Bytes(); - X509* x = d2i_X509_(NULL, &data, sv->Len()); - if ( ! x ) - { - X509_free(cert); - sk_X509_pop_free(untrusted_certs, X509_free); - builtin_error(fmt("Untrusted certificate stack creation error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); - return new Val((uint64) ERR_get_error(), TYPE_COUNT); - } - sk_X509_push(untrusted_certs, x); - } - - X509_STORE_CTX csc; - X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs); - X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time); - - int result = X509_verify_cert(&csc); - X509_STORE_CTX_cleanup(&csc); - - if ( untrusted_certs ) - sk_X509_pop_free(untrusted_certs, X509_free); - X509_free(cert); - - return new Val((uint64) csc.error, TYPE_COUNT); - %} - -## Converts a certificate verification error code into an ASCII string. -## -## err_num: The error code. -## -## Returns: A string representation of *err_num*. -## -## .. 
bro:see:: x509_verify
-function x509_err2str%(err_num: count%): string
- %{
- return new StringVal(X509_verify_cert_error_string(err_num));
- %}
-
 ## Converts UNIX file permissions given by a mode to an ASCII string.
 ##
 ## mode: The permissions (an octal number like 0644 converted to decimal).
@@ -4108,81 +3688,6 @@ function set_record_packets%(cid: conn_id, do_record: bool%): bool return new Val(1, TYPE_BOOL); %} -## Associates a file handle with a connection for writing TCP byte stream -## contents. -## -## cid: The connection ID. -## -## direction: Controls what sides of the connection to record. The argument can -## take one of the four values: -## -## - ``CONTENTS_NONE``: Stop recording the connection's content. -## - ``CONTENTS_ORIG``: Record the data sent by the connection -## originator (often the client). -## - ``CONTENTS_RESP``: Record the data sent by the connection -## responder (often the server). -## - ``CONTENTS_BOTH``: Record the data sent in both directions. -## Results in the two directions being -## intermixed in the file, in the order the -## data was seen by Bro. -## -## f: The file handle of the file to write the contents to. -## -## Returns: Returns false if *cid* does not point to an active connection, and -## true otherwise. -## -## .. note:: -## -## The data recorded to the file reflects the byte stream, not the -## contents of individual packets. Reordering and duplicates are -## removed. If any data is missing, the recording stops at the -## missing data; this can happen, e.g., due to an -## :bro:id:`ack_above_hole` event. -## -## .. bro:see:: get_contents_file set_record_packets -function set_contents_file%(cid: conn_id, direction: count, f: file%): bool - %{ - Connection* c = sessions->FindConnection(cid); - if ( ! c ) - return new Val(0, TYPE_BOOL); - - c->GetRootAnalyzer()->SetContentsFile(direction, f); - return new Val(1, TYPE_BOOL); - %} - -## Returns the file handle of the contents file of a connection. -## -## cid: The connection ID. -## -## direction: Controls what sides of the connection to record. See -## :bro:id:`set_contents_file` for possible values. -## -## Returns: The :bro:type:`file` handle for the contents file of the -## connection identified by *cid*. 
If the connection exists -## but there is no contents file for *direction*, then the function -## generates an error and returns a file handle to ``stderr``. -## -## .. bro:see:: set_contents_file set_record_packets -function get_contents_file%(cid: conn_id, direction: count%): file - %{ - Connection* c = sessions->FindConnection(cid); - BroFile* f = c ? c->GetRootAnalyzer()->GetContentsFile(direction) : 0; - - if ( f ) - { - Ref(f); - return new Val(f); - } - - // Return some sort of error value. - if ( ! c ) - builtin_error("unknown connection id in get_contents_file()", cid); - else - builtin_error("no contents file for given direction"); - - return new Val(new BroFile(stderr, "-", "w")); - %} - ## Sets an individual inactivity timeout for a connection and thus ## overrides the global inactivity timeout. ## 
@@ -4203,145 +3708,6 @@ function set_inactivity_timeout%(cid: conn_id, t: interval%): interval return new Val(old_timeout, TYPE_INTERVAL); %} -## Returns the state of the given login (Telnet or Rlogin) connection. -## -## cid: The connection ID. -## -## Returns: False if the connection is not active or is not tagged as a -## login analyzer. Otherwise the function returns the state, which can -## be one of: -## -## - ``LOGIN_STATE_AUTHENTICATE``: The connection is in its -## initial authentication dialog. -## - ``LOGIN_STATE_LOGGED_IN``: The analyzer believes the user has -## successfully authenticated. -## - ``LOGIN_STATE_SKIP``: The analyzer has skipped any further -## processing of the connection. -## - ``LOGIN_STATE_CONFUSED``: The analyzer has concluded that it -## does not correctly know the state of the connection, and/or -## the username associated with it. -## -## .. bro:see:: set_login_state -function get_login_state%(cid: conn_id%): count - %{ - Connection* c = sessions->FindConnection(cid); - if ( ! c ) - return new Val(0, TYPE_BOOL); - - analyzer::Analyzer* la = c->FindAnalyzer("Login"); - if ( ! la ) - return new Val(0, TYPE_BOOL); - - return new Val(int(static_cast(la)->LoginState()), - TYPE_COUNT); - %} - -## Sets the login state of a connection with a login analyzer. -## -## cid: The connection ID. -## -## new_state: The new state of the login analyzer. See -## :bro:id:`get_login_state` for possible values. -## -## Returns: Returns false if *cid* is not an active connection -## or is not tagged as a login analyzer, and true otherwise. -## -## .. bro:see:: get_login_state -function set_login_state%(cid: conn_id, new_state: count%): bool - %{ - Connection* c = sessions->FindConnection(cid); - if ( ! c ) - return new Val(0, TYPE_BOOL); - - analyzer::Analyzer* la = c->FindAnalyzer("Login"); - if ( ! 
la ) - return new Val(0, TYPE_BOOL); - - static_cast(la)->SetLoginState(analyzer::login::login_state(new_state)); - return new Val(1, TYPE_BOOL); - %} - -%%{ -#include "analyzer/protocols/tcp/TCP.h" -%%} - -## Get the originator sequence number of a TCP connection. Sequence numbers -## are absolute (i.e., they reflect the values seen directly in packet headers; -## they are not relative to the beginning of the connection). -## -## cid: The connection ID. -## -## Returns: The highest sequence number sent by a connection's originator, or 0 -## if *cid* does not point to an active TCP connection. -## -## .. bro:see:: get_resp_seq -function get_orig_seq%(cid: conn_id%): count - %{ - Connection* c = sessions->FindConnection(cid); - if ( ! c ) - return new Val(0, TYPE_COUNT); - - if ( c->ConnTransport() != TRANSPORT_TCP ) - return new Val(0, TYPE_COUNT); - - analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); - if ( tc ) - return new Val(static_cast(tc)->OrigSeq(), - TYPE_COUNT); - else - { - reporter->Error("connection does not have TCP analyzer"); - return new Val(0, TYPE_COUNT); - } - %} - -## Get the responder sequence number of a TCP connection. Sequence numbers -## are absolute (i.e., they reflect the values seen directly in packet headers; -## they are not relative to the beginning of the connection). -## -## cid: The connection ID. -## -## Returns: The highest sequence number sent by a connection's responder, or 0 -## if *cid* does not point to an active TCP connection. -## -## .. bro:see:: get_orig_seq -function get_resp_seq%(cid: conn_id%): count - %{ - Connection* c = sessions->FindConnection(cid); - if ( ! 
c ) - return new Val(0, TYPE_COUNT); - - if ( c->ConnTransport() != TRANSPORT_TCP ) - return new Val(0, TYPE_COUNT); - - analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); - if ( tc ) - return new Val(static_cast(tc)->RespSeq(), - TYPE_COUNT); - else - { - reporter->Error("connection does not have TCP analyzer"); - return new Val(0, TYPE_COUNT); - } - %} - -%%{ -#include "analyzer/protocols/smtp/SMTP.h" -%%} - -## Skips SMTP data until the next email in a connection. -## -## c: The SMTP connection. -## -## .. bro:see:: skip_http_entity_data -function skip_smtp_data%(c: connection%): any - %{ - analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); - if ( sa ) - static_cast(sa)->SkipData(); - return 0; - %} - # =========================================================================== # # Files and Directories From d8259b34ddd1713d9cf691dc22efa8cabae71471 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 19 Apr 2013 15:38:08 -0700 Subject: [PATCH 040/200] Unifying *.h guards. --- src/analyzer/protocols/TODO | 1 - src/analyzer/protocols/arp/ARP.h | 4 ++-- src/analyzer/protocols/ayiya/AYIYA.h | 4 ++-- src/analyzer/protocols/backdoor/BackDoor.h | 4 ++-- src/analyzer/protocols/bittorrent/BitTorrent.h | 4 ++-- src/analyzer/protocols/bittorrent/BitTorrentTracker.h | 4 ++-- src/analyzer/protocols/conn-size/ConnSize.h | 4 ++-- src/analyzer/protocols/dce-rpc/DCE_RPC.h | 6 +++--- src/analyzer/protocols/dhcp/DHCP.h | 4 ++-- src/analyzer/protocols/dns/DNS.h | 4 ++-- src/analyzer/protocols/file/File.h | 4 ++-- src/analyzer/protocols/finger/Finger.h | 4 ++-- src/analyzer/protocols/ftp/FTP.h | 4 ++-- src/analyzer/protocols/gnutella/Gnutella.h | 4 ++-- src/analyzer/protocols/gtpv1/GTPv1.h | 4 ++-- src/analyzer/protocols/http/HTTP.h | 4 ++-- src/analyzer/protocols/icmp/ICMP.h | 4 ++-- src/analyzer/protocols/ident/Ident.h | 4 ++-- src/analyzer/protocols/interconn/InterConn.h | 4 ++-- src/analyzer/protocols/irc/IRC.h | 4 ++-- src/analyzer/protocols/login/Login.h | 4 ++-- src/analyzer/protocols/login/NVT.h | 4 ++-- src/analyzer/protocols/login/RSH.h | 4 ++-- src/analyzer/protocols/login/Rlogin.h | 4 ++-- src/analyzer/protocols/login/Telnet.h | 4 ++-- src/analyzer/protocols/mime/MIME.h | 4 ++-- src/analyzer/protocols/modbus/Modbus.h | 4 ++-- src/analyzer/protocols/ncp/NCP.h | 6 +++--- src/analyzer/protocols/netbios-ssn/NetbiosSSN.h | 4 ++-- src/analyzer/protocols/ntp/NTP.h | 4 ++-- src/analyzer/protocols/pia/PIA.h | 4 ++-- src/analyzer/protocols/pop3/POP3.h | 4 ++-- src/analyzer/protocols/rpc/NFS.h | 4 ++-- src/analyzer/protocols/rpc/Portmap.h | 4 ++-- src/analyzer/protocols/rpc/RPC.h | 4 ++-- src/analyzer/protocols/rpc/XDR.h | 4 ++-- src/analyzer/protocols/smb/SMB.h | 4 ++-- src/analyzer/protocols/smtp/SMTP.h | 4 ++-- src/analyzer/protocols/socks/SOCKS.h | 4 ++-- src/analyzer/protocols/ssh/SSH.h | 4 ++-- src/analyzer/protocols/ssl/SSL.h | 4 ++-- 
src/analyzer/protocols/stepping-stone/SteppingStone.h | 4 ++-- src/analyzer/protocols/syslog/Syslog.h | 4 ++-- src/analyzer/protocols/tcp/ContentLine.h | 4 ++-- src/analyzer/protocols/tcp/Stats.h | 4 ++-- src/analyzer/protocols/tcp/TCP.h | 4 ++-- src/analyzer/protocols/tcp/TCP_Endpoint.h | 4 ++-- src/analyzer/protocols/tcp/TCP_Reassembler.h | 4 ++-- src/analyzer/protocols/teredo/Teredo.h | 4 ++-- src/analyzer/protocols/udp/UDP.h | 4 ++-- src/analyzer/protocols/zip/ZIP.h | 4 ++-- 51 files changed, 102 insertions(+), 103 deletions(-)
diff --git a/src/analyzer/protocols/TODO b/src/analyzer/protocols/TODO
index 41a4d579bc..61a17a95c9 100644
--- a/src/analyzer/protocols/TODO
+++ b/src/analyzer/protocols/TODO
@@ -1,5 +1,4 @@ -- add functions.bif where needed - update *.h guards - cleanup analyzer descriptions - can now lower-case the analyzer name in plugin
diff --git a/src/analyzer/protocols/arp/ARP.h b/src/analyzer/protocols/arp/ARP.h
index ee01669e92..f09dc6c398 100644
--- a/src/analyzer/protocols/arp/ARP.h
+++ b/src/analyzer/protocols/arp/ARP.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef arp_h
-#define arp_h
+#ifndef ANALYZER_PROTOCOL_ARP_ARP_H
+#define ANALYZER_PROTOCOL_ARP_ARP_H
 #include "config.h"
 #include
diff --git a/src/analyzer/protocols/ayiya/AYIYA.h b/src/analyzer/protocols/ayiya/AYIYA.h
index 2995131be5..f5bb379cf4 100644
--- a/src/analyzer/protocols/ayiya/AYIYA.h
+++ b/src/analyzer/protocols/ayiya/AYIYA.h
@@ -1,5 +1,5 @@
-#ifndef AYIYA_h
-#define AYIYA_h
+#ifndef ANALYZER_PROTOCOL_AYIYA_AYIYA_H
+#define ANALYZER_PROTOCOL_AYIYA_AYIYA_H
 #include "ayiya_pac.h"
diff --git a/src/analyzer/protocols/backdoor/BackDoor.h b/src/analyzer/protocols/backdoor/BackDoor.h
index bab981cf89..36c8430c34 100644
--- a/src/analyzer/protocols/backdoor/BackDoor.h
+++ b/src/analyzer/protocols/backdoor/BackDoor.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef backdoor_h
-#define backdoor_h
+#ifndef ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H
+#define ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H
 #include "analyzer/protocols/tcp/TCP.h"
 #include "Timer.h"
diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.h b/src/analyzer/protocols/bittorrent/BitTorrent.h
index 7812261f04..4065b45648 100644
--- a/src/analyzer/protocols/bittorrent/BitTorrent.h
+++ b/src/analyzer/protocols/bittorrent/BitTorrent.h
@@ -1,7 +1,7 @@
 // This code contributed by Nadi Sarrar.
-#ifndef bittorrent_h
-#define bittorrent_h
+#ifndef ANALYZER_PROTOCOL_BITTORRENT_BITTORRENT_H
+#define ANALYZER_PROTOCOL_BITTORRENT_BITTORRENT_H
 #include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h
index 8db92c6af7..572a8d2093 100644
--- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h
+++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h
@@ -1,7 +1,7 @@
 // This code contributed by Nadi Sarrar.
-#ifndef bittorrenttracker_h
-#define bittorrenttracker_h
+#ifndef ANALYZER_PROTOCOL_BITTORRENT_BITTORRENTTRACKER_H
+#define ANALYZER_PROTOCOL_BITTORRENT_BITTORRENTTRACKER_H
 #include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/analyzer/protocols/conn-size/ConnSize.h b/src/analyzer/protocols/conn-size/ConnSize.h
index 567895a9f5..25f096dd32 100644
--- a/src/analyzer/protocols/conn-size/ConnSize.h
+++ b/src/analyzer/protocols/conn-size/ConnSize.h
@@ -1,8 +1,8 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 //
-#ifndef CONNSTATS_H
-#define CONNSTATS_H
+#ifndef ANALYZER_PROTOCOL_CONN_SIZE_CONNSIZE_H
+#define ANALYZER_PROTOCOL_CONN_SIZE_CONNSIZE_H
 #include "analyzer/Analyzer.h"
 #include "NetVar.h"
diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.h b/src/analyzer/protocols/dce-rpc/DCE_RPC.h
index fabd68912e..ff85e16ee1 100644
--- a/src/analyzer/protocols/dce-rpc/DCE_RPC.h
+++ b/src/analyzer/protocols/dce-rpc/DCE_RPC.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef dce_rpc_h
-#define dce_rpc_h
+#ifndef ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_H
+#define ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_H
 // NOTE: This is a somewhat crude analyzer for DCE/RPC (used on Microsoft
 // Windows systems) and shouldn't be considered as stable.
@@ -88,7 +88,7 @@ enum DCE_RPC_PTYPE {
 };
 */
-#define DCE_RPC_HEADER_LENGTH 16
+#define ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_HEADER_LENGTH 16
 class DCE_RPC_Header {
 public:
diff --git a/src/analyzer/protocols/dhcp/DHCP.h b/src/analyzer/protocols/dhcp/DHCP.h
index 189e04ecab..207651d7c1 100644
--- a/src/analyzer/protocols/dhcp/DHCP.h
+++ b/src/analyzer/protocols/dhcp/DHCP.h
@@ -1,5 +1,5 @@
-#ifndef dhcp_binpac_h
-#define dhcp_binpac_h
+#ifndef ANALYZER_PROTOCOL_DHCP_DHCP_H
+#define ANALYZER_PROTOCOL_DHCP_DHCP_H
 #include "analyzer/protocols/udp/UDP.h"
diff --git a/src/analyzer/protocols/dns/DNS.h b/src/analyzer/protocols/dns/DNS.h
index fc19fe82b3..9c7874400d 100644
--- a/src/analyzer/protocols/dns/DNS.h
+++ b/src/analyzer/protocols/dns/DNS.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef dns_h
-#define dns_h
+#ifndef ANALYZER_PROTOCOL_DNS_DNS_H
+#define ANALYZER_PROTOCOL_DNS_DNS_H
 #include "analyzer/protocols/tcp/TCP.h"
 #include "binpac_bro.h"
diff --git a/src/analyzer/protocols/file/File.h b/src/analyzer/protocols/file/File.h
index ae6a815378..368fe22dae 100644
--- a/src/analyzer/protocols/file/File.h
+++ b/src/analyzer/protocols/file/File.h
@@ -1,7 +1,7 @@
 // Analyzer for connections that transfer binary data.
-#ifndef FILEANALYZER_H
-#define FILEANALYZER_H
+#ifndef ANALYZER_PROTOCOL_FILE_FILE_H
+#define ANALYZER_PROTOCOL_FILE_FILE_H
 #include "analyzer/protocols/tcp/TCP.h"
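Review bot: The `@@ -88,7 +88,7 @@` hunk renames `DCE_RPC_HEADER_LENGTH` to `ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_HEADER_LENGTH`, but that macro is a wire-format size constant, not an include guard, so the guard unification has reached past its target; the same happens to `NCP_TCPIP_HEADER_LENGTH` in the NCP.h hunk, where the new name also drops the `TCPIP` qualifier. The diffstat lists only headers and the TODO, so unless the two constants have no users outside their headers (which I cannot confirm from here), any translation unit still referring to the old names will fail to compile. Keeping the original lines `#define DCE_RPC_HEADER_LENGTH 16` and `#define NCP_TCPIP_HEADER_LENGTH 8` limits the commit to guards as its title states.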
diff --git a/src/analyzer/protocols/finger/Finger.h b/src/analyzer/protocols/finger/Finger.h
index d80549bb4c..5624030f80 100644
--- a/src/analyzer/protocols/finger/Finger.h
+++ b/src/analyzer/protocols/finger/Finger.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef finger_h
-#define finger_h
+#ifndef ANALYZER_PROTOCOL_FINGER_FINGER_H
+#define ANALYZER_PROTOCOL_FINGER_FINGER_H
 #include "analyzer/protocols/tcp/TCP.h"
 #include "analyzer/protocols/tcp/ContentLine.h"
diff --git a/src/analyzer/protocols/ftp/FTP.h b/src/analyzer/protocols/ftp/FTP.h
index 9ebf38b2f7..577082644a 100644
--- a/src/analyzer/protocols/ftp/FTP.h
+++ b/src/analyzer/protocols/ftp/FTP.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef ftp_h
-#define ftp_h
+#ifndef ANALYZER_PROTOCOL_FTP_FTP_H
+#define ANALYZER_PROTOCOL_FTP_FTP_H
 #include "analyzer/protocols/login/NVT.h"
 #include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/analyzer/protocols/gnutella/Gnutella.h b/src/analyzer/protocols/gnutella/Gnutella.h
index 3a6e51d0c4..d67d319c4e 100644
--- a/src/analyzer/protocols/gnutella/Gnutella.h
+++ b/src/analyzer/protocols/gnutella/Gnutella.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef gnutella_h
-#define gnutella_h
+#ifndef ANALYZER_PROTOCOL_GNUTELLA_GNUTELLA_H
+#define ANALYZER_PROTOCOL_GNUTELLA_GNUTELLA_H
 #include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/analyzer/protocols/gtpv1/GTPv1.h b/src/analyzer/protocols/gtpv1/GTPv1.h
index 3fb7634534..b58405ea7f 100644
--- a/src/analyzer/protocols/gtpv1/GTPv1.h
+++ b/src/analyzer/protocols/gtpv1/GTPv1.h
@@ -1,5 +1,5 @@
-#ifndef GTPv1_h
-#define GTPv1_h
+#ifndef ANALYZER_PROTOCOL_GTPV1_GTPV1_H
+#define ANALYZER_PROTOCOL_GTPV1_GTPV1_H
 #include "gtpv1_pac.h"
diff --git a/src/analyzer/protocols/http/HTTP.h b/src/analyzer/protocols/http/HTTP.h
index 49235ae173..cb53e30c9a 100644
--- a/src/analyzer/protocols/http/HTTP.h
+++ b/src/analyzer/protocols/http/HTTP.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef http_h
-#define http_h
+#ifndef ANALYZER_PROTOCOL_HTTP_HTTP_H
+#define ANALYZER_PROTOCOL_HTTP_HTTP_H
 #include "analyzer/protocols/tcp/TCP.h"
 #include "analyzer/protocols/tcp/ContentLine.h"
diff --git a/src/analyzer/protocols/icmp/ICMP.h b/src/analyzer/protocols/icmp/ICMP.h
index 6a9ba3282c..e371f53889 100644
--- a/src/analyzer/protocols/icmp/ICMP.h
+++ b/src/analyzer/protocols/icmp/ICMP.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef icmp_h
-#define icmp_h
+#ifndef ANALYZER_PROTOCOL_ICMP_ICMP_H
+#define ANALYZER_PROTOCOL_ICMP_ICMP_H
 #include "RuleMatcher.h"
 #include "analyzer/Analyzer.h"
diff --git a/src/analyzer/protocols/ident/Ident.h b/src/analyzer/protocols/ident/Ident.h
index 473d201e65..7e1b7508c5 100644
--- a/src/analyzer/protocols/ident/Ident.h
+++ b/src/analyzer/protocols/ident/Ident.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef ident_h
-#define ident_h
+#ifndef ANALYZER_PROTOCOL_IDENT_IDENT_H
+#define ANALYZER_PROTOCOL_IDENT_IDENT_H
 #include "analyzer/protocols/tcp/TCP.h"
 #include "analyzer/protocols/tcp/ContentLine.h"
diff --git a/src/analyzer/protocols/interconn/InterConn.h b/src/analyzer/protocols/interconn/InterConn.h
index c51113c156..4faa684818 100644
--- a/src/analyzer/protocols/interconn/InterConn.h
+++ b/src/analyzer/protocols/interconn/InterConn.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef interconn_h
-#define interconn_h
+#ifndef ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H
+#define ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H
 #include "analyzer/protocols/tcp/TCP.h"
 #include "Timer.h"
diff --git a/src/analyzer/protocols/irc/IRC.h b/src/analyzer/protocols/irc/IRC.h
index d5fa3b57e5..a0f35639d3 100644
--- a/src/analyzer/protocols/irc/IRC.h
+++ b/src/analyzer/protocols/irc/IRC.h
@@ -1,7 +1,7 @@
 // An IRC analyzer contributed by Roland Gruber.
-#ifndef irc_h
-#define irc_h
+#ifndef ANALYZER_PROTOCOL_IRC_IRC_H
+#define ANALYZER_PROTOCOL_IRC_IRC_H
 #include "analyzer/protocols/tcp/TCP.h"
 namespace analyzer { namespace irc {
diff --git a/src/analyzer/protocols/login/Login.h b/src/analyzer/protocols/login/Login.h
index 55d12c80da..3d41ad94c3 100644
--- a/src/analyzer/protocols/login/Login.h
+++ b/src/analyzer/protocols/login/Login.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef login_h
-#define login_h
+#ifndef ANALYZER_PROTOCOL_LOGIN_LOGIN_H
+#define ANALYZER_PROTOCOL_LOGIN_LOGIN_H
 #include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/analyzer/protocols/login/NVT.h b/src/analyzer/protocols/login/NVT.h
index dea4c90ad5..9fb85c8823 100644
--- a/src/analyzer/protocols/login/NVT.h
+++ b/src/analyzer/protocols/login/NVT.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef nvt_h
-#define nvt_h
+#ifndef ANALYZER_PROTOCOL_LOGIN_NVT_H
+#define ANALYZER_PROTOCOL_LOGIN_NVT_H
 #include "analyzer/protocols/tcp/ContentLine.h"
diff --git a/src/analyzer/protocols/login/RSH.h b/src/analyzer/protocols/login/RSH.h
index 2738060a9f..c2d19c8958 100644
--- a/src/analyzer/protocols/login/RSH.h
+++ b/src/analyzer/protocols/login/RSH.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef rsh_h
-#define rsh_h
+#ifndef ANALYZER_PROTOCOL_LOGIN_RSH_H
+#define ANALYZER_PROTOCOL_LOGIN_RSH_H
 #include "Login.h"
 #include "analyzer/protocols/tcp/ContentLine.h"
diff --git a/src/analyzer/protocols/login/Rlogin.h b/src/analyzer/protocols/login/Rlogin.h
index c4cdfd7516..3efdfa8107 100644
--- a/src/analyzer/protocols/login/Rlogin.h
+++ b/src/analyzer/protocols/login/Rlogin.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef rlogin_h
-#define rlogin_h
+#ifndef ANALYZER_PROTOCOL_LOGIN_RLOGIN_H
+#define ANALYZER_PROTOCOL_LOGIN_RLOGIN_H
 #include "Login.h"
 #include "analyzer/protocols/tcp/ContentLine.h"
diff --git a/src/analyzer/protocols/login/Telnet.h b/src/analyzer/protocols/login/Telnet.h
index a13fe230af..332281013c 100644
--- a/src/analyzer/protocols/login/Telnet.h
+++ b/src/analyzer/protocols/login/Telnet.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef telnet_h
-#define telnet_h
+#ifndef ANALYZER_PROTOCOL_LOGIN_TELNET_H
+#define ANALYZER_PROTOCOL_LOGIN_TELNET_H
 #include "Login.h"
diff --git a/src/analyzer/protocols/mime/MIME.h b/src/analyzer/protocols/mime/MIME.h
index d6ef2b5375..10d4da3fd1 100644
--- a/src/analyzer/protocols/mime/MIME.h
+++ b/src/analyzer/protocols/mime/MIME.h
@@ -1,5 +1,5 @@
-#ifndef mime_h
-#define mime_h
+#ifndef ANALYZER_PROTOCOL_MIME_MIME_H
+#define ANALYZER_PROTOCOL_MIME_MIME_H
 #include
 #include
diff --git a/src/analyzer/protocols/modbus/Modbus.h b/src/analyzer/protocols/modbus/Modbus.h
index 063014cf2b..9ecd952e2e 100644
--- a/src/analyzer/protocols/modbus/Modbus.h
+++ b/src/analyzer/protocols/modbus/Modbus.h
@@ -1,5 +1,5 @@
-#ifndef MODBUS_H
-#define MODBUS_H
+#ifndef ANALYZER_PROTOCOL_MODBUS_MODBUS_H
+#define ANALYZER_PROTOCOL_MODBUS_MODBUS_H
 #include "analyzer/protocols/tcp/TCP.h"
 #include "modbus_pac.h"
diff --git a/src/analyzer/protocols/ncp/NCP.h b/src/analyzer/protocols/ncp/NCP.h
index 0ab73707fb..aa667657ca 100644
--- a/src/analyzer/protocols/ncp/NCP.h
+++ b/src/analyzer/protocols/ncp/NCP.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef ncp_h
-#define ncp_h
+#ifndef ANALYZER_PROTOCOL_NCP_NCP_H
+#define ANALYZER_PROTOCOL_NCP_NCP_H
 // A very crude analyzer for NCP (Netware Core Protocol)
 //
@@ -73,7 +73,7 @@ protected:
 int buf_len; // size off msg_buf
 };
-#define NCP_TCPIP_HEADER_LENGTH 8
+#define ANALYZER_PROTOCOL_NCP_NCP_HEADER_LENGTH 8
 class NCP_FrameBuffer : public FrameBuffer {
 public:
diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h
index df065c4348..5908250669 100644
--- a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h
+++ b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef netbios_ssn_h
-#define netbios_ssn_h
+#ifndef ANALYZER_PROTOCOL_NETBIOS_SSN_NETBIOSSSN_H
+#define ANALYZER_PROTOCOL_NETBIOS_SSN_NETBIOSSSN_H
 #include "analyzer/protocols/udp/UDP.h"
 #include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/analyzer/protocols/ntp/NTP.h b/src/analyzer/protocols/ntp/NTP.h
index 2c989da4d1..25cc9bad43 100644
--- a/src/analyzer/protocols/ntp/NTP.h
+++ b/src/analyzer/protocols/ntp/NTP.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef ntp_h
-#define ntp_h
+#ifndef ANALYZER_PROTOCOL_NTP_NTP_H
+#define ANALYZER_PROTOCOL_NTP_NTP_H
 #include "analyzer/protocols/udp/UDP.h"
diff --git a/src/analyzer/protocols/pia/PIA.h b/src/analyzer/protocols/pia/PIA.h
index 1d788d39a6..a117a60978 100644
--- a/src/analyzer/protocols/pia/PIA.h
+++ b/src/analyzer/protocols/pia/PIA.h
@@ -1,7 +1,7 @@
 // An analyzer for application-layer protocol-detection.
-#ifndef PIA_H
-#define PIA_H
+#ifndef ANALYZER_PROTOCOL_PIA_PIA_H
+#define ANALYZER_PROTOCOL_PIA_PIA_H
 #include "analyzer/Analyzer.h"
 #include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/analyzer/protocols/pop3/POP3.h b/src/analyzer/protocols/pop3/POP3.h
index 37620c0024..bd882f480b 100644
--- a/src/analyzer/protocols/pop3/POP3.h
+++ b/src/analyzer/protocols/pop3/POP3.h
@@ -2,8 +2,8 @@
 //
 // An analyser for the POP3 protocol.
-#ifndef pop3_h
-#define pop3_h
+#ifndef ANALYZER_PROTOCOL_POP3_POP3_H
+#define ANALYZER_PROTOCOL_POP3_POP3_H
 #include
 #include
diff --git a/src/analyzer/protocols/rpc/NFS.h b/src/analyzer/protocols/rpc/NFS.h
index e9e978eaa2..7656450d94 100644
--- a/src/analyzer/protocols/rpc/NFS.h
+++ b/src/analyzer/protocols/rpc/NFS.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef nfs_h
-#define nfs_h
+#ifndef ANALYZER_PROTOCOL_RPC_NFS_H
+#define ANALYZER_PROTOCOL_RPC_NFS_H
 #include "RPC.h"
 #include "XDR.h"
diff --git a/src/analyzer/protocols/rpc/Portmap.h b/src/analyzer/protocols/rpc/Portmap.h
index 6aa1173f02..52d0c21a04 100644
--- a/src/analyzer/protocols/rpc/Portmap.h
+++ b/src/analyzer/protocols/rpc/Portmap.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef portmap_h
-#define portmap_h
+#ifndef ANALYZER_PROTOCOL_RPC_PORTMAP_H
+#define ANALYZER_PROTOCOL_RPC_PORTMAP_H
 #include "RPC.h"
diff --git a/src/analyzer/protocols/rpc/RPC.h b/src/analyzer/protocols/rpc/RPC.h
index 504f2eb194..0face29d50 100644
--- a/src/analyzer/protocols/rpc/RPC.h
+++ b/src/analyzer/protocols/rpc/RPC.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef rpc_h
-#define rpc_h
+#ifndef ANALYZER_PROTOCOL_RPC_RPC_H
+#define ANALYZER_PROTOCOL_RPC_RPC_H
 #include "analyzer/protocols/tcp/TCP.h"
 #include "analyzer/protocols/udp/UDP.h"
diff --git a/src/analyzer/protocols/rpc/XDR.h b/src/analyzer/protocols/rpc/XDR.h
index 2f4a7d59e4..a1be0a1e05 100644
--- a/src/analyzer/protocols/rpc/XDR.h
+++ b/src/analyzer/protocols/rpc/XDR.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef xdr_h
-#define xdr_h
+#ifndef ANALYZER_PROTOCOL_RPC_XDR_H
+#define ANALYZER_PROTOCOL_RPC_XDR_H
 #include
 #include
diff --git a/src/analyzer/protocols/smb/SMB.h b/src/analyzer/protocols/smb/SMB.h
index 0b67c96710..eed1d2e5a0 100644
--- a/src/analyzer/protocols/smb/SMB.h
+++ b/src/analyzer/protocols/smb/SMB.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef smb_h
-#define smb_h
+#ifndef ANALYZER_PROTOCOL_SMB_SMB_H
+#define ANALYZER_PROTOCOL_SMB_SMB_H
 // SMB (CIFS) analyzer.
 // Reference: http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf
diff --git a/src/analyzer/protocols/smtp/SMTP.h b/src/analyzer/protocols/smtp/SMTP.h
index 02322f09c7..c179db4ecb 100644
--- a/src/analyzer/protocols/smtp/SMTP.h
+++ b/src/analyzer/protocols/smtp/SMTP.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef smtp_h
-#define smtp_h
+#ifndef ANALYZER_PROTOCOL_SMTP_SMTP_H
+#define ANALYZER_PROTOCOL_SMTP_SMTP_H
 #include
 using namespace std;
diff --git a/src/analyzer/protocols/socks/SOCKS.h b/src/analyzer/protocols/socks/SOCKS.h
index 7aed5c02a3..424443c826 100644
--- a/src/analyzer/protocols/socks/SOCKS.h
+++ b/src/analyzer/protocols/socks/SOCKS.h
@@ -1,5 +1,5 @@
-#ifndef socks_h
-#define socks_h
+#ifndef ANALYZER_PROTOCOL_SOCKS_SOCKS_H
+#define ANALYZER_PROTOCOL_SOCKS_SOCKS_H
 // SOCKS v4 analyzer.
diff --git a/src/analyzer/protocols/ssh/SSH.h b/src/analyzer/protocols/ssh/SSH.h
index 644444136d..6587425807 100644
--- a/src/analyzer/protocols/ssh/SSH.h
+++ b/src/analyzer/protocols/ssh/SSH.h
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
-#ifndef ssh_h
-#define ssh_h
+#ifndef ANALYZER_PROTOCOL_SSH_SSH_H
+#define ANALYZER_PROTOCOL_SSH_SSH_H
 #include "analyzer/protocols/tcp/TCP.h"
 #include "analyzer/protocols/tcp/ContentLine.h"
diff --git a/src/analyzer/protocols/ssl/SSL.h b/src/analyzer/protocols/ssl/SSL.h
index b8d6f20db1..f1323566af 100644
--- a/src/analyzer/protocols/ssl/SSL.h
+++ b/src/analyzer/protocols/ssl/SSL.h
@@ -1,5 +1,5 @@
-#ifndef ssl_h
-#define ssl_h
+#ifndef ANALYZER_PROTOCOL_SSL_SSL_H
+#define ANALYZER_PROTOCOL_SSL_SSL_H
#include "events.bif.h"
diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.h b/src/analyzer/protocols/stepping-stone/SteppingStone.h
index f818a0ee70..212899f32c 100644
--- a/src/analyzer/protocols/stepping-stone/SteppingStone.h
+++ b/src/analyzer/protocols/stepping-stone/SteppingStone.h
@@ -1,7 +1,7 @@
// See the file "COPYING" in the main distribution directory for copyright.
-#ifndef steppingstone_h
-#define steppingstone_h
+#ifndef ANALYZER_PROTOCOL_STEPPING_STONE_STEPPINGSTONE_H
+#define ANALYZER_PROTOCOL_STEPPING_STONE_STEPPINGSTONE_H
#include "Queue.h"
#include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/analyzer/protocols/syslog/Syslog.h b/src/analyzer/protocols/syslog/Syslog.h
index 391c5115b3..fd929a478e 100644
--- a/src/analyzer/protocols/syslog/Syslog.h
+++ b/src/analyzer/protocols/syslog/Syslog.h
@@ -1,6 +1,6 @@
-#ifndef Syslog_h
-#define Syslog_h
+#ifndef ANALYZER_PROTOCOL_SYSLOG_SYSLOG_H
+#define ANALYZER_PROTOCOL_SYSLOG_SYSLOG_H
#include "analyzer/protocols/udp/UDP.h"
#include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/analyzer/protocols/tcp/ContentLine.h b/src/analyzer/protocols/tcp/ContentLine.h
index ca48393cb4..f5d3ef8211 100644
--- a/src/analyzer/protocols/tcp/ContentLine.h
+++ b/src/analyzer/protocols/tcp/ContentLine.h
@@ -1,7 +1,7 @@
// Support-analyzer to split a reassembled stream into lines.
-#ifndef CONTENTLINE_H
-#define CONTENTLINE_H
+#ifndef ANALYZER_PROTOCOL_TCP_CONTENTLINE_H
+#define ANALYZER_PROTOCOL_TCP_CONTENTLINE_H
#include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/analyzer/protocols/tcp/Stats.h b/src/analyzer/protocols/tcp/Stats.h
index 42c03ab321..721d898d95 100644
--- a/src/analyzer/protocols/tcp/Stats.h
+++ b/src/analyzer/protocols/tcp/Stats.h
@@ -1,6 +1,6 @@
-#ifndef ANALYZER_PROTOCOLS_TCP_STATS_H
-#define ANALYZER_PROTOCOLS_TCP_STATS_H
+#ifndef ANALYZER_PROTOCOL_TCP_STATS_H
+#define ANALYZER_PROTOCOL_TCP_STATS_H
#include "TCP_Endpoint.h"
diff --git a/src/analyzer/protocols/tcp/TCP.h b/src/analyzer/protocols/tcp/TCP.h
index 6b0b9e8637..ded3cd7270 100644
--- a/src/analyzer/protocols/tcp/TCP.h
+++ b/src/analyzer/protocols/tcp/TCP.h
@@ -1,7 +1,7 @@
// See the file "COPYING" in the main distribution directory for copyright.
-#ifndef TCP_H
-#define TCP_H
+#ifndef ANALYZER_PROTOCOL_TCP_TCP_H
+#define ANALYZER_PROTOCOL_TCP_TCP_H
#include "analyzer/Analyzer.h"
#include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.h b/src/analyzer/protocols/tcp/TCP_Endpoint.h
index 6cc2fefebf..31e239225b 100644
--- a/src/analyzer/protocols/tcp/TCP_Endpoint.h
+++ b/src/analyzer/protocols/tcp/TCP_Endpoint.h
@@ -1,7 +1,7 @@
// See the file "COPYING" in the main distribution directory for copyright.
-#ifndef tcpendpoint_h
-#define tcpendpoint_h
+#ifndef ANALYZER_PROTOCOL_TCP_TCP_ENDPOINT_H
+#define ANALYZER_PROTOCOL_TCP_TCP_ENDPOINT_H
#include "IPAddr.h"
diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.h b/src/analyzer/protocols/tcp/TCP_Reassembler.h
index ab6eb97b70..8bb80a0570 100644
--- a/src/analyzer/protocols/tcp/TCP_Reassembler.h
+++ b/src/analyzer/protocols/tcp/TCP_Reassembler.h
@@ -1,5 +1,5 @@
-#ifndef TCP_REASSEMBLER_H
-#define TCP_REASSEMBLER_H
+#ifndef ANALYZER_PROTOCOL_TCP_TCP_REASSEMBLER_H
+#define ANALYZER_PROTOCOL_TCP_TCP_REASSEMBLER_H
#include "Reassem.h"
#include "TCP_Endpoint.h"
diff --git a/src/analyzer/protocols/teredo/Teredo.h b/src/analyzer/protocols/teredo/Teredo.h
index b202a6e729..0da007187d 100644
--- a/src/analyzer/protocols/teredo/Teredo.h
+++ b/src/analyzer/protocols/teredo/Teredo.h
@@ -1,5 +1,5 @@
-#ifndef Teredo_h
-#define Teredo_h
+#ifndef ANALYZER_PROTOCOL_TEREDO_TEREDO_H
+#define ANALYZER_PROTOCOL_TEREDO_TEREDO_H
#include "analyzer/Analyzer.h"
#include "NetVar.h"
diff --git a/src/analyzer/protocols/udp/UDP.h b/src/analyzer/protocols/udp/UDP.h
index b3ef3bcf2d..bcfee401b0 100644
--- a/src/analyzer/protocols/udp/UDP.h
+++ b/src/analyzer/protocols/udp/UDP.h
@@ -1,7 +1,7 @@
// See the file "COPYING" in the main distribution directory for copyright.
-#ifndef udp_h
-#define udp_h
+#ifndef ANALYZER_PROTOCOL_UDP_UDP_H
+#define ANALYZER_PROTOCOL_UDP_UDP_H
#include "analyzer/Analyzer.h"
#include
diff --git a/src/analyzer/protocols/zip/ZIP.h b/src/analyzer/protocols/zip/ZIP.h
index 7eda1e295f..7753ac2945 100644
--- a/src/analyzer/protocols/zip/ZIP.h
+++ b/src/analyzer/protocols/zip/ZIP.h
@@ -1,7 +1,7 @@
// See the file "COPYING" in the main distribution directory for copyright.
-#ifndef zip_h
-#define zip_h
+#ifndef ANALYZER_PROTOCOL_ZIP_ZIP_H
+#define ANALYZER_PROTOCOL_ZIP_ZIP_H
#include "config.h"
From f7a10d915bfb9c33fa647524a33bddee232f6b00 Mon Sep 17 00:00:00 2001
From: Robin Sommer Date: Fri, 19 Apr 2013 15:40:03 -0700 Subject: [PATCH 041/200] Renaming analyzer. --- src/analyzer/protocols/CMakeLists.txt | 2 +- .../protocols/{netbios-ssn => netbios}/CMakeLists.txt | 2 +- src/analyzer/protocols/{netbios-ssn => netbios}/NetbiosSSN.cc | 0 src/analyzer/protocols/{netbios-ssn => netbios}/NetbiosSSN.h | 0 src/analyzer/protocols/{netbios-ssn => netbios}/Plugin.cc | 4 ++-- src/analyzer/protocols/{netbios-ssn => netbios}/events.bif | 0 src/analyzer/protocols/{netbios-ssn => netbios}/functions.bif | 0 7 files changed, 4 insertions(+), 4 deletions(-) rename src/analyzer/protocols/{netbios-ssn => netbios}/CMakeLists.txt (88%) rename src/analyzer/protocols/{netbios-ssn => netbios}/NetbiosSSN.cc (100%) rename src/analyzer/protocols/{netbios-ssn => netbios}/NetbiosSSN.h (100%) rename src/analyzer/protocols/{netbios-ssn => netbios}/Plugin.cc (75%) rename src/analyzer/protocols/{netbios-ssn => netbios}/events.bif (100%) rename src/analyzer/protocols/{netbios-ssn => netbios}/functions.bif (100%)
diff --git a/src/analyzer/protocols/CMakeLists.txt b/src/analyzer/protocols/CMakeLists.txt
index 004ec72d35..a4e170f52b 100644
--- a/src/analyzer/protocols/CMakeLists.txt
+++ b/src/analyzer/protocols/CMakeLists.txt
@@ -22,7 +22,7 @@ add_subdirectory(modbus)
add_subdirectory(mime)
add_subdirectory(ncp)
add_subdirectory(netflow)
-add_subdirectory(netbios-ssn)
+add_subdirectory(netbios)
add_subdirectory(ntp)
add_subdirectory(pia)
add_subdirectory(pop3)
diff --git a/src/analyzer/protocols/netbios-ssn/CMakeLists.txt b/src/analyzer/protocols/netbios/CMakeLists.txt
similarity index 88%
rename from src/analyzer/protocols/netbios-ssn/CMakeLists.txt
rename to src/analyzer/protocols/netbios/CMakeLists.txt
index 4318fa2b34..6e7c5251a3 100644
--- a/src/analyzer/protocols/netbios-ssn/CMakeLists.txt
+++ b/src/analyzer/protocols/netbios/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(NetbiosSSN)
+bro_plugin_begin(Netbios)
bro_plugin_cc(NetbiosSSN.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_bif(functions.bif)
diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc b/src/analyzer/protocols/netbios/NetbiosSSN.cc
similarity index 100%
rename from src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc
rename to src/analyzer/protocols/netbios/NetbiosSSN.cc
diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h b/src/analyzer/protocols/netbios/NetbiosSSN.h
similarity index 100%
rename from src/analyzer/protocols/netbios-ssn/NetbiosSSN.h
rename to src/analyzer/protocols/netbios/NetbiosSSN.h
diff --git a/src/analyzer/protocols/netbios-ssn/Plugin.cc b/src/analyzer/protocols/netbios/Plugin.cc
similarity index 75%
rename from src/analyzer/protocols/netbios-ssn/Plugin.cc
rename to src/analyzer/protocols/netbios/Plugin.cc
index 66b4e82d51..7f71dbbe10 100644
--- a/src/analyzer/protocols/netbios-ssn/Plugin.cc
+++ b/src/analyzer/protocols/netbios/Plugin.cc
@@ -3,8 +3,8 @@
#include "NetbiosSSN.h"
-BRO_PLUGIN_BEGIN(NetbiosSSN)
- BRO_PLUGIN_DESCRIPTION("NetbiosSSN Analyzer");
+BRO_PLUGIN_BEGIN(Netbios)
+ BRO_PLUGIN_DESCRIPTION("Netbios Analyzer (SSN only)");
BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer);
BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN");
BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocols/netbios-ssn/events.bif b/src/analyzer/protocols/netbios/events.bif
similarity index 100%
rename from src/analyzer/protocols/netbios-ssn/events.bif
rename to src/analyzer/protocols/netbios/events.bif
diff --git a/src/analyzer/protocols/netbios-ssn/functions.bif b/src/analyzer/protocols/netbios/functions.bif
similarity index 100%
rename from src/analyzer/protocols/netbios-ssn/functions.bif
rename to src/analyzer/protocols/netbios/functions.bif
From 4bc2ba60c941d3a4f7f74a854fe3528a19d4250c Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 19 Apr 2013 15:50:57 -0700 Subject: [PATCH 042/200] Rename analyzer/protocols -> analyzer/protocol --- src/Conn.cc | 2 +- src/Func.cc | 2 +- src/RuleAction.cc | 2 +- src/RuleCondition.cc | 2 +- src/Sessions.cc | 20 +++++++++---------- src/Sessions.h | 2 +- src/analyzer/Analyzer.cc | 2 +- src/analyzer/CMakeLists.txt | 2 +- src/analyzer/Manager.cc | 16 +++++++-------- .../{protocols => protocol}/CMakeLists.txt | 0 src/analyzer/{protocols => protocol}/TODO | 2 -- .../{protocols => protocol}/arp/ARP.cc | 0 .../{protocols => protocol}/arp/ARP.h | 0 .../arp/CMakeLists.txt | 0 .../{protocols => protocol}/arp/Plugin.cc | 0 .../{protocols => protocol}/arp/events.bif | 0 .../{protocols => protocol}/ayiya/AYIYA.cc | 0 .../{protocols => protocol}/ayiya/AYIYA.h | 0 .../ayiya/CMakeLists.txt | 0 .../{protocols => protocol}/ayiya/Plugin.cc | 0 .../ayiya/ayiya-analyzer.pac | 0 .../ayiya/ayiya-protocol.pac | 0 .../{protocols => protocol}/ayiya/ayiya.pac | 0 .../{protocols => protocol}/ayiya/events.bif | 0 .../backdoor/BackDoor.cc | 2 +- .../backdoor/BackDoor.h | 4 ++-- .../backdoor/CMakeLists.txt | 0 .../backdoor/Plugin.cc | 0 .../backdoor/events.bif | 0 .../bittorrent/BitTorrent.cc | 2 +- .../bittorrent/BitTorrent.h | 2 +- .../bittorrent/BitTorrentTracker.cc | 2 +- .../bittorrent/BitTorrentTracker.h | 2 +- .../bittorrent/CMakeLists.txt | 0 .../bittorrent/Plugin.cc | 0 .../bittorrent/bittorrent-analyzer.pac | 0 .../bittorrent/bittorrent-protocol.pac | 0 .../bittorrent/bittorrent.pac | 0 .../bittorrent/events.bif | 0 .../conn-size/CMakeLists.txt | 0 .../conn-size/ConnSize.cc | 2 +- .../conn-size/ConnSize.h | 0 .../conn-size/Plugin.cc | 0 .../conn-size/events.bif | 0 .../dce-rpc/CMakeLists.txt | 0 .../dce-rpc/DCE_RPC.cc | 0 .../{protocols => protocol}/dce-rpc/DCE_RPC.h | 6 +++--- .../{protocols => protocol}/dce-rpc/Plugin.cc | 0 .../dce-rpc/dce_rpc-analyzer.pac | 0 .../dce-rpc/dce_rpc-protocol.pac | 0 .../dce-rpc/dce_rpc.pac | 0 
.../dce-rpc/dce_rpc_simple.pac | 0 .../dce-rpc/epmapper.pac | 0 .../dce-rpc/events.bif | 0 .../dhcp/CMakeLists.txt | 0 .../{protocols => protocol}/dhcp/DHCP.cc | 0 .../{protocols => protocol}/dhcp/DHCP.h | 2 +- .../{protocols => protocol}/dhcp/Plugin.cc | 0 .../dhcp/dhcp-analyzer.pac | 0 .../dhcp/dhcp-protocol.pac | 0 .../{protocols => protocol}/dhcp/dhcp.pac | 0 .../{protocols => protocol}/dhcp/events.bif | 0 .../dns/CMakeLists.txt | 0 .../{protocols => protocol}/dns/DNS.cc | 0 .../{protocols => protocol}/dns/DNS.h | 2 +- .../{protocols => protocol}/dns/Plugin.cc | 0 .../{protocols => protocol}/dns/events.bif | 0 .../file/CMakeLists.txt | 0 .../{protocols => protocol}/file/File.cc | 0 .../{protocols => protocol}/file/File.h | 2 +- .../{protocols => protocol}/file/Plugin.cc | 0 .../{protocols => protocol}/file/events.bif | 0 .../finger/CMakeLists.txt | 0 .../{protocols => protocol}/finger/Finger.cc | 2 +- .../{protocols => protocol}/finger/Finger.h | 4 ++-- .../{protocols => protocol}/finger/Plugin.cc | 0 .../{protocols => protocol}/finger/events.bif | 0 .../ftp/CMakeLists.txt | 0 .../{protocols => protocol}/ftp/FTP.cc | 2 +- .../{protocols => protocol}/ftp/FTP.h | 4 ++-- .../{protocols => protocol}/ftp/Plugin.cc | 0 .../{protocols => protocol}/ftp/events.bif | 0 .../{protocols => protocol}/ftp/functions.bif | 0 .../gnutella/CMakeLists.txt | 0 .../gnutella/Gnutella.cc | 2 +- .../gnutella/Gnutella.h | 2 +- .../gnutella/Plugin.cc | 0 .../gnutella/events.bif | 0 .../gtpv1/CMakeLists.txt | 0 .../{protocols => protocol}/gtpv1/GTPv1.cc | 0 .../{protocols => protocol}/gtpv1/GTPv1.h | 0 .../{protocols => protocol}/gtpv1/Plugin.cc | 0 .../{protocols => protocol}/gtpv1/events.bif | 0 .../gtpv1/gtpv1-analyzer.pac | 0 .../gtpv1/gtpv1-protocol.pac | 0 .../{protocols => protocol}/gtpv1/gtpv1.pac | 0 .../http/CMakeLists.txt | 0 .../{protocols => protocol}/http/HTTP.cc | 2 +- .../{protocols => protocol}/http/HTTP.h | 8 ++++---- .../{protocols => protocol}/http/Plugin.cc | 0 
.../{protocols => protocol}/http/events.bif | 0 .../http/functions.bif | 2 +- .../icmp/CMakeLists.txt | 0 .../{protocols => protocol}/icmp/ICMP.cc | 0 .../{protocols => protocol}/icmp/ICMP.h | 0 .../{protocols => protocol}/icmp/Plugin.cc | 0 .../{protocols => protocol}/icmp/events.bif | 0 .../ident/CMakeLists.txt | 0 .../{protocols => protocol}/ident/Ident.cc | 0 .../{protocols => protocol}/ident/Ident.h | 4 ++-- .../{protocols => protocol}/ident/Plugin.cc | 0 .../{protocols => protocol}/ident/events.bif | 0 .../interconn/CMakeLists.txt | 0 .../interconn/InterConn.cc | 2 +- .../interconn/InterConn.h | 2 +- .../interconn/Plugin.cc | 0 .../interconn/events.bif | 0 .../irc/CMakeLists.txt | 0 .../{protocols => protocol}/irc/IRC.cc | 4 ++-- .../{protocols => protocol}/irc/IRC.h | 2 +- .../{protocols => protocol}/irc/Plugin.cc | 0 .../{protocols => protocol}/irc/events.bif | 0 .../login/CMakeLists.txt | 0 .../{protocols => protocol}/login/Login.cc | 0 .../{protocols => protocol}/login/Login.h | 2 +- .../{protocols => protocol}/login/NVT.cc | 2 +- .../{protocols => protocol}/login/NVT.h | 2 +- .../{protocols => protocol}/login/Plugin.cc | 0 .../{protocols => protocol}/login/RSH.cc | 0 .../{protocols => protocol}/login/RSH.h | 2 +- .../{protocols => protocol}/login/Rlogin.cc | 0 .../{protocols => protocol}/login/Rlogin.h | 2 +- .../{protocols => protocol}/login/Telnet.cc | 0 .../{protocols => protocol}/login/Telnet.h | 0 .../{protocols => protocol}/login/events.bif | 0 .../login/functions.bif | 0 .../mime/CMakeLists.txt | 0 .../{protocols => protocol}/mime/MIME.cc | 0 .../{protocols => protocol}/mime/MIME.h | 0 .../{protocols => protocol}/mime/Plugin.cc | 0 .../{protocols => protocol}/mime/events.bif | 0 .../modbus/CMakeLists.txt | 0 .../{protocols => protocol}/modbus/Modbus.cc | 2 +- .../{protocols => protocol}/modbus/Modbus.h | 2 +- .../{protocols => protocol}/modbus/Plugin.cc | 0 .../{protocols => protocol}/modbus/events.bif | 0 .../modbus/modbus-analyzer.pac | 0 
.../modbus/modbus-protocol.pac | 0 .../{protocols => protocol}/modbus/modbus.pac | 0 .../ncp/CMakeLists.txt | 0 .../{protocols => protocol}/ncp/NCP.cc | 0 .../{protocols => protocol}/ncp/NCP.h | 4 ++-- .../{protocols => protocol}/ncp/NCP_func.def | 0 .../{protocols => protocol}/ncp/Plugin.cc | 0 .../{protocols => protocol}/ncp/events.bif | 0 .../{protocols => protocol}/ncp/ncp.pac | 0 .../netbios/CMakeLists.txt | 0 .../netbios/NetbiosSSN.cc | 0 .../netbios/NetbiosSSN.h | 6 +++--- .../{protocols => protocol}/netbios/Plugin.cc | 0 .../netbios/events.bif | 0 .../netbios/functions.bif | 0 .../netflow/CMakeLists.txt | 0 .../{protocols => protocol}/netflow/Plugin.cc | 0 .../netflow/events.bif | 0 .../netflow/netflow-analyzer.pac | 0 .../netflow/netflow-protocol.pac | 0 .../netflow/netflow.pac | 0 .../ntp/CMakeLists.txt | 0 .../{protocols => protocol}/ntp/NTP.cc | 0 .../{protocols => protocol}/ntp/NTP.h | 2 +- .../{protocols => protocol}/ntp/Plugin.cc | 0 .../{protocols => protocol}/ntp/events.bif | 0 .../pia/CMakeLists.txt | 0 .../{protocols => protocol}/pia/PIA.cc | 2 +- .../{protocols => protocol}/pia/PIA.h | 2 +- .../{protocols => protocol}/pia/Plugin.cc | 0 .../{protocols => protocol}/pia/events.bif | 0 .../pop3/CMakeLists.txt | 0 .../{protocols => protocol}/pop3/POP3.cc | 2 +- .../{protocols => protocol}/pop3/POP3.h | 6 +++--- .../{protocols => protocol}/pop3/POP3_cmd.def | 0 .../{protocols => protocol}/pop3/Plugin.cc | 0 .../{protocols => protocol}/pop3/events.bif | 0 .../rpc/CMakeLists.txt | 0 .../{protocols => protocol}/rpc/NFS.cc | 0 .../{protocols => protocol}/rpc/NFS.h | 0 .../{protocols => protocol}/rpc/Plugin.cc | 0 .../{protocols => protocol}/rpc/Portmap.cc | 0 .../{protocols => protocol}/rpc/Portmap.h | 0 .../{protocols => protocol}/rpc/RPC.cc | 0 .../{protocols => protocol}/rpc/RPC.h | 4 ++-- .../{protocols => protocol}/rpc/XDR.cc | 0 .../{protocols => protocol}/rpc/XDR.h | 0 .../{protocols => protocol}/rpc/events.bif | 0 .../smb/CMakeLists.txt | 0 
.../{protocols => protocol}/smb/Plugin.cc | 0 .../{protocols => protocol}/smb/SMB.cc | 0 .../{protocols => protocol}/smb/SMB.h | 4 ++-- .../{protocols => protocol}/smb/SMB_COM.def | 0 .../{protocols => protocol}/smb/events.bif | 0 .../smb/smb-mailslot.pac | 0 .../{protocols => protocol}/smb/smb-pipe.pac | 0 .../smb/smb-protocol.pac | 0 .../{protocols => protocol}/smb/smb.pac | 0 .../smtp/CMakeLists.txt | 0 .../{protocols => protocol}/smtp/Plugin.cc | 0 .../{protocols => protocol}/smtp/SMTP.cc | 2 +- .../{protocols => protocol}/smtp/SMTP.h | 4 ++-- .../{protocols => protocol}/smtp/SMTP_cmd.def | 0 .../{protocols => protocol}/smtp/events.bif | 0 .../smtp/functions.bif | 2 +- .../socks/CMakeLists.txt | 0 .../{protocols => protocol}/socks/Plugin.cc | 0 .../{protocols => protocol}/socks/SOCKS.cc | 2 +- .../{protocols => protocol}/socks/SOCKS.h | 4 ++-- .../{protocols => protocol}/socks/events.bif | 0 .../socks/socks-analyzer.pac | 0 .../socks/socks-protocol.pac | 0 .../{protocols => protocol}/socks/socks.pac | 0 .../ssh/CMakeLists.txt | 0 .../{protocols => protocol}/ssh/Plugin.cc | 0 .../{protocols => protocol}/ssh/SSH.cc | 2 +- .../{protocols => protocol}/ssh/SSH.h | 4 ++-- .../{protocols => protocol}/ssh/events.bif | 0 .../ssl/CMakeLists.txt | 0 .../{protocols => protocol}/ssl/Plugin.cc | 0 .../{protocols => protocol}/ssl/SSL.cc | 2 +- .../{protocols => protocol}/ssl/SSL.h | 2 +- .../{protocols => protocol}/ssl/events.bif | 0 .../{protocols => protocol}/ssl/functions.bif | 0 .../ssl/ssl-analyzer.pac | 0 .../{protocols => protocol}/ssl/ssl-defs.pac | 0 .../ssl/ssl-protocol.pac | 0 .../{protocols => protocol}/ssl/ssl.pac | 0 .../stepping-stone/CMakeLists.txt | 0 .../stepping-stone/Plugin.cc | 0 .../stepping-stone/SteppingStone.cc | 2 +- .../stepping-stone/SteppingStone.h | 2 +- .../stepping-stone/events.bif | 0 .../syslog/CMakeLists.txt | 0 .../{protocols => protocol}/syslog/Plugin.cc | 0 .../{protocols => protocol}/syslog/Syslog.cc | 2 +- .../{protocols => 
protocol}/syslog/Syslog.h | 4 ++-- .../{protocols => protocol}/syslog/events.bif | 0 .../syslog/syslog-analyzer.pac | 0 .../syslog/syslog-protocol.pac | 0 .../{protocols => protocol}/syslog/syslog.pac | 0 .../tcp/CMakeLists.txt | 0 .../tcp/ContentLine.cc | 2 +- .../{protocols => protocol}/tcp/ContentLine.h | 2 +- .../{protocols => protocol}/tcp/Plugin.cc | 0 .../{protocols => protocol}/tcp/Stats.cc | 0 .../{protocols => protocol}/tcp/Stats.h | 0 .../{protocols => protocol}/tcp/TCP.cc | 6 +++--- .../{protocols => protocol}/tcp/TCP.h | 2 +- .../tcp/TCP_Endpoint.cc | 2 +- .../tcp/TCP_Endpoint.h | 0 .../tcp/TCP_Reassembler.cc | 2 +- .../tcp/TCP_Reassembler.h | 0 .../{protocols => protocol}/tcp/events.bif | 0 .../{protocols => protocol}/tcp/functions.bif | 2 +- .../teredo/CMakeLists.txt | 0 .../{protocols => protocol}/teredo/Plugin.cc | 0 .../{protocols => protocol}/teredo/Teredo.cc | 0 .../{protocols => protocol}/teredo/Teredo.h | 0 .../{protocols => protocol}/teredo/events.bif | 0 .../udp/CMakeLists.txt | 0 .../{protocols => protocol}/udp/Plugin.cc | 2 +- .../{protocols => protocol}/udp/UDP.cc | 2 +- .../{protocols => protocol}/udp/UDP.h | 0 .../{protocols => protocol}/udp/events.bif | 0 .../zip/CMakeLists.txt | 0 .../{protocols => protocol}/zip/Plugin.cc | 0 .../{protocols => protocol}/zip/ZIP.cc | 0 .../{protocols => protocol}/zip/ZIP.h | 2 +- .../{protocols => protocol}/zip/events.bif | 0 src/bro.bif | 2 +- src/parse.y | 2 +- 279 files changed, 114 insertions(+), 116 deletions(-) rename src/analyzer/{protocols => protocol}/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/TODO (64%) rename src/analyzer/{protocols => protocol}/arp/ARP.cc (100%) rename src/analyzer/{protocols => protocol}/arp/ARP.h (100%) rename src/analyzer/{protocols => protocol}/arp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/arp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/arp/events.bif (100%) rename src/analyzer/{protocols => 
protocol}/ayiya/AYIYA.cc (100%) rename src/analyzer/{protocols => protocol}/ayiya/AYIYA.h (100%) rename src/analyzer/{protocols => protocol}/ayiya/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ayiya/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ayiya/ayiya-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/ayiya/ayiya-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/ayiya/ayiya.pac (100%) rename src/analyzer/{protocols => protocol}/ayiya/events.bif (100%) rename src/analyzer/{protocols => protocol}/backdoor/BackDoor.cc (99%) rename src/analyzer/{protocols => protocol}/backdoor/BackDoor.h (97%) rename src/analyzer/{protocols => protocol}/backdoor/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/backdoor/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/backdoor/events.bif (100%) rename src/analyzer/{protocols => protocol}/bittorrent/BitTorrent.cc (98%) rename src/analyzer/{protocols => protocol}/bittorrent/BitTorrent.h (95%) rename src/analyzer/{protocols => protocol}/bittorrent/BitTorrentTracker.cc (99%) rename src/analyzer/{protocols => protocol}/bittorrent/BitTorrentTracker.h (98%) rename src/analyzer/{protocols => protocol}/bittorrent/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/bittorrent/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/bittorrent/bittorrent-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/bittorrent/bittorrent-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/bittorrent/bittorrent.pac (100%) rename src/analyzer/{protocols => protocol}/bittorrent/events.bif (100%) rename src/analyzer/{protocols => protocol}/conn-size/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/conn-size/ConnSize.cc (98%) rename src/analyzer/{protocols => protocol}/conn-size/ConnSize.h (100%) rename src/analyzer/{protocols => protocol}/conn-size/Plugin.cc (100%) rename src/analyzer/{protocols => 
protocol}/conn-size/events.bif (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/DCE_RPC.cc (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/DCE_RPC.h (96%) rename src/analyzer/{protocols => protocol}/dce-rpc/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/dce_rpc-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/dce_rpc-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/dce_rpc.pac (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/dce_rpc_simple.pac (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/epmapper.pac (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/events.bif (100%) rename src/analyzer/{protocols => protocol}/dhcp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/dhcp/DHCP.cc (100%) rename src/analyzer/{protocols => protocol}/dhcp/DHCP.h (93%) rename src/analyzer/{protocols => protocol}/dhcp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/dhcp/dhcp-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/dhcp/dhcp-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/dhcp/dhcp.pac (100%) rename src/analyzer/{protocols => protocol}/dhcp/events.bif (100%) rename src/analyzer/{protocols => protocol}/dns/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/dns/DNS.cc (100%) rename src/analyzer/{protocols => protocol}/dns/DNS.h (99%) rename src/analyzer/{protocols => protocol}/dns/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/dns/events.bif (100%) rename src/analyzer/{protocols => protocol}/file/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/file/File.cc (100%) rename src/analyzer/{protocols => protocol}/file/File.h (94%) rename src/analyzer/{protocols => protocol}/file/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/file/events.bif (100%) rename src/analyzer/{protocols => 
protocol}/finger/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/finger/Finger.cc (97%) rename src/analyzer/{protocols => protocol}/finger/Finger.h (89%) rename src/analyzer/{protocols => protocol}/finger/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/finger/events.bif (100%) rename src/analyzer/{protocols => protocol}/ftp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ftp/FTP.cc (99%) rename src/analyzer/{protocols => protocol}/ftp/FTP.h (94%) rename src/analyzer/{protocols => protocol}/ftp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ftp/events.bif (100%) rename src/analyzer/{protocols => protocol}/ftp/functions.bif (100%) rename src/analyzer/{protocols => protocol}/gnutella/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/gnutella/Gnutella.cc (99%) rename src/analyzer/{protocols => protocol}/gnutella/Gnutella.h (97%) rename src/analyzer/{protocols => protocol}/gnutella/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/gnutella/events.bif (100%) rename src/analyzer/{protocols => protocol}/gtpv1/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/gtpv1/GTPv1.cc (100%) rename src/analyzer/{protocols => protocol}/gtpv1/GTPv1.h (100%) rename src/analyzer/{protocols => protocol}/gtpv1/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/gtpv1/events.bif (100%) rename src/analyzer/{protocols => protocol}/gtpv1/gtpv1-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/gtpv1/gtpv1-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/gtpv1/gtpv1.pac (100%) rename src/analyzer/{protocols => protocol}/http/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/http/HTTP.cc (99%) rename src/analyzer/{protocols => protocol}/http/HTTP.h (97%) rename src/analyzer/{protocols => protocol}/http/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/http/events.bif (100%) rename src/analyzer/{protocols => 
protocol}/http/functions.bif (97%) rename src/analyzer/{protocols => protocol}/icmp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/icmp/ICMP.cc (100%) rename src/analyzer/{protocols => protocol}/icmp/ICMP.h (100%) rename src/analyzer/{protocols => protocol}/icmp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/icmp/events.bif (100%) rename src/analyzer/{protocols => protocol}/ident/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ident/Ident.cc (100%) rename src/analyzer/{protocols => protocol}/ident/Ident.h (91%) rename src/analyzer/{protocols => protocol}/ident/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ident/events.bif (100%) rename src/analyzer/{protocols => protocol}/interconn/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/interconn/InterConn.cc (99%) rename src/analyzer/{protocols => protocol}/interconn/InterConn.h (98%) rename src/analyzer/{protocols => protocol}/interconn/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/interconn/events.bif (100%) rename src/analyzer/{protocols => protocol}/irc/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/irc/IRC.cc (99%) rename src/analyzer/{protocols => protocol}/irc/IRC.h (97%) rename src/analyzer/{protocols => protocol}/irc/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/irc/events.bif (100%) rename src/analyzer/{protocols => protocol}/login/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/login/Login.cc (100%) rename src/analyzer/{protocols => protocol}/login/Login.h (98%) rename src/analyzer/{protocols => protocol}/login/NVT.cc (99%) rename src/analyzer/{protocols => protocol}/login/NVT.h (98%) rename src/analyzer/{protocols => protocol}/login/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/login/RSH.cc (100%) rename src/analyzer/{protocols => protocol}/login/RSH.h (96%) rename src/analyzer/{protocols => protocol}/login/Rlogin.cc (100%) rename 
src/analyzer/{protocols => protocol}/login/Rlogin.h (97%) rename src/analyzer/{protocols => protocol}/login/Telnet.cc (100%) rename src/analyzer/{protocols => protocol}/login/Telnet.h (100%) rename src/analyzer/{protocols => protocol}/login/events.bif (100%) rename src/analyzer/{protocols => protocol}/login/functions.bif (100%) rename src/analyzer/{protocols => protocol}/mime/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/mime/MIME.cc (100%) rename src/analyzer/{protocols => protocol}/mime/MIME.h (100%) rename src/analyzer/{protocols => protocol}/mime/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/mime/events.bif (100%) rename src/analyzer/{protocols => protocol}/modbus/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/modbus/Modbus.cc (94%) rename src/analyzer/{protocols => protocol}/modbus/Modbus.h (94%) rename src/analyzer/{protocols => protocol}/modbus/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/modbus/events.bif (100%) rename src/analyzer/{protocols => protocol}/modbus/modbus-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/modbus/modbus-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/modbus/modbus.pac (100%) rename src/analyzer/{protocols => protocol}/ncp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ncp/NCP.cc (100%) rename src/analyzer/{protocols => protocol}/ncp/NCP.h (96%) rename src/analyzer/{protocols => protocol}/ncp/NCP_func.def (100%) rename src/analyzer/{protocols => protocol}/ncp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ncp/events.bif (100%) rename src/analyzer/{protocols => protocol}/ncp/ncp.pac (100%) rename src/analyzer/{protocols => protocol}/netbios/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/netbios/NetbiosSSN.cc (100%) rename src/analyzer/{protocols => protocol}/netbios/NetbiosSSN.h (97%) rename src/analyzer/{protocols => protocol}/netbios/Plugin.cc (100%) rename 
src/analyzer/{protocols => protocol}/netbios/events.bif (100%) rename src/analyzer/{protocols => protocol}/netbios/functions.bif (100%) rename src/analyzer/{protocols => protocol}/netflow/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/netflow/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/netflow/events.bif (100%) rename src/analyzer/{protocols => protocol}/netflow/netflow-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/netflow/netflow-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/netflow/netflow.pac (100%) rename src/analyzer/{protocols => protocol}/ntp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ntp/NTP.cc (100%) rename src/analyzer/{protocols => protocol}/ntp/NTP.h (97%) rename src/analyzer/{protocols => protocol}/ntp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ntp/events.bif (100%) rename src/analyzer/{protocols => protocol}/pia/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/pia/PIA.cc (99%) rename src/analyzer/{protocols => protocol}/pia/PIA.h (99%) rename src/analyzer/{protocols => protocol}/pia/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/pia/events.bif (100%) rename src/analyzer/{protocols => protocol}/pop3/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/pop3/POP3.cc (99%) rename src/analyzer/{protocols => protocol}/pop3/POP3.h (94%) rename src/analyzer/{protocols => protocol}/pop3/POP3_cmd.def (100%) rename src/analyzer/{protocols => protocol}/pop3/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/pop3/events.bif (100%) rename src/analyzer/{protocols => protocol}/rpc/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/rpc/NFS.cc (100%) rename src/analyzer/{protocols => protocol}/rpc/NFS.h (100%) rename src/analyzer/{protocols => protocol}/rpc/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/rpc/Portmap.cc (100%) rename src/analyzer/{protocols => 
protocol}/rpc/Portmap.h (100%) rename src/analyzer/{protocols => protocol}/rpc/RPC.cc (100%) rename src/analyzer/{protocols => protocol}/rpc/RPC.h (98%) rename src/analyzer/{protocols => protocol}/rpc/XDR.cc (100%) rename src/analyzer/{protocols => protocol}/rpc/XDR.h (100%) rename src/analyzer/{protocols => protocol}/rpc/events.bif (100%) rename src/analyzer/{protocols => protocol}/smb/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/smb/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/smb/SMB.cc (100%) rename src/analyzer/{protocols => protocol}/smb/SMB.h (98%) rename src/analyzer/{protocols => protocol}/smb/SMB_COM.def (100%) rename src/analyzer/{protocols => protocol}/smb/events.bif (100%) rename src/analyzer/{protocols => protocol}/smb/smb-mailslot.pac (100%) rename src/analyzer/{protocols => protocol}/smb/smb-pipe.pac (100%) rename src/analyzer/{protocols => protocol}/smb/smb-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/smb/smb.pac (100%) rename src/analyzer/{protocols => protocol}/smtp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/smtp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/smtp/SMTP.cc (99%) rename src/analyzer/{protocols => protocol}/smtp/SMTP.h (97%) rename src/analyzer/{protocols => protocol}/smtp/SMTP_cmd.def (100%) rename src/analyzer/{protocols => protocol}/smtp/events.bif (100%) rename src/analyzer/{protocols => protocol}/smtp/functions.bif (88%) rename src/analyzer/{protocols => protocol}/socks/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/socks/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/socks/SOCKS.cc (97%) rename src/analyzer/{protocols => protocol}/socks/SOCKS.h (91%) rename src/analyzer/{protocols => protocol}/socks/events.bif (100%) rename src/analyzer/{protocols => protocol}/socks/socks-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/socks/socks-protocol.pac (100%) rename src/analyzer/{protocols => 
protocol}/socks/socks.pac (100%) rename src/analyzer/{protocols => protocol}/ssh/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ssh/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ssh/SSH.cc (98%) rename src/analyzer/{protocols => protocol}/ssh/SSH.h (86%) rename src/analyzer/{protocols => protocol}/ssh/events.bif (100%) rename src/analyzer/{protocols => protocol}/ssl/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ssl/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ssl/SSL.cc (96%) rename src/analyzer/{protocols => protocol}/ssl/SSL.h (95%) rename src/analyzer/{protocols => protocol}/ssl/events.bif (100%) rename src/analyzer/{protocols => protocol}/ssl/functions.bif (100%) rename src/analyzer/{protocols => protocol}/ssl/ssl-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/ssl/ssl-defs.pac (100%) rename src/analyzer/{protocols => protocol}/ssl/ssl-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/ssl/ssl.pac (100%) rename src/analyzer/{protocols => protocol}/stepping-stone/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/stepping-stone/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/stepping-stone/SteppingStone.cc (99%) rename src/analyzer/{protocols => protocol}/stepping-stone/SteppingStone.h (98%) rename src/analyzer/{protocols => protocol}/stepping-stone/events.bif (100%) rename src/analyzer/{protocols => protocol}/syslog/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/syslog/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/syslog/Syslog.cc (97%) rename src/analyzer/{protocols => protocol}/syslog/Syslog.h (94%) rename src/analyzer/{protocols => protocol}/syslog/events.bif (100%) rename src/analyzer/{protocols => protocol}/syslog/syslog-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/syslog/syslog-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/syslog/syslog.pac (100%) rename 
src/analyzer/{protocols => protocol}/tcp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/tcp/ContentLine.cc (99%) rename src/analyzer/{protocols => protocol}/tcp/ContentLine.h (98%) rename src/analyzer/{protocols => protocol}/tcp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/tcp/Stats.cc (100%) rename src/analyzer/{protocols => protocol}/tcp/Stats.h (100%) rename src/analyzer/{protocols => protocol}/tcp/TCP.cc (99%) rename src/analyzer/{protocols => protocol}/tcp/TCP.h (99%) rename src/analyzer/{protocols => protocol}/tcp/TCP_Endpoint.cc (99%) rename src/analyzer/{protocols => protocol}/tcp/TCP_Endpoint.h (100%) rename src/analyzer/{protocols => protocol}/tcp/TCP_Reassembler.cc (99%) rename src/analyzer/{protocols => protocol}/tcp/TCP_Reassembler.h (100%) rename src/analyzer/{protocols => protocol}/tcp/events.bif (100%) rename src/analyzer/{protocols => protocol}/tcp/functions.bif (99%) rename src/analyzer/{protocols => protocol}/teredo/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/teredo/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/teredo/Teredo.cc (100%) rename src/analyzer/{protocols => protocol}/teredo/Teredo.h (100%) rename src/analyzer/{protocols => protocol}/teredo/events.bif (100%) rename src/analyzer/{protocols => protocol}/udp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/udp/Plugin.cc (82%) rename src/analyzer/{protocols => protocol}/udp/UDP.cc (99%) rename src/analyzer/{protocols => protocol}/udp/UDP.h (100%) rename src/analyzer/{protocols => protocol}/udp/events.bif (100%) rename src/analyzer/{protocols => protocol}/zip/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/zip/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/zip/ZIP.cc (100%) rename src/analyzer/{protocols => protocol}/zip/ZIP.h (94%) rename src/analyzer/{protocols => protocol}/zip/events.bif (100%)
diff --git a/src/Conn.cc b/src/Conn.cc
index 1756d3860e..fb6ca3d810 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -11,7 +11,7 @@
 #include "Sessions.h"
 #include "Reporter.h"
 #include "Timer.h"
-#include "analyzer/protocols/pia/PIA.h"
+#include "analyzer/protocol/pia/PIA.h"
 #include "binpac.h"
 #include "TunnelEncapsulation.h"
 #include "analyzer/Analyzer.h"
diff --git a/src/Func.cc b/src/Func.cc
index 668499d2ed..f3718fe231 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -38,7 +38,7 @@
 #include "Func.h"
 #include "Frame.h"
 #include "Var.h"
-#include "analyzer/protocols/login/Login.h"
+#include "analyzer/protocol/login/Login.h"
 #include "Sessions.h"
 #include "RE.h"
 #include "Serializer.h"
diff --git a/src/RuleAction.cc b/src/RuleAction.cc
index 4e279e2cab..a13392ee40 100644
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@@ -8,7 +8,7 @@ using std::string;
 #include "Conn.h"
 #include "Event.h"
 #include "NetVar.h"
-#include "analyzer/protocols/pia/PIA.h"
+#include "analyzer/protocol/pia/PIA.h"
 #include "analyzer/Manager.h"
diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
index 2296628878..36d8cba39d 100644
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@@ -1,7 +1,7 @@
 #include "config.h"
 #include "RuleCondition.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "Scope.h"
 static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e)
diff --git a/src/Sessions.cc b/src/Sessions.cc
index 29c7a57e8f..6fa26c6f36 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -16,17 +16,17 @@
 #include "Reporter.h"
 #include "OSFinger.h"
-#include "analyzer/protocols/icmp/ICMP.h"
-#include "analyzer/protocols/udp/UDP.h"
+#include "analyzer/protocol/icmp/ICMP.h"
+#include "analyzer/protocol/udp/UDP.h"
-#include "analyzer/protocols/stepping-stone/SteppingStone.h"
-#include "analyzer/protocols/stepping-stone/events.bif.h"
-#include "analyzer/protocols/backdoor/BackDoor.h"
-#include "analyzer/protocols/backdoor/events.bif.h"
-#include "analyzer/protocols/interconn/InterConn.h"
-#include "analyzer/protocols/interconn/events.bif.h"
-#include "analyzer/protocols/arp/ARP.h"
-#include "analyzer/protocols/arp/events.bif.h"
+#include "analyzer/protocol/stepping-stone/SteppingStone.h"
+#include "analyzer/protocol/stepping-stone/events.bif.h"
+#include "analyzer/protocol/backdoor/BackDoor.h"
+#include "analyzer/protocol/backdoor/events.bif.h"
+#include "analyzer/protocol/interconn/InterConn.h"
+#include "analyzer/protocol/interconn/events.bif.h"
+#include "analyzer/protocol/arp/ARP.h"
+#include "analyzer/protocol/arp/events.bif.h"
 #include "Discard.h"
 #include "RuleMatcher.h"
diff --git a/src/Sessions.h b/src/Sessions.h
index a5488bd188..27b052ba2d 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -11,7 +11,7 @@
 #include "Stats.h"
 #include "NetVar.h"
 #include "TunnelEncapsulation.h"
-#include "analyzer/protocols/tcp/Stats.h"
+#include "analyzer/protocol/tcp/Stats.h"
 #include
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index 098535d0a9..72dbb2d4a5 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -4,7 +4,7 @@
 #include "Analyzer.h"
 #include "Manager.h"
-#include "analyzer/protocols/pia/PIA.h"
+#include "analyzer/protocol/pia/PIA.h"
 #include "../Event.h"
 namespace analyzer {
diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt
index 1d0589c5bf..026bbac80a 100644
--- a/src/analyzer/CMakeLists.txt
+++ b/src/analyzer/CMakeLists.txt
@@ -4,7 +4,7 @@ include_directories(BEFORE
 ${CMAKE_CURRENT_BINARY_DIR}
 )
-add_subdirectory(protocols)
+add_subdirectory(protocol)
 set(analyzer_SRCS
 Analyzer.cc
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 45fce936fd..d337c0b849 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -4,14 +4,14 @@
 #include "Hash.h"
 #include "Val.h"
-#include "analyzer/protocols/backdoor/BackDoor.h"
-#include "analyzer/protocols/conn-size/ConnSize.h"
-#include "analyzer/protocols/icmp/ICMP.h"
-#include "analyzer/protocols/interconn/InterConn.h"
-#include "analyzer/protocols/pia/PIA.h"
-#include "analyzer/protocols/stepping-stone/SteppingStone.h"
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/udp/UDP.h"
+#include "analyzer/protocol/backdoor/BackDoor.h"
+#include "analyzer/protocol/conn-size/ConnSize.h"
+#include "analyzer/protocol/icmp/ICMP.h"
+#include "analyzer/protocol/interconn/InterConn.h"
+#include "analyzer/protocol/pia/PIA.h"
+#include "analyzer/protocol/stepping-stone/SteppingStone.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/udp/UDP.h"
 #include "plugin/Manager.h"
diff --git a/src/analyzer/protocols/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/CMakeLists.txt
rename to src/analyzer/protocol/CMakeLists.txt
diff --git a/src/analyzer/protocols/TODO b/src/analyzer/protocol/TODO
similarity index 64%
rename from src/analyzer/protocols/TODO
rename to src/analyzer/protocol/TODO
index 61a17a95c9..4302252a49 100644
--- a/src/analyzer/protocols/TODO
+++ b/src/analyzer/protocol/TODO
@@ -1,7 +1,5 @@
-- update *.h guards
 - cleanup analyzer descriptions
 - can now lower-case the analyzer name in plugin
 - not sure cmake dependencies work right yet
-- rename analyzers/protocols to analyzer/protocol
diff --git a/src/analyzer/protocols/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc
similarity index 100%
rename from src/analyzer/protocols/arp/ARP.cc
rename to src/analyzer/protocol/arp/ARP.cc
diff --git a/src/analyzer/protocols/arp/ARP.h b/src/analyzer/protocol/arp/ARP.h
similarity index 100%
rename from src/analyzer/protocols/arp/ARP.h
rename to src/analyzer/protocol/arp/ARP.h
diff --git a/src/analyzer/protocols/arp/CMakeLists.txt b/src/analyzer/protocol/arp/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/arp/CMakeLists.txt
rename to src/analyzer/protocol/arp/CMakeLists.txt
diff --git a/src/analyzer/protocols/arp/Plugin.cc b/src/analyzer/protocol/arp/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/arp/Plugin.cc
rename to src/analyzer/protocol/arp/Plugin.cc
diff --git a/src/analyzer/protocols/arp/events.bif b/src/analyzer/protocol/arp/events.bif
similarity index 100%
rename from src/analyzer/protocols/arp/events.bif
rename to src/analyzer/protocol/arp/events.bif
diff --git a/src/analyzer/protocols/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc
similarity index 100%
rename from src/analyzer/protocols/ayiya/AYIYA.cc
rename to src/analyzer/protocol/ayiya/AYIYA.cc
diff --git a/src/analyzer/protocols/ayiya/AYIYA.h b/src/analyzer/protocol/ayiya/AYIYA.h
similarity index 100%
rename from src/analyzer/protocols/ayiya/AYIYA.h
rename to src/analyzer/protocol/ayiya/AYIYA.h
diff --git a/src/analyzer/protocols/ayiya/CMakeLists.txt b/src/analyzer/protocol/ayiya/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/ayiya/CMakeLists.txt
rename to src/analyzer/protocol/ayiya/CMakeLists.txt
diff --git a/src/analyzer/protocols/ayiya/Plugin.cc b/src/analyzer/protocol/ayiya/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/ayiya/Plugin.cc
rename to src/analyzer/protocol/ayiya/Plugin.cc
diff --git a/src/analyzer/protocols/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac
similarity index 100%
rename from src/analyzer/protocols/ayiya/ayiya-analyzer.pac
rename to src/analyzer/protocol/ayiya/ayiya-analyzer.pac
diff --git a/src/analyzer/protocols/ayiya/ayiya-protocol.pac b/src/analyzer/protocol/ayiya/ayiya-protocol.pac
similarity index 100%
rename from src/analyzer/protocols/ayiya/ayiya-protocol.pac
rename to src/analyzer/protocol/ayiya/ayiya-protocol.pac
diff --git a/src/analyzer/protocols/ayiya/ayiya.pac b/src/analyzer/protocol/ayiya/ayiya.pac
similarity index 100%
rename from src/analyzer/protocols/ayiya/ayiya.pac
rename to src/analyzer/protocol/ayiya/ayiya.pac
diff --git a/src/analyzer/protocols/ayiya/events.bif b/src/analyzer/protocol/ayiya/events.bif
similarity index 100%
rename from src/analyzer/protocols/ayiya/events.bif
rename to src/analyzer/protocol/ayiya/events.bif
diff --git a/src/analyzer/protocols/backdoor/BackDoor.cc b/src/analyzer/protocol/backdoor/BackDoor.cc
similarity index 99%
rename from src/analyzer/protocols/backdoor/BackDoor.cc
rename to src/analyzer/protocol/backdoor/BackDoor.cc
index 19b1a341a7..a466938ff6 100644
--- a/src/analyzer/protocols/backdoor/BackDoor.cc
+++ b/src/analyzer/protocol/backdoor/BackDoor.cc
@@ -5,7 +5,7 @@
 #include "BackDoor.h"
 #include "Event.h"
 #include "Net.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/backdoor/BackDoor.h b/src/analyzer/protocol/backdoor/BackDoor.h
similarity index 97%
rename from src/analyzer/protocols/backdoor/BackDoor.h
rename to src/analyzer/protocol/backdoor/BackDoor.h
index 36c8430c34..5bc8a67381 100644
--- a/src/analyzer/protocols/backdoor/BackDoor.h
+++ b/src/analyzer/protocol/backdoor/BackDoor.h
@@ -3,10 +3,10 @@
 #ifndef ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H
 #define ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "Timer.h"
 #include "NetVar.h"
-#include "analyzer/protocols/login/Login.h"
+#include "analyzer/protocol/login/Login.h"
 namespace analyzer { namespace backdoor {
diff --git a/src/analyzer/protocols/backdoor/CMakeLists.txt b/src/analyzer/protocol/backdoor/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/backdoor/CMakeLists.txt
rename to src/analyzer/protocol/backdoor/CMakeLists.txt
diff --git a/src/analyzer/protocols/backdoor/Plugin.cc b/src/analyzer/protocol/backdoor/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/backdoor/Plugin.cc
rename to src/analyzer/protocol/backdoor/Plugin.cc
diff --git a/src/analyzer/protocols/backdoor/events.bif b/src/analyzer/protocol/backdoor/events.bif
similarity index 100%
rename from src/analyzer/protocols/backdoor/events.bif
rename to src/analyzer/protocol/backdoor/events.bif
diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc
similarity index 98%
rename from src/analyzer/protocols/bittorrent/BitTorrent.cc
rename to src/analyzer/protocol/bittorrent/BitTorrent.cc
index fc66987cc7..99fd9dc132 100644
--- a/src/analyzer/protocols/bittorrent/BitTorrent.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc
@@ -1,7 +1,7 @@
 // This code contributed by Nadi Sarrar.
 #include "BitTorrent.h"
-#include "analyzer/protocols/tcp/TCP_Reassembler.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.h b/src/analyzer/protocol/bittorrent/BitTorrent.h
similarity index 95%
rename from src/analyzer/protocols/bittorrent/BitTorrent.h
rename to src/analyzer/protocol/bittorrent/BitTorrent.h
index 4065b45648..7739463052 100644
--- a/src/analyzer/protocols/bittorrent/BitTorrent.h
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.h
@@ -3,7 +3,7 @@
 #ifndef ANALYZER_PROTOCOL_BITTORRENT_BITTORRENT_H
 #define ANALYZER_PROTOCOL_BITTORRENT_BITTORRENT_H
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "bittorrent_pac.h"
diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
similarity index 99%
rename from src/analyzer/protocols/bittorrent/BitTorrentTracker.cc
rename to src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
index 18d1fe8ab9..b32db9a8bd 100644
--- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
@@ -1,7 +1,7 @@
 // This code contributed by Nadi Sarrar.
 #include "BitTorrentTracker.h"
-#include "analyzer/protocols/tcp/TCP_Reassembler.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h
similarity index 98%
rename from src/analyzer/protocols/bittorrent/BitTorrentTracker.h
rename to src/analyzer/protocol/bittorrent/BitTorrentTracker.h
index 572a8d2093..b041e556b7 100644
--- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h
@@ -3,7 +3,7 @@
 #ifndef ANALYZER_PROTOCOL_BITTORRENT_BITTORRENTTRACKER_H
 #define ANALYZER_PROTOCOL_BITTORRENT_BITTORRENTTRACKER_H
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #define BTTRACKER_BUF 2048
diff --git a/src/analyzer/protocols/bittorrent/CMakeLists.txt b/src/analyzer/protocol/bittorrent/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/bittorrent/CMakeLists.txt
rename to src/analyzer/protocol/bittorrent/CMakeLists.txt
diff --git a/src/analyzer/protocols/bittorrent/Plugin.cc b/src/analyzer/protocol/bittorrent/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/bittorrent/Plugin.cc
rename to src/analyzer/protocol/bittorrent/Plugin.cc
diff --git a/src/analyzer/protocols/bittorrent/bittorrent-analyzer.pac b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
similarity index 100%
rename from src/analyzer/protocols/bittorrent/bittorrent-analyzer.pac
rename to src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
diff --git a/src/analyzer/protocols/bittorrent/bittorrent-protocol.pac b/src/analyzer/protocol/bittorrent/bittorrent-protocol.pac
similarity index 100%
rename from src/analyzer/protocols/bittorrent/bittorrent-protocol.pac
rename to src/analyzer/protocol/bittorrent/bittorrent-protocol.pac
diff --git a/src/analyzer/protocols/bittorrent/bittorrent.pac b/src/analyzer/protocol/bittorrent/bittorrent.pac
similarity index 100%
rename from src/analyzer/protocols/bittorrent/bittorrent.pac
rename to src/analyzer/protocol/bittorrent/bittorrent.pac
diff --git a/src/analyzer/protocols/bittorrent/events.bif b/src/analyzer/protocol/bittorrent/events.bif
similarity index 100%
rename from src/analyzer/protocols/bittorrent/events.bif
rename to src/analyzer/protocol/bittorrent/events.bif
diff --git a/src/analyzer/protocols/conn-size/CMakeLists.txt b/src/analyzer/protocol/conn-size/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/conn-size/CMakeLists.txt
rename to src/analyzer/protocol/conn-size/CMakeLists.txt
diff --git a/src/analyzer/protocols/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc
similarity index 98%
rename from src/analyzer/protocols/conn-size/ConnSize.cc
rename to src/analyzer/protocol/conn-size/ConnSize.cc
index 7d85fe4a0c..b912fe3d2d 100644
--- a/src/analyzer/protocols/conn-size/ConnSize.cc
+++ b/src/analyzer/protocol/conn-size/ConnSize.cc
@@ -4,7 +4,7 @@
 #include "ConnSize.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/conn-size/ConnSize.h b/src/analyzer/protocol/conn-size/ConnSize.h
similarity index 100%
rename from src/analyzer/protocols/conn-size/ConnSize.h
rename to src/analyzer/protocol/conn-size/ConnSize.h
diff --git a/src/analyzer/protocols/conn-size/Plugin.cc b/src/analyzer/protocol/conn-size/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/conn-size/Plugin.cc
rename to src/analyzer/protocol/conn-size/Plugin.cc
diff --git a/src/analyzer/protocols/conn-size/events.bif b/src/analyzer/protocol/conn-size/events.bif
similarity index 100%
rename from src/analyzer/protocols/conn-size/events.bif
rename to src/analyzer/protocol/conn-size/events.bif
diff --git a/src/analyzer/protocols/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/dce-rpc/CMakeLists.txt
rename to src/analyzer/protocol/dce-rpc/CMakeLists.txt
diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.cc b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
similarity index 100%
rename from src/analyzer/protocols/dce-rpc/DCE_RPC.cc
rename to src/analyzer/protocol/dce-rpc/DCE_RPC.cc
diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.h b/src/analyzer/protocol/dce-rpc/DCE_RPC.h
similarity index 96%
rename from src/analyzer/protocols/dce-rpc/DCE_RPC.h
rename to src/analyzer/protocol/dce-rpc/DCE_RPC.h
index ff85e16ee1..2abfb584b5 100644
--- a/src/analyzer/protocols/dce-rpc/DCE_RPC.h
+++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.h
@@ -7,8 +7,8 @@
 // Windows systems) and shouldn't be considered as stable.
 #include "NetVar.h"
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/dce-rpc/events.bif.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/dce-rpc/events.bif.h"
 #include "IPAddr.h"
 #include "dce_rpc_simple_pac.h"
@@ -88,7 +88,7 @@ enum DCE_RPC_PTYPE {
 };
 */
-#define ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_HEADER_LENGTH 16
+#define DCE_RPC_HEADER_LENGTH 16
 class DCE_RPC_Header {
 public:
diff --git a/src/analyzer/protocols/dce-rpc/Plugin.cc b/src/analyzer/protocol/dce-rpc/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/dce-rpc/Plugin.cc
rename to src/analyzer/protocol/dce-rpc/Plugin.cc
diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc-analyzer.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
similarity index 100%
rename from src/analyzer/protocols/dce-rpc/dce_rpc-analyzer.pac
rename to src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
similarity index 100%
rename from src/analyzer/protocols/dce-rpc/dce_rpc-protocol.pac
rename to src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc.pac b/src/analyzer/protocol/dce-rpc/dce_rpc.pac
similarity index 100%
rename from src/analyzer/protocols/dce-rpc/dce_rpc.pac
rename to src/analyzer/protocol/dce-rpc/dce_rpc.pac
diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac b/src/analyzer/protocol/dce-rpc/dce_rpc_simple.pac
similarity index 100%
rename from src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac
rename to src/analyzer/protocol/dce-rpc/dce_rpc_simple.pac
diff --git a/src/analyzer/protocols/dce-rpc/epmapper.pac b/src/analyzer/protocol/dce-rpc/epmapper.pac
similarity index 100%
rename from src/analyzer/protocols/dce-rpc/epmapper.pac
rename to src/analyzer/protocol/dce-rpc/epmapper.pac
diff --git a/src/analyzer/protocols/dce-rpc/events.bif b/src/analyzer/protocol/dce-rpc/events.bif
similarity index 100%
rename from src/analyzer/protocols/dce-rpc/events.bif
rename to src/analyzer/protocol/dce-rpc/events.bif
diff --git a/src/analyzer/protocols/dhcp/CMakeLists.txt b/src/analyzer/protocol/dhcp/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/dhcp/CMakeLists.txt
rename to src/analyzer/protocol/dhcp/CMakeLists.txt
diff --git a/src/analyzer/protocols/dhcp/DHCP.cc b/src/analyzer/protocol/dhcp/DHCP.cc
similarity index 100%
rename from src/analyzer/protocols/dhcp/DHCP.cc
rename to src/analyzer/protocol/dhcp/DHCP.cc
diff --git a/src/analyzer/protocols/dhcp/DHCP.h b/src/analyzer/protocol/dhcp/DHCP.h
similarity index 93%
rename from src/analyzer/protocols/dhcp/DHCP.h
rename to src/analyzer/protocol/dhcp/DHCP.h
index 207651d7c1..a1c06e8b85 100644
--- a/src/analyzer/protocols/dhcp/DHCP.h
+++ b/src/analyzer/protocol/dhcp/DHCP.h
@@ -1,7 +1,7 @@
 #ifndef ANALYZER_PROTOCOL_DHCP_DHCP_H
 #define ANALYZER_PROTOCOL_DHCP_DHCP_H
-#include "analyzer/protocols/udp/UDP.h"
+#include "analyzer/protocol/udp/UDP.h"
 #include "dhcp_pac.h"
diff --git a/src/analyzer/protocols/dhcp/Plugin.cc b/src/analyzer/protocol/dhcp/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/dhcp/Plugin.cc
rename to src/analyzer/protocol/dhcp/Plugin.cc
diff --git a/src/analyzer/protocols/dhcp/dhcp-analyzer.pac b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac
similarity index 100%
rename from src/analyzer/protocols/dhcp/dhcp-analyzer.pac
rename to src/analyzer/protocol/dhcp/dhcp-analyzer.pac
diff --git a/src/analyzer/protocols/dhcp/dhcp-protocol.pac b/src/analyzer/protocol/dhcp/dhcp-protocol.pac
similarity index 100%
rename from src/analyzer/protocols/dhcp/dhcp-protocol.pac
rename to src/analyzer/protocol/dhcp/dhcp-protocol.pac
diff --git a/src/analyzer/protocols/dhcp/dhcp.pac b/src/analyzer/protocol/dhcp/dhcp.pac
similarity index 100%
rename from src/analyzer/protocols/dhcp/dhcp.pac
rename to src/analyzer/protocol/dhcp/dhcp.pac
diff --git a/src/analyzer/protocols/dhcp/events.bif b/src/analyzer/protocol/dhcp/events.bif
similarity index 100%
rename from src/analyzer/protocols/dhcp/events.bif
rename to src/analyzer/protocol/dhcp/events.bif
diff --git a/src/analyzer/protocols/dns/CMakeLists.txt b/src/analyzer/protocol/dns/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/dns/CMakeLists.txt
rename to src/analyzer/protocol/dns/CMakeLists.txt
diff --git a/src/analyzer/protocols/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
similarity index 100%
rename from src/analyzer/protocols/dns/DNS.cc
rename to src/analyzer/protocol/dns/DNS.cc
diff --git a/src/analyzer/protocols/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
similarity index 99%
rename from src/analyzer/protocols/dns/DNS.h
rename to src/analyzer/protocol/dns/DNS.h
index 9c7874400d..373250e8f4 100644
--- a/src/analyzer/protocols/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -3,7 +3,7 @@
 #ifndef ANALYZER_PROTOCOL_DNS_DNS_H
 #define ANALYZER_PROTOCOL_DNS_DNS_H
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "binpac_bro.h"
 namespace analyzer { namespace dns {
diff --git a/src/analyzer/protocols/dns/Plugin.cc b/src/analyzer/protocol/dns/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/dns/Plugin.cc
rename to src/analyzer/protocol/dns/Plugin.cc
diff --git a/src/analyzer/protocols/dns/events.bif b/src/analyzer/protocol/dns/events.bif
similarity index 100%
rename from src/analyzer/protocols/dns/events.bif
rename to src/analyzer/protocol/dns/events.bif
diff --git a/src/analyzer/protocols/file/CMakeLists.txt b/src/analyzer/protocol/file/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/file/CMakeLists.txt
rename to src/analyzer/protocol/file/CMakeLists.txt
diff --git a/src/analyzer/protocols/file/File.cc b/src/analyzer/protocol/file/File.cc
similarity index 100%
rename from src/analyzer/protocols/file/File.cc
rename to src/analyzer/protocol/file/File.cc
diff --git a/src/analyzer/protocols/file/File.h b/src/analyzer/protocol/file/File.h
similarity index 94%
rename from src/analyzer/protocols/file/File.h
rename to src/analyzer/protocol/file/File.h
index 368fe22dae..a41ab380ae 100644
--- a/src/analyzer/protocols/file/File.h
+++ b/src/analyzer/protocol/file/File.h
@@ -3,7 +3,7 @@
 #ifndef ANALYZER_PROTOCOL_FILE_FILE_H
 #define ANALYZER_PROTOCOL_FILE_FILE_H
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include
diff --git a/src/analyzer/protocols/file/Plugin.cc b/src/analyzer/protocol/file/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/file/Plugin.cc
rename to src/analyzer/protocol/file/Plugin.cc
diff --git a/src/analyzer/protocols/file/events.bif b/src/analyzer/protocol/file/events.bif
similarity index 100%
rename from src/analyzer/protocols/file/events.bif
rename to src/analyzer/protocol/file/events.bif
diff --git a/src/analyzer/protocols/finger/CMakeLists.txt b/src/analyzer/protocol/finger/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/finger/CMakeLists.txt
rename to src/analyzer/protocol/finger/CMakeLists.txt
diff --git a/src/analyzer/protocols/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc
similarity index 97%
rename from src/analyzer/protocols/finger/Finger.cc
rename to src/analyzer/protocol/finger/Finger.cc
index dce2cfef9f..bf9bdcc68a 100644
--- a/src/analyzer/protocols/finger/Finger.cc
+++ b/src/analyzer/protocol/finger/Finger.cc
@@ -7,7 +7,7 @@
 #include "NetVar.h"
 #include "Finger.h"
 #include "Event.h"
-#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/finger/Finger.h b/src/analyzer/protocol/finger/Finger.h
similarity index 89%
rename from src/analyzer/protocols/finger/Finger.h
rename to src/analyzer/protocol/finger/Finger.h
index 5624030f80..efea0fae6b 100644
--- a/src/analyzer/protocols/finger/Finger.h
+++ b/src/analyzer/protocol/finger/Finger.h
@@ -3,8 +3,8 @@
 #ifndef ANALYZER_PROTOCOL_FINGER_FINGER_H
 #define ANALYZER_PROTOCOL_FINGER_FINGER_H
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
 namespace analyzer { namespace finger {
diff --git a/src/analyzer/protocols/finger/Plugin.cc b/src/analyzer/protocol/finger/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/finger/Plugin.cc
rename to src/analyzer/protocol/finger/Plugin.cc
diff --git a/src/analyzer/protocols/finger/events.bif b/src/analyzer/protocol/finger/events.bif
similarity index 100%
rename from src/analyzer/protocols/finger/events.bif
rename to src/analyzer/protocol/finger/events.bif
diff --git a/src/analyzer/protocols/ftp/CMakeLists.txt b/src/analyzer/protocol/ftp/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/ftp/CMakeLists.txt
rename to src/analyzer/protocol/ftp/CMakeLists.txt
diff --git a/src/analyzer/protocols/ftp/FTP.cc b/src/analyzer/protocol/ftp/FTP.cc
similarity index 99%
rename from src/analyzer/protocols/ftp/FTP.cc
rename to src/analyzer/protocol/ftp/FTP.cc
index aed14b8de8..91afe6f8a4 100644
--- a/src/analyzer/protocols/ftp/FTP.cc
+++ b/src/analyzer/protocol/ftp/FTP.cc
@@ -9,7 +9,7 @@
 #include "Event.h"
 #include "Base64.h"
 #include "analyzer/Manager.h"
-#include "analyzer/protocols/login/NVT.h"
+#include "analyzer/protocol/login/NVT.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/ftp/FTP.h b/src/analyzer/protocol/ftp/FTP.h
similarity index 94%
rename from src/analyzer/protocols/ftp/FTP.h
rename to src/analyzer/protocol/ftp/FTP.h
index 577082644a..1cffa19b1d 100644
--- a/src/analyzer/protocols/ftp/FTP.h
+++ b/src/analyzer/protocol/ftp/FTP.h
@@ -3,8 +3,8 @@
 #ifndef ANALYZER_PROTOCOL_FTP_FTP_H
 #define ANALYZER_PROTOCOL_FTP_FTP_H
-#include "analyzer/protocols/login/NVT.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/login/NVT.h"
+#include "analyzer/protocol/tcp/TCP.h"
 namespace analyzer { namespace ftp {
diff --git a/src/analyzer/protocols/ftp/Plugin.cc b/src/analyzer/protocol/ftp/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/ftp/Plugin.cc
rename to src/analyzer/protocol/ftp/Plugin.cc
diff --git a/src/analyzer/protocols/ftp/events.bif b/src/analyzer/protocol/ftp/events.bif
similarity index 100%
rename from src/analyzer/protocols/ftp/events.bif
rename to src/analyzer/protocol/ftp/events.bif
diff --git a/src/analyzer/protocols/ftp/functions.bif b/src/analyzer/protocol/ftp/functions.bif
similarity index 100%
rename from src/analyzer/protocols/ftp/functions.bif
rename to src/analyzer/protocol/ftp/functions.bif
diff --git a/src/analyzer/protocols/gnutella/CMakeLists.txt b/src/analyzer/protocol/gnutella/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/gnutella/CMakeLists.txt
rename to src/analyzer/protocol/gnutella/CMakeLists.txt
diff --git a/src/analyzer/protocols/gnutella/Gnutella.cc b/src/analyzer/protocol/gnutella/Gnutella.cc
similarity index 99%
rename from src/analyzer/protocols/gnutella/Gnutella.cc
rename to src/analyzer/protocol/gnutella/Gnutella.cc
index a0d8812218..c0bab92007 100644
--- a/src/analyzer/protocols/gnutella/Gnutella.cc
+++ b/src/analyzer/protocol/gnutella/Gnutella.cc
@@ -9,7 +9,7 @@
#include "NetVar.h"
#include "Gnutella.h"
#include "Event.h"
-#include "analyzer/protocols/pia/PIA.h"
+#include "analyzer/protocol/pia/PIA.h"
#include "analyzer/Manager.h"
#include "events.bif.h"
diff --git a/src/analyzer/protocols/gnutella/Gnutella.h b/src/analyzer/protocol/gnutella/Gnutella.h
similarity index 97%
rename from src/analyzer/protocols/gnutella/Gnutella.h
rename to src/analyzer/protocol/gnutella/Gnutella.h
index d67d319c4e..11d51cf276 100644
--- a/src/analyzer/protocols/gnutella/Gnutella.h
+++ b/src/analyzer/protocol/gnutella/Gnutella.h
@@ -3,7 +3,7 @@
#ifndef ANALYZER_PROTOCOL_GNUTELLA_GNUTELLA_H
#define ANALYZER_PROTOCOL_GNUTELLA_GNUTELLA_H
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
#define ORIG_OK 0x1
#define RESP_OK 0x2
diff --git a/src/analyzer/protocols/gnutella/Plugin.cc b/src/analyzer/protocol/gnutella/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/gnutella/Plugin.cc
rename to src/analyzer/protocol/gnutella/Plugin.cc
diff --git a/src/analyzer/protocols/gnutella/events.bif b/src/analyzer/protocol/gnutella/events.bif
similarity index 100%
rename from src/analyzer/protocols/gnutella/events.bif
rename to src/analyzer/protocol/gnutella/events.bif
diff --git a/src/analyzer/protocols/gtpv1/CMakeLists.txt b/src/analyzer/protocol/gtpv1/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/gtpv1/CMakeLists.txt
rename to src/analyzer/protocol/gtpv1/CMakeLists.txt
diff --git a/src/analyzer/protocols/gtpv1/GTPv1.cc b/src/analyzer/protocol/gtpv1/GTPv1.cc
similarity index 100%
rename from src/analyzer/protocols/gtpv1/GTPv1.cc
rename to src/analyzer/protocol/gtpv1/GTPv1.cc
diff --git a/src/analyzer/protocols/gtpv1/GTPv1.h b/src/analyzer/protocol/gtpv1/GTPv1.h
similarity index 100%
rename from src/analyzer/protocols/gtpv1/GTPv1.h
rename to src/analyzer/protocol/gtpv1/GTPv1.h
diff --git a/src/analyzer/protocols/gtpv1/Plugin.cc b/src/analyzer/protocol/gtpv1/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/gtpv1/Plugin.cc
rename to src/analyzer/protocol/gtpv1/Plugin.cc
diff --git a/src/analyzer/protocols/gtpv1/events.bif b/src/analyzer/protocol/gtpv1/events.bif
similarity index 100%
rename from src/analyzer/protocols/gtpv1/events.bif
rename to src/analyzer/protocol/gtpv1/events.bif
diff --git a/src/analyzer/protocols/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
similarity index 100%
rename from src/analyzer/protocols/gtpv1/gtpv1-analyzer.pac
rename to src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
diff --git a/src/analyzer/protocols/gtpv1/gtpv1-protocol.pac b/src/analyzer/protocol/gtpv1/gtpv1-protocol.pac
similarity index 100%
rename from src/analyzer/protocols/gtpv1/gtpv1-protocol.pac
rename to src/analyzer/protocol/gtpv1/gtpv1-protocol.pac
diff --git a/src/analyzer/protocols/gtpv1/gtpv1.pac b/src/analyzer/protocol/gtpv1/gtpv1.pac
similarity index 100%
rename from src/analyzer/protocols/gtpv1/gtpv1.pac
rename to src/analyzer/protocol/gtpv1/gtpv1.pac
diff --git a/src/analyzer/protocols/http/CMakeLists.txt b/src/analyzer/protocol/http/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/http/CMakeLists.txt
rename to src/analyzer/protocol/http/CMakeLists.txt
diff --git a/src/analyzer/protocols/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
similarity index 99%
rename from src/analyzer/protocols/http/HTTP.cc
rename to src/analyzer/protocol/http/HTTP.cc
index 899c7de01f..f0d81482c0 100644
--- a/src/analyzer/protocols/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -11,7 +11,7 @@
#include "NetVar.h"
#include "HTTP.h"
#include "Event.h"
-#include "analyzer/protocols/mime/MIME.h"
+#include "analyzer/protocol/mime/MIME.h"
#include "events.bif.h"
diff --git a/src/analyzer/protocols/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h
similarity index 97%
rename from src/analyzer/protocols/http/HTTP.h
rename to src/analyzer/protocol/http/HTTP.h
index cb53e30c9a..8896d4fa07 100644
--- a/src/analyzer/protocols/http/HTTP.h
+++ b/src/analyzer/protocol/http/HTTP.h
@@ -3,10 +3,10 @@
#ifndef ANALYZER_PROTOCOL_HTTP_HTTP_H
#define ANALYZER_PROTOCOL_HTTP_HTTP_H
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/tcp/ContentLine.h"
-#include "analyzer/protocols/zip/ZIP.h"
-#include "analyzer/protocols/mime/MIME.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
+#include "analyzer/protocol/zip/ZIP.h"
+#include "analyzer/protocol/mime/MIME.h"
#include "binpac_bro.h"
#include "IPAddr.h"
#include "events.bif.h"
diff --git a/src/analyzer/protocols/http/Plugin.cc b/src/analyzer/protocol/http/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/http/Plugin.cc
rename to src/analyzer/protocol/http/Plugin.cc
diff --git a/src/analyzer/protocols/http/events.bif b/src/analyzer/protocol/http/events.bif
similarity index 100%
rename from src/analyzer/protocols/http/events.bif
rename to src/analyzer/protocol/http/events.bif
diff --git a/src/analyzer/protocols/http/functions.bif b/src/analyzer/protocol/http/functions.bif
similarity index 97%
rename from src/analyzer/protocols/http/functions.bif
rename to src/analyzer/protocol/http/functions.bif
index eb9caf2a9a..c4e5df80d5 100644
--- a/src/analyzer/protocols/http/functions.bif
+++ b/src/analyzer/protocol/http/functions.bif
@@ -1,6 +1,6 @@
%%{
-#include "protocols/http/HTTP.h"
+#include "protocol/http/HTTP.h"
%%}
## Skips the data of the HTTP entity.
diff --git a/src/analyzer/protocols/icmp/CMakeLists.txt b/src/analyzer/protocol/icmp/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/icmp/CMakeLists.txt
rename to src/analyzer/protocol/icmp/CMakeLists.txt
diff --git a/src/analyzer/protocols/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc
similarity index 100%
rename from src/analyzer/protocols/icmp/ICMP.cc
rename to src/analyzer/protocol/icmp/ICMP.cc
diff --git a/src/analyzer/protocols/icmp/ICMP.h b/src/analyzer/protocol/icmp/ICMP.h
similarity index 100%
rename from src/analyzer/protocols/icmp/ICMP.h
rename to src/analyzer/protocol/icmp/ICMP.h
diff --git a/src/analyzer/protocols/icmp/Plugin.cc b/src/analyzer/protocol/icmp/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/icmp/Plugin.cc
rename to src/analyzer/protocol/icmp/Plugin.cc
diff --git a/src/analyzer/protocols/icmp/events.bif b/src/analyzer/protocol/icmp/events.bif
similarity index 100%
rename from src/analyzer/protocols/icmp/events.bif
rename to src/analyzer/protocol/icmp/events.bif
diff --git a/src/analyzer/protocols/ident/CMakeLists.txt b/src/analyzer/protocol/ident/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/ident/CMakeLists.txt
rename to src/analyzer/protocol/ident/CMakeLists.txt
diff --git a/src/analyzer/protocols/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc
similarity index 100%
rename from src/analyzer/protocols/ident/Ident.cc
rename to src/analyzer/protocol/ident/Ident.cc
diff --git a/src/analyzer/protocols/ident/Ident.h b/src/analyzer/protocol/ident/Ident.h
similarity index 91%
rename from src/analyzer/protocols/ident/Ident.h
rename to src/analyzer/protocol/ident/Ident.h
index 7e1b7508c5..31df1dcdc6 100644
--- a/src/analyzer/protocols/ident/Ident.h
+++ b/src/analyzer/protocol/ident/Ident.h
@@ -3,8 +3,8 @@
#ifndef ANALYZER_PROTOCOL_IDENT_IDENT_H
#define ANALYZER_PROTOCOL_IDENT_IDENT_H
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
namespace analyzer { namespace ident {
diff --git a/src/analyzer/protocols/ident/Plugin.cc b/src/analyzer/protocol/ident/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/ident/Plugin.cc
rename to src/analyzer/protocol/ident/Plugin.cc
diff --git a/src/analyzer/protocols/ident/events.bif b/src/analyzer/protocol/ident/events.bif
similarity index 100%
rename from src/analyzer/protocols/ident/events.bif
rename to src/analyzer/protocol/ident/events.bif
diff --git a/src/analyzer/protocols/interconn/CMakeLists.txt b/src/analyzer/protocol/interconn/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/interconn/CMakeLists.txt
rename to src/analyzer/protocol/interconn/CMakeLists.txt
diff --git a/src/analyzer/protocols/interconn/InterConn.cc b/src/analyzer/protocol/interconn/InterConn.cc
similarity index 99%
rename from src/analyzer/protocols/interconn/InterConn.cc
rename to src/analyzer/protocol/interconn/InterConn.cc
index 58dc6c2bf0..4b298eaa52 100644
--- a/src/analyzer/protocols/interconn/InterConn.cc
+++ b/src/analyzer/protocol/interconn/InterConn.cc
@@ -5,7 +5,7 @@
#include "InterConn.h"
#include "Event.h"
#include "Net.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
#include "events.bif.h"
diff --git a/src/analyzer/protocols/interconn/InterConn.h b/src/analyzer/protocol/interconn/InterConn.h
similarity index 98%
rename from src/analyzer/protocols/interconn/InterConn.h
rename to src/analyzer/protocol/interconn/InterConn.h
index 4faa684818..b13abecab1 100644
--- a/src/analyzer/protocols/interconn/InterConn.h
+++ b/src/analyzer/protocol/interconn/InterConn.h
@@ -3,7 +3,7 @@
#ifndef ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H
#define ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
#include "Timer.h"
#include "NetVar.h"
diff --git a/src/analyzer/protocols/interconn/Plugin.cc b/src/analyzer/protocol/interconn/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/interconn/Plugin.cc
rename to src/analyzer/protocol/interconn/Plugin.cc
diff --git a/src/analyzer/protocols/interconn/events.bif b/src/analyzer/protocol/interconn/events.bif
similarity index 100%
rename from src/analyzer/protocols/interconn/events.bif
rename to src/analyzer/protocol/interconn/events.bif
diff --git a/src/analyzer/protocols/irc/CMakeLists.txt b/src/analyzer/protocol/irc/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/irc/CMakeLists.txt
rename to src/analyzer/protocol/irc/CMakeLists.txt
diff --git a/src/analyzer/protocols/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc
similarity index 99%
rename from src/analyzer/protocols/irc/IRC.cc
rename to src/analyzer/protocol/irc/IRC.cc
index 7ac06a708f..71f591635f 100644
--- a/src/analyzer/protocols/irc/IRC.cc
+++ b/src/analyzer/protocol/irc/IRC.cc
@@ -2,10 +2,10 @@
#include
#include "IRC.h"
-#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
#include "NetVar.h"
#include "Event.h"
-#include "analyzer/protocols/zip/ZIP.h"
+#include "analyzer/protocol/zip/ZIP.h"
#include "analyzer/Manager.h"
#include "events.bif.h"
diff --git a/src/analyzer/protocols/irc/IRC.h b/src/analyzer/protocol/irc/IRC.h
similarity index 97%
rename from src/analyzer/protocols/irc/IRC.h
rename to src/analyzer/protocol/irc/IRC.h
index a0f35639d3..a4112ccb12 100644
--- a/src/analyzer/protocols/irc/IRC.h
+++ b/src/analyzer/protocol/irc/IRC.h
@@ -2,7 +2,7 @@
#ifndef ANALYZER_PROTOCOL_IRC_IRC_H
#define ANALYZER_PROTOCOL_IRC_IRC_H
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
namespace analyzer { namespace irc {
diff --git a/src/analyzer/protocols/irc/Plugin.cc b/src/analyzer/protocol/irc/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/irc/Plugin.cc
rename to src/analyzer/protocol/irc/Plugin.cc
diff --git a/src/analyzer/protocols/irc/events.bif b/src/analyzer/protocol/irc/events.bif
similarity index 100%
rename from src/analyzer/protocols/irc/events.bif
rename to src/analyzer/protocol/irc/events.bif
diff --git a/src/analyzer/protocols/login/CMakeLists.txt b/src/analyzer/protocol/login/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/login/CMakeLists.txt
rename to src/analyzer/protocol/login/CMakeLists.txt
diff --git a/src/analyzer/protocols/login/Login.cc b/src/analyzer/protocol/login/Login.cc
similarity index 100%
rename from src/analyzer/protocols/login/Login.cc
rename to src/analyzer/protocol/login/Login.cc
diff --git a/src/analyzer/protocols/login/Login.h b/src/analyzer/protocol/login/Login.h
similarity index 98%
rename from src/analyzer/protocols/login/Login.h
rename to src/analyzer/protocol/login/Login.h
index 3d41ad94c3..2178bdff1a 100644
--- a/src/analyzer/protocols/login/Login.h
+++ b/src/analyzer/protocol/login/Login.h
@@ -3,7 +3,7 @@
#ifndef ANALYZER_PROTOCOL_LOGIN_LOGIN_H
#define ANALYZER_PROTOCOL_LOGIN_LOGIN_H
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
namespace analyzer { namespace login {
diff --git a/src/analyzer/protocols/login/NVT.cc b/src/analyzer/protocol/login/NVT.cc
similarity index 99%
rename from src/analyzer/protocols/login/NVT.cc
rename to src/analyzer/protocol/login/NVT.cc
index 2c79fd7195..62e4d0c050 100644
--- a/src/analyzer/protocols/login/NVT.cc
+++ b/src/analyzer/protocol/login/NVT.cc
@@ -7,7 +7,7 @@
#include "NVT.h"
#include "NetVar.h"
#include "Event.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
#include "events.bif.h"
diff --git a/src/analyzer/protocols/login/NVT.h b/src/analyzer/protocol/login/NVT.h
similarity index 98%
rename from src/analyzer/protocols/login/NVT.h
rename to src/analyzer/protocol/login/NVT.h
index 9fb85c8823..3bcadcdc8e 100644
--- a/src/analyzer/protocols/login/NVT.h
+++ b/src/analyzer/protocol/login/NVT.h
@@ -3,7 +3,7 @@
#ifndef ANALYZER_PROTOCOL_LOGIN_NVT_H
#define ANALYZER_PROTOCOL_LOGIN_NVT_H
-#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
#define TELNET_OPTION_BINARY 0
#define TELNET_OPTION_TERMINAL 24
diff --git a/src/analyzer/protocols/login/Plugin.cc b/src/analyzer/protocol/login/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/login/Plugin.cc
rename to src/analyzer/protocol/login/Plugin.cc
diff --git a/src/analyzer/protocols/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc
similarity index 100%
rename from src/analyzer/protocols/login/RSH.cc
rename to src/analyzer/protocol/login/RSH.cc
diff --git a/src/analyzer/protocols/login/RSH.h b/src/analyzer/protocol/login/RSH.h
similarity index 96%
rename from src/analyzer/protocols/login/RSH.h
rename to src/analyzer/protocol/login/RSH.h
index c2d19c8958..2036ea966a 100644
--- a/src/analyzer/protocols/login/RSH.h
+++ b/src/analyzer/protocol/login/RSH.h
@@ -4,7 +4,7 @@
#define ANALYZER_PROTOCOL_LOGIN_RSH_H
#include "Login.h"
-#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
namespace analyzer { namespace login {
diff --git a/src/analyzer/protocols/login/Rlogin.cc b/src/analyzer/protocol/login/Rlogin.cc
similarity index 100%
rename from src/analyzer/protocols/login/Rlogin.cc
rename to src/analyzer/protocol/login/Rlogin.cc
diff --git a/src/analyzer/protocols/login/Rlogin.h b/src/analyzer/protocol/login/Rlogin.h
similarity index 97%
rename from src/analyzer/protocols/login/Rlogin.h
rename to src/analyzer/protocol/login/Rlogin.h
index 3efdfa8107..79de3b8952 100644
--- a/src/analyzer/protocols/login/Rlogin.h
+++ b/src/analyzer/protocol/login/Rlogin.h
@@ -4,7 +4,7 @@
#define ANALYZER_PROTOCOL_LOGIN_RLOGIN_H
#include "Login.h"
-#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
namespace analyzer { namespace login {
diff --git a/src/analyzer/protocols/login/Telnet.cc b/src/analyzer/protocol/login/Telnet.cc
similarity index 100%
rename from src/analyzer/protocols/login/Telnet.cc
rename to src/analyzer/protocol/login/Telnet.cc
diff --git a/src/analyzer/protocols/login/Telnet.h b/src/analyzer/protocol/login/Telnet.h
similarity index 100%
rename from src/analyzer/protocols/login/Telnet.h
rename to src/analyzer/protocol/login/Telnet.h
diff --git a/src/analyzer/protocols/login/events.bif b/src/analyzer/protocol/login/events.bif
similarity index 100%
rename from src/analyzer/protocols/login/events.bif
rename to src/analyzer/protocol/login/events.bif
diff --git a/src/analyzer/protocols/login/functions.bif b/src/analyzer/protocol/login/functions.bif
similarity index 100%
rename from src/analyzer/protocols/login/functions.bif
rename to src/analyzer/protocol/login/functions.bif
diff --git a/src/analyzer/protocols/mime/CMakeLists.txt b/src/analyzer/protocol/mime/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/mime/CMakeLists.txt
rename to src/analyzer/protocol/mime/CMakeLists.txt
diff --git a/src/analyzer/protocols/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc
similarity index 100%
rename from src/analyzer/protocols/mime/MIME.cc
rename to src/analyzer/protocol/mime/MIME.cc
diff --git a/src/analyzer/protocols/mime/MIME.h b/src/analyzer/protocol/mime/MIME.h
similarity index 100%
rename from src/analyzer/protocols/mime/MIME.h
rename to src/analyzer/protocol/mime/MIME.h
diff --git a/src/analyzer/protocols/mime/Plugin.cc b/src/analyzer/protocol/mime/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/mime/Plugin.cc
rename to src/analyzer/protocol/mime/Plugin.cc
diff --git a/src/analyzer/protocols/mime/events.bif b/src/analyzer/protocol/mime/events.bif
similarity index 100%
rename from src/analyzer/protocols/mime/events.bif
rename to src/analyzer/protocol/mime/events.bif
diff --git a/src/analyzer/protocols/modbus/CMakeLists.txt b/src/analyzer/protocol/modbus/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/modbus/CMakeLists.txt
rename to src/analyzer/protocol/modbus/CMakeLists.txt
diff --git a/src/analyzer/protocols/modbus/Modbus.cc b/src/analyzer/protocol/modbus/Modbus.cc
similarity index 94%
rename from src/analyzer/protocols/modbus/Modbus.cc
rename to src/analyzer/protocol/modbus/Modbus.cc
index b36b916d06..9d216d356b 100644
--- a/src/analyzer/protocols/modbus/Modbus.cc
+++ b/src/analyzer/protocol/modbus/Modbus.cc
@@ -1,6 +1,6 @@
#include "Modbus.h"
-#include "analyzer/protocols/tcp/TCP_Reassembler.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
#include "events.bif.h"
diff --git a/src/analyzer/protocols/modbus/Modbus.h b/src/analyzer/protocol/modbus/Modbus.h
similarity index 94%
rename from src/analyzer/protocols/modbus/Modbus.h
rename to src/analyzer/protocol/modbus/Modbus.h
index 9ecd952e2e..6f566be828 100644
--- a/src/analyzer/protocols/modbus/Modbus.h
+++ b/src/analyzer/protocol/modbus/Modbus.h
@@ -1,7 +1,7 @@
#ifndef ANALYZER_PROTOCOL_MODBUS_MODBUS_H
#define ANALYZER_PROTOCOL_MODBUS_MODBUS_H
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
#include "modbus_pac.h"
namespace analyzer { namespace modbus {
diff --git a/src/analyzer/protocols/modbus/Plugin.cc b/src/analyzer/protocol/modbus/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/modbus/Plugin.cc
rename to src/analyzer/protocol/modbus/Plugin.cc
diff --git a/src/analyzer/protocols/modbus/events.bif b/src/analyzer/protocol/modbus/events.bif
similarity index 100%
rename from src/analyzer/protocols/modbus/events.bif
rename to src/analyzer/protocol/modbus/events.bif
diff --git a/src/analyzer/protocols/modbus/modbus-analyzer.pac b/src/analyzer/protocol/modbus/modbus-analyzer.pac
similarity index 100%
rename from src/analyzer/protocols/modbus/modbus-analyzer.pac
rename to src/analyzer/protocol/modbus/modbus-analyzer.pac
diff --git a/src/analyzer/protocols/modbus/modbus-protocol.pac b/src/analyzer/protocol/modbus/modbus-protocol.pac
similarity index 100%
rename from src/analyzer/protocols/modbus/modbus-protocol.pac
rename to src/analyzer/protocol/modbus/modbus-protocol.pac
diff --git a/src/analyzer/protocols/modbus/modbus.pac b/src/analyzer/protocol/modbus/modbus.pac
similarity index 100%
rename from src/analyzer/protocols/modbus/modbus.pac
rename to src/analyzer/protocol/modbus/modbus.pac
diff --git a/src/analyzer/protocols/ncp/CMakeLists.txt b/src/analyzer/protocol/ncp/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/ncp/CMakeLists.txt
rename to src/analyzer/protocol/ncp/CMakeLists.txt
diff --git a/src/analyzer/protocols/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc
similarity index 100%
rename from src/analyzer/protocols/ncp/NCP.cc
rename to src/analyzer/protocol/ncp/NCP.cc
diff --git a/src/analyzer/protocols/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h
similarity index 96%
rename from src/analyzer/protocols/ncp/NCP.h
rename to src/analyzer/protocol/ncp/NCP.h
index aa667657ca..34174df74e 100644
--- a/src/analyzer/protocols/ncp/NCP.h
+++ b/src/analyzer/protocol/ncp/NCP.h
@@ -19,7 +19,7 @@
// http://faydoc.tripod.com/structures/21/2149.htm
#include "NetVar.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
#include "ncp_pac.h"
@@ -73,7 +73,7 @@ protected:
int buf_len; // size off msg_buf
};
-#define ANALYZER_PROTOCOL_NCP_NCP_HEADER_LENGTH 8
+#define NCP_TCPIP_HEADER_LENGTH 8
class NCP_FrameBuffer : public FrameBuffer {
public:
diff --git a/src/analyzer/protocols/ncp/NCP_func.def b/src/analyzer/protocol/ncp/NCP_func.def
similarity index 100%
rename from src/analyzer/protocols/ncp/NCP_func.def
rename to src/analyzer/protocol/ncp/NCP_func.def
diff --git a/src/analyzer/protocols/ncp/Plugin.cc b/src/analyzer/protocol/ncp/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/ncp/Plugin.cc
rename to src/analyzer/protocol/ncp/Plugin.cc
diff --git a/src/analyzer/protocols/ncp/events.bif b/src/analyzer/protocol/ncp/events.bif
similarity index 100%
rename from src/analyzer/protocols/ncp/events.bif
rename to src/analyzer/protocol/ncp/events.bif
diff --git a/src/analyzer/protocols/ncp/ncp.pac b/src/analyzer/protocol/ncp/ncp.pac
similarity index 100%
rename from src/analyzer/protocols/ncp/ncp.pac
rename to src/analyzer/protocol/ncp/ncp.pac
diff --git a/src/analyzer/protocols/netbios/CMakeLists.txt b/src/analyzer/protocol/netbios/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/netbios/CMakeLists.txt
rename to src/analyzer/protocol/netbios/CMakeLists.txt
diff --git a/src/analyzer/protocols/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc
similarity index 100%
rename from src/analyzer/protocols/netbios/NetbiosSSN.cc
rename to src/analyzer/protocol/netbios/NetbiosSSN.cc
diff --git a/src/analyzer/protocols/netbios/NetbiosSSN.h b/src/analyzer/protocol/netbios/NetbiosSSN.h
similarity index 97%
rename from src/analyzer/protocols/netbios/NetbiosSSN.h
rename to src/analyzer/protocol/netbios/NetbiosSSN.h
index 5908250669..7c2728ef9a 100644
--- a/src/analyzer/protocols/netbios/NetbiosSSN.h
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.h
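Review bot: The renamed macro `NCP_TCPIP_HEADER_LENGTH` in NCP.h drops the `ANALYZER_PROTOCOL_` prefix that this header's include guard and every other guard in this series carry, so a short, unscoped `#define` now leaks from a public header into every translation unit that includes it and can collide with or silently shadow an identically named definition elsewhere. Any remaining reference to the old name `ANALYZER_PROTOCOL_NCP_NCP_HEADER_LENGTH` outside this hunk is not visible here and would fail to compile, so the rest of the series should be checked for it. A scoped constant avoids both problems: `const int NCP_TCPIP_HEADER_LENGTH = 8;` placed inside the header's own namespace (presumably `analyzer::ncp`, following the sibling headers in this series), provided the value is not needed in a preprocessor `#if`. The enclosing class and the surrounding definitions start and end outside the hunk.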
@@ -3,9 +3,9 @@
#ifndef ANALYZER_PROTOCOL_NETBIOS_SSN_NETBIOSSSN_H
#define ANALYZER_PROTOCOL_NETBIOS_SSN_NETBIOSSSN_H
-#include "analyzer/protocols/udp/UDP.h"
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/smb/SMB.h"
+#include "analyzer/protocol/udp/UDP.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/smb/SMB.h"
namespace analyzer { namespace netbios_ssn {
diff --git a/src/analyzer/protocols/netbios/Plugin.cc b/src/analyzer/protocol/netbios/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/netbios/Plugin.cc
rename to src/analyzer/protocol/netbios/Plugin.cc
diff --git a/src/analyzer/protocols/netbios/events.bif b/src/analyzer/protocol/netbios/events.bif
similarity index 100%
rename from src/analyzer/protocols/netbios/events.bif
rename to src/analyzer/protocol/netbios/events.bif
diff --git a/src/analyzer/protocols/netbios/functions.bif b/src/analyzer/protocol/netbios/functions.bif
similarity index 100%
rename from src/analyzer/protocols/netbios/functions.bif
rename to src/analyzer/protocol/netbios/functions.bif
diff --git a/src/analyzer/protocols/netflow/CMakeLists.txt b/src/analyzer/protocol/netflow/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/netflow/CMakeLists.txt
rename to src/analyzer/protocol/netflow/CMakeLists.txt
diff --git a/src/analyzer/protocols/netflow/Plugin.cc b/src/analyzer/protocol/netflow/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/netflow/Plugin.cc
rename to src/analyzer/protocol/netflow/Plugin.cc
diff --git a/src/analyzer/protocols/netflow/events.bif b/src/analyzer/protocol/netflow/events.bif
similarity index 100%
rename from src/analyzer/protocols/netflow/events.bif
rename to src/analyzer/protocol/netflow/events.bif
diff --git a/src/analyzer/protocols/netflow/netflow-analyzer.pac b/src/analyzer/protocol/netflow/netflow-analyzer.pac
similarity index 100%
rename from src/analyzer/protocols/netflow/netflow-analyzer.pac
rename to src/analyzer/protocol/netflow/netflow-analyzer.pac
diff --git a/src/analyzer/protocols/netflow/netflow-protocol.pac b/src/analyzer/protocol/netflow/netflow-protocol.pac
similarity index 100%
rename from src/analyzer/protocols/netflow/netflow-protocol.pac
rename to src/analyzer/protocol/netflow/netflow-protocol.pac
diff --git a/src/analyzer/protocols/netflow/netflow.pac b/src/analyzer/protocol/netflow/netflow.pac
similarity index 100%
rename from src/analyzer/protocols/netflow/netflow.pac
rename to src/analyzer/protocol/netflow/netflow.pac
diff --git a/src/analyzer/protocols/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/ntp/CMakeLists.txt
rename to src/analyzer/protocol/ntp/CMakeLists.txt
diff --git a/src/analyzer/protocols/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc
similarity index 100%
rename from src/analyzer/protocols/ntp/NTP.cc
rename to src/analyzer/protocol/ntp/NTP.cc
diff --git a/src/analyzer/protocols/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h
similarity index 97%
rename from src/analyzer/protocols/ntp/NTP.h
rename to src/analyzer/protocol/ntp/NTP.h
index 25cc9bad43..201c5a8774 100644
--- a/src/analyzer/protocols/ntp/NTP.h
+++ b/src/analyzer/protocol/ntp/NTP.h
@@ -3,7 +3,7 @@
#ifndef ANALYZER_PROTOCOL_NTP_NTP_H
#define ANALYZER_PROTOCOL_NTP_NTP_H
-#include "analyzer/protocols/udp/UDP.h"
+#include "analyzer/protocol/udp/UDP.h"
// The following are from the tcpdump distribution, credited there
// to the U of MD implementation.
diff --git a/src/analyzer/protocols/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/ntp/Plugin.cc
rename to src/analyzer/protocol/ntp/Plugin.cc
diff --git a/src/analyzer/protocols/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif
similarity index 100%
rename from src/analyzer/protocols/ntp/events.bif
rename to src/analyzer/protocol/ntp/events.bif
diff --git a/src/analyzer/protocols/pia/CMakeLists.txt b/src/analyzer/protocol/pia/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/pia/CMakeLists.txt
rename to src/analyzer/protocol/pia/CMakeLists.txt
diff --git a/src/analyzer/protocols/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc
similarity index 99%
rename from src/analyzer/protocols/pia/PIA.cc
rename to src/analyzer/protocol/pia/PIA.cc
index d5defc018e..cc1dd7ea0e 100644
--- a/src/analyzer/protocols/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@@ -1,6 +1,6 @@
#include "PIA.h"
#include "RuleMatcher.h"
-#include "analyzer/protocols/tcp/TCP_Reassembler.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
#include "events.bif.h"
diff --git a/src/analyzer/protocols/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h
similarity index 99%
rename from src/analyzer/protocols/pia/PIA.h
rename to src/analyzer/protocol/pia/PIA.h
index a117a60978..d8c272d219 100644
--- a/src/analyzer/protocols/pia/PIA.h
+++ b/src/analyzer/protocol/pia/PIA.h
@@ -4,7 +4,7 @@
#define ANALYZER_PROTOCOL_PIA_PIA_H
#include "analyzer/Analyzer.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
class RuleEndpointState;
diff --git a/src/analyzer/protocols/pia/Plugin.cc b/src/analyzer/protocol/pia/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/pia/Plugin.cc
rename to src/analyzer/protocol/pia/Plugin.cc
diff --git a/src/analyzer/protocols/pia/events.bif b/src/analyzer/protocol/pia/events.bif
similarity index 100%
rename from src/analyzer/protocols/pia/events.bif
rename to src/analyzer/protocol/pia/events.bif
diff --git a/src/analyzer/protocols/pop3/CMakeLists.txt b/src/analyzer/protocol/pop3/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/pop3/CMakeLists.txt
rename to src/analyzer/protocol/pop3/CMakeLists.txt
diff --git a/src/analyzer/protocols/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc
similarity index 99%
rename from src/analyzer/protocols/pop3/POP3.cc
rename to src/analyzer/protocol/pop3/POP3.cc
index 7a81da1b5e..652fd20e32 100644
--- a/src/analyzer/protocols/pop3/POP3.cc
+++ b/src/analyzer/protocol/pop3/POP3.cc
@@ -13,7 +13,7 @@
#include "POP3.h"
#include "Event.h"
#include "Reporter.h"
-#include "analyzer/protocols/login/NVT.h"
+#include "analyzer/protocol/login/NVT.h"
#include "events.bif.h"
diff --git a/src/analyzer/protocols/pop3/POP3.h b/src/analyzer/protocol/pop3/POP3.h
similarity index 94%
rename from src/analyzer/protocols/pop3/POP3.h
rename to src/analyzer/protocol/pop3/POP3.h
index bd882f480b..ab535420e5 100644
--- a/src/analyzer/protocols/pop3/POP3.h
+++ b/src/analyzer/protocol/pop3/POP3.h
@@ -9,9 +9,9 @@
#include
#include
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/login/NVT.h"
-#include "analyzer/protocols/mime/MIME.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/login/NVT.h"
+#include "analyzer/protocol/mime/MIME.h"
#undef POP3_CMD_DEF
#define POP3_CMD_DEF(cmd) POP3_CMD_##cmd,
diff --git a/src/analyzer/protocols/pop3/POP3_cmd.def b/src/analyzer/protocol/pop3/POP3_cmd.def
similarity index 100%
rename from src/analyzer/protocols/pop3/POP3_cmd.def
rename to src/analyzer/protocol/pop3/POP3_cmd.def
diff --git a/src/analyzer/protocols/pop3/Plugin.cc b/src/analyzer/protocol/pop3/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/pop3/Plugin.cc
rename to src/analyzer/protocol/pop3/Plugin.cc
diff --git a/src/analyzer/protocols/pop3/events.bif b/src/analyzer/protocol/pop3/events.bif
similarity index 100%
rename from src/analyzer/protocols/pop3/events.bif
rename to src/analyzer/protocol/pop3/events.bif
diff --git a/src/analyzer/protocols/rpc/CMakeLists.txt b/src/analyzer/protocol/rpc/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/rpc/CMakeLists.txt
rename to src/analyzer/protocol/rpc/CMakeLists.txt
diff --git a/src/analyzer/protocols/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc
similarity index 100%
rename from src/analyzer/protocols/rpc/NFS.cc
rename to src/analyzer/protocol/rpc/NFS.cc
diff --git a/src/analyzer/protocols/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h
similarity index 100%
rename from src/analyzer/protocols/rpc/NFS.h
rename to src/analyzer/protocol/rpc/NFS.h
diff --git a/src/analyzer/protocols/rpc/Plugin.cc b/src/analyzer/protocol/rpc/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/rpc/Plugin.cc
rename to src/analyzer/protocol/rpc/Plugin.cc
diff --git a/src/analyzer/protocols/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc
similarity index 100%
rename from src/analyzer/protocols/rpc/Portmap.cc
rename to src/analyzer/protocol/rpc/Portmap.cc
diff --git a/src/analyzer/protocols/rpc/Portmap.h b/src/analyzer/protocol/rpc/Portmap.h
similarity index 100%
rename from src/analyzer/protocols/rpc/Portmap.h
rename to src/analyzer/protocol/rpc/Portmap.h
diff --git a/src/analyzer/protocols/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc
similarity index 100%
rename from src/analyzer/protocols/rpc/RPC.cc
rename to src/analyzer/protocol/rpc/RPC.cc
diff --git a/src/analyzer/protocols/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h
similarity index 98%
rename from src/analyzer/protocols/rpc/RPC.h
rename to src/analyzer/protocol/rpc/RPC.h
index 0face29d50..a705d272f6 100644
--- a/src/analyzer/protocols/rpc/RPC.h
+++ b/src/analyzer/protocol/rpc/RPC.h
@@ -3,8 +3,8 @@
#ifndef ANALYZER_PROTOCOL_RPC_RPC_H
#define ANALYZER_PROTOCOL_RPC_RPC_H
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/udp/UDP.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/udp/UDP.h"
namespace analyzer { namespace rpc {
diff --git a/src/analyzer/protocols/rpc/XDR.cc b/src/analyzer/protocol/rpc/XDR.cc
similarity index 100%
rename from src/analyzer/protocols/rpc/XDR.cc
rename to src/analyzer/protocol/rpc/XDR.cc
diff --git a/src/analyzer/protocols/rpc/XDR.h b/src/analyzer/protocol/rpc/XDR.h
similarity index 100%
rename from src/analyzer/protocols/rpc/XDR.h
rename to src/analyzer/protocol/rpc/XDR.h
diff --git a/src/analyzer/protocols/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif
similarity index 100%
rename from src/analyzer/protocols/rpc/events.bif
rename to src/analyzer/protocol/rpc/events.bif
diff --git a/src/analyzer/protocols/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/smb/CMakeLists.txt
rename to src/analyzer/protocol/smb/CMakeLists.txt
diff --git a/src/analyzer/protocols/smb/Plugin.cc b/src/analyzer/protocol/smb/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/smb/Plugin.cc
rename to src/analyzer/protocol/smb/Plugin.cc
diff --git a/src/analyzer/protocols/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc
similarity index 100%
rename from src/analyzer/protocols/smb/SMB.cc
rename to src/analyzer/protocol/smb/SMB.cc
diff --git a/src/analyzer/protocols/smb/SMB.h b/src/analyzer/protocol/smb/SMB.h
similarity index 98%
rename from src/analyzer/protocols/smb/SMB.h
rename to src/analyzer/protocol/smb/SMB.h
index eed1d2e5a0..b54852e5b7 100644
--- a/src/analyzer/protocols/smb/SMB.h
+++ b/src/analyzer/protocol/smb/SMB.h
@@ -6,8 +6,8 @@
 // SMB (CIFS) analyzer.
 // Reference: http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/dce-rpc/DCE_RPC.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/dce-rpc/DCE_RPC.h"
 #include "smb_pac.h"
 namespace analyzer { namespace smb {
diff --git a/src/analyzer/protocols/smb/SMB_COM.def b/src/analyzer/protocol/smb/SMB_COM.def
similarity index 100%
rename from src/analyzer/protocols/smb/SMB_COM.def
rename to src/analyzer/protocol/smb/SMB_COM.def
diff --git a/src/analyzer/protocols/smb/events.bif b/src/analyzer/protocol/smb/events.bif
similarity index 100%
rename from src/analyzer/protocols/smb/events.bif
rename to src/analyzer/protocol/smb/events.bif
diff --git a/src/analyzer/protocols/smb/smb-mailslot.pac b/src/analyzer/protocol/smb/smb-mailslot.pac
similarity index 100%
rename from src/analyzer/protocols/smb/smb-mailslot.pac
rename to src/analyzer/protocol/smb/smb-mailslot.pac
diff --git a/src/analyzer/protocols/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac
similarity index 100%
rename from src/analyzer/protocols/smb/smb-pipe.pac
rename to src/analyzer/protocol/smb/smb-pipe.pac
diff --git a/src/analyzer/protocols/smb/smb-protocol.pac b/src/analyzer/protocol/smb/smb-protocol.pac
similarity index 100%
rename from src/analyzer/protocols/smb/smb-protocol.pac
rename to src/analyzer/protocol/smb/smb-protocol.pac
diff --git a/src/analyzer/protocols/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac
similarity index 100%
rename from src/analyzer/protocols/smb/smb.pac
rename to src/analyzer/protocol/smb/smb.pac
diff --git a/src/analyzer/protocols/smtp/CMakeLists.txt b/src/analyzer/protocol/smtp/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/smtp/CMakeLists.txt
rename to src/analyzer/protocol/smtp/CMakeLists.txt
diff --git a/src/analyzer/protocols/smtp/Plugin.cc b/src/analyzer/protocol/smtp/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/smtp/Plugin.cc
rename to src/analyzer/protocol/smtp/Plugin.cc
diff --git a/src/analyzer/protocols/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc
similarity index 99%
rename from src/analyzer/protocols/smtp/SMTP.cc
rename to src/analyzer/protocol/smtp/SMTP.cc
index 7bbb7ec69e..dea418242b 100644
--- a/src/analyzer/protocols/smtp/SMTP.cc
+++ b/src/analyzer/protocol/smtp/SMTP.cc
@@ -8,7 +8,7 @@
 #include "SMTP.h"
 #include "Event.h"
 #include "Reporter.h"
-#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h
similarity index 97%
rename from src/analyzer/protocols/smtp/SMTP.h
rename to src/analyzer/protocol/smtp/SMTP.h
index c179db4ecb..cc12167d30 100644
--- a/src/analyzer/protocols/smtp/SMTP.h
+++ b/src/analyzer/protocol/smtp/SMTP.h
@@ -6,8 +6,8 @@
 #include
 using namespace std;
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/mime/MIME.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/mime/MIME.h"
 #undef SMTP_CMD_DEF
 #define SMTP_CMD_DEF(cmd) SMTP_CMD_##cmd,
diff --git a/src/analyzer/protocols/smtp/SMTP_cmd.def b/src/analyzer/protocol/smtp/SMTP_cmd.def
similarity index 100%
rename from src/analyzer/protocols/smtp/SMTP_cmd.def
rename to src/analyzer/protocol/smtp/SMTP_cmd.def
diff --git a/src/analyzer/protocols/smtp/events.bif b/src/analyzer/protocol/smtp/events.bif
similarity index 100%
rename from src/analyzer/protocols/smtp/events.bif
rename to src/analyzer/protocol/smtp/events.bif
diff --git a/src/analyzer/protocols/smtp/functions.bif b/src/analyzer/protocol/smtp/functions.bif
similarity index 88%
rename from src/analyzer/protocols/smtp/functions.bif
rename to src/analyzer/protocol/smtp/functions.bif
index 2bb0c52319..8630685096 100644
--- a/src/analyzer/protocols/smtp/functions.bif
+++ b/src/analyzer/protocol/smtp/functions.bif
@@ -1,6 +1,6 @@
 %%{
-#include "analyzer/protocols/smtp/SMTP.h"
+#include "analyzer/protocol/smtp/SMTP.h"
 %%}
 ## Skips SMTP data until the next email in a connection.
diff --git a/src/analyzer/protocols/socks/CMakeLists.txt b/src/analyzer/protocol/socks/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/socks/CMakeLists.txt
rename to src/analyzer/protocol/socks/CMakeLists.txt
diff --git a/src/analyzer/protocols/socks/Plugin.cc b/src/analyzer/protocol/socks/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/socks/Plugin.cc
rename to src/analyzer/protocol/socks/Plugin.cc
diff --git a/src/analyzer/protocols/socks/SOCKS.cc b/src/analyzer/protocol/socks/SOCKS.cc
similarity index 97%
rename from src/analyzer/protocols/socks/SOCKS.cc
rename to src/analyzer/protocol/socks/SOCKS.cc
index dab464abf7..f9d81b8a16 100644
--- a/src/analyzer/protocols/socks/SOCKS.cc
+++ b/src/analyzer/protocol/socks/SOCKS.cc
@@ -1,6 +1,6 @@
 #include "SOCKS.h"
 #include "socks_pac.h"
-#include "analyzer/protocols/tcp/TCP_Reassembler.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/socks/SOCKS.h b/src/analyzer/protocol/socks/SOCKS.h
similarity index 91%
rename from src/analyzer/protocols/socks/SOCKS.h
rename to src/analyzer/protocol/socks/SOCKS.h
index 424443c826..f005967fd8 100644
--- a/src/analyzer/protocols/socks/SOCKS.h
+++ b/src/analyzer/protocol/socks/SOCKS.h
@@ -3,8 +3,8 @@
 // SOCKS v4 analyzer.
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/pia/PIA.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/pia/PIA.h"
 namespace binpac { namespace SOCKS {
diff --git a/src/analyzer/protocols/socks/events.bif b/src/analyzer/protocol/socks/events.bif
similarity index 100%
rename from src/analyzer/protocols/socks/events.bif
rename to src/analyzer/protocol/socks/events.bif
diff --git a/src/analyzer/protocols/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac
similarity index 100%
rename from src/analyzer/protocols/socks/socks-analyzer.pac
rename to src/analyzer/protocol/socks/socks-analyzer.pac
diff --git a/src/analyzer/protocols/socks/socks-protocol.pac b/src/analyzer/protocol/socks/socks-protocol.pac
similarity index 100%
rename from src/analyzer/protocols/socks/socks-protocol.pac
rename to src/analyzer/protocol/socks/socks-protocol.pac
diff --git a/src/analyzer/protocols/socks/socks.pac b/src/analyzer/protocol/socks/socks.pac
similarity index 100%
rename from src/analyzer/protocols/socks/socks.pac
rename to src/analyzer/protocol/socks/socks.pac
diff --git a/src/analyzer/protocols/ssh/CMakeLists.txt b/src/analyzer/protocol/ssh/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/ssh/CMakeLists.txt
rename to src/analyzer/protocol/ssh/CMakeLists.txt
diff --git a/src/analyzer/protocols/ssh/Plugin.cc b/src/analyzer/protocol/ssh/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/ssh/Plugin.cc
rename to src/analyzer/protocol/ssh/Plugin.cc
diff --git a/src/analyzer/protocols/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc
similarity index 98%
rename from src/analyzer/protocols/ssh/SSH.cc
rename to src/analyzer/protocol/ssh/SSH.cc
index c2ff9a066c..ab3f6a5e5b 100644
--- a/src/analyzer/protocols/ssh/SSH.cc
+++ b/src/analyzer/protocol/ssh/SSH.cc
@@ -7,7 +7,7 @@
 #include "NetVar.h"
 #include "SSH.h"
 #include "Event.h"
-#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/ssh/SSH.h b/src/analyzer/protocol/ssh/SSH.h
similarity index 86%
rename from src/analyzer/protocols/ssh/SSH.h
rename to src/analyzer/protocol/ssh/SSH.h
index 6587425807..3878881693 100644
--- a/src/analyzer/protocols/ssh/SSH.h
+++ b/src/analyzer/protocol/ssh/SSH.h
@@ -3,8 +3,8 @@
 #ifndef ANALYZER_PROTOCOL_SSH_SSH_H
 #define ANALYZER_PROTOCOL_SSH_SSH_H
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/tcp/ContentLine.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
 namespace analyzer { namespace ssh {
diff --git a/src/analyzer/protocols/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif
similarity index 100%
rename from src/analyzer/protocols/ssh/events.bif
rename to src/analyzer/protocol/ssh/events.bif
diff --git a/src/analyzer/protocols/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/ssl/CMakeLists.txt
rename to src/analyzer/protocol/ssl/CMakeLists.txt
diff --git a/src/analyzer/protocols/ssl/Plugin.cc b/src/analyzer/protocol/ssl/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/ssl/Plugin.cc
rename to src/analyzer/protocol/ssl/Plugin.cc
diff --git a/src/analyzer/protocols/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc
similarity index 96%
rename from src/analyzer/protocols/ssl/SSL.cc
rename to src/analyzer/protocol/ssl/SSL.cc
index cf41f273f6..6cd2fa59f8 100644
--- a/src/analyzer/protocols/ssl/SSL.cc
+++ b/src/analyzer/protocol/ssl/SSL.cc
@@ -1,6 +1,6 @@
 #include "SSL.h"
-#include "analyzer/protocols/tcp/TCP_Reassembler.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
 #include "Reporter.h"
 #include "util.h"
diff --git a/src/analyzer/protocols/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h
similarity index 95%
rename from src/analyzer/protocols/ssl/SSL.h
rename to src/analyzer/protocol/ssl/SSL.h
index f1323566af..6423d1b155 100644
--- a/src/analyzer/protocols/ssl/SSL.h
+++ b/src/analyzer/protocol/ssl/SSL.h
@@ -3,7 +3,7 @@
 #include "events.bif.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "ssl_pac.h"
 namespace analyzer { namespace ssl {
diff --git a/src/analyzer/protocols/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
similarity index 100%
rename from src/analyzer/protocols/ssl/events.bif
rename to src/analyzer/protocol/ssl/events.bif
diff --git a/src/analyzer/protocols/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif
similarity index 100%
rename from src/analyzer/protocols/ssl/functions.bif
rename to src/analyzer/protocol/ssl/functions.bif
diff --git a/src/analyzer/protocols/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
similarity index 100%
rename from src/analyzer/protocols/ssl/ssl-analyzer.pac
rename to src/analyzer/protocol/ssl/ssl-analyzer.pac
diff --git a/src/analyzer/protocols/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
similarity index 100%
rename from src/analyzer/protocols/ssl/ssl-defs.pac
rename to src/analyzer/protocol/ssl/ssl-defs.pac
diff --git a/src/analyzer/protocols/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
similarity index 100%
rename from src/analyzer/protocols/ssl/ssl-protocol.pac
rename to src/analyzer/protocol/ssl/ssl-protocol.pac
diff --git a/src/analyzer/protocols/ssl/ssl.pac b/src/analyzer/protocol/ssl/ssl.pac
similarity index 100%
rename from src/analyzer/protocols/ssl/ssl.pac
rename to src/analyzer/protocol/ssl/ssl.pac
diff --git a/src/analyzer/protocols/stepping-stone/CMakeLists.txt b/src/analyzer/protocol/stepping-stone/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/stepping-stone/CMakeLists.txt
rename to src/analyzer/protocol/stepping-stone/CMakeLists.txt
diff --git a/src/analyzer/protocols/stepping-stone/Plugin.cc b/src/analyzer/protocol/stepping-stone/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/stepping-stone/Plugin.cc
rename to src/analyzer/protocol/stepping-stone/Plugin.cc
diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
similarity index 99%
rename from src/analyzer/protocols/stepping-stone/SteppingStone.cc
rename to src/analyzer/protocol/stepping-stone/SteppingStone.cc
index 2b25a2e080..09a7444213 100644
--- a/src/analyzer/protocols/stepping-stone/SteppingStone.cc
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
@@ -7,7 +7,7 @@
 #include "Event.h"
 #include "Net.h"
 #include "NetVar.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "SteppingStone.h"
 #include "util.h"
diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.h b/src/analyzer/protocol/stepping-stone/SteppingStone.h
similarity index 98%
rename from src/analyzer/protocols/stepping-stone/SteppingStone.h
rename to src/analyzer/protocol/stepping-stone/SteppingStone.h
index 212899f32c..1471c08a3b 100644
--- a/src/analyzer/protocols/stepping-stone/SteppingStone.h
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.h
@@ -4,7 +4,7 @@
 #define ANALYZER_PROTOCOL_STEPPING_STONE_STEPPINGSTONE_H
 #include "Queue.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 class NetSessions;
diff --git a/src/analyzer/protocols/stepping-stone/events.bif b/src/analyzer/protocol/stepping-stone/events.bif
similarity index 100%
rename from src/analyzer/protocols/stepping-stone/events.bif
rename to src/analyzer/protocol/stepping-stone/events.bif
diff --git a/src/analyzer/protocols/syslog/CMakeLists.txt b/src/analyzer/protocol/syslog/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/syslog/CMakeLists.txt
rename to src/analyzer/protocol/syslog/CMakeLists.txt
diff --git a/src/analyzer/protocols/syslog/Plugin.cc b/src/analyzer/protocol/syslog/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/syslog/Plugin.cc
rename to src/analyzer/protocol/syslog/Plugin.cc
diff --git a/src/analyzer/protocols/syslog/Syslog.cc b/src/analyzer/protocol/syslog/Syslog.cc
similarity index 97%
rename from src/analyzer/protocols/syslog/Syslog.cc
rename to src/analyzer/protocol/syslog/Syslog.cc
index e1667ea38b..2b783afc64 100644
--- a/src/analyzer/protocols/syslog/Syslog.cc
+++ b/src/analyzer/protocol/syslog/Syslog.cc
@@ -1,6 +1,6 @@
 #include "Syslog.h"
-#include "analyzer/protocols/tcp/TCP_Reassembler.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/syslog/Syslog.h b/src/analyzer/protocol/syslog/Syslog.h
similarity index 94%
rename from src/analyzer/protocols/syslog/Syslog.h
rename to src/analyzer/protocol/syslog/Syslog.h
index fd929a478e..355863e36e 100644
--- a/src/analyzer/protocols/syslog/Syslog.h
+++ b/src/analyzer/protocol/syslog/Syslog.h
@@ -2,8 +2,8 @@
 #ifndef ANALYZER_PROTOCOL_SYSLOG_SYSLOG_H
 #define ANALYZER_PROTOCOL_SYSLOG_SYSLOG_H
-#include "analyzer/protocols/udp/UDP.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/udp/UDP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "syslog_pac.h"
diff --git a/src/analyzer/protocols/syslog/events.bif b/src/analyzer/protocol/syslog/events.bif
similarity index 100%
rename from src/analyzer/protocols/syslog/events.bif
rename to src/analyzer/protocol/syslog/events.bif
diff --git a/src/analyzer/protocols/syslog/syslog-analyzer.pac b/src/analyzer/protocol/syslog/syslog-analyzer.pac
similarity index 100%
rename from src/analyzer/protocols/syslog/syslog-analyzer.pac
rename to src/analyzer/protocol/syslog/syslog-analyzer.pac
diff --git a/src/analyzer/protocols/syslog/syslog-protocol.pac b/src/analyzer/protocol/syslog/syslog-protocol.pac
similarity index 100%
rename from src/analyzer/protocols/syslog/syslog-protocol.pac
rename to src/analyzer/protocol/syslog/syslog-protocol.pac
diff --git a/src/analyzer/protocols/syslog/syslog.pac b/src/analyzer/protocol/syslog/syslog.pac
similarity index 100%
rename from src/analyzer/protocols/syslog/syslog.pac
rename to src/analyzer/protocol/syslog/syslog.pac
diff --git a/src/analyzer/protocols/tcp/CMakeLists.txt b/src/analyzer/protocol/tcp/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/tcp/CMakeLists.txt
rename to src/analyzer/protocol/tcp/CMakeLists.txt
diff --git a/src/analyzer/protocols/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc
similarity index 99%
rename from src/analyzer/protocols/tcp/ContentLine.cc
rename to src/analyzer/protocol/tcp/ContentLine.cc
index c1738ccc64..2a810c5dd1 100644
--- a/src/analyzer/protocols/tcp/ContentLine.cc
+++ b/src/analyzer/protocol/tcp/ContentLine.cc
@@ -1,7 +1,7 @@
 #include
 #include "ContentLine.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h
similarity index 98%
rename from src/analyzer/protocols/tcp/ContentLine.h
rename to src/analyzer/protocol/tcp/ContentLine.h
index f5d3ef8211..ecc1347984 100644
--- a/src/analyzer/protocols/tcp/ContentLine.h
+++ b/src/analyzer/protocol/tcp/ContentLine.h
@@ -3,7 +3,7 @@
 #ifndef ANALYZER_PROTOCOL_TCP_CONTENTLINE_H
 #define ANALYZER_PROTOCOL_TCP_CONTENTLINE_H
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 namespace analyzer { namespace tcp {
diff --git a/src/analyzer/protocols/tcp/Plugin.cc b/src/analyzer/protocol/tcp/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/tcp/Plugin.cc
rename to src/analyzer/protocol/tcp/Plugin.cc
diff --git a/src/analyzer/protocols/tcp/Stats.cc b/src/analyzer/protocol/tcp/Stats.cc
similarity index 100%
rename from src/analyzer/protocols/tcp/Stats.cc
rename to src/analyzer/protocol/tcp/Stats.cc
diff --git a/src/analyzer/protocols/tcp/Stats.h b/src/analyzer/protocol/tcp/Stats.h
similarity index 100%
rename from src/analyzer/protocols/tcp/Stats.h
rename to src/analyzer/protocol/tcp/Stats.h
diff --git a/src/analyzer/protocols/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
similarity index 99%
rename from src/analyzer/protocols/tcp/TCP.cc
rename to src/analyzer/protocol/tcp/TCP.cc
index 23de51642b..ee8a5938f5 100644
--- a/src/analyzer/protocols/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -7,9 +7,9 @@
 #include "OSFinger.h"
 #include "Event.h"
-#include "analyzer/protocols/pia/PIA.h"
-#include "analyzer/protocols/tcp/TCP.h"
-#include "analyzer/protocols/tcp/TCP_Reassembler.h"
+#include "analyzer/protocol/pia/PIA.h"
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
 #include "events.bif.h"
diff --git a/src/analyzer/protocols/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h
similarity index 99%
rename from src/analyzer/protocols/tcp/TCP.h
rename to src/analyzer/protocol/tcp/TCP.h
index ded3cd7270..b2649b4ab8 100644
--- a/src/analyzer/protocols/tcp/TCP.h
+++ b/src/analyzer/protocol/tcp/TCP.h
@@ -4,7 +4,7 @@
 #define ANALYZER_PROTOCOL_TCP_TCP_H
 #include "analyzer/Analyzer.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "PacketDumper.h"
 #include "IPAddr.h"
 #include "TCP_Endpoint.h"
diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
similarity index 99%
rename from src/analyzer/protocols/tcp/TCP_Endpoint.cc
rename to src/analyzer/protocol/tcp/TCP_Endpoint.cc
index 922c52693a..3beafdeb8a 100644
--- a/src/analyzer/protocols/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@@ -2,7 +2,7 @@
 #include "Net.h"
 #include "NetVar.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "TCP_Reassembler.h"
 #include "Sessions.h"
 #include "Event.h"
diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h
similarity index 100%
rename from src/analyzer/protocols/tcp/TCP_Endpoint.h
rename to src/analyzer/protocol/tcp/TCP_Endpoint.h
diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
similarity index 99%
rename from src/analyzer/protocols/tcp/TCP_Reassembler.cc
rename to src/analyzer/protocol/tcp/TCP_Reassembler.cc
index e54a1494af..949be9f599 100644
--- a/src/analyzer/protocols/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -2,7 +2,7 @@
 #include "analyzer/Analyzer.h"
 #include "TCP_Reassembler.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 #include "TCP_Endpoint.h"
 // Only needed for gap_report events.
diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h
similarity index 100%
rename from src/analyzer/protocols/tcp/TCP_Reassembler.h
rename to src/analyzer/protocol/tcp/TCP_Reassembler.h
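Review bot: In the TCP.h hunk the file ends up including itself (`+#include "analyzer/protocol/tcp/TCP.h"` directly under `#define ANALYZER_PROTOCOL_TCP_TCP_H`); the include guard turns it into a no-op, but it is dead and misleading, and since the line is being rewritten for the path rename anyway it would be cleaner to delete it than to repath it. The self-include predates this commit, so this is an opportunistic cleanup rather than a regression. The TCP_Endpoint.cc and TCP_Reassembler.cc hunks on this line include TCP.h from separate translation units and are fine as written.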
diff --git a/src/analyzer/protocols/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif
similarity index 100%
rename from src/analyzer/protocols/tcp/events.bif
rename to src/analyzer/protocol/tcp/events.bif
diff --git a/src/analyzer/protocols/tcp/functions.bif b/src/analyzer/protocol/tcp/functions.bif
similarity index 99%
rename from src/analyzer/protocols/tcp/functions.bif
rename to src/analyzer/protocol/tcp/functions.bif
index b0178a1279..ff812b80ee 100644
--- a/src/analyzer/protocols/tcp/functions.bif
+++ b/src/analyzer/protocol/tcp/functions.bif
@@ -1,6 +1,6 @@
 %%{
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 %%}
 ## Get the originator sequence number of a TCP connection. Sequence numbers
diff --git a/src/analyzer/protocols/teredo/CMakeLists.txt b/src/analyzer/protocol/teredo/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/teredo/CMakeLists.txt
rename to src/analyzer/protocol/teredo/CMakeLists.txt
diff --git a/src/analyzer/protocols/teredo/Plugin.cc b/src/analyzer/protocol/teredo/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/teredo/Plugin.cc
rename to src/analyzer/protocol/teredo/Plugin.cc
diff --git a/src/analyzer/protocols/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc
similarity index 100%
rename from src/analyzer/protocols/teredo/Teredo.cc
rename to src/analyzer/protocol/teredo/Teredo.cc
diff --git a/src/analyzer/protocols/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h
similarity index 100%
rename from src/analyzer/protocols/teredo/Teredo.h
rename to src/analyzer/protocol/teredo/Teredo.h
diff --git a/src/analyzer/protocols/teredo/events.bif b/src/analyzer/protocol/teredo/events.bif
similarity index 100%
rename from src/analyzer/protocols/teredo/events.bif
rename to src/analyzer/protocol/teredo/events.bif
diff --git a/src/analyzer/protocols/udp/CMakeLists.txt b/src/analyzer/protocol/udp/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/udp/CMakeLists.txt
rename to src/analyzer/protocol/udp/CMakeLists.txt
diff --git a/src/analyzer/protocols/udp/Plugin.cc b/src/analyzer/protocol/udp/Plugin.cc
similarity index 82%
rename from src/analyzer/protocols/udp/Plugin.cc
rename to src/analyzer/protocol/udp/Plugin.cc
index a013c55a87..c18a846e00 100644
--- a/src/analyzer/protocols/udp/Plugin.cc
+++ b/src/analyzer/protocol/udp/Plugin.cc
@@ -1,7 +1,7 @@
 #include "plugin/Plugin.h"
-#include "analyzer/protocols/udp/UDP.h"
+#include "analyzer/protocol/udp/UDP.h"
 BRO_PLUGIN_BEGIN(UDP)
 BRO_PLUGIN_DESCRIPTION("UDP Analyzer");
diff --git a/src/analyzer/protocols/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc
similarity index 99%
rename from src/analyzer/protocols/udp/UDP.cc
rename to src/analyzer/protocol/udp/UDP.cc
index 8092a511c3..3050ea5648 100644
--- a/src/analyzer/protocols/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@@ -6,7 +6,7 @@
 #include "Net.h"
 #include "NetVar.h"
-#include "analyzer/protocols/udp/UDP.h"
+#include "analyzer/protocol/udp/UDP.h"
 #include "Reporter.h"
 #include "Conn.h"
diff --git a/src/analyzer/protocols/udp/UDP.h b/src/analyzer/protocol/udp/UDP.h
similarity index 100%
rename from src/analyzer/protocols/udp/UDP.h
rename to src/analyzer/protocol/udp/UDP.h
diff --git a/src/analyzer/protocols/udp/events.bif b/src/analyzer/protocol/udp/events.bif
similarity index 100%
rename from src/analyzer/protocols/udp/events.bif
rename to src/analyzer/protocol/udp/events.bif
diff --git a/src/analyzer/protocols/zip/CMakeLists.txt b/src/analyzer/protocol/zip/CMakeLists.txt
similarity index 100%
rename from src/analyzer/protocols/zip/CMakeLists.txt
rename to src/analyzer/protocol/zip/CMakeLists.txt
diff --git a/src/analyzer/protocols/zip/Plugin.cc b/src/analyzer/protocol/zip/Plugin.cc
similarity index 100%
rename from src/analyzer/protocols/zip/Plugin.cc
rename to src/analyzer/protocol/zip/Plugin.cc
diff --git a/src/analyzer/protocols/zip/ZIP.cc b/src/analyzer/protocol/zip/ZIP.cc
similarity index 100%
rename from src/analyzer/protocols/zip/ZIP.cc
rename to src/analyzer/protocol/zip/ZIP.cc
diff --git a/src/analyzer/protocols/zip/ZIP.h b/src/analyzer/protocol/zip/ZIP.h
similarity index 94%
rename from src/analyzer/protocols/zip/ZIP.h
rename to src/analyzer/protocol/zip/ZIP.h
index 7753ac2945..b284529d86 100644
--- a/src/analyzer/protocols/zip/ZIP.h
+++ b/src/analyzer/protocol/zip/ZIP.h
@@ -6,7 +6,7 @@
 #include "config.h"
 #include "zlib.h"
-#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocol/tcp/TCP.h"
 namespace analyzer { namespace zip {
diff --git a/src/analyzer/protocols/zip/events.bif b/src/analyzer/protocol/zip/events.bif
similarity index 100%
rename from src/analyzer/protocols/zip/events.bif
rename to src/analyzer/protocol/zip/events.bif
diff --git a/src/bro.bif b/src/bro.bif
index 5c39e335a6..6ad7dccc3a 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -2626,7 +2626,7 @@ function decode_base64_custom%(s: string, a: string%): string
 %}
 %%{
-#include "analyzer/protocols/dce-rpc/DCE_RPC.h"
+#include "analyzer/protocol/dce-rpc/DCE_RPC.h"
 typedef struct {
 uint32 time_low;
diff --git a/src/parse.y b/src/parse.y
index 449b472c0c..5c54706168 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -79,7 +79,7 @@
 #include "Expr.h"
 #include "Stmt.h"
 #include "Var.h"
-/* #include "analyzer/protocols/dns/DNS.h" */
+/* #include "analyzer/protocol/dns/DNS.h" */
 #include "RE.h"
 #include "Scope.h"
 #include "Reporter.h"
From da696c4b24201bad474a776f753d50491bd14ce1 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Fri, 19 Apr 2013 15:58:13 -0700
Subject: [PATCH 043/200] Unifying analyzer names and descriptions.
---
 src/analyzer/protocol/backdoor/Plugin.cc | 2 +-
 src/analyzer/protocol/conn-size/Plugin.cc | 2 +-
 src/analyzer/protocol/dce-rpc/Plugin.cc | 2 +-
 src/analyzer/protocol/dhcp/Plugin.cc | 2 +-
 src/analyzer/protocol/dns/Plugin.cc | 2 +-
 src/analyzer/protocol/file/Plugin.cc | 2 +-
 src/analyzer/protocol/finger/Plugin.cc | 4 ++--
 src/analyzer/protocol/ftp/Plugin.cc | 2 +-
 src/analyzer/protocol/gnutella/Plugin.cc | 4 ++--
 src/analyzer/protocol/gtpv1/CMakeLists.txt | 2 +-
 src/analyzer/protocol/gtpv1/Plugin.cc | 6 +++---
 src/analyzer/protocol/http/Plugin.cc | 2 +-
 src/analyzer/protocol/icmp/Plugin.cc | 2 +-
 src/analyzer/protocol/ident/Plugin.cc | 4 ++--
 src/analyzer/protocol/interconn/Plugin.cc | 4 ++--
 src/analyzer/protocol/irc/Plugin.cc | 2 +-
 src/analyzer/protocol/login/Plugin.cc | 8 ++++----
 src/analyzer/protocol/mime/Plugin.cc | 2 +-
 src/analyzer/protocol/modbus/Plugin.cc | 2 +-
 src/analyzer/protocol/ncp/Plugin.cc | 2 +-
 src/analyzer/protocol/netbios/CMakeLists.txt | 2 +-
 src/analyzer/protocol/netbios/Plugin.cc | 4 ++--
 src/analyzer/protocol/netflow/Plugin.cc | 2 +-
 src/analyzer/protocol/ntp/Plugin.cc | 2 +-
 src/analyzer/protocol/pia/Plugin.cc | 2 +-
 src/analyzer/protocol/pop3/Plugin.cc | 2 +-
 src/analyzer/protocol/rpc/Plugin.cc | 2 +-
 src/analyzer/protocol/smb/Plugin.cc | 2 +-
 src/analyzer/protocol/smtp/Plugin.cc | 2 +-
 src/analyzer/protocol/socks/Plugin.cc | 2 +-
 src/analyzer/protocol/ssh/Plugin.cc | 2 +-
 src/analyzer/protocol/ssl/Plugin.cc | 2 +-
 src/analyzer/protocol/stepping-stone/Plugin.cc | 4 ++--
 src/analyzer/protocol/syslog/Plugin.cc | 4 ++--
 src/analyzer/protocol/tcp/Plugin.cc | 2 +-
 src/analyzer/protocol/teredo/Plugin.cc | 4 ++--
 36 files changed, 49 insertions(+), 49 deletions(-)
diff --git a/src/analyzer/protocol/backdoor/Plugin.cc b/src/analyzer/protocol/backdoor/Plugin.cc
index afcf60edbc..b350e835a1 100644
--- a/src/analyzer/protocol/backdoor/Plugin.cc
+++ b/src/analyzer/protocol/backdoor/Plugin.cc
@@ -5,6 +5,6 @@
 BRO_PLUGIN_BEGIN(BackDoor)
 BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)");
- BRO_PLUGIN_ANALYZER("BACKDOOR", backdoor::BackDoor_Analyzer);
+ BRO_PLUGIN_ANALYZER("BackDoor", backdoor::BackDoor_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocol/conn-size/Plugin.cc b/src/analyzer/protocol/conn-size/Plugin.cc
index 5ff2ed201d..d72b97dac6 100644
--- a/src/analyzer/protocol/conn-size/Plugin.cc
+++ b/src/analyzer/protocol/conn-size/Plugin.cc
@@ -5,6 +5,6 @@
 BRO_PLUGIN_BEGIN(ConnSize)
 BRO_PLUGIN_DESCRIPTION("Connection size analyzer");
- BRO_PLUGIN_ANALYZER("CONNSIZE", conn_size::ConnSize_Analyzer);
+ BRO_PLUGIN_ANALYZER("ConnSize", conn_size::ConnSize_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocol/dce-rpc/Plugin.cc b/src/analyzer/protocol/dce-rpc/Plugin.cc
index 5e35af7c0d..368cffdc7f 100644
--- a/src/analyzer/protocol/dce-rpc/Plugin.cc
+++ b/src/analyzer/protocol/dce-rpc/Plugin.cc
@@ -4,7 +4,7 @@
 #include "DCE_RPC.h"
 BRO_PLUGIN_BEGIN(DCE_RPC)
- BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer");
+ BRO_PLUGIN_DESCRIPTION("DCE-RPC analyzer");
 BRO_PLUGIN_ANALYZER("DCE_RPC", dce_rpc::DCE_RPC_Analyzer);
 BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC");
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/dhcp/Plugin.cc b/src/analyzer/protocol/dhcp/Plugin.cc
index e1ee02db95..8bc1c68a6b 100644
--- a/src/analyzer/protocol/dhcp/Plugin.cc
+++ b/src/analyzer/protocol/dhcp/Plugin.cc
@@ -4,7 +4,7 @@
 #include "DHCP.h"
 BRO_PLUGIN_BEGIN(DHCP)
- BRO_PLUGIN_DESCRIPTION("DHCP Analyzer");
+ BRO_PLUGIN_DESCRIPTION("DHCP analyzer");
 BRO_PLUGIN_ANALYZER("DHCP", dhcp::DHCP_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocol/dns/Plugin.cc b/src/analyzer/protocol/dns/Plugin.cc
index e731f191da..f4275b4181 100644
--- a/src/analyzer/protocol/dns/Plugin.cc
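Review bot: The first argument of `BRO_PLUGIN_ANALYZER` changes spelling in the BackDoor hunk (`"BACKDOOR"` → `"BackDoor"`) and likewise for ConnSize here and for Finger, Gnutella, GTPv1, Ident and InterConn further down; that string is presumably the name the analyzer is registered and looked up under, so any case-sensitive lookup, log field or test baseline keyed on the old spelling would stop matching. The diffstat above lists only `Plugin.cc` and `CMakeLists.txt` files, so no script, documentation or baseline updates accompany the rename; it would be worth stating in the commit message whether the old names remain resolvable (e.g. through a case-insensitive match) or listing what consumers must be updated. The `BRO_PLUGIN_DESCRIPTION` hunks only recase free text and need nothing further.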
+++ b/src/analyzer/protocol/dns/Plugin.cc
@@ -4,7 +4,7 @@
 #include "DNS.h"
 BRO_PLUGIN_BEGIN(DNS)
- BRO_PLUGIN_DESCRIPTION("DNS Analyzer");
+ BRO_PLUGIN_DESCRIPTION("DNS analyzer");
 BRO_PLUGIN_ANALYZER("DNS", dns::DNS_Analyzer);
 BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS");
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/file/Plugin.cc b/src/analyzer/protocol/file/Plugin.cc
index ad4e917742..06d3ba9373 100644
--- a/src/analyzer/protocol/file/Plugin.cc
+++ b/src/analyzer/protocol/file/Plugin.cc
@@ -4,7 +4,7 @@
 #include "./File.h"
 BRO_PLUGIN_BEGIN(File)
- BRO_PLUGIN_DESCRIPTION("Generic File Analyzer");
+ BRO_PLUGIN_DESCRIPTION("Generic file analyzer");
 BRO_PLUGIN_ANALYZER("File", file::File_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocol/finger/Plugin.cc b/src/analyzer/protocol/finger/Plugin.cc
index 603bbd004e..a20c0765c1 100644
--- a/src/analyzer/protocol/finger/Plugin.cc
+++ b/src/analyzer/protocol/finger/Plugin.cc
@@ -4,7 +4,7 @@
 #include "Finger.h"
 BRO_PLUGIN_BEGIN(Finger)
- BRO_PLUGIN_DESCRIPTION("Finger Analyzer");
- BRO_PLUGIN_ANALYZER("FINGER", finger::Finger_Analyzer);
+ BRO_PLUGIN_DESCRIPTION("Finger analyzer");
+ BRO_PLUGIN_ANALYZER("Finger", finger::Finger_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocol/ftp/Plugin.cc b/src/analyzer/protocol/ftp/Plugin.cc
index d6bc3313e6..e35185d5c5 100644
--- a/src/analyzer/protocol/ftp/Plugin.cc
+++ b/src/analyzer/protocol/ftp/Plugin.cc
@@ -4,7 +4,7 @@
 #include "FTP.h"
 BRO_PLUGIN_BEGIN(FTP)
- BRO_PLUGIN_DESCRIPTION("FTP Analyzer");
+ BRO_PLUGIN_DESCRIPTION("FTP analyzer");
 BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer);
 BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT");
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/gnutella/Plugin.cc b/src/analyzer/protocol/gnutella/Plugin.cc
index eca9adb001..b52d545bc3 100644
--- a/src/analyzer/protocol/gnutella/Plugin.cc
+++ b/src/analyzer/protocol/gnutella/Plugin.cc
@@ -4,7 +4,7 @@ #include "Gnutella.h" BRO_PLUGIN_BEGIN(Gnutella) - BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer"); - BRO_PLUGIN_ANALYZER("GNUTELLA", gnutella::Gnutella_Analyzer); + BRO_PLUGIN_DESCRIPTION("Gnutella analyzer"); + BRO_PLUGIN_ANALYZER("Gnutella", gnutella::Gnutella_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/gtpv1/CMakeLists.txt b/src/analyzer/protocol/gtpv1/CMakeLists.txt index e414876df5..b739330b37 100644 --- a/src/analyzer/protocol/gtpv1/CMakeLists.txt +++ b/src/analyzer/protocol/gtpv1/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(GTPV1) +bro_plugin_begin(GTPv1) bro_plugin_cc(GTPv1.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac) diff --git a/src/analyzer/protocol/gtpv1/Plugin.cc b/src/analyzer/protocol/gtpv1/Plugin.cc index 39233384dc..5a39dd3980 100644 --- a/src/analyzer/protocol/gtpv1/Plugin.cc +++ b/src/analyzer/protocol/gtpv1/Plugin.cc @@ -3,8 +3,8 @@ #include "GTPv1.h" -BRO_PLUGIN_BEGIN(GTPV1) - BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer"); - BRO_PLUGIN_ANALYZER("GTPV1", gtpv1::GTPv1_Analyzer); +BRO_PLUGIN_BEGIN(GTPv1) + BRO_PLUGIN_DESCRIPTION("GTPv1 analyzer"); + BRO_PLUGIN_ANALYZER("GTPv1", gtpv1::GTPv1_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/http/Plugin.cc b/src/analyzer/protocol/http/Plugin.cc index 86f1cb0333..2908a37511 100644 --- a/src/analyzer/protocol/http/Plugin.cc +++ b/src/analyzer/protocol/http/Plugin.cc @@ -4,7 +4,7 @@ #include "HTTP.h" BRO_PLUGIN_BEGIN(HTTP) - BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); + BRO_PLUGIN_DESCRIPTION("HTTP analyzer"); BRO_PLUGIN_ANALYZER("HTTP", http::HTTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(functions); diff --git a/src/analyzer/protocol/icmp/Plugin.cc b/src/analyzer/protocol/icmp/Plugin.cc index 0d3a90e168..fa0c885a3e 100644 
--- a/src/analyzer/protocol/icmp/Plugin.cc +++ b/src/analyzer/protocol/icmp/Plugin.cc @@ -4,7 +4,7 @@ #include "ICMP.h" BRO_PLUGIN_BEGIN(ICMP) - BRO_PLUGIN_DESCRIPTION("ICMP Analyzer"); + BRO_PLUGIN_DESCRIPTION("ICMP analyzer"); BRO_PLUGIN_ANALYZER("ICMP", icmp::ICMP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ident/Plugin.cc b/src/analyzer/protocol/ident/Plugin.cc index d0abef8280..d520374552 100644 --- a/src/analyzer/protocol/ident/Plugin.cc +++ b/src/analyzer/protocol/ident/Plugin.cc @@ -4,7 +4,7 @@ #include "Ident.h" BRO_PLUGIN_BEGIN(Ident) - BRO_PLUGIN_DESCRIPTION("Ident Analyzer"); - BRO_PLUGIN_ANALYZER("IDENT", ident::Ident_Analyzer); + BRO_PLUGIN_DESCRIPTION("Ident analyzer"); + BRO_PLUGIN_ANALYZER("Ident", ident::Ident_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/interconn/Plugin.cc b/src/analyzer/protocol/interconn/Plugin.cc index cb4ac076af..e1792dc3ef 100644 --- a/src/analyzer/protocol/interconn/Plugin.cc +++ b/src/analyzer/protocol/interconn/Plugin.cc @@ -4,7 +4,7 @@ #include "InterConn.h" BRO_PLUGIN_BEGIN(InterConn) - BRO_PLUGIN_DESCRIPTION("InterConn Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("INTERCONN", interconn::InterConn_Analyzer); + BRO_PLUGIN_DESCRIPTION("InterConn analyzer (deprecated)"); + BRO_PLUGIN_ANALYZER("InterConn", interconn::InterConn_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/irc/Plugin.cc b/src/analyzer/protocol/irc/Plugin.cc index 72b89fda0e..046d1b5a02 100644 --- a/src/analyzer/protocol/irc/Plugin.cc +++ b/src/analyzer/protocol/irc/Plugin.cc @@ -4,7 +4,7 @@ #include "IRC.h" BRO_PLUGIN_BEGIN(IRC) - BRO_PLUGIN_DESCRIPTION("IRC Analyzer"); + BRO_PLUGIN_DESCRIPTION("IRC analyzer"); BRO_PLUGIN_ANALYZER("IRC", irc::IRC_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END 
diff --git a/src/analyzer/protocol/login/Plugin.cc b/src/analyzer/protocol/login/Plugin.cc index 43784ba262..8c7287afae 100644 --- a/src/analyzer/protocol/login/Plugin.cc +++ b/src/analyzer/protocol/login/Plugin.cc @@ -7,10 +7,10 @@ #include "Rlogin.h" BRO_PLUGIN_BEGIN(Login) - BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin Analyzer"); - BRO_PLUGIN_ANALYZER("TELNET", login::Telnet_Analyzer); - BRO_PLUGIN_ANALYZER("RSH", login::Rsh_Analyzer); - BRO_PLUGIN_ANALYZER("RLOGIN", login::Rlogin_Analyzer); + BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin analyzers"); + BRO_PLUGIN_ANALYZER("Telnet", login::Telnet_Analyzer); + BRO_PLUGIN_ANALYZER("Rsh", login::Rsh_Analyzer); + BRO_PLUGIN_ANALYZER("Rlogin", login::Rlogin_Analyzer); BRO_PLUGIN_ANALYZER_BARE("NVT"); BRO_PLUGIN_ANALYZER_BARE("Login"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh"); diff --git a/src/analyzer/protocol/mime/Plugin.cc b/src/analyzer/protocol/mime/Plugin.cc index 98dee2a2eb..ff90d9d671 100644 --- a/src/analyzer/protocol/mime/Plugin.cc +++ b/src/analyzer/protocol/mime/Plugin.cc @@ -2,6 +2,6 @@ #include "plugin/Plugin.h" BRO_PLUGIN_BEGIN(MIME) - BRO_PLUGIN_DESCRIPTION("MIME Parsing Code"); + BRO_PLUGIN_DESCRIPTION("MIME parsing code"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/modbus/Plugin.cc b/src/analyzer/protocol/modbus/Plugin.cc index ba93063560..e03f8dbb9b 100644 --- a/src/analyzer/protocol/modbus/Plugin.cc +++ b/src/analyzer/protocol/modbus/Plugin.cc @@ -4,7 +4,7 @@ #include "Modbus.h" BRO_PLUGIN_BEGIN(Modbus) - BRO_PLUGIN_DESCRIPTION("Modbus Analyzer"); + BRO_PLUGIN_DESCRIPTION("Modbus analyzer"); BRO_PLUGIN_ANALYZER("MODBUS", modbus::ModbusTCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ncp/Plugin.cc b/src/analyzer/protocol/ncp/Plugin.cc index 6bfc2b70f6..5e1a955606 100644 --- a/src/analyzer/protocol/ncp/Plugin.cc +++ b/src/analyzer/protocol/ncp/Plugin.cc 
@@ -4,7 +4,7 @@ #include "NCP.h" BRO_PLUGIN_BEGIN(NCP) - BRO_PLUGIN_DESCRIPTION("NCP Analyzer"); + BRO_PLUGIN_DESCRIPTION("NCP analyzer"); BRO_PLUGIN_ANALYZER("NCP", ncp::NCP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NCP"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/netbios/CMakeLists.txt b/src/analyzer/protocol/netbios/CMakeLists.txt index 6e7c5251a3..ab31cd6e0a 100644 --- a/src/analyzer/protocol/netbios/CMakeLists.txt +++ b/src/analyzer/protocol/netbios/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Netbios) +bro_plugin_begin(NetBIOS) bro_plugin_cc(NetbiosSSN.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocol/netbios/Plugin.cc b/src/analyzer/protocol/netbios/Plugin.cc index 7f71dbbe10..36ec458138 100644 --- a/src/analyzer/protocol/netbios/Plugin.cc +++ b/src/analyzer/protocol/netbios/Plugin.cc @@ -3,8 +3,8 @@ #include "NetbiosSSN.h" -BRO_PLUGIN_BEGIN(Netbios) - BRO_PLUGIN_DESCRIPTION("Netbios Analyzer (SSN only)"); +BRO_PLUGIN_BEGIN(NetBIOS) + BRO_PLUGIN_DESCRIPTION("NetBIOS analyzer (support only SSN currently)"); BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/netflow/Plugin.cc b/src/analyzer/protocol/netflow/Plugin.cc index f7c36e943a..cd7a937171 100644 --- a/src/analyzer/protocol/netflow/Plugin.cc +++ b/src/analyzer/protocol/netflow/Plugin.cc @@ -2,6 +2,6 @@ #include "plugin/Plugin.h" BRO_PLUGIN_BEGIN(NetFlow) - BRO_PLUGIN_DESCRIPTION("NetFlow Parsing Code"); + BRO_PLUGIN_DESCRIPTION("NetFlow parsing code"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc index 8331c25dee..bf2bd5df15 100644 --- a/src/analyzer/protocol/ntp/Plugin.cc 
+++ b/src/analyzer/protocol/ntp/Plugin.cc @@ -4,7 +4,7 @@ #include "NTP.h" BRO_PLUGIN_BEGIN(NTP) - BRO_PLUGIN_DESCRIPTION("NTP Analyzer"); + BRO_PLUGIN_DESCRIPTION("NTP analyzer"); BRO_PLUGIN_ANALYZER("NTP", ntp::NTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/pia/Plugin.cc b/src/analyzer/protocol/pia/Plugin.cc index 2d56f80038..6c4bf1a6b2 100644 --- a/src/analyzer/protocol/pia/Plugin.cc +++ b/src/analyzer/protocol/pia/Plugin.cc @@ -4,7 +4,7 @@ #include "PIA.h" BRO_PLUGIN_BEGIN(PIA) - BRO_PLUGIN_DESCRIPTION("Protocol Identificatin Analyzers"); + BRO_PLUGIN_DESCRIPTION("Analyzers implementing Dynamic Protocol Detection"); BRO_PLUGIN_ANALYZER("PIA_TCP", pia::PIA_TCP); BRO_PLUGIN_ANALYZER("PIA_UDP", pia::PIA_UDP); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/pop3/Plugin.cc b/src/analyzer/protocol/pop3/Plugin.cc index 056cb36682..b686e2fbee 100644 --- a/src/analyzer/protocol/pop3/Plugin.cc +++ b/src/analyzer/protocol/pop3/Plugin.cc @@ -4,7 +4,7 @@ #include "POP3.h" BRO_PLUGIN_BEGIN(POP3) - BRO_PLUGIN_DESCRIPTION("POP3 Analyzer"); + BRO_PLUGIN_DESCRIPTION("POP3 analyzer"); BRO_PLUGIN_ANALYZER("POP3", pop3::POP3_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/rpc/Plugin.cc b/src/analyzer/protocol/rpc/Plugin.cc index 23f5d0e667..815cf14362 100644 --- a/src/analyzer/protocol/rpc/Plugin.cc +++ b/src/analyzer/protocol/rpc/Plugin.cc @@ -8,7 +8,7 @@ BRO_PLUGIN_BEGIN(RPC) BRO_PLUGIN_DESCRIPTION("Analyzers for RPC-based protocols"); BRO_PLUGIN_ANALYZER("NFS", rpc::NFS_Analyzer); - BRO_PLUGIN_ANALYZER("PORTMAPPER", rpc::Portmapper_Analyzer); + BRO_PLUGIN_ANALYZER("Portmapper", rpc::Portmapper_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_RPC"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NFS"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/smb/Plugin.cc b/src/analyzer/protocol/smb/Plugin.cc index 2f83460984..97ea10f5d8 100644 
--- a/src/analyzer/protocol/smb/Plugin.cc +++ b/src/analyzer/protocol/smb/Plugin.cc @@ -4,7 +4,7 @@ #include "SMB.h" BRO_PLUGIN_BEGIN(SMB) - BRO_PLUGIN_DESCRIPTION("SMB Analyzer"); + BRO_PLUGIN_DESCRIPTION("SMB analyzer"); BRO_PLUGIN_ANALYZER("SMB", smb::SMB_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_SMB"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/smtp/Plugin.cc b/src/analyzer/protocol/smtp/Plugin.cc index 6550733b92..f1567098d2 100644 --- a/src/analyzer/protocol/smtp/Plugin.cc +++ b/src/analyzer/protocol/smtp/Plugin.cc @@ -4,7 +4,7 @@ #include "SMTP.h" BRO_PLUGIN_BEGIN(SMTP) - BRO_PLUGIN_DESCRIPTION("SMTP Analyzer"); + BRO_PLUGIN_DESCRIPTION("SMTP analyzer"); BRO_PLUGIN_ANALYZER("SMTP", smtp::SMTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(functions); diff --git a/src/analyzer/protocol/socks/Plugin.cc b/src/analyzer/protocol/socks/Plugin.cc index 3c849e6e23..3c659de628 100644 --- a/src/analyzer/protocol/socks/Plugin.cc +++ b/src/analyzer/protocol/socks/Plugin.cc @@ -4,7 +4,7 @@ #include "SOCKS.h" BRO_PLUGIN_BEGIN(SOCKS) - BRO_PLUGIN_DESCRIPTION("SOCKS Analyzer"); + BRO_PLUGIN_DESCRIPTION("SOCKS analyzer"); BRO_PLUGIN_ANALYZER("SOCKS", socks::SOCKS_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ssh/Plugin.cc b/src/analyzer/protocol/ssh/Plugin.cc index 57acbe222c..4bb2a0ffdb 100644 --- a/src/analyzer/protocol/ssh/Plugin.cc +++ b/src/analyzer/protocol/ssh/Plugin.cc @@ -4,7 +4,7 @@ #include "SSH.h" BRO_PLUGIN_BEGIN(SSH) - BRO_PLUGIN_DESCRIPTION("SSH Analyzer"); + BRO_PLUGIN_DESCRIPTION("SSH analyzer"); BRO_PLUGIN_ANALYZER("SSH", ssh::SSH_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ssl/Plugin.cc b/src/analyzer/protocol/ssl/Plugin.cc index b406e4aa8b..5edbecd480 100644 --- a/src/analyzer/protocol/ssl/Plugin.cc +++ b/src/analyzer/protocol/ssl/Plugin.cc 
@@ -4,7 +4,7 @@ #include "SSL.h" BRO_PLUGIN_BEGIN(SSL) - BRO_PLUGIN_DESCRIPTION("SSL Analyzer"); + BRO_PLUGIN_DESCRIPTION("SSL analyzer"); BRO_PLUGIN_ANALYZER("SSL", ssl::SSL_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(functions); diff --git a/src/analyzer/protocol/stepping-stone/Plugin.cc b/src/analyzer/protocol/stepping-stone/Plugin.cc index 748c5fac5f..bde87384fa 100644 --- a/src/analyzer/protocol/stepping-stone/Plugin.cc +++ b/src/analyzer/protocol/stepping-stone/Plugin.cc @@ -4,7 +4,7 @@ #include "SteppingStone.h" BRO_PLUGIN_BEGIN(SteppingStone) - BRO_PLUGIN_DESCRIPTION("SteppingStone Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("STEPPINGSTONE", stepping_stone::SteppingStone_Analyzer); + BRO_PLUGIN_DESCRIPTION("Stepping stone analyzer (deprecated)"); + BRO_PLUGIN_ANALYZER("SteppingStone", stepping_stone::SteppingStone_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/syslog/Plugin.cc b/src/analyzer/protocol/syslog/Plugin.cc index f5d955942b..0616cace14 100644 --- a/src/analyzer/protocol/syslog/Plugin.cc +++ b/src/analyzer/protocol/syslog/Plugin.cc @@ -4,7 +4,7 @@ #include "Syslog.h" BRO_PLUGIN_BEGIN(Syslog) - BRO_PLUGIN_DESCRIPTION("Syslog Analyzer (UDP-only currently)"); - BRO_PLUGIN_ANALYZER("SYSLOG", syslog::Syslog_Analyzer); + BRO_PLUGIN_DESCRIPTION("Syslog analyzer (UDP-only currently)"); + BRO_PLUGIN_ANALYZER("Syslog", syslog::Syslog_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/tcp/Plugin.cc b/src/analyzer/protocol/tcp/Plugin.cc index 376c54d332..8342f2ed3e 100644 --- a/src/analyzer/protocol/tcp/Plugin.cc +++ b/src/analyzer/protocol/tcp/Plugin.cc @@ -4,7 +4,7 @@ #include "TCP.h" BRO_PLUGIN_BEGIN(TCP) - BRO_PLUGIN_DESCRIPTION("TCP Analyzer"); + BRO_PLUGIN_DESCRIPTION("TCP analyzer"); BRO_PLUGIN_ANALYZER("TCP", tcp::TCP_Analyzer); BRO_PLUGIN_ANALYZER("TCPStats", tcp::TCPStats_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("ContentLine"); 
diff --git a/src/analyzer/protocol/teredo/Plugin.cc b/src/analyzer/protocol/teredo/Plugin.cc
index 1ea1c03238..38f3a8edd9 100644
--- a/src/analyzer/protocol/teredo/Plugin.cc
+++ b/src/analyzer/protocol/teredo/Plugin.cc
@@ -4,7 +4,7 @@
 #include "Teredo.h"
 BRO_PLUGIN_BEGIN(Teredo)
- BRO_PLUGIN_DESCRIPTION("Teredo Analyzer");
- BRO_PLUGIN_ANALYZER("TEREDO", teredo::Teredo_Analyzer);
+ BRO_PLUGIN_DESCRIPTION("Teredo analyzer");
+ BRO_PLUGIN_ANALYZER("Teredo", teredo::Teredo_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
From eb3218590e69dcfac86ddd1eba725a259929fb86 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Fri, 19 Apr 2013 16:26:19 -0700
Subject: [PATCH 044/200] Cleaning up analyzer naming. Also adding the script-level ID to the -NN output.
---
 src/analyzer/Component.cc | 27 +++++++++++++++++++++++++++
 src/analyzer/Component.h | 13 ++++++++++++-
 src/analyzer/Manager.cc | 22 +++++++---------------
 src/analyzer/protocol/TODO | 5 +----
 4 files changed, 47 insertions(+), 20 deletions(-)
diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc
index 6ce433a594..78705643e9 100644
--- a/src/analyzer/Component.cc
+++ b/src/analyzer/Component.cc
@@ -1,5 +1,6 @@
 #include "Component.h"
+#include "Manager.h"
 #include "../Desc.h"
@@ -7,10 +8,26 @@ using namespace analyzer;
 Tag::type_t Component::type_counter = 0;
+static const char* canonify_name(const char* name)
+ {
+ unsigned int len = strlen(name);
+ char* nname = new char[len + 1];
+
+ for ( unsigned int i = 0; i < len; i++ )
+ {
+ char c = isalnum(name[i]) ? name[i] : '_';
+ nname[i] = toupper(c);
+ }
+
+ nname[len] = '\0';
+ return nname;
+ }
+
 Component::Component(const char* arg_name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial)
 : plugin::Component(plugin::component::ANALYZER)
 {
 name = copy_string(arg_name);
+ canon_name = canonify_name(arg_name);
 factory = arg_factory;
 enabled = arg_enabled;
 partial = arg_partial;
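Review bot: `canonify_name` feeds raw `char` values to `isalnum()` and `toupper()`; where `char` is signed, any byte above 0x7F in an analyzer name becomes a negative argument, which the <cctype> functions do not accept (undefined behaviour), so cast first: `char c = isalnum((unsigned char)name[i]) ? name[i] : '_';` and `nname[i] = toupper((unsigned char)c);`. The hunk adds `#include "Manager.h"` but nothing for `strlen`/`isalnum`/`toupper`; including `<cstring>` and `<cctype>` directly keeps this file from depending on whatever Manager.h happens to pull in. A one-line comment on the helper, `// Returns a new[] buffer owned by the Component (released in its destructor); non-alphanumerics map to '_' and letters are upper-cased.`, would document both ownership and the mapping, since the destructor that frees `canon_name` lives in a later hunk. The constructor body continues past the end of this hunk.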
@@ -22,6 +39,7 @@ Component::Component(const Component& other)
 : plugin::Component(Type())
 {
 name = copy_string(other.name);
+ canon_name = copy_string(other.canon_name);
 factory = other.factory;
 enabled = other.enabled;
 partial = other.partial;
@@ -31,6 +49,7 @@ Component::Component(const Component& other)
 Component::~Component()
 {
 delete [] name;
+ delete [] canon_name;
 }
 analyzer::Tag Component::Tag() const
@@ -43,6 +62,14 @@ void Component::Describe(ODesc* d)
 plugin::Component::Describe(d);
 d->Add(name);
 d->Add(" (");
+
+ if ( factory )
+ {
+ d->Add("ANALYZER_");
+ d->Add(canon_name);
+ d->Add(", ");
+ }
+
 d->Add(enabled ? "enabled" : "disabled");
 d->Add(")");
 }
diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h
index 67751e1b35..6e72f87155 100644
--- a/src/analyzer/Component.h
+++ b/src/analyzer/Component.h
@@ -68,10 +68,20 @@ public:
 /**
 * Returns the name of the analyzer. This name is unique across all
- * analyzers and used to identify it.
+ * analyzers and used to identify it. The returned name is derived
+ * from what's passed to the constructor but upper-cased and
+ * canonified to allow being part of a script-level ID.
 */
 const char* Name() const { return name; }
+ /**
+ * Returns a canonocalized version of the analyzer's name. The
+ * returned name is derived from what's passed to the constructor but
+ * upper-cased and transformed to allow being part of a script-level
+ * ID.
+ */
+ const char* CanonicalName() const { return canon_name; }
+
 /**
 * Returns the analyzer's factory function.
 */
@@ -115,6 +125,7 @@ public:
 private:
 const char* name; // The analyzer's name.
+ const char* canon_name; // The analyzer's canonical name.
 factory_callback factory; // The analyzer's factory callback.
 bool partial; // True if the analyzer supports partial connections.
 analyzer::Tag tag; // The automatically assigned analyzer tag.
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index d337c0b849..4f33ccef93 100644
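Review bot: The copy constructor and destructor hunks handle `canon_name`, but if `Component` also defines, or relies on the compiler-generated, copy assignment, that path is not visible here and would leave two objects sharing one `canon_name` buffer that `delete [] canon_name` then frees twice; worth checking Component.h for an `operator=` and either giving it the same `copy_string` treatment or deleting it. `Describe()` now emits `ANALYZER_<canon_name>` only when `factory` is set, which presumably excludes the bare and support analyzers registered elsewhere in this series; a short comment such as `// Only analyzers with a factory get a script-level ANALYZER_* ID.` would make that intent explicit.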
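Review bot: The updated docstring on `Name()` now says the returned name is upper-cased and canonified, but `Name()` still returns `name`, which the constructor sets from `copy_string(arg_name)` unchanged; only `CanonicalName()` returns the transformed string. Restore the `Name()` text to describe the raw name, e.g. `* analyzers and used to identify it. It is the name exactly as passed to the constructor; see CanonicalName() for the script-level form.`, and fix the typo `canonocalized` → `canonicalized` in the new comment. The `canon_name` member comment could also note that the buffer is owned by the component and released in the destructor, as the Component.cc hunks above show.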
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -136,14 +136,6 @@ void Manager::DumpDebug()
 DBG_LOG(DBG_ANALYZER, " %d/udp: %s", i->first, s.c_str());
 }
-#if 0
- ODesc d;
- tag_enum_type->Describe(&d);
-
- DBG_LOG(DBG_ANALYZER, "");
- DBG_LOG(DBG_ANALYZER, "Analyzer::Tag type: %s", d.Description());
-#endif
-
 #endif
 }
@@ -153,20 +145,20 @@ void Manager::Done()
 void Manager::RegisterAnalyzerComponent(Component* component)
 {
- if ( Lookup(component->Name()) )
- reporter->FatalError("Analyzer %s defined more than once", component->Name());
+ const char* cname = component->CanonicalName();
- string name = to_upper(component->Name());
+ if ( Lookup(cname) )
+ reporter->FatalError("Analyzer %s defined more than once", cname);
 DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)",
- name.c_str(), component->Tag().AsString().c_str());
+ component->Name(), component->Tag().AsString().c_str());
- analyzers_by_name.insert(std::make_pair(name, component));
+ analyzers_by_name.insert(std::make_pair(cname, component));
 analyzers_by_tag.insert(std::make_pair(component->Tag(), component));
 analyzers_by_val.insert(std::make_pair(component->Tag().AsEnumVal()->InternalInt(), component));
 // Install enum "Analyzer::ANALYZER_*"
- string id = fmt("ANALYZER_%s", name.c_str());
+ string id = fmt("ANALYZER_%s", cname);
 tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().AsEnumVal()->InternalInt(), true);
 }
@@ -341,7 +333,7 @@ const char* Manager::GetAnalyzerName(Tag tag)
 if ( ! c )
 reporter->InternalError("request for name of unknown analyzer tag %s", tag.AsString().c_str());
- return c->Name();
+ return c->CanonicalName();
 }
 const char* Manager::GetAnalyzerName(Val* val)
diff --git a/src/analyzer/protocol/TODO b/src/analyzer/protocol/TODO
index 4302252a49..d1888a18f1 100644
--- a/src/analyzer/protocol/TODO
+++ b/src/analyzer/protocol/TODO
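Review bot: The duplicate-registration check in `RegisterAnalyzerComponent` now keys on the canonical name, so two analyzers whose raw names differ only in case or punctuation (e.g. `Foo-Bar` and `FOO_BAR`, a constructed example) collide, but the `FatalError` prints only `cname`, which hides that the conflict comes from canonification rather than a literal duplicate. Print both, `reporter->FatalError("Analyzer %s (canonical name %s) defined more than once", component->Name(), cname);`, so a plugin author can see which two registrations clashed. The `DBG_LOG` just below still reports `component->Name()` while the maps and the `ANALYZER_*` enum use `cname`; logging both there as well would keep the debug output consistent with the lookup key. Since `GetAnalyzerName(Tag)` in the last hunk also switches to `CanonicalName()`, any log or script output that prints analyzer names changes form with this commit, which deserves a sentence in the commit message.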
@@ -1,5 +1,2 @@ - -- cleanup analyzer descriptions -- can now lower-case the analyzer name in plugin -- not sure cmake dependencies work right yet +- cmake dependencies don't work right yet From 10dc8b927907332aa6a70fee0dc91b9325d047c8 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 19 Apr 2013 16:35:24 -0700 Subject: [PATCH 045/200] Updating tests. --- doc/scripts/DocSourcesList.cmake | 83 ++++++++++--------- .../canonified_loaded_scripts.log | 20 +++-- .../canonified_loaded_scripts.log | 20 +++-- .../scripts/base/protocols/modbus/events.bro | 2 +- 4 files changed, 73 insertions(+), 52 deletions(-) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 00cba8bab7..0dc98999ca 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
@@ -17,43 +17,52 @@ rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/analyzer.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ayiya/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/backdoor/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/bittorrent/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/conn-size/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dce-rpc/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dhcp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dns/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/file/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/finger/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ftp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gnutella/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gtpv1/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/functions.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/icmp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ident/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/interconn/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/irc/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/login/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/modbus/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ncp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src 
base/analyzer/protocols/netbios-ssn/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ntp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pia/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pop3/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/rpc/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smb/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smtp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/socks/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssh/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssl/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/stepping-stone/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/syslog/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/tcp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/teredo/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/udp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/zip/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/arp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ayiya/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/backdoor/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/bittorrent/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/conn-size/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dce-rpc/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dhcp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dns/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src 
base/analyzer/protocol/file/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/finger/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ftp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ftp/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/gnutella/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/gtpv1/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/http/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/http/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/icmp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ident/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/interconn/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/irc/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/login/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/login/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/mime/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/modbus/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ncp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netbios/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netbios/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netflow/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ntp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/pia/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/pop3/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/rpc/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src 
base/analyzer/protocol/smb/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/smtp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/smtp/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/socks/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssh/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssl/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssl/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/stepping-stone/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/syslog/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/tcp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/tcp/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/teredo/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/udp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/zip/events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index a4933aba7b..3843616bda 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-17-03-50-16 +#open 2013-04-19-23-31-06 #fields name #types string scripts/base/init-bare.bro 
@@ -33,9 +33,8 @@ scripts/base/init-bare.bro scripts/base/frameworks/analyzer/./main.bro build/scripts/base/bif/analyzer.bif.bro build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./ARP.events.bif.bro build/scripts/base/bif/plugins/./AYIYA.events.bif.bro - build/scripts/base/bif/plugins/./BACKDOOR.events.bif.bro - build/scripts/base/bif/plugins/./BITTORRENT.events.bif.bro build/scripts/base/bif/plugins/./BackDoor.events.bif.bro build/scripts/base/bif/plugins/./BitTorrent.events.bif.bro build/scripts/base/bif/plugins/./ConnSize.events.bif.bro @@ -43,10 +42,10 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./DHCP.events.bif.bro build/scripts/base/bif/plugins/./DNS.events.bif.bro build/scripts/base/bif/plugins/./FTP.events.bif.bro + build/scripts/base/bif/plugins/./FTP.functions.bif.bro build/scripts/base/bif/plugins/./File.events.bif.bro - build/scripts/base/bif/plugins/./FileAnalyzer.events.bif.bro build/scripts/base/bif/plugins/./Finger.events.bif.bro - build/scripts/base/bif/plugins/./GTPV1.events.bif.bro + build/scripts/base/bif/plugins/./GTPv1.events.bif.bro build/scripts/base/bif/plugins/./Gnutella.events.bif.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro 
@@ -55,23 +54,30 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./Ident.events.bif.bro build/scripts/base/bif/plugins/./InterConn.events.bif.bro build/scripts/base/bif/plugins/./Login.events.bif.bro + build/scripts/base/bif/plugins/./Login.functions.bif.bro + build/scripts/base/bif/plugins/./MIME.events.bif.bro build/scripts/base/bif/plugins/./Modbus.events.bif.bro build/scripts/base/bif/plugins/./NCP.events.bif.bro build/scripts/base/bif/plugins/./NTP.events.bif.bro - build/scripts/base/bif/plugins/./NetbiosSSN.events.bif.bro + build/scripts/base/bif/plugins/./NetBIOS.events.bif.bro + build/scripts/base/bif/plugins/./NetBIOS.functions.bif.bro + build/scripts/base/bif/plugins/./NetFlow.events.bif.bro build/scripts/base/bif/plugins/./PIA.events.bif.bro build/scripts/base/bif/plugins/./POP3.events.bif.bro build/scripts/base/bif/plugins/./RPC.events.bif.bro build/scripts/base/bif/plugins/./SMB.events.bif.bro build/scripts/base/bif/plugins/./SMTP.events.bif.bro + build/scripts/base/bif/plugins/./SMTP.functions.bif.bro build/scripts/base/bif/plugins/./SOCKS.events.bif.bro build/scripts/base/bif/plugins/./SSH.events.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./SSL.functions.bif.bro build/scripts/base/bif/plugins/./SteppingStone.events.bif.bro build/scripts/base/bif/plugins/./Syslog.events.bif.bro build/scripts/base/bif/plugins/./TCP.events.bif.bro + build/scripts/base/bif/plugins/./TCP.functions.bif.bro build/scripts/base/bif/plugins/./Teredo.events.bif.bro build/scripts/base/bif/plugins/./UDP.events.bif.bro build/scripts/base/bif/plugins/./ZIP.events.bif.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-17-03-50-16 +#close 2013-04-19-23-31-06 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index d469dad0bc..af0b205971 100644 
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-17-03-50-51 +#open 2013-04-19-23-31-58 #fields name #types string scripts/base/init-bare.bro @@ -33,9 +33,8 @@ scripts/base/init-bare.bro scripts/base/frameworks/analyzer/./main.bro build/scripts/base/bif/analyzer.bif.bro build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./ARP.events.bif.bro build/scripts/base/bif/plugins/./AYIYA.events.bif.bro - build/scripts/base/bif/plugins/./BACKDOOR.events.bif.bro - build/scripts/base/bif/plugins/./BITTORRENT.events.bif.bro build/scripts/base/bif/plugins/./BackDoor.events.bif.bro build/scripts/base/bif/plugins/./BitTorrent.events.bif.bro build/scripts/base/bif/plugins/./ConnSize.events.bif.bro @@ -43,10 +42,10 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./DHCP.events.bif.bro build/scripts/base/bif/plugins/./DNS.events.bif.bro build/scripts/base/bif/plugins/./FTP.events.bif.bro + build/scripts/base/bif/plugins/./FTP.functions.bif.bro build/scripts/base/bif/plugins/./File.events.bif.bro - build/scripts/base/bif/plugins/./FileAnalyzer.events.bif.bro build/scripts/base/bif/plugins/./Finger.events.bif.bro - build/scripts/base/bif/plugins/./GTPV1.events.bif.bro + build/scripts/base/bif/plugins/./GTPv1.events.bif.bro build/scripts/base/bif/plugins/./Gnutella.events.bif.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro 
@@ -55,21 +54,28 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./Ident.events.bif.bro build/scripts/base/bif/plugins/./InterConn.events.bif.bro build/scripts/base/bif/plugins/./Login.events.bif.bro + build/scripts/base/bif/plugins/./Login.functions.bif.bro + build/scripts/base/bif/plugins/./MIME.events.bif.bro build/scripts/base/bif/plugins/./Modbus.events.bif.bro build/scripts/base/bif/plugins/./NCP.events.bif.bro build/scripts/base/bif/plugins/./NTP.events.bif.bro - build/scripts/base/bif/plugins/./NetbiosSSN.events.bif.bro + build/scripts/base/bif/plugins/./NetBIOS.events.bif.bro + build/scripts/base/bif/plugins/./NetBIOS.functions.bif.bro + build/scripts/base/bif/plugins/./NetFlow.events.bif.bro build/scripts/base/bif/plugins/./PIA.events.bif.bro build/scripts/base/bif/plugins/./POP3.events.bif.bro build/scripts/base/bif/plugins/./RPC.events.bif.bro build/scripts/base/bif/plugins/./SMB.events.bif.bro build/scripts/base/bif/plugins/./SMTP.events.bif.bro + build/scripts/base/bif/plugins/./SMTP.functions.bif.bro build/scripts/base/bif/plugins/./SOCKS.events.bif.bro build/scripts/base/bif/plugins/./SSH.events.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./SSL.functions.bif.bro build/scripts/base/bif/plugins/./SteppingStone.events.bif.bro build/scripts/base/bif/plugins/./Syslog.events.bif.bro build/scripts/base/bif/plugins/./TCP.events.bif.bro + build/scripts/base/bif/plugins/./TCP.functions.bif.bro build/scripts/base/bif/plugins/./Teredo.events.bif.bro build/scripts/base/bif/plugins/./UDP.events.bif.bro build/scripts/base/bif/plugins/./ZIP.events.bif.bro @@ -163,4 +169,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-17-03-50-51 +#close 2013-04-19-23-31-58 
diff --git a/testing/btest/scripts/base/protocols/modbus/events.bro b/testing/btest/scripts/base/protocols/modbus/events.bro index f648a0adde..a0c8e20258 100644 --- a/testing/btest/scripts/base/protocols/modbus/events.bro +++ b/testing/btest/scripts/base/protocols/modbus/events.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -r $TRACES/modbus/modbus.trace %INPUT | sort | uniq -c | sed 's/^ *//g' >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered -# @TEST-EXEC: cat ${DIST}/src/event.bif | grep "^event modbus_" | wc -l >total +# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total # @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage # @TEST-EXEC: btest-diff coverage From bdc43fc8ddd32b8ac4f162eefa49f2e78ee1e3e0 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 15 May 2013 19:04:45 -0700 Subject: [PATCH 046/200] CMake policy fix to avoid errors with older version. Looks like we could avoid this by raising the minimum cmake version to 2.6.4. --- src/CMakeLists.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 66d7022695..447b7d9ec7 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -228,8 +228,12 @@ binpac_target(modbus.pac find_package (Threads) # Avoid CMake warning about "3rdparty" looking like a number. + cmake_policy(PUSH) + +if (POLICY CMP0012) cmake_policy(SET CMP0012 NEW) +endif () # This macro stores associated headers for any C/C++ source files given # as arguments (past _var) as a list in the CMake variable named "_var". From 5ff762132836fda10a154e14eadc3884d38b2e1e Mon Sep 17 00:00:00 2001 
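Review bot: The new `if (POLICY CMP0012)` guard makes the policy setting silently conditional, while the comment above it ("Avoid CMake warning about "3rdparty" looking like a number") still reads as if NEW semantics are always in effect; on a CMake that does not know CMP0012 the guard is simply skipped and, presumably, the OLD `if()` semantics and the warning the comment mentions remain. A one-line comment inside the guard would spare the next reader a trip to the CMake docs, e.g. `# Older CMake predates CMP0012: the policy is skipped there and the number-vs-string warning may still appear.` The `cmake_policy(PUSH)` shown as context needs a matching `cmake_policy(POP)` after the guarded block; that line is outside the hunk, so please confirm the pair is still balanced with the `if`/`endif` inserted between them.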
From: Robin Sommer Date: Wed, 15 May 2013 19:13:51 -0700 Subject: [PATCH 047/200] Fix for 'fchmod undeclared here' on FreeBSD. This is from http://www.sqlite.org/cgi/src/tktview/de87b8dc7b367965c13d16becfd6996bbcd4be80 Doesn't seem applied yet, and may not be the best solution anyways. --- src/3rdparty/sqlite3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/3rdparty/sqlite3.c b/src/3rdparty/sqlite3.c index 51e54a1894..77f14da90d 100644 --- a/src/3rdparty/sqlite3.c +++ b/src/3rdparty/sqlite3.c @@ -23260,6 +23260,9 @@ static int posixFchown(int fd, uid_t uid, gid_t gid){ /* Forward reference */ static int openDirectory(const char*, int*); +/* Fix for "error: 'fchmod' undeclared here (not in a function)" on FreeBSD 9 */ +int fchmod(int, mode_t); + /* ** Many system calls are accessed through pointer-to-functions so that ** they may be overridden at runtime to facilitate fault injection during From 87528709678e450f6c9d5596af035711d627f871 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Wed, 15 May 2013 20:22:51 -0700 Subject: [PATCH 048/200] Fixing cmake dependencies and "make {install,clean}" Also includes a bunch of cleanup. --- cmake | 2 +- src/CMakeLists.txt | 34 ++++++++++++------- src/FlowSrc.cc | 2 +- src/analyzer/CMakeLists.txt | 10 ++---- src/analyzer/Manager.cc | 18 +++++----- src/analyzer/protocol/arp/CMakeLists.txt | 2 +- src/analyzer/protocol/arp/Plugin.cc | 2 +- src/analyzer/protocol/ayiya/CMakeLists.txt | 2 +- src/analyzer/protocol/ayiya/Plugin.cc | 2 +- src/analyzer/protocol/backdoor/CMakeLists.txt | 2 +- src/analyzer/protocol/backdoor/Plugin.cc | 2 +- .../protocol/bittorrent/CMakeLists.txt | 2 +- src/analyzer/protocol/bittorrent/Plugin.cc | 2 +- .../protocol/conn-size/CMakeLists.txt | 2 +- src/analyzer/protocol/conn-size/Plugin.cc | 2 +- src/analyzer/protocol/dce-rpc/CMakeLists.txt | 3 +- src/analyzer/protocol/dce-rpc/Plugin.cc | 2 +- src/analyzer/protocol/dhcp/CMakeLists.txt | 2 +- src/analyzer/protocol/dhcp/Plugin.cc | 2 +- src/analyzer/protocol/dns/CMakeLists.txt | 2 +- src/analyzer/protocol/dns/Plugin.cc | 2 +- src/analyzer/protocol/file/CMakeLists.txt | 2 +- src/analyzer/protocol/file/Plugin.cc | 2 +- src/analyzer/protocol/finger/CMakeLists.txt | 2 +- src/analyzer/protocol/finger/Plugin.cc | 2 +- src/analyzer/protocol/ftp/CMakeLists.txt | 2 +- src/analyzer/protocol/ftp/Plugin.cc | 2 +- src/analyzer/protocol/gnutella/CMakeLists.txt | 2 +- src/analyzer/protocol/gnutella/Plugin.cc | 2 +- src/analyzer/protocol/gtpv1/CMakeLists.txt | 2 +- src/analyzer/protocol/gtpv1/Plugin.cc | 2 +- src/analyzer/protocol/http/CMakeLists.txt | 2 +- src/analyzer/protocol/http/Plugin.cc | 2 +- src/analyzer/protocol/icmp/CMakeLists.txt | 2 +- src/analyzer/protocol/icmp/Plugin.cc | 2 +- src/analyzer/protocol/ident/CMakeLists.txt | 2 +- src/analyzer/protocol/ident/Plugin.cc | 2 +- .../protocol/interconn/CMakeLists.txt | 2 +- src/analyzer/protocol/interconn/Plugin.cc | 2 +- src/analyzer/protocol/irc/CMakeLists.txt | 2 +- 
src/analyzer/protocol/irc/Plugin.cc | 2 +- src/analyzer/protocol/login/CMakeLists.txt | 2 +- src/analyzer/protocol/login/Plugin.cc | 2 +- src/analyzer/protocol/mime/CMakeLists.txt | 2 +- src/analyzer/protocol/mime/Plugin.cc | 2 +- src/analyzer/protocol/modbus/CMakeLists.txt | 2 +- src/analyzer/protocol/modbus/Plugin.cc | 2 +- src/analyzer/protocol/ncp/CMakeLists.txt | 2 +- src/analyzer/protocol/ncp/Plugin.cc | 2 +- src/analyzer/protocol/netbios/CMakeLists.txt | 5 ++- src/analyzer/protocol/netbios/Plugin.cc | 2 +- src/analyzer/protocol/netflow/CMakeLists.txt | 2 +- src/analyzer/protocol/netflow/Plugin.cc | 2 +- src/analyzer/protocol/ntp/CMakeLists.txt | 2 +- src/analyzer/protocol/ntp/Plugin.cc | 2 +- src/analyzer/protocol/pia/CMakeLists.txt | 2 +- src/analyzer/protocol/pia/Plugin.cc | 2 +- src/analyzer/protocol/pop3/CMakeLists.txt | 2 +- src/analyzer/protocol/pop3/Plugin.cc | 2 +- src/analyzer/protocol/rpc/CMakeLists.txt | 2 +- src/analyzer/protocol/rpc/Plugin.cc | 2 +- src/analyzer/protocol/smb/CMakeLists.txt | 3 +- src/analyzer/protocol/smb/Plugin.cc | 2 +- src/analyzer/protocol/smtp/CMakeLists.txt | 2 +- src/analyzer/protocol/smtp/Plugin.cc | 2 +- src/analyzer/protocol/socks/CMakeLists.txt | 2 +- src/analyzer/protocol/socks/Plugin.cc | 2 +- src/analyzer/protocol/ssh/CMakeLists.txt | 2 +- src/analyzer/protocol/ssh/Plugin.cc | 2 +- src/analyzer/protocol/ssl/CMakeLists.txt | 2 +- src/analyzer/protocol/ssl/Plugin.cc | 2 +- .../protocol/stepping-stone/CMakeLists.txt | 2 +- .../protocol/stepping-stone/Plugin.cc | 2 +- src/analyzer/protocol/syslog/CMakeLists.txt | 2 +- src/analyzer/protocol/syslog/Plugin.cc | 2 +- src/analyzer/protocol/tcp/CMakeLists.txt | 2 +- src/analyzer/protocol/tcp/Plugin.cc | 2 +- src/analyzer/protocol/teredo/CMakeLists.txt | 2 +- src/analyzer/protocol/teredo/Plugin.cc | 2 +- src/analyzer/protocol/udp/CMakeLists.txt | 2 +- src/analyzer/protocol/udp/Plugin.cc | 2 +- src/analyzer/protocol/zip/CMakeLists.txt | 2 +- src/analyzer/protocol/zip/Plugin.cc 
| 2 +- src/bro.bif | 2 -- src/builtin-func.l | 9 +++-- src/plugin/Macros.h | 8 ++--- 86 files changed, 130 insertions(+), 116 deletions(-) diff --git a/cmake b/cmake index c50757259f..0034421286 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit c50757259f509f13227cf28bbd4fd281828a39d2 +Subproject commit 0034421286f23a3d7ab2044d658c3ac72797569b diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index b374c64d2c..0ab11fc85e 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -3,6 +3,9 @@ include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR} ) +# This collects generated bif and pac files from subdirectories. +set(bro_ALL_GENERATED_OUTPUTS CACHE INTERNAL "automatically generated files" FORCE) + configure_file(version.c.in ${CMAKE_CURRENT_BINARY_DIR}/version.c) configure_file(util-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/util-config.h) @@ -114,11 +117,9 @@ set(BIF_SRCS ) foreach (bift ${BIF_SRCS}) - bif_target(${bift}) + bif_target(${bift} "standard") endforeach () -add_custom_target(generate_bifs DEPENDS ${ALL_BIF_OUTPUTS}) - ######################################################################## ## BinPAC-dependent targets @@ -131,7 +132,10 @@ set(BINPAC_AUXSRC ) binpac_target(binpac-lib.pac) +list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}") + binpac_target(binpac_bro-lib.pac) +list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}") ######################################################################## ## Including subdirectories. @@ -156,7 +160,7 @@ find_package (Threads) macro(COLLECT_HEADERS _var) foreach (src ${ARGN}) get_filename_component(ext ${src} EXT) - if (${ext} STREQUAL ".cc" OR ${ext} STREQUAL ".c") + if ("${ext}" STREQUAL ".cc" OR "${ext}" STREQUAL ".c") get_filename_component(base ${src} NAME_WE) get_filename_component(dir ${src} PATH) if (NOT "${dir}") 
@@ -189,10 +193,8 @@ set_source_files_properties(nb_dns.c PROPERTIES COMPILE_FLAGS set(bro_SRCS ${CMAKE_CURRENT_BINARY_DIR}/version.c ${BIF_SRCS} - ${ALL_BIF_OUTPUTS} ${BINPAC_AUXSRC} - ${ALL_BINPAC_INPUTS} - ${ALL_BINPAC_OUTPUTS} + ${BINPAC_OUTPUTS} ${TRANSFORMED_BISON_OUTPUTS} ${FLEX_RuleScanner_OUTPUTS} ${FLEX_RuleScanner_INPUT} @@ -333,12 +335,20 @@ add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_SUBDIRS}) target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT}) install(TARGETS bro DESTINATION bin) -install(FILES ${INSTALL_BIF_OUTPUTS} DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base) set(BRO_EXE bro CACHE STRING "Bro executable binary" FORCE) -include(BroPlugin) -bro_plugin_bif_create_loader(bif_loader ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins) -add_dependencies(bif_loader ${bro_SUBDIRS}) -add_dependencies(bro bif_loader) +add_custom_target(generate_outputs DEPENDS ${bro_ALL_GENERATED_OUTPUTS}) + +# Build __load__.bro files for plugins/*.bif.bro. +bro_bif_create_loader(bif_loader_plugins ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins) +add_dependencies(bif_loader_plugins ${bro_SUBDIRS}) +add_dependencies(bro bif_loader_plugins) + +# Install *.bif.bro. +install(DIRECTORY ${CMAKE_BINARY_DIR}/scripts/base/bif DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base) + +# Make clean removes the bif directory. +set_directory_properties(PROPERTIES ADDITIONAL_MAKE_CLEAN_FILES ${CMAKE_BINARY_DIR}/scripts/base/bif) + diff --git a/src/FlowSrc.cc b/src/FlowSrc.cc index 59ce3fd6a4..f5fb0bd1e6 100644 --- a/src/FlowSrc.cc +++ b/src/FlowSrc.cc @@ -9,7 +9,7 @@ #include "FlowSrc.h" #include "Net.h" -#include "netflow_pac.h" +#include "analyzer/protocol/netflow/netflow_pac.h" #include FlowSrc::FlowSrc() diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt index 026bbac80a..1e91141114 100644 --- a/src/analyzer/CMakeLists.txt +++ b/src/analyzer/CMakeLists.txt 
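Review bot: The new `install(DIRECTORY ${CMAKE_BINARY_DIR}/scripts/base/bif DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base)` replaces the explicit `install(FILES ${INSTALL_BIF_OUTPUTS} ...)` list with a recursive copy of a build-tree directory, so whatever happens to be in it is shipped into the script install path: stale `*.bif.bro` left over from a renamed analyzer (the baselines earlier in this series show `NetbiosSSN.events.bif.bro` becoming `NetBIOS.events.bif.bro`), editor backups, or the remains of an aborted generation run. Restricting the copy to what the build actually produces keeps an unclean build directory from leaking into an installation, e.g. `install(DIRECTORY ${CMAKE_BINARY_DIR}/scripts/base/bif DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base FILES_MATCHING PATTERN "*.bro")`. The `ADDITIONAL_MAKE_CLEAN_FILES` line added below only helps when `make clean` is actually run before `make install`, so it does not cover the incremental-build case.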
@@ -13,10 +13,6 @@ set(analyzer_SRCS Tag.cc ) -bif_target_for_subdir(analyzer.bif) - -bro_plugin_dependencies(DCE_RPC generate_analyzer.bif) - -add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC} ${BIF_OUTPUT_H}) - -add_dependencies(bro_analyzer generate_events.bif) +bif_target(analyzer.bif) +add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC}) +add_dependencies(bro_analyzer generate_outputs) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 4f33ccef93..22912ad19d 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -4,18 +4,18 @@ #include "Hash.h" #include "Val.h" -#include "analyzer/protocol/backdoor/BackDoor.h" -#include "analyzer/protocol/conn-size/ConnSize.h" -#include "analyzer/protocol/icmp/ICMP.h" -#include "analyzer/protocol/interconn/InterConn.h" -#include "analyzer/protocol/pia/PIA.h" -#include "analyzer/protocol/stepping-stone/SteppingStone.h" -#include "analyzer/protocol/tcp/TCP.h" -#include "analyzer/protocol/udp/UDP.h" +#include "protocol/backdoor/BackDoor.h" +#include "protocol/conn-size/ConnSize.h" +#include "protocol/icmp/ICMP.h" +#include "protocol/interconn/InterConn.h" +#include "protocol/pia/PIA.h" +#include "protocol/stepping-stone/SteppingStone.h" +#include "protocol/tcp/TCP.h" +#include "protocol/udp/UDP.h" #include "plugin/Manager.h" -#include "protocols/tcp/events.bif.h" +#include "protocol/tcp/events.bif.h" using namespace analyzer; diff --git a/src/analyzer/protocol/arp/CMakeLists.txt b/src/analyzer/protocol/arp/CMakeLists.txt index 5654802b07..eec6755a18 100644 --- a/src/analyzer/protocol/arp/CMakeLists.txt +++ b/src/analyzer/protocol/arp/CMakeLists.txt @@ -8,7 +8,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(ARP) +bro_plugin_begin(Bro ARP) bro_plugin_cc(ARP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() 
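Review bot: The include paths in Manager.cc are shortened to `protocol/...` (relative to src/analyzer, presumably resolved through the quote-include rule or an include directory not visible here), while FlowSrc.cc in this same commit switches to the full `analyzer/protocol/netflow/netflow_pac.h` path; the tree now spells the same headers two ways, and the short form only works from files that live under src/analyzer. Picking one root for generated and plugin headers, e.g. `#include "analyzer/protocol/tcp/events.bif.h"` here, keeps a later move of Manager.cc or a new caller outside src/analyzer from breaking the build for a non-obvious reason. If the short form is deliberate, a brief comment next to the include block saying which include directory it relies on would make that explicit.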
diff --git a/src/analyzer/protocol/arp/Plugin.cc b/src/analyzer/protocol/arp/Plugin.cc index 06b4940719..9045ef412f 100644 --- a/src/analyzer/protocol/arp/Plugin.cc +++ b/src/analyzer/protocol/arp/Plugin.cc @@ -1,7 +1,7 @@ #include "plugin/Plugin.h" -BRO_PLUGIN_BEGIN(ARP) +BRO_PLUGIN_BEGIN(Bro, ARP) BRO_PLUGIN_DESCRIPTION("ARP Parsing Code"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ayiya/CMakeLists.txt b/src/analyzer/protocol/ayiya/CMakeLists.txt index 8f578a763b..ae23c25e2d 100644 --- a/src/analyzer/protocol/ayiya/CMakeLists.txt +++ b/src/analyzer/protocol/ayiya/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(AYIYA) +bro_plugin_begin(Bro AYIYA) bro_plugin_cc(AYIYA.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac) diff --git a/src/analyzer/protocol/ayiya/Plugin.cc b/src/analyzer/protocol/ayiya/Plugin.cc index 069aedde0a..0fc96eff3c 100644 --- a/src/analyzer/protocol/ayiya/Plugin.cc +++ b/src/analyzer/protocol/ayiya/Plugin.cc @@ -3,7 +3,7 @@ #include "AYIYA.h" -BRO_PLUGIN_BEGIN(AYIYA) +BRO_PLUGIN_BEGIN(Bro, AYIYA) BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer"); BRO_PLUGIN_ANALYZER("AYIYA", ayiya::AYIYA_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/backdoor/CMakeLists.txt b/src/analyzer/protocol/backdoor/CMakeLists.txt index b065cc2c95..5df04769f6 100644 --- a/src/analyzer/protocol/backdoor/CMakeLists.txt +++ b/src/analyzer/protocol/backdoor/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(BackDoor) +bro_plugin_begin(Bro BackDoor) bro_plugin_cc(BackDoor.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/backdoor/Plugin.cc b/src/analyzer/protocol/backdoor/Plugin.cc index b350e835a1..0983aaf5d3 100644 
--- a/src/analyzer/protocol/backdoor/Plugin.cc +++ b/src/analyzer/protocol/backdoor/Plugin.cc @@ -3,7 +3,7 @@ #include "BackDoor.h" -BRO_PLUGIN_BEGIN(BackDoor) +BRO_PLUGIN_BEGIN(Bro, BackDoor) BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)"); BRO_PLUGIN_ANALYZER("BackDoor", backdoor::BackDoor_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/bittorrent/CMakeLists.txt b/src/analyzer/protocol/bittorrent/CMakeLists.txt index 5a3f9372bb..630ea03498 100644 --- a/src/analyzer/protocol/bittorrent/CMakeLists.txt +++ b/src/analyzer/protocol/bittorrent/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(BitTorrent) +bro_plugin_begin(Bro BitTorrent) bro_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac) diff --git a/src/analyzer/protocol/bittorrent/Plugin.cc b/src/analyzer/protocol/bittorrent/Plugin.cc index 59e81749ce..2da9972d0d 100644 --- a/src/analyzer/protocol/bittorrent/Plugin.cc +++ b/src/analyzer/protocol/bittorrent/Plugin.cc @@ -4,7 +4,7 @@ #include "BitTorrent.h" #include "BitTorrentTracker.h" -BRO_PLUGIN_BEGIN(BitTorrent) +BRO_PLUGIN_BEGIN(Bro, BitTorrent) BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer"); BRO_PLUGIN_ANALYZER("BitTorrent", bittorrent::BitTorrent_Analyzer); BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrent_Analyzer); diff --git a/src/analyzer/protocol/conn-size/CMakeLists.txt b/src/analyzer/protocol/conn-size/CMakeLists.txt index e5edd9c947..efaadef401 100644 --- a/src/analyzer/protocol/conn-size/CMakeLists.txt +++ b/src/analyzer/protocol/conn-size/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(ConnSize) +bro_plugin_begin(Bro ConnSize) bro_plugin_cc(ConnSize.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/conn-size/Plugin.cc b/src/analyzer/protocol/conn-size/Plugin.cc index d72b97dac6..6993e15ff8 100644 --- a/src/analyzer/protocol/conn-size/Plugin.cc +++ b/src/analyzer/protocol/conn-size/Plugin.cc @@ -3,7 +3,7 @@ #include "ConnSize.h" -BRO_PLUGIN_BEGIN(ConnSize) +BRO_PLUGIN_BEGIN(Bro, ConnSize) BRO_PLUGIN_DESCRIPTION("Connection size analyzer"); BRO_PLUGIN_ANALYZER("ConnSize", conn_size::ConnSize_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt index 61e6170640..d9baa08acf 100644 --- a/src/analyzer/protocol/dce-rpc/CMakeLists.txt +++ b/src/analyzer/protocol/dce-rpc/CMakeLists.txt @@ -3,9 +3,10 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(DCE_RPC) +bro_plugin_begin(Bro DCE_RPC) bro_plugin_cc(DCE_RPC.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(dce_rpc.pac dce_rpc-protocol.pac dce_rpc-analyzer.pac) bro_plugin_pac(dce_rpc_simple.pac dce_rpc-protocol.pac epmapper.pac) bro_plugin_end() + diff --git a/src/analyzer/protocol/dce-rpc/Plugin.cc b/src/analyzer/protocol/dce-rpc/Plugin.cc index 368cffdc7f..d9f3ce16c8 100644 --- a/src/analyzer/protocol/dce-rpc/Plugin.cc +++ b/src/analyzer/protocol/dce-rpc/Plugin.cc @@ -3,7 +3,7 @@ #include "DCE_RPC.h" -BRO_PLUGIN_BEGIN(DCE_RPC) +BRO_PLUGIN_BEGIN(Bro, DCE_RPC) BRO_PLUGIN_DESCRIPTION("DCE-RPC analyzer"); BRO_PLUGIN_ANALYZER("DCE_RPC", dce_rpc::DCE_RPC_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC"); diff --git a/src/analyzer/protocol/dhcp/CMakeLists.txt b/src/analyzer/protocol/dhcp/CMakeLists.txt index f4552b666a..646a11f9ab 100644 
--- a/src/analyzer/protocol/dhcp/CMakeLists.txt +++ b/src/analyzer/protocol/dhcp/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(DHCP) +bro_plugin_begin(Bro DHCP) bro_plugin_cc(DHCP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac) diff --git a/src/analyzer/protocol/dhcp/Plugin.cc b/src/analyzer/protocol/dhcp/Plugin.cc index 8bc1c68a6b..73603f8cb1 100644 --- a/src/analyzer/protocol/dhcp/Plugin.cc +++ b/src/analyzer/protocol/dhcp/Plugin.cc @@ -3,7 +3,7 @@ #include "DHCP.h" -BRO_PLUGIN_BEGIN(DHCP) +BRO_PLUGIN_BEGIN(Bro, DHCP) BRO_PLUGIN_DESCRIPTION("DHCP analyzer"); BRO_PLUGIN_ANALYZER("DHCP", dhcp::DHCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/dns/CMakeLists.txt b/src/analyzer/protocol/dns/CMakeLists.txt index 38a4cedd03..c63b2dc690 100644 --- a/src/analyzer/protocol/dns/CMakeLists.txt +++ b/src/analyzer/protocol/dns/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(DNS) +bro_plugin_begin(Bro DNS) bro_plugin_cc(DNS.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/dns/Plugin.cc b/src/analyzer/protocol/dns/Plugin.cc index f4275b4181..bb96692cd0 100644 --- a/src/analyzer/protocol/dns/Plugin.cc +++ b/src/analyzer/protocol/dns/Plugin.cc @@ -3,7 +3,7 @@ #include "DNS.h" -BRO_PLUGIN_BEGIN(DNS) +BRO_PLUGIN_BEGIN(Bro, DNS) BRO_PLUGIN_DESCRIPTION("DNS analyzer"); BRO_PLUGIN_ANALYZER("DNS", dns::DNS_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS"); diff --git a/src/analyzer/protocol/file/CMakeLists.txt b/src/analyzer/protocol/file/CMakeLists.txt index 924aadd406..978c28c9c4 100644 --- a/src/analyzer/protocol/file/CMakeLists.txt +++ b/src/analyzer/protocol/file/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(File) +bro_plugin_begin(Bro File) bro_plugin_cc(File.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/file/Plugin.cc b/src/analyzer/protocol/file/Plugin.cc index 06d3ba9373..5a674c47c0 100644 --- a/src/analyzer/protocol/file/Plugin.cc +++ b/src/analyzer/protocol/file/Plugin.cc @@ -3,7 +3,7 @@ #include "./File.h" -BRO_PLUGIN_BEGIN(File) +BRO_PLUGIN_BEGIN(Bro, File) BRO_PLUGIN_DESCRIPTION("Generic file analyzer"); BRO_PLUGIN_ANALYZER("File", file::File_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/finger/CMakeLists.txt b/src/analyzer/protocol/finger/CMakeLists.txt index f51f892390..52dd3816f9 100644 --- a/src/analyzer/protocol/finger/CMakeLists.txt +++ b/src/analyzer/protocol/finger/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Finger) +bro_plugin_begin(Bro Finger) bro_plugin_cc(Finger.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/finger/Plugin.cc b/src/analyzer/protocol/finger/Plugin.cc index a20c0765c1..6cf909ca54 100644 --- a/src/analyzer/protocol/finger/Plugin.cc +++ b/src/analyzer/protocol/finger/Plugin.cc @@ -3,7 +3,7 @@ #include "Finger.h" -BRO_PLUGIN_BEGIN(Finger) +BRO_PLUGIN_BEGIN(Bro, Finger) BRO_PLUGIN_DESCRIPTION("Finger analyzer"); BRO_PLUGIN_ANALYZER("Finger", finger::Finger_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/ftp/CMakeLists.txt b/src/analyzer/protocol/ftp/CMakeLists.txt index 9a92d95116..ab657f9260 100644 --- a/src/analyzer/protocol/ftp/CMakeLists.txt +++ b/src/analyzer/protocol/ftp/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(FTP) +bro_plugin_begin(Bro FTP) bro_plugin_cc(FTP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocol/ftp/Plugin.cc b/src/analyzer/protocol/ftp/Plugin.cc index e35185d5c5..db8e20e7ed 100644 --- a/src/analyzer/protocol/ftp/Plugin.cc +++ b/src/analyzer/protocol/ftp/Plugin.cc @@ -3,7 +3,7 @@ #include "FTP.h" -BRO_PLUGIN_BEGIN(FTP) +BRO_PLUGIN_BEGIN(Bro, FTP) BRO_PLUGIN_DESCRIPTION("FTP analyzer"); BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT"); diff --git a/src/analyzer/protocol/gnutella/CMakeLists.txt b/src/analyzer/protocol/gnutella/CMakeLists.txt index 7418ab46ba..ee5415b924 100644 --- a/src/analyzer/protocol/gnutella/CMakeLists.txt +++ b/src/analyzer/protocol/gnutella/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Gnutella) +bro_plugin_begin(Bro Gnutella) bro_plugin_cc(Gnutella.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/gnutella/Plugin.cc b/src/analyzer/protocol/gnutella/Plugin.cc index b52d545bc3..73b91af002 100644 --- a/src/analyzer/protocol/gnutella/Plugin.cc +++ b/src/analyzer/protocol/gnutella/Plugin.cc @@ -3,7 +3,7 @@ #include "Gnutella.h" -BRO_PLUGIN_BEGIN(Gnutella) +BRO_PLUGIN_BEGIN(Bro, Gnutella) BRO_PLUGIN_DESCRIPTION("Gnutella analyzer"); BRO_PLUGIN_ANALYZER("Gnutella", gnutella::Gnutella_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/gtpv1/CMakeLists.txt b/src/analyzer/protocol/gtpv1/CMakeLists.txt index b739330b37..b45f32e883 100644 --- a/src/analyzer/protocol/gtpv1/CMakeLists.txt +++ b/src/analyzer/protocol/gtpv1/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(GTPv1) +bro_plugin_begin(Bro GTPv1) bro_plugin_cc(GTPv1.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac) diff --git a/src/analyzer/protocol/gtpv1/Plugin.cc b/src/analyzer/protocol/gtpv1/Plugin.cc index 5a39dd3980..83d1557e4d 100644 --- a/src/analyzer/protocol/gtpv1/Plugin.cc +++ b/src/analyzer/protocol/gtpv1/Plugin.cc @@ -3,7 +3,7 @@ #include "GTPv1.h" -BRO_PLUGIN_BEGIN(GTPv1) +BRO_PLUGIN_BEGIN(Bro, GTPv1) BRO_PLUGIN_DESCRIPTION("GTPv1 analyzer"); BRO_PLUGIN_ANALYZER("GTPv1", gtpv1::GTPv1_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/http/CMakeLists.txt b/src/analyzer/protocol/http/CMakeLists.txt index 68bdb632a4..d1fbed07f0 100644 --- a/src/analyzer/protocol/http/CMakeLists.txt +++ b/src/analyzer/protocol/http/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(HTTP) +bro_plugin_begin(Bro HTTP) bro_plugin_cc(HTTP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocol/http/Plugin.cc b/src/analyzer/protocol/http/Plugin.cc index 2908a37511..1a2a05cbed 100644 --- a/src/analyzer/protocol/http/Plugin.cc +++ b/src/analyzer/protocol/http/Plugin.cc @@ -3,7 +3,7 @@ #include "HTTP.h" -BRO_PLUGIN_BEGIN(HTTP) +BRO_PLUGIN_BEGIN(Bro, HTTP) BRO_PLUGIN_DESCRIPTION("HTTP analyzer"); BRO_PLUGIN_ANALYZER("HTTP", http::HTTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/icmp/CMakeLists.txt b/src/analyzer/protocol/icmp/CMakeLists.txt index e867bac238..7b8bd9c7fe 100644 --- a/src/analyzer/protocol/icmp/CMakeLists.txt +++ b/src/analyzer/protocol/icmp/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(ICMP) +bro_plugin_begin(Bro ICMP) bro_plugin_cc(ICMP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/icmp/Plugin.cc b/src/analyzer/protocol/icmp/Plugin.cc index fa0c885a3e..f313842c2a 100644 --- a/src/analyzer/protocol/icmp/Plugin.cc +++ b/src/analyzer/protocol/icmp/Plugin.cc @@ -3,7 +3,7 @@ #include "ICMP.h" -BRO_PLUGIN_BEGIN(ICMP) +BRO_PLUGIN_BEGIN(Bro, ICMP) BRO_PLUGIN_DESCRIPTION("ICMP analyzer"); BRO_PLUGIN_ANALYZER("ICMP", icmp::ICMP_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/ident/CMakeLists.txt b/src/analyzer/protocol/ident/CMakeLists.txt index a8d4102a58..658dff141e 100644 --- a/src/analyzer/protocol/ident/CMakeLists.txt +++ b/src/analyzer/protocol/ident/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Ident) +bro_plugin_begin(Bro Ident) bro_plugin_cc(Ident.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/ident/Plugin.cc b/src/analyzer/protocol/ident/Plugin.cc index d520374552..c053689b8f 100644 --- a/src/analyzer/protocol/ident/Plugin.cc +++ b/src/analyzer/protocol/ident/Plugin.cc @@ -3,7 +3,7 @@ #include "Ident.h" -BRO_PLUGIN_BEGIN(Ident) +BRO_PLUGIN_BEGIN(Bro, Ident) BRO_PLUGIN_DESCRIPTION("Ident analyzer"); BRO_PLUGIN_ANALYZER("Ident", ident::Ident_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/interconn/CMakeLists.txt b/src/analyzer/protocol/interconn/CMakeLists.txt index 6a5ae1f3fe..ef5ca13a9a 100644 --- a/src/analyzer/protocol/interconn/CMakeLists.txt +++ b/src/analyzer/protocol/interconn/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(InterConn) +bro_plugin_begin(Bro InterConn) bro_plugin_cc(InterConn.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/interconn/Plugin.cc b/src/analyzer/protocol/interconn/Plugin.cc index e1792dc3ef..c135d0fb07 100644 --- a/src/analyzer/protocol/interconn/Plugin.cc +++ b/src/analyzer/protocol/interconn/Plugin.cc @@ -3,7 +3,7 @@ #include "InterConn.h" -BRO_PLUGIN_BEGIN(InterConn) +BRO_PLUGIN_BEGIN(Bro, InterConn) BRO_PLUGIN_DESCRIPTION("InterConn analyzer (deprecated)"); BRO_PLUGIN_ANALYZER("InterConn", interconn::InterConn_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/irc/CMakeLists.txt b/src/analyzer/protocol/irc/CMakeLists.txt index 2e7ed7616b..5f97482365 100644 --- a/src/analyzer/protocol/irc/CMakeLists.txt +++ b/src/analyzer/protocol/irc/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(IRC) +bro_plugin_begin(Bro IRC) bro_plugin_cc(IRC.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/irc/Plugin.cc b/src/analyzer/protocol/irc/Plugin.cc index 046d1b5a02..fc7de1bd6d 100644 --- a/src/analyzer/protocol/irc/Plugin.cc +++ b/src/analyzer/protocol/irc/Plugin.cc @@ -3,7 +3,7 @@ #include "IRC.h" -BRO_PLUGIN_BEGIN(IRC) +BRO_PLUGIN_BEGIN(Bro, IRC) BRO_PLUGIN_DESCRIPTION("IRC analyzer"); BRO_PLUGIN_ANALYZER("IRC", irc::IRC_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/login/CMakeLists.txt b/src/analyzer/protocol/login/CMakeLists.txt index 60a5b57ec5..66f8eb1568 100644 --- a/src/analyzer/protocol/login/CMakeLists.txt +++ b/src/analyzer/protocol/login/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Login) +bro_plugin_begin(Bro Login) bro_plugin_cc(Login.cc RSH.cc Telnet.cc Rlogin.cc NVT.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocol/login/Plugin.cc b/src/analyzer/protocol/login/Plugin.cc index 8c7287afae..6b8d1a8fed 100644 --- a/src/analyzer/protocol/login/Plugin.cc +++ b/src/analyzer/protocol/login/Plugin.cc @@ -6,7 +6,7 @@ #include "RSH.h" #include "Rlogin.h" -BRO_PLUGIN_BEGIN(Login) +BRO_PLUGIN_BEGIN(Bro, Login) BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin analyzers"); BRO_PLUGIN_ANALYZER("Telnet", login::Telnet_Analyzer); BRO_PLUGIN_ANALYZER("Rsh", login::Rsh_Analyzer); diff --git a/src/analyzer/protocol/mime/CMakeLists.txt b/src/analyzer/protocol/mime/CMakeLists.txt index 1df45cd395..0a038625f8 100644 --- a/src/analyzer/protocol/mime/CMakeLists.txt +++ b/src/analyzer/protocol/mime/CMakeLists.txt @@ -8,7 +8,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(MIME) +bro_plugin_begin(Bro MIME) bro_plugin_cc(MIME.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/mime/Plugin.cc b/src/analyzer/protocol/mime/Plugin.cc index ff90d9d671..d519a8f84e 100644 --- a/src/analyzer/protocol/mime/Plugin.cc +++ b/src/analyzer/protocol/mime/Plugin.cc @@ -1,7 +1,7 @@ #include "plugin/Plugin.h" -BRO_PLUGIN_BEGIN(MIME) +BRO_PLUGIN_BEGIN(Bro, MIME) BRO_PLUGIN_DESCRIPTION("MIME parsing code"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/modbus/CMakeLists.txt b/src/analyzer/protocol/modbus/CMakeLists.txt index 120e352f36..e6705cdd22 100644 --- a/src/analyzer/protocol/modbus/CMakeLists.txt +++ b/src/analyzer/protocol/modbus/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(Modbus)
+bro_plugin_begin(Bro Modbus)
 bro_plugin_cc(Modbus.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_pac(modbus.pac modbus-analyzer.pac modbus-protocol.pac)
diff --git a/src/analyzer/protocol/modbus/Plugin.cc b/src/analyzer/protocol/modbus/Plugin.cc
index e03f8dbb9b..c84992cbae 100644
--- a/src/analyzer/protocol/modbus/Plugin.cc
+++ b/src/analyzer/protocol/modbus/Plugin.cc
@@ -3,7 +3,7 @@
 #include "Modbus.h"
-BRO_PLUGIN_BEGIN(Modbus)
+BRO_PLUGIN_BEGIN(Bro, Modbus)
 BRO_PLUGIN_DESCRIPTION("Modbus analyzer");
 BRO_PLUGIN_ANALYZER("MODBUS", modbus::ModbusTCP_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/ncp/CMakeLists.txt b/src/analyzer/protocol/ncp/CMakeLists.txt
index 021561f0aa..bd06d4e426 100644
--- a/src/analyzer/protocol/ncp/CMakeLists.txt
+++ b/src/analyzer/protocol/ncp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(NCP)
+bro_plugin_begin(Bro NCP)
 bro_plugin_cc(NCP.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_pac(ncp.pac)
diff --git a/src/analyzer/protocol/ncp/Plugin.cc b/src/analyzer/protocol/ncp/Plugin.cc
index 5e1a955606..85cd318fe0 100644
--- a/src/analyzer/protocol/ncp/Plugin.cc
+++ b/src/analyzer/protocol/ncp/Plugin.cc
@@ -3,7 +3,7 @@
 #include "NCP.h"
-BRO_PLUGIN_BEGIN(NCP)
+BRO_PLUGIN_BEGIN(Bro, NCP)
 BRO_PLUGIN_DESCRIPTION("NCP analyzer");
 BRO_PLUGIN_ANALYZER("NCP", ncp::NCP_Analyzer);
 BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NCP");
diff --git a/src/analyzer/protocol/netbios/CMakeLists.txt b/src/analyzer/protocol/netbios/CMakeLists.txt
index ab31cd6e0a..ad6009d171 100644
--- a/src/analyzer/protocol/netbios/CMakeLists.txt
+++ b/src/analyzer/protocol/netbios/CMakeLists.txt
@@ -2,9 +2,12 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../dce-rpc)
+include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../smb)
-bro_plugin_begin(NetBIOS)
+bro_plugin_begin(Bro NetBIOS)
 bro_plugin_cc(NetbiosSSN.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_bif(functions.bif)
 bro_plugin_end()
+
diff --git a/src/analyzer/protocol/netbios/Plugin.cc b/src/analyzer/protocol/netbios/Plugin.cc
index 36ec458138..15daeb1ab5 100644
--- a/src/analyzer/protocol/netbios/Plugin.cc
+++ b/src/analyzer/protocol/netbios/Plugin.cc
@@ -3,7 +3,7 @@
 #include "NetbiosSSN.h"
-BRO_PLUGIN_BEGIN(NetBIOS)
+BRO_PLUGIN_BEGIN(Bro, NetBIOS)
 BRO_PLUGIN_DESCRIPTION("NetBIOS analyzer (support only SSN currently)");
 BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer);
 BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN");
diff --git a/src/analyzer/protocol/netflow/CMakeLists.txt b/src/analyzer/protocol/netflow/CMakeLists.txt
index c45f410b26..3afc9fd66a 100644
--- a/src/analyzer/protocol/netflow/CMakeLists.txt
+++ b/src/analyzer/protocol/netflow/CMakeLists.txt
@@ -8,7 +8,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(NetFlow)
+bro_plugin_begin(Bro NetFlow)
 bro_plugin_cc(Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_pac(netflow.pac netflow-protocol.pac netflow-analyzer.pac)
diff --git a/src/analyzer/protocol/netflow/Plugin.cc b/src/analyzer/protocol/netflow/Plugin.cc
index cd7a937171..b994caa5d8 100644
--- a/src/analyzer/protocol/netflow/Plugin.cc
+++ b/src/analyzer/protocol/netflow/Plugin.cc
@@ -1,7 +1,7 @@
 #include "plugin/Plugin.h"
-BRO_PLUGIN_BEGIN(NetFlow)
+BRO_PLUGIN_BEGIN(Bro, NetFlow)
 BRO_PLUGIN_DESCRIPTION("NetFlow parsing code");
 BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocol/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt
index b16c1edee9..a8b8bb1872 100644
--- a/src/analyzer/protocol/ntp/CMakeLists.txt
+++ b/src/analyzer/protocol/ntp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(NTP)
+bro_plugin_begin(Bro NTP)
 bro_plugin_cc(NTP.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc
index bf2bd5df15..ce4ce5680f 100644
--- a/src/analyzer/protocol/ntp/Plugin.cc
+++ b/src/analyzer/protocol/ntp/Plugin.cc
@@ -3,7 +3,7 @@
 #include "NTP.h"
-BRO_PLUGIN_BEGIN(NTP)
+BRO_PLUGIN_BEGIN(Bro, NTP)
 BRO_PLUGIN_DESCRIPTION("NTP analyzer");
 BRO_PLUGIN_ANALYZER("NTP", ntp::NTP_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/pia/CMakeLists.txt b/src/analyzer/protocol/pia/CMakeLists.txt
index 8c55deca09..ff55bcf0aa 100644
--- a/src/analyzer/protocol/pia/CMakeLists.txt
+++ b/src/analyzer/protocol/pia/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(PIA)
+bro_plugin_begin(Bro PIA)
 bro_plugin_cc(PIA.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/pia/Plugin.cc b/src/analyzer/protocol/pia/Plugin.cc
index 6c4bf1a6b2..7d52801475 100644
--- a/src/analyzer/protocol/pia/Plugin.cc
+++ b/src/analyzer/protocol/pia/Plugin.cc
@@ -3,7 +3,7 @@
 #include "PIA.h"
-BRO_PLUGIN_BEGIN(PIA)
+BRO_PLUGIN_BEGIN(Bro, PIA)
 BRO_PLUGIN_DESCRIPTION("Analyzers implementing Dynamic Protocol Detection");
 BRO_PLUGIN_ANALYZER("PIA_TCP", pia::PIA_TCP);
 BRO_PLUGIN_ANALYZER("PIA_UDP", pia::PIA_UDP);
diff --git a/src/analyzer/protocol/pop3/CMakeLists.txt b/src/analyzer/protocol/pop3/CMakeLists.txt
index 5af5a7f624..8071d6a74d 100644
--- a/src/analyzer/protocol/pop3/CMakeLists.txt
+++ b/src/analyzer/protocol/pop3/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(POP3)
+bro_plugin_begin(Bro POP3)
 bro_plugin_cc(POP3.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/pop3/Plugin.cc b/src/analyzer/protocol/pop3/Plugin.cc
index b686e2fbee..edd99e2617 100644
--- a/src/analyzer/protocol/pop3/Plugin.cc
+++ b/src/analyzer/protocol/pop3/Plugin.cc
@@ -3,7 +3,7 @@
 #include "POP3.h"
-BRO_PLUGIN_BEGIN(POP3)
+BRO_PLUGIN_BEGIN(Bro, POP3)
 BRO_PLUGIN_DESCRIPTION("POP3 analyzer");
 BRO_PLUGIN_ANALYZER("POP3", pop3::POP3_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/rpc/CMakeLists.txt b/src/analyzer/protocol/rpc/CMakeLists.txt
index edf6371dd1..5696a74cd6 100644
--- a/src/analyzer/protocol/rpc/CMakeLists.txt
+++ b/src/analyzer/protocol/rpc/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(RPC)
+bro_plugin_begin(Bro RPC)
 bro_plugin_cc(RPC.cc NFS.cc Portmap.cc XDR.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/rpc/Plugin.cc b/src/analyzer/protocol/rpc/Plugin.cc
index 815cf14362..9760df0623 100644
--- a/src/analyzer/protocol/rpc/Plugin.cc
+++ b/src/analyzer/protocol/rpc/Plugin.cc
@@ -5,7 +5,7 @@
 #include "NFS.h"
 #include "Portmap.h"
-BRO_PLUGIN_BEGIN(RPC)
+BRO_PLUGIN_BEGIN(Bro, RPC)
 BRO_PLUGIN_DESCRIPTION("Analyzers for RPC-based protocols");
 BRO_PLUGIN_ANALYZER("NFS", rpc::NFS_Analyzer);
 BRO_PLUGIN_ANALYZER("Portmapper", rpc::Portmapper_Analyzer);
diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt
index 30338d91f5..feec283197 100644
--- a/src/analyzer/protocol/smb/CMakeLists.txt
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
@@ -2,8 +2,9 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../dce-rpc)
-bro_plugin_begin(SMB)
+bro_plugin_begin(Bro SMB)
 bro_plugin_cc(SMB.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_pac(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac)
diff --git a/src/analyzer/protocol/smb/Plugin.cc b/src/analyzer/protocol/smb/Plugin.cc
index 97ea10f5d8..af564c067c 100644
--- a/src/analyzer/protocol/smb/Plugin.cc
+++ b/src/analyzer/protocol/smb/Plugin.cc
@@ -3,7 +3,7 @@
 #include "SMB.h"
-BRO_PLUGIN_BEGIN(SMB)
+BRO_PLUGIN_BEGIN(Bro, SMB)
 BRO_PLUGIN_DESCRIPTION("SMB analyzer");
 BRO_PLUGIN_ANALYZER("SMB", smb::SMB_Analyzer);
 BRO_PLUGIN_SUPPORT_ANALYZER("Contents_SMB");
diff --git a/src/analyzer/protocol/smtp/CMakeLists.txt b/src/analyzer/protocol/smtp/CMakeLists.txt
index 1f4779c0f8..82918656a0 100644
--- a/src/analyzer/protocol/smtp/CMakeLists.txt
+++ b/src/analyzer/protocol/smtp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(SMTP)
+bro_plugin_begin(Bro SMTP)
 bro_plugin_cc(SMTP.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_bif(functions.bif)
diff --git a/src/analyzer/protocol/smtp/Plugin.cc b/src/analyzer/protocol/smtp/Plugin.cc
index f1567098d2..e089d7ffb1 100644
--- a/src/analyzer/protocol/smtp/Plugin.cc
+++ b/src/analyzer/protocol/smtp/Plugin.cc
@@ -3,7 +3,7 @@
 #include "SMTP.h"
-BRO_PLUGIN_BEGIN(SMTP)
+BRO_PLUGIN_BEGIN(Bro, SMTP)
 BRO_PLUGIN_DESCRIPTION("SMTP analyzer");
 BRO_PLUGIN_ANALYZER("SMTP", smtp::SMTP_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/socks/CMakeLists.txt b/src/analyzer/protocol/socks/CMakeLists.txt
index 451dfd53f4..5157c8d368 100644
--- a/src/analyzer/protocol/socks/CMakeLists.txt
+++ b/src/analyzer/protocol/socks/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(SOCKS)
+bro_plugin_begin(Bro SOCKS)
 bro_plugin_cc(SOCKS.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_pac(socks.pac socks-protocol.pac socks-analyzer.pac)
diff --git a/src/analyzer/protocol/socks/Plugin.cc b/src/analyzer/protocol/socks/Plugin.cc
index 3c659de628..d01f4520b7 100644
--- a/src/analyzer/protocol/socks/Plugin.cc
+++ b/src/analyzer/protocol/socks/Plugin.cc
@@ -3,7 +3,7 @@
 #include "SOCKS.h"
-BRO_PLUGIN_BEGIN(SOCKS)
+BRO_PLUGIN_BEGIN(Bro, SOCKS)
 BRO_PLUGIN_DESCRIPTION("SOCKS analyzer");
 BRO_PLUGIN_ANALYZER("SOCKS", socks::SOCKS_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/ssh/CMakeLists.txt b/src/analyzer/protocol/ssh/CMakeLists.txt
index 659e3207ab..505c89332e 100644
--- a/src/analyzer/protocol/ssh/CMakeLists.txt
+++ b/src/analyzer/protocol/ssh/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(SSH)
+bro_plugin_begin(Bro SSH)
 bro_plugin_cc(SSH.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/ssh/Plugin.cc b/src/analyzer/protocol/ssh/Plugin.cc
index 4bb2a0ffdb..53a0294a88 100644
--- a/src/analyzer/protocol/ssh/Plugin.cc
+++ b/src/analyzer/protocol/ssh/Plugin.cc
@@ -3,7 +3,7 @@
 #include "SSH.h"
-BRO_PLUGIN_BEGIN(SSH)
+BRO_PLUGIN_BEGIN(Bro, SSH)
 BRO_PLUGIN_DESCRIPTION("SSH analyzer");
 BRO_PLUGIN_ANALYZER("SSH", ssh::SSH_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt
index 57f9b47e4d..f1838e5f3b 100644
--- a/src/analyzer/protocol/ssl/CMakeLists.txt
+++ b/src/analyzer/protocol/ssl/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(SSL)
+bro_plugin_begin(Bro SSL)
 bro_plugin_cc(SSL.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_bif(functions.bif)
diff --git a/src/analyzer/protocol/ssl/Plugin.cc b/src/analyzer/protocol/ssl/Plugin.cc
index 5edbecd480..c63be864f8 100644
--- a/src/analyzer/protocol/ssl/Plugin.cc
+++ b/src/analyzer/protocol/ssl/Plugin.cc
@@ -3,7 +3,7 @@
 #include "SSL.h"
-BRO_PLUGIN_BEGIN(SSL)
+BRO_PLUGIN_BEGIN(Bro, SSL)
 BRO_PLUGIN_DESCRIPTION("SSL analyzer");
 BRO_PLUGIN_ANALYZER("SSL", ssl::SSL_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/stepping-stone/CMakeLists.txt b/src/analyzer/protocol/stepping-stone/CMakeLists.txt
index 4de6210027..042f5bc858 100644
--- a/src/analyzer/protocol/stepping-stone/CMakeLists.txt
+++ b/src/analyzer/protocol/stepping-stone/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(SteppingStone)
+bro_plugin_begin(Bro SteppingStone)
 bro_plugin_cc(SteppingStone.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/stepping-stone/Plugin.cc b/src/analyzer/protocol/stepping-stone/Plugin.cc
index bde87384fa..129b95fb25 100644
--- a/src/analyzer/protocol/stepping-stone/Plugin.cc
+++ b/src/analyzer/protocol/stepping-stone/Plugin.cc
@@ -3,7 +3,7 @@
 #include "SteppingStone.h"
-BRO_PLUGIN_BEGIN(SteppingStone)
+BRO_PLUGIN_BEGIN(Bro, SteppingStone)
 BRO_PLUGIN_DESCRIPTION("Stepping stone analyzer (deprecated)");
 BRO_PLUGIN_ANALYZER("SteppingStone", stepping_stone::SteppingStone_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/syslog/CMakeLists.txt b/src/analyzer/protocol/syslog/CMakeLists.txt
index 3fc6b9ea69..5366f94642 100644
--- a/src/analyzer/protocol/syslog/CMakeLists.txt
+++ b/src/analyzer/protocol/syslog/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(Syslog)
+bro_plugin_begin(Bro Syslog)
 bro_plugin_cc(Syslog.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac)
diff --git a/src/analyzer/protocol/syslog/Plugin.cc b/src/analyzer/protocol/syslog/Plugin.cc
index 0616cace14..67abaaf970 100644
--- a/src/analyzer/protocol/syslog/Plugin.cc
+++ b/src/analyzer/protocol/syslog/Plugin.cc
@@ -3,7 +3,7 @@
 #include "Syslog.h"
-BRO_PLUGIN_BEGIN(Syslog)
+BRO_PLUGIN_BEGIN(Bro, Syslog)
 BRO_PLUGIN_DESCRIPTION("Syslog analyzer (UDP-only currently)");
 BRO_PLUGIN_ANALYZER("Syslog", syslog::Syslog_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/tcp/CMakeLists.txt b/src/analyzer/protocol/tcp/CMakeLists.txt
index f61f27495b..d4b2dc3eab 100644
--- a/src/analyzer/protocol/tcp/CMakeLists.txt
+++ b/src/analyzer/protocol/tcp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(TCP)
+bro_plugin_begin(Bro TCP)
 bro_plugin_cc(TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc ContentLine.cc Stats.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_bif(functions.bif)
diff --git a/src/analyzer/protocol/tcp/Plugin.cc b/src/analyzer/protocol/tcp/Plugin.cc
index 8342f2ed3e..6132b6f386 100644
--- a/src/analyzer/protocol/tcp/Plugin.cc
+++ b/src/analyzer/protocol/tcp/Plugin.cc
@@ -3,7 +3,7 @@
 #include "TCP.h"
-BRO_PLUGIN_BEGIN(TCP)
+BRO_PLUGIN_BEGIN(Bro, TCP)
 BRO_PLUGIN_DESCRIPTION("TCP analyzer");
 BRO_PLUGIN_ANALYZER("TCP", tcp::TCP_Analyzer);
 BRO_PLUGIN_ANALYZER("TCPStats", tcp::TCPStats_Analyzer);
diff --git a/src/analyzer/protocol/teredo/CMakeLists.txt b/src/analyzer/protocol/teredo/CMakeLists.txt
index cf4d2a9bcf..c9c4a84db6 100644
--- a/src/analyzer/protocol/teredo/CMakeLists.txt
+++ b/src/analyzer/protocol/teredo/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(Teredo)
+bro_plugin_begin(Bro Teredo)
 bro_plugin_cc(Teredo.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/teredo/Plugin.cc b/src/analyzer/protocol/teredo/Plugin.cc
index 38f3a8edd9..91de23b318 100644
--- a/src/analyzer/protocol/teredo/Plugin.cc
+++ b/src/analyzer/protocol/teredo/Plugin.cc
@@ -3,7 +3,7 @@
 #include "Teredo.h"
-BRO_PLUGIN_BEGIN(Teredo)
+BRO_PLUGIN_BEGIN(Bro, Teredo)
 BRO_PLUGIN_DESCRIPTION("Teredo analyzer");
 BRO_PLUGIN_ANALYZER("Teredo", teredo::Teredo_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/udp/CMakeLists.txt b/src/analyzer/protocol/udp/CMakeLists.txt
index 077c4136b5..0c92be60a3 100644
--- a/src/analyzer/protocol/udp/CMakeLists.txt
+++ b/src/analyzer/protocol/udp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(UDP)
+bro_plugin_begin(Bro UDP)
 bro_plugin_cc(UDP.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/udp/Plugin.cc b/src/analyzer/protocol/udp/Plugin.cc
index c18a846e00..0dbf0f80ca 100644
--- a/src/analyzer/protocol/udp/Plugin.cc
+++ b/src/analyzer/protocol/udp/Plugin.cc
@@ -3,7 +3,7 @@
 #include "analyzer/protocol/udp/UDP.h"
-BRO_PLUGIN_BEGIN(UDP)
+BRO_PLUGIN_BEGIN(Bro, UDP)
 BRO_PLUGIN_DESCRIPTION("UDP Analyzer");
 BRO_PLUGIN_ANALYZER("UDP", udp::UDP_Analyzer);
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/analyzer/protocol/zip/CMakeLists.txt b/src/analyzer/protocol/zip/CMakeLists.txt
index 5b2864c618..814119f9f7 100644
--- a/src/analyzer/protocol/zip/CMakeLists.txt
+++ b/src/analyzer/protocol/zip/CMakeLists.txt
@@ -3,7 +3,7 @@ include(BroPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-bro_plugin_begin(ZIP)
+bro_plugin_begin(Bro ZIP)
 bro_plugin_cc(ZIP.cc Plugin.cc)
 bro_plugin_bif(events.bif)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/zip/Plugin.cc b/src/analyzer/protocol/zip/Plugin.cc
index 5ab2b60baf..b55accccb3 100644
--- a/src/analyzer/protocol/zip/Plugin.cc
+++ b/src/analyzer/protocol/zip/Plugin.cc
@@ -3,7 +3,7 @@
 #include "ZIP.h"
-BRO_PLUGIN_BEGIN(ZIP)
+BRO_PLUGIN_BEGIN(Bro, ZIP)
 BRO_PLUGIN_DESCRIPTION("Generic ZIP support analyzer");
 BRO_PLUGIN_ANALYZER_BARE("ZIP");
 BRO_PLUGIN_BIF_FILE(events);
diff --git a/src/bro.bif b/src/bro.bif
index 6ad7dccc3a..4120bbdc9d 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -2626,8 +2626,6 @@ function decode_base64_custom%(s: string, a: string%): string
 %}
 %%{
-#include "analyzer/protocol/dce-rpc/DCE_RPC.h"
-
 typedef struct {
 uint32 time_low;
 uint16 time_mid;
diff --git a/src/builtin-func.l b/src/builtin-func.l
index b2da7cb7c3..9555103857 100644
--- a/src/builtin-func.l
+++ b/src/builtin-func.l
@@ -193,7 +193,7 @@ void init_alternative_mode()
 snprintf(auto_gen_comment, n, "This file was automatically generated by bifcl from %s (%s mode).",
- input_filename_with_path, plugin ? "plugin" : "subdir");
+ input_filename_with_path, plugin ? "plugin" : "alternative");
 fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment);
 fprintf(fp_func_def, "// %s\n\n", auto_gen_comment);
@@ -211,10 +211,15 @@ void init_alternative_mode()
 *p = '_';
 }
+ fprintf(fp_func_h, "#if defined(BRO_IN_NETVAR) || ! defined(%s)\n", guard);
+
+ fprintf(fp_func_h, "#ifndef BRO_IN_NETVAR\n");
 fprintf(fp_func_h, "#ifndef %s\n", guard);
 fprintf(fp_func_h, "#define %s\n", guard);
- fprintf(fp_func_h, "\n");
 fprintf(fp_func_h, "#include \"bro-bif.h\"\n");
+ fprintf(fp_func_h, "#endif\n");
+ fprintf(fp_func_h, "#endif\n");
+ fprintf(fp_func_h, "\n");
 fprintf(fp_func_def, "\n");
 fprintf(fp_func_def, "#include \"%s.h\"\n", input_filename);
diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h
index 6912023cc4..4f84b037f9 100644
--- a/src/plugin/Macros.h
+++ b/src/plugin/Macros.h
@@ -9,14 +9,14 @@
 #define _BRO_PLUGIN_VERSION_DEFAULT -1
-#define BRO_PLUGIN_BEGIN(_name) \
- namespace plugin { namespace _name { \
+#define BRO_PLUGIN_BEGIN(_ns, _name) \
+ namespace plugin { namespace _ns ## _ ## _name {\
 class Plugin : public plugin::Plugin { \
 protected: \
 void Init() \
 { \
- SetName(#_name); \
- SetVersion(_BRO_PLUGIN_VERSION_DEFAULT); \
+ SetName(#_ns "::" #_name); \
+ SetVersion(_BRO_PLUGIN_VERSION_DEFAULT);\
 SetAPIVersion(BRO_PLUGIN_API_VERSION);
 #define BRO_PLUGIN_END \
From 11fd12b18e16433a140f4d7bbf1f7b1546f4c001 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Thu, 16 May 2013 16:57:49 -0700
Subject: [PATCH 049/200] Band-aid to get Broxygen's bif documentation back.
We'll need a different approach here eventually.
---
 doc/scripts/CMakeLists.txt | 6 +-
 doc/scripts/DocSourcesList.cmake | 110 +++++++++++++++----------------
 doc/scripts/genDocSourcesList.sh | 6 +-
 src/BroDoc.cc | 4 +-
 src/plugin/Macros.h | 2 +-
 src/util-config.h.in | 3 +-
 src/util.cc | 6 +-
 7 files changed, 72 insertions(+), 65 deletions(-)
diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt
index 33d473b005..7f168f672f 100644
--- a/doc/scripts/CMakeLists.txt
+++ b/doc/scripts/CMakeLists.txt
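Review bot: The generated header now opens with `#if defined(BRO_IN_NETVAR) || ! defined(%s)`, but the only two `#endif`s this hunk emits close the inner `#ifndef BRO_IN_NETVAR` and `#ifndef <guard>`, so the outer conditional is still open when the hunk ends and must be closed by code outside it; that is worth confirming, because an unbalanced `#if` in a generated header breaks every translation unit that includes it. The intent of the nesting is hard to read off a run of fprintf calls; a comment above the first added line such as `// Header layout: BRO_IN_NETVAR appears to bypass the include guard so the declarations can be re-read; otherwise a normal guard around bro-bif.h applies.` would record it, hedged until the reason for the BRO_IN_NETVAR path is confirmed. init_alternative_mode begins before this hunk and continues after it.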
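Review bot: `BRO_PLUGIN_BEGIN(_ns, _name)` now derives two different spellings from its arguments, the C++ namespace `plugin::_ns ## _ ## _name` and the registered name `#_ns "::" #_name`, and nothing in Macros.h says what `_ns` is or that both must line up with the `bro_plugin_begin(Bro X)` calls in each plugin's CMakeLists.txt. A comment above the macro, e.g. `// _ns is the plugin namespace (e.g. Bro), _name the plugin name; the C++ namespace is plugin::<_ns>_<_name> and the registered plugin name "<_ns>::<_name>".`, would make the convention explicit for anyone adding a plugin. The `{\` and `;\` on the rewritten continuation lines drop the space before the backslash that every other line of the macro keeps; restoring it is cosmetic but keeps the macro readable as a block.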
@@ -46,7 +46,7 @@ macro(REST_TARGET srcDir broInput)
 set(sumTextSrc ${absSrcPath})
 set(ogSourceFile ${absSrcPath})
 if (${extension} STREQUAL ".bif.bro")
- set(ogSourceFile ${BIF_SRC_DIR}/${basename})
+ # set(ogSourceFile ${BIF_SRC_DIR}/${basename})
 # the summary text is taken at configure time, but .bif.bro files
 # may not have been generated yet, so read .bif file instead
 set(sumTextSrc ${ogSourceFile})
@@ -70,7 +70,7 @@ macro(REST_TARGET srcDir broInput)
 if (NOT "${ARGN}" STREQUAL "")
 set(group ${ARGN})
- elseif (${extension} STREQUAL ".bif.bro")
+ elseif (${broInput} MATCHES "\\.bif\\.bro$")
 set(group bifs)
 elseif (relDstDir)
 set(group ${relDstDir}/index)
@@ -86,6 +86,8 @@ macro(REST_TARGET srcDir broInput)
 set(group "")
 endif ()
+ message("${broInput} ${extension} -> ${group}")
+
 if (NOT "${group}" STREQUAL "")
 # add group to master group list if not already in it
 list(FIND MASTER_GROUP_LIST ${group} _found)
diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake
index 0dc98999ca..3580a6979b 100644
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
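Review bot: In the first hunk the `set(ogSourceFile ${BIF_SRC_DIR}/${basename})` line is commented out, but the two comment lines that follow still explain that the `.bif` file is read instead of the `.bif.bro`, which is no longer what happens: `sumTextSrc` is now assigned the unchanged `ogSourceFile`. Either delete the commented-out line together with its stale explanation, or replace the comment with one stating the current intent, e.g. `# .bif.bro inputs are read directly now (band-aid, see commit message); BIF_SRC_DIR is no longer consulted`, hedged if the reason differs. In the second hunk the `elseif` switches from `${extension} STREQUAL ".bif.bro"` to `${broInput} MATCHES "\\.bif\\.bro$"`; a one-line comment on why `${extension}` no longer matches these inputs would save the next reader re-deriving it. REST_TARGET's body starts before and continues after each of these hunks.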
@@ -16,61 +16,61 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal)
 rest_target(${psd} base/init-default.bro internal)
 rest_target(${psd} base/init-bare.bro internal)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/analyzer.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/arp/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ayiya/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/backdoor/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/bittorrent/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/conn-size/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dce-rpc/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dhcp/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dns/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/file/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/finger/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ftp/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ftp/functions.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/gnutella/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/gtpv1/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/http/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/http/functions.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/icmp/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ident/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/interconn/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/irc/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/login/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/login/functions.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/mime/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/modbus/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ncp/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netbios/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netbios/functions.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netflow/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ntp/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/pia/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/pop3/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/rpc/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/smb/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/smtp/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/smtp/functions.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/socks/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssh/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssl/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssl/functions.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/stepping-stone/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/syslog/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/tcp/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/tcp/functions.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/teredo/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/udp/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/zip/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/analyzer.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/bro.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/const.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/event.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/input.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/logging.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ARP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_AYIYA.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_BackDoor.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_BitTorrent.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ConnSize.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DCE_RPC.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DHCP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DNS.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FTP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FTP.functions.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_File.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Finger.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts 
base/bif/plugins/Bro_GTPv1.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Gnutella.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_HTTP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_HTTP.functions.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ICMP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_IRC.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Ident.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_InterConn.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Login.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Login.functions.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_MIME.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Modbus.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NCP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NTP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetBIOS.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetBIOS.functions.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetFlow.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_PIA.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_POP3.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_RPC.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMB.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMTP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMTP.functions.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SOCKS.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSH.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSL.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSL.functions.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SteppingStone.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Syslog.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.functions.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Teredo.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_UDP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ZIP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/reporter.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/strings.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/types.bif.bro)
 rest_target(${psd} base/frameworks/analyzer/main.bro)
 rest_target(${psd} base/frameworks/cluster/main.bro)
 rest_target(${psd} base/frameworks/cluster/nodes/manager.bro)
diff --git a/doc/scripts/genDocSourcesList.sh b/doc/scripts/genDocSourcesList.sh
index a10121221a..31905c68db 100755
--- a/doc/scripts/genDocSourcesList.sh
+++ b/doc/scripts/genDocSourcesList.sh
@@ -67,12 +67,12 @@ sourcedir=${thisdir}/../..
 echo "$statictext" > $outfile
-bifs=`( cd ${sourcedir}/src && find . -name \*\.bif | sort )`
+bifs=`( cd ${sourcedir}/build/scripts/base && find . -name \*\.bif.bro | sort )`
 for file in $bifs
 do
- f=${file:2}.bro
- echo "rest_target(\${CMAKE_BINARY_DIR}/src base/$f)" >> $outfile
+ f=${file:2}
+ echo "rest_target(\${CMAKE_BINARY_DIR}/scripts base/$f)" >> $outfile
 done
 scriptfiles=`( cd ${sourcedir}/scripts && find . -name \*\.bro | sort )`
diff --git a/src/BroDoc.cc b/src/BroDoc.cc
index 23b1f56aaa..984bdc90a4 100644
--- a/src/BroDoc.cc
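Review bot: The new `bifs=` line hard-codes `${sourcedir}/build/scripts/base`, so the generator now depends on a build tree literally named `build` that has already produced the `.bif.bro` files, where the old line walked the checked-in `src` tree; if that directory is absent the `cd` fails, `$bifs` is empty and the script silently writes no bif targets at all. A guard before the loop, `[ -d ${sourcedir}/build/scripts/base ] || { echo "build the tree in ${sourcedir}/build first" >&2; exit 1; }`, plus a comment naming the assumption, turns that into a visible failure. Whether the build directory name should instead come from an argument or environment variable is a design question the commit message leaves open.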
+++ b/src/BroDoc.cc
@@ -35,12 +35,14 @@ BroDoc::BroDoc(const std::string& rel, const std::string& abs)
 downloadable_filename = source_filename;
+#if 0
 size_t ext_pos = downloadable_filename.find(".bif.bro");
 if ( std::string::npos != ext_pos )
 downloadable_filename.erase(ext_pos + 4);
+#endif
 reST_filename = doc_title;
- ext_pos = reST_filename.find(".bro");
+ size_t ext_pos = reST_filename.find(".bro");
 if ( std::string::npos == ext_pos )
 reST_filename += ".rst";
diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h
index 4f84b037f9..2288af0d79 100644
--- a/src/plugin/Macros.h
+++ b/src/plugin/Macros.h
@@ -30,7 +30,7 @@
 #define BRO_PLUGIN_VERSION(x) SetVersion(x)
 #define BRO_PLUGIN_BIF_FILE(file) \
- std::list > __bif_##file##_init(); \
+ extern std::list > __bif_##file##_init(); \
 AddBifInitFunction(&__bif_##file##_init);
 #define BRO_PLUGIN_ANALYZER(tag, cls) \
diff --git a/src/util-config.h.in b/src/util-config.h.in
index c50c4e6b48..23b3137018 100644
--- a/src/util-config.h.in
+++ b/src/util-config.h.in
@@ -1,3 +1,4 @@
 #define BRO_SCRIPT_INSTALL_PATH "@BRO_SCRIPT_INSTALL_PATH@"
 #define BRO_SCRIPT_SOURCE_PATH "@BRO_SCRIPT_SOURCE_PATH@"
-#define BRO_BUILD_PATH "@CMAKE_CURRENT_BINARY_DIR@"
+#define BRO_BUILD_SOURCE_PATH "@CMAKE_BINARY_DIR@/src"
+#define BRO_BUILD_SCRIPTS_PATH "@CMAKE_BINARY_DIR@/scripts"
diff --git a/src/util.cc b/src/util.cc
index 5d6104ce46..38da72c4b8 100644
--- a/src/util.cc
+++ b/src/util.cc
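Review bot: The `#if 0` block in the BroDoc constructor leaves the `.bif.bro`-to-`.bif` rewrite of `downloadable_filename` as dead code with no explanation of why it was disabled or when it can go; the commit message calls the whole change a band-aid, but that context is not in the source. Either delete the three lines outright or replace `#if 0` with a comment tying them to the new layout, e.g. `// TODO: bif docs are now generated as .bif.bro under the build's scripts/ tree, so the downloadable name keeps that suffix; revisit once the generation path is settled.` The added `size_t ext_pos = reST_filename.find(".bro");` exists only because the earlier declaration is now inside the disabled block, so it should leave with it. The constructor body begins before and continues after this hunk.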
@@ -1024,8 +1024,10 @@ void get_script_subpath(const std::string& full_filename, const char** subpath)
 my_subpath.erase(0, strlen(BRO_SCRIPT_INSTALL_PATH));
 else if ( (p = my_subpath.find(BRO_SCRIPT_SOURCE_PATH)) != std::string::npos )
 my_subpath.erase(0, strlen(BRO_SCRIPT_SOURCE_PATH));
- else if ( (p = my_subpath.find(BRO_BUILD_PATH)) != std::string::npos )
- my_subpath.erase(0, strlen(BRO_BUILD_PATH));
+ else if ( (p = my_subpath.find(BRO_BUILD_SOURCE_PATH)) != std::string::npos )
+ my_subpath.erase(0, strlen(BRO_BUILD_SOURCE_PATH));
+ else if ( (p = my_subpath.find(BRO_BUILD_SCRIPTS_PATH)) != std::string::npos )
+ my_subpath.erase(0, strlen(BRO_BUILD_SCRIPTS_PATH));
 // if root path found, remove path separators until next path component
 if ( p != std::string::npos )
From 28351e8e8d59a27386d6cc5157fdfd3b9b3e7d80 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Thu, 16 May 2013 17:00:04 -0700
Subject: [PATCH 050/200] Removing debugging output.
---
 doc/scripts/CMakeLists.txt | 2 --
 1 file changed, 2 deletions(-)
diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt
index 7f168f672f..9cce43d13a 100644
--- a/doc/scripts/CMakeLists.txt
+++ b/doc/scripts/CMakeLists.txt
@@ -86,8 +86,6 @@ macro(REST_TARGET srcDir broInput)
 set(group "")
 endif ()
- message("${broInput} ${extension} -> ${group}")
-
 if (NOT "${group}" STREQUAL "")
 # add group to master group list if not already in it
 list(FIND MASTER_GROUP_LIST ${group} _found)
From 7b50f97d390c47e0fe4374224c2e7fb004042d5f Mon Sep 17 00:00:00 2001
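Review bot: The two added `else if` branches keep the existing pattern of `find()` followed by `erase(0, strlen(...))`, which assumes the match sits at offset 0; `find()` matches the build path anywhere in the string, and when it matches later the erase strips the wrong characters and `p` no longer marks where the following "remove path separators" step expects the root to end. Anchoring the match, e.g. `(p = my_subpath.find(BRO_BUILD_SOURCE_PATH)) == 0` or `my_subpath.compare(0, strlen(BRO_BUILD_SOURCE_PATH), BRO_BUILD_SOURCE_PATH) == 0`, closes that gap for the new branches (the two existing ones share it). get_script_subpath begins and continues outside this hunk.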
From: Robin Sommer Date: Thu, 16 May 2013 21:09:44 -0700 Subject: [PATCH 051/200] Removing Broxygen's dpd_config magic. The table doesn't exist anymore. The functionality has been replaced with a function call but I can't really see how to get it out of there. We could get it from the analyzer manager, however then we can't tie it back to a script anymore. What we could do eventually is add this to the information about the analyzer plugin. --- src/parse.y | 3 +-- src/scan.l | 62 +---------------------------------------------------- 2 files changed, 2 insertions(+), 63 deletions(-) diff --git a/src/parse.y b/src/parse.y index 5c54706168..90babf3467 100644 --- a/src/parse.y +++ b/src/parse.y @@ -1081,8 +1081,7 @@ decl: add_global($2, $3, $4, $5, $6, VAR_REDEF); if ( generate_documentation && - ! streq("capture_filters", $2->Name()) && - ! streq("dpd_config", $2->Name()) ) + ! streq("capture_filters", $2->Name()) ) { ID* fake_id = create_dummy_id($2, $2->Type()); BroDocObj* o = new BroDocObj(fake_id, reST_doc_comments, true); diff --git a/src/scan.l b/src/scan.l index babe036027..8da74b3da6 100644 --- a/src/scan.l +++ b/src/scan.l @@ -69,11 +69,6 @@ void clear_reST_doc_comments(); // Adds changes to capture_filter to the current script's reST documentation. static void check_capture_filter_changes(); -#if 0 -// Adds changes to dpd_config to the current script's reST documentation. -static void check_dpd_config_changes(); -#endif - static const char* canon_doc_comment(const char* comment) { // "##Text" and "## Text" are treated the same in order to be able @@ -555,7 +550,7 @@ YYLTYPE GetCurrentLocation() static int load_files(const char* orig_file) { // Whether we pushed on a FileInfo that will restore the - // current module after the final file has been scanned. + // current module after the final file has been scanned. bool did_module_restore = false; const char* full_filename = ""; 
@@ -825,9 +820,6 @@ int yywrap() while ( input_files.length() > 0 ) { check_capture_filter_changes(); -#if 0 - check_dpd_config_changes(); -#endif if ( load_files(input_files[0]) ) { @@ -843,9 +835,6 @@ int yywrap() } check_capture_filter_changes(); -#if 0 - check_dpd_config_changes(); -#endif // For each file scanned so far, and for each @prefix, look for a // prefixed and flattened version of the loaded file in BROPATH. The @@ -1010,55 +999,6 @@ static void check_capture_filter_changes() } } -#if 0 -static void check_dpd_config_changes() - { - if ( ! generate_documentation ) - return; - - // Lookup the "dpd_config" identifier, if it has any defined value, - // add it to the script's documentation, and clear the table so that - // it doesn't taint the documentation for subsequent scripts. - ID* dpd_config = global_scope()->Lookup("dpd_config"); - if ( ! dpd_config ) - return; - - TableVal* dpd_table = dpd_config->ID_Val()->AsTableVal(); - ListVal* dpd_list = dpd_table->ConvertToList(); - - for ( int i = 0; i < dpd_list->Length(); ++i ) - { - Val* key = dpd_list->Index(i); - if ( ! key ) - continue; - - Val* v = dpd_table->Lookup(key); - if ( ! v ) - continue; - - int tag = key->AsListVal()->Index(0)->AsCount(); - ODesc valdesc; - valdesc.SetIndentSpaces(4); - valdesc.PushIndent(); - v->Describe(&valdesc); - -#if 0 - if ( tag < AnalyzerTag::Error || tag > AnalyzerTag::LastAnalyzer ) - { - fprintf(stderr, "Warning: skipped bad analyzer tag: %i\n", tag); - continue; - } - - last_reST_doc->AddPortAnalysis( - Analyzer::GetTagName((AnalyzerTag)tag), - valdesc.Description()); -#endif - } - - dpd_table->RemoveAll(); - } -#endif - void print_current_reST_doc_comments() { if ( ! reST_doc_comments ) From ae9a02140e0acaf803f5606448b1dfdeb31a5310 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Fri, 17 May 2013 10:35:08 -0400 Subject: [PATCH 052/200] Fix the issue with transaction ID reuse in a single DNS connection. - Each transaction ID within a connection is now maintained as a queue of DNS::Info logging records. - New function added to the queue.bro script to support peeking at the new gettable item in the queue without removing it. --- scripts/base/protocols/dns/main.bro | 103 +++++++++++------- scripts/base/utils/queue.bro | 20 +++- testing/btest/Baseline/core.ipv6-frag/dns.log | 5 +- 3 files changed, 83 insertions(+), 45 deletions(-) diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index ee0e4166da..7d69d2f9ee 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -1,6 +1,7 @@ ##! Base DNS analysis script which tracks and logs DNS queries along with ##! their responses. +@load base/utils/queue @load ./consts module DNS; @@ -73,19 +74,6 @@ export { total_replies: count &optional; }; - ## A record type which tracks the status of DNS queries for a given - ## :bro:type:`connection`. - type State: record { - ## Indexed by query id, returns Info record corresponding to - ## query/response which haven't completed yet. - pending: table[count] of Info &optional; - - ## This is the list of DNS responses that have completed based on the - ## number of responses declared and the number received. The contents - ## of the set are transaction IDs. - finished_answers: set[count] &optional; - }; - ## An event that can be handled to access the :bro:type:`DNS::Info` ## record as it is sent to the logging framework. global log_dns: event(rec: Info); 
@@ -102,8 +90,32 @@ export { ## ## reply: The specific response information according to RR type/class. global do_reply: event(c: connection, msg: dns_msg, ans: dns_answer, reply: string); + + ## A hook that is called whenever a session is being set. + ## This can be used if additional initialization logic needs to happen + ## when creating a new session value. + ## + ## c: The connection involved in the new session + ## + ## msg: The DNS message header information. + ## + ## is_query: Indicator for if this is being called for a query or a response. + global set_session: hook(c: connection, msg: dns_msg, is_query: bool); } +## A record type which tracks the status of DNS queries for a given +## :bro:type:`connection`. +type State: record { + ## Indexed by query id, returns Info record corresponding to + ## query/response which haven't completed yet. + pending: table[count] of Queue::Queue; + + ## This is the list of DNS responses that have completed based on the + ## number of responses declared and the number received. The contents + ## of the set are transaction IDs. + finished_answers: set[count]; +}; + redef record connection += { dns: Info &optional; dns_state: State &optional; @@ -134,14 +146,6 @@ event bro_init() &priority=5 function new_session(c: connection, trans_id: count): Info { - if ( ! c?$dns_state ) - { - local state: State; - state$pending=table(); - state$finished_answers=set(); - c$dns_state = state; - } - local info: Info; info$ts = network_time(); info$id = c$id; 
@@ -151,18 +155,37 @@ function new_session(c: connection, trans_id: count): Info return info; } -function set_session(c: connection, msg: dns_msg, is_query: bool) +hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 { - if ( ! c?$dns_state || msg$id !in c$dns_state$pending ) + if ( ! c?$dns_state ) { - c$dns_state$pending[msg$id] = new_session(c, msg$id); - # Try deleting this transaction id from the set of finished answers. - # Sometimes hosts will reuse ports and transaction ids and this should - # be considered to be a legit scenario (although bad practice). - delete c$dns_state$finished_answers[msg$id]; + local state: State; + c$dns_state = state; } - c$dns = c$dns_state$pending[msg$id]; + if ( msg$id !in c$dns_state$pending ) + c$dns_state$pending[msg$id] = Queue::init(); + + local info: Info; + # If this is either a query or this is the reply but + # no Info records are in the queue (we missed the query?) + # we need to create an Info record and put it in the queue. + if ( is_query || + Queue::len(c$dns_state$pending[msg$id]) == 0 ) + { + info = new_session(c, msg$id); + Queue::put(c$dns_state$pending[msg$id], info); + } + + if ( is_query ) + # If this is a query, assign the newly created info variable + # so that the world looks correct to anything else handling + # this query. + c$dns = info; + else + # Peek at the next item in the queue for this trans_id and + # assign it to c$dns since this is a response. + c$dns = Queue::peek(c$dns_state$pending[msg$id]); if ( ! is_query ) { @@ -190,7 +213,7 @@ function set_session(c: connection, msg: dns_msg, is_query: bool) event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5 { - set_session(c, msg, is_orig); + hook set_session(c, msg, is_orig); } event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5 
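Review bot: The per-transaction-ID queue created in the `hook set_session` body has no upper bound: every query whose reply never arrives appends another `Info` record to `c$dns_state$pending[msg$id]` via `Queue::put()`, and nothing removes entries until `connection_state_remove`, so a long-lived UDP flow repeating the same ID grows monitor state without limit. Passing a bounded configuration at `c$dns_state$pending[msg$id] = Queue::init();` (if `Queue::Settings` offers a length limit — confirm in queue.bro) or checking `Queue::len()` before `Queue::put()` keeps a single flow from consuming memory. A one-line comment at the `Queue::init()` call saying the queue exists because clients legitimately reuse transaction IDs within one connection would also help the next reader.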
@@ -200,9 +223,6 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) c$dns$AA = msg$AA; c$dns$RA = msg$RA; - if ( msg$id in c$dns_state$finished_answers ) - event conn_weird("dns_reply_seen_after_done", c, ""); - if ( reply != "" ) { if ( ! c$dns?$answers ) @@ -217,7 +237,6 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) if ( c$dns?$answers && c$dns?$total_answers && |c$dns$answers| == c$dns$total_answers ) { - add c$dns_state$finished_answers[c$dns$trans_id]; # Indicate this request/reply pair is ready to be logged. c$dns$ready = T; } @@ -230,7 +249,7 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) { Log::write(DNS::LOG, c$dns); # This record is logged and no longer pending. - delete c$dns_state$pending[c$dns$trans_id]; + Queue::get(c$dns_state$pending[c$dns$trans_id]); delete c$dns; } } @@ -243,15 +262,14 @@ event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qcla c$dns$qclass_name = classes[qclass]; c$dns$qtype = qtype; c$dns$qtype_name = query_types[qtype]; + c$dns$Z = msg$Z; # Decode netbios name queries # Note: I'm ignoring the name type for now. Not sure if this should be # worked into the query/response in some fashion. if ( c$id$resp_p == 137/udp ) query = decode_netbios_name(query); - c$dns$query = query; - - c$dns$Z = msg$Z; + c$dns$query = query; } event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5 @@ -339,6 +357,13 @@ event connection_state_remove(c: connection) &priority=-5 # If Bro is expiring state, we should go ahead and log all unlogged # request/response pairs now. for ( trans_id in c$dns_state$pending ) - Log::write(DNS::LOG, c$dns_state$pending[trans_id]); + { + local infos: vector of Info; + Queue::get_vector(c$dns_state$pending[trans_id], infos); + for ( i in infos ) + { + Log::write(DNS::LOG, infos[i]); + } + } } 
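Review bot: Dropping the `dns_reply_seen_after_done` weird (and `finished_answers` in the following hunk) removes the only signal that a reply arrived for a transaction that was already complete; under the new queue model such a reply instead takes the `Queue::len(...) == 0` branch of `hook set_session`, gets a fresh `Info` from `new_session`, and is logged with response fields only. An unsolicited or duplicate reply is exactly what a monitor wants flagged, so consider keeping an equivalent in that branch, e.g. `event conn_weird("dns_unmatched_reply", c, "");` (name constructed), or at least a comment in `do_reply` stating that late replies now surface as query-less log records. The enclosing `do_reply` handler begins outside the hunk.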
diff --git a/scripts/base/utils/queue.bro b/scripts/base/utils/queue.bro
index 11e85f229d..eb4f69a08e 100644
--- a/scripts/base/utils/queue.bro
+++ b/scripts/base/utils/queue.bro
@@ -19,22 +19,29 @@ export {
 ## s: A :bro:record:`Settings` record configuring the queue.
 ##
 ## Returns: An opaque queue record.
- global init: function(s: Settings): Queue;
+ global init: function(s: Settings &default=[]): Queue;
- ## Put a string onto the beginning of a queue.
+ ## Put a value onto the beginning of a queue.
 ##
 ## q: The queue to put the value into.
 ##
 ## val: The value to insert into the queue.
 global put: function(q: Queue, val: any);
- ## Get a string from the end of a queue.
+ ## Get a value from the end of a queue.
 ##
- ## q: The queue to get the string from.
+ ## q: The queue to get the value from.
 ##
 ## Returns: The value gotten from the queue.
 global get: function(q: Queue): any;
+ ## Peek at the value at the end of the queue without removing it.
+ ##
+ ## q: The queue to get the value from.
+ ##
+ ## Returns: The value at the end of the queue.
+ global peek: function(q: Queue): any;
+
 ## Merge two queue's together. If any settings are applied
 ## to the queues, the settings from q1 are used for the new
 ## merged queue.
@@ -103,6 +110,11 @@ function get(q: Queue): any
 return ret;
 }
+function peek(q: Queue): any
+ {
+ return q$vals[q$bottom];
+ }
+
 function merge(q1: Queue, q2: Queue): Queue
 {
 local ret = init(q1$settings);
diff --git a/testing/btest/Baseline/core.ipv6-frag/dns.log b/testing/btest/Baseline/core.ipv6-frag/dns.log
index de027644e8..97fb552c0d 100644
--- a/testing/btest/Baseline/core.ipv6-frag/dns.log
+++ b/testing/btest/Baseline/core.ipv6-frag/dns.log
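Review bot: `peek()` returns `q$vals[q$bottom]` without checking that the queue holds anything, so on an empty queue the index lookup is a runtime error rather than a defined result; the one caller in this series guards with `Queue::len()` first, but the exported doc block does not state that precondition. Add to the new comment something like `## Calling this on an empty queue is an error; check Queue::len first.`, or make `peek()` mirror whatever empty-queue behaviour `get()` has (its body lies outside the hunk).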
@@ -3,9 +3,10 @@ #empty_field (empty) #unset_field - #path dns -#open 2012-10-05-17-47-27 +#open 2013-05-17-14-28-17 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected #types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool 1331084278.438444 UWkUyAuUGXf 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000 F 1331084293.592245 arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 This TXT record should be ignored 1.000000 F -#close 2012-10-05-17-47-27 +1331084298.593081 arKYeMETxOg 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT - - F F T F 0 - - F +#close 2013-05-17-14-28-17 From 85e3eb4c579f6890049f13e6b16663ff415c3d4b Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 17 May 2013 07:44:01 -0700 Subject: [PATCH 053/200] Fixing Broxygen generation. Needs to have BROMAGIC set to find the magic database. --- doc/scripts/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt index 33d473b005..315f751cd1 100644 --- a/doc/scripts/CMakeLists.txt +++ b/doc/scripts/CMakeLists.txt 
@@ -107,7 +107,7 @@ macro(REST_TARGET srcDir broInput) COMMAND "${CMAKE_COMMAND}" ARGS -E remove_directory .state # generate the reST documentation using bro - COMMAND BROPATH=${BROPATH}:${srcDir} ${CMAKE_BINARY_DIR}/src/bro + COMMAND BROPATH=${BROPATH}:${srcDir} BROMAGIC=${CMAKE_SOURCE_DIR}/magic ${CMAKE_BINARY_DIR}/src/bro ARGS -b -Z ${broInput} || (rm -rf .state *.log *.rst && exit 1) # move generated doc into a new directory tree that # defines the final structure of documents From 31f94b8f371a768fb2f449c6efbc9b8af1b577b7 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 17 May 2013 07:47:14 -0700 Subject: [PATCH 054/200] Updating submodule(s). [nomail] --- CHANGES | 9 +++++++++ VERSION | 2 +- aux/bro-aux | 2 +- aux/broctl | 2 +- 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 36c1ee63cb..66a10b0fc7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,13 @@ +2.1-647 | 2013-05-17 07:47:14 -0700 + + * Fixing Broxygen generation to have BROMAGIC set. (Robin Sommer) + + * Fix for 'fchmod undeclared here' on FreeBSD. (Robin Sommer) + + * CMake policy fix to avoid errors with older versions. (Robin + Sommer) + 2.1-641 | 2013-05-15 18:15:09 -0700 * Test update. (Robin Sommer) diff --git a/VERSION b/VERSION index 66bc7b0865..a5b5bd372c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-641 +2.1-647 diff --git a/aux/bro-aux b/aux/bro-aux index 18c454981e..cfaf4eea78 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 18c454981e3b0903811c541f6e728d4ef6cee2c5 +Subproject commit cfaf4eea788bdac4ebfe9e46e3de2cd74b0bc068 diff --git a/aux/broctl b/aux/broctl index 3ea30f7a14..ee213040f0 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 3ea30f7a146343f054a3846a61ee5c67259b2de2 +Subproject commit ee213040f0c0c632bef9775f06615d53015a629f From 945aa8a5508156c260783ec74440d2bb9f3dedd4 Mon Sep 17 00:00:00 2001 
From: Jon Siwek
Date: Fri, 17 May 2013 14:09:24 -0500
Subject: [PATCH 055/200] Fix uninitialized DPM member.
Was seeing crashes due to this primarily on Ubuntu 12.04 when generating reST docs.
---
 src/DPM.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/DPM.cc b/src/DPM.cc
index d7e5cd25ef..fdba458dd7 100644
--- a/src/DPM.cc
+++ b/src/DPM.cc
@@ -34,7 +34,7 @@ ExpectedConn::ExpectedConn(const ExpectedConn& c)
 }
 DPM::DPM()
-: expected_conns_queue(AssignedAnalyzer::compare)
+: active_analyzers(0), expected_conns_queue(AssignedAnalyzer::compare)
 {
 }
From bd02da8a0c7e9b3d05d0b9d6d3889a5ac43fb785 Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Fri, 17 May 2013 13:38:26 -0700
Subject: [PATCH 056/200] change sqlite3 default threading mode to no-mutex, disable memory statistics, finalize prepared statement before exitting logger.
This might fix the deadlock issue, at least it did not happen for me on my tried on the test system where it happened quite regularly before.
---
 src/3rdparty/sqlite3.c | 3 +++
 src/logging/writers/SQLite.cc | 5 ++++-
 src/threading/Queue.h | 5 +++--
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/3rdparty/sqlite3.c b/src/3rdparty/sqlite3.c
index 77f14da90d..ba6a30e132 100644
--- a/src/3rdparty/sqlite3.c
+++ b/src/3rdparty/sqlite3.c
@@ -1,3 +1,6 @@
+# define SQLITE_THREADSAFE 2
+# define SQLITE_DEFAULT_MEMSTATUS 0
+
 /******************************************************************************
 ** This file is an amalgamation of many separate C source files from SQLite
 ** version 3.7.16.2. By combining all the individual C code files into this
diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc
index 22037f029e..c395f02b86 100644
--- a/src/logging/writers/SQLite.cc
+++ b/src/logging/writers/SQLite.cc
@@ -35,13 +35,16 @@ SQLite::SQLite(WriterFrontend* frontend) : WriterBackend(frontend)
 db = 0;
 io = new AsciiFormatter(this, AsciiFormatter::SeparatorInfo(set_separator, unset_field, empty_field));
+ st = 0;
 }
 SQLite::~SQLite()
 {
 if ( db != 0 )
 {
- sqlite3_close(db);
+ sqlite3_finalize(st);
+ if ( !sqlite3_close(db) )
+ Error("Sqlite could not close connection");
 db = 0;
 }
diff --git a/src/threading/Queue.h b/src/threading/Queue.h
index 5988c94042..792fb63f9c 100644
--- a/src/threading/Queue.h
+++ b/src/threading/Queue.h
@@ -113,8 +113,9 @@ private:
 inline static void safe_lock(pthread_mutex_t* mutex)
 {
- if ( pthread_mutex_lock(mutex) != 0 )
- reporter->FatalErrorWithCore("cannot lock mutex");
+ int res = pthread_mutex_lock(mutex);
+ if ( res != 0 )
+ reporter->FatalErrorWithCore("cannot lock mutex: %d(%s)", res, strerror(res));
 }
 inline static void safe_unlock(pthread_mutex_t* mutex)
From 14abcc52fa7b69c598f560444db5d45caee48233 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Fri, 17 May 2013 13:38:29 -0700
Subject: [PATCH 057/200] Updating submodule(s). [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aux/broctl b/aux/broctl
index ee213040f0..c25a64b173 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit ee213040f0c0c632bef9775f06615d53015a629f
+Subproject commit c25a64b173652e934bcd7b88e8573b306bf59ac5
From 65b56479d2c0ee89231f2b3e9c21533f410bdddb Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Fri, 17 May 2013 14:08:43 -0700
Subject: [PATCH 058/200] (hopefully) fix mutex lock problem.
log writers were removed on shutdown while frontends still had pointers to it. A similar fix will be necessary for the input framework (tomorrow :) )
---
 src/logging/Manager.cc | 10 ++--------
 src/logging/Manager.h | 6 ------
 2 files changed, 2 insertions(+), 14 deletions(-)
diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc
index 37cc90cd78..61e15a334f 100644
--- a/src/logging/Manager.cc
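Review bot: The new close check in `SQLite::~SQLite()` is inverted: `sqlite3_close()` returns `SQLITE_OK` (zero) on success, so `if ( !sqlite3_close(db) )` reports "Sqlite could not close connection" after every successful close and stays silent when the close actually fails (for instance `SQLITE_BUSY` when a statement is still unfinalized). Change it to `if ( sqlite3_close(db) != SQLITE_OK )`. Checking the return of `sqlite3_finalize(st)` the same way is worthwhile too, since a failed finalize is the usual reason a following close fails; calling it with the `st = 0` the constructor now sets is a harmless no-op.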
+++ b/src/logging/Manager.cc
@@ -1271,9 +1271,8 @@ bool Manager::Flush(EnumVal* id)
 return true;
 }
-void Manager::FlushBuffers()
+void Manager::Terminate()
 {
- // Flush out cached entries in Frontend
 for ( vector::iterator s = streams.begin(); s != streams.end(); ++s )
 {
 if ( ! *s )
@@ -1281,15 +1280,10 @@ void Manager::FlushBuffers()
 for ( Stream::WriterMap::iterator i = (*s)->writers.begin(); i != (*s)->writers.end(); i++ )
- i->second->writer->FlushWriteBuffer();
+ i->second->writer->Stop();
 }
 }
-void Manager::Terminate()
- {
- FlushBuffers();
- }
-
 // Timer which on dispatching rotates the filter.
 class RotationTimer : public Timer {
 public:
diff --git a/src/logging/Manager.h b/src/logging/Manager.h
index 5ee4318f65..61f6dcd8a7 100644
--- a/src/logging/Manager.h
+++ b/src/logging/Manager.h
@@ -149,12 +149,6 @@ public:
 */
 bool Flush(EnumVal* id);
- /**
- * Flushes all buffers that are currently held by writer frontends
- * out to the threads. Does not call the thread flush operation.
- */
- void FlushBuffers();
-
 /**
 * Signals the manager to shutdown at Bro's termination.
 */
From 4ccd6d76fd520554aa3ae9af8654b40b0b57c799 Mon Sep 17 00:00:00 2001
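Review bot: `Manager::Terminate()` now calls `writer->Stop()` on each frontend and the `FlushWriteBuffer()` pass that the old `FlushBuffers()` performed is gone, so unless `Stop()` itself hands the frontend's cached entries to the writer thread (not visible here — confirm in WriterFrontend), records buffered at shutdown are dropped, which for an audit log is a silent data-loss path. If `Stop()` does flush, say so where `Terminate()` is declared in Manager.h, e.g. `* Stops all writer frontends; each flushes its buffered entries as part of Stop().`; if it does not, the flush call should precede `Stop()` inside the same loop.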
From: Robin Sommer Date: Fri, 17 May 2013 18:09:59 -0700 Subject: [PATCH 059/200] Fixing tests. Part of this involves making the file-analysis tests independent of specific hash values. I've done that only partially though. --- doc/scripts/DocSourcesList.cmake | 67 +++++++++++++--- scripts/base/protocols/ftp/main.bro | 70 ++++++++--------- scripts/base/protocols/irc/dcc-send.bro | 2 +- scripts/test-all-policy.bro | 1 - src/AnalyzerTags.h | 57 -------------- src/analyzer/Tag.cc | 2 + src/analyzer/Tag.h | 2 + src/file_analysis/File.h | 3 +- src/file_analysis/Manager.h | 2 +- .../canonified_loaded_scripts.log | 72 +++++++++++++++--- .../canonified_loaded_scripts.log | 72 +++++++++++++++--- .../doc.autogen-reST-example/example.rst | 11 --- .../out | 4 +- .../{Cx92a0ym5R8-file => 1-file} | 0 .../{kg59rqyYxN-file => 2-file} | 0 .../a.size | 2 +- .../b.out | 8 +- .../b.size | 2 +- .../c.out | 4 +- .../c.size | 2 +- .../{aFQKI8SPOL2-file => 1-file} | 0 .../{CCU3vUEr06l-file => 2-file} | 0 .../{HCzA0dVwDPj-file => 3-file} | Bin .../{a1Zu1fteVEf-file => 4-file} | Bin .../{xXlF7wFdsR-file => 5-file} | Bin .../{v5HLI7MxPQh-file => 1-file} | 0 .../{PZS1XGHkIf1-file => 2-file} | 0 ...-item-Rqjkzoroau4-0.dat => ftp-item-0.dat} | 0 ...-item-BTsa70Ua9x7-1.dat => ftp-item-1.dat} | 0 ...-item-VLQvJybrm38-2.dat => ftp-item-2.dat} | 0 ...-item-zrfwSs9K1yk-3.dat => ftp-item-3.dat} | 0 .../ftp.log | 12 +-- ...p-item-BFymS6bFgT3-0.dat => http-item.dat} | 0 .../http.log | 6 +- ...tem-wqKMAamJVSb-0.dat => irc-dcc-item.dat} | Bin .../irc.log | 6 +- ...ty-cwR7l6Zctxb-0.dat => smtp-entity-0.dat} | 0 ...ty-Ltd7QO7jEv3-1.dat => smtp-entity-1.dat} | 0 .../smtp_entities.log | 8 +- .../core/tunnels/teredo-known-services.test | 4 +- .../frameworks/file-analysis/http/get.bro | 12 +-- .../file-analysis/http/partial-content.bro | 8 +- .../file-analysis/http/pipeline.bro | 14 ++-- .../frameworks/file-analysis/http/post.bro | 8 +- .../base/protocols/ftp/ftp-extract.bro | 12 ++- 
.../protocols/http/http-extract-files.bro | 3 +- .../base/protocols/irc/dcc-extract.test | 5 +- .../base/protocols/smtp/mime-extract.test | 10 ++- 48 files changed, 294 insertions(+), 197 deletions(-) delete mode 100644 src/AnalyzerTags.h rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/{Cx92a0ym5R8-file => 1-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/{kg59rqyYxN-file => 2-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{aFQKI8SPOL2-file => 1-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{CCU3vUEr06l-file => 2-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{HCzA0dVwDPj-file => 3-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{a1Zu1fteVEf-file => 4-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{xXlF7wFdsR-file => 5-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/{v5HLI7MxPQh-file => 1-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/{PZS1XGHkIf1-file => 2-file} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-Rqjkzoroau4-0.dat => ftp-item-0.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-BTsa70Ua9x7-1.dat => ftp-item-1.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-VLQvJybrm38-2.dat => ftp-item-2.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-zrfwSs9K1yk-3.dat => ftp-item-3.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/{http-item-BFymS6bFgT3-0.dat => http-item.dat} (100%) rename 
testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/{irc-dcc-item-wqKMAamJVSb-0.dat => irc-dcc-item.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/{smtp-entity-cwR7l6Zctxb-0.dat => smtp-entity-0.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/{smtp-entity-Ltd7QO7jEv3-1.dat => smtp-entity-1.dat} (100%) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index e4c92a0777..0b077c2c50 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
@@ -16,15 +16,63 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal) rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) -rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/file_analysis.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/analyzer.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/bro.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/const.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/event.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/file_analysis.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/input.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/logging.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ARP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_AYIYA.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_BackDoor.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_BitTorrent.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ConnSize.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DCE_RPC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DHCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DNS.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts 
base/bif/plugins/Bro_FTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_File.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Finger.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_GTPv1.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Gnutella.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_HTTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_HTTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ICMP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_IRC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Ident.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_InterConn.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Login.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Login.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_MIME.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Modbus.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetBIOS.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetBIOS.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetFlow.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_PIA.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_POP3.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_RPC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMB.events.bif.bro) 
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SOCKS.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSH.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSL.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSL.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SteppingStone.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Syslog.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Teredo.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_UDP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ZIP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/reporter.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/strings.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/types.bif.bro) +rest_target(${psd} base/frameworks/analyzer/main.bro) rest_target(${psd} base/frameworks/cluster/main.bro) rest_target(${psd} base/frameworks/cluster/nodes/manager.bro) rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro) @@ -146,7 +194,6 @@ rest_target(${psd} policy/frameworks/software/vulnerable.bro) rest_target(${psd} policy/integration/barnyard2/main.bro) rest_target(${psd} policy/integration/barnyard2/types.bro) rest_target(${psd} policy/integration/collective-intel/main.bro) -rest_target(${psd} policy/misc/analysis-groups.bro) rest_target(${psd} policy/misc/app-metrics.bro) rest_target(${psd} policy/misc/capture-loss.bro) rest_target(${psd} policy/misc/detect-traceroute/main.bro) 
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 48407e39ab..88e1fbeeb8 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -1,6 +1,6 @@ ##! The logging this script does is primarily focused on logging FTP commands ##! along with metadata. For example, if files are transferred, the argument -##! will take on the full path that the client is at along with the requested +##! will take on the full path that the client is at along with the requested ##! file name. @load ./utils-commands @@ -13,16 +13,16 @@ module FTP; export { ## The FTP protocol logging stream identifier. redef enum Log::ID += { LOG }; - + ## List of commands that should have their command/response pairs logged. const logged_commands = { "APPE", "DELE", "RETR", "STOR", "STOU", "ACCT", "PORT", "PASV", "EPRT", "EPSV" } &redef; - + ## This setting changes if passwords used in FTP sessions are captured or not. const default_capture_password = F &redef; - + ## User IDs that can be considered "anonymous". const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef; @@ -37,7 +37,7 @@ export { ## The port at which the acceptor is listening for the data connection. resp_p: port &log; }; - + type Info: record { ## Time when the command was sent. ts: time &log; @@ -53,12 +53,12 @@ export { command: string &log &optional; ## Argument for the command if one is given. arg: string &log &optional; - + ## Libmagic "sniffed" file type if the command indicates a file transfer. mime_type: string &log &optional; ## Size of the file if the command indicates a file transfer. file_size: count &log &optional; - + ## Reply code from the server in response to the command. reply_code: count &log &optional; ## Reply message from the server in response to the command. 
@@ -74,31 +74,31 @@ export { ## more concrete is discovered that the existing but unknown ## directory is ok to use. cwd: string &default="."; - + ## Command that is currently waiting for a response. cmdarg: CmdArg &optional; - ## Queue for commands that have been sent but not yet responded to + ## Queue for commands that have been sent but not yet responded to ## are tracked here. pending_commands: PendingCmds; - + ## Indicates if the session is in active or passive mode. passive: bool &default=F; - + ## Determines if the password will be captured for this request. capture_password: bool &default=default_capture_password; }; - ## This record is to hold a parsed FTP reply code. For example, for the + ## This record is to hold a parsed FTP reply code. For example, for the ## 201 status code, the digits would be parsed as: x->2, y->0, z=>1. type ReplyCode: record { x: count; y: count; z: count; }; - + ## Parse FTP reply codes into the three constituent single digit values. global parse_ftp_reply_code: function(code: count): ReplyCode; - + ## Event that can be handled to access the :bro:type:`FTP::Info` ## record as it is sent on to the logging framework. global log_ftp: event(rec: Info); @@ -166,7 +166,7 @@ function set_ftp_session(c: connection) s$uid=c$uid; s$id=c$id; c$ftp=s; - + # Add a shim command so the server can respond with some init response. add_pending_cmd(c$ftp$pending_commands, "", ""); } @@ -178,13 +178,13 @@ function ftp_message(s: Info) # or it's a deliberately logged command. if ( |s$tags| > 0 || (s?$cmdarg && s$cmdarg$cmd in logged_commands) ) { - if ( s?$password && - ! s$capture_password && + if ( s?$password && + ! s$capture_password && to_lower(s$user) !in guest_ids ) { s$password = ""; } - + local arg = s$cmdarg$arg; if ( s$cmdarg$cmd in file_cmds ) { @@ -194,7 +194,7 @@ function ftp_message(s: Info) arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path); } - + s$ts=s$cmdarg$ts; s$command=s$cmdarg$cmd; if ( arg == "" ) 
@@ -204,9 +204,9 @@ function ftp_message(s: Info) Log::write(FTP::LOG, s); } - - # The MIME and file_size fields are specific to file transfer commands - # and may not be used in all commands so they need reset to "blank" + + # The MIME and file_size fields are specific to file transfer commands + # and may not be used in all commands so they need reset to "blank" # values after logging. delete s$mime_type; delete s$file_size; @@ -237,19 +237,19 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5 remove_pending_cmd(c$ftp$pending_commands, c$ftp$cmdarg); ftp_message(c$ftp); } - + local id = c$id; set_ftp_session(c); - + # Queue up the new command and argument add_pending_cmd(c$ftp$pending_commands, command, arg); - + if ( command == "USER" ) c$ftp$user = arg; - + else if ( command == "PASS" ) c$ftp$password = arg; - + else if ( command == "PORT" || command == "EPRT" ) { local data = (command == "PORT") ? @@ -277,7 +277,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior # TODO: figure out what to do with continued FTP response (not used much) if ( cont_resp ) return; - + # TODO: do some sort of generic clear text login processing here. local response_xyz = parse_ftp_reply_code(code); #if ( response_xyz$x == 2 && # successful @@ -293,18 +293,20 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior # if that's given as well which would be more correct. c$ftp$file_size = extract_count(msg); } - + # PASV and EPSV processing else if ( (code == 227 || code == 229) && (c$ftp$cmdarg$cmd == "PASV" || c$ftp$cmdarg$cmd == "EPSV") ) { local data = (code == 227) ? parse_ftp_pasv(msg) : parse_ftp_epsv(msg); - + if ( data$valid ) { c$ftp$passive=T; - + if ( code == 229 && data$h == [::] ) + data$h = c$id$resp_h; + add_expected_data_channel(c$ftp, [$passive=T, $orig_h=c$id$orig_h, $resp_h=data$h, $resp_p=data$p]); } 
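Review bot: The new `if ( code == 229 && data$h == [::] )` branch in the PASV/EPSV block relies on an unstated convention — that `parse_ftp_epsv` hands back the unspecified address when the 229 reply carries only a port — and a reader cannot tell from this code whether `[::]` is a sentinel or a genuinely parsed value. A comment above the check would make the contract explicit: `# An EPSV (229) reply contains only a port, so the parsed host comes back as [::]; substitute the server's control-connection address so the expected data channel is registered against a real endpoint.` Without that substitution the entry handed to `add_expected_data_channel` would presumably carry `[::]` as `$resp_h` and the passive data connection would not be matched to this session, which is worth stating so nobody "simplifies" the branch away. The enclosing `ftp_reply` handler begins and ends outside this hunk.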
@@ -325,9 +327,9 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior else if ( c$ftp$cmdarg$cmd == "PWD" || c$ftp$cmdarg$cmd == "XPWD" ) c$ftp$cwd = extract_path(msg); } - + # In case there are multiple commands queued, go ahead and remove the - # command here and log because we can't do the normal processing pipeline + # command here and log because we can't do the normal processing pipeline # to wait for a new command before logging the command/response pair. if ( |c$ftp$pending_commands| > 1 ) { @@ -359,7 +361,7 @@ event connection_reused(c: connection) &priority=5 if ( "ftp-data" in c$service ) c$ftp_data_reuse = T; } - + event connection_state_remove(c: connection) &priority=-5 { if ( c$ftp_data_reuse ) return; diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index 8ec7655202..f5dc72e9ce 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -179,7 +179,7 @@ event irc_dcc_message(c: connection, is_orig: bool, dcc_expected_transfers[address, p] = c$irc; } -event expected_connection_seen(c: connection, a: count) &priority=10 +event expected_connection_seen(c: connection, a: Analyzer::Tag) &priority=10 { local id = c$id; if ( [id$resp_h, id$resp_p] in dcc_expected_transfers ) diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 7b349b64a3..daad03d9b6 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -31,7 +31,6 @@ @load integration/barnyard2/types.bro @load integration/collective-intel/__load__.bro @load integration/collective-intel/main.bro -@load misc/analysis-groups.bro @load misc/app-metrics.bro @load misc/capture-loss.bro @load misc/detect-traceroute/__load__.bro diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h deleted file mode 100644 index 8429dec335..0000000000 --- a/src/AnalyzerTags.h +++ /dev/null 
@@ -1,57 +0,0 @@ -#ifndef ANALYZERTAGS_H -#define ANALYZERTAGS_H - -// Each kind of analyzer gets a tag. When adding an analyzer here, also adapt -// the table of analyzers in Analyzer.cc. -// -// Using a namespace here is kind of a hack: ideally this would be in "class -// Analyzer {...}". But then we'd have circular dependencies across the header -// files. - -#include "util.h" - -typedef uint32 AnalyzerID; - -namespace AnalyzerTag { - enum Tag { - Error = 0, // used as error code - - // Analyzer in charge of protocol detection. - PIA_TCP, PIA_UDP, - - // Transport-layer analyzers. - ICMP, TCP, UDP, - - // Application-layer analyzers (hand-written). - BitTorrent, BitTorrentTracker, - DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC, - Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin, - RPC, Rsh, SMB, SMTP, SSH, - Telnet, - - // Application-layer analyzers, binpac-generated. - DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC, - HTTP_BINPAC, SSL, SYSLOG_BINPAC, - Modbus, - - // Decapsulation analyzers. - AYIYA, - SOCKS, - Teredo, - GTPv1, - - // Other - File, IRC_Data, FTP_Data, Backdoor, InterConn, SteppingStone, TCPStats, - ConnSize, - - // Support-analyzers - Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP, - Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh, - Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS, - FTP_ADAT, - // End-marker. - LastAnalyzer - }; -}; - -#endif diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc index 09c3c26caf..0459a91a32 100644 --- a/src/analyzer/Tag.cc +++ b/src/analyzer/Tag.cc @@ -6,6 +6,8 @@ using namespace analyzer; +Tag Tag::Error; + Tag::Tag(type_t arg_type, subtype_t arg_subtype) { assert(arg_type > 0); diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index ca3bc8b02f..4d91e19641 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h 
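Review bot: `Tag Tag::Error;` in the Tag.cc hunk defines the sentinel as a mutable, dynamically-initialized global, and the matching `static Tag Error;` declaration in the Tag.h hunk is public and undocumented; since the File.h and Manager.h hunks in this commit use `analyzer::Tag::Error` as a default argument, every comparison against it depends on the value never being reassigned. Make it `static const Tag Error;` in the header and `const Tag Tag::Error;` here (or `const Tag Tag::Error{};` if `Tag`'s default constructor is not user-provided), so no caller or friend can overwrite it. A one-line comment on the declaration, e.g. `// Sentinel meaning "no analyzer"; default-constructed, never a registered tag value.`, would also record the contract that the visible `Tag::Tag(type_t, subtype_t)` constructor only hints at via `assert(arg_type > 0)`. Default arguments are evaluated at the call site, so static-initialization order only matters if some other translation unit's static initializer reads `Tag::Error`; worth confirming none does.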
@@ -115,6 +115,8 @@ public: return type != other.type ? type < other.type : (subtype < other.subtype); } + static Tag Error; + protected: friend class analyzer::Manager; friend class analyzer::Component; diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 7542d31700..40446934e1 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -6,7 +6,6 @@ #include #include -#include "AnalyzerTags.h" #include "Conn.h" #include "Val.h" #include "AnalyzerSet.h" @@ -132,7 +131,7 @@ protected: * Constructor; only file_analysis::Manager should be creating these. */ File(const string& unique, Connection* conn = 0, - analyzer::Tag tag = AnalyzerTag::Error, bool is_orig = false); + analyzer::Tag tag = analyzer::Tag::Error, bool is_orig = false); /** * Updates the "conn_ids" and "conn_uids" fields in #val record with the diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index d8d434b779..99121b8575 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -134,7 +134,7 @@ protected: * fields. */ File* GetFile(const string& unique, Connection* conn = 0, - analyzer::Tag tag = AnalyzerTag::Error, + analyzer::Tag tag = analyzer::Tag::Error, bool is_orig = false, bool update_conn = true); /** diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 840f555711..06652e37e7 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
@@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-05-15-23-01-21 +#open 2013-05-17-03-57-47 #fields name #types string scripts/base/init-bare.bro - build/src/base/const.bif.bro - build/src/base/types.bif.bro - build/src/base/strings.bif.bro - build/src/base/bro.bif.bro - build/src/base/reporter.bif.bro - build/src/base/event.bif.bro + build/scripts/base/bif/const.bif.bro + build/scripts/base/bif/types.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/event.bif.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro - build/src/base/logging.bif.bro + build/scripts/base/bif/logging.bif.bro scripts/base/frameworks/logging/postprocessors/__load__.bro scripts/base/frameworks/logging/postprocessors/scp.bro scripts/base/frameworks/logging/postprocessors/sftp.bro 
@@ -26,15 +26,65 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/main.bro - build/src/base/input.bif.bro + build/scripts/base/bif/input.bif.bro scripts/base/frameworks/input/readers/ascii.bro scripts/base/frameworks/input/readers/raw.bro scripts/base/frameworks/input/readers/benchmark.bro scripts/base/frameworks/input/readers/binary.bro scripts/base/frameworks/input/readers/sqlite.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/main.bro + build/scripts/base/bif/analyzer.bif.bro scripts/base/frameworks/file-analysis/__load__.bro scripts/base/frameworks/file-analysis/main.bro - build/src/base/file_analysis.bif.bro + build/scripts/base/bif/file_analysis.bif.bro + build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro + build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro + build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro + build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro + build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro + build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_File.events.bif.bro + build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro + build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro + build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro + build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro + 
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro + build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro + build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro + build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro + build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro + build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro + build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro + build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro + build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro + build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2013-05-15-23-01-21 +#close 2013-05-17-03-57-47 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 3cfd9b58a7..cb92b663f0 100644 
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-05-16-00-19-22 +#open 2013-05-17-03-58-48 #fields name #types string scripts/base/init-bare.bro - build/src/base/const.bif.bro - build/src/base/types.bif.bro - build/src/base/strings.bif.bro - build/src/base/bro.bif.bro - build/src/base/reporter.bif.bro - build/src/base/event.bif.bro + build/scripts/base/bif/const.bif.bro + build/scripts/base/bif/types.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/event.bif.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro - build/src/base/logging.bif.bro + build/scripts/base/bif/logging.bif.bro scripts/base/frameworks/logging/postprocessors/__load__.bro scripts/base/frameworks/logging/postprocessors/scp.bro scripts/base/frameworks/logging/postprocessors/sftp.bro 
@@ -26,15 +26,65 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/main.bro - build/src/base/input.bif.bro + build/scripts/base/bif/input.bif.bro scripts/base/frameworks/input/readers/ascii.bro scripts/base/frameworks/input/readers/raw.bro scripts/base/frameworks/input/readers/benchmark.bro scripts/base/frameworks/input/readers/binary.bro scripts/base/frameworks/input/readers/sqlite.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/main.bro + build/scripts/base/bif/analyzer.bif.bro scripts/base/frameworks/file-analysis/__load__.bro scripts/base/frameworks/file-analysis/main.bro - build/src/base/file_analysis.bif.bro + build/scripts/base/bif/file_analysis.bif.bro + build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro + build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro + build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro + build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro + build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro + build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_File.events.bif.bro + build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro + build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro + build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro + build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro + 
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro + build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro + build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro + build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro + build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro + build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro + build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro + build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro + build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro + build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/patterns.bro @@ -141,4 +191,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-05-16-00-19-22 +#close 2013-05-17-03-58-48 
diff --git a/testing/btest/Baseline/doc.autogen-reST-example/example.rst b/testing/btest/Baseline/doc.autogen-reST-example/example.rst index 1f60efe70b..2cb75a6b9f 100644 --- a/testing/btest/Baseline/doc.autogen-reST-example/example.rst +++ b/testing/btest/Baseline/doc.autogen-reST-example/example.rst @@ -109,17 +109,6 @@ Notices Configuration Changes ##################### -Port Analysis -^^^^^^^^^^^^^ -Loading this script makes the following changes to :bro:see:`dpd_config`. - -SSL:: - - [ports={ - 443/tcp, - 562/tcp - }] - Packet Filter ^^^^^^^^^^^^^ Loading this script makes the following changes to :bro:see:`capture_filters`. diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out index 2e1907c91c..a24c711b36 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out @@ -1,11 +1,11 @@ FILE_NEW -sidhzrR4IT8, 0, 0 +5LcdtqrLA97, 0, 0 FILE_BOF_BUFFER The Nationa MIME_TYPE text/x-pascal FILE_STATE_REMOVE -sidhzrR4IT8, 16557, 0 +5LcdtqrLA97, 16557, 0 [orig_h=141.142.228.5, orig_p=50737/tcp, resp_h=141.142.192.162, resp_p=38141/tcp] source: FTP_DATA MD5: 7192a8075196267203adb3dfaa5c908d diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/Cx92a0ym5R8-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/1-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/Cx92a0ym5R8-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/1-file 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/kg59rqyYxN-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/2-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/kg59rqyYxN-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/2-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size index 13d0c3c958..49f10feff1 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size @@ -1 +1 @@ -555523 7gZBKVUgy4l-file0 +555523 file-0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out index 8ea01332c8..5b892c7e9a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out @@ -1,19 +1,19 @@ FILE_NEW -oDwT1BbzjM1, 0, 0 +Cvu8OAp0WEd, 0, 0 MIME_TYPE application/x-dosexec FILE_STATE_REMOVE -oDwT1BbzjM1, 1022920, 0 +Cvu8OAp0WEd, 1022920, 0 [orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp] total bytes: 1022920 source: HTTP FILE_NEW -oDwT1BbzjM1, 0, 0 +Cvu8OAp0WEd, 0, 0 MIME_TYPE application/octet-stream FILE_TIMEOUT FILE_STATE_REMOVE -oDwT1BbzjM1, 206024, 0 +Cvu8OAp0WEd, 206024, 0 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp] total bytes: 1022920 source: HTTP 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size index c1c1d71db7..5066aeab6d 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size @@ -1 +1 @@ -1022920 oDwT1BbzjM1-file0 +1022920 file-0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out index 1ad4f52f36..886abee0f2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out @@ -1,10 +1,10 @@ FILE_NEW -uHS14uhRKGe, 0, 0 +me4WAjZH0Ik, 0, 0 MIME_TYPE application/octet-stream FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE -uHS14uhRKGe, 498702, 0 +me4WAjZH0Ik, 498702, 0 [orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp] [orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp] total bytes: 498668 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size index da0f4d480c..e38aaa1e25 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size @@ -1 +1 @@ -498668 uHS14uhRKGe-file0 +498668 file-0 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/aFQKI8SPOL2-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/1-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/aFQKI8SPOL2-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/1-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/CCU3vUEr06l-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/2-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/CCU3vUEr06l-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/2-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/HCzA0dVwDPj-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/3-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/HCzA0dVwDPj-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/3-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/a1Zu1fteVEf-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/4-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/a1Zu1fteVEf-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/4-file 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/xXlF7wFdsR-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/5-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/xXlF7wFdsR-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/5-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/v5HLI7MxPQh-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/1-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/v5HLI7MxPQh-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/1-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/PZS1XGHkIf1-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/2-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/PZS1XGHkIf1-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/2-file diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-0.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-0.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-1.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-1.dat 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-2.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-2.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-3.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-3.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log index 27fda32d84..948d737979 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log 
@@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path ftp -#open 2013-04-12-16-32-25 +#open 2013-05-18-00-48-19 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg tags data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p extraction_file #types time string addr port addr port string string string string string count count string table[string] bool addr addr port string 1329843175.680248 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - 227 Entering Passive Mode (199,233,217,249,221,90) (empty) T 141.142.220.235 199.233.217.249 56666 - 1329843175.791528 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - 226 Transfer complete. (empty) - - - - - 1329843179.815947 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - 227 Entering Passive Mode (199,233,217,249,221,91) (empty) T 141.142.220.235 199.233.217.249 56667 - -1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 - - - - - - - (empty) - - - - ftp-item-Rqjkzoroau4-0.dat -1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 - - - - - - - (empty) - - - - ftp-item-BTsa70Ua9x7-1.dat +1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 - - - - - - - (empty) - - - - ftp-item-pVhQhhFsB2b-0.dat +1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 - - - - - - - (empty) - - - - ftp-item-fFCPkV1sEsc-1.dat 1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain 77 226 Transfer complete. (empty) - - - - - 1329843194.040188 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,131,46 - - 200 PORT command successful. 
(empty) F 199.233.217.249 141.142.220.235 33582 - 1329843194.095782 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - 226 Transfer complete. (empty) - - - - - 1329843197.672179 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,147,203 - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 37835 - -1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 - - - - - - - (empty) - - - - ftp-item-VLQvJybrm38-2.dat +1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 - - - - - - - (empty) - - - - ftp-item-g3zS3MuJFh-2.dat 1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain 77 226 Transfer complete. (empty) - - - - - -1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 - - - - - - - (empty) - - - - ftp-item-zrfwSs9K1yk-3.dat -#close 2013-04-12-16-32-25 +1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 - - - - - - - (empty) - - - - ftp-item-lMf4UWRkEO5-3.dat +#close 2013-05-18-00-48-19 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3-0.dat b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3-0.dat rename to testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log index 789896072f..9c891f4c74 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-38-28 +#open 2013-05-17-23-19-09 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item-BFymS6bFgT3-0.dat -#close 2013-03-22-14-38-28 +1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item-54zlJFqn0x6-0.dat +#close 2013-05-17-23-19-09 diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb-0.dat b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb-0.dat rename to testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log index 4e70587ff0..2d37e2626f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log 
@@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path irc -#open 2013-03-27-18-49-16 +#open 2013-05-17-23-19-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user command value addl dcc_file_name dcc_file_size dcc_mime_type extraction_file #types time string addr port addr port string string string string string string count string string 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - NICK bloed - - - - - 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - - 1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje JOIN #easymovies (empty) - - - - -1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 FAKE_MIME irc-dcc-item-wqKMAamJVSb-0.dat -#close 2013-03-27-18-49-16 +1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 FAKE_MIME irc-dcc-item-A3OSdqG9zvk-0.dat +#close 2013-05-17-23-19-21 diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb-0.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-0.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb-0.dat rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-0.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3-1.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-1.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3-1.dat rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-1.dat 
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log index 0051ddba61..039af42a2b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log @@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path smtp_entities -#open 2013-03-26-20-43-14 +#open 2013-05-17-23-19-41 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth filename content_len mime_type md5 extraction_file excerpt #types time string addr port addr port count string count string string string string -1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 79 text/plain - smtp-entity-cwR7l6Zctxb-0.dat (empty) +1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 79 text/plain - smtp-entity-mR3f2AAKo11-0.dat (empty) 1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 1918 text/html - - (empty) -1254722770.692804 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 NEWS.txt 10823 text/plain - smtp-entity-Ltd7QO7jEv3-1.dat (empty) -#close 2013-03-26-20-43-14 +1254722770.692804 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 NEWS.txt 10823 text/plain - smtp-entity-ZNp0KBSLByc-1.dat (empty) +#close 2013-05-17-23-19-41 diff --git a/testing/btest/core/tunnels/teredo-known-services.test b/testing/btest/core/tunnels/teredo-known-services.test index 862930758f..c207d9a2ab 100644 --- a/testing/btest/core/tunnels/teredo-known-services.test +++ b/testing/btest/core/tunnels/teredo-known-services.test 
@@ -1,6 +1,6 @@ -# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}" +# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: test ! -e known_services.log -# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" +# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: btest-diff known_services.log # The first case using Tunnel::delay_teredo_confirmation=T doesn't produce diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro index 317a6276e6..f7f4a0395b 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro 
@@ -1,13 +1,15 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out -# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT >get-gzip.out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT c=1 >get.out +# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT c=2 >get-gzip.out # @TEST-EXEC: btest-diff get.out # @TEST-EXEC: btest-diff get-gzip.out -# @TEST-EXEC: btest-diff Cx92a0ym5R8-file -# @TEST-EXEC: btest-diff kg59rqyYxN-file +# @TEST-EXEC: btest-diff 1-file +# @TEST-EXEC: btest-diff 2-file redef test_file_analysis_source = "HTTP"; +global c = 0 &redef; + redef test_get_file_name = function(f: fa_file): string { - return fmt("%s-file", f$id); + return fmt("%d-file", c); }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro index 1f3d54daea..93443f0ca8 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro 
@@ -1,16 +1,16 @@ # @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.bro %INPUT >a.out # @TEST-EXEC: btest-diff a.out -# @TEST-EXEC: wc -c 7gZBKVUgy4l-file0 | sed 's/^[ \t]* //g' >a.size +# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >a.size # @TEST-EXEC: btest-diff a.size # @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT >b.out # @TEST-EXEC: btest-diff b.out -# @TEST-EXEC: wc -c oDwT1BbzjM1-file0 | sed 's/^[ \t]* //g' >b.size +# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >b.size # @TEST-EXEC: btest-diff b.size # @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.bro %INPUT >c.out # @TEST-EXEC: btest-diff c.out -# @TEST-EXEC: wc -c uHS14uhRKGe-file0 | sed 's/^[ \t]* //g' >c.size +# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >c.size # @TEST-EXEC: btest-diff c.size global cnt: count = 0; @@ -19,7 +19,7 @@ redef test_file_analysis_source = "HTTP"; redef test_get_file_name = function(f: fa_file): string { - local rval: string = fmt("%s-file%d", f$id, cnt); + local rval: string = fmt("file-%d", cnt); ++cnt; return rval; }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro index 5135b03786..36743a8bad 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro 
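Review bot: All three runs in this hunk now extract to the same name `file-0` in one sandbox directory, whereas the replaced names were distinct per trace, so unless the extraction analyzer truncates an existing output file on open (not visible here) the second and third `wc -c file-0` would measure bytes appended to the previous run's file. The sibling get.bro change avoids this by passing a run id on the command line; the same pattern works here with `global c = 0 &redef;`, `fmt("%d-file-%d", c, cnt)` in test_get_file_name, `c=1`/`c=2`/`c=3` appended to the three bro invocations, and the `wc -c` targets renamed to match. Alternatively an `rm -f file-0` before each run keeps the current naming.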
@@ -1,14 +1,16 @@ # @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out -# @TEST-EXEC: btest-diff aFQKI8SPOL2-file -# @TEST-EXEC: btest-diff CCU3vUEr06l-file -# @TEST-EXEC: btest-diff HCzA0dVwDPj-file -# @TEST-EXEC: btest-diff a1Zu1fteVEf-file -# @TEST-EXEC: btest-diff xXlF7wFdsR-file +# @TEST-EXEC: btest-diff 1-file +# @TEST-EXEC: btest-diff 2-file +# @TEST-EXEC: btest-diff 3-file +# @TEST-EXEC: btest-diff 4-file +# @TEST-EXEC: btest-diff 5-file redef test_file_analysis_source = "HTTP"; +global c = 0; + redef test_get_file_name = function(f: fa_file): string { - return fmt("%s-file", f$id); + return fmt("%d-file", ++c); }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro index 5db64c9ff0..79ac1cb5c1 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro @@ -1,11 +1,13 @@ # @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out -# @TEST-EXEC: btest-diff v5HLI7MxPQh-file -# @TEST-EXEC: btest-diff PZS1XGHkIf1-file +# @TEST-EXEC: btest-diff 1-file +# @TEST-EXEC: btest-diff 2-file redef test_file_analysis_source = "HTTP"; +global c = 0; + redef test_get_file_name = function(f: fa_file): string { - return fmt("%s-file", f$id); + return fmt("%d-file", ++c); }; diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro b/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro index 9ae5280757..de1025ed82 100644 --- a/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro +++ b/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro 
@@ -3,10 +3,14 @@ # @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace %INPUT # @TEST-EXEC: btest-diff conn.log # @TEST-EXEC: btest-diff ftp.log -# @TEST-EXEC: btest-diff ftp-item-Rqjkzoroau4-0.dat -# @TEST-EXEC: btest-diff ftp-item-BTsa70Ua9x7-1.dat -# @TEST-EXEC: btest-diff ftp-item-VLQvJybrm38-2.dat -# @TEST-EXEC: btest-diff ftp-item-zrfwSs9K1yk-3.dat +# @TEST-EXEC: mv ftp-item-*-0.dat ftp-item-0.dat +# @TEST-EXEC: mv ftp-item-*-1.dat ftp-item-1.dat +# @TEST-EXEC: mv ftp-item-*-2.dat ftp-item-2.dat +# @TEST-EXEC: mv ftp-item-*-3.dat ftp-item-3.dat +# @TEST-EXEC: btest-diff ftp-item-0.dat +# @TEST-EXEC: btest-diff ftp-item-1.dat +# @TEST-EXEC: btest-diff ftp-item-2.dat +# @TEST-EXEC: btest-diff ftp-item-3.dat redef FTP::logged_commands += {"LIST"}; redef FTP::extract_file_types=/.*/; diff --git a/testing/btest/scripts/base/protocols/http/http-extract-files.bro b/testing/btest/scripts/base/protocols/http/http-extract-files.bro index ce9d3e7e04..6156009821 100644 --- a/testing/btest/scripts/base/protocols/http/http-extract-files.bro +++ b/testing/btest/scripts/base/protocols/http/http-extract-files.bro @@ -1,5 +1,6 @@ # @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT # @TEST-EXEC: btest-diff http.log -# @TEST-EXEC: btest-diff http-item-BFymS6bFgT3-0.dat +# @TEST-EXEC: mv http-item-*.dat http-item.dat +# @TEST-EXEC: btest-diff http-item.dat redef HTTP::extract_file_types += /text\/html/; diff --git a/testing/btest/scripts/base/protocols/irc/dcc-extract.test b/testing/btest/scripts/base/protocols/irc/dcc-extract.test index 8a6680f99b..71ab1b0900 100644 --- a/testing/btest/scripts/base/protocols/irc/dcc-extract.test +++ b/testing/btest/scripts/base/protocols/irc/dcc-extract.test 
@@ -4,9 +4,10 @@ # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT # @TEST-EXEC: btest-diff irc.log -# @TEST-EXEC: btest-diff irc-dcc-item-wqKMAamJVSb-0.dat +# @TEST-EXEC: mv irc-dcc-item-*-0.dat irc-dcc-item.dat +# @TEST-EXEC: btest-diff irc-dcc-item.dat # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT IRC::extraction_prefix="test" -# @TEST-EXEC: test -e test-wqKMAamJVSb-0.dat +# @TEST-EXEC: test -e test-*-0.dat redef IRC::extract_file_types=/.*/; diff --git a/testing/btest/scripts/base/protocols/smtp/mime-extract.test b/testing/btest/scripts/base/protocols/smtp/mime-extract.test index 54e50d0459..149fcf67c3 100644 --- a/testing/btest/scripts/base/protocols/smtp/mime-extract.test +++ b/testing/btest/scripts/base/protocols/smtp/mime-extract.test @@ -1,10 +1,12 @@ # @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT # @TEST-EXEC: btest-diff smtp_entities.log -# @TEST-EXEC: btest-diff smtp-entity-cwR7l6Zctxb-0.dat -# @TEST-EXEC: btest-diff smtp-entity-Ltd7QO7jEv3-1.dat +# @TEST-EXEC: mv smtp-entity-*-0.dat smtp-entity-0.dat +# @TEST-EXEC: mv smtp-entity-*-1.dat smtp-entity-1.dat +# @TEST-EXEC: btest-diff smtp-entity-0.dat +# @TEST-EXEC: btest-diff smtp-entity-1.dat # @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT SMTP::extraction_prefix="test" -# @TEST-EXEC: test -e test-cwR7l6Zctxb-0.dat -# @TEST-EXEC: test -e test-Ltd7QO7jEv3-1.dat +# @TEST-EXEC: test -e test-*-0.dat +# @TEST-EXEC: test -e test-*-1.dat @load base/protocols/smtp From e46300a724d07353fa2ddb18f50b6b43ab296ffa Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Sat, 18 May 2013 16:47:04 -0700 Subject: [PATCH 060/200] Fixing test that would fail without ES/curl support. It used to special-case an error message produced in the case that ES isn't available, however with scripts/test-all-policy.bro now explicitly disabling ES output, that doesn't seem necessary anymore. --- .../coverage.bare-mode-errors/unique_errors_no_elasticsearch | 1 - testing/btest/coverage/bare-mode-errors.test | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 testing/btest/Baseline/coverage.bare-mode-errors/unique_errors_no_elasticsearch diff --git a/testing/btest/Baseline/coverage.bare-mode-errors/unique_errors_no_elasticsearch b/testing/btest/Baseline/coverage.bare-mode-errors/unique_errors_no_elasticsearch deleted file mode 100644 index e95f88e74b..0000000000 --- a/testing/btest/Baseline/coverage.bare-mode-errors/unique_errors_no_elasticsearch +++ /dev/null @@ -1 +0,0 @@ -error: unknown writer type requested diff --git a/testing/btest/coverage/bare-mode-errors.test b/testing/btest/coverage/bare-mode-errors.test index da968d5601..34ba063081 100644 --- a/testing/btest/coverage/bare-mode-errors.test +++ b/testing/btest/coverage/bare-mode-errors.test 
@@ -11,5 +11,4 @@
 # @TEST-EXEC: test -d $DIST/scripts
 # @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.bro -not -path '*/site/*'`; do echo "=== $script" >>allerrors; if echo "$script" | egrep -q 'communication/listen|controllee'; then rm -rf load_attempt .bgprocs; btest-bg-run load_attempt bro -b $script; btest-bg-wait -k 2; cat load_attempt/.stderr >>allerrors; else bro -b $script 2>>allerrors; fi done || exit 0
 # @TEST-EXEC: cat allerrors | grep -v "received termination signal" | grep -v '===' | sort | uniq > unique_errors
-# @TEST-EXEC: if [ $(grep -c LibCURL_INCLUDE_DIR-NOTFOUND $BUILD/CMakeCache.txt) -ne 0 ]; then cp unique_errors unique_errors_no_elasticsearch; fi
-# @TEST-EXEC: if [ $(grep -c LibCURL_INCLUDE_DIR-NOTFOUND $BUILD/CMakeCache.txt) -ne 0 ]; then btest-diff unique_errors_no_elasticsearch; else btest-diff unique_errors; fi
+# @TEST-EXEC: btest-diff unique_errors
From 90fa331279b8a638ffa09592d1504b0877b60b2e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 20 May 2013 12:02:48 -0500 Subject: [PATCH 061/200] File analysis framework interface simplifications. - Remove script-layer data input interface (will be managed directly by input framework later). - Only track files internally by file id hash. Chance of collision too small to justify also tracking unique file string. --- .../base/frameworks/file-analysis/main.bro | 77 ------- src/CMakeLists.txt | 1 - src/file_analysis.bif | 52 +---- src/file_analysis/File.cc | 33 +-- src/file_analysis/File.h | 15 +- src/file_analysis/FileID.h | 34 ---- src/file_analysis/FileTimer.cc | 2 +- src/file_analysis/FileTimer.h | 5 +- src/file_analysis/Manager.cc | 192 +++++++----------- src/file_analysis/Manager.h | 71 +++---- 10 files changed, 125 insertions(+), 357 deletions(-) delete mode 100644 src/file_analysis/FileID.h
diff --git a/scripts/base/frameworks/file-analysis/main.bro b/scripts/base/frameworks/file-analysis/main.bro
index 142709dcc4..3f6f6f10f4 100644
--- a/scripts/base/frameworks/file-analysis/main.bro +++ b/scripts/base/frameworks/file-analysis/main.bro 
@@ -171,58 +171,6 @@ export { ## rest of it's contents, or false if analysis for the *id* ## isn't currently active. global stop: function(f: fa_file): bool; - - ## Sends a sequential stream of data in for file analysis. - ## Meant for use when providing external file analysis input (e.g. - ## from the input framework). - ## - ## source: a string that uniquely identifies the logical file that the - ## data is a part of and describes its source. - ## - ## data: bytestring contents of the file to analyze. - global data_stream: function(source: string, data: string); - - ## Sends a non-sequential chunk of data in for file analysis. - ## Meant for use when providing external file analysis input (e.g. - ## from the input framework). - ## - ## source: a string that uniquely identifies the logical file that the - ## data is a part of and describes its source. - ## - ## data: bytestring contents of the file to analyze. - ## - ## offset: the offset within the file that this chunk starts. - global data_chunk: function(source: string, data: string, offset: count); - - ## Signals a content gap in the file bytestream. - ## Meant for use when providing external file analysis input (e.g. - ## from the input framework). - ## - ## source: a string that uniquely identifies the logical file that the - ## data is a part of and describes its source. - ## - ## offset: the offset within the file that this gap starts. - ## - ## len: the number of bytes that are missing. - global gap: function(source: string, offset: count, len: count); - - ## Signals the total size of a file. - ## Meant for use when providing external file analysis input (e.g. - ## from the input framework). - ## - ## source: a string that uniquely identifies the logical file that the - ## data is a part of and describes its source. - ## - ## size: the number of bytes that comprise the full file. - global set_size: function(source: string, size: count); - - ## Signals the end of a file. 
- ## Meant for use when providing external file analysis input (e.g. - ## from the input framework). - ## - ## source: a string that uniquely identifies the logical file that the - ## data is a part of and describes its source. - global eof: function(source: string); } redef record fa_file += { @@ -287,31 +235,6 @@ function stop(f: fa_file): bool return __stop(f$id); } -function data_stream(source: string, data: string) - { - __data_stream(source, data); - } - -function data_chunk(source: string, data: string, offset: count) - { - __data_chunk(source, data, offset); - } - -function gap(source: string, offset: count, len: count) - { - __gap(source, offset, len); - } - -function set_size(source: string, size: count) - { - __set_size(source, size); - } - -function eof(source: string) - { - __eof(source); - } - event bro_init() &priority=5 { Log::create_stream(FileAnalysis::LOG, diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 447b7d9ec7..c853c301eb 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -464,7 +464,6 @@ set(bro_SRCS file_analysis/Manager.cc file_analysis/File.cc file_analysis/FileTimer.cc - file_analysis/FileID.h file_analysis/Analyzer.h file_analysis/AnalyzerSet.cc file_analysis/Extract.cc diff --git a/src/file_analysis.bif b/src/file_analysis.bif index cdece0d350..3c720d17b6 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif 
@@ -30,27 +30,23 @@ enum Analyzer %{ ## :bro:see:`FileAnalysis::postpone_timeout`. function FileAnalysis::__postpone_timeout%(file_id: string%): bool %{ - using file_analysis::FileID; - bool result = file_mgr->PostponeTimeout(FileID(file_id->CheckString())); + bool result = file_mgr->PostponeTimeout(file_id->CheckString()); return new Val(result, TYPE_BOOL); %} ## :bro:see:`FileAnalysis::set_timeout_interval`. function FileAnalysis::__set_timeout_interval%(file_id: string, t: interval%): bool %{ - using file_analysis::FileID; - bool result = file_mgr->SetTimeoutInterval(FileID(file_id->CheckString()), - t); + bool result = file_mgr->SetTimeoutInterval(file_id->CheckString(), t); return new Val(result, TYPE_BOOL); %} ## :bro:see:`FileAnalysis::add_analyzer`. function FileAnalysis::__add_analyzer%(file_id: string, args: any%): bool %{ - using file_analysis::FileID; using BifType::Record::FileAnalysis::AnalyzerArgs; RecordVal* rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs); - bool result = file_mgr->AddAnalyzer(FileID(file_id->CheckString()), rv); + bool result = file_mgr->AddAnalyzer(file_id->CheckString(), rv); Unref(rv); return new Val(result, TYPE_BOOL); %} @@ -58,10 +54,9 @@ function FileAnalysis::__add_analyzer%(file_id: string, args: any%): bool ## :bro:see:`FileAnalysis::remove_analyzer`. function FileAnalysis::__remove_analyzer%(file_id: string, args: any%): bool %{ - using file_analysis::FileID; using BifType::Record::FileAnalysis::AnalyzerArgs; RecordVal* rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs); - bool result = file_mgr->RemoveAnalyzer(FileID(file_id->CheckString()), rv); + bool result = file_mgr->RemoveAnalyzer(file_id->CheckString(), rv); Unref(rv); return new Val(result, TYPE_BOOL); %} 
@@ -69,47 +64,10 @@ function FileAnalysis::__remove_analyzer%(file_id: string, args: any%): bool ## :bro:see:`FileAnalysis::stop`. function FileAnalysis::__stop%(file_id: string%): bool %{ - using file_analysis::FileID; - bool result = file_mgr->IgnoreFile(FileID(file_id->CheckString())); + bool result = file_mgr->IgnoreFile(file_id->CheckString()); return new Val(result, TYPE_BOOL); %} -## :bro:see:`FileAnalysis::data_stream`. -function FileAnalysis::__data_stream%(source: string, data: string%): any - %{ - file_mgr->DataIn(data->Bytes(), data->Len(), source->CheckString()); - return 0; - %} - -## :bro:see:`FileAnalysis::data_chunk`. -function FileAnalysis::__data_chunk%(source: string, data: string, - offset: count%): any - %{ - file_mgr->DataIn(data->Bytes(), data->Len(), offset, source->CheckString()); - return 0; - %} - -## :bro:see:`FileAnalysis::gap`. -function FileAnalysis::__gap%(source: string, offset: count, len: count%): any - %{ - file_mgr->Gap(offset, len, source->CheckString()); - return 0; - %} - -## :bro:see:`FileAnalysis::set_size`. -function FileAnalysis::__set_size%(source: string, size: count%): any - %{ - file_mgr->SetSize(size, source->CheckString()); - return 0; - %} - -## :bro:see:`FileAnalysis::eof`. -function FileAnalysis::__eof%(source: string%): any - %{ - file_mgr->EndOfFile(source->CheckString()); - return 0; - %} - module GLOBAL; ## For use within a :bro:see:`get_file_handle` handler to set a unique diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 17b01f6b39..95ea3c5926 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -1,11 +1,9 @@ // See the file "COPYING" in the main distribution directory for copyright. #include -#include #include "File.h" #include "FileTimer.h" -#include "FileID.h" #include "Analyzer.h" #include "Manager.h" #include "Reporter.h" 
@@ -51,8 +49,6 @@ int File::bof_buffer_size_idx = -1; int File::bof_buffer_idx = -1; int File::mime_type_idx = -1; -string File::salt; - void File::StaticInit() { if ( id_idx != -1 ) @@ -72,31 +68,19 @@ void File::StaticInit() bof_buffer_size_idx = Idx("bof_buffer_size"); bof_buffer_idx = Idx("bof_buffer"); mime_type_idx = Idx("mime_type"); - - salt = BifConst::FileAnalysis::salt->CheckString(); } -File::File(const string& unique, Connection* conn, AnalyzerTag::Tag tag, +File::File(const string& file_id, Connection* conn, AnalyzerTag::Tag tag, bool is_orig) - : id(""), unique(unique), val(0), postpone_timeout(false), - first_chunk(true), missed_bof(false), need_reassembly(false), done(false), - analyzers(this) + : id(file_id), val(0), postpone_timeout(false), first_chunk(true), + missed_bof(false), need_reassembly(false), done(false), analyzers(this) { StaticInit(); - char tmp[20]; - uint64 hash[2]; - string msg(unique + salt); - MD5(reinterpret_cast(msg.data()), msg.size(), - reinterpret_cast(hash)); - uitoa_n(hash[0], tmp, sizeof(tmp), 62); - - DBG_LOG(DBG_FILE_ANALYSIS, "Creating new File object %s (%s)", tmp, - unique.c_str()); + DBG_LOG(DBG_FILE_ANALYSIS, "Creating new File object %s", file_id.c_str()); val = new RecordVal(fa_file_type); - val->Assign(id_idx, new StringVal(tmp)); - id = FileID(tmp); + val->Assign(id_idx, new StringVal(file_id.c_str())); if ( conn ) { @@ -106,8 +90,9 @@ File::File(const string& unique, Connection* conn, AnalyzerTag::Tag tag, UpdateConnectionFields(conn); } else - // use the unique file handle as source - val->Assign(source_idx, new StringVal(unique.c_str())); + { + // TODO: what to use as source field? (input framework interface) + } UpdateLastActivityTime(); } @@ -423,7 +408,7 @@ void File::Gap(uint64 offset, uint64 len) bool File::FileEventAvailable(EventHandlerPtr h) { - return h && ! file_mgr->IsIgnored(unique); + return h && ! file_mgr->IsIgnored(id); } void File::FileEvent(EventHandlerPtr h) 
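Review bot: The new else branch in the File constructor leaves the fa_file `source` field unassigned where the old code stored the unique handle, so a File created with `conn == 0` now carries no source at all; if `source` is not declared `&optional` in the script-layer `fa_file` record (its definition is outside this diff), any handler touching `f$source` for such a file fails at runtime instead of seeing a value. Until the input-framework interface lands, a minimal fix is to keep the field populated with the only identifier available, `val->Assign(source_idx, new StringVal(file_id.c_str()));`, in place of the empty block. The bare TODO should then become a comment naming the invariant, e.g. `// No connection: source is the opaque file id until an external source string is plumbed through.` The constructor's head is in the preceding hunk.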
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index a31f0bfa41..5fa0f80ec8 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -10,7 +10,6 @@ #include "Conn.h" #include "Val.h" #include "AnalyzerSet.h" -#include "FileID.h" #include "BroString.h" namespace file_analysis { @@ -40,12 +39,7 @@ public: /** * @return value of the "id" field from #val record. */ - FileID GetID() const { return id; } - - /** - * @return the string which uniquely identifies the file. - */ - string GetUnique() const { return unique; } + string GetID() const { return id; } /** * @return value of "last_active" field in #val record; @@ -131,7 +125,7 @@ protected: /** * Constructor; only file_analysis::Manager should be creating these. */ - File(const string& unique, Connection* conn = 0, + File(const string& file_id, Connection* conn = 0, AnalyzerTag::Tag tag = AnalyzerTag::Error, bool is_orig = false); /** @@ -186,8 +180,7 @@ protected: static void StaticInit(); private: - FileID id; /**< A pretty hash that likely identifies file */ - string unique; /**< A string that uniquely identifies file */ + string id; /**< A pretty hash that likely identifies file */ RecordVal* val; /**< \c fa_file from script layer. */ bool postpone_timeout; /**< Whether postponing timeout is requested. */ bool first_chunk; /**< Track first non-linear chunk. */ @@ -207,8 +200,6 @@ private: BroString::CVec chunks; } bof_buffer; /**< Beginning of file buffer. */ - static string salt; - static int id_idx; static int parent_id_idx; static int source_idx; diff --git a/src/file_analysis/FileID.h b/src/file_analysis/FileID.h deleted file mode 100644 index 9816437214..0000000000 --- a/src/file_analysis/FileID.h +++ /dev/null 
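Review bot: The doc comment on the new sole key, `string id; /**< A pretty hash that likely identifies file */`, understates what the field now is: with `unique` removed, id is the only thing the Manager keys files by, and per Manager::HashHandle it is the base-62 rendering of the first 64 bits of a salted MD5 over the handle. Suggest `/**< Salted, 64-bit-truncated MD5 of the file handle (Manager::HashHandle); the Manager's only key, so two handles hashing alike are merged into one File. */`, which records the collision trade-off the commit message relies on next to the code that depends on it.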
@@ -1,34 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#ifndef FILE_ANALYSIS_FILEID_H -#define FILE_ANALYSIS_FILEID_H - -namespace file_analysis { - -/** - * A simple string wrapper class to help enforce some type safety between - * methods of FileAnalysis::Manager, some of which use a unique string to - * identify files, and others which use a pretty hash (the FileID) to identify - * files. A FileID is primarily used in methods which interface with the - * script-layer, while the unique strings are used for methods which interface - * with protocol analyzers or anything that sends data to the file analysis - * framework. - */ -struct FileID { - string id; - - explicit FileID(const string arg_id) : id(arg_id) {} - FileID(const FileID& other) : id(other.id) {} - - const char* c_str() const { return id.c_str(); } - - bool operator==(const FileID& rhs) const { return id == rhs.id; } - bool operator<(const FileID& rhs) const { return id < rhs.id; } - - FileID& operator=(const FileID& rhs) { id = rhs.id; return *this; } - FileID& operator=(const string& rhs) { id = rhs; return *this; } -}; - -} // namespace file_analysis - -#endif diff --git a/src/file_analysis/FileTimer.cc b/src/file_analysis/FileTimer.cc index 84d4138616..575857fd15 100644 --- a/src/file_analysis/FileTimer.cc +++ b/src/file_analysis/FileTimer.cc @@ -5,7 +5,7 @@ using namespace file_analysis; -FileTimer::FileTimer(double t, const FileID& id, double interval) +FileTimer::FileTimer(double t, const string& id, double interval) : Timer(t + interval, TIMER_FILE_ANALYSIS_INACTIVITY), file_id(id) { DBG_LOG(DBG_FILE_ANALYSIS, "New %f second timeout timer for %s", diff --git a/src/file_analysis/FileTimer.h b/src/file_analysis/FileTimer.h index 6ab2638e5f..32d4e63254 100644 --- a/src/file_analysis/FileTimer.h +++ b/src/file_analysis/FileTimer.h @@ -5,7 +5,6 @@ #include #include "Timer.h" -#include "FileID.h" namespace file_analysis { 
@@ -14,7 +13,7 @@ namespace file_analysis { */ class FileTimer : public Timer { public: - FileTimer(double t, const FileID& id, double interval); + FileTimer(double t, const string& id, double interval); /** * Check inactivity of file_analysis::File corresponding to #file_id, @@ -23,7 +22,7 @@ public: void Dispatch(double t, int is_expire); private: - FileID file_id; + string file_id; }; } // namespace file_analysis diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index d6f00e1856..91df333523 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -2,6 +2,7 @@ #include #include +#include #include "Manager.h" #include "File.h" @@ -24,7 +25,7 @@ Manager::~Manager() void Manager::Terminate() { - vector keys; + vector keys; for ( IDMap::iterator it = id_map.begin(); it != id_map.end(); ++it ) keys.push_back(it->first); 
@@ -32,66 +33,60 @@ void Manager::Terminate() Timeout(keys[i], true); } +string Manager::HashHandle(const string& handle) const + { + static string salt; + + if ( salt.empty() ) + salt = BifConst::FileAnalysis::salt->CheckString(); + + char tmp[20]; + uint64 hash[2]; + string msg(handle + salt); + + MD5(reinterpret_cast(msg.data()), msg.size(), + reinterpret_cast(hash)); + uitoa_n(hash[0], tmp, sizeof(tmp), 62); + + return tmp; + } + void Manager::SetHandle(const string& handle) { - current_handle = handle; + if ( handle.empty() ) + return; + + current_file_id = HashHandle(handle); } void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - if ( IsDisabled(tag) ) - return; + File* file = GetFile(conn, tag, is_orig); - GetFileHandle(tag, conn, is_orig); - DataIn(data, len, offset, GetFile(current_handle, conn, tag, is_orig)); - } - -void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, - const string& unique) - { - DataIn(data, len, offset, GetFile(unique)); - } - -void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, - File* file) - { if ( ! file ) return; file->DataIn(data, len, offset); if ( file->IsComplete() ) - RemoveFile(file->GetUnique()); + RemoveFile(file->GetID()); } void Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - if ( IsDisabled(tag) ) - return; - - GetFileHandle(tag, conn, is_orig); - // Sequential data input shouldn't be going over multiple conns, so don't // do the check to update connection set. - DataIn(data, len, GetFile(current_handle, conn, tag, is_orig, false)); - } + File* file = GetFile(conn, tag, is_orig, false); -void Manager::DataIn(const u_char* data, uint64 len, const string& unique) - { - DataIn(data, len, GetFile(unique)); - } - -void Manager::DataIn(const u_char* data, uint64 len, File* file) - { if ( ! 
file ) return; file->DataIn(data, len); if ( file->IsComplete() ) - RemoveFile(file->GetUnique()); + RemoveFile(file->GetID()); } void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn) @@ -102,35 +97,16 @@ void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn) void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - if ( IsDisabled(tag) ) - return; - + // Don't need to create a file if we're just going to remove it right away. GetFileHandle(tag, conn, is_orig); - EndOfFile(current_handle); - } - -void Manager::EndOfFile(const string& unique) - { - RemoveFile(unique); + RemoveFile(current_file_id); } void Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - if ( IsDisabled(tag) ) - return; + File* file = GetFile(conn, tag, is_orig); - GetFileHandle(tag, conn, is_orig); - Gap(offset, len, GetFile(current_handle, conn, tag, is_orig)); - } - -void Manager::Gap(uint64 offset, uint64 len, const string& unique) - { - Gap(offset, len, GetFile(unique)); - } - -void Manager::Gap(uint64 offset, uint64 len, File* file) - { if ( ! file ) return; @@ -140,30 +116,18 @@ void Manager::Gap(uint64 offset, uint64 len, File* file) void Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - if ( IsDisabled(tag) ) - return; + File* file = GetFile(conn, tag, is_orig); - GetFileHandle(tag, conn, is_orig); - SetSize(size, GetFile(current_handle, conn, tag, is_orig)); - } - -void Manager::SetSize(uint64 size, const string& unique) - { - SetSize(size, GetFile(unique)); - } - -void Manager::SetSize(uint64 size, File* file) - { if ( ! file ) return; file->SetTotalBytes(size); if ( file->IsComplete() ) - RemoveFile(file->GetUnique()); + RemoveFile(file->GetID()); } -bool Manager::PostponeTimeout(const FileID& file_id) const +bool Manager::PostponeTimeout(const string& file_id) const { File* file = Lookup(file_id); 
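Review bot: HashHandle builds the file id from `hash[0]` alone, i.e. the first 64 bits of the MD5 digest, and the same commit removes the `Evicted duplicate file ID` check from GetFile (hunk `@@ -205,32 +169,27 @@`), so two distinct handles whose truncated digests collide would now silently share one File object with no diagnostic. If the truncation is deliberate, say so where the id is formed, e.g. `// Only the first 64 bits of the digest form the id; colliding handles map to the same File.`; otherwise fold `hash[1]` into the id as well, which needs a `tmp` larger than 20 bytes for two base-62 words. The salt is cached in a function-local static on first use, so a script-layer change to `FileAnalysis::salt` after that point has no effect on later ids; a one-line comment there would spare the next reader the surprise.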
@@ -174,7 +138,7 @@ bool Manager::PostponeTimeout(const FileID& file_id) const return true; } -bool Manager::SetTimeoutInterval(const FileID& file_id, double interval) const +bool Manager::SetTimeoutInterval(const string& file_id, double interval) const { File* file = Lookup(file_id); @@ -185,7 +149,7 @@ bool Manager::SetTimeoutInterval(const FileID& file_id, double interval) const return true; } -bool Manager::AddAnalyzer(const FileID& file_id, RecordVal* args) const +bool Manager::AddAnalyzer(const string& file_id, RecordVal* args) const { File* file = Lookup(file_id); @@ -195,7 +159,7 @@ bool Manager::AddAnalyzer(const FileID& file_id, RecordVal* args) const return file->AddAnalyzer(args); } -bool Manager::RemoveAnalyzer(const FileID& file_id, const RecordVal* args) const +bool Manager::RemoveAnalyzer(const string& file_id, const RecordVal* args) const { File* file = Lookup(file_id); @@ -205,32 +169,27 @@ bool Manager::RemoveAnalyzer(const FileID& file_id, const RecordVal* args) const return file->RemoveAnalyzer(args); } -File* Manager::GetFile(const string& unique, Connection* conn, - AnalyzerTag::Tag tag, bool is_orig, bool update_conn) +File* Manager::GetFile(Connection* conn, AnalyzerTag::Tag tag, bool is_orig, + bool update_conn) { - if ( unique.empty() ) + // sets current_file_id for us + GetFileHandle(tag, conn, is_orig); + + if ( current_file_id.empty() ) return 0; - if ( IsIgnored(unique) ) + if ( IsIgnored(current_file_id) ) return 0; - File* rval = str_map[unique]; + File* rval = id_map[current_file_id]; if ( ! rval ) { - rval = str_map[unique] = new File(unique, conn, tag, is_orig); - FileID id = rval->GetID(); - - if ( id_map[id] ) - { - reporter->Error("Evicted duplicate file ID: %s", id.c_str()); - RemoveFile(unique); - } - - id_map[id] = rval; + rval = id_map[current_file_id] = new File(current_file_id, conn, tag, + is_orig); rval->ScheduleInactivityTimer(); - if ( IsIgnored(unique) ) + if ( IsIgnored(current_file_id) ) return 0; } else 
@@ -244,7 +203,7 @@ File* Manager::GetFile(const string& unique, Connection* conn, return rval; } -File* Manager::Lookup(const FileID& file_id) const +File* Manager::Lookup(const string& file_id) const { IDMap::const_iterator it = id_map.find(file_id); @@ -254,7 +213,7 @@ File* Manager::Lookup(const FileID& file_id) const return it->second; } -void Manager::Timeout(const FileID& file_id, bool is_terminating) +void Manager::Timeout(const string& file_id, bool is_terminating) { File* file = Lookup(file_id); 
@@ -277,53 +236,50 @@ void Manager::Timeout(const FileID& file_id, bool is_terminating) DBG_LOG(DBG_FILE_ANALYSIS, "File analysis timeout for %s", file->GetID().c_str()); - RemoveFile(file->GetUnique()); + RemoveFile(file->GetID()); } -bool Manager::IgnoreFile(const FileID& file_id) +bool Manager::IgnoreFile(const string& file_id) + { + if ( id_map.find(file_id) == id_map.end() ) + return false; + + DBG_LOG(DBG_FILE_ANALYSIS, "Ignore FileID %s", file_id.c_str()); + + ignored.insert(file_id); + + return true; + } + +bool Manager::RemoveFile(const string& file_id) { IDMap::iterator it = id_map.find(file_id); if ( it == id_map.end() ) return false; - DBG_LOG(DBG_FILE_ANALYSIS, "Ignore FileID %s", file_id.c_str()); - - ignored.insert(it->second->GetUnique()); - - return true; - } - -bool Manager::RemoveFile(const string& unique) - { - StrMap::iterator it = str_map.find(unique); - - if ( it == str_map.end() ) - return false; + DBG_LOG(DBG_FILE_ANALYSIS, "Remove FileID %s", file_id.c_str()); it->second->EndOfFile(); - FileID id = it->second->GetID(); - - DBG_LOG(DBG_FILE_ANALYSIS, "Remove FileID %s", id.c_str()); - - if ( ! id_map.erase(id) ) - reporter->Error("No mapping for fileID %s", id.c_str()); - - ignored.erase(unique); delete it->second; - str_map.erase(unique); + id_map.erase(file_id); + ignored.erase(file_id); + return true; } -bool Manager::IsIgnored(const string& unique) +bool Manager::IsIgnored(const string& file_id) { - return ignored.find(unique) != ignored.end(); + return ignored.find(file_id) != ignored.end(); } void Manager::GetFileHandle(AnalyzerTag::Tag tag, Connection* c, bool is_orig) { - current_handle.clear(); + current_file_id.clear(); + + if ( IsDisabled(tag) ) + return; if ( ! get_file_handle ) return; diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index d2f8f6f1bf..3697f3c9b2 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h 
@@ -18,7 +18,6 @@ #include "File.h" #include "FileTimer.h" -#include "FileID.h" namespace file_analysis { @@ -36,7 +35,12 @@ public: void Terminate(); /** - * Take in a unique file handle string to identifiy incoming file data. + * @return a prettified MD5 hash of \a handle, truncated to 64-bits. + */ + string HashHandle(const string& handle) const; + + /** + * Take in a unique file handle string to identify incoming file data. */ void SetHandle(const string& handle); 
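Review bot: The new HashHandle doc comment in hunk `@@ -36,7 +35,12 @@` describes the result as an MD5 hash of \a handle, but the implementation hashes the handle concatenated with the script-level `FileAnalysis::salt` and returns a base-62 rendering of the first 64-bit word, not a hex digest. Suggest `@return a base-62 string of the first 64 bits of MD5(handle + FileAnalysis::salt); the salt is read once, so ids are stable only within a process and for a fixed salt.` so callers that compare or persist ids know the value depends on the configured salt rather than on the handle alone.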
@@ -45,59 +49,48 @@ public: */ void DataIn(const u_char* data, uint64 len, uint64 offset, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); - void DataIn(const u_char* data, uint64 len, uint64 offset, - const string& unique); - void DataIn(const u_char* data, uint64 len, uint64 offset, - File* file); /** * Pass in sequential file data. */ void DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); - void DataIn(const u_char* data, uint64 len, const string& unique); - void DataIn(const u_char* data, uint64 len, File* file); /** * Signal the end of file data. */ void EndOfFile(AnalyzerTag::Tag tag, Connection* conn); void EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig); - void EndOfFile(const string& unique); /** * Signal a gap in the file data stream. */ void Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); - void Gap(uint64 offset, uint64 len, const string& unique); - void Gap(uint64 offset, uint64 len, File* file); /** * Provide the expected number of bytes that comprise a file. */ void SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); - void SetSize(uint64 size, const string& unique); - void SetSize(uint64 size, File* file); /** * Starts ignoring a file, which will finally be removed from internal * mappings on EOF or TIMEOUT. * @return false if file identifier did not map to anything, else true. */ - bool IgnoreFile(const FileID& file_id); + bool IgnoreFile(const string& file_id); /** * If called during a \c file_timeout event handler, requests deferral of * analysis timeout. */ - bool PostponeTimeout(const FileID& file_id) const; + bool PostponeTimeout(const string& file_id) const; /** * Set's an inactivity threshold for the file. */ - bool SetTimeoutInterval(const FileID& file_id, double interval) const; + bool SetTimeoutInterval(const string& file_id, double interval) const; /** * Queue attachment of an analzer to the file identifier. 
Multiple @@ -105,34 +98,33 @@ public: * as long as the arguments differ. * @return false if the analyzer failed to be instantiated, else true. */ - bool AddAnalyzer(const FileID& file_id, RecordVal* args) const; + bool AddAnalyzer(const string& file_id, RecordVal* args) const; /** * Queue removal of an analyzer for a given file identifier. * @return true if the analyzer is active at the time of call, else false. */ - bool RemoveAnalyzer(const FileID& file_id, const RecordVal* args) const; + bool RemoveAnalyzer(const string& file_id, const RecordVal* args) const; /** - * @return whether the file mapped to \a unique is being ignored. + * @return whether the file mapped to \a file_id is being ignored. */ - bool IsIgnored(const string& unique); + bool IsIgnored(const string& file_id); protected: friend class FileTimer; - typedef map StrMap; - typedef set StrSet; - typedef map IDMap; + typedef set IDSet; + typedef map IDMap; /** - * @return the File object mapped to \a unique or a null pointer if analysis - * is being ignored for the associated file. An File object may be - * created if a mapping doesn't exist, and if it did exist, the - * activity time is refreshed along with any connection-related - * fields. + * @return the File object mapped to #current_file_id or a null pointer if + * analysis is being ignored for the associated file. An File + * object may be created if a mapping doesn't exist, and if it did + * exist, the activity time is refreshed along with any + * connection-related fields. */ - File* GetFile(const string& unique, Connection* conn = 0, + File* GetFile(Connection* conn = 0, AnalyzerTag::Tag tag = AnalyzerTag::Error, bool is_orig = false, bool update_conn = true); 
@@ -140,24 +132,24 @@ protected: * @return the File object mapped to \a file_id, or a null pointer if no * mapping exists. */ - File* Lookup(const FileID& file_id) const; + File* Lookup(const string& file_id) const; /** * Evaluate timeout policy for a file and remove the File object mapped to * \a file_id if needed. */ - void Timeout(const FileID& file_id, bool is_terminating = ::terminating); + void Timeout(const string& file_id, bool is_terminating = ::terminating); /** - * Immediately remove file_analysis::File object associated with \a unique. - * @return false if file string did not map to anything, else true. + * Immediately remove file_analysis::File object associated with \a file_id. + * @return false if file id string did not map to anything, else true. */ - bool RemoveFile(const string& unique); + bool RemoveFile(const string& file_id); /** - * Sets #current_handle to a unique file handle string based on what the - * \c get_file_handle event derives from the connection params. The - * event queue is flushed so that we can get the handle value immediately. + * Sets #current_file_id to a hash of a unique file handle string based on + * what the \c get_file_handle event derives from the connection params. + * Event queue is flushed so that we can get the handle value immediately. */ void GetFileHandle(AnalyzerTag::Tag tag, Connection* c, bool is_orig); @@ -167,10 +159,9 @@ protected: static bool IsDisabled(AnalyzerTag::Tag tag); private: - StrMap str_map; /**< Map unique string to file_analysis::File. */ IDMap id_map; /**< Map file ID to file_analysis::File records. */ - StrSet ignored; /**< Ignored files. Will be finally removed on EOF. */ - string current_handle; /**< Last file handle set by get_file_handle event.*/ + IDSet ignored; /**< Ignored files. Will be finally removed on EOF. */ + string current_file_id; /**< Hash of what get_file_handle event sets.*/ static TableVal* disabled; /**< Table of disabled analyzers. */ }; 
From 0ef074594d7d17bbc08db688a3fbfbcc26ddc7c0 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 21 May 2013 10:29:22 -0500 Subject: [PATCH 062/200] Add input interface to forward data for file analysis. The new Input::add_analysis function is used to automatically forward input data on to the file analysis framework. --- scripts/base/frameworks/input/main.bro | 42 ++++++++++ src/file_analysis/File.cc | 18 ++-- src/file_analysis/File.h | 11 +++ src/file_analysis/Manager.cc | 52 ++++++++---- src/file_analysis/Manager.h | 11 ++- src/input.bif | 7 ++ src/input/Manager.cc | 84 ++++++++++++++++++- src/input/Manager.h | 15 +++- .../frameworks/file-analysis/input/basic.bro | 24 +----- 9 files changed, 219 insertions(+), 45 deletions(-) diff --git a/scripts/base/frameworks/input/main.bro b/scripts/base/frameworks/input/main.bro index 1a05abce71..5a12239819 100644 --- a/scripts/base/frameworks/input/main.bro +++ b/scripts/base/frameworks/input/main.bro 
@@ -122,6 +122,35 @@ export { config: table[string] of string &default=table(); }; + ## A file analyis input stream type used to forward input data to the + ## file analysis framework. + type AnalysisDescription: record { + + ## String that allows the reader to find the source. + ## For `READER_ASCII`, this is the filename. + source: string; + + ## Reader to use for this steam. Compatible readers must be + ## able to accept a filter of a single string type (i.e. + ## they read a byte stream). + reader: Reader &default=Input::READER_BINARY; + + ## Read mode to use for this stream + mode: Mode &default=default_mode; + + ## Descriptive name that uniquely identifies the input source. + ## Can be used used to remove a stream at a later time. + ## This will also be used for the unique *source* field of + ## :bro:see:`fa_file`. Most of the time, the best choice for this + ## field will be the same value as the *source* field. + name: string; + + ## A key/value table that will be passed on the reader. + ## Interpretation of the values is left to the writer, but + ## usually they will be used for configuration purposes. + config: table[string] of string &default=table(); + }; + ## Create a new table input from a given source. Returns true on success. ## ## description: `TableDescription` record describing the source. @@ -132,6 +161,14 @@ export { ## description: `TableDescription` record describing the source. global add_event: function(description: Input::EventDescription) : bool; + ## Create a new file analysis input from a given source. Data read from + ## the source is automatically forwarded to the file analysis framework. + ## + ## description: A record describing the source + ## + ## Returns: true on sucess. + global add_analysis: function(description: Input::AnalysisDescription) : bool; + ## Remove a input stream. Returns true on success and false if the named stream was ## not found. ## 
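Review bot: The doc comments on the new AnalysisDescription record contain several typos that will surface in the generated script reference: `A file analyis input stream type` should read `A file analysis input stream type`, `Reader to use for this steam.` should read `Reader to use for this stream.`, `Can be used used to remove a stream` has a doubled word, and `Read mode to use for this stream` lacks its terminating period. The add_analysis comment in the following hunk `@@ -132,6 +161,14 @@` has `true on sucess.`, which should be `true on success.`.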
@@ -164,6 +201,11 @@ function add_event(description: Input::EventDescription) : bool return __create_event_stream(description); } +function add_analysis(description: Input::AnalysisDescription) : bool + { + return __create_analysis_stream(description); + } + function remove(id: string) : bool { return __remove_stream(id); diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 95ea3c5926..e68ee5523c 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -85,14 +85,10 @@ File::File(const string& file_id, Connection* conn, AnalyzerTag::Tag tag, if ( conn ) { // add source, connection, is_orig fields - val->Assign(source_idx, new StringVal(::Analyzer::GetTagName(tag))); + SetSource(::Analyzer::GetTagName(tag)); val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL)); UpdateConnectionFields(conn); } - else - { - // TODO: what to use as source field? (input framework interface) - } UpdateLastActivityTime(); } @@ -172,6 +168,18 @@ int File::Idx(const string& field) return rval; } +string File::GetSource() const + { + Val* v = val->Lookup(source_idx); + + return v ? v->AsString()->CheckString() : string(); + } + +void File::SetSource(const string& source) + { + val->Assign(source_idx, new StringVal(source.c_str())); + } + double File::GetTimeoutInterval() const { return LookupFieldDefaultInterval(timeout_interval_idx); diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 5fa0f80ec8..0a7b9be30d 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -26,6 +26,17 @@ public: */ RecordVal* GetVal() const { return val; } + /** + * @return the value of the "source" field from #val record or an empty + * string if it's not initialized. + */ + string GetSource() const; + + /** + * Set the "source" field from #val record to \a source. + */ + void SetSource(const string& source); + /** * @return value (seconds) of the "timeout_interval" field from #val record. */ 
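Review bot: `File::SetSource` in hunk `@@ -172,6 +168,18 @@` hands `source.c_str()` to `StringVal`, which drops anything after an embedded NUL and rescans for the length even though a `std::string` with a known length is already in hand; `val->Assign(source_idx, new StringVal(source));` keeps the length intact, assuming the `StringVal(const string&)` overload exists in this tree. `GetSource` goes through `CheckString()` and has the same limitation in the other direction, so if sources are meant to be NUL-free that should be stated in the File.h doc comment for the pair.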
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 91df333523..584a599df0 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -62,7 +62,8 @@ void Manager::SetHandle(const string& handle) void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - File* file = GetFile(conn, tag, is_orig); + GetFileHandle(tag, conn, is_orig); + File* file = GetFile(current_file_id, conn, tag, is_orig); if ( ! file ) return; @@ -76,9 +77,10 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, void Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { + GetFileHandle(tag, conn, is_orig); // Sequential data input shouldn't be going over multiple conns, so don't // do the check to update connection set. - File* file = GetFile(conn, tag, is_orig, false); + File* file = GetFile(current_file_id, conn, tag, is_orig, false); if ( ! file ) return; @@ -89,6 +91,23 @@ void Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, RemoveFile(file->GetID()); } +void Manager::DataIn(const u_char* data, uint64 len, const string& file_id, + const string& source) + { + File* file = GetFile(file_id); + + if ( ! file ) + return; + + if ( file->GetSource().empty() ) + file->SetSource(source); + + file->DataIn(data, len); + + if ( file->IsComplete() ) + RemoveFile(file->GetID()); + } + void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn) { EndOfFile(tag, conn, true); 
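Review bot: The two-line pattern `GetFileHandle(tag, conn, is_orig); File* file = GetFile(current_file_id, conn, tag, is_orig);` now appears in both DataIn overloads here (hunks `@@ -62,7 +62,8 @@` and `@@ -76,9 +77,10 @@`) and again in Gap and SetSize (hunks `@@ -102,10 +121,16 @@` and `@@ -116,7 +141,8 @@`), with the `current_file_id` member acting as a hidden return value between the two calls. A private overload such as `File* GetFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig, bool update_conn = true)` that performs the handle lookup and then delegates to the id-based GetFile would remove the repetition and keep the member-state hand-off in one place. The external-source `DataIn(data, len, file_id, source)` added in hunk `@@ -89,6 +91,23 @@` does not pass through GetFileHandle and therefore never consults `IsDisabled`; a comment such as `// External sources have no analyzer tag, so the disabled-analyzer check does not apply.` would keep a later reader from "fixing" that.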
@@ -102,10 +121,16 @@ void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig) RemoveFile(current_file_id); } +void Manager::EndOfFile(const string& file_id) + { + RemoveFile(file_id); + } + void Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - File* file = GetFile(conn, tag, is_orig); + GetFileHandle(tag, conn, is_orig); + File* file = GetFile(current_file_id, conn, tag, is_orig); if ( ! file ) return; @@ -116,7 +141,8 @@ void Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, void Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - File* file = GetFile(conn, tag, is_orig); + GetFileHandle(tag, conn, is_orig); + File* file = GetFile(current_file_id, conn, tag, is_orig); if ( ! file ) return; @@ -169,27 +195,23 @@ bool Manager::RemoveAnalyzer(const string& file_id, const RecordVal* args) const return file->RemoveAnalyzer(args); } -File* Manager::GetFile(Connection* conn, AnalyzerTag::Tag tag, bool is_orig, - bool update_conn) +File* Manager::GetFile(const string& file_id, Connection* conn, + AnalyzerTag::Tag tag, bool is_orig, bool update_conn) { - // sets current_file_id for us - GetFileHandle(tag, conn, is_orig); - - if ( current_file_id.empty() ) + if ( file_id.empty() ) return 0; - if ( IsIgnored(current_file_id) ) + if ( IsIgnored(file_id) ) return 0; - File* rval = id_map[current_file_id]; + File* rval = id_map[file_id]; if ( ! rval ) { - rval = id_map[current_file_id] = new File(current_file_id, conn, tag, - is_orig); + rval = id_map[file_id] = new File(file_id, conn, tag, is_orig); rval->ScheduleInactivityTimer(); - if ( IsIgnored(current_file_id) ) + if ( IsIgnored(file_id) ) return 0; } else diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index 3697f3c9b2..17ea2ef317 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h 
@@ -56,11 +56,18 @@ public: void DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); + /** + * Pass in sequential file data from external source (e.g. input framework). + */ + void DataIn(const u_char* data, uint64 len, const string& file_id, + const string& source); + /** * Signal the end of file data. */ void EndOfFile(AnalyzerTag::Tag tag, Connection* conn); void EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig); + void EndOfFile(const string& file_id); /** * Signal a gap in the file data stream. @@ -118,13 +125,13 @@ protected: typedef map IDMap; /** - * @return the File object mapped to #current_file_id or a null pointer if + * @return the File object mapped to \a file_id or a null pointer if * analysis is being ignored for the associated file. An File * object may be created if a mapping doesn't exist, and if it did * exist, the activity time is refreshed along with any * connection-related fields. */ - File* GetFile(Connection* conn = 0, + File* GetFile(const string& file_id, Connection* conn = 0, AnalyzerTag::Tag tag = AnalyzerTag::Error, bool is_orig = false, bool update_conn = true); diff --git a/src/input.bif b/src/input.bif index 40d8225400..d6a880d9e9 100644 --- a/src/input.bif +++ b/src/input.bif @@ -9,6 +9,7 @@ module Input; type TableDescription: record; type EventDescription: record; +type AnalysisDescription: record; function Input::__create_table_stream%(description: Input::TableDescription%) : bool %{ @@ -22,6 +23,12 @@ function Input::__create_event_stream%(description: Input::EventDescription%) : return new Val(res, TYPE_BOOL); %} +function Input::__create_analysis_stream%(description: Input::AnalysisDescription%) : bool + %{ + bool res = input_mgr->CreateAnalysisStream(description->AsRecordVal()); + return new Val(res, TYPE_BOOL); + %} + function Input::__remove_stream%(id: string%) : bool %{ bool res = input_mgr->RemoveStream(id->AsString()->CheckString()); 
diff --git a/src/input/Manager.cc b/src/input/Manager.cc index 933b0b594c..8f3d4bb8e5 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -15,6 +15,7 @@ #include "EventHandler.h" #include "NetVar.h" #include "Net.h" +#include "../file_analysis/Manager.h" #include "CompHash.h" @@ -148,6 +149,14 @@ public: ~EventStream(); }; +class Manager::AnalysisStream: public Manager::Stream { +public: + string file_id; + + AnalysisStream(); + ~AnalysisStream(); +}; + Manager::TableStream::TableStream() : Manager::Stream::Stream() { stream_type = TABLE_STREAM; @@ -198,6 +207,15 @@ Manager::TableStream::~TableStream() } } +Manager::AnalysisStream::AnalysisStream() : Manager::Stream::Stream() + { + stream_type = ANALYSIS_STREAM; + } + +Manager::AnalysisStream::~AnalysisStream() + { + } + Manager::Manager() { end_of_data = internal_handler("Input::end_of_data"); @@ -274,7 +292,8 @@ bool Manager::CreateStream(Stream* info, RecordVal* description) RecordType* rtype = description->Type()->AsRecordType(); if ( ! ( same_type(rtype, BifType::Record::Input::TableDescription, 0) - || same_type(rtype, BifType::Record::Input::EventDescription, 0) ) ) + || same_type(rtype, BifType::Record::Input::EventDescription, 0) + || same_type(rtype, BifType::Record::Input::AnalysisDescription, 0) ) ) { reporter->Error("Streamdescription argument not of right type for new input stream"); return false; 
@@ -680,6 +699,40 @@ bool Manager::CreateTableStream(RecordVal* fval) return true; } +bool Manager::CreateAnalysisStream(RecordVal* fval) + { + RecordType* rtype = fval->Type()->AsRecordType(); + if ( ! same_type(rtype, BifType::Record::Input::AnalysisDescription, 0) ) + { + reporter->Error("AnalysisDescription argument not of right type"); + return false; + } + + AnalysisStream* stream = new AnalysisStream(); + { + if ( ! CreateStream(stream, fval) ) + { + delete stream; + return false; + } + } + + stream->file_id = file_mgr->HashHandle(stream->name); + + assert(stream->reader); + + // reader takes in a byte stream as the only field + Field** fields = new Field*[1]; + fields[0] = new Field("bytestream", 0, TYPE_STRING, TYPE_VOID, false); + stream->reader->Init(1, fields); + + readers[stream->reader] = stream; + + DBG_LOG(DBG_INPUT, "Successfully created analysis stream %s", + stream->name.c_str()); + + return true; + } bool Manager::IsCompatibleType(BroType* t, bool atomic_only) { @@ -966,6 +1019,15 @@ void Manager::SendEntry(ReaderFrontend* reader, Value* *vals) readFields = SendEventStreamEvent(i, type, vals); } + else if ( i->stream_type == ANALYSIS_STREAM ) + { + readFields = 1; + assert(vals[0]->type == TYPE_STRING); + file_mgr->DataIn(reinterpret_cast(vals[0]->val.string_val.data), + vals[0]->val.string_val.length, + static_cast(i)->file_id, i->name); + } + else assert(false); @@ -1179,7 +1241,7 @@ void Manager::EndCurrentSend(ReaderFrontend* reader) DBG_LOG(DBG_INPUT, "Got EndCurrentSend stream %s", i->name.c_str()); #endif - if ( i->stream_type == EVENT_STREAM ) + if ( i->stream_type != TABLE_STREAM ) { // just signal the end of the data source SendEndOfData(i); 
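Review bot: In CreateAnalysisStream the failure check after `AnalysisStream* stream = new AnalysisStream();` is wrapped in a bare `{ ... }` scope that serves no purpose and differs from the surrounding style; drop the extra braces. The `Field** fields = new Field*[1]` array passed to `stream->reader->Init(1, fields)` carries no note on who frees it — presumably the reader frontend takes ownership as for the other stream types, which is outside this hunk — so a line like `// ownership of fields passes to the reader frontend` would make the contract explicit once confirmed against Init. Because `stream->file_id` is derived only from `stream->name` via HashHandle, reusing a stream name while the earlier stream's File is still live would append to that same File; that is worth stating in the AnalysisDescription `name` doc.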
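Review bot: In SendEntry (hunk `@@ -966,6 +1019,15 @@`) the only guard on the reader-supplied value is `assert(vals[0]->type == TYPE_STRING)`, which compiles away under NDEBUG, so a reader that delivers any other type would have `val.string_val.data` and `val.string_val.length` read from the wrong union member and forwarded to the file analysis framework. Readers are the component parsing external input, so a runtime check is the safer shape: wrap the forward in `if ( vals[0]->type == TYPE_STRING )` and otherwise `reporter->Error("analysis stream %s: expected a string field", i->name.c_str());` before continuing with the existing cleanup. The identical block in Put (hunk `@@ -1310,6 +1375,15 @@`) needs the same treatment; SendEntry's body continues outside this hunk.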
@@ -1288,6 +1350,9 @@ void Manager::SendEndOfData(ReaderFrontend* reader) void Manager::SendEndOfData(const Stream *i) { SendEvent(end_of_data, 2, new StringVal(i->name.c_str()), new StringVal(i->info->source)); + + if ( i->stream_type == ANALYSIS_STREAM ) + file_mgr->EndOfFile(static_cast(i)->file_id); } void Manager::Put(ReaderFrontend* reader, Value* *vals) @@ -1310,6 +1375,15 @@ void Manager::Put(ReaderFrontend* reader, Value* *vals) readFields = SendEventStreamEvent(i, type, vals); } + else if ( i->stream_type == ANALYSIS_STREAM ) + { + readFields = 1; + assert(vals[0]->type == TYPE_STRING); + file_mgr->DataIn(reinterpret_cast(vals[0]->val.string_val.data), + vals[0]->val.string_val.length, + static_cast(i)->file_id, i->name); + } + else assert(false); @@ -1577,6 +1651,12 @@ bool Manager::Delete(ReaderFrontend* reader, Value* *vals) success = true; } + else if ( i->stream_type == ANALYSIS_STREAM ) + { + // can't do anything + success = true; + } + else { assert(false); diff --git a/src/input/Manager.h b/src/input/Manager.h index 633b20f8ed..a1fbb94313 100644 --- a/src/input/Manager.h +++ b/src/input/Manager.h @@ -55,6 +55,18 @@ public: */ bool CreateEventStream(RecordVal* description); + /** + * Creates a new input stream which will forward the data from the data + * source on to the file analysis framework. The internal BiF defined + * in input.bif just forward here. For an input reader to be compatible + * with this method, it must be able to accept a filter of a single string + * type (i.e. they read a byte stream). + * + * @param description A record of the script type \c + * Input::AnalysisDescription + */ + bool CreateAnalysisStream(RecordVal* description); + /** * Force update on a input stream. Forces a re-read of the whole * input source. Usually used when an input stream is opened in 
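Review bot: The CreateAnalysisStream doc comment in hunk `@@ -55,6 +55,18 @@` has two grammatical slips: `The internal BiF defined in input.bif just forward here.` should read `just forwards here`, and `it must be able to accept a filter of a single string type (i.e. they read a byte stream)` mixes singular and plural — `(i.e. it reads a byte stream)`. It would also help to state that the description's `name` both becomes the fa_file source and is hashed into the file id, since that is what CreateAnalysisStream and SendEntry do with it.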
@@ -138,6 +150,7 @@ private: class Stream; class TableStream; class EventStream; + class AnalysisStream; // Actual RemoveStream implementation -- the function's public and // protected definitions are wrappers around this function. @@ -202,7 +215,7 @@ private: Stream* FindStream(const string &name); Stream* FindStream(ReaderFrontend* reader); - enum StreamType { TABLE_STREAM, EVENT_STREAM }; + enum StreamType { TABLE_STREAM, EVENT_STREAM, ANALYSIS_STREAM }; map readers; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro index eedb56d359..f9ca9fb325 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro @@ -18,28 +18,12 @@ redef test_get_file_name = function(f: fa_file): string T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 @TEST-END-FILE -module A; - -type Val: record { - s: string; -}; - -event line(description: Input::EventDescription, tpe: Input::Event, s: string) - { - FileAnalysis::data_stream(description$source, s); - } - -event Input::end_of_data(name: string, source: string) - { - FileAnalysis::eof(source); - } - event bro_init() { - Input::add_event([$source="../input.log", $reader=Input::READER_BINARY, - $mode=Input::MANUAL, $name="input", $fields=Val, - $ev=line, $want_record=F]); - Input::remove("input"); + local source: string = "../input.log"; + Input::add_analysis([$source=source, $reader=Input::READER_BINARY, + $mode=Input::MANUAL, $name=source]); + Input::remove(source); } event file_state_remove(f: fa_file) &priority=-10 From bc5cd3acc86bb76c5d67c3c70d0eba55be17d92e Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 21 May 2013 10:34:19 -0500 Subject: [PATCH 063/200] Make default get_file_handle handlers &priority=5. So they're easier to override (just provide a new handler without specifying a priority). --- scripts/base/protocols/ftp/file-analysis.bro | 1 + scripts/base/protocols/http/file-analysis.bro | 1 + scripts/base/protocols/irc/file-analysis.bro | 1 + scripts/base/protocols/smtp/file-analysis.bro | 1 + 4 files changed, 4 insertions(+) diff --git a/scripts/base/protocols/ftp/file-analysis.bro b/scripts/base/protocols/ftp/file-analysis.bro index b26d8a942b..f8fa2d816b 100644 --- a/scripts/base/protocols/ftp/file-analysis.bro +++ b/scripts/base/protocols/ftp/file-analysis.bro @@ -41,6 +41,7 @@ function get_file_handle(c: connection, is_orig: bool): string module GLOBAL; event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool) + &priority=5 { if ( tag != ANALYZER_FTP_DATA ) return; set_file_handle(FTP::get_file_handle(c, is_orig)); diff --git a/scripts/base/protocols/http/file-analysis.bro b/scripts/base/protocols/http/file-analysis.bro index fc537f3477..a8d15391ab 100644 --- a/scripts/base/protocols/http/file-analysis.bro +++ b/scripts/base/protocols/http/file-analysis.bro @@ -25,6 +25,7 @@ function get_file_handle(c: connection, is_orig: bool): string module GLOBAL; event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool) + &priority=5 { if ( tag != ANALYZER_HTTP ) return; set_file_handle(HTTP::get_file_handle(c, is_orig)); diff --git a/scripts/base/protocols/irc/file-analysis.bro b/scripts/base/protocols/irc/file-analysis.bro index 94d9f95d73..5159064b27 100644 --- a/scripts/base/protocols/irc/file-analysis.bro +++ b/scripts/base/protocols/irc/file-analysis.bro 
@@ -18,6 +18,7 @@ function get_file_handle(c: connection, is_orig: bool): string module GLOBAL; event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool) + &priority=5 { if ( tag != ANALYZER_IRC_DATA ) return; set_file_handle(IRC::get_file_handle(c, is_orig)); diff --git a/scripts/base/protocols/smtp/file-analysis.bro b/scripts/base/protocols/smtp/file-analysis.bro index cbe109eff3..b893cbef7d 100644 --- a/scripts/base/protocols/smtp/file-analysis.bro +++ b/scripts/base/protocols/smtp/file-analysis.bro @@ -20,6 +20,7 @@ function get_file_handle(c: connection, is_orig: bool): string module GLOBAL; event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool) + &priority=5 { if ( tag != ANALYZER_SMTP ) return; set_file_handle(SMTP::get_file_handle(c, is_orig)); From 16f924c2c046f8b0092a2b272d4f63c593deb4a0 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 21 May 2013 10:50:07 -0500 Subject: [PATCH 064/200] Remove FileAnalysis::postpone_timeout. FileAnalysis::set_timeout_interval can now perform same function. --- .../base/frameworks/file-analysis/main.bro | 21 +++---------------- src/file_analysis.bif | 7 ------- src/file_analysis/Manager.cc | 14 +++---------- src/file_analysis/Manager.h | 6 ------ .../bro..stdout | 0 ...e_timeout.bro => set_timeout_interval.bro} | 2 +- 6 files changed, 7 insertions(+), 43 deletions(-) rename testing/btest/Baseline/{scripts.base.frameworks.file-analysis.bifs.postpone_timeout => scripts.base.frameworks.file-analysis.bifs.set_timeout_interval}/bro..stdout (100%) rename testing/btest/scripts/base/frameworks/file-analysis/bifs/{postpone_timeout.bro => set_timeout_interval.bro} (90%) diff --git a/scripts/base/frameworks/file-analysis/main.bro b/scripts/base/frameworks/file-analysis/main.bro index 3f6f6f10f4..0502daa186 100644 --- a/scripts/base/frameworks/file-analysis/main.bro +++ b/scripts/base/frameworks/file-analysis/main.bro 
@@ -120,7 +120,9 @@ export { ## Sets the *timeout_interval* field of :bro:see:`fa_file`, which is ## used to determine the length of inactivity that is allowed for a file - ## before internal state related to it is cleaned up. + ## before internal state related to it is cleaned up. When used within a + ## :bro:see:`file_timeout` handler, the analysis will delay timing out + ## again for the period specified by *t*. ## ## f: the file. ## @@ -130,18 +132,6 @@ export { ## for the *id* isn't currently active. global set_timeout_interval: function(f: fa_file, t: interval): bool; - ## Postpones the timeout of file analysis for a given file. - ## When used within a :bro:see:`file_timeout` handler for, the analysis - ## the analysis will delay timing out for the period of time indicated by - ## the *timeout_interval* field of :bro:see:`fa_file`, which can be set - ## with :bro:see:`FileAnalysis::set_timeout_interval`. - ## - ## f: the file. - ## - ## Returns: true if the timeout will be postponed, or false if analysis - ## for the *id* isn't currently active. - global postpone_timeout: function(f: fa_file): bool; - ## Adds an analyzer to the analysis of a given file. ## ## f: the file. @@ -207,11 +197,6 @@ function set_timeout_interval(f: fa_file, t: interval): bool return __set_timeout_interval(f$id, t); } -function postpone_timeout(f: fa_file): bool - { - return __postpone_timeout(f$id); - } - function add_analyzer(f: fa_file, args: AnalyzerArgs): bool { if ( ! __add_analyzer(f$id, args) ) return F; diff --git a/src/file_analysis.bif b/src/file_analysis.bif index 3c720d17b6..ef46ccf9c1 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis.bif 
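Review bot: The new wording for `set_timeout_interval` promises that a call from a `file_timeout` handler delays the timeout "again for the period specified by *t*", but the Manager.cc change in this same commit only sets `postpone_timeout` when `interval > 0`, so a zero or negative `t` postpones nothing. The docstring should state the condition, e.g. `## again for the period specified by *t* (only when *t* is positive).`. The `Returns:` text that follows still speaks of "the *id*" although the parameter is *f*; that line is unchanged context, but it is worth correcting while this comment is being edited.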
@@ -27,13 +27,6 @@ enum Analyzer %{
 ANALYZER_DATA_EVENT,
 %}
 
-## :bro:see:`FileAnalysis::postpone_timeout`.
-function FileAnalysis::__postpone_timeout%(file_id: string%): bool
- %{
- bool result = file_mgr->PostponeTimeout(file_id->CheckString());
- return new Val(result, TYPE_BOOL);
- %}
-
 ## :bro:see:`FileAnalysis::set_timeout_interval`.
 function FileAnalysis::__set_timeout_interval%(file_id: string, t: interval%): bool
 %{
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 584a599df0..b247f23efc 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -153,17 +153,6 @@ void Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn,
 RemoveFile(file->GetID());
 }
 
-bool Manager::PostponeTimeout(const string& file_id) const
- {
- File* file = Lookup(file_id);
-
- if ( ! file )
- return false;
-
- file->postpone_timeout = true;
- return true;
- }
-
 bool Manager::SetTimeoutInterval(const string& file_id, double interval) const
 {
 File* file = Lookup(file_id);
@@ -171,6 +160,9 @@ bool Manager::SetTimeoutInterval(const string& file_id, double interval) const
 if ( ! file )
 return false;
 
+ if ( interval > 0 )
+ file->postpone_timeout = true;
+
 file->SetTimeoutInterval(interval);
 return true;
 }
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index 17ea2ef317..8e985d6ce3 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -88,12 +88,6 @@ public:
 */
 bool IgnoreFile(const string& file_id);
 
- /**
- * If called during a \c file_timeout event handler, requests deferral of
- * analysis timeout.
- */
- bool PostponeTimeout(const string& file_id) const;
-
 /**
 * Set's an inactivity threshold for the file.
 */
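Review bot: `Manager::SetTimeoutInterval` now sets `file->postpone_timeout` on every call with a positive interval, not only from within a `file_timeout` handler as the removed `PostponeTimeout` comment in Manager.h described, and the surviving header comment ("Set's an inactivity threshold for the file.") says nothing about this side effect. I would extend that Manager.h comment to say that a positive interval also defers a pending timeout, and that non-positive values are handed to `File::SetTimeoutInterval` unchanged — whether that function rejects them is not visible from this hunk. The `Set's` in the same comment should read `Sets`, though that line is not touched by the hunk.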
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.postpone_timeout/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.postpone_timeout/bro..stdout rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.bro similarity index 90% rename from testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro rename to testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.bro index eddc933658..8ec4704cdb 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.bro @@ -20,7 +20,7 @@ redef default_file_timeout_interval = 2sec; event file_timeout(f: fa_file) { if ( timeout_cnt < 1 ) - FileAnalysis::postpone_timeout(f); + FileAnalysis::set_timeout_interval(f, f$timeout_interval); else terminate(); ++timeout_cnt; From 28f51a9a220410a85a8904fe664cf5710b395106 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 21 May 2013 11:12:00 -0500 Subject: [PATCH 065/200] Remove extraction counter in default file extraction scripts. --- scripts/base/protocols/ftp/file-extract.bro | 5 +--- scripts/base/protocols/http/file-extract.bro | 5 +--- scripts/base/protocols/irc/dcc-send.bro | 5 +--- scripts/base/protocols/smtp/entities.bro | 6 +---- ...70Ua9x7-1.dat => ftp-item-BTsa70Ua9x7.dat} | 0 ...zoroau4-0.dat => ftp-item-Rqjkzoroau4.dat} | 0 ...Jybrm38-2.dat => ftp-item-VLQvJybrm38.dat} | 0 ...Ss9K1yk-3.dat => ftp-item-zrfwSs9K1yk.dat} | 0 .../ftp.log | 8 +++---- ...6bFgT3-0.dat => http-item-BFymS6bFgT3.dat} | 0 .../http.log | 2 +- ...VSb-0.dat => irc-dcc-item-wqKMAamJVSb.dat} | Bin .../irc.log | 2 +- ...jEv3-1.dat => smtp-entity-Ltd7QO7jEv3.dat} | 0 ...ctxb-0.dat => smtp-entity-cwR7l6Zctxb.dat} | 0 .../smtp_entities.log | 4 ++-- .../base/protocols/ftp/ftp-extract.bro | 8 +++---- .../protocols/http/http-extract-files.bro | 2 +- .../base/protocols/irc/dcc-extract.test | 22 +++--------------- .../base/protocols/smtp/mime-extract.test | 8 +++---- 20 files changed, 24 insertions(+), 53 deletions(-) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-BTsa70Ua9x7-1.dat => ftp-item-BTsa70Ua9x7.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-Rqjkzoroau4-0.dat => ftp-item-Rqjkzoroau4.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-VLQvJybrm38-2.dat => ftp-item-VLQvJybrm38.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-zrfwSs9K1yk-3.dat => ftp-item-zrfwSs9K1yk.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/{http-item-BFymS6bFgT3-0.dat => http-item-BFymS6bFgT3.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/{irc-dcc-item-wqKMAamJVSb-0.dat => irc-dcc-item-wqKMAamJVSb.dat} (100%) rename 
testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/{smtp-entity-Ltd7QO7jEv3-1.dat => smtp-entity-Ltd7QO7jEv3.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/{smtp-entity-cwR7l6Zctxb-0.dat => smtp-entity-cwR7l6Zctxb.dat} (100%) diff --git a/scripts/base/protocols/ftp/file-extract.bro b/scripts/base/protocols/ftp/file-extract.bro index f14839b616..2b7bb8cd50 100644 --- a/scripts/base/protocols/ftp/file-extract.bro +++ b/scripts/base/protocols/ftp/file-extract.bro @@ -13,8 +13,6 @@ export { const extraction_prefix = "ftp-item" &redef; } -global extract_count: count = 0; - redef record Info += { ## On disk file where it was extracted to. extraction_file: string &log &optional; @@ -26,8 +24,7 @@ redef record Info += { function get_extraction_name(f: fa_file): string { - local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count); - ++extract_count; + local r = fmt("%s-%s.dat", extraction_prefix, f$id); return r; } diff --git a/scripts/base/protocols/http/file-extract.bro b/scripts/base/protocols/http/file-extract.bro index 9c0899b2b6..011baf57b7 100644 --- a/scripts/base/protocols/http/file-extract.bro +++ b/scripts/base/protocols/http/file-extract.bro @@ -23,12 +23,9 @@ export { }; } -global extract_count: count = 0; - function get_extraction_name(f: fa_file): string { - local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count); - ++extract_count; + local r = fmt("%s-%s.dat", extraction_prefix, f$id); return r; } diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index 8f3de2ac09..53381d0302 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -39,8 +39,6 @@ export { global dcc_expected_transfers: table[addr, port] of Info &read_expire=5mins; -global extract_count: count = 0; - function set_dcc_mime(f: fa_file) { if ( ! f?$conns ) return; 
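Review bot: With the counter gone, `get_extraction_name` in ftp/file-extract.bro derives the on-disk name solely from `extraction_prefix` and `f$id`, so a repeated file id maps to the same path; the http, irc and smtp hunks in this commit make the identical change, and the renamed baselines show the ids are stable across runs of the same trace. Whether a second extraction under the same id appends to, truncates or fails on the existing file depends on how the extract analyzer opens it, which is not visible here, so a one-line comment on the function would help, e.g. `# One file per file id: a repeated id (e.g. the same trace replayed) reuses the same path.`, together with a check of the extractor's open mode. The body is now a single expression, so `return fmt("%s-%s.dat", extraction_prefix, f$id);` reads cleaner than assigning to `r` first.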
@@ -75,8 +73,7 @@ function set_dcc_extraction_file(f: fa_file, filename: string) function get_extraction_name(f: fa_file): string { - local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count); - ++extract_count; + local r = fmt("%s-%s.dat", extraction_prefix, f$id); return r; } diff --git a/scripts/base/protocols/smtp/entities.bro b/scripts/base/protocols/smtp/entities.bro index 19cca30db1..b58766e51d 100644 --- a/scripts/base/protocols/smtp/entities.bro +++ b/scripts/base/protocols/smtp/entities.bro @@ -66,8 +66,6 @@ export { global log_mime: event(rec: EntityInfo); } -global extract_count: count = 0; - event bro_init() &priority=5 { Log::create_stream(SMTP::ENTITIES_LOG, [$columns=EntityInfo, $ev=log_mime]); @@ -90,8 +88,7 @@ function set_session(c: connection, new_entity: bool) function get_extraction_name(f: fa_file): string { - local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count); - ++extract_count; + local r = fmt("%s-%s.dat", extraction_prefix, f$id); return r; } @@ -127,7 +124,6 @@ event file_new(f: fa_file) &priority=5 [$tag=FileAnalysis::ANALYZER_EXTRACT, $extract_filename=fname]); extracting = T; - ++extract_count; } c$smtp$current_entity$extraction_file = fname; diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7.dat 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log index 27fda32d84..c2b02ec4c8 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log 
@@ -9,13 +9,13 @@ 1329843175.680248 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - 227 Entering Passive Mode (199,233,217,249,221,90) (empty) T 141.142.220.235 199.233.217.249 56666 - 1329843175.791528 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - 226 Transfer complete. (empty) - - - - - 1329843179.815947 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - 227 Entering Passive Mode (199,233,217,249,221,91) (empty) T 141.142.220.235 199.233.217.249 56667 - -1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 - - - - - - - (empty) - - - - ftp-item-Rqjkzoroau4-0.dat -1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 - - - - - - - (empty) - - - - ftp-item-BTsa70Ua9x7-1.dat +1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 - - - - - - - (empty) - - - - ftp-item-Rqjkzoroau4.dat +1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 - - - - - - - (empty) - - - - ftp-item-BTsa70Ua9x7.dat 1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain 77 226 Transfer complete. (empty) - - - - - 1329843194.040188 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,131,46 - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 33582 - 1329843194.095782 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - 226 Transfer complete. (empty) - - - - - 1329843197.672179 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,147,203 - - 200 PORT command successful. 
(empty) F 199.233.217.249 141.142.220.235 37835 - -1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 - - - - - - - (empty) - - - - ftp-item-VLQvJybrm38-2.dat +1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 - - - - - - - (empty) - - - - ftp-item-VLQvJybrm38.dat 1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain 77 226 Transfer complete. (empty) - - - - - -1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 - - - - - - - (empty) - - - - ftp-item-zrfwSs9K1yk-3.dat +1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 - - - - - - - (empty) - - - - ftp-item-zrfwSs9K1yk.dat #close 2013-04-12-16-32-25 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3-0.dat b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3-0.dat rename to testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log index 789896072f..e438b10b96 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log 
@@ -6,5 +6,5 @@ #open 2013-03-22-14-38-28 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item-BFymS6bFgT3-0.dat +1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item-BFymS6bFgT3.dat #close 2013-03-22-14-38-28 diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb-0.dat b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb-0.dat rename to testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log index 4e70587ff0..88a95d98f7 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log 
@@ -9,5 +9,5 @@ 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - NICK bloed - - - - - 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - - 1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje JOIN #easymovies (empty) - - - - -1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 FAKE_MIME irc-dcc-item-wqKMAamJVSb-0.dat +1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 application/zip irc-dcc-item-wqKMAamJVSb.dat #close 2013-03-27-18-49-16 diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3-1.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3-1.dat rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb-0.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb-0.dat rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log index 0051ddba61..9724dd2168 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log @@ -6,7 +6,7 @@ #open 2013-03-26-20-43-14 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth filename content_len mime_type md5 extraction_file excerpt #types time string addr port addr port count string count string string string string -1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 79 text/plain - smtp-entity-cwR7l6Zctxb-0.dat (empty) +1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 79 text/plain - smtp-entity-cwR7l6Zctxb.dat (empty) 1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 1918 text/html - - (empty) -1254722770.692804 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 NEWS.txt 10823 text/plain - smtp-entity-Ltd7QO7jEv3-1.dat (empty) +1254722770.692804 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 NEWS.txt 10823 text/plain - smtp-entity-Ltd7QO7jEv3.dat (empty) #close 2013-03-26-20-43-14 diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro b/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro index 9ae5280757..785d4009b9 100644 --- a/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro +++ b/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro @@ -3,10 +3,10 @@ # @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace %INPUT # @TEST-EXEC: btest-diff conn.log # @TEST-EXEC: btest-diff ftp.log -# @TEST-EXEC: btest-diff ftp-item-Rqjkzoroau4-0.dat -# @TEST-EXEC: btest-diff ftp-item-BTsa70Ua9x7-1.dat -# @TEST-EXEC: btest-diff ftp-item-VLQvJybrm38-2.dat -# @TEST-EXEC: btest-diff ftp-item-zrfwSs9K1yk-3.dat +# @TEST-EXEC: btest-diff ftp-item-Rqjkzoroau4.dat +# @TEST-EXEC: btest-diff ftp-item-BTsa70Ua9x7.dat +# @TEST-EXEC: btest-diff ftp-item-VLQvJybrm38.dat +# @TEST-EXEC: btest-diff ftp-item-zrfwSs9K1yk.dat redef FTP::logged_commands += {"LIST"}; redef FTP::extract_file_types=/.*/; 
diff --git a/testing/btest/scripts/base/protocols/http/http-extract-files.bro b/testing/btest/scripts/base/protocols/http/http-extract-files.bro index ce9d3e7e04..2eca91a9b2 100644 --- a/testing/btest/scripts/base/protocols/http/http-extract-files.bro +++ b/testing/btest/scripts/base/protocols/http/http-extract-files.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT # @TEST-EXEC: btest-diff http.log -# @TEST-EXEC: btest-diff http-item-BFymS6bFgT3-0.dat +# @TEST-EXEC: btest-diff http-item-BFymS6bFgT3.dat redef HTTP::extract_file_types += /text\/html/; diff --git a/testing/btest/scripts/base/protocols/irc/dcc-extract.test b/testing/btest/scripts/base/protocols/irc/dcc-extract.test index 8a6680f99b..a82b2338e9 100644 --- a/testing/btest/scripts/base/protocols/irc/dcc-extract.test +++ b/testing/btest/scripts/base/protocols/irc/dcc-extract.test @@ -1,26 +1,10 @@ # This tests that the contents of a DCC transfer negotiated with IRC can be -# correctly extracted. The mime type of the file transferred is normalized -# to prevent sensitivity to libmagic version being used. +# correctly extracted. # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT # @TEST-EXEC: btest-diff irc.log -# @TEST-EXEC: btest-diff irc-dcc-item-wqKMAamJVSb-0.dat +# @TEST-EXEC: btest-diff irc-dcc-item-wqKMAamJVSb.dat # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT IRC::extraction_prefix="test" -# @TEST-EXEC: test -e test-wqKMAamJVSb-0.dat +# @TEST-EXEC: test -e test-wqKMAamJVSb.dat redef IRC::extract_file_types=/.*/; - -event bro_init() - { - Log::remove_default_filter(IRC::LOG); - Log::add_filter(IRC::LOG, [$name="normalized-mime-types", - $pred=function(rec: IRC::Info): bool - { - if ( rec?$dcc_mime_type ) - { - rec$dcc_mime_type = "FAKE_MIME"; - } - return T; - } - ]); - } diff --git a/testing/btest/scripts/base/protocols/smtp/mime-extract.test b/testing/btest/scripts/base/protocols/smtp/mime-extract.test index 54e50d0459..9a0f9c9150 100644 
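Review bot: Removing the `normalized-mime-types` log filter in dcc-extract.test makes the irc.log comparison depend on the libmagic version, which is exactly what the deleted header comment said the filter existed to prevent, and the baseline in this commit now pins `application/zip` for the DCC transfer. If MIME detection is now considered stable enough to compare directly, the test header should say so, e.g. `# The DCC MIME type is compared as-is; the baseline expects application/zip.`; otherwise the filter should stay.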
--- a/testing/btest/scripts/base/protocols/smtp/mime-extract.test +++ b/testing/btest/scripts/base/protocols/smtp/mime-extract.test @@ -1,10 +1,10 @@ # @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT # @TEST-EXEC: btest-diff smtp_entities.log -# @TEST-EXEC: btest-diff smtp-entity-cwR7l6Zctxb-0.dat -# @TEST-EXEC: btest-diff smtp-entity-Ltd7QO7jEv3-1.dat +# @TEST-EXEC: btest-diff smtp-entity-cwR7l6Zctxb.dat +# @TEST-EXEC: btest-diff smtp-entity-Ltd7QO7jEv3.dat # @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT SMTP::extraction_prefix="test" -# @TEST-EXEC: test -e test-cwR7l6Zctxb-0.dat -# @TEST-EXEC: test -e test-Ltd7QO7jEv3-1.dat +# @TEST-EXEC: test -e test-cwR7l6Zctxb.dat +# @TEST-EXEC: test -e test-Ltd7QO7jEv3.dat @load base/protocols/smtp From 38ac03d5585943b701a915274331a211425dd5ac Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 21 May 2013 11:58:39 -0500 Subject: [PATCH 066/200] Remove logging of analyzers field of FileAnalysis::Info. It was mostly redundant when logged, but still can be useful to inspect at runtime. In the future, a better field for logging will be available which will be similar to the "service" field for connection records (there's not any file-format-specific analyzers that would currently make use of such a thing). --- scripts/base/frameworks/file-analysis/main.bro | 2 +- .../file_analysis.log | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/base/frameworks/file-analysis/main.bro b/scripts/base/frameworks/file-analysis/main.bro index 0502daa186..393d805133 100644 --- a/scripts/base/frameworks/file-analysis/main.bro +++ b/scripts/base/frameworks/file-analysis/main.bro @@ -87,7 +87,7 @@ export { conn_uids: set[string] &log; ## A set of analysis types done during the file analysis. - analyzers: set[Analyzer] &log; + analyzers: set[Analyzer]; ## Local filenames of extracted files. extracted_files: set[string] &log; 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log index 86f132470b..ac2a836ba5 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path file_analysis -#open 2013-04-23-15-41-01 -#fields id parent_id source is_orig last_active seen_bytes total_bytes missing_bytes overflow_bytes timeout_interval bof_buffer_size mime_type timedout conn_uids analyzers extracted_files md5 sha1 sha256 -#types string string string bool time count count count count interval count string bool table[string] table[enum] table[string] string string string -Cx92a0ym5R8 - HTTP F 1362692527.009775 4705 4705 0 0 120.000000 1024 text/plain F UWkUyAuUGXf FileAnalysis::ANALYZER_SHA1,FileAnalysis::ANALYZER_EXTRACT,FileAnalysis::ANALYZER_DATA_EVENT,FileAnalysis::ANALYZER_MD5,FileAnalysis::ANALYZER_SHA256 Cx92a0ym5R8-file 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 -#close 2013-04-23-15-41-01 +#open 2013-05-21-16-47-14 +#fields id parent_id source is_orig last_active seen_bytes total_bytes missing_bytes overflow_bytes timeout_interval bof_buffer_size mime_type timedout conn_uids extracted_files md5 sha1 sha256 +#types string string string bool time count count count count interval count string bool table[string] table[string] string string string +Cx92a0ym5R8 - HTTP F 1362692527.009775 4705 4705 0 0 120.000000 1024 text/plain F UWkUyAuUGXf Cx92a0ym5R8-file 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 +#close 2013-05-21-16-47-14 
From 3cbef60f57f6355752f2a72d914ab6ffad09c1ee Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 21 May 2013 15:35:22 -0500 Subject: [PATCH 067/200] Fix HTTP multipart body file analysis. Each part now gets assigned a different file handle/id. --- scripts/base/protocols/http/file-analysis.bro | 23 +++++++- .../QJO04kPdawk-file | 1 + .../TJdltRTxco1-file | 1 + .../TaUJcEIboHh-file | 21 +++++++ .../dDH5dHdsRH4-file | 1 + .../out | 53 ++++++++++++++++++ testing/btest/Traces/http/multipart.trace | Bin 0 -> 2024 bytes .../file-analysis/http/multipart.bro | 13 +++++ 8 files changed, 112 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/QJO04kPdawk-file create mode 100644 testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/TJdltRTxco1-file create mode 100644 testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/TaUJcEIboHh-file create mode 100644 testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/dDH5dHdsRH4-file create mode 100644 testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out create mode 100644 testing/btest/Traces/http/multipart.trace create mode 100644 testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro diff --git a/scripts/base/protocols/http/file-analysis.bro b/scripts/base/protocols/http/file-analysis.bro index a8d15391ab..769bb509f5 100644 --- a/scripts/base/protocols/http/file-analysis.bro +++ b/scripts/base/protocols/http/file-analysis.bro 
@@ -6,20 +6,41 @@ module HTTP; export { + redef record HTTP::Info += { + ## Number of MIME entities in the HTTP request message body so far. + request_mime_level: count &default=0; + ## Number of MIME entities in the HTTP response message body so far. + response_mime_level: count &default=0; + }; + ## Default file handle provider for HTTP. global get_file_handle: function(c: connection, is_orig: bool): string; } +event http_begin_entity(c: connection, is_orig: bool) &priority=5 + { + if ( ! c?$http ) return; + + if ( is_orig ) + ++c$http$request_mime_level; + else + ++c$http$response_mime_level; + } + function get_file_handle(c: connection, is_orig: bool): string { if ( ! c?$http ) return ""; + local mime_level: count = + is_orig ? c$http$request_mime_level : c$http$response_mime_level; + local mime_level_str: string = mime_level > 1 ? cat(mime_level) : ""; + if ( c$http$range_request ) return cat(ANALYZER_HTTP, " ", is_orig, " ", c$id$orig_h, " ", build_url(c$http)); return cat(ANALYZER_HTTP, " ", c$start_time, " ", is_orig, " ", - c$http$trans_depth, " ", id_string(c$id)); + c$http$trans_depth, mime_level_str, " ", id_string(c$id)); } module GLOBAL; diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/QJO04kPdawk-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/QJO04kPdawk-file new file mode 100644 index 0000000000..ac2a9e002d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/QJO04kPdawk-file @@ -0,0 +1 @@ +test2 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/TJdltRTxco1-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/TJdltRTxco1-file new file mode 100644 index 0000000000..77356c3140 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/TJdltRTxco1-file @@ -0,0 +1 @@ +test 
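Review bot: `mime_level_str` is concatenated directly onto `c$http$trans_depth` with no separator in the new `get_file_handle`, so transaction depth 1 with MIME entity 2 produces `12`, the same text as depth 12 with a single entity; since, as the commit message says, file ids are assigned from this handle, two different bodies can collapse into one file. Emit the level as its own field instead, `c$http$trans_depth, " ", mime_level, " ", id_string(c$id));`, and drop `mime_level_str`; this changes every HTTP handle string, so baselines that record HTTP file ids will need regenerating. Note also that `request_mime_level` and `response_mime_level` are never reset when a new transaction starts on the connection, so they count entities over the connection's lifetime rather than per message as the new field comments state; either reset them where a transaction begins or reword the comments to say "on this connection so far".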
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/TaUJcEIboHh-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/TaUJcEIboHh-file new file mode 100644 index 0000000000..8f0eb247e3 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/TaUJcEIboHh-file @@ -0,0 +1,21 @@ +{ + "data": "", + "form": { + "example": "test", + "example2": "test2", + "example3": "test3" + }, + "origin": "141.142.228.5", + "json": null, + "url": "http://httpbin.org/post", + "args": {}, + "headers": { + "Content-Type": "multipart/form-data; boundary=----------------------------4ebf00fbcf09", + "User-Agent": "curl/7.30.0", + "Connection": "close", + "Accept": "*/*", + "Content-Length": "350", + "Host": "httpbin.org" + }, + "files": {} +} \ No newline at end of file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/dDH5dHdsRH4-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/dDH5dHdsRH4-file new file mode 100644 index 0000000000..ae48ec8c20 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/dDH5dHdsRH4-file @@ -0,0 +1 @@ +test3 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out new file mode 100644 index 0000000000..fc34e97be2 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out 
@@ -0,0 +1,53 @@ +FILE_NEW +TJdltRTxco1, 0, 0 +FILE_BOF_BUFFER +test^M^J +MIME_TYPE +text/plain +FILE_STATE_REMOVE +TJdltRTxco1, 6, 0 +[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] +source: HTTP +MD5: 9f06243abcb89c70e0c331c61d871fa7 +SHA1: fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4 +SHA256: 837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b +FILE_NEW +QJO04kPdawk, 0, 0 +FILE_BOF_BUFFER +test2^M^J +MIME_TYPE +text/plain +FILE_STATE_REMOVE +QJO04kPdawk, 7, 0 +[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] +source: HTTP +MD5: d68af81ef370b3873d50f09140068810 +SHA1: 51a7b6f2d91f6a87822dc04560f2972bc14fc97e +SHA256: de0edd0ac4a705aff70f34734e90a1d0a1d8b76abe4bb53f3ea934bc105b3b17 +FILE_NEW +dDH5dHdsRH4, 0, 0 +FILE_BOF_BUFFER +test3^M^J +MIME_TYPE +text/plain +FILE_STATE_REMOVE +dDH5dHdsRH4, 7, 0 +[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] +source: HTTP +MD5: 1a3d75d44753ad246f0bd333cdaf08b0 +SHA1: 4f98809ab09272dfcc58266e3f23ae2393f70e76 +SHA256: 018c67a2c30ed9977e1dddfe98cac542165dac355cf9764c91a362613e752933 +FILE_NEW +TaUJcEIboHh, 0, 0 +FILE_BOF_BUFFER +{^J "data": +MIME_TYPE +text/plain +FILE_STATE_REMOVE +TaUJcEIboHh, 465, 0 +[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp] +total bytes: 465 +source: HTTP +MD5: 226244811006caf4ac904344841168dd +SHA1: 7222902b8b8e68e25c0422e7f8bdf344efeda54d +SHA256: dd485ecf240e12807516b0a27718fc3ab9a17c1158a452967343c98cefba07a0 
diff --git a/testing/btest/Traces/http/multipart.trace b/testing/btest/Traces/http/multipart.trace new file mode 100644 index 0000000000000000000000000000000000000000..5ce8b6e16f9226ff75c3ccd55574b5579ada5e5f GIT binary patch literal 2024 zcmcJPO-vI(6vu~BO0#Ao>IEa3Ne?Cp?QXXPas2|ViXRAsYK(eW%CxL5yPNHnNC<(0 zFDqFDoP{|Km+R(m z=!YQz5d&wQA{jG~&czq@v#(LeF#C9W^L>7wOZWSN+?FpFb|4)x1+ng9e*)w!f{iL*ew3U%WsC;HlVokwEbsdb69w0?4GHLq(1Z zx+j$u4;HECnVzxxWEyLPQh08I^AK7ekx;X6SJhSxU8W^f=}JF45@I)%ep6#1q}wcO zZ(zE!Ehb0GY$4Siomm{MAqk6jr3S*? z36|(W;^c>F@(P5Dqnzk_I^KZ9=Udk$){?}?%L0)i(NipyM3Hu!D=Nj+pJJMtno{s% z3)i!T&T|RH23;m|tbs~V+O7=3$!Ls5n`JR3OU?9jdy?n6nKi&HnPzgjnldb15F^nh zw1uZ`PlxfQMrToHDOXT87&F6)rVcPv&=5yy2t^-~X(-fyGgKVRFak4AZV*PbIa`X$ z5+1{KsVorl0TYz9Z;PPDNs2qkWI z`ha^zu`*fMH00v@n9|EEXTdGqdkTDLWc?qjdlxPCA7qzwAa4VtUwL$AgJxuz7jpX% zE<;E17QJ%aFNZa-h;D%AanF~wZxw2M1h?M%7rReplK=n! literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro new file mode 100644 index 0000000000..e5200df42e --- /dev/null +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro @@ -0,0 +1,13 @@ +# @TEST-EXEC: bro -r $TRACES/http/multipart.trace $SCRIPTS/file-analysis-test.bro %INPUT >out +# @TEST-EXEC: btest-diff out +# @TEST-EXEC: btest-diff TJdltRTxco1-file +# @TEST-EXEC: btest-diff QJO04kPdawk-file +# @TEST-EXEC: btest-diff dDH5dHdsRH4-file +# @TEST-EXEC: btest-diff TaUJcEIboHh-file + +redef test_file_analysis_source = "HTTP"; + +redef test_get_file_name = function(f: fa_file): string + { + return fmt("%s-file", f$id); + }; From 705a84d688fc0726459acca732a57156afad4b06 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 21 May 2013 16:42:35 -0500 Subject: [PATCH 068/200] Improve tracking of HTTP file extraction (addresses #988). http.log now has files taken from request and response bodies in different fields for each, and can now track multiple files per body. That is, the "extraction_file" field is now "extracted_request_files" and "extracted_response_files". --- scripts/base/protocols/http/file-extract.bro | 27 ++++- .../Baseline/core.tunnels.ayiya/http.log | 14 +-- .../http.log | 12 +- .../core.tunnels.gtp.outer_ip_frag/http.log | 10 +- .../Baseline/core.tunnels.teredo/http.log | 16 +-- .../http.log | 12 +- .../istate.events-ssl/receiver.http.log | 10 +- .../istate.events-ssl/sender.http.log | 10 +- .../Baseline/istate.events/receiver.http.log | 10 +- .../Baseline/istate.events/sender.http.log | 10 +- .../http.log | 10 +- .../http.select | 28 ++--- .../http.log | 36 +++--- .../http.log | 10 +- .../http.log | 10 +- .../http.log | 106 +++++++++--------- .../http.log | 18 +-- .../http.log | 18 +-- .../http-item-QJO04kPdawk.dat | 1 + .../http-item-TJdltRTxco1.dat | 1 + .../http-item-TaUJcEIboHh.dat | 21 ++++ .../http-item-dDH5dHdsRH4.dat | 1 + .../http.log | 10 ++ .../base/protocols/http/multipart-extract.bro | 8 ++ 24 files changed, 235 insertions(+), 174 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-QJO04kPdawk.dat create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-TJdltRTxco1.dat create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-TaUJcEIboHh.dat create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-dDH5dHdsRH4.dat create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log create mode 100644 testing/btest/scripts/base/protocols/http/multipart-extract.bro 
diff --git a/scripts/base/protocols/http/file-extract.bro b/scripts/base/protocols/http/file-extract.bro index 011baf57b7..a8c6039395 100644 --- a/scripts/base/protocols/http/file-extract.bro +++ b/scripts/base/protocols/http/file-extract.bro @@ -14,8 +14,11 @@ export { const extraction_prefix = "http-item" &redef; redef record Info += { - ## On-disk file where the response body was extracted to. - extraction_file: string &log &optional; + ## On-disk location where files in request body were extracted. + extracted_request_files: vector of string &log &optional; + + ## On-disk location where files in response body were extracted. + extracted_response_files: vector of string &log &optional; ## Indicates if the response body is to be extracted or not. Must be ## set before or by the first :bro:see:`file_new` for the file content. @@ -29,6 +32,22 @@ function get_extraction_name(f: fa_file): string return r; } +function add_extraction_file(c: connection, is_orig: bool, fn: string) + { + if ( is_orig ) + { + if ( ! c$http?$extracted_request_files ) + c$http$extracted_request_files = vector(); + c$http$extracted_request_files[|c$http$extracted_request_files|] = fn; + } + else + { + if ( ! c$http?$extracted_response_files ) + c$http$extracted_response_files = vector(); + c$http$extracted_response_files[|c$http$extracted_response_files|] = fn; + } + } + event file_new(f: fa_file) &priority=5 { if ( ! f?$source ) return; @@ -48,7 +67,7 @@ event file_new(f: fa_file) &priority=5 { c = f$conns[cid]; if ( ! c?$http ) next; - c$http$extraction_file = fname; + add_extraction_file(c, f$is_orig, fname); } return; @@ -76,6 +95,6 @@ event file_new(f: fa_file) &priority=5 { c = f$conns[cid]; if ( ! c?$http ) next; - c$http$extraction_file = fname; + add_extraction_file(c, f$is_orig, fname); } } diff --git a/testing/btest/Baseline/core.tunnels.ayiya/http.log b/testing/btest/Baseline/core.tunnels.ayiya/http.log index cab51f8224..cd49c4cc89 100644 
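Review bot: Both call sites in file_new now pass `f$is_orig` into add_extraction_file, but only `source` is guarded (`if ( ! f?$source ) return;`); if `fa_file$is_orig` is an `&optional` field in this version's record, as it appears to be, an unset value raises a script runtime error instead of skipping the file, so a matching `if ( ! f?$is_orig ) return;` next to the existing guard keeps the extraction path fail-safe. add_extraction_file itself dereferences `c$http` unconditionally and relies on the callers' `if ( ! c?$http ) next;`; a one-line `## Caller must have verified c?$http.` comment on the function documents that precondition. The unchanged context comment `## Indicates if the response body is to be extracted or not.` now undersells the flag, since request-body files are extracted and logged as well; it should read `## Indicates if the message body (request or response) is to be extracted or not.`, to be confirmed against the flag's use, which lies outside the hunk.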
--- a/testing/btest/Baseline/core.tunnels.ayiya/http.log +++ b/testing/btest/Baseline/core.tunnels.ayiya/http.log 
@@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-38-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1257655301.652206 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - - (empty) - - - text/html - - -1257655302.514424 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - - -1257655303.603569 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - - -#close 2013-03-22-14-38-11 +#open 2013-05-21-21-11-20 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string 
string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1257655301.652206 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - - (empty) - - - text/html - - - +1257655302.514424 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - - - +1257655303.603569 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - - - +#close 2013-05-21-21-11-20 diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log index 51f3b28791..e88be88763 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log +++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-37-45 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1333458850.340368 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 1 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - - -1333458850.399501 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 2 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - - -#close 2013-03-22-14-37-45 +#open 2013-05-21-21-11-21 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] 
string string table[string] string string vector[string] vector[string] +1333458850.340368 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 1 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - - - +1333458850.399501 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 2 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - - - +#close 2013-05-21-21-11-21 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log index 5067915aff..8f2893caa7 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-28-21-35-15 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1333458850.375568 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 1 GET o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com /videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1 http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11 0 56320 206 Partial Content - - - (empty) - - - application/octet-stream - - -#close 2013-03-28-21-35-15 +#open 2013-05-21-21-11-22 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1333458850.375568 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 1 GET o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com 
/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1 http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11 0 56320 206 Partial Content - - - (empty) - - - application/octet-stream - - - +#close 2013-05-21-21-11-22 diff --git a/testing/btest/Baseline/core.tunnels.teredo/http.log b/testing/btest/Baseline/core.tunnels.teredo/http.log index f8be9be69b..4e3cdfd61d 100644 --- a/testing/btest/Baseline/core.tunnels.teredo/http.log +++ b/testing/btest/Baseline/core.tunnels.teredo/http.log 
@@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-37-44 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1210953057.917183 3PKsZ2Uye21 192.168.2.16 1578 75.126.203.78 80 1 POST download913.avast.com /cgi-bin/iavs4stats.cgi - Syncer/4.80 (av_pro-1169;f) 589 0 204 - - - (empty) - - - text/plain - - -1210953061.585996 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html - - -1210953073.381474 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html - - -1210953074.674817 c4Zw9TmAE05 192.168.2.16 1580 67.228.110.120 80 1 GET www.wireshark.org / http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 11845 200 OK - - - (empty) - - - application/xml - - -#close 2013-03-22-14-37-44 +#open 2013-05-21-21-11-21 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port 
count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1210953057.917183 3PKsZ2Uye21 192.168.2.16 1578 75.126.203.78 80 1 POST download913.avast.com /cgi-bin/iavs4stats.cgi - Syncer/4.80 (av_pro-1169;f) 589 0 204 - - - (empty) - - - text/plain - - - +1210953061.585996 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html - - - +1210953073.381474 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html - - - +1210953074.674817 c4Zw9TmAE05 192.168.2.16 1580 67.228.110.120 80 1 GET www.wireshark.org / http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 11845 200 OK - - - (empty) - - - application/xml - - - +#close 2013-05-21-21-11-21 diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log index 4ad6d6cd60..65ec33186e 100644 --- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-37-44 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1340127577.361683 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html - - -1340127577.379360 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html - - -#close 2013-03-22-14-37-44 +#open 2013-05-21-21-11-22 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1340127577.361683 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html - - - +1340127577.379360 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 
2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html - - - +#close 2013-05-21-21-11-22 diff --git a/testing/btest/Baseline/istate.events-ssl/receiver.http.log b/testing/btest/Baseline/istate.events-ssl/receiver.http.log index aa69373171..be7e6e5692 100644 --- a/testing/btest/Baseline/istate.events-ssl/receiver.http.log +++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-21-05-55 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1363986354.505533 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - - -#close 2013-03-22-21-05-56 +#open 2013-05-21-21-11-32 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1369170691.550143 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - - - +#close 2013-05-21-21-11-33 
diff --git a/testing/btest/Baseline/istate.events-ssl/sender.http.log b/testing/btest/Baseline/istate.events-ssl/sender.http.log index 5ecca912f8..be7e6e5692 100644 --- a/testing/btest/Baseline/istate.events-ssl/sender.http.log +++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2013-04-10-15-49-37 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1365608977.146651 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - - -#close 2013-04-10-15-49-38 +#open 2013-05-21-21-11-32 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1369170691.550143 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - - - +#close 2013-05-21-21-11-33 diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log index 2531eb4bc0..ae693399c3 100644 --- a/testing/btest/Baseline/istate.events/receiver.http.log +++ b/testing/btest/Baseline/istate.events/receiver.http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-21-03-17 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1363986197.076696 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - - -#close 2013-03-22-21-03-18 +#open 2013-05-21-21-11-40 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1369170699.511968 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - - - +#close 2013-05-21-21-11-41 diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log index e8f1872b95..ae693399c3 100644 --- a/testing/btest/Baseline/istate.events/sender.http.log +++ b/testing/btest/Baseline/istate.events/sender.http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2013-04-10-15-48-08 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1365608887.935644 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - - -#close 2013-04-10-15-48-09 +#open 2013-05-21-21-11-40 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1369170699.511968 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - - - +#close 2013-05-21-21-11-41 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log index 472dfcce39..026b25b161 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-38-21 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 1 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) 0 346 404 Not Found - - - (empty) - - - text/html - - -#close 2013-03-22-14-38-21 +#open 2013-05-21-21-11-23 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 1 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) 0 346 404 Not Found - - - (empty) - - - text/html - - - +#close 2013-05-21-21-11-23 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select index 2f3c305a39..a228fa2e11 100644 
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/http.select 
@@ -1,14 +1,14 @@ -1300475168.78402|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|1|GET|bits.wikimedia.org|/skins-1.5/monobook/main.css|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| -1300475168.91602|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/6/63/Wikipedia-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| -1300475168.91618|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| -1300475168.91836|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/b/bd/Bookshelf-40x201_6.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| -1300475168.9523|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| -1300475168.95231|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| 
-1300475168.95482|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| -1300475168.96269|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|1|GET|meta.wikimedia.org|/images/wikimedia-button.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| -1300475168.97593|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| -1300475168.97644|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| -1300475168.97926|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| -1300475169.01459|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not 
Modified||||(empty)|||||| -1300475169.01462|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| -1300475169.01493|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)|||||| +1300475168.78402|j4u32Pc5bif|141.142.220.118|48649|208.80.152.118|80|1|GET|bits.wikimedia.org|/skins-1.5/monobook/main.css|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| +1300475168.91602|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/6/63/Wikipedia-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| +1300475168.91618|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| +1300475168.91836|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/b/bd/Bookshelf-40x201_6.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| 
+1300475168.9523|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| +1300475168.95231|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| +1300475168.95482|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|1|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| +1300475168.96269|i2rO3KD1Syg|141.142.220.118|35642|208.80.152.2|80|1|GET|meta.wikimedia.org|/images/wikimedia-button.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| +1300475168.97593|VW0XPVINV8a|141.142.220.118|49997|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| +1300475168.97644|3PKsZ2Uye21|141.142.220.118|49996|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| 
+1300475168.97926|GSxOnSLghOa|141.142.220.118|49998|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| +1300475169.01459|P654jzLoe3a|141.142.220.118|49999|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| +1300475169.01462|Tw8jXtpTGu6|141.142.220.118|50000|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| +1300475169.01493|0Q4FH8sESw5|141.142.220.118|50001|208.80.152.3|80|2|GET|upload.wikimedia.org|/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png|http://www.wikipedia.org/|Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15|0|0|304|Not Modified||||(empty)||||||| diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log b/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log index 5d707d5cb8..6b7bea88c9 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log 
@@ -3,21 +3,21 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-38-24 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1300475168.784020 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.916018 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.916183 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.918358 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.952307 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org 
/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.952296 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.954820 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.962687 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.975934 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.976436 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475168.979264 GSxOnSLghOa 141.142.220.118 49998 
208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475169.014619 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475169.014593 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -1300475169.014927 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - -#close 2013-03-22-14-38-24 +#open 2013-05-21-21-11-23 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1300475168.784020 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 1 
GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475168.916018 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475168.916183 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475168.918358 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475168.952307 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475168.952296 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475168.954820 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 1 GET 
upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475168.962687 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475168.975934 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475168.976436 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475168.979264 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475169.014619 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - 
- +1300475169.014593 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +1300475169.014927 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - - - +#close 2013-05-21-21-11-23 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log b/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log index 8053b3a287..edbee28991 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-38-28 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1237440095.634312 UWkUyAuUGXf 192.168.3.103 54102 128.146.216.51 80 1 POST www.osu.edu / - curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3 2001 60731 200 OK 100 Continue - (empty) - - - text/html - - -#close 2013-03-22-14-38-28 +#open 2013-05-21-21-11-24 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1237440095.634312 UWkUyAuUGXf 192.168.3.103 54102 128.146.216.51 80 1 POST www.osu.edu / - curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3 2001 60731 200 OK 100 Continue - (empty) - - - text/html - - - +#close 2013-05-21-21-11-24 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log index e438b10b96..fa189fcc1f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-38-28 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item-BFymS6bFgT3.dat -#close 2013-03-22-14-38-28 +#open 2013-05-21-21-11-25 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - http-item-BFymS6bFgT3.dat +#close 2013-05-21-21-11-25 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log index 9dafcc74e0..54a75f4697 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log 
@@ -3,56 +3,56 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-25-20-20-22 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1354328870.191989 UWkUyAuUGXf 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - - 0 962 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328874.237327 arKYeMETxOg 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328874.364020 j4u32Pc5bif 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - - 0 43911 200 OK - - - (empty) - - - text/html - - -1354328878.470424 TEfuqmmG4bh 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - - 0 43983 200 OK - - - (empty) - - - text/html - - -1354328882.575456 FrJExwHcSal 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - - 0 1207 403 Forbidden - - - (empty) - - - text/html - - -1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328882.990373 VW0XPVINV8a 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - - 0 43913 200 OK - - - (empty) - - - text/html - - -1354328887.114613 
fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 0 - - - - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328891.309065 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328899.526682 EAr0uf4mhq 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328903.572533 GvmoxJFXdTa 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html 
- - -1354328903.697693 UfGkYA2HI2g 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328907.743696 i2rO3KD1Syg 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328911.790590 2cx26uAvUPl 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328911.918511 zno26fFZkrh 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328915.964678 v5rgkJBig5l 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328920.010458 eWZCH7OONC1 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328920.136714 yC2d6kVg709 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328924.183211 VcgagLjnO92 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - -1354328924.224567 bdRoHfaPBo3 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - - -1354328924.287402 
zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328924.350343 xNYSS2hJkle 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - -1354328924.391728 vMVjlplKKbd 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - -1354328924.433150 3omNawSNrxj 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - - -1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328924.559704 E490YZTUozc 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - -1354328928.625437 YIeWJmXWNWj 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - -1354328932.692706 ydiZblvsYri 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - - 0 0 400 Bad Request - - - (empty) - - - - - - -1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -#close 2013-03-25-20-20-22 +#open 2013-05-21-21-11-25 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files 
extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1354328870.191989 UWkUyAuUGXf 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - - 0 962 405 Method Not Allowed - - - (empty) - - - text/html - - - +1354328874.237327 arKYeMETxOg 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328874.364020 j4u32Pc5bif 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - - 0 43911 200 OK - - - (empty) - - - text/html - - - +1354328878.470424 TEfuqmmG4bh 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - - 0 43983 200 OK - - - (empty) - - - text/html - - - +1354328882.575456 FrJExwHcSal 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - - 0 1207 403 Forbidden - - - (empty) - - - text/html - - - +1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328882.990373 VW0XPVINV8a 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - - 0 43913 200 OK - - - (empty) - - - text/html - - - +1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 0 - - - - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - - +1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - 
+1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328891.309065 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - - +1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - - +1354328899.526682 EAr0uf4mhq 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328903.572533 GvmoxJFXdTa 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328903.697693 UfGkYA2HI2g 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328907.743696 i2rO3KD1Syg 128.2.6.136 46587 173.194.75.103 80 1 
TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - - +1354328911.790590 2cx26uAvUPl 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328911.918511 zno26fFZkrh 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - - +1354328915.964678 v5rgkJBig5l 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - - +1354328920.010458 eWZCH7OONC1 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328920.136714 yC2d6kVg709 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - - +1354328924.183211 VcgagLjnO92 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - - +1354328924.224567 bdRoHfaPBo3 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - - - +1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 0 - - - - - 0 925 400 Bad 
Request - - - (empty) - - - text/html - - - +1354328924.350343 xNYSS2hJkle 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - - +1354328924.391728 vMVjlplKKbd 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - - +1354328924.433150 3omNawSNrxj 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - - - +1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328924.559704 E490YZTUozc 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - - +1354328928.625437 YIeWJmXWNWj 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - - +1354328932.692706 ydiZblvsYri 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - - 0 0 400 Bad Request - - - (empty) - - - - - - - +1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - - +#close 2013-05-21-21-11-25 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log index 6073e9b563..97e797b4fb 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-mime-and-md5/http.log 
@@ -3,12 +3,12 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-16-25-59 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - (empty) - - - text/plain - - -1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - (empty) - - - text/plain - - -1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - (empty) - - - image/gif - - -1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - (empty) - - - image/png e0029eea80812e9a8e57b8d05d52938a - -1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; 
rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - (empty) - - - image/png 30aa926344f58019d047e85ba049ca1e - -#close 2013-03-22-16-25-59 +#open 2013-05-21-21-11-25 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - (empty) - - - text/plain - - - +1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - (empty) - - - text/plain - - - +1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - (empty) - - - image/gif - - - +1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - (empty) - - - image/png e0029eea80812e9a8e57b8d05d52938a - - +1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org 
/projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - (empty) - - - image/png 30aa926344f58019d047e85ba049ca1e - - +#close 2013-05-21-21-11-25 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log index d7791097a9..e22fb53103 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log 
@@ -3,12 +3,12 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-38-28 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string -1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - (empty) - - - - - -1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - (empty) - - - - - -1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - (empty) - - - - - -1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - (empty) - - - - - -1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - (empty) - - - - - -#close 
2013-03-22-14-38-28 +#open 2013-05-21-21-11-25 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string vector[string] vector[string] +1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - (empty) - - - - - - +1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - (empty) - - - - - - +1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - (empty) - - - - - - +1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - (empty) - - - - - - +1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - (empty) - - - - - - 
+#close 2013-05-21-21-11-25 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-QJO04kPdawk.dat b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-QJO04kPdawk.dat new file mode 100644 index 0000000000..ac2a9e002d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-QJO04kPdawk.dat @@ -0,0 +1 @@ +test2 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-TJdltRTxco1.dat b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-TJdltRTxco1.dat new file mode 100644 index 0000000000..77356c3140 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-TJdltRTxco1.dat @@ -0,0 +1 @@ +test diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-TaUJcEIboHh.dat b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-TaUJcEIboHh.dat new file mode 100644 index 0000000000..8f0eb247e3 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-TaUJcEIboHh.dat @@ -0,0 +1,21 @@ +{ + "data": "", + "form": { + "example": "test", + "example2": "test2", + "example3": "test3" + }, + "origin": "141.142.228.5", + "json": null, + "url": "http://httpbin.org/post", + "args": {}, + "headers": { + "Content-Type": "multipart/form-data; boundary=----------------------------4ebf00fbcf09", + "User-Agent": "curl/7.30.0", + "Connection": "close", + "Accept": "*/*", + "Content-Length": "350", + "Host": "httpbin.org" + }, + "files": {} +} \ No newline at end of file diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-dDH5dHdsRH4.dat b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-dDH5dHdsRH4.dat new file mode 100644 index 0000000000..ae48ec8c20 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http-item-dDH5dHdsRH4.dat @@ -0,0 +1 @@ +test3 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log new file mode 100644 index 0000000000..7f71d93d9c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2013-05-21-21-31-32 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extracted_request_files extracted_response_files +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string vector[string] vector[string] +1369159408.455878 UWkUyAuUGXf 141.142.228.5 57262 54.243.88.146 80 1 POST httpbin.org /post - curl/7.30.0 370 465 200 OK - - - (empty) - - - text/plain - http-item-TJdltRTxco1.dat,http-item-QJO04kPdawk.dat,http-item-dDH5dHdsRH4.dat http-item-TaUJcEIboHh.dat +#close 2013-05-21-21-31-32 diff --git a/testing/btest/scripts/base/protocols/http/multipart-extract.bro b/testing/btest/scripts/base/protocols/http/multipart-extract.bro new file mode 100644 index 0000000000..5d72cb349f --- /dev/null +++ b/testing/btest/scripts/base/protocols/http/multipart-extract.bro @@ -0,0 +1,8 @@ +# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT +# @TEST-EXEC: btest-diff http.log +# @TEST-EXEC: btest-diff http-item-TJdltRTxco1.dat +# @TEST-EXEC: btest-diff http-item-QJO04kPdawk.dat +# @TEST-EXEC: btest-diff http-item-dDH5dHdsRH4.dat +# @TEST-EXEC: btest-diff http-item-TaUJcEIboHh.dat + +redef HTTP::extract_file_types += /.*/; 
From f82167d06715a74718e37ccd5d5a6dec03b1320d Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 23 May 2013 10:22:49 -0500
Subject: [PATCH 069/200] Improve file analysis doxygen comments.
---
 src/file_analysis/Analyzer.h | 39 ++++++++++---
 src/file_analysis/AnalyzerSet.h | 97 +++++++++++++++++++++++++++++--
 src/file_analysis/DataEvent.h | 35 ++++++++++-
 src/file_analysis/Extract.h | 29 ++++++++-
 src/file_analysis/File.h | 52 +++++++++++++++--
 src/file_analysis/FileTimer.h | 9 +++
 src/file_analysis/Hash.h | 84 +++++++++++++++++++++++++++
 src/file_analysis/Manager.h | 100 +++++++++++++++++++++++++++++++-
 8 files changed, 421 insertions(+), 24 deletions(-)
diff --git a/src/file_analysis/Analyzer.h b/src/file_analysis/Analyzer.h
index 6ba76317a7..d32532b264 100644
--- a/src/file_analysis/Analyzer.h
+++ b/src/file_analysis/Analyzer.h
@@ -17,6 +17,11 @@ class File;
 */
 class Analyzer {
 public:
+
+ /**
+ * Destructor. Nothing special about it. Virtual since we definitely expect
+ * to delete instances of derived classes via pointers to this class.
+ */
 virtual ~Analyzer()
 {
 DBG_LOG(DBG_FILE_ANALYSIS, "Destroy file analyzer %d", tag);
@@ -24,7 +29,10 @@ public:
 }
 
 /**
- * Subclasses may override this to receive file data non-sequentially.
+ * Subclasses may override this metod to receive file data non-sequentially.
+ * @param data points to start of a chunk of file data.
+ * @param len length in bytes of the chunk of data pointed to by \a data.
+ * @param offset the byte offset within full file that data chunk starts.
 * @return true if the analyzer is still in a valid state to continue
 * receiving data/events or false if it's essentially "done".
 */
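Review bot: The new doc line in the `@@ -24,7 +29,10 @@` hunk misspells "method": `* Subclasses may override this metod to receive file data non-sequentially.` should read `method`, and `@param offset the byte offset within full file that data chunk starts.` reads better as `the byte offset within the full file at which the data chunk starts.`. The same kind of slip appears in the constructor documentation added by the `@@ -84,6 +99,13 @@` hunk: `specifiying` should be `specifying` and `the file to which the the analyzer is being attached` has a doubled "the". The declaration this comment documents sits below the hunk, so the parameter names cannot be checked against the signature from here.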
@@ -32,7 +40,9 @@ public:
 { return true; }
 
 /**
- * Subclasses may override this to receive file sequentially.
+ * Subclasses may override this method to receive file sequentially.
+ * @param data points to start of the next chunk of file data.
+ * @param len length in bytes of the chunk of data pointed to by \a data.
 * @return true if the analyzer is still in a valid state to continue
 * receiving data/events or false if it's essentially "done".
 */
@@ -40,7 +50,7 @@ public:
 { return true; }
 
 /**
- * Subclasses may override this to specifically handle an EOF signal,
+ * Subclasses may override this method to specifically handle an EOF signal,
 * which means no more data is going to be incoming and the analyzer
 * may be deleted/cleaned up soon.
 * @return true if the analyzer is still in a valid state to continue
@@ -50,7 +60,10 @@ public:
 { return true; }
 
 /**
- * Subclasses may override this to handle missing data in a file stream.
+ * Subclasses may override this method to handle missing data in a file.
+ * @param offset the byte offset within full file at which the missing
+ * data chunk occurs.
+ * @param len the number of missing bytes.
 * @return true if the analyzer is still in a valid state to continue
 * receiving data/events or false if it's essentially "done".
 */
@@ -73,8 +86,10 @@ public:
 File* GetFile() const { return file; }
 
 /**
+ * Retrieves an analyzer tag field from full analyzer argument record.
+ * @param args an \c AnalyzerArgs (script-layer type) value.
 * @return the analyzer tag equivalent of the 'tag' field from the
- * AnalyzerArgs value \a args.
+ * \c AnalyzerArgs value \a args.
 */
 static FA_Tag ArgsTag(const RecordVal* args)
 {
@@ -84,6 +99,13 @@ public:
 }
 
 protected:
+
+ /**
+ * Constructor. Only derived classes are meant to be instantiated.
+ * @param arg_args an \c AnalyzerArgs (script-layer type) value specifiying
+ * tunable options, if any, related to a particular analyzer type.
+ * @param arg_file the file to which the the analyzer is being attached.
+ */
 Analyzer(RecordVal* arg_args, File* arg_file)
 : tag(file_analysis::Analyzer::ArgsTag(arg_args)),
 args(arg_args->Ref()->AsRecordVal()),
@@ -91,9 +113,10 @@ protected:
 {}
 
 private:
- FA_Tag tag;
- RecordVal* args;
- File* file;
+
+ FA_Tag tag; /**< The particular analyzer type of the analyzer instance. */
+ RecordVal* args; /**< \c AnalyzerArgs val gives tunable analyzer params. */
+ File* file; /**< The file to which the analyzer is attached. */
 };
 
 typedef file_analysis::Analyzer* (*AnalyzerInstantiator)(RecordVal* args,
diff --git a/src/file_analysis/AnalyzerSet.h b/src/file_analysis/AnalyzerSet.h
index e982cc9f8f..7481e9020e 100644
--- a/src/file_analysis/AnalyzerSet.h
+++ b/src/file_analysis/AnalyzerSet.h
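Review bot: The constructor documentation in the `@@ -84,6 +99,13 @@` hunk omits the ownership contract that the visible initializer `args(arg_args->Ref()->AsRecordVal())` establishes: the analyzer takes its own reference to the argument record, so the caller's reference is untouched and must still be released by the caller. A line such as `@param arg_args ... The analyzer takes its own reference to this value; the caller's reference is unaffected.` would make that explicit, and the new field comment `RecordVal* args; /**< ... */` in the following hunk could say the same ("owned reference"). Whether the destructor releases that reference cannot be confirmed from this patch — the destructor body shown in the first hunk contains only the DBG_LOG line and is cut off — so the doc should not claim it either way without checking the implementation. The `File* file` field comment likewise does not state whether the pointer is owning; given the constructor just stores `arg_file`, it presumably is not, but that should be stated rather than left for readers to infer.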
@@ -16,67 +16,144 @@ class File; declare(PDict,Analyzer); /** - * A set of file analysis analyzers indexed by AnalyzerArgs. Allows queueing - * of addition/removals so that those modifications can happen at well-defined - * times (e.g. to make sure a loop iterator isn't invalidated). + * A set of file analysis analyzers indexed by an \c AnalyzerArgs (script-layer + * type) value. Allows queueing of addition/removals so that those + * modifications can happen at well-defined times (e.g. to make sure a loop + * iterator isn't invalidated). */ class AnalyzerSet { public: + + /** + * Constructor. Nothing special. + * @param arg_file the file to which all analyzers in the set are attached. + */ AnalyzerSet(File* arg_file); + /** + * Destructor. Any queued analyzer additions/removals are aborted and + * will not occur. + */ ~AnalyzerSet(); /** + * Attach an analyzer to #file immediately. + * @param args an \c AnalyzerArgs value which specifies an analyzer. * @return true if analyzer was instantiated/attached, else false. */ bool Add(RecordVal* args); /** + * Queue the attachment of an analyzer to #file. + * @param args an \c AnalyzerArgs value which specifies an analyzer. * @return true if analyzer was able to be instantiated, else false. */ bool QueueAdd(RecordVal* args); /** + * Remove an analyzer from #file immediately. + * @param args an \c AnalyzerArgs value which specifies an analyzer. * @return false if analyzer didn't exist and so wasn't removed, else true. */ bool Remove(const RecordVal* args); /** + * Queue the removal of an analyzer from #file. + * @param args an \c AnalyzerArgs value which specifies an analyzer. * @return true if analyzer exists at time of call, else false; */ bool QueueRemove(const RecordVal* args); /** - * Perform all queued modifications to the currently active analyzers. + * Perform all queued modifications to the current analyzer set. */ void DrainModifications(); + /** + * Prepare the analyzer set to be iterated over. 
+ * @see Dictionary#InitForIteration + * @return an iterator that may be used to loop over analyzers in the set. + */ IterCookie* InitForIteration() const { return analyzer_map.InitForIteration(); } + /** + * Get next entry in the analyzer set. + * @see Dictionary#NextEntry + * @param c a set iterator. + * @return the next analyzer in the set or a null pointer if there is no + * more left (in that case the cookie is also deleted). + */ file_analysis::Analyzer* NextEntry(IterCookie* c) { return analyzer_map.NextEntry(c); } protected: + + /** + * Get a hash key which represents an analyzer instance. + * @param args an \c AnalyzerArgs value which specifies an analyzer. + * @return the hash key calculated from \a args + */ HashKey* GetKey(const RecordVal* args) const; + + /** + * Create an instance of a file analyzer. + * @param args an \c AnalyzerArgs value which specifies an analyzer. + * @return a new file analyzer instance. + */ file_analysis::Analyzer* InstantiateAnalyzer(RecordVal* args) const; + + /** + * Insert an analyzer instance in to the set. + * @param a an analyzer instance. + * @param key the hash key which represents the analyzer's \c AnalyzerArgs. + */ void Insert(file_analysis::Analyzer* a, HashKey* key); + + /** + * Remove an analyzer instance from the set. + * @param tag enumarator which specifies type of the analyzer to remove, + * just used for debugging messages. + * @param key the hash key which represents the analyzer's \c AnalyzerArgs. + */ bool Remove(FA_Tag tag, HashKey* key); private: - File* file; + + File* file; /**< File which owns the set */ CompositeHash* analyzer_hash; /**< AnalyzerArgs hashes. */ PDict(file_analysis::Analyzer) analyzer_map; /**< Indexed by AnalyzerArgs. */ + /** + * Abstract base class for analyzer set modifications. + */ class Modification { public: virtual ~Modification() {} + + /** + * Perform the modification on an analyzer set. + * @param set the analyzer set on which the modification will happen. 
+ * @return true if the modification altered \a set. + */ virtual bool Perform(AnalyzerSet* set) = 0; + + /** + * Don't perform the modification on the analyzer set and clean up. + */ virtual void Abort() = 0; }; + /** + * Represents a request to add an analyzer to an analyzer set. + */ class AddMod : public Modification { public: + /** + * Construct request which can add an analyzer to an analyzer set. + * @param arg_a an analyzer instance to add to an analyzer set. + * @param arg_key hash key representing the analyzer's \c AnalyzerArgs. + */ AddMod(file_analysis::Analyzer* arg_a, HashKey* arg_key) : Modification(), a(arg_a), key(arg_key) {} virtual ~AddMod() {} @@ -88,8 +165,16 @@ private: HashKey* key; }; + /** + * Represents a request to remove an analyzer from an analyzer set. + */ class RemoveMod : public Modification { public: + /** + * Construct request which can remove an analyzer from an analyzer set. + * @param arg_a an analyzer instance to add to an analyzer set. + * @param arg_key hash key representing the analyzer's \c AnalyzerArgs. + */ RemoveMod(FA_Tag arg_tag, HashKey* arg_key) : Modification(), tag(arg_tag), key(arg_key) {} virtual ~RemoveMod() {} @@ -102,7 +187,7 @@ private: }; typedef queue ModQueue; - ModQueue mod_queue; + ModQueue mod_queue; /**< A queue of analyzer additions/removals requests. */ }; } // namespace file_analysiss diff --git a/src/file_analysis/DataEvent.h b/src/file_analysis/DataEvent.h index 40a7f5971f..60b0487a6f 100644 --- a/src/file_analysis/DataEvent.h +++ b/src/file_analysis/DataEvent.h 
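Review bot: The protected `Remove(FA_Tag tag, HashKey* key)` docstring in this hunk has no `@return` although the method returns bool, and its `@param tag` line misspells `enumarator`. Suggest ` * @param tag enumerator which specifies type of the analyzer to remove,` and adding ` * @return false if no analyzer was mapped to \a key, else true.` — that return meaning is inferred from the public Remove documented above it and should be confirmed against the definition, which is outside this hunk. The Insert/Remove docs also leave unstated whether the set takes ownership of \a key; worth saying, since AddMod/RemoveMod visibly store the raw pointer.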
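Review bot: The RemoveMod constructor doc describes a parameter `arg_a` "to add", but the signature is `RemoveMod(FA_Tag arg_tag, HashKey* arg_key)` — the line was copied from AddMod. Replace it with ` * @param arg_tag the type of the analyzer to remove from an analyzer set.`; as written Doxygen will warn about an undocumented `arg_tag` and a nonexistent `arg_a`.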
@@ -12,17 +12,50 @@ namespace file_analysis { /** - * An analyzer to send file data to script-layer events. + * An analyzer to send file data to script-layer via events. */ class DataEvent : public file_analysis::Analyzer { public: + + /** + * Generates the event, if any, specified by the "chunk_event" field of this + * analyzer's \c AnalyzerArgs. This is for non-sequential file data input. + * @param data pointer to start of file data chunk. + * @param len number of bytes in the data chunk. + * @param offset number of bytes from start of file at which chunk occurs. + * @return always true + */ virtual bool DeliverChunk(const u_char* data, uint64 len, uint64 offset); + /** + * Generates the event, if any, specified by the "stream_event" field of + * this analyzer's \c AnalyzerArgs. This is for sequential file data input. + * @param data pointer to start of file data chunk. + * @param len number of bytes in the data chunk. + * @return always true + */ virtual bool DeliverStream(const u_char* data, uint64 len); + /** + * Create a new instance of a DataEvent analyzer. + * @param args the \c AnalyzerArgs value which represents the analyzer. + * @param file the file to which the analyzer will be attached. + * @return the new DataEvent analyzer instance or a null pointer if + * no "chunk_event" or "stream_event" field was specfied in \a args. + */ static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); protected: + + /** + * Constructor. + * @param args the \c AnalyzerArgs value which represents the analyzer. + * @param file the file to which the analyzer will be attached. + * @param ce pointer to event handler which will be called to receive + * non-sequential file data. + * @param se pointer to event handler which will be called to receive + * sequential file data. + */ DataEvent(RecordVal* args, File* file, EventHandlerPtr ce, EventHandlerPtr se); 
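Review bot: Typo in the Instantiate docstring: `specfied` should be `specified`, i.e. ` * no "chunk_event" or "stream_event" field was specified in \a args.` The parameter lists in the other new docstrings match the declarations visible in the hunk.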
diff --git a/src/file_analysis/Extract.h b/src/file_analysis/Extract.h index 1f5ee3a185..85d2a9e7a8 100644 --- a/src/file_analysis/Extract.h +++ b/src/file_analysis/Extract.h @@ -12,17 +12,44 @@ namespace file_analysis { /** - * An analyzer to extract files to disk. + * An analyzer to extract content of files to local disk. */ class Extract : public file_analysis::Analyzer { public: + + /** + * Destructor. Will close the file that was used for data extraction. + */ virtual ~Extract(); + /** + * Write a chunk of file data to the local extraction file. + * @param data pointer to a chunk of file data. + * @param len number of bytes in the data chunk. + * @param offset number of bytes from start of file at which chunk starts. + * @return false if there was no extraction file open and the data couldn't + * be written, else true. + */ virtual bool DeliverChunk(const u_char* data, uint64 len, uint64 offset); + /** + * Create a new instance of an Extract analyzer. + * @param args the \c AnalyzerArgs value which represents the analyzer. + * @param file the file to which the analyzer will be attached. + * @return the new Extract analyzer instance or a null pointer if the + * the "extraction_file" field of \a args wasn't set. + */ static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); protected: + + /** + * Constructor. + * @param args the \c AnalyzerArgs value which represents the analyzer. + * @param file the file to which the analyzer will be attached. + * @param arg_filename a file system path which specifies the local file + * to which the contents of the file will be extracted/written. + */ Extract(RecordVal* args, File* file, const string& arg_filename); private: diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 0a7b9be30d..e889af3ea4 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h 
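Review bot: The `arg_filename` documentation in the protected constructor does not say whether the path is validated or used as given, and since Instantiate's docstring says the value comes from the script-layer "extraction_file" field, a reader needs that to know where the responsibility for confining extraction to an intended directory lies. If the constructor opens the path verbatim, a sentence such as ` * The path is used as given; callers are responsible for ensuring it refers to the intended extraction location.` makes that explicit — the constructor body is outside the hunk, so confirm before wording it. DeliverChunk's doc is the only place a failed open surfaces (`false if there was no extraction file open`), which is worth cross-referencing from the constructor. Also `if the the "extraction_file"` in the Instantiate doc duplicates `the`.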
@@ -19,10 +19,15 @@ namespace file_analysis { */ class File { public: + + /** + * Destructor. Nothing fancy, releases a reference to the wrapped + * \c fa_file value. + */ ~File(); /** - * @return the #val record. + * @return the wrapped \c fa_file record value, #val. */ RecordVal* GetVal() const { return val; } @@ -34,6 +39,7 @@ public: /** * Set the "source" field from #val record to \a source. + * @param source the new value of the "source" field. */ void SetSource(const string& source); @@ -44,6 +50,7 @@ public: /** * Set the "timeout_interval" field from #val record to \a interval seconds. + * @param interval the new value of the "timeout_interval" field. */ void SetTimeoutInterval(double interval); @@ -64,13 +71,15 @@ public: /** * Set "total_bytes" field of #val record to \a size. + * @param size the new value of the "total_bytes" field. */ void SetTotalBytes(uint64 size); /** - * Compares "seen_bytes" field to "total_bytes" field of #val record - * and returns true if the comparison indicates the full file was seen. - * If "total_bytes" hasn't been set yet, it returns false. + * Compares "seen_bytes" field to "total_bytes" field of #val record to + * determine if the full file has been seen. + * @return false if "total_bytes" hasn't been set yet or "seen_bytes" is + * less than it, else true. */ bool IsComplete() const; 
@@ -84,23 +93,30 @@ public: /** * Queues attaching an analyzer. Only one analyzer per type can be attached * at a time unless the arguments differ. + * @param args an \c AnalyzerArgs value representing a file analyzer. * @return false if analyzer can't be instantiated, else true. */ bool AddAnalyzer(RecordVal* args); /** * Queues removal of an analyzer. + * @param args an \c AnalyzerArgs value representing a file analyzer. * @return true if analyzer was active at time of call, else false. */ bool RemoveAnalyzer(const RecordVal* args); /** * Pass in non-sequential data and deliver to attached analyzers. + * @param data pointer to start of a chunk of file data. + * @param len number of bytes in the data chunk. + * @param offset number of bytes from start of file at which chunk occurs. */ void DataIn(const u_char* data, uint64 len, uint64 offset); /** * Pass in sequential data and deliver to attached analyzers. + * @param data pointer to start of a chunk of file data. + * @param len number of bytes in the data chunk. */ void DataIn(const u_char* data, uint64 len); @@ -111,10 +127,13 @@ public: /** * Inform attached analyzers about a gap in file stream. + * @param offset number of bytes in to file at which missing chunk starts. + * @param len length in bytes of the missing chunk of file data. */ void Gap(uint64 offset, uint64 len); /** + * @param h pointer to an event handler. * @return true if event has a handler and the file isn't ignored. */ bool FileEventAvailable(EventHandlerPtr h); @@ -122,11 +141,14 @@ public: /** * Raises an event related to the file's life-cycle, the only parameter * to that event is the \c fa_file record.. + * @param h pointer to an event handler. */ void FileEvent(EventHandlerPtr h); /** * Raises an event related to the file's life-cycle. + * @param h pointer to an event handler. + * @param vl list of argument values to pass to event call. */ void FileEvent(EventHandlerPtr h, val_list* vl); 
@@ -135,6 +157,13 @@ protected: /** * Constructor; only file_analysis::Manager should be creating these. + * @param file_id an identifier string for the file in pretty hash form + * (similar to connection uids). + * @param conn a network connection over which the file is transferred. + * @param tag the network protocol over which the file is transferred. + * @param is_orig true if the file is being transferred from the originator + * of the connection to the responder. False indicates the other + * direction. */ File(const string& file_id, Connection* conn = 0, AnalyzerTag::Tag tag = AnalyzerTag::Error, bool is_orig = false); 
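Review bot: The new `@param conn` and `@param tag` lines in the File constructor doc don't mention that both are optional, although the visible defaults are `Connection* conn = 0` and `AnalyzerTag::Tag tag = AnalyzerTag::Error`. Suggest ` * @param conn a network connection over which the file is transferred, or a null pointer if the file isn't associated with a connection.` and ` * @param tag the network protocol over which the file is transferred, or AnalyzerTag::Error if not applicable.` A reader of the header otherwise has to infer the null case from the default argument alone.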
@@ -142,28 +171,37 @@ protected: /** * Updates the "conn_ids" and "conn_uids" fields in #val record with the * \c conn_id and UID taken from \a conn. + * @param conn the connection over which a part of the file has been seen. */ void UpdateConnectionFields(Connection* conn); /** * Increment a byte count field of #val record by \a size. + * @param size number of bytes by which to increment. + * @param field_idx the index of the field in \c fa_file to increment. */ void IncrementByteCount(uint64 size, int field_idx); /** * Wrapper to RecordVal::LookupWithDefault for the field in #val at index * \a idx which automatically unrefs the Val and returns a converted value. + * @param idx the index of a field of type "count" in \c fa_file. + * @return the value of the field, which may be it &default. */ uint64 LookupFieldDefaultCount(int idx) const; /** * Wrapper to RecordVal::LookupWithDefault for the field in #val at index * \a idx which automatically unrefs the Val and returns a converted value. + * @param idx the index of a field of type "interval" in \c fa_file. + * @return the value of the field, which may be it &default. */ double LookupFieldDefaultInterval(int idx) const; /** * Buffers incoming data at the beginning of a file. + * @param data pointer to a data chunk to buffer. + * @param len number of bytes in the data chunk. * @return true if buffering is still required, else false */ bool BufferBOF(const u_char* data, uint64 len); 
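Review bot: Both `LookupFieldDefaultCount` and `LookupFieldDefaultInterval` docs in this hunk say `which may be it &default`; the intended wording is ` * @return the value of the field, which may be its &default.` The BufferBOF `@return` line is also missing the trailing period the surrounding lines have.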
@@ -176,11 +214,15 @@ protected: /** * Does mime type detection and assigns type (if available) to \c mime_type * field in #val. + * @param data pointer to a chunk of file data. + * @param len number of bytes in the data chunk. * @return whether mime type was available. */ bool DetectMIME(const u_char* data, uint64 len); /** + * Lookup a record field index/offset by name. + * @param field_name the name of the \c fa_file record field. * @return the field offset in #val record corresponding to \a field_name. */ static int Idx(const string& field_name); @@ -198,7 +240,7 @@ private: bool missed_bof; /**< Flags that we missed start of file. */ bool need_reassembly; /**< Whether file stream reassembly is needed. */ bool done; /**< If this object is about to be deleted. */ - AnalyzerSet analyzers; + AnalyzerSet analyzers; /**< A set of attached file analyzer. */ struct BOF_Buffer { BOF_Buffer() : full(false), replayed(false), size(0) {} diff --git a/src/file_analysis/FileTimer.h b/src/file_analysis/FileTimer.h index 32d4e63254..bdfd1fe165 100644 --- a/src/file_analysis/FileTimer.h +++ b/src/file_analysis/FileTimer.h @@ -13,11 +13,20 @@ namespace file_analysis { */ class FileTimer : public Timer { public: + + /** + * Constructor, nothing interesting about it. + * @param t unix time at which the timer should start ticking. + * @param id the file identifier which will be checked for inactivity. + * @param interval amount of time after \a t to check for inactivity. + */ FileTimer(double t, const string& id, double interval); /** * Check inactivity of file_analysis::File corresponding to #file_id, * reschedule if active, else call file_analysis::Manager::Timeout. + * @param t current unix time + * @param is_expire true if all pending timers are being expired. */ void Dispatch(double t, int is_expire); diff --git a/src/file_analysis/Hash.h b/src/file_analysis/Hash.h index e4bc8f1747..e44af337aa 100644 --- a/src/file_analysis/Hash.h +++ b/src/file_analysis/Hash.h 
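Review bot: The field comment added for `analyzers` should be plural: `AnalyzerSet analyzers; /**< A set of attached file analyzers. */`. The neighbouring member comments on the visible lines are complete noun phrases, so this keeps them consistent.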
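Review bot: FileTimer::Dispatch's new `@param is_expire true if all pending timers are being expired.` documents an `int` parameter as a boolean; the visible signature is `void Dispatch(double t, int is_expire);`, presumably inherited from Timer, so the doc should either say only 0/1 are meaningful or say what other values mean. The `@param t current unix time` line also lacks the terminating period the neighbouring lines use.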
@@ -17,17 +17,50 @@ namespace file_analysis { */ class Hash : public file_analysis::Analyzer { public: + + /** + * Destructor. + */ virtual ~Hash(); + /** + * Incrementally hash next chunk of file contents. + * @param data pointer to start of a chunk of a file data. + * @param len number of bytes in the data chunk. + * @return false if the digest is in an invalid state, else true. + */ virtual bool DeliverStream(const u_char* data, uint64 len); + /** + * Finalizes the hash and raises a "file_hash" event. + * @return always false so analyze will be deteched from file. + */ virtual bool EndOfFile(); + /** + * Missing data can't be handled, so just indicate the this analyzer should + * be removed from receiving further data. The hash will not be finalized. + * @param offset byte offset in file at which missing chunk starts. + * @param len number of missing bytes. + * @return always false so analyzer will detach from file. + */ virtual bool Undelivered(uint64 offset, uint64 len); protected: + + /** + * Constructor. + * @param args the \c AnalyzerArgs value which represents the analyzer. + * @param file the file to which the analyzer will be attached. + * @param hv specific hash calculator object. + * @param kind human readable name of the hash algorithm to use. + */ Hash(RecordVal* args, File* file, HashVal* hv, const char* kind); + /** + * If some file contents have been seen, finalizes the hash of them and + * raises the "file_hash" event with the results. + */ void Finalize(); private: 
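Review bot: Two typos in the new Hash docs: EndOfFile's `@return always false so analyze will be deteched from file.` should read ` * @return always false so the analyzer will be detached from the file.`, and Undelivered's `indicate the this analyzer` should be `indicate that this analyzer`. The constructor's `@param hv` line also leaves ownership unstated; the MD5/SHA1/SHA256 subclasses in the next hunk pass a freshly allocated `new MD5Val()` etc., so presumably Hash owns and deletes \a hv — if the destructor (outside this hunk) confirms that, say ` * @param hv specific hash calculator object; the analyzer takes ownership.`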
@@ -36,34 +69,85 @@ private: const char* kind; }; +/** + * An analyzer to produce an MD5 hash of file contents. + */ class MD5 : public Hash { public: + + /** + * Create a new instance of the MD5 hashing file analyzer. + * @param args the \c AnalyzerArgs value which represents the analyzer. + * @param file the file to which the analyzer will be attached. + * @return the new MD5 analyzer instance or a null pointer if there's no + * handler for the "file_hash" event. + */ static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return file_hash ? new MD5(args, file) : 0; } protected: + + /** + * Constructor. + * @param args the \c AnalyzerArgs value which represents the analyzer. + * @param file the file to which the analyzer will be attached. + */ MD5(RecordVal* args, File* file) : Hash(args, file, new MD5Val(), "md5") {} }; +/** + * An analyzer to produce a SHA1 hash of file contents. + */ class SHA1 : public Hash { public: + + /** + * Create a new instance of the SHA1 hashing file analyzer. + * @param args the \c AnalyzerArgs value which represents the analyzer. + * @param file the file to which the analyzer will be attached. + * @return the new MD5 analyzer instance or a null pointer if there's no + * handler for the "file_hash" event. + */ static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return file_hash ? new SHA1(args, file) : 0; } protected: + + /** + * Constructor. + * @param args the \c AnalyzerArgs value which represents the analyzer. + * @param file the file to which the analyzer will be attached. + */ SHA1(RecordVal* args, File* file) : Hash(args, file, new SHA1Val(), "sha1") {} }; +/** + * An analyzer to produce a SHA256 hash of file contents. + */ class SHA256 : public Hash { public: + + /** + * Create a new instance of the SHA256 hashing file analyzer. + * @param args the \c AnalyzerArgs value which represents the analyzer. + * @param file the file to which the analyzer will be attached. 
+ * @return the new MD5 analyzer instance or a null pointer if there's no + * handler for the "file_hash" event. + */ static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return file_hash ? new SHA256(args, file) : 0; } protected: + + /** + * Constructor. + * @param args the \c AnalyzerArgs value which represents the analyzer. + * @param file the file to which the analyzer will be attached. + */ SHA256(RecordVal* args, File* file) : Hash(args, file, new SHA256Val(), "sha256") {} diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index 8e985d6ce3..7a5edd0783 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -26,7 +26,15 @@ namespace file_analysis { */ class Manager { public: + + /** + * Constructor. + */ Manager(); + + /** + * Destructor. Times out any currently active file analyses. + */ ~Manager(); /** 
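Review bot: The SHA1 and SHA256 `Instantiate` docstrings both say `@return the new MD5 analyzer instance`, copied from the MD5 class; they should read ` * @return the new SHA1 analyzer instance or a null pointer if there's no` and ` * @return the new SHA256 analyzer instance or a null pointer if there's no` respectively. The null condition itself (`file_hash ? new ... : 0`) is described correctly in all three.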
@@ -35,48 +43,97 @@ public: void Terminate(); /** + * Creates a file identifier from a unique file handle string. + * @param handle a unique string which identifies a single file. * @return a prettified MD5 hash of \a handle, truncated to 64-bits. */ string HashHandle(const string& handle) const; /** - * Take in a unique file handle string to identify incoming file data. + * Take in a unique file handle string to identify next piece of + * incoming file data/information. + * @param handle a unique string which identifies a single file. */ void SetHandle(const string& handle); /** * Pass in non-sequential file data. + * @param data pointer to start of a chunk of file data. + * @param len number of bytes in the data chunk. + * @param offset number of bytes from start of file that data chunk occurs. + * @param tag network protocol over which the file data is transferred. + * @param conn network connection over which the file data is transferred. + * @param is_orig true if the file is being sent from connection originator + * or false if is being sent in the opposite direction. */ void DataIn(const u_char* data, uint64 len, uint64 offset, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); /** * Pass in sequential file data. + * @param data pointer to start of a chunk of file data. + * @param len number of bytes in the data chunk. + * @param tag network protocol over which the file data is transferred. + * @param conn network connection over which the file data is transferred. + * @param is_orig true if the file is being sent from connection originator + * or false if is being sent in the opposite direction. */ void DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); /** * Pass in sequential file data from external source (e.g. input framework). + * @param data pointer to start of a chunk of file data. + * @param len number of bytes in the data chunk. 
+ * @param file_id an identifier for the file (usually a hash of \a source). + * @param source uniquely identifies the file and should also describe + * in human-readable form where the file input is coming from (e.g. + * a local file path). */ void DataIn(const u_char* data, uint64 len, const string& file_id, const string& source); /** - * Signal the end of file data. + * Signal the end of file data regardless of which direction it is being + * sent over the connection. + * @param tag network protocol over which the file data is transferred. + * @param conn network connection over which the file data is transferred. */ void EndOfFile(AnalyzerTag::Tag tag, Connection* conn); + + /** + * Signal the end of file data being transferred over a connection in + * a particular direction. + * @param tag network protocol over which the file data is transferred. + * @param conn network connection over which the file data is transferred. + */ void EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig); + + /** + * Signal the end of file data being transferred using the file identifier. + * @param file_id the file identifier/hash. + */ void EndOfFile(const string& file_id); /** * Signal a gap in the file data stream. + * @param offset number of bytes in to file at which missing chunk starts. + * @param len length in bytes of the missing chunk of file data. + * @param tag network protocol over which the file data is transferred. + * @param conn network connection over which the file data is transferred. + * @param is_orig true if the file is being sent from connection originator + * or false if is being sent in the opposite direction. */ void Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); /** * Provide the expected number of bytes that comprise a file. + * @param size the number of bytes in the full file. + * @param tag network protocol over which the file data is transferred. 
+ * @param conn network connection over which the file data is transferred. + * @param is_orig true if the file is being sent from connection originator + * or false if is being sent in the opposite direction. */ void SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); @@ -84,12 +141,18 @@ public: /** * Starts ignoring a file, which will finally be removed from internal * mappings on EOF or TIMEOUT. + * @param file_id the file identifier/hash. * @return false if file identifier did not map to anything, else true. */ bool IgnoreFile(const string& file_id); /** * Set's an inactivity threshold for the file. + * @param file_id the file identifier/hash. + * @param interval the amount of time in which no activity is seen for + * the file identified by \a file_id that will cause the file + * to be considered stale, timed out, and then resource reclaimed. + * @return false if file identifier did not map to anything, else true. */ bool SetTimeoutInterval(const string& file_id, double interval) const; 
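Review bot: The `@param is_orig` lines repeated through this hunk (both connection-based DataIn overloads, Gap, SetSize) read `or false if is being sent`, missing `it`: ` * or false if it is being sent in the opposite direction.` The same wording recurs in the CreateFile and GetFileHandle docs in the later Manager.h hunks. Separately, the external-source DataIn says `@param file_id an identifier for the file (usually a hash of \a source)` while HashHandle, documented just above, is the function that produces such identifiers; naming it there (`usually HashHandle(\a source)`) tells callers what to pass.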
@@ -97,17 +160,23 @@ public: * Queue attachment of an analzer to the file identifier. Multiple * analyzers of a given type can be attached per file identifier at a time * as long as the arguments differ. + * @param file_id the file identifier/hash. + * @param args a \c AnalyzerArgs value which describes a file analyzer. * @return false if the analyzer failed to be instantiated, else true. */ bool AddAnalyzer(const string& file_id, RecordVal* args) const; /** * Queue removal of an analyzer for a given file identifier. + * @param file_id the file identifier/hash. + * @param args a \c AnalyzerArgs value which describes a file analyzer. * @return true if the analyzer is active at the time of call, else false. */ bool RemoveAnalyzer(const string& file_id, const RecordVal* args) const; /** + * Tells whether analysis for a file is active or ignored. + * @param file_id the file identifier/hash. * @return whether the file mapped to \a file_id is being ignored. */ bool IsIgnored(const string& file_id); @@ -119,6 +188,16 @@ protected: typedef map IDMap; /** + * Create a new file to be analyzed or retrieve an existing one. + * @param file_id the file identifier/hash. + * @param conn network connection, if any, over which the file is + * transferred. + * @param tag network protocol, if any, over which the file is transferred. + * @param is_orig true if the file is being sent from connection originator + * or false if is being sent in the opposite direction (or if it + * this file isn't related to a connection). + * @param update_conn whether we need to update connection-related field + * in the \c fa_file record value associated with the file. * @return the File object mapped to \a file_id or a null pointer if * analysis is being ignored for the associated file. An File * object may be created if a mapping doesn't exist, and if it did 
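Review bot: The CreateFile doc in the second hunk on this line has `(or if it this file isn't related to a connection)` — drop `it` — and `connection-related field` should be plural: ` * @param update_conn whether we need to update connection-related fields`. The function's signature begins outside the hunk, so the documented parameter names (`conn`, `tag`, `is_orig`, `update_conn`) should be checked against it; the trailing context `bool is_orig = false, bool update_conn = true);` is consistent with them.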
@@ -130,6 +209,8 @@ protected: bool is_orig = false, bool update_conn = true); /** + * Try to retrieve a file that's being analyzed, using its identifier/hash. + * @param file_id the file identifier/hash. * @return the File object mapped to \a file_id, or a null pointer if no * mapping exists. */ @@ -138,11 +219,15 @@ protected: /** * Evaluate timeout policy for a file and remove the File object mapped to * \a file_id if needed. + * @param file_id the file identifier/hash. + * @param is_termination whether the Manager (and probably Bro) is in a + * terminating state. If true, then the timeout cannot be postponed. */ void Timeout(const string& file_id, bool is_terminating = ::terminating); /** * Immediately remove file_analysis::File object associated with \a file_id. + * @param file_id the file identifier/hash. * @return false if file id string did not map to anything, else true. */ bool RemoveFile(const string& file_id); @@ -151,11 +236,20 @@ protected: * Sets #current_file_id to a hash of a unique file handle string based on * what the \c get_file_handle event derives from the connection params. * Event queue is flushed so that we can get the handle value immediately. + * @param tag network protocol over which the file is transferred. + * @param conn network connection over which the file is transferred. + * @param is_orig true if the file is being sent from connection originator + * or false if is being sent in the opposite direction. */ void GetFileHandle(AnalyzerTag::Tag tag, Connection* c, bool is_orig); /** - * @return whether file analysis is disabled for the given analyzer. + * Check if analysis is available for files transferred over a given + * network protocol. + * @param tag the network protocol over which files can be transferred and + * analyzed by the file analysis framework. + * @return whether file analysis is disabled for the analyzer given by + * \a tag. */ static bool IsDisabled(AnalyzerTag::Tag tag); 
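Review bot: The new `@param is_termination` tag does not match the parameter name `is_terminating` in the Timeout declaration, so Doxygen will flag it; use ` * @param is_terminating whether the Manager (and probably Bro) is in a`. The added sentence `If true, then the timeout cannot be postponed.` is a useful contract statement; the definition is outside this hunk, so it is worth confirming it matches.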
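Review bot: GetFileHandle's declaration names its second parameter `c` but the new doc tag says `@param conn`; either rename the parameter in the declaration to match the rest of the class (`void GetFileHandle(AnalyzerTag::Tag tag, Connection* conn, bool is_orig);`) or change the tag to `@param c`. In the same hunk, IsDisabled's new summary says it checks whether analysis is `available` while its `@return` says `disabled`; stating one polarity, e.g. ` * Check whether file analysis is disabled for files transferred over a given`, avoids the contradiction.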
From 9c86a3ee0e4d30edfe1105b27f0e64163c538e0d Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 23 May 2013 14:29:13 -0500 Subject: [PATCH 070/200] Add a general file analysis overview/how-to document. --- doc/file-analysis.rst | 184 ++++++++++++++++++ doc/index.rst | 1 + .../base/frameworks/file-analysis/main.bro | 6 +- src/event.bif | 2 +- 4 files changed, 190 insertions(+), 3 deletions(-) create mode 100644 doc/file-analysis.rst diff --git a/doc/file-analysis.rst b/doc/file-analysis.rst new file mode 100644 index 0000000000..e3e62ceb2e --- /dev/null +++ b/doc/file-analysis.rst 
@@ -0,0 +1,184 @@ +============= +File Analysis +============= + +.. rst-class:: opening + + In the past, writing Bro scripts with the intent of analyzing file + content could be cumbersome because of the fact that the content + would be presented in different ways, via events, at the + script-layer depending on which network protocol was involved in the + file transfer. Scripts written to analyze files over one protocol + would have to be copied and modified to fit other protocols. The + file analysis framework (FAF) is an attempt to provide a generalized + presentation of file-related information. The information regarding + the protocol involved in transporting a file over the network is + still available, but it no longer has to dictate how one organizes + their scripting logic to handle it. A goal of the FAF is to + provide analysis specifically for files that is analogous to the + analysis Bro provides for network connections. + +.. contents:: + +File Lifecycle Events +===================== + +The key events that may occur during the lifetime of a file are: +:bro:see:`file_new`, :bro:see:`file_over_new_connection`, +:bro:see:`file_timeout`, :bro:see:`file_gap`, and +:bro:see:`file_state_remove`. Handling any of these events provides +some information about the file such as which network +:bro:see:`connection` and protocol are transporting the file, how many +bytes have been transferred so far, and its MIME type. + +.. 
code:: bro + + event connection_state_remove(c: connection) + { + print "connection_state_remove"; + print c$uid; + print c$id; + for ( s in c$service ) + print s; + } + + event file_state_remove(f: fa_file) + { + print "file_state_remove"; + print f$id; + for ( cid in f$conns ) + { + print f$conns[cid]$uid; + print cid; + } + print f$source; + } + +might give output like:: + + file_state_remove + Cx92a0ym5R8 + REs2LQfVW2j + [orig_h=10.0.0.7, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp] + HTTP + connection_state_remove + REs2LQfVW2j + [orig_h=10.0.0.7, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp] + HTTP + +This doesn't perform any interesting analysis yet, but does highlight +the similarity between analysis of connections and files. Connections +are identified by the usual 5-tuple or a convenient UID string while +files are identified just by a string of the same format as the +connection UID. So there's unique ways to identify both files and +connections and files hold references to a connection (or connections) +that transported it. + +Adding Analysis +=============== + +There are builtin file analyzers which can be attached to files. Once +attached, they start receiving the contents of the file as Bro extracts +it from an ongoing network connection. What they do with the file +contents is up to the particular file analyzer implementation, but +they'll typically either report further information about the file via +events (e.g. :bro:see:`FileAnalysis::ANALYZER_MD5` will report the +file's MD5 checksum via :bro:see:`file_hash` once calculated) or they'll +have some side effect (e.g. :bro:see:`FileAnalysis::ANALYZER_EXTRACT` +will write the contents of the file out to the local file system). + +In the future there may be file analyzers that automatically attach to +files based on heuristics, similar to the Dynamic Protocol Detection +(DPD) framework for connections, but many will always require an +explicit attachment decision: + +.. 
code:: bro + + event file_new(f: fa_file) + { + print "new file", f$id; + if ( f?$mime_type && f$mime_type == "text/plain" ) + FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_MD5]); + } + + event file_hash(f: fa_file, kind: string, hash: string) + { + print "file_hash", f$id, kind, hash; + } + +this script calculates MD5s for all plain text files and might give +output:: + + new file, Cx92a0ym5R8 + file_hash, Cx92a0ym5R8, md5, 397168fd09991a0e712254df7bc639ac + +Some file analyzers might have tunable parameters that need to be +specified in the call to :bro:see:`FileAnalysis::add_analyzer`: + +.. code:: bro + + event file_new(f: fa_file) + { + FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT, + $extract_filename="./myfile"]); + } + +In this case, the file extraction analyzer doesn't generate any further +events, but does have the side effect of writing out the file contents +to the local file system at the specified location of ``./myfile``. Of +course, for a network with more than a single file being transferred, +it's probably preferable to specify a different extraction path for each +file, unlike this example. + +Regardless of which file analyzers end up acting on a file, general +information about the file (e.g. size, time of last data transferred, +MIME type, etc.) are logged in ``file_analysis.log``. + +Input Framework Integration +=========================== + +The FAF comes with a simple way to integrate with the :doc:`Input +Framework `, so that Bro can analyze files from external sources +in the same way it analyzes files that it sees coming over traffic from +a network interface it's monitoring. It only requires a call to +:bro:see:`Input::add_analysis`: + +.. 
code:: bro + + redef exit_only_after_terminate = T; + + event file_new(f: fa_file) + { + print "new file", f$id; + FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_MD5]); + } + + event file_state_remove(f: fa_file) + { + Input::remove(f$source); + terminate(); + } + + event file_hash(f: fa_file, kind: string, hash: string) + { + print "file_hash", f$id, kind, hash; + } + + event bro_init() + { + local source: string = "./myfile"; + Input::add_analysis([$source=source, $name=source]); + } + +Note that the "source" field of :bro:see:`fa_file` corresponds to the +"name" field of :bro:see:`Input::AnalysisDescription` since that is what +the input framework uses to uniquely identify an input stream. + +The output of the above script may be:: + + new file, G1fS2xthS4l + file_hash, G1fS2xthS4l, md5, 54098b367d2e87b078671fad4afb9dbb + +Nothing that special, but it at least verifies the MD5 file analyzer +saw all the bytes of the input file and calculated the checksum +correctly! diff --git a/doc/index.rst b/doc/index.rst index 29b29541b4..78f705abfb 100644 --- a/doc/index.rst +++ b/doc/index.rst @@ -25,6 +25,7 @@ Frameworks notice logging input + file-analysis cluster signatures diff --git a/scripts/base/frameworks/file-analysis/main.bro b/scripts/base/frameworks/file-analysis/main.bro index 393d805133..24e6fc4e2f 100644 --- a/scripts/base/frameworks/file-analysis/main.bro +++ b/scripts/base/frameworks/file-analysis/main.bro @@ -22,11 +22,13 @@ export { extract_filename: string &optional; ## An event which will be generated for all new file contents, - ## chunk-wise. + ## chunk-wise. Used when *tag* is + ## :bro:see:`FileAnalysis::ANALYZER_DATA_EVENT`. chunk_event: event(f: fa_file, data: string, off: count) &optional; ## An event which will be generated for all new file contents, - ## stream-wise. + ## stream-wise. Used when *tag* is + ## :bro:see:`FileAnalysis::ANALYZER_DATA_EVENT`. stream_event: event(f: fa_file, data: string) &optional; } &redef; 
diff --git a/src/event.bif b/src/event.bif index 0fcbd1cb5d..d0dd2d6c33 100644 --- a/src/event.bif +++ b/src/event.bif @@ -7024,7 +7024,7 @@ event file_over_new_connection%(f: fa_file, c: connection%); ## f: The file. ## ## .. bro:see:: file_new file_over_new_connection file_gap file_state_remove -## default_file_timeout_interval FileAnalysis::postpone_timeout +## default_file_timeout_interval FileAnalysis::set_timeout_interval ## FileAnalysis::set_timeout_interval event file_timeout%(f: fa_file%); From e45933562e15a1af1ecd50bf0e8c0a4de02b4c3f Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 23 May 2013 16:53:42 -0500 Subject: [PATCH 071/200] Fix broken/missing documentation. --- doc/logging.rst | 3 +-- doc/notice.rst | 26 +++++++++---------- doc/scripts/builtins.rst | 25 ++++++++++++++++++ scripts/base/frameworks/logging/main.bro | 2 +- scripts/base/frameworks/notice/main.bro | 3 --- scripts/base/frameworks/sumstats/main.bro | 2 +- .../base/frameworks/sumstats/plugins/last.bro | 3 ++- scripts/base/protocols/dns/main.bro | 25 +++++++++--------- scripts/base/utils/queue.bro | 2 +- .../policy/misc/detect-traceroute/main.bro | 4 +-- scripts/policy/misc/scan.bro | 13 +++++----- src/bro.bif | 8 +++--- src/event.bif | 1 + 13 files changed, 71 insertions(+), 46 deletions(-) diff --git a/doc/logging.rst b/doc/logging.rst index 7fb4205b9a..b982206e85 100644 --- a/doc/logging.rst +++ b/doc/logging.rst @@ -89,8 +89,7 @@ Note the fields that are set for the filter: are generated by taking the stream's ID and munging it slightly. :bro:enum:`Conn::LOG` is converted into ``conn``, :bro:enum:`PacketFilter::LOG` is converted into - ``packet_filter``, and :bro:enum:`Notice::POLICY_LOG` is - converted into ``notice_policy``. + ``packet_filter``. ``include`` A set limiting the fields to the ones given. The names diff --git a/doc/notice.rst b/doc/notice.rst index e6d4326db1..76d5bcdecb 100644 --- a/doc/notice.rst +++ b/doc/notice.rst 
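Review bot: The replacement line in the `file_timeout` doc comment leaves `FileAnalysis::set_timeout_interval` listed twice in the `.. bro:see::` block, since the unchanged context line immediately below already names it. Keep the edited line `## default_file_timeout_interval FileAnalysis::set_timeout_interval` and drop the following `## FileAnalysis::set_timeout_interval` line, or restore a reference to whatever replaced `postpone_timeout` if a distinct function exists.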
@@ -86,21 +86,21 @@ directly make modifications to the :bro:see:`Notice::Info` record given as the argument to the hook. Here's a simple example which tells Bro to send an email for all notices of -type :bro:see:`SSH::Login` if the server is 10.0.0.1: +type :bro:see:`SSH::Password_Guessing` if the server is 10.0.0.1: .. code:: bro hook Notice::policy(n: Notice::Info) { - if ( n$note == SSH::Login && n$id$resp_h == 10.0.0.1 ) + if ( n$note == SSH::Password_Guessing && n$id$resp_h == 10.0.0.1 ) add n$actions[Notice::ACTION_EMAIL]; } .. note:: - Keep in mind that the semantics of the SSH::Login notice are - such that it is only raised when Bro heuristically detects a successful - login. No apparently failed logins will raise this notice. + Keep in mind that the semantics of the SSH::Password_Guessing notice are + such that it is only raised when Bro heuristically detects a failed + login. Hooks can also have priorities applied to order their execution like events with a default priority of 0. Greater values are executed first. Setting @@ -110,7 +110,7 @@ a hook body to run before default hook bodies might look like this: hook Notice::policy(n: Notice::Info) &priority=5 { - if ( n$note == SSH::Login && n$id$resp_h == 10.0.0.1 ) + if ( n$note == SSH::Password_Guessing && n$id$resp_h == 10.0.0.1 ) add n$actions[Notice::ACTION_EMAIL]; } 
@@ -173,16 +173,16 @@ Raising Notices A script should raise a notice for any occurrence that a user may want to be notified about or take action on. For example, whenever the base -SSH analysis scripts sees an SSH session where it is heuristically -guessed to be a successful login, it raises a Notice of the type -:bro:see:`SSH::Login`. The code in the base SSH analysis script looks -like this: +SSH analysis scripts sees enough failed logins to a given host, it +raises a notice of the type :bro:see:`SSH::Password_Guessing`. The code +in the base SSH analysis script which raises the notice looks like this: .. code:: bro - NOTICE([$note=SSH::Login, - $msg="Heuristically detected successful SSH login.", - $conn=c]); + NOTICE([$note=Password_Guessing, + $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num), + $src=key$host, + $identifier=cat(key$host)]); :bro:see:`NOTICE` is a normal function in the global namespace which wraps a function within the ``Notice`` namespace. It takes a single diff --git a/doc/scripts/builtins.rst b/doc/scripts/builtins.rst index 06d61232ad..369f38c9eb 100644 --- a/doc/scripts/builtins.rst +++ b/doc/scripts/builtins.rst 
@@ -402,6 +402,31 @@ The Bro scripting language supports the following built-in types. if ( r?$s ) ... +.. bro:type:: opaque + + A data type whose actual representation/implementation is + intentionally hidden, but whose values may be passed to certain + functions that can actually access the internal/hidden resources. + Opaque types are differentiated from each other by qualifying them + like ``opaque of md5`` or ``opaque of sha1``. Any valid identifier + can be used as the type qualifier. + + An example use of this type is the set of built-in functions which + perform hashing: + + .. code:: bro + + local handle: opaque of md5 = md5_hash_init(); + md5_hash_update(handle, "test"); + md5_hash_update(handle, "testing"); + print md5_hash_finish(handle); + + Here the opaque type is used to provide a handle to a particular + resource which is calculating an MD5 checksum incrementally over + time, but the details of that resource aren't relevant, it's only + necessary to have a handle as a way of identifying it and + distinguishing it from other such resources. + .. bro:type:: file Bro supports writing to files, but not reading from them. For diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index 82d3fa043b..b1d76cfb62 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -195,7 +195,7 @@ export { ## ## Returns: True if a new stream was successfully removed. ## - ## .. bro:see:: Log:create_stream + ## .. bro:see:: Log::create_stream global remove_stream: function(id: ID) : bool; ## Enables a previously disabled logging stream. Disabled streams diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index 71071df9ab..30e0013517 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro 
@@ -431,9 +431,6 @@ hook Notice::notice(n: Notice::Info) &priority=-5 } } -## This determines if a notice is being suppressed. It is only used -## internally as part of the mechanics for the global :bro:id:`NOTICE` -## function. function is_being_suppressed(n: Notice::Info): bool { if ( n?$identifier && [n$note, n$identifier] in suppressing ) diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro index 6864966766..cc2aba2362 100644 --- a/scripts/base/frameworks/sumstats/main.bro +++ b/scripts/base/frameworks/sumstats/main.bro @@ -99,7 +99,7 @@ export { reducers: set[Reducer]; ## Provide a function to calculate a value from the - ## :bro:see:`Result` structure which will be used + ## :bro:see:`SumStats::Result` structure which will be used ## for thresholding. ## This is required if a $threshold value is given. threshold_val: function(key: SumStats::Key, result: SumStats::Result): count &optional; diff --git a/scripts/base/frameworks/sumstats/plugins/last.bro b/scripts/base/frameworks/sumstats/plugins/last.bro index e2cf31c902..daebe30cf5 100644 --- a/scripts/base/frameworks/sumstats/plugins/last.bro +++ b/scripts/base/frameworks/sumstats/plugins/last.bro @@ -16,7 +16,8 @@ export { redef record ResultVal += { ## This is the queue where elements are maintained. Use the - ## :bro:see:`SumStats::get_elements` function to get a vector of the current element values. + ## :bro:see:`SumStats::get_last` function to get a vector of + ## the current element values. last_elements: Queue::Queue &optional; }; diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 7d69d2f9ee..fd524b49cf 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro 
@@ -101,20 +101,21 @@ export { ## ## is_query: Indicator for if this is being called for a query or a response. global set_session: hook(c: connection, msg: dns_msg, is_query: bool); + + ## A record type which tracks the status of DNS queries for a given + ## :bro:type:`connection`. + type State: record { + ## Indexed by query id, returns Info record corresponding to + ## query/response which haven't completed yet. + pending: table[count] of Queue::Queue; + + ## This is the list of DNS responses that have completed based on the + ## number of responses declared and the number received. The contents + ## of the set are transaction IDs. + finished_answers: set[count]; + }; } -## A record type which tracks the status of DNS queries for a given -## :bro:type:`connection`. -type State: record { - ## Indexed by query id, returns Info record corresponding to - ## query/response which haven't completed yet. - pending: table[count] of Queue::Queue; - - ## This is the list of DNS responses that have completed based on the - ## number of responses declared and the number received. The contents - ## of the set are transaction IDs. - finished_answers: set[count]; -}; redef record connection += { dns: Info &optional; diff --git a/scripts/base/utils/queue.bro b/scripts/base/utils/queue.bro index eb4f69a08e..64202c54bc 100644 --- a/scripts/base/utils/queue.bro +++ b/scripts/base/utils/queue.bro @@ -16,7 +16,7 @@ export { ## Initialize a queue record structure. ## - ## s: A :bro:record:`Settings` record configuring the queue. + ## s: A record which configures the queue. ## ## Returns: An opaque queue record. global init: function(s: Settings &default=[]): Queue; diff --git a/scripts/policy/misc/detect-traceroute/main.bro b/scripts/policy/misc/detect-traceroute/main.bro index c194d03e13..3ed315746f 100644 --- a/scripts/policy/misc/detect-traceroute/main.bro +++ b/scripts/policy/misc/detect-traceroute/main.bro 
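Review bot: Moving `type State` inside `export { ... }` turns a module-private type into a public `DNS::State`, which goes beyond the "fix documentation" intent of this commit; if exposing it is deliberate, a one-line comment such as `## Exported so that the connection record's dns_state field can be cross-referenced.` (or a commit-message sentence) would record that. While the block is being moved, the `pending` field's comment says it "returns Info record", but its type is `table[count] of Queue::Queue`; presumably each queue holds Info records, so `## Indexed by query id; each entry is a queue of Info records for queries/responses that haven't completed yet.` would match the declared type.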
@@ -32,8 +32,8 @@ export { const icmp_time_exceeded_threshold = 3 &redef; ## Interval at which to watch for the - ## :bro:id:`ICMPTimeExceeded::icmp_time_exceeded_threshold` variable to be crossed. - ## At the end of each interval the counter is reset. + ## :bro:id:`Traceroute::icmp_time_exceeded_threshold` variable to be + ## crossed. At the end of each interval the counter is reset. const icmp_time_exceeded_interval = 3min &redef; ## The log record for the traceroute log. diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro index f3dcaf2291..31caf527b7 100644 --- a/scripts/policy/misc/scan.bro +++ b/scripts/policy/misc/scan.bro @@ -13,17 +13,18 @@ module Scan; export { redef enum Notice::Type += { - ## Address scans detect that a host appears to be scanning some number of - ## destinations on a single port. This notice is generated when more than - ## :bro:id:`addr_scan_threshold` unique hosts are seen over the previous - ## :bro:id:`addr_scan_interval` time range. + ## Address scans detect that a host appears to be scanning some number + ## of destinations on a single port. This notice is generated when more + ## than :bro:id:`Scan::addr_scan_threshold` unique hosts are seen over + ## the previous :bro:id:`Scan::addr_scan_interval` time range. Address_Scan, ## Port scans detect that an attacking host appears to be scanning a ## single victim host on several ports. This notice is generated when - ## an attacking host attempts to connect to :bro:id:`port_scan_threshold` + ## an attacking host attempts to connect to + ## :bro:id:`Scan::port_scan_threshold` ## unique ports on a single host over the previous - ## :bro:id:`port_scan_interval` time range. + ## :bro:id:`Scan::port_scan_interval` time range. Port_Scan, }; diff --git a/src/bro.bif b/src/bro.bif index d9558106a7..26fe16d821 100644 --- a/src/bro.bif +++ b/src/bro.bif 
@@ -2923,7 +2923,7 @@ function bytestring_to_hexstr%(bytestring: string%): string ## ## Returns: The encoded version of *s*. ## -## .. bro:see:: encode_base64_custom, decode_base64 +## .. bro:see:: encode_base64_custom decode_base64 function encode_base64%(s: string%): string %{ BroString* t = encode_base64(s->AsString()); @@ -2946,7 +2946,7 @@ function encode_base64%(s: string%): string ## ## Returns: The encoded version of *s*. ## -## .. bro:see:: encode_base64, decode_base64_custom +## .. bro:see:: encode_base64 decode_base64_custom function encode_base64_custom%(s: string, a: string%): string %{ BroString* t = encode_base64(s->AsString(), a->AsString()); @@ -2965,7 +2965,7 @@ function encode_base64_custom%(s: string, a: string%): string ## ## Returns: The decoded version of *s*. ## -## .. bro:see:: decode_base64_custom, encode_base64 +## .. bro:see:: decode_base64_custom encode_base64 function decode_base64%(s: string%): string %{ BroString* t = decode_base64(s->AsString()); @@ -2988,7 +2988,7 @@ function decode_base64%(s: string%): string ## ## Returns: The decoded version of *s*. ## -## .. bro:see:: decode_base64, encode_base64_custom +## .. bro:see:: decode_base64 encode_base64_custom function decode_base64_custom%(s: string, a: string%): string %{ BroString* t = decode_base64(s->AsString(), a->AsString()); diff --git a/src/event.bif b/src/event.bif index 0fcbd1cb5d..2263412699 100644 --- a/src/event.bif +++ b/src/event.bif @@ -7042,6 +7042,7 @@ event file_gap%(f: fa_file, offset: count, len: count%); ## This event is generated each time file analysis is ending for a given file. ## ## f: The file. +## ## .. bro:see:: file_new file_over_new_connection file_timeout file_gap event file_state_remove%(f: fa_file%); From 4d275522c7a87f8c69b1494126cc995a20b2d66b Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Thu, 23 May 2013 16:03:26 -0700 Subject: [PATCH 072/200] Add abstraction for vector of bits. A bitvector is a vector of bits with underlying block storage. Since C++ has no notion of lvalues in the context of bits, we use a small wrapper class Reference that masks the desired bit in the corresponding block. --- src/BitVector.cc | 455 +++++++++++++++++++++++++++++++++++++++++++++ src/BitVector.h | 324 ++++++++++++++++++++++++++++++++ src/CMakeLists.txt | 1 + 3 files changed, 780 insertions(+) create mode 100644 src/BitVector.cc create mode 100644 src/BitVector.h diff --git a/src/BitVector.cc b/src/BitVector.cc new file mode 100644 index 0000000000..2f714a6c79 --- /dev/null +++ b/src/BitVector.cc 
@@ -0,0 +1,455 @@ +#include "BitVector.h" + +#include +#include + +BitVector::size_type BitVector::npos = static_cast(-1); +BitVector::block_type BitVector::bits_per_block = + std::numeric_limits::digits; + +namespace { + +uint8_t count_table[] = { + 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4, 1, 2, 2, 3, 2, 3, 3, 4, 2, + 3, 3, 4, 3, 4, 4, 5, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 2, 3, + 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, + 4, 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 2, 3, 3, 4, + 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, + 6, 6, 7, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, + 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, + 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 2, 3, 3, 4, 3, 4, 4, 5, + 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 3, + 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 4, 5, 5, 6, 5, 6, 6, 7, 5, 6, + 6, 7, 6, 7, 7, 8 +}; + +} // namespace + +BitVector::Reference::Reference(block_type& block, block_type i) + : block_(block), + mask_(block_type(1) << i) + { + assert(i < bits_per_block); + } + +BitVector::Reference& BitVector::Reference::flip() + { + block_ ^= mask_; + return *this; + } + +BitVector::Reference::operator bool() const + { + return (block_ & mask_) != 0; + } + +bool BitVector::Reference::operator~() const + { + return (block_ & mask_) == 0; + } + +BitVector::Reference& BitVector::Reference::operator=(bool x) + { + x ? block_ |= mask_ : block_ &= ~mask_; + return *this; + } + +BitVector::Reference& BitVector::Reference::operator=(Reference const& other) + { + other ? block_ |= mask_ : block_ &= ~mask_; + return *this; + } + +BitVector::Reference& BitVector::Reference::operator|=(bool x) + { + if (x) + block_ |= mask_; + return *this; + } + +BitVector::Reference& BitVector::Reference::operator&=(bool x) + { + if (! 
x) + block_ &= ~mask_; + return *this; + } + +BitVector::Reference& BitVector::Reference::operator^=(bool x) + { + if (x) + block_ ^= mask_; + return *this; + } + +BitVector::Reference& BitVector::Reference::operator-=(bool x) + { + if (x) + block_ &= ~mask_; + return *this; + } + + +BitVector::BitVector() : num_bits_(0) { } + +BitVector::BitVector(size_type size, bool value) + : bits_(bits_to_blocks(size), value ? ~block_type(0) : 0), + num_bits_(size) +{ } + +BitVector::BitVector(BitVector const& other) + : bits_(other.bits_), + num_bits_(other.num_bits_) +{ } + +BitVector BitVector::operator~() const + { + BitVector b(*this); + b.flip(); + return b; + } + +BitVector& BitVector::operator=(BitVector const& other) + { + bits_ = other.bits_; + return *this; + } + +BitVector BitVector::operator<<(size_type n) const + { + BitVector b(*this); + return b <<= n; + } + +BitVector BitVector::operator>>(size_type n) const + { + BitVector b(*this); + return b >>= n; + } + +BitVector& BitVector::operator<<=(size_type n) + { + if (n >= num_bits_) + return reset(); + + if (n > 0) + { + size_type last = blocks() - 1; + size_type div = n / bits_per_block; + block_type r = bit_index(n); + block_type* b = &bits_[0]; + assert(blocks() >= 1); + assert(div <= last); + + if (r != 0) + { + for (size_type i = last - div; i > 0; --i) + b[i + div] = (b[i] << r) | (b[i - 1] >> (bits_per_block - r)); + b[div] = b[0] << r; + } + else + { + for (size_type i = last-div; i > 0; --i) + b[i + div] = b[i]; + b[div] = b[0]; + } + + std::fill_n(b, div, block_type(0)); + zero_unused_bits(); + } + + return *this; + } + +BitVector& BitVector::operator>>=(size_type n) + { + if (n >= num_bits_) + return reset(); + + if (n > 0) + { + size_type last = blocks() - 1; + size_type div = n / bits_per_block; + block_type r = bit_index(n); + block_type* b = &bits_[0]; + assert(blocks() >= 1); + assert(div <= last); + + if (r != 0) + { + for (size_type i = last - div; i > 0; --i) + b[i - div] = (b[i] >> r) | (b[i + 
1] << (bits_per_block - r)); + b[last - div] = b[last] >> r; + } + else + { + for (size_type i = div; i <= last; ++i) + b[i-div] = b[i]; + } + + std::fill_n(b + (blocks() - div), div, block_type(0)); + } + return *this; + } + +BitVector& BitVector::operator&=(BitVector const& other) + { + assert(size() >= other.size()); + for (size_type i = 0; i < blocks(); ++i) + bits_[i] &= other.bits_[i]; + return *this; + } + +BitVector& BitVector::operator|=(BitVector const& other) + { + assert(size() >= other.size()); + for (size_type i = 0; i < blocks(); ++i) + bits_[i] |= other.bits_[i]; + return *this; + } + +BitVector& BitVector::operator^=(BitVector const& other) + { + assert(size() >= other.size()); + for (size_type i = 0; i < blocks(); ++i) + bits_[i] ^= other.bits_[i]; + return *this; + } + +BitVector& BitVector::operator-=(BitVector const& other) + { + assert(size() >= other.size()); + for (size_type i = 0; i < blocks(); ++i) + bits_[i] &= ~other.bits_[i]; + return *this; + } + +BitVector operator&(BitVector const& x, BitVector const& y) + { + BitVector b(x); + return b &= y; + } + +BitVector operator|(BitVector const& x, BitVector const& y) + { + BitVector b(x); + return b |= y; + } + +BitVector operator^(BitVector const& x, BitVector const& y) + { + BitVector b(x); + return b ^= y; + } + +BitVector operator-(BitVector const& x, BitVector const& y) + { + BitVector b(x); + return b -= y; + } + +bool operator==(BitVector const& x, BitVector const& y) + { + return x.num_bits_ == y.num_bits_ && x.bits_ == y.bits_; + } + +bool operator!=(BitVector const& x, BitVector const& y) + { + return ! 
(x == y); + } + +bool operator<(BitVector const& x, BitVector const& y) + { + assert(x.size() == y.size()); + for (BitVector::size_type r = x.blocks(); r > 0; --r) + { + BitVector::size_type i = r - 1; + if (x.bits_[i] < y.bits_[i]) + return true; + else if (x.bits_[i] > y.bits_[i]) + return false; + } + return false; + } + +void BitVector::resize(size_type n, bool value) + { + size_type old = blocks(); + size_type required = bits_to_blocks(n); + block_type block_value = value ? ~block_type(0) : block_type(0); + + if (required != old) + bits_.resize(required, block_value); + + if (value && (n > num_bits_) && extra_bits()) + bits_[old - 1] |= (block_value << extra_bits()); + + num_bits_ = n; + zero_unused_bits(); + } + +void BitVector::clear() + { + bits_.clear(); + num_bits_ = 0; + } + +void BitVector::push_back(bool bit) + { + size_type s = size(); + resize(s + 1); + set(s, bit); + } + +void BitVector::append(block_type block) + { + size_type excess = extra_bits(); + if (excess) + { + assert(! 
bits_.empty()); + bits_.push_back(block >> (bits_per_block - excess)); + bits_[bits_.size() - 2] |= (block << excess); + } + else + { + bits_.push_back(block); + } + num_bits_ += bits_per_block; + } + +BitVector& BitVector::set(size_type i, bool bit) + { + assert(i < num_bits_); + + if (bit) + bits_[block_index(i)] |= bit_mask(i); + else + reset(i); + + return *this; + } + +BitVector& BitVector::set() + { + std::fill(bits_.begin(), bits_.end(), ~block_type(0)); + zero_unused_bits(); + return *this; + } + +BitVector& BitVector::reset(size_type i) + { + assert(i < num_bits_); + bits_[block_index(i)] &= ~bit_mask(i); + return *this; + } + +BitVector& BitVector::reset() + { + std::fill(bits_.begin(), bits_.end(), block_type(0)); + return *this; + } + +BitVector& BitVector::flip(size_type i) + { + assert(i < num_bits_); + bits_[block_index(i)] ^= bit_mask(i); + return *this; + } + +BitVector& BitVector::flip() + { + for (size_type i = 0; i < blocks(); ++i) + bits_[i] = ~bits_[i]; + zero_unused_bits(); + return *this; + } + +bool BitVector::operator[](size_type i) const + { + assert(i < num_bits_); + return (bits_[block_index(i)] & bit_mask(i)) != 0; + } + +BitVector::Reference BitVector::operator[](size_type i) + { + assert(i < num_bits_); + return Reference(bits_[block_index(i)], bit_index(i)); + } + +BitVector::size_type BitVector::count() const + { + std::vector::const_iterator first = bits_.begin(); + size_t n = 0; + size_type length = blocks(); + while (length) + { + block_type block = *first; + while (block) + { + // TODO: use __popcnt if available. 
+ n += count_table[block & ((1u << 8) - 1)]; + block >>= 8; + } + ++first; + --length; + } + return n; + } + +BitVector::size_type BitVector::blocks() const + { + return bits_.size(); + } + +BitVector::size_type BitVector::size() const + { + return num_bits_; + } + +bool BitVector::empty() const + { + return bits_.empty(); + } + +BitVector::size_type BitVector::find_first() const + { + return find_from(0); + } + +BitVector::size_type BitVector::find_next(size_type i) const + { + if (i >= (size() - 1) || size() == 0) + return npos; + ++i; + size_type bi = block_index(i); + block_type block = bits_[bi] & (~block_type(0) << bit_index(i)); + return block ? bi * bits_per_block + lowest_bit(block) : find_from(bi + 1); + } + +BitVector::size_type BitVector::lowest_bit(block_type block) + { + block_type x = block - (block & (block - 1)); + size_type log = 0; + while (x >>= 1) + ++log; + return log; + } + +BitVector::block_type BitVector::extra_bits() const + { + return bit_index(size()); + } + +void BitVector::zero_unused_bits() + { + if (extra_bits()) + bits_.back() &= ~(~block_type(0) << extra_bits()); + } + +BitVector::size_type BitVector::find_from(size_type i) const + { + while (i < blocks() && bits_[i] == 0) + ++i; + if (i >= blocks()) + return npos; + return i * bits_per_block + lowest_bit(bits_[i]); + } diff --git a/src/BitVector.h b/src/BitVector.h new file mode 100644 index 0000000000..46d7e2df8f --- /dev/null +++ b/src/BitVector.h 
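Review bot: `BitVector::operator=` copies `bits_` but not `num_bits_`, so assigning from a vector of a different length leaves `size()`, `extra_bits()` and `zero_unused_bits()` working with the old bit count; add `num_bits_ = other.num_bits_;` beside the `bits_` copy. In the unaligned branch of `operator>>=`, the descending loop `for (size_type i = last - div; i > 0; --i)` writes `b[i - div]` before lower iterations read that block as `b[i]`/`b[i + 1]`, and for `div == 0` it reads `b[last + 1]` past the end and never updates `b[0]`; the ascending form `for (size_type i = div; i < last; ++i) b[i - div] = (b[i] >> r) | (b[i + 1] << (bits_per_block - r));` followed by the existing `b[last - div] = b[last] >> r;` shifts every block exactly once. `operator&=`, `operator|=`, `operator^=` and `operator-=` assert `size() >= other.size()` yet index `other.bits_[i]` for every block of `*this`, so a shorter `other` is read beyond its storage; either assert `size() == other.size()` as `operator<` does, or bound the loop by `other.blocks()`. `npos` and `bits_per_block` are defined here as mutable statics although nothing assigns them; making them `const` in the header would prevent accidental modification.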
@@ -0,0 +1,324 @@ +#ifndef BitVector_h +#define BitVector_h + +#include +#include + +/** + * A vector of bits. + */ +class BitVector { +public: + typedef size_t block_type; + typedef size_t size_type; + static size_type npos; + static block_type bits_per_block; + +public: + /** + * An lvalue proxy for single bits. + */ + class Reference { + friend class BitVector; + Reference(block_type& block, block_type i); + + public: + Reference& flip(); + operator bool() const; + bool operator~() const; + Reference& operator=(bool x); + Reference& operator=(Reference const& other); + Reference& operator|=(bool x); + Reference& operator&=(bool x); + Reference& operator^=(bool x); + Reference& operator-=(bool x); + + private: + void operator&(); + block_type& block_; + block_type const mask_; + }; + + typedef bool const_reference; + + /** + * Constructs an empty bit vector. + */ + BitVector(); + + /** + * Constructs a bit vector of a given size. + * @param size The number of bits. + * @param value The value for each bit. + */ + explicit BitVector(size_type size, bool value = false); + + /** + * Constructs a bit vector from a sequence of blocks. + */ + template + BitVector(InputIterator first, InputIterator last) + { + bits_.insert(bits_.end(), first, last); + num_bits_ = bits_.size() * bits_per_block; + } + + /** + * Copy-constructs a bit vector. + * @param other The bit vector to copy. + */ + BitVector(const BitVector& other); + + /** + * Assigns another bit vector to this instance. + * @param other The RHS of the assignment. 
+ */ + BitVector& operator=(const BitVector& other); + + // + // Bitwise operations + // + BitVector operator~() const; + BitVector operator<<(size_type n) const; + BitVector operator>>(size_type n) const; + BitVector& operator<<=(size_type n); + BitVector& operator>>=(size_type n); + BitVector& operator&=(BitVector const& other); + BitVector& operator|=(BitVector const& other); + BitVector& operator^=(BitVector const& other); + BitVector& operator-=(BitVector const& other); + friend BitVector operator&(BitVector const& x, BitVector const& y); + friend BitVector operator|(BitVector const& x, BitVector const& y); + friend BitVector operator^(BitVector const& x, BitVector const& y); + friend BitVector operator-(BitVector const& x, BitVector const& y); + + // + // Relational operators + // + friend bool operator==(BitVector const& x, BitVector const& y); + friend bool operator!=(BitVector const& x, BitVector const& y); + friend bool operator<(BitVector const& x, BitVector const& y); + + // + // Basic operations + // + /** Appends the bits in a sequence of values. + * @tparam Iterator A forward iterator. + * @param first An iterator pointing to the first element of the sequence. + * @param last An iterator pointing to one past the last element of the + * sequence. + */ + template + void append(ForwardIterator first, ForwardIterator last) + { + if (first == last) + return; + + block_type excess = extra_bits(); + typename std::iterator_traits::difference_type delta = + std::distance(first, last); + + bits_.reserve(blocks() + delta); + if (excess == 0) + { + bits_.back() |= (*first << excess); + do + { + block_type b = *first++ >> (bits_per_block - excess); + bits_.push_back(b | (first == last ? 0 : *first << excess)); + } while (first != last); + } + else + { + bits_.insert(bits_.end(), first, last); + } + num_bits_ += bits_per_block * delta; + } + + /** + * Appends the bits in a given block. + * @param block The block containing bits to append. 
+ */ + void append(block_type block); + + /** Appends a single bit to the end of the bit vector. + * @param bit The value of the bit. + */ + void push_back(bool bit); + + /** + * Clears all bits in the bitvector. + */ + void clear(); + + /** + * Resizes the bit vector to a new number of bits. + * @param n The new number of bits of the bit vector. + * @param value The bit value of new values, if the vector expands. + */ + void resize(size_type n, bool value = false); + + /** + * Sets a bit at a specific position to a given value. + * @param i The bit position. + * @param bit The value assigned to position *i*. + * @return A reference to the bit vector instance. + */ + BitVector& set(size_type i, bool bit = true); + + /** + * Sets all bits to 1. + * @return A reference to the bit vector instance. + */ + BitVector& set(); + + /** + * Resets a bit at a specific position, i.e., sets it to 0. + * @param i The bit position. + * @return A reference to the bit vector instance. + */ + BitVector& reset(size_type i); + + /** + * Sets all bits to 0. + * @return A reference to the bit vector instance. + */ + BitVector& reset(); + + /** + * Toggles/flips a bit at a specific position. + * @param i The bit position. + * @return A reference to the bit vector instance. + */ + BitVector& flip(size_type i); + + /** + * Computes the complement. + * @return A reference to the bit vector instance. + */ + BitVector& flip(); + + /** Retrieves a single bit. + * @param i The bit position. + * @return A mutable reference to the bit at position *i*. + */ + Reference operator[](size_type i); + + /** + * Retrieves a single bit. + * @param i The bit position. + * @return A const-reference to the bit at position *i*. + */ + const_reference operator[](size_type i) const; + + /** + * Counts the number of 1-bits in the bit vector. Also known as *population + * count* or *Hamming weight*. + * @return The number of bits set to 1. 
+ */ + size_type count() const; + + /** + * Retrieves the number of blocks of the underlying storage. + * @param The number of blocks that represent `size()` bits. + */ + size_type blocks() const; + + /** + * Retrieves the number of bits the bitvector consist of. + * @return The length of the bit vector in bits. + */ + size_type size() const; + + /** + * Checks whether the bit vector is empty. + * @return `true` iff the bitvector has zero length. + */ + bool empty() const; + + /** + * Finds the bit position of of the first 1-bit. + * @return The position of the first bit that equals to one or `npos` if no + * such bit exists. + */ + size_type find_first() const; + + /** + * Finds the next 1-bit from a given starting position. + * + * @param i The index where to start looking. + * + * @return The position of the first bit that equals to 1 after position + * *i* or `npos` if no such bit exists. + */ + size_type find_next(size_type i) const; + +private: + /** + * Computes the block index for a given bit position. + */ + static size_type block_index(size_type i) + { + return i / bits_per_block; + } + + /** + * Computes the bit index within a given block for a given bit position. + */ + static block_type bit_index(size_type i) + { + return i % bits_per_block; + } + + /** + * Computes the bitmask block to extract a bit a given bit position. + */ + static block_type bit_mask(size_type i) + { + return block_type(1) << bit_index(i); + } + + /** + * Computes the number of blocks needed to represent a given number of + * bits. + * @param bits the number of bits. + * @return The number of blocks to represent *bits* number of bits. + */ + static size_type bits_to_blocks(size_type bits) + { + return bits / bits_per_block + + static_cast(bits % bits_per_block != 0); + } + + /** + * Computes the bit position first 1-bit in a given block. + * @param block The block to inspect. + * @return The bit position where *block* has its first bit set to 1. 
+ */ + static size_type lowest_bit(block_type block); + + /** + * Computes the number of excess/unused bits in the bit vector. + */ + block_type extra_bits() const; + + /** + * If the number of bits in the vector are not not a multiple of + * bitvector::bits_per_block, then the last block exhibits unused bits which + * this function resets. + */ + void zero_unused_bits(); + + /** + * Looks for the first 1-bit starting at a given position. + * @param i The block index to start looking. + * @return The block index of the first 1-bit starting from *i* or + * `bitvector::npos` if no 1-bit exists. + */ + size_type find_from(size_type i) const; + + std::vector bits_; + size_type num_bits_; +}; + +#endif diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 447b7d9ec7..33aaab29c1 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -303,6 +303,7 @@ set(bro_SRCS Base64.cc BitTorrent.cc BitTorrentTracker.cc + BitVector.cc BPF_Program.cc BroDoc.cc BroDocObj.cc From d67123d0c300c6207a83f46930c8a78bde2f3b02 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 24 May 2013 18:07:36 -0700 Subject: [PATCH 073/200] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index c25a64b173..4d0b75afad 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit c25a64b173652e934bcd7b88e8573b306bf59ac5 +Subproject commit 4d0b75afadd6a3c6507e8ca18cb1913faa93a3b0 From 04dd363279283c56d205f0979aaa09aa70409391 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 27 May 2013 20:30:03 -0700 Subject: [PATCH 074/200] accept libmagic starting from 5.03 --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index b95b637770..284cd0dfa2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
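Review bot: The branch condition in the `append(ForwardIterator first, ForwardIterator last)` template is inverted: when `excess == 0` the last block has no spare bits, yet that branch calls `bits_.back()` (undefined on an empty vector) and shifts by `bits_per_block - 0`, a full-width shift, while the branch that merely `insert`s the blocks runs when `excess != 0` and silently drops the partial-block merge. Changing the test to `if (excess != 0)` makes the two branches agree with `append(block_type)` in BitVector.cc, which appears to perform the shifted merge only when there are excess bits. Separately, `npos` and `bits_per_block` are declared as mutable statics, so `static const` would prevent accidental reassignment, and the `blocks()` doc comment uses `@param` where `@return` is meant.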
@@ -74,7 +74,7 @@ if (MISSING_PREREQS) message(FATAL_ERROR "Configuration aborted due to missing prerequisites") endif () -set(libmagic_req 5.04) +set(libmagic_req 5.03) if ( LibMagic_VERSION VERSION_LESS ${libmagic_req} ) message(FATAL_ERROR "libmagic of at least version ${libmagic_req} required " "(found ${LibMagic_VERSION})") From bcc81a1a143c2715240e9822c0c52760bc9b5006 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 27 May 2013 21:10:51 -0700 Subject: [PATCH 075/200] Sorry, that libmagic version actually might have some problems - at least on the linux distribution I have access to. So... it was a bad idea. Revert "accept libmagic starting from 5.03" This reverts commit 04dd363279283c56d205f0979aaa09aa70409391. --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 284cd0dfa2..b95b637770 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -74,7 +74,7 @@ if (MISSING_PREREQS) message(FATAL_ERROR "Configuration aborted due to missing prerequisites") endif () -set(libmagic_req 5.03) +set(libmagic_req 5.04) if ( LibMagic_VERSION VERSION_LESS ${libmagic_req} ) message(FATAL_ERROR "libmagic of at least version ${libmagic_req} required " "(found ${LibMagic_VERSION})") From d61973a92d112bed7c39baf826d591a791107684 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 27 May 2013 21:14:07 -0700 Subject: [PATCH 076/200] linux does not have strnstr --- src/input/readers/Raw.cc | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index 12f66a9b39..3b79ca4bf2 100644 --- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc 
@@ -291,11 +291,10 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie return true; } - int64_t Raw::GetLine(FILE* arg_file) { errno = 0; - uint64_t pos = 0; + int pos = 0; // strstr_n only works on ints - so no use to use something bigger here if ( buf == 0 ) buf = new char[block_size]; @@ -311,9 +310,12 @@ int64_t Raw::GetLine(FILE* arg_file) if ( pos == 0 && errno != 0 ) break; - char* token = strnstr(buf, separator.c_str(), block_size*repeats-pos); - - if ( token == 0 ) + // researching everything each time is a bit... cpu-intensive. But otherwhise we have + // to deal with situations where the separator is multi-character and split over multiple + // reads... + int found = strstr_n(pos, (unsigned char*) buf, separator.size(), (unsigned char*) separator.c_str()); + + if ( found == -1 ) { // we did not find it and have to search again in the next try. resize buffer.... // but first check if we encountered the file end - because if we did this was it. @@ -342,16 +344,15 @@ int64_t Raw::GetLine(FILE* arg_file) buf = new char[block_size]; - if ( token - outbuf < pos ) + if ( found < pos ) { // we have leftovers. copy them into the buffer for the next line buf = new char[block_size]; - memcpy(buf, token + sep_length, -(token - outbuf + sep_length) +pos); - bufpos = -(token - outbuf + sep_length) +pos; + memcpy(buf, buf + found + sep_length, pos - found - sep_length); + bufpos = pos - found - sep_length; } - pos = token-outbuf; - return pos; + return found; } } From 08656c976b7f0f5194c0bcbf6abba2eba2dbb6f2 Mon Sep 17 00:00:00 2001 
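Review bot: In the last hunk, `memcpy(buf, buf + found + sep_length, ...)` runs right after `buf = new char[block_size];`, so the source pointer refers to the freshly allocated, uninitialized buffer rather than the block that was just scanned; the removed line took its source from `outbuf`, which is where the leftovers still live, `memcpy(buf, outbuf + found + sep_length, pos - found - sep_length);`. The two consecutive `buf = new char[block_size];` assignments in that branch also leak the first allocation whenever leftovers exist. The first hunk narrows `pos` from `uint64_t` to `int` while the additions to `pos` (outside this hunk) accumulate `size_t` read counts, so a line longer than `INT_MAX` bytes overflows silently; a bound check before the addition would make that failure explicit instead of undefined. GetLine's body continues outside the hunks.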
From: Bernhard Amann Date: Mon, 27 May 2013 22:59:27 -0700 Subject: [PATCH 077/200] small fixes. --- src/input/readers/Raw.cc | 18 +++++---- src/input/readers/Raw.h | 2 +- .../out | 2 + .../base/frameworks/input/raw/long.bro | 37 +++++++++++++++++++ 4 files changed, 50 insertions(+), 9 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.raw.long/out create mode 100644 testing/btest/scripts/base/frameworks/input/raw/long.bro diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index 3b79ca4bf2..435876ece1 100644 --- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc @@ -18,7 +18,7 @@ using namespace input::reader; using threading::Value; using threading::Field; -const int Raw::block_size = 512; // how big do we expect our chunks of data to be... +const int Raw::block_size = 4096; // how big do we expect our chunks of data to be... Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend) @@ -102,7 +102,6 @@ bool Raw::Execute() dup2(pipes[stderr_out], stderr_fileno); } - //execv("/usr/bin/uname",test); execl("/bin/sh", "sh", "-c", fname.c_str(), NULL); fprintf(stderr, "Exec failed :(......\n"); exit(255); @@ -294,7 +293,8 @@ bool Raw::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fie int64_t Raw::GetLine(FILE* arg_file) { errno = 0; - int pos = 0; // strstr_n only works on ints - so no use to use something bigger here + int pos = 0; // strstr_n only works on ints - so no use to use something different here + int offset = 0; if ( buf == 0 ) buf = new char[block_size]; @@ -303,9 +303,10 @@ int64_t Raw::GetLine(FILE* arg_file) for (;;) { - size_t readbytes = fread(buf+bufpos, 1, block_size-bufpos, arg_file); + size_t readbytes = fread(buf+bufpos+offset, 1, block_size-bufpos, arg_file); pos += bufpos + readbytes; - bufpos = 0; // read full block size in next read... + //printf("Pos: %d\n", pos); + bufpos = offset = 0; // read full block size in next read... if ( pos == 0 && errno != 0 ) break; 
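Review bot: The commented-out `//printf("Pos: %d\n", pos);` added in the `@@ -303` hunk is leftover debugging output and should be dropped rather than committed. The read now lands at `buf+bufpos+offset` while the length stays `block_size-bufpos`; from the `@@ -336` hunk, `offset` is non-zero only right after the buffer was grown (to `block_size*repeats`, inferred from the memcpy size), so the write appears to fit, but the invariant that exactly one of `bufpos`/`offset` is non-zero is easy to break and deserves a comment on the `offset` declaration such as `// offset: write position after a grow (bufpos is then 0); bufpos: leftover bytes carried over from the previous line (offset is then 0)`. GetLine continues outside the hunk.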
@@ -336,6 +337,7 @@ int64_t Raw::GetLine(FILE* arg_file) memcpy(newbuf, buf, block_size*(repeats-1)); delete buf; buf = newbuf; + offset = block_size*(repeats-1); } else { @@ -348,11 +350,11 @@ int64_t Raw::GetLine(FILE* arg_file) { // we have leftovers. copy them into the buffer for the next line buf = new char[block_size]; - memcpy(buf, buf + found + sep_length, pos - found - sep_length); + memcpy(buf, outbuf + found + sep_length, pos - found - sep_length); bufpos = pos - found - sep_length; } - return found; + return found; } } @@ -511,7 +513,7 @@ bool Raw::DoUpdate() // and let's check if the child process is still alive int return_code; - if ( waitpid(childpid, &return_code, WNOHANG) != 0 ) { + if ( childpid != -1 && waitpid(childpid, &return_code, WNOHANG) != 0 ) { // child died :( bool signal = false; int code = 0; diff --git a/src/input/readers/Raw.h b/src/input/readers/Raw.h index 8ea03a70b4..6dbae21002 100644 --- a/src/input/readers/Raw.h +++ b/src/input/readers/Raw.h @@ -45,7 +45,7 @@ private: unsigned int sep_length; // length of the separator static const int block_size; - uint64_t bufpos; + int bufpos; char* buf; char* outbuf; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.long/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.long/out new file mode 100644 index 0000000000..fac8e79c0b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.long/out @@ -0,0 +1,2 @@ +Input::EVENT_NEW +8193 diff --git a/testing/btest/scripts/base/frameworks/input/raw/long.bro b/testing/btest/scripts/base/frameworks/input/raw/long.bro new file mode 100644 index 0000000000..ac07639f77 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/raw/long.bro 
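Review bot: `delete buf;` in the context of the `@@ -336` hunk releases memory obtained with `new char[block_size]` (visible in the `@@ -294` hunk), which is undefined behaviour; it should be `delete [] buf;`. The same mismatch presumably applies wherever the reader frees `buf` or `outbuf`, which is outside this hunk. The `childpid != -1` guard in the `@@ -511` hunk is a sound addition; a short comment such as `// -1: no child process was spawned for this source` would document the sentinel, assuming that is how `childpid` is initialised elsewhere.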
@@ -0,0 +1,37 @@ +# @TEST-EXEC: dd if=/dev/zero of=input.log bs=8193 count=1 +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff out +# +# this test should be longer than one block-size. to test behavior of input-reader if it has to re-allocate stuff. + +redef exit_only_after_terminate = T; + +global outfile: file; +global try: count; + +module A; + +type Val: record { + s: string; +}; + +event line(description: Input::EventDescription, tpe: Input::Event, s: string) + { + print outfile, tpe; + print outfile, |s|; + try = try + 1; + if ( try == 1 ) + { + close(outfile); + terminate(); + } + } + +event bro_init() + { + try = 0; + outfile = open("../out"); + Input::add_event([$source="../input.log", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line, $want_record=F]); + Input::remove("input"); + } From f1745ff488df3b9e6c7b446576d1aff446d3f4d3 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 27 May 2013 23:07:37 -0700 Subject: [PATCH 078/200] fix stderr test. ls behaves differently on errors on linux... --- .../scripts.base.frameworks.input.raw.stderr/out | 8 ++++---- .../scripts/base/frameworks/input/raw/stderr.bro | 16 ++++++++++++++-- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out index 4900bc8ff8..e7ff580dfd 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out @@ -1,6 +1,6 @@ Process finished event input -1 +Exit code != 0 Input::EVENT_NEW ..: F 
@@ -14,13 +14,13 @@ Input::EVENT_NEW stderr.bro F Input::EVENT_NEW -ls: ../nonexistant: No such file or directory +stderr output contained nonexistant T Input::EVENT_NEW -ls: ../nonexistant2: No such file or directory +stderr output contained nonexistant T Input::EVENT_NEW -ls: ../nonexistant3: No such file or directory +stderr output contained nonexistant T done End of Data event diff --git a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro index c85ee8b0ef..e84ed048cd 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro @@ -15,7 +15,18 @@ global outfile: file; event line(description: Input::EventDescription, tpe: Input::Event, s: string, is_stderr: bool) { print outfile, tpe; - print outfile, s; + if ( is_stderr ) + { + # work around localized error messages. and if some localization does not include the filename... well... that would be bad :) + if ( strstr(s, "nonexistant") > 0 ) + { + print outfile, "stderr output contained nonexistant"; + } + } + else + { + print outfile, s; + } print outfile, is_stderr; try = try + 1; @@ -38,7 +49,8 @@ event InputRaw::process_finished(name: string, source:string, exit_code:count, s { print outfile, "Process finished event"; print outfile, name; - print outfile, exit_code; + if ( exit_code != 0 ) + print outfile, "Exit code != 0"; } event bro_init() From 22a4113ac3e0a9c977fd51f429c385ba0f2ea1a2 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 28 May 2013 16:21:29 -0500 Subject: [PATCH 079/200] Dangling pointer fix. Addresses #1004. --- src/Sessions.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Sessions.cc b/src/Sessions.cc index 2e5a6ded30..00f3bd539c 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc 
@@ -1159,12 +1159,12 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, if ( ! WantConnection(src_h, dst_h, tproto, flags, flip) ) return 0; + ConnID flip_id = *id; + if ( flip ) { // Make a guess that we're seeing the tail half of // an analyzable connection. - ConnID flip_id = *id; - const IPAddr ta = flip_id.src_addr; flip_id.src_addr = flip_id.dst_addr; flip_id.dst_addr = ta; From 9e32eaad6db992e60a3d669c4d8c7b5016cc8cbc Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Tue, 28 May 2013 20:58:01 -0700 Subject: [PATCH 080/200] Make bitvectors serializable. --- src/BitVector.cc | 57 +++++++++++++++++++++++++++++++++++++++++++++-- src/BitVector.h | 13 ++++++++--- src/SerialTypes.h | 2 ++ 3 files changed, 67 insertions(+), 5 deletions(-) diff --git a/src/BitVector.cc b/src/BitVector.cc index 2f714a6c79..f57301d506 100644 --- a/src/BitVector.cc +++ b/src/BitVector.cc @@ -2,6 +2,7 @@ #include #include +#include "Serializer.h" BitVector::size_type BitVector::npos = static_cast(-1); BitVector::block_type BitVector::bits_per_block = @@ -62,7 +63,7 @@ BitVector::Reference& BitVector::Reference::operator=(Reference const& other) BitVector::Reference& BitVector::Reference::operator|=(bool x) { - if (x) + if (x) block_ |= mask_; return *this; } @@ -73,7 +74,7 @@ BitVector::Reference& BitVector::Reference::operator&=(bool x) block_ &= ~mask_; return *this; } - + BitVector::Reference& BitVector::Reference::operator^=(bool x) { if (x) 
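Review bot: Hoisting `ConnID flip_id = *id;` to function scope fixes the lifetime problem, but nothing in the code now says why the copy must live outside the `if`, so a later cleanup could move it back; a comment on the declaration would pin it, e.g. `// Declared at function scope: when flipping, id is re-pointed at this copy below and must stay valid for the rest of NewConn.` The code that re-points `id` is outside the hunk, so the wording should be checked against it.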
@@ -453,3 +454,55 @@ BitVector::size_type BitVector::find_from(size_type i) const return npos; return i * bits_per_block + lowest_bit(bits_[i]); } + +bool BitVector::Serialize(SerialInfo* info) const + { + return SerialObj::Serialize(info); + } + +BitVector* BitVector::Unserialize(UnserialInfo* info) + { + return reinterpret_cast( + SerialObj::Unserialize(info, SER_BITVECTOR)); + } + +IMPLEMENT_SERIAL(BitVector, SER_BITVECTOR); + +bool BitVector::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_BITVECTOR, SerialObj); + + if ( ! SERIALIZE(static_cast(bits_.size())) ) + return false; + + for (size_t i = 0; i < bits_.size(); ++i) + if ( ! SERIALIZE(static_cast(bits_[i])) ) + return false; + + return SERIALIZE(static_cast(num_bits_)); + } + +bool BitVector::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(SerialObj); + + uint64 size; + if ( ! UNSERIALIZE(&size) ) + return false; + + bits_.resize(static_cast(size)); + uint64 block; + for ( size_t i = 0; i < bits_.size(); ++i ) + { + if ( ! UNSERIALIZE(&block) ) + return false; + bits_[i] = static_cast(block); + } + + uint64 num_bits; + if ( ! UNSERIALIZE(&num_bits) ) + return false; + num_bits_ = static_cast(num_bits); + + return true; + } diff --git a/src/BitVector.h b/src/BitVector.h index 46d7e2df8f..9900dd103e 100644 --- a/src/BitVector.h +++ b/src/BitVector.h @@ -3,11 +3,12 @@ #include #include +#include "SerialObj.h" /** * A vector of bits. */ -class BitVector { +class BitVector : SerialObj { public: typedef size_t block_type; typedef size_t size_type; @@ -42,7 +43,7 @@ public: typedef bool const_reference; /** - * Constructs an empty bit vector. + * Default-constructs an empty bit vector. */ BitVector(); @@ -253,6 +254,12 @@ public: */ size_type find_next(size_type i) const; + bool Serialize(SerialInfo* info) const; + static BitVector* Unserialize(UnserialInfo* info); + +protected: + DECLARE_SERIAL(BitVector); + private: /** * Computes the block index for a given bit position. 
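Review bot: `DoUnserialize` accepts whatever `size` and `num_bits` the stream carries: `bits_.resize(static_cast<size_t>(size))` allocates a stream-chosen number of blocks before a single block has been read, and `num_bits_` is stored without checking that it fits in `bits_.size() * bits_per_block`, after which `set()`, `flip()` and `operator[]` index past `bits_` even though their `assert(i < num_bits_)` passes. Rejecting the inconsistency before the assignment closes the second gap, `if ( num_bits > static_cast<uint64>(bits_.size()) * bits_per_block ) return false;`, and a sanity bound on `size` (against the remaining input or a configured maximum) would bound the allocation. Also, `Unserialize` converts the `SerialObj*` with `reinterpret_cast`; with `SerialObj` as the only base, `static_cast<BitVector*>` expresses the derived-class conversion and lets the compiler check it. Note that `class BitVector : SerialObj` in the header hunk inherits privately; confirm that is intended, since the serialization framework may expect the base to be reachable from outside the class.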
@@ -286,7 +293,7 @@ private: */ static size_type bits_to_blocks(size_type bits) { - return bits / bits_per_block + return bits / bits_per_block + static_cast(bits % bits_per_block != 0); } diff --git a/src/SerialTypes.h b/src/SerialTypes.h index 723badab1e..c9c0c34a33 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -49,6 +49,7 @@ SERIAL_IS(STATE_ACCESS, 0x1100) SERIAL_IS_BO(CASE, 0x1200) SERIAL_IS(LOCATION, 0x1300) SERIAL_IS(RE_MATCHER, 0x1400) +SERIAL_IS(BITVECTOR, 0x1500) // These are the externally visible types. const SerialType SER_NONE = 0; @@ -202,5 +203,6 @@ SERIAL_CONST2(STATE_ACCESS) SERIAL_CONST2(CASE) SERIAL_CONST2(LOCATION) SERIAL_CONST2(RE_MATCHER) +SERIAL_CONST2(BITVECTOR) #endif From a0ad87b4c2ac9c1028d7c22f231d57c5d6fa5184 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 29 May 2013 12:48:15 -0500 Subject: [PATCH 081/200] Allow named record constructors. Addresses #983. --- src/Expr.cc | 41 +++++++++++++++++-- src/Expr.h | 17 +++++++- src/Type.h | 5 +++ src/parse.y | 35 ++++++++++++++-- .../btest/Baseline/language.named-ctors/out | 2 + testing/btest/language/named-ctors.bro | 12 ++++++ 6 files changed, 105 insertions(+), 7 deletions(-) create mode 100644 testing/btest/Baseline/language.named-ctors/out create mode 100644 testing/btest/language/named-ctors.bro diff --git a/src/Expr.cc b/src/Expr.cc index 12d3d72304..32fc9b5acc 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
@@ -3320,12 +3320,20 @@ bool HasFieldExpr::DoUnserialize(UnserialInfo* info) return UNSERIALIZE(¬_used) && UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field); } -RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list) +RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list, + BroType* arg_type) : UnaryExpr(EXPR_RECORD_CONSTRUCTOR, constructor_list) { if ( IsError() ) return; + if ( arg_type && arg_type->Tag() != TYPE_RECORD ) + { + Error("bad record constructor type", arg_type); + SetError(); + return; + } + // Spin through the list, which should be comprised of // either record's or record-field-assign, and build up a // record type to associate with this constructor. @@ -3365,7 +3373,17 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list) } } - SetType(new RecordType(record_types)); + ctor_type = new RecordType(record_types); + + if ( arg_type ) + SetType(arg_type->Ref()); + else + SetType(ctor_type->Ref()); + } + +RecordConstructorExpr::~RecordConstructorExpr() + { + Unref(ctor_type); } Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const @@ -3391,7 +3409,7 @@ Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const Val* RecordConstructorExpr::Fold(Val* v) const { ListVal* lv = v->AsListVal(); - RecordType* rt = type->AsRecordType(); + RecordType* rt = ctor_type->AsRecordType(); if ( lv->Length() != rt->NumFields() ) Internal("inconsistency evaluating record constructor"); @@ -3401,6 +3419,19 @@ Val* RecordConstructorExpr::Fold(Val* v) const for ( int i = 0; i < lv->Length(); ++i ) rv->Assign(i, lv->Index(i)->Ref()); + if ( ! same_type(rt, type) ) + { + RecordVal* new_val = rv->CoerceTo(type->AsRecordType()); + + if ( new_val ) + { + Unref(rv); + rv = new_val; + } + else + Internal("record constructor coercion failed"); + } + return rv; } 
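Review bot: `ctor_type` is left uninitialised on the early-return paths of the constructor — the existing `if ( IsError() ) return;` and the new `arg_type->Tag() != TYPE_RECORD` check both return before `ctor_type = new RecordType(record_types)` — and the new destructor then calls `Unref(ctor_type)` on an indeterminate pointer. Initialising it in the member initialiser list, `: UnaryExpr(EXPR_RECORD_CONSTRUCTOR, constructor_list), ctor_type(0)`, makes the destructor safe, provided `Unref` tolerates a null argument (worth confirming). In `Fold`, a failed `CoerceTo` is reported as `Internal(...)`; if a mismatch between `ctor_type` and the named type can arise from script input rather than from an interpreter bug, a regular error is the better report, which depends on what the constructor already rejects.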
@@ -3416,12 +3447,16 @@ IMPLEMENT_SERIAL(RecordConstructorExpr, SER_RECORD_CONSTRUCTOR_EXPR); bool RecordConstructorExpr::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_RECORD_CONSTRUCTOR_EXPR, UnaryExpr); + SERIALIZE_OPTIONAL(ctor_type); return true; } bool RecordConstructorExpr::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(UnaryExpr); + BroType* t = 0; + UNSERIALIZE_OPTIONAL(t, RecordType::Unserialize(info)); + ctor_type = t->AsRecordType(); return true; } diff --git a/src/Expr.h b/src/Expr.h index bb7526d502..edc1ced6e5 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -57,6 +57,7 @@ extern const char* expr_name(BroExprTag t); class Stmt; class Frame; class ListExpr; +class NameExpr; class CallExpr; class EventExpr; @@ -165,6 +166,17 @@ public: return (ListExpr*) this; } + const NameExpr* AsNameExpr() const + { + CHECK_TAG(tag, EXPR_NAME, "ExprVal::AsNameExpr", expr_name) + return (const NameExpr*) this; + } + NameExpr* AsNameExpr() + { + CHECK_TAG(tag, EXPR_NAME, "ExprVal::AsNameExpr", expr_name) + return (NameExpr*) this; + } + void Describe(ODesc* d) const; bool Serialize(SerialInfo* info) const; @@ -729,7 +741,8 @@ protected: class RecordConstructorExpr : public UnaryExpr { public: - RecordConstructorExpr(ListExpr* constructor_list); + RecordConstructorExpr(ListExpr* constructor_list, BroType* arg_type = 0); + ~RecordConstructorExpr(); protected: friend class Expr; @@ -741,6 +754,8 @@ protected: void ExprDescribe(ODesc* d) const; DECLARE_SERIAL(RecordConstructorExpr); + + RecordType* ctor_type; // type inferred from the ctor expression list args }; class TableConstructorExpr : public UnaryExpr { diff --git a/src/Type.h b/src/Type.h index 0b7620cd68..bad51776d9 100644 --- a/src/Type.h +++ b/src/Type.h @@ -217,6 +217,11 @@ public: return tag == TYPE_TABLE && (YieldType() == 0); } + int IsTable() const + { + return tag == TYPE_TABLE && (YieldType() != 0); + } + BroType* Ref() { ::Ref(this); return this; } virtual void Describe(ODesc* d) const; 
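Review bot: `DoUnserialize` dereferences `t` unconditionally in `ctor_type = t->AsRecordType();`, but `UNSERIALIZE_OPTIONAL` leaves `t` null when the stream marks the field absent, so a truncated or malformed serialized expression crashes the reader instead of failing. Either guard the conversion, `ctor_type = t ? t->AsRecordType() : 0;`, or treat a missing type as a deserialization failure with `if ( ! t ) return false;`, whichever matches what `Fold` expects `ctor_type` to hold. The `IsTable()` helper added in Type.h mirrors the neighbouring check on `YieldType()`; a one-line comment noting that a `TYPE_TABLE` without a yield type is a set would make the pair self-explanatory.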
diff --git a/src/parse.y b/src/parse.y index 7ce1174595..bfaf282c6a 100644 --- a/src/parse.y +++ b/src/parse.y @@ -522,10 +522,39 @@ expr: $$ = new VectorConstructorExpr($3); } - | expr '(' opt_expr_list ')' + | expr '(' { - set_location(@1, @4); - $$ = new CallExpr($1, $3, in_hook > 0); + if ( $1->Tag() == EXPR_NAME && $1->Type()->IsTable() ) + ++in_init; + } + opt_expr_list + { + if ( $1->Tag() == EXPR_NAME && $1->Type()->IsTable() ) + --in_init; + } + ')' + { + set_location(@1, @6); + + BroType* ctor_type = 0; + + if ( $1->Tag() == EXPR_NAME && + (ctor_type = $1->AsNameExpr()->Id()->AsType()) ) + { + switch ( ctor_type->Tag() ) { + case TYPE_RECORD: + $$ = new RecordConstructorExpr($4, ctor_type); + break; + case TYPE_TABLE: + case TYPE_VECTOR: + default: + $1->Error("constructor type not implemented"); + YYERROR; + } + } + + else + $$ = new CallExpr($1, $4, in_hook > 0); } | TOK_HOOK { ++in_hook; } expr diff --git a/testing/btest/Baseline/language.named-ctors/out b/testing/btest/Baseline/language.named-ctors/out new file mode 100644 index 0000000000..39b2ed7c0b --- /dev/null +++ b/testing/btest/Baseline/language.named-ctors/out @@ -0,0 +1,2 @@ +[min=, max=2] +[min=7, max=42] diff --git a/testing/btest/language/named-ctors.bro b/testing/btest/language/named-ctors.bro new file mode 100644 index 0000000000..7f04b9d4b0 --- /dev/null +++ b/testing/btest/language/named-ctors.bro @@ -0,0 +1,12 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +type MyRec: record { + min: count &optional; + max: count; +}; + +local myrec: MyRec = MyRec($max=2); +print myrec; +myrec = MyRec($min=7, $max=42); +print myrec; From b256642f273e4b53cd9520acebd3bf5b4fdde60d Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Wed, 29 May 2013 15:11:44 -0500 Subject: [PATCH 082/200] Allow named set constructors. Addresses #983. --- src/Expr.cc | 59 +++++++++++++++++-- src/Expr.h | 3 +- src/parse.y | 9 +++ .../out | 0 .../Baseline/language.named-set-ctors/out | 9 +++ ...named-ctors.bro => named-record-ctors.bro} | 0 testing/btest/language/named-set-ctors.bro | 11 ++++ 7 files changed, 86 insertions(+), 5 deletions(-) rename testing/btest/Baseline/{language.named-ctors => language.named-record-ctors}/out (100%) create mode 100644 testing/btest/Baseline/language.named-set-ctors/out rename testing/btest/language/{named-ctors.bro => named-record-ctors.bro} (100%) create mode 100644 testing/btest/language/named-set-ctors.bro diff --git a/src/Expr.cc b/src/Expr.cc index 32fc9b5acc..0888ee6336 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -3537,16 +3537,30 @@ bool TableConstructorExpr::DoUnserialize(UnserialInfo* info) } SetConstructorExpr::SetConstructorExpr(ListExpr* constructor_list, - attr_list* arg_attrs) + attr_list* arg_attrs, BroType* arg_type) : UnaryExpr(EXPR_SET_CONSTRUCTOR, constructor_list) { if ( IsError() ) return; - if ( constructor_list->Exprs().length() == 0 ) - SetType(new ::SetType(new TypeList(base_type(TYPE_ANY)), 0)); + if ( arg_type ) + { + if ( ! arg_type->IsSet() ) + { + Error("bad set constructor type", arg_type); + SetError(); + return; + } + + SetType(arg_type->Ref()); + } else - SetType(init_type(constructor_list)); + { + if ( constructor_list->Exprs().length() == 0 ) + SetType(new ::SetType(new TypeList(base_type(TYPE_ANY)), 0)); + else + SetType(init_type(constructor_list)); + } if ( ! type ) SetError(); 
@@ -3555,6 +3569,43 @@ SetConstructorExpr::SetConstructorExpr(ListExpr* constructor_list, SetError("values in set(...) constructor do not specify a set"); attrs = arg_attrs ? new Attributes(arg_attrs, type, false) : 0; + + type_list* indices = type->AsTableType()->Indices()->Types(); + expr_list& cle = constructor_list->Exprs(); + + loop_over_list(cle, i) + { + Expr* ce = cle[i]; + + if ( ce->Tag() == EXPR_LIST ) + { + // check promote each expression in composite index + expr_list& el = ce->AsListExpr()->Exprs(); + + if ( el.length() != indices->length() ) + { + ExprError("inconsistent index type length in set constructor"); + return; + } + + loop_over_list(el, j) + { + Expr* e = el[j]; + + if ( ! check_and_promote_expr(e, (*indices)[j]) ) + { + ExprError("inconsistent index type in set constructor"); + return; + } + } + } + + else if ( indices->length() == 1 ) + { + if ( ! check_and_promote_expr(ce, (*indices)[0]) ) + ExprError("inconsistent index type in set constructor"); + } + } } Val* SetConstructorExpr::Eval(Frame* f) const diff --git a/src/Expr.h b/src/Expr.h index edc1ced6e5..e2cc1375a3 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -782,7 +782,8 @@ protected: class SetConstructorExpr : public UnaryExpr { public: - SetConstructorExpr(ListExpr* constructor_list, attr_list* attrs); + SetConstructorExpr(ListExpr* constructor_list, attr_list* attrs, + BroType* arg_type = 0); ~SetConstructorExpr() { Unref(attrs); } Attributes* Attrs() { return attrs; } diff --git a/src/parse.y b/src/parse.y index bfaf282c6a..ac57dea5e9 100644 --- a/src/parse.y +++ b/src/parse.y @@ -546,6 +546,15 @@ expr: $$ = new RecordConstructorExpr($4, ctor_type); break; case TYPE_TABLE: + if ( ctor_type->IsTable() ) + { + $1->Error("constructor type not implemented"); + YYERROR; + } + else + $$ = new SetConstructorExpr($4, 0, ctor_type); + + break; case TYPE_VECTOR: default: $1->Error("constructor type not implemented"); 
diff --git a/testing/btest/Baseline/language.named-ctors/out b/testing/btest/Baseline/language.named-record-ctors/out similarity index 100% rename from testing/btest/Baseline/language.named-ctors/out rename to testing/btest/Baseline/language.named-record-ctors/out diff --git a/testing/btest/Baseline/language.named-set-ctors/out b/testing/btest/Baseline/language.named-set-ctors/out new file mode 100644 index 0000000000..e7b0ca6b67 --- /dev/null +++ b/testing/btest/Baseline/language.named-set-ctors/out @@ -0,0 +1,9 @@ +{ +1, +5, +3 +} +{ +[test, 1] , +[cool, 2] +} diff --git a/testing/btest/language/named-ctors.bro b/testing/btest/language/named-record-ctors.bro similarity index 100% rename from testing/btest/language/named-ctors.bro rename to testing/btest/language/named-record-ctors.bro diff --git a/testing/btest/language/named-set-ctors.bro b/testing/btest/language/named-set-ctors.bro new file mode 100644 index 0000000000..5c7e0b1398 --- /dev/null +++ b/testing/btest/language/named-set-ctors.bro @@ -0,0 +1,11 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +type FooSet: set[count]; +type FooSetComp: set[string, count]; + +global myset: FooSet = FooSet(1, 5, 3); +global mysetcomp: FooSetComp = FooSetComp(["test", 1], ["cool", 2]); + +print myset; +print mysetcomp; From 29740d3d6e5eb311f22f3ddd7b5407371ecab7eb Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 29 May 2013 16:49:12 -0500 Subject: [PATCH 083/200] Improve set constructor argument coercion. --- src/Expr.cc | 41 ++++++++----------- .../Baseline/language.named-set-ctors/out | 4 ++ testing/btest/language/named-set-ctors.bro | 8 ++++ 3 files changed, 29 insertions(+), 24 deletions(-) diff --git a/src/Expr.cc b/src/Expr.cc index 0888ee6336..777fa5fe26 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
@@ -3573,37 +3573,30 @@ SetConstructorExpr::SetConstructorExpr(ListExpr* constructor_list, type_list* indices = type->AsTableType()->Indices()->Types(); expr_list& cle = constructor_list->Exprs(); - loop_over_list(cle, i) + if ( indices->length() == 1 ) { - Expr* ce = cle[i]; + if ( ! check_and_promote_exprs_to_type(constructor_list, + (*indices)[0]) ) + ExprError("inconsistent type in set constructor"); + } - if ( ce->Tag() == EXPR_LIST ) + else if ( indices->length() > 1 ) + { + // check/promote each expression in composite index + loop_over_list(cle, i) { - // check promote each expression in composite index - expr_list& el = ce->AsListExpr()->Exprs(); + Expr* ce = cle[i]; + ListExpr* le = ce->AsListExpr(); - if ( el.length() != indices->length() ) + if ( ce->Tag() == EXPR_LIST && + check_and_promote_exprs(le, type->AsTableType()->Indices()) ) { - ExprError("inconsistent index type length in set constructor"); - return; + if ( le != cle[i] ) + cle.replace(i, le); + continue; } - loop_over_list(el, j) - { - Expr* e = el[j]; - - if ( ! check_and_promote_expr(e, (*indices)[j]) ) - { - ExprError("inconsistent index type in set constructor"); - return; - } - } - } - - else if ( indices->length() == 1 ) - { - if ( ! check_and_promote_expr(ce, (*indices)[0]) ) - ExprError("inconsistent index type in set constructor"); + ExprError("inconsistent types in set constructor"); } } } diff --git a/testing/btest/Baseline/language.named-set-ctors/out b/testing/btest/Baseline/language.named-set-ctors/out index e7b0ca6b67..66b0baed7f 100644 --- a/testing/btest/Baseline/language.named-set-ctors/out +++ b/testing/btest/Baseline/language.named-set-ctors/out @@ -4,6 +4,10 @@ 3 } { +[min=, max=5], +[min=, max=2] +} +{ [test, 1] , [cool, 2] } diff --git a/testing/btest/language/named-set-ctors.bro b/testing/btest/language/named-set-ctors.bro index 5c7e0b1398..083937c42e 100644 --- a/testing/btest/language/named-set-ctors.bro +++ b/testing/btest/language/named-set-ctors.bro 
@@ -1,11 +1,19 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out +type MyRec: record { + min: count &optional; + max: count; +}; + type FooSet: set[count]; +type FooSetRec: set[MyRec]; type FooSetComp: set[string, count]; global myset: FooSet = FooSet(1, 5, 3); +global mysetrec: FooSetRec = FooSetRec([$max=5], [$max=2]); global mysetcomp: FooSetComp = FooSetComp(["test", 1], ["cool", 2]); print myset; +print mysetrec; print mysetcomp; From bcf5c41786d981b04ed62629fb8db03677f3e700 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 30 May 2013 10:21:15 -0500 Subject: [PATCH 084/200] Allow named table constructors. Addresses #983. --- src/Expr.cc | 66 ++++++++++++++++--- src/Expr.h | 15 ++++- src/parse.y | 7 +- .../Baseline/language.named-table-ctors/out | 19 ++++++ testing/btest/language/named-table-ctors.bro | 24 +++++++ 5 files changed, 117 insertions(+), 14 deletions(-) create mode 100644 testing/btest/Baseline/language.named-table-ctors/out create mode 100644 testing/btest/language/named-table-ctors.bro diff --git a/src/Expr.cc b/src/Expr.cc index 777fa5fe26..ca980e5acc 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
@@ -3461,27 +3461,75 @@ bool RecordConstructorExpr::DoUnserialize(UnserialInfo* info) } TableConstructorExpr::TableConstructorExpr(ListExpr* constructor_list, - attr_list* arg_attrs) + attr_list* arg_attrs, BroType* arg_type) : UnaryExpr(EXPR_TABLE_CONSTRUCTOR, constructor_list) { if ( IsError() ) return; - if ( constructor_list->Exprs().length() == 0 ) - SetType(new TableType(new TypeList(base_type(TYPE_ANY)), 0)); + if ( arg_type ) + { + if ( ! arg_type->IsTable() ) + { + Error("bad table constructor type", arg_type); + SetError(); + return; + } + + SetType(arg_type->Ref()); + } else { - SetType(init_type(constructor_list)); + if ( constructor_list->Exprs().length() == 0 ) + SetType(new TableType(new TypeList(base_type(TYPE_ANY)), 0)); + else + { + SetType(init_type(constructor_list)); - if ( ! type ) - SetError(); + if ( ! type ) + SetError(); - else if ( type->Tag() != TYPE_TABLE || - type->AsTableType()->IsSet() ) - SetError("values in table(...) constructor do not specify a table"); + else if ( type->Tag() != TYPE_TABLE || + type->AsTableType()->IsSet() ) + SetError("values in table(...) constructor do not specify a table"); + } } attrs = arg_attrs ? 
new Attributes(arg_attrs, type, false) : 0; + + type_list* indices = type->AsTableType()->Indices()->Types(); + expr_list& cle = constructor_list->Exprs(); + + // check and promote all index expressions in ctor list + loop_over_list(cle, i) + { + if ( cle[i]->Tag() != EXPR_ASSIGN ) + continue; + + Expr* idx_expr = cle[i]->AsAssignExpr()->Op1(); + + if ( idx_expr->Tag() != EXPR_LIST ) + continue; + + expr_list& idx_exprs = idx_expr->AsListExpr()->Exprs(); + + if ( idx_exprs.length() != indices->length() ) + continue; + + loop_over_list(idx_exprs, j) + { + Expr* idx = idx_exprs[j]; + + if ( check_and_promote_expr(idx, (*indices)[j]) ) + { + if ( idx != idx_exprs[j] ) + idx_exprs.replace(j, idx); + continue; + } + + ExprError("inconsistent types in table constructor"); + } + } } Val* TableConstructorExpr::Eval(Frame* f) const diff --git a/src/Expr.h b/src/Expr.h index e2cc1375a3..ff97c52178 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -58,6 +58,7 @@ class Stmt; class Frame; class ListExpr; class NameExpr; +class AssignExpr; class CallExpr; class EventExpr; @@ -177,6 +178,17 @@ public: return (NameExpr*) this; } + const AssignExpr* AsAssignExpr() const + { + CHECK_TAG(tag, EXPR_ASSIGN, "ExprVal::AsAssignExpr", expr_name) + return (const AssignExpr*) this; + } + AssignExpr* AsAssignExpr() + { + CHECK_TAG(tag, EXPR_ASSIGN, "ExprVal::AsAssignExpr", expr_name) + return (AssignExpr*) this; + } + void Describe(ODesc* d) const; bool Serialize(SerialInfo* info) const; @@ -760,7 +772,8 @@ protected: class TableConstructorExpr : public UnaryExpr { public: - TableConstructorExpr(ListExpr* constructor_list, attr_list* attrs); + TableConstructorExpr(ListExpr* constructor_list, attr_list* attrs, + BroType* arg_type = 0); ~TableConstructorExpr() { Unref(attrs); } Attributes* Attrs() { return attrs; } diff --git a/src/parse.y b/src/parse.y index ac57dea5e9..74588408fa 100644 --- a/src/parse.y +++ b/src/parse.y 
@@ -545,16 +545,15 @@ expr: case TYPE_RECORD: $$ = new RecordConstructorExpr($4, ctor_type); break; + case TYPE_TABLE: if ( ctor_type->IsTable() ) - { - $1->Error("constructor type not implemented"); - YYERROR; - } + $$ = new TableConstructorExpr($4, 0, ctor_type); else $$ = new SetConstructorExpr($4, 0, ctor_type); break; + case TYPE_VECTOR: default: $1->Error("constructor type not implemented"); diff --git a/testing/btest/Baseline/language.named-table-ctors/out b/testing/btest/Baseline/language.named-table-ctors/out new file mode 100644 index 0000000000..23554d10f6 --- /dev/null +++ b/testing/btest/Baseline/language.named-table-ctors/out @@ -0,0 +1,19 @@ +{ +[1] = one, +[5] = five, +[3] = three +} +{ +[[min=, max=5]] = max5, +[[min=, max=2]] = max2 +} +{ +[test, 1] = test1, +[cool, 2] = cool2 +} +{ +[two] = 2.0, +[one] = 1.0, +[three] = 3.0 +} +0 diff --git a/testing/btest/language/named-table-ctors.bro b/testing/btest/language/named-table-ctors.bro new file mode 100644 index 0000000000..83500488f1 --- /dev/null +++ b/testing/btest/language/named-table-ctors.bro @@ -0,0 +1,24 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +type MyRec: record { + min: count &optional; + max: count; +}; + +type FooTable: table[count] of string; +type FooTableRec: table[MyRec] of string; +type FooTableComp: table[string, count] of string; +type FooTableY: table[string] of double; + +global mytable: FooTable = FooTable([1] = "one", [5] = "five", [3] = "three"); +global mytablerec: FooTableRec = FooTableRec([[$max=5]] = "max5", [[$max=2]] = "max2"); +global mytablecomp: FooTableComp = FooTableComp(["test", 1] = "test1", ["cool", +2] = "cool2"); +global mytabley: FooTableY = FooTableY(["one"] = 1, ["two"] = 2, ["three"] = 3) &default=0; + +print mytable; +print mytablerec; +print mytablecomp; +print mytabley; +print mytabley["test"]; From a66b7380b6690003c1b0f321f4f7459a8469a901 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 30 May 2013 10:57:28 -0500 Subject: [PATCH 085/200] Allow named vector constructors. Addresses #983. --- src/Expr.cc | 51 +++++++++++++------ src/Expr.h | 2 +- src/parse.y | 3 ++ .../Baseline/language.named-vector-ctors/out | 3 ++ testing/btest/language/named-vector-ctors.bro | 19 +++++++ 5 files changed, 61 insertions(+), 17 deletions(-) create mode 100644 testing/btest/Baseline/language.named-vector-ctors/out create mode 100644 testing/btest/language/named-vector-ctors.bro diff --git a/src/Expr.cc b/src/Expr.cc index ca980e5acc..556c153643 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
@@ -3717,31 +3717,50 @@ bool SetConstructorExpr::DoUnserialize(UnserialInfo* info) return true; } -VectorConstructorExpr::VectorConstructorExpr(ListExpr* constructor_list) +VectorConstructorExpr::VectorConstructorExpr(ListExpr* constructor_list, + BroType* arg_type) : UnaryExpr(EXPR_VECTOR_CONSTRUCTOR, constructor_list) { if ( IsError() ) return; - if ( constructor_list->Exprs().length() == 0 ) + if ( arg_type ) { - // vector(). - SetType(new ::VectorType(base_type(TYPE_ANY))); - return; - } + if ( arg_type->Tag() != TYPE_VECTOR ) + { + Error("bad vector constructor type", arg_type); + SetError(); + return; + } - BroType* t = merge_type_list(constructor_list); - if ( t ) - { - SetType(new VectorType(t->Ref())); - - if ( ! check_and_promote_exprs_to_type(constructor_list, t) ) - ExprError("inconsistent types in vector constructor"); - - Unref(t); + SetType(arg_type->Ref()); } else - SetError(); + { + if ( constructor_list->Exprs().length() == 0 ) + { + // vector(). + SetType(new ::VectorType(base_type(TYPE_ANY))); + return; + } + + BroType* t = merge_type_list(constructor_list); + + if ( t ) + { + SetType(new VectorType(t->Ref())); + Unref(t); + } + else + { + SetError(); + return; + } + } + + if ( ! check_and_promote_exprs_to_type(constructor_list, + type->AsVectorType()->YieldType()) ) + ExprError("inconsistent types in vector constructor"); } Val* VectorConstructorExpr::Eval(Frame* f) const diff --git a/src/Expr.h b/src/Expr.h index ff97c52178..2dca42ef09 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -818,7 +818,7 @@ protected: class VectorConstructorExpr : public UnaryExpr { public: - VectorConstructorExpr(ListExpr* constructor_list); + VectorConstructorExpr(ListExpr* constructor_list, BroType* arg_type = 0); Val* Eval(Frame* f) const; diff --git a/src/parse.y b/src/parse.y index 74588408fa..2b86057f3c 100644 --- a/src/parse.y +++ b/src/parse.y 
@@ -555,6 +555,9 @@ expr: break; case TYPE_VECTOR: + $$ = new VectorConstructorExpr($4, ctor_type); + break; + default: $1->Error("constructor type not implemented"); YYERROR; diff --git a/testing/btest/Baseline/language.named-vector-ctors/out b/testing/btest/Baseline/language.named-vector-ctors/out new file mode 100644 index 0000000000..53ed260c93 --- /dev/null +++ b/testing/btest/Baseline/language.named-vector-ctors/out @@ -0,0 +1,3 @@ +[one, two, three] +[1.0, 2.0, 3.0] +[[min=, max=1], [min=, max=2], [min=, max=3]] diff --git a/testing/btest/language/named-vector-ctors.bro b/testing/btest/language/named-vector-ctors.bro new file mode 100644 index 0000000000..1e0e1e9e55 --- /dev/null +++ b/testing/btest/language/named-vector-ctors.bro @@ -0,0 +1,19 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +type MyRec: record { + min: count &optional; + max: count; +}; + +type FooVector: vector of string; +type FooVectorD: vector of double; +type FooVectorRec: vector of MyRec; + +global myvec: FooVector = FooVector("one", "two", "three"); +global myvecd: FooVectorD = FooVectorD(1, 2, 3); +global myvecrec: FooVectorRec = FooVectorRec([$max=1], [$max=2], [$max=3]); + +print myvec; +print myvecd; +print myvecrec; From 4301002f1adcf31ce23c61239671a6f5e19f47e7 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 30 May 2013 11:41:22 -0500 Subject: [PATCH 086/200] Add named constructor examples to docs. --- doc/scripts/builtins.rst | 75 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/doc/scripts/builtins.rst b/doc/scripts/builtins.rst index 369f38c9eb..937c0ea00d 100644 --- a/doc/scripts/builtins.rst +++ b/doc/scripts/builtins.rst 
@@ -246,6 +246,31 @@ The Bro scripting language supports the following built-in types. [5] = "five", }; + A table constructor (equivalent to above example) can also be used + to create a table: + + .. code:: bro + + global t2: table[count] of string = table( + [11] = "eleven", + [5] = "five" + ); + + Table constructors can also be explicitly named by a type, which is + useful for when a more complex index type could otherwise be + ambiguous: + + .. code:: bro + + type MyRec: record { + a: count &optional; + b: count; + }; + + type MyTable: table[MyRec] of string; + + global t3 = MyTable([[$b=5]] = "b5", [[$b=7]] = "b7"); + Accessing table elements if provided by enclosing values within square brackets (``[]``), for example: @@ -308,6 +333,28 @@ The Bro scripting language supports the following built-in types. The types are explicitly shown in the example above, but they could have been left to type inference. + A set constructor (equivalent to above example) can also be used to + create a set: + + .. code:: bro + + global s3: set[port] = set(21/tcp, 23/tcp, 80/tcp 443/tcp); + + Set constructors can also be explicitly named by a type, which is + useful for when a more complex index type could otherwise be + ambiguous: + + .. code:: bro + + type MyRec: record { + a: count &optional; + b: count; + }; + + type MySet: set[MyRec]; + + global s4 = MySet([$b=1], [$b=2]); + Set membership is tested with ``in``: .. code:: bro @@ -349,6 +396,21 @@ The Bro scripting language supports the following built-in types. global v: vector of string = vector("one", "two", "three"); + Vector constructors can also be explicitly named by a type, which + is useful for when a more complex yield type could otherwise be + ambiguous. + + .. code:: bro + + type MyRec: record { + a: count &optional; + b: count; + }; + + type MyVec: vector of MyRec; + + global v2 = MyVec([$b=1], [$b=2], [$b=3]); + Adding an element to a vector involves accessing/assigning it: .. code:: bro 
@@ -402,6 +464,19 @@ The Bro scripting language supports the following built-in types. if ( r?$s ) ... + Records can also be created using a constructor syntax: + + .. code:: bro + + global r2: MyRecordType = record($c = 7); + + And the constructor can be explicitly named by type, too, which + is arguably more readable code: + + .. code:: bro + + global r3 = MyRecordType($c = 42); + .. bro:type:: opaque A data type whose actual representation/implementation is From e3a7e0301b289b0905b1f92bf69138fd626b5379 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 30 May 2013 16:45:14 -0700 Subject: [PATCH 087/200] Cleanup and more API docs. --- src/analyzer/Analyzer.cc | 1 + src/analyzer/Analyzer.h | 2 +- src/analyzer/Component.cc | 1 + src/analyzer/Component.h | 1 + src/analyzer/Manager.cc | 8 +- src/analyzer/Manager.h | 14 ++-- src/analyzer/Tag.cc | 1 + src/analyzer/Tag.h | 1 + src/analyzer/protocol/TODO | 2 - src/main.cc | 9 +-- src/plugin/Component.cc | 2 + src/plugin/Component.h | 39 ++++++++- src/plugin/DummyPlugin.cc | 28 ------- src/plugin/Macros.h | 81 ++++++++++++++++++- src/plugin/Manager.cc | 9 ++- src/plugin/Manager.h | 71 +++++++++++----- src/plugin/Plugin.cc | 11 ++- src/plugin/Plugin.h | 160 +++++++++++++++++++++++++++++++++---- 18 files changed, 349 insertions(+), 92 deletions(-) delete mode 100644 src/analyzer/protocol/TODO delete mode 100644 src/plugin/DummyPlugin.cc diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index 8e2cbdbbbf..ecd3c9f686 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 5769a6c58a..2d905867eb 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
@@ -1,4 +1,4 @@ -// Main analyzer interface. +// See the file "COPYING" in the main distribution directory for copyright. #ifndef ANALYZER_ANALYZER_H #define ANALYZER_ANALYZER_H diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc index 78705643e9..5844da848f 100644 --- a/src/analyzer/Component.cc +++ b/src/analyzer/Component.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include "Component.h" #include "Manager.h" diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h index 6e72f87155..79d4c12fe5 100644 --- a/src/analyzer/Component.h +++ b/src/analyzer/Component.h @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #ifndef ANALYZER_PLUGIN_COMPONENT_H #define ANALYZER_PLUGIN_COMPONENT_H diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 22912ad19d..5695dec625 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include "Manager.h" @@ -85,9 +86,9 @@ Manager::~Manager() } } -void Manager::Init() +void Manager::InitPreScript() { - std::list analyzers = plugin_mgr->Components(plugin::component::ANALYZER); + std::list analyzers = plugin_mgr->Components(); for ( std::list::const_iterator i = analyzers.begin(); i != analyzers.end(); i++ ) RegisterAnalyzerComponent(*i); @@ -98,10 +99,9 @@ void Manager::Init() analyzer_interconn = GetAnalyzerTag("INTERCONN"); analyzer_stepping = GetAnalyzerTag("STEPPINGSTONE"); analyzer_tcpstats = GetAnalyzerTag("TCPSTATS"); - } -void Manager::InitBifs() +void Manager::InitPostScript() { #include "analyzer.bif.init.cc" } diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 371cad956d..c66fd9eafb 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h 
@@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + /** * The central management unit for registering and instantiating analyzers. * @@ -60,16 +62,16 @@ public: ~Manager(); /** - * Initializes the manager's operation. Must be called before scripts - * are parsed. + * First-stage initializion of the manager. This is called early on + * during Bro's initialization, before any scripts are processed. */ - void Init(); + void InitPreScript(); /** - * Initializes the analyze-related BiFs. Must be called after scripts - * are parsed. + * Second-stage initialization of the manager. This is called late + * during Bro's initialization after any scripts are processed. */ - void InitBifs(); + void InitPostScript(); /** * Finished the manager's operations. diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc index 0459a91a32..469b61a6c5 100644 --- a/src/analyzer/Tag.cc +++ b/src/analyzer/Tag.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include "Tag.h" #include "Manager.h" diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index 4d91e19641..3465ddd008 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #ifndef ANALYZER_TAG_H #define ANALYZER_TAG_H diff --git a/src/analyzer/protocol/TODO b/src/analyzer/protocol/TODO deleted file mode 100644 index d1888a18f1..0000000000 --- a/src/analyzer/protocol/TODO +++ /dev/null @@ -1,2 +0,0 @@ -- cmake dependencies don't work right yet - diff --git a/src/main.cc b/src/main.cc index 60c548ba9f..79c895e7af 100644 --- a/src/main.cc +++ b/src/main.cc 
@@ -826,15 +826,14 @@ int main(int argc, char** argv) persistence_serializer = new PersistenceSerializer(); remote_serializer = new RemoteSerializer(); event_registry = new EventRegistry(); - analyzer_mgr = new analyzer::Manager(); log_mgr = new logging::Manager(); input_mgr = new input::Manager(); plugin_mgr = new plugin::Manager(); file_mgr = new file_analysis::Manager(); - plugin_mgr->InitPlugins(); - analyzer_mgr->Init(); + plugin_mgr->InitPreScript(); + analyzer_mgr->InitPreScript(); if ( events_file ) event_player = new EventPlayer(events_file); @@ -854,8 +853,8 @@ int main(int argc, char** argv) yyparse(); - analyzer_mgr->InitBifs(); - plugin_mgr->InitPluginsBif(); + analyzer_mgr->InitPostScript(); + plugin_mgr->InitPostScript(); if ( print_plugins ) { diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc index ddedf7abbb..7d2e69eb86 100644 --- a/src/plugin/Component.cc +++ b/src/plugin/Component.cc @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include "Component.h" #include "../Desc.h" diff --git a/src/plugin/Component.h b/src/plugin/Component.h index 09357effd2..fbeb70ebed 100644 --- a/src/plugin/Component.h +++ b/src/plugin/Component.h @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #ifndef PLUGIN_COMPONENT_H #define PLUGIN_COMPONENT_H 
@@ -7,25 +8,55 @@ class ODesc; namespace plugin { namespace component { - enum Type { - READER, - WRITER, - ANALYZER + +/** + * Component types. + */ +enum Type { + READER, /// An input reader (not currently used). + WRITER, /// An logging writer (not currenly used). + ANALYZER /// A protocol analyzer. }; } +#if 0 namespace input { class PluginComponent; } namespace logging { class PluginComponent; } namespace analyzer { class PluginComponent; } +#endif +/** + * Base class for plugin components. A component is a specific piece of + * functionality that a plugin provides, such as a protocol analyzer or a log + * writer. + */ class Component { public: + /** + * Constructor. + * + * @param type The type of the compoment. + */ Component(component::Type type); + + /** + * Destructor. + */ virtual ~Component(); + /** + * Returns the compoment's type. + */ component::Type Type() const; + /** + * Returns a textual representation of the component. The default + * version just output the type. Derived version should call the + * parent's implementation and that add further information. + * + * @param d The description object to use. + */ virtual void Describe(ODesc* d); private: diff --git a/src/plugin/DummyPlugin.cc b/src/plugin/DummyPlugin.cc deleted file mode 100644 index 8a7889c682..0000000000 --- a/src/plugin/DummyPlugin.cc +++ /dev/null @@ -1,28 +0,0 @@ - -#include "Plugin.h" - -class DummyPlugin { -public: - virtual void Init() - { - plugin::Description desc; - desc.name = "Dummy"; - desc.description = "My little dummy plugin"; - desc.version = 2; - desc.url = "http://dummy.bro.org"; - SetDescription(desc); - - analyzer::PluginComponent dummy("DUMMY", "Analyzer::DUMMY", dummy::Instantiate, dummy::Available, 0, false); - AddComponent(dummy); - } - -Plugin* bro_plugin() - { - return new DummyPlugin(); - } - - - - - - diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 2288af0d79..b8e2a42fdb 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h 
@@ -1,14 +1,38 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +/** + * A set of macros wrapping internal logic for defining plugins and + * components. + */ #ifndef PLUGIN_MACROS_H #define PLUGIN_MACROS_H #include "analyzer/Component.h" +/** + * Place-holder API version for plugins compiled in statically. + */ #define BRO_PLUGIN_VERSION_BUILTIN -1 + +/** + * The current plugin API version. Plugins that won't match this versions + * will be rejected. + */ #define BRO_PLUGIN_API_VERSION 1 #define _BRO_PLUGIN_VERSION_DEFAULT -1 +/** + * Starts the definition of a new plugin. + * + * @param _ns: A namespace for the plugin. All plugins compiled in statically + * must use the reserved "Bro" namespace. External plugins should define + * their own namespace to avoid collisions. + * + * @param _name: The plugin's name. The combiniation of namespace and name + * must be unique across all loaded plugins. + */ #define BRO_PLUGIN_BEGIN(_ns, _name) \ namespace plugin { namespace _ns ## _ ## _name {\ class Plugin : public plugin::Plugin { \ @@ -19,6 +43,9 @@ SetVersion(_BRO_PLUGIN_VERSION_DEFAULT);\ SetAPIVersion(BRO_PLUGIN_API_VERSION); +/** + * Ends the definition of a plugin. + */ #define BRO_PLUGIN_END \ } \ }; \ 
@@ -26,19 +53,69 @@ static Plugin __plugin; \ } } -#define BRO_PLUGIN_DESCRIPTION(x) SetDescription(x) -#define BRO_PLUGIN_VERSION(x) SetVersion(x) +/** + * Provides a textual description for a plugin. + * + * @param d A string with the description. + */ +#define BRO_PLUGIN_DESCRIPTION(d) SetDescription(d) +/** + * Defines a version of the plugin. The version is mostly informational for + * the user; if a plugin's functionality changes, the version should be + * increased. + * + * @param v An integer version. + */ +#define BRO_PLUGIN_VERSION(v) SetVersion(v) + +/** + * Adds scrip-level items defined in a \c *.bif file to what the plugin + * provides. + * + * @param file A string with the name of \c *.bif file. When loaded, the the + * plugin will make all items defined in the file available to Bro's script + * interpreter. + */ #define BRO_PLUGIN_BIF_FILE(file) \ extern std::list > __bif_##file##_init(); \ AddBifInitFunction(&__bif_##file##_init); +/** + * Defines a component implementating a protocol analyzer. + * + * @param tag A string with the analyzer's tag. This must be unique across + * all loaded analyzers and will translate into a corresponding \c ANALYZER_* + * constant at the script-layer. + * + * @param cls The class that implements the analyzer. It must be derived + * (directly or indirectly) from analyzer::Analyzer. + */ #define BRO_PLUGIN_ANALYZER(tag, cls) \ AddComponent(new ::analyzer::Component(tag, ::analyzer::cls::InstantiateAnalyzer)); +/** + * Defines a component implementating an protocol analyzer class that will + * not be instantiated dynamically. This is for two use-cases: (1) abstract + * analyzer base classes that aren't instantiated directly; and (2) analyzers + * that are only instantiated explicitly by other Bro components, but not + * dynmically by the manager based on their tag (e.g., the ZIP analyzer is + * attached by the HTTP analyzer when corresponding content is found). + * + * @param tag A string with the analyzer's tag. 
This must be unique across + * all loaded analyzers and will translate into a corresponding \c ANALYZER_* + * constant at the script-layer. + */ #define BRO_PLUGIN_ANALYZER_BARE(tag) \ AddComponent(new ::analyzer::Component(tag, 0)); +/** + * Defines a component implementating a support analyzer. + * + * @param tag A string with the analyzer's tag. This must be unique across + * all loaded analyzers and will translate into a corresponding \c ANALYZER_* + * constant at the script-layer. + */ #define BRO_PLUGIN_SUPPORT_ANALYZER(tag) \ AddComponent(new ::analyzer::Component(tag, 0)); diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index b969e581c7..ed6b43d2c4 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include "Manager.h" @@ -35,22 +36,22 @@ bool Manager::RegisterPlugin(Plugin *plugin) return true; } -void Manager::InitPlugins() +void Manager::InitPreScript() { assert(! init); for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) - (*i)->Init(); + (*i)->InitPreScript(); init = true; } -void Manager::InitPluginsBif() +void Manager::InitPostScript() { assert(init); for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) - (*i)->InitBif(); + (*i)->InitPostScript(); init = true; } diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 44ec8913c6..2bbcaeb0f1 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #ifndef PLUGIN_MANAGER_H #define PLUGIN_MANAGER_H 
@@ -9,57 +10,88 @@ namespace plugin { +/** + * A singleton object managing all plugins. + */ class Manager { public: typedef std::list plugin_list; typedef Plugin::component_list component_list; + /** + * Constructor. + */ Manager(); + + /** + * Destructor. + */ ~Manager(); /** + * Loads a plugin dynamically from a file. This must be called only + * before InitPluginsPreScript() + * + * This is not currently implemented. + * + * @param file The path to the plugin to load. */ bool LoadPlugin(const std::string& file); /** + * Loads plugins dynamically found in a directory. This must be + * called only before InitPluginsPreScript(). * + * This is not currently implemented. + * + * @param dir The directory to search for plugins. */ bool LoadPluginsFrom(const std::string& dir); /** - * - * @param plugin: The plugin to register. The method does not take - * ownershop but assume the pointer will leave at least until the - * Manager is destroyed. + * First-stage initializion of the manager. This is called early on + * during Bro's initialization, before any scripts are processed, and + * forwards to the corresponding Plugin methods. */ - static bool RegisterPlugin(Plugin *plugin); + void InitPreScript(); /** - * + * Second-stage initialization of the manager. This is called late + * during Bro's initialization after any scripts are processed, and + * forwards to the corresponding Plugin methods. */ - void InitPlugins(); + void InitPostScript(); /** - * - */ - void InitPluginsBif(); - - /** - * + * Finalizes all plugins at termination time. This forwards to the + * corresponding Plugin methods. */ void FinishPlugins(); /** - * + * Returns a list of all available plugins. This includes all that + * are compiled in statically, as well as those loaded dynamically so + * far. */ plugin_list Plugins() const; /** - * + * Returns a list of all available components, in any plugin, that + * are derived from a specific class. The class is given as the + * template parameter \c T. 
*/ - template - std::list Components(component::Type type) const; + template std::list Components() const; + + /** + * Internal method that registers a freshly instantiated plugin with + * the manager. + * + * @param plugin The plugin to register. The method does not take + * ownership, yet assumes the pointer will stay valid at least until + * the Manager is destroyed. + */ + static bool RegisterPlugin(Plugin *plugin); private: static plugin_list* PluginsInternal(); @@ -68,7 +100,7 @@ private: }; template -std::list Manager::Components(component::Type type) const +std::list Manager::Components() const { std::list result; @@ -90,6 +122,9 @@ std::list Manager::Components(component::Type type) const } +/** + * The global plugin manager singleton. + */ extern plugin::Manager* plugin_mgr; #endif diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 99c73339b3..093a4fad62 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include @@ -9,6 +10,12 @@ using namespace plugin; +BifItem::BifItem(const std::string& arg_id, Type arg_type) + { + id = copy_string(arg_id.c_str()); + type = arg_type; + } + BifItem::BifItem(const BifItem& other) { id = copy_string(other.id); @@ -91,11 +98,11 @@ void Plugin::SetAPIVersion(int arg_version) api_version = arg_version; } -void Plugin::Init() +void Plugin::InitPreScript() { } -void Plugin::InitBif() +void Plugin::InitPostScript() { for ( bif_init_func_list::const_iterator f = bif_inits.begin(); f != bif_inits.end(); f++ ) { diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index c5753767db..189fdf5c52 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #ifndef PLUGIN_PLUGIN_H #define PLUGIN_PLUGIN_H 
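Review bot: The new comments on LoadPlugin() and LoadPluginsFrom() say they must be called before `InitPluginsPreScript()`, but the method declared further down in the same hunk is `InitPreScript()`; both sentences should read `This must be called only before InitPreScript().` Minor: `initializion` in the InitPreScript() comment should be `initialization`. The class declaration continues past the hunk (its private section is cut off).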
@@ -14,17 +15,51 @@ namespace plugin { class Manager; class Component; +/** + * A class describing an item defined in \c *.bif file. + */ class BifItem { public: - // Values must match the integers bifcl generates. + /** + * Type of the item. + * + * The values here must match the integers that \c bifcl generated. + */ enum Type { FUNCTION = 1, EVENT = 2, CONSTANT = 3, GLOBAL = 4, TYPE = 5 }; + /** + * Constructor. + * + * @param id The script-level name of the item. This should be fully + * qualified. + * + * @param type The type of the item. + */ BifItem(const std::string& id, Type type); + + /** + * Copy constructor. + */ BifItem(const BifItem& other); + + /** + * Assigment operator. + */ BifItem& operator=(const BifItem& other); + + /** + * Destructor. + */ ~BifItem(); + /** + * Returns the script-level ID as passed into the constructor. + */ const char* GetID() const { return id; } + + /** + * Returns the type as passed into the constructor. + */ Type GetType() const { return type; } private: 
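Review bot: Two typos in the added BifItem doc comments: `Assigment operator` should be `Assignment operator`, and `the integers that \c bifcl generated` should read `generates`, since the match has to hold for every build, not a past one. The class's private section continues past the hunk.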
@@ -32,44 +67,136 @@ private: Type type; }; -inline BifItem::BifItem(const std::string& arg_id, Type arg_type) - { - id = copy_string(arg_id.c_str()); - type = arg_type; - } - +/** + * Base class for all plugins. + * + * Plugins encapsulate functionality that extends one of Bro's major + * subsystems, such as analysis of a specific protocol, or logging output in + * a particular format. A plugin is a logical container that can provide one + * or more \a components implementing functionality. For example, a RPC + * plugin could provide analyzer for set of related protocols (RPC, NFS, + * etc.), each of which would be a separate component. Likewise, a SQLite + * plugin could provide both a writer and reader component. In addition to + * components, a plugin can also provide of script-level elements defined in + * *.bif files. + * + * Currently, all plugins ard compiled statically into the final Bro binary. + * Later, we will extend the infrastructure to also support plugins loaded + * dynamically as shared libraries. + */ class Plugin { public: typedef std::list component_list; typedef std::list bif_item_list; + /** + * Constructor. + */ Plugin(); + + /** + * Destructor. + */ virtual ~Plugin(); + /** + * Returns the name of the plugin. + */ const char* Name(); + + /** + * Returns a short textual description of the plugin, if provided. + */ const char* Description(); + + /** + * Returns the version of the plugin. + */ int Version(); + + /** + * Returns the internal API version that this plugin relies on. Only + * plugins that match Bro's BRO_PLUGIN_API_VERSION may be used. For + * statically compiled plugins this is automatically the case, but + * dynamically loaded plugins could later cause a mismatch. + */ int APIVersion(); + /** + * Returns a list of all components the plugin provides. + * BRO_PLUGIN_VERSION_BUILTIN indiciates that it's a plugin compiled + * in statically. 
+ */ component_list Components(); - void InitBif(); - - // Must be called after InitBif() only. + /** + * Returns a list of all BiF items that the plugin provides. This + * must be called only after InitBif() has been executed. + */ bif_item_list BifItems(); - virtual void Init(); + /** + * First-stage initialization of the plugin called early during Bro's + * startup, before scripts are parsed. This can be overridden by + * derived classes; they must however call the parent's + * implementation. + */ + virtual void InitPreScript(); + + /** + * Second-stage initialization of the plugin called late during Bro's + * startup, after scripts are parsed. This can be overridden by + * derived classes; they must however call the parent's + * implementation. + */ + virtual void InitPostScript(); + + /** + * Finalizer method that derived classes can override for performing + * custom tasks at shutdown. Implementation must call the parent's + * version. + */ virtual void Done(); + /** + * Returns a textual description of the plugin. + * + * @param d Description object to use for rendering. If "short mode" + * is disabled, the rendering will include a list of all components + * and BiF items. + */ void Describe(ODesc* d); protected: typedef std::list > bif_init_func_result; typedef bif_init_func_result (*bif_init_func)(); + /** + * Sets the plugins name. + * + * @param name The name. Makes a copy internally. + */ void SetName(const char* name); + + /** + * Sets the plugin's textual description. + * + * @param name The description. Makes a copy internally. + */ void SetDescription(const char* descr); + + /** + * Sets the plugin's version. + * + * @param version The version. + */ void SetVersion(int version); + + /** + * Sets the API version the plugin requires. + * BRO_PLUGIN_VERSION_BUILTIN indicates that it's a plugin linked in + * statically. + */ void SetAPIVersion(int version); /** 
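Review bot: The doc on BifItems() still says it must be called only after `InitBif()`, but this same commit renames that method to InitPostScript(), so the reference is stale on arrival; suggest `This must be called only after InitPostScript() has been executed.` SetDescription(const char* descr) documents its parameter as `@param name`, and the sentence about BRO_PLUGIN_VERSION_BUILTIN under Components() reads as if it belongs to APIVersion() rather than to the component list. Typos in the added text: `ard`, `indiciates`, `Sets the plugins name`, `provide of script-level elements`. The class declaration continues past the end of the hunk.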
@@ -78,11 +205,12 @@ protected: void AddComponent(Component* c); /** - * Can be overriden by derived class to inform the plugin about - * further BiF items they provide on their own (i.e., outside of the - * standard mechanism processing *.bif files automatically.). This - * information is for information purpuses only and will show up in - * the result of BifItem() as well as in the Describe() output. + * Virtual method that can be overriden by derived class to provide + * information about further script-level elements that the plugins + * provides on its own, i.e., outside of the standard mechanism + * processing *.bif files automatically. The returned information is + * for informational purpuses only and will show up in the result of + * BifItems() as well as in the Describe() output. */ virtual bif_item_list CustomBifItems() ; From 2e9de30bcc0156373e260b1a059960bf7dbb796d Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 30 May 2013 17:39:37 -0700 Subject: [PATCH 088/200] New CMake variable bro_HAVE_OBJECT_LIBRARIES that switches between object and static libraries for sub directories. Default is static to support old CMakes. --- cmake | 2 +- src/CMakeLists.txt | 20 +++++++++++++++----- src/analyzer/CMakeLists.txt | 6 +++++- 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/cmake b/cmake index 251cfee95c..0187b33a29 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 251cfee95c380c3c8ceac42653d3755928718f6f +Subproject commit 0187b33a29d5ec824f940feff60dc5d8c2fe314f diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 8264d6f94c..29c96099b9 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
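Review bot: The reworded CustomBifItems() comment keeps `purpuses` and `overriden` and says `the plugins provides`; suggest `Virtual method that can be overridden by derived classes to provide information about further script-level elements that the plugin provides on its own ... for informational purposes only ...`. The protected section continues past the hunk.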
@@ -6,6 +6,10 @@ include_directories(BEFORE # This collects generated bif and pac files from subdirectories. set(bro_ALL_GENERATED_OUTPUTS CACHE INTERNAL "automatically generated files" FORCE) +# If TRUE, use CMake's object libraries for sub-directories instead of +# static libraries. This requires CMake >= 2.8.8. +set(bro_HAVE_OBJECT_LIBRARIES FALSE) + configure_file(version.c.in ${CMAKE_CURRENT_BINARY_DIR}/version.c) configure_file(util-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/util-config.h) @@ -142,13 +146,14 @@ list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}") ## Including subdirectories. ######################################################################## -set(bro_PLUGIN_OBJECT_LIBS CACHE INTERNAL "plugin object libraries" FORCE) +set(bro_SUBDIR_LIBS CACHE INTERNAL "subdir libraries" FORCE) +set(bro_PLUGIN_LIBS CACHE INTERNAL "plugin libraries" FORCE) add_subdirectory(analyzer) set(bro_SUBDIRS - $ - ${bro_PLUGIN_OBJECT_LIBS} + ${bro_SUBDIR_LIBS} + ${bro_PLUGIN_LIBS} ) ######################################################################## @@ -356,9 +361,14 @@ set(bro_SRCS ) collect_headers(bro_HEADERS ${bro_SRCS}) -add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_SUBDIRS}) -target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) +if ( bro_HAVE_OBJECT_LIBRARIES ) + add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_SUBDIRS}) + target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) +else () + add_executable(bro ${bro_SRCS} ${bro_HEADERS}) + target_link_libraries(bro ${brodeps} ${bro_SUBDIRS} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) +endif () install(TARGETS bro DESTINATION bin) diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt index 1e91141114..20b53d7ca8 100644 --- a/src/analyzer/CMakeLists.txt +++ b/src/analyzer/CMakeLists.txt @@ -1,4 +1,6 @@ +include(BroSubdir) + include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} 
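Review bot: `set(bro_HAVE_OBJECT_LIBRARIES FALSE)` hard-codes the choice although the comment right above it states the only actual requirement, CMake >= 2.8.8; deriving it from the running CMake, `if ( NOT CMAKE_VERSION VERSION_LESS 2.8.8 )` / `set(bro_HAVE_OBJECT_LIBRARIES TRUE)` / `endif ()` after the default, keeps old CMakes working without anyone editing the file. This matters because commit 58ac7c80 further down this page flips the literal to TRUE, which by that same comment drops the older CMakes this commit set out to support. In the `else ()` branch the static sub-directory libraries are passed to target_link_libraries in `${bro_SUBDIRS}` order, which may be link-order sensitive for static archives; a short comment noting the expected order would help whoever adds the next subdirectory.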
@@ -14,5 +16,7 @@ set(analyzer_SRCS ) bif_target(analyzer.bif) -add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC}) + +bro_add_subdir_library(analyzer ${analyzer_SRCS} ${BIF_OUTPUT_CC}) add_dependencies(bro_analyzer generate_outputs) + From b3370584c7d2dafa293a7a83f2e70050a86b5eff Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 30 May 2013 17:44:09 -0700 Subject: [PATCH 089/200] Updating submodule(s). [nomail] --- cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmake b/cmake index 0187b33a29..94e72a3075 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 0187b33a29d5ec824f940feff60dc5d8c2fe314f +Subproject commit 94e72a3075bb0b9550ad05758963afda394bfb2c From 23463d064c4acd19df10310fbfd5c13fce47ee2b Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 30 May 2013 19:13:08 -0700 Subject: [PATCH 090/200] Little fixes. --- cmake | 2 +- src/main.cc | 2 +- src/plugin/Macros.h | 2 +- src/plugin/Manager.cc | 2 -- 4 files changed, 3 insertions(+), 5 deletions(-) diff --git a/cmake b/cmake index 94e72a3075..0187b33a29 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 94e72a3075bb0b9550ad05758963afda394bfb2c +Subproject commit 0187b33a29d5ec824f940feff60dc5d8c2fe314f diff --git a/src/main.cc b/src/main.cc index 79c895e7af..491f8a732d 100644 --- a/src/main.cc +++ b/src/main.cc @@ -853,8 +853,8 @@ int main(int argc, char** argv) yyparse(); - analyzer_mgr->InitPostScript(); plugin_mgr->InitPostScript(); + analyzer_mgr->InitPostScript(); if ( print_plugins ) { diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index b8e2a42fdb..64f04d7645 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -37,7 +37,7 @@ namespace plugin { namespace _ns ## _ ## _name {\ class Plugin : public plugin::Plugin { \ protected: \ - void Init() \ + void InitPreScript() \ { \ SetName(#_ns "::" #_name); \ SetVersion(_BRO_PLUGIN_VERSION_DEFAULT);\ 
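Review bot: Swapping the calls so that `plugin_mgr->InitPostScript();` runs before `analyzer_mgr->InitPostScript();` encodes an ordering dependency that nothing in the code states, so the next cleanup could silently undo it; a one-line comment on the first call, such as `// Plugins must finish InitPostScript() before the analyzer manager runs its own; do not reorder.`, would pin it (presumably the analyzer manager relies on plugin-provided items, but the reason is not visible here). main() continues outside the hunk.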
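Review bot: The generated `InitPreScript()` in the Macros.h plugin-declaration macro is exactly where Plugin.h's new doc says derived classes `must however call the parent's implementation`, yet within the hunk the body only calls SetName() and SetVersion() and is cut off before its end; if the remainder does not call `plugin::Plugin::InitPreScript();`, the project's own macro already violates that contract. Worth checking the rest of the macro body outside this hunk.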
diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index ed6b43d2c4..93ed3f2b97 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -52,8 +52,6 @@ void Manager::InitPostScript() for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) (*i)->InitPostScript(); - - init = true; } void Manager::FinishPlugins() From 58ac7c80cd065bb5dee33d4be2c1a00093893e7a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 30 May 2013 19:14:04 -0700 Subject: [PATCH 091/200] Switching back to object libs for now. --- src/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 29c96099b9..5573855740 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -8,7 +8,7 @@ set(bro_ALL_GENERATED_OUTPUTS CACHE INTERNAL "automatically generated files" FO # If TRUE, use CMake's object libraries for sub-directories instead of # static libraries. This requires CMake >= 2.8.8. -set(bro_HAVE_OBJECT_LIBRARIES FALSE) +set(bro_HAVE_OBJECT_LIBRARIES TRUE) configure_file(version.c.in ${CMAKE_CURRENT_BINARY_DIR}/version.c) configure_file(util-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/util-config.h) From 6d478bea57ea128cac13e4342dcee3ff95a27ad4 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 31 May 2013 17:30:43 -0700 Subject: [PATCH 092/200] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 4d0b75afad..3389de4a60 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 4d0b75afadd6a3c6507e8ca18cb1913faa93a3b0 +Subproject commit 3389de4a6045451f66b6cd52074c746ec9be551e From 45f6f11e51fec58f2c0d43c4bce10a51d6a6e3af Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 31 May 2013 17:32:27 -0700 Subject: [PATCH 093/200] Adding Makefile target test-all that also runs the BroControl test suite. Eventually "make test" should do this but let's trigger it separately for now. --- Makefile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 455fa6ed88..adf45f84f4 100644 --- a/Makefile +++ b/Makefile @@ -61,7 +61,10 @@ distclean: rm -rf $(BUILD) test: - @(cd testing && make ) + @( cd testing && make ) + +test-all: test + test -d aux/broctl && ( cd aux/broctl && make test ) configured: @test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 ) From d873db03cef3bb09d45e789d69607487e36b6093 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Fri, 31 May 2013 18:31:14 -0700 Subject: [PATCH 094/200] Add draft of Bloom filter type hierarchy. --- src/BloomFilter.h | 266 +++++++++++++++++++++++++++++++++++++++++++++ src/CMakeLists.txt | 1 + 2 files changed, 267 insertions(+) create mode 100644 src/BloomFilter.h diff --git a/src/BloomFilter.h b/src/BloomFilter.h new file mode 100644 index 0000000000..a767c6b8b8 --- /dev/null +++ b/src/BloomFilter.h 
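Review bot: `test -d aux/broctl && ( cd aux/broctl && make test )` makes the test-all target exit non-zero whenever aux/broctl is absent, because the `&&` chain returns the status of the failed `test -d`; that is the opposite of an optional submodule check. Recursive invocations should also go through `$(MAKE)` so flags and the jobserver propagate. Suggest `@if test -d aux/broctl; then ( cd aux/broctl && $(MAKE) test ); fi`, which still propagates a failing BroControl test suite.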
@@ -0,0 +1,266 @@ +#ifndef BloomFilter_h +#define BloomFilter_h + +#include +#include "BitVector.h" +#include "Hash.h" +#include "H3.h" + +/** + * A vector of counters, each of which have a fixed number of bits. + */ +class CounterVector : SerialObj { +public: + /** + * Constructs a counter vector having cells of a given width. + * + * @param width The number of bits that each cell occupies. + */ + explicit CounterVector(unsigned width); + + /** + * Increments a given cell. + * + * @param cell The cell to increment. + * + * @param value The value to add to the current counter in *cell*. + * + * @return `true` if adding *value* to the counter in *cell* succeeded. + */ + bool Increment(size_type cell, count_type value); + + /** + * Decrements a given cell. + * + * @param cell The cell to decrement. + * + * @param value The value to subtract from the current counter in *cell*. + * + * @return `true` if subtracting *value* from the counter in *cell* succeeded. + */ + bool Decrement(size_type cell, count_type value); + + /** + * Retrieves the counter of a given cell. + * + * @param cell The cell index to retrieve the count for. + * + * @return The counter associated with *cell*. + */ + count_type Count(size_type cell) const; + + /** + * Retrieves the number of cells in the storage. + * + * @return The number of cells. + */ + size_type Size() const; + + bool Serialize(SerialInfo* info) const; + static CounterVector* Unserialize(UnserialInfo* info); + +protected: + DECLARE_SERIAL(CounterVector); + + CounterVector(); + +private: + BitVector bits_; + unsigned width_; +}; + +/** + * The abstract base class for hash policies. + * @tparam Codomain An integral type. + */ +class HashPolicy { +public: + typedef hash_t hash_type; + virtual ~HashPolicy() { } + size_t k() const { return k; } + virtual std::vector Hash(const void* x, size_t n) const = 0; +protected: + /** + * A functor that computes a universal hash function. + * @tparam Codomain An integral type. 
+ */ + template + class Hasher { + public: + template + Codomain operator()(const Domain& x) const + { + return h3_(&x, sizeof(x)); + } + Codomain operator()(const void* x, size_t n) const + { + return h3_(x, n); + } + private: + // FIXME: The hardcoded value of 36 comes from UHASH_KEY_SIZE defined in + // Hash.h. I do not know how this value impacts the hash function behavior + // so I'll just copy it verbatim. (Matthias) + H3 h3_; + }; + + HashPolicy(size_t k) : k_(k) { } +private: + size_t k_; +}; + +/** + * The *default* hashing policy. Performs *k* hash function computations. + */ +class DefaultHashing : public HashPolicy { +public: + DefaultHashing(size_t k) : HashPolicy(k), hashers_(k) { } + virtual ~DoubleHashing() { } + + virtual std::vector Hash(const void* x, size_t n) const + { + std::vector h(k(), 0); + for (size_t i = 0; i < h.size(); ++i) + h[i] = hashers_[i](x, n); + return h; + } + +private: + std::vector< Hasher > hashers_; +}; + +/** + * The *double-hashing* policy. Uses a linear combination of 2 hash functions. + */ +class DoubleHashing : public HashPolicy { +public: + DoubleHashing(size_t k) : HashPolicy(k), hashers_(k) { } + virtual ~DoubleHashing() { } + + virtual std::vector Hash(const void* x, size_t n) const + { + Codomain h1 = hasher1_(x); + Codomain h2 = hasher2_(x); + std::vector h(k(), 0); + for (size_t i = 0; i < h.size(); ++i) + h[i] = h1 + i * h2; + return h; + } + +private: + Hasher hasher1_; + Hasher hasher2_; +}; + +/** + * The abstract base class for Bloom filters. + */ +class BloomFilter : SerialObj { +public: + virtual ~BloomFilter() { delete hash_; } + + /** + * Adds an element of type T to the Bloom filter. + * @param x The element to add + */ + template + void Add(const T& x) + { + ++elements_; + AddImpl(hash_->Hash(x)); + } + + /** + * Retrieves the associated count of a given value. + * + * @param x The value of type `T` to check. + * + * @return The counter associated with *x*. 
+ */ + template + size_t Count(const T& x) const + { + return CountImpl(hash_->Hash(x)); + } + + /** + * Retrieves the number of elements added to the Bloom filter. + * + * @return The number of elements in this Bloom filter. + */ + size_t Size() const + { + return elements_; + } + +protected: + typedef std::vector HashVector; + + /** + * Default-constructs a Bloom filter. + */ + BloomFilter(); + + /** + * Constructs a BloomFilter. + * @param hash The hashing policy. + */ + BloomFilter(HashPolicy* hash); + + virtual void AddImpl(const HashVector& hashes) = 0; + + virtual size_t CountImpl(const HashVector& hashes) const = 0; + + std::vector Hash(const T& x) const + { + return hash_->Hash(&x, sizeof(x)); + } + +private: + HashPolicy* hash_; // Owned by *this. + + size_t elements_; +}; + +/** + * A basic Bloom filter. + */ +class BasicBloomFilter : public BloomFilter { +public: + BasicBloomFilter(); + BasicBloomFilter(HashPolicy* hash); + +protected: + virtual void AddImpl(const HashVector& h) + { + for ( size_t i = 0; i < h.size(); ++i ) + bits_.set(h[i] % h.size()); + } + + virtual size_t CountImpl(const HashVector& h) const + { + for ( size_t i = 0; i < h.size(); ++i ) + if ( ! bits_[h[i] % h.size()] ) + return 0; + return 1; + } + +private: + BitVector bits_; +}; + +/** + * A counting Bloom filter. + */ +class CountingBloomFilter : public BloomFilter { +public: + CountingBloomFilter(unsigned width); + CountingBloomFilter(HashPolicy* hash); + +protected: + CountingBloomFilter(); + +private: + CounterVector cells_; +}; + +#endif diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 33aaab29c1..11de7772d7 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -304,6 +304,7 @@ set(bro_SRCS BitTorrent.cc BitTorrentTracker.cc BitVector.cc + BloomFilter.cc BPF_Program.cc BroDoc.cc BroDocObj.cc From c6ad731562ff5feb14798aaaba46e007c1284e0b Mon Sep 17 00:00:00 2001 
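Review bot: BasicBloomFilter::AddImpl and CountImpl reduce each hash modulo `h.size()`, the number of hash functions, rather than the bit-vector length, so every element lands in the first k bits and the filter saturates almost immediately; the index should be taken modulo the size of `bits_` (e.g. `bits_.set(h[i] % bits_.size());` and the matching test in CountImpl, assuming BitVector exposes a size accessor). Several declarations also cannot compile as written: `size_t k() const { return k; }` returns the function instead of `k_`, DefaultHashing declares `virtual ~DoubleHashing() { }`, `BloomFilter::Add` calls `hash_->Hash(x)` with one argument while HashPolicy::Hash takes `(const void*, size_t)`, and the non-template `BloomFilter::Hash(const T& x)` helper names an undeclared T. BloomFilter owns `hash_` (deleted in its destructor) but declares neither a copy constructor nor an assignment operator, so copying a filter double-deletes the policy; copying should be disabled or the policy deep-copied. The commit calls the file a draft, so some of this may be known, but CountingBloomFilter additionally overrides neither AddImpl nor CountImpl and therefore remains abstract.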
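Review bot: `BloomFilter.cc` is added to bro_SRCS, but this commit creates only src/BloomFilter.h (the diffstat lists two files and a single `create mode` entry for the header), so the build will fail on the missing source until the .cc exists; either add the file in the same commit or leave the header-only draft out of bro_SRCS for now.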
From: Robin Sommer Date: Sun, 2 Jun 2013 17:54:43 -0700 Subject: [PATCH 095/200] More smaller cleanup. --- doc/scripts/CMakeLists.txt | 6 -- doc/scripts/example.bro | 2 +- scripts/base/frameworks/analyzer/main.bro | 68 +++++++++++------------ scripts/base/frameworks/dpd/main.bro | 17 ++---- scripts/base/init-bare.bro | 6 +- scripts/base/protocols/irc/dcc-send.bro | 2 +- src/Base64.cc | 2 - src/CMakeLists.txt | 1 + src/RuleAction.h | 2 - src/analyzer/Tag.h | 2 +- src/analyzer/analyzer.bif | 2 +- src/analyzer/protocol/arp/ARP.cc | 1 - src/plugin/Macros.h | 4 +- 13 files changed, 50 insertions(+), 65 deletions(-) diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt index 548ed1e119..64c3de92eb 100644 --- a/doc/scripts/CMakeLists.txt +++ b/doc/scripts/CMakeLists.txt @@ -45,12 +45,6 @@ macro(REST_TARGET srcDir broInput) set(sumTextSrc ${absSrcPath}) set(ogSourceFile ${absSrcPath}) - if (${extension} STREQUAL ".bif.bro") - # set(ogSourceFile ${BIF_SRC_DIR}/${basename}) - # the summary text is taken at configure time, but .bif.bro files - # may not have been generated yet, so read .bif file instead - set(sumTextSrc ${ogSourceFile}) - endif () if (NOT relDstDir) set(docName "${basename}") diff --git a/doc/scripts/example.bro b/doc/scripts/example.bro index 4e2f533226..b7407a27a9 100644 --- a/doc/scripts/example.bro +++ b/doc/scripts/example.bro @@ -58,7 +58,7 @@ global example_ports = { event bro_init() { # Registering a well-known port is self-documenting and - # go into the generated doc's "Port Analysis" section + # goes into the generated doc's "Port Analysis" section. Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, example_ports); } diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index 50ff6b775d..66b3abc46e 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro 
@@ -2,25 +2,25 @@ ##! ##! The analyzer framework allows to dynamically enable or disable analyzers, as ##! well as to manage the well-known ports which automatically active a particular -##! analyzer for new connections. -##! +##! analyzer for new connections. +##! ##! Protocol analyzers are identified by unique tags of type ##! :bro:type:`Analyzer::Tag`, such as :bro:enum:`Analyzer::ANALYZER_HTTP` and ##! :bro:enum:`Analyzer::ANALYZER_HTTP`. These tags are defined internally by the -##! analyzers themselves, and documented in their analyzer-specific description along with the -##! events that they generate. +##! analyzers themselves, and documented in their analyzer-specific description +##! along with the events that they generate. ##! ##! .. todo: ``The ANALYZER_*`` are in fact not yet documented, we need to add that -##! to Broxygen. +##! to Broxygen. module Analyzer; export { ## If true, all available analyzers are initially disabled at startup. One can - ## then selectively enable them with :bro:id:`enable_analyzer`. + ## then selectively enable them with :bro:id:`enable_analyzer`. global disable_all = F &redef; ## Enables an analyzer. Once enabled, the analyzer may be used for analysis of - ## future connections as decided by Bro's dynamic protocol detection. + ## future connections as decided by Bro's dynamic protocol detection. ## ## tag: The tag of the analyzer to enable. ## 
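Review bot: The reflowed header still names the same tag, Analyzer::ANALYZER_HTTP, twice in its `such as ... and ...` example, so the second reference should be a different analyzer, and `which automatically active a particular analyzer` should read `activate`. If the `.. todo:` line is meant to be picked up as an RST directive it needs the two-colon form `.. todo::`; with one colon it is an RST comment.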
@@ -28,11 +28,11 @@ export { global enable_analyzer: function(tag: Analyzer::Tag) : bool; ## Disables an analyzer. Once disabled, the analyzer will not be used - ## further for analysis of future connections. + ## further for analysis of future connections. ## - ## tag: The tag of the analyzer to disable. + ## tag: The tag of the analyzer to disable. ## - ## Returns: True if the analyzer was successfully disabled. + ## Returns: True if the analyzer was successfully disabled. global disable_analyzer: function(tag: Analyzer::Tag) : bool; ## Registers a set of well-known ports for an analyzer. If a future connection 
@@ -40,50 +40,50 @@ export { ## to parsing it. The function *adds* to all ports already registered, it doesn't ## replace them . ## - ## tag: The tag of the analyzer. + ## tag: The tag of the analyzer. ## - ## ports: The set of well-known ports to associate with the analyzer. + ## ports: The set of well-known ports to associate with the analyzer. ## - ## Returns: True if the ports were sucessfully registered. + ## Returns: True if the ports were sucessfully registered. global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool; ## Registers an individual well-known port for an analyzer. If a future connection ## on this ports is seen, the analyzer will be automatically assigned to parsing - ## it. The function *adds* to all ports already registered, it doesn't - ## replace them . + ## it. The function *adds* to all ports already registered, it doesn't replace + ## them. ## - ## tag: The tag of the analyzer. + ## tag: The tag of the analyzer. ## - ## p: The well-known port to associate with the analyzer. + ## p: The well-known port to associate with the analyzer. ## ## Returns: True if the port was sucessfully registered. global register_for_port: function(tag: Analyzer::Tag, p: port) : bool; ## Returns a set of all well-known ports currently registered for a - ## specific analyzer. - ## - ## tag: The tag of the analyzer. + ## specific analyzer. + ## + ## tag: The tag of the analyzer. ## ## Returns: The set of ports. global registered_ports: function(tag: Analyzer::Tag) : set[port]; - ## Returns a table of all ports-to-analyzer mappings currently registered. - ## + ## Returns a table of all ports-to-analyzer mappings currently registered. + ## ## Returns: A table mapping each analyzer to the set of ports ## registered for it. 
- global all_registered_ports: function() : table[Analyzer::Tag] of set[port]; + global all_registered_ports: function() : table[Analyzer::Tag] of set[port]; - ## Translates an analyzer type to a string with the analyzer's. + ## Translates an analyzer type to a string with the analyzer's name. ## ## tag: The analyzer tag. ## - ## Returns: The analyzer name corresponding to the tag. + ## Returns: The analyzer name corresponding to the tag. global name: function(tag: Analyzer::Tag) : string; ## Schedules an analyzer for a future connection originating from a given IP - ## address and port. + ## address and port. ## - ## orig: The IP address originating a connection in the future. + ## orig: The IP address originating a connection in the future. ## 0.0.0.0 can be used as a wildcard to match any originator address. ## ## resp: The IP address responding to a connection from *orig*. @@ -99,8 +99,8 @@ export { global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool; - ## A set of analyzers to disable by at startup. The default set - ## contains legacy analyzers that are no longer supported. + ## A set of analyzers to disable by default at startup. The default set contains + ## legacy analyzers that are no longer supported. global disabled_analyzers: set[Analyzer::Tag] = { ANALYZER_INTERCONN, ANALYZER_STEPPINGSTONE, @@ -115,11 +115,11 @@ export { global ports: table[Analyzer::Tag] of set[port]; -event bro_init() &priority=-5 +event bro_init() &priority=5 { if ( disable_all ) __disable_all_analyzers(); - + for ( a in disabled_analyzers ) disable_analyzer(a); } @@ -137,8 +137,8 @@ function disable_analyzer(tag: Analyzer::Tag) : bool function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool { local rc = T; - - for ( p in ports ) + + for ( p in ports ) { if ( ! register_for_port(tag, p) ) rc = F; 
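Review bot: The rewritten `Returns:` line for register_for_ports still spells `sucessfully`; since the hunk already touches it, `## Returns: True if the ports were successfully registered.` would fix it, and the corresponding line for register_for_port has the same typo. `it doesn't replace them .` also carries a stray space before the period.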
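Review bot: Changing the analyzer framework's bro_init from `&priority=-5` to `&priority=5` moves the disable_all/disabled_analyzers handling from after to before the default-priority bro_init handlers (higher priorities run first), which is a behavioral change in a commit described as cleanup and is not explained anywhere; a comment such as `# Priority 5: run before the default-priority bro_init handlers of the protocol scripts.` would record the intent, presumably that analyzers are disabled before other scripts register ports for them. The return value of `disable_analyzer(a)` in that loop is ignored, so a tag that fails to disable goes unreported; a reporter warning there would make the security-relevant outcome visible.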
@@ -154,7 +154,7 @@ function register_for_port(tag: Analyzer::Tag, p: port) : bool if ( tag !in ports ) ports[tag] = set(); - + add ports[tag][p]; return T; } diff --git a/scripts/base/frameworks/dpd/main.bro b/scripts/base/frameworks/dpd/main.bro index b4da2ff492..c3282a1da4 100644 --- a/scripts/base/frameworks/dpd/main.bro +++ b/scripts/base/frameworks/dpd/main.bro @@ -23,12 +23,12 @@ export { analyzer: string &log; ## The textual reason for the analysis failure. failure_reason: string &log; - - ## Disabled analyzer IDs. This is only for internal tracking + + ## Disabled analyzer IDs. This is only for internal tracking ## so as to not attempt to disable analyzers multiple times. disabled_aids: set[count]; }; - + ## Ignore violations which go this many bytes into the connection. ## Set to 0 to never ignore protocol violations. const ignore_violations_after = 10 * 1024 &redef; @@ -43,11 +43,6 @@ event bro_init() &priority=5 Log::create_stream(DPD::LOG, [$columns=Info]); } -function foo() : string - { - return "HTTP"; - } - event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10 { local analyzer = Analyzer::name(atype); @@ -66,10 +61,10 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, # for the protocol violation. if ( analyzer !in c$service ) return; - + delete c$service[analyzer]; add c$service[fmt("-%s", analyzer)]; - + local info: Info; info$ts=network_time(); info$uid=c$uid; @@ -88,7 +83,7 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason local size = c$orig$size + c$resp$size; if ( ignore_violations_after > 0 && size > ignore_violations_after ) return; - + # Disable the analyzer that raised the last core-generated event. disable_analyzer(c$id, aid); add c$dpd$disabled_aids[aid]; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 09c08befa6..d5abbef1ff 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -2946,7 +2946,7 @@ const dpd_buffer_size = 1024 &redef; const dpd_match_only_beginning = T &redef; ## If true, don't consider any ports for deciding which protocol analyzer to -## use. +## use. ## ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size ## dpd_match_only_beginning @@ -3065,12 +3065,12 @@ module GLOBAL; ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; -# Load these frameworks here because it uses fairly deep integration with +# Load these frameworks here because they use fairly deep integration with # BiFs and script-land defined types. @load base/frameworks/logging @load base/frameworks/input @load base/frameworks/analyzer @load base/frameworks/file-analysis -# Load BiF defined by plugins. +# Load BiFs defined by plugins. @load base/bif/plugins diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index f5dc72e9ce..0e1d52af59 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -175,7 +175,7 @@ event irc_dcc_message(c: connection, is_orig: bool, c$irc$dcc_file_name = argument; c$irc$dcc_file_size = size; local p = count_to_port(dest_port, tcp); - Analyzer::schedule_analyzer(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_IRC_DATA, 5 min); + Analyzer::schedule_analyzer(0.0.0.0, address, p, Analyzer::ANALYZER_IRC_DATA, 5 min); dcc_expected_transfers[address, p] = c$irc; } diff --git a/src/Base64.cc b/src/Base64.cc index cef11dab92..50732534ab 100644 --- a/src/Base64.cc +++ b/src/Base64.cc @@ -82,8 +82,6 @@ int* Base64Converter::InitBase64Table(const string& alphabet) return base64_table; } - - Base64Converter::Base64Converter(analyzer::Analyzer* arg_analyzer, const string& arg_alphabet) { if ( arg_alphabet.size() > 0 ) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 5573855740..0303a88cfe 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -375,6 +375,7 @@ install(TARGETS bro DESTINATION bin) set(BRO_EXE bro CACHE STRING "Bro executable binary" FORCE) +# Target to create all the autogenerated files. add_custom_target(generate_outputs DEPENDS ${bro_ALL_GENERATED_OUTPUTS}) # Build __load__.bro files for plugins/*.bif.bro. diff --git a/src/RuleAction.h b/src/RuleAction.h index ec7e5c3735..67ceadc6f1 100644 --- a/src/RuleAction.h +++ b/src/RuleAction.h @@ -50,8 +50,6 @@ public: analyzer::Tag ChildAnalyzer() const { return child_analyzer; } private: - // FIXME: This is in fact an analyzer::ID but we can't include "analyzer/Analyzer.h" - // at this point due to circular dependenides. Fix that! analyzer::Tag analyzer; analyzer::Tag child_analyzer; }; diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index 3465ddd008..9b2fea4a9b 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -14,7 +14,7 @@ class Manager; class Component; /** - * Class to identify an analyzdr type. + * Class to identify an analyzer type. * * Each analyzer type gets a tag consisting of a main type and subtype. The * former is an identifier that's unique all analyzer classes. The latter is diff --git a/src/analyzer/analyzer.bif b/src/analyzer/analyzer.bif index 69c648f7d3..7f3cc6ed94 100644 --- a/src/analyzer/analyzer.bif +++ b/src/analyzer/analyzer.bif @@ -1,4 +1,4 @@ -##! Internal functions and types used by the logging framework. +##! Internal functions and types used by the analyzer framework. module Analyzer; diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc index 9173e853aa..b3ef5383ce 100644 --- a/src/analyzer/protocol/arp/ARP.cc +++ b/src/analyzer/protocol/arp/ARP.cc @@ -1,6 +1,5 @@ // See the file "COPYING" in the main distribution directory for copyright. - #include "ARP.h" #include "Event.h" #include "Reporter.h" diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 64f04d7645..423efbfc71 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h 
@@ -16,8 +16,8 @@ #define BRO_PLUGIN_VERSION_BUILTIN -1 /** - * The current plugin API version. Plugins that won't match this versions - * will be rejected. + * The current plugin API version. Plugins that won't match this version will + * be rejected. */ #define BRO_PLUGIN_API_VERSION 1 From c19779ae886c7202c4d52b6489a7cd533997d1bd Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sun, 2 Jun 2013 18:22:08 -0700 Subject: [PATCH 096/200] More analyzer framework tests. --- testing/btest/Traces/ssh-on-port-80.trace | Bin 0 -> 11076 bytes testing/btest/btest.cfg | 2 +- .../frameworks/analyzer/disable-analyzer.bro | 14 ++++++++++++++ .../frameworks/analyzer/enable-analyzer.bro | 13 +++++++++++++ .../frameworks/analyzer/register-for-port.bro | 13 +++++++++++++ 5 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Traces/ssh-on-port-80.trace create mode 100644 testing/btest/scripts/base/frameworks/analyzer/disable-analyzer.bro create mode 100644 testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.bro create mode 100644 testing/btest/scripts/base/frameworks/analyzer/register-for-port.bro 
diff --git a/testing/btest/Traces/ssh-on-port-80.trace b/testing/btest/Traces/ssh-on-port-80.trace new file mode 100644 index 0000000000000000000000000000000000000000..6c0ae22e30db1c3093a602715cc90b28730b6fa4 GIT binary patch literal 11076 zcmeI2c{J2*`2Rm+Cu>PU*@w!K86>4tNcJruOSZC;v8H5ASqfPyOZGyGM5rV?Jt(3_ zvPUTq*|+9<-{Z++hWh>SJLfs)d(PK6cYVxEuls$yuj{_<`}3JvEAvyy5DMhi4<3&o zDDX>QK841>WdzXx*Ki>8J4&5Vh?f3KgoXxDL=gFNcjXazsxaGo%%dnU0?TI+tzk@> zDg1CA86I!lk04|elm#eqa&i=khHmE!Zzg&_)4o=Km@uyJGS%ir_*9j$w z5Q-a7D4mdq1;i5|3OLr7b8Myx5*ZcNC9>o3Mh}RIYeT^-3s+q&oKQ8ZvMY(sBM5gS zaV!Zq=H|zYeB64T*fA*F1`v(Nmj|hEa<#DUkmw2PWpy>WfvhI^0paSqh=n5vIV%n8 zedj8!3LRV1P{Sk4vAUfbfF-_Gwx>_qT8r9PJ2*Ike4KH0c6SlA_Oi4wcRFJ&inB4t zNJ)$QKR+a~?nfjfA>cRf5#9m{m~c27QCFO~2>ja$hXXGqnOox|FfyW+ZmuHmaxdoB zB@nZG>1uh}+1(XtGhe<0pC^14{xb_p5v-Lpj&Nb&;Ou$Y7NFs)mgYD&0vKHX0xw?@ z!0>XJCgN&q=VWDW?EwFoyn{E++|Ail%)!=O3}^knL7=UTqq(K1qm`5h;ewC_cleUD zq`Wg&hrnwwOJ~RBcU^5=tR1Z+q<542y7rThBf3|5`E!5{u7Ml>>0}&E&Q8`M=NxP; zh~&W+fRsPK3qC;d16P`8<*KH$cI`eQtX+q-Yd13-tlb4RwY6&(UxOgGz}kg_w11L^ zqw^uLbJMy+c4UG66EP92T|G+HDfj&ar+Am}KTA#>$`9Q<4ah~-mR2@|B`WG0p?q+JGSKtF~vb+-_AnewS& zOlAf+r7chxlXe*-hK3uE{E_Zsi;=cB)%GOqvbOyG)_4Asm+A1fH>ta5>Fx>b;_C^w z%1F!gx!JVAGdoj^2HPg8n{Uw6v$VyeF5SZ};RdxdTB$R7vqktpm9gFkB==N$$>7Nc zM~Beb9rT;iaL2pyEUjPlb#<%J$9LX5yk!05(#1?h*S^}|L)*KAyM=O2B0UU#gJX@SlDlufNZW!*Jk7wyRzwi8bdcCnNUUo`kQM-gV-2zDJR$Fwlh-AJ zEd598s9F^6wotw^6#C81mA}j{vfYY9KTva>y(id<9=zk z_3XE*rCnmhU7ps_3N?dAytT%)@gi}!XsYZbAY!>X9vY*NjbQ(Q zgS0xxDbNLkJ?JKJbyP$QW3nXu*ioz_B`ekOY57iu>^U_rcx?-yQUBAt!6i8g-aesF zNOeJ&O_tG=#}7GWU%Mk$KXl!`FXhHqEJ-mGG~@{;`zc8#D|#XHv?6>-}XF4`!w4&EH)9q9?(M5lB7U18TO zPd@p{x4Hw&`p@J%i)=h2I-aIp;gAfzJzlB*qg6zfJi+0!YlK7J<2PNNhl`JmGGBF- zl}Kj9DTYis3aU*}Lw9U$AM5`)U_M=5_OhvSvP#59NqkaF zepl|d@$~)*@BX@s8#3Y=`uBzEM~}bG>ube1^CXyh9SsGUU?R#73OP@1=KT5vHLLwS zzXM8hUsW6wLiU|qy8cS;SmhqNP+UG%JLc@`lC}|=$qg>MrYEeT38r6TvYFqq+;QafC(s?^5{!*3AS9E4wG>(>SzLsg# z;1R90_pZ*lm;3f9>fh_3P2yCuQw!0+B&ir#eTaQ{zQtexnl8&5M*5%HvL3Yx@u3sCQ$JAd{fd>8Shn{Zp 
zugm2X!e)Z{Ls!Z4hb!b%B5@DMlElVVo4~HZ1Ukq+_sv=0PWKb+Dl}FoLvrbIl-WkN?u{I`T zZdFXAE?J?A2t?_1iJKQ#`k>hpUf2^8lYel|V-|fytZI9_4Kl`t_&v@|n9$^lVhtn}ip05w ztedx9E_C1GoY+v8UT+caa#baxT)&@D-%5h6YP+$NK2+3wo$TKjNnMsi7ZY5zCUF_= zFamVZ|L92?oy3-L^;{3PU~Ca){II$z$Th-Qq5j$|Jjf9r|xq;Gy2IP zL}w5f+deiL7R{E{T^21EwBf6nY#ihj|ALv1%D16yLp^(Rqws$*e1 z+_aN&C*NiDIhCsSdHI~#XEyp%TxX&A=cO4V8T#9|eu0Fu<>&ms8A5h^`yMTfxC!hTnH%T$i=$#=i@`K zaH{0&6iUc?8R6Wg-M**fh)#ZqZXU-}5#_MW;n(t=U3DMp4$NV$H;7kHq!gVCH8>QF z4RA-P&+OH!b8SHz1kCYXNN($DzOp?YX0Ug4O^{ZpB>E|#N-asMv~d`7R{+$#D76q# zm9|5ot@t17{uzPDw=R(#C93vhh1dq_zI}cvXhYU`zc+JwuMDa<;(hg}Fr&WieYLOj zM@8$#)2->+cQk7|wQwHd!WrOIh7O4(#RQ^Di^7UIU1nKI8(E;DNTBHVbzjsD6=^6E zSLs~=Y-|k!tb3YGL{-`r28cU1Q2gP11ahrCxzpNPlzU#Z&w=__$ zCN=pG!8R~A!-K^A8qvHlSSVgcF&9HeJ>L=Rm`Aj+>xWJf90&8`r?L87L5AC1NR zH{7iORT0R9*0p!C$+V7BpJ2Q}IlC>@o2P41?w|HduCm16p=Ih%yK2X~bE@=-OMXdJSb_q!t-*ZIlsmXv#Kfd4ek=<(hM zhNUh!16-x!Q6V;5OVvARLeI{m^IM8MfLn(+OWEKoTtheulb>11(j3B- zia_EsK&$|J92_KhXGRt1_CjLb{dI{T@5b}Q#P_NN3o{cIZ{Ngs1@ABA%@*KSEAc#F zxb@vv_NKy`?OIrq;J`->jQ$O`cI8DikzG{XQKna5#XMPfxOM3pD}vE=zoIW9N6#KH zVVEi@a>!XEDK#e9m#i_A+cWFS#&mD0Y6b=Nk`7nJhw8WPJQUIlFs91n+2Ke6x?1S7df?kFbA8VOm^uK8FQ2s1t^_xFFK8 zVceBWjYs5w0EblEIRA@-oAK{A=p7zLI=h8U`ePeXLOQzm3QkAi_r)kqohH{kSJ>jV zBTc8gtlwMw-6pr7xSr$%zK^$b7;~Gy_SNhOu?yu^|MnxlWo~PBP$TWv_i?@tHjItA zUsGCC^}>sXw5yzcitojLrYn4@n11D!tP?!Qs&!27taR9}y^8F~{5H`K@8{mbFLF9b zKYRA-#S@rOrZ1~%gtST}(Ju*AYC=+_;NBw#_BT(&g{VsBAo0csC6W)y0}hh@#*Ad3 z%OSD5b6p}k%CqmEs)H2=>V9ta!B8Dpx$^nlazkAhKA)y1uQNE6*v{~U-brji7o0jf z){|4)@L|t!_V2q3w>?2{hTCXFU$X`E+bOo35SU<)V%8`-a=@M$o7(nxR_ctWnZ;xY<)a$BDMcv` zH%<9+3GavN=PvggSMo`*_TdzMTHSIgx2B5!;7_Im<=eUewuZhhrR?S}c@znSo_{sl zz7(I;+e=Y7DR3cn_bFT(<*^5~fvDnvic;713&pmf$&P}DE-E@)B-6Y?WlFI%m#r0g zE(09;z2~P0Pqs1**Lq${_>vg;=N=fk11g8m{hlf@{HYEr37&TldtM8^y#*YRM}kg4loGje$MvJ{Yn%JR_^B@yF5Kp{ zV%{JBTzwaVxk-PMik}o^@P%6D{m(eCJAE9Yv2FD@lcr{F<#A2VAX>AZuhcd3&lnjG ze67pME+^wulXr48<;a7cEP@Dr?}=_Lj38fWttWMa^BTT*r4D}rPrSnc@wMfuJ&E|q zI5T2}i-N>xwRMT0e^1E%BJz*3?M55Fe_ibtYl?k 
z=L{d2b?^5uf!apluKFbt@xYkSxi=``wkKRAn2|&k?q@H3sfRCYQ!;-=QTJMNbc%nt z04kvH{L|{z$$|ypx|5&+D#KL@*1B3laCHlb ztB$}`1?Z~C#uZnO09UC#r|f?7w(A*Z%S6!goXUv2hPPvr?^8c+Nt{(GeVg9$Lt8kS zf$fp@jeBuzxm*r5Vppy2l%!0ifD5EVq?0eFsAN9c-6H7l+{4~{@0eH{HCT;(l> z!~wx|iNMuogDXU8NTiy&a9MfmT70x!X+xr}P_oEf>SvyU4Q%J@#l1?x(yMA>XXq=b ziewNoD#N$la*|NNSk5X1Yh5LDwH}iHGgSxra;_V66}9pWSDGzwm73SVvTy&RiV*E- zWn&~cysCh;A%Y~ulwQu zgj!vzZopN-{=T&G%@ZH=z!nm5)J%VHbzd)ZwSH+`B5?KK+={ETkjOWBSf$ZRfSnFyXp;k8o z1*`iiIAP?1?+sC&7H?N-H4?Z=JFjIcQph^Y(4lfrsqU(LRg}t?chM%n;azMe=Ojxq zEkAF1LoE?&V=s3to=i>1umvg@01AFztHy*=Q#LP&2N}TCCD;KL|9Rd4X9pfcLL&Vp zrr+HuGlM(jdO}PjPY&yre#K<0MI6)HM0qVEA^qUc2M6iN4{1feg2e80;=I&v z`xQg-cH$WNgkD^c(EQf=HQ`uoD1VT)laJS~=WS+XoPJj~JRFykWf&D;Q}@5?u53Fp zz$m@<3oAPC(nUU(NB!Xehqg_LIMGGZo>;Y&<>1?4$!LR<%s*tD8R adg_ooMff%%(~?AEHPHA1`23Sp Date: Sun, 2 Jun 2013 19:36:25 -0700 Subject: [PATCH 097/200] A work-around for supporting plugins compiled as *.a. This is for older CMakes which don't understand object libraries yet. We auto-generate a file at the top-level that references all the global plugin objects. Once they are referenced, the linker includes them into the final executable and their ctors run to register them with the plugin manager. By default this is on. Once we can require more recent CMakes, we can turn it off (and remove) in src/CMakeLists.txt. --- src/CMakeLists.txt | 19 +++++++++++++++++-- src/plugin/Macros.h | 2 +- src/plugins.cc.in | 22 ++++++++++++++++++++++ 3 files changed, 40 insertions(+), 3 deletions(-) create mode 100644 src/plugins.cc.in diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 0303a88cfe..a5b1cfc106 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -8,7 +8,7 @@ set(bro_ALL_GENERATED_OUTPUTS CACHE INTERNAL "automatically generated files" FO # If TRUE, use CMake's object libraries for sub-directories instead of # static libraries. This requires CMake >= 2.8.8. -set(bro_HAVE_OBJECT_LIBRARIES TRUE) +set(bro_HAVE_OBJECT_LIBRARIES FALSE) configure_file(version.c.in ${CMAKE_CURRENT_BINARY_DIR}/version.c) configure_file(util-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/util-config.h) @@ -156,6 +156,20 @@ set(bro_SUBDIRS ${bro_PLUGIN_LIBS} ) +if ( NOT bro_HAVE_OBJECT_LIBRARIES ) + foreach (_plugin ${bro_PLUGIN_LIBS}) + string(REGEX REPLACE "plugin-" "" _plugin "${_plugin}") + string(REGEX REPLACE "-" "_" _plugin "${_plugin}") + set(_decl "namespace plugin { namespace ${_plugin} { class Plugin; extern Plugin __plugin; } };") + set(_use "i += (size_t)(&(plugin::${_plugin}::__plugin));") + set(__BRO_DECL_PLUGINS "${__BRO_DECL_PLUGINS}${_decl}\n") + set(__BRO_USE_PLUGINS "${__BRO_USE_PLUGINS}${_use}\n") + endforeach() + + configure_file(plugins.cc.in ${CMAKE_CURRENT_BINARY_DIR}/plugins.cc) + set(PLUGIN_INIT ${CMAKE_CURRENT_BINARY_DIR}/plugins.cc) +endif() + ######################################################################## ## bro target @@ -222,6 +236,7 @@ set(bro_SRCS ${FLEX_Scanner_INPUT} ${BISON_Parser_INPUT} ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h + ${PLUGIN_INIT} main.cc net_util.cc util.cc @@ -367,7 +382,7 @@ if ( bro_HAVE_OBJECT_LIBRARIES ) target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) else () add_executable(bro ${bro_SRCS} ${bro_HEADERS}) - target_link_libraries(bro ${brodeps} ${bro_SUBDIRS} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) + target_link_libraries(bro ${bro_SUBDIRS} ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) endif () install(TARGETS bro DESTINATION bin) diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 423efbfc71..9d063cd60a 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h 
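Review bot: `string(REGEX REPLACE "plugin-" "" _plugin "${_plugin}")` in the `@@ -156` hunk strips every occurrence of `plugin-`, not only the leading prefix, so a target whose own name contains that substring would get a mangled namespace; anchor it as `string(REGEX REPLACE "^plugin-" "" _plugin "${_plugin}")`. The generated `namespace plugin { namespace ${_plugin} ...` declarations have to match the namespace that the plugin-definition macro in `src/plugin/Macros.h` emits, and a mismatch only surfaces as an undefined reference at link time, so a comment in the loop naming that coupling is worth adding. `PLUGIN_INIT` is set only in the `NOT bro_HAVE_OBJECT_LIBRARIES` branch and expands to empty otherwise, which appears intended but also deserves a one-line comment.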
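Review bot: The reordering in the `@@ -367` hunk puts `${bro_SUBDIRS}` ahead of `${brodeps}` with no comment; for static archives the linker resolves symbols left to right, so this order is presumably load-bearing now that the sub-directory archives are linked as `.a` files, and it is the kind of line a later cleanup will silently undo. Add `# Sub-directory archives first: their unresolved symbols must be satisfied by brodeps, which follow.` above the call.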
@@ -50,7 +50,7 @@ } \ }; \ \ - static Plugin __plugin; \ + Plugin __plugin; \ } } /** diff --git a/src/plugins.cc.in b/src/plugins.cc.in new file mode 100644 index 0000000000..4527d5d1a9 --- /dev/null +++ b/src/plugins.cc.in @@ -0,0 +1,22 @@ + +// A work-around the problem that for static libraries unused globals +// aren't linked into the final binary. CMake automatically inserts +// code here to reference the globals that initializes each of the +// statically compiled plugins. +// +// Note: This won't be necessary anymore once we can assume CMake >2.8.8 +// as a required depencendy. If so, switch bro_HAVE_OBJECT_LIBRARIES +// in src/CMakeLists.txt to TRUE and remove this. + +#include + +${__BRO_DECL_PLUGINS} + +size_t __make_sure_to_use_plugin_globals() +{ + // This function is never actually called. + + size_t i = 0; + ${__BRO_USE_PLUGINS} + return i; +} From 4494643296b3e44d2229ceb81a3243cc2c6c678b Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sun, 2 Jun 2013 20:03:19 -0700 Subject: [PATCH 098/200] Fix a compiler warning. --- CHANGES | 10 ++++++++++ VERSION | 2 +- src/RemoteSerializer.cc | 6 ++++-- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 75107d2496..1c23429a43 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,14 @@ +2.1-675 | 2013-06-02 20:03:19 -0700 + + * Fix a compiler warning. (Robin Sommer) + + * Allow named vector/set/table/record constructors. Addresses #983. + (Jon Siwek) + + * Adding Makefile target test-all that also runs the BroControl test + suite. (Robin Sommer) + 2.1-664 | 2013-05-28 21:37:46 -0700 * Dangling pointer fix. Addresses #1004. (Jon Siwek) diff --git a/VERSION b/VERSION index 688d60ec69..f3667fe959 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-664 +2.1-675 diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 66f8def489..8cd34aa8fc 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc 
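Review bot: Dropping `static` from `Plugin __plugin;` gives every plugin's instance external linkage so that the generated `plugins.cc` can reference it, but the macro does not say so and a later reader will be tempted to put `static` back. Add `/* Not static: referenced from the generated src/plugins.cc when bro_HAVE_OBJECT_LIBRARIES is off. */` on that line. `__plugin` is also an identifier beginning with a double underscore, which C++ reserves for the implementation, and it is now exported from every plugin; if the name can still be changed, a non-reserved one such as `plugin_instance` avoids that. The enclosing macro starts outside the hunk.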
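Review bot: `size_t __make_sure_to_use_plugin_globals()` in the new `src/plugins.cc.in` uses a double-underscore identifier, which the standard reserves for the implementation; a project-prefixed name such as `bro_reference_plugin_globals` keeps the workaround out of the reserved namespace. The function must keep external linkage, as it does, because a `static` version could be discarded together with the references it exists to create; record that next to `// This function is never actually called.` so nobody "fixes" it. The `#include` directive shows no header name in this rendering, and `size_t` needs `<cstddef>` (or `<stddef.h>`), so verify the template. `depencendy` in the header comment should read `dependency`.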
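Review bot: The `memcpy` into `tmp` in `Peer()` fixes the alignment and strict-aliasing problem of the removed `(uint32*)` cast, but the only comment explaining the old code was removed with it, so the reason for the copy is no longer visible; keep it as `// memcpy rather than a uint32* cast: buffer + 4 may be unaligned and the cast violates strict aliasing.` `memcpy` needs `<cstring>`, which is not visible in this hunk. The read still assumes `buffer` holds at least 8 bytes; if the caller guarantees that, a comment on the class stating the invariant would help.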
@@ -351,10 +351,12 @@ public: } char Type() { return buffer[0]; } + RemoteSerializer::PeerID Peer() { - // Wow, is this ugly... - return ntohl(*(uint32*)(buffer + 4)); + uint32 tmp; + memcpy(&tmp, buffer + 4, sizeof(tmp)); + return ntohl(tmp); } const char* Raw() { return buffer; } From f529df33e0afa930e4babff66f4a5f590b5eb6d9 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 3 Jun 2013 14:00:28 -0700 Subject: [PATCH 099/200] Stabilize Bloom filter interface. --- src/BloomFilter.cc | 33 ++++++++++++++++++ src/BloomFilter.h | 85 +++++++++++++++++----------------------------- 2 files changed, 65 insertions(+), 53 deletions(-) create mode 100644 src/BloomFilter.cc diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc new file mode 100644 index 0000000000..6873815f69 --- /dev/null +++ b/src/BloomFilter.cc @@ -0,0 +1,33 @@ +#include "BloomFilter.h" + +HashPolicy::HashVector DefaultHashing::Hash(const void* x, size_t n) const + { + HashVector h(k(), 0); + for ( size_t i = 0; i < h.size(); ++i ) + h[i] = hashers_[i](x, n); + return h; + } + +HashPolicy::HashVector DoubleHashing::Hash(const void* x, size_t n) const + { + HashType h1 = hasher1_(x); + HashType h2 = hasher2_(x); + HashVector h(k(), 0); + for ( size_t i = 0; i < h.size(); ++i ) + h[i] = h1 + i * h2; + return h; + } + +void BasicBloomFilter::AddImpl(const HashPolicy::HashVector& h) + { + for ( size_t i = 0; i < h.size(); ++i ) + bits_.set(h[i] % h.size()); + } + +size_t BasicBloomFilter::CountImpl(const HashPolicy::HashVector& h) const + { + for ( size_t i = 0; i < h.size(); ++i ) + if ( ! bits_[h[i] % h.size()] ) + return 0; + return 1; + } diff --git a/src/BloomFilter.h b/src/BloomFilter.h index a767c6b8b8..dca4eff2bd 100644 --- a/src/BloomFilter.h +++ b/src/BloomFilter.h @@ -11,6 +11,9 @@ */ class CounterVector : SerialObj { public: + typedef size_t size_type; + typedef uint64 count_type; + /** * Constructs a counter vector having cells of a given width. * 
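Review bot: `bits_.set(h[i] % h.size())` in `BasicBloomFilter::AddImpl` and the matching test in `CountImpl` reduce each hash modulo the number of hash functions (`h.size()` is `k()`), not modulo the size of the bit vector, so only the first k bits are ever touched and the filter saturates almost immediately. The index should be taken modulo the bit-vector length, e.g. `bits_.set(h[i] % bits_.size());` using whatever size accessor `BitVector` provides, with the same change in `CountImpl`. Separately, `DoubleHashing::Hash` calls `hasher1_(x)` with only the pointer while `DefaultHashing::Hash` passes `(x, n)`; if `Hasher::operator()` hashes a byte range, the double-hashing variant is hashing the pointer value rather than the element, so confirm the call against the `Hasher` template in BloomFilter.h.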
@@ -70,21 +73,24 @@ private: }; /** - * The abstract base class for hash policies. + * The abstract base class for hash policies that hash elements *k* times. * @tparam Codomain An integral type. */ class HashPolicy { public: - typedef hash_t hash_type; + typedef hash_t HashType; + typedef std::vector HashVector; + virtual ~HashPolicy() { } - size_t k() const { return k; } - virtual std::vector Hash(const void* x, size_t n) const = 0; + size_t k() const { return k_; } + virtual HashVector Hash(const void* x, size_t n) const = 0; + protected: /** * A functor that computes a universal hash function. * @tparam Codomain An integral type. */ - template + template class Hasher { public: template @@ -104,8 +110,9 @@ protected: }; HashPolicy(size_t k) : k_(k) { } + private: - size_t k_; + const size_t k_; }; /** @@ -114,18 +121,12 @@ private: class DefaultHashing : public HashPolicy { public: DefaultHashing(size_t k) : HashPolicy(k), hashers_(k) { } - virtual ~DoubleHashing() { } + virtual ~DefaultHashing() { } - virtual std::vector Hash(const void* x, size_t n) const - { - std::vector h(k(), 0); - for (size_t i = 0; i < h.size(); ++i) - h[i] = hashers_[i](x, n); - return h; - } + virtual HashVector Hash(const void* x, size_t n) const; private: - std::vector< Hasher > hashers_; + std::vector< Hasher > hashers_; }; /** @@ -133,22 +134,14 @@ private: */ class DoubleHashing : public HashPolicy { public: - DoubleHashing(size_t k) : HashPolicy(k), hashers_(k) { } + DoubleHashing(size_t k) : HashPolicy(k) { } virtual ~DoubleHashing() { } - virtual std::vector Hash(const void* x, size_t n) const - { - Codomain h1 = hasher1_(x); - Codomain h2 = hasher2_(x); - std::vector h(k(), 0); - for (size_t i = 0; i < h.size(); ++i) - h[i] = h1 + i * h2; - return h; - } + virtual HashVector Hash(const void* x, size_t n) const; private: - Hasher hasher1_; - Hasher hasher2_; + Hasher hasher1_; + Hasher hasher2_; }; /** 
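Review bot: `HashPolicy(size_t k) : k_(k) { }` in the `@@ -70` hunk, and the derived `DefaultHashing(size_t k)` and `DoubleHashing(size_t k)` in the two following hunks, are single-argument constructors without `explicit`, so a bare integer converts silently to a hash policy; write `explicit HashPolicy(size_t k) : k_(k) { }` and likewise for the two subclasses. Making `k_` `const` also implicitly deletes copy assignment for the whole hierarchy, which is fine for a polymorphic base but deserves a one-line comment on the member. The template argument of the `HashVector` typedef is not visible in this rendering; it has to be `std::vector<HashType>` for the definitions in BloomFilter.cc to compile, so verify the header.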
@@ -166,7 +159,7 @@ public: void Add(const T& x) { ++elements_; - AddImpl(hash_->Hash(x)); + AddImpl(hash_->Hash(&x, sizeof(x))); } /** @@ -179,7 +172,7 @@ public: template size_t Count(const T& x) const { - return CountImpl(hash_->Hash(x)); + return CountImpl(hash_->Hash(&x, sizeof(x))); } /** @@ -193,8 +186,6 @@ public: } protected: - typedef std::vector HashVector; - /** * Default-constructs a Bloom filter. */ @@ -206,17 +197,12 @@ protected: */ BloomFilter(HashPolicy* hash); - virtual void AddImpl(const HashVector& hashes) = 0; + virtual void AddImpl(const HashPolicy::HashVector& hashes) = 0; - virtual size_t CountImpl(const HashVector& hashes) const = 0; - - std::vector Hash(const T& x) const - { - return hash_->Hash(&x, sizeof(x)); - } + virtual size_t CountImpl(const HashPolicy::HashVector& hashes) const = 0; private: - HashPolicy* hash_; // Owned by *this. + HashPolicy* hash_; // Owned by *this. size_t elements_; }; @@ -230,19 +216,9 @@ public: BasicBloomFilter(HashPolicy* hash); protected: - virtual void AddImpl(const HashVector& h) - { - for ( size_t i = 0; i < h.size(); ++i ) - bits_.set(h[i] % h.size()); - } + virtual void AddImpl(const HashPolicy::HashVector& h); - virtual size_t CountImpl(const HashVector& h) const - { - for ( size_t i = 0; i < h.size(); ++i ) - if ( ! bits_[h[i] % h.size()] ) - return 0; - return 1; - } + virtual size_t CountImpl(const HashPolicy::HashVector& h) const; private: BitVector bits_; @@ -253,12 +229,15 @@ private: */ class CountingBloomFilter : public BloomFilter { public: - CountingBloomFilter(unsigned width); - CountingBloomFilter(HashPolicy* hash); + CountingBloomFilter(unsigned width, HashPolicy* hash); protected: CountingBloomFilter(); + virtual void AddImpl(const HashPolicy::HashVector& h); + + virtual size_t CountImpl(const HashPolicy::HashVector& h) const; + private: CounterVector cells_; }; From a5e1810aa8592dd69f2351ff4b069a6da90feb36 Mon Sep 17 00:00:00 2001 
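Review bot: `hash_->Hash(&x, sizeof(x))` in `Add` (and in `Count`, the `@@ -172` hunk) hashes the object representation of `T`, which is only meaningful for trivially-copyable types without padding; a `std::string`, a pointer-holding record, or a struct with padding bytes would hash its buffer address or indeterminate bytes, so equal values may not match and `Count` becomes unreliable. Either document the restriction on `T` in the class comment (the enclosing class starts outside the hunk) or route the call through a hook that callers can specialize for non-POD keys. At minimum add `// T must be a POD without padding: the raw bytes of x are hashed.` above the call.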
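Review bot: `CountingBloomFilter` now declares `AddImpl` and `CountImpl` in the `@@ -253` hunk, but the only new source file in this commit, `src/BloomFilter.cc`, defines them for `BasicBloomFilter` only, so any instantiation of `CountingBloomFilter` will fail at link time unless the definitions live elsewhere. Either add the two definitions next to the `BasicBloomFilter` ones or note in the header that the class is still a stub. The raw owning `HashPolicy* hash_; // Owned by *this.` in the `@@ -206` hunk has no visible destructor or copy handling in this view; if `BloomFilter` objects are ever copied, a double delete follows, so confirm the copy operations are defined or disabled.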
From: Jon Siwek Date: Mon, 3 Jun 2013 16:03:25 -0500 Subject: [PATCH 100/200] Fix various documentation/typos; remove a few superfluous things. --- doc/scripts/example.bro | 2 - scripts/base/frameworks/analyzer/main.bro | 53 +++++++++++------------ scripts/base/frameworks/reporter/main.bro | 2 +- scripts/base/init-bare.bro | 2 +- src/IPAddr.h | 5 --- src/analyzer/Analyzer.h | 10 ++--- src/analyzer/Component.h | 8 ++-- src/analyzer/Manager.h | 18 ++++---- src/analyzer/Tag.h | 4 +- src/analyzer/protocol/http/events.bif | 2 +- src/analyzer/protocol/login/events.bif | 42 ++++++++++++------ src/analyzer/protocol/rpc/events.bif | 9 ++-- src/analyzer/protocol/tcp/events.bif | 26 +++++------ src/bro.bif | 2 +- src/event.bif | 14 +++--- src/plugin/Macros.h | 10 ++--- src/plugin/Plugin.h | 4 +- 17 files changed, 110 insertions(+), 103 deletions(-) diff --git a/doc/scripts/example.bro b/doc/scripts/example.bro index b7407a27a9..2ff12bfa27 100644 --- a/doc/scripts/example.bro +++ b/doc/scripts/example.bro @@ -57,8 +57,6 @@ global example_ports = { event bro_init() { - # Registering a well-known port is self-documenting and - # goes into the generated doc's "Port Analysis" section. Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, example_ports); } diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index 66b3abc46e..c7bfd1ce34 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro 
@@ -1,26 +1,25 @@ ##! Framework for managing Bro's protocol analyzers. ##! ##! The analyzer framework allows to dynamically enable or disable analyzers, as -##! well as to manage the well-known ports which automatically active a particular -##! analyzer for new connections. +##! well as to manage the well-known ports which automatically activate a +##! particular analyzer for new connections. ##! ##! Protocol analyzers are identified by unique tags of type ##! :bro:type:`Analyzer::Tag`, such as :bro:enum:`Analyzer::ANALYZER_HTTP` and -##! :bro:enum:`Analyzer::ANALYZER_HTTP`. These tags are defined internally by the -##! analyzers themselves, and documented in their analyzer-specific description -##! along with the events that they generate. -##! -##! .. todo: ``The ANALYZER_*`` are in fact not yet documented, we need to add that -##! to Broxygen. +##! :bro:enum:`Analyzer::ANALYZER_HTTP`. These tags are defined internally by +##! the analyzers themselves, and documented in their analyzer-specific +##! description along with the events that they generate. + module Analyzer; export { - ## If true, all available analyzers are initially disabled at startup. One can - ## then selectively enable them with :bro:id:`enable_analyzer`. + ## If true, all available analyzers are initially disabled at startup. One + ## can then selectively enable them with + ## :bro:id:`Analyzer::enable_analyzer`. global disable_all = F &redef; - ## Enables an analyzer. Once enabled, the analyzer may be used for analysis of - ## future connections as decided by Bro's dynamic protocol detection. + ## Enables an analyzer. Once enabled, the analyzer may be used for analysis + ## of future connections as decided by Bro's dynamic protocol detection. ## ## tag: The tag of the analyzer to enable. ## 
@@ -35,10 +34,10 @@ export { ## Returns: True if the analyzer was successfully disabled. global disable_analyzer: function(tag: Analyzer::Tag) : bool; - ## Registers a set of well-known ports for an analyzer. If a future connection - ## on one of these ports is seen, the analyzer will be automatically assigned - ## to parsing it. The function *adds* to all ports already registered, it doesn't - ## replace them . + ## Registers a set of well-known ports for an analyzer. If a future + ## connection on one of these ports is seen, the analyzer will be + ## automatically assigned to parsing it. The function *adds* to all ports + ## already registered, it doesn't replace them. ## ## tag: The tag of the analyzer. ## @@ -47,10 +46,10 @@ export { ## Returns: True if the ports were sucessfully registered. global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool; - ## Registers an individual well-known port for an analyzer. If a future connection - ## on this ports is seen, the analyzer will be automatically assigned to parsing - ## it. The function *adds* to all ports already registered, it doesn't replace - ## them. + ## Registers an individual well-known port for an analyzer. If a future + ## connection on this port is seen, the analyzer will be automatically + ## assigned to parsing it. The function *adds* to all ports already + ## registered, it doesn't replace them. ## ## tag: The tag of the analyzer. ## @@ -70,7 +69,7 @@ export { ## Returns a table of all ports-to-analyzer mappings currently registered. ## ## Returns: A table mapping each analyzer to the set of ports - ## registered for it. + ## registered for it. global all_registered_ports: function() : table[Analyzer::Tag] of set[port]; ## Translates an analyzer type to a string with the analyzer's name. 
@@ -84,7 +83,7 @@ export { ## address and port. ## ## orig: The IP address originating a connection in the future. - ## 0.0.0.0 can be used as a wildcard to match any originator address. + ## 0.0.0.0 can be used as a wildcard to match any originator address. ## ## resp: The IP address responding to a connection from *orig*. ## @@ -93,22 +92,20 @@ export { ## analyzer: The analyzer ID. ## ## tout: A timeout interval after which the scheduling request will be - ## discarded if the connection has not yet been seen. + ## discarded if the connection has not yet been seen. ## ## Returns: True if succesful. global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool; - ## A set of analyzers to disable by default at startup. The default set contains - ## legacy analyzers that are no longer supported. + ## A set of analyzers to disable by default at startup. The default set + ## contains legacy analyzers that are no longer supported. global disabled_analyzers: set[Analyzer::Tag] = { ANALYZER_INTERCONN, ANALYZER_STEPPINGSTONE, ANALYZER_BACKDOOR, ANALYZER_TCPSTATS, - } - - &redef; + } &redef; } @load base/bif/analyzer.bif diff --git a/scripts/base/frameworks/reporter/main.bro b/scripts/base/frameworks/reporter/main.bro index 249ecdac98..891aebf6b2 100644 --- a/scripts/base/frameworks/reporter/main.bro +++ b/scripts/base/frameworks/reporter/main.bro @@ -9,7 +9,7 @@ ##! Note that this framework deals with the handling of internally generated ##! reporter messages, for the interface in to actually creating interface ##! into actually creating reporter messages from the scripting layer, use -##! the built-in functions in :doc:`/scripts/base/reporter.bif`. +##! the built-in functions in :doc:`/scripts/base/bif/reporter.bif`. module Reporter; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index d5abbef1ff..2110110a40 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -226,7 +226,7 @@ type endpoint_stats: record { ## for a connection, it assigns it a unique ID that can be used to reference ## that instance. ## -## .. bro:see:: analyzer_name disable_analyzer protocol_confirmation +## .. bro:see:: Analyzer::name Analyzer::disable_analyzer protocol_confirmation ## protocol_violation ## ## .. todo::While we declare an alias for the type here, the events/functions still diff --git a/src/IPAddr.h b/src/IPAddr.h index 0c6942c61e..cc7b2baa6e 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h @@ -451,11 +451,6 @@ inline void IPAddr::ConvertToThreadingValue(threading::Value::addr_t* v) const */ HashKey* BuildConnIDHashKey(const ConnID& id); -/** - * Returns a hash key for a given ExpectedConn instance. Passes ownership to caller. - */ -HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c); - /** * Class storing both IPv4 and IPv6 prefixes * (i.e., \c 192.168.1.1/16 and \c FD00::/8. diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 2d905867eb..396d45d60e 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
@@ -509,31 +509,31 @@ public: virtual void UpdateConnVal(RecordVal *conn_val); /** - * Convinience function that forwards directly to + * Convenience function that forwards directly to * Connection::BuildConnVal(). */ RecordVal* BuildConnVal(); /** - * Convinience function that forwards directly to the corresponding + * Convenience function that forwards directly to the corresponding * Connection::Event(). */ void Event(EventHandlerPtr f, const char* name = 0); /** - * Convinience function that forwards directly to the corresponding + * Convenience function that forwards directly to the corresponding * Connection::Event(). */ void Event(EventHandlerPtr f, Val* v1, Val* v2 = 0); /** - * Convinience function that forwards directly to + * Convenience function that forwards directly to * Connection::ConnectionEvent(). */ void ConnectionEvent(EventHandlerPtr f, val_list* vl); /** - * Convinience function that forwards directly to the corresponding + * Convenience function that forwards directly to the corresponding * Connection::Weird(). */ void Weird(const char* name, const char* addl = ""); diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h index 79d4c12fe5..b766c2fe82 100644 --- a/src/analyzer/Component.h +++ b/src/analyzer/Component.h @@ -40,10 +40,10 @@ public: * returns a new instance. * * @param subtype A subtype associated with this component that - * further. The subtype will be integrated into the analyzer::Tag - * that the manager associates with this analyzer, and analyzer - * instances can accordingly access it via analyzer::Tag(). If not - * used, leave at zero. + * further distinguishes it. The subtype will be integrated into + * the analyzer::Tag that the manager associates with this analyzer, + * and analyzer instances can accordingly access it via analyzer::Tag(). + * If not used, leave at zero. * * @param enabled If false the analyzer starts out as disabled and * hence won't be used. It can still be enabled later via the 
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index c66fd9eafb..efae629971 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -91,7 +91,7 @@ public: * * @param tag The analyzer's tag. * - * @return True if sucessful. + * @return True if successful. */ bool EnableAnalyzer(Tag tag); @@ -102,7 +102,7 @@ public: * @param tag The analyzer's tag as an enum of script type \c * Analyzer::Tag. * - * @return True if sucessful. + * @return True if successful. */ bool EnableAnalyzer(EnumVal* tag); @@ -112,7 +112,7 @@ public: * * @param tag The analyzer's tag. * - * @return True if sucessful. + * @return True if successful. */ bool DisableAnalyzer(Tag tag); @@ -123,7 +123,7 @@ public: * @param tag The analyzer's tag as an enum of script type \c * Analyzer::Tag. * - * @return True if sucessful. + * @return True if successful. */ bool DisableAnalyzer(EnumVal* tag); @@ -157,7 +157,7 @@ public: * * @param port The well-known port. * - * @return True if sucessful. + * @return True if successful. */ bool RegisterAnalyzerForPort(EnumVal* tag, PortVal* port); @@ -172,7 +172,7 @@ public: * * @param port The port's number. * - * @return True if sucessful. + * @return True if successful. */ bool RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); @@ -184,7 +184,7 @@ public: * * @param port The well-known port. * - * @return True if sucessful (incl. when the port wasn't actually + * @return True if successful (incl. when the port wasn't actually * registered for the analyzer). * */ @@ -215,7 +215,7 @@ public: * have been added to the connection's analyzer tree yet. Returns * null if tag is invalid or the requested analyzer is disabled. */ - Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled or not available. + Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); /** * Instantiates a new analyzer instance for a connection. 
@@ -229,7 +229,7 @@ public: * null if the name is not known or if the requested analyzer that is * disabled. */ - Analyzer* InstantiateAnalyzer(const char* name, Connection* c); // Null if disabled or not available. + Analyzer* InstantiateAnalyzer(const char* name, Connection* c); /** * Translates an analyzer tag into corresponding analyzer name. diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index 9b2fea4a9b..cf33dca41c 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -28,7 +28,7 @@ class Component; * assigns them their main types), and analyzer::Component creates new * tags. * - * The Tag class supports all operations necessary to act at the index in a + * The Tag class supports all operations necessary to act as an index in a * \c std::map. */ class Tag { @@ -90,7 +90,7 @@ public: /** * Assignment operator. */ - Tag& operator=(const Tag& other); + Tag& operator=(const Tag& other); /** * Compares two tags for equality. diff --git a/src/analyzer/protocol/http/events.bif b/src/analyzer/protocol/http/events.bif index ead8bc254b..7a509c6d54 100644 --- a/src/analyzer/protocol/http/events.bif +++ b/src/analyzer/protocol/http/events.bif @@ -18,7 +18,7 @@ ## version: The version number specified in the request (e.g., ``1.1``). ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_header http_message_done ply http_stats +## http_entity_data http_event http_header http_message_done http_reply http_stats ## truncate_http_URI event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%); diff --git a/src/analyzer/protocol/login/events.bif b/src/analyzer/protocol/login/events.bif index 084f53eaad..68f1c3cf11 100644 --- a/src/analyzer/protocol/login/events.bif +++ b/src/analyzer/protocol/login/events.bif 
@@ -87,7 +87,8 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line: ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); ## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects @@ -121,7 +122,8 @@ event login_failure%(c: connection, user: string, client_user: string, password: ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); ## Generated for lines of input on Telnet/Rlogin sessions. The line will have @@ -137,7 +139,8 @@ event login_success%(c: connection, user: string, client_user: string, password: ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_input_line%(c: connection, line: string%); ## Generated for lines of output on Telnet/Rlogin sessions. The line will have 
@@ -153,7 +156,8 @@ event login_input_line%(c: connection, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_output_line%(c: connection, line: string%); ## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's @@ -179,7 +183,8 @@ event login_output_line%(c: connection, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_confused%(c: connection, msg: string, line: string%); ## Generated after getting confused while tracking a Telnet/Rlogin @@ -199,7 +204,8 @@ event login_confused%(c: connection, msg: string, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_confused_text%(c: connection, line: string%); ## Generated for clients transmitting a terminal type in a Telnet session. This 
@@ -215,7 +221,8 @@ event login_confused_text%(c: connection, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_terminal%(c: connection, terminal: string%); ## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This @@ -231,7 +238,8 @@ event login_terminal%(c: connection, terminal: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_display%(c: connection, display: string%); ## Generated when a Telnet authentication has been successful. The Telnet @@ -255,7 +263,8 @@ event login_display%(c: connection, display: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event authentication_accepted%(name: string, c: connection%); ## Generated when a Telnet authentication has been unsuccessful. The Telnet 
@@ -279,7 +288,8 @@ event authentication_accepted%(name: string, c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event authentication_rejected%(name: string, c: connection%); ## Generated for Telnet/Rlogin sessions when a pattern match indicates @@ -302,7 +312,8 @@ event authentication_rejected%(name: string, c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event authentication_skipped%(c: connection%); ## Generated for clients transmitting a terminal prompt in a Telnet session. @@ -322,7 +333,8 @@ event authentication_skipped%(c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_prompt%(c: connection, prompt: string%); ## Generated for Telnet sessions when encryption is activated. The Telnet 
@@ -373,7 +385,8 @@ event inconsistent_option%(c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event bad_option%(c: connection%); ## Generated for a Telnet option that's incorrectly terminated. @@ -391,5 +404,6 @@ event bad_option%(c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event bad_option_termination%(c: connection%); diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif index f0050ab446..72c57aff74 100644 --- a/src/analyzer/protocol/rpc/events.bif +++ b/src/analyzer/protocol/rpc/events.bif @@ -675,7 +675,8 @@ event pm_bad_port%(r: connection, bad_p: count%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); ## Generated for RPC *call* messages. 
@@ -701,7 +702,8 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); ## Generated for RPC *reply* messages. @@ -724,5 +726,6 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif index 05a280024d..af61783ac4 100644 --- a/src/analyzer/protocol/tcp/events.bif +++ b/src/analyzer/protocol/tcp/events.bif @@ -10,7 +10,7 @@ ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection partial_connection +## scheduled_analyzer_applied new_connection partial_connection event new_connection_contents%(c: connection%); ## Generated for an unsuccessful connection attempt. This event is raised when 
@@ -25,7 +25,7 @@ event new_connection_contents%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_attempt%(c: connection%); @@ -41,7 +41,7 @@ event connection_attempt%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_established%(c: connection%); @@ -57,7 +57,7 @@ event connection_established%(c: connection%); ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection new_connection_contents +## scheduled_analyzer_applied new_connection new_connection_contents ## event partial_connection%(c: connection%); 
@@ -73,7 +73,7 @@ event partial_connection%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_partial_close%(c: connection%); @@ -86,7 +86,7 @@ event connection_partial_close%(c: connection%); ## connection_established connection_external connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_finished%(c: connection%); @@ -100,7 +100,7 @@ event connection_finished%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_half_finished%(c: connection%); 
@@ -112,7 +112,7 @@ event connection_half_finished%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## c: The connection. @@ -136,7 +136,7 @@ event connection_rejected%(c: connection%); ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection new_connection_contents +## scheduled_analyzer_applied new_connection new_connection_contents ## partial_connection event connection_reset%(c: connection%); @@ -148,7 +148,7 @@ event connection_reset%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection bro_done event connection_pending%(c: connection%); 
@@ -163,7 +163,7 @@ event connection_pending%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## .. note:: @@ -184,7 +184,7 @@ event connection_SYN_packet%(c: connection, pkt: SYN_packet%); ## connection_established connection_external connection_finished ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## .. note:: @@ -204,7 +204,7 @@ event connection_first_ACK%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_EOF%(c: connection, is_orig: bool%); diff --git a/src/bro.bif b/src/bro.bif index 07a98327b3..efb913bbf7 100644 --- a/src/bro.bif +++ b/src/bro.bif 
@@ -3699,7 +3699,7 @@ function file_mode%(mode: count%): string ## Returns: True if the connection identified by *cid* exists and has analyzer ## *aid*. ## -## .. bro:see:: expect_connection analyzer_name +## .. bro:see:: Analyzer::schedule_analyzer Analyzer::name function disable_analyzer%(cid: conn_id, aid: count%) : bool %{ Connection* c = sessions->FindConnection(cid); diff --git a/src/event.bif b/src/event.bif index 6ddcf21682..f7fd9b4147 100644 --- a/src/event.bif +++ b/src/event.bif @@ -107,8 +107,9 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused -## connection_state_remove connection_status_update expected_connection_seen -## new_connection new_connection_contents partial_connection +## connection_state_remove connection_status_update +## scheduled_analyzer_applied new_connection new_connection_contents +## partial_connection ## ## .. note:: ## 
@@ -201,14 +202,15 @@ event connection_external%(c: connection, tag: string%); event udp_session_done%(u: connection%); ## Generated when a connection is seen that is marked as being expected. -## The function :bro:id:`expect_connection` tells Bro to expect a particular -## connection to come up, and which analyzer to associate with it. Once the -## first packet of such a connection is indeed seen, this event is raised. +## The function :bro:id:`Analyzer::schedule_analyzer` tells Bro to expect a +## particular connection to come up, and which analyzer to associate with it. +## Once the first packet of such a connection is indeed seen, this event is +## raised. ## ## c: The connection. ## ## a: The analyzer that was scheduled for the connection with the -## :bro:id:`expect_connection` call. When the event is raised, that +## :bro:id:`Analyzer::schedule_analyzer` call. When the event is raised, that ## analyzer will already have been activated to process the connection. The ## ``count`` is one of the ``ANALYZER_*`` constants, e.g., ``ANALYZER_HTTP``. ## diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 9d063cd60a..0cbf00f899 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -70,10 +70,10 @@ #define BRO_PLUGIN_VERSION(v) SetVersion(v) /** - * Adds scrip-level items defined in a \c *.bif file to what the plugin + * Adds script-level items defined in a \c *.bif file to what the plugin * provides. * - * @param file A string with the name of \c *.bif file. When loaded, the the + * @param file A string with the name of \c *.bif file. When loaded, the * plugin will make all items defined in the file available to Bro's script * interpreter. */ 
@@ -82,7 +82,7 @@ AddBifInitFunction(&__bif_##file##_init); /** - * Defines a component implementating a protocol analyzer. + * Defines a component implementing a protocol analyzer. * * @param tag A string with the analyzer's tag. This must be unique across * all loaded analyzers and will translate into a corresponding \c ANALYZER_* @@ -95,11 +95,11 @@ AddComponent(new ::analyzer::Component(tag, ::analyzer::cls::InstantiateAnalyzer)); /** - * Defines a component implementating an protocol analyzer class that will + * Defines a component implementing a protocol analyzer class that will * not be instantiated dynamically. This is for two use-cases: (1) abstract * analyzer base classes that aren't instantiated directly; and (2) analyzers * that are only instantiated explicitly by other Bro components, but not - * dynmically by the manager based on their tag (e.g., the ZIP analyzer is + * dynamically by the manager based on their tag (e.g., the ZIP analyzer is * attached by the HTTP analyzer when corresponding content is found). * * @param tag A string with the analyzer's tag. This must be unique across diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 189fdf5c52..7ec6a11884 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -80,7 +80,7 @@ private: * components, a plugin can also provide of script-level elements defined in * *.bif files. * - * Currently, all plugins ard compiled statically into the final Bro binary. + * Currently, all plugins are compiled statically into the final Bro binary. * Later, we will extend the infrastructure to also support plugins loaded * dynamically as shared libraries. */ @@ -124,8 +124,6 @@ public: /** * Returns a list of all components the plugin provides. - * BRO_PLUGIN_VERSION_BUILTIN indiciates that it's a plugin compiled - * in statically. */ component_list Components(); From a5cb605b1d3e9573338ae8069c3258a1207a4063 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Mon, 3 Jun 2013 20:10:48 -0700 Subject: [PATCH 101/200] Fixing test that was accidentally broken. --- testing/btest/core/tunnels/teredo-known-services.test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/core/tunnels/teredo-known-services.test b/testing/btest/core/tunnels/teredo-known-services.test index c207d9a2ab..d03ef2ab71 100644 --- a/testing/btest/core/tunnels/teredo-known-services.test +++ b/testing/btest/core/tunnels/teredo-known-services.test @@ -1,6 +1,6 @@ # @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: test ! -e known_services.log -# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" +# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: btest-diff known_services.log # The first case using Tunnel::delay_teredo_confirmation=T doesn't produce From f708cd4a361ba02083380cfe0db2949e3e06cff7 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 3 Jun 2013 22:55:21 -0700 Subject: [PATCH 102/200] Work on parameter estimation and serialization. --- src/BloomFilter.cc | 131 ++++++++++++++++++++++++++++++++++++++++++++- src/BloomFilter.h | 41 +++++++------- src/NetVar.cc | 2 + src/OpaqueVal.cc | 23 ++++++++ src/OpaqueVal.h | 16 ++++++ src/SerialTypes.h | 7 +++ 6 files changed, 198 insertions(+), 22 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 6873815f69..4787bef0f0 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc 
@@ -1,23 +1,130 @@
 #include "BloomFilter.h"
+#include
+#include "Serializer.h"
+
+// Backport C++11's std::round().
+namespace {
+template
+T round(double x) { return (x > 0.0) ? (x + 0.5) : (x - 0.5); }
+} // namespace
+
+
+IMPLEMENT_SERIAL(CounterVector, SER_COUNTERVECTOR)
+
+bool CounterVector::DoSerialize(SerialInfo* info) const
+ {
+ DO_SERIALIZE(SER_COUNTERVECTOR, SerialObj);
+ if ( ! SERIALIZE(&bits_) )
+ return false;
+ return SERIALIZE(static_cast(width_));
+ }
+
+bool CounterVector::DoUnserialize(UnserialInfo* info)
+ {
+ DO_UNSERIALIZE(SerialObj);
+ return false;
+ // TODO: Ask Robin how to unserialize non-pointer members.
+ //if ( ! UNSERIALIZE(&bits_) )
+ // return false;
+ uint64 width;
+ if ( ! UNSERIALIZE(&width) )
+ return false;
+ width_ = static_cast(width);
+ return true;
+ }
+
+
 HashPolicy::HashVector DefaultHashing::Hash(const void* x, size_t n) const
 {
- HashVector h(k(), 0);
+ HashVector h(K(), 0);
 for ( size_t i = 0; i < h.size(); ++i )
 h[i] = hashers_[i](x, n);
 return h;
 }
+
 HashPolicy::HashVector DoubleHashing::Hash(const void* x, size_t n) const
 {
 HashType h1 = hasher1_(x);
 HashType h2 = hasher2_(x);
- HashVector h(k(), 0);
+ HashVector h(K(), 0);
 for ( size_t i = 0; i < h.size(); ++i )
 h[i] = h1 + i * h2;
 return h;
 }
+bool BloomFilter::Serialize(SerialInfo* info) const
+ {
+ return SerialObj::Serialize(info);
+ }
+
+BloomFilter* BloomFilter::Unserialize(UnserialInfo* info)
+ {
+ return reinterpret_cast(
+ SerialObj::Unserialize(info, SER_BLOOMFILTER));
+ }
+
+// FIXME: should abstract base classes also have IMPLEMENT_SERIAL?
+//IMPLEMENT_SERIAL(BloomFilter, SER_BLOOMFILTER)
+
+bool BloomFilter::DoSerialize(SerialInfo* info) const
+ {
+ DO_SERIALIZE(SER_BLOOMFILTER, SerialObj);
+ // TODO: Make the hash policy serializable.
+ //if ( ! SERIALIZE(hash_) )
+ // return false;
+ return SERIALIZE(static_cast(elements_));
+ }
+
+bool BloomFilter::DoUnserialize(UnserialInfo* info)
+ {
+ DO_UNSERIALIZE(SerialObj);
+ // TODO: Make the hash policy serializable.
+ //if ( ! hash_ = HashPolicy::Unserialize(info) )
+ // return false;
+ uint64 elements;
+ if ( UNSERIALIZE(&elements) )
+ return false;
+ elements_ = static_cast(elements);
+ return true;
+ }
+
+size_t BasicBloomFilter::Cells(double fp, size_t capacity)
+ {
+ double ln2 = std::log(2);
+ return std::ceil(-(capacity * std::log(fp) / ln2 / ln2));
+ }
+
+size_t BasicBloomFilter::K(size_t cells, size_t capacity)
+ {
+ double frac = static_cast(cells) / static_cast(capacity);
+ return round(frac * std::log(2));
+ }
+
+BasicBloomFilter::BasicBloomFilter(size_t cells, HashPolicy* hash)
+ : BloomFilter(hash), bits_(cells)
+ {
+ }
+
+IMPLEMENT_SERIAL(BasicBloomFilter, SER_BASICBLOOMFILTER)
+
+bool BasicBloomFilter::DoSerialize(SerialInfo* info) const
+ {
+ DO_SERIALIZE(SER_BASICBLOOMFILTER, BloomFilter);
+ // TODO: Make the hash policy serializable.
+ //if ( ! SERIALIZE(&bits_) )
+ // return false;
+ return true;
+ }
+
+bool BasicBloomFilter::DoUnserialize(UnserialInfo* info)
+ {
+ DO_UNSERIALIZE(BloomFilter);
+ // TODO: Non-pointer member deserialization?
+ return true;
+ }
+
 void BasicBloomFilter::AddImpl(const HashPolicy::HashVector& h)
 {
 for ( size_t i = 0; i < h.size(); ++i )
@@ -31,3 +138,23 @@ size_t BasicBloomFilter::CountImpl(const HashPolicy::HashVector& h) const
 return 0;
 return 1;
 }
+
+
+void CountingBloomFilter::AddImpl(const HashPolicy::HashVector& h)
+ {
+ for ( size_t i = 0; i < h.size(); ++i )
+ cells_.Increment(h[i] % h.size(), 1);
+ }
+
+size_t CountingBloomFilter::CountImpl(const HashPolicy::HashVector& h) const
+ {
+ CounterVector::size_type min =
+ std::numeric_limits::max();
+ for ( size_t i = 0; i < h.size(); ++i )
+ {
+ CounterVector::size_type cnt = cells_.Count(h[i] % h.size());
+ if ( cnt < min )
+ min = cnt;
+ }
+ return min;
+ }
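Review bot: `BloomFilter::DoUnserialize` has its success test inverted: `if ( UNSERIALIZE(&elements) ) return false;` reports failure when the read succeeds and, when it fails, falls through to `elements_ = static_cast<…>(elements)` with `elements` possibly never written; the `width` read in `CounterVector::DoUnserialize` in the same hunk uses the negated form, so this should read `if ( ! UNSERIALIZE(&elements) )`. `CounterVector::DoUnserialize` itself returns false unconditionally right after `DO_UNSERIALIZE(SerialObj)`, which makes the `width` block below it unreachable; if that is the intended placeholder, a comment such as `// Not yet unserializable: non-pointer members pending (see TODO below).` would stop the dead block from being read as working code. `BasicBloomFilter::Cells` also accepts any `fp`: for `fp <= 0` or `fp >= 1` the logarithm is non-finite or non-negative and converting that result to `size_t` is undefined, so a precondition check such as `assert(fp > 0.0 && fp < 1.0 && capacity > 0);` belongs at the top of the function, and the derived formula deserves a one-line comment naming it.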
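Review bot: `CountingBloomFilter::AddImpl` and `CountImpl` reduce each hash with `h[i] % h.size()`, but `h.size()` is the number of hash functions (the vector is built as `HashVector h(K(), 0)` above), not the number of counters, so only the first K cells of `cells_` are ever touched regardless of the `width` the filter was constructed with. Unless CounterVector is meant to hold exactly K counters, which the header hunk does not suggest, the modulus should be the counter count, i.e. `cells_.Increment(h[i] % <counter count>, 1)` and `cells_.Count(h[i] % <counter count>)` using whatever size accessor CounterVector provides (placeholder; I cannot see its interface here). `BasicBloomFilter::AddImpl`/`CountImpl` are worth the same check, but their bodies fall outside this hunk.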
diff --git a/src/BloomFilter.h b/src/BloomFilter.h
index dca4eff2bd..82948f30ec 100644
--- a/src/BloomFilter.h
+++ b/src/BloomFilter.h
@@ -65,7 +65,7 @@ public:
 protected:
 DECLARE_SERIAL(CounterVector);
- CounterVector();
+ CounterVector() { }
 private:
 BitVector bits_;
@@ -82,7 +82,7 @@ public:
 typedef std::vector HashVector;
 virtual ~HashPolicy() { }
- size_t k() const { return k_; }
+ size_t K() const { return k_; }
 virtual HashVector Hash(const void* x, size_t n) const = 0;
 protected:
@@ -130,7 +130,7 @@ private:
 };
 /**
- * The *double-hashing* policy. Uses a linear combination of 2 hash functions.
+ * The *double-hashing* policy. Uses a linear combination of two hash functions.
 */
 class DoubleHashing : public HashPolicy {
 public:
@@ -185,25 +185,20 @@ public:
 return elements_;
 }
-protected:
- /**
- * Default-constructs a Bloom filter.
- */
- BloomFilter();
+ bool Serialize(SerialInfo* info) const;
+ static BloomFilter* Unserialize(UnserialInfo* info);
- /**
- * Constructs a BloomFilter.
- * @param hash The hashing policy.
- */
- BloomFilter(HashPolicy* hash);
+protected:
+ DECLARE_SERIAL(BloomFilter);
+
+ BloomFilter() { };
+ BloomFilter(HashPolicy* hash) : hash_(hash) { }
 virtual void AddImpl(const HashPolicy::HashVector& hashes) = 0;
-
 virtual size_t CountImpl(const HashPolicy::HashVector& hashes) const = 0;
 private:
- HashPolicy* hash_; // Owned by *this.
-
+ HashPolicy* hash_;
 size_t elements_;
 };
@@ -212,12 +207,17 @@ private:
 */
 class BasicBloomFilter : public BloomFilter {
 public:
- BasicBloomFilter();
- BasicBloomFilter(HashPolicy* hash);
+ static size_t Cells(double fp, size_t capacity);
+ static size_t K(size_t cells, size_t capacity);
+
+ BasicBloomFilter(size_t cells, HashPolicy* hash);
 protected:
- virtual void AddImpl(const HashPolicy::HashVector& h);
+ DECLARE_SERIAL(BasicBloomFilter);
+ BasicBloomFilter() { }
+
+ virtual void AddImpl(const HashPolicy::HashVector& h);
 virtual size_t CountImpl(const HashPolicy::HashVector& h) const;
 private:
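Review bot: The `-185` hunk drops the `// Owned by *this.` comment from `HashPolicy* hash_;` while nothing in the diff shows ownership moving, so a reader of the new header can no longer tell who deletes the policy; keep it as `HashPolicy* hash_; // Owned by *this.` (or state the new owner if that changed). The same hunk replaces the two documented constructors with bare `BloomFilter() { };` and `BloomFilter(HashPolicy* hash) : hash_(hash) { }`, leaving a stray semicolon and a single-argument constructor that now converts implicitly; `explicit BloomFilter(HashPolicy* hash) : hash_(hash) { }` plus a one-line `@param hash` comment would restore what was removed. The new public `Serialize`/`Unserialize` here and the static `Cells`/`K` in the `-212` hunk carry no Doxygen text although the rest of the header is documented; what `fp` and `capacity` mean and that `K` is derived from the cells/capacity ratio belong there.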
@@ -232,10 +232,11 @@ public:
 CountingBloomFilter(unsigned width, HashPolicy* hash);
 protected:
+ DECLARE_SERIAL(CountingBloomFilter);
+
 CountingBloomFilter();
 virtual void AddImpl(const HashPolicy::HashVector& h);
-
 virtual size_t CountImpl(const HashPolicy::HashVector& h) const;
 private:
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 3a23e4c9fa..d8c2192af7 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -244,6 +244,7 @@ OpaqueType* md5_type;
 OpaqueType* sha1_type;
 OpaqueType* sha256_type;
 OpaqueType* entropy_type;
+OpaqueType* bloomfilter_type;
 #include "const.bif.netvar_def"
 #include "types.bif.netvar_def"
@@ -310,6 +311,7 @@ void init_general_global_var()
 sha1_type = new OpaqueType("sha1");
 sha256_type = new OpaqueType("sha256");
 entropy_type = new OpaqueType("entropy");
+ bloomfilter_type = new OpaqueType("bloomfilter");
 }
 void init_net_var()
diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc
index 19346e52f2..a5fb65f53b 100644
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@@ -1,4 +1,6 @@
 #include "OpaqueVal.h"
+
+#include "BloomFilter.h"
 #include "NetVar.h"
 #include "Reporter.h"
 #include "Serializer.h"
@@ -515,3 +517,24 @@ bool EntropyVal::DoUnserialize(UnserialInfo* info)
 return true;
 }
+
+BloomFilterVal::BloomFilterVal(OpaqueType* t) : OpaqueVal(t)
+ {
+ }
+
+IMPLEMENT_SERIAL(BloomFilterVal, SER_BLOOMFILTER_VAL);
+
+bool BloomFilterVal::DoSerialize(SerialInfo* info) const
+ {
+ DO_SERIALIZE(SER_BLOOMFILTER_VAL, OpaqueVal);
+ // TODO: implement.
+ return true;
+ }
+
+bool BloomFilterVal::DoUnserialize(UnserialInfo* info)
+ {
+ DO_UNSERIALIZE(OpaqueVal);
+ // TODO: implement.
+ return true;
+ }
+
diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h
index 78fa5da5e9..1c9c0361cc 100644
--- a/src/OpaqueVal.h
+++ b/src/OpaqueVal.h
@@ -7,6 +7,8 @@
 #include "Val.h"
 #include "digest.h"
+class BloomFilter;
+
 class HashVal : public OpaqueVal {
 public:
 virtual bool IsValid() const;
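Review bot: `BloomFilterVal::BloomFilterVal(OpaqueType* t) : OpaqueVal(t) { }` in the OpaqueVal.cc hunk never initializes `bloom_filter_`, the raw pointer this commit adds to the class in OpaqueVal.h, so a value created through this path carries an indeterminate pointer; initialize it in the list, `BloomFilterVal::BloomFilterVal(OpaqueType* t) : OpaqueVal(t), bloom_filter_(0) { }`. `IMPLEMENT_SERIAL(BloomFilterVal, SER_BLOOMFILTER_VAL);` also carries a trailing semicolon that the other `IMPLEMENT_SERIAL` uses in this commit do not. The `DoSerialize`/`DoUnserialize` stubs return true while writing and reading nothing, so a serialized BloomFilterVal round-trips as a success with no payload; until they are implemented, returning false (or at least a comment stating that the filter contents are not yet persisted) keeps the gap visible to callers instead of silent. Nothing in the header hunk declares a destructor, so who releases `bloom_filter_` is also undocumented; a comment on the member would settle it.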
@@ -107,4 +109,18 @@ private: RandTest state; }; +class BloomFilterVal : public OpaqueVal { +public: + BloomFilterVal(); + +protected: + friend class Val; + BloomFilterVal(OpaqueType* t); + + DECLARE_SERIAL(BloomFilterVal); + +private: + BloomFilter* bloom_filter_; +}; + #endif diff --git a/src/SerialTypes.h b/src/SerialTypes.h index c9c0c34a33..171113ab6a 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -50,6 +50,9 @@ SERIAL_IS_BO(CASE, 0x1200) SERIAL_IS(LOCATION, 0x1300) SERIAL_IS(RE_MATCHER, 0x1400) SERIAL_IS(BITVECTOR, 0x1500) +SERIAL_IS(COUNTERVECTOR, 0xa000) +SERIAL_IS(BLOOMFILTER, 0xa100) +SERIAL_IS(BASICBLOOMFILTER, 0xa200) // These are the externally visible types. const SerialType SER_NONE = 0; @@ -105,6 +108,7 @@ SERIAL_VAL(MD5_VAL, 16) SERIAL_VAL(SHA1_VAL, 17) SERIAL_VAL(SHA256_VAL, 18) SERIAL_VAL(ENTROPY_VAL, 19) +SERIAL_VAL(BLOOMFILTER_VAL, 20) #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR) SERIAL_EXPR(EXPR, 1) @@ -204,5 +208,8 @@ SERIAL_CONST2(CASE) SERIAL_CONST2(LOCATION) SERIAL_CONST2(RE_MATCHER) SERIAL_CONST2(BITVECTOR) +SERIAL_CONST2(COUNTERVECTOR) +SERIAL_CONST2(BLOOMFILTER) +SERIAL_CONST2(BASICBLOOMFILTER) #endif From 307fc187c000c95044aa3f61d891b4878e5552c1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 4 Jun 2013 10:53:10 -0500 Subject: [PATCH 103/200] Add @PATH bro script macro. Addresses #869. The macro expands to a string value containing the file system path in which the script lives. --- src/scan.l | 4 ++++ testing/btest/Baseline/language.at-path/out | 1 + testing/btest/language/at-path.bro | 4 ++++ 3 files changed, 9 insertions(+) create mode 100644 testing/btest/Baseline/language.at-path/out create mode 100644 testing/btest/language/at-path.bro diff --git a/src/scan.l b/src/scan.l index ffbc125728..c488855e0e 100644 --- a/src/scan.l +++ b/src/scan.l 
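Review bot: `BloomFilterVal` in the OpaqueVal.h hunk owns a raw `BloomFilter* bloom_filter_` but declares no destructor, so the filter is never released, and the implicitly generated copy constructor and assignment operator would copy the pointer and double-free it as soon as a destructor is added. I'd declare `~BloomFilterVal();` next to the public constructor and make the class non-copyable in the file's pre-C++11 style (private, undefined copy ctor and `operator=`), unless `Val` already forbids copying — please confirm. Note also that `BloomFilterVal();` is declared here while the OpaqueVal.cc hunk of this commit only defines the `OpaqueType*` overload, so any use of the default constructor would fail at link time.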
@@ -344,6 +344,10 @@ when return TOK_WHEN; @DEBUG return TOK_DEBUG; // marks input for debugger +@PATH { + RET_CONST(new StringVal(current_scanned_file_path.c_str())); + } + @load{WS}{FILE} { const char* new_file = skip_whitespace(yytext + 5); // Skip "@load". if ( generate_documentation ) diff --git a/testing/btest/Baseline/language.at-path/out b/testing/btest/Baseline/language.at-path/out new file mode 100644 index 0000000000..7ac82c183c --- /dev/null +++ b/testing/btest/Baseline/language.at-path/out @@ -0,0 +1 @@ +/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-path diff --git a/testing/btest/language/at-path.bro b/testing/btest/language/at-path.bro new file mode 100644 index 0000000000..78e15e07eb --- /dev/null +++ b/testing/btest/language/at-path.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +print @PATH; From 7e8b504305f8606246b52fb7a92ad151552aac11 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 4 Jun 2013 14:16:56 -0500 Subject: [PATCH 104/200] Make @PATH always return absolute path. Addresses #869. --- src/scan.l | 16 +++++++++++++++- testing/btest/Baseline/language.at-path/out2 | 1 + testing/btest/language/at-path.bro | 6 ++++++ 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/language.at-path/out2 diff --git a/src/scan.l b/src/scan.l index c488855e0e..8a460aba07 100644 --- a/src/scan.l +++ b/src/scan.l @@ -8,6 +8,8 @@ #include #include #include +#include +#include #include #include "input.h" 
@@ -345,7 +347,19 @@ when return TOK_WHEN; @DEBUG return TOK_DEBUG; // marks input for debugger @PATH { - RET_CONST(new StringVal(current_scanned_file_path.c_str())); + string rval = current_scanned_file_path; + + if ( ! rval.empty() && rval[0] == '.' ) + { + char path[MAXPATHLEN]; + + if ( ! getcwd(path, MAXPATHLEN) ) + reporter->Error("getcwd failed: %s", strerror(errno)); + else + rval = string(path) + "/" + rval; + } + + RET_CONST(new StringVal(rval.c_str())); } @load{WS}{FILE} { diff --git a/testing/btest/Baseline/language.at-path/out2 b/testing/btest/Baseline/language.at-path/out2 new file mode 100644 index 0000000000..f8e3c550d3 --- /dev/null +++ b/testing/btest/Baseline/language.at-path/out2 @@ -0,0 +1 @@ +/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-path/. diff --git a/testing/btest/language/at-path.bro b/testing/btest/language/at-path.bro index 78e15e07eb..433db17835 100644 --- a/testing/btest/language/at-path.bro +++ b/testing/btest/language/at-path.bro @@ -1,4 +1,10 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out +# @TEST-EXEC: bro -b ./pathtest.bro >out2 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out2 print @PATH; + +@TEST-START-FILE pathtest.bro +print @PATH; +@TEST-END-FILE From d3297dd6f3b6a50c07c90e9ad5f61c0ddf762460 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Tue, 4 Jun 2013 13:32:26 -0700 Subject: [PATCH 105/200] Adhere to Bro coding style. --- src/BitVector.cc | 100 +++++++++++++++++++++++------------------------ src/BitVector.h | 40 +++++++++---------- 2 files changed, 69 insertions(+), 71 deletions(-) diff --git a/src/BitVector.cc b/src/BitVector.cc index f57301d506..f029230609 100644 --- a/src/BitVector.cc +++ b/src/BitVector.cc 
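Review bot: The condition `if ( ! rval.empty() && rval[0] == '.' )` only absolutizes paths that begin with a dot, so a script invoked as `subdir/foo.bro` (no leading `./`) still yields a relative `@PATH`, which contradicts the commit's "always return absolute path" intent; `rval[0] != '/'` is the test I would expect here. When `getcwd` fails the code logs the error but still returns the unmodified relative path, so a caller cannot distinguish that from a genuinely absolute result — returning an empty string in that branch would make the failure visible. The new baseline `out2` also shows the value is not normalized (`…/language.at-path/.`); running the joined string through `realpath()` would clean that up, at the cost of requiring the directory to exist. How `current_scanned_file_path` is populated is outside this hunk, so the set of relative forms it can take should be confirmed there.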
@@ -33,7 +33,7 @@ BitVector::Reference::Reference(block_type& block, block_type i) assert(i < bits_per_block); } -BitVector::Reference& BitVector::Reference::flip() +BitVector::Reference& BitVector::Reference::Flip() { block_ ^= mask_; return *this; @@ -105,7 +105,7 @@ BitVector::BitVector(BitVector const& other) BitVector BitVector::operator~() const { BitVector b(*this); - b.flip(); + b.Flip(); return b; } @@ -130,15 +130,15 @@ BitVector BitVector::operator>>(size_type n) const BitVector& BitVector::operator<<=(size_type n) { if (n >= num_bits_) - return reset(); + return Reset(); if (n > 0) { - size_type last = blocks() - 1; + size_type last = Blocks() - 1; size_type div = n / bits_per_block; block_type r = bit_index(n); block_type* b = &bits_[0]; - assert(blocks() >= 1); + assert(Blocks() >= 1); assert(div <= last); if (r != 0) @@ -164,15 +164,15 @@ BitVector& BitVector::operator<<=(size_type n) BitVector& BitVector::operator>>=(size_type n) { if (n >= num_bits_) - return reset(); + return Reset(); if (n > 0) { - size_type last = blocks() - 1; + size_type last = Blocks() - 1; size_type div = n / bits_per_block; block_type r = bit_index(n); block_type* b = &bits_[0]; - assert(blocks() >= 1); + assert(Blocks() >= 1); assert(div <= last); if (r != 0) 
@@ -187,39 +187,39 @@ BitVector& BitVector::operator>>=(size_type n) b[i-div] = b[i]; } - std::fill_n(b + (blocks() - div), div, block_type(0)); + std::fill_n(b + (Blocks() - div), div, block_type(0)); } return *this; } BitVector& BitVector::operator&=(BitVector const& other) { - assert(size() >= other.size()); - for (size_type i = 0; i < blocks(); ++i) + assert(Size() >= other.Size()); + for (size_type i = 0; i < Blocks(); ++i) bits_[i] &= other.bits_[i]; return *this; } BitVector& BitVector::operator|=(BitVector const& other) { - assert(size() >= other.size()); - for (size_type i = 0; i < blocks(); ++i) + assert(Size() >= other.Size()); + for (size_type i = 0; i < Blocks(); ++i) bits_[i] |= other.bits_[i]; return *this; } BitVector& BitVector::operator^=(BitVector const& other) { - assert(size() >= other.size()); - for (size_type i = 0; i < blocks(); ++i) + assert(Size() >= other.Size()); + for (size_type i = 0; i < Blocks(); ++i) bits_[i] ^= other.bits_[i]; return *this; } BitVector& BitVector::operator-=(BitVector const& other) { - assert(size() >= other.size()); - for (size_type i = 0; i < blocks(); ++i) + assert(Size() >= other.Size()); + for (size_type i = 0; i < Blocks(); ++i) bits_[i] &= ~other.bits_[i]; return *this; } @@ -260,8 +260,8 @@ bool operator!=(BitVector const& x, BitVector const& y) bool operator<(BitVector const& x, BitVector const& y) { - assert(x.size() == y.size()); - for (BitVector::size_type r = x.blocks(); r > 0; --r) + assert(x.Size() == y.Size()); + for (BitVector::size_type r = x.Blocks(); r > 0; --r) { BitVector::size_type i = r - 1; if (x.bits_[i] < y.bits_[i]) @@ -272,9 +272,9 @@ bool operator<(BitVector const& x, BitVector const& y) return false; } -void BitVector::resize(size_type n, bool value) +void BitVector::Resize(size_type n, bool value) { - size_type old = blocks(); + size_type old = Blocks(); size_type required = bits_to_blocks(n); block_type block_value = value ? ~block_type(0) : block_type(0); 
@@ -288,27 +288,27 @@ void BitVector::resize(size_type n, bool value) zero_unused_bits(); } -void BitVector::clear() +void BitVector::Clear() { bits_.clear(); num_bits_ = 0; } -void BitVector::push_back(bool bit) +void BitVector::PushBack(bool bit) { - size_type s = size(); - resize(s + 1); - set(s, bit); + size_type s = Size(); + Resize(s + 1); + Set(s, bit); } -void BitVector::append(block_type block) +void BitVector::Append(block_type block) { size_type excess = extra_bits(); if (excess) { - assert(! bits_.empty()); + assert(! Empty()); bits_.push_back(block >> (bits_per_block - excess)); - bits_[bits_.size() - 2] |= (block << excess); + bits_[Blocks() - 2] |= (block << excess); } else { @@ -317,48 +317,46 @@ void BitVector::append(block_type block) num_bits_ += bits_per_block; } -BitVector& BitVector::set(size_type i, bool bit) +BitVector& BitVector::Set(size_type i, bool bit) { assert(i < num_bits_); - if (bit) - bits_[block_index(i)] |= bit_mask(i); + bits_[block_index(i)] |= bit_mask(i); else - reset(i); - + Reset(i); return *this; } -BitVector& BitVector::set() +BitVector& BitVector::Set() { std::fill(bits_.begin(), bits_.end(), ~block_type(0)); zero_unused_bits(); return *this; } -BitVector& BitVector::reset(size_type i) +BitVector& BitVector::Reset(size_type i) { assert(i < num_bits_); bits_[block_index(i)] &= ~bit_mask(i); return *this; } -BitVector& BitVector::reset() +BitVector& BitVector::Reset() { std::fill(bits_.begin(), bits_.end(), block_type(0)); return *this; } -BitVector& BitVector::flip(size_type i) +BitVector& BitVector::Flip(size_type i) { assert(i < num_bits_); bits_[block_index(i)] ^= bit_mask(i); return *this; } -BitVector& BitVector::flip() +BitVector& BitVector::Flip() { - for (size_type i = 0; i < blocks(); ++i) + for (size_type i = 0; i < Blocks(); ++i) bits_[i] = ~bits_[i]; zero_unused_bits(); return *this; 
@@ -376,11 +374,11 @@ BitVector::Reference BitVector::operator[](size_type i) return Reference(bits_[block_index(i)], bit_index(i)); } -BitVector::size_type BitVector::count() const +BitVector::size_type BitVector::Count() const { std::vector::const_iterator first = bits_.begin(); size_t n = 0; - size_type length = blocks(); + size_type length = Blocks(); while (length) { block_type block = *first; @@ -396,29 +394,29 @@ BitVector::size_type BitVector::count() const return n; } -BitVector::size_type BitVector::blocks() const +BitVector::size_type BitVector::Blocks() const { return bits_.size(); } -BitVector::size_type BitVector::size() const +BitVector::size_type BitVector::Size() const { return num_bits_; } -bool BitVector::empty() const +bool BitVector::Empty() const { return bits_.empty(); } -BitVector::size_type BitVector::find_first() const +BitVector::size_type BitVector::FindFirst() const { return find_from(0); } -BitVector::size_type BitVector::find_next(size_type i) const +BitVector::size_type BitVector::FindNext(size_type i) const { - if (i >= (size() - 1) || size() == 0) + if (i >= (Size() - 1) || Size() == 0) return npos; ++i; size_type bi = block_index(i); @@ -437,7 +435,7 @@ BitVector::size_type BitVector::lowest_bit(block_type block) BitVector::block_type BitVector::extra_bits() const { - return bit_index(size()); + return bit_index(Size()); } void BitVector::zero_unused_bits() @@ -448,9 +446,9 @@ void BitVector::zero_unused_bits() BitVector::size_type BitVector::find_from(size_type i) const { - while (i < blocks() && bits_[i] == 0) + while (i < Blocks() && bits_[i] == 0) ++i; - if (i >= blocks()) + if (i >= Blocks()) return npos; return i * bits_per_block + lowest_bit(bits_[i]); } diff --git a/src/BitVector.h b/src/BitVector.h index 9900dd103e..8315a151f0 100644 --- a/src/BitVector.h +++ b/src/BitVector.h 
@@ -24,7 +24,7 @@ public: Reference(block_type& block, block_type i); public: - Reference& flip(); + Reference& Flip(); operator bool() const; bool operator~() const; Reference& operator=(bool x); @@ -110,7 +110,7 @@ public: * sequence. */ template - void append(ForwardIterator first, ForwardIterator last) + void Append(ForwardIterator first, ForwardIterator last) { if (first == last) return; @@ -119,7 +119,7 @@ public: typename std::iterator_traits::difference_type delta = std::distance(first, last); - bits_.reserve(blocks() + delta); + bits_.reserve(Blocks() + delta); if (excess == 0) { bits_.back() |= (*first << excess); @@ -140,24 +140,24 @@ public: * Appends the bits in a given block. * @param block The block containing bits to append. */ - void append(block_type block); + void Append(block_type block); /** Appends a single bit to the end of the bit vector. * @param bit The value of the bit. */ - void push_back(bool bit); + void PushBack(bool bit); /** * Clears all bits in the bitvector. */ - void clear(); + void Clear(); /** * Resizes the bit vector to a new number of bits. * @param n The new number of bits of the bit vector. * @param value The bit value of new values, if the vector expands. */ - void resize(size_type n, bool value = false); + void Resize(size_type n, bool value = false); /** * Sets a bit at a specific position to a given value. 
@@ -165,39 +165,39 @@ public: * @param bit The value assigned to position *i*. * @return A reference to the bit vector instance. */ - BitVector& set(size_type i, bool bit = true); + BitVector& Set(size_type i, bool bit = true); /** * Sets all bits to 1. * @return A reference to the bit vector instance. */ - BitVector& set(); + BitVector& Set(); /** * Resets a bit at a specific position, i.e., sets it to 0. * @param i The bit position. * @return A reference to the bit vector instance. */ - BitVector& reset(size_type i); + BitVector& Reset(size_type i); /** * Sets all bits to 0. * @return A reference to the bit vector instance. */ - BitVector& reset(); + BitVector& Reset(); /** * Toggles/flips a bit at a specific position. * @param i The bit position. * @return A reference to the bit vector instance. */ - BitVector& flip(size_type i); + BitVector& Flip(size_type i); /** * Computes the complement. * @return A reference to the bit vector instance. */ - BitVector& flip(); + BitVector& Flip(); /** Retrieves a single bit. * @param i The bit position. 
@@ -217,32 +217,32 @@ public: * count* or *Hamming weight*. * @return The number of bits set to 1. */ - size_type count() const; + size_type Count() const; /** * Retrieves the number of blocks of the underlying storage. - * @param The number of blocks that represent `size()` bits. + * @param The number of blocks that represent `Size()` bits. */ - size_type blocks() const; + size_type Blocks() const; /** * Retrieves the number of bits the bitvector consist of. * @return The length of the bit vector in bits. */ - size_type size() const; + size_type Size() const; /** * Checks whether the bit vector is empty. * @return `true` iff the bitvector has zero length. */ - bool empty() const; + bool Empty() const; /** * Finds the bit position of of the first 1-bit. * @return The position of the first bit that equals to one or `npos` if no * such bit exists. */ - size_type find_first() const; + size_type FindFirst() const; /** * Finds the next 1-bit from a given starting position. @@ -252,7 +252,7 @@ public: * @return The position of the first bit that equals to 1 after position * *i* or `npos` if no such bit exists. */ - size_type find_next(size_type i) const; + size_type FindNext(size_type i) const; bool Serialize(SerialInfo* info) const; static BitVector* Unserialize(UnserialInfo* info); From a5572dd66f10ca653855483e0941da327b8422e4 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Tue, 4 Jun 2013 14:31:39 -0700 Subject: [PATCH 106/200] Write CounterVector implementation scaffold. --- src/BloomFilter.cc | 36 ++++++++++++++++++++++++++++++++++++ src/BloomFilter.h | 10 +++++++--- 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 4787bef0f0..78048ee588 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc 
@@ -10,6 +10,42 @@ T round(double x) { return (x > 0.0) ? (x + 0.5) : (x - 0.5); } } // namespace +CounterVector::CounterVector(size_t width, size_t cells) + : bits_(new BitVector(width * cells)), width_(width) + { + } + +CounterVector::~CounterVector() + { + delete bits_; + } + +bool CounterVector::Increment(size_type cell, count_type value) + { + // TODO + assert(! "not yet implemented"); + return false; + } + +bool CounterVector::Decrement(size_type cell, count_type value) + { + // TODO + assert(! "not yet implemented"); + return false; + } + +CounterVector::count_type CounterVector::Count(size_type cell) const + { + // TODO + assert(! "not yet implemented"); + return 0; + } + +CounterVector::size_type CounterVector::Size() const + { + return bits_->Blocks() / width_; + } + IMPLEMENT_SERIAL(CounterVector, SER_COUNTERVECTOR) bool CounterVector::DoSerialize(SerialInfo* info) const diff --git a/src/BloomFilter.h b/src/BloomFilter.h index 82948f30ec..b4f82efee9 100644 --- a/src/BloomFilter.h +++ b/src/BloomFilter.h @@ -9,7 +9,7 @@ /** * A vector of counters, each of which have a fixed number of bits. */ -class CounterVector : SerialObj { +class CounterVector : public SerialObj { public: typedef size_t size_type; typedef uint64 count_type; @@ -18,8 +18,12 @@ public: * Constructs a counter vector having cells of a given width. * * @param width The number of bits that each cell occupies. + * + * @param cells The number of cells in the bitvector. */ - explicit CounterVector(unsigned width); + CounterVector(size_t width, size_t cells = 1024); + + ~CounterVector(); /** * Increments a given cell. @@ -68,7 +72,7 @@ protected: CounterVector() { } private: - BitVector bits_; + BitVector* bits_; unsigned width_; }; From 751cf612931f021ddf7b5ee51019f20d05e0c309 Mon Sep 17 00:00:00 2001 
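Review bot: `CounterVector::Size()` computes `bits_->Blocks() / width_`, but `Blocks()` is the number of storage words while the constructor allocates `width * cells` bits, so the cell count is wrong by a factor of the block size; it should be `return bits_->Size() / width_;`. The `Increment`/`Decrement`/`Count` stubs rely on `assert(! "not yet implemented")`, which compiles away under NDEBUG and leaves them silently returning `false`/`0` — a hard failure that does not depend on build flags (e.g. a reporter internal-error call, if one is available here) would be safer. The new destructor's unconditional `delete bits_` also assumes every constructor sets `bits_`, which the header's `CounterVector() { }` does not.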
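Review bot: Replacing `explicit CounterVector(unsigned width)` with `CounterVector(size_t width, size_t cells = 1024)` drops `explicit`, so a lone `size_t` now implicitly converts to a CounterVector; I'd keep `explicit CounterVector(size_t width, size_t cells = 1024);`. The protected `CounterVector() { }` leaves the now heap-allocated `bits_` pointer uninitialized while the new destructor deletes it unconditionally, so a failed unserialization after default construction is undefined behaviour — initialize it with `CounterVector() : bits_(0), width_(0) { }`. `width_` also stays `unsigned` although the constructor takes `size_t width`, a silent narrowing that deserves either a matching type or a comment.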
From: Matthias Vallentin Date: Tue, 4 Jun 2013 15:30:27 -0700 Subject: [PATCH 107/200] Add more serialization implementation. --- src/BloomFilter.cc | 93 ++++++++++++++++++++++++++++++++-------------- src/BloomFilter.h | 56 +++++++++++++++++++++++----- src/NetVar.h | 1 + src/OpaqueVal.cc | 18 ++++++--- src/OpaqueVal.h | 1 + src/SerialTypes.h | 2 + 6 files changed, 129 insertions(+), 42 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 78048ee588..64f0e1c67b 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -46,12 +46,23 @@ CounterVector::size_type CounterVector::Size() const return bits_->Blocks() / width_; } +bool CounterVector::Serialize(SerialInfo* info) const + { + return SerialObj::Serialize(info); + } + +CounterVector* CounterVector::Unserialize(UnserialInfo* info) + { + return reinterpret_cast( + SerialObj::Unserialize(info, SER_COUNTERVECTOR)); + } + IMPLEMENT_SERIAL(CounterVector, SER_COUNTERVECTOR) bool CounterVector::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_COUNTERVECTOR, SerialObj); - if ( ! SERIALIZE(&bits_) ) + if ( ! SERIALIZE(bits_) ) return false; return SERIALIZE(static_cast(width_)); } @@ -60,9 +71,9 @@ bool CounterVector::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(SerialObj); return false; - // TODO: Ask Robin how to unserialize non-pointer members. - //if ( ! UNSERIALIZE(&bits_) ) - // return false; + bits_ = BitVector::Unserialize(info); + if ( ! bits_ ) + return false; uint64 width; if ( ! UNSERIALIZE(&width) ) return false; @@ -90,6 +101,18 @@ HashPolicy::HashVector DoubleHashing::Hash(const void* x, size_t n) const return h; } + +BloomFilter::BloomFilter(size_t k) + : hash_(new hash_policy(k)) + { + } + +BloomFilter::~BloomFilter() + { + if ( hash_ ) + delete hash_; + } + bool BloomFilter::Serialize(SerialInfo* info) const { return SerialObj::Serialize(info); 
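Review bot: `CounterVector::DoUnserialize` in the `@@ -60,9 +71,9` hunk still has the placeholder `return false;` right after `DO_UNSERIALIZE(SerialObj);`, so the newly added `bits_ = BitVector::Unserialize(info);` and the subsequent width read are unreachable and every CounterVector unserialization fails; that line needs to go. Since this state can arrive from a remote peer, the `width` read from the stream should also be validated before it is stored (the assignment itself is past the end of the hunk) — a zero width would make `Size()`'s division undefined. `CounterVector::Unserialize` uses `reinterpret_cast` on the `SerialObj*` returned by the base class; a `static_cast` expresses the intended downcast and would not silently break if the inheritance layout ever changed.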
@@ -101,24 +124,21 @@ BloomFilter* BloomFilter::Unserialize(UnserialInfo* info) SerialObj::Unserialize(info, SER_BLOOMFILTER)); } -// FIXME: should abstract base classes also have IMPLEMENT_SERIAL? -//IMPLEMENT_SERIAL(BloomFilter, SER_BLOOMFILTER) - bool BloomFilter::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BLOOMFILTER, SerialObj); - // TODO: Make the hash policy serializable. - //if ( ! SERIALIZE(hash_) ) - // return false; - return SERIALIZE(static_cast(elements_)); + if ( ! SERIALIZE(static_cast(hash_->K())) ) + return false; + return SERIALIZE(static_cast(elements_)); } bool BloomFilter::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(SerialObj); - // TODO: Make the hash policy serializable. - //if ( ! hash_ = HashPolicy::Unserialize(info) ) - // return false; + uint16 k; + if ( ! UNSERIALIZE(&k) ) + return false; + hash_ = new hash_policy(static_cast(k)); uint64 elements; if ( UNSERIALIZE(&elements) ) return false; @@ -126,7 +146,7 @@ bool BloomFilter::DoUnserialize(UnserialInfo* info) return true; } -size_t BasicBloomFilter::Cells(double fp, size_t capacity) +size_t BasicBloomFilter::M(double fp, size_t capacity) { double ln2 = std::log(2); return std::ceil(-(capacity * std::log(fp) / ln2 / ln2)); @@ -138,9 +158,16 @@ size_t BasicBloomFilter::K(size_t cells, size_t capacity) return round(frac * std::log(2)); } -BasicBloomFilter::BasicBloomFilter(size_t cells, HashPolicy* hash) - : BloomFilter(hash), bits_(cells) +BasicBloomFilter::BasicBloomFilter(double fp, size_t capacity) + : BloomFilter(K(M(fp, capacity), capacity)) { + bits_ = new BitVector(M(fp, capacity)); + } + +BasicBloomFilter::BasicBloomFilter(size_t cells, size_t capacity) + : BloomFilter(K(cells, capacity)) + { + bits_ = new BitVector(cells); } IMPLEMENT_SERIAL(BasicBloomFilter, SER_BASICBLOOMFILTER) 
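Review bot: `BloomFilter::DoUnserialize` keeps the pre-existing inverted check `if ( UNSERIALIZE(&elements) ) return false;`, so a successful read of `elements` aborts unserialization and a failed read is treated as success; it must be `if ( ! UNSERIALIZE(&elements) ) return false;`. The `k` now read from the stream goes straight into `hash_ = new hash_policy(...)`; because serialized filters may come from a peer, `k == 0` (and arguably an upper bound) should be rejected before the policy is built, and any existing `hash_` deleted first so unserializing into a live object does not leak it. On the serialize side, narrowing `hash_->K()` to `uint16` silently truncates larger values, which would then produce a different filter on the receiving end.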
@@ -148,38 +175,50 @@ IMPLEMENT_SERIAL(BasicBloomFilter, SER_BASICBLOOMFILTER) bool BasicBloomFilter::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BASICBLOOMFILTER, BloomFilter); - // TODO: Make the hash policy serializable. - //if ( ! SERIALIZE(&bits_) ) - // return false; - return true; + return SERIALIZE(bits_); } bool BasicBloomFilter::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(BloomFilter); - // TODO: Non-pointer member deserialization? - return true; + bits_ = BitVector::Unserialize(info); + return bits_ == NULL; } void BasicBloomFilter::AddImpl(const HashPolicy::HashVector& h) { for ( size_t i = 0; i < h.size(); ++i ) - bits_.set(h[i] % h.size()); + bits_->Set(h[i] % h.size()); } size_t BasicBloomFilter::CountImpl(const HashPolicy::HashVector& h) const { for ( size_t i = 0; i < h.size(); ++i ) - if ( ! bits_[h[i] % h.size()] ) + if ( ! (*bits_)[h[i] % h.size()] ) return 0; return 1; } +IMPLEMENT_SERIAL(CountingBloomFilter, SER_COUNTINGBLOOMFILTER) + +bool CountingBloomFilter::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_BASICBLOOMFILTER, BloomFilter); + return SERIALIZE(cells_); + } + +bool CountingBloomFilter::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(BloomFilter); + cells_ = CounterVector::Unserialize(info); + return cells_ == NULL; + } + void CountingBloomFilter::AddImpl(const HashPolicy::HashVector& h) { for ( size_t i = 0; i < h.size(); ++i ) - cells_.Increment(h[i] % h.size(), 1); + cells_->Increment(h[i] % h.size(), 1); } size_t CountingBloomFilter::CountImpl(const HashPolicy::HashVector& h) const @@ -188,7 +227,7 @@ size_t CountingBloomFilter::CountImpl(const HashPolicy::HashVector& h) const std::numeric_limits::max(); for ( size_t i = 0; i < h.size(); ++i ) { - CounterVector::size_type cnt = cells_.Count(h[i] % h.size()); + CounterVector::size_type cnt = cells_->Count(h[i] % h.size()); if ( cnt < min ) min = cnt; } diff --git a/src/BloomFilter.h b/src/BloomFilter.h index b4f82efee9..77c6bc4f56 100644 
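Review bot: `BasicBloomFilter::DoUnserialize` and `CountingBloomFilter::DoUnserialize` return `bits_ == NULL` / `cells_ == NULL`, i.e. they report success exactly when the nested unserialization failed; both should read `return bits_ != NULL;` (resp. `cells_ != NULL`). `CountingBloomFilter::DoSerialize` also tags its stream with `DO_SERIALIZE(SER_BASICBLOOMFILTER, BloomFilter)` while its `IMPLEMENT_SERIAL` registers `SER_COUNTINGBLOOMFILTER`, so the written object is labelled as the wrong class. Independently of this commit, `AddImpl`/`CountImpl` index with `h[i] % h.size()`, which is the number of hash functions rather than the number of cells, confining every insert to the first k cells and driving the false-positive rate toward 100%; the filter needs `h[i] % bits_->Size()` here and `h[i] % cells_->Size()` in the counting variant, including the `Count` loop of the `@@ -188,7` hunk.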
--- a/src/BloomFilter.h +++ b/src/BloomFilter.h @@ -151,9 +151,13 @@ private: /** * The abstract base class for Bloom filters. */ -class BloomFilter : SerialObj { +class BloomFilter : public SerialObj { public: - virtual ~BloomFilter() { delete hash_; } + // At this point we won't let the user choose the hash policy, but we might + // open up the interface in the future. + typedef DoubleHashing hash_policy; + + virtual ~BloomFilter(); /** * Adds an element of type T to the Bloom filter. @@ -193,10 +197,10 @@ public: static BloomFilter* Unserialize(UnserialInfo* info); protected: - DECLARE_SERIAL(BloomFilter); + DECLARE_ABSTRACT_SERIAL(BloomFilter); BloomFilter() { }; - BloomFilter(HashPolicy* hash) : hash_(hash) { } + BloomFilter(size_t k); virtual void AddImpl(const HashPolicy::HashVector& hashes) = 0; virtual size_t CountImpl(const HashPolicy::HashVector& hashes) const = 0; 
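Review bot: With `~BloomFilter()` now out-of-line and deleting `hash_` (per the .cc hunk of this commit), the protected `BloomFilter() { };` in the `@@ -193,10` hunk still leaves `hash_` and `elements_` uninitialized, so a derived object default-constructed for unserialization that fails before `DoUnserialize` assigns the policy is destroyed through an indeterminate pointer; `BloomFilter() : hash_(0), elements_(0) { }` closes that hole. The class also owns a raw pointer without declaring a copy constructor or assignment operator, so an accidental copy double-deletes the policy — declare both private and undefined in the file's pre-C++11 style. The comment above `typedef DoubleHashing hash_policy;` could additionally note that only `K()` of the policy is serialized, so any future policy with extra state must extend `DoSerialize`.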
@@ -211,10 +215,42 @@ private: */ class BasicBloomFilter : public BloomFilter { public: - static size_t Cells(double fp, size_t capacity); + /** + * Computes the number of cells based a given false-positive rate and + * capacity. In the literature, this parameter often has the name *M*. + * + * @param fp The false-positive rate. + * + * @param capacity The number of exepected elements. + * + * Returns: The number cells needed to support a false-positive rate of *fp* + * with at most *capacity* elements. + */ + static size_t M(double fp, size_t capacity); + + /** + * Computes the optimal number of hash functions based on the number cells + * and expected number of elements. + * + * @param cells The number of cells (*m*). + * + * @param capacity The maximum number of elements. + * + * Returns: the optimal number of hash functions for a false-positive rate of + * *fp* for at most *capacity* elements. + */ static size_t K(size_t cells, size_t capacity); - BasicBloomFilter(size_t cells, HashPolicy* hash); + /** + * Constructs a basic Bloom filter with a given false-positive rate and + * capacity. + */ + BasicBloomFilter(double fp, size_t capacity); + + /** + * Constructs a basic Bloom filter with a given number of cells and capacity. + */ + BasicBloomFilter(size_t cells, size_t capacity); protected: DECLARE_SERIAL(BasicBloomFilter); @@ -225,7 +261,7 @@ protected: virtual size_t CountImpl(const HashPolicy::HashVector& h) const; private: - BitVector bits_; + BitVector* bits_; }; /** @@ -233,18 +269,18 @@ private: */ class CountingBloomFilter : public BloomFilter { public: - CountingBloomFilter(unsigned width, HashPolicy* hash); + CountingBloomFilter(unsigned width); protected: DECLARE_SERIAL(CountingBloomFilter); - CountingBloomFilter(); + CountingBloomFilter() { } virtual void AddImpl(const HashPolicy::HashVector& h); virtual size_t CountImpl(const HashPolicy::HashVector& h) const; private: - CounterVector cells_; + CounterVector* cells_; }; #endif 
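Review bot: `BasicBloomFilter` and `CountingBloomFilter` switch `bits_`/`cells_` to pointers that the .cc hunk allocates with `new`, but neither class declares a destructor, so every filter leaks its storage; add `~BasicBloomFilter();` / `~CountingBloomFilter();` that delete them, and initialize the pointers in the protected default constructors (`CountingBloomFilter() : cells_(0) { }`, likewise for `BasicBloomFilter() { }`). The two public constructors `BasicBloomFilter(double fp, size_t capacity)` and `BasicBloomFilter(size_t cells, size_t capacity)` differ only in the first parameter's type, so a call with an integer literal such as `BasicBloomFilter(1000, 10000)` is ambiguous (int converts equally well to `double` and `size_t`); a named factory or distinct parameter order would avoid that trap. In the doc comments, `K()` claims to yield the optimum "for a false-positive rate of *fp*" although its inputs are `cells` and `capacity`, and `M()` has "based a given" and "exepected".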
diff --git a/src/NetVar.h b/src/NetVar.h index 1a20adcaf2..aa2a14ada5 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -249,6 +249,7 @@ extern OpaqueType* md5_type; extern OpaqueType* sha1_type; extern OpaqueType* sha256_type; extern OpaqueType* entropy_type; +extern OpaqueType* bloomfilter_type; // Initializes globals that don't pertain to network/event analysis. extern void init_general_global_var(); diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index a5fb65f53b..b4f1290436 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -518,23 +518,31 @@ bool EntropyVal::DoUnserialize(UnserialInfo* info) return true; } +BloomFilterVal::BloomFilterVal() : OpaqueVal(bloomfilter_type) + { + } + BloomFilterVal::BloomFilterVal(OpaqueType* t) : OpaqueVal(t) { } +BloomFilterVal::~BloomFilterVal() + { + if ( bloom_filter_ ) + delete bloom_filter_; + } + IMPLEMENT_SERIAL(BloomFilterVal, SER_BLOOMFILTER_VAL); bool BloomFilterVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BLOOMFILTER_VAL, OpaqueVal); - // TODO: implement. - return true; + return SERIALIZE(bloom_filter_); } bool BloomFilterVal::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(OpaqueVal); - // TODO: implement. - return true; + bloom_filter_ = BloomFilter::Unserialize(info); + return bloom_filter_ == NULL; } - diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index 1c9c0361cc..68b42a8a49 100644 --- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h @@ -112,6 +112,7 @@ private: class BloomFilterVal : public OpaqueVal { public: BloomFilterVal(); + ~BloomFilterVal(); protected: friend class Val; diff --git a/src/SerialTypes.h b/src/SerialTypes.h index 171113ab6a..859145f19f 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -53,6 +53,7 @@ SERIAL_IS(BITVECTOR, 0x1500) SERIAL_IS(COUNTERVECTOR, 0xa000) SERIAL_IS(BLOOMFILTER, 0xa100) SERIAL_IS(BASICBLOOMFILTER, 0xa200) +SERIAL_IS(COUNTINGBLOOMFILTER, 0xa300) // These are the externally visible types. const SerialType SER_NONE = 0; 
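Review bot: `BloomFilterVal::DoUnserialize` returns `bloom_filter_ == NULL`, so it reports success only when `BloomFilter::Unserialize` failed; it should be `return bloom_filter_ != NULL;`. Neither constructor initializes `bloom_filter_`, yet the new destructor tests and deletes it, so a value destroyed before anything assigned the pointer frees garbage — use `BloomFilterVal::BloomFilterVal() : OpaqueVal(bloomfilter_type), bloom_filter_(0) { }` and the same initializer in the `OpaqueType*` overload. `DoSerialize` hands `bloom_filter_` to `SERIALIZE` without a null check, so serializing a freshly constructed value presumably dereferences null; either define an empty value as legal and handle it, or `return false` when the pointer is unset.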
@@ -211,5 +212,6 @@ SERIAL_CONST2(BITVECTOR) SERIAL_CONST2(COUNTERVECTOR) SERIAL_CONST2(BLOOMFILTER) SERIAL_CONST2(BASICBLOOMFILTER) +SERIAL_CONST2(COUNTINGBLOOMFILTER) #endif From cf9d65932cea68e97e15024c671da24cefb9af53 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 4 Jun 2013 20:43:20 -0700 Subject: [PATCH 108/200] Redoing the plugin versioning. We now explicitly mark plugins as static vs dynamic (though we don't have the latter yet) instead of piggy-backing that on the version. Also, versions are now ignored for static plugins. --- src/plugin/Macros.h | 15 ++++++--------- src/plugin/Plugin.cc | 27 +++++++++++++++++++++------ src/plugin/Plugin.h | 22 +++++++++++++++++++--- 3 files changed, 46 insertions(+), 18 deletions(-) diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 16f8224c14..f5c1a41cfa 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -10,19 +10,12 @@ #include "analyzer/Component.h" -/** - * Place-holder API version for plugins compiled in statically. - */ -#define BRO_PLUGIN_VERSION_BUILTIN -1 - /** * The current plugin API version. Plugins that won't match this version will * be rejected. */ #define BRO_PLUGIN_API_VERSION 1 -#define _BRO_PLUGIN_VERSION_DEFAULT -1 - /** * Starts the definition of a new plugin. * @@ -40,8 +33,12 @@ void InitPreScript() \ { \ SetName(#_ns "::" #_name); \ - SetVersion(_BRO_PLUGIN_VERSION_DEFAULT);\ - SetAPIVersion(BRO_PLUGIN_API_VERSION); + SetVersion(-1);\ + SetAPIVersion(BRO_PLUGIN_API_VERSION);\ + SetDynamicPlugin(false); +// TODO: The SetDynamicPlugin() call is currently hardcoded to false. Change +// once we have dynamic plugins as well. + /** * Ends the definition of a plugin. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 093a4fad62..352aff6aed 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc 
@@ -46,6 +46,7 @@ Plugin::Plugin() // These will be reset by the BRO_PLUGIN_* macros. version = -9999; api_version = -9999; + dynamic = false; Manager::RegisterPlugin(this); } @@ -80,7 +81,7 @@ void Plugin::SetDescription(const char* arg_description) int Plugin::Version() { - return version; + return dynamic ? version : 0; } void Plugin::SetVersion(int arg_version) @@ -93,11 +94,21 @@ int Plugin::APIVersion() return api_version; } +bool Plugin::DynamicPlugin() + { + return dynamic; + } + void Plugin::SetAPIVersion(int arg_version) { api_version = arg_version; } +void Plugin::SetDynamicPlugin(bool arg_dynamic) + { + dynamic = arg_dynamic; + } + void Plugin::InitPreScript() { } @@ -166,12 +177,16 @@ void Plugin::Describe(ODesc* d) d->Add(description); } - if ( version != BRO_PLUGIN_VERSION_BUILTIN ) + if ( dynamic ) { - d->Add(" (version "); - d->Add(version); - - d->Add(")"); + if ( version > 0 ) + { + d->Add(" (version "); + d->Add(version); + d->Add(")"); + } + else + d->Add(" (version not set)"); } else diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 2dba0249c9..6c6d89a4d1 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h 
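Review bot: The sentinel defaults set in `Plugin::Plugin()` (`version = -9999; api_version = -9999; dynamic = false;`) are what `Manager::RegisterPlugin(this)` sees, because the `BRO_PLUGIN_BEGIN`-generated `InitPreScript()` that sets the real values is a virtual call made later. If the manager ever validates `APIVersion()` against `BRO_PLUGIN_API_VERSION` at registration time — the only compatibility gate the header describes for future dynamic plugins — it would compare against -9999, so the point at which validation may happen deserves a comment here, e.g. `// api_version/dynamic are not valid until InitPreScript() has run; do not check them at registration.` `Describe()` reads the raw `version` field while external callers use `Version()`, which masks it for static plugins; that asymmetry is fine but worth a one-line note so the two do not drift apart.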
@@ -110,15 +110,23 @@ public: const char* Description(); /** - * Returns the version of the plugin. + * Returns the version of the plugin. Version are only meaningful for + * dynamically compiled plugins; for statically compiled ones, this + * will always return 0. */ int Version(); + /** + * Returns true if this is a dynamically linked in plugin. + */ + bool DynamicPlugin(); + /** * Returns the internal API version that this plugin relies on. Only - * plugins that match Bro's BRO_PLUGIN_API_VERSION may be used. For + * plugins that match Bro's current API version may be used. For * statically compiled plugins this is automatically the case, but - * dynamically loaded plugins could later cause a mismatch. + * dynamically loaded plugins may cause a mismatch if they were + * compiled for a different Bro version. */ int APIVersion(); @@ -197,6 +205,13 @@ protected: */ void SetAPIVersion(int version); + /** + * Marks the plugin as statically or dynamically linked. + * + * @param dynamic True if this is a dynamically linked plugin. + */ + void SetDynamicPlugin(bool dynamic); + /** * Takes ownership. */ @@ -225,6 +240,7 @@ private: const char* description; int version; int api_version; + bool dynamic; component_list components; bif_item_list bif_items; From 74e99a27db4b600208ca2b973bb35598c75867b9 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 4 Jun 2013 21:19:08 -0700 Subject: [PATCH 109/200] Ignoring file ids in external tests. They can change occasionally, and we likewise ignore uids already. --- CHANGES | 11 ++++++++ VERSION | 2 +- testing/scripts/diff-canonifier-external | 1 + testing/scripts/diff-remove-file-ids | 33 ++++++++++++++++++++++++ 4 files changed, 46 insertions(+), 1 deletion(-) create mode 100755 testing/scripts/diff-remove-file-ids diff --git a/CHANGES b/CHANGES index 1c23429a43..75d3356603 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,15 @@ +2.1-731 | 2013-06-04 21:19:08 -0700 + + * Reorginization of internal protocol analyzer code. We're moving + them to a modularized structure, based on a plugin model. Along + with this change comes generic plugin infrastructure that we'll + later extend to other Bro component as well. For now all plugins + are compiled in statically, but in the future we plan to also + enable dynamic loading at run time. (Robin Sommer) + + * Ignoring file ids in external tests. (Robin Sommer) + 2.1-675 | 2013-06-02 20:03:19 -0700 * Fix a compiler warning. (Robin Sommer) diff --git a/VERSION b/VERSION index f3667fe959..d138533403 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-675 +2.1-731 diff --git a/testing/scripts/diff-canonifier-external b/testing/scripts/diff-canonifier-external index 04ef699538..f4356154e4 100755 --- a/testing/scripts/diff-canonifier-external +++ b/testing/scripts/diff-canonifier-external @@ -4,6 +4,7 @@ `dirname $0`/diff-remove-timestamps \ | `dirname $0`/diff-remove-uids \ + | `dirname $0`/diff-remove-file-ids \ | `dirname $0`/diff-remove-x509-names \ | `dirname $0`/diff-canon-notice-policy \ | `dirname $0`/diff-sort diff --git a/testing/scripts/diff-remove-file-ids b/testing/scripts/diff-remove-file-ids new file mode 100755 index 0000000000..f54177d8ba --- /dev/null +++ b/testing/scripts/diff-remove-file-ids @@ -0,0 +1,33 @@ +#! /usr/bin/awk -f +# +# A diff canonifier that removes all file IDs from file_analysis.log + +BEGIN { + FS="\t"; + OFS="\t"; + process = 0; + } + +$1 == "#path" && $2 == "file_analysis" { + process = 1; + } + +process && column1 > 0 && column2 > 0 { + $column1 = "XXXXXXXXXXX"; + $column2 = "XXXXXXXXXXX"; + } + +/^#/ { + for ( i = 0; i < NF; ++i ) { + if ( $i == "id" ) + column1 = i - 1; + + if ( $i == "parent_id" ) + column2 = i - 1; + } + } + +{ print } + + + From 1dfaf249459afff9fc9188a90804b6e43caa5698 Mon Sep 17 00:00:00 2001 
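Review bot: In diff-remove-file-ids the header loop `for ( i = 0; i < NF; ++i )` never examines the last field, because awk fields run from $1 to $NF ($0 is the whole record); it should be `for ( i = 1; i <= NF; ++i )`. The masking rule also fires on header lines once the columns are known, so the `#types` line that follows `#fields` gets its id/parent_id entries overwritten as well; guard it with `process && column1 > 0 && column2 > 0 && ! /^#/ {`. `process` is set but never cleared, so an input holding more than one log would have later logs masked with the file_analysis column indices; `$1 == "#path" { process = ($2 == "file_analysis") }` resets it per log.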
From: Robin Sommer
Date: Wed, 5 Jun 2013 08:00:01 -0700
Subject: [PATCH 110/200] Updating submodule(s). [nomail]
---
 aux/binpac | 2 +-
 aux/bro-aux | 2 +-
 aux/broccoli | 2 +-
 aux/broctl | 2 +-
 cmake | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/aux/binpac b/aux/binpac
index f86a3169b8..c39bd478b9 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit f86a3169b8d49189d264cbc1a7507260cd9ff51d
+Subproject commit c39bd478b9d0ecd05b1b83aa9d09a7887893977c
diff --git a/aux/bro-aux b/aux/bro-aux
index cfaf4eea78..a9942558c7 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit cfaf4eea788bdac4ebfe9e46e3de2cd74b0bc068
+Subproject commit a9942558c7d3dfd80148b8aaded64c82ade3d117
diff --git a/aux/broccoli b/aux/broccoli
index 8955807b0f..889f9c6594 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 8955807b0f4151f5f6aca2e68d353b9b341d9f86
+Subproject commit 889f9c65944ceac20ad9230efc39d33e6e1221c3
diff --git a/aux/broctl b/aux/broctl
index 0eca32b35d..a1aaa1608e 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 0eca32b35d16a4d387f41976ab46360ee6ecaed8
+Subproject commit a1aaa1608ef08761a211b1e251449d796ba5e4a0
diff --git a/cmake b/cmake
index e1a7fd00a0..0187b33a29 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit e1a7fd00a0a66d6831a239fe84f5fcfaa54e2c35
+Subproject commit 0187b33a29d5ec824f940feff60dc5d8c2fe314f
From 022ce2505f3423378d193e2b16fda873cb325c3c Mon Sep 17 00:00:00 2001
From: Jon Siwek Date: Wed, 5 Jun 2013 11:01:11 -0500 Subject: [PATCH 111/200] Change @PATH to @DIR for clarity. Add @FILENAME. Addresses #869. @DIR expands to directory path of the script, @FILENAME expands to just the script file name without path. --- src/scan.l | 16 ++++++++++++++-- testing/btest/Baseline/language.at-dir/out | 1 + .../{language.at-path => language.at-dir}/out2 | 0 testing/btest/Baseline/language.at-filename/out | 1 + testing/btest/Baseline/language.at-path/out | 1 - .../btest/language/{at-path.bro => at-dir.bro} | 4 ++-- testing/btest/language/at-filename.bro | 4 ++++ 7 files changed, 22 insertions(+), 5 deletions(-) create mode 100644 testing/btest/Baseline/language.at-dir/out rename testing/btest/Baseline/{language.at-path => language.at-dir}/out2 (100%) create mode 100644 testing/btest/Baseline/language.at-filename/out delete mode 100644 testing/btest/Baseline/language.at-path/out rename testing/btest/language/{at-path.bro => at-dir.bro} (91%) create mode 100644 testing/btest/language/at-filename.bro diff --git a/src/scan.l b/src/scan.l index 8a460aba07..3d2d0e217f 100644 --- a/src/scan.l +++ b/src/scan.l @@ -346,7 +346,7 @@ when return TOK_WHEN; @DEBUG return TOK_DEBUG; // marks input for debugger -@PATH { +@DIR { string rval = current_scanned_file_path; if ( ! rval.empty() && rval[0] == '.' ) @@ -354,7 +354,7 @@ when return TOK_WHEN; char path[MAXPATHLEN]; if ( ! getcwd(path, MAXPATHLEN) ) - reporter->Error("getcwd failed: %s", strerror(errno)); + reporter->InternalError("getcwd failed: %s", strerror(errno)); else rval = string(path) + "/" + rval; } 
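Review bot: Promoting the getcwd() failure in the @DIR rule from reporter->Error() to reporter->InternalError() turns an environmental condition (working directory removed, EACCES, a path longer than MAXPATHLEN) into an internal-error abort, whereas the previous code reported it and carried on with the relative path. A script author cannot fix any of those from Bro code, so either keep `reporter->Error("getcwd failed: %s", strerror(errno));` and fall through to the relative path, or use `reporter->FatalError(...)` if stopping is intended; InternalError should stay reserved for invariants of Bro itself. If the escalation is deliberate, a one-line comment above the call saying why would stop the next reader from reverting it.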
@@ -362,6 +362,18 @@ when return TOK_WHEN; RET_CONST(new StringVal(rval.c_str())); } +@FILENAME { + char* filename_copy = copy_string(::filename); + const char* bname = basename(filename_copy); + + if ( ! bname ) + reporter->InternalError("basename failed: %s", strerror(errno)); + + StringVal* rval = new StringVal(bname); + delete [] filename_copy; + RET_CONST(rval); + } + @load{WS}{FILE} { const char* new_file = skip_whitespace(yytext + 5); // Skip "@load". if ( generate_documentation ) diff --git a/testing/btest/Baseline/language.at-dir/out b/testing/btest/Baseline/language.at-dir/out new file mode 100644 index 0000000000..4cd8e27d6a --- /dev/null +++ b/testing/btest/Baseline/language.at-dir/out @@ -0,0 +1 @@ +/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-dir diff --git a/testing/btest/Baseline/language.at-path/out2 b/testing/btest/Baseline/language.at-dir/out2 similarity index 100% rename from testing/btest/Baseline/language.at-path/out2 rename to testing/btest/Baseline/language.at-dir/out2 diff --git a/testing/btest/Baseline/language.at-filename/out b/testing/btest/Baseline/language.at-filename/out new file mode 100644 index 0000000000..12cfb152d9 --- /dev/null +++ b/testing/btest/Baseline/language.at-filename/out @@ -0,0 +1 @@ +at-filename.bro diff --git a/testing/btest/Baseline/language.at-path/out b/testing/btest/Baseline/language.at-path/out deleted file mode 100644 index 7ac82c183c..0000000000 --- a/testing/btest/Baseline/language.at-path/out +++ /dev/null @@ -1 +0,0 @@ -/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-path diff --git a/testing/btest/language/at-path.bro b/testing/btest/language/at-dir.bro similarity index 91% rename from testing/btest/language/at-path.bro rename to testing/btest/language/at-dir.bro index 433db17835..b826e3a5da 100644 --- a/testing/btest/language/at-path.bro +++ b/testing/btest/language/at-dir.bro 
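Review bot: In the new @FILENAME rule the `if ( ! bname )` branch is dead on POSIX systems, where basename() neither returns NULL nor sets errno, so the strerror(errno) text would be stale even if it were reached; the check that is missing is on `::filename` itself before `copy_string(::filename)`, unless copy_string() is known to tolerate NULL. The copy is needed because basename() may modify its argument and may return a pointer into it, which is also why the StringVal must be constructed before `delete [] filename_copy`; a comment such as `// bname may point into filename_copy: build the StringVal first.` would protect that ordering from a later tidy-up.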
@@ -3,8 +3,8 @@ # @TEST-EXEC: bro -b ./pathtest.bro >out2 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out2 -print @PATH; +print @DIR; @TEST-START-FILE pathtest.bro -print @PATH; +print @DIR; @TEST-END-FILE diff --git a/testing/btest/language/at-filename.bro b/testing/btest/language/at-filename.bro new file mode 100644 index 0000000000..83e4e968f3 --- /dev/null +++ b/testing/btest/language/at-filename.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +print @FILENAME; From 880d02f7204d21fc0e69f08ac78e963042df4f16 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Wed, 5 Jun 2013 16:16:55 -0700 Subject: [PATCH 112/200] Associate a Comphash with a BloomFilterVal. We also keep track of the Bloom filter's element type inside each value. The first use of the BiF bloomfilter_add will "typify" the Bloom filter and lock the Bloom filter's type to the element type. --- src/BloomFilter.cc | 15 ++++++++++++ src/BloomFilter.h | 3 ++- src/OpaqueVal.cc | 60 ++++++++++++++++++++++++++++++++++++++++++++-- src/OpaqueVal.h | 18 ++++++++++++-- 4 files changed, 91 insertions(+), 5 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 64f0e1c67b..74fa6fb255 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -199,6 +199,21 @@ size_t BasicBloomFilter::CountImpl(const HashPolicy::HashVector& h) const return 1; } +CountingBloomFilter::CountingBloomFilter(double fp, size_t capacity, + size_t width) + : BloomFilter(BasicBloomFilter::K(BasicBloomFilter::M(fp, capacity), + capacity)) + { + cells_ = new CounterVector(width, BasicBloomFilter::M(fp, capacity)); + } + +CountingBloomFilter::CountingBloomFilter(size_t cells, size_t capacity, + size_t width) + : BloomFilter(BasicBloomFilter::K(cells, capacity)) + { + cells_ = new CounterVector(width, cells); + } + IMPLEMENT_SERIAL(CountingBloomFilter, SER_COUNTINGBLOOMFILTER) 
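Review bot: The `(double fp, size_t capacity, size_t width)` constructor evaluates `BasicBloomFilter::M(fp, capacity)` twice, once inside the K() call in the initializer and once for the CounterVector size, so a future change to M()'s rounding could size the hash count and the counter vector from different cell counts. Compute the cell count once in the caller and use the (cells, capacity, width) overload, or cache it in a member that both places read; C++03 has no delegating constructors, so a private static helper that takes the precomputed value is the cleanest option here. A doc comment on each constructor stating whether it derives the cell count from fp or takes it directly would also help, since the two are easy to confuse.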
diff --git a/src/BloomFilter.h b/src/BloomFilter.h index 77c6bc4f56..14b0ac3281 100644 --- a/src/BloomFilter.h +++ b/src/BloomFilter.h @@ -269,7 +269,8 @@ private: */ class CountingBloomFilter : public BloomFilter { public: - CountingBloomFilter(unsigned width); + CountingBloomFilter(double fp, size_t capacity, size_t width); + CountingBloomFilter(size_t cells, size_t capacity, size_t width); protected: DECLARE_SERIAL(CountingBloomFilter); diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index b4f1290436..abfd8f320f 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc 
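Review bot: The two new constructors `CountingBloomFilter(double fp, size_t capacity, size_t width)` and `CountingBloomFilter(size_t cells, size_t capacity, size_t width)` differ only in the type of the first parameter, so a call whose first argument is an `int` or integer literal is ambiguous — int to double and int to size_t are conversions of equal rank. The bro.bif caller passes a `double`, so it compiles today, but the overload set is fragile; giving the cell-count form a distinct name (a static factory, or a small tag type as an extra parameter) removes the ambiguity. Neither declaration carries a doc comment; one line each saying which overload derives the cell count from fp/capacity and which takes it directly would make the choice obvious at the call site.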
@@ -518,31 +518,87 @@ bool EntropyVal::DoUnserialize(UnserialInfo* info) return true; } -BloomFilterVal::BloomFilterVal() : OpaqueVal(bloomfilter_type) +BloomFilterVal::BloomFilterVal(BloomFilter* bf) + : OpaqueVal(bloomfilter_type), bloom_filter_(bf) { } -BloomFilterVal::BloomFilterVal(OpaqueType* t) : OpaqueVal(t) +BloomFilterVal::BloomFilterVal(OpaqueType* t) + : OpaqueVal(t) { } +bool BloomFilterVal::Typify(BroType* type) + { + if ( type_ ) + return false; + type_ = type; + TypeList* tl = new TypeList(type_); + tl->Append(type_); + hash_ = new CompositeHash(tl); + Unref(tl); + return true; + } + +BroType* BloomFilterVal::Type() const + { + return type_; + } + +void BloomFilterVal::Add(const Val* val) + { + HashKey* key = hash_->ComputeHash(val, 1); + bloom_filter_->Add(key->Hash()); + } + +size_t BloomFilterVal::Count(const Val* val) const + { + HashKey* key = hash_->ComputeHash(val, 1); + return bloom_filter_->Count(key->Hash()); + } + +BloomFilterVal* BloomFilterVal::Merge(const BloomFilterVal* first, + const BloomFilterVal* second) +{ + assert(! "not yet implemented"); + return NULL; + } + BloomFilterVal::~BloomFilterVal() { + if ( type_ ) + Unref(type_); + if ( hash_ ) + delete hash_; if ( bloom_filter_ ) delete bloom_filter_; } +BloomFilterVal::BloomFilterVal() + : OpaqueVal(bloomfilter_type) + { + } + IMPLEMENT_SERIAL(BloomFilterVal, SER_BLOOMFILTER_VAL); bool BloomFilterVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BLOOMFILTER_VAL, OpaqueVal); + if ( ! SERIALIZE(type_) ) + return false; return SERIALIZE(bloom_filter_); } bool BloomFilterVal::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(OpaqueVal); + type_ = BroType::Unserialize(info); + if ( ! type_ ) + return false; + TypeList* tl = new TypeList(type_); + tl->Append(type_); + hash_ = new CompositeHash(tl); + Unref(tl); bloom_filter_ = BloomFilter::Unserialize(info); return bloom_filter_ == NULL; } diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index 68b42a8a49..e97a530f3a 100644 
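Review bot: `BloomFilterVal::Add` and `Count` each take the `HashKey*` returned by `hash_->ComputeHash(val, 1)` and never release it, so every bloomfilter_add/bloomfilter_lookup call from script land leaks a heap object; if ComputeHash() hands back a freshly allocated key, as it appears to, add `delete key;` after `bloom_filter_->Add(key->Hash());` and after the read in Count (or hold it in a std::auto_ptr, this being C++03 code). Neither method checks that `hash_` is set, so calling them on a filter that has not been typified dereferences NULL; the BiFs currently have to get the ordering right, but a `if ( ! hash_ ) return 0;` style guard would make the class safe on its own. In `DoUnserialize` the final `return bloom_filter_ == NULL;` (pre-existing context) reports success exactly when unserialization failed and should be `return bloom_filter_ != NULL;`. `Merge` is `assert(! "not yet implemented")` followed by `return NULL`; with NDEBUG the assert vanishes and callers receive a NULL Val, so until it is implemented a `reporter->Error(...)` before the NULL return, or `reporter->InternalError(...)`, is the safer stub.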
--- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h @@ -110,18 +110,32 @@ private: }; class BloomFilterVal : public OpaqueVal { + BloomFilterVal(const BloomFilterVal&); + BloomFilterVal& operator=(const BloomFilterVal&); public: - BloomFilterVal(); + static BloomFilterVal* Merge(const BloomFilterVal* first, + const BloomFilterVal* second); + + BloomFilterVal(BloomFilter* bf); ~BloomFilterVal(); + bool Typify(BroType* type); + BroType* Type() const; + + void Add(const Val* val); + size_t Count(const Val* val) const; + protected: friend class Val; + BloomFilterVal(); BloomFilterVal(OpaqueType* t); DECLARE_SERIAL(BloomFilterVal); private: - BloomFilter* bloom_filter_; + BroType* type_; + CompositeHash* hash_; + BloomFilter* bloom_filter_; }; #endif From 3d9764213191070a6b68375c0d0ae8c3193528e3 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Wed, 5 Jun 2013 16:26:16 -0700 Subject: [PATCH 113/200] Add Bloom filter BiFs. --- src/bro.bif | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) diff --git a/src/bro.bif b/src/bro.bif index d9558106a7..60fb985dda 100644 --- a/src/bro.bif +++ b/src/bro.bif 
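Review bot: `BloomFilterVal(BloomFilter* bf)` takes ownership of `bf` (the destructor in OpaqueVal.cc deletes it) but is a non-explicit single-argument constructor with no comment saying so; declare it `explicit BloomFilterVal(BloomFilter* bf);` and document it with `/** Takes ownership of bf. */`, matching the `Takes ownership.` wording already used further down in this header. The declared-but-undefined private copy constructor and assignment operator are the right choice for a class holding three raw owning pointers; a one-line `// Not copyable: owns type_, hash_ and bloom_filter_.` next to them makes the intent explicit.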
@@ -5730,3 +5730,92 @@ function anonymize_addr%(a: addr, cl: IPAddrAnonymizationClass%): addr } %} +# =========================================================================== +# +# Bloom Filter Functions +# +# =========================================================================== + +%%{ +#include "BloomFilter.h" +%%} + +## Initializes a Bloom filter data structure. +## +## fp: The desired false-positive rate. +## +## capacity: the maximum number of elements that guarantees a false-positive +## rate of *fp*. +## +## Returns: A Bloom filter handle. +function bloomfilter_init%(fp: double, capacity: count, + max: count &default=1%): opaque of bloomfilter + %{ + BloomFilter* bf; + if ( max == 1 ) + { + bf = new BasicBloomFilter(fp, capacity); + } + else + { + uint16 width = 0; + while ( max >>= 1 ) + ++width; + bf = new CountingBloomFilter(fp, capacity, width); + } + return new BloomFilterVal(bf); + %} + +## Adds an element to a Bloom filter. +## +## bf: The Bloom filter handle. +## +## x: The element to add. +function bloomfilter_add%(bf: opaque of bloomfilter, x: any%): any + %{ + BloomFilterVal* bfv = static_cast(bf); + if ( ! bfv->Type() || ! bfv->Typify(x->Type()) ) + reporter->Error("failed to set Bloom filter type"); + else if ( bfv->Type() != x->Type() ) + reporter->Error("incompatible Bloom filter types"); + bfv->Add(x); + return 0; + %} + +## Retrieves the counter for a given element in a Bloom filter. +## +## bf: The Bloom filter handle. +## +## x: The element to count. +## +## Returns: the counter associated with *x* in *bf*. +function bloomfilter_lookup%(bf: opaque of bloomfilter, x: any%): count + %{ + BloomFilterVal* bfv = static_cast(bf); + if ( ! bfv->Type() ) + reporter->Error("cannot perform lookup on untyped Bloom filter"); + else if ( bfv->Type() != x->Type() ) + reporter->Error("incompatible Bloom filter types"); + return new Val(static_cast(bfv->Count(x)), TYPE_COUNT); + %} + +## Merges two Bloom filters. 
+## +## bf1: The first Bloom filter handle. +## +## bf2: The second Bloom filter handle. +## +## Returns: The union of *bf1* and *bf2*. +function bloomfilter_merge%(bf1: opaque of bloomfilter, + bf2: opaque of bloomfilter%): opaque of bloomfilter + %{ + const BloomFilterVal* bfv1 = static_cast(bf1); + const BloomFilterVal* bfv2 = static_cast(bf2); + if ( ! bfv1->Type() ) + reporter->Error("The first Bloom filter has not yet been typed"); + if ( ! bfv2->Type() ) + reporter->Error("The second Bloom filter has not yet been typed"); + else if ( bfv1->Type() != bfv2->Type() ) + reporter->Error("incompatible Bloom filter types"); + return BloomFilterVal::Merge(bfv1, bfv2); + %} From d5126a13395f899fab12f081248336e687222ed9 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Wed, 5 Jun 2013 17:45:10 -0700 Subject: [PATCH 114/200] Fix some BiF issues. --- src/bro.bif | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/bro.bif b/src/bro.bif index 60fb985dda..08b532eaea 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -5774,12 +5774,18 @@ function bloomfilter_init%(fp: double, capacity: count, function bloomfilter_add%(bf: opaque of bloomfilter, x: any%): any %{ BloomFilterVal* bfv = static_cast(bf); - if ( ! bfv->Type() || ! bfv->Typify(x->Type()) ) + if ( ! bfv->Type() && ! bfv->Typify(x->Type()) ) + { reporter->Error("failed to set Bloom filter type"); + return NULL; + } else if ( bfv->Type() != x->Type() ) + { reporter->Error("incompatible Bloom filter types"); + return NULL; + } bfv->Add(x); - return 0; + return NULL; %} ## Retrieves the counter for a given element in a Bloom filter. 
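Review bot: In bloomfilter_init the counter width for `max > 1` is computed with `while ( max >>= 1 ) ++width;`, which yields floor(log2(max)) rather than the number of bits needed to hold max: max = 2 or 3 gives width 1, so the counting filter saturates at 1. Use `while ( max ) { max >>= 1; ++width; }` (the bit width of max) and reject `max == 0`, which currently produces a zero-width CounterVector. `capacity` is not validated either: with `capacity == 0`, BasicBloomFilter::K (visible in a later hunk on this page) divides by zero in double and converts the resulting inf or NaN to size_t, which is undefined behaviour, so the BiF should report an error for that case before constructing anything. The compatibility checks compare `BroType*` pointers (`bfv->Type() != x->Type()`); if distinct BroType instances can describe the same type, as for record or other compound types, `same_type()` is the comparison used elsewhere in Bro — please confirm which is intended.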
@@ -5812,9 +5818,9 @@ function bloomfilter_merge%(bf1: opaque of bloomfilter, const BloomFilterVal* bfv1 = static_cast(bf1); const BloomFilterVal* bfv2 = static_cast(bf2); if ( ! bfv1->Type() ) - reporter->Error("The first Bloom filter has not yet been typed"); + reporter->Error("first Bloom filter has not yet been typed"); if ( ! bfv2->Type() ) - reporter->Error("The second Bloom filter has not yet been typed"); + reporter->Error("second Bloom filter has not yet been typed"); else if ( bfv1->Type() != bfv2->Type() ) reporter->Error("incompatible Bloom filter types"); return BloomFilterVal::Merge(bfv1, bfv2); From 012e09c5c40bdf0acd29a34bf2271417ed36d770 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 6 Jun 2013 12:56:46 -0700 Subject: [PATCH 115/200] Small fixes and simplifications. --- src/BloomFilter.cc | 2 +- src/BloomFilter.h | 17 +++++++---------- src/OpaqueVal.cc | 1 + 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 74fa6fb255..e549553bf4 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -140,7 +140,7 @@ bool BloomFilter::DoUnserialize(UnserialInfo* info) return false; hash_ = new hash_policy(static_cast(k)); uint64 elements; - if ( UNSERIALIZE(&elements) ) + if ( ! UNSERIALIZE(&elements) ) return false; elements_ = static_cast(elements); return true; diff --git a/src/BloomFilter.h b/src/BloomFilter.h index 14b0ac3281..3e2bd5de90 100644 --- a/src/BloomFilter.h +++ b/src/BloomFilter.h @@ -94,15 +94,14 @@ protected: * A functor that computes a universal hash function. * @tparam Codomain An integral type. */ - template class Hasher { public: - template - Codomain operator()(const Domain& x) const + template + HashType operator()(const T& x) const { return h3_(&x, sizeof(x)); } - Codomain operator()(const void* x, size_t n) const + HashType operator()(const void* x, size_t n) const { return h3_(x, n); } 
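Review bot: The `! UNSERIALIZE(&elements)` fix in BloomFilter::DoUnserialize is correct, but the surrounding deserialization still trusts its input: `k` (read above this hunk) goes straight into `new hash_policy(...)` via a static_cast, and `elements` is narrowed from uint64 to size_t with no range check. A serialized filter arriving from a remote Bro can therefore request an arbitrary number of hashers; bounding `k` before the allocation (rejecting 0 and anything above a small constant) and rejecting `elements` values that do not fit size_t keeps a malformed or hostile state transfer from becoming an allocation failure. If the enclosing function already validates k above the hunk, a short comment at the `new` saying so would be enough.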
@@ -110,7 +109,7 @@ protected: // FIXME: The hardcoded value of 36 comes from UHASH_KEY_SIZE defined in // Hash.h. I do not know how this value impacts the hash function behavior // so I'll just copy it verbatim. (Matthias) - H3 h3_; + H3 h3_; }; HashPolicy(size_t k) : k_(k) { } @@ -125,12 +124,11 @@ private: class DefaultHashing : public HashPolicy { public: DefaultHashing(size_t k) : HashPolicy(k), hashers_(k) { } - virtual ~DefaultHashing() { } virtual HashVector Hash(const void* x, size_t n) const; private: - std::vector< Hasher > hashers_; + std::vector hashers_; }; /** @@ -139,13 +137,12 @@ private: class DoubleHashing : public HashPolicy { public: DoubleHashing(size_t k) : HashPolicy(k) { } - virtual ~DoubleHashing() { } virtual HashVector Hash(const void* x, size_t n) const; private: - Hasher hasher1_; - Hasher hasher2_; + Hasher hasher1_; + Hasher hasher2_; }; /** diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index abfd8f320f..03a6e51ce8 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -533,6 +533,7 @@ bool BloomFilterVal::Typify(BroType* type) if ( type_ ) return false; type_ = type; + type_->Ref(); TypeList* tl = new TypeList(type_); tl->Append(type_); hash_ = new CompositeHash(tl); From f211b856c9ae35e68ea4af194e08157fdefef7e6 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 6 Jun 2013 13:13:36 -0700 Subject: [PATCH 116/200] Catch invalid values of the false-positive rate. --- src/bro.bif | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/bro.bif b/src/bro.bif index 08b532eaea..74219dd2b7 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -5751,6 +5751,11 @@ function anonymize_addr%(a: addr, cl: IPAddrAnonymizationClass%): addr function bloomfilter_init%(fp: double, capacity: count, max: count &default=1%): opaque of bloomfilter %{ + if ( fp < 0.0 || fp > 1.0 ) + { + reporter->Error("false-positive rate must take value between 0 and 1"); + return NULL; + } BloomFilter* bf; if ( max == 1 ) { 
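Review bot: The new range check `if ( fp < 0.0 || fp > 1.0 )` in bloomfilter_init still admits the endpoints and NaN: if M() follows the usual -n·ln(p)/(ln 2)² sizing (its body is not on this page), fp == 1.0 yields zero cells, after which `h[i] % bits_->Size()` in BasicBloomFilter::AddImpl (PATCH 117 further down) is an integer modulo by zero, fp == 0.0 feeds ln(0) = -inf into the size, and a NaN fp makes both comparisons false and passes. Writing the test in negated form, `if ( ! (fp > 0.0 && fp < 1.0) )`, rejects all three, and the message could say `false-positive rate must be strictly between 0 and 1`. Since other parameter combinations may also produce an empty bit vector, a guard against a zero cell count in the BloomFilter constructors themselves would be the more robust place for the check.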
From 7ce986e31f59b1f1000ec335a4efc1f0f5e0c011 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 6 Jun 2013 13:21:27 -0700 Subject: [PATCH 117/200] Fix modding. --- src/BloomFilter.cc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index e549553bf4..7c347927c3 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -188,13 +188,13 @@ bool BasicBloomFilter::DoUnserialize(UnserialInfo* info) void BasicBloomFilter::AddImpl(const HashPolicy::HashVector& h) { for ( size_t i = 0; i < h.size(); ++i ) - bits_->Set(h[i] % h.size()); + bits_->Set(h[i] % bits_->Size()); } size_t BasicBloomFilter::CountImpl(const HashPolicy::HashVector& h) const { for ( size_t i = 0; i < h.size(); ++i ) - if ( ! (*bits_)[h[i] % h.size()] ) + if ( ! (*bits_)[h[i] % bits_->Size()] ) return 0; return 1; } @@ -233,7 +233,7 @@ bool CountingBloomFilter::DoUnserialize(UnserialInfo* info) void CountingBloomFilter::AddImpl(const HashPolicy::HashVector& h) { for ( size_t i = 0; i < h.size(); ++i ) - cells_->Increment(h[i] % h.size(), 1); + cells_->Increment(h[i] % cells_->Size(), 1); } size_t CountingBloomFilter::CountImpl(const HashPolicy::HashVector& h) const @@ -242,7 +242,7 @@ size_t CountingBloomFilter::CountImpl(const HashPolicy::HashVector& h) const std::numeric_limits::max(); for ( size_t i = 0; i < h.size(); ++i ) { - CounterVector::size_type cnt = cells_->Count(h[i] % h.size()); + CounterVector::size_type cnt = cells_->Count(h[i] % cells_->Size()); if ( cnt < min ) min = cnt; } From fcf1807fc8ac320a6c787360e8b78509b58b0a5a Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 6 Jun 2013 13:39:00 -0700 Subject: [PATCH 118/200] Fix hasher usage and narrow interface. --- src/BloomFilter.cc | 4 ++-- src/BloomFilter.h | 10 +--------- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 7c347927c3..c684c82c0e 100644 --- a/src/BloomFilter.cc 
+++ b/src/BloomFilter.cc @@ -93,8 +93,8 @@ HashPolicy::HashVector DefaultHashing::Hash(const void* x, size_t n) const HashPolicy::HashVector DoubleHashing::Hash(const void* x, size_t n) const { - HashType h1 = hasher1_(x); - HashType h2 = hasher2_(x); + HashType h1 = hasher1_(x, n); + HashType h2 = hasher2_(x, n); HashVector h(K(), 0); for ( size_t i = 0; i < h.size(); ++i ) h[i] = h1 + i * h2; diff --git a/src/BloomFilter.h b/src/BloomFilter.h index 3e2bd5de90..fd1cb31d61 100644 --- a/src/BloomFilter.h +++ b/src/BloomFilter.h @@ -96,15 +96,7 @@ protected: */ class Hasher { public: - template - HashType operator()(const T& x) const - { - return h3_(&x, sizeof(x)); - } - HashType operator()(const void* x, size_t n) const - { - return h3_(x, n); - } + HashType operator()(const void* x, size_t n) const { return h3_(x, n); } private: // FIXME: The hardcoded value of 36 comes from UHASH_KEY_SIZE defined in // Hash.h. I do not know how this value impacts the hash function behavior From fde081c30f6b1a5c13b2cd5a53872f9b2241bffb Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 6 Jun 2013 13:04:47 -0700 Subject: [PATCH 119/200] Remove invalid free on non-allocated pointer. The byte_lookup member is a fixed-size 2D array and should not be freed in the destructor. Fixes #1018. --- src/H3.h | 1 - 1 file changed, 1 deletion(-) diff --git a/src/H3.h b/src/H3.h index 9e6f1c5c35..72d81d519f 100644 --- a/src/H3.h +++ b/src/H3.h @@ -66,7 +66,6 @@ template class H3 { T byte_lookup[N][H3_BYTE_RANGE]; public: H3(); - ~H3() { free(byte_lookup); } T operator()(const void* data, size_t size, size_t offset = 0) const { const unsigned char *p = static_cast(data); From 0d299eca57ddab9dfb17c1f6c99139c481dccb49 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 6 Jun 2013 14:54:25 -0700 Subject: [PATCH 120/200] Correct computation of k hash functions. --- src/BloomFilter.cc | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) 
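Review bot: `h[i] = h1 + i * h2` in DoubleHashing::Hash degenerates when `h2 == 0`: all k positions collapse onto h1, so a single hash collision becomes a full false positive and the configured fp bound no longer holds for that element. The usual remedy is to force the step non-zero (or odd) before the loop, e.g. `if ( h2 == 0 ) h2 = 1;`; the enhanced double-hashing variant additionally adds `i * i`. This weakens rather than breaks the filter, but a one-line fix and a comment naming the scheme are worth it given that callers size the filter from fp.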
diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index c684c82c0e..f1db71ae1d 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -3,13 +3,6 @@ #include #include "Serializer.h" -// Backport C++11's std::round(). -namespace { -template -T round(double x) { return (x > 0.0) ? (x + 0.5) : (x - 0.5); } -} // namespace - - CounterVector::CounterVector(size_t width, size_t cells) : bits_(new BitVector(width * cells)), width_(width) { @@ -155,7 +148,7 @@ size_t BasicBloomFilter::M(double fp, size_t capacity) size_t BasicBloomFilter::K(size_t cells, size_t capacity) { double frac = static_cast(cells) / static_cast(capacity); - return round(frac * std::log(2)); + return std::ceil(frac * std::log(2)); } BasicBloomFilter::BasicBloomFilter(double fp, size_t capacity) From e15f03d980e8bb63d00969268056b2e9592b2f85 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 6 Jun 2013 15:02:11 -0700 Subject: [PATCH 121/200] Cleanup BiFs. --- src/bro.bif | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/src/bro.bif b/src/bro.bif index 5c1280645e..8bd9575498 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -5026,16 +5026,11 @@ function bloomfilter_add%(bf: opaque of bloomfilter, x: any%): any %{ BloomFilterVal* bfv = static_cast(bf); if ( ! bfv->Type() && ! bfv->Typify(x->Type()) ) - { reporter->Error("failed to set Bloom filter type"); - return NULL; - } else if ( bfv->Type() != x->Type() ) - { reporter->Error("incompatible Bloom filter types"); - return NULL; - } - bfv->Add(x); + else + bfv->Add(x); return NULL; %} 
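Review bot: `BasicBloomFilter::K` now returns `std::ceil(frac * std::log(2))`, which returns 0 when `cells == 0` (the hash vector is then empty and CountImpl reports every element as present) and, for `capacity == 0`, divides by zero in double and converts inf or NaN to size_t, which is undefined behaviour; K should clamp to at least one hash function and its callers should reject a zero capacity. The optimal k is (m/n)·ln 2 rounded to the nearest integer, so replacing the removed round() with ceil also biases k upward by up to one; `std::floor(frac * std::log(2) + 0.5)` preserves the earlier behaviour without the local round() template. A short comment above the return stating the formula and the clamp would help the next reader.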
@@ -5048,12 +5043,14 @@ function bloomfilter_add%(bf: opaque of bloomfilter, x: any%): any ## Returns: the counter associated with *x* in *bf*. function bloomfilter_lookup%(bf: opaque of bloomfilter, x: any%): count %{ - BloomFilterVal* bfv = static_cast(bf); + const BloomFilterVal* bfv = static_cast(bf); if ( ! bfv->Type() ) reporter->Error("cannot perform lookup on untyped Bloom filter"); else if ( bfv->Type() != x->Type() ) reporter->Error("incompatible Bloom filter types"); - return new Val(static_cast(bfv->Count(x)), TYPE_COUNT); + else + return new Val(static_cast(bfv->Count(x)), TYPE_COUNT); + return new Val(0, TYPE_COUNT); %} ## Merges two Bloom filters. @@ -5068,11 +5065,9 @@ function bloomfilter_merge%(bf1: opaque of bloomfilter, %{ const BloomFilterVal* bfv1 = static_cast(bf1); const BloomFilterVal* bfv2 = static_cast(bf2); - if ( ! bfv1->Type() ) - reporter->Error("first Bloom filter has not yet been typed"); - if ( ! bfv2->Type() ) - reporter->Error("second Bloom filter has not yet been typed"); - else if ( bfv1->Type() != bfv2->Type() ) + if ( bfv1->Type() != bfv2->Type() ) reporter->Error("incompatible Bloom filter types"); - return BloomFilterVal::Merge(bfv1, bfv2); + else + return BloomFilterVal::Merge(bfv1, bfv2); + return NULL; %} From 86becdd6e467fabc475eb81baea6d3586b2d74e7 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 6 Jun 2013 15:08:24 -0700 Subject: [PATCH 122/200] Add tests. --- testing/btest/bifs/bloomfilter.bro | 38 ++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 testing/btest/bifs/bloomfilter.bro diff --git a/testing/btest/bifs/bloomfilter.bro b/testing/btest/bifs/bloomfilter.bro new file mode 100644 index 0000000000..6abbdd69f7 --- /dev/null +++ b/testing/btest/bifs/bloomfilter.bro 
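Review bot: In bloomfilter_merge the new `if ( bfv1->Type() != bfv2->Type() )` replaces both untyped-filter checks, but two filters that were never typified both return NULL from Type(), compare equal, and fall through to BloomFilterVal::Merge, which is still a stub returning NULL (OpaqueVal.cc, earlier on this page); the script then receives a NULL value. Keep a guard such as `if ( ! bfv1->Type() || ! bfv2->Type() ) reporter->Error("cannot merge untyped Bloom filters");` ahead of the comparison, and until Merge is implemented have the BiF report that explicitly rather than rely on the stub. bloomfilter_lookup's error path now returns `new Val(0, TYPE_COUNT)`, which is the right shape; whether returning NULL from a BiF declared `opaque of bloomfilter` is accepted by the interpreter is worth confirming, since bloomfilter_add and bloomfilter_merge both do it.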
@@ -0,0 +1,38 @@ +# @TEST-EXEC: bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +event bro_init() + { + # Basic usage with counts. + local bf_cnt = bloomfilter_init(0.1, 1000); + bloomfilter_add(bf_cnt, 42); + bloomfilter_add(bf_cnt, 84); + bloomfilter_add(bf_cnt, 168); + print bloomfilter_lookup(bf_cnt, 0); + print bloomfilter_lookup(bf_cnt, 42); + print bloomfilter_lookup(bf_cnt, 168); + print bloomfilter_lookup(bf_cnt, 336); + bloomfilter_add(bf_cnt, 0.5); # Type mismatch + bloomfilter_add(bf_cnt, "foo"); # Type mismatch + + # Basic usage with strings. + local bf_str = bloomfilter_init(0.9, 10); + bloomfilter_add(bf_str, "foo"); + bloomfilter_add(bf_str, "bar"); + print bloomfilter_lookup(bf_str, "foo"); + print bloomfilter_lookup(bf_str, "bar"); + print bloomfilter_lookup(bf_str, "baz"); + print bloomfilter_lookup(bf_str, "qux"); + bloomfilter_add(bf_str, 0.5); # Type mismatch + bloomfilter_add(bf_str, 100); # Type mismatch + + # Edge cases. + local bf_edge0 = bloomfilter_init(0.000000000001, 1); + local bf_edge1 = bloomfilter_init(0.00000001, 100000000); + local bf_edge2 = bloomfilter_init(0.9999999, 1); + local bf_edge3 = bloomfilter_init(0.9999999, 100000000000); + + # Invalid parameters. + local bf_bug0 = bloomfilter_init(-0.5, 42); + local bf_bug1 = bloomfilter_init(1.1, 42); + } From f2d536d2da1118b1d5feb143f751d47dc344232b Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 6 Jun 2013 15:22:04 -0700 Subject: [PATCH 123/200] Add missing initializations. --- src/BloomFilter.cc | 15 +++++++++++++++ src/BloomFilter.h | 6 +++--- src/OpaqueVal.cc | 25 +++++++++++++++++-------- 3 files changed, 35 insertions(+), 11 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index f1db71ae1d..40772fecb6 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc 
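Review bot: The edge-case block sizes filters purely from fp/capacity with no upper bound: `bloomfilter_init(0.00000001, 100000000)` needs roughly 38 bits per element under the standard sizing, i.e. on the order of 480 MB of bit vector, which is heavy for a btest and will fail on memory-constrained CI hosts (assuming M() follows the usual formula; its body is not on this page). Consider scaling that case down and adding the inputs the BiFs must reject or handle: capacity 0, fp of exactly 0.0 and 1.0, a `max` above 1 to exercise the counting path, and a `bloomfilter_merge` call, none of which appear here. Pairing each `print bloomfilter_lookup(...)` with a comment giving the expected value (1 for inserted elements, 0 for absent ones barring a false positive) would make baseline drift recognisable when it happens.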
@@ -95,6 +95,11 @@ HashPolicy::HashVector DoubleHashing::Hash(const void* x, size_t n) const } +BloomFilter::BloomFilter() + : hash_(NULL) + { + } + BloomFilter::BloomFilter(size_t k) : hash_(new hash_policy(k)) { @@ -151,6 +156,11 @@ size_t BasicBloomFilter::K(size_t cells, size_t capacity) return std::ceil(frac * std::log(2)); } +BasicBloomFilter::BasicBloomFilter() + : bits_(NULL) + { + } + BasicBloomFilter::BasicBloomFilter(double fp, size_t capacity) : BloomFilter(K(M(fp, capacity), capacity)) { @@ -192,6 +202,11 @@ size_t BasicBloomFilter::CountImpl(const HashPolicy::HashVector& h) const return 1; } +CountingBloomFilter::CountingBloomFilter() + : cells_(NULL) + { + } + CountingBloomFilter::CountingBloomFilter(double fp, size_t capacity, size_t width) : BloomFilter(BasicBloomFilter::K(BasicBloomFilter::M(fp, capacity), diff --git a/src/BloomFilter.h b/src/BloomFilter.h index fd1cb31d61..c0101cadf8 100644 --- a/src/BloomFilter.h +++ b/src/BloomFilter.h @@ -188,7 +188,7 @@ public: protected: DECLARE_ABSTRACT_SERIAL(BloomFilter); - BloomFilter() { }; + BloomFilter(); BloomFilter(size_t k); virtual void AddImpl(const HashPolicy::HashVector& hashes) = 0; @@ -244,7 +244,7 @@ public: protected: DECLARE_SERIAL(BasicBloomFilter); - BasicBloomFilter() { } + BasicBloomFilter(); virtual void AddImpl(const HashPolicy::HashVector& h); virtual size_t CountImpl(const HashPolicy::HashVector& h) const; @@ -264,7 +264,7 @@ public: protected: DECLARE_SERIAL(CountingBloomFilter); - CountingBloomFilter() { } + CountingBloomFilter(); virtual void AddImpl(const HashPolicy::HashVector& h); virtual size_t CountImpl(const HashPolicy::HashVector& h) const; diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index 03a6e51ce8..38ea93d000 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc 
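Review bot: The three new default constructors initialise `hash_`, `bits_` and `cells_` to NULL for the unserialization path, which is the right fix, but these raw owning pointers make the BloomFilter hierarchy unsafe to copy: an implicit copy constructor would share the pointer and the destructor would free it twice. BloomFilterVal already declares a private copy constructor and assignment operator (OpaqueVal.h, earlier on this page); the equivalent `BloomFilter(const BloomFilter&); BloomFilter& operator=(const BloomFilter&);` private declarations belong in the base class here, unless they exist outside these hunks. Please also confirm that the destructors tolerate the NULL state a failed unserialization leaves behind (`delete` on NULL is fine, any `->` on these members is not).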
@@ -518,13 +518,27 @@ bool EntropyVal::DoUnserialize(UnserialInfo* info) return true; } -BloomFilterVal::BloomFilterVal(BloomFilter* bf) - : OpaqueVal(bloomfilter_type), bloom_filter_(bf) +BloomFilterVal::BloomFilterVal() + : OpaqueVal(bloomfilter_type), + type_(NULL), + hash_(NULL), + bloom_filter_(NULL) { } BloomFilterVal::BloomFilterVal(OpaqueType* t) - : OpaqueVal(t) + : OpaqueVal(t), + type_(NULL), + hash_(NULL), + bloom_filter_(NULL) + { + } + +BloomFilterVal::BloomFilterVal(BloomFilter* bf) + : OpaqueVal(bloomfilter_type), + type_(NULL), + hash_(NULL), + bloom_filter_(bf) { } @@ -575,11 +589,6 @@ BloomFilterVal::~BloomFilterVal() delete bloom_filter_; } -BloomFilterVal::BloomFilterVal() - : OpaqueVal(bloomfilter_type) - { - } - IMPLEMENT_SERIAL(BloomFilterVal, SER_BLOOMFILTER_VAL); bool BloomFilterVal::DoSerialize(SerialInfo* info) const From eee16e1177310154ae049626f9a92a99e8f7a753 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 7 Jun 2013 13:19:36 -0500 Subject: [PATCH 124/200] const adjustments --- src/analyzer/Component.cc | 2 +- src/analyzer/Component.h | 2 +- src/plugin/Component.cc | 2 +- src/plugin/Component.h | 2 +- src/plugin/Plugin.cc | 18 +++++++++--------- src/plugin/Plugin.h | 18 +++++++++--------- 6 files changed, 22 insertions(+), 22 deletions(-) diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc index 5844da848f..f7da1d530c 100644 --- a/src/analyzer/Component.cc +++ b/src/analyzer/Component.cc @@ -58,7 +58,7 @@ analyzer::Tag Component::Tag() const return tag; } -void Component::Describe(ODesc* d) +void Component::Describe(ODesc* d) const { plugin::Component::Describe(d); d->Add(name); diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h index b766c2fe82..0bc081c3e1 100644 --- a/src/analyzer/Component.h +++ b/src/analyzer/Component.h 
@@ -120,7 +120,7 @@ public: * Generates a human-readable description of the component's main * parameters. This goes into the output of \c "bro -NN". */ - virtual void Describe(ODesc* d); + virtual void Describe(ODesc* d) const; Component& operator=(const Component& other); diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc index 7d2e69eb86..c6f0e02174 100644 --- a/src/plugin/Component.cc +++ b/src/plugin/Component.cc @@ -21,7 +21,7 @@ component::Type Component::Type() const return type; } -void Component::Describe(ODesc* d) +void Component::Describe(ODesc* d) const { d->Add(" "); d->Add("["); diff --git a/src/plugin/Component.h b/src/plugin/Component.h index fbeb70ebed..dadf054a3c 100644 --- a/src/plugin/Component.h +++ b/src/plugin/Component.h @@ -57,7 +57,7 @@ public: * * @param d The description object to use. */ - virtual void Describe(ODesc* d); + virtual void Describe(ODesc* d) const; private: component::Type type; diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 352aff6aed..084c49f51e 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -59,7 +59,7 @@ Plugin::~Plugin() delete [] description; } -const char* Plugin::Name() +const char* Plugin::Name() const { return name; } @@ -69,7 +69,7 @@ void Plugin::SetName(const char* arg_name) name = copy_string(arg_name); } -const char* Plugin::Description() +const char* Plugin::Description() const { return description; } @@ -79,7 +79,7 @@ void Plugin::SetDescription(const char* arg_description) description = copy_string(arg_description); } -int Plugin::Version() +int Plugin::Version() const { return dynamic ? version : 0; } @@ -89,12 +89,12 @@ void Plugin::SetVersion(int arg_version) version = arg_version; } -int Plugin::APIVersion() +int Plugin::APIVersion() const { return api_version; } -bool Plugin::DynamicPlugin() +bool Plugin::DynamicPlugin() const { return dynamic; } 
@@ -127,7 +127,7 @@ void Plugin::InitPostScript() } } -Plugin::bif_item_list Plugin::BifItems() +Plugin::bif_item_list Plugin::BifItems() const { bif_item_list l1 = bif_items; bif_item_list l2 = CustomBifItems(); @@ -138,7 +138,7 @@ Plugin::bif_item_list Plugin::BifItems() return l1; } -Plugin::bif_item_list Plugin::CustomBifItems() +Plugin::bif_item_list Plugin::CustomBifItems() const { return bif_item_list(); } @@ -151,7 +151,7 @@ void Plugin::Done() components.clear(); } -Plugin::component_list Plugin::Components() +Plugin::component_list Plugin::Components() const { return components; } @@ -166,7 +166,7 @@ void Plugin::AddBifInitFunction(bif_init_func c) bif_inits.push_back(c); } -void Plugin::Describe(ODesc* d) +void Plugin::Describe(ODesc* d) const { d->Add("Plugin: "); d->Add(name); diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 6c6d89a4d1..4abd260550 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -102,24 +102,24 @@ public: /** * Returns the name of the plugin. */ - const char* Name(); + const char* Name() const; /** * Returns a short textual description of the plugin, if provided. */ - const char* Description(); + const char* Description() const; /** * Returns the version of the plugin. Version are only meaningful for * dynamically compiled plugins; for statically compiled ones, this * will always return 0. */ - int Version(); + int Version() const; /** * Returns true if this is a dynamically linked in plugin. */ - bool DynamicPlugin(); + bool DynamicPlugin() const; /** * Returns the internal API version that this plugin relies on. Only 
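Review bot: `Plugin::Components() const` still returns `component_list` by value, so every call copies the whole std::list; now that the accessor is const it could return `const component_list&` (with the declaration in the Plugin.h -128 hunk changed to match). `BifItems()` genuinely builds a fresh list from `bif_items` and `CustomBifItems()`, so returning by value is right there; only `Components()` has an avoidable copy. The cost shows up later in this series, where BroDoc.cc calls `Components()` twice per plugin (IsAnalyzerPlugin and WritePluginComponents).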
@@ -128,18 +128,18 @@ public: * dynamically loaded plugins may cause a mismatch if they were * compiled for a different Bro version. */ - int APIVersion(); + int APIVersion() const; /** * Returns a list of all components the plugin provides. */ - component_list Components(); + component_list Components() const; /** * Returns a list of all BiF items that the plugin provides. This * must be called only after InitBif() has been executed. */ - bif_item_list BifItems(); + bif_item_list BifItems() const; /** * First-stage initialization of the plugin called early during Bro's @@ -171,7 +171,7 @@ public: * is disabled, the rendering will include a list of all components * and BiF items. */ - void Describe(ODesc* d); + void Describe(ODesc* d) const; protected: typedef std::list > bif_init_func_result; @@ -225,7 +225,7 @@ protected: * for informational purpuses only and will show up in the result of * BifItems() as well as in the Describe() output. */ - virtual bif_item_list CustomBifItems() ; + virtual bif_item_list CustomBifItems() const; /** * Internal function adding an entry point for registering From e56a17102ef8288b32095a1dfa5ef72437160975 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 7 Jun 2013 13:21:18 -0500 Subject: [PATCH 125/200] Teach broxygen to generate protocol analyzer plugin reference. --- doc/ext/bro.py | 9 +- doc/index.rst | 2 +- doc/scripts/CMakeLists.txt | 31 ++- doc/scripts/bifs.rst | 5 - scripts/base/frameworks/analyzer/main.bro | 4 +- src/BroDoc.cc | 310 ++++++++++++++++------ src/BroDoc.h | 230 ++++++++-------- src/BroDocObj.cc | 3 + src/BroDocObj.h | 6 + src/Type.cc | 10 + src/Type.h | 2 + src/main.cc | 2 + 12 files changed, 397 insertions(+), 217 deletions(-) delete mode 100644 doc/scripts/bifs.rst diff --git a/doc/ext/bro.py b/doc/ext/bro.py index 9bdd86bd9a..6ef11c37f6 100644 --- a/doc/ext/bro.py +++ b/doc/ext/bro.py 
@@ -82,7 +82,8 @@ class BroGeneric(ObjectDescription): objects = self.env.domaindata['bro']['objects'] key = (self.objtype, name) - if key in objects: + if ( key in objects and self.objtype != "id" and + self.objtype != "type" ): self.env.warn(self.env.docname, 'duplicate description of %s %s, ' % (self.objtype, name) + @@ -150,6 +151,12 @@ class BroEnum(BroGeneric): #self.indexnode['entries'].append(('single', indextext, # targetname, targetname)) m = sig.split() + + if len(m) < 2: + self.env.warn(self.env.docname, + "bro:enum directive missing argument(s)") + return + if m[1] == "Notice::Type": if 'notices' not in self.env.domaindata['bro']: self.env.domaindata['bro']['notices'] = [] diff --git a/doc/index.rst b/doc/index.rst index 29b29541b4..7704081cab 100644 --- a/doc/index.rst +++ b/doc/index.rst @@ -45,7 +45,7 @@ Script Reference scripts/packages scripts/index scripts/builtins - scripts/bifs + scripts/proto-analyzers Other Bro Components -------------------- diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt index 64c3de92eb..ddb09bb29c 100644 --- a/doc/scripts/CMakeLists.txt +++ b/doc/scripts/CMakeLists.txt @@ -15,11 +15,11 @@ endif () # # srcDir: the directory which contains broInput # broInput: the file name of a bro policy script, any path prefix of this -# argument will be used to derive what path under policy/ the generated +# argument will be used to derive what path under scripts/ the generated # documentation will be placed. # group: optional name of group that the script documentation will belong to. -# If this is not given, .bif files automatically get their own group or -# the group is automatically by any path portion of the broInput argument. +# If this is not given, the group is automatically set to any path portion +# of the broInput argument. # # In addition to adding the makefile target, several CMake variables are set: # 
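Review bot: The widened condition in BroGeneric silently accepts duplicate descriptions of every `id` and `type` object, and the hunk gives no reason why those two kinds are exempt; a comment such as `# ids and types may legitimately be described twice (script reference and analyzer reference)` would record the intent — presumably that is the case now that proto-analyzers.rst documents BiF items too, but confirm. Writing the test as `self.objtype not in ("id", "type")` also reads more directly than two `!=` clauses. The `len(m) < 2` guard in BroEnum is fine; note that it returns before the `Notice::Type` bookkeeping, so a malformed directive is dropped rather than half-registered.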
@@ -64,8 +64,6 @@ macro(REST_TARGET srcDir broInput) if (NOT "${ARGN}" STREQUAL "") set(group ${ARGN}) - elseif (${broInput} MATCHES "\\.bif\\.bro$") - set(group bifs) elseif (relDstDir) set(group ${relDstDir}/index) # add package index to master package list if not already in it @@ -126,6 +124,29 @@ endmacro(REST_TARGET) # Schedule Bro scripts for which to generate documentation. include(DocSourcesList.cmake) +# This reST target is independent of a particular Bro script... +add_custom_command(OUTPUT proto-analyzers.rst + # delete any leftover state from previous bro runs + COMMAND "${CMAKE_COMMAND}" + ARGS -E remove_directory .state + # generate the reST documentation using bro + COMMAND BROPATH=${BROPATH}:${srcDir} BROMAGIC=${CMAKE_SOURCE_DIR}/magic ${CMAKE_BINARY_DIR}/src/bro + ARGS -b -Z base/init-bare.bro || (rm -rf .state *.log *.rst && exit 1) + # move generated doc into a new directory tree that + # defines the final structure of documents + COMMAND "${CMAKE_COMMAND}" + ARGS -E make_directory ${dstDir} + COMMAND "${CMAKE_COMMAND}" + ARGS -E copy proto-analyzers.rst ${dstDir} + # clean up the build directory + COMMAND rm + ARGS -rf .state *.log *.rst + DEPENDS bro + WORKING_DIRECTORY ${CMAKE_BINARY_DIR} + COMMENT "[Bro] Generating reST docs for proto-analyzers.rst" +) +list(APPEND ALL_REST_OUTPUTS proto-analyzers.rst) + # create temporary list of all docs to include in the master policy/index file file(WRITE ${MASTER_POLICY_INDEX} "${MASTER_POLICY_INDEX_TEXT}") diff --git a/doc/scripts/bifs.rst b/doc/scripts/bifs.rst deleted file mode 100644 index eaae0e13b8..0000000000 --- a/doc/scripts/bifs.rst +++ /dev/null @@ -1,5 +0,0 @@ -.. This is a stub doc to which broxygen appends during the build process - -Built-In Functions (BIFs) -========================= - diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index e2dcf151c7..c7bfd1ce34 100644 --- a/scripts/base/frameworks/analyzer/main.bro 
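Review bot: The failure branch `|| (rm -rf .state *.log *.rst && exit 1)` and the cleanup step `rm -rf .state *.log *.rst` both run in `${CMAKE_BINARY_DIR}` itself, so any unrelated `*.rst` or `*.log` file at the top of the build tree is deleted along with the generated ones; the globs are not scoped to what this command produced. Running the bro invocation in a dedicated scratch subdirectory (created with `-E make_directory` and passed as `WORKING_DIRECTORY`), or removing `proto-analyzers.rst` by name, would keep the deletion bounded to this target's output. The `||` also assumes the command line is interpreted by a POSIX shell, which CMake only provides for some generators; if portability matters, wrap it explicitly.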
+++ b/scripts/base/frameworks/analyzer/main.bro
@@ -9,9 +9,7 @@
 ##! :bro:enum:`Analyzer::ANALYZER_HTTP`. These tags are defined internally by
 ##! the analyzers themselves, and documented in their analyzer-specific
 ##! description along with the events that they generate.
-##!
-##! .. todo: ``The ANALYZER_*`` are in fact not yet documented, we need to
-##! add that to Broxygen.
+
 module Analyzer;
 
 export {
diff --git a/src/BroDoc.cc b/src/BroDoc.cc
index 984bdc90a4..c04cd92eca 100644
--- a/src/BroDoc.cc
+++ b/src/BroDoc.cc
@@ -8,6 +8,9 @@
 #include "BroDoc.h"
 #include "BroDocObj.h"
 #include "util.h"
+#include "plugin/Manager.h"
+#include "analyzer/Manager.h"
+#include "analyzer/Component.h"
 
 BroDoc::BroDoc(const std::string& rel, const std::string& abs)
 {

@@ -164,84 +167,77 @@ void BroDoc::SetPacketFilter(const std::string& s) packet_filter.clear(); } -void BroDoc::AddPortAnalysis(const std::string& analyzer, - const std::string& ports) - { - std::string reST_string = analyzer + "::\n" + ports + "\n\n"; - port_analysis.push_back(reST_string); - } - void BroDoc::WriteDocFile() const { - WriteToDoc(".. Automatically generated. Do not edit.\n\n"); + WriteToDoc(reST_file, ".. Automatically generated. Do not edit.\n\n"); - WriteToDoc(":tocdepth: 3\n\n"); + WriteToDoc(reST_file, ":tocdepth: 3\n\n"); - WriteSectionHeading(doc_title.c_str(), '='); + WriteSectionHeading(reST_file, doc_title.c_str(), '='); - WriteStringList(".. bro:namespace:: %s\n", modules); + WriteStringList(reST_file, ".. bro:namespace:: %s\n", modules); - WriteToDoc("\n"); + WriteToDoc(reST_file, "\n"); - // WriteSectionHeading("Overview", '-'); - WriteStringList("%s\n", summary); + // WriteSectionHeading(reST_file, "Overview", '-'); + WriteStringList(reST_file, "%s\n", summary); - WriteToDoc("\n"); + WriteToDoc(reST_file, "\n"); if ( ! modules.empty() ) { - WriteToDoc(":Namespace%s: ", (modules.size() > 1 ? "s" : "")); - // WriteStringList(":bro:namespace:`%s`", modules); - WriteStringList("``%s``, ", "``%s``", modules); - WriteToDoc("\n"); + WriteToDoc(reST_file, ":Namespace%s: ", (modules.size() > 1 ? "s" : "")); + // WriteStringList(reST_file, ":bro:namespace:`%s`", modules); + WriteStringList(reST_file, "``%s``, ", "``%s``", modules); + WriteToDoc(reST_file, "\n"); } if ( ! 
imports.empty() ) { - WriteToDoc(":Imports: "); + WriteToDoc(reST_file, ":Imports: "); std::list::const_iterator it; for ( it = imports.begin(); it != imports.end(); ++it ) { if ( it != imports.begin() ) - WriteToDoc(", "); + WriteToDoc(reST_file, ", "); string pretty(*it); size_t pos = pretty.find("/index"); if ( pos != std::string::npos && pos + 6 == pretty.size() ) pretty = pretty.substr(0, pos); - WriteToDoc(":doc:`%s `", pretty.c_str(), it->c_str()); + WriteToDoc(reST_file, ":doc:`%s `", pretty.c_str(), it->c_str()); } - WriteToDoc("\n"); + WriteToDoc(reST_file, "\n"); } - WriteToDoc(":Source File: :download:`%s`\n", + WriteToDoc(reST_file, ":Source File: :download:`%s`\n", downloadable_filename.c_str()); - WriteToDoc("\n"); + WriteToDoc(reST_file, "\n"); WriteInterface("Summary", '~', '#', true, true); if ( ! notices.empty() ) - WriteBroDocObjList(notices, "Notices", '#'); + WriteBroDocObjList(reST_file, notices, "Notices", '#'); if ( port_analysis.size() || packet_filter.size() ) - WriteSectionHeading("Configuration Changes", '#'); + WriteSectionHeading(reST_file, "Configuration Changes", '#'); if ( ! port_analysis.empty() ) { - WriteSectionHeading("Port Analysis", '^'); - WriteToDoc("Loading this script makes the following changes to " + WriteSectionHeading(reST_file, "Port Analysis", '^'); + WriteToDoc(reST_file, "Loading this script makes the following changes to " ":bro:see:`dpd_config`.\n\n"); - WriteStringList("%s, ", "%s", port_analysis); + WriteStringList(reST_file, "%s, ", "%s", port_analysis); } if ( ! 
packet_filter.empty() ) { - WriteSectionHeading("Packet Filter", '^'); - WriteToDoc("Loading this script makes the following changes to " + WriteSectionHeading(reST_file, "Packet Filter", '^'); + WriteToDoc(reST_file, "Loading this script makes the following changes to " ":bro:see:`capture_filters`.\n\n"); - WriteToDoc("Filters added::\n\n"); - WriteToDoc("%s\n", packet_filter.c_str()); + WriteToDoc(reST_file, "Filters added::\n\n"); + WriteToDoc(reST_file, "%s\n", packet_filter.c_str()); } WriteInterface("Detailed Interface", '~', '#', true, false); 
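Review bot: WriteDocFile still emits the "Port Analysis" section whenever `port_analysis` is non-empty, but this same commit deletes `AddPortAnalysis()` (the BroDoc.h -81 hunk) and nothing in the visible parts of the diff appends to `port_analysis` any more, so the branch — and the member, still declared in the -255 hunk — looks dead unless some other path outside this diff fills it. Either drop the member together with the two checks (`if ( port_analysis.size() || packet_filter.size() )` and the `if ( ! port_analysis.empty() )` block), or leave a comment naming the remaining writer. The `size()`-versus-`empty()` mix on adjacent lines is also worth unifying while here.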
@@ -267,23 +263,23 @@ void BroDoc::WriteDocFile() const void BroDoc::WriteInterface(const char* heading, char underline, char sub, bool isPublic, bool isShort) const { - WriteSectionHeading(heading, underline); - WriteBroDocObjList(options, isPublic, "Options", sub, isShort); - WriteBroDocObjList(constants, isPublic, "Constants", sub, isShort); - WriteBroDocObjList(state_vars, isPublic, "State Variables", sub, isShort); - WriteBroDocObjList(types, isPublic, "Types", sub, isShort); - WriteBroDocObjList(events, isPublic, "Events", sub, isShort); - WriteBroDocObjList(hooks, isPublic, "Hooks", sub, isShort); - WriteBroDocObjList(functions, isPublic, "Functions", sub, isShort); - WriteBroDocObjList(redefs, isPublic, "Redefinitions", sub, isShort); + WriteSectionHeading(reST_file, heading, underline); + WriteBroDocObjList(reST_file, options, isPublic, "Options", sub, isShort); + WriteBroDocObjList(reST_file, constants, isPublic, "Constants", sub, isShort); + WriteBroDocObjList(reST_file, state_vars, isPublic, "State Variables", sub, isShort); + WriteBroDocObjList(reST_file, types, isPublic, "Types", sub, isShort); + WriteBroDocObjList(reST_file, events, isPublic, "Events", sub, isShort); + WriteBroDocObjList(reST_file, hooks, isPublic, "Hooks", sub, isShort); + WriteBroDocObjList(reST_file, functions, isPublic, "Functions", sub, isShort); + WriteBroDocObjList(reST_file, redefs, isPublic, "Redefinitions", sub, isShort); } -void BroDoc::WriteStringList(const char* format, const char* last_format, - const std::list& l) const +void BroDoc::WriteStringList(FILE* f, const char* format, const char* last_format, + const std::list& l) { if ( l.empty() ) { - WriteToDoc("\n"); + WriteToDoc(f, "\n"); return; } 
@@ -292,12 +288,12 @@ void BroDoc::WriteStringList(const char* format, const char* last_format, last--; for ( it = l.begin(); it != last; ++it ) - WriteToDoc(format, it->c_str()); + WriteToDoc(f, format, it->c_str()); - WriteToDoc(last_format, last->c_str()); + WriteToDoc(f, last_format, last->c_str()); } -void BroDoc::WriteBroDocObjTable(const BroDocObjList& l) const +void BroDoc::WriteBroDocObjTable(FILE* f, const BroDocObjList& l) { int max_id_col = 0; int max_com_col = 0; @@ -317,38 +313,38 @@ void BroDoc::WriteBroDocObjTable(const BroDocObjList& l) const } // Start table. - WriteRepeatedChar('=', max_id_col); - WriteToDoc(" "); + WriteRepeatedChar(f, '=', max_id_col); + WriteToDoc(f, " "); if ( max_com_col == 0 ) - WriteToDoc("="); + WriteToDoc(f, "="); else - WriteRepeatedChar('=', max_com_col); + WriteRepeatedChar(f, '=', max_com_col); - WriteToDoc("\n"); + WriteToDoc(f, "\n"); for ( it = l.begin(); it != l.end(); ++it ) { if ( it != l.begin() ) - WriteToDoc("\n\n"); - (*it)->WriteReSTCompact(reST_file, max_id_col); + WriteToDoc(f, "\n\n"); + (*it)->WriteReSTCompact(f, max_id_col); } // End table. - WriteToDoc("\n"); - WriteRepeatedChar('=', max_id_col); - WriteToDoc(" "); + WriteToDoc(f, "\n"); + WriteRepeatedChar(f, '=', max_id_col); + WriteToDoc(f, " "); if ( max_com_col == 0 ) - WriteToDoc("="); + WriteToDoc(f, "="); else - WriteRepeatedChar('=', max_com_col); + WriteRepeatedChar(f, '=', max_com_col); - WriteToDoc("\n\n"); + WriteToDoc(f, "\n\n"); } -void BroDoc::WriteBroDocObjList(const BroDocObjList& l, bool wantPublic, - const char* heading, char underline, bool isShort) const +void BroDoc::WriteBroDocObjList(FILE* f, const BroDocObjList& l, bool wantPublic, + const char* heading, char underline, bool isShort) { if ( l.empty() ) return; 
@@ -366,7 +362,7 @@ void BroDoc::WriteBroDocObjList(const BroDocObjList& l, bool wantPublic, if ( it == l.end() ) return; - WriteSectionHeading(heading, underline); + WriteSectionHeading(f, heading, underline); BroDocObjList filtered_list; @@ -377,13 +373,13 @@ void BroDoc::WriteBroDocObjList(const BroDocObjList& l, bool wantPublic, } if ( isShort ) - WriteBroDocObjTable(filtered_list); + WriteBroDocObjTable(f, filtered_list); else - WriteBroDocObjList(filtered_list); + WriteBroDocObjList(f, filtered_list); } -void BroDoc::WriteBroDocObjList(const BroDocObjMap& m, bool wantPublic, - const char* heading, char underline, bool isShort) const +void BroDoc::WriteBroDocObjList(FILE* f, const BroDocObjMap& m, bool wantPublic, + const char* heading, char underline, bool isShort) { BroDocObjMap::const_iterator it; BroDocObjList l; 
@@ -391,24 +387,24 @@ void BroDoc::WriteBroDocObjList(const BroDocObjMap& m, bool wantPublic, for ( it = m.begin(); it != m.end(); ++it ) l.push_back(it->second); - WriteBroDocObjList(l, wantPublic, heading, underline, isShort); + WriteBroDocObjList(f, l, wantPublic, heading, underline, isShort); } -void BroDoc::WriteBroDocObjList(const BroDocObjList& l, const char* heading, - char underline) const +void BroDoc::WriteBroDocObjList(FILE* f, const BroDocObjList& l, const char* heading, + char underline) { - WriteSectionHeading(heading, underline); - WriteBroDocObjList(l); + WriteSectionHeading(f, heading, underline); + WriteBroDocObjList(f, l); } -void BroDoc::WriteBroDocObjList(const BroDocObjList& l) const +void BroDoc::WriteBroDocObjList(FILE* f, const BroDocObjList& l) { for ( BroDocObjList::const_iterator it = l.begin(); it != l.end(); ++it ) - (*it)->WriteReST(reST_file); + (*it)->WriteReST(f); } -void BroDoc::WriteBroDocObjList(const BroDocObjMap& m, const char* heading, - char underline) const +void BroDoc::WriteBroDocObjList(FILE* f, const BroDocObjMap& m, const char* heading, + char underline) { BroDocObjMap::const_iterator it; BroDocObjList l; 
@@ -416,28 +412,28 @@ void BroDoc::WriteBroDocObjList(const BroDocObjMap& m, const char* heading, for ( it = m.begin(); it != m.end(); ++it ) l.push_back(it->second); - WriteBroDocObjList(l, heading, underline); + WriteBroDocObjList(f, l, heading, underline); } -void BroDoc::WriteToDoc(const char* format, ...) const +void BroDoc::WriteToDoc(FILE* f, const char* format, ...) { va_list argp; va_start(argp, format); - vfprintf(reST_file, format, argp); + vfprintf(f, format, argp); va_end(argp); } -void BroDoc::WriteSectionHeading(const char* heading, char underline) const +void BroDoc::WriteSectionHeading(FILE* f, const char* heading, char underline) { - WriteToDoc("%s\n", heading); - WriteRepeatedChar(underline, strlen(heading)); - WriteToDoc("\n"); + WriteToDoc(f, "%s\n", heading); + WriteRepeatedChar(f, underline, strlen(heading)); + WriteToDoc(f, "\n"); } -void BroDoc::WriteRepeatedChar(char c, size_t n) const +void BroDoc::WriteRepeatedChar(FILE* f, char c, size_t n) { for ( size_t i = 0; i < n; ++i ) - WriteToDoc("%c", c); + WriteToDoc(f, "%c", c); } void BroDoc::FreeBroDocObjPtrList(BroDocObjList& l) 
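Review bot: `WriteToDoc(FILE* f, const char* format, ...)` forwards an arbitrary format string to `vfprintf` but carries no format annotation, so the compiler cannot check the argument lists at its many call sites the way it does for the plain `fprintf` calls added in the next hunk; declaring it in BroDoc.h as `static void WriteToDoc(FILE* f, const char* format, ...) __attribute__((format(printf, 2, 3)));` (guarded for non-GCC compilers the way the project does elsewhere, if it does) restores that check now that the function is static and the positions are fixed. `WriteRepeatedChar` goes through `WriteToDoc(f, "%c", c)` once per character; `fputc(c, f)` in the loop does the same with no format parsing.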
@@ -459,3 +455,143 @@ void BroDoc::AddFunction(BroDocObj* o) else functions[o->Name()]->Combine(o); } + +static void WritePluginSectionHeading(FILE* f, const plugin::Plugin* p) + { + string name = p->Name(); + + fprintf(f, "%s\n", name.c_str()); + for ( size_t i = 0; i < name.size(); ++i ) + fprintf(f, "-"); + fprintf(f, "\n\n"); + + fprintf(f, "%s\n\n", p->Description()); + } + +static void WriteAnalyzerComponent(FILE* f, const analyzer::Component* c) + { + EnumType* atag = analyzer_mgr->GetTagEnumType(); + string tag = fmt("ANALYZER_%s", c->CanonicalName()); + + if ( atag->Lookup("Analyzer", tag.c_str()) < 0 ) + reporter->InternalError("missing analyzer tag for %s", tag.c_str()); + + fprintf(f, ":bro:enum:`Analyzer::%s`\n\n", tag.c_str()); + } + +static void WritePluginComponents(FILE* f, const plugin::Plugin* p) + { + plugin::Plugin::component_list components = p->Components(); + plugin::Plugin::component_list::const_iterator it; + + fprintf(f, "Components\n"); + fprintf(f, "++++++++++\n\n"); + + for ( it = components.begin(); it != components.end(); ++it ) + { + switch ( (*it)->Type() ) { + case plugin::component::ANALYZER: + WriteAnalyzerComponent(f, + dynamic_cast(*it)); + break; + case plugin::component::READER: + reporter->InternalError("docs for READER component unimplemented"); + case plugin::component::WRITER: + reporter->InternalError("docs for WRITER component unimplemented"); + default: + reporter->InternalError("docs for unknown component unimplemented"); + } + } + } + +static void WritePluginBifItems(FILE* f, const plugin::Plugin* p, + plugin::BifItem::Type t, const string& heading) + { + plugin::Plugin::bif_item_list bifitems = p->BifItems(); + plugin::Plugin::bif_item_list::iterator it = bifitems.begin(); + + while ( it != bifitems.end() ) + { + if ( it->GetType() != t ) + it = bifitems.erase(it); + else + ++it; + } + + if ( bifitems.empty() ) + return; + + fprintf(f, "%s\n", heading.c_str()); + for ( size_t i = 0; i < heading.size(); ++i ) + 
fprintf(f, "+"); + fprintf(f, "\n\n"); + + for ( it = bifitems.begin(); it != bifitems.end(); ++it ) + { + BroDocObj* o = doc_ids[it->GetID()]; + + if ( o ) + o->WriteReST(f); + else + reporter->Warning("No docs for ID: %s\n", it->GetID()); + } + } + +static void WriteAnalyzerTagDefn(FILE* f, EnumType* e) + { + e = new CommentedEnumType(e); + e->SetTypeID(copy_string("Analyzer::Tag")); + + ID* dummy_id = new ID(copy_string("Analyzer::Tag"), SCOPE_GLOBAL, true); + dummy_id->SetType(e); + dummy_id->MakeType(); + + list* r = new list(); + r->push_back("Unique identifiers for protocol analyzers."); + + BroDocObj bdo(dummy_id, r, true); + + bdo.WriteReST(f); + } + +static bool IsAnalyzerPlugin(const plugin::Plugin* p) + { + plugin::Plugin::component_list components = p->Components(); + plugin::Plugin::component_list::const_iterator it; + + for ( it = components.begin(); it != components.end(); ++it ) + if ( (*it)->Type() != plugin::component::ANALYZER ) + return false; + + return true; + } + +void CreateProtoAnalyzerDoc(const char* filename) + { + FILE* f = fopen(filename, "w"); + + fprintf(f, "Protocol Analyzer Reference\n"); + fprintf(f, "===========================\n\n"); + + WriteAnalyzerTagDefn(f, analyzer_mgr->GetTagEnumType()); + + plugin::Manager::plugin_list plugins = plugin_mgr->Plugins(); + plugin::Manager::plugin_list::const_iterator it; + + for ( it = plugins.begin(); it != plugins.end(); ++it ) + { + if ( ! IsAnalyzerPlugin(*it) ) + continue; + + WritePluginSectionHeading(f, *it); + WritePluginComponents(f, *it); + WritePluginBifItems(f, *it, plugin::BifItem::CONSTANT, + "Options/Constants"); + WritePluginBifItems(f, *it, plugin::BifItem::GLOBAL, "Globals"); + WritePluginBifItems(f, *it, plugin::BifItem::TYPE, "Types"); + WritePluginBifItems(f, *it, plugin::BifItem::EVENT, "Events"); + WritePluginBifItems(f, *it, plugin::BifItem::FUNCTION, "Functions"); + } + + fclose(f); + } diff --git a/src/BroDoc.h b/src/BroDoc.h index 79f02b7110..9f92f821f8 100644 
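Review bot: `CreateProtoAnalyzerDoc` never checks the result of `fopen(filename, "w")`; if the path is not writable, `f` is NULL and the first `fprintf` dereferences it. Add `if ( ! f ) { reporter->Warning("can't open %s for writing", filename); return; }` (or whichever error call the rest of the file prefers) right after the `fopen`. `WritePluginBifItems` looks up docs with `doc_ids[it->GetID()]` and then tests the result for NULL, which — if `doc_ids` is a std::map, as the `[]`-then-null-check pattern suggests — inserts an empty entry for every undocumented ID as a side effect; a `find()` avoids that. `IsAnalyzerPlugin` also returns true for a plugin with no components at all, since the loop never sees a non-ANALYZER entry; if that is not intended, start it with `if ( components.empty() ) return false;`.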
--- a/src/BroDoc.h
+++ b/src/BroDoc.h
@@ -81,15 +81,6 @@ public:
 */
 void SetPacketFilter(const std::string& s);
 
- /**
- * Schedules documentation of a given set of ports being associated
- * with a particular analyzer as a result of the current script
- * being loaded -- the way the "dpd_config" table is changed.
- * @param analyzer An analyzer that changed the "dpd_config" table.
- * @param ports The set of ports assigned to the analyzer in table.
- */
- void AddPortAnalysis(const std::string& analyzer, const std::string& ports);
-
 /**
 * Schedules documentation of a script option. An option is
 * defined as any variable in the script that is declared 'const'
@@ -242,7 +233,115 @@ public: return reST_filename.c_str(); } -protected: + typedef std::list BroDocObjList; + typedef std::map BroDocObjMap; + + /** + * Writes out a table of BroDocObj's to the reST document + * @param f The file to write to. + * @param l A list of BroDocObj pointers + */ + static void WriteBroDocObjTable(FILE* f, const BroDocObjList& l); + + /** + * Writes out given number of characters to reST document + * @param f The file to write to. + * @param c the character to write + * @param n the number of characters to write + */ + static void WriteRepeatedChar(FILE* f, char c, size_t n); + + /** + * A wrapper to fprintf() that always uses the reST document + * for the FILE* argument. + * @param f The file to write to. + * @param format A printf style format string. + */ + static void WriteToDoc(FILE* f, const char* format, ...); + + /** + * Writes out a list of strings to the reST document. + * If the list is empty, prints a newline character. + * @param f The file to write to. + * @param format A printf style format string for elements of the list + * except for the last one in the list + * @param last_format A printf style format string to use for the last + * element of the list + * @param l A reference to a list of strings + */ + static void WriteStringList(FILE* f, const char* format, const char* last_format, + const std::list& l); + + /** + * @see WriteStringList(FILE* f, const char*, const char*, + * const std::list&>) + */ + static void WriteStringList(FILE* f, const char* format, + const std::list& l){ + WriteStringList(f, format, format, l); + } + + /** + * Writes out a list of BroDocObj objects to the reST document + * @param f The file to write to. + * @param l A list of BroDocObj pointers + * @param wantPublic If true, filter out objects that are not declared + * in the global scope. If false, filter out those that are in + * the global scope. + * @param heading The title of the section to create in the reST doc. 
+ * @param underline The character to use to underline the reST + * section heading. + * @param isShort Whether to write the full documentation or a "short" + * version (a single sentence) + */ + static void WriteBroDocObjList(FILE* f, const BroDocObjList& l, bool wantPublic, + const char* heading, char underline, + bool isShort); + + /** + * Wraps the BroDocObjMap into a BroDocObjList and the writes that list + * to the reST document + * @see WriteBroDocObjList(FILE* f, const BroDocObjList&, bool, const char*, char, + bool) + */ + static void WriteBroDocObjList(FILE* f, const BroDocObjMap& m, bool wantPublic, + const char* heading, char underline, + bool isShort); + + /** + * Writes out a list of BroDocObj objects to the reST document + * @param l A list of BroDocObj pointers + * @param heading The title of the section to create in the reST doc. + * @param underline The character to use to underline the reST + * section heading. + */ + static void WriteBroDocObjList(FILE* f, const BroDocObjList& l, const char* heading, + char underline); + + /** + * Writes out a list of BroDocObj objects to the reST document + * @param l A list of BroDocObj pointers + */ + static void WriteBroDocObjList(FILE* f, const BroDocObjList& l); + + /** + * Wraps the BroDocObjMap into a BroDocObjList and the writes that list + * to the reST document + * @see WriteBroDocObjList(FILE* f, const BroDocObjList&, const char*, char) + */ + static void WriteBroDocObjList(FILE* f, const BroDocObjMap& m, const char* heading, + char underline); + + /** + * Writes out a reST section heading + * @param f The file to write to. + * @param heading The title of the heading to create + * @param underline The character to use to underline the section title + * within the reST document + */ + static void WriteSectionHeading(FILE* f, const char* heading, char underline); + +private: FILE* reST_file; std::string reST_filename; std::string source_filename; // points to the basename of source file 
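Review bot: The doc comment on the now-static `WriteToDoc` still says it "always uses the reST document for the FILE* argument", which is exactly what the new `f` parameter undoes; it should read something like `A wrapper to vfprintf() that writes to the given file.` The two `WriteBroDocObjList` overloads that take a heading document `l`, `heading` and `underline` but not the new `f`, so a `@param f The file to write to.` line is missing there, and the inline `WriteStringList` overload has its opening brace glued to the parameter list (`l){`), unlike the rest of the header. Moving every writer plus the two typedefs into the public section exposes a fair amount of surface that only the free functions in BroDoc.cc use; a `friend` declaration, or keeping the helpers as file-local functions in BroDoc.cc, would keep them out of the class's public API.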
@@ -255,9 +354,6 @@ protected:
 std::list imports;
 std::list port_analysis;
 
- typedef std::list BroDocObjList;
- typedef std::map BroDocObjMap;
-
 BroDocObjList options;
 BroDocObjList constants;
 BroDocObjList state_vars;
@@ -272,107 +368,6 @@ protected: BroDocObjList all; - /** - * Writes out a list of strings to the reST document. - * If the list is empty, prints a newline character. - * @param format A printf style format string for elements of the list - * except for the last one in the list - * @param last_format A printf style format string to use for the last - * element of the list - * @param l A reference to a list of strings - */ - void WriteStringList(const char* format, const char* last_format, - const std::list& l) const; - - /** - * @see WriteStringList(const char*, const char*, - * const std::list&>) - */ - void WriteStringList(const char* format, - const std::list& l) const - { - WriteStringList(format, format, l); - } - - - /** - * Writes out a table of BroDocObj's to the reST document - * @param l A list of BroDocObj pointers - */ - void WriteBroDocObjTable(const BroDocObjList& l) const; - - /** - * Writes out a list of BroDocObj objects to the reST document - * @param l A list of BroDocObj pointers - * @param wantPublic If true, filter out objects that are not declared - * in the global scope. If false, filter out those that are in - * the global scope. - * @param heading The title of the section to create in the reST doc. - * @param underline The character to use to underline the reST - * section heading. 
- * @param isShort Whether to write the full documentation or a "short" - * version (a single sentence) - */ - void WriteBroDocObjList(const BroDocObjList& l, bool wantPublic, - const char* heading, char underline, - bool isShort) const; - - /** - * Wraps the BroDocObjMap into a BroDocObjList and the writes that list - * to the reST document - * @see WriteBroDocObjList(const BroDocObjList&, bool, const char*, char, - bool) - */ - void WriteBroDocObjList(const BroDocObjMap& m, bool wantPublic, - const char* heading, char underline, - bool isShort) const; - - /** - * Writes out a list of BroDocObj objects to the reST document - * @param l A list of BroDocObj pointers - * @param heading The title of the section to create in the reST doc. - * @param underline The character to use to underline the reST - * section heading. - */ - void WriteBroDocObjList(const BroDocObjList& l, const char* heading, - char underline) const; - - /** - * Writes out a list of BroDocObj objects to the reST document - * @param l A list of BroDocObj pointers - */ - void WriteBroDocObjList(const BroDocObjList& l) const; - - /** - * Wraps the BroDocObjMap into a BroDocObjList and the writes that list - * to the reST document - * @see WriteBroDocObjList(const BroDocObjList&, const char*, char) - */ - void WriteBroDocObjList(const BroDocObjMap& m, const char* heading, - char underline) const; - - /** - * A wrapper to fprintf() that always uses the reST document - * for the FILE* argument. - * @param format A printf style format string. - */ - void WriteToDoc(const char* format, ...) 
const; - - /** - * Writes out a reST section heading - * @param heading The title of the heading to create - * @param underline The character to use to underline the section title - * within the reST document - */ - void WriteSectionHeading(const char* heading, char underline) const; - - /** - * Writes out given number of characters to reST document - * @param c the character to write - * @param n the number of characters to write - */ - void WriteRepeatedChar(char c, size_t n) const; - /** * Writes out the reST for either the script's public or private interface * @param heading The title of the interfaces section heading @@ -387,7 +382,6 @@ protected: */ void WriteInterface(const char* heading, char underline, char subunderline, bool isPublic, bool isShort) const; -private: /** * Frees memory allocated to BroDocObj's objects in a given list. @@ -413,4 +407,10 @@ private: }; }; +/** + * Writes out plugin index documentation for all analyzer plugins. + * @param filename the name of the file to write. + */ +void CreateProtoAnalyzerDoc(const char* filename); + #endif diff --git a/src/BroDocObj.cc b/src/BroDocObj.cc index 12753ea15d..4316b3113a 100644 --- a/src/BroDocObj.cc +++ b/src/BroDocObj.cc @@ -4,6 +4,8 @@ #include "ID.h" #include "BroDocObj.h" +map doc_ids = map(); + BroDocObj* BroDocObj::last = 0; BroDocObj::BroDocObj(const ID* id, std::list*& reST, @@ -16,6 +18,7 @@ BroDocObj::BroDocObj(const ID* id, std::list*& reST, is_fake_id = is_fake; use_role = 0; FormulateShortDesc(); + doc_ids[id->Name()] = this; } BroDocObj::~BroDocObj() diff --git a/src/BroDocObj.h b/src/BroDocObj.h index cb512f8cda..ab42dc3c94 100644 --- a/src/BroDocObj.h +++ b/src/BroDocObj.h @@ -4,6 +4,7 @@ #include #include #include +#include #include "ID.h" @@ -134,4 +135,9 @@ protected: private: }; +/** + * Map identifiers to their broxygen documentation objects. + */ +extern map doc_ids; + #endif diff --git a/src/Type.cc b/src/Type.cc index 6461bf2560..917c6f46b3 100644 --- a/src/Type.cc 
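Review bot: `doc_ids[id->Name()] = this;` registers every BroDocObj in the global map, but the destructor shown as the next context line, `BroDocObj::~BroDocObj()`, is not updated to erase the entry, so the map keeps dangling pointers once any BroDocObj is freed; two identifiers that share a name also overwrite each other silently. If the ID name is still reachable from the destructor, erase there when the stored entry still equals `this`; otherwise document on the `extern map doc_ids;` declaration added to BroDocObj.h in this patch that entries are only valid while documentation generation is running. A `#include <map>` is also needed in BroDocObj.cc rather than relying on the header chain, assuming the header's new include is what brings it in.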
+++ b/src/Type.cc @@ -1334,6 +1334,16 @@ EnumType::EnumType(const string& arg_name) counter = 0; } +EnumType::EnumType(EnumType* e) +: BroType(TYPE_ENUM) + { + name = e->name; + counter = e->counter; + + for ( NameMap::iterator it = e->names.begin(); it != e->names.end(); ++it ) + names[copy_string(it->first)] = it->second; + } + EnumType::~EnumType() { for ( NameMap::iterator iter = names.begin(); iter != names.end(); ++iter ) diff --git a/src/Type.h b/src/Type.h index bad51776d9..b10e249745 100644 --- a/src/Type.h +++ b/src/Type.h @@ -523,6 +523,7 @@ protected: class EnumType : public BroType { public: EnumType(const string& arg_name); + EnumType(EnumType* e); ~EnumType(); // The value of this name is next internal counter value, starting @@ -567,6 +568,7 @@ protected: class CommentedEnumType: public EnumType { public: CommentedEnumType(const string& arg_name) : EnumType(arg_name) {} + CommentedEnumType(EnumType* e) : EnumType(e) {} ~CommentedEnumType(); void DescribeReST(ODesc* d) const; diff --git a/src/main.cc b/src/main.cc index 491f8a732d..77a3468805 100644 --- a/src/main.cc +++ b/src/main.cc @@ -868,6 +868,8 @@ int main(int argc, char** argv) if ( generate_documentation ) { + CreateProtoAnalyzerDoc("proto-analyzers.rst"); + std::list::iterator it; for ( it = docs_generated.begin(); it != docs_generated.end(); ++it ) From 1302da10cdc8cee3dd3a08c4aeb5ae8e6acecdff Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jun 2013 16:28:27 -0700 Subject: [PATCH 126/200] Fix for CMake 2.6.x. --- src/CMakeLists.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index a5b1cfc106..5e74b3d8b0 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
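Review bot: `EnumType::EnumType(EnumType* e)` only reads from `e`, so the parameter should be `const EnumType*`; the same applies to the declarations added in Type.h in this patch, including the forwarding `CommentedEnumType(EnumType* e)`. As a non-`explicit` single-argument constructor it also lets an `EnumType*` convert implicitly to an `EnumType` value, an easy source of accidental deep copies; `explicit EnumType(const EnumType* e);` closes that. A one-line comment that the copy duplicates each name string (released in `~EnumType`, visible as the next context lines) would make the ownership explicit.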
@@ -391,7 +391,8 @@ set(BRO_EXE bro CACHE STRING "Bro executable binary" FORCE) # Target to create all the autogenerated files. -add_custom_target(generate_outputs DEPENDS ${bro_ALL_GENERATED_OUTPUTS}) +add_custom_target(generate_outputs) +add_dependencies(generate_outputs ${bro_ALL_GENERATED_OUTPUTS}) # Build __load__.bro files for plugins/*.bif.bro. bro_bif_create_loader(bif_loader_plugins ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins) From 5487258b039aee30becee0e0c45253c995949210 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jun 2013 16:37:32 -0700 Subject: [PATCH 127/200] Updating submodule(s). [nomail] --- CHANGES | 4 ++++ VERSION | 2 +- aux/broctl | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index da05746fd1..b671fe8cb0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.1-740 | 2013-06-07 16:37:32 -0700 + + * Fix for CMake 2.6.x. (Robin Sommer) + 2.1-738 | 2013-06-07 08:38:13 -0700 * Remove invalid free on non-allocated pointer in hash function diff --git a/VERSION b/VERSION index 82b504016f..468fc388bb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-738 +2.1-740 diff --git a/aux/broctl b/aux/broctl index a1aaa1608e..cf7a1ca56f 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit a1aaa1608ef08761a211b1e251449d796ba5e4a0 +Subproject commit cf7a1ca56f2b20f777542d912de0a9c8fdb0655d From f811e669ff59101e9a108097f1cbbdbd8e8201ad Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jun 2013 17:28:50 -0700 Subject: [PATCH 128/200] Fixing typo that could cause an assertion to falsely trigger. --- CHANGES | 5 +++++ VERSION | 2 +- src/analyzer/Tag.cc | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index b671fe8cb0..92f0a3b9ee 100644 --- a/CHANGES +++ b/CHANGES 
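Review bot: Switching from `DEPENDS` on `add_custom_target()` to `add_dependencies()` changes what `bro_ALL_GENERATED_OUTPUTS` must contain: `add_dependencies()` accepts target names only, whereas `DEPENDS` also accepted files, and older CMake versions silently ignore unknown targets passed to `add_dependencies()`. Worth confirming the variable lists targets rather than output paths. The motivation lives only in the commit message; a comment such as `# add_dependencies() rather than DEPENDS: required for CMake 2.6.x` above the two lines keeps it with the code.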
@@ -1,4 +1,9 @@ +2.1-741 | 2013-06-07 17:28:50 -0700 + + * Fixing typo that could cause an assertion to falsely trigger. + (Robin Sommer) + 2.1-740 | 2013-06-07 16:37:32 -0700 * Fix for CMake 2.6.x. (Robin Sommer) diff --git a/VERSION b/VERSION index 468fc388bb..0559f5c3b4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-740 +2.1-741 diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc index 469b61a6c5..2f04ff17da 100644 --- a/src/analyzer/Tag.cc +++ b/src/analyzer/Tag.cc @@ -24,7 +24,7 @@ Tag::Tag(type_t arg_type, subtype_t arg_subtype) Tag::Tag(EnumVal* arg_val) { - assert(val); + assert(arg_val); val = arg_val; Ref(val); From a32bb59770e9d6355aaa83f224e4f1c21c518515 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Sat, 8 Jun 2013 05:57:56 -0700 Subject: [PATCH 129/200] fix warning. Update baseline of stderr test to what it should be. There still is a message ordering issue there (which is the last issue in the new Raw reader I know of). One message that sidesteps a bit of the usual processing does not always arrive at the correct time (meaning it pops up from the event queue too early). Even though it sidesteps a bit of the usual processing that should not happen in my opinion (which clearly does not matter). And I have not yet fully grasped how this can happen. --- src/input/readers/Raw.cc | 8 ++++---- .../Baseline/scripts.base.frameworks.input.raw.stderr/out | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index 435876ece1..ab2cb8bd44 100644 --- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc @@ -359,9 +359,7 @@ int64_t Raw::GetLine(FILE* arg_file) } - if ( errno == 0 ) { - assert(false); - } else if ( errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR ) { + if ( errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR ) { return -2; } else { // an error code we did no expect. This probably is bad. 
@@ -369,6 +367,9 @@ int64_t Raw::GetLine(FILE* arg_file) return -3; } + InternalError("Internal control flow execution"); + assert(false); + } // write to the stdin of the child process @@ -546,7 +547,6 @@ bool Raw::DoUpdate() EndCurrentSend(); SendEvent("InputRaw::process_finished", 4, vals); - } diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out index e7ff580dfd..b7f857339d 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out @@ -1,6 +1,3 @@ -Process finished event -input -Exit code != 0 Input::EVENT_NEW ..: F @@ -25,3 +22,6 @@ T done End of Data event input +Process finished event +input +Exit code != 0 From 3517c0ba992bb7333551489ec2790126120f525d Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Sun, 9 Jun 2013 08:27:08 -0400 Subject: [PATCH 130/200] add Terminate to input framework to prevent potential shutdown race-conditions. --- src/input/Manager.cc | 16 ++++++++++++++++ src/input/Manager.h | 5 +++++ src/main.cc | 1 + 3 files changed, 22 insertions(+) diff --git a/src/input/Manager.cc b/src/input/Manager.cc index 495df682fa..ac6946318d 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -1289,6 +1289,7 @@ void Manager::SendEndOfData(ReaderFrontend* reader) SendEndOfData(i); } + void Manager::SendEndOfData(const Stream *i) { #ifdef DEBUG @@ -2174,3 +2175,18 @@ Manager::Stream* Manager::FindStream(ReaderFrontend* reader) return 0; } + +// function is called on Bro shutdown. +// sinal all frontends that they will cease operation. +void Manager::Terminate() + { + for (map::iterator i = readers.begin(); i != readers.end(); ++i ) + { + if ( i->second->removed ) + continue; + + i->second->removed = true; + i->second->reader->Stop(); + } + + } diff --git a/src/input/Manager.h b/src/input/Manager.h index 633b20f8ed..0b633cca95 100644 
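Review bot: The added `InternalError(...)` and `assert(false)` lines are unreachable: the `if` branch above returns -2 and the `else` branch returns -3, so they exist only to satisfy compilers that warn about control reaching the end of a non-void function. Say so in the code, e.g. `// Not reached: both branches above return. Silences a missing-return warning.` above the `InternalError` call, otherwise a later reader will hunt for the path that gets here. The message text could also name `Raw::GetLine` so it is findable if it ever fires. GetLine's body begins outside this hunk.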
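Review bot: The comment above `Manager::Terminate()` has a typo, `sinal`, and reads as a fragment; suggest `// Called on Bro shutdown: signal all reader frontends that they will cease operation.` The loop marks each stream `removed` and calls `Stop()` but does not erase it from `readers`; if that is intentional because shutdown releases the streams elsewhere, a short comment saying so would help, since the streams otherwise look leaked from here. The blank line before the closing brace can go.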
--- a/src/input/Manager.h +++ b/src/input/Manager.h @@ -79,6 +79,11 @@ public: */ bool RemoveStream(const string &id); + /** + * Signals the manager to shutdown at Bro's termination. + */ + void Terminate(); + protected: friend class ReaderFrontend; friend class PutMessage; diff --git a/src/main.cc b/src/main.cc index 491f8a732d..90dca2d48c 100644 --- a/src/main.cc +++ b/src/main.cc @@ -357,6 +357,7 @@ void terminate_bro() file_mgr->Terminate(); log_mgr->Terminate(); + input_mgr->Terminate(); thread_mgr->Terminate(); mgr.Drain(); From 655187a4f4a24b7e27c2bc4db6bbd9658ab6bdc1 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Sun, 9 Jun 2013 08:43:17 -0400 Subject: [PATCH 131/200] ...and fix the event ordering issue. Dispatch != QueueEvent --- src/input/Manager.cc | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/src/input/Manager.cc b/src/input/Manager.cc index ac6946318d..8dd578d40f 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -1308,6 +1308,11 @@ void Manager::Put(ReaderFrontend* reader, Value* *vals) return; } +#ifdef DEBUG + DBG_LOG(DBG_INPUT, "Put for stream %s", + i->name.c_str()); +#endif + int readFields = 0; if ( i->stream_type == TABLE_STREAM ) @@ -1631,6 +1636,11 @@ bool Manager::SendEvent(const string& name, const int num_vals, Value* *vals) return false; } +#ifdef DEBUG + DBG_LOG(DBG_INPUT, "SendEvent for event %s with num_vals vals", + name.c_str(), num_vals); +#endif + RecordType *type = handler->FType()->Args(); int num_event_vals = type->NumFields(); if ( num_vals != num_event_vals ) @@ -1643,7 +1653,8 @@ bool Manager::SendEvent(const string& name, const int num_vals, Value* *vals) for ( int i = 0; i < num_vals; i++) vl->append(ValueToVal(vals[i], type->FieldType(i))); - mgr.Dispatch(new Event(handler, vl)); + //mgr.Dispatch(new Event(handler, vl)); + mgr.QueueEvent(handler, vl, SOURCE_LOCAL); for ( int i = 0; i < num_vals; i++ ) delete vals[i]; 
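Review bot: In the `DBG_LOG` added to `Manager::SendEvent(const string&, ...)`, the format string `"SendEvent for event %s with num_vals vals"` has no conversion for the `num_vals` argument, so the literal text `num_vals` is printed and the argument is ignored; it should read `"SendEvent for event %s with %d vals"`. The `DBG_LOG` in the list overload on the next line (`@@ -1671,6 +1687,11 @@`) has the converse problem, passing `events.size()` (a `size_t`) to `%d`; use `%zu`, or `static_cast<int>(events.size())`. Both lines only compile under DEBUG, so they are easy to miss in a normal build.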
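Review bot: The commented-out `//mgr.Dispatch(new Event(handler, vl));` next to the new `mgr.QueueEvent(handler, vl, SOURCE_LOCAL);` is dead code that version control already preserves. The reason for the switch is only in the commit message ("Dispatch != QueueEvent"); it belongs in a comment on the new line, e.g. `// Queue rather than dispatch so this event is ordered after events already queued.` (presumably the ordering issue the message refers to; confirm).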
@@ -1657,6 +1668,11 @@ void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) { val_list* vl = new val_list; +#ifdef DEBUG + DBG_LOG(DBG_INPUT, "SendEvent with %d vals", + numvals); +#endif + va_list lP; va_start(lP, numvals); for ( int i = 0; i < numvals; i++ ) @@ -1671,6 +1687,11 @@ void Manager::SendEvent(EventHandlerPtr ev, list events) { val_list* vl = new val_list; +#ifdef DEBUG + DBG_LOG(DBG_INPUT, "SendEvent with %d vals (list)", + events.size()); +#endif + for ( list::iterator i = events.begin(); i != events.end(); i++ ) { vl->append( *i ); From ebb7af1483891ccb2dda66919d365682b3675727 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Sun, 9 Jun 2013 16:18:17 -0400 Subject: [PATCH 132/200] this event handler fails the unused-event-handlers test because it is a bit of a special case. It is only called via the SendEvent function from a reader. The reader does (at least with the current interface) however not provide the function pointer, but looks up the name of the event dynamically. Hence, internal_handler is never called for the event. Even if resolving the event in the reader, e.g. in an initialization function, this would not solve the issue - the initialization function is only called when the first Raw reader is initialized - and in the base configuration the raw reader will never be used (hence, internal_handler also won't be called). Calling it once in the manager seems like a really dirty hack. So - now it is the second exception in the testcase, unless anyone has a better idea :) --- testing/btest/Baseline/core.check-unused-event-handlers/.stderr | 1 + 1 file changed, 1 insertion(+) diff --git a/testing/btest/Baseline/core.check-unused-event-handlers/.stderr b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr index 8d8bf1a85b..1a32ad442c 100644 --- a/testing/btest/Baseline/core.check-unused-event-handlers/.stderr +++ b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr 
@@ -1 +1,2 @@ warning in , line 1: event handler never invoked: this_is_never_used +warning in , line 1: event handler never invoked: InputRaw::process_finished From c6381055380f889c4891efcf83da512597ae64d6 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 10 Jun 2013 12:51:41 -0700 Subject: [PATCH 133/200] Document max parameter in bloomfilter_init. --- src/bro.bif | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/bro.bif b/src/bro.bif index 8bd9575498..9b80c90dbf 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -4993,6 +4993,13 @@ function anonymize_addr%(a: addr, cl: IPAddrAnonymizationClass%): addr ## capacity: the maximum number of elements that guarantees a false-positive ## rate of *fp*. ## +## max: The maximum counter value associated with each each element in the +## Bloom filter. If greater than 1, each element in the set has a counter of +## *w = ceil(log_2(max))* bits. Each bit in the underlying bit vector then +## becomes a cell of size *w* bits. Since the number number of cells is a +## function ## of *fp* and *capacity*, it is important to consider the effects +## on space when tuning this value. +## ## Returns: A Bloom filter handle. function bloomfilter_init%(fp: double, capacity: count, max: count &default=1%): opaque of bloomfilter From d25984ba45643be524788b73d7cebc1278a78810 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 10 Jun 2013 12:55:03 -0700 Subject: [PATCH 134/200] Update baseline for unit tests. --- testing/btest/Baseline/bifs.bloomfilter/output | 8 ++++++++ testing/btest/bifs/bloomfilter.bro | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/bifs.bloomfilter/output diff --git a/testing/btest/Baseline/bifs.bloomfilter/output b/testing/btest/Baseline/bifs.bloomfilter/output new file mode 100644 index 0000000000..65aaa8b07c --- /dev/null +++ b/testing/btest/Baseline/bifs.bloomfilter/output @@ -0,0 +1,8 @@ +0 +1 +1 +0 +1 +1 +1 +1 
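Review bot: The new `max:` paragraph has three wording slips that will render literally in the generated documentation: `each each element`, `number number of cells`, and a stray `##` in the middle of a sentence (`function ## of *fp*`). Suggested replacements for the affected lines: `## max: The maximum counter value associated with each element in the`, `## becomes a cell of size *w* bits. Since the number of cells is a` and `## function of *fp* and *capacity*, it is important to consider the effects`.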
diff --git a/testing/btest/bifs/bloomfilter.bro b/testing/btest/bifs/bloomfilter.bro index 6abbdd69f7..769cec1200 100644 --- a/testing/btest/bifs/bloomfilter.bro +++ b/testing/btest/bifs/bloomfilter.bro @@ -21,8 +21,8 @@ event bro_init() bloomfilter_add(bf_str, "bar"); print bloomfilter_lookup(bf_str, "foo"); print bloomfilter_lookup(bf_str, "bar"); - print bloomfilter_lookup(bf_str, "baz"); - print bloomfilter_lookup(bf_str, "qux"); + print bloomfilter_lookup(bf_str, "baz"); # FP + print bloomfilter_lookup(bf_str, "qux"); # FP bloomfilter_add(bf_str, 0.5); # Type mismatch bloomfilter_add(bf_str, 100); # Type mismatch From 7c7b6214a6d731984c6009af7ef73b3d3dfbe515 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Mon, 10 Jun 2013 15:50:18 -0500 Subject: [PATCH 135/200] Move file analyzers to new plugin infrastructure. --- doc/scripts/DocSourcesList.cmake | 1 + .../base/frameworks/file-analysis/main.bro | 4 +- scripts/base/init-bare.bro | 17 +-- src/CMakeLists.txt | 12 +- src/Func.cc | 3 - src/NetVar.cc | 2 - src/NetVar.h | 1 - src/analyzer/Component.cc | 16 +-- src/analyzer/Component.h | 1 - src/analyzer/Tag.h | 11 +- src/const.bif | 2 - src/event.bif | 13 --- src/file_analysis/Analyzer.h | 11 +- src/file_analysis/AnalyzerSet.cc | 22 +--- src/file_analysis/CMakeLists.txt | 22 ++++ src/file_analysis/Component.cc | 70 +++++++++++ src/file_analysis/Component.h | 109 ++++++++++++++++++ src/file_analysis/Manager.cc | 70 ++++++++++- src/file_analysis/Manager.h | 46 +++++++- src/file_analysis/analyzer/CMakeLists.txt | 3 + .../analyzer/data_event/CMakeLists.txt | 8 ++ .../{ => analyzer/data_event}/DataEvent.cc | 0 .../{ => analyzer/data_event}/DataEvent.h | 0 .../analyzer/data_event/Plugin.cc | 26 +++++ .../analyzer/extract/CMakeLists.txt | 8 ++ .../{ => analyzer/extract}/Extract.cc | 0 .../{ => analyzer/extract}/Extract.h | 0 src/file_analysis/analyzer/extract/Plugin.cc | 26 +++++ .../analyzer/hash/CMakeLists.txt | 9 ++ src/file_analysis/{ => analyzer/hash}/Hash.cc | 0 src/file_analysis/{ => analyzer/hash}/Hash.h | 2 + src/file_analysis/analyzer/hash/Plugin.cc | 33 ++++++ src/file_analysis/analyzer/hash/events.bif | 12 ++ src/{ => file_analysis}/file_analysis.bif | 23 +--- src/main.cc | 2 + src/plugin/Component.cc | 4 + src/plugin/Component.h | 9 +- src/util.cc | 15 +++ src/util.h | 8 ++ .../canonified_loaded_scripts.log | 55 ++++----- .../canonified_loaded_scripts.log | 55 ++++----- 41 files changed, 559 insertions(+), 172 deletions(-) create mode 100644 src/file_analysis/CMakeLists.txt create mode 100644 src/file_analysis/Component.cc create mode 100644 src/file_analysis/Component.h create mode 100644 src/file_analysis/analyzer/CMakeLists.txt create mode 
100644 src/file_analysis/analyzer/data_event/CMakeLists.txt rename src/file_analysis/{ => analyzer/data_event}/DataEvent.cc (100%) rename src/file_analysis/{ => analyzer/data_event}/DataEvent.h (100%) create mode 100644 src/file_analysis/analyzer/data_event/Plugin.cc create mode 100644 src/file_analysis/analyzer/extract/CMakeLists.txt rename src/file_analysis/{ => analyzer/extract}/Extract.cc (100%) rename src/file_analysis/{ => analyzer/extract}/Extract.h (100%) create mode 100644 src/file_analysis/analyzer/extract/Plugin.cc create mode 100644 src/file_analysis/analyzer/hash/CMakeLists.txt rename src/file_analysis/{ => analyzer/hash}/Hash.cc (100%) rename src/file_analysis/{ => analyzer/hash}/Hash.h (99%) create mode 100644 src/file_analysis/analyzer/hash/Plugin.cc create mode 100644 src/file_analysis/analyzer/hash/events.bif rename src/{ => file_analysis}/file_analysis.bif (77%) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 0b077c2c50..fdd919f86b 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -34,6 +34,7 @@ rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DNS.events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FTP.events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FTP.functions.bif.bro) rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_File.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FileHash.events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Finger.events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_GTPv1.events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Gnutella.events.bif.bro) diff --git a/scripts/base/frameworks/file-analysis/main.bro b/scripts/base/frameworks/file-analysis/main.bro index 15a9d01b0a..3352787cba 100644 --- a/scripts/base/frameworks/file-analysis/main.bro 
+++ b/scripts/base/frameworks/file-analysis/main.bro @@ -15,7 +15,7 @@ export { ## A structure which represents a desired type of file analysis. type AnalyzerArgs: record { ## The type of analysis. - tag: Analyzer; + tag: FileAnalysis::Tag; ## The local filename to which to write an extracted file. Must be ## set when *tag* is :bro:see:`FileAnalysis::ANALYZER_EXTRACT`. @@ -89,7 +89,7 @@ export { conn_uids: set[string] &log; ## A set of analysis types done during the file analysis. - analyzers: set[Analyzer]; + analyzers: set[FileAnalysis::Tag]; ## Local filenames of extracted files. extracted_files: set[string] &log; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 2110110a40..b7cafa70c7 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -222,17 +222,6 @@ type endpoint_stats: record { endian_type: count; }; -## A unique analyzer instance ID. Each time instantiates a protocol analyzers -## for a connection, it assigns it a unique ID that can be used to reference -## that instance. -## -## .. bro:see:: Analyzer::name Analyzer::disable_analyzer protocol_confirmation -## protocol_violation -## -## .. todo::While we declare an alias for the type here, the events/functions still -## use ``count``. That should be changed. -type AnalyzerID: count; - module Tunnel; export { ## Records the identity of an encapsulating parent of a tunneled connection. @@ -3065,12 +3054,12 @@ module GLOBAL; ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; +# Load BiFs defined by plugins. +@load base/bif/plugins + # Load these frameworks here because they use fairly deep integration with # BiFs and script-land defined types. @load base/frameworks/logging @load base/frameworks/input @load base/frameworks/analyzer @load base/frameworks/file-analysis - -# Load BiFs defined by plugins. -@load base/bif/plugins diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 2bde8d65a5..a8ec20293b 100644 
--- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -114,7 +114,6 @@ set(BIF_SRCS logging.bif input.bif event.bif - file_analysis.bif const.bif types.bif strings.bif @@ -150,6 +149,7 @@ set(bro_SUBDIR_LIBS CACHE INTERNAL "subdir libraries" FORCE) set(bro_PLUGIN_LIBS CACHE INTERNAL "plugin libraries" FORCE) add_subdirectory(analyzer) +add_subdirectory(file_analysis) set(bro_SUBDIRS ${bro_SUBDIR_LIBS} @@ -355,20 +355,12 @@ set(bro_SRCS input/readers/Binary.cc input/readers/SQLite.cc - file_analysis/Manager.cc - file_analysis/File.cc - file_analysis/FileTimer.cc - file_analysis/Analyzer.h - file_analysis/AnalyzerSet.cc - file_analysis/Extract.cc - file_analysis/Hash.cc - file_analysis/DataEvent.cc - 3rdparty/sqlite3.c plugin/Component.cc plugin/Manager.cc plugin/Plugin.cc + plugin/Macros.h nb_dns.c digest.h diff --git a/src/Func.cc b/src/Func.cc index 97d84013e6..f3718fe231 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -553,14 +553,12 @@ void builtin_error(const char* msg, BroObj* arg) #include "input.bif.func_h" #include "reporter.bif.func_h" #include "strings.bif.func_h" -#include "file_analysis.bif.func_h" #include "bro.bif.func_def" #include "logging.bif.func_def" #include "input.bif.func_def" #include "reporter.bif.func_def" #include "strings.bif.func_def" -#include "file_analysis.bif.func_def" void init_builtin_funcs() { @@ -575,7 +573,6 @@ void init_builtin_funcs() #include "input.bif.func_init" #include "reporter.bif.func_init" #include "strings.bif.func_init" -#include "file_analysis.bif.func_init" did_builtin_init = true; } diff --git a/src/NetVar.cc b/src/NetVar.cc index 74cd6d08d0..2f50ce528b 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -249,7 +249,6 @@ OpaqueType* entropy_type; #include "logging.bif.netvar_def" #include "input.bif.netvar_def" #include "reporter.bif.netvar_def" -#include "file_analysis.bif.netvar_def" void init_event_handlers() { 
@@ -317,7 +316,6 @@ void init_net_var() #include "logging.bif.netvar_init" #include "input.bif.netvar_init" #include "reporter.bif.netvar_init" -#include "file_analysis.bif.netvar_init" conn_id = internal_type("conn_id")->AsRecordType(); endpoint = internal_type("endpoint")->AsRecordType(); diff --git a/src/NetVar.h b/src/NetVar.h index 0ecceb9f92..ac825e7845 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -260,6 +260,5 @@ extern void init_net_var(); #include "logging.bif.netvar_h" #include "input.bif.netvar_h" #include "reporter.bif.netvar_h" -#include "file_analysis.bif.netvar_h" #endif diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc index 5844da848f..2a48d5f160 100644 --- a/src/analyzer/Component.cc +++ b/src/analyzer/Component.cc @@ -4,26 +4,12 @@ #include "Manager.h" #include "../Desc.h" +#include "../util.h" using namespace analyzer; Tag::type_t Component::type_counter = 0; -static const char* canonify_name(const char* name) - { - unsigned int len = strlen(name); - char* nname = new char[len + 1]; - - for ( unsigned int i = 0; i < len; i++ ) - { - char c = isalnum(name[i]) ? name[i] : '_'; - nname[i] = toupper(c); - } - - nname[len] = '\0'; - return nname; - } - Component::Component(const char* arg_name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial) : plugin::Component(plugin::component::ANALYZER) { diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h index b766c2fe82..a520047fdb 100644 --- a/src/analyzer/Component.h +++ b/src/analyzer/Component.h @@ -23,7 +23,6 @@ class Analyzer; */ class Component : public plugin::Component { public: - typedef bool (*available_callback)(); typedef Analyzer* (*factory_callback)(Connection* conn); /** diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index cf33dca41c..edb0ade8a7 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h 
@@ -8,6 +8,11 @@ class EnumVal; +namespace file_analysis { +class Manager; +class Component; +} + namespace analyzer { class Manager; @@ -24,7 +29,7 @@ class Component; * subtype form an analyzer "tag". Each unique tag corresponds to a single * "analyzer" from the user's perspective. At the script layer, these tags * are mapped into enums of type \c Analyzer::Tag. Internally, the - * analyzer::Mangager maintains the mapping of tag to analyzer (and it also + * analyzer::Manager maintains the mapping of tag to analyzer (and it also * assigns them their main types), and analyzer::Component creates new * tags. * @@ -121,9 +126,11 @@ public: protected: friend class analyzer::Manager; friend class analyzer::Component; + friend class file_analysis::Manager; + friend class file_analysis::Component; /** - * Constructor. Note + * Constructor. * * @param type The main type. Note that the \a analyzer::Manager * manages the value space internally, so noone else should assign diff --git a/src/const.bif b/src/const.bif index 31e6ccee1a..ea84b3363d 100644 --- a/src/const.bif +++ b/src/const.bif @@ -23,5 +23,3 @@ const Tunnel::delay_gtp_confirmation: bool; const Tunnel::ip_tunnel_timeout: interval; const Threading::heartbeat_interval: interval; - -const FileAnalysis::salt: string; diff --git a/src/event.bif b/src/event.bif index 9d831cf141..6f363cb961 100644 --- a/src/event.bif +++ b/src/event.bif 
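Review bot: The new `friend class file_analysis::Component;` lets a second subsystem mint `analyzer::Tag` values, and file_analysis/Component.cc in this patch does so from its own `type_counter` starting at 0, independent of the counter in analyzer/Component.cc, so a protocol analyzer and a file analyzer can end up with identical `analyzer::Tag` values. If tags from the two subsystems are never compared or stored together that is harmless, but the class comment above still says the analyzer::Manager owns the value space. Either give file analysis its own tag type, or annotate the friend lines, e.g. `// file_analysis allocates tags from a separate type counter; the two tag spaces must not be mixed.`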
@@ -942,19 +942,6 @@ event file_gap%(f: fa_file, offset: count, len: count%); ## .. bro:see:: file_new file_over_new_connection file_timeout file_gap event file_state_remove%(f: fa_file%); -## This event is generated each time file analysis generates a digest of the -## file contents. -## -## f: The file. -## -## kind: The type of digest algorithm. -## -## hash: The result of the hashing. -## -## .. bro:see:: FileAnalysis::add_analyzer FileAnalysis::ANALYZER_MD5 -## FileAnalysis::ANALYZER_SHA1 FileAnalysis::ANALYZER_SHA256 -event file_hash%(f: fa_file, kind: string, hash: string%); - ## Generated when an internal DNS lookup produces the same result as last time. ## Bro keeps an internal DNS cache for host names and IP addresses it has ## already resolved. This event is generated when a subsequent lookup returns diff --git a/src/file_analysis/Analyzer.h b/src/file_analysis/Analyzer.h index d32532b264..dba022efca 100644 --- a/src/file_analysis/Analyzer.h +++ b/src/file_analysis/Analyzer.h @@ -5,10 +5,13 @@ #include "Val.h" #include "NetVar.h" +#include "analyzer/Tag.h" + +#include "file_analysis/file_analysis.bif.h" namespace file_analysis { -typedef BifEnum::FileAnalysis::Analyzer FA_Tag; +typedef int FA_Tag; class File; @@ -94,8 +97,7 @@ public: static FA_Tag ArgsTag(const RecordVal* args) { using BifType::Record::FileAnalysis::AnalyzerArgs; - return static_cast( - args->Lookup(AnalyzerArgs->FieldOffset("tag"))->AsEnum()); + return args->Lookup(AnalyzerArgs->FieldOffset("tag"))->AsEnum(); } protected: @@ -119,9 +121,6 @@ private: File* file; /**< The file to which the analyzer is attached. */ }; -typedef file_analysis::Analyzer* (*AnalyzerInstantiator)(RecordVal* args, - File* file); - } // namespace file_analysis #endif diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index 83c60d9abe..e350e8b0d8 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc 
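Review bot: `typedef int FA_Tag;` trades the enum typedef it replaces for a bare `int`, so any integer now converts to a file analyzer tag silently, and `ArgsTag()` in the second hunk of this file returns whatever `AsEnum()` holds without a check; an unknown tag is only caught later when instantiation fails in AnalyzerSet.cc. Since the rest of this patch moves the script layer to a `FileAnalysis::Tag` type, a matching C++ tag type (or at least an `enum class`) would keep that distinction in the core as well. Short of that, document the alias: `typedef int FA_Tag; // integer value of the script-layer FileAnalysis::Tag enum` (presumably what AsEnum() yields; confirm).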
@@ -3,21 +3,10 @@ #include "AnalyzerSet.h" #include "File.h" #include "Analyzer.h" -#include "Extract.h" -#include "DataEvent.h" -#include "Hash.h" +#include "Manager.h" using namespace file_analysis; -// keep in order w/ declared enum values in file_analysis.bif -static AnalyzerInstantiator analyzer_factory[] = { - file_analysis::Extract::Instantiate, - file_analysis::MD5::Instantiate, - file_analysis::SHA1::Instantiate, - file_analysis::SHA256::Instantiate, - file_analysis::DataEvent::Instantiate, -}; - static void analyzer_del_func(void* v) { delete (file_analysis::Analyzer*) v; @@ -154,14 +143,13 @@ HashKey* AnalyzerSet::GetKey(const RecordVal* args) const file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(RecordVal* args) const { - file_analysis::Analyzer* a = - analyzer_factory[file_analysis::Analyzer::ArgsTag(args)](args, file); + FA_Tag tag = file_analysis::Analyzer::ArgsTag(args); + file_analysis::Analyzer* a = file_mgr->InstantiateAnalyzer(tag, args, file); if ( ! a ) { - DBG_LOG(DBG_FILE_ANALYSIS, "Instantiate analyzer %d failed for file id", - " %s", file_analysis::Analyzer::ArgsTag(args), - file->GetID().c_str()); + reporter->Error("Failed file analyzer %s instantiation for file id %s", + file_mgr->GetAnalyzerName(tag), file->GetID().c_str()); return 0; } diff --git a/src/file_analysis/CMakeLists.txt b/src/file_analysis/CMakeLists.txt new file mode 100644 index 0000000000..f22c293cc4 --- /dev/null +++ b/src/file_analysis/CMakeLists.txt @@ -0,0 +1,22 @@ +include(BroSubdir) + +include_directories(BEFORE + ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR} +) + +add_subdirectory(analyzer) + +set(file_analysis_SRCS + Manager.cc + File.cc + FileTimer.cc + Analyzer.h + AnalyzerSet.cc + Component.cc +) + +bif_target(file_analysis.bif) + +bro_add_subdir_library(file_analysis ${file_analysis_SRCS} ${BIF_OUTPUT_CC}) +add_dependencies(bro_file_analysis generate_outputs) 
diff --git a/src/file_analysis/Component.cc b/src/file_analysis/Component.cc new file mode 100644 index 0000000000..5b6018c106 --- /dev/null +++ b/src/file_analysis/Component.cc @@ -0,0 +1,70 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "Component.h" +#include "Manager.h" + +#include "../Desc.h" +#include "../util.h" + +using namespace file_analysis; + +analyzer::Tag::type_t Component::type_counter = 0; + +Component::Component(const char* arg_name, factory_callback arg_factory, + analyzer::Tag::subtype_t arg_subtype) + : plugin::Component(plugin::component::FILE_ANALYZER) + { + name = copy_string(arg_name); + canon_name = canonify_name(arg_name); + factory = arg_factory; + + tag = analyzer::Tag(++type_counter, arg_subtype); + } + +Component::Component(const Component& other) + : plugin::Component(Type()) + { + name = copy_string(other.name); + canon_name = copy_string(other.canon_name); + factory = other.factory; + tag = other.tag; + } + +Component::~Component() + { + delete [] name; + delete [] canon_name; + } + +analyzer::Tag Component::Tag() const + { + return tag; + } + +void Component::Describe(ODesc* d) + { + plugin::Component::Describe(d); + d->Add(name); + d->Add(" ("); + + if ( factory ) + { + d->Add("ANALYZER_"); + d->Add(canon_name); + d->Add(", "); + } + + d->Add(")"); + } + +Component& Component::operator=(const Component& other) + { + if ( &other != this ) + { + name = copy_string(other.name); + factory = other.factory; + tag = other.tag; + } + + return *this; + } diff --git a/src/file_analysis/Component.h b/src/file_analysis/Component.h new file mode 100644 index 0000000000..8584b5eb09 --- /dev/null +++ b/src/file_analysis/Component.h 
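Review bot: `Component::operator=` in the new Component.cc leaks the existing `name` and `canon_name` buffers and never copies `canon_name`, so an assigned-to component keeps its old canonical name while `name` changes; the copy constructor just above copies both fields, so the two should agree. Releasing both buffers before the `copy_string` calls and copying `canon_name` fixes it. Separately, `Describe` emits `", "` right after the canonical name and then immediately `")"`, producing `NAME (ANALYZER_NAME, )`; if nothing further is meant to follow, the `d->Add(", ")` looks like a leftover from a copy of analyzer::Component and can go.
```cpp
Component& Component::operator=(const Component& other)
	{
	if ( &other != this )
		{
		delete [] name;
		delete [] canon_name;
		name = copy_string(other.name);
		canon_name = copy_string(other.canon_name);
		factory = other.factory;
		tag = other.tag;
		}

	return *this;
	}
```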
@@ -0,0 +1,109 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef FILE_ANALYZER_PLUGIN_COMPONENT_H +#define FILE_ANALYZER_PLUGIN_COMPONENT_H + +#include "analyzer/Tag.h" +#include "plugin/Component.h" + +#include "Val.h" + +#include "../config.h" +#include "../util.h" + +namespace file_analysis { + +class File; +class Analyzer; + +/** + * Component description for plugins providing file analyzers. + * + * A plugin can provide a specific protocol analyzer by registering this + * analyzer component, describing the analyzer. + */ +class Component : public plugin::Component { +public: + typedef Analyzer* (*factory_callback)(RecordVal* args, File* file); + + /** + * Constructor. + * + * @param name The name of the provided analyzer. This name is used + * across the system to identify the analyzer, e.g., when calling + * file_analysis::Manager::InstantiateAnalyzer with a name. + * + * @param factory A factory function to instantiate instances of the + * analyzer's class, which must be derived directly or indirectly + * from file_analysis::Analyzer. This is typically a static \c + * Instatiate() method inside the class that just allocates and + * returns a new instance. + * + * @param subtype A subtype associated with this component that + * further distinguishes it. The subtype will be integrated into + * the analyzer::Tag that the manager associates with this analyzer, + * and analyzer instances can accordingly access it via analyzer::Tag(). + * If not used, leave at zero. + */ + Component(const char* name, factory_callback factory, + analyzer::Tag::subtype_t subtype = 0); + + /** + * Copy constructor. + */ + Component(const Component& other); + + /** + * Destructor. + */ + ~Component(); + + /** + * Returns the name of the analyzer. This name is unique across all + * analyzers and used to identify it. 
The returned name is derived + * from what's passed to the constructor but upper-cased and + * canonified to allow being part of a script-level ID. + */ + const char* Name() const { return name; } + + /** + * Returns a canonocalized version of the analyzer's name. The + * returned name is derived from what's passed to the constructor but + * upper-cased and transformed to allow being part of a script-level + * ID. + */ + const char* CanonicalName() const { return canon_name; } + + /** + * Returns the analyzer's factory function. + */ + factory_callback Factory() const { return factory; } + + /** + * Returns the analyzer's tag. Note that this is automatically + * generated for each new Components, and hence unique across all of + * them. + */ + analyzer::Tag Tag() const; + + /** + * Generates a human-readable description of the component's main + * parameters. This goes into the output of \c "bro -NN". + */ + virtual void Describe(ODesc* d); + + Component& operator=(const Component& other); + +private: + const char* name; // The analyzer's name. + const char* canon_name; // The analyzer's canonical name. + factory_callback factory; // The analyzer's factory callback. + analyzer::Tag tag; // The automatically assigned analyzer tag. + + // Global counter used to generate unique tags. + static analyzer::Tag::type_t type_counter; +}; + +} + +#endif diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index a458134732..b0ba55d965 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -10,12 +10,18 @@ #include "Var.h" #include "Event.h" +#include "plugin/Manager.h" + using namespace file_analysis; TableVal* Manager::disabled = 0; +string Manager::salt; Manager::Manager() { + tag_enum_type = new EnumType("FileAnalysis::Tag"); + ::ID* id = install_ID("Tag", "FileAnalysis", true, true); + add_type(id, tag_enum_type, 0, 0); } Manager::~Manager() 
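Review bot: Several doc comments in the new Component.h describe a different class than the one they sit on. The class comment says "A plugin can provide a specific protocol analyzer" although this component describes a file analyzer, and the `Name()` comment claims the returned name is "upper-cased and canonified" while `Name()` returns the raw constructor argument; that sentence belongs to `CanonicalName()` only, so `Name()` could read `Returns the name of the analyzer as passed to the constructor; see CanonicalName() for the script-level form.` Minor typos worth fixing in the same pass: "canonocalized" → "canonicalized", "Instatiate()" → "Instantiate()", and "each new Components" → "each new Component".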
@@ -23,6 +29,40 @@ Manager::~Manager() Terminate(); } +void Manager::InitPreScript() + { + std::list analyzers = plugin_mgr->Components(); + + for ( std::list::const_iterator i = analyzers.begin(); + i != analyzers.end(); ++i ) + RegisterAnalyzerComponent(*i); + } + +void Manager::RegisterAnalyzerComponent(Component* component) + { + const char* cname = component->CanonicalName(); + + if ( tag_enum_type->Lookup("FileAnalysis", cname) != -1 ) + reporter->FatalError("File Analyzer %s defined more than once", cname); + + DBG_LOG(DBG_FILE_ANALYSIS, "Registering analyzer %s (tag %s)", + component->Name(), component->Tag().AsString().c_str()); + + analyzers_by_name.insert(std::make_pair(cname, component)); + analyzers_by_tag.insert(std::make_pair(component->Tag(), component)); + analyzers_by_val.insert(std::make_pair( + component->Tag().AsEnumVal()->InternalInt(), component)); + + string id = fmt("ANALYZER_%s", cname); + tag_enum_type->AddName("FileAnalysis", id.c_str(), + component->Tag().AsEnumVal()->InternalInt(), true); + } + +void Manager::InitPostScript() + { + #include "file_analysis.bif.init.cc" + } + void Manager::Terminate() { vector keys; @@ -35,8 +75,6 @@ void Manager::Terminate() string Manager::HashHandle(const string& handle) const { - static string salt; - if ( salt.empty() ) salt = BifConst::FileAnalysis::salt->CheckString(); 
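Review bot: `HashHandle` now uses the static `Manager::salt` but keeps `salt.empty()` as its "not yet loaded" sentinel, so an intentionally empty `FileAnalysis::salt` is re-read from `BifConst` on every call and the first caller decides when the value is fixed. Since the manager now has `InitPostScript()`, which the header says runs after scripts are processed, loading the salt once there (`salt = BifConst::FileAnalysis::salt->CheckString();`, assuming the constant is populated by then) would remove the lazy path and make the point at which the salt is fixed explicit. HashHandle's body continues outside the hunk.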
@@ -327,3 +365,31 @@ bool Manager::IsDisabled(analyzer::Tag tag) return rval; } + +Analyzer* Manager::InstantiateAnalyzer(int tag, RecordVal* args, File* f) const + { + analyzer_map_by_val::const_iterator it = analyzers_by_val.find(tag); + + if ( it == analyzers_by_val.end() ) + reporter->InternalError("cannot instantiate unknown file analyzer: %d", + tag); + + Component* c = it->second; + + if ( ! c->Factory() ) + reporter->InternalError("file analyzer %s cannot be instantiated " + "dynamically", c->CanonicalName()); + + return c->Factory()(args, f); + } + +const char* Manager::GetAnalyzerName(int tag) const + { + analyzer_map_by_val::const_iterator it = analyzers_by_val.find(tag); + + if ( it == analyzers_by_val.end() ) + reporter->InternalError("cannot get name of unknown file analyzer: %d", + tag); + + return it->second->CanonicalName(); + } diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index a96324871f..e56d9e7476 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -17,9 +17,12 @@ #include "File.h" #include "FileTimer.h" +#include "Component.h" #include "analyzer/Tag.h" +#include "file_analysis/file_analysis.bif.h" + namespace file_analysis { /** @@ -38,6 +41,18 @@ public: */ ~Manager(); + /** + * First-stage initializion of the manager. This is called early on + * during Bro's initialization, before any scripts are processed. + */ + void InitPreScript(); + + /** + * Second-stage initialization of the manager. This is called late + * during Bro's initialization after any scripts are processed. + */ + void InitPostScript(); + /** * Times out any active file analysis to prepare for shutdown. */ 
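Review bot: `Manager::InstantiateAnalyzer` and `GetAnalyzerName` call `reporter->InternalError` for a tag missing from `analyzers_by_val`, which aborts the process, while the header comment added in the Manager.h hunk (L1517) promises "null if tag is invalid" and the caller in AnalyzerSet.cc (L1511) has an `if ( ! a )` branch that then calls `GetAnalyzerName(tag)` on the same tag. The tag is read from a script-level `AnalyzerArgs` record, so an unknown value is at least partly script-controlled and is better treated as a recoverable error than as an engine invariant violation. Suggest `reporter->Error("cannot instantiate unknown file analyzer: %d", tag); return 0;` in `InstantiateAnalyzer`, and having `GetAnalyzerName` return a fixed placeholder such as `"<unknown>"` rather than aborting, so AnalyzerSet's error path is actually reachable.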
@@ -182,6 +197,23 @@ public: */ bool IsIgnored(const string& file_id); + /** + * Instantiates a new file analyzer instance for the file. + * @param tag The file analyzer's tag. + * @param args The file analzer argument/option values. + * @param f The file analzer is to be associated with. + * @return The new analyzer instance or null if tag is invalid. + */ + Analyzer* InstantiateAnalyzer(int tag, RecordVal* args, File* f) const; + + /** + * Translates a script-level file analyzer tag in to corresponding file + * analyzer name. + * @param tag The enum val of a file analyzer. + * @return The human-readable name of the file analyzer. + */ + const char* GetAnalyzerName(int tag) const; + protected: friend class FileTimer; @@ -255,11 +287,23 @@ protected: static bool IsDisabled(analyzer::Tag tag); private: + typedef map analyzer_map_by_name; + typedef map analyzer_map_by_tag; + typedef map analyzer_map_by_val; + + void RegisterAnalyzerComponent(Component* component); + IDMap id_map; /**< Map file ID to file_analysis::File records. */ IDSet ignored; /**< Ignored files. Will be finally removed on EOF. */ - string current_file_id; /**< Hash of what get_file_handle event sets.*/ + string current_file_id; /**< Hash of what get_file_handle event sets. */ + EnumType* tag_enum_type; /**< File analyzer tag type. */ + + analyzer_map_by_name analyzers_by_name; + analyzer_map_by_tag analyzers_by_tag; + analyzer_map_by_val analyzers_by_val; static TableVal* disabled; /**< Table of disabled analyzers. */ + static string salt; /**< A salt added to file handles before hashing. */ }; } // namespace file_analysis diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt new file mode 100644 index 0000000000..bfafcd2894 --- /dev/null +++ b/src/file_analysis/analyzer/CMakeLists.txt @@ -0,0 +1,3 @@ +add_subdirectory(data_event) +add_subdirectory(extract) +add_subdirectory(hash) 
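Review bot: The doc comments added in this Manager.h hunk carry typos that will end up in generated API docs: `The file analzer argument/option values.` → `The file analyzer argument/option values.`, `The file analzer is to be associated with.` → `The file the analyzer is to be associated with.`, and `in to corresponding` → `into the corresponding`; the earlier hunk in the same file (L1516) has `First-stage initializion` → `initialization`. The three new `analyzer_map_by_*` members hold raw `Component*` with no ownership statement; a one-line comment saying who owns the components (presumably the plugin manager, to be confirmed) would help the next maintainer.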
diff --git a/src/file_analysis/analyzer/data_event/CMakeLists.txt b/src/file_analysis/analyzer/data_event/CMakeLists.txt new file mode 100644 index 0000000000..81551feda2 --- /dev/null +++ b/src/file_analysis/analyzer/data_event/CMakeLists.txt @@ -0,0 +1,8 @@ +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro FileDataEvent) +bro_plugin_cc(DataEvent.cc Plugin.cc) +bro_plugin_end() diff --git a/src/file_analysis/DataEvent.cc b/src/file_analysis/analyzer/data_event/DataEvent.cc similarity index 100% rename from src/file_analysis/DataEvent.cc rename to src/file_analysis/analyzer/data_event/DataEvent.cc diff --git a/src/file_analysis/DataEvent.h b/src/file_analysis/analyzer/data_event/DataEvent.h similarity index 100% rename from src/file_analysis/DataEvent.h rename to src/file_analysis/analyzer/data_event/DataEvent.h diff --git a/src/file_analysis/analyzer/data_event/Plugin.cc b/src/file_analysis/analyzer/data_event/Plugin.cc new file mode 100644 index 0000000000..7eb637f3a5 --- /dev/null +++ b/src/file_analysis/analyzer/data_event/Plugin.cc @@ -0,0 +1,26 @@ +#include "plugin/Plugin.h" +#include "file_analysis/Component.h" + +#include "DataEvent.h" + +namespace plugin { namespace Bro_FileDataEvent { + +class Plugin : public plugin::Plugin { +protected: + void InitPreScript() + { + SetName("Bro::FileDataEvent"); + SetVersion(-1); + SetAPIVersion(BRO_PLUGIN_API_VERSION); + SetDynamicPlugin(false); + + SetDescription("Delivers file content via events"); + + AddComponent(new ::file_analysis::Component("DATA_EVENT", + ::file_analysis::DataEvent::Instantiate)); + } +}; + +Plugin __plugin; + +} } diff --git a/src/file_analysis/analyzer/extract/CMakeLists.txt b/src/file_analysis/analyzer/extract/CMakeLists.txt new file mode 100644 index 0000000000..df3fa2646d --- /dev/null +++ b/src/file_analysis/analyzer/extract/CMakeLists.txt 
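Review bot: The global `Plugin __plugin;` in the new data_event/Plugin.cc (and likewise in extract/Plugin.cc at L1519 and hash/Plugin.cc at L1520) uses an identifier containing a double underscore, which C++ reserves for the implementation; a name such as `plugin_instance` avoids the reserved range. If the existing protocol-analyzer plugins already use `__plugin` and the build relies on that name, keeping it for consistency is defensible, but the convention then deserves a comment where it is defined. `InitPreScript()` presumably overrides a virtual of `plugin::Plugin` but carries no marker; a `// override` comment (or `override` once C++11 is permitted by the project) would make the intent visible.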
@@ -0,0 +1,8 @@ +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro FileExtract) +bro_plugin_cc(Extract.cc Plugin.cc) +bro_plugin_end() diff --git a/src/file_analysis/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc similarity index 100% rename from src/file_analysis/Extract.cc rename to src/file_analysis/analyzer/extract/Extract.cc diff --git a/src/file_analysis/Extract.h b/src/file_analysis/analyzer/extract/Extract.h similarity index 100% rename from src/file_analysis/Extract.h rename to src/file_analysis/analyzer/extract/Extract.h diff --git a/src/file_analysis/analyzer/extract/Plugin.cc b/src/file_analysis/analyzer/extract/Plugin.cc new file mode 100644 index 0000000000..f6cde57f03 --- /dev/null +++ b/src/file_analysis/analyzer/extract/Plugin.cc @@ -0,0 +1,26 @@ +#include "plugin/Plugin.h" +#include "file_analysis/Component.h" + +#include "Extract.h" + +namespace plugin { namespace Bro_FileExtract { + +class Plugin : public plugin::Plugin { +protected: + void InitPreScript() + { + SetName("Bro::FileExtract"); + SetVersion(-1); + SetAPIVersion(BRO_PLUGIN_API_VERSION); + SetDynamicPlugin(false); + + SetDescription("Extract file content to local file system"); + + AddComponent(new ::file_analysis::Component("EXTRACT", + ::file_analysis::Extract::Instantiate)); + } +}; + +Plugin __plugin; + +} } diff --git a/src/file_analysis/analyzer/hash/CMakeLists.txt b/src/file_analysis/analyzer/hash/CMakeLists.txt new file mode 100644 index 0000000000..5734740198 --- /dev/null +++ b/src/file_analysis/analyzer/hash/CMakeLists.txt @@ -0,0 +1,9 @@ +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro FileHash) +bro_plugin_cc(Hash.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() 
diff --git a/src/file_analysis/Hash.cc b/src/file_analysis/analyzer/hash/Hash.cc similarity index 100% rename from src/file_analysis/Hash.cc rename to src/file_analysis/analyzer/hash/Hash.cc diff --git a/src/file_analysis/Hash.h b/src/file_analysis/analyzer/hash/Hash.h similarity index 99% rename from src/file_analysis/Hash.h rename to src/file_analysis/analyzer/hash/Hash.h index e44af337aa..13303e21fc 100644 --- a/src/file_analysis/Hash.h +++ b/src/file_analysis/analyzer/hash/Hash.h @@ -10,6 +10,8 @@ #include "File.h" #include "Analyzer.h" +#include "events.bif.h" + namespace file_analysis { /** diff --git a/src/file_analysis/analyzer/hash/Plugin.cc b/src/file_analysis/analyzer/hash/Plugin.cc new file mode 100644 index 0000000000..1a7254105e --- /dev/null +++ b/src/file_analysis/analyzer/hash/Plugin.cc @@ -0,0 +1,33 @@ +#include "plugin/Plugin.h" +#include "file_analysis/Component.h" + +#include "Hash.h" + +namespace plugin { namespace Bro_FileHash { + +class Plugin : public plugin::Plugin { +protected: + void InitPreScript() + { + SetName("Bro::FileHash"); + SetVersion(-1); + SetAPIVersion(BRO_PLUGIN_API_VERSION); + SetDynamicPlugin(false); + + SetDescription("Hash file content"); + + AddComponent(new ::file_analysis::Component("MD5", + ::file_analysis::MD5::Instantiate)); + AddComponent(new ::file_analysis::Component("SHA1", + ::file_analysis::SHA1::Instantiate)); + AddComponent(new ::file_analysis::Component("SHA256", + ::file_analysis::SHA256::Instantiate)); + + extern std::list > __bif_events_init(); + AddBifInitFunction(&__bif_events_init); + } +}; + +Plugin __plugin; + +} } diff --git a/src/file_analysis/analyzer/hash/events.bif b/src/file_analysis/analyzer/hash/events.bif new file mode 100644 index 0000000000..b4a8de1c74 --- /dev/null +++ b/src/file_analysis/analyzer/hash/events.bif 
@@ -0,0 +1,12 @@ +## This event is generated each time file analysis generates a digest of the +## file contents. +## +## f: The file. +## +## kind: The type of digest algorithm. +## +## hash: The result of the hashing. +## +## .. bro:see:: FileAnalysis::add_analyzer FileAnalysis::ANALYZER_MD5 +## FileAnalysis::ANALYZER_SHA1 FileAnalysis::ANALYZER_SHA256 +event file_hash%(f: fa_file, kind: string, hash: string%); diff --git a/src/file_analysis.bif b/src/file_analysis/file_analysis.bif similarity index 77% rename from src/file_analysis.bif rename to src/file_analysis/file_analysis.bif index ef46ccf9c1..06ae9450dd 100644 --- a/src/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif @@ -1,4 +1,4 @@ -##! Internal functions and types used by the logging framework. +##! Internal functions and types used by the file analysis framework. module FileAnalysis; @@ -8,25 +8,6 @@ module FileAnalysis; type AnalyzerArgs: record; -## An enumeration of various file analysis actions that can be taken. -enum Analyzer %{ - - ## Extract a file to local filesystem - ANALYZER_EXTRACT, - - ## Calculate an MD5 digest of the file's contents. - ANALYZER_MD5, - - ## Calculate an SHA1 digest of the file's contents. - ANALYZER_SHA1, - - ## Calculate an SHA256 digest of the file's contents. - ANALYZER_SHA256, - - ## Deliver the file contents to the script-layer in an event. - ANALYZER_DATA_EVENT, -%} - ## :bro:see:`FileAnalysis::set_timeout_interval`. function FileAnalysis::__set_timeout_interval%(file_id: string, t: interval%): bool %{ @@ -76,3 +57,5 @@ function set_file_handle%(handle: string%): any file_mgr->SetHandle(handle->CheckString()); return 0; %} + +const FileAnalysis::salt: string; diff --git a/src/main.cc b/src/main.cc index 491f8a732d..9947d51709 100644 --- a/src/main.cc +++ b/src/main.cc 
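Review bot: `const FileAnalysis::salt: string;` moves into file_analysis.bif without a doc comment, while the other declarations in this file carry `##` documentation. Suggest `## Salt added to file handles before they are hashed into file IDs (see file_analysis::Manager::HashHandle).`, which matches the wording the Manager.h hunk uses for the static member.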
@@ -834,6 +834,7 @@ int main(int argc, char** argv) plugin_mgr->InitPreScript(); analyzer_mgr->InitPreScript(); + file_mgr->InitPreScript(); if ( events_file ) event_player = new EventPlayer(events_file); @@ -855,6 +856,7 @@ int main(int argc, char** argv) plugin_mgr->InitPostScript(); analyzer_mgr->InitPostScript(); + file_mgr->InitPostScript(); if ( print_plugins ) { diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc index 7d2e69eb86..48b19f8f07 100644 --- a/src/plugin/Component.cc +++ b/src/plugin/Component.cc @@ -39,6 +39,10 @@ void Component::Describe(ODesc* d) d->Add("Analyzer"); break; + case component::FILE_ANALYZER: + d->Add("File Analyzer"); + break; + default: reporter->InternalError("unknown component type in plugin::Component::Describe"); } diff --git a/src/plugin/Component.h b/src/plugin/Component.h index fbeb70ebed..1a4b41b43f 100644 --- a/src/plugin/Component.h +++ b/src/plugin/Component.h @@ -15,16 +15,11 @@ namespace component { enum Type { READER, /// An input reader (not currently used). WRITER, /// An logging writer (not currenly used). - ANALYZER /// A protocol analyzer. + ANALYZER, /// A protocol analyzer. + FILE_ANALYZER /// A file analyzer. }; } -#if 0 -namespace input { class PluginComponent; } -namespace logging { class PluginComponent; } -namespace analyzer { class PluginComponent; } -#endif - /** * Base class for plugin components. A component is a specific piece of * functionality that a plugin provides, such as a protocol analyzer or a log diff --git a/src/util.cc b/src/util.cc index de9bd5b679..cff36f0f23 100644 --- a/src/util.cc +++ b/src/util.cc 
@@ -1617,3 +1617,18 @@ const char* bro_magic_buffer(magic_t cookie, const void* buffer, size_t length) return rval; } + +const char* canonify_name(const char* name) + { + unsigned int len = strlen(name); + char* nname = new char[len + 1]; + + for ( unsigned int i = 0; i < len; i++ ) + { + char c = isalnum(name[i]) ? name[i] : '_'; + nname[i] = toupper(c); + } + + nname[len] = '\0'; + return nname; + } diff --git a/src/util.h b/src/util.h index 49bcbf318b..cafa63b7e8 100644 --- a/src/util.h +++ b/src/util.h @@ -383,4 +383,12 @@ extern magic_t magic_mime_cookie; void bro_init_magic(magic_t* cookie_ptr, int flags); const char* bro_magic_buffer(magic_t cookie, const void* buffer, size_t length); +/** + * Canonicalizes a name by converting it to uppercase letters and replacing + * all non-alphanumeric characters with an underscore. + * @param name The string to canonicalize. + * @return The canonicalized version of \a name which caller may later delete[]. + */ +const char* canonify_name(const char* name); + #endif diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 06652e37e7..9d3fb87861 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-05-17-03-57-47 +#open 2013-06-10-19-50-56 #fields name #types string scripts/base/init-bare.bro 
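Review bot: `canonify_name` passes `name[i]`, a plain `char`, straight to `isalnum` and `toupper`; for bytes above 0x7f that is a negative value, and passing anything other than EOF or a value representable as `unsigned char` to the `<cctype>` functions is undefined behaviour. Cast first: `char c = isalnum((unsigned char) name[i]) ? name[i] : '_';` and `nname[i] = toupper((unsigned char) c);`. `len` is also narrowed from `size_t` to `unsigned int`; `size_t len = strlen(name);` with a matching loop index avoids the truncation.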
@@ -13,31 +13,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/bro.bif.bro build/scripts/base/bif/reporter.bif.bro build/scripts/base/bif/event.bif.bro - scripts/base/frameworks/logging/__load__.bro - scripts/base/frameworks/logging/main.bro - build/scripts/base/bif/logging.bif.bro - scripts/base/frameworks/logging/postprocessors/__load__.bro - scripts/base/frameworks/logging/postprocessors/scp.bro - scripts/base/frameworks/logging/postprocessors/sftp.bro - scripts/base/frameworks/logging/writers/ascii.bro - scripts/base/frameworks/logging/writers/dataseries.bro - scripts/base/frameworks/logging/writers/sqlite.bro - scripts/base/frameworks/logging/writers/elasticsearch.bro - scripts/base/frameworks/logging/writers/none.bro - scripts/base/frameworks/input/__load__.bro - scripts/base/frameworks/input/main.bro - build/scripts/base/bif/input.bif.bro - scripts/base/frameworks/input/readers/ascii.bro - scripts/base/frameworks/input/readers/raw.bro - scripts/base/frameworks/input/readers/benchmark.bro - scripts/base/frameworks/input/readers/binary.bro - scripts/base/frameworks/input/readers/sqlite.bro - scripts/base/frameworks/analyzer/__load__.bro - scripts/base/frameworks/analyzer/main.bro - build/scripts/base/bif/analyzer.bif.bro - scripts/base/frameworks/file-analysis/__load__.bro - scripts/base/frameworks/file-analysis/main.bro - build/scripts/base/bif/file_analysis.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro @@ -50,6 +25,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_File.events.bif.bro + build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro 
@@ -85,6 +61,31 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro + scripts/base/frameworks/logging/__load__.bro + scripts/base/frameworks/logging/main.bro + build/scripts/base/bif/logging.bif.bro + scripts/base/frameworks/logging/postprocessors/__load__.bro + scripts/base/frameworks/logging/postprocessors/scp.bro + scripts/base/frameworks/logging/postprocessors/sftp.bro + scripts/base/frameworks/logging/writers/ascii.bro + scripts/base/frameworks/logging/writers/dataseries.bro + scripts/base/frameworks/logging/writers/sqlite.bro + scripts/base/frameworks/logging/writers/elasticsearch.bro + scripts/base/frameworks/logging/writers/none.bro + scripts/base/frameworks/input/__load__.bro + scripts/base/frameworks/input/main.bro + build/scripts/base/bif/input.bif.bro + scripts/base/frameworks/input/readers/ascii.bro + scripts/base/frameworks/input/readers/raw.bro + scripts/base/frameworks/input/readers/benchmark.bro + scripts/base/frameworks/input/readers/binary.bro + scripts/base/frameworks/input/readers/sqlite.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/main.bro + build/scripts/base/bif/analyzer.bif.bro + scripts/base/frameworks/file-analysis/__load__.bro + scripts/base/frameworks/file-analysis/main.bro + build/scripts/base/bif/file_analysis.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2013-05-17-03-57-47 +#close 2013-06-10-19-50-56 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index cb92b663f0..b861f44266 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-05-17-03-58-48 +#open 2013-06-10-19-50-57 #fields name #types string scripts/base/init-bare.bro @@ -13,31 +13,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/bro.bif.bro build/scripts/base/bif/reporter.bif.bro build/scripts/base/bif/event.bif.bro - scripts/base/frameworks/logging/__load__.bro - scripts/base/frameworks/logging/main.bro - build/scripts/base/bif/logging.bif.bro - scripts/base/frameworks/logging/postprocessors/__load__.bro - scripts/base/frameworks/logging/postprocessors/scp.bro - scripts/base/frameworks/logging/postprocessors/sftp.bro - scripts/base/frameworks/logging/writers/ascii.bro - scripts/base/frameworks/logging/writers/dataseries.bro - scripts/base/frameworks/logging/writers/sqlite.bro - scripts/base/frameworks/logging/writers/elasticsearch.bro - scripts/base/frameworks/logging/writers/none.bro - scripts/base/frameworks/input/__load__.bro - scripts/base/frameworks/input/main.bro - build/scripts/base/bif/input.bif.bro - scripts/base/frameworks/input/readers/ascii.bro - scripts/base/frameworks/input/readers/raw.bro - scripts/base/frameworks/input/readers/benchmark.bro - scripts/base/frameworks/input/readers/binary.bro - scripts/base/frameworks/input/readers/sqlite.bro - scripts/base/frameworks/analyzer/__load__.bro - scripts/base/frameworks/analyzer/main.bro - build/scripts/base/bif/analyzer.bif.bro - scripts/base/frameworks/file-analysis/__load__.bro - scripts/base/frameworks/file-analysis/main.bro - build/scripts/base/bif/file_analysis.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro 
@@ -50,6 +25,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_File.events.bif.bro + build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro @@ -85,6 +61,31 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro + scripts/base/frameworks/logging/__load__.bro + scripts/base/frameworks/logging/main.bro + build/scripts/base/bif/logging.bif.bro + scripts/base/frameworks/logging/postprocessors/__load__.bro + scripts/base/frameworks/logging/postprocessors/scp.bro + scripts/base/frameworks/logging/postprocessors/sftp.bro + scripts/base/frameworks/logging/writers/ascii.bro + scripts/base/frameworks/logging/writers/dataseries.bro + scripts/base/frameworks/logging/writers/sqlite.bro + scripts/base/frameworks/logging/writers/elasticsearch.bro + scripts/base/frameworks/logging/writers/none.bro + scripts/base/frameworks/input/__load__.bro + scripts/base/frameworks/input/main.bro + build/scripts/base/bif/input.bif.bro + scripts/base/frameworks/input/readers/ascii.bro + scripts/base/frameworks/input/readers/raw.bro + scripts/base/frameworks/input/readers/benchmark.bro + scripts/base/frameworks/input/readers/binary.bro + scripts/base/frameworks/input/readers/sqlite.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/main.bro + build/scripts/base/bif/analyzer.bif.bro + scripts/base/frameworks/file-analysis/__load__.bro + scripts/base/frameworks/file-analysis/main.bro + build/scripts/base/bif/file_analysis.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/patterns.bro 
@@ -191,4 +192,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-05-17-03-58-48 +#close 2013-06-10-19-50-57 From 4c21576c120a0dcc9725308549fd57a8bf9072a1 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 10 Jun 2013 20:14:34 -0700 Subject: [PATCH 136/200] Add Bloomfilter serialization test code. --- testing/btest/istate/opaque.bro | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/testing/btest/istate/opaque.bro b/testing/btest/istate/opaque.bro index 84818a5e70..ac3b2c0874 100644 --- a/testing/btest/istate/opaque.bro +++ b/testing/btest/istate/opaque.bro @@ -12,6 +12,9 @@ global sha1_handle: opaque of sha1 &persistent &synchronized; global sha256_handle: opaque of sha256 &persistent &synchronized; global entropy_handle: opaque of entropy &persistent &synchronized; +global bloomfilter_elements: set[string] &persistent &synchronized; +global bloomfilter_handle: opaque of bloomfilter &persistent &synchronized; + event bro_done() { local out = open("output.log"); @@ -36,6 +39,9 @@ event bro_done() print out, entropy_test_finish(entropy_handle); else print out, "entropy_test_add() failed"; + + for ( e in bloomfilter_elements ) + print bloomfilter_lookup(bloomfilter_handle, e); } @TEST-END-FILE @@ -47,6 +53,9 @@ global sha1_handle: opaque of sha1 &persistent &synchronized; global sha256_handle: opaque of sha256 &persistent &synchronized; global entropy_handle: opaque of entropy &persistent &synchronized; +global bloomfilter_elements = { "foo", "bar", "baz" } &persistent &synchronized; +global bloomfilter_handle: opaque of bloomfilter &persistent &synchronized; + event bro_init() { local out = open("expected.log"); 
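Review bot: In the `bro_done` hunk of testing/btest/istate/opaque.bro the new loop prints `bloomfilter_lookup(bloomfilter_handle, e)` to stdout, while every neighbouring check in the same handler writes to `out`; if the result is meant to be compared through output.log like the hash and entropy checks, it should be `print out, bloomfilter_lookup(bloomfilter_handle, e);`. Printing the element alongside the result (`print out, e, bloomfilter_lookup(bloomfilter_handle, e);`) would also make a failing lookup attributable, since iteration order over a set is not guaranteed. `bro_done` begins outside the hunk.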
@@ -72,6 +81,10 @@ event bro_init() entropy_handle = entropy_test_init(); if ( ! entropy_test_add(entropy_handle, "f") ) print out, "entropy_test_add() failed"; + + bloomfilter_handle = bloomfilter_init(0.1, 100); + for ( e in bloomfilter_elements ) + bloomfilter_add(bloomfilter_handle, e); } @TEST-END-FILE From 22afbe42dd91e668de8c72417b6a8ff8b544dd99 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 10 Jun 2013 20:15:13 -0700 Subject: [PATCH 137/200] A number of tweaks of the serialization code. --- src/BitVector.h | 2 +- src/BloomFilter.cc | 17 ++++++++--------- src/BloomFilter.h | 2 +- src/OpaqueVal.cc | 10 ++++++---- src/SerialTypes.h | 8 ++++---- 5 files changed, 20 insertions(+), 19 deletions(-) diff --git a/src/BitVector.h b/src/BitVector.h index 8315a151f0..83fec44a0d 100644 --- a/src/BitVector.h +++ b/src/BitVector.h @@ -8,7 +8,7 @@ /** * A vector of bits. */ -class BitVector : SerialObj { +class BitVector : public SerialObj { public: typedef size_t block_type; typedef size_t size_type; diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 40772fecb6..1d73734236 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -55,7 +55,7 @@ IMPLEMENT_SERIAL(CounterVector, SER_COUNTERVECTOR) bool CounterVector::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_COUNTERVECTOR, SerialObj); - if ( ! SERIALIZE(bits_) ) + if ( ! bits_->Serialize(info) ) return false; return SERIALIZE(static_cast(width_)); } @@ -63,14 +63,13 @@ bool CounterVector::DoSerialize(SerialInfo* info) const bool CounterVector::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(SerialObj); - return false; bits_ = BitVector::Unserialize(info); if ( ! bits_ ) return false; uint64 width; if ( ! UNSERIALIZE(&width) ) return false; - width_ = static_cast(width); + width_ = static_cast(width); return true; } 
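Review bot: CounterVector::DoUnserialize (`@@ -63,14 +63,13 @@`) accepts any `width` from the stream, yet `width_` is the divisor in `Size()` (`bits_->Blocks() / width_`), so a persisted value of 0 becomes a division by zero on first use, and the `static_cast` to `size_t` silently truncates on 32-bit hosts. Reject it at the read: `if ( ! UNSERIALIZE(&width) || width == 0 || width > std::numeric_limits<size_t>::max() ) return false;`. Removing the stray `return false;` is the right fix for the dead code; whether `bits_` can already point at an allocation when this runs is not visible here, but if it can, the plain assignment leaks it.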
@@ -127,7 +126,7 @@ bool BloomFilter::DoSerialize(SerialInfo* info) const DO_SERIALIZE(SER_BLOOMFILTER, SerialObj); if ( ! SERIALIZE(static_cast(hash_->K())) ) return false; - return SERIALIZE(static_cast(elements_)); + return SERIALIZE(static_cast(elements_)); } bool BloomFilter::DoUnserialize(UnserialInfo* info) @@ -178,14 +177,14 @@ IMPLEMENT_SERIAL(BasicBloomFilter, SER_BASICBLOOMFILTER) bool BasicBloomFilter::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BASICBLOOMFILTER, BloomFilter); - return SERIALIZE(bits_); + return bits_->Serialize(info); } bool BasicBloomFilter::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(BloomFilter); bits_ = BitVector::Unserialize(info); - return bits_ == NULL; + return bits_ != NULL; } void BasicBloomFilter::AddImpl(const HashPolicy::HashVector& h) @@ -227,15 +226,15 @@ IMPLEMENT_SERIAL(CountingBloomFilter, SER_COUNTINGBLOOMFILTER) bool CountingBloomFilter::DoSerialize(SerialInfo* info) const { - DO_SERIALIZE(SER_BASICBLOOMFILTER, BloomFilter); - return SERIALIZE(cells_); + DO_SERIALIZE(SER_COUNTINGBLOOMFILTER, BloomFilter); + return cells_->Serialize(info); } bool CountingBloomFilter::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(BloomFilter); cells_ = CounterVector::Unserialize(info); - return cells_ == NULL; + return cells_ != NULL; } void CountingBloomFilter::AddImpl(const HashPolicy::HashVector& h) diff --git a/src/BloomFilter.h b/src/BloomFilter.h index c0101cadf8..4a83ba904b 100644 --- a/src/BloomFilter.h +++ b/src/BloomFilter.h @@ -73,7 +73,7 @@ protected: private: BitVector* bits_; - unsigned width_; + size_t width_; }; /** diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index 38ea93d000..76936dfb78 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -574,7 +574,7 @@ size_t BloomFilterVal::Count(const Val* val) const BloomFilterVal* BloomFilterVal::Merge(const BloomFilterVal* first, const BloomFilterVal* second) -{ + { assert(! "not yet implemented"); return NULL; } 
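Review bot: BasicBloomFilter::DoUnserialize (`@@ -178,14 +177,14 @@`) now correctly returns `bits_ != NULL`, but it still accepts a zero-length vector, and AddImpl/CountImpl reduce every hash with `% bits_->Size()`, so state restored from a corrupt or hostile file traps on the first Add or Count. `return bits_ != NULL && bits_->Size() > 0;` closes that. CountingBloomFilter::DoUnserialize in `@@ -227,15 +226,15 @@` has the same gap with `cells_->Size()`.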
@@ -594,14 +594,15 @@ IMPLEMENT_SERIAL(BloomFilterVal, SER_BLOOMFILTER_VAL); bool BloomFilterVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BLOOMFILTER_VAL, OpaqueVal); - if ( ! SERIALIZE(type_) ) + if ( ! type_->Serialize(info) ) return false; - return SERIALIZE(bloom_filter_); + return bloom_filter_->Serialize(info); } bool BloomFilterVal::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(OpaqueVal); + type_ = BroType::Unserialize(info); if ( ! type_ ) return false; @@ -609,6 +610,7 @@ bool BloomFilterVal::DoUnserialize(UnserialInfo* info) tl->Append(type_); hash_ = new CompositeHash(tl); Unref(tl); + bloom_filter_ = BloomFilter::Unserialize(info); - return bloom_filter_ == NULL; + return bloom_filter_ != NULL; } diff --git a/src/SerialTypes.h b/src/SerialTypes.h index 859145f19f..9e4aef5b3b 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -50,10 +50,10 @@ SERIAL_IS_BO(CASE, 0x1200) SERIAL_IS(LOCATION, 0x1300) SERIAL_IS(RE_MATCHER, 0x1400) SERIAL_IS(BITVECTOR, 0x1500) -SERIAL_IS(COUNTERVECTOR, 0xa000) -SERIAL_IS(BLOOMFILTER, 0xa100) -SERIAL_IS(BASICBLOOMFILTER, 0xa200) -SERIAL_IS(COUNTINGBLOOMFILTER, 0xa300) +SERIAL_IS(COUNTERVECTOR, 0x1600) +SERIAL_IS(BLOOMFILTER, 0x1700) +SERIAL_IS(BASICBLOOMFILTER, 0x1800) +SERIAL_IS(COUNTINGBLOOMFILTER, 0x1900) // These are the externally visible types. const SerialType SER_NONE = 0; From 14a701a237dfdd745a842a11f363b93d01926505 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 10 Jun 2013 22:24:23 -0700 Subject: [PATCH 138/200] Implement value merging. The actual BloomFilter merging still lacks, this is just the first step in the right direction from the user interface side. --- src/BloomFilter.cc | 27 ++++++++++++++++++++------- src/BloomFilter.h | 18 ++++++------------ src/OpaqueVal.cc | 17 ++++++++++++++--- src/OpaqueVal.h | 17 ++++++++++++++--- 4 files changed, 54 insertions(+), 25 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 1d73734236..e55db71e46 100644 
--- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -124,9 +124,7 @@ BloomFilter* BloomFilter::Unserialize(UnserialInfo* info) bool BloomFilter::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BLOOMFILTER, SerialObj); - if ( ! SERIALIZE(static_cast(hash_->K())) ) - return false; - return SERIALIZE(static_cast(elements_)); + return SERIALIZE(static_cast(hash_->K())); } bool BloomFilter::DoUnserialize(UnserialInfo* info) @@ -136,10 +134,6 @@ bool BloomFilter::DoUnserialize(UnserialInfo* info) if ( ! UNSERIALIZE(&k) ) return false; hash_ = new hash_policy(static_cast(k)); - uint64 elements; - if ( ! UNSERIALIZE(&elements) ) - return false; - elements_ = static_cast(elements); return true; } @@ -155,6 +149,17 @@ size_t BasicBloomFilter::K(size_t cells, size_t capacity) return std::ceil(frac * std::log(2)); } +BasicBloomFilter* BasicBloomFilter::Merge(const BasicBloomFilter* x, + const BasicBloomFilter* y) + { + BasicBloomFilter* result = new BasicBloomFilter(); + result->bits_ = new BitVector(*x->bits_ | *y->bits_); + // TODO: implement the hasher pool and make sure the new result gets the same + // number of (equal) hash functions. + //assert(x->hash_ == y->hash_); + return result; + } + BasicBloomFilter::BasicBloomFilter() : bits_(NULL) { @@ -201,6 +206,14 @@ size_t BasicBloomFilter::CountImpl(const HashPolicy::HashVector& h) const return 1; } + +CountingBloomFilter* CountingBloomFilter::Merge(const CountingBloomFilter* x, + const CountingBloomFilter* y) +{ + assert(! "not yet implemented"); + return NULL; +} + CountingBloomFilter::CountingBloomFilter() : cells_(NULL) { diff --git a/src/BloomFilter.h b/src/BloomFilter.h index 4a83ba904b..3b5d9efa71 100644 --- a/src/BloomFilter.h +++ b/src/BloomFilter.h @@ -155,7 +155,6 @@ public: template void Add(const T& x) { - ++elements_; AddImpl(hash_->Hash(&x, sizeof(x))); } 
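Review bot: BasicBloomFilter::Merge returns a filter built with the default constructor, whose `hash_` is NULL (`BloomFilter::BloomFilter() : hash_(NULL)`), so the first `Add` or `Count` on the merged value dereferences NULL in `hash_->Hash(&x, sizeof(x))`; the TODO acknowledges the hasher question, but the result is handed to callers as usable. Until policies can be compared, give `result` a hash policy before returning and refuse mismatched inputs, e.g. `if ( x->bits_->Size() != y->bits_->Size() ) return NULL;` ahead of the `operator|`, whose behaviour on unequal sizes is not visible here. The reworked version in the `@@ -163,11 +71,9 @@` hunk of 532fbfb carries the same defect.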
@@ -172,16 +171,6 @@ public: return CountImpl(hash_->Hash(&x, sizeof(x))); } - /** - * Retrieves the number of elements added to the Bloom filter. - * - * @return The number of elements in this Bloom filter. - */ - size_t Size() const - { - return elements_; - } - bool Serialize(SerialInfo* info) const; static BloomFilter* Unserialize(UnserialInfo* info); @@ -196,7 +185,6 @@ protected: private: HashPolicy* hash_; - size_t elements_; }; /** @@ -230,6 +218,9 @@ public: */ static size_t K(size_t cells, size_t capacity); + static BasicBloomFilter* Merge(const BasicBloomFilter* x, + const BasicBloomFilter* y); + /** * Constructs a basic Bloom filter with a given false-positive rate and * capacity. @@ -258,6 +249,9 @@ private: */ class CountingBloomFilter : public BloomFilter { public: + static CountingBloomFilter* Merge(const CountingBloomFilter* x, + const CountingBloomFilter* y); + CountingBloomFilter(double fp, size_t capacity, size_t width); CountingBloomFilter(size_t cells, size_t capacity, size_t width); diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index 76936dfb78..9dd5c7f980 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -572,10 +572,21 @@ size_t BloomFilterVal::Count(const Val* val) const return bloom_filter_->Count(key->Hash()); } -BloomFilterVal* BloomFilterVal::Merge(const BloomFilterVal* first, - const BloomFilterVal* second) +BloomFilterVal* BloomFilterVal::Merge(const BloomFilterVal* x, + const BloomFilterVal* y) { - assert(! "not yet implemented"); + if ( x->Type() != y->Type() ) + { + reporter->InternalError("cannot merge Bloom filters with different types"); + return NULL; + } + + BloomFilterVal* result; + if ( (result = DoMerge(x, y)) ) + return result; + else if ( (result = DoMerge(x, y)) ) + return result; + return NULL; } diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index e97a530f3a..4b45cad519 100644 --- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h 
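Review bot: BloomFilterVal::Merge reports a key-type mismatch with `reporter->InternalError(...)`, which in Bro terminates the process, so a script that merges two filters of different element types takes the whole sensor down, and the `return NULL;` after it is unreachable. This is user-facing misuse rather than an invariant violation: use `reporter->Error("cannot merge Bloom filters with different types");` and let the NULL propagate to the BiF. The check compares `x->Type() != y->Type()`; if `Type()` yields the BroType pointer that is identity, not type equality, and `same_type(x->Type(), y->Type())` is the structural comparison.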
@@ -113,10 +113,10 @@ class BloomFilterVal : public OpaqueVal { BloomFilterVal(const BloomFilterVal&); BloomFilterVal& operator=(const BloomFilterVal&); public: - static BloomFilterVal* Merge(const BloomFilterVal* first, - const BloomFilterVal* second); + static BloomFilterVal* Merge(const BloomFilterVal* x, + const BloomFilterVal* y); - BloomFilterVal(BloomFilter* bf); + explicit BloomFilterVal(BloomFilter* bf); ~BloomFilterVal(); bool Typify(BroType* type); @@ -133,6 +133,17 @@ protected: DECLARE_SERIAL(BloomFilterVal); private: + template + static BloomFilterVal* DoMerge(const BloomFilterVal* x, + const BloomFilterVal* y) + { + const T* a = dynamic_cast(x->bloom_filter_); + const T* b = dynamic_cast(y->bloom_filter_); + if ( a && b ) + return new BloomFilterVal(T::Merge(a, b)); + return NULL; + } + BroType* type_; CompositeHash* hash_; BloomFilter* bloom_filter_; From ae5a75bad9ce7b774c286391203d220d87079a2d Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 12 Jun 2013 15:18:58 -0500 Subject: [PATCH 139/200] Fix redef of table index from clearing table. Addresses #1013. `redef foo["x"] = 1` now acts like `redef foo += { ["x"] = 1 }` instead of `redef foo = { ["x"] = 1 }`. --- src/Var.cc | 6 +++++ .../btest/Baseline/language.table-redef/out | 6 +++++ testing/btest/language/table-redef.bro | 26 +++++++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 testing/btest/Baseline/language.table-redef/out create mode 100644 testing/btest/language/table-redef.bro diff --git a/src/Var.cc b/src/Var.cc index b7f2c77203..e85b1ba124 100644 --- a/src/Var.cc +++ b/src/Var.cc 
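Review bot: DoMerge wraps `T::Merge(a, b)` in a new BloomFilterVal without checking the result, and CountingBloomFilter::Merge returns NULL, so in a build without assertions the script receives a value whose `bloom_filter_` is NULL and the next BiF call dereferences it. Write `T* merged = T::Merge(a, b); return merged ? new BloomFilterVal(merged) : NULL;`. The merged value also never goes through `Typify`, so its `type_` and `hash_` appear to stay unset; if Merge's caller does not handle that, `Count` on the result will fail as well (not visible in this hunk).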
@@ -156,6 +156,12 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init, if ( do_init ) { + if ( c == INIT_NONE && dt == VAR_REDEF && t->IsTable() && + init && init->Tag() == EXPR_ASSIGN ) + // e.g. 'redef foo["x"] = 1' is missing an init class, but the + // intention clearly isn't to overwrite entire existing table val. + c = INIT_EXTRA; + if ( (c == INIT_EXTRA && id->FindAttr(ATTR_ADD_FUNC)) || (c == INIT_REMOVE && id->FindAttr(ATTR_DEL_FUNC)) ) // Just apply the function. diff --git a/testing/btest/Baseline/language.table-redef/out b/testing/btest/Baseline/language.table-redef/out new file mode 100644 index 0000000000..fd1939df7e --- /dev/null +++ b/testing/btest/Baseline/language.table-redef/out @@ -0,0 +1,6 @@ +{ +[def] = 99.0, +[neat] = 1.0, +[cool] = 28.0, +[abc] = 8.0 +} diff --git a/testing/btest/language/table-redef.bro b/testing/btest/language/table-redef.bro new file mode 100644 index 0000000000..290610499f --- /dev/null +++ b/testing/btest/language/table-redef.bro @@ -0,0 +1,26 @@ +# @TEST-EXEC: bro -b %INPUT > out +# @TEST-EXEC: btest-diff out + +const foo: table[string] of double &redef; + +# full (re)initialization +redef foo = { ["nope"] = 37.0 }; + +# full (re)initialization, discards "nope" index +redef foo = { ["abc"] = 42.0 }; + +# add elements +redef foo += { ["def"] = -42.0, ["ghi"] = 7.0 }; + +# remove elements from LHS based on indices shared with RHS +redef foo -= { ["ghi"] = 0.0 }; + +# RHS can be a table value +redef foo += table(["cool"] = 5.0, ["neat"] = 1.0); + +# Redef at a single index is allowed, same as += when RHS has overlapping index +redef foo["cool"] = 28.0; +redef foo["abc"] = 8.0; +redef foo += { ["def"] = 99.0 }; + +print foo; From 1f90b539a8574eeadd4b20ae9f379b0fe08999be Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Thu, 13 Jun 2013 23:06:01 -0700 Subject: [PATCH 140/200] Make H3 class adhere to Bro coding style. --- src/H3.h | 89 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 44 insertions(+), 45 deletions(-) diff --git a/src/H3.h b/src/H3.h index 72d81d519f..50afda5688 100644 --- a/src/H3.h +++ b/src/H3.h 
@@ -65,53 +65,52 @@ template class H3 { T byte_lookup[N][H3_BYTE_RANGE]; public: - H3(); - T operator()(const void* data, size_t size, size_t offset = 0) const - { - const unsigned char *p = static_cast(data); - T result = 0; + H3() + { + T bit_lookup[N * CHAR_BIT]; - // loop optmized with Duff's Device - register unsigned n = (size + 7) / 8; - switch (size % 8) { - case 0: do { result ^= byte_lookup[offset++][*p++]; - case 7: result ^= byte_lookup[offset++][*p++]; - case 6: result ^= byte_lookup[offset++][*p++]; - case 5: result ^= byte_lookup[offset++][*p++]; - case 4: result ^= byte_lookup[offset++][*p++]; - case 3: result ^= byte_lookup[offset++][*p++]; - case 2: result ^= byte_lookup[offset++][*p++]; - case 1: result ^= byte_lookup[offset++][*p++]; - } while (--n > 0); - } + for ( size_t bit = 0; bit < N * CHAR_BIT; bit++ ) + { + bit_lookup[bit] = 0; + for ( size_t i = 0; i < sizeof(T)/2; i++ ) + // assume random() returns at least 16 random bits + bit_lookup[bit] = (bit_lookup[bit] << 16) | (bro_random() & 0xFFFF); + } - return result; - } + for ( size_t byte = 0; byte < N; byte++ ) + { + for ( unsigned val = 0; val < H3_BYTE_RANGE; val++ ) + { + byte_lookup[byte][val] = 0; + for ( size_t bit = 0; bit < CHAR_BIT; bit++ ) + // Does this mean byte_lookup[*][0] == 0? 
-RP + if (val & (1 << bit)) + byte_lookup[byte][val] ^= bit_lookup[byte*CHAR_BIT+bit]; + } + } + } + + T operator()(const void* data, size_t size, size_t offset = 0) const + { + const unsigned char *p = static_cast(data); + T result = 0; + + // loop optmized with Duff's Device + register unsigned n = (size + 7) / 8; + switch (size % 8) { + case 0: do { result ^= byte_lookup[offset++][*p++]; + case 7: result ^= byte_lookup[offset++][*p++]; + case 6: result ^= byte_lookup[offset++][*p++]; + case 5: result ^= byte_lookup[offset++][*p++]; + case 4: result ^= byte_lookup[offset++][*p++]; + case 3: result ^= byte_lookup[offset++][*p++]; + case 2: result ^= byte_lookup[offset++][*p++]; + case 1: result ^= byte_lookup[offset++][*p++]; + } while (--n > 0); + } + + return result; + } }; -template -H3::H3() -{ - T bit_lookup[N * CHAR_BIT]; - - for (size_t bit = 0; bit < N * CHAR_BIT; bit++) { - bit_lookup[bit] = 0; - for (size_t i = 0; i < sizeof(T)/2; i++) { - // assume random() returns at least 16 random bits - bit_lookup[bit] = (bit_lookup[bit] << 16) | (bro_random() & 0xFFFF); - } - } - - for (size_t byte = 0; byte < N; byte++) { - for (unsigned val = 0; val < H3_BYTE_RANGE; val++) { - byte_lookup[byte][val] = 0; - for (size_t bit = 0; bit < CHAR_BIT; bit++) { - // Does this mean byte_lookup[*][0] == 0? -RP - if (val & (1 << bit)) - byte_lookup[byte][val] ^= bit_lookup[byte*CHAR_BIT+bit]; - } - } - } -} - #endif //H3_H From 529d12037672d34fd4d1ba5f0d291fd6214f41d4 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 13 Jun 2013 23:07:31 -0700 Subject: [PATCH 141/200] Make H3 seed configurable. --- src/H3.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/H3.h b/src/H3.h index 50afda5688..11b0cd79a5 100644 --- a/src/H3.h +++ b/src/H3.h @@ -65,7 +65,7 @@ template class H3 { T byte_lookup[N][H3_BYTE_RANGE]; public: - H3() + H3(T seed = bro_random()) { T bit_lookup[N * CHAR_BIT]; 
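Review bot: H3::operator() has no guard for `size == 0`: `n = (size + 7) / 8` is 0 and `size % 8 == 0` selects `case 0`, so the body reads `*p++` with no input and `--n` wraps the unsigned counter, turning one out-of-bounds read into roughly four billion. A later commit on this page (79a6a26) guards the Bloom-filter caller, but the check belongs here where every caller benefits: `if ( size == 0 ) return result;` before the `switch`. The loop also trusts `offset + size <= N` for the `byte_lookup` index with nothing checking it, and `register` is deprecated and carries no meaning for current compilers.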
@@ -74,7 +74,7 @@ public: bit_lookup[bit] = 0; for ( size_t i = 0; i < sizeof(T)/2; i++ ) // assume random() returns at least 16 random bits - bit_lookup[bit] = (bit_lookup[bit] << 16) | (bro_random() & 0xFFFF); + bit_lookup[bit] = (bit_lookup[bit] << 16) | (seed & 0xFFFF); } for ( size_t byte = 0; byte < N; byte++ ) From a6d7b7856e87c3a15ba7009ccfb7d6550d1dcfcc Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 13 Jun 2013 23:12:00 -0700 Subject: [PATCH 142/200] Update H3 documentation (and minor style nits.) --- src/H3.h | 60 +++++++++++++++++++++++++++++--------------------------- 1 file changed, 31 insertions(+), 29 deletions(-) diff --git a/src/H3.h b/src/H3.h index 11b0cd79a5..2eda14d276 100644 --- a/src/H3.h +++ b/src/H3.h @@ -49,9 +49,9 @@ // hash a substring of the data. Hashes of substrings can be bitwise-XOR'ed // together to get the same result as hashing the full string. // Any number of hash functions can be created by creating new instances of H3, -// with the same or different template parameters. The hash function is -// randomly generated using bro_random(); you must call init_random_seed() -// before the H3 constructor if you wish to seed it. +// with the same or different template parameters. The hash function +// constructor takes a seed as argument which defaults to a call to +// bro_random(). #ifndef H3_H 
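Review bot: With `(seed & 0xFFFF)` replacing the per-iteration `bro_random()` call, every halfword of every `bit_lookup` entry receives the same 16 bits, so all N*CHAR_BIT entries are identical and the resulting H3 is no longer a universal hash: any input hashes to either 0 or that single constant depending on its parity, which collapses the Bloom filters built on it. The `@@ -72,6 +72,7 @@` hunk of 9f74064 later advances the seed once per entry, which fixes the cross-entry repetition but still copies the same 16 bits into all `sizeof(T)/2` halfwords of an entry; advancing inside the inner loop fixes both: `for ( size_t i = 0; i < sizeof(T)/2; i++ ) { seed = bro_prng(seed); bit_lookup[bit] = (bit_lookup[bit] << 16) | (seed & 0xFFFF); }`. The comment `// assume random() returns at least 16 random bits` no longer describes this line and should say what is assumed of the seed instead.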
@@ -62,34 +62,34 @@ // The number of values representable by a byte. #define H3_BYTE_RANGE (UCHAR_MAX+1) -template class H3 { - T byte_lookup[N][H3_BYTE_RANGE]; +template +class H3 { public: - H3(T seed = bro_random()) + H3(T seed = bro_random()) + { + T bit_lookup[N * CHAR_BIT]; + + for ( size_t bit = 0; bit < N * CHAR_BIT; bit++ ) { - T bit_lookup[N * CHAR_BIT]; - - for ( size_t bit = 0; bit < N * CHAR_BIT; bit++ ) - { - bit_lookup[bit] = 0; - for ( size_t i = 0; i < sizeof(T)/2; i++ ) - // assume random() returns at least 16 random bits - bit_lookup[bit] = (bit_lookup[bit] << 16) | (seed & 0xFFFF); - } - - for ( size_t byte = 0; byte < N; byte++ ) - { - for ( unsigned val = 0; val < H3_BYTE_RANGE; val++ ) - { - byte_lookup[byte][val] = 0; - for ( size_t bit = 0; bit < CHAR_BIT; bit++ ) - // Does this mean byte_lookup[*][0] == 0? -RP - if (val & (1 << bit)) - byte_lookup[byte][val] ^= bit_lookup[byte*CHAR_BIT+bit]; - } - } + bit_lookup[bit] = 0; + for ( size_t i = 0; i < sizeof(T)/2; i++ ) + // assume random() returns at least 16 random bits + bit_lookup[bit] = (bit_lookup[bit] << 16) | (seed & 0xFFFF); } + for ( size_t byte = 0; byte < N; byte++ ) + { + for ( unsigned val = 0; val < H3_BYTE_RANGE; val++ ) + { + byte_lookup[byte][val] = 0; + for ( size_t bit = 0; bit < CHAR_BIT; bit++ ) + // Does this mean byte_lookup[*][0] == 0? -RP + if (val & (1 << bit)) + byte_lookup[byte][val] ^= bit_lookup[byte*CHAR_BIT+bit]; + } + } + } + T operator()(const void* data, size_t size, size_t offset = 0) const { const unsigned char *p = static_cast(data); @@ -97,7 +97,7 @@ public: // loop optmized with Duff's Device register unsigned n = (size + 7) / 8; - switch (size % 8) { + switch ( size % 8 ) { case 0: do { result ^= byte_lookup[offset++][*p++]; case 7: result ^= byte_lookup[offset++][*p++]; case 6: result ^= byte_lookup[offset++][*p++]; 
@@ -106,11 +106,13 @@ public: case 3: result ^= byte_lookup[offset++][*p++]; case 2: result ^= byte_lookup[offset++][*p++]; case 1: result ^= byte_lookup[offset++][*p++]; - } while (--n > 0); + } while ( --n > 0 ); } return result; } +private: + T byte_lookup[N][H3_BYTE_RANGE]; }; #endif //H3_H From d2d8aff81456413597b09b71557b0caabdb7af3d Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Fri, 14 Jun 2013 09:22:48 -0700 Subject: [PATCH 143/200] Add utility function to access first random seed. --- src/util.cc | 13 +++++++++++++ src/util.h | 5 +++++ 2 files changed, 18 insertions(+) diff --git a/src/util.cc b/src/util.cc index de9bd5b679..721ee10a7e 100644 --- a/src/util.cc +++ b/src/util.cc @@ -716,6 +716,8 @@ static bool write_random_seeds(const char* write_file, uint32 seed, static bool bro_rand_determistic = false; static unsigned int bro_rand_state = 0; +static bool first_seed_saved = false; +static unsigned int first_seed = 0; static void bro_srandom(unsigned int seed, bool deterministic) { @@ -800,6 +802,12 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file bro_srandom(seed, seeds_done); + if ( ! first_seed_saved ) + { + first_seed = seed; + first_seed_saved = true; + } + if ( ! hmac_key_set ) { MD5((const u_char*) buf, sizeof(buf), shared_hmac_md5_key); @@ -811,6 +819,11 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file write_file); } +unsigned int initial_seed() + { + return first_seed; +} + bool have_random_seed() { return bro_rand_determistic; diff --git a/src/util.h b/src/util.h index 49bcbf318b..c3eebb04e3 100644 --- a/src/util.h +++ b/src/util.h 
@@ -165,6 +165,11 @@ extern void hmac_md5(size_t size, const unsigned char* bytes, extern void init_random_seed(uint32 seed, const char* load_file, const char* write_file); +// Retrieves the initial seed computed after the very first call to +// init_random_seed(). Repeated calls to init_random_seed() will not affect the +// return value of this function. +unsigned int initial_seed(); + // Returns true if the user explicitly set a seed via init_random_seed(); extern bool have_random_seed(); From 1576239f67ef2641135f95bdd331f3c1a54ee5ad Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Fri, 14 Jun 2013 10:19:39 -0700 Subject: [PATCH 144/200] Support seeding for hashers. --- src/BloomFilter.cc | 11 +++++++++++ src/BloomFilter.h | 4 +++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index e55db71e46..eff7eee733 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -74,6 +74,17 @@ bool CounterVector::DoUnserialize(UnserialInfo* info) } +HashPolicy::Hasher::Hasher(size_t seed) + : h3_(seed) +{ +} + +HashPolicy::HashType +HashPolicy::Hasher::operator()(const void* x, size_t n) const + { + return h3_(x, n); + } + HashPolicy::HashVector DefaultHashing::Hash(const void* x, size_t n) const { HashVector h(K(), 0); diff --git a/src/BloomFilter.h b/src/BloomFilter.h index 3b5d9efa71..65133621f9 100644 --- a/src/BloomFilter.h +++ b/src/BloomFilter.h @@ -96,7 +96,9 @@ protected: */ class Hasher { public: - HashType operator()(const void* x, size_t n) const { return h3_(x, n); } + Hasher(size_t seed); + + HashType operator()(const void* x, size_t n) const; private: // FIXME: The hardcoded value of 36 comes from UHASH_KEY_SIZE defined in // Hash.h. I do not know how this value impacts the hash function behavior From 79a6a26f9f70a937551a94a5dc83b2c5dafe1414 Mon Sep 17 00:00:00 2001 
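Review bot: `Hasher(size_t seed);` in the BloomFilter.h hunk is a single-argument constructor left implicit, so any `size_t` silently converts to a Hasher; mark it `explicit Hasher(size_t seed);`. In the BloomFilter.cc hunk the constructor's braces sit at column 0 while `operator()` directly below indents them, which is the style the surrounding file uses. The seed is also a `size_t` here while H3's constructor takes its seed as the hash type `T`; if the widths differ the value is converted on the way in, which is fine if intended but worth a comment.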
From: Matthias Vallentin Date: Fri, 14 Jun 2013 10:20:33 -0700 Subject: [PATCH 145/200] H3 does not check for zero length input. --- src/BloomFilter.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index eff7eee733..6a44defc6d 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -82,7 +82,7 @@ HashPolicy::Hasher::Hasher(size_t seed) HashPolicy::HashType HashPolicy::Hasher::operator()(const void* x, size_t n) const { - return h3_(x, n); + return n == 0 ? 0 : h3_(x, n); } HashPolicy::HashVector DefaultHashing::Hash(const void* x, size_t n) const From 9f740642891664ee8f482285523969793d0063d0 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 17 Jun 2013 14:02:14 -0700 Subject: [PATCH 146/200] Expose Bro's linear congruence PRNG as utility function. It was previously not possible to crank the wheel on the PRNG in a deterministic way without affecting the globally unique seed. The new extra utility function bro_prng takes a state in the form of a long int and returns the new PRNG state, now allowing arbitrary code parts to use the random number functionality. This commit also fixes a problem in the H3 constructor, which requires use of multiple seeds. The single seed passed in now serves as seed to crank out as many value needed using bro_prng. --- src/H3.h | 1 + src/util.cc | 29 ++++++++++++++++++----------- src/util.h | 7 +++++-- 3 files changed, 24 insertions(+), 13 deletions(-) diff --git a/src/H3.h b/src/H3.h index 2eda14d276..e2dc865147 100644 --- a/src/H3.h +++ b/src/H3.h @@ -72,6 +72,7 @@ public: for ( size_t bit = 0; bit < N * CHAR_BIT; bit++ ) { bit_lookup[bit] = 0; + seed = bro_prng(seed); for ( size_t i = 0; i < sizeof(T)/2; i++ ) // assume random() returns at least 16 random bits bit_lookup[bit] = (bit_lookup[bit] << 16) | (seed & 0xFFFF); diff --git a/src/util.cc b/src/util.cc index 721ee10a7e..cdd257d94f 100644 --- a/src/util.cc +++ b/src/util.cc 
@@ -829,22 +829,29 @@ bool have_random_seed() return bro_rand_determistic; } +long int bro_prng(long int state) + { + // Use our own simple linear congruence PRNG to make sure we are + // predictable across platforms. + static const long int m = 2147483647; + static const long int a = 16807; + const long int q = m / a; + const long int r = m % a; + + state = a * ( state % q ) - r * ( state / q ); + + if ( state <= 0 ) + state += m; + + return state; + } + long int bro_random() { if ( ! bro_rand_determistic ) return random(); // Use system PRNG. - // Use our own simple linear congruence PRNG to make sure we are - // predictable across platforms. - const long int m = 2147483647; - const long int a = 16807; - const long int q = m / a; - const long int r = m % a; - - bro_rand_state = a * ( bro_rand_state % q ) - r * ( bro_rand_state / q ); - - if ( bro_rand_state <= 0 ) - bro_rand_state += m; + bro_rand_state = bro_prng(bro_rand_state); return bro_rand_state; } diff --git a/src/util.h b/src/util.h index c3eebb04e3..0af401c668 100644 --- a/src/util.h +++ b/src/util.h @@ -173,9 +173,12 @@ unsigned int initial_seed(); // Returns true if the user explicitly set a seed via init_random_seed(); extern bool have_random_seed(); +// A simple linear congruence PRNG. It takes its state as argument and returns +// a new random value, which can serve as state for subsequent calls. +long int bro_prng(long int state); + // Replacement for the system random(), to which is normally falls back -// except when a seed has been given. In that case, we use our own -// predictable PRNG. +// except when a seed has been given. In that case, the function bro_prng. long int bro_random(); // Calls the system srandom() function with the given seed if not running From 532fbfb4d27ac9ee733dbcfebccbc91e652d4eb0 Mon Sep 17 00:00:00 2001 
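Review bot: bro_prng applies the Schrage step, which is only valid for `1 <= state < m`; 0 maps to m and m maps back to m (`m % q == r`, so `a*r - r*a == 0` and the `+= m` fixup yields m again), so a zero state produces a constant stream. Zero is reachable: the system `random()` used by bro_random can return 0, `first_seed` defaults to 0, and H3 now feeds whatever seed it received into this function. Either document the precondition in util.h or normalize before the step, `if ( state <= 0 || state >= m ) state = (state % (m - 1) + (m - 1)) % (m - 1) + 1;`, which is the identity for in-range inputs. Negative inputs also break the assumption because `%` truncates toward zero, and a single `+= m` then need not bring the result back into range.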
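Review bot: The reworded comment above `bro_random()` in the util.h hunk ends mid-sentence: `// except when a seed has been given. In that case, the function bro_prng.`. Suggest `// except when a seed has been given. In that case, bro_prng() advances the deterministic state.`. The preceding line's `to which is normally falls back` should read `to which it normally falls back`, though that text is pre-existing.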
From: Matthias Vallentin Date: Mon, 17 Jun 2013 16:06:02 -0700 Subject: [PATCH 147/200] Factor implementation and change interface. When constructing a Bloom filter, one now has to pass a HashPolicy instance to it. This separates more clearly the concerns of hashing and Bloom filter management. This commit also changes the interface to initialize Bloom filters: there exist now two initialization functions, one for each type: (1) bloomfilter_basic_init(fp: double, capacity: count, name: string &default=""): opaque of bloomfilter (2) bloomfilter_counting_init(k: count, cells: count, max: count, name: string &default=""): opaque of bloomfilter The BiFs for adding elements and performing lookups remain the same. This essentially gives us "BiF polymorphism" at script land, where the initialization BiF constructs the most derived type while subsequent BiFs adhere to the same interface. The reason why we split up the constructor in this case is that we have not yet derived the math that computes the optimal number of hash functions for counting Bloom filters---users have to explicitly parameterize them for now. --- src/BloomFilter.cc | 159 +++++--------------------- src/BloomFilter.h | 172 ++++------------------------- src/CMakeLists.txt | 2 + src/CounterVector.cc | 75 +++++++++++++ src/CounterVector.h | 78 +++++++++++++ src/HashPolicy.cc | 72 ++++++++++++ src/HashPolicy.h | 90 +++++++++++++++ src/OpaqueVal.cc | 1 + src/bro.bif | 57 ++++++---- testing/btest/bifs/bloomfilter.bro | 20 ++-- testing/btest/istate/opaque.bro | 2 +- 11 files changed, 409 insertions(+), 319 deletions(-) create mode 100644 src/CounterVector.cc create mode 100644 src/CounterVector.h create mode 100644 src/HashPolicy.cc create mode 100644 src/HashPolicy.h diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 6a44defc6d..0be64c18de 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc 
@@ -1,117 +1,16 @@ #include "BloomFilter.h" #include +#include "CounterVector.h" #include "Serializer.h" -CounterVector::CounterVector(size_t width, size_t cells) - : bits_(new BitVector(width * cells)), width_(width) - { - } - -CounterVector::~CounterVector() - { - delete bits_; - } - -bool CounterVector::Increment(size_type cell, count_type value) - { - // TODO - assert(! "not yet implemented"); - return false; - } - -bool CounterVector::Decrement(size_type cell, count_type value) - { - // TODO - assert(! "not yet implemented"); - return false; - } - -CounterVector::count_type CounterVector::Count(size_type cell) const - { - // TODO - assert(! "not yet implemented"); - return 0; - } - -CounterVector::size_type CounterVector::Size() const - { - return bits_->Blocks() / width_; - } - -bool CounterVector::Serialize(SerialInfo* info) const - { - return SerialObj::Serialize(info); - } - -CounterVector* CounterVector::Unserialize(UnserialInfo* info) - { - return reinterpret_cast( - SerialObj::Unserialize(info, SER_COUNTERVECTOR)); - } - -IMPLEMENT_SERIAL(CounterVector, SER_COUNTERVECTOR) - -bool CounterVector::DoSerialize(SerialInfo* info) const - { - DO_SERIALIZE(SER_COUNTERVECTOR, SerialObj); - if ( ! bits_->Serialize(info) ) - return false; - return SERIALIZE(static_cast(width_)); - } - -bool CounterVector::DoUnserialize(UnserialInfo* info) - { - DO_UNSERIALIZE(SerialObj); - bits_ = BitVector::Unserialize(info); - if ( ! bits_ ) - return false; - uint64 width; - if ( ! UNSERIALIZE(&width) ) - return false; - width_ = static_cast(width); - return true; - } - - -HashPolicy::Hasher::Hasher(size_t seed) - : h3_(seed) -{ -} - -HashPolicy::HashType -HashPolicy::Hasher::operator()(const void* x, size_t n) const - { - return n == 0 ? 
0 : h3_(x, n); - } - -HashPolicy::HashVector DefaultHashing::Hash(const void* x, size_t n) const - { - HashVector h(K(), 0); - for ( size_t i = 0; i < h.size(); ++i ) - h[i] = hashers_[i](x, n); - return h; - } - - -HashPolicy::HashVector DoubleHashing::Hash(const void* x, size_t n) const - { - HashType h1 = hasher1_(x, n); - HashType h2 = hasher2_(x, n); - HashVector h(K(), 0); - for ( size_t i = 0; i < h.size(); ++i ) - h[i] = h1 + i * h2; - return h; - } - - BloomFilter::BloomFilter() : hash_(NULL) { } -BloomFilter::BloomFilter(size_t k) - : hash_(new hash_policy(k)) +BloomFilter::BloomFilter(const HashPolicy* hash_policy) + : hash_(hash_policy) { } @@ -135,7 +34,11 @@ BloomFilter* BloomFilter::Unserialize(UnserialInfo* info) bool BloomFilter::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BLOOMFILTER, SerialObj); - return SERIALIZE(static_cast(hash_->K())); + // FIXME: Since we have a fixed hashing policy, we just serialize the + // information needed to reconstruct it. + if ( ! SERIALIZE(static_cast(hash_->K())) ) + return false; + return SERIALIZE_STR(hash_->Name().c_str(), hash_->Name().size()); } bool BloomFilter::DoUnserialize(UnserialInfo* info) @@ -144,10 +47,15 @@ bool BloomFilter::DoUnserialize(UnserialInfo* info) uint16 k; if ( ! UNSERIALIZE(&k) ) return false; - hash_ = new hash_policy(static_cast(k)); + const char* name; + if ( ! UNSERIALIZE_STR(&name, 0) ) + return false; + // FIXME: for now Bloom filters always use double hashing. + hash_ = new DefaultHashing(k, name); return true; } + size_t BasicBloomFilter::M(double fp, size_t capacity) { double ln2 = std::log(2); 
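Review bot: `BloomFilter::BloomFilter(const HashPolicy* hash_policy) : hash_(hash_policy)` stores a pointer handed in by the caller, while `DoUnserialize` in the same file assigns `hash_ = new DefaultHashing(k, name)`, so the object owns `hash_` on one path and borrows it on the other; the destructor is not in view, but unless the class always takes ownership one of the two paths leaks or double-deletes. State the contract on the constructor, e.g. `// Takes ownership of hash_policy; it is deleted with the filter.`, and make the BiF callers match it. The hunk starts at the top of the file and removes the CounterVector and HashPolicy implementations that moved to their own files, so the rest of the class is outside this view.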
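Review bot: BloomFilter::DoUnserialize (`@@ -144,10 +47,15 @@`) accepts `k == 0` from the stream and builds a policy with zero hash functions; BasicBloomFilter::CountImpl iterates over an empty hash vector and falls through to `return 1`, so every lookup on such a restored filter is a hit. Reject it at the read: `if ( ! UNSERIALIZE(&k) || k == 0 ) return false;`. If UNSERIALIZE_STR hands back heap storage as it does elsewhere in the serializer, `name` is never released after `DefaultHashing` copies it, and `hash_` is overwritten without freeing any previous policy; the FIXME also says "double hashing" while the code constructs `DefaultHashing`, so one of the two should change.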
@@ -163,11 +71,9 @@ size_t BasicBloomFilter::K(size_t cells, size_t capacity) BasicBloomFilter* BasicBloomFilter::Merge(const BasicBloomFilter* x, const BasicBloomFilter* y) { + // TODO: Ensure that x and y use the same HashPolicy before proceeding. BasicBloomFilter* result = new BasicBloomFilter(); result->bits_ = new BitVector(*x->bits_ | *y->bits_); - // TODO: implement the hasher pool and make sure the new result gets the same - // number of (equal) hash functions. - //assert(x->hash_ == y->hash_); return result; } @@ -176,16 +82,10 @@ BasicBloomFilter::BasicBloomFilter() { } -BasicBloomFilter::BasicBloomFilter(double fp, size_t capacity) - : BloomFilter(K(M(fp, capacity), capacity)) +BasicBloomFilter::BasicBloomFilter(const HashPolicy* hash_policy, size_t cells) + : BloomFilter(hash_policy), + bits_(new BitVector(cells)) { - bits_ = new BitVector(M(fp, capacity)); - } - -BasicBloomFilter::BasicBloomFilter(size_t cells, size_t capacity) - : BloomFilter(K(cells, capacity)) - { - bits_ = new BitVector(cells); } IMPLEMENT_SERIAL(BasicBloomFilter, SER_BASICBLOOMFILTER) @@ -203,13 +103,13 @@ bool BasicBloomFilter::DoUnserialize(UnserialInfo* info) return bits_ != NULL; } -void BasicBloomFilter::AddImpl(const HashPolicy::HashVector& h) +void BasicBloomFilter::AddImpl(const HashPolicy::hash_vector& h) { for ( size_t i = 0; i < h.size(); ++i ) bits_->Set(h[i] % bits_->Size()); } -size_t BasicBloomFilter::CountImpl(const HashPolicy::HashVector& h) const +size_t BasicBloomFilter::CountImpl(const HashPolicy::hash_vector& h) const { for ( size_t i = 0; i < h.size(); ++i ) if ( ! (*bits_)[h[i] % bits_->Size()] ) 
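Review bot: `BasicBloomFilter::Merge` returns a filter whose `hash_` is still the NULL set by the default `BloomFilter()` constructor, because the only member it assigns is `result->bits_`; the merged filter can never hash an element, which is a worse problem than the hash-policy TODO it adds. Unless `BitVector::operator|` already rejects unequal lengths, the merge should also refuse mismatched sizes, e.g. `if ( x->bits_->Size() != y->bits_->Size() ) return NULL;`, since `AddImpl`/`CountImpl` index by `h[i] % bits_->Size()`. Building the result through the new `BasicBloomFilter(const HashPolicy*, size_t)` constructor with a policy recreated from `x->hash_->K()` and `x->hash_->Name()` would fix the NULL policy without sharing one heap object between two filters.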
@@ -230,17 +130,9 @@ CountingBloomFilter::CountingBloomFilter() { } -CountingBloomFilter::CountingBloomFilter(double fp, size_t capacity, - size_t width) - : BloomFilter(BasicBloomFilter::K(BasicBloomFilter::M(fp, capacity), - capacity)) - { - cells_ = new CounterVector(width, BasicBloomFilter::M(fp, capacity)); - } - -CountingBloomFilter::CountingBloomFilter(size_t cells, size_t capacity, - size_t width) - : BloomFilter(BasicBloomFilter::K(cells, capacity)) +CountingBloomFilter::CountingBloomFilter(const HashPolicy* hash_policy, + size_t cells, size_t width) + : BloomFilter(hash_policy) { cells_ = new CounterVector(width, cells); } @@ -261,18 +153,19 @@ bool CountingBloomFilter::DoUnserialize(UnserialInfo* info) return cells_ != NULL; } -void CountingBloomFilter::AddImpl(const HashPolicy::HashVector& h) +void CountingBloomFilter::AddImpl(const HashPolicy::hash_vector& h) { for ( size_t i = 0; i < h.size(); ++i ) cells_->Increment(h[i] % cells_->Size(), 1); } -size_t CountingBloomFilter::CountImpl(const HashPolicy::HashVector& h) const +size_t CountingBloomFilter::CountImpl(const HashPolicy::hash_vector& h) const { CounterVector::size_type min = std::numeric_limits::max(); for ( size_t i = 0; i < h.size(); ++i ) { + // TODO: Use partitioning. CounterVector::size_type cnt = cells_->Count(h[i] % cells_->Size()); if ( cnt < min ) min = cnt; diff --git a/src/BloomFilter.h b/src/BloomFilter.h index 65133621f9..189f4920b7 100644 --- a/src/BloomFilter.h +++ b/src/BloomFilter.h 
@@ -3,141 +3,9 @@ #include #include "BitVector.h" -#include "Hash.h" -#include "H3.h" +#include "HashPolicy.h" -/** - * A vector of counters, each of which have a fixed number of bits. - */ -class CounterVector : public SerialObj { -public: - typedef size_t size_type; - typedef uint64 count_type; - - /** - * Constructs a counter vector having cells of a given width. - * - * @param width The number of bits that each cell occupies. - * - * @param cells The number of cells in the bitvector. - */ - CounterVector(size_t width, size_t cells = 1024); - - ~CounterVector(); - - /** - * Increments a given cell. - * - * @param cell The cell to increment. - * - * @param value The value to add to the current counter in *cell*. - * - * @return `true` if adding *value* to the counter in *cell* succeeded. - */ - bool Increment(size_type cell, count_type value); - - /** - * Decrements a given cell. - * - * @param cell The cell to decrement. - * - * @param value The value to subtract from the current counter in *cell*. - * - * @return `true` if subtracting *value* from the counter in *cell* succeeded. - */ - bool Decrement(size_type cell, count_type value); - - /** - * Retrieves the counter of a given cell. - * - * @param cell The cell index to retrieve the count for. - * - * @return The counter associated with *cell*. - */ - count_type Count(size_type cell) const; - - /** - * Retrieves the number of cells in the storage. - * - * @return The number of cells. - */ - size_type Size() const; - - bool Serialize(SerialInfo* info) const; - static CounterVector* Unserialize(UnserialInfo* info); - -protected: - DECLARE_SERIAL(CounterVector); - - CounterVector() { } - -private: - BitVector* bits_; - size_t width_; -}; - -/** - * The abstract base class for hash policies that hash elements *k* times. - * @tparam Codomain An integral type. 
- */ -class HashPolicy { -public: - typedef hash_t HashType; - typedef std::vector HashVector; - - virtual ~HashPolicy() { } - size_t K() const { return k_; } - virtual HashVector Hash(const void* x, size_t n) const = 0; - -protected: - /** - * A functor that computes a universal hash function. - * @tparam Codomain An integral type. - */ - class Hasher { - public: - Hasher(size_t seed); - - HashType operator()(const void* x, size_t n) const; - private: - // FIXME: The hardcoded value of 36 comes from UHASH_KEY_SIZE defined in - // Hash.h. I do not know how this value impacts the hash function behavior - // so I'll just copy it verbatim. (Matthias) - H3 h3_; - }; - - HashPolicy(size_t k) : k_(k) { } - -private: - const size_t k_; -}; - -/** - * The *default* hashing policy. Performs *k* hash function computations. - */ -class DefaultHashing : public HashPolicy { -public: - DefaultHashing(size_t k) : HashPolicy(k), hashers_(k) { } - - virtual HashVector Hash(const void* x, size_t n) const; - -private: - std::vector hashers_; -}; - -/** - * The *double-hashing* policy. Uses a linear combination of two hash functions. - */ -class DoubleHashing : public HashPolicy { -public: - DoubleHashing(size_t k) : HashPolicy(k) { } - - virtual HashVector Hash(const void* x, size_t n) const; - -private: - Hasher hasher1_; - Hasher hasher2_; -}; +class CounterVector; /** * The abstract base class for Bloom filters. @@ -146,8 +14,6 @@ class BloomFilter : public SerialObj { public: // At this point we won't let the user choose the hash policy, but we might // open up the interface in the future. - typedef DoubleHashing hash_policy; - virtual ~BloomFilter(); /** 
@@ -180,13 +46,19 @@ protected: DECLARE_ABSTRACT_SERIAL(BloomFilter); BloomFilter(); - BloomFilter(size_t k); - virtual void AddImpl(const HashPolicy::HashVector& hashes) = 0; - virtual size_t CountImpl(const HashPolicy::HashVector& hashes) const = 0; + /** + * Constructs a Bloom filter. + * + * @param hash_policy The hash policy to use for this Bloom filter. + */ + BloomFilter(const HashPolicy* hash_policy); + + virtual void AddImpl(const HashPolicy::hash_vector& hashes) = 0; + virtual size_t CountImpl(const HashPolicy::hash_vector& hashes) const = 0; private: - HashPolicy* hash_; + const HashPolicy* hash_; }; /** @@ -223,24 +95,18 @@ public: static BasicBloomFilter* Merge(const BasicBloomFilter* x, const BasicBloomFilter* y); - /** - * Constructs a basic Bloom filter with a given false-positive rate and - * capacity. - */ - BasicBloomFilter(double fp, size_t capacity); - /** * Constructs a basic Bloom filter with a given number of cells and capacity. */ - BasicBloomFilter(size_t cells, size_t capacity); + BasicBloomFilter(const HashPolicy* hash_policy, size_t cells); protected: DECLARE_SERIAL(BasicBloomFilter); BasicBloomFilter(); - virtual void AddImpl(const HashPolicy::HashVector& h); - virtual size_t CountImpl(const HashPolicy::HashVector& h) const; + virtual void AddImpl(const HashPolicy::hash_vector& h); + virtual size_t CountImpl(const HashPolicy::hash_vector& h) const; private: BitVector* bits_; 
@@ -254,16 +120,16 @@ public: static CountingBloomFilter* Merge(const CountingBloomFilter* x, const CountingBloomFilter* y); - CountingBloomFilter(double fp, size_t capacity, size_t width); - CountingBloomFilter(size_t cells, size_t capacity, size_t width); + CountingBloomFilter(const HashPolicy* hash_policy, size_t cells, + size_t width); protected: DECLARE_SERIAL(CountingBloomFilter); CountingBloomFilter(); - virtual void AddImpl(const HashPolicy::HashVector& h); - virtual size_t CountImpl(const HashPolicy::HashVector& h) const; + virtual void AddImpl(const HashPolicy::hash_vector& h); + virtual size_t CountImpl(const HashPolicy::hash_vector& h) const; private: CounterVector* cells_; diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 1537bb04b0..f2c7ce6bad 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -255,6 +255,7 @@ set(bro_SRCS ChunkedIO.cc CompHash.cc Conn.cc + CounterVector.cc DFA.cc DbgBreakpoint.cc DbgHelp.cc @@ -278,6 +279,7 @@ set(bro_SRCS Frame.cc Func.cc Hash.cc + HashPolicy.cc ID.cc IntSet.cc IOSource.cc diff --git a/src/CounterVector.cc b/src/CounterVector.cc new file mode 100644 index 0000000000..8ed4c30427 --- /dev/null +++ b/src/CounterVector.cc 
@@ -0,0 +1,75 @@ +#include "CounterVector.h" + +#include "BitVector.h" +#include "Serializer.h" + +CounterVector::CounterVector(size_t width, size_t cells) + : bits_(new BitVector(width * cells)), width_(width) + { + } + +CounterVector::~CounterVector() + { + delete bits_; + } + +bool CounterVector::Increment(size_type cell, count_type value) + { + // TODO + assert(! "not yet implemented"); + return false; + } + +bool CounterVector::Decrement(size_type cell, count_type value) + { + // TODO + assert(! "not yet implemented"); + return false; + } + +CounterVector::count_type CounterVector::Count(size_type cell) const + { + // TODO + assert(! "not yet implemented"); + return 0; + } + +CounterVector::size_type CounterVector::Size() const + { + return bits_->Blocks() / width_; + } + +bool CounterVector::Serialize(SerialInfo* info) const + { + return SerialObj::Serialize(info); + } + +CounterVector* CounterVector::Unserialize(UnserialInfo* info) + { + return reinterpret_cast( + SerialObj::Unserialize(info, SER_COUNTERVECTOR)); + } + +IMPLEMENT_SERIAL(CounterVector, SER_COUNTERVECTOR) + +bool CounterVector::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_COUNTERVECTOR, SerialObj); + if ( ! bits_->Serialize(info) ) + return false; + return SERIALIZE(static_cast(width_)); + } + +bool CounterVector::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(SerialObj); + bits_ = BitVector::Unserialize(info); + if ( ! bits_ ) + return false; + uint64 width; + if ( ! UNSERIALIZE(&width) ) + return false; + width_ = static_cast(width); + return true; + } + diff --git a/src/CounterVector.h b/src/CounterVector.h new file mode 100644 index 0000000000..ecc8fe90e0 --- /dev/null +++ b/src/CounterVector.h 
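Review bot: `Increment`, `Decrement` and `Count` are still `assert(! "not yet implemented")` stubs, which in an `NDEBUG` build compile down to a silent `return false`/`return 0`, so a counting Bloom filter created through the new public bif would neither record nor report anything and never signal an error; until the implementation lands these should fail loudly in every build (the project's fatal reporter, or at least `abort()`). `Size()` divides by `width_`, which `DoUnserialize` reads straight off the wire, so a zero width is a division by zero on first use — add `if ( width == 0 ) return false;` after `UNSERIALIZE(&width)`. Separately, `Size()` returns `bits_->Blocks() / width_` while the constructor sizes the storage as `width * cells` bits; unless `Blocks()` counts bits rather than storage words, this should be `bits_->Size() / width_` to report the number of counters.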
@@ -0,0 +1,78 @@ +#ifndef CounterVector_h +#define CounterVector_h + +#include "SerialObj.h" + +class BitVector; + +/** + * A vector of counters, each of which have a fixed number of bits. + */ +class CounterVector : public SerialObj { +public: + typedef size_t size_type; + typedef uint64 count_type; + + /** + * Constructs a counter vector having cells of a given width. + * + * @param width The number of bits that each cell occupies. + * + * @param cells The number of cells in the bitvector. + */ + CounterVector(size_t width, size_t cells = 1024); + + ~CounterVector(); + + /** + * Increments a given cell. + * + * @param cell The cell to increment. + * + * @param value The value to add to the current counter in *cell*. + * + * @return `true` if adding *value* to the counter in *cell* succeeded. + */ + bool Increment(size_type cell, count_type value); + + /** + * Decrements a given cell. + * + * @param cell The cell to decrement. + * + * @param value The value to subtract from the current counter in *cell*. + * + * @return `true` if subtracting *value* from the counter in *cell* succeeded. + */ + bool Decrement(size_type cell, count_type value); + + /** + * Retrieves the counter of a given cell. + * + * @param cell The cell index to retrieve the count for. + * + * @return The counter associated with *cell*. + */ + count_type Count(size_type cell) const; + + /** + * Retrieves the number of cells in the storage. + * + * @return The number of cells. + */ + size_type Size() const; + + bool Serialize(SerialInfo* info) const; + static CounterVector* Unserialize(UnserialInfo* info); + +protected: + DECLARE_SERIAL(CounterVector); + + CounterVector() { } + +private: + BitVector* bits_; + size_t width_; +}; + +#endif diff --git a/src/HashPolicy.cc b/src/HashPolicy.cc new file mode 100644 index 0000000000..d6fb4f3da4 --- /dev/null +++ b/src/HashPolicy.cc 
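Review bot: `CounterVector` owns a raw `BitVector*` that its destructor deletes but declares no copy constructor or copy assignment, so any copy of a `CounterVector` ends in a double delete unless `SerialObj` already forbids copying; with the codebase still pre-C++11 (see the `/* override */` comments in this same patch), add undefined `CounterVector(const CounterVector&);` and `CounterVector& operator=(const CounterVector&);` to the private section, or implement a deep copy. The `@param cells` text says "cells in the bitvector"; "number of counters in the vector" would match what `Size()` is meant to report.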
@@ -0,0 +1,72 @@ +#include "HashPolicy.h" + +#include "digest.h" + +Hasher::Hasher(size_t seed, const std::string& extra) + : h_(compute_seed(seed, extra)) + { + } + +Hasher::hash_type Hasher::operator()(const void* x, size_t n) const + { + return n == 0 ? 0 : h_(x, n); + } + +size_t Hasher::compute_seed(size_t seed, const std::string& extra) + { + u_char digest[SHA256_DIGEST_LENGTH]; + SHA256_CTX ctx; + sha256_init(&ctx); + if ( extra.empty() ) + { + unsigned int first_seed = initial_seed(); + sha256_update(&ctx, &first_seed, sizeof(first_seed)); + } + else + { + sha256_update(&ctx, extra.c_str(), extra.size()); + } + sha256_update(&ctx, &seed, sizeof(seed)); + sha256_final(&ctx, digest); + return *reinterpret_cast(digest); + } + + +HashPolicy::HashPolicy(size_t k, const std::string& name) + : k_(k), name_(name) + { + } + +DefaultHashing::DefaultHashing(size_t k, const std::string& name) + : HashPolicy(k, name) + { + for ( size_t i = 0; i < k; ++i ) + hashers_.push_back(Hasher(i, name)); + } + +HashPolicy::hash_vector DefaultHashing::Hash(const void* x, size_t n) const + { + hash_vector h(K(), 0); + for ( size_t i = 0; i < h.size(); ++i ) + h[i] = hashers_[i](x, n); + return h; + } + +DoubleHashing::DoubleHashing(size_t k, const std::string& name) + : HashPolicy(k, name), + hasher1_(1, name), + hasher2_(2, name) + { + } + +HashPolicy::hash_vector DoubleHashing::Hash(const void* x, size_t n) const + { + hash_type h1 = hasher1_(x, n); + hash_type h2 = hasher2_(x, n); + hash_vector h(K(), 0); + for ( size_t i = 0; i < h.size(); ++i ) + h[i] = h1 + i * h2; + return h; + } + + diff --git a/src/HashPolicy.h b/src/HashPolicy.h new file mode 100644 index 0000000000..4660bc0080 --- /dev/null +++ b/src/HashPolicy.h 
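Review bot: `Hasher::compute_seed` feeds the raw bytes of `first_seed` and `seed` to SHA-256 (`sha256_update(&ctx, &seed, sizeof(seed))`), so the derived seed depends on host endianness and on `sizeof(size_t)`, and when `extra` is empty it depends on this process's `initial_seed()`; none of that is carried by `BloomFilter::DoSerialize`, which only sends `K()` and `Name()`. A filter serialized on one node and unserialized on another therefore rebuilds hashers that can disagree with the ones that populated it, yielding silently wrong membership answers instead of an error. Hash the seed inputs as fixed-width values in a fixed byte order, and either serialize the effective seed material or refuse to unserialize a filter whose name is empty. The `*reinterpret_cast<...>(digest)` truncation to the first `sizeof(size_t)` bytes is fine for a seed but deserves a one-line comment saying so.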
@@ -0,0 +1,90 @@ +#ifndef HashPolicy_h +#define HashPolicy_h + +#include "Hash.h" +#include "H3.h" + +/** + * A functor that computes a universal hash function. + */ +class Hasher { +public: + typedef hash_t hash_type; + + /** + * Constructs a hasher seeded by a given seed and optionally an extra + * descriptor. + * + * @param seed The seed to use. + * + * @param extra If not `NULL`, the hasher will not mix in the initial seed + * but instead use this NUL-terminated string as additional seed. + */ + Hasher(size_t seed, const std::string& extra = ""); + + /** + * Computes the hash digest of contiguous data. + * + * @param x A pointer to the beginning of the byte sequence to hash. + * + * @param n The length of the sequence pointed to by *x*. + */ + hash_type operator()(const void* x, size_t n) const; + +private: + static size_t compute_seed(size_t seed, const std::string& extra); + + H3 h_; +}; + +/** + * The abstract base class for hash policies that hash elements *k* times. + */ +class HashPolicy { +public: + typedef Hasher::hash_type hash_type; + typedef std::vector hash_vector; + + virtual ~HashPolicy() { } + + virtual hash_vector Hash(const void* x, size_t n) const = 0; + + size_t K() const { return k_; } + const std::string& Name() const { return name_; } + +protected: + HashPolicy(size_t k, const std::string& name); + +private: + const size_t k_; + std::string name_; +}; + +/** + * The default hashing policy. Performs *k* hash function computations. + */ +class DefaultHashing : public HashPolicy { +public: + DefaultHashing(size_t k, const std::string& name); + + virtual hash_vector Hash(const void* x, size_t n) const /* override */; + +private: + std::vector hashers_; +}; + +/** + * The *double-hashing* policy. Uses a linear combination of two hash functions. 
+ */ +class DoubleHashing : public HashPolicy { +public: + DoubleHashing(size_t k, const std::string& name); + + virtual hash_vector Hash(const void* x, size_t n) const; + +private: + Hasher hasher1_; + Hasher hasher2_; +}; + +#endif diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index 9dd5c7f980..8b82916689 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -605,6 +605,7 @@ IMPLEMENT_SERIAL(BloomFilterVal, SER_BLOOMFILTER_VAL); bool BloomFilterVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BLOOMFILTER_VAL, OpaqueVal); + assert( type_ ); if ( ! type_->Serialize(info) ) return false; return bloom_filter_->Serialize(info); diff --git a/src/bro.bif b/src/bro.bif index 9b80c90dbf..a89b808888 100644 --- a/src/bro.bif +++ b/src/bro.bif 
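Review bot: The `Hasher` constructor comment documents `extra` as "If not `NULL` ... this NUL-terminated string", but the parameter is a `const std::string&` defaulting to `""` and the implementation branches on `extra.empty()`, so the doc should read `@param extra If non-empty, used as seed material instead of the process-wide initial seed.` `DefaultHashing::Hash` carries a `/* override */` marker that `DoubleHashing::Hash` lacks; pick one convention for both.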
@@ -4986,42 +4986,55 @@ function anonymize_addr%(a: addr, cl: IPAddrAnonymizationClass%): addr #include "BloomFilter.h" %%} -## Initializes a Bloom filter data structure. +## Creates a basic Bloom filter. ## ## fp: The desired false-positive rate. ## ## capacity: the maximum number of elements that guarantees a false-positive ## rate of *fp*. ## -## max: The maximum counter value associated with each each element in the -## Bloom filter. If greater than 1, each element in the set has a counter of -## *w = ceil(log_2(max))* bits. Each bit in the underlying bit vector then -## becomes a cell of size *w* bits. Since the number number of cells is a -## function ## of *fp* and *capacity*, it is important to consider the effects -## on space when tuning this value. +## name: A name that uniquely identifies and seeds the Bloom filter. If empty, +## the initialization will become dependent on the initial seed. ## ## Returns: A Bloom filter handle. -function bloomfilter_init%(fp: double, capacity: count, - max: count &default=1%): opaque of bloomfilter +function bloomfilter_basic_init%(fp: double, capacity: count, + name: string &default=""%): opaque of bloomfilter %{ if ( fp < 0.0 || fp > 1.0 ) { reporter->Error("false-positive rate must take value between 0 and 1"); return NULL; } - BloomFilter* bf; - if ( max == 1 ) - { - bf = new BasicBloomFilter(fp, capacity); - } - else - { - uint16 width = 0; - while ( max >>= 1 ) - ++width; - bf = new CountingBloomFilter(fp, capacity, width); - } - return new BloomFilterVal(bf); + + size_t cells = BasicBloomFilter::M(fp, capacity); + size_t optimal_k = BasicBloomFilter::K(cells, capacity); + const HashPolicy* hp = new DefaultHashing(optimal_k, name->CheckString()); + fprintf(stderr, "constructing Bloom filter with %llu hash fns and %llu cells\n", optimal_k, cells); + return new BloomFilterVal(new BasicBloomFilter(hp, cells)); + %} + +## Creates a counting Bloom filter. +## +## k: The number of hash functions to use. 
+## +## cells: The number of cells of the underlying counter vector. +## +## max: The maximum counter value associated with each each element described +## by *w = ceil(log_2(max))* bits. Each bit in the underlying counter vector +## becomes a cell of size *w* bits. +## +## name: A name that uniquely identifies and seeds the Bloom filter. If empty, +## the initialization will become dependent on the initial seed. +## +## Returns: A Bloom filter handle. +function bloomfilter_counting_init%(k: count, cells: count, max: count, + name: string &default=""%): opaque of bloomfilter + %{ + const HashPolicy* hp = new DefaultHashing(k, name->CheckString()); + uint16 width = 0; + while ( max >>= 1 ) + ++width; + return new BloomFilterVal(new CountingBloomFilter(hp, cells, width)); %} ## Adds an element to a Bloom filter. diff --git a/testing/btest/bifs/bloomfilter.bro b/testing/btest/bifs/bloomfilter.bro index 769cec1200..3ff6a6668e 100644 --- a/testing/btest/bifs/bloomfilter.bro +++ b/testing/btest/bifs/bloomfilter.bro @@ -4,7 +4,7 @@ event bro_init() { # Basic usage with counts. - local bf_cnt = bloomfilter_init(0.1, 1000); + local bf_cnt = bloomfilter_basic_init(0.1, 1000); bloomfilter_add(bf_cnt, 42); bloomfilter_add(bf_cnt, 84); bloomfilter_add(bf_cnt, 168); 
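Review bot: `bloomfilter_counting_init` validates none of its inputs: `max` of 0 or 1 leaves `width` at 0, which makes `CounterVector::Size()` divide by zero; `cells == 0` makes `h[i] % cells_->Size()` in `CountingBloomFilter::AddImpl` a modulo by zero; and `k == 0` creates a policy with no hash functions. These are script-reachable from any policy that takes tunables, so they should be rejected with `reporter->Error` like the `fp` range check in `bloomfilter_basic_init`. That check itself still admits `fp == 0.0`, whose `log` feeds `BasicBloomFilter::M` (body outside this hunk), so tightening it to `fp <= 0.0 || fp > 1.0` is worth considering as well.

```cpp
function bloomfilter_counting_init%(k: count, cells: count, max: count,
                                  name: string &default=""%): opaque of bloomfilter
	%{
	if ( k == 0 || cells == 0 || max < 2 )
		{
		reporter->Error("counting Bloom filter requires k > 0, cells > 0, and max > 1");
		return NULL;
		}
	// … unchanged: hash policy creation, width computation, construction …
	%}
```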
@@ -16,23 +16,23 @@ event bro_init() bloomfilter_add(bf_cnt, "foo"); # Type mismatch # Basic usage with strings. - local bf_str = bloomfilter_init(0.9, 10); + local bf_str = bloomfilter_basic_init(0.9, 10); bloomfilter_add(bf_str, "foo"); bloomfilter_add(bf_str, "bar"); print bloomfilter_lookup(bf_str, "foo"); print bloomfilter_lookup(bf_str, "bar"); - print bloomfilter_lookup(bf_str, "baz"); # FP - print bloomfilter_lookup(bf_str, "qux"); # FP + print bloomfilter_lookup(bf_str, "b4z"); # FP + print bloomfilter_lookup(bf_str, "quux"); # FP bloomfilter_add(bf_str, 0.5); # Type mismatch bloomfilter_add(bf_str, 100); # Type mismatch # Edge cases. - local bf_edge0 = bloomfilter_init(0.000000000001, 1); - local bf_edge1 = bloomfilter_init(0.00000001, 100000000); - local bf_edge2 = bloomfilter_init(0.9999999, 1); - local bf_edge3 = bloomfilter_init(0.9999999, 100000000000); + local bf_edge0 = bloomfilter_basic_init(0.000000000001, 1); + local bf_edge1 = bloomfilter_basic_init(0.00000001, 100000000); + local bf_edge2 = bloomfilter_basic_init(0.9999999, 1); + local bf_edge3 = bloomfilter_basic_init(0.9999999, 100000000000); # Invalid parameters. - local bf_bug0 = bloomfilter_init(-0.5, 42); - local bf_bug1 = bloomfilter_init(1.1, 42); + local bf_bug0 = bloomfilter_basic_init(-0.5, 42); + local bf_bug1 = bloomfilter_basic_init(1.1, 42); } diff --git a/testing/btest/istate/opaque.bro b/testing/btest/istate/opaque.bro index ac3b2c0874..b387f9d6bc 100644 --- a/testing/btest/istate/opaque.bro +++ b/testing/btest/istate/opaque.bro @@ -82,7 +82,7 @@ event bro_init() if ( ! entropy_test_add(entropy_handle, "f") ) print out, "entropy_test_add() failed"; - bloomfilter_handle = bloomfilter_init(0.1, 100); + bloomfilter_handle = bloomfilter_basic_init(0.1, 100); for ( e in bloomfilter_elements ) bloomfilter_add(bloomfilter_handle, e); } From 85668e7054dd22bc783a620eaf88b04f2e4bb952 Mon Sep 17 00:00:00 2001 
From: Matthias Vallentin Date: Mon, 17 Jun 2013 16:16:44 -0700 Subject: [PATCH 148/200] Remove lingering debug code. --- src/bro.bif | 1 - 1 file changed, 1 deletion(-) diff --git a/src/bro.bif b/src/bro.bif index a89b808888..7c81966317 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -5009,7 +5009,6 @@ function bloomfilter_basic_init%(fp: double, capacity: count, size_t cells = BasicBloomFilter::M(fp, capacity); size_t optimal_k = BasicBloomFilter::K(cells, capacity); const HashPolicy* hp = new DefaultHashing(optimal_k, name->CheckString()); - fprintf(stderr, "constructing Bloom filter with %llu hash fns and %llu cells\n", optimal_k, cells); return new BloomFilterVal(new BasicBloomFilter(hp, cells)); %} From e6e5f4926f5a850c773af05b51d7004fc4899a7c Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 17 Jun 2013 16:26:35 -0700 Subject: [PATCH 149/200] Create hash policies through factory. --- src/BloomFilter.cc | 5 +---- src/HashPolicy.cc | 5 +++++ src/HashPolicy.h | 7 +++++++ src/bro.bif | 4 ++-- 4 files changed, 15 insertions(+), 6 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 0be64c18de..59d411d8e2 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -34,8 +34,6 @@ BloomFilter* BloomFilter::Unserialize(UnserialInfo* info) bool BloomFilter::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BLOOMFILTER, SerialObj); - // FIXME: Since we have a fixed hashing policy, we just serialize the - // information needed to reconstruct it. if ( ! SERIALIZE(static_cast(hash_->K())) ) return false; return SERIALIZE_STR(hash_->Name().c_str(), hash_->Name().size()); @@ -50,8 +48,7 @@ bool BloomFilter::DoUnserialize(UnserialInfo* info) const char* name; if ( ! UNSERIALIZE_STR(&name, 0) ) return false; - // FIXME: for now Bloom filters always use double hashing. - hash_ = new DefaultHashing(k, name); + hash_ = HashPolicy::Create(k, name); return true; } diff --git a/src/HashPolicy.cc b/src/HashPolicy.cc index d6fb4f3da4..7ce754be3c 100644 
--- a/src/HashPolicy.cc +++ b/src/HashPolicy.cc @@ -32,6 +32,11 @@ size_t Hasher::compute_seed(size_t seed, const std::string& extra) } +HashPolicy* HashPolicy::Create(size_t k, const std::string& name) + { + return new DefaultHashing(k, name); + } + HashPolicy::HashPolicy(size_t k, const std::string& name) : k_(k), name_(name) { diff --git a/src/HashPolicy.h b/src/HashPolicy.h index 4660bc0080..7bdb968bfe 100644 --- a/src/HashPolicy.h +++ b/src/HashPolicy.h @@ -42,6 +42,13 @@ private: */ class HashPolicy { public: + /** + * Constructs the hashing policy used by the implementation. This factory + * function exists because the HashingPolicy class hierachy is not yet + * serializable. + */ + static HashPolicy* Create(size_t k, const std::string& name); + typedef Hasher::hash_type hash_type; typedef std::vector hash_vector; diff --git a/src/bro.bif b/src/bro.bif index 7c81966317..d0ce066139 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -5008,7 +5008,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count, size_t cells = BasicBloomFilter::M(fp, capacity); size_t optimal_k = BasicBloomFilter::K(cells, capacity); - const HashPolicy* hp = new DefaultHashing(optimal_k, name->CheckString()); + const HashPolicy* hp = HashPolicy::Create(optimal_k, name->CheckString()); return new BloomFilterVal(new BasicBloomFilter(hp, cells)); %} @@ -5029,7 +5029,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count, function bloomfilter_counting_init%(k: count, cells: count, max: count, name: string &default=""%): opaque of bloomfilter %{ - const HashPolicy* hp = new DefaultHashing(k, name->CheckString()); + const HashPolicy* hp = HashPolicy::Create(k, name->CheckString()); uint16 width = 0; while ( max >>= 1 ) ++width; From 273629de366290f411f381fe5970fc672adf465f Mon Sep 17 00:00:00 2001 
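Review bot: The new `HashPolicy::Create` doc comment misspells `hierachy` and says nothing about ownership, although it returns a heap-allocated object that `BloomFilter` stores as a bare `const HashPolicy*`; spell out the contract with something like `@return A heap-allocated policy owned by the caller (normally the Bloom filter that stores it).`, assuming the filter's destructor, not visible here, is what deletes it. Since both bifs and `BloomFilter::DoUnserialize` now funnel through this one factory, it is also the natural place to reject `k == 0` once instead of in every caller.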
From: Matthias Vallentin Date: Tue, 18 Jun 2013 10:23:07 -0700 Subject: [PATCH 150/200] Only serialize Bloom filter type if available. --- src/OpaqueVal.cc | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index 8b82916689..5a673c4a40 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -605,9 +605,13 @@ IMPLEMENT_SERIAL(BloomFilterVal, SER_BLOOMFILTER_VAL); bool BloomFilterVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BLOOMFILTER_VAL, OpaqueVal); - assert( type_ ); - if ( ! type_->Serialize(info) ) + + bool is_typed = type_ != NULL; + if ( ! SERIALIZE(is_typed) ) return false; + if ( is_typed && ! type_->Serialize(info) ) + return false; + return bloom_filter_->Serialize(info); } @@ -615,13 +619,16 @@ bool BloomFilterVal::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(OpaqueVal); - type_ = BroType::Unserialize(info); - if ( ! type_ ) + bool is_typed; + if ( ! UNSERIALIZE(&is_typed) ) return false; - TypeList* tl = new TypeList(type_); - tl->Append(type_); - hash_ = new CompositeHash(tl); - Unref(tl); + if ( is_typed ) + { + BroType* type = BroType::Unserialize(info); + if ( ! Typify(type) ) + return false; + Unref(type); + } bloom_filter_ = BloomFilter::Unserialize(info); return bloom_filter_ != NULL; From 5f70452a9ac816346c4e480d8de52b213630b5b7 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Tue, 18 Jun 2013 10:40:00 -0700 Subject: [PATCH 151/200] Small fixes and style tweaks. --- src/BitVector.cc | 2 +- src/BloomFilter.cc | 1 + src/OpaqueVal.h | 4 +--- src/Type.cc | 6 +++--- 4 files changed, 6 insertions(+), 7 deletions(-) diff --git a/src/BitVector.cc b/src/BitVector.cc index f029230609..64db32131f 100644 --- a/src/BitVector.cc +++ b/src/BitVector.cc 
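Review bot: In `BloomFilterVal::DoUnserialize` the early `return false` when `Typify(type)` fails skips the `Unref(type)` that follows it, leaking the freshly unserialized `BroType`; the removed code also guarded against `BroType::Unserialize` returning NULL, and nothing visible shows `Typify` tolerating a NULL argument. Rewrite the block as `if ( ! type ) return false; bool ok = Typify(type); Unref(type); if ( ! ok ) return false;` so the reference is released on every path.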
@@ -473,7 +473,7 @@ bool BitVector::DoSerialize(SerialInfo* info) const if ( ! SERIALIZE(static_cast(bits_.size())) ) return false; - for (size_t i = 0; i < bits_.size(); ++i) + for ( size_t i = 0; i < bits_.size(); ++i ) if ( ! SERIALIZE(static_cast(bits_[i])) ) return false; diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 59d411d8e2..a7727630f7 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -49,6 +49,7 @@ bool BloomFilter::DoUnserialize(UnserialInfo* info) if ( ! UNSERIALIZE_STR(&name, 0) ) return false; hash_ = HashPolicy::Create(k, name); + delete [] name; return true; } diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index 4b45cad519..2362fdacfc 100644 --- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h @@ -139,9 +139,7 @@ private: { const T* a = dynamic_cast(x->bloom_filter_); const T* b = dynamic_cast(y->bloom_filter_); - if ( a && b ) - return new BloomFilterVal(T::Merge(a, b)); - return NULL; + return a && b ? new BloomFilterVal(T::Merge(a, b)) : NULL; } BroType* type_; diff --git a/src/Type.cc b/src/Type.cc index 6461bf2560..f19de461cd 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -1311,19 +1311,19 @@ IMPLEMENT_SERIAL(OpaqueType, SER_OPAQUE_TYPE); bool OpaqueType::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_OPAQUE_TYPE, BroType); - return SERIALIZE(name); + return SERIALIZE_STR(name.c_str(), name.size()); } bool OpaqueType::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(BroType); - char const* n; + const char* n; if ( ! UNSERIALIZE_STR(&n, 0) ) return false; - name = n; delete [] n; + return true; } From 7c50efde8056565e3356652ced7b93fe4fbfa4cc Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Fri, 28 Jun 2013 11:40:02 -0400 Subject: [PATCH 152/200] Remove the log queueing mechanism that was included with the SSL log delay mechanism. - One obvious downside is that queued logs at termination may not get logged because the trigger for the when statement never matches. --- scripts/base/protocols/ssl/main.bro | 60 +++++------------------------ 1 file changed, 10 insertions(+), 50 deletions(-) diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 36d0c3f54d..61d8d2fdb4 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -116,13 +116,6 @@ const ports = { redef likely_server_ports += { ports }; -# A queue that buffers log records. -global log_delay_queue: table[count] of Info; -# The top queue index where records are added. -global log_delay_queue_head = 0; -# The bottom queue index that points to the next record to be flushed. -global log_delay_queue_tail = 0; - event bro_init() &priority=5 { Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]); @@ -138,26 +131,17 @@ function set_session(c: connection) function delay_log(info: Info, token: string) { - info$delay_tokens = set(); + if ( ! info?$delay_tokens ) + info$delay_tokens = set(); add info$delay_tokens[token]; - - log_delay_queue[log_delay_queue_head] = info; - ++log_delay_queue_head; } function undelay_log(info: Info, token: string) { - if ( token in info$delay_tokens ) + if ( info?$delay_tokens && token in info$delay_tokens ) delete info$delay_tokens[token]; } -global log_record: function(info: Info); - -event delay_logging(info: Info) - { - log_record(info); - } - function log_record(info: Info) { if ( ! info?$delay_tokens || |info$delay_tokens| == 0 ) 
@@ -166,26 +150,14 @@ function log_record(info: Info) } else { - for ( unused_index in log_delay_queue ) + when ( |info$delay_tokens| == 0 ) { - if ( log_delay_queue_head == log_delay_queue_tail ) - return; - if ( |log_delay_queue[log_delay_queue_tail]$delay_tokens| > 0 ) - { - if ( info$ts + max_log_delay > network_time() ) - { - schedule 1sec { delay_logging(info) }; - return; - } - else - { - Reporter::info(fmt("SSL delay tokens not released in time (%s)", - info$delay_tokens)); - } - } - Log::write(SSL::LOG, log_delay_queue[log_delay_queue_tail]); - delete log_delay_queue[log_delay_queue_tail]; - ++log_delay_queue_tail; + log_record(info); + } + timeout max_log_delay + { + Reporter::info(fmt("SSL delay tokens not released in time (%s tokens remaining)", + |info$delay_tokens|)); } } } @@ -295,15 +267,3 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, if ( c?$ssl ) finish(c); } - -event bro_done() - { - if ( |log_delay_queue| == 0 ) - return; - for ( unused_index in log_delay_queue ) - { - Log::write(SSL::LOG, log_delay_queue[log_delay_queue_tail]); - delete log_delay_queue[log_delay_queue_tail]; - ++log_delay_queue_tail; - } - } From 030564a71058908276d9a07ba5e054822e977a07 Mon Sep 17 00:00:00 2001 
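Review bot: The `timeout max_log_delay` branch of the new `when` statement only calls Reporter::info and never writes the record, so an SSL connection whose delay tokens are not released in time now disappears from ssl.log entirely; the queue-based code this replaces reported the condition and then still reached Log::write. Unless dropping the record is intended, add `Log::write(SSL::LOG, info);` after the Reporter::info call so the entry is logged late rather than not at all. Silently missing records are hard to notice and reduce the value of ssl.log for anyone relying on it for detection. The enclosing function log_record begins outside the hunk.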
From: Seth Hall Date: Tue, 2 Jul 2013 14:49:36 -0400 Subject: [PATCH 153/200] Single character fix to correct support for TLS 1.2 (my bad). - Thanks for help from Rafal Lesniak in nailing down the location of the bug and supplying test traffic. - Test traffic with a TLS 1.2 connection. - Addresses ticket #1020 --- src/analyzer/protocol/ssl/ssl-protocol.pac | 2 +- .../scripts.base.protocols.ssl.tls-1.2/ssl.log | 10 ++++++++++ testing/btest/Traces/tls1.2.trace | Bin 0 -> 8601 bytes .../scripts/base/protocols/ssl/tls-1.2.test | 2 ++ 4 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log create mode 100644 testing/btest/Traces/tls1.2.trace create mode 100644 testing/btest/scripts/base/protocols/ssl/tls-1.2.test diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index 0019478518..b35d07f18b 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -693,7 +693,7 @@ refine connection SSL_Conn += { head2 : uint8) : int %{ if ( head0 >= 20 && head0 <= 23 && - head1 == 0x03 && head2 < 0x03 ) + head1 == 0x03 && head2 <= 0x03 ) // This is most probably SSL version 3. return (head1 << 8) | head2; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log new file mode 100644 index 0000000000..375c033c38 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log 
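Review bot: The comment `// This is most probably SSL version 3.` next to the changed condition is now stale: with `head2 <= 0x03` the check accepts record headers with minor version 0 through 3, i.e. SSLv3 and TLS 1.0 through 1.2, which is exactly what the fix is for. Suggest `// Record header of SSLv3 or TLS 1.0-1.2 (major 3, minor 0..3).` so the next reader does not tighten the bound back to `<`. The enclosing function starts outside the hunk.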
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2013-07-02-18-46-17
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id subject issuer_subject not_valid_before not_valid_after last_alert client_subject client_issuer_subject
+#types time string addr port addr port string string string string string string time time string string string
+1357328848.549370 UWkUyAuUGXf 10.0.0.80 56637 68.233.76.12 443 TLSv12 TLS_RSA_WITH_RC4_128_MD5 - - CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1304467200.000000 1467676799.000000 - - -
+#close 2013-07-02-18-46-17
diff --git a/testing/btest/Traces/tls1.2.trace b/testing/btest/Traces/tls1.2.trace new file mode 100644 index 0000000000000000000000000000000000000000..87d50c277c6b8e25a40ccee85b12e7bddcd41e5f GIT binary patch literal 8601 zcmd6sc|26@-^b6a82i3tnXDlkOQI5E$&&0Ma@$4rG1f{(5m6{4TgjRz71=YXP_{uN zB`UWyOGTo^a}KwD(fzxB&+GZ)d7gQ_uGh@D&UHTDYx#cP-|JlS?BSgpB!C9iKPxK$ zfPgNj@?$2ux@Z6+=r>&YK_|V(6;+>abFq5U0y+Sou@s^KXkhb~aR6YVJz>Z&sD`LL zI9+23E0rNvR=BJI0ExzwBTy(b0zr!dRa`#6_t3~Sb$DuH77UnsT z*tIo*RyYS#apmNKe908@s{<&M*@OAnLgc)JIL7X{^QrwtWlYNZ?uXSfg*Grp`JFmv zjbGlTc2Ci0>C)~m>BUKVLJZZ6d&5%nT=H*zkwO%Y({#cig;{|X7=TonKG6eAvjEe3 z0COFT#N>mK=yO+BN5cwSUM@m~8Qoc)Jw5e@Wp7mr$cUwriq?x>WJDk^7yu;4%F}~% zSd=9i%Z}95l-~mK!WXpcY`R2ON0KWMf56el+1)h&`YF!>GQl@#*lEliz1)0>F7kXJ z4_t#|XVo%3V61J7*COBzJ-j_gt}gO&pbUHu#V-EWJw1;j?lOdcfIuQ7>54aZbq*xL zU&J8Dj1~bDN>tf=UXCJ5+b5+JNNtU;1ikF3$uqzy?^^F{(;C zlvUPm(y}A92=dI(NLTxc)edy>^6-&o16kk-I(9nqK&XFs$cnrm$iG&{sU)ui;@4W@ zHGKoUT!S2;;jx3P@O>OR&ce~l)fcbt<18!B0OH_EdUlkRtCPG4xOMG{Ps`Wa*Tola zLUi@^2=q2LH^f_cc)2*kIvgMy+z7=%FC|NYm1KQfNnj*G_}Aq?U;tDkf*FA7amYx> z4JS_^XHvh_pP$}u;VaI{ni^Huj|;E%5pFmt(lJ)!`QQk$hVU${|MScjlC-3*nE+!( z>X2@uwgELg$j_O}uXeZT`BpbvMW%AxmC}bJ9o@Vy8YGfW_GLfw=bh0~9ZAzNmgUKN z9&YWF`*b(UAAw5}D}8yr{W=Ezj9$m;+J`Hu$i9y*qk|8rF@lnBMTP!c45HnB;UKQt?0dR?@*aabA80+_(dfzQno5iM zK89iuK;%XuDA0`5fkMy>3W%V2K&}W5_1+3#w%Xj%%$~<7s2atVPUPz-SR< zp=UsH#JX_=0!;#mpuzezi2OyI^gj?MfucXP5Yaq;b=226z;A=ts{aeHq9GJS{_5V5 zbpP`7jnIL-905pQuInk@ea)Tiol&&7RD=Wlo=4=7b9!cro{2N!Z*F%4X~oxCc7DCg zgvcCDO^I~N6CKS`UxcYlMgJ3(sTnYptu|%$h~#xDk7;kD@{jNa5vjtV&nYjK)` z!h~18Q=iQDaX0V^2t0gbSOMO%m8^*muhrsE5}9r~%A}Oz_kFK2WjmKJc#_?z(~}{8vR+g5+6$5 z3&GNu3Sr8W^!By>N*fsdzU#<@*l(`0PAMEaJ;BArf*2S;!V@&*#UVFX#ht*6P?G-3{ZkcYIiLk6>W(ilyq~kbE+*bevt}#RV1TI+o5N0pZUbx>zZ2K z-g=qmTW&Dp$s)AG+Z5Im#?i^^XI7eh1dZJkYRu~}#r)eDW)JMt^<-gq`S@yDxb@4O zeK#kt_0Nl3Kkck;_U;I779W025-LdJs%7wOxgSiOwJwyrT3zLVQEt66V4X`JSgIB$ z9EsoS7k!z(+PE_~kA_dgxl85X>Gur@kB#PeQZx9*FTOu_i!)Pn&Sv*Gb9IpoqUR33 
z!;?%i^x%cU9}FdLbq3WvWzP`ySlhQQJP!V7-Ev?XHGTP00G+5isSa=0zrCz@ z{DqPC$9U16i*`xtbPk5-9I%1TrS)lHO6B5<%a6n@W>NLSqOBHuztH(_;SFyre$p9% zUCozkbfyKd5Tv0k;A$?0AdCZ{Dl8h}F#u|>@f4ymsCsqh)g94_zwk6Lz?DdX-FOwK z>t4C;yjldPs|s8$nxE4dqKaau_p?`!?ttP8sXcs z6Z({+afTc+eV4Q@5O{a)PtBgX4u-O&+(jx|O-ok`r19nQ;M6lz!YLoE;QT-7tLO1X}Ki^;W!uw@d@h~kNzzXfY;qu$=8%4hebDqC?GMV6{~I2fq^WL3Fi7W7KQ@iyG86pNAR6vktC94#IOb`C-@OM*IS1 z_B<1pcBgrO4;xRj*?a5?GR}z-MUHUT5uPu=(49Htq{H~~+s>~GV!{A=7ldhL2-AXV zm_{HrE#?0Smmwhk3&h-v8@c?yo+$nkd@C3E6h}V-Xc^UEBim`AIxpt-ie-^|9j`N3 z6))vU8lJd#rQV?K;xvlyT|(!d-X=DEmn4&IBFgl`UdpC?uX@_BQ$C-H`1nX$-?UB;*ThdQpj@$jvEuKC+H&3t^QRzF6J# zVnFCkcLgM0hHFI7kRpf>jHvp9Qm1Xq58&9^h1A)&Eb)887> z;G%cbeSB^Ds5`atRk+cN-*wcjh23Gm z(<2?$W~!MJ=G-+}oAX$@QTaYQ<7mBec<8Z0I!28fM+XzmKK%SSo=+2F`b=lxN}qYyoCvgYFs2|)SufkLA&z#=g!jyepcFUXiv{S7@@*lJfo6rIJK@QB# zU+TFdJY^@^44G`wLz(e7+1_ktaY4%q$^DVsHpi%S%?U=)X!r~P%>*4}z<~S!0TMod zg3IP3BS6W|14gbK*YC(ZTL>Zd?v~V_$W>oQZYKjB5P|?!%VtHy(O^4RQT+YiD)Qig zxayyZ8n7bNSp=2^IYDmLe|S%Im-^` z^y<_kt!U2v;#h%8=au;DSqH= zH{@2|dH*sF8Fqo3;Asz}$l6Z}xIsgK%VxI%tP6r*#V;d&s|dN36}awJelK7}ZfF*T zO8oC$$Pel|kG_**z0Y|o&hL$Y|9RnvbkdWQ)338^VXLDPxS!$i+axLpPQjDNl)PyY zyP-*(iC|%iXZBd1L}DMP;`ahpEStmu(6RGs`E48qE28i?u4-=@$IR-?K;v*8T_1

j8Ql#7=gl$+oGni&oCtx$8K(5I#Gx-02JZ z!f#fnj@y!Kqv&u>=5s8`<(a4*-wF1`dy_9dGe_ml_a`kygb?!|yh&#>?AGs!$Jy8> zaO9*3wBR4{6xhU1Pt*66;r;v(sk5(dmv{}mO?`;5qSAb*IkD$v53*MgJ6he_BMELL+(-v$&=_7>uU&%xAvXH@amIdB)E}5!(VFS?sG=ESi5_A z=@KTLZ4sA#9FAkT5;drUog2V>V*xyiiE)ktp{ZA*3Suuliv=^d)5{43)3$A|TBf%4 zN66aAS_XaYLFt&3vT)XI#Sq-6il?KEwL!qhmXN0w=k~6yT;ROk`P}bbJUU_+iN378h2r}Up#-^7E z^)P~s=U<8s0n|&+hX2%estbG~voI>4Rz1@b7b`0D^wB9WEatV*Z8Zibbg&?ou5w<8|?JZmOXkGh14*QzwO668K)#TA>eQBku2)e3o9iMoXcj@I& z>nDxC}5e%ldk}@t+#kIB_w(k)iFw3x)37tw235h!MZkxqboO%FL_CC** z()W7)F*skJnInO{1xFVTw^`^Z5Vu{|mnsZ%taW7k>b9>Ed)xS{y|`<0>-Ch$h-J0I z=d=}4PG-G06L~6|Tx$F7=7YlvLaH-@d|lPo_}gpj2{y;^5@eA$PHt+Qz4`3u?xf1> zJ$0J-Tyx*Mg4%t?-2MpUtt#lCJg-YX06J8Mk&m6}Yn6T2BF0}K5-qzD;t^Q>x+~+2 zOzd1=R<^hb_2Q+Ylc^P^+1vFSnBF~Y#l1w*C0|apWSzTrfRbqMpNs7wdzL&Y6KtPq zE{n>Fe8+vaB(BWI{d_P$iU8Rzg0}yG?BIM(6+1W7}3em_u)&SVA0aT*W~cF zk0oEfICtR?j2NZbUFkBW0j_j-r$I!&@6vEJp2vv&@lxM>S>o%959=z3gxusnq3?0( z@2}bB018Lpos2-+sF>LnU&pa-Ns%8dKSNhFar%lM-LU z7UgNp{PqNLzs0ddQNFq~nPr88ZC4h$KH?cV6oFd9v3~1RcWEH^=(7rc@+9sPr6u%Bh>gR+~ZRM+hl915OxmcOlC3j zLB6?sM|h862XD{tcLhTU25G{zYy5shV!adN>mi3$;}*9+q)899S2%weI7B5bFX8CE ztMXn?@wJaRtG(x``ALTA3)liJ zr+W-p&Acjydh&)Z3l=p!Lp^U&p0~3RX_40!O_f{BI7~bKUAu4hE_?0^9XCW-x=+g2 z(p60_`~G;gY#j4|@o>4oV_Ot%Znl`jj;KMB1w zm4J&b_S(Yt>hw%_I!>K2MF*ecnfvCVaCVutks(=?_l(UAgHxLBHQs}VntFZwZ|-6t zTfFxqP&C*MU1V0e@lm)j`0H1?J6rRU8s=Xor#pVcxznlzm~&91zD=aN?KWJ=@BQJ0 zv1;TQxf%ux_F!pF5q9mF)nkxGyXZc*ZeARis5jiFa^zdwPG9f+N;nD8hOI%3cWN4C zLBwYLbJC*kLL$*sNl0`YwFVo^GDp^tK?$ z@z|jZ7q&N}PGjS0qMBcMU%PhaOGO>1$~@b-<)OSbQ|5yX%l7mVp|k1yyWi_yl9GK< z+KA(qNcY3`zGgy-N_rYSsTfzHZ8Ee4KLB-|6%TxQw9yc( q$Zg8-Q*kpa0HxRmFf4NGH^Sn=pAangq3vunX5=R<L6b literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/tls-1.2.test b/testing/btest/scripts/base/protocols/ssl/tls-1.2.test new file mode 100644 index 0000000000..25b9083587 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2.test 
@@ -0,0 +1,2 @@ +# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT +# @TEST-EXEC: btest-diff ssl.log From fef3180942723b4124007b605da7c1d93f8f8ce3 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Tue, 2 Jul 2013 18:54:46 -0700 Subject: [PATCH 154/200] bump sqlite to 3.7.17. --- src/3rdparty/sqlite3.c | 3176 ++++++++++++++++++++++++++++++++++------ src/3rdparty/sqlite3.h | 109 +- 2 files changed, 2846 insertions(+), 439 deletions(-) diff --git a/src/3rdparty/sqlite3.c b/src/3rdparty/sqlite3.c index ba6a30e132..deef460899 100644 --- a/src/3rdparty/sqlite3.c +++ b/src/3rdparty/sqlite3.c @@ -1,9 +1,6 @@ -# define SQLITE_THREADSAFE 2 -# define SQLITE_DEFAULT_MEMSTATUS 0 - /****************************************************************************** ** This file is an amalgamation of many separate C source files from SQLite -** version 3.7.16.2. By combining all the individual C code files into this +** version 3.7.17. By combining all the individual C code files into this ** single large file, the entire code can be compiled as a single translation ** unit. This allows many compilers to do optimizations that would not be ** possible if the files were compiled separately. Performance improvements @@ -365,11 +362,11 @@ ** We support that for legacy. */ #if !defined(SQLITE_THREADSAFE) -#if defined(THREADSAFE) -# define SQLITE_THREADSAFE THREADSAFE -#else -# define SQLITE_THREADSAFE 1 /* IMP: R-07272-22309 */ -#endif +# if defined(THREADSAFE) +# define SQLITE_THREADSAFE THREADSAFE +# else +# define SQLITE_THREADSAFE 1 /* IMP: R-07272-22309 */ +# endif #endif /* 
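Review bot: The first hunk of src/3rdparty/sqlite3.c drops the two project-local lines that were prepended to the previous amalgamation, `# define SQLITE_THREADSAFE 2` and `# define SQLITE_DEFAULT_MEMSTATUS 0`, and the following hunk shows that without the first of them the amalgamation falls back to `# define SQLITE_THREADSAFE 1`, so the threading mode and memory-status accounting of the embedded SQLite change with this version bump. If that is intended, the commit message should say so; if not, re-add the two lines at the top of the new amalgamation or supply them as compile definitions from the build system, which this diff does not show.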
@@ -681,9 +678,9 @@ extern "C" { ** [sqlite3_libversion_number()], [sqlite3_sourceid()], ** [sqlite_version()] and [sqlite_source_id()]. */ -#define SQLITE_VERSION "3.7.16.2" -#define SQLITE_VERSION_NUMBER 3007016 -#define SQLITE_SOURCE_ID "2013-04-12 11:52:43 cbea02d93865ce0e06789db95fd9168ebac970c7" +#define SQLITE_VERSION "3.7.17" +#define SQLITE_VERSION_NUMBER 3007017 +#define SQLITE_SOURCE_ID "2013-05-20 00:56:22 118a3b35693b134d56ebd780123b7fd6f1497668" /* ** CAPI3REF: Run-Time Library Version Numbers @@ -999,6 +996,8 @@ SQLITE_API int sqlite3_exec( #define SQLITE_FORMAT 24 /* Auxiliary database format error */ #define SQLITE_RANGE 25 /* 2nd parameter to sqlite3_bind out of range */ #define SQLITE_NOTADB 26 /* File opened that is not a database file */ +#define SQLITE_NOTICE 27 /* Notifications from sqlite3_log() */ +#define SQLITE_WARNING 28 /* Warnings from sqlite3_log() */ #define SQLITE_ROW 100 /* sqlite3_step() has another row ready */ #define SQLITE_DONE 101 /* sqlite3_step() has finished executing */ /* end-of-error-codes */ @@ -1049,6 +1048,7 @@ SQLITE_API int sqlite3_exec( #define SQLITE_IOERR_SHMMAP (SQLITE_IOERR | (21<<8)) #define SQLITE_IOERR_SEEK (SQLITE_IOERR | (22<<8)) #define SQLITE_IOERR_DELETE_NOENT (SQLITE_IOERR | (23<<8)) +#define SQLITE_IOERR_MMAP (SQLITE_IOERR | (24<<8)) #define SQLITE_LOCKED_SHAREDCACHE (SQLITE_LOCKED | (1<<8)) #define SQLITE_BUSY_RECOVERY (SQLITE_BUSY | (1<<8)) #define SQLITE_CANTOPEN_NOTEMPDIR (SQLITE_CANTOPEN | (1<<8)) @@ -1068,6 +1068,8 @@ SQLITE_API int sqlite3_exec( #define SQLITE_CONSTRAINT_TRIGGER (SQLITE_CONSTRAINT | (7<<8)) #define SQLITE_CONSTRAINT_UNIQUE (SQLITE_CONSTRAINT | (8<<8)) #define SQLITE_CONSTRAINT_VTAB (SQLITE_CONSTRAINT | (9<<8)) +#define SQLITE_NOTICE_RECOVER_WAL (SQLITE_NOTICE | (1<<8)) +#define SQLITE_NOTICE_RECOVER_ROLLBACK (SQLITE_NOTICE | (2<<8)) /* ** CAPI3REF: Flags For File Open Operations 
@@ -1307,6 +1309,9 @@ struct sqlite3_io_methods { void (*xShmBarrier)(sqlite3_file*); int (*xShmUnmap)(sqlite3_file*, int deleteFlag); /* Methods above are valid for version 2 */ + int (*xFetch)(sqlite3_file*, sqlite3_int64 iOfst, int iAmt, void **pp); + int (*xUnfetch)(sqlite3_file*, sqlite3_int64 iOfst, void *p); + /* Methods above are valid for version 3 */ /* Additional methods may be added in future releases */ }; @@ -1443,7 +1448,8 @@ struct sqlite3_io_methods { ** it is able to override built-in [PRAGMA] statements. ** **

  • [[SQLITE_FCNTL_BUSYHANDLER]] -** ^This file-control may be invoked by SQLite on the database file handle +** ^The [SQLITE_FCNTL_BUSYHANDLER] +** file-control may be invoked by SQLite on the database file handle ** shortly after it is opened in order to provide a custom VFS with access ** to the connections busy-handler callback. The argument is of type (void **) ** - an array of two (void *) values. The first (void *) actually points @@ -1454,13 +1460,24 @@ struct sqlite3_io_methods { ** current operation. ** **
  • [[SQLITE_FCNTL_TEMPFILENAME]] -** ^Application can invoke this file-control to have SQLite generate a +** ^Application can invoke the [SQLITE_FCNTL_TEMPFILENAME] file-control +** to have SQLite generate a ** temporary filename using the same algorithm that is followed to generate ** temporary filenames for TEMP tables and other internal uses. The ** argument should be a char** which will be filled with the filename ** written into memory obtained from [sqlite3_malloc()]. The caller should ** invoke [sqlite3_free()] on the result to avoid a memory leak. ** +**
  • [[SQLITE_FCNTL_MMAP_SIZE]] +** The [SQLITE_FCNTL_MMAP_SIZE] file control is used to query or set the +** maximum number of bytes that will be used for memory-mapped I/O. +** The argument is a pointer to a value of type sqlite3_int64 that +** is an advisory maximum number of bytes in the file to memory map. The +** pointer is overwritten with the old value. The limit is not changed if +** the value originally pointed to is negative, and so the current limit +** can be queried by passing in a pointer to a negative number. This +** file-control is used internally to implement [PRAGMA mmap_size]. +** ** */ #define SQLITE_FCNTL_LOCKSTATE 1 @@ -1479,6 +1496,7 @@ struct sqlite3_io_methods { #define SQLITE_FCNTL_PRAGMA 14 #define SQLITE_FCNTL_BUSYHANDLER 15 #define SQLITE_FCNTL_TEMPFILENAME 16 +#define SQLITE_FCNTL_MMAP_SIZE 18 /* ** CAPI3REF: Mutex Handle @@ -2145,7 +2163,9 @@ struct sqlite3_mem_methods { ** page cache implementation into that object.)^ ** ** [[SQLITE_CONFIG_LOG]]
    SQLITE_CONFIG_LOG
    -**
    ^The SQLITE_CONFIG_LOG option takes two arguments: a pointer to a +**
    The SQLITE_CONFIG_LOG option is used to configure the SQLite +** global [error log]. +** (^The SQLITE_CONFIG_LOG option takes two arguments: a pointer to a ** function with a call signature of void(*)(void*,int,const char*), ** and a pointer to void. ^If the function pointer is not NULL, it is ** invoked by [sqlite3_log()] to process each logging event. ^If the @@ -2191,12 +2211,12 @@ struct sqlite3_mem_methods { **
    SQLITE_CONFIG_PCACHE and SQLITE_CONFIG_GETPCACHE **
    These options are obsolete and should not be used by new code. ** They are retained for backwards compatibility but are now no-ops. -** +**
    ** ** [[SQLITE_CONFIG_SQLLOG]] **
    SQLITE_CONFIG_SQLLOG **
    This option is only available if sqlite is compiled with the -** SQLITE_ENABLE_SQLLOG pre-processor macro defined. The first argument should +** [SQLITE_ENABLE_SQLLOG] pre-processor macro defined. The first argument should ** be a pointer to a function of type void(*)(void*,sqlite3*,const char*, int). ** The second should be of type (void*). The callback is invoked by the library ** in three separate circumstances, identified by the value passed as the @@ -2206,7 +2226,23 @@ struct sqlite3_mem_methods { ** fourth parameter is 1, then the SQL statement that the third parameter ** points to has just been executed. Or, if the fourth parameter is 2, then ** the connection being passed as the second parameter is being closed. The -** third parameter is passed NULL In this case. +** third parameter is passed NULL In this case. An example of using this +** configuration option can be seen in the "test_sqllog.c" source file in +** the canonical SQLite source tree.
    +** +** [[SQLITE_CONFIG_MMAP_SIZE]] +**
    SQLITE_CONFIG_MMAP_SIZE +**
    SQLITE_CONFIG_MMAP_SIZE takes two 64-bit integer (sqlite3_int64) values +** that are the default mmap size limit (the default setting for +** [PRAGMA mmap_size]) and the maximum allowed mmap size limit. +** The default setting can be overridden by each database connection using +** either the [PRAGMA mmap_size] command, or by using the +** [SQLITE_FCNTL_MMAP_SIZE] file control. The maximum allowed mmap size +** cannot be changed at run-time. Nor may the maximum allowed mmap size +** exceed the compile-time maximum mmap size set by the +** [SQLITE_MAX_MMAP_SIZE] compile-time option. +** If either argument to this option is negative, then that argument is +** changed to its compile-time default. ** */ #define SQLITE_CONFIG_SINGLETHREAD 1 /* nil */ @@ -2230,6 +2266,7 @@ struct sqlite3_mem_methods { #define SQLITE_CONFIG_GETPCACHE2 19 /* sqlite3_pcache_methods2* */ #define SQLITE_CONFIG_COVERING_INDEX_SCAN 20 /* int */ #define SQLITE_CONFIG_SQLLOG 21 /* xSqllog, void* */ +#define SQLITE_CONFIG_MMAP_SIZE 22 /* sqlite3_int64, sqlite3_int64 */ /* ** CAPI3REF: Database Connection Configuration Options @@ -3063,6 +3100,9 @@ SQLITE_API int sqlite3_set_authorizer( ** as each triggered subprogram is entered. The callbacks for triggers ** contain a UTF-8 SQL comment that identifies the trigger.)^ ** +** The [SQLITE_TRACE_SIZE_LIMIT] compile-time option can be used to limit +** the length of [bound parameter] expansion in the output of sqlite3_trace(). +** ** ^The callback function registered by sqlite3_profile() is invoked ** as each SQL statement finishes. ^The profile callback contains ** the original statement text and an estimate of wall-clock time @@ -3601,7 +3641,8 @@ SQLITE_API int sqlite3_limit(sqlite3*, int id, int newVal); **
  • ** ^If the database schema changes, instead of returning [SQLITE_SCHEMA] as it ** always used to do, [sqlite3_step()] will automatically recompile the SQL -** statement and try to run it again. +** statement and try to run it again. As many as [SQLITE_MAX_SCHEMA_RETRY] +** retries will occur before sqlite3_step() gives up and returns an error. **
  • ** **
  • @@ -3805,6 +3846,9 @@ typedef struct sqlite3_context sqlite3_context; ** parameter [SQLITE_LIMIT_VARIABLE_NUMBER] (default value: 999). ** ** ^The third argument is the value to bind to the parameter. +** ^If the third parameter to sqlite3_bind_text() or sqlite3_bind_text16() +** or sqlite3_bind_blob() is a NULL pointer then the fourth parameter +** is ignored and the end result is the same as sqlite3_bind_null(). ** ** ^(In those routines that have a fourth argument, its value is the ** number of bytes in the parameter. To be clear: the value is the @@ -4761,7 +4805,7 @@ SQLITE_API void sqlite3_set_auxdata(sqlite3_context*, int N, void*, void (*)(voi ** the content before returning. ** ** The typedef is necessary to work around problems in certain -** C++ compilers. See ticket #2191. +** C++ compilers. */ typedef void (*sqlite3_destructor_type)(void*); #define SQLITE_STATIC ((sqlite3_destructor_type)0) 
@@ -5560,11 +5604,20 @@ SQLITE_API int sqlite3_table_column_metadata( ** ^This interface loads an SQLite extension library from the named file. ** ** ^The sqlite3_load_extension() interface attempts to load an -** SQLite extension library contained in the file zFile. +** [SQLite extension] library contained in the file zFile. If +** the file cannot be loaded directly, attempts are made to load +** with various operating-system specific extensions added. +** So for example, if "samplelib" cannot be loaded, then names like +** "samplelib.so" or "samplelib.dylib" or "samplelib.dll" might +** be tried also. ** ** ^The entry point is zProc. -** ^zProc may be 0, in which case the name of the entry point -** defaults to "sqlite3_extension_init". +** ^(zProc may be 0, in which case SQLite will try to come up with an +** entry point name on its own. It first tries "sqlite3_extension_init". +** If that does not work, it constructs a name "sqlite3_X_init" where the +** X is consists of the lower-case equivalent of all ASCII alphabetic +** characters in the filename from the last "/" to the first following +** "." and omitting any initial "lib".)^ ** ^The sqlite3_load_extension() interface returns ** [SQLITE_OK] on success and [SQLITE_ERROR] if something goes wrong. ** ^If an error occurs and pzErrMsg is not 0, then the 
@@ -5590,11 +5643,11 @@ SQLITE_API int sqlite3_load_extension( ** CAPI3REF: Enable Or Disable Extension Loading ** ** ^So as not to open security holes in older applications that are -** unprepared to deal with extension loading, and as a means of disabling -** extension loading while evaluating user-entered SQL, the following API +** unprepared to deal with [extension loading], and as a means of disabling +** [extension loading] while evaluating user-entered SQL, the following API ** is provided to turn the [sqlite3_load_extension()] mechanism on and off. ** -** ^Extension loading is off by default. See ticket #1863. +** ^Extension loading is off by default. ** ^Call the sqlite3_enable_load_extension() routine with onoff==1 ** to turn extension loading on and call it with onoff==0 to turn ** it back off again. @@ -5606,7 +5659,7 @@ SQLITE_API int sqlite3_enable_load_extension(sqlite3 *db, int onoff); ** ** ^This interface causes the xEntryPoint() function to be invoked for ** each new [database connection] that is created. The idea here is that -** xEntryPoint() is the entry point for a statically linked SQLite extension +** xEntryPoint() is the entry point for a statically linked [SQLite extension] ** that is to be automatically loaded into all new database connections. ** ** ^(Even though the function prototype shows that xEntryPoint() takes 
@@ -7386,10 +7439,25 @@ SQLITE_API int sqlite3_unlock_notify( SQLITE_API int sqlite3_stricmp(const char *, const char *); SQLITE_API int sqlite3_strnicmp(const char *, const char *, int); +/* +** CAPI3REF: String Globbing +* +** ^The [sqlite3_strglob(P,X)] interface returns zero if string X matches +** the glob pattern P, and it returns non-zero if string X does not match +** the glob pattern P. ^The definition of glob pattern matching used in +** [sqlite3_strglob(P,X)] is the same as for the "X GLOB P" operator in the +** SQL dialect used by SQLite. ^The sqlite3_strglob(P,X) function is case +** sensitive. +** +** Note that this routine returns zero on a match and non-zero if the strings +** do not match, the same as [sqlite3_stricmp()] and [sqlite3_strnicmp()]. +*/ +SQLITE_API int sqlite3_strglob(const char *zGlob, const char *zStr); + /* ** CAPI3REF: Error Logging Interface ** -** ^The [sqlite3_log()] interface writes a message into the error log +** ^The [sqlite3_log()] interface writes a message into the [error log] ** established by the [SQLITE_CONFIG_LOG] option to [sqlite3_config()]. ** ^If logging is enabled, the zFormat string and subsequent arguments are ** used with [sqlite3_snprintf()] to generate the final output string. @@ -8074,6 +8142,7 @@ SQLITE_PRIVATE void sqlite3HashClear(Hash*); */ #ifndef SQLITE_TEMP_STORE # define SQLITE_TEMP_STORE 1 +# define SQLITE_TEMP_STORE_xc 1 /* Exclude from ctime.c */ #endif /* 
@@ -8221,6 +8290,49 @@ SQLITE_PRIVATE const int sqlite3one; # define EIGHT_BYTE_ALIGNMENT(X) ((((char*)(X) - (char*)0)&7)==0) #endif +/* +** Disable MMAP on platforms where it is known to not work +*/ +#if defined(__OpenBSD__) || defined(__QNXNTO__) +# undef SQLITE_MAX_MMAP_SIZE +# define SQLITE_MAX_MMAP_SIZE 0 +#endif + +/* +** Default maximum size of memory used by memory-mapped I/O in the VFS +*/ +#ifdef __APPLE__ +# include +# if TARGET_OS_IPHONE +# undef SQLITE_MAX_MMAP_SIZE +# define SQLITE_MAX_MMAP_SIZE 0 +# endif +#endif +#ifndef SQLITE_MAX_MMAP_SIZE +# if defined(__linux__) \ + || defined(_WIN32) \ + || (defined(__APPLE__) && defined(__MACH__)) \ + || defined(__sun) +# define SQLITE_MAX_MMAP_SIZE 0x7fff0000 /* 2147418112 */ +# else +# define SQLITE_MAX_MMAP_SIZE 0 +# endif +# define SQLITE_MAX_MMAP_SIZE_xc 1 /* exclude from ctime.c */ +#endif + +/* +** The default MMAP_SIZE is zero on all platforms. Or, even if a larger +** default MMAP_SIZE is specified at compile-time, make sure that it does +** not exceed the maximum mmap size. +*/ +#ifndef SQLITE_DEFAULT_MMAP_SIZE +# define SQLITE_DEFAULT_MMAP_SIZE 0 +# define SQLITE_DEFAULT_MMAP_SIZE_xc 1 /* Exclude from ctime.c */ +#endif +#if SQLITE_DEFAULT_MMAP_SIZE>SQLITE_MAX_MMAP_SIZE +# undef SQLITE_DEFAULT_MMAP_SIZE +# define SQLITE_DEFAULT_MMAP_SIZE SQLITE_MAX_MMAP_SIZE +#endif /* ** An instance of the following structure is used to store the busy-handler @@ -8442,6 +8554,7 @@ SQLITE_PRIVATE int sqlite3BtreeOpen( SQLITE_PRIVATE int sqlite3BtreeClose(Btree*); SQLITE_PRIVATE int sqlite3BtreeSetCacheSize(Btree*,int); +SQLITE_PRIVATE int sqlite3BtreeSetMmapLimit(Btree*,sqlite3_int64); SQLITE_PRIVATE int sqlite3BtreeSetSafetyLevel(Btree*,int,int,int); SQLITE_PRIVATE int sqlite3BtreeSyncDisabled(Btree*); SQLITE_PRIVATE int sqlite3BtreeSetPageSize(Btree *p, int nPagesize, int nReserve, int eFix); 
@@ -8518,6 +8631,7 @@ SQLITE_PRIVATE int sqlite3BtreeNewDb(Btree *p); #define BTREE_TEXT_ENCODING 5 #define BTREE_USER_VERSION 6 #define BTREE_INCR_VACUUM 7 +#define BTREE_APPLICATION_ID 8 /* ** Values that may be OR'd together to form the second argument of an @@ -9142,6 +9256,12 @@ typedef struct PgHdr DbPage; #define PAGER_JOURNALMODE_MEMORY 4 /* In-memory journal file */ #define PAGER_JOURNALMODE_WAL 5 /* Use write-ahead logging */ +/* +** Flags that make up the mask passed to sqlite3PagerAcquire(). +*/ +#define PAGER_ACQUIRE_NOCONTENT 0x01 /* Do not load data from disk */ +#define PAGER_ACQUIRE_READONLY 0x02 /* Read-only page is acceptable */ + /* ** The remainder of this file contains the declarations of the functions ** that make up the Pager sub-system API. See source code comments for @@ -9166,6 +9286,7 @@ SQLITE_PRIVATE void sqlite3PagerSetBusyhandler(Pager*, int(*)(void *), void *); SQLITE_PRIVATE int sqlite3PagerSetPagesize(Pager*, u32*, int); SQLITE_PRIVATE int sqlite3PagerMaxPageCount(Pager*, int); SQLITE_PRIVATE void sqlite3PagerSetCachesize(Pager*, int); +SQLITE_PRIVATE void sqlite3PagerSetMmapLimit(Pager *, sqlite3_int64); SQLITE_PRIVATE void sqlite3PagerShrink(Pager*); SQLITE_PRIVATE void sqlite3PagerSetSafetyLevel(Pager*,int,int,int); SQLITE_PRIVATE int sqlite3PagerLockingMode(Pager *, int); @@ -9312,6 +9433,8 @@ struct PgHdr { #define PGHDR_REUSE_UNLIKELY 0x010 /* A hint that reuse is unlikely */ #define PGHDR_DONT_WRITE 0x020 /* Do not write content to disk */ +#define PGHDR_MMAP 0x040 /* This is an mmap page object */ + /* Initialize and shutdown the page cache subsystem */ SQLITE_PRIVATE int sqlite3PcacheInitialize(void); SQLITE_PRIVATE void sqlite3PcacheShutdown(void); 
@@ -9523,14 +9646,6 @@ SQLITE_PRIVATE void sqlite3PCacheSetDefault(void); # define SQLITE_OS_WINRT 0 #endif -/* -** When compiled for WinCE or WinRT, there is no concept of the current -** directory. - */ -#if !SQLITE_OS_WINCE && !SQLITE_OS_WINRT -# define SQLITE_CURDIR 1 -#endif - /* If the SET_FULLSYNC macro is not defined above, then make it ** a no-op */ @@ -9683,6 +9798,8 @@ SQLITE_PRIVATE int sqlite3OsShmMap(sqlite3_file *,int,int,int,void volatile **); SQLITE_PRIVATE int sqlite3OsShmLock(sqlite3_file *id, int, int, int); SQLITE_PRIVATE void sqlite3OsShmBarrier(sqlite3_file *id); SQLITE_PRIVATE int sqlite3OsShmUnmap(sqlite3_file *id, int); +SQLITE_PRIVATE int sqlite3OsFetch(sqlite3_file *id, i64, int, void **); +SQLITE_PRIVATE int sqlite3OsUnfetch(sqlite3_file *, i64, void *); /* @@ -9922,6 +10039,7 @@ struct sqlite3 { int nDb; /* Number of backends currently in use */ int flags; /* Miscellaneous flags. See below */ i64 lastRowid; /* ROWID of most recent insert (see above) */ + i64 szMmap; /* Default mmap_size setting */ unsigned int openFlags; /* Flags passed to sqlite3_vfs.xOpen() */ int errCode; /* Most recent error code (SQLITE_*) */ int errMask; /* & result codes with this before returning */ @@ -11158,6 +11276,8 @@ struct NameContext { #define NC_HasAgg 0x02 /* One or more aggregate functions seen */ #define NC_IsCheck 0x04 /* True if resolving names in a CHECK constraint */ #define NC_InAggFunc 0x08 /* True if analyzing arguments to an agg func */ +#define NC_AsMaybe 0x10 /* Resolve to AS terms of the result set only + ** if no other resolution is available */ /* ** An instance of the following structure contains all information 
@@ -11593,6 +11713,8 @@ struct Sqlite3Config { void *pHeap; /* Heap storage space */ int nHeap; /* Size of pHeap[] */ int mnReq, mxReq; /* Min and max heap requests sizes */ + sqlite3_int64 szMmap; /* mmap() space per open file */ + sqlite3_int64 mxMmap; /* Maximum value for szMmap */ void *pScratch; /* Scratch memory */ int szScratch; /* Size of each scratch buffer */ int nScratch; /* Number of scratch buffers */ @@ -11627,6 +11749,7 @@ struct Walker { int (*xSelectCallback)(Walker*,Select*); /* Callback for SELECTs */ Parse *pParse; /* Parser context. */ int walkerDepth; /* Number of subqueries */ + u8 bSelectDepthFirst; /* Do subqueries first */ union { /* Extra data for callback */ NameContext *pNC; /* Naming context */ int i; /* Integer value */ @@ -12130,6 +12253,12 @@ SQLITE_PRIVATE void sqlite3Error(sqlite3*, int, const char*,...); SQLITE_PRIVATE void *sqlite3HexToBlob(sqlite3*, const char *z, int n); SQLITE_PRIVATE u8 sqlite3HexToInt(int h); SQLITE_PRIVATE int sqlite3TwoPartName(Parse *, Token *, Token *, Token **); + +#if defined(SQLITE_DEBUG) || defined(SQLITE_TEST) || \ + defined(SQLITE_DEBUG_OS_TRACE) +SQLITE_PRIVATE const char *sqlite3ErrName(int); +#endif + SQLITE_PRIVATE const char *sqlite3ErrStr(int); SQLITE_PRIVATE int sqlite3ReadSchema(Parse *pParse); SQLITE_PRIVATE CollSeq *sqlite3FindCollSeq(sqlite3*,u8 enc, const char*,int); @@ -12614,6 +12743,8 @@ SQLITE_PRIVATE SQLITE_WSD struct Sqlite3Config sqlite3Config = { (void*)0, /* pHeap */ 0, /* nHeap */ 0, 0, /* mnHeap, mxHeap */ + SQLITE_DEFAULT_MMAP_SIZE, /* szMmap */ + SQLITE_MAX_MMAP_SIZE, /* mxMmap */ (void*)0, /* pScratch */ 0, /* szScratch */ 0, /* nScratch */ 
@@ -12737,15 +12868,15 @@ static const char * const azCompileOpt[] = { #ifdef SQLITE_COVERAGE_TEST "COVERAGE_TEST", #endif -#ifdef SQLITE_CURDIR - "CURDIR", -#endif #ifdef SQLITE_DEBUG "DEBUG", #endif #ifdef SQLITE_DEFAULT_LOCKING_MODE "DEFAULT_LOCKING_MODE=" CTIMEOPT_VAL(SQLITE_DEFAULT_LOCKING_MODE), #endif +#if defined(SQLITE_DEFAULT_MMAP_SIZE) && !defined(SQLITE_DEFAULT_MMAP_SIZE_xc) + "DEFAULT_MMAP_SIZE=" CTIMEOPT_VAL(SQLITE_DEFAULT_MMAP_SIZE), +#endif #ifdef SQLITE_DISABLE_DIRSYNC "DISABLE_DIRSYNC", #endif @@ -12836,6 +12967,9 @@ static const char * const azCompileOpt[] = { #ifdef SQLITE_LOCK_TRACE "LOCK_TRACE", #endif +#if defined(SQLITE_MAX_MMAP_SIZE) && !defined(SQLITE_MAX_MMAP_SIZE_xc) + "MAX_MMAP_SIZE=" CTIMEOPT_VAL(SQLITE_MAX_MMAP_SIZE), +#endif #ifdef SQLITE_MAX_SCHEMA_RETRY "MAX_SCHEMA_RETRY=" CTIMEOPT_VAL(SQLITE_MAX_SCHEMA_RETRY), #endif @@ -12893,11 +13027,6 @@ static const char * const azCompileOpt[] = { #ifdef SQLITE_OMIT_CHECK "OMIT_CHECK", #endif -/* // redundant -** #ifdef SQLITE_OMIT_COMPILEOPTION_DIAGS -** "OMIT_COMPILEOPTION_DIAGS", -** #endif -*/ #ifdef SQLITE_OMIT_COMPLETE "OMIT_COMPLETE", #endif @@ -13039,13 +13168,13 @@ static const char * const azCompileOpt[] = { #ifdef SQLITE_TCL "TCL", #endif -#ifdef SQLITE_TEMP_STORE +#if defined(SQLITE_TEMP_STORE) && !defined(SQLITE_TEMP_STORE_xc) "TEMP_STORE=" CTIMEOPT_VAL(SQLITE_TEMP_STORE), #endif #ifdef SQLITE_TEST "TEST", #endif -#ifdef SQLITE_THREADSAFE +#if defined(SQLITE_THREADSAFE) "THREADSAFE=" CTIMEOPT_VAL(SQLITE_THREADSAFE), #endif #ifdef SQLITE_USE_ALLOCA 
@@ -13071,8 +13200,11 @@ SQLITE_API int sqlite3_compileoption_used(const char *zOptName){ /* Since ArraySize(azCompileOpt) is normally in single digits, a ** linear search is adequate. No need for a binary search. */ for(i=0; ipMethods->xShmMap(id, iPage, pgsz, bExtend, pp); } +#if SQLITE_MAX_MMAP_SIZE>0 +/* The real implementation of xFetch and xUnfetch */ +SQLITE_PRIVATE int sqlite3OsFetch(sqlite3_file *id, i64 iOff, int iAmt, void **pp){ + DO_OS_MALLOC_TEST(id); + return id->pMethods->xFetch(id, iOff, iAmt, pp); +} +SQLITE_PRIVATE int sqlite3OsUnfetch(sqlite3_file *id, i64 iOff, void *p){ + return id->pMethods->xUnfetch(id, iOff, p); +} +#else +/* No-op stubs to use when memory-mapped I/O is disabled */ +SQLITE_PRIVATE int sqlite3OsFetch(sqlite3_file *id, i64 iOff, int iAmt, void **pp){ + *pp = 0; + return SQLITE_OK; +} +SQLITE_PRIVATE int sqlite3OsUnfetch(sqlite3_file *id, i64 iOff, void *p){ + return SQLITE_OK; +} +#endif + /* ** The next group of routines are convenience wrappers around the ** VFS methods. @@ -22851,7 +23011,7 @@ SQLITE_PRIVATE const char *sqlite3OpcodeName(int i){ /* #include */ #include #include -#ifndef SQLITE_OMIT_WAL +#if !defined(SQLITE_OMIT_WAL) || SQLITE_MAX_MMAP_SIZE>0 #include #endif @@ -22950,6 +23110,11 @@ struct unixFile { const char *zPath; /* Name of the file */ unixShm *pShm; /* Shared memory segment information */ int szChunk; /* Configured by FCNTL_CHUNK_SIZE */ + int nFetchOut; /* Number of outstanding xFetch refs */ + sqlite3_int64 mmapSize; /* Usable size of mapping at pMapRegion */ + sqlite3_int64 mmapSizeActual; /* Actual size of mapping at pMapRegion */ + sqlite3_int64 mmapSizeMax; /* Configured FCNTL_MMAP_SIZE value */ + void *pMapRegion; /* Memory mapped region */ #ifdef __QNXNTO__ int sectorSize; /* Device sector size */ int deviceCharacteristics; /* Precomputed device characteristics */ 
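Review bot: `sqlite3OsFetch()` and `sqlite3OsUnfetch()` call `id->pMethods->xFetch`/`xUnfetch` unconditionally, but those slots only exist in `sqlite3_io_methods` objects with `iVersion>=3` (only `posixIoMethods` is bumped to 3, in the `IOMETHODS` hunk further down the page). Unless every caller checks `pMethods->iVersion` first — that check is not in view — a third-party VFS still at version 1 or 2 would have a pointer read past the end of its method table and called. A guard in the wrapper, `if( id->pMethods->iVersion<3 ){ *pp = 0; return SQLITE_OK; }`, or at least `assert( id->pMethods->iVersion>=3 );`, keeps the VFS extension boundary safe. The middle of this physical line is garbled (`for(i=0; ipMethods->xShmMap`), so the `sqlite3_compileoption_used()` hunk and the head of the OS-wrapper hunk cannot be reviewed here.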
@@ -22974,7 +23139,9 @@ struct unixFile { unsigned char transCntrChng; /* True if the transaction counter changed */ unsigned char dbUpdate; /* True if any part of database file changed */ unsigned char inNormalWrite; /* True if in a normal write operation */ + #endif + #ifdef SQLITE_TEST /* In test mode, increase the size of this structure a bit so that ** it is larger than the struct CrashFile defined in test6.c. @@ -22998,6 +23165,7 @@ struct unixFile { #define UNIXFILE_DELETE 0x20 /* Delete on close */ #define UNIXFILE_URI 0x40 /* Filename might have query parameters */ #define UNIXFILE_NOLOCK 0x80 /* Do no file locking */ +#define UNIXFILE_WARNED 0x0100 /* verifyDbFile() warnings have been issued */ /* ** Include code that is common to all os_*.c files @@ -23239,6 +23407,17 @@ SQLITE_API int sqlite3_open_file_count = 0; #define threadid 0 #endif +/* +** HAVE_MREMAP defaults to true on Linux and false everywhere else. +*/ +#if !defined(HAVE_MREMAP) +# if defined(__linux__) && defined(_GNU_SOURCE) +# define HAVE_MREMAP 1 +# else +# define HAVE_MREMAP 0 +# endif +#endif + /* ** Different Unix systems declare open() in different ways. Same use ** open(const char*,int,mode_t). Others use open(const char*,int,...). @@ -23263,9 +23442,6 @@ static int posixFchown(int fd, uid_t uid, gid_t gid){ /* Forward reference */ static int openDirectory(const char*, int*); -/* Fix for "error: 'fchmod' undeclared here (not in a function)" on FreeBSD 9 */ -int fchmod(int, mode_t); - /* ** Many system calls are accessed through pointer-to-functions so that ** they may be overridden at runtime to facilitate fault injection during 
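Review bot: `UNIXFILE_WARNED` is `0x0100`, the first `UNIXFILE_*` flag that does not fit in eight bits, and the width of `unixFile.ctrlFlags` is not visible in this diff while `fillInUnixFile()` further down still stores `(u8)ctrlFlags`. If the field is still an `unsigned char`, `pFile->ctrlFlags |= UNIXFILE_WARNED` in `verifyDbFile()` is silently dropped and the warn-once guard never triggers, so the same warning is logged on every open and close; confirm the field is at least 16 bits wide and record that next to the define, e.g. `/* Requires ctrlFlags to be wider than 8 bits */`. The `HAVE_MREMAP` default also keys on `_GNU_SOURCE` being defined before this point; a Linux build without it silently takes the munmap/mmap path, which is correct but deserves a one-line comment.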
@@ -23373,6 +23549,19 @@ static struct unix_syscall { { "fchown", (sqlite3_syscall_ptr)posixFchown, 0 }, #define osFchown ((int(*)(int,uid_t,gid_t))aSyscall[20].pCurrent) + { "mmap", (sqlite3_syscall_ptr)mmap, 0 }, +#define osMmap ((void*(*)(void*,size_t,int,int,int,off_t))aSyscall[21].pCurrent) + + { "munmap", (sqlite3_syscall_ptr)munmap, 0 }, +#define osMunmap ((void*(*)(void*,size_t))aSyscall[22].pCurrent) + +#if HAVE_MREMAP + { "mremap", (sqlite3_syscall_ptr)mremap, 0 }, +#else + { "mremap", (sqlite3_syscall_ptr)0, 0 }, +#endif +#define osMremap ((void*(*)(void*,size_t,size_t,int,...))aSyscall[23].pCurrent) + }; /* End of the overrideable system calls */ /* @@ -23704,7 +23893,6 @@ static int sqliteErrorFromPosixError(int posixError, int sqliteIOErr) { } - /****************************************************************************** ****************** Begin Unique File ID Utility Used By VxWorks *************** ** @@ -24040,7 +24228,6 @@ static int unixLogErrorAtLine( zErr = strerror(iErrno); #endif - assert( errcode!=SQLITE_OK ); if( zPath==0 ) zPath = ""; sqlite3_log(errcode, "os_unix.c:%d: (%d) %s(%s) - %s", 
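Review bot: The `osMunmap` accessor casts `aSyscall[22].pCurrent` to `void*(*)(void*,size_t)`, but `munmap()` returns `int`; calling it through a pointer of the wrong function type is undefined behaviour even though every call site on this page discards the result. It should read `#define osMunmap ((int(*)(void*,size_t))aSyscall[22].pCurrent)`. Separately, dropping `assert( errcode!=SQLITE_OK )` from `unixLogErrorAtLine()` appears to exist only so that `unixRemapfile()` can log with `SQLITE_OK`; logging that failure as `SQLITE_WARNING` would have kept both the assert and the invariant that logged events carry a non-OK code.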
@@ -24206,6 +24393,50 @@ static int findInodeInfo( } +/* +** Check a unixFile that is a database. Verify the following: +** +** (1) There is exactly one hard link on the file +** (2) The file is not a symbolic link +** (3) The file has not been renamed or unlinked +** +** Issue sqlite3_log(SQLITE_WARNING,...) messages if anything is not right. +*/ +static void verifyDbFile(unixFile *pFile){ + struct stat buf; + int rc; + if( pFile->ctrlFlags & UNIXFILE_WARNED ){ + /* One or more of the following warnings have already been issued. Do not + ** repeat them so as not to clutter the error log */ + return; + } + rc = osFstat(pFile->h, &buf); + if( rc!=0 ){ + sqlite3_log(SQLITE_WARNING, "cannot fstat db file %s", pFile->zPath); + pFile->ctrlFlags |= UNIXFILE_WARNED; + return; + } + if( buf.st_nlink==0 && (pFile->ctrlFlags & UNIXFILE_DELETE)==0 ){ + sqlite3_log(SQLITE_WARNING, "file unlinked while open: %s", pFile->zPath); + pFile->ctrlFlags |= UNIXFILE_WARNED; + return; + } + if( buf.st_nlink>1 ){ + sqlite3_log(SQLITE_WARNING, "multiple links to file: %s", pFile->zPath); + pFile->ctrlFlags |= UNIXFILE_WARNED; + return; + } + if( pFile->pInode!=0 + && ((rc = osStat(pFile->zPath, &buf))!=0 + || buf.st_ino!=pFile->pInode->fileId.ino) + ){ + sqlite3_log(SQLITE_WARNING, "file renamed while open: %s", pFile->zPath); + pFile->ctrlFlags |= UNIXFILE_WARNED; + return; + } +} + + /* ** This routine checks if there is a RESERVED lock held on the specified ** file by this or any other process. If such a lock is held, set *pResOut 
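Review bot: The header comment promises check (2), "The file is not a symbolic link", but nothing in `verifyDbFile()` tests it — `osFstat()` on an open descriptor sees the target, never the link, so that check would need `lstat()` on `pFile->zPath` plus `S_ISLNK`, or item (2) should be dropped from the comment. Every warning prints `pFile->zPath` with `%s`; `unixLogErrorAtLine()` on this page guards `zPath==0` before logging, so if a `unixFile` can carry a null path the same guard belongs here. The rename check is inherently a stat-then-compare on a path, which is fine for an advisory warning but must not be read as a security control; a short `/* advisory only: racy by nature */` note in the comment would prevent that misreading.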
@@ -24736,9 +24967,13 @@ end_unlock: ** the requested locking level, this routine is a no-op. */ static int unixUnlock(sqlite3_file *id, int eFileLock){ + assert( eFileLock==SHARED_LOCK || ((unixFile *)id)->nFetchOut==0 ); return posixUnlock(id, eFileLock, 0); } +static int unixMapfile(unixFile *pFd, i64 nByte); +static void unixUnmapfile(unixFile *pFd); + /* ** This function performs the parts of the "close file" operation ** common to all locking schemes. It closes the directory and file @@ -24751,6 +24986,7 @@ static int unixUnlock(sqlite3_file *id, int eFileLock){ */ static int closeUnixFile(sqlite3_file *id){ unixFile *pFile = (unixFile*)id; + unixUnmapfile(pFile); if( pFile->h>=0 ){ robust_close(pFile, pFile->h, __LINE__); pFile->h = -1; @@ -24777,6 +25013,7 @@ static int closeUnixFile(sqlite3_file *id){ static int unixClose(sqlite3_file *id){ int rc = SQLITE_OK; unixFile *pFile = (unixFile *)id; + verifyDbFile(pFile); unixUnlock(id, NO_LOCK); unixEnterMutex(); @@ -26008,6 +26245,8 @@ static int unixRead( unixFile *pFile = (unixFile *)id; int got; assert( id ); + assert( offset>=0 ); + assert( amt>0 ); /* If this is a database file (not a journal, master-journal or temp ** file), the bytes in the locking range should never be read or written. */ @@ -26018,6 +26257,23 @@ static int unixRead( ); #endif +#if SQLITE_MAX_MMAP_SIZE>0 + /* Deal with as much of this read request as possible by transfering + ** data from the memory mapping using memcpy(). */ + if( offsetmmapSize ){ + if( offset+amt <= pFile->mmapSize ){ + memcpy(pBuf, &((u8 *)(pFile->pMapRegion))[offset], amt); + return SQLITE_OK; + }else{ + int nCopy = pFile->mmapSize - offset; + memcpy(pBuf, &((u8 *)(pFile->pMapRegion))[offset], nCopy); + pBuf = &((u8 *)pBuf)[nCopy]; + amt -= nCopy; + offset += nCopy; + } + } +#endif + got = seekAndRead(pFile, offset, pBuf, amt); if( got==amt ){ return SQLITE_OK; 
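Review bot: The new memory-mapped read path copies `amt` bytes out of `pMapRegion` whenever `offset` is below `mmapSize`, and only this connection's own `unixTruncate()`/`unixMapfile()` ever lower `mmapSize`; if the file shrinks underneath the mapping by any other route, the `memcpy` touches pages past EOF and on typical Unix systems that is a `SIGBUS`, not an `SQLITE_IOERR`. That is the inherent trade-off of mmap I/O, but it is invisible at this call site — a comment such as `/* Pages past EOF fault (SIGBUS) rather than failing; mmapSize is kept <= file size only for changes made through this connection */` would document the assumption. The `nCopy` computation narrows an `i64` difference to `int` without a cast; it is bounded by `amt`, so an explicit `(int)` as the Windows counterpart uses would only make the intent visible.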
@@ -26032,6 +26288,51 @@ static int unixRead( } } +/* +** Attempt to seek the file-descriptor passed as the first argument to +** absolute offset iOff, then attempt to write nBuf bytes of data from +** pBuf to it. If an error occurs, return -1 and set *piErrno. Otherwise, +** return the actual number of bytes written (which may be less than +** nBuf). +*/ +static int seekAndWriteFd( + int fd, /* File descriptor to write to */ + i64 iOff, /* File offset to begin writing at */ + const void *pBuf, /* Copy data from this buffer to the file */ + int nBuf, /* Size of buffer pBuf in bytes */ + int *piErrno /* OUT: Error number if error occurs */ +){ + int rc = 0; /* Value returned by system call */ + + assert( nBuf==(nBuf&0x1ffff) ); + nBuf &= 0x1ffff; + TIMER_START; + +#if defined(USE_PREAD) + do{ rc = osPwrite(fd, pBuf, nBuf, iOff); }while( rc<0 && errno==EINTR ); +#elif defined(USE_PREAD64) + do{ rc = osPwrite64(fd, pBuf, nBuf, iOff);}while( rc<0 && errno==EINTR); +#else + do{ + i64 iSeek = lseek(fd, iOff, SEEK_SET); + SimulateIOError( iSeek-- ); + + if( iSeek!=iOff ){ + if( piErrno ) *piErrno = (iSeek==-1 ? errno : 0); + return -1; + } + rc = osWrite(fd, pBuf, nBuf); + }while( rc<0 && errno==EINTR ); +#endif + + TIMER_END; + OSTRACE(("WRITE %-3d %5d %7lld %llu\n", fd, rc, iOff, TIMER_ELAPSED)); + + if( rc<0 && piErrno ) *piErrno = errno; + return rc; +} + + /* ** Seek to the offset in id->offset then read cnt bytes into pBuf. ** Return the number of bytes actually read. Update the offset. 
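Review bot: The comment on `seekAndWriteFd()` says it returns the number of bytes written "which may be less than nBuf", but it also silently clamps `nBuf &= 0x1ffff` once the `assert` is compiled out, so a caller passing more than 128 KiB gets a short write with no indication why. Document the precondition in the header, e.g. `** nBuf must not exceed 0x1ffff bytes; larger values are silently truncated.`, or drop the masking and rely on the callers' partial-write loops. In the `USE_PREAD`/`USE_PREAD64` branches `*piErrno` is only written when `rc<0`, whereas the `lseek` branch also writes 0 on a mis-seek; that mirrors the old `seekAndWrite()`, but is worth a comment now that `unixShmMap()` calls this with `piErrno==0`.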
@@ -26040,39 +26341,7 @@ static int unixRead( ** is set before returning. */ static int seekAndWrite(unixFile *id, i64 offset, const void *pBuf, int cnt){ - int got; -#if (!defined(USE_PREAD) && !defined(USE_PREAD64)) - i64 newOffset; -#endif - assert( cnt==(cnt&0x1ffff) ); - cnt &= 0x1ffff; - TIMER_START; -#if defined(USE_PREAD) - do{ got = osPwrite(id->h, pBuf, cnt, offset); }while( got<0 && errno==EINTR ); -#elif defined(USE_PREAD64) - do{ got = osPwrite64(id->h, pBuf, cnt, offset);}while( got<0 && errno==EINTR); -#else - do{ - newOffset = lseek(id->h, offset, SEEK_SET); - SimulateIOError( newOffset-- ); - if( newOffset!=offset ){ - if( newOffset == -1 ){ - ((unixFile*)id)->lastErrno = errno; - }else{ - ((unixFile*)id)->lastErrno = 0; - } - return -1; - } - got = osWrite(id->h, pBuf, cnt); - }while( got<0 && errno==EINTR ); -#endif - TIMER_END; - if( got<0 ){ - ((unixFile*)id)->lastErrno = errno; - } - - OSTRACE(("WRITE %-3d %5d %7lld %llu\n", id->h, got, offset, TIMER_ELAPSED)); - return got; + return seekAndWriteFd(id->h, offset, pBuf, cnt, &id->lastErrno); } @@ -26122,6 +26391,23 @@ static int unixWrite( } #endif +#if SQLITE_MAX_MMAP_SIZE>0 + /* Deal with as much of this write request as possible by transfering + ** data from the memory mapping using memcpy(). */ + if( offsetmmapSize ){ + if( offset+amt <= pFile->mmapSize ){ + memcpy(&((u8 *)(pFile->pMapRegion))[offset], pBuf, amt); + return SQLITE_OK; + }else{ + int nCopy = pFile->mmapSize - offset; + memcpy(&((u8 *)(pFile->pMapRegion))[offset], pBuf, nCopy); + pBuf = &((u8 *)pBuf)[nCopy]; + amt -= nCopy; + offset += nCopy; + } + } +#endif + while( amt>0 && (wrote = seekAndWrite(pFile, offset, pBuf, amt))>0 ){ amt -= wrote; offset += wrote; 
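Review bot: The mmap write path in `unixWrite()` does `memcpy` into `pMapRegion` with no check that the mapping is writable; `unixRemapfile()` later on this page adds `PROT_WRITE` only when `UNIXFILE_RDONLY` is clear, so a write reaching this branch on a read-only connection would be a `SIGSEGV` rather than an error return. The pager presumably never writes on such a connection, but that invariant is cheap to pin here with `assert( (pFile->ctrlFlags & UNIXFILE_RDONLY)==0 );` at the top of the `#if SQLITE_MAX_MMAP_SIZE>0` block. The `int nCopy = pFile->mmapSize - offset;` narrowing has no cast, unlike the Windows version of the same block; adding `(int)` keeps the two paths consistent.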
@@ -26404,6 +26690,14 @@ static int unixTruncate(sqlite3_file *id, i64 nByte){ } #endif + /* If the file was just truncated to a size smaller than the currently + ** mapped region, reduce the effective mapping size as well. SQLite will + ** use read() and write() to access data beyond this point from now on. + */ + if( nBytemmapSize ){ + pFile->mmapSize = nByte; + } + return SQLITE_OK; } } @@ -26492,6 +26786,19 @@ static int fcntlSizeHint(unixFile *pFile, i64 nByte){ } } + if( pFile->mmapSizeMax>0 && nByte>pFile->mmapSize ){ + int rc; + if( pFile->szChunk<=0 ){ + if( robust_ftruncate(pFile->h, nByte) ){ + pFile->lastErrno = errno; + return unixLogError(SQLITE_IOERR_TRUNCATE, "ftruncate", pFile->zPath); + } + } + + rc = unixMapfile(pFile, nByte); + return rc; + } + return SQLITE_OK; } @@ -26559,6 +26866,18 @@ static int unixFileControl(sqlite3_file *id, int op, void *pArg){ } return SQLITE_OK; } + case SQLITE_FCNTL_MMAP_SIZE: { + i64 newLimit = *(i64*)pArg; + if( newLimit>sqlite3GlobalConfig.mxMmap ){ + newLimit = sqlite3GlobalConfig.mxMmap; + } + *(i64*)pArg = pFile->mmapSizeMax; + if( newLimit>=0 ){ + pFile->mmapSizeMax = newLimit; + if( newLimitmmapSize ) pFile->mmapSize = newLimit; + } + return SQLITE_OK; + } #ifdef SQLITE_DEBUG /* The pager calls this method to signal that it has done ** a rollback and that the database is therefore unchanged and @@ -26871,7 +27190,7 @@ static void unixShmPurge(unixFile *pFd){ sqlite3_mutex_free(p->mutex); for(i=0; inRegion; i++){ if( p->h>=0 ){ - munmap(p->apRegion[i], p->szRegion); + osMunmap(p->apRegion[i], p->szRegion); }else{ sqlite3_free(p->apRegion[i]); } 
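Review bot: In `fcntlSizeHint()` the new branch extends the file with `robust_ftruncate()` and then maps it to `nByte`; the truncate produces a sparse file, so on a full filesystem the first write through the mapping into an unallocated page faults (`SIGBUS`) instead of returning `SQLITE_FULL` as the `write()` path would. That is a known property of mmap I/O, but the branch deserves a comment saying so, and `int rc; ... rc = unixMapfile(pFile, nByte); return rc;` can simply be `return unixMapfile(pFile, nByte);`. In the `SQLITE_FCNTL_MMAP_SIZE` handler a new limit below `mmapSize` shrinks `mmapSize` but leaves `mmapSizeActual` and the mapping itself untouched, so outstanding `xFetch` pointers stay valid; a one-line comment that the real unmap happens lazily in `unixMapfile()`/`unixUnmapfile()` would save the next reader from checking.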
@@ -27111,24 +27430,32 @@ static int unixShmMap( if( sStat.st_sizeh, sStat.st_size, nByte)!=0 ){ - rc = unixLogError(SQLITE_IOERR_SHMSIZE, "fallocate", - pShmNode->zFilename); + if( !bExtend ){ goto shmpage_out; } -#else - if( robust_ftruncate(pShmNode->h, nByte) ){ - rc = unixLogError(SQLITE_IOERR_SHMSIZE, "ftruncate", - pShmNode->zFilename); - goto shmpage_out; + + /* Alternatively, if bExtend is true, extend the file. Do this by + ** writing a single byte to the end of each (OS) page being + ** allocated or extended. Technically, we need only write to the + ** last page in order to extend the file. But writing to all new + ** pages forces the OS to allocate them immediately, which reduces + ** the chances of SIGBUS while accessing the mapped region later on. + */ + else{ + static const int pgsz = 4096; + int iPg; + + /* Write to the last byte of each newly allocated or extended page */ + assert( (nByte % pgsz)==0 ); + for(iPg=(sStat.st_size/pgsz); iPg<(nByte/pgsz); iPg++){ + if( seekAndWriteFd(pShmNode->h, iPg*pgsz + pgsz-1, "", 1, 0)!=1 ){ + const char *zFile = pShmNode->zFilename; + rc = unixLogError(SQLITE_IOERR_SHMSIZE, "write", zFile); + goto shmpage_out; + } + } } -#endif } } @@ -27144,7 +27471,7 @@ static int unixShmMap( while(pShmNode->nRegion<=iRegion){ void *pMem; if( pShmNode->h>=0 ){ - pMem = mmap(0, szRegion, + pMem = osMmap(0, szRegion, pShmNode->isReadonly ? PROT_READ : PROT_READ|PROT_WRITE, MAP_SHARED, pShmNode->h, szRegion*(i64)pShmNode->nRegion ); 
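Review bot: The comment on the extend-by-writing loop speaks of "each (OS) page", but `pgsz` is a fixed `static const int pgsz = 4096`, not the system page size, and the offsets `iPg*pgsz + pgsz-1` are computed in `int`. On platforms with larger pages this simply writes several bytes per real page, which is harmless, but the comment should say the stride is a fixed 4 KiB so the intent is clear, and `nByte` has to stay within `int` range for that arithmetic, which the `assert( (nByte % pgsz)==0 )` does not cover. The head of this hunk (`if( sStat.st_size<nByte ){`) is garbled on this line, so the exact `bExtend` branch structure is inferred from what survived.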
@@ -27361,6 +27688,236 @@ static int unixShmUnmap( # define unixShmUnmap 0 #endif /* #ifndef SQLITE_OMIT_WAL */ +/* +** If it is currently memory mapped, unmap file pFd. +*/ +static void unixUnmapfile(unixFile *pFd){ + assert( pFd->nFetchOut==0 ); +#if SQLITE_MAX_MMAP_SIZE>0 + if( pFd->pMapRegion ){ + osMunmap(pFd->pMapRegion, pFd->mmapSizeActual); + pFd->pMapRegion = 0; + pFd->mmapSize = 0; + pFd->mmapSizeActual = 0; + } +#endif +} + +#if SQLITE_MAX_MMAP_SIZE>0 +/* +** Return the system page size. +*/ +static int unixGetPagesize(void){ +#if HAVE_MREMAP + return 512; +#elif defined(_BSD_SOURCE) + return getpagesize(); +#else + return (int)sysconf(_SC_PAGESIZE); +#endif +} +#endif /* SQLITE_MAX_MMAP_SIZE>0 */ + +#if SQLITE_MAX_MMAP_SIZE>0 +/* +** Attempt to set the size of the memory mapping maintained by file +** descriptor pFd to nNew bytes. Any existing mapping is discarded. +** +** If successful, this function sets the following variables: +** +** unixFile.pMapRegion +** unixFile.mmapSize +** unixFile.mmapSizeActual +** +** If unsuccessful, an error message is logged via sqlite3_log() and +** the three variables above are zeroed. In this case SQLite should +** continue accessing the database using the xRead() and xWrite() +** methods. 
+*/ +static void unixRemapfile( + unixFile *pFd, /* File descriptor object */ + i64 nNew /* Required mapping size */ +){ + const char *zErr = "mmap"; + int h = pFd->h; /* File descriptor open on db file */ + u8 *pOrig = (u8 *)pFd->pMapRegion; /* Pointer to current file mapping */ + i64 nOrig = pFd->mmapSizeActual; /* Size of pOrig region in bytes */ + u8 *pNew = 0; /* Location of new mapping */ + int flags = PROT_READ; /* Flags to pass to mmap() */ + + assert( pFd->nFetchOut==0 ); + assert( nNew>pFd->mmapSize ); + assert( nNew<=pFd->mmapSizeMax ); + assert( nNew>0 ); + assert( pFd->mmapSizeActual>=pFd->mmapSize ); + assert( MAP_FAILED!=0 ); + + if( (pFd->ctrlFlags & UNIXFILE_RDONLY)==0 ) flags |= PROT_WRITE; + + if( pOrig ){ + const int szSyspage = unixGetPagesize(); + i64 nReuse = (pFd->mmapSize & ~(szSyspage-1)); + u8 *pReq = &pOrig[nReuse]; + + /* Unmap any pages of the existing mapping that cannot be reused. */ + if( nReuse!=nOrig ){ + osMunmap(pReq, nOrig-nReuse); + } + +#if HAVE_MREMAP + pNew = osMremap(pOrig, nReuse, nNew, MREMAP_MAYMOVE); + zErr = "mremap"; +#else + pNew = osMmap(pReq, nNew-nReuse, flags, MAP_SHARED, h, nReuse); + if( pNew!=MAP_FAILED ){ + if( pNew!=pReq ){ + osMunmap(pNew, nNew - nReuse); + pNew = 0; + }else{ + pNew = pOrig; + } + } +#endif + + /* The attempt to extend the existing mapping failed. Free it. */ + if( pNew==MAP_FAILED || pNew==0 ){ + osMunmap(pOrig, nReuse); + } + } + + /* If pNew is still NULL, try to create an entirely new mapping. */ + if( pNew==0 ){ + pNew = osMmap(0, nNew, flags, MAP_SHARED, h, 0); + } + + if( pNew==MAP_FAILED ){ + pNew = 0; + nNew = 0; + unixLogError(SQLITE_OK, zErr, pFd->zPath); + + /* If the mmap() above failed, assume that all subsequent mmap() calls + ** will probably fail too. Fall back to using xRead/xWrite exclusively + ** in this case. 
*/ + pFd->mmapSizeMax = 0; + } + pFd->pMapRegion = (void *)pNew; + pFd->mmapSize = pFd->mmapSizeActual = nNew; +} +#endif + +/* +** Memory map or remap the file opened by file-descriptor pFd (if the file +** is already mapped, the existing mapping is replaced by the new). Or, if +** there already exists a mapping for this file, and there are still +** outstanding xFetch() references to it, this function is a no-op. +** +** If parameter nByte is non-negative, then it is the requested size of +** the mapping to create. Otherwise, if nByte is less than zero, then the +** requested size is the size of the file on disk. The actual size of the +** created mapping is either the requested size or the value configured +** using SQLITE_FCNTL_MMAP_LIMIT, whichever is smaller. +** +** SQLITE_OK is returned if no error occurs (even if the mapping is not +** recreated as a result of outstanding references) or an SQLite error +** code otherwise. +*/ +static int unixMapfile(unixFile *pFd, i64 nByte){ +#if SQLITE_MAX_MMAP_SIZE>0 + i64 nMap = nByte; + int rc; + + assert( nMap>=0 || pFd->nFetchOut==0 ); + if( pFd->nFetchOut>0 ) return SQLITE_OK; + + if( nMap<0 ){ + struct stat statbuf; /* Low-level file information */ + rc = osFstat(pFd->h, &statbuf); + if( rc!=SQLITE_OK ){ + return SQLITE_IOERR_FSTAT; + } + nMap = statbuf.st_size; + } + if( nMap>pFd->mmapSizeMax ){ + nMap = pFd->mmapSizeMax; + } + + if( nMap!=pFd->mmapSize ){ + if( nMap>0 ){ + unixRemapfile(pFd, nMap); + }else{ + unixUnmapfile(pFd); + } + } +#endif + + return SQLITE_OK; +} + +/* +** If possible, return a pointer to a mapping of file fd starting at offset +** iOff. The mapping must be valid for at least nAmt bytes. +** +** If such a pointer can be obtained, store it in *pp and return SQLITE_OK. +** Or, if one cannot but no error occurs, set *pp to 0 and return SQLITE_OK. +** Finally, if an error does occur, return an SQLite error code. The final +** value of *pp is undefined in this case. 
+** +** If this function does return a pointer, the caller must eventually +** release the reference by calling unixUnfetch(). +*/ +static int unixFetch(sqlite3_file *fd, i64 iOff, int nAmt, void **pp){ +#if SQLITE_MAX_MMAP_SIZE>0 + unixFile *pFd = (unixFile *)fd; /* The underlying database file */ +#endif + *pp = 0; + +#if SQLITE_MAX_MMAP_SIZE>0 + if( pFd->mmapSizeMax>0 ){ + if( pFd->pMapRegion==0 ){ + int rc = unixMapfile(pFd, -1); + if( rc!=SQLITE_OK ) return rc; + } + if( pFd->mmapSize >= iOff+nAmt ){ + *pp = &((u8 *)pFd->pMapRegion)[iOff]; + pFd->nFetchOut++; + } + } +#endif + return SQLITE_OK; +} + +/* +** If the third argument is non-NULL, then this function releases a +** reference obtained by an earlier call to unixFetch(). The second +** argument passed to this function must be the same as the corresponding +** argument that was passed to the unixFetch() invocation. +** +** Or, if the third argument is NULL, then this function is being called +** to inform the VFS layer that, according to POSIX, any existing mapping +** may now be invalid and should be unmapped. +*/ +static int unixUnfetch(sqlite3_file *fd, i64 iOff, void *p){ + unixFile *pFd = (unixFile *)fd; /* The underlying database file */ + UNUSED_PARAMETER(iOff); + + /* If p==0 (unmap the entire file) then there must be no outstanding + ** xFetch references. Or, if p!=0 (meaning it is an xFetch reference), + ** then there must be at least one outstanding. */ + assert( (p==0)==(pFd->nFetchOut==0) ); + + /* If p!=0, it must match the iOff value. */ + assert( p==0 || p==&((u8 *)pFd->pMapRegion)[iOff] ); + + if( p ){ + pFd->nFetchOut--; + }else{ + unixUnmapfile(pFd); + } + + assert( pFd->nFetchOut>=0 ); + return SQLITE_OK; +} + /* ** Here ends the implementation of all sqlite3_file methods. ** 
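Review bot: `unixRemapfile()` reports an `mmap()`/`mremap()` failure with `unixLogError(SQLITE_OK, zErr, pFd->zPath)`, so the entry lands in the error log with a code that means "no error"; anyone filtering `sqlite3_log()` output by result code will never see that the connection silently fell back to `read()`/`write()` and zeroed `mmapSizeMax` for the rest of its life. `SQLITE_WARNING`, already used by `verifyDbFile()` on this page, is the right code and would have let the `errcode!=SQLITE_OK` assertion in `unixLogErrorAtLine()` stay. `unixGetPagesize()` is commented "Return the system page size" but returns the constant 512 whenever `HAVE_MREMAP` is set; `nReuse` is aligned to that value and then handed to `osMunmap(pReq, nOrig-nReuse)`, whose address must be page-aligned, so the unmap of the non-reusable tail can fail with `EINVAL` and the failure is discarded — use the real page size or check the result. The `unixMapfile()` header refers to `SQLITE_FCNTL_MMAP_LIMIT` while the file-control implemented earlier is `SQLITE_FCNTL_MMAP_SIZE`. `unixUnfetch()` with `p==0` unmaps while `unixUnmapfile()` only `assert`s `nFetchOut==0`; in a release build an unbalanced fetch would leave a caller holding a pointer into an unmapped region, so a defensive `else if( pFd->nFetchOut==0 ) unixUnmapfile(pFd);` is worth considering.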
@@ -27419,7 +27976,9 @@ static const sqlite3_io_methods METHOD = { \ unixShmMap, /* xShmMap */ \ unixShmLock, /* xShmLock */ \ unixShmBarrier, /* xShmBarrier */ \ - unixShmUnmap /* xShmUnmap */ \ + unixShmUnmap, /* xShmUnmap */ \ + unixFetch, /* xFetch */ \ + unixUnfetch, /* xUnfetch */ \ }; \ static const sqlite3_io_methods *FINDER##Impl(const char *z, unixFile *p){ \ UNUSED_PARAMETER(z); UNUSED_PARAMETER(p); \ @@ -27436,7 +27995,7 @@ static const sqlite3_io_methods *(*const FINDER)(const char*,unixFile *p) \ IOMETHODS( posixIoFinder, /* Finder function name */ posixIoMethods, /* sqlite3_io_methods object name */ - 2, /* shared memory is enabled */ + 3, /* shared memory and mmap are enabled */ unixClose, /* xClose method */ unixLock, /* xLock method */ unixUnlock, /* xUnlock method */ @@ -27687,6 +28246,7 @@ static int fillInUnixFile( pNew->pVfs = pVfs; pNew->zPath = zFilename; pNew->ctrlFlags = (u8)ctrlFlags; + pNew->mmapSizeMax = sqlite3GlobalConfig.szMmap; if( sqlite3_uri_boolean(((ctrlFlags & UNIXFILE_URI) ? zFilename : 0), "psow", SQLITE_POWERSAFE_OVERWRITE) ){ pNew->ctrlFlags |= UNIXFILE_PSOW; @@ -27822,15 +28382,15 @@ static int fillInUnixFile( if( h>=0 ) robust_close(pNew, h, __LINE__); h = -1; osUnlink(zFilename); - isDelete = 0; + pNew->ctrlFlags |= UNIXFILE_DELETE; } - if( isDelete ) pNew->ctrlFlags |= UNIXFILE_DELETE; #endif if( rc!=SQLITE_OK ){ if( h>=0 ) robust_close(pNew, h, __LINE__); }else{ pNew->pMethod = pLockingStyle; OpenCounter(+1); + verifyDbFile(pNew); } return rc; } @@ -29924,7 +30484,7 @@ SQLITE_API int sqlite3_os_init(void){ /* Double-check that the aSyscall[] array has been constructed ** correctly. See ticket [bb3a86e890c8e96ab] */ - assert( ArraySize(aSyscall)==21 ); + assert( ArraySize(aSyscall)==24 ); /* Register all VFSes defined in the aVfs[] array */ for(i=0; i<(sizeof(aVfs)/sizeof(sqlite3_vfs)); i++){ 
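Review bot: `verifyDbFile(pNew)` now runs for every file that `fillInUnixFile()` opens successfully, although its own comment says it checks "a unixFile that is a database"; if journals, WAL and temp files also pass through here (the `unixOpen()` caller is not in view), the "multiple links"/"renamed while open" warnings will fire for them too and every open costs an extra `fstat()`+`stat()`. If that is intended, widen the comment on `verifyDbFile()`; otherwise gate the call on the file-type information `unixOpen()` passes in `ctrlFlags`. The rewritten unlink-on-open path sets `UNIXFILE_DELETE` directly and the old `if( isDelete ) pNew->ctrlFlags |= UNIXFILE_DELETE;` is gone, so a caller that previously relied on `isDelete` alone no longer gets the flag unless `unixOpen()` now sets it itself — worth confirming, because `verifyDbFile()` uses that flag to suppress the "file unlinked while open" warning.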
@@ -30307,11 +30867,20 @@ struct winFile { winceLock local; /* Locks obtained by this instance of winFile */ winceLock *shared; /* Global shared lock memory for the file */ #endif +#if SQLITE_MAX_MMAP_SIZE>0 + int nFetchOut; /* Number of outstanding xFetch references */ + HANDLE hMap; /* Handle for accessing memory mapping */ + void *pMapRegion; /* Area memory mapped */ + sqlite3_int64 mmapSize; /* Usable size of mapped region */ + sqlite3_int64 mmapSizeActual; /* Actual size of mapped region */ + sqlite3_int64 mmapSizeMax; /* Configured FCNTL_MMAP_SIZE value */ +#endif }; /* ** Allowed values for winFile.ctrlFlags */ +#define WINFILE_RDONLY 0x02 /* Connection is read only */ #define WINFILE_PERSIST_WAL 0x04 /* Persistent WAL mode */ #define WINFILE_PSOW 0x10 /* SQLITE_IOCAP_POWERSAFE_OVERWRITE */ @@ -31671,7 +32240,7 @@ static int getLastErrorMsg(DWORD lastErrno, int nBuf, char *zBuf){ } #endif if( 0 == dwLen ){ - sqlite3_snprintf(nBuf, zBuf, "OsError 0x%x (%u)", lastErrno, lastErrno); + sqlite3_snprintf(nBuf, zBuf, "OsError 0x%lx (%lu)", lastErrno, lastErrno); }else{ /* copy a maximum of nBuf chars to output buffer */ sqlite3_snprintf(nBuf, zBuf, "%s", zOut); @@ -31714,7 +32283,7 @@ static int winLogErrorAtLine( for(i=0; zMsg[i] && zMsg[i]!='\r' && zMsg[i]!='\n'; i++){} zMsg[i] = 0; sqlite3_log(errcode, - "os_win.c:%d: (%d) %s(%s) - %s", + "os_win.c:%d: (%lu) %s(%s) - %s", iLine, lastErrno, zFunc, zPath, zMsg ); @@ -32175,6 +32744,8 @@ static int seekWinFile(winFile *pFile, sqlite3_int64 iOffset){ DWORD dwRet; /* Value returned by SetFilePointer() */ DWORD lastErrno; /* Value returned by GetLastError() */ + OSTRACE(("SEEK file=%p, offset=%lld\n", pFile->h, iOffset)); + upperBits = (LONG)((iOffset>>32) & 0x7fffffff); lowerBits = (LONG)(iOffset & 0xffffffff); 
@@ -32192,9 +32763,11 @@ static int seekWinFile(winFile *pFile, sqlite3_int64 iOffset){ pFile->lastErrno = lastErrno; winLogError(SQLITE_IOERR_SEEK, pFile->lastErrno, "seekWinFile", pFile->zPath); + OSTRACE(("SEEK file=%p, rc=SQLITE_IOERR_SEEK\n", pFile->h)); return 1; } + OSTRACE(("SEEK file=%p, rc=SQLITE_OK\n", pFile->h)); return 0; #else /* @@ -32211,13 +32784,20 @@ static int seekWinFile(winFile *pFile, sqlite3_int64 iOffset){ pFile->lastErrno = osGetLastError(); winLogError(SQLITE_IOERR_SEEK, pFile->lastErrno, "seekWinFile", pFile->zPath); + OSTRACE(("SEEK file=%p, rc=SQLITE_IOERR_SEEK\n", pFile->h)); return 1; } + OSTRACE(("SEEK file=%p, rc=SQLITE_OK\n", pFile->h)); return 0; #endif } +#if SQLITE_MAX_MMAP_SIZE>0 +/* Forward references to VFS methods */ +static int winUnmapfile(winFile*); +#endif + /* ** Close a file. ** @@ -32237,8 +32817,14 @@ static int winClose(sqlite3_file *id){ #ifndef SQLITE_OMIT_WAL assert( pFile->pShm==0 ); #endif - OSTRACE(("CLOSE %d\n", pFile->h)); assert( pFile->h!=NULL && pFile->h!=INVALID_HANDLE_VALUE ); + OSTRACE(("CLOSE file=%p\n", pFile->h)); + +#if SQLITE_MAX_MMAP_SIZE>0 + rc = winUnmapfile(pFile); + if( rc!=SQLITE_OK ) return rc; +#endif + do{ rc = osCloseHandle(pFile->h); /* SimulateIOError( rc=0; cnt=MX_CLOSE_ATTEMPT; ); */ @@ -32258,11 +32844,11 @@ static int winClose(sqlite3_file *id){ sqlite3_free(pFile->zDeleteOnClose); } #endif - OSTRACE(("CLOSE %d %s\n", pFile->h, rc ? "ok" : "failed")); if( rc ){ pFile->h = NULL; } OpenCounter(-1); + OSTRACE(("CLOSE file=%p, rc=%s\n", pFile->h, rc ? "ok" : "failed")); return rc ? SQLITE_OK : winLogError(SQLITE_IOERR_CLOSE, osGetLastError(), "winClose", pFile->zPath); 
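Review bot: `winClose()` now returns early when `winUnmapfile()` fails, before `osCloseHandle()` runs, `zDeleteOnClose` is processed and `OpenCounter(-1)` is applied; unless every caller retries `xClose` on error (the pager path is not in view), a failed unmap leaks the file handle and leaves the delete-on-close file behind. Safer is to remember the unmap result, continue with the close, and return the first error, or at minimum log the unmap failure and fall through. The final `OSTRACE` also prints `pFile->h` after the success path has set it to `NULL`, so the trace always shows a null handle on success; move it above the assignment or print the saved handle.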
@@ -32287,11 +32873,33 @@ static int winRead( int nRetry = 0; /* Number of retrys */ assert( id!=0 ); + assert( amt>0 ); + assert( offset>=0 ); SimulateIOError(return SQLITE_IOERR_READ); - OSTRACE(("READ %d lock=%d\n", pFile->h, pFile->locktype)); + OSTRACE(("READ file=%p, buffer=%p, amount=%d, offset=%lld, lock=%d\n", + pFile->h, pBuf, amt, offset, pFile->locktype)); + +#if SQLITE_MAX_MMAP_SIZE>0 + /* Deal with as much of this read request as possible by transfering + ** data from the memory mapping using memcpy(). */ + if( offsetmmapSize ){ + if( offset+amt <= pFile->mmapSize ){ + memcpy(pBuf, &((u8 *)(pFile->pMapRegion))[offset], amt); + OSTRACE(("READ-MMAP file=%p, rc=SQLITE_OK\n", pFile->h)); + return SQLITE_OK; + }else{ + int nCopy = (int)(pFile->mmapSize - offset); + memcpy(pBuf, &((u8 *)(pFile->pMapRegion))[offset], nCopy); + pBuf = &((u8 *)pBuf)[nCopy]; + amt -= nCopy; + offset += nCopy; + } + } +#endif #if SQLITE_OS_WINCE if( seekWinFile(pFile, offset) ){ + OSTRACE(("READ file=%p, rc=SQLITE_FULL\n", pFile->h)); return SQLITE_FULL; } while( !osReadFile(pFile->h, pBuf, amt, &nRead, 0) ){ @@ -32305,6 +32913,7 @@ static int winRead( DWORD lastErrno; if( retryIoerr(&nRetry, &lastErrno) ) continue; pFile->lastErrno = lastErrno; + OSTRACE(("READ file=%p, rc=SQLITE_IOERR_READ\n", pFile->h)); return winLogError(SQLITE_IOERR_READ, pFile->lastErrno, "winRead", pFile->zPath); } @@ -32312,9 +32921,11 @@ static int winRead( if( nRead<(DWORD)amt ){ /* Unread parts of the buffer must be zero-filled */ memset(&((char*)pBuf)[nRead], 0, amt-nRead); + OSTRACE(("READ file=%p, rc=SQLITE_IOERR_SHORT_READ\n", pFile->h)); return SQLITE_IOERR_SHORT_READ; } + OSTRACE(("READ file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } 
@@ -32337,7 +32948,26 @@ static int winWrite( SimulateIOError(return SQLITE_IOERR_WRITE); SimulateDiskfullError(return SQLITE_FULL); - OSTRACE(("WRITE %d lock=%d\n", pFile->h, pFile->locktype)); + OSTRACE(("WRITE file=%p, buffer=%p, amount=%d, offset=%lld, lock=%d\n", + pFile->h, pBuf, amt, offset, pFile->locktype)); + +#if SQLITE_MAX_MMAP_SIZE>0 + /* Deal with as much of this write request as possible by transfering + ** data from the memory mapping using memcpy(). */ + if( offsetmmapSize ){ + if( offset+amt <= pFile->mmapSize ){ + memcpy(&((u8 *)(pFile->pMapRegion))[offset], pBuf, amt); + OSTRACE(("WRITE-MMAP file=%p, rc=SQLITE_OK\n", pFile->h)); + return SQLITE_OK; + }else{ + int nCopy = (int)(pFile->mmapSize - offset); + memcpy(&((u8 *)(pFile->pMapRegion))[offset], pBuf, nCopy); + pBuf = &((u8 *)pBuf)[nCopy]; + amt -= nCopy; + offset += nCopy; + } + } +#endif #if SQLITE_OS_WINCE rc = seekWinFile(pFile, offset); @@ -32390,13 +33020,16 @@ static int winWrite( if( rc ){ if( ( pFile->lastErrno==ERROR_HANDLE_DISK_FULL ) || ( pFile->lastErrno==ERROR_DISK_FULL )){ + OSTRACE(("WRITE file=%p, rc=SQLITE_FULL\n", pFile->h)); return SQLITE_FULL; } + OSTRACE(("WRITE file=%p, rc=SQLITE_IOERR_WRITE\n", pFile->h)); return winLogError(SQLITE_IOERR_WRITE, pFile->lastErrno, "winWrite", pFile->zPath); }else{ logIoerr(nRetry); } + OSTRACE(("WRITE file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } @@ -32406,11 +33039,12 @@ static int winWrite( static int winTruncate(sqlite3_file *id, sqlite3_int64 nByte){ winFile *pFile = (winFile*)id; /* File handle object */ int rc = SQLITE_OK; /* Return code for this function */ + DWORD lastErrno; assert( pFile ); - - OSTRACE(("TRUNCATE %d %lld\n", pFile->h, nByte)); SimulateIOError(return SQLITE_IOERR_TRUNCATE); + OSTRACE(("TRUNCATE file=%p, size=%lld, lock=%d\n", + pFile->h, nByte, pFile->locktype)); /* If the user has configured a chunk-size for this file, truncate the ** file so that it consists of an integer number of chunks (i.e. the 
@@ -32424,14 +33058,25 @@ static int winTruncate(sqlite3_file *id, sqlite3_int64 nByte){ /* SetEndOfFile() returns non-zero when successful, or zero when it fails. */ if( seekWinFile(pFile, nByte) ){ rc = winLogError(SQLITE_IOERR_TRUNCATE, pFile->lastErrno, - "winTruncate1", pFile->zPath); - }else if( 0==osSetEndOfFile(pFile->h) ){ - pFile->lastErrno = osGetLastError(); + "winTruncate1", pFile->zPath); + }else if( 0==osSetEndOfFile(pFile->h) && + ((lastErrno = osGetLastError())!=ERROR_USER_MAPPED_FILE) ){ + pFile->lastErrno = lastErrno; rc = winLogError(SQLITE_IOERR_TRUNCATE, pFile->lastErrno, - "winTruncate2", pFile->zPath); + "winTruncate2", pFile->zPath); } - OSTRACE(("TRUNCATE %d %lld %s\n", pFile->h, nByte, rc ? "failed" : "ok")); +#if SQLITE_MAX_MMAP_SIZE>0 + /* If the file was truncated to a size smaller than the currently + ** mapped region, reduce the effective mapping size as well. SQLite will + ** use read() and write() to access data beyond this point from now on. + */ + if( pFile->pMapRegion && nBytemmapSize ){ + pFile->mmapSize = nByte; + } +#endif + + OSTRACE(("TRUNCATE file=%p, rc=%s\n", pFile->h, sqlite3ErrName(rc))); return rc; } @@ -32471,13 +33116,14 @@ static int winSync(sqlite3_file *id, int flags){ || (flags&0x0F)==SQLITE_SYNC_FULL ); - OSTRACE(("SYNC %d lock=%d\n", pFile->h, pFile->locktype)); - /* Unix cannot, but some systems may return SQLITE_FULL from here. This ** line is to test that doing so does not cause any problems. */ SimulateDiskfullError( return SQLITE_FULL ); + OSTRACE(("SYNC file=%p, flags=%x, lock=%d\n", + pFile->h, flags, pFile->locktype)); + #ifndef SQLITE_TEST UNUSED_PARAMETER(flags); #else 
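Review bot: The new `winTruncate()` condition treats `SetEndOfFile()` failing with `ERROR_USER_MAPPED_FILE` as success — `rc` stays `SQLITE_OK`, `lastErrno` is not recorded and the file keeps its old length — even though the caller asked for it to be shortened, and the `pMapRegion && nByte<mmapSize` block below then lowers `mmapSize` as if the truncate had happened. If the intent is "truncation is impossible while a mapping exists, so defer it", that should be stated in a comment and ideally handled by unmapping first (`winUnmapfile()` is declared above) and retrying `SetEndOfFile()`, rather than silently reporting `SQLITE_OK`. The enclosing function starts in the previous hunk.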
@@ -32496,9 +33142,11 @@ static int winSync(sqlite3_file *id, int flags){ rc = osFlushFileBuffers(pFile->h); SimulateIOError( rc=FALSE ); if( rc ){ + OSTRACE(("SYNC file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; }else{ pFile->lastErrno = osGetLastError(); + OSTRACE(("SYNC file=%p, rc=SQLITE_IOERR_FSYNC\n", pFile->h)); return winLogError(SQLITE_IOERR_FSYNC, pFile->lastErrno, "winSync", pFile->zPath); } @@ -32513,7 +33161,10 @@ static int winFileSize(sqlite3_file *id, sqlite3_int64 *pSize){ int rc = SQLITE_OK; assert( id!=0 ); + assert( pSize!=0 ); SimulateIOError(return SQLITE_IOERR_FSTAT); + OSTRACE(("SIZE file=%p, pSize=%p\n", pFile->h, pSize)); + #if SQLITE_OS_WINRT { FILE_STANDARD_INFO info; @@ -32542,6 +33193,8 @@ static int winFileSize(sqlite3_file *id, sqlite3_int64 *pSize){ } } #endif + OSTRACE(("SIZE file=%p, pSize=%p, *pSize=%lld, rc=%s\n", + pFile->h, pSize, *pSize, sqlite3ErrName(rc))); return rc; } @@ -32583,6 +33236,7 @@ static int winFileSize(sqlite3_file *id, sqlite3_int64 *pSize){ */ static int getReadLock(winFile *pFile){ int res; + OSTRACE(("READ-LOCK file=%p, lock=%d\n", pFile->h, pFile->locktype)); if( isNT() ){ #if SQLITE_OS_WINCE /* @@ -32608,6 +33262,7 @@ static int getReadLock(winFile *pFile){ pFile->lastErrno = osGetLastError(); /* No need to log a failure to lock */ } + OSTRACE(("READ-LOCK file=%p, rc=%s\n", pFile->h, sqlite3ErrName(res))); return res; } @@ -32617,6 +33272,7 @@ static int getReadLock(winFile *pFile){ static int unlockReadLock(winFile *pFile){ int res; DWORD lastErrno; + OSTRACE(("READ-UNLOCK file=%p, lock=%d\n", pFile->h, pFile->locktype)); if( isNT() ){ res = winUnlockFile(&pFile->h, SHARED_FIRST, 0, SHARED_SIZE, 0); } @@ -32630,6 +33286,7 @@ static int unlockReadLock(winFile *pFile){ winLogError(SQLITE_IOERR_UNLOCK, pFile->lastErrno, "unlockReadLock", pFile->zPath); } + OSTRACE(("READ-UNLOCK file=%p, rc=%s\n", pFile->h, sqlite3ErrName(res))); return res; } 
@@ -32668,14 +33325,15 @@ static int winLock(sqlite3_file *id, int locktype){ DWORD lastErrno = NO_ERROR; assert( id!=0 ); - OSTRACE(("LOCK %d %d was %d(%d)\n", - pFile->h, locktype, pFile->locktype, pFile->sharedLockByte)); + OSTRACE(("LOCK file=%p, oldLock=%d(%d), newLock=%d\n", + pFile->h, pFile->locktype, pFile->sharedLockByte, locktype)); /* If there is already a lock of this type or more restrictive on the ** OsFile, do nothing. Don't use the end_lock: exit path, as ** sqlite3OsEnterMutex() hasn't been called yet. */ if( pFile->locktype>=locktype ){ + OSTRACE(("LOCK-HELD file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } @@ -32703,7 +33361,8 @@ static int winLock(sqlite3_file *id, int locktype){ ** If you are using this code as a model for alternative VFSes, do not ** copy this retry logic. It is a hack intended for Windows only. */ - OSTRACE(("could not get a PENDING lock. cnt=%d\n", cnt)); + OSTRACE(("LOCK-PENDING-FAIL file=%p, count=%d, rc=%s\n", + pFile->h, cnt, sqlite3ErrName(res))); if( cnt ) sqlite3_win32_sleep(1); } gotPendingLock = res; @@ -32748,14 +33407,12 @@ static int winLock(sqlite3_file *id, int locktype){ if( locktype==EXCLUSIVE_LOCK && res ){ assert( pFile->locktype>=SHARED_LOCK ); res = unlockReadLock(pFile); - OSTRACE(("unreadlock = %d\n", res)); res = winLockFile(&pFile->h, SQLITE_LOCKFILE_FLAGS, SHARED_FIRST, 0, SHARED_SIZE, 0); if( res ){ newLocktype = EXCLUSIVE_LOCK; }else{ lastErrno = osGetLastError(); - OSTRACE(("error-code = %d\n", lastErrno)); getReadLock(pFile); } } 
@@ -32773,12 +33430,14 @@ static int winLock(sqlite3_file *id, int locktype){ if( res ){ rc = SQLITE_OK; }else{ - OSTRACE(("LOCK FAILED %d trying for %d but got %d\n", pFile->h, - locktype, newLocktype)); + OSTRACE(("LOCK-FAIL file=%p, wanted=%d, got=%d\n", + pFile->h, locktype, newLocktype)); pFile->lastErrno = lastErrno; rc = SQLITE_BUSY; } pFile->locktype = (u8)newLocktype; + OSTRACE(("LOCK file=%p, lock=%d, rc=%s\n", + pFile->h, pFile->locktype, sqlite3ErrName(rc))); return rc; } @@ -32792,20 +33451,23 @@ static int winCheckReservedLock(sqlite3_file *id, int *pResOut){ winFile *pFile = (winFile*)id; SimulateIOError( return SQLITE_IOERR_CHECKRESERVEDLOCK; ); + OSTRACE(("TEST-WR-LOCK file=%p, pResOut=%p\n", pFile->h, pResOut)); assert( id!=0 ); if( pFile->locktype>=RESERVED_LOCK ){ rc = 1; - OSTRACE(("TEST WR-LOCK %d %d (local)\n", pFile->h, rc)); + OSTRACE(("TEST-WR-LOCK file=%p, rc=%d (local)\n", pFile->h, rc)); }else{ rc = winLockFile(&pFile->h, SQLITE_LOCKFILEEX_FLAGS,RESERVED_BYTE, 0, 1, 0); if( rc ){ winUnlockFile(&pFile->h, RESERVED_BYTE, 0, 1, 0); } rc = !rc; - OSTRACE(("TEST WR-LOCK %d %d (remote)\n", pFile->h, rc)); + OSTRACE(("TEST-WR-LOCK file=%p, rc=%d (remote)\n", pFile->h, rc)); } *pResOut = rc; + OSTRACE(("TEST-WR-LOCK file=%p, pResOut=%p, *pResOut=%d, rc=SQLITE_OK\n", + pFile->h, pResOut, *pResOut)); return SQLITE_OK; } @@ -32826,8 +33488,8 @@ static int winUnlock(sqlite3_file *id, int locktype){ int rc = SQLITE_OK; assert( pFile!=0 ); assert( locktype<=SHARED_LOCK ); - OSTRACE(("UNLOCK %d to %d was %d(%d)\n", pFile->h, locktype, - pFile->locktype, pFile->sharedLockByte)); + OSTRACE(("UNLOCK file=%p, oldLock=%d(%d), newLock=%d\n", + pFile->h, pFile->locktype, pFile->sharedLockByte, locktype)); type = pFile->locktype; if( type>=EXCLUSIVE_LOCK ){ winUnlockFile(&pFile->h, SHARED_FIRST, 0, SHARED_SIZE, 0); 
@@ -32848,6 +33510,8 @@ static int winUnlock(sqlite3_file *id, int locktype){ winUnlockFile(&pFile->h, PENDING_BYTE, 0, 1, 0); } pFile->locktype = (u8)locktype; + OSTRACE(("UNLOCK file=%p, lock=%d, rc=%s\n", + pFile->h, pFile->locktype, sqlite3ErrName(rc))); return rc; } @@ -32875,17 +33539,21 @@ static int getTempname(int nBuf, char *zBuf); */ static int winFileControl(sqlite3_file *id, int op, void *pArg){ winFile *pFile = (winFile*)id; + OSTRACE(("FCNTL file=%p, op=%d, pArg=%p\n", pFile->h, op, pArg)); switch( op ){ case SQLITE_FCNTL_LOCKSTATE: { *(int*)pArg = pFile->locktype; + OSTRACE(("FCNTL file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } case SQLITE_LAST_ERRNO: { *(int*)pArg = (int)pFile->lastErrno; + OSTRACE(("FCNTL file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } case SQLITE_FCNTL_CHUNK_SIZE: { pFile->szChunk = *(int *)pArg; + OSTRACE(("FCNTL file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } case SQLITE_FCNTL_SIZE_HINT: { @@ -32900,20 +33568,25 @@ static int winFileControl(sqlite3_file *id, int op, void *pArg){ SimulateIOErrorBenign(0); } } + OSTRACE(("FCNTL file=%p, rc=%s\n", pFile->h, sqlite3ErrName(rc))); return rc; } + OSTRACE(("FCNTL file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } case SQLITE_FCNTL_PERSIST_WAL: { winModeBit(pFile, WINFILE_PERSIST_WAL, (int*)pArg); + OSTRACE(("FCNTL file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } case SQLITE_FCNTL_POWERSAFE_OVERWRITE: { winModeBit(pFile, WINFILE_PSOW, (int*)pArg); + OSTRACE(("FCNTL file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } case SQLITE_FCNTL_VFSNAME: { *(char**)pArg = sqlite3_mprintf("win32"); + OSTRACE(("FCNTL file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } case SQLITE_FCNTL_WIN32_AV_RETRY: { @@ -32928,6 +33601,7 @@ static int winFileControl(sqlite3_file *id, int op, void *pArg){ }else{ a[1] = win32IoerrRetryDelay; } + OSTRACE(("FCNTL file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } case SQLITE_FCNTL_TEMPFILENAME: { 
@@ -32936,9 +33610,23 @@ static int winFileControl(sqlite3_file *id, int op, void *pArg){ getTempname(pFile->pVfs->mxPathname, zTFile); *(char**)pArg = zTFile; } + OSTRACE(("FCNTL file=%p, rc=SQLITE_OK\n", pFile->h)); return SQLITE_OK; } +#if SQLITE_MAX_MMAP_SIZE>0 + case SQLITE_FCNTL_MMAP_SIZE: { + i64 newLimit = *(i64*)pArg; + if( newLimit>sqlite3GlobalConfig.mxMmap ){ + newLimit = sqlite3GlobalConfig.mxMmap; + } + *(i64*)pArg = pFile->mmapSizeMax; + if( newLimit>=0 ) pFile->mmapSizeMax = newLimit; + OSTRACE(("FCNTL file=%p, rc=SQLITE_OK\n", pFile->h)); + return SQLITE_OK; + } +#endif } + OSTRACE(("FCNTL file=%p, rc=SQLITE_NOTFOUND\n", pFile->h)); return SQLITE_NOTFOUND; } @@ -32966,8 +33654,6 @@ static int winDeviceCharacteristics(sqlite3_file *id){ ((p->ctrlFlags & WINFILE_PSOW)?SQLITE_IOCAP_POWERSAFE_OVERWRITE:0); } -#ifndef SQLITE_OMIT_WAL - /* ** Windows will only let you create file view mappings ** on allocation size granularity boundaries. @@ -32976,6 +33662,8 @@ static int winDeviceCharacteristics(sqlite3_file *id){ */ SYSTEM_INFO winSysInfo; +#ifndef SQLITE_OMIT_WAL + /* ** Helper functions to obtain and relinquish the global mutex. The ** global mutex is used to protect the winLockInfo objects used by @@ -33099,6 +33787,9 @@ static int winShmSystemLock( /* Access to the winShmNode object is serialized by the caller */ assert( sqlite3_mutex_held(pFile->mutex) || pFile->nRef==0 ); + OSTRACE(("SHM-LOCK file=%p, lock=%d, offset=%d, size=%d\n", + pFile->hFile.h, lockType, ofst, nByte)); + /* Release/Acquire the system-level lock */ if( lockType==_SHM_UNLCK ){ rc = winUnlockFile(&pFile->hFile.h, ofst, 0, nByte, 0); 
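Review bot: The SQLITE_FCNTL_MMAP_SIZE case lowers pFile->mmapSizeMax but leaves an existing, possibly larger, mapping untouched: mmapSize, pMapRegion and hMap keep their values, so a limit reduced to 0 still holds the whole view and section handle until the next winMapfile or close. If the pager stops calling xFetch once the limit is 0 (the bUseFetch logic in the pager hunks suggests it does), this is a resource rather than a correctness issue, but it should be stated, e.g. `/* Only the limit for future mappings changes; an existing mapping survives until it is remapped or the file is closed. */`. A negative newLimit is ignored silently, which fits the read-the-old-value contract but also belongs in that comment.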
@@ -33116,11 +33807,9 @@ static int winShmSystemLock( rc = SQLITE_BUSY; } - OSTRACE(("SHM-LOCK %d %s %s 0x%08lx\n", - pFile->hFile.h, - rc==SQLITE_OK ? "ok" : "failed", - lockType==_SHM_UNLCK ? "UnlockFileEx" : "LockFileEx", - pFile->lastErrno)); + OSTRACE(("SHM-LOCK file=%p, func=%s, errno=%lu, rc=%s\n", + pFile->hFile.h, (lockType == _SHM_UNLCK) ? "winUnlockFile" : + "winLockFile", pFile->lastErrno, sqlite3ErrName(rc))); return rc; } @@ -33140,6 +33829,8 @@ static void winShmPurge(sqlite3_vfs *pVfs, int deleteFlag){ winShmNode *p; BOOL bRc; assert( winShmMutexHeld() ); + OSTRACE(("SHM-PURGE pid=%lu, deleteFlag=%d\n", + osGetCurrentProcessId(), deleteFlag)); pp = &winShmNodeList; while( (p = *pp)!=0 ){ if( p->nRef==0 ){ @@ -33147,13 +33838,11 @@ static void winShmPurge(sqlite3_vfs *pVfs, int deleteFlag){ if( p->mutex ) sqlite3_mutex_free(p->mutex); for(i=0; inRegion; i++){ bRc = osUnmapViewOfFile(p->aRegion[i].pMap); - OSTRACE(("SHM-PURGE pid-%d unmap region=%d %s\n", - (int)osGetCurrentProcessId(), i, - bRc ? "ok" : "failed")); + OSTRACE(("SHM-PURGE-UNMAP pid=%lu, region=%d, rc=%s\n", + osGetCurrentProcessId(), i, bRc ? "ok" : "failed")); bRc = osCloseHandle(p->aRegion[i].hMap); - OSTRACE(("SHM-PURGE pid-%d close region=%d %s\n", - (int)osGetCurrentProcessId(), i, - bRc ? "ok" : "failed")); + OSTRACE(("SHM-PURGE-CLOSE pid=%lu, region=%d, rc=%s\n", + osGetCurrentProcessId(), i, bRc ? "ok" : "failed")); } if( p->hFile.h!=NULL && p->hFile.h!=INVALID_HANDLE_VALUE ){ SimulateIOErrorBenign(1); @@ -33432,9 +34121,9 @@ static int winShmLock( } } sqlite3_mutex_leave(pShmNode->mutex); - OSTRACE(("SHM-LOCK shmid-%d, pid-%d got %03x,%03x %s\n", - p->id, (int)osGetCurrentProcessId(), p->sharedMask, p->exclMask, - rc ? "failed" : "ok")); + OSTRACE(("SHM-LOCK pid=%lu, id=%d, sharedMask=%03x, exclMask=%03x, rc=%s\n", + osGetCurrentProcessId(), p->id, p->sharedMask, p->exclMask, + sqlite3ErrName(rc))); return rc; } 
@@ -33555,8 +34244,8 @@ static int winShmMap( NULL, PAGE_READWRITE, 0, nByte, NULL ); #endif - OSTRACE(("SHM-MAP pid-%d create region=%d nbyte=%d %s\n", - (int)osGetCurrentProcessId(), pShmNode->nRegion, nByte, + OSTRACE(("SHM-MAP-CREATE pid=%lu, region=%d, size=%d, rc=%s\n", + osGetCurrentProcessId(), pShmNode->nRegion, nByte, hMap ? "ok" : "failed")); if( hMap ){ int iOffset = pShmNode->nRegion*szRegion; @@ -33570,8 +34259,8 @@ static int winShmMap( 0, iOffset - iOffsetShift, szRegion + iOffsetShift ); #endif - OSTRACE(("SHM-MAP pid-%d map region=%d offset=%d size=%d %s\n", - (int)osGetCurrentProcessId(), pShmNode->nRegion, iOffset, + OSTRACE(("SHM-MAP-MAP pid=%lu, region=%d, offset=%d, size=%d, rc=%s\n", + osGetCurrentProcessId(), pShmNode->nRegion, iOffset, szRegion, pMap ? "ok" : "failed")); } if( !pMap ){ 
@@ -33608,6 +34297,230 @@ shmpage_out: # define winShmUnmap 0 #endif /* #ifndef SQLITE_OMIT_WAL */ +/* +** Cleans up the mapped region of the specified file, if any. +*/ +#if SQLITE_MAX_MMAP_SIZE>0 +static int winUnmapfile(winFile *pFile){ + assert( pFile!=0 ); + OSTRACE(("UNMAP-FILE pid=%lu, pFile=%p, hMap=%p, pMapRegion=%p, " + "mmapSize=%lld, mmapSizeActual=%lld, mmapSizeMax=%lld\n", + osGetCurrentProcessId(), pFile, pFile->hMap, pFile->pMapRegion, + pFile->mmapSize, pFile->mmapSizeActual, pFile->mmapSizeMax)); + if( pFile->pMapRegion ){ + if( !osUnmapViewOfFile(pFile->pMapRegion) ){ + pFile->lastErrno = osGetLastError(); + OSTRACE(("UNMAP-FILE pid=%lu, pFile=%p, pMapRegion=%p, " + "rc=SQLITE_IOERR_MMAP\n", osGetCurrentProcessId(), pFile, + pFile->pMapRegion)); + return winLogError(SQLITE_IOERR_MMAP, pFile->lastErrno, + "winUnmap1", pFile->zPath); + } + pFile->pMapRegion = 0; + pFile->mmapSize = 0; + pFile->mmapSizeActual = 0; + } + if( pFile->hMap!=NULL ){ + if( !osCloseHandle(pFile->hMap) ){ + pFile->lastErrno = osGetLastError(); + OSTRACE(("UNMAP-FILE pid=%lu, pFile=%p, hMap=%p, rc=SQLITE_IOERR_MMAP\n", + osGetCurrentProcessId(), pFile, pFile->hMap)); + return winLogError(SQLITE_IOERR_MMAP, pFile->lastErrno, + "winUnmap2", pFile->zPath); + } + pFile->hMap = NULL; + } + OSTRACE(("UNMAP-FILE pid=%lu, pFile=%p, rc=SQLITE_OK\n", + osGetCurrentProcessId(), pFile)); + return SQLITE_OK; +} + +/* +** Memory map or remap the file opened by file-descriptor pFd (if the file +** is already mapped, the existing mapping is replaced by the new). Or, if +** there already exists a mapping for this file, and there are still +** outstanding xFetch() references to it, this function is a no-op. +** +** If parameter nByte is non-negative, then it is the requested size of +** the mapping to create. Otherwise, if nByte is less than zero, then the +** requested size is the size of the file on disk. 
The actual size of the +** created mapping is either the requested size or the value configured +** using SQLITE_FCNTL_MMAP_SIZE, whichever is smaller. +** +** SQLITE_OK is returned if no error occurs (even if the mapping is not +** recreated as a result of outstanding references) or an SQLite error +** code otherwise. +*/ +static int winMapfile(winFile *pFd, sqlite3_int64 nByte){ + sqlite3_int64 nMap = nByte; + int rc; + + assert( nMap>=0 || pFd->nFetchOut==0 ); + OSTRACE(("MAP-FILE pid=%lu, pFile=%p, size=%lld\n", + osGetCurrentProcessId(), pFd, nByte)); + + if( pFd->nFetchOut>0 ) return SQLITE_OK; + + if( nMap<0 ){ + rc = winFileSize((sqlite3_file*)pFd, &nMap); + if( rc ){ + OSTRACE(("MAP-FILE pid=%lu, pFile=%p, rc=SQLITE_IOERR_FSTAT\n", + osGetCurrentProcessId(), pFd)); + return SQLITE_IOERR_FSTAT; + } + } + if( nMap>pFd->mmapSizeMax ){ + nMap = pFd->mmapSizeMax; + } + nMap &= ~(sqlite3_int64)(winSysInfo.dwPageSize - 1); + + if( nMap==0 && pFd->mmapSize>0 ){ + winUnmapfile(pFd); + } + if( nMap!=pFd->mmapSize ){ + void *pNew = 0; + DWORD protect = PAGE_READONLY; + DWORD flags = FILE_MAP_READ; + + winUnmapfile(pFd); + if( (pFd->ctrlFlags & WINFILE_RDONLY)==0 ){ + protect = PAGE_READWRITE; + flags |= FILE_MAP_WRITE; + } +#if SQLITE_OS_WINRT + pFd->hMap = osCreateFileMappingFromApp(pFd->h, NULL, protect, nMap, NULL); +#elif defined(SQLITE_WIN32_HAS_WIDE) + pFd->hMap = osCreateFileMappingW(pFd->h, NULL, protect, + (DWORD)((nMap>>32) & 0xffffffff), + (DWORD)(nMap & 0xffffffff), NULL); +#elif defined(SQLITE_WIN32_HAS_ANSI) + pFd->hMap = osCreateFileMappingA(pFd->h, NULL, protect, + (DWORD)((nMap>>32) & 0xffffffff), + (DWORD)(nMap & 0xffffffff), NULL); +#endif + if( pFd->hMap==NULL ){ + pFd->lastErrno = osGetLastError(); + rc = winLogError(SQLITE_IOERR_MMAP, pFd->lastErrno, + "winMapfile", pFd->zPath); + /* Log the error, but continue normal operation using xRead/xWrite */ + OSTRACE(("MAP-FILE-CREATE pid=%lu, pFile=%p, rc=SQLITE_IOERR_MMAP\n", + 
osGetCurrentProcessId(), pFd)); + return SQLITE_OK; + } + assert( (nMap % winSysInfo.dwPageSize)==0 ); +#if SQLITE_OS_WINRT + pNew = osMapViewOfFileFromApp(pFd->hMap, flags, 0, nMap); +#else + assert( sizeof(SIZE_T)==sizeof(sqlite3_int64) || nMap<=0xffffffff ); + pNew = osMapViewOfFile(pFd->hMap, flags, 0, 0, (SIZE_T)nMap); +#endif + if( pNew==NULL ){ + osCloseHandle(pFd->hMap); + pFd->hMap = NULL; + pFd->lastErrno = osGetLastError(); + winLogError(SQLITE_IOERR_MMAP, pFd->lastErrno, + "winMapfile", pFd->zPath); + OSTRACE(("MAP-FILE-MAP pid=%lu, pFile=%p, rc=SQLITE_IOERR_MMAP\n", + osGetCurrentProcessId(), pFd)); + return SQLITE_OK; + } + pFd->pMapRegion = pNew; + pFd->mmapSize = nMap; + pFd->mmapSizeActual = nMap; + } + + OSTRACE(("MAP-FILE pid=%lu, pFile=%p, rc=SQLITE_OK\n", + osGetCurrentProcessId(), pFd)); + return SQLITE_OK; +} +#endif /* SQLITE_MAX_MMAP_SIZE>0 */ + +/* +** If possible, return a pointer to a mapping of file fd starting at offset +** iOff. The mapping must be valid for at least nAmt bytes. +** +** If such a pointer can be obtained, store it in *pp and return SQLITE_OK. +** Or, if one cannot but no error occurs, set *pp to 0 and return SQLITE_OK. +** Finally, if an error does occur, return an SQLite error code. The final +** value of *pp is undefined in this case. +** +** If this function does return a pointer, the caller must eventually +** release the reference by calling winUnfetch(). 
+*/ +static int winFetch(sqlite3_file *fd, i64 iOff, int nAmt, void **pp){ +#if SQLITE_MAX_MMAP_SIZE>0 + winFile *pFd = (winFile*)fd; /* The underlying database file */ +#endif + *pp = 0; + + OSTRACE(("FETCH pid=%lu, pFile=%p, offset=%lld, amount=%d, pp=%p\n", + osGetCurrentProcessId(), fd, iOff, nAmt, pp)); + +#if SQLITE_MAX_MMAP_SIZE>0 + if( pFd->mmapSizeMax>0 ){ + if( pFd->pMapRegion==0 ){ + int rc = winMapfile(pFd, -1); + if( rc!=SQLITE_OK ){ + OSTRACE(("FETCH pid=%lu, pFile=%p, rc=%s\n", + osGetCurrentProcessId(), pFd, sqlite3ErrName(rc))); + return rc; + } + } + if( pFd->mmapSize >= iOff+nAmt ){ + *pp = &((u8 *)pFd->pMapRegion)[iOff]; + pFd->nFetchOut++; + } + } +#endif + + OSTRACE(("FETCH pid=%lu, pFile=%p, pp=%p, *pp=%p, rc=SQLITE_OK\n", + osGetCurrentProcessId(), fd, pp, *pp)); + return SQLITE_OK; +} + +/* +** If the third argument is non-NULL, then this function releases a +** reference obtained by an earlier call to winFetch(). The second +** argument passed to this function must be the same as the corresponding +** argument that was passed to the winFetch() invocation. +** +** Or, if the third argument is NULL, then this function is being called +** to inform the VFS layer that, according to POSIX, any existing mapping +** may now be invalid and should be unmapped. +*/ +static int winUnfetch(sqlite3_file *fd, i64 iOff, void *p){ +#if SQLITE_MAX_MMAP_SIZE>0 + winFile *pFd = (winFile*)fd; /* The underlying database file */ + + /* If p==0 (unmap the entire file) then there must be no outstanding + ** xFetch references. Or, if p!=0 (meaning it is an xFetch reference), + ** then there must be at least one outstanding. */ + assert( (p==0)==(pFd->nFetchOut==0) ); + + /* If p!=0, it must match the iOff value. 
*/ + assert( p==0 || p==&((u8 *)pFd->pMapRegion)[iOff] ); + + OSTRACE(("UNFETCH pid=%lu, pFile=%p, offset=%lld, p=%p\n", + osGetCurrentProcessId(), pFd, iOff, p)); + + if( p ){ + pFd->nFetchOut--; + }else{ + /* FIXME: If Windows truly always prevents truncating or deleting a + ** file while a mapping is held, then the following winUnmapfile() call + ** is unnecessary can can be omitted - potentially improving + ** performance. */ + winUnmapfile(pFd); + } + + assert( pFd->nFetchOut>=0 ); +#endif + + OSTRACE(("UNFETCH pid=%lu, pFile=%p, rc=SQLITE_OK\n", + osGetCurrentProcessId(), fd)); + return SQLITE_OK; +} + /* ** Here ends the implementation of all sqlite3_file methods. ** @@ -33619,7 +34532,7 @@ shmpage_out: ** sqlite3_file for win32. */ static const sqlite3_io_methods winIoMethod = { - 2, /* iVersion */ + 3, /* iVersion */ winClose, /* xClose */ winRead, /* xRead */ winWrite, /* xWrite */ @@ -33635,7 +34548,9 @@ static const sqlite3_io_methods winIoMethod = { winShmMap, /* xShmMap */ winShmLock, /* xShmLock */ winShmBarrier, /* xShmBarrier */ - winShmUnmap /* xShmUnmap */ + winShmUnmap, /* xShmUnmap */ + winFetch, /* xFetch */ + winUnfetch /* xUnfetch */ }; /**************************************************************************** @@ -33699,6 +34614,7 @@ static int getTempname(int nBuf, char *zBuf){ sqlite3_snprintf(MAX_PATH-30, zTempPath, "%s", zMulti); sqlite3_free(zMulti); }else{ + OSTRACE(("TEMP-FILENAME rc=SQLITE_IOERR_NOMEM\n")); return SQLITE_IOERR_NOMEM; } } @@ -33712,6 +34628,7 @@ static int getTempname(int nBuf, char *zBuf){ sqlite3_snprintf(MAX_PATH-30, zTempPath, "%s", zUtf8); sqlite3_free(zUtf8); }else{ + OSTRACE(("TEMP-FILENAME rc=SQLITE_IOERR_NOMEM\n")); return SQLITE_IOERR_NOMEM; } } @@ -33724,6 +34641,7 @@ static int getTempname(int nBuf, char *zBuf){ nTempPath = sqlite3Strlen30(zTempPath); if( (nTempPath + sqlite3Strlen30(SQLITE_TEMP_FILE_PREFIX) + 18) >= nBuf ){ + OSTRACE(("TEMP-FILENAME rc=SQLITE_ERROR\n")); return SQLITE_ERROR; } 
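Review bot: winMapfile discards the result of `winUnmapfile(pFd);` on the remap path; when UnmapViewOfFile or CloseHandle fails, winUnmapfile returns early with pMapRegion or hMap still set, and the CreateFileMapping that follows overwrites hMap, leaking the old section handle and leaving the old view mapped. Checking it — `rc = winUnmapfile(pFd); if( rc!=SQLITE_OK ) return rc;` — keeps the two handles consistent with the state fields. Separately, nothing in winFetch can intercept a fault on the pointer it hands out: reading a mapped page whose backing file has become unavailable raises an in-page exception in the caller instead of SQLITE_IOERR, which is the main operational risk of enabling mmap on Windows and is worth a sentence in the winFetch header comment. The 32-bit `(SIZE_T)nMap` cast is guarded only by an assert, so in a release build a limit above 4 GiB would truncate silently; clamping nMap in winMapfile instead of relying on the assert would be safer.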
@@ -33741,8 +34659,8 @@ static int getTempname(int nBuf, char *zBuf){ zBuf[j] = 0; zBuf[j+1] = 0; - OSTRACE(("TEMP FILENAME: %s\n", zBuf)); - return SQLITE_OK; + OSTRACE(("TEMP-FILENAME name=%s, rc=SQLITE_OK\n", zBuf)); + return SQLITE_OK; } /* @@ -33811,9 +34729,7 @@ static int winOpen( int isExclusive = (flags & SQLITE_OPEN_EXCLUSIVE); int isDelete = (flags & SQLITE_OPEN_DELETEONCLOSE); int isCreate = (flags & SQLITE_OPEN_CREATE); -#ifndef NDEBUG int isReadonly = (flags & SQLITE_OPEN_READONLY); -#endif int isReadWrite = (flags & SQLITE_OPEN_READWRITE); #ifndef NDEBUG @@ -33824,6 +34740,9 @@ static int winOpen( )); #endif + OSTRACE(("OPEN name=%s, pFile=%p, flags=%x, pOutFlags=%p\n", + zUtf8Name, id, flags, pOutFlags)); + /* Check the following statements are true: ** ** (a) Exactly one of the READWRITE and READONLY flags must be set, and @@ -33869,6 +34788,7 @@ static int winOpen( memset(zTmpname, 0, MAX_PATH+2); rc = getTempname(MAX_PATH+2, zTmpname); if( rc!=SQLITE_OK ){ + OSTRACE(("OPEN name=%s, rc=%s", zUtf8Name, sqlite3ErrName(rc))); return rc; } zUtf8Name = zTmpname; @@ -33884,11 +34804,13 @@ static int winOpen( /* Convert the filename to the system encoding. */ zConverted = convertUtf8Filename(zUtf8Name); if( zConverted==0 ){ + OSTRACE(("OPEN name=%s, rc=SQLITE_IOERR_NOMEM", zUtf8Name)); return SQLITE_IOERR_NOMEM; } if( winIsDir(zConverted) ){ sqlite3_free(zConverted); + OSTRACE(("OPEN name=%s, rc=SQLITE_CANTOPEN_ISDIR", zUtf8Name)); return SQLITE_CANTOPEN_ISDIR; } @@ -33979,9 +34901,8 @@ static int winOpen( #endif logIoerr(cnt); - OSTRACE(("OPEN %d %s 0x%lx %s\n", - h, zName, dwDesiredAccess, - h==INVALID_HANDLE_VALUE ? "failed" : "ok")); + OSTRACE(("OPEN file=%p, name=%s, access=%lx, rc=%s\n", h, zUtf8Name, + dwDesiredAccess, (h==INVALID_HANDLE_VALUE) ? "failed" : "ok")); if( h==INVALID_HANDLE_VALUE ){ pFile->lastErrno = lastErrno; 
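Review bot: The error-path traces added in winOpen — `OSTRACE(("OPEN name=%s, rc=%s", zUtf8Name, sqlite3ErrName(rc)));` and the SQLITE_IOERR_NOMEM and SQLITE_CANTOPEN_ISDIR ones — lack the trailing `\n` that every other trace in this series ends with, so the following trace line is glued onto them; add `\n` to each format string. In the earlier hunk the new entry trace prints zUtf8Name before the temp-file branch assigns `zUtf8Name = zTmpname;`, so for a temp file it is presumably NULL at that point; whether the trace printf tolerates a NULL `%s` is not visible here and should be confirmed, or the argument written as `zUtf8Name ? zUtf8Name : "(temp)"`. winOpen's body continues beyond these hunks.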
@@ -34005,12 +34926,17 @@ static int winOpen( } } + OSTRACE(("OPEN file=%p, name=%s, access=%lx, pOutFlags=%p, *pOutFlags=%d, " + "rc=%s\n", h, zUtf8Name, dwDesiredAccess, pOutFlags, pOutFlags ? + *pOutFlags : 0, (h==INVALID_HANDLE_VALUE) ? "failed" : "ok")); + #if SQLITE_OS_WINCE if( isReadWrite && eType==SQLITE_OPEN_MAIN_DB && (rc = winceCreateLock(zName, pFile))!=SQLITE_OK ){ osCloseHandle(h); sqlite3_free(zConverted); + OSTRACE(("OPEN-CE-LOCK name=%s, rc=%s\n", zName, sqlite3ErrName(rc))); return rc; } if( isTemp ){ @@ -34024,11 +34950,21 @@ static int winOpen( pFile->pMethod = &winIoMethod; pFile->pVfs = pVfs; pFile->h = h; + if( isReadonly ){ + pFile->ctrlFlags |= WINFILE_RDONLY; + } if( sqlite3_uri_boolean(zName, "psow", SQLITE_POWERSAFE_OVERWRITE) ){ pFile->ctrlFlags |= WINFILE_PSOW; } pFile->lastErrno = NO_ERROR; pFile->zPath = zName; +#if SQLITE_MAX_MMAP_SIZE>0 + pFile->hMap = NULL; + pFile->pMapRegion = 0; + pFile->mmapSize = 0; + pFile->mmapSizeActual = 0; + pFile->mmapSizeMax = sqlite3GlobalConfig.szMmap; +#endif OpenCounter(+1); return rc; @@ -34060,6 +34996,8 @@ static int winDelete( UNUSED_PARAMETER(syncDir); SimulateIOError(return SQLITE_IOERR_DELETE); + OSTRACE(("DELETE name=%s, syncDir=%d\n", zFilename, syncDir)); + zConverted = convertUtf8Filename(zFilename); if( zConverted==0 ){ return SQLITE_IOERR_NOMEM; @@ -34145,7 +35083,7 @@ static int winDelete( logIoerr(cnt); } sqlite3_free(zConverted); - OSTRACE(("DELETE \"%s\" %s\n", zFilename, (rc ? "failed" : "ok" ))); + OSTRACE(("DELETE name=%s, rc=%s\n", zFilename, sqlite3ErrName(rc))); return rc; } @@ -34165,8 +35103,12 @@ static int winAccess( UNUSED_PARAMETER(pVfs); SimulateIOError( return SQLITE_IOERR_ACCESS; ); + OSTRACE(("ACCESS name=%s, flags=%x, pResOut=%p\n", + zFilename, flags, pResOut)); + zConverted = convertUtf8Filename(zFilename); if( zConverted==0 ){ + OSTRACE(("ACCESS name=%s, rc=SQLITE_IOERR_NOMEM\n", zFilename)); return SQLITE_IOERR_NOMEM; } if( isNT() ){ 
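Review bot: The per-file mmap initialisation sets `pFile->mmapSizeMax = sqlite3GlobalConfig.szMmap;` without the clamp to sqlite3GlobalConfig.mxMmap that the SQLITE_FCNTL_MMAP_SIZE handler applies, so the initial limit depends on sqlite3_config keeping szMmap at or below mxMmap; if that is enforced elsewhere (not visible here) a comment saying so is enough, otherwise clamp here as well. The new `WINFILE_RDONLY` bit is what later selects PAGE_READONLY/FILE_MAP_READ in winMapfile, a coupling worth a line next to it: `/* Also selects the protection winMapfile() uses for the mapping. */`. winOpen's body runs past this hunk.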
@@ -34217,6 +35159,8 @@ static int winAccess( assert(!"Invalid flags argument"); } *pResOut = rc; + OSTRACE(("ACCESS name=%s, pResOut=%p, *pResOut=%d, rc=SQLITE_OK\n", + zFilename, pResOut, *pResOut)); return SQLITE_OK; } @@ -34657,7 +35601,6 @@ SQLITE_API int sqlite3_os_init(void){ ** correctly. See ticket [bb3a86e890c8e96ab] */ assert( ArraySize(aSyscall)==74 ); -#ifndef SQLITE_OMIT_WAL /* get memory map allocation granularity */ memset(&winSysInfo, 0, sizeof(SYSTEM_INFO)); #if SQLITE_OS_WINRT @@ -34665,8 +35608,8 @@ SQLITE_API int sqlite3_os_init(void){ #else osGetSystemInfo(&winSysInfo); #endif - assert(winSysInfo.dwAllocationGranularity > 0); -#endif + assert( winSysInfo.dwAllocationGranularity>0 ); + assert( winSysInfo.dwPageSize>0 ); sqlite3_vfs_register(&winVfs, 1); return SQLITE_OK; @@ -37303,7 +38246,6 @@ SQLITE_PRIVATE int sqlite3RowSetTest(RowSet *pRowSet, u8 iBatch, sqlite3_int64 i # define sqlite3WalClose(w,x,y,z) 0 # define sqlite3WalBeginReadTransaction(y,z) 0 # define sqlite3WalEndReadTransaction(z) -# define sqlite3WalRead(v,w,x,y,z) 0 # define sqlite3WalDbsize(y) 0 # define sqlite3WalBeginWriteTransaction(y) 0 # define sqlite3WalEndWriteTransaction(x) 0 @@ -37316,6 +38258,7 @@ SQLITE_PRIVATE int sqlite3RowSetTest(RowSet *pRowSet, u8 iBatch, sqlite3_int64 i # define sqlite3WalExclusiveMode(y,z) 0 # define sqlite3WalHeapMemory(z) 0 # define sqlite3WalFramesize(z) 0 +# define sqlite3WalFindFrame(x,y,z) 0 #else #define WAL_SAVEPOINT_NDATA 4 
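Review bot: `assert( winSysInfo.dwPageSize>0 );` only protects the page rounding in winMapfile in debug builds; with a zero dwPageSize in a release build, `nMap &= ~(sqlite3_int64)(winSysInfo.dwPageSize - 1)` rounds down to a multiple of 4 GiB — zero for any realistic file — and mmap is disabled quietly. That cannot happen as long as this osGetSystemInfo block, now outside SQLITE_OMIT_WAL, runs before any mapping, but the ordering dependency is silent; a comment here such as `/* winMapfile() rounds mapping sizes with dwPageSize; this must run before any file is opened. */` would make it visible. sqlite3_os_init ends within this hunk.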
@@ -37343,7 +38286,8 @@ SQLITE_PRIVATE int sqlite3WalBeginReadTransaction(Wal *pWal, int *); SQLITE_PRIVATE void sqlite3WalEndReadTransaction(Wal *pWal); /* Read a page from the write-ahead log, if it is present. */ -SQLITE_PRIVATE int sqlite3WalRead(Wal *pWal, Pgno pgno, int *pInWal, int nOut, u8 *pOut); +SQLITE_PRIVATE int sqlite3WalFindFrame(Wal *, Pgno, u32 *); +SQLITE_PRIVATE int sqlite3WalReadFrame(Wal *, u32, int, u8 *); /* If the WAL is not empty, return the size of the database. */ SQLITE_PRIVATE Pgno sqlite3WalDbsize(Wal *pWal); @@ -38043,6 +38987,11 @@ struct Pager { PagerSavepoint *aSavepoint; /* Array of active savepoints */ int nSavepoint; /* Number of elements in aSavepoint[] */ char dbFileVers[16]; /* Changes whenever database file changes */ + + u8 bUseFetch; /* True to use xFetch() */ + int nMmapOut; /* Number of mmap pages currently outstanding */ + sqlite3_int64 szMmap; /* Desired maximum mmap size */ + PgHdr *pMmapFreelist; /* List of free mmap page headers (pDirty) */ /* ** End of the routinely-changing class members ***************************************************************************/ @@ -38153,6 +39102,16 @@ static const unsigned char aJournalMagic[] = { # define MEMDB pPager->memDb #endif +/* +** The macro USEFETCH is true if we are allowed to use the xFetch and xUnfetch +** interfaces to access the database using memory-mapped I/O. +*/ +#if SQLITE_MAX_MMAP_SIZE>0 +# define USEFETCH(x) ((x)->bUseFetch) +#else +# define USEFETCH(x) 0 +#endif + /* ** The maximum legal page number is (2^31 - 1). */ @@ -39640,7 +40599,7 @@ static int pager_playback_one_page( i64 ofst = (pgno-1)*(i64)pPager->pageSize; testcase( !isSavepnt && pPg!=0 && (pPg->flags&PGHDR_NEED_SYNC)!=0 ); assert( !pagerUseWal(pPager) ); - rc = sqlite3OsWrite(pPager->fd, (u8*)aData, pPager->pageSize, ofst); + rc = sqlite3OsWrite(pPager->fd, (u8 *)aData, pPager->pageSize, ofst); if( pgno>pPager->dbFileSize ){ pPager->dbFileSize = pgno; } 
@@ -40031,6 +40990,7 @@ static int pager_playback(Pager *pPager, int isHot){ int res = 1; /* Value returned by sqlite3OsAccess() */ char *zMaster = 0; /* Name of master journal file if any */ int needPagerReset; /* True to reset page prior to first page rollback */ + int nPlayback = 0; /* Total number of pages restored from journal */ /* Figure out how many records are in the journal. Abort early if ** the journal is empty. @@ -40131,7 +41091,9 @@ static int pager_playback(Pager *pPager, int isHot){ needPagerReset = 0; } rc = pager_playback_one_page(pPager,&pPager->journalOff,0,1,0); - if( rc!=SQLITE_OK ){ + if( rc==SQLITE_OK ){ + nPlayback++; + }else{ if( rc==SQLITE_DONE ){ pPager->journalOff = szJ; break; @@ -40201,6 +41163,10 @@ end_playback: rc = pager_delmaster(pPager, zMaster); testcase( rc!=SQLITE_OK ); } + if( isHot && nPlayback ){ + sqlite3_log(SQLITE_NOTICE_RECOVER_ROLLBACK, "recovered %d pages from %s", + nPlayback, pPager->zJournal); + } /* The Pager.sectorSize variable may have been updated while rolling ** back a journal created by a process with a different sector size @@ -40222,11 +41188,10 @@ end_playback: ** If an IO error occurs, then the IO error is returned to the caller. ** Otherwise, SQLITE_OK is returned. */ -static int readDbPage(PgHdr *pPg){ +static int readDbPage(PgHdr *pPg, u32 iFrame){ Pager *pPager = pPg->pPager; /* Pager object associated with page pPg */ Pgno pgno = pPg->pgno; /* Page number to read */ int rc = SQLITE_OK; /* Return code */ - int isInWal = 0; /* True if page is in log file */ int pgsz = pPager->pageSize; /* Number of bytes to read */ assert( pPager->eState>=PAGER_READER && !MEMDB ); 
@@ -40238,11 +41203,13 @@ static int readDbPage(PgHdr *pPg){ return SQLITE_OK; } - if( pagerUseWal(pPager) ){ +#ifndef SQLITE_OMIT_WAL + if( iFrame ){ /* Try to pull the page from the write-ahead log. */ - rc = sqlite3WalRead(pPager->pWal, pgno, &isInWal, pgsz, pPg->pData); - } - if( rc==SQLITE_OK && !isInWal ){ + rc = sqlite3WalReadFrame(pPager->pWal, iFrame, pgsz, pPg->pData); + }else +#endif + { i64 iOffset = (pgno-1)*(i64)pPager->pageSize; rc = sqlite3OsRead(pPager->fd, pPg->pData, pgsz, iOffset); if( rc==SQLITE_IOERR_SHORT_READ ){ @@ -40321,12 +41288,17 @@ static int pagerUndoCallback(void *pCtx, Pgno iPg){ Pager *pPager = (Pager *)pCtx; PgHdr *pPg; + assert( pagerUseWal(pPager) ); pPg = sqlite3PagerLookup(pPager, iPg); if( pPg ){ if( sqlite3PcachePageRefcount(pPg)==1 ){ sqlite3PcacheDrop(pPg); }else{ - rc = readDbPage(pPg); + u32 iFrame = 0; + rc = sqlite3WalFindFrame(pPager->pWal, pPg->pgno, &iFrame); + if( rc==SQLITE_OK ){ + rc = readDbPage(pPg, iFrame); + } if( rc==SQLITE_OK ){ pPager->xReiniter(pPg); } @@ -40470,6 +41442,7 @@ static int pagerBeginReadTransaction(Pager *pPager){ rc = sqlite3WalBeginReadTransaction(pPager->pWal, &changed); if( rc!=SQLITE_OK || changed ){ pager_reset(pPager); + if( USEFETCH(pPager) ) sqlite3OsUnfetch(pPager->fd, 0, 0); } return rc; 
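Review bot: `if( USEFETCH(pPager) ) sqlite3OsUnfetch(pPager->fd, 0, 0);` asks the VFS to drop the entire mapping, and the win32 xUnfetch only asserts that no xFetch references remain; the pager's own counter, nMmapOut from the Pager struct hunk, is not consulted here. If a mapped page can still be referenced when a read transaction begins on a changed WAL, a release build would unmap memory a PgHdr still points at. Adding `assert( pPager->nMmapOut==0 );` ahead of the call states and enforces the invariant at the pager level, which is where it is actually known. pagerBeginReadTransaction starts before this hunk.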
@@ -40731,6 +41704,29 @@ SQLITE_PRIVATE void sqlite3PagerSetCachesize(Pager *pPager, int mxPage){ sqlite3PcacheSetCachesize(pPager->pPCache, mxPage); } +/* +** Invoke SQLITE_FCNTL_MMAP_SIZE based on the current value of szMmap. +*/ +static void pagerFixMaplimit(Pager *pPager){ +#if SQLITE_MAX_MMAP_SIZE>0 + sqlite3_file *fd = pPager->fd; + if( isOpen(fd) ){ + sqlite3_int64 sz; + pPager->bUseFetch = (fd->pMethods->iVersion>=3) && pPager->szMmap>0; + sz = pPager->szMmap; + sqlite3OsFileControlHint(pPager->fd, SQLITE_FCNTL_MMAP_SIZE, &sz); + } +#endif +} + +/* +** Change the maximum size of any memory mapping made of the database file. +*/ +SQLITE_PRIVATE void sqlite3PagerSetMmapLimit(Pager *pPager, sqlite3_int64 szMmap){ + pPager->szMmap = szMmap; + pagerFixMaplimit(pPager); +} + /* ** Free as much memory as possible from the pager. */ @@ -40966,6 +41962,7 @@ SQLITE_PRIVATE int sqlite3PagerSetPagesize(Pager *pPager, u32 *pPageSize, int nR assert( nReserve>=0 && nReserve<1000 ); pPager->nReserve = (i16)nReserve; pagerReportSize(pPager); + pagerFixMaplimit(pPager); } return rc; } 
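Review bot: pagerFixMaplimit sets `bUseFetch` from the VFS version and szMmap before sending the hint, but the VFS may clamp or refuse the size (the win32 handler returns the previous limit in `sz` and ignores negative values) and the returned `sz` is discarded, so bUseFetch means "the pager will attempt xFetch", not "the file is mapped". A short comment on the assignment would prevent that misreading: `/* bUseFetch only records that xFetch may be tried; the VFS may still decline to map, in which case xFetch hands back a NULL pointer. */`. Both new functions are complete within the hunk.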
@@ -41191,6 +42188,81 @@ static int pagerSyncHotJournal(Pager *pPager){ return rc; } +/* +** Obtain a reference to a memory mapped page object for page number pgno. +** The new object will use the pointer pData, obtained from xFetch(). +** If successful, set *ppPage to point to the new page reference +** and return SQLITE_OK. Otherwise, return an SQLite error code and set +** *ppPage to zero. +** +** Page references obtained by calling this function should be released +** by calling pagerReleaseMapPage(). +*/ +static int pagerAcquireMapPage( + Pager *pPager, /* Pager object */ + Pgno pgno, /* Page number */ + void *pData, /* xFetch()'d data for this page */ + PgHdr **ppPage /* OUT: Acquired page object */ +){ + PgHdr *p; /* Memory mapped page to return */ + + if( pPager->pMmapFreelist ){ + *ppPage = p = pPager->pMmapFreelist; + pPager->pMmapFreelist = p->pDirty; + p->pDirty = 0; + memset(p->pExtra, 0, pPager->nExtra); + }else{ + *ppPage = p = (PgHdr *)sqlite3MallocZero(sizeof(PgHdr) + pPager->nExtra); + if( p==0 ){ + sqlite3OsUnfetch(pPager->fd, (i64)(pgno-1) * pPager->pageSize, pData); + return SQLITE_NOMEM; + } + p->pExtra = (void *)&p[1]; + p->flags = PGHDR_MMAP; + p->nRef = 1; + p->pPager = pPager; + } + + assert( p->pExtra==(void *)&p[1] ); + assert( p->pPage==0 ); + assert( p->flags==PGHDR_MMAP ); + assert( p->pPager==pPager ); + assert( p->nRef==1 ); + + p->pgno = pgno; + p->pData = pData; + pPager->nMmapOut++; + + return SQLITE_OK; +} + +/* +** Release a reference to page pPg. pPg must have been returned by an +** earlier call to pagerAcquireMapPage(). +*/ +static void pagerReleaseMapPage(PgHdr *pPg){ + Pager *pPager = pPg->pPager; + pPager->nMmapOut--; + pPg->pDirty = pPager->pMmapFreelist; + pPager->pMmapFreelist = pPg; + + assert( pPager->fd->pMethods->iVersion>=3 ); + sqlite3OsUnfetch(pPager->fd, (i64)(pPg->pgno-1)*pPager->pageSize, pPg->pData); +} + +/* +** Free all PgHdr objects stored in the Pager.pMmapFreelist list. 
+*/ +static void pagerFreeMapHdrs(Pager *pPager){ + PgHdr *p; + PgHdr *pNext; + for(p=pPager->pMmapFreelist; p; p=pNext){ + pNext = p->pDirty; + sqlite3_free(p); + } +} + + /* ** Shutdown the page cache. Free all memory and close all files. ** @@ -41211,6 +42283,7 @@ SQLITE_PRIVATE int sqlite3PagerClose(Pager *pPager){ assert( assert_pager_state(pPager) ); disable_simulated_io_errors(); sqlite3BeginBenignMalloc(); + pagerFreeMapHdrs(pPager); /* pPager->errCode = 0; */ pPager->exclusiveMode = 0; #ifndef SQLITE_OMIT_WAL @@ -41472,7 +42545,9 @@ static int pager_write_pagelist(Pager *pPager, PgHdr *pList){ ** file size will be. */ assert( rc!=SQLITE_OK || isOpen(pPager->fd) ); - if( rc==SQLITE_OK && pPager->dbSize>pPager->dbHintSize ){ + if( rc==SQLITE_OK + && (pList->pDirty ? pPager->dbSize : pList->pgno+1)>pPager->dbHintSize + ){ sqlite3_int64 szFile = pPager->pageSize * (sqlite3_int64)pPager->dbSize; sqlite3OsFileControlHint(pPager->fd, SQLITE_FCNTL_SIZE_HINT, &szFile); pPager->dbHintSize = pPager->dbSize; @@ -42026,6 +43101,7 @@ SQLITE_PRIVATE int sqlite3PagerOpen( /* pPager->pBusyHandlerArg = 0; */ pPager->xReiniter = xReinit; /* memset(pPager->aHash, 0, sizeof(pPager->aHash)); */ + /* pPager->szMmap = SQLITE_DEFAULT_MMAP_SIZE // will be set by btree.c */ *ppPager = pPager; return SQLITE_OK; @@ -42317,9 +43393,11 @@ SQLITE_PRIVATE int sqlite3PagerSharedLock(Pager *pPager){ ); } - if( !pPager->tempFile - && (pPager->pBackup || sqlite3PcachePagecount(pPager->pPCache)>0) - ){ + if( !pPager->tempFile && ( + pPager->pBackup + || sqlite3PcachePagecount(pPager->pPCache)>0 + || USEFETCH(pPager) + )){ /* The shared-lock has just been acquired on the database file ** and there are already pages in the cache (from a previous ** read or write transaction). Check to see if the database 
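Review bot: pagerReleaseMapPage unmaps the page but leaves the now-invalid `pData` (and the old `pgno`) in the header it pushes onto pMmapFreelist, so a stale entry still carries a dereferenceable pointer into an unmapped region until pagerAcquireMapPage overwrites it; suggest `pPg->pData = 0;` after the sqlite3OsUnfetch call, and `assert( p->pData==0 );` beside the existing asserts in pagerAcquireMapPage. In the same spirit, pagerFreeMapHdrs frees every list element but leaves `pPager->pMmapFreelist` pointing at freed memory; `pPager->pMmapFreelist = 0;` after the loop costs nothing and keeps a second call or a later assert from touching it. pagerAcquireMapPage's freelist branch relies on `flags`, `nRef` and `pPager` surviving from the previous use — the asserts check that in debug builds, but a comment on that branch stating the invariant would help.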
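Review bot: The new size-hint condition `(pList->pDirty ? pPager->dbSize : pList->pgno+1)>pPager->dbHintSize` in pager_write_pagelist has no comment, and the choice of `pgno+1` for a single-page list is not obvious. Presumably the intent is to avoid issuing SQLITE_FCNTL_SIZE_HINT on every one-page write that does not reach past the last hinted size; a comment such as `/* For a single-page write, hint only if that page lies beyond the last hinted size; for a multi-page list compare dbSize. */` would capture that. It is also worth stating that the hint value itself is still computed from dbSize, not from the page being written.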
@@ -42345,7 +43423,7 @@ SQLITE_PRIVATE int sqlite3PagerSharedLock(Pager *pPager){ if( nPage>0 ){ IOTRACE(("CKVERS %p %d\n", pPager, sizeof(dbFileVers))); rc = sqlite3OsRead(pPager->fd, &dbFileVers, sizeof(dbFileVers), 24); - if( rc!=SQLITE_OK ){ + if( rc!=SQLITE_OK && rc!=SQLITE_IOERR_SHORT_READ ){ goto failed; } }else{ @@ -42354,6 +43432,16 @@ SQLITE_PRIVATE int sqlite3PagerSharedLock(Pager *pPager){ if( memcmp(pPager->dbFileVers, dbFileVers, sizeof(dbFileVers))!=0 ){ pager_reset(pPager); + + /* Unmap the database file. It is possible that external processes + ** may have truncated the database file and then extended it back + ** to its original size while this process was not holding a lock. + ** In this case there may exist a Pager.pMap mapping that appears + ** to be the right size but is not actually valid. Avoid this + ** possibility by unmapping the db here. */ + if( USEFETCH(pPager) ){ + sqlite3OsUnfetch(pPager->fd, 0, 0); + } } } @@ -42395,7 +43483,7 @@ SQLITE_PRIVATE int sqlite3PagerSharedLock(Pager *pPager){ ** nothing to rollback, so this routine is a no-op. */ static void pagerUnlockIfUnused(Pager *pPager){ - if( (sqlite3PcacheRefCount(pPager->pPCache)==0) ){ + if( pPager->nMmapOut==0 && (sqlite3PcacheRefCount(pPager->pPCache)==0) ){ pagerUnlockAndRollback(pPager); } } 
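Review bot: Tolerating SQLITE_IOERR_SHORT_READ at `if( rc!=SQLITE_OK && rc!=SQLITE_IOERR_SHORT_READ )` means the following `memcmp(pPager->dbFileVers, dbFileVers, sizeof(dbFileVers))` can run over bytes of `dbFileVers` that xRead did not fill; the unix VFS zero-fills the tail on a short read, but nothing visible in the hunk guarantees that for every VFS. A `memset(&dbFileVers, 0, sizeof(dbFileVers));` before the sqlite3OsRead call, or a comment stating that xRead must zero the unread tail, would make the comparison well-defined. A short comment on why a short read is acceptable here — presumably the file was truncated by another process and the resulting version mismatch is exactly what the reset path is for — would also help readers.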
@@ -42454,13 +43542,27 @@ SQLITE_PRIVATE int sqlite3PagerAcquire( Pager *pPager, /* The pager open on the database file */ Pgno pgno, /* Page number to fetch */ DbPage **ppPage, /* Write a pointer to the page here */ - int noContent /* Do not bother reading content from disk if true */ + int flags /* PAGER_ACQUIRE_XXX flags */ ){ - int rc; - PgHdr *pPg; + int rc = SQLITE_OK; + PgHdr *pPg = 0; + u32 iFrame = 0; /* Frame to read from WAL file */ + const int noContent = (flags & PAGER_ACQUIRE_NOCONTENT); + + /* It is acceptable to use a read-only (mmap) page for any page except + ** page 1 if there is no write-transaction open or the ACQUIRE_READONLY + ** flag was specified by the caller. And so long as the db is not a + ** temporary or in-memory database. */ + const int bMmapOk = (pgno!=1 && USEFETCH(pPager) + && (pPager->eState==PAGER_READER || (flags & PAGER_ACQUIRE_READONLY)) +#ifdef SQLITE_HAS_CODEC + && pPager->xCodec==0 +#endif + ); assert( pPager->eState>=PAGER_READER ); assert( assert_pager_state(pPager) ); + assert( noContent==0 || bMmapOk==0 ); if( pgno==0 ){ return SQLITE_CORRUPT_BKPT; 
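Review bot: sqlite3PagerAcquire's fourth parameter changes meaning from a boolean `noContent` to a bit-mask `flags`, but the function's header comment (before the hunk) is not updated in what is shown; it should list PAGER_ACQUIRE_NOCONTENT and PAGER_ACQUIRE_READONLY and state the caller's obligation for READONLY pages — that they may be backed by an xFetch mapping and must never be passed to sqlite3PagerWrite. Existing callers that passed a literal `1` for noContent would now be sending flag value 1, which is only correct if PAGER_ACQUIRE_NOCONTENT happens to be 1; the define is not visible here, so this is worth a check. `assert( noContent==0 || bMmapOk==0 );` could carry a short why, e.g. `/* NOCONTENT pages are about to be written; mmap pages are read-only */` — the reason is inferred, not stated in the hunk.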
@@ -42471,6 +43573,39 @@ SQLITE_PRIVATE int sqlite3PagerAcquire( if( pPager->errCode!=SQLITE_OK ){ rc = pPager->errCode; }else{ + + if( bMmapOk && pagerUseWal(pPager) ){ + rc = sqlite3WalFindFrame(pPager->pWal, pgno, &iFrame); + if( rc!=SQLITE_OK ) goto pager_acquire_err; + } + + if( iFrame==0 && bMmapOk ){ + void *pData = 0; + + rc = sqlite3OsFetch(pPager->fd, + (i64)(pgno-1) * pPager->pageSize, pPager->pageSize, &pData + ); + + if( rc==SQLITE_OK && pData ){ + if( pPager->eState>PAGER_READER ){ + (void)sqlite3PcacheFetch(pPager->pPCache, pgno, 0, &pPg); + } + if( pPg==0 ){ + rc = pagerAcquireMapPage(pPager, pgno, pData, &pPg); + }else{ + sqlite3OsUnfetch(pPager->fd, (i64)(pgno-1)*pPager->pageSize, pData); + } + if( pPg ){ + assert( rc==SQLITE_OK ); + *ppPage = pPg; + return SQLITE_OK; + } + } + if( rc!=SQLITE_OK ){ + goto pager_acquire_err; + } + } + rc = sqlite3PcacheFetch(pPager->pPCache, pgno, 1, ppPage); } @@ -42529,9 +43664,13 @@ SQLITE_PRIVATE int sqlite3PagerAcquire( memset(pPg->pData, 0, pPager->pageSize); IOTRACE(("ZERO %p %d\n", pPager, pgno)); }else{ + if( pagerUseWal(pPager) && bMmapOk==0 ){ + rc = sqlite3WalFindFrame(pPager->pWal, pgno, &iFrame); + if( rc!=SQLITE_OK ) goto pager_acquire_err; + } assert( pPg->pPager==pPager ); pPager->aStat[PAGER_STAT_MISS]++; - rc = readDbPage(pPg); + rc = readDbPage(pPg, iFrame); if( rc!=SQLITE_OK ){ goto pager_acquire_err; } @@ -42584,7 +43723,11 @@ SQLITE_PRIVATE DbPage *sqlite3PagerLookup(Pager *pPager, Pgno pgno){ SQLITE_PRIVATE void sqlite3PagerUnref(DbPage *pPg){ if( pPg ){ Pager *pPager = pPg->pPager; - sqlite3PcacheRelease(pPg); + if( pPg->flags & PGHDR_MMAP ){ + pagerReleaseMapPage(pPg); + }else{ + sqlite3PcacheRelease(pPg); + } pagerUnlockIfUnused(pPager); } } 
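Review bot: The cache probe `if( pPager->eState>PAGER_READER ){ (void)sqlite3PcacheFetch(pPager->pPCache, pgno, 0, &pPg); }` inside the mmap path has no comment and its purpose is easy to misread. Presumably, when a write transaction is open (the READONLY flag permits mmap in that state per the comment in the previous hunk) a modified copy of the page may already be in the cache and must take precedence over the on-disk mapping; a comment such as `/* In a write transaction the cache may hold a newer copy of this page; if so use it and release the mapping. */` would say so. That branch returns the cached page with the reference taken by sqlite3PcacheFetch, which is later released through the PGHDR_MMAP-aware sqlite3PagerUnref in the third hunk — the pairing deserves a sentence in the same comment.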
@@ -42919,6 +44062,7 @@ SQLITE_PRIVATE int sqlite3PagerWrite(DbPage *pDbPage){ Pager *pPager = pPg->pPager; Pgno nPagePerSector = (pPager->sectorSize/pPager->pageSize); + assert( (pPg->flags & PGHDR_MMAP)==0 ); assert( pPager->eState>=PAGER_WRITER_LOCKED ); assert( pPager->eState!=PAGER_ERROR ); assert( assert_pager_state(pPager) ); @@ -43118,6 +44262,11 @@ static int pager_incr_changecounter(Pager *pPager, int isDirectMode){ pPager->aStat[PAGER_STAT_WRITE]++; } if( rc==SQLITE_OK ){ + /* Update the pager's copy of the change-counter. Otherwise, the + ** next time a read transaction is opened the cache will be + ** flushed (as the change-counter values will not match). */ + const void *pCopy = (const void *)&((const char *)zBuf)[24]; + memcpy(&pPager->dbFileVers, pCopy, sizeof(pPager->dbFileVers)); pPager->changeCountDone = 1; } }else{ @@ -43475,7 +44624,7 @@ SQLITE_PRIVATE int sqlite3PagerRollback(Pager *pPager){ } assert( pPager->eState==PAGER_READER || rc!=SQLITE_OK ); - assert( rc==SQLITE_OK || rc==SQLITE_FULL + assert( rc==SQLITE_OK || rc==SQLITE_FULL || rc==SQLITE_CORRUPT || rc==SQLITE_NOMEM || (rc&0xFF)==SQLITE_IOERR ); /* If an error occurs during a ROLLBACK, we can no longer trust the pager @@ -44209,11 +45358,12 @@ static int pagerOpenWal(Pager *pPager){ ** (e.g. due to malloc() failure), return an error code. */ if( rc==SQLITE_OK ){ - rc = sqlite3WalOpen(pPager->pVfs, + rc = sqlite3WalOpen(pPager->pVfs, pPager->fd, pPager->zWal, pPager->exclusiveMode, pPager->journalSizeLimit, &pPager->pWal ); } + pagerFixMaplimit(pPager); return rc; } @@ -44304,6 +45454,7 @@ SQLITE_PRIVATE int sqlite3PagerCloseWal(Pager *pPager){ rc = sqlite3WalClose(pPager->pWal, pPager->ckptSyncFlags, pPager->pageSize, (u8*)pPager->pTmpSpace); pPager->pWal = 0; + pagerFixMaplimit(pPager); } } return rc; 
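Review bot: `assert( (pPg->flags & PGHDR_MMAP)==0 );` is the only thing in sqlite3PagerWrite that keeps an xFetch-backed page out of the write path, and it vanishes under NDEBUG; a page that reached here by mistake would be modified in place in the file mapping, bypassing the rollback journal this function exists to maintain. A release-build guard, e.g. `if( pPg->flags & PGHDR_MMAP ) return SQLITE_MISUSE_BKPT;`, or at minimum a sentence in the function's header (outside the hunk) naming the contract that READONLY/mmap pages must never be written, would make the failure mode loud rather than silent. The body of sqlite3PagerWrite continues beyond the hunk.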
@@ -45552,8 +46703,9 @@ finished: ** checkpointing the log file. */ if( pWal->hdr.nPage ){ - sqlite3_log(SQLITE_OK, "Recovered %d frames from WAL file %s", - pWal->hdr.nPage, pWal->zWalName + sqlite3_log(SQLITE_NOTICE_RECOVER_WAL, + "recovered %d frames from WAL file %s", + pWal->hdr.mxFrame, pWal->zWalName ); } } @@ -46067,8 +47219,8 @@ static int walCheckpoint( rc = sqlite3OsSync(pWal->pWalFd, sync_flags); } - /* If the database file may grow as a result of this checkpoint, hint - ** about the eventual size of the db file to the VFS layer. + /* If the database may grow as a result of this checkpoint, hint + ** about the eventual size of the db file to the VFS layer. */ if( rc==SQLITE_OK ){ i64 nReq = ((i64)mxPage * szPage); @@ -46078,6 +47230,7 @@ static int walCheckpoint( } } + /* Iterate through the contents of the WAL, copying data to the db file. */ while( rc==SQLITE_OK && 0==walIteratorNext(pIter, &iDbpage, &iFrame) ){ i64 iOffset; 
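Review bot: The recovery message now reports `pWal->hdr.mxFrame` but the enclosing guard is still `if( pWal->hdr.nPage )`, so the condition and the value logged no longer describe the same thing; `if( pWal->hdr.mxFrame )` would match the message, unless nPage>0 is known to imply mxFrame>0 after recovery (not visible here). mxFrame appears to be a u32 (it is assigned to one in sqlite3WalFindFrame further down the page) and is printed with `%d`; `%u` would be exact. Logging the event under SQLITE_NOTICE_RECOVER_WAL rather than SQLITE_OK is a useful change for operators who monitor the error log.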
@@ -46632,19 +47785,17 @@ SQLITE_PRIVATE void sqlite3WalEndReadTransaction(Wal *pWal){ } /* -** Read a page from the WAL, if it is present in the WAL and if the -** current read transaction is configured to use the WAL. +** Search the wal file for page pgno. If found, set *piRead to the frame that +** contains the page. Otherwise, if pgno is not in the wal file, set *piRead +** to zero. ** -** The *pInWal is set to 1 if the requested page is in the WAL and -** has been loaded. Or *pInWal is set to 0 if the page was not in -** the WAL and needs to be read out of the database. +** Return SQLITE_OK if successful, or an error code if an error occurs. If an +** error does occur, the final value of *piRead is undefined. */ -SQLITE_PRIVATE int sqlite3WalRead( +SQLITE_PRIVATE int sqlite3WalFindFrame( Wal *pWal, /* WAL handle */ Pgno pgno, /* Database page number to read data for */ - int *pInWal, /* OUT: True if data is read from WAL */ - int nOut, /* Size of buffer pOut in bytes */ - u8 *pOut /* Buffer to write page data to */ + u32 *piRead /* OUT: Frame number (or zero) */ ){ u32 iRead = 0; /* If !=0, WAL frame to return data from */ u32 iLast = pWal->hdr.mxFrame; /* Last page in WAL for this reader */ @@ -46660,7 +47811,7 @@ SQLITE_PRIVATE int sqlite3WalRead( ** WAL were empty. */ if( iLast==0 || pWal->readLock==0 ){ - *pInWal = 0; + *piRead = 0; return SQLITE_OK; } 
@@ -46731,26 +47882,31 @@ SQLITE_PRIVATE int sqlite3WalRead( } #endif - /* If iRead is non-zero, then it is the log frame number that contains the - ** required page. Read and return data from the log file. - */ - if( iRead ){ - int sz; - i64 iOffset; - sz = pWal->hdr.szPage; - sz = (sz&0xfe00) + ((sz&0x0001)<<16); - testcase( sz<=32768 ); - testcase( sz>=65536 ); - iOffset = walFrameOffset(iRead, sz) + WAL_FRAME_HDRSIZE; - *pInWal = 1; - /* testcase( IS_BIG_INT(iOffset) ); // requires a 4GiB WAL */ - return sqlite3OsRead(pWal->pWalFd, pOut, (nOut>sz ? sz : nOut), iOffset); - } - - *pInWal = 0; + *piRead = iRead; return SQLITE_OK; } +/* +** Read the contents of frame iRead from the wal file into buffer pOut +** (which is nOut bytes in size). Return SQLITE_OK if successful, or an +** error code otherwise. +*/ +SQLITE_PRIVATE int sqlite3WalReadFrame( + Wal *pWal, /* WAL handle */ + u32 iRead, /* Frame to read */ + int nOut, /* Size of buffer pOut in bytes */ + u8 *pOut /* Buffer to write page data to */ +){ + int sz; + i64 iOffset; + sz = pWal->hdr.szPage; + sz = (sz&0xfe00) + ((sz&0x0001)<<16); + testcase( sz<=32768 ); + testcase( sz>=65536 ); + iOffset = walFrameOffset(iRead, sz) + WAL_FRAME_HDRSIZE; + /* testcase( IS_BIG_INT(iOffset) ); // requires a 4GiB WAL */ + return sqlite3OsRead(pWal->pWalFd, pOut, (nOut>sz ? sz : nOut), iOffset); +} /* ** Return the size of the database in pages (or zero, if unknown). @@ -47297,6 +48453,9 @@ SQLITE_PRIVATE int sqlite3WalCheckpoint( /* Read the wal-index header. */ if( rc==SQLITE_OK ){ rc = walIndexReadHdr(pWal, &isChanged); + if( isChanged && pWal->pDbFd->pMethods->iVersion>=3 ){ + sqlite3OsUnfetch(pWal->pDbFd, 0, 0); + } } /* Copy data from the log to the database file. */ 
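Review bot: sqlite3WalReadFrame bounds the read with `(nOut>sz ? sz : nOut)`, where `sz` is decoded from the WAL header's szPage, so a WAL page size larger than the caller's buffer cannot overrun it, but a smaller one silently leaves the tail of `pOut` untouched; the header comment should state that callers pass the pager's page size and that the two sizes are validated elsewhere, or the function should fail on a mismatch. `iRead` is also accepted without an `assert( iRead>0 && iRead<=pWal->hdr.mxFrame );`, which the new contract (a frame number obtained from sqlite3WalFindFrame) would suggest. In the sqlite3WalCheckpoint hunk, the unmap after `walIndexReadHdr` is gated on `pWal->pDbFd->pMethods->iVersion>=3` only, whereas the pager side gates on USEFETCH; a short comment on why the raw check suffices here (presumably xUnfetch with a null pointer is a no-op when nothing is mapped) would help.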
@@ -49968,13 +51127,17 @@ static int btreeGetPage( BtShared *pBt, /* The btree */ Pgno pgno, /* Number of the page to fetch */ MemPage **ppPage, /* Return the page in this parameter */ - int noContent /* Do not load page content if true */ + int noContent, /* Do not load page content if true */ + int bReadonly /* True if a read-only (mmap) page is ok */ ){ int rc; DbPage *pDbPage; + int flags = (noContent ? PAGER_ACQUIRE_NOCONTENT : 0) + | (bReadonly ? PAGER_ACQUIRE_READONLY : 0); + assert( noContent==0 || bReadonly==0 ); assert( sqlite3_mutex_held(pBt->mutex) ); - rc = sqlite3PagerAcquire(pBt->pPager, pgno, (DbPage**)&pDbPage, noContent); + rc = sqlite3PagerAcquire(pBt->pPager, pgno, (DbPage**)&pDbPage, flags); if( rc ) return rc; *ppPage = btreePageFromDbPage(pDbPage, pgno, pBt); return SQLITE_OK; @@ -50017,9 +51180,10 @@ SQLITE_PRIVATE u32 sqlite3BtreeLastPage(Btree *p){ ** may remain unchanged, or it may be set to an invalid value. */ static int getAndInitPage( - BtShared *pBt, /* The database file */ - Pgno pgno, /* Number of the page to get */ - MemPage **ppPage /* Write the page pointer here */ + BtShared *pBt, /* The database file */ + Pgno pgno, /* Number of the page to get */ + MemPage **ppPage, /* Write the page pointer here */ + int bReadonly /* True if a read-only (mmap) page is ok */ ){ int rc; assert( sqlite3_mutex_held(pBt->mutex) ); @@ -50027,7 +51191,7 @@ static int getAndInitPage( if( pgno>btreePagecount(pBt) ){ rc = SQLITE_CORRUPT_BKPT; }else{ - rc = btreeGetPage(pBt, pgno, ppPage, 0); + rc = btreeGetPage(pBt, pgno, ppPage, 0, bReadonly); if( rc==SQLITE_OK ){ rc = btreeInitPage(*ppPage); if( rc!=SQLITE_OK ){ @@ -50258,6 +51422,7 @@ SQLITE_PRIVATE int sqlite3BtreeOpen( rc = sqlite3PagerOpen(pVfs, &pBt->pPager, zFilename, EXTRA_SIZE, flags, vfsFlags, pageReinit); if( rc==SQLITE_OK ){ + sqlite3PagerSetMmapLimit(pBt->pPager, db->szMmap); rc = sqlite3PagerReadFileheader(pBt->pPager,sizeof(zDbHeader),zDbHeader); } if( rc!=SQLITE_OK ){ 
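Review bot: btreeGetPage and getAndInitPage gain a `bReadonly` parameter whose consequence — the returned MemPage may be backed by an xFetch mapping and must not be written — is not documented in the parameter comments shown, which say only `True if a read-only (mmap) page is ok`; suggest `int bReadonly /* True if a read-only (mmap) page is ok; never pass such a page to sqlite3PagerWrite */`. The `assert( noContent==0 || bReadonly==0 );` duplicates the check the pager makes on the flags, which is fine, but a comment tying it to the pager assert would explain why it exists at both layers. The sqlite3BtreeOpen hunk sets the mmap limit before reading the file header, which looks intentional; a one-line comment would confirm the ordering matters.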
@@ -50524,6 +51689,19 @@ SQLITE_PRIVATE int sqlite3BtreeSetCacheSize(Btree *p, int mxPage){ return SQLITE_OK; } +/* +** Change the limit on the amount of the database file that may be +** memory mapped. +*/ +SQLITE_PRIVATE int sqlite3BtreeSetMmapLimit(Btree *p, sqlite3_int64 szMmap){ + BtShared *pBt = p->pBt; + assert( sqlite3_mutex_held(p->db->mutex) ); + sqlite3BtreeEnter(p); + sqlite3PagerSetMmapLimit(pBt->pPager, szMmap); + sqlite3BtreeLeave(p); + return SQLITE_OK; +} + /* ** Change the way data is synced to disk in order to increase or decrease ** how well the database resists damage due to OS crashes and power @@ -50749,7 +51927,7 @@ static int lockBtree(BtShared *pBt){ assert( pBt->pPage1==0 ); rc = sqlite3PagerSharedLock(pBt->pPager); if( rc!=SQLITE_OK ) return rc; - rc = btreeGetPage(pBt, 1, &pPage1, 0); + rc = btreeGetPage(pBt, 1, &pPage1, 0, 0); if( rc!=SQLITE_OK ) return rc; /* Do some checking to help insure the file we opened really is @@ -50885,6 +52063,29 @@ page1_init_failed: return rc; } +#ifndef NDEBUG +/* +** Return the number of cursors open on pBt. This is for use +** in assert() expressions, so it is only compiled if NDEBUG is not +** defined. +** +** Only write cursors are counted if wrOnly is true. If wrOnly is +** false then all cursors are counted. +** +** For the purposes of this routine, a cursor is any cursor that +** is capable of reading or writing to the databse. Cursors that +** have been tripped into the CURSOR_FAULT state are not counted. +*/ +static int countValidCursors(BtShared *pBt, int wrOnly){ + BtCursor *pCur; + int r = 0; + for(pCur=pBt->pCursor; pCur; pCur=pCur->pNext){ + if( (wrOnly==0 || pCur->wrFlag) && pCur->eState!=CURSOR_FAULT ) r++; + } + return r; +} +#endif + /* ** If there are no outstanding cursors and we are not in the middle ** of a transaction but there is a read lock on the database, then 
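Review bot: The header comment on countValidCursors carries the typo `databse` over from the countWriteCursors comment it replaces (the removal is on a later line of this page); `** is capable of reading or writing to the database.` would fix it while the code is being touched. The wrOnly description is otherwise clear. sqlite3BtreeSetMmapLimit's comment could add that the function always returns SQLITE_OK, so callers know there is no error path to handle.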
@@ -50895,7 +52096,7 @@ page1_init_failed: */ static void unlockBtreeIfUnused(BtShared *pBt){ assert( sqlite3_mutex_held(pBt->mutex) ); - assert( pBt->pCursor==0 || pBt->inTransaction>TRANS_NONE ); + assert( countValidCursors(pBt,0)==0 || pBt->inTransaction>TRANS_NONE ); if( pBt->inTransaction==TRANS_NONE && pBt->pPage1!=0 ){ assert( pBt->pPage1->aData ); assert( sqlite3PagerRefcount(pBt->pPager)==1 ); @@ -51308,7 +52509,7 @@ static int relocatePage( ** iPtrPage. */ if( eType!=PTRMAP_ROOTPAGE ){ - rc = btreeGetPage(pBt, iPtrPage, &pPtrPage, 0); + rc = btreeGetPage(pBt, iPtrPage, &pPtrPage, 0, 0); if( rc!=SQLITE_OK ){ return rc; } @@ -51392,7 +52593,7 @@ static int incrVacuumStep(BtShared *pBt, Pgno nFin, Pgno iLastPg, int bCommit){ u8 eMode = BTALLOC_ANY; /* Mode parameter for allocateBtreePage() */ Pgno iNear = 0; /* nearby parameter for allocateBtreePage() */ - rc = btreeGetPage(pBt, iLastPg, &pLastPg, 0); + rc = btreeGetPage(pBt, iLastPg, &pLastPg, 0, 0); if( rc!=SQLITE_OK ){ return rc; } @@ -51484,8 +52685,11 @@ SQLITE_PRIVATE int sqlite3BtreeIncrVacuum(Btree *p){ if( nOrig0 ){ - invalidateAllOverflowCache(pBt); - rc = incrVacuumStep(pBt, nFin, nOrig, 0); + rc = saveAllCursors(pBt, 0, 0); + if( rc==SQLITE_OK ){ + invalidateAllOverflowCache(pBt); + rc = incrVacuumStep(pBt, nFin, nOrig, 0); + } if( rc==SQLITE_OK ){ rc = sqlite3PagerWrite(pBt->pPage1->pDbPage); put4byte(&pBt->pPage1->aData[28], pBt->nPage); @@ -51533,7 +52737,9 @@ static int autoVacuumCommit(BtShared *pBt){ nFree = get4byte(&pBt->pPage1->aData[36]); nFin = finalDbSize(pBt, nOrig, nFree); if( nFin>nOrig ) return SQLITE_CORRUPT_BKPT; - + if( nFinnFin && rc==SQLITE_OK; iFree--){ rc = incrVacuumStep(pBt, nFin, iFree, 1); } @@ -51550,7 +52756,7 @@ static int autoVacuumCommit(BtShared *pBt){ } } - assert( nRef==sqlite3PagerRefcount(pPager) ); + assert( nRef>=sqlite3PagerRefcount(pPager) ); return rc; } 
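Review bot: Relaxing `assert( nRef==sqlite3PagerRefcount(pPager) )` to `>=` in autoVacuumCommit weakens an invariant without saying why; presumably page references that cursors held at entry may now be released by a saveAllCursors call during the vacuum steps (the sqlite3BtreeIncrVacuum hunk above adds such a call), but that reasoning belongs on the assert, e.g. `/* Saved cursors may have released page references; the count can only go down. */`. In the sqlite3BtreeIncrVacuum hunk, a comment on why saveAllCursors must precede invalidateAllOverflowCache (or that the order is immaterial) would make the sequence deliberate rather than accidental.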
@@ -51618,7 +52824,6 @@ static void btreeEndTransaction(Btree *p){ #ifndef SQLITE_OMIT_AUTOVACUUM pBt->bDoTruncate = 0; #endif - btreeClearHasContent(pBt); if( p->inTrans>TRANS_NONE && p->db->activeVdbeCnt>1 ){ /* If there are other active statements that belong to this database ** handle, downgrade to a read-only transaction. The other statements @@ -51693,6 +52898,7 @@ SQLITE_PRIVATE int sqlite3BtreeCommitPhaseTwo(Btree *p, int bCleanup){ return rc; } pBt->inTransaction = TRANS_READ; + btreeClearHasContent(pBt); } btreeEndTransaction(p); @@ -51714,27 +52920,6 @@ SQLITE_PRIVATE int sqlite3BtreeCommit(Btree *p){ return rc; } -#ifndef NDEBUG -/* -** Return the number of write-cursors open on this handle. This is for use -** in assert() expressions, so it is only compiled if NDEBUG is not -** defined. -** -** For the purposes of this routine, a write-cursor is any cursor that -** is capable of writing to the databse. That means the cursor was -** originally opened for writing and the cursor has not be disabled -** by having its state changed to CURSOR_FAULT. -*/ -static int countWriteCursors(BtShared *pBt){ - BtCursor *pCur; - int r = 0; - for(pCur=pBt->pCursor; pCur; pCur=pCur->pNext){ - if( pCur->wrFlag && pCur->eState!=CURSOR_FAULT ) r++; - } - return r; -} -#endif - /* ** This routine sets the state to CURSOR_FAULT and the error ** code to errCode for every cursor on BtShared that pBtree @@ -51806,7 +52991,7 @@ SQLITE_PRIVATE int sqlite3BtreeRollback(Btree *p, int tripCode){ /* The rollback may have destroyed the pPage1->aData value. So ** call btreeGetPage() on page 1 again to make ** sure pPage1->aData is set correctly. */ - if( btreeGetPage(pBt, 1, &pPage1, 0)==SQLITE_OK ){ + if( btreeGetPage(pBt, 1, &pPage1, 0, 0)==SQLITE_OK ){ int nPage = get4byte(28+(u8*)pPage1->aData); testcase( nPage==0 ); if( nPage==0 ) sqlite3PagerPagecount(pBt->pPager, &nPage); 
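Review bot: btreeClearHasContent is removed from btreeEndTransaction and re-added only on the commit path here and on the rollback path in the next line's hunk, both directly after `pBt->inTransaction = TRANS_READ;`; any other route through btreeEndTransaction that previously cleared the has-content bitvec now leaves it set, which is harmless only if the bitvec is guaranteed empty on those routes. A comment at the removal site explaining why the clear now happens only with the TRANS_READ transitions would record the reasoning for the next reader. The rest of btreeEndTransaction lies outside the hunk.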
@@ -51814,8 +52999,9 @@ SQLITE_PRIVATE int sqlite3BtreeRollback(Btree *p, int tripCode){ pBt->nPage = nPage; releasePage(pPage1); } - assert( countWriteCursors(pBt)==0 ); + assert( countValidCursors(pBt, 1)==0 ); pBt->inTransaction = TRANS_READ; + btreeClearHasContent(pBt); } btreeEndTransaction(p); @@ -52240,7 +53426,7 @@ static int getOverflowPage( assert( next==0 || rc==SQLITE_DONE ); if( rc==SQLITE_OK ){ - rc = btreeGetPage(pBt, ovfl, &pPage, 0); + rc = btreeGetPage(pBt, ovfl, &pPage, 0, (ppPage==0)); assert( rc==SQLITE_OK || pPage==0 ); if( rc==SQLITE_OK ){ next = get4byte(pPage->aData); @@ -52461,7 +53647,9 @@ static int accessPayload( { DbPage *pDbPage; - rc = sqlite3PagerGet(pBt->pPager, nextPage, &pDbPage); + rc = sqlite3PagerAcquire(pBt->pPager, nextPage, &pDbPage, + (eOp==0 ? PAGER_ACQUIRE_READONLY : 0) + ); if( rc==SQLITE_OK ){ aPayload = sqlite3PagerGetData(pDbPage); nextPage = get4byte(aPayload); @@ -52640,10 +53828,11 @@ static int moveToChild(BtCursor *pCur, u32 newPgno){ assert( cursorHoldsMutex(pCur) ); assert( pCur->eState==CURSOR_VALID ); assert( pCur->iPageiPage>=0 ); if( pCur->iPage>=(BTCURSOR_MAX_DEPTH-1) ){ return SQLITE_CORRUPT_BKPT; } - rc = getAndInitPage(pBt, newPgno, &pNewPage); + rc = getAndInitPage(pBt, newPgno, &pNewPage, (pCur->wrFlag==0)); if( rc ) return rc; pCur->apPage[i+1] = pNewPage; pCur->aiIdx[i+1] = 0; @@ -52760,7 +53949,7 @@ static int moveToRoot(BtCursor *pCur){ pCur->eState = CURSOR_INVALID; return SQLITE_OK; }else{ - rc = getAndInitPage(pBt, pCur->pgnoRoot, &pCur->apPage[0]); + rc = getAndInitPage(pBt, pCur->pgnoRoot, &pCur->apPage[0], pCur->wrFlag==0); if( rc!=SQLITE_OK ){ pCur->eState = CURSOR_INVALID; return rc; @@ -53374,7 +54563,7 @@ static int allocateBtreePage( if( iTrunk>mxPage ){ rc = SQLITE_CORRUPT_BKPT; }else{ - rc = btreeGetPage(pBt, iTrunk, &pTrunk, 0); + rc = btreeGetPage(pBt, iTrunk, &pTrunk, 0, 0); } if( rc ){ pTrunk = 0; 
@@ -53438,7 +54627,7 @@ static int allocateBtreePage( goto end_allocate_page; } testcase( iNewTrunk==mxPage ); - rc = btreeGetPage(pBt, iNewTrunk, &pNewTrunk, 0); + rc = btreeGetPage(pBt, iNewTrunk, &pNewTrunk, 0, 0); if( rc!=SQLITE_OK ){ goto end_allocate_page; } @@ -53518,7 +54707,7 @@ static int allocateBtreePage( } put4byte(&aData[4], k-1); noContent = !btreeGetHasContent(pBt, *pPgno); - rc = btreeGetPage(pBt, *pPgno, ppPage, noContent); + rc = btreeGetPage(pBt, *pPgno, ppPage, noContent, 0); if( rc==SQLITE_OK ){ rc = sqlite3PagerWrite((*ppPage)->pDbPage); if( rc!=SQLITE_OK ){ @@ -53566,7 +54755,7 @@ static int allocateBtreePage( MemPage *pPg = 0; TRACE(("ALLOCATE: %d from end of file (pointer-map page)\n", pBt->nPage)); assert( pBt->nPage!=PENDING_BYTE_PAGE(pBt) ); - rc = btreeGetPage(pBt, pBt->nPage, &pPg, bNoContent); + rc = btreeGetPage(pBt, pBt->nPage, &pPg, bNoContent, 0); if( rc==SQLITE_OK ){ rc = sqlite3PagerWrite(pPg->pDbPage); releasePage(pPg); @@ -53580,7 +54769,7 @@ static int allocateBtreePage( *pPgno = pBt->nPage; assert( *pPgno!=PENDING_BYTE_PAGE(pBt) ); - rc = btreeGetPage(pBt, *pPgno, ppPage, bNoContent); + rc = btreeGetPage(pBt, *pPgno, ppPage, bNoContent, 0); if( rc ) return rc; rc = sqlite3PagerWrite((*ppPage)->pDbPage); if( rc!=SQLITE_OK ){ @@ -53648,7 +54837,7 @@ static int freePage2(BtShared *pBt, MemPage *pMemPage, Pgno iPage){ /* If the secure_delete option is enabled, then ** always fully overwrite deleted information with zeros. */ - if( (!pPage && ((rc = btreeGetPage(pBt, iPage, &pPage, 0))!=0) ) + if( (!pPage && ((rc = btreeGetPage(pBt, iPage, &pPage, 0, 0))!=0) ) || ((rc = sqlite3PagerWrite(pPage->pDbPage))!=0) ){ goto freepage_out; 
@@ -53675,7 +54864,7 @@ static int freePage2(BtShared *pBt, MemPage *pMemPage, Pgno iPage){ u32 nLeaf; /* Initial number of leaf cells on trunk page */ iTrunk = get4byte(&pPage1->aData[32]); - rc = btreeGetPage(pBt, iTrunk, &pTrunk, 0); + rc = btreeGetPage(pBt, iTrunk, &pTrunk, 0, 0); if( rc!=SQLITE_OK ){ goto freepage_out; } @@ -53721,7 +54910,7 @@ static int freePage2(BtShared *pBt, MemPage *pMemPage, Pgno iPage){ ** first trunk in the free-list is full. Either way, the page being freed ** will become the new first trunk page in the free-list. */ - if( pPage==0 && SQLITE_OK!=(rc = btreeGetPage(pBt, iPage, &pPage, 0)) ){ + if( pPage==0 && SQLITE_OK!=(rc = btreeGetPage(pBt, iPage, &pPage, 0, 0)) ){ goto freepage_out; } rc = sqlite3PagerWrite(pPage->pDbPage); @@ -54522,7 +55711,7 @@ static int balance_nonroot( } pgno = get4byte(pRight); while( 1 ){ - rc = getAndInitPage(pBt, pgno, &apOld[i]); + rc = getAndInitPage(pBt, pgno, &apOld[i], 0); if( rc ){ memset(apOld, 0, (i+1)*sizeof(MemPage*)); goto balance_cleanup; @@ -55610,10 +56799,17 @@ static int btreeCreateTable(Btree *p, int *piTable, int createTabFlags){ u8 eType = 0; Pgno iPtrPage = 0; + /* Save the positions of any open cursors. This is required in + ** case they are holding a reference to an xFetch reference + ** corresponding to page pgnoRoot. */ + rc = saveAllCursors(pBt, 0, 0); releasePage(pPageMove); + if( rc!=SQLITE_OK ){ + return rc; + } /* Move the page currently at pgnoRoot to pgnoMove. */ - rc = btreeGetPage(pBt, pgnoRoot, &pRoot, 0); + rc = btreeGetPage(pBt, pgnoRoot, &pRoot, 0, 0); if( rc!=SQLITE_OK ){ return rc; } @@ -55634,7 +56830,7 @@ static int btreeCreateTable(Btree *p, int *piTable, int createTabFlags){ if( rc!=SQLITE_OK ){ return rc; } - rc = btreeGetPage(pBt, pgnoRoot, &pRoot, 0); + rc = btreeGetPage(pBt, pgnoRoot, &pRoot, 0, 0); if( rc!=SQLITE_OK ){ return rc; } 
@@ -55710,7 +56906,7 @@ static int clearDatabasePage( return SQLITE_CORRUPT_BKPT; } - rc = getAndInitPage(pBt, pgno, &pPage); + rc = getAndInitPage(pBt, pgno, &pPage, 0); if( rc ) return rc; for(i=0; inCell; i++){ pCell = findCell(pPage, i); @@ -55812,7 +57008,7 @@ static int btreeDropTable(Btree *p, Pgno iTable, int *piMoved){ return SQLITE_LOCKED_SHAREDCACHE; } - rc = btreeGetPage(pBt, (Pgno)iTable, &pPage, 0); + rc = btreeGetPage(pBt, (Pgno)iTable, &pPage, 0, 0); if( rc ) return rc; rc = sqlite3BtreeClearTable(p, iTable, 0); if( rc ){ @@ -55847,7 +57043,7 @@ static int btreeDropTable(Btree *p, Pgno iTable, int *piMoved){ */ MemPage *pMove; releasePage(pPage); - rc = btreeGetPage(pBt, maxRootPgno, &pMove, 0); + rc = btreeGetPage(pBt, maxRootPgno, &pMove, 0, 0); if( rc!=SQLITE_OK ){ return rc; } @@ -55857,7 +57053,7 @@ static int btreeDropTable(Btree *p, Pgno iTable, int *piMoved){ return rc; } pMove = 0; - rc = btreeGetPage(pBt, maxRootPgno, &pMove, 0); + rc = btreeGetPage(pBt, maxRootPgno, &pMove, 0, 0); freePage(pMove, &rc); releasePage(pMove); if( rc!=SQLITE_OK ){ @@ -56269,7 +57465,7 @@ static int checkTreePage( usableSize = pBt->usableSize; if( iPage==0 ) return 0; if( checkRef(pCheck, iPage, zParentContext) ) return 0; - if( (rc = btreeGetPage(pBt, (Pgno)iPage, &pPage, 0))!=0 ){ + if( (rc = btreeGetPage(pBt, (Pgno)iPage, &pPage, 0, 0))!=0 ){ checkAppendMsg(pCheck, zContext, "unable to get the page. error code=%d", rc); return 0; 
@@ -56741,6 +57937,17 @@ SQLITE_PRIVATE int sqlite3BtreePutData(BtCursor *pCsr, u32 offset, u32 amt, void return SQLITE_ABORT; } + /* Save the positions of all other cursors open on this table. This is + ** required in case any of them are holding references to an xFetch + ** version of the b-tree page modified by the accessPayload call below. + ** + ** Note that pCsr must be open on a BTREE_INTKEY table and saveCursorPosition() + ** and hence saveAllCursors() cannot fail on a BTREE_INTKEY table, hence + ** saveAllCursors can only return SQLITE_OK. + */ + VVA_ONLY(rc =) saveAllCursors(pCsr->pBt, pCsr->pgnoRoot, pCsr); + assert( rc==SQLITE_OK ); + /* Check some assumptions: ** (a) the cursor is open for writing, ** (b) there is a read/write transaction open, @@ -57222,7 +58429,8 @@ SQLITE_API int sqlite3_backup_step(sqlite3_backup *p, int nPage){ const Pgno iSrcPg = p->iNext; /* Source page number */ if( iSrcPg!=PENDING_BYTE_PAGE(p->pSrc->pBt) ){ DbPage *pSrcPg; /* Source page object */ - rc = sqlite3PagerGet(pSrcPager, iSrcPg, &pSrcPg); + rc = sqlite3PagerAcquire(pSrcPager, iSrcPg, &pSrcPg, + PAGER_ACQUIRE_READONLY); if( rc==SQLITE_OK ){ rc = backupOnePage(p, iSrcPg, sqlite3PagerGetData(pSrcPg), 0); sqlite3PagerUnref(pSrcPg); @@ -62445,14 +63653,6 @@ end_of_step: return (rc&db->errMask); } -/* -** The maximum number of times that a statement will try to reparse -** itself before giving up and returning SQLITE_SCHEMA. -*/ -#ifndef SQLITE_MAX_SCHEMA_RETRY -# define SQLITE_MAX_SCHEMA_RETRY 5 -#endif - /* ** This is the top-level implementation of sqlite3_step(). Call ** sqlite3Step() to do most of the work. If a schema error occurs, 
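Review bot: `VVA_ONLY(rc =) saveAllCursors(pCsr->pBt, pCsr->pgnoRoot, pCsr);` discards the return value in release builds on the strength of the comment's argument that it cannot fail for BTREE_INTKEY tables; if saveCursorPosition ever acquires a failure mode, the error is silently dropped and the following accessPayload write proceeds with unsaved cursors still holding mmap references. Keeping the check live costs one branch: `rc = saveAllCursors(pCsr->pBt, pCsr->pgnoRoot, pCsr); if( rc!=SQLITE_OK ) return rc;`. The `assert( rc==SQLITE_OK )` can stay as documentation of the expectation.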
@@ -63356,6 +64556,11 @@ static int findNextHostParameter(const char *zSql, int *pnToken){ ** then the returned string holds a copy of zRawSql with "-- " prepended ** to each line of text. ** +** If the SQLITE_TRACE_SIZE_LIMIT macro is defined to an integer, then +** then long strings and blobs are truncated to that many bytes. This +** can be used to prevent unreasonably large trace strings when dealing +** with large (multi-megabyte) strings and blobs. +** ** The calling function is responsible for making sure the memory returned ** is eventually freed. ** 
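Review bot: The added paragraph reads `then then long strings and blobs are truncated` — a doubled `then`; suggest `** If the SQLITE_TRACE_SIZE_LIMIT macro is defined to an integer, then` followed by `** long strings and blobs are truncated to that many bytes.` Otherwise the description of the limit is clear and matches the expansion code in the next hunk.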
@@ -63426,30 +64631,49 @@ SQLITE_PRIVATE char *sqlite3VdbeExpandSql( }else if( pVar->flags & MEM_Real ){ sqlite3XPrintf(&out, "%!.15g", pVar->r); }else if( pVar->flags & MEM_Str ){ + int nOut; /* Number of bytes of the string text to include in output */ #ifndef SQLITE_OMIT_UTF16 u8 enc = ENC(db); + Mem utf8; if( enc!=SQLITE_UTF8 ){ - Mem utf8; memset(&utf8, 0, sizeof(utf8)); utf8.db = db; sqlite3VdbeMemSetStr(&utf8, pVar->z, pVar->n, enc, SQLITE_STATIC); sqlite3VdbeChangeEncoding(&utf8, SQLITE_UTF8); - sqlite3XPrintf(&out, "'%.*q'", utf8.n, utf8.z); - sqlite3VdbeMemRelease(&utf8); - }else -#endif - { - sqlite3XPrintf(&out, "'%.*q'", pVar->n, pVar->z); + pVar = &utf8; } +#endif + nOut = pVar->n; +#ifdef SQLITE_TRACE_SIZE_LIMIT + if( nOut>SQLITE_TRACE_SIZE_LIMIT ){ + nOut = SQLITE_TRACE_SIZE_LIMIT; + while( nOutn && (pVar->z[nOut]&0xc0)==0x80 ){ nOut++; } + } +#endif + sqlite3XPrintf(&out, "'%.*q'", nOut, pVar->z); +#ifdef SQLITE_TRACE_SIZE_LIMIT + if( nOutn ) sqlite3XPrintf(&out, "/*+%d bytes*/", pVar->n-nOut); +#endif +#ifndef SQLITE_OMIT_UTF16 + if( enc!=SQLITE_UTF8 ) sqlite3VdbeMemRelease(&utf8); +#endif }else if( pVar->flags & MEM_Zero ){ sqlite3XPrintf(&out, "zeroblob(%d)", pVar->u.nZero); }else{ + int nOut; /* Number of bytes of the blob to include in output */ assert( pVar->flags & MEM_Blob ); sqlite3StrAccumAppend(&out, "x'", 2); - for(i=0; in; i++){ + nOut = pVar->n; +#ifdef SQLITE_TRACE_SIZE_LIMIT + if( nOut>SQLITE_TRACE_SIZE_LIMIT ) nOut = SQLITE_TRACE_SIZE_LIMIT; +#endif + for(i=0; iz[i]&0xff); } sqlite3StrAccumAppend(&out, "'", 1); +#ifdef SQLITE_TRACE_SIZE_LIMIT + if( nOutn ) sqlite3XPrintf(&out, "/*+%d bytes*/", pVar->n-nOut); +#endif } } } 
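Review bot: The SQLITE_TRACE_SIZE_LIMIT handling is written out twice in sqlite3VdbeExpandSql — once for MEM_Str (with the UTF-8 continuation-byte skip) and once for MEM_Blob — including two copies of the `/*+%d bytes*/` suffix; a small static helper that clamps `nOut` and appends the suffix would keep the two in step if the annotation format changes. The `Mem utf8` declaration now sits outside the `if( enc!=SQLITE_UTF8 )` block while its release at the end is gated on the same condition; a comment that the two guards must stay paired would help. The continuation-byte loop is the right way to keep the truncated string on a character boundary, and is worth a one-line comment saying so.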
@@ -67666,7 +68890,7 @@ case OP_SeekGt: { /* jump, in3 */ ** u.bc.r.flags = 0; ** } */ - u.bc.r.flags = (u16)(UNPACKED_INCRKEY * (1 & (u.bc.oc - OP_SeekLt))); + u.bc.r.flags = (u8)(UNPACKED_INCRKEY * (1 & (u.bc.oc - OP_SeekLt))); assert( u.bc.oc!=OP_SeekGt || u.bc.r.flags==UNPACKED_INCRKEY ); assert( u.bc.oc!=OP_SeekLe || u.bc.r.flags==UNPACKED_INCRKEY ); assert( u.bc.oc!=OP_SeekGe || u.bc.r.flags==0 ); @@ -70791,7 +72015,7 @@ SQLITE_API int sqlite3_blob_open( } sqlite3_bind_int64(pBlob->pStmt, 1, iRow); rc = blobSeekToRow(pBlob, iRow, &zErr); - } while( (++nAttempt)<5 && rc==SQLITE_SCHEMA ); + } while( (++nAttempt)mallocFailed==0 ){ @@ -72476,7 +73700,9 @@ static const struct sqlite3_io_methods MemJournalMethods = { 0, /* xShmMap */ 0, /* xShmLock */ 0, /* xShmBarrier */ - 0 /* xShmUnlock */ + 0, /* xShmUnmap */ + 0, /* xFetch */ + 0 /* xUnfetch */ }; /* @@ -72620,7 +73846,9 @@ SQLITE_PRIVATE int sqlite3WalkSelectFrom(Walker *pWalker, Select *p){ /* ** Call sqlite3WalkExpr() for every expression in Select statement p. ** Invoke sqlite3WalkSelect() for subqueries in the FROM clause and -** on the compound select chain, p->pPrior. +** on the compound select chain, p->pPrior. Invoke the xSelectCallback() +** either before or after the walk of expressions and FROM clause, depending +** on whether pWalker->bSelectDepthFirst is false or true, respectively. ** ** Return WRC_Continue under normal conditions. Return WRC_Abort if ** there is an abort request. 
@@ -72634,14 +73862,23 @@ SQLITE_PRIVATE int sqlite3WalkSelect(Walker *pWalker, Select *p){ rc = WRC_Continue; pWalker->walkerDepth++; while( p ){ - rc = pWalker->xSelectCallback(pWalker, p); - if( rc ) break; + if( !pWalker->bSelectDepthFirst ){ + rc = pWalker->xSelectCallback(pWalker, p); + if( rc ) break; + } if( sqlite3WalkSelectExpr(pWalker, p) || sqlite3WalkSelectFrom(pWalker, p) ){ pWalker->walkerDepth--; return WRC_Abort; } + if( pWalker->bSelectDepthFirst ){ + rc = pWalker->xSelectCallback(pWalker, p); + /* Depth-first search is currently only used for + ** selectAddSubqueryTypeInfo() and that routine always returns + ** WRC_Continue (0). So the following branch is never taken. */ + if( NEVER(rc) ) break; + } p = p->pPrior; } pWalker->walkerDepth--; @@ -73039,7 +74276,10 @@ static int lookupName( ** Note that the expression in the result set should have already been ** resolved by the time the WHERE clause is resolved. */ - if( cnt==0 && (pEList = pNC->pEList)!=0 && zTab==0 ){ + if( (pEList = pNC->pEList)!=0 + && zTab==0 + && ((pNC->ncFlags & NC_AsMaybe)==0 || cnt==0) + ){ for(j=0; jnExpr; j++){ char *zAs = pEList->a[j].zName; if( zAs!=0 && sqlite3StrICmp(zAs, zCol)==0 ){ @@ -73130,7 +74370,9 @@ static int lookupName( lookupname_end: if( cnt==1 ){ assert( pNC!=0 ); - sqlite3AuthRead(pParse, pExpr, pSchema, pNC->pSrcList); + if( pExpr->op!=TK_AS ){ + sqlite3AuthRead(pParse, pExpr, pSchema, pNC->pSrcList); + } /* Increment the nRef value on all name contexts from TopNC up to ** the point where the name matched. */ for(;;){ 
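Review bot: The new `if( pExpr->op!=TK_AS )` guard around sqlite3AuthRead() in lookupName has no comment saying why a name that resolved to a result-set alias bypasses the authorizer, which anyone auditing the read-authorization checks will want to know. I would add `/* An alias match (TK_AS) does not read a table column; the aliased expression was already authorized when the result set was resolved */` — the second clause is my reading of the surrounding code, so confirm it before committing the comment. The NC_AsMaybe change earlier in the same line, which now lets an alias be matched even when cnt>0, deserves a sentence in the comment block above it as well. lookupName starts and ends outside these hunks.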
@@ -73805,11 +75047,10 @@ static int resolveSelectStep(Walker *pWalker, Select *p){ ** re-evaluated for each reference to it. */ sNC.pEList = p->pEList; - if( sqlite3ResolveExprNames(&sNC, p->pWhere) || - sqlite3ResolveExprNames(&sNC, p->pHaving) - ){ - return WRC_Abort; - } + sNC.ncFlags |= NC_AsMaybe; + if( sqlite3ResolveExprNames(&sNC, p->pHaving) ) return WRC_Abort; + if( sqlite3ResolveExprNames(&sNC, p->pWhere) ) return WRC_Abort; + sNC.ncFlags &= ~NC_AsMaybe; /* The ORDER BY and GROUP BY clauses may not refer to terms in ** outer queries @@ -73930,6 +75171,7 @@ SQLITE_PRIVATE int sqlite3ResolveExprNames( #endif savedHasAgg = pNC->ncFlags & NC_HasAgg; pNC->ncFlags &= ~NC_HasAgg; + memset(&w, 0, sizeof(w)); w.xExprCallback = resolveExprStep; w.xSelectCallback = resolveSelectStep; w.pParse = pNC->pParse; @@ -73970,6 +75212,7 @@ SQLITE_PRIVATE void sqlite3ResolveSelectNames( Walker w; assert( p!=0 ); + memset(&w, 0, sizeof(w)); w.xExprCallback = resolveExprStep; w.xSelectCallback = resolveSelectStep; w.pParse = pParse; @@ -74096,12 +75339,7 @@ SQLITE_PRIVATE CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr){ } assert( op!=TK_REGISTER || p->op2!=TK_COLLATE ); if( op==TK_COLLATE ){ - if( db->init.busy ){ - /* Do not report errors when parsing while the schema */ - pColl = sqlite3FindCollSeq(db, ENC(db), p->u.zToken, 0); - }else{ - pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken); - } + pColl = sqlite3GetCollSeq(pParse, ENC(db), 0, p->u.zToken); break; } if( p->pTab!=0 @@ -75194,6 +76432,7 @@ static int selectNodeIsConstant(Walker *pWalker, Select *NotUsed){ } static int exprIsConst(Expr *p, int initFlag){ Walker w; + memset(&w, 0, sizeof(w)); w.u.i = initFlag; w.xExprCallback = exprNodeIsConstant; w.xSelectCallback = selectNodeIsConstant; 
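Review bot: The `memset(&w, 0, sizeof(w))` lines added in sqlite3ResolveExprNames, sqlite3ResolveSelectNames and exprIsConst (and in sqlite3ExprCodeConstants, sqlite3SelectExpand and sqlite3SelectAddTypeInfo in later hunks) are required because sqlite3WalkSelect() now reads pWalker->bSelectDepthFirst, which a field-by-field initialised automatic Walker leaves indeterminate. Any other Walker in the file that is still initialised field by field has the same latent problem, so the audit should be completed and the requirement documented at the field's declaration (outside these hunks), e.g. `/* A Walker must be zero-initialised (memset) before use: bSelectDepthFirst is read by sqlite3WalkSelect() */`. In resolveSelectStep the HAVING clause is now resolved before WHERE and nothing says whether that order matters under NC_AsMaybe; a one-line comment would stop a later reorder. resolveSelectStep starts and ends outside this hunk.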
@@ -77408,8 +78647,8 @@ SQLITE_PRIVATE void sqlite3ExprCodeConstants(Parse *pParse, Expr *pExpr){ Walker w; if( pParse->cookieGoto ) return; if( OptimizationDisabled(pParse->db, SQLITE_FactorOutConst) ) return; + memset(&w, 0, sizeof(w)); w.xExprCallback = evalConstExpr; - w.xSelectCallback = 0; w.pParse = pParse; sqlite3WalkExpr(&w, pExpr); } @@ -83601,10 +84840,8 @@ SQLITE_PRIVATE Index *sqlite3CreateIndex( for(i=0; inExpr; i++){ Expr *pExpr = pList->a[i].pExpr; if( pExpr ){ - CollSeq *pColl = sqlite3ExprCollSeq(pParse, pExpr); - if( pColl ){ - nExtra += (1 + sqlite3Strlen30(pColl->zName)); - } + assert( pExpr->op==TK_COLLATE ); + nExtra += (1 + sqlite3Strlen30(pExpr->u.zToken)); } } @@ -83665,7 +84902,6 @@ SQLITE_PRIVATE Index *sqlite3CreateIndex( const char *zColName = pListItem->zName; Column *pTabCol; int requestedSortOrder; - CollSeq *pColl; /* Collating sequence */ char *zColl; /* Collation sequence name */ for(j=0, pTabCol=pTab->aCol; jnCol; j++, pTabCol++){ @@ -83678,11 +84914,10 @@ SQLITE_PRIVATE Index *sqlite3CreateIndex( goto exit_create_index; } pIndex->aiColumn[i] = j; - if( pListItem->pExpr - && (pColl = sqlite3ExprCollSeq(pParse, pListItem->pExpr))!=0 - ){ + if( pListItem->pExpr ){ int nColl; - zColl = pColl->zName; + assert( pListItem->pExpr->op==TK_COLLATE ); + zColl = pListItem->pExpr->u.zToken; nColl = sqlite3Strlen30(zColl) + 1; assert( nExtra>=nColl ); memcpy(zExtra, zColl, nColl); @@ -83691,9 +84926,7 @@ SQLITE_PRIVATE Index *sqlite3CreateIndex( nExtra -= nColl; }else{ zColl = pTab->aCol[j].zColl; - if( !zColl ){ - zColl = "BINARY"; - } + if( !zColl ) zColl = "BINARY"; } if( !db->init.busy && !sqlite3LocateCollSeq(pParse, zColl) ){ goto exit_create_index; 
@@ -86612,6 +87845,13 @@ static int patternCompare( return *zString==0; } +/* +** The sqlite3_strglob() interface. +*/ +SQLITE_API int sqlite3_strglob(const char *zGlobPattern, const char *zString){ + return patternCompare((u8*)zGlobPattern, (u8*)zString, &globInfo, 0)==0; +} + /* ** Count the number of times that the LIKE operator (or GLOB which is ** just a variation of LIKE) gets called. This is used for testing @@ -90812,7 +92052,6 @@ SQLITE_API int sqlite3_exec( const char *zLeftover; /* Tail of unprocessed SQL */ sqlite3_stmt *pStmt = 0; /* The current SQL statement */ char **azCols = 0; /* Names of result columns */ - int nRetry = 0; /* Number of retry attempts */ int callbackIsInit; /* True if callback data is initialized */ if( !sqlite3SafetyCheckOk(db) ) return SQLITE_MISUSE_BKPT; @@ -90820,12 +92059,12 @@ SQLITE_API int sqlite3_exec( sqlite3_mutex_enter(db->mutex); sqlite3Error(db, SQLITE_OK, 0); - while( (rc==SQLITE_OK || (rc==SQLITE_SCHEMA && (++nRetry)<2)) && zSql[0] ){ + while( rc==SQLITE_OK && zSql[0] ){ int nCol; char **azVals = 0; pStmt = 0; - rc = sqlite3_prepare(db, zSql, -1, &pStmt, &zLeftover); + rc = sqlite3_prepare_v2(db, zSql, -1, &pStmt, &zLeftover); assert( rc==SQLITE_OK || pStmt==0 ); if( rc!=SQLITE_OK ){ continue; @@ -90882,11 +92121,8 @@ SQLITE_API int sqlite3_exec( if( rc!=SQLITE_ROW ){ rc = sqlite3VdbeFinalize((Vdbe *)pStmt); pStmt = 0; - if( rc!=SQLITE_SCHEMA ){ - nRetry = 0; - zSql = zLeftover; - while( sqlite3Isspace(zSql[0]) ) zSql++; - } + zSql = zLeftover; + while( sqlite3Isspace(zSql[0]) ) zSql++; break; } } 
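Review bot: The header comment on the new public sqlite3_strglob() only repeats its name, and its return convention is the inverse of patternCompare()'s — the `==0` turns a non-zero "matched" result into zero — so a caller who reads it as a boolean will invert the test. I would document it: `/* Return 0 if zString matches the GLOB pattern zGlobPattern and non-zero if it does not (strcmp()-style); matching uses the built-in globInfo rules. */`. The `(u8*)` casts also discard the const of both parameters; if patternCompare() takes `const u8*` they should be `(const u8*)`.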
@@ -91410,8 +92646,17 @@ struct sqlite3_api_routines { #define sqlite3_wal_checkpoint_v2 sqlite3_api->wal_checkpoint_v2 #endif /* SQLITE_CORE */ -#define SQLITE_EXTENSION_INIT1 const sqlite3_api_routines *sqlite3_api = 0; -#define SQLITE_EXTENSION_INIT2(v) sqlite3_api = v; +#ifndef SQLITE_CORE + /* This case when the file really is being compiled as a loadable + ** extension */ +# define SQLITE_EXTENSION_INIT1 const sqlite3_api_routines *sqlite3_api=0; +# define SQLITE_EXTENSION_INIT2(v) sqlite3_api=v; +#else + /* This case when the file is being statically linked into the + ** application */ +# define SQLITE_EXTENSION_INIT1 /*no-op*/ +# define SQLITE_EXTENSION_INIT2(v) (void)v; /* unused parameter */ +#endif #endif /* _SQLITE3EXT_H_ */ @@ -91814,8 +93059,23 @@ static int sqlite3LoadExtension( void *handle; int (*xInit)(sqlite3*,char**,const sqlite3_api_routines*); char *zErrmsg = 0; + const char *zEntry; + char *zAltEntry = 0; void **aHandle; int nMsg = 300 + sqlite3Strlen30(zFile); + int ii; + + /* Shared library endings to try if zFile cannot be loaded as written */ + static const char *azEndings[] = { +#if SQLITE_OS_WIN + "dll" +#elif defined(__APPLE__) + "dylib" +#else + "so" +#endif + }; + if( pzErrMsg ) *pzErrMsg = 0; 
@@ -91832,11 +93092,17 @@ static int sqlite3LoadExtension( return SQLITE_ERROR; } - if( zProc==0 ){ - zProc = "sqlite3_extension_init"; - } + zEntry = zProc ? zProc : "sqlite3_extension_init"; handle = sqlite3OsDlOpen(pVfs, zFile); +#if SQLITE_OS_UNIX || SQLITE_OS_WIN + for(ii=0; ii sqlite3_example_init + ** C:/lib/mathfuncs.dll ==> sqlite3_mathfuncs_init + */ + if( xInit==0 && zProc==0 ){ + int iFile, iEntry, c; + int ncFile = sqlite3Strlen30(zFile); + zAltEntry = sqlite3_malloc(ncFile+30); + if( zAltEntry==0 ){ + sqlite3OsDlClose(pVfs, handle); + return SQLITE_NOMEM; + } + memcpy(zAltEntry, "sqlite3_", 8); + for(iFile=ncFile-1; iFile>=0 && zFile[iFile]!='/'; iFile--){} + iFile++; + if( sqlite3_strnicmp(zFile+iFile, "lib", 3)==0 ) iFile += 3; + for(iEntry=8; (c = zFile[iFile])!=0 && c!='.'; iFile++){ + if( sqlite3Isalpha(c) ){ + zAltEntry[iEntry++] = (char)sqlite3UpperToLower[(unsigned)c]; + } + } + memcpy(zAltEntry+iEntry, "_init", 6); + zEntry = zAltEntry; + xInit = (int(*)(sqlite3*,char**,const sqlite3_api_routines*)) + sqlite3OsDlSym(pVfs, handle, zEntry); + } if( xInit==0 ){ if( pzErrMsg ){ - nMsg += sqlite3Strlen30(zProc); + nMsg += sqlite3Strlen30(zEntry); *pzErrMsg = zErrmsg = sqlite3_malloc(nMsg); if( zErrmsg ){ sqlite3_snprintf(nMsg, zErrmsg, - "no entry point [%s] in shared library [%s]", zProc,zFile); + "no entry point [%s] in shared library [%s]", zEntry, zFile); sqlite3OsDlError(pVfs, nMsg-1, zErrmsg); } - sqlite3OsDlClose(pVfs, handle); } + sqlite3OsDlClose(pVfs, handle); + sqlite3_free(zAltEntry); return SQLITE_ERROR; - }else if( xInit(db, &zErrmsg, &sqlite3Apis) ){ + } + sqlite3_free(zAltEntry); + if( xInit(db, &zErrmsg, &sqlite3Apis) ){ if( pzErrMsg ){ *pzErrMsg = sqlite3_mprintf("error during initialization: %s", zErrmsg); } 
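Review bot: The basename scan that builds the fallback entry point, `for(iFile=ncFile-1; iFile>=0 && zFile[iFile]!='/'; iFile--){}`, only recognises '/' as a separator, so under SQLITE_OS_WIN a path like the comment's own `C:/lib/mathfuncs.dll` written with backslashes derives the symbol from the whole path (`sqlite3_clibmathfuncs_init`) rather than the file name. Stopping at '\\' on Windows fixes it: `for(iFile=ncFile-1; iFile>=0 && zFile[iFile]!='/' && !(SQLITE_OS_WIN && zFile[iFile]=='\\'); iFile--){}`. The zAltEntry buffer of ncFile+30 bytes is sufficient (8 + at most ncFile + 6) and is freed on both the error and the success path. The retry loop over azEndings (declared in the previous hunk) is only partly legible here, so I have not reviewed it. sqlite3LoadExtension continues beyond this hunk.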
@@ -92391,7 +93694,7 @@ SQLITE_PRIVATE void sqlite3Pragma( int rc; /* return value form SQLITE_FCNTL_PRAGMA */ sqlite3 *db = pParse->db; /* The database connection */ Db *pDb; /* The specific database being pragmaed */ - Vdbe *v = pParse->pVdbe = sqlite3VdbeCreate(db); /* Prepared statement */ + Vdbe *v = sqlite3GetVdbe(pParse); /* Prepared statement */ if( v==0 ) return; sqlite3VdbeRunOnlyOnce(v); @@ -92474,11 +93777,12 @@ SQLITE_PRIVATE void sqlite3Pragma( static const VdbeOpList getCacheSize[] = { { OP_Transaction, 0, 0, 0}, /* 0 */ { OP_ReadCookie, 0, 1, BTREE_DEFAULT_CACHE_SIZE}, /* 1 */ - { OP_IfPos, 1, 7, 0}, + { OP_IfPos, 1, 8, 0}, { OP_Integer, 0, 2, 0}, { OP_Subtract, 1, 2, 1}, - { OP_IfPos, 1, 7, 0}, + { OP_IfPos, 1, 8, 0}, { OP_Integer, 0, 1, 0}, /* 6 */ + { OP_Noop, 0, 0, 0}, { OP_ResultRow, 1, 1, 0}, }; int addr; 
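Review bot: The jump operands in getCacheSize are raw indices into the op list, and this hunk had to bump both `OP_IfPos` targets from 7 to 8 because of the inserted `OP_Noop`; the array only annotates entries 0, 1 and 6, so the next insertion will silently break the jumps again. Annotate the tail the same way, `{ OP_Noop, 0, 0, 0}, /* 7 */` and `{ OP_ResultRow, 1, 1, 0}, /* 8 */`, ideally with a one-liner above the array noting that the P2 of both IfPos entries must point at ResultRow. sqlite3Pragma starts and ends outside these hunks.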
@@ -92816,6 +94120,43 @@ SQLITE_PRIVATE void sqlite3Pragma( } }else + /* + ** PRAGMA [database.]mmap_size(N) + ** + ** Used to set mapping size limit. The mapping size limit is + ** used to limit the aggregate size of all memory mapped regions of the + ** database file. If this parameter is set to zero, then memory mapping + ** is not used at all. If N is negative, then the default memory map + ** limit determined by sqlite3_config(SQLITE_CONFIG_MMAP_SIZE) is set. + ** The parameter N is measured in bytes. + ** + ** This value is advisory. The underlying VFS is free to memory map + ** as little or as much as it wants. Except, if N is set to 0 then the + ** upper layers will never invoke the xFetch interfaces to the VFS. + */ + if( sqlite3StrICmp(zLeft,"mmap_size")==0 ){ + sqlite3_int64 sz; + assert( sqlite3SchemaMutexHeld(db, iDb, 0) ); + if( zRight ){ + int ii; + sqlite3Atoi64(zRight, &sz, 1000, SQLITE_UTF8); + if( sz<0 ) sz = sqlite3GlobalConfig.szMmap; + if( pId2->n==0 ) db->szMmap = sz; + for(ii=db->nDb-1; ii>=0; ii--){ + if( db->aDb[ii].pBt && (ii==iDb || pId2->n==0) ){ + sqlite3BtreeSetMmapLimit(db->aDb[ii].pBt, sz); + } + } + } + sz = -1; + if( sqlite3_file_control(db,zDb,SQLITE_FCNTL_MMAP_SIZE,&sz)==SQLITE_OK ){ +#if SQLITE_MAX_MMAP_SIZE==0 + sz = 0; +#endif + returnSingleInt(pParse, "mmap_size", sz); + } + }else + /* ** PRAGMA temp_store ** PRAGMA temp_store = "default"|"memory"|"file" @@ -93601,6 +94942,11 @@ SQLITE_PRIVATE void sqlite3Pragma( ** PRAGMA [database.]user_version ** PRAGMA [database.]user_version = ** + ** PRAGMA [database.]freelist_count = + ** + ** PRAGMA [database.]application_id + ** PRAGMA [database.]application_id = + ** ** The pragma's schema_version and user_version are used to set or get ** the value of the schema-version and user-version, respectively. Both ** the schema-version and the user-version are 32-bit signed integers 
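Review bot: In the new mmap_size pragma the return value of `sqlite3Atoi64(zRight, &sz, 1000, SQLITE_UTF8)` is ignored, so a non-numeric or overflowing `PRAGMA mmap_size=...` proceeds with whatever the parser left in sz and, through the `if( sz<0 )` line, may silently reset every attached database to the global default. Guard the block on a successful parse instead, e.g. replace `if( zRight ){` with `if( zRight && sqlite3Atoi64(zRight, &sz, sqlite3Strlen30(zRight), SQLITE_UTF8)==0 ){` (assuming the zero-on-success contract used elsewhere in the file — confirm), which also replaces the arbitrary 1000-byte length with the string's real length. The pragma comment documents the negative-N case but not that, without a schema prefix, the value is applied to every attached database; a sentence there would help. sqlite3Pragma starts and ends outside this hunk.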
@@ -93622,10 +94968,14 @@ SQLITE_PRIVATE void sqlite3Pragma( if( sqlite3StrICmp(zLeft, "schema_version")==0 || sqlite3StrICmp(zLeft, "user_version")==0 || sqlite3StrICmp(zLeft, "freelist_count")==0 + || sqlite3StrICmp(zLeft, "application_id")==0 ){ int iCookie; /* Cookie index. 1 for schema-cookie, 6 for user-cookie. */ sqlite3VdbeUsesBtree(v, iDb); switch( zLeft[0] ){ + case 'a': case 'A': + iCookie = BTREE_APPLICATION_ID; + break; case 'f': case 'F': iCookie = BTREE_FREE_PAGE_COUNT; break; @@ -94506,7 +95856,6 @@ static int sqlite3Prepare( } #endif - assert( db->init.busy==0 || saveSqlFlag==0 ); if( db->init.busy==0 ){ Vdbe *pVdbe = pParse->pVdbe; sqlite3VdbeSetSql(pVdbe, zSql, (int)(pParse->zTail-zSql), saveSqlFlag); 
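Review bot: The declaration comment `int iCookie; /* Cookie index. 1 for schema-cookie, 6 for user-cookie. */` is now stale: the switch below it also selects BTREE_FREE_PAGE_COUNT and, with this hunk, BTREE_APPLICATION_ID. Reword it to `/* Header cookie index: schema version, user version, free-page count or application id, chosen by the switch below */` so the next cookie added here does not widen the gap. The documentation block in the preceding hunk lists application_id but says nothing about what the value is for (it is handled as one more header cookie alongside user_version); a sentence on its intended use would close that. sqlite3Pragma starts and ends outside this hunk.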
@@ -97982,6 +99331,69 @@ SQLITE_PRIVATE int sqlite3IndexedByLookup(Parse *pParse, struct SrcList_item *pF } return SQLITE_OK; } +/* +** Detect compound SELECT statements that use an ORDER BY clause with +** an alternative collating sequence. +** +** SELECT ... FROM t1 EXCEPT SELECT ... FROM t2 ORDER BY .. COLLATE ... +** +** These are rewritten as a subquery: +** +** SELECT * FROM (SELECT ... FROM t1 EXCEPT SELECT ... FROM t2) +** ORDER BY ... COLLATE ... +** +** This transformation is necessary because the multiSelectOrderBy() routine +** above that generates the code for a compound SELECT with an ORDER BY clause +** uses a merge algorithm that requires the same collating sequence on the +** result columns as on the ORDER BY clause. See ticket +** http://www.sqlite.org/src/info/6709574d2a +** +** This transformation is only needed for EXCEPT, INTERSECT, and UNION. +** The UNION ALL operator works fine with multiSelectOrderBy() even when +** there are COLLATE terms in the ORDER BY. +*/ +static int convertCompoundSelectToSubquery(Walker *pWalker, Select *p){ + int i; + Select *pNew; + Select *pX; + sqlite3 *db; + struct ExprList_item *a; + SrcList *pNewSrc; + Parse *pParse; + Token dummy; + + if( p->pPrior==0 ) return WRC_Continue; + if( p->pOrderBy==0 ) return WRC_Continue; + for(pX=p; pX && (pX->op==TK_ALL || pX->op==TK_SELECT); pX=pX->pPrior){} + if( pX==0 ) return WRC_Continue; + a = p->pOrderBy->a; + for(i=p->pOrderBy->nExpr-1; i>=0; i--){ + if( a[i].pExpr->flags & EP_Collate ) break; + } + if( i<0 ) return WRC_Continue; + + /* If we reach this point, that means the transformation is required. 
*/ + + pParse = pWalker->pParse; + db = pParse->db; + pNew = sqlite3DbMallocZero(db, sizeof(*pNew) ); + if( pNew==0 ) return WRC_Abort; + memset(&dummy, 0, sizeof(dummy)); + pNewSrc = sqlite3SrcListAppendFromTerm(pParse,0,0,0,&dummy,pNew,0,0); + if( pNewSrc==0 ) return WRC_Abort; + *pNew = *p; + p->pSrc = pNewSrc; + p->pEList = sqlite3ExprListAppend(pParse, 0, sqlite3Expr(db, TK_ALL, 0)); + p->op = TK_SELECT; + p->pWhere = 0; + pNew->pGroupBy = 0; + pNew->pHaving = 0; + pNew->pOrderBy = 0; + p->pPrior = 0; + pNew->pLimit = 0; + pNew->pOffset = 0; + return WRC_Continue; +} /* ** This routine is a Walker callback for "expanding" a SELECT statement. @@ -98298,10 +99710,13 @@ static int exprWalkNoop(Walker *NotUsed, Expr *NotUsed2){ */ static void sqlite3SelectExpand(Parse *pParse, Select *pSelect){ Walker w; - w.xSelectCallback = selectExpander; + memset(&w, 0, sizeof(w)); + w.xSelectCallback = convertCompoundSelectToSubquery; w.xExprCallback = exprWalkNoop; w.pParse = pParse; sqlite3WalkSelect(&w, pSelect); + w.xSelectCallback = selectExpander; + sqlite3WalkSelect(&w, pSelect); } @@ -98356,9 +99771,11 @@ static int selectAddSubqueryTypeInfo(Walker *pWalker, Select *p){ static void sqlite3SelectAddTypeInfo(Parse *pParse, Select *pSelect){ #ifndef SQLITE_OMIT_SUBQUERY Walker w; + memset(&w, 0, sizeof(w)); w.xSelectCallback = selectAddSubqueryTypeInfo; w.xExprCallback = exprWalkNoop; w.pParse = pParse; + w.bSelectDepthFirst = 1; sqlite3WalkSelect(&w, pSelect); #endif } @@ -98769,7 +100186,7 @@ SQLITE_PRIVATE int sqlite3Select( pItem->addrFillSub = topAddr+1; VdbeNoopComment((v, "materialize %s", pItem->pTab->zName)); if( pItem->isCorrelated==0 ){ - /* If the subquery is no correlated and if we are not inside of + /* If the subquery is not correlated and if we are not inside of ** a trigger, then we only need to compute the value of the subquery ** once. */ onceAddr = sqlite3CodeOnce(pParse); 
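Review bot: The header comment of convertCompoundSelectToSubquery describes the rewrite but not how the fields of the rightmost SELECT are split: after `*pNew = *p`, WHERE and the compound chain (pPrior) go into the subquery pNew while GROUP BY, HAVING, ORDER BY, LIMIT and OFFSET stay on the wrapper p. A comment after the copy, `/* p becomes the outer SELECT * FROM (pNew); pNew keeps the compound chain and WHERE, p keeps GROUP BY/HAVING/ORDER BY/LIMIT/OFFSET */`, makes that explicit. It is not obvious from the hunk that leaving GROUP BY/HAVING on the wrapper preserves the meaning when the last term of the compound carries its own GROUP BY/HAVING (before the rewrite they applied to that term alone), so a test or a sentence explaining why that case cannot occur or is equivalent would be worth adding. If sqlite3SrcListAppendFromTerm() does not free pNew on failure, the `if( pNewSrc==0 ) return WRC_Abort;` path leaks it — confirm against its contract. The function starts in the previous line's portion of this hunk.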
@@ -101035,6 +102452,7 @@ SQLITE_PRIVATE void sqlite3Update( } if( j>=pTab->nCol ){ if( sqlite3IsRowid(pChanges->a[i].zName) ){ + j = -1; chngRowid = 1; pRowidExpr = pChanges->a[i].pExpr; }else{ @@ -101047,7 +102465,8 @@ SQLITE_PRIVATE void sqlite3Update( { int rc; rc = sqlite3AuthCheck(pParse, SQLITE_UPDATE, pTab->zName, - pTab->aCol[j].zName, db->aDb[iDb].zName); + j<0 ? "ROWID" : pTab->aCol[j].zName, + db->aDb[iDb].zName); if( rc==SQLITE_DENY ){ goto update_cleanup; }else if( rc==SQLITE_IGNORE ){ @@ -101790,6 +103209,7 @@ SQLITE_PRIVATE int sqlite3RunVacuum(char **pzErrMsg, sqlite3 *db){ BTREE_DEFAULT_CACHE_SIZE, 0, /* Preserve the default page cache size */ BTREE_TEXT_ENCODING, 0, /* Preserve the text encoding */ BTREE_USER_VERSION, 0, /* Preserve the user version */ + BTREE_APPLICATION_ID, 0, /* Preserve the application id */ }; assert( 1==sqlite3BtreeIsInTrans(pTemp) ); @@ -103657,7 +105077,7 @@ static WhereTerm *findTerm( continue; } } - if( pTerm->prereqRight==0 ){ + if( pTerm->prereqRight==0 && (pTerm->eOperator&WO_EQ)!=0 ){ pResult = pTerm; goto findTerm_success; }else if( pResult==0 ){ @@ -105227,9 +106647,8 @@ static void bestVirtualIndex(WhereBestIdx *p){ struct sqlite3_index_constraint *pIdxCons; struct sqlite3_index_constraint_usage *pUsage; WhereTerm *pTerm; - int i, j, k; + int i, j; int nOrderBy; - int sortOrder; /* Sort order for IN clauses */ int bAllowIN; /* Allow IN optimizations */ double rCost; @@ -105328,7 +106747,6 @@ static void bestVirtualIndex(WhereBestIdx *p){ return; } - sortOrder = SQLITE_SO_ASC; pIdxCons = *(struct sqlite3_index_constraint**)&pIdxInfo->aConstraint; for(i=0; inConstraint; i++, pIdxCons++){ if( pUsage[i].argvIndex>0 ){ 
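Review bot: The new `j = -1;` in sqlite3Update is a sentinel that the auth-check hunk below relies on (`j<0 ? "ROWID" : pTab->aCol[j].zName`), but nothing at the assignment says so. A comment, `j = -1;  /* -1 marks the target as the rowid, not a column; see the SQLITE_UPDATE auth check below */`, keeps the two sites tied together. Any later use of j as a column index in this function (outside the hunk) must now tolerate -1, which is worth confirming. sqlite3Update starts and ends outside these hunks.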
@@ -105343,17 +106761,28 @@ static void bestVirtualIndex(WhereBestIdx *p){ ** repeated in the output. */ break; } - for(k=0; knOrderBy; k++){ - if( pIdxInfo->aOrderBy[k].iColumn==pIdxCons->iColumn ){ - sortOrder = pIdxInfo->aOrderBy[k].desc; - break; - } - } + /* A virtual table that is constrained by an IN clause may not + ** consume the ORDER BY clause because (1) the order of IN terms + ** is not necessarily related to the order of output terms and + ** (2) Multiple outputs from a single IN value will not merge + ** together. */ + pIdxInfo->orderByConsumed = 0; } } } if( i>=pIdxInfo->nConstraint ) break; } + + /* The orderByConsumed signal is only valid if all outer loops collectively + ** generate just a single row of output. + */ + if( pIdxInfo->orderByConsumed ){ + for(i=0; ii; i++){ + if( (p->aLevel[i].plan.wsFlags & WHERE_UNIQUE)==0 ){ + pIdxInfo->orderByConsumed = 0; + } + } + } /* If there is an ORDER BY clause, and the selected virtual table index ** does not satisfy it, increase the cost of the scan accordingly. This @@ -105378,8 +106807,7 @@ static void bestVirtualIndex(WhereBestIdx *p){ } p->cost.plan.u.pVtabIdx = pIdxInfo; if( pIdxInfo->orderByConsumed ){ - assert( sortOrder==0 || sortOrder==1 ); - p->cost.plan.wsFlags |= WHERE_ORDERED + sortOrder*WHERE_REVERSE; + p->cost.plan.wsFlags |= WHERE_ORDERED; p->cost.plan.nOBSat = nOrderBy; }else{ p->cost.plan.nOBSat = p->i ? p->aLevel[p->i-1].plan.nOBSat : 0; @@ -107116,6 +108544,7 @@ static Bitmask codeOneLoopStart( int addrCont; /* Jump here to continue with next cycle */ int iRowidReg = 0; /* Rowid is stored in this register, if not zero */ int iReleaseReg = 0; /* Temp register to free before returning */ + Bitmask newNotReady; /* Return value */ pParse = pWInfo->pParse; v = pParse->pVdbe; 
@@ -107126,6 +108555,7 @@ static Bitmask codeOneLoopStart( bRev = (pLevel->plan.wsFlags & WHERE_REVERSE)!=0; omitTable = (pLevel->plan.wsFlags & WHERE_IDX_ONLY)!=0 && (wctrlFlags & WHERE_FORCE_TABLE)==0; + VdbeNoopComment((v, "Begin Join Loop %d", iLevel)); /* Create labels for the "break" and "continue" instructions ** for the current loop. Jump to addrBrk to break out of a loop. @@ -107668,6 +109098,10 @@ static Bitmask codeOneLoopStart( ** the "interesting" terms of z - terms that did not originate in the ** ON or USING clause of a LEFT JOIN, and terms that are usable as ** indices. + ** + ** This optimization also only applies if the (x1 OR x2 OR ...) term + ** is not contained in the ON clause of a LEFT JOIN. + ** See ticket http://www.sqlite.org/src/info/f2369304e4 */ if( pWC->nTerm>1 ){ int iTerm; @@ -107689,7 +109123,7 @@ static Bitmask codeOneLoopStart( if( pOrTerm->leftCursor==iCur || (pOrTerm->eOperator & WO_AND)!=0 ){ WhereInfo *pSubWInfo; /* Info for single OR-term scan */ Expr *pOrExpr = pOrTerm->pExpr; - if( pAndExpr ){ + if( pAndExpr && !ExprHasProperty(pOrExpr, EP_FromJoin) ){ pAndExpr->pLeft = pOrExpr; pOrExpr = pAndExpr; } @@ -107776,7 +109210,7 @@ static Bitmask codeOneLoopStart( pLevel->p2 = 1 + sqlite3VdbeAddOp2(v, aStart[bRev], iCur, addrBrk); pLevel->p5 = SQLITE_STMTSTATUS_FULLSCAN_STEP; } - notReady &= ~getMask(pWC->pMaskSet, iCur); + newNotReady = notReady & ~getMask(pWC->pMaskSet, iCur); /* Insert code to test every subexpression that can be completely ** computed using the current set of tables. @@ -107790,7 +109224,7 @@ static Bitmask codeOneLoopStart( testcase( pTerm->wtFlags & TERM_VIRTUAL ); /* IMP: R-30575-11662 */ testcase( pTerm->wtFlags & TERM_CODED ); if( pTerm->wtFlags & (TERM_VIRTUAL|TERM_CODED) ) continue; - if( (pTerm->prereqAll & notReady)!=0 ){ + if( (pTerm->prereqAll & newNotReady)!=0 ){ testcase( pWInfo->untestedTerms==0 && (pWInfo->wctrlFlags & WHERE_ONETABLE_ONLY)!=0 ); pWInfo->untestedTerms = 1; 
@@ -107805,6 +109239,33 @@ static Bitmask codeOneLoopStart( pTerm->wtFlags |= TERM_CODED; } + /* Insert code to test for implied constraints based on transitivity + ** of the "==" operator. + ** + ** Example: If the WHERE clause contains "t1.a=t2.b" and "t2.b=123" + ** and we are coding the t1 loop and the t2 loop has not yet coded, + ** then we cannot use the "t1.a=t2.b" constraint, but we can code + ** the implied "t1.a=123" constraint. + */ + for(pTerm=pWC->a, j=pWC->nTerm; j>0; j--, pTerm++){ + Expr *pE; + WhereTerm *pAlt; + Expr sEq; + if( pTerm->wtFlags & (TERM_VIRTUAL|TERM_CODED) ) continue; + if( pTerm->eOperator!=(WO_EQUIV|WO_EQ) ) continue; + if( pTerm->leftCursor!=iCur ) continue; + pE = pTerm->pExpr; + assert( !ExprHasProperty(pE, EP_FromJoin) ); + assert( (pTerm->prereqRight & newNotReady)!=0 ); + pAlt = findTerm(pWC, iCur, pTerm->u.leftColumn, notReady, WO_EQ|WO_IN, 0); + if( pAlt==0 ) continue; + if( pAlt->wtFlags & (TERM_CODED) ) continue; + VdbeNoopComment((v, "begin transitive constraint")); + sEq = *pAlt->pExpr; + sEq.pLeft = pE->pLeft; + sqlite3ExprIfFalse(pParse, &sEq, addrCont, SQLITE_JUMPIFNULL); + } + /* For a LEFT OUTER JOIN, generate code that will record the fact that ** at least one row of the right table has matched the left table. */ @@ -107817,7 +109278,7 @@ static Bitmask codeOneLoopStart( testcase( pTerm->wtFlags & TERM_VIRTUAL ); /* IMP: R-30575-11662 */ testcase( pTerm->wtFlags & TERM_CODED ); if( pTerm->wtFlags & (TERM_VIRTUAL|TERM_CODED) ) continue; - if( (pTerm->prereqAll & notReady)!=0 ){ + if( (pTerm->prereqAll & newNotReady)!=0 ){ assert( pWInfo->untestedTerms ); continue; } @@ -107828,7 +109289,7 @@ static Bitmask codeOneLoopStart( } sqlite3ReleaseTempReg(pParse, iReleaseReg); - return notReady; + return newNotReady; } #if defined(SQLITE_TEST) 
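Review bot: The transitive-constraint loop codes the implied test but never sets TERM_CODED on pTerm or pAlt, so the original terms are still evaluated later; the comment block should say so because the loop reads as if it consumed them, e.g. append `** The original terms are left uncoded and are still tested once their other table is available.`. `sEq` is a stack copy whose address is handed to sqlite3ExprIfFalse(); that is only safe if code generation never retains the Expr pointer, which appears to be the case but deserves a remark next to `sEq = *pAlt->pExpr;`. The `(TERM_CODED)` parentheses on the `pAlt->wtFlags` test are leftover noise. codeOneLoopStart starts outside this hunk.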
@@ -111146,7 +112607,9 @@ static void yy_reduce( struct SrcList_item *pOld = yymsp[-4].minor.yy347->a; pNew->zName = pOld->zName; pNew->zDatabase = pOld->zDatabase; + pNew->pSelect = pOld->pSelect; pOld->zName = pOld->zDatabase = 0; + pOld->pSelect = 0; } sqlite3SrcListDelete(pParse->db, yymsp[-4].minor.yy347); }else{ @@ -113814,6 +115277,19 @@ SQLITE_API int sqlite3_config(int op, ...){ } #endif + case SQLITE_CONFIG_MMAP_SIZE: { + sqlite3_int64 szMmap = va_arg(ap, sqlite3_int64); + sqlite3_int64 mxMmap = va_arg(ap, sqlite3_int64); + if( mxMmap<0 || mxMmap>SQLITE_MAX_MMAP_SIZE ){ + mxMmap = SQLITE_MAX_MMAP_SIZE; + } + sqlite3GlobalConfig.mxMmap = mxMmap; + if( szMmap<0 ) szMmap = SQLITE_DEFAULT_MMAP_SIZE; + if( szMmap>mxMmap) szMmap = mxMmap; + sqlite3GlobalConfig.szMmap = szMmap; + break; + } + default: { rc = SQLITE_ERROR; break; @@ -114207,6 +115683,12 @@ SQLITE_PRIVATE void sqlite3LeaveMutexAndCloseZombie(sqlite3 *db){ ** go ahead and free all resources. */ + /* If a transaction is open, roll it back. This also ensures that if + ** any database schemas have been modified by an uncommitted transaction + ** they are reset. And that the required b-tree mutex is held to make + ** the pager rollback and schema reset an atomic operation. */ + sqlite3RollbackAll(db, SQLITE_OK); + /* Free any outstanding Savepoint structures. */ sqlite3CloseSavepoints(db); 
@@ -114307,6 +115789,15 @@ SQLITE_PRIVATE void sqlite3RollbackAll(sqlite3 *db, int tripCode){ int inTrans = 0; assert( sqlite3_mutex_held(db->mutex) ); sqlite3BeginBenignMalloc(); + + /* Obtain all b-tree mutexes before making any calls to BtreeRollback(). + ** This is important in case the transaction being rolled back has + ** modified the database schema. If the b-tree mutexes are not taken + ** here, then another shared-cache connection might sneak in between + ** the database rollback and schema reset, which can cause false + ** corruption reports in some cases. */ + sqlite3BtreeEnterAll(db); + for(i=0; inDb; i++){ Btree *p = db->aDb[i].pBt; if( p ){ @@ -114324,6 +115815,7 @@ SQLITE_PRIVATE void sqlite3RollbackAll(sqlite3 *db, int tripCode){ sqlite3ExpirePreparedStatements(db); sqlite3ResetAllSchemasOfConnection(db); } + sqlite3BtreeLeaveAll(db); /* Any deferred constraint violations have now been resolved. */ db->nDeferredCons = 0; 
@@ -114334,6 +115826,110 @@ SQLITE_PRIVATE void sqlite3RollbackAll(sqlite3 *db, int tripCode){ } } +/* +** Return a static string containing the name corresponding to the error code +** specified in the argument. +*/ +#if defined(SQLITE_DEBUG) || defined(SQLITE_TEST) || \ + defined(SQLITE_DEBUG_OS_TRACE) +SQLITE_PRIVATE const char *sqlite3ErrName(int rc){ + const char *zName = 0; + int i, origRc = rc; + for(i=0; i<2 && zName==0; i++, rc &= 0xff){ + switch( rc ){ + case SQLITE_OK: zName = "SQLITE_OK"; break; + case SQLITE_ERROR: zName = "SQLITE_ERROR"; break; + case SQLITE_INTERNAL: zName = "SQLITE_INTERNAL"; break; + case SQLITE_PERM: zName = "SQLITE_PERM"; break; + case SQLITE_ABORT: zName = "SQLITE_ABORT"; break; + case SQLITE_ABORT_ROLLBACK: zName = "SQLITE_ABORT_ROLLBACK"; break; + case SQLITE_BUSY: zName = "SQLITE_BUSY"; break; + case SQLITE_BUSY_RECOVERY: zName = "SQLITE_BUSY_RECOVERY"; break; + case SQLITE_LOCKED: zName = "SQLITE_LOCKED"; break; + case SQLITE_LOCKED_SHAREDCACHE: zName = "SQLITE_LOCKED_SHAREDCACHE";break; + case SQLITE_NOMEM: zName = "SQLITE_NOMEM"; break; + case SQLITE_READONLY: zName = "SQLITE_READONLY"; break; + case SQLITE_READONLY_RECOVERY: zName = "SQLITE_READONLY_RECOVERY"; break; + case SQLITE_READONLY_CANTLOCK: zName = "SQLITE_READONLY_CANTLOCK"; break; + case SQLITE_READONLY_ROLLBACK: zName = "SQLITE_READONLY_ROLLBACK"; break; + case SQLITE_INTERRUPT: zName = "SQLITE_INTERRUPT"; break; + case SQLITE_IOERR: zName = "SQLITE_IOERR"; break; + case SQLITE_IOERR_READ: zName = "SQLITE_IOERR_READ"; break; + case SQLITE_IOERR_SHORT_READ: zName = "SQLITE_IOERR_SHORT_READ"; break; + case SQLITE_IOERR_WRITE: zName = "SQLITE_IOERR_WRITE"; break; + case SQLITE_IOERR_FSYNC: zName = "SQLITE_IOERR_FSYNC"; break; + case SQLITE_IOERR_DIR_FSYNC: zName = "SQLITE_IOERR_DIR_FSYNC"; break; + case SQLITE_IOERR_TRUNCATE: zName = "SQLITE_IOERR_TRUNCATE"; break; + case SQLITE_IOERR_FSTAT: zName = "SQLITE_IOERR_FSTAT"; break; + case SQLITE_IOERR_UNLOCK: zName = 
"SQLITE_IOERR_UNLOCK"; break; + case SQLITE_IOERR_RDLOCK: zName = "SQLITE_IOERR_RDLOCK"; break; + case SQLITE_IOERR_DELETE: zName = "SQLITE_IOERR_DELETE"; break; + case SQLITE_IOERR_BLOCKED: zName = "SQLITE_IOERR_BLOCKED"; break; + case SQLITE_IOERR_NOMEM: zName = "SQLITE_IOERR_NOMEM"; break; + case SQLITE_IOERR_ACCESS: zName = "SQLITE_IOERR_ACCESS"; break; + case SQLITE_IOERR_CHECKRESERVEDLOCK: + zName = "SQLITE_IOERR_CHECKRESERVEDLOCK"; break; + case SQLITE_IOERR_LOCK: zName = "SQLITE_IOERR_LOCK"; break; + case SQLITE_IOERR_CLOSE: zName = "SQLITE_IOERR_CLOSE"; break; + case SQLITE_IOERR_DIR_CLOSE: zName = "SQLITE_IOERR_DIR_CLOSE"; break; + case SQLITE_IOERR_SHMOPEN: zName = "SQLITE_IOERR_SHMOPEN"; break; + case SQLITE_IOERR_SHMSIZE: zName = "SQLITE_IOERR_SHMSIZE"; break; + case SQLITE_IOERR_SHMLOCK: zName = "SQLITE_IOERR_SHMLOCK"; break; + case SQLITE_IOERR_SHMMAP: zName = "SQLITE_IOERR_SHMMAP"; break; + case SQLITE_IOERR_SEEK: zName = "SQLITE_IOERR_SEEK"; break; + case SQLITE_IOERR_DELETE_NOENT: zName = "SQLITE_IOERR_DELETE_NOENT";break; + case SQLITE_IOERR_MMAP: zName = "SQLITE_IOERR_MMAP"; break; + case SQLITE_CORRUPT: zName = "SQLITE_CORRUPT"; break; + case SQLITE_CORRUPT_VTAB: zName = "SQLITE_CORRUPT_VTAB"; break; + case SQLITE_NOTFOUND: zName = "SQLITE_NOTFOUND"; break; + case SQLITE_FULL: zName = "SQLITE_FULL"; break; + case SQLITE_CANTOPEN: zName = "SQLITE_CANTOPEN"; break; + case SQLITE_CANTOPEN_NOTEMPDIR: zName = "SQLITE_CANTOPEN_NOTEMPDIR";break; + case SQLITE_CANTOPEN_ISDIR: zName = "SQLITE_CANTOPEN_ISDIR"; break; + case SQLITE_CANTOPEN_FULLPATH: zName = "SQLITE_CANTOPEN_FULLPATH"; break; + case SQLITE_PROTOCOL: zName = "SQLITE_PROTOCOL"; break; + case SQLITE_EMPTY: zName = "SQLITE_EMPTY"; break; + case SQLITE_SCHEMA: zName = "SQLITE_SCHEMA"; break; + case SQLITE_TOOBIG: zName = "SQLITE_TOOBIG"; break; + case SQLITE_CONSTRAINT: zName = "SQLITE_CONSTRAINT"; break; + case SQLITE_CONSTRAINT_UNIQUE: zName = "SQLITE_CONSTRAINT_UNIQUE"; break; + case 
SQLITE_CONSTRAINT_TRIGGER: zName = "SQLITE_CONSTRAINT_TRIGGER";break; + case SQLITE_CONSTRAINT_FOREIGNKEY: + zName = "SQLITE_CONSTRAINT_FOREIGNKEY"; break; + case SQLITE_CONSTRAINT_CHECK: zName = "SQLITE_CONSTRAINT_CHECK"; break; + case SQLITE_CONSTRAINT_PRIMARYKEY: + zName = "SQLITE_CONSTRAINT_PRIMARYKEY"; break; + case SQLITE_CONSTRAINT_NOTNULL: zName = "SQLITE_CONSTRAINT_NOTNULL";break; + case SQLITE_CONSTRAINT_COMMITHOOK: + zName = "SQLITE_CONSTRAINT_COMMITHOOK"; break; + case SQLITE_CONSTRAINT_VTAB: zName = "SQLITE_CONSTRAINT_VTAB"; break; + case SQLITE_CONSTRAINT_FUNCTION: + zName = "SQLITE_CONSTRAINT_FUNCTION"; break; + case SQLITE_MISMATCH: zName = "SQLITE_MISMATCH"; break; + case SQLITE_MISUSE: zName = "SQLITE_MISUSE"; break; + case SQLITE_NOLFS: zName = "SQLITE_NOLFS"; break; + case SQLITE_AUTH: zName = "SQLITE_AUTH"; break; + case SQLITE_FORMAT: zName = "SQLITE_FORMAT"; break; + case SQLITE_RANGE: zName = "SQLITE_RANGE"; break; + case SQLITE_NOTADB: zName = "SQLITE_NOTADB"; break; + case SQLITE_ROW: zName = "SQLITE_ROW"; break; + case SQLITE_NOTICE: zName = "SQLITE_NOTICE"; break; + case SQLITE_NOTICE_RECOVER_WAL: zName = "SQLITE_NOTICE_RECOVER_WAL";break; + case SQLITE_NOTICE_RECOVER_ROLLBACK: + zName = "SQLITE_NOTICE_RECOVER_ROLLBACK"; break; + case SQLITE_WARNING: zName = "SQLITE_WARNING"; break; + case SQLITE_DONE: zName = "SQLITE_DONE"; break; + } + } + if( zName==0 ){ + static char zBuf[50]; + sqlite3_snprintf(sizeof(zBuf), zBuf, "SQLITE_UNKNOWN(%d)", origRc); + zName = zBuf; + } + return zName; +} +#endif + /* ** Return a static string that describes the kind of error specified in the ** argument. @@ -115634,6 +117230,7 @@ static int openDatabase( memcpy(db->aLimit, aHardLimit, sizeof(db->aLimit)); db->autoCommit = 1; db->nextAutovac = -1; + db->szMmap = sqlite3GlobalConfig.szMmap; db->nextPagesize = 0; db->flags |= SQLITE_ShortColNames | SQLITE_AutoIndex | SQLITE_EnableTrigger #if SQLITE_DEFAULT_FILE_FORMAT<4 
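Review bot: sqlite3ErrName() returns a pointer into a function-level `static char zBuf[50]` for unrecognised codes, so two threads hitting that fallback concurrently can clobber each other's "SQLITE_UNKNOWN(%d)" text; as the function exists only under SQLITE_DEBUG, SQLITE_TEST or SQLITE_DEBUG_OS_TRACE this is tolerable, but the header comment should state it: `** Not thread-safe for unrecognised codes (shared static buffer); debug and test builds only.`. The two-pass loop `for(i=0; i<2 && zName==0; i++, rc &= 0xff)` also deserves a line, e.g. `/* Second pass masks off the extended-result bits so an unlisted extended code still reports its primary name */`. The hunk starts two lines earlier and the function is fully contained in it.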
@@ -117950,7 +119547,7 @@ SQLITE_PRIVATE void sqlite3Fts3Matchinfo(sqlite3_context *, Fts3Cursor *, const /* fts3_expr.c */ SQLITE_PRIVATE int sqlite3Fts3ExprParse(sqlite3_tokenizer *, int, - char **, int, int, int, const char *, int, Fts3Expr ** + char **, int, int, int, const char *, int, Fts3Expr **, char ** ); SQLITE_PRIVATE void sqlite3Fts3ExprFree(Fts3Expr *); #ifdef SQLITE_TEST @@ -117975,6 +119572,9 @@ SQLITE_PRIVATE int sqlite3Fts3EvalPhrasePoslist(Fts3Cursor *, Fts3Expr *, int iC SQLITE_PRIVATE int sqlite3Fts3MsrOvfl(Fts3Cursor *, Fts3MultiSegReader *, int *); SQLITE_PRIVATE int sqlite3Fts3MsrIncrRestart(Fts3MultiSegReader *pCsr); +/* fts3_tokenize_vtab.c */ +SQLITE_PRIVATE int sqlite3Fts3InitTok(sqlite3*, Fts3Hash *); + /* fts3_unicode2.c (functions generated by parsing unicode text files) */ #ifdef SQLITE_ENABLE_FTS4_UNICODE61 SQLITE_PRIVATE int sqlite3FtsUnicodeFold(int, int); @@ -120671,14 +122271,12 @@ static int fts3FilterMethod( pCsr->iLangid = 0; if( nVal==2 ) pCsr->iLangid = sqlite3_value_int(apVal[1]); + assert( p->base.zErrMsg==0 ); rc = sqlite3Fts3ExprParse(p->pTokenizer, pCsr->iLangid, - p->azColumn, p->bFts4, p->nColumn, iCol, zQuery, -1, &pCsr->pExpr + p->azColumn, p->bFts4, p->nColumn, iCol, zQuery, -1, &pCsr->pExpr, + &p->base.zErrMsg ); if( rc!=SQLITE_OK ){ - if( rc==SQLITE_ERROR ){ - static const char *zErr = "malformed MATCH expression: [%s]"; - p->base.zErrMsg = sqlite3_mprintf(zErr, zQuery); - } return rc; } @@ -121342,9 +122940,13 @@ SQLITE_PRIVATE int sqlite3Fts3Init(sqlite3 *db){ db, "fts4", &fts3Module, (void *)pHash, 0 ); } + if( rc==SQLITE_OK ){ + rc = sqlite3Fts3InitTok(db, (void *)pHash); + } return rc; } + /* An error has occurred. Delete the hash table and return the error code. */ assert( rc!=SQLITE_OK ); if( pHash ){ 
@@ -123118,17 +124720,26 @@ static int fts3auxConnectMethod( UNUSED_PARAMETER(pUnused); - /* The user should specify a single argument - the name of an fts3 table. */ - if( argc!=4 ){ - *pzErr = sqlite3_mprintf( - "wrong number of arguments to fts4aux constructor" - ); - return SQLITE_ERROR; - } + /* The user should invoke this in one of two forms: + ** + ** CREATE VIRTUAL TABLE xxx USING fts4aux(fts4-table); + ** CREATE VIRTUAL TABLE xxx USING fts4aux(fts4-table-db, fts4-table); + */ + if( argc!=4 && argc!=5 ) goto bad_args; zDb = argv[1]; nDb = (int)strlen(zDb); - zFts3 = argv[3]; + if( argc==5 ){ + if( nDb==4 && 0==sqlite3_strnicmp("temp", zDb, 4) ){ + zDb = argv[3]; + nDb = (int)strlen(zDb); + zFts3 = argv[4]; + }else{ + goto bad_args; + } + }else{ + zFts3 = argv[3]; + } nFts3 = (int)strlen(zFts3); rc = sqlite3_declare_vtab(db, FTS3_TERMS_SCHEMA); @@ -123151,6 +124762,10 @@ static int fts3auxConnectMethod( *ppVtab = (sqlite3_vtab *)p; return SQLITE_OK; + + bad_args: + *pzErr = sqlite3_mprintf("invalid arguments to fts4aux constructor"); + return SQLITE_ERROR; } /* @@ -124164,8 +125779,10 @@ static int fts3ExprParse( } pNot->eType = FTSQUERY_NOT; pNot->pRight = p; + p->pParent = pNot; if( pNotBranch ){ pNot->pLeft = pNotBranch; + pNotBranch->pParent = pNot; } pNotBranch = pNot; p = pPrev; @@ -124253,6 +125870,7 @@ static int fts3ExprParse( pIter = pIter->pLeft; } pIter->pLeft = pRet; + pRet->pParent = pIter; pRet = pNotBranch; } } 
@@ -124269,6 +125887,223 @@ exprparse_out: return rc; } +/* +** Return SQLITE_ERROR if the maximum depth of the expression tree passed +** as the only argument is more than nMaxDepth. +*/ +static int fts3ExprCheckDepth(Fts3Expr *p, int nMaxDepth){ + int rc = SQLITE_OK; + if( p ){ + if( nMaxDepth<0 ){ + rc = SQLITE_TOOBIG; + }else{ + rc = fts3ExprCheckDepth(p->pLeft, nMaxDepth-1); + if( rc==SQLITE_OK ){ + rc = fts3ExprCheckDepth(p->pRight, nMaxDepth-1); + } + } + } + return rc; +} + +/* +** This function attempts to transform the expression tree at (*pp) to +** an equivalent but more balanced form. The tree is modified in place. +** If successful, SQLITE_OK is returned and (*pp) set to point to the +** new root expression node. +** +** nMaxDepth is the maximum allowable depth of the balanced sub-tree. +** +** Otherwise, if an error occurs, an SQLite error code is returned and +** expression (*pp) freed. +*/ +static int fts3ExprBalance(Fts3Expr **pp, int nMaxDepth){ + int rc = SQLITE_OK; /* Return code */ + Fts3Expr *pRoot = *pp; /* Initial root node */ + Fts3Expr *pFree = 0; /* List of free nodes. Linked by pParent. */ + int eType = pRoot->eType; /* Type of node in this tree */ + + if( nMaxDepth==0 ){ + rc = SQLITE_ERROR; + } + + if( rc==SQLITE_OK && (eType==FTSQUERY_AND || eType==FTSQUERY_OR) ){ + Fts3Expr **apLeaf; + apLeaf = (Fts3Expr **)sqlite3_malloc(sizeof(Fts3Expr *) * nMaxDepth); + if( 0==apLeaf ){ + rc = SQLITE_NOMEM; + }else{ + memset(apLeaf, 0, sizeof(Fts3Expr *) * nMaxDepth); + } + + if( rc==SQLITE_OK ){ + int i; + Fts3Expr *p; + + /* Set $p to point to the left-most leaf in the tree of eType nodes. */ + for(p=pRoot; p->eType==eType; p=p->pLeft){ + assert( p->pParent==0 || p->pParent->pLeft==p ); + assert( p->pLeft && p->pRight ); + } + + /* This loop runs once for each leaf in the tree of eType nodes. 
*/ + while( 1 ){ + int iLvl; + Fts3Expr *pParent = p->pParent; /* Current parent of p */ + + assert( pParent==0 || pParent->pLeft==p ); + p->pParent = 0; + if( pParent ){ + pParent->pLeft = 0; + }else{ + pRoot = 0; + } + rc = fts3ExprBalance(&p, nMaxDepth-1); + if( rc!=SQLITE_OK ) break; + + for(iLvl=0; p && iLvlpLeft = apLeaf[iLvl]; + pFree->pRight = p; + pFree->pLeft->pParent = pFree; + pFree->pRight->pParent = pFree; + + p = pFree; + pFree = pFree->pParent; + p->pParent = 0; + apLeaf[iLvl] = 0; + } + } + if( p ){ + sqlite3Fts3ExprFree(p); + rc = SQLITE_TOOBIG; + break; + } + + /* If that was the last leaf node, break out of the loop */ + if( pParent==0 ) break; + + /* Set $p to point to the next leaf in the tree of eType nodes */ + for(p=pParent->pRight; p->eType==eType; p=p->pLeft); + + /* Remove pParent from the original tree. */ + assert( pParent->pParent==0 || pParent->pParent->pLeft==pParent ); + pParent->pRight->pParent = pParent->pParent; + if( pParent->pParent ){ + pParent->pParent->pLeft = pParent->pRight; + }else{ + assert( pParent==pRoot ); + pRoot = pParent->pRight; + } + + /* Link pParent into the free node list. It will be used as an + ** internal node of the new tree. */ + pParent->pParent = pFree; + pFree = pParent; + } + + if( rc==SQLITE_OK ){ + p = 0; + for(i=0; ipParent = 0; + }else{ + assert( pFree!=0 ); + pFree->pRight = p; + pFree->pLeft = apLeaf[i]; + pFree->pLeft->pParent = pFree; + pFree->pRight->pParent = pFree; + + p = pFree; + pFree = pFree->pParent; + p->pParent = 0; + } + } + } + pRoot = p; + }else{ + /* An error occurred. Delete the contents of the apLeaf[] array + ** and pFree list. Everything else is cleaned up by the call to + ** sqlite3Fts3ExprFree(pRoot) below. 
*/ + Fts3Expr *pDel; + for(i=0; ipParent; + sqlite3_free(pDel); + } + } + + assert( pFree==0 ); + sqlite3_free( apLeaf ); + } + } + + if( rc!=SQLITE_OK ){ + sqlite3Fts3ExprFree(pRoot); + pRoot = 0; + } + *pp = pRoot; + return rc; +} + +/* +** This function is similar to sqlite3Fts3ExprParse(), with the following +** differences: +** +** 1. It does not do expression rebalancing. +** 2. It does not check that the expression does not exceed the +** maximum allowable depth. +** 3. Even if it fails, *ppExpr may still be set to point to an +** expression tree. It should be deleted using sqlite3Fts3ExprFree() +** in this case. +*/ +static int fts3ExprParseUnbalanced( + sqlite3_tokenizer *pTokenizer, /* Tokenizer module */ + int iLangid, /* Language id for tokenizer */ + char **azCol, /* Array of column names for fts3 table */ + int bFts4, /* True to allow FTS4-only syntax */ + int nCol, /* Number of entries in azCol[] */ + int iDefaultCol, /* Default column to query */ + const char *z, int n, /* Text of MATCH query */ + Fts3Expr **ppExpr /* OUT: Parsed query structure */ +){ + int nParsed; + int rc; + ParseContext sParse; + + memset(&sParse, 0, sizeof(ParseContext)); + sParse.pTokenizer = pTokenizer; + sParse.iLangid = iLangid; + sParse.azCol = (const char **)azCol; + sParse.nCol = nCol; + sParse.iDefaultCol = iDefaultCol; + sParse.bFts4 = bFts4; + if( z==0 ){ + *ppExpr = 0; + return SQLITE_OK; + } + if( n<0 ){ + n = (int)strlen(z); + } + rc = fts3ExprParse(&sParse, z, n, ppExpr, &nParsed); + assert( rc==SQLITE_OK || *ppExpr==0 ); + + /* Check for mismatched parenthesis */ + if( rc==SQLITE_OK && sParse.nNest ){ + rc = SQLITE_ERROR; + } + + return rc; +} + /* ** Parameters z and n contain a pointer to and length of a buffer containing ** an fts3 query expression, respectively. This function attempts to parse the 
@@ -124301,49 +126136,74 @@ SQLITE_PRIVATE int sqlite3Fts3ExprParse( int nCol, /* Number of entries in azCol[] */ int iDefaultCol, /* Default column to query */ const char *z, int n, /* Text of MATCH query */ - Fts3Expr **ppExpr /* OUT: Parsed query structure */ + Fts3Expr **ppExpr, /* OUT: Parsed query structure */ + char **pzErr /* OUT: Error message (sqlite3_malloc) */ ){ - int nParsed; - int rc; - ParseContext sParse; - - memset(&sParse, 0, sizeof(ParseContext)); - sParse.pTokenizer = pTokenizer; - sParse.iLangid = iLangid; - sParse.azCol = (const char **)azCol; - sParse.nCol = nCol; - sParse.iDefaultCol = iDefaultCol; - sParse.bFts4 = bFts4; - if( z==0 ){ - *ppExpr = 0; - return SQLITE_OK; + static const int MAX_EXPR_DEPTH = 12; + int rc = fts3ExprParseUnbalanced( + pTokenizer, iLangid, azCol, bFts4, nCol, iDefaultCol, z, n, ppExpr + ); + + /* Rebalance the expression. And check that its depth does not exceed + ** MAX_EXPR_DEPTH. */ + if( rc==SQLITE_OK && *ppExpr ){ + rc = fts3ExprBalance(ppExpr, MAX_EXPR_DEPTH); + if( rc==SQLITE_OK ){ + rc = fts3ExprCheckDepth(*ppExpr, MAX_EXPR_DEPTH); + } } - if( n<0 ){ - n = (int)strlen(z); - } - rc = fts3ExprParse(&sParse, z, n, ppExpr, &nParsed); - /* Check for mismatched parenthesis */ - if( rc==SQLITE_OK && sParse.nNest ){ - rc = SQLITE_ERROR; + if( rc!=SQLITE_OK ){ sqlite3Fts3ExprFree(*ppExpr); *ppExpr = 0; + if( rc==SQLITE_TOOBIG ){ + *pzErr = sqlite3_mprintf( + "FTS expression tree is too large (maximum depth %d)", MAX_EXPR_DEPTH + ); + rc = SQLITE_ERROR; + }else if( rc==SQLITE_ERROR ){ + *pzErr = sqlite3_mprintf("malformed MATCH expression: [%s]", z); + } } return rc; } /* -** Free a parsed fts3 query expression allocated by sqlite3Fts3ExprParse(). +** Free a single node of an expression tree. 
*/ -SQLITE_PRIVATE void sqlite3Fts3ExprFree(Fts3Expr *p){ - if( p ){ - assert( p->eType==FTSQUERY_PHRASE || p->pPhrase==0 ); - sqlite3Fts3ExprFree(p->pLeft); - sqlite3Fts3ExprFree(p->pRight); - sqlite3Fts3EvalPhraseCleanup(p->pPhrase); - sqlite3_free(p->aMI); - sqlite3_free(p); +static void fts3FreeExprNode(Fts3Expr *p){ + assert( p->eType==FTSQUERY_PHRASE || p->pPhrase==0 ); + sqlite3Fts3EvalPhraseCleanup(p->pPhrase); + sqlite3_free(p->aMI); + sqlite3_free(p); +} + +/* +** Free a parsed fts3 query expression allocated by sqlite3Fts3ExprParse(). +** +** This function would be simpler if it recursively called itself. But +** that would mean passing a sufficiently large expression to ExprParse() +** could cause a stack overflow. +*/ +SQLITE_PRIVATE void sqlite3Fts3ExprFree(Fts3Expr *pDel){ + Fts3Expr *p; + assert( pDel==0 || pDel->pParent==0 ); + for(p=pDel; p && (p->pLeft||p->pRight); p=(p->pLeft ? p->pLeft : p->pRight)){ + assert( p->pParent==0 || p==p->pParent->pRight || p==p->pParent->pLeft ); + } + while( p ){ + Fts3Expr *pParent = p->pParent; + fts3FreeExprNode(p); + if( pParent && p==pParent->pLeft && pParent->pRight ){ + p = pParent->pRight; + while( p && (p->pLeft || p->pRight) ){ + assert( p==p->pParent->pRight || p==p->pParent->pLeft ); + p = (p->pLeft ? p->pLeft : p->pRight); + } + }else{ + p = pParent; + } } } @@ -124395,6 +126255,9 @@ static int queryTestTokenizer( ** the returned expression text and then freed using sqlite3_free(). */ static char *exprToString(Fts3Expr *pExpr, char *zBuf){ + if( pExpr==0 ){ + return sqlite3_mprintf(""); + } switch( pExpr->eType ){ case FTSQUERY_PHRASE: { Fts3Phrase *pPhrase = pExpr->pPhrase; 
@@ -124502,10 +126365,21 @@ static void fts3ExprTest( azCol[ii] = (char *)sqlite3_value_text(argv[ii+2]); } - rc = sqlite3Fts3ExprParse( - pTokenizer, 0, azCol, 0, nCol, nCol, zExpr, nExpr, &pExpr - ); + if( sqlite3_user_data(context) ){ + char *zDummy = 0; + rc = sqlite3Fts3ExprParse( + pTokenizer, 0, azCol, 0, nCol, nCol, zExpr, nExpr, &pExpr, &zDummy + ); + assert( rc==SQLITE_OK || pExpr==0 ); + sqlite3_free(zDummy); + }else{ + rc = fts3ExprParseUnbalanced( + pTokenizer, 0, azCol, 0, nCol, nCol, zExpr, nExpr, &pExpr + ); + } + if( rc!=SQLITE_OK && rc!=SQLITE_NOMEM ){ + sqlite3Fts3ExprFree(pExpr); sqlite3_result_error(context, "Error parsing expression", -1); }else if( rc==SQLITE_NOMEM || !(zBuf = exprToString(pExpr, 0)) ){ sqlite3_result_error_nomem(context); @@ -124528,9 +126402,15 @@ exprtest_out: ** with database connection db. */ SQLITE_PRIVATE int sqlite3Fts3ExprInitTestInterface(sqlite3* db){ - return sqlite3_create_function( + int rc = sqlite3_create_function( db, "fts3_exprtest", -1, SQLITE_UTF8, 0, fts3ExprTest, 0, 0 ); + if( rc==SQLITE_OK ){ + rc = sqlite3_create_function(db, "fts3_exprtest_rebalance", + -1, SQLITE_UTF8, (void *)1, fts3ExprTest, 0, 0 + ); + } + return rc; } #endif 
@@ -126293,6 +128173,462 @@ SQLITE_PRIVATE void sqlite3Fts3SimpleTokenizerModule( #endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_FTS3) */ /************** End of fts3_tokenizer1.c *************************************/ +/************** Begin file fts3_tokenize_vtab.c ******************************/ +/* +** 2013 Apr 22 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. +** +****************************************************************************** +** +** This file contains code for the "fts3tokenize" virtual table module. +** An fts3tokenize virtual table is created as follows: +** +** CREATE VIRTUAL TABLE USING fts3tokenize( +** , , ... +** ); +** +** The table created has the following schema: +** +** CREATE TABLE (input, token, start, end, position) +** +** When queried, the query must include a WHERE clause of type: +** +** input = +** +** The virtual table module tokenizes this , using the FTS3 +** tokenizer specified by the arguments to the CREATE VIRTUAL TABLE +** statement and returns one row for each token in the result. With +** fields set as follows: +** +** input: Always set to a copy of +** token: A token from the input. +** start: Byte offset of the token within the input . +** end: Byte offset of the byte immediately following the end of the +** token within the input string. +** pos: Token offset of token within input. +** +*/ +#if !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_FTS3) + +/* #include */ +/* #include */ + +typedef struct Fts3tokTable Fts3tokTable; +typedef struct Fts3tokCursor Fts3tokCursor; + +/* +** Virtual table structure. 
+*/ +struct Fts3tokTable { + sqlite3_vtab base; /* Base class used by SQLite core */ + const sqlite3_tokenizer_module *pMod; + sqlite3_tokenizer *pTok; +}; + +/* +** Virtual table cursor structure. +*/ +struct Fts3tokCursor { + sqlite3_vtab_cursor base; /* Base class used by SQLite core */ + char *zInput; /* Input string */ + sqlite3_tokenizer_cursor *pCsr; /* Cursor to iterate through zInput */ + int iRowid; /* Current 'rowid' value */ + const char *zToken; /* Current 'token' value */ + int nToken; /* Size of zToken in bytes */ + int iStart; /* Current 'start' value */ + int iEnd; /* Current 'end' value */ + int iPos; /* Current 'pos' value */ +}; + +/* +** Query FTS for the tokenizer implementation named zName. +*/ +static int fts3tokQueryTokenizer( + Fts3Hash *pHash, + const char *zName, + const sqlite3_tokenizer_module **pp, + char **pzErr +){ + sqlite3_tokenizer_module *p; + int nName = (int)strlen(zName); + + p = (sqlite3_tokenizer_module *)sqlite3Fts3HashFind(pHash, zName, nName+1); + if( !p ){ + *pzErr = sqlite3_mprintf("unknown tokenizer: %s", zName); + return SQLITE_ERROR; + } + + *pp = p; + return SQLITE_OK; +} + +/* +** The second argument, argv[], is an array of pointers to nul-terminated +** strings. This function makes a copy of the array and strings into a +** single block of memory. It then dequotes any of the strings that appear +** to be quoted. +** +** If successful, output parameter *pazDequote is set to point at the +** array of dequoted strings and SQLITE_OK is returned. The caller is +** responsible for eventually calling sqlite3_free() to free the array +** in this case. Or, if an error occurs, an SQLite error code is returned. +** The final value of *pazDequote is undefined in this case. 
+*/ +static int fts3tokDequoteArray( + int argc, /* Number of elements in argv[] */ + const char * const *argv, /* Input array */ + char ***pazDequote /* Output array */ +){ + int rc = SQLITE_OK; /* Return code */ + if( argc==0 ){ + *pazDequote = 0; + }else{ + int i; + int nByte = 0; + char **azDequote; + + for(i=0; ixCreate((nDequote>1 ? nDequote-1 : 0), azArg, &pTok); + } + + if( rc==SQLITE_OK ){ + pTab = (Fts3tokTable *)sqlite3_malloc(sizeof(Fts3tokTable)); + if( pTab==0 ){ + rc = SQLITE_NOMEM; + } + } + + if( rc==SQLITE_OK ){ + memset(pTab, 0, sizeof(Fts3tokTable)); + pTab->pMod = pMod; + pTab->pTok = pTok; + *ppVtab = &pTab->base; + }else{ + if( pTok ){ + pMod->xDestroy(pTok); + } + } + + sqlite3_free(azDequote); + return rc; +} + +/* +** This function does the work for both the xDisconnect and xDestroy methods. +** These tables have no persistent representation of their own, so xDisconnect +** and xDestroy are identical operations. +*/ +static int fts3tokDisconnectMethod(sqlite3_vtab *pVtab){ + Fts3tokTable *pTab = (Fts3tokTable *)pVtab; + + pTab->pMod->xDestroy(pTab->pTok); + sqlite3_free(pTab); + return SQLITE_OK; +} + +/* +** xBestIndex - Analyze a WHERE and ORDER BY clause. +*/ +static int fts3tokBestIndexMethod( + sqlite3_vtab *pVTab, + sqlite3_index_info *pInfo +){ + int i; + UNUSED_PARAMETER(pVTab); + + for(i=0; inConstraint; i++){ + if( pInfo->aConstraint[i].usable + && pInfo->aConstraint[i].iColumn==0 + && pInfo->aConstraint[i].op==SQLITE_INDEX_CONSTRAINT_EQ + ){ + pInfo->idxNum = 1; + pInfo->aConstraintUsage[i].argvIndex = 1; + pInfo->aConstraintUsage[i].omit = 1; + pInfo->estimatedCost = 1; + return SQLITE_OK; + } + } + + pInfo->idxNum = 0; + assert( pInfo->estimatedCost>1000000.0 ); + + return SQLITE_OK; +} + +/* +** xOpen - Open a cursor. 
+*/ +static int fts3tokOpenMethod(sqlite3_vtab *pVTab, sqlite3_vtab_cursor **ppCsr){ + Fts3tokCursor *pCsr; + UNUSED_PARAMETER(pVTab); + + pCsr = (Fts3tokCursor *)sqlite3_malloc(sizeof(Fts3tokCursor)); + if( pCsr==0 ){ + return SQLITE_NOMEM; + } + memset(pCsr, 0, sizeof(Fts3tokCursor)); + + *ppCsr = (sqlite3_vtab_cursor *)pCsr; + return SQLITE_OK; +} + +/* +** Reset the tokenizer cursor passed as the only argument. As if it had +** just been returned by fts3tokOpenMethod(). +*/ +static void fts3tokResetCursor(Fts3tokCursor *pCsr){ + if( pCsr->pCsr ){ + Fts3tokTable *pTab = (Fts3tokTable *)(pCsr->base.pVtab); + pTab->pMod->xClose(pCsr->pCsr); + pCsr->pCsr = 0; + } + sqlite3_free(pCsr->zInput); + pCsr->zInput = 0; + pCsr->zToken = 0; + pCsr->nToken = 0; + pCsr->iStart = 0; + pCsr->iEnd = 0; + pCsr->iPos = 0; + pCsr->iRowid = 0; +} + +/* +** xClose - Close a cursor. +*/ +static int fts3tokCloseMethod(sqlite3_vtab_cursor *pCursor){ + Fts3tokCursor *pCsr = (Fts3tokCursor *)pCursor; + + fts3tokResetCursor(pCsr); + sqlite3_free(pCsr); + return SQLITE_OK; +} + +/* +** xNext - Advance the cursor to the next row, if any. +*/ +static int fts3tokNextMethod(sqlite3_vtab_cursor *pCursor){ + Fts3tokCursor *pCsr = (Fts3tokCursor *)pCursor; + Fts3tokTable *pTab = (Fts3tokTable *)(pCursor->pVtab); + int rc; /* Return code */ + + pCsr->iRowid++; + rc = pTab->pMod->xNext(pCsr->pCsr, + &pCsr->zToken, &pCsr->nToken, + &pCsr->iStart, &pCsr->iEnd, &pCsr->iPos + ); + + if( rc!=SQLITE_OK ){ + fts3tokResetCursor(pCsr); + if( rc==SQLITE_DONE ) rc = SQLITE_OK; + } + + return rc; +} + +/* +** xFilter - Initialize a cursor to point at the start of its data. 
+*/ +static int fts3tokFilterMethod( + sqlite3_vtab_cursor *pCursor, /* The cursor used for this query */ + int idxNum, /* Strategy index */ + const char *idxStr, /* Unused */ + int nVal, /* Number of elements in apVal */ + sqlite3_value **apVal /* Arguments for the indexing scheme */ +){ + int rc = SQLITE_ERROR; + Fts3tokCursor *pCsr = (Fts3tokCursor *)pCursor; + Fts3tokTable *pTab = (Fts3tokTable *)(pCursor->pVtab); + UNUSED_PARAMETER(idxStr); + UNUSED_PARAMETER(nVal); + + fts3tokResetCursor(pCsr); + if( idxNum==1 ){ + const char *zByte = (const char *)sqlite3_value_text(apVal[0]); + int nByte = sqlite3_value_bytes(apVal[0]); + pCsr->zInput = sqlite3_malloc(nByte+1); + if( pCsr->zInput==0 ){ + rc = SQLITE_NOMEM; + }else{ + memcpy(pCsr->zInput, zByte, nByte); + pCsr->zInput[nByte] = 0; + rc = pTab->pMod->xOpen(pTab->pTok, pCsr->zInput, nByte, &pCsr->pCsr); + if( rc==SQLITE_OK ){ + pCsr->pCsr->pTokenizer = pTab->pTok; + } + } + } + + if( rc!=SQLITE_OK ) return rc; + return fts3tokNextMethod(pCursor); +} + +/* +** xEof - Return true if the cursor is at EOF, or false otherwise. +*/ +static int fts3tokEofMethod(sqlite3_vtab_cursor *pCursor){ + Fts3tokCursor *pCsr = (Fts3tokCursor *)pCursor; + return (pCsr->zToken==0); +} + +/* +** xColumn - Return a column value. 
+*/ +static int fts3tokColumnMethod( + sqlite3_vtab_cursor *pCursor, /* Cursor to retrieve value from */ + sqlite3_context *pCtx, /* Context for sqlite3_result_xxx() calls */ + int iCol /* Index of column to read value from */ +){ + Fts3tokCursor *pCsr = (Fts3tokCursor *)pCursor; + + /* CREATE TABLE x(input, token, start, end, position) */ + switch( iCol ){ + case 0: + sqlite3_result_text(pCtx, pCsr->zInput, -1, SQLITE_TRANSIENT); + break; + case 1: + sqlite3_result_text(pCtx, pCsr->zToken, pCsr->nToken, SQLITE_TRANSIENT); + break; + case 2: + sqlite3_result_int(pCtx, pCsr->iStart); + break; + case 3: + sqlite3_result_int(pCtx, pCsr->iEnd); + break; + default: + assert( iCol==4 ); + sqlite3_result_int(pCtx, pCsr->iPos); + break; + } + return SQLITE_OK; +} + +/* +** xRowid - Return the current rowid for the cursor. +*/ +static int fts3tokRowidMethod( + sqlite3_vtab_cursor *pCursor, /* Cursor to retrieve value from */ + sqlite_int64 *pRowid /* OUT: Rowid value */ +){ + Fts3tokCursor *pCsr = (Fts3tokCursor *)pCursor; + *pRowid = (sqlite3_int64)pCsr->iRowid; + return SQLITE_OK; +} + +/* +** Register the fts3tok module with database connection db. Return SQLITE_OK +** if successful or an error code if sqlite3_create_module() fails. 
+*/ +SQLITE_PRIVATE int sqlite3Fts3InitTok(sqlite3 *db, Fts3Hash *pHash){ + static const sqlite3_module fts3tok_module = { + 0, /* iVersion */ + fts3tokConnectMethod, /* xCreate */ + fts3tokConnectMethod, /* xConnect */ + fts3tokBestIndexMethod, /* xBestIndex */ + fts3tokDisconnectMethod, /* xDisconnect */ + fts3tokDisconnectMethod, /* xDestroy */ + fts3tokOpenMethod, /* xOpen */ + fts3tokCloseMethod, /* xClose */ + fts3tokFilterMethod, /* xFilter */ + fts3tokNextMethod, /* xNext */ + fts3tokEofMethod, /* xEof */ + fts3tokColumnMethod, /* xColumn */ + fts3tokRowidMethod, /* xRowid */ + 0, /* xUpdate */ + 0, /* xBegin */ + 0, /* xSync */ + 0, /* xCommit */ + 0, /* xRollback */ + 0, /* xFindFunction */ + 0, /* xRename */ + 0, /* xSavepoint */ + 0, /* xRelease */ + 0 /* xRollbackTo */ + }; + int rc; /* Return code */ + + rc = sqlite3_create_module(db, "fts3tokenize", &fts3tok_module, (void*)pHash); + return rc; +} + +#endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_FTS3) */ + +/************** End of fts3_tokenize_vtab.c **********************************/ /************** Begin file fts3_write.c **************************************/ /* ** 2009 Oct 23 diff --git a/src/3rdparty/sqlite3.h b/src/3rdparty/sqlite3.h index 69b4586a3f..e398838287 100644 --- a/src/3rdparty/sqlite3.h +++ b/src/3rdparty/sqlite3.h @@ -107,9 +107,9 @@ extern "C" { ** [sqlite3_libversion_number()], [sqlite3_sourceid()], ** [sqlite_version()] and [sqlite_source_id()]. */ -#define SQLITE_VERSION "3.7.16.2" -#define SQLITE_VERSION_NUMBER 3007016 -#define SQLITE_SOURCE_ID "2013-04-12 11:52:43 cbea02d93865ce0e06789db95fd9168ebac970c7" +#define SQLITE_VERSION "3.7.17" +#define SQLITE_VERSION_NUMBER 3007017 +#define SQLITE_SOURCE_ID "2013-05-20 00:56:22 118a3b35693b134d56ebd780123b7fd6f1497668" /* ** CAPI3REF: Run-Time Library Version Numbers 
@@ -425,6 +425,8 @@ SQLITE_API int sqlite3_exec( #define SQLITE_FORMAT 24 /* Auxiliary database format error */ #define SQLITE_RANGE 25 /* 2nd parameter to sqlite3_bind out of range */ #define SQLITE_NOTADB 26 /* File opened that is not a database file */ +#define SQLITE_NOTICE 27 /* Notifications from sqlite3_log() */ +#define SQLITE_WARNING 28 /* Warnings from sqlite3_log() */ #define SQLITE_ROW 100 /* sqlite3_step() has another row ready */ #define SQLITE_DONE 101 /* sqlite3_step() has finished executing */ /* end-of-error-codes */ @@ -475,6 +477,7 @@ SQLITE_API int sqlite3_exec( #define SQLITE_IOERR_SHMMAP (SQLITE_IOERR | (21<<8)) #define SQLITE_IOERR_SEEK (SQLITE_IOERR | (22<<8)) #define SQLITE_IOERR_DELETE_NOENT (SQLITE_IOERR | (23<<8)) +#define SQLITE_IOERR_MMAP (SQLITE_IOERR | (24<<8)) #define SQLITE_LOCKED_SHAREDCACHE (SQLITE_LOCKED | (1<<8)) #define SQLITE_BUSY_RECOVERY (SQLITE_BUSY | (1<<8)) #define SQLITE_CANTOPEN_NOTEMPDIR (SQLITE_CANTOPEN | (1<<8)) @@ -494,6 +497,8 @@ SQLITE_API int sqlite3_exec( #define SQLITE_CONSTRAINT_TRIGGER (SQLITE_CONSTRAINT | (7<<8)) #define SQLITE_CONSTRAINT_UNIQUE (SQLITE_CONSTRAINT | (8<<8)) #define SQLITE_CONSTRAINT_VTAB (SQLITE_CONSTRAINT | (9<<8)) +#define SQLITE_NOTICE_RECOVER_WAL (SQLITE_NOTICE | (1<<8)) +#define SQLITE_NOTICE_RECOVER_ROLLBACK (SQLITE_NOTICE | (2<<8)) /* ** CAPI3REF: Flags For File Open Operations @@ -733,6 +738,9 @@ struct sqlite3_io_methods { void (*xShmBarrier)(sqlite3_file*); int (*xShmUnmap)(sqlite3_file*, int deleteFlag); /* Methods above are valid for version 2 */ + int (*xFetch)(sqlite3_file*, sqlite3_int64 iOfst, int iAmt, void **pp); + int (*xUnfetch)(sqlite3_file*, sqlite3_int64 iOfst, void *p); + /* Methods above are valid for version 3 */ /* Additional methods may be added in future releases */ }; @@ -869,7 +877,8 @@ struct sqlite3_io_methods { ** it is able to override built-in [PRAGMA] statements. ** **
  • [[SQLITE_FCNTL_BUSYHANDLER]] -** ^This file-control may be invoked by SQLite on the database file handle +** ^The [SQLITE_FCNTL_BUSYHANDLER] +** file-control may be invoked by SQLite on the database file handle ** shortly after it is opened in order to provide a custom VFS with access ** to the connections busy-handler callback. The argument is of type (void **) ** - an array of two (void *) values. The first (void *) actually points @@ -880,13 +889,24 @@ struct sqlite3_io_methods { ** current operation. ** **
  • [[SQLITE_FCNTL_TEMPFILENAME]] -** ^Application can invoke this file-control to have SQLite generate a +** ^Application can invoke the [SQLITE_FCNTL_TEMPFILENAME] file-control +** to have SQLite generate a ** temporary filename using the same algorithm that is followed to generate ** temporary filenames for TEMP tables and other internal uses. The ** argument should be a char** which will be filled with the filename ** written into memory obtained from [sqlite3_malloc()]. The caller should ** invoke [sqlite3_free()] on the result to avoid a memory leak. ** +**
  • [[SQLITE_FCNTL_MMAP_SIZE]] +** The [SQLITE_FCNTL_MMAP_SIZE] file control is used to query or set the +** maximum number of bytes that will be used for memory-mapped I/O. +** The argument is a pointer to a value of type sqlite3_int64 that +** is an advisory maximum number of bytes in the file to memory map. The +** pointer is overwritten with the old value. The limit is not changed if +** the value originally pointed to is negative, and so the current limit +** can be queried by passing in a pointer to a negative number. This +** file-control is used internally to implement [PRAGMA mmap_size]. +** ** */ #define SQLITE_FCNTL_LOCKSTATE 1 @@ -905,6 +925,7 @@ struct sqlite3_io_methods { #define SQLITE_FCNTL_PRAGMA 14 #define SQLITE_FCNTL_BUSYHANDLER 15 #define SQLITE_FCNTL_TEMPFILENAME 16 +#define SQLITE_FCNTL_MMAP_SIZE 18 /* ** CAPI3REF: Mutex Handle @@ -1571,7 +1592,9 @@ struct sqlite3_mem_methods { ** page cache implementation into that object.)^
  • ** ** [[SQLITE_CONFIG_LOG]]
    SQLITE_CONFIG_LOG
    -**
    ^The SQLITE_CONFIG_LOG option takes two arguments: a pointer to a +**
    The SQLITE_CONFIG_LOG option is used to configure the SQLite +** global [error log]. +** (^The SQLITE_CONFIG_LOG option takes two arguments: a pointer to a ** function with a call signature of void(*)(void*,int,const char*), ** and a pointer to void. ^If the function pointer is not NULL, it is ** invoked by [sqlite3_log()] to process each logging event. ^If the @@ -1617,12 +1640,12 @@ struct sqlite3_mem_methods { **
    SQLITE_CONFIG_PCACHE and SQLITE_CONFIG_GETPCACHE **
    These options are obsolete and should not be used by new code. ** They are retained for backwards compatibility but are now no-ops. -** +**
    ** ** [[SQLITE_CONFIG_SQLLOG]] **
    SQLITE_CONFIG_SQLLOG **
    This option is only available if sqlite is compiled with the -** SQLITE_ENABLE_SQLLOG pre-processor macro defined. The first argument should +** [SQLITE_ENABLE_SQLLOG] pre-processor macro defined. The first argument should ** be a pointer to a function of type void(*)(void*,sqlite3*,const char*, int). ** The second should be of type (void*). The callback is invoked by the library ** in three separate circumstances, identified by the value passed as the @@ -1632,7 +1655,23 @@ struct sqlite3_mem_methods { ** fourth parameter is 1, then the SQL statement that the third parameter ** points to has just been executed. Or, if the fourth parameter is 2, then ** the connection being passed as the second parameter is being closed. The -** third parameter is passed NULL In this case. +** third parameter is passed NULL In this case. An example of using this +** configuration option can be seen in the "test_sqllog.c" source file in +** the canonical SQLite source tree.
    +** +** [[SQLITE_CONFIG_MMAP_SIZE]] +**
    SQLITE_CONFIG_MMAP_SIZE +**
    SQLITE_CONFIG_MMAP_SIZE takes two 64-bit integer (sqlite3_int64) values +** that are the default mmap size limit (the default setting for +** [PRAGMA mmap_size]) and the maximum allowed mmap size limit. +** The default setting can be overridden by each database connection using +** either the [PRAGMA mmap_size] command, or by using the +** [SQLITE_FCNTL_MMAP_SIZE] file control. The maximum allowed mmap size +** cannot be changed at run-time. Nor may the maximum allowed mmap size +** exceed the compile-time maximum mmap size set by the +** [SQLITE_MAX_MMAP_SIZE] compile-time option. +** If either argument to this option is negative, then that argument is +** changed to its compile-time default. ** */ #define SQLITE_CONFIG_SINGLETHREAD 1 /* nil */ @@ -1656,6 +1695,7 @@ struct sqlite3_mem_methods { #define SQLITE_CONFIG_GETPCACHE2 19 /* sqlite3_pcache_methods2* */ #define SQLITE_CONFIG_COVERING_INDEX_SCAN 20 /* int */ #define SQLITE_CONFIG_SQLLOG 21 /* xSqllog, void* */ +#define SQLITE_CONFIG_MMAP_SIZE 22 /* sqlite3_int64, sqlite3_int64 */ /* ** CAPI3REF: Database Connection Configuration Options @@ -2489,6 +2529,9 @@ SQLITE_API int sqlite3_set_authorizer( ** as each triggered subprogram is entered. The callbacks for triggers ** contain a UTF-8 SQL comment that identifies the trigger.)^ ** +** The [SQLITE_TRACE_SIZE_LIMIT] compile-time option can be used to limit +** the length of [bound parameter] expansion in the output of sqlite3_trace(). +** ** ^The callback function registered by sqlite3_profile() is invoked ** as each SQL statement finishes. ^The profile callback contains ** the original statement text and an estimate of wall-clock time @@ -3027,7 +3070,8 @@ SQLITE_API int sqlite3_limit(sqlite3*, int id, int newVal); **
  • ** ^If the database schema changes, instead of returning [SQLITE_SCHEMA] as it ** always used to do, [sqlite3_step()] will automatically recompile the SQL -** statement and try to run it again. +** statement and try to run it again. As many as [SQLITE_MAX_SCHEMA_RETRY] +** retries will occur before sqlite3_step() gives up and returns an error. **
  • ** **
  • @@ -3231,6 +3275,9 @@ typedef struct sqlite3_context sqlite3_context; ** parameter [SQLITE_LIMIT_VARIABLE_NUMBER] (default value: 999). ** ** ^The third argument is the value to bind to the parameter. +** ^If the third parameter to sqlite3_bind_text() or sqlite3_bind_text16() +** or sqlite3_bind_blob() is a NULL pointer then the fourth parameter +** is ignored and the end result is the same as sqlite3_bind_null(). ** ** ^(In those routines that have a fourth argument, its value is the ** number of bytes in the parameter. To be clear: the value is the @@ -4187,7 +4234,7 @@ SQLITE_API void sqlite3_set_auxdata(sqlite3_context*, int N, void*, void (*)(voi ** the content before returning. ** ** The typedef is necessary to work around problems in certain -** C++ compilers. See ticket #2191. +** C++ compilers. */ typedef void (*sqlite3_destructor_type)(void*); #define SQLITE_STATIC ((sqlite3_destructor_type)0) 
@@ -4986,11 +5033,20 @@ SQLITE_API int sqlite3_table_column_metadata( ** ^This interface loads an SQLite extension library from the named file. ** ** ^The sqlite3_load_extension() interface attempts to load an -** SQLite extension library contained in the file zFile. +** [SQLite extension] library contained in the file zFile. If +** the file cannot be loaded directly, attempts are made to load +** with various operating-system specific extensions added. +** So for example, if "samplelib" cannot be loaded, then names like +** "samplelib.so" or "samplelib.dylib" or "samplelib.dll" might +** be tried also. ** ** ^The entry point is zProc. -** ^zProc may be 0, in which case the name of the entry point -** defaults to "sqlite3_extension_init". +** ^(zProc may be 0, in which case SQLite will try to come up with an +** entry point name on its own. It first tries "sqlite3_extension_init". +** If that does not work, it constructs a name "sqlite3_X_init" where the +** X is consists of the lower-case equivalent of all ASCII alphabetic +** characters in the filename from the last "/" to the first following +** "." and omitting any initial "lib".)^ ** ^The sqlite3_load_extension() interface returns ** [SQLITE_OK] on success and [SQLITE_ERROR] if something goes wrong. ** ^If an error occurs and pzErrMsg is not 0, then the 
@@ -5016,11 +5072,11 @@ SQLITE_API int sqlite3_load_extension( ** CAPI3REF: Enable Or Disable Extension Loading ** ** ^So as not to open security holes in older applications that are -** unprepared to deal with extension loading, and as a means of disabling -** extension loading while evaluating user-entered SQL, the following API +** unprepared to deal with [extension loading], and as a means of disabling +** [extension loading] while evaluating user-entered SQL, the following API ** is provided to turn the [sqlite3_load_extension()] mechanism on and off. ** -** ^Extension loading is off by default. See ticket #1863. +** ^Extension loading is off by default. ** ^Call the sqlite3_enable_load_extension() routine with onoff==1 ** to turn extension loading on and call it with onoff==0 to turn ** it back off again. @@ -5032,7 +5088,7 @@ SQLITE_API int sqlite3_enable_load_extension(sqlite3 *db, int onoff); ** ** ^This interface causes the xEntryPoint() function to be invoked for ** each new [database connection] that is created. The idea here is that -** xEntryPoint() is the entry point for a statically linked SQLite extension +** xEntryPoint() is the entry point for a statically linked [SQLite extension] ** that is to be automatically loaded into all new database connections. ** ** ^(Even though the function prototype shows that xEntryPoint() takes 
@@ -6812,10 +6868,25 @@ SQLITE_API int sqlite3_unlock_notify( SQLITE_API int sqlite3_stricmp(const char *, const char *); SQLITE_API int sqlite3_strnicmp(const char *, const char *, int); +/* +** CAPI3REF: String Globbing +* +** ^The [sqlite3_strglob(P,X)] interface returns zero if string X matches +** the glob pattern P, and it returns non-zero if string X does not match +** the glob pattern P. ^The definition of glob pattern matching used in +** [sqlite3_strglob(P,X)] is the same as for the "X GLOB P" operator in the +** SQL dialect used by SQLite. ^The sqlite3_strglob(P,X) function is case +** sensitive. +** +** Note that this routine returns zero on a match and non-zero if the strings +** do not match, the same as [sqlite3_stricmp()] and [sqlite3_strnicmp()]. +*/ +SQLITE_API int sqlite3_strglob(const char *zGlob, const char *zStr); + /* ** CAPI3REF: Error Logging Interface ** -** ^The [sqlite3_log()] interface writes a message into the error log +** ^The [sqlite3_log()] interface writes a message into the [error log] ** established by the [SQLITE_CONFIG_LOG] option to [sqlite3_config()]. ** ^If logging is enabled, the zFormat string and subsequent arguments are ** used with [sqlite3_snprintf()] to generate the final output string. From 23b58d62d29ccb2a349deb3cf1299dac9d29fa47 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 3 Jul 2013 17:24:11 -0700 Subject: [PATCH 155/200] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index cf7a1ca56f..017e773244 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit cf7a1ca56f2b20f777542d912de0a9c8fdb0655d +Subproject commit 017e7732446b36af935c26834394b51829335e7c From ca6d2bb6bce8a2c01d4258c16498f5de471e9455 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Thu, 4 Jul 2013 22:32:07 -0400 Subject: [PATCH 156/200] Add a call to lookup_connection in SSH scripts to update connval. --- CHANGES | 6 ++++++ VERSION | 2 +- scripts/base/protocols/ssh/main.bro | 3 ++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index b8908bb9b6..4685ece5bb 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.1-784 | 2013-07-04 22:28:48 -0400 + + * Add a call to lookup_connection in SSH scripts to update connval. (Seth Hall) + + * Updating submodule(s). (Robin Sommer) + 2.1-782 | 2013-07-03 17:00:39 -0700 * Remove the SSL log queueing mechanism that was included with the diff --git a/VERSION b/VERSION index 2b31013a2c..f1aa1a9e8e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-782 +2.1-784 diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index 8e1c5515b5..ddd3e8b834 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -118,7 +118,7 @@ function check_ssh_connection(c: connection, done: bool) # Responder must have sent fewer than 40 packets. c$resp$num_pkts < 40 && # If there was a content gap we can't reliably do this heuristic. - c?$conn && c$conn$missed_bytes == 0)# && + c?$conn && c$conn$missed_bytes == 0 )# && # Only "normal" connections can count. #c$conn?$conn_state && c$conn$conn_state in valid_states ) { @@ -178,6 +178,7 @@ event ssh_watcher(c: connection) if ( ! connection_exists(id) ) return; + lookup_connection(c$id); check_ssh_connection(c, F); if ( ! c$ssh$done ) schedule +15secs { ssh_watcher(c) }; From 4149724f5978c82750ca5b9e47dd2f7785a406f6 Mon Sep 17 00:00:00 2001 
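Review bot: The added `lookup_connection(c$id);` in `ssh_watcher` discards its return value, so it reads as a dead call; the commit message says it is there to refresh the connection value, but nothing at the call site says so, and the fields `check_ssh_connection` reads on the very next line (the `c$resp$num_pkts < 40` test in the earlier hunk) are presumably what is being refreshed. Add a comment making the side effect explicit, e.g. `# Refresh c's cached fields (e.g. c$resp$num_pkts) before check_ssh_connection() runs its packet-count heuristic.` The guard two lines above tests `connection_exists(id)` while the new line passes `c$id`; using the same name in both makes it obvious they refer to the same connection. The closing brace of ssh_watcher is outside the hunk.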
From: Seth Hall Date: Fri, 5 Jul 2013 01:12:22 -0400 Subject: [PATCH 157/200] Updates for the PacketFilter framework to simplify it. --- scripts/base/frameworks/analyzer/main.bro | 40 ++++++++++++- .../frameworks/packet-filter/__load__.bro | 1 - .../base/frameworks/packet-filter/main.bro | 25 ++++---- .../base/frameworks/protocols/__load__.bro | 1 - scripts/base/frameworks/protocols/main.bro | 59 ------------------- scripts/base/protocols/dns/main.bro | 8 --- scripts/base/protocols/ftp/main.bro | 9 +-- scripts/base/protocols/http/main.bro | 7 --- scripts/base/protocols/irc/main.bro | 7 --- scripts/base/protocols/modbus/main.bro | 3 - scripts/base/protocols/smtp/main.bro | 3 - scripts/base/protocols/socks/main.bro | 4 -- scripts/base/protocols/ssh/main.bro | 10 +--- scripts/base/protocols/ssl/main.bro | 20 +------ scripts/base/protocols/syslog/main.bro | 8 +-- .../frameworks/packet-filter/shunt.bro | 3 +- 16 files changed, 64 insertions(+), 144 deletions(-) delete mode 100644 scripts/base/frameworks/protocols/__load__.bro delete mode 100644 scripts/base/frameworks/protocols/main.bro rename scripts/{base => policy}/frameworks/packet-filter/shunt.bro (99%) diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index c7bfd1ce34..e6c98dec5b 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro @@ -10,6 +10,8 @@ ##! the analyzers themselves, and documented in their analyzer-specific ##! description along with the events that they generate. +@load base/frameworks/packet-filter/utils + module Analyzer; export { 
@@ -96,7 +98,21 @@ export { ## ## Returns: True if succesful. global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port, - analyzer: Analyzer::Tag, tout: interval) : bool; + analyzer: Analyzer::Tag, tout: interval) : bool; + + ## Automatically creates a BPF filter for the specified protocol based + ## on the data supplied for the protocol through the + ## :bro:see:`Analyzer::register_for_ports` function. + ## + ## tag: The analyzer tag. + ## + ## Returns: BPF filter string. + global analyzer_to_bpf: function(tag: Analyzer::Tag): string; + + ## Create a BPF filter which matches all of the ports defined + ## by the various protocol analysis scripts as "registered ports" + ## for the protocol. + global get_bpf: function(): string; ## A set of analyzers to disable by default at startup. The default set ## contains legacy analyzers that are no longer supported. @@ -177,3 +193,25 @@ function schedule_analyzer(orig: addr, resp: addr, resp_p: port, return __schedule_analyzer(orig, resp, resp_p, analyzer, tout); } +function analyzer_to_bpf(tag: Analyzer::Tag): string + { + # Return an empty string if an undefined analyzer was given. + if ( tag !in ports ) + return ""; + + local output = ""; + for ( p in ports[tag] ) + output = PacketFilter::combine_filters(output, "or", PacketFilter::port_to_bpf(p)); + return output; + } + +function get_bpf(): string + { + local output = ""; + for ( tag in ports ) + { + output = PacketFilter::combine_filters(output, "or", analyzer_to_bpf(tag)); + } + return output; + } + diff --git a/scripts/base/frameworks/packet-filter/__load__.bro b/scripts/base/frameworks/packet-filter/__load__.bro index 45c2488c00..011885e8b7 100644 --- a/scripts/base/frameworks/packet-filter/__load__.bro +++ b/scripts/base/frameworks/packet-filter/__load__.bro @@ -1,4 +1,3 @@ @load ./utils @load ./main -@load ./shunt @load ./netstats 
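Review bot: `get_bpf()` documents what it matches but not when its result is complete: it only sees ports that have already been passed to `Analyzer::register_for_ports`, and the protocol scripts do that from `bro_init` handlers at `&priority=5` (see the ftp hunk later in this patch), so a caller that builds the capture filter from `bro_init` at the same or a higher priority would miss those ports without any error. Add to the `get_bpf` doc block: `## Only ports registered via Analyzer::register_for_ports before the call are included; build the capture filter at a lower bro_init priority than the protocol scripts' registrations.` Both new functions also fold empty strings through `PacketFilter::combine_filters(output, "or", "")` when an analyzer has no ports or `output` is still empty; `combine_filters` is not in this patch, so this presumes it treats an empty operand as absent, which the regenerated baseline later in the series suggests it does.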
diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro index c5a0677add..b4885a19f2 100644 --- a/scripts/base/frameworks/packet-filter/main.bro +++ b/scripts/base/frameworks/packet-filter/main.bro @@ -5,7 +5,7 @@ ##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables. @load base/frameworks/notice -@load base/frameworks/protocols +@load base/frameworks/analyzer @load ./utils module PacketFilter; @@ -64,13 +64,13 @@ export { ## The maximum amount of time that you'd like to allow for BPF filters to compile. ## If this time is exceeded, compensation measures may be taken by the framework ## to reduce the filter size. This threshold being crossed also results in - ## the :bro:enum:`PacketFilter::Too_Long_To_Compile_Filter` notice. + ## the :bro:see:`PacketFilter::Too_Long_To_Compile_Filter` notice. const max_filter_compile_time = 100msec &redef; ## Install a BPF filter to exclude some traffic. The filter should positively ## match what is to be excluded, it will be wrapped in a "not". ## - ## filter_id: A somewhat arbitrary string that can be used to identify + ## filter_id: An arbitrary string that can be used to identify ## the filter. ## ## filter: A BPF expression of traffic that should be excluded. @@ -83,7 +83,7 @@ export { ## the BPF filter. The filter should match the traffic you don't want ## to see (it will be wrapped in a "not" condition). ## - ## filter_id: A somewhat arbitrary string that can be used to identify + ## filter_id: An arbitrary string that can be used to identify ## the filter. ## ## filter: A BPF expression of traffic that should be excluded. 
@@ -119,11 +119,8 @@ export { global dynamic_restrict_filters: table[string] of string = {}; -# Set the default capture filter. -redef capture_filters += { ["default"] = default_capture_filter }; - -# Track if a filter is currenlty building so functions that would ultimately -# install a filter immediately can still be used buy they won't try to build or +# Track if a filter is currently building so functions that would ultimately +# install a filter immediately can still be used but they won't try to build or # install the filter. global currently_building = F; @@ -239,7 +236,7 @@ function build(): string cfilter = combine_filters(cfilter, "or", capture_filters[id]); if ( enable_auto_protocol_capture_filters ) - cfilter = combine_filters(cfilter, "or", Protocols::to_bpf()); + cfilter = combine_filters(cfilter, "or", Analyzer::get_bpf()); # Apply the restriction filters. local rfilter = ""; @@ -269,6 +266,10 @@ function install(): bool local tmp_filter = build(); + # No need to proceed if the filter hasn't changed. + if ( tmp_filter == current_filter ) + return F; + local ts = current_time(); if ( ! precompile_pcap_filter(DefaultPcapFilter, tmp_filter) ) { @@ -283,8 +284,8 @@ function install(): bool local diff = current_time()-ts; if ( diff > max_filter_compile_time ) NOTICE([$note=Too_Long_To_Compile_Filter, - $msg=fmt("A BPF filter is taking longer than %0.6f seconds to compile", diff)]); - + $msg=fmt("A BPF filter is taking longer than %0.1f seconds to compile", diff)]); + # Set it to the current filter if it passed precompiling current_filter = tmp_filter; diff --git a/scripts/base/frameworks/protocols/__load__.bro b/scripts/base/frameworks/protocols/__load__.bro deleted file mode 100644 index d551be57d3..0000000000 --- a/scripts/base/frameworks/protocols/__load__.bro +++ /dev/null @@ -1 +0,0 @@ -@load ./main \ No newline at end of file 
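Review bot: The new early return in `install()`, `if ( tmp_filter == current_filter ) return F;`, makes "filter unchanged" indistinguishable from "precompile failed" for any caller that checks the result, since the `precompile_pcap_filter` failure branch that begins at the end of this hunk presumably returns F as well. Either return T here (the wanted filter is already in place) or state the convention in the function's doc comment, which is outside this hunk, e.g. `## Returns: T if a new filter was installed; F if the filter was unchanged or failed to compile.`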
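Review bot: `%0.1f` is too coarse for the value it prints: `max_filter_compile_time` is 100msec (in the earlier hunk of this file), so a compile that takes 0.14s is reported as "0.1 seconds", which reads as equal to the threshold itself. `%0.3f` keeps millisecond resolution while staying readable: `$msg=fmt("A BPF filter is taking longer than %0.3f seconds to compile", diff)]);`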
diff --git a/scripts/base/frameworks/protocols/main.bro b/scripts/base/frameworks/protocols/main.bro deleted file mode 100644 index 43ea3b49f8..0000000000 --- a/scripts/base/frameworks/protocols/main.bro +++ /dev/null @@ -1,59 +0,0 @@ - -@load base/frameworks/packet-filter/utils - -module Protocols; - -export { - - const common_ports: table[string] of set[port] = {} &redef; - - ## Automatically creates a BPF filter for the specified protocol based - ## on the data supplied for the protocol in the :bro:id:`common_ports` - ## variable. - ## - ## protocol: A string representation for a protocol, e.g. "HTTP" - ## - ## Returns: BPF filter string. - global protocol_to_bpf: function(protocol: string): string; - - ## Create a BPF filter which matches all of the ports defined - ## by the various protocol analysis scripts as "common ports" - ## for the protocol. - global to_bpf: function(): string; - - ## Maps between human readable protocol identifiers (like "HTTP") - ## and the internal Bro representation for an analyzer (like ANALYZER_HTTP). - ## This is typically fully populated by the base protocol analyzer scripts. - const analyzer_map: table[string] of set[AnalyzerTag] = {} &redef; -} - -event bro_init() &priority=10 - { - for ( proto in common_ports ) - { - for ( p in common_ports[proto] ) - dpd_analyzer_ports[p] = analyzer_map[proto]; - for ( a in analyzer_map[proto] ) - dpd_config[a] = [$ports=common_ports[proto]]; - } - } - -function protocol_to_bpf(protocol: string): string - { - # Return an empty string if an undefined protocol was given. - if ( protocol !in common_ports ) - return ""; - - local output = ""; - for ( one_port in common_ports[protocol] ) - output = PacketFilter::combine_filters(output, "or", PacketFilter::port_to_bpf(one_port)); - return output; - } - -function to_bpf(): string - { - local output = ""; - for ( p in common_ports ) - output = PacketFilter::combine_filters(output, "or", protocol_to_bpf(p)); - return output; - } 
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 15da9aa7b7..ea3ec016de 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -122,14 +122,6 @@ redef record connection += { dns_state: State &optional; }; -# DPD configuration. -redef capture_filters += { - ["dns"] = "port 53", - ["mdns"] = "udp and port 5353", - ["llmns"] = "udp and port 5355", - ["netbios-ns"] = "udp port 137", -}; - const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; redef likely_server_ports += { ports }; diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index e524c32c4b..448eccd454 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -111,21 +111,18 @@ redef record connection += { ftp_data_reuse: bool &default=F; }; -# Configure DPD -redef capture_filters += { ["ftp"] = "port 21 and port 2811" }; - const ports = { 21/tcp, 2811/tcp }; redef likely_server_ports += { ports }; -# Establish the variable for tracking expected connections. -global ftp_data_expected: table[addr, port] of Info &read_expire=5mins; - event bro_init() &priority=5 { Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]); Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports); } +# Establish the variable for tracking expected connections. +global ftp_data_expected: table[addr, port] of Info &read_expire=5mins; + ## A set of commands where the argument can be expected to refer ## to a file or directory. const file_cmds = { diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 1c9c1cad2d..6d06376183 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro 
@@ -123,19 +123,12 @@ redef record connection += { http_state: State &optional; }; -# DPD configuration. -redef capture_filters += { - ["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)" -}; - const ports = { 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp, 8000/tcp, 8080/tcp, 8888/tcp, }; - redef likely_server_ports += { ports }; - # Initialize the HTTP logging stream and ports. event bro_init() &priority=5 { diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.bro index 490c39f54f..a57fc95448 100644 --- a/scripts/base/protocols/irc/main.bro +++ b/scripts/base/protocols/irc/main.bro @@ -38,13 +38,6 @@ redef record connection += { irc: Info &optional; }; -# Some common IRC ports. -redef capture_filters += { ["irc-6666"] = "port 6666" }; -redef capture_filters += { ["irc-6667"] = "port 6667" }; -redef capture_filters += { ["irc-6668"] = "port 6668" }; -redef capture_filters += { ["irc-6669"] = "port 6669" }; - -# DPD configuration. const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; redef likely_server_ports += { ports }; diff --git a/scripts/base/protocols/modbus/main.bro b/scripts/base/protocols/modbus/main.bro index a418873306..d484e7582b 100644 --- a/scripts/base/protocols/modbus/main.bro +++ b/scripts/base/protocols/modbus/main.bro @@ -29,9 +29,6 @@ redef record connection += { modbus: Info &optional; }; -# Configure DPD and the packet filter. -redef capture_filters += { ["modbus"] = "tcp port 502" }; - const ports = { 502/tcp }; redef likely_server_ports += { ports }; diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index c7b3a452d2..d53128b06c 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro 
@@ -81,9 +81,6 @@ redef record connection += { smtp_state: State &optional; }; -# Configure DPD -redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" }; - const ports = { 25/tcp, 587/tcp }; redef likely_server_ports += { ports }; diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro index a188646515..f697b355c1 100644 --- a/scripts/base/protocols/socks/main.bro +++ b/scripts/base/protocols/socks/main.bro @@ -47,10 +47,6 @@ redef record connection += { socks: SOCKS::Info &optional; }; -# Configure DPD -redef capture_filters += { ["socks"] = "tcp port 1080" }; -redef likely_server_ports += { 1080/tcp }; - function set_session(c: connection, version: count) { if ( ! c?$socks ) diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index ddd3e8b834..53b61f00d8 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -70,17 +70,13 @@ export { global log_ssh: event(rec: Info); } -# Configure DPD and the packet filter - -const ports = { 22/tcp }; - -redef capture_filters += { ["ssh"] = "tcp port 22" }; -redef likely_server_ports += { ports }; - redef record connection += { ssh: Info &optional; }; +const ports = { 22/tcp }; +redef likely_server_ports += { ports }; + event bro_init() &priority=5 { Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]); diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 61d8d2fdb4..65526182ac 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro 
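Review bot: The ssh hunk keeps `redef likely_server_ports += { ports };` next to the moved `const ports`, but the socks hunk on this same line deletes `redef likely_server_ports += { 1080/tcp };` together with its capture filter and adds no replacement, so unless a `const ports`/`likely_server_ports` pair exists elsewhere in socks/main.bro, SOCKS loses its server-port hint while every other protocol touched by this commit keeps one. The regenerated baseline later in the series does list `(tcp and port 1080)` outside the HTTP group, which suggests `Analyzer::register_for_ports` is still called for SOCKS outside the hunk, so it is probably only the `likely_server_ports` line that was lost.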
@@ -94,26 +94,10 @@ redef record Info += { delay_tokens: set[string] &optional; }; -redef capture_filters += { - ["ssl"] = "tcp port 443", - ["nntps"] = "tcp port 563", - ["imap4-ssl"] = "tcp port 585", - ["sshell"] = "tcp port 614", - ["ldaps"] = "tcp port 636", - ["ftps-data"] = "tcp port 989", - ["ftps"] = "tcp port 990", - ["telnets"] = "tcp port 992", - ["imaps"] = "tcp port 993", - ["ircs"] = "tcp port 994", - ["pop3s"] = "tcp port 995", - ["xmpps"] = "tcp port 5223", -}; - const ports = { 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp -} &redef; - +}; redef likely_server_ports += { ports }; event bro_init() &priority=5 @@ -154,7 +138,7 @@ function log_record(info: Info) { log_record(info); } - timeout max_log_delay + timeout SSL::max_log_delay { Reporter::info(fmt("SSL delay tokens not released in time (%s tokens remaining)", |info$delay_tokens|)); diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro index 7c15fb4fae..afe562c890 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.bro @@ -26,15 +26,13 @@ export { }; } -redef capture_filters += { ["syslog"] = "port 514" }; - -const ports = { 514/udp }; -redef likely_server_ports += { ports }; - redef record connection += { syslog: Info &optional; }; +const ports = { 514/udp }; +redef likely_server_ports += { ports }; + event bro_init() &priority=5 { Log::create_stream(Syslog::LOG, [$columns=Info]); diff --git a/scripts/base/frameworks/packet-filter/shunt.bro b/scripts/policy/frameworks/packet-filter/shunt.bro similarity index 99% rename from scripts/base/frameworks/packet-filter/shunt.bro rename to scripts/policy/frameworks/packet-filter/shunt.bro index fcbdac85aa..fba66e60f3 100644 --- a/scripts/base/frameworks/packet-filter/shunt.bro +++ b/scripts/policy/frameworks/packet-filter/shunt.bro 
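Review bot: The deleted capture filter list included `["ircs"] = "tcp port 994"`, but the kept `const ports` set has no `994/tcp`, so once filters are derived from `ports` IRC-over-TLS on 994 is no longer captured in auto-filter mode (the regenerated baseline later in the series has no port 994 clause). The same hunk drops `&redef` from `const ports`, so a site can no longer add it back with `redef SSL::ports += { 994/tcp };` either. Either add `994/tcp` to the set or keep `} &redef;`.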
@@ -1,6 +1,5 @@
@load base/frameworks/notice
-@load ./main
-@load ./utils
+@load base/frameworks/packet-filter
module PacketFilter;
From af8712652178a1138e9e4df8e632ecfc32e52b89 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Fri, 5 Jul 2013 01:27:59 -0400
Subject: [PATCH 158/200] Updating test baselines.
---
doc/scripts/DocSourcesList.cmake | 3 ++
.../Baseline/core.print-bpf-filters/conn.log | 6 ++--
.../Baseline/core.print-bpf-filters/output | 28 ++++++-------------
.../canonified_loaded_scripts.log | 5 ++--
.../canonified_loaded_scripts.log | 5 ++--
5 files changed, 21 insertions(+), 26 deletions(-)
diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake
index fdd919f86b..529b03ca83 100644
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
@@ -112,6 +112,7 @@ rest_target(${psd} base/frameworks/notice/non-cluster.bro)
rest_target(${psd} base/frameworks/notice/weird.bro)
rest_target(${psd} base/frameworks/packet-filter/main.bro)
rest_target(${psd} base/frameworks/packet-filter/netstats.bro)
+rest_target(${psd} base/frameworks/packet-filter/utils.bro)
rest_target(${psd} base/frameworks/reporter/main.bro)
rest_target(${psd} base/frameworks/signatures/main.bro)
rest_target(${psd} base/frameworks/software/main.bro)
@@ -190,6 +191,7 @@ rest_target(${psd} policy/frameworks/intel/smtp-url-extraction.bro)
rest_target(${psd} policy/frameworks/intel/smtp.bro)
rest_target(${psd} policy/frameworks/intel/ssl.bro)
rest_target(${psd} policy/frameworks/intel/where-locations.bro)
+rest_target(${psd} policy/frameworks/packet-filter/shunt.bro)
rest_target(${psd} policy/frameworks/software/version-changes.bro)
rest_target(${psd} policy/frameworks/software/vulnerable.bro)
rest_target(${psd} policy/integration/barnyard2/main.bro)
@@ -198,6 +200,7 @@ rest_target(${psd} policy/integration/collective-intel/main.bro) rest_target(${psd} policy/misc/app-metrics.bro) rest_target(${psd} policy/misc/capture-loss.bro) rest_target(${psd} policy/misc/detect-traceroute/main.bro) +rest_target(${psd} policy/misc/load-balancing.bro) rest_target(${psd} policy/misc/loaded-scripts.bro) rest_target(${psd} policy/misc/profiling.bro) rest_target(${psd} policy/misc/scan.bro) diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log index 0fd86b8dc4..ac366f679e 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2005-10-07-23-23-57 +#open 2013-07-05-05-19-59 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool count string count count count count table[string] -1128727435.450898 UWkUyAuUGXf 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - 0 ShADdFaf 12 730 10 9945 (empty) -#close 2005-10-07-23-23-57 +1278600802.069419 UWkUyAuUGXf 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - 0 ShADadfF 7 381 7 3801 (empty) +#close 2013-07-05-05-19-59 diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output index cadc8b22db..292d7ab457 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output +++ b/testing/btest/Baseline/core.print-bpf-filters/output 
@@ -3,38 +3,28 @@ #empty_field (empty) #unset_field - #path packet_filter -#open 2012-11-06-00-53-09 +#open 2013-07-05-05-14-42 #fields ts node filter init success #types time string string bool bool -1352163189.729807 - ip or not ip T T -#close 2012-11-06-00-53-09 +1373001282.736785 - ip or not ip T T +#close 2013-07-05-05-14-42 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2012-11-06-00-53-10 +#open 2013-07-05-05-14-42 #fields ts node filter init success #types time string string bool bool -1352163190.114261 - ((((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (tcp port 1080)) or (udp and port 5355)) or (tcp port 502)) or (tcp port 995)) or (tcp port 22)) or (port 21 and port 2811)) or (tcp port 25 or tcp port 587)) or (tcp port 614)) or (tcp port 990)) or (port 6667)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666) T T -#close 2012-11-06-00-53-10 +1373001282.899854 - port 42 T T +#close 2013-07-05-05-14-42 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2012-11-06-00-53-10 +#open 2013-07-05-05-14-43 #fields ts node filter init success #types time string string bool bool -1352163190.484506 - port 42 T T -#close 2012-11-06-00-53-10 -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path packet_filter -#open 2012-11-06-00-53-10 -#fields ts node filter init success -#types time string string bool bool -1352163190.855090 - port 56730 T T -#close 2012-11-06-00-53-10 +1373001283.061158 - (vlan) and (ip or not ip) T T +#close 2013-07-05-05-14-43 
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 9d3fb87861..b7585a1477 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-06-10-19-50-56 +#open 2013-07-05-05-20-50 #fields name #types string scripts/base/init-bare.bro @@ -82,10 +82,11 @@ scripts/base/init-bare.bro scripts/base/frameworks/input/readers/sqlite.bro scripts/base/frameworks/analyzer/__load__.bro scripts/base/frameworks/analyzer/main.bro + scripts/base/frameworks/packet-filter/utils.bro build/scripts/base/bif/analyzer.bif.bro scripts/base/frameworks/file-analysis/__load__.bro scripts/base/frameworks/file-analysis/main.bro build/scripts/base/bif/file_analysis.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2013-06-10-19-50-56 +#close 2013-07-05-05-20-50 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index b861f44266..28430aacd8 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-06-10-19-50-57 +#open 2013-07-05-05-21-48 #fields name #types string scripts/base/init-bare.bro 
@@ -82,6 +82,7 @@ scripts/base/init-bare.bro
scripts/base/frameworks/input/readers/sqlite.bro
scripts/base/frameworks/analyzer/__load__.bro
scripts/base/frameworks/analyzer/main.bro
+ scripts/base/frameworks/packet-filter/utils.bro
build/scripts/base/bif/analyzer.bif.bro
scripts/base/frameworks/file-analysis/__load__.bro
scripts/base/frameworks/file-analysis/main.bro
@@ -192,4 +193,4 @@ scripts/base/init-default.bro
scripts/base/protocols/syslog/main.bro
scripts/base/misc/find-checksum-offloading.bro
scripts/policy/misc/loaded-scripts.bro
-#close 2013-06-10-19-50-57
+#close 2013-07-05-05-21-48
From 1e5906af08a91c4b9eaad51837df276b71318191 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Fri, 5 Jul 2013 01:52:37 -0400
Subject: [PATCH 159/200] Missed a test fix.
---
scripts/test-all-policy.bro | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index daad03d9b6..1fd34d6f2f 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -24,6 +24,7 @@
@load frameworks/intel/smtp.bro
@load frameworks/intel/ssl.bro
@load frameworks/intel/where-locations.bro
+@load frameworks/packet-filter/shunt.bro
@load frameworks/software/version-changes.bro
@load frameworks/software/vulnerable.bro
@load integration/barnyard2/__load__.bro
@@ -35,6 +36,7 @@
@load misc/capture-loss.bro
@load misc/detect-traceroute/__load__.bro
@load misc/detect-traceroute/main.bro
+@load misc/load-balancing.bro
@load misc/loaded-scripts.bro
@load misc/profiling.bro
@load misc/scan.bro
From 2ea1f483dbff571ce0c04019d963f87d0a83ea67 Mon Sep 17 00:00:00 2001
From: Robin Sommer Date: Mon, 8 Jul 2013 13:05:37 -0700 Subject: [PATCH 160/200] Bringing back test for enable_auto_protocol_capture_filters (formerly all_packets). --- CHANGES | 2 +- VERSION | 2 +- .../Baseline/core.print-bpf-filters/conn.log | 4 +-- .../Baseline/core.print-bpf-filters/output | 28 +++++++++++++------ testing/btest/core/print-bpf-filters.bro | 2 ++ 5 files changed, 25 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index 15fee38d49..575ccc386b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.1-797 | 2013-07-07 20:45:07 -0700 +2.1-798 | 2013-07-08 13:05:37 -0700 * Rewrite of the packet filter framework. (Seth Hall) diff --git a/VERSION b/VERSION index 07ac51c523..4a5af67890 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-797 +2.1-798 diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log index ac366f679e..745673c027 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2013-07-05-05-19-59 +#open 2013-07-08-20-05-18 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool count string count count count count table[string] 1278600802.069419 UWkUyAuUGXf 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - 0 ShADadfF 7 381 7 3801 (empty) -#close 2013-07-05-05-19-59 +#close 2013-07-08-20-05-18 diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output index 292d7ab457..8ccc04b1a7 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output +++ b/testing/btest/Baseline/core.print-bpf-filters/output 
@@ -3,28 +3,38 @@ #empty_field (empty) #unset_field - #path packet_filter -#open 2013-07-05-05-14-42 +#open 2013-07-08-20-05-17 #fields ts node filter init success #types time string string bool bool -1373001282.736785 - ip or not ip T T -#close 2013-07-05-05-14-42 +1373313917.926565 - ip or not ip T T +#close 2013-07-08-20-05-17 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2013-07-05-05-14-42 +#open 2013-07-08-20-05-18 #fields ts node filter init success #types time string string bool bool -1373001282.899854 - port 42 T T -#close 2013-07-05-05-14-42 +1373313918.205206 - port 42 T T +#close 2013-07-08-20-05-18 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2013-07-05-05-14-43 +#open 2013-07-08-20-05-18 #fields ts node filter init success #types time string string bool bool -1373001283.061158 - (vlan) and (ip or not ip) T T -#close 2013-07-05-05-14-43 +1373313918.491383 - (vlan) and (ip or not ip) T T +#close 2013-07-08-20-05-18 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path packet_filter +#open 2013-07-08-20-05-18 +#fields ts node filter init success +#types time string string bool bool +1373313918.795264 - ((((((((((((udp and port 3544) or (udp and port 514)) or ((tcp and port 2811) or (tcp and port 21))) or (tcp and port 502)) or ((((tcp and port 6669) or (tcp and port 6666)) or (tcp and port 6668)) or (tcp and port 6667))) or (tcp and port 1080)) or ((udp and port 2152) or (udp and port 2123))) or ((((((((tcp and port 631) or (tcp and port 8888)) or (tcp and port 3128)) or (tcp and port 80)) or (tcp and port 1080)) or (tcp and port 8000)) or (tcp and port 81)) or (tcp and port 8080))) or (udp and port 5072)) or ((tcp and port 25) or (tcp and port 587))) or (((((((((((tcp and port 5223) or (tcp and port 585)) or (tcp and port 614)) or (tcp and port 993)) or (tcp and port 636)) or (tcp and port 989)) or (tcp and port 995)) or (tcp 
and port 443)) or (tcp and port 563)) or (tcp and port 990)) or (tcp and port 992))) or (((((udp and port 5355) or (tcp and port 53)) or (udp and port 5353)) or (udp and port 137)) or (udp and port 53))) or (tcp and port 22) T T +#close 2013-07-08-20-05-18 diff --git a/testing/btest/core/print-bpf-filters.bro b/testing/btest/core/print-bpf-filters.bro index 383982eddf..2c3d761cca 100644 --- a/testing/btest/core/print-bpf-filters.bro +++ b/testing/btest/core/print-bpf-filters.bro @@ -4,5 +4,7 @@ # @TEST-EXEC: cat packet_filter.log >>output # @TEST-EXEC: bro -r $TRACES/mixed-vlan-mpls.trace PacketFilter::restricted_filter="vlan" >>output # @TEST-EXEC: cat packet_filter.log >>output +# @TEST-EXEC: bro -r $TRACES/empty.trace PacketFilter::enable_auto_protocol_capture_filters=T >>output +# @TEST-EXEC: cat packet_filter.log >>output # @TEST-EXEC: btest-diff output # @TEST-EXEC: btest-diff conn.log From 7fe7684d4a3d0c2e7bd85ee75fe89d5b8c8d68dd Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 8 Jul 2013 13:28:07 -0700 Subject: [PATCH 161/200] Updating submodule(s). [nomail] --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index d5b8df42cb..be242b2113 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit d5b8df42cb9c398142e02d4bf8ede835fd0227f4 +Subproject commit be242b2113fec7315690f302bd10c9b0e32505bb From 841604bebecbb1944cbb6112b714754d81d3946a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 8 Jul 2013 20:46:52 -0700 Subject: [PATCH 162/200] Updating submodule(s). [nomail] --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index be242b2113..c2e73c9e1e 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit be242b2113fec7315690f302bd10c9b0e32505bb +Subproject commit c2e73c9e1efed6bfdf2d977d716c97773c39492e From 39444b5af79de557b5ead73a9c2156bec1e2ea46 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Tue, 9 Jul 2013 22:44:55 -0400 Subject: [PATCH 163/200] Moved DPD signatures into script specific directories. - This caused us to lose signatures for POP3 and Bittorrent. These will need discovered in the repository again when we add scripts for those analyzers. --- scripts/base/frameworks/dpd/dpd.sig | 212 -------------------- scripts/base/frameworks/dpd/main.bro | 2 - scripts/base/init-default.bro | 1 + scripts/base/protocols/ftp/__load__.bro | 2 + scripts/base/protocols/ftp/dpd.sig | 15 ++ scripts/base/protocols/http/__load__.bro | 2 + scripts/base/protocols/http/dpd.sig | 13 ++ scripts/base/protocols/irc/__load__.bro | 2 + scripts/base/protocols/irc/dpd.sig | 33 +++ scripts/base/protocols/smtp/__load__.bro | 2 + scripts/base/protocols/smtp/dpd.sig | 12 ++ scripts/base/protocols/socks/__load__.bro | 4 +- scripts/base/protocols/socks/dpd.sig | 48 +++++ scripts/base/protocols/ssh/__load__.bro | 4 +- scripts/base/protocols/ssh/dpd.sig | 13 ++ scripts/base/protocols/ssl/__load__.bro | 2 + scripts/base/protocols/ssl/dpd.sig | 15 ++ scripts/base/protocols/tunnels/__load__.bro | 1 + scripts/base/protocols/tunnels/dpd.sig | 14 ++ 19 files changed, 181 insertions(+), 216 deletions(-) delete mode 100644 scripts/base/frameworks/dpd/dpd.sig create mode 100644 scripts/base/protocols/ftp/dpd.sig create mode 100644 scripts/base/protocols/http/dpd.sig create mode 100644 scripts/base/protocols/irc/dpd.sig create mode 100644 scripts/base/protocols/smtp/dpd.sig create mode 100644 scripts/base/protocols/socks/dpd.sig create mode 100644 scripts/base/protocols/ssh/dpd.sig create mode 100644 scripts/base/protocols/ssl/dpd.sig create mode 100644 scripts/base/protocols/tunnels/__load__.bro create mode 100644 scripts/base/protocols/tunnels/dpd.sig diff --git a/scripts/base/frameworks/dpd/dpd.sig b/scripts/base/frameworks/dpd/dpd.sig deleted file mode 100644 index 49e24cefc6..0000000000 --- a/scripts/base/frameworks/dpd/dpd.sig +++ /dev/null 
@@ -1,212 +0,0 @@ -# Signatures to initiate dynamic protocol detection. - -signature dpd_ftp_client { - ip-proto == tcp - payload /(|.*[\n\r]) *[uU][sS][eE][rR] / - tcp-state originator -} - -# Match for server greeting (220, 120) and for login or passwd -# required (230, 331). -signature dpd_ftp_server { - ip-proto == tcp - payload /[\n\r ]*(120|220)[^0-9].*[\n\r] *(230|331)[^0-9]/ - tcp-state responder - requires-reverse-signature dpd_ftp_client - enable "ftp" -} - -signature dpd_http_client { - ip-proto == tcp - payload /^[[:space:]]*(GET|HEAD|POST)[[:space:]]*/ - tcp-state originator -} - -signature dpd_http_server { - ip-proto == tcp - payload /^HTTP\/[0-9]/ - tcp-state responder - requires-reverse-signature dpd_http_client - enable "http" -} - -signature dpd_bittorrenttracker_client { - ip-proto == tcp - payload /^.*\/announce\?.*info_hash/ - tcp-state originator -} - -signature dpd_bittorrenttracker_server { - ip-proto == tcp - payload /^HTTP\/[0-9]/ - tcp-state responder - requires-reverse-signature dpd_bittorrenttracker_client - enable "bittorrenttracker" -} - -signature dpd_bittorrent_peer1 { - ip-proto == tcp - payload /^\x13BitTorrent protocol/ - tcp-state originator -} - -signature dpd_bittorrent_peer2 { - ip-proto == tcp - payload /^\x13BitTorrent protocol/ - tcp-state responder - requires-reverse-signature dpd_bittorrent_peer1 - enable "bittorrent" -} - -signature irc_client1 { - ip-proto == tcp - payload /(|.*[\r\n]) *[Uu][Ss][Ee][Rr] +.+[\n\r]+ *[Nn][Ii][Cc][Kk] +.*[\r\n]/ - requires-reverse-signature irc_server_reply - tcp-state originator - enable "irc" -} - -signature irc_client2 { - ip-proto == tcp - payload /(|.*[\r\n]) *[Nn][Ii][Cc][Kk] +.+[\r\n]+ *[Uu][Ss][Ee][Rr] +.+[\r\n]/ - requires-reverse-signature irc_server_reply - tcp-state originator - enable "irc" -} - -signature irc_server_reply { - ip-proto == tcp - payload /^(|.*[\n\r])(:[^ \n\r]+ )?[0-9][0-9][0-9] / - tcp-state responder -} - -signature irc_server_to_server1 { - ip-proto == tcp 
- payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/ -} - -signature irc_server_to_server2 { - ip-proto == tcp - payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/ - requires-reverse-signature irc_server_to_server1 - enable "irc" -} - -signature dpd_smtp_client { - ip-proto == tcp - payload /(|.*[\n\r])[[:space:]]*([hH][eE][lL][oO]|[eE][hH][lL][oO])/ - requires-reverse-signature dpd_smtp_server - enable "smtp" - tcp-state originator -} - -signature dpd_smtp_server { - ip-proto == tcp - payload /^[[:space:]]*220[[:space:]-]/ - tcp-state responder -} - -signature dpd_ssh_client { - ip-proto == tcp - payload /^[sS][sS][hH]-/ - requires-reverse-signature dpd_ssh_server - enable "ssh" - tcp-state originator -} - -signature dpd_ssh_server { - ip-proto == tcp - payload /^[sS][sS][hH]-/ - tcp-state responder -} - -signature dpd_pop3_server { - ip-proto == tcp - payload /^\+OK/ - requires-reverse-signature dpd_pop3_client - enable "pop3" - tcp-state responder -} - -signature dpd_pop3_client { - ip-proto == tcp - payload /(|.*[\r\n])[[:space:]]*([uU][sS][eE][rR][[:space:]]|[aA][pP][oO][pP][[:space:]]|[cC][aA][pP][aA]|[aA][uU][tT][hH])/ - tcp-state originator -} - -signature dpd_ssl_server { - ip-proto == tcp - # Server hello. - payload /^(\x16\x03[\x00\x01\x02]..\x02...\x03[\x00\x01\x02]|...?\x04..\x00\x02).*/ - requires-reverse-signature dpd_ssl_client - enable "ssl" - tcp-state responder -} - -signature dpd_ssl_client { - ip-proto == tcp - # Client hello. - payload /^(\x16\x03[\x00\x01\x02]..\x01...\x03[\x00\x01\x02]|...?\x01[\x00\x01\x02][\x02\x03]).*/ - tcp-state originator -} - -signature dpd_ayiya { - ip-proto = udp - payload /^..\x11\x29/ - enable "ayiya" -} - -signature dpd_teredo { - ip-proto = udp - payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f])/ - enable "teredo" -} - -signature dpd_socks4_client { - ip-proto == tcp - # '32' is a rather arbitrary max length for the user name. 
- payload /^\x04[\x01\x02].{0,32}\x00/ - tcp-state originator -} - -signature dpd_socks4_server { - ip-proto == tcp - requires-reverse-signature dpd_socks4_client - payload /^\x00[\x5a\x5b\x5c\x5d]/ - tcp-state responder - enable "socks" -} - -signature dpd_socks4_reverse_client { - ip-proto == tcp - # '32' is a rather arbitrary max length for the user name. - payload /^\x04[\x01\x02].{0,32}\x00/ - tcp-state responder -} - -signature dpd_socks4_reverse_server { - ip-proto == tcp - requires-reverse-signature dpd_socks4_reverse_client - payload /^\x00[\x5a\x5b\x5c\x5d]/ - tcp-state originator - enable "socks" -} - -signature dpd_socks5_client { - ip-proto == tcp - # Watch for a few authentication methods to reduce false positives. - payload /^\x05.[\x00\x01\x02]/ - tcp-state originator -} - -signature dpd_socks5_server { - ip-proto == tcp - requires-reverse-signature dpd_socks5_client - # Watch for a single authentication method to be chosen by the server or - # the server to indicate the no authentication is required. - payload /^\x05(\x00|\x01[\x00\x01\x02])/ - tcp-state responder - enable "socks" -} - - diff --git a/scripts/base/frameworks/dpd/main.bro b/scripts/base/frameworks/dpd/main.bro index c3282a1da4..9df8a45e5e 100644 --- a/scripts/base/frameworks/dpd/main.bro +++ b/scripts/base/frameworks/dpd/main.bro @@ -3,8 +3,6 @@ module DPD; -@load-sigs ./dpd.sig - export { ## Add the DPD logging stream identifier. redef enum Log::ID += { LOG }; diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 9c3995673c..6c40a7547f 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -46,5 +46,6 @@ @load base/protocols/ssh @load base/protocols/ssl @load base/protocols/syslog +@load base/protocols/tunnels @load base/misc/find-checksum-offloading diff --git a/scripts/base/protocols/ftp/__load__.bro b/scripts/base/protocols/ftp/__load__.bro index 464571dc7d..f3226de69d 100644 --- a/scripts/base/protocols/ftp/__load__.bro 
+++ b/scripts/base/protocols/ftp/__load__.bro @@ -3,3 +3,5 @@ @load ./file-analysis @load ./file-extract @load ./gridftp + +@load-sigs ./dpd.sig \ No newline at end of file diff --git a/scripts/base/protocols/ftp/dpd.sig b/scripts/base/protocols/ftp/dpd.sig new file mode 100644 index 0000000000..3a6ceadd18 --- /dev/null +++ b/scripts/base/protocols/ftp/dpd.sig @@ -0,0 +1,15 @@ +signature dpd_ftp_client { + ip-proto == tcp + payload /(|.*[\n\r]) *[uU][sS][eE][rR] / + tcp-state originator +} + +# Match for server greeting (220, 120) and for login or passwd +# required (230, 331). +signature dpd_ftp_server { + ip-proto == tcp + payload /[\n\r ]*(120|220)[^0-9].*[\n\r] *(230|331)[^0-9]/ + tcp-state responder + requires-reverse-signature dpd_ftp_client + enable "ftp" +} diff --git a/scripts/base/protocols/http/__load__.bro b/scripts/base/protocols/http/__load__.bro index 58618dedc7..8f426c1521 100644 --- a/scripts/base/protocols/http/__load__.bro +++ b/scripts/base/protocols/http/__load__.bro @@ -4,3 +4,5 @@ @load ./file-ident @load ./file-hash @load ./file-extract + +@load-sigs ./dpd.sig \ No newline at end of file diff --git a/scripts/base/protocols/http/dpd.sig b/scripts/base/protocols/http/dpd.sig new file mode 100644 index 0000000000..13470f4e95 --- /dev/null +++ b/scripts/base/protocols/http/dpd.sig @@ -0,0 +1,13 @@ +signature dpd_http_client { + ip-proto == tcp + payload /^[[:space:]]*(GET|HEAD|POST)[[:space:]]*/ + tcp-state originator +} + +signature dpd_http_server { + ip-proto == tcp + payload /^HTTP\/[0-9]/ + tcp-state responder + requires-reverse-signature dpd_http_client + enable "http" +} diff --git a/scripts/base/protocols/irc/__load__.bro b/scripts/base/protocols/irc/__load__.bro index 5123385b0c..2e60cda0a6 100644 --- a/scripts/base/protocols/irc/__load__.bro +++ b/scripts/base/protocols/irc/__load__.bro @@ -1,3 +1,5 @@ @load ./main @load ./dcc-send @load ./file-analysis + +@load-sigs ./dpd.sig \ No newline at end of file 
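Review bot: The added `@load-sigs ./dpd.sig` line in ftp/__load__.bro has no trailing newline (`\ No newline at end of file`), and the same applies to the http, irc, smtp, socks, ssh, ssl and tunnels `__load__.bro` files in this commit. Ending each file with a newline keeps the next append from showing up as a change to this line and matches the rest of the script tree. This is formatting only; the load directives themselves look correct.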
diff --git a/scripts/base/protocols/irc/dpd.sig b/scripts/base/protocols/irc/dpd.sig new file mode 100644 index 0000000000..308358d619 --- /dev/null +++ b/scripts/base/protocols/irc/dpd.sig @@ -0,0 +1,33 @@ +signature irc_client1 { + ip-proto == tcp + payload /(|.*[\r\n]) *[Uu][Ss][Ee][Rr] +.+[\n\r]+ *[Nn][Ii][Cc][Kk] +.*[\r\n]/ + requires-reverse-signature irc_server_reply + tcp-state originator + enable "irc" +} + +signature irc_client2 { + ip-proto == tcp + payload /(|.*[\r\n]) *[Nn][Ii][Cc][Kk] +.+[\r\n]+ *[Uu][Ss][Ee][Rr] +.+[\r\n]/ + requires-reverse-signature irc_server_reply + tcp-state originator + enable "irc" +} + +signature irc_server_reply { + ip-proto == tcp + payload /^(|.*[\n\r])(:[^ \n\r]+ )?[0-9][0-9][0-9] / + tcp-state responder +} + +signature irc_server_to_server1 { + ip-proto == tcp + payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/ +} + +signature irc_server_to_server2 { + ip-proto == tcp + payload /(|.*[\r\n]) *[Ss][Ee][Rr][Vv][Ee][Rr] +[^ ]+ +[0-9]+ +:.+[\r\n]/ + requires-reverse-signature irc_server_to_server1 + enable "irc" +} diff --git a/scripts/base/protocols/smtp/__load__.bro b/scripts/base/protocols/smtp/__load__.bro index bac9cc118f..3e3fde6947 100644 --- a/scripts/base/protocols/smtp/__load__.bro +++ b/scripts/base/protocols/smtp/__load__.bro @@ -2,3 +2,5 @@ @load ./entities @load ./entities-excerpt @load ./file-analysis + +@load-sigs ./dpd.sig \ No newline at end of file diff --git a/scripts/base/protocols/smtp/dpd.sig b/scripts/base/protocols/smtp/dpd.sig new file mode 100644 index 0000000000..49ed7ea3be --- /dev/null +++ b/scripts/base/protocols/smtp/dpd.sig @@ -0,0 +1,12 @@ +signature dpd_smtp_client { + ip-proto == tcp + payload /(|.*[\n\r])[[:space:]]*([hH][eE][lL][oO]|[eE][hH][lL][oO])/ + requires-reverse-signature dpd_smtp_server + enable "smtp" + tcp-state originator +} + +signature dpd_smtp_server { + ip-proto == tcp + payload /^[[:space:]]*220[[:space:]-]/ + tcp-state responder 
diff --git a/scripts/base/protocols/socks/__load__.bro b/scripts/base/protocols/socks/__load__.bro index 0098b81a7a..80193afb6f 100644 --- a/scripts/base/protocols/socks/__load__.bro +++ b/scripts/base/protocols/socks/__load__.bro @@ -1,2 +1,4 @@ @load ./consts -@load ./main \ No newline at end of file +@load ./main + +@load-sigs ./dpd.sig \ No newline at end of file diff --git a/scripts/base/protocols/socks/dpd.sig b/scripts/base/protocols/socks/dpd.sig new file mode 100644 index 0000000000..3dcd7a945a --- /dev/null +++ b/scripts/base/protocols/socks/dpd.sig @@ -0,0 +1,48 @@ +signature dpd_socks4_client { + ip-proto == tcp + # '32' is a rather arbitrary max length for the user name. + payload /^\x04[\x01\x02].{0,32}\x00/ + tcp-state originator +} + +signature dpd_socks4_server { + ip-proto == tcp + requires-reverse-signature dpd_socks4_client + payload /^\x00[\x5a\x5b\x5c\x5d]/ + tcp-state responder + enable "socks" +} + +signature dpd_socks4_reverse_client { + ip-proto == tcp + # '32' is a rather arbitrary max length for the user name. + payload /^\x04[\x01\x02].{0,32}\x00/ + tcp-state responder +} + +signature dpd_socks4_reverse_server { + ip-proto == tcp + requires-reverse-signature dpd_socks4_reverse_client + payload /^\x00[\x5a\x5b\x5c\x5d]/ + tcp-state originator + enable "socks" +} + +signature dpd_socks5_client { + ip-proto == tcp + # Watch for a few authentication methods to reduce false positives. + payload /^\x05.[\x00\x01\x02]/ + tcp-state originator +} + +signature dpd_socks5_server { + ip-proto == tcp + requires-reverse-signature dpd_socks5_client + # Watch for a single authentication method to be chosen by the server or + # the server to indicate the no authentication is required. + payload /^\x05(\x00|\x01[\x00\x01\x02])/ + tcp-state responder + enable "socks" +} + + diff --git a/scripts/base/protocols/ssh/__load__.bro b/scripts/base/protocols/ssh/__load__.bro index d551be57d3..0f3cb011f8 100644 --- a/scripts/base/protocols/ssh/__load__.bro 
+++ b/scripts/base/protocols/ssh/__load__.bro @@ -1 +1,3 @@ -@load ./main \ No newline at end of file +@load ./main + +@load-sigs ./dpd.sig \ No newline at end of file diff --git a/scripts/base/protocols/ssh/dpd.sig b/scripts/base/protocols/ssh/dpd.sig new file mode 100644 index 0000000000..95e22908ab --- /dev/null +++ b/scripts/base/protocols/ssh/dpd.sig @@ -0,0 +1,13 @@ +signature dpd_ssh_client { + ip-proto == tcp + payload /^[sS][sS][hH]-/ + requires-reverse-signature dpd_ssh_server + enable "ssh" + tcp-state originator +} + +signature dpd_ssh_server { + ip-proto == tcp + payload /^[sS][sS][hH]-/ + tcp-state responder +} diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.bro index 239438047c..80cb4e216a 100644 --- a/scripts/base/protocols/ssl/__load__.bro +++ b/scripts/base/protocols/ssl/__load__.bro @@ -1,3 +1,5 @@ @load ./consts @load ./main @load ./mozilla-ca-list + +@load-sigs ./dpd.sig \ No newline at end of file diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig new file mode 100644 index 0000000000..b36b9a5aa5 --- /dev/null +++ b/scripts/base/protocols/ssl/dpd.sig @@ -0,0 +1,15 @@ +signature dpd_ssl_server { + ip-proto == tcp + # Server hello. + payload /^(\x16\x03[\x00\x01\x02]..\x02...\x03[\x00\x01\x02]|...?\x04..\x00\x02).*/ + requires-reverse-signature dpd_ssl_client + enable "ssl" + tcp-state responder +} + +signature dpd_ssl_client { + ip-proto == tcp + # Client hello. + payload /^(\x16\x03[\x00\x01\x02]..\x01...\x03[\x00\x01\x02]|...?\x01[\x00\x01\x02][\x02\x03]).*/ + tcp-state originator +} diff --git a/scripts/base/protocols/tunnels/__load__.bro b/scripts/base/protocols/tunnels/__load__.bro new file mode 100644 index 0000000000..9de7b6ff19 --- /dev/null +++ b/scripts/base/protocols/tunnels/__load__.bro @@ -0,0 +1 @@ +@load-sigs ./dpd.sig \ No newline at end of file 
diff --git a/scripts/base/protocols/tunnels/dpd.sig b/scripts/base/protocols/tunnels/dpd.sig new file mode 100644 index 0000000000..0c66775f5d --- /dev/null +++ b/scripts/base/protocols/tunnels/dpd.sig @@ -0,0 +1,14 @@ +# Provide DPD signatures for tunneling protocols that otherwise +# wouldn't be detected at all. + +signature dpd_ayiya { + ip-proto = udp + payload /^..\x11\x29/ + enable "ayiya" +} + +signature dpd_teredo { + ip-proto = udp + payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f])/ + enable "teredo" +} From 4dda9cd3bab0ca2eb2123a57ea4685eef7c560e1 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 9 Jul 2013 22:45:21 -0400 Subject: [PATCH 164/200] Fix a bug where the same analyzer tag was reused for two different analyzers. --- src/analyzer/protocol/bittorrent/BitTorrentTracker.cc | 2 +- src/analyzer/protocol/bittorrent/Plugin.cc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index b32db9a8bd..98adcaa610 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc @@ -22,7 +22,7 @@ static RecordType* bittorrent_benc_value; static TableType* bittorrent_benc_dir; BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c) -: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c) +: tcp::TCP_ApplicationAnalyzer("BITTORRENTTRACKER", c) { if ( ! bt_tracker_headers ) { diff --git a/src/analyzer/protocol/bittorrent/Plugin.cc b/src/analyzer/protocol/bittorrent/Plugin.cc index 2da9972d0d..7fea68bf07 100644 --- a/src/analyzer/protocol/bittorrent/Plugin.cc +++ b/src/analyzer/protocol/bittorrent/Plugin.cc 
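Review bot: In `dpd_teredo` the `^` anchor syntactically binds only to the first alternative of `/^(\x00\x00)|(\x00\x01)|([\x60-\x6f])/`; if the signature engine anchors payload patterns implicitly this is harmless, but as written the pattern reads as if the second and third alternatives may match anywhere, so grouping the alternation, `payload /^((\x00\x00)|(\x00\x01)|([\x60-\x6f]))/`, states the intent unambiguously. Both tunnel signatures also use `ip-proto = udp` while every other dpd.sig in this commit uses `ip-proto == tcp`; unless the single `=` form is deliberate, `==` would be consistent. Since `dpd_teredo` fires on a single leading byte in 0x60-0x6f with no `requires-reverse-signature`, a comment stating that the Teredo analyzer is expected to confirm the match itself (the `Tunnel::delay_teredo_confirmation` option exercised in the later test change suggests this) would help readers judge the false-positive exposure.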
@@ -7,6 +7,6 @@ BRO_PLUGIN_BEGIN(Bro, BitTorrent) BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer"); BRO_PLUGIN_ANALYZER("BitTorrent", bittorrent::BitTorrent_Analyzer); - BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrent_Analyzer); + BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrentTracker_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END From 60da0f476416e4a7a831a20df9f06b8f0db1a782 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 9 Jul 2013 22:57:36 -0400 Subject: [PATCH 165/200] Added a missing curly brace in smtp/dpd.sig --- scripts/base/protocols/smtp/dpd.sig | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/base/protocols/smtp/dpd.sig b/scripts/base/protocols/smtp/dpd.sig index 49ed7ea3be..6fbde59059 100644 --- a/scripts/base/protocols/smtp/dpd.sig +++ b/scripts/base/protocols/smtp/dpd.sig @@ -10,3 +10,4 @@ signature dpd_smtp_server { ip-proto == tcp payload /^[[:space:]]*220[[:space:]-]/ tcp-state responder +} \ No newline at end of file From 8322bbfd620038171f93a0aca09119c406dab221 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 9 Jul 2013 23:28:09 -0400 Subject: [PATCH 166/200] Small test fixes. --- .../canonified_loaded_scripts.log | 5 +++-- testing/btest/core/tunnels/teredo-known-services.test | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 28430aacd8..6d6906d924 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-07-05-05-21-48 +#open 2013-07-10-03-19-58 #fields name #types string scripts/base/init-bare.bro 
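Review bot: The tag passed to `tcp::TCP_ApplicationAnalyzer` in BitTorrentTracker.cc is `"BITTORRENTTRACKER"` while Plugin.cc registers the component as `"BitTorrentTracker"`; per the `Name()` doc comment in analyzer/Component.h later in this series the registered name is upper-cased and canonified, so these presumably resolve to the same tag, but a comment at the constructor noting that the string must match the `BRO_PLUGIN_ANALYZER` name would make the coupling explicit. A small test that loads the plugin and checks that the two analyzers get distinct tags would have caught the original copy-paste and guards against it recurring.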
@@ -191,6 +191,7 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/__load__.bro scripts/base/protocols/syslog/consts.bro scripts/base/protocols/syslog/main.bro + scripts/base/protocols/tunnels/__load__.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-07-05-05-21-48 +#close 2013-07-10-03-19-58 diff --git a/testing/btest/core/tunnels/teredo-known-services.test b/testing/btest/core/tunnels/teredo-known-services.test index d03ef2ab71..da3a538515 100644 --- a/testing/btest/core/tunnels/teredo-known-services.test +++ b/testing/btest/core/tunnels/teredo-known-services.test @@ -1,6 +1,6 @@ -# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}" +# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd base/protocols/tunnels protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: test ! -e known_services.log -# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" +# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd base/protocols/tunnels protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: btest-diff known_services.log # The first case using Tunnel::delay_teredo_confirmation=T doesn't produce From 40201a180e54a560711003f2e65e14be87a7b8e9 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 9 Jul 2013 21:00:53 -0700 Subject: [PATCH 167/200] Fixing for unserializion error. Because BloomFilter is a base class, with other classes derived from it, it needs special treatment. --- src/SerialTypes.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/src/SerialTypes.h b/src/SerialTypes.h index 9e4aef5b3b..85aed10bda 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -52,8 +52,6 @@ SERIAL_IS(RE_MATCHER, 0x1400) SERIAL_IS(BITVECTOR, 0x1500) SERIAL_IS(COUNTERVECTOR, 0x1600) SERIAL_IS(BLOOMFILTER, 0x1700) -SERIAL_IS(BASICBLOOMFILTER, 0x1800) -SERIAL_IS(COUNTINGBLOOMFILTER, 0x1900) // These are the externally visible types. const SerialType SER_NONE = 0; @@ -203,6 +201,11 @@ SERIAL_FUNC(BRO_FUNC, 2) SERIAL_FUNC(DEBUG_FUNC, 3) SERIAL_FUNC(BUILTIN_FUNC, 4) +#define SERIAL_BLOOMFILTER(name, val) SERIAL_CONST(name, val, BLOOMFILTER) +SERIAL_BLOOMFILTER(BLOOMFILTER, 1) +SERIAL_BLOOMFILTER(BASICBLOOMFILTER, 2) +SERIAL_BLOOMFILTER(COUNTINGBLOOMFILTER, 3) + SERIAL_CONST2(ID) SERIAL_CONST2(STATE_ACCESS) SERIAL_CONST2(CASE) @@ -210,8 +213,5 @@ SERIAL_CONST2(LOCATION) SERIAL_CONST2(RE_MATCHER) SERIAL_CONST2(BITVECTOR) SERIAL_CONST2(COUNTERVECTOR) -SERIAL_CONST2(BLOOMFILTER) -SERIAL_CONST2(BASICBLOOMFILTER) -SERIAL_CONST2(COUNTINGBLOOMFILTER) #endif From 446344ae998e8eef30a0f45a05dcea29efe4f032 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Wed, 10 Jul 2013 01:32:59 -0700 Subject: [PATCH 168/200] Add missing include for GCC. --- src/BloomFilter.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index a7727630f7..c59092b1e4 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -1,6 +1,7 @@ #include "BloomFilter.h" #include +#include #include "CounterVector.h" #include "Serializer.h" From 0394493faccf3975094208b4142d3c19b3482b4b Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 10 Jul 2013 11:53:44 -0500 Subject: [PATCH 169/200] const adjustment And fixes compiler warning about overloaded virtual function hiding. --- src/file_analysis/Component.cc | 2 +- src/file_analysis/Component.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/file_analysis/Component.cc b/src/file_analysis/Component.cc index d686918130..99531e40f5 100644 
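Review bot: The new `SERIAL_BLOOMFILTER` block in SerialTypes.h carries no comment explaining why the two concrete filters became subtypes of `BLOOMFILTER`, which is the whole point of the change according to the commit message. A short comment above the `#define`, such as `// BloomFilter is a polymorphic base with derived classes; the concrete filters are serialized as subtypes of BLOOMFILTER so unserialization can dispatch to the right class.`, keeps that rationale next to the code. The top-level values 0x1800 and 0x1900 are now unassigned; if serialized state can cross Bro versions, a comment reserving those slots (or noting they were once `BASICBLOOMFILTER`/`COUNTINGBLOOMFILTER`) would prevent a later addition from reusing them. Whether the base-class subtype `SERIAL_BLOOMFILTER(BLOOMFILTER, 1)` is ever instantiated cannot be seen from this hunk.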
--- a/src/file_analysis/Component.cc +++ b/src/file_analysis/Component.cc @@ -41,7 +41,7 @@ analyzer::Tag Component::Tag() const return tag; } -void Component::Describe(ODesc* d) +void Component::Describe(ODesc* d) const { plugin::Component::Describe(d); d->Add(name); diff --git a/src/file_analysis/Component.h b/src/file_analysis/Component.h index 5ec97f2e0c..8b79436991 100644 --- a/src/file_analysis/Component.h +++ b/src/file_analysis/Component.h @@ -90,7 +90,7 @@ public: * Generates a human-readable description of the component's main * parameters. This goes into the output of \c "bro -NN". */ - virtual void Describe(ODesc* d); + virtual void Describe(ODesc* d) const; Component& operator=(const Component& other); From 06287966a166d9a2d33a84084898009bfe86eea3 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 10 Jul 2013 14:19:00 -0700 Subject: [PATCH 170/200] Bringing the DPD POP3 signature back. This also avoids the need for updating the external test suite. --- scripts/base/init-default.bro | 1 + scripts/base/protocols/pop3/__load__.bro | 2 ++ scripts/base/protocols/pop3/dpd.sig | 13 +++++++++++++ .../canonified_loaded_scripts.log | 5 +++-- 4 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 scripts/base/protocols/pop3/__load__.bro create mode 100644 scripts/base/protocols/pop3/dpd.sig diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 6c40a7547f..6aa8ff5e26 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -41,6 +41,7 @@ @load base/protocols/http @load base/protocols/irc @load base/protocols/modbus +@load base/protocols/pop3 @load base/protocols/smtp @load base/protocols/socks @load base/protocols/ssh diff --git a/scripts/base/protocols/pop3/__load__.bro b/scripts/base/protocols/pop3/__load__.bro new file mode 100644 index 0000000000..c5ddf0e788 --- /dev/null +++ b/scripts/base/protocols/pop3/__load__.bro @@ -0,0 +1,2 @@ + +@load-sigs ./dpd.sig 
diff --git a/scripts/base/protocols/pop3/dpd.sig b/scripts/base/protocols/pop3/dpd.sig new file mode 100644 index 0000000000..8d7e3567da --- /dev/null +++ b/scripts/base/protocols/pop3/dpd.sig @@ -0,0 +1,13 @@ +signature dpd_pop3_server { + ip-proto == tcp + payload /^\+OK/ + requires-reverse-signature dpd_pop3_client + enable "pop3" + tcp-state responder +} + +signature dpd_pop3_client { + ip-proto == tcp + payload /(|.*[\r\n])[[:space:]]*([uU][sS][eE][rR][[:space:]]|[aA][pP][oO][pP][[:space:]]|[cC][aA][pP][aA]|[aA][uU][tT][hH])/ + tcp-state originator +} diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 6d6906d924..999fd7c841 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-07-10-03-19-58 +#open 2013-07-10-21-18-31 #fields name #types string scripts/base/init-bare.bro @@ -178,6 +178,7 @@ scripts/base/init-default.bro scripts/base/protocols/modbus/__load__.bro scripts/base/protocols/modbus/consts.bro scripts/base/protocols/modbus/main.bro + scripts/base/protocols/pop3/__load__.bro scripts/base/protocols/smtp/__load__.bro scripts/base/protocols/smtp/main.bro scripts/base/protocols/smtp/entities.bro @@ -194,4 +195,4 @@ scripts/base/init-default.bro scripts/base/protocols/tunnels/__load__.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-07-10-03-19-58 +#close 2013-07-10-21-18-31 From e01678d132a7fcb90c45701d110733bcc6ab84e4 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Fri, 12 Jul 2013 21:09:13 +0200 Subject: [PATCH 171/200] yep, freebsd still needs this fix --- src/3rdparty/sqlite3.c | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/src/3rdparty/sqlite3.c b/src/3rdparty/sqlite3.c index deef460899..8d473d32b7 100644 --- a/src/3rdparty/sqlite3.c +++ b/src/3rdparty/sqlite3.c @@ -23442,6 +23442,9 @@ static int posixFchown(int fd, uid_t uid, gid_t gid){ /* Forward reference */ static int openDirectory(const char*, int*); +/* fix compile on FreeBSD, not sure why needed... */ +int fchmod(int, mode_t); + /* ** Many system calls are accessed through pointer-to-functions so that ** they may be overridden at runtime to facilitate fault injection during From 58290d6fc0436677df760792a9cda9b0c99def11 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sun, 14 Jul 2013 08:42:35 -0700 Subject: [PATCH 172/200] Updating NEWS. --- NEWS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/NEWS b/NEWS index b5fea869e4..1fce6b1d9d 100644 --- a/NEWS +++ b/NEWS @@ -189,6 +189,8 @@ Changed Functionality - PacketFilter::all_packets has been replaced with PacketFilter::enable_auto_protocol_capture_filters. +- We removed the BitTorrent DPD signatures pending further updates to + that analyzer. Bro 2.1 ------- From 7427ce511b78c8ae5656762ad8c229976dd33fd3 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 15 Jul 2013 13:50:40 -0700 Subject: [PATCH 173/200] Small raw reader fixes * crash when accessing nonexistant file. * memory leak when reading from file. Addresses #1038. --- src/input/readers/Raw.cc | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc index 46cb3656a3..98f1dfcab6 100644 --- a/src/input/readers/Raw.cc +++ b/src/input/readers/Raw.cc @@ -55,6 +55,13 @@ void Raw::DoClose() if ( file != 0 ) CloseInput(); + if ( buf != 0 ) + { + // we still have output that has not been flushed. Throw away. + delete buf; + buf = 0; + } + if ( execute && childpid > 0 && kill(childpid, 0) == 0 ) { // kill child process 
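Review bot: The new cleanup in `Raw::DoClose()` frees the buffer with `delete buf;`, but `buf` is allocated with `new char[block_size]` (visible in the `GetLine` hunk of this same commit), so it must be `delete [] buf;` — pairing array `new` with scalar `delete` is undefined behaviour even for `char`. The same `delete buf;` line survives as context in the follow-up commit's DoClose hunk, so the fix applies there as well. The body of `DoClose()` continues outside the hunk.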
@@ -157,13 +164,13 @@ bool Raw::OpenInput()
 else
 {
 file = fopen(fname.c_str(), "r");
- fcntl(fileno(file), F_SETFD, FD_CLOEXEC);
 if ( ! file )
 {
 Error(Fmt("Init: cannot open %s", fname.c_str()));
 return false;
 }
 }
+ fcntl(fileno(file), F_SETFD, FD_CLOEXEC);
 
 return true;
 }
@@ -322,12 +329,14 @@ int64_t Raw::GetLine(FILE* arg_file)
 // but first check if we encountered the file end - because if we did this was it.
 if ( feof(arg_file) != 0 )
 {
- outbuf = buf;
- buf = 0;
 if ( pos == 0 )
 return -1; // signal EOF - and that we had no more data.
 else
+ {
+ outbuf = buf;
+ buf = 0;
 return pos;
+ }
 }
 
 repeats++;
@@ -342,15 +351,13 @@ int64_t Raw::GetLine(FILE* arg_file)
 {
 outbuf = buf;
 buf = 0;
- buf = new char[block_size];
-
 if ( found < pos )
 {
 // we have leftovers. copy them into the buffer for the next line
 buf = new char[block_size];
 memcpy(buf, outbuf + found + sep_length, pos - found - sep_length);
- bufpos = pos - found - sep_length;
+ bufpos = pos - found - sep_length;
 }
 
 return found;
@@ -368,7 +375,7 @@ int64_t Raw::GetLine(FILE* arg_file)
 return -3;
 }
 
- InternalError("Internal control flow execution");
+ InternalError("Internal control flow execution error in raw reader");
 assert(false);
 }
 
@@ -461,7 +468,7 @@ bool Raw::DoUpdate()
 if ( length == -3 )
 return false;
 
- else if ( length == -2 || length == -1 )
+ else if ( length == -2 || length == -1 ) // no data ready or eof
 break;
From 57b05a2989d32e87147686b39480240e5162e405 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Wed, 17 Jul 2013 17:30:35 -0700
Subject: [PATCH 174/200] Small raw reader tweaks that I forgot to commit earlier.
---
 src/input/readers/Raw.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc
index 98f1dfcab6..2820923a25 100644
--- a/src/input/readers/Raw.cc
+++ b/src/input/readers/Raw.cc
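Review bot: The relocated `fcntl(fileno(file), F_SETFD, FD_CLOEXEC);` in the OpenInput hunk still discards its return value, so a failure to mark the descriptor close-on-exec goes unnoticed and the open input file would be inherited by the child process the execute path spawns (DoClose()'s `kill(childpid, 0)` shows such a child exists). Handling it the same way the fopen() failure is handled keeps the problem visible: `if ( fcntl(fileno(file), F_SETFD, FD_CLOEXEC) == -1 ) Error(Fmt("Init: cannot set close-on-exec on %s", fname.c_str()));`. After this commit the call also sits outside the `else` block, so it runs on the execute branch too, whose setup of `file` begins above the hunk; whether that is intended cannot be judged from here. Raw::OpenInput()'s start is outside the hunk.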
@@ -55,7 +55,7 @@ void Raw::DoClose()
 if ( file != 0 )
 CloseInput();
 
- if ( buf != 0 )
+ if ( buf != 0 )
 {
 // we still have output that has not been flushed. Throw away.
 delete buf;
@@ -169,8 +169,8 @@ bool Raw::OpenInput()
 Error(Fmt("Init: cannot open %s", fname.c_str()));
 return false;
 }
- }
 fcntl(fileno(file), F_SETFD, FD_CLOEXEC);
+ }
 
 return true;
 }
@@ -468,7 +468,7 @@ bool Raw::DoUpdate()
 if ( length == -3 )
 return false;
 
- else if ( length == -2 || length == -1 )
+ else if ( length == -2 || length == -1 ) // no data ready or eof
 break;
From d8801bb9c4bc8c898a6c0b51ddb7a647076237bc Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Wed, 17 Jul 2013 17:31:16 -0700
Subject: [PATCH 175/200] Canonifying internal order for plugins and their components to make it deterministic.
---
 aux/btest | 2 +-
 src/analyzer/Component.h | 2 +-
 src/file_analysis/Component.h | 2 +-
 src/plugin/Component.h | 6 +++++
 src/plugin/Manager.cc | 9 +++++++
 src/plugin/Plugin.cc | 9 +++++++
 .../Baseline/core.print-bpf-filters/conn.log | 4 ++--
 .../Baseline/core.print-bpf-filters/output | 24 +++++++++----------
 8 files changed, 41 insertions(+), 17 deletions(-)
diff --git a/aux/btest b/aux/btest
index c2e73c9e1e..b1d4faf239 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit c2e73c9e1efed6bfdf2d977d716c97773c39492e
+Subproject commit b1d4faf23900d4753e93a68abbba45ae3bf96d03
diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h
index f3d91c7f90..9e12ed347e 100644
--- a/src/analyzer/Component.h
+++ b/src/analyzer/Component.h
@@ -72,7 +72,7 @@ public:
 * from what's passed to the constructor but upper-cased and
 * canonified to allow being part of a script-level ID.
 */
- const char* Name() const { return name; }
+ virtual const char* Name() const { return name; }
 
 /**
 * Returns a canonocalized version of the analyzer's name. The
diff --git a/src/file_analysis/Component.h b/src/file_analysis/Component.h
index 8b79436991..3cdc69efdf 100644
--- a/src/file_analysis/Component.h
+++ b/src/file_analysis/Component.h
@@ -64,7 +64,7 @@ public:
 * from what's passed to the constructor but upper-cased and
 * canonified to allow being part of a script-level ID.
 */
- const char* Name() const { return name; }
+ virtual const char* Name() const { return name; }
 
 /**
 * Returns a canonocalized version of the analyzer's name. The
diff --git a/src/plugin/Component.h b/src/plugin/Component.h
index 4ac448e466..ad02dc7e4b 100644
--- a/src/plugin/Component.h
+++ b/src/plugin/Component.h
@@ -45,6 +45,12 @@ public:
 */
 component::Type Type() const;
 
+ /**
+ * Returns a descriptive name for the analyzer. This name must be
+ * unique across all components of the same type.
+ */
+ virtual const char* Name() const = 0;
+
 /**
 * Returns a textual representation of the component. The default
 * version just output the type. Derived version should call the
diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc
index 93ed3f2b97..67f4dea2bd 100644
--- a/src/plugin/Manager.cc
+++ b/src/plugin/Manager.cc
@@ -30,9 +30,18 @@ bool Manager::LoadPluginsFrom(const std::string& dir)
 return false;
 }
 
+static bool plugin_cmp(const Plugin* a, const Plugin* b)
+ {
+ return a->Name() < b->Name();
+ }
+
 bool Manager::RegisterPlugin(Plugin *plugin)
 {
 Manager::PluginsInternal()->push_back(plugin);
+
+ // Sort plugins by name to make sure we have a deterministic order.
+ PluginsInternal()->sort(plugin_cmp);
+
 return true;
 }
diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc
index 084c49f51e..eaac8a3b25 100644
--- a/src/plugin/Plugin.cc
+++ b/src/plugin/Plugin.cc
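Review bot: The doc comment on the new pure virtual `Name()` in plugin::Component says it names "the analyzer", but this class is the generic component base (it sits next to `component::Type Type() const`), and the comment leaves open who owns the returned `const char*` and how long it stays valid. Because the value is now used as a sort key by Plugin::AddComponent(), the contract worth writing down is: `Returns a descriptive name for the component, unique across all components of the same type. The pointer stays valid for the component's lifetime and the value must not change after registration, as it is used for ordering.`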
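Review bot: `return a->Name() < b->Name();` in plugin_cmp applies the built-in `<` to the two return values; if Plugin::Name() returns `const char*`, as Component::Name() is declared to in this same commit, that orders plugins by the address of their name strings rather than by their spelling, and the resulting order is no more deterministic than before. `return strcmp(a->Name(), b->Name()) < 0;` (with `<cstring>`) compares the names themselves. Plugin::Name()'s declaration is not in this diff, so this is hedged for plugin_cmp, but component_cmp in the Plugin.cc hunk below uses the identical expression on Component::Name(), which is `virtual const char* Name() const` here, so that one is certainly a pointer comparison and needs the same fix.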
@@ -156,9 +156,18 @@ Plugin::component_list Plugin::Components() const
 return components;
 }
 
+static bool component_cmp(const Component* a, const Component* b)
+ {
+ return a->Name() < b->Name();
+ }
+
 void Plugin::AddComponent(Component* c)
 {
 components.push_back(c);
+
+ // Sort components by name to make sure we have a deterministic
+ // order.
+ components.sort(component_cmp);
 }
 
 void Plugin::AddBifInitFunction(bif_init_func c)
diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log
index 745673c027..166286203e 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/conn.log
+++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path conn
-#open 2013-07-08-20-05-18
+#open 2013-07-18-00-18-33
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
 1278600802.069419 UWkUyAuUGXf 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - 0 ShADadfF 7 381 7 3801 (empty)
-#close 2013-07-08-20-05-18
+#close 2013-07-18-00-18-33
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output
index 8ccc04b1a7..871719bba8 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output
+++ b/testing/btest/Baseline/core.print-bpf-filters/output
@@ -3,38 +3,38 @@ #empty_field (empty) #unset_field - #path packet_filter -#open 2013-07-08-20-05-17 +#open 2013-07-18-00-18-33 #fields ts node filter init success #types time string string bool bool -1373313917.926565 - ip or not ip T T -#close 2013-07-08-20-05-17 +1374106713.105591 - ip or not ip T T +#close 2013-07-18-00-18-33 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2013-07-08-20-05-18 +#open 2013-07-18-00-18-33 #fields ts node filter init success #types time string string bool bool -1373313918.205206 - port 42 T T -#close 2013-07-08-20-05-18 +1374106713.385541 - port 42 T T +#close 2013-07-18-00-18-33 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2013-07-08-20-05-18 +#open 2013-07-18-00-18-33 #fields ts node filter init success #types time string string bool bool -1373313918.491383 - (vlan) and (ip or not ip) T T -#close 2013-07-08-20-05-18 +1374106713.664282 - (vlan) and (ip or not ip) T T +#close 2013-07-18-00-18-33 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2013-07-08-20-05-18 +#open 2013-07-18-00-18-33 #fields ts node filter init success #types time string string bool bool -1373313918.795264 - ((((((((((((udp and port 3544) or (udp and port 514)) or ((tcp and port 2811) or (tcp and port 21))) or (tcp and port 502)) or ((((tcp and port 6669) or (tcp and port 6666)) or (tcp and port 6668)) or (tcp and port 6667))) or (tcp and port 1080)) or ((udp and port 2152) or (udp and port 2123))) or ((((((((tcp and port 631) or (tcp and port 8888)) or (tcp and port 3128)) or (tcp and port 80)) or (tcp and port 1080)) or (tcp and port 8000)) or (tcp and port 81)) or (tcp and port 8080))) or (udp and port 5072)) or ((tcp and port 25) or (tcp and port 587))) or (((((((((((tcp and port 5223) or (tcp and port 585)) or (tcp and port 614)) or (tcp and port 993)) or (tcp and port 636)) or (tcp and port 989)) or (tcp and 
port 995)) or (tcp and port 443)) or (tcp and port 563)) or (tcp and port 990)) or (tcp and port 992))) or (((((udp and port 5355) or (tcp and port 53)) or (udp and port 5353)) or (udp and port 137)) or (udp and port 53))) or (tcp and port 22) T T -#close 2013-07-08-20-05-18 +1374106713.957005 - ((((((((((((((((((((((tcp and port 5223) or (tcp and port 585)) or (tcp and port 614)) or (tcp and port 993)) or (tcp and port 636)) or (tcp and port 989)) or (tcp and port 995)) or (tcp and port 443)) or (tcp and port 563)) or (tcp and port 990)) or (tcp and port 992)) or ((tcp and port 2811) or (tcp and port 21))) or ((((tcp and port 6669) or (tcp and port 6666)) or (tcp and port 6668)) or (tcp and port 6667))) or ((udp and port 2152) or (udp and port 2123))) or (tcp and port 22)) or (tcp and port 1080)) or ((((((((tcp and port 631) or (tcp and port 8888)) or (tcp and port 3128)) or (tcp and port 80)) or (tcp and port 1080)) or (tcp and port 8000)) or (tcp and port 81)) or (tcp and port 8080))) or (udp and port 5072)) or ((tcp and port 25) or (tcp and port 587))) or (tcp and port 502)) or (udp and port 514)) or (((((udp and port 5355) or (tcp and port 53)) or (udp and port 5353)) or (udp and port 137)) or (udp and port 53))) or (udp and port 3544) T T +#close 2013-07-18-00-18-33 From efd343af8d0122975536308b7a98689f6def42d1 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 17 Jul 2013 21:55:36 -0700 Subject: [PATCH 176/200] Extending external canonifier to remove fractional values from capture_loss.log. --- testing/scripts/diff-canonifier-external | 9 ++++++++- testing/scripts/diff-remove-fractions | 6 ++++++ 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100755 testing/scripts/diff-remove-fractions diff --git a/testing/scripts/diff-canonifier-external b/testing/scripts/diff-canonifier-external index f4356154e4..37a51fa72f 100755 --- a/testing/scripts/diff-canonifier-external +++ b/testing/scripts/diff-canonifier-external 
@@ -2,10 +2,17 @@
 #
 # Default canonifier used with the trace-based tests in testing/external/*.
 
+addl="cat"
+
+if [ "$1" == "capture_loss.log" ]; then
+ addl="`dirname $0`/diff-remove-fractions"
+fi
+
 `dirname $0`/diff-remove-timestamps \
 | `dirname $0`/diff-remove-uids \
 | `dirname $0`/diff-remove-file-ids \
 | `dirname $0`/diff-remove-x509-names \
 | `dirname $0`/diff-canon-notice-policy \
- | `dirname $0`/diff-sort
+ | `dirname $0`/diff-sort \
+ | eval $addl
diff --git a/testing/scripts/diff-remove-fractions b/testing/scripts/diff-remove-fractions
new file mode 100755
index 0000000000..975157913c
--- /dev/null
+++ b/testing/scripts/diff-remove-fractions
@@ -0,0 +1,6 @@
+#! /usr/bin/env bash
+#
+# Replace fractions of double value (i.e., 3.14 -> 3.x).
+
+sed 's/\.[0-9]\{1,\}/.X/g'
+
From c373f93c4f8922c31e8676ba7aa139e594b41bcf Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Wed, 17 Jul 2013 21:57:25 -0700
Subject: [PATCH 177/200] Updating submodule(s). [nomail]
---
 aux/btest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aux/btest b/aux/btest
index b1d4faf239..ce366206e3 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit b1d4faf23900d4753e93a68abbba45ae3bf96d03
+Subproject commit ce366206e3407e534a786ad572c342e9f9fef26b
From 1e32100fed2eac8639453739c376dc070befc9c0 Mon Sep 17 00:00:00 2001
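Review bot: `| eval $addl` re-parses an unquoted path built from `dirname $0` as shell code and word-splits it, and `eval` is not needed to run a command held in a variable; `| "$addl"` runs the filter directly (with `addl="$(dirname "$0")/diff-remove-fractions"` so a test directory containing spaces still works). `[ "$1" == "capture_loss.log" ]` also relies on bash's `==` inside `[`; `=` is the portable spelling. The script's shebang is above the hunk, so whether it is guaranteed to run under bash is not visible here.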
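Review bot: The header comment of diff-remove-fractions says `3.14 -> 3.x`, but the sed expression `s/\.[0-9]\{1,\}/.X/g` produces `3.X`, and it rewrites every dot-digit run in the input, so IP addresses and dotted version strings are mangled as well (10.0.0.15 becomes 10.X.X.X). Worth stating that in the comment, e.g. `# Replace the fractional part of every number (3.14 -> 3.X). Note this also hits dotted tokens such as IP addresses, so only apply it to logs where that is acceptable (the caller restricts it to capture_loss.log).`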
From: Seth Hall Date: Thu, 18 Jul 2013 09:24:22 -0400 Subject: [PATCH 178/200] Fixing a dns reporter message in master. --- scripts/base/protocols/dns/main.bro | 5 +++++ .../dns.log | 11 +++++++++++ .../weird.log | 11 +++++++++++ testing/btest/Traces/dns-two-responses.trace | Bin 0 -> 1006 bytes .../base/protocols/dns/duplicate-reponses.bro | 5 +++++ 5 files changed, 32 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log create mode 100644 testing/btest/Traces/dns-two-responses.trace create mode 100644 testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index ea3ec016de..bf47519cd8 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -207,6 +207,11 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) { if ( ans$answer_type == DNS_ANS ) { + if ( ! c?$dns ) + { + event conn_weird("dns_unmatched_reply", c, ""); + hook set_session(c, msg, F); + } c$dns$AA = msg$AA; c$dns$RA = msg$RA; diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log new file mode 100644 index 0000000000..ca071ee8ef --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2013-07-18-13-21-52 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +1363716396.798072 UWkUyAuUGXf 55.247.223.174 27285 222.195.43.124 53 udp 21140 www.cmu.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www-cmu.andrew.cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163,www-cmu.andrew.cmu.edu 86400.000000,5.000000,21600.000000,86400.000000 F +1363716396.798374 UWkUyAuUGXf 55.247.223.174 27285 222.195.43.124 53 udp 21140 - - - - - 0 NOERROR T F F F 0 www-cmu-2.andrew.cmu.edu,128.2.10.163 5.000000,21600.000000 F +#close 2013-07-18-13-21-52 diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log new file mode 100644 index 0000000000..c7de92f894 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2013-07-18-13-21-52 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1363716396.798286 UWkUyAuUGXf 55.247.223.174 27285 222.195.43.124 53 DNS_RR_unknown_type - F bro +1363716396.798374 UWkUyAuUGXf 55.247.223.174 27285 222.195.43.124 53 dns_unmatched_reply - F bro +#close 2013-07-18-13-21-52 
diff --git a/testing/btest/Traces/dns-two-responses.trace b/testing/btest/Traces/dns-two-responses.trace new file mode 100644 index 0000000000000000000000000000000000000000..627b0d2ebe091fcec6ffbbcbe8c96019235d718b GIT binary patch literal 1006 zcmca|c+)~A1{MYw`2U}Qff2~jS?Lj2q07S%1Z0CSgWArB$9EYdN*v}ea4@(sFt{8u zVPG&6T-a~^{r7O<@oK8v!(kxxBobIXSnKIW?seWG>KTO#z@` z4L}UC!B3BeVHHpigdt`_>;c)pI7dvGfx$u0(Gz4k$QB0Etf`D0FD3*{X#v^5!T@wQ zh7AXJ7+66z1vW4UvWJI<>pJ^}vN`&>1i6ME5CBT*K_zE1u(C6Qlm*6YiVifDsFGHO zyEMB*YExpCz3~R!=||*l#~<*%XH>z~zW2P!4u#%zr2&tl#auLguaxB}dLF)<_q4?% z-vV8hr4whT+p@C7sj%&|o_X5qrt6X1P%e$Pdk&s{cH8jyj#RD`jWxfv=+v2VaV*~8gd{4Nrnq5V{}mVpeR^BC~ScG899J_ i8K`~%HTK^cz({}rmV^38YTr&-ffjSiMq_RW#vA~4#T8xv literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro b/testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro new file mode 100644 index 0000000000..a16235b9a5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro @@ -0,0 +1,5 @@ +# This tests the case where the DNS server responded with zero RRs. +# +# @TEST-EXEC: bro -r $TRACES/dns-two-responses.trace +# @TEST-EXEC: btest-diff dns.log +# @TEST-EXEC: btest-diff weird.log \ No newline at end of file From 006e370ee04775c6196b52368c93897402115992 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 18 Jul 2013 19:58:19 -0700 Subject: [PATCH 179/200] Canonyfying the output of core.print-bpf-filters. I couldn't figure out why it's not stable but it doesn't seem to matter for now unless more such situations show up. --- .../Baseline/core.print-bpf-filters/output | 28 ++++-------- .../Baseline/core.print-bpf-filters/output2 | 43 +++++++++++++++++++ testing/btest/core/print-bpf-filters.bro | 9 +++- 3 files changed, 59 insertions(+), 21 deletions(-) create mode 100644 testing/btest/Baseline/core.print-bpf-filters/output2 
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output
index 871719bba8..2f7a1d9386 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output
+++ b/testing/btest/Baseline/core.print-bpf-filters/output
@@ -3,38 +3,28 @@ #empty_field (empty) #unset_field - #path packet_filter -#open 2013-07-18-00-18-33 +#open 2013-07-19-02-54-13 #fields ts node filter init success #types time string string bool bool -1374106713.105591 - ip or not ip T T -#close 2013-07-18-00-18-33 +1374202453.158981 - ip or not ip T T +#close 2013-07-19-02-54-13 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2013-07-18-00-18-33 +#open 2013-07-19-02-54-13 #fields ts node filter init success #types time string string bool bool -1374106713.385541 - port 42 T T -#close 2013-07-18-00-18-33 +1374202453.437816 - port 42 T T +#close 2013-07-19-02-54-13 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path packet_filter -#open 2013-07-18-00-18-33 +#open 2013-07-19-02-54-13 #fields ts node filter init success #types time string string bool bool -1374106713.664282 - (vlan) and (ip or not ip) T T -#close 2013-07-18-00-18-33 -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path packet_filter -#open 2013-07-18-00-18-33 -#fields ts node filter init success -#types time string string bool bool -1374106713.957005 - ((((((((((((((((((((((tcp and port 5223) or (tcp and port 585)) or (tcp and port 614)) or (tcp and port 993)) or (tcp and port 636)) or (tcp and port 989)) or (tcp and port 995)) or (tcp and port 443)) or (tcp and port 563)) or (tcp and port 990)) or (tcp and port 992)) or ((tcp and port 2811) or (tcp and port 21))) or ((((tcp and port 6669) or (tcp and port 6666)) or (tcp and port 6668)) or (tcp and port 6667))) or ((udp and port 2152) or (udp and port 2123))) or (tcp and port 22)) or (tcp and port 1080)) or ((((((((tcp and port 631) or (tcp and port 8888)) or (tcp and port 3128)) or (tcp and port 80)) or (tcp and port 1080)) or (tcp and port 8000)) or (tcp and port 81)) or (tcp and port 8080))) or (udp and port 5072)) or ((tcp and port 25) or (tcp and port 587))) or (tcp and port 502)) or (udp and port 
514)) or (((((udp and port 5355) or (tcp and port 53)) or (udp and port 5353)) or (udp and port 137)) or (udp and port 53))) or (udp and port 3544) T T -#close 2013-07-18-00-18-33 +1374202453.715717 - (vlan) and (ip or not ip) T T +#close 2013-07-19-02-54-13 diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 new file mode 100644 index 0000000000..460b02e055 --- /dev/null +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -0,0 +1,43 @@ + 2 1080 + 1 137 + 1 21 + 1 2123 + 1 2152 + 1 22 + 1 25 + 1 2811 + 1 3128 + 1 3544 + 1 443 + 1 502 + 1 5072 + 1 514 + 1 5223 + 2 53 + 1 5353 + 1 5355 + 1 563 + 1 585 + 1 587 + 1 614 + 1 631 + 1 636 + 1 6666 + 1 6667 + 1 6668 + 1 6669 + 1 80 + 1 8000 + 1 8080 + 1 81 + 1 8888 + 1 989 + 1 990 + 1 992 + 1 993 + 1 995 + 40 and + 39 or + 40 port + 31 tcp + 9 udp diff --git a/testing/btest/core/print-bpf-filters.bro b/testing/btest/core/print-bpf-filters.bro index 2c3d761cca..410db14b5d 100644 --- a/testing/btest/core/print-bpf-filters.bro +++ b/testing/btest/core/print-bpf-filters.bro @@ -4,7 +4,12 @@ # @TEST-EXEC: cat packet_filter.log >>output # @TEST-EXEC: bro -r $TRACES/mixed-vlan-mpls.trace PacketFilter::restricted_filter="vlan" >>output # @TEST-EXEC: cat packet_filter.log >>output -# @TEST-EXEC: bro -r $TRACES/empty.trace PacketFilter::enable_auto_protocol_capture_filters=T >>output -# @TEST-EXEC: cat packet_filter.log >>output # @TEST-EXEC: btest-diff output # @TEST-EXEC: btest-diff conn.log +# +# The order in the output of enable_auto_protocol_capture_filters isn't +# stable, for reasons not clear. We canonify it first. +# @TEST-EXEC: bro -r $TRACES/empty.trace PacketFilter::enable_auto_protocol_capture_filters=T +# @TEST-EXEC: cat packet_filter.log | bro-cut filter | sed 's#[()]##g' | tr ' ' '\n' | sort | uniq -c >output2 +# @TEST-EXEC: btest-diff output2 + From d3495207453aa5f10edef51699606856e9829987 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Thu, 18 Jul 2013 21:34:02 -0700 Subject: [PATCH 180/200] Another test fix. The classic "uniq -c" is not portable ... --- .../Baseline/core.print-bpf-filters/output2 | 86 +++++++++---------- testing/btest/core/print-bpf-filters.bro | 2 +- 2 files changed, 44 insertions(+), 44 deletions(-) diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index 460b02e055..99ad929fbf 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -1,43 +1,43 @@ - 2 1080 - 1 137 - 1 21 - 1 2123 - 1 2152 - 1 22 - 1 25 - 1 2811 - 1 3128 - 1 3544 - 1 443 - 1 502 - 1 5072 - 1 514 - 1 5223 - 2 53 - 1 5353 - 1 5355 - 1 563 - 1 585 - 1 587 - 1 614 - 1 631 - 1 636 - 1 6666 - 1 6667 - 1 6668 - 1 6669 - 1 80 - 1 8000 - 1 8080 - 1 81 - 1 8888 - 1 989 - 1 990 - 1 992 - 1 993 - 1 995 - 40 and - 39 or - 40 port - 31 tcp - 9 udp +2 1080 +1 137 +1 21 +1 2123 +1 2152 +1 22 +1 25 +1 2811 +1 3128 +1 3544 +1 443 +1 502 +1 5072 +1 514 +1 5223 +2 53 +1 5353 +1 5355 +1 563 +1 585 +1 587 +1 614 +1 631 +1 636 +1 6666 +1 6667 +1 6668 +1 6669 +1 80 +1 8000 +1 8080 +1 81 +1 8888 +1 989 +1 990 +1 992 +1 993 +1 995 +40 and +39 or +40 port +31 tcp +9 udp diff --git a/testing/btest/core/print-bpf-filters.bro b/testing/btest/core/print-bpf-filters.bro index 410db14b5d..6e4a4d5c30 100644 --- a/testing/btest/core/print-bpf-filters.bro +++ b/testing/btest/core/print-bpf-filters.bro 
@@ -10,6 +10,6 @@
 # The order in the output of enable_auto_protocol_capture_filters isn't
 # stable, for reasons not clear. We canonify it first.
 # @TEST-EXEC: bro -r $TRACES/empty.trace PacketFilter::enable_auto_protocol_capture_filters=T
-# @TEST-EXEC: cat packet_filter.log | bro-cut filter | sed 's#[()]##g' | tr ' ' '\n' | sort | uniq -c >output2
+# @TEST-EXEC: cat packet_filter.log | bro-cut filter | sed 's#[()]##g' | tr ' ' '\n' | sort | uniq -c | awk '{print $1, $2}' >output2
 # @TEST-EXEC: btest-diff output2
 
From fd2e155d1af26086d40e12d38f564b7954f4597e Mon Sep 17 00:00:00 2001
From: Matthias Vallentin
Date: Sun, 21 Jul 2013 17:34:25 +0200
Subject: [PATCH 181/200] Tweak hasher interface.
---
 src/BloomFilter.cc | 34 +++++++-------
 src/BloomFilter.h | 31 +++++++------
 src/CMakeLists.txt | 2 +-
 src/HashPolicy.cc | 77 --------------------------------
 src/HashPolicy.h | 97 ----------------------------------------
 src/Hasher.cc | 79 ++++++++++++++++++++++++++++++++
 src/Hasher.h | 109 +++++++++++++++++++++++++++++++++++++++++++++
 src/bro.bif | 8 ++--
 8 files changed, 225 insertions(+), 212 deletions(-)
 delete mode 100644 src/HashPolicy.cc
 delete mode 100644 src/HashPolicy.h
 create mode 100644 src/Hasher.cc
 create mode 100644 src/Hasher.h
diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc
index c59092b1e4..f399bddeca 100644
--- a/src/BloomFilter.cc
+++ b/src/BloomFilter.cc
@@ -6,19 +6,19 @@
 #include "Serializer.h"
 
 BloomFilter::BloomFilter()
- : hash_(NULL)
+ : hasher_(NULL)
 {
 }
 
-BloomFilter::BloomFilter(const HashPolicy* hash_policy)
- : hash_(hash_policy)
+BloomFilter::BloomFilter(const Hasher* hasher)
+ : hasher_(hasher)
 {
 }
 
 BloomFilter::~BloomFilter()
 {
- if ( hash_ )
- delete hash_;
+ if ( hasher_ )
+ delete hasher_;
 }
 
 bool BloomFilter::Serialize(SerialInfo* info) const
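Review bot: `~BloomFilter()` deletes `hasher_`, but nothing in this hunk or in the BloomFilter.h hunks below disables copying, so a copied or assigned BloomFilter would leave two objects owning the same Hasher and double-delete it on destruction; if copy control is not declared elsewhere in the class, a private, unimplemented copy constructor and assignment operator (the pre-C++11 idiom the rest of this code already uses, e.g. `NULL` and `virtual` without `override`) closes that hole. The `if ( hasher_ )` guard is redundant since `delete` on a null pointer is a no-op, so `delete hasher_;` alone reads cleaner.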
@@ -35,9 +35,9 @@ BloomFilter* BloomFilter::Unserialize(UnserialInfo* info)
 bool BloomFilter::DoSerialize(SerialInfo* info) const
 {
 DO_SERIALIZE(SER_BLOOMFILTER, SerialObj);
- if ( ! SERIALIZE(static_cast(hash_->K())) )
+ if ( ! SERIALIZE(static_cast(hasher_->K())) )
 return false;
- return SERIALIZE_STR(hash_->Name().c_str(), hash_->Name().size());
+ return SERIALIZE_STR(hasher_->Name().c_str(), hasher_->Name().size());
 }
 
 bool BloomFilter::DoUnserialize(UnserialInfo* info)
@@ -49,7 +49,7 @@ bool BloomFilter::DoUnserialize(UnserialInfo* info)
 const char* name;
 if ( ! UNSERIALIZE_STR(&name, 0) )
 return false;
- hash_ = HashPolicy::Create(k, name);
+ hasher_ = Hasher::Create(k, name);
 delete [] name;
 return true;
 }
@@ -70,7 +70,7 @@ size_t BasicBloomFilter::K(size_t cells, size_t capacity)
 BasicBloomFilter* BasicBloomFilter::Merge(const BasicBloomFilter* x,
 const BasicBloomFilter* y)
 {
- // TODO: Ensure that x and y use the same HashPolicy before proceeding.
+ // TODO: Ensure that x and y use the same Hasher before proceeding.
 BasicBloomFilter* result = new BasicBloomFilter();
 result->bits_ = new BitVector(*x->bits_ | *y->bits_);
 return result;
@@ -81,8 +81,8 @@ BasicBloomFilter::BasicBloomFilter()
 {
 }
 
-BasicBloomFilter::BasicBloomFilter(const HashPolicy* hash_policy, size_t cells)
- : BloomFilter(hash_policy),
+BasicBloomFilter::BasicBloomFilter(const Hasher* hasher, size_t cells)
+ : BloomFilter(hasher),
 bits_(new BitVector(cells))
 {
 }
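Review bot: `hasher_ = Hasher::Create(k, name);` in DoUnserialize() passes a `k` read from the serialized stream (above the hunk) and a name from the same stream straight to the factory with no range check; since `k` sizes the hasher set and every digest vector, a corrupt or hostile serialized filter arriving from a peer with a huge `k` becomes an oversized allocation or very long per-lookup loops on the receiving node. Validating first, e.g. `if ( k == 0 || k > MAX_K ) return false;` with MAX_K a project-chosen bound (it does not exist on this page), and checking the result of Hasher::Create() — its failure behaviour is not visible in this diff — is the defensive form. If DoUnserialize() can run on an object that already owns a hasher, the plain assignment also leaks the previous one.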
@@ -102,13 +102,13 @@ bool BasicBloomFilter::DoUnserialize(UnserialInfo* info)
 return bits_ != NULL;
 }
 
-void BasicBloomFilter::AddImpl(const HashPolicy::hash_vector& h)
+void BasicBloomFilter::AddImpl(const Hasher::digest_vector& h)
 {
 for ( size_t i = 0; i < h.size(); ++i )
 bits_->Set(h[i] % bits_->Size());
 }
 
-size_t BasicBloomFilter::CountImpl(const HashPolicy::hash_vector& h) const
+size_t BasicBloomFilter::CountImpl(const Hasher::digest_vector& h) const
 {
 for ( size_t i = 0; i < h.size(); ++i )
 if ( ! (*bits_)[h[i] % bits_->Size()] )
@@ -129,9 +129,9 @@ CountingBloomFilter::CountingBloomFilter()
 {
 }
 
-CountingBloomFilter::CountingBloomFilter(const HashPolicy* hash_policy,
+CountingBloomFilter::CountingBloomFilter(const Hasher* hasher,
 size_t cells, size_t width)
- : BloomFilter(hash_policy)
+ : BloomFilter(hasher)
 {
 cells_ = new CounterVector(width, cells);
 }
@@ -152,13 +152,13 @@ bool CountingBloomFilter::DoUnserialize(UnserialInfo* info)
 return cells_ != NULL;
 }
 
-void CountingBloomFilter::AddImpl(const HashPolicy::hash_vector& h)
+void CountingBloomFilter::AddImpl(const Hasher::digest_vector& h)
 {
 for ( size_t i = 0; i < h.size(); ++i )
 cells_->Increment(h[i] % cells_->Size(), 1);
 }
 
-size_t CountingBloomFilter::CountImpl(const HashPolicy::hash_vector& h) const
+size_t CountingBloomFilter::CountImpl(const Hasher::digest_vector& h) const
 {
 CounterVector::size_type min = std::numeric_limits::max();
diff --git a/src/BloomFilter.h b/src/BloomFilter.h
index 189f4920b7..92f15c6070 100644
--- a/src/BloomFilter.h
+++ b/src/BloomFilter.h
@@ -3,7 +3,7 @@
 
 #include 
 #include "BitVector.h"
-#include "HashPolicy.h"
+#include "Hasher.h"
 
 class CounterVector;
 
@@ -12,7 +12,7 @@ class CounterVector;
 */
 class BloomFilter : public SerialObj {
 public:
- // At this point we won't let the user choose the hash policy, but we might
+ // At this point we won't let the user choose the hasher, but we might
 // open up the interface in the future.
 virtual ~BloomFilter();
 
@@ -23,7 +23,7 @@ public:
 template
 void Add(const T& x)
 {
- AddImpl(hash_->Hash(&x, sizeof(x)));
+ AddImpl((*hasher_)(x));
 }
 
 /**
@@ -36,7 +36,7 @@ public:
 template
 size_t Count(const T& x) const
 {
- return CountImpl(hash_->Hash(&x, sizeof(x)));
+ return CountImpl((*hasher_)(x));
 }
 
 bool Serialize(SerialInfo* info) const;
@@ -50,15 +50,15 @@ protected:
 /**
 * Constructs a Bloom filter.
 *
- * @param hash_policy The hash policy to use for this Bloom filter.
+ * @param hasher The hasher to use for this Bloom filter.
 */
- BloomFilter(const HashPolicy* hash_policy);
+ BloomFilter(const Hasher* hasher);
 
- virtual void AddImpl(const HashPolicy::hash_vector& hashes) = 0;
- virtual size_t CountImpl(const HashPolicy::hash_vector& hashes) const = 0;
+ virtual void AddImpl(const Hasher::digest_vector& hashes) = 0;
+ virtual size_t CountImpl(const Hasher::digest_vector& hashes) const = 0;
 
 private:
- const HashPolicy* hash_;
+ const Hasher* hasher_;
 };
 
 /**
@@ -98,15 +98,15 @@ public:
 /**
 * Constructs a basic Bloom filter with a given number of cells and capacity.
 */
- BasicBloomFilter(const HashPolicy* hash_policy, size_t cells);
+ BasicBloomFilter(const Hasher* hasher, size_t cells);
 
 protected:
 DECLARE_SERIAL(BasicBloomFilter);
 
 BasicBloomFilter();
 
- virtual void AddImpl(const HashPolicy::hash_vector& h);
- virtual size_t CountImpl(const HashPolicy::hash_vector& h) const;
+ virtual void AddImpl(const Hasher::digest_vector& h);
+ virtual size_t CountImpl(const Hasher::digest_vector& h) const;
 
 private:
 BitVector* bits_;
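Review bot: `AddImpl((*hasher_)(x));` (and the matching `CountImpl((*hasher_)(x));` in the next hunk) moves the decision of which bytes of `x` get hashed out of this header into Hasher::operator(), whose definition is not in this chunk, yet the template doc on Add()/Count() says nothing about what `T` may be; the old form hashed the `sizeof(x)` raw bytes of the object, which is only sound for padding-free plain-data types and silently hashes pointer values for anything like std::string. A note on the template would prevent misuse, e.g. `T must be a plain-data type whose object representation is its value; see Hasher::operator() for the exact requirements.` — adjust to whatever Hasher actually implements. The default constructor sets `hasher_(NULL)`, so Add()/Count() on a filter that was default-constructed but never unserialized dereferences null; presumably that path is internal to serialization, but that is worth a comment too.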
@@ -120,16 +120,15 @@ public:
 static CountingBloomFilter* Merge(const CountingBloomFilter* x,
 const CountingBloomFilter* y);
 
- CountingBloomFilter(const HashPolicy* hash_policy, size_t cells,
- size_t width);
+ CountingBloomFilter(const Hasher* hasher, size_t cells, size_t width);
 
 protected:
 DECLARE_SERIAL(CountingBloomFilter);
 
 CountingBloomFilter();
 
- virtual void AddImpl(const HashPolicy::hash_vector& h);
- virtual size_t CountImpl(const HashPolicy::hash_vector& h) const;
+ virtual void AddImpl(const Hasher::digest_vector& h);
+ virtual size_t CountImpl(const Hasher::digest_vector& h) const;
 
 private:
 CounterVector* cells_;
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index f2c7ce6bad..87a3db3b62 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -279,7 +279,7 @@ set(bro_SRCS
 Frame.cc
 Func.cc
 Hash.cc
- HashPolicy.cc
+ Hasher.cc
 ID.cc
 IntSet.cc
 IOSource.cc
diff --git a/src/HashPolicy.cc b/src/HashPolicy.cc
deleted file mode 100644
index 7ce754be3c..0000000000
--- a/src/HashPolicy.cc
+++ /dev/null
@@ -1,77 +0,0 @@
-#include "HashPolicy.h"
-
-#include "digest.h"
-
-Hasher::Hasher(size_t seed, const std::string& extra)
- : h_(compute_seed(seed, extra))
- {
- }
-
-Hasher::hash_type Hasher::operator()(const void* x, size_t n) const
- {
- return n == 0 ? 0 : h_(x, n);
- }
-
-size_t Hasher::compute_seed(size_t seed, const std::string& extra)
- {
- u_char digest[SHA256_DIGEST_LENGTH];
- SHA256_CTX ctx;
- sha256_init(&ctx);
- if ( extra.empty() )
- {
- unsigned int first_seed = initial_seed();
- sha256_update(&ctx, &first_seed, sizeof(first_seed));
- }
- else
- {
- sha256_update(&ctx, extra.c_str(), extra.size());
- }
- sha256_update(&ctx, &seed, sizeof(seed));
- sha256_final(&ctx, digest);
- return *reinterpret_cast(digest);
- }
-
-
-HashPolicy* HashPolicy::Create(size_t k, const std::string& name)
- {
- return new DefaultHashing(k, name);
- }
-
-HashPolicy::HashPolicy(size_t k, const std::string& name)
- : k_(k), name_(name)
- {
- }
-
-DefaultHashing::DefaultHashing(size_t k, const std::string& name)
- : HashPolicy(k, name)
- {
- for ( size_t i = 0; i < k; ++i )
- hashers_.push_back(Hasher(i, name));
- }
-
-HashPolicy::hash_vector DefaultHashing::Hash(const void* x, size_t n) const
- {
- hash_vector h(K(), 0);
- for ( size_t i = 0; i < h.size(); ++i )
- h[i] = hashers_[i](x, n);
- return h;
- }
-
-DoubleHashing::DoubleHashing(size_t k, const std::string& name)
- : HashPolicy(k, name),
- hasher1_(1, name),
- hasher2_(2, name)
- {
- }
-
-HashPolicy::hash_vector DoubleHashing::Hash(const void* x, size_t n) const
- {
- hash_type h1 = hasher1_(x, n);
- hash_type h2 = hasher2_(x, n);
- hash_vector h(K(), 0);
- for ( size_t i = 0; i < h.size(); ++i )
- h[i] = h1 + i * h2;
- return h;
- }
-
-
diff --git a/src/HashPolicy.h b/src/HashPolicy.h
deleted file mode 100644
index 7bdb968bfe..0000000000
--- a/src/HashPolicy.h
+++ /dev/null
@@ -1,97 +0,0 @@ -#ifndef HashPolicy_h -#define HashPolicy_h - -#include "Hash.h" -#include "H3.h" - -/** - * A functor that computes a universal hash function. - */ -class Hasher { -public: - typedef hash_t hash_type; - - /** - * Constructs a hasher seeded by a given seed and optionally an extra - * descriptor. - * - * @param seed The seed to use. - * - * @param extra If not `NULL`, the hasher will not mix in the initial seed - * but instead use this NUL-terminated string as additional seed. - */ - Hasher(size_t seed, const std::string& extra = ""); - - /** - * Computes the hash digest of contiguous data. - * - * @param x A pointer to the beginning of the byte sequence to hash. - * - * @param n The length of the sequence pointed to by *x*. - */ - hash_type operator()(const void* x, size_t n) const; - -private: - static size_t compute_seed(size_t seed, const std::string& extra); - - H3 h_; -}; - -/** - * The abstract base class for hash policies that hash elements *k* times. - */ -class HashPolicy { -public: - /** - * Constructs the hashing policy used by the implementation. This factory - * function exists because the HashingPolicy class hierachy is not yet - * serializable. - */ - static HashPolicy* Create(size_t k, const std::string& name); - - typedef Hasher::hash_type hash_type; - typedef std::vector hash_vector; - - virtual ~HashPolicy() { } - - virtual hash_vector Hash(const void* x, size_t n) const = 0; - - size_t K() const { return k_; } - const std::string& Name() const { return name_; } - -protected: - HashPolicy(size_t k, const std::string& name); - -private: - const size_t k_; - std::string name_; -}; - -/** - * The default hashing policy. Performs *k* hash function computations. - */ -class DefaultHashing : public HashPolicy { -public: - DefaultHashing(size_t k, const std::string& name); - - virtual hash_vector Hash(const void* x, size_t n) const /* override */; - -private: - std::vector hashers_; -}; - -/** - * The *double-hashing* policy. 
Uses a linear combination of two hash functions. - */ -class DoubleHashing : public HashPolicy { -public: - DoubleHashing(size_t k, const std::string& name); - - virtual hash_vector Hash(const void* x, size_t n) const; - -private: - Hasher hasher1_; - Hasher hasher2_; -}; - -#endif diff --git a/src/Hasher.cc b/src/Hasher.cc new file mode 100644 index 0000000000..045adcd174 --- /dev/null +++ b/src/Hasher.cc 
@@ -0,0 +1,79 @@ +#include "Hasher.h" + +#include "digest.h" + +Hasher::UHF::UHF(size_t seed, const std::string& extra) + : h_(compute_seed(seed, extra)) + { + } + +Hasher::digest Hasher::UHF::hash(const void* x, size_t n) const + { + assert(n <= UHASH_KEY_SIZE); + return n == 0 ? 0 : h_(x, n); + } + +size_t Hasher::UHF::compute_seed(size_t seed, const std::string& extra) + { + u_char buf[SHA256_DIGEST_LENGTH]; + SHA256_CTX ctx; + sha256_init(&ctx); + if ( extra.empty() ) + { + unsigned int first_seed = initial_seed(); + sha256_update(&ctx, &first_seed, sizeof(first_seed)); + } + else + { + sha256_update(&ctx, extra.c_str(), extra.size()); + } + sha256_update(&ctx, &seed, sizeof(seed)); + sha256_final(&ctx, buf); + // Take the first sizeof(size_t) bytes as seed. + return *reinterpret_cast(buf); + } + + +Hasher* Hasher::Create(size_t k, const std::string& name) + { + return new DefaultHasher(k, name); + } + +Hasher::Hasher(size_t k, const std::string& name) + : k_(k), name_(name) + { + } + +DefaultHasher::DefaultHasher(size_t k, const std::string& name) + : Hasher(k, name) + { + for ( size_t i = 0; i < k; ++i ) + hash_functions_.push_back(UHF(i, name)); + } + +Hasher::digest_vector DefaultHasher::Hash(const void* x, size_t n) const + { + digest_vector h(K(), 0); + for ( size_t i = 0; i < h.size(); ++i ) + h[i] = hash_functions_[i](x, n); + return h; + } + +DoubleHasher::DoubleHasher(size_t k, const std::string& name) + : Hasher(k, name), + h1_(1, name), + h2_(2, name) + { + } + +Hasher::digest_vector DoubleHasher::Hash(const void* x, size_t n) const + { + digest h1 = h1_(x, n); + digest h2 = h2_(x, n); + digest_vector h(K(), 0); + for ( size_t i = 0; i < h.size(); ++i ) + h[i] = h1 + i * h2; + return h; + } + + diff --git a/src/Hasher.h b/src/Hasher.h new file mode 100644 index 0000000000..8d0af6b03f --- /dev/null +++ b/src/Hasher.h 
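Review bot: The only length guard in `UHF::hash` is `assert(n <= UHASH_KEY_SIZE)`, which is compiled out under NDEBUG, so in a release build a key longer than the H3 table (its `byte_lookup` has only `N` rows, per H3.h) is passed straight to `h_(x, n)` — if H3 walks the table by byte offset, a long string added to a filter from script becomes an out-of-bounds read. Keep the check alive in all builds, e.g. `if ( n > UHASH_KEY_SIZE ) reporter->InternalError("hash key exceeds UHASH_KEY_SIZE");`, or have callers pre-hash anything longer. `compute_seed` also reads the digest through `*reinterpret_cast<size_t*>(buf)`; `size_t s; memcpy(&s, buf, sizeof(s)); return s;` avoids the alignment and strict-aliasing problem. Finally, a non-empty `extra` replaces `initial_seed()` entirely rather than being mixed with it, so a named filter's hash functions are fixed by the public name alone; that is what makes cross-node merging work, but it deserves a comment that collision-crafting against a named filter needs no knowledge of Bro's random seed.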
@@ -0,0 +1,109 @@ +#ifndef Hasher_h +#define Hasher_h + +#include "Hash.h" +#include "H3.h" + +/** + * The abstract base class for hashers, i.e., constructs which hash elements + * *k* times. + */ +class Hasher { +public: + typedef hash_t digest; + typedef std::vector digest_vector; + + /** + * Constructs the hashing policy used by the implementation. + * + * @todo This factory function exists because the HashingPolicy class + * hierachy is not yet serializable. + */ + static Hasher* Create(size_t k, const std::string& name); + + virtual ~Hasher() { } + + template + digest_vector operator()(const T& x) const + { + return Hash(&x, sizeof(T)); + } + + virtual digest_vector Hash(const void* x, size_t n) const = 0; + + size_t K() const { return k_; } + const std::string& Name() const { return name_; } + +protected: + /** + * A universal hash function family. + */ + class UHF { + public: + /** + * Constructs an H3 hash function seeded with a given seed and an optional + * extra seed to replace the initial Bro seed. + * + * @param seed The seed to use for this instance. + * + * @param extra If not empty, this parameter replaces the initial seed to + * compute the seed for t to compute the + * seed + * NUL-terminated string as additional seed. + */ + UHF(size_t seed, const std::string& extra = ""); + + template + digest operator()(const T& x) const + { + return hash(&x, sizeof(T)); + } + + digest operator()(const void* x, size_t n) const + { + return hash(x, n); + } + + digest hash(const void* x, size_t n) const; + + private: + static size_t compute_seed(size_t seed, const std::string& extra); + + H3 h_; + }; + + Hasher(size_t k, const std::string& name); + +private: + const size_t k_; + std::string name_; +}; + +/** + * The default hashing policy. Performs *k* hash function computations. 
+ */ +class DefaultHasher : public Hasher { +public: + DefaultHasher(size_t k, const std::string& name); + + virtual digest_vector Hash(const void* x, size_t n) const /* final */; + +private: + std::vector hash_functions_; +}; + +/** + * The *double-hashing* policy. Uses a linear combination of two hash functions. + */ +class DoubleHasher : public Hasher { +public: + DoubleHasher(size_t k, const std::string& name); + + virtual digest_vector Hash(const void* x, size_t n) const /* final */; + +private: + UHF h1_; + UHF h2_; +}; + +#endif diff --git a/src/bro.bif b/src/bro.bif index d0ce066139..71f8c0716f 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -5008,8 +5008,8 @@ function bloomfilter_basic_init%(fp: double, capacity: count, size_t cells = BasicBloomFilter::M(fp, capacity); size_t optimal_k = BasicBloomFilter::K(cells, capacity); - const HashPolicy* hp = HashPolicy::Create(optimal_k, name->CheckString()); - return new BloomFilterVal(new BasicBloomFilter(hp, cells)); + const Hasher* h = Hasher::Create(optimal_k, name->CheckString()); + return new BloomFilterVal(new BasicBloomFilter(h, cells)); %} ## Creates a counting Bloom filter. @@ -5029,11 +5029,11 @@ function bloomfilter_basic_init%(fp: double, capacity: count, function bloomfilter_counting_init%(k: count, cells: count, max: count, name: string &default=""%): opaque of bloomfilter %{ - const HashPolicy* hp = HashPolicy::Create(k, name->CheckString()); + const Hasher* h = Hasher::Create(k, name->CheckString()); uint16 width = 0; while ( max >>= 1 ) ++width; - return new BloomFilterVal(new CountingBloomFilter(hp, cells, width)); + return new BloomFilterVal(new CountingBloomFilter(h, cells, width)); %} ## Adds an element to a Bloom filter. From 79a2e4b5d5c28076a8db1857d3ea6a8891e1ef7c Mon Sep 17 00:00:00 2001 
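Review bot: The `UHF` constructor comment in Hasher.h is garbled ("replaces the initial seed to compute the seed for t to compute the seed NUL-terminated string as additional seed") and no longer says what the code does: `compute_seed` hashes `extra` *instead of* `initial_seed()` when it is non-empty, then mixes in `seed`. Suggest `@param extra If non-empty, this string replaces Bro's initial random seed as the base of the seed derivation; hashers built with the same seed and extra are identical across processes.` Also worth stating on `Hasher::Create` that the returned pointer is owned by the caller, since BloomFilter stores it as a raw `const Hasher*`.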
From: Matthias Vallentin Date: Sun, 21 Jul 2013 22:41:48 +0200 Subject: [PATCH 182/200] Implement missing CounterVector functions. --- src/CounterVector.cc | 66 ++++++++++++++++++++++++++++++++++++++------ src/CounterVector.h | 15 ++++++++++ 2 files changed, 73 insertions(+), 8 deletions(-) diff --git a/src/CounterVector.cc b/src/CounterVector.cc index 8ed4c30427..a661492313 100644 --- a/src/CounterVector.cc +++ b/src/CounterVector.cc @@ -1,5 +1,6 @@ #include "CounterVector.h" +#include #include "BitVector.h" #include "Serializer.h" 
@@ -15,23 +16,66 @@ CounterVector::~CounterVector() bool CounterVector::Increment(size_type cell, count_type value) { - // TODO - assert(! "not yet implemented"); + assert(cell < Size()); + assert(value != 0); + size_t lsb = cell * width_; + if (value >= Max()) + { + bool r = false; + for (size_t i = 0; i < width_; ++i) + if (! (*bits_)[lsb + i]) + { + bits_->Set(lsb + i); + if (! r) + r = true; + } + return r; + } + bool carry = false; + for (size_t i = 0; i < width_; ++i) + { + bool b1 = (*bits_)[lsb + i]; + bool b2 = value & (1 << i); + (*bits_)[lsb + i] ^= b2 != carry; // bit1 ^ bit2 ^ carry + carry = carry ? b1 || b2 : b1 && b2; + } + if (! carry) + return true; + for (size_t i = 0; i < width_; ++i) + bits_->Set(lsb + i); return false; } bool CounterVector::Decrement(size_type cell, count_type value) { - // TODO - assert(! "not yet implemented"); - return false; + assert(cell < Size()); + size_t lsb = cell * width_; + bool success; + while (value --> 0) + { + success = false; + for (size_t i = lsb; i < lsb + width_; ++i) + if ((*bits_)[i]) + { + bits_->Reset(i); + while (i && i > lsb) + bits_->Set(--i); + success = true; + break; + } + } + return success; } CounterVector::count_type CounterVector::Count(size_type cell) const { - // TODO - assert(! "not yet implemented"); - return 0; + assert(cell < Size()); + size_t cnt = 0, order = 1; + size_t lsb = cell * width_; + for (size_t i = lsb; i < lsb + width_; ++i, order <<= 1) + if ((*bits_)[i]) + cnt |= order; + return cnt; } CounterVector::size_type CounterVector::Size() const @@ -39,6 +83,12 @@ CounterVector::size_type CounterVector::Size() const return bits_->Blocks() / width_; } +size_t CounterVector::Max() const + { + return std::numeric_limits::max() + >> (std::numeric_limits::digits - width_); + } + bool CounterVector::Serialize(SerialInfo* info) const { return SerialObj::Serialize(info); diff --git a/src/CounterVector.h b/src/CounterVector.h index ecc8fe90e0..868beaca9b 100644 --- a/src/CounterVector.h 
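Review bot: `bool b2 = value & (1 << i);` shifts an `int`, but `count_type` is a 64-bit type and `width_` is derived in the BIF from a 64-bit `max` (`while ( max >>= 1 ) ++width;`), so widths above 31 are reachable; for those the shift is undefined and bits 31..63 of `value` are silently never added. `bool b2 = (value >> i) & 1;` is correct for any width. In `Decrement`, `success` is only assigned inside the loop, so a call with `value == 0` returns an uninitialised bool — either `assert(value != 0)` as `Increment` does or initialise it to `false`.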
+++ b/src/CounterVector.h @@ -19,6 +19,8 @@ public: * @param width The number of bits that each cell occupies. * * @param cells The number of cells in the bitvector. + * + * @pre `cells > 0 && width > 0` */ CounterVector(size_t width, size_t cells = 1024); @@ -32,6 +34,8 @@ public: * @param value The value to add to the current counter in *cell*. * * @return `true` if adding *value* to the counter in *cell* succeeded. + * + * @pre `cell < Size()` */ bool Increment(size_type cell, count_type value); @@ -43,6 +47,8 @@ public: * @param value The value to subtract from the current counter in *cell*. * * @return `true` if subtracting *value* from the counter in *cell* succeeded. + * + * @pre `cell < Size()` */ bool Decrement(size_type cell, count_type value); @@ -52,6 +58,8 @@ public: * @param cell The cell index to retrieve the count for. * * @return The counter associated with *cell*. + * + * @pre `cell < Size()` */ count_type Count(size_type cell) const; @@ -62,6 +70,13 @@ public: */ size_type Size() const; + /** + * Computes the maximum counter value. + * + * @return The maximum counter value based on the width. + */ + size_t Max() const; + bool Serialize(SerialInfo* info) const; static CounterVector* Unserialize(UnserialInfo* info); From 7a0240694ec69506b0789029ba48bb56ae703206 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 22 Jul 2013 14:07:47 +0200 Subject: [PATCH 183/200] Fix and test counting Bloom filter. --- src/BloomFilter.cc | 9 ++++--- src/CounterVector.cc | 5 ++-- src/CounterVector.h | 4 +-- src/bro.bif | 8 +++++- .../btest/Baseline/bifs.bloomfilter/output | 6 +++++ testing/btest/bifs/bloomfilter.bro | 26 ++++++++++++++++++- 6 files changed, 48 insertions(+), 10 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index f399bddeca..3c7bac80f1 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc 
@@ -131,9 +131,9 @@ CountingBloomFilter::CountingBloomFilter() CountingBloomFilter::CountingBloomFilter(const Hasher* hasher, size_t cells, size_t width) - : BloomFilter(hasher) + : BloomFilter(hasher), + cells_(new CounterVector(width, cells)) { - cells_ = new CounterVector(width, cells); } @@ -152,10 +152,12 @@ bool CountingBloomFilter::DoUnserialize(UnserialInfo* info) return cells_ != NULL; } +// TODO: Use partitioning in add/count to allow for reusing CMS bounds. + void CountingBloomFilter::AddImpl(const Hasher::digest_vector& h) { for ( size_t i = 0; i < h.size(); ++i ) - cells_->Increment(h[i] % cells_->Size(), 1); + cells_->Increment(h[i] % cells_->Size()); } size_t CountingBloomFilter::CountImpl(const Hasher::digest_vector& h) const @@ -164,7 +166,6 @@ size_t CountingBloomFilter::CountImpl(const Hasher::digest_vector& h) const std::numeric_limits::max(); for ( size_t i = 0; i < h.size(); ++i ) { - // TODO: Use partitioning. CounterVector::size_type cnt = cells_->Count(h[i] % cells_->Size()); if ( cnt < min ) min = cnt; diff --git a/src/CounterVector.cc b/src/CounterVector.cc index a661492313..831b95386f 100644 --- a/src/CounterVector.cc +++ b/src/CounterVector.cc @@ -5,7 +5,8 @@ #include "Serializer.h" CounterVector::CounterVector(size_t width, size_t cells) - : bits_(new BitVector(width * cells)), width_(width) + : bits_(new BitVector(width * cells)), + width_(width) { } @@ -80,7 +81,7 @@ CounterVector::count_type CounterVector::Count(size_type cell) const CounterVector::size_type CounterVector::Size() const { - return bits_->Blocks() / width_; + return bits_->Size() / width_; } size_t CounterVector::Max() const diff --git a/src/CounterVector.h b/src/CounterVector.h index 868beaca9b..2d99bb44d8 100644 --- a/src/CounterVector.h +++ b/src/CounterVector.h @@ -37,7 +37,7 @@ public: * * @pre `cell < Size()` */ - bool Increment(size_type cell, count_type value); + bool Increment(size_type cell, count_type value = 1); /** * Decrements a given cell. 
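Review bot: The `CounterVector` constructor still does not enforce the precondition its header documents (`cells > 0 && width > 0`): `width == 0` makes `Size()` divide by zero, and `cells == 0` makes `h[i] % cells_->Size()` in `CountingBloomFilter::AddImpl` and `CountImpl` a modulo by zero, both reachable from the counting-filter BIF with unchecked arguments. Add `assert(width > 0 && cells > 0);` to the constructor and reject the values at the script boundary. `width * cells` is also computed in `size_t` from two script-supplied counts with no overflow check; at minimum a comment should record that the product is trusted.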
@@ -50,7 +50,7 @@ public: * * @pre `cell < Size()` */ - bool Decrement(size_type cell, count_type value); + bool Decrement(size_type cell, count_type value = 1); /** * Retrieves the counter of a given cell. diff --git a/src/bro.bif b/src/bro.bif index 71f8c0716f..a33a2248dd 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -5029,8 +5029,14 @@ function bloomfilter_basic_init%(fp: double, capacity: count, function bloomfilter_counting_init%(k: count, cells: count, max: count, name: string &default=""%): opaque of bloomfilter %{ + if ( max == 0 ) + { + reporter->Error("max counter value must be greater than 0"); + return NULL; + } + const Hasher* h = Hasher::Create(k, name->CheckString()); - uint16 width = 0; + uint16 width = 1; while ( max >>= 1 ) ++width; return new BloomFilterVal(new CountingBloomFilter(h, cells, width)); diff --git a/testing/btest/Baseline/bifs.bloomfilter/output b/testing/btest/Baseline/bifs.bloomfilter/output index 65aaa8b07c..80847a81b9 100644 --- a/testing/btest/Baseline/bifs.bloomfilter/output +++ b/testing/btest/Baseline/bifs.bloomfilter/output @@ -6,3 +6,9 @@ 1 1 1 +1 +2 +3 +3 +2 +3 diff --git a/testing/btest/bifs/bloomfilter.bro b/testing/btest/bifs/bloomfilter.bro index 3ff6a6668e..ab0bf86c22 100644 --- a/testing/btest/bifs/bloomfilter.bro +++ b/testing/btest/bifs/bloomfilter.bro @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -b %INPUT >output # @TEST-EXEC: btest-diff output -event bro_init() +function test_basic_bloom_filter() { # Basic usage with counts. local bf_cnt = bloomfilter_basic_init(0.1, 1000); 
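Review bot: `bloomfilter_counting_init` now rejects `max == 0` but still accepts `k == 0` and `cells == 0`, both of which come straight from script. With `cells == 0` every add and lookup hits `h[i] % cells_->Size()` with a zero divisor; with `k == 0` `CountImpl` returns its initial `numeric_limits::max()` because the loop over hashes never runs, so lookups report an enormous count. Extend the check to `if ( max == 0 || k == 0 || cells == 0 ) { reporter->Error("k, cells, and max must be greater than 0"); return NULL; }`.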
@@ -36,3 +36,27 @@ event bro_init() local bf_bug0 = bloomfilter_basic_init(-0.5, 42); local bf_bug1 = bloomfilter_basic_init(1.1, 42); } + +function test_counting_bloom_filter() + { + local bf = bloomfilter_counting_init(3, 16, 3); + bloomfilter_add(bf, "foo"); + print bloomfilter_lookup(bf, "foo"); # 1 + bloomfilter_add(bf, "foo"); + print bloomfilter_lookup(bf, "foo"); # 2 + bloomfilter_add(bf, "foo"); + print bloomfilter_lookup(bf, "foo"); # 3 + bloomfilter_add(bf, "foo"); + print bloomfilter_lookup(bf, "foo"); # still 3 + + bloomfilter_add(bf, "bar"); + bloomfilter_add(bf, "bar"); + print bloomfilter_lookup(bf, "bar"); # 2 + print bloomfilter_lookup(bf, "foo"); # still 3 + } + +event bro_init() + { + test_basic_bloom_filter(); + test_counting_bloom_filter(); + } From a3c61fe7eb6c43622de17df0e818def20cab7e90 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 22 Jul 2013 15:39:13 +0200 Subject: [PATCH 184/200] Use half adder for bitwise addition and subtraction. --- src/CounterVector.cc | 53 +++++++++++++++----------------------------- 1 file changed, 18 insertions(+), 35 deletions(-) diff --git a/src/CounterVector.cc b/src/CounterVector.cc index 831b95386f..f46fae1b98 100644 --- a/src/CounterVector.cc +++ b/src/CounterVector.cc 
@@ -20,52 +20,35 @@ bool CounterVector::Increment(size_type cell, count_type value) assert(cell < Size()); assert(value != 0); size_t lsb = cell * width_; - if (value >= Max()) - { - bool r = false; - for (size_t i = 0; i < width_; ++i) - if (! (*bits_)[lsb + i]) - { - bits_->Set(lsb + i); - if (! r) - r = true; - } - return r; - } bool carry = false; - for (size_t i = 0; i < width_; ++i) - { + for ( size_t i = 0; i < width_; ++i ) + { bool b1 = (*bits_)[lsb + i]; bool b2 = value & (1 << i); - (*bits_)[lsb + i] ^= b2 != carry; // bit1 ^ bit2 ^ carry - carry = carry ? b1 || b2 : b1 && b2; - } - if (! carry) - return true; - for (size_t i = 0; i < width_; ++i) - bits_->Set(lsb + i); - return false; + (*bits_)[lsb + i] = b1 ^ b2 ^ carry; + carry = ( b1 && b2 ) || ( carry && ( b1 != b2 ) ); + } + if ( carry ) + for ( size_t i = 0; i < width_; ++i ) + bits_->Set(lsb + i); + return ! carry; } bool CounterVector::Decrement(size_type cell, count_type value) { assert(cell < Size()); + assert(value != 0); + value = ~value + 1; // A - B := A + ~B + 1 + bool carry = false; size_t lsb = cell * width_; - bool success; - while (value --> 0) + for ( size_t i = 0; i < width_; ++i ) { - success = false; - for (size_t i = lsb; i < lsb + width_; ++i) - if ((*bits_)[i]) - { - bits_->Reset(i); - while (i && i > lsb) - bits_->Set(--i); - success = true; - break; - } + bool b1 = bits_[lsb + i]; + bool b2 = value & (1 << i); + bits_[lsb + i] = b1 ^ b2 ^ carry; + carry = ( b1 && b2 ) || ( carry && ( b1 != b2 ) ); } - return success; + return carry; } CounterVector::count_type CounterVector::Count(size_type cell) const From 9c2f57a9d9d5667d05e43efd3c8541ff9d33382a Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 22 Jul 2013 16:36:54 +0200 Subject: [PATCH 185/200] Make counter vectors mergeable. --- src/CounterVector.cc | 42 ++++++++++++++++++++++++++++++++++++++++-- src/CounterVector.h | 27 +++++++++++++++++++++++++++ 2 files changed, 67 insertions(+), 2 deletions(-) 
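Review bot: With the `value >= Max()` branch removed, `Increment` only feeds bits `0..width_-1` of `value` into the adder, so adding e.g. 4 to a 2-bit counter leaves the cell untouched and returns `true` instead of saturating; the `(1 << i)` shift is also still an `int` shift, undefined for `width_ > 31`. `Decrement` detects a borrow (`carry == false`) but leaves the wrapped two's-complement residue in the cell, so subtracting 2 from a 3-bit counter holding 1 yields 7 rather than clamping to 0. Both need the out-of-range cases handled explicitly, as below (the `bits_[...]` indexing should also be `(*bits_)[...]`, as in `Increment`).
```cpp
bool CounterVector::Increment(size_type cell, count_type value)
	{
	assert(cell < Size());
	assert(value != 0);
	size_t lsb = cell * width_;
	// A value that cannot fit in width_ bits saturates the counter outright.
	if ( value > Max() )
		{
		for ( size_t i = 0; i < width_; ++i )
			bits_->Set(lsb + i);
		return false;
		}
	bool carry = false;
	for ( size_t i = 0; i < width_; ++i )
		{
		bool b1 = (*bits_)[lsb + i];
		bool b2 = (value >> i) & 1;  // no int shift; valid for widths up to 64
		(*bits_)[lsb + i] = b1 ^ b2 ^ carry;
		carry = ( b1 && b2 ) || ( carry && ( b1 != b2 ) );
		}
	// … unchanged: saturate on carry-out and return ! carry …
	}

bool CounterVector::Decrement(size_type cell, count_type value)
	{
	// … unchanged: asserts, two's-complement negation, adder loop …
	if ( ! carry )
		// A borrow means value exceeded the counter: clamp to zero instead of
		// leaving the wrapped residue behind.
		for ( size_t i = 0; i < width_; ++i )
			bits_->Reset(lsb + i);
	return carry;
	}
```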
diff --git a/src/CounterVector.cc b/src/CounterVector.cc index f46fae1b98..75c62b208a 100644 --- a/src/CounterVector.cc +++ b/src/CounterVector.cc @@ -43,9 +43,9 @@ bool CounterVector::Decrement(size_type cell, count_type value) size_t lsb = cell * width_; for ( size_t i = 0; i < width_; ++i ) { - bool b1 = bits_[lsb + i]; + bool b1 = (*bits_)[lsb + i]; bool b2 = value & (1 << i); - bits_[lsb + i] = b1 ^ b2 ^ carry; + (*bits_)[lsb + i] = b1 ^ b2 ^ carry; carry = ( b1 && b2 ) || ( carry && ( b1 != b2 ) ); } return carry; @@ -67,12 +67,50 @@ CounterVector::size_type CounterVector::Size() const return bits_->Size() / width_; } +size_t CounterVector::Width() const + { + return width_; + } + size_t CounterVector::Max() const { return std::numeric_limits::max() >> (std::numeric_limits::digits - width_); } +CounterVector& CounterVector::Merge(const CounterVector& other) + { + assert(Size() == other.Size()); + assert(Width() == other.Width()); + for ( size_t cell = 0; cell < Size(); ++cell ) + { + size_t lsb = cell * width_; + bool carry = false; + for ( size_t i = 0; i < width_; ++i ) + { + bool b1 = (*bits_)[lsb + i]; + bool b2 = (*other.bits_)[lsb + i]; + (*bits_)[lsb + i] = b1 ^ b2 ^ carry; + carry = ( b1 && b2 ) || ( carry && ( b1 != b2 ) ); + } + if ( carry ) + for ( size_t i = 0; i < width_; ++i ) + bits_->Set(lsb + i); + } + return *this; + } + +CounterVector& CounterVector::operator|=(const CounterVector& other) +{ + return Merge(other); +} + +CounterVector operator|(const CounterVector& x, const CounterVector& y) +{ + CounterVector cv(x); + return cv |= y; +} + bool CounterVector::Serialize(SerialInfo* info) const { return SerialObj::Serialize(info); diff --git a/src/CounterVector.h b/src/CounterVector.h index 2d99bb44d8..4ab221ff6b 100644 --- a/src/CounterVector.h +++ b/src/CounterVector.h 
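Review bot: `operator|` copy-constructs `cv(x)`, but at this point `CounterVector` has only the implicitly generated copy constructor, which copies the `bits_` pointer; the destructor's `delete bits_` then runs once for `x` and once for the temporary (double free), and `cv |= y` mutates `x`'s bits in place. A deep copy is required before `operator|` is usable: `CounterVector(const CounterVector& other) : bits_(new BitVector(*other.bits_)), width_(other.width_) { }`, with copy assignment either deleted or implemented the same way. `Merge` also only `assert`s that sizes and widths agree, so in an NDEBUG build a shorter `other` is read past the end of `*other.bits_`; that precondition has to be checked by the caller that exposes merging to script.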
@@ -70,6 +70,13 @@ public: */ size_type Size() const; + /** + * Retrieves the counter width. + * + * @return The number of bits per counter. + */ + size_t Width() const; + /** * Computes the maximum counter value. * @@ -77,6 +84,26 @@ public: */ size_t Max() const; + /** + * Merges another counter vector into this instance by *adding* the counters + * of each cells. + * + * @param other The counter vector to merge into this instance. + * + * @return A reference to `*this`. + * + * @pre `Size() == other.Size() && Width() == other.Width()` + */ + CounterVector& Merge(const CounterVector& other); + + /** + * An alias for ::Merge. + */ + CounterVector& operator|=(const CounterVector& other); + + friend CounterVector operator|(const CounterVector& x, + const CounterVector& y); + bool Serialize(SerialInfo* info) const; static CounterVector* Unserialize(UnserialInfo* info); From eb64f5f9616e84295bc17537e8db57ae4f089c41 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 22 Jul 2013 18:03:55 +0200 Subject: [PATCH 186/200] Make hash functions equality comparable. --- src/H3.h | 12 ++++++ src/Hasher.cc | 101 +++++++++++++++++++++++++++++++------------------- src/Hasher.h | 18 +++++++++ 3 files changed, 93 insertions(+), 38 deletions(-) diff --git a/src/H3.h b/src/H3.h index e2dc865147..123dd6f374 100644 --- a/src/H3.h +++ b/src/H3.h @@ -58,6 +58,7 @@ #define H3_H #include +#include // The number of values representable by a byte. #define H3_BYTE_RANGE (UCHAR_MAX+1) @@ -112,6 +113,17 @@ public: return result; } + + friend bool operator==(const H3& x, const H3& y) + { + return ! std::memcmp(x.byte_lookup, y.byte_lookup, N * H3_BYTE_RANGE); + } + + friend bool operator!=(const H3& x, const H3& y) + { + return ! (x == y); + } + private: T byte_lookup[N][H3_BYTE_RANGE]; }; diff --git a/src/Hasher.cc b/src/Hasher.cc index 045adcd174..7a8d9a67e0 100644 --- a/src/Hasher.cc +++ b/src/Hasher.cc 
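Review bot: `H3::operator==` compares `N * H3_BYTE_RANGE` *bytes*, but `byte_lookup` holds `N * H3_BYTE_RANGE` elements of type `T`, so for a 64-bit `T` only the first eighth of the table is compared and two hashers seeded differently can compare equal; since `Hasher::Equals` is what gates Bloom-filter merging, mismatched filters could then be merged silently. Use the array's real size: `return ! std::memcmp(x.byte_lookup, y.byte_lookup, sizeof(x.byte_lookup));`. This assumes the table is filled deterministically from the seed, which is what makes byte-wise comparison a valid equality test at all — worth a one-line comment on the operator.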
@@ -8,56 +8,69 @@ Hasher::UHF::UHF(size_t seed, const std::string& extra) } Hasher::digest Hasher::UHF::hash(const void* x, size_t n) const - { - assert(n <= UHASH_KEY_SIZE); - return n == 0 ? 0 : h_(x, n); - } + { + assert(n <= UHASH_KEY_SIZE); + return n == 0 ? 0 : h_(x, n); + } size_t Hasher::UHF::compute_seed(size_t seed, const std::string& extra) - { - u_char buf[SHA256_DIGEST_LENGTH]; - SHA256_CTX ctx; - sha256_init(&ctx); - if ( extra.empty() ) + { + u_char buf[SHA256_DIGEST_LENGTH]; + SHA256_CTX ctx; + sha256_init(&ctx); + if ( extra.empty() ) { unsigned int first_seed = initial_seed(); sha256_update(&ctx, &first_seed, sizeof(first_seed)); } else { - sha256_update(&ctx, extra.c_str(), extra.size()); + sha256_update(&ctx, extra.c_str(), extra.size()); + } + sha256_update(&ctx, &seed, sizeof(seed)); + sha256_final(&ctx, buf); + // Take the first sizeof(size_t) bytes as seed. + return *reinterpret_cast(buf); } - sha256_update(&ctx, &seed, sizeof(seed)); - sha256_final(&ctx, buf); - // Take the first sizeof(size_t) bytes as seed. 
- return *reinterpret_cast(buf); - } Hasher* Hasher::Create(size_t k, const std::string& name) - { - return new DefaultHasher(k, name); - } + { + return new DefaultHasher(k, name); + } Hasher::Hasher(size_t k, const std::string& name) - : k_(k), name_(name) + : k_(k), name_(name) { } DefaultHasher::DefaultHasher(size_t k, const std::string& name) - : Hasher(k, name) - { - for ( size_t i = 0; i < k; ++i ) - hash_functions_.push_back(UHF(i, name)); - } + : Hasher(k, name) + { + for ( size_t i = 0; i < k; ++i ) + hash_functions_.push_back(UHF(i, name)); + } Hasher::digest_vector DefaultHasher::Hash(const void* x, size_t n) const - { - digest_vector h(K(), 0); - for ( size_t i = 0; i < h.size(); ++i ) - h[i] = hash_functions_[i](x, n); - return h; - } + { + digest_vector h(K(), 0); + for ( size_t i = 0; i < h.size(); ++i ) + h[i] = hash_functions_[i](x, n); + return h; + } + +DefaultHasher* DefaultHasher::Clone() const + { + return new DefaultHasher(*this); + } + +bool DefaultHasher::Equals(const Hasher* other) const /* final */ + { + if ( typeid(*this) != typeid(*other) ) + return false; + const DefaultHasher* o = static_cast(other); + return hash_functions_ == o->hash_functions_; + } DoubleHasher::DoubleHasher(size_t k, const std::string& name) : Hasher(k, name), 
@@ -67,13 +80,25 @@ DoubleHasher::DoubleHasher(size_t k, const std::string& name) } Hasher::digest_vector DoubleHasher::Hash(const void* x, size_t n) const - { - digest h1 = h1_(x, n); - digest h2 = h2_(x, n); - digest_vector h(K(), 0); - for ( size_t i = 0; i < h.size(); ++i ) - h[i] = h1 + i * h2; - return h; - } + { + digest h1 = h1_(x, n); + digest h2 = h2_(x, n); + digest_vector h(K(), 0); + for ( size_t i = 0; i < h.size(); ++i ) + h[i] = h1 + i * h2; + return h; + } +DoubleHasher* DoubleHasher::Clone() const + { + return new DoubleHasher(*this); + } + +bool DoubleHasher::Equals(const Hasher* other) const /* final */ + { + if ( typeid(*this) != typeid(*other) ) + return false; + const DoubleHasher* o = static_cast(other); + return h1_ == o->h1_ && h2_ == o->h2_; + } diff --git a/src/Hasher.h b/src/Hasher.h index 8d0af6b03f..12393e7217 100644 --- a/src/Hasher.h +++ b/src/Hasher.h @@ -31,6 +31,10 @@ public: virtual digest_vector Hash(const void* x, size_t n) const = 0; + virtual Hasher* Clone() const = 0; + + virtual bool Equals(const Hasher* other) const = 0; + size_t K() const { return k_; } const std::string& Name() const { return name_; } @@ -64,6 +68,16 @@ protected: return hash(x, n); } + friend bool operator==(const UHF& x, const UHF& y) + { + return x.h_ == y.h_; + } + + friend bool operator!=(const UHF& x, const UHF& y) + { + return ! (x == y); + } + digest hash(const void* x, size_t n) const; private: @@ -87,6 +101,8 @@ public: DefaultHasher(size_t k, const std::string& name); virtual digest_vector Hash(const void* x, size_t n) const /* final */; + virtual DefaultHasher* Clone() const /* final */; + virtual bool Equals(const Hasher* other) const /* final */; private: std::vector hash_functions_; 
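Review bot: The new pure virtuals `Clone` and `Equals` in Hasher.h carry no documentation, and both have contracts a caller must know: `Clone` returns a heap object the caller owns, and the `DefaultHasher`/`DoubleHasher` implementations evaluate `typeid(*other)` unconditionally, so `Equals` must never receive NULL. Suggest above `Clone`: `/** Constructs a deep copy of this hasher. @return A new instance that the caller owns and must delete. */`, and above `Equals`: `/** Compares this hasher with another for equal type and equal hash functions. @param other The hasher to compare with; must not be NULL. */`. It would also help to note that `Equals` does not consider `Name()`, only the resulting hash functions.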
@@ -100,6 +116,8 @@ public: DoubleHasher(size_t k, const std::string& name); virtual digest_vector Hash(const void* x, size_t n) const /* final */; + virtual DoubleHasher* Clone() const /* final */; + virtual bool Equals(const Hasher* other) const /* final */; private: UHF h1_; From a39f980cd493e64a6bb4016c47923e8754b059dc Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 22 Jul 2013 18:11:12 +0200 Subject: [PATCH 187/200] Implement and test Bloom filter merging. --- src/BloomFilter.cc | 22 ++++++++++++++---- src/BloomFilter.h | 1 - src/CounterVector.cc | 6 +++++ src/CounterVector.h | 8 +++++++ src/Hasher.cc | 4 ++-- src/OpaqueVal.cc | 2 +- src/OpaqueVal.h | 21 ++++++++++++++--- .../btest/Baseline/bifs.bloomfilter/output | 7 ++++++ testing/btest/bifs/bloomfilter.bro | 23 ++++++++++++++++++- 9 files changed, 81 insertions(+), 13 deletions(-) diff --git a/src/BloomFilter.cc b/src/BloomFilter.cc index 3c7bac80f1..889c7bafe1 100644 --- a/src/BloomFilter.cc +++ b/src/BloomFilter.cc @@ -70,8 +70,13 @@ size_t BasicBloomFilter::K(size_t cells, size_t capacity) BasicBloomFilter* BasicBloomFilter::Merge(const BasicBloomFilter* x, const BasicBloomFilter* y) { - // TODO: Ensure that x and y use the same Hasher before proceeding. + if ( ! x->hasher_->Equals(y->hasher_) ) + { + reporter->InternalError("incompatible hashers during Bloom filter merge"); + return NULL; + } BasicBloomFilter* result = new BasicBloomFilter(); + result->hasher_ = x->hasher_->Clone(); result->bits_ = new BitVector(*x->bits_ | *y->bits_); return result; } 
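Review bot: A hasher mismatch in `BasicBloomFilter::Merge` is reported through `reporter->InternalError`, yet the condition is reachable from script — `bloomfilter_merge` on two filters created with different `name` or `k` — so if `InternalError` is fatal, as its name suggests, a script-level mistake takes down the process and the `return NULL` after it is dead code; `reporter->Error(...)` plus the NULL return lets the caller fail just that operation. Equal hashers also do not imply equal bit-vector sizes (same name, different `capacity`), but `*x->bits_ | *y->bits_` is applied without comparing `x->bits_->Size()` and `y->bits_->Size()`; add that comparison next to the hasher check, e.g. `if ( x->bits_->Size() != y->bits_->Size() ) { reporter->Error("incompatible Bloom filter sizes during merge"); return NULL; }`.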
@@ -119,10 +124,17 @@ size_t BasicBloomFilter::CountImpl(const Hasher::digest_vector& h) const CountingBloomFilter* CountingBloomFilter::Merge(const CountingBloomFilter* x, const CountingBloomFilter* y) -{ - assert(! "not yet implemented"); - return NULL; -} + { + if ( ! x->hasher_->Equals(y->hasher_) ) + { + reporter->InternalError("incompatible hashers during Bloom filter merge"); + return NULL; + } + CountingBloomFilter* result = new CountingBloomFilter(); + result->hasher_ = x->hasher_->Clone(); + result->cells_ = new CounterVector(*x->cells_ | *y->cells_); + return result; + } CountingBloomFilter::CountingBloomFilter() : cells_(NULL) diff --git a/src/BloomFilter.h b/src/BloomFilter.h index 92f15c6070..070aa2dc25 100644 --- a/src/BloomFilter.h +++ b/src/BloomFilter.h @@ -57,7 +57,6 @@ protected: virtual void AddImpl(const Hasher::digest_vector& hashes) = 0; virtual size_t CountImpl(const Hasher::digest_vector& hashes) const = 0; -private: const Hasher* hasher_; }; diff --git a/src/CounterVector.cc b/src/CounterVector.cc index 75c62b208a..cf3083de9e 100644 --- a/src/CounterVector.cc +++ b/src/CounterVector.cc @@ -10,6 +10,12 @@ CounterVector::CounterVector(size_t width, size_t cells) { } +CounterVector::CounterVector(const CounterVector& other) + : bits_(new BitVector(*other.bits_)), + width_(other.width_) + { + } + CounterVector::~CounterVector() { delete bits_; diff --git a/src/CounterVector.h b/src/CounterVector.h index 4ab221ff6b..eced5956d4 100644 --- a/src/CounterVector.h +++ b/src/CounterVector.h @@ -9,6 +9,7 @@ class BitVector; * A vector of counters, each of which have a fixed number of bits. */ class CounterVector : public SerialObj { + CounterVector& operator=(const CounterVector&); public: typedef size_t size_type; typedef uint64 count_type; 
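Review bot: `CountingBloomFilter::Merge` checks the hashers but not the counter vectors, and `CounterVector::Merge` only `assert`s matching size and width, so two filters built with the same name but different `cells` or `max` pass the `Equals` check and, in an NDEBUG build, the merge reads `*other.bits_` out of bounds. Guard it here, where the error can be reported to script: `if ( x->cells_->Size() != y->cells_->Size() || x->cells_->Width() != y->cells_->Width() ) { reporter->Error("incompatible counter vectors during Bloom filter merge"); return NULL; }`. As in the basic-filter case, the hasher mismatch is a user error rather than an internal one, so `reporter->Error` is the appropriate channel if `InternalError` aborts.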
@@ -24,6 +25,13 @@ public: */ CounterVector(size_t width, size_t cells = 1024); + /** + * Copy-constructs a counter vector. + * + * @param other The counter vector to copy. + */ + CounterVector(const CounterVector& other); + ~CounterVector(); /** diff --git a/src/Hasher.cc b/src/Hasher.cc index 7a8d9a67e0..2a889c7e09 100644 --- a/src/Hasher.cc +++ b/src/Hasher.cc @@ -64,7 +64,7 @@ DefaultHasher* DefaultHasher::Clone() const return new DefaultHasher(*this); } -bool DefaultHasher::Equals(const Hasher* other) const /* final */ +bool DefaultHasher::Equals(const Hasher* other) const { if ( typeid(*this) != typeid(*other) ) return false; @@ -94,7 +94,7 @@ DoubleHasher* DoubleHasher::Clone() const return new DoubleHasher(*this); } -bool DoubleHasher::Equals(const Hasher* other) const /* final */ +bool DoubleHasher::Equals(const Hasher* other) const { if ( typeid(*this) != typeid(*other) ) return false; diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index 5a673c4a40..36038d679a 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -1,6 +1,5 @@ #include "OpaqueVal.h" -#include "BloomFilter.h" #include "NetVar.h" #include "Reporter.h" #include "Serializer.h" @@ -587,6 +586,7 @@ BloomFilterVal* BloomFilterVal::Merge(const BloomFilterVal* x, else if ( (result = DoMerge(x, y)) ) return result; + reporter->InternalError("failed to merge Bloom filters"); return NULL; } diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index 2362fdacfc..22c3dbfade 100644 --- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h @@ -3,6 +3,7 @@ #ifndef OPAQUEVAL_H #define OPAQUEVAL_H +#include "BloomFilter.h" #include "RandTest.h" #include "Val.h" #include "digest.h" 
@@ -137,9 +138,23 @@ private: static BloomFilterVal* DoMerge(const BloomFilterVal* x, const BloomFilterVal* y) { - const T* a = dynamic_cast(x->bloom_filter_); - const T* b = dynamic_cast(y->bloom_filter_); - return a && b ? new BloomFilterVal(T::Merge(a, b)) : NULL; + if ( typeid(*x->bloom_filter_) != typeid(*y->bloom_filter_) ) + { + reporter->InternalError("cannot merge different Bloom filter types"); + return NULL; + } + if ( typeid(T) != typeid(*x->bloom_filter_) ) + return NULL; + const T* a = static_cast(x->bloom_filter_); + const T* b = static_cast(y->bloom_filter_); + BloomFilterVal* merged = new BloomFilterVal(T::Merge(a, b)); + assert(merged); + if ( ! merged->Typify(x->Type()) ) + { + reporter->InternalError("failed to set type on merged Bloom filter"); + return NULL; + } + return merged; } BroType* type_; diff --git a/testing/btest/Baseline/bifs.bloomfilter/output b/testing/btest/Baseline/bifs.bloomfilter/output index 80847a81b9..4fe2ae1ecc 100644 --- a/testing/btest/Baseline/bifs.bloomfilter/output +++ b/testing/btest/Baseline/bifs.bloomfilter/output @@ -7,8 +7,15 @@ 1 1 1 +1 +1 +1 +1 2 3 3 2 3 +3 +3 +2 diff --git a/testing/btest/bifs/bloomfilter.bro b/testing/btest/bifs/bloomfilter.bro index ab0bf86c22..f69ddbda0c 100644 --- a/testing/btest/bifs/bloomfilter.bro +++ b/testing/btest/bifs/bloomfilter.bro 
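Review bot: `T::Merge(a, b)` returns NULL on a hasher mismatch (both implementations in BloomFilter.cc do), but `DoMerge` wraps the result unconditionally and `assert(merged)` only checks the `new` expression, which never yields NULL, so the caller gets a `BloomFilterVal` with a null filter that will presumably be dereferenced on the next add or lookup. Check the merge result first: `T* m = T::Merge(a, b); if ( ! m ) return NULL;` and then `new BloomFilterVal(m)`. The type-mismatch branch (`typeid` of the two filters differing) is also script-triggerable by merging a basic with a counting filter, so it belongs in `reporter->Error` rather than `InternalError`; the `Typify` failure is the only genuinely internal case here.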
@@ -35,11 +35,21 @@ function test_basic_bloom_filter() # Invalid parameters. local bf_bug0 = bloomfilter_basic_init(-0.5, 42); local bf_bug1 = bloomfilter_basic_init(1.1, 42); + + # Merging + local bf_cnt2 = bloomfilter_basic_init(0.1, 1000); + bloomfilter_add(bf_cnt2, 42); + bloomfilter_add(bf_cnt, 100); + local bf_merged = bloomfilter_merge(bf_cnt, bf_cnt2); + print bloomfilter_lookup(bf_merged, 42); + print bloomfilter_lookup(bf_merged, 84); + print bloomfilter_lookup(bf_merged, 100); + print bloomfilter_lookup(bf_merged, 168); } function test_counting_bloom_filter() { - local bf = bloomfilter_counting_init(3, 16, 3); + local bf = bloomfilter_counting_init(3, 32, 3); bloomfilter_add(bf, "foo"); print bloomfilter_lookup(bf, "foo"); # 1 bloomfilter_add(bf, "foo"); @@ -49,10 +59,21 @@ function test_counting_bloom_filter() bloomfilter_add(bf, "foo"); print bloomfilter_lookup(bf, "foo"); # still 3 + bloomfilter_add(bf, "bar"); bloomfilter_add(bf, "bar"); print bloomfilter_lookup(bf, "bar"); # 2 print bloomfilter_lookup(bf, "foo"); # still 3 + + # Merging + local bf2 = bloomfilter_counting_init(3, 32, 3); + bloomfilter_add(bf2, "baz"); + bloomfilter_add(bf2, "baz"); + bloomfilter_add(bf2, "bar"); + local bf_merged = bloomfilter_merge(bf, bf2); + print bloomfilter_lookup(bf_merged, "foo"); + print bloomfilter_lookup(bf_merged, "bar"); + print bloomfilter_lookup(bf_merged, "baz"); } event bro_init() From 5c3bf14d168cca9af75e0ac642de8049f89cf525 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 22 Jul 2013 14:02:56 -0400 Subject: [PATCH 188/200] Fixed a scriptland state issue that manifested especially badly on proxies. --- scripts/base/protocols/irc/dcc-send.bro | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index 0a7f27e438..3194766946 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro 
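Review bot: The four `print bloomfilter_lookup(bf_merged, ...)` lines added to `test_basic_bloom_filter` and the three added to `test_counting_bloom_filter` carry no expected-value annotation, unlike the surrounding prints (`# 1`, `# still 3`), so a future baseline change cannot be judged against the intended result. Annotate them in the same style, e.g. `print bloomfilter_lookup(bf_merged, "baz"); # 2`, matching the values the baseline hunk above records. The change of the counting filter width from 16 to 32 is also unexplained; a short comment on why 16 no longer suffices for the merged test would help.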
@@ -185,5 +185,6 @@ event expected_connection_seen(c: connection, a: Analyzer::Tag) &priority=10 event connection_state_remove(c: connection) &priority=-5 { - delete dcc_expected_transfers[c$id$resp_h, c$id$resp_p]; + if ( [c$id$resp_h, c$id$resp_p] in dcc_expected_transfers ) + delete dcc_expected_transfers[c$id$resp_h, c$id$resp_p]; } From 474107fe40c22dec977d4e9ee3dad0edcbc02344 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 23 Jul 2013 17:16:57 -0700 Subject: [PATCH 189/200] Broifying the code. Also extending API documentation a bit more and fixing a memory leak. --- src/Func.cc | 4 +- src/H3.h | 4 +- src/OpaqueVal.cc | 159 ++-- src/OpaqueVal.h | 67 +- src/Type.cc | 1 + src/probabilistic/BitVector.cc | 777 ++++++++++-------- src/probabilistic/BitVector.h | 575 +++++++------ src/probabilistic/BloomFilter.cc | 229 +++--- src/probabilistic/BloomFilter.h | 229 ++++-- src/probabilistic/CounterVector.cc | 244 +++--- src/probabilistic/CounterVector.h | 208 ++--- src/probabilistic/Hasher.cc | 63 +- src/probabilistic/Hasher.h | 262 +++--- src/probabilistic/bloom-filter.bif | 122 +-- src/util.cc | 20 +- src/util.h | 8 +- .../btest/Baseline/bifs.bloomfilter/output | 6 + testing/btest/bifs/bloomfilter.bro | 2 +- 18 files changed, 1651 insertions(+), 1329 deletions(-) diff --git a/src/Func.cc b/src/Func.cc index a0d2299933..483699668f 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -560,7 +560,7 @@ void builtin_error(const char* msg, BroObj* arg) #include "reporter.bif.func_def" #include "strings.bif.func_def" -// TODO: Add a nicer mechanism to pull subdirectory bifs automatically. +// TODO: Add a nicer mechanism to pull in subdirectory bifs automatically. #include "probabilistic/bloom-filter.bif.h" void init_builtin_funcs() 
@@ -577,7 +577,7 @@ void init_builtin_funcs() #include "reporter.bif.func_init" #include "strings.bif.func_init" -// TODO: Add a nicer mechanism to pull subdirectory bifs automatically. +// TODO: Add a nicer mechanism to pull in subdirectory bifs automatically. #include "probabilistic/bloom-filter.bif.init.cc" did_builtin_init = true; diff --git a/src/H3.h b/src/H3.h index 123dd6f374..8ea5848816 100644 --- a/src/H3.h +++ b/src/H3.h @@ -100,8 +100,8 @@ public: // loop optmized with Duff's Device register unsigned n = (size + 7) / 8; switch ( size % 8 ) { - case 0: do { result ^= byte_lookup[offset++][*p++]; - case 7: result ^= byte_lookup[offset++][*p++]; + case 0: do { result ^= byte_lookup[offset++][*p++]; + case 7: result ^= byte_lookup[offset++][*p++]; case 6: result ^= byte_lookup[offset++][*p++]; case 5: result ^= byte_lookup[offset++][*p++]; case 4: result ^= byte_lookup[offset++][*p++]; diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index 04032b2cfc..efdd890f70 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -1,5 +1,6 @@ -#include "OpaqueVal.h" +// See the file "COPYING" in the main distribution directory for copyright. +#include "OpaqueVal.h" #include "NetVar.h" #include "Reporter.h" #include "Serializer.h" 
@@ -518,87 +519,89 @@ bool EntropyVal::DoUnserialize(UnserialInfo* info) } BloomFilterVal::BloomFilterVal() - : OpaqueVal(bloomfilter_type), - type_(NULL), - hash_(NULL), - bloom_filter_(NULL) + : OpaqueVal(bloomfilter_type) { + type = 0; + hash = 0; + bloom_filter = 0; } BloomFilterVal::BloomFilterVal(OpaqueType* t) - : OpaqueVal(t), - type_(NULL), - hash_(NULL), - bloom_filter_(NULL) + : OpaqueVal(t) { + type = 0; + hash = 0; + bloom_filter = 0; } BloomFilterVal::BloomFilterVal(probabilistic::BloomFilter* bf) - : OpaqueVal(bloomfilter_type), - type_(NULL), - hash_(NULL), - bloom_filter_(bf) + : OpaqueVal(bloomfilter_type) { + type = 0; + hash = 0; + bloom_filter = bf; } -bool BloomFilterVal::Typify(BroType* type) - { - if ( type_ ) - return false; - type_ = type; - type_->Ref(); - TypeList* tl = new TypeList(type_); - tl->Append(type_); - hash_ = new CompositeHash(tl); - Unref(tl); - return true; - } +bool BloomFilterVal::Typify(BroType* arg_type) + { + if ( type ) + return false; + + type = arg_type; + type->Ref(); + + TypeList* tl = new TypeList(type); + tl->Append(type); + hash = new CompositeHash(tl); + Unref(tl); + + return true; + } BroType* BloomFilterVal::Type() const - { - return type_; - } + { + return type; + } void BloomFilterVal::Add(const Val* val) - { - HashKey* key = hash_->ComputeHash(val, 1); - bloom_filter_->Add(key->Hash()); - } + { + HashKey* key = hash->ComputeHash(val, 1); + bloom_filter->Add(key->Hash()); + delete key; + } size_t BloomFilterVal::Count(const Val* val) const - { - HashKey* key = hash_->ComputeHash(val, 1); - return bloom_filter_->Count(key->Hash()); - } + { + HashKey* key = hash->ComputeHash(val, 1); + size_t cnt = bloom_filter->Count(key->Hash()); + delete key; + return cnt; + } BloomFilterVal* BloomFilterVal::Merge(const BloomFilterVal* x, const BloomFilterVal* y) - { - if ( x->Type() != y->Type() ) - { - reporter->InternalError("cannot merge Bloom filters with different types"); - return NULL; - } + { + if ( ! 
same_type(x->Type(), y->Type()) ) + reporter->InternalError("cannot merge Bloom filters with different types"); - BloomFilterVal* result; - if ( (result = DoMerge(x, y)) ) - return result; - else if ( (result = DoMerge(x, y)) ) - return result; + BloomFilterVal* result; - reporter->InternalError("failed to merge Bloom filters"); - return NULL; - } + if ( (result = DoMerge(x, y)) ) + return result; + + else if ( (result = DoMerge(x, y)) ) + return result; + + reporter->InternalError("failed to merge Bloom filters"); + return 0; + } BloomFilterVal::~BloomFilterVal() - { - if ( type_ ) - Unref(type_); - if ( hash_ ) - delete hash_; - if ( bloom_filter_ ) - delete bloom_filter_; - } + { + Unref(type); + delete hash; + delete bloom_filter; + } IMPLEMENT_SERIAL(BloomFilterVal, SER_BLOOMFILTER_VAL); @@ -606,14 +609,16 @@ bool BloomFilterVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BLOOMFILTER_VAL, OpaqueVal); - bool is_typed = type_ != NULL; - if ( ! SERIALIZE(is_typed) ) - return false; - if ( is_typed && ! type_->Serialize(info) ) - return false; + bool is_typed = (type != 0); - return bloom_filter_->Serialize(info); - } + if ( ! SERIALIZE(is_typed) ) + return false; + + if ( is_typed && ! type->Serialize(info) ) + return false; + + return bloom_filter->Serialize(info); + } bool BloomFilterVal::DoUnserialize(UnserialInfo* info) { @@ -621,15 +626,17 @@ bool BloomFilterVal::DoUnserialize(UnserialInfo* info) bool is_typed; if ( ! UNSERIALIZE(&is_typed) ) - return false; - if ( is_typed ) - { - BroType* type = BroType::Unserialize(info); - if ( ! Typify(type) ) - return false; - Unref(type); - } + return false; - bloom_filter_ = probabilistic::BloomFilter::Unserialize(info); - return bloom_filter_ != NULL; - } + if ( is_typed ) + { + BroType* type = BroType::Unserialize(info); + if ( ! Typify(type) ) + return false; + + Unref(type); + } + + bloom_filter = probabilistic::BloomFilter::Unserialize(info); + return bloom_filter != 0; + } 
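Review bot: `Merge` now continues past `reporter->InternalError(...)` on a type mismatch, where the old code returned; that is only correct if `InternalError` is guaranteed never to return, and its declaration is not on this page. If it can return, the mismatched filters flow straight into `DoMerge`, so keeping the early exit, `return 0;` directly after the call, costs nothing and makes the function correct either way. The same fall-through is introduced in `DoMerge` in the OpaqueVal.h hunk of this commit, both after the `typeid` mismatch and after a failed `Typify`. Separately, `Add` and `Count` dereference `hash` unconditionally while every constructor leaves `hash = 0` until `Typify` runs; it is worth confirming that all callers typify first, or guarding with `assert(hash);`.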
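Review bot: In `DoUnserialize` the result of `BroType::Unserialize(info)` is handed to `Typify` without a null check, and `Typify` immediately calls `type->Ref()`; if `BroType::Unserialize` signals failure by returning null, as the `bloom_filter != 0` test a few lines later assumes for `BloomFilter::Unserialize`, a truncated or malformed stream becomes a crash instead of a failed deserialization. Check it first: `if ( ! t ) return false;`. The local is also called `type` and, after this commit's rename of the member from `type_` to `type`, shadows the member it ultimately initializes through `Typify`; naming the local `t` removes the shadowing and the ambiguity in `Unref(type)`.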
diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index 5ccf73e11f..ea704cb70a 100644 --- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h @@ -116,21 +116,19 @@ private: }; class BloomFilterVal : public OpaqueVal { - BloomFilterVal(const BloomFilterVal&); - BloomFilterVal& operator=(const BloomFilterVal&); public: - static BloomFilterVal* Merge(const BloomFilterVal* x, - const BloomFilterVal* y); - explicit BloomFilterVal(probabilistic::BloomFilter* bf); - ~BloomFilterVal(); + virtual ~BloomFilterVal(); - bool Typify(BroType* type); BroType* Type() const; + bool Typify(BroType* type); void Add(const Val* val); size_t Count(const Val* val) const; + static BloomFilterVal* Merge(const BloomFilterVal* x, + const BloomFilterVal* y); + protected: friend class Val; BloomFilterVal(); 
@@ -139,32 +137,35 @@ protected: DECLARE_SERIAL(BloomFilterVal); private: - template - static BloomFilterVal* DoMerge(const BloomFilterVal* x, - const BloomFilterVal* y) - { - if ( typeid(*x->bloom_filter_) != typeid(*y->bloom_filter_) ) - { - reporter->InternalError("cannot merge different Bloom filter types"); - return NULL; - } - if ( typeid(T) != typeid(*x->bloom_filter_) ) - return NULL; - const T* a = static_cast(x->bloom_filter_); - const T* b = static_cast(y->bloom_filter_); - BloomFilterVal* merged = new BloomFilterVal(T::Merge(a, b)); - assert(merged); - if ( ! merged->Typify(x->Type()) ) - { - reporter->InternalError("failed to set type on merged Bloom filter"); - return NULL; - } - return merged; - } + // Disable. + BloomFilterVal(const BloomFilterVal&); + BloomFilterVal& operator=(const BloomFilterVal&); - BroType* type_; - CompositeHash* hash_; - probabilistic::BloomFilter* bloom_filter_; -}; + template + static BloomFilterVal* DoMerge(const BloomFilterVal* x, + const BloomFilterVal* y) + { + if ( typeid(*x->bloom_filter) != typeid(*y->bloom_filter) ) + reporter->InternalError("cannot merge different Bloom filter types"); + + if ( typeid(T) != typeid(*x->bloom_filter) ) + return 0; + + const T* a = static_cast(x->bloom_filter); + const T* b = static_cast(y->bloom_filter); + + BloomFilterVal* merged = new BloomFilterVal(T::Merge(a, b)); + assert(merged); + + if ( ! merged->Typify(x->Type()) ) + reporter->InternalError("failed to set type on merged Bloom filter"); + + return merged; + } + + BroType* type; + CompositeHash* hash; + probabilistic::BloomFilter* bloom_filter; + }; #endif diff --git a/src/Type.cc b/src/Type.cc index 57d9d0e6e5..563bc5afbd 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -1321,6 +1321,7 @@ bool OpaqueType::DoUnserialize(UnserialInfo* info) const char* n; if ( ! UNSERIALIZE_STR(&n, 0) ) return false; + name = n; delete [] n; 
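Review bot: `assert(merged)` after `new BloomFilterVal(T::Merge(a, b))` is dead code, since `new` throws on allocation failure rather than returning null; remove it. The `// Disable.` comment on the private copy constructor and assignment operator says what but not why; `// Copying is disabled: the object owns the raw type/hash/filter pointers it deletes in its destructor.` documents the invariant (the destructor in this commit's OpaqueVal.cc hunk does delete them). Declaring the two as `private` without a definition is the pre-C++11 idiom, so a reader of this header should not expect a body to exist anywhere.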
diff --git a/src/probabilistic/BitVector.cc b/src/probabilistic/BitVector.cc index 67714fe7d0..98f008b24b 100644 --- a/src/probabilistic/BitVector.cc +++ b/src/probabilistic/BitVector.cc @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include "BitVector.h" #include 
@@ -8,505 +10,558 @@ using namespace probabilistic; BitVector::size_type BitVector::npos = static_cast(-1); BitVector::block_type BitVector::bits_per_block = - std::numeric_limits::digits; + std::numeric_limits::digits; namespace { uint8_t count_table[] = { - 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4, 1, 2, 2, 3, 2, 3, 3, 4, 2, - 3, 3, 4, 3, 4, 4, 5, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 2, 3, - 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, - 4, 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 2, 3, 3, 4, - 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, - 6, 6, 7, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, - 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, - 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 2, 3, 3, 4, 3, 4, 4, 5, - 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 3, - 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 4, 5, 5, 6, 5, 6, 6, 7, 5, 6, - 6, 7, 6, 7, 7, 8 + 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4, 1, 2, 2, 3, 2, 3, 3, 4, 2, + 3, 3, 4, 3, 4, 4, 5, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 2, 3, + 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, + 4, 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 2, 3, 3, 4, + 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, + 6, 6, 7, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, + 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, + 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 2, 3, 3, 4, 3, 4, 4, 5, + 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 3, + 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 4, 5, 5, 6, 5, 6, 6, 7, 5, 6, + 6, 7, 6, 7, 7, 8 }; } // namespace BitVector::Reference::Reference(block_type& block, block_type i) - : block_(block), - mask_(block_type(1) << i) - { - assert(i < bits_per_block); 
- } + : block(block), mask((block_type(1) << i)) + { + assert(i < bits_per_block); + } BitVector::Reference& BitVector::Reference::Flip() - { - block_ ^= mask_; - return *this; - } + { + block ^= mask; + return *this; + } BitVector::Reference::operator bool() const - { - return (block_ & mask_) != 0; - } + { + return (block & mask) != 0; + } bool BitVector::Reference::operator~() const - { - return (block_ & mask_) == 0; - } + { + return (block & mask) == 0; + } BitVector::Reference& BitVector::Reference::operator=(bool x) - { - x ? block_ |= mask_ : block_ &= ~mask_; - return *this; - } + { + if ( x ) + block |= mask; + else + block &= ~mask; -BitVector::Reference& BitVector::Reference::operator=(Reference const& other) - { - other ? block_ |= mask_ : block_ &= ~mask_; - return *this; - } + return *this; + } + +BitVector::Reference& BitVector::Reference::operator=(const Reference& other) + { + if ( other ) + block |= mask; + else + block &= ~mask; + + return *this; + } BitVector::Reference& BitVector::Reference::operator|=(bool x) - { - if (x) - block_ |= mask_; - return *this; - } + { + if ( x ) + block |= mask; + + return *this; + } BitVector::Reference& BitVector::Reference::operator&=(bool x) - { - if (! x) - block_ &= ~mask_; - return *this; - } + { + if ( ! x ) + block &= ~mask; + + return *this; + } BitVector::Reference& BitVector::Reference::operator^=(bool x) - { - if (x) - block_ ^= mask_; - return *this; - } + { + if ( x ) + block ^= mask; + + return *this; + } BitVector::Reference& BitVector::Reference::operator-=(bool x) - { - if (x) - block_ &= ~mask_; - return *this; - } + { + if ( x ) + block &= ~mask; + return *this; + } -BitVector::BitVector() : num_bits_(0) { } +BitVector::BitVector() + { + num_bits = 0; + } BitVector::BitVector(size_type size, bool value) - : bits_(bits_to_blocks(size), value ? ~block_type(0) : 0), - num_bits_(size) -{ } + : bits(bits_to_blocks(size), value ? 
~block_type(0) : 0) + { + num_bits = size; + } BitVector::BitVector(BitVector const& other) - : bits_(other.bits_), - num_bits_(other.num_bits_) -{ } + : bits(other.bits) + { + num_bits = other.num_bits; + } BitVector BitVector::operator~() const - { - BitVector b(*this); - b.Flip(); - return b; - } + { + BitVector b(*this); + b.Flip(); + return b; + } BitVector& BitVector::operator=(BitVector const& other) - { - bits_ = other.bits_; - return *this; - } + { + bits = other.bits; + return *this; + } BitVector BitVector::operator<<(size_type n) const - { - BitVector b(*this); - return b <<= n; - } + { + BitVector b(*this); + return b <<= n; + } BitVector BitVector::operator>>(size_type n) const - { - BitVector b(*this); - return b >>= n; - } + { + BitVector b(*this); + return b >>= n; + } BitVector& BitVector::operator<<=(size_type n) - { - if (n >= num_bits_) - return Reset(); + { + if ( n >= num_bits ) + return Reset(); - if (n > 0) - { - size_type last = Blocks() - 1; - size_type div = n / bits_per_block; - block_type r = bit_index(n); - block_type* b = &bits_[0]; - assert(Blocks() >= 1); - assert(div <= last); + if ( n > 0 ) + { + size_type last = Blocks() - 1; + size_type div = n / bits_per_block; + block_type r = bit_index(n); + block_type* b = &bits[0]; - if (r != 0) - { - for (size_type i = last - div; i > 0; --i) - b[i + div] = (b[i] << r) | (b[i - 1] >> (bits_per_block - r)); - b[div] = b[0] << r; - } - else - { - for (size_type i = last-div; i > 0; --i) - b[i + div] = b[i]; - b[div] = b[0]; - } + assert(Blocks() >= 1); + assert(div <= last); - std::fill_n(b, div, block_type(0)); - zero_unused_bits(); - } + if ( r != 0 ) + { + for ( size_type i = last - div; i > 0; --i ) + b[i + div] = (b[i] << r) | (b[i - 1] >> (bits_per_block - r)); - return *this; - } + b[div] = b[0] << r; + } + + else + { + for (size_type i = last-div; i > 0; --i) + b[i + div] = b[i]; + + b[div] = b[0]; + } + + std::fill_n(b, div, block_type(0)); + zero_unused_bits(); + } + + return 
*this; + } BitVector& BitVector::operator>>=(size_type n) - { - if (n >= num_bits_) - return Reset(); + { + if ( n >= num_bits ) + return Reset(); - if (n > 0) - { - size_type last = Blocks() - 1; - size_type div = n / bits_per_block; - block_type r = bit_index(n); - block_type* b = &bits_[0]; - assert(Blocks() >= 1); - assert(div <= last); + if ( n > 0 ) + { + size_type last = Blocks() - 1; + size_type div = n / bits_per_block; + block_type r = bit_index(n); + block_type* b = &bits[0]; - if (r != 0) - { - for (size_type i = last - div; i > 0; --i) - b[i - div] = (b[i] >> r) | (b[i + 1] << (bits_per_block - r)); - b[last - div] = b[last] >> r; - } - else - { - for (size_type i = div; i <= last; ++i) - b[i-div] = b[i]; - } + assert(Blocks() >= 1); + assert(div <= last); - std::fill_n(b + (Blocks() - div), div, block_type(0)); - } - return *this; - } + if ( r != 0 ) + { + for (size_type i = last - div; i > 0; --i) + b[i - div] = (b[i] >> r) | (b[i + 1] << (bits_per_block - r)); + + b[last - div] = b[last] >> r; + } + + else + { + for (size_type i = div; i <= last; ++i) + b[i-div] = b[i]; + } + + std::fill_n(b + (Blocks() - div), div, block_type(0)); + } + + return *this; + } BitVector& BitVector::operator&=(BitVector const& other) - { - assert(Size() >= other.Size()); - for (size_type i = 0; i < Blocks(); ++i) - bits_[i] &= other.bits_[i]; - return *this; - } + { + assert(Size() >= other.Size()); + + for ( size_type i = 0; i < Blocks(); ++i ) + bits[i] &= other.bits[i]; + + return *this; + } BitVector& BitVector::operator|=(BitVector const& other) - { - assert(Size() >= other.Size()); - for (size_type i = 0; i < Blocks(); ++i) - bits_[i] |= other.bits_[i]; - return *this; - } + { + assert(Size() >= other.Size()); + + for ( size_type i = 0; i < Blocks(); ++i ) + bits[i] |= other.bits[i]; + + return *this; + } BitVector& BitVector::operator^=(BitVector const& other) - { - assert(Size() >= other.Size()); - for (size_type i = 0; i < Blocks(); ++i) - bits_[i] ^= 
other.bits_[i]; - return *this; - } + { + assert(Size() >= other.Size()); + + for ( size_type i = 0; i < Blocks(); ++i ) + bits[i] ^= other.bits[i]; + + return *this; + } BitVector& BitVector::operator-=(BitVector const& other) - { - assert(Size() >= other.Size()); - for (size_type i = 0; i < Blocks(); ++i) - bits_[i] &= ~other.bits_[i]; - return *this; - } + { + assert(Size() >= other.Size()); + + for ( size_type i = 0; i < Blocks(); ++i ) + bits[i] &= ~other.bits[i]; + + return *this; + } namespace probabilistic { BitVector operator&(BitVector const& x, BitVector const& y) - { - BitVector b(x); - return b &= y; - } + { + BitVector b(x); + return b &= y; + } BitVector operator|(BitVector const& x, BitVector const& y) - { - BitVector b(x); - return b |= y; - } + { + BitVector b(x); + return b |= y; + } BitVector operator^(BitVector const& x, BitVector const& y) - { - BitVector b(x); - return b ^= y; - } + { + BitVector b(x); + return b ^= y; + } BitVector operator-(BitVector const& x, BitVector const& y) - { - BitVector b(x); - return b -= y; - } + { + BitVector b(x); + return b -= y; + } bool operator==(BitVector const& x, BitVector const& y) - { - return x.num_bits_ == y.num_bits_ && x.bits_ == y.bits_; - } + { + return x.num_bits == y.num_bits && x.bits == y.bits; + } bool operator!=(BitVector const& x, BitVector const& y) - { - return ! (x == y); - } + { + return ! 
(x == y); + } bool operator<(BitVector const& x, BitVector const& y) - { - assert(x.Size() == y.Size()); - for (BitVector::size_type r = x.Blocks(); r > 0; --r) - { - BitVector::size_type i = r - 1; - if (x.bits_[i] < y.bits_[i]) - return true; - else if (x.bits_[i] > y.bits_[i]) - return false; - } - return false; - } + { + assert(x.Size() == y.Size()); + + for ( BitVector::size_type r = x.Blocks(); r > 0; --r ) + { + BitVector::size_type i = r - 1; + + if ( x.bits[i] < y.bits[i] ) + return true; + + else if ( x.bits[i] > y.bits[i] ) + return false; + + } + + return false; + } } void BitVector::Resize(size_type n, bool value) - { - size_type old = Blocks(); - size_type required = bits_to_blocks(n); - block_type block_value = value ? ~block_type(0) : block_type(0); + { + size_type old = Blocks(); + size_type required = bits_to_blocks(n); + block_type block_value = value ? ~block_type(0) : block_type(0); - if (required != old) - bits_.resize(required, block_value); + if ( required != old ) + bits.resize(required, block_value); - if (value && (n > num_bits_) && extra_bits()) - bits_[old - 1] |= (block_value << extra_bits()); + if ( value && (n > num_bits) && extra_bits() ) + bits[old - 1] |= (block_value << extra_bits()); - num_bits_ = n; - zero_unused_bits(); - } + num_bits = n; + zero_unused_bits(); + } void BitVector::Clear() - { - bits_.clear(); - num_bits_ = 0; - } + { + bits.clear(); + num_bits = 0; + } void BitVector::PushBack(bool bit) - { - size_type s = Size(); - Resize(s + 1); - Set(s, bit); - } + { + size_type s = Size(); + Resize(s + 1); + Set(s, bit); + } void BitVector::Append(block_type block) - { - size_type excess = extra_bits(); - if (excess) - { - assert(! Empty()); - bits_.push_back(block >> (bits_per_block - excess)); - bits_[Blocks() - 2] |= (block << excess); - } - else - { - bits_.push_back(block); - } - num_bits_ += bits_per_block; - } + { + size_type excess = extra_bits(); + + if ( excess ) + { + assert(! 
Empty()); + bits.push_back(block >> (bits_per_block - excess)); + bits[Blocks() - 2] |= (block << excess); + } + + else + { + bits.push_back(block); + } + + num_bits += bits_per_block; + } BitVector& BitVector::Set(size_type i, bool bit) - { - assert(i < num_bits_); - if (bit) - bits_[block_index(i)] |= bit_mask(i); - else - Reset(i); - return *this; - } + { + assert(i < num_bits); + + if ( bit ) + bits[block_index(i)] |= bit_mask(i); + else + Reset(i); + + return *this; + } BitVector& BitVector::Set() - { - std::fill(bits_.begin(), bits_.end(), ~block_type(0)); - zero_unused_bits(); - return *this; - } + { + std::fill(bits.begin(), bits.end(), ~block_type(0)); + zero_unused_bits(); + return *this; + } BitVector& BitVector::Reset(size_type i) - { - assert(i < num_bits_); - bits_[block_index(i)] &= ~bit_mask(i); - return *this; - } + { + assert(i < num_bits); + bits[block_index(i)] &= ~bit_mask(i); + return *this; + } BitVector& BitVector::Reset() - { - std::fill(bits_.begin(), bits_.end(), block_type(0)); - return *this; - } + { + std::fill(bits.begin(), bits.end(), block_type(0)); + return *this; + } BitVector& BitVector::Flip(size_type i) - { - assert(i < num_bits_); - bits_[block_index(i)] ^= bit_mask(i); - return *this; - } + { + assert(i < num_bits); + bits[block_index(i)] ^= bit_mask(i); + return *this; + } BitVector& BitVector::Flip() - { - for (size_type i = 0; i < Blocks(); ++i) - bits_[i] = ~bits_[i]; - zero_unused_bits(); - return *this; - } + { + for (size_type i = 0; i < Blocks(); ++i) + bits[i] = ~bits[i]; + + zero_unused_bits(); + return *this; + } bool BitVector::operator[](size_type i) const - { - assert(i < num_bits_); - return (bits_[block_index(i)] & bit_mask(i)) != 0; - } + { + assert(i < num_bits); + return (bits[block_index(i)] & bit_mask(i)) != 0; + } BitVector::Reference BitVector::operator[](size_type i) - { - assert(i < num_bits_); - return Reference(bits_[block_index(i)], bit_index(i)); - } + { + assert(i < num_bits); + return 
Reference(bits[block_index(i)], bit_index(i)); + } BitVector::size_type BitVector::Count() const - { - std::vector::const_iterator first = bits_.begin(); - size_t n = 0; - size_type length = Blocks(); - while (length) - { - block_type block = *first; - while (block) - { - // TODO: use __popcnt if available. - n += count_table[block & ((1u << 8) - 1)]; - block >>= 8; - } - ++first; - --length; - } - return n; - } + { + std::vector::const_iterator first = bits.begin(); + size_t n = 0; + size_type length = Blocks(); + + while ( length ) + { + block_type block = *first; + + while ( block ) + { + // TODO: use _popcnt if available. + n += count_table[block & ((1u << 8) - 1)]; + block >>= 8; + } + + ++first; + --length; + } + + return n; + } BitVector::size_type BitVector::Blocks() const - { - return bits_.size(); - } + { + return bits.size(); + } BitVector::size_type BitVector::Size() const - { - return num_bits_; - } + { + return num_bits; + } bool BitVector::Empty() const - { - return bits_.empty(); - } + { + return bits.empty(); + } BitVector::size_type BitVector::FindFirst() const - { - return find_from(0); - } + { + return find_from(0); + } BitVector::size_type BitVector::FindNext(size_type i) const - { - if (i >= (Size() - 1) || Size() == 0) - return npos; - ++i; - size_type bi = block_index(i); - block_type block = bits_[bi] & (~block_type(0) << bit_index(i)); - return block ? bi * bits_per_block + lowest_bit(block) : find_from(bi + 1); - } + { + if ( i >= (Size() - 1) || Size() == 0 ) + return npos; + + ++i; + size_type bi = block_index(i); + block_type block = bits[bi] & (~block_type(0) << bit_index(i)); + return block ? 
bi * bits_per_block + lowest_bit(block) : find_from(bi + 1); + } BitVector::size_type BitVector::lowest_bit(block_type block) - { - block_type x = block - (block & (block - 1)); - size_type log = 0; - while (x >>= 1) - ++log; - return log; - } + { + block_type x = block - (block & (block - 1)); + size_type log = 0; + + while (x >>= 1) + ++log; + + return log; + } BitVector::block_type BitVector::extra_bits() const - { - return bit_index(Size()); - } + { + return bit_index(Size()); + } void BitVector::zero_unused_bits() - { - if (extra_bits()) - bits_.back() &= ~(~block_type(0) << extra_bits()); - } + { + if ( extra_bits() ) + bits.back() &= ~(~block_type(0) << extra_bits()); + } BitVector::size_type BitVector::find_from(size_type i) const - { - while (i < Blocks() && bits_[i] == 0) - ++i; - if (i >= Blocks()) - return npos; - return i * bits_per_block + lowest_bit(bits_[i]); - } + { + while (i < Blocks() && bits[i] == 0) + ++i; + + if ( i >= Blocks() ) + return npos; + + return i * bits_per_block + lowest_bit(bits[i]); + } bool BitVector::Serialize(SerialInfo* info) const - { - return SerialObj::Serialize(info); - } + { + return SerialObj::Serialize(info); + } BitVector* BitVector::Unserialize(UnserialInfo* info) - { - return reinterpret_cast( - SerialObj::Unserialize(info, SER_BITVECTOR)); - } + { + return reinterpret_cast(SerialObj::Unserialize(info, SER_BITVECTOR)); + } IMPLEMENT_SERIAL(BitVector, SER_BITVECTOR); bool BitVector::DoSerialize(SerialInfo* info) const - { - DO_SERIALIZE(SER_BITVECTOR, SerialObj); + { + DO_SERIALIZE(SER_BITVECTOR, SerialObj); - if ( ! SERIALIZE(static_cast(bits_.size())) ) - return false; + if ( ! SERIALIZE(static_cast(bits.size())) ) + return false; - for ( size_t i = 0; i < bits_.size(); ++i ) - if ( ! SERIALIZE(static_cast(bits_[i])) ) - return false; + for ( size_t i = 0; i < bits.size(); ++i ) + if ( ! 
SERIALIZE(static_cast(bits[i])) ) + return false; - return SERIALIZE(static_cast(num_bits_)); - } + return SERIALIZE(static_cast(num_bits)); + } bool BitVector::DoUnserialize(UnserialInfo* info) - { - DO_UNSERIALIZE(SerialObj); + { + DO_UNSERIALIZE(SerialObj); - uint64 size; - if ( ! UNSERIALIZE(&size) ) - return false; + uint64 size; + if ( ! UNSERIALIZE(&size) ) + return false; - bits_.resize(static_cast(size)); - uint64 block; - for ( size_t i = 0; i < bits_.size(); ++i ) - { - if ( ! UNSERIALIZE(&block) ) - return false; - bits_[i] = static_cast(block); - } + bits.resize(static_cast(size)); - uint64 num_bits; - if ( ! UNSERIALIZE(&num_bits) ) - return false; - num_bits_ = static_cast(num_bits); + for ( size_t i = 0; i < bits.size(); ++i ) + { + uint64 block; + if ( ! UNSERIALIZE(&block) ) + return false; - return true; - } + bits[i] = static_cast(block); + } + + uint64 num_bits; + if ( ! UNSERIALIZE(&num_bits) ) + return false; + + num_bits = static_cast(num_bits); + + return true; + } diff --git a/src/probabilistic/BitVector.h b/src/probabilistic/BitVector.h index 8832c24cbe..9eefe1b633 100644 --- a/src/probabilistic/BitVector.h +++ b/src/probabilistic/BitVector.h @@ -1,8 +1,11 @@ -#ifndef BitVector_h -#define BitVector_h +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef PROBABILISTIC_BITVECTOR_H +#define PROBABILISTIC_BITVECTOR_H #include #include + #include "SerialObj.h" namespace probabilistic { 
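Review bot: In `DoUnserialize` the rename introduces a real bug: the local `uint64 num_bits` shadows the member `num_bits`, so `num_bits = static_cast<size_type>(num_bits);` assigns the local to itself and the member is never updated, whereas the old code wrote `num_bits_`. Rename the local, e.g. `uint64 nb;` ... `num_bits = static_cast<size_type>(nb);`. The function also resizes `bits` to whatever `size` the stream claims and never checks that the stored bit count fits in `bits.size() * bits_per_block`, so a corrupt or hostile serialized vector can force a huge allocation or later out-of-range indexing in `Set`, `Reset` and `operator[]`; reject inconsistent values with `if ( nb > bits.size() * bits_per_block ) return false;`. Unrelated to the rename, `operator&=`, `|=`, `^=` and `-=` assert `Size() >= other.Size()` but then index `other.bits[i]` for every block of `*this`, which reads past the end of `other.bits` when `other` is shorter; the precondition that the loop actually relies on is `Size() == other.Size()`.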
@@ -12,322 +15,348 @@ namespace probabilistic { */ class BitVector : public SerialObj { public: - typedef size_t block_type; - typedef size_t size_type; - static size_type npos; - static block_type bits_per_block; + typedef size_t block_type; + typedef size_t size_type; + typedef bool const_reference; -public: - /** - * An lvalue proxy for single bits. - */ - class Reference { - friend class BitVector; - Reference(block_type& block, block_type i); + static size_type npos; + static block_type bits_per_block; - public: - Reference& Flip(); - operator bool() const; - bool operator~() const; - Reference& operator=(bool x); - Reference& operator=(Reference const& other); - Reference& operator|=(bool x); - Reference& operator&=(bool x); - Reference& operator^=(bool x); - Reference& operator-=(bool x); + /** + * An lvalue proxy for individual bits. + */ + class Reference { + public: + /** + * Inverts the bits' values. + */ + Reference& Flip(); - private: - void operator&(); - block_type& block_; - block_type const mask_; - }; + operator bool() const; + bool operator~() const; + Reference& operator=(bool x); + Reference& operator=(const Reference& other); + Reference& operator|=(bool x); + Reference& operator&=(bool x); + Reference& operator^=(bool x); + Reference& operator-=(bool x); - typedef bool const_reference; + private: + friend class BitVector; - /** - * Default-constructs an empty bit vector. - */ - BitVector(); + Reference(block_type& block, block_type i); + void operator&(); - /** - * Constructs a bit vector of a given size. - * @param size The number of bits. - * @param value The value for each bit. - */ - explicit BitVector(size_type size, bool value = false); + block_type& block; + const block_type mask; + }; - /** - * Constructs a bit vector from a sequence of blocks. 
- */ - template - BitVector(InputIterator first, InputIterator last) - { - bits_.insert(bits_.end(), first, last); - num_bits_ = bits_.size() * bits_per_block; - } + /** + * Default-constructs an empty bit vector. + */ + BitVector(); - /** - * Copy-constructs a bit vector. - * @param other The bit vector to copy. - */ - BitVector(const BitVector& other); + /** + * Constructs a bit vector of a given size. + * @param size The number of bits. + * @param value The value for each bit. + */ + explicit BitVector(size_type size, bool value = false); - /** - * Assigns another bit vector to this instance. - * @param other The RHS of the assignment. - */ - BitVector& operator=(const BitVector& other); + /** + * Constructs a bit vector from a sequence of blocks. + * + * @param first Start of range + * @param last End of range. + * + */ + template + BitVector(InputIterator first, InputIterator last) + { + bits.insert(bits.end(), first, last); + num_bits = bits.size() * bits_per_block; + } - // - // Bitwise operations - // - BitVector operator~() const; - BitVector operator<<(size_type n) const; - BitVector operator>>(size_type n) const; - BitVector& operator<<=(size_type n); - BitVector& operator>>=(size_type n); - BitVector& operator&=(BitVector const& other); - BitVector& operator|=(BitVector const& other); - BitVector& operator^=(BitVector const& other); - BitVector& operator-=(BitVector const& other); - friend BitVector operator&(BitVector const& x, BitVector const& y); - friend BitVector operator|(BitVector const& x, BitVector const& y); - friend BitVector operator^(BitVector const& x, BitVector const& y); - friend BitVector operator-(BitVector const& x, BitVector const& y); + /** + * Copy-constructs a bit vector. + * @param other The bit vector to copy. 
+ */ + BitVector(const BitVector& other); - // - // Relational operators - // - friend bool operator==(BitVector const& x, BitVector const& y); - friend bool operator!=(BitVector const& x, BitVector const& y); - friend bool operator<(BitVector const& x, BitVector const& y); + /** + * Assigns another bit vector to this instance. + * @param other The RHS of the assignment. + */ + BitVector& operator=(const BitVector& other); - // - // Basic operations - // - /** Appends the bits in a sequence of values. - * @tparam Iterator A forward iterator. - * @param first An iterator pointing to the first element of the sequence. - * @param last An iterator pointing to one past the last element of the - * sequence. - */ - template - void Append(ForwardIterator first, ForwardIterator last) - { - if (first == last) - return; + // + // Bitwise operations. + // + BitVector operator~() const; + BitVector operator<<(size_type n) const; + BitVector operator>>(size_type n) const; + BitVector& operator<<=(size_type n); + BitVector& operator>>=(size_type n); + BitVector& operator&=(BitVector const& other); + BitVector& operator|=(BitVector const& other); + BitVector& operator^=(BitVector const& other); + BitVector& operator-=(BitVector const& other); + friend BitVector operator&(BitVector const& x, BitVector const& y); + friend BitVector operator|(BitVector const& x, BitVector const& y); + friend BitVector operator^(BitVector const& x, BitVector const& y); + friend BitVector operator-(BitVector const& x, BitVector const& y); - block_type excess = extra_bits(); - typename std::iterator_traits::difference_type delta = - std::distance(first, last); + // + // Relational operators + // + friend bool operator==(BitVector const& x, BitVector const& y); + friend bool operator!=(BitVector const& x, BitVector const& y); + friend bool operator<(BitVector const& x, BitVector const& y); - bits_.reserve(Blocks() + delta); - if (excess == 0) - { - bits_.back() |= (*first << excess); - do - { - 
block_type b = *first++ >> (bits_per_block - excess); - bits_.push_back(b | (first == last ? 0 : *first << excess)); - } while (first != last); - } - else - { - bits_.insert(bits_.end(), first, last); - } - num_bits_ += bits_per_block * delta; - } + // + // Basic operations + // - /** - * Appends the bits in a given block. - * @param block The block containing bits to append. - */ - void Append(block_type block); + /** Appends the bits in a sequence of values. + * @tparam Iterator A forward iterator. + * @param first An iterator pointing to the first element of the sequence. + * @param last An iterator pointing to one past the last element of the + * sequence. + */ + template + void Append(ForwardIterator first, ForwardIterator last) + { + if ( first == last ) + return; - /** Appends a single bit to the end of the bit vector. - * @param bit The value of the bit. - */ - void PushBack(bool bit); + block_type excess = extra_bits(); + typename std::iterator_traits::difference_type delta = + std::distance(first, last); - /** - * Clears all bits in the bitvector. - */ - void Clear(); + bits.reserve(Blocks() + delta); - /** - * Resizes the bit vector to a new number of bits. - * @param n The new number of bits of the bit vector. - * @param value The bit value of new values, if the vector expands. - */ - void Resize(size_type n, bool value = false); + if ( excess == 0 ) + { + bits.back() |= (*first << excess); - /** - * Sets a bit at a specific position to a given value. - * @param i The bit position. - * @param bit The value assigned to position *i*. - * @return A reference to the bit vector instance. - */ - BitVector& Set(size_type i, bool bit = true); + do { + block_type b = *first++ >> (bits_per_block - excess); + bits.push_back(b | (first == last ? 0 : *first << excess)); + } while (first != last); - /** - * Sets all bits to 1. - * @return A reference to the bit vector instance. 
- */ - BitVector& Set(); + } - /** - * Resets a bit at a specific position, i.e., sets it to 0. - * @param i The bit position. - * @return A reference to the bit vector instance. - */ - BitVector& Reset(size_type i); + else + bits.insert(bits.end(), first, last); - /** - * Sets all bits to 0. - * @return A reference to the bit vector instance. - */ - BitVector& Reset(); + num_bits += bits_per_block * delta; + } - /** - * Toggles/flips a bit at a specific position. - * @param i The bit position. - * @return A reference to the bit vector instance. - */ - BitVector& Flip(size_type i); + /** + * Appends the bits in a given block. + * @param block The block containing bits to append. + */ + void Append(block_type block); - /** - * Computes the complement. - * @return A reference to the bit vector instance. - */ - BitVector& Flip(); + /** Appends a single bit to the end of the bit vector. + * @param bit The value of the bit. + */ + void PushBack(bool bit); - /** Retrieves a single bit. - * @param i The bit position. - * @return A mutable reference to the bit at position *i*. - */ - Reference operator[](size_type i); + /** + * Clears all bits in the bitvector. + */ + void Clear(); - /** - * Retrieves a single bit. - * @param i The bit position. - * @return A const-reference to the bit at position *i*. - */ - const_reference operator[](size_type i) const; + /** + * Resizes the bit vector to a new number of bits. + * @param n The new number of bits of the bit vector. + * @param value The bit value of new values, if the vector expands. + */ + void Resize(size_type n, bool value = false); - /** - * Counts the number of 1-bits in the bit vector. Also known as *population - * count* or *Hamming weight*. - * @return The number of bits set to 1. - */ - size_type Count() const; + /** + * Sets a bit at a specific position to a given value. + * @param i The bit position. + * @param bit The value assigned to position *i*. + * @return A reference to the bit vector instance. 
+ */ + BitVector& Set(size_type i, bool bit = true); - /** - * Retrieves the number of blocks of the underlying storage. - * @param The number of blocks that represent `Size()` bits. - */ - size_type Blocks() const; + /** + * Sets all bits to 1. + * @return A reference to the bit vector instance. + */ + BitVector& Set(); - /** - * Retrieves the number of bits the bitvector consist of. - * @return The length of the bit vector in bits. - */ - size_type Size() const; + /** + * Resets a bit at a specific position, i.e., sets it to 0. + * @param i The bit position. + * @return A reference to the bit vector instance. + */ + BitVector& Reset(size_type i); - /** - * Checks whether the bit vector is empty. - * @return `true` iff the bitvector has zero length. - */ - bool Empty() const; + /** + * Sets all bits to 0. + * @return A reference to the bit vector instance. + */ + BitVector& Reset(); - /** - * Finds the bit position of of the first 1-bit. - * @return The position of the first bit that equals to one or `npos` if no - * such bit exists. - */ - size_type FindFirst() const; + /** + * Toggles/flips a bit at a specific position. + * @param i The bit position. + * @return A reference to the bit vector instance. + */ + BitVector& Flip(size_type i); - /** - * Finds the next 1-bit from a given starting position. - * - * @param i The index where to start looking. - * - * @return The position of the first bit that equals to 1 after position - * *i* or `npos` if no such bit exists. - */ - size_type FindNext(size_type i) const; + /** + * Computes the complement. + * @return A reference to the bit vector instance. + */ + BitVector& Flip(); - bool Serialize(SerialInfo* info) const; - static BitVector* Unserialize(UnserialInfo* info); + /** Retrieves a single bit. + * @param i The bit position. + * @return A mutable reference to the bit at position *i*. + */ + Reference operator[](size_type i); + + /** + * Retrieves a single bit. + * @param i The bit position. 
+ * @return A const-reference to the bit at position *i*. + */ + const_reference operator[](size_type i) const; + + /** + * Counts the number of 1-bits in the bit vector. Also known as *population + * count* or *Hamming weight*. + * @return The number of bits set to 1. + */ + size_type Count() const; + + /** + * Retrieves the number of blocks of the underlying storage. + * @param The number of blocks that represent `Size()` bits. + */ + size_type Blocks() const; + + /** + * Retrieves the number of bits the bitvector consist of. + * @return The length of the bit vector in bits. + */ + size_type Size() const; + + /** + * Checks whether the bit vector is empty. + * @return `true` iff the bitvector has zero length. + */ + bool Empty() const; + + /** + * Finds the bit position of of the first 1-bit. + * @return The position of the first bit that equals to one or `npos` if no + * such bit exists. + */ + size_type FindFirst() const; + + /** + * Finds the next 1-bit from a given starting position. + * + * @param i The index where to start looking. + * + * @return The position of the first bit that equals to 1 after position + * *i* or `npos` if no such bit exists. + */ + size_type FindNext(size_type i) const; + + /** + * Serializes the bit vector. + * + * @param info The serializaton informationt to use. + * + * @return True if successful. + */ + bool Serialize(SerialInfo* info) const; + + /** + * Unserialize the bit vector. + * + * @param info The serializaton informationt to use. + * + * @return The unserialized bit vector, or null if an error occured. + */ + static BitVector* Unserialize(UnserialInfo* info); protected: - DECLARE_SERIAL(BitVector); + DECLARE_SERIAL(BitVector); private: - /** - * Computes the block index for a given bit position. - */ - static size_type block_index(size_type i) - { - return i / bits_per_block; - } + /** + * Computes the number of excess/unused bits in the bit vector. 
+ */ + block_type extra_bits() const; - /** - * Computes the bit index within a given block for a given bit position. - */ - static block_type bit_index(size_type i) - { - return i % bits_per_block; - } + /** + * If the number of bits in the vector are not not a multiple of + * bitvector::bits_per_block, then the last block exhibits unused bits which + * this function resets. + */ + void zero_unused_bits(); - /** - * Computes the bitmask block to extract a bit a given bit position. - */ - static block_type bit_mask(size_type i) - { - return block_type(1) << bit_index(i); - } + /** + * Looks for the first 1-bit starting at a given position. + * @param i The block index to start looking. + * @return The block index of the first 1-bit starting from *i* or + * `bitvector::npos` if no 1-bit exists. + */ + size_type find_from(size_type i) const; - /** - * Computes the number of blocks needed to represent a given number of - * bits. - * @param bits the number of bits. - * @return The number of blocks to represent *bits* number of bits. - */ - static size_type bits_to_blocks(size_type bits) - { - return bits / bits_per_block - + static_cast(bits % bits_per_block != 0); - } + /** + * Computes the block index for a given bit position. + */ + static size_type block_index(size_type i) + { + return i / bits_per_block; + } - /** - * Computes the bit position first 1-bit in a given block. - * @param block The block to inspect. - * @return The bit position where *block* has its first bit set to 1. - */ - static size_type lowest_bit(block_type block); + /** + * Computes the bit index within a given block for a given bit position. + */ + static block_type bit_index(size_type i) + { + return i % bits_per_block; + } - /** - * Computes the number of excess/unused bits in the bit vector. - */ - block_type extra_bits() const; + /** + * Computes the bitmask block to extract a bit a given bit position. 
+ */ + static block_type bit_mask(size_type i) + { + return block_type(1) << bit_index(i); + } - /** - * If the number of bits in the vector are not not a multiple of - * bitvector::bits_per_block, then the last block exhibits unused bits which - * this function resets. - */ - void zero_unused_bits(); + /** + * Computes the number of blocks needed to represent a given number of + * bits. + * @param bits the number of bits. + * @return The number of blocks to represent *bits* number of bits. + */ + static size_type bits_to_blocks(size_type bits) + { + return bits / bits_per_block + + static_cast(bits % bits_per_block != 0); + } - /** - * Looks for the first 1-bit starting at a given position. - * @param i The block index to start looking. - * @return The block index of the first 1-bit starting from *i* or - * `bitvector::npos` if no 1-bit exists. - */ - size_type find_from(size_type i) const; + /** + * Computes the bit position first 1-bit in a given block. + * @param block The block to inspect. + * @return The bit position where *block* has its first bit set to 1. + */ + static size_type lowest_bit(block_type block); - std::vector bits_; - size_type num_bits_; + std::vector bits; + size_type num_bits; }; } diff --git a/src/probabilistic/BloomFilter.cc b/src/probabilistic/BloomFilter.cc index 1b86ea1441..5613dcce05 100644 --- a/src/probabilistic/BloomFilter.cc +++ b/src/probabilistic/BloomFilter.cc @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include "BloomFilter.h" #include 
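Review bot: Renaming the member `num_bits_` to `num_bits` (bottom of this hunk) collides with the local `uint64 num_bits` that `BitVector::DoUnserialize` declares in the BitVector.cc hunk of this same diff; the trailing assignment `num_bits = static_cast<...>(num_bits);` there now assigns the local to itself, so a deserialized vector gets its `bits` resized while `Size()` keeps the stale value. Renaming the local (e.g. `uint64 nbits;`) or keeping the member's trailing underscore fixes it. Separately, the `Append(ForwardIterator, ForwardIterator)` template carried over here has its branch test inverted: when `extra_bits()` is zero there is nothing to splice and `bits.back()` may not exist, while the splicing path computes `*first++ >> (bits_per_block - excess)` with `excess == 0`, a shift by the full block width; the condition should read `if ( excess != 0 )`. The new `Serialize`/`Unserialize` comments also misspell `serializaton informationt`.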
@@ -8,181 +10,184 @@ using namespace probabilistic; BloomFilter::BloomFilter() - : hasher_(NULL) - { - } + { + hasher = 0; + } -BloomFilter::BloomFilter(const Hasher* hasher) - : hasher_(hasher) - { - } +BloomFilter::BloomFilter(const Hasher* arg_hasher) + { + hasher = arg_hasher; + } BloomFilter::~BloomFilter() - { - if ( hasher_ ) - delete hasher_; - } + { + delete hasher; + } bool BloomFilter::Serialize(SerialInfo* info) const - { - return SerialObj::Serialize(info); - } + { + return SerialObj::Serialize(info); + } BloomFilter* BloomFilter::Unserialize(UnserialInfo* info) - { - return reinterpret_cast( - SerialObj::Unserialize(info, SER_BLOOMFILTER)); - } + { + return reinterpret_cast(SerialObj::Unserialize(info, SER_BLOOMFILTER)); + } bool BloomFilter::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BLOOMFILTER, SerialObj); - if ( ! SERIALIZE(static_cast(hasher_->K())) ) - return false; - return SERIALIZE_STR(hasher_->Name().c_str(), hasher_->Name().size()); - } + + if ( ! SERIALIZE(static_cast(hasher->K())) ) + return false; + + return SERIALIZE_STR(hasher->Name().c_str(), hasher->Name().size()); + } bool BloomFilter::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(SerialObj); + uint16 k; if ( ! UNSERIALIZE(&k) ) - return false; - const char* name; - if ( ! UNSERIALIZE_STR(&name, 0) ) - return false; - hasher_ = Hasher::Create(k, name); + return false; + + const char* name; + if ( ! 
UNSERIALIZE_STR(&name, 0) ) + return false; + + hasher = Hasher::Create(k, name); + delete [] name; return true; - } - + } size_t BasicBloomFilter::M(double fp, size_t capacity) - { - double ln2 = std::log(2); - return std::ceil(-(capacity * std::log(fp) / ln2 / ln2)); - } + { + double ln2 = std::log(2); + return std::ceil(-(capacity * std::log(fp) / ln2 / ln2)); + } size_t BasicBloomFilter::K(size_t cells, size_t capacity) - { - double frac = static_cast(cells) / static_cast(capacity); - return std::ceil(frac * std::log(2)); - } + { + double frac = static_cast(cells) / static_cast(capacity); + return std::ceil(frac * std::log(2)); + } BasicBloomFilter* BasicBloomFilter::Merge(const BasicBloomFilter* x, const BasicBloomFilter* y) - { - if ( ! x->hasher_->Equals(y->hasher_) ) - { - reporter->InternalError("incompatible hashers during Bloom filter merge"); - return NULL; - } - BasicBloomFilter* result = new BasicBloomFilter(); - result->hasher_ = x->hasher_->Clone(); - result->bits_ = new BitVector(*x->bits_ | *y->bits_); - return result; - } + { + if ( ! 
x->hasher->Equals(y->hasher) ) + reporter->InternalError("incompatible hashers during BasicBloomFilter merge"); + + BasicBloomFilter* result = new BasicBloomFilter(); + result->hasher = x->hasher->Clone(); + result->bits = new BitVector(*x->bits | *y->bits); + + return result; + } BasicBloomFilter::BasicBloomFilter() - : bits_(NULL) - { - } + { + bits = 0; + } BasicBloomFilter::BasicBloomFilter(const Hasher* hasher, size_t cells) - : BloomFilter(hasher), - bits_(new BitVector(cells)) - { - } + : BloomFilter(hasher) + { + bits = new BitVector(cells); + } IMPLEMENT_SERIAL(BasicBloomFilter, SER_BASICBLOOMFILTER) bool BasicBloomFilter::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_BASICBLOOMFILTER, BloomFilter); - return bits_->Serialize(info); - } + return bits->Serialize(info); + } bool BasicBloomFilter::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(BloomFilter); - bits_ = BitVector::Unserialize(info); - return bits_ != NULL; - } + bits = BitVector::Unserialize(info); + return (bits != 0); + } void BasicBloomFilter::AddImpl(const Hasher::digest_vector& h) - { - for ( size_t i = 0; i < h.size(); ++i ) - bits_->Set(h[i] % bits_->Size()); - } + { + for ( size_t i = 0; i < h.size(); ++i ) + bits->Set(h[i] % bits->Size()); + } size_t BasicBloomFilter::CountImpl(const Hasher::digest_vector& h) const - { - for ( size_t i = 0; i < h.size(); ++i ) - if ( ! (*bits_)[h[i] % bits_->Size()] ) - return 0; - return 1; - } + { + for ( size_t i = 0; i < h.size(); ++i ) + { + if ( ! (*bits)[h[i] % bits->Size()] ) + return 0; + } + return 1; + } CountingBloomFilter* CountingBloomFilter::Merge(const CountingBloomFilter* x, - const CountingBloomFilter* y) - { - if ( ! 
x->hasher_->Equals(y->hasher_) ) - { - reporter->InternalError("incompatible hashers during Bloom filter merge"); - return NULL; - } - CountingBloomFilter* result = new CountingBloomFilter(); - result->hasher_ = x->hasher_->Clone(); - result->cells_ = new CounterVector(*x->cells_ | *y->cells_); - return result; - } + const CountingBloomFilter* y) + { + if ( ! x->hasher->Equals(y->hasher) ) + reporter->InternalError("incompatible hashers during CountingBloomFilter merge"); + + CountingBloomFilter* result = new CountingBloomFilter(); + result->hasher = x->hasher->Clone(); + result->cells = new CounterVector(*x->cells | *y->cells); + + return result; + } CountingBloomFilter::CountingBloomFilter() - : cells_(NULL) - { - } + { + cells = 0; + } CountingBloomFilter::CountingBloomFilter(const Hasher* hasher, - size_t cells, size_t width) - : BloomFilter(hasher), - cells_(new CounterVector(width, cells)) - { - } - + size_t arg_cells, size_t width) + : BloomFilter(hasher) + { + cells = new CounterVector(width, arg_cells); + } IMPLEMENT_SERIAL(CountingBloomFilter, SER_COUNTINGBLOOMFILTER) bool CountingBloomFilter::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_COUNTINGBLOOMFILTER, BloomFilter); - return cells_->Serialize(info); - } + return cells->Serialize(info); + } bool CountingBloomFilter::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(BloomFilter); - cells_ = CounterVector::Unserialize(info); - return cells_ != NULL; - } + cells = CounterVector::Unserialize(info); + return (cells != 0); + } // TODO: Use partitioning in add/count to allow for reusing CMS bounds. 
- void CountingBloomFilter::AddImpl(const Hasher::digest_vector& h) - { - for ( size_t i = 0; i < h.size(); ++i ) - cells_->Increment(h[i] % cells_->Size()); - } + { + for ( size_t i = 0; i < h.size(); ++i ) + cells->Increment(h[i] % cells->Size()); + } size_t CountingBloomFilter::CountImpl(const Hasher::digest_vector& h) const - { - CounterVector::size_type min = - std::numeric_limits::max(); - for ( size_t i = 0; i < h.size(); ++i ) - { - CounterVector::size_type cnt = cells_->Count(h[i] % cells_->Size()); - if ( cnt < min ) - min = cnt; - } - return min; - } + { + CounterVector::size_type min = + std::numeric_limits::max(); + + for ( size_t i = 0; i < h.size(); ++i ) + { + CounterVector::size_type cnt = cells->Count(h[i] % cells->Size()); + if ( cnt < min ) + min = cnt; + } + + return min; + } diff --git a/src/probabilistic/BloomFilter.h b/src/probabilistic/BloomFilter.h index 2fa849505d..4a6b01c484 100644 --- a/src/probabilistic/BloomFilter.h +++ b/src/probabilistic/BloomFilter.h @@ -1,5 +1,7 @@ -#ifndef BloomFilter_h -#define BloomFilter_h +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef PROBABILISTIC_BLOOMFILTER_H +#define PROBABILISTIC_BLOOMFILTER_H #include #include "BitVector.h" 
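Review bot: `BasicBloomFilter::AddImpl`/`CountImpl` and the counting variants index with `h[i] % bits->Size()` (resp. `cells->Size()`), but nothing in this hunk guarantees a non-zero size: `BasicBloomFilter(hasher, 0)` or a serialized filter carrying an empty `BitVector` turns that into a modulo by zero. A guard such as `return bits != 0 && bits->Size() > 0;` in `BasicBloomFilter::DoUnserialize` (and the equivalent for `cells` in the counting variant), plus an assertion in the constructors, would close it. `BloomFilter::DoUnserialize` likewise returns true without checking the result of `Hasher::Create(k, name)`; if that factory can return null for an unknown name or `k`, later `Add`/`Count` calls dereference it, so `return hasher != 0;` is the safer ending. The two `Merge` functions now fall through after `reporter->InternalError(...)` where the old code returned NULL; that is only correct if `InternalError` never returns.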
@@ -11,42 +13,65 @@ class CounterVector; /** * The abstract base class for Bloom filters. + * + * At this point we won't let the user choose the hasher, but we might open + * up the interface in the future. */ class BloomFilter : public SerialObj { public: - // At this point we won't let the user choose the hasher, but we might - // open up the interface in the future. - virtual ~BloomFilter(); + /** + * Destructor. + */ + virtual ~BloomFilter(); - /** - * Adds an element of type T to the Bloom filter. - * @param x The element to add - */ - template - void Add(const T& x) - { - AddImpl((*hasher_)(x)); - } + /** + * Adds an element of type T to the Bloom filter. + * @param x The element to add + */ + template + void Add(const T& x) + { + AddImpl((*hasher)(x)); + } - /** - * Retrieves the associated count of a given value. - * - * @param x The value of type `T` to check. - * - * @return The counter associated with *x*. - */ - template - size_t Count(const T& x) const - { - return CountImpl((*hasher_)(x)); - } + /** + * Retrieves the associated count of a given value. + * + * @param x The value of type `T` to check. + * + * @return The counter associated with *x*. + */ + template + size_t Count(const T& x) const + { + return CountImpl((*hasher)(x)); + } - bool Serialize(SerialInfo* info) const; - static BloomFilter* Unserialize(UnserialInfo* info); + /** + * Serializes the Bloom filter. + * + * @param info The serializaton information to use. + * + * @return True if successful. + */ + bool Serialize(SerialInfo* info) const; + + /** + * Unserializes a Bloom filter. + * + * @param info The serializaton information to use. + * + * @return The unserialized Bloom filter, or null if an error + * occured. + */ + static BloomFilter* Unserialize(UnserialInfo* info); protected: - DECLARE_ABSTRACT_SERIAL(BloomFilter); + DECLARE_ABSTRACT_SERIAL(BloomFilter); + /** + * Default constructor. + */ BloomFilter(); /** 
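Review bot: The new Doxygen for `Serialize`/`Unserialize` misspells `serializaton` (twice) and `occured`; the same `serializaton informationt` appears in the BitVector.h hunk. The `Add`/`Count` templates dereference `hasher` unconditionally while the protected default constructor (see the .cc hunk) leaves it null, which is worth stating in the class comment, e.g. `Instances created via the default constructor are only usable after a successful Unserialize().`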
@@ -54,12 +79,28 @@ protected: * * @param hasher The hasher to use for this Bloom filter. */ - BloomFilter(const Hasher* hasher); + BloomFilter(const Hasher* hasher); - virtual void AddImpl(const Hasher::digest_vector& hashes) = 0; - virtual size_t CountImpl(const Hasher::digest_vector& hashes) const = 0; + /** + * Abstract method for implementinng the *Add* operation. + * + * @param hashes A set of *k* hashes for the item to add, computed by + * the internal hasher object. + * + */ + virtual void AddImpl(const Hasher::digest_vector& hashes) = 0; - const Hasher* hasher_; + /** + * Abstract method for implementing the *Count* operation. + * + * @param hashes A set of *k* hashes for the item to add, computed by + * the internal hasher object. + * + * @return Returns the counter associated with the hashed element. + */ + virtual size_t CountImpl(const Hasher::digest_vector& hashes) const = 0; + + const Hasher* hasher; }; /** 
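Review bot: The `CountImpl` comment is a copy of the `AddImpl` one and describes `hashes` as belonging to "the item to add"; it should read `@param hashes A set of *k* hashes for the item to look up, computed by the internal hasher object.` `implementinng` in the `AddImpl` comment is also misspelled. Since the .cc hunk shows the destructor deleting `hasher`, a one-line ownership note on the member, `// Owned; deleted in ~BloomFilter().`, would help implementers of the subclasses.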
@@ -67,50 +108,67 @@ protected: */ class BasicBloomFilter : public BloomFilter { public: - /** - * Computes the number of cells based a given false-positive rate and - * capacity. In the literature, this parameter often has the name *M*. - * - * @param fp The false-positive rate. - * - * @param capacity The number of exepected elements. - * - * Returns: The number cells needed to support a false-positive rate of *fp* - * with at most *capacity* elements. - */ - static size_t M(double fp, size_t capacity); + /** + * Constructs a basic Bloom filter with a given number of cells. The + * ideal number of cells can be computed with *M*. + * + * @param hasher The hasher to use. The ideal number of hash + * functions can be computed with *K*. + * + * @param cells The number of cells. + */ + BasicBloomFilter(const Hasher* hasher, size_t cells); - /** - * Computes the optimal number of hash functions based on the number cells - * and expected number of elements. - * - * @param cells The number of cells (*m*). - * - * @param capacity The maximum number of elements. - * - * Returns: the optimal number of hash functions for a false-positive rate of - * *fp* for at most *capacity* elements. - */ - static size_t K(size_t cells, size_t capacity); + /** + * Computes the number of cells based on a given false positive rate + * and capacity. In the literature, this parameter often has the name + * *M*. + * + * @param fp The false positive rate. + * + * @param capacity The expected number of elements that will be + * stored. + * + * Returns: The number cells needed to support a false positive rate + * of *fp* with at most *capacity* elements. + */ + static size_t M(double fp, size_t capacity); - static BasicBloomFilter* Merge(const BasicBloomFilter* x, - const BasicBloomFilter* y); + /** + * Computes the optimal number of hash functions based on the number cells + * and expected number of elements. + * + * @param cells The number of cells (*m*). 
+ * + * @param capacity The maximum number of elements. + * + * Returns: the optimal number of hash functions for a false-positive + * rate of *fp* for at most *capacity* elements. + */ + static size_t K(size_t cells, size_t capacity); - /** - * Constructs a basic Bloom filter with a given number of cells and capacity. - */ - BasicBloomFilter(const Hasher* hasher, size_t cells); + /** + * Merges two basic Bloom filters. + * + * @return The merged Bloom filter. + */ + static BasicBloomFilter* Merge(const BasicBloomFilter* x, + const BasicBloomFilter* y); protected: - DECLARE_SERIAL(BasicBloomFilter); + DECLARE_SERIAL(BasicBloomFilter); - BasicBloomFilter(); + /** + * Default constructor. + */ + BasicBloomFilter(); - virtual void AddImpl(const Hasher::digest_vector& h); - virtual size_t CountImpl(const Hasher::digest_vector& h) const; + // Overridden from BloomFilter. + virtual void AddImpl(const Hasher::digest_vector& h); + virtual size_t CountImpl(const Hasher::digest_vector& h) const; private: - BitVector* bits_; + BitVector* bits; }; /** 
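Review bot: The new `Merge` comment gives `@return` but no `@param` entries and omits the two facts a caller needs: both filters must use equal hashers (the implementation reports an `InternalError` otherwise) and the caller owns the returned heap object. Suggested: `@param x The first filter. @param y The second filter; must use a hasher equal to *x*'s. @return A newly allocated merged filter owned by the caller.` The `K` comment still speaks of `a false-positive rate of *fp*` although `K` takes `cells` and `capacity`, not `fp`, and `Returns:` should be `@return` for consistency with the rest of the header. The same `Merge` wording is repeated in the `CountingBloomFilter` hunk that follows.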
@@ -118,21 +176,40 @@ private: */ class CountingBloomFilter : public BloomFilter { public: - static CountingBloomFilter* Merge(const CountingBloomFilter* x, - const CountingBloomFilter* y); + /** + * Constructs a counting Bloom filter. + * + * @param hasher The hasher to use. The ideal number of hash + * functions can be computed with *K*. + * + * @param cells The number of cells to use. + * + * @param width The maximal bit-width of counter values. + */ + CountingBloomFilter(const Hasher* hasher, size_t cells, size_t width); - CountingBloomFilter(const Hasher* hasher, size_t cells, size_t width); + /** + * Merges two counting Bloom filters. + * + * @return The merged Bloom filter. + */ + static CountingBloomFilter* Merge(const CountingBloomFilter* x, + const CountingBloomFilter* y); protected: - DECLARE_SERIAL(CountingBloomFilter); + DECLARE_SERIAL(CountingBloomFilter); - CountingBloomFilter(); + /** + * Default constructor. + */ + CountingBloomFilter(); - virtual void AddImpl(const Hasher::digest_vector& h); - virtual size_t CountImpl(const Hasher::digest_vector& h) const; + // Overridden from BloomFilter. + virtual void AddImpl(const Hasher::digest_vector& h); + virtual size_t CountImpl(const Hasher::digest_vector& h) const; private: - CounterVector* cells_; + CounterVector* cells; }; } diff --git a/src/probabilistic/CounterVector.cc b/src/probabilistic/CounterVector.cc index 943749ad46..570ed1f8ea 100644 --- a/src/probabilistic/CounterVector.cc +++ b/src/probabilistic/CounterVector.cc @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include "CounterVector.h" #include 
@@ -6,154 +8,176 @@ using namespace probabilistic; -CounterVector::CounterVector(size_t width, size_t cells) - : bits_(new BitVector(width * cells)), - width_(width) - { - } +CounterVector::CounterVector(size_t arg_width, size_t cells) + { + bits = new BitVector(arg_width * cells); + width = arg_width; + } CounterVector::CounterVector(const CounterVector& other) - : bits_(new BitVector(*other.bits_)), - width_(other.width_) - { - } + { + bits = new BitVector(*other.bits); + width = other.width; + } CounterVector::~CounterVector() - { - delete bits_; - } + { + delete bits; + } bool CounterVector::Increment(size_type cell, count_type value) - { - assert(cell < Size()); - assert(value != 0); - size_t lsb = cell * width_; - bool carry = false; - for ( size_t i = 0; i < width_; ++i ) - { - bool b1 = (*bits_)[lsb + i]; - bool b2 = value & (1 << i); - (*bits_)[lsb + i] = b1 ^ b2 ^ carry; - carry = ( b1 && b2 ) || ( carry && ( b1 != b2 ) ); - } - if ( carry ) - for ( size_t i = 0; i < width_; ++i ) - bits_->Set(lsb + i); - return ! carry; - } + { + assert(cell < Size()); + assert(value != 0); + + size_t lsb = cell * width; + bool carry = false; + + for ( size_t i = 0; i < width; ++i ) + { + bool b1 = (*bits)[lsb + i]; + bool b2 = value & (1 << i); + (*bits)[lsb + i] = b1 ^ b2 ^ carry; + carry = ( b1 && b2 ) || ( carry && ( b1 != b2 ) ); + } + + if ( carry ) + { + for ( size_t i = 0; i < width; ++i ) + bits->Set(lsb + i); + } + + return ! 
carry; + } bool CounterVector::Decrement(size_type cell, count_type value) - { - assert(cell < Size()); - assert(value != 0); - value = ~value + 1; // A - B := A + ~B + 1 - bool carry = false; - size_t lsb = cell * width_; - for ( size_t i = 0; i < width_; ++i ) - { - bool b1 = (*bits_)[lsb + i]; - bool b2 = value & (1 << i); - (*bits_)[lsb + i] = b1 ^ b2 ^ carry; - carry = ( b1 && b2 ) || ( carry && ( b1 != b2 ) ); - } - return carry; - } + { + assert(cell < Size()); + assert(value != 0); + + value = ~value + 1; // A - B := A + ~B + 1 + bool carry = false; + size_t lsb = cell * width; + + for ( size_t i = 0; i < width; ++i ) + { + bool b1 = (*bits)[lsb + i]; + bool b2 = value & (1 << i); + (*bits)[lsb + i] = b1 ^ b2 ^ carry; + carry = ( b1 && b2 ) || ( carry && ( b1 != b2 ) ); + } + + return carry; + } CounterVector::count_type CounterVector::Count(size_type cell) const - { - assert(cell < Size()); - size_t cnt = 0, order = 1; - size_t lsb = cell * width_; - for (size_t i = lsb; i < lsb + width_; ++i, order <<= 1) - if ((*bits_)[i]) - cnt |= order; - return cnt; - } + { + assert(cell < Size()); + + size_t cnt = 0, order = 1; + size_t lsb = cell * width; + + for ( size_t i = lsb; i < lsb + width; ++i, order <<= 1 ) + if ( (*bits)[i] ) + cnt |= order; + + return cnt; + } CounterVector::size_type CounterVector::Size() const - { - return bits_->Size() / width_; - } + { + return bits->Size() / width; + } size_t CounterVector::Width() const - { - return width_; - } + { + return width; + } size_t CounterVector::Max() const - { - return std::numeric_limits::max() - >> (std::numeric_limits::digits - width_); - } + { + return std::numeric_limits::max() + >> (std::numeric_limits::digits - width); + } CounterVector& CounterVector::Merge(const CounterVector& other) - { - assert(Size() == other.Size()); - assert(Width() == other.Width()); - for ( size_t cell = 0; cell < Size(); ++cell ) - { - size_t lsb = cell * width_; - bool carry = false; - for ( size_t i = 0; i < width_; 
++i ) - { - bool b1 = (*bits_)[lsb + i]; - bool b2 = (*other.bits_)[lsb + i]; - (*bits_)[lsb + i] = b1 ^ b2 ^ carry; - carry = ( b1 && b2 ) || ( carry && ( b1 != b2 ) ); - } - if ( carry ) - for ( size_t i = 0; i < width_; ++i ) - bits_->Set(lsb + i); - } - return *this; - } + { + assert(Size() == other.Size()); + assert(Width() == other.Width()); + + for ( size_t cell = 0; cell < Size(); ++cell ) + { + size_t lsb = cell * width; + bool carry = false; + + for ( size_t i = 0; i < width; ++i ) + { + bool b1 = (*bits)[lsb + i]; + bool b2 = (*other.bits)[lsb + i]; + (*bits)[lsb + i] = b1 ^ b2 ^ carry; + carry = ( b1 && b2 ) || ( carry && ( b1 != b2 ) ); + } + + if ( carry ) + { + for ( size_t i = 0; i < width; ++i ) + bits->Set(lsb + i); + } + } + + return *this; + } namespace probabilistic { CounterVector& CounterVector::operator|=(const CounterVector& other) -{ - return Merge(other); -} + { + return Merge(other); + } CounterVector operator|(const CounterVector& x, const CounterVector& y) -{ - CounterVector cv(x); - return cv |= y; -} + { + CounterVector cv(x); + return cv |= y; + } } bool CounterVector::Serialize(SerialInfo* info) const - { - return SerialObj::Serialize(info); - } + { + return SerialObj::Serialize(info); + } CounterVector* CounterVector::Unserialize(UnserialInfo* info) - { - return reinterpret_cast( - SerialObj::Unserialize(info, SER_COUNTERVECTOR)); - } + { + return reinterpret_cast(SerialObj::Unserialize(info, SER_COUNTERVECTOR)); + } IMPLEMENT_SERIAL(CounterVector, SER_COUNTERVECTOR) bool CounterVector::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_COUNTERVECTOR, SerialObj); - if ( ! bits_->Serialize(info) ) - return false; - return SERIALIZE(static_cast(width_)); - } + + if ( ! bits->Serialize(info) ) + return false; + + return SERIALIZE(static_cast(width)); + } bool CounterVector::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(SerialObj); - bits_ = BitVector::Unserialize(info); - if ( ! 
bits_ ) - return false; - uint64 width; - if ( ! UNSERIALIZE(&width) ) - return false; - width_ = static_cast(width); - return true; - } + bits = BitVector::Unserialize(info); + if ( ! bits ) + return false; + + uint64 width; + if ( ! UNSERIALIZE(&width) ) + return false; + + width = static_cast(width); + + return true; + } diff --git a/src/probabilistic/CounterVector.h b/src/probabilistic/CounterVector.h index 63445ec12d..178a68e8f2 100644 --- a/src/probabilistic/CounterVector.h +++ b/src/probabilistic/CounterVector.h @@ -1,5 +1,7 @@ -#ifndef CounterVector_h -#define CounterVector_h +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef PROBABILISTIC_COUNTERVECTOR_H +#define PROBABILISTIC_COUNTERVECTOR_H #include "SerialObj.h" 
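Review bot: In `CounterVector::DoUnserialize` the renamed member `width` is never assigned: the local `uint64 width;` shadows it, so `width = static_cast<size_t>(width);` is a self-assignment of the local and the member keeps whatever the default constructor left in it (the old code wrote `width_`). Since this value comes from serialized input, it should also be bounded before use — `Size()` divides by `width` and `Max()` shifts by `digits - width`, so a zero or oversized width from a corrupted or hostile stream is a divide-by-zero or an out-of-range shift. A related pre-existing issue on the same page: `Increment`/`Decrement` test bits with `value & (1 << i)`, where `1` is an `int`, so counters wider than 31 bits read wrong bits (and shifting by 32 or more is undefined); `(value >> i) & 1` is the portable form. The rest of the file outside this hunk is not visible, so I assume `std::numeric_limits` is already in scope as `Max()` uses it.
```cpp
bool CounterVector::DoUnserialize(UnserialInfo* info)
	{
	// … unchanged: DO_UNSERIALIZE and BitVector::Unserialize …
	uint64 w;
	if ( ! UNSERIALIZE(&w) )
		return false;

	// Reject widths that would make Size() divide by zero or Max() shift out of range.
	if ( w == 0 || w > static_cast<uint64>(std::numeric_limits<size_t>::digits) )
		return false;

	width = static_cast<size_t>(w);
	return true;
	}
```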
@@ -8,123 +10,143 @@ namespace probabilistic { class BitVector; /** - * A vector of counters, each of which have a fixed number of bits. + * A vector of counters, each of which has a fixed number of bits. */ class CounterVector : public SerialObj { - CounterVector& operator=(const CounterVector&); public: - typedef size_t size_type; - typedef uint64 count_type; + typedef size_t size_type; + typedef uint64 count_type; - /** - * Constructs a counter vector having cells of a given width. - * - * @param width The number of bits that each cell occupies. - * - * @param cells The number of cells in the bitvector. - * - * @pre `cells > 0 && width > 0` - */ - CounterVector(size_t width, size_t cells = 1024); + /** + * Constructs a counter vector having cells of a given width. + * + * @param width The number of bits that each cell occupies. + * + * @param cells The number of cells in the bitvector. + * + * @pre `cells > 0 && width > 0` + */ + CounterVector(size_t width, size_t cells = 1024); /** * Copy-constructs a counter vector. * * @param other The counter vector to copy. */ - CounterVector(const CounterVector& other); + CounterVector(const CounterVector& other); - ~CounterVector(); + /** + * Destructor. + */ + ~CounterVector(); - /** - * Increments a given cell. - * - * @param cell The cell to increment. - * - * @param value The value to add to the current counter in *cell*. - * - * @return `true` if adding *value* to the counter in *cell* succeeded. - * - * @pre `cell < Size()` - */ - bool Increment(size_type cell, count_type value = 1); + /** + * Increments a given cell. + * + * @param cell The cell to increment. + * + * @param value The value to add to the current counter in *cell*. + * + * @return `true` if adding *value* to the counter in *cell* succeeded. + * + * @pre `cell < Size()` + */ + bool Increment(size_type cell, count_type value = 1); - /** - * Decrements a given cell. - * - * @param cell The cell to decrement. 
- * - * @param value The value to subtract from the current counter in *cell*. - * - * @return `true` if subtracting *value* from the counter in *cell* succeeded. - * - * @pre `cell < Size()` - */ - bool Decrement(size_type cell, count_type value = 1); + /** + * Decrements a given cell. + * + * @param cell The cell to decrement. + * + * @param value The value to subtract from the current counter in *cell*. + * + * @return `true` if subtracting *value* from the counter in *cell* succeeded. + * + * @pre `cell < Size()` + */ + bool Decrement(size_type cell, count_type value = 1); - /** - * Retrieves the counter of a given cell. - * - * @param cell The cell index to retrieve the count for. - * - * @return The counter associated with *cell*. - * - * @pre `cell < Size()` - */ - count_type Count(size_type cell) const; + /** + * Retrieves the counter of a given cell. + * + * @param cell The cell index to retrieve the count for. + * + * @return The counter associated with *cell*. + * + * @pre `cell < Size()` + */ + count_type Count(size_type cell) const; - /** - * Retrieves the number of cells in the storage. - * - * @return The number of cells. - */ - size_type Size() const; + /** + * Retrieves the number of cells in the storage. + * + * @return The number of cells. + */ + size_type Size() const; - /** - * Retrieves the counter width. - * - * @return The number of bits per counter. - */ - size_t Width() const; + /** + * Retrieves the counter width. + * + * @return The number of bits per counter. + */ + size_t Width() const; - /** - * Computes the maximum counter value. - * - * @return The maximum counter value based on the width. - */ - size_t Max() const; + /** + * Computes the maximum counter value. + * + * @return The maximum counter value based on the width. + */ + size_t Max() const; - /** - * Merges another counter vector into this instance by *adding* the counters - * of each cells. - * - * @param other The counter vector to merge into this instance. 
- * - * @return A reference to `*this`. - * - * @pre `Size() == other.Size() && Width() == other.Width()` - */ - CounterVector& Merge(const CounterVector& other); + /** + * Merges another counter vector into this instance by *adding* the + * counters of each cells. + * + * @param other The counter vector to merge into this instance. + * + * @return A reference to `*this`. + * + * @pre `Size() == other.Size() && Width() == other.Width()` + */ + CounterVector& Merge(const CounterVector& other); - /** - * An alias for ::Merge. - */ - CounterVector& operator|=(const CounterVector& other); + /** + * An alias for ::Merge. + */ + CounterVector& operator|=(const CounterVector& other); - friend CounterVector operator|(const CounterVector& x, - const CounterVector& y); + /** + * Serializes the bit vector. + * + * @param info The serializaton information to use. + * + * @return True if successful. + */ + bool Serialize(SerialInfo* info) const; - bool Serialize(SerialInfo* info) const; - static CounterVector* Unserialize(UnserialInfo* info); + /** + * Unserialize the counter vector. + * + * @param info The serializaton information to use. + * + * @return The unserialized counter vector, or null if an error + * occured. + */ + static CounterVector* Unserialize(UnserialInfo* info); protected: - DECLARE_SERIAL(CounterVector); + friend CounterVector operator|(const CounterVector& x, + const CounterVector& y); - CounterVector() { } + CounterVector() { } + + DECLARE_SERIAL(CounterVector); private: - BitVector* bits_; - size_t width_; + CounterVector& operator=(const CounterVector&); // Disable. + + BitVector* bits; + size_t width; }; } diff --git a/src/probabilistic/Hasher.cc b/src/probabilistic/Hasher.cc index c2f1110ecd..f9ce7bdd6b 100644 --- a/src/probabilistic/Hasher.cc +++ b/src/probabilistic/Hasher.cc 
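Review bot: The protected default constructor `CounterVector() { }` leaves `bits` and `width` uninitialized while the destructor unconditionally runs `delete bits`; if the unserialization machinery ever destroys an instance before `DoUnserialize` has assigned `bits` (for example when `DO_UNSERIALIZE` fails first — I cannot see that path from here), that is a delete of an indeterminate pointer. Initializing the members makes the object safe to destroy at any point: `CounterVector() : bits(0), width(0) { }`. As a smaller documentation point, `Max()` is documented as "the maximum counter value" but returns `size_t` while `Count()` returns `count_type` (`uint64`); the header should either say the two may differ on 32-bit builds or `Max()` should return `count_type`.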
@@ -1,66 +1,70 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include #include "Hasher.h" - #include "digest.h" using namespace probabilistic; -Hasher::UHF::UHF(size_t seed, const std::string& extra) - : h_(compute_seed(seed, extra)) +UHF::UHF(size_t seed, const std::string& extra) + : h(compute_seed(seed, extra)) { } -Hasher::digest Hasher::UHF::hash(const void* x, size_t n) const +Hasher::digest UHF::hash(const void* x, size_t n) const { assert(n <= UHASH_KEY_SIZE); - return n == 0 ? 0 : h_(x, n); + return n == 0 ? 0 : h(x, n); } -size_t Hasher::UHF::compute_seed(size_t seed, const std::string& extra) +size_t UHF::compute_seed(size_t seed, const std::string& extra) { u_char buf[SHA256_DIGEST_LENGTH]; SHA256_CTX ctx; sha256_init(&ctx); + if ( extra.empty() ) { unsigned int first_seed = initial_seed(); sha256_update(&ctx, &first_seed, sizeof(first_seed)); } - else - { - sha256_update(&ctx, extra.c_str(), extra.size()); - } - sha256_update(&ctx, &seed, sizeof(seed)); - sha256_final(&ctx, buf); - // Take the first sizeof(size_t) bytes as seed. - return *reinterpret_cast(buf); - } + else + sha256_update(&ctx, extra.c_str(), extra.size()); + + sha256_update(&ctx, &seed, sizeof(seed)); + sha256_final(&ctx, buf); + + // Take the first sizeof(size_t) bytes as seed. 
+ return *reinterpret_cast(buf); + } Hasher* Hasher::Create(size_t k, const std::string& name) { return new DefaultHasher(k, name); } -Hasher::Hasher(size_t k, const std::string& name) - : k_(k), name_(name) +Hasher::Hasher(size_t k, const std::string& arg_name) + : k(k) { + name = arg_name; } DefaultHasher::DefaultHasher(size_t k, const std::string& name) : Hasher(k, name) { for ( size_t i = 0; i < k; ++i ) - hash_functions_.push_back(UHF(i, name)); + hash_functions.push_back(UHF(i, name)); } Hasher::digest_vector DefaultHasher::Hash(const void* x, size_t n) const { digest_vector h(K(), 0); + for ( size_t i = 0; i < h.size(); ++i ) - h[i] = hash_functions_[i](x, n); + h[i] = hash_functions[i](x, n); + return h; } @@ -73,24 +77,25 @@ bool DefaultHasher::Equals(const Hasher* other) const { if ( typeid(*this) != typeid(*other) ) return false; + const DefaultHasher* o = static_cast(other); - return hash_functions_ == o->hash_functions_; + return hash_functions == o->hash_functions; } DoubleHasher::DoubleHasher(size_t k, const std::string& name) - : Hasher(k, name), - h1_(1, name), - h2_(2, name) + : Hasher(k, name), h1(1, name), h2(2, name) { } Hasher::digest_vector DoubleHasher::Hash(const void* x, size_t n) const { - digest h1 = h1_(x, n); - digest h2 = h2_(x, n); + digest d1 = h1(x, n); + digest d2 = h2(x, n); digest_vector h(K(), 0); + for ( size_t i = 0; i < h.size(); ++i ) - h[i] = h1 + i * h2; + h[i] = d1 + i * d2; + return h; } @@ -103,7 +108,7 @@ bool DoubleHasher::Equals(const Hasher* other) const { if ( typeid(*this) != typeid(*other) ) return false; - const DoubleHasher* o = static_cast(other); - return h1_ == o->h1_ && h2_ == o->h2_; - } + const DoubleHasher* o = static_cast(other); + return h1 == o->h1 && h2 == o->h2; + } diff --git a/src/probabilistic/Hasher.h b/src/probabilistic/Hasher.h index 0231343dcd..62c5d58d1f 100644 --- a/src/probabilistic/Hasher.h +++ b/src/probabilistic/Hasher.h 
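Review bot: `UHF::compute_seed` returns the seed with `*reinterpret_cast<size_t*>(buf)` over a `u_char` array, which is an aliasing violation and, on targets that care, a potentially misaligned load; copying is the portable form: `size_t s; memcpy(&s, buf, sizeof(s)); return s;`. Note also that the seed material is the raw bytes of `seed` (`sizeof(size_t)` of them) and, when `extra` is empty, of `initial_seed()`, so the derived hash functions depend on word size and endianness and on the process seed; if filters are ever serialized and merged across hosts or runs, `Equals`/`Merge` will only agree when the same `name` was supplied on both sides — worth stating in the `name` parameter's documentation. The `UHF::hash` precondition `assert(n <= UHASH_KEY_SIZE)` is compiled out in release builds; if the element size can exceed it (`Hash(&x, sizeof(T))` is called on arbitrary `T`), a runtime check or an explicit truncation would be safer, but the H3 side is outside this hunk so I cannot confirm what an oversized `n` does.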
@@ -1,5 +1,7 @@ -#ifndef Hasher_h -#define Hasher_h +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef PROBABILISTIC_HASHER_H +#define PROBABILISTIC_HASHER_H #include "Hash.h" #include "H3.h" 
@@ -7,123 +9,197 @@ namespace probabilistic { /** - * The abstract base class for hashers, i.e., constructs which hash elements - * *k* times. + * Abstract base class for hashers. A hasher creates a family of hash + * functions to hash an element *k* times. */ class Hasher { public: - typedef hash_t digest; - typedef std::vector digest_vector; + typedef hash_t digest; + typedef std::vector digest_vector; - /** - * Constructs the hashing policy used by the implementation. - * - * @todo This factory function exists because the HashingPolicy class - * hierachy is not yet serializable. - */ + /** + * Destructor. + */ + virtual ~Hasher() { } + + /** + * Computes hash values for an element. + * + * @param x The element to hash. + * + * @return Vector of *k* hash values. + */ + template + digest_vector operator()(const T& x) const + { + return Hash(&x, sizeof(T)); + } + + /** + * Computes the hashes for a set of bytes. + * + * @param x Pointer to first byte to hash. + * + * @param n Number of bytes to hash. + * + * @return Vector of *k* hash values. + * + */ + virtual digest_vector Hash(const void* x, size_t n) const = 0; + + /** + * Returns a deep copy of the hasher. + */ + virtual Hasher* Clone() const = 0; + + /** + * Returns true if two hashers are identical. + */ + virtual bool Equals(const Hasher* other) const = 0; + + /** + * Returns the number *k* of hash functions the hashers applies. + */ + size_t K() const { return k; } + + /** + * Returns the hasher's name. TODO: What's this? + */ + const std::string& Name() const { return name; } + + /** + * Constructs the hasher used by the implementation. This hardcodes a + * specific hashing policy. It exists only because the HashingPolicy + * class hierachy is not yet serializable. + * + * @param k The number of hash functions to apply. + * + * @param name The hasher's name. + * + * @return Returns a new hasher instance. 
+ */ static Hasher* Create(size_t k, const std::string& name); - virtual ~Hasher() { } - - template - digest_vector operator()(const T& x) const - { - return Hash(&x, sizeof(T)); - } - - virtual digest_vector Hash(const void* x, size_t n) const = 0; - - virtual Hasher* Clone() const = 0; - - virtual bool Equals(const Hasher* other) const = 0; - - size_t K() const { return k_; } - const std::string& Name() const { return name_; } - protected: - /** - * A universal hash function family. - */ - class UHF { - public: - /** - * Constructs an H3 hash function seeded with a given seed and an optional - * extra seed to replace the initial Bro seed. - * - * @param seed The seed to use for this instance. - * - * @param extra If not empty, this parameter replaces the initial seed to - * compute the seed for t to compute the - * seed - * NUL-terminated string as additional seed. - */ - UHF(size_t seed, const std::string& extra = ""); + Hasher(size_t k, const std::string& name); - template - digest operator()(const T& x) const - { - return hash(&x, sizeof(T)); - } - - digest operator()(const void* x, size_t n) const - { - return hash(x, n); - } - - friend bool operator==(const UHF& x, const UHF& y) - { - return x.h_ == y.h_; - } - - friend bool operator!=(const UHF& x, const UHF& y) - { - return ! (x == y); - } - - digest hash(const void* x, size_t n) const; - - private: - static size_t compute_seed(size_t seed, const std::string& extra); - - H3 h_; - }; - - Hasher(size_t k, const std::string& name); - -private: - const size_t k_; - std::string name_; + private: + const size_t k; + std::string name; }; /** - * The default hashing policy. Performs *k* hash function computations. + * A universal hash function family. This is a helper class that Hasher + * implementations can use in their implementation. + */ +class UHF { +public: + /** + * Constructs an H3 hash function seeded with a given seed and an + * optional extra seed to replace the initial Bro seed. 
+ * + * @param seed The seed to use for this instance. + * + * @param extra If not empty, this parameter replaces the initial + * seed to compute the seed for t to compute the seed NUL-terminated + * string as additional seed. + */ + UHF(size_t seed, const std::string& extra = ""); + + template + Hasher::digest operator()(const T& x) const + { + return hash(&x, sizeof(T)); + } + + /** + * Computes hash values for an element. + * + * @param x The element to hash. + * + * @return Vector of *k* hash values. + */ + Hasher::digest operator()(const void* x, size_t n) const + { + return hash(x, n); + } + + /** + * Computes the hashes for a set of bytes. + * + * @param x Pointer to first byte to hash. + * + * @param n Number of bytes to hash. + * + * @return Vector of *k* hash values. + * + */ + Hasher::digest hash(const void* x, size_t n) const; + + friend bool operator==(const UHF& x, const UHF& y) + { + return x.h == y.h; + } + + friend bool operator!=(const UHF& x, const UHF& y) + { + return ! (x == y); + } + +private: + static size_t compute_seed(size_t seed, const std::string& extra); + + H3 h; +}; + + +/** + * A hasher implementing the default hashing policy. Uses *k* separate hash + * functions internally. */ class DefaultHasher : public Hasher { public: - DefaultHasher(size_t k, const std::string& name); + /** + * Constructor for a hasher with *k* hash functions. + * + * @param k The number of hash functions to use. + * + * @param name The name of the hasher. + */ + DefaultHasher(size_t k, const std::string& name); - virtual digest_vector Hash(const void* x, size_t n) const /* final */; - virtual DefaultHasher* Clone() const /* final */; - virtual bool Equals(const Hasher* other) const /* final */; + // Overridden from Hasher. 
+ virtual digest_vector Hash(const void* x, size_t n) const /* final */; + virtual DefaultHasher* Clone() const /* final */; + virtual bool Equals(const Hasher* other) const /* final */; private: - std::vector hash_functions_; + std::vector hash_functions; }; /** - * The *double-hashing* policy. Uses a linear combination of two hash functions. + * The *double-hashing* policy. Uses a linear combination of two hash + * functions. */ class DoubleHasher : public Hasher { public: - DoubleHasher(size_t k, const std::string& name); + /** + * Constructor for a double hasher with *k* hash functions. + * + * @param k The number of hash functions to use. + * + * @param name The name of the hasher. + */ + DoubleHasher(size_t k, const std::string& name); - virtual digest_vector Hash(const void* x, size_t n) const /* final */; - virtual DoubleHasher* Clone() const /* final */; - virtual bool Equals(const Hasher* other) const /* final */; + // Overridden from Hasher. + virtual digest_vector Hash(const void* x, size_t n) const /* final */; + virtual DoubleHasher* Clone() const /* final */; + virtual bool Equals(const Hasher* other) const /* final */; private: - UHF h1_; - UHF h2_; + UHF h1; + UHF h2; }; } diff --git a/src/probabilistic/bloom-filter.bif b/src/probabilistic/bloom-filter.bif index 3c409b1b0f..cbbff85d7d 100644 --- a/src/probabilistic/bloom-filter.bif +++ b/src/probabilistic/bloom-filter.bif 
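Review bot: Several of the new doc comments in this hunk are wrong or unfinished: the `UHF` constructor's `extra` parameter reads "replaces the initial seed to compute the seed for t to compute the seed NUL-terminated string as additional seed", `Hasher::Name()` is documented as "TODO: What's this?", and `UHF::operator()(const void*, size_t)` and `UHF::hash` are documented as returning a "Vector of *k* hash values" although they return a single `Hasher::digest`. Suggested text for `extra`: `@param extra If non-empty, this string replaces Bro's initial random seed as the base material for the H3 seed, making the hash function reproducible across runs.`; for `Name()`: `Returns the name passed at construction; hashers with the same name and k derive identical hash functions.`; for the two single-digest functions: `@return A single hash value.`. The templated `Hasher::operator()(const T&)` hashes `sizeof(T)` raw bytes, which presumably includes padding and pointer members for non-trivial `T`; a comment noting that it is only meaningful for trivially copyable, padding-free types would prevent misuse.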
@@ -31,18 +31,19 @@ module GLOBAL; ## Returns: A Bloom filter handle. function bloomfilter_basic_init%(fp: double, capacity: count, name: string &default=""%): opaque of bloomfilter - %{ - if ( fp < 0.0 || fp > 1.0 ) - { - reporter->Error("false-positive rate must take value between 0 and 1"); - return NULL; - } + %{ + if ( fp < 0.0 || fp > 1.0 ) + { + reporter->Error("false-positive rate must take value between 0 and 1"); + return 0; + } - size_t cells = BasicBloomFilter::M(fp, capacity); - size_t optimal_k = BasicBloomFilter::K(cells, capacity); - const Hasher* h = Hasher::Create(optimal_k, name->CheckString()); - return new BloomFilterVal(new BasicBloomFilter(h, cells)); - %} + size_t cells = BasicBloomFilter::M(fp, capacity); + size_t optimal_k = BasicBloomFilter::K(cells, capacity); + const Hasher* h = Hasher::Create(optimal_k, name->CheckString()); + + return new BloomFilterVal(new BasicBloomFilter(h, cells)); + %} ## Creates a counting Bloom filter. ## @@ -59,20 +60,22 @@ function bloomfilter_basic_init%(fp: double, capacity: count, ## ## Returns: A Bloom filter handle. function bloomfilter_counting_init%(k: count, cells: count, max: count, - name: string &default=""%): opaque of bloomfilter - %{ - if ( max == 0 ) - { - reporter->Error("max counter value must be greater than 0"); - return NULL; - } + name: string &default=""%): opaque of bloomfilter + %{ + if ( max == 0 ) + { + reporter->Error("max counter value must be greater than 0"); + return 0; + } - const Hasher* h = Hasher::Create(k, name->CheckString()); - uint16 width = 1; - while ( max >>= 1 ) - ++width; - return new BloomFilterVal(new CountingBloomFilter(h, cells, width)); - %} + const Hasher* h = Hasher::Create(k, name->CheckString()); + + uint16 width = 1; + while ( max >>= 1 ) + ++width; + + return new BloomFilterVal(new CountingBloomFilter(h, cells, width)); + %} ## Adds an element to a Bloom filter. ## 
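Review bot: The range check in `bloomfilter_basic_init` still admits the boundary values `fp == 0.0` and `fp == 1.0`, and never checks `capacity`, yet all three reach `BasicBloomFilter::M` and `K` unchanged; those helpers are outside this hunk, but a Bloom-filter sizing formula takes `log(fp)` and divides cells by capacity, so a script passing `0.0`, `1.0` or a zero capacity can presumably trigger an infinite/degenerate cell count or a division by zero in the script-facing API. Tightening the check to `if ( fp <= 0.0 || fp >= 1.0 )` and rejecting `capacity == 0` keeps invalid parameters out of the constructor; the error text in the existing baseline would need updating if the message changes.
```cpp
	if ( fp <= 0.0 || fp >= 1.0 )
		{
		reporter->Error("false-positive rate must take value between 0 and 1");
		return 0;
		}

	if ( capacity == 0 )
		{
		reporter->Error("capacity must be greater than 0");
		return 0;
		}

	// … unchanged: M/K computation and BloomFilterVal construction …
```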
@@ -80,16 +83,20 @@ function bloomfilter_counting_init%(k: count, cells: count, max: count, ## ## x: The element to add. function bloomfilter_add%(bf: opaque of bloomfilter, x: any%): any - %{ - BloomFilterVal* bfv = static_cast(bf); - if ( ! bfv->Type() && ! bfv->Typify(x->Type()) ) - reporter->Error("failed to set Bloom filter type"); - else if ( bfv->Type() != x->Type() ) - reporter->Error("incompatible Bloom filter types"); - else - bfv->Add(x); - return NULL; - %} + %{ + BloomFilterVal* bfv = static_cast(bf); + + if ( ! bfv->Type() && ! bfv->Typify(x->Type()) ) + reporter->Error("failed to set Bloom filter type"); + + else if ( ! same_type(bfv->Type(), x->Type()) ) + reporter->Error("incompatible Bloom filter types"); + + else + bfv->Add(x); + + return 0; + %} ## Retrieves the counter for a given element in a Bloom filter. ## @@ -99,16 +106,20 @@ function bloomfilter_add%(bf: opaque of bloomfilter, x: any%): any ## ## Returns: the counter associated with *x* in *bf*. function bloomfilter_lookup%(bf: opaque of bloomfilter, x: any%): count - %{ - const BloomFilterVal* bfv = static_cast(bf); - if ( ! bfv->Type() ) - reporter->Error("cannot perform lookup on untyped Bloom filter"); - else if ( bfv->Type() != x->Type() ) - reporter->Error("incompatible Bloom filter types"); - else - return new Val(static_cast(bfv->Count(x)), TYPE_COUNT); - return new Val(0, TYPE_COUNT); - %} + %{ + const BloomFilterVal* bfv = static_cast(bf); + + if ( ! bfv->Type() ) + reporter->Error("cannot perform lookup on untyped Bloom filter"); + + else if ( ! same_type(bfv->Type(), x->Type()) ) + reporter->Error("incompatible Bloom filter types"); + + else + return new Val(static_cast(bfv->Count(x)), TYPE_COUNT); + + return new Val(0, TYPE_COUNT); + %} ## Merges two Bloom filters. ## 
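Review bot: `bloomfilter_counting_init` validates `max` but not `k` or `cells`, so a script can construct a counting filter with zero hash functions or zero cells; what the Bloom filter then does on add/lookup is outside this hunk, but a zero-cell `CounterVector` makes `Size()` return 0 and any modulo-by-size indexing a division by zero. Adding `if ( k == 0 || cells == 0 ) { reporter->Error("k and cells must be greater than 0"); return 0; }` before creating the hasher closes that. Also note that `max` values of 2^31 and above produce a `width` of 32 or more, which the counter arithmetic in `CounterVector::Increment` handles with an `int` shift (`1 << i`); either cap `width` here or fix the shift there.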
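Review bot: `bloomfilter_lookup` returns `0` on both error paths (untyped filter, mismatched element type), which a caller cannot distinguish from "element not present"; since `reporter->Error` does not abort the script, the doc comment should say so: `## Returns: the counter associated with *x* in *bf*, or 0 when *bf* is untyped or *x* has an incompatible type (an error is reported in that case).` The same applies to `bloomfilter_add`, which silently drops the element after reporting; a sentence in its header comment noting that a type mismatch leaves the filter unchanged would save users from assuming the add succeeded.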
@@ -118,13 +129,16 @@ function bloomfilter_lookup%(bf: opaque of bloomfilter, x: any%): count ## ## Returns: The union of *bf1* and *bf2*. function bloomfilter_merge%(bf1: opaque of bloomfilter, - bf2: opaque of bloomfilter%): opaque of bloomfilter - %{ - const BloomFilterVal* bfv1 = static_cast(bf1); - const BloomFilterVal* bfv2 = static_cast(bf2); - if ( bfv1->Type() != bfv2->Type() ) - reporter->Error("incompatible Bloom filter types"); - else - return BloomFilterVal::Merge(bfv1, bfv2); - return NULL; - %} + bf2: opaque of bloomfilter%): opaque of bloomfilter + %{ + const BloomFilterVal* bfv1 = static_cast(bf1); + const BloomFilterVal* bfv2 = static_cast(bf2); + + if ( ! same_type(bfv1->Type(), bfv2->Type()) ) + { + reporter->Error("incompatible Bloom filter types"); + return 0; + } + + return BloomFilterVal::Merge(bfv1, bfv2); + %} diff --git a/src/util.cc b/src/util.cc index 81ec135f98..6bea2eb7f1 100644 --- a/src/util.cc +++ b/src/util.cc @@ -803,10 +803,10 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file bro_srandom(seed, seeds_done); if ( ! first_seed_saved ) - { - first_seed = seed; - first_seed_saved = true; - } + { + first_seed = seed; + first_seed_saved = true; + } if ( ! hmac_key_set ) { @@ -820,9 +820,9 @@ void init_random_seed(uint32 seed, const char* read_file, const char* write_file } unsigned int initial_seed() - { - return first_seed; -} + { + return first_seed; + } bool have_random_seed() { @@ -830,7 +830,7 @@ bool have_random_seed() } long int bro_prng(long int state) - { + { // Use our own simple linear congruence PRNG to make sure we are // predictable across platforms. static const long int m = 2147483647; @@ -844,14 +844,14 @@ long int bro_prng(long int state) state += m; return state; - } + } long int bro_random() { if ( ! bro_rand_determistic ) return random(); // Use system PRNG. - bro_rand_state = bro_prng(bro_rand_state); + bro_rand_state = bro_prng(bro_rand_state); return bro_rand_state; } 
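Review bot: `bloomfilter_merge` only verifies that the two filters hold the same element type; agreement of the hasher (same `name`, hence same seeds, and same `k`) and of the cell count is what actually makes a union meaningful, and that check, if it exists, lives in `BloomFilterVal::Merge` outside this hunk. If `Merge` returns a null pointer for such mismatches, the script receives a null handle with no error reported; checking the result here, `if ( ! result ) reporter->Error("incompatible Bloom filter parameters");`, keeps the failure visible. I also cannot tell how `same_type` behaves when both filters are still untyped (`Type()` null), which is the state right after `_init`; a comment or explicit guard for that case would help.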
diff --git a/src/util.h b/src/util.h index 5689253d95..aaad2d9403 100644 --- a/src/util.h +++ b/src/util.h @@ -166,15 +166,15 @@ extern void init_random_seed(uint32 seed, const char* load_file, const char* write_file); // Retrieves the initial seed computed after the very first call to -// init_random_seed(). Repeated calls to init_random_seed() will not affect the -// return value of this function. +// init_random_seed(). Repeated calls to init_random_seed() will not affect +// the return value of this function. unsigned int initial_seed(); // Returns true if the user explicitly set a seed via init_random_seed(); extern bool have_random_seed(); -// A simple linear congruence PRNG. It takes its state as argument and returns -// a new random value, which can serve as state for subsequent calls. +// A simple linear congruence PRNG. It takes its state as argument and +// returns a new random value, which can serve as state for subsequent calls. long int bro_prng(long int state); // Replacement for the system random(), to which is normally falls back diff --git a/testing/btest/Baseline/bifs.bloomfilter/output b/testing/btest/Baseline/bifs.bloomfilter/output index 4fe2ae1ecc..14e1f038c0 100644 --- a/testing/btest/Baseline/bifs.bloomfilter/output +++ b/testing/btest/Baseline/bifs.bloomfilter/output @@ -1,3 +1,9 @@ +error: incompatible Bloom filter types +error: incompatible Bloom filter types +error: incompatible Bloom filter types +error: incompatible Bloom filter types +error: false-positive rate must take value between 0 and 1 +error: false-positive rate must take value between 0 and 1 0 1 1 diff --git a/testing/btest/bifs/bloomfilter.bro b/testing/btest/bifs/bloomfilter.bro index f69ddbda0c..3b40f29553 100644 --- a/testing/btest/bifs/bloomfilter.bro +++ b/testing/btest/bifs/bloomfilter.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b %INPUT >output +# @TEST-EXEC: bro -b %INPUT >output 2>&1 # @TEST-EXEC: btest-diff output function test_basic_bloom_filter() 
From c89f61917b8b7a6ab8014fad211c879681c3ad5f Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 23 Jul 2013 18:44:22 -0700 Subject: [PATCH 190/200] Updating NEWS. --- NEWS | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/NEWS b/NEWS index 1fce6b1d9d..b1a5adc12b 100644 --- a/NEWS +++ b/NEWS @@ -108,6 +108,18 @@ New Functionality shunting, and sampling; plus plugin support to customize filters dynamically. +- Bro now provides Bloom filters of two kinds: basic Bloom filters + supporting membership tests, and counting Bloom filters that track + the frequency of elements. The corresponding functions are: + + bloomfilter_basic_init(fp: double, capacity: count, name: string &default=""): opaque of bloomfilter + bloomfilter_counting_init(k: count, cells: count, max: count, name: string &default=""): opaque of bloomfilter + bloomfilter_add(bf: opaque of bloomfilter, x: any) + bloomfilter_lookup(bf: opaque of bloomfilter, x: any): count + bloomfilter_merge(bf1: opaque of bloomfilter, bf2: opaque of bloomfilter): opaque of bloomfilter + + See TODO for full documentation. + Changed Functionality ~~~~~~~~~~~~~~~~~~~~~ From 5383e8f75bae11bc5da30acf0b77493b90e5f71c Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Wed, 24 Jul 2013 11:21:10 +0200 Subject: [PATCH 191/200] Add bloomfilter_clear() BiF. --- src/OpaqueVal.cc | 5 +++++ src/OpaqueVal.h | 1 + src/probabilistic/BloomFilter.cc | 10 ++++++++++ src/probabilistic/BloomFilter.h | 11 +++++++++++ src/probabilistic/CounterVector.cc | 5 +++++ src/probabilistic/CounterVector.h | 5 +++++ src/probabilistic/bloom-filter.bif | 16 ++++++++++++++++ 7 files changed, 53 insertions(+) diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index efdd890f70..19a372c005 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc 
@@ -578,6 +578,11 @@ size_t BloomFilterVal::Count(const Val* val) const return cnt; } +void BloomFilterVal::Clear() + { + bloom_filter->Clear(); + } + BloomFilterVal* BloomFilterVal::Merge(const BloomFilterVal* x, const BloomFilterVal* y) { diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index ea704cb70a..cfb184fc77 100644 --- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h @@ -125,6 +125,7 @@ public: void Add(const Val* val); size_t Count(const Val* val) const; + void Clear(); static BloomFilterVal* Merge(const BloomFilterVal* x, const BloomFilterVal* y); diff --git a/src/probabilistic/BloomFilter.cc b/src/probabilistic/BloomFilter.cc index 5613dcce05..c78cd4193d 100644 --- a/src/probabilistic/BloomFilter.cc +++ b/src/probabilistic/BloomFilter.cc @@ -74,6 +74,11 @@ size_t BasicBloomFilter::K(size_t cells, size_t capacity) return std::ceil(frac * std::log(2)); } +void BasicBloomFilter::Clear() + { + bits->Clear(); + } + BasicBloomFilter* BasicBloomFilter::Merge(const BasicBloomFilter* x, const BasicBloomFilter* y) { @@ -191,3 +196,8 @@ size_t CountingBloomFilter::CountImpl(const Hasher::digest_vector& h) const return min; } + +void CountingBloomFilter::Clear() + { + cells->Clear(); + } diff --git a/src/probabilistic/BloomFilter.h b/src/probabilistic/BloomFilter.h index 4a6b01c484..55bc76fca7 100644 --- a/src/probabilistic/BloomFilter.h +++ b/src/probabilistic/BloomFilter.h @@ -47,6 +47,11 @@ public: return CountImpl((*hasher)(x)); } + /** + * Removes all elements, i.e., resets all bits in the underlying bit vector. + */ + virtual void Clear() = 0; + /** * Serializes the Bloom filter. * @@ -147,6 +152,9 @@ public: */ static size_t K(size_t cells, size_t capacity); + // Overridden from BloomFilter. + virtual void Clear(); + /** * Merges two basic Bloom filters. * @@ -188,6 +196,9 @@ public: */ CountingBloomFilter(const Hasher* hasher, size_t cells, size_t width); + // Overridden from BloomFilter. + virtual void Clear(); + /** * Merges two counting Bloom filters. * 
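Review bot: `CountingBloomFilter::Clear()` dereferences `cells` unconditionally, and the class's default constructor (visible as context in a later hunk of this same file) initialises `cells = 0`, so clearing a default-constructed instance — e.g. one created for unserialization before its data has been read — would be a null dereference; `BasicBloomFilter::Clear()` has the same shape with `bits`, though its default constructor is not visible here. If that state is unreachable by construction, say so; otherwise guard it with `if ( cells ) cells->Clear();` (and likewise for `bits`). Either way, the pure-virtual doc in BloomFilter.h could state the precondition: `* Precondition: the filter has been fully constructed or unserialized.`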
diff --git a/src/probabilistic/CounterVector.cc b/src/probabilistic/CounterVector.cc index 570ed1f8ea..00fa7fb8c0 100644 --- a/src/probabilistic/CounterVector.cc +++ b/src/probabilistic/CounterVector.cc @@ -70,6 +70,11 @@ bool CounterVector::Decrement(size_type cell, count_type value) return carry; } +void CounterVector::Clear() + { + bits->Clear(); + } + CounterVector::count_type CounterVector::Count(size_type cell) const { assert(cell < Size()); diff --git a/src/probabilistic/CounterVector.h b/src/probabilistic/CounterVector.h index 178a68e8f2..896f98ef1e 100644 --- a/src/probabilistic/CounterVector.h +++ b/src/probabilistic/CounterVector.h @@ -77,6 +77,11 @@ public: */ count_type Count(size_type cell) const; + /** + * Sets all counters to 0. + */ + void Clear(); + /** * Retrieves the number of cells in the storage. * diff --git a/src/probabilistic/bloom-filter.bif b/src/probabilistic/bloom-filter.bif index cbbff85d7d..9df168be0e 100644 --- a/src/probabilistic/bloom-filter.bif +++ b/src/probabilistic/bloom-filter.bif @@ -121,6 +121,22 @@ function bloomfilter_lookup%(bf: opaque of bloomfilter, x: any%): count return new Val(0, TYPE_COUNT); %} +## Removes all elements from a Bloom filter. This function sets resets all bits +## in the underlying bitvector to 0 but does not change the parameterization of +## the Bloom filter, such as the element type and the hasher seed. +## +## bf: The Bloom filter handle. +function bloomfilter_clear%(bf: opaque of bloomfilter%): any + %{ + BloomFilterVal* bfv = static_cast(bf); + + if ( bfv->Type() ) // Untyped Bloom filters are already empty. + bfv->Clear(); + + return 0; + %} + + ## Merges two Bloom filters. ## ## bf1: The first Bloom filter handle. From 5736aef440574389dda6555642ee7e938156dcf1 Mon Sep 17 00:00:00 2001 
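Review bot: The docstring for `bloomfilter_clear` has a typo — `This function sets resets all bits` — and it does not say what happens for an untyped filter, which the body silently treats as a no-op via the `if ( bfv->Type() )` guard. Suggest `## This function resets all bits in the underlying bit vector to 0 but does not change the parameterization of the Bloom filter, such as the element type and the hasher seed. Clearing an untyped (never-added-to) filter is a no-op.` The BiF also declares a return type of `any` and returns `0`; if that mirrors the other mutating BiFs in this file it is fine, otherwise a void-style return would be clearer.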
From: Matthias Vallentin Date: Wed, 24 Jul 2013 13:05:38 +0200 Subject: [PATCH 192/200] Refactor Bloom filter merging. --- src/OpaqueVal.cc | 31 ++++++++--- src/OpaqueVal.h | 22 -------- src/probabilistic/BloomFilter.cc | 92 +++++++++++++++++++++++--------- src/probabilistic/BloomFilter.h | 36 +++++++------ 4 files changed, 109 insertions(+), 72 deletions(-) diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index 19a372c005..feff4f3cc0 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -584,21 +584,36 @@ void BloomFilterVal::Clear() } BloomFilterVal* BloomFilterVal::Merge(const BloomFilterVal* x, - const BloomFilterVal* y) + const BloomFilterVal* y) { if ( ! same_type(x->Type(), y->Type()) ) + { reporter->InternalError("cannot merge Bloom filters with different types"); + return 0; + } - BloomFilterVal* result; + if ( typeid(*x->bloom_filter) != typeid(*y->bloom_filter) ) + { + reporter->InternalError("cannot merge different Bloom filter types"); + return 0; + } - if ( (result = DoMerge(x, y)) ) - return result; + probabilistic::BloomFilter* copy = x->bloom_filter->Clone(); + bool success = copy->Merge(y->bloom_filter); + if ( ! success ) + { + reporter->InternalError("failed to merge Bloom filter"); + return 0; + } - else if ( (result = DoMerge(x, y)) ) - return result; + BloomFilterVal* merged = new BloomFilterVal(copy); + if ( ! merged->Typify(x->Type()) ) + { + reporter->InternalError("failed to set type on merged Bloom filter"); + return 0; + } - reporter->InternalError("failed to merge Bloom filters"); - return 0; + return merged; } BloomFilterVal::~BloomFilterVal() diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index cfb184fc77..360bb69803 100644 --- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h 
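Review bot: The failure paths in `BloomFilterVal::Merge` leak: after `copy->Merge(y->bloom_filter)` fails, `copy` is never deleted, and after `merged->Typify(x->Type())` fails, `merged` (which now owns `copy`) is never Unref'd. Each `return 0` sits behind a `reporter->InternalError`, which by its name presumably terminates the process — in that case the leaks are moot but the returns are dead code, and if any of these conditions is reachable from script (e.g. `bloomfilter_merge` on filters with equal script types whose merge fails inside the probabilistic layer) the outcome is an abort rather than a script-level error. Suggest `delete copy; return 0;` on the failed merge and `Unref(merged); return 0;` on the failed typify, and `reporter->Error` rather than `InternalError` for the mismatches a script author can trigger.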
@@ -142,28 +142,6 @@ private: BloomFilterVal(const BloomFilterVal&); BloomFilterVal& operator=(const BloomFilterVal&); - template - static BloomFilterVal* DoMerge(const BloomFilterVal* x, - const BloomFilterVal* y) - { - if ( typeid(*x->bloom_filter) != typeid(*y->bloom_filter) ) - reporter->InternalError("cannot merge different Bloom filter types"); - - if ( typeid(T) != typeid(*x->bloom_filter) ) - return 0; - - const T* a = static_cast(x->bloom_filter); - const T* b = static_cast(y->bloom_filter); - - BloomFilterVal* merged = new BloomFilterVal(T::Merge(a, b)); - assert(merged); - - if ( ! merged->Typify(x->Type()) ) - reporter->InternalError("failed to set type on merged Bloom filter"); - - return merged; - } - BroType* type; CompositeHash* hash; probabilistic::BloomFilter* bloom_filter; diff --git a/src/probabilistic/BloomFilter.cc b/src/probabilistic/BloomFilter.cc index c78cd4193d..132cf376ec 100644 --- a/src/probabilistic/BloomFilter.cc +++ b/src/probabilistic/BloomFilter.cc 
@@ -79,17 +79,37 @@ void BasicBloomFilter::Clear() bits->Clear(); } -BasicBloomFilter* BasicBloomFilter::Merge(const BasicBloomFilter* x, - const BasicBloomFilter* y) +bool BasicBloomFilter::Merge(const BloomFilter* other) { - if ( ! x->hasher->Equals(y->hasher) ) - reporter->InternalError("incompatible hashers during BasicBloomFilter merge"); + if ( typeid(*this) != typeid(*other) ) + return 0; - BasicBloomFilter* result = new BasicBloomFilter(); - result->hasher = x->hasher->Clone(); - result->bits = new BitVector(*x->bits | *y->bits); + const BasicBloomFilter* o = static_cast(other); - return result; + if ( ! hasher->Equals(o->hasher) ) + { + reporter->InternalError("incompatible hashers in BasicBloomFilter merge"); + return false; + } + else if ( bits->Size() != o->bits->Size() ) + { + reporter->InternalError("different bitvector size in BasicBloomFilter merge"); + return false; + } + + (*bits) |= *o->bits; + + return true; + } + +BasicBloomFilter* BasicBloomFilter::Clone() const + { + BasicBloomFilter* copy = new BasicBloomFilter(); + + copy->hasher = hasher->Clone(); + copy->bits = new BitVector(*bits); + + return copy; } BasicBloomFilter::BasicBloomFilter() @@ -135,19 +155,6 @@ size_t BasicBloomFilter::CountImpl(const Hasher::digest_vector& h) const return 1; } -CountingBloomFilter* CountingBloomFilter::Merge(const CountingBloomFilter* x, - const CountingBloomFilter* y) - { - if ( ! x->hasher->Equals(y->hasher) ) - reporter->InternalError("incompatible hashers during CountingBloomFilter merge"); - - CountingBloomFilter* result = new CountingBloomFilter(); - result->hasher = x->hasher->Clone(); - result->cells = new CounterVector(*x->cells | *y->cells); - - return result; - } - CountingBloomFilter::CountingBloomFilter() { cells = 0; 
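Review bot: `BasicBloomFilter::Merge` returns `0` for a `bool` on the `typeid` mismatch while the other two failure branches return `false`, and it treats the three incompatibility cases inconsistently: a type mismatch fails silently, whereas a hasher or bit-vector size mismatch goes through `reporter->InternalError`, which presumably aborts the process. If two script-created filters can share a hasher but differ in size (e.g. same name/seed, different capacity — whether `Hasher::Equals` covers the cell count is not visible here), `bloomfilter_merge` would then abort Bro instead of reporting an error; the test baseline earlier in this series only shows the type mismatch being reported at script level. Suggest returning `false` from all three branches and letting the caller decide how to report, e.g. `if ( ! hasher->Equals(o->hasher) || bits->Size() != o->bits->Size() ) return false;`.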
@@ -160,6 +167,44 @@ CountingBloomFilter::CountingBloomFilter(const Hasher* hasher, cells = new CounterVector(width, arg_cells); } +void CountingBloomFilter::Clear() + { + cells->Clear(); + } + +bool CountingBloomFilter::Merge(const BloomFilter* other) + { + if ( typeid(*this) != typeid(*other) ) + return 0; + + const CountingBloomFilter* o = static_cast(other); + + if ( ! hasher->Equals(o->hasher) ) + { + reporter->InternalError("incompatible hashers in CountingBloomFilter merge"); + return false; + } + else if ( cells->Size() != o->cells->Size() ) + { + reporter->InternalError("different bitvector size in CountingBloomFilter merge"); + return false; + } + + (*cells) |= *o->cells; + + return true; + } + +CountingBloomFilter* CountingBloomFilter::Clone() const + { + CountingBloomFilter* copy = new CountingBloomFilter(); + + copy->hasher = hasher->Clone(); + copy->cells = new CounterVector(*cells); + + return copy; + } + IMPLEMENT_SERIAL(CountingBloomFilter, SER_COUNTINGBLOOMFILTER) bool CountingBloomFilter::DoSerialize(SerialInfo* info) const @@ -196,8 +241,3 @@ size_t CountingBloomFilter::CountImpl(const Hasher::digest_vector& h) const return min; } - -void CountingBloomFilter::Clear() - { - cells->Clear(); - } diff --git a/src/probabilistic/BloomFilter.h b/src/probabilistic/BloomFilter.h index 55bc76fca7..2ab5b89941 100644 --- a/src/probabilistic/BloomFilter.h +++ b/src/probabilistic/BloomFilter.h @@ -52,6 +52,22 @@ public: */ virtual void Clear() = 0; + /** + * Merges another Bloom filter into a copy of this one. + * + * @param other The other Bloom filter. + * + * @return `true` on success. + */ + virtual bool Merge(const BloomFilter* other) = 0; + + /** + * Constructs a copy of this Bloom filter. + * + * @return A copy of `*this`. + */ + virtual BloomFilter* Clone() const = 0; + /** * Serializes the Bloom filter. * 
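Review bot: `CountingBloomFilter::Merge` reports a size mismatch as `different bitvector size in CountingBloomFilter merge`, copied from the basic filter, although it compares `cells->Size()`; the message should name the counter vector, e.g. `"different cell count in CountingBloomFilter merge"`. It also returns `0` for a `bool` on the `typeid` branch, like its basic counterpart — `return false;`. The merge itself is `(*cells) |= *o->cells`; whether `CounterVector::operator|=` adds counters or bitwise-ORs them is not visible here, and the two give different counts for elements present in both filters, so a one-line comment stating the intended semantics would help the next reader.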
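Review bot: The new doc comment on `BloomFilter::Merge` says it `Merges another Bloom filter into a copy of this one`, but both implementations in BloomFilter.cc modify `*this` in place (`(*bits) |= *o->bits;`, `(*cells) |= *o->cells;`) and it is `BloomFilterVal::Merge` that makes the copy via `Clone()`. Suggest `* Merges another Bloom filter into this one in place. The other filter must be of the same concrete type and have a compatible hasher and size.` and, on `Clone()`, `* @return A newly allocated copy of *this; the caller owns it.` so the ownership transfer is explicit.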
@@ -154,14 +170,8 @@ public: // Overridden from BloomFilter. virtual void Clear(); - - /** - * Merges two basic Bloom filters. - * - * @return The merged Bloom filter. - */ - static BasicBloomFilter* Merge(const BasicBloomFilter* x, - const BasicBloomFilter* y); + virtual bool Merge(const BloomFilter* other); + virtual BasicBloomFilter* Clone() const; protected: DECLARE_SERIAL(BasicBloomFilter); @@ -198,14 +208,8 @@ public: // Overridden from BloomFilter. virtual void Clear(); - - /** - * Merges two counting Bloom filters. - * - * @return The merged Bloom filter. - */ - static CountingBloomFilter* Merge(const CountingBloomFilter* x, - const CountingBloomFilter* y); + virtual bool Merge(const BloomFilter* other); + virtual CountingBloomFilter* Clone() const; protected: DECLARE_SERIAL(CountingBloomFilter); From 5769c32f1eeb319e599996e05e0e63b30af34823 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Wed, 24 Jul 2013 13:18:19 +0200 Subject: [PATCH 193/200] Support emptiness check on Bloom filters. --- src/OpaqueVal.cc | 5 +++++ src/OpaqueVal.h | 1 + src/probabilistic/BitVector.cc | 8 ++++++++ src/probabilistic/BitVector.h | 6 ++++++ src/probabilistic/BloomFilter.cc | 10 ++++++++++ src/probabilistic/BloomFilter.h | 9 +++++++++ src/probabilistic/CounterVector.cc | 5 +++++ src/probabilistic/CounterVector.h | 6 ++++++ src/probabilistic/bloom-filter.bif | 3 +++ 9 files changed, 53 insertions(+) diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index feff4f3cc0..a42892e2b2 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -583,6 +583,11 @@ void BloomFilterVal::Clear() bloom_filter->Clear(); } +bool BloomFilterVal::Empty() const + { + return bloom_filter->Empty(); + } + BloomFilterVal* BloomFilterVal::Merge(const BloomFilterVal* x, const BloomFilterVal* y) { diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index 360bb69803..52c9583fc7 100644 --- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h 
@@ -126,6 +126,7 @@ public: void Add(const Val* val); size_t Count(const Val* val) const; void Clear(); + bool Empty() const; static BloomFilterVal* Merge(const BloomFilterVal* x, const BloomFilterVal* y); diff --git a/src/probabilistic/BitVector.cc b/src/probabilistic/BitVector.cc index 98f008b24b..13cd1aa3bb 100644 --- a/src/probabilistic/BitVector.cc +++ b/src/probabilistic/BitVector.cc @@ -463,6 +463,14 @@ bool BitVector::Empty() const return bits.empty(); } +bool BitVector::AllZero() const + { + for ( size_t i = 0; i < bits.size(); ++i ) + if ( bits[i] ) + return false; + return true; + } + BitVector::size_type BitVector::FindFirst() const { return find_from(0); diff --git a/src/probabilistic/BitVector.h b/src/probabilistic/BitVector.h index 9eefe1b633..d9c55d53c6 100644 --- a/src/probabilistic/BitVector.h +++ b/src/probabilistic/BitVector.h @@ -253,6 +253,12 @@ public: */ bool Empty() const; + /** + * Checks whether all bits are 0. + * @return `true` iff all bits in all blocks are 0. + */ + bool AllZero() const; + /** * Finds the bit position of of the first 1-bit. * @return The position of the first bit that equals to one or `npos` if no diff --git a/src/probabilistic/BloomFilter.cc b/src/probabilistic/BloomFilter.cc index 132cf376ec..7f769cbf7c 100644 --- a/src/probabilistic/BloomFilter.cc +++ b/src/probabilistic/BloomFilter.cc @@ -74,6 +74,11 @@ size_t BasicBloomFilter::K(size_t cells, size_t capacity) return std::ceil(frac * std::log(2)); } +bool BasicBloomFilter::Empty() const + { + return bits->AllZero(); + } + void BasicBloomFilter::Clear() { bits->Clear(); @@ -167,6 +172,11 @@ CountingBloomFilter::CountingBloomFilter(const Hasher* hasher, cells = new CounterVector(width, arg_cells); } +bool CountingBloomFilter::Empty() const + { + return cells->AllZero(); + } + void CountingBloomFilter::Clear() { cells->Clear(); diff --git a/src/probabilistic/BloomFilter.h b/src/probabilistic/BloomFilter.h index 2ab5b89941..b6cf18672f 100644 
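Review bot: `BitVector::AllZero()` scans every block in full, so it is only correct if the bits above `num_bits` in the last block are guaranteed to stay zero after operations such as `|=`, flips or resizes; nothing in this hunk establishes that invariant. If it holds, document it on the method: `// Assumes the unused high bits of the last block are always kept zero.`; if it does not, mask the last block against `num_bits` before testing. Returning `true` for a `bits` vector with no blocks is reasonable but worth stating in the header doc next to `Empty()`, which means something different here (no blocks at all rather than no set bits).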
--- a/src/probabilistic/BloomFilter.h +++ b/src/probabilistic/BloomFilter.h @@ -47,6 +47,13 @@ public: return CountImpl((*hasher)(x)); } + /** + * Checks whether the Bloom filter is empty. + * + * @return `true` if the Bloom filter contains no elements. + */ + virtual bool Empty() const = 0; + /** * Removes all elements, i.e., resets all bits in the underlying bit vector. */ @@ -169,6 +176,7 @@ public: static size_t K(size_t cells, size_t capacity); // Overridden from BloomFilter. + virtual bool Empty() const; virtual void Clear(); virtual bool Merge(const BloomFilter* other); virtual BasicBloomFilter* Clone() const; @@ -207,6 +215,7 @@ public: CountingBloomFilter(const Hasher* hasher, size_t cells, size_t width); // Overridden from BloomFilter. + virtual bool Empty() const; virtual void Clear(); virtual bool Merge(const BloomFilter* other); virtual CountingBloomFilter* Clone() const; diff --git a/src/probabilistic/CounterVector.cc b/src/probabilistic/CounterVector.cc index 00fa7fb8c0..24c9ff3638 100644 --- a/src/probabilistic/CounterVector.cc +++ b/src/probabilistic/CounterVector.cc @@ -70,6 +70,11 @@ bool CounterVector::Decrement(size_type cell, count_type value) return carry; } +bool CounterVector::AllZero() const + { + return bits->AllZero(); + } + void CounterVector::Clear() { bits->Clear(); diff --git a/src/probabilistic/CounterVector.h b/src/probabilistic/CounterVector.h index 896f98ef1e..df6fc57ac2 100644 --- a/src/probabilistic/CounterVector.h +++ b/src/probabilistic/CounterVector.h @@ -77,6 +77,12 @@ public: */ count_type Count(size_type cell) const; + /** + * Checks whether all counters are 0. + * @return `true` iff all counters have the value 0. + */ + bool AllZero() const; + /** * Sets all counters to 0. */ diff --git a/src/probabilistic/bloom-filter.bif b/src/probabilistic/bloom-filter.bif index 9df168be0e..dd21688fdd 100644 --- a/src/probabilistic/bloom-filter.bif +++ b/src/probabilistic/bloom-filter.bif 
@@ -109,6 +109,9 @@ function bloomfilter_lookup%(bf: opaque of bloomfilter, x: any%): count %{ const BloomFilterVal* bfv = static_cast(bf); + if ( bfv->Empty() ) + return new Val(0, TYPE_COUNT); + if ( ! bfv->Type() ) reporter->Error("cannot perform lookup on untyped Bloom filter"); From d8226169b8266b554c73b2804d480d10c4a9e456 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 24 Jul 2013 16:34:52 -0700 Subject: [PATCH 194/200] Fixing random number generation so that it returns same numbers as before. That broke a lot of tests. --- src/H3.h | 16 ++++++++++++++-- src/util.cc | 2 +- src/util.h | 2 +- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/src/H3.h b/src/H3.h index 8ea5848816..321fda924b 100644 --- a/src/H3.h +++ b/src/H3.h @@ -66,17 +66,29 @@ template class H3 { public: - H3(T seed = bro_random()) + H3() + { + Init(false, 0); + } + + H3(T seed) + { + Init(true, seed); + } + + void Init(bool have_seed, T seed) { T bit_lookup[N * CHAR_BIT]; for ( size_t bit = 0; bit < N * CHAR_BIT; bit++ ) { bit_lookup[bit] = 0; - seed = bro_prng(seed); for ( size_t i = 0; i < sizeof(T)/2; i++ ) + { + seed = have_seed ? bro_prng(seed) : bro_random(); // assume random() returns at least 16 random bits bit_lookup[bit] = (bit_lookup[bit] << 16) | (seed & 0xFFFF); + } } for ( size_t byte = 0; byte < N; byte++ ) diff --git a/src/util.cc b/src/util.cc index 6bea2eb7f1..23abbacc3f 100644 --- a/src/util.cc +++ b/src/util.cc @@ -829,7 +829,7 @@ bool have_random_seed() return bro_rand_determistic; } -long int bro_prng(long int state) +unsigned int bro_prng(unsigned int state) { // Use our own simple linear congruence PRNG to make sure we are // predictable across platforms. diff --git a/src/util.h b/src/util.h index aaad2d9403..05b3f032d0 100644 --- a/src/util.h +++ b/src/util.h 
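Review bot: The new `if ( bfv->Empty() )` check in `bloomfilter_lookup` runs before the untyped-filter check, so a lookup on a freshly created, never-added-to filter now returns 0 silently and the `cannot perform lookup on untyped Bloom filter` error becomes unreachable for that case — if that is intended, the BiF's doc should say so. `Empty()` is also a linear scan of the whole bit or counter vector (see `AllZero()`), so an empty or very sparse large filter pays O(m) per lookup on top of the O(k) hashing; if the goal is only to avoid the error on untyped filters, `if ( ! bfv->Type() ) return new Val(0, TYPE_COUNT);` is both cheaper and more precise.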
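Review bot: In `H3::Init`, the seeded branch feeds `seed` (of the template type `T`) through `bro_prng`, which this same patch narrows to `unsigned int` in util.cc/util.h, so for any `T` wider than 32 bits the caller's seed is truncated and the PRNG state cycles within 32 bits; if H3 is only ever instantiated with 32-bit `T` this is harmless but should be stated, e.g. `// bro_prng works on 32-bit state; wider T seeds are truncated.` `Init` is also now a public member that can be called again after construction, rebuilding the lookup tables under any live user of the hash; if that is not intended, make it private. Since these tables decide which bits a Bloom filter element sets and the unseeded path draws from `bro_random()`, which per util.h falls back to the system `random()` unless a seed was given, the class doc should note that determinism across runs is only guaranteed for the seeded constructor.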
@@ -175,7 +175,7 @@ extern bool have_random_seed(); // A simple linear congruence PRNG. It takes its state as argument and // returns a new random value, which can serve as state for subsequent calls. -long int bro_prng(long int state); +unsigned int bro_prng(unsigned int state); // Replacement for the system random(), to which is normally falls back // except when a seed has been given. In that case, the function bro_prng. From 33e6435329c9c629b47069fd48fd97139f21a2e4 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 24 Jul 2013 16:39:22 -0700 Subject: [PATCH 195/200] Updating tests. --- doc/scripts/DocSourcesList.cmake | 1 + .../canonified_loaded_scripts.log | 5 +++-- .../canonified_loaded_scripts.log | 5 +++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 529b03ca83..26a88027ef 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -17,6 +17,7 @@ rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/analyzer.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/bloom-filter.bif.bro) rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/bro.bif.bro) rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/event.bif.bro) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index b7585a1477..04316da023 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-07-05-05-20-50 +#open 2013-07-24-23-38-28 #fields name #types string scripts/base/init-bare.bro 
@@ -12,6 +12,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/strings.bif.bro build/scripts/base/bif/bro.bif.bro build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/bloom-filter.bif.bro build/scripts/base/bif/event.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro @@ -89,4 +90,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/file_analysis.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2013-07-05-05-20-50 +#close 2013-07-24-23-38-28 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 999fd7c841..66212643f3 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-07-10-21-18-31 +#open 2013-07-24-23-38-33 #fields name #types string scripts/base/init-bare.bro @@ -12,6 +12,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/strings.bif.bro build/scripts/base/bif/bro.bif.bro build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/bloom-filter.bif.bro build/scripts/base/bif/event.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro @@ -195,4 +196,4 @@ scripts/base/init-default.bro scripts/base/protocols/tunnels/__load__.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-07-10-21-18-31 +#close 2013-07-24-23-38-33 From febb7e83957aa14fbc14d59782b33ac3690388b3 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Thu, 25 Jul 2013 09:55:15 -0700 Subject: [PATCH 196/200] Covenience make target to update the three coverage tests that usually need tweaking when scripts get added/removed. --- testing/btest/Makefile | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/testing/btest/Makefile b/testing/btest/Makefile index ff63bdb601..47451fbf27 100644 --- a/testing/btest/Makefile +++ b/testing/btest/Makefile @@ -24,4 +24,11 @@ cleanup: update-doc-sources: ../../doc/scripts/genDocSourcesList.sh ../../doc/scripts/DocSourcesList.cmake +# Updates the three coverage tests that usually need tweaking when +# scripts get added/removed. +update-coverage-tests: update-doc-sources + btest -qU coverage.bare-load-baseline + btest -qU coverage.default-load-baseline + @echo "Use 'git diff' to check updates look right." + .PHONY: all btest-verbose brief btest-brief coverage cleanup From 4a7046848caf6f0b97149c91902e42b770c97b3c Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 25 Jul 2013 09:45:10 -0700 Subject: [PATCH 197/200] bif files declared with bif_target() are now automatically compiled in. No more manual includes to pull them in. (It doesn't quite work fully automatically yet for some bifs that need script-level types defined, like the input and logging frameworks. They still do a manual "@load foo.bif" in their main.bro to get the order right. It's a bit tricky to fix that and would probably need splitting main.bro into two parts; not sure that's worth it.) --- CHANGES | 10 ++++++++++ VERSION | 2 +- aux/binpac | 2 +- cmake | 2 +- scripts/base/init-bare.bro | 2 ++ src/CMakeLists.txt | 18 +++++++++++++++++- src/Func.cc | 4 ++++ src/analyzer/Manager.cc | 1 - src/file_analysis/Manager.cc | 1 - .../canonified_loaded_scripts.log | 5 +++-- .../canonified_loaded_scripts.log | 5 +++-- 11 files changed, 42 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index 7cbbc74e4f..92d16d7776 100644 --- a/CHANGES +++ b/CHANGES 
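Review bot: The new `update-coverage-tests` target is not added to the `.PHONY` list at the end of the hunk (`.PHONY: all btest-verbose brief btest-brief coverage cleanup`), and neither is its prerequisite `update-doc-sources`, so a file or directory by either name in testing/btest would make `make update-coverage-tests` report it as already up to date. Suggest `.PHONY: all btest-verbose brief btest-brief coverage cleanup update-doc-sources update-coverage-tests`. The comment promises three coverage tests but only two `btest -qU` invocations follow; if the doc-sources update counts as the third, say so in the comment, otherwise the third test is missing.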
@@ -1,4 +1,14 @@ +2.1-826 | 2013-07-25 10:12:26 -0700 + + * bif files declared with bif_target() are now automatically + compiled in. No more manual includes to pull them in. (Robin + Sommer) + + * Covenience make target in testing/btest to update the three + coverage tests that usually need tweaking when scripts get + added/removed. (Robin Sommer) + 2.1-824 | 2013-07-22 14:25:14 -0400 * Fixed a scriptland state issue that manifested especially badly on proxies. (Seth Hall) diff --git a/VERSION b/VERSION index d35eaf1454..71d91b2ea8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-824 +2.1-826 diff --git a/aux/binpac b/aux/binpac index c39bd478b9..0c91feea55 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit c39bd478b9d0ecd05b1b83aa9d09a7887893977c +Subproject commit 0c91feea55d00d3a1787203b3a43e3f9044d66e0 diff --git a/cmake b/cmake index 0187b33a29..026639f836 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 0187b33a29d5ec824f940feff60dc5d8c2fe314f +Subproject commit 026639f8368e56742c0cb5d9fb390ea64e60ec50 diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 60ed0d2fd1..cffa6d80f1 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3050,3 +3050,5 @@ const snaplen = 8192 &redef; @load base/frameworks/input @load base/frameworks/analyzer @load base/frameworks/file-analysis + +@load base/bif diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index e353dd4695..4644bab80a 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -6,6 +6,9 @@ include_directories(BEFORE # This collects generated bif and pac files from subdirectories. set(bro_ALL_GENERATED_OUTPUTS CACHE INTERNAL "automatically generated files" FORCE) +# This collects bif inputs that we'll load automatically. +set(bro_AUTO_BIFS CACHE INTERNAL "BIFs for automatic inclusion" FORCE) + # If TRUE, use CMake's object libraries for sub-directories instead of # static libraries. This requires CMake >= 2.8.8. set(bro_HAVE_OBJECT_LIBRARIES FALSE) @@ -382,8 +385,21 @@ set(BRO_EXE bro CACHE STRING "Bro executable binary" FORCE) # Target to create all the autogenerated files. +add_custom_target(generate_outputs_stage1) +add_dependencies(generate_outputs_stage1 ${bro_ALL_GENERATED_OUTPUTS}) + +# Target to create the joint includes files that pull in the bif code. +bro_bif_create_includes(generate_outputs_stage2 ${CMAKE_CURRENT_BINARY_DIR} "${bro_AUTO_BIFS}") +add_dependencies(generate_outputs_stage2 generate_outputs_stage1) + +# Global target to trigger creation of autogenerated code. add_custom_target(generate_outputs) -add_dependencies(generate_outputs ${bro_ALL_GENERATED_OUTPUTS}) +add_dependencies(generate_outputs generate_outputs_stage2) + +# Build __load__.bro files for standard *.bif.bro. +bro_bif_create_loader(bif_loader ${CMAKE_BINARY_DIR}/scripts/base/bif) +add_dependencies(bif_loader ${bro_SUBDIRS}) +add_dependencies(bro bif_loader) # Build __load__.bro files for plugins/*.bif.bro. bro_bif_create_loader(bif_loader_plugins ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins) diff --git a/src/Func.cc b/src/Func.cc index f3718fe231..7859e8d2ad 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -560,6 +560,8 @@ void builtin_error(const char* msg, BroObj* arg) #include "reporter.bif.func_def" #include "strings.bif.func_def" +#include "__all__.bif.cc" // Autogenerated for compiling in the bif_target() code. + void init_builtin_funcs() { bro_resources = internal_type("bro_resources")->AsRecordType(); 
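Review bot: The new `#include "__all__.bif.cc"` in Func.cc sits next to the still-handwritten `#include "reporter.bif.func_def"` / `"strings.bif.func_def"` list, and nothing at the include site says which bifs the generator emits versus which stay listed by hand; a bif that ends up in both would produce duplicate definitions. Suggest expanding the comment to name the producer and the rule, e.g. `// Autogenerated by bro_bif_create_includes() in src/CMakeLists.txt from the bif_target() declarations; bifs listed explicitly above must not also be bif_target()s.` (the CMake hunk in this same patch shows that target producing the file). Whether the hand-listed bifs are actually excluded by the generator is not visible here — if they are not, the exclusion belongs in CMake rather than in this list staying in sync by hand.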
@@ -574,6 +576,8 @@ void init_builtin_funcs() #include "reporter.bif.func_init" #include "strings.bif.func_init" +#include "__all__.bif.init.cc" // Autogenerated for compiling in the bif_target() code. + did_builtin_init = true; } diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 5695dec625..8b290e2341 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -103,7 +103,6 @@ void Manager::InitPreScript() void Manager::InitPostScript() { - #include "analyzer.bif.init.cc" } void Manager::DumpDebug() diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index ea1ed954ed..a7f7a29c18 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -60,7 +60,6 @@ void Manager::RegisterAnalyzerComponent(Component* component) void Manager::InitPostScript() { - #include "file_analysis.bif.init.cc" } void Manager::Terminate() diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index b7585a1477..724de75027 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-07-05-05-20-50 +#open 2013-07-25-17-10-49 #fields name #types string scripts/base/init-bare.bro @@ -87,6 +87,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/file-analysis/__load__.bro scripts/base/frameworks/file-analysis/main.bro build/scripts/base/bif/file_analysis.bif.bro + build/scripts/base/bif/__load__.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2013-07-05-05-20-50 +#close 2013-07-25-17-10-49 
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 999fd7c841..a3e89b4d60 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-07-10-21-18-31 +#open 2013-07-25-17-10-50 #fields name #types string scripts/base/init-bare.bro @@ -87,6 +87,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/file-analysis/__load__.bro scripts/base/frameworks/file-analysis/main.bro build/scripts/base/bif/file_analysis.bif.bro + build/scripts/base/bif/__load__.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/patterns.bro @@ -195,4 +196,4 @@ scripts/base/init-default.bro scripts/base/protocols/tunnels/__load__.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-07-10-21-18-31 +#close 2013-07-25-17-10-50 From c11bf3d9226fed28dbf2676c123cadd52bd13a68 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 25 Jul 2013 11:28:30 -0700 Subject: [PATCH 198/200] Fixing serialization bug introduced during earlier merge. --- src/OpaqueVal.cc | 6 +++--- src/probabilistic/BitVector.cc | 6 +++--- src/probabilistic/CounterVector.cc | 6 +++--- .../canonified_loaded_scripts.log | 14 +++++++------- .../canonified_loaded_scripts.log | 14 +++++++------- 5 files changed, 23 insertions(+), 23 deletions(-) diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index b70cfee086..66b3c081e7 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc 
@@ -656,11 +656,11 @@ bool BloomFilterVal::DoUnserialize(UnserialInfo* info) if ( is_typed ) { - BroType* type = BroType::Unserialize(info); - if ( ! Typify(type) ) + BroType* t = BroType::Unserialize(info); + if ( ! Typify(t) ) return false; - Unref(type); + Unref(t); } bloom_filter = probabilistic::BloomFilter::Unserialize(info); diff --git a/src/probabilistic/BitVector.cc b/src/probabilistic/BitVector.cc index c0285eced3..6e642e62c1 100644 --- a/src/probabilistic/BitVector.cc +++ b/src/probabilistic/BitVector.cc @@ -568,11 +568,11 @@ bool BitVector::DoUnserialize(UnserialInfo* info) bits[i] = static_cast(block); } - uint64 num_bits; - if ( ! UNSERIALIZE(&num_bits) ) + uint64 n; + if ( ! UNSERIALIZE(&n) ) return false; - num_bits = static_cast(num_bits); + num_bits = static_cast(n); return true; } diff --git a/src/probabilistic/CounterVector.cc b/src/probabilistic/CounterVector.cc index 24c9ff3638..d5635fc0f2 100644 --- a/src/probabilistic/CounterVector.cc +++ b/src/probabilistic/CounterVector.cc @@ -183,11 +183,11 @@ bool CounterVector::DoUnserialize(UnserialInfo* info) if ( ! bits ) return false; - uint64 width; - if ( ! UNSERIALIZE(&width) ) + uint64 w; + if ( ! UNSERIALIZE(&w) ) return false; - width = static_cast(width); + width = static_cast(w); return true; } diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 3236b39acd..5879c504e2 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-07-25-17-17-10 +#open 2013-07-25-17-54-33 #fields name #types string scripts/base/init-bare.bro 
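Review bot: The rename to `t` in `BloomFilterVal::DoUnserialize` fixes the shadowing of the `type` member, but the failure path still leaks: when `Typify(t)` returns false the function returns without `Unref(t)`, and `t` is not checked for null before `Typify` in case `BroType::Unserialize` failed. Suggest `if ( ! t ) return false;` followed by `if ( ! Typify(t) ) { Unref(t); return false; }`. Since this path consumes data from a remote peer, a comment noting that `Typify` is relied on to validate the unserialized type before it is trusted would make the contract explicit.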
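Review bot: `BitVector::DoUnserialize` now correctly stores the unserialized bit count into the `num_bits` member instead of a shadowing local, but the hunk shows no consistency check between `n` and the block vector just filled: a peer can send an `n` larger than the number of bits the blocks hold, leaving a BitVector whose logical size exceeds its storage and turning later indexed operations into out-of-bounds reads or writes. Since this data arrives from a remote Bro peer via the communication framework, treat it as untrusted and reject the inconsistency as a deserialization failure, e.g. `if ( n > bits.size() * <bits-per-block constant> ) return false;` before the assignment. A short comment that the block count is read first and `n` is validated against it would make the ordering dependency explicit.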
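Review bot: `CounterVector::DoUnserialize` assigns the unserialized `w` to the `width` member without validating it; `width` is presumably the per-counter bit width (the constructor visible earlier in this series takes `width` and a cell count), so a peer-supplied width of 0 or larger than the underlying bit vector would leave the object inconsistent in a way later cell indexing would not detect. Suggest rejecting out-of-range values as a deserialization failure, e.g. `if ( w == 0 || w > bits->Size() ) return false;` before `width = static_cast<size_t>(w);`. As with BitVector, this input comes from a remote peer and should be treated as untrusted.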
@@ -23,28 +23,28 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_File.events.bif.bro build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro + build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro - build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro build/scripts/base/bif/plugins/Bro_Login.events.bif.bro build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro - build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro 
@@ -91,4 +91,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/__load__.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2013-07-25-17-17-10 +#close 2013-07-25-17-54-33 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index cb4ccba850..2a820f4270 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-07-25-17-17-11 +#open 2013-07-25-17-54-33 #fields name #types string scripts/base/init-bare.bro 
@@ -23,28 +23,28 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_File.events.bif.bro build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro - build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro + build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro - build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro build/scripts/base/bif/plugins/Bro_Login.events.bif.bro build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro - build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro 
@@ -197,4 +197,4 @@ scripts/base/init-default.bro
 scripts/base/protocols/tunnels/__load__.bro
 scripts/base/misc/find-checksum-offloading.bro
 scripts/policy/misc/loaded-scripts.bro
-#close 2013-07-25-17-17-11
+#close 2013-07-25-17-54-33
From 7dd5771384d6e45693e602efaebc18ffbabe8c47 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Thu, 25 Jul 2013 12:02:41 -0700
Subject: [PATCH 199/200] Protection about broken traces with empty pcap headers.
---
 CHANGES | 5 +++++
 VERSION | 2 +-
 src/PktSrc.cc | 6 ++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 3529576088..912d7d301f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
+2.1-888 | 2013-07-25 12:02:41 -0700
+
+ * Protection about broken traces with empty pcap headers. (Matt
+ Thompson)
+
 2.1-887 | 2013-07-25 11:33:27 -0700
 * Support for Bloom filter. (Matthias Vallentin)
diff --git a/VERSION b/VERSION
index 2ced22d6f4..4f0ea7a5ac 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1-887
+2.1-888
diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index 105dc90d30..48b382565b 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -77,6 +77,12 @@ int PktSrc::ExtractNextPacket()
 data = last_data = pcap_next(pd, &hdr);
+ if ( data && (hdr.len == 0 || hdr.caplen == 0) )
+ {
+ sessions->Weird("empty_pcap_header", &hdr, data);
+ return 0;
+ }
+
 if ( data )
 next_timestamp = hdr.ts.tv_sec + double(hdr.ts.tv_usec) / 1e6;
From 8d729a378bd149206326f470fa76c1d4447e038f Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Thu, 25 Jul 2013 12:08:01 -0700
Subject: [PATCH 200/200] Updating submodule(s). [nomail]
---
 aux/binpac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aux/binpac b/aux/binpac
index 0c91feea55..896ddedde5 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 0c91feea55d00d3a1787203b3a43e3f9044d66e0
+Subproject commit 896ddedde55c48ec2163577fc258b49c418abb3e
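Review bot: The new guard only rejects records whose `len` or `caplen` is exactly zero; a record with `caplen > len` is just as malformed and is the shape that matters for over-reads once the link-layer parsers trust `hdr.caplen`, so the condition is worth widening to `if ( data && (hdr.len == 0 || hdr.caplen == 0 || hdr.caplen > hdr.len) )` unless the libpcap versions you support are known to normalise that case before returning. Separately, the early `return 0;` leaves `data` and `last_data` pointing at the rejected record while `next_timestamp` is not refreshed (the `if ( data )` just below is skipped), so anything in the rest of ExtractNextPacket or its callers that treats a non-null `data` as "packet available" sees inconsistent state; clearing with `data = last_data = 0;` before the return would make the rejected record indistinguishable from "no packet". The remainder of ExtractNextPacket is outside this hunk, so whether callers actually inspect `data` after a 0 return is inferred, not visible here.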