Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix uses of bro.pac to use zeek.pac

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-08-25 16:12:50 -07:00
parent ece65ceff6
commit adcf99b25e
132 changed files with 898 additions and 909 deletions
Download patch file Download diff file Expand all files Collapse all files

16
src/analyzer/protocol/ayiya/ayiya-analyzer.pac
View file

@ -3,7 +3,7 @@
#include "Conn.h"
%}
connection AYIYA_Conn(bro_analyzer: BroAnalyzer)
connection AYIYA_Conn(zeek_analyzer: ZeekAnalyzer)
{
upflow = AYIYA_Flow;
downflow = AYIYA_Flow;
@ -15,7 +15,7 @@ flow AYIYA_Flow
function process_ayiya(pdu: PDU): bool
%{
zeek::Connection* c = connection()->bro_analyzer()->Conn();
zeek::Connection* c = connection()->zeek_analyzer()->Conn();
const zeek::EncapsulationStack* e = c->GetEncapsulation();
if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth )
@ -39,7 +39,7 @@ flow AYIYA_Flow
if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
{
connection()->bro_analyzer()->ProtocolViolation(
connection()->zeek_analyzer()->ProtocolViolation(
"Truncated AYIYA", (const char*) ${pdu.packet}.data(),
${pdu.packet}.length());
return false;
@ -50,7 +50,7 @@ flow AYIYA_Flow
if ( ( ${pdu.next_header} == IPPROTO_IPV6 && ip->ip_v != 6 ) ||
( ${pdu.next_header} == IPPROTO_IPV4 && ip->ip_v != 4) )
{
connection()->bro_analyzer()->ProtocolViolation(
connection()->zeek_analyzer()->ProtocolViolation(
"AYIYA next header mismatch", (const char*)${pdu.packet}.data(),
${pdu.packet}.length());
return false;
@ -61,20 +61,20 @@ flow AYIYA_Flow
${pdu.packet}.data(), ${pdu.next_header}, inner);
if ( result == 0 )
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
else if ( result == -2 )
connection()->bro_analyzer()->ProtocolViolation(
connection()->zeek_analyzer()->ProtocolViolation(
"AYIYA next header internal mismatch", (const char*)${pdu.packet}.data(),
${pdu.packet}.length());
else if ( result < 0 )
connection()->bro_analyzer()->ProtocolViolation(
connection()->zeek_analyzer()->ProtocolViolation(
"Truncated AYIYA", (const char*) ${pdu.packet}.data(),
${pdu.packet}.length());
else
connection()->bro_analyzer()->ProtocolViolation(
connection()->zeek_analyzer()->ProtocolViolation(
"AYIYA payload length", (const char*) ${pdu.packet}.data(),
${pdu.packet}.length());

2
src/analyzer/protocol/ayiya/ayiya.pac
View file

@ -1,6 +1,6 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "IP.h"

56
src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
View file

@ -1,6 +1,6 @@
# This code contributed by Nadi Sarrar.
connection BitTorrent_Conn(bro_analyzer: BroAnalyzer) {
connection BitTorrent_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = BitTorrent_Flow(true);
downflow = BitTorrent_Flow(false);
};
@ -62,15 +62,15 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_handshake )
{
zeek::BifEvent::enqueue_bittorrent_peer_handshake(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(),
to_stringval(reserved),
to_stringval(info_hash),
to_stringval(peer_id));
}
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
return true;
%}
@ -80,8 +80,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_keep_alive )
{
zeek::BifEvent::enqueue_bittorrent_peer_keep_alive(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig());
}
@ -93,8 +93,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_choke )
{
zeek::BifEvent::enqueue_bittorrent_peer_choke(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig());
}
@ -106,8 +106,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_unchoke )
{
zeek::BifEvent::enqueue_bittorrent_peer_unchoke(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig());
}
@ -119,8 +119,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_interested )
{
zeek::BifEvent::enqueue_bittorrent_peer_interested(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig());
}
@ -132,8 +132,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_not_interested )
{
zeek::BifEvent::enqueue_bittorrent_peer_not_interested(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig());
}
@ -145,8 +145,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_have )
{
zeek::BifEvent::enqueue_bittorrent_peer_have(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(),
piece_index);
}
@ -159,8 +159,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_bitfield )
{
zeek::BifEvent::enqueue_bittorrent_peer_bitfield(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(),
to_stringval(bitfield));
}
@ -174,8 +174,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_request )
{
zeek::BifEvent::enqueue_bittorrent_peer_request(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(),
index, begin, length);
}
@ -189,8 +189,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_piece )
{
zeek::BifEvent::enqueue_bittorrent_peer_piece(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(),
index, begin, piece_length);
}
@ -204,8 +204,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_cancel )
{
zeek::BifEvent::enqueue_bittorrent_peer_cancel(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(),
index, begin, length);
}
@ -218,8 +218,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_port )
{
zeek::BifEvent::enqueue_bittorrent_peer_port(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(),
zeek::val_mgr->Port(listen_port, TRANSPORT_TCP));
}
@ -232,8 +232,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_unknown )
{
zeek::BifEvent::enqueue_bittorrent_peer_unknown(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(),
id,
to_stringval(data));

5
src/analyzer/protocol/bittorrent/bittorrent.pac
View file

@ -1,7 +1,7 @@
# This code contributed to Bro by Nadi Sarrar.
# This code contributed to Zeek by Nadi Sarrar.
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#define MSGLEN_LIMIT 0x40000
@ -16,4 +16,3 @@ analyzer BitTorrent withcontext {
%include bittorrent-protocol.pac
%include bittorrent-analyzer.pac

30
src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
View file

@ -29,7 +29,7 @@ refine connection DCE_RPC_Conn += {
function proc_dce_rpc_pdu(pdu: DCE_RPC_PDU): bool
%{
// If a whole pdu message parsed ok, let's confirm the protocol
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
return true;
%}
@ -37,8 +37,8 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_message )
{
zeek::BifEvent::enqueue_dce_rpc_message(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_dce_rpc_message(zeek_analyzer(),
zeek_analyzer()->Conn(),
${header.is_orig},
fid,
${header.PTYPE},
@ -51,8 +51,8 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_bind )
{
zeek::BifEvent::enqueue_dce_rpc_bind(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_dce_rpc_bind(zeek_analyzer(),
zeek_analyzer()->Conn(),
fid,
${req.id},
to_stringval(${req.abstract_syntax.uuid}),
@ -67,8 +67,8 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_alter_context )
{
zeek::BifEvent::enqueue_dce_rpc_alter_context(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_dce_rpc_alter_context(zeek_analyzer(),
zeek_analyzer()->Conn(),
fid,
${req.id},
to_stringval(${req.abstract_syntax.uuid}),
@ -92,8 +92,8 @@ refine connection DCE_RPC_Conn += {
else
sec_addr = zeek::make_intrusive<zeek::StringVal>(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
zeek::BifEvent::enqueue_dce_rpc_bind_ack(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_dce_rpc_bind_ack(zeek_analyzer(),
zeek_analyzer()->Conn(),
fid,
std::move(sec_addr));
}
@ -104,8 +104,8 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_alter_context_resp )
{
zeek::BifEvent::enqueue_dce_rpc_alter_context_resp(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_dce_rpc_alter_context_resp(zeek_analyzer(),
zeek_analyzer()->Conn(),
fid);
}
return true;
@ -115,8 +115,8 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_request )
{
zeek::BifEvent::enqueue_dce_rpc_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_dce_rpc_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
fid,
${req.context_id},
${req.opnum},
@ -132,8 +132,8 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_response )
{
zeek::BifEvent::enqueue_dce_rpc_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_dce_rpc_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
fid,
${resp.context_id},
get_cont_id_opnum_map(${resp.context_id}),

6
src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
View file

@ -32,18 +32,18 @@ refine connection DCE_RPC_Conn += {
{
case 0x09:
if ( ! gssapi )
gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());
gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn());
if ( gssapi )
gssapi->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break;
case 0x0a:
if ( ! ntlm )
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn());
if ( ntlm )
ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break;
default:
bro_analyzer()->Weird("unknown_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
zeek_analyzer()->Weird("unknown_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
break;
}

16
src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
View file

@ -190,9 +190,9 @@ flow DCE_RPC_Flow(is_orig: bool) {
if ( it != fb.end() )
{
// We already had a first frag earlier.
zeek::reporter->Weird(connection()->bro_analyzer()->Conn(),
zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(),
"multiple_first_fragments_in_dce_rpc_reassembly");
connection()->bro_analyzer()->SetSkip(true);
connection()->zeek_analyzer()->SetSkip(true);
return false;
}
@ -212,16 +212,16 @@ flow DCE_RPC_Flow(is_orig: bool) {
if ( fb.size() > zeek::BifConst::DCE_RPC::max_cmd_reassembly )
{
zeek::reporter->Weird(connection()->bro_analyzer()->Conn(),
zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(),
"too_many_dce_rpc_msgs_in_reassembly");
connection()->bro_analyzer()->SetSkip(true);
connection()->zeek_analyzer()->SetSkip(true);
}
if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data )
{
zeek::reporter->Weird(connection()->bro_analyzer()->Conn(),
zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(),
"too_much_dce_rpc_fragment_data");
connection()->bro_analyzer()->SetSkip(true);
connection()->zeek_analyzer()->SetSkip(true);
}
return false;
@ -235,9 +235,9 @@ flow DCE_RPC_Flow(is_orig: bool) {
if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data )
{
zeek::reporter->Weird(connection()->bro_analyzer()->Conn(),
zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(),
"too_much_dce_rpc_fragment_data");
connection()->bro_analyzer()->SetSkip(true);
connection()->zeek_analyzer()->SetSkip(true);
}
return ${header.lastfrag};

4
src/analyzer/protocol/dce-rpc/dce_rpc.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "consts.bif.h"
@ -12,7 +12,7 @@ analyzer DCE_RPC withcontext {
flow : DCE_RPC_Flow;
};
connection DCE_RPC_Conn(bro_analyzer: BroAnalyzer) {
connection DCE_RPC_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = DCE_RPC_Flow(true);
downflow = DCE_RPC_Flow(false);
};

8
src/analyzer/protocol/dhcp/dhcp-analyzer.pac
View file

@ -44,7 +44,7 @@ refine flow DHCP_Flow += {
// the message options.
if ( ${msg.cookie} != 0x63825363 )
{
connection()->bro_analyzer()->ProtocolViolation(zeek::util::fmt("bad cookie (%d)", ${msg.cookie}));
connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("bad cookie (%d)", ${msg.cookie}));
return false;
}
@ -91,8 +91,8 @@ refine flow DHCP_Flow += {
init_options();
zeek::BifEvent::enqueue_dhcp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_dhcp_message(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${msg.is_orig},
std::move(dhcp_msg_val),
std::move(options));
@ -106,7 +106,7 @@ refine flow DHCP_Flow += {
// on a "connection".
// The binpac analyzer would have thrown an error before this point
// if there was a problem too (and subsequently called ProtocolViolation).
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
return true;
%}

3
src/analyzer/protocol/dhcp/dhcp-protocol.pac
View file

@ -67,9 +67,8 @@ refine flow DHCP_Flow += {
}
if ( type == 0 )
connection()->bro_analyzer()->ProtocolViolation("no DHCP message type option");
connection()->zeek_analyzer()->ProtocolViolation("no DHCP message type option");
return type;
%}
};

4
src/analyzer/protocol/dhcp/dhcp.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "types.bif.h"
@ -11,7 +11,7 @@ analyzer DHCP withcontext {
flow: DHCP_Flow;
};
connection DHCP_Conn(bro_analyzer: BroAnalyzer) {
connection DHCP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = DHCP_Flow(true);
downflow = DHCP_Flow(false);
};

207
src/analyzer/protocol/dnp3/dnp3-analyzer.pac
View file

@ -1,5 +1,5 @@
connection DNP3_Conn(bro_analyzer: BroAnalyzer) {
connection DNP3_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = DNP3_Flow(true);
downflow = DNP3_Flow(false);
};
@ -30,8 +30,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_header_block )
{
zeek::BifEvent::enqueue_dnp3_header_block(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), len, ctrl, dest_addr, src_addr);
}
@ -43,8 +43,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_application_request_header )
{
zeek::BifEvent::enqueue_dnp3_application_request_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(),
application_control,
fc
@ -58,8 +58,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_application_response_header )
{
zeek::BifEvent::enqueue_dnp3_application_response_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(),
application_control,
fc,
@ -74,8 +74,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_object_header )
{
zeek::BifEvent::enqueue_dnp3_object_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), obj_type, qua_field, number, rf_low, rf_high);
}
@ -87,8 +87,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_object_prefix )
{
zeek::BifEvent::enqueue_dnp3_object_prefix(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), prefix_value);
}
@ -100,8 +100,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_response_data_object )
{
zeek::BifEvent::enqueue_dnp3_response_data_object(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), data_value);
}
@ -114,8 +114,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_attribute_common )
{
zeek::BifEvent::enqueue_dnp3_attribute_common(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), data_type_code, leng, to_stringval(attribute_obj) );
}
@ -128,8 +128,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_crob )
{
zeek::BifEvent::enqueue_dnp3_crob(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code);
}
@ -142,8 +142,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_pcb )
{
zeek::BifEvent::enqueue_dnp3_pcb(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code);
}
@ -156,8 +156,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_counter_32wFlag )
{
zeek::BifEvent::enqueue_dnp3_counter_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value);
}
@ -170,8 +170,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_counter_16wFlag )
{
zeek::BifEvent::enqueue_dnp3_counter_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value);
}
@ -184,8 +184,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_counter_32woFlag )
{
zeek::BifEvent::enqueue_dnp3_counter_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), count_value);
}
@ -198,8 +198,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_counter_16woFlag )
{
zeek::BifEvent::enqueue_dnp3_counter_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), count_value);
}
@ -212,8 +212,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_32wFlag )
{
zeek::BifEvent::enqueue_dnp3_frozen_counter_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value);
}
@ -226,8 +226,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_16wFlag )
{
zeek::BifEvent::enqueue_dnp3_frozen_counter_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value);
}
@ -240,8 +240,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_32wFlagTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_counter_32wFlagTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48));
}
@ -254,8 +254,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_16wFlagTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_counter_16wFlagTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48));
}
@ -268,8 +268,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_32woFlag )
{
zeek::BifEvent::enqueue_dnp3_frozen_counter_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), count_value);
}
@ -282,8 +282,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_16woFlag )
{
zeek::BifEvent::enqueue_dnp3_frozen_counter_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), count_value);
}
@ -296,8 +296,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_32wFlag )
{
zeek::BifEvent::enqueue_dnp3_analog_input_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value);
}
@ -310,8 +310,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_16wFlag )
{
zeek::BifEvent::enqueue_dnp3_analog_input_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value);
}
@ -324,8 +324,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_32woFlag )
{
zeek::BifEvent::enqueue_dnp3_analog_input_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), value);
}
@ -338,8 +338,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_16woFlag )
{
zeek::BifEvent::enqueue_dnp3_analog_input_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), value);
}
@ -352,8 +352,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_SPwFlag )
{
zeek::BifEvent::enqueue_dnp3_analog_input_SPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value);
}
@ -366,8 +366,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_DPwFlag )
{
zeek::BifEvent::enqueue_dnp3_analog_input_DPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value_low, value_high);
}
@ -380,8 +380,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_32wFlag )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value);
}
@ -394,8 +394,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_16wFlag )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value);
}
@ -408,8 +408,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_32wTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
}
@ -422,8 +422,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_16wTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
}
@ -436,8 +436,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_32woFlag )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), frozen_value);
}
@ -450,8 +450,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_16woFlag )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), frozen_value);
}
@ -464,8 +464,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_SPwFlag )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_SPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value);
}
@ -478,8 +478,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_DPwFlag )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_DPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high);
}
@ -492,8 +492,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_32woTime )
{
zeek::BifEvent::enqueue_dnp3_analog_input_event_32woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value);
}
@ -506,8 +506,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_16woTime )
{
zeek::BifEvent::enqueue_dnp3_analog_input_event_16woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value);
}
@ -520,8 +520,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_32wTime )
{
zeek::BifEvent::enqueue_dnp3_analog_input_event_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
}
@ -534,8 +534,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_16wTime )
{
zeek::BifEvent::enqueue_dnp3_analog_input_event_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
}
@ -548,8 +548,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_SPwoTime )
{
zeek::BifEvent::enqueue_dnp3_analog_input_event_SPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value);
}
@ -562,8 +562,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_DPwoTime )
{
zeek::BifEvent::enqueue_dnp3_analog_input_event_DPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value_low, value_high);
}
@ -576,8 +576,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_SPwTime )
{
zeek::BifEvent::enqueue_dnp3_analog_input_event_SPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
}
@ -590,8 +590,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_DPwTime )
{
zeek::BifEvent::enqueue_dnp3_analog_input_event_DPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value_low, value_high, bytestring_to_time(time48));
}
@ -604,8 +604,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_32woTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_32woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value);
}
@ -618,8 +618,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_16woTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_16woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value);
}
@ -632,8 +632,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_32wTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
}
@ -646,8 +646,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_16wTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
}
@ -660,8 +660,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_SPwoTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value);
}
@ -674,8 +674,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_DPwoTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high);
}
@ -688,8 +688,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_SPwTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
}
@ -702,8 +702,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_DPwTime )
{
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48));
}
@ -716,8 +716,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_file_transport )
{
zeek::BifEvent::enqueue_dnp3_file_transport(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), file_handle, block_num, to_stringval(file_data));
}
@ -730,8 +730,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_debug_byte )
{
zeek::BifEvent::enqueue_dnp3_debug_byte (
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), to_stringval(debug));
}
@ -986,4 +986,3 @@ refine typeattr File_Transport += &let {
refine typeattr Debug_Byte += &let {
process_request: bool = $context.flow.get_dnp3_debug_byte(debug);
};

3
src/analyzer/protocol/dnp3/dnp3-objects.pac
View file

@ -616,7 +616,7 @@ type Response_Data_Object(function_code: uint8, qualifier_field: uint8, object_t
};
}
&let{
data_value: uint8 = case (object_type_field) of { # this data_value is used for the Bro Event
data_value: uint8 = case (object_type_field) of { # this data_value is used for the Zeek Event
0x0101 -> biwoflag;
0x0102 -> biwflag;
0x0a01 -> bowoflag;
@ -1504,4 +1504,3 @@ type UpdateKeySig(prefix: uint16) = record {
type UpdateKeyCon(prefix: uint16) = record {
mac: bytestring &length = prefix;
} &byteorder = littleendian;

2
src/analyzer/protocol/dnp3/dnp3-protocol.pac
View file

@ -17,7 +17,7 @@ type Header_Block = record {
} &byteorder = littleendian;
type DNP3_Request = record {
addin_header: Header_Block; ## added by Hui Lin in Bro code
addin_header: Header_Block; ## added by Hui Lin in Zeek code
app_header: DNP3_Application_Request_Header;
data: case ( app_header.function_code ) of {
CONFIRM -> none_coonfirm: empty;

3
src/analyzer/protocol/dnp3/dnp3.pac
View file

@ -1,6 +1,6 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "events.bif.h"
@ -13,4 +13,3 @@ analyzer DNP3 withcontext {
%include dnp3-protocol.pac
%include dnp3-analyzer.pac

2
src/analyzer/protocol/dns/DNS.h
View file

@ -3,7 +3,7 @@
#pragma once
#include "analyzer/protocol/tcp/TCP.h"
#include "binpac_bro.h"
#include "binpac_zeek.h"
namespace zeek::analyzer::dns {
namespace detail {

8
src/analyzer/protocol/gssapi/gssapi-analyzer.pac
View file

@ -34,7 +34,7 @@ refine connection GSSAPI_Conn += {
{
// ntlmssp
if ( ! ntlm )
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn());
if ( ntlm )
ntlm->DeliverStream(${val.ntlm}.length(),
@ -44,7 +44,7 @@ refine connection GSSAPI_Conn += {
else if ( ${val.has_krb} )
{
if ( ! krb5 )
krb5 = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn());
krb5 = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn());
if ( krb5 ) // accepting all KRB types (REQ, REP, etc)
{
@ -61,8 +61,8 @@ refine connection GSSAPI_Conn += {
%{
if ( gssapi_neg_result )
{
zeek::BifEvent::enqueue_gssapi_neg_result(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_gssapi_neg_result(zeek_analyzer(),
zeek_analyzer()->Conn(),
binary_to_int64(${val.neg_state.encoding.content}));
}

4
src/analyzer/protocol/gssapi/gssapi.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "analyzer/Manager.h"
@ -13,7 +13,7 @@ analyzer GSSAPI withcontext {
flow : GSSAPI_Flow;
};
connection GSSAPI_Conn(bro_analyzer: BroAnalyzer) {
connection GSSAPI_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = GSSAPI_Flow(true);
downflow = GSSAPI_Flow(false);
};

20
src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
View file

@ -233,7 +233,7 @@ static zeek::ValPtr BuildTeardownInd(const InformationElement* ie)
return zeek::val_mgr->Bool(ie->teardown_ind()->ind());
}
void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
void CreatePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_create_pdp_ctx_request ) return;
@ -332,7 +332,7 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
BuildGTPv1Hdr(pdu), std::move(rv));
}
void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
void CreatePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_create_pdp_ctx_response )
return;
@ -401,7 +401,7 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
BuildGTPv1Hdr(pdu), std::move(rv));
}
void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
void UpdatePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_update_pdp_ctx_request )
return;
@ -479,7 +479,7 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
BuildGTPv1Hdr(pdu), std::move(rv));
}
void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
void UpdatePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_update_pdp_ctx_response )
return;
@ -539,7 +539,7 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
BuildGTPv1Hdr(pdu), std::move(rv));
}
void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
void DeletePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_delete_pdp_ctx_request )
return;
@ -573,7 +573,7 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
BuildGTPv1Hdr(pdu), std::move(rv));
}
void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
void DeletePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_delete_pdp_ctx_response )
return;
@ -605,7 +605,7 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
%}
connection GTPv1_Conn(bro_analyzer: BroAnalyzer)
connection GTPv1_Conn(zeek_analyzer: ZeekAnalyzer)
{
upflow = GTPv1_Flow(true);
downflow = GTPv1_Flow(false);
@ -639,14 +639,14 @@ flow GTPv1_Flow(is_orig: bool)
function violate(r: string, pdu: GTPv1_Header): void
%{
BroAnalyzer a = connection()->bro_analyzer();
ZeekAnalyzer a = connection()->zeek_analyzer();
const_bytestring b = ${pdu.sourcedata};
a->ProtocolViolation(r.c_str(), (const char*) b.begin(), b.length());
%}
function process_gtpv1(pdu: GTPv1_Header): bool
%{
BroAnalyzer a = connection()->bro_analyzer();
ZeekAnalyzer a = connection()->zeek_analyzer();
zeek::Connection* c = a->Conn();
const zeek::EncapsulationStack* e = c->GetEncapsulation();
@ -711,7 +711,7 @@ flow GTPv1_Flow(is_orig: bool)
function process_g_pdu(pdu: GTPv1_Header): bool
%{
BroAnalyzer a = connection()->bro_analyzer();
ZeekAnalyzer a = connection()->zeek_analyzer();
zeek::Connection* c = a->Conn();
const zeek::EncapsulationStack* e = c->GetEncapsulation();

2
src/analyzer/protocol/gtpv1/gtpv1.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "IP.h"

2
src/analyzer/protocol/http/HTTP.h
View file

@ -7,7 +7,7 @@
#include "analyzer/protocol/pia/PIA.h"
#include "analyzer/protocol/zip/ZIP.h"
#include "analyzer/protocol/mime/MIME.h"
#include "binpac_bro.h"
#include "binpac_zeek.h"
#include "IPAddr.h"
#include "analyzer/protocol/http/events.bif.h"

18
src/analyzer/protocol/imap/imap-analyzer.pac
View file

@ -17,23 +17,23 @@ refine connection IMAP_Conn += {
//printf("imap %s %s\n", commands.c_str(), tags.c_str());
if ( !is_orig && tags == "*" && commands == "ok" )
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
if ( is_orig && ( command == "capability" || commands == "starttls" ) )
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
if ( command == "authenticate" || command == "login" || command == "examine" || command == "create" || command == "list" || command == "fetch" )
{
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
// Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
bro_analyzer()->SetSkip(true);
zeek_analyzer()->SetSkip(true);
return true;
}
if ( is_orig && commands == "starttls" )
{
if ( !client_starttls_id.empty() )
zeek::reporter->Weird(bro_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS");
zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS");
client_starttls_id = tags;
}
@ -42,13 +42,13 @@ refine connection IMAP_Conn += {
{
if ( commands == "ok" )
{
bro_analyzer()->StartTLS();
zeek_analyzer()->StartTLS();
if ( imap_starttls )
zeek::BifEvent::enqueue_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
zeek::BifEvent::enqueue_imap_starttls(zeek_analyzer(), zeek_analyzer()->Conn());
}
else
zeek::reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: server refused StartTLS");
}
return true;
@ -67,7 +67,7 @@ refine connection IMAP_Conn += {
capv->Assign(i, zeek::make_intrusive<zeek::StringVal>(capability.length(), (const char*)capability.data()));
}
zeek::BifEvent::enqueue_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), std::move(capv));
zeek::BifEvent::enqueue_imap_capabilities(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(capv));
return true;
%}

4
src/analyzer/protocol/imap/imap.pac
View file

@ -4,7 +4,7 @@
# till StartTLS does (or does not) kick in.
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "zeek-config.h"
@ -25,7 +25,7 @@ analyzer IMAP withcontext {
flow: IMAP_Flow;
};
connection IMAP_Conn(bro_analyzer: IMAPAnalyzer) {
connection IMAP_Conn(zeek_analyzer: IMAPAnalyzer) {
upflow = IMAP_Flow(true);
downflow = IMAP_Flow(false);
};

56
src/analyzer/protocol/krb/krb-analyzer.pac
View file

@ -1,6 +1,6 @@
%header{
zeek::RecordValPtr proc_krb_kdc_options(const KRB_KDC_Options* opts);
zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyzer bro_analyzer);
zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const ZeekAnalyzer zeek_analyzer);
bool proc_error_arguments(zeek::RecordVal* rv, const std::vector<KRB_ERROR_Arg*>* args, int64 error_code);
%}
@ -27,7 +27,7 @@ zeek::RecordValPtr proc_krb_kdc_options(const KRB_KDC_Options* opts)
return rv;
}
zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyzer bro_analyzer)
zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const ZeekAnalyzer zeek_analyzer)
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::KDC_Request);
@ -35,7 +35,7 @@ zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyze
rv->Assign(1, asn1_integer_to_val(msg->msg_type()->data(), zeek::TYPE_COUNT));
if ( msg->padata()->has_padata() )
rv->Assign(2, proc_padata(msg->padata()->padata()->padata(), bro_analyzer, false));
rv->Assign(2, proc_padata(msg->padata()->padata()->padata(), zeek_analyzer, false));
for ( uint i = 0; i < msg->body_args()->size(); ++i )
{
@ -73,7 +73,7 @@ zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyze
break;
case 9:
if ( element->data()->addrs()->addresses()->size() )
rv->Assign(12, proc_host_address_list(bro_analyzer, element->data()->addrs()));
rv->Assign(12, proc_host_address_list(zeek_analyzer, element->data()->addrs()));
break;
case 10:
@ -171,7 +171,7 @@ refine connection KRB_Conn += {
function proc_krb_kdc_req_msg(msg: KRB_KDC_REQ): bool
%{
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
auto msg_type = binary_to_int64(${msg.msg_type.data.content});
if ( msg_type == 10 )
@ -179,8 +179,8 @@ refine connection KRB_Conn += {
if ( ! krb_as_request )
return false;
auto rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
zeek::BifEvent::enqueue_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv));
auto rv = proc_krb_kdc_req_arguments(${msg}, zeek_analyzer());
zeek::BifEvent::enqueue_krb_as_request(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(rv));
return true;
}
@ -189,8 +189,8 @@ refine connection KRB_Conn += {
if ( ! krb_tgs_request )
return false;
auto rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
zeek::BifEvent::enqueue_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv));
auto rv = proc_krb_kdc_req_arguments(${msg}, zeek_analyzer());
zeek::BifEvent::enqueue_krb_tgs_request(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(rv));
return true;
}
@ -199,7 +199,7 @@ refine connection KRB_Conn += {
function proc_krb_kdc_rep_msg(msg: KRB_KDC_REP): bool
%{
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
auto msg_type = binary_to_int64(${msg.msg_type.data.content});
auto make_arg = [this, msg]() -> zeek::RecordValPtr
{
@ -209,7 +209,7 @@ refine connection KRB_Conn += {
rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, zeek::TYPE_COUNT));
if ( ${msg.padata.has_padata} )
rv->Assign(2, proc_padata(${msg.padata.padata.padata}, bro_analyzer(), false));
rv->Assign(2, proc_padata(${msg.padata.padata.padata}, zeek_analyzer(), false));
rv->Assign(3, to_stringval(${msg.client_realm.encoding.content}));
rv->Assign(4, GetStringFromPrincipalName(${msg.client_name}));
@ -223,7 +223,7 @@ refine connection KRB_Conn += {
if ( ! krb_as_response )
return false;
zeek::BifEvent::enqueue_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
zeek::BifEvent::enqueue_krb_as_response(zeek_analyzer(), zeek_analyzer()->Conn(), make_arg());
return true;
}
@ -232,7 +232,7 @@ refine connection KRB_Conn += {
if ( ! krb_tgs_response )
return false;
zeek::BifEvent::enqueue_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
zeek::BifEvent::enqueue_krb_tgs_response(zeek_analyzer(), zeek_analyzer()->Conn(), make_arg());
return true;
}
@ -241,21 +241,21 @@ refine connection KRB_Conn += {
function proc_krb_error_msg(msg: KRB_ERROR_MSG): bool
%{
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
if ( krb_error )
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Error_Msg);
proc_error_arguments(rv.get(), ${msg.args1}, 0);
rv->Assign(4, asn1_integer_to_val(${msg.error_code}, zeek::TYPE_COUNT));
proc_error_arguments(rv.get(), ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content}));
zeek::BifEvent::enqueue_krb_error(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv));
zeek::BifEvent::enqueue_krb_error(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(rv));
}
return true;
%}
function proc_krb_ap_req_msg(msg: KRB_AP_REQ): bool
%{
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
if ( krb_ap_request )
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::AP_Options);
@ -263,12 +263,12 @@ refine connection KRB_Conn += {
rv->Assign(1, zeek::val_mgr->Bool(${msg.ap_options.mutual_required}));
auto rvticket = proc_ticket(${msg.ticket});
auto authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->GetField(2)->AsString(), rvticket->GetField(4)->AsString(), rvticket->GetField(3)->AsCount());
auto authenticationinfo = zeek_analyzer()->GetAuthenticationInfo(rvticket->GetField(2)->AsString(), rvticket->GetField(4)->AsString(), rvticket->GetField(3)->AsCount());
if ( authenticationinfo )
rvticket->Assign(5, authenticationinfo);
zeek::BifEvent::enqueue_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_krb_ap_request(zeek_analyzer(), zeek_analyzer()->Conn(),
std::move(rvticket), std::move(rv));
}
return true;
@ -276,17 +276,17 @@ refine connection KRB_Conn += {
function proc_krb_ap_rep_msg(msg: KRB_AP_REP): bool
%{
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
if ( krb_ap_response )
{
zeek::BifEvent::enqueue_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn());
zeek::BifEvent::enqueue_krb_ap_response(zeek_analyzer(), zeek_analyzer()->Conn());
}
return true;
%}
function proc_krb_safe_msg(msg: KRB_SAFE_MSG): bool
%{
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
if ( krb_safe )
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::SAFE_Msg);
@ -328,36 +328,36 @@ refine connection KRB_Conn += {
rv->Assign(5, asn1_integer_to_val(${msg.safe_body.args[i].args.seq_number}, zeek::TYPE_COUNT));
break;
case 4:
rv->Assign(6, proc_host_address(bro_analyzer(), ${msg.safe_body.args[i].args.sender_addr}));
rv->Assign(6, proc_host_address(zeek_analyzer(), ${msg.safe_body.args[i].args.sender_addr}));
break;
case 5:
rv->Assign(7, proc_host_address(bro_analyzer(), ${msg.safe_body.args[i].args.recp_addr}));
rv->Assign(7, proc_host_address(zeek_analyzer(), ${msg.safe_body.args[i].args.recp_addr}));
break;
default:
break;
}
}
zeek::BifEvent::enqueue_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, std::move(rv));
zeek::BifEvent::enqueue_krb_safe(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig}, std::move(rv));
}
return true;
%}
function proc_krb_priv_msg(msg: KRB_PRIV_MSG): bool
%{
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
if ( krb_priv )
{
zeek::BifEvent::enqueue_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig});
zeek::BifEvent::enqueue_krb_priv(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig});
}
return true;
%}
function proc_krb_cred_msg(msg: KRB_CRED_MSG): bool
%{
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
if ( krb_cred )
{
zeek::BifEvent::enqueue_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig},
zeek::BifEvent::enqueue_krb_cred(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig},
proc_tickets(${msg.tickets}));
}
return true;

20
src/analyzer/protocol/krb/krb-padata.pac
View file

@ -7,11 +7,11 @@
%}
%header{
zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_analyzer, bool is_error);
zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnalyzer zeek_analyzer, bool is_error);
%}
%code{
zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_analyzer, bool is_error)
zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnalyzer zeek_analyzer, bool is_error)
{
auto vv = zeek::make_intrusive<zeek::VectorVal>(zeek::id::find_type<zeek::VectorType>("KRB::Type_Value_Vector"));
@ -64,10 +64,10 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
zeek::ODesc common;
common.AddRaw("Analyzer::ANALYZER_KRB");
common.Add(bro_analyzer->Conn()->StartTime());
common.Add(zeek_analyzer->Conn()->StartTime());
// Request means is_orig=T
common.AddRaw("T", 1);
bro_analyzer->Conn()->IDString(&common);
zeek_analyzer->Conn()->IDString(&common);
zeek::ODesc file_handle;
file_handle.Add(common.Description());
@ -76,8 +76,8 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
cert.length(), bro_analyzer->GetAnalyzerTag(),
bro_analyzer->Conn(), true, file_id,
cert.length(), zeek_analyzer->GetAnalyzerTag(),
zeek_analyzer->Conn(), true, file_id,
"application/x-x509-user-cert");
zeek::file_mgr->EndOfFile(file_id);
@ -89,10 +89,10 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
zeek::ODesc common;
common.AddRaw("Analyzer::ANALYZER_KRB");
common.Add(bro_analyzer->Conn()->StartTime());
common.Add(zeek_analyzer->Conn()->StartTime());
// Response means is_orig=F
common.AddRaw("F", 1);
bro_analyzer->Conn()->IDString(&common);
zeek_analyzer->Conn()->IDString(&common);
zeek::ODesc file_handle;
file_handle.Add(common.Description());
@ -101,8 +101,8 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
cert.length(), bro_analyzer->GetAnalyzerTag(),
bro_analyzer->Conn(), false, file_id,
cert.length(), zeek_analyzer->GetAnalyzerTag(),
zeek_analyzer->Conn(), false, file_id,
"application/x-x509-user-cert");
zeek::file_mgr->EndOfFile(file_id);

8
src/analyzer/protocol/krb/krb-types.pac
View file

@ -5,8 +5,8 @@ zeek::ValPtr GetStringFromPrincipalName(const KRB_Principal_Name* pname);
zeek::VectorValPtr proc_cipher_list(const Array* list);
zeek::VectorValPtr proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list);
zeek::RecordValPtr proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr);
zeek::VectorValPtr proc_host_address_list(const ZeekAnalyzer a, const KRB_Host_Addresses* list);
zeek::RecordValPtr proc_host_address(const ZeekAnalyzer a, const KRB_Host_Address* addr);
zeek::VectorValPtr proc_tickets(const KRB_Ticket_Sequence* list);
zeek::RecordValPtr proc_ticket(const KRB_Ticket* ticket);
@ -33,7 +33,7 @@ zeek::VectorValPtr proc_cipher_list(const Array* list)
return ciphers;
}
zeek::VectorValPtr proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list)
zeek::VectorValPtr proc_host_address_list(const ZeekAnalyzer a, const KRB_Host_Addresses* list)
{
auto addrs = zeek::make_intrusive<zeek::VectorVal>(zeek::id::find_type<zeek::VectorType>("KRB::Host_Address_Vector"));
@ -45,7 +45,7 @@ zeek::VectorValPtr proc_host_address_list(const BroAnalyzer a, const KRB_Host_Ad
return addrs;
}
zeek::RecordValPtr proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr)
zeek::RecordValPtr proc_host_address(const ZeekAnalyzer a, const KRB_Host_Address* addr)
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Host_Address);
const auto& addr_bytes = addr->address()->data()->content();

4
src/analyzer/protocol/krb/krb.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "zeek-config.h"
@ -20,7 +20,7 @@ analyzer KRB withcontext {
flow: KRB_Flow;
};
connection KRB_Conn(bro_analyzer: KRBAnalyzer) {
connection KRB_Conn(zeek_analyzer: KRBAnalyzer) {
upflow = KRB_Flow(true);
downflow = KRB_Flow(false);
};

4
src/analyzer/protocol/krb/krb_TCP.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "zeek-config.h"
@ -20,7 +20,7 @@ analyzer KRB_TCP withcontext {
flow: KRB_Flow;
};
connection KRB_Conn(bro_analyzer: KRBTCPAnalyzer) {
connection KRB_Conn(zeek_analyzer: KRBTCPAnalyzer) {
upflow = KRB_Flow(true);
downflow = KRB_Flow(false);
};

132
src/analyzer/protocol/modbus/modbus-analyzer.pac
View file

@ -1,5 +1,5 @@
#
# The development of Bro's Modbus analyzer has been made possible thanks to
# The development of Zeek's Modbus analyzer has been made possible thanks to
# the support of the Ministry of Security and Justice of the Kingdom of the
# Netherlands within the projects of Hermes, Castor and Midas.
#
@ -88,8 +88,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_message )
{
zeek::BifEvent::enqueue_modbus_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_message(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
is_orig());
}
@ -106,7 +106,7 @@ refine flow ModbusTCP_Flow += {
if ( ! connection()->IsConfirmed() )
{
connection()->SetConfirmed();
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
}
return true;
@ -117,8 +117,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_exception )
{
zeek::BifEvent::enqueue_modbus_exception(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_exception(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.code});
}
@ -131,8 +131,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_coils_request )
{
zeek::BifEvent::enqueue_modbus_read_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_coils_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address},
${message.quantity});
@ -146,8 +146,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_coils_response )
{
zeek::BifEvent::enqueue_modbus_read_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_coils_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
}
@ -159,8 +159,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_discrete_inputs_request )
{
zeek::BifEvent::enqueue_modbus_read_discrete_inputs_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_discrete_inputs_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
@ -173,8 +173,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_discrete_inputs_response )
{
zeek::BifEvent::enqueue_modbus_read_discrete_inputs_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_discrete_inputs_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
}
@ -188,8 +188,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_holding_registers_request )
{
zeek::BifEvent::enqueue_modbus_read_holding_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_holding_registers_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
@ -202,7 +202,7 @@ refine flow ModbusTCP_Flow += {
%{
if ( ${message.byte_count} % 2 != 0 )
{
connection()->bro_analyzer()->ProtocolViolation(
connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus read holding register response byte count %d", ${message.byte_count}));
return false;
}
@ -217,8 +217,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r);
}
zeek::BifEvent::enqueue_modbus_read_holding_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_holding_registers_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
@ -232,8 +232,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_input_registers_request )
{
zeek::BifEvent::enqueue_modbus_read_input_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_input_registers_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
@ -246,7 +246,7 @@ refine flow ModbusTCP_Flow += {
%{
if ( ${message.byte_count} % 2 != 0 )
{
connection()->bro_analyzer()->ProtocolViolation(
connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus read input register response byte count %d", ${message.byte_count}));
return false;
}
@ -261,8 +261,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r);
}
zeek::BifEvent::enqueue_modbus_read_input_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_input_registers_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
@ -283,13 +283,13 @@ refine flow ModbusTCP_Flow += {
val = 1;
else
{
connection()->bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil request %d",
connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil request %d",
${message.value}));
return false;
}
zeek::BifEvent::enqueue_modbus_write_single_coil_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_write_single_coil_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
val);
@ -310,13 +310,13 @@ refine flow ModbusTCP_Flow += {
val = 1;
else
{
connection()->bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil response %d",
connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil response %d",
${message.value}));
return false;
}
zeek::BifEvent::enqueue_modbus_write_single_coil_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_write_single_coil_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
val);
@ -331,8 +331,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_single_register_request )
{
zeek::BifEvent::enqueue_modbus_write_single_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_write_single_register_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.address}, ${message.value});
}
@ -345,8 +345,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_single_register_response )
{
zeek::BifEvent::enqueue_modbus_write_single_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_write_single_register_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.address}, ${message.value});
}
@ -360,8 +360,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_coils_request )
{
zeek::BifEvent::enqueue_modbus_write_multiple_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_write_multiple_coils_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address},
bytestring_to_coils(${message.coils}, ${message.quantity}));
@ -375,8 +375,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_coils_response )
{
zeek::BifEvent::enqueue_modbus_write_multiple_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_write_multiple_coils_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
@ -390,7 +390,7 @@ refine flow ModbusTCP_Flow += {
%{
if ( ${message.byte_count} % 2 != 0 )
{
connection()->bro_analyzer()->ProtocolViolation(
connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus write multiple registers request byte count %d", ${message.byte_count}));
return false;
}
@ -405,8 +405,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r);
}
zeek::BifEvent::enqueue_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_write_multiple_registers_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, std::move(t));
}
@ -419,8 +419,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_registers_response )
{
zeek::BifEvent::enqueue_modbus_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_write_multiple_registers_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
@ -447,8 +447,8 @@ refine flow ModbusTCP_Flow += {
// t->Assign(i, l);
// }
zeek::BifEvent::enqueue_modbus_read_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_file_record_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header));
}
@ -468,8 +468,8 @@ refine flow ModbusTCP_Flow += {
// t->Assign(i, r);
// }
zeek::BifEvent::enqueue_modbus_read_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_file_record_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header));
}
@ -500,8 +500,8 @@ refine flow ModbusTCP_Flow += {
// }
// }
zeek::BifEvent::enqueue_modbus_write_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_write_file_record_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header));
}
@ -532,8 +532,8 @@ refine flow ModbusTCP_Flow += {
// t->Assign(i, k);
// }
zeek::BifEvent::enqueue_modbus_write_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_write_file_record_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header));
}
@ -545,8 +545,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_mask_write_register_request )
{
zeek::BifEvent::enqueue_modbus_mask_write_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_mask_write_register_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
${message.and_mask}, ${message.or_mask});
@ -560,8 +560,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_mask_write_register_response )
{
zeek::BifEvent::enqueue_modbus_mask_write_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_mask_write_register_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
${message.and_mask}, ${message.or_mask});
@ -575,7 +575,7 @@ refine flow ModbusTCP_Flow += {
%{
if ( ${message.write_byte_count} % 2 != 0 )
{
connection()->bro_analyzer()->ProtocolViolation(
connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus read write multiple registers request write byte count %d", ${message.write_byte_count}));
return false;
}
@ -590,8 +590,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r);
}
zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.read_start_address},
${message.read_quantity},
@ -607,7 +607,7 @@ refine flow ModbusTCP_Flow += {
%{
if ( ${message.byte_count} % 2 != 0 )
{
connection()->bro_analyzer()->ProtocolViolation(
connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus read write multiple registers response byte count %d", ${message.byte_count}));
return false;
}
@ -622,8 +622,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r);
}
zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
@ -636,8 +636,8 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_fifo_queue_request )
{
zeek::BifEvent::enqueue_modbus_read_fifo_queue_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_fifo_queue_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address});
}
@ -651,7 +651,7 @@ refine flow ModbusTCP_Flow += {
%{
if ( ${message.byte_count} % 2 != 0 )
{
connection()->bro_analyzer()->ProtocolViolation(
connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus read FIFO queue response byte count %d", ${message.byte_count}));
return false;
}
@ -666,8 +666,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r);
}
zeek::BifEvent::enqueue_modbus_read_fifo_queue_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_modbus_read_fifo_queue_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}

2
src/analyzer/protocol/modbus/modbus-protocol.pac
View file

@ -1,5 +1,5 @@
#
# The development of Bro's Modbus analyzer has been made possible thanks to
# The development of Zeek's Modbus analyzer has been made possible thanks to
# the support of the Ministry of Security and Justice of the Kingdom of the
# Netherlands within the projects of Hermes, Castor and Midas.
#

6
src/analyzer/protocol/modbus/modbus.pac
View file

@ -1,5 +1,5 @@
#
# The development of Bro's Modbus analyzer has been made possible thanks to
# The development of Zeek's Modbus analyzer has been made possible thanks to
# the support of the Ministry of Security and Justice of the Kingdom of the
# Netherlands within the projects of Hermes, Castor and Midas.
#
@ -7,7 +7,7 @@
# http://www.simplymodbus.ca/faq.htm
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "events.bif.h"
@ -18,7 +18,7 @@ analyzer ModbusTCP withcontext {
flow: ModbusTCP_Flow;
};
connection ModbusTCP_Conn(bro_analyzer: BroAnalyzer) {
connection ModbusTCP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = ModbusTCP_Flow(true);
downflow = ModbusTCP_Flow(false);
};

4
src/analyzer/protocol/mqtt/commands/connack.pac
View file

@ -18,8 +18,8 @@ refine flow MQTT_Flow += {
auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectAckMsg);
m->Assign(0, zeek::val_mgr->Count(${msg.return_code}));
m->Assign(1, zeek::val_mgr->Bool(${msg.session_present}));
zeek::BifEvent::enqueue_mqtt_connack(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mqtt_connack(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
std::move(m));
}

6
src/analyzer/protocol/mqtt/commands/connect.pac
View file

@ -75,13 +75,13 @@ refine flow MQTT_Flow += {
reinterpret_cast<const char*>(${msg.pass.str}.begin())));
}
zeek::BifEvent::enqueue_mqtt_connect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mqtt_connect(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
std::move(m));
}
// If a connect message was seen, let's say that confirms it.
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
return true;
%}
};

4
src/analyzer/protocol/mqtt/commands/disconnect.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_disconnect )
{
zeek::BifEvent::enqueue_mqtt_disconnect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
zeek::BifEvent::enqueue_mqtt_disconnect(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn());
}
return true;

4
src/analyzer/protocol/mqtt/commands/pingreq.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pingreq )
{
zeek::BifEvent::enqueue_mqtt_pingreq(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
zeek::BifEvent::enqueue_mqtt_pingreq(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn());
}
return true;

4
src/analyzer/protocol/mqtt/commands/pingresp.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pingresp )
{
zeek::BifEvent::enqueue_mqtt_pingresp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
zeek::BifEvent::enqueue_mqtt_pingresp(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn());
}
return true;

4
src/analyzer/protocol/mqtt/commands/puback.pac
View file

@ -13,8 +13,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_puback )
{
zeek::BifEvent::enqueue_mqtt_puback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mqtt_puback(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}

4
src/analyzer/protocol/mqtt/commands/pubcomp.pac
View file

@ -13,8 +13,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pubcomp )
{
zeek::BifEvent::enqueue_mqtt_pubcomp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mqtt_pubcomp(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}

6
src/analyzer/protocol/mqtt/commands/publish.pac
View file

@ -42,15 +42,15 @@ refine flow MQTT_Flow += {
m->Assign(5, zeek::val_mgr->Count(${msg.payload}.length()));
zeek::BifEvent::enqueue_mqtt_publish(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mqtt_publish(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${pdu.is_orig},
${msg.qos} == 0 ? 0 : ${msg.msg_id},
std::move(m));
}
// If a publish message was seen, let's say that confirms it.
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
return true;
%}

4
src/analyzer/protocol/mqtt/commands/pubrec.pac
View file

@ -13,8 +13,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pubrec )
{
zeek::BifEvent::enqueue_mqtt_pubrec(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mqtt_pubrec(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}

4
src/analyzer/protocol/mqtt/commands/pubrel.pac
View file

@ -13,8 +13,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pubrel )
{
zeek::BifEvent::enqueue_mqtt_pubrel(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mqtt_pubrel(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}

4
src/analyzer/protocol/mqtt/commands/suback.pac
View file

@ -14,8 +14,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_suback )
{
zeek::BifEvent::enqueue_mqtt_suback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mqtt_suback(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${msg.msg_id},
${msg.granted_QoS});
}

4
src/analyzer/protocol/mqtt/commands/subscribe.pac
View file

@ -31,8 +31,8 @@ refine flow MQTT_Flow += {
qos_levels->Assign(qos_levels->Size(), std::move(qos));
}
zeek::BifEvent::enqueue_mqtt_subscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mqtt_subscribe(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${msg.msg_id},
std::move(topics),
std::move(qos_levels));

4
src/analyzer/protocol/mqtt/commands/unsuback.pac
View file

@ -13,8 +13,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_unsuback )
{
zeek::BifEvent::enqueue_mqtt_unsuback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mqtt_unsuback(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${msg.msg_id});
}

4
src/analyzer/protocol/mqtt/commands/unsubscribe.pac
View file

@ -23,8 +23,8 @@ refine flow MQTT_Flow += {
topics->Assign(topics->Size(), std::move(unsubscribe_topic));
}
zeek::BifEvent::enqueue_mqtt_unsubscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mqtt_unsubscribe(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${msg.msg_id},
std::move(topics));
}

5
src/analyzer/protocol/mqtt/mqtt-protocol.pac
View file

@ -46,7 +46,7 @@ refine connection MQTT_Conn += {
if ( vals->size() > 4 )
{
this->bro_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too many bytes");
this->zeek_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too many bytes");
return 0;
}
@ -57,7 +57,7 @@ refine connection MQTT_Conn += {
if ( multiplier > 128*128*128 )
{
// This is definitely a protocol violation
this->bro_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too large");
this->zeek_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too large");
return 0;
}
}
@ -65,4 +65,3 @@ refine connection MQTT_Conn += {
return value;
%}
};

5
src/analyzer/protocol/mqtt/mqtt.pac
View file

@ -1,7 +1,7 @@
# Analyzer for MQTT Protocol (currently v3.1.1, no v5.0 support)
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "MQTT.h"
@ -15,7 +15,7 @@ analyzer MQTT withcontext {
};
# Our connection consists of two flows, one in each direction.
connection MQTT_Conn(bro_analyzer: BroAnalyzer) {
connection MQTT_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = MQTT_Flow(true);
downflow = MQTT_Flow(false);
};
@ -41,4 +41,3 @@ flow MQTT_Flow(is_orig: bool) {
%include commands/disconnect.pac
%include commands/pingreq.pac
%include commands/pingresp.pac

38
src/analyzer/protocol/mysql/mysql-analyzer.pac
View file

@ -6,12 +6,12 @@ refine flow MySQL_Flow += {
if ( mysql_server_version )
{
if ( ${msg.version} == 10 )
zeek::BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mysql_server_version(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
zeek::make_intrusive<zeek::StringVal>(c_str(${msg.handshake10.server_version})));
if ( ${msg.version} == 9 )
zeek::BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mysql_server_version(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
zeek::make_intrusive<zeek::StringVal>(c_str(${msg.handshake9.server_version})));
}
return true;
@ -20,17 +20,17 @@ refine flow MySQL_Flow += {
function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool
%{
if ( ${msg.version} == 9 || ${msg.version == 10} )
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
if ( mysql_handshake )
{
if ( ${msg.version} == 10 )
zeek::BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mysql_handshake(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
zeek::make_intrusive<zeek::StringVal>(c_str(${msg.v10_response.username})));
if ( ${msg.version} == 9 )
zeek::BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mysql_handshake(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
zeek::make_intrusive<zeek::StringVal>(c_str(${msg.v9_response.username})));
}
return true;
@ -39,8 +39,8 @@ refine flow MySQL_Flow += {
function proc_mysql_command_request_packet(msg: Command_Request_Packet): bool
%{
if ( mysql_command_request )
zeek::BifEvent::enqueue_mysql_command_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mysql_command_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${msg.command},
to_stringval(${msg.arg}));
return true;
@ -49,8 +49,8 @@ refine flow MySQL_Flow += {
function proc_err_packet(msg: ERR_Packet): bool
%{
if ( mysql_error )
zeek::BifEvent::enqueue_mysql_error(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mysql_error(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${msg.code},
to_stringval(${msg.msg}));
return true;
@ -59,8 +59,8 @@ refine flow MySQL_Flow += {
function proc_ok_packet(msg: OK_Packet): bool
%{
if ( mysql_ok )
zeek::BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mysql_ok(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${msg.rows});
return true;
%}
@ -71,8 +71,8 @@ refine flow MySQL_Flow += {
{
// This is a bit fake...
if ( mysql_ok )
zeek::BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mysql_ok(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
0);
}
@ -98,8 +98,8 @@ refine flow MySQL_Flow += {
vv->Assign(vv->Size(), zeek::make_intrusive<zeek::StringVal>(bstring.length(), ptr));
}
zeek::BifEvent::enqueue_mysql_result_row(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_mysql_result_row(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
std::move(vv));
return true;

4
src/analyzer/protocol/mysql/mysql.pac
View file

@ -5,7 +5,7 @@
# - mysql-analyzer.pac: describes the MySQL analyzer code
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "events.bif.h"
@ -17,7 +17,7 @@ analyzer MySQL withcontext {
};
# Our connection consists of two flows, one in each direction.
connection MySQL_Conn(bro_analyzer: BroAnalyzer) {
connection MySQL_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = MySQL_Flow(true);
downflow = MySQL_Flow(false);
};

2
src/analyzer/protocol/ncp/ncp.pac
View file

@ -1,6 +1,6 @@
# Netware Core Protocol
%include bro.pac
%include zeek.pac
%extern{
#include "events.bif.h"

52
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -1,20 +1,20 @@
%header{
zeek::ValPtr filetime2brotime(uint64_t ts);
zeek::ValPtr filetime2zeektime(uint64_t ts);
zeek::RecordValPtr build_version_record(NTLM_Version* val);
zeek::RecordValPtr build_negotiate_flag_record(NTLM_Negotiate_Flags* val);
%}
%code{
// This is replicated from the SMB analyzer. :(
zeek::ValPtr filetime2brotime(uint64_t ts)
zeek::ValPtr filetime2zeektime(uint64_t ts)
{
double secs = (ts / 10000000.0);
// Bro can't support times back to the 1600's
// Zeek can't support times back to the 1600's
// so we subtract a lot of seconds.
auto bro_ts = zeek::make_intrusive<zeek::TimeVal>(secs - 11644473600.0);
auto zeek_ts = zeek::make_intrusive<zeek::TimeVal>(secs - 11644473600.0);
return bro_ts;
return zeek_ts;
}
zeek::RecordValPtr build_version_record(NTLM_Version* val)
@ -60,7 +60,7 @@
refine connection NTLM_Conn += {
function build_av_record(val: NTLM_AV_Pair_Sequence, len: uint16): BroVal
function build_av_record(val: NTLM_AV_Pair_Sequence, len: uint16): ZeekVal
%{
zeek::RecordVal* result = new zeek::RecordVal(zeek::BifType::Record::NTLM::AVs);
for ( uint i = 0; ; i++ )
@ -71,7 +71,7 @@ refine connection NTLM_Conn += {
// According to spec, the TargetInfo MUST be a sequence of
// AV_PAIRs and terminated by the null AV_PAIR when the
// TargetInfoLen is non-zero, so this is in violation.
bro_analyzer()->ProtocolViolation("NTLM AV Pair loop underflow");
zeek_analyzer()->ProtocolViolation("NTLM AV Pair loop underflow");
return result;
}
@ -81,31 +81,31 @@ refine connection NTLM_Conn += {
case 0:
return result;
case 1:
result->Assign(0, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data}));
result->Assign(0, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data}));
break;
case 2:
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data}));
result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data}));
break;
case 3:
result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data}));
result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data}));
break;
case 4:
result->Assign(3, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data}));
result->Assign(3, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data}));
break;
case 5:
result->Assign(4, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
result->Assign(4, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
break;
case 6:
result->Assign(5, zeek::val_mgr->Bool(${val.pairs[i].constrained_auth}));
break;
case 7:
result->Assign(6, filetime2brotime(${val.pairs[i].timestamp}));
result->Assign(6, filetime2zeektime(${val.pairs[i].timestamp}));
break;
case 8:
result->Assign(7, zeek::val_mgr->Count(${val.pairs[i].single_host.machine_id}));
break;
case 9:
result->Assign(8, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data}));
result->Assign(8, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].target_name.data}));
break;
}
}
@ -121,16 +121,16 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() )
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data}));
result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.domain_name.string.data}));
if ( ${val}->has_workstation() )
result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.workstation.string.data}));
if ( ${val}->has_version() )
result->Assign(3, build_version_record(${val.version}));
zeek::BifEvent::enqueue_ntlm_negotiate(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_ntlm_negotiate(zeek_analyzer(),
zeek_analyzer()->Conn(),
std::move(result));
return true;
@ -145,7 +145,7 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_target_name() )
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.target_name.string.data}));
result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.target_name.string.data}));
if ( ${val}->has_version() )
result->Assign(2, build_version_record(${val.version}));
@ -153,8 +153,8 @@ refine connection NTLM_Conn += {
if ( ${val}->has_target_info() )
result->Assign(3, {zeek::AdoptRef{}, build_av_record(${val.target_info}, ${val.target_info_fields.length})});
zeek::BifEvent::enqueue_ntlm_challenge(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_ntlm_challenge(zeek_analyzer(),
zeek_analyzer()->Conn(),
std::move(result));
return true;
@ -169,13 +169,13 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() > 0 )
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data}));
result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.domain_name.string.data}));
if ( ${val}->has_user_name() > 0 )
result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.user_name.string.data}));
result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.user_name.string.data}));
if ( ${val}->has_workstation() > 0 )
result->Assign(3, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
result->Assign(3, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.workstation.string.data}));
if ( ${val}->has_encrypted_session_key() > 0 )
result->Assign(4, to_stringval(${val.encrypted_session_key.string.data}));
@ -183,8 +183,8 @@ refine connection NTLM_Conn += {
if ( ${val}->has_version() )
result->Assign(5, build_version_record(${val.version}));
zeek::BifEvent::enqueue_ntlm_authenticate(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_ntlm_authenticate(zeek_analyzer(),
zeek_analyzer()->Conn(),
std::move(result));
return true;
%}

4
src/analyzer/protocol/ntlm/ntlm.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "analyzer/Manager.h"
@ -14,7 +14,7 @@ analyzer NTLM withcontext {
flow : NTLM_Flow;
};
connection NTLM_Conn(bro_analyzer: BroAnalyzer) {
connection NTLM_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = NTLM_Flow(true);
downflow = NTLM_Flow(false);
};

6
src/analyzer/protocol/ntp/ntp-analyzer.pac
View file

@ -133,7 +133,7 @@ refine flow NTP_Flow += {
function proc_ntp_message(msg: NTP_PDU): bool
%{
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
if ( ! ntp_message )
return false;
@ -150,8 +150,8 @@ refine flow NTP_Flow += {
else if ( ${msg.mode} == 7 )
rv->Assign(4, BuildNTPMode7Msg(${msg.mode7}));
zeek::BifEvent::enqueue_ntp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_ntp_message(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
is_orig(), std::move(rv));
return true;
%}

4
src/analyzer/protocol/ntp/ntp.pac
View file

@ -1,6 +1,6 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "types.bif.h"
@ -12,7 +12,7 @@ analyzer NTP withcontext {
flow: NTP_Flow;
};
connection NTP_Conn(bro_analyzer: BroAnalyzer) {
connection NTP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = NTP_Flow(true);
downflow = NTP_Flow(false);
};

6
src/analyzer/protocol/radius/radius-analyzer.pac
View file

@ -2,7 +2,7 @@
refine flow RADIUS_Flow += {
function proc_radius_message(msg: RADIUS_PDU): bool
%{
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
if ( ! radius_message )
return false;
@ -41,7 +41,7 @@ refine flow RADIUS_Flow += {
result->Assign(3, std::move(attributes));
}
zeek::BifEvent::enqueue_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), std::move(result));
zeek::BifEvent::enqueue_radius_message(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), std::move(result));
return true;
%}
@ -50,7 +50,7 @@ refine flow RADIUS_Flow += {
if ( ! radius_attribute )
return false;
zeek::BifEvent::enqueue_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_radius_attribute(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
${attr.code}, to_stringval(${attr.value}));
return true;
%}

4
src/analyzer/protocol/radius/radius.pac
View file

@ -3,7 +3,7 @@
# - radius-analyzer.pac: describes the RADIUS analyzer code
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "events.bif.h"
@ -15,7 +15,7 @@ analyzer RADIUS withcontext {
};
# Our connection consists of two flows, one in each direction.
connection RADIUS_Conn(bro_analyzer: BroAnalyzer) {
connection RADIUS_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = RADIUS_Flow(true);
downflow = RADIUS_Flow(false);
};

2
src/analyzer/protocol/rdp/RDP.cc
View file

@ -76,7 +76,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
if ( rdp_native_encrypted_data )
zeek::BifEvent::enqueue_rdp_native_encrypted_data(
interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
interp->zeek_analyzer(), interp->zeek_analyzer()->Conn(),
orig, len);
}
}

60
src/analyzer/protocol/rdp/rdp-analyzer.pac
View file

@ -9,8 +9,8 @@ refine flow RDP_Flow += {
%{
if ( rdp_connect_request )
{
zeek::BifEvent::enqueue_rdp_connect_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdp_connect_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
to_stringval(${cr.cookie_value}),
${cr.rdp_neg_req} ? ${cr.rdp_neg_req.flags} : 0);
}
@ -22,8 +22,8 @@ refine flow RDP_Flow += {
%{
if ( rdp_negotiation_response )
{
zeek::BifEvent::enqueue_rdp_negotiation_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdp_negotiation_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${nr.selected_protocol},
${nr.flags});
}
@ -35,8 +35,8 @@ refine flow RDP_Flow += {
%{
if ( rdp_negotiation_failure )
{
zeek::BifEvent::enqueue_rdp_negotiation_failure(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdp_negotiation_failure(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${nf.failure_code},
${nf.flags});
}
@ -47,11 +47,11 @@ refine flow RDP_Flow += {
function proc_rdp_gcc_server_create_response(gcc_response: GCC_Server_Create_Response): bool
%{
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
if ( rdp_gcc_server_create_response )
zeek::BifEvent::enqueue_rdp_gcc_server_create_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdp_gcc_server_create_response(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${gcc_response.result});
return true;
@ -60,7 +60,7 @@ refine flow RDP_Flow += {
function proc_rdp_client_core_data(ccore: Client_Core_Data): bool
%{
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
if ( rdp_client_core_data )
{
@ -84,21 +84,21 @@ refine flow RDP_Flow += {
ccd->Assign(5, zeek::val_mgr->Count(${ccore.sas_sequence}));
ccd->Assign(6, zeek::val_mgr->Count(${ccore.keyboard_layout}));
ccd->Assign(7, zeek::val_mgr->Count(${ccore.client_build}));
ccd->Assign(8, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.client_name}));
ccd->Assign(8, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.client_name}));
ccd->Assign(9, zeek::val_mgr->Count(${ccore.keyboard_type}));
ccd->Assign(10, zeek::val_mgr->Count(${ccore.keyboard_sub}));
ccd->Assign(11, zeek::val_mgr->Count(${ccore.keyboard_function_key}));
ccd->Assign(12, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.ime_file_name}));
ccd->Assign(12, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.ime_file_name}));
ccd->Assign(13, zeek::val_mgr->Count(${ccore.post_beta2_color_depth}));
ccd->Assign(14, zeek::val_mgr->Count(${ccore.client_product_id}));
ccd->Assign(15, zeek::val_mgr->Count(${ccore.serial_number}));
ccd->Assign(16, zeek::val_mgr->Count(${ccore.high_color_depth}));
ccd->Assign(17, zeek::val_mgr->Count(${ccore.supported_color_depths}));
ccd->Assign(18, std::move(ec_flags));
ccd->Assign(19, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id}));
ccd->Assign(19, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.dig_product_id}));
zeek::BifEvent::enqueue_rdp_client_core_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdp_client_core_data(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
std::move(ccd));
}
@ -114,8 +114,8 @@ refine flow RDP_Flow += {
csd->Assign(0, zeek::val_mgr->Count(${csec.encryption_methods}));
csd->Assign(1, zeek::val_mgr->Count(${csec.ext_encryption_methods}));
zeek::BifEvent::enqueue_rdp_client_security_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdp_client_security_data(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
std::move(csd));
return true;
%}
@ -151,8 +151,8 @@ refine flow RDP_Flow += {
channels->Assign(channels->Size(), std::move(channel_def));
}
zeek::BifEvent::enqueue_rdp_client_network_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdp_client_network_data(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
std::move(channels));
}
@ -172,19 +172,19 @@ refine flow RDP_Flow += {
ccld->Assign(4, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
ccld->Assign(5, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SMARTCARD}));
zeek::BifEvent::enqueue_rdp_client_cluster_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdp_client_cluster_data(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
std::move(ccld));
return true;
%}
function proc_rdp_server_security(ssd: Server_Security_Data): bool
%{
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
if ( rdp_server_security )
zeek::BifEvent::enqueue_rdp_server_security(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdp_server_security(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${ssd.encryption_method},
${ssd.encryption_level});
@ -195,8 +195,8 @@ refine flow RDP_Flow += {
%{
if ( rdp_server_certificate )
{
zeek::BifEvent::enqueue_rdp_server_certificate(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdp_server_certificate(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
${cert.cert_type},
${cert.permanently_issued});
}
@ -210,14 +210,14 @@ refine flow RDP_Flow += {
zeek::ODesc file_handle;
file_handle.AddRaw("Analyzer::ANALYZER_RDP");
file_handle.Add(connection()->bro_analyzer()->Conn()->StartTime());
connection()->bro_analyzer()->Conn()->IDString(&file_handle);
file_handle.Add(connection()->zeek_analyzer()->Conn()->StartTime());
connection()->zeek_analyzer()->Conn()->IDString(&file_handle);
string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
cert.length(),
connection()->bro_analyzer()->GetAnalyzerTag(),
connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer()->GetAnalyzerTag(),
connection()->zeek_analyzer()->Conn(),
false, // It seems there are only server certs?
file_id, "application/x-x509-user-cert");
zeek::file_mgr->EndOfFile(file_id);

4
src/analyzer/protocol/rdp/rdp-protocol.pac
View file

@ -383,8 +383,8 @@ refine connection RDP_Conn += {
if ( rdp_begin_encryption )
{
zeek::BifEvent::enqueue_rdp_begin_encryption(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdp_begin_encryption(zeek_analyzer(),
zeek_analyzer()->Conn(),
${method});
}

4
src/analyzer/protocol/rdp/rdp.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "events.bif.h"
@ -11,7 +11,7 @@ analyzer RDP withcontext {
};
# Our connection consists of two flows, one in each direction.
connection RDP_Conn(bro_analyzer: BroAnalyzer) {
connection RDP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = RDP_Flow(true);
downflow = RDP_Flow(false);
};

18
src/analyzer/protocol/rdp/rdpeudp-analyzer.pac
View file

@ -45,7 +45,7 @@ refine connection RDPEUDP_Conn += {
orig_lossy_ = true;
if ( rdpeudp_syn )
zeek::BifEvent::enqueue_rdpeudp_syn(bro_analyzer(), bro_analyzer()->Conn());
zeek::BifEvent::enqueue_rdpeudp_syn(zeek_analyzer(), zeek_analyzer()->Conn());
state_ = NEED_SYNACK;
return true;
@ -60,9 +60,9 @@ refine connection RDPEUDP_Conn += {
return false;
if ( rdpeudp_synack )
zeek::BifEvent::enqueue_rdpeudp_synack(bro_analyzer(), bro_analyzer()->Conn());
zeek::BifEvent::enqueue_rdpeudp_synack(zeek_analyzer(), zeek_analyzer()->Conn());
bro_analyzer()->ProtocolConfirmation();
zeek_analyzer()->ProtocolConfirmation();
state_ = NEED_ACK;
resp_synex_flags_ = uUdpVer;
@ -79,12 +79,12 @@ refine connection RDPEUDP_Conn += {
state_ = ESTABLISHED;
if ( rdpeudp_established )
zeek::BifEvent::enqueue_rdpeudp_established(bro_analyzer(), bro_analyzer()->Conn(), 1);
zeek::BifEvent::enqueue_rdpeudp_established(zeek_analyzer(), zeek_analyzer()->Conn(), 1);
}
if ( state_ == ESTABLISHED && rdpeudp_data )
zeek::BifEvent::enqueue_rdpeudp_data(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdpeudp_data(zeek_analyzer(),
zeek_analyzer()->Conn(),
is_orig,
1,
to_stringval(data)
@ -102,14 +102,14 @@ refine connection RDPEUDP_Conn += {
if ( state_ == NEED_ACK )
{
if ( rdpeudp_established )
zeek::BifEvent::enqueue_rdpeudp_established(bro_analyzer(), bro_analyzer()->Conn(), 2);
zeek::BifEvent::enqueue_rdpeudp_established(zeek_analyzer(), zeek_analyzer()->Conn(), 2);
state_ = ESTABLISHED;
}
if ( state_ == ESTABLISHED && rdpeudp_data )
zeek::BifEvent::enqueue_rdpeudp_data(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rdpeudp_data(zeek_analyzer(),
zeek_analyzer()->Conn(),
is_orig,
2,
to_stringval(data)

4
src/analyzer/protocol/rdp/rdpeudp.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "events.bif.h"
@ -10,7 +10,7 @@ analyzer RDPEUDP withcontext {
flow: RDPEUDP_Flow;
};
connection RDPEUDP_Conn(bro_analyzer: BroAnalyzer) {
connection RDPEUDP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = RDPEUDP_Flow(true);
downflow = RDPEUDP_Flow(false);
};

26
src/analyzer/protocol/rfb/rfb-analyzer.pac
View file

@ -4,18 +4,18 @@ refine flow RFB_Flow += {
if ( client )
{
if ( rfb_client_version )
zeek::BifEvent::enqueue_rfb_client_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rfb_client_version(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
to_stringval(major),
to_stringval(minor));
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
}
else
{
if ( rfb_server_version )
zeek::BifEvent::enqueue_rfb_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_rfb_server_version(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
to_stringval(major),
to_stringval(minor));
}
@ -26,21 +26,21 @@ refine flow RFB_Flow += {
function proc_rfb_share_flag(shared: bool) : bool
%{
if ( rfb_share_flag )
zeek::BifEvent::enqueue_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared);
zeek::BifEvent::enqueue_rfb_share_flag(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), shared);
return true;
%}
function proc_security_types(msg: RFBSecurityType) : bool
%{
if ( rfb_authentication_type )
zeek::BifEvent::enqueue_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype});
zeek::BifEvent::enqueue_rfb_authentication_type(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), ${msg.sectype});
return true;
%}
function proc_security_types37(msg: RFBAuthTypeSelected) : bool
%{
if ( rfb_authentication_type )
zeek::BifEvent::enqueue_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type});
zeek::BifEvent::enqueue_rfb_authentication_type(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), ${msg.type});
return true;
%}
@ -51,7 +51,7 @@ refine flow RFB_Flow += {
auto vec_ptr = ${msg.name};
auto name_ptr = &((*vec_ptr)[0]);
zeek::BifEvent::enqueue_rfb_server_parameters(
connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
zeek::make_intrusive<zeek::StringVal>(${msg.name}->size(), (const char*)name_ptr),
${msg.width},
${msg.height});
@ -62,7 +62,7 @@ refine flow RFB_Flow += {
function proc_handle_security_result(result : uint32) : bool
%{
if ( rfb_auth_result )
zeek::BifEvent::enqueue_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
zeek::BifEvent::enqueue_rfb_auth_result(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), result);
return true;
%}
};
@ -181,7 +181,7 @@ refine connection RFB_Conn += {
else
{
// Shouldn't be a possible.
bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB security type %u", msg->sectype()));
zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB security type %u", msg->sectype()));
}
return true;
@ -235,7 +235,7 @@ refine connection RFB_Conn += {
}
else
{
bro_analyzer()->ProtocolViolation(zeek::util::fmt("unknown RFB auth selection: %u", ${msg.type}));
zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unknown RFB auth selection: %u", ${msg.type}));
}
return true;
@ -277,7 +277,7 @@ refine connection RFB_Conn += {
// Failed
server_state = SERVER_AUTH_FAILURE;
else
bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB auth result: %u", ${msg.result}));
zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB auth result: %u", ${msg.result}));
return true;
%}

4
src/analyzer/protocol/rfb/rfb.pac
View file

@ -3,7 +3,7 @@
# - rfb-analyzer.pac: describes the rfb analyzer code
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "events.bif.h"
@ -15,7 +15,7 @@ analyzer RFB withcontext {
};
# Our connection consists of two flows, one in each direction.
connection RFB_Conn(bro_analyzer: BroAnalyzer) {
connection RFB_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = RFB_Flow(true);
downflow = RFB_Flow(false);
};

18
src/analyzer/protocol/sip/sip-analyzer.pac
View file

@ -20,7 +20,7 @@ refine flow SIP_Flow += {
%{
if ( sip_request )
{
zeek::BifEvent::enqueue_sip_request(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_sip_request(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
to_stringval(method), to_stringval(uri),
to_stringval(${vers.vers_str}));
}
@ -32,10 +32,10 @@ refine flow SIP_Flow += {
function proc_sip_reply(vers: SIP_Version, code: int, reason: bytestring): bool
%{
connection()->bro_analyzer()->ProtocolConfirmation();
connection()->zeek_analyzer()->ProtocolConfirmation();
if ( sip_reply )
{
zeek::BifEvent::enqueue_sip_reply(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_sip_reply(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
to_stringval(${vers.vers_str}), code, to_stringval(reason));
}
@ -53,7 +53,7 @@ refine flow SIP_Flow += {
{
auto nameval = to_stringval(name);
nameval->ToUpper();
zeek::BifEvent::enqueue_sip_header(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_sip_header(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
is_orig(), std::move(nameval), to_stringval(value));
}
@ -65,7 +65,7 @@ refine flow SIP_Flow += {
return true;
%}
function build_sip_headers_val(): BroVal
function build_sip_headers_val(): ZeekVal
%{
static auto mime_header_list = zeek::id::find_type<zeek::TableType>("mime_header_list");
auto* t = new zeek::TableVal(mime_header_list);
@ -83,7 +83,7 @@ refine flow SIP_Flow += {
%{
if ( sip_all_headers )
{
zeek::BifEvent::enqueue_sip_all_headers(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_sip_all_headers(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
is_orig(), {zeek::AdoptRef{}, build_sip_headers_val()});
}
@ -100,7 +100,7 @@ refine flow SIP_Flow += {
return true;
%}
function build_sip_header_val(name: const_bytestring, value: const_bytestring): BroVal
function build_sip_header_val(name: const_bytestring, value: const_bytestring): ZeekVal
%{
static auto mime_header_rec = zeek::id::find_type<zeek::RecordType>("mime_header_rec");
auto* header_record = new zeek::RecordVal(mime_header_rec);
@ -127,7 +127,7 @@ refine flow SIP_Flow += {
%{
if ( sip_begin_entity )
{
zeek::BifEvent::enqueue_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
zeek::BifEvent::enqueue_sip_begin_entity(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), is_orig());
}
%}
@ -135,7 +135,7 @@ refine flow SIP_Flow += {
%{
if ( sip_end_entity )
{
zeek::BifEvent::enqueue_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig());
zeek::BifEvent::enqueue_sip_end_entity(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), is_orig());
}
return true;

4
src/analyzer/protocol/sip/sip.pac
View file

@ -2,7 +2,7 @@
# Based heavily on the HTTP BinPAC analyzer
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "events.bif.h"
@ -13,7 +13,7 @@ analyzer SIP withcontext {
flow: SIP_Flow;
};
connection SIP_Conn(bro_analyzer: BroAnalyzer) {
connection SIP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = SIP_Flow(true);
downflow = SIP_Flow(false);
};

4
src/analyzer/protocol/sip/sip_TCP.pac
View file

@ -5,7 +5,7 @@
# activated. We don't yet support SIP-over-TCP.
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "events.bif.h"
@ -16,7 +16,7 @@ analyzer SIP_TCP withcontext {
flow: SIP_Flow;
};
connection SIP_Conn(bro_analyzer: BroAnalyzer) {
connection SIP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = SIP_Flow(true);
downflow = SIP_Flow(false);
};

4
src/analyzer/protocol/smb/smb-gssapi.pac
View file

@ -27,10 +27,10 @@ refine connection SMB_Conn += {
function forward_gssapi(data: bytestring, is_orig: bool): bool
%{
if ( ! gssapi )
gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("GSSAPI", bro_analyzer()->Conn());
gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("GSSAPI", zeek_analyzer()->Conn());
if ( ! ntlm )
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn());
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn());
// SMB allows raw NTLM instead of GSSAPI in certain messages.
// We check if this is the case and run the NTLM analyzer directly.

2
src/analyzer/protocol/smb/smb-pipe.pac
View file

@ -49,7 +49,7 @@ refine connection SMB_Conn += {
if ( it == fid_to_analyzer_map.end() )
{
auto tmp_analyzer = zeek::analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer()->Conn());
auto tmp_analyzer = zeek::analyzer_mgr->InstantiateAnalyzer("DCE_RPC", zeek_analyzer()->Conn());
pipe_dcerpc = static_cast<zeek::analyzer::dce_rpc::DCE_RPC_Analyzer *>(tmp_analyzer);
if ( pipe_dcerpc )

4
src/analyzer/protocol/smb/smb-strings.pac
View file

@ -1,5 +1,5 @@
%extern{
#include "binpac_bro.h"
#include "binpac_zeek.h"
%}
%code{
@ -12,7 +12,7 @@ zeek::StringValPtr binpac::SMB::SMB_Conn::uint8s_to_stringval(std::vector<uint8_
buf[i] = (*data)[i];
const bytestring bs = bytestring(buf.get(), length);
return utf16_to_utf8_val(bro_analyzer()->Conn(), bs);
return utf16_to_utf8_val(zeek_analyzer()->Conn(), bs);
}
zeek::StringValPtr binpac::SMB::SMB_Conn::extract_string(SMB_string* s)

14
src/analyzer/protocol/smb/smb-time.pac
View file

@ -1,5 +1,5 @@
%header{
zeek::ValPtr filetime2brotime(uint64_t ts);
zeek::ValPtr filetime2zeektime(uint64_t ts);
zeek::ValPtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz);
zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,
@ -7,9 +7,9 @@ zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,
%}
%code{
zeek::ValPtr filetime2brotime(uint64_t ts)
zeek::ValPtr filetime2zeektime(uint64_t ts)
{
// Bro can't support times back to the 1600's
// Zeek can't support times back to the 1600's
// so we subtract a lot of seconds.
double secs = (ts / 10000000.0L) - 11644473600.0L;
return zeek::make_intrusive<zeek::TimeVal>(secs);
@ -33,10 +33,10 @@ zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,
uint64_t create, uint64_t change)
{
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB::MACTimes);
r->Assign(0, filetime2brotime(modify));
r->Assign(1, filetime2brotime(access));
r->Assign(2, filetime2brotime(create));
r->Assign(3, filetime2brotime(change));
r->Assign(0, filetime2zeektime(modify));
r->Assign(1, filetime2zeektime(access));
r->Assign(2, filetime2zeektime(create));
r->Assign(3, filetime2zeektime(change));
return r;
}
%}

4
src/analyzer/protocol/smb/smb.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac
%include bro.pac
%include zeek.pac
%extern{
#include "analyzer/Manager.h"
@ -48,7 +48,7 @@ analyzer SMB withcontext {
flow: SMB_Flow;
};
connection SMB_Conn(bro_analyzer: BroAnalyzer) {
connection SMB_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = SMB_Flow(true);
downflow = SMB_Flow(false);
};

8
src/analyzer/protocol/smb/smb1-com-check-directory.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_check_directory_request(header: SMB_Header, val: SMB1_check_directory_request): bool
%{
if ( smb1_check_directory_request )
zeek::BifEvent::enqueue_smb1_check_directory_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_check_directory_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
smb_string2stringval(${val.directory_name}));
return true;
@ -13,8 +13,8 @@ refine connection SMB_Conn += {
function proc_smb1_check_directory_response(header: SMB_Header, val: SMB1_check_directory_response): bool
%{
if ( smb1_check_directory_response )
zeek::BifEvent::enqueue_smb1_check_directory_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_check_directory_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header));
return true;
%}

8
src/analyzer/protocol/smb/smb1-com-close.pac
View file

@ -3,13 +3,13 @@ refine connection SMB_Conn += {
function proc_smb1_close_request(h: SMB_Header, val: SMB1_close_request): bool
%{
if ( smb1_close_request )
zeek::BifEvent::enqueue_smb1_close_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_close_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(h),
${val.file_id});
zeek::file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig());
zeek::file_mgr->EndOfFile(zeek_analyzer()->GetAnalyzerTag(),
zeek_analyzer()->Conn(), h->is_orig());
return true;
%}

7
src/analyzer/protocol/smb/smb1-com-create-directory.pac
View file

@ -3,7 +3,7 @@ refine connection SMB_Conn += {
function proc_smb1_create_directory_request(header: SMB_Header, val: SMB1_create_directory_request): bool
%{
if ( smb1_create_directory_request )
zeek::BifEvent::enqueue_smb1_create_directory_request(bro_analyzer(), bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_create_directory_request(zeek_analyzer(), zeek_analyzer()->Conn(),
SMBHeaderVal(header),
smb_string2stringval(${val.directory_name}));
return true;
@ -11,8 +11,8 @@ refine connection SMB_Conn += {
function proc_smb1_create_directory_response(header: SMB_Header, val: SMB1_create_directory_response): bool
%{
if ( smb1_create_directory_response )
zeek::BifEvent::enqueue_smb1_create_directory_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_create_directory_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header));
return true;
%}
@ -34,4 +34,3 @@ type SMB1_create_directory_response(header: SMB_Header) = record {
} &let {
proc : bool = $context.connection.proc_smb1_create_directory_response(header, this);
};

5
src/analyzer/protocol/smb/smb1-com-echo.pac
View file

@ -3,7 +3,7 @@ refine connection SMB_Conn += {
function proc_smb1_echo_request(header: SMB_Header, val: SMB1_echo_request): bool
%{
if ( smb1_echo_request )
zeek::BifEvent::enqueue_smb1_echo_request(bro_analyzer(), bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_echo_request(zeek_analyzer(), zeek_analyzer()->Conn(),
${val.echo_count}, to_stringval(${val.data}));
return true;
%}
@ -11,7 +11,7 @@ refine connection SMB_Conn += {
function proc_smb1_echo_response(header: SMB_Header, val: SMB1_echo_response): bool
%{
if ( smb1_echo_response )
zeek::BifEvent::enqueue_smb1_echo_response(bro_analyzer(), bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_echo_response(zeek_analyzer(), zeek_analyzer()->Conn(),
${val.seq_num}, to_stringval(${val.data}));
return true;
%}
@ -40,4 +40,3 @@ type SMB1_echo_response(header: SMB_Header) = record {
} &let {
proc : bool = $context.connection.proc_smb1_echo_response(header, this);
};

2
src/analyzer/protocol/smb/smb1-com-logoff-andx.pac
View file

@ -3,7 +3,7 @@ refine connection SMB_Conn += {
function proc_smb1_logoff_andx(header: SMB_Header, val: SMB1_logoff_andx): bool
%{
if ( smb1_logoff_andx )
zeek::BifEvent::enqueue_smb1_logoff_andx(bro_analyzer(), bro_analyzer()->Conn(), ${val.is_orig});
zeek::BifEvent::enqueue_smb1_logoff_andx(zeek_analyzer(), zeek_analyzer()->Conn(), ${val.is_orig});
return true;
%}

8
src/analyzer/protocol/smb/smb1-com-negotiate.pac
View file

@ -23,7 +23,7 @@ refine connection SMB_Conn += {
dialects->Assign(i, std::move(dia));
}
zeek::BifEvent::enqueue_smb1_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_negotiate_request(zeek_analyzer(), zeek_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(dialects));
}
@ -119,7 +119,7 @@ refine connection SMB_Conn += {
ntlm->Assign(6, zeek::val_mgr->Count(${val.ntlm.max_raw_size}));
ntlm->Assign(7, zeek::val_mgr->Count(${val.ntlm.session_key}));
ntlm->Assign(8, std::move(capabilities));
ntlm->Assign(9, filetime2brotime(${val.ntlm.server_time}));
ntlm->Assign(9, filetime2zeektime(${val.ntlm.server_time}));
if ( ${val.ntlm.capabilities_extended_security} == false )
{
@ -135,8 +135,8 @@ refine connection SMB_Conn += {
}
break;
}
zeek::BifEvent::enqueue_smb1_negotiate_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_negotiate_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(response));
}

4
src/analyzer/protocol/smb/smb1-com-nt-cancel.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_nt_cancel_request(header: SMB_Header, val: SMB1_nt_cancel_request): bool
%{
if ( smb1_nt_cancel_request )
zeek::BifEvent::enqueue_smb1_nt_cancel_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_nt_cancel_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header));
return true;
%}

12
src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
View file

@ -9,14 +9,14 @@ refine connection SMB_Conn += {
set_tree_is_pipe(${header.tid});
if ( smb_pipe_connect_heuristic )
zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(zeek_analyzer(),
zeek_analyzer()->Conn());
}
if ( smb1_nt_create_andx_request )
{
zeek::BifEvent::enqueue_smb1_nt_create_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_nt_create_andx_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(filename));
}
@ -28,8 +28,8 @@ refine connection SMB_Conn += {
%{
if ( smb1_nt_create_andx_response )
{
zeek::BifEvent::enqueue_smb1_nt_create_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_nt_create_andx_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
${val.file_id},
${val.end_of_file},

5
src/analyzer/protocol/smb/smb1-com-query-information.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_query_information_request(header: SMB_Header, val: SMB1_query_information_request): bool
%{
if ( smb1_query_information_request )
zeek::BifEvent::enqueue_smb1_query_information_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_query_information_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
smb_string2stringval(${val.filename}));
return true;
@ -38,4 +38,3 @@ type SMB1_query_information_response(header: SMB_Header) = record {
} &let {
proc : bool = $context.connection.proc_smb1_query_information_response(header, this);
};

12
src/analyzer/protocol/smb/smb1-com-read-andx.pac
View file

@ -9,8 +9,8 @@ refine connection SMB_Conn += {
function proc_smb1_read_andx_request(h: SMB_Header, val: SMB1_read_andx_request): bool
%{
if ( smb1_read_andx_request )
zeek::BifEvent::enqueue_smb1_read_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_read_andx_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(h),
${val.file_id},
${val.read_offset},
@ -23,8 +23,8 @@ refine connection SMB_Conn += {
function proc_smb1_read_andx_response(h: SMB_Header, val: SMB1_read_andx_response): bool
%{
if ( smb1_read_andx_response )
zeek::BifEvent::enqueue_smb1_read_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_read_andx_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(h),
${val.data_len});
@ -34,8 +34,8 @@ refine connection SMB_Conn += {
read_offsets.erase(${h.mid});
zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset,
bro_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig());
zeek_analyzer()->GetAnalyzerTag(),
zeek_analyzer()->Conn(), h->is_orig());
}
return true;

8
src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
View file

@ -78,8 +78,8 @@ refine connection SMB_Conn += {
break;
}
zeek::BifEvent::enqueue_smb1_session_setup_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_session_setup_andx_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(request));
}
@ -112,8 +112,8 @@ refine connection SMB_Conn += {
break;
}
zeek::BifEvent::enqueue_smb1_session_setup_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_session_setup_andx_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(response));
}

4
src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
View file

@ -45,8 +45,8 @@ refine connection SMB_Conn += {
payload_str = zeek::val_mgr->EmptyString();
}
zeek::BifEvent::enqueue_smb1_transaction_secondary_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_transaction_secondary_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(args),
std::move(parameters),

8
src/analyzer/protocol/smb/smb1-com-transaction.pac
View file

@ -62,8 +62,8 @@ refine connection SMB_Conn += {
else
payload_str = zeek::val_mgr->EmptyString();
zeek::BifEvent::enqueue_smb1_transaction_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_transaction_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
smb_string2stringval(${val.name}),
${val.sub_cmd},
@ -87,8 +87,8 @@ refine connection SMB_Conn += {
else
payload_str = zeek::val_mgr->EmptyString();
zeek::BifEvent::enqueue_smb1_transaction_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_transaction_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(parameters),
std::move(payload_str));

4
src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
View file

@ -19,8 +19,8 @@ refine connection SMB_Conn += {
auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(), (const char*)${val.parameters}.data());
auto payload = zeek::make_intrusive<zeek::StringVal>(${val.data}.length(), (const char*)${val.data}.data());
zeek::BifEvent::enqueue_smb1_transaction2_secondary_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_transaction2_secondary_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(args),
std::move(parameters),

19
src/analyzer/protocol/smb/smb1-com-transaction2.pac
View file

@ -38,8 +38,8 @@ refine connection SMB_Conn += {
args->Assign(10, zeek::val_mgr->Count(${val.data_offset}));
args->Assign(11, zeek::val_mgr->Count(${val.setup_count}));
zeek::BifEvent::enqueue_smb1_transaction2_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_transaction2_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(args),
${val.sub_cmd});
@ -51,7 +51,7 @@ refine connection SMB_Conn += {
function proc_smb1_transaction2_response(header: SMB_Header, val: SMB1_transaction2_response): bool
%{
//if ( smb1_transaction2_response )
// zeek::BifEvent::enqueue_smb1_transaction2_response(bro_analyzer(), bro_analyzer()->Conn(), SMBHeaderVal(header), ${val.sub_cmd});
// zeek::BifEvent::enqueue_smb1_transaction2_response(zeek_analyzer(), zeek_analyzer()->Conn(), SMBHeaderVal(header), ${val.sub_cmd});
return true;
%}
@ -138,8 +138,8 @@ refine connection SMB_Conn += {
result->Assign(3, zeek::val_mgr->Count(${val.info_level}));
result->Assign(4, zeek::val_mgr->Count(${val.search_storage_type}));
result->Assign(5, smb_string2stringval(${val.file_name}));
zeek::BifEvent::enqueue_smb1_trans2_find_first2_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_trans2_find_first2_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(result));
@ -217,11 +217,10 @@ refine connection SMB_Conn += {
%{
if ( smb1_trans2_query_path_info_request )
{
zeek::BifEvent::enqueue_smb1_trans2_query_path_info_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_trans2_query_path_info_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
smb_string2stringval(${val.file_name}));
}
return true;
%}
@ -322,8 +321,8 @@ refine connection SMB_Conn += {
%{
if ( smb1_trans2_get_dfs_referral_request )
{
zeek::BifEvent::enqueue_smb1_trans2_get_dfs_referral_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_trans2_get_dfs_referral_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
smb_string2stringval(${val.file_name}));
}

8
src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_tree_connect_andx_request(header: SMB_Header, val: SMB1_tree_connect_andx_request): bool
%{
if ( smb1_tree_connect_andx_request )
zeek::BifEvent::enqueue_smb1_tree_connect_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_tree_connect_andx_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
smb_string2stringval(${val.path}),
smb_string2stringval(${val.service}));
@ -20,8 +20,8 @@ refine connection SMB_Conn += {
set_tree_is_pipe(${header.tid});
if ( smb1_tree_connect_andx_response )
zeek::BifEvent::enqueue_smb1_tree_connect_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_tree_connect_andx_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
std::move(service_string),
${val.byte_count} > ${val.service.a}->size() ?

4
src/analyzer/protocol/smb/smb1-com-tree-disconnect.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_tree_disconnect(header: SMB_Header, val: SMB1_tree_disconnect): bool
%{
if ( smb1_tree_disconnect )
zeek::BifEvent::enqueue_smb1_tree_disconnect(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_tree_disconnect(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header),
${val.is_orig});
return true;

12
src/analyzer/protocol/smb/smb1-com-write-andx.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_write_andx_request(h: SMB_Header, val: SMB1_write_andx_request): bool
%{
if ( smb1_write_andx_request )
zeek::BifEvent::enqueue_smb1_write_andx_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_write_andx_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(h),
${val.file_id},
${val.write_offset},
@ -14,8 +14,8 @@ refine connection SMB_Conn += {
{
zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(),
${val.write_offset},
bro_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig());
zeek_analyzer()->GetAnalyzerTag(),
zeek_analyzer()->Conn(), h->is_orig());
}
return true;
@ -24,8 +24,8 @@ refine connection SMB_Conn += {
function proc_smb1_write_andx_response(h: SMB_Header, val: SMB1_write_andx_response): bool
%{
if ( smb1_write_andx_response )
zeek::BifEvent::enqueue_smb1_write_andx_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_write_andx_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(h),
${val.written_bytes});

14
src/analyzer/protocol/smb/smb1-protocol.pac
View file

@ -43,7 +43,7 @@ refine connection SMB_Conn += {
%{
if ( smb1_message )
{
zeek::BifEvent::enqueue_smb1_message(bro_analyzer(), bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_message(zeek_analyzer(), zeek_analyzer()->Conn(),
SMBHeaderVal(h),
is_orig);
}
@ -54,8 +54,8 @@ refine connection SMB_Conn += {
%{
if ( smb1_empty_response )
{
zeek::BifEvent::enqueue_smb1_empty_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_empty_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(header));
}
return true;
@ -67,16 +67,16 @@ refine connection SMB_Conn += {
{
if ( smb1_empty_response )
{
zeek::BifEvent::enqueue_smb1_empty_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_empty_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(h));
}
}
else
{
if ( smb1_error )
zeek::BifEvent::enqueue_smb1_error(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb1_error(zeek_analyzer(),
zeek_analyzer()->Conn(),
SMBHeaderVal(h), is_orig);
}
return true;

14
src/analyzer/protocol/smb/smb2-com-close.pac
View file

@ -4,14 +4,14 @@ refine connection SMB_Conn += {
%{
if ( smb2_close_request )
{
zeek::BifEvent::enqueue_smb2_close_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_close_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}));
}
zeek::file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig());
zeek::file_mgr->EndOfFile(zeek_analyzer()->GetAnalyzerTag(),
zeek_analyzer()->Conn(), h->is_orig());
return true;
%}
@ -28,10 +28,10 @@ refine connection SMB_Conn += {
${val.last_access_time},
${val.creation_time},
${val.change_time}));
resp->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs}));
resp->Assign(3, smb2_file_attrs_to_zeek(${val.file_attrs}));
zeek::BifEvent::enqueue_smb2_close_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_close_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
std::move(resp));
}

14
src/analyzer/protocol/smb/smb2-com-create.pac
View file

@ -10,8 +10,8 @@ refine connection SMB_Conn += {
set_tree_is_pipe(${h.tree_id});
if ( smb_pipe_connect_heuristic )
zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(zeek_analyzer(),
zeek_analyzer()->Conn());
}
if ( smb2_create_request )
@ -20,8 +20,8 @@ refine connection SMB_Conn += {
requestinfo->Assign(0, std::move(filename));
requestinfo->Assign(1, zeek::val_mgr->Count(${val.disposition}));
requestinfo->Assign(2, zeek::val_mgr->Count(${val.create_options}));
zeek::BifEvent::enqueue_smb2_create_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_create_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
std::move(requestinfo));
}
@ -40,10 +40,10 @@ refine connection SMB_Conn += {
${val.last_access_time},
${val.creation_time},
${val.change_time}));
responseinfo->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs}));
responseinfo->Assign(3, smb2_file_attrs_to_zeek(${val.file_attrs}));
responseinfo->Assign(4, zeek::val_mgr->Count(${val.create_action}));
zeek::BifEvent::enqueue_smb2_create_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_create_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
std::move(responseinfo));
}

8
src/analyzer/protocol/smb/smb2-com-negotiate.pac
View file

@ -27,7 +27,7 @@ refine connection SMB_Conn += {
for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i )
dialects->Assign(i, zeek::val_mgr->Count((*${val.dialects})[i]));
zeek::BifEvent::enqueue_smb2_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_negotiate_request(zeek_analyzer(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
std::move(dialects));
}
@ -44,8 +44,8 @@ refine connection SMB_Conn += {
nr->Assign(0, zeek::val_mgr->Count(${val.dialect_revision}));
nr->Assign(1, zeek::val_mgr->Count(${val.security_mode}));
nr->Assign(2, BuildSMB2GUID(${val.server_guid}));
nr->Assign(3, filetime2brotime(${val.system_time}));
nr->Assign(4, filetime2brotime(${val.server_start_time}));
nr->Assign(3, filetime2zeektime(${val.system_time}));
nr->Assign(4, filetime2zeektime(${val.server_start_time}));
nr->Assign(5, zeek::val_mgr->Count(${val.negotiate_context_count}));
auto cv = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::SMB2::NegotiateContextValues);
@ -60,7 +60,7 @@ refine connection SMB_Conn += {
nr->Assign(6, std::move(cv));
zeek::BifEvent::enqueue_smb2_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_negotiate_response(zeek_analyzer(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
std::move(nr));
}

8
src/analyzer/protocol/smb/smb2-com-read.pac
View file

@ -26,8 +26,8 @@ refine connection SMB_Conn += {
%{
if ( smb2_read_request )
{
zeek::BifEvent::enqueue_smb2_read_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_read_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}),
${val.offset},
@ -51,8 +51,8 @@ refine connection SMB_Conn += {
if ( ! ${h.is_pipe} && ${val.data_len} > 0 )
{
zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset,
bro_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig());
zeek_analyzer()->GetAnalyzerTag(),
zeek_analyzer()->Conn(), h->is_orig());
}
return true;

8
src/analyzer/protocol/smb/smb2-com-session-setup.pac
View file

@ -7,8 +7,8 @@ refine connection SMB_Conn += {
auto req = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupRequest);
req->Assign(0, zeek::val_mgr->Count(${val.security_mode}));
zeek::BifEvent::enqueue_smb2_session_setup_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_session_setup_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
std::move(req));
}
@ -28,8 +28,8 @@ refine connection SMB_Conn += {
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupResponse);
resp->Assign(0, std::move(flags));
zeek::BifEvent::enqueue_smb2_session_setup_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_session_setup_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
std::move(resp));
}

58
src/analyzer/protocol/smb/smb2-com-set-info.pac
View file

@ -28,15 +28,15 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file(val: SMB2_file_basic_info): bool
%{
if ( smb2_file_sattr )
zeek::BifEvent::enqueue_smb2_file_sattr(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_sattr(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time},
${val.creation_time},
${val.change_time}),
smb2_file_attrs_to_bro(${val.file_attrs}));
smb2_file_attrs_to_zeek(${val.file_attrs}));
return true;
%}
@ -44,8 +44,8 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_rename(val: SMB2_file_rename_info): bool
%{
if ( smb2_file_rename )
zeek::BifEvent::enqueue_smb2_file_rename(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_rename(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
smb2_string2stringval(${val.filename}));
@ -56,8 +56,8 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_delete(val: SMB2_file_disposition_info): bool
%{
if ( smb2_file_delete )
zeek::BifEvent::enqueue_smb2_file_delete(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_delete(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
(${val.delete_pending} > 0));
@ -68,8 +68,8 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_allocation(val: SMB2_file_allocation_info): bool
%{
if ( smb2_file_allocation )
zeek::BifEvent::enqueue_smb2_file_allocation(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_allocation(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
(${val.allocation_size}));
@ -80,8 +80,8 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_endoffile(val: SMB2_file_endoffile_info): bool
%{
if ( smb2_file_endoffile )
zeek::BifEvent::enqueue_smb2_file_endoffile(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_endoffile(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.endoffile});
@ -104,8 +104,8 @@ refine connection SMB_Conn += {
eas->Assign(i, std::move(r));
}
zeek::BifEvent::enqueue_smb2_file_fullea(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_fullea(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
std::move(eas));
@ -117,8 +117,8 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_link(val: SMB2_file_link_info): bool
%{
if ( smb2_file_link )
zeek::BifEvent::enqueue_smb2_file_link(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_link(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.root_directory},
@ -130,8 +130,8 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_mode(val: SMB2_file_mode_info): bool
%{
if ( smb2_file_mode )
zeek::BifEvent::enqueue_smb2_file_mode(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_mode(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.mode});
@ -142,8 +142,8 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_pipe(val: SMB2_file_pipe_info): bool
%{
if ( smb2_file_pipe )
zeek::BifEvent::enqueue_smb2_file_pipe(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_pipe(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.read_mode},
@ -155,8 +155,8 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_position(val: SMB2_file_position_info): bool
%{
if ( smb2_file_position )
zeek::BifEvent::enqueue_smb2_file_position(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_position(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.current_byte_offset});
@ -167,8 +167,8 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_shortname(val: SMB2_file_shortname_info): bool
%{
if ( smb2_file_shortname )
zeek::BifEvent::enqueue_smb2_file_shortname(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_shortname(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
smb2_string2stringval(${val.filename}));
@ -179,8 +179,8 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_validdatalength(val: SMB2_file_validdatalength_info): bool
%{
if ( smb2_file_validdatalength )
zeek::BifEvent::enqueue_smb2_file_validdatalength(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_validdatalength(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
${val.validdatalength});
@ -200,8 +200,8 @@ refine connection SMB_Conn += {
r->Assign(4, zeek::val_mgr->Count(${val.default_quota_limit}));
r->Assign(5, zeek::val_mgr->Count(${val.file_system_control_flags}));
zeek::BifEvent::enqueue_smb2_file_fscontrol(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_fscontrol(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
std::move(r));
@ -213,8 +213,8 @@ refine connection SMB_Conn += {
function proc_smb2_set_info_request_file_fsobjectid(val: SMB2_file_fsobjectid_info): bool
%{
if ( smb2_file_fsobjectid )
zeek::BifEvent::enqueue_smb2_file_fsobjectid(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_file_fsobjectid(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(${val.sir.header}),
BuildSMB2GUID(${val.sir.file_id}),
BuildSMB2GUID(${val.object_id}),

4
src/analyzer/protocol/smb/smb2-com-transform-header.pac
View file

@ -11,8 +11,8 @@ refine connection SMB_Conn += {
r->Assign(3, zeek::val_mgr->Count(${hdr.flags}));
r->Assign(4, zeek::val_mgr->Count(${hdr.session_id}));
zeek::BifEvent::enqueue_smb2_transform_header(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_transform_header(zeek_analyzer(),
zeek_analyzer()->Conn(),
std::move(r));
}

8
src/analyzer/protocol/smb/smb2-com-tree-connect.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb2_tree_connect_request(header: SMB2_Header, val: SMB2_tree_connect_request): bool
%{
if ( smb2_tree_connect_request )
zeek::BifEvent::enqueue_smb2_tree_connect_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_tree_connect_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(header),
smb2_string2stringval(${val.path}));
@ -21,8 +21,8 @@ refine connection SMB_Conn += {
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::TreeConnectResponse);
resp->Assign(0, zeek::val_mgr->Count(${val.share_type}));
zeek::BifEvent::enqueue_smb2_tree_connect_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_tree_connect_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(header),
std::move(resp));
}

8
src/analyzer/protocol/smb/smb2-com-tree-disconnect.pac
View file

@ -7,8 +7,8 @@ refine connection SMB_Conn += {
if ( smb2_tree_disconnect_request )
{
zeek::BifEvent::enqueue_smb2_tree_disconnect_request(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_tree_disconnect_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(header));
}
@ -19,8 +19,8 @@ refine connection SMB_Conn += {
%{
if ( smb2_tree_disconnect_response )
{
zeek::BifEvent::enqueue_smb2_tree_disconnect_response(bro_analyzer(),
bro_analyzer()->Conn(),
zeek::BifEvent::enqueue_smb2_tree_disconnect_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(header));
}

Some files were not shown because too many files have changed in this diff Show more