signatures: Support custom event via [event_name] syntax

This change allows to specify a per signature specific event, overriding the default signature_match event. It further removes the message parameter from such events if not provided in the signature. This also tracks the message as StringValPtr directly to avoid allocating the same StringVal for every DoAction() call. Closes #3403
2025-10-02 14:48:21 +00:00 · 2023-11-29 17:27:29 +01:00 · 2023-11-29 17:27:29 +01:00 · a7b077aa17
commit a7b077aa17
parent d11ac929af
10 changed files with 202 additions and 10 deletions
--- a/src/RuleAction.h
+++ b/src/RuleAction.h
@ -3,9 +3,16 @@
 #include <sys/types.h> // for u_char
 #include <string>

+#include "zeek/EventHandler.h"
+#include "zeek/IntrusivePtr.h"
 #include "zeek/Tag.h"

-namespace zeek::detail {
+namespace zeek {
+
+class StringVal;
+using StringValPtr = IntrusivePtr<StringVal>;
+
+namespace detail {

 class Rule;
 class RuleEndpointState;
@ -24,14 +31,15 @@ public:
 class RuleActionEvent : public RuleAction {
 public:
    explicit RuleActionEvent(const char* arg_msg);
-    ~RuleActionEvent() override { delete[] msg; }
+    explicit RuleActionEvent(const char* arg_msg, const char* event_name);

    void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) override;

    void PrintDebug() override;

 private:
-    const char* msg;
+    StringValPtr msg;
+    EventHandlerPtr handler;
 };

 class RuleActionMIME : public RuleAction {
@ -88,4 +96,5 @@ public:
    void PrintDebug() override;
 };

-} // namespace zeek::detail
+} // namespace detail
+} // namespace zeek