diff --git a/CHANGES b/CHANGES index 405b75ca1a..ff21d36f63 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,23 @@ +7.0.0-dev.72 | 2024-03-18 09:55:51 +0100 + + * btest/spicy: Remove most port usages (Arne Welzel, Corelight) + + * spicy: Deprecate port/ports in .evt files (Arne Welzel, Corelight) + + * Update doc submodule (Arne Welzel, Corelight) + + For spicy-pygments.py sync. + + * github/generate-docs: Only commit if there are staged changes (Arne Welzel, Corelight) + + git diff-index by default includes staged and non-staged changes. + The autogen-spicy-docs script copies over spicy-pygments.py from + the Spicy tree into doc/ext. + + The job would attempt to commit scripts and script-reference even + though nothing actually is staged when a spurious diff existed in + ext/spicy-pygments.py. Guard from this by using --cached. + 7.0.0-dev.66 | 2024-03-16 11:14:25 +0100 * Bump Spicy to latest version reworking AST memory management. (Robin Sommer, Corelight) diff --git a/VERSION b/VERSION index a4a375871f..343217bda7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.0.0-dev.66 +7.0.0-dev.72 diff --git a/src/spicy/spicyz/glue-compiler.cc b/src/spicy/spicyz/glue-compiler.cc index 50c903dc0a..72b1de3a0c 100644 --- a/src/spicy/spicyz/glue-compiler.cc +++ b/src/spicy/spicyz/glue-compiler.cc @@ -739,6 +739,14 @@ glue::ProtocolAnalyzer GlueCompiler::parseProtocolAnalyzer(const std::string& ch eat_token(chunk, &i, ","); } + if ( ! a.ports.empty() ) + hilti::logger().warning( + hilti::rt:: + fmt("Remove in v7.1: Analyzer %s is using the deprecated 'port' or 'ports' keyword to register " + "well-known ports. Use Analyzer::register_for_ports() in the accompanying Zeek script instead.", + a.name), + a.location); + return a; } diff --git a/testing/btest/Baseline/spicy.event-args-mismatch/output b/testing/btest/Baseline/spicy.event-args-mismatch/output index 3f6f6338db..cbedb262ac 100644 --- a/testing/btest/Baseline/spicy.event-args-mismatch/output 
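Review bot: The new deprecation warning in `parseProtocolAnalyzer` is reported at `a.location`, so it cannot point at the keyword that triggered it: the port-deprecated baseline shows `udp-test.evt:4` for a declaration that has `port` on line 3 and `ports` on line 4. If the keyword's location is available where `a.ports` is filled (that code sits above this hunk, and the function itself starts outside it), warning there would let users find each use directly. A code comment above the check, e.g. `// Remove in v7.1: drop this warning together with port/ports parsing.`, would also make the cleanup greppable outside the message string. Since the warning only appears when the .evt file is compiled, the documentation should state that an analyzer left without an `Analyzer::register_for_ports()` call is presumably no longer attached by port, which would be a silent loss of protocol visibility.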
+++ b/testing/btest/Baseline/spicy.event-args-mismatch/output @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -XXXXXXXXXX.XXXXXX analyzer error in <...>/test.evt, line 6: Event parameter mismatch, cannot convert Spicy value of type 'string' to Zeek value of type 'count' +XXXXXXXXXX.XXXXXX analyzer error in <...>/test.evt, line 5: Event parameter mismatch, cannot convert Spicy value of type 'string' to Zeek value of type 'count' diff --git a/testing/btest/Baseline/spicy.port-deprecated/out.stderr b/testing/btest/Baseline/spicy.port-deprecated/out.stderr new file mode 100644 index 0000000000..a033682601 --- /dev/null +++ b/testing/btest/Baseline/spicy.port-deprecated/out.stderr @@ -0,0 +1,2 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +[warning] <...>/udp-test.evt:4: Remove in v7.1: Analyzer spicy::TEST is using the deprecated 'port' or 'ports' keyword to register well-known ports. Use Analyzer::register_for_ports() in the accompanying Zeek script instead. diff --git a/testing/btest/Baseline/spicy.port-fail/output b/testing/btest/Baseline/spicy.port-fail/output index 24eb09807d..f572d2e79a 100644 --- a/testing/btest/Baseline/spicy.port-fail/output +++ b/testing/btest/Baseline/spicy.port-fail/output @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -[error] <...>/port-fail.evt:7: port outside of valid range +[error] <...>/port-fail.evt:9: port outside of valid range [error] error loading EVT file "<...>/port-fail.evt" diff --git a/testing/btest/spicy/conn-id.spicy b/testing/btest/spicy/conn-id.spicy index e843815984..5711ee5252 100644 --- a/testing/btest/spicy/conn-id.spicy +++ b/testing/btest/spicy/conn-id.spicy 
@@ -1,8 +1,8 @@ # @TEST-REQUIRES: have-spicy # # @TEST-EXEC: spicyz -d -o test.hlto %INPUT test.evt -# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace Zeek::Spicy test.hlto Spicy::enable_print=T >>output -# @TEST-EXEC: zeek -b -r ${TRACES}/ftp/ipv6.trace Zeek::Spicy test.hlto Spicy::enable_print=T >>output +# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace Zeek::Spicy test.hlto test.zeek Spicy::enable_print=T >>output +# @TEST-EXEC: zeek -b -r ${TRACES}/ftp/ipv6.trace Zeek::Spicy test.hlto test.zeek Spicy::enable_print=T >>output # @TEST-EXEC: btest-diff output module Test; @@ -16,6 +16,12 @@ public type Foo = unit { # @TEST-START-FILE test.evt protocol analyzer spicy::Test over TCP: - port 21/tcp-22/tcp, parse originator with Test::Foo; # @TEST-END-FILE + +# @TEST-START-FILE test.zeek +event zeek_init() + { + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_TEST, set(21/tcp, 22/tcp)); + } +# @TEST-END-FILE diff --git a/testing/btest/spicy/context.spicy b/testing/btest/spicy/context.spicy index b0f5705a34..9605368461 100644 --- a/testing/btest/spicy/context.spicy +++ b/testing/btest/spicy/context.spicy @@ -1,7 +1,7 @@ # @TEST-REQUIRES: have-spicy # # @TEST-EXEC: spicyz -d -o x.hlto %INPUT ./ssh.evt -# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace Zeek::Spicy x.hlto Spicy::enable_print=T >output +# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace Zeek::Spicy x.hlto ssh.zeek Spicy::enable_print=T >output # @TEST-EXEC: btest-diff output # # @TEST-DOC: Check that the Zeek plugin passes a (and the same) %context object to both sides of a connection. @@ -44,7 +44,13 @@ public type Responder = unit { # @TEST-START-FILE ssh.evt protocol analyzer spicy::SSH over TCP: - port 22/tcp, parse originator with SSH::Originator, parse responder with SSH::Responder; # @TEST-END-FILE + + +# @TEST-START-FILE ssh.zeek +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); +} +# @TEST-END-FILE 
diff --git a/testing/btest/spicy/decline_input.spicy b/testing/btest/spicy/decline_input.spicy index 5e4855ae52..9bbcca9f6f 100644 --- a/testing/btest/spicy/decline_input.spicy +++ b/testing/btest/spicy/decline_input.spicy @@ -1,7 +1,7 @@ # @TEST-REQUIRES: have-spicy # # @TEST-EXEC: spicyz -d -o foo.hlto foo.spicy foo.evt %INPUT -# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap foo.hlto +# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap foo.hlto foo.zeek # @TEST-EXEC: cat analyzer.log | zeek-cut analyzer_name failure_reason failure_data > analyzer.log2 && mv analyzer.log2 analyzer.log # @TEST-EXEC: btest-diff analyzer.log # @@ -17,8 +17,13 @@ public type X = unit { # @TEST-START-FILE foo.evt protocol analyzer spicy::foo over UDP: - parse with foo::X, - ports { 12345/udp, 31337/udp }; + parse with foo::X; +# @TEST-END-FILE + +# @TEST-START-FILE foo.zeek +event zeek_init() { + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_FOO, set(12345/udp, 31337/udp)); +} # @TEST-END-FILE module zeek_foo; diff --git a/testing/btest/spicy/double-event.zeek b/testing/btest/spicy/double-event.zeek index 3345f760e2..e6e7de7457 100644 --- a/testing/btest/spicy/double-event.zeek +++ b/testing/btest/spicy/double-event.zeek @@ -9,6 +9,11 @@ event ssh::banner(i: int, software: string) print i, software; } +event zeek_init() + { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); + } + # @TEST-START-FILE ssh.spicy module SSH; @@ -24,7 +29,6 @@ public type Banner = unit { protocol analyzer spicy::SSH over TCP: parse with SSH::Banner, - port 22/tcp, replaces SSH; on SSH::Banner -> event ssh::banner(1, self.software); diff --git a/testing/btest/spicy/double-types.zeek b/testing/btest/spicy/double-types.zeek index 082012d5ef..a67b0c5ef5 100644 --- a/testing/btest/spicy/double-types.zeek +++ b/testing/btest/spicy/double-types.zeek 
@@ -21,11 +21,14 @@ event dtest_result_tuple(r: R) { print "dtest_result_tuple", r$x, r$y; } +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_DTEST, 22/tcp); +} + # @TEST-START-FILE dtest.evt protocol analyzer spicy::dtest over TCP: - parse originator with dtest::Message, - port 22/tcp; + parse originator with dtest::Message; on dtest::Message -> event dtest_message(self.func); @@ -57,7 +60,7 @@ public type SubMessage = unit { }; public function bro_result(entry: Message) : tuple { - return (entry.func, entry.sub.result); + return (entry.func, entry.sub.result); } # @TEST-END-FILE diff --git a/testing/btest/spicy/event-args-mismatch.zeek b/testing/btest/spicy/event-args-mismatch.zeek index 7eb330c122..96f48781cb 100644 --- a/testing/btest/spicy/event-args-mismatch.zeek +++ b/testing/btest/spicy/event-args-mismatch.zeek @@ -8,6 +8,10 @@ event Banner::error(i: count) { } +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); +} + # @TEST-START-FILE test.spicy module SSH; @@ -22,8 +26,7 @@ public type Banner = unit { # @TEST-START-FILE test.evt protocol analyzer spicy::SSH over TCP: - parse originator with SSH::Banner, - port 22/tcp; + parse originator with SSH::Banner; on SSH::Banner::magic -> event Banner::error(self.magic); # Error: string -> count diff --git a/testing/btest/spicy/event-args.zeek b/testing/btest/spicy/event-args.zeek index 32dfa2a960..94312aff47 100644 --- a/testing/btest/spicy/event-args.zeek +++ b/testing/btest/spicy/event-args.zeek @@ -10,6 +10,10 @@ event Banner::error(msg: string) { print fmt("Error message: %s", msg); } +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); +} + # @TEST-START-FILE test.spicy module SSH; 
@@ -24,8 +28,7 @@ public type Banner = unit { # @TEST-START-FILE test.evt protocol analyzer spicy::SSH over TCP: - parse originator with SSH::Banner, - port 22/tcp; + parse originator with SSH::Banner; on SSH::Banner::%error(msg: string) -> event Banner::error(msg); on SSH::Banner::%error() -> event Banner::error("n/a"); diff --git a/testing/btest/spicy/event-cond.zeek b/testing/btest/spicy/event-cond.zeek index 23728f766f..f072019804 100644 --- a/testing/btest/spicy/event-cond.zeek +++ b/testing/btest/spicy/event-cond.zeek @@ -29,6 +29,11 @@ event ssh::banner5(c: connection, is_orig: bool, version: string, software: stri print "5", software; } +event zeek_init() + { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); + } + # @TEST-START-FILE ssh.spicy module SSH; @@ -46,7 +51,6 @@ import zeek; protocol analyzer spicy::SSH over TCP: parse with SSH::Banner, - port 22/tcp, replaces SSH; on SSH::Banner if ( True ) -> event ssh::banner1($conn, $is_orig, self.version, self.software); diff --git a/testing/btest/spicy/export-bitfield.zeek b/testing/btest/spicy/export-bitfield.zeek index 20ddf84ffb..6043122a82 100644 --- a/testing/btest/spicy/export-bitfield.zeek +++ b/testing/btest/spicy/export-bitfield.zeek @@ -7,6 +7,10 @@ # # @TEST-DOC: Tests that named and anonymous bitfields are exported as expected. +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_FOO, 80/tcp); +} + # @TEST-START-FILE export.spicy module foo; @@ -33,8 +37,7 @@ public type X = unit { import foo; protocol analyzer FOO over TCP: - parse originator with foo::X, - port 80/tcp; + parse originator with foo::X; export foo::X; diff --git a/testing/btest/spicy/export-switch.zeek b/testing/btest/spicy/export-switch.zeek index ca08a61743..b78e0aac53 100644 --- a/testing/btest/spicy/export-switch.zeek +++ b/testing/btest/spicy/export-switch.zeek 
@@ -9,6 +9,9 @@ event TEST_ZEEK::MessageEvt(message: TEST::Message) { print message; } +event zeek_init() + { Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_TEST, 31337/udp); } + # @TEST-START-FILE test.spicy module TEST; @@ -22,7 +25,6 @@ public type Message = unit { # @TEST-START-FILE test.evt import TEST; protocol analyzer spicy::Test over UDP: - port 0/udp - 42000/udp, parse with TEST::Message; export TEST::Message; diff --git a/testing/btest/spicy/export-type-e2e.zeek b/testing/btest/spicy/export-type-e2e.zeek index ce9b402b1b..310bddada2 100644 --- a/testing/btest/spicy/export-type-e2e.zeek +++ b/testing/btest/spicy/export-type-e2e.zeek @@ -7,6 +7,10 @@ # # @TEST-DOC: Test type export end-to-end, with access from the Zeek side. Regression test for #3083. +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_FOO, 80/tcp); +} + # @TEST-START-FILE export.spicy module foo; @@ -19,8 +23,7 @@ public type X = unit { import foo; protocol analyzer FOO over TCP: - parse with foo::X, - port 80/tcp; + parse with foo::X; export foo::X; diff --git a/testing/btest/spicy/export-type-with-fields.zeek b/testing/btest/spicy/export-type-with-fields.zeek index 381cdbb372..6d3f077341 100644 --- a/testing/btest/spicy/export-type-with-fields.zeek +++ b/testing/btest/spicy/export-type-with-fields.zeek @@ -21,8 +21,7 @@ public type X = unit { import foo; protocol analyzer FOO over TCP: - parse with foo::X, - port 80/tcp; + parse with foo::X; export foo::X with { x }; export foo::X as foo::X1; diff --git a/testing/btest/spicy/file-analysis-data-in-concurrent.zeek b/testing/btest/spicy/file-analysis-data-in-concurrent.zeek index 9ff70352c4..fe8c8c3afe 100644 --- a/testing/btest/spicy/file-analysis-data-in-concurrent.zeek +++ b/testing/btest/spicy/file-analysis-data-in-concurrent.zeek 
@@ -4,6 +4,10 @@ # @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T >output # @TEST-EXEC: btest-diff output +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); +} + # @TEST-START-FILE ssh.spicy module SSH; @@ -51,7 +55,6 @@ import zeek; protocol analyzer spicy::SSH over TCP: parse originator with SSH::Banner, - port 22/tcp, replaces SSH; file analyzer spicy::Text: diff --git a/testing/btest/spicy/file-analysis-data-in.zeek b/testing/btest/spicy/file-analysis-data-in.zeek index c2c2e9622f..4418eabe94 100644 --- a/testing/btest/spicy/file-analysis-data-in.zeek +++ b/testing/btest/spicy/file-analysis-data-in.zeek @@ -20,6 +20,10 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output-1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output-2 +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); +} + # @TEST-START-FILE ssh.spicy module SSH; @@ -70,7 +74,6 @@ import zeek; protocol analyzer spicy::SSH over TCP: parse with SSH::Banner, - port 22/tcp, replaces SSH; on SSH::Banner::software -> event have_filename($file, self.file_name); diff --git a/testing/btest/spicy/file-data-in-at-offset.zeek b/testing/btest/spicy/file-data-in-at-offset.zeek index 21e62f27cf..e2b680f37f 100644 --- a/testing/btest/spicy/file-data-in-at-offset.zeek +++ b/testing/btest/spicy/file-data-in-at-offset.zeek @@ -7,6 +7,10 @@ # @TEST-EXEC: btest-diff x509.log # @TEST-EXEC: btest-diff output +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); +} + # @TEST-START-FILE ssh.spicy module SSH; @@ -41,7 +45,6 @@ import zeek; protocol analyzer spicy::SSH over TCP: parse with SSH::Banner, - port 22/tcp, replaces SSH; # @TEST-END-FILE diff --git a/testing/btest/spicy/gap-recovery.zeek b/testing/btest/spicy/gap-recovery.zeek index 3cca9775fa..2f7e52a5c5 100644 --- a/testing/btest/spicy/gap-recovery.zeek 
+++ b/testing/btest/spicy/gap-recovery.zeek @@ -1,16 +1,19 @@ # @TEST-REQUIRES: have-spicy # # @TEST-EXEC: spicyz -d -o analyzer.hlto analyzer.spicy analyzer.evt -# @TEST-EXEC: zeek -Cr ${TRACES}/spicy/gap-recovery.pcap analyzer.hlto Spicy::enable_print=T >output 2>&1 +# @TEST-EXEC: zeek -Cr ${TRACES}/spicy/gap-recovery.pcap analyzer.hlto %INPUT Spicy::enable_print=T >output 2>&1 # @TEST-EXEC: if spicy-version 10503; then btest-diff output; else OUT=output-before-spicy-issue-1303; mv output "$OUT"; btest-diff "$OUT"; fi # # @TEST-DOC: Tests that parsers can resynchronize on gaps. +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 9000/tcp); +} + # @TEST-START-FILE analyzer.evt protocol analyzer spicy::HTTP over TCP: parse originator with test::Requests, parse responder with test::Responses, - port 9000/tcp, replaces HTTP; # @TEST-END-FILE diff --git a/testing/btest/spicy/list-conversion.zeek b/testing/btest/spicy/list-conversion.zeek index 129e7b1e69..be97085cf6 100644 --- a/testing/btest/spicy/list-conversion.zeek +++ b/testing/btest/spicy/list-conversion.zeek @@ -4,6 +4,10 @@ # @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT >output # @TEST-EXEC: btest-diff output +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_LISTCONV, 22/tcp); +} + @TEST-START-FILE listconv.spicy module listconv; @@ -23,8 +27,7 @@ public type Test = unit { @TEST-START-FILE listconv.evt protocol analyzer listconv over TCP: - parse originator with listconv::Test, - port 22/tcp; + parse originator with listconv::Test; on listconv::Test -> event listconv::test($conn, $is_orig, diff --git a/testing/btest/spicy/multiple-enum.zeek b/testing/btest/spicy/multiple-enum.zeek index 8a5a849259..ff6508d715 100644 --- a/testing/btest/spicy/multiple-enum.zeek +++ b/testing/btest/spicy/multiple-enum.zeek 
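Review bot: The added `zeek_init` handler in gap-recovery.zeek registers 9000/tcp for `Analyzer::ANALYZER_HTTP`, while the analyzer declared in analyzer.evt is `spicy::HTTP ... replaces HTTP` and the other tests in this commit register the `ANALYZER_SPICY_*` tag (for example `ANALYZER_SPICY_SSH` for `spicy::SSH`). The comment added to replaces.zeek in the same commit says that registering under the replaced analyzer's tag may not do the right thing, so this test appears to depend on behaviour the commit itself marks as unclear. Either register the Spicy tag, which by the naming used elsewhere would be `Analyzer::ANALYZER_SPICY_HTTP`, or add a comment such as `# Registering the replaced tag on purpose: exercises 'replaces' port handling.` if that is intended.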
@@ -12,11 +12,14 @@ event dtest_two(x: dtest::RESULT) { print "two", x; } +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_DTEST, 22/tcp); +} + # @TEST-START-FILE dtest.evt protocol analyzer spicy::dtest over TCP: - parse originator with dtest::Message, - port 22/tcp; + parse originator with dtest::Message; on dtest::Message if ( self.sswitch == 83 ) -> event dtest_one(self.result); diff --git a/testing/btest/spicy/network-time.spicy b/testing/btest/spicy/network-time.spicy index 59306c8a86..6debb7a4c9 100644 --- a/testing/btest/spicy/network-time.spicy +++ b/testing/btest/spicy/network-time.spicy @@ -1,7 +1,7 @@ # @TEST-REQUIRES: have-spicy # # @TEST-EXEC: spicyz -d -o test.hlto %INPUT ./udp-test.evt -# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap test.hlto Spicy::enable_print=T >output +# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap test.hlto network-time.zeek Spicy::enable_print=T >output # @TEST-EXEC: btest-diff output module Test; @@ -20,7 +20,13 @@ public type Message = unit { # @TEST-START-FILE udp-test.evt protocol analyzer spicy::TEST over UDP: - parse with Test::Message, - port 11337/udp-11340/udp, - ports {31337/udp-31340/udp}; + parse with Test::Message; +# @TEST-END-FILE + + +# @TEST-START-FILE network-time.zeek +event zeek_init() { + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_TEST, set(11337/udp, 11338/udp, 11339/udp, 11340/udp)); + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_TEST, set(31337/udp, 31338/udp, 31339/udp, 31340/udp)); +} # @TEST-END-FILE diff --git a/testing/btest/spicy/optional.zeek b/testing/btest/spicy/optional.zeek index 8b848abdbc..0d809a3818 100644 --- a/testing/btest/spicy/optional.zeek +++ b/testing/btest/spicy/optional.zeek 
@@ -12,11 +12,14 @@ event foo_result_tuple(r: R) { print(r); } +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_FOO, 22/tcp); +} + # @TEST-START-FILE foo.evt protocol analyzer spicy::foo over TCP: - parse originator with Foo::Message, - port 22/tcp; + parse originator with Foo::Message; on Foo::Message -> event foo_result_tuple(Foo::bro_result(self)); diff --git a/testing/btest/spicy/parse-error.zeek b/testing/btest/spicy/parse-error.zeek index 59f4897135..1438f597af 100644 --- a/testing/btest/spicy/parse-error.zeek +++ b/testing/btest/spicy/parse-error.zeek @@ -8,6 +8,10 @@ # # @TEST-DOC: Trigger parse error after confirmation, should be recorded in dpd.log +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); +} + # @TEST-START-FILE test.spicy module SSH; @@ -24,9 +28,7 @@ public type Banner = unit { # @TEST-START-FILE test.evt protocol analyzer spicy::SSH over TCP: - parse originator with SSH::Banner, - port 22/tcp - + parse originator with SSH::Banner # With Zeek < 5.0, DPD tracking doesn't work correctly for replaced # analyzers because the ProtocolViolation() doesn't take a tag. # diff --git a/testing/btest/spicy/port-deprecated.evt b/testing/btest/spicy/port-deprecated.evt new file mode 100644 index 0000000000..220a9d1faf --- /dev/null +++ b/testing/btest/spicy/port-deprecated.evt @@ -0,0 +1,21 @@ +# @TEST-REQUIRES: have-spicy +# +# @TEST-EXEC: spicyz -d -o test.hlto ./udp-test.evt 2>out.stderr +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out.stderr +# +# @TEST-DOC: Remove with v7.1: Specifying ports is deprecated. + +module Test; + +import zeek; + +public type Message = unit { + data: bytes &eod {} +}; + +# @TEST-START-FILE udp-test.evt +protocol analyzer spicy::TEST over UDP: + parse with Test::Message, + port 11337/udp-11340/udp, + ports {31337/udp-31340/udp}; +# @TEST-END-FILE 
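Review bot: In the new port-deprecated.evt, the `@TEST-EXEC` line compiles only `./udp-test.evt`, so the Spicy code in the body of the file (`module Test;`, `import zeek;`, `type Message`) is never passed to spicyz even though the embedded .evt refers to `Test::Message`. Either hand the unit definition to the compiler (it would need its own `@TEST-START-FILE` block with a `.spicy` name, since the main file carries the `.evt` extension) or remove it, so the test shows exactly which input produces the warning. The `@TEST-DOC` line could also say what is checked, e.g. `# @TEST-DOC: Using port/ports in an .evt file emits a deprecation warning. Remove with v7.1.`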
diff --git a/testing/btest/spicy/port-fail.evt b/testing/btest/spicy/port-fail.evt index f00efc6210..e51ca0fb79 100644 --- a/testing/btest/spicy/port-fail.evt +++ b/testing/btest/spicy/port-fail.evt @@ -2,6 +2,8 @@ # # @TEST-EXEC-FAIL: spicyz %INPUT -d -o x.hlto >output 2>&1 # @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output +# +# @TEST-DOC: Remove with v7.1 protocol analyzer spicy::SSH over TCP: port 123456/udp; diff --git a/testing/btest/spicy/port-range-one-port.zeek b/testing/btest/spicy/port-range-one-port.zeek index bdc5219791..95c32f2b27 100644 --- a/testing/btest/spicy/port-range-one-port.zeek +++ b/testing/btest/spicy/port-range-one-port.zeek @@ -5,7 +5,7 @@ # @TEST-EXEC: grep -e 'Scheduling analyzer' -e 'error during parsing' < out > out.filtered # @TEST-EXEC: btest-diff out.filtered -# @TEST-DOC: Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278. +# @TEST-DOC: Remove with v7.1. Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278. # @TEST-START-FILE udp-test.spicy module UDPTest; diff --git a/testing/btest/spicy/profiling.zeek b/testing/btest/spicy/profiling.zeek index 3f4743055c..49a398edcf 100644 --- a/testing/btest/spicy/profiling.zeek +++ b/testing/btest/spicy/profiling.zeek @@ -13,6 +13,11 @@ event ssh::banner(c: connection, is_orig: bool, version: string, software: strin print "SSH banner", c$id, is_orig, version, software; } +event zeek_init() + { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); + } + # @TEST-START-FILE ssh.spicy module SSH; 
@@ -28,9 +33,7 @@ public type Banner = unit { # @TEST-START-FILE ssh.evt protocol analyzer spicy::SSH over TCP: - # no port, we're using the signature parse with SSH::Banner, - port 22/tcp, replaces SSH; on SSH::Banner -> event ssh::banner($conn, $is_orig, self.version, self.software); diff --git a/testing/btest/spicy/protocol-analyzer-data-in.zeek b/testing/btest/spicy/protocol-analyzer-data-in.zeek index 7aec5d7203..f836a3ca27 100644 --- a/testing/btest/spicy/protocol-analyzer-data-in.zeek +++ b/testing/btest/spicy/protocol-analyzer-data-in.zeek @@ -4,6 +4,10 @@ # @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT # @TEST-EXEC: btest-diff http.log +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); +} + # @TEST-START-FILE ssh.spicy module SSH; @@ -51,7 +55,6 @@ import zeek; protocol analyzer spicy::SSH over TCP: parse originator with SSH::Banner, - port 22/tcp, replaces SSH; # @TEST-END-FILE diff --git a/testing/btest/spicy/protocol-analyzer-explicit-forwarding.zeek b/testing/btest/spicy/protocol-analyzer-explicit-forwarding.zeek index d12541efd5..6f93b60019 100644 --- a/testing/btest/spicy/protocol-analyzer-explicit-forwarding.zeek +++ b/testing/btest/spicy/protocol-analyzer-explicit-forwarding.zeek @@ -4,6 +4,10 @@ # @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace foo.hlto %INPUT Spicy::enable_print=T >output # @TEST-EXEC: btest-diff output +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_X, 22/tcp); +} + # @TEST-START-FILE foo.spicy module foo; import zeek; @@ -37,7 +41,6 @@ public type Z = unit { # Analyzer instantiated from Zeek based on the traffic. protocol analyzer spicy::X over TCP: parse originator with foo::X, - port 22/tcp, replaces SSH; # Analyzers which will only be instantiated explicitly by us. diff --git a/testing/btest/spicy/protocol-analyzer-tcp-over-udp.spicy b/testing/btest/spicy/protocol-analyzer-tcp-over-udp.spicy index 62c009d3de..4ca602b635 100644 
--- a/testing/btest/spicy/protocol-analyzer-tcp-over-udp.spicy +++ b/testing/btest/spicy/protocol-analyzer-tcp-over-udp.spicy @@ -1,7 +1,7 @@ # @TEST-REQUIRES: have-spicy # # @TEST-EXEC: spicyz -d -o test.hlto %INPUT ./foo.evt -# @TEST-EXEC: zeek -Cr ${TRACES}/ssh/ssh-over-udp.pcap test.hlto +# @TEST-EXEC: zeek -Cr ${TRACES}/ssh/ssh-over-udp.pcap test.hlto test.zeek # @TEST-EXEC: btest-diff ssh.log # # @TEST-DOC: Pass data from inside a UDP analyzer to a Zeek analyzers that works on top of TCP. Regression tests for #92 and also #91. @@ -22,7 +22,12 @@ public type Bar = unit { import zeek; protocol analyzer spicy::Foo over UDP: - parse with Foo::Bar, - port 1234/udp; + parse with Foo::Bar; # @TEST-END-FILE + +# @TEST-START-FILE test.zeek +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_FOO, 1234/udp); +} +# @TEST-END-FILE diff --git a/testing/btest/spicy/replaces-mismatch.zeek b/testing/btest/spicy/replaces-mismatch.zeek index b4cc9d6d16..e194a7956a 100644 --- a/testing/btest/spicy/replaces-mismatch.zeek +++ b/testing/btest/spicy/replaces-mismatch.zeek @@ -19,7 +19,6 @@ public type Banner = unit { protocol analyzer spicy::SSH over TCP: parse with SSH::Banner, - port 22/tcp, replaces Ethernet; # fail # @TEST-END-FILE diff --git a/testing/btest/spicy/replaces.zeek b/testing/btest/spicy/replaces.zeek index a1b155c718..a9a690d9a5 100644 --- a/testing/btest/spicy/replaces.zeek +++ b/testing/btest/spicy/replaces.zeek 
@@ -8,6 +8,23 @@ # We use the module search path for loading here as a regression test for #137. # Note that this that problem only showed up when the Spicy plugin was built # into Zeek. +# +# XXX: Replaces is kin of borked. "replaces" probably should inherit/use +# ports previously registered through Analyzer::register_for_port() for +# the analyzer that is being replaced, but that doesn't seem to be +# happening. Having ports previosly in .evt "worked around it" mostly. +# +# This seems pretty much #3573. +# +event zeek_init() + { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); + + # The following should maybe "do the right thing" when using replaces + # if we fiddle with the underlying enum value? + # + # Analyzer::register_for_port(Analyzer::ANALYZER_SSH, 22/tcp); + } event ssh::banner(c: connection, is_orig: bool, version: string, software: string) { @@ -15,9 +32,9 @@ event ssh::banner(c: connection, is_orig: bool, version: string, software: strin } event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) - { - print atype, info$aid; - } + { + print atype, info$aid; + } # @TEST-START-FILE ssh.spicy module SSH; @@ -38,7 +55,6 @@ public type Banner = unit { protocol analyzer spicy::SSH over TCP: parse with SSH::Banner, - port 22/tcp, replaces SSH; on SSH::Banner -> event ssh::banner($conn, $is_orig, self.version, self.software); diff --git a/testing/btest/spicy/resource-usage.zeek b/testing/btest/spicy/resource-usage.zeek index 3181c45950..5eeacad637 100644 --- a/testing/btest/spicy/resource-usage.zeek +++ b/testing/btest/spicy/resource-usage.zeek 
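Review bot: The XXX comment added above `zeek_init` in replaces.zeek has two typos (`kin of` should be `kind of`, `previosly` should be `previously`) and leaves a commented-out `Analyzer::register_for_port(Analyzer::ANALYZER_SSH, 22/tcp);` without saying what outcome is expected from it. It describes a real gap: an analyzer using `replaces` does not seem to take over the ports registered for the analyzer it replaces, so once `port` is gone from the .evt file the replacement only sees traffic if the script registers it explicitly. I would turn the note into a tracked item, e.g. `# TODO(#3573): 'replaces' should inherit the replaced analyzer's registered ports.`, and either drop the commented-out call or state what it should print.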
@@ -1,11 +1,15 @@ # @TEST-REQUIRES: have-spicy # # @TEST-EXEC: spicyz -d -o test.hlto test.evt test.spicy -# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto Zeek/Spicy/misc/resource-usage | sed 's/=[^ ]*/=XXX/g' >output +# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Zeek/Spicy/misc/resource-usage | sed 's/=[^ ]*/=XXX/g' >output # @TEST-EXEC: btest-diff output # # @TEST-DOC: Exercise the misc/resource-usage.zeek script. +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); +} + # @TEST-START-FILE test.spicy module SSH; @@ -20,7 +24,6 @@ public type Banner = unit { # @TEST-START-FILE test.evt protocol analyzer spicy::SSH over TCP: - parse originator with SSH::Banner, - port 22/tcp; + parse originator with SSH::Banner; # @TEST-END-FILE diff --git a/testing/btest/spicy/skip-input-file.zeek b/testing/btest/spicy/skip-input-file.zeek index af30a2ff39..1632cf62dc 100644 --- a/testing/btest/spicy/skip-input-file.zeek +++ b/testing/btest/spicy/skip-input-file.zeek @@ -6,6 +6,10 @@ # # @TEST-DOC: Validate that `skip_input` works for file analyzers. +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); +} + # @TEST-START-FILE ssh.spicy module SSH; @@ -51,7 +55,6 @@ import zeek; protocol analyzer spicy::SSH over TCP: parse originator with SSH::Banner, - port 22/tcp, replaces SSH; file analyzer spicy::Text: diff --git a/testing/btest/spicy/skip-input-protocol.zeek b/testing/btest/spicy/skip-input-protocol.zeek index 5acc9d299a..93fc814b1f 100644 --- a/testing/btest/spicy/skip-input-protocol.zeek +++ b/testing/btest/spicy/skip-input-protocol.zeek @@ -11,6 +11,10 @@ redef udp_inactivity_timeout = 24hrs; # avoid long gaps to trigger removal event Test::foo() { print "event"; } +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_TEST, 53/udp); +} + # @TEST-START-FILE test.spicy module Test; 
@@ -37,7 +41,6 @@ public type Foo = unit { # @TEST-START-FILE test.evt protocol analyzer spicy::Test over UDP: - port 53/udp, parse with Test::Foo; on Test::Foo -> event Test::foo(); diff --git a/testing/btest/spicy/spicyz.test b/testing/btest/spicy/spicyz.test index 1f1b79d09c..e6cddc3a39 100644 --- a/testing/btest/spicy/spicyz.test +++ b/testing/btest/spicy/spicyz.test @@ -2,7 +2,7 @@ # # @TEST-EXEC: spicyz test.spicy test.evt -d -o test.hlto # @TEST-EXEC: zeek -NN test.hlto | grep -q ANALYZER_SPICY_TEST -# @TEST-EXEC: zeek -r ${TRACES}/http/post.trace test.zeek test.hlto "Spicy::enable_print = T;" >>output 2>&1 +# @TEST-EXEC: zeek -r ${TRACES}/http/post.trace test.hlto test.zeek "Spicy::enable_print = T;" >>output 2>&1 # @TEST-EXEC: btest-diff output # # @TEST-DOC: Smoke test for a custom ahead-of-time compiled Spicy analyzer hooked into Zeek. @@ -22,8 +22,7 @@ public type Dummy = unit { # @TEST-START-FILE test.evt protocol analyzer spicy::Test over TCP: - parse with test::Dummy, - port 80/tcp; + parse with test::Dummy; on test::Dummy -> event test::dummy(self.data); # @TEST-END-FILE @@ -35,4 +34,9 @@ event test::dummy(data: vector of string) { print "Event:", data; } + +event zeek_init() +{ + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_TEST, 80/tcp); +} # @TEST-END-FILE diff --git a/testing/btest/spicy/terminate-session.zeek b/testing/btest/spicy/terminate-session.zeek index 6f22c4e7ec..ff1752304b 100644 --- a/testing/btest/spicy/terminate-session.zeek +++ b/testing/btest/spicy/terminate-session.zeek @@ -12,6 +12,10 @@ redef likely_server_ports += { 53/udp }; # avoid flipping direction after termination redef udp_inactivity_timeout = 24hrs; # avoid long gaps to trigger removal +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_TEST, 53/udp); +} + # @TEST-START-FILE test.spicy module Test; 
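Review bot: The `zeek -r` command line in spicyz.test swaps its arguments to `test.hlto test.zeek`, and test.zeek now refers to `Analyzer::ANALYZER_SPICY_TEST`; presumably the script only parses once the .hlto has been loaded and the tag exists. That ordering requirement is easy to break when the line is edited later, so I would document it above the command: `# test.hlto must precede test.zeek, which uses Analyzer::ANALYZER_SPICY_TEST.`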
@@ -36,6 +40,5 @@ type Counter = tuple; # @TEST-START-FILE test.evt protocol analyzer spicy::Test over UDP: - port 53/udp, parse originator with Test::Foo; # @TEST-END-FILE diff --git a/testing/btest/spicy/toggle-protocol-analyzer.zeek b/testing/btest/spicy/toggle-protocol-analyzer.zeek index ef0077a473..3d4f1f9087 100644 --- a/testing/btest/spicy/toggle-protocol-analyzer.zeek +++ b/testing/btest/spicy/toggle-protocol-analyzer.zeek @@ -13,6 +13,8 @@ const ENABLE = T &redef; event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); + if ( ENABLE ) Spicy::enable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SSH); else @@ -39,7 +41,6 @@ public type Banner = unit { # @TEST-START-FILE ssh.evt protocol analyzer spicy::SSH over TCP: - port 22/tcp, parse originator with SSH::Banner; on SSH::Banner -> event ssh::banner($conn, $is_orig, self.version, self.software); diff --git a/testing/btest/spicy/tuple-arg.zeek b/testing/btest/spicy/tuple-arg.zeek index 4a50d593ec..b011a2426a 100644 --- a/testing/btest/spicy/tuple-arg.zeek +++ b/testing/btest/spicy/tuple-arg.zeek @@ -15,6 +15,11 @@ event ssh::banner(f: Foo) print f; } +event zeek_init() + { + Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp); + } + # @TEST-START-FILE ssh.spicy module SSH; @@ -37,7 +42,6 @@ public type Banner = unit { protocol analyzer spicy::SSH over TCP: parse originator with SSH::Banner, - port 22/tcp, replaces SSH; on SSH::Banner -> event ssh::banner((1, self.software)); diff --git a/testing/btest/spicy/tuple-enum.zeek b/testing/btest/spicy/tuple-enum.zeek index 9918957b40..8fd9430400 100644 --- a/testing/btest/spicy/tuple-enum.zeek +++ b/testing/btest/spicy/tuple-enum.zeek 
@@ -13,12 +13,14 @@ event enum_message(f: Foo) { print f; } +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_TUPLEENUM, 22/tcp); +} + # @TEST-START-FILE tupleenum.evt protocol analyzer TupleEnum over TCP: - parse with TupleEnum::Message, - port 22/tcp, - replaces SSH; + parse with TupleEnum::Message; on TupleEnum::Message -> event enum_message( (self.a, cast(self.b)) ); diff --git a/testing/btest/spicy/type-converter.zeek b/testing/btest/spicy/type-converter.zeek index 310470fd7d..469a8c9008 100644 --- a/testing/btest/spicy/type-converter.zeek +++ b/testing/btest/spicy/type-converter.zeek @@ -1,9 +1,13 @@ # @TEST-REQUIRES: have-spicy # # @TEST-EXEC: spicyz -o test.hlto conv.spicy ./conv.evt -# @TEST-EXEC: ASAN_OPTIONS=detect_leaks=0 zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T >output +# @TEST-EXEC: ASAN_OPTIONS='detect_odr_violation=0 detect_leaks=0' zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T >output # @TEST-EXEC: btest-diff output +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_CONV, 22/tcp); +} + @TEST-START-FILE conv.spicy module Conv; @@ -41,8 +45,7 @@ type MyStruct = struct { @TEST-START-FILE conv.evt protocol analyzer Conv over TCP: - parse originator with Conv::Test, - port 22/tcp; + parse originator with Conv::Test; on Conv::Test -> event conv::test($conn, $is_orig, diff --git a/testing/btest/spicy/udp.zeek b/testing/btest/spicy/udp.zeek index d9eef7fd86..012c71d3d7 100644 --- a/testing/btest/spicy/udp.zeek +++ b/testing/btest/spicy/udp.zeek 
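Review bot: In tuple-enum.zeek the .evt part of this hunk removes `replaces SSH;` together with the deprecated `port 22/tcp,` line, which changes more than how the port is registered. With the new `Analyzer::register_for_port(Analyzer::ANALYZER_TUPLEENUM, 22/tcp);` and no `replaces` clause, the built-in SSH analyzer is presumably no longer disabled for this test and may run next to TupleEnum on the same connection. tuple-arg.zeek keeps `replaces SSH;` after the same port removal, so the two tests now differ. If that is intended it should be stated in the commit description, otherwise keep `parse with TupleEnum::Message,` followed by `replaces SSH;`. The zeekygen-enum-zeek-side.zeek and zeekygen.zeek hunks drop the clause the same way.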
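Review bot: The `@TEST-EXEC` line in the first hunk of type-converter.zeek now also sets `detect_odr_violation=0`, and nothing in the hunk or the visible commit description says why. Switching off a sanitizer check hides a whole class of findings for that run, so the reason should be recorded next to it, for example `# detect_odr_violation=0: <reason or issue link>`. The option should be dropped again once the cause is fixed. It would also be easier to review as its own commit, since it is unrelated to moving port registration into `zeek_init()`.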
@@ -15,6 +15,12 @@ event udp_test::message(c: connection, is_orig: bool, data: string) print "UDP packet", c$id, is_orig, data; } +event zeek_init() + { + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_UDP_TEST, set(11337/udp, 11338/udp, 11339/udp, 11340/udp)); + Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_UDP_TEST, set(31337/udp, 31338/udp, 31339/udp, 31340/udp)); + } + # @TEST-START-FILE udp-test.spicy module UDPTest; @@ -25,9 +31,7 @@ public type Message = unit { # @TEST-START-FILE udp-test.evt protocol analyzer spicy::UDP_TEST over UDP: - parse with UDPTest::Message, - port 11337/udp-11340/udp, - ports {31337/udp-31340/udp}; + parse with UDPTest::Message; on UDPTest::Message -> event udp_test::message($conn, $is_orig, self.data); # @TEST-END-FILE diff --git a/testing/btest/spicy/zeekygen-enum-zeek-side.zeek b/testing/btest/spicy/zeekygen-enum-zeek-side.zeek index 51a499ec2f..b336685c6b 100644 --- a/testing/btest/spicy/zeekygen-enum-zeek-side.zeek +++ b/testing/btest/spicy/zeekygen-enum-zeek-side.zeek @@ -66,9 +66,7 @@ public type Banner = unit { %doc-description = "Just a \"test\" analyzer.h"; protocol analyzer spicy::MySSH over TCP: - parse originator with MySSH::Banner, - port 22/tcp, - replaces SSH; + parse originator with MySSH::Banner; export MySSH::Compression; # This one also exists on the Zeek side diff --git a/testing/btest/spicy/zeekygen.zeek b/testing/btest/spicy/zeekygen.zeek index 764ee7636c..aff0a574e3 100644 --- a/testing/btest/spicy/zeekygen.zeek +++ b/testing/btest/spicy/zeekygen.zeek @@ -41,9 +41,7 @@ public type Banner = unit { %doc-description = "Just a \"test\" analyzer.h"; protocol analyzer spicy::SSH over TCP: - parse originator with SSH::Banner, - port 22/tcp, - replaces SSH; + parse originator with SSH::Banner; on SSH::Banner -> event ssh::banner((1, self.software));