Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

First prototype of new analyzer framework.

Browse source 
This is a larger internal change that moves the analyzer
infrastructure to a more flexible model where the available analyzers
don't need to be hardcoded at compile time anymore. While currently
they actually still are, this will in the future enable external
analyzer plugins. For now, it does already add the capability to
dynamically enable/disable analyzers from script-land, replacing the
old Analyzer::Available() methods.

There are three major parts going into this:

    - A new plugin infrastructure in src/plugin. This is independent
      of analyzers and will eventually support plugins for other parts
      of Bro as well (think: readers and writers). The goal is that
      plugins can be alternatively compiled in statically or loadead
      dynamically at runtime from a shared library. While the latter
      isn't there yet, there'll be almost no code change for a plugin
      to make it dynamic later (hopefully :)

    - New analyzer infrastructure in src/analyzer. I've moved a number
      of analyzer-related classes here, including Analyzer and DPM;
      the latter now renamed to Analyzer::Manager. More will move here
      later. Currently, there's only one plugin here, which provides
      *all* existing analyzers. We can modularize this further in the
      future (or not).

    - A new script interface in base/framework/analyzer. I think that
      this will eventually replace the dpm framework, but for now
      that's still there as well, though some parts have moved over.

I've also remove the dpd_config table; ports are now configured via
the analyzer framework. For exmaple, for SSH:

    const ports = { 22/tcp } &redef;

    event bro_init() &priority=5
        {
        ...
        Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
        }

As you can see, the old ANALYZER_SSH constants have more into an enum
in the Analyzer namespace.

This is all hardly tested right now, and not everything works yet.
There's also a lot more cleanup to do (moving more classes around;
removing no longer used functionality; documenting script and C++
interfaces; regression tests). But it seems to generally work with a
small trace at least.

The debug stream "dpm" shows more about the loaded/enabled analyzers.

A new option -N lists loaded plugins and what they provide (including
those compiled in statically; i.e., right now it outputs all the
analyzers).

This is all not cast-in-stone yet, for some things we need to see if
they make sense this way. Feedback welcome.
This commit is contained in:
Robin Sommer 2013-03-20 13:32:36 -07:00
parent 9caf6e4884
commit af1809aaa3
166 changed files with 2717 additions and 1642 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/frameworks/analyzer/__load__.bro Normal file
View file

@ -0,0 +1 @@
@load ./main

119
scripts/base/frameworks/analyzer/main.bro Normal file
View file

@ -0,0 +1,119 @@
module Analyzer;
# Analyzer::Tag is defined in types.bif, and automatically extended by plugins
# as they are loaded.
export {
## XXX.
global enable_analyzer: function(tag: Analyzer::Tag) : bool;
## XXX.
global disable_analyzer: function(tag: Analyzer::Tag) : bool;
## XXX.
global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool;
## XXX.
global register_for_port: function(tag: Analyzer::Tag, p: port) : bool;
## XXX.
global registered_ports: function(tag: Analyzer::Tag) : set[port];
## Translate an analyzer type to an ASCII string.
##
## atype: The analyzer tag.
##
## Returns: The analyzer *aid* as string.
global name: function(atype: Analyzer::Tag) : string;
## Schedules an analyzer for a future connection from a given IP address and
## port. The function ignores the scheduling request if the connection did
## not occur within the specified time interval.
##
## orig: The IP address originating a connection in the future.
##
## resp: The IP address responding to a connection from *orig*.
##
## resp_p: The destination port at *resp*.
##
## analyzer: The analyzer ID.
##
## tout: The timeout interval after which to ignore the scheduling request.
##
## Returns: True if succesful.
global expect_connection: function(orig: addr, resp: addr, resp_p: port,
analyzer: Analyzer::Tag, tout: interval) : bool;
## Analyzers to disable at startup.
global disabled_analyzers: set[Analyzer::Tag] = {
ANALYZER_INTERCONN,
ANALYZER_STEPPINGSTONE,
ANALYZER_BACKDOOR,
ANALYZER_TCPSTATS,
}
&redef;
}
@load base/analyzer.bif
global ports: table[Analyzer::Tag] of set[port];
event bro_init()
{
for ( a in disabled_analyzers )
disable_analyzer(a);
}
function enable_analyzer(tag: Analyzer::Tag) : bool
{
return __enable_analyzer(tag);
}
function disable_analyzer(tag: Analyzer::Tag) : bool
{
return __disable_analyzer(tag);
}
function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool
{
local rc = T;
for ( p in ports )
{
if ( ! register_for_port(tag, p) )
rc = F;
}
return rc;
}
function register_for_port(tag: Analyzer::Tag, p: port) : bool
{
if ( ! __register_for_port(tag, p) )
return F;
if ( tag !in ports )
ports[tag] = set();
add ports[tag][p];
return T;
}
function registered_ports(tag: Analyzer::Tag) : set[port]
{
return tag in ports ? ports[tag] : set();
}
function name(atype: Analyzer::Tag) : string
{
return __name(atype);
}
function expect_connection(orig: addr, resp: addr, resp_p: port,
analyzer: Analyzer::Tag, tout: interval) : bool
{
return __expect_connection(orig, resp, resp_p, analyzer, tout);
}

30
scripts/base/frameworks/dpd/main.bro
View file

@ -41,33 +41,27 @@ redef record connection += {
event bro_init() &priority=5
{
Log::create_stream(DPD::LOG, [$columns=Info]);
# Populate the internal DPD analysis variable.
for ( a in dpd_config )
{
for ( p in dpd_config[a]$ports )
{
if ( p !in dpd_analyzer_ports )
dpd_analyzer_ports[p] = set();
add dpd_analyzer_ports[p][a];
}
}
}
event protocol_confirmation(c: connection, atype: count, aid: count) &priority=10
function foo() : string
{
local analyzer = analyzer_name(atype);
return "HTTP";
}
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
{
local analyzer = Analyzer::name(atype);
if ( fmt("-%s",analyzer) in c$service )
delete c$service[fmt("-%s", analyzer)];
add c$service[analyzer];
}
event protocol_violation(c: connection, atype: count, aid: count,
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
reason: string) &priority=10
{
local analyzer = analyzer_name(atype);
local analyzer = Analyzer::name(atype);
# If the service hasn't been confirmed yet, don't generate a log message
# for the protocol violation.
if ( analyzer !in c$service )
@ -86,7 +80,7 @@ event protocol_violation(c: connection, atype: count, aid: count,
c$dpd = info;
}
event protocol_violation(c: connection, atype: count, aid: count, reason: string) &priority=5
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5
{
if ( !c?$dpd || aid in c$dpd$disabled_aids )
return;
@ -100,7 +94,7 @@ event protocol_violation(c: connection, atype: count, aid: count, reason: string
add c$dpd$disabled_aids[aid];
}
event protocol_violation(c: connection, atype: count, aid: count,
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
reason: string) &priority=-5
{
if ( c?$dpd )

10
scripts/base/frameworks/tunnels/main.bro
View file

@ -83,19 +83,17 @@ export {
}
const ayiya_ports = { 5072/udp };
redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
const teredo_ports = { 3544/udp };
redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };
const gtpv1_ports = { 2152/udp, 2123/udp };
redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1_ports] };
redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports };
event bro_init() &priority=5
{
Log::create_stream(Tunnel::LOG, [$columns=Info]);
Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
}
function register_all(ecv: EncapsulatingConnVector)

44
scripts/base/init-bare.bro
View file

@ -2846,34 +2846,11 @@ const remote_trace_sync_peers = 0 &redef;
## consistency check.
const remote_check_sync_consistency = F &redef;
## Analyzer tags. The core automatically defines constants
## ``ANALYZER_<analyzer-name>*``, e.g., ``ANALYZER_HTTP``.
##
## .. bro:see:: dpd_config
##
## .. todo::We should autodoc these automaticallty generated constants.
type AnalyzerTag: count;
## Set of ports activating a particular protocol analysis.
##
## .. bro:see:: dpd_config
type dpd_protocol_config: record {
ports: set[port] &optional; ##< Set of ports.
};
## Port configuration for Bro's "dynamic protocol detection". Protocol
## analyzers can be activated via either well-known ports or content analysis.
## This table defines the ports.
##
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_match_only_beginning dpd_ignore_ports
const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
## Reassemble the beginning of all TCP connections before doing
## signature-matching. Enabling this provides more accurate matching at the
## expensive of CPU cycles.
##
## .. bro:see:: dpd_config dpd_buffer_size
## .. bro:see:: dpd_buffer_size
## dpd_match_only_beginning dpd_ignore_ports
##
## .. note:: Despite the name, this option affects *all* signature matching, not
@ -2888,24 +2865,24 @@ const dpd_reassemble_first_packets = T &redef;
## activated afterwards. Then only analyzers that can deal with partial
## connections will be able to analyze the session.
##
## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning
## .. bro:see:: dpd_reassemble_first_packets dpd_match_only_beginning
## dpd_ignore_ports
const dpd_buffer_size = 1024 &redef;
## If true, stops signature matching if dpd_buffer_size has been reached.
##
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_config dpd_ignore_ports
## dpd_ignore_ports
##
## .. note:: Despite the name, this option affects *all* signature matching, not
## only signatures used for dynamic protocol detection.
const dpd_match_only_beginning = T &redef;
## If true, don't consider any ports for deciding which protocol analyzer to
## use. If so, the value of :bro:see:`dpd_config` is ignored.
## use.
##
## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
## dpd_match_only_beginning dpd_config
## dpd_match_only_beginning
const dpd_ignore_ports = F &redef;
## Ports which the core considers being likely used by servers. For ports in
@ -2913,13 +2890,6 @@ const dpd_ignore_ports = F &redef;
## connection if it misses the initial handshake.
const likely_server_ports: set[port] &redef;
## Deprated. Set of all ports for which we know an analyzer, built by
## :doc:`/scripts/base/frameworks/dpd/main`.
##
## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main`
## itself we still need it.
global dpd_analyzer_ports: table[port] of set[AnalyzerTag];
## Per-incident timer managers are drained after this amount of inactivity.
const timer_mgr_inactivity_timeout = 1 min &redef;
@ -3028,9 +2998,9 @@ module GLOBAL;
## Number of bytes per packet to capture from live interfaces.
const snaplen = 8192 &redef;
# Load the logging framework here because it uses fairly deep integration with
# Load these frameworks here because it uses fairly deep integration with
# BiFs and script-land defined types.
@load base/frameworks/logging
@load base/frameworks/input
@load base/frameworks/analyzer

1
scripts/base/init-default.bro
View file

@ -20,6 +20,7 @@
# loaded in base/init-bare.bro
#@load base/frameworks/logging
@load base/frameworks/notice
@load base/frameworks/analyzer
@load base/frameworks/dpd
@load base/frameworks/signatures
@load base/frameworks/packet-filter

6
scripts/base/protocols/conn/inactivity.bro
View file

@ -6,9 +6,9 @@ module Conn;
export {
## Define inactivity timeouts by the service detected being used over
## the connection.
const analyzer_inactivity_timeouts: table[AnalyzerTag] of interval = {
const analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = {
# For interactive services, allow longer periods of inactivity.
[[ANALYZER_SSH, ANALYZER_FTP]] = 1 hrs,
[[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs,
} &redef;
## Define inactivity timeouts based on common protocol ports.
@ -18,7 +18,7 @@ export {
}
event protocol_confirmation(c: connection, atype: count, aid: count)
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
{
if ( atype in analyzer_inactivity_timeouts )
set_inactivity_timeout(c$id, analyzer_inactivity_timeouts[atype]);

10
scripts/base/protocols/dns/main.bro
View file

@ -117,19 +117,17 @@ redef capture_filters += {
["netbios-ns"] = "udp port 137",
};
const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp };
const dns_tcp_ports = { 53/tcp };
redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] };
redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] };
redef likely_server_ports += { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
redef likely_server_ports += { dns_udp_ports, dns_tcp_ports };
event bro_init() &priority=5
{
Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]);
Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports);
}
function new_session(c: connection, trans_id: count): Info

10
scripts/base/protocols/ftp/main.bro
View file

@ -96,11 +96,10 @@ redef record connection += {
};
# Configure DPD
const ports = { 21/tcp, 2811/tcp } &redef; # 2811/tcp is GridFTP.
redef capture_filters += { ["ftp"] = "port 21 and port 2811" };
redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] };
redef likely_server_ports += { 21/tcp, 2811/tcp };
const ports = { 21/tcp, 2811/tcp };
redef likely_server_ports += { ports };
# Establish the variable for tracking expected connections.
global ftp_data_expected: table[addr, port] of Info &create_expire=5mins;
@ -108,6 +107,7 @@ global ftp_data_expected: table[addr, port] of Info &create_expire=5mins;
event bro_init() &priority=5
{
Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]);
Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
}
## A set of commands where the argument can be expected to refer
@ -228,7 +228,7 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
{
c$ftp$passive=F;
ftp_data_expected[data$h, data$p] = c$ftp;
expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins);
Analyzer::expect_connection(id$resp_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins);
}
else
{
@ -281,7 +281,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
data$h = id$resp_h;
ftp_data_expected[data$h, data$p] = c$ftp;
expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
Analyzer::expect_connection(id$orig_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins);
}
else
{

27
scripts/base/protocols/http/main.bro
View file

@ -119,29 +119,26 @@ redef record connection += {
http_state: State &optional;
};
# Initialize the HTTP logging stream.
event bro_init() &priority=5
{
Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
}
# DPD configuration.
const ports = {
80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
8000/tcp, 8080/tcp, 8888/tcp,
};
redef dpd_config += {
[[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports],
};
redef capture_filters += {
["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)"
};
redef likely_server_ports += {
80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
const ports = {
80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
8000/tcp, 8080/tcp, 8888/tcp,
};
redef likely_server_ports += { ports };
# Initialize the HTTP logging stream and ports.
event bro_init() &priority=5
{
Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
}
function code_in_range(c: count, min: count, max: count) : bool
{
return c >= min && c <= max;

2
scripts/base/protocols/irc/dcc-send.bro
View file

@ -104,7 +104,7 @@ event irc_dcc_message(c: connection, is_orig: bool,
c$irc$dcc_file_name = argument;
c$irc$dcc_file_size = size;
local p = count_to_port(dest_port, tcp);
expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min);
Analyzer::expect_connection(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_FILE, 5 min);
dcc_expected_transfers[address, p] = c$irc;
}

7
scripts/base/protocols/irc/main.bro
View file

@ -45,14 +45,13 @@ redef capture_filters += { ["irc-6668"] = "port 6668" };
redef capture_filters += { ["irc-6669"] = "port 6669" };
# DPD configuration.
const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] };
redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
redef likely_server_ports += { ports };
event bro_init() &priority=5
{
Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log]);
Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
}
function new_session(c: connection): Info

6
scripts/base/protocols/modbus/main.bro
View file

@ -31,12 +31,14 @@ redef record connection += {
# Configure DPD and the packet filter.
redef capture_filters += { ["modbus"] = "tcp port 502" };
redef dpd_config += { [ANALYZER_MODBUS] = [$ports = set(502/tcp)] };
redef likely_server_ports += { 502/tcp };
const ports = { 502/tcp };
redef likely_server_ports += { ports };
event bro_init() &priority=5
{
Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus]);
Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports);
}
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &priority=5

8
scripts/base/protocols/smtp/main.bro
View file

@ -74,9 +74,6 @@ export {
const mail_path_capture = ALL_HOSTS &redef;
global log_smtp: event(rec: Info);
## Configure the default ports for SMTP analysis.
const ports = { 25/tcp, 587/tcp } &redef;
}
redef record connection += {
@ -86,13 +83,14 @@ redef record connection += {
# Configure DPD
redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" };
redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] };
redef likely_server_ports += { 25/tcp, 587/tcp };
const ports = { 25/tcp, 587/tcp };
redef likely_server_ports += { ports };
event bro_init() &priority=5
{
Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp]);
Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
}
function find_address_in_smtp_header(header: string): string

5
scripts/base/protocols/socks/main.bro
View file

@ -34,9 +34,13 @@ export {
global log_socks: event(rec: Info);
}
const ports = { 1080/tcp };
redef likely_server_ports += { ports };
event bro_init() &priority=5
{
Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]);
Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
}
redef record connection += {
@ -45,7 +49,6 @@ redef record connection += {
# Configure DPD
redef capture_filters += { ["socks"] = "tcp port 1080" };
redef dpd_config += { [ANALYZER_SOCKS] = [$ports = set(1080/tcp)] };
redef likely_server_ports += { 1080/tcp };
function set_session(c: connection, version: count)

8
scripts/base/protocols/ssh/main.bro
View file

@ -76,10 +76,11 @@ export {
}
# Configure DPD and the packet filter
redef capture_filters += { ["ssh"] = "tcp port 22" };
redef dpd_config += { [ANALYZER_SSH] = [$ports = set(22/tcp)] };
redef likely_server_ports += { 22/tcp };
const ports = { 22/tcp };
redef capture_filters += { ["ssh"] = "tcp port 22" };
redef likely_server_ports += { ports };
redef record connection += {
ssh: Info &optional;
@ -88,6 +89,7 @@ redef record connection += {
event bro_init() &priority=5
{
Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]);
Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
}
function set_session(c: connection)

28
scripts/base/protocols/ssl/main.bro
View file

@ -94,11 +94,6 @@ redef record Info += {
delay_tokens: set[string] &optional;
};
event bro_init() &priority=5
{
Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]);
}
redef capture_filters += {
["ssl"] = "tcp port 443",
["nntps"] = "tcp port 563",
@ -117,16 +112,9 @@ redef capture_filters += {
const ports = {
443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
};
} &redef;
redef dpd_config += {
[[ANALYZER_SSL]] = [$ports = ports]
};
redef likely_server_ports += {
443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
};
redef likely_server_ports += { ports };
# A queue that buffers log records.
global log_delay_queue: table[count] of Info;
@ -135,6 +123,12 @@ global log_delay_queue_head = 0;
# The bottom queue index that points to the next record to be flushed.
global log_delay_queue_tail = 0;
event bro_init() &priority=5
{
Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]);
Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ports);
}
function set_session(c: connection)
{
if ( ! c?$ssl )
@ -288,14 +282,14 @@ event ssl_established(c: connection) &priority=-5
finish(c);
}
event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
{
# Check by checking for existence of c$ssl record.
if ( c?$ssl && analyzer_name(atype) == "SSL" )
if ( c?$ssl && atype == Analyzer::ANALYZER_SSL )
c$ssl$analyzer_id = aid;
}
event protocol_violation(c: connection, atype: count, aid: count,
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
reason: string) &priority=5
{
if ( c?$ssl )

6
scripts/base/protocols/syslog/main.bro
View file

@ -27,10 +27,9 @@ export {
}
redef capture_filters += { ["syslog"] = "port 514" };
const ports = { 514/udp } &redef;
redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] };
redef likely_server_ports += { 514/udp };
const ports = { 514/udp };
redef likely_server_ports += { ports };
redef record connection += {
syslog: Info &optional;
@ -39,6 +38,7 @@ redef record connection += {
event bro_init() &priority=5
{
Log::create_stream(Syslog::LOG, [$columns=Info]);
Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG_BINPAC, ports);
}
event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5

39
scripts/policy/frameworks/dpd/detect-protocols.bro
View file

@ -21,22 +21,22 @@ export {
type dir: enum { NONE, INCOMING, OUTGOING, BOTH };
const valids: table[count, addr, port] of dir = {
const valids: table[Analyzer::Tag, addr, port] of dir = {
# A couple of ports commonly used for benign HTTP servers.
# For now we want to see everything.
# [ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING,
# [ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING,
# [ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING,
# [ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING,
# [ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING,
# [ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING,
# [ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING,
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING,
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING,
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING,
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING,
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING,
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING,
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING,
#
# [ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella
# [ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella
# [ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella
# [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella
} &redef;
# Set of analyzers for which we suppress Server_Found notices
@ -44,8 +44,8 @@ export {
# log files, this also saves memory because for these we don't
# need to remember which servers we already have reported, which
# for some can be a lot.
const suppress_servers: set [count] = {
# ANALYZER_HTTP
const suppress_servers: set [Analyzer::Tag] = {
# Analyzer::ANALYZER_HTTP
} &redef;
# We consider a connection to use a protocol X if the analyzer for X
@ -60,7 +60,7 @@ export {
# Entry point for other analyzers to report that they recognized
# a certain (sub-)protocol.
global found_protocol: function(c: connection, analyzer: count,
global found_protocol: function(c: connection, analyzer: Analyzer::Tag,
protocol: string);
# Table keeping reported (server, port, analyzer) tuples (and their
@ -89,7 +89,7 @@ function get_protocol(c: connection, a: count) : protocol
str = |str| > 0 ? fmt("%s/%s", str, p) : p;
}
return [$a=analyzer_name(a), $sub=str];
return [$a=Analyzer::name(a), $sub=str];
}
function fmt_protocol(p: protocol) : string
@ -194,10 +194,10 @@ event connection_state_remove(c: connection)
report_protocols(c);
}
event protocol_confirmation(c: connection, atype: count, aid: count)
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
{
# Don't report anything running on a well-known port.
if ( atype in dpd_config && c$id$resp_p in dpd_config[atype]$ports )
if ( c$id$resp_p in Analyzer::registered_ports(atype) )
return;
if ( c$id in conns )
@ -214,11 +214,10 @@ event protocol_confirmation(c: connection, atype: count, aid: count)
}
}
function found_protocol(c: connection, analyzer: count, protocol: string)
function found_protocol(c: connection, analyzer: Analyzer::tag, protocol: string)
{
# Don't report anything running on a well-known port.
if ( analyzer in dpd_config &&
c$id$resp_p in dpd_config[analyzer]$ports )
if ( c$id$resp_p in Analyzer::registered_ports(atype) )
return;
if ( c$id !in protocols )

2
scripts/policy/frameworks/dpd/packet-segment-logging.bro
View file

@ -20,7 +20,7 @@ export {
}
event protocol_violation(c: connection, atype: count, aid: count,
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
reason: string) &priority=4
{
if ( ! c?$dpd ) return;

2
scripts/policy/protocols/conn/known-services.bro
View file

@ -87,7 +87,7 @@ function known_services_done(c: connection)
event log_it(network_time(), id$resp_h, id$resp_p, c$service);
}
event protocol_confirmation(c: connection, atype: count, aid: count) &priority=-5
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=-5
{
known_services_done(c);
}

2
src/AYIYA.cc
View file

@ -1,7 +1,7 @@
#include "AYIYA.h"
AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn)
: Analyzer(AnalyzerTag::AYIYA, conn)
: Analyzer("AYIYA", conn)
{
interp = new binpac::AYIYA::AYIYA_Conn(this);
}

4
src/AYIYA.h
View file

@ -3,7 +3,7 @@
#include "ayiya_pac.h"
class AYIYA_Analyzer : public Analyzer {
class AYIYA_Analyzer : public analyzer::Analyzer {
public:
AYIYA_Analyzer(Connection* conn);
virtual ~AYIYA_Analyzer();
@ -12,7 +12,7 @@ public:
virtual void DeliverPacket(int len, const u_char* data, bool orig,
int seq, const IP_Hdr* ip, int caplen);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new AYIYA_Analyzer(conn); }
static bool Available()

57
src/AnalyzerTags.h
View file

@ -1,57 +0,0 @@
#ifndef ANALYZERTAGS_H
#define ANALYZERTAGS_H
// Each kind of analyzer gets a tag. When adding an analyzer here, also adapt
// the table of analyzers in Analyzer.cc.
//
// Using a namespace here is kind of a hack: ideally this would be in "class
// Analyzer {...}". But then we'd have circular dependencies across the header
// files.
#include "util.h"
typedef uint32 AnalyzerID;
namespace AnalyzerTag {
enum Tag {
Error = 0, // used as error code
// Analyzer in charge of protocol detection.
PIA_TCP, PIA_UDP,
// Transport-layer analyzers.
ICMP, TCP, UDP,
// Application-layer analyzers (hand-written).
BitTorrent, BitTorrentTracker,
DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC,
Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin,
RPC, Rsh, SMB, SMTP, SSH,
Telnet,
// Application-layer analyzers, binpac-generated.
DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC,
HTTP_BINPAC, SSL, SYSLOG_BINPAC,
Modbus,
// Decapsulation analyzers.
AYIYA,
SOCKS,
Teredo,
GTPv1,
// Other
File, Backdoor, InterConn, SteppingStone, TCPStats,
ConnSize,
// Support-analyzers
Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP,
Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh,
Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS,
FTP_ADAT,
// End-marker.
LastAnalyzer
};
};
#endif

2
src/BackDoor.cc
View file

@ -681,7 +681,7 @@ int BackDoorEndpoint::CheckForString(const char* str,
BackDoor_Analyzer::BackDoor_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer(AnalyzerTag::Backdoor, c)
: TCP_ApplicationAnalyzer("BACKDOOR", c)
{
orig_endp = resp_endp = 0;

2
src/BackDoor.h
View file

@ -71,7 +71,7 @@ public:
virtual void Done();
void StatTimer(double t, int is_expire);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new BackDoor_Analyzer(conn); }
static bool Available()

2
src/Base64.cc
View file

@ -84,7 +84,7 @@ int* Base64Converter::InitBase64Table(const string& alphabet)
Base64Converter::Base64Converter(Analyzer* arg_analyzer, const string& arg_alphabet)
Base64Converter::Base64Converter(analyzer::Analyzer* arg_analyzer, const string& arg_alphabet)
{
if ( arg_alphabet.size() > 0 )
{

7
src/Base64.h
View file

@ -7,7 +7,8 @@
#include "util.h"
#include "BroString.h"
#include "Analyzer.h"
#include "Reporter.h"
#include "analyzer/Analyzer.h"
// Maybe we should have a base class for generic decoders?
class Base64Converter {
@ -15,7 +16,7 @@ public:
// <analyzer> is used for error reporting, and it should be zero when
// the decoder is called by the built-in function decode_base64() or encode_base64().
// Empty alphabet indicates the default base64 alphabet.
Base64Converter(Analyzer* analyzer, const string& alphabet = "");
Base64Converter(analyzer::Analyzer* analyzer, const string& alphabet = "");
~Base64Converter();
// A note on Decode():
@ -62,7 +63,7 @@ protected:
int base64_after_padding;
int* base64_table;
int errored; // if true, we encountered an error - skip further processing
Analyzer* analyzer;
analyzer::Analyzer* analyzer;
};

2
src/BitTorrent.cc
View file

@ -4,7 +4,7 @@
#include "TCP_Reassembler.h"
BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrent, c)
: TCP_ApplicationAnalyzer("BITTORRENT", c)
{
interp = new binpac::BitTorrent::BitTorrent_Conn(this);
stop_orig = stop_resp = false;

2
src/BitTorrent.h
View file

@ -17,7 +17,7 @@ public:
virtual void Undelivered(int seq, int len, bool orig);
virtual void EndpointEOF(bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new BitTorrent_Analyzer(conn); }
static bool Available()

2
src/BitTorrentTracker.cc
View file

@ -18,7 +18,7 @@ static RecordType* bittorrent_benc_value;
static TableType* bittorrent_benc_dir;
BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrentTracker, c)
: TCP_ApplicationAnalyzer("BITTORRENT", c)
{
if ( ! bt_tracker_headers )
{

2
src/BitTorrentTracker.h
View file

@ -50,7 +50,7 @@ public:
virtual void Undelivered(int seq, int len, bool orig);
virtual void EndpointEOF(bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new BitTorrentTracker_Analyzer(conn); }
static bool Available()

13
src/CMakeLists.txt
View file

@ -141,6 +141,7 @@ macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar)
endmacro(GET_BIF_OUTPUT_FILES)
set(BIF_SRCS
analyzer.bif
bro.bif
logging.bif
input.bif
@ -283,7 +284,6 @@ set(bro_SRCS
net_util.cc
util.cc
module_util.cc
Analyzer.cc
Anon.cc
ARP.cc
Attr.cc
@ -318,7 +318,6 @@ set(bro_SRCS
Desc.cc
Dict.cc
Discard.cc
DPM.cc
EquivClass.cc
Event.cc
EventHandler.cc
@ -447,6 +446,16 @@ set(bro_SRCS
input/readers/Raw.cc
input/readers/Benchmark.cc
plugin/Component.cc
plugin/Manager.cc
plugin/Plugin.cc
analyzer/Analyzer.cc
analyzer/BuiltinAnalyzers.cc
analyzer/Manager.cc
analyzer/PluginComponent.cc
analyzer/Tag.cc
nb_dns.c
digest.h
)

22
src/Conn.cc
View file

@ -14,6 +14,7 @@
#include "PIA.h"
#include "binpac.h"
#include "TunnelEncapsulation.h"
#include "analyzer/Analyzer.h"
void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer,
int arg_do_expire)
@ -402,16 +403,21 @@ RecordVal* Connection::BuildConnVal()
return conn_val;
}
Analyzer* Connection::FindAnalyzer(AnalyzerID id)
analyzer::Analyzer* Connection::FindAnalyzer(analyzer::ID id)
{
return root_analyzer ? root_analyzer->FindChild(id) : 0;
}
Analyzer* Connection::FindAnalyzer(AnalyzerTag::Tag tag)
analyzer::Analyzer* Connection::FindAnalyzer(analyzer::Tag tag)
{
return root_analyzer ? root_analyzer->FindChild(tag) : 0;
}
analyzer::Analyzer* Connection::FindAnalyzer(const string& name)
{
return root_analyzer->FindChild(name);
}
void Connection::AppendAddl(const char* str)
{
Unref(BuildConnVal());
@ -540,7 +546,7 @@ Val* Connection::BuildVersionVal(const char* s, int len)
}
int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len,
Analyzer* analyzer)
analyzer::Analyzer* analyzer)
{
if ( ! software_version_found && ! software_parse_error )
return 1;
@ -578,7 +584,7 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len,
}
int Connection::UnparsedVersionFoundEvent(const IPAddr& addr,
const char* full, int len, Analyzer* analyzer)
const char* full, int len, analyzer::Analyzer* analyzer)
{
// Skip leading white space.
while ( len && isspace(*full) )
@ -602,7 +608,7 @@ int Connection::UnparsedVersionFoundEvent(const IPAddr& addr,
return 1;
}
void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, const char* name)
void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name)
{
if ( ! f )
return;
@ -615,7 +621,7 @@ void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, const char* name)
ConnectionEvent(f, analyzer, vl);
}
void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2)
void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2)
{
if ( ! f )
{
@ -634,7 +640,7 @@ void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2)
ConnectionEvent(f, analyzer, vl);
}
void Connection::ConnectionEvent(EventHandlerPtr f, Analyzer* a, val_list* vl)
void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl)
{
if ( ! f )
{
@ -929,7 +935,7 @@ error:
return false;
}
void Connection::SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia)
void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia)
{
root_analyzer = analyzer;
primary_PIA = pia;

30
src/Conn.h
View file

@ -11,19 +11,22 @@
#include "Serializer.h"
#include "PersistenceSerializer.h"
#include "RuleMatcher.h"
#include "AnalyzerTags.h"
#include "IPAddr.h"
#include "TunnelEncapsulation.h"
#include "analyzer/Tag.h"
#include "analyzer/Analyzer.h"
class Connection;
class ConnectionTimer;
class NetSessions;
class LoginConn;
class RuleHdrTest;
class Specific_RE_Matcher;
class TransportLayerAnalyzer;
class RuleEndpointState;
namespace analyzer { class TransportLayerAnalyzer; }
typedef enum {
NUL_IN_LINE,
SINGULAR_CR,
@ -47,7 +50,7 @@ static inline int addr_port_canon_lt(const IPAddr& addr1, uint32 p1,
return addr1 < addr2 || (addr1 == addr2 && p1 < p2);
}
class Analyzer;
namespace analyzer { class Analyzer; }
class Connection : public BroObj {
public:
@ -102,8 +105,9 @@ public:
void FlipRoles();
Analyzer* FindAnalyzer(AnalyzerID id);
Analyzer* FindAnalyzer(AnalyzerTag::Tag tag); // find first in tree.
analyzer::Analyzer* FindAnalyzer(analyzer::ID id);
analyzer::Analyzer* FindAnalyzer(analyzer::Tag tag); // find first in tree.
analyzer::Analyzer* FindAnalyzer(const string& name); // find first in tree.
TransportProto ConnTransport() const { return proto; }
@ -161,15 +165,15 @@ public:
// Raises a software_version_found event based on the
// given string (returns false if it's not parseable).
int VersionFoundEvent(const IPAddr& addr, const char* s, int len,
Analyzer* analyzer = 0);
analyzer::Analyzer* analyzer = 0);
// Raises a software_unparsed_version_found event.
int UnparsedVersionFoundEvent(const IPAddr& addr,
const char* full_descr, int len, Analyzer* analyzer);
const char* full_descr, int len, analyzer::Analyzer* analyzer);
void Event(EventHandlerPtr f, Analyzer* analyzer, const char* name = 0);
void Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2 = 0);
void ConnectionEvent(EventHandlerPtr f, Analyzer* analyzer,
void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name = 0);
void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = 0);
void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
val_list* vl);
void Weird(const char* name, const char* addl = "");
@ -241,8 +245,8 @@ public:
void DeleteTimer(double t);
// Sets the root of the analyzer tree as well as the primary PIA.
void SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia);
TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; }
void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia);
analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; }
PIA* GetPrimaryPIA() { return primary_PIA; }
// Sets the transport protocol in use.
@ -314,7 +318,7 @@ protected:
string history;
uint32 hist_seen;
TransportLayerAnalyzer* root_analyzer;
analyzer::TransportLayerAnalyzer* root_analyzer;
PIA* primary_PIA;
uint64 uid; // Globally unique connection ID.

2
src/ConnSizeAnalyzer.cc
View file

@ -9,7 +9,7 @@
ConnSize_Analyzer::ConnSize_Analyzer(Connection* c)
: Analyzer(AnalyzerTag::ConnSize, c)
: Analyzer("CONNSIZE", c)
{
}

6
src/ConnSizeAnalyzer.h
View file

@ -4,11 +4,11 @@
#ifndef CONNSTATS_H
#define CONNSTATS_H
#include "Analyzer.h"
#include "analyzer/Analyzer.h"
#include "NetVar.h"
class ConnSize_Analyzer : public Analyzer {
class ConnSize_Analyzer : public analyzer::Analyzer {
public:
ConnSize_Analyzer(Connection* c);
virtual ~ConnSize_Analyzer();
@ -20,7 +20,7 @@ public:
virtual void UpdateConnVal(RecordVal *conn_val);
virtual void FlipRoles();
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new ConnSize_Analyzer(conn); }
static bool Available() { return BifConst::use_conn_size_analyzer ; }

7
src/ContentLine.cc
View file

@ -4,14 +4,13 @@
#include "TCP.h"
ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig)
: TCP_SupportAnalyzer(AnalyzerTag::ContentLine, conn, orig)
: TCP_SupportAnalyzer("CONTENTLINE", conn, orig)
{
InitState();
}
ContentLine_Analyzer::ContentLine_Analyzer(AnalyzerTag::Tag tag,
Connection* conn, bool orig)
: TCP_SupportAnalyzer(tag, conn, orig)
ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig)
: TCP_SupportAnalyzer(name, conn, orig)
{
InitState();
}

2
src/ContentLine.h
View file

@ -55,7 +55,7 @@ public:
{ return seq + length <= seq_to_skip; }
protected:
ContentLine_Analyzer(AnalyzerTag::Tag tag, Connection* conn, bool orig);
ContentLine_Analyzer(const char* name, Connection* conn, bool orig);
virtual void DeliverStream(int len, const u_char* data, bool is_orig);
virtual void Undelivered(int seq, int len, bool orig);

15
src/DCE_RPC.cc
View file

@ -10,7 +10,8 @@ using namespace std;
#include "DCE_RPC.h"
#include "Sessions.h"
#include "DPM.h"
#include "analyzer/Manager.h"
#define xbyte(b, n) (((const u_char*) (b))[n])
@ -160,11 +161,11 @@ static void add_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr,
// of the dce_rpc_endpoints table.
// FIXME: Don't hard-code the timeout.
dpm->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto,
AnalyzerTag::DCE_RPC, 5 * 60, 0);
analyzer_mgr->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto,
"DCE_RPC", 5 * 60, 0);
}
DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b)
DCE_RPC_Header::DCE_RPC_Header(analyzer::Analyzer* a, const u_char* b)
{
analyzer = a;
bytes = b;
@ -183,7 +184,7 @@ DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b)
frag_len = extract_uint16(LittleEndian(), bytes + 8);
}
DCE_RPC_Session::DCE_RPC_Session(Analyzer* a)
DCE_RPC_Session::DCE_RPC_Session(analyzer::Analyzer* a)
: analyzer(a),
if_uuid("00000000-0000-0000-0000-000000000000"),
if_id(BifEnum::DCE_RPC_unknown_if)
@ -442,7 +443,7 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse(
Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn,
bool orig, DCE_RPC_Session* arg_session, bool speculative)
: TCP_SupportAnalyzer(AnalyzerTag::Contents_DCE_RPC, conn, orig)
: TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig)
{
session = arg_session;
msg_buf = 0;
@ -566,7 +567,7 @@ bool Contents_DCE_RPC_Analyzer::ParseHeader()
}
DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative)
: TCP_ApplicationAnalyzer(AnalyzerTag::DCE_RPC, conn)
: TCP_ApplicationAnalyzer("DCE_RPC", conn)
{
session = new DCE_RPC_Session(this);
speculative = arg_speculative;

10
src/DCE_RPC.h
View file

@ -88,7 +88,7 @@ enum DCE_RPC_PTYPE {
class DCE_RPC_Header {
public:
DCE_RPC_Header(Analyzer* a, const u_char* bytes);
DCE_RPC_Header(analyzer::Analyzer* a, const u_char* bytes);
BifEnum::dce_rpc_ptype PTYPE() const { return ptype; }
int FragLen() const { return frag_len; }
@ -99,7 +99,7 @@ public:
void SetBytes(const u_char* b) { bytes = b; }
protected:
Analyzer* analyzer;
analyzer::Analyzer* analyzer;
const u_char* bytes;
BifEnum::dce_rpc_ptype ptype;
int frag_len;
@ -112,7 +112,7 @@ protected:
class DCE_RPC_Session {
public:
DCE_RPC_Session(Analyzer* a);
DCE_RPC_Session(analyzer::Analyzer* a);
virtual ~DCE_RPC_Session() {}
virtual void DeliverPDU(int is_orig, int len, const u_char* data);
@ -135,7 +135,7 @@ protected:
const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu,
const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp);
Analyzer* analyzer;
analyzer::Analyzer* analyzer;
UUID if_uuid;
BifEnum::dce_rpc_if_id if_id;
int opnum;
@ -174,7 +174,7 @@ public:
DCE_RPC_Analyzer(Connection* conn, bool speculative = false);
~DCE_RPC_Analyzer();
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new DCE_RPC_Analyzer(conn); }
static bool Available()

2
src/DHCP-binpac.cc
View file

@ -1,7 +1,7 @@
#include "DHCP-binpac.h"
DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn)
: Analyzer(AnalyzerTag::DHCP_BINPAC, conn)
: Analyzer("DHCP", conn)
{
interp = new binpac::DHCP::DHCP_Conn(this);
}

4
src/DHCP-binpac.h
View file

@ -6,7 +6,7 @@
#include "dhcp_pac.h"
class DHCP_Analyzer_binpac : public Analyzer {
class DHCP_Analyzer_binpac : public analyzer::Analyzer {
public:
DHCP_Analyzer_binpac(Connection* conn);
virtual ~DHCP_Analyzer_binpac();
@ -15,7 +15,7 @@ public:
virtual void DeliverPacket(int len, const u_char* data, bool orig,
int seq, const IP_Hdr* ip, int caplen);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new DHCP_Analyzer_binpac(conn); }
static bool Available()

4
src/DNS-binpac.cc
View file

@ -2,7 +2,7 @@
#include "TCP_Reassembler.h"
DNS_UDP_Analyzer_binpac::DNS_UDP_Analyzer_binpac(Connection* conn)
: Analyzer(AnalyzerTag::DNS_UDP_BINPAC, conn)
: Analyzer("DNS_UDP_BINPAC", conn)
{
interp = new binpac::DNS::DNS_Conn(this);
did_session_done = 0;
@ -45,7 +45,7 @@ void DNS_UDP_Analyzer_binpac::ExpireTimer(double t)
}
DNS_TCP_Analyzer_binpac::DNS_TCP_Analyzer_binpac(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::DNS_TCP_BINPAC, conn)
: TCP_ApplicationAnalyzer("DNS_TCP_BINPAC", conn)
{
interp = new binpac::DNS_on_TCP::DNS_TCP_Conn(this);
}

6
src/DNS-binpac.h
View file

@ -11,7 +11,7 @@
// change that easily? (Ideally, the TCP preprocessing would become a
// support-analyzer as it is done for the traditional DNS analyzer.)
class DNS_UDP_Analyzer_binpac : public Analyzer {
class DNS_UDP_Analyzer_binpac : public analyzer::Analyzer {
public:
DNS_UDP_Analyzer_binpac(Connection* conn);
virtual ~DNS_UDP_Analyzer_binpac();
@ -20,7 +20,7 @@ public:
virtual void DeliverPacket(int len, const u_char* data, bool orig,
int seq, const IP_Hdr* ip, int caplen);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new DNS_UDP_Analyzer_binpac(conn); }
static bool Available()
@ -47,7 +47,7 @@ public:
virtual void Undelivered(int seq, int len, bool orig);
virtual void EndpointEOF(bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new DNS_TCP_Analyzer_binpac(conn); }
static bool Available()

6
src/DNS.cc
View file

@ -12,7 +12,7 @@
#include "Sessions.h"
#include "Event.h"
DNS_Interpreter::DNS_Interpreter(Analyzer* arg_analyzer)
DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer)
{
analyzer = arg_analyzer;
}
@ -993,7 +993,7 @@ Val* DNS_MsgInfo::BuildTSIG_Val()
Contents_DNS::Contents_DNS(Connection* conn, bool orig,
DNS_Interpreter* arg_interp)
: TCP_SupportAnalyzer(AnalyzerTag::Contents_DNS, conn, orig)
: TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
{
interp = arg_interp;
@ -1080,7 +1080,7 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig)
}
DNS_Analyzer::DNS_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::DNS, conn)
: TCP_ApplicationAnalyzer("DNS", conn)
{
interp = new DNS_Interpreter(this);
contents_dns_orig = contents_dns_resp = 0;

6
src/DNS.h
View file

@ -149,7 +149,7 @@ public:
class DNS_Interpreter {
public:
DNS_Interpreter(Analyzer* analyzer);
DNS_Interpreter(analyzer::Analyzer* analyzer);
int ParseMessage(const u_char* data, int len, int is_query);
@ -217,7 +217,7 @@ protected:
const u_char*& data, int& len,
BroString* question_name);
Analyzer* analyzer;
analyzer::Analyzer* analyzer;
};
@ -266,7 +266,7 @@ public:
void ExpireTimer(double t);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new DNS_Analyzer(conn); }
static bool Available()

407
src/DPM.cc
View file

@ -1,407 +0,0 @@
#include "DPM.h"
#include "PIA.h"
#include "Hash.h"
#include "ICMP.h"
#include "UDP.h"
#include "TCP.h"
#include "Val.h"
#include "BackDoor.h"
#include "InterConn.h"
#include "SteppingStone.h"
#include "ConnSizeAnalyzer.h"
ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp,
uint16 _resp_p, uint16 _proto)
{
if ( _orig == IPAddr(string("0.0.0.0")) )
// don't use the IPv4 mapping, use the literal unspecified address
// to indicate a wildcard
orig = IPAddr(string("::"));
else
orig = _orig;
resp = _resp;
resp_p = _resp_p;
proto = _proto;
}
ExpectedConn::ExpectedConn(const ExpectedConn& c)
{
orig = c.orig;
resp = c.resp;
resp_p = c.resp_p;
proto = c.proto;
}
DPM::DPM()
: expected_conns_queue(AssignedAnalyzer::compare)
{
}
DPM::~DPM()
{
delete [] active_analyzers;
}
void DPM::PreScriptInit()
{
for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ )
{
// Create IDs ANALYZER_*.
ID* id = install_ID(fmt("ANALYZER_%s",
Analyzer::analyzer_configs[i].name),
GLOBAL_MODULE_NAME, true, false);
assert(id);
id->SetVal(new Val(i, TYPE_COUNT));
id->SetType(id->ID_Val()->Type()->Ref());
}
}
void DPM::PostScriptInit()
{
active_analyzers = new bool[int(AnalyzerTag::LastAnalyzer)];
for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ )
{
if ( ! Analyzer::analyzer_configs[i].available )
continue;
active_analyzers[i] = Analyzer::analyzer_configs[i].available();
if ( active_analyzers[i] )
AddConfig(Analyzer::analyzer_configs[i]);
}
}
void DPM::AddConfig(const Analyzer::Config& cfg)
{
#ifdef USE_PERFTOOLS_DEBUG
HeapLeakChecker::Disabler disabler;
#endif
Val* index = new Val(cfg.tag, TYPE_COUNT);
Val* v = dpd_config->Lookup(index);
#ifdef DEBUG
ODesc desc;
#endif
if ( v )
{
RecordVal* cfg_record = v->AsRecordVal();
Val* ports = cfg_record->Lookup(0);
if ( ports )
{
ListVal* plist = ports->AsTableVal()->ConvertToPureList();
for ( int i = 0; i< plist->Length(); ++i )
{
PortVal* port = plist->Index(i)->AsPortVal();
analyzer_map* ports =
port->IsTCP() ? &tcp_ports : &udp_ports;
analyzer_map::iterator j =
ports->find(port->Port());
if ( j == ports->end() )
{
tag_list* analyzers = new tag_list;
analyzers->push_back(cfg.tag);
ports->insert(analyzer_map::value_type(port->Port(), analyzers));
}
else
j->second->push_back(cfg.tag);
#ifdef DEBUG
port->Describe(&desc);
desc.SP();
#endif
}
}
}
DBG_LOG(DBG_DPD, "%s analyzer active on port(s) %s", cfg.name, desc.Description());
Unref(index);
}
AnalyzerTag::Tag DPM::GetExpected(int proto, const Connection* conn)
{
if ( ! expected_conns.Length() )
return AnalyzerTag::Error;
ExpectedConn c(conn->OrigAddr(), conn->RespAddr(),
ntohs(conn->RespPort()), proto);
HashKey* key = BuildExpectedConnHashKey(c);
AssignedAnalyzer* a = expected_conns.Lookup(key);
delete key;
if ( ! a )
{
// Wildcard for originator.
c.orig = IPAddr(string("::"));
HashKey* key = BuildExpectedConnHashKey(c);
a = expected_conns.Lookup(key);
delete key;
}
if ( ! a )
return AnalyzerTag::Error;
// We don't delete it here. It will be expired eventually.
return a->analyzer;
}
bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
const u_char* data)
{
TCP_Analyzer* tcp = 0;
UDP_Analyzer* udp = 0;
ICMP_Analyzer* icmp = 0;
TransportLayerAnalyzer* root = 0;
AnalyzerTag::Tag expected = AnalyzerTag::Error;
analyzer_map* ports = 0;
PIA* pia = 0;
bool analyzed = false;
switch ( proto ) {
case TRANSPORT_TCP:
root = tcp = new TCP_Analyzer(conn);
pia = new PIA_TCP(conn);
expected = GetExpected(proto, conn);
ports = &tcp_ports;
DBG_DPD(conn, "activated TCP analyzer");
break;
case TRANSPORT_UDP:
root = udp = new UDP_Analyzer(conn);
pia = new PIA_UDP(conn);
expected = GetExpected(proto, conn);
ports = &udp_ports;
DBG_DPD(conn, "activated UDP analyzer");
break;
case TRANSPORT_ICMP: {
root = icmp = new ICMP_Analyzer(conn);
DBG_DPD(conn, "activated ICMP analyzer");
analyzed = true;
break;
}
default:
reporter->InternalError("unknown protocol");
}
if ( ! root )
{
DBG_DPD(conn, "cannot build analyzer tree");
return false;
}
// Any scheduled analyzer?
if ( expected != AnalyzerTag::Error )
{
Analyzer* analyzer =
Analyzer::InstantiateAnalyzer(expected, conn);
root->AddChildAnalyzer(analyzer, false);
DBG_DPD_ARGS(conn, "activated %s analyzer as scheduled",
Analyzer::GetTagName(expected));
// Hmm... Do we want *just* the expected analyzer, or all
// other potential analyzers as well? For now we only take
// the scheduled one.
}
else
{ // Let's see if it's a port we know.
if ( ports && ! dpd_ignore_ports )
{
analyzer_map::const_iterator i =
ports->find(ntohs(conn->RespPort()));
if ( i != ports->end() )
{
tag_list* analyzers = i->second;
for ( tag_list::const_iterator j = analyzers->begin();
j != analyzers->end(); j++ )
{
Analyzer* analyzer =
Analyzer::InstantiateAnalyzer(*j, conn);
root->AddChildAnalyzer(analyzer, false);
DBG_DPD_ARGS(conn, "activated %s analyzer due to port %d", Analyzer::GetTagName(*j), conn->RespPort());
}
}
}
}
if ( tcp )
{
// We have to decide whether to reassamble the stream.
// We turn it on right away if we already have an app-layer
// analyzer, reassemble_first_packets is true, or the user
// asks us to do so. In all other cases, reassembly may
// be turned on later by the TCP PIA.
bool reass = root->GetChildren().size() ||
dpd_reassemble_first_packets ||
tcp_content_deliver_all_orig ||
tcp_content_deliver_all_resp;
if ( tcp_contents && ! reass )
{
PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP);
Val* result;
if ( ! reass )
reass = tcp_content_delivery_ports_orig->Lookup(&dport);
if ( ! reass )
reass = tcp_content_delivery_ports_resp->Lookup(&dport);
}
if ( reass )
tcp->EnableReassembly();
// Add a BackDoor analyzer if requested. This analyzer
// can handle both reassembled and non-reassembled input.
if ( BackDoor_Analyzer::Available() )
{
BackDoor_Analyzer* bd = new BackDoor_Analyzer(conn);
tcp->AddChildAnalyzer(bd, false);
}
// Add a InterConn analyzer if requested. This analyzer
// can handle both reassembled and non-reassembled input.
if ( InterConn_Analyzer::Available() )
{
InterConn_Analyzer* bd = new InterConn_Analyzer(conn);
tcp->AddChildAnalyzer(bd, false);
}
// Add a SteppingStone analyzer if requested. The port
// should really not be hardcoded here, but as it can
// handle non-reassembled data, it doesn't really fit into
// our general framing ... Better would be to turn it
// on *after* we discover we have interactive traffic.
uint16 resp_port = ntohs(conn->RespPort());
if ( SteppingStone_Analyzer::Available() &&
(resp_port == 22 || resp_port == 23 || resp_port == 513) )
{
AddrVal src(conn->OrigAddr());
if ( ! stp_skip_src->Lookup(&src) )
{
SteppingStone_Analyzer* bd =
new SteppingStone_Analyzer(conn);
tcp->AddChildAnalyzer(bd, false);
}
}
// Add TCPStats analyzer. This needs to see packets so
// we cannot add it as a normal child.
if ( TCPStats_Analyzer::Available() )
tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn));
// Add ConnSize analyzer. Needs to see packets, not stream.
if ( ConnSize_Analyzer::Available() )
tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn));
}
else
{
if ( ConnSize_Analyzer::Available() )
root->AddChildAnalyzer(new ConnSize_Analyzer(conn), false);
}
if ( pia )
root->AddChildAnalyzer(pia->AsAnalyzer(), false);
if ( root->GetChildren().size() )
analyzed = true;
conn->SetRootAnalyzer(root, pia);
root->Init();
root->InitChildren();
if ( ! analyzed )
conn->SetLifetime(non_analyzed_lifetime);
if ( expected != AnalyzerTag::Error )
conn->Event(expected_connection_seen, 0,
new Val(expected, TYPE_COUNT));
return true;
}
void DPM::ExpectConnection(const IPAddr& orig, const IPAddr& resp,
uint16 resp_p,
TransportProto proto, AnalyzerTag::Tag analyzer,
double timeout, void* cookie)
{
// Use the chance to see if the oldest entry is already expired.
if ( expected_conns_queue.size() )
{
AssignedAnalyzer* a = expected_conns_queue.top();
if ( a->timeout < network_time )
{
if ( ! a->deleted )
{
HashKey* key = BuildExpectedConnHashKey(a->conn);
expected_conns.Remove(key);
delete key;
}
expected_conns_queue.pop();
DBG_LOG(DBG_DPD, "Expired expected %s analyzer for %s",
Analyzer::GetTagName(analyzer),
fmt_conn_id(a->conn.orig, 0,
a->conn.resp,
a->conn.resp_p));
delete a;
}
}
ExpectedConn c(orig, resp, resp_p, proto);
HashKey* key = BuildExpectedConnHashKey(c);
AssignedAnalyzer* a = expected_conns.Lookup(key);
if ( a )
a->deleted = true;
a = new AssignedAnalyzer(c);
a->analyzer = analyzer;
a->cookie = cookie;
a->timeout = network_time + timeout;
a->deleted = false;
expected_conns.Insert(key, a);
expected_conns_queue.push(a);
delete key;
}
void DPM::Done()
{
// Clean up expected-connection table.
while ( expected_conns_queue.size() )
{
AssignedAnalyzer* a = expected_conns_queue.top();
if ( ! a->deleted )
{
HashKey* key = BuildExpectedConnHashKey(a->conn);
expected_conns.Remove(key);
delete key;
}
expected_conns_queue.pop();
delete a;
}
}

131
src/DPM.h
View file

@ -1,131 +0,0 @@
// The central management unit for dynamic analyzer selection.
#ifndef DPM_H
#define DPM_H
#include <queue>
#include "Analyzer.h"
#include "Dict.h"
#include "net_util.h"
// DPM debug logging, which includes the connection id into the message.
#ifdef DEBUG
# define DBG_DPD(conn, txt) \
DBG_LOG(DBG_DPD, "%s " txt, \
fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \
conn->RespAddr(), ntohs(conn->RespPort())));
# define DBG_DPD_ARGS(conn, fmt, args...) \
DBG_LOG(DBG_DPD, "%s " fmt, \
fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \
conn->RespAddr(), ntohs(conn->RespPort())), ##args);
#else
# define DBG_DPD(conn, txt)
# define DBG_DPD_ARGS(conn, fmt, args...)
#endif
// Map to assign expected connections to analyzers.
class ExpectedConn {
public:
ExpectedConn(const IPAddr& _orig, const IPAddr& _resp,
uint16 _resp_p, uint16 _proto);
ExpectedConn(const ExpectedConn& c);
IPAddr orig;
IPAddr resp;
uint16 resp_p;
uint16 proto;
};
// Associates an analyzer for an expected future connection.
class AssignedAnalyzer {
public:
AssignedAnalyzer(const ExpectedConn& c)
: conn(c)
{
}
ExpectedConn conn;
AnalyzerTag::Tag analyzer;
double timeout;
void* cookie;
bool deleted;
static bool compare(const AssignedAnalyzer* a1, const AssignedAnalyzer* a2)
{ return a1->timeout > a2->timeout; }
};
declare(PDict, AssignedAnalyzer);
class DPM {
public:
DPM();
~DPM();
// Setup analyzer config.
void PreScriptInit(); // To be called before scripts are parsed ...
void PostScriptInit(); // ... and after.
// Given info about the first packet, build initial analyzer tree.
//
// It would be more flexible if we simply pass in the IP header
// and then extract the information we need. However, when this
// method is called from the session management, protocol and ports
// have already been extracted there and it would be a waste to do
// it again.
//
// Returns 0 if we can't build a tree (e.g., because the necessary
// analyzers have not been converted to the DPM framework yet...)
bool BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
const u_char* data);
// Schedules a particular analyzer for an upcoming connection.
// 0 acts as a wildcard for orig. (Cookie is currently unused.
// Eventually, we may pass it on to the analyzer).
void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p,
TransportProto proto, AnalyzerTag::Tag analyzer,
double timeout, void* cookie);
// Activates signature matching for protocol detection. (Called when an
// DPM signatures is found.)
void ActivateSigs() { sigs_activated = true; }
bool SigsActivated() const { return sigs_activated; }
void Done();
private:
// Convert script-level config into internal data structures.
void AddConfig(const Analyzer::Config& tag);
// Return analyzer if any has been scheduled with ExpectConnection()
// AnalyzerTag::::Error if none.
AnalyzerTag::Tag GetExpected(int proto, const Connection* conn);
// Mappings of destination port to analyzer.
typedef list<AnalyzerTag::Tag> tag_list;
typedef map<uint32, tag_list*> analyzer_map;
analyzer_map tcp_ports;
analyzer_map udp_ports;
// Array of bools indicating whether an analyzer is activated,
// indexed by AnalyzerTag::Tag.
bool* active_analyzers;
// True if signature-matching has been activated.
bool sigs_activated;
PDict(AssignedAnalyzer) expected_conns;
typedef priority_queue<
AssignedAnalyzer*,
vector<AssignedAnalyzer*>,
bool (*)(const AssignedAnalyzer*,
const AssignedAnalyzer*)> conn_queue;
conn_queue expected_conns_queue;
};
extern DPM* dpm;
#endif

2
src/Event.cc
View file

@ -13,7 +13,7 @@ int num_events_queued = 0;
int num_events_dispatched = 0;
Event::Event(EventHandlerPtr arg_handler, val_list* arg_args,
SourceID arg_src, AnalyzerID arg_aid, TimerMgr* arg_mgr,
SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
BroObj* arg_obj)
{
handler = arg_handler;

16
src/Event.h
View file

@ -5,14 +5,16 @@
#include "EventRegistry.h"
#include "Serializer.h"
#include "AnalyzerTags.h"
#include "analyzer/Tag.h"
#include "analyzer/Analyzer.h"
class EventMgr;
class Event : public BroObj {
public:
Event(EventHandlerPtr handler, val_list* args,
SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0);
~Event();
@ -20,7 +22,7 @@ public:
Event* NextEvent() const { return next_event; }
SourceID Source() const { return src; }
AnalyzerID Analyzer() const { return aid; }
analyzer::ID Analyzer() const { return aid; }
TimerMgr* Mgr() const { return mgr; }
void Describe(ODesc* d) const;
@ -62,7 +64,7 @@ protected:
EventHandlerPtr handler;
val_list* args;
SourceID src;
AnalyzerID aid;
analyzer::ID aid;
TimerMgr* mgr;
BroObj* obj;
Event* next_event;
@ -77,7 +79,7 @@ public:
~EventMgr();
void QueueEvent(EventHandlerPtr h, val_list* vl,
SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0)
{
if ( h )
@ -105,7 +107,7 @@ public:
// Returns the ID of the analyzer which raised the last event, or 0 if
// non-analyzer event.
AnalyzerID CurrentAnalyzer() const { return current_aid; }
analyzer::ID CurrentAnalyzer() const { return current_aid; }
// Returns the timer mgr associated with the last raised event.
TimerMgr* CurrentTimerMgr() const { return current_mgr; }
@ -124,7 +126,7 @@ protected:
Event* head;
Event* tail;
SourceID current_src;
AnalyzerID current_aid;
analyzer::ID current_aid;
TimerMgr* current_mgr;
RecordVal* src_val;
bool draining;

4
src/EventLauncher.cc
View file

@ -1,6 +1,8 @@
#include "Val.h"
#include "Analyzer.h"
#include "analyzer/Analyzer.h"
#include "EventLauncher.h"
#include "Event.h"
#include "NetVar.h"
#include "Conn.h"
#include "event.bif.func_def"

4
src/FTP.cc
View file

@ -12,7 +12,7 @@
#include "Base64.h"
FTP_Analyzer::FTP_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::FTP, conn)
: TCP_ApplicationAnalyzer("FTP", conn)
{
pending_reply = 0;
@ -176,7 +176,7 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
// Don't know how to parse anything but the ADAT exchanges of GSI GSSAPI,
// which is basically just TLS/SSL.
if ( ! Parent()->GetTag() == AnalyzerTag::SSL )
if ( ! Parent()->IsAnalyzer("SSL") )
{
Parent()->Remove();
return;

8
src/FTP.h
View file

@ -13,7 +13,7 @@ public:
virtual void Done();
virtual void DeliverStream(int len, const u_char* data, bool orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{
return new FTP_Analyzer(conn);
}
@ -22,8 +22,6 @@ public:
protected:
FTP_Analyzer() {}
NVT_Analyzer* nvt_orig;
NVT_Analyzer* nvt_resp;
uint32 pending_reply; // code associated with multi-line reply, or 0
@ -37,10 +35,10 @@ protected:
* analyzer just decodes the tokens and passes them on to the parent, which must
* be an SSL analyzer instance.
*/
class FTP_ADAT_Analyzer : public SupportAnalyzer {
class FTP_ADAT_Analyzer : public analyzer::SupportAnalyzer {
public:
FTP_ADAT_Analyzer(Connection* conn, bool arg_orig)
: SupportAnalyzer(AnalyzerTag::FTP_ADAT, conn, arg_orig),
: SupportAnalyzer("FTP_ADAT", conn, arg_orig),
first_token(true) { }
void DeliverStream(int len, const u_char* data, bool orig);

2
src/FileAnalyzer.cc
View file

@ -8,7 +8,7 @@ magic_t File_Analyzer::magic = 0;
magic_t File_Analyzer::magic_mime = 0;
File_Analyzer::File_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::File, conn)
: TCP_ApplicationAnalyzer("FILE", conn)
{
buffer_len = 0;

4
src/FileAnalyzer.h
View file

@ -15,14 +15,12 @@ public:
virtual void DeliverStream(int len, const u_char* data, bool orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new File_Analyzer(conn); }
static bool Available() { return file_transferred; }
protected:
File_Analyzer() {}
void Identify();
static const int BUFFER_SIZE = 1024;

2
src/Finger.cc
View file

@ -10,7 +10,7 @@
#include "ContentLine.h"
Finger_Analyzer::Finger_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::Finger, conn)
: TCP_ApplicationAnalyzer("FINGER", conn)
{
did_deliver = 0;
content_line_orig = new ContentLine_Analyzer(conn, true);

2
src/Finger.h
View file

@ -16,7 +16,7 @@ public:
// Line-based input.
virtual void DeliverStream(int len, const u_char* data, bool orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new Finger_Analyzer(conn); }
static bool Available() { return finger_request || finger_reply; }

3
src/Func.cc
View file

@ -548,12 +548,14 @@ void builtin_error(const char* msg, BroObj* arg)
reporter->Error(msg, arg);
}
#include "analyzer.bif.func_h"
#include "bro.bif.func_h"
#include "logging.bif.func_h"
#include "input.bif.func_h"
#include "reporter.bif.func_h"
#include "strings.bif.func_h"
#include "analyzer.bif.func_def"
#include "bro.bif.func_def"
#include "logging.bif.func_def"
#include "input.bif.func_def"
@ -569,6 +571,7 @@ void init_builtin_funcs()
var_sizes = internal_type("var_sizes")->AsTableType();
gap_info = internal_type("gap_info")->AsRecordType();
#include "analyzer.bif.func_init"
#include "bro.bif.func_init"
#include "logging.bif.func_init"
#include "input.bif.func_init"

2
src/GTPv1.cc
View file

@ -1,7 +1,7 @@
#include "GTPv1.h"
GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
: Analyzer(AnalyzerTag::GTPv1, conn)
: Analyzer("GTPV1", conn)
{
interp = new binpac::GTPv1::GTPv1_Conn(this);
}

4
src/GTPv1.h
View file

@ -3,7 +3,7 @@
#include "gtpv1_pac.h"
class GTPv1_Analyzer : public Analyzer {
class GTPv1_Analyzer : public analyzer::Analyzer {
public:
GTPv1_Analyzer(Connection* conn);
virtual ~GTPv1_Analyzer();
@ -12,7 +12,7 @@ public:
virtual void DeliverPacket(int len, const u_char* data, bool orig,
int seq, const IP_Hdr* ip, int caplen);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new GTPv1_Analyzer(conn); }
static bool Available()

8
src/Gnutella.cc
View file

@ -30,7 +30,7 @@ GnutellaMsgState::GnutellaMsgState()
Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::Gnutella, conn)
: TCP_ApplicationAnalyzer("GNUTELLA", conn)
{
state = 0;
new_state = 0;
@ -131,13 +131,13 @@ int Gnutella_Analyzer::IsHTTP(string header)
if ( HTTP_Analyzer::Available() )
{
Analyzer* a = new HTTP_Analyzer(Conn());
analyzer::Analyzer* a = new HTTP_Analyzer(Conn());
Parent()->AddChildAnalyzer(a);
if ( Parent()->GetTag() == AnalyzerTag::TCP )
if ( Parent()->IsAnalyzer("TCP") )
{
// Replay buffered data.
PIA* pia = static_cast<TransportLayerAnalyzer *>(Parent())->GetPIA();
PIA* pia = static_cast<analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
if ( pia )
static_cast<PIA_TCP *>(pia)->ReplayStreamBuffer(a);
}

2
src/Gnutella.h
View file

@ -40,7 +40,7 @@ public:
virtual void Done ();
virtual void DeliverStream(int len, const u_char* data, bool orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new Gnutella_Analyzer(conn); }
static bool Available()

2
src/HTTP-binpac.cc
View file

@ -2,7 +2,7 @@
#include "TCP_Reassembler.h"
HTTP_Analyzer_binpac::HTTP_Analyzer_binpac(Connection *c)
: TCP_ApplicationAnalyzer(AnalyzerTag::HTTP_BINPAC, c)
: TCP_ApplicationAnalyzer("HTTP_BINPAC", c)
{
interp = new binpac::HTTP::HTTP_Conn(this);
}

2
src/HTTP-binpac.h
View file

@ -15,7 +15,7 @@ public:
virtual void Undelivered(int seq, int len, bool orig);
virtual void EndpointEOF(bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new HTTP_Analyzer_binpac(conn); }
static bool Available()

6
src/HTTP.cc
View file

@ -161,7 +161,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF)
DeliverBody(len, data, trailing_CRLF);
}
class HTTP_Entity::UncompressedOutput : public Analyzer::OutputHandler {
class HTTP_Entity::UncompressedOutput : public analyzer::Analyzer::OutputHandler {
public:
UncompressedOutput(HTTP_Entity* e) { entity = e; }
virtual ~UncompressedOutput() { }
@ -787,7 +787,7 @@ void HTTP_Message::Weird(const char* msg)
}
HTTP_Analyzer::HTTP_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::HTTP, conn)
: TCP_ApplicationAnalyzer("HTTP", conn)
{
num_requests = num_replies = 0;
num_request_lines = num_reply_lines = 0;
@ -1736,7 +1736,7 @@ void escape_URI_char(unsigned char ch, unsigned char*& p)
}
BroString* unescape_URI(const u_char* line, const u_char* line_end,
Analyzer* analyzer)
analyzer::Analyzer* analyzer)
{
byte_vec decoded_URI = new u_char[line_end - line + 1];
byte_vec URI_p = decoded_URI;

4
src/HTTP.h
View file

@ -174,7 +174,7 @@ public:
virtual void ConnectionReset();
virtual void PacketWithRST();
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new HTTP_Analyzer(conn); }
static bool Available()
@ -252,6 +252,6 @@ extern int is_reserved_URI_char(unsigned char ch);
extern int is_unreserved_URI_char(unsigned char ch);
extern void escape_URI_char(unsigned char ch, unsigned char*& p);
extern BroString* unescape_URI(const u_char* line, const u_char* line_end,
Analyzer* analyzer);
analyzer::Analyzer* analyzer);
#endif

11
src/ICMP.cc
View file

@ -8,19 +8,12 @@
#include "NetVar.h"
#include "Event.h"
#include "ICMP.h"
#include "Conn.h"
#include <netinet/icmp6.h>
ICMP_Analyzer::ICMP_Analyzer(Connection* c)
: TransportLayerAnalyzer(AnalyzerTag::ICMP, c)
{
icmp_conn_val = 0;
c->SetInactivityTimeout(icmp_inactivity_timeout);
request_len = reply_len = -1;
}
ICMP_Analyzer::ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* c)
: TransportLayerAnalyzer(tag, c)
: TransportLayerAnalyzer("ICMP", c)
{
icmp_conn_val = 0;
c->SetInactivityTimeout(icmp_inactivity_timeout);

10
src/ICMP.h
View file

@ -3,7 +3,8 @@
#ifndef icmp_h
#define icmp_h
#include "Analyzer.h"
#include "RuleMatcher.h"
#include "analyzer/Analyzer.h"
typedef enum {
ICMP_INACTIVE, // no packet seen
@ -12,20 +13,19 @@ typedef enum {
// We do not have an PIA for ICMP (yet) and therefore derive from
// RuleMatcherState to perform our own matching.
class ICMP_Analyzer : public TransportLayerAnalyzer {
class ICMP_Analyzer : public analyzer::TransportLayerAnalyzer {
public:
ICMP_Analyzer(Connection* conn);
virtual void UpdateConnVal(RecordVal *conn_val);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new ICMP_Analyzer(conn); }
static bool Available() { return true; }
protected:
ICMP_Analyzer() { }
ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* conn);
ICMP_Analyzer(analyzer::Tag tag, Connection* conn);
virtual void Done();
virtual void DeliverPacket(int len, const u_char* data, bool orig,

5
src/IPAddr.cc
View file

@ -5,9 +5,10 @@
#include "IPAddr.h"
#include "Reporter.h"
#include "Conn.h"
#include "DPM.h"
#include "bro_inet_ntop.h"
#include "analyzer/Manager.h"
const uint8_t IPAddr::v4_mapped_prefix[12] = { 0, 0, 0, 0,
0, 0, 0, 0,
0, 0, 0xff, 0xff };
@ -44,7 +45,7 @@ HashKey* BuildConnIDHashKey(const ConnID& id)
return new HashKey(&key, sizeof(key));
}
HashKey* BuildExpectedConnHashKey(const ExpectedConn& c)
HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c)
{
struct {
in6_addr orig;

6
src/IPAddr.h
View file

@ -14,7 +14,7 @@
#include "threading/SerialTypes.h"
struct ConnID;
class ExpectedConn;
namespace analyzer { class ExpectedConn; }
typedef in_addr in4_addr;
@ -363,7 +363,7 @@ public:
void ConvertToThreadingValue(threading::Value::addr_t* v) const;
friend HashKey* BuildConnIDHashKey(const ConnID& id);
friend HashKey* BuildExpectedConnHashKey(const ExpectedConn& c);
friend HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c);
unsigned int MemoryAllocation() const { return padded_sizeof(*this); }
@ -455,7 +455,7 @@ HashKey* BuildConnIDHashKey(const ConnID& id);
/**
* Returns a hash key for a given ExpectedConn instance. Passes ownership to caller.
*/
HashKey* BuildExpectedConnHashKey(const ExpectedConn& c);
HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c);
/**
* Class storing both IPv4 and IPv6 prefixes

4
src/IRC.cc
View file

@ -2,15 +2,15 @@
#include <iostream>
#include "IRC.h"
#include "DPM.h"
#include "ContentLine.h"
#include "NetVar.h"
#include "Event.h"
#include "ZIP.h"
#include "analyzer/Manager.h"
IRC_Analyzer::IRC_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::IRC, conn)
: TCP_ApplicationAnalyzer("IRC", conn)
{
invalid_msg_count = 0;
invalid_msg_max_count = 20;

2
src/IRC.h
View file

@ -30,7 +30,7 @@ public:
*/
virtual void DeliverStream(int len, const u_char* data, bool orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{
return new IRC_Analyzer(conn);
}

2
src/Ident.cc
View file

@ -9,7 +9,7 @@
#include "Event.h"
Ident_Analyzer::Ident_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::Ident, conn)
: TCP_ApplicationAnalyzer("IDENT", conn)
{
did_bad_reply = did_deliver = 0;

2
src/Ident.h
View file

@ -13,7 +13,7 @@ public:
virtual void DeliverStream(int length, const u_char* data, bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new Ident_Analyzer(conn); }
static bool Available()

2
src/InterConn.cc
View file

@ -153,7 +153,7 @@ int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const
}
InterConn_Analyzer::InterConn_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer(AnalyzerTag::InterConn, c)
: TCP_ApplicationAnalyzer("INTERCONN", c)
{
orig_endp = resp_endp = 0;
orig_stream_pos = resp_stream_pos = 1;

2
src/InterConn.h
View file

@ -47,7 +47,7 @@ public:
virtual void Done();
void StatTimer(double t, int is_expire);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new InterConn_Analyzer(conn); }
static bool Available() { return interconn_stats; }

4
src/Login.cc
View file

@ -20,8 +20,8 @@ static RE_Matcher* re_login_timeouts;
static RE_Matcher* init_RE(ListVal* l);
Login_Analyzer::Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn)
: TCP_ApplicationAnalyzer(tag, conn)
Login_Analyzer::Login_Analyzer(const char* name, Connection* conn)
: TCP_ApplicationAnalyzer(name, conn)
{
state = LOGIN_STATE_AUTHENTICATE;
num_user_lines_seen = lines_scanned = 0;

2
src/Login.h
View file

@ -21,7 +21,7 @@ typedef enum {
class Login_Analyzer : public TCP_ApplicationAnalyzer {
public:
Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn);
Login_Analyzer(const char* name, Connection* conn);
~Login_Analyzer();
virtual void DeliverStream(int len, const u_char* data, bool orig);

2
src/MIME.cc
View file

@ -966,7 +966,7 @@ TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist)
return t;
}
MIME_Mail::MIME_Mail(Analyzer* mail_analyzer, int buf_size)
MIME_Mail::MIME_Mail(analyzer::Analyzer* mail_analyzer, int buf_size)
: MIME_Message(mail_analyzer)
{
analyzer = mail_analyzer;

10
src/MIME.h
View file

@ -10,7 +10,7 @@ using namespace std;
#include "Base64.h"
#include "BroString.h"
#include "Analyzer.h"
#include "analyzer/Analyzer.h"
// MIME: Multipurpose Internet Mail Extensions
// Follows RFC 822 & 2822 (Internet Mail), 2045-2049 (MIME)
@ -178,7 +178,7 @@ protected:
class MIME_Message {
public:
MIME_Message(Analyzer* arg_analyzer)
MIME_Message(analyzer::Analyzer* arg_analyzer)
{
// Cannot initialize top_level entity because we do
// not know its type yet (MIME_Entity / MIME_Mail /
@ -203,7 +203,7 @@ public:
top_level->Deliver(len, data, trailing_CRLF);
}
Analyzer* GetAnalyzer() const { return analyzer; }
analyzer::Analyzer* GetAnalyzer() const { return analyzer; }
// Events generated by MIME_Entity
virtual void BeginEntity(MIME_Entity*) = 0;
@ -215,7 +215,7 @@ public:
virtual void SubmitEvent(int event_type, const char* detail) = 0;
protected:
Analyzer* analyzer;
analyzer::Analyzer* analyzer;
MIME_Entity* top_level;
int finished;
@ -226,7 +226,7 @@ protected:
class MIME_Mail : public MIME_Message {
public:
MIME_Mail(Analyzer* mail_conn, int buf_size = 0);
MIME_Mail(analyzer::Analyzer* mail_conn, int buf_size = 0);
~MIME_Mail();
void Done();

2
src/Modbus.cc
View file

@ -3,7 +3,7 @@
#include "TCP_Reassembler.h"
ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer(AnalyzerTag::Modbus, c)
: TCP_ApplicationAnalyzer("MODBUS", c)
{
interp = new binpac::ModbusTCP::ModbusTCP_Conn(this);
}

2
src/Modbus.h
View file

@ -15,7 +15,7 @@ public:
virtual void Undelivered(int seq, int len, bool orig);
virtual void EndpointEOF(bool is_orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new ModbusTCP_Analyzer(conn); }
// Put event names in this function

6
src/NCP.cc
View file

@ -17,7 +17,7 @@ using namespace std;
uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \
uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8))
NCP_Session::NCP_Session(Analyzer* a)
NCP_Session::NCP_Session(analyzer::Analyzer* a)
: analyzer(a)
{
req_frame_type = 0;
@ -150,7 +150,7 @@ void NCP_FrameBuffer::compute_msg_length()
}
Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* arg_session)
: TCP_SupportAnalyzer(AnalyzerTag::Contents_NCP, conn, orig)
: TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig)
{
session = arg_session;
resync = true;
@ -215,7 +215,7 @@ void Contents_NCP_Analyzer::Undelivered(int seq, int len, bool orig)
}
NCP_Analyzer::NCP_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::NCP, conn)
: TCP_ApplicationAnalyzer("NCP", conn)
{
session = new NCP_Session(this);
o_ncp = new Contents_NCP_Analyzer(conn, true, session);

6
src/NCP.h
View file

@ -29,7 +29,7 @@
class NCP_Session {
public:
NCP_Session(Analyzer* analyzer);
NCP_Session(analyzer::Analyzer* analyzer);
virtual ~NCP_Session() {}
virtual void Deliver(int is_orig, int len, const u_char* data);
@ -42,7 +42,7 @@ public:
protected:
void DeliverFrame(const binpac::NCP::ncp_frame* frame);
Analyzer* analyzer;
analyzer::Analyzer* analyzer;
int req_frame_type;
int req_func;
};
@ -102,7 +102,7 @@ public:
NCP_Analyzer(Connection* conn);
virtual ~NCP_Analyzer();
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new NCP_Analyzer(conn); }
static bool Available() { return NCP_Session::any_ncp_event(); }

2
src/NFS.cc
View file

@ -641,7 +641,7 @@ Val* NFS_Interp::ExtractBool(const u_char*& buf, int& n)
NFS_Analyzer::NFS_Analyzer(Connection* conn)
: RPC_Analyzer(AnalyzerTag::NFS, conn, new NFS_Interp(this))
: RPC_Analyzer("RPC", conn, new NFS_Interp(this))
{
orig_rpc = resp_rpc = 0;
}

4
src/NFS.h
View file

@ -9,7 +9,7 @@
class NFS_Interp : public RPC_Interpreter {
public:
NFS_Interp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
protected:
int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n);
@ -75,7 +75,7 @@ public:
NFS_Analyzer(Connection* conn);
virtual void Init();
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new NFS_Analyzer(conn); }
static bool Available()

2
src/NTP.cc
View file

@ -9,7 +9,7 @@
NTP_Analyzer::NTP_Analyzer(Connection* conn)
: Analyzer(AnalyzerTag::NTP, conn)
: Analyzer("NTP", conn)
{
ADD_ANALYZER_TIMER(&NTP_Analyzer::ExpireTimer,
network_time + ntp_session_timeout, 1,

4
src/NTP.h
View file

@ -35,11 +35,11 @@ struct ntpdata {
struct l_fixedpt xmt;
};
class NTP_Analyzer : public Analyzer {
class NTP_Analyzer : public analyzer::Analyzer {
public:
NTP_Analyzer(Connection* conn);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new NTP_Analyzer(conn); }
static bool Available() { return ntp_message; }

2
src/NVT.cc
View file

@ -360,7 +360,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */)
NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig)
: ContentLine_Analyzer(AnalyzerTag::NVT, conn, orig)
: ContentLine_Analyzer("NVT", conn, orig)
{
peer = 0;
is_suboption = last_was_IAC = pending_IAC = 0;

3
src/NetVar.cc
View file

@ -208,7 +208,6 @@ TableType* irc_join_list;
RecordType* irc_join_info;
TableVal* irc_servers;
TableVal* dpd_config;
int dpd_reassemble_first_packets;
int dpd_buffer_size;
int dpd_match_only_beginning;
@ -239,6 +238,7 @@ TableType* record_field_table;
StringVal* cmd_line_bpf_filter;
#include "analyzer.bif.netvar_def"
#include "const.bif.netvar_def"
#include "types.bif.netvar_def"
#include "event.bif.netvar_def"
@ -512,7 +512,6 @@ void init_net_var()
opt_internal_double("remote_trace_sync_interval");
remote_trace_sync_peers = opt_internal_int("remote_trace_sync_peers");
dpd_config = internal_val("dpd_config")->AsTableVal();
dpd_reassemble_first_packets =
opt_internal_int("dpd_reassemble_first_packets");
dpd_buffer_size = opt_internal_int("dpd_buffer_size");

2
src/NetVar.h
View file

@ -212,7 +212,6 @@ extern TableType* irc_join_list;
extern RecordType* irc_join_info;
extern TableVal* irc_servers;
extern TableVal* dpd_config;
extern int dpd_reassemble_first_packets;
extern int dpd_buffer_size;
extern int dpd_match_only_beginning;
@ -249,6 +248,7 @@ extern void init_general_global_var();
extern void init_event_handlers();
extern void init_net_var();
#include "analyzer.bif.netvar_h"
#include "const.bif.netvar_h"
#include "types.bif.netvar_h"
#include "event.bif.netvar_h"

6
src/NetbiosSSN.cc
View file

@ -43,7 +43,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len)
}
NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(Analyzer* arg_analyzer,
NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(analyzer::Analyzer* arg_analyzer,
SMB_Session* arg_smb_session)
{
analyzer = arg_analyzer;
@ -340,7 +340,7 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig,
NetbiosSSN_Interpreter* arg_interp)
: TCP_SupportAnalyzer(AnalyzerTag::Contents_NetbiosSSN, conn, orig)
: TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig)
{
interp = arg_interp;
type = flags = msg_size = 0;
@ -455,7 +455,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
}
NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::NetbiosSSN, conn)
: TCP_ApplicationAnalyzer("NETBIOS", conn)
{
smb_session = new SMB_Session(this);
interp = new NetbiosSSN_Interpreter(this, smb_session);

6
src/NetbiosSSN.h
View file

@ -62,7 +62,7 @@ struct NetbiosDGM_RawMsgHdr {
class NetbiosSSN_Interpreter {
public:
NetbiosSSN_Interpreter(Analyzer* analyzer, SMB_Session* smb_session);
NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer, SMB_Session* smb_session);
int ParseMessage(unsigned int type, unsigned int flags,
const u_char* data, int len, int is_query);
@ -108,7 +108,7 @@ protected:
u_char*& xname, int& xlen);
protected:
Analyzer* analyzer;
analyzer::Analyzer* analyzer;
SMB_Session* smb_session;
};
@ -157,7 +157,7 @@ public:
virtual void DeliverPacket(int len, const u_char* data, bool orig,
int seq, const IP_Hdr* ip, int caplen);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new NetbiosSSN_Analyzer(conn); }
static bool Available()

24
src/PIA.cc
View file

@ -2,7 +2,7 @@
#include "RuleMatcher.h"
#include "TCP_Reassembler.h"
PIA::PIA(Analyzer* arg_as_analyzer)
PIA::PIA(analyzer::Analyzer* arg_as_analyzer)
{
current_packet.data = 0;
as_analyzer = arg_as_analyzer;
@ -61,7 +61,7 @@ void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig)
AddToBuffer(buffer, -1, len, data, is_orig);
}
void PIA::ReplayPacketBuffer(Analyzer* analyzer)
void PIA::ReplayPacketBuffer(analyzer::Analyzer* analyzer)
{
DBG_LOG(DBG_DPD, "PIA replaying %d total packet bytes", pkt_buffer.size);
@ -129,7 +129,7 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
bol, eol, clear_state);
}
void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
{
if ( pkt_buffer.state == MATCHING_ONLY )
{
@ -142,14 +142,14 @@ void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
if ( Parent()->HasChildAnalyzer(tag) )
return;
Analyzer* a = Parent()->AddChildAnalyzer(tag);
analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
a->SetSignature(rule);
if ( a )
ReplayPacketBuffer(a);
}
void PIA_UDP::DeactivateAnalyzer(AnalyzerTag::Tag tag)
void PIA_UDP::DeactivateAnalyzer(analyzer::Tag tag)
{
reporter->InternalError("PIA_UDP::Deact not implemented yet");
}
@ -165,7 +165,7 @@ void PIA_TCP::Init()
{
TCP_ApplicationAnalyzer::Init();
if ( Parent()->GetTag() == AnalyzerTag::TCP )
if ( Parent()->IsAnalyzer("TCP") )
{
TCP_Analyzer* tcp = static_cast<TCP_Analyzer*>(Parent());
SetTCP(tcp);
@ -262,7 +262,7 @@ void PIA_TCP::Undelivered(int seq, int len, bool is_orig)
// No check for buffer overrun here. I think that's ok.
}
void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
{
if ( stream_buffer.state == MATCHING_ONLY )
{
@ -275,7 +275,7 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
if ( Parent()->HasChildAnalyzer(tag) )
return;
Analyzer* a = Parent()->AddChildAnalyzer(tag);
analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag);
a->SetSignature(rule);
// We have two cases here:
@ -305,13 +305,13 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
// (4) We hand the two reassemblers to the TCP Analyzer (our parent),
// turning reassembly now on for all subsequent data.
DBG_LOG(DBG_DPD, "DPM_TCP switching from packet-mode to stream-mode");
DBG_LOG(DBG_DPD, "PIA_TCP switching from packet-mode to stream-mode");
stream_mode = true;
// FIXME: The reassembler will query the endpoint for state. Not sure
// if this is works in all cases...
if ( Parent()->GetTag() != AnalyzerTag::TCP )
if ( ! Parent()->IsAnalyzer("TCP") )
{
// Our parent is not the TCP analyzer, which can only mean
// we have been inserted somewhere further down in the
@ -371,12 +371,12 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
tcp->SetReassembler(reass_orig, reass_resp);
}
void PIA_TCP::DeactivateAnalyzer(AnalyzerTag::Tag tag)
void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag)
{
reporter->InternalError("PIA_TCP::Deact not implemented yet");
}
void PIA_TCP::ReplayStreamBuffer(Analyzer* analyzer)
void PIA_TCP::ReplayStreamBuffer(analyzer::Analyzer* analyzer)
{
DBG_LOG(DBG_DPD, "PIA_TCP replaying %d total stream bytes", stream_buffer.size);

34
src/PIA.h
View file

@ -3,7 +3,7 @@
#ifndef PIA_H
#define PIA_H
#include "Analyzer.h"
#include "analyzer/Analyzer.h"
#include "TCP.h"
class RuleEndpointState;
@ -17,25 +17,25 @@ class RuleEndpointState;
// PIAs and then each needs its own matching-state.
class PIA : public RuleMatcherState {
public:
PIA(Analyzer* as_analyzer);
PIA(analyzer::Analyzer* as_analyzer);
virtual ~PIA();
// Called when PIA wants to put an Analyzer in charge. rule is the
// signature that triggered the activitation, if any.
virtual void ActivateAnalyzer(AnalyzerTag::Tag tag,
virtual void ActivateAnalyzer(analyzer::Tag tag,
const Rule* rule = 0) = 0;
// Called when PIA wants to remove an Analyzer.
virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag) = 0;
virtual void DeactivateAnalyzer(analyzer::Tag tag) = 0;
void Match(Rule::PatternType type, const u_char* data, int len,
bool is_orig, bool bol, bool eol, bool clear_state);
void ReplayPacketBuffer(Analyzer* analyzer);
void ReplayPacketBuffer(analyzer::Analyzer* analyzer);
// Children are also derived from Analyzer. Return this object
// as pointer to an Analyzer.
Analyzer* AsAnalyzer() { return as_analyzer; }
analyzer::Analyzer* AsAnalyzer() { return as_analyzer; }
static bool Available() { return true; }
@ -81,20 +81,20 @@ protected:
Buffer pkt_buffer;
private:
Analyzer* as_analyzer;
analyzer::Analyzer* as_analyzer;
Connection* conn;
DataBlock current_packet;
};
// PIA for UDP.
class PIA_UDP : public PIA, public Analyzer {
class PIA_UDP : public PIA, public analyzer::Analyzer {
public:
PIA_UDP(Connection* conn)
: PIA(this), Analyzer(AnalyzerTag::PIA_UDP, conn)
: PIA(this), Analyzer("PIA_UDP", conn)
{ SetConn(conn); }
virtual ~PIA_UDP() { }
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new PIA_UDP(conn); }
protected:
@ -111,8 +111,8 @@ protected:
PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
}
virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule);
virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag);
virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule);
virtual void DeactivateAnalyzer(analyzer::Tag tag);
};
// PIA for TCP. Accepts both packet and stream input (and reassembles
@ -120,7 +120,7 @@ protected:
class PIA_TCP : public PIA, public TCP_ApplicationAnalyzer {
public:
PIA_TCP(Connection* conn)
: PIA(this), TCP_ApplicationAnalyzer(AnalyzerTag::PIA_TCP, conn)
: PIA(this), TCP_ApplicationAnalyzer("PIA_TCP", conn)
{ stream_mode = false; SetConn(conn); }
virtual ~PIA_TCP();
@ -137,9 +137,9 @@ public:
// to be unnecessary overhead.)
void FirstPacket(bool is_orig, const IP_Hdr* ip);
void ReplayStreamBuffer(Analyzer* analyzer);
void ReplayStreamBuffer(analyzer::Analyzer* analyzer);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new PIA_TCP(conn); }
protected:
@ -159,9 +159,9 @@ protected:
virtual void DeliverStream(int len, const u_char* data, bool is_orig);
virtual void Undelivered(int seq, int len, bool is_orig);
virtual void ActivateAnalyzer(AnalyzerTag::Tag tag,
virtual void ActivateAnalyzer(analyzer::Tag tag,
const Rule* rule = 0);
virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag);
virtual void DeactivateAnalyzer(analyzer::Tag tag);
private:
// FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer.

2
src/POP3.cc
View file

@ -26,7 +26,7 @@ static const char* pop3_cmd_word[] = {
POP3_Analyzer::POP3_Analyzer(Connection* conn)
: TCP_ApplicationAnalyzer(AnalyzerTag::POP3, conn)
: TCP_ApplicationAnalyzer("POP3", conn)
{
masterState = POP3_START;
subState = POP3_WOK;

2
src/POP3.h
View file

@ -68,7 +68,7 @@ public:
virtual void Done();
virtual void DeliverStream(int len, const u_char* data, bool orig);
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{
return new POP3_Analyzer(conn);
}

2
src/Portmap.cc
View file

@ -300,7 +300,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu
}
Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)
: RPC_Analyzer(AnalyzerTag::Portmapper, conn, new PortmapperInterp(this))
: RPC_Analyzer("PORTMAPPER", conn, new PortmapperInterp(this))
{
orig_rpc = resp_rpc = 0;
}

4
src/Portmap.h
View file

@ -7,7 +7,7 @@
class PortmapperInterp : public RPC_Interpreter {
public:
PortmapperInterp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
protected:
int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n);
@ -29,7 +29,7 @@ public:
virtual ~Portmapper_Analyzer();
virtual void Init();
static Analyzer* InstantiateAnalyzer(Connection* conn)
static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
{ return new Portmapper_Analyzer(conn); }
static bool Available()

Some files were not shown because too many files have changed in this diff Show more