diff --git a/scripts/base/frameworks/analyzer/__load__.bro b/scripts/base/frameworks/analyzer/__load__.bro
new file mode 100644
index 0000000000..a10fe855df
--- /dev/null
+++ b/scripts/base/frameworks/analyzer/__load__.bro
@@ -0,0 +1 @@
+@load ./main
diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro
new file mode 100644
index 0000000000..b93ebcba24
--- /dev/null
+++ b/scripts/base/frameworks/analyzer/main.bro
@@ -0,0 +1,119 @@ + +module Analyzer; + +# Analyzer::Tag is defined in types.bif, and automatically extended by plugins +# as they are loaded. + +export { + ## XXX. + global enable_analyzer: function(tag: Analyzer::Tag) : bool; + + ## XXX. + global disable_analyzer: function(tag: Analyzer::Tag) : bool; + + ## XXX. + global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool; + + ## XXX. + global register_for_port: function(tag: Analyzer::Tag, p: port) : bool; + + ## XXX. + global registered_ports: function(tag: Analyzer::Tag) : set[port]; + + ## Translate an analyzer type to an ASCII string. + ## + ## atype: The analyzer tag. + ## + ## Returns: The analyzer *aid* as string. + global name: function(atype: Analyzer::Tag) : string; + + ## Schedules an analyzer for a future connection from a given IP address and + ## port. The function ignores the scheduling request if the connection did + ## not occur within the specified time interval. + ## + ## orig: The IP address originating a connection in the future. + ## + ## resp: The IP address responding to a connection from *orig*. + ## + ## resp_p: The destination port at *resp*. + ## + ## analyzer: The analyzer ID. + ## + ## tout: The timeout interval after which to ignore the scheduling request. + ## + ## Returns: True if succesful. + global expect_connection: function(orig: addr, resp: addr, resp_p: port, + analyzer: Analyzer::Tag, tout: interval) : bool; + + ## Analyzers to disable at startup. 
+ global disabled_analyzers: set[Analyzer::Tag] = { + ANALYZER_INTERCONN, + ANALYZER_STEPPINGSTONE, + ANALYZER_BACKDOOR, + ANALYZER_TCPSTATS, + } + + &redef; +} + +@load base/analyzer.bif + +global ports: table[Analyzer::Tag] of set[port]; + +event bro_init() + { + for ( a in disabled_analyzers ) + disable_analyzer(a); + } + +function enable_analyzer(tag: Analyzer::Tag) : bool + { + return __enable_analyzer(tag); + } + +function disable_analyzer(tag: Analyzer::Tag) : bool + { + return __disable_analyzer(tag); + } + +function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool + { + local rc = T; + + for ( p in ports ) + { + if ( ! register_for_port(tag, p) ) + rc = F; + } + + return rc; + } + +function register_for_port(tag: Analyzer::Tag, p: port) : bool + { + if ( ! __register_for_port(tag, p) ) + return F; + + if ( tag !in ports ) + ports[tag] = set(); + + add ports[tag][p]; + return T; + } + +function registered_ports(tag: Analyzer::Tag) : set[port] + { + return tag in ports ? ports[tag] : set(); + } + +function name(atype: Analyzer::Tag) : string + { + return __name(atype); + } + +function expect_connection(orig: addr, resp: addr, resp_p: port, + analyzer: Analyzer::Tag, tout: interval) : bool + { + return __expect_connection(orig, resp, resp_p, analyzer, tout); + } + diff --git a/scripts/base/frameworks/dpd/main.bro b/scripts/base/frameworks/dpd/main.bro index a5349b6cfb..b4da2ff492 100644 --- a/scripts/base/frameworks/dpd/main.bro +++ b/scripts/base/frameworks/dpd/main.bro 
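Review bot: The five exported functions `enable_analyzer`, `disable_analyzer`, `register_for_ports`, `register_for_port` and `registered_ports` ship with `## XXX.` placeholder docs in the export block, while `name` and `expect_connection` are documented in full; the placeholders should be replaced before this becomes the public API. For `register_for_port`, for example: `## Registers a well-known port for an analyzer. tag: The analyzer tag. p: The port. Returns: True if the core accepted the registration.` The doc for `register_for_ports` should also state that it returns F if any single port fails but leaves the ports that succeeded registered, since the loop does not roll back. Separately, the `ports: set[port]` parameter of `register_for_ports` shadows the module-global `ports` table declared right above it; the function only iterates the parameter so it works, but renaming the parameter (or the global, e.g. `registered`) would avoid a confusing read.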
@@ -41,33 +41,27 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(DPD::LOG, [$columns=Info]); - - # Populate the internal DPD analysis variable. - for ( a in dpd_config ) - { - for ( p in dpd_config[a]$ports ) - { - if ( p !in dpd_analyzer_ports ) - dpd_analyzer_ports[p] = set(); - add dpd_analyzer_ports[p][a]; - } - } } -event protocol_confirmation(c: connection, atype: count, aid: count) &priority=10 +function foo() : string { - local analyzer = analyzer_name(atype); - + return "HTTP"; + } + +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10 + { + local analyzer = Analyzer::name(atype); + if ( fmt("-%s",analyzer) in c$service ) delete c$service[fmt("-%s", analyzer)]; add c$service[analyzer]; } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=10 { - local analyzer = analyzer_name(atype); + local analyzer = Analyzer::name(atype); # If the service hasn't been confirmed yet, don't generate a log message # for the protocol violation. if ( analyzer !in c$service ) @@ -86,7 +80,7 @@ event protocol_violation(c: connection, atype: count, aid: count, c$dpd = info; } -event protocol_violation(c: connection, atype: count, aid: count, reason: string) &priority=5 +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5 { if ( !c?$dpd || aid in c$dpd$disabled_aids ) return; @@ -100,7 +94,7 @@ event protocol_violation(c: connection, atype: count, aid: count, reason: string add c$dpd$disabled_aids[aid]; } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=-5 { if ( c?$dpd ) diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro index a8fc6c8236..faa725b3f6 100644 
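Review bot: `function foo() : string { return "HTTP"; }` in the first hunk looks like a leftover debugging stub: nothing in the hunk calls it, and it lands in the DPD module's namespace as dead code. It should be dropped before merge. The `protocol_confirmation` and `protocol_violation` retypings to `Analyzer::Tag` look consistent with the new framework.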
--- a/scripts/base/frameworks/tunnels/main.bro +++ b/scripts/base/frameworks/tunnels/main.bro @@ -83,19 +83,17 @@ export { } const ayiya_ports = { 5072/udp }; -redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] }; - const teredo_ports = { 3544/udp }; -redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] }; - const gtpv1_ports = { 2152/udp, 2123/udp }; -redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1_ports] }; - redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports }; event bro_init() &priority=5 { Log::create_stream(Tunnel::LOG, [$columns=Info]); + + Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports); } function register_all(ecv: EncapsulatingConnVector) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b6187df0d9..d8f38ed124 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
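Review bot: The three `Analyzer::register_for_ports(...)` calls added to `bro_init` discard the bool the function returns, so a registration the core rejects is silently lost at startup and the analyzer simply never activates on its ports; the same pattern recurs in every protocol script touched by this change (dns, ftp, http, irc, modbus, smtp, socks, ssh, ssl, syslog). Rather than wrapping each of the eleven call sites in `if ( ! Analyzer::register_for_ports(...) )`, it would be simpler for `register_for_port` in the analyzer framework to report a failed `__register_for_port` centrally, so the return value is informative but not load-bearing for callers.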
@@ -2846,34 +2846,11 @@ const remote_trace_sync_peers = 0 &redef; ## consistency check. const remote_check_sync_consistency = F &redef; -## Analyzer tags. The core automatically defines constants -## ``ANALYZER_*``, e.g., ``ANALYZER_HTTP``. -## -## .. bro:see:: dpd_config -## -## .. todo::We should autodoc these automaticallty generated constants. -type AnalyzerTag: count; - -## Set of ports activating a particular protocol analysis. -## -## .. bro:see:: dpd_config -type dpd_protocol_config: record { - ports: set[port] &optional; ##< Set of ports. -}; - -## Port configuration for Bro's "dynamic protocol detection". Protocol -## analyzers can be activated via either well-known ports or content analysis. -## This table defines the ports. -## -## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_match_only_beginning dpd_ignore_ports -const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef; - ## Reassemble the beginning of all TCP connections before doing ## signature-matching. Enabling this provides more accurate matching at the ## expensive of CPU cycles. ## -## .. bro:see:: dpd_config dpd_buffer_size +## .. bro:see:: dpd_buffer_size ## dpd_match_only_beginning dpd_ignore_ports ## ## .. note:: Despite the name, this option affects *all* signature matching, not 
@@ -2888,24 +2865,24 @@ const dpd_reassemble_first_packets = T &redef; ## activated afterwards. Then only analyzers that can deal with partial ## connections will be able to analyze the session. ## -## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning +## .. bro:see:: dpd_reassemble_first_packets dpd_match_only_beginning ## dpd_ignore_ports const dpd_buffer_size = 1024 &redef; ## If true, stops signature matching if dpd_buffer_size has been reached. ## ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_config dpd_ignore_ports +## dpd_ignore_ports ## ## .. note:: Despite the name, this option affects *all* signature matching, not ## only signatures used for dynamic protocol detection. const dpd_match_only_beginning = T &redef; ## If true, don't consider any ports for deciding which protocol analyzer to -## use. If so, the value of :bro:see:`dpd_config` is ignored. +## use. ## ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_match_only_beginning dpd_config +## dpd_match_only_beginning const dpd_ignore_ports = F &redef; ## Ports which the core considers being likely used by servers. For ports in @@ -2913,13 +2890,6 @@ const dpd_ignore_ports = F &redef; ## connection if it misses the initial handshake. const likely_server_ports: set[port] &redef; -## Deprated. Set of all ports for which we know an analyzer, built by -## :doc:`/scripts/base/frameworks/dpd/main`. -## -## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main` -## itself we still need it. -global dpd_analyzer_ports: table[port] of set[AnalyzerTag]; - ## Per-incident timer managers are drained after this amount of inactivity. const timer_mgr_inactivity_timeout = 1 min &redef; 
@@ -3028,9 +2998,9 @@ module GLOBAL; ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; -# Load the logging framework here because it uses fairly deep integration with +# Load these frameworks here because it uses fairly deep integration with # BiFs and script-land defined types. @load base/frameworks/logging - @load base/frameworks/input +@load base/frameworks/analyzer diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 8b36899f10..590140c486 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -20,6 +20,7 @@ # loaded in base/init-bare.bro #@load base/frameworks/logging @load base/frameworks/notice +@load base/frameworks/analyzer @load base/frameworks/dpd @load base/frameworks/signatures @load base/frameworks/packet-filter diff --git a/scripts/base/protocols/conn/inactivity.bro b/scripts/base/protocols/conn/inactivity.bro index 28df192de3..b383f1ad7c 100644 --- a/scripts/base/protocols/conn/inactivity.bro +++ b/scripts/base/protocols/conn/inactivity.bro @@ -6,9 +6,9 @@ module Conn; export { ## Define inactivity timeouts by the service detected being used over ## the connection. - const analyzer_inactivity_timeouts: table[AnalyzerTag] of interval = { + const analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = { # For interactive services, allow longer periods of inactivity. - [[ANALYZER_SSH, ANALYZER_FTP]] = 1 hrs, + [[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs, } &redef; ## Define inactivity timeouts based on common protocol ports. @@ -18,7 +18,7 @@ export { } -event protocol_confirmation(c: connection, atype: count, aid: count) +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) { if ( atype in analyzer_inactivity_timeouts ) set_inactivity_timeout(c$id, analyzer_inactivity_timeouts[atype]); diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index ee0e4166da..66cdbc6241 100644 
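Review bot: `@load base/frameworks/analyzer` is added both here in init-bare.bro and, in the next hunk, in init-default.bro, whereas the surrounding init-default lines follow the convention of commenting out frameworks that init-bare already loads (`# loaded in base/init-bare.bro` / `#@load base/frameworks/logging`). The init-default entry should follow that convention, e.g. `#@load base/frameworks/analyzer`, so the load order is documented in one place. The rewritten comment also has a number-agreement slip: `# Load these frameworks here because it uses fairly deep integration with` should read `because they use`.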
--- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -117,19 +117,17 @@ redef capture_filters += { ["netbios-ns"] = "udp port 137", }; -const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; -redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] }; - const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp }; const dns_tcp_ports = { 53/tcp }; -redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] }; -redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] }; -redef likely_server_ports += { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; +redef likely_server_ports += { dns_udp_ports, dns_tcp_ports }; event bro_init() &priority=5 { Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]); + + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports); } function new_session(c: connection, trans_id: count): Info diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 3d7b1fe61a..e2b77e0099 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -96,11 +96,10 @@ redef record connection += { }; # Configure DPD -const ports = { 21/tcp, 2811/tcp } &redef; # 2811/tcp is GridFTP. redef capture_filters += { ["ftp"] = "port 21 and port 2811" }; -redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] }; -redef likely_server_ports += { 21/tcp, 2811/tcp }; +const ports = { 21/tcp, 2811/tcp }; +redef likely_server_ports += { ports }; # Establish the variable for tracking expected connections. global ftp_data_expected: table[addr, port] of Info &create_expire=5mins; 
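Review bot: In the ftp hunk, `const ports = { 21/tcp, 2811/tcp };` drops the `&redef` the removed line carried, so a site that overrides `FTP::ports` to cover a non-standard FTP port now fails to load instead of registering the extra port. The same `&redef` is dropped for syslog, and for smtp `ports` additionally moves out of the export block, so `SMTP::ports` is no longer reachable from other scripts; ssl, by contrast, gains `&redef` in this commit. Keep them consistent with `const ports = { 21/tcp, 2811/tcp } &redef;` (and likewise for smtp and syslog), which also preserves the inline `# 2811/tcp is GridFTP.` note that the rewrite silently lost.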
@@ -108,6 +107,7 @@ global ftp_data_expected: table[addr, port] of Info &create_expire=5mins; event bro_init() &priority=5 { Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]); + Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports); } ## A set of commands where the argument can be expected to refer @@ -228,7 +228,7 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5 { c$ftp$passive=F; ftp_data_expected[data$h, data$p] = c$ftp; - expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins); + Analyzer::expect_connection(id$resp_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); } else { @@ -281,7 +281,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior data$h = id$resp_h; ftp_data_expected[data$h, data$p] = c$ftp; - expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins); + Analyzer::expect_connection(id$orig_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); } else { diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 660386f901..daf546fc82 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro 
@@ -119,29 +119,26 @@ redef record connection += { http_state: State &optional; }; -# Initialize the HTTP logging stream. -event bro_init() &priority=5 - { - Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]); - } - # DPD configuration. -const ports = { - 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp, - 8000/tcp, 8080/tcp, 8888/tcp, -}; -redef dpd_config += { - [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports], -}; redef capture_filters += { ["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)" }; -redef likely_server_ports += { - 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, +const ports = { + 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp, 8000/tcp, 8080/tcp, 8888/tcp, }; +redef likely_server_ports += { ports }; + + +# Initialize the HTTP logging stream and ports. +event bro_init() &priority=5 + { + Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]); + Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports); + } + function code_in_range(c: count, min: count, max: count) : bool { return c >= min && c <= max; diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index d07a0edf5a..621ad42826 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -104,7 +104,7 @@ event irc_dcc_message(c: connection, is_orig: bool, c$irc$dcc_file_name = argument; c$irc$dcc_file_size = size; local p = count_to_port(dest_port, tcp); - expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min); + Analyzer::expect_connection(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_FILE, 5 min); dcc_expected_transfers[address, p] = c$irc; } diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.bro index 1cf542b8ea..490c39f54f 100644 --- a/scripts/base/protocols/irc/main.bro +++ b/scripts/base/protocols/irc/main.bro 
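Review bot: Only `Analyzer::ANALYZER_HTTP` is registered for `ports` in the new `bro_init`, while the removed `dpd_config` entry covered both `ANALYZER_HTTP` and `ANALYZER_HTTP_BINPAC`, so the binpac HTTP analyzer loses its port-based activation unless that is intentional; if it is not, add `Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP_BINPAC, ports);`. Also, `likely_server_ports` is rewritten from `3138/tcp` to `3128/tcp` (matching `ports`), but the `capture_filters` string two lines above still says `3138`, so the filter now disagrees with both port lists; that typo predates this commit but the hunk is the natural place to fix it.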
@@ -45,14 +45,13 @@ redef capture_filters += { ["irc-6668"] = "port 6668" }; redef capture_filters += { ["irc-6669"] = "port 6669" }; # DPD configuration. -const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; -redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] }; - -redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; +const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log]); + Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports); } function new_session(c: connection): Info diff --git a/scripts/base/protocols/modbus/main.bro b/scripts/base/protocols/modbus/main.bro index aa11c5ce07..a418873306 100644 --- a/scripts/base/protocols/modbus/main.bro +++ b/scripts/base/protocols/modbus/main.bro @@ -31,12 +31,14 @@ redef record connection += { # Configure DPD and the packet filter. redef capture_filters += { ["modbus"] = "tcp port 502" }; -redef dpd_config += { [ANALYZER_MODBUS] = [$ports = set(502/tcp)] }; -redef likely_server_ports += { 502/tcp }; + +const ports = { 502/tcp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus]); + Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports); } event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &priority=5 diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index 03b3d36a24..c7b3a452d2 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -74,9 +74,6 @@ export { const mail_path_capture = ALL_HOSTS &redef; global log_smtp: event(rec: Info); - - ## Configure the default ports for SMTP analysis. - const ports = { 25/tcp, 587/tcp } &redef; } redef record connection += { 
@@ -86,13 +83,14 @@ redef record connection += { # Configure DPD redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" }; -redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] }; -redef likely_server_ports += { 25/tcp, 587/tcp }; +const ports = { 25/tcp, 587/tcp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports); } function find_address_in_smtp_header(header: string): string diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro index df5ee69f16..a188646515 100644 --- a/scripts/base/protocols/socks/main.bro +++ b/scripts/base/protocols/socks/main.bro @@ -34,9 +34,13 @@ export { global log_socks: event(rec: Info); } +const ports = { 1080/tcp }; +redef likely_server_ports += { ports }; + event bro_init() &priority=5 { Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports); } redef record connection += { @@ -45,7 +49,6 @@ redef record connection += { # Configure DPD redef capture_filters += { ["socks"] = "tcp port 1080" }; -redef dpd_config += { [ANALYZER_SOCKS] = [$ports = set(1080/tcp)] }; redef likely_server_ports += { 1080/tcp }; function set_session(c: connection, version: count) diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index cd20f4e913..6f363eeb0e 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -76,10 +76,11 @@ export { } # Configure DPD and the packet filter -redef capture_filters += { ["ssh"] = "tcp port 22" }; -redef dpd_config += { [ANALYZER_SSH] = [$ports = set(22/tcp)] }; -redef likely_server_ports += { 22/tcp }; +const ports = { 22/tcp }; + +redef capture_filters += { ["ssh"] = "tcp port 22" }; +redef likely_server_ports += { ports }; redef record connection += { ssh: Info &optional; 
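Review bot: In the socks hunks, the first hunk adds `redef likely_server_ports += { ports };` (with `ports = { 1080/tcp }`) but the second hunk keeps the old `redef likely_server_ports += { 1080/tcp };`, so the same port is added twice and there are now two places to maintain. The second line should be removed, mirroring what the other protocol scripts in this commit do.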
@@ -88,6 +89,7 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports); } function set_session(c: connection) diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index c6c4091a87..36d0c3f54d 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -94,11 +94,6 @@ redef record Info += { delay_tokens: set[string] &optional; }; -event bro_init() &priority=5 - { - Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]); - } - redef capture_filters += { ["ssl"] = "tcp port 443", ["nntps"] = "tcp port 563", @@ -117,16 +112,9 @@ redef capture_filters += { const ports = { 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp -}; +} &redef; -redef dpd_config += { - [[ANALYZER_SSL]] = [$ports = ports] -}; - -redef likely_server_ports += { - 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, - 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp -}; +redef likely_server_ports += { ports }; # A queue that buffers log records. global log_delay_queue: table[count] of Info; @@ -135,6 +123,12 @@ global log_delay_queue_head = 0; # The bottom queue index that points to the next record to be flushed. global log_delay_queue_tail = 0; +event bro_init() &priority=5 + { + Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ports); + } + function set_session(c: connection) { if ( ! c?$ssl ) 
@@ -288,14 +282,14 @@ event ssl_established(c: connection) &priority=-5 finish(c); } -event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5 +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5 { # Check by checking for existence of c$ssl record. - if ( c?$ssl && analyzer_name(atype) == "SSL" ) + if ( c?$ssl && atype == Analyzer::ANALYZER_SSL ) c$ssl$analyzer_id = aid; } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5 { if ( c?$ssl ) diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro index 61334e3f2b..8e6a807c24 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.bro @@ -27,10 +27,9 @@ export { } redef capture_filters += { ["syslog"] = "port 514" }; -const ports = { 514/udp } &redef; -redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] }; -redef likely_server_ports += { 514/udp }; +const ports = { 514/udp }; +redef likely_server_ports += { ports }; redef record connection += { syslog: Info &optional; @@ -39,6 +38,7 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(Syslog::LOG, [$columns=Info]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG_BINPAC, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 diff --git a/scripts/policy/frameworks/dpd/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.bro index 8f4e892ce4..c45486b776 100644 --- a/scripts/policy/frameworks/dpd/detect-protocols.bro +++ b/scripts/policy/frameworks/dpd/detect-protocols.bro 
@@ -21,22 +21,22 @@ export { type dir: enum { NONE, INCOMING, OUTGOING, BOTH }; - const valids: table[count, addr, port] of dir = { + const valids: table[Analyzer::Tag, addr, port] of dir = { # A couple of ports commonly used for benign HTTP servers. # For now we want to see everything. - # [ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING, # - # [ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella - # [ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella - # [ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella } &redef; # Set of analyzers for which we suppress Server_Found notices @@ -44,8 +44,8 @@ export { # log files, this also saves memory because for these we don't # need to remember which servers we already have reported, which # for some can be a lot. - const suppress_servers: set [count] = { - # ANALYZER_HTTP + const suppress_servers: set [Analyzer::Tag] = { + # Analyzer::ANALYZER_HTTP } &redef; # We consider a connection to use a protocol X if the analyzer for X 
@@ -60,7 +60,7 @@ export { # Entry point for other analyzers to report that they recognized # a certain (sub-)protocol. - global found_protocol: function(c: connection, analyzer: count, + global found_protocol: function(c: connection, analyzer: Analyzer::Tag, protocol: string); # Table keeping reported (server, port, analyzer) tuples (and their @@ -89,7 +89,7 @@ function get_protocol(c: connection, a: count) : protocol str = |str| > 0 ? fmt("%s/%s", str, p) : p; } - return [$a=analyzer_name(a), $sub=str]; + return [$a=Analyzer::name(a), $sub=str]; } function fmt_protocol(p: protocol) : string @@ -194,10 +194,10 @@ event connection_state_remove(c: connection) report_protocols(c); } -event protocol_confirmation(c: connection, atype: count, aid: count) +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) { # Don't report anything running on a well-known port. - if ( atype in dpd_config && c$id$resp_p in dpd_config[atype]$ports ) + if ( c$id$resp_p in Analyzer::registered_ports(atype) ) return; if ( c$id in conns ) @@ -214,11 +214,10 @@ event protocol_confirmation(c: connection, atype: count, aid: count) } } -function found_protocol(c: connection, analyzer: count, protocol: string) +function found_protocol(c: connection, analyzer: Analyzer::tag, protocol: string) { # Don't report anything running on a well-known port. - if ( analyzer in dpd_config && - c$id$resp_p in dpd_config[analyzer]$ports ) + if ( c$id$resp_p in Analyzer::registered_ports(atype) ) return; if ( c$id !in protocols ) diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.bro b/scripts/policy/frameworks/dpd/packet-segment-logging.bro index 3883cd1207..a605d84a74 100644 --- a/scripts/policy/frameworks/dpd/packet-segment-logging.bro +++ b/scripts/policy/frameworks/dpd/packet-segment-logging.bro 
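Review bot: The rewritten `found_protocol` in the last hunk will not parse: its parameter is declared as `Analyzer::tag` (lowercase) while every other signature in this commit uses `Analyzer::Tag`, and the new body calls `Analyzer::registered_ports(atype)` although the parameter is named `analyzer`, so `atype` is undefined there. The two lines should read `function found_protocol(c: connection, analyzer: Analyzer::Tag, protocol: string)` and `if ( c$id$resp_p in Analyzer::registered_ports(analyzer) )`. In the `@@ -89` hunk, the enclosing `get_protocol(c: connection, a: count)` (visible only in the hunk header, its signature is outside the hunk) still takes `a: count` but now passes it to `Analyzer::name`, which expects `Analyzer::Tag`; that signature presumably needs the same retyping.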
@@ -20,7 +20,7 @@ export { } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=4 { if ( ! c?$dpd ) return; diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro index f494a30f82..4e474f76a0 100644 --- a/scripts/policy/protocols/conn/known-services.bro +++ b/scripts/policy/protocols/conn/known-services.bro @@ -87,7 +87,7 @@ function known_services_done(c: connection) event log_it(network_time(), id$resp_h, id$resp_p, c$service); } -event protocol_confirmation(c: connection, atype: count, aid: count) &priority=-5 +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=-5 { known_services_done(c); } diff --git a/src/AYIYA.cc b/src/AYIYA.cc index 79fa44e743..2154ae4b30 100644 --- a/src/AYIYA.cc +++ b/src/AYIYA.cc @@ -1,7 +1,7 @@ #include "AYIYA.h" AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn) -: Analyzer(AnalyzerTag::AYIYA, conn) +: Analyzer("AYIYA", conn) { interp = new binpac::AYIYA::AYIYA_Conn(this); } diff --git a/src/AYIYA.h b/src/AYIYA.h index 79b41553c7..f6025b709f 100644 --- a/src/AYIYA.h +++ b/src/AYIYA.h @@ -3,7 +3,7 @@ #include "ayiya_pac.h" -class AYIYA_Analyzer : public Analyzer { +class AYIYA_Analyzer : public analyzer::Analyzer { public: AYIYA_Analyzer(Connection* conn); virtual ~AYIYA_Analyzer(); @@ -12,7 +12,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new AYIYA_Analyzer(conn); } static bool Available() diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h deleted file mode 100644 index 38e47cf8fc..0000000000 --- a/src/AnalyzerTags.h +++ /dev/null 
@@ -1,57 +0,0 @@ -#ifndef ANALYZERTAGS_H -#define ANALYZERTAGS_H - -// Each kind of analyzer gets a tag. When adding an analyzer here, also adapt -// the table of analyzers in Analyzer.cc. -// -// Using a namespace here is kind of a hack: ideally this would be in "class -// Analyzer {...}". But then we'd have circular dependencies across the header -// files. - -#include "util.h" - -typedef uint32 AnalyzerID; - -namespace AnalyzerTag { - enum Tag { - Error = 0, // used as error code - - // Analyzer in charge of protocol detection. - PIA_TCP, PIA_UDP, - - // Transport-layer analyzers. - ICMP, TCP, UDP, - - // Application-layer analyzers (hand-written). - BitTorrent, BitTorrentTracker, - DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC, - Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin, - RPC, Rsh, SMB, SMTP, SSH, - Telnet, - - // Application-layer analyzers, binpac-generated. - DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC, - HTTP_BINPAC, SSL, SYSLOG_BINPAC, - Modbus, - - // Decapsulation analyzers. - AYIYA, - SOCKS, - Teredo, - GTPv1, - - // Other - File, Backdoor, InterConn, SteppingStone, TCPStats, - ConnSize, - - // Support-analyzers - Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP, - Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh, - Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS, - FTP_ADAT, - // End-marker. - LastAnalyzer - }; -}; - -#endif diff --git a/src/BackDoor.cc b/src/BackDoor.cc index c218a98ce2..333dc9c806 100644 --- a/src/BackDoor.cc +++ b/src/BackDoor.cc @@ -681,7 +681,7 @@ int BackDoorEndpoint::CheckForString(const char* str, BackDoor_Analyzer::BackDoor_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::Backdoor, c) +: TCP_ApplicationAnalyzer("BACKDOOR", c) { orig_endp = resp_endp = 0; diff --git a/src/BackDoor.h b/src/BackDoor.h index 40ea3bbaa3..2286138239 100644 --- a/src/BackDoor.h +++ b/src/BackDoor.h 
@@ -71,7 +71,7 @@ public: virtual void Done(); void StatTimer(double t, int is_expire); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BackDoor_Analyzer(conn); } static bool Available() diff --git a/src/Base64.cc b/src/Base64.cc index d3abd9b563..cef11dab92 100644 --- a/src/Base64.cc +++ b/src/Base64.cc @@ -84,7 +84,7 @@ int* Base64Converter::InitBase64Table(const string& alphabet) -Base64Converter::Base64Converter(Analyzer* arg_analyzer, const string& arg_alphabet) +Base64Converter::Base64Converter(analyzer::Analyzer* arg_analyzer, const string& arg_alphabet) { if ( arg_alphabet.size() > 0 ) { diff --git a/src/Base64.h b/src/Base64.h index 8cfeffde74..d7e4384ac5 100644 --- a/src/Base64.h +++ b/src/Base64.h @@ -7,7 +7,8 @@ #include "util.h" #include "BroString.h" -#include "Analyzer.h" +#include "Reporter.h" +#include "analyzer/Analyzer.h" // Maybe we should have a base class for generic decoders? class Base64Converter { @@ -15,7 +16,7 @@ public: // is used for error reporting, and it should be zero when // the decoder is called by the built-in function decode_base64() or encode_base64(). // Empty alphabet indicates the default base64 alphabet. - Base64Converter(Analyzer* analyzer, const string& alphabet = ""); + Base64Converter(analyzer::Analyzer* analyzer, const string& alphabet = ""); ~Base64Converter(); // A note on Decode(): @@ -62,7 +63,7 @@ protected: int base64_after_padding; int* base64_table; int errored; // if true, we encountered an error - skip further processing - Analyzer* analyzer; + analyzer::Analyzer* analyzer; }; diff --git a/src/BitTorrent.cc b/src/BitTorrent.cc index fa8fb09e43..de033cbbe7 100644 --- a/src/BitTorrent.cc +++ b/src/BitTorrent.cc 
@@ -4,7 +4,7 @@ #include "TCP_Reassembler.h" BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrent, c) +: TCP_ApplicationAnalyzer("BITTORRENT", c) { interp = new binpac::BitTorrent::BitTorrent_Conn(this); stop_orig = stop_resp = false; diff --git a/src/BitTorrent.h b/src/BitTorrent.h index f083cf4fc7..eb2aeb422e 100644 --- a/src/BitTorrent.h +++ b/src/BitTorrent.h @@ -17,7 +17,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BitTorrent_Analyzer(conn); } static bool Available() diff --git a/src/BitTorrentTracker.cc b/src/BitTorrentTracker.cc index 12c5a199de..81b97f44d4 100644 --- a/src/BitTorrentTracker.cc +++ b/src/BitTorrentTracker.cc @@ -18,7 +18,7 @@ static RecordType* bittorrent_benc_value; static TableType* bittorrent_benc_dir; BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrentTracker, c) +: TCP_ApplicationAnalyzer("BITTORRENT", c) { if ( ! bt_tracker_headers ) { diff --git a/src/BitTorrentTracker.h b/src/BitTorrentTracker.h index 3b9efe0430..cc17d98af3 100644 --- a/src/BitTorrentTracker.h +++ b/src/BitTorrentTracker.h @@ -50,7 +50,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BitTorrentTracker_Analyzer(conn); } static bool Available() diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 83a018ccde..318a014a19 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -141,6 +141,7 @@ macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar) endmacro(GET_BIF_OUTPUT_FILES) set(BIF_SRCS + analyzer.bif bro.bif logging.bif input.bif 
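Review bot: BitTorrentTracker_Analyzer's constructor in the BitTorrentTracker.cc hunk now passes the same name as BitTorrent_Analyzer, `TCP_ApplicationAnalyzer("BITTORRENT", c)`, whereas the replaced code used two distinct tags (AnalyzerTag::BitTorrent vs. AnalyzerTag::BitTorrentTracker). With tags now resolved by name string, the two analyzers become indistinguishable to name-based lookups such as FindAnalyzer(name), IsAnalyzer() and the script-level enable/disable and port registration, so disabling or inspecting one would silently affect the other. This looks like a copy-paste slip; if the component registry declares a separate tracker name (presumably something like a `BITTORRENTTRACKER` component, to be confirmed against analyzer/BuiltinAnalyzers.cc), the tracker constructor should pass that name instead.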
@@ -283,7 +284,6 @@ set(bro_SRCS net_util.cc util.cc module_util.cc - Analyzer.cc Anon.cc ARP.cc Attr.cc @@ -318,7 +318,6 @@ set(bro_SRCS Desc.cc Dict.cc Discard.cc - DPM.cc EquivClass.cc Event.cc EventHandler.cc @@ -447,6 +446,16 @@ set(bro_SRCS input/readers/Raw.cc input/readers/Benchmark.cc + plugin/Component.cc + plugin/Manager.cc + plugin/Plugin.cc + + analyzer/Analyzer.cc + analyzer/BuiltinAnalyzers.cc + analyzer/Manager.cc + analyzer/PluginComponent.cc + analyzer/Tag.cc + nb_dns.c digest.h ) diff --git a/src/Conn.cc b/src/Conn.cc index bc2e7fb5cf..e7687c5464 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -14,6 +14,7 @@ #include "PIA.h" #include "binpac.h" #include "TunnelEncapsulation.h" +#include "analyzer/Analyzer.h" void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer, int arg_do_expire) @@ -402,16 +403,21 @@ RecordVal* Connection::BuildConnVal() return conn_val; } -Analyzer* Connection::FindAnalyzer(AnalyzerID id) +analyzer::Analyzer* Connection::FindAnalyzer(analyzer::ID id) { return root_analyzer ? root_analyzer->FindChild(id) : 0; } -Analyzer* Connection::FindAnalyzer(AnalyzerTag::Tag tag) +analyzer::Analyzer* Connection::FindAnalyzer(analyzer::Tag tag) { return root_analyzer ? root_analyzer->FindChild(tag) : 0; } +analyzer::Analyzer* Connection::FindAnalyzer(const string& name) + { + return root_analyzer->FindChild(name); + } + void Connection::AppendAddl(const char* str) { Unref(BuildConnVal()); @@ -540,7 +546,7 @@ Val* Connection::BuildVersionVal(const char* s, int len) } int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len, - Analyzer* analyzer) + analyzer::Analyzer* analyzer) { if ( ! software_version_found && ! software_parse_error ) return 1; 
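Review bot: The new `Connection::FindAnalyzer(const string& name)` overload in the Conn.cc hunk dereferences `root_analyzer` unconditionally, while the two sibling overloads directly above it guard with `root_analyzer ? root_analyzer->FindChild(...) : 0`. A connection whose analyzer tree has not been set yet (SetRootAnalyzer is only called once the initial tree is built) would crash the process on this lookup, which is a denial-of-service risk for a monitor that keeps running on attacker-influenced traffic. Make it consistent with its siblings: `return root_analyzer ? root_analyzer->FindChild(name) : 0;`. The header comment for this overload in Conn.h says only "find first in tree"; it would help to also state that a null return means either no match or no tree.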
@@ -578,7 +584,7 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len, } int Connection::UnparsedVersionFoundEvent(const IPAddr& addr, - const char* full, int len, Analyzer* analyzer) + const char* full, int len, analyzer::Analyzer* analyzer) { // Skip leading white space. while ( len && isspace(*full) ) @@ -602,7 +608,7 @@ int Connection::UnparsedVersionFoundEvent(const IPAddr& addr, return 1; } -void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, const char* name) +void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name) { if ( ! f ) return; @@ -615,7 +621,7 @@ void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, const char* name) ConnectionEvent(f, analyzer, vl); } -void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2) +void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2) { if ( ! f ) { @@ -634,7 +640,7 @@ void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2) ConnectionEvent(f, analyzer, vl); } -void Connection::ConnectionEvent(EventHandlerPtr f, Analyzer* a, val_list* vl) +void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl) { if ( ! f ) { @@ -929,7 +935,7 @@ error: return false; } -void Connection::SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia) +void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia) { root_analyzer = analyzer; primary_PIA = pia; diff --git a/src/Conn.h b/src/Conn.h index 782d41a801..1989ce0b43 100644 --- a/src/Conn.h +++ b/src/Conn.h 
@@ -11,19 +11,22 @@ #include "Serializer.h" #include "PersistenceSerializer.h" #include "RuleMatcher.h" -#include "AnalyzerTags.h" #include "IPAddr.h" #include "TunnelEncapsulation.h" +#include "analyzer/Tag.h" +#include "analyzer/Analyzer.h" + class Connection; class ConnectionTimer; class NetSessions; class LoginConn; class RuleHdrTest; class Specific_RE_Matcher; -class TransportLayerAnalyzer; class RuleEndpointState; +namespace analyzer { class TransportLayerAnalyzer; } + typedef enum { NUL_IN_LINE, SINGULAR_CR, @@ -47,7 +50,7 @@ static inline int addr_port_canon_lt(const IPAddr& addr1, uint32 p1, return addr1 < addr2 || (addr1 == addr2 && p1 < p2); } -class Analyzer; +namespace analyzer { class Analyzer; } class Connection : public BroObj { public: @@ -102,8 +105,9 @@ public: void FlipRoles(); - Analyzer* FindAnalyzer(AnalyzerID id); - Analyzer* FindAnalyzer(AnalyzerTag::Tag tag); // find first in tree. + analyzer::Analyzer* FindAnalyzer(analyzer::ID id); + analyzer::Analyzer* FindAnalyzer(analyzer::Tag tag); // find first in tree. + analyzer::Analyzer* FindAnalyzer(const string& name); // find first in tree. TransportProto ConnTransport() const { return proto; } 
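Review bot: The `namespace analyzer { class Analyzer; }` forward declaration added in the second Conn.h hunk is redundant once the first hunk includes `analyzer/Analyzer.h` in the same header, and keeping both obscures which one the file actually relies on; the same pattern applies to the `namespace analyzer { class TransportLayerAnalyzer; }` forward declaration if that class is defined in the included header (not visible here). The comment in the deleted AnalyzerTags.h warned that the analyzer and connection headers have circular dependencies, so if analyzer/Analyzer.h in turn includes Conn.h, the full include here reintroduces that cycle and only the forward declarations plus the include in Conn.cc would be needed. Suggest keeping just one of the two mechanisms, and adding a one-line comment next to the include explaining why the full header rather than a forward declaration is required, if it is.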
@@ -161,15 +165,15 @@ public: // Raises a software_version_found event based on the // given string (returns false if it's not parseable). int VersionFoundEvent(const IPAddr& addr, const char* s, int len, - Analyzer* analyzer = 0); + analyzer::Analyzer* analyzer = 0); // Raises a software_unparsed_version_found event. int UnparsedVersionFoundEvent(const IPAddr& addr, - const char* full_descr, int len, Analyzer* analyzer); + const char* full_descr, int len, analyzer::Analyzer* analyzer); - void Event(EventHandlerPtr f, Analyzer* analyzer, const char* name = 0); - void Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2 = 0); - void ConnectionEvent(EventHandlerPtr f, Analyzer* analyzer, + void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name = 0); + void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = 0); + void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer, val_list* vl); void Weird(const char* name, const char* addl = ""); @@ -241,8 +245,8 @@ public: void DeleteTimer(double t); // Sets the root of the analyzer tree as well as the primary PIA. - void SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia); - TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; } + void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia); + analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; } PIA* GetPrimaryPIA() { return primary_PIA; } // Sets the transport protocol in use. @@ -314,7 +318,7 @@ protected: string history; uint32 hist_seen; - TransportLayerAnalyzer* root_analyzer; + analyzer::TransportLayerAnalyzer* root_analyzer; PIA* primary_PIA; uint64 uid; // Globally unique connection ID. diff --git a/src/ConnSizeAnalyzer.cc b/src/ConnSizeAnalyzer.cc index a1b892f4db..82672dba7c 100644 --- a/src/ConnSizeAnalyzer.cc +++ b/src/ConnSizeAnalyzer.cc 
@@ -9,7 +9,7 @@ ConnSize_Analyzer::ConnSize_Analyzer(Connection* c) -: Analyzer(AnalyzerTag::ConnSize, c) +: Analyzer("CONNSIZE", c) { } diff --git a/src/ConnSizeAnalyzer.h b/src/ConnSizeAnalyzer.h index 1fdd57bb15..23f7975617 100644 --- a/src/ConnSizeAnalyzer.h +++ b/src/ConnSizeAnalyzer.h @@ -4,11 +4,11 @@ #ifndef CONNSTATS_H #define CONNSTATS_H -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "NetVar.h" -class ConnSize_Analyzer : public Analyzer { +class ConnSize_Analyzer : public analyzer::Analyzer { public: ConnSize_Analyzer(Connection* c); virtual ~ConnSize_Analyzer(); @@ -20,7 +20,7 @@ public: virtual void UpdateConnVal(RecordVal *conn_val); virtual void FlipRoles(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ConnSize_Analyzer(conn); } static bool Available() { return BifConst::use_conn_size_analyzer ; } diff --git a/src/ContentLine.cc b/src/ContentLine.cc index 5601694e1d..2a79272cbd 100644 --- a/src/ContentLine.cc +++ b/src/ContentLine.cc @@ -4,14 +4,13 @@ #include "TCP.h" ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig) -: TCP_SupportAnalyzer(AnalyzerTag::ContentLine, conn, orig) +: TCP_SupportAnalyzer("CONTENTLINE", conn, orig) { InitState(); } -ContentLine_Analyzer::ContentLine_Analyzer(AnalyzerTag::Tag tag, - Connection* conn, bool orig) -: TCP_SupportAnalyzer(tag, conn, orig) +ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig) +: TCP_SupportAnalyzer(name, conn, orig) { InitState(); } diff --git a/src/ContentLine.h b/src/ContentLine.h index 5e9f01945f..849f457075 100644 --- a/src/ContentLine.h +++ b/src/ContentLine.h 
@@ -55,7 +55,7 @@ public: { return seq + length <= seq_to_skip; } protected: - ContentLine_Analyzer(AnalyzerTag::Tag tag, Connection* conn, bool orig); + ContentLine_Analyzer(const char* name, Connection* conn, bool orig); virtual void DeliverStream(int len, const u_char* data, bool is_orig); virtual void Undelivered(int seq, int len, bool orig); diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc index 21cb3be9a0..0cb9ab3c3f 100644 --- a/src/DCE_RPC.cc +++ b/src/DCE_RPC.cc @@ -10,7 +10,8 @@ using namespace std; #include "DCE_RPC.h" #include "Sessions.h" -#include "DPM.h" + +#include "analyzer/Manager.h" #define xbyte(b, n) (((const u_char*) (b))[n]) @@ -160,11 +161,11 @@ static void add_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr, // of the dce_rpc_endpoints table. // FIXME: Don't hard-code the timeout. - dpm->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto, - AnalyzerTag::DCE_RPC, 5 * 60, 0); + analyzer_mgr->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto, + "DCE_RPC", 5 * 60, 0); } -DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b) +DCE_RPC_Header::DCE_RPC_Header(analyzer::Analyzer* a, const u_char* b) { analyzer = a; bytes = b; @@ -183,7 +184,7 @@ DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b) frag_len = extract_uint16(LittleEndian(), bytes + 8); } -DCE_RPC_Session::DCE_RPC_Session(Analyzer* a) +DCE_RPC_Session::DCE_RPC_Session(analyzer::Analyzer* a) : analyzer(a), if_uuid("00000000-0000-0000-0000-000000000000"), if_id(BifEnum::DCE_RPC_unknown_if) @@ -442,7 +443,7 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse( Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* arg_session, bool speculative) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_DCE_RPC, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig) { session = arg_session; msg_buf = 0; 
@@ -566,7 +567,7 @@ bool Contents_DCE_RPC_Analyzer::ParseHeader() } DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative) -: TCP_ApplicationAnalyzer(AnalyzerTag::DCE_RPC, conn) +: TCP_ApplicationAnalyzer("DCE_RPC", conn) { session = new DCE_RPC_Session(this); speculative = arg_speculative; diff --git a/src/DCE_RPC.h b/src/DCE_RPC.h index acdbf1637d..cfffc73c4e 100644 --- a/src/DCE_RPC.h +++ b/src/DCE_RPC.h @@ -88,7 +88,7 @@ enum DCE_RPC_PTYPE { class DCE_RPC_Header { public: - DCE_RPC_Header(Analyzer* a, const u_char* bytes); + DCE_RPC_Header(analyzer::Analyzer* a, const u_char* bytes); BifEnum::dce_rpc_ptype PTYPE() const { return ptype; } int FragLen() const { return frag_len; } @@ -99,7 +99,7 @@ public: void SetBytes(const u_char* b) { bytes = b; } protected: - Analyzer* analyzer; + analyzer::Analyzer* analyzer; const u_char* bytes; BifEnum::dce_rpc_ptype ptype; int frag_len; @@ -112,7 +112,7 @@ protected: class DCE_RPC_Session { public: - DCE_RPC_Session(Analyzer* a); + DCE_RPC_Session(analyzer::Analyzer* a); virtual ~DCE_RPC_Session() {} virtual void DeliverPDU(int is_orig, int len, const u_char* data); @@ -135,7 +135,7 @@ protected: const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu, const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp); - Analyzer* analyzer; + analyzer::Analyzer* analyzer; UUID if_uuid; BifEnum::dce_rpc_if_id if_id; int opnum; @@ -174,7 +174,7 @@ public: DCE_RPC_Analyzer(Connection* conn, bool speculative = false); ~DCE_RPC_Analyzer(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DCE_RPC_Analyzer(conn); } static bool Available() diff --git a/src/DHCP-binpac.cc b/src/DHCP-binpac.cc index 2aec6e6e9f..d2847966ae 100644 --- a/src/DHCP-binpac.cc +++ b/src/DHCP-binpac.cc 
@@ -1,7 +1,7 @@ #include "DHCP-binpac.h" DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn) -: Analyzer(AnalyzerTag::DHCP_BINPAC, conn) +: Analyzer("DHCP", conn) { interp = new binpac::DHCP::DHCP_Conn(this); } diff --git a/src/DHCP-binpac.h b/src/DHCP-binpac.h index 06ddff3bb6..a3890b399d 100644 --- a/src/DHCP-binpac.h +++ b/src/DHCP-binpac.h @@ -6,7 +6,7 @@ #include "dhcp_pac.h" -class DHCP_Analyzer_binpac : public Analyzer { +class DHCP_Analyzer_binpac : public analyzer::Analyzer { public: DHCP_Analyzer_binpac(Connection* conn); virtual ~DHCP_Analyzer_binpac(); @@ -15,7 +15,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DHCP_Analyzer_binpac(conn); } static bool Available() diff --git a/src/DNS-binpac.cc b/src/DNS-binpac.cc index 999f6015c0..4ab84d1cfe 100644 --- a/src/DNS-binpac.cc +++ b/src/DNS-binpac.cc @@ -2,7 +2,7 @@ #include "TCP_Reassembler.h" DNS_UDP_Analyzer_binpac::DNS_UDP_Analyzer_binpac(Connection* conn) -: Analyzer(AnalyzerTag::DNS_UDP_BINPAC, conn) +: Analyzer("DNS_UDP_BINPAC", conn) { interp = new binpac::DNS::DNS_Conn(this); did_session_done = 0; @@ -45,7 +45,7 @@ void DNS_UDP_Analyzer_binpac::ExpireTimer(double t) } DNS_TCP_Analyzer_binpac::DNS_TCP_Analyzer_binpac(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::DNS_TCP_BINPAC, conn) +: TCP_ApplicationAnalyzer("DNS_TCP_BINPAC", conn) { interp = new binpac::DNS_on_TCP::DNS_TCP_Conn(this); } diff --git a/src/DNS-binpac.h b/src/DNS-binpac.h index 0bbacf9192..2f241b89ae 100644 --- a/src/DNS-binpac.h +++ b/src/DNS-binpac.h 
@@ -11,7 +11,7 @@ // change that easily? (Ideally, the TCP preprocessing would become a // support-analyzer as it is done for the traditional DNS analyzer.) -class DNS_UDP_Analyzer_binpac : public Analyzer { +class DNS_UDP_Analyzer_binpac : public analyzer::Analyzer { public: DNS_UDP_Analyzer_binpac(Connection* conn); virtual ~DNS_UDP_Analyzer_binpac(); @@ -20,7 +20,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DNS_UDP_Analyzer_binpac(conn); } static bool Available() @@ -47,7 +47,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DNS_TCP_Analyzer_binpac(conn); } static bool Available() diff --git a/src/DNS.cc b/src/DNS.cc index a3b0b62ef3..7cab27c4b9 100644 --- a/src/DNS.cc +++ b/src/DNS.cc @@ -12,7 +12,7 @@ #include "Sessions.h" #include "Event.h" -DNS_Interpreter::DNS_Interpreter(Analyzer* arg_analyzer) +DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; } @@ -993,7 +993,7 @@ Val* DNS_MsgInfo::BuildTSIG_Val() Contents_DNS::Contents_DNS(Connection* conn, bool orig, DNS_Interpreter* arg_interp) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_DNS, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) { interp = arg_interp; @@ -1080,7 +1080,7 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig) } DNS_Analyzer::DNS_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::DNS, conn) +: TCP_ApplicationAnalyzer("DNS", conn) { interp = new DNS_Interpreter(this); contents_dns_orig = contents_dns_resp = 0; diff --git a/src/DNS.h b/src/DNS.h index 83ca80911e..28e68cccad 100644 --- a/src/DNS.h 
+++ b/src/DNS.h @@ -149,7 +149,7 @@ public: class DNS_Interpreter { public: - DNS_Interpreter(Analyzer* analyzer); + DNS_Interpreter(analyzer::Analyzer* analyzer); int ParseMessage(const u_char* data, int len, int is_query); @@ -217,7 +217,7 @@ protected: const u_char*& data, int& len, BroString* question_name); - Analyzer* analyzer; + analyzer::Analyzer* analyzer; }; @@ -266,7 +266,7 @@ public: void ExpireTimer(double t); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DNS_Analyzer(conn); } static bool Available() diff --git a/src/DPM.cc b/src/DPM.cc deleted file mode 100644 index d7e5cd25ef..0000000000 --- a/src/DPM.cc +++ /dev/null 
@@ -1,407 +0,0 @@ -#include "DPM.h" -#include "PIA.h" -#include "Hash.h" -#include "ICMP.h" -#include "UDP.h" -#include "TCP.h" -#include "Val.h" -#include "BackDoor.h" -#include "InterConn.h" -#include "SteppingStone.h" -#include "ConnSizeAnalyzer.h" - - -ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, - uint16 _resp_p, uint16 _proto) - { - if ( _orig == IPAddr(string("0.0.0.0")) ) - // don't use the IPv4 mapping, use the literal unspecified address - // to indicate a wildcard - orig = IPAddr(string("::")); - else - orig = _orig; - resp = _resp; - resp_p = _resp_p; - proto = _proto; - } - -ExpectedConn::ExpectedConn(const ExpectedConn& c) - { - orig = c.orig; - resp = c.resp; - resp_p = c.resp_p; - proto = c.proto; - } - -DPM::DPM() -: expected_conns_queue(AssignedAnalyzer::compare) - { - } - -DPM::~DPM() - { - delete [] active_analyzers; - } - -void DPM::PreScriptInit() - { - for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ ) - { - // Create IDs ANALYZER_*. - ID* id = install_ID(fmt("ANALYZER_%s", - Analyzer::analyzer_configs[i].name), - GLOBAL_MODULE_NAME, true, false); - assert(id); - id->SetVal(new Val(i, TYPE_COUNT)); - id->SetType(id->ID_Val()->Type()->Ref()); - } - } - -void DPM::PostScriptInit() - { - active_analyzers = new bool[int(AnalyzerTag::LastAnalyzer)]; - - for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ ) - { - if ( ! 
Analyzer::analyzer_configs[i].available ) - continue; - - active_analyzers[i] = Analyzer::analyzer_configs[i].available(); - if ( active_analyzers[i] ) - AddConfig(Analyzer::analyzer_configs[i]); - } - } - -void DPM::AddConfig(const Analyzer::Config& cfg) - { -#ifdef USE_PERFTOOLS_DEBUG - HeapLeakChecker::Disabler disabler; -#endif - - Val* index = new Val(cfg.tag, TYPE_COUNT); - Val* v = dpd_config->Lookup(index); - -#ifdef DEBUG - ODesc desc; -#endif - if ( v ) - { - RecordVal* cfg_record = v->AsRecordVal(); - Val* ports = cfg_record->Lookup(0); - - if ( ports ) - { - ListVal* plist = ports->AsTableVal()->ConvertToPureList(); - - for ( int i = 0; i< plist->Length(); ++i ) - { - PortVal* port = plist->Index(i)->AsPortVal(); - - analyzer_map* ports = - port->IsTCP() ? &tcp_ports : &udp_ports; - - analyzer_map::iterator j = - ports->find(port->Port()); - - if ( j == ports->end() ) - { - tag_list* analyzers = new tag_list; - analyzers->push_back(cfg.tag); - ports->insert(analyzer_map::value_type(port->Port(), analyzers)); - } - else - j->second->push_back(cfg.tag); - -#ifdef DEBUG - port->Describe(&desc); - desc.SP(); -#endif - } - } - } - - DBG_LOG(DBG_DPD, "%s analyzer active on port(s) %s", cfg.name, desc.Description()); - - Unref(index); - } - -AnalyzerTag::Tag DPM::GetExpected(int proto, const Connection* conn) - { - if ( ! expected_conns.Length() ) - return AnalyzerTag::Error; - - ExpectedConn c(conn->OrigAddr(), conn->RespAddr(), - ntohs(conn->RespPort()), proto); - - HashKey* key = BuildExpectedConnHashKey(c); - AssignedAnalyzer* a = expected_conns.Lookup(key); - delete key; - - if ( ! a ) - { - // Wildcard for originator. - c.orig = IPAddr(string("::")); - - HashKey* key = BuildExpectedConnHashKey(c); - a = expected_conns.Lookup(key); - delete key; - } - - if ( ! a ) - return AnalyzerTag::Error; - - // We don't delete it here. It will be expired eventually. 
- return a->analyzer; - } - -bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, - const u_char* data) - { - TCP_Analyzer* tcp = 0; - UDP_Analyzer* udp = 0; - ICMP_Analyzer* icmp = 0; - TransportLayerAnalyzer* root = 0; - AnalyzerTag::Tag expected = AnalyzerTag::Error; - analyzer_map* ports = 0; - PIA* pia = 0; - bool analyzed = false; - - switch ( proto ) { - - case TRANSPORT_TCP: - root = tcp = new TCP_Analyzer(conn); - pia = new PIA_TCP(conn); - expected = GetExpected(proto, conn); - ports = &tcp_ports; - DBG_DPD(conn, "activated TCP analyzer"); - break; - - case TRANSPORT_UDP: - root = udp = new UDP_Analyzer(conn); - pia = new PIA_UDP(conn); - expected = GetExpected(proto, conn); - ports = &udp_ports; - DBG_DPD(conn, "activated UDP analyzer"); - break; - - case TRANSPORT_ICMP: { - root = icmp = new ICMP_Analyzer(conn); - DBG_DPD(conn, "activated ICMP analyzer"); - analyzed = true; - break; - } - - default: - reporter->InternalError("unknown protocol"); - } - - if ( ! root ) - { - DBG_DPD(conn, "cannot build analyzer tree"); - return false; - } - - // Any scheduled analyzer? - if ( expected != AnalyzerTag::Error ) - { - Analyzer* analyzer = - Analyzer::InstantiateAnalyzer(expected, conn); - root->AddChildAnalyzer(analyzer, false); - DBG_DPD_ARGS(conn, "activated %s analyzer as scheduled", - Analyzer::GetTagName(expected)); - - // Hmm... Do we want *just* the expected analyzer, or all - // other potential analyzers as well? For now we only take - // the scheduled one. - } - - else - { // Let's see if it's a port we know. - if ( ports && ! 
dpd_ignore_ports ) - { - analyzer_map::const_iterator i = - ports->find(ntohs(conn->RespPort())); - - if ( i != ports->end() ) - { - tag_list* analyzers = i->second; - for ( tag_list::const_iterator j = analyzers->begin(); - j != analyzers->end(); j++ ) - { - Analyzer* analyzer = - Analyzer::InstantiateAnalyzer(*j, conn); - - root->AddChildAnalyzer(analyzer, false); - DBG_DPD_ARGS(conn, "activated %s analyzer due to port %d", Analyzer::GetTagName(*j), conn->RespPort()); - } - } - } - } - - if ( tcp ) - { - // We have to decide whether to reassamble the stream. - // We turn it on right away if we already have an app-layer - // analyzer, reassemble_first_packets is true, or the user - // asks us to do so. In all other cases, reassembly may - // be turned on later by the TCP PIA. - - bool reass = root->GetChildren().size() || - dpd_reassemble_first_packets || - tcp_content_deliver_all_orig || - tcp_content_deliver_all_resp; - - if ( tcp_contents && ! reass ) - { - PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP); - Val* result; - - if ( ! reass ) - reass = tcp_content_delivery_ports_orig->Lookup(&dport); - - if ( ! reass ) - reass = tcp_content_delivery_ports_resp->Lookup(&dport); - } - - if ( reass ) - tcp->EnableReassembly(); - - // Add a BackDoor analyzer if requested. This analyzer - // can handle both reassembled and non-reassembled input. - if ( BackDoor_Analyzer::Available() ) - { - BackDoor_Analyzer* bd = new BackDoor_Analyzer(conn); - tcp->AddChildAnalyzer(bd, false); - } - - // Add a InterConn analyzer if requested. This analyzer - // can handle both reassembled and non-reassembled input. - if ( InterConn_Analyzer::Available() ) - { - InterConn_Analyzer* bd = new InterConn_Analyzer(conn); - tcp->AddChildAnalyzer(bd, false); - } - - // Add a SteppingStone analyzer if requested. The port - // should really not be hardcoded here, but as it can - // handle non-reassembled data, it doesn't really fit into - // our general framing ... 
Better would be to turn it - // on *after* we discover we have interactive traffic. - uint16 resp_port = ntohs(conn->RespPort()); - if ( SteppingStone_Analyzer::Available() && - (resp_port == 22 || resp_port == 23 || resp_port == 513) ) - { - AddrVal src(conn->OrigAddr()); - if ( ! stp_skip_src->Lookup(&src) ) - { - SteppingStone_Analyzer* bd = - new SteppingStone_Analyzer(conn); - tcp->AddChildAnalyzer(bd, false); - } - } - - // Add TCPStats analyzer. This needs to see packets so - // we cannot add it as a normal child. - if ( TCPStats_Analyzer::Available() ) - tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn)); - - // Add ConnSize analyzer. Needs to see packets, not stream. - if ( ConnSize_Analyzer::Available() ) - tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn)); - } - - else - { - if ( ConnSize_Analyzer::Available() ) - root->AddChildAnalyzer(new ConnSize_Analyzer(conn), false); - } - - if ( pia ) - root->AddChildAnalyzer(pia->AsAnalyzer(), false); - - if ( root->GetChildren().size() ) - analyzed = true; - - conn->SetRootAnalyzer(root, pia); - root->Init(); - root->InitChildren(); - - if ( ! analyzed ) - conn->SetLifetime(non_analyzed_lifetime); - - if ( expected != AnalyzerTag::Error ) - conn->Event(expected_connection_seen, 0, - new Val(expected, TYPE_COUNT)); - - return true; - } - -void DPM::ExpectConnection(const IPAddr& orig, const IPAddr& resp, - uint16 resp_p, - TransportProto proto, AnalyzerTag::Tag analyzer, - double timeout, void* cookie) - { - // Use the chance to see if the oldest entry is already expired. - if ( expected_conns_queue.size() ) - { - AssignedAnalyzer* a = expected_conns_queue.top(); - if ( a->timeout < network_time ) - { - if ( ! 
a->deleted ) - { - HashKey* key = BuildExpectedConnHashKey(a->conn); - expected_conns.Remove(key); - delete key; - } - - expected_conns_queue.pop(); - - DBG_LOG(DBG_DPD, "Expired expected %s analyzer for %s", - Analyzer::GetTagName(analyzer), - fmt_conn_id(a->conn.orig, 0, - a->conn.resp, - a->conn.resp_p)); - - delete a; - } - } - - ExpectedConn c(orig, resp, resp_p, proto); - - HashKey* key = BuildExpectedConnHashKey(c); - - AssignedAnalyzer* a = expected_conns.Lookup(key); - - if ( a ) - a->deleted = true; - - a = new AssignedAnalyzer(c); - - a->analyzer = analyzer; - a->cookie = cookie; - a->timeout = network_time + timeout; - a->deleted = false; - - expected_conns.Insert(key, a); - expected_conns_queue.push(a); - delete key; - } - -void DPM::Done() - { - // Clean up expected-connection table. - while ( expected_conns_queue.size() ) - { - AssignedAnalyzer* a = expected_conns_queue.top(); - if ( ! a->deleted ) - { - HashKey* key = BuildExpectedConnHashKey(a->conn); - expected_conns.Remove(key); - delete key; - } - - expected_conns_queue.pop(); - delete a; - } - } - diff --git a/src/DPM.h b/src/DPM.h deleted file mode 100644 index f59d21dbfc..0000000000 --- a/src/DPM.h +++ /dev/null 
@@ -1,131 +0,0 @@ -// The central management unit for dynamic analyzer selection. - -#ifndef DPM_H -#define DPM_H - -#include - -#include "Analyzer.h" -#include "Dict.h" -#include "net_util.h" - -// DPM debug logging, which includes the connection id into the message. -#ifdef DEBUG -# define DBG_DPD(conn, txt) \ - DBG_LOG(DBG_DPD, "%s " txt, \ - fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ - conn->RespAddr(), ntohs(conn->RespPort()))); -# define DBG_DPD_ARGS(conn, fmt, args...) \ - DBG_LOG(DBG_DPD, "%s " fmt, \ - fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ - conn->RespAddr(), ntohs(conn->RespPort())), ##args); -#else -# define DBG_DPD(conn, txt) -# define DBG_DPD_ARGS(conn, fmt, args...) -#endif - -// Map to assign expected connections to analyzers. -class ExpectedConn { -public: - ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, - uint16 _resp_p, uint16 _proto); - - ExpectedConn(const ExpectedConn& c); - - IPAddr orig; - IPAddr resp; - uint16 resp_p; - uint16 proto; -}; - -// Associates an analyzer for an expected future connection. -class AssignedAnalyzer { -public: - AssignedAnalyzer(const ExpectedConn& c) - : conn(c) - { - } - - ExpectedConn conn; - AnalyzerTag::Tag analyzer; - double timeout; - void* cookie; - bool deleted; - - static bool compare(const AssignedAnalyzer* a1, const AssignedAnalyzer* a2) - { return a1->timeout > a2->timeout; } -}; - -declare(PDict, AssignedAnalyzer); - -class DPM { -public: - DPM(); - ~DPM(); - - // Setup analyzer config. - void PreScriptInit(); // To be called before scripts are parsed ... - void PostScriptInit(); // ... and after. - - // Given info about the first packet, build initial analyzer tree. - // - // It would be more flexible if we simply pass in the IP header - // and then extract the information we need. However, when this - // method is called from the session management, protocol and ports - // have already been extracted there and it would be a waste to do - // it again. 
- // - // Returns 0 if we can't build a tree (e.g., because the necessary - // analyzers have not been converted to the DPM framework yet...) - - bool BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, - const u_char* data); - - // Schedules a particular analyzer for an upcoming connection. - // 0 acts as a wildcard for orig. (Cookie is currently unused. - // Eventually, we may pass it on to the analyzer). - void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, - TransportProto proto, AnalyzerTag::Tag analyzer, - double timeout, void* cookie); - - // Activates signature matching for protocol detection. (Called when an - // DPM signatures is found.) - void ActivateSigs() { sigs_activated = true; } - bool SigsActivated() const { return sigs_activated; } - - void Done(); - -private: - // Convert script-level config into internal data structures. - void AddConfig(const Analyzer::Config& tag); - - // Return analyzer if any has been scheduled with ExpectConnection() - // AnalyzerTag::::Error if none. - AnalyzerTag::Tag GetExpected(int proto, const Connection* conn); - - // Mappings of destination port to analyzer. - typedef list tag_list; - typedef map analyzer_map; - analyzer_map tcp_ports; - analyzer_map udp_ports; - - // Array of bools indicating whether an analyzer is activated, - // indexed by AnalyzerTag::Tag. - bool* active_analyzers; - - // True if signature-matching has been activated. - bool sigs_activated; - - PDict(AssignedAnalyzer) expected_conns; - - typedef priority_queue< - AssignedAnalyzer*, - vector, - bool (*)(const AssignedAnalyzer*, - const AssignedAnalyzer*)> conn_queue; - conn_queue expected_conns_queue; -}; - -extern DPM* dpm; - -#endif diff --git a/src/Event.cc b/src/Event.cc index 97f29000d6..678c61552c 100644 --- a/src/Event.cc +++ b/src/Event.cc 
@@ -13,7 +13,7 @@ int num_events_queued = 0; int num_events_dispatched = 0; Event::Event(EventHandlerPtr arg_handler, val_list* arg_args, - SourceID arg_src, AnalyzerID arg_aid, TimerMgr* arg_mgr, + SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr, BroObj* arg_obj) { handler = arg_handler; diff --git a/src/Event.h b/src/Event.h index e0ce7bf555..9d0a707cda 100644 --- a/src/Event.h +++ b/src/Event.h @@ -5,14 +5,16 @@ #include "EventRegistry.h" #include "Serializer.h" -#include "AnalyzerTags.h" + +#include "analyzer/Tag.h" +#include "analyzer/Analyzer.h" class EventMgr; class Event : public BroObj { public: Event(EventHandlerPtr handler, val_list* args, - SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0, + SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0); ~Event(); @@ -20,7 +22,7 @@ public: Event* NextEvent() const { return next_event; } SourceID Source() const { return src; } - AnalyzerID Analyzer() const { return aid; } + analyzer::ID Analyzer() const { return aid; } TimerMgr* Mgr() const { return mgr; } void Describe(ODesc* d) const; @@ -62,7 +64,7 @@ protected: EventHandlerPtr handler; val_list* args; SourceID src; - AnalyzerID aid; + analyzer::ID aid; TimerMgr* mgr; BroObj* obj; Event* next_event; @@ -77,7 +79,7 @@ public: ~EventMgr(); void QueueEvent(EventHandlerPtr h, val_list* vl, - SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0, + SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0) { if ( h ) @@ -105,7 +107,7 @@ public: // Returns the ID of the analyzer which raised the last event, or 0 if // non-analyzer event. - AnalyzerID CurrentAnalyzer() const { return current_aid; } + analyzer::ID CurrentAnalyzer() const { return current_aid; } // Returns the timer mgr associated with the last raised event. TimerMgr* CurrentTimerMgr() const { return current_mgr; } 
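Review bot: The Event.h hunk adds both `#include "analyzer/Tag.h"` and `#include "analyzer/Analyzer.h"`, but the only analyzer-namespace name used in the header is `analyzer::ID`. If `analyzer::ID` is declared in analyzer/Tag.h (presumably, alongside the tag type; please confirm), the second include pulls the whole analyzer interface into a core header that nearly every translation unit sees and should be dropped, or moved to Event.cc where it is needed. A short comment such as `// analyzer::ID only; full Analyzer interface not needed here` would document the intent for the next maintainer.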
@@ -124,7 +126,7 @@ protected: Event* head; Event* tail; SourceID current_src; - AnalyzerID current_aid; + analyzer::ID current_aid; TimerMgr* current_mgr; RecordVal* src_val; bool draining; diff --git a/src/EventLauncher.cc b/src/EventLauncher.cc index 246c9dc8aa..cc32efe59e 100644 --- a/src/EventLauncher.cc +++ b/src/EventLauncher.cc @@ -1,6 +1,8 @@ #include "Val.h" -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "EventLauncher.h" #include "Event.h" +#include "NetVar.h" +#include "Conn.h" #include "event.bif.func_def" diff --git a/src/FTP.cc b/src/FTP.cc index 5e7a66e304..5430b9e754 100644 --- a/src/FTP.cc +++ b/src/FTP.cc @@ -12,7 +12,7 @@ #include "Base64.h" FTP_Analyzer::FTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::FTP, conn) +: TCP_ApplicationAnalyzer("FTP", conn) { pending_reply = 0; @@ -176,7 +176,7 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { // Don't know how to parse anything but the ADAT exchanges of GSI GSSAPI, // which is basically just TLS/SSL. - if ( ! Parent()->GetTag() == AnalyzerTag::SSL ) + if ( ! Parent()->IsAnalyzer("SSL") ) { Parent()->Remove(); return; diff --git a/src/FTP.h b/src/FTP.h index f8d7644808..849b18f50b 100644 --- a/src/FTP.h +++ b/src/FTP.h @@ -13,7 +13,7 @@ public: virtual void Done(); virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new FTP_Analyzer(conn); } @@ -22,8 +22,6 @@ public: protected: - FTP_Analyzer() {} - NVT_Analyzer* nvt_orig; NVT_Analyzer* nvt_resp; uint32 pending_reply; // code associated with multi-line reply, or 0 
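Review bot: The new condition `if ( ! Parent()->IsAnalyzer("SSL") )` in FTP_ADAT_Analyzer::DeliverStream is a behavioural fix, not a mechanical rename: the removed line `! Parent()->GetTag() == AnalyzerTag::SSL` negated the tag first and compared a bool against the enum, so the old guard almost certainly never tested what it meant to. Since this commit otherwise only swaps tags for names, that change deserves a sentence in the commit message and a short comment at the site, e.g. `// ADAT is only parsed when the parent is the SSL analyzer; otherwise detach.`, so the next reader does not assume the two forms were equivalent. The body of DeliverStream continues past the hunk.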
@@ -37,10 +35,10 @@ protected: * analyzer just decodes the tokens and passes them on to the parent, which must * be an SSL analyzer instance. */ -class FTP_ADAT_Analyzer : public SupportAnalyzer { +class FTP_ADAT_Analyzer : public analyzer::SupportAnalyzer { public: FTP_ADAT_Analyzer(Connection* conn, bool arg_orig) - : SupportAnalyzer(AnalyzerTag::FTP_ADAT, conn, arg_orig), + : SupportAnalyzer("FTP_ADAT", conn, arg_orig), first_token(true) { } void DeliverStream(int len, const u_char* data, bool orig); diff --git a/src/FileAnalyzer.cc b/src/FileAnalyzer.cc index 172f1aaa1d..9663d51260 100644 --- a/src/FileAnalyzer.cc +++ b/src/FileAnalyzer.cc @@ -8,7 +8,7 @@ magic_t File_Analyzer::magic = 0; magic_t File_Analyzer::magic_mime = 0; File_Analyzer::File_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::File, conn) +: TCP_ApplicationAnalyzer("FILE", conn) { buffer_len = 0; diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h index ac5c783e6b..6edda1646f 100644 --- a/src/FileAnalyzer.h +++ b/src/FileAnalyzer.h @@ -15,14 +15,12 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new File_Analyzer(conn); } static bool Available() { return file_transferred; } protected: - File_Analyzer() {} - void Identify(); static const int BUFFER_SIZE = 1024; diff --git a/src/Finger.cc b/src/Finger.cc index be0f3754b5..35809194d4 100644 --- a/src/Finger.cc +++ b/src/Finger.cc @@ -10,7 +10,7 @@ #include "ContentLine.h" Finger_Analyzer::Finger_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::Finger, conn) +: TCP_ApplicationAnalyzer("FINGER", conn) { did_deliver = 0; content_line_orig = new ContentLine_Analyzer(conn, true); diff --git a/src/Finger.h b/src/Finger.h index 3c61c4ad2a..5de0086dbc 100644 --- a/src/Finger.h +++ b/src/Finger.h 
@@ -16,7 +16,7 @@ public: // Line-based input. virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Finger_Analyzer(conn); } static bool Available() { return finger_request || finger_reply; } diff --git a/src/Func.cc b/src/Func.cc index 02f8dd4f29..cedf729301 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -548,12 +548,14 @@ void builtin_error(const char* msg, BroObj* arg) reporter->Error(msg, arg); } +#include "analyzer.bif.func_h" #include "bro.bif.func_h" #include "logging.bif.func_h" #include "input.bif.func_h" #include "reporter.bif.func_h" #include "strings.bif.func_h" +#include "analyzer.bif.func_def" #include "bro.bif.func_def" #include "logging.bif.func_def" #include "input.bif.func_def" @@ -569,6 +571,7 @@ void init_builtin_funcs() var_sizes = internal_type("var_sizes")->AsTableType(); gap_info = internal_type("gap_info")->AsRecordType(); +#include "analyzer.bif.func_init" #include "bro.bif.func_init" #include "logging.bif.func_init" #include "input.bif.func_init" diff --git a/src/GTPv1.cc b/src/GTPv1.cc index 68b6f30a0c..86a2615690 100644 --- a/src/GTPv1.cc +++ b/src/GTPv1.cc @@ -1,7 +1,7 @@ #include "GTPv1.h" GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn) -: Analyzer(AnalyzerTag::GTPv1, conn) +: Analyzer("GTPV1", conn) { interp = new binpac::GTPv1::GTPv1_Conn(this); } diff --git a/src/GTPv1.h b/src/GTPv1.h index e111158833..e6c2066df0 100644 --- a/src/GTPv1.h +++ b/src/GTPv1.h @@ -3,7 +3,7 @@ #include "gtpv1_pac.h" -class GTPv1_Analyzer : public Analyzer { +class GTPv1_Analyzer : public analyzer::Analyzer { public: GTPv1_Analyzer(Connection* conn); virtual ~GTPv1_Analyzer(); 
@@ -12,7 +12,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new GTPv1_Analyzer(conn); } static bool Available() diff --git a/src/Gnutella.cc b/src/Gnutella.cc index 6b5e901bc5..6c8d4ee3f6 100644 --- a/src/Gnutella.cc +++ b/src/Gnutella.cc @@ -30,7 +30,7 @@ GnutellaMsgState::GnutellaMsgState() Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::Gnutella, conn) +: TCP_ApplicationAnalyzer("GNUTELLA", conn) { state = 0; new_state = 0; @@ -131,13 +131,13 @@ int Gnutella_Analyzer::IsHTTP(string header) if ( HTTP_Analyzer::Available() ) { - Analyzer* a = new HTTP_Analyzer(Conn()); + analyzer::Analyzer* a = new HTTP_Analyzer(Conn()); Parent()->AddChildAnalyzer(a); - if ( Parent()->GetTag() == AnalyzerTag::TCP ) + if ( Parent()->IsAnalyzer("TCP") ) { // Replay buffered data. - PIA* pia = static_cast(Parent())->GetPIA(); + PIA* pia = static_cast(Parent())->GetPIA(); if ( pia ) static_cast(pia)->ReplayStreamBuffer(a); } diff --git a/src/Gnutella.h b/src/Gnutella.h index 455876462d..88a8bcb4c7 100644 --- a/src/Gnutella.h +++ b/src/Gnutella.h @@ -40,7 +40,7 @@ public: virtual void Done (); virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Gnutella_Analyzer(conn); } static bool Available() diff --git a/src/HTTP-binpac.cc b/src/HTTP-binpac.cc index 47b2c479ec..a23ef0043a 100644 --- a/src/HTTP-binpac.cc +++ b/src/HTTP-binpac.cc @@ -2,7 +2,7 @@ #include "TCP_Reassembler.h" HTTP_Analyzer_binpac::HTTP_Analyzer_binpac(Connection *c) -: TCP_ApplicationAnalyzer(AnalyzerTag::HTTP_BINPAC, c) +: TCP_ApplicationAnalyzer("HTTP_BINPAC", c) { interp = new binpac::HTTP::HTTP_Conn(this); } 
diff --git a/src/HTTP-binpac.h b/src/HTTP-binpac.h index ef7cc7dd7d..8f0370afda 100644 --- a/src/HTTP-binpac.h +++ b/src/HTTP-binpac.h @@ -15,7 +15,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new HTTP_Analyzer_binpac(conn); } static bool Available() diff --git a/src/HTTP.cc b/src/HTTP.cc index 7e4079b853..5b49f8844e 100644 --- a/src/HTTP.cc +++ b/src/HTTP.cc @@ -161,7 +161,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF) DeliverBody(len, data, trailing_CRLF); } -class HTTP_Entity::UncompressedOutput : public Analyzer::OutputHandler { +class HTTP_Entity::UncompressedOutput : public analyzer::Analyzer::OutputHandler { public: UncompressedOutput(HTTP_Entity* e) { entity = e; } virtual ~UncompressedOutput() { } @@ -787,7 +787,7 @@ void HTTP_Message::Weird(const char* msg) } HTTP_Analyzer::HTTP_Analyzer(Connection* conn) - : TCP_ApplicationAnalyzer(AnalyzerTag::HTTP, conn) +: TCP_ApplicationAnalyzer("HTTP", conn) { num_requests = num_replies = 0; num_request_lines = num_reply_lines = 0; @@ -1736,7 +1736,7 @@ void escape_URI_char(unsigned char ch, unsigned char*& p) } BroString* unescape_URI(const u_char* line, const u_char* line_end, - Analyzer* analyzer) + analyzer::Analyzer* analyzer) { byte_vec decoded_URI = new u_char[line_end - line + 1]; byte_vec URI_p = decoded_URI; diff --git a/src/HTTP.h b/src/HTTP.h index c9d8ae55d1..e8746e9d52 100644 --- a/src/HTTP.h +++ b/src/HTTP.h @@ -174,7 +174,7 @@ public: virtual void ConnectionReset(); virtual void PacketWithRST(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new HTTP_Analyzer(conn); } static bool Available() 
@@ -252,6 +252,6 @@ extern int is_reserved_URI_char(unsigned char ch); extern int is_unreserved_URI_char(unsigned char ch); extern void escape_URI_char(unsigned char ch, unsigned char*& p); extern BroString* unescape_URI(const u_char* line, const u_char* line_end, - Analyzer* analyzer); + analyzer::Analyzer* analyzer); #endif diff --git a/src/ICMP.cc b/src/ICMP.cc index 5634e3885f..538d25dfc3 100644 --- a/src/ICMP.cc +++ b/src/ICMP.cc @@ -8,19 +8,12 @@ #include "NetVar.h" #include "Event.h" #include "ICMP.h" +#include "Conn.h" #include ICMP_Analyzer::ICMP_Analyzer(Connection* c) -: TransportLayerAnalyzer(AnalyzerTag::ICMP, c) - { - icmp_conn_val = 0; - c->SetInactivityTimeout(icmp_inactivity_timeout); - request_len = reply_len = -1; - } - -ICMP_Analyzer::ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* c) -: TransportLayerAnalyzer(tag, c) +: TransportLayerAnalyzer("ICMP", c) { icmp_conn_val = 0; c->SetInactivityTimeout(icmp_inactivity_timeout); diff --git a/src/ICMP.h b/src/ICMP.h index 1e30b7ff54..fbf61f7993 100644 --- a/src/ICMP.h +++ b/src/ICMP.h @@ -3,7 +3,8 @@ #ifndef icmp_h #define icmp_h -#include "Analyzer.h" +#include "RuleMatcher.h" +#include "analyzer/Analyzer.h" typedef enum { ICMP_INACTIVE, // no packet seen 
@@ -12,20 +13,19 @@ typedef enum { // We do not have an PIA for ICMP (yet) and therefore derive from // RuleMatcherState to perform our own matching. -class ICMP_Analyzer : public TransportLayerAnalyzer { +class ICMP_Analyzer : public analyzer::TransportLayerAnalyzer { public: ICMP_Analyzer(Connection* conn); virtual void UpdateConnVal(RecordVal *conn_val); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ICMP_Analyzer(conn); } static bool Available() { return true; } protected: - ICMP_Analyzer() { } - ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* conn); + ICMP_Analyzer(analyzer::Tag tag, Connection* conn); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, diff --git a/src/IPAddr.cc b/src/IPAddr.cc index 51fb37c4d5..cc52de31ed 100644 --- a/src/IPAddr.cc +++ b/src/IPAddr.cc @@ -5,9 +5,10 @@ #include "IPAddr.h" #include "Reporter.h" #include "Conn.h" -#include "DPM.h" #include "bro_inet_ntop.h" +#include "analyzer/Manager.h" + const uint8_t IPAddr::v4_mapped_prefix[12] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff }; @@ -44,7 +45,7 @@ HashKey* BuildConnIDHashKey(const ConnID& id) return new HashKey(&key, sizeof(key)); } -HashKey* BuildExpectedConnHashKey(const ExpectedConn& c) +HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c) { struct { in6_addr orig; diff --git a/src/IPAddr.h b/src/IPAddr.h index 5ddee70fb8..e79f3aa0a9 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h @@ -14,7 +14,7 @@ #include "threading/SerialTypes.h" struct ConnID; -class ExpectedConn; +namespace analyzer { class ExpectedConn; } typedef in_addr in4_addr; 
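Review bot: ICMP.h keeps a protected `ICMP_Analyzer(analyzer::Tag tag, Connection* conn);` declaration, but the ICMP.cc hunk above removes the only definition of the tag-taking constructor and leaves just `ICMP_Analyzer(Connection* c)`. As committed, any derived analyzer that calls the tag overload will fail at link time, and if nothing calls it the declaration is dead code that will mislead the next reader. Either drop the declaration from ICMP.h or restore the definition in ICMP.cc delegating to `TransportLayerAnalyzer(tag, c)` with the same member initialisation as the single-argument constructor. The class body continues past the hunk.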
@@ -363,7 +363,7 @@ public: void ConvertToThreadingValue(threading::Value::addr_t* v) const; friend HashKey* BuildConnIDHashKey(const ConnID& id); - friend HashKey* BuildExpectedConnHashKey(const ExpectedConn& c); + friend HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c); unsigned int MemoryAllocation() const { return padded_sizeof(*this); } @@ -455,7 +455,7 @@ HashKey* BuildConnIDHashKey(const ConnID& id); /** * Returns a hash key for a given ExpectedConn instance. Passes ownership to caller. */ -HashKey* BuildExpectedConnHashKey(const ExpectedConn& c); +HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c); /** * Class storing both IPv4 and IPv6 prefixes diff --git a/src/IRC.cc b/src/IRC.cc index 1918300ba2..35156ccb40 100644 --- a/src/IRC.cc +++ b/src/IRC.cc @@ -2,15 +2,15 @@ #include #include "IRC.h" -#include "DPM.h" #include "ContentLine.h" #include "NetVar.h" #include "Event.h" #include "ZIP.h" +#include "analyzer/Manager.h" IRC_Analyzer::IRC_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::IRC, conn) +: TCP_ApplicationAnalyzer("IRC", conn) { invalid_msg_count = 0; invalid_msg_max_count = 20; diff --git a/src/IRC.h b/src/IRC.h index 0fe36957de..657532f5f1 100644 --- a/src/IRC.h +++ b/src/IRC.h @@ -30,7 +30,7 @@ public: */ virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new IRC_Analyzer(conn); } diff --git a/src/Ident.cc b/src/Ident.cc index b2e82e5f12..e9ba679b0b 100644 --- a/src/Ident.cc +++ b/src/Ident.cc @@ -9,7 +9,7 @@ #include "Event.h" Ident_Analyzer::Ident_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::Ident, conn) +: TCP_ApplicationAnalyzer("IDENT", conn) { did_bad_reply = did_deliver = 0; diff --git a/src/Ident.h b/src/Ident.h index a848d233e1..e0cf44f5a4 100644 --- a/src/Ident.h +++ b/src/Ident.h 
@@ -13,7 +13,7 @@ public: virtual void DeliverStream(int length, const u_char* data, bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Ident_Analyzer(conn); } static bool Available() diff --git a/src/InterConn.cc b/src/InterConn.cc index 403081181a..65e814a962 100644 --- a/src/InterConn.cc +++ b/src/InterConn.cc @@ -153,7 +153,7 @@ int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const } InterConn_Analyzer::InterConn_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::InterConn, c) +: TCP_ApplicationAnalyzer("INTERCONN", c) { orig_endp = resp_endp = 0; orig_stream_pos = resp_stream_pos = 1; diff --git a/src/InterConn.h b/src/InterConn.h index d9cd10de27..1abec4058b 100644 --- a/src/InterConn.h +++ b/src/InterConn.h @@ -47,7 +47,7 @@ public: virtual void Done(); void StatTimer(double t, int is_expire); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new InterConn_Analyzer(conn); } static bool Available() { return interconn_stats; } diff --git a/src/Login.cc b/src/Login.cc index e626fb3a0a..2eb4900692 100644 --- a/src/Login.cc +++ b/src/Login.cc @@ -20,8 +20,8 @@ static RE_Matcher* re_login_timeouts; static RE_Matcher* init_RE(ListVal* l); -Login_Analyzer::Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn) -: TCP_ApplicationAnalyzer(tag, conn) +Login_Analyzer::Login_Analyzer(const char* name, Connection* conn) +: TCP_ApplicationAnalyzer(name, conn) { state = LOGIN_STATE_AUTHENTICATE; num_user_lines_seen = lines_scanned = 0; diff --git a/src/Login.h b/src/Login.h index b186cc52d2..6337738e7d 100644 --- a/src/Login.h +++ b/src/Login.h 
@@ -21,7 +21,7 @@ typedef enum { class Login_Analyzer : public TCP_ApplicationAnalyzer { public: - Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn); + Login_Analyzer(const char* name, Connection* conn); ~Login_Analyzer(); virtual void DeliverStream(int len, const u_char* data, bool orig); diff --git a/src/MIME.cc b/src/MIME.cc index ce60e74b89..011857ee6e 100644 --- a/src/MIME.cc +++ b/src/MIME.cc @@ -966,7 +966,7 @@ TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist) return t; } -MIME_Mail::MIME_Mail(Analyzer* mail_analyzer, int buf_size) +MIME_Mail::MIME_Mail(analyzer::Analyzer* mail_analyzer, int buf_size) : MIME_Message(mail_analyzer) { analyzer = mail_analyzer; diff --git a/src/MIME.h b/src/MIME.h index 17ac7fde9f..3f8c3281fc 100644 --- a/src/MIME.h +++ b/src/MIME.h @@ -10,7 +10,7 @@ using namespace std; #include "Base64.h" #include "BroString.h" -#include "Analyzer.h" +#include "analyzer/Analyzer.h" // MIME: Multipurpose Internet Mail Extensions // Follows RFC 822 & 2822 (Internet Mail), 2045-2049 (MIME) @@ -178,7 +178,7 @@ protected: class MIME_Message { public: - MIME_Message(Analyzer* arg_analyzer) + MIME_Message(analyzer::Analyzer* arg_analyzer) { // Cannot initialize top_level entity because we do // not know its type yet (MIME_Entity / MIME_Mail / @@ -203,7 +203,7 @@ public: top_level->Deliver(len, data, trailing_CRLF); } - Analyzer* GetAnalyzer() const { return analyzer; } + analyzer::Analyzer* GetAnalyzer() const { return analyzer; } // Events generated by MIME_Entity virtual void BeginEntity(MIME_Entity*) = 0; @@ -215,7 +215,7 @@ public: virtual void SubmitEvent(int event_type, const char* detail) = 0; protected: - Analyzer* analyzer; + analyzer::Analyzer* analyzer; MIME_Entity* top_level; int finished; @@ -226,7 +226,7 @@ protected: class MIME_Mail : public MIME_Message { public: - MIME_Mail(Analyzer* mail_conn, int buf_size = 0); + MIME_Mail(analyzer::Analyzer* mail_conn, int buf_size = 0); ~MIME_Mail(); void Done(); 
diff --git a/src/Modbus.cc b/src/Modbus.cc index 278eb91e57..22772daea0 100644 --- a/src/Modbus.cc +++ b/src/Modbus.cc @@ -3,7 +3,7 @@ #include "TCP_Reassembler.h" ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c) - : TCP_ApplicationAnalyzer(AnalyzerTag::Modbus, c) + : TCP_ApplicationAnalyzer("MODBUS", c) { interp = new binpac::ModbusTCP::ModbusTCP_Conn(this); } diff --git a/src/Modbus.h b/src/Modbus.h index 5e3294d91c..84389b0554 100644 --- a/src/Modbus.h +++ b/src/Modbus.h @@ -15,7 +15,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ModbusTCP_Analyzer(conn); } // Put event names in this function diff --git a/src/NCP.cc b/src/NCP.cc index edd882747c..bdf484cad7 100644 --- a/src/NCP.cc +++ b/src/NCP.cc @@ -17,7 +17,7 @@ using namespace std; uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \ uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8)) -NCP_Session::NCP_Session(Analyzer* a) +NCP_Session::NCP_Session(analyzer::Analyzer* a) : analyzer(a) { req_frame_type = 0; @@ -150,7 +150,7 @@ void NCP_FrameBuffer::compute_msg_length() } Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* arg_session) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_NCP, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) { session = arg_session; resync = true; @@ -215,7 +215,7 @@ void Contents_NCP_Analyzer::Undelivered(int seq, int len, bool orig) } NCP_Analyzer::NCP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::NCP, conn) +: TCP_ApplicationAnalyzer("NCP", conn) { session = new NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); diff --git a/src/NCP.h b/src/NCP.h index 1e783ee3ab..833d030394 100644 --- a/src/NCP.h +++ b/src/NCP.h 
@@ -29,7 +29,7 @@ class NCP_Session { public: - NCP_Session(Analyzer* analyzer); + NCP_Session(analyzer::Analyzer* analyzer); virtual ~NCP_Session() {} virtual void Deliver(int is_orig, int len, const u_char* data); @@ -42,7 +42,7 @@ public: protected: void DeliverFrame(const binpac::NCP::ncp_frame* frame); - Analyzer* analyzer; + analyzer::Analyzer* analyzer; int req_frame_type; int req_func; }; @@ -102,7 +102,7 @@ public: NCP_Analyzer(Connection* conn); virtual ~NCP_Analyzer(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NCP_Analyzer(conn); } static bool Available() { return NCP_Session::any_ncp_event(); } diff --git a/src/NFS.cc b/src/NFS.cc index d64f7755a3..461ac44c4f 100644 --- a/src/NFS.cc +++ b/src/NFS.cc @@ -641,7 +641,7 @@ Val* NFS_Interp::ExtractBool(const u_char*& buf, int& n) NFS_Analyzer::NFS_Analyzer(Connection* conn) - : RPC_Analyzer(AnalyzerTag::NFS, conn, new NFS_Interp(this)) + : RPC_Analyzer("RPC", conn, new NFS_Interp(this)) { orig_rpc = resp_rpc = 0; } diff --git a/src/NFS.h b/src/NFS.h index 6a65143808..ecb89ff7bf 100644 --- a/src/NFS.h +++ b/src/NFS.h @@ -9,7 +9,7 @@ class NFS_Interp : public RPC_Interpreter { public: - NFS_Interp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); @@ -75,7 +75,7 @@ public: NFS_Analyzer(Connection* conn); virtual void Init(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NFS_Analyzer(conn); } static bool Available() diff --git a/src/NTP.cc b/src/NTP.cc index 60b7e6202d..729edee923 100644 --- a/src/NTP.cc +++ b/src/NTP.cc 
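Review bot: NFS_Analyzer now passes "RPC" as its name in `RPC_Analyzer("RPC", conn, new NFS_Interp(this))`, while the removed line used `AnalyzerTag::NFS` and every other analyzer in this commit, including `RPC_Analyzer("PORTMAPPER", ...)` for Portmapper, passes its own protocol name. If the name is what the analyzer is addressed by elsewhere (enabling, disabling, port registration), an "RPC" tag either collides with a generic RPC analyzer or makes NFS unaddressable under its own name. This looks like a typo for `RPC_Analyzer("NFS", conn, new NFS_Interp(this))`; if "RPC" is deliberate, a one-line comment explaining why NFS is not registered as "NFS" would prevent it being "fixed" later.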
@@ -9,7 +9,7 @@ NTP_Analyzer::NTP_Analyzer(Connection* conn) - : Analyzer(AnalyzerTag::NTP, conn) + : Analyzer("NTP", conn) { ADD_ANALYZER_TIMER(&NTP_Analyzer::ExpireTimer, network_time + ntp_session_timeout, 1, diff --git a/src/NTP.h b/src/NTP.h index a22a7b231b..3ae44d4cf7 100644 --- a/src/NTP.h +++ b/src/NTP.h @@ -35,11 +35,11 @@ struct ntpdata { struct l_fixedpt xmt; }; -class NTP_Analyzer : public Analyzer { +class NTP_Analyzer : public analyzer::Analyzer { public: NTP_Analyzer(Connection* conn); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NTP_Analyzer(conn); } static bool Available() { return ntp_message; } diff --git a/src/NVT.cc b/src/NVT.cc index 5ba12ac32a..641ad211e4 100644 --- a/src/NVT.cc +++ b/src/NVT.cc @@ -360,7 +360,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */) NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig) -: ContentLine_Analyzer(AnalyzerTag::NVT, conn, orig) +: ContentLine_Analyzer("NVT", conn, orig) { peer = 0; is_suboption = last_was_IAC = pending_IAC = 0; diff --git a/src/NetVar.cc b/src/NetVar.cc index 248ae15e1a..97bf9fd559 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -208,7 +208,6 @@ TableType* irc_join_list; RecordType* irc_join_info; TableVal* irc_servers; -TableVal* dpd_config; int dpd_reassemble_first_packets; int dpd_buffer_size; int dpd_match_only_beginning; @@ -239,6 +238,7 @@ TableType* record_field_table; StringVal* cmd_line_bpf_filter; +#include "analyzer.bif.netvar_def" #include "const.bif.netvar_def" #include "types.bif.netvar_def" #include "event.bif.netvar_def" 
@@ -512,7 +512,6 @@ void init_net_var() opt_internal_double("remote_trace_sync_interval"); remote_trace_sync_peers = opt_internal_int("remote_trace_sync_peers"); - dpd_config = internal_val("dpd_config")->AsTableVal(); dpd_reassemble_first_packets = opt_internal_int("dpd_reassemble_first_packets"); dpd_buffer_size = opt_internal_int("dpd_buffer_size"); diff --git a/src/NetVar.h b/src/NetVar.h index 2561fa0ad9..6a1103ebb9 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -212,7 +212,6 @@ extern TableType* irc_join_list; extern RecordType* irc_join_info; extern TableVal* irc_servers; -extern TableVal* dpd_config; extern int dpd_reassemble_first_packets; extern int dpd_buffer_size; extern int dpd_match_only_beginning; @@ -249,6 +248,7 @@ extern void init_general_global_var(); extern void init_event_handlers(); extern void init_net_var(); +#include "analyzer.bif.netvar_h" #include "const.bif.netvar_h" #include "types.bif.netvar_h" #include "event.bif.netvar_h" diff --git a/src/NetbiosSSN.cc b/src/NetbiosSSN.cc index 362d974956..fd3a4f6111 100644 --- a/src/NetbiosSSN.cc +++ b/src/NetbiosSSN.cc @@ -43,7 +43,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len) } -NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(Analyzer* arg_analyzer, +NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(analyzer::Analyzer* arg_analyzer, SMB_Session* arg_smb_session) { analyzer = arg_analyzer; @@ -340,7 +340,7 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data, Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig, NetbiosSSN_Interpreter* arg_interp) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_NetbiosSSN, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) { interp = arg_interp; type = flags = msg_size = 0; 
@@ -455,7 +455,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) } NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::NetbiosSSN, conn) +: TCP_ApplicationAnalyzer("NETBIOS", conn) { smb_session = new SMB_Session(this); interp = new NetbiosSSN_Interpreter(this, smb_session); diff --git a/src/NetbiosSSN.h b/src/NetbiosSSN.h index 7c4dd91b90..c3851516a0 100644 --- a/src/NetbiosSSN.h +++ b/src/NetbiosSSN.h @@ -62,7 +62,7 @@ struct NetbiosDGM_RawMsgHdr { class NetbiosSSN_Interpreter { public: - NetbiosSSN_Interpreter(Analyzer* analyzer, SMB_Session* smb_session); + NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer, SMB_Session* smb_session); int ParseMessage(unsigned int type, unsigned int flags, const u_char* data, int len, int is_query); @@ -108,7 +108,7 @@ protected: u_char*& xname, int& xlen); protected: - Analyzer* analyzer; + analyzer::Analyzer* analyzer; SMB_Session* smb_session; }; @@ -157,7 +157,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NetbiosSSN_Analyzer(conn); } static bool Available() diff --git a/src/PIA.cc b/src/PIA.cc index 9adb4ccab3..f2eb633cd4 100644 --- a/src/PIA.cc +++ b/src/PIA.cc @@ -2,7 +2,7 @@ #include "RuleMatcher.h" #include "TCP_Reassembler.h" -PIA::PIA(Analyzer* arg_as_analyzer) +PIA::PIA(analyzer::Analyzer* arg_as_analyzer) { current_packet.data = 0; as_analyzer = arg_as_analyzer; @@ -61,7 +61,7 @@ void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig) AddToBuffer(buffer, -1, len, data, is_orig); } -void PIA::ReplayPacketBuffer(Analyzer* analyzer) +void PIA::ReplayPacketBuffer(analyzer::Analyzer* analyzer) { DBG_LOG(DBG_DPD, "PIA replaying %d total packet bytes", pkt_buffer.size); 
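Review bot: NetbiosSSN_Analyzer is renamed to "NETBIOS" while its support analyzer in the hunk above becomes "CONTENTS_NETBIOSSSN", and the class itself is still NetbiosSSN_Analyzer, so the three names no longer line up. I cannot see the registry these names are matched against, so this may be intentional, but if the names are looked up by string a mismatch will surface only at runtime rather than at compile time. Consider `TCP_ApplicationAnalyzer("NETBIOSSSN", conn)` for consistency, or a comment noting that "NETBIOS" is the registered name.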
@@ -129,7 +129,7 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol, bol, eol, clear_state); } -void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) +void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) { if ( pkt_buffer.state == MATCHING_ONLY ) { @@ -142,14 +142,14 @@ void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) if ( Parent()->HasChildAnalyzer(tag) ) return; - Analyzer* a = Parent()->AddChildAnalyzer(tag); + analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); a->SetSignature(rule); if ( a ) ReplayPacketBuffer(a); } -void PIA_UDP::DeactivateAnalyzer(AnalyzerTag::Tag tag) +void PIA_UDP::DeactivateAnalyzer(analyzer::Tag tag) { reporter->InternalError("PIA_UDP::Deact not implemented yet"); } @@ -165,7 +165,7 @@ void PIA_TCP::Init() { TCP_ApplicationAnalyzer::Init(); - if ( Parent()->GetTag() == AnalyzerTag::TCP ) + if ( Parent()->IsAnalyzer("TCP") ) { TCP_Analyzer* tcp = static_cast(Parent()); SetTCP(tcp); @@ -262,7 +262,7 @@ void PIA_TCP::Undelivered(int seq, int len, bool is_orig) // No check for buffer overrun here. I think that's ok. } -void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) +void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) { if ( stream_buffer.state == MATCHING_ONLY ) { @@ -275,7 +275,7 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) if ( Parent()->HasChildAnalyzer(tag) ) return; - Analyzer* a = Parent()->AddChildAnalyzer(tag); + analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); a->SetSignature(rule); // We have two cases here: 
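Review bot: In PIA_UDP::ActivateAnalyzer the pointer returned by `analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);` is dereferenced by `a->SetSignature(rule);` on the very next line, before the `if ( a )` guard that follows, so the null check can never protect anything; either AddChildAnalyzer cannot return null, in which case the check is misleading, or this is a null dereference on a packet-driven path. The commit touches the line but keeps the order; move the call under the guard: `if ( a ) { a->SetSignature(rule); ReplayPacketBuffer(a); }`. PIA_TCP::ActivateAnalyzer in the next hunk has the same `a->SetSignature(rule);` immediately after the add, with the rest of that function outside the hunk.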
@@ -305,13 +305,13 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) // (4) We hand the two reassemblers to the TCP Analyzer (our parent), // turning reassembly now on for all subsequent data. - DBG_LOG(DBG_DPD, "DPM_TCP switching from packet-mode to stream-mode"); + DBG_LOG(DBG_DPD, "PIA_TCP switching from packet-mode to stream-mode"); stream_mode = true; // FIXME: The reassembler will query the endpoint for state. Not sure // if this is works in all cases... - if ( Parent()->GetTag() != AnalyzerTag::TCP ) + if ( ! Parent()->IsAnalyzer("TCP") ) { // Our parent is not the TCP analyzer, which can only mean // we have been inserted somewhere further down in the @@ -371,12 +371,12 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) tcp->SetReassembler(reass_orig, reass_resp); } -void PIA_TCP::DeactivateAnalyzer(AnalyzerTag::Tag tag) +void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag) { reporter->InternalError("PIA_TCP::Deact not implemented yet"); } -void PIA_TCP::ReplayStreamBuffer(Analyzer* analyzer) +void PIA_TCP::ReplayStreamBuffer(analyzer::Analyzer* analyzer) { DBG_LOG(DBG_DPD, "PIA_TCP replaying %d total stream bytes", stream_buffer.size); diff --git a/src/PIA.h b/src/PIA.h index 907350bbdf..d0521a6885 100644 --- a/src/PIA.h +++ b/src/PIA.h @@ -3,7 +3,7 @@ #ifndef PIA_H #define PIA_H -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "TCP.h" class RuleEndpointState; 
@@ -17,25 +17,25 @@ class RuleEndpointState; // PIAs and then each needs its own matching-state. class PIA : public RuleMatcherState { public: - PIA(Analyzer* as_analyzer); + PIA(analyzer::Analyzer* as_analyzer); virtual ~PIA(); // Called when PIA wants to put an Analyzer in charge. rule is the // signature that triggered the activitation, if any. - virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, + virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule = 0) = 0; // Called when PIA wants to remove an Analyzer. - virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag) = 0; + virtual void DeactivateAnalyzer(analyzer::Tag tag) = 0; void Match(Rule::PatternType type, const u_char* data, int len, bool is_orig, bool bol, bool eol, bool clear_state); - void ReplayPacketBuffer(Analyzer* analyzer); + void ReplayPacketBuffer(analyzer::Analyzer* analyzer); // Children are also derived from Analyzer. Return this object // as pointer to an Analyzer. - Analyzer* AsAnalyzer() { return as_analyzer; } + analyzer::Analyzer* AsAnalyzer() { return as_analyzer; } static bool Available() { return true; } @@ -81,20 +81,20 @@ protected: Buffer pkt_buffer; private: - Analyzer* as_analyzer; + analyzer::Analyzer* as_analyzer; Connection* conn; DataBlock current_packet; }; // PIA for UDP. -class PIA_UDP : public PIA, public Analyzer { +class PIA_UDP : public PIA, public analyzer::Analyzer { public: PIA_UDP(Connection* conn) - : PIA(this), Analyzer(AnalyzerTag::PIA_UDP, conn) + : PIA(this), Analyzer("PIA_UDP", conn) { SetConn(conn); } virtual ~PIA_UDP() { } - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new PIA_UDP(conn); } protected: 
@@ -111,8 +111,8 @@ protected: PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen); } - virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule); - virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag); + virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule); + virtual void DeactivateAnalyzer(analyzer::Tag tag); }; // PIA for TCP. Accepts both packet and stream input (and reassembles @@ -120,7 +120,7 @@ protected: class PIA_TCP : public PIA, public TCP_ApplicationAnalyzer { public: PIA_TCP(Connection* conn) - : PIA(this), TCP_ApplicationAnalyzer(AnalyzerTag::PIA_TCP, conn) + : PIA(this), TCP_ApplicationAnalyzer("PIA_TCP", conn) { stream_mode = false; SetConn(conn); } virtual ~PIA_TCP(); @@ -137,9 +137,9 @@ public: // to be unnecessary overhead.) void FirstPacket(bool is_orig, const IP_Hdr* ip); - void ReplayStreamBuffer(Analyzer* analyzer); + void ReplayStreamBuffer(analyzer::Analyzer* analyzer); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new PIA_TCP(conn); } protected: @@ -159,9 +159,9 @@ protected: virtual void DeliverStream(int len, const u_char* data, bool is_orig); virtual void Undelivered(int seq, int len, bool is_orig); - virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, + virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule = 0); - virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag); + virtual void DeactivateAnalyzer(analyzer::Tag tag); private: // FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer. diff --git a/src/POP3.cc b/src/POP3.cc index 3075e76507..697dc0434e 100644 --- a/src/POP3.cc +++ b/src/POP3.cc @@ -26,7 +26,7 @@ static const char* pop3_cmd_word[] = { POP3_Analyzer::POP3_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::POP3, conn) +: TCP_ApplicationAnalyzer("POP3", conn) { masterState = POP3_START; subState = POP3_WOK; 
diff --git a/src/POP3.h b/src/POP3.h index 8d09d5e686..bab2737fca 100644 --- a/src/POP3.h +++ b/src/POP3.h @@ -68,7 +68,7 @@ public: virtual void Done(); virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new POP3_Analyzer(conn); } diff --git a/src/Portmap.cc b/src/Portmap.cc index dd1049a361..9bebd0f8a6 100644 --- a/src/Portmap.cc +++ b/src/Portmap.cc @@ -300,7 +300,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu } Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn) -: RPC_Analyzer(AnalyzerTag::Portmapper, conn, new PortmapperInterp(this)) +: RPC_Analyzer("PORTMAPPER", conn, new PortmapperInterp(this)) { orig_rpc = resp_rpc = 0; } diff --git a/src/Portmap.h b/src/Portmap.h index 62e954bc80..1a98537153 100644 --- a/src/Portmap.h +++ b/src/Portmap.h @@ -7,7 +7,7 @@ class PortmapperInterp : public RPC_Interpreter { public: - PortmapperInterp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); @@ -29,7 +29,7 @@ public: virtual ~Portmapper_Analyzer(); virtual void Init(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Portmapper_Analyzer(conn); } static bool Available() diff --git a/src/RPC.cc b/src/RPC.cc index 81fd6709b1..2dd11c215e 100644 --- a/src/RPC.cc +++ b/src/RPC.cc @@ -66,7 +66,7 @@ void rpc_callinfo_delete_func(void* v) delete (RPC_CallInfo*) v; } -RPC_Interpreter::RPC_Interpreter(Analyzer* arg_analyzer) +RPC_Interpreter::RPC_Interpreter(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; calls.SetDeleteFunc(rpc_callinfo_delete_func); 
@@ -373,7 +373,7 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len) Contents_RPC::Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* arg_interp) - : TCP_SupportAnalyzer(AnalyzerTag::Contents_RPC, conn, orig) + : TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) { interp = arg_interp; state = WAIT_FOR_MESSAGE; @@ -673,9 +673,9 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) } // end while } -RPC_Analyzer::RPC_Analyzer(AnalyzerTag::Tag tag, Connection* conn, +RPC_Analyzer::RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp) -: TCP_ApplicationAnalyzer(tag, conn) +: TCP_ApplicationAnalyzer(name, conn) { interp = arg_interp; diff --git a/src/RPC.h b/src/RPC.h index 0eee423460..960b9c744a 100644 --- a/src/RPC.h +++ b/src/RPC.h @@ -92,7 +92,7 @@ declare(PDict,RPC_CallInfo); class RPC_Interpreter { public: - RPC_Interpreter(Analyzer* analyzer); + RPC_Interpreter(analyzer::Analyzer* analyzer); virtual ~RPC_Interpreter(); // Delivers the given RPC. Returns true if "len" bytes were @@ -115,7 +115,7 @@ protected: void Weird(const char* name); PDict(RPC_CallInfo) calls; - Analyzer* analyzer; + analyzer::Analyzer* analyzer; }; @@ -224,7 +224,7 @@ protected: class RPC_Analyzer : public TCP_ApplicationAnalyzer { public: - RPC_Analyzer(AnalyzerTag::Tag tag, Connection* conn, + RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp); virtual ~RPC_Analyzer(); diff --git a/src/RSH.cc b/src/RSH.cc index ceef3ba7a4..09d403fe59 100644 --- a/src/RSH.cc +++ b/src/RSH.cc @@ -11,7 +11,7 @@ Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* arg_analyzer) -: ContentLine_Analyzer(AnalyzerTag::Contents_Rsh, conn, orig) +: ContentLine_Analyzer("CONTENTS_RSH", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; 
@@ -138,7 +138,7 @@ void Contents_Rsh_Analyzer::BadProlog() } Rsh_Analyzer::Rsh_Analyzer(Connection* conn) -: Login_Analyzer(AnalyzerTag::Rsh, conn) +: Login_Analyzer("RSH", conn) { contents_orig = new Contents_Rsh_Analyzer(conn, true, this); contents_resp = new Contents_Rsh_Analyzer(conn, false, this); diff --git a/src/RSH.h b/src/RSH.h index 136d0b07f1..31e5fe683f 100644 --- a/src/RSH.h +++ b/src/RSH.h @@ -47,7 +47,7 @@ public: void ClientUserName(const char* s); void ServerUserName(const char* s); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Rsh_Analyzer(conn); } static bool Available() diff --git a/src/Rlogin.cc b/src/Rlogin.cc index 1ad3f16d7e..b09e24d2cb 100644 --- a/src/Rlogin.cc +++ b/src/Rlogin.cc @@ -8,7 +8,7 @@ Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer) -: ContentLine_Analyzer(AnalyzerTag::Contents_Rlogin, conn, orig) +: ContentLine_Analyzer("CONTENTLINE", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; @@ -204,7 +204,7 @@ void Contents_Rlogin_Analyzer::BadProlog() Rlogin_Analyzer::Rlogin_Analyzer(Connection* conn) -: Login_Analyzer(AnalyzerTag::Rlogin, conn) +: Login_Analyzer("RLOGIN", conn) { Contents_Rlogin_Analyzer* orig = new Contents_Rlogin_Analyzer(conn, true, this); diff --git a/src/Rlogin.h b/src/Rlogin.h index f8ad480630..04486e4262 100644 --- a/src/Rlogin.h +++ b/src/Rlogin.h @@ -60,7 +60,7 @@ public: void ServerUserName(const char* s); void TerminalType(const char* s); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Rlogin_Analyzer(conn); } static bool Available() diff --git a/src/RuleAction.cc b/src/RuleAction.cc index bf90c0681e..808bead3d8 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc 
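Review bot: The Rlogin contents analyzer is registered under the name `"CONTENTLINE"` in `Contents_Rlogin_Analyzer`, while its Rsh counterpart in this same diff uses `"CONTENTS_RSH"` and the replaced tag was `AnalyzerTag::Contents_Rlogin`; this looks like the base class name was copied instead of the analyzer's own name. If the manager resolves names to tags, the rlogin support analyzer becomes indistinguishable by name from a plain ContentLine analyzer wherever `IsAnalyzer(...)` or name lookups are used. Suggest `: ContentLine_Analyzer("CONTENTS_RLOGIN", conn, orig)` for consistency with the other renamed analyzers, assuming a tag of that name is registered.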
@@ -8,9 +8,10 @@ using std::string; #include "Conn.h" #include "Event.h" #include "NetVar.h" -#include "DPM.h" #include "PIA.h" +#include "analyzer/Manager.h" + void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { @@ -34,42 +35,42 @@ void RuleActionEvent::PrintDebug() fprintf(stderr, " RuleActionEvent: |%s|\n", msg); } -RuleActionDPM::RuleActionDPM(const char* arg_analyzer) +RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer) { string str(arg_analyzer); string::size_type pos = str.find(':'); string arg = str.substr(0, pos); - analyzer = Analyzer::GetTag(arg.c_str()); + analyzer = analyzer_mgr->GetAnalyzerTag(arg); if ( pos != string::npos ) { arg = str.substr(pos + 1); - child_analyzer = Analyzer::GetTag(arg.c_str()); + child_analyzer = analyzer_mgr->GetAnalyzerTag(arg); } else - child_analyzer = AnalyzerTag::Error; + child_analyzer = analyzer::Tag::ERROR; - if ( analyzer != AnalyzerTag::Error ) - dpm->ActivateSigs(); + if ( analyzer != analyzer::Tag::ERROR ) + analyzer_mgr->ActivateSigs(); } -void RuleActionDPM::PrintDebug() +void RuleActionAnalyzer::PrintDebug() { - if ( child_analyzer == AnalyzerTag::Error ) - fprintf(stderr, "|%s|\n", Analyzer::GetTagName(analyzer)); + if ( child_analyzer == analyzer::Tag::ERROR ) + fprintf(stderr, "|%s|\n", analyzer_mgr->GetAnalyzerName(analyzer).c_str()); else fprintf(stderr, "|%s:%s|\n", - Analyzer::GetTagName(analyzer), - Analyzer::GetTagName(child_analyzer)); + analyzer_mgr->GetAnalyzerName(analyzer).c_str(), + analyzer_mgr->GetAnalyzerName(child_analyzer).c_str()); } void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { - if ( ChildAnalyzer() == AnalyzerTag::Error ) + if ( ChildAnalyzer() == analyzer::Tag::ERROR ) { - if ( ! Analyzer::IsAvailable(Analyzer()) ) + if ( ! analyzer_mgr->IsEnabled(Analyzer()) ) return; if ( state->PIA() ) 
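Review bot: An unknown analyzer name in a signature's enable/disable action now silently maps to `analyzer::Tag::ERROR` in `RuleActionAnalyzer::RuleActionAnalyzer` (the `if ( analyzer != analyzer::Tag::ERROR )` guard just skips `ActivateSigs()`), so a typo in a signature file turns the rule into a no-op with no diagnostic. Report it at parse time, before `arg` is reused for the child part: `if ( analyzer == analyzer::Tag::ERROR ) reporter->Warning("unknown analyzer '%s' in signature action", arg.c_str());` (assuming Reporter.h is in scope in this file). The child lookup a few lines later deserves the same treatment. That `GetAnalyzerTag` returns `ERROR` for unknown names is inferred from the comparison in this hunk; confirm against the manager implementation.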
@@ -77,7 +78,7 @@ void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state, } else { - if ( ! Analyzer::IsAvailable(ChildAnalyzer()) ) + if ( ! analyzer_mgr->IsEnabled(ChildAnalyzer()) ) return; // This is ugly and works only if there exists only one @@ -90,13 +91,13 @@ void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state, void RuleActionEnable::PrintDebug() { fprintf(stderr, " RuleActionEnable: "); - RuleActionDPM::PrintDebug(); + RuleActionAnalyzer::PrintDebug(); } void RuleActionDisable::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { - if ( ChildAnalyzer() == AnalyzerTag::Error ) + if ( ChildAnalyzer() == analyzer::Tag::ERROR ) { if ( state->PIA() ) state->PIA()->DeactivateAnalyzer(Analyzer()); @@ -109,5 +110,5 @@ void RuleActionDisable::DoAction(const Rule* parent, RuleEndpointState* state, void RuleActionDisable::PrintDebug() { fprintf(stderr, " RuleActionDisable: "); - RuleActionDPM::PrintDebug(); + RuleActionAnalyzer::PrintDebug(); } diff --git a/src/RuleAction.h b/src/RuleAction.h index a9feb0c314..f4c2ae4cfa 100644 --- a/src/RuleAction.h +++ b/src/RuleAction.h @@ -1,11 +1,12 @@ #ifndef ruleaction_h #define ruleaction_h -#include "AnalyzerTags.h" #include "BroString.h" #include "List.h" #include "util.h" +#include "analyzer/tag.h" + class Rule; class RuleEndpointState; 
@@ -35,29 +36,29 @@ private: const char* msg; }; -// Base class for DPM enable/disable actions. -class RuleActionDPM : public RuleAction { +// Base class for enable/disable actions. +class RuleActionAnalyzer : public RuleAction { public: - RuleActionDPM(const char* analyzer); + RuleActionAnalyzer(const char* analyzer); virtual void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) = 0; virtual void PrintDebug(); - AnalyzerTag::Tag Analyzer() const { return analyzer; } - AnalyzerTag::Tag ChildAnalyzer() const { return child_analyzer; } + analyzer::Tag Analyzer() const { return analyzer; } + analyzer::Tag ChildAnalyzer() const { return child_analyzer; } private: - // FIXME: This is in fact an AnalyzerID but we can't include "Analyzer.h" + // FIXME: This is in fact an analyzer::ID but we can't include "analyzer/Analyzer.h" // at this point due to circular dependenides. Fix that! - AnalyzerTag::Tag analyzer; - AnalyzerTag::Tag child_analyzer; + analyzer::Tag analyzer; + analyzer::Tag child_analyzer; }; -class RuleActionEnable : public RuleActionDPM { +class RuleActionEnable : public RuleActionAnalyzer { public: - RuleActionEnable(const char* analyzer) : RuleActionDPM(analyzer) {} + RuleActionEnable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} virtual void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len); @@ -65,9 +66,9 @@ public: virtual void PrintDebug(); }; -class RuleActionDisable : public RuleActionDPM { +class RuleActionDisable : public RuleActionAnalyzer { public: - RuleActionDisable(const char* analyzer) : RuleActionDPM(analyzer) {} + RuleActionDisable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} virtual void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len); diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index 410f6a1b3e..b31976711c 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc 
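Review bot: The rewritten FIXME comment in `RuleActionAnalyzer` carries over the typo "dependenides"; since the line above it is being edited anyway, make it `// at this point due to circular dependencies. Fix that!`. The comment also still says the field is "in fact an analyzer::ID" while its declared type is `analyzer::Tag`; if the ID/Tag distinction no longer applies after this refactor the sentence should say so, otherwise it reads as stale to the next maintainer.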
@@ -18,9 +18,9 @@ static inline bool is_established(const TCP_Endpoint* e) bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state, const u_char* data, int len) { - Analyzer* root = state->GetAnalyzer()->Conn()->GetRootAnalyzer(); + analyzer::Analyzer* root = state->GetAnalyzer()->Conn()->GetRootAnalyzer(); - if ( ! root || root->GetTag() != AnalyzerTag::TCP ) + if ( ! root || ! root->IsAnalyzer("TCP") ) return false; TCP_Analyzer* ta = static_cast(root); diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index c71f86108a..4c69576524 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -3,7 +3,7 @@ #include "config.h" -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "RuleMatcher.h" #include "DFA.h" #include "NetVar.h" @@ -159,7 +159,7 @@ void RuleHdrTest::PrintDebug() fprintf(stderr, "\n"); } -RuleEndpointState::RuleEndpointState(Analyzer* arg_analyzer, bool arg_is_orig, +RuleEndpointState::RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, RuleEndpointState* arg_opposite, ::PIA* arg_PIA) { @@ -562,7 +562,7 @@ static inline bool compare(const vector& prefixes, const IPAddr& a, return false; } -RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer, +RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, RuleEndpointState* opposite, bool from_orig, PIA* pia) @@ -1300,7 +1300,7 @@ uint32 id_to_uint(const char* id) return 0; } -void RuleMatcherState::InitEndpointMatcher(Analyzer* analyzer, const IP_Hdr* ip, +void RuleMatcherState::InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, bool from_orig, PIA* pia) { if ( ! rule_matcher ) diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index b8895513b4..1b2756594d 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h 
@@ -35,7 +35,7 @@ extern const char* current_rule_file; class RuleMatcher; extern RuleMatcher* rule_matcher; -class Analyzer; +namespace analyzer { class Analyzer; } class PIA; // RuleHdrTest and associated things: @@ -140,7 +140,7 @@ class RuleEndpointState { public: ~RuleEndpointState(); - Analyzer* GetAnalyzer() const { return analyzer; } + analyzer::Analyzer* GetAnalyzer() const { return analyzer; } bool IsOrig() { return is_orig; } // For flipping roles. @@ -159,7 +159,7 @@ private: // Constructor is private; use RuleMatcher::InitEndpoint() // for creating an instance. - RuleEndpointState(Analyzer* arg_analyzer, bool arg_is_orig, + RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, RuleEndpointState* arg_opposite, ::PIA* arg_PIA); struct Matcher { @@ -171,7 +171,7 @@ private: typedef PList(Matcher) matcher_list; bool is_orig; - Analyzer* analyzer; + analyzer::Analyzer* analyzer; RuleEndpointState* opposite; ::PIA* pia; @@ -207,7 +207,7 @@ public: // the given packet (which should be the first packet encountered for // this endpoint). If the matching is triggered by an PIA, a pointer to // it needs to be given. - RuleEndpointState* InitEndpoint(Analyzer* analyzer, const IP_Hdr* ip, + RuleEndpointState* InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, RuleEndpointState* opposite, bool is_orig, PIA* pia); // Finish matching for this stream. @@ -310,7 +310,7 @@ public: { delete orig_match_state; delete resp_match_state; } // ip may be nil. - void InitEndpointMatcher(Analyzer* analyzer, const IP_Hdr* ip, + void InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, bool from_orig, PIA* pia = 0); // bol/eol should be set to false for type Rule::PAYLOAD; they're diff --git a/src/SMB.cc b/src/SMB.cc index a06707328a..24cbf2dc1a 100644 --- a/src/SMB.cc +++ b/src/SMB.cc 
@@ -93,7 +93,7 @@ static int lookup_IPC_name(BroString* name) return IPC_NONE; } -SMB_Session::SMB_Session(Analyzer* arg_analyzer) +SMB_Session::SMB_Session(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; dce_rpc_session = 0; @@ -1104,7 +1104,7 @@ bool SMB_Session::CheckRPC(int is_orig, int data_count, const u_char *data) } Contents_SMB::Contents_SMB(Connection* conn, bool orig, SMB_Session* s) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_SMB, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_SMB", conn, orig) { smb_session = s; msg_buf = 0; @@ -1221,7 +1221,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig) } SMB_Analyzer::SMB_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::SMB, conn) +: TCP_ApplicationAnalyzer("SMB", conn) { smb_session = new SMB_Session(this); o_smb = new Contents_SMB(conn, true, smb_session); diff --git a/src/SMB.h b/src/SMB.h index f7287efb79..23af04720e 100644 --- a/src/SMB.h +++ b/src/SMB.h @@ -39,7 +39,7 @@ protected: class SMB_Session { public: - SMB_Session(Analyzer* analyzer); + SMB_Session(analyzer::Analyzer* analyzer); ~SMB_Session(); void Deliver(int is_orig, int len, const u_char* msg); @@ -158,7 +158,7 @@ protected: Val* BuildTransactionVal(binpac::SMB::SMB_transaction_response const &trans); Val* BuildTransactionDataVal(binpac::SMB::SMB_transaction_data* data); - Analyzer* analyzer; + analyzer::Analyzer* analyzer; DCE_RPC_Session* dce_rpc_session; enum IPC_named_pipe IPC_pipe; int is_IPC; @@ -195,7 +195,7 @@ public: SMB_Analyzer(Connection* conn); ~SMB_Analyzer(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SMB_Analyzer(conn); } static bool Available() diff --git a/src/SMTP.cc b/src/SMTP.cc index 85a3bc79dc..16be4480dc 100644 --- a/src/SMTP.cc +++ b/src/SMTP.cc 
@@ -21,7 +21,7 @@ static const char* smtp_cmd_word[] = { SMTP_Analyzer::SMTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::SMTP, conn) +: TCP_ApplicationAnalyzer("SMTP", conn) { expect_sender = 0; expect_recver = 1; diff --git a/src/SMTP.h b/src/SMTP.h index 5b15dc44c0..563b99cc32 100644 --- a/src/SMTP.h +++ b/src/SMTP.h @@ -47,7 +47,7 @@ public: void SkipData() { skip_data = 1; } // skip delivery of data lines - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SMTP_Analyzer(conn); } diff --git a/src/SOCKS.cc b/src/SOCKS.cc index 4a6eda7043..0157c19cd7 100644 --- a/src/SOCKS.cc +++ b/src/SOCKS.cc @@ -3,7 +3,7 @@ #include "TCP_Reassembler.h" SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::SOCKS, conn) +: TCP_ApplicationAnalyzer("SOCKS", conn) { interp = new binpac::SOCKS::SOCKS_Conn(this); orig_done = resp_done = false; diff --git a/src/SOCKS.h b/src/SOCKS.h index 9753abb660..9557dc761d 100644 --- a/src/SOCKS.h +++ b/src/SOCKS.h @@ -25,7 +25,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SOCKS_Analyzer(conn); } static bool Available() diff --git a/src/SSH.cc b/src/SSH.cc index 3a8f468ae4..0bb710ac2f 100644 --- a/src/SSH.cc +++ b/src/SSH.cc @@ -10,7 +10,7 @@ #include "ContentLine.h" SSH_Analyzer::SSH_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::SSH, c) +: TCP_ApplicationAnalyzer("SSH", c) { orig = new ContentLine_Analyzer(c, true); orig->SetSkipPartial(true); diff --git a/src/SSH.h b/src/SSH.h index ccdcd76929..0d3fa4d6e6 100644 --- a/src/SSH.h +++ b/src/SSH.h 
@@ -12,7 +12,7 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SSH_Analyzer(conn); } static bool Available() diff --git a/src/SSL.cc b/src/SSL.cc index 4658bbbc16..7dd2e0525a 100644 --- a/src/SSL.cc +++ b/src/SSL.cc @@ -4,7 +4,7 @@ #include "util.h" SSL_Analyzer::SSL_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::SSL, c) +: TCP_ApplicationAnalyzer("SSL", c) { interp = new binpac::SSL::SSL_Conn(this); had_gap = false; diff --git a/src/SSL.h b/src/SSL.h index d0ef164877..ee2148450f 100644 --- a/src/SSL.h +++ b/src/SSL.h @@ -17,7 +17,7 @@ public: // Overriden from TCP_ApplicationAnalyzer. virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SSL_Analyzer(conn); } static bool Available() diff --git a/src/Sessions.cc b/src/Sessions.cc index 2e5a6ded30..f18d12ef90 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -27,11 +27,12 @@ #include "InterConn.h" #include "Discard.h" #include "RuleMatcher.h" -#include "DPM.h" #include "PacketSort.h" #include "TunnelEncapsulation.h" +#include "analyzer/Manager.h" + // These represent NetBIOS services on ephemeral ports. They're numbered // so that we can use a single int to hold either an actual TCP/UDP server // port or one of these. @@ -967,7 +968,7 @@ void NetSessions::Remove(Connection* c) TCP_Analyzer* ta = (TCP_Analyzer*) c->GetRootAnalyzer(); if ( ta && c->ConnTransport() == TRANSPORT_TCP ) { - assert(ta->GetTag() == AnalyzerTag::TCP); + assert(ta->IsAnalyzer("TCP")); TCP_Endpoint* to = ta->Orig(); TCP_Endpoint* tr = ta->Resp(); 
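Review bot: `assert(ta->IsAnalyzer("TCP"))` in `NetSessions::Remove` only executes in builds with assertions enabled; under `NDEBUG` the C-style cast `(TCP_Analyzer*) c->GetRootAnalyzer()` on the line above is entirely unchecked, and with the tag enum gone this name check is now the only thing tying the cast to the real type. If a non-TCP root analyzer on a TCP-transport connection is possible, keep the assert and add a non-debug guard (`if ( ! ta->IsAnalyzer("TCP") ) return;` or an explicit report) before dereferencing `ta->Orig()`/`ta->Resp()`; if it cannot happen, a one-line comment stating why would help. The enclosing function continues outside the hunk.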
@@ -1178,7 +1179,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, Connection* conn = new Connection(this, k, t, id, flow_label, encapsulation); conn->SetTransport(tproto); - dpm->BuildInitialAnalyzerTree(tproto, conn, data); + analyzer_mgr->BuildInitialAnalyzerTree(tproto, conn, data); bool external = conn->IsExternal(); diff --git a/src/SteppingStone.cc b/src/SteppingStone.cc index 32850d82c6..1809b4abef 100644 --- a/src/SteppingStone.cc +++ b/src/SteppingStone.cc @@ -157,7 +157,7 @@ void SteppingStoneEndpoint::CreateEndpEvent(int is_orig) } SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::SteppingStone, c) +: TCP_ApplicationAnalyzer("STEPPINGSTONE", c) { stp_manager = sessions->GetSTPManager(); diff --git a/src/SteppingStone.h b/src/SteppingStone.h index a47b268c83..aab411a46d 100644 --- a/src/SteppingStone.h +++ b/src/SteppingStone.h @@ -51,7 +51,7 @@ public: virtual void Init(); virtual void Done(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SteppingStone_Analyzer(conn); } static bool Available() { return stp_correlate_pair; } diff --git a/src/Syslog-binpac.cc b/src/Syslog-binpac.cc index c8697d0f3f..37449004c7 100644 --- a/src/Syslog-binpac.cc +++ b/src/Syslog-binpac.cc @@ -2,7 +2,7 @@ #include "TCP_Reassembler.h" Syslog_Analyzer_binpac::Syslog_Analyzer_binpac(Connection* conn) -: Analyzer(AnalyzerTag::SYSLOG_BINPAC, conn) +: Analyzer("SYSLOG_BINPAC", conn) { interp = new binpac::Syslog::Syslog_Conn(this); did_session_done = 0; @@ -45,7 +45,7 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // } //Syslog_TCP_Analyzer_binpac::Syslog_TCP_Analyzer_binpac(Connection* conn) -//: TCP_ApplicationAnalyzer(AnalyzerTag::Syslog_TCP_BINPAC, conn) +//: TCP_ApplicationAnalyzer(conn) // { // interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); // } 
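Review bot: The commented-out `Syslog_TCP_Analyzer_binpac` constructor was changed to `//: TCP_ApplicationAnalyzer(conn)`, which does not match the new `TCP_ApplicationAnalyzer(const char* name, Connection* conn)` signature introduced in TCP.h in this diff, so the dead code would not compile if it were ever re-enabled. Either give it a name like the live analyzers, e.g. `//: TCP_ApplicationAnalyzer("SYSLOG_TCP_BINPAC", conn)`, or drop the commented block instead of half-updating it.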
diff --git a/src/Syslog-binpac.h b/src/Syslog-binpac.h index fcd75edf0e..85caf5aaa4 100644 --- a/src/Syslog-binpac.h +++ b/src/Syslog-binpac.h @@ -6,7 +6,7 @@ #include "syslog_pac.h" -class Syslog_Analyzer_binpac : public Analyzer { +class Syslog_Analyzer_binpac : public analyzer::Analyzer { public: Syslog_Analyzer_binpac(Connection* conn); virtual ~Syslog_Analyzer_binpac(); @@ -15,7 +15,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Syslog_Analyzer_binpac(conn); } static bool Available() @@ -42,7 +42,7 @@ protected: // virtual void Undelivered(int seq, int len, bool orig); // virtual void EndpointEOF(TCP_Reassembler* endp); // -// static Analyzer* InstantiateAnalyzer(Connection* conn) +// static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) // { return new Syslog_TCP_Analyzer_binpac(conn); } // // static bool Available() diff --git a/src/TCP.cc b/src/TCP.cc index da977d8157..feb21c3271 100644 --- a/src/TCP.cc +++ b/src/TCP.cc @@ -32,7 +32,7 @@ static const int ORIG = 1; static const int RESP = 2; TCP_Analyzer::TCP_Analyzer(Connection* conn) -: TransportLayerAnalyzer(AnalyzerTag::TCP, conn) +: TransportLayerAnalyzer("TCP", conn) { // Set a timer to eventually time out this connection. ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer, @@ -1551,6 +1551,10 @@ void TCP_Analyzer::DeleteTimer(double /* t */) sessions->Remove(Conn()); } +void TCP_Analyzer::ConnDeleteTimer(double t) + { + Conn()->DeleteTimer(t); + } // The following need to be consistent with bro.init. #define CONTENTS_NONE 0 @@ -1847,7 +1851,7 @@ void TCP_ApplicationAnalyzer::Init() { Analyzer::Init(); - if ( Parent()->GetTag() == AnalyzerTag::TCP ) + if ( Parent()->IsAnalyzer("TCP") ) SetTCP(static_cast(Parent())); } 
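Review bot: The new out-of-line `TCP_Analyzer::ConnDeleteTimer` has no blank line between its closing brace and the `// The following need to be consistent with bro.init.` comment, so that comment now visually attaches to the function; add the separating blank line after `}`. Moving the one-liner out of the header is otherwise fine, but TCP.h in this diff also starts including `Conn.h`, which is presumably what made the inline definition compilable before, so one of the two changes is likely unnecessary.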
@@ -1883,7 +1887,7 @@ void TCP_ApplicationAnalyzer::SetEnv(bool /* is_orig */, char* name, char* val) void TCP_ApplicationAnalyzer::EndpointEOF(bool is_orig) { - SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters; + analyzer::SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters; for ( ; sa; sa = sa->Sibling() ) static_cast(sa)->EndpointEOF(is_orig); } @@ -1891,7 +1895,7 @@ void TCP_ApplicationAnalyzer::EndpointEOF(bool is_orig) void TCP_ApplicationAnalyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer, int gen_event) { - SupportAnalyzer* sa = + analyzer::SupportAnalyzer* sa = endpoint->IsOrig() ? orig_supporters : resp_supporters; for ( ; sa; sa = sa->Sibling() ) 
@@ -1901,30 +1905,30 @@ void TCP_ApplicationAnalyzer::ConnectionClosed(TCP_Endpoint* endpoint, void TCP_ApplicationAnalyzer::ConnectionFinished(int half_finished) { - for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa) ->ConnectionFinished(half_finished); - for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa) ->ConnectionFinished(half_finished); } void TCP_ApplicationAnalyzer::ConnectionReset() { - for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->ConnectionReset(); - for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->ConnectionReset(); } void TCP_ApplicationAnalyzer::PacketWithRST() { - for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->PacketWithRST(); - for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->PacketWithRST(); } @@ -2060,7 +2064,7 @@ RecordVal* TCPStats_Endpoint::BuildStats() } TCPStats_Analyzer::TCPStats_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::TCPStats, c) +: TCP_ApplicationAnalyzer("TCPSTATS", c) { } diff --git a/src/TCP.h b/src/TCP.h index 635fda7960..93c008af58 100644 --- a/src/TCP.h +++ b/src/TCP.h 
@@ -3,10 +3,12 @@ #ifndef TCP_H #define TCP_H -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "TCP.h" #include "PacketDumper.h" #include "IPAddr.h" +#include "TCP_Endpoint.h" +#include "Conn.h" // We define two classes here: // - TCP_Analyzer is the analyzer for the TCP protocol itself. @@ -16,6 +18,7 @@ class PIA_TCP; class TCP_ApplicationAnalyzer; class TCP_Reassembler; +class TCP_Endpoint; class TCP_Flags { public: @@ -32,7 +35,7 @@ protected: u_char flags; }; -class TCP_Analyzer : public TransportLayerAnalyzer { +class TCP_Analyzer : public analyzer::TransportLayerAnalyzer { public: TCP_Analyzer(Connection* conn); virtual ~TCP_Analyzer(); @@ -41,7 +44,7 @@ public: // Add a child analyzer that will always get the packets, // independently of whether we do any reassembly. - void AddChildPacketAnalyzer(Analyzer* a) + void AddChildPacketAnalyzer(analyzer::Analyzer* a) { packet_children.push_back(a); a->SetParent(this); } // True if the connection has closed in some sense, false otherwise. @@ -85,7 +88,7 @@ public: proc_tcp_option_t proc, TCP_Analyzer* analyzer, bool is_orig, void* cookie); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new TCP_Analyzer(conn); } static bool Available() { return true; } @@ -213,7 +216,7 @@ protected: void ExpireTimer(double t); void ResetTimer(double t); void DeleteTimer(double t); - void ConnDeleteTimer(double t) { Conn()->DeleteTimer(t); } + void ConnDeleteTimer(double t); void EndpointEOF(TCP_Reassembler* endp); void ConnectionClosed(TCP_Endpoint* endpoint, @@ -240,6 +243,7 @@ private: TCP_Endpoint* orig; TCP_Endpoint* resp; + typedef list analyzer_list; analyzer_list packet_children; unsigned int first_packet_seen: 2; 
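Review bot: The `@@ -16` hunk adds a forward declaration `class TCP_Endpoint;` while the `@@ -3` hunk already includes `TCP_Endpoint.h`, so one of the two is redundant; the parts of this header visible in the diff only use `TCP_Endpoint*`, so the forward declaration is the lighter choice and the include could go, unless a by-value use exists outside the hunks. Adding `#include "Conn.h"` here also widens the include graph for every analyzer that includes TCP.h, and the `@@ -213` hunk moved `ConnDeleteTimer` out of line, which is exactly what would avoid needing `Conn.h` in the header. The self-include `#include "TCP.h"` is pre-existing and harmless under the guard, but worth dropping while the include list is being edited.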
@@ -259,10 +263,10 @@ private: unsigned int seen_first_ACK: 1; }; -class TCP_ApplicationAnalyzer : public Analyzer { +class TCP_ApplicationAnalyzer : public analyzer::Analyzer { public: - TCP_ApplicationAnalyzer(AnalyzerTag::Tag tag, Connection* conn) - : Analyzer(tag, conn) + TCP_ApplicationAnalyzer(const char* name, Connection* conn) + : Analyzer(name, conn) { tcp = 0; } virtual ~TCP_ApplicationAnalyzer() { } @@ -273,8 +277,7 @@ public: { return tcp ? tcp : - static_cast( - Conn()->FindAnalyzer(AnalyzerTag::TCP)); + static_cast(Conn()->FindAnalyzer("TCP")); } void SetTCP(TCP_Analyzer* arg_tcp) { tcp = arg_tcp; } @@ -308,17 +311,14 @@ public: // delete them when done with them. virtual void SetEnv(bool orig, char* name, char* val); -protected: - TCP_ApplicationAnalyzer() { }; - private: TCP_Analyzer* tcp; }; -class TCP_SupportAnalyzer : public SupportAnalyzer { +class TCP_SupportAnalyzer : public analyzer::SupportAnalyzer { public: - TCP_SupportAnalyzer(AnalyzerTag::Tag tag, Connection* conn, bool arg_orig) - : SupportAnalyzer(tag, conn, arg_orig) { } + TCP_SupportAnalyzer(const char* name, Connection* conn, bool arg_orig) + : analyzer::SupportAnalyzer(name, conn, arg_orig) { } virtual ~TCP_SupportAnalyzer() {} @@ -362,7 +362,7 @@ public: virtual void Init(); virtual void Done(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new TCPStats_Analyzer(conn); } static bool Available() { return conn_stats || tcp_rexmit; } diff --git a/src/TCP_Reassembler.cc b/src/TCP_Reassembler.cc index eb2709373c..a9c25781c4 100644 --- a/src/TCP_Reassembler.cc +++ b/src/TCP_Reassembler.cc @@ -1,6 +1,6 @@ #include -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "TCP_Reassembler.h" #include "TCP.h" #include "TCP_Endpoint.h" 
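Review bot: `TCP()` now falls back to `Conn()->FindAnalyzer("TCP")` whenever `tcp` is null, which replaces an enum comparison with a name-based lookup on every access for analyzers that never had `SetTCP()` called; if `FindAnalyzer` resolves the name through the manager each time, consider caching the result (`tcp = static_cast<TCP_Analyzer*>(Conn()->FindAnalyzer("TCP")); return tcp;`) provided the root analyzer cannot change afterwards. The `@@ -308` hunk also deletes the protected default constructor `TCP_ApplicationAnalyzer() { }`, a source-incompatible change for any subclass that relied on it; I cannot verify from this diff that no such subclass exists.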
@@ -25,7 +25,7 @@ static uint64 last_ack_bytes = 0; static uint64 last_gap_events = 0; static uint64 last_gap_bytes = 0; -TCP_Reassembler::TCP_Reassembler(Analyzer* arg_dst_analyzer, +TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, TCP_Reassembler::Type arg_type, bool arg_is_orig, TCP_Endpoint* arg_endp) diff --git a/src/TCP_Reassembler.h b/src/TCP_Reassembler.h index cb1750e2a2..410aa7cbbc 100644 --- a/src/TCP_Reassembler.h +++ b/src/TCP_Reassembler.h @@ -14,7 +14,7 @@ class BroFile; class Connection; class TCP_Analyzer; -class Analyzer; +namespace analyzer { class Analyzer; } const int STOP_ON_GAP = 1; const int PUNT_ON_PARTIAL = 1; @@ -26,7 +26,7 @@ public: Forward, // forward to destination analyzer's children }; - TCP_Reassembler(Analyzer* arg_dst_analyzer, + TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, Type arg_type, bool arg_is_orig, TCP_Endpoint* arg_endp); @@ -34,7 +34,7 @@ public: void Done(); - void SetDstAnalyzer(Analyzer* analyzer) { dst_analyzer = analyzer; } + void SetDstAnalyzer(analyzer::Analyzer* analyzer) { dst_analyzer = analyzer; } void SetType(Type arg_type) { type = arg_type; } TCP_Analyzer* GetTCPAnalyzer() { return tcp_analyzer; } @@ -125,7 +125,7 @@ private: BroFile* record_contents_file; // file on which to reassemble contents - Analyzer* dst_analyzer; + analyzer::Analyzer* dst_analyzer; TCP_Analyzer* tcp_analyzer; Type type; diff --git a/src/Telnet.cc b/src/Telnet.cc index 62c7d7b500..47991177f2 100644 --- a/src/Telnet.cc +++ b/src/Telnet.cc @@ -6,7 +6,7 @@ #include "NVT.h" Telnet_Analyzer::Telnet_Analyzer(Connection* conn) -: Login_Analyzer(AnalyzerTag::Telnet, conn) +: Login_Analyzer("TELNET", conn) { NVT_Analyzer* nvt_orig = new NVT_Analyzer(conn, true); NVT_Analyzer* nvt_resp = new NVT_Analyzer(conn, false); diff --git a/src/Telnet.h b/src/Telnet.h index 5675775789..6e1695be9c 100644 --- a/src/Telnet.h +++ b/src/Telnet.h 
@@ -10,7 +10,7 @@ public: Telnet_Analyzer(Connection* conn); virtual ~Telnet_Analyzer() {} - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Telnet_Analyzer(conn); } static bool Available() diff --git a/src/Teredo.cc b/src/Teredo.cc index 7794d1cb3b..88ed6d582e 100644 --- a/src/Teredo.cc +++ b/src/Teredo.cc @@ -1,5 +1,7 @@ #include "Teredo.h" +#include "TunnelEncapsulation.h" +#include "Conn.h" #include "IP.h" #include "Reporter.h" diff --git a/src/Teredo.h b/src/Teredo.h index e720d3f37c..d3e3336f9b 100644 --- a/src/Teredo.h +++ b/src/Teredo.h @@ -1,12 +1,13 @@ #ifndef Teredo_h #define Teredo_h -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "NetVar.h" +#include "Reporter.h" -class Teredo_Analyzer : public Analyzer { +class Teredo_Analyzer : public analyzer::Analyzer { public: - Teredo_Analyzer(Connection* conn) : Analyzer(AnalyzerTag::Teredo, conn), + Teredo_Analyzer(Connection* conn) : Analyzer("TEREDO", conn), valid_orig(false), valid_resp(false) {} @@ -18,7 +19,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Teredo_Analyzer(conn); } static bool Available() diff --git a/src/UDP.cc b/src/UDP.cc index d85cb39edd..2fd80cfce3 100644 --- a/src/UDP.cc +++ b/src/UDP.cc @@ -8,9 +8,10 @@ #include "NetVar.h" #include "UDP.h" #include "Reporter.h" +#include "Conn.h" UDP_Analyzer::UDP_Analyzer(Connection* conn) -: TransportLayerAnalyzer(AnalyzerTag::UDP, conn) +: TransportLayerAnalyzer("UDP", conn) { conn->EnableStatusUpdateTimer(); conn->SetInactivityTimeout(udp_inactivity_timeout); diff --git a/src/UDP.h b/src/UDP.h index b93d4da97f..36a9b84dcd 100644 --- a/src/UDP.h +++ b/src/UDP.h 
@@ -3,7 +3,7 @@ #ifndef udp_h #define udp_h -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include typedef enum { @@ -11,7 +11,7 @@ typedef enum { UDP_ACTIVE, // packets seen } UDP_EndpointState; -class UDP_Analyzer : public TransportLayerAnalyzer { +class UDP_Analyzer : public analyzer::TransportLayerAnalyzer { public: UDP_Analyzer(Connection* conn); virtual ~UDP_Analyzer(); @@ -20,7 +20,7 @@ public: virtual void UpdateConnVal(RecordVal *conn_val); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new UDP_Analyzer(conn); } static bool Available() { return true; } diff --git a/src/Val.cc b/src/Val.cc index 5133550236..8b55049706 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -1049,6 +1049,11 @@ StringVal::StringVal(const char* s) : Val(TYPE_STRING) val.string_val = new BroString(s); } +StringVal::StringVal(const string& s) : Val(TYPE_STRING) + { + val.string_val = new BroString(s.c_str()); + } + StringVal* StringVal::ToUpper() { val.string_val->ToUpper(); diff --git a/src/Val.h b/src/Val.h index 4b2705c5b4..019c390699 100644 --- a/src/Val.h +++ b/src/Val.h @@ -608,6 +608,7 @@ class StringVal : public Val { public: StringVal(BroString* s); StringVal(const char* s); + StringVal(const string& s); StringVal(int length, const char* s); Val* SizeVal() const diff --git a/src/ZIP.cc b/src/ZIP.cc index 0ebe93abe6..d3d9b1c38b 100644 --- a/src/ZIP.cc +++ b/src/ZIP.cc @@ -3,7 +3,7 @@ #include "ZIP.h" ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method) -: TCP_SupportAnalyzer(AnalyzerTag::Zip, conn, orig) +: TCP_SupportAnalyzer("ZIP", conn, orig) { zip = 0; zip_status = Z_OK; diff --git a/src/analyzer.bif b/src/analyzer.bif new file mode 100644 index 0000000000..2ce5af992d --- /dev/null +++ b/src/analyzer.bif 
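Review bot: `new BroString(s.c_str())` in the new `StringVal(const string&)` constructor stops at the first NUL byte, so a `std::string` carrying binary payload (anything copied out of packet data) is silently truncated when it becomes a `StringVal`, and logging or signature matching downstream sees less than was on the wire. Build the `BroString` from `s.data()` and `s.size()` with the same length-preserving construction the existing `StringVal(int length, const char* s)` overload presumably uses, rather than going through a C string. In Val.h the new declaration is a non-explicit single-argument constructor, consistent with its neighbours but worth an `explicit` if those are ever tightened.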
@@ -0,0 +1,39 @@
+##! Internal functions and types used by the logging framework.
+
+module Analyzer;
+
+%%{
+#include "NetVar.h"
+
+#include "analyzer/Manager.h"
+%%}
+
+function Analyzer::__enable_analyzer%(id: Analyzer::Tag%) : bool
+ %{
+ bool result = analyzer_mgr->EnableAnalyzer(id->AsEnumVal());
+ return new Val(result, TYPE_BOOL);
+ %}
+
+function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool
+ %{
+ bool result = analyzer_mgr->DisableAnalyzer(id->AsEnumVal());
+ return new Val(result, TYPE_BOOL);
+ %}
+
+function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool
+ %{
+ bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p);
+ return new Val(result, TYPE_BOOL);
+ %}
+
+function Analyzer::__expect_connection%(orig: addr, resp: addr, resp_p: port,
+ analyzer: Analyzer::Tag, tout: interval%) : bool
+ %{
+ analyzer_mgr->ExpectConnection(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout, 0);
+ return new Val(true, TYPE_BOOL);
+ %}
+
+function __name%(atype: Analyzer::Tag%) : string
+ %{
+ return new StringVal(analyzer_mgr->GetAnalyzerName(atype));
+ %}
diff --git a/src/Analyzer.cc b/src/analyzer/Analyzer.cc
similarity index 65%
rename from src/Analyzer.cc
rename to src/analyzer/Analyzer.cc
index 15926dfa2a..ca15ad56e1
--- a/src/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
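Review bot: `Analyzer::__expect_connection` discards whatever `analyzer_mgr->ExpectConnection(...)` reports and returns `new Val(true, TYPE_BOOL)` unconditionally, so its boolean result carries no information; either return the manager's result the way the three functions above do, or document that the call cannot fail. The file comment `##! Internal functions and types used by the logging framework.` looks copied from another bif and should read `##! Internal functions and types used by the analyzer framework.`. The trailing `0` argument to `ExpectConnection` is unexplained here; a short comment naming that parameter would help readers.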
@@ -1,186 +1,13 @@ + #include #include "Analyzer.h" -#include "PIA.h" -#include "Event.h" +#include "Manager.h" -#include "AYIYA.h" -#include "BackDoor.h" -#include "BitTorrent.h" -#include "BitTorrentTracker.h" -#include "Finger.h" -#include "InterConn.h" -#include "NTP.h" -#include "HTTP.h" -#include "HTTP-binpac.h" -#include "ICMP.h" -#include "SteppingStone.h" -#include "IRC.h" -#include "SMTP.h" -#include "FTP.h" -#include "FileAnalyzer.h" -#include "DNS.h" -#include "DNS-binpac.h" -#include "DHCP-binpac.h" -#include "Telnet.h" -#include "Rlogin.h" -#include "RSH.h" -#include "DCE_RPC.h" -#include "Gnutella.h" -#include "Ident.h" -#include "Modbus.h" -#include "NCP.h" -#include "NetbiosSSN.h" -#include "SMB.h" -#include "NFS.h" -#include "Portmap.h" -#include "POP3.h" -#include "SOCKS.h" -#include "SSH.h" -#include "SSL.h" -#include "Syslog-binpac.h" -#include "Teredo.h" -#include "ConnSizeAnalyzer.h" -#include "GTPv1.h" +#include "../PIA.h" +#include "../Event.h" -// Keep same order here as in AnalyzerTag definition! 
-const Analyzer::Config Analyzer::analyzer_configs[] = { - { AnalyzerTag::Error, "", 0, 0, 0, false }, - - { AnalyzerTag::PIA_TCP, "PIA_TCP", PIA_TCP::InstantiateAnalyzer, - PIA_TCP::Available, 0, false }, - { AnalyzerTag::PIA_UDP, "PIA_UDP", PIA_UDP::InstantiateAnalyzer, - PIA_UDP::Available, 0, false }, - - { AnalyzerTag::ICMP, "ICMP", ICMP_Analyzer::InstantiateAnalyzer, - ICMP_Analyzer::Available, 0, false }, - - { AnalyzerTag::TCP, "TCP", TCP_Analyzer::InstantiateAnalyzer, - TCP_Analyzer::Available, 0, false }, - { AnalyzerTag::UDP, "UDP", UDP_Analyzer::InstantiateAnalyzer, - UDP_Analyzer::Available, 0, false }, - - { AnalyzerTag::BitTorrent, "BITTORRENT", - BitTorrent_Analyzer::InstantiateAnalyzer, - BitTorrent_Analyzer::Available, 0, false }, - { AnalyzerTag::BitTorrentTracker, "BITTORRENTTRACKER", - BitTorrentTracker_Analyzer::InstantiateAnalyzer, - BitTorrentTracker_Analyzer::Available, 0, false }, - { AnalyzerTag::DCE_RPC, "DCE_RPC", - DCE_RPC_Analyzer::InstantiateAnalyzer, - DCE_RPC_Analyzer::Available, 0, false }, - { AnalyzerTag::DNS, "DNS", DNS_Analyzer::InstantiateAnalyzer, - DNS_Analyzer::Available, 0, false }, - { AnalyzerTag::Finger, "FINGER", Finger_Analyzer::InstantiateAnalyzer, - Finger_Analyzer::Available, 0, false }, - { AnalyzerTag::FTP, "FTP", FTP_Analyzer::InstantiateAnalyzer, - FTP_Analyzer::Available, 0, false }, - { AnalyzerTag::Gnutella, "GNUTELLA", - Gnutella_Analyzer::InstantiateAnalyzer, - Gnutella_Analyzer::Available, 0, false }, - { AnalyzerTag::HTTP, "HTTP", HTTP_Analyzer::InstantiateAnalyzer, - HTTP_Analyzer::Available, 0, false }, - { AnalyzerTag::Ident, "IDENT", Ident_Analyzer::InstantiateAnalyzer, - Ident_Analyzer::Available, 0, false }, - { AnalyzerTag::IRC, "IRC", IRC_Analyzer::InstantiateAnalyzer, - IRC_Analyzer::Available, 0, false }, - { AnalyzerTag::Login, "LOGIN", 0, 0, 0, false }, // just a base class - { AnalyzerTag::NCP, "NCP", NCP_Analyzer::InstantiateAnalyzer, - NCP_Analyzer::Available, 0, false }, - { 
AnalyzerTag::NetbiosSSN, "NetbiosSSN", - NetbiosSSN_Analyzer::InstantiateAnalyzer, - NetbiosSSN_Analyzer::Available, 0, false }, - { AnalyzerTag::NFS, "NFS", NFS_Analyzer::InstantiateAnalyzer, - NFS_Analyzer::Available, 0, false }, - { AnalyzerTag::NTP, "NTP", NTP_Analyzer::InstantiateAnalyzer, - NTP_Analyzer::Available, 0, false }, - { AnalyzerTag::POP3, "POP3", POP3_Analyzer::InstantiateAnalyzer, - POP3_Analyzer::Available, 0, false }, - { AnalyzerTag::Portmapper, "PORTMAPPER", - Portmapper_Analyzer::InstantiateAnalyzer, - Portmapper_Analyzer::Available, 0, false }, - { AnalyzerTag::Rlogin, "RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer, - Rlogin_Analyzer::Available, 0, false }, - { AnalyzerTag::RPC, "RPC", 0, 0, 0, false }, - { AnalyzerTag::Rsh, "RSH", Rsh_Analyzer::InstantiateAnalyzer, - Rsh_Analyzer::Available, 0, false }, - { AnalyzerTag::SMB, "SMB", SMB_Analyzer::InstantiateAnalyzer, - SMB_Analyzer::Available, 0, false }, - { AnalyzerTag::SMTP, "SMTP", SMTP_Analyzer::InstantiateAnalyzer, - SMTP_Analyzer::Available, 0, false }, - { AnalyzerTag::SSH, "SSH", SSH_Analyzer::InstantiateAnalyzer, - SSH_Analyzer::Available, 0, false }, - { AnalyzerTag::Telnet, "TELNET", Telnet_Analyzer::InstantiateAnalyzer, - Telnet_Analyzer::Available, 0, false }, - - { AnalyzerTag::DHCP_BINPAC, "DHCP_BINPAC", - DHCP_Analyzer_binpac::InstantiateAnalyzer, - DHCP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::DNS_TCP_BINPAC, "DNS_TCP_BINPAC", - DNS_TCP_Analyzer_binpac::InstantiateAnalyzer, - DNS_TCP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::DNS_UDP_BINPAC, "DNS_UDP_BINPAC", - DNS_UDP_Analyzer_binpac::InstantiateAnalyzer, - DNS_UDP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::HTTP_BINPAC, "HTTP_BINPAC", - HTTP_Analyzer_binpac::InstantiateAnalyzer, - HTTP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::SSL, "SSL", - SSL_Analyzer::InstantiateAnalyzer, - SSL_Analyzer::Available, 0, false }, - { AnalyzerTag::SYSLOG_BINPAC, "SYSLOG_BINPAC", - 
Syslog_Analyzer_binpac::InstantiateAnalyzer, - Syslog_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::Modbus, "MODBUS", - ModbusTCP_Analyzer::InstantiateAnalyzer, - ModbusTCP_Analyzer::Available, 0, false }, - - { AnalyzerTag::AYIYA, "AYIYA", - AYIYA_Analyzer::InstantiateAnalyzer, - AYIYA_Analyzer::Available, 0, false }, - { AnalyzerTag::SOCKS, "SOCKS", - SOCKS_Analyzer::InstantiateAnalyzer, - SOCKS_Analyzer::Available, 0, false }, - { AnalyzerTag::Teredo, "TEREDO", - Teredo_Analyzer::InstantiateAnalyzer, - Teredo_Analyzer::Available, 0, false }, - { AnalyzerTag::GTPv1, "GTPV1", - GTPv1_Analyzer::InstantiateAnalyzer, - GTPv1_Analyzer::Available, 0, false }, - - { AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer, - File_Analyzer::Available, 0, false }, - { AnalyzerTag::Backdoor, "BACKDOOR", - BackDoor_Analyzer::InstantiateAnalyzer, - BackDoor_Analyzer::Available, 0, false }, - { AnalyzerTag::InterConn, "INTERCONN", - InterConn_Analyzer::InstantiateAnalyzer, - InterConn_Analyzer::Available, 0, false }, - { AnalyzerTag::SteppingStone, "STEPPINGSTONE", - SteppingStone_Analyzer::InstantiateAnalyzer, - SteppingStone_Analyzer::Available, 0, false }, - { AnalyzerTag::TCPStats, "TCPSTATS", - TCPStats_Analyzer::InstantiateAnalyzer, - TCPStats_Analyzer::Available, 0, false }, - { AnalyzerTag::ConnSize, "CONNSIZE", - ConnSize_Analyzer::InstantiateAnalyzer, - ConnSize_Analyzer::Available, 0, false }, - - { AnalyzerTag::Contents, "CONTENTS", 0, 0, 0, false }, - { AnalyzerTag::ContentLine, "CONTENTLINE", 0, 0, 0, false }, - { AnalyzerTag::NVT, "NVT", 0, 0, 0, false }, - { AnalyzerTag::Zip, "ZIP", 0, 0, 0, false }, - { AnalyzerTag::Contents_DNS, "CONTENTS_DNS", 0, 0, 0, false }, - { AnalyzerTag::Contents_NetbiosSSN, "CONTENTS_NETBIOSSSN", 0, 0, 0, false }, - { AnalyzerTag::Contents_NCP, "CONTENTS_NCP", 0, 0, 0, false }, - { AnalyzerTag::Contents_Rlogin, "CONTENTS_Rlogin", 0, 0, 0, false }, - { AnalyzerTag::Contents_Rsh, "CONTENTS_RSH", 0, 0, 0, false }, - { 
AnalyzerTag::Contents_DCE_RPC, "CONTENTS_DCE_RPC", 0, 0, 0, false }, - { AnalyzerTag::Contents_SMB, "CONTENTS_SMB", 0, 0, 0, false }, - { AnalyzerTag::Contents_RPC, "CONTENTS_RPC", 0, 0, 0, false }, - { AnalyzerTag::Contents_NFS, "CONTENTS_NFS", 0, 0, 0, false }, - { AnalyzerTag::FTP_ADAT, "FTP_ADAT", 0, 0, 0, false }, -}; +using namespace analyzer; AnalyzerTimer::~AnalyzerTimer() { @@ -212,41 +39,25 @@ void AnalyzerTimer::Init(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, Ref(analyzer->Conn()); } -AnalyzerID Analyzer::id_counter = 0;; +analyzer::ID Analyzer::id_counter = 0;; -Analyzer* Analyzer::InstantiateAnalyzer(AnalyzerTag::Tag tag, Connection* c) +bool Analyzer::IsAnalyzer(const char* name) { - Analyzer* a = analyzer_configs[tag].factory(c); - assert(a); - return a; - } - -const char* Analyzer::GetTagName(AnalyzerTag::Tag tag) - { - return analyzer_configs[tag].name; - } - -AnalyzerTag::Tag Analyzer::GetTag(const char* name) - { - for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ ) - if ( strcasecmp(analyzer_configs[i].name, name) == 0 ) - return analyzer_configs[i].tag; - - return AnalyzerTag::Error; + return analyzer_mgr->GetAnalyzerName(Tag()) == name; } // Used in debugging output. static string fmt_analyzer(Analyzer* a) { - return string(a->GetTagName()) + fmt("[%d]", a->GetID()); + return analyzer_mgr->GetAnalyzerName(a->GetTag()) + fmt("[%d]", a->GetID()); } -Analyzer::Analyzer(AnalyzerTag::Tag arg_tag, Connection* arg_conn) +Analyzer::Analyzer(const char* name, Connection* arg_conn) { // Don't Ref conn here to avoid circular ref'ing. It can't be deleted // before us. conn = arg_conn; - tag = arg_tag; + tag = analyzer_mgr->GetAnalyzerTag(name); id = ++id_counter; protocol_confirmed = false; skip = false; 
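Review bot: The rewritten include block uses parent-relative paths, `#include "../PIA.h"` and `#include "../Event.h"`, which tie Analyzer.cc to its position in the tree, while other files in this commit (TCP.h, Teredo.h) reach the new location as `"analyzer/Analyzer.h"` rooted at src. Using `"PIA.h"` and `"Event.h"` through the src include path would be the consistent form and survives the file being moved again.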
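Review bot: `Analyzer::IsAnalyzer` compares against `analyzer_mgr->GetAnalyzerName(Tag())`, and as far as this diff shows `Tag()` inside the class is a value-initialised `analyzer::Tag`, not the analyzer's own tag (the member is `tag`, the accessor `GetTag()`), so the function checks the name of a default tag rather than this analyzer's. It should read `return analyzer_mgr->GetAnalyzerName(GetTag()) == name;`, which is also what `fmt_analyzer` just below does. Comparing a `std::string` with a null `const char*` is undefined, so a null guard or a `const string&` parameter would make the new API safer, and the stray `;;` carried over on `analyzer::ID Analyzer::id_counter = 0;;` could be dropped while touching that line.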
@@ -257,6 +68,10 @@ Analyzer::Analyzer(AnalyzerTag::Tag arg_tag, Connection* arg_conn) resp_supporters = 0; signature = 0; output_handler = 0; + + if ( ! tag ) + reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::PluginComponent?", name); + } Analyzer::~Analyzer() @@ -351,11 +166,6 @@ void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, int seq, } } -const char* Analyzer::GetTagName() const - { - return GetTagName(tag); - } - void Analyzer::NextStream(int len, const u_char* data, bool is_orig) { if ( skip ) @@ -533,12 +343,15 @@ void Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init) fmt_analyzer(this).c_str(), fmt_analyzer(analyzer).c_str()); } -Analyzer* Analyzer::AddChildAnalyzer(AnalyzerTag::Tag analyzer) +Analyzer* Analyzer::AddChildAnalyzer(Tag analyzer) { if ( ! HasChildAnalyzer(analyzer) ) { - Analyzer* a = InstantiateAnalyzer(analyzer, conn); - AddChildAnalyzer(a); + Analyzer* a = analyzer_mgr->InstantiateAnalyzer(analyzer, conn); + + if ( a ) + AddChildAnalyzer(a); + return a; } @@ -563,12 +376,12 @@ void Analyzer::RemoveChildAnalyzer(Analyzer* analyzer) } } -void Analyzer::RemoveChildAnalyzer(AnalyzerID id) +void Analyzer::RemoveChildAnalyzer(ID id) { LOOP_OVER_CHILDREN(i) if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) ) { - DBG_LOG(DBG_DPD, "%s disabling child %s", GetTagName(), id, + DBG_LOG(DBG_DPD, "%s disabling child %s", analyzer_mgr->GetAnalyzerName(GetTag()).c_str(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()); // See comment above. (*i)->removing = true; @@ -576,7 +389,7 @@ void Analyzer::RemoveChildAnalyzer(AnalyzerID id) } } -bool Analyzer::HasChildAnalyzer(AnalyzerTag::Tag tag) +bool Analyzer::HasChildAnalyzer(Tag tag) { LOOP_OVER_CHILDREN(i) if ( (*i)->tag == tag ) 
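Review bot: `AddChildAnalyzer(Tag)` now returns null when `analyzer_mgr->InstantiateAnalyzer` yields nothing, where the old path asserted; callers that wrote `AddChildAnalyzer(tag)->...` are not visible in this diff and may now dereference null. Either audit the call sites or make the contract explicit in Analyzer.h with `// Returns nil if the analyzer is disabled or has no factory.`. The `if ( a )` path also drops the request silently; a `DBG_LOG(DBG_DPD, ...)` on the failure branch would make a disabled analyzer easier to diagnose.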
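Review bot: The `DBG_LOG` in `RemoveChildAnalyzer(ID)` passes four arguments to a format with two `%s` conversions, and the second `%s` receives `id` (an `analyzer::ID`, i.e. `uint32`), which is undefined behaviour whenever DPD debug logging is enabled, assuming `DBG_LOG` is printf-style as the conversions suggest. The mismatch predates this change, but the line is rewritten here; `DBG_LOG(DBG_DPD, "%s disabling child %s", fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());` matches the neighbouring messages, since `fmt_analyzer` already renders name and id.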
@@ -589,7 +402,7 @@ bool Analyzer::HasChildAnalyzer(AnalyzerTag::Tag tag) return false; } -Analyzer* Analyzer::FindChild(AnalyzerID arg_id) +Analyzer* Analyzer::FindChild(ID arg_id) { if ( id == arg_id ) return this; @@ -604,7 +417,7 @@ Analyzer* Analyzer::FindChild(AnalyzerID arg_id) return 0; } -Analyzer* Analyzer::FindChild(AnalyzerTag::Tag arg_tag) +Analyzer* Analyzer::FindChild(Tag arg_tag) { if ( tag == arg_tag ) return this; @@ -619,6 +432,12 @@ Analyzer* Analyzer::FindChild(AnalyzerTag::Tag arg_tag) return 0; } +Analyzer* Analyzer::FindChild(const string& name) + { + Tag tag = analyzer_mgr->GetAnalyzerTag(name); + return tag != Tag::ERROR ? FindChild(tag) : 0; + } + void Analyzer::DeleteChild(analyzer_list::iterator i) { Analyzer* child = *i; @@ -707,7 +526,7 @@ void Analyzer::RemoveSupportAnalyzer(SupportAnalyzer* analyzer) return; } -bool Analyzer::HasSupportAnalyzer(AnalyzerTag::Tag tag, bool orig) +bool Analyzer::HasSupportAnalyzer(Tag tag, bool orig) { SupportAnalyzer* s = orig ? orig_supporters : resp_supporters; for ( ; s; s = s->sibling ) @@ -772,7 +591,7 @@ void Analyzer::ProtocolConfirmation() val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new Val(tag, TYPE_COUNT)); + vl->append(tag.Val()); vl->append(new Val(id, TYPE_COUNT)); // We immediately raise the event so that the analyzer can quickly @@ -800,7 +619,7 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new Val(tag, TYPE_COUNT)); + vl->append(tag.Val()); vl->append(new Val(id, TYPE_COUNT)); vl->append(r); 
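Review bot: The local `Tag tag` in `FindChild(const string& name)` shadows the `tag` data member that the sibling `FindChild(Tag arg_tag)` compares against, which is easy to misread in a class where `tag` otherwise means the analyzer's own tag; `Tag t = analyzer_mgr->GetAnalyzerTag(name); return t != Tag::ERROR ? FindChild(t) : 0;` avoids it. The constructor in an earlier hunk tests the same lookup result with `! tag` while this uses `!= Tag::ERROR`; picking one idiom for "lookup failed" keeps the two in step if `Tag`'s boolean conversion ever changes.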
@@ -872,6 +691,31 @@ void Analyzer::UpdateConnVal(RecordVal *conn_val) (*i)->UpdateConnVal(conn_val); } +RecordVal* Analyzer::BuildConnVal() + { + return conn->BuildConnVal(); + } + +void Analyzer::Event(EventHandlerPtr f, const char* name) + { + conn->Event(f, this, name); + } + +void Analyzer::Event(EventHandlerPtr f, Val* v1, Val* v2) + { + conn->Event(f, this, v1, v2); + } + +void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl) + { + conn->ConnectionEvent(f, this, vl); + } + +void Analyzer::Weird(const char* name, const char* addl) + { + conn->Weird(name, addl); + } + void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen) { diff --git a/src/Analyzer.h b/src/analyzer/Analyzer.h similarity index 81% rename from src/Analyzer.h rename to src/analyzer/Analyzer.h index 6ccd7648d3..db65670ad6 100644 --- a/src/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -1,19 +1,30 @@ // Main analyzer interface. -#ifndef ANALYZER_H -#define ANALYZER_H +#ifndef ANALYZER_ANALYZER_H +#define ANALYZER_ANALYZER_H #include -#include "AnalyzerTags.h" -#include "Conn.h" -#include "Obj.h" +#include "Tag.h" -class DPM; +#include "../Obj.h" +#include "../EventHandler.h" +#include "../Timer.h" + +class Rule; +class Connection; class PIA; -class Analyzer; +class IP_Hdr; +class TCP_ApplicationAnalyzer; + +namespace analyzer { class Analyzer; } + +namespace analyzer { + typedef list analyzer_list; +typedef uint32 ID; + typedef void (Analyzer::*analyzer_timer_func)(double t); // FIXME: This is a copy of ConnectionTimer, which we may eventually be @@ -56,7 +67,8 @@ class OutputHandler; class Analyzer { public: - Analyzer(AnalyzerTag::Tag tag, Connection* conn); + // "name" must match the one used in + Analyzer(const char* name, Connection* conn); virtual ~Analyzer(); virtual void Init(); 
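Review bot: The comment above the new constructor in Analyzer.h, `// "name" must match the one used in`, breaks off mid-sentence, so the only documentation for the string-keyed constructor never says where the name comes from. Suggest `// "name" must match the name the analyzer was registered under with the analyzer::Manager (see BuiltinAnalyzers.cc); an unknown name is an internal error.`. The one-line `namespace analyzer { class Analyzer; }` could also live at the top of the `namespace analyzer {` block that immediately follows instead of a separate namespace reopening.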
@@ -94,7 +106,7 @@ public: // Report a message boundary to all child analyzers virtual void ForwardEndOfData(bool orig); - AnalyzerID GetID() const { return id; } + ID GetID() const { return id; } Connection* Conn() const { return conn; } // An OutputHandler can be used to get access to data extracted by this @@ -128,12 +140,8 @@ public: bool IsFinished() const { return finished; } - AnalyzerTag::Tag GetTag() const { return tag; } - const char* GetTagName() const; - static AnalyzerTag::Tag GetTag(const char* tag); - static const char* GetTagName(AnalyzerTag::Tag tag); - static bool IsAvailable(AnalyzerTag::Tag tag) - { return analyzer_configs[tag].available(); } + Tag GetTag() const { return tag; } + bool IsAnalyzer(const char* name); // Management of the tree. // @@ -141,18 +149,21 @@ public: // of the same type. void AddChildAnalyzer(Analyzer* analyzer) { AddChildAnalyzer(analyzer, true); } - Analyzer* AddChildAnalyzer(AnalyzerTag::Tag tag); + Analyzer* AddChildAnalyzer(Tag tag); void RemoveChildAnalyzer(Analyzer* analyzer); - void RemoveChildAnalyzer(AnalyzerID id); + void RemoveChildAnalyzer(ID id); - bool HasChildAnalyzer(AnalyzerTag::Tag tag); + bool HasChildAnalyzer(Tag tag); // Recursive; returns nil if not found. - Analyzer* FindChild(AnalyzerID id); + Analyzer* FindChild(ID id); // Recursive; returns first found, or nil. - Analyzer* FindChild(AnalyzerTag::Tag tag); + Analyzer* FindChild(Tag tag); + + // Recursive; returns first found, or nil. + Analyzer* FindChild(const string& name); const analyzer_list& GetChildren() { return children; } 
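Review bot: `bool IsAnalyzer(const char* name);` is a pure query but is not declared `const`, unlike its neighbour `Tag GetTag() const`, so it cannot be called through a `const Analyzer*`; `bool IsAnalyzer(const char* name) const;` with the matching definition in Analyzer.cc is the consistent form. The `FindChild` overloads taking a `Tag` and a `const string&` carry the identical comment, so a reader cannot tell that the string form performs a manager lookup first; `// Recursive; resolves name via the analyzer manager, returns first found, or nil.` would distinguish them.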
@@ -240,27 +251,17 @@ public: // The following methods are proxies: calls are directly forwarded // to the connection instance. These are for convenience only, // allowing us to reuse more of the old analyzer code unchanged. - RecordVal* BuildConnVal() - { return conn->BuildConnVal(); } - void Event(EventHandlerPtr f, const char* name = 0) - { conn->Event(f, this, name); } - void Event(EventHandlerPtr f, Val* v1, Val* v2 = 0) - { conn->Event(f, this, v1, v2); } - void ConnectionEvent(EventHandlerPtr f, val_list* vl) - { conn->ConnectionEvent(f, this, vl); } - void Weird(const char* name, const char* addl = "") - { conn->Weird(name, addl); } - - // Factory function to instantiate new analyzers. - static Analyzer* InstantiateAnalyzer(AnalyzerTag::Tag tag, Connection* c); + RecordVal* BuildConnVal(); + void Event(EventHandlerPtr f, const char* name = 0); + void Event(EventHandlerPtr f, Val* v1, Val* v2 = 0); + void ConnectionEvent(EventHandlerPtr f, val_list* vl); + void Weird(const char* name, const char* addl = ""); protected: - friend class DPM; friend class Connection; friend class AnalyzerTimer; friend class TCP_ApplicationAnalyzer; - - Analyzer() { } + friend class Manager; // Associates a connection with this analyzer. Must be called if // we're using the default ctor. @@ -275,7 +276,7 @@ protected: void RemoveTimer(Timer* t); void CancelTimers(); - bool HasSupportAnalyzer(AnalyzerTag::Tag tag, bool orig); + bool HasSupportAnalyzer(Tag tag, bool orig); void AddChildAnalyzer(Analyzer* analyzer, bool init); void InitChildren(); @@ -286,8 +287,8 @@ private: // already Done(). void DeleteChild(analyzer_list::iterator i); - AnalyzerTag::Tag tag; - AnalyzerID id; + Tag tag; + ID id; Connection* conn; Analyzer* parent; 
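Review bot: The trailing context still says `// Associates a connection with this analyzer. Must be called if // we're using the default ctor.`, but this hunk deletes the default constructor `Analyzer() { }` (and later hunks drop the `SupportAnalyzer()` and `TransportLayerAnalyzer()` defaults), so the comment now refers to something that no longer exists. Either restate the remaining purpose of the method it documents, which is outside this hunk, or remove that method along with the constructor if nothing else uses it.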
@@ -308,49 +309,32 @@ private: bool finished; bool removing; - static AnalyzerID id_counter; - - typedef bool (*available_callback)(); - typedef Analyzer* (*factory_callback)(Connection* conn); - typedef bool (*match_callback)(Connection*); - - struct Config { - AnalyzerTag::Tag tag; - const char* name; - factory_callback factory; - available_callback available; - match_callback match; - bool partial; - }; - - // Table of analyzers. - static const Config analyzer_configs[]; - + static ID id_counter; }; #define ADD_ANALYZER_TIMER(timer, t, do_expire, type) \ - AddTimer(analyzer_timer_func(timer), (t), (do_expire), (type)) + AddTimer(analyzer::analyzer_timer_func(timer), (t), (do_expire), (type)) #define LOOP_OVER_CHILDREN(var) \ - for ( analyzer_list::iterator var = children.begin(); \ + for ( analyzer::analyzer_list::iterator var = children.begin(); \ var != children.end(); var++ ) #define LOOP_OVER_CONST_CHILDREN(var) \ - for ( analyzer_list::const_iterator var = children.begin(); \ + for ( analyzer::analyzer_list::const_iterator var = children.begin(); \ var != children.end(); var++ ) #define LOOP_OVER_GIVEN_CHILDREN(var, the_kids) \ - for ( analyzer_list::iterator var = the_kids.begin(); \ + for ( analyzer::analyzer_list::iterator var = the_kids.begin(); \ var != the_kids.end(); var++ ) #define LOOP_OVER_GIVEN_CONST_CHILDREN(var, the_kids) \ - for ( analyzer_list::const_iterator var = the_kids.begin(); \ + for ( analyzer::analyzer_list::const_iterator var = the_kids.begin(); \ var != the_kids.end(); var++ ) class SupportAnalyzer : public Analyzer { public: - SupportAnalyzer(AnalyzerTag::Tag tag, Connection* conn, bool arg_orig) - : Analyzer(tag, conn) { orig = arg_orig; sibling = 0; } + SupportAnalyzer(const char* name, Connection* conn, bool arg_orig) + : Analyzer(name, conn) { orig = arg_orig; sibling = 0; } virtual ~SupportAnalyzer() {} @@ -366,7 +350,6 @@ public: protected: friend class Analyzer; - SupportAnalyzer() { } private: bool orig; 
@@ -378,8 +361,8 @@ private: class TransportLayerAnalyzer : public Analyzer { public: - TransportLayerAnalyzer(AnalyzerTag::Tag tag, Connection* conn) - : Analyzer(tag, conn) { pia = 0; } + TransportLayerAnalyzer(const char* name, Connection* conn) + : Analyzer(name, conn) { pia = 0; } virtual void Done(); virtual bool IsReuse(double t, const u_char* pkt) = 0; @@ -393,11 +376,10 @@ public: // Raises packet_contents event. void PacketContents(const u_char* data, int len); -protected: - TransportLayerAnalyzer() { } - private: PIA* pia; }; +} + #endif diff --git a/src/analyzer/BuiltinAnalyzers.cc b/src/analyzer/BuiltinAnalyzers.cc new file mode 100644 index 0000000000..e65dbdb62e --- /dev/null +++ b/src/analyzer/BuiltinAnalyzers.cc 
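Review bot: The bare `}` that closes `namespace analyzer` at the end of Analyzer.h gives no hint of what it closes in a header that is several hundred lines long; `} // namespace analyzer` is the usual form and makes the pairing visible next to the `#endif`.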
@@ -0,0 +1,127 @@ + +#include "BuiltInAnalyzers.h" +#include "PluginComponent.h" + +#include "../binpac_bro.h" + +#include "AYIYA.h" +#include "BackDoor.h" +#include "BitTorrent.h" +#include "BitTorrentTracker.h" +#include "Finger.h" +#include "InterConn.h" +#include "NTP.h" +#include "HTTP.h" +#include "HTTP-binpac.h" +#include "ICMP.h" +#include "SteppingStone.h" +#include "IRC.h" +#include "SMTP.h" +#include "FTP.h" +#include "FileAnalyzer.h" +#include "DNS.h" +#include "DNS-binpac.h" +#include "DHCP-binpac.h" +#include "Telnet.h" +#include "Rlogin.h" +#include "RSH.h" +#include "DCE_RPC.h" +#include "Gnutella.h" +#include "Ident.h" +#include "Modbus.h" +#include "NCP.h" +#include "NetbiosSSN.h" +#include "SMB.h" +#include "NFS.h" +#include "Portmap.h" +#include "POP3.h" +#include "SOCKS.h" +#include "SSH.h" +#include "SSL.h" +#include "Syslog-binpac.h" +#include "Teredo.h" +#include "ConnSizeAnalyzer.h" +#include "GTPv1.h" + +using namespace analyzer; + +#define DEFINE_ANALYZER(name, factory, enabled, partial) \ + AddComponent(new PluginComponent(name, factory, enabled, partial)) + +void BuiltinAnalyzers::Init() + { + plugin::Description desc; + desc.name = "Core-Analyzers"; + desc.description = "Built-in protocol analyzers"; + desc.version = plugin::API_BUILTIN; + SetDescription(desc); + + DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("DNS", 
DNS_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); + DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); + DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("LOGIN", 0, true, false); // just a base class + DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("NETBIOSSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("RPC", 0, true, false); + DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("DNS_TCP_BINPAC", DNS_TCP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); + DEFINE_ANALYZER("DNS_UDP_BINPAC", DNS_UDP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); + DEFINE_ANALYZER("HTTP_BINPAC", HTTP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); + 
DEFINE_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("CONTENTS", 0, true, false); + DEFINE_ANALYZER("CONTENTLINE", 0, true, false); + DEFINE_ANALYZER("NVT", 0, true, false); + DEFINE_ANALYZER("ZIP", 0, true, false); + DEFINE_ANALYZER("CONTENTS_DNS", 0, true, false); + DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0, true, false); + DEFINE_ANALYZER("CONTENTS_NCP", 0, true, false); + DEFINE_ANALYZER("CONTENTS_RLOGIN", 0, true, false); + DEFINE_ANALYZER("CONTENTS_RSH", 0, true, false); + DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0, true, false); + DEFINE_ANALYZER("CONTENTS_SMB", 0, true, false); + DEFINE_ANALYZER("CONTENTS_RPC", 0, true, false); + DEFINE_ANALYZER("CONTENTS_NFS", 0, true, false); + DEFINE_ANALYZER("FTP_ADAT", 0, true, false); + } + diff --git a/src/analyzer/BuiltinAnalyzers.h b/src/analyzer/BuiltinAnalyzers.h new file mode 100644 index 0000000000..6097bfa078 --- /dev/null +++ b/src/analyzer/BuiltinAnalyzers.h 
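Review bot: The first include is `#include "BuiltInAnalyzers.h"` while the header added in this commit is `src/analyzer/BuiltinAnalyzers.h` (lower-case `i`), so the build fails on a case-sensitive filesystem; it should be `#include "BuiltinAnalyzers.h"`. Several registered names change spelling relative to the table removed from Analyzer.cc (`NetbiosSSN` → `NETBIOSSSN`, `CONTENTS_Rlogin` → `CONTENTS_RLOGIN`); since `Analyzer::Analyzer` now raises an internal error on an unknown name, any constructor still passing the old spelling aborts at first use, and whether the manager's lookup is case-insensitive is not visible here. A comment above the table such as `// Names are the keys used by Analyzer::Analyzer(const char* name, ...) and by script-level Analyzer::Tag values; keep them in sync.` would make that coupling explicit.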
@@ -0,0 +1,17 @@
+
+#ifndef ANALYZER_BUILTIN_ANALYZERS_H
+#define ANALYZER_BUILTIN_ANALYZERS_H
+
+#include "plugin/Plugin.h"
+
+namespace analyzer {
+
+class BuiltinAnalyzers : public plugin::Plugin {
+public:
+ virtual void Init();
+};
+
+}
+
+
+#endif
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
new file mode 100644
index 0000000000..b2d35215f3
--- /dev/null
+++ b/src/analyzer/Manager.cc
@@ -0,0 +1,691 @@ + +#include "Manager.h" + +#include "PIA.h" +#include "Hash.h" +#include "ICMP.h" +#include "UDP.h" +#include "TCP.h" +#include "Val.h" +#include "BackDoor.h" +#include "InterConn.h" +#include "SteppingStone.h" +#include "ConnSizeAnalyzer.h" + +#include "plugin/Manager.h" + +using namespace analyzer; + +ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, + uint16 _resp_p, uint16 _proto) + { + if ( _orig == IPAddr(string("0.0.0.0")) ) + // don't use the IPv4 mapping, use the literal unspecified address + // to indicate a wildcard + orig = IPAddr(string("::")); + else + orig = _orig; + resp = _resp; + resp_p = _resp_p; + proto = _proto; + } + +ExpectedConn::ExpectedConn(const ExpectedConn& c) + { + orig = c.orig; + resp = c.resp; + resp_p = c.resp_p; + proto = c.proto; + } + +Manager::Manager() + : expected_conns_queue(AssignedAnalyzer::compare) + { + tag_enum_type = new EnumType("Analyzer::Tag"); + ::ID* id = install_ID("Tag", "Analyzer", true, true); + add_type(id, tag_enum_type, 0, 0); + } + +Manager::~Manager() + { + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_tcp.begin(); i != analyzers_by_port_tcp.end(); i++ ) + delete i->second; + + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_udp.begin(); i != analyzers_by_port_udp.end(); i++ ) + delete i->second; + + analyzers_by_port_udp.clear(); + analyzers_by_port_tcp.clear(); + + // Clean up expected-connection table. + while ( expected_conns_queue.size() ) + { + AssignedAnalyzer* a = expected_conns_queue.top(); + if ( ! a->deleted ) + { + HashKey* key = BuildExpectedConnHashKey(a->conn); + expected_conns.Remove(key); + delete key; + } + + expected_conns_queue.pop(); + delete a; + } + } + +void Manager::Init() + { + std::list analyzers = plugin_mgr->Components(plugin::component::ANALYZER); + + for ( std::list::const_iterator i = analyzers.begin(); i != analyzers.end(); i++ ) + RegisterAnalyzerComponent(*i); + + // Caache these tags. 
+ analyzer_backdoor = GetAnalyzerTag("BACKDOOR"); + analyzer_connsize = GetAnalyzerTag("CONNSIZE"); + analyzer_interconn = GetAnalyzerTag("INTERCONN"); + analyzer_stepping = GetAnalyzerTag("STEPPINGSTONE"); + analyzer_tcpstats = GetAnalyzerTag("TCPSTATS"); + } + +void Manager::DumpDebug() + { +#ifdef DEBUG + DBG_LOG(DBG_DPD, "Available analyzers after bro_init():"); + for ( analyzer_map_by_name::const_iterator i = analyzers_by_name.begin(); i != analyzers_by_name.end(); i++ ) + DBG_LOG(DBG_DPD, " %s (%s)", i->second->Name().c_str(), IsEnabled(i->second->Tag()) ? "enabled" : "disabled"); + + DBG_LOG(DBG_DPD, ""); + DBG_LOG(DBG_DPD, "Analyzers by port:"); + + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_tcp.begin(); i != analyzers_by_port_tcp.end(); i++ ) + { + string s; + + for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) + s += GetAnalyzerName(*j) + " "; + + DBG_LOG(DBG_DPD, " %d/tcp: %s", i->first, s.c_str()); + } + + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_udp.begin(); i != analyzers_by_port_udp.end(); i++ ) + { + string s; + + for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) + s += GetAnalyzerName(*j) + " "; + + DBG_LOG(DBG_DPD, " %d/udp: %s", i->first, s.c_str()); + } + +#if 0 + ODesc d; + tag_enum_type->Describe(&d); + + DBG_LOG(DBG_DPD, ""); + DBG_LOG(DBG_DPD, "Analyzer::Tag type: %s", d.Description()); +#endif + +#endif + } + +void Manager::Done() + { + } + +void Manager::RegisterAnalyzerComponent(PluginComponent* component) + { + if ( Lookup(component->Name()) ) + reporter->FatalError("Analyzer %s defined more than once", component->Name().c_str()); + + DBG_LOG(DBG_DPD, "Registering analyzer %s (tag %s)", + component->Name().c_str(), component->Tag().AsString().c_str()); + + analyzers_by_name.insert(std::make_pair(component->Name(), component)); + analyzers_by_tag.insert(std::make_pair(component->Tag(), component)); + 
analyzers_by_val.insert(std::make_pair(component->Tag().Val()->InternalInt(), component)); + + // Install enum "Analyzer::ANALYZER_*" + string name = to_upper(component->Name()); + string id = fmt("ANALYZER_%s", name.c_str()); + tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().Val()->InternalInt(), true); + } + +bool Manager::EnableAnalyzer(Tag tag) + { + PluginComponent* p = Lookup(tag); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to enable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Enabling analyzer %s", p->Name().c_str()); + p->SetEnabled(true); + + return true; + } + +bool Manager::EnableAnalyzer(EnumVal* val) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to enable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Enabling analyzer %s", p->Name().c_str()); + p->SetEnabled(true); + + return true; + } + +bool Manager::DisableAnalyzer(Tag tag) + { + PluginComponent* p = Lookup(tag); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to disable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Disabling analyzer %s", p->Name().c_str()); + p->SetEnabled(false); + + return true; + } + +bool Manager::DisableAnalyzer(EnumVal* val) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to disable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Disabling analyzer %s", p->Name().c_str()); + p->SetEnabled(false); + + return true; + } + +bool Manager::IsEnabled(Tag tag) + { + if ( ! tag ) + return false; + + PluginComponent* p = Lookup(tag); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to check non-existing analyzer"); + return false; + } + + return p->Enabled(); + } + +bool Manager::IsEnabled(EnumVal* val) + { + PluginComponent* p = Lookup(val); + + if ( ! 
p ) + { + DBG_LOG(DBG_DPD, "Asked to check non-existing analyzer"); + return false; + } + + return p->Enabled(); + } + + +bool Manager::RegisterAnalyzerForPort(EnumVal* val, PortVal* port) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to register port for non-existing analyzer"); + return false; + } + + return RegisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); + } + +bool Manager::UnregisterAnalyzerForPort(EnumVal* val, PortVal* port) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to unregister port fork non-existing analyzer"); + return false; + } + + return UnregisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); + } + +bool Manager::RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port) + { + tag_set* l = LookupPort(proto, port, true); + +#ifdef DEBUG + std::string name = GetAnalyzerName(tag); + DBG_LOG(DBG_DPD, "Registering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); +#endif + + l->insert(tag); + return true; + } + +bool Manager::UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port) + { + tag_set* l = LookupPort(proto, port, true); + +#ifdef DEBUG + std::string name = GetAnalyzerName(tag); + DBG_LOG(DBG_DPD, "Unregistering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); +#endif + + l->erase(tag); + return true; + } + +Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) + { + PluginComponent* c = Lookup(tag); + + if ( ! c ) + reporter->InternalError("request to instantiate unknown analyzer"); + + if ( ! c->Enabled() ) + return 0; + + assert(c->Factory()); + Analyzer* a = c->Factory()(conn); + + if ( ! a ) + reporter->InternalError("analyzer instantiation failed"); + + return a; + } + +string Manager::GetAnalyzerName(Tag tag) + { + if ( ! tag ) + return ""; + + PluginComponent* c = Lookup(tag); + + if ( ! 
c ) + reporter->InternalError("request for name of unknown analyzer tag %s", tag.AsString().c_str()); + + return c->Name(); + } + +string Manager::GetAnalyzerName(Val* val) + { + return GetAnalyzerName(Tag(val->AsEnumVal())); + } + +Tag Manager::GetAnalyzerTag(const string& name) + { + PluginComponent* c = Lookup(name); + return c ? c->Tag() : Tag::ERROR; + } + +Tag Manager::GetAnalyzerTag(const char* name) + { + PluginComponent* c = Lookup(name); + return c ? c->Tag() : Tag::ERROR; + } + +EnumType* Manager::GetTagEnumType() + { + return tag_enum_type; + } + + +PluginComponent* Manager::Lookup(const string& name) + { + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + return i != analyzers_by_name.end() ? i->second : 0; + } + +PluginComponent* Manager::Lookup(const char* name) + { + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + return i != analyzers_by_name.end() ? i->second : 0; + } + +PluginComponent* Manager::Lookup(const Tag& tag) + { + analyzer_map_by_tag::const_iterator i = analyzers_by_tag.find(tag); + return i != analyzers_by_tag.end() ? i->second : 0; + } + +PluginComponent* Manager::Lookup(EnumVal* val) + { + analyzer_map_by_val::const_iterator i = analyzers_by_val.find(val->InternalInt()); + return i != analyzers_by_val.end() ? i->second : 0; + } + +Manager::tag_set* Manager::LookupPort(TransportProto proto, uint32 port, bool add_if_not_found) + { + analyzer_map_by_port* m = 0; + + switch ( proto ) { + case TRANSPORT_TCP: + m = &analyzers_by_port_tcp; + break; + + case TRANSPORT_UDP: + m = &analyzers_by_port_udp; + break; + + default: + reporter->InternalError("unsupport transport protocol in analyzer::Manager::LookupPort"); + } + + analyzer_map_by_port::const_iterator i = m->find(port); + + if ( i != m->end() ) + return i->second; + + if ( ! 
add_if_not_found ) + return 0; + + tag_set* l = new tag_set; + m->insert(std::make_pair(port, l)); + return l; + } + +Manager::tag_set* Manager::LookupPort(PortVal* val, bool add_if_not_found) + { + return LookupPort(val->PortType(), val->Port(), add_if_not_found); + } + +Tag Manager::GetExpected(int proto, const Connection* conn) + { + if ( ! expected_conns.Length() ) + return Tag::ERROR; + + ExpectedConn c(conn->OrigAddr(), conn->RespAddr(), + ntohs(conn->RespPort()), proto); + + HashKey* key = BuildExpectedConnHashKey(c); + AssignedAnalyzer* a = expected_conns.Lookup(key); + delete key; + + if ( ! a ) + { + // Wildcard for originator. + c.orig = IPAddr(string("::")); + + HashKey* key = BuildExpectedConnHashKey(c); + a = expected_conns.Lookup(key); + delete key; + } + + if ( ! a ) + return Tag::ERROR; + + // We don't delete it here. It will be expired eventually. + return a->analyzer; + } + +bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, + const u_char* data) + { + Analyzer* analyzer = 0; + TCP_Analyzer* tcp = 0; + UDP_Analyzer* udp = 0; + ICMP_Analyzer* icmp = 0; + TransportLayerAnalyzer* root = 0; + Tag expected = Tag::ERROR; + PIA* pia = 0; + bool analyzed = false; + bool check_port = false; + + switch ( proto ) { + + case TRANSPORT_TCP: + root = tcp = new TCP_Analyzer(conn); + pia = new PIA_TCP(conn); + expected = GetExpected(proto, conn); + check_port = true; + DBG_DPD(conn, "activated TCP analyzer"); + break; + + case TRANSPORT_UDP: + root = udp = new UDP_Analyzer(conn); + pia = new PIA_UDP(conn); + expected = GetExpected(proto, conn); + check_port = true; + DBG_DPD(conn, "activated UDP analyzer"); + break; + + case TRANSPORT_ICMP: { + root = icmp = new ICMP_Analyzer(conn); + DBG_DPD(conn, "activated ICMP analyzer"); + analyzed = true; + break; + } + + default: + reporter->InternalError("unknown protocol"); + } + + if ( ! 
root ) + { + DBG_DPD(conn, "cannot build analyzer tree"); + return false; + } + + // Any scheduled analyzer? + if ( expected ) + { + Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(expected, conn); + + if ( analyzer ) + { + root->AddChildAnalyzer(analyzer, false); + + DBG_DPD_ARGS(conn, "activated %s analyzer as scheduled", + analyzer_mgr->GetAnalyzerName(expected).c_str()); + } + + // Hmm... Do we want *just* the expected analyzer, or all + // other potential analyzers as well? For now we only take + // the scheduled one. + } + + else + { // Let's see if it's a port we know. + if ( check_port && ! dpd_ignore_ports ) + { + int resp_port = ntohs(conn->RespPort()); + tag_set* ports = LookupPort(proto, resp_port, false); + + if ( ports ) + { + for ( tag_set::const_iterator j = ports->begin(); j != ports->end(); ++j ) + { + Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(*j, conn); + + if ( ! analyzer ) + continue; + + root->AddChildAnalyzer(analyzer, false); + DBG_DPD_ARGS(conn, "activated %s analyzer due to port %d", + analyzer_mgr->GetAnalyzerName(*j).c_str(), resp_port); + } + } + } + } + + if ( tcp ) + { + // We have to decide whether to reassamble the stream. + // We turn it on right away if we already have an app-layer + // analyzer, reassemble_first_packets is true, or the user + // asks us to do so. In all other cases, reassembly may + // be turned on later by the TCP PIA. + + bool reass = root->GetChildren().size() || + dpd_reassemble_first_packets || + tcp_content_deliver_all_orig || + tcp_content_deliver_all_resp; + + if ( tcp_contents && ! reass ) + { + PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP); + Val* result; + + if ( ! reass ) + reass = tcp_content_delivery_ports_orig->Lookup(&dport); + + if ( ! reass ) + reass = tcp_content_delivery_ports_resp->Lookup(&dport); + } + + if ( reass ) + tcp->EnableReassembly(); + + if ( IsEnabled(analyzer_backdoor) ) + // Add a BackDoor analyzer if requested. 
This analyzer + // can handle both reassembled and non-reassembled input. + tcp->AddChildAnalyzer(new BackDoor_Analyzer(conn), false); + + if ( IsEnabled(analyzer_interconn) ) + // Add a InterConn analyzer if requested. This analyzer + // can handle both reassembled and non-reassembled input. + tcp->AddChildAnalyzer(new InterConn_Analyzer(conn), false); + + if ( IsEnabled(analyzer_stepping) ) + { + // Add a SteppingStone analyzer if requested. The port + // should really not be hardcoded here, but as it can + // handle non-reassembled data, it doesn't really fit into + // our general framing ... Better would be to turn it + // on *after* we discover we have interactive traffic. + uint16 resp_port = ntohs(conn->RespPort()); + if ( resp_port == 22 || resp_port == 23 || resp_port == 513 ) + { + AddrVal src(conn->OrigAddr()); + if ( ! stp_skip_src->Lookup(&src) ) + tcp->AddChildAnalyzer(new SteppingStone_Analyzer(conn), false); + } + } + + if ( IsEnabled(analyzer_tcpstats) ) + // Add TCPStats analyzer. This needs to see packets so + // we cannot add it as a normal child. + tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn)); + + if ( IsEnabled(analyzer_connsize) ) + // Add ConnSize analyzer. Needs to see packets, not stream. + tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn)); + } + + else + { + if ( IsEnabled(analyzer_connsize) ) + // Add ConnSize analyzer. Needs to see packets, not stream. + udp->AddChildAnalyzer(new ConnSize_Analyzer(conn)); + } + + if ( pia ) + root->AddChildAnalyzer(pia->AsAnalyzer()); + + if ( root->GetChildren().size() ) + analyzed = true; + + conn->SetRootAnalyzer(root, pia); + root->Init(); + root->InitChildren(); + + if ( ! 
analyzed ) + conn->SetLifetime(non_analyzed_lifetime); + + if ( expected != Tag::ERROR ) + conn->Event(expected_connection_seen, 0, + new Val(expected, TYPE_COUNT)); + + return true; + } + +void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, + uint16 resp_p, + TransportProto proto, Tag analyzer, + double timeout, void* cookie) + { + // Use the chance to see if the oldest entry is already expired. + if ( expected_conns_queue.size() ) + { + AssignedAnalyzer* a = expected_conns_queue.top(); + if ( a->timeout < network_time ) + { + if ( ! a->deleted ) + { + HashKey* key = BuildExpectedConnHashKey(a->conn); + expected_conns.Remove(key); + delete key; + } + + expected_conns_queue.pop(); + + DBG_LOG(DBG_DPD, "Expired expected %s analyzer for %s", + analyzer_mgr->GetAnalyzerName(analyzer).c_str(), + fmt_conn_id(a->conn.orig, 0, + a->conn.resp, + a->conn.resp_p)); + + delete a; + } + } + + ExpectedConn c(orig, resp, resp_p, proto); + + HashKey* key = BuildExpectedConnHashKey(c); + + AssignedAnalyzer* a = expected_conns.Lookup(key); + + if ( a ) + a->deleted = true; + + a = new AssignedAnalyzer(c); + + a->analyzer = analyzer; + a->cookie = cookie; + a->timeout = network_time + timeout; + a->deleted = false; + + expected_conns.Insert(key, a); + expected_conns_queue.push(a); + delete key; + } + +void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, + uint16 resp_p, + TransportProto proto, const string& analyzer, + double timeout, void* cookie) + { + Tag tag = GetAnalyzerTag(analyzer); + + if ( tag != Tag::ERROR ) + ExpectConnection(orig, resp, resp_p, proto, tag, timeout, cookie); + } + +void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, + Val* analyzer, double timeout, void* cookie) + { + EnumVal* ev = analyzer->AsEnumVal(); + return ExpectConnection(orig, resp, resp_p->Port(), resp_p->PortType(), Tag(ev), timeout, cookie); + } 
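Review bot: `InstantiateAnalyzer()` only `assert`s that the component has a factory, yet the registry is deliberately populated with factory-less entries (BuiltinAnalyzers.cc in this patch registers `LOGIN`, `RPC` and the whole `CONTENTS_*` family with `0`) and `RegisterAnalyzerComponent()` gives every one of them an `Analyzer::ANALYZER_*` constant that a policy script can hand to `register_for_port` or `expect_connection`, so in a release build the first matching connection calls a null function pointer; treat a null `Factory()` like a disabled analyzer and `return 0` (ideally with a `reporter->Warning`). `GetExpected()` never compares the matched entry's `timeout` with `network_time`, and the only expiry is the single-head check at the top of `ExpectConnection()`, so a scheduled expectation stays matchable long after `tout` and can attach the wrong analyzer to an unrelated later connection on the same tuple, while a burst of scheduling calls grows the table faster than it drains; add `if ( a && a->timeout < network_time ) return Tag::ERROR;` before `return a->analyzer;` and drain every expired head with a `while` rather than an `if`. The `expected_connection_seen` event is raised with `new Val(expected, TYPE_COUNT)`, which — unless `Val` has a `Tag` overload not in view — converts through `Tag::operator bool` and delivers 1 instead of the tag; `expected.Val()` (with a `Ref`) looks intended. The expiry log in `ExpectConnection()` also names the tag being scheduled (`analyzer`) rather than the one being dropped (`a->analyzer`).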
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h
new file mode 100644
index 0000000000..e6143cada6
--- /dev/null
+++ b/src/analyzer/Manager.h
@@ -0,0 +1,182 @@ +// The central management unit for dynamic analyzer selection. + +#ifndef ANALYZER_MANAGER_H +#define ANALYZER_MANAGER_H + +#include + +#include "Tag.h" +#include "PluginComponent.h" + +#include "Analyzer.h" +#include "../Dict.h" +#include "../net_util.h" +#include "../IP.h" + +namespace analyzer { + +// Manager debug logging, which includes the connection id into the message. +#ifdef DEBUG +# define DBG_DPD(conn, txt) \ + DBG_LOG(DBG_DPD, "%s " txt, \ + fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ + conn->RespAddr(), ntohs(conn->RespPort()))); +# define DBG_DPD_ARGS(conn, fmt, args...) \ + DBG_LOG(DBG_DPD, "%s " fmt, \ + fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ + conn->RespAddr(), ntohs(conn->RespPort())), ##args); +#else +# define DBG_DPD(conn, txt) +# define DBG_DPD_ARGS(conn, fmt, args...) +#endif + +// Map index to assign expected connections to analyzers. +class ExpectedConn { +public: + ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, + uint16 _resp_p, uint16 _proto); + + ExpectedConn(const ExpectedConn& c); + + IPAddr orig; + IPAddr resp; + uint16 resp_p; + uint16 proto; +}; + +// Associates an analyzer for an expected future connection. +class AssignedAnalyzer { +public: + AssignedAnalyzer(const ExpectedConn& c) + : conn(c) { } + + ExpectedConn conn; + Tag analyzer; + double timeout; + void* cookie; + bool deleted; + + static bool compare(const AssignedAnalyzer* a1, const AssignedAnalyzer* a2) + { return a1->timeout > a2->timeout; } +}; + +declare(PDict, AssignedAnalyzer); + +class Manager { +public: + Manager(); + ~Manager(); + + void Init(); // Called before script's are parsed. + void Done(); + void DumpDebug(); // Called after bro_init() events. 
+ + bool EnableAnalyzer(Tag tag); + bool EnableAnalyzer(EnumVal* tag); + + bool DisableAnalyzer(Tag tag); + bool DisableAnalyzer(EnumVal* tag); + + bool IsEnabled(Tag tag); + bool IsEnabled(EnumVal* tag); + + bool RegisterAnalyzerForPort(EnumVal* tag, PortVal* port); + bool RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); + + bool UnregisterAnalyzerForPort(EnumVal* tag, PortVal* port); + bool UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); + + Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled. + + string GetAnalyzerName(Tag tag); + string GetAnalyzerName(Val* val); + Tag GetAnalyzerTag(const string& name); // Tag::ERROR when not known. + Tag GetAnalyzerTag(const char* name); // Tag::ERROR when not known. + + EnumType* GetTagEnumType(); + + // Given info about the first packet, build initial analyzer tree. + // + // It would be more flexible if we simply pass in the IP header and + // then extract the information we need. However, when this method + // is called from the session management, protocol and ports have + // already been extracted there and it would be a waste to do it + // again. + // + // Returns 0 if we can't build a tree (e.g., because the necessary + // analyzers have not been converted to the Manager framework yet...) + bool BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, + const u_char* data); + + // Schedules a particular analyzer for an upcoming connection. 0 acts + // as a wildcard for orig. (Cookie is currently unused. Eventually, + // we may pass it on to the analyzer). 
+ void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, + TransportProto proto, Tag::Tag analyzer, + double timeout, void* cookie); + + void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, + TransportProto proto, const string& analyzer, + double timeout, void* cookie); + + void ExpectConnection(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, + Val* val, double timeout, void* cookie); + + // Activates signature matching for protocol detection. (Called when + // an Manager signatures is found.) + void ActivateSigs() { sigs_activated = true; } + bool SigsActivated() const { return sigs_activated; } + +private: + typedef set tag_set; + typedef map analyzer_map_by_name; + typedef map analyzer_map_by_tag; + typedef map analyzer_map_by_val; + typedef map analyzer_map_by_port; + + void RegisterAnalyzerComponent(PluginComponent* component); // Takes ownership. + + PluginComponent* Lookup(const string& name); + PluginComponent* Lookup(const char* name); + PluginComponent* Lookup(const Tag& tag); + PluginComponent* Lookup(EnumVal* val); + + tag_set* LookupPort(PortVal* val, bool add_if_not_found); + tag_set* LookupPort(TransportProto proto, uint32 port, bool add_if_not_found); + + // Return analyzer if any has been scheduled with ExpectConnection() + // Tag::::Error if none. + Tag GetExpected(int proto, const Connection* conn); + + analyzer_map_by_port analyzers_by_port_tcp; + analyzer_map_by_port analyzers_by_port_udp; + analyzer_map_by_name analyzers_by_name; + analyzer_map_by_tag analyzers_by_tag; + analyzer_map_by_val analyzers_by_val; + + Tag analyzer_backdoor; + Tag analyzer_connsize; + Tag analyzer_interconn; + Tag analyzer_stepping; + Tag analyzer_tcpstats; + + EnumType* tag_enum_type; + + // True if signature-matching has been activated. 
+ bool sigs_activated; + + PDict(AssignedAnalyzer) expected_conns; + + typedef priority_queue< + AssignedAnalyzer*, + vector, + bool (*)(const AssignedAnalyzer*, + const AssignedAnalyzer*)> conn_queue; + conn_queue expected_conns_queue; +}; + +} + +extern analyzer::Manager* analyzer_mgr; + +#endif diff --git a/src/analyzer/PluginComponent.cc b/src/analyzer/PluginComponent.cc new file mode 100644 index 0000000000..fed3ca225a --- /dev/null +++ b/src/analyzer/PluginComponent.cc @@ -0,0 +1,37 @@ + +#include "PluginComponent.h" + +#include "../Desc.h" + +using namespace analyzer; + +Tag::type_t PluginComponent::type_counter = 0; + +PluginComponent::PluginComponent(std::string arg_name, factory_callback arg_factory, bool arg_enabled, bool arg_partial) + : Component(plugin::component::ANALYZER) + { + name = arg_name; + factory = arg_factory; + enabled = arg_enabled; + partial = arg_partial; + + tag = analyzer::Tag(++type_counter, 0); + } + +PluginComponent::PluginComponent(std::string arg_name, Tag::subtype_t arg_stype, factory_callback arg_factory, bool arg_enabled, bool arg_partial) + : Component(plugin::component::ANALYZER) + { + name = arg_name; + factory = arg_factory; + enabled = arg_enabled; + partial = arg_partial; + + tag = analyzer::Tag(++type_counter, arg_stype); + } + +void PluginComponent::Describe(ODesc* d) + { + plugin::Component::Describe(d); + d->Add(name); + } + diff --git a/src/analyzer/PluginComponent.h b/src/analyzer/PluginComponent.h new file mode 100644 index 0000000000..6db5aaf994 --- /dev/null +++ b/src/analyzer/PluginComponent.h 
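Review bot: `sigs_activated` is never initialized — `Manager::Manager()` in Manager.cc sets only `expected_conns_queue` and `tag_enum_type` — so `SigsActivated()` returns an indeterminate value until `ActivateSigs()` happens to run, and any caller gating signature-based protocol detection on it behaves unpredictably; add `sigs_activated(false)` to the constructor's initializer list (or `sigs_activated = false;` in its body). The comment on `RegisterAnalyzerComponent()` says it takes ownership, but `~Manager()` frees only the per-port `tag_set`s and never the components held in `analyzers_by_name`; either delete them there or correct the comment so the next reader does not double-free from the plugin side. The `DBG_DPD`/`DBG_DPD_ARGS` macro bodies end in a semicolon, so every `DBG_DPD(...);` call expands to a stray empty statement in DEBUG builds and would break an unbraced `if`/`else`; drop the trailing `;` from the two definitions.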
@@ -0,0 +1,51 @@
+
+#ifndef ANALYZER_PLUGIN_COMPONENT_H
+#define ANALYZER_PLUGIN_COMPONENT_H
+
+#include
+
+#include "../config.h"
+#include "../util.h"
+
+#include "plugin/Component.h"
+#include "Tag.h"
+
+class Connection;
+
+namespace analyzer {
+
+class Analyzer;
+
+// This can be copied by value.
+class PluginComponent : public plugin::Component {
+public:
+ typedef bool (*available_callback)();
+ typedef Analyzer* (*factory_callback)(Connection* conn);
+
+ PluginComponent(std::string name, factory_callback factory, bool enabled, bool partial);
+ PluginComponent(std::string name, Tag::subtype_t subtype, factory_callback factory, bool enabled, bool partial);
+
+ std::string Name() const { return name; }
+ factory_callback Factory() const { return factory; }
+ bool Partial() const { return partial; }
+ bool Enabled() const { return enabled; }
+ analyzer::Tag Tag() const { return tag; }
+
+ void SetEnabled(bool arg_enabled) { enabled = arg_enabled; }
+
+ virtual void Describe(ODesc* d);
+
+private:
+ std::string name;
+ factory_callback factory;
+ bool partial;
+
+ analyzer::Tag tag;
+ bool enabled;
+
+ static analyzer::Tag::type_t type_counter;
+};
+
+}
+
+#endif
diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc
new file mode 100644
index 0000000000..fbf1bcd2b7
--- /dev/null
+++ b/src/analyzer/Tag.cc
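Review bot: Naming the accessor `Tag()` hides the type `analyzer::Tag` for unqualified use inside the class, which is why the `tag` member, `type_counter` and the accessor's own return type all have to be spelled `analyzer::Tag`; a name such as `GetTag()` would let these declarations read like the rest of the analyzer namespace and removes the trap for the next member someone adds. `available_callback` is declared but nothing in this patch uses it, so it reads as a leftover. The comment `// This can be copied by value.` would be more useful if it said what a copy means: copies share the `factory` pointer and the registered tag rather than cloning an analyzer, and `SetEnabled()` on a copy does not touch the registry entry that `Manager` holds by pointer.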
@@ -0,0 +1,69 @@
+
+#include "Tag.h"
+#include "Manager.h"
+
+#include "../NetVar.h"
+
+using namespace analyzer;
+
+Tag Tag::ERROR;
+
+Tag::Tag(type_t arg_type, subtype_t arg_subtype)
+ {
+ assert(arg_type > 0);
+ type = arg_type;
+ subtype = arg_subtype;
+ int64_t i = (int64)(type) | ((int64)subtype << 31);
+
+ EnumType* etype = analyzer_mgr->GetTagEnumType();
+ Ref(etype);
+ val = new EnumVal(i, etype);
+ }
+
+Tag::Tag(EnumVal* arg_val)
+ {
+ assert(val);
+ val = arg_val;
+ Ref(val);
+
+ int64 i = val->InternalInt();
+ type = i & 0xffffffff;
+ subtype = (i >> 31) & 0xffffffff;
+ }
+
+Tag::Tag(const Tag& other) : type(other.type), subtype(other.subtype)
+ {
+ type = other.type;
+ subtype = other.subtype;
+ val = other.val;
+
+ if ( val )
+ Ref(val);
+ }
+
+Tag::Tag()
+ {
+ type = 0;
+ subtype = 0;
+ val = 0;
+ }
+
+EnumVal* Tag::Val()
+ {
+ if ( ! val )
+ {
+ assert(analyzer_mgr);
+ assert(type == 0 && subtype == 0);
+ EnumType* etype = analyzer_mgr->GetTagEnumType();
+ Ref(etype);
+ val = new EnumVal(0, etype);
+ }
+
+ return val;
+ }
+
+std::string Tag::AsString() const
+ {
+ return fmt("%" PRIu32 "/%" PRIu32, type, subtype);
+ }
+
diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h
new file mode 100644
index 0000000000..dab8563982
--- /dev/null
+++ b/src/analyzer/Tag.h
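Review bot: `Tag::Tag(EnumVal* arg_val)` asserts on `val` — the member, which is still uninitialized at that point — rather than on the argument, so the check is meaningless and in a debug build may fire or pass at random; it should read `assert(arg_val);`. The packed encoding is also inconsistent with its decoding: the type constructor builds `type | (subtype << 31)` while both decoders mask `type` with `0xffffffff` and shift `subtype` by 31, so bit 31 is shared and a component registered with an odd subtype decodes to a corrupted `type`; use a 32-bit shift on both sides, `int64_t i = (int64)(type) | ((int64)subtype << 32);` and `subtype = (i >> 32) & 0xffffffff;`. `Tag::Tag(type_t, subtype_t)` dereferences `analyzer_mgr` unconditionally whereas `Val()` asserts it first; since every `PluginComponent` constructs a `Tag` this way, a component created before the manager exists (e.g. from a plugin's static initializer) would crash rather than assert. The copy constructor initializes `type`/`subtype` in the initializer list and then assigns them again in the body; one of the two is redundant.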
@@ -0,0 +1,59 @@
+
+#ifndef ANALYZER_TAG_H
+#define ANALYZER_TAG_H
+
+// Each kind of analyzer gets a tag consisting of a main type and subtype.
+// The former is an identifier that's unique all analyzer classes. The latter
+// is passed through analyzer instances, yet not further interpreted by the
+// analyzer infrastructure; it allows an analyzer to branch out into a set of
+// sub-analyzers internally. Jointly, main type and subtype form an analyzer
+// "tag". Each unique tag corresponds to a single "analyzer" from the user's
+// perspective.
+
+#include "config.h"
+#include "util.h"
+
+class EnumVal;
+
+namespace analyzer {
+
+/// This has supports all operations to be used as a map index.
+class Tag {
+public:
+ typedef uint32 type_t;
+ typedef uint32 subtype_t;
+
+ Tag(type_t type, subtype_t subtype = 0);
+ Tag(EnumVal* val);
+ Tag(const Tag& other);
+ Tag(); // Tag::ERROR value
+
+ type_t Type() const { return type; }
+ subtype_t Subtype() const { return subtype; }
+
+ // Returns an identifying integer for this tag that's guaranteed to
+ // be unique across all tags.
+ EnumVal* Val();
+
+ std::string AsString() const;
+
+ operator bool() const { return *this != Tag(); }
+ bool operator==(const Tag& other) const { return type == other.type && subtype == other.subtype; }
+ bool operator!=(const Tag& other) const { return type != other.type || subtype != other.subtype; }
+ bool operator<(const Tag& other) const
+ {
+ return type != other.type ? type < other.type : (subtype < other.subtype);
+ }
+
+
+ static Tag ERROR;
+
+private:
+ type_t type;
+ subtype_t subtype;
+ EnumVal* val;
+};
+
+}
+
+#endif
diff --git a/src/ayiya.pac b/src/ayiya.pac
index 58fa196c15..ff0af4d47c 100644
--- a/src/ayiya.pac
+++ b/src/ayiya.pac
@@ -1,3 +1,4 @@
+ %include binpac.pac %include bro.pac
diff --git a/src/binpac_bro.h b/src/binpac_bro.h
index dcdbe94f57..5f46d8f458 100644
--- a/src/binpac_bro.h
+++ b/src/binpac_bro.h
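Review bot: The copy constructor takes a `Ref` on `val` and the other constructors allocate a fresh `EnumVal`, but the class declares neither a destructor nor a copy-assignment operator; assignment (used as `a->analyzer = analyzer;` in Manager.cc and by every `Tag` stored in a `std::map`/`std::set`) therefore copies the pointer without a `Ref`, and no copy ever `Unref`s, so refcounts only drift upward and the `EnumVal`s are never released. Either complete the rule of three — declare `~Tag();` and `Tag& operator=(const Tag& other);` here and implement them with matching `Ref`/`Unref` (self-assignment-safe) in Tag.cc — or drop the `Ref` in the copy constructor and document that `val` is a lazily built cache recomputable from `type`/`subtype`. A minor one: `operator bool()` constructs a temporary `Tag()` on every test, where `return type != 0 || subtype != 0;` says the same thing.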
@@ -1,20 +1,24 @@ #ifndef binpac_bro_h #define binpac_bro_h -class Analyzer; +class Connection; class Val; class PortVal; +namespace analyzer { class Analyzer; } + #include "util.h" -#include "Analyzer.h" #include "Val.h" #include "event.bif.func_h" +#include "TunnelEncapsulation.h" +#include "analyzer/Analyzer.h" +#include "Conn.h" #include "binpac.h" namespace binpac { -typedef Analyzer* BroAnalyzer; +typedef analyzer::Analyzer* BroAnalyzer; typedef Val* BroVal; typedef PortVal* BroPortVal; typedef StringVal* BroStringVal; diff --git a/src/bro.bif b/src/bro.bif index ac54da0e75..4c88a7dd77 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -3353,14 +3353,14 @@ const char* conn_id_string(Val* c) ## .. bro:see:: skip_smtp_data function skip_http_entity_data%(c: connection, is_orig: bool%): any %{ - AnalyzerID id = mgr.CurrentAnalyzer(); + analyzer::ID id = mgr.CurrentAnalyzer(); if ( id ) { - Analyzer* ha = c->FindAnalyzer(id); + analyzer::Analyzer* ha = c->FindAnalyzer(id); if ( ha ) { - if ( ha->GetTag() == AnalyzerTag::HTTP ) + if ( ha->IsAnalyzer("HTTP") ) static_cast(ha)->SkipEntityData(is_orig); else reporter->Error("non-HTTP analyzer associated with connection record"); 
@@ -4074,36 +4074,9 @@ function file_mode%(mode: count%): string # =========================================================================== %%{ -#include "DPM.h" +#include "analyzer/Manager.h" %%} -## Schedules an analyzer for a future connection from a given IP address and -## port. The function ignores the scheduling request if the connection did -## not occur within the specified time interval. -## -## orig: The IP address originating a connection in the future. -## -## resp: The IP address responding to a connection from *orig*. -## -## resp_p: The destination port at *resp*. -## -## analyzer: The analyzer ID. -## -## tout: The timeout interval after which to ignore the scheduling request. -## -## Returns: True (unconditionally). -## -## .. bro:see:: disable_analyzer analyzer_name -## -## .. todo:: The return value should be changed to any. -function expect_connection%(orig: addr, resp: addr, resp_p: port, - analyzer: count, tout: interval%) : any - %{ - dpm->ExpectConnection(orig->AsAddr(), resp->AsAddr(), resp_p->Port(), - resp_p->PortType(), (AnalyzerTag::Tag) analyzer, tout, 0); - return new Val(1, TYPE_BOOL); - %} - ## Disables the analyzer which raised the current event (if the analyzer ## belongs to the given connection). ## @@ -4124,7 +4097,7 @@ function disable_analyzer%(cid: conn_id, aid: count%) : bool return new Val(0, TYPE_BOOL); } - Analyzer* a = c->FindAnalyzer(aid); + analyzer::Analyzer* a = c->FindAnalyzer(aid); if ( ! a ) { reporter->Error("connection does not have analyzer specified to disable"); 
@@ -4135,18 +4108,6 @@ function disable_analyzer%(cid: conn_id, aid: count%) : bool return new Val(1, TYPE_BOOL); %} -## Translate an analyzer type to an ASCII string. -## -## aid: The analyzer ID. -## -## Returns: The analyzer *aid* as string. -## -## .. bro:see:: expect_connection disable_analyzer current_analyzer -function analyzer_name%(aid: count%) : string - %{ - return new StringVal(Analyzer::GetTagName((AnalyzerTag::Tag) aid)); - %} - ## Informs Bro that it should skip any further processing of the contents of ## a given connection. In particular, Bro will refrain from reassembling the ## TCP byte stream and from generating events relating to any analyzers that @@ -4321,7 +4282,7 @@ function get_login_state%(cid: conn_id%): count if ( ! c ) return new Val(0, TYPE_BOOL); - Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login); + analyzer::Analyzer* la = c->FindAnalyzer("Login"); if ( ! la ) return new Val(0, TYPE_BOOL); @@ -4346,7 +4307,7 @@ function set_login_state%(cid: conn_id, new_state: count%): bool if ( ! c ) return new Val(0, TYPE_BOOL); - Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login); + analyzer::Analyzer* la = c->FindAnalyzer("Login"); if ( ! la ) return new Val(0, TYPE_BOOL); @@ -4377,7 +4338,7 @@ function get_orig_seq%(cid: conn_id%): count if ( c->ConnTransport() != TRANSPORT_TCP ) return new Val(0, TYPE_COUNT); - Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP); + analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) return new Val(static_cast(tc)->OrigSeq(), TYPE_COUNT); @@ -4407,7 +4368,7 @@ function get_resp_seq%(cid: conn_id%): count if ( c->ConnTransport() != TRANSPORT_TCP ) return new Val(0, TYPE_COUNT); - Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP); + analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) return new Val(static_cast(tc)->RespSeq(), TYPE_COUNT); 
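Review bot: `c->FindAnalyzer("Login")` in both `get_login_state` and `set_login_state` looks the analyzer up under a name that does not match how it is registered: BuiltinAnalyzers.cc in this same patch defines it as `DEFINE_ANALYZER("LOGIN", ...)`, `RegisterAnalyzerComponent()` stores that name as given (only the enum constant is upper-cased), and `Manager::Lookup(const char*)` is a plain `std::map` find, so unless `Connection::FindAnalyzer(const char*)` (not in view) folds case, the Login analyzer is never found and both BIFs silently return false. Every other call site converted here uses the registered upper-case spelling (`"TCP"`, `"SMTP"`, `"HTTP"`); change both to `c->FindAnalyzer("LOGIN")`. Better still, resolve the tag once via `analyzer_mgr->GetAnalyzerTag("LOGIN")` and report `Tag::ERROR` loudly instead of comparing strings on every call, so a rename fails at startup rather than as a silent false. The bodies of `get_login_state` and `set_login_state` begin before and continue after their hunks.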
@@ -4429,7 +4390,7 @@ function get_resp_seq%(cid: conn_id%): count ## .. bro:see:: skip_http_entity_data function skip_smtp_data%(c: connection%): any %{ - Analyzer* sa = c->FindAnalyzer(AnalyzerTag::SMTP); + analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); if ( sa ) static_cast(sa)->SkipData(); return 0; diff --git a/src/builtin-func.y b/src/builtin-func.y index 474f321ccd..b5d076a56e 100644 --- a/src/builtin-func.y +++ b/src/builtin-func.y @@ -197,11 +197,11 @@ char* concat(const char* str1, const char* str2) void print_event_c_prototype(FILE *fp, bool is_header) { if ( is_header ) - fprintf(fp, "%s void %s(Analyzer* analyzer%s", + fprintf(fp, "%s void %s(analyzer::Analyzer* analyzer%s", decl.generate_c_namespace_start.c_str(), decl.generate_bare_name.c_str(), args.size() ? ", " : "" ); else - fprintf(fp, "void %s(Analyzer* analyzer%s", + fprintf(fp, "void %s(analyzer::Analyzer* analyzer%s", decl.generate_c_fullname.c_str(), args.size() ? ", " : "" ); for ( int i = 0; i < (int) args.size(); ++i ) diff --git a/src/event.bif b/src/event.bif index 393021024a..dd7ab3c1d6 100644 --- a/src/event.bif +++ b/src/event.bif @@ -841,8 +841,8 @@ event gap_report%(dt: interval, info: gap_info%); ## c: The connection. ## ## atype: The type of the analyzer confirming that its protocol is in -## use. The value is one of the ``ANALYZER_*`` constants. For example, -## ``ANALYZER_HTTP`` means the HTTP analyzers determined that it's indeed +## use. The value is one of the ``Analyzer::ANALYZER_*`` constants. For example, +## ``Analyzer::ANALYZER_HTTP`` means the HTTP analyzer determined that it's indeed ## parsing an HTTP connection. ## ## aid: A unique integer ID identifying the specific *instance* of the 
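Review bot: print_event_c_prototype now emits `analyzer::Analyzer* analyzer` into every generated event prototype, so the generated header must see a declaration of that class inside `namespace analyzer` (a forward declaration or an include that provides it) before those prototypes; this hunk does not show where such a declaration is emitted, so confirm the generator's header preamble was updated as well, since a generated header that still only knows a bare `Analyzer` would presumably fail to compile. A one-line comment above the first `fprintf`, `// Generated prototypes take analyzer::Analyzer*; the header preamble must declare it`, would make that dependency explicit.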
@@ -857,7 +857,7 @@ event gap_report%(dt: interval, info: gap_info%); ## Bro's default scripts use this event to determine the ``service`` column ## of :bro:type:`Conn::Info`: once confirmed, the protocol will be listed ## there (and thus in ``conn.log``). -event protocol_confirmation%(c: connection, atype: count, aid: count%); +event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%); ## Generated when a protocol analyzer determines that a connection it is parsing ## is not conforming to the protocol it expects. Bro's dynamic protocol @@ -869,8 +869,8 @@ event protocol_confirmation%(c: connection, atype: count, aid: count%); ## c: The connection. ## ## atype: The type of the analyzer confirming that its protocol is in -## use. The value is one of the ``ANALYZER_*`` constants. For example, -## ``ANALYZER_HTTP`` means the HTTP analyzers determined that it's indeed +## use. The value is one of the ``Analyzer::ANALYZER_*`` constants. For example, +## ``Analyzer::ANALYZER_HTTP`` means the HTTP analyzer determined that it's indeed ## parsing an HTTP connection. ## ## aid: A unique integer ID identifying the specific *instance* of the @@ -888,7 +888,7 @@ event protocol_confirmation%(c: connection, atype: count, aid: count%); ## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's ## however a script-level decision and not done automatically by the event ## engine. -event protocol_violation%(c: connection, atype: count, aid: count, reason: string%); +event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%); ## Generated for each packet sent by a UDP flow's originator. This a potentially ## expensive event due to the volume of UDP traffic and should be used with 
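Review bot: Changing `atype` from `count` to `Analyzer::Tag` in `protocol_confirmation` (and in `protocol_violation` in the @@ -888 hunk) is a breaking change for every existing handler declared with `atype: count`, which will no longer match the event's signature. The updated paragraphs mention the new `Analyzer::ANALYZER_*` constants but not the incompatibility; add a line such as `## .. note:: *atype* is an :bro:type:\`Analyzer::Tag\`; handlers declared with ``atype: count`` must be updated.` so script authors know what to migrate.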
@@ -1389,8 +1389,8 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%); ## TODO. @@ -1636,8 +1636,8 @@ event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event finger_request%(c: connection, full: bool, username: string, hostname: string%); ## Generated for Finger replies. @@ -1653,8 +1653,8 @@ event finger_request%(c: connection, full: bool, username: string, hostname: str ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event finger_reply%(c: connection, reply_line: string%); 
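Review bot: The rewritten `.. todo::` text tells readers to "register a port for it" but drops the cross-reference the old sentence carried, so the rendered documentation no longer links to the function that does it. Since the new framework exports `Analyzer::register_for_port`, add a `:bro:see:` reference to `Analyzer::register_for_port` after "register a port for it", e.g. `## register a port for it (:bro:see:\`Analyzer::register_for_port\`) or add a DPD payload signature.` The identical paragraph is rewritten in every other hunk of this file from here through the `nfs_proc_read` hunk on the last line of this chunk, so the same wording applies there.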
@@ -1669,8 +1669,8 @@ event finger_reply%(c: connection, reply_line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_text_msg%(c: connection, orig: bool, headers: string%); ## TODO. @@ -1683,8 +1683,8 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, @@ -1700,8 +1700,8 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_partial_binary_msg%(c: connection, orig: bool, msg: string, len: count%); 
@@ -1715,8 +1715,8 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_establish%(c: connection%); ## TODO. @@ -1729,8 +1729,8 @@ event gnutella_establish%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_not_establish%(c: connection%); ## TODO. @@ -1743,8 +1743,8 @@ event gnutella_not_establish%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_http_notify%(c: connection%); ## Generated for Ident requests. 
@@ -1762,8 +1762,8 @@ event gnutella_http_notify%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ident_request%(c: connection, lport: port, rport: port%); ## Generated for Ident replies. @@ -1785,8 +1785,8 @@ event ident_request%(c: connection, lport: port, rport: port%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%); ## Generated for Ident error replies. @@ -1806,8 +1806,8 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ident_error%(c: connection, lport: port, rport: port, line: string%); ## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects 
@@ -1840,8 +1840,8 @@ event ident_error%(c: connection, lport: port, rport: port, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); ## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects @@ -1874,8 +1874,8 @@ event login_failure%(c: connection, user: string, client_user: string, password: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); ## Generated for lines of input on Telnet/Rlogin sessions. The line will have 
@@ -1890,8 +1890,8 @@ event login_success%(c: connection, user: string, client_user: string, password: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_input_line%(c: connection, line: string%); ## Generated for lines of output on Telnet/Rlogin sessions. The line will have @@ -1906,8 +1906,8 @@ event login_input_line%(c: connection, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_output_line%(c: connection, line: string%); ## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's @@ -1932,8 +1932,8 @@ event login_output_line%(c: connection, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_confused%(c: connection, msg: string, line: string%); ## Generated after getting confused while tracking a Telnet/Rlogin 
@@ -1952,8 +1952,8 @@ event login_confused%(c: connection, msg: string, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_confused_text%(c: connection, line: string%); ## Generated for clients transmitting a terminal type in a Telnet session. This @@ -1968,8 +1968,8 @@ event login_confused_text%(c: connection, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_terminal%(c: connection, terminal: string%); ## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This @@ -1984,8 +1984,8 @@ event login_terminal%(c: connection, terminal: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_display%(c: connection, display: string%); ## Generated when a Telnet authentication has been successful. The Telnet 
@@ -2008,8 +2008,8 @@ event login_display%(c: connection, display: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event authentication_accepted%(name: string, c: connection%); ## Generated when a Telnet authentication has been unsuccessful. The Telnet @@ -2032,8 +2032,8 @@ event authentication_accepted%(name: string, c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event authentication_rejected%(name: string, c: connection%); ## Generated for Telnet/Rlogin sessions when a pattern match indicates @@ -2055,8 +2055,8 @@ event authentication_rejected%(name: string, c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event authentication_skipped%(c: connection%); ## Generated for clients transmitting a terminal prompt in a Telnet session. 
@@ -2075,8 +2075,8 @@ event authentication_skipped%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_prompt%(c: connection, prompt: string%); ## Generated for Telnet sessions when encryption is activated. The Telnet @@ -2126,8 +2126,8 @@ event inconsistent_option%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event bad_option%(c: connection%); ## Generated for a Telnet option that's incorrectly terminated. @@ -2144,8 +2144,8 @@ event bad_option%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event bad_option_termination%(c: connection%); ## Generated for client side commands on an RSH connection. 
@@ -2174,8 +2174,8 @@ event bad_option_termination%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%); ## Generated for client side commands on an RSH connection. @@ -2202,8 +2202,8 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%); ## Generated for client-side FTP commands. 
@@ -2569,8 +2569,8 @@ event mime_content_hash%(c: connection, content_len: count, hash_value: string%) ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); ## Generated for RPC *call* messages. @@ -2595,8 +2595,8 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); ## Generated for RPC *reply* messages. 
@@ -2618,8 +2618,8 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); ## Generated for Portmapper requests of type *null*. @@ -2637,8 +2637,8 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_null%(r: connection%); ## Generated for Portmapper request/reply dialogues of type *set*. @@ -2662,8 +2662,8 @@ event pm_request_null%(r: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_set%(r: connection, m: pm_mapping, success: bool%); ## Generated for Portmapper request/reply dialogues of type *unset*. 
@@ -2687,8 +2687,8 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## Generated for Portmapper request/reply dialogues of type *getport*. @@ -2710,8 +2710,8 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); ## Generated for Portmapper request/reply dialogues of type *dump*. 
@@ -2731,8 +2731,8 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_dump%(r: connection, m: pm_mappings%); ## Generated for Portmapper request/reply dialogues of type *callit*. @@ -2754,8 +2754,8 @@ event pm_request_dump%(r: connection, m: pm_mappings%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); ## Generated for failed Portmapper requests of type *null*. @@ -2776,8 +2776,8 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_null%(r: connection, status: rpc_status%); ## Generated for failed Portmapper requests of type *set*. 
@@ -2800,8 +2800,8 @@ event pm_attempt_null%(r: connection, status: rpc_status%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); ## Generated for failed Portmapper requests of type *unset*. @@ -2824,8 +2824,8 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); ## Generated for failed Portmapper requests of type *getport*. 
@@ -2848,8 +2848,8 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%); ## Generated for failed Portmapper requests of type *dump*. @@ -2870,8 +2870,8 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_dump%(r: connection, status: rpc_status%); ## Generated for failed Portmapper requests of type *callit*. 
@@ -2894,8 +2894,8 @@ event pm_attempt_dump%(r: connection, status: rpc_status%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); ## Generated for Portmapper requests or replies that include an invalid port @@ -2918,8 +2918,8 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_bad_port%(r: connection, bad_p: count%); ## Generated for NFSv3 request/reply dialogues of type *null*. The event is 
@@ -2941,8 +2941,8 @@ event pm_bad_port%(r: connection, bad_p: count%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is
@@ -2969,8 +2969,8 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is
@@ -2997,8 +2997,8 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *read*. The event is
@@ -3025,8 +3025,8 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is
@@ -3053,8 +3053,8 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *write*. The event is
@@ -3082,8 +3082,8 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *create*. The event is
@@ -3110,8 +3110,8 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t,
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is
@@ -3138,8 +3138,8 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *remove*. The event is
@@ -3166,8 +3166,8 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is
@@ -3194,8 +3194,8 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is
@@ -3222,8 +3222,8 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
 
 ## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3
@@ -3245,8 +3245,8 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
 
 ## Generated for each NFSv3 reply message received, reporting just the
@@ -3263,8 +3263,8 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 
 ## Generated for all NTP messages. Different from many other of Bro's events,
@@ -3284,8 +3284,8 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
 
 ## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
@@ -3316,8 +3316,8 @@ event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
 
 ## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
@@ -3344,8 +3344,8 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_request%(c: connection, msg: string%);
 
 ## Generated for NetBIOS messages of type *positive session response*. Bro's
@@ -3372,8 +3372,8 @@ event netbios_session_request%(c: connection, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_accepted%(c: connection, msg: string%);
 
 ## Generated for NetBIOS messages of type *negative session response*. Bro's
@@ -3400,8 +3400,8 @@ event netbios_session_accepted%(c: connection, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_rejected%(c: connection, msg: string%);
 
 ## Generated for NetBIOS messages of type *session message* that are not
@@ -3435,8 +3435,8 @@ event netbios_session_rejected%(c: connection, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 
 ## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
@@ -3465,8 +3465,8 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 
 ## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
@@ -3493,8 +3493,8 @@ event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event netbios_session_keepalive%(c: connection, msg: string%);
 
 ## Generated for all SMB/CIFS messages.
@@ -3526,8 +3526,8 @@ event netbios_session_keepalive%(c: connection, msg: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%);
 
 ## Generated for SMB/CIFS messages of type *tree connect andx*.
@@ -3553,8 +3553,8 @@ event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%);
 
 ## Generated for SMB/CIFS messages of type *tree disconnect*.
@@ -3576,8 +3576,8 @@ event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, serv
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *nt create andx*.
@@ -3601,8 +3601,8 @@ event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
 
 ## Generated for SMB/CIFS messages of type *nt transaction*.
@@ -3630,8 +3630,8 @@ event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
 
 ## Generated for SMB/CIFS messages of type *nt transaction 2*.
@@ -3659,8 +3659,8 @@ event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data:
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
 
 ## Generated for SMB/CIFS messages of type *transaction mailslot*.
@@ -3688,8 +3688,8 @@ event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data:
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
 
 ## Generated for SMB/CIFS messages of type *transaction rap*.
@@ -3717,8 +3717,8 @@ event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, dat
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
 
 ## Generated for SMB/CIFS messages of type *transaction pipe*.
@@ -3746,8 +3746,8 @@ event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: sm
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
 
 ## Generated for SMB/CIFS messages of type *read andx*.
@@ -3771,8 +3771,8 @@ event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: s
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
 
 ## Generated for SMB/CIFS messages of type *read andx*.
@@ -3796,8 +3796,8 @@ event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
 
 ## Generated for SMB/CIFS messages of type *get dfs referral*.
@@ -3824,8 +3824,8 @@ event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%);
 
 ## Generated for SMB/CIFS messages of type *negotiate*.
@@ -3846,8 +3846,8 @@ event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: cou
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *negotiate response*.
@@ -3870,8 +3870,8 @@ event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%);
 
 ## Generated for SMB/CIFS messages of type *setup andx*.
@@ -3893,8 +3893,8 @@ event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: co
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *generic andx*.
@@ -3916,8 +3916,8 @@ event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *close*.
@@ -3939,8 +3939,8 @@ event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_close%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages of type *logoff andx*.
@@ -3962,8 +3962,8 @@ event smb_com_close%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);
 
 ## Generated for SMB/CIFS messages that indicate an error. This event is
@@ -3988,8 +3988,8 @@ event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%);
 
 ## Generated for all DNS messages.
@@ -4500,8 +4500,8 @@ event dns_end%(c: connection, msg: dns_msg%) &group="dns";
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
 
 ## Generated for DHCP messages of type *offer*.
@@ -4535,8 +4535,8 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
 
 ## Generated for DHCP messages of type *request*.
@@ -4566,8 +4566,8 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%);
 
 ## Generated for DHCP messages of type *decline*.
@@ -4593,8 +4593,8 @@ event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: add
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_decline%(c: connection, msg: dhcp_msg%);
 
 ## Generated for DHCP messages of type *acknowledgment*.
@@ -4628,8 +4628,8 @@ event dhcp_decline%(c: connection, msg: dhcp_msg%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
 
 ## Generated for DHCP messages of type *negative acknowledgment*.
@@ -4655,8 +4655,8 @@ event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_li
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_nak%(c: connection, msg: dhcp_msg%);
 
 ## Generated for DHCP messages of type *release*.
@@ -4682,8 +4682,8 @@ event dhcp_nak%(c: connection, msg: dhcp_msg%);
 ##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
-## been ported to Bro 2.x. To still enable this event, one needs to add a
-## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
+## been ported to Bro 2.x. To still enable this event, one needs to
+## register a port for it or add a DPD payload signature.
 event dhcp_release%(c: connection, msg: dhcp_msg%);
 
 ## Generated for DHCP messages of type *inform*.
@@ -4709,8 +4709,8 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dhcp_inform%(c: connection, msg: dhcp_msg%); ## Generated for HTTP requests. Bro supports persistent and pipelined HTTP @@ -5186,8 +5186,8 @@ event x509_error%(c: connection, is_orig: bool, err: count%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%); ## TODO. @@ -5197,8 +5197,8 @@ event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_bind%(c: connection, uuid: string%); ## TODO. 
@@ -5208,8 +5208,8 @@ event dce_rpc_bind%(c: connection, uuid: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_request%(c: connection, opnum: count, stub: string%); ## TODO. @@ -5219,8 +5219,8 @@ event dce_rpc_request%(c: connection, opnum: count, stub: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_response%(c: connection, opnum: count, stub: string%); ## TODO. @@ -5230,8 +5230,8 @@ event dce_rpc_response%(c: connection, opnum: count, stub: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); ## Generated for NCP requests (Netware Core Protocol). 
@@ -5251,8 +5251,8 @@ event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ncp_request%(c: connection, frame_type: count, length: count, func: count%); ## Generated for NCP replies (Netware Core Protocol). @@ -5276,8 +5276,8 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count% ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%); ## Generated for client-side commands on POP3 connections. 
@@ -5299,8 +5299,8 @@ event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: cou ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_request%(c: connection, is_orig: bool, command: string, arg: string%); @@ -5326,8 +5326,8 @@ event pop3_request%(c: connection, is_orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); ## Generated for server-side multi-line responses on POP3 connections. POP3 @@ -5349,8 +5349,8 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_data%(c: connection, is_orig: bool, data: string%); ## Generated for errors encountered on POP3 sessions. If the POP3 analyzer 
@@ -5373,8 +5373,8 @@ event pop3_data%(c: connection, is_orig: bool, data: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); @@ -5400,8 +5400,8 @@ event pop3_unexpected%(c: connection, is_orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_terminate%(c: connection, is_orig: bool, msg: string%); ## Generated for successful authentications on POP3 connections. @@ -5423,8 +5423,8 @@ event pop3_terminate%(c: connection, is_orig: bool, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_login_success%(c: connection, is_orig: bool, user: string, password: string%); 
@@ -5447,8 +5447,8 @@ event pop3_login_success%(c: connection, is_orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_login_failure%(c: connection, is_orig: bool, user: string, password: string%); diff --git a/src/main.cc b/src/main.cc index 2232180c5e..08756c1bf3 100644 --- a/src/main.cc +++ b/src/main.cc @@ -49,7 +49,6 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "PersistenceSerializer.h" #include "EventRegistry.h" #include "Stats.h" -#include "DPM.h" #include "BroDoc.h" #include "Brofiler.h" @@ -57,6 +56,9 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "input/Manager.h" #include "logging/Manager.h" #include "logging/writers/Ascii.h" +#include "analyzer/BuiltinAnalyzers.h" +#include "analyzer/Manager.h" +#include "plugin/Manager.h" #include "binpac_bro.h" @@ -86,6 +88,8 @@ TimerMgr* timer_mgr; logging::Manager* log_mgr = 0; threading::Manager* thread_mgr = 0; input::Manager* input_mgr = 0; +plugin::Manager* plugin_mgr = 0; +analyzer::Manager* analyzer_mgr = 0; Stmt* stmts; EventHandlerPtr net_done = 0; RuleMatcher* rule_matcher = 0; @@ -99,7 +103,6 @@ ProfileLogger* profiling_logger = 0; ProfileLogger* segment_logger = 0; SampleLogger* sample_logger = 0; int signal_val = 0; -DPM* dpm = 0; int optimize = 0; int do_notice_analysis = 0; int rule_bench = 0; 
@@ -176,6 +179,7 @@ void usage() fprintf(stderr, " -I|--print-id | print out given ID\n"); fprintf(stderr, " -K|--md5-hashkey | set key for MD5-keyed hashing\n"); fprintf(stderr, " -L|--rule-benchmark | benchmark for rules\n"); + fprintf(stderr, " -N|--print-plugins | print all available plugins and exit\n"); fprintf(stderr, " -O|--optimize | optimize policy script\n"); fprintf(stderr, " -P|--prime-dns | prime DNS\n"); fprintf(stderr, " -R|--replay | replay events\n"); @@ -233,6 +237,27 @@ void usage() exit(1); } +void show_plugins() + { + plugin::Manager::plugin_list plugins = plugin_mgr->Plugins(); + + if ( ! plugins.size() ) + { + printf("No plugins registered, not even any built-ins. This is probably a bug.\n"); + return; + } + + ODesc d; + + for ( plugin::Manager::plugin_list::const_iterator i = plugins.begin(); i != plugins.end(); i++ ) + { + (*i)->Describe(&d); + d.NL(); + } + + printf("%s", d.Description()); + } + void done_with_network() { set_processing_status("TERMINATING", "done_with_network"); @@ -262,7 +287,7 @@ void done_with_network() terminating = true; - dpm->Done(); + analyzer_mgr->Done(); timer_mgr->Expire(); dns_mgr->Flush(); mgr.Drain(); @@ -324,6 +349,8 @@ void terminate_bro() mgr.Drain(); + plugin_mgr->FinishPlugins(); + delete timer_mgr; delete dns_mgr; delete persistence_serializer; @@ -333,8 +360,9 @@ void terminate_bro() delete event_registry; delete secondary_path; delete remote_serializer; - delete dpm; + delete analyzer_mgr; delete log_mgr; + delete plugin_mgr; delete thread_mgr; delete reporter; @@ -412,6 +440,7 @@ int main(int argc, char** argv) int override_ignore_checksums = 0; int rule_debug = 0; int RE_level = 4; + int print_plugins = 0; static struct option long_opts[] = { {"bare-mode", no_argument, 0, 'b'}, 
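Review bot: The teardown order in `terminate_bro()` runs `plugin_mgr->FinishPlugins()` — which calls `Done()` on and deletes every plugin, and with it every `Component` a plugin owns — before `delete analyzer_mgr`; if `analyzer::Manager` caches the `analyzer::PluginComponent` pointers it obtains from the plugin manager (its `Init()` is called right after `InitPlugins()` in main, which suggests it does, but that code is not visible here), its destructor then walks freed objects. Deleting `analyzer_mgr` before `FinishPlugins()`, or a comment on the `plugin_mgr->FinishPlugins();` line stating that nothing may touch components after it, would close that. `show_plugins()` itself is fine; its "not even any built-ins" message is a useful self-check given that `main` always registers `BuiltinAnalyzers`. Both `done_with_network()` and `terminate_bro()` extend outside the hunk.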
@@ -440,6 +469,7 @@ int main(int argc, char** argv) {"set-seed", required_argument, 0, 'J'}, {"md5-hashkey", required_argument, 0, 'K'}, {"rule-benchmark", no_argument, 0, 'L'}, + {"print-plugins", no_argument, 0, 'N'}, {"optimize", no_argument, 0, 'O'}, {"prime-dns", no_argument, 0, 'P'}, {"replay", required_argument, 0, 'R'}, @@ -494,7 +524,7 @@ int main(int argc, char** argv) opterr = 0; char opts[256]; - safe_strncpy(opts, "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGLOPSWbdghvZ", + safe_strncpy(opts, "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGLNOPSWbdghvZ", sizeof(opts)); #ifdef USE_PERFTOOLS_DEBUG @@ -609,6 +639,10 @@ int main(int argc, char** argv) ++rule_bench; break; + case 'N': + print_plugins = 1; + break; + case 'O': optimize = 1; break; @@ -764,6 +798,8 @@ int main(int argc, char** argv) add_input_file(argv[optind++]); } + push_scope(0); + dns_mgr = new DNS_Mgr(dns_type); // It would nice if this were configurable. This is similar to the @@ -774,19 +810,28 @@ int main(int argc, char** argv) persistence_serializer = new PersistenceSerializer(); remote_serializer = new RemoteSerializer(); event_registry = new EventRegistry(); + + analyzer_mgr = new analyzer::Manager(); log_mgr = new logging::Manager(); - input_mgr = new input::Manager(); + input_mgr = new input::Manager(); + plugin_mgr = new plugin::Manager(); + + plugin_mgr->RegisterPlugin(new analyzer::BuiltinAnalyzers()); + plugin_mgr->InitPlugins(); + + if ( print_plugins ) + { + show_plugins(); + exit(1); + } + + analyzer_mgr->Init(); if ( events_file ) event_player = new EventPlayer(events_file); init_event_handlers(); - push_scope(0); - - dpm = new DPM; - dpm->PreScriptInit(); - // The leak-checker tends to produce some false // positives (memory which had already been // allocated before we start the checking is 
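Review bot: `--print-plugins` exits with `exit(1)` after `show_plugins()`, so a successful listing reports failure to the shell and to any wrapper script that checks the status; use `exit(0);` there, reserving a non-zero status for the "no plugins registered" branch if that is meant to be an error. The return value of `plugin_mgr->RegisterPlugin(new analyzer::BuiltinAnalyzers())` is ignored; as written it always returns true, but the `bool` signature promises a failure mode, so either check it or make the method `void`. `push_scope(0)` is moved ahead of the manager construction without a comment saying why; a one-liner (`// scope must exist before managers register script-level IDs`, if that is the reason) would help. `main()` continues outside the hunk.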
@@ -1045,12 +1090,12 @@ int main(int argc, char** argv) mgr.QueueEvent(bro_script_loaded, vl); } - dpm->PostScriptInit(); - reporter->ReportViaEvents(true); mgr.Drain(); + analyzer_mgr->DumpDebug(); + have_pending_timers = ! reading_traces && timer_mgr->Size() > 0; io_sources.Register(thread_mgr, true); diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc new file mode 100644 index 0000000000..c4276ca1ff --- /dev/null +++ b/src/plugin/Component.cc @@ -0,0 +1,47 @@ + +#include "Component.h" + +#include "../Desc.h" +#include "../Reporter.h" + +using namespace plugin; + +Component::Component(component::Type arg_type) + { + type = arg_type; + } + +Component::~Component() + { + } + +component::Type Component::Type() const + { + return type; + } + +void Component::Describe(ODesc* d) + { + d->Add(" "); + d->Add("["); + + switch ( type ) { + case component::READER: + d->Add("Reader"); + break; + + case component::WRITER: + d->Add("Writer"); + break; + + case component::ANALYZER: + d->Add("Analyzer"); + break; + + default: + reporter->InternalError("unknown component type in plugin::Component::Describe"); + } + + d->Add("]"); + d->Add(" "); + } diff --git a/src/plugin/Component.h b/src/plugin/Component.h new file mode 100644 index 0000000000..09357effd2 --- /dev/null +++ b/src/plugin/Component.h @@ -0,0 +1,37 @@ + +#ifndef PLUGIN_COMPONENT_H +#define PLUGIN_COMPONENT_H + +class ODesc; + +namespace plugin { + +namespace component { + enum Type { + READER, + WRITER, + ANALYZER + }; +} + +namespace input { class PluginComponent; } +namespace logging { class PluginComponent; } +namespace analyzer { class PluginComponent; } + +class Component +{ +public: + Component(component::Type type); + virtual ~Component(); + + component::Type Type() const; + + virtual void Describe(ODesc* d); + +private: + component::Type type; +}; + +} + +#endif diff --git a/src/plugin/DummyPlugin.cc b/src/plugin/DummyPlugin.cc new file mode 100644 index 0000000000..8a7889c682 --- /dev/null 
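Review bot: In Component.h the forward declarations `namespace input { class PluginComponent; }`, `namespace logging { class PluginComponent; }` and `namespace analyzer { class PluginComponent; }` sit inside `namespace plugin`, so they declare `plugin::input::PluginComponent` and friends rather than types in the top-level `input`/`logging`/`analyzer` namespaces that main.cc uses (`input::Manager`, `analyzer::Manager`). If the top-level namespaces are intended, the three lines belong above `namespace plugin {`; if the classes really live under `plugin::`, a comment saying so would stop the next reader from "fixing" it. Nothing in this header uses the three names, so they could also simply be dropped. Component.cc's `Describe` falls to `reporter->InternalError` on an unknown type, which is the right choice for an enum that plugins will extend.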
+++ b/src/plugin/DummyPlugin.cc @@ -0,0 +1,28 @@ + +#include "Plugin.h" + +class DummyPlugin { +public: + virtual void Init() + { + plugin::Description desc; + desc.name = "Dummy"; + desc.description = "My little dummy plugin"; + desc.version = 2; + desc.url = "http://dummy.bro.org"; + SetDescription(desc); + + analyzer::PluginComponent dummy("DUMMY", "Analyzer::DUMMY", dummy::Instantiate, dummy::Available, 0, false); + AddComponent(dummy); + } + +Plugin* bro_plugin() + { + return new DummyPlugin(); + } + + + + + + diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc new file mode 100644 index 0000000000..62440c0039 --- /dev/null +++ b/src/plugin/Manager.cc 
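Review bot: DummyPlugin.cc cannot compile as written: `class DummyPlugin {` does not derive from `plugin::Plugin` yet calls `SetDescription` and `AddComponent`, the class body is never closed before `bro_plugin()`, `AddComponent(dummy)` passes a stack object where `Plugin::AddComponent(Component*)` takes (and takes ownership of) a pointer, and `Plugin*` is unqualified outside `namespace plugin`. I assume the file is not in the build yet, but if it is meant as the reference for external plugins it should be the shape a loader could actually use; `dummy::Instantiate` and `dummy::Available` are not declared anywhere visible either, and a loader based on `dlsym` would presumably need `bro_plugin` to be `extern "C"`. A corrected skeleton:

```cpp
class DummyPlugin : public plugin::Plugin {
public:
	virtual void Init()
		{
		// … unchanged: desc setup and SetDescription(desc) …
		AddComponent(new analyzer::PluginComponent("DUMMY", "Analyzer::DUMMY",
		                                           dummy::Instantiate, dummy::Available, 0, false));
		}
};

plugin::Plugin* bro_plugin()
	{
	return new DummyPlugin();
	}
```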
@@ -0,0 +1,81 @@ + +#include "Manager.h" + +#include "../Reporter.h" + +using namespace plugin; + +Manager::Manager() + { + init = false; + } + +Manager::~Manager() + { + assert(! init); + } + +bool Manager::LoadPlugin(const std::string& path) + { + assert(! init); + reporter->InternalError("plugin::Manager::LoadPlugin not yet implemented"); + return false; + } + +bool Manager::LoadPluginsFrom(const std::string& dir) + { + assert(! init); + reporter->InternalError("plugin::Manager::LoadPluginsFrom not yet implemented"); + return false; + } + +bool Manager::RegisterPlugin(Plugin *plugin) + { + assert(! init); + + plugin::Description desc = plugin->GetDescription(); + + if ( desc.version != plugin::API_BUILTIN ) + { + if ( desc.api_version == API_ERROR ) + reporter->InternalError("API version of plugin %s not initialized", desc.name.c_str()); + + if ( desc.api_version != API_VERSION ) + reporter->FatalError("API version mismatch for plugin %s: expected %d, but have %d", + desc.name.c_str(), API_VERSION, desc.version); + } + + plugins.push_back(plugin); + return true; + } + +void Manager::InitPlugins() + { + assert(! init); + + for ( plugin_list::iterator i = plugins.begin(); i != plugins.end(); i++ ) + (*i)->Init(); + + init = true; + } + +void Manager::FinishPlugins() + { + assert(init); + + for ( plugin_list::iterator i = plugins.begin(); i != plugins.end(); i++ ) + { + (*i)->Done(); + delete *i; + } + + plugins.clear(); + + init = false; + } + +Manager::plugin_list Manager::Plugins() const + { + return plugins; +} + diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h new file mode 100644 index 0000000000..26f07dc944 --- /dev/null +++ b/src/plugin/Manager.h 
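Review bot: The `FatalError` in `RegisterPlugin` reports the wrong field: after comparing `desc.api_version` it prints `desc.version` (the plugin's own version) as the "but have" value, so a mismatch would be reported as, say, "expected 1, but have 2" for a plugin whose API version was actually 0; change the call to `desc.name.c_str(), API_VERSION, desc.api_version);`. The preceding `api_version == API_ERROR` check also looks unreachable for a `Description` built through its constructor, which sets `api_version = API_VERSION` (Plugin.cc in this same commit), so either the constructor should start at `API_ERROR` and require plugins to set it, or the branch can go. `LoadPlugin`/`LoadPluginsFrom` abort with `InternalError`, which is fine for a stub, but a `// TODO: dynamic loading not implemented` would keep Manager.h from advertising them as working. `~Manager()` asserts `! init` but does not free plugins registered without a matching `InitPlugins`/`FinishPlugins`, so that path leaks rather than asserts.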
@@ -0,0 +1,87 @@ + +#ifndef PLUGIN_MANAGER_H +#define PLUGIN_MANAGER_H + +#include "Plugin.h" +#include "Component.h" + +#include "../Reporter.h" + +namespace plugin { + +class Manager +{ +public: + typedef std::list plugin_list; + typedef Plugin::component_list component_list; + + Manager(); + ~Manager(); + + /** + */ + bool LoadPlugin(const std::string& file); + + /** + * + */ + bool LoadPluginsFrom(const std::string& dir); + + /** + * + * @param plugin: The plugin to register. The method takes ownership. + */ + bool RegisterPlugin(Plugin *plugin); // Takes ownership. + + /** + * + */ + void InitPlugins(); + + /** + * + */ + void FinishPlugins(); + + /** + * + */ + plugin_list Plugins() const; + + /** + * + */ + template + std::list Components(component::Type type) const; + +private: + bool init; + plugin_list plugins; +}; + +template +std::list Manager::Components(component::Type type) const + { + std::list result; + + for ( plugin_list::const_iterator p = plugins.begin(); p != plugins.end(); p++ ) + { + component_list components = (*p)->Components(); + + for ( component_list::const_iterator c = components.begin(); c != components.end(); c++ ) + { + T* t = dynamic_cast(*c); + + if ( t ) + result.push_back(t); + } + } + + return result; + } + +} + +extern plugin::Manager* plugin_mgr; + +#endif diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc new file mode 100644 index 0000000000..e5a09e0dcc --- /dev/null +++ b/src/plugin/Plugin.cc 
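Review bot: `Manager::Components(component::Type type)` never reads `type` — the template body filters solely by `dynamic_cast` to `T` — so a caller passing `component::READER` with `T = analyzer::PluginComponent` silently gets analyzers; either apply `(*c)->Type() == type` in the inner loop or drop the parameter. Every doc comment on the public API is empty, and the lifecycle the asserts enforce is exactly what callers need: suggest `/** Calls Init() on every registered plugin; RegisterPlugin() must not be called afterwards. */` on `InitPlugins`, `/** Calls Done() on and deletes every plugin; must run before the manager is destroyed (the destructor asserts it has). */` on `FinishPlugins`, and `/** Returns all components across all plugins that are a T, via dynamic_cast. */` on `Components`. `Plugins()` and `Components()` return lists by value and the inner loop copies each plugin's component list per iteration; returning `const plugin_list&` from `Plugins()` and binding `const component_list&` would avoid that, though it is a style choice. `#include "../Reporter.h"` is not needed by anything in this header.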
@@ -0,0 +1,94 @@ + +#include + +#include "Plugin.h" +#include "Component.h" + +#include "../Desc.h" + +using namespace plugin; + +Description::Description() + { + name = ""; + api_version = API_VERSION; + } + +Plugin::Plugin() + { + } + +Description Plugin::GetDescription() const + { + return description; + } + +void Plugin::SetDescription(Description& desc) + { + description = desc; + } + +Plugin::~Plugin() + { + Done(); + } + +void Plugin::Init() + { + } + +void Plugin::Done() + { + for ( component_list::const_iterator i = components.begin(); i != components.end(); i++ ) + delete *i; + + components.clear(); + } + +Plugin::component_list Plugin::Components() + { + return components; + } + +void Plugin::AddComponent(Component* c) + { + components.push_back(c); + } + +void Plugin::Describe(ODesc* d) + { + d->Add("Plugin: "); + d->Add(description.name); + + if ( description.description.size() ) + { + d->Add(" - "); + d->Add(description.description); + } + + if ( description.version != API_BUILTIN ) + { + d->Add(" (version "); + d->Add(description.version); + + if ( description.url.size() ) + { + d->Add(", from "); + d->Add(description.url); + } + + d->Add(")"); + } + + else + d->Add(" (built-in)"); + + d->NL(); + + for ( component_list::const_iterator i = components.begin(); i != components.end(); i++ ) + { + (*i)->Describe(d); + d->NL(); + } + } + diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h new file mode 100644 index 0000000000..f62b81772f --- /dev/null +++ b/src/plugin/Plugin.h 
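Review bot: `Description::Description()` leaves `version` uninitialised while both `Manager::RegisterPlugin` and `Plugin::Describe` in this commit compare it against `API_BUILTIN`, so a plugin that does not assign `version` in `Init()` feeds an indeterminate int into those comparisons; initialise it next to `api_version = API_VERSION;`, e.g. `version = 0;` (a dedicated "unset" sentinel would be clearer still). `Plugin::~Plugin()` calls `Done()`, but from a base-class destructor the virtual call always resolves to `Plugin::Done`, so a derived plugin's override only runs because `Manager::FinishPlugins` calls it explicitly beforehand; a comment on the destructor such as `// Only frees components; FinishPlugins() is the real teardown and calls the virtual Done().` would keep someone from relying on the destructor alone. `SetDescription(Description& desc)` only copies and could take `const Description&`.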
@@ -0,0 +1,60 @@ + +#ifndef PLUGIN_PLUGIN_H +#define PLUGIN_PLUGIN_H + +#include +#include + +class ODesc; + +namespace plugin { + +class Manager; +class Component; + +static const int API_VERSION = 1; +static const int API_BUILTIN = -1; +static const int API_ERROR = -2; + +struct Description { + std::string name; + std::string description; + std::string url; + int version; + int api_version; + + Description(); + void Describe(ODesc* d); + }; + +class Plugin { +public: + typedef std::list component_list; + + Plugin(); + virtual ~Plugin(); + + Description GetDescription() const; + void SetDescription(Description& desc); + + component_list Components(); + + virtual void Init(); + virtual void Done(); + + void Describe(ODesc* d); + +protected: + /** + * Takes ownership. + */ + void AddComponent(Component* c); + +private: + plugin::Description description; + component_list components; +}; + +} + +#endif diff --git a/src/scan.l b/src/scan.l index ffbc125728..6a649fb93b 100644 --- a/src/scan.l +++ b/src/scan.l @@ -22,9 +22,11 @@ #include "PolicyFile.h" #include "broparse.h" #include "BroDoc.h" -#include "Analyzer.h" -#include "AnalyzerTags.h" #include "Reporter.h" +#include "RE.h" +#include "Net.h" + +#include "analyzer/analyzer.h" extern YYLTYPE yylloc; // holds start line and column of token extern int print_loaded_scripts; @@ -67,8 +69,10 @@ void clear_reST_doc_comments(); // Adds changes to capture_filter to the current script's reST documentation. static void check_capture_filter_changes(); +#if 0 // Adds changes to dpd_config to the current script's reST documentation. static void check_dpd_config_changes(); +#endif static const char* canon_doc_comment(const char* comment) { @@ -822,7 +826,9 @@ int yywrap() while ( input_files.length() > 0 ) { check_capture_filter_changes(); +#if 0 check_dpd_config_changes(); +#endif if ( load_files(input_files[0]) ) { 
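Review bot: `Description::Describe(ODesc*)` is declared in Plugin.h but Plugin.cc in this commit defines only `Description::Description()` and the `Plugin` members, so any call to it fails at link time; either define it (the formatting logic in `Plugin::Describe` could move there) or drop the declaration. `SetDescription(Description& desc)` should take `const Description&` — it only copies, and as written it cannot be called with a temporary. `AddComponent` is the only documented member; `Init`/`Done` deserve the same, e.g. `/** Called once after registration; plugins add their components here. */` and `/** Called at shutdown; the base implementation deletes all components. */`. The `static const int API_VERSION = 1;` trio in a header gives each translation unit its own copy, which is harmless for ints but `enum` or `const` in a namespace-scope `.cc` would be the usual form.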
@@ -838,7 +844,9 @@ int yywrap() } check_capture_filter_changes(); +#if 0 check_dpd_config_changes(); +#endif // For each file scanned so far, and for each @prefix, look for a // prefixed and flattened version of the loaded file in BROPATH. The @@ -1003,6 +1011,7 @@ static void check_capture_filter_changes() } } +#if 0 static void check_dpd_config_changes() { if ( ! generate_documentation ) @@ -1047,6 +1056,7 @@ static void check_dpd_config_changes() dpd_table->RemoveAll(); } +#endif void print_current_reST_doc_comments() { diff --git a/src/util.cc b/src/util.cc index 0051f9f6fe..5d6104ce46 100644 --- a/src/util.cc +++ b/src/util.cc @@ -16,6 +16,7 @@ #include #include +#include #include #include #include @@ -298,6 +299,13 @@ void to_upper(char* s) } } +string to_upper(const std::string& s) + { + string t = s; + std::transform(t.begin(), t.end(), t.begin(), ::toupper); + return t; + } + const char* strchr_n(const char* s, const char* end_of_s, char ch) { for ( ; s < end_of_s; ++s ) diff --git a/src/util.h b/src/util.h index f717ecd333..7e0c1ba085 100644 --- a/src/util.h +++ b/src/util.h @@ -114,6 +114,7 @@ extern char* skip_digits(char* s); extern char* get_word(char*& s); extern void get_word(int length, const char* s, int& pwlen, const char*& pw); extern void to_upper(char* s); +extern std::string to_upper(const std::string& s); extern const char* strchr_n(const char* s, const char* end_of_s, char ch); extern const char* strrchr_n(const char* s, const char* end_of_s, char ch); extern int decode_hex(char ch);
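Review bot: The `#if 0` blocks around `check_dpd_config_changes()` and its two call sites in `yywrap()` leave a whole function of dead code referring to a `dpd_config` table that this commit retires (the .bif docs now say "register a port for it"). If the reST documentation hook is to be rebuilt on top of `Analyzer::register_for_port`, a `// TODO: re-implement on the analyzer framework's port registry` on the first `#if 0` would say so; otherwise delete the function and calls outright, since nothing will ever flag the disabled copy as stale. `yywrap()` and `check_dpd_config_changes()` both start outside the visible hunk.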
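Review bot: The new `to_upper(const std::string&)` in util.cc hands each `char` straight to `::toupper`, whose argument must be representable as `unsigned char` (or be EOF); on platforms where `char` is signed, bytes 0x80–0xFF — routine in the protocol data this codebase handles — become negative and the call is undefined behaviour, which table-driven libc implementations turn into an out-of-bounds read. Route the byte through `unsigned char` first, which also keeps the overload consistent with the existing `to_upper(char*)` if that one is fixed the same way:

```cpp
// toupper() requires its argument to be representable as unsigned char.
static int toupper_byte(int c)
	{
	return toupper((unsigned char) c);
	}

string to_upper(const std::string& s)
	{
	string t = s;
	std::transform(t.begin(), t.end(), t.begin(), toupper_byte);
	return t;
	}
```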