Merge remote-tracking branch 'origin/master' into topic/johanna/remove-serializer

Johanna Amann 2019-06-17 09:50:05 -07:00
commit a50b06d6c1
543 changed files with 6954 additions and 6478 deletions

4
.gitignore vendored

@ -1,3 +1,7 @@
build
tmp
*.gcov
# Configuration and build directories for CLion
.idea
cmake-build-debug

236
CHANGES

@ -1,4 +1,240 @@
2.6-444 | 2019-06-15 19:09:03 -0700
* Add/rewrite NTP support (Vlad Grigorescu and Mauro Palumbo)
2.6-416 | 2019-06-14 20:57:57 -0700
* DNS: Add support for SPF response records (Vlad Grigorescu)
2.6-413 | 2019-06-14 19:51:28 -0700
* GH-406: rename bro.bif to zeek.bif (Jon Siwek, Corelight)
2.6-412 | 2019-06-14 19:26:21 -0700
* GH-387: update Broker topic names to use "zeek/" prefix (Jon Siwek, Corelight)
* GH-323: change builtin plugin namespaces to Zeek (Jon Siwek, Corelight)
2.6-408 | 2019-06-13 11:19:50 -0700
* Fix potential null-dereference in current_time() (Tim Wojtulewicz, Corelight)
* Add --sanitizers configure script to enable Clang sanitizers (Tim Wojtulewicz, Corelight)
2.6-404 | 2019-06-12 15:10:19 -0700
* Rename directories from bro to zeek (Daniel Thayer)
The new default installation prefix is /usr/local/zeek
2.6-400 | 2019-06-07 20:06:33 -0700
* Adapt bro_plugin CMake macros to use zeek_plugin (Jon Siwek, Corelight)
2.6-399 | 2019-06-07 14:02:18 -0700
* Update SSL documentation. (Johanna Amann)
* Support the newer TLS 1.3 key_share extension. (Johanna Amann)
* Include all data of the server-hello random (Johanna Amann)
Before we cut the first 4 bytes, which makes it impossible to recognize
several newer packets (like the hello retry).
* Parse TLS 1.3 pre-shared-key extension. (Johanna Amann)
Adds new events:
- ssl_extension_pre_shared_key_client_hello
- ssl_extension_pre_shared_key_server_hello
2.6-391 | 2019-06-07 17:29:28 +1000
* GH-209: replace "remote_ip" field of radius.log with "tunnel_client".
Also changes type from addr to string. (Jon Siwek, Corelight)
2.6-389 | 2019-06-06 20:02:19 -0700
* Update plugin unit tests to use --zeek-dist (Jon Siwek, Corelight)
2.6-388 | 2019-06-06 19:48:55 -0700
* Change default value of peer_description "zeek" (Jon Siwek, Corelight)
2.6-387 | 2019-06-06 18:51:09 -0700
* Rename Bro to Zeek in Zeekygen-generated documentation (Jon Siwek, Corelight)
2.6-386 | 2019-06-06 17:17:55 -0700
* Add new RDP event: rdp_native_encrytped_data (Anthony Kasza, Corelight)
2.6-384 | 2019-06-06 16:49:14 -0700
* Add new RDP event: rdp_client_security_data (Jeff Atkinson)
2.6-379 | 2019-06-06 11:56:58 -0700
* Improve sqlite logging unit tests (Jon Siwek, Corelight)
2.6-378 | 2019-06-05 16:23:04 -0700
* Rename BRO_DEPRECATED macro to ZEEK_DEPRECATED (Jon Siwek, Corelight)
2.6-377 | 2019-06-05 16:15:58 -0700
* Deprecate functions with "bro" in them. (Jon Siwek, Corelight)
* "bro_is_terminating" is now "zeek_is_terminating"
* "bro_version" is now "zeek_version"
The old functions still exist for now, but are deprecated.
2.6-376 | 2019-06-05 13:29:57 -0700
* GH-379: move catch-and-release and unified2 scripts to policy/ (Jon Siwek, Corelight)
These are no longer loaded by default due to the performance impact they
cause simply by being loaded (they have event handlers for commonly
generated events) and they aren't generally useful enough to justify it.
2.6-375 | 2019-06-04 19:28:06 -0700
* Simplify threading::Value destructor (Jon Siwek, Corelight)
* Add pattern support to input framework. (Zeke Medley, Corelight)
2.6-369 | 2019-06-04 17:53:10 -0700
* GH-155: Improve coercion of expression lists to vector types (Tim Wojtulewicz, Corelight)
* GH-159: Allow coercion of numeric record field values to other types (Tim Wojtulewicz, Corelight)
* Allow passing a location to BroObj::Warning and BroObj::Error. (Tim Wojtulewicz, Corelight)
This allows callers (such as check_and_promote) to pass an expression
location to be logged if the location doesn't exist in the value being
promoted.
* Add CLion directories to gitignore (Tim Wojtulewicz, Corelight)
* Move #define outside of max_type for clarity (Tim Wojtulewicz, Corelight)
2.6-361 | 2019-06-04 10:30:21 -0700
* GH-293: Protect copy() against reference cycles. (Robin Sommer, Corelight)
Reference cycles shouldn't occur but there's nothing really preventing
people from creating them, so may just as well be safe and deal with
them when cloning values.
2.6-359 | 2019-05-31 13:37:17 -0700
* Remove old documentation reference to rotate_interval (Jon Siwek, Corelight)
2.6-357 | 2019-05-30 10:57:54 -0700
* Tweak to ASCII reader warning suppression (Christian Kreibich, Corelight)
Warnings in the ASCII reader so far remained suppressed even
when an input file changed. It's helpful to learn about problems
in the data when putting in place new data files, so this change
maintains the existing warning suppression while processing a file,
but re-enables warnings after updates to a file.
2.6-354 | 2019-05-29 09:46:19 -0700
* Add weird: "RDP_channels_requested_exceeds_max" (Vlad Grigorescu)
2.6-352 | 2019-05-28 17:57:36 -0700
* Reduce data copying in Broker message processing (Jon Siwek, Corelight)
* Improve Broker I/O loop integration: less mutex locking (Jon Siwek, Corelight)
Checking a subscriber for available messages required locking a mutex,
but we should never actually need to do that in the main-loop to check
for Broker readiness since we can rely on file descriptor polling.
* Improve processing of broker data store responses (Jon Siwek, Corelight)
Now retrieves and processes all N available responses at once instead
of one-by-one-until-empty.
2.6-345 | 2019-05-28 11:32:16 -0700
* RDP: Add parsing and logging of channels requested by the client. (Vlad Grigorescu)
Can determine capabilities requested by the client, as well as attacks such
as CVE-2019-0708.
2.6-342 | 2019-05-28 10:48:37 -0700
* GH-168: Improve type-checking for table/set list assignment. (Zeke Medley and Jon Siwek, Corelight)
2.6-340 | 2019-05-24 18:02:43 -0700
* Add support for parsing additional DHCP options (Jay Wren)
The following optional fields were added to the DHCP::Options record:
- time_offset (Option 2)
- time_servers (Option 4)
- name_servers (Option 5)
- ntp_servers (Option 42)
2.6-338 | 2019-05-24 17:06:08 -0700
* Add input file name to additional ASCII reader warning messages (Christian Kreibich, Corelight)
2.6-336 | 2019-05-24 10:23:20 -0700
* GH-378: check validity of missing 'val' field in Input::add_table (Jon Siwek, Corelight)
2.6-335 | 2019-05-24 08:58:59 -0700
* Fix memory leak when no protocol_violation event handler exists (Jon Siwek, Corelight)
2.6-334 | 2019-05-23 20:40:03 -0700
* Add an internal getenv wrapper function: zeekenv (Jon Siwek, Corelight)
It maps newer environment variable names starting with ZEEK to the
legacy names starting with BRO.
* Rename all BRO-prefixed environment variables (Daniel Thayer)
For backward compatibility when reading values, we first check
the ZEEK-prefixed value, and if not set, then check the corresponding
BRO-prefixed value.
2.6-331 | 2019-05-23 18:03:42 -0700
* Update broker unit test output. (Jon Siwek, Corelight)
Due to string representation of Broker vectors changing (they now
use parentheses instead of square brackets).
2.6-330 | 2019-05-23 13:04:26 -0700
* GH-173: Support ranges of values for value_list elements in the signature parser
(Tim Wojtulewicz, Corelight)
* GH-173: Modify the signature parser so ID components can't start with numbers
(Tim Wojtulewicz, Corelight)
2.6-327 | 2019-05-23 11:56:11 -0700
* Remove redundant RecordVal::record_type member (Jon Siwek, Corelight)
2.6-326 | 2019-05-23 10:49:38 -0700
* Fix parse-time RecordVal tracking containing duplicates (Jon Siwek, Corelight)
2.6-325 | 2019-05-22 23:56:23 -0700
* Add leak-checks for new copy operations (Johanna Amann, Corelight)


@ -24,7 +24,7 @@ endif ()
set(ZEEK_ROOT_DIR ${CMAKE_INSTALL_PREFIX})
if (NOT ZEEK_SCRIPT_INSTALL_PATH)
# set the default Zeek script installation path (user did not specify one)
set(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_ROOT_DIR}/share/bro)
set(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_ROOT_DIR}/share/zeek)
endif ()
if (NOT ZEEK_MAN_INSTALL_PATH)
@ -37,18 +37,18 @@ endif ()
get_filename_component(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_SCRIPT_INSTALL_PATH}
ABSOLUTE)
set(BRO_PLUGIN_INSTALL_PATH ${ZEEK_ROOT_DIR}/lib/bro/plugins CACHE STRING "Installation path for plugins" FORCE)
set(BRO_PLUGIN_INSTALL_PATH ${ZEEK_ROOT_DIR}/lib/zeek/plugins CACHE STRING "Installation path for plugins" FORCE)
configure_file(zeek-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev)
file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.sh
"export BROPATH=`${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
"export BRO_PLUGIN_PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":${BRO_PLUGIN_PATH}\n"
"export ZEEKPATH=`${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
"export ZEEK_PLUGIN_PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":${ZEEK_PLUGIN_PATH}\n"
"export PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.csh
"setenv BROPATH `${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
"setenv BRO_PLUGIN_PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":${BRO_PLUGIN_PATH}\n"
"setenv ZEEKPATH `${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
"setenv ZEEK_PLUGIN_PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":${ZEEK_PLUGIN_PATH}\n"
"setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
@ -72,6 +72,40 @@ if(${ENABLE_DEBUG})
set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug")
endif()
if ( NOT BINARY_PACKAGING_MODE )
macro(_make_install_dir_symlink _target _link)
install(CODE "
if ( \"\$ENV{DESTDIR}\" STREQUAL \"\" )
if ( EXISTS \"${_target}\" AND NOT EXISTS \"${_link}\" )
message(STATUS \"WARNING: installed ${_link} as symlink to ${_target}\")
execute_process(COMMAND \"${CMAKE_COMMAND}\" -E create_symlink
\"${_target}\" \"${_link}\")
endif ()
endif ()
")
endmacro()
if ( "${CMAKE_INSTALL_PREFIX}" STREQUAL "/usr/local/zeek" )
# If we're installing into the default prefix, check if the
# old default prefix already exists and symlink to it.
# This is done to help keep custom user configuration/installation
# if they're upgrading from a version before Zeek 3.0.
_make_install_dir_symlink("/usr/local/bro" "/usr/local/zeek")
endif ()
# Check whether we need to symlink directories used by versions
# before Zeek 3.0.
_make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/include/bro" "${CMAKE_INSTALL_PREFIX}/include/zeek")
_make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/share/bro" "${CMAKE_INSTALL_PREFIX}/share/zeek")
_make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/lib/bro" "${CMAKE_INSTALL_PREFIX}/lib/zeek")
endif ()
if ( SANITIZERS )
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=${SANITIZERS} -fno-omit-frame-pointer")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=${SANITIZERS} -fno-omit-frame-pointer")
set(CMAKE_LD_FLAGS "${CMAKE_LD_FLAGS} -fsanitize=${SANITIZERS} -fno-omit-frame-pointer")
endif()
########################################################################
## Dependency Configuration
@ -257,7 +291,7 @@ string(TOLOWER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE_LOWER)
configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.h.in
${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h)
include_directories(${CMAKE_CURRENT_BINARY_DIR})
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h DESTINATION include/bro)
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h DESTINATION include/zeek)
if ( CAF_ROOT_DIR )
set(ZEEK_CONFIG_CAF_ROOT_DIR ${CAF_ROOT_DIR})
@ -281,7 +315,7 @@ configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.in
${CMAKE_CURRENT_BINARY_DIR}/zeek-config @ONLY)
install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/zeek-config DESTINATION bin)
install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/bro
install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/zeek
USE_SOURCE_PERMISSIONS)
# Install wrapper script for Bro-to-Zeek renaming.
@ -289,7 +323,7 @@ include(InstallShellScript)
include(InstallSymlink)
InstallShellScript("bin" "zeek-wrapper.in" "zeek-wrapper")
InstallSymlink("${CMAKE_INSTALL_PREFIX}/bin/zeek-wrapper" "${CMAKE_INSTALL_PREFIX}/bin/bro-config")
InstallSymlink("${CMAKE_INSTALL_PREFIX}/include/bro/zeek-config.h" "${CMAKE_INSTALL_PREFIX}/include/bro/bro-config.h")
InstallSymlink("${CMAKE_INSTALL_PREFIX}/include/zeek/zeek-config.h" "${CMAKE_INSTALL_PREFIX}/include/zeek/bro-config.h")
########################################################################
## Recurse on sub-directories
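Review bot: The `EXISTS "${_target}"` test in `_make_install_dir_symlink` follows symlinks, and because this `install(CODE)` appears before the `install(FILES ...)`/`install(DIRECTORY ...)` rules later in the file, a (typically root-run) `make install` whose old prefix is itself a symlink silently lands every subsequent file wherever that link points; restrict the redirect to a real directory with `if ( IS_DIRECTORY "${_target}" AND NOT IS_SYMLINK "${_target}" AND NOT EXISTS "${_link}" )`. The notice is labeled WARNING but emitted at STATUS level, which is easy to miss in install output; `message(WARNING ...)` would surface it. Separately, `CMAKE_LD_FLAGS` in the SANITIZERS block is not a variable CMake consults, so the sanitizer runtime is linked only because `CMAKE_C_FLAGS`/`CMAKE_CXX_FLAGS` are repeated on the link line; use `CMAKE_EXE_LINKER_FLAGS` and `CMAKE_SHARED_LINKER_FLAGS` (or `add_link_options` on CMake 3.13+) so shared objects and plugins get it too.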

110
NEWS

@ -18,6 +18,9 @@ New Functionality
- dns_NSEC
- dns_NSEC3
- Added support for parsing and logging DNS SPF resource records.
A new ``dns_SPF_reply`` event is also available.
- Zeek's Plugin framework now allows a patch version. If a patch version is not
provided, it will default to 0. To specify this, modify the plugin
Configuration class in your ``src/Plugin.cc`` and set
@ -79,6 +82,29 @@ New Functionality
- The ``/<re>/i`` convenience syntax for case-insensitive patterns is now
also allowed when specifying patterns used in signature files.
- New RDP functionality.
- New events:
- rdp_client_network_data
- rdp_client_security_data
- rdp_native_encrypted_data
- Add a new "client_channels" field to rdp.log based on data parsed from
the Client Network Data (TS_UD_CS_NET) packet. The channel list is also
available in the new ``rdp_client_network_data`` event.
- Add parsing support for TLS 1.3 pre-shared key extension. This info
is available in the events: ``ssl_extension_pre_shared_key_client_hello``
and ``ssl_extension_pre_shared_key_server_hello``.
- Added/re-wrote support for NTP.
- Parsing support for modes 1-7, with parsed structures available in
the ``ntp_message`` event.
- An ntp.log is produced by default, containing data extracted from
NTP messages with modes 1-5.
Changed Functionality
---------------------
@ -101,6 +127,13 @@ Changed Functionality
installation, installing the newer Zeek version over it will retain that
file and even symlink the new ``zeekctl.cfg`` to it.
- The default install prefix is now ``/usr/local/zeek`` instead of
``/usr/local/bro``. If you have an existing installation that used
the previous default and are still using the new default when upgrading,
we'll crate ``/usr/local/zeek`` as a symlink to ``/usr/local/bro``.
Certain subdirectories will also get similar treatment: ``share/bro``,
``include/bro``, and ``lib/bro``.
- ``$prefix/share/bro/site/local.bro`` has been renamed to
``local.zeek``. If you have a ``local.bro`` file from a previous
installation, possibly with customizations made to it, the new
@ -212,6 +245,80 @@ Changed Functionality
in scripts has also been updated to replace Sphinx cross-referencing roles
and directives like ":bro:see:" with ":zeek:zee:".
- The catch-and-release and unified2 scripts are no longer loaded by
default. Because there was a performance impact simply from loading
them and it's unlikely a majority of user make use of their features,
they've been moved from the scripts/base/ directory into
scripts/policy/ and must be manually loaded to use their
functionality. The "drop" action for the notice framework is likewise
moved since it was implemented via catch-and-release. As a result,
the default notice.log no longer contains a "dropped" field.
If you previously used the catch-and-release functionality add this:
@load policy/frameworks/netcontrol/catch-and-release
If you previously used Notice::ACTION_DROP add:
@load policy/frameworks/notice/actions/drop
If you previously used the Unified2 file analysis support add:
@load policy/files/unified2
- The default value of ``peer_description`` has changed from "bro"
to "zeek". This won't effect most users, except for the fact that
this value may appear in several log files, so any external plugins
that have written unit tests that compare baselines of such log
files may need to be updated.
- The "remote_ip" field of "addr" type was removed from radius.log and
replaced with a field named "tunnel_client" of "string" type. The
reason for this is that the Tunnel-Client-Endpoint RADIUS attribute
this data is derived from may also be a FQDN, not just an IP address.
- The ``ssl_server_hello`` event's ``server_random`` parameter has been
changed to always include the full 32-byte field from the
ServerHello. Previously a 4-byte timestamp and 28-byte random data
were parsed separately as some TLS protocol versions specified a
separate timestamp field as part of the full 32-byte random sequence.
- The namespace used by all the builtin plugins that ship with Zeek have
changed to use "Zeek::" instead of "Bro::".
- Any Broker topic names used in scripts shipped with Zeek that
previously were prefixed with "bro/" are now prefixed with "zeek/"
instead.
In the case where external applications were using a "bro/" topic
to send data into a Bro process, a Zeek process still subscribes
to those topics in addition to the equivalently named "zeek/" topic.
In the case where external applications were using a "bro/" topic
to subscribe to remote messages or query data stores, there's no
backwards compatibility and external applications must be changed
to use the new "zeek/" topic. The thought is this change will have
low impact since most data published under "bro/" topic names is
intended for use only as a detail of implementing cluster-enabled
versions of various scripts.
A list of the most relevant/common topic names that could potentially
be used in external applications to consume/query remote data that
one may need to change:
- store names
- bro/known/services
- bro/known/hosts
- bro/known/certs
- cluster nodes
- bro/cluster/<node type>
- bro/cluster/node/<name>
- bro/cluster/nodeid/<id>
- logging
- bro/logs/<stream>
Removed Functionality
---------------------
@ -336,6 +443,9 @@ Deprecated Functionality
such that existing code will not break, but will emit a deprecation
warning.
- The ``bro_is_terminating`` and ``bro_version`` function are deprecated and
replaced by functions named ``zeek_is_terminating`` and ``zeek_version``.
- The ``rotate_file``, ``rotate_file_by_name`` and ``calc_next_rotate`` functions
were marked as deprecated. These functions were used with the old pre-2.0 logging
framework and are no longer used. They also were marked as deprecated in their


@ -1 +1 @@
2.6-325
2.6-444

@ -1 +1 @@
Subproject commit bbf503e67cdcddbb13f8e067b0cbb2d874728c4f
Subproject commit 699ffb13c986aca599b70735b368a515c2149982

@ -1 +1 @@
Subproject commit 6ed824a38ea23dc10ec8bb21f813496719e9f76c
Subproject commit baabe22a2b8a68fac448e862e1c2acc46f89c5fc

@ -1 +1 @@
Subproject commit 0c7a8816fd385af4f633cb7239e3c63e6c88c27e
Subproject commit d884db29a72ba88c7992e17a253524d1505b8f78

@ -1 +1 @@
Subproject commit 6ece47ba6438e7a6db5c7b85a68b3c16f0911871
Subproject commit 539c2d82534345c62ba9a20c2e98ea5cbdea9c7e

@ -1 +1 @@
Subproject commit e93235aa6e45820af7e23e97627845a7b2b3d919
Subproject commit 8a6f3f7c506ac483265afc77d3c1b0861db79601

@ -1 +1 @@
Subproject commit 3ecc7b8c348a7b768092dad75e6cb54c6357b9d7
Subproject commit e0689c1c9565ba7ffcab011e9f22f6a17a67e40a

@ -1 +1 @@
Subproject commit a955e66c8b07fd6715c7ed379d0759acc592bb78
Subproject commit 5efa2d0c29bf52c3c64d5f61e39501a9c7b9dd80

2
cmake

@ -1 +1 @@
Subproject commit 8fb99b7aa9851caae2d938675324661571f8758e
Subproject commit 58e4eebe3aebd0cf608e51046805a9ab1ffa6c1b

15
configure vendored

@ -31,9 +31,9 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
(useful for cross-compiling)
Installation Directories:
--prefix=PREFIX installation directory [/usr/local/bro]
--prefix=PREFIX installation directory [/usr/local/zeek]
--scriptdir=PATH root installation directory for Zeek scripts
[PREFIX/share/bro]
[PREFIX/share/zeek]
--localstatedir=PATH when using ZeekControl, path to store log files
and run-time data (within log/ and spool/ subdirs)
[PREFIX]
@ -58,6 +58,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
--disable-perftools don't try to build with Google Perftools
--disable-python don't try to build python bindings for Broker
--disable-broker-tests don't try to build Broker unit tests
--sanitizers=SANITIZERS comma-separated list of Clang sanitizers to enable
Required Packages in Non-Standard Locations:
--with-openssl=PATH path to OpenSSL install root
@ -127,12 +128,12 @@ remove_cache_entry () {
# set defaults
builddir=build
prefix=/usr/local/bro
prefix=/usr/local/zeek
CMakeCacheEntries=""
append_cache_entry CMAKE_INSTALL_PREFIX PATH $prefix
append_cache_entry ZEEK_ROOT_DIR PATH $prefix
append_cache_entry PY_MOD_INSTALL_DIR PATH $prefix/lib/zeekctl
append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/bro
append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/zeek
append_cache_entry ZEEK_ETC_INSTALL_DIR PATH $prefix/etc
append_cache_entry ENABLE_DEBUG BOOL false
append_cache_entry ENABLE_PERFTOOLS BOOL false
@ -144,6 +145,7 @@ append_cache_entry INSTALL_ZEEKCTL BOOL true
append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING
append_cache_entry ENABLE_MOBILE_IPV6 BOOL false
append_cache_entry DISABLE_PERFTOOLS BOOL false
append_cache_entry SANITIZERS STRING ""
# parse arguments
while [ $# -ne 0 ]; do
@ -216,6 +218,9 @@ while [ $# -ne 0 ]; do
append_cache_entry ENABLE_PERFTOOLS BOOL true
append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL true
;;
--sanitizers=*)
append_cache_entry SANITIZERS STRING $optarg
;;
--enable-jemalloc)
append_cache_entry ENABLE_JEMALLOC BOOL true
;;
@ -321,7 +326,7 @@ while [ $# -ne 0 ]; do
done
if [ "$user_set_scriptdir" != "true" ]; then
append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/bro
append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/zeek
fi
if [ "$user_set_conffilesdir" != "true" ]; then
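Review bot: `append_cache_entry SANITIZERS STRING $optarg` passes the user value unquoted, so a list written with whitespace such as `--sanitizers="address, undefined"` word-splits into extra arguments and only the first fragment can reach `-fsanitize=`; quoting it as `append_cache_entry SANITIZERS STRING "$optarg"` keeps the value intact. The neighbouring cases pass `$optarg` the same way, so this matches the file's existing style, but the sanitizer option is the one most likely to carry a multi-token list. `append_cache_entry` itself is outside the hunk, so how it handles extra arguments cannot be confirmed here.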

2
doc

@ -1 +1 @@
Subproject commit e5422eafff850708f4d4ff590e54299ddc97ca42
Subproject commit 4e00c8d826535d8ee4f93f3256864cf1634ae766


@ -122,31 +122,31 @@ show leaks
record heap
.SH ENVIRONMENT
.TP
.B BROPATH
.B ZEEKPATH
file search path
.TP
.B BRO_PLUGIN_PATH
.B ZEEK_PLUGIN_PATH
plugin search path
.TP
.B BRO_PLUGIN_ACTIVATE
.B ZEEK_PLUGIN_ACTIVATE
plugins to always activate
.TP
.B BRO_PREFIXES
.B ZEEK_PREFIXES
prefix list
.TP
.B BRO_DNS_FAKE
.B ZEEK_DNS_FAKE
disable DNS lookups
.TP
.B BRO_SEED_FILE
.B ZEEK_SEED_FILE
file to load seeds from
.TP
.B BRO_LOG_SUFFIX
.B ZEEK_LOG_SUFFIX
ASCII log file extension
.TP
.B BRO_PROFILER_FILE
.B ZEEK_PROFILER_FILE
Output file for script execution statistics
.TP
.B BRO_DISABLE_BROXYGEN
.B ZEEK_DISABLE_ZEEKYGEN
Disable Zeekygen (Broxygen) documentation support
.SH AUTHOR
.B zeek


@ -8,7 +8,7 @@ export {
const default_port = 9999/tcp &redef;
## Default interval to retry listening on a port if it's currently in
## use already. Use of the BRO_DEFAULT_LISTEN_RETRY environment variable
## use already. Use of the ZEEK_DEFAULT_LISTEN_RETRY environment variable
## (set as a number of seconds) will override this option and also
## any values given to :zeek:see:`Broker::listen`.
const default_listen_retry = 30sec &redef;
@ -16,11 +16,11 @@ export {
## Default address on which to listen.
##
## .. zeek:see:: Broker::listen
const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef;
const default_listen_address = getenv("ZEEK_DEFAULT_LISTEN_ADDRESS") &redef;
## Default interval to retry connecting to a peer if it cannot be made to
## work initially, or if it ever becomes disconnected. Use of the
## BRO_DEFAULT_CONNECT_RETRY environment variable (set as number of
## ZEEK_DEFAULT_CONNECT_RETRY environment variable (set as number of
## seconds) will override this option and also any values given to
## :zeek:see:`Broker::peer`.
const default_connect_retry = 30sec &redef;
@ -70,7 +70,7 @@ export {
const log_batch_interval = 1sec &redef;
## Max number of threads to use for Broker/CAF functionality. The
## BRO_BROKER_MAX_THREADS environment variable overrides this setting.
## ZEEK_BROKER_MAX_THREADS environment variable overrides this setting.
const max_threads = 1 &redef;
## Interval of time for under-utilized Broker/CAF threads to sleep
@ -113,7 +113,7 @@ export {
## The default topic prefix where logs will be published. The log's stream
## id is appended when writing to a particular stream.
const default_log_topic_prefix = "bro/logs/" &redef;
const default_log_topic_prefix = "zeek/logs/" &redef;
## The default implementation for :zeek:see:`Broker::log_topic`.
function default_log_topic(id: Log::ID, path: string): string
@ -235,7 +235,7 @@ export {
##
## retry: If non-zero, retries listening in regular intervals if the port cannot be
## acquired immediately. 0 disables retries. If the
## BRO_DEFAULT_LISTEN_RETRY environment variable is set (as number
## ZEEK_DEFAULT_LISTEN_RETRY environment variable is set (as number
## of seconds), it overrides any value given here.
##
## Returns: the bound port or 0/? on failure.
@ -253,7 +253,7 @@ export {
## retry: an interval at which to retry establishing the
## connection with the remote peer if it cannot be made initially, or
## if it ever becomes disconnected. If the
## BRO_DEFAULT_CONNECT_RETRY environment variable is set (as number
## ZEEK_DEFAULT_CONNECT_RETRY environment variable is set (as number
## of seconds), it overrides any value given here.
##
## Returns: true if it's possible to try connecting with the peer and
@ -379,7 +379,7 @@ function listen(a: string, p: port, retry: interval): port
if ( bound == 0/tcp )
{
local e = getenv("BRO_DEFAULT_LISTEN_RETRY");
local e = getenv("ZEEK_DEFAULT_LISTEN_RETRY");
if ( e != "" )
retry = double_to_interval(to_double(e));
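Review bot: `getenv("ZEEK_DEFAULT_LISTEN_ADDRESS")` and the `ZEEK_DEFAULT_LISTEN_RETRY` lookup in `listen()` replace the `BRO_`-prefixed names with no fallback visible in the script; unless the script-level `getenv` BIF routes through the `zeekenv` compatibility wrapper that CHANGES describes for the C++ side, a deployment that pinned the Broker listener to one interface via `BRO_DEFAULT_LISTEN_ADDRESS` silently reverts to the default bind address after upgrade, widening exposure of the Broker port. Worth confirming; if the BIF does not fall back, a script-side shim such as `local a = getenv("ZEEK_DEFAULT_LISTEN_ADDRESS"); if ( a == "" ) a = getenv("BRO_DEFAULT_LISTEN_ADDRESS");` in a small helper keeps the old variable honoured until it is formally removed. The body of `listen()` continues outside the hunk.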


@ -16,7 +16,7 @@ redef Broker::log_topic = Cluster::rr_log_topic;
# If this script isn't found anywhere, the cluster bombs out.
# Loading the cluster framework requires that a script by this name exists
# somewhere in the BROPATH. The only thing in the file should be the
# somewhere in the ZEEKPATH. The only thing in the file should be the
# cluster definition in the :zeek:id:`Cluster::nodes` variable.
@load cluster-layout


@ -17,31 +17,31 @@ export {
## The topic name used for exchanging messages that are relevant to
## logger nodes in a cluster. Used with broker-enabled cluster communication.
const logger_topic = "bro/cluster/logger" &redef;
const logger_topic = "zeek/cluster/logger" &redef;
## The topic name used for exchanging messages that are relevant to
## manager nodes in a cluster. Used with broker-enabled cluster communication.
const manager_topic = "bro/cluster/manager" &redef;
const manager_topic = "zeek/cluster/manager" &redef;
## The topic name used for exchanging messages that are relevant to
## proxy nodes in a cluster. Used with broker-enabled cluster communication.
const proxy_topic = "bro/cluster/proxy" &redef;
const proxy_topic = "zeek/cluster/proxy" &redef;
## The topic name used for exchanging messages that are relevant to
## worker nodes in a cluster. Used with broker-enabled cluster communication.
const worker_topic = "bro/cluster/worker" &redef;
const worker_topic = "zeek/cluster/worker" &redef;
## The topic name used for exchanging messages that are relevant to
## time machine nodes in a cluster. Used with broker-enabled cluster communication.
const time_machine_topic = "bro/cluster/time_machine" &redef;
const time_machine_topic = "zeek/cluster/time_machine" &redef;
## The topic prefix used for exchanging messages that are relevant to
## a named node in a cluster. Used with broker-enabled cluster communication.
const node_topic_prefix = "bro/cluster/node/" &redef;
const node_topic_prefix = "zeek/cluster/node/" &redef;
## The topic prefix used for exchanging messages that are relevant to
## a unique node in a cluster. Used with broker-enabled cluster communication.
const nodeid_topic_prefix = "bro/cluster/nodeid/" &redef;
const nodeid_topic_prefix = "zeek/cluster/nodeid/" &redef;
## Name of the node on which master data stores will be created if no other
## has already been specified by the user in :zeek:see:`Cluster::stores`.
@ -192,7 +192,7 @@ export {
global worker_count: count = 0;
## The cluster layout definition. This should be placed into a filter
## named cluster-layout.zeek somewhere in the BROPATH. It will be
## named cluster-layout.zeek somewhere in the ZEEKPATH. It will be
## automatically loaded if the CLUSTER_NODE environment variable is set.
## Note that ZeekControl handles all of this automatically.
## The table is typically indexed by node names/labels (e.g. "manager"
@ -210,8 +210,8 @@ export {
const node = getenv("CLUSTER_NODE") &redef;
## Interval for retrying failed connections between cluster nodes.
## If set, the BRO_DEFAULT_CONNECT_RETRY (given in number of seconds)
## overrides this option.
## If set, the ZEEK_DEFAULT_CONNECT_RETRY (given in number of seconds)
## environment variable overrides this option.
const retry_interval = 1min &redef;
## When using broker-enabled cluster framework, nodes broadcast this event


@ -60,17 +60,17 @@ export {
## The specification for :zeek:see:`Cluster::proxy_pool`.
global proxy_pool_spec: PoolSpec =
PoolSpec($topic = "bro/cluster/pool/proxy",
PoolSpec($topic = "zeek/cluster/pool/proxy",
$node_type = Cluster::PROXY) &redef;
## The specification for :zeek:see:`Cluster::worker_pool`.
global worker_pool_spec: PoolSpec =
PoolSpec($topic = "bro/cluster/pool/worker",
PoolSpec($topic = "zeek/cluster/pool/worker",
$node_type = Cluster::WORKER) &redef;
## The specification for :zeek:see:`Cluster::logger_pool`.
global logger_pool_spec: PoolSpec =
PoolSpec($topic = "bro/cluster/pool/logger",
PoolSpec($topic = "zeek/cluster/pool/logger",
$node_type = Cluster::LOGGER) &redef;
## A pool containing all the proxy nodes of a cluster.


@ -81,7 +81,7 @@ function default_rotation_postprocessor_func(info: Log::RotationInfo) : bool
{
# If the filename has a ".gz" extension, then keep it.
local gz = info$fname[-3:] == ".gz" ? ".gz" : "";
local bls = getenv("BRO_LOG_SUFFIX");
local bls = getenv("ZEEK_LOG_SUFFIX");
if ( bls == "" )
bls = "log";


@ -3,7 +3,6 @@
@load ./plugins
@load ./drop
@load ./shunt
@load ./catch-and-release
# The cluster framework must be loaded first.
@load base/frameworks/cluster


@ -1,9 +1,9 @@
##! Implementation of the drop functionality for NetControl.
module NetControl;
@load ./main
module NetControl;
export {
redef enum Log::ID += { DROP };


@ -10,11 +10,11 @@
##! provides convenience functions for a set of common operations. The
##! low-level API provides full flexibility.
module NetControl;
@load ./plugin
@load ./types
module NetControl;
export {
## The framework's logging stream identifier.
redef enum Log::ID += { LOG };
@ -889,7 +889,7 @@ function remove_rule_impl(id: string, reason: string) : bool
function rule_expire_impl(r: Rule, p: PluginState) &priority=-5
{
# do not emit timeout events on shutdown
if ( bro_is_terminating() )
if ( zeek_is_terminating() )
return;
if ( r$id !in rules )


@ -1,7 +1,8 @@
module NetControl;
@load ./main
module NetControl;
function activate(p: PluginState, priority: int)
{
activate_impl(p, priority);


@ -1,9 +1,9 @@
##! This file defines the plugin interface for NetControl.
module NetControl;
@load ./types
module NetControl;
export {
## This record keeps the per instance state of a plugin.
##


@ -1,11 +1,11 @@
##! Acld plugin for the netcontrol framework.
module NetControl;
@load ../main
@load ../plugin
@load base/frameworks/broker
module NetControl;
export {
type AclRule : record {
command: string;


@ -2,12 +2,12 @@
##! used in NetControl on to Broker to allow for easy handling, e.g., of
##! command-line scripts.
module NetControl;
@load ../main
@load ../plugin
@load base/frameworks/broker
module NetControl;
export {
## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`.
type BrokerConfig: record {


@ -3,10 +3,10 @@
##! and can only add/remove filters for addresses, this is quite
##! limited in scope at the moment.
module NetControl;
@load ../plugin
module NetControl;
export {
## Instantiates the packetfilter plugin.
global create_packetfilter: function() : PluginState;


@ -3,7 +3,6 @@
# There should be no overhead imposed by loading notice actions so we
# load them all.
@load ./actions/drop
@load ./actions/email_admin
@load ./actions/page
@load ./actions/add-geodata


@ -405,7 +405,7 @@ function email_headers(subject_desc: string, dest: string): string
"From: ", mail_from, "\n",
"Subject: ", mail_subject_prefix, " ", subject_desc, "\n",
"To: ", dest, "\n",
"User-Agent: Bro-IDS/", bro_version(), "\n");
"User-Agent: Bro-IDS/", zeek_version(), "\n");
if ( reply_to != "" )
header_text = string_cat(header_text, "Reply-To: ", reply_to, "\n");
return header_text;
@ -552,7 +552,7 @@ function is_being_suppressed(n: Notice::Info): bool
}
# Executes a script with all of the notice fields put into the
# new process' environment as "BRO_ARG_<field>" variables.
# new process' environment as "ZEEK_ARG_<field>" variables.
function execute_with_notice(cmd: string, n: Notice::Info)
{
# TODO: fix system calls
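Review bot: The comment above execute_with_notice now says the child process sees `ZEEK_ARG_<field>` variables, but the body that actually exports them lies outside the hunk; if the implementation still emits `BRO_ARG_<field>` the comment is wrong, and if it was renamed as well, external scripts that read `BRO_ARG_*` stop seeing the notice fields silently. Either way this is an interface consumed by programs outside Zeek, so the comment should say so, e.g. `# (renamed from BRO_ARG_<field>; external scripts reading the old names must be updated)`. In the same file the `"User-Agent: Bro-IDS/"` string in email_headers keeps the old product name although the version call next to it was renamed — confirm that is intended rather than an oversight.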


@ -11,7 +11,7 @@ const COOKIE_BID_SIZE = 16777216;
# start at bit 40 (1 << 40)
const COOKIE_BID_START = 1099511627776;
# Zeek specific cookie ID shall have the 42 bit set (1 << 42)
const BRO_COOKIE_ID = 4;
const ZEEK_COOKIE_ID = 4;
# 8 bits group identifier
const COOKIE_GID_SIZE = 256;
# start at bit 32 (1 << 32)


@ -198,7 +198,7 @@ function match_conn(id: conn_id, reverse: bool &default=F): ofp_match
# 42 bit of the cookie set.
function generate_cookie(cookie: count &default=0): count
{
local c = BRO_COOKIE_ID * COOKIE_BID_START;
local c = ZEEK_COOKIE_ID * COOKIE_BID_START;
if ( cookie >= COOKIE_UID_SIZE )
Reporter::warning(fmt("The given cookie uid '%d' is > 32bit and will be discarded", cookie));
@ -211,7 +211,7 @@ function generate_cookie(cookie: count &default=0): count
# local function to check if a given flow_mod cookie is forged from this framework.
function is_valid_cookie(cookie: count): bool
{
if ( cookie / COOKIE_BID_START == BRO_COOKIE_ID )
if ( cookie / COOKIE_BID_START == ZEEK_COOKIE_ID )
return T;
Reporter::warning(fmt("The given Openflow cookie '%d' is not valid", cookie));
@ -231,7 +231,7 @@ function get_cookie_gid(cookie: count): count
{
if( is_valid_cookie(cookie) )
return (
(cookie - (COOKIE_BID_START * BRO_COOKIE_ID) -
(cookie - (COOKIE_BID_START * ZEEK_COOKIE_ID) -
(cookie - ((cookie / COOKIE_GID_START) * COOKIE_GID_START))) /
COOKIE_GID_START
);


@ -89,7 +89,7 @@ export {
## Opaque controller-issued identifier.
# This is optional in the specification - but let's force
# it so we always can identify our flows...
cookie: count; # &default=BRO_COOKIE_ID * COOKIE_BID_START;
cookie: count; # &default=ZEEK_COOKIE_ID * COOKIE_BID_START;
# Flow actions
## Table to put the flow in. OFPTT_ALL can be used for delete,
## to delete flows from all matching tables.


@ -35,7 +35,7 @@ event SumStats::finish_epoch(ss: SumStat)
{
local data = result_store[ss$name];
local now = network_time();
if ( bro_is_terminating() )
if ( zeek_is_terminating() )
{
for ( key, val in data )
ss$epoch_result(now, key, val);


@ -777,7 +777,7 @@ type IPAddrAnonymizationClass: enum {
## Deprecated.
##
## .. zeek:see:: rotate_file rotate_file_by_name rotate_interval
## .. zeek:see:: rotate_file rotate_file_by_name
type rotate_info: record {
old_name: string; ##< Original filename.
new_name: string; ##< File name after rotation.
@ -1113,9 +1113,6 @@ const table_expire_delay = 0.01 secs &redef;
## Time to wait before timing out a DNS request.
const dns_session_timeout = 10 sec &redef;
## Time to wait before timing out an NTP request.
const ntp_session_timeout = 300 sec &redef;
## Time to wait before timing out an RPC request.
const rpc_timeout = 24 sec &redef;
@ -1789,7 +1786,7 @@ type gtp_delete_pdp_ctx_response_elements: record {
};
# Prototypes of Zeek built-in functions.
@load base/bif/bro.bif
@load base/bif/zeek.bif
@load base/bif/stats.bif
@load base/bif/reporter.bif
@load base/bif/strings.bif
@ -1806,7 +1803,11 @@ event net_done(t: time) { done_with_network = T; }
function log_file_name(tag: string): string
{
local suffix = getenv("BRO_LOG_SUFFIX") == "" ? "log" : getenv("BRO_LOG_SUFFIX");
local suffix = getenv("ZEEK_LOG_SUFFIX");
if ( suffix == "" )
suffix = "log";
return fmt("%s.%s", tag, suffix);
}
@ -1839,11 +1840,11 @@ function add_signature_file(sold: string, snew: string): string
## Signature files to read. Use ``redef signature_files += "foo.sig"`` to
## extend. Signature files added this way will be searched relative to
## ``BROPATH``. Using the ``@load-sigs`` directive instead is preferred
## ``ZEEKPATH``. Using the ``@load-sigs`` directive instead is preferred
## since that can search paths relative to the current script.
global signature_files = "" &add_func = add_signature_file;
## ``p0f`` fingerprint file to use. Will be searched relative to ``BROPATH``.
## ``p0f`` fingerprint file to use. Will be searched relative to ``ZEEKPATH``.
const passive_fingerprint_file = "base/misc/p0f.fp" &redef;
## Definition of "secondary filters". A secondary filter is a BPF filter given
@ -2525,26 +2526,6 @@ export {
};
}
module GLOBAL;
## An NTP message.
##
## .. zeek:see:: ntp_message
type ntp_msg: record {
id: count; ##< Message ID.
code: count; ##< Message code.
stratum: count; ##< Stratum.
poll: count; ##< Poll.
precision: int; ##< Precision.
distance: interval; ##< Distance.
dispersion: interval; ##< Dispersion.
ref_t: time; ##< Reference time.
originate_t: time; ##< Originating time.
receive_t: time; ##< Receive time.
xmit_t: time; ##< Send time.
};
module NTLM;
export {
@ -3517,6 +3498,20 @@ export {
## URL to find a proxy.pac for auto proxy config (Option 252)
auto_proxy_config: string &optional;
## The offset of the client's subnet in seconds from UTC. (Option 2)
time_offset: int &optional;
## A list of :rfc:`868` time servers available to the client.
## (Option 4)
time_servers: DHCP::Addrs &optional;
## A list of IEN 116 name servers available to the client. (Option 5)
name_servers: DHCP::Addrs &optional;
## A list of IP addresses indicating NTP servers available to the
## client. (Option 42)
ntp_servers: DHCP::Addrs &optional;
};
}
@ -4122,6 +4117,10 @@ export {
SignatureAlgorithm: count; ##< Signature algorithm number
};
type PSKIdentity: record {
identity: string; ##< PSK identity
obfuscated_ticket_age: count;
};
## Number of non-DTLS frames that can occur in a DTLS connection before
## parsing of the connection is suspended.
@ -4143,6 +4142,8 @@ module GLOBAL;
## directly and then remove this alias.
type signature_and_hashalgorithm_vec: vector of SSL::SignatureAndHashAlgorithm;
type psk_identity_vec: vector of SSL::PSKIdentity;
module X509;
export {
type Certificate: record {
@ -4257,9 +4258,57 @@ export {
ec_flags: RDP::EarlyCapabilityFlags &optional;
dig_product_id: string &optional;
};
## The TS_UD_CS_SEC data block contains security-related information used
## to advertise client cryptographic support.
type RDP::ClientSecurityData: record {
## Cryptographic encryption methods supported by the client and used in
## conjunction with Standard RDP Security. Known flags:
##
## - 0x00000001: support for 40-bit session encryption keys
## - 0x00000002: support for 128-bit session encryption keys
## - 0x00000008: support for 56-bit session encryption keys
## - 0x00000010: support for FIPS compliant encryption and MAC methods
encryption_methods: count;
## Only used in French locale and designates the encryption method. If
## non-zero, then encryption_methods should be set to 0.
ext_encryption_methods: count;
};
## Name and flags for a single channel requested by the client.
type RDP::ClientChannelDef: record {
## A unique name for the channel
name: string;
## Absence of this flag indicates that this channel is
## a placeholder and that the server MUST NOT set it up.
initialized: bool;
## Unused, must be ignored by the server.
encrypt_rdp: bool;
## Unused, must be ignored by the server.
encrypt_sc: bool;
## Unused, must be ignored by the server.
encrypt_cs: bool;
## Channel data must be sent with high MCS priority.
pri_high: bool;
## Channel data must be sent with medium MCS priority.
pri_med: bool;
## Channel data must be sent with low MCS priority.
pri_low: bool;
## Virtual channel data must be compressed if RDP data is being compressed.
compress_rdp: bool;
## Virtual channel data must be compressed.
compress: bool;
## Ignored by the server.
show_protocol: bool;
## Channel must be persistent across remote control transactions.
persistent: bool;
};
## The list of channels requested by the client.
type RDP::ClientChannelList: vector of ClientChannelDef;
}
@load base/bif/plugins/Bro_SNMP.types.bif
@load base/bif/plugins/Zeek_SNMP.types.bif
module SNMP;
export {
@ -4381,7 +4430,7 @@ export {
};
}
@load base/bif/plugins/Bro_KRB.types.bif
@load base/bif/plugins/Zeek_KRB.types.bif
module KRB;
export {
@ -4693,7 +4742,7 @@ const packet_filter_default = F &redef;
const sig_max_group_size = 50 &redef;
## Description transmitted to remote communication peers for identification.
const peer_description = "bro" &redef;
const peer_description = "zeek" &redef;
## The number of IO chunks allowed to be buffered between the child
## and parent process of remote communication before Zeek starts dropping
@ -4903,6 +4952,180 @@ export {
const max_frame_size = 65536 &redef;
}
module NTP;
export {
## NTP standard message as defined in :rfc:`5905` for modes 1-5
## This record contains the standard fields used by the NTP protocol
## for standard syncronization operations.
type NTP::StandardMessage: record {
## This value mainly identifies the type of server (primary server,
## secondary server, etc.). Possible values, as in :rfc:`5905`, are:
##
## * 0 -> unspecified or invalid
## * 1 -> primary server (e.g., equipped with a GPS receiver)
## * 2-15 -> secondary server (via NTP)
## * 16 -> unsynchronized
## * 17-255 -> reserved
##
## For stratum 0, a *kiss_code* can be given for debugging and
## monitoring.
stratum: count;
## The maximum interval between successive messages.
poll: interval;
## The precision of the system clock.
precision: interval;
## Root delay. The total round-trip delay to the reference clock.
root_delay: interval;
## Root Dispersion. The total dispersion to the reference clock.
root_disp: interval;
## For stratum 0, four-character ASCII string used for debugging and
## monitoring. Values are defined in :rfc:`1345`.
kiss_code: string &optional;
## Reference ID. For stratum 1, this is the ID assigned to the
## reference clock by IANA.
## For example: GOES, GPS, GAL, etc. (see :rfc:`5905`)
ref_id: string &optional;
## Above stratum 1, when using IPv4, the IP address of the reference
## clock. Note that the NTP protocol did not originally specify a
## large enough field to represent IPv6 addresses, so they use
## the first four bytes of the MD5 hash of the reference clock's
## IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
ref_addr: addr &optional;
## Reference timestamp. Time when the system clock was last set or
## correct.
ref_time: time;
## Origin timestamp. Time at the client when the request departed for
## the NTP server.
org_time: time;
## Receive timestamp. Time at the server when the request arrived from
## the NTP client.
rec_time: time;
## Transmit timestamp. Time at the server when the response departed
# for the NTP client.
xmt_time: time;
## Key used to designate a secret MD5 key.
key_id: count &optional;
## MD5 hash computed over the key followed by the NTP packet header and
## extension fields.
digest: string &optional;
## Number of extension fields (which are not currently parsed).
num_exts: count &default=0;
};
## NTP control message as defined in :rfc:`1119` for mode=6
## This record contains the fields used by the NTP protocol
## for control operations.
type NTP::ControlMessage: record {
## An integer specifying the command function. Values currently defined:
##
## * 1 read status command/response
## * 2 read variables command/response
## * 3 write variables command/response
## * 4 read clock variables command/response
## * 5 write clock variables command/response
## * 6 set trap address/port command/response
## * 7 trap response
##
## Other values are reserved.
op_code: count;
## The response bit. Set to zero for commands, one for responses.
resp_bit: bool;
## The error bit. Set to zero for normal response, one for error
## response.
err_bit: bool;
## The more bit. Set to zero for last fragment, one for all others.
more_bit: bool;
## The sequence number of the command or response.
sequence: count;
## The current status of the system, peer or clock.
#TODO: this can be further parsed internally
status: count;
## A 16-bit integer identifying a valid association.
association_id: count;
## Message data for the command or response + Authenticator (optional).
data: string &optional;
## This is an integer identifying the cryptographic
## key used to generate the message-authentication code.
key_id: count &optional;
## This is a crypto-checksum computed by the encryption procedure.
crypto_checksum: string &optional;
};
## NTP mode 7 message. Note that this is not defined in any RFC and is
## implementation dependent. We used the official implementation from the
## `NTP official project <www.ntp.org>`_. A mode 7 packet is used
## exchanging data between an NTP server and a client for purposes other
## than time synchronization, e.g. monitoring, statistics gathering and
## configuration. For details see the documentation from the `NTP official
## project <www.ntp.org>`_, code v. ntp-4.2.8p13, in include/ntp_request.h.
type NTP::Mode7Message: record {
## An implementation-specific code which specifies the
## operation to be (which has been) performed and/or the
## format and semantics of the data included in the packet.
req_code: count;
## The authenticated bit. If set, this packet is authenticated.
auth_bit: bool;
## For a multipacket response, contains the sequence
## number of this packet. 0 is the first in the sequence,
## 127 (or less) is the last. The More Bit must be set in
## all packets but the last.
sequence: count;
## The number of the implementation this request code
## is defined by. An implementation number of zero is used
## for requst codes/data formats which all implementations
## agree on. Implementation number 255 is reserved (for
## extensions, in case we run out).
implementation: count;
## Must be 0 for a request. For a response, holds an error
## code relating to the request. If nonzero, the operation
## requested wasn't performed.
##
## * 0 - no error
## * 1 - incompatible implementation number
## * 2 - unimplemented request code
## * 3 - format error (wrong data items, data size, packet size etc.)
## * 4 - no data available (e.g. request for details on unknown peer)
## * 5 - unknown
## * 6 - unknown
## * 7 - authentication failure (i.e. permission denied)
err: count;
## Rest of data
data: string &optional;
};
## NTP message as defined in :rfc:`5905`. Does include fields for mode 7,
## reserved for private use in :rfc:`5905`, but used in some implementation
## for commands such as "monlist".
type NTP::Message: record {
## The NTP version number (1, 2, 3, 4).
version: count;
## The NTP mode being used. Possible values are:
##
## * 1 - symmetric active
## * 2 - symmetric passive
## * 3 - client
## * 4 - server
## * 5 - broadcast
## * 6 - NTP control message
## * 7 - reserved for private use
mode: count;
## If mode 1-5, the standard fields for syncronization operations are
## here. See :rfc:`5905`
std_msg: NTP::StandardMessage &optional;
## If mode 6, the fields for control operations are here.
## See :rfc:`1119`
control_msg: NTP::ControlMessage &optional;
## If mode 7, the fields for extra operations are here.
## Note that this is not defined in any RFC
## and is implementation dependent. We used the official implementation
## from the `NTP official project <www.ntp.org>`_.
## A mode 7 packet is used exchanging data between an NTP server
## and a client for purposes other than time synchronization, e.g.
## monitoring, statistics gathering and configuration.
mode7_msg: NTP::Mode7Message &optional;
};
}
module Cluster;
export {
type Cluster::Pool: record {};
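Review bot: In the new NTP::StandardMessage record the continuation line of the `xmt_time` documentation uses a single `#` (`# for the NTP client.`), so Zeekygen will truncate that sentence after "departed"; it should read `## for the NTP client.`. While touching these comments: "syncronization" (in both the StandardMessage header and the `std_msg` field of NTP::Message) should be "synchronization", "requst" in Mode7Message should be "request", and the `kiss_code` comment cites :rfc:`1345` although kiss codes are defined in RFC 5905 §7.4, so that reference looks wrong and should be checked. The `www.ntp.org` links in the Mode7Message and `mode7_msg` comments lack a scheme and will not render as links.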


@ -56,6 +56,7 @@
@load base/protocols/modbus
@load base/protocols/mysql
@load base/protocols/ntlm
@load base/protocols/ntp
@load base/protocols/pop3
@load base/protocols/radius
@load base/protocols/rdp
@ -74,7 +75,6 @@
@load base/files/pe
@load base/files/hash
@load base/files/extract
@load base/files/unified2
@load base/files/x509
@load base/misc/find-checksum-offloading


@ -78,10 +78,10 @@ export {
## The format of the number is ABBCC with A being the major version,
## bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
## As an example, Zeek 2.4.1 results in the number 20401
const number = Version::parse(bro_version())$version_number;
const number = Version::parse(zeek_version())$version_number;
## `VersionDescription` record pertaining to the currently running version of Zeek.
const info = Version::parse(bro_version());
const info = Version::parse(zeek_version());
}
function at_least(version_string: string): bool


@ -141,7 +141,7 @@ function join_data_expiration(t: table[count] of Info, idx: count): interval
# Also, if Zeek is shutting down.
if ( (now - info$last_message_ts) > 5sec ||
(now - info$ts) > max_txid_watch_time ||
bro_is_terminating() )
zeek_is_terminating() )
{
Log::write(LOG, info);


@ -456,6 +456,21 @@ event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_v
hook DNS::do_reply(c, msg, ans, txt_strings);
}
event dns_SPF_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec) &priority=5
{
local spf_strings: string = "";
for ( i in strs )
{
if ( i > 0 )
spf_strings += " ";
spf_strings += fmt("SPF %d %s", |strs[i]|, strs[i]);
}
hook DNS::do_reply(c, msg, ans, spf_strings);
}
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
{
hook DNS::do_reply(c, msg, ans, fmt("%s", a));


@ -0,0 +1,2 @@
@load ./main
@load ./consts


@ -0,0 +1,15 @@
module NTP;
export {
## The descriptions of the NTP mode value, as described
## in :rfc:`5905`, Figure 1
const modes: table[count] of string = {
[1] = "symmetric active",
[2] = "symmetric passive",
[3] = "client",
[4] = "server",
[5] = "broadcast server",
[6] = "broadcast client",
[7] = "reserved",
} &default=function(i: count):string { return fmt("unknown-%d", i); } &redef;
}
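Review bot: The `modes` table labels mode 5 as "broadcast server" and mode 6 as "broadcast client", which are the association-mode names from RFC 5905 Figure 1, but this table is keyed by the packet `mode` field, for which the same figure gives "broadcast" and "NTP control message"; the rest of this change also treats mode 6 as a control message (NTP::Message populates `control_msg` for it). Suggest `[5] = "broadcast",` / `[6] = "NTP control message",` / `[7] = "reserved for private use",` so the labels match what the parser does with those values. The table is not referenced anywhere else in the visible change, so the mismatch would surface only once a consumer starts using it.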


@ -0,0 +1,107 @@
module NTP;
export {
redef enum Log::ID += { LOG };
type Info: record {
## Timestamp for when the event happened.
ts: time &log;
## Unique ID for the connection.
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
## The NTP version number (1, 2, 3, 4).
version: count &log;
## The NTP mode being used.
mode: count &log;
## The stratum (primary server, secondary server, etc.).
stratum: count &log;
## The maximum interval between successive messages.
poll: interval &log;
## The precision of the system clock.
precision: interval &log;
## Total round-trip delay to the reference clock.
root_delay: interval &log;
## Total dispersion to the reference clock.
root_disp: interval &log;
## For stratum 0, 4 character string used for debugging.
## For stratum 1, ID assigned to the reference clock by IANA.
## Above stratum 1, when using IPv4, the IP address of the reference
## clock. Note that the NTP protocol did not originally specify a
## large enough field to represent IPv6 addresses, so they use
## the first four bytes of the MD5 hash of the reference clock's
## IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
ref_id: string &log;
## Time when the system clock was last set or correct.
ref_time: time &log;
## Time at the client when the request departed for the NTP server.
org_time: time &log;
## Time at the server when the request arrived from the NTP client.
rec_time: time &log;
## Time at the server when the response departed for the NTP client.
xmt_time: time &log;
## Number of extension fields (which are not currently parsed).
num_exts: count &default=0 &log;
};
## Event that can be handled to access the NTP record as it is sent on
## to the logging framework.
global log_ntp: event(rec: Info);
}
redef record connection += {
ntp: Info &optional;
};
const ports = { 123/udp };
redef likely_server_ports += { ports };
event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
{
local info: Info;
info$ts = network_time();
info$uid = c$uid;
info$id = c$id;
info$version = msg$version;
info$mode = msg$mode;
if ( msg$mode < 6 )
{
info$stratum = msg$std_msg$stratum;
info$poll = msg$std_msg$poll;
info$precision = msg$std_msg$precision;
info$root_delay = msg$std_msg$root_delay;
info$root_disp = msg$std_msg$root_disp;
if ( msg$std_msg?$kiss_code )
info$ref_id = msg$std_msg$kiss_code;
else if ( msg$std_msg?$ref_id )
info$ref_id = msg$std_msg$ref_id;
else if ( msg$std_msg?$ref_addr )
info$ref_id= cat(msg$std_msg$ref_addr);
info$ref_time = msg$std_msg$ref_time;
info$org_time = msg$std_msg$org_time;
info$rec_time = msg$std_msg$rec_time;
info$xmt_time = msg$std_msg$xmt_time;
info$num_exts = msg$std_msg$num_exts;
}
# Copy the present packet info into the connection record
# If more ntp packets are sent on the same connection, the newest one
# will overwrite the previous
c$ntp = info;
}
event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=-5
{
if ( msg$mode < 6 )
Log::write(NTP::LOG, c$ntp);
}
event zeek_init() &priority=5
{
Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
}
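Review bot: Only modes 1–5 are ever logged: the `if ( msg$mode < 6 )` guard in both `ntp_message` handlers skips mode 6 (control) and mode 7 (implementation-specific) traffic entirely, even though NTP::Message carries `control_msg` and `mode7_msg` for them and those are the request types a defender most wants to see in ntp.log when investigating NTP abuse. Consider writing a record for them too — the `mode` column already distinguishes them and the std-message columns can stay unset — or at least state in the `Info` comment that the log covers synchronization messages only. Separately, `ref_id` is a non-optional `&log` field but stays unset when a message carries none of `kiss_code`, `ref_id` or `ref_addr`; if an empty column is the intended outcome, marking it `&optional` makes that explicit rather than relying on how the logging framework treats uninitialized fields.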


@ -24,9 +24,10 @@ export {
## and the network access server is not required to honor
## the address.
framed_addr : addr &log &optional;
## Remote IP address, if present. This is collected
## from the Tunnel-Client-Endpoint attribute.
remote_ip : addr &log &optional;
## Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel,
## if present. This is collected from the Tunnel-Client-Endpoint
## attribute.
tunnel_client: string &log &optional;
## Connect info, if present.
connect_info : string &log &optional;
## Reply message from the server challenge. This is
@ -85,8 +86,8 @@ event radius_message(c: connection, result: RADIUS::Message) &priority=5
c$radius$mac = normalize_mac(result$attributes[31][0]);
# Tunnel-Client-EndPoint (useful for VPNs)
if ( ! c$radius?$remote_ip && 66 in result$attributes )
c$radius$remote_ip = to_addr(result$attributes[66][0]);
if ( ! c$radius?$tunnel_client && 66 in result$attributes )
c$radius$tunnel_client = result$attributes[66][0];
# Connect-Info
if ( ! c$radius?$connect_info && 77 in result$attributes )
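Review bot: `tunnel_client` now stores attribute 66 verbatim, whereas the replaced `to_addr()` call at least rejected anything that was not an address; the new doc comment says the value may be an IPv4, IPv6 or FQDN, but readers of radius.log should also know it is peer-supplied data copied without validation. Suggest extending the field comment with `## The value is copied as-is from the attribute and is not validated.` so downstream tooling that previously relied on this column being a well-formed address is updated deliberately.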


@ -23,6 +23,8 @@ export {
result: string &log &optional;
## Security protocol chosen by the server.
security_protocol: string &log &optional;
## The channels requested by the client
client_channels: vector of string &log &optional;
## Keyboard layout (language) of the client machine.
keyboard_layout: string &log &optional;
@ -189,6 +191,21 @@ event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5
c$rdp$requested_color_depth = RDP::high_color_depths[data$high_color_depth];
}
event rdp_client_network_data(c: connection, channels: ClientChannelList)
{
set_session(c);
if ( ! c$rdp?$client_channels )
c$rdp$client_channels = vector();
for ( i in channels )
# Remove the NULs at the end
c$rdp$client_channels[i] = gsub(channels[i]$name, /\x00+$/, "");
if ( |channels| > 31 )
Reporter::conn_weird("RDP_channels_requested_exceeds_max", c, fmt("%s", |channels|));
}
event rdp_gcc_server_create_response(c: connection, result: count) &priority=5
{
set_session(c);
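Review bot: `rdp_client_network_data` creates `client_channels` only when it is absent and then assigns by index, so if the event fires a second time for the same connection with a shorter list, channel names from the earlier message survive past the new length; resetting unconditionally with `c$rdp$client_channels = vector();` avoids that, unless repeated delivery is impossible, which is not visible here. The `|channels| > 31` weird is raised only after every entry has already been stored, so the check is informational rather than a cap; a short comment saying so (`# Spec limit is 31; we record all of them and flag the excess`) would keep a later reader from assuming the list is truncated.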


@ -1,10 +1,9 @@
##! Implementation of catch-and-release functionality for NetControl.
module NetControl;
@load base/frameworks/netcontrol
@load base/frameworks/cluster
@load ./main
@load ./drop
module NetControl;
export {


@ -1,8 +1,9 @@
##! This script extends the built in notice code to implement the IP address
##! dropping functionality.
@load ../main
@load base/frameworks/notice/main
@load base/frameworks/netcontrol
@load policy/frameworks/netcontrol/catch-and-release
module Notice;


@ -99,7 +99,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
local fs = get_file_analysis_stats();
local ds = get_dns_stats();
if ( bro_is_terminating() )
if ( zeek_is_terminating() )
# No more stats will be written or scheduled when Zeek is
# shutting down.
return;


@ -17,7 +17,7 @@ export {
event TrimTraceFile::go(first_trim: bool)
{
if ( bro_is_terminating() || trace_output_file == "" )
if ( zeek_is_terminating() || trace_output_file == "" )
return;
if ( ! first_trim )


@ -36,7 +36,7 @@ export {
global host_store: Cluster::StoreInfo;
## The Broker topic name to use for :zeek:see:`Known::host_store`.
const host_store_name = "bro/known/hosts" &redef;
const host_store_name = "zeek/known/hosts" &redef;
## The expiry interval of new entries in :zeek:see:`Known::host_store`.
## This also changes the interval at which hosts get logged.


@ -48,7 +48,7 @@ export {
global service_store: Cluster::StoreInfo;
## The Broker topic name to use for :zeek:see:`Known::service_store`.
const service_store_name = "bro/known/services" &redef;
const service_store_name = "zeek/known/services" &redef;
## The expiry interval of new entries in :zeek:see:`Known::service_store`.
## This also changes the interval at which services get logged.


@ -48,7 +48,7 @@ export {
global cert_store: Cluster::StoreInfo;
## The Broker topic name to use for :zeek:see:`Known::cert_store`.
const cert_store_name = "bro/known/certs" &redef;
const cert_store_name = "zeek/known/certs" &redef;
## The expiry interval of new entries in :zeek:see:`Known::cert_store`.
## This also changes the interval at which certs get logged.


@ -31,12 +31,16 @@
@load frameworks/intel/seen/ssl.zeek
@load frameworks/intel/seen/where-locations.zeek
@load frameworks/intel/seen/x509.zeek
@load frameworks/netcontrol/catch-and-release.zeek
@load frameworks/files/detect-MHR.zeek
@load frameworks/files/entropy-test-all-files.zeek
#@load frameworks/files/extract-all-files.zeek
@load frameworks/files/hash-all-files.zeek
@load frameworks/notice/__load__.zeek
@load frameworks/notice/actions/drop.zeek
@load frameworks/notice/extend-email/hostnames.zeek
@load files/unified2/__load__.zeek
@load files/unified2/main.zeek
@load files/x509/log-ocsp.zeek
@load frameworks/packet-filter/shunt.zeek
@load frameworks/software/version-changes.zeek


@ -288,7 +288,7 @@ void BroString::ToUpper()
BroString* BroString::GetSubstring(int start, int len) const
{
// This code used to live in bro.bif's sub_bytes() routine.
// This code used to live in zeek.bif's sub_bytes() routine.
if ( start < 0 || start > n )
return 0;


@ -17,7 +17,8 @@ Brofiler::~Brofiler()
bool Brofiler::ReadStats()
{
char* bf = getenv("BRO_PROFILER_FILE");
char* bf = zeekenv("ZEEK_PROFILER_FILE");
if ( ! bf )
return false;
@ -47,14 +48,16 @@ bool Brofiler::ReadStats()
bool Brofiler::WriteStats()
{
char* bf = getenv("BRO_PROFILER_FILE");
if ( ! bf ) return false;
char* bf = zeekenv("ZEEK_PROFILER_FILE");
if ( ! bf )
return false;
SafeDirname dirname{bf};
if ( ! ensure_intermediate_dirs(dirname.result.data()) )
{
reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing", bf);
reporter->Error("Failed to open ZEEK_PROFILER_FILE destination '%s' for writing", bf);
return false;
}
@ -69,7 +72,7 @@ bool Brofiler::WriteStats()
if ( fd == -1 )
{
reporter->Error("Failed to generate unique file name from BRO_PROFILER_FILE: %s", bf);
reporter->Error("Failed to generate unique file name from ZEEK_PROFILER_FILE: %s", bf);
return false;
}
f = fdopen(fd, "w");
@ -81,7 +84,7 @@ bool Brofiler::WriteStats()
if ( ! f )
{
reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing", bf);
reporter->Error("Failed to open ZEEK_PROFILER_FILE destination '%s' for writing", bf);
return false;
}
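Review bot: The error messages in WriteStats now name only ZEEK_PROFILER_FILE, yet the value comes from `zeekenv(...)`; if that helper also honours the legacy BRO_PROFILER_FILE name (its implementation is not in this change), a user who set the old variable gets a diagnostic pointing at one they never set. Having the message quote the variable that was actually resolved, or documenting the fallback next to the ReadStats/WriteStats comments in Brofiler.h, would avoid that. `bf` could also be declared `const char*` in both functions since it is only read.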


@ -17,7 +17,7 @@ public:
/**
* Imports Bro script Stmt usage information from file pointed to by
* environment variable BRO_PROFILER_FILE.
* environment variable ZEEK_PROFILER_FILE.
*
* @return: true if usage info was read, otherwise false.
*/
@ -26,7 +26,7 @@ public:
/**
* Combines usage stats from current run with any read from ReadStats(),
* then writes information to file pointed to by environment variable
* BRO_PROFILER_FILE. If the value of that env. variable ends with
* ZEEK_PROFILER_FILE. If the value of that env. variable ends with
* ".XXXXXX" (exactly 6 X's), then it is first passed through mkstemp
* to get a unique file.
*


@ -103,7 +103,7 @@ set_property(SOURCE scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "-Wno-sign-comp
include(BifCl)
set(BIF_SRCS
bro.bif
zeek.bif
stats.bif
event.bif
const.bif
@ -415,7 +415,7 @@ install(CODE "
")
install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/
DESTINATION include/bro
DESTINATION include/zeek
FILES_MATCHING
PATTERN "*.h"
PATTERN "*.pac"
@ -423,7 +423,7 @@ install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/
)
install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/
DESTINATION include/bro
DESTINATION include/zeek
FILES_MATCHING
PATTERN "*.bif.func_h"
PATTERN "*.bif.netvar_h"
@ -432,5 +432,5 @@ install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/
)
install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sqlite3.h
DESTINATION include/bro/3rdparty
DESTINATION include/zeek/3rdparty
)


@ -414,7 +414,7 @@ void DNS_Mgr::Init()
// script-layer option to configure the DNS resolver as it may not be
// configured to the user's desired address at the time when we need to to
// the lookup.
auto dns_resolver = getenv("ZEEK_DNS_RESOLVER");
auto dns_resolver = zeekenv("ZEEK_DNS_RESOLVER");
auto dns_resolver_addr = dns_resolver ? IPAddr(dns_resolver) : IPAddr();
char err[NB_DNS_ERRSIZE];


@ -2110,7 +2110,6 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
if ( bt1 == TYPE_TABLE && op2->Tag() == EXPR_LIST )
{
attr_list* attr_copy = 0;
if ( attrs )
{
attr_copy = new attr_list(attrs->length());
@ -2118,11 +2117,23 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
attr_copy->append((*attrs)[i]);
}
bool empty_list_assignment = (op2->AsListExpr()->Exprs().length() == 0);
if ( op1->Type()->IsSet() )
op2 = new SetConstructorExpr(op2->AsListExpr(), attr_copy);
else
op2 = new TableConstructorExpr(op2->AsListExpr(), attr_copy);
if ( ! empty_list_assignment && ! same_type(op1->Type(), op2->Type()) )
{
if ( op1->Type()->IsSet() )
ExprError("set type mismatch in assignment");
else
ExprError("table type mismatch in assignment");
return false;
}
return true;
}
@ -2136,7 +2147,7 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
if ( op2->Tag() == EXPR_LIST )
{
op2 = new VectorConstructorExpr(op2->AsListExpr());
op2 = new VectorConstructorExpr(op2->AsListExpr(), op1->Type());
return true;
}
}
@ -3520,15 +3531,41 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
if ( ! same_type(sup_t_i, sub_t_i) )
{
if ( sup_t_i->Tag() != TYPE_RECORD ||
sub_t_i->Tag() != TYPE_RECORD ||
! record_promotion_compatible(sup_t_i->AsRecordType(),
sub_t_i->AsRecordType()) )
auto is_arithmetic_promotable = [](BroType* sup, BroType* sub) -> bool
{
char buf[512];
safe_snprintf(buf, sizeof(buf),
auto sup_tag = sup->Tag();
auto sub_tag = sub->Tag();
if ( ! BothArithmetic(sup_tag, sub_tag) )
return false;
if ( sub_tag == TYPE_DOUBLE && IsIntegral(sup_tag) )
return false;
if ( sub_tag == TYPE_INT && sup_tag == TYPE_COUNT )
return false;
return true;
};
auto is_record_promotable = [](BroType* sup, BroType* sub) -> bool
{
if ( sup->Tag() != TYPE_RECORD )
return false;
if ( sub->Tag() != TYPE_RECORD )
return false;
return record_promotion_compatible(sup->AsRecordType(),
sub->AsRecordType());
};
if ( ! is_arithmetic_promotable(sup_t_i, sub_t_i) &&
! is_record_promotable(sup_t_i, sub_t_i) )
{
string error_msg = fmt(
"type clash for field \"%s\"", sub_r->FieldName(i));
Error(buf, sub_t_i);
Error(error_msg.c_str(), sub_t_i);
SetError();
break;
}
@ -3546,11 +3583,9 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
{
if ( ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
{
char buf[512];
safe_snprintf(buf, sizeof(buf),
"non-optional field \"%s\" missing",
t_r->FieldName(i));
Error(buf);
string error_msg = fmt(
"non-optional field \"%s\" missing", t_r->FieldName(i));
Error(error_msg.c_str());
SetError();
break;
}
@ -3638,6 +3673,20 @@ Val* RecordCoerceExpr::Fold(Val* v) const
rhs = new_val;
}
}
else if ( BothArithmetic(rhs_type->Tag(), field_type->Tag()) &&
! same_type(rhs_type, field_type) )
{
if ( Val* new_val = check_and_promote(rhs, field_type, false, op->GetLocationInfo()) )
{
// Don't call unref here on rhs because check_and_promote already called it.
rhs = new_val;
}
else
{
Unref(val);
RuntimeError("Failed type conversion");
}
}
val->Assign(i, rhs);
}
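Review bot: The error path at the end of RecordCoerceExpr::Fold (last hunk) calls `Unref(val)` and then `RuntimeError("Failed type conversion")` with nothing after it, so it is only correct if RuntimeError never returns; that appears to be the case but is not visible here, and if it ever did return the code would fall through to `val->Assign(i, rhs)` with val released and rhs already Unref'd by check_and_promote. A one-line comment would make the contract explicit: `// RuntimeError() does not return; val is released and rhs was already Unref'd by check_and_promote().` The type error that check_and_promote reports appears to carry the field's location via op->GetLocationInfo(), so the generic message here is acceptable. Fold's body starts and ends outside the hunk.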


@ -627,13 +627,13 @@ void builtin_error(const char* msg, BroObj* arg)
emit(last_call.call);
}
#include "bro.bif.func_h"
#include "zeek.bif.func_h"
#include "stats.bif.func_h"
#include "reporter.bif.func_h"
#include "strings.bif.func_h"
#include "option.bif.func_h"
#include "bro.bif.func_def"
#include "zeek.bif.func_def"
#include "stats.bif.func_def"
#include "reporter.bif.func_def"
#include "strings.bif.func_def"
@ -660,7 +660,7 @@ void init_builtin_funcs()
var_sizes = internal_type("var_sizes")->AsTableType();
#include "bro.bif.func_init"
#include "zeek.bif.func_init"
#include "stats.bif.func_init"
#include "reporter.bif.func_init"
#include "strings.bif.func_init"


@ -77,7 +77,6 @@ bool udp_content_deliver_all_orig;
bool udp_content_deliver_all_resp;
double dns_session_timeout;
double ntp_session_timeout;
double rpc_timeout;
ListVal* skip_authentication;
@ -103,8 +102,6 @@ TableType* pm_mappings;
RecordType* pm_port_request;
RecordType* pm_callit_request;
RecordType* ntp_msg;
RecordType* geo_location;
RecordType* entropy_test_result;
@ -360,7 +357,6 @@ void init_net_var()
bool(internal_val("udp_content_deliver_all_resp")->AsBool());
dns_session_timeout = opt_internal_double("dns_session_timeout");
ntp_session_timeout = opt_internal_double("ntp_session_timeout");
rpc_timeout = opt_internal_double("rpc_timeout");
watchdog_interval = int(opt_internal_double("watchdog_interval"));
@ -390,8 +386,6 @@ void init_net_var()
pm_port_request = internal_type("pm_port_request")->AsRecordType();
pm_callit_request = internal_type("pm_callit_request")->AsRecordType();
ntp_msg = internal_type("ntp_msg")->AsRecordType();
geo_location = internal_type("geo_location")->AsRecordType();
entropy_test_result = internal_type("entropy_test_result")->AsRecordType();


@ -80,7 +80,6 @@ extern bool udp_content_deliver_all_orig;
extern bool udp_content_deliver_all_resp;
extern double dns_session_timeout;
extern double ntp_session_timeout;
extern double rpc_timeout;
extern ListVal* skip_authentication;
@ -106,8 +105,6 @@ extern TableType* pm_mappings;
extern RecordType* pm_port_request;
extern RecordType* pm_callit_request;
extern RecordType* ntp_msg;
extern RecordType* geo_location;
extern RecordType* entropy_test_result;


@ -58,21 +58,21 @@ BroObj::~BroObj()
delete location;
}
void BroObj::Warn(const char* msg, const BroObj* obj2, int pinpoint_only) const
void BroObj::Warn(const char* msg, const BroObj* obj2, int pinpoint_only, const Location* expr_location) const
{
ODesc d;
DoMsg(&d, msg, obj2, pinpoint_only);
DoMsg(&d, msg, obj2, pinpoint_only, expr_location);
reporter->Warning("%s", d.Description());
reporter->PopLocation();
}
void BroObj::Error(const char* msg, const BroObj* obj2, int pinpoint_only) const
void BroObj::Error(const char* msg, const BroObj* obj2, int pinpoint_only, const Location* expr_location) const
{
if ( suppress_errors )
return;
ODesc d;
DoMsg(&d, msg, obj2, pinpoint_only);
DoMsg(&d, msg, obj2, pinpoint_only, expr_location);
reporter->Error("%s", d.Description());
reporter->PopLocation();
}
@ -158,7 +158,7 @@ void BroObj::UpdateLocationEndInfo(const Location& end)
}
void BroObj::DoMsg(ODesc* d, const char s1[], const BroObj* obj2,
int pinpoint_only) const
int pinpoint_only, const Location* expr_location) const
{
d->SetShort();
@ -169,6 +169,8 @@ void BroObj::DoMsg(ODesc* d, const char s1[], const BroObj* obj2,
if ( obj2 && obj2->GetLocationInfo() != &no_location &&
*obj2->GetLocationInfo() != *GetLocationInfo() )
loc2 = obj2->GetLocationInfo();
else if ( expr_location )
loc2 = expr_location;
reporter->PushLocation(GetLocationInfo(), loc2);
}


@ -109,9 +109,9 @@ public:
// included in the message, though if pinpoint_only is non-zero,
// then obj2 is only used to pinpoint the location.
void Warn(const char* msg, const BroObj* obj2 = 0,
int pinpoint_only = 0) const;
int pinpoint_only = 0, const Location* expr_location = 0) const;
void Error(const char* msg, const BroObj* obj2 = 0,
int pinpoint_only = 0) const;
int pinpoint_only = 0, const Location* expr_location = 0) const;
// Report internal errors.
void BadTag(const char* msg, const char* t1 = 0,
@ -165,7 +165,7 @@ private:
friend class SuppressErrors;
void DoMsg(ODesc* d, const char s1[], const BroObj* obj2 = 0,
int pinpoint_only = 0) const;
int pinpoint_only = 0, const Location* expr_location = 0) const;
void PinPoint(ODesc* d, const BroObj* obj2 = 0,
int pinpoint_only = 0) const;
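Review bot: The comment block above Warn/Error (first hunk, the lines describing obj2 and pinpoint_only) does not mention the new expr_location parameter, which DoMsg uses as the secondary location only when obj2 does not supply a usable one. Add `// expr_location, if given, is used as the secondary location when obj2 has none.` to that block. The new defaults also spell a null pointer as `= 0` while the matching check_and_promote declaration in Val.h uses `= nullptr`; pick one spelling, preferably `nullptr`.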


@ -223,7 +223,7 @@ Val* MD5Val::DoClone(CloneState* state)
EVP_MD_CTX_copy_ex(out->ctx, ctx);
}
return out;
return state->NewClone(this, out);
}
void MD5Val::digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH])
@ -375,7 +375,7 @@ Val* SHA1Val::DoClone(CloneState* state)
EVP_MD_CTX_copy_ex(out->ctx, ctx);
}
return out;
return state->NewClone(this, out);
}
void SHA1Val::digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH])
@ -519,7 +519,7 @@ Val* SHA256Val::DoClone(CloneState* state)
EVP_MD_CTX_copy_ex(out->ctx, ctx);
}
return out;
return state->NewClone(this, out);
}
void SHA256Val::digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH])
@ -776,10 +776,10 @@ Val* BloomFilterVal::DoClone(CloneState* state)
{
auto bf = new BloomFilterVal(bloom_filter->Clone());
bf->Typify(type);
return bf;
return state->NewClone(this, bf);
}
return new BloomFilterVal();
return state->NewClone(this, new BloomFilterVal());
}
bool BloomFilterVal::Typify(BroType* arg_type)
@ -948,7 +948,8 @@ CardinalityVal::~CardinalityVal()
Val* CardinalityVal::DoClone(CloneState* state)
{
return new CardinalityVal(new probabilistic::CardinalityCounter(*c));
return state->NewClone(this,
new CardinalityVal(new probabilistic::CardinalityCounter(*c)));
}
bool CardinalityVal::Typify(BroType* arg_type)


@ -1672,6 +1672,10 @@ int is_assignable(BroType* t)
return 0;
}
#define CHECK_TYPE(t) \
if ( t1 == t || t2 == t ) \
return t;
TypeTag max_type(TypeTag t1, TypeTag t2)
{
if ( t1 == TYPE_INTERVAL || t1 == TYPE_TIME )
@ -1681,10 +1685,6 @@ TypeTag max_type(TypeTag t1, TypeTag t2)
if ( BothArithmetic(t1, t2) )
{
#define CHECK_TYPE(t) \
if ( t1 == t || t2 == t ) \
return t;
CHECK_TYPE(TYPE_DOUBLE);
CHECK_TYPE(TYPE_INT);
CHECK_TYPE(TYPE_COUNT);
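Review bot: CHECK_TYPE is now defined at file scope in Type.cc and is never `#undef`'d, so it stays visible to everything compiled after max_type while silently depending on locals named t1 and t2. Moving it out of the function body does not change macro visibility (macros are not scoped), so the hoist is harmless, but it is a good moment to add `#undef CHECK_TYPE` right after max_type's closing brace so later code in the translation unit cannot pick it up. The rest of max_type is outside the hunk.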


@ -89,8 +89,6 @@ Val* Val::Clone(CloneState* state)
auto c = DoClone(state);
assert(c);
state->clones.insert(std::make_pair(this, c));
return c;
}
@ -353,6 +351,35 @@ void Val::ValDescribeReST(ODesc* d) const
}
}
bool Val::WouldOverflow(const BroType* from_type, const BroType* to_type, const Val* val)
{
if ( !to_type || !from_type )
return true;
else if ( same_type(to_type, from_type) )
return false;
if ( to_type->InternalType() == TYPE_INTERNAL_DOUBLE )
return false;
else if ( to_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
{
if ( from_type->InternalType() == TYPE_INTERNAL_DOUBLE )
return (val->InternalDouble() < 0.0 || val->InternalDouble() > static_cast<double>(UINT64_MAX));
else if ( from_type->InternalType() == TYPE_INTERNAL_INT )
return (val->InternalInt() < 0);
}
else if ( to_type->InternalType() == TYPE_INTERNAL_INT )
{
if ( from_type->InternalType() == TYPE_INTERNAL_DOUBLE )
return (val->InternalDouble() < static_cast<double>(INT64_MIN) ||
val->InternalDouble() > static_cast<double>(INT64_MAX));
else if ( from_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
return (val->InternalUnsigned() > INT64_MAX);
}
return false;
}
MutableVal::~MutableVal()
{
for ( list<ID*>::iterator i = aliases.begin(); i != aliases.end(); ++i )
@ -831,8 +858,12 @@ unsigned int StringVal::MemoryAllocation() const
Val* StringVal::DoClone(CloneState* state)
{
return new StringVal(new BroString((u_char*) val.string_val->Bytes(),
val.string_val->Len(), 1));
// We could likely treat this type as immutable and return a reference
// instead of creating a new copy, but we first need to be careful and
// audit whether anything internal actually does mutate it.
return state->NewClone(this, new StringVal(
new BroString((u_char*) val.string_val->Bytes(),
val.string_val->Len(), 1)));
}
PatternVal::PatternVal(RE_Matcher* re) : Val(base_type(TYPE_PATTERN))
@ -885,10 +916,13 @@ unsigned int PatternVal::MemoryAllocation() const
Val* PatternVal::DoClone(CloneState* state)
{
// We could likely treat this type as immutable and return a reference
// instead of creating a new copy, but we first need to be careful and
// audit whether anything internal actually does mutate it.
auto re = new RE_Matcher(val.re_val->PatternText(),
val.re_val->AnywherePatternText());
re->Compile();
return new PatternVal(re);
return state->NewClone(this, new PatternVal(re));
}
ListVal::ListVal(TypeTag t)
@ -977,6 +1011,7 @@ Val* ListVal::DoClone(CloneState* state)
{
auto lv = new ListVal(tag);
lv->vals.resize(vals.length());
state->NewClone(this, lv);
loop_over_list(vals, i)
lv->Append(vals[i]->Clone(state));
@ -2137,6 +2172,7 @@ void TableVal::ReadOperation(Val* index, TableEntryVal* v)
Val* TableVal::DoClone(CloneState* state)
{
auto tv = new TableVal(table_type);
state->NewClone(this, tv);
const PDict(TableEntryVal)* tbl = AsTable();
IterCookie* cookie = tbl->InitForIteration();
@ -2249,10 +2285,15 @@ vector<RecordVal*> RecordVal::parse_time_records;
RecordVal::RecordVal(RecordType* t, bool init_fields) : MutableVal(t)
{
origin = 0;
record_type = t;
int n = record_type->NumFields();
int n = t->NumFields();
val_list* vl = val.val_list_val = new val_list(n);
if ( is_parsing )
{
parse_time_records.emplace_back(this);
Ref();
}
if ( ! init_fields )
return;
@ -2260,10 +2301,10 @@ RecordVal::RecordVal(RecordType* t, bool init_fields) : MutableVal(t)
// by default).
for ( int i = 0; i < n; ++i )
{
Attributes* a = record_type->FieldDecl(i)->attrs;
Attributes* a = t->FieldDecl(i)->attrs;
Attr* def_attr = a ? a->FindAttr(ATTR_DEFAULT) : 0;
Val* def = def_attr ? def_attr->AttrExpr()->Eval(0) : 0;
BroType* type = record_type->FieldDecl(i)->type;
BroType* type = t->FieldDecl(i)->type;
if ( def && type->Tag() == TYPE_RECORD &&
def->Type()->Tag() == TYPE_RECORD &&
@ -2294,12 +2335,6 @@ RecordVal::RecordVal(RecordType* t, bool init_fields) : MutableVal(t)
vl->append(def ? def->Ref() : 0);
Unref(def);
if ( is_parsing )
{
parse_time_records.emplace_back(this);
Ref();
}
}
}
@ -2340,7 +2375,7 @@ Val* RecordVal::LookupWithDefault(int field) const
if ( val )
return val->Ref();
return record_type->FieldDefault(field);
return Type()->AsRecordType()->FieldDefault(field);
}
void RecordVal::ResizeParseTimeRecords()
@ -2348,7 +2383,7 @@ void RecordVal::ResizeParseTimeRecords()
for ( auto& rv : parse_time_records )
{
auto vs = rv->val.val_list_val;
auto rt = rv->record_type;
auto rt = rv->Type()->AsRecordType();
auto current_length = vs->length();
auto required_length = rt->NumFields();
@ -2368,7 +2403,7 @@ void RecordVal::ResizeParseTimeRecords()
Val* RecordVal::Lookup(const char* field, bool with_default) const
{
int idx = record_type->FieldOffset(field);
int idx = Type()->AsRecordType()->FieldOffset(field);
if ( idx < 0 )
reporter->InternalError("missing record field: %s", field);
@ -2453,6 +2488,7 @@ void RecordVal::Describe(ODesc* d) const
{
const val_list* vl = AsRecord();
int n = vl->length();
auto record_type = Type()->AsRecordType();
if ( d->IsBinary() || d->IsPortable() )
{
@ -2489,6 +2525,7 @@ void RecordVal::DescribeReST(ODesc* d) const
{
const val_list* vl = AsRecord();
int n = vl->length();
auto record_type = Type()->AsRecordType();
d->Add("{");
d->PushIndent();
@ -2520,8 +2557,9 @@ Val* RecordVal::DoClone(CloneState* state)
// record. As we cannot guarantee that it will ber zeroed out at the
// approproate time (as it seems to be guaranteed for the original record)
// we don't touch it.
auto rv = new RecordVal(record_type, false);
auto rv = new RecordVal(Type()->AsRecordType(), false);
rv->origin = nullptr;
state->NewClone(this, rv);
loop_over_list(*val.val_list_val, i)
{
@ -2750,6 +2788,7 @@ Val* VectorVal::DoClone(CloneState* state)
{
auto vv = new VectorVal(vector_type);
vv->val.vector_val->reserve(val.vector_val->size());
state->NewClone(this, vv);
for ( unsigned int i = 0; i < val.vector_val->size(); ++i )
{
@ -2779,7 +2818,7 @@ void VectorVal::ValDescribe(ODesc* d) const
d->Add("]");
}
Val* check_and_promote(Val* v, const BroType* t, int is_init)
Val* check_and_promote(Val* v, const BroType* t, int is_init, const Location* expr_location)
{
if ( ! v )
return 0;
@ -2803,7 +2842,7 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
if ( same_type(t, vt, is_init) )
return v;
t->Error("type clash", v);
t->Error("type clash", v, 0, expr_location);
Unref(v);
return 0;
}
@ -2812,9 +2851,9 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
(! IsArithmetic(v_tag) || t_tag != TYPE_TIME || ! v->IsZero()) )
{
if ( t_tag == TYPE_LIST || v_tag == TYPE_LIST )
t->Error("list mixed with scalar", v);
t->Error("list mixed with scalar", v, 0, expr_location);
else
t->Error("arithmetic mixed with non-arithmetic", v);
t->Error("arithmetic mixed with non-arithmetic", v, 0, expr_location);
Unref(v);
return 0;
}
@ -2822,12 +2861,12 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
if ( v_tag == t_tag )
return v;
if ( t_tag != TYPE_TIME )
if ( t_tag != TYPE_TIME && ! BothArithmetic(t_tag, v_tag) )
{
TypeTag mt = max_type(t_tag, v_tag);
if ( mt != t_tag )
{
t->Error("over-promotion of arithmetic value", v);
t->Error("over-promotion of arithmetic value", v, 0, expr_location);
Unref(v);
return 0;
}
@ -2844,7 +2883,13 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
Val* promoted_v;
switch ( it ) {
case TYPE_INTERNAL_INT:
if ( t_tag == TYPE_INT )
if ( ( vit == TYPE_INTERNAL_UNSIGNED || vit == TYPE_INTERNAL_DOUBLE ) && Val::WouldOverflow(vt, t, v) )
{
t->Error("overflow promoting from unsigned/double to signed arithmetic value", v, 0, expr_location);
Unref(v);
return 0;
}
else if ( t_tag == TYPE_INT )
promoted_v = val_mgr->GetInt(v->CoerceToInt());
else if ( t_tag == TYPE_BOOL )
promoted_v = val_mgr->GetBool(v->CoerceToInt());
@ -2858,7 +2903,13 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
break;
case TYPE_INTERNAL_UNSIGNED:
if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
if ( ( vit == TYPE_INTERNAL_DOUBLE || vit == TYPE_INTERNAL_INT) && Val::WouldOverflow(vt, t, v) )
{
t->Error("overflow promoting from signed/double to unsigned arithmetic value", v, 0, expr_location);
Unref(v);
return 0;
}
else if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
promoted_v = val_mgr->GetCount(v->CoerceToUnsigned());
else // port
{
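Review bot: Val::WouldOverflow (second hunk) lets a double that is exactly 2^64 or 2^63 through: `static_cast<double>(UINT64_MAX)` and `static_cast<double>(INT64_MAX)` both round up to the next power of two, so the strict `>` comparisons accept a value that then overflows in the conversion, which is undefined behavior in C++; NaN also compares false against every bound and is accepted. Use `>=` on both upper bounds and reject NaN, as below (std::isnan needs <cmath>, which I cannot confirm is already included in Val.cc). The check_and_promote hunks that call it are otherwise consistent with the surrounding branches, since they Unref v and return 0 on the error path.
```cpp
bool Val::WouldOverflow(const BroType* from_type, const BroType* to_type, const Val* val)
	{
	// … unchanged: null / same_type / double-target checks …
	else if ( to_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
		{
		if ( from_type->InternalType() == TYPE_INTERNAL_DOUBLE )
			{
			double d = val->InternalDouble();
			// static_cast<double>(UINT64_MAX) rounds up to 2^64, which is itself
			// out of range; NaN compares false against everything, so reject it too.
			return std::isnan(d) || d < 0.0 || d >= static_cast<double>(UINT64_MAX);
			}
		else if ( from_type->InternalType() == TYPE_INTERNAL_INT )
			return (val->InternalInt() < 0);
		}
	else if ( to_type->InternalType() == TYPE_INTERNAL_INT )
		{
		if ( from_type->InternalType() == TYPE_INTERNAL_DOUBLE )
			{
			double d = val->InternalDouble();
			// static_cast<double>(INT64_MAX) rounds up to 2^63, which is out of range.
			return std::isnan(d) || d < static_cast<double>(INT64_MIN) ||
			       d >= static_cast<double>(INT64_MAX);
			}
		else if ( from_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
			return (val->InternalUnsigned() > INT64_MAX);
		}
	// … unchanged: final return false …
```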


@ -91,7 +91,7 @@ typedef union {
class Val : public BroObj {
public:
BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
Val(bool b, TypeTag t)
{
val.int_val = b;
@ -101,7 +101,7 @@ public:
#endif
}
BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
Val(int32 i, TypeTag t)
{
val.int_val = bro_int_t(i);
@ -111,7 +111,7 @@ public:
#endif
}
BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
Val(uint32 u, TypeTag t)
{
val.uint_val = bro_uint_t(u);
@ -121,7 +121,7 @@ public:
#endif
}
BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
Val(int64 i, TypeTag t)
{
val.int_val = i;
@ -131,7 +131,7 @@ public:
#endif
}
BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
Val(uint64 u, TypeTag t)
{
val.uint_val = u;
@ -365,6 +365,8 @@ public:
}
#endif
static bool WouldOverflow(const BroType* from_type, const BroType* to_type, const Val* val);
protected:
friend class EnumType;
@ -418,7 +420,16 @@ protected:
// For internal use by the Val::Clone() methods.
struct CloneState {
std::unordered_map<const Val*, Val*> clones;
// Caches a cloned value for later reuse during the same
// cloning operation. For recursive types, call this *before*
// descending down.
Val* NewClone(Val *src, Val* dst)
{
clones.insert(std::make_pair(src, dst));
return dst;
}
std::unordered_map<Val*, Val*> clones;
};
Val* Clone(CloneState* state);
@ -437,15 +448,15 @@ protected:
class PortManager {
public:
// Port number given in host order.
BRO_DEPRECATED("use val_mgr->GetPort() instead")
ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
PortVal* Get(uint32 port_num, TransportProto port_type) const;
// Host-order port number already masked with port space protocol mask.
BRO_DEPRECATED("use val_mgr->GetPort() instead")
ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
PortVal* Get(uint32 port_num) const;
// Returns a masked port number
BRO_DEPRECATED("use PortVal::Mask() instead")
ZEEK_DEPRECATED("use PortVal::Mask() instead")
uint32 Mask(uint32 port_num, TransportProto port_type) const;
};
@ -590,11 +601,11 @@ protected:
class PortVal : public Val {
public:
// Port number given in host order.
BRO_DEPRECATED("use val_mgr->GetPort() instead")
ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
PortVal(uint32 p, TransportProto port_type);
// Host-order port number already masked with port space protocol mask.
BRO_DEPRECATED("use val_mgr->GetPort() instead")
ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
explicit PortVal(uint32 p);
Val* SizeVal() const override { return val_mgr->GetInt(val.uint_val); }
@ -1012,7 +1023,7 @@ public:
~RecordVal() override;
Val* SizeVal() const override
{ return val_mgr->GetCount(record_type->NumFields()); }
{ return val_mgr->GetCount(Type()->AsRecordType()->NumFields()); }
void Assign(int field, Val* new_val, Opcode op = OP_ASSIGN);
Val* Lookup(int field) const; // Does not Ref() value.
@ -1076,7 +1087,7 @@ protected:
class EnumVal : public Val {
public:
BRO_DEPRECATED("use t->GetVal(i) instead")
ZEEK_DEPRECATED("use t->GetVal(i) instead")
EnumVal(int i, EnumType* t) : Val(t)
{
val.int_val = i;
@ -1165,7 +1176,7 @@ protected:
// Unref()'ing the original. If not a match, generates an error message
// and returns nil, also Unref()'ing v. If is_init is true, then
// the checking is done in the context of an initialization.
extern Val* check_and_promote(Val* v, const BroType* t, int is_init);
extern Val* check_and_promote(Val* v, const BroType* t, int is_init, const Location* expr_location = nullptr);
// Given a pointer to where a Val's core (i.e., its BRO value) resides,
// returns a corresponding newly-created or Ref()'d Val. ptr must already
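Review bot: The new static `Val::WouldOverflow` declaration (the hunk after the deprecated constructors) has no comment, while the neighbouring declarations in this header are documented. Add above it: `// Returns true if converting val from from_type to to_type would leave to_type's representable range; also true if either type is null.` In the CloneState hunk the signature writes `Val *src` where the rest of the file uses `Val* src`; the comment about calling NewClone before descending into recursive types is useful and matches the ListVal/TableVal/RecordVal/VectorVal changes in Val.cc.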


@ -679,6 +679,9 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
{
if ( ! protocol_violation )
return;
StringVal* r;
if ( data && len )
@ -692,9 +695,6 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
else
r = new StringVal(reason);
if ( ! protocol_violation )
return;
EnumVal* tval = tag.AsEnumVal();
Ref(tval);


@ -36,9 +36,9 @@ add_subdirectory(rdp)
add_subdirectory(rfb)
add_subdirectory(rpc)
add_subdirectory(sip)
add_subdirectory(snmp)
add_subdirectory(smb)
add_subdirectory(smtp)
add_subdirectory(snmp)
add_subdirectory(socks)
add_subdirectory(ssh)
add_subdirectory(ssl)


@ -4,12 +4,12 @@
# it's also parsing a protocol just like them. The current structure
# is merely a left-over from when this code was written.
include(BroPlugin)
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro ARP)
bro_plugin_cc(ARP.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()
zeek_plugin_begin(Zeek ARP)
zeek_plugin_cc(ARP.cc Plugin.cc)
zeek_plugin_bif(events.bif)
zeek_plugin_end()


@ -4,14 +4,14 @@
#include "plugin/Plugin.h"
namespace plugin {
namespace Bro_ARP {
namespace Zeek_ARP {
class Plugin : public plugin::Plugin {
public:
plugin::Configuration Configure()
{
plugin::Configuration config;
config.name = "Bro::ARP";
config.name = "Zeek::ARP";
config.description = "ARP Parsing";
return config;
}


@ -40,7 +40,7 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
TPA: addr, THA: string%);
## Generated for ARP packets that Bro cannot interpret. Examples are packets
## Generated for ARP packets that Zeek cannot interpret. Examples are packets
## with non-standard hardware address formats or hardware addresses that do not
## match the originator of the packet.
##
@ -56,8 +56,8 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
##
## .. zeek:see:: arp_reply arp_request
##
## .. todo:: Bro's current default configuration does not activate the protocol
## .. todo:: Zeek's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to
## been ported. To still enable this event, one needs to
## register a port for it or add a DPD payload signature.
event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);


@ -1,9 +1,9 @@
include(BroPlugin)
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro AYIYA)
bro_plugin_cc(AYIYA.cc Plugin.cc)
bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
bro_plugin_end()
zeek_plugin_begin(Zeek AYIYA)
zeek_plugin_cc(AYIYA.cc Plugin.cc)
zeek_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
zeek_plugin_end()


@ -6,7 +6,7 @@
#include "AYIYA.h"
namespace plugin {
namespace Bro_AYIYA {
namespace Zeek_AYIYA {
class Plugin : public plugin::Plugin {
public:
@ -15,7 +15,7 @@ public:
AddComponent(new ::analyzer::Component("AYIYA", ::analyzer::ayiya::AYIYA_Analyzer::Instantiate));
plugin::Configuration config;
config.name = "Bro::AYIYA";
config.name = "Zeek::AYIYA";
config.description = "AYIYA Analyzer";
return config;
}


@ -1,9 +1,9 @@
include(BroPlugin)
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro BackDoor)
bro_plugin_cc(BackDoor.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()
zeek_plugin_begin(Zeek BackDoor)
zeek_plugin_cc(BackDoor.cc Plugin.cc)
zeek_plugin_bif(events.bif)
zeek_plugin_end()


@ -6,7 +6,7 @@
#include "BackDoor.h"
namespace plugin {
namespace Bro_BackDoor {
namespace Zeek_BackDoor {
class Plugin : public plugin::Plugin {
public:
@ -15,7 +15,7 @@ public:
AddComponent(new ::analyzer::Component("BackDoor", ::analyzer::backdoor::BackDoor_Analyzer::Instantiate));
plugin::Configuration config;
config.name = "Bro::BackDoor";
config.name = "Zeek::BackDoor";
config.description = "Backdoor Analyzer deprecated";
return config;
}


@ -1,10 +1,10 @@
include(BroPlugin)
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro BitTorrent)
bro_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac)
bro_plugin_end()
zeek_plugin_begin(Zeek BitTorrent)
zeek_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc)
zeek_plugin_bif(events.bif)
zeek_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac)
zeek_plugin_end()


@ -7,7 +7,7 @@
#include "BitTorrentTracker.h"
namespace plugin {
namespace Bro_BitTorrent {
namespace Zeek_BitTorrent {
class Plugin : public plugin::Plugin {
public:
@ -17,7 +17,7 @@ public:
AddComponent(new ::analyzer::Component("BitTorrentTracker", ::analyzer::bittorrent::BitTorrentTracker_Analyzer::Instantiate));
plugin::Configuration config;
config.name = "Bro::BitTorrent";
config.name = "Zeek::BitTorrent";
config.description = "BitTorrent Analyzer";
return config;
}


@ -1,10 +1,10 @@
include(BroPlugin)
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro ConnSize)
bro_plugin_cc(ConnSize.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_bif(functions.bif)
bro_plugin_end()
zeek_plugin_begin(Zeek ConnSize)
zeek_plugin_cc(ConnSize.cc Plugin.cc)
zeek_plugin_bif(events.bif)
zeek_plugin_bif(functions.bif)
zeek_plugin_end()


@ -6,7 +6,7 @@
#include "ConnSize.h"
namespace plugin {
namespace Bro_ConnSize {
namespace Zeek_ConnSize {
class Plugin : public plugin::Plugin {
public:
@ -15,7 +15,7 @@ public:
AddComponent(new ::analyzer::Component("ConnSize", ::analyzer::conn_size::ConnSize_Analyzer::Instantiate));
plugin::Configuration config;
config.name = "Bro::ConnSize";
config.name = "Zeek::ConnSize";
config.description = "Connection size analyzer";
return config;
}


@ -1,12 +1,12 @@
include(BroPlugin)
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro DCE_RPC)
bro_plugin_cc(DCE_RPC.cc Plugin.cc)
bro_plugin_bif(consts.bif types.bif events.bif)
bro_plugin_pac(
zeek_plugin_begin(Zeek DCE_RPC)
zeek_plugin_cc(DCE_RPC.cc Plugin.cc)
zeek_plugin_bif(consts.bif types.bif events.bif)
zeek_plugin_pac(
dce_rpc.pac
dce_rpc-protocol.pac
dce_rpc-analyzer.pac
@ -14,5 +14,5 @@ bro_plugin_pac(
endpoint-atsvc.pac
endpoint-epmapper.pac
)
bro_plugin_end()
zeek_plugin_end()


@ -6,7 +6,7 @@
#include "DCE_RPC.h"
namespace plugin {
namespace Bro_DCE_RPC {
namespace Zeek_DCE_RPC {
class Plugin : public plugin::Plugin {
public:
@ -15,7 +15,7 @@ public:
AddComponent(new ::analyzer::Component("DCE_RPC", ::analyzer::dce_rpc::DCE_RPC_Analyzer::Instantiate));
plugin::Configuration config;
config.name = "Bro::DCE_RPC";
config.name = "Zeek::DCE_RPC";
config.description = "DCE-RPC analyzer";
return config;
}


@ -1,11 +1,11 @@
include(BroPlugin)
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro DHCP)
bro_plugin_cc(DHCP.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_bif(types.bif)
bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac dhcp-options.pac)
bro_plugin_end()
zeek_plugin_begin(Zeek DHCP)
zeek_plugin_cc(DHCP.cc Plugin.cc)
zeek_plugin_bif(events.bif)
zeek_plugin_bif(types.bif)
zeek_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac dhcp-options.pac)
zeek_plugin_end()


@ -6,7 +6,7 @@
#include "DHCP.h"
namespace plugin {
namespace Bro_DHCP {
namespace Zeek_DHCP {
class Plugin : public plugin::Plugin {
public:
@ -15,7 +15,7 @@ public:
AddComponent(new ::analyzer::Component("DHCP", ::analyzer::dhcp::DHCP_Analyzer::Instantiate));
plugin::Configuration config;
config.name = "Bro::DHCP";
config.name = "Zeek::DHCP";
config.description = "DHCP analyzer";
return config;
}


@ -21,6 +21,29 @@ refine typeattr Option += &let {
};
##############################
# TIME OFFSET OPTION
##############################
let TIME_OFFSET_OPTION = 2;
# Parse the option
refine casetype OptionValue += {
TIME_OFFSET_OPTION -> time_offset : int32;
};
refine flow DHCP_Flow += {
function process_time_offset_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(25, val_mgr->GetInt(${v.time_offset}));
return true;
%}
};
refine typeattr Option += &let {
proc_timeoffset_option = $context.flow.process_time_offset_option(info.value) &if(code==TIME_OFFSET_OPTION);
};
##############################
# ROUTER OPTION
##############################
@ -55,6 +78,74 @@ refine typeattr Option += &let {
};
##############################
# TIME SERVER OPTION
##############################
let TIME_SERVER_OPTION = 4;
# Parse the option
refine casetype OptionValue += {
TIME_SERVER_OPTION -> timeserver_list : uint32[length/4];
};
refine flow DHCP_Flow += {
function process_timeserver_option(v: OptionValue): bool
%{
VectorVal* timeserver_list = new VectorVal(BifType::Vector::DHCP::Addrs);
int num_servers = ${v.timeserver_list}->size();
vector<uint32>* rlist = ${v.timeserver_list};
for ( int i = 0; i < num_servers; ++i )
{
uint32 raddr = (*rlist)[i];
timeserver_list->Assign(i, new AddrVal(htonl(raddr)));
}
${context.flow}->options->Assign(26, timeserver_list);
return true;
%}
};
refine typeattr Option += &let {
proc_timeserver_option = $context.flow.process_timeserver_option(info.value) &if(code==TIME_SERVER_OPTION);
};
##############################
# NAME SERVER OPTION
##############################
let NAME_SERVER_OPTION = 5;
# Parse the option
refine casetype OptionValue += {
NAME_SERVER_OPTION -> nameserver_list : uint32[length/4];
};
refine flow DHCP_Flow += {
function process_nameserver_option(v: OptionValue): bool
%{
VectorVal* nameserver_list = new VectorVal(BifType::Vector::DHCP::Addrs);
int num_servers = ${v.nameserver_list}->size();
vector<uint32>* rlist = ${v.nameserver_list};
for ( int i = 0; i < num_servers; ++i )
{
uint32 raddr = (*rlist)[i];
nameserver_list->Assign(i, new AddrVal(htonl(raddr)));
}
${context.flow}->options->Assign(27, nameserver_list);
return true;
%}
};
refine typeattr Option += &let {
proc_nameserver_option = $context.flow.process_nameserver_option(info.value) &if(code==NAME_SERVER_OPTION);
};
##############################
# DNS SERVER OPTION
##############################
@ -194,6 +285,39 @@ refine typeattr Option += &let {
};
##############################
# NTP SERVER OPTION
##############################
let NTP_SERVER_OPTION = 42;
# Parse the option
refine casetype OptionValue += {
NTP_SERVER_OPTION -> ntpserver_list : uint32[length/4];
};
refine flow DHCP_Flow += {
function process_ntpserver_option(v: OptionValue): bool
%{
VectorVal* ntpserver_list = new VectorVal(BifType::Vector::DHCP::Addrs);
int num_servers = ${v.ntpserver_list}->size();
vector<uint32>* rlist = ${v.ntpserver_list};
for ( int i = 0; i < num_servers; ++i )
{
uint32 raddr = (*rlist)[i];
ntpserver_list->Assign(i, new AddrVal(htonl(raddr)));
}
${context.flow}->options->Assign(28, ntpserver_list);
return true;
%}
};
refine typeattr Option += &let {
proc_ntpserver_option = $context.flow.process_ntpserver_option(info.value) &if(code==NTP_SERVER_OPTION);
};
##############################
# VENDOR SPECIFIC OPTION
##############################
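Review bot: process_timeserver_option, process_nameserver_option and process_ntpserver_option (second and third hunks) are the same address-list conversion copied three times, and each hard-codes a positional index (26, 27, 28) into the options record that nothing in this file ties to a field name, so a later change to the DHCP::Options layout would silently land a list in the wrong field. Factor the conversion into one helper and add a comment at each Assign naming the record field the index refers to, e.g. `// 26 == DHCP::Options$<field name>` with the real name filled in; the same applies to process_time_offset_option's index 25 in the first hunk. Where in the .pac the helper belongs (a %code or %member block for the flow) I cannot confirm from these hunks.
```binpac
// Converts a raw big-endian IPv4 address list into a DHCP::Addrs vector.
// Constructed helper; place it where DHCP_Flow's other helpers live.
static VectorVal* addr_list_to_vector(const vector<uint32>* rlist)
	{
	VectorVal* vv = new VectorVal(BifType::Vector::DHCP::Addrs);
	for ( unsigned int i = 0; i < rlist->size(); ++i )
		vv->Assign(i, new AddrVal(htonl((*rlist)[i])));
	return vv;
	}

// … unchanged: option constants and casetype refinements …

	function process_timeserver_option(v: OptionValue): bool
		%{
		// 26 == DHCP::Options$<field name>  (placeholder: fill in the real field)
		${context.flow}->options->Assign(26, addr_list_to_vector(${v.timeserver_list}));
		return true;
		%}
```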


@ -1,10 +1,10 @@
include(BroPlugin)
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro DNP3)
bro_plugin_cc(DNP3.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_pac(dnp3.pac dnp3-analyzer.pac dnp3-protocol.pac dnp3-objects.pac)
bro_plugin_end()
zeek_plugin_begin(Zeek DNP3)
zeek_plugin_cc(DNP3.cc Plugin.cc)
zeek_plugin_bif(events.bif)
zeek_plugin_pac(dnp3.pac dnp3-analyzer.pac dnp3-protocol.pac dnp3-objects.pac)
zeek_plugin_end()


@ -6,7 +6,7 @@
#include "DNP3.h"
namespace plugin {
namespace Bro_DNP3 {
namespace Zeek_DNP3 {
class Plugin : public plugin::Plugin {
public:
@ -16,7 +16,7 @@ public:
AddComponent(new ::analyzer::Component("DNP3_UDP", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate));
plugin::Configuration config;
config.name = "Bro::DNP3";
config.name = "Zeek::DNP3";
config.description = "DNP3 UDP/TCP analyzers";
return config;
}


@ -1,9 +1,9 @@
include(BroPlugin)
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro DNS)
bro_plugin_cc(DNS.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()
zeek_plugin_begin(Zeek DNS)
zeek_plugin_cc(DNS.cc Plugin.cc)
zeek_plugin_bif(events.bif)
zeek_plugin_end()


@ -281,6 +281,10 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
status = ParseRR_TXT(msg, data, len, rdlength, msg_start);
break;
case TYPE_SPF:
status = ParseRR_SPF(msg, data, len, rdlength, msg_start);
break;
case TYPE_CAA:
status = ParseRR_CAA(msg, data, len, rdlength, msg_start);
break;
@ -1321,6 +1325,36 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
return rdlength == 0;
}
int DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
{
if ( ! dns_SPF_reply || msg->skip_event )
{
data += rdlength;
len -= rdlength;
return 1;
}
VectorVal* char_strings = new VectorVal(string_vec);
StringVal* char_string;
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), char_string);
if ( dns_SPF_reply )
analyzer->ConnectionEventFast(dns_SPF_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
char_strings,
});
else
Unref(char_strings);
return rdlength == 0;
}
int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start)
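Review bot: The `else Unref(char_strings);` branch at the end of ParseRR_SPF is unreachable, because the guard at the top of the function already returns when `dns_SPF_reply` has no handler; either drop the inner `if ( dns_SPF_reply )` and call `analyzer->ConnectionEventFast(dns_SPF_reply, {...})` unconditionally, or reduce the top guard to `msg->skip_event` if the Unref path is meant to stay. The body also appears to be a near copy of ParseRR_TXT (whose body lies outside the hunk), so a shared helper parameterised by the event handler would keep the two from drifting. The loop's termination relies on extract_char_string returning null once the RDATA is consumed and on it decrementing `rdlength` through its reference parameter, neither of which is visible here; a comment such as `// extract_char_string consumes data/len/rdlength; a null return ends the RDATA` would make the final `return rdlength == 0` check easier to audit.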


@ -63,6 +63,8 @@ typedef enum {
TYPE_DNSKEY = 48, ///< DNS Key record (RFC 4034)
TYPE_DS = 43, ///< Delegation signer (RFC 4034)
TYPE_NSEC3 = 50,
// Obsoleted
TYPE_SPF = 99, ///< Alternative: storing SPF data in TXT records, using the same format (RFC 4408). Support for it was discontinued in RFC 7208
// The following are only valid in queries.
TYPE_AXFR = 252,
TYPE_ALL = 255,
@ -282,6 +284,9 @@ protected:
int ParseRR_TXT(DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
int ParseRR_SPF(DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
int ParseRR_CAA(DNS_MsgInfo* msg,
const u_char*& data, int& len, int rdlength,
const u_char* msg_start);
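Review bot: The doc comment on `TYPE_SPF` reads as if the TXT alternative were the thing being declared, and the bare `// Obsoleted` line above it carries no reference; a clearer form is `TYPE_SPF = 99, ///< SPF record (RFC 4408); obsoleted by RFC 7208, which publishes SPF data in TXT records of the same format`. The new `ParseRR_SPF` declaration mirrors `ParseRR_TXT` and needs no further change.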


@ -6,7 +6,7 @@
#include "DNS.h"
namespace plugin {
namespace Bro_DNS {
namespace Zeek_DNS {
class Plugin : public plugin::Plugin {
public:
@ -16,7 +16,7 @@ public:
AddComponent(new ::analyzer::Component("Contents_DNS", 0));
plugin::Configuration config;
config.name = "Bro::DNS";
config.name = "Zeek::DNS";
config.description = "DNS analyzer";
return config;
}


@ -1,7 +1,7 @@
## Generated for all DNS messages.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -15,7 +15,7 @@
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@ -26,7 +26,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
## is raised once for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -42,7 +42,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@ -55,7 +55,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
## the reply; there's no stateful correlation with the query.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -71,7 +71,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@ -81,7 +81,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
## Generated for each entry in the Question section of a DNS reply.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -97,7 +97,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@ -109,7 +109,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -123,7 +123,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
##
## .. zeek:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@ -134,7 +134,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -148,7 +148,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
##
## .. zeek:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@ -159,7 +159,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -173,7 +173,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
##
## .. zeek:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@ -184,7 +184,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -198,7 +198,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@ -209,7 +209,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -223,7 +223,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@ -234,7 +234,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -248,7 +248,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@ -259,7 +259,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -273,7 +273,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@ -284,7 +284,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -296,7 +296,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@ -307,7 +307,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -319,7 +319,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@ -330,7 +330,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -346,7 +346,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@ -357,7 +357,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -378,6 +378,31 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec%);
## Generated for DNS replies of type *SPF*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## ans: The type-independent part of the parsed answer record.
##
## strs: The textual information returned by the reply.
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_SPF_reply%(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec%);
## Generated for DNS replies of type *CAA* (Certification Authority Authorization).
## For replies with multiple answers, an individual event of the corresponding type
## is raised for each.
@ -401,7 +426,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -425,7 +450,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@ -433,7 +458,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count%);
## Generated on DNS reply resource records when the type of record is not one
## that Bro knows how to parse and generate another more specific event.
## that Zeek knows how to parse and generate another more specific event.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
@ -444,14 +469,14 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: strin
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_SRV_reply dns_end
## dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_SRV_reply dns_end
event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
## Generated for DNS replies of type *EDNS*. For replies with multiple answers,
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -463,7 +488,7 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@ -474,7 +499,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
## an individual event of the corresponding type is raised for each.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -486,7 +511,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request
## dns_SRV_reply dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@ -565,7 +590,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
## all resource records have been passed on.
##
## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
## sessions.
##
## c: The connection, which may be UDP or TCP depending on the type of the
@ -575,7 +600,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
##
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_full_request
## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@ -590,6 +615,6 @@ event dns_full_request%(%);
## msg: The raw DNS payload.
##
## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
## .. note:: This event is deprecated and superseded by Zeek's dynamic protocol
## detection framework.
event non_dns_request%(c: connection, msg: string%);
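Review bot: The `.. zeek:see::` list for the new `dns_SPF_reply` event omits `dns_TXT_reply`, while every other event's list in this file was updated to include `dns_SPF_reply`; the third line of that list should read `## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request`. The doc block also does not mention that record type 99 is obsolete, which the DNS.h change in this same commit notes (support discontinued in RFC 7208); a short note stating that the SPF record type is obsolete per RFC 7208 and that SPF policies are normally carried in TXT records, so scripts wanting them should also handle dns_TXT_reply, would steer script authors to the right event.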


@ -1,9 +1,9 @@
include(BroPlugin)
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro File)
bro_plugin_cc(File.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()
zeek_plugin_begin(Zeek File)
zeek_plugin_cc(File.cc Plugin.cc)
zeek_plugin_bif(events.bif)
zeek_plugin_end()


@ -6,7 +6,7 @@
#include "./File.h"
namespace plugin {
namespace Bro_File {
namespace Zeek_File {
class Plugin : public plugin::Plugin {
public:
@ -16,7 +16,7 @@ public:
AddComponent(new ::analyzer::Component("IRC_Data", ::analyzer::file::IRC_Data::Instantiate));
plugin::Configuration config;
config.name = "Bro::File";
config.name = "Zeek::File";
config.description = "Generic file analyzer";
return config;
}


@ -1,9 +1,9 @@
include(BroPlugin)
include(ZeekPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro Finger)
bro_plugin_cc(Finger.cc Plugin.cc)
bro_plugin_bif(events.bif)
bro_plugin_end()
zeek_plugin_begin(Zeek Finger)
zeek_plugin_cc(Finger.cc Plugin.cc)
zeek_plugin_bif(events.bif)
zeek_plugin_end()


@ -5,7 +5,7 @@
#include "Finger.h"
namespace plugin {
namespace Bro_Finger {
namespace Zeek_Finger {
class Plugin : public plugin::Plugin {
public:
@ -14,7 +14,7 @@ public:
AddComponent(new ::analyzer::Component("Finger", ::analyzer::finger::Finger_Analyzer::Instantiate));
plugin::Configuration config;
config.name = "Bro::Finger";
config.name = "Zeek::Finger";
config.description = "Finger analyzer";
return config;
}
