From adcf99b25eb6f3b1fb94bd9331d531a17e193114 Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Tue, 25 Aug 2020 16:12:50 -0700 Subject: [PATCH] Fix uses of bro.pac to use zeek.pac --- .../protocol/ayiya/ayiya-analyzer.pac | 16 +- src/analyzer/protocol/ayiya/ayiya.pac | 2 +- .../bittorrent/bittorrent-analyzer.pac | 56 ++--- .../protocol/bittorrent/bittorrent.pac | 5 +- .../protocol/dce-rpc/dce_rpc-analyzer.pac | 30 +-- .../protocol/dce-rpc/dce_rpc-auth.pac | 6 +- .../protocol/dce-rpc/dce_rpc-protocol.pac | 16 +- src/analyzer/protocol/dce-rpc/dce_rpc.pac | 4 +- src/analyzer/protocol/dhcp/dhcp-analyzer.pac | 8 +- src/analyzer/protocol/dhcp/dhcp-protocol.pac | 3 +- src/analyzer/protocol/dhcp/dhcp.pac | 4 +- src/analyzer/protocol/dnp3/dnp3-analyzer.pac | 207 +++++++++--------- src/analyzer/protocol/dnp3/dnp3-objects.pac | 3 +- src/analyzer/protocol/dnp3/dnp3-protocol.pac | 2 +- src/analyzer/protocol/dnp3/dnp3.pac | 3 +- src/analyzer/protocol/dns/DNS.h | 2 +- .../protocol/gssapi/gssapi-analyzer.pac | 8 +- src/analyzer/protocol/gssapi/gssapi.pac | 4 +- .../protocol/gtpv1/gtpv1-analyzer.pac | 20 +- src/analyzer/protocol/gtpv1/gtpv1.pac | 2 +- src/analyzer/protocol/http/HTTP.h | 2 +- src/analyzer/protocol/imap/imap-analyzer.pac | 18 +- src/analyzer/protocol/imap/imap.pac | 4 +- src/analyzer/protocol/krb/krb-analyzer.pac | 56 ++--- src/analyzer/protocol/krb/krb-padata.pac | 20 +- src/analyzer/protocol/krb/krb-types.pac | 8 +- src/analyzer/protocol/krb/krb.pac | 4 +- src/analyzer/protocol/krb/krb_TCP.pac | 4 +- .../protocol/modbus/modbus-analyzer.pac | 132 +++++------ .../protocol/modbus/modbus-protocol.pac | 4 +- src/analyzer/protocol/modbus/modbus.pac | 6 +- .../protocol/mqtt/commands/connack.pac | 4 +- .../protocol/mqtt/commands/connect.pac | 6 +- .../protocol/mqtt/commands/disconnect.pac | 4 +- .../protocol/mqtt/commands/pingreq.pac | 4 +- .../protocol/mqtt/commands/pingresp.pac | 4 +- .../protocol/mqtt/commands/puback.pac | 4 +- .../protocol/mqtt/commands/pubcomp.pac | 4 +- .../protocol/mqtt/commands/publish.pac | 6 +- 
.../protocol/mqtt/commands/pubrec.pac | 4 +- .../protocol/mqtt/commands/pubrel.pac | 4 +- .../protocol/mqtt/commands/suback.pac | 4 +- .../protocol/mqtt/commands/subscribe.pac | 4 +- .../protocol/mqtt/commands/unsuback.pac | 4 +- .../protocol/mqtt/commands/unsubscribe.pac | 4 +- src/analyzer/protocol/mqtt/mqtt-protocol.pac | 5 +- src/analyzer/protocol/mqtt/mqtt.pac | 5 +- .../protocol/mysql/mysql-analyzer.pac | 38 ++-- src/analyzer/protocol/mysql/mysql.pac | 4 +- src/analyzer/protocol/ncp/ncp.pac | 2 +- src/analyzer/protocol/ntlm/ntlm-analyzer.pac | 52 ++--- src/analyzer/protocol/ntlm/ntlm.pac | 4 +- src/analyzer/protocol/ntp/ntp-analyzer.pac | 6 +- src/analyzer/protocol/ntp/ntp.pac | 4 +- .../protocol/radius/radius-analyzer.pac | 6 +- src/analyzer/protocol/radius/radius.pac | 4 +- src/analyzer/protocol/rdp/RDP.cc | 2 +- src/analyzer/protocol/rdp/rdp-analyzer.pac | 60 ++--- src/analyzer/protocol/rdp/rdp-protocol.pac | 4 +- src/analyzer/protocol/rdp/rdp.pac | 4 +- .../protocol/rdp/rdpeudp-analyzer.pac | 18 +- src/analyzer/protocol/rdp/rdpeudp.pac | 4 +- src/analyzer/protocol/rfb/rfb-analyzer.pac | 26 +-- src/analyzer/protocol/rfb/rfb.pac | 4 +- src/analyzer/protocol/sip/sip-analyzer.pac | 18 +- src/analyzer/protocol/sip/sip.pac | 4 +- src/analyzer/protocol/sip/sip_TCP.pac | 4 +- src/analyzer/protocol/smb/smb-gssapi.pac | 4 +- src/analyzer/protocol/smb/smb-pipe.pac | 2 +- src/analyzer/protocol/smb/smb-strings.pac | 4 +- src/analyzer/protocol/smb/smb-time.pac | 14 +- src/analyzer/protocol/smb/smb.pac | 6 +- .../protocol/smb/smb1-com-check-directory.pac | 8 +- src/analyzer/protocol/smb/smb1-com-close.pac | 8 +- .../smb/smb1-com-create-directory.pac | 7 +- src/analyzer/protocol/smb/smb1-com-echo.pac | 5 +- .../protocol/smb/smb1-com-logoff-andx.pac | 2 +- .../protocol/smb/smb1-com-negotiate.pac | 8 +- .../protocol/smb/smb1-com-nt-cancel.pac | 4 +- .../protocol/smb/smb1-com-nt-create-andx.pac | 12 +- .../smb/smb1-com-query-information.pac | 5 +- 
.../protocol/smb/smb1-com-read-andx.pac | 12 +- .../smb/smb1-com-session-setup-andx.pac | 8 +- .../smb/smb1-com-transaction-secondary.pac | 4 +- .../protocol/smb/smb1-com-transaction.pac | 8 +- .../smb/smb1-com-transaction2-secondary.pac | 4 +- .../protocol/smb/smb1-com-transaction2.pac | 23 +- .../smb/smb1-com-tree-connect-andx.pac | 8 +- .../protocol/smb/smb1-com-tree-disconnect.pac | 4 +- .../protocol/smb/smb1-com-write-andx.pac | 12 +- src/analyzer/protocol/smb/smb1-protocol.pac | 14 +- src/analyzer/protocol/smb/smb2-com-close.pac | 14 +- src/analyzer/protocol/smb/smb2-com-create.pac | 14 +- .../protocol/smb/smb2-com-negotiate.pac | 8 +- src/analyzer/protocol/smb/smb2-com-read.pac | 8 +- .../protocol/smb/smb2-com-session-setup.pac | 10 +- .../protocol/smb/smb2-com-set-info.pac | 58 ++--- .../smb/smb2-com-transform-header.pac | 4 +- .../protocol/smb/smb2-com-tree-connect.pac | 8 +- .../protocol/smb/smb2-com-tree-disconnect.pac | 8 +- src/analyzer/protocol/smb/smb2-com-write.pac | 12 +- src/analyzer/protocol/smb/smb2-protocol.pac | 6 +- src/analyzer/protocol/snmp/snmp-analyzer.pac | 56 ++--- src/analyzer/protocol/snmp/snmp.pac | 4 +- .../protocol/socks/socks-analyzer.pac | 54 ++--- src/analyzer/protocol/socks/socks.pac | 4 +- src/analyzer/protocol/ssh/SSH.cc | 14 +- src/analyzer/protocol/ssh/ssh-analyzer.pac | 34 +-- src/analyzer/protocol/ssh/ssh-protocol.pac | 2 +- src/analyzer/protocol/ssh/ssh.pac | 4 +- src/analyzer/protocol/ssl/dtls-analyzer.pac | 14 +- src/analyzer/protocol/ssl/dtls-protocol.pac | 8 +- src/analyzer/protocol/ssl/dtls.pac | 4 +- .../protocol/ssl/proc-certificate.pac | 10 +- .../protocol/ssl/proc-client-hello.pac | 8 +- .../protocol/ssl/proc-server-hello.pac | 8 +- src/analyzer/protocol/ssl/ssl-analyzer.pac | 6 +- .../protocol/ssl/ssl-dtls-analyzer.pac | 26 +-- src/analyzer/protocol/ssl/ssl-protocol.pac | 22 +- src/analyzer/protocol/ssl/ssl.pac | 4 +- .../protocol/ssl/tls-handshake-analyzer.pac | 106 ++++----- 
src/analyzer/protocol/ssl/tls-handshake.pac | 4 +- .../protocol/syslog/syslog-analyzer.pac | 10 +- src/analyzer/protocol/syslog/syslog.pac | 2 +- src/analyzer/protocol/xmpp/xmpp-analyzer.pac | 10 +- src/analyzer/protocol/xmpp/xmpp.pac | 4 +- src/file_analysis/analyzer/pe/pe-analyzer.pac | 20 +- src/file_analysis/analyzer/pe/pe.pac | 6 +- .../analyzer/unified2/unified2-analyzer.pac | 18 +- .../analyzer/unified2/unified2.pac | 4 +- .../analyzer/x509/x509-extension.pac | 6 +- src/zeek-setup.cc | 2 +- 132 files changed, 898 insertions(+), 909 deletions(-) diff --git a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac index f3dc420d1b..af194aa31c 100644 --- a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac +++ b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac @@ -3,7 +3,7 @@ #include "Conn.h" %} -connection AYIYA_Conn(bro_analyzer: BroAnalyzer) +connection AYIYA_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = AYIYA_Flow; downflow = AYIYA_Flow; @@ -15,7 +15,7 @@ flow AYIYA_Flow function process_ayiya(pdu: PDU): bool %{ - zeek::Connection* c = connection()->bro_analyzer()->Conn(); + zeek::Connection* c = connection()->zeek_analyzer()->Conn(); const zeek::EncapsulationStack* e = c->GetEncapsulation(); if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth ) @@ -39,7 +39,7 @@ flow AYIYA_Flow if ( ${pdu.packet}.length() < (int)sizeof(struct ip) ) { - connection()->bro_analyzer()->ProtocolViolation( + connection()->zeek_analyzer()->ProtocolViolation( "Truncated AYIYA", (const char*) ${pdu.packet}.data(), ${pdu.packet}.length()); return false; @@ -50,7 +50,7 @@ flow AYIYA_Flow if ( ( ${pdu.next_header} == IPPROTO_IPV6 && ip->ip_v != 6 ) || ( ${pdu.next_header} == IPPROTO_IPV4 && ip->ip_v != 4) ) { - connection()->bro_analyzer()->ProtocolViolation( + connection()->zeek_analyzer()->ProtocolViolation( "AYIYA next header mismatch", (const char*)${pdu.packet}.data(), ${pdu.packet}.length()); return false; 
@@ -61,20 +61,20 @@ flow AYIYA_Flow ${pdu.packet}.data(), ${pdu.next_header}, inner); if ( result == 0 ) - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); else if ( result == -2 ) - connection()->bro_analyzer()->ProtocolViolation( + connection()->zeek_analyzer()->ProtocolViolation( "AYIYA next header internal mismatch", (const char*)${pdu.packet}.data(), ${pdu.packet}.length()); else if ( result < 0 ) - connection()->bro_analyzer()->ProtocolViolation( + connection()->zeek_analyzer()->ProtocolViolation( "Truncated AYIYA", (const char*) ${pdu.packet}.data(), ${pdu.packet}.length()); else - connection()->bro_analyzer()->ProtocolViolation( + connection()->zeek_analyzer()->ProtocolViolation( "AYIYA payload length", (const char*) ${pdu.packet}.data(), ${pdu.packet}.length()); diff --git a/src/analyzer/protocol/ayiya/ayiya.pac b/src/analyzer/protocol/ayiya/ayiya.pac index ad4b7582a8..8e30bd3109 100644 --- a/src/analyzer/protocol/ayiya/ayiya.pac +++ b/src/analyzer/protocol/ayiya/ayiya.pac @@ -1,6 +1,6 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "IP.h" diff --git a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac index 8a30c93e4a..eb856a3ff8 100644 --- a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac +++ b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac @@ -1,6 +1,6 @@ # This code contributed by Nadi Sarrar. -connection BitTorrent_Conn(bro_analyzer: BroAnalyzer) { +connection BitTorrent_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = BitTorrent_Flow(true); downflow = BitTorrent_Flow(false); }; 
@@ -62,15 +62,15 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_handshake ) { zeek::BifEvent::enqueue_bittorrent_peer_handshake( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), to_stringval(reserved), to_stringval(info_hash), to_stringval(peer_id)); } - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); return true; %} @@ -80,8 +80,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_keep_alive ) { zeek::BifEvent::enqueue_bittorrent_peer_keep_alive( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig()); } @@ -93,8 +93,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_choke ) { zeek::BifEvent::enqueue_bittorrent_peer_choke( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig()); } @@ -106,8 +106,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_unchoke ) { zeek::BifEvent::enqueue_bittorrent_peer_unchoke( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig()); } @@ -119,8 +119,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_interested ) { zeek::BifEvent::enqueue_bittorrent_peer_interested( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig()); } 
@@ -132,8 +132,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_not_interested ) { zeek::BifEvent::enqueue_bittorrent_peer_not_interested( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig()); } @@ -145,8 +145,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_have ) { zeek::BifEvent::enqueue_bittorrent_peer_have( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), piece_index); } @@ -159,8 +159,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_bitfield ) { zeek::BifEvent::enqueue_bittorrent_peer_bitfield( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), to_stringval(bitfield)); } @@ -174,8 +174,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_request ) { zeek::BifEvent::enqueue_bittorrent_peer_request( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), index, begin, length); } @@ -189,8 +189,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_piece ) { zeek::BifEvent::enqueue_bittorrent_peer_piece( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), index, begin, piece_length); } @@ -204,8 +204,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_cancel ) { zeek::BifEvent::enqueue_bittorrent_peer_cancel( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), index, begin, length); } 
@@ -218,8 +218,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_port ) { zeek::BifEvent::enqueue_bittorrent_peer_port( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), zeek::val_mgr->Port(listen_port, TRANSPORT_TCP)); } @@ -232,8 +232,8 @@ flow BitTorrent_Flow(is_orig: bool) { if ( ::bittorrent_peer_unknown ) { zeek::BifEvent::enqueue_bittorrent_peer_unknown( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), id, to_stringval(data)); diff --git a/src/analyzer/protocol/bittorrent/bittorrent.pac b/src/analyzer/protocol/bittorrent/bittorrent.pac index 39e53596dd..dbf0efecf1 100644 --- a/src/analyzer/protocol/bittorrent/bittorrent.pac +++ b/src/analyzer/protocol/bittorrent/bittorrent.pac @@ -1,7 +1,7 @@ -# This code contributed to Bro by Nadi Sarrar. +# This code contributed to Zeek by Nadi Sarrar. %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #define MSGLEN_LIMIT 0x40000 @@ -16,4 +16,3 @@ analyzer BitTorrent withcontext { %include bittorrent-protocol.pac %include bittorrent-analyzer.pac - diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac index 5e022cd75c..4abbbdf009 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac @@ -29,7 +29,7 @@ refine connection DCE_RPC_Conn += { function proc_dce_rpc_pdu(pdu: DCE_RPC_PDU): bool %{ // If a whole pdu message parsed ok, let's confirm the protocol - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); return true; %} 
@@ -37,8 +37,8 @@ refine connection DCE_RPC_Conn += { %{ if ( dce_rpc_message ) { - zeek::BifEvent::enqueue_dce_rpc_message(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_dce_rpc_message(zeek_analyzer(), + zeek_analyzer()->Conn(), ${header.is_orig}, fid, ${header.PTYPE}, @@ -51,8 +51,8 @@ refine connection DCE_RPC_Conn += { %{ if ( dce_rpc_bind ) { - zeek::BifEvent::enqueue_dce_rpc_bind(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_dce_rpc_bind(zeek_analyzer(), + zeek_analyzer()->Conn(), fid, ${req.id}, to_stringval(${req.abstract_syntax.uuid}), @@ -67,8 +67,8 @@ refine connection DCE_RPC_Conn += { %{ if ( dce_rpc_alter_context ) { - zeek::BifEvent::enqueue_dce_rpc_alter_context(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_dce_rpc_alter_context(zeek_analyzer(), + zeek_analyzer()->Conn(), fid, ${req.id}, to_stringval(${req.abstract_syntax.uuid}), @@ -92,8 +92,8 @@ refine connection DCE_RPC_Conn += { else sec_addr = zeek::make_intrusive(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin()); - zeek::BifEvent::enqueue_dce_rpc_bind_ack(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_dce_rpc_bind_ack(zeek_analyzer(), + zeek_analyzer()->Conn(), fid, std::move(sec_addr)); } @@ -104,8 +104,8 @@ refine connection DCE_RPC_Conn += { %{ if ( dce_rpc_alter_context_resp ) { - zeek::BifEvent::enqueue_dce_rpc_alter_context_resp(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_dce_rpc_alter_context_resp(zeek_analyzer(), + zeek_analyzer()->Conn(), fid); } return true; @@ -115,8 +115,8 @@ refine connection DCE_RPC_Conn += { %{ if ( dce_rpc_request ) { - zeek::BifEvent::enqueue_dce_rpc_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_dce_rpc_request(zeek_analyzer(), + zeek_analyzer()->Conn(), fid, ${req.context_id}, ${req.opnum}, 
@@ -132,8 +132,8 @@ refine connection DCE_RPC_Conn += { %{ if ( dce_rpc_response ) { - zeek::BifEvent::enqueue_dce_rpc_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_dce_rpc_response(zeek_analyzer(), + zeek_analyzer()->Conn(), fid, ${resp.context_id}, get_cont_id_opnum_map(${resp.context_id}), diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac index 1aa845156e..5207f3611a 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac @@ -32,18 +32,18 @@ refine connection DCE_RPC_Conn += { { case 0x09: if ( ! gssapi ) - gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn()); + gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn()); if ( gssapi ) gssapi->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig); break; case 0x0a: if ( ! ntlm ) - ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); + ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn()); if ( ntlm ) ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig); break; default: - bro_analyzer()->Weird("unknown_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type})); + zeek_analyzer()->Weird("unknown_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type})); break; } diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index 1f2c3958a0..f294f564b2 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac 
@@ -190,9 +190,9 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( it != fb.end() ) { // We already had a first frag earlier. - zeek::reporter->Weird(connection()->bro_analyzer()->Conn(), + zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), "multiple_first_fragments_in_dce_rpc_reassembly"); - connection()->bro_analyzer()->SetSkip(true); + connection()->zeek_analyzer()->SetSkip(true); return false; } @@ -212,16 +212,16 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( fb.size() > zeek::BifConst::DCE_RPC::max_cmd_reassembly ) { - zeek::reporter->Weird(connection()->bro_analyzer()->Conn(), + zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), "too_many_dce_rpc_msgs_in_reassembly"); - connection()->bro_analyzer()->SetSkip(true); + connection()->zeek_analyzer()->SetSkip(true); } if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data ) { - zeek::reporter->Weird(connection()->bro_analyzer()->Conn(), + zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); - connection()->bro_analyzer()->SetSkip(true); + connection()->zeek_analyzer()->SetSkip(true); } return false; @@ -235,9 +235,9 @@ flow DCE_RPC_Flow(is_orig: bool) { if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data ) { - zeek::reporter->Weird(connection()->bro_analyzer()->Conn(), + zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); - connection()->bro_analyzer()->SetSkip(true); + connection()->zeek_analyzer()->SetSkip(true); } return ${header.lastfrag}; diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc.pac b/src/analyzer/protocol/dce-rpc/dce_rpc.pac index 87070e6216..521885ea1a 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc.pac @@ -1,5 +1,5 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "consts.bif.h" 
@@ -12,7 +12,7 @@ analyzer DCE_RPC withcontext { flow : DCE_RPC_Flow; }; -connection DCE_RPC_Conn(bro_analyzer: BroAnalyzer) { +connection DCE_RPC_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = DCE_RPC_Flow(true); downflow = DCE_RPC_Flow(false); }; diff --git a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac index b8f02139e3..99fe9913bc 100644 --- a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac +++ b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac @@ -44,7 +44,7 @@ refine flow DHCP_Flow += { // the message options. if ( ${msg.cookie} != 0x63825363 ) { - connection()->bro_analyzer()->ProtocolViolation(zeek::util::fmt("bad cookie (%d)", ${msg.cookie})); + connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("bad cookie (%d)", ${msg.cookie})); return false; } @@ -91,8 +91,8 @@ refine flow DHCP_Flow += { init_options(); - zeek::BifEvent::enqueue_dhcp_message(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_dhcp_message(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${msg.is_orig}, std::move(dhcp_msg_val), std::move(options)); @@ -106,7 +106,7 @@ refine flow DHCP_Flow += { // on a "connection". // The binpac analyzer would have thrown an error before this point // if there was a problem too (and subsequently called ProtocolViolation). - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); return true; %} diff --git a/src/analyzer/protocol/dhcp/dhcp-protocol.pac b/src/analyzer/protocol/dhcp/dhcp-protocol.pac index af48a416c4..b26d163c97 100644 --- a/src/analyzer/protocol/dhcp/dhcp-protocol.pac +++ b/src/analyzer/protocol/dhcp/dhcp-protocol.pac @@ -67,9 +67,8 @@ refine flow DHCP_Flow += { } if ( type == 0 ) - connection()->bro_analyzer()->ProtocolViolation("no DHCP message type option"); + connection()->zeek_analyzer()->ProtocolViolation("no DHCP message type option"); return type; %} }; - 
diff --git a/src/analyzer/protocol/dhcp/dhcp.pac b/src/analyzer/protocol/dhcp/dhcp.pac index ac88726b3c..f67523299b 100644 --- a/src/analyzer/protocol/dhcp/dhcp.pac +++ b/src/analyzer/protocol/dhcp/dhcp.pac @@ -1,5 +1,5 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "types.bif.h" @@ -11,7 +11,7 @@ analyzer DHCP withcontext { flow: DHCP_Flow; }; -connection DHCP_Conn(bro_analyzer: BroAnalyzer) { +connection DHCP_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = DHCP_Flow(true); downflow = DHCP_Flow(false); }; diff --git a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac index 189128b39d..33608c1845 100644 --- a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac +++ b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac @@ -1,5 +1,5 @@ -connection DNP3_Conn(bro_analyzer: BroAnalyzer) { +connection DNP3_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = DNP3_Flow(true); downflow = DNP3_Flow(false); }; @@ -30,8 +30,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_header_block ) { zeek::BifEvent::enqueue_dnp3_header_block( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), len, ctrl, dest_addr, src_addr); } @@ -43,8 +43,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_application_request_header ) { zeek::BifEvent::enqueue_dnp3_application_request_header( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), application_control, fc @@ -58,8 +58,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_application_response_header ) { zeek::BifEvent::enqueue_dnp3_application_response_header( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), application_control, fc, 
@@ -74,8 +74,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_object_header ) { zeek::BifEvent::enqueue_dnp3_object_header( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), obj_type, qua_field, number, rf_low, rf_high); } @@ -87,8 +87,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_object_prefix ) { zeek::BifEvent::enqueue_dnp3_object_prefix( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), prefix_value); } @@ -100,8 +100,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_response_data_object ) { zeek::BifEvent::enqueue_dnp3_response_data_object( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), data_value); } @@ -114,8 +114,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_attribute_common ) { zeek::BifEvent::enqueue_dnp3_attribute_common( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), data_type_code, leng, to_stringval(attribute_obj) ); } @@ -128,8 +128,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_crob ) { zeek::BifEvent::enqueue_dnp3_crob( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), control_code, count8, on_time, off_time, status_code); } @@ -142,8 +142,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_pcb ) { zeek::BifEvent::enqueue_dnp3_pcb( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), control_code, count8, on_time, off_time, status_code); } 
@@ -156,8 +156,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_counter_32wFlag ) { zeek::BifEvent::enqueue_dnp3_counter_32wFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, count_value); } @@ -170,8 +170,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_counter_16wFlag ) { zeek::BifEvent::enqueue_dnp3_counter_16wFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, count_value); } @@ -184,8 +184,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_counter_32woFlag ) { zeek::BifEvent::enqueue_dnp3_counter_32woFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), count_value); } @@ -198,8 +198,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_counter_16woFlag ) { zeek::BifEvent::enqueue_dnp3_counter_16woFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), count_value); } @@ -212,8 +212,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_counter_32wFlag ) { zeek::BifEvent::enqueue_dnp3_frozen_counter_32wFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, count_value); } @@ -226,8 +226,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_counter_16wFlag ) { zeek::BifEvent::enqueue_dnp3_frozen_counter_16wFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, count_value); } 
@@ -240,8 +240,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_counter_32wFlagTime ) { zeek::BifEvent::enqueue_dnp3_frozen_counter_32wFlagTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, count_value, bytestring_to_time(time48)); } @@ -254,8 +254,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_counter_16wFlagTime ) { zeek::BifEvent::enqueue_dnp3_frozen_counter_16wFlagTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, count_value, bytestring_to_time(time48)); } @@ -268,8 +268,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_counter_32woFlag ) { zeek::BifEvent::enqueue_dnp3_frozen_counter_32woFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), count_value); } @@ -282,8 +282,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_counter_16woFlag ) { zeek::BifEvent::enqueue_dnp3_frozen_counter_16woFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), count_value); } @@ -296,8 +296,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_32wFlag ) { zeek::BifEvent::enqueue_dnp3_analog_input_32wFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value); } @@ -310,8 +310,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_16wFlag ) { zeek::BifEvent::enqueue_dnp3_analog_input_16wFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value); } 
@@ -324,8 +324,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_32woFlag ) { zeek::BifEvent::enqueue_dnp3_analog_input_32woFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), value); } @@ -338,8 +338,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_16woFlag ) { zeek::BifEvent::enqueue_dnp3_analog_input_16woFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), value); } @@ -352,8 +352,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_SPwFlag ) { zeek::BifEvent::enqueue_dnp3_analog_input_SPwFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value); } @@ -366,8 +366,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_DPwFlag ) { zeek::BifEvent::enqueue_dnp3_analog_input_DPwFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value_low, value_high); } @@ -380,8 +380,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_32wFlag ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32wFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value); } @@ -394,8 +394,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_16wFlag ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16wFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value); } 
@@ -408,8 +408,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_32wTime ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32wTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value, bytestring_to_time(time48)); } @@ -422,8 +422,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_16wTime ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16wTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value, bytestring_to_time(time48)); } @@ -436,8 +436,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_32woFlag ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32woFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), frozen_value); } @@ -450,8 +450,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_16woFlag ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16woFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), frozen_value); } @@ -464,8 +464,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_SPwFlag ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_SPwFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value); } 
@@ -478,8 +478,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_DPwFlag ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_DPwFlag( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value_low, frozen_value_high); } @@ -492,8 +492,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_event_32woTime ) { zeek::BifEvent::enqueue_dnp3_analog_input_event_32woTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value); } @@ -506,8 +506,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_event_16woTime ) { zeek::BifEvent::enqueue_dnp3_analog_input_event_16woTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value); } @@ -520,8 +520,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_event_32wTime ) { zeek::BifEvent::enqueue_dnp3_analog_input_event_32wTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value, bytestring_to_time(time48)); } @@ -534,8 +534,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_event_16wTime ) { zeek::BifEvent::enqueue_dnp3_analog_input_event_16wTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value, bytestring_to_time(time48)); } 
@@ -548,8 +548,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_event_SPwoTime ) { zeek::BifEvent::enqueue_dnp3_analog_input_event_SPwoTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value); } @@ -562,8 +562,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_event_DPwoTime ) { zeek::BifEvent::enqueue_dnp3_analog_input_event_DPwoTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value_low, value_high); } @@ -576,8 +576,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_event_SPwTime ) { zeek::BifEvent::enqueue_dnp3_analog_input_event_SPwTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value, bytestring_to_time(time48)); } @@ -590,8 +590,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_analog_input_event_DPwTime ) { zeek::BifEvent::enqueue_dnp3_analog_input_event_DPwTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, value_low, value_high, bytestring_to_time(time48)); } @@ -604,8 +604,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_event_32woTime ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_32woTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value); } 
@@ -618,8 +618,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_event_16woTime ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_16woTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value); } @@ -632,8 +632,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_event_32wTime ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_32wTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value, bytestring_to_time(time48)); } @@ -646,8 +646,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_event_16wTime ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_16wTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value, bytestring_to_time(time48)); } @@ -660,8 +660,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_event_SPwoTime ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwoTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value); } @@ -674,8 +674,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_event_DPwoTime ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwoTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value_low, frozen_value_high); } 
@@ -688,8 +688,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_event_SPwTime ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value, bytestring_to_time(time48)); } @@ -702,8 +702,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_frozen_analog_input_event_DPwTime ) { zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwTime( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48)); } @@ -716,8 +716,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_file_transport ) { zeek::BifEvent::enqueue_dnp3_file_transport( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), file_handle, block_num, to_stringval(file_data)); } @@ -730,8 +730,8 @@ flow DNP3_Flow(is_orig: bool) { if ( ::dnp3_debug_byte ) { zeek::BifEvent::enqueue_dnp3_debug_byte ( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), to_stringval(debug)); } @@ -986,4 +986,3 @@ refine typeattr File_Transport += &let { refine typeattr Debug_Byte += &let { process_request: bool = $context.flow.get_dnp3_debug_byte(debug); }; - diff --git a/src/analyzer/protocol/dnp3/dnp3-objects.pac b/src/analyzer/protocol/dnp3/dnp3-objects.pac index 3aabe07e2a..af0cf7b81b 100644 --- a/src/analyzer/protocol/dnp3/dnp3-objects.pac +++ b/src/analyzer/protocol/dnp3/dnp3-objects.pac 
@@ -616,7 +616,7 @@ type Response_Data_Object(function_code: uint8, qualifier_field: uint8, object_t }; } &let{ - data_value: uint8 = case (object_type_field) of { # this data_value is used for the Bro Event + data_value: uint8 = case (object_type_field) of { # this data_value is used for the Zeek Event 0x0101 -> biwoflag; 0x0102 -> biwflag; 0x0a01 -> bowoflag; @@ -1504,4 +1504,3 @@ type UpdateKeySig(prefix: uint16) = record { type UpdateKeyCon(prefix: uint16) = record { mac: bytestring &length = prefix; } &byteorder = littleendian; - diff --git a/src/analyzer/protocol/dnp3/dnp3-protocol.pac b/src/analyzer/protocol/dnp3/dnp3-protocol.pac index 5c20379c8b..c0bd39b663 100644 --- a/src/analyzer/protocol/dnp3/dnp3-protocol.pac +++ b/src/analyzer/protocol/dnp3/dnp3-protocol.pac @@ -17,7 +17,7 @@ type Header_Block = record { } &byteorder = littleendian; type DNP3_Request = record { - addin_header: Header_Block; ## added by Hui Lin in Bro code + addin_header: Header_Block; ## added by Hui Lin in Zeek code app_header: DNP3_Application_Request_Header; data: case ( app_header.function_code ) of { CONFIRM -> none_coonfirm: empty; diff --git a/src/analyzer/protocol/dnp3/dnp3.pac b/src/analyzer/protocol/dnp3/dnp3.pac index 57005fd8e1..4c3169f669 100644 --- a/src/analyzer/protocol/dnp3/dnp3.pac +++ b/src/analyzer/protocol/dnp3/dnp3.pac @@ -1,6 +1,6 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" @@ -13,4 +13,3 @@ analyzer DNP3 withcontext { %include dnp3-protocol.pac %include dnp3-analyzer.pac - diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index ec33e72d04..fee8bf73f3 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -3,7 +3,7 @@ #pragma once #include "analyzer/protocol/tcp/TCP.h" -#include "binpac_bro.h" +#include "binpac_zeek.h" namespace zeek::analyzer::dns { namespace detail { 
diff --git a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac index 9a01244455..42a098b383 100644 --- a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac +++ b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac @@ -34,7 +34,7 @@ refine connection GSSAPI_Conn += { { // ntlmssp if ( ! ntlm ) - ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); + ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn()); if ( ntlm ) ntlm->DeliverStream(${val.ntlm}.length(), @@ -44,7 +44,7 @@ refine connection GSSAPI_Conn += { else if ( ${val.has_krb} ) { if ( ! krb5 ) - krb5 = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn()); + krb5 = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn()); if ( krb5 ) // accepting all KRB types (REQ, REP, etc) { @@ -61,8 +61,8 @@ refine connection GSSAPI_Conn += { %{ if ( gssapi_neg_result ) { - zeek::BifEvent::enqueue_gssapi_neg_result(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_gssapi_neg_result(zeek_analyzer(), + zeek_analyzer()->Conn(), binary_to_int64(${val.neg_state.encoding.content})); } diff --git a/src/analyzer/protocol/gssapi/gssapi.pac b/src/analyzer/protocol/gssapi/gssapi.pac index 55b7fe4255..b3c8c5023f 100644 --- a/src/analyzer/protocol/gssapi/gssapi.pac +++ b/src/analyzer/protocol/gssapi/gssapi.pac @@ -1,5 +1,5 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "analyzer/Manager.h" @@ -13,7 +13,7 @@ analyzer GSSAPI withcontext { flow : GSSAPI_Flow; }; -connection GSSAPI_Conn(bro_analyzer: BroAnalyzer) { +connection GSSAPI_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = GSSAPI_Flow(true); downflow = GSSAPI_Flow(false); }; diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac index dd33d639f3..ba51153519 100644 --- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac 
+++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac @@ -233,7 +233,7 @@ static zeek::ValPtr BuildTeardownInd(const InformationElement* ie) return zeek::val_mgr->Bool(ie->teardown_ind()->ind()); } -void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) +void CreatePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu) { if ( ! ::gtpv1_create_pdp_ctx_request ) return; @@ -332,7 +332,7 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) BuildGTPv1Hdr(pdu), std::move(rv)); } -void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) +void CreatePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu) { if ( ! ::gtpv1_create_pdp_ctx_response ) return; @@ -401,7 +401,7 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) BuildGTPv1Hdr(pdu), std::move(rv)); } -void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) +void UpdatePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu) { if ( ! ::gtpv1_update_pdp_ctx_request ) return; @@ -479,7 +479,7 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) BuildGTPv1Hdr(pdu), std::move(rv)); } -void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) +void UpdatePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu) { if ( ! ::gtpv1_update_pdp_ctx_response ) return; @@ -539,7 +539,7 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) BuildGTPv1Hdr(pdu), std::move(rv)); } -void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) +void DeletePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu) { if ( ! ::gtpv1_delete_pdp_ctx_request ) return; 
@@ -573,7 +573,7 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) BuildGTPv1Hdr(pdu), std::move(rv)); } -void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) +void DeletePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu) { if ( ! ::gtpv1_delete_pdp_ctx_response ) return; @@ -605,7 +605,7 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) } %} -connection GTPv1_Conn(bro_analyzer: BroAnalyzer) +connection GTPv1_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = GTPv1_Flow(true); downflow = GTPv1_Flow(false); @@ -639,14 +639,14 @@ flow GTPv1_Flow(is_orig: bool) function violate(r: string, pdu: GTPv1_Header): void %{ - BroAnalyzer a = connection()->bro_analyzer(); + ZeekAnalyzer a = connection()->zeek_analyzer(); const_bytestring b = ${pdu.sourcedata}; a->ProtocolViolation(r.c_str(), (const char*) b.begin(), b.length()); %} function process_gtpv1(pdu: GTPv1_Header): bool %{ - BroAnalyzer a = connection()->bro_analyzer(); + ZeekAnalyzer a = connection()->zeek_analyzer(); zeek::Connection* c = a->Conn(); const zeek::EncapsulationStack* e = c->GetEncapsulation(); @@ -711,7 +711,7 @@ flow GTPv1_Flow(is_orig: bool) function process_g_pdu(pdu: GTPv1_Header): bool %{ - BroAnalyzer a = connection()->bro_analyzer(); + ZeekAnalyzer a = connection()->zeek_analyzer(); zeek::Connection* c = a->Conn(); const zeek::EncapsulationStack* e = c->GetEncapsulation(); diff --git a/src/analyzer/protocol/gtpv1/gtpv1.pac b/src/analyzer/protocol/gtpv1/gtpv1.pac index 6223df22d6..15cccfc89a 100644 --- a/src/analyzer/protocol/gtpv1/gtpv1.pac +++ b/src/analyzer/protocol/gtpv1/gtpv1.pac @@ -1,5 +1,5 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "IP.h" diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h index 70af9187fd..e3134f488e 100644 --- a/src/analyzer/protocol/http/HTTP.h +++ b/src/analyzer/protocol/http/HTTP.h 
@@ -7,7 +7,7 @@ #include "analyzer/protocol/pia/PIA.h" #include "analyzer/protocol/zip/ZIP.h" #include "analyzer/protocol/mime/MIME.h" -#include "binpac_bro.h" +#include "binpac_zeek.h" #include "IPAddr.h" #include "analyzer/protocol/http/events.bif.h" diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac index a8d4af8dc4..ca50de03a5 100644 --- a/src/analyzer/protocol/imap/imap-analyzer.pac +++ b/src/analyzer/protocol/imap/imap-analyzer.pac @@ -17,23 +17,23 @@ refine connection IMAP_Conn += { //printf("imap %s %s\n", commands.c_str(), tags.c_str()); if ( !is_orig && tags == "*" && commands == "ok" ) - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); if ( is_orig && ( command == "capability" || commands == "starttls" ) ) - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); if ( command == "authenticate" || command == "login" || command == "examine" || command == "create" || command == "list" || command == "fetch" ) { - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); // Handshake has passed the phase where we should see StartTLS. Simply skip from hereon... - bro_analyzer()->SetSkip(true); + zeek_analyzer()->SetSkip(true); return true; } if ( is_orig && commands == "starttls" ) { if ( !client_starttls_id.empty() ) - zeek::reporter->Weird(bro_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS"); + zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS"); client_starttls_id = tags; } 
@@ -42,13 +42,13 @@ refine connection IMAP_Conn += { { if ( commands == "ok" ) { - bro_analyzer()->StartTLS(); + zeek_analyzer()->StartTLS(); if ( imap_starttls ) - zeek::BifEvent::enqueue_imap_starttls(bro_analyzer(), bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_imap_starttls(zeek_analyzer(), zeek_analyzer()->Conn()); } else - zeek::reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS"); + zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: server refused StartTLS"); } return true; @@ -67,7 +67,7 @@ refine connection IMAP_Conn += { capv->Assign(i, zeek::make_intrusive(capability.length(), (const char*)capability.data())); } - zeek::BifEvent::enqueue_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), std::move(capv)); + zeek::BifEvent::enqueue_imap_capabilities(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(capv)); return true; %} diff --git a/src/analyzer/protocol/imap/imap.pac b/src/analyzer/protocol/imap/imap.pac index 0c2256d732..c663d69f34 100644 --- a/src/analyzer/protocol/imap/imap.pac +++ b/src/analyzer/protocol/imap/imap.pac @@ -4,7 +4,7 @@ # till StartTLS does (or does not) kick in. %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "zeek-config.h" @@ -25,7 +25,7 @@ analyzer IMAP withcontext { flow: IMAP_Flow; }; -connection IMAP_Conn(bro_analyzer: IMAPAnalyzer) { +connection IMAP_Conn(zeek_analyzer: IMAPAnalyzer) { upflow = IMAP_Flow(true); downflow = IMAP_Flow(false); }; diff --git a/src/analyzer/protocol/krb/krb-analyzer.pac b/src/analyzer/protocol/krb/krb-analyzer.pac index 94883b353b..70074fd9d3 100644 --- a/src/analyzer/protocol/krb/krb-analyzer.pac +++ b/src/analyzer/protocol/krb/krb-analyzer.pac 
@@ -1,6 +1,6 @@ %header{ zeek::RecordValPtr proc_krb_kdc_options(const KRB_KDC_Options* opts); -zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyzer bro_analyzer); +zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const ZeekAnalyzer zeek_analyzer); bool proc_error_arguments(zeek::RecordVal* rv, const std::vector* args, int64 error_code); %} @@ -27,7 +27,7 @@ zeek::RecordValPtr proc_krb_kdc_options(const KRB_KDC_Options* opts) return rv; } -zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyzer bro_analyzer) +zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const ZeekAnalyzer zeek_analyzer) { auto rv = zeek::make_intrusive(zeek::BifType::Record::KRB::KDC_Request); @@ -35,7 +35,7 @@ zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyze rv->Assign(1, asn1_integer_to_val(msg->msg_type()->data(), zeek::TYPE_COUNT)); if ( msg->padata()->has_padata() ) - rv->Assign(2, proc_padata(msg->padata()->padata()->padata(), bro_analyzer, false)); + rv->Assign(2, proc_padata(msg->padata()->padata()->padata(), zeek_analyzer, false)); for ( uint i = 0; i < msg->body_args()->size(); ++i ) { @@ -73,7 +73,7 @@ zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyze break; case 9: if ( element->data()->addrs()->addresses()->size() ) - rv->Assign(12, proc_host_address_list(bro_analyzer, element->data()->addrs())); + rv->Assign(12, proc_host_address_list(zeek_analyzer, element->data()->addrs())); break; case 10: @@ -171,7 +171,7 @@ refine connection KRB_Conn += { function proc_krb_kdc_req_msg(msg: KRB_KDC_REQ): bool %{ - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); auto msg_type = binary_to_int64(${msg.msg_type.data.content}); if ( msg_type == 10 ) 
@@ -179,8 +179,8 @@ refine connection KRB_Conn += { if ( ! krb_as_request ) return false; - auto rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer()); - zeek::BifEvent::enqueue_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv)); + auto rv = proc_krb_kdc_req_arguments(${msg}, zeek_analyzer()); + zeek::BifEvent::enqueue_krb_as_request(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(rv)); return true; } @@ -189,8 +189,8 @@ refine connection KRB_Conn += { if ( ! krb_tgs_request ) return false; - auto rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer()); - zeek::BifEvent::enqueue_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv)); + auto rv = proc_krb_kdc_req_arguments(${msg}, zeek_analyzer()); + zeek::BifEvent::enqueue_krb_tgs_request(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(rv)); return true; } @@ -199,7 +199,7 @@ refine connection KRB_Conn += { function proc_krb_kdc_rep_msg(msg: KRB_KDC_REP): bool %{ - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); auto msg_type = binary_to_int64(${msg.msg_type.data.content}); auto make_arg = [this, msg]() -> zeek::RecordValPtr { @@ -209,7 +209,7 @@ refine connection KRB_Conn += { rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, zeek::TYPE_COUNT)); if ( ${msg.padata.has_padata} ) - rv->Assign(2, proc_padata(${msg.padata.padata.padata}, bro_analyzer(), false)); + rv->Assign(2, proc_padata(${msg.padata.padata.padata}, zeek_analyzer(), false)); rv->Assign(3, to_stringval(${msg.client_realm.encoding.content})); rv->Assign(4, GetStringFromPrincipalName(${msg.client_name})); @@ -223,7 +223,7 @@ refine connection KRB_Conn += { if ( ! krb_as_response ) return false; - zeek::BifEvent::enqueue_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg()); + zeek::BifEvent::enqueue_krb_as_response(zeek_analyzer(), zeek_analyzer()->Conn(), make_arg()); return true; } 
@@ -232,7 +232,7 @@ refine connection KRB_Conn += { if ( ! krb_tgs_response ) return false; - zeek::BifEvent::enqueue_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg()); + zeek::BifEvent::enqueue_krb_tgs_response(zeek_analyzer(), zeek_analyzer()->Conn(), make_arg()); return true; } @@ -241,21 +241,21 @@ refine connection KRB_Conn += { function proc_krb_error_msg(msg: KRB_ERROR_MSG): bool %{ - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); if ( krb_error ) { auto rv = zeek::make_intrusive(zeek::BifType::Record::KRB::Error_Msg); proc_error_arguments(rv.get(), ${msg.args1}, 0); rv->Assign(4, asn1_integer_to_val(${msg.error_code}, zeek::TYPE_COUNT)); proc_error_arguments(rv.get(), ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content})); - zeek::BifEvent::enqueue_krb_error(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv)); + zeek::BifEvent::enqueue_krb_error(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(rv)); } return true; %} function proc_krb_ap_req_msg(msg: KRB_AP_REQ): bool %{ - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); if ( krb_ap_request ) { auto rv = zeek::make_intrusive(zeek::BifType::Record::KRB::AP_Options); 
@@ -263,12 +263,12 @@ refine connection KRB_Conn += { rv->Assign(1, zeek::val_mgr->Bool(${msg.ap_options.mutual_required})); auto rvticket = proc_ticket(${msg.ticket}); - auto authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->GetField(2)->AsString(), rvticket->GetField(4)->AsString(), rvticket->GetField(3)->AsCount()); + auto authenticationinfo = zeek_analyzer()->GetAuthenticationInfo(rvticket->GetField(2)->AsString(), rvticket->GetField(4)->AsString(), rvticket->GetField(3)->AsCount()); if ( authenticationinfo ) rvticket->Assign(5, authenticationinfo); - zeek::BifEvent::enqueue_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_krb_ap_request(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(rvticket), std::move(rv)); } return true; @@ -276,17 +276,17 @@ refine connection KRB_Conn += { function proc_krb_ap_rep_msg(msg: KRB_AP_REP): bool %{ - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); if ( krb_ap_response ) { - zeek::BifEvent::enqueue_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_krb_ap_response(zeek_analyzer(), zeek_analyzer()->Conn()); } return true; %} function proc_krb_safe_msg(msg: KRB_SAFE_MSG): bool %{ - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); if ( krb_safe ) { auto rv = zeek::make_intrusive(zeek::BifType::Record::KRB::SAFE_Msg); 
@@ -328,36 +328,36 @@ refine connection KRB_Conn += { rv->Assign(5, asn1_integer_to_val(${msg.safe_body.args[i].args.seq_number}, zeek::TYPE_COUNT)); break; case 4: - rv->Assign(6, proc_host_address(bro_analyzer(), ${msg.safe_body.args[i].args.sender_addr})); + rv->Assign(6, proc_host_address(zeek_analyzer(), ${msg.safe_body.args[i].args.sender_addr})); break; case 5: - rv->Assign(7, proc_host_address(bro_analyzer(), ${msg.safe_body.args[i].args.recp_addr})); + rv->Assign(7, proc_host_address(zeek_analyzer(), ${msg.safe_body.args[i].args.recp_addr})); break; default: break; } } - zeek::BifEvent::enqueue_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, std::move(rv)); + zeek::BifEvent::enqueue_krb_safe(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig}, std::move(rv)); } return true; %} function proc_krb_priv_msg(msg: KRB_PRIV_MSG): bool %{ - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); if ( krb_priv ) { - zeek::BifEvent::enqueue_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}); + zeek::BifEvent::enqueue_krb_priv(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig}); } return true; %} function proc_krb_cred_msg(msg: KRB_CRED_MSG): bool %{ - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); if ( krb_cred ) { - zeek::BifEvent::enqueue_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, + zeek::BifEvent::enqueue_krb_cred(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig}, proc_tickets(${msg.tickets})); } return true; diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac index 1e54f37cde..a6a389d435 100644 --- a/src/analyzer/protocol/krb/krb-padata.pac +++ b/src/analyzer/protocol/krb/krb-padata.pac 
@@ -7,11 +7,11 @@ %} %header{ -zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_analyzer, bool is_error); +zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnalyzer zeek_analyzer, bool is_error); %} %code{ -zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_analyzer, bool is_error) +zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnalyzer zeek_analyzer, bool is_error) { auto vv = zeek::make_intrusive(zeek::id::find_type("KRB::Type_Value_Vector")); @@ -64,10 +64,10 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz zeek::ODesc common; common.AddRaw("Analyzer::ANALYZER_KRB"); - common.Add(bro_analyzer->Conn()->StartTime()); + common.Add(zeek_analyzer->Conn()->StartTime()); // Request means is_orig=T common.AddRaw("T", 1); - bro_analyzer->Conn()->IDString(&common); + zeek_analyzer->Conn()->IDString(&common); zeek::ODesc file_handle; file_handle.Add(common.Description()); @@ -76,8 +76,8 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), true, file_id, + cert.length(), zeek_analyzer->GetAnalyzerTag(), + zeek_analyzer->Conn(), true, file_id, "application/x-x509-user-cert"); zeek::file_mgr->EndOfFile(file_id); @@ -89,10 +89,10 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz zeek::ODesc common; common.AddRaw("Analyzer::ANALYZER_KRB"); - common.Add(bro_analyzer->Conn()->StartTime()); + common.Add(zeek_analyzer->Conn()->StartTime()); // Response means is_orig=F common.AddRaw("F", 1); - bro_analyzer->Conn()->IDString(&common); + zeek_analyzer->Conn()->IDString(&common); zeek::ODesc file_handle; file_handle.Add(common.Description()); 
@@ -101,8 +101,8 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), false, file_id, + cert.length(), zeek_analyzer->GetAnalyzerTag(), + zeek_analyzer->Conn(), false, file_id, "application/x-x509-user-cert"); zeek::file_mgr->EndOfFile(file_id); diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac index 071a336200..397924c4bb 100644 --- a/src/analyzer/protocol/krb/krb-types.pac +++ b/src/analyzer/protocol/krb/krb-types.pac @@ -5,8 +5,8 @@ zeek::ValPtr GetStringFromPrincipalName(const KRB_Principal_Name* pname); zeek::VectorValPtr proc_cipher_list(const Array* list); -zeek::VectorValPtr proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list); -zeek::RecordValPtr proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr); +zeek::VectorValPtr proc_host_address_list(const ZeekAnalyzer a, const KRB_Host_Addresses* list); +zeek::RecordValPtr proc_host_address(const ZeekAnalyzer a, const KRB_Host_Address* addr); zeek::VectorValPtr proc_tickets(const KRB_Ticket_Sequence* list); zeek::RecordValPtr proc_ticket(const KRB_Ticket* ticket); @@ -33,7 +33,7 @@ zeek::VectorValPtr proc_cipher_list(const Array* list) return ciphers; } -zeek::VectorValPtr proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list) +zeek::VectorValPtr proc_host_address_list(const ZeekAnalyzer a, const KRB_Host_Addresses* list) { auto addrs = zeek::make_intrusive(zeek::id::find_type("KRB::Host_Address_Vector")); 
@@ -45,7 +45,7 @@ zeek::VectorValPtr proc_host_address_list(const BroAnalyzer a, const KRB_Host_Ad return addrs; } -zeek::RecordValPtr proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr) +zeek::RecordValPtr proc_host_address(const ZeekAnalyzer a, const KRB_Host_Address* addr) { auto rv = zeek::make_intrusive(zeek::BifType::Record::KRB::Host_Address); const auto& addr_bytes = addr->address()->data()->content(); diff --git a/src/analyzer/protocol/krb/krb.pac b/src/analyzer/protocol/krb/krb.pac index 745caceff0..cf9095d0ae 100644 --- a/src/analyzer/protocol/krb/krb.pac +++ b/src/analyzer/protocol/krb/krb.pac @@ -1,5 +1,5 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "zeek-config.h" @@ -20,7 +20,7 @@ analyzer KRB withcontext { flow: KRB_Flow; }; -connection KRB_Conn(bro_analyzer: KRBAnalyzer) { +connection KRB_Conn(zeek_analyzer: KRBAnalyzer) { upflow = KRB_Flow(true); downflow = KRB_Flow(false); }; diff --git a/src/analyzer/protocol/krb/krb_TCP.pac b/src/analyzer/protocol/krb/krb_TCP.pac index f52c07f2a0..083b28ada4 100644 --- a/src/analyzer/protocol/krb/krb_TCP.pac +++ b/src/analyzer/protocol/krb/krb_TCP.pac @@ -1,5 +1,5 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "zeek-config.h" @@ -20,7 +20,7 @@ analyzer KRB_TCP withcontext { flow: KRB_Flow; }; -connection KRB_Conn(bro_analyzer: KRBTCPAnalyzer) { +connection KRB_Conn(zeek_analyzer: KRBTCPAnalyzer) { upflow = KRB_Flow(true); downflow = KRB_Flow(false); }; diff --git a/src/analyzer/protocol/modbus/modbus-analyzer.pac b/src/analyzer/protocol/modbus/modbus-analyzer.pac index 4f34184a05..5701529272 100644 --- a/src/analyzer/protocol/modbus/modbus-analyzer.pac +++ b/src/analyzer/protocol/modbus/modbus-analyzer.pac 
@@ -1,5 +1,5 @@ # -# The development of Bro's Modbus analyzer has been made possible thanks to +# The development of Zeek's Modbus analyzer has been made possible thanks to # the support of the Ministry of Security and Justice of the Kingdom of the # Netherlands within the projects of Hermes, Castor and Midas. # @@ -88,8 +88,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_message ) { - zeek::BifEvent::enqueue_modbus_message(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_message(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), is_orig()); } @@ -106,7 +106,7 @@ refine flow ModbusTCP_Flow += { if ( ! connection()->IsConfirmed() ) { connection()->SetConfirmed(); - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); } return true; @@ -117,8 +117,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_exception ) { - zeek::BifEvent::enqueue_modbus_exception(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_exception(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.code}); } @@ -131,8 +131,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_read_coils_request ) { - zeek::BifEvent::enqueue_modbus_read_coils_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_coils_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.start_address}, ${message.quantity}); 
@@ -146,8 +146,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_read_coils_response ) { - zeek::BifEvent::enqueue_modbus_read_coils_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_coils_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), bytestring_to_coils(${message.bits}, ${message.bits}.length()*8)); } @@ -159,8 +159,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_read_discrete_inputs_request ) { - zeek::BifEvent::enqueue_modbus_read_discrete_inputs_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_discrete_inputs_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.start_address}, ${message.quantity}); } @@ -173,8 +173,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_read_discrete_inputs_response ) { - zeek::BifEvent::enqueue_modbus_read_discrete_inputs_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_discrete_inputs_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), bytestring_to_coils(${message.bits}, ${message.bits}.length()*8)); } @@ -188,8 +188,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_read_holding_registers_request ) { - zeek::BifEvent::enqueue_modbus_read_holding_registers_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_holding_registers_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.start_address}, ${message.quantity}); } 
@@ -202,7 +202,7 @@ refine flow ModbusTCP_Flow += { %{ if ( ${message.byte_count} % 2 != 0 ) { - connection()->bro_analyzer()->ProtocolViolation( + connection()->zeek_analyzer()->ProtocolViolation( zeek::util::fmt("invalid value for modbus read holding register response byte count %d", ${message.byte_count})); return false; } @@ -217,8 +217,8 @@ refine flow ModbusTCP_Flow += { t->Assign(i, r); } - zeek::BifEvent::enqueue_modbus_read_holding_registers_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_holding_registers_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), std::move(t)); } @@ -232,8 +232,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_read_input_registers_request ) { - zeek::BifEvent::enqueue_modbus_read_input_registers_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_input_registers_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.start_address}, ${message.quantity}); } @@ -246,7 +246,7 @@ refine flow ModbusTCP_Flow += { %{ if ( ${message.byte_count} % 2 != 0 ) { - connection()->bro_analyzer()->ProtocolViolation( + connection()->zeek_analyzer()->ProtocolViolation( zeek::util::fmt("invalid value for modbus read input register response byte count %d", ${message.byte_count})); return false; } @@ -261,8 +261,8 @@ refine flow ModbusTCP_Flow += { t->Assign(i, r); } - zeek::BifEvent::enqueue_modbus_read_input_registers_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_input_registers_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), std::move(t)); } 
@@ -283,13 +283,13 @@ refine flow ModbusTCP_Flow += { val = 1; else { - connection()->bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil request %d", + connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil request %d", ${message.value})); return false; } - zeek::BifEvent::enqueue_modbus_write_single_coil_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_write_single_coil_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.address}, val); @@ -310,13 +310,13 @@ refine flow ModbusTCP_Flow += { val = 1; else { - connection()->bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil response %d", + connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil response %d", ${message.value})); return false; } - zeek::BifEvent::enqueue_modbus_write_single_coil_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_write_single_coil_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.address}, val); @@ -331,8 +331,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_write_single_register_request ) { - zeek::BifEvent::enqueue_modbus_write_single_register_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_write_single_register_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.address}, ${message.value}); } 
@@ -345,8 +345,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_write_single_register_response ) { - zeek::BifEvent::enqueue_modbus_write_single_register_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_write_single_register_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.address}, ${message.value}); } @@ -360,8 +360,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_write_multiple_coils_request ) { - zeek::BifEvent::enqueue_modbus_write_multiple_coils_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_write_multiple_coils_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.start_address}, bytestring_to_coils(${message.coils}, ${message.quantity})); @@ -375,8 +375,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_write_multiple_coils_response ) { - zeek::BifEvent::enqueue_modbus_write_multiple_coils_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_write_multiple_coils_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.start_address}, ${message.quantity}); } @@ -390,7 +390,7 @@ refine flow ModbusTCP_Flow += { %{ if ( ${message.byte_count} % 2 != 0 ) { - connection()->bro_analyzer()->ProtocolViolation( + connection()->zeek_analyzer()->ProtocolViolation( zeek::util::fmt("invalid value for modbus write multiple registers request byte count %d", ${message.byte_count})); return false; } 
@@ -405,8 +405,8 @@ refine flow ModbusTCP_Flow += { t->Assign(i, r); } - zeek::BifEvent::enqueue_modbus_write_multiple_registers_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_write_multiple_registers_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.start_address}, std::move(t)); } @@ -419,8 +419,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_write_multiple_registers_response ) { - zeek::BifEvent::enqueue_modbus_write_multiple_registers_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_write_multiple_registers_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.start_address}, ${message.quantity}); } @@ -447,8 +447,8 @@ refine flow ModbusTCP_Flow += { // t->Assign(i, l); // } - zeek::BifEvent::enqueue_modbus_read_file_record_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_file_record_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header)); } @@ -468,8 +468,8 @@ refine flow ModbusTCP_Flow += { // t->Assign(i, r); // } - zeek::BifEvent::enqueue_modbus_read_file_record_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_file_record_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header)); } @@ -500,8 +500,8 @@ refine flow ModbusTCP_Flow += { // } // } - zeek::BifEvent::enqueue_modbus_write_file_record_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_write_file_record_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header)); } 
@@ -532,8 +532,8 @@ refine flow ModbusTCP_Flow += { // t->Assign(i, k); // } - zeek::BifEvent::enqueue_modbus_write_file_record_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_write_file_record_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header)); } @@ -545,8 +545,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_mask_write_register_request ) { - zeek::BifEvent::enqueue_modbus_mask_write_register_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_mask_write_register_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.address}, ${message.and_mask}, ${message.or_mask}); @@ -560,8 +560,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_mask_write_register_response ) { - zeek::BifEvent::enqueue_modbus_mask_write_register_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_mask_write_register_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.address}, ${message.and_mask}, ${message.or_mask}); @@ -575,7 +575,7 @@ refine flow ModbusTCP_Flow += { %{ if ( ${message.write_byte_count} % 2 != 0 ) { - connection()->bro_analyzer()->ProtocolViolation( + connection()->zeek_analyzer()->ProtocolViolation( zeek::util::fmt("invalid value for modbus read write multiple registers request write byte count %d", ${message.write_byte_count})); return false; } 
@@ -590,8 +590,8 @@ refine flow ModbusTCP_Flow += { t->Assign(i, r); } - zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.read_start_address}, ${message.read_quantity}, @@ -607,7 +607,7 @@ refine flow ModbusTCP_Flow += { %{ if ( ${message.byte_count} % 2 != 0 ) { - connection()->bro_analyzer()->ProtocolViolation( + connection()->zeek_analyzer()->ProtocolViolation( zeek::util::fmt("invalid value for modbus read write multiple registers response byte count %d", ${message.byte_count})); return false; } @@ -622,8 +622,8 @@ refine flow ModbusTCP_Flow += { t->Assign(i, r); } - zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), std::move(t)); } @@ -636,8 +636,8 @@ refine flow ModbusTCP_Flow += { %{ if ( ::modbus_read_fifo_queue_request ) { - zeek::BifEvent::enqueue_modbus_read_fifo_queue_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_fifo_queue_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), ${message.start_address}); } @@ -651,7 +651,7 @@ refine flow ModbusTCP_Flow += { %{ if ( ${message.byte_count} % 2 != 0 ) { - connection()->bro_analyzer()->ProtocolViolation( + connection()->zeek_analyzer()->ProtocolViolation( zeek::util::fmt("invalid value for modbus read FIFO queue response byte count %d", ${message.byte_count})); return false; } 
@@ -666,8 +666,8 @@ refine flow ModbusTCP_Flow += { t->Assign(i, r); } - zeek::BifEvent::enqueue_modbus_read_fifo_queue_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_modbus_read_fifo_queue_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), HeaderToVal(header), std::move(t)); } diff --git a/src/analyzer/protocol/modbus/modbus-protocol.pac b/src/analyzer/protocol/modbus/modbus-protocol.pac index e49b1c62e6..d804780f5e 100644 --- a/src/analyzer/protocol/modbus/modbus-protocol.pac +++ b/src/analyzer/protocol/modbus/modbus-protocol.pac @@ -1,5 +1,5 @@ # -# The development of Bro's Modbus analyzer has been made possible thanks to +# The development of Zeek's Modbus analyzer has been made possible thanks to # the support of the Ministry of Security and Justice of the Kingdom of the # Netherlands within the projects of Hermes, Castor and Midas. # @@ -270,7 +270,7 @@ type WriteMultipleRegistersRequest(header: ModbusTCP_TransportHeader) = record { start_address: uint16; quantity: uint16; byte_count: uint8; - # We specify registers buffer with quantity and byte_count so that the analyzer + # We specify registers buffer with quantity and byte_count so that the analyzer # will choke if something doesn't match right (correct devices should make it right). registers: uint16[quantity] &length=byte_count; } &let { diff --git a/src/analyzer/protocol/modbus/modbus.pac b/src/analyzer/protocol/modbus/modbus.pac index 28b657abc5..6f94e1c43b 100644 --- a/src/analyzer/protocol/modbus/modbus.pac +++ b/src/analyzer/protocol/modbus/modbus.pac @@ -1,5 +1,5 @@ # -# The development of Bro's Modbus analyzer has been made possible thanks to +# The development of Zeek's Modbus analyzer has been made possible thanks to # the support of the Ministry of Security and Justice of the Kingdom of the # Netherlands within the projects of Hermes, Castor and Midas. # 
@@ -7,7 +7,7 @@ # http://www.simplymodbus.ca/faq.htm %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" @@ -18,7 +18,7 @@ analyzer ModbusTCP withcontext { flow: ModbusTCP_Flow; }; -connection ModbusTCP_Conn(bro_analyzer: BroAnalyzer) { +connection ModbusTCP_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = ModbusTCP_Flow(true); downflow = ModbusTCP_Flow(false); }; diff --git a/src/analyzer/protocol/mqtt/commands/connack.pac b/src/analyzer/protocol/mqtt/commands/connack.pac index ae7619ba3b..dcc8da5858 100644 --- a/src/analyzer/protocol/mqtt/commands/connack.pac +++ b/src/analyzer/protocol/mqtt/commands/connack.pac @@ -18,8 +18,8 @@ refine flow MQTT_Flow += { auto m = zeek::make_intrusive(zeek::BifType::Record::MQTT::ConnectAckMsg); m->Assign(0, zeek::val_mgr->Count(${msg.return_code})); m->Assign(1, zeek::val_mgr->Bool(${msg.session_present})); - zeek::BifEvent::enqueue_mqtt_connack(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mqtt_connack(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), std::move(m)); } diff --git a/src/analyzer/protocol/mqtt/commands/connect.pac b/src/analyzer/protocol/mqtt/commands/connect.pac index 84fddf0eb3..b6db5864f7 100644 --- a/src/analyzer/protocol/mqtt/commands/connect.pac +++ b/src/analyzer/protocol/mqtt/commands/connect.pac @@ -75,13 +75,13 @@ refine flow MQTT_Flow += { reinterpret_cast(${msg.pass.str}.begin()))); } - zeek::BifEvent::enqueue_mqtt_connect(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mqtt_connect(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), std::move(m)); } // If a connect message was seen, let's say that confirms it. - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); return true; %} }; 
diff --git a/src/analyzer/protocol/mqtt/commands/disconnect.pac b/src/analyzer/protocol/mqtt/commands/disconnect.pac index 8a3050a3a9..6ada0002b6 100644 --- a/src/analyzer/protocol/mqtt/commands/disconnect.pac +++ b/src/analyzer/protocol/mqtt/commands/disconnect.pac @@ -11,8 +11,8 @@ refine flow MQTT_Flow += { %{ if ( mqtt_disconnect ) { - zeek::BifEvent::enqueue_mqtt_disconnect(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_mqtt_disconnect(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn()); } return true; diff --git a/src/analyzer/protocol/mqtt/commands/pingreq.pac b/src/analyzer/protocol/mqtt/commands/pingreq.pac index 3aad0b854d..a8c49f5708 100644 --- a/src/analyzer/protocol/mqtt/commands/pingreq.pac +++ b/src/analyzer/protocol/mqtt/commands/pingreq.pac @@ -11,8 +11,8 @@ refine flow MQTT_Flow += { %{ if ( mqtt_pingreq ) { - zeek::BifEvent::enqueue_mqtt_pingreq(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_mqtt_pingreq(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn()); } return true; diff --git a/src/analyzer/protocol/mqtt/commands/pingresp.pac b/src/analyzer/protocol/mqtt/commands/pingresp.pac index dc0cb227ba..82422f3cf8 100644 --- a/src/analyzer/protocol/mqtt/commands/pingresp.pac +++ b/src/analyzer/protocol/mqtt/commands/pingresp.pac @@ -11,8 +11,8 @@ refine flow MQTT_Flow += { %{ if ( mqtt_pingresp ) { - zeek::BifEvent::enqueue_mqtt_pingresp(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_mqtt_pingresp(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn()); } return true; diff --git a/src/analyzer/protocol/mqtt/commands/puback.pac b/src/analyzer/protocol/mqtt/commands/puback.pac index 1a3e6454fe..961c5ee0ae 100644 --- a/src/analyzer/protocol/mqtt/commands/puback.pac +++ b/src/analyzer/protocol/mqtt/commands/puback.pac 
@@ -13,8 +13,8 @@ refine flow MQTT_Flow += { %{ if ( mqtt_puback ) { - zeek::BifEvent::enqueue_mqtt_puback(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mqtt_puback(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig, ${msg.msg_id}); } diff --git a/src/analyzer/protocol/mqtt/commands/pubcomp.pac b/src/analyzer/protocol/mqtt/commands/pubcomp.pac index 28e5650efe..2513d0f510 100644 --- a/src/analyzer/protocol/mqtt/commands/pubcomp.pac +++ b/src/analyzer/protocol/mqtt/commands/pubcomp.pac @@ -13,8 +13,8 @@ refine flow MQTT_Flow += { %{ if ( mqtt_pubcomp ) { - zeek::BifEvent::enqueue_mqtt_pubcomp(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mqtt_pubcomp(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig, ${msg.msg_id}); } diff --git a/src/analyzer/protocol/mqtt/commands/publish.pac b/src/analyzer/protocol/mqtt/commands/publish.pac index 9ca39273c7..af1513bbb2 100644 --- a/src/analyzer/protocol/mqtt/commands/publish.pac +++ b/src/analyzer/protocol/mqtt/commands/publish.pac @@ -42,15 +42,15 @@ refine flow MQTT_Flow += { m->Assign(5, zeek::val_mgr->Count(${msg.payload}.length())); - zeek::BifEvent::enqueue_mqtt_publish(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mqtt_publish(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${pdu.is_orig}, ${msg.qos} == 0 ? 0 : ${msg.msg_id}, std::move(m)); } // If a publish message was seen, let's say that confirms it. - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); return true; %} diff --git a/src/analyzer/protocol/mqtt/commands/pubrec.pac b/src/analyzer/protocol/mqtt/commands/pubrec.pac index 7aa128ad3c..6e836072ea 100644 --- a/src/analyzer/protocol/mqtt/commands/pubrec.pac +++ b/src/analyzer/protocol/mqtt/commands/pubrec.pac 
@@ -13,8 +13,8 @@ refine flow MQTT_Flow += { %{ if ( mqtt_pubrec ) { - zeek::BifEvent::enqueue_mqtt_pubrec(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mqtt_pubrec(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig, ${msg.msg_id}); } diff --git a/src/analyzer/protocol/mqtt/commands/pubrel.pac b/src/analyzer/protocol/mqtt/commands/pubrel.pac index 1c11d61289..7e40992fdd 100644 --- a/src/analyzer/protocol/mqtt/commands/pubrel.pac +++ b/src/analyzer/protocol/mqtt/commands/pubrel.pac @@ -13,8 +13,8 @@ refine flow MQTT_Flow += { %{ if ( mqtt_pubrel ) { - zeek::BifEvent::enqueue_mqtt_pubrel(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mqtt_pubrel(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig, ${msg.msg_id}); } diff --git a/src/analyzer/protocol/mqtt/commands/suback.pac b/src/analyzer/protocol/mqtt/commands/suback.pac index 79f4d09a05..305e30d95d 100644 --- a/src/analyzer/protocol/mqtt/commands/suback.pac +++ b/src/analyzer/protocol/mqtt/commands/suback.pac @@ -14,8 +14,8 @@ refine flow MQTT_Flow += { %{ if ( mqtt_suback ) { - zeek::BifEvent::enqueue_mqtt_suback(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mqtt_suback(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${msg.msg_id}, ${msg.granted_QoS}); } diff --git a/src/analyzer/protocol/mqtt/commands/subscribe.pac b/src/analyzer/protocol/mqtt/commands/subscribe.pac index bf52a3f29d..bda4c94fe5 100644 --- a/src/analyzer/protocol/mqtt/commands/subscribe.pac +++ b/src/analyzer/protocol/mqtt/commands/subscribe.pac 
@@ -31,8 +31,8 @@ refine flow MQTT_Flow += { qos_levels->Assign(qos_levels->Size(), std::move(qos)); } - zeek::BifEvent::enqueue_mqtt_subscribe(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mqtt_subscribe(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${msg.msg_id}, std::move(topics), std::move(qos_levels)); diff --git a/src/analyzer/protocol/mqtt/commands/unsuback.pac b/src/analyzer/protocol/mqtt/commands/unsuback.pac index 168d55e1bd..ca8c63635e 100644 --- a/src/analyzer/protocol/mqtt/commands/unsuback.pac +++ b/src/analyzer/protocol/mqtt/commands/unsuback.pac @@ -13,8 +13,8 @@ refine flow MQTT_Flow += { %{ if ( mqtt_unsuback ) { - zeek::BifEvent::enqueue_mqtt_unsuback(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mqtt_unsuback(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${msg.msg_id}); } diff --git a/src/analyzer/protocol/mqtt/commands/unsubscribe.pac b/src/analyzer/protocol/mqtt/commands/unsubscribe.pac index f9363efebd..3975fc077c 100644 --- a/src/analyzer/protocol/mqtt/commands/unsubscribe.pac +++ b/src/analyzer/protocol/mqtt/commands/unsubscribe.pac @@ -23,8 +23,8 @@ refine flow MQTT_Flow += { topics->Assign(topics->Size(), std::move(unsubscribe_topic)); } - zeek::BifEvent::enqueue_mqtt_unsubscribe(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mqtt_unsubscribe(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${msg.msg_id}, std::move(topics)); } diff --git a/src/analyzer/protocol/mqtt/mqtt-protocol.pac b/src/analyzer/protocol/mqtt/mqtt-protocol.pac index 768f7b1686..814c477d72 100644 --- a/src/analyzer/protocol/mqtt/mqtt-protocol.pac +++ b/src/analyzer/protocol/mqtt/mqtt-protocol.pac 
@@ -46,7 +46,7 @@ refine connection MQTT_Conn += { if ( vals->size() > 4 ) { - this->bro_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too many bytes"); + this->zeek_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too many bytes"); return 0; } @@ -57,7 +57,7 @@ refine connection MQTT_Conn += { if ( multiplier > 128*128*128 ) { // This is definitely a protocol violation - this->bro_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too large"); + this->zeek_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too large"); return 0; } } @@ -65,4 +65,3 @@ refine connection MQTT_Conn += { return value; %} }; - diff --git a/src/analyzer/protocol/mqtt/mqtt.pac b/src/analyzer/protocol/mqtt/mqtt.pac index 376825c541..2dd5af2b72 100644 --- a/src/analyzer/protocol/mqtt/mqtt.pac +++ b/src/analyzer/protocol/mqtt/mqtt.pac @@ -1,7 +1,7 @@ # Analyzer for MQTT Protocol (currently v3.1.1, no v5.0 support) %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "MQTT.h" @@ -15,7 +15,7 @@ analyzer MQTT withcontext { }; # Our connection consists of two flows, one in each direction. -connection MQTT_Conn(bro_analyzer: BroAnalyzer) { +connection MQTT_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = MQTT_Flow(true); downflow = MQTT_Flow(false); }; @@ -41,4 +41,3 @@ flow MQTT_Flow(is_orig: bool) { %include commands/disconnect.pac %include commands/pingreq.pac %include commands/pingresp.pac - diff --git a/src/analyzer/protocol/mysql/mysql-analyzer.pac b/src/analyzer/protocol/mysql/mysql-analyzer.pac index f019cbcf39..8903c3eaa9 100644 --- a/src/analyzer/protocol/mysql/mysql-analyzer.pac +++ b/src/analyzer/protocol/mysql/mysql-analyzer.pac 
@@ -6,12 +6,12 @@ refine flow MySQL_Flow += { if ( mysql_server_version ) { if ( ${msg.version} == 10 ) - zeek::BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mysql_server_version(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), zeek::make_intrusive(c_str(${msg.handshake10.server_version}))); if ( ${msg.version} == 9 ) - zeek::BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mysql_server_version(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), zeek::make_intrusive(c_str(${msg.handshake9.server_version}))); } return true; @@ -20,17 +20,17 @@ refine flow MySQL_Flow += { function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool %{ if ( ${msg.version} == 9 || ${msg.version == 10} ) - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); if ( mysql_handshake ) { if ( ${msg.version} == 10 ) - zeek::BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mysql_handshake(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), zeek::make_intrusive(c_str(${msg.v10_response.username}))); if ( ${msg.version} == 9 ) - zeek::BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mysql_handshake(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), zeek::make_intrusive(c_str(${msg.v9_response.username}))); } return true; 
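Review bot: The version test at the top of proc_mysql_handshake_response_packet is written two ways in one expression: `if ( ${msg.version} == 9 || ${msg.version == 10} )` places the second comparison inside the binpac `${…}` expansion, which is inconsistent with its first operand and with the `${msg.version} == 10` / `${msg.version} == 9` checks a few lines further down in the same function. If binpac accepts a comparison inside the braces the behaviour is presumably the same, but normalising it to `if ( ${msg.version} == 9 || ${msg.version} == 10 )` removes the question for the next reader and matches the renamed lines around it. The function's closing `%}` lies outside this hunk.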
@@ -39,8 +39,8 @@ refine flow MySQL_Flow += { function proc_mysql_command_request_packet(msg: Command_Request_Packet): bool %{ if ( mysql_command_request ) - zeek::BifEvent::enqueue_mysql_command_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mysql_command_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${msg.command}, to_stringval(${msg.arg})); return true; @@ -49,8 +49,8 @@ refine flow MySQL_Flow += { function proc_err_packet(msg: ERR_Packet): bool %{ if ( mysql_error ) - zeek::BifEvent::enqueue_mysql_error(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mysql_error(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${msg.code}, to_stringval(${msg.msg})); return true; @@ -59,8 +59,8 @@ refine flow MySQL_Flow += { function proc_ok_packet(msg: OK_Packet): bool %{ if ( mysql_ok ) - zeek::BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mysql_ok(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${msg.rows}); return true; %} @@ -71,8 +71,8 @@ refine flow MySQL_Flow += { { // This is a bit fake... if ( mysql_ok ) - zeek::BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mysql_ok(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), 0); } @@ -98,8 +98,8 @@ refine flow MySQL_Flow += { vv->Assign(vv->Size(), zeek::make_intrusive(bstring.length(), ptr)); } - zeek::BifEvent::enqueue_mysql_result_row(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_mysql_result_row(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), std::move(vv)); return true; diff --git a/src/analyzer/protocol/mysql/mysql.pac b/src/analyzer/protocol/mysql/mysql.pac index 1cb80aff75..28453cb830 100644 
--- a/src/analyzer/protocol/mysql/mysql.pac +++ b/src/analyzer/protocol/mysql/mysql.pac @@ -5,7 +5,7 @@ # - mysql-analyzer.pac: describes the MySQL analyzer code %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" @@ -17,7 +17,7 @@ analyzer MySQL withcontext { }; # Our connection consists of two flows, one in each direction. -connection MySQL_Conn(bro_analyzer: BroAnalyzer) { +connection MySQL_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = MySQL_Flow(true); downflow = MySQL_Flow(false); }; diff --git a/src/analyzer/protocol/ncp/ncp.pac b/src/analyzer/protocol/ncp/ncp.pac index 205c8ee7bc..dd92672a44 100644 --- a/src/analyzer/protocol/ncp/ncp.pac +++ b/src/analyzer/protocol/ncp/ncp.pac @@ -1,6 +1,6 @@ # Netware Core Protocol -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" diff --git a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac index 8071fa1f5d..6501cc649b 100644 --- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac +++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac @@ -1,20 +1,20 @@ %header{ - zeek::ValPtr filetime2brotime(uint64_t ts); + zeek::ValPtr filetime2zeektime(uint64_t ts); zeek::RecordValPtr build_version_record(NTLM_Version* val); zeek::RecordValPtr build_negotiate_flag_record(NTLM_Negotiate_Flags* val); %} %code{ // This is replicated from the SMB analyzer. :( - zeek::ValPtr filetime2brotime(uint64_t ts) + zeek::ValPtr filetime2zeektime(uint64_t ts) { double secs = (ts / 10000000.0); - // Bro can't support times back to the 1600's + // Zeek can't support times back to the 1600's // so we subtract a lot of seconds. - auto bro_ts = zeek::make_intrusive(secs - 11644473600.0); + auto zeek_ts = zeek::make_intrusive(secs - 11644473600.0); - return bro_ts; + return zeek_ts; } zeek::RecordValPtr build_version_record(NTLM_Version* val) 
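Review bot: The comment the commit rewrites above `zeek_ts` in filetime2zeektime still describes the subtraction as a limitation ("Zeek can't support times back to the 1600's"), but the constant is an epoch offset: FILETIME counts 100-ns ticks since 1601-01-01 (hence the division by 10000000.0), and 11644473600 is the number of seconds from that epoch to the Unix epoch of 1970-01-01, so the code converts epochs rather than working around a range limit. Since the line is being edited anyway I'd make it `// FILETIME is 100-ns ticks since 1601-01-01; subtract the seconds between that epoch and the Unix epoch to get a Zeek timestamp.`. The `// This is replicated from the SMB analyzer. :(` header also implies a second copy of this helper elsewhere that this hunk does not show, so I can't confirm the two stay in sync after the rename.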
@@ -60,7 +60,7 @@ refine connection NTLM_Conn += { - function build_av_record(val: NTLM_AV_Pair_Sequence, len: uint16): BroVal + function build_av_record(val: NTLM_AV_Pair_Sequence, len: uint16): ZeekVal %{ zeek::RecordVal* result = new zeek::RecordVal(zeek::BifType::Record::NTLM::AVs); for ( uint i = 0; ; i++ ) @@ -71,7 +71,7 @@ refine connection NTLM_Conn += { // According to spec, the TargetInfo MUST be a sequence of // AV_PAIRs and terminated by the null AV_PAIR when the // TargetInfoLen is non-zero, so this is in violation. - bro_analyzer()->ProtocolViolation("NTLM AV Pair loop underflow"); + zeek_analyzer()->ProtocolViolation("NTLM AV Pair loop underflow"); return result; } 
@@ -81,31 +81,31 @@ refine connection NTLM_Conn += { case 0: return result; case 1: - result->Assign(0, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data})); + result->Assign(0, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data})); break; case 2: - result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data})); + result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data})); break; case 3: - result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data})); + result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data})); break; case 4: - result->Assign(3, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data})); + result->Assign(3, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data})); break; case 5: - result->Assign(4, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data})); + result->Assign(4, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data})); break; case 6: result->Assign(5, zeek::val_mgr->Bool(${val.pairs[i].constrained_auth})); break; case 7: - result->Assign(6, filetime2brotime(${val.pairs[i].timestamp})); + result->Assign(6, filetime2zeektime(${val.pairs[i].timestamp})); break; case 8: result->Assign(7, zeek::val_mgr->Count(${val.pairs[i].single_host.machine_id})); break; case 9: - result->Assign(8, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data})); + result->Assign(8, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].target_name.data})); break; } } 
@@ -121,16 +121,16 @@ refine connection NTLM_Conn += { result->Assign(0, build_negotiate_flag_record(${val.flags})); if ( ${val}->has_domain_name() ) - result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data})); + result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.domain_name.string.data})); if ( ${val}->has_workstation() ) - result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data})); + result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.workstation.string.data})); if ( ${val}->has_version() ) result->Assign(3, build_version_record(${val.version})); - zeek::BifEvent::enqueue_ntlm_negotiate(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ntlm_negotiate(zeek_analyzer(), + zeek_analyzer()->Conn(), std::move(result)); return true; @@ -145,7 +145,7 @@ refine connection NTLM_Conn += { result->Assign(0, build_negotiate_flag_record(${val.flags})); if ( ${val}->has_target_name() ) - result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.target_name.string.data})); + result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.target_name.string.data})); if ( ${val}->has_version() ) result->Assign(2, build_version_record(${val.version})); @@ -153,8 +153,8 @@ refine connection NTLM_Conn += { if ( ${val}->has_target_info() ) result->Assign(3, {zeek::AdoptRef{}, build_av_record(${val.target_info}, ${val.target_info_fields.length})}); - zeek::BifEvent::enqueue_ntlm_challenge(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ntlm_challenge(zeek_analyzer(), + zeek_analyzer()->Conn(), std::move(result)); return true; 
@@ -169,13 +169,13 @@ refine connection NTLM_Conn += { result->Assign(0, build_negotiate_flag_record(${val.flags})); if ( ${val}->has_domain_name() > 0 ) - result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data})); + result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.domain_name.string.data})); if ( ${val}->has_user_name() > 0 ) - result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.user_name.string.data})); + result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.user_name.string.data})); if ( ${val}->has_workstation() > 0 ) - result->Assign(3, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data})); + result->Assign(3, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.workstation.string.data})); if ( ${val}->has_encrypted_session_key() > 0 ) result->Assign(4, to_stringval(${val.encrypted_session_key.string.data})); @@ -183,8 +183,8 @@ refine connection NTLM_Conn += { if ( ${val}->has_version() ) result->Assign(5, build_version_record(${val.version})); - zeek::BifEvent::enqueue_ntlm_authenticate(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ntlm_authenticate(zeek_analyzer(), + zeek_analyzer()->Conn(), std::move(result)); return true; %} diff --git a/src/analyzer/protocol/ntlm/ntlm.pac b/src/analyzer/protocol/ntlm/ntlm.pac index ee5d33b688..ffa781b308 100644 --- a/src/analyzer/protocol/ntlm/ntlm.pac +++ b/src/analyzer/protocol/ntlm/ntlm.pac @@ -1,5 +1,5 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "analyzer/Manager.h" @@ -14,7 +14,7 @@ analyzer NTLM withcontext { flow : NTLM_Flow; }; -connection NTLM_Conn(bro_analyzer: BroAnalyzer) { +connection NTLM_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = NTLM_Flow(true); downflow = NTLM_Flow(false); }; diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac index 955825a645..41906dd075 100644 
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac +++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac @@ -133,7 +133,7 @@ refine flow NTP_Flow += { function proc_ntp_message(msg: NTP_PDU): bool %{ - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); if ( ! ntp_message ) return false; @@ -150,8 +150,8 @@ refine flow NTP_Flow += { else if ( ${msg.mode} == 7 ) rv->Assign(4, BuildNTPMode7Msg(${msg.mode7})); - zeek::BifEvent::enqueue_ntp_message(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ntp_message(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig(), std::move(rv)); return true; %} diff --git a/src/analyzer/protocol/ntp/ntp.pac b/src/analyzer/protocol/ntp/ntp.pac index 4da2ae0f6a..6f4343a246 100644 --- a/src/analyzer/protocol/ntp/ntp.pac +++ b/src/analyzer/protocol/ntp/ntp.pac @@ -1,6 +1,6 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "types.bif.h" @@ -12,7 +12,7 @@ analyzer NTP withcontext { flow: NTP_Flow; }; -connection NTP_Conn(bro_analyzer: BroAnalyzer) { +connection NTP_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = NTP_Flow(true); downflow = NTP_Flow(false); }; diff --git a/src/analyzer/protocol/radius/radius-analyzer.pac b/src/analyzer/protocol/radius/radius-analyzer.pac index e47f2748d6..20a2e93bef 100644 --- a/src/analyzer/protocol/radius/radius-analyzer.pac +++ b/src/analyzer/protocol/radius/radius-analyzer.pac @@ -2,7 +2,7 @@ refine flow RADIUS_Flow += { function proc_radius_message(msg: RADIUS_PDU): bool %{ - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); if ( ! radius_message ) return false; 
@@ -41,7 +41,7 @@ refine flow RADIUS_Flow += { result->Assign(3, std::move(attributes)); } - zeek::BifEvent::enqueue_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), std::move(result)); + zeek::BifEvent::enqueue_radius_message(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), std::move(result)); return true; %} @@ -50,7 +50,7 @@ refine flow RADIUS_Flow += { if ( ! radius_attribute ) return false; - zeek::BifEvent::enqueue_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_radius_attribute(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), ${attr.code}, to_stringval(${attr.value})); return true; %} diff --git a/src/analyzer/protocol/radius/radius.pac b/src/analyzer/protocol/radius/radius.pac index 2c3ddca969..6da1813ba7 100644 --- a/src/analyzer/protocol/radius/radius.pac +++ b/src/analyzer/protocol/radius/radius.pac @@ -3,7 +3,7 @@ # - radius-analyzer.pac: describes the RADIUS analyzer code %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" @@ -15,7 +15,7 @@ analyzer RADIUS withcontext { }; # Our connection consists of two flows, one in each direction. -connection RADIUS_Conn(bro_analyzer: BroAnalyzer) { +connection RADIUS_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = RADIUS_Flow(true); downflow = RADIUS_Flow(false); }; diff --git a/src/analyzer/protocol/rdp/RDP.cc b/src/analyzer/protocol/rdp/RDP.cc index 4656b43ca6..cca4ea2c81 100644 --- a/src/analyzer/protocol/rdp/RDP.cc +++ b/src/analyzer/protocol/rdp/RDP.cc @@ -76,7 +76,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { if ( rdp_native_encrypted_data ) zeek::BifEvent::enqueue_rdp_native_encrypted_data( - interp->bro_analyzer(), interp->bro_analyzer()->Conn(), + interp->zeek_analyzer(), interp->zeek_analyzer()->Conn(), orig, len); } } 
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac index a1f11e7cdb..053e56c46e 100644 --- a/src/analyzer/protocol/rdp/rdp-analyzer.pac +++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac @@ -9,8 +9,8 @@ refine flow RDP_Flow += { %{ if ( rdp_connect_request ) { - zeek::BifEvent::enqueue_rdp_connect_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdp_connect_request(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), to_stringval(${cr.cookie_value}), ${cr.rdp_neg_req} ? ${cr.rdp_neg_req.flags} : 0); } @@ -22,8 +22,8 @@ refine flow RDP_Flow += { %{ if ( rdp_negotiation_response ) { - zeek::BifEvent::enqueue_rdp_negotiation_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdp_negotiation_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${nr.selected_protocol}, ${nr.flags}); } @@ -35,8 +35,8 @@ refine flow RDP_Flow += { %{ if ( rdp_negotiation_failure ) { - zeek::BifEvent::enqueue_rdp_negotiation_failure(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdp_negotiation_failure(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${nf.failure_code}, ${nf.flags}); } @@ -47,11 +47,11 @@ refine flow RDP_Flow += { function proc_rdp_gcc_server_create_response(gcc_response: GCC_Server_Create_Response): bool %{ - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); if ( rdp_gcc_server_create_response ) - zeek::BifEvent::enqueue_rdp_gcc_server_create_response(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdp_gcc_server_create_response(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${gcc_response.result}); return true; 
@@ -60,7 +60,7 @@ refine flow RDP_Flow += { function proc_rdp_client_core_data(ccore: Client_Core_Data): bool %{ - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); if ( rdp_client_core_data ) { @@ -84,21 +84,21 @@ refine flow RDP_Flow += { ccd->Assign(5, zeek::val_mgr->Count(${ccore.sas_sequence})); ccd->Assign(6, zeek::val_mgr->Count(${ccore.keyboard_layout})); ccd->Assign(7, zeek::val_mgr->Count(${ccore.client_build})); - ccd->Assign(8, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.client_name})); + ccd->Assign(8, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.client_name})); ccd->Assign(9, zeek::val_mgr->Count(${ccore.keyboard_type})); ccd->Assign(10, zeek::val_mgr->Count(${ccore.keyboard_sub})); ccd->Assign(11, zeek::val_mgr->Count(${ccore.keyboard_function_key})); - ccd->Assign(12, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.ime_file_name})); + ccd->Assign(12, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.ime_file_name})); ccd->Assign(13, zeek::val_mgr->Count(${ccore.post_beta2_color_depth})); ccd->Assign(14, zeek::val_mgr->Count(${ccore.client_product_id})); ccd->Assign(15, zeek::val_mgr->Count(${ccore.serial_number})); ccd->Assign(16, zeek::val_mgr->Count(${ccore.high_color_depth})); ccd->Assign(17, zeek::val_mgr->Count(${ccore.supported_color_depths})); ccd->Assign(18, std::move(ec_flags)); - ccd->Assign(19, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id})); + ccd->Assign(19, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.dig_product_id})); - zeek::BifEvent::enqueue_rdp_client_core_data(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdp_client_core_data(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), std::move(ccd)); } 
@@ -114,8 +114,8 @@ refine flow RDP_Flow += { csd->Assign(0, zeek::val_mgr->Count(${csec.encryption_methods})); csd->Assign(1, zeek::val_mgr->Count(${csec.ext_encryption_methods})); - zeek::BifEvent::enqueue_rdp_client_security_data(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdp_client_security_data(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), std::move(csd)); return true; %} @@ -151,8 +151,8 @@ refine flow RDP_Flow += { channels->Assign(channels->Size(), std::move(channel_def)); } - zeek::BifEvent::enqueue_rdp_client_network_data(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdp_client_network_data(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), std::move(channels)); } @@ -172,19 +172,19 @@ refine flow RDP_Flow += { ccld->Assign(4, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID})); ccld->Assign(5, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SMARTCARD})); - zeek::BifEvent::enqueue_rdp_client_cluster_data(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdp_client_cluster_data(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), std::move(ccld)); return true; %} function proc_rdp_server_security(ssd: Server_Security_Data): bool %{ - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); if ( rdp_server_security ) - zeek::BifEvent::enqueue_rdp_server_security(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdp_server_security(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${ssd.encryption_method}, ${ssd.encryption_level}); 
@@ -195,8 +195,8 @@ refine flow RDP_Flow += { %{ if ( rdp_server_certificate ) { - zeek::BifEvent::enqueue_rdp_server_certificate(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdp_server_certificate(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${cert.cert_type}, ${cert.permanently_issued}); } @@ -210,14 +210,14 @@ refine flow RDP_Flow += { zeek::ODesc file_handle; file_handle.AddRaw("Analyzer::ANALYZER_RDP"); - file_handle.Add(connection()->bro_analyzer()->Conn()->StartTime()); - connection()->bro_analyzer()->Conn()->IDString(&file_handle); + file_handle.Add(connection()->zeek_analyzer()->Conn()->StartTime()); + connection()->zeek_analyzer()->Conn()->IDString(&file_handle); string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), cert.length(), - connection()->bro_analyzer()->GetAnalyzerTag(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer()->GetAnalyzerTag(), + connection()->zeek_analyzer()->Conn(), false, // It seems there are only server certs? file_id, "application/x-x509-user-cert"); zeek::file_mgr->EndOfFile(file_id); diff --git a/src/analyzer/protocol/rdp/rdp-protocol.pac b/src/analyzer/protocol/rdp/rdp-protocol.pac index ca88d90284..e09e54e3ad 100644 --- a/src/analyzer/protocol/rdp/rdp-protocol.pac +++ b/src/analyzer/protocol/rdp/rdp-protocol.pac @@ -383,8 +383,8 @@ refine connection RDP_Conn += { if ( rdp_begin_encryption ) { - zeek::BifEvent::enqueue_rdp_begin_encryption(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdp_begin_encryption(zeek_analyzer(), + zeek_analyzer()->Conn(), ${method}); } diff --git a/src/analyzer/protocol/rdp/rdp.pac b/src/analyzer/protocol/rdp/rdp.pac index 088896c663..58e0c3a61f 100644 --- a/src/analyzer/protocol/rdp/rdp.pac +++ b/src/analyzer/protocol/rdp/rdp.pac 
@@ -1,5 +1,5 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" @@ -11,7 +11,7 @@ analyzer RDP withcontext { }; # Our connection consists of two flows, one in each direction. -connection RDP_Conn(bro_analyzer: BroAnalyzer) { +connection RDP_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = RDP_Flow(true); downflow = RDP_Flow(false); }; diff --git a/src/analyzer/protocol/rdp/rdpeudp-analyzer.pac b/src/analyzer/protocol/rdp/rdpeudp-analyzer.pac index 9e2730ba60..a150361bba 100644 --- a/src/analyzer/protocol/rdp/rdpeudp-analyzer.pac +++ b/src/analyzer/protocol/rdp/rdpeudp-analyzer.pac @@ -45,7 +45,7 @@ refine connection RDPEUDP_Conn += { orig_lossy_ = true; if ( rdpeudp_syn ) - zeek::BifEvent::enqueue_rdpeudp_syn(bro_analyzer(), bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_rdpeudp_syn(zeek_analyzer(), zeek_analyzer()->Conn()); state_ = NEED_SYNACK; return true; @@ -60,9 +60,9 @@ refine connection RDPEUDP_Conn += { return false; if ( rdpeudp_synack ) - zeek::BifEvent::enqueue_rdpeudp_synack(bro_analyzer(), bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_rdpeudp_synack(zeek_analyzer(), zeek_analyzer()->Conn()); - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); state_ = NEED_ACK; resp_synex_flags_ = uUdpVer; @@ -79,12 +79,12 @@ refine connection RDPEUDP_Conn += { state_ = ESTABLISHED; if ( rdpeudp_established ) - zeek::BifEvent::enqueue_rdpeudp_established(bro_analyzer(), bro_analyzer()->Conn(), 1); + zeek::BifEvent::enqueue_rdpeudp_established(zeek_analyzer(), zeek_analyzer()->Conn(), 1); } if ( state_ == ESTABLISHED && rdpeudp_data ) - zeek::BifEvent::enqueue_rdpeudp_data(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdpeudp_data(zeek_analyzer(), + zeek_analyzer()->Conn(), is_orig, 1, to_stringval(data) 
@@ -102,14 +102,14 @@ refine connection RDPEUDP_Conn += { if ( state_ == NEED_ACK ) { if ( rdpeudp_established ) - zeek::BifEvent::enqueue_rdpeudp_established(bro_analyzer(), bro_analyzer()->Conn(), 2); + zeek::BifEvent::enqueue_rdpeudp_established(zeek_analyzer(), zeek_analyzer()->Conn(), 2); state_ = ESTABLISHED; } if ( state_ == ESTABLISHED && rdpeudp_data ) - zeek::BifEvent::enqueue_rdpeudp_data(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rdpeudp_data(zeek_analyzer(), + zeek_analyzer()->Conn(), is_orig, 2, to_stringval(data) diff --git a/src/analyzer/protocol/rdp/rdpeudp.pac b/src/analyzer/protocol/rdp/rdpeudp.pac index 525c3b05ee..1ece356231 100644 --- a/src/analyzer/protocol/rdp/rdpeudp.pac +++ b/src/analyzer/protocol/rdp/rdpeudp.pac @@ -1,5 +1,5 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" @@ -10,7 +10,7 @@ analyzer RDPEUDP withcontext { flow: RDPEUDP_Flow; }; -connection RDPEUDP_Conn(bro_analyzer: BroAnalyzer) { +connection RDPEUDP_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = RDPEUDP_Flow(true); downflow = RDPEUDP_Flow(false); }; diff --git a/src/analyzer/protocol/rfb/rfb-analyzer.pac b/src/analyzer/protocol/rfb/rfb-analyzer.pac index ed149ab693..513958af54 100644 --- a/src/analyzer/protocol/rfb/rfb-analyzer.pac +++ b/src/analyzer/protocol/rfb/rfb-analyzer.pac 
@@ -4,18 +4,18 @@ refine flow RFB_Flow += { if ( client ) { if ( rfb_client_version ) - zeek::BifEvent::enqueue_rfb_client_version(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rfb_client_version(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), to_stringval(major), to_stringval(minor)); - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); } else { if ( rfb_server_version ) - zeek::BifEvent::enqueue_rfb_server_version(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_rfb_server_version(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), to_stringval(major), to_stringval(minor)); } @@ -26,21 +26,21 @@ refine flow RFB_Flow += { function proc_rfb_share_flag(shared: bool) : bool %{ if ( rfb_share_flag ) - zeek::BifEvent::enqueue_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared); + zeek::BifEvent::enqueue_rfb_share_flag(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), shared); return true; %} function proc_security_types(msg: RFBSecurityType) : bool %{ if ( rfb_authentication_type ) - zeek::BifEvent::enqueue_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype}); + zeek::BifEvent::enqueue_rfb_authentication_type(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), ${msg.sectype}); return true; %} function proc_security_types37(msg: RFBAuthTypeSelected) : bool %{ if ( rfb_authentication_type ) - zeek::BifEvent::enqueue_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type}); + zeek::BifEvent::enqueue_rfb_authentication_type(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), ${msg.type}); return true; %} 
@@ -51,7 +51,7 @@ refine flow RFB_Flow += { auto vec_ptr = ${msg.name}; auto name_ptr = &((*vec_ptr)[0]); zeek::BifEvent::enqueue_rfb_server_parameters( - connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), zeek::make_intrusive(${msg.name}->size(), (const char*)name_ptr), ${msg.width}, ${msg.height}); @@ -62,7 +62,7 @@ refine flow RFB_Flow += { function proc_handle_security_result(result : uint32) : bool %{ if ( rfb_auth_result ) - zeek::BifEvent::enqueue_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result); + zeek::BifEvent::enqueue_rfb_auth_result(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), result); return true; %} }; @@ -181,7 +181,7 @@ refine connection RFB_Conn += { else { // Shouldn't be a possible. - bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB security type %u", msg->sectype())); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB security type %u", msg->sectype())); } return true; @@ -235,7 +235,7 @@ refine connection RFB_Conn += { } else { - bro_analyzer()->ProtocolViolation(zeek::util::fmt("unknown RFB auth selection: %u", ${msg.type})); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unknown RFB auth selection: %u", ${msg.type})); } return true; @@ -277,7 +277,7 @@ refine connection RFB_Conn += { // Failed server_state = SERVER_AUTH_FAILURE; else - bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB auth result: %u", ${msg.result})); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB auth result: %u", ${msg.result})); return true; %} diff --git a/src/analyzer/protocol/rfb/rfb.pac b/src/analyzer/protocol/rfb/rfb.pac index 525cef6416..e03e3fb383 100644 --- a/src/analyzer/protocol/rfb/rfb.pac +++ b/src/analyzer/protocol/rfb/rfb.pac 
@@ -3,7 +3,7 @@ # - rfb-analyzer.pac: describes the rfb analyzer code %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" @@ -15,7 +15,7 @@ analyzer RFB withcontext { }; # Our connection consists of two flows, one in each direction. -connection RFB_Conn(bro_analyzer: BroAnalyzer) { +connection RFB_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = RFB_Flow(true); downflow = RFB_Flow(false); }; diff --git a/src/analyzer/protocol/sip/sip-analyzer.pac b/src/analyzer/protocol/sip/sip-analyzer.pac index 061e371c02..273d1ba738 100644 --- a/src/analyzer/protocol/sip/sip-analyzer.pac +++ b/src/analyzer/protocol/sip/sip-analyzer.pac @@ -20,7 +20,7 @@ refine flow SIP_Flow += { %{ if ( sip_request ) { - zeek::BifEvent::enqueue_sip_request(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_sip_request(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), to_stringval(method), to_stringval(uri), to_stringval(${vers.vers_str})); } @@ -32,10 +32,10 @@ refine flow SIP_Flow += { function proc_sip_reply(vers: SIP_Version, code: int, reason: bytestring): bool %{ - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); if ( sip_reply ) { - zeek::BifEvent::enqueue_sip_reply(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_sip_reply(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), to_stringval(${vers.vers_str}), code, to_stringval(reason)); } @@ -53,7 +53,7 @@ refine flow SIP_Flow += { { auto nameval = to_stringval(name); nameval->ToUpper(); - zeek::BifEvent::enqueue_sip_header(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_sip_header(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), is_orig(), std::move(nameval), to_stringval(value)); } 
@@ -65,7 +65,7 @@ refine flow SIP_Flow += { return true; %} - function build_sip_headers_val(): BroVal + function build_sip_headers_val(): ZeekVal %{ static auto mime_header_list = zeek::id::find_type("mime_header_list"); auto* t = new zeek::TableVal(mime_header_list); @@ -83,7 +83,7 @@ refine flow SIP_Flow += { %{ if ( sip_all_headers ) { - zeek::BifEvent::enqueue_sip_all_headers(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_sip_all_headers(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), is_orig(), {zeek::AdoptRef{}, build_sip_headers_val()}); } @@ -100,7 +100,7 @@ refine flow SIP_Flow += { return true; %} - function build_sip_header_val(name: const_bytestring, value: const_bytestring): BroVal + function build_sip_header_val(name: const_bytestring, value: const_bytestring): ZeekVal %{ static auto mime_header_rec = zeek::id::find_type("mime_header_rec"); auto* header_record = new zeek::RecordVal(mime_header_rec); @@ -127,7 +127,7 @@ refine flow SIP_Flow += { %{ if ( sip_begin_entity ) { - zeek::BifEvent::enqueue_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig()); + zeek::BifEvent::enqueue_sip_begin_entity(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), is_orig()); } %} @@ -135,7 +135,7 @@ refine flow SIP_Flow += { %{ if ( sip_end_entity ) { - zeek::BifEvent::enqueue_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig()); + zeek::BifEvent::enqueue_sip_end_entity(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), is_orig()); } return true; diff --git a/src/analyzer/protocol/sip/sip.pac b/src/analyzer/protocol/sip/sip.pac index 15addb8c1e..7198cfe22c 100644 --- a/src/analyzer/protocol/sip/sip.pac +++ b/src/analyzer/protocol/sip/sip.pac 
@@ -2,7 +2,7 @@ # Based heavily on the HTTP BinPAC analyzer %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" @@ -13,7 +13,7 @@ analyzer SIP withcontext { flow: SIP_Flow; }; -connection SIP_Conn(bro_analyzer: BroAnalyzer) { +connection SIP_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = SIP_Flow(true); downflow = SIP_Flow(false); }; diff --git a/src/analyzer/protocol/sip/sip_TCP.pac b/src/analyzer/protocol/sip/sip_TCP.pac index 2e51675dea..d38b271a5e 100644 --- a/src/analyzer/protocol/sip/sip_TCP.pac +++ b/src/analyzer/protocol/sip/sip_TCP.pac @@ -5,7 +5,7 @@ # activated. We don't yet support SIP-over-TCP. %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" @@ -16,7 +16,7 @@ analyzer SIP_TCP withcontext { flow: SIP_Flow; }; -connection SIP_Conn(bro_analyzer: BroAnalyzer) { +connection SIP_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = SIP_Flow(true); downflow = SIP_Flow(false); }; diff --git a/src/analyzer/protocol/smb/smb-gssapi.pac b/src/analyzer/protocol/smb/smb-gssapi.pac index 38adb7adb4..812ada277b 100644 --- a/src/analyzer/protocol/smb/smb-gssapi.pac +++ b/src/analyzer/protocol/smb/smb-gssapi.pac @@ -27,10 +27,10 @@ refine connection SMB_Conn += { function forward_gssapi(data: bytestring, is_orig: bool): bool %{ if ( ! gssapi ) - gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("GSSAPI", bro_analyzer()->Conn()); + gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("GSSAPI", zeek_analyzer()->Conn()); if ( ! ntlm ) - ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); + ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn()); // SMB allows raw NTLM instead of GSSAPI in certain messages. // We check if this is the case and run the NTLM analyzer directly. diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac index 7326210ae4..b37aea87f7 100644 --- a/src/analyzer/protocol/smb/smb-pipe.pac 
+++ b/src/analyzer/protocol/smb/smb-pipe.pac @@ -49,7 +49,7 @@ refine connection SMB_Conn += { if ( it == fid_to_analyzer_map.end() ) { - auto tmp_analyzer = zeek::analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer()->Conn()); + auto tmp_analyzer = zeek::analyzer_mgr->InstantiateAnalyzer("DCE_RPC", zeek_analyzer()->Conn()); pipe_dcerpc = static_cast(tmp_analyzer); if ( pipe_dcerpc ) diff --git a/src/analyzer/protocol/smb/smb-strings.pac b/src/analyzer/protocol/smb/smb-strings.pac index 3e6e8815ce..ad345ba7c3 100644 --- a/src/analyzer/protocol/smb/smb-strings.pac +++ b/src/analyzer/protocol/smb/smb-strings.pac @@ -1,5 +1,5 @@ %extern{ -#include "binpac_bro.h" +#include "binpac_zeek.h" %} %code{ @@ -12,7 +12,7 @@ zeek::StringValPtr binpac::SMB::SMB_Conn::uint8s_to_stringval(std::vectorConn(), bs); + return utf16_to_utf8_val(zeek_analyzer()->Conn(), bs); } zeek::StringValPtr binpac::SMB::SMB_Conn::extract_string(SMB_string* s) diff --git a/src/analyzer/protocol/smb/smb-time.pac b/src/analyzer/protocol/smb/smb-time.pac index c658ec1ae1..3f163b21a0 100644 --- a/src/analyzer/protocol/smb/smb-time.pac +++ b/src/analyzer/protocol/smb/smb-time.pac @@ -1,5 +1,5 @@ %header{ -zeek::ValPtr filetime2brotime(uint64_t ts); +zeek::ValPtr filetime2zeektime(uint64_t ts); zeek::ValPtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz); zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access, @@ -7,9 +7,9 @@ zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access, %} %code{ -zeek::ValPtr filetime2brotime(uint64_t ts) +zeek::ValPtr filetime2zeektime(uint64_t ts) { - // Bro can't support times back to the 1600's + // Zeek can't support times back to the 1600's // so we subtract a lot of seconds. double secs = (ts / 10000000.0L) - 11644473600.0L; return zeek::make_intrusive(secs); 
@@ -33,10 +33,10 @@ zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access, uint64_t create, uint64_t change) { auto r = zeek::make_intrusive(zeek::BifType::Record::SMB::MACTimes); - r->Assign(0, filetime2brotime(modify)); - r->Assign(1, filetime2brotime(access)); - r->Assign(2, filetime2brotime(create)); - r->Assign(3, filetime2brotime(change)); + r->Assign(0, filetime2zeektime(modify)); + r->Assign(1, filetime2zeektime(access)); + r->Assign(2, filetime2zeektime(create)); + r->Assign(3, filetime2zeektime(change)); return r; } %} diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac index 4a1e8abbb3..a30547f9df 100644 --- a/src/analyzer/protocol/smb/smb.pac +++ b/src/analyzer/protocol/smb/smb.pac @@ -1,5 +1,5 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "analyzer/Manager.h" @@ -48,7 +48,7 @@ analyzer SMB withcontext { flow: SMB_Flow; }; -connection SMB_Conn(bro_analyzer: BroAnalyzer) { +connection SMB_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = SMB_Flow(true); downflow = SMB_Flow(false); }; @@ -108,7 +108,7 @@ function to_int(num: uint24): uint32 %} type SMB_TCP(is_orig: bool) = record { - # These are technically NetBIOS fields but it's considered + # These are technically NetBIOS fields but it's considered # to be SMB directly over TCP. The fields are essentially # the NBSS protocol but it's only used for framing here. message_type : uint8; diff --git a/src/analyzer/protocol/smb/smb1-com-check-directory.pac b/src/analyzer/protocol/smb/smb1-com-check-directory.pac index 3c7747fc7b..75b66a298e 100644 --- a/src/analyzer/protocol/smb/smb1-com-check-directory.pac +++ b/src/analyzer/protocol/smb/smb1-com-check-directory.pac 
@@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_check_directory_request(header: SMB_Header, val: SMB1_check_directory_request): bool
%{
if ( smb1_check_directory_request )
- zeek::BifEvent::enqueue_smb1_check_directory_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb1_check_directory_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
SMBHeaderVal(header), smb_string2stringval(${val.directory_name}));
return true;
@@ -13,8 +13,8 @@ refine connection SMB_Conn += {
function proc_smb1_check_directory_response(header: SMB_Header, val: SMB1_check_directory_response): bool
%{
if ( smb1_check_directory_response )
- zeek::BifEvent::enqueue_smb1_check_directory_response(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb1_check_directory_response(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
SMBHeaderVal(header));
return true;
%}
diff --git a/src/analyzer/protocol/smb/smb1-com-close.pac b/src/analyzer/protocol/smb/smb1-com-close.pac
index abd42c828b..9933fe2539 100644
--- a/src/analyzer/protocol/smb/smb1-com-close.pac
+++ b/src/analyzer/protocol/smb/smb1-com-close.pac
@@ -3,13 +3,13 @@ refine connection SMB_Conn += {
function proc_smb1_close_request(h: SMB_Header, val: SMB1_close_request): bool
%{
if ( smb1_close_request )
- zeek::BifEvent::enqueue_smb1_close_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb1_close_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
SMBHeaderVal(h), ${val.file_id});
- zeek::file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
- bro_analyzer()->Conn(), h->is_orig());
+ zeek::file_mgr->EndOfFile(zeek_analyzer()->GetAnalyzerTag(),
+ zeek_analyzer()->Conn(), h->is_orig());
return true;
%}
diff --git a/src/analyzer/protocol/smb/smb1-com-create-directory.pac b/src/analyzer/protocol/smb/smb1-com-create-directory.pac
index af9b9f4897..3e977bcc8b 100644
--- a/src/analyzer/protocol/smb/smb1-com-create-directory.pac
+++ b/src/analyzer/protocol/smb/smb1-com-create-directory.pac
@@ -3,7 +3,7 @@ refine connection SMB_Conn += {
function proc_smb1_create_directory_request(header: SMB_Header, val: SMB1_create_directory_request): bool
%{
if ( smb1_create_directory_request )
- zeek::BifEvent::enqueue_smb1_create_directory_request(bro_analyzer(), bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb1_create_directory_request(zeek_analyzer(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), smb_string2stringval(${val.directory_name}));
return true;
@@ -11,8 +11,8 @@ refine connection SMB_Conn += {
function proc_smb1_create_directory_response(header: SMB_Header, val: SMB1_create_directory_response): bool
%{
if ( smb1_create_directory_response )
- zeek::BifEvent::enqueue_smb1_create_directory_response(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb1_create_directory_response(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
SMBHeaderVal(header));
return true;
%}
@@ -34,4 +34,3 @@ type SMB1_create_directory_response(header: SMB_Header) = record {
} &let {
proc : bool = $context.connection.proc_smb1_create_directory_response(header, this);
};
-
diff --git a/src/analyzer/protocol/smb/smb1-com-echo.pac b/src/analyzer/protocol/smb/smb1-com-echo.pac
index 33fb977748..07ae710d14 100644
--- a/src/analyzer/protocol/smb/smb1-com-echo.pac
+++ b/src/analyzer/protocol/smb/smb1-com-echo.pac
@@ -3,7 +3,7 @@ refine connection SMB_Conn += {
function proc_smb1_echo_request(header: SMB_Header, val: SMB1_echo_request): bool
%{
if ( smb1_echo_request )
- zeek::BifEvent::enqueue_smb1_echo_request(bro_analyzer(), bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb1_echo_request(zeek_analyzer(), zeek_analyzer()->Conn(),
${val.echo_count}, to_stringval(${val.data}));
return true;
%}
@@ -11,7 +11,7 @@ refine connection SMB_Conn += {
function proc_smb1_echo_response(header: SMB_Header, val: SMB1_echo_response): bool
%{
if ( smb1_echo_response )
- zeek::BifEvent::enqueue_smb1_echo_response(bro_analyzer(), bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb1_echo_response(zeek_analyzer(), zeek_analyzer()->Conn(),
${val.seq_num}, to_stringval(${val.data}));
return true;
%}
@@ -40,4 +40,3 @@ type SMB1_echo_response(header: SMB_Header) = record {
} &let {
proc : bool = $context.connection.proc_smb1_echo_response(header, this);
};
-
diff --git a/src/analyzer/protocol/smb/smb1-com-logoff-andx.pac b/src/analyzer/protocol/smb/smb1-com-logoff-andx.pac
index 7efc8993ca..3e4630cd68 100644
--- a/src/analyzer/protocol/smb/smb1-com-logoff-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-logoff-andx.pac
@@ -3,7 +3,7 @@ refine connection SMB_Conn += {
function proc_smb1_logoff_andx(header: SMB_Header, val: SMB1_logoff_andx): bool
%{
if ( smb1_logoff_andx )
- zeek::BifEvent::enqueue_smb1_logoff_andx(bro_analyzer(), bro_analyzer()->Conn(), ${val.is_orig});
+ zeek::BifEvent::enqueue_smb1_logoff_andx(zeek_analyzer(), zeek_analyzer()->Conn(), ${val.is_orig});
return true;
%}
diff --git a/src/analyzer/protocol/smb/smb1-com-negotiate.pac b/src/analyzer/protocol/smb/smb1-com-negotiate.pac
index 4ade78c53e..0a576e7a61 100644
--- a/src/analyzer/protocol/smb/smb1-com-negotiate.pac
+++ b/src/analyzer/protocol/smb/smb1-com-negotiate.pac
@@ -23,7 +23,7 @@ refine connection SMB_Conn += {
dialects->Assign(i, std::move(dia));
}
- zeek::BifEvent::enqueue_smb1_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb1_negotiate_request(zeek_analyzer(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), std::move(dialects));
}
@@ -119,7 +119,7 @@ refine connection SMB_Conn += { ntlm->Assign(6, zeek::val_mgr->Count(${val.ntlm.max_raw_size})); ntlm->Assign(7, zeek::val_mgr->Count(${val.ntlm.session_key})); ntlm->Assign(8, std::move(capabilities)); - ntlm->Assign(9, filetime2brotime(${val.ntlm.server_time})); + ntlm->Assign(9, filetime2zeektime(${val.ntlm.server_time})); if ( ${val.ntlm.capabilities_extended_security} == false ) { @@ -135,8 +135,8 @@ refine connection SMB_Conn += { } break; } - zeek::BifEvent::enqueue_smb1_negotiate_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_negotiate_response(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), std::move(response)); } diff --git a/src/analyzer/protocol/smb/smb1-com-nt-cancel.pac b/src/analyzer/protocol/smb/smb1-com-nt-cancel.pac index 185c49b6b5..cc95e77324 100644 --- a/src/analyzer/protocol/smb/smb1-com-nt-cancel.pac +++ b/src/analyzer/protocol/smb/smb1-com-nt-cancel.pac @@ -3,8 +3,8 @@ refine connection SMB_Conn += { function proc_smb1_nt_cancel_request(header: SMB_Header, val: SMB1_nt_cancel_request): bool %{ if ( smb1_nt_cancel_request ) - zeek::BifEvent::enqueue_smb1_nt_cancel_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_nt_cancel_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header)); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac index c7c0ba745e..5759b18708 100644 --- a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac 
@@ -9,14 +9,14 @@ refine connection SMB_Conn += { set_tree_is_pipe(${header.tid}); if ( smb_pipe_connect_heuristic ) - zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(bro_analyzer(), - bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(zeek_analyzer(), + zeek_analyzer()->Conn()); } if ( smb1_nt_create_andx_request ) { - zeek::BifEvent::enqueue_smb1_nt_create_andx_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_nt_create_andx_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), std::move(filename)); } @@ -28,8 +28,8 @@ refine connection SMB_Conn += { %{ if ( smb1_nt_create_andx_response ) { - zeek::BifEvent::enqueue_smb1_nt_create_andx_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_nt_create_andx_response(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), ${val.file_id}, ${val.end_of_file}, diff --git a/src/analyzer/protocol/smb/smb1-com-query-information.pac b/src/analyzer/protocol/smb/smb1-com-query-information.pac index a5dc03366b..b3016bfb65 100644 --- a/src/analyzer/protocol/smb/smb1-com-query-information.pac +++ b/src/analyzer/protocol/smb/smb1-com-query-information.pac @@ -3,8 +3,8 @@ refine connection SMB_Conn += { function proc_smb1_query_information_request(header: SMB_Header, val: SMB1_query_information_request): bool %{ if ( smb1_query_information_request ) - zeek::BifEvent::enqueue_smb1_query_information_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_query_information_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), smb_string2stringval(${val.filename})); return true; @@ -38,4 +38,3 @@ type SMB1_query_information_response(header: SMB_Header) = record { } &let { proc : bool = $context.connection.proc_smb1_query_information_response(header, this); }; - 
diff --git a/src/analyzer/protocol/smb/smb1-com-read-andx.pac b/src/analyzer/protocol/smb/smb1-com-read-andx.pac index a785875e82..58f891ae11 100644 --- a/src/analyzer/protocol/smb/smb1-com-read-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-read-andx.pac @@ -9,8 +9,8 @@ refine connection SMB_Conn += { function proc_smb1_read_andx_request(h: SMB_Header, val: SMB1_read_andx_request): bool %{ if ( smb1_read_andx_request ) - zeek::BifEvent::enqueue_smb1_read_andx_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_read_andx_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(h), ${val.file_id}, ${val.read_offset}, @@ -23,8 +23,8 @@ refine connection SMB_Conn += { function proc_smb1_read_andx_response(h: SMB_Header, val: SMB1_read_andx_response): bool %{ if ( smb1_read_andx_response ) - zeek::BifEvent::enqueue_smb1_read_andx_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_read_andx_response(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(h), ${val.data_len}); @@ -34,8 +34,8 @@ refine connection SMB_Conn += { read_offsets.erase(${h.mid}); zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset, - bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), h->is_orig()); + zeek_analyzer()->GetAnalyzerTag(), + zeek_analyzer()->Conn(), h->is_orig()); } return true; diff --git a/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac b/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac index 5eb97ce315..b6b51ac390 100644 --- a/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac @@ -78,8 +78,8 @@ refine connection SMB_Conn += { break; } - zeek::BifEvent::enqueue_smb1_session_setup_andx_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_session_setup_andx_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), std::move(request)); } 
@@ -112,8 +112,8 @@ refine connection SMB_Conn += { break; } - zeek::BifEvent::enqueue_smb1_session_setup_andx_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_session_setup_andx_response(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), std::move(response)); } diff --git a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac index ba8d6a0af9..0bb7c4f1e7 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac @@ -45,8 +45,8 @@ refine connection SMB_Conn += { payload_str = zeek::val_mgr->EmptyString(); } - zeek::BifEvent::enqueue_smb1_transaction_secondary_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_transaction_secondary_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), std::move(args), std::move(parameters), diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac index 662f95e579..ff8b6f8ee8 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac @@ -62,8 +62,8 @@ refine connection SMB_Conn += { else payload_str = zeek::val_mgr->EmptyString(); - zeek::BifEvent::enqueue_smb1_transaction_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_transaction_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), smb_string2stringval(${val.name}), ${val.sub_cmd}, @@ -87,8 +87,8 @@ refine connection SMB_Conn += { else payload_str = zeek::val_mgr->EmptyString(); - zeek::BifEvent::enqueue_smb1_transaction_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_transaction_response(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), std::move(parameters), std::move(payload_str)); 
diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac index 832092274c..3571579cfb 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac @@ -19,8 +19,8 @@ refine connection SMB_Conn += { auto parameters = zeek::make_intrusive(${val.parameters}.length(), (const char*)${val.parameters}.data()); auto payload = zeek::make_intrusive(${val.data}.length(), (const char*)${val.data}.data()); - zeek::BifEvent::enqueue_smb1_transaction2_secondary_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_transaction2_secondary_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), std::move(args), std::move(parameters), diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2.pac b/src/analyzer/protocol/smb/smb1-com-transaction2.pac index d831ea70ca..4dced3ddba 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction2.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction2.pac @@ -38,8 +38,8 @@ refine connection SMB_Conn += { args->Assign(10, zeek::val_mgr->Count(${val.data_offset})); args->Assign(11, zeek::val_mgr->Count(${val.setup_count})); - zeek::BifEvent::enqueue_smb1_transaction2_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_transaction2_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), std::move(args), ${val.sub_cmd}); @@ -51,7 +51,7 @@ refine connection SMB_Conn += { function proc_smb1_transaction2_response(header: SMB_Header, val: SMB1_transaction2_response): bool %{ //if ( smb1_transaction2_response ) - // zeek::BifEvent::enqueue_smb1_transaction2_response(bro_analyzer(), bro_analyzer()->Conn(), SMBHeaderVal(header), ${val.sub_cmd}); + // zeek::BifEvent::enqueue_smb1_transaction2_response(zeek_analyzer(), zeek_analyzer()->Conn(), SMBHeaderVal(header), ${val.sub_cmd}); return true; %} 
@@ -138,8 +138,8 @@ refine connection SMB_Conn += { result->Assign(3, zeek::val_mgr->Count(${val.info_level})); result->Assign(4, zeek::val_mgr->Count(${val.search_storage_type})); result->Assign(5, smb_string2stringval(${val.file_name})); - zeek::BifEvent::enqueue_smb1_trans2_find_first2_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_trans2_find_first2_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), std::move(result)); @@ -217,11 +217,10 @@ refine connection SMB_Conn += { %{ if ( smb1_trans2_query_path_info_request ) { - zeek::BifEvent::enqueue_smb1_trans2_query_path_info_request(bro_analyzer(), - bro_analyzer()->Conn(), - SMBHeaderVal(header), - smb_string2stringval(${val.file_name})); - + zeek::BifEvent::enqueue_smb1_trans2_query_path_info_request(zeek_analyzer(), + zeek_analyzer()->Conn(), + SMBHeaderVal(header), + smb_string2stringval(${val.file_name})); } return true; %} @@ -322,8 +321,8 @@ refine connection SMB_Conn += { %{ if ( smb1_trans2_get_dfs_referral_request ) { - zeek::BifEvent::enqueue_smb1_trans2_get_dfs_referral_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_trans2_get_dfs_referral_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header), smb_string2stringval(${val.file_name})); } diff --git a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac index 14e11cf8cd..599fc79a2d 100644 --- a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac 
@@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_tree_connect_andx_request(header: SMB_Header, val: SMB1_tree_connect_andx_request): bool
%{
if ( smb1_tree_connect_andx_request )
- zeek::BifEvent::enqueue_smb1_tree_connect_andx_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb1_tree_connect_andx_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
SMBHeaderVal(header), smb_string2stringval(${val.path}), smb_string2stringval(${val.service}));
@@ -20,8 +20,8 @@ refine connection SMB_Conn += {
set_tree_is_pipe(${header.tid});
if ( smb1_tree_connect_andx_response )
- zeek::BifEvent::enqueue_smb1_tree_connect_andx_response(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb1_tree_connect_andx_response(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
SMBHeaderVal(header), std::move(service_string), ${val.byte_count} > ${val.service.a}->size() ?
diff --git a/src/analyzer/protocol/smb/smb1-com-tree-disconnect.pac b/src/analyzer/protocol/smb/smb1-com-tree-disconnect.pac
index 7a23729181..b241e4d47e 100644
--- a/src/analyzer/protocol/smb/smb1-com-tree-disconnect.pac
+++ b/src/analyzer/protocol/smb/smb1-com-tree-disconnect.pac
@@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_tree_disconnect(header: SMB_Header, val: SMB1_tree_disconnect): bool
%{
if ( smb1_tree_disconnect )
- zeek::BifEvent::enqueue_smb1_tree_disconnect(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb1_tree_disconnect(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
SMBHeaderVal(header), ${val.is_orig});
return true;
diff --git a/src/analyzer/protocol/smb/smb1-com-write-andx.pac b/src/analyzer/protocol/smb/smb1-com-write-andx.pac
index 7bb7bcb12f..0c76f53062 100644
--- a/src/analyzer/protocol/smb/smb1-com-write-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-write-andx.pac
@@ -3,8 +3,8 @@ refine connection SMB_Conn += { function proc_smb1_write_andx_request(h: SMB_Header, val: SMB1_write_andx_request): bool %{ if ( smb1_write_andx_request ) - zeek::BifEvent::enqueue_smb1_write_andx_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_write_andx_request(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(h), ${val.file_id}, ${val.write_offset}, @@ -14,8 +14,8 @@ refine connection SMB_Conn += { { zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(), ${val.write_offset}, - bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), h->is_orig()); + zeek_analyzer()->GetAnalyzerTag(), + zeek_analyzer()->Conn(), h->is_orig()); } return true; @@ -24,8 +24,8 @@ refine connection SMB_Conn += { function proc_smb1_write_andx_response(h: SMB_Header, val: SMB1_write_andx_response): bool %{ if ( smb1_write_andx_response ) - zeek::BifEvent::enqueue_smb1_write_andx_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_write_andx_response(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(h), ${val.written_bytes}); diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac index bd399ca183..80c763d0eb 100644 --- a/src/analyzer/protocol/smb/smb1-protocol.pac +++ b/src/analyzer/protocol/smb/smb1-protocol.pac @@ -43,7 +43,7 @@ refine connection SMB_Conn += { %{ if ( smb1_message ) { - zeek::BifEvent::enqueue_smb1_message(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_message(zeek_analyzer(), zeek_analyzer()->Conn(), SMBHeaderVal(h), is_orig); } @@ -54,8 +54,8 @@ refine connection SMB_Conn += { %{ if ( smb1_empty_response ) { - zeek::BifEvent::enqueue_smb1_empty_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_empty_response(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(header)); } return true; 
@@ -67,16 +67,16 @@ refine connection SMB_Conn += { { if ( smb1_empty_response ) { - zeek::BifEvent::enqueue_smb1_empty_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_empty_response(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(h)); } } else { if ( smb1_error ) - zeek::BifEvent::enqueue_smb1_error(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb1_error(zeek_analyzer(), + zeek_analyzer()->Conn(), SMBHeaderVal(h), is_orig); } return true; diff --git a/src/analyzer/protocol/smb/smb2-com-close.pac b/src/analyzer/protocol/smb/smb2-com-close.pac index c843bbb4e5..13d34f0663 100644 --- a/src/analyzer/protocol/smb/smb2-com-close.pac +++ b/src/analyzer/protocol/smb/smb2-com-close.pac @@ -4,14 +4,14 @@ refine connection SMB_Conn += { %{ if ( smb2_close_request ) { - zeek::BifEvent::enqueue_smb2_close_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_close_request(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(h), BuildSMB2GUID(${val.file_id})); } - zeek::file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), h->is_orig()); + zeek::file_mgr->EndOfFile(zeek_analyzer()->GetAnalyzerTag(), + zeek_analyzer()->Conn(), h->is_orig()); return true; %} @@ -28,10 +28,10 @@ refine connection SMB_Conn += { ${val.last_access_time}, ${val.creation_time}, ${val.change_time})); - resp->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs})); + resp->Assign(3, smb2_file_attrs_to_zeek(${val.file_attrs})); - zeek::BifEvent::enqueue_smb2_close_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_close_response(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(h), std::move(resp)); } diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac index 20cc31def8..97e55791e0 100644 --- a/src/analyzer/protocol/smb/smb2-com-create.pac 
+++ b/src/analyzer/protocol/smb/smb2-com-create.pac @@ -10,8 +10,8 @@ refine connection SMB_Conn += { set_tree_is_pipe(${h.tree_id}); if ( smb_pipe_connect_heuristic ) - zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(bro_analyzer(), - bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(zeek_analyzer(), + zeek_analyzer()->Conn()); } if ( smb2_create_request ) @@ -20,8 +20,8 @@ refine connection SMB_Conn += { requestinfo->Assign(0, std::move(filename)); requestinfo->Assign(1, zeek::val_mgr->Count(${val.disposition})); requestinfo->Assign(2, zeek::val_mgr->Count(${val.create_options})); - zeek::BifEvent::enqueue_smb2_create_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_create_request(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(h), std::move(requestinfo)); } @@ -40,10 +40,10 @@ refine connection SMB_Conn += { ${val.last_access_time}, ${val.creation_time}, ${val.change_time})); - responseinfo->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs})); + responseinfo->Assign(3, smb2_file_attrs_to_zeek(${val.file_attrs})); responseinfo->Assign(4, zeek::val_mgr->Count(${val.create_action})); - zeek::BifEvent::enqueue_smb2_create_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_create_response(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(h), std::move(responseinfo)); } diff --git a/src/analyzer/protocol/smb/smb2-com-negotiate.pac b/src/analyzer/protocol/smb/smb2-com-negotiate.pac index d99fa6a869..68012fc588 100644 --- a/src/analyzer/protocol/smb/smb2-com-negotiate.pac +++ b/src/analyzer/protocol/smb/smb2-com-negotiate.pac 
@@ -27,7 +27,7 @@ refine connection SMB_Conn += { for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i ) dialects->Assign(i, zeek::val_mgr->Count((*${val.dialects})[i])); - zeek::BifEvent::enqueue_smb2_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_negotiate_request(zeek_analyzer(), zeek_analyzer()->Conn(), BuildSMB2HeaderVal(h), std::move(dialects)); } @@ -44,8 +44,8 @@ refine connection SMB_Conn += { nr->Assign(0, zeek::val_mgr->Count(${val.dialect_revision})); nr->Assign(1, zeek::val_mgr->Count(${val.security_mode})); nr->Assign(2, BuildSMB2GUID(${val.server_guid})); - nr->Assign(3, filetime2brotime(${val.system_time})); - nr->Assign(4, filetime2brotime(${val.server_start_time})); + nr->Assign(3, filetime2zeektime(${val.system_time})); + nr->Assign(4, filetime2zeektime(${val.server_start_time})); nr->Assign(5, zeek::val_mgr->Count(${val.negotiate_context_count})); auto cv = zeek::make_intrusive(zeek::BifType::Vector::SMB2::NegotiateContextValues); @@ -60,7 +60,7 @@ refine connection SMB_Conn += { nr->Assign(6, std::move(cv)); - zeek::BifEvent::enqueue_smb2_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_negotiate_response(zeek_analyzer(), zeek_analyzer()->Conn(), BuildSMB2HeaderVal(h), std::move(nr)); } diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac index 03a384cd8e..04679d804f 100644 --- a/src/analyzer/protocol/smb/smb2-com-read.pac +++ b/src/analyzer/protocol/smb/smb2-com-read.pac @@ -26,8 +26,8 @@ refine connection SMB_Conn += { %{ if ( smb2_read_request ) { - zeek::BifEvent::enqueue_smb2_read_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_read_request(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(h), BuildSMB2GUID(${val.file_id}), ${val.offset}, 
@@ -51,8 +51,8 @@ refine connection SMB_Conn += { if ( ! ${h.is_pipe} && ${val.data_len} > 0 ) { zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset, - bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), h->is_orig()); + zeek_analyzer()->GetAnalyzerTag(), + zeek_analyzer()->Conn(), h->is_orig()); } return true; diff --git a/src/analyzer/protocol/smb/smb2-com-session-setup.pac b/src/analyzer/protocol/smb/smb2-com-session-setup.pac index a052d1944f..b8132184a5 100644 --- a/src/analyzer/protocol/smb/smb2-com-session-setup.pac +++ b/src/analyzer/protocol/smb/smb2-com-session-setup.pac @@ -7,10 +7,10 @@ refine connection SMB_Conn += { auto req = zeek::make_intrusive(zeek::BifType::Record::SMB2::SessionSetupRequest); req->Assign(0, zeek::val_mgr->Count(${val.security_mode})); - zeek::BifEvent::enqueue_smb2_session_setup_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_session_setup_request(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(h), - std::move(req)); + std::move(req)); } return true; @@ -28,8 +28,8 @@ refine connection SMB_Conn += { auto resp = zeek::make_intrusive(zeek::BifType::Record::SMB2::SessionSetupResponse); resp->Assign(0, std::move(flags)); - zeek::BifEvent::enqueue_smb2_session_setup_response(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_session_setup_response(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(h), std::move(resp)); } diff --git a/src/analyzer/protocol/smb/smb2-com-set-info.pac b/src/analyzer/protocol/smb/smb2-com-set-info.pac index 10e5899b2a..c76ce00781 100644 --- a/src/analyzer/protocol/smb/smb2-com-set-info.pac +++ b/src/analyzer/protocol/smb/smb2-com-set-info.pac 
@@ -28,15 +28,15 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request_file(val: SMB2_file_basic_info): bool %{ if ( smb2_file_sattr ) - zeek::BifEvent::enqueue_smb2_file_sattr(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_sattr(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), SMB_BuildMACTimes(${val.last_write_time}, ${val.last_access_time}, ${val.creation_time}, ${val.change_time}), - smb2_file_attrs_to_bro(${val.file_attrs})); + smb2_file_attrs_to_zeek(${val.file_attrs})); return true; %} @@ -44,8 +44,8 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request_file_rename(val: SMB2_file_rename_info): bool %{ if ( smb2_file_rename ) - zeek::BifEvent::enqueue_smb2_file_rename(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_rename(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), smb2_string2stringval(${val.filename})); @@ -56,8 +56,8 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request_file_delete(val: SMB2_file_disposition_info): bool %{ if ( smb2_file_delete ) - zeek::BifEvent::enqueue_smb2_file_delete(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_delete(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), (${val.delete_pending} > 0)); @@ -68,8 +68,8 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request_file_allocation(val: SMB2_file_allocation_info): bool %{ if ( smb2_file_allocation ) - zeek::BifEvent::enqueue_smb2_file_allocation(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_allocation(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), (${val.allocation_size})); 
@@ -80,8 +80,8 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request_file_endoffile(val: SMB2_file_endoffile_info): bool %{ if ( smb2_file_endoffile ) - zeek::BifEvent::enqueue_smb2_file_endoffile(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_endoffile(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), ${val.endoffile}); @@ -104,8 +104,8 @@ refine connection SMB_Conn += { eas->Assign(i, std::move(r)); } - zeek::BifEvent::enqueue_smb2_file_fullea(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_fullea(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), std::move(eas)); @@ -117,8 +117,8 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request_file_link(val: SMB2_file_link_info): bool %{ if ( smb2_file_link ) - zeek::BifEvent::enqueue_smb2_file_link(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_link(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), ${val.root_directory}, @@ -130,8 +130,8 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request_file_mode(val: SMB2_file_mode_info): bool %{ if ( smb2_file_mode ) - zeek::BifEvent::enqueue_smb2_file_mode(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_mode(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), ${val.mode}); 
@@ -142,8 +142,8 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request_file_pipe(val: SMB2_file_pipe_info): bool %{ if ( smb2_file_pipe ) - zeek::BifEvent::enqueue_smb2_file_pipe(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_pipe(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), ${val.read_mode}, @@ -155,8 +155,8 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request_file_position(val: SMB2_file_position_info): bool %{ if ( smb2_file_position ) - zeek::BifEvent::enqueue_smb2_file_position(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_position(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), ${val.current_byte_offset}); @@ -167,8 +167,8 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request_file_shortname(val: SMB2_file_shortname_info): bool %{ if ( smb2_file_shortname ) - zeek::BifEvent::enqueue_smb2_file_shortname(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_shortname(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), smb2_string2stringval(${val.filename})); @@ -179,8 +179,8 @@ refine connection SMB_Conn += { function proc_smb2_set_info_request_file_validdatalength(val: SMB2_file_validdatalength_info): bool %{ if ( smb2_file_validdatalength ) - zeek::BifEvent::enqueue_smb2_file_validdatalength(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_smb2_file_validdatalength(zeek_analyzer(), + zeek_analyzer()->Conn(), BuildSMB2HeaderVal(${val.sir.header}), BuildSMB2GUID(${val.sir.file_id}), ${val.validdatalength}); 
@@ -200,8 +200,8 @@ refine connection SMB_Conn += {
 r->Assign(4, zeek::val_mgr->Count(${val.default_quota_limit}));
 r->Assign(5, zeek::val_mgr->Count(${val.file_system_control_flags}));
 
- zeek::BifEvent::enqueue_smb2_file_fscontrol(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb2_file_fscontrol(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 BuildSMB2HeaderVal(${val.sir.header}),
 BuildSMB2GUID(${val.sir.file_id}),
 std::move(r));
@@ -213,8 +213,8 @@ refine connection SMB_Conn += {
 function proc_smb2_set_info_request_file_fsobjectid(val: SMB2_file_fsobjectid_info): bool
 %{
 if ( smb2_file_fsobjectid )
- zeek::BifEvent::enqueue_smb2_file_fsobjectid(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb2_file_fsobjectid(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 BuildSMB2HeaderVal(${val.sir.header}),
 BuildSMB2GUID(${val.sir.file_id}),
 BuildSMB2GUID(${val.object_id}),
diff --git a/src/analyzer/protocol/smb/smb2-com-transform-header.pac b/src/analyzer/protocol/smb/smb2-com-transform-header.pac
index e24c6d5ed8..1c28a91f6d 100644
--- a/src/analyzer/protocol/smb/smb2-com-transform-header.pac
+++ b/src/analyzer/protocol/smb/smb2-com-transform-header.pac
@@ -11,8 +11,8 @@ refine connection SMB_Conn += {
 r->Assign(3, zeek::val_mgr->Count(${hdr.flags}));
 r->Assign(4, zeek::val_mgr->Count(${hdr.session_id}));
 
- zeek::BifEvent::enqueue_smb2_transform_header(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb2_transform_header(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 std::move(r));
 }
 
diff --git a/src/analyzer/protocol/smb/smb2-com-tree-connect.pac b/src/analyzer/protocol/smb/smb2-com-tree-connect.pac
index b89265506a..cc7af36b4d 100644
--- a/src/analyzer/protocol/smb/smb2-com-tree-connect.pac
+++ b/src/analyzer/protocol/smb/smb2-com-tree-connect.pac
@@ -3,8 +3,8 @@ refine connection SMB_Conn += {
 function proc_smb2_tree_connect_request(header: SMB2_Header, val: SMB2_tree_connect_request): bool
 %{
 if ( smb2_tree_connect_request )
- zeek::BifEvent::enqueue_smb2_tree_connect_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb2_tree_connect_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 BuildSMB2HeaderVal(header),
 smb2_string2stringval(${val.path}));
 
@@ -21,8 +21,8 @@ refine connection SMB_Conn += {
 auto resp = zeek::make_intrusive(zeek::BifType::Record::SMB2::TreeConnectResponse);
 resp->Assign(0, zeek::val_mgr->Count(${val.share_type}));
 
- zeek::BifEvent::enqueue_smb2_tree_connect_response(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb2_tree_connect_response(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 BuildSMB2HeaderVal(header),
 std::move(resp));
 }
diff --git a/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac b/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac
index ebfe3cf367..82185e5f0e 100644
--- a/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac
+++ b/src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac
@@ -7,8 +7,8 @@ refine connection SMB_Conn += {
 
 if ( smb2_tree_disconnect_request )
 {
- zeek::BifEvent::enqueue_smb2_tree_disconnect_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb2_tree_disconnect_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 BuildSMB2HeaderVal(header));
 }
 
@@ -19,8 +19,8 @@ refine connection SMB_Conn += {
 %{
 if ( smb2_tree_disconnect_response )
 {
- zeek::BifEvent::enqueue_smb2_tree_disconnect_response(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb2_tree_disconnect_response(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 BuildSMB2HeaderVal(header));
 }
 
diff --git a/src/analyzer/protocol/smb/smb2-com-write.pac b/src/analyzer/protocol/smb/smb2-com-write.pac
index 34904478fe..b9bf9d6fae 100644
--- a/src/analyzer/protocol/smb/smb2-com-write.pac
+++ b/src/analyzer/protocol/smb/smb2-com-write.pac
@@ -4,8 +4,8 @@ refine connection SMB_Conn += {
 %{
 if ( smb2_write_request )
 {
- zeek::BifEvent::enqueue_smb2_write_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb2_write_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 BuildSMB2HeaderVal(h),
 BuildSMB2GUID(${val.file_id}),
 ${val.offset},
@@ -15,8 +15,8 @@ refine connection SMB_Conn += {
 if ( ! ${h.is_pipe} && ${val.data}.length() > 0 )
 {
 zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, ${val.offset},
- bro_analyzer()->GetAnalyzerTag(),
- bro_analyzer()->Conn(), h->is_orig());
+ zeek_analyzer()->GetAnalyzerTag(),
+ zeek_analyzer()->Conn(), h->is_orig());
 }
 
 return true;
@@ -27,8 +27,8 @@ refine connection SMB_Conn += {
 
 if ( smb2_write_response )
 {
- zeek::BifEvent::enqueue_smb2_write_response(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb2_write_response(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 BuildSMB2HeaderVal(h),
 ${val.write_count});
 }
diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac
index 9f12838037..f6a1931a82 100644
--- a/src/analyzer/protocol/smb/smb2-protocol.pac
+++ b/src/analyzer/protocol/smb/smb2-protocol.pac
@@ -4,7 +4,7 @@
 %header{
 zeek::RecordValPtr BuildSMB2HeaderVal(SMB2_Header* hdr);
 zeek::RecordValPtr BuildSMB2GUID(SMB2_guid* file_id);
-zeek::RecordValPtr smb2_file_attrs_to_bro(SMB2_file_attributes* val);
+zeek::RecordValPtr smb2_file_attrs_to_zeek(SMB2_file_attributes* val);
 zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv);
 %}
 
@@ -33,7 +33,7 @@ zeek::RecordValPtr BuildSMB2GUID(SMB2_guid* file_id)
 return r;
 }
 
-zeek::RecordValPtr smb2_file_attrs_to_bro(SMB2_file_attributes* val)
+zeek::RecordValPtr smb2_file_attrs_to_zeek(SMB2_file_attributes* val)
 {
 auto r = zeek::make_intrusive(zeek::BifType::Record::SMB2::FileAttrs);
 r->Assign(0, zeek::val_mgr->Bool(${val.read_only}));
@@ -250,7 +250,7 @@ refine connection SMB_Conn += {
 
 if ( smb2_message )
 {
- zeek::BifEvent::enqueue_smb2_message(bro_analyzer(), bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_smb2_message(zeek_analyzer(), zeek_analyzer()->Conn(),
 BuildSMB2HeaderVal(h), is_orig);
 }
 return true;
diff --git a/src/analyzer/protocol/snmp/snmp-analyzer.pac b/src/analyzer/protocol/snmp/snmp-analyzer.pac
index a0e4894711..90470f6206 100644
--- a/src/analyzer/protocol/snmp/snmp-analyzer.pac
+++ b/src/analyzer/protocol/snmp/snmp-analyzer.pac
@@ -207,8 +207,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_get_request )
 return false;
 
- zeek::BifEvent::enqueue_snmp_get_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_get_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${pdu.header.is_orig},
 build_hdr(${pdu.header}),
 build_pdu(${pdu.pdu}));
@@ -220,8 +220,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_get_next_request )
 return false;
 
- zeek::BifEvent::enqueue_snmp_get_next_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_get_next_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${pdu.header.is_orig},
 build_hdr(${pdu.header}),
 build_pdu(${pdu.pdu}));
@@ -233,8 +233,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_response )
 return false;
 
- zeek::BifEvent::enqueue_snmp_response(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_response(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${pdu.header.is_orig},
 build_hdr(${pdu.header}),
 build_pdu(${pdu.pdu}));
@@ -246,8 +246,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_set_request )
 return false;
 
- zeek::BifEvent::enqueue_snmp_set_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_set_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${pdu.header.is_orig},
 build_hdr(${pdu.header}),
 build_pdu(${pdu.pdu}));
@@ -259,8 +259,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_trap )
 return false;
 
- zeek::BifEvent::enqueue_snmp_trap(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_trap(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${pdu.header.is_orig},
 build_hdr(${pdu.header}),
 build_trap_pdu(${pdu}));
@@ -272,8 +272,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_get_bulk_request )
 return false;
 
- zeek::BifEvent::enqueue_snmp_get_bulk_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_get_bulk_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${pdu.header.is_orig},
 build_hdr(${pdu.header}),
 build_bulk_pdu(${pdu}));
@@ -285,8 +285,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_inform_request )
 return false;
 
- zeek::BifEvent::enqueue_snmp_inform_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_inform_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${pdu.header.is_orig},
 build_hdr(${pdu.header}),
 build_pdu(${pdu.pdu}));
@@ -298,8 +298,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_trapV2 )
 return false;
 
- zeek::BifEvent::enqueue_snmp_trapV2(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_trapV2(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${pdu.header.is_orig},
 build_hdr(${pdu.header}),
 build_pdu(${pdu.pdu}));
@@ -311,8 +311,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_report )
 return false;
 
- zeek::BifEvent::enqueue_snmp_report(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_report(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${pdu.header.is_orig},
 build_hdr(${pdu.header}),
 build_pdu(${pdu.pdu}));
@@ -324,8 +324,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_unknown_header_version )
 return false;
 
- zeek::BifEvent::enqueue_snmp_unknown_header_version(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_unknown_header_version(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${rec.header.is_orig},
 ${rec.header.version});
 return true;
@@ -336,8 +336,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_unknown_pdu )
 return false;
 
- zeek::BifEvent::enqueue_snmp_unknown_pdu(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_unknown_pdu(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${rec.header.is_orig},
 build_hdr(${rec.header}),
 ${rec.tag});
@@ -349,8 +349,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_unknown_scoped_pdu )
 return false;
 
- zeek::BifEvent::enqueue_snmp_unknown_scoped_pdu(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_unknown_scoped_pdu(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${rec.header.is_orig},
 build_hdr(${rec.header}),
 ${rec.tag});
@@ -362,8 +362,8 @@ refine connection SNMP_Conn += {
 if ( ! snmp_encrypted_pdu )
 return false;
 
- zeek::BifEvent::enqueue_snmp_encrypted_pdu(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_snmp_encrypted_pdu(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 ${rec.header.is_orig},
 build_hdr(${rec.header}));
 return true;
@@ -372,7 +372,7 @@ refine connection SNMP_Conn += {
 function proc_header(rec: Header): bool
 %{
 if ( ! ${rec.is_orig} )
- bro_analyzer()->ProtocolConfirmation();
+ zeek_analyzer()->ProtocolConfirmation();
 
 if ( rec->unknown() )
 return false;
@@ -385,7 +385,7 @@ refine connection SNMP_Conn += {
 if ( rec->flags()->encoding()->content().length() == 1 )
 return true;
 
- bro_analyzer()->ProtocolViolation("Invalid v3 HeaderData msgFlags");
+ zeek_analyzer()->ProtocolViolation("Invalid v3 HeaderData msgFlags");
 return false;
 %}
 
diff --git a/src/analyzer/protocol/snmp/snmp.pac b/src/analyzer/protocol/snmp/snmp.pac
index 33bdecf24a..cbc69e5e6c 100644
--- a/src/analyzer/protocol/snmp/snmp.pac
+++ b/src/analyzer/protocol/snmp/snmp.pac
@@ -1,5 +1,5 @@
 %include binpac.pac
-%include bro.pac
+%include zeek.pac
 
 %extern{
 #include "Reporter.h"
@@ -12,7 +12,7 @@ analyzer SNMP withcontext {
 flow: SNMP_Flow;
 };
 
-connection SNMP_Conn(bro_analyzer: BroAnalyzer) {
+connection SNMP_Conn(zeek_analyzer: ZeekAnalyzer) {
 upflow = SNMP_Flow(true);
 downflow = SNMP_Flow(false);
 };
diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac
index a0b16e30d3..2226c1aa7f 100644
--- a/src/analyzer/protocol/socks/socks-analyzer.pac
+++ b/src/analyzer/protocol/socks/socks-analyzer.pac
@@ -31,8 +31,8 @@ refine connection SOCKS_Conn += {
 if ( ${request.v4a} )
 sa->Assign(1, array_to_string(${request.name}));
 
- zeek::BifEvent::enqueue_socks_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_socks_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 4,
 ${request.command},
 std::move(sa),
@@ -40,7 +40,7 @@ refine connection SOCKS_Conn += {
 array_to_string(${request.user}));
 }
 
- static_cast(bro_analyzer())->EndpointDone(true);
+ static_cast(zeek_analyzer())->EndpointDone(true);
 return true;
 %}
 
@@ -53,16 +53,16 @@ refine connection SOCKS_Conn += {
 auto sa = zeek::make_intrusive(socks_address);
 sa->Assign(0, zeek::make_intrusive(htonl(${reply.addr})));
 
- zeek::BifEvent::enqueue_socks_reply(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_socks_reply(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 4,
 ${reply.status},
 std::move(sa),
 zeek::val_mgr->Port(${reply.port}, TRANSPORT_TCP));
 }
 
- bro_analyzer()->ProtocolConfirmation();
- static_cast(bro_analyzer())->EndpointDone(false);
+ zeek_analyzer()->ProtocolConfirmation();
+ static_cast(zeek_analyzer())->EndpointDone(false);
 return true;
 %}
 
@@ -70,15 +70,15 @@ refine connection SOCKS_Conn += {
 %{
 if ( ${request.reserved} != 0 )
 {
- bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value in reserved field: %d", ${request.reserved}));
- bro_analyzer()->SetSkip(true);
+ zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value in reserved field: %d", ${request.reserved}));
+ zeek_analyzer()->SetSkip(true);
 return false;
 }
 
 if ( (${request.command} == 0) || (${request.command} > 3) )
 {
- bro_analyzer()->ProtocolViolation(zeek::util::fmt("undefined value in command field: %d", ${request.command}));
- bro_analyzer()->SetSkip(true);
+ zeek_analyzer()->ProtocolViolation(zeek::util::fmt("undefined value in command field: %d", ${request.command}));
+ zeek_analyzer()->SetSkip(true);
 return false;
 }
 
@@ -102,20 +102,20 @@ refine connection SOCKS_Conn += {
 
 break;
 default:
- bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${request.remote_name.addr_type}));
+ zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${request.remote_name.addr_type}));
 return false;
 }
 
 if ( socks_request )
- zeek::BifEvent::enqueue_socks_request(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_socks_request(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 5,
 ${request.command},
 std::move(sa),
 zeek::val_mgr->Port(${request.port}, TRANSPORT_TCP),
 zeek::val_mgr->EmptyString());
 
- static_cast(bro_analyzer())->EndpointDone(true);
+ static_cast(zeek_analyzer())->EndpointDone(true);
 return true;
 %}
 
@@ -142,20 +142,20 @@ refine connection SOCKS_Conn += {
 
 break;
 default:
- bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${reply.bound.addr_type}));
+ zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${reply.bound.addr_type}));
 return false;
 }
 
 if ( socks_reply )
- zeek::BifEvent::enqueue_socks_reply(bro_analyzer(),
- bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_socks_reply(zeek_analyzer(),
+ zeek_analyzer()->Conn(),
 5,
 ${reply.reply},
 std::move(sa),
 zeek::val_mgr->Port(${reply.port}, TRANSPORT_TCP));
 
- bro_analyzer()->ProtocolConfirmation();
- static_cast(bro_analyzer())->EndpointDone(false);
+ zeek_analyzer()->ProtocolConfirmation();
+ static_cast(zeek_analyzer())->EndpointDone(false);
 return true;
 %}
 
@@ -167,36 +167,36 @@ refine connection SOCKS_Conn += { auto user = zeek::make_intrusive(${request.username}.length(), (const char*) ${request.username}.begin()); auto pass = zeek::make_intrusive(${request.password}.length(), (const char*) ${request.password}.begin()); - zeek::BifEvent::enqueue_socks_login_userpass_request(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_socks_login_userpass_request(zeek_analyzer(), + zeek_analyzer()->Conn(), std::move(user), std::move(pass)); return true; %} function socks5_unsupported_authentication_method(auth_method: uint8): bool %{ - zeek::reporter->Weird(bro_analyzer()->Conn(), "socks5_unsupported_authentication_method", zeek::util::fmt("%d", auth_method)); + zeek::reporter->Weird(zeek_analyzer()->Conn(), "socks5_unsupported_authentication_method", zeek::util::fmt("%d", auth_method)); return true; %} function socks5_unsupported_authentication_version(auth_method: uint8, version: uint8): bool %{ - zeek::reporter->Weird(bro_analyzer()->Conn(), "socks5_unsupported_authentication", zeek::util::fmt("method %d, version %d", auth_method, version)); + zeek::reporter->Weird(zeek_analyzer()->Conn(), "socks5_unsupported_authentication", zeek::util::fmt("method %d, version %d", auth_method, version)); return true; %} function socks5_auth_reply_userpass(reply: SOCKS5_Auth_Reply_UserPass_v1): bool %{ if ( socks_login_userpass_reply ) - zeek::BifEvent::enqueue_socks_login_userpass_reply(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_socks_login_userpass_reply(zeek_analyzer(), + zeek_analyzer()->Conn(), ${reply.code}); return true; %} function version_error(version: uint8): bool %{ - bro_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported/unknown SOCKS version %d", version)); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported/unknown SOCKS version %d", version)); return true; %} 
diff --git a/src/analyzer/protocol/socks/socks.pac b/src/analyzer/protocol/socks/socks.pac
index a6c4ad3605..551dff8b54 100644
--- a/src/analyzer/protocol/socks/socks.pac
+++ b/src/analyzer/protocol/socks/socks.pac
@@ -1,5 +1,5 @@
 %include binpac.pac
-%include bro.pac
+%include zeek.pac
 
 %extern{
 #include "SOCKS.h"
@@ -13,7 +13,7 @@ analyzer SOCKS withcontext {
 flow: SOCKS_Flow;
 };
 
-connection SOCKS_Conn(bro_analyzer: BroAnalyzer) {
+connection SOCKS_Conn(zeek_analyzer: ZeekAnalyzer) {
 upflow = SOCKS_Flow(true);
 downflow = SOCKS_Flow(false);
 };
diff --git a/src/analyzer/protocol/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc
index 518f175cbb..c706d58b24 100644
--- a/src/analyzer/protocol/ssh/SSH.cc
+++ b/src/analyzer/protocol/ssh/SSH.cc
@@ -91,8 +91,8 @@ void SSH_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 void SSH_Analyzer::ProcessEncryptedSegment(int len, bool orig)
 {
 if ( ssh_encrypted_packet )
- zeek::BifEvent::enqueue_ssh_encrypted_packet(interp->bro_analyzer(),
- interp->bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_ssh_encrypted_packet(interp->zeek_analyzer(),
+ interp->zeek_analyzer()->Conn(),
 orig, len);
 
 if ( ! auth_decision_made )
@@ -132,9 +132,9 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
 {
 auth_decision_made = true;
 if ( ssh_auth_attempted )
- zeek::BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
+ zeek::BifEvent::enqueue_ssh_auth_attempted(interp->zeek_analyzer(), interp->zeek_analyzer()->Conn(), true);
 if ( ssh_auth_successful )
- zeek::BifEvent::enqueue_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
+ zeek::BifEvent::enqueue_ssh_auth_successful(interp->zeek_analyzer(), interp->zeek_analyzer()->Conn(), true);
 return;
 }
 
@@ -159,7 +159,7 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
 if ( len == userauth_failure_size )
 {
 if ( ssh_auth_attempted )
- zeek::BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
+ zeek::BifEvent::enqueue_ssh_auth_attempted(interp->zeek_analyzer(), interp->zeek_analyzer()->Conn(), false);
 return;
 }
 
@@ -168,9 +168,9 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
 {
 auth_decision_made = true;
 if ( ssh_auth_attempted )
- zeek::BifEvent::enqueue_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
+ zeek::BifEvent::enqueue_ssh_auth_attempted(interp->zeek_analyzer(), interp->zeek_analyzer()->Conn(), true);
 if ( ssh_auth_successful )
- zeek::BifEvent::enqueue_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
+ zeek::BifEvent::enqueue_ssh_auth_successful(interp->zeek_analyzer(), interp->zeek_analyzer()->Conn(), false);
 return;
 }
 }
diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac
index 1a7529c993..59a6864083 100644
--- a/src/analyzer/protocol/ssh/ssh-analyzer.pac
+++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac
@@ -52,14 +52,14 @@ refine flow SSH_Flow += {
 %{
 if ( ssh_client_version && ${msg.is_orig } )
 {
- zeek::BifEvent::enqueue_ssh_client_version(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_ssh_client_version(connection()->zeek_analyzer(),
+ connection()->zeek_analyzer()->Conn(),
 to_stringval(${msg.version}));
 }
 else if ( ssh_server_version )
 {
- zeek::BifEvent::enqueue_ssh_server_version(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
+ zeek::BifEvent::enqueue_ssh_server_version(connection()->zeek_analyzer(),
+ connection()->zeek_analyzer()->Conn(),
 to_stringval(${msg.version}));
 }
 return true;
@@ -103,8 +103,8 @@ refine flow SSH_Flow += { result->Assign(6, zeek::val_mgr->Bool(!${msg.is_orig})); - zeek::BifEvent::enqueue_ssh_capabilities(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), to_stringval(${msg.cookie}), + zeek::BifEvent::enqueue_ssh_capabilities(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), to_stringval(${msg.cookie}), result); return true; @@ -115,8 +115,8 @@ refine flow SSH_Flow += { %{ if ( ssh2_dh_server_params ) { - zeek::BifEvent::enqueue_ssh2_dh_server_params(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssh2_dh_server_params(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), to_stringval(${msg.p.val}), to_stringval(${msg.g.val})); } return true; @@ -126,8 +126,8 @@ refine flow SSH_Flow += { %{ if ( ssh2_ecc_key ) { - zeek::BifEvent::enqueue_ssh2_ecc_key(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssh2_ecc_key(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), is_orig, to_stringval(q)); } return true; @@ -137,8 +137,8 @@ refine flow SSH_Flow += { %{ if ( ssh2_gss_error ) { - zeek::BifEvent::enqueue_ssh2_gss_error(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssh2_gss_error(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${msg.major_status}, ${msg.minor_status}, to_stringval(${msg.message.val})); } @@ -149,8 +149,8 @@ refine flow SSH_Flow += { %{ if ( ssh2_server_host_key ) { - zeek::BifEvent::enqueue_ssh2_server_host_key(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssh2_server_host_key(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), to_stringval(${key})); } return true; 
@@ -160,8 +160,8 @@ refine flow SSH_Flow += { %{ if ( ssh1_server_host_key ) { - zeek::BifEvent::enqueue_ssh1_server_host_key(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssh1_server_host_key(connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), to_stringval(${p}), to_stringval(${e})); } @@ -170,7 +170,7 @@ refine flow SSH_Flow += { function proc_newkeys(): bool %{ - connection()->bro_analyzer()->ProtocolConfirmation(); + connection()->zeek_analyzer()->ProtocolConfirmation(); return true; %} diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac index 56b65d25c0..cf6f232247 100644 --- a/src/analyzer/protocol/ssh/ssh-protocol.pac +++ b/src/analyzer/protocol/ssh/ssh-protocol.pac @@ -442,7 +442,7 @@ refine connection SSH_Conn += { return true; - bro_analyzer()->Weird("ssh_unknown_kex_algorithm", c_str(kex_algorithm_)); + zeek_analyzer()->Weird("ssh_unknown_kex_algorithm", c_str(kex_algorithm_)); return true; } diff --git a/src/analyzer/protocol/ssh/ssh.pac b/src/analyzer/protocol/ssh/ssh.pac index 2358f056da..6fbab0105c 100644 --- a/src/analyzer/protocol/ssh/ssh.pac +++ b/src/analyzer/protocol/ssh/ssh.pac @@ -5,7 +5,7 @@ # - ssh-analyzer.pac: describes the SSH analyzer code %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "types.bif.h" @@ -18,7 +18,7 @@ analyzer SSH withcontext { }; # Our connection consists of two flows, one in each direction. -connection SSH_Conn(bro_analyzer: BroAnalyzer) { +connection SSH_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = SSH_Flow(true); downflow = SSH_Flow(false); }; diff --git a/src/analyzer/protocol/ssl/dtls-analyzer.pac b/src/analyzer/protocol/ssl/dtls-analyzer.pac index c650483332..0fa6fbceba 100644 --- a/src/analyzer/protocol/ssl/dtls-analyzer.pac +++ b/src/analyzer/protocol/ssl/dtls-analyzer.pac 
@@ -42,7 +42,7 @@ refine connection SSL_Conn += {
 if ( foffset == 0 && length == flength )
 {
 //fprintf(stderr, "Complete fragment, forwarding...\n");
- bro_analyzer()->SendHandshake(${pdu.raw_tls_version}, ${rec.msg_type}, length, ${rec.data}.begin(), ${rec.data}.end(), ${pdu.is_orig});
+ zeek_analyzer()->SendHandshake(${pdu.raw_tls_version}, ${rec.msg_type}, length, ${rec.data}.begin(), ${rec.data}.end(), ${pdu.is_orig});
 return true;
 }
 
@@ -55,7 +55,7 @@ refine connection SSL_Conn += {
 
 if ( length > MAX_DTLS_HANDSHAKE_RECORD )
 {
- bro_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS record length %" PRId64 " larger than allowed maximum.", length));
+ zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS record length %" PRId64 " larger than allowed maximum.", length));
 return true;
 }
 
@@ -77,7 +77,7 @@ refine connection SSL_Conn += {
 {
 if ( i->first_sequence_seen )
 {
- bro_analyzer()->ProtocolViolation("Saw second and different first message fragment for handshake.");
+ zeek_analyzer()->ProtocolViolation("Saw second and different first message fragment for handshake.");
 return true;
 }
 // first sequence number was incorrect, let's fix that.
@@ -97,13 +97,13 @@ refine connection SSL_Conn += {
 // copy data from fragment to buffer
 if ( ${rec.data}.length() != flength )
 {
- bro_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS handshake record length does not match packet length"));
+ zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS handshake record length does not match packet length"));
 return true;
 }
 
 if ( foffset + flength > length )
 {
- bro_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS handshake fragment trying to write past end of buffer"));
+ zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS handshake fragment trying to write past end of buffer"));
 return true;
 }
 
@@ -124,14 +124,14 @@ refine connection SSL_Conn += {
 uint64 total_length = i->message_last_sequence - i->message_first_sequence;
 if ( total_length > 30 )
 {
- bro_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS Message fragmented over more than 30 pieces. Cannot reassemble."));
+ zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS Message fragmented over more than 30 pieces. Cannot reassemble."));
 return true;
 }
 
 if ( ( ~(i->message_sequence_seen) & ( ( 1<<(total_length+1) ) -1 ) ) == 0 )
 {
 //fprintf(stderr, "ALl fragments here. Total length %u\n", length);
- bro_analyzer()->SendHandshake(${pdu.raw_tls_version}, ${rec.msg_type}, length, i->buffer, i->buffer + length, ${pdu.is_orig});
+ zeek_analyzer()->SendHandshake(${pdu.raw_tls_version}, ${rec.msg_type}, length, i->buffer, i->buffer + length, ${pdu.is_orig});
 }
 }
 
diff --git a/src/analyzer/protocol/ssl/dtls-protocol.pac b/src/analyzer/protocol/ssl/dtls-protocol.pac
index ded8549388..e81ef4484f 100644
--- a/src/analyzer/protocol/ssl/dtls-protocol.pac
+++ b/src/analyzer/protocol/ssl/dtls-protocol.pac
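Review bot: The all-fragments test `( ~(i->message_sequence_seen) & ( ( 1<<(total_length+1) ) -1 ) ) == 0` in this dtls-analyzer hunk is pre-existing context rather than something the rename introduces, but it shifts the int literal `1` by up to 31 bits, because the guard `total_length > 30` still admits `total_length == 30`; `1 << 31` overflows a 32-bit signed int and is undefined behaviour before C++20, so the reassembly decision for a 31-fragment message is not well defined. Using an unsigned wide literal removes that, e.g. `( ~(i->message_sequence_seen) & ( ( 1ULL << (total_length + 1) ) - 1 ) ) == 0`, provided the mask width matches the type of `message_sequence_seen`, which is declared outside this hunk and should be confirmed. The enclosing function starts before the hunk and continues past it.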
@@ -63,22 +63,22 @@ refine connection SSL_Conn += { // Reset only to 0 once we have seen a client hello. // This means the connection gets a limited amount of valid/invalid // packets before a client hello has to be seen - which seems reasonable. - if ( bro_analyzer()->ProtocolConfirmed() ) + if ( zeek_analyzer()->ProtocolConfirmed() ) invalid_version_count_ = 0; return true; default: invalid_version_count_++; - if ( bro_analyzer()->ProtocolConfirmed() ) + if ( zeek_analyzer()->ProtocolConfirmed() ) { reported_errors_++; if ( reported_errors_ <= zeek::BifConst::SSL::dtls_max_reported_version_errors ) - bro_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in DTLS connection. Packet reported version: %d", version)); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in DTLS connection. Packet reported version: %d", version)); } if ( invalid_version_count_ > zeek::BifConst::SSL::dtls_max_version_errors ) - bro_analyzer()->SetSkip(true); + zeek_analyzer()->SetSkip(true); return false; } %} diff --git a/src/analyzer/protocol/ssl/dtls.pac b/src/analyzer/protocol/ssl/dtls.pac index 05dd3b7d06..c53b5491d9 100644 --- a/src/analyzer/protocol/ssl/dtls.pac +++ b/src/analyzer/protocol/ssl/dtls.pac @@ -1,7 +1,7 @@ # binpac file for SSL analyzer %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" @@ -20,7 +20,7 @@ analyzer DTLS withcontext { flow: DTLS_Flow; }; -connection SSL_Conn(bro_analyzer: DTLSAnalyzer) { +connection SSL_Conn(zeek_analyzer: DTLSAnalyzer) { upflow = DTLS_Flow(true); downflow = DTLS_Flow(false); }; diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac index 167476999c..a82772d2b4 100644 --- a/src/analyzer/protocol/ssl/proc-certificate.pac +++ b/src/analyzer/protocol/ssl/proc-certificate.pac 
@@ -5,9 +5,9 @@
 
 zeek::ODesc common;
 common.AddRaw("Analyzer::ANALYZER_SSL");
- common.Add(bro_analyzer()->Conn()->StartTime());
+ common.Add(zeek_analyzer()->Conn()->StartTime());
 common.AddRaw(is_orig ? "T" : "F", 1);
- bro_analyzer()->Conn()->IDString(&common);
+ zeek_analyzer()->Conn()->IDString(&common);
 
 static const string user_mime = "application/x-x509-user-cert";
 static const string ca_mime = "application/x-x509-ca-cert";
@@ -18,7 +18,7 @@
 
 if ( cert.length() <= 0 )
 {
- zeek::reporter->Weird(bro_analyzer()->Conn(), "zero_length_certificate");
+ zeek::reporter->Weird(zeek_analyzer()->Conn(), "zero_length_certificate");
 continue;
 }
 
@@ -29,8 +29,8 @@
 
 string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
 zeek::file_mgr->DataIn(reinterpret_cast(cert.data()),
- cert.length(), bro_analyzer()->GetAnalyzerTag(),
- bro_analyzer()->Conn(), is_orig,
+ cert.length(), zeek_analyzer()->GetAnalyzerTag(),
+ zeek_analyzer()->Conn(), is_orig,
 file_id, i == 0 ? user_mime : ca_mime);
 zeek::file_mgr->EndOfFile(file_id);
 }
diff --git a/src/analyzer/protocol/ssl/proc-client-hello.pac b/src/analyzer/protocol/ssl/proc-client-hello.pac
index af98a08c71..ae3774ed9a 100644
--- a/src/analyzer/protocol/ssl/proc-client-hello.pac
+++ b/src/analyzer/protocol/ssl/proc-client-hello.pac
@@ -8,11 +8,11 @@
 %{
 if ( ! version_ok(version) )
 {
- bro_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported client SSL version 0x%04x", version));
- bro_analyzer()->SetSkip(true);
+ zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported client SSL version 0x%04x", version));
+ zeek_analyzer()->SetSkip(true);
 }
 else
- bro_analyzer()->ProtocolConfirmation();
+ zeek_analyzer()->ProtocolConfirmation();
 
 if ( ssl_client_hello )
 {
@@ -42,7 +42,7 @@ } } - zeek::BifEvent::enqueue_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_client_hello(zeek_analyzer(), zeek_analyzer()->Conn(), version, record_version(), ts, zeek::make_intrusive(client_random.length(), (const char*) client_random.data()), diff --git a/src/analyzer/protocol/ssl/proc-server-hello.pac b/src/analyzer/protocol/ssl/proc-server-hello.pac index 092090c2f8..30356508c6 100644 --- a/src/analyzer/protocol/ssl/proc-server-hello.pac +++ b/src/analyzer/protocol/ssl/proc-server-hello.pac @@ -8,8 +8,8 @@ %{ if ( ! version_ok(version) ) { - bro_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported server SSL version 0x%04x", version)); - bro_analyzer()->SetSkip(true); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported server SSL version 0x%04x", version)); + zeek_analyzer()->SetSkip(true); } if ( ssl_server_hello ) @@ -25,8 +25,8 @@ if ( v2 == 0 && server_random.length() >= 4 ) ts = ntohl(*((uint32*)server_random.data())); - zeek::BifEvent::enqueue_ssl_server_hello(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_server_hello(zeek_analyzer(), + zeek_analyzer()->Conn(), version, record_version(), ts, zeek::make_intrusive(server_random.length(), (const char*) server_random.data()), diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac index 3e2a4a2d6a..c1a8876058 100644 --- a/src/analyzer/protocol/ssl/ssl-analyzer.pac +++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac @@ -1,4 +1,4 @@ -# Analyzer for SSL (Bro-specific part). +# Analyzer for SSL (Zeek-specific part). refine connection SSL_Conn += { 
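Review bot: The context line `ts = ntohl(*((uint32*)server_random.data()));` in the proc-server-hello hunk reads four bytes of attacker-controlled handshake data through a `uint32*` cast, which is an unaligned, type-punned access that is undefined behaviour and can fault on strict-alignment targets; it predates this rename, so it is not a regression, but it is worth fixing while the file is being touched. The existing `server_random.length() >= 4` guard already bounds the read, so a `memcpy` keeps that check and removes the cast: `uint32 ts_raw; memcpy(&ts_raw, server_random.data(), sizeof(ts_raw)); ts = ntohl(ts_raw);`. The enclosing function starts and ends outside the hunk.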
@@ -18,14 +18,14 @@ refine connection SSL_Conn += { function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool %{ if ( ssl_established ) - zeek::BifEvent::enqueue_ssl_established(bro_analyzer(), bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_ssl_established(zeek_analyzer(), zeek_analyzer()->Conn()); return true; %} function proc_handshake(rec: SSLRecord, data: bytestring, is_orig: bool) : bool %{ - bro_analyzer()->SendHandshake(${rec.raw_tls_version}, data.begin(), data.end(), is_orig); + zeek_analyzer()->SendHandshake(${rec.raw_tls_version}, data.begin(), data.end(), is_orig); return true; %} }; diff --git a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac index 126f4ce58b..0c8bfdce59 100644 --- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac +++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac @@ -32,13 +32,13 @@ refine connection SSL_Conn += { function proc_alert(rec: SSLRecord, level : int, desc : int) : bool %{ if ( ssl_alert ) - zeek::BifEvent::enqueue_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_alert(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, level, desc); return true; %} function proc_unknown_record(rec: SSLRecord) : bool %{ - bro_analyzer()->ProtocolViolation(zeek::util::fmt("unknown SSL record type (%d) from %s", + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unknown SSL record type (%d) from %s", ${rec.content_type}, orig_label(${rec.is_orig}).c_str())); return true; 
@@ -52,12 +52,12 @@ refine connection SSL_Conn += { { established_ = true; if ( ssl_established ) - zeek::BifEvent::enqueue_ssl_established(bro_analyzer(), bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_ssl_established(zeek_analyzer(), zeek_analyzer()->Conn()); } if ( ssl_encrypted_data ) - zeek::BifEvent::enqueue_ssl_encrypted_data(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length}); + zeek::BifEvent::enqueue_ssl_encrypted_data(zeek_analyzer(), + zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length}); return true; %} @@ -65,8 +65,8 @@ refine connection SSL_Conn += { function proc_plaintext_record(rec : SSLRecord) : bool %{ if ( ssl_plaintext_data ) - zeek::BifEvent::enqueue_ssl_plaintext_data(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length}); + zeek::BifEvent::enqueue_ssl_plaintext_data(zeek_analyzer(), + zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length}); return true; %} @@ -74,8 +74,8 @@ refine connection SSL_Conn += { function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool %{ if ( ssl_heartbeat ) - zeek::BifEvent::enqueue_ssl_heartbeat(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length, + zeek::BifEvent::enqueue_ssl_heartbeat(zeek_analyzer(), + zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length, zeek::make_intrusive(data.length(), (const char*) data.data())); return true; %} 
@@ -84,8 +84,8 @@ refine connection SSL_Conn += { %{ if ( version != SSLv20 ) { - bro_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in SSL server hello. Version: %d", version)); - bro_analyzer()->SetSkip(true); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in SSL server hello. Version: %d", version)); + zeek_analyzer()->SetSkip(true); return false; } @@ -96,8 +96,8 @@ refine connection SSL_Conn += { function proc_ccs(rec: SSLRecord) : bool %{ if ( ssl_change_cipher_spec ) - zeek::BifEvent::enqueue_ssl_change_cipher_spec(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}); + zeek::BifEvent::enqueue_ssl_change_cipher_spec(zeek_analyzer(), + zeek_analyzer()->Conn(), ${rec.is_orig}); return true; %} diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index 0235611aa6..26735c1f97 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -143,7 +143,7 @@ refine connection SSL_Conn += { // stop processing if we already had a protocol violation or otherwhise // decided that we do not want to parse anymore. Just setting skip is not // enough for the data that is already in the pipe. - if ( bro_analyzer()->Skipping() ) + if ( zeek_analyzer()->Skipping() ) return UNKNOWN_VERSION; // re-check record layer version to be sure that we still are synchronized with @@ -154,8 +154,8 @@ refine connection SSL_Conn += { if ( version != SSLv30 && version != TLSv10 && version != TLSv11 && version != TLSv12 ) { - bro_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version late in TLS connection. Packet reported version: %d", version)); - bro_analyzer()->SetSkip(true); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version late in TLS connection. Packet reported version: %d", version)); + zeek_analyzer()->SetSkip(true); return UNKNOWN_VERSION; } } 
@@ -171,8 +171,8 @@ refine connection SSL_Conn += { if ( version != SSLv20 && version != SSLv30 && version != TLSv10 && version != TLSv11 && version != TLSv12 ) { - bro_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in SSL client hello. Version: %d", version)); - bro_analyzer()->SetSkip(true); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in SSL client hello. Version: %d", version)); + zeek_analyzer()->SetSkip(true); return UNKNOWN_VERSION; } @@ -188,8 +188,8 @@ refine connection SSL_Conn += { else // this is not SSL or TLS. { - bro_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid headers in SSL connection. Head1: %d, head2: %d, head3: %d", head1, head2, head3)); - bro_analyzer()->SetSkip(true); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid headers in SSL connection. Head1: %d, head2: %d, head3: %d", head1, head2, head3)); + zeek_analyzer()->SetSkip(true); return UNKNOWN_VERSION; } } @@ -198,8 +198,8 @@ refine connection SSL_Conn += { if ( version != SSLv30 && version != TLSv10 && version != TLSv11 && version != TLSv12 ) { - bro_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in TLS connection. Version: %d", version)); - bro_analyzer()->SetSkip(true); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in TLS connection. Version: %d", version)); + zeek_analyzer()->SetSkip(true); return UNKNOWN_VERSION; } @@ -209,8 +209,8 @@ refine connection SSL_Conn += { return version; } - bro_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid type in TLS connection. Version: %d, Type: %d", version, head0)); - bro_analyzer()->SetSkip(true); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid type in TLS connection. Version: %d, Type: %d", version, head0)); + zeek_analyzer()->SetSkip(true); return UNKNOWN_VERSION; %} diff --git a/src/analyzer/protocol/ssl/ssl.pac b/src/analyzer/protocol/ssl/ssl.pac index 7269d2514f..e22a012e8a 100644 --- a/src/analyzer/protocol/ssl/ssl.pac 
+++ b/src/analyzer/protocol/ssl/ssl.pac @@ -6,7 +6,7 @@ # - ssl-record-layer.pac: describes the SSL record layer %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "Desc.h" @@ -25,7 +25,7 @@ analyzer SSL withcontext { flow: SSL_Flow; }; -connection SSL_Conn(bro_analyzer: SSLAnalyzer) { +connection SSL_Conn(zeek_analyzer: SSLAnalyzer) { upflow = SSL_Flow(true); downflow = SSL_Flow(false); }; diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 41972c9614..251ecae941 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -1,4 +1,4 @@ -# Analyzer for SSL/TLS Handshake protocol (Bro-specific part). +# Analyzer for SSL/TLS Handshake protocol (Zeek-specific part). %extern{ #include @@ -34,8 +34,8 @@ refine connection Handshake_Conn += { %{ if ( ssl_session_ticket_handshake ) { - zeek::BifEvent::enqueue_ssl_session_ticket_handshake(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_session_ticket_handshake(zeek_analyzer(), + zeek_analyzer()->Conn(), ${rec.ticket_lifetime_hint}, zeek::make_intrusive(${rec.data}.length(), (const char*) ${rec.data}.data())); } @@ -55,8 +55,8 @@ refine connection Handshake_Conn += { { // This should be impossible due to the binpac parser // and protocol description - bro_analyzer()->ProtocolViolation(zeek::util::fmt("Impossible extension length: %zu", length)); - bro_analyzer()->SetSkip(true); + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Impossible extension length: %zu", length)); + zeek_analyzer()->SetSkip(true); return true; } 
@@ -64,8 +64,8 @@ refine connection Handshake_Conn += { const unsigned char* data = sourcedata.begin() + 4; if ( ssl_extension ) - zeek::BifEvent::enqueue_ssl_extension(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, type, + zeek::BifEvent::enqueue_ssl_extension(zeek_analyzer(), + zeek_analyzer()->Conn(), ${rec.is_orig}, type, zeek::make_intrusive(length, reinterpret_cast(data))); return true; %} @@ -83,7 +83,7 @@ refine connection Handshake_Conn += { points->Assign(i, zeek::val_mgr->Count((*point_format_list)[i])); } - zeek::BifEvent::enqueue_ssl_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_extension_ec_point_formats(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(points)); return true; @@ -102,7 +102,7 @@ refine connection Handshake_Conn += { curves->Assign(i, zeek::val_mgr->Count((*list)[i])); } - zeek::BifEvent::enqueue_ssl_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_extension_elliptic_curves(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(curves)); return true; @@ -121,7 +121,7 @@ refine connection Handshake_Conn += { nglist->Assign(i, zeek::val_mgr->Count((*keyshare)[i]->namedgroup())); } - zeek::BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); + zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); return true; %} @@ -134,7 +134,7 @@ refine connection Handshake_Conn += { auto nglist = zeek::make_intrusive(zeek::id::index_vec); nglist->Assign(0u, zeek::val_mgr->Count(keyshare->namedgroup())); - zeek::BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); + zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); return true; %} 
@@ -146,7 +146,7 @@ refine connection Handshake_Conn += { auto nglist = zeek::make_intrusive(zeek::id::index_vec); nglist->Assign(0u, zeek::val_mgr->Count(namedgroup)); - zeek::BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); + zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); return true; %} @@ -168,7 +168,7 @@ refine connection Handshake_Conn += { } } - zeek::BifEvent::enqueue_ssl_extension_signature_algorithm(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(slist)); + zeek::BifEvent::enqueue_ssl_extension_signature_algorithm(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(slist)); return true; %} @@ -186,7 +186,7 @@ refine connection Handshake_Conn += { plist->Assign(i, zeek::make_intrusive((*protocols)[i]->name().length(), (const char*) (*protocols)[i]->name().data())); } - zeek::BifEvent::enqueue_ssl_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_extension_application_layer_protocol_negotiation(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(plist)); return true; 
@@ -203,19 +203,19 @@ refine connection Handshake_Conn += { ServerName* servername = (*list)[i]; if ( servername->name_type() != 0 ) { - bro_analyzer()->Weird("ssl_ext_unknown_server_name_type", zeek::util::fmt("%d", servername->name_type())); + zeek_analyzer()->Weird("ssl_ext_unknown_server_name_type", zeek::util::fmt("%d", servername->name_type())); continue; } if ( servername->host_name() ) servers->Assign(j++, zeek::make_intrusive(servername->host_name()->host_name().length(), (const char*) servername->host_name()->host_name().data())); else - bro_analyzer()->Weird("Empty server_name extension in ssl connection"); + zeek_analyzer()->Weird("Empty server_name extension in ssl connection"); } } if ( ssl_extension_server_name ) - zeek::BifEvent::enqueue_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_extension_server_name(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(servers)); return true; @@ -234,7 +234,7 @@ refine connection Handshake_Conn += { versions->Assign(i, zeek::val_mgr->Count((*versions_list)[i])); } - zeek::BifEvent::enqueue_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_extension_supported_versions(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(versions)); return true; @@ -248,7 +248,7 @@ refine connection Handshake_Conn += { auto versions = zeek::make_intrusive(zeek::id::index_vec); versions->Assign(0u, zeek::val_mgr->Count(version)); - zeek::BifEvent::enqueue_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_extension_supported_versions(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(versions)); return true; 
@@ -267,7 +267,7 @@ refine connection Handshake_Conn += { modes->Assign(i, zeek::val_mgr->Count((*mode_list)[i])); } - zeek::BifEvent::enqueue_ssl_extension_psk_key_exchange_modes(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_extension_psk_key_exchange_modes(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(modes)); return true; @@ -288,7 +288,7 @@ refine connection Handshake_Conn += { function proc_unknown_handshake(hs: HandshakeRecord, is_orig: bool) : bool %{ - bro_analyzer()->ProtocolViolation(zeek::util::fmt("unknown handshake message (%d) from %s", + zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unknown handshake message (%d) from %s", ${hs.msg_type}, orig_label(is_orig).c_str())); return true; %} @@ -297,9 +297,9 @@ refine connection Handshake_Conn += { %{ zeek::ODesc common; common.AddRaw("Analyzer::ANALYZER_SSL"); - common.Add(bro_analyzer()->Conn()->StartTime()); + common.Add(zeek_analyzer()->Conn()->StartTime()); common.AddRaw("F"); - bro_analyzer()->Conn()->IDString(&common); + zeek_analyzer()->Conn()->IDString(&common); if ( status_type == 1 && response.length() > 0 ) // ocsp { @@ -310,12 +310,12 @@ refine connection Handshake_Conn += { string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); zeek::file_mgr->DataIn(reinterpret_cast(response.data()), - response.length(), bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), false, file_id, "application/ocsp-response"); + response.length(), zeek_analyzer()->GetAnalyzerTag(), + zeek_analyzer()->Conn(), false, file_id, "application/ocsp-response"); if ( ssl_stapled_ocsp ) - zeek::BifEvent::enqueue_ssl_stapled_ocsp(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_stapled_ocsp(zeek_analyzer(), + zeek_analyzer()->Conn(), ${rec.is_orig}, zeek::make_intrusive(response.length(), (const char*) response.data())); 
@@ -323,7 +323,7 @@ refine connection Handshake_Conn += { } else if ( response.length() == 0 ) { - zeek::reporter->Weird(bro_analyzer()->Conn(), "SSL_zero_length_stapled_OCSP_message"); + zeek::reporter->Weird(zeek_analyzer()->Conn(), "SSL_zero_length_stapled_OCSP_message"); } return true; @@ -335,8 +335,8 @@ refine connection Handshake_Conn += { return true; if ( ssl_ecdh_server_params ) - zeek::BifEvent::enqueue_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_ecdh_server_params(zeek_analyzer(), + zeek_analyzer()->Conn(), ${kex.params.curve}, zeek::make_intrusive(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); @@ -356,8 +356,8 @@ refine connection Handshake_Conn += { ha->Assign(1, zeek::val_mgr->Count(256)); } - zeek::BifEvent::enqueue_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_server_signature(zeek_analyzer(), + zeek_analyzer()->Conn(), std::move(ha), zeek::make_intrusive(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data())); } @@ -371,8 +371,8 @@ refine connection Handshake_Conn += { return true; if ( ssl_ecdh_server_params ) - zeek::BifEvent::enqueue_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_ecdh_server_params(zeek_analyzer(), + zeek_analyzer()->Conn(), ${kex.params.curve}, zeek::make_intrusive(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); @@ -382,8 +382,8 @@ refine connection Handshake_Conn += { function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool %{ if ( ssl_rsa_client_pms ) - zeek::BifEvent::enqueue_ssl_rsa_client_pms(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_rsa_client_pms(zeek_analyzer(), + zeek_analyzer()->Conn(), zeek::make_intrusive(rsa_pms.length(), (const char*)rsa_pms.data())); return true; 
@@ -392,8 +392,8 @@ refine connection Handshake_Conn += { function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool %{ if ( ssl_dh_client_params ) - zeek::BifEvent::enqueue_ssl_dh_client_params(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_dh_client_params(zeek_analyzer(), + zeek_analyzer()->Conn(), zeek::make_intrusive(Yc.length(), (const char*)Yc.data())); return true; @@ -402,8 +402,8 @@ refine connection Handshake_Conn += { function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool %{ if ( ssl_ecdh_client_params ) - zeek::BifEvent::enqueue_ssl_ecdh_client_params(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_ecdh_client_params(zeek_analyzer(), + zeek_analyzer()->Conn(), zeek::make_intrusive(point.length(), (const char*)point.data())); return true; @@ -418,8 +418,8 @@ refine connection Handshake_Conn += { ha->Assign(0, zeek::val_mgr->Count(digitally_signed_algorithms->HashAlgorithm())); ha->Assign(1, zeek::val_mgr->Count(digitally_signed_algorithms->SignatureAlgorithm())); - zeek::BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, + zeek::BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(zeek_analyzer(), + zeek_analyzer()->Conn(), ${rec.is_orig}, version, zeek::make_intrusive(logid.length(), reinterpret_cast(logid.begin())), timestamp, 
@@ -433,8 +433,8 @@ refine connection Handshake_Conn += { function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: ServerKeyExchangeSignature) : bool %{ if ( ssl_ecdh_server_params ) - zeek::BifEvent::enqueue_ssl_dh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_dh_server_params(zeek_analyzer(), + zeek_analyzer()->Conn(), zeek::make_intrusive(p.length(), (const char*) p.data()), zeek::make_intrusive(g.length(), (const char*) g.data()), zeek::make_intrusive(Ys.length(), (const char*) Ys.data()) @@ -456,8 +456,8 @@ refine connection Handshake_Conn += { ha->Assign(1, zeek::val_mgr->Count(256)); } - zeek::BifEvent::enqueue_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), std::move(ha), + zeek::BifEvent::enqueue_ssl_server_signature(zeek_analyzer(), + zeek_analyzer()->Conn(), std::move(ha), zeek::make_intrusive(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data()) ); } @@ -468,8 +468,8 @@ refine connection Handshake_Conn += { function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool %{ if ( ssl_dh_server_params ) - zeek::BifEvent::enqueue_ssl_dh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_dh_server_params(zeek_analyzer(), + zeek_analyzer()->Conn(), zeek::make_intrusive(p.length(), (const char*) p.data()), zeek::make_intrusive(g.length(), (const char*) g.data()), zeek::make_intrusive(Ys.length(), (const char*) Ys.data()) 
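Review bot: The guard on the context line directly above the added `enqueue_ssl_dh_server_params(zeek_analyzer(),` call in `proc_dhe_server_key_exchange` tests `ssl_ecdh_server_params`, while the event being enqueued is `ssl_dh_server_params`; the `proc_dh_anon_server_key_exchange` hunk further down in the same file guards the same event with `if ( ssl_dh_server_params )`. Following the `if ( ssl_x ) enqueue_ssl_x(...)` convention used throughout this file, this appears to mean the DHE server-parameter event is raised only when a handler for the ECDH event exists and is silently dropped for a script that handles only `ssl_dh_server_params`, which is a monitoring gap for anyone inspecting DH parameter strength. Unless the cross-check is intentional, the condition should read `if ( ssl_dh_server_params )` to match the anonymous-DH path. The rename does not change this, and the function body continues past the end of the hunk.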
@@ -481,8 +481,8 @@ refine connection Handshake_Conn += { function proc_handshake(is_orig: bool, msg_type: uint8, length: uint24) : bool %{ if ( ssl_handshake_message ) - zeek::BifEvent::enqueue_ssl_handshake_message(bro_analyzer(), - bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length)); + zeek::BifEvent::enqueue_ssl_handshake_message(zeek_analyzer(), + zeek_analyzer()->Conn(), is_orig, msg_type, to_int()(length)); return true; %} @@ -513,7 +513,7 @@ refine connection Handshake_Conn += { blist->Assign(blist->Size(), zeek::make_intrusive(binder->binder().length(), (const char*) binder->binder().data())); } - zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_client_hello(bro_analyzer(), bro_analyzer()->Conn(), + zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_client_hello(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(slist), std::move(blist)); return true; @@ -524,8 +524,8 @@ refine connection Handshake_Conn += { if ( ! ssl_extension_pre_shared_key_client_hello ) return true; - zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_server_hello(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, selected_identity); + zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_server_hello(zeek_analyzer(), + zeek_analyzer()->Conn(), ${rec.is_orig}, selected_identity); return true; %} diff --git a/src/analyzer/protocol/ssl/tls-handshake.pac b/src/analyzer/protocol/ssl/tls-handshake.pac index c545d1bc71..012ef3fc32 100644 --- a/src/analyzer/protocol/ssl/tls-handshake.pac +++ b/src/analyzer/protocol/ssl/tls-handshake.pac @@ -1,7 +1,7 @@ # Binpac analyzer just for the TLS handshake protocol and nothing else %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "Desc.h" 
@@ -14,7 +14,7 @@ analyzer TLSHandshake withcontext { flow: Handshake_Flow; }; -connection Handshake_Conn(bro_analyzer: BroAnalyzer) { +connection Handshake_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = Handshake_Flow(true); downflow = Handshake_Flow(false); }; diff --git a/src/analyzer/protocol/syslog/syslog-analyzer.pac b/src/analyzer/protocol/syslog/syslog-analyzer.pac index 1dff5f6f66..3cdab6bff0 100644 --- a/src/analyzer/protocol/syslog/syslog-analyzer.pac +++ b/src/analyzer/protocol/syslog/syslog-analyzer.pac @@ -1,5 +1,5 @@ -connection Syslog_Conn(bro_analyzer: BroAnalyzer) +connection Syslog_Conn(zeek_analyzer: ZeekAnalyzer) { upflow = Syslog_Flow; downflow = Syslog_Flow; @@ -16,16 +16,16 @@ flow Syslog_Flow if ( ${m.has_pri} ) zeek::BifEvent::enqueue_syslog_message( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), ${m.PRI.facility}, ${m.PRI.severity}, zeek::make_intrusive(${m.msg}.length(), (const char*)${m.msg}.begin()) ); else zeek::BifEvent::enqueue_syslog_message( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), + connection()->zeek_analyzer(), + connection()->zeek_analyzer()->Conn(), 999, 999, zeek::make_intrusive(${m.msg}.length(), (const char*)${m.msg}.begin()) diff --git a/src/analyzer/protocol/syslog/syslog.pac b/src/analyzer/protocol/syslog/syslog.pac index 2c1fdd10d0..3784d333b9 100644 --- a/src/analyzer/protocol/syslog/syslog.pac +++ b/src/analyzer/protocol/syslog/syslog.pac @@ -1,6 +1,6 @@ %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ #include "events.bif.h" diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac index e67ab9e851..2520cbe6e2 100644 --- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac +++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac 
@@ -19,24 +19,24 @@ refine connection XMPP_Conn += { if ( is_orig && token == "stream:stream" ) // Yup, looks like xmpp... - bro_analyzer()->ProtocolConfirmation(); + zeek_analyzer()->ProtocolConfirmation(); if ( token == "success" || token == "message" || token == "db:result" || token == "db:verify" || token == "presence" ) // Handshake has passed the phase where we should see StartTLS. Simply skip from hereon... - bro_analyzer()->SetSkip(true); + zeek_analyzer()->SetSkip(true); if ( is_orig && ( token == "starttls" || token_no_ns == "starttls" ) ) client_starttls = true; if ( !is_orig && ( token == "proceed" || token_no_ns == "proceed" ) && client_starttls ) { - bro_analyzer()->StartTLS(); + zeek_analyzer()->StartTLS(); if ( xmpp_starttls ) - zeek::BifEvent::enqueue_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn()); + zeek::BifEvent::enqueue_xmpp_starttls(zeek_analyzer(), zeek_analyzer()->Conn()); } else if ( !is_orig && token == "proceed" ) - zeek::reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls"); + zeek::reporter->Weird(zeek_analyzer()->Conn(), "XMPP: proceed without starttls"); // printf("Processed: %d %s %s %s \n", is_orig, c_str(name), c_str(rest), token_no_ns.c_str()); diff --git a/src/analyzer/protocol/xmpp/xmpp.pac b/src/analyzer/protocol/xmpp/xmpp.pac index e735b5ecec..f9d0a6a4e5 100644 --- a/src/analyzer/protocol/xmpp/xmpp.pac +++ b/src/analyzer/protocol/xmpp/xmpp.pac @@ -4,7 +4,7 @@ # till StartTLS does (or does not) kick in. %include binpac.pac -%include bro.pac +%include zeek.pac %extern{ @@ -25,7 +25,7 @@ analyzer XMPP withcontext { flow: XMPP_Flow; }; -connection XMPP_Conn(bro_analyzer: XMPPAnalyzer) { +connection XMPP_Conn(zeek_analyzer: XMPPAnalyzer) { upflow = XMPP_Flow(true); downflow = XMPP_Flow(false); }; diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index dd4e2c6d9b..4dc284b769 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac 
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -6,7 +6,7 @@ %header{ zeek::VectorValPtr process_rvas(const RVAS* rvas); -zeek::TableValPtr characteristics_to_bro(uint32_t c, uint8_t len); +zeek::TableValPtr characteristics_to_zeek(uint32_t c, uint8_t len); %} %code{ @@ -20,7 +20,7 @@ zeek::VectorValPtr process_rvas(const RVAS* rva_table) return rvas; } -zeek::TableValPtr characteristics_to_bro(uint32_t c, uint8_t len) +zeek::TableValPtr characteristics_to_zeek(uint32_t c, uint8_t len) { uint64 mask = (len==16) ? 0xFFFF : 0xFFFFFFFF; auto char_set = zeek::make_intrusive(zeek::id::count_set); @@ -66,7 +66,7 @@ refine flow File += { dh->Assign(16, zeek::val_mgr->Count(${h.AddressOfNewExeHeader})); zeek::event_mgr.Enqueue(pe_dos_header, - connection()->bro_analyzer()->GetFile()->ToVal(), + connection()->zeek_analyzer()->GetFile()->ToVal(), std::move(dh)); } return true; @@ -76,7 +76,7 @@ refine flow File += { %{ if ( pe_dos_code ) zeek::event_mgr.Enqueue(pe_dos_code, - connection()->bro_analyzer()->GetFile()->ToVal(), + connection()->zeek_analyzer()->GetFile()->ToVal(), zeek::make_intrusive(code.length(), (const char*) code.data()) ); return true; @@ -102,10 +102,10 @@ refine flow File += { fh->Assign(2, zeek::val_mgr->Count(${h.PointerToSymbolTable})); fh->Assign(3, zeek::val_mgr->Count(${h.NumberOfSymbols})); fh->Assign(4, zeek::val_mgr->Count(${h.SizeOfOptionalHeader})); - fh->Assign(5, characteristics_to_bro(${h.Characteristics}, 16)); + fh->Assign(5, characteristics_to_zeek(${h.Characteristics}, 16)); zeek::event_mgr.Enqueue(pe_file_header, - connection()->bro_analyzer()->GetFile()->ToVal(), + connection()->zeek_analyzer()->GetFile()->ToVal(), std::move(fh)); } 
@@ -151,12 +151,12 @@ refine flow File += { oh->Assign(19, zeek::val_mgr->Count(${h.size_of_headers})); oh->Assign(20, zeek::val_mgr->Count(${h.checksum})); oh->Assign(21, zeek::val_mgr->Count(${h.subsystem})); - oh->Assign(22, characteristics_to_bro(${h.dll_characteristics}, 16)); + oh->Assign(22, characteristics_to_zeek(${h.dll_characteristics}, 16)); oh->Assign(23, process_rvas(${h.rvas})); zeek::event_mgr.Enqueue(pe_optional_header, - connection()->bro_analyzer()->GetFile()->ToVal(), + connection()->zeek_analyzer()->GetFile()->ToVal(), std::move(oh)); } return true; @@ -185,10 +185,10 @@ refine flow File += { section_header->Assign(6, zeek::val_mgr->Count(${h.non_used_ptr_to_line_nums})); section_header->Assign(7, zeek::val_mgr->Count(${h.non_used_num_of_relocs})); section_header->Assign(8, zeek::val_mgr->Count(${h.non_used_num_of_line_nums})); - section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32)); + section_header->Assign(9, characteristics_to_zeek(${h.characteristics}, 32)); zeek::event_mgr.Enqueue(pe_section_header, - connection()->bro_analyzer()->GetFile()->ToVal(), + connection()->zeek_analyzer()->GetFile()->ToVal(), std::move(section_header) ); } diff --git a/src/file_analysis/analyzer/pe/pe.pac b/src/file_analysis/analyzer/pe/pe.pac index df7c3011d9..183fdb71a1 100644 --- a/src/file_analysis/analyzer/pe/pe.pac +++ b/src/file_analysis/analyzer/pe/pe.pac @@ -1,12 +1,12 @@ %include binpac.pac -%include bro.pac +%include zeek.pac analyzer PE withcontext { connection: MockConnection; flow: File; }; -connection MockConnection(bro_analyzer: BroFileAnalyzer) { +connection MockConnection(zeek_analyzer: ZeekFileAnalyzer) { upflow = File; downflow = File; }; @@ -16,5 +16,5 @@ connection MockConnection(bro_analyzer: BroFileAnalyzer) { flow File { flowunit = PE_File withcontext(connection, this); } - + %include pe-analyzer.pac 
diff --git a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac index 6370a8cf25..bb74008099 100644 --- a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac +++ b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac @@ -8,7 +8,7 @@ %} %code{ -zeek::AddrValPtr binpac::Unified2::Flow::unified2_addr_to_bro_addr(std::vector* a) +zeek::AddrValPtr binpac::Unified2::Flow::unified2_addr_to_zeek_addr(std::vector* a) { if ( a->size() == 1 ) { @@ -42,7 +42,7 @@ zeek::ValPtr binpac::Unified2::Flow::to_port(uint16_t n, uint8_t p) refine flow Flow += { %member{ - zeek::AddrValPtr unified2_addr_to_bro_addr(std::vector* a); + zeek::AddrValPtr unified2_addr_to_zeek_addr(std::vector* a); zeek::ValPtr to_port(uint16_t n, uint8_t p); %} @@ -80,14 +80,14 @@ refine flow Flow += { ids_event->Assign(5, zeek::val_mgr->Count(${ev.signature_revision})); ids_event->Assign(6, zeek::val_mgr->Count(${ev.classification_id})); ids_event->Assign(7, zeek::val_mgr->Count(${ev.priority_id})); - ids_event->Assign(8, unified2_addr_to_bro_addr(${ev.src_ip})); - ids_event->Assign(9, unified2_addr_to_bro_addr(${ev.dst_ip})); + ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip})); + ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip})); ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol})); ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol})); ids_event->Assign(17, zeek::val_mgr->Count(${ev.packet_action})); zeek::event_mgr.Enqueue(::unified2_event, - connection()->bro_analyzer()->GetFile()->ToVal(), + connection()->zeek_analyzer()->GetFile()->ToVal(), std::move(ids_event)); } return true; 
@@ -106,8 +106,8 @@ refine flow Flow += {
 ids_event->Assign(5, zeek::val_mgr->Count(${ev.signature_revision}));
 ids_event->Assign(6, zeek::val_mgr->Count(${ev.classification_id}));
 ids_event->Assign(7, zeek::val_mgr->Count(${ev.priority_id}));
- ids_event->Assign(8, unified2_addr_to_bro_addr(${ev.src_ip}));
- ids_event->Assign(9, unified2_addr_to_bro_addr(${ev.dst_ip}));
+ ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip}));
+ ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip}));
 ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol}));
 ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
 ids_event->Assign(12, zeek::val_mgr->Count(${ev.impact_flag}));
@@ -117,7 +117,7 @@ refine flow Flow += {
 ids_event->Assign(16, zeek::val_mgr->Count(${ev.vlan_id}));
 zeek::event_mgr.Enqueue(::unified2_event,
- connection()->bro_analyzer()->GetFile()->ToVal(),
+ connection()->zeek_analyzer()->GetFile()->ToVal(),
 std::move(ids_event));
 }
@@ -137,7 +137,7 @@ refine flow Flow += {
 packet->Assign(5, to_stringval(${pkt.packet_data}));
 zeek::event_mgr.Enqueue(::unified2_packet,
- connection()->bro_analyzer()->GetFile()->ToVal(),
+ connection()->zeek_analyzer()->GetFile()->ToVal(),
 std::move(packet));
 }
diff --git a/src/file_analysis/analyzer/unified2/unified2.pac b/src/file_analysis/analyzer/unified2/unified2.pac
index ddc7dc5315..f8a4fb993d 100644
--- a/src/file_analysis/analyzer/unified2/unified2.pac
+++ b/src/file_analysis/analyzer/unified2/unified2.pac
@@ -1,13 +1,13 @@
 %include binpac.pac
-%include bro.pac
+%include zeek.pac
 analyzer Unified2 withcontext {
 analyzer: Unified2_Analyzer;
 flow: Flow;
 };
-analyzer Unified2_Analyzer(bro_analyzer: BroFileAnalyzer) {
+analyzer Unified2_Analyzer(zeek_analyzer: ZeekFileAnalyzer) {
 downflow = Flow;
 upflow = Flow;
 };
diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac
index f6e7cd106a..6a48932e88 100644
--- a/src/file_analysis/analyzer/x509/x509-extension.pac
+++ b/src/file_analysis/analyzer/x509/x509-extension.pac
@@ -2,7 +2,7 @@
 # we just use it for the SignedCertificateTimestamp at the moment
 %include binpac.pac
-%include bro.pac
+%include zeek.pac
 %extern{
 #include "types.bif.h"
@@ -15,7 +15,7 @@ analyzer X509Extension withcontext {
 flow: SignedCertTimestampExt;
 };
-connection MockConnection(bro_analyzer: BroFileAnalyzer) {
+connection MockConnection(zeek_analyzer: ZeekFileAnalyzer) {
 upflow = SignedCertTimestampExt;
 downflow = SignedCertTimestampExt;
 };
@@ -39,7 +39,7 @@ refine connection MockConnection += {
 return true;
 zeek::event_mgr.Enqueue(x509_ocsp_ext_signed_certificate_timestamp,
- bro_analyzer()->GetFile()->ToVal(),
+ zeek_analyzer()->GetFile()->ToVal(),
 zeek::val_mgr->Count(version),
 zeek::make_intrusive(logid.length(), reinterpret_cast(logid.begin())),
 zeek::val_mgr->Count(timestamp),
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index c2f2a8b2b7..2909b2ae4f 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@@ -61,7 +61,7 @@ extern "C" {
 #include "iosource/Manager.h"
 #include "broker/Manager.h"
-#include "binpac_bro.h"
+#include "binpac_zeek.h"
 #include "3rdparty/sqlite3.h"
