signatures: Support custom event via [event_name] syntax

This change allows to specify a per signature specific event, overriding the default signature_match event. It further removes the message parameter from such events if not provided in the signature. This also tracks the message as StringValPtr directly to avoid allocating the same StringVal for every DoAction() call. Closes #3403
2025-10-08 09:38:19 +00:00 · 2023-11-29 17:27:29 +01:00 · 2023-11-29 17:27:29 +01:00 · a7b077aa17
commit a7b077aa17
parent d11ac929af
10 changed files with 202 additions and 10 deletions
--- a/testing/btest/signatures/custom-event-errors.zeek
+++ b/testing/btest/signatures/custom-event-errors.zeek
@ -0,0 +1,33 @@
+# @TEST-DOC: Using the wrong paramters for custom signature events.
+#
+# @TEST-EXEC-FAIL: zeek -b -s id -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >id.out
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+
+@TEST-START-FILE id.sig
+signature udp-proto {
+  ip-proto == 17
+  event [wrong_signature2] "id"
+}
+
+signature udp-proto2 {
+  ip-proto == 17
+  event [wrong_signature3]
+}
+
+signature udp-proto3 {
+  ip-proto == 17
+  event [wrong_signature4] "not a count"
+}
+
+signature udp-proto4 {
+  ip-proto == 17
+  event [non_existing_event]
+}
+
+@TEST-END-FILE
+
+event wrong_signature2(state: signature_state, data: string) { }
+
+event wrong_signature3(state: signature_state, msg: string, data: string) { }
+
+event wrong_signature4(state: signature_state, msg: count, data: string) { }