Rename IPBasedTransportAnalyzer to SessionAdapter

This also also combines the old TransportLayerAnalyzer class into SessionAdapter, and removes the old class. This requires naming changes in a few places but no functionality changes.
2025-10-11 19:18:19 +00:00 · 2021-05-11 13:30:57 -07:00 · 2021-05-11 13:30:57 -07:00 · b22ce6848f
commit b22ce6848f
parent c56fb3e8e4
24 changed files with 340 additions and 329 deletions
--- a/src/packet_analysis/protocol/ip/CMakeLists.txt
+++ b/src/packet_analysis/protocol/ip/CMakeLists.txt
@ -4,5 +4,5 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})

 zeek_plugin_begin(PacketAnalyzer IP)
-zeek_plugin_cc(IP.cc IPBasedAnalyzer.cc Plugin.cc)
+zeek_plugin_cc(IP.cc IPBasedAnalyzer.cc SessionAdapter.cc Plugin.cc)
 zeek_plugin_end()
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
@ -218,7 +218,7 @@ zeek::Connection* IPBasedAnalyzer::NewConn(const ConnTuple* id, const detail::Co

 bool IPBasedAnalyzer::BuildSessionAnalyzerTree(Connection* conn)
 	{
-	packet_analysis::IP::IPBasedTransportAnalyzer* root = MakeTransportAnalyzer(conn);
+	SessionAdapter* root = MakeSessionAdapter(conn);
 	analyzer::pia::PIA* pia = MakePIA(conn);

 	// TODO: temporary, can be replaced when the port lookup stuff is moved from analyzer_mgr
@ -262,7 +262,7 @@ bool IPBasedAnalyzer::BuildSessionAnalyzerTree(Connection* conn)
 	if ( pia )
 		root->AddChildAnalyzer(pia->AsAnalyzer());

-	conn->SetRootAnalyzer(root, pia);
+	conn->SetSessionAdapter(root, pia);
 	root->Init();
 	root->InitChildren();

--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h
@ -4,6 +4,7 @@

 #include "zeek/packet_analysis/Analyzer.h"
 #include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
 #include "zeek/analyzer/Analyzer.h"
 #include "zeek/analyzer/Manager.h"

@ -11,11 +12,9 @@ namespace zeek::analyzer::pia { class PIA; }

 namespace zeek::packet_analysis::IP {

-class IPBasedTransportAnalyzer;
-
 /**
- * A base class for any packet analyzer based on IP. This is used by default by
- * the TCP, UDP, and ICMP analyzers to reduce a large amount of duplicated code
+ * A base class for reuse by packet analyzers based on IP. This is used by default
+ * by the TCP, UDP, and ICMP analyzers to reduce a large amount of duplicated code
 * that those plugins have in common.
 */
 class IPBasedAnalyzer : public Analyzer {
@ -91,13 +90,15 @@ protected:
 		}

 	/**
-	 * Returns a transport analyzer appropriate for this IP-based analyzer. This
-	 * can also be used to do any extra initialization of connection timers, etc.
+	 * Returns an analyzer adapter appropriate for this IP-based analyzer. This adapter
+	 * is used to hook into the session analyzer framework. This function can also be used
+	 * to do any extra initialization of connection timers, etc.
 	 */
-	virtual IPBasedTransportAnalyzer* MakeTransportAnalyzer(Connection* conn) { return nullptr; }
+	virtual SessionAdapter* MakeSessionAdapter(Connection* conn) = 0;

 	/**
-	 * Returns a PIA appropriate for this IP-based analyzer.
+	 * Returns a PIA appropriate for this IP-based analyzer. This method is optional to
+	 * override in child classes, as not all analyzers need a PIA.
 	 */
 	virtual analyzer::pia::PIA* MakePIA(Connection* conn) { return nullptr; }

@ -145,44 +146,4 @@ private:
 	uint32_t server_port_mask;
 };

-/**
- * This class represents the interface between the packet analysis framework and
- * the session analysis framework. One of these should be implemented for each
- * packet analyzer that intends to forward into the session analysis.
- */
-class IPBasedTransportAnalyzer : public zeek::analyzer::TransportLayerAnalyzer {
-
-public:
-
-	IPBasedTransportAnalyzer(const char* name, Connection* conn)
-		: TransportLayerAnalyzer(name, conn) { }
-
-	/**
-	 * Sets the parent packet analyzer for this transport analyzer. This can't be passed to
-	 * the constructor due to the way that TransportLayerAnalyzer gets instantiated.
-	 *
-	 * @param p The parent packet analyzer to store
-	 */
-	void SetParent(IPBasedAnalyzer* p) { parent = p; }
-
-	/**
-	 * Returns true if the analyzer determines that in fact a new connection has started
-	 * without the connection statement having terminated the previous one, i.e., the new
-	 * data is arriving at what's the analyzer for the previous instance. This is used only
-	 * for TCP.
-	 */
-	bool IsReuse(double t, const u_char* pkt) override { return parent->IsReuse(t, pkt); }
-
-	/**
-	 * Pure virtual method to allow extra session analzyers to be added to this analyzer's
-	 * tree of children. This is used by analyzer::Manager when creating the session analyzer
-	 * tree.
-	 */
-	virtual void AddExtraAnalyzers(Connection* conn) = 0;
-
-protected:
-
-	IPBasedAnalyzer* parent;
-};
-
 }
--- a/src/packet_analysis/protocol/ip/SessionAdapter.cc
+++ b/src/packet_analysis/protocol/ip/SessionAdapter.cc
@ -0,0 +1,39 @@
+#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
+
+#include "zeek/File.h"
+#include "zeek/ZeekString.h"
+#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
+
+using namespace zeek::packet_analysis::IP;
+
+void SessionAdapter::Done()
+	{
+	Analyzer::Done();
+	}
+
+bool SessionAdapter::IsReuse(double t, const u_char* pkt)
+	{
+	return parent->IsReuse(t, pkt);
+	}
+
+void SessionAdapter::SetContentsFile(unsigned int /* direction */,
+                                             FilePtr /* f */)
+	{
+	reporter->Error("analyzer type does not support writing to a contents file");
+	}
+
+zeek::FilePtr SessionAdapter::GetContentsFile(unsigned int /* direction */) const
+	{
+	reporter->Error("analyzer type does not support writing to a contents file");
+	return nullptr;
+	}
+
+void SessionAdapter::PacketContents(const u_char* data, int len)
+	{
+	if ( packet_contents && len > 0 )
+		{
+		zeek::String* cbs = new zeek::String(data, len, true);
+		auto contents = make_intrusive<StringVal>(cbs);
+		EnqueueConnEvent(packet_contents, ConnVal(), std::move(contents));
+		}
+	}
--- a/src/packet_analysis/protocol/ip/SessionAdapter.h
+++ b/src/packet_analysis/protocol/ip/SessionAdapter.h
@ -0,0 +1,102 @@
+#pragma once
+
+#include "zeek/analyzer/Analyzer.h"
+
+namespace zeek::analyzer::pia { class PIA; }
+
+namespace zeek::packet_analysis::IP {
+
+class IPBasedAnalyzer;
+
+/**
+ * This class represents the interface between the packet analysis framework and
+ * the session analysis framework. One of these should be implemented for each
+ * packet analyzer that intends to forward into the session analysis.
+ */
+class SessionAdapter : public analyzer::Analyzer {
+
+public:
+
+	SessionAdapter(const char* name, Connection* conn)
+		: analyzer::Analyzer(name, conn) { }
+
+	/**
+	 * Overridden from parent class.
+	 */
+	virtual void Done() override;
+
+	/**
+	 * Sets the parent packet analyzer for this session adapter. This can't be passed to
+	 * the constructor due to the way that SessionAdapter gets instantiated.
+	 *
+	 * @param p The parent packet analyzer to store
+	 */
+	void SetParent(IPBasedAnalyzer* p) { parent = p; }
+
+	/**
+	 * Returns true if the analyzer determines that in fact a new connection has started
+	 * without the connection statement having terminated the previous one, i.e., the new
+	 * data is arriving at what's the analyzer for the previous instance. This is used only
+	 * for TCP.
+	 */
+	virtual bool IsReuse(double t, const u_char* pkt);
+
+	/**
+	 * Pure virtual method to allow extra session analzyers to be added to this analyzer's
+	 * tree of children. This is used by analyzer::Manager when creating the session analyzer
+	 * tree.
+	 */
+	virtual void AddExtraAnalyzers(Connection* conn) = 0;
+
+	/**
+	 * Associates a file with the analyzer in which to record all
+	 * analyzed input. This must only be called with derived classes that
+	 * overide the method; the default implementation will abort.
+	 *
+	 * @param direction One of the CONTENTS_* constants indicating which
+	 * direction of the input stream is to be recorded.
+	 *
+	 * @param f The file to record to.
+	 *
+	 */
+	virtual void SetContentsFile(unsigned int direction, FilePtr f);
+
+	/**
+	 * Returns an associated contents file, if any.  This must only be
+	 * called with derived classes that overide the method; the default
+	 * implementation will abort.
+	 *
+	 * @param direction One of the CONTENTS_* constants indicating which
+	 * direction the query is for.
+	 */
+	virtual FilePtr GetContentsFile(unsigned int direction) const;
+
+	/**
+	 * Associates a PIA with this analyzer. A PIA takes the
+	 * transport-layer input and determine which protocol analyzer(s) to
+	 * use for parsing it.
+	 */
+	void SetPIA(analyzer::pia::PIA* arg_PIA)	{ pia = arg_PIA; }
+
+	/**
+	 * Returns the associated PIA, or null of none. Does not take
+	 * ownership.
+	 */
+	analyzer::pia::PIA* GetPIA() const		{ return pia; }
+
+	/**
+	 * Helper to raise a \c packet_contents event.
+	 *
+	 * @param data The dass to pass to the event.
+	 *
+	 * @param len The length of \a data.
+	 */
+	void PacketContents(const u_char* data, int len);
+
+protected:
+
+	IPBasedAnalyzer* parent;
+	analyzer::pia::PIA* pia;
+};
+
+} // namespace zeek::packet_analysis::IP