From af1809aaa36c4bd37b6b1871b78776625aa188f8 Mon Sep 17 00:00:00 2001 
From: Robin Sommer
Date: Wed, 20 Mar 2013 13:32:36 -0700
Subject: [PATCH 01/70] First prototype of new analyzer framework.

This is a larger internal change that moves the analyzer infrastructure to a more flexible model where the available analyzers don't need to be hardcoded at compile time anymore. While currently they actually still are, this will in the future enable external analyzer plugins. For now, it does already add the capability to dynamically enable/disable analyzers from script-land, replacing the old Analyzer::Available() methods.

There are three major parts going into this:

- A new plugin infrastructure in src/plugin. This is independent of analyzers and will eventually support plugins for other parts of Bro as well (think: readers and writers). The goal is that plugins can be alternatively compiled in statically or loaded dynamically at runtime from a shared library. While the latter isn't there yet, there'll be almost no code change for a plugin to make it dynamic later (hopefully :)

- New analyzer infrastructure in src/analyzer. I've moved a number of analyzer-related classes here, including Analyzer and DPM; the latter now renamed to Analyzer::Manager. More will move here later. Currently, there's only one plugin here, which provides *all* existing analyzers. We can modularize this further in the future (or not).

- A new script interface in base/framework/analyzer. I think that this will eventually replace the dpm framework, but for now that's still there as well, though some parts have moved over.

I've also removed the dpd_config table; ports are now configured via the analyzer framework. For example, for SSH:

    const ports = { 22/tcp } &redef;

    event bro_init() &priority=5
        {
        ...
        Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
        }

As you can see, the old ANALYZER_SSH constants have moved into an enum in the Analyzer namespace.

This is all hardly tested right now, and not everything works yet. There's also a lot more cleanup to do (moving more classes around; removing no longer used functionality; documenting script and C++ interfaces; regression tests). But it seems to generally work with a small trace at least.

The debug stream "dpm" shows more about the loaded/enabled analyzers. A new option -N lists loaded plugins and what they provide (including those compiled in statically; i.e., right now it outputs all the analyzers).

This is all not cast-in-stone yet, for some things we need to see if they make sense this way. Feedback welcome.
---
 scripts/base/frameworks/analyzer/__load__.bro |   1 +
 scripts/base/frameworks/analyzer/main.bro     | 119 +++
 scripts/base/frameworks/dpd/main.bro          |  30 +-
 scripts/base/frameworks/tunnels/main.bro      |  10 +-
 scripts/base/init-bare.bro                    |  44 +-
 scripts/base/init-default.bro                 |   1 +
 scripts/base/protocols/conn/inactivity.bro    |   6 +-
 scripts/base/protocols/dns/main.bro           |  10 +-
 scripts/base/protocols/ftp/main.bro           |  10 +-
 scripts/base/protocols/http/main.bro          |  27 +-
 scripts/base/protocols/irc/dcc-send.bro       |   2 +-
 scripts/base/protocols/irc/main.bro           |   7 +-
 scripts/base/protocols/modbus/main.bro        |   6 +-
 scripts/base/protocols/smtp/main.bro          |   8 +-
 scripts/base/protocols/socks/main.bro         |   5 +-
 scripts/base/protocols/ssh/main.bro           |   8 +-
 scripts/base/protocols/ssl/main.bro           |  28 +-
 scripts/base/protocols/syslog/main.bro        |   6 +-
 .../frameworks/dpd/detect-protocols.bro       |  39 +-
 .../frameworks/dpd/packet-segment-logging.bro |   2 +-
 .../policy/protocols/conn/known-services.bro  |   2 +-
 src/AYIYA.cc                                  |   2 +-
 src/AYIYA.h                                   |   4 +-
 src/AnalyzerTags.h                            |  57 --
 src/BackDoor.cc                               |   2 +-
 src/BackDoor.h                                |   2 +-
 src/Base64.cc                                 |   2 +-
 src/Base64.h                                  |   7 +-
 src/BitTorrent.cc                             |   2 +-
 src/BitTorrent.h                              |   2 +-
 src/BitTorrentTracker.cc                      |   2 +-
 src/BitTorrentTracker.h                       |   2 +-
 src/CMakeLists.txt                            |  13 +-
 src/Conn.cc                                   |  22 +-
 src/Conn.h                                    |  30 +-
 src/ConnSizeAnalyzer.cc                       |   2 +-
 src/ConnSizeAnalyzer.h                        |   6 +-
 src/ContentLine.cc                            |   7 +-
 src/ContentLine.h                             |   2 +-
 src/DCE_RPC.cc                                |  15 +-
 src/DCE_RPC.h                                 |  10 +-
 src/DHCP-binpac.cc                            |   2 +-
 src/DHCP-binpac.h                             |   4 +-
 src/DNS-binpac.cc                             |   4 +-
 src/DNS-binpac.h                              |   6 +-
 src/DNS.cc                                    |   6 +-
 src/DNS.h                                     |   6 +-
 src/DPM.cc                                    | 407 ----------
 src/DPM.h                                     | 131 ----
 src/Event.cc                                  |   2 +-
 src/Event.h                                   |  16 +-
 src/EventLauncher.cc                          |   4 +-
 src/FTP.cc                                    |   4 +-
 src/FTP.h                                     |   8 +-
 src/FileAnalyzer.cc                           |   2 +-
 src/FileAnalyzer.h                            |   4 +-
 src/Finger.cc                                 |   2 +-
 src/Finger.h                                  |   2 +-
 src/Func.cc                                   |   3 +
 src/GTPv1.cc                                  |   2 +-
 src/GTPv1.h                                   |   4 +-
 src/Gnutella.cc                               |   8 +-
 src/Gnutella.h                                |   2 +-
 src/HTTP-binpac.cc                            |   2 +-
 src/HTTP-binpac.h                             |   2 +-
 src/HTTP.cc                                   |   6 +-
 src/HTTP.h                                    |   4 +-
 src/ICMP.cc                                   |  11 +-
 src/ICMP.h                                    |  10 +-
 src/IPAddr.cc                                 |   5 +-
 src/IPAddr.h                                  |   6 +-
 src/IRC.cc                                    |   4 +-
 src/IRC.h                                     |   2 +-
 src/Ident.cc                                  |   2 +-
 src/Ident.h                                   |   2 +-
 src/InterConn.cc                              |   2 +-
 src/InterConn.h                               |   2 +-
 src/Login.cc                                  |   4 +-
 src/Login.h                                   |   2 +-
 src/MIME.cc                                   |   2 +-
 src/MIME.h                                    |  10 +-
 src/Modbus.cc                                 |   2 +-
 src/Modbus.h                                  |   2 +-
 src/NCP.cc                                    |   6 +-
 src/NCP.h                                     |   6 +-
 src/NFS.cc                                    |   2 +-
 src/NFS.h                                     |   4 +-
 src/NTP.cc                                    |   2 +-
 src/NTP.h                                     |   4 +-
 src/NVT.cc                                    |   2 +-
 src/NetVar.cc                                 |   3 +-
 src/NetVar.h                                  |   2 +-
 src/NetbiosSSN.cc                             |   6 +-
 src/NetbiosSSN.h                              |   6 +-
 src/PIA.cc                                    |  24 +-
 src/PIA.h                                     |  34 +-
 src/POP3.cc                                   |   2 +-
 src/POP3.h                                    |   2 +-
 src/Portmap.cc                                |   2 +-
 src/Portmap.h                                 |   4 +-
 src/RPC.cc                                    |   8 +-
 src/RPC.h                                     |   6 +-
 src/RSH.cc                                    |   4 +-
 src/RSH.h                                     |   2 +-
 src/Rlogin.cc                                 |   4 +-
 src/Rlogin.h                                  |   2 +-
 src/RuleAction.cc                             |  37 +-
 src/RuleAction.h                              |  27 +-
 src/RuleCondition.cc                          |   4 +-
 src/RuleMatcher.cc                            |   8 +-
 src/RuleMatcher.h                             |  12 +-
 src/SMB.cc                                    |   6 +-
 src/SMB.h                                     |   6 +-
 src/SMTP.cc                                   |   2 +-
 src/SMTP.h                                    |   2 +-
 src/SOCKS.cc                                  |   2 +-
 src/SOCKS.h                                   |   2 +-
 src/SSH.cc                                    |   2 +-
 src/SSH.h                                     |   2 +-
 src/SSL.cc                                    |   2 +-
 src/SSL.h                                     |   2 +-
 src/Sessions.cc                               |   7 +-
 src/SteppingStone.cc                          |   2 +-
 src/SteppingStone.h                           |   2 +-
 src/Syslog-binpac.cc                          |   4 +-
 src/Syslog-binpac.h                           |   6 +-
 src/TCP.cc                                    |  26 +-
 src/TCP.h                                     |  34 +-
 src/TCP_Reassembler.cc                        |   4 +-
 src/TCP_Reassembler.h                         |   8 +-
 src/Telnet.cc                                 |   2 +-
 src/Telnet.h                                  |   2 +-
 src/Teredo.cc                                 |   2 +
 src/Teredo.h                                  |   9 +-
 src/UDP.cc                                    |   3 +-
 src/UDP.h                                     |   6 +-
 src/Val.cc                                    |   5 +
 src/Val.h                                     |   1 +
 src/ZIP.cc                                    |   2 +-
 src/analyzer.bif                              |  39 +
 src/{ => analyzer}/Analyzer.cc                | 276 ++-----
 src/{ => analyzer}/Analyzer.h                 | 122 ++--
 src/analyzer/BuiltinAnalyzers.cc              | 127 ++++
 src/analyzer/BuiltinAnalyzers.h               |  17 +
 src/analyzer/Manager.cc                       | 691 ++++++++++++++++++
 src/analyzer/Manager.h                        | 182 +++++
 src/analyzer/PluginComponent.cc               |  37 +
 src/analyzer/PluginComponent.h                |  51 ++
 src/analyzer/Tag.cc                           |  69 ++
 src/analyzer/Tag.h                            |  59 ++
 src/ayiya.pac                                 |   1 +
 src/binpac_bro.h                              |  10 +-
 src/bro.bif                                   |  59 +-
 src/builtin-func.y                            |   4 +-
 src/event.bif                                 | 436 +++++------
 src/main.cc                                   |  71 +-
 src/plugin/Component.cc                       |  47 ++
 src/plugin/Component.h                        |  37 +
 src/plugin/DummyPlugin.cc                     |  28 +
 src/plugin/Manager.cc                         |  81 ++
 src/plugin/Manager.h                          |  87 +++
 src/plugin/Plugin.cc                          |  94 +++
 src/plugin/Plugin.h                           |  60 ++
 src/scan.l                                    |  14 +-
 src/util.cc                                   |   8 +
 src/util.h                                    |   1 +
 166 files changed, 2717 insertions(+), 1642 deletions(-)
 create mode 100644 scripts/base/frameworks/analyzer/__load__.bro
 create mode 100644 scripts/base/frameworks/analyzer/main.bro
 delete mode 100644 src/AnalyzerTags.h
 delete mode 100644 src/DPM.cc
 delete mode 100644 src/DPM.h
 create mode 100644 src/analyzer.bif
 rename src/{ => analyzer}/Analyzer.cc (65%)
 rename src/{ => analyzer}/Analyzer.h (81%)
 create mode 100644 src/analyzer/BuiltinAnalyzers.cc
 create mode 100644 src/analyzer/BuiltinAnalyzers.h
 create mode 100644 src/analyzer/Manager.cc
 create mode 100644 src/analyzer/Manager.h
 create mode 100644 src/analyzer/PluginComponent.cc
 create mode 100644 src/analyzer/PluginComponent.h
 create mode 100644 src/analyzer/Tag.cc
 create mode 100644 src/analyzer/Tag.h
 create mode 100644 src/plugin/Component.cc
 create mode 100644 src/plugin/Component.h
 create mode 100644 src/plugin/DummyPlugin.cc
 create mode 100644 src/plugin/Manager.cc
 create mode 100644 src/plugin/Manager.h
 create mode 100644 src/plugin/Plugin.cc
 create mode 100644 src/plugin/Plugin.h
diff --git a/scripts/base/frameworks/analyzer/__load__.bro b/scripts/base/frameworks/analyzer/__load__.bro new file mode 100644 index 0000000000..a10fe855df --- /dev/null +++ b/scripts/base/frameworks/analyzer/__load__.bro @@ -0,0 +1 @@ +@load ./main diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro new file mode 100644 index 0000000000..b93ebcba24 --- /dev/null +++ b/scripts/base/frameworks/analyzer/main.bro 
@@ -0,0 +1,119 @@ + +module Analyzer; + +# Analyzer::Tag is defined in types.bif, and automatically extended by plugins +# as they are loaded. + +export { + ## XXX. + global enable_analyzer: function(tag: Analyzer::Tag) : bool; + + ## XXX. + global disable_analyzer: function(tag: Analyzer::Tag) : bool; + + ## XXX. + global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool; + + ## XXX. + global register_for_port: function(tag: Analyzer::Tag, p: port) : bool; + + ## XXX. + global registered_ports: function(tag: Analyzer::Tag) : set[port]; + + ## Translate an analyzer type to an ASCII string. + ## + ## atype: The analyzer tag. + ## + ## Returns: The analyzer *aid* as string. + global name: function(atype: Analyzer::Tag) : string; + + ## Schedules an analyzer for a future connection from a given IP address and + ## port. The function ignores the scheduling request if the connection did + ## not occur within the specified time interval. + ## + ## orig: The IP address originating a connection in the future. + ## + ## resp: The IP address responding to a connection from *orig*. + ## + ## resp_p: The destination port at *resp*. + ## + ## analyzer: The analyzer ID. + ## + ## tout: The timeout interval after which to ignore the scheduling request. + ## + ## Returns: True if succesful. + global expect_connection: function(orig: addr, resp: addr, resp_p: port, + analyzer: Analyzer::Tag, tout: interval) : bool; + + ## Analyzers to disable at startup. 
+ global disabled_analyzers: set[Analyzer::Tag] = { + ANALYZER_INTERCONN, + ANALYZER_STEPPINGSTONE, + ANALYZER_BACKDOOR, + ANALYZER_TCPSTATS, + } + + &redef; +} + +@load base/analyzer.bif + +global ports: table[Analyzer::Tag] of set[port]; + +event bro_init() + { + for ( a in disabled_analyzers ) + disable_analyzer(a); + } + +function enable_analyzer(tag: Analyzer::Tag) : bool + { + return __enable_analyzer(tag); + } + +function disable_analyzer(tag: Analyzer::Tag) : bool + { + return __disable_analyzer(tag); + } + +function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool + { + local rc = T; + + for ( p in ports ) + { + if ( ! register_for_port(tag, p) ) + rc = F; + } + + return rc; + } + +function register_for_port(tag: Analyzer::Tag, p: port) : bool + { + if ( ! __register_for_port(tag, p) ) + return F; + + if ( tag !in ports ) + ports[tag] = set(); + + add ports[tag][p]; + return T; + } + +function registered_ports(tag: Analyzer::Tag) : set[port] + { + return tag in ports ? ports[tag] : set(); + } + +function name(atype: Analyzer::Tag) : string + { + return __name(atype); + } + +function expect_connection(orig: addr, resp: addr, resp_p: port, + analyzer: Analyzer::Tag, tout: interval) : bool + { + return __expect_connection(orig, resp, resp_p, analyzer, tout); + } + diff --git a/scripts/base/frameworks/dpd/main.bro b/scripts/base/frameworks/dpd/main.bro index a5349b6cfb..b4da2ff492 100644 --- a/scripts/base/frameworks/dpd/main.bro +++ b/scripts/base/frameworks/dpd/main.bro 
@@ -41,33 +41,27 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(DPD::LOG, [$columns=Info]); - - # Populate the internal DPD analysis variable. - for ( a in dpd_config ) - { - for ( p in dpd_config[a]$ports ) - { - if ( p !in dpd_analyzer_ports ) - dpd_analyzer_ports[p] = set(); - add dpd_analyzer_ports[p][a]; - } - } } -event protocol_confirmation(c: connection, atype: count, aid: count) &priority=10 +function foo() : string { - local analyzer = analyzer_name(atype); - + return "HTTP"; + } + +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10 + { + local analyzer = Analyzer::name(atype); + if ( fmt("-%s",analyzer) in c$service ) delete c$service[fmt("-%s", analyzer)]; add c$service[analyzer]; } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=10 { - local analyzer = analyzer_name(atype); + local analyzer = Analyzer::name(atype); # If the service hasn't been confirmed yet, don't generate a log message # for the protocol violation. if ( analyzer !in c$service ) @@ -86,7 +80,7 @@ event protocol_violation(c: connection, atype: count, aid: count, c$dpd = info; } -event protocol_violation(c: connection, atype: count, aid: count, reason: string) &priority=5 +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5 { if ( !c?$dpd || aid in c$dpd$disabled_aids ) return; @@ -100,7 +94,7 @@ event protocol_violation(c: connection, atype: count, aid: count, reason: string add c$dpd$disabled_aids[aid]; } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=-5 { if ( c?$dpd ) diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro index a8fc6c8236..faa725b3f6 100644 
--- a/scripts/base/frameworks/tunnels/main.bro +++ b/scripts/base/frameworks/tunnels/main.bro @@ -83,19 +83,17 @@ export { } const ayiya_ports = { 5072/udp }; -redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] }; - const teredo_ports = { 3544/udp }; -redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] }; - const gtpv1_ports = { 2152/udp, 2123/udp }; -redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1_ports] }; - redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports }; event bro_init() &priority=5 { Log::create_stream(Tunnel::LOG, [$columns=Info]); + + Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports); } function register_all(ecv: EncapsulatingConnVector) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b6187df0d9..d8f38ed124 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -2846,34 +2846,11 @@ const remote_trace_sync_peers = 0 &redef; ## consistency check. const remote_check_sync_consistency = F &redef; -## Analyzer tags. The core automatically defines constants -## ``ANALYZER_*``, e.g., ``ANALYZER_HTTP``. -## -## .. bro:see:: dpd_config -## -## .. todo::We should autodoc these automaticallty generated constants. -type AnalyzerTag: count; - -## Set of ports activating a particular protocol analysis. -## -## .. bro:see:: dpd_config -type dpd_protocol_config: record { - ports: set[port] &optional; ##< Set of ports. -}; - -## Port configuration for Bro's "dynamic protocol detection". Protocol -## analyzers can be activated via either well-known ports or content analysis. -## This table defines the ports. -## -## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_match_only_beginning dpd_ignore_ports -const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef; - ## Reassemble the beginning of all TCP connections before doing ## signature-matching. Enabling this provides more accurate matching at the ## expensive of CPU cycles. ## -## .. bro:see:: dpd_config dpd_buffer_size +## .. bro:see:: dpd_buffer_size ## dpd_match_only_beginning dpd_ignore_ports ## ## .. note:: Despite the name, this option affects *all* signature matching, not 
@@ -2888,24 +2865,24 @@ const dpd_reassemble_first_packets = T &redef; ## activated afterwards. Then only analyzers that can deal with partial ## connections will be able to analyze the session. ## -## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning +## .. bro:see:: dpd_reassemble_first_packets dpd_match_only_beginning ## dpd_ignore_ports const dpd_buffer_size = 1024 &redef; ## If true, stops signature matching if dpd_buffer_size has been reached. ## ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_config dpd_ignore_ports +## dpd_ignore_ports ## ## .. note:: Despite the name, this option affects *all* signature matching, not ## only signatures used for dynamic protocol detection. const dpd_match_only_beginning = T &redef; ## If true, don't consider any ports for deciding which protocol analyzer to -## use. If so, the value of :bro:see:`dpd_config` is ignored. +## use. ## ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size -## dpd_match_only_beginning dpd_config +## dpd_match_only_beginning const dpd_ignore_ports = F &redef; ## Ports which the core considers being likely used by servers. For ports in @@ -2913,13 +2890,6 @@ const dpd_ignore_ports = F &redef; ## connection if it misses the initial handshake. const likely_server_ports: set[port] &redef; -## Deprated. Set of all ports for which we know an analyzer, built by -## :doc:`/scripts/base/frameworks/dpd/main`. -## -## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main` -## itself we still need it. -global dpd_analyzer_ports: table[port] of set[AnalyzerTag]; - ## Per-incident timer managers are drained after this amount of inactivity. const timer_mgr_inactivity_timeout = 1 min &redef; 
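Review bot: the reworded doc for `dpd_ignore_ports` in this init-bare.bro hunk now reads "If true, don't consider any ports for deciding which protocol analyzer to use." with the `dpd_config` reference dropped but nothing put in its place, so a reader no longer learns which port registrations the option suppresses. Point the sentence at the replacement, e.g. "the ports registered via `Analyzer::register_for_ports` are ignored", and likewise the `.. bro:see::` lists for `dpd_reassemble_first_packets`, `dpd_buffer_size` and `dpd_match_only_beginning` lost their `dpd_config` cross-reference without gaining a link to the analyzer framework.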
@@ -3028,9 +2998,9 @@ module GLOBAL; ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; -# Load the logging framework here because it uses fairly deep integration with +# Load these frameworks here because it uses fairly deep integration with # BiFs and script-land defined types. @load base/frameworks/logging - @load base/frameworks/input +@load base/frameworks/analyzer diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 8b36899f10..590140c486 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -20,6 +20,7 @@ # loaded in base/init-bare.bro #@load base/frameworks/logging @load base/frameworks/notice +@load base/frameworks/analyzer @load base/frameworks/dpd @load base/frameworks/signatures @load base/frameworks/packet-filter diff --git a/scripts/base/protocols/conn/inactivity.bro b/scripts/base/protocols/conn/inactivity.bro index 28df192de3..b383f1ad7c 100644 --- a/scripts/base/protocols/conn/inactivity.bro +++ b/scripts/base/protocols/conn/inactivity.bro @@ -6,9 +6,9 @@ module Conn; export { ## Define inactivity timeouts by the service detected being used over ## the connection. - const analyzer_inactivity_timeouts: table[AnalyzerTag] of interval = { + const analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = { # For interactive services, allow longer periods of inactivity. - [[ANALYZER_SSH, ANALYZER_FTP]] = 1 hrs, + [[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs, } &redef; ## Define inactivity timeouts based on common protocol ports. @@ -18,7 +18,7 @@ export { } -event protocol_confirmation(c: connection, atype: count, aid: count) +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) { if ( atype in analyzer_inactivity_timeouts ) set_inactivity_timeout(c$id, analyzer_inactivity_timeouts[atype]); diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index ee0e4166da..66cdbc6241 100644 
--- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -117,19 +117,17 @@ redef capture_filters += { ["netbios-ns"] = "udp port 137", }; -const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; -redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] }; - const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp }; const dns_tcp_ports = { 53/tcp }; -redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] }; -redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] }; -redef likely_server_ports += { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; +redef likely_server_ports += { dns_udp_ports, dns_tcp_ports }; event bro_init() &priority=5 { Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]); + + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports); } function new_session(c: connection, trans_id: count): Info diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 3d7b1fe61a..e2b77e0099 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -96,11 +96,10 @@ redef record connection += { }; # Configure DPD -const ports = { 21/tcp, 2811/tcp } &redef; # 2811/tcp is GridFTP. redef capture_filters += { ["ftp"] = "port 21 and port 2811" }; -redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] }; -redef likely_server_ports += { 21/tcp, 2811/tcp }; +const ports = { 21/tcp, 2811/tcp }; +redef likely_server_ports += { ports }; # Establish the variable for tracking expected connections. global ftp_data_expected: table[addr, port] of Info &create_expire=5mins; 
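Review bot: the ftp/main.bro hunk replaces `const ports = { 21/tcp, 2811/tcp } &redef; # 2811/tcp is GridFTP.` with `const ports = { 21/tcp, 2811/tcp };`, dropping both `&redef` and the explanatory comment, so site policy can no longer extend the FTP port set the way it could before this patch. Keep `&redef` (the ssl/main.bro hunk in the same patch adds it, and the commit message's SSH example shows it) and keep the GridFTP comment.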
@@ -108,6 +107,7 @@ global ftp_data_expected: table[addr, port] of Info &create_expire=5mins; event bro_init() &priority=5 { Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]); + Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports); } ## A set of commands where the argument can be expected to refer @@ -228,7 +228,7 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5 { c$ftp$passive=F; ftp_data_expected[data$h, data$p] = c$ftp; - expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins); + Analyzer::expect_connection(id$resp_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); } else { @@ -281,7 +281,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior data$h = id$resp_h; ftp_data_expected[data$h, data$p] = c$ftp; - expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins); + Analyzer::expect_connection(id$orig_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); } else { diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro index 660386f901..daf546fc82 100644 --- a/scripts/base/protocols/http/main.bro +++ b/scripts/base/protocols/http/main.bro 
@@ -119,29 +119,26 @@ redef record connection += { http_state: State &optional; }; -# Initialize the HTTP logging stream. -event bro_init() &priority=5 - { - Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]); - } - # DPD configuration. -const ports = { - 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp, - 8000/tcp, 8080/tcp, 8888/tcp, -}; -redef dpd_config += { - [[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports], -}; redef capture_filters += { ["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)" }; -redef likely_server_ports += { - 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp, +const ports = { + 80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp, 8000/tcp, 8080/tcp, 8888/tcp, }; +redef likely_server_ports += { ports }; + + +# Initialize the HTTP logging stream and ports. +event bro_init() &priority=5 + { + Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]); + Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports); + } + function code_in_range(c: count, min: count, max: count) : bool { return c >= min && c <= max; diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index d07a0edf5a..621ad42826 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -104,7 +104,7 @@ event irc_dcc_message(c: connection, is_orig: bool, c$irc$dcc_file_name = argument; c$irc$dcc_file_size = size; local p = count_to_port(dest_port, tcp); - expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min); + Analyzer::expect_connection(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_FILE, 5 min); dcc_expected_transfers[address, p] = c$irc; } diff --git a/scripts/base/protocols/irc/main.bro b/scripts/base/protocols/irc/main.bro index 1cf542b8ea..490c39f54f 100644 --- a/scripts/base/protocols/irc/main.bro +++ b/scripts/base/protocols/irc/main.bro 
@@ -45,14 +45,13 @@ redef capture_filters += { ["irc-6668"] = "port 6668" }; redef capture_filters += { ["irc-6669"] = "port 6669" }; # DPD configuration. -const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; -redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] }; - -redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; +const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log]); + Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports); } function new_session(c: connection): Info diff --git a/scripts/base/protocols/modbus/main.bro b/scripts/base/protocols/modbus/main.bro index aa11c5ce07..a418873306 100644 --- a/scripts/base/protocols/modbus/main.bro +++ b/scripts/base/protocols/modbus/main.bro @@ -31,12 +31,14 @@ redef record connection += { # Configure DPD and the packet filter. redef capture_filters += { ["modbus"] = "tcp port 502" }; -redef dpd_config += { [ANALYZER_MODBUS] = [$ports = set(502/tcp)] }; -redef likely_server_ports += { 502/tcp }; + +const ports = { 502/tcp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus]); + Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports); } event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &priority=5 diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index 03b3d36a24..c7b3a452d2 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -74,9 +74,6 @@ export { const mail_path_capture = ALL_HOSTS &redef; global log_smtp: event(rec: Info); - - ## Configure the default ports for SMTP analysis. - const ports = { 25/tcp, 587/tcp } &redef; } redef record connection += { 
@@ -86,13 +83,14 @@ redef record connection += { # Configure DPD redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" }; -redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] }; -redef likely_server_ports += { 25/tcp, 587/tcp }; +const ports = { 25/tcp, 587/tcp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports); } function find_address_in_smtp_header(header: string): string diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro index df5ee69f16..a188646515 100644 --- a/scripts/base/protocols/socks/main.bro +++ b/scripts/base/protocols/socks/main.bro @@ -34,9 +34,13 @@ export { global log_socks: event(rec: Info); } +const ports = { 1080/tcp }; +redef likely_server_ports += { ports }; + event bro_init() &priority=5 { Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports); } redef record connection += { @@ -45,7 +49,6 @@ redef record connection += { # Configure DPD redef capture_filters += { ["socks"] = "tcp port 1080" }; -redef dpd_config += { [ANALYZER_SOCKS] = [$ports = set(1080/tcp)] }; redef likely_server_ports += { 1080/tcp }; function set_session(c: connection, version: count) diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index cd20f4e913..6f363eeb0e 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -76,10 +76,11 @@ export { } # Configure DPD and the packet filter -redef capture_filters += { ["ssh"] = "tcp port 22" }; -redef dpd_config += { [ANALYZER_SSH] = [$ports = set(22/tcp)] }; -redef likely_server_ports += { 22/tcp }; +const ports = { 22/tcp }; + +redef capture_filters += { ["ssh"] = "tcp port 22" }; +redef likely_server_ports += { ports }; redef record connection += { ssh: Info &optional; 
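Review bot: `const ports = { 22/tcp };` in the ssh/main.bro hunk has no `&redef`, although the commit message presents exactly this snippet as `const ports = { 22/tcp } &redef;`. Add `&redef` so the set can be overridden from site policy; the same hunk also leaves the unchanged `redef capture_filters += { ["ssh"] = "tcp port 22" };` as a removed-then-re-added pair, which only adds diff noise.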
@@ -88,6 +89,7 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports); } function set_session(c: connection) diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index c6c4091a87..36d0c3f54d 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -94,11 +94,6 @@ redef record Info += { delay_tokens: set[string] &optional; }; -event bro_init() &priority=5 - { - Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]); - } - redef capture_filters += { ["ssl"] = "tcp port 443", ["nntps"] = "tcp port 563", @@ -117,16 +112,9 @@ redef capture_filters += { const ports = { 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp -}; +} &redef; -redef dpd_config += { - [[ANALYZER_SSL]] = [$ports = ports] -}; - -redef likely_server_ports += { - 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, - 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp -}; +redef likely_server_ports += { ports }; # A queue that buffers log records. global log_delay_queue: table[count] of Info; @@ -135,6 +123,12 @@ global log_delay_queue_head = 0; # The bottom queue index that points to the next record to be flushed. global log_delay_queue_tail = 0; +event bro_init() &priority=5 + { + Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ports); + } + function set_session(c: connection) { if ( ! c?$ssl ) 
@@ -288,14 +282,14 @@ event ssl_established(c: connection) &priority=-5 finish(c); } -event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5 +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5 { # Check by checking for existence of c$ssl record. - if ( c?$ssl && analyzer_name(atype) == "SSL" ) + if ( c?$ssl && atype == Analyzer::ANALYZER_SSL ) c$ssl$analyzer_id = aid; } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5 { if ( c?$ssl ) diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro index 61334e3f2b..8e6a807c24 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.bro @@ -27,10 +27,9 @@ export { } redef capture_filters += { ["syslog"] = "port 514" }; -const ports = { 514/udp } &redef; -redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] }; -redef likely_server_ports += { 514/udp }; +const ports = { 514/udp }; +redef likely_server_ports += { ports }; redef record connection += { syslog: Info &optional; @@ -39,6 +38,7 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(Syslog::LOG, [$columns=Info]); + Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG_BINPAC, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 diff --git a/scripts/policy/frameworks/dpd/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.bro index 8f4e892ce4..c45486b776 100644 --- a/scripts/policy/frameworks/dpd/detect-protocols.bro +++ b/scripts/policy/frameworks/dpd/detect-protocols.bro 
@@ -21,22 +21,22 @@ export { type dir: enum { NONE, INCOMING, OUTGOING, BOTH }; - const valids: table[count, addr, port] of dir = { + const valids: table[Analyzer::Tag, addr, port] of dir = { # A couple of ports commonly used for benign HTTP servers. # For now we want to see everything. - # [ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING, - # [ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING, + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING, # - # [ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella - # [ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella - # [ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella + # [Analyzer::ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella } &redef; # Set of analyzers for which we suppress Server_Found notices @@ -44,8 +44,8 @@ export { # log files, this also saves memory because for these we don't # need to remember which servers we already have reported, which # for some can be a lot. - const suppress_servers: set [count] = { - # ANALYZER_HTTP + const suppress_servers: set [Analyzer::Tag] = { + # Analyzer::ANALYZER_HTTP } &redef; # We consider a connection to use a protocol X if the analyzer for X 
@@ -60,7 +60,7 @@ export { # Entry point for other analyzers to report that they recognized # a certain (sub-)protocol. - global found_protocol: function(c: connection, analyzer: count, + global found_protocol: function(c: connection, analyzer: Analyzer::Tag, protocol: string); # Table keeping reported (server, port, analyzer) tuples (and their @@ -89,7 +89,7 @@ function get_protocol(c: connection, a: count) : protocol str = |str| > 0 ? fmt("%s/%s", str, p) : p; } - return [$a=analyzer_name(a), $sub=str]; + return [$a=Analyzer::name(a), $sub=str]; } function fmt_protocol(p: protocol) : string @@ -194,10 +194,10 @@ event connection_state_remove(c: connection) report_protocols(c); } -event protocol_confirmation(c: connection, atype: count, aid: count) +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) { # Don't report anything running on a well-known port. - if ( atype in dpd_config && c$id$resp_p in dpd_config[atype]$ports ) + if ( c$id$resp_p in Analyzer::registered_ports(atype) ) return; if ( c$id in conns ) @@ -214,11 +214,10 @@ event protocol_confirmation(c: connection, atype: count, aid: count) } } -function found_protocol(c: connection, analyzer: count, protocol: string) +function found_protocol(c: connection, analyzer: Analyzer::tag, protocol: string) { # Don't report anything running on a well-known port. - if ( analyzer in dpd_config && - c$id$resp_p in dpd_config[analyzer]$ports ) + if ( c$id$resp_p in Analyzer::registered_ports(atype) ) return; if ( c$id !in protocols ) diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.bro b/scripts/policy/frameworks/dpd/packet-segment-logging.bro index 3883cd1207..a605d84a74 100644 --- a/scripts/policy/frameworks/dpd/packet-segment-logging.bro +++ b/scripts/policy/frameworks/dpd/packet-segment-logging.bro 
@@ -20,7 +20,7 @@ export { } -event protocol_violation(c: connection, atype: count, aid: count, +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=4 { if ( ! c?$dpd ) return; diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro index f494a30f82..4e474f76a0 100644 --- a/scripts/policy/protocols/conn/known-services.bro +++ b/scripts/policy/protocols/conn/known-services.bro @@ -87,7 +87,7 @@ function known_services_done(c: connection) event log_it(network_time(), id$resp_h, id$resp_p, c$service); } -event protocol_confirmation(c: connection, atype: count, aid: count) &priority=-5 +event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=-5 { known_services_done(c); } diff --git a/src/AYIYA.cc b/src/AYIYA.cc index 79fa44e743..2154ae4b30 100644 --- a/src/AYIYA.cc +++ b/src/AYIYA.cc @@ -1,7 +1,7 @@ #include "AYIYA.h" AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn) -: Analyzer(AnalyzerTag::AYIYA, conn) +: Analyzer("AYIYA", conn) { interp = new binpac::AYIYA::AYIYA_Conn(this); } diff --git a/src/AYIYA.h b/src/AYIYA.h index 79b41553c7..f6025b709f 100644 --- a/src/AYIYA.h +++ b/src/AYIYA.h @@ -3,7 +3,7 @@ #include "ayiya_pac.h" -class AYIYA_Analyzer : public Analyzer { +class AYIYA_Analyzer : public analyzer::Analyzer { public: AYIYA_Analyzer(Connection* conn); virtual ~AYIYA_Analyzer(); @@ -12,7 +12,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new AYIYA_Analyzer(conn); } static bool Available() diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h deleted file mode 100644 index 38e47cf8fc..0000000000 --- a/src/AnalyzerTags.h +++ /dev/null 
@@ -1,57 +0,0 @@ -#ifndef ANALYZERTAGS_H -#define ANALYZERTAGS_H - -// Each kind of analyzer gets a tag. When adding an analyzer here, also adapt -// the table of analyzers in Analyzer.cc. -// -// Using a namespace here is kind of a hack: ideally this would be in "class -// Analyzer {...}". But then we'd have circular dependencies across the header -// files. - -#include "util.h" - -typedef uint32 AnalyzerID; - -namespace AnalyzerTag { - enum Tag { - Error = 0, // used as error code - - // Analyzer in charge of protocol detection. - PIA_TCP, PIA_UDP, - - // Transport-layer analyzers. - ICMP, TCP, UDP, - - // Application-layer analyzers (hand-written). - BitTorrent, BitTorrentTracker, - DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC, - Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin, - RPC, Rsh, SMB, SMTP, SSH, - Telnet, - - // Application-layer analyzers, binpac-generated. - DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC, - HTTP_BINPAC, SSL, SYSLOG_BINPAC, - Modbus, - - // Decapsulation analyzers. - AYIYA, - SOCKS, - Teredo, - GTPv1, - - // Other - File, Backdoor, InterConn, SteppingStone, TCPStats, - ConnSize, - - // Support-analyzers - Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP, - Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh, - Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS, - FTP_ADAT, - // End-marker. - LastAnalyzer - }; -}; - -#endif diff --git a/src/BackDoor.cc b/src/BackDoor.cc index c218a98ce2..333dc9c806 100644 --- a/src/BackDoor.cc +++ b/src/BackDoor.cc @@ -681,7 +681,7 @@ int BackDoorEndpoint::CheckForString(const char* str, BackDoor_Analyzer::BackDoor_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::Backdoor, c) +: TCP_ApplicationAnalyzer("BACKDOOR", c) { orig_endp = resp_endp = 0; diff --git a/src/BackDoor.h b/src/BackDoor.h index 40ea3bbaa3..2286138239 100644 --- a/src/BackDoor.h +++ b/src/BackDoor.h 
@@ -71,7 +71,7 @@ public: virtual void Done(); void StatTimer(double t, int is_expire); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BackDoor_Analyzer(conn); } static bool Available() diff --git a/src/Base64.cc b/src/Base64.cc index d3abd9b563..cef11dab92 100644 --- a/src/Base64.cc +++ b/src/Base64.cc @@ -84,7 +84,7 @@ int* Base64Converter::InitBase64Table(const string& alphabet) -Base64Converter::Base64Converter(Analyzer* arg_analyzer, const string& arg_alphabet) +Base64Converter::Base64Converter(analyzer::Analyzer* arg_analyzer, const string& arg_alphabet) { if ( arg_alphabet.size() > 0 ) { diff --git a/src/Base64.h b/src/Base64.h index 8cfeffde74..d7e4384ac5 100644 --- a/src/Base64.h +++ b/src/Base64.h @@ -7,7 +7,8 @@ #include "util.h" #include "BroString.h" -#include "Analyzer.h" +#include "Reporter.h" +#include "analyzer/Analyzer.h" // Maybe we should have a base class for generic decoders? class Base64Converter { @@ -15,7 +16,7 @@ public: // is used for error reporting, and it should be zero when // the decoder is called by the built-in function decode_base64() or encode_base64(). // Empty alphabet indicates the default base64 alphabet. - Base64Converter(Analyzer* analyzer, const string& alphabet = ""); + Base64Converter(analyzer::Analyzer* analyzer, const string& alphabet = ""); ~Base64Converter(); // A note on Decode(): @@ -62,7 +63,7 @@ protected: int base64_after_padding; int* base64_table; int errored; // if true, we encountered an error - skip further processing - Analyzer* analyzer; + analyzer::Analyzer* analyzer; }; diff --git a/src/BitTorrent.cc b/src/BitTorrent.cc index fa8fb09e43..de033cbbe7 100644 --- a/src/BitTorrent.cc +++ b/src/BitTorrent.cc 
@@ -4,7 +4,7 @@ #include "TCP_Reassembler.h" BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrent, c) +: TCP_ApplicationAnalyzer("BITTORRENT", c) { interp = new binpac::BitTorrent::BitTorrent_Conn(this); stop_orig = stop_resp = false; diff --git a/src/BitTorrent.h b/src/BitTorrent.h index f083cf4fc7..eb2aeb422e 100644 --- a/src/BitTorrent.h +++ b/src/BitTorrent.h @@ -17,7 +17,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BitTorrent_Analyzer(conn); } static bool Available() diff --git a/src/BitTorrentTracker.cc b/src/BitTorrentTracker.cc index 12c5a199de..81b97f44d4 100644 --- a/src/BitTorrentTracker.cc +++ b/src/BitTorrentTracker.cc @@ -18,7 +18,7 @@ static RecordType* bittorrent_benc_value; static TableType* bittorrent_benc_dir; BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrentTracker, c) +: TCP_ApplicationAnalyzer("BITTORRENT", c) { if ( ! bt_tracker_headers ) { diff --git a/src/BitTorrentTracker.h b/src/BitTorrentTracker.h index 3b9efe0430..cc17d98af3 100644 --- a/src/BitTorrentTracker.h +++ b/src/BitTorrentTracker.h @@ -50,7 +50,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BitTorrentTracker_Analyzer(conn); } static bool Available() diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 83a018ccde..318a014a19 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -141,6 +141,7 @@ macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar) endmacro(GET_BIF_OUTPUT_FILES) set(BIF_SRCS + analyzer.bif bro.bif logging.bif input.bif 
@@ -283,7 +284,6 @@ set(bro_SRCS net_util.cc util.cc module_util.cc - Analyzer.cc Anon.cc ARP.cc Attr.cc @@ -318,7 +318,6 @@ set(bro_SRCS Desc.cc Dict.cc Discard.cc - DPM.cc EquivClass.cc Event.cc EventHandler.cc @@ -447,6 +446,16 @@ set(bro_SRCS input/readers/Raw.cc input/readers/Benchmark.cc + plugin/Component.cc + plugin/Manager.cc + plugin/Plugin.cc + + analyzer/Analyzer.cc + analyzer/BuiltinAnalyzers.cc + analyzer/Manager.cc + analyzer/PluginComponent.cc + analyzer/Tag.cc + nb_dns.c digest.h ) diff --git a/src/Conn.cc b/src/Conn.cc index bc2e7fb5cf..e7687c5464 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -14,6 +14,7 @@ #include "PIA.h" #include "binpac.h" #include "TunnelEncapsulation.h" +#include "analyzer/Analyzer.h" void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer, int arg_do_expire) @@ -402,16 +403,21 @@ RecordVal* Connection::BuildConnVal() return conn_val; } -Analyzer* Connection::FindAnalyzer(AnalyzerID id) +analyzer::Analyzer* Connection::FindAnalyzer(analyzer::ID id) { return root_analyzer ? root_analyzer->FindChild(id) : 0; } -Analyzer* Connection::FindAnalyzer(AnalyzerTag::Tag tag) +analyzer::Analyzer* Connection::FindAnalyzer(analyzer::Tag tag) { return root_analyzer ? root_analyzer->FindChild(tag) : 0; } +analyzer::Analyzer* Connection::FindAnalyzer(const string& name) + { + return root_analyzer->FindChild(name); + } + void Connection::AppendAddl(const char* str) { Unref(BuildConnVal()); @@ -540,7 +546,7 @@ Val* Connection::BuildVersionVal(const char* s, int len) } int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len, - Analyzer* analyzer) + analyzer::Analyzer* analyzer) { if ( ! software_version_found && ! software_parse_error ) return 1; 
@@ -578,7 +584,7 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len, } int Connection::UnparsedVersionFoundEvent(const IPAddr& addr, - const char* full, int len, Analyzer* analyzer) + const char* full, int len, analyzer::Analyzer* analyzer) { // Skip leading white space. while ( len && isspace(*full) ) @@ -602,7 +608,7 @@ int Connection::UnparsedVersionFoundEvent(const IPAddr& addr, return 1; } -void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, const char* name) +void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name) { if ( ! f ) return; @@ -615,7 +621,7 @@ void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, const char* name) ConnectionEvent(f, analyzer, vl); } -void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2) +void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2) { if ( ! f ) { @@ -634,7 +640,7 @@ void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2) ConnectionEvent(f, analyzer, vl); } -void Connection::ConnectionEvent(EventHandlerPtr f, Analyzer* a, val_list* vl) +void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl) { if ( ! f ) { @@ -929,7 +935,7 @@ error: return false; } -void Connection::SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia) +void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia) { root_analyzer = analyzer; primary_PIA = pia; diff --git a/src/Conn.h b/src/Conn.h index 782d41a801..1989ce0b43 100644 --- a/src/Conn.h +++ b/src/Conn.h 
@@ -11,19 +11,22 @@ #include "Serializer.h" #include "PersistenceSerializer.h" #include "RuleMatcher.h" -#include "AnalyzerTags.h" #include "IPAddr.h" #include "TunnelEncapsulation.h" +#include "analyzer/Tag.h" +#include "analyzer/Analyzer.h" + class Connection; class ConnectionTimer; class NetSessions; class LoginConn; class RuleHdrTest; class Specific_RE_Matcher; -class TransportLayerAnalyzer; class RuleEndpointState; +namespace analyzer { class TransportLayerAnalyzer; } + typedef enum { NUL_IN_LINE, SINGULAR_CR, @@ -47,7 +50,7 @@ static inline int addr_port_canon_lt(const IPAddr& addr1, uint32 p1, return addr1 < addr2 || (addr1 == addr2 && p1 < p2); } -class Analyzer; +namespace analyzer { class Analyzer; } class Connection : public BroObj { public: @@ -102,8 +105,9 @@ public: void FlipRoles(); - Analyzer* FindAnalyzer(AnalyzerID id); - Analyzer* FindAnalyzer(AnalyzerTag::Tag tag); // find first in tree. + analyzer::Analyzer* FindAnalyzer(analyzer::ID id); + analyzer::Analyzer* FindAnalyzer(analyzer::Tag tag); // find first in tree. + analyzer::Analyzer* FindAnalyzer(const string& name); // find first in tree. TransportProto ConnTransport() const { return proto; } 
@@ -161,15 +165,15 @@ public: // Raises a software_version_found event based on the // given string (returns false if it's not parseable). int VersionFoundEvent(const IPAddr& addr, const char* s, int len, - Analyzer* analyzer = 0); + analyzer::Analyzer* analyzer = 0); // Raises a software_unparsed_version_found event. int UnparsedVersionFoundEvent(const IPAddr& addr, - const char* full_descr, int len, Analyzer* analyzer); + const char* full_descr, int len, analyzer::Analyzer* analyzer); - void Event(EventHandlerPtr f, Analyzer* analyzer, const char* name = 0); - void Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2 = 0); - void ConnectionEvent(EventHandlerPtr f, Analyzer* analyzer, + void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name = 0); + void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = 0); + void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer, val_list* vl); void Weird(const char* name, const char* addl = ""); @@ -241,8 +245,8 @@ public: void DeleteTimer(double t); // Sets the root of the analyzer tree as well as the primary PIA. - void SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia); - TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; } + void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia); + analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; } PIA* GetPrimaryPIA() { return primary_PIA; } // Sets the transport protocol in use. @@ -314,7 +318,7 @@ protected: string history; uint32 hist_seen; - TransportLayerAnalyzer* root_analyzer; + analyzer::TransportLayerAnalyzer* root_analyzer; PIA* primary_PIA; uint64 uid; // Globally unique connection ID. diff --git a/src/ConnSizeAnalyzer.cc b/src/ConnSizeAnalyzer.cc index a1b892f4db..82672dba7c 100644 --- a/src/ConnSizeAnalyzer.cc +++ b/src/ConnSizeAnalyzer.cc 
@@ -9,7 +9,7 @@ ConnSize_Analyzer::ConnSize_Analyzer(Connection* c) -: Analyzer(AnalyzerTag::ConnSize, c) +: Analyzer("CONNSIZE", c) { } diff --git a/src/ConnSizeAnalyzer.h b/src/ConnSizeAnalyzer.h index 1fdd57bb15..23f7975617 100644 --- a/src/ConnSizeAnalyzer.h +++ b/src/ConnSizeAnalyzer.h @@ -4,11 +4,11 @@ #ifndef CONNSTATS_H #define CONNSTATS_H -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "NetVar.h" -class ConnSize_Analyzer : public Analyzer { +class ConnSize_Analyzer : public analyzer::Analyzer { public: ConnSize_Analyzer(Connection* c); virtual ~ConnSize_Analyzer(); @@ -20,7 +20,7 @@ public: virtual void UpdateConnVal(RecordVal *conn_val); virtual void FlipRoles(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ConnSize_Analyzer(conn); } static bool Available() { return BifConst::use_conn_size_analyzer ; } diff --git a/src/ContentLine.cc b/src/ContentLine.cc index 5601694e1d..2a79272cbd 100644 --- a/src/ContentLine.cc +++ b/src/ContentLine.cc @@ -4,14 +4,13 @@ #include "TCP.h" ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig) -: TCP_SupportAnalyzer(AnalyzerTag::ContentLine, conn, orig) +: TCP_SupportAnalyzer("CONTENTLINE", conn, orig) { InitState(); } -ContentLine_Analyzer::ContentLine_Analyzer(AnalyzerTag::Tag tag, - Connection* conn, bool orig) -: TCP_SupportAnalyzer(tag, conn, orig) +ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig) +: TCP_SupportAnalyzer(name, conn, orig) { InitState(); } diff --git a/src/ContentLine.h b/src/ContentLine.h index 5e9f01945f..849f457075 100644 --- a/src/ContentLine.h +++ b/src/ContentLine.h 
@@ -55,7 +55,7 @@ public: { return seq + length <= seq_to_skip; } protected: - ContentLine_Analyzer(AnalyzerTag::Tag tag, Connection* conn, bool orig); + ContentLine_Analyzer(const char* name, Connection* conn, bool orig); virtual void DeliverStream(int len, const u_char* data, bool is_orig); virtual void Undelivered(int seq, int len, bool orig); diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc index 21cb3be9a0..0cb9ab3c3f 100644 --- a/src/DCE_RPC.cc +++ b/src/DCE_RPC.cc @@ -10,7 +10,8 @@ using namespace std; #include "DCE_RPC.h" #include "Sessions.h" -#include "DPM.h" + +#include "analyzer/Manager.h" #define xbyte(b, n) (((const u_char*) (b))[n]) @@ -160,11 +161,11 @@ static void add_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr, // of the dce_rpc_endpoints table. // FIXME: Don't hard-code the timeout. - dpm->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto, - AnalyzerTag::DCE_RPC, 5 * 60, 0); + analyzer_mgr->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto, + "DCE_RPC", 5 * 60, 0); } -DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b) +DCE_RPC_Header::DCE_RPC_Header(analyzer::Analyzer* a, const u_char* b) { analyzer = a; bytes = b; @@ -183,7 +184,7 @@ DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b) frag_len = extract_uint16(LittleEndian(), bytes + 8); } -DCE_RPC_Session::DCE_RPC_Session(Analyzer* a) +DCE_RPC_Session::DCE_RPC_Session(analyzer::Analyzer* a) : analyzer(a), if_uuid("00000000-0000-0000-0000-000000000000"), if_id(BifEnum::DCE_RPC_unknown_if) @@ -442,7 +443,7 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse( Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* arg_session, bool speculative) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_DCE_RPC, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig) { session = arg_session; msg_buf = 0; 
@@ -566,7 +567,7 @@ bool Contents_DCE_RPC_Analyzer::ParseHeader() } DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative) -: TCP_ApplicationAnalyzer(AnalyzerTag::DCE_RPC, conn) +: TCP_ApplicationAnalyzer("DCE_RPC", conn) { session = new DCE_RPC_Session(this); speculative = arg_speculative; diff --git a/src/DCE_RPC.h b/src/DCE_RPC.h index acdbf1637d..cfffc73c4e 100644 --- a/src/DCE_RPC.h +++ b/src/DCE_RPC.h @@ -88,7 +88,7 @@ enum DCE_RPC_PTYPE { class DCE_RPC_Header { public: - DCE_RPC_Header(Analyzer* a, const u_char* bytes); + DCE_RPC_Header(analyzer::Analyzer* a, const u_char* bytes); BifEnum::dce_rpc_ptype PTYPE() const { return ptype; } int FragLen() const { return frag_len; } @@ -99,7 +99,7 @@ public: void SetBytes(const u_char* b) { bytes = b; } protected: - Analyzer* analyzer; + analyzer::Analyzer* analyzer; const u_char* bytes; BifEnum::dce_rpc_ptype ptype; int frag_len; @@ -112,7 +112,7 @@ protected: class DCE_RPC_Session { public: - DCE_RPC_Session(Analyzer* a); + DCE_RPC_Session(analyzer::Analyzer* a); virtual ~DCE_RPC_Session() {} virtual void DeliverPDU(int is_orig, int len, const u_char* data); @@ -135,7 +135,7 @@ protected: const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu, const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp); - Analyzer* analyzer; + analyzer::Analyzer* analyzer; UUID if_uuid; BifEnum::dce_rpc_if_id if_id; int opnum; @@ -174,7 +174,7 @@ public: DCE_RPC_Analyzer(Connection* conn, bool speculative = false); ~DCE_RPC_Analyzer(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DCE_RPC_Analyzer(conn); } static bool Available() diff --git a/src/DHCP-binpac.cc b/src/DHCP-binpac.cc index 2aec6e6e9f..d2847966ae 100644 --- a/src/DHCP-binpac.cc +++ b/src/DHCP-binpac.cc 
@@ -1,7 +1,7 @@ #include "DHCP-binpac.h" DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn) -: Analyzer(AnalyzerTag::DHCP_BINPAC, conn) +: Analyzer("DHCP", conn) { interp = new binpac::DHCP::DHCP_Conn(this); } diff --git a/src/DHCP-binpac.h b/src/DHCP-binpac.h index 06ddff3bb6..a3890b399d 100644 --- a/src/DHCP-binpac.h +++ b/src/DHCP-binpac.h @@ -6,7 +6,7 @@ #include "dhcp_pac.h" -class DHCP_Analyzer_binpac : public Analyzer { +class DHCP_Analyzer_binpac : public analyzer::Analyzer { public: DHCP_Analyzer_binpac(Connection* conn); virtual ~DHCP_Analyzer_binpac(); @@ -15,7 +15,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DHCP_Analyzer_binpac(conn); } static bool Available() diff --git a/src/DNS-binpac.cc b/src/DNS-binpac.cc index 999f6015c0..4ab84d1cfe 100644 --- a/src/DNS-binpac.cc +++ b/src/DNS-binpac.cc @@ -2,7 +2,7 @@ #include "TCP_Reassembler.h" DNS_UDP_Analyzer_binpac::DNS_UDP_Analyzer_binpac(Connection* conn) -: Analyzer(AnalyzerTag::DNS_UDP_BINPAC, conn) +: Analyzer("DNS_UDP_BINPAC", conn) { interp = new binpac::DNS::DNS_Conn(this); did_session_done = 0; @@ -45,7 +45,7 @@ void DNS_UDP_Analyzer_binpac::ExpireTimer(double t) } DNS_TCP_Analyzer_binpac::DNS_TCP_Analyzer_binpac(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::DNS_TCP_BINPAC, conn) +: TCP_ApplicationAnalyzer("DNS_TCP_BINPAC", conn) { interp = new binpac::DNS_on_TCP::DNS_TCP_Conn(this); } diff --git a/src/DNS-binpac.h b/src/DNS-binpac.h index 0bbacf9192..2f241b89ae 100644 --- a/src/DNS-binpac.h +++ b/src/DNS-binpac.h 
@@ -11,7 +11,7 @@ // change that easily? (Ideally, the TCP preprocessing would become a // support-analyzer as it is done for the traditional DNS analyzer.) -class DNS_UDP_Analyzer_binpac : public Analyzer { +class DNS_UDP_Analyzer_binpac : public analyzer::Analyzer { public: DNS_UDP_Analyzer_binpac(Connection* conn); virtual ~DNS_UDP_Analyzer_binpac(); @@ -20,7 +20,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DNS_UDP_Analyzer_binpac(conn); } static bool Available() @@ -47,7 +47,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DNS_TCP_Analyzer_binpac(conn); } static bool Available() diff --git a/src/DNS.cc b/src/DNS.cc index a3b0b62ef3..7cab27c4b9 100644 --- a/src/DNS.cc +++ b/src/DNS.cc @@ -12,7 +12,7 @@ #include "Sessions.h" #include "Event.h" -DNS_Interpreter::DNS_Interpreter(Analyzer* arg_analyzer) +DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; } @@ -993,7 +993,7 @@ Val* DNS_MsgInfo::BuildTSIG_Val() Contents_DNS::Contents_DNS(Connection* conn, bool orig, DNS_Interpreter* arg_interp) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_DNS, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) { interp = arg_interp; @@ -1080,7 +1080,7 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig) } DNS_Analyzer::DNS_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::DNS, conn) +: TCP_ApplicationAnalyzer("DNS", conn) { interp = new DNS_Interpreter(this); contents_dns_orig = contents_dns_resp = 0; diff --git a/src/DNS.h b/src/DNS.h index 83ca80911e..28e68cccad 100644 --- a/src/DNS.h 
+++ b/src/DNS.h @@ -149,7 +149,7 @@ public: class DNS_Interpreter { public: - DNS_Interpreter(Analyzer* analyzer); + DNS_Interpreter(analyzer::Analyzer* analyzer); int ParseMessage(const u_char* data, int len, int is_query); @@ -217,7 +217,7 @@ protected: const u_char*& data, int& len, BroString* question_name); - Analyzer* analyzer; + analyzer::Analyzer* analyzer; }; @@ -266,7 +266,7 @@ public: void ExpireTimer(double t); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DNS_Analyzer(conn); } static bool Available() diff --git a/src/DPM.cc b/src/DPM.cc deleted file mode 100644 index d7e5cd25ef..0000000000 --- a/src/DPM.cc +++ /dev/null 
@@ -1,407 +0,0 @@ -#include "DPM.h" -#include "PIA.h" -#include "Hash.h" -#include "ICMP.h" -#include "UDP.h" -#include "TCP.h" -#include "Val.h" -#include "BackDoor.h" -#include "InterConn.h" -#include "SteppingStone.h" -#include "ConnSizeAnalyzer.h" - - -ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, - uint16 _resp_p, uint16 _proto) - { - if ( _orig == IPAddr(string("0.0.0.0")) ) - // don't use the IPv4 mapping, use the literal unspecified address - // to indicate a wildcard - orig = IPAddr(string("::")); - else - orig = _orig; - resp = _resp; - resp_p = _resp_p; - proto = _proto; - } - -ExpectedConn::ExpectedConn(const ExpectedConn& c) - { - orig = c.orig; - resp = c.resp; - resp_p = c.resp_p; - proto = c.proto; - } - -DPM::DPM() -: expected_conns_queue(AssignedAnalyzer::compare) - { - } - -DPM::~DPM() - { - delete [] active_analyzers; - } - -void DPM::PreScriptInit() - { - for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ ) - { - // Create IDs ANALYZER_*. - ID* id = install_ID(fmt("ANALYZER_%s", - Analyzer::analyzer_configs[i].name), - GLOBAL_MODULE_NAME, true, false); - assert(id); - id->SetVal(new Val(i, TYPE_COUNT)); - id->SetType(id->ID_Val()->Type()->Ref()); - } - } - -void DPM::PostScriptInit() - { - active_analyzers = new bool[int(AnalyzerTag::LastAnalyzer)]; - - for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ ) - { - if ( ! 
Analyzer::analyzer_configs[i].available ) - continue; - - active_analyzers[i] = Analyzer::analyzer_configs[i].available(); - if ( active_analyzers[i] ) - AddConfig(Analyzer::analyzer_configs[i]); - } - } - -void DPM::AddConfig(const Analyzer::Config& cfg) - { -#ifdef USE_PERFTOOLS_DEBUG - HeapLeakChecker::Disabler disabler; -#endif - - Val* index = new Val(cfg.tag, TYPE_COUNT); - Val* v = dpd_config->Lookup(index); - -#ifdef DEBUG - ODesc desc; -#endif - if ( v ) - { - RecordVal* cfg_record = v->AsRecordVal(); - Val* ports = cfg_record->Lookup(0); - - if ( ports ) - { - ListVal* plist = ports->AsTableVal()->ConvertToPureList(); - - for ( int i = 0; i< plist->Length(); ++i ) - { - PortVal* port = plist->Index(i)->AsPortVal(); - - analyzer_map* ports = - port->IsTCP() ? &tcp_ports : &udp_ports; - - analyzer_map::iterator j = - ports->find(port->Port()); - - if ( j == ports->end() ) - { - tag_list* analyzers = new tag_list; - analyzers->push_back(cfg.tag); - ports->insert(analyzer_map::value_type(port->Port(), analyzers)); - } - else - j->second->push_back(cfg.tag); - -#ifdef DEBUG - port->Describe(&desc); - desc.SP(); -#endif - } - } - } - - DBG_LOG(DBG_DPD, "%s analyzer active on port(s) %s", cfg.name, desc.Description()); - - Unref(index); - } - -AnalyzerTag::Tag DPM::GetExpected(int proto, const Connection* conn) - { - if ( ! expected_conns.Length() ) - return AnalyzerTag::Error; - - ExpectedConn c(conn->OrigAddr(), conn->RespAddr(), - ntohs(conn->RespPort()), proto); - - HashKey* key = BuildExpectedConnHashKey(c); - AssignedAnalyzer* a = expected_conns.Lookup(key); - delete key; - - if ( ! a ) - { - // Wildcard for originator. - c.orig = IPAddr(string("::")); - - HashKey* key = BuildExpectedConnHashKey(c); - a = expected_conns.Lookup(key); - delete key; - } - - if ( ! a ) - return AnalyzerTag::Error; - - // We don't delete it here. It will be expired eventually. 
- return a->analyzer; - } - -bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, - const u_char* data) - { - TCP_Analyzer* tcp = 0; - UDP_Analyzer* udp = 0; - ICMP_Analyzer* icmp = 0; - TransportLayerAnalyzer* root = 0; - AnalyzerTag::Tag expected = AnalyzerTag::Error; - analyzer_map* ports = 0; - PIA* pia = 0; - bool analyzed = false; - - switch ( proto ) { - - case TRANSPORT_TCP: - root = tcp = new TCP_Analyzer(conn); - pia = new PIA_TCP(conn); - expected = GetExpected(proto, conn); - ports = &tcp_ports; - DBG_DPD(conn, "activated TCP analyzer"); - break; - - case TRANSPORT_UDP: - root = udp = new UDP_Analyzer(conn); - pia = new PIA_UDP(conn); - expected = GetExpected(proto, conn); - ports = &udp_ports; - DBG_DPD(conn, "activated UDP analyzer"); - break; - - case TRANSPORT_ICMP: { - root = icmp = new ICMP_Analyzer(conn); - DBG_DPD(conn, "activated ICMP analyzer"); - analyzed = true; - break; - } - - default: - reporter->InternalError("unknown protocol"); - } - - if ( ! root ) - { - DBG_DPD(conn, "cannot build analyzer tree"); - return false; - } - - // Any scheduled analyzer? - if ( expected != AnalyzerTag::Error ) - { - Analyzer* analyzer = - Analyzer::InstantiateAnalyzer(expected, conn); - root->AddChildAnalyzer(analyzer, false); - DBG_DPD_ARGS(conn, "activated %s analyzer as scheduled", - Analyzer::GetTagName(expected)); - - // Hmm... Do we want *just* the expected analyzer, or all - // other potential analyzers as well? For now we only take - // the scheduled one. - } - - else - { // Let's see if it's a port we know. - if ( ports && ! 
dpd_ignore_ports ) - { - analyzer_map::const_iterator i = - ports->find(ntohs(conn->RespPort())); - - if ( i != ports->end() ) - { - tag_list* analyzers = i->second; - for ( tag_list::const_iterator j = analyzers->begin(); - j != analyzers->end(); j++ ) - { - Analyzer* analyzer = - Analyzer::InstantiateAnalyzer(*j, conn); - - root->AddChildAnalyzer(analyzer, false); - DBG_DPD_ARGS(conn, "activated %s analyzer due to port %d", Analyzer::GetTagName(*j), conn->RespPort()); - } - } - } - } - - if ( tcp ) - { - // We have to decide whether to reassamble the stream. - // We turn it on right away if we already have an app-layer - // analyzer, reassemble_first_packets is true, or the user - // asks us to do so. In all other cases, reassembly may - // be turned on later by the TCP PIA. - - bool reass = root->GetChildren().size() || - dpd_reassemble_first_packets || - tcp_content_deliver_all_orig || - tcp_content_deliver_all_resp; - - if ( tcp_contents && ! reass ) - { - PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP); - Val* result; - - if ( ! reass ) - reass = tcp_content_delivery_ports_orig->Lookup(&dport); - - if ( ! reass ) - reass = tcp_content_delivery_ports_resp->Lookup(&dport); - } - - if ( reass ) - tcp->EnableReassembly(); - - // Add a BackDoor analyzer if requested. This analyzer - // can handle both reassembled and non-reassembled input. - if ( BackDoor_Analyzer::Available() ) - { - BackDoor_Analyzer* bd = new BackDoor_Analyzer(conn); - tcp->AddChildAnalyzer(bd, false); - } - - // Add a InterConn analyzer if requested. This analyzer - // can handle both reassembled and non-reassembled input. - if ( InterConn_Analyzer::Available() ) - { - InterConn_Analyzer* bd = new InterConn_Analyzer(conn); - tcp->AddChildAnalyzer(bd, false); - } - - // Add a SteppingStone analyzer if requested. The port - // should really not be hardcoded here, but as it can - // handle non-reassembled data, it doesn't really fit into - // our general framing ... 
Better would be to turn it - // on *after* we discover we have interactive traffic. - uint16 resp_port = ntohs(conn->RespPort()); - if ( SteppingStone_Analyzer::Available() && - (resp_port == 22 || resp_port == 23 || resp_port == 513) ) - { - AddrVal src(conn->OrigAddr()); - if ( ! stp_skip_src->Lookup(&src) ) - { - SteppingStone_Analyzer* bd = - new SteppingStone_Analyzer(conn); - tcp->AddChildAnalyzer(bd, false); - } - } - - // Add TCPStats analyzer. This needs to see packets so - // we cannot add it as a normal child. - if ( TCPStats_Analyzer::Available() ) - tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn)); - - // Add ConnSize analyzer. Needs to see packets, not stream. - if ( ConnSize_Analyzer::Available() ) - tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn)); - } - - else - { - if ( ConnSize_Analyzer::Available() ) - root->AddChildAnalyzer(new ConnSize_Analyzer(conn), false); - } - - if ( pia ) - root->AddChildAnalyzer(pia->AsAnalyzer(), false); - - if ( root->GetChildren().size() ) - analyzed = true; - - conn->SetRootAnalyzer(root, pia); - root->Init(); - root->InitChildren(); - - if ( ! analyzed ) - conn->SetLifetime(non_analyzed_lifetime); - - if ( expected != AnalyzerTag::Error ) - conn->Event(expected_connection_seen, 0, - new Val(expected, TYPE_COUNT)); - - return true; - } - -void DPM::ExpectConnection(const IPAddr& orig, const IPAddr& resp, - uint16 resp_p, - TransportProto proto, AnalyzerTag::Tag analyzer, - double timeout, void* cookie) - { - // Use the chance to see if the oldest entry is already expired. - if ( expected_conns_queue.size() ) - { - AssignedAnalyzer* a = expected_conns_queue.top(); - if ( a->timeout < network_time ) - { - if ( ! 
a->deleted ) - { - HashKey* key = BuildExpectedConnHashKey(a->conn); - expected_conns.Remove(key); - delete key; - } - - expected_conns_queue.pop(); - - DBG_LOG(DBG_DPD, "Expired expected %s analyzer for %s", - Analyzer::GetTagName(analyzer), - fmt_conn_id(a->conn.orig, 0, - a->conn.resp, - a->conn.resp_p)); - - delete a; - } - } - - ExpectedConn c(orig, resp, resp_p, proto); - - HashKey* key = BuildExpectedConnHashKey(c); - - AssignedAnalyzer* a = expected_conns.Lookup(key); - - if ( a ) - a->deleted = true; - - a = new AssignedAnalyzer(c); - - a->analyzer = analyzer; - a->cookie = cookie; - a->timeout = network_time + timeout; - a->deleted = false; - - expected_conns.Insert(key, a); - expected_conns_queue.push(a); - delete key; - } - -void DPM::Done() - { - // Clean up expected-connection table. - while ( expected_conns_queue.size() ) - { - AssignedAnalyzer* a = expected_conns_queue.top(); - if ( ! a->deleted ) - { - HashKey* key = BuildExpectedConnHashKey(a->conn); - expected_conns.Remove(key); - delete key; - } - - expected_conns_queue.pop(); - delete a; - } - } - diff --git a/src/DPM.h b/src/DPM.h deleted file mode 100644 index f59d21dbfc..0000000000 --- a/src/DPM.h +++ /dev/null 
@@ -1,131 +0,0 @@ -// The central management unit for dynamic analyzer selection. - -#ifndef DPM_H -#define DPM_H - -#include - -#include "Analyzer.h" -#include "Dict.h" -#include "net_util.h" - -// DPM debug logging, which includes the connection id into the message. -#ifdef DEBUG -# define DBG_DPD(conn, txt) \ - DBG_LOG(DBG_DPD, "%s " txt, \ - fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ - conn->RespAddr(), ntohs(conn->RespPort()))); -# define DBG_DPD_ARGS(conn, fmt, args...) \ - DBG_LOG(DBG_DPD, "%s " fmt, \ - fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ - conn->RespAddr(), ntohs(conn->RespPort())), ##args); -#else -# define DBG_DPD(conn, txt) -# define DBG_DPD_ARGS(conn, fmt, args...) -#endif - -// Map to assign expected connections to analyzers. -class ExpectedConn { -public: - ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, - uint16 _resp_p, uint16 _proto); - - ExpectedConn(const ExpectedConn& c); - - IPAddr orig; - IPAddr resp; - uint16 resp_p; - uint16 proto; -}; - -// Associates an analyzer for an expected future connection. -class AssignedAnalyzer { -public: - AssignedAnalyzer(const ExpectedConn& c) - : conn(c) - { - } - - ExpectedConn conn; - AnalyzerTag::Tag analyzer; - double timeout; - void* cookie; - bool deleted; - - static bool compare(const AssignedAnalyzer* a1, const AssignedAnalyzer* a2) - { return a1->timeout > a2->timeout; } -}; - -declare(PDict, AssignedAnalyzer); - -class DPM { -public: - DPM(); - ~DPM(); - - // Setup analyzer config. - void PreScriptInit(); // To be called before scripts are parsed ... - void PostScriptInit(); // ... and after. - - // Given info about the first packet, build initial analyzer tree. - // - // It would be more flexible if we simply pass in the IP header - // and then extract the information we need. However, when this - // method is called from the session management, protocol and ports - // have already been extracted there and it would be a waste to do - // it again. 
- // - // Returns 0 if we can't build a tree (e.g., because the necessary - // analyzers have not been converted to the DPM framework yet...) - - bool BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, - const u_char* data); - - // Schedules a particular analyzer for an upcoming connection. - // 0 acts as a wildcard for orig. (Cookie is currently unused. - // Eventually, we may pass it on to the analyzer). - void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, - TransportProto proto, AnalyzerTag::Tag analyzer, - double timeout, void* cookie); - - // Activates signature matching for protocol detection. (Called when an - // DPM signatures is found.) - void ActivateSigs() { sigs_activated = true; } - bool SigsActivated() const { return sigs_activated; } - - void Done(); - -private: - // Convert script-level config into internal data structures. - void AddConfig(const Analyzer::Config& tag); - - // Return analyzer if any has been scheduled with ExpectConnection() - // AnalyzerTag::::Error if none. - AnalyzerTag::Tag GetExpected(int proto, const Connection* conn); - - // Mappings of destination port to analyzer. - typedef list tag_list; - typedef map analyzer_map; - analyzer_map tcp_ports; - analyzer_map udp_ports; - - // Array of bools indicating whether an analyzer is activated, - // indexed by AnalyzerTag::Tag. - bool* active_analyzers; - - // True if signature-matching has been activated. - bool sigs_activated; - - PDict(AssignedAnalyzer) expected_conns; - - typedef priority_queue< - AssignedAnalyzer*, - vector, - bool (*)(const AssignedAnalyzer*, - const AssignedAnalyzer*)> conn_queue; - conn_queue expected_conns_queue; -}; - -extern DPM* dpm; - -#endif diff --git a/src/Event.cc b/src/Event.cc index 97f29000d6..678c61552c 100644 --- a/src/Event.cc +++ b/src/Event.cc 
@@ -13,7 +13,7 @@ int num_events_queued = 0; int num_events_dispatched = 0; Event::Event(EventHandlerPtr arg_handler, val_list* arg_args, - SourceID arg_src, AnalyzerID arg_aid, TimerMgr* arg_mgr, + SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr, BroObj* arg_obj) { handler = arg_handler; diff --git a/src/Event.h b/src/Event.h index e0ce7bf555..9d0a707cda 100644 --- a/src/Event.h +++ b/src/Event.h @@ -5,14 +5,16 @@ #include "EventRegistry.h" #include "Serializer.h" -#include "AnalyzerTags.h" + +#include "analyzer/Tag.h" +#include "analyzer/Analyzer.h" class EventMgr; class Event : public BroObj { public: Event(EventHandlerPtr handler, val_list* args, - SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0, + SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0); ~Event(); @@ -20,7 +22,7 @@ public: Event* NextEvent() const { return next_event; } SourceID Source() const { return src; } - AnalyzerID Analyzer() const { return aid; } + analyzer::ID Analyzer() const { return aid; } TimerMgr* Mgr() const { return mgr; } void Describe(ODesc* d) const; @@ -62,7 +64,7 @@ protected: EventHandlerPtr handler; val_list* args; SourceID src; - AnalyzerID aid; + analyzer::ID aid; TimerMgr* mgr; BroObj* obj; Event* next_event; @@ -77,7 +79,7 @@ public: ~EventMgr(); void QueueEvent(EventHandlerPtr h, val_list* vl, - SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0, + SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0) { if ( h ) @@ -105,7 +107,7 @@ public: // Returns the ID of the analyzer which raised the last event, or 0 if // non-analyzer event. - AnalyzerID CurrentAnalyzer() const { return current_aid; } + analyzer::ID CurrentAnalyzer() const { return current_aid; } // Returns the timer mgr associated with the last raised event. TimerMgr* CurrentTimerMgr() const { return current_mgr; } 
@@ -124,7 +126,7 @@ protected: Event* head; Event* tail; SourceID current_src; - AnalyzerID current_aid; + analyzer::ID current_aid; TimerMgr* current_mgr; RecordVal* src_val; bool draining; diff --git a/src/EventLauncher.cc b/src/EventLauncher.cc index 246c9dc8aa..cc32efe59e 100644 --- a/src/EventLauncher.cc +++ b/src/EventLauncher.cc @@ -1,6 +1,8 @@ #include "Val.h" -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "EventLauncher.h" #include "Event.h" +#include "NetVar.h" +#include "Conn.h" #include "event.bif.func_def" diff --git a/src/FTP.cc b/src/FTP.cc index 5e7a66e304..5430b9e754 100644 --- a/src/FTP.cc +++ b/src/FTP.cc @@ -12,7 +12,7 @@ #include "Base64.h" FTP_Analyzer::FTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::FTP, conn) +: TCP_ApplicationAnalyzer("FTP", conn) { pending_reply = 0; @@ -176,7 +176,7 @@ void FTP_ADAT_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { // Don't know how to parse anything but the ADAT exchanges of GSI GSSAPI, // which is basically just TLS/SSL. - if ( ! Parent()->GetTag() == AnalyzerTag::SSL ) + if ( ! Parent()->IsAnalyzer("SSL") ) { Parent()->Remove(); return; diff --git a/src/FTP.h b/src/FTP.h index f8d7644808..849b18f50b 100644 --- a/src/FTP.h +++ b/src/FTP.h @@ -13,7 +13,7 @@ public: virtual void Done(); virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new FTP_Analyzer(conn); } @@ -22,8 +22,6 @@ public: protected: - FTP_Analyzer() {} - NVT_Analyzer* nvt_orig; NVT_Analyzer* nvt_resp; uint32 pending_reply; // code associated with multi-line reply, or 0 
@@ -37,10 +35,10 @@ protected: * analyzer just decodes the tokens and passes them on to the parent, which must * be an SSL analyzer instance. */ -class FTP_ADAT_Analyzer : public SupportAnalyzer { +class FTP_ADAT_Analyzer : public analyzer::SupportAnalyzer { public: FTP_ADAT_Analyzer(Connection* conn, bool arg_orig) - : SupportAnalyzer(AnalyzerTag::FTP_ADAT, conn, arg_orig), + : SupportAnalyzer("FTP_ADAT", conn, arg_orig), first_token(true) { } void DeliverStream(int len, const u_char* data, bool orig); diff --git a/src/FileAnalyzer.cc b/src/FileAnalyzer.cc index 172f1aaa1d..9663d51260 100644 --- a/src/FileAnalyzer.cc +++ b/src/FileAnalyzer.cc @@ -8,7 +8,7 @@ magic_t File_Analyzer::magic = 0; magic_t File_Analyzer::magic_mime = 0; File_Analyzer::File_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::File, conn) +: TCP_ApplicationAnalyzer("FILE", conn) { buffer_len = 0; diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h index ac5c783e6b..6edda1646f 100644 --- a/src/FileAnalyzer.h +++ b/src/FileAnalyzer.h @@ -15,14 +15,12 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new File_Analyzer(conn); } static bool Available() { return file_transferred; } protected: - File_Analyzer() {} - void Identify(); static const int BUFFER_SIZE = 1024; diff --git a/src/Finger.cc b/src/Finger.cc index be0f3754b5..35809194d4 100644 --- a/src/Finger.cc +++ b/src/Finger.cc @@ -10,7 +10,7 @@ #include "ContentLine.h" Finger_Analyzer::Finger_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::Finger, conn) +: TCP_ApplicationAnalyzer("FINGER", conn) { did_deliver = 0; content_line_orig = new ContentLine_Analyzer(conn, true); diff --git a/src/Finger.h b/src/Finger.h index 3c61c4ad2a..5de0086dbc 100644 --- a/src/Finger.h +++ b/src/Finger.h 
@@ -16,7 +16,7 @@ public: // Line-based input. virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Finger_Analyzer(conn); } static bool Available() { return finger_request || finger_reply; } diff --git a/src/Func.cc b/src/Func.cc index 02f8dd4f29..cedf729301 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -548,12 +548,14 @@ void builtin_error(const char* msg, BroObj* arg) reporter->Error(msg, arg); } +#include "analyzer.bif.func_h" #include "bro.bif.func_h" #include "logging.bif.func_h" #include "input.bif.func_h" #include "reporter.bif.func_h" #include "strings.bif.func_h" +#include "analyzer.bif.func_def" #include "bro.bif.func_def" #include "logging.bif.func_def" #include "input.bif.func_def" @@ -569,6 +571,7 @@ void init_builtin_funcs() var_sizes = internal_type("var_sizes")->AsTableType(); gap_info = internal_type("gap_info")->AsRecordType(); +#include "analyzer.bif.func_init" #include "bro.bif.func_init" #include "logging.bif.func_init" #include "input.bif.func_init" diff --git a/src/GTPv1.cc b/src/GTPv1.cc index 68b6f30a0c..86a2615690 100644 --- a/src/GTPv1.cc +++ b/src/GTPv1.cc @@ -1,7 +1,7 @@ #include "GTPv1.h" GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn) -: Analyzer(AnalyzerTag::GTPv1, conn) +: Analyzer("GTPV1", conn) { interp = new binpac::GTPv1::GTPv1_Conn(this); } diff --git a/src/GTPv1.h b/src/GTPv1.h index e111158833..e6c2066df0 100644 --- a/src/GTPv1.h +++ b/src/GTPv1.h @@ -3,7 +3,7 @@ #include "gtpv1_pac.h" -class GTPv1_Analyzer : public Analyzer { +class GTPv1_Analyzer : public analyzer::Analyzer { public: GTPv1_Analyzer(Connection* conn); virtual ~GTPv1_Analyzer(); 
@@ -12,7 +12,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new GTPv1_Analyzer(conn); } static bool Available() diff --git a/src/Gnutella.cc b/src/Gnutella.cc index 6b5e901bc5..6c8d4ee3f6 100644 --- a/src/Gnutella.cc +++ b/src/Gnutella.cc @@ -30,7 +30,7 @@ GnutellaMsgState::GnutellaMsgState() Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::Gnutella, conn) +: TCP_ApplicationAnalyzer("GNUTELLA", conn) { state = 0; new_state = 0; @@ -131,13 +131,13 @@ int Gnutella_Analyzer::IsHTTP(string header) if ( HTTP_Analyzer::Available() ) { - Analyzer* a = new HTTP_Analyzer(Conn()); + analyzer::Analyzer* a = new HTTP_Analyzer(Conn()); Parent()->AddChildAnalyzer(a); - if ( Parent()->GetTag() == AnalyzerTag::TCP ) + if ( Parent()->IsAnalyzer("TCP") ) { // Replay buffered data. - PIA* pia = static_cast(Parent())->GetPIA(); + PIA* pia = static_cast(Parent())->GetPIA(); if ( pia ) static_cast(pia)->ReplayStreamBuffer(a); } diff --git a/src/Gnutella.h b/src/Gnutella.h index 455876462d..88a8bcb4c7 100644 --- a/src/Gnutella.h +++ b/src/Gnutella.h @@ -40,7 +40,7 @@ public: virtual void Done (); virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Gnutella_Analyzer(conn); } static bool Available() diff --git a/src/HTTP-binpac.cc b/src/HTTP-binpac.cc index 47b2c479ec..a23ef0043a 100644 --- a/src/HTTP-binpac.cc +++ b/src/HTTP-binpac.cc @@ -2,7 +2,7 @@ #include "TCP_Reassembler.h" HTTP_Analyzer_binpac::HTTP_Analyzer_binpac(Connection *c) -: TCP_ApplicationAnalyzer(AnalyzerTag::HTTP_BINPAC, c) +: TCP_ApplicationAnalyzer("HTTP_BINPAC", c) { interp = new binpac::HTTP::HTTP_Conn(this); } 
diff --git a/src/HTTP-binpac.h b/src/HTTP-binpac.h index ef7cc7dd7d..8f0370afda 100644 --- a/src/HTTP-binpac.h +++ b/src/HTTP-binpac.h @@ -15,7 +15,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new HTTP_Analyzer_binpac(conn); } static bool Available() diff --git a/src/HTTP.cc b/src/HTTP.cc index 7e4079b853..5b49f8844e 100644 --- a/src/HTTP.cc +++ b/src/HTTP.cc @@ -161,7 +161,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF) DeliverBody(len, data, trailing_CRLF); } -class HTTP_Entity::UncompressedOutput : public Analyzer::OutputHandler { +class HTTP_Entity::UncompressedOutput : public analyzer::Analyzer::OutputHandler { public: UncompressedOutput(HTTP_Entity* e) { entity = e; } virtual ~UncompressedOutput() { } @@ -787,7 +787,7 @@ void HTTP_Message::Weird(const char* msg) } HTTP_Analyzer::HTTP_Analyzer(Connection* conn) - : TCP_ApplicationAnalyzer(AnalyzerTag::HTTP, conn) +: TCP_ApplicationAnalyzer("HTTP", conn) { num_requests = num_replies = 0; num_request_lines = num_reply_lines = 0; @@ -1736,7 +1736,7 @@ void escape_URI_char(unsigned char ch, unsigned char*& p) } BroString* unescape_URI(const u_char* line, const u_char* line_end, - Analyzer* analyzer) + analyzer::Analyzer* analyzer) { byte_vec decoded_URI = new u_char[line_end - line + 1]; byte_vec URI_p = decoded_URI; diff --git a/src/HTTP.h b/src/HTTP.h index c9d8ae55d1..e8746e9d52 100644 --- a/src/HTTP.h +++ b/src/HTTP.h @@ -174,7 +174,7 @@ public: virtual void ConnectionReset(); virtual void PacketWithRST(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new HTTP_Analyzer(conn); } static bool Available() 
@@ -252,6 +252,6 @@ extern int is_reserved_URI_char(unsigned char ch); extern int is_unreserved_URI_char(unsigned char ch); extern void escape_URI_char(unsigned char ch, unsigned char*& p); extern BroString* unescape_URI(const u_char* line, const u_char* line_end, - Analyzer* analyzer); + analyzer::Analyzer* analyzer); #endif diff --git a/src/ICMP.cc b/src/ICMP.cc index 5634e3885f..538d25dfc3 100644 --- a/src/ICMP.cc +++ b/src/ICMP.cc @@ -8,19 +8,12 @@ #include "NetVar.h" #include "Event.h" #include "ICMP.h" +#include "Conn.h" #include ICMP_Analyzer::ICMP_Analyzer(Connection* c) -: TransportLayerAnalyzer(AnalyzerTag::ICMP, c) - { - icmp_conn_val = 0; - c->SetInactivityTimeout(icmp_inactivity_timeout); - request_len = reply_len = -1; - } - -ICMP_Analyzer::ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* c) -: TransportLayerAnalyzer(tag, c) +: TransportLayerAnalyzer("ICMP", c) { icmp_conn_val = 0; c->SetInactivityTimeout(icmp_inactivity_timeout); diff --git a/src/ICMP.h b/src/ICMP.h index 1e30b7ff54..fbf61f7993 100644 --- a/src/ICMP.h +++ b/src/ICMP.h @@ -3,7 +3,8 @@ #ifndef icmp_h #define icmp_h -#include "Analyzer.h" +#include "RuleMatcher.h" +#include "analyzer/Analyzer.h" typedef enum { ICMP_INACTIVE, // no packet seen 
@@ -12,20 +13,19 @@ typedef enum { // We do not have an PIA for ICMP (yet) and therefore derive from // RuleMatcherState to perform our own matching. -class ICMP_Analyzer : public TransportLayerAnalyzer { +class ICMP_Analyzer : public analyzer::TransportLayerAnalyzer { public: ICMP_Analyzer(Connection* conn); virtual void UpdateConnVal(RecordVal *conn_val); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ICMP_Analyzer(conn); } static bool Available() { return true; } protected: - ICMP_Analyzer() { } - ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* conn); + ICMP_Analyzer(analyzer::Tag tag, Connection* conn); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, diff --git a/src/IPAddr.cc b/src/IPAddr.cc index 51fb37c4d5..cc52de31ed 100644 --- a/src/IPAddr.cc +++ b/src/IPAddr.cc @@ -5,9 +5,10 @@ #include "IPAddr.h" #include "Reporter.h" #include "Conn.h" -#include "DPM.h" #include "bro_inet_ntop.h" +#include "analyzer/Manager.h" + const uint8_t IPAddr::v4_mapped_prefix[12] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff }; @@ -44,7 +45,7 @@ HashKey* BuildConnIDHashKey(const ConnID& id) return new HashKey(&key, sizeof(key)); } -HashKey* BuildExpectedConnHashKey(const ExpectedConn& c) +HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c) { struct { in6_addr orig; diff --git a/src/IPAddr.h b/src/IPAddr.h index 5ddee70fb8..e79f3aa0a9 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h @@ -14,7 +14,7 @@ #include "threading/SerialTypes.h" struct ConnID; -class ExpectedConn; +namespace analyzer { class ExpectedConn; } typedef in_addr in4_addr; 
@@ -363,7 +363,7 @@ public: void ConvertToThreadingValue(threading::Value::addr_t* v) const; friend HashKey* BuildConnIDHashKey(const ConnID& id); - friend HashKey* BuildExpectedConnHashKey(const ExpectedConn& c); + friend HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c); unsigned int MemoryAllocation() const { return padded_sizeof(*this); } @@ -455,7 +455,7 @@ HashKey* BuildConnIDHashKey(const ConnID& id); /** * Returns a hash key for a given ExpectedConn instance. Passes ownership to caller. */ -HashKey* BuildExpectedConnHashKey(const ExpectedConn& c); +HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c); /** * Class storing both IPv4 and IPv6 prefixes diff --git a/src/IRC.cc b/src/IRC.cc index 1918300ba2..35156ccb40 100644 --- a/src/IRC.cc +++ b/src/IRC.cc @@ -2,15 +2,15 @@ #include #include "IRC.h" -#include "DPM.h" #include "ContentLine.h" #include "NetVar.h" #include "Event.h" #include "ZIP.h" +#include "analyzer/Manager.h" IRC_Analyzer::IRC_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::IRC, conn) +: TCP_ApplicationAnalyzer("IRC", conn) { invalid_msg_count = 0; invalid_msg_max_count = 20; diff --git a/src/IRC.h b/src/IRC.h index 0fe36957de..657532f5f1 100644 --- a/src/IRC.h +++ b/src/IRC.h @@ -30,7 +30,7 @@ public: */ virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new IRC_Analyzer(conn); } diff --git a/src/Ident.cc b/src/Ident.cc index b2e82e5f12..e9ba679b0b 100644 --- a/src/Ident.cc +++ b/src/Ident.cc @@ -9,7 +9,7 @@ #include "Event.h" Ident_Analyzer::Ident_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::Ident, conn) +: TCP_ApplicationAnalyzer("IDENT", conn) { did_bad_reply = did_deliver = 0; diff --git a/src/Ident.h b/src/Ident.h index a848d233e1..e0cf44f5a4 100644 --- a/src/Ident.h +++ b/src/Ident.h 
@@ -13,7 +13,7 @@ public: virtual void DeliverStream(int length, const u_char* data, bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Ident_Analyzer(conn); } static bool Available() diff --git a/src/InterConn.cc b/src/InterConn.cc index 403081181a..65e814a962 100644 --- a/src/InterConn.cc +++ b/src/InterConn.cc @@ -153,7 +153,7 @@ int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const } InterConn_Analyzer::InterConn_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::InterConn, c) +: TCP_ApplicationAnalyzer("INTERCONN", c) { orig_endp = resp_endp = 0; orig_stream_pos = resp_stream_pos = 1; diff --git a/src/InterConn.h b/src/InterConn.h index d9cd10de27..1abec4058b 100644 --- a/src/InterConn.h +++ b/src/InterConn.h @@ -47,7 +47,7 @@ public: virtual void Done(); void StatTimer(double t, int is_expire); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new InterConn_Analyzer(conn); } static bool Available() { return interconn_stats; } diff --git a/src/Login.cc b/src/Login.cc index e626fb3a0a..2eb4900692 100644 --- a/src/Login.cc +++ b/src/Login.cc @@ -20,8 +20,8 @@ static RE_Matcher* re_login_timeouts; static RE_Matcher* init_RE(ListVal* l); -Login_Analyzer::Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn) -: TCP_ApplicationAnalyzer(tag, conn) +Login_Analyzer::Login_Analyzer(const char* name, Connection* conn) +: TCP_ApplicationAnalyzer(name, conn) { state = LOGIN_STATE_AUTHENTICATE; num_user_lines_seen = lines_scanned = 0; diff --git a/src/Login.h b/src/Login.h index b186cc52d2..6337738e7d 100644 --- a/src/Login.h +++ b/src/Login.h 
@@ -21,7 +21,7 @@ typedef enum { class Login_Analyzer : public TCP_ApplicationAnalyzer { public: - Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn); + Login_Analyzer(const char* name, Connection* conn); ~Login_Analyzer(); virtual void DeliverStream(int len, const u_char* data, bool orig); diff --git a/src/MIME.cc b/src/MIME.cc index ce60e74b89..011857ee6e 100644 --- a/src/MIME.cc +++ b/src/MIME.cc @@ -966,7 +966,7 @@ TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist) return t; } -MIME_Mail::MIME_Mail(Analyzer* mail_analyzer, int buf_size) +MIME_Mail::MIME_Mail(analyzer::Analyzer* mail_analyzer, int buf_size) : MIME_Message(mail_analyzer) { analyzer = mail_analyzer; diff --git a/src/MIME.h b/src/MIME.h index 17ac7fde9f..3f8c3281fc 100644 --- a/src/MIME.h +++ b/src/MIME.h @@ -10,7 +10,7 @@ using namespace std; #include "Base64.h" #include "BroString.h" -#include "Analyzer.h" +#include "analyzer/Analyzer.h" // MIME: Multipurpose Internet Mail Extensions // Follows RFC 822 & 2822 (Internet Mail), 2045-2049 (MIME) @@ -178,7 +178,7 @@ protected: class MIME_Message { public: - MIME_Message(Analyzer* arg_analyzer) + MIME_Message(analyzer::Analyzer* arg_analyzer) { // Cannot initialize top_level entity because we do // not know its type yet (MIME_Entity / MIME_Mail / @@ -203,7 +203,7 @@ public: top_level->Deliver(len, data, trailing_CRLF); } - Analyzer* GetAnalyzer() const { return analyzer; } + analyzer::Analyzer* GetAnalyzer() const { return analyzer; } // Events generated by MIME_Entity virtual void BeginEntity(MIME_Entity*) = 0; @@ -215,7 +215,7 @@ public: virtual void SubmitEvent(int event_type, const char* detail) = 0; protected: - Analyzer* analyzer; + analyzer::Analyzer* analyzer; MIME_Entity* top_level; int finished; @@ -226,7 +226,7 @@ protected: class MIME_Mail : public MIME_Message { public: - MIME_Mail(Analyzer* mail_conn, int buf_size = 0); + MIME_Mail(analyzer::Analyzer* mail_conn, int buf_size = 0); ~MIME_Mail(); void Done(); 
diff --git a/src/Modbus.cc b/src/Modbus.cc index 278eb91e57..22772daea0 100644 --- a/src/Modbus.cc +++ b/src/Modbus.cc @@ -3,7 +3,7 @@ #include "TCP_Reassembler.h" ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c) - : TCP_ApplicationAnalyzer(AnalyzerTag::Modbus, c) + : TCP_ApplicationAnalyzer("MODBUS", c) { interp = new binpac::ModbusTCP::ModbusTCP_Conn(this); } diff --git a/src/Modbus.h b/src/Modbus.h index 5e3294d91c..84389b0554 100644 --- a/src/Modbus.h +++ b/src/Modbus.h @@ -15,7 +15,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ModbusTCP_Analyzer(conn); } // Put event names in this function diff --git a/src/NCP.cc b/src/NCP.cc index edd882747c..bdf484cad7 100644 --- a/src/NCP.cc +++ b/src/NCP.cc @@ -17,7 +17,7 @@ using namespace std; uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \ uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8)) -NCP_Session::NCP_Session(Analyzer* a) +NCP_Session::NCP_Session(analyzer::Analyzer* a) : analyzer(a) { req_frame_type = 0; @@ -150,7 +150,7 @@ void NCP_FrameBuffer::compute_msg_length() } Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* arg_session) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_NCP, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) { session = arg_session; resync = true; @@ -215,7 +215,7 @@ void Contents_NCP_Analyzer::Undelivered(int seq, int len, bool orig) } NCP_Analyzer::NCP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::NCP, conn) +: TCP_ApplicationAnalyzer("NCP", conn) { session = new NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); diff --git a/src/NCP.h b/src/NCP.h index 1e783ee3ab..833d030394 100644 --- a/src/NCP.h +++ b/src/NCP.h 
@@ -29,7 +29,7 @@ class NCP_Session { public: - NCP_Session(Analyzer* analyzer); + NCP_Session(analyzer::Analyzer* analyzer); virtual ~NCP_Session() {} virtual void Deliver(int is_orig, int len, const u_char* data); @@ -42,7 +42,7 @@ public: protected: void DeliverFrame(const binpac::NCP::ncp_frame* frame); - Analyzer* analyzer; + analyzer::Analyzer* analyzer; int req_frame_type; int req_func; }; @@ -102,7 +102,7 @@ public: NCP_Analyzer(Connection* conn); virtual ~NCP_Analyzer(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NCP_Analyzer(conn); } static bool Available() { return NCP_Session::any_ncp_event(); } diff --git a/src/NFS.cc b/src/NFS.cc index d64f7755a3..461ac44c4f 100644 --- a/src/NFS.cc +++ b/src/NFS.cc @@ -641,7 +641,7 @@ Val* NFS_Interp::ExtractBool(const u_char*& buf, int& n) NFS_Analyzer::NFS_Analyzer(Connection* conn) - : RPC_Analyzer(AnalyzerTag::NFS, conn, new NFS_Interp(this)) + : RPC_Analyzer("RPC", conn, new NFS_Interp(this)) { orig_rpc = resp_rpc = 0; } diff --git a/src/NFS.h b/src/NFS.h index 6a65143808..ecb89ff7bf 100644 --- a/src/NFS.h +++ b/src/NFS.h @@ -9,7 +9,7 @@ class NFS_Interp : public RPC_Interpreter { public: - NFS_Interp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); @@ -75,7 +75,7 @@ public: NFS_Analyzer(Connection* conn); virtual void Init(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NFS_Analyzer(conn); } static bool Available() diff --git a/src/NTP.cc b/src/NTP.cc index 60b7e6202d..729edee923 100644 --- a/src/NTP.cc +++ b/src/NTP.cc 
@@ -9,7 +9,7 @@ NTP_Analyzer::NTP_Analyzer(Connection* conn) - : Analyzer(AnalyzerTag::NTP, conn) + : Analyzer("NTP", conn) { ADD_ANALYZER_TIMER(&NTP_Analyzer::ExpireTimer, network_time + ntp_session_timeout, 1, diff --git a/src/NTP.h b/src/NTP.h index a22a7b231b..3ae44d4cf7 100644 --- a/src/NTP.h +++ b/src/NTP.h @@ -35,11 +35,11 @@ struct ntpdata { struct l_fixedpt xmt; }; -class NTP_Analyzer : public Analyzer { +class NTP_Analyzer : public analyzer::Analyzer { public: NTP_Analyzer(Connection* conn); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NTP_Analyzer(conn); } static bool Available() { return ntp_message; } diff --git a/src/NVT.cc b/src/NVT.cc index 5ba12ac32a..641ad211e4 100644 --- a/src/NVT.cc +++ b/src/NVT.cc @@ -360,7 +360,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */) NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig) -: ContentLine_Analyzer(AnalyzerTag::NVT, conn, orig) +: ContentLine_Analyzer("NVT", conn, orig) { peer = 0; is_suboption = last_was_IAC = pending_IAC = 0; diff --git a/src/NetVar.cc b/src/NetVar.cc index 248ae15e1a..97bf9fd559 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -208,7 +208,6 @@ TableType* irc_join_list; RecordType* irc_join_info; TableVal* irc_servers; -TableVal* dpd_config; int dpd_reassemble_first_packets; int dpd_buffer_size; int dpd_match_only_beginning; @@ -239,6 +238,7 @@ TableType* record_field_table; StringVal* cmd_line_bpf_filter; +#include "analyzer.bif.netvar_def" #include "const.bif.netvar_def" #include "types.bif.netvar_def" #include "event.bif.netvar_def" 
@@ -512,7 +512,6 @@ void init_net_var() opt_internal_double("remote_trace_sync_interval"); remote_trace_sync_peers = opt_internal_int("remote_trace_sync_peers"); - dpd_config = internal_val("dpd_config")->AsTableVal(); dpd_reassemble_first_packets = opt_internal_int("dpd_reassemble_first_packets"); dpd_buffer_size = opt_internal_int("dpd_buffer_size"); diff --git a/src/NetVar.h b/src/NetVar.h index 2561fa0ad9..6a1103ebb9 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -212,7 +212,6 @@ extern TableType* irc_join_list; extern RecordType* irc_join_info; extern TableVal* irc_servers; -extern TableVal* dpd_config; extern int dpd_reassemble_first_packets; extern int dpd_buffer_size; extern int dpd_match_only_beginning; @@ -249,6 +248,7 @@ extern void init_general_global_var(); extern void init_event_handlers(); extern void init_net_var(); +#include "analyzer.bif.netvar_h" #include "const.bif.netvar_h" #include "types.bif.netvar_h" #include "event.bif.netvar_h" diff --git a/src/NetbiosSSN.cc b/src/NetbiosSSN.cc index 362d974956..fd3a4f6111 100644 --- a/src/NetbiosSSN.cc +++ b/src/NetbiosSSN.cc @@ -43,7 +43,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len) } -NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(Analyzer* arg_analyzer, +NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(analyzer::Analyzer* arg_analyzer, SMB_Session* arg_smb_session) { analyzer = arg_analyzer; @@ -340,7 +340,7 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data, Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig, NetbiosSSN_Interpreter* arg_interp) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_NetbiosSSN, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) { interp = arg_interp; type = flags = msg_size = 0; 
@@ -455,7 +455,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) } NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::NetbiosSSN, conn) +: TCP_ApplicationAnalyzer("NETBIOS", conn) { smb_session = new SMB_Session(this); interp = new NetbiosSSN_Interpreter(this, smb_session); diff --git a/src/NetbiosSSN.h b/src/NetbiosSSN.h index 7c4dd91b90..c3851516a0 100644 --- a/src/NetbiosSSN.h +++ b/src/NetbiosSSN.h @@ -62,7 +62,7 @@ struct NetbiosDGM_RawMsgHdr { class NetbiosSSN_Interpreter { public: - NetbiosSSN_Interpreter(Analyzer* analyzer, SMB_Session* smb_session); + NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer, SMB_Session* smb_session); int ParseMessage(unsigned int type, unsigned int flags, const u_char* data, int len, int is_query); @@ -108,7 +108,7 @@ protected: u_char*& xname, int& xlen); protected: - Analyzer* analyzer; + analyzer::Analyzer* analyzer; SMB_Session* smb_session; }; @@ -157,7 +157,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NetbiosSSN_Analyzer(conn); } static bool Available() diff --git a/src/PIA.cc b/src/PIA.cc index 9adb4ccab3..f2eb633cd4 100644 --- a/src/PIA.cc +++ b/src/PIA.cc @@ -2,7 +2,7 @@ #include "RuleMatcher.h" #include "TCP_Reassembler.h" -PIA::PIA(Analyzer* arg_as_analyzer) +PIA::PIA(analyzer::Analyzer* arg_as_analyzer) { current_packet.data = 0; as_analyzer = arg_as_analyzer; @@ -61,7 +61,7 @@ void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig) AddToBuffer(buffer, -1, len, data, is_orig); } -void PIA::ReplayPacketBuffer(Analyzer* analyzer) +void PIA::ReplayPacketBuffer(analyzer::Analyzer* analyzer) { DBG_LOG(DBG_DPD, "PIA replaying %d total packet bytes", pkt_buffer.size); 
@@ -129,7 +129,7 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol, bol, eol, clear_state); } -void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) +void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) { if ( pkt_buffer.state == MATCHING_ONLY ) { @@ -142,14 +142,14 @@ void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) if ( Parent()->HasChildAnalyzer(tag) ) return; - Analyzer* a = Parent()->AddChildAnalyzer(tag); + analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); a->SetSignature(rule); if ( a ) ReplayPacketBuffer(a); } -void PIA_UDP::DeactivateAnalyzer(AnalyzerTag::Tag tag) +void PIA_UDP::DeactivateAnalyzer(analyzer::Tag tag) { reporter->InternalError("PIA_UDP::Deact not implemented yet"); } @@ -165,7 +165,7 @@ void PIA_TCP::Init() { TCP_ApplicationAnalyzer::Init(); - if ( Parent()->GetTag() == AnalyzerTag::TCP ) + if ( Parent()->IsAnalyzer("TCP") ) { TCP_Analyzer* tcp = static_cast(Parent()); SetTCP(tcp); @@ -262,7 +262,7 @@ void PIA_TCP::Undelivered(int seq, int len, bool is_orig) // No check for buffer overrun here. I think that's ok. } -void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) +void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) { if ( stream_buffer.state == MATCHING_ONLY ) { @@ -275,7 +275,7 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) if ( Parent()->HasChildAnalyzer(tag) ) return; - Analyzer* a = Parent()->AddChildAnalyzer(tag); + analyzer::Analyzer* a = Parent()->AddChildAnalyzer(tag); a->SetSignature(rule); // We have two cases here: 
@@ -305,13 +305,13 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) // (4) We hand the two reassemblers to the TCP Analyzer (our parent), // turning reassembly now on for all subsequent data. - DBG_LOG(DBG_DPD, "DPM_TCP switching from packet-mode to stream-mode"); + DBG_LOG(DBG_DPD, "PIA_TCP switching from packet-mode to stream-mode"); stream_mode = true; // FIXME: The reassembler will query the endpoint for state. Not sure // if this is works in all cases... - if ( Parent()->GetTag() != AnalyzerTag::TCP ) + if ( ! Parent()->IsAnalyzer("TCP") ) { // Our parent is not the TCP analyzer, which can only mean // we have been inserted somewhere further down in the @@ -371,12 +371,12 @@ void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule) tcp->SetReassembler(reass_orig, reass_resp); } -void PIA_TCP::DeactivateAnalyzer(AnalyzerTag::Tag tag) +void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag) { reporter->InternalError("PIA_TCP::Deact not implemented yet"); } -void PIA_TCP::ReplayStreamBuffer(Analyzer* analyzer) +void PIA_TCP::ReplayStreamBuffer(analyzer::Analyzer* analyzer) { DBG_LOG(DBG_DPD, "PIA_TCP replaying %d total stream bytes", stream_buffer.size); diff --git a/src/PIA.h b/src/PIA.h index 907350bbdf..d0521a6885 100644 --- a/src/PIA.h +++ b/src/PIA.h @@ -3,7 +3,7 @@ #ifndef PIA_H #define PIA_H -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "TCP.h" class RuleEndpointState; 
@@ -17,25 +17,25 @@ class RuleEndpointState; // PIAs and then each needs its own matching-state. class PIA : public RuleMatcherState { public: - PIA(Analyzer* as_analyzer); + PIA(analyzer::Analyzer* as_analyzer); virtual ~PIA(); // Called when PIA wants to put an Analyzer in charge. rule is the // signature that triggered the activitation, if any. - virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, + virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule = 0) = 0; // Called when PIA wants to remove an Analyzer. - virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag) = 0; + virtual void DeactivateAnalyzer(analyzer::Tag tag) = 0; void Match(Rule::PatternType type, const u_char* data, int len, bool is_orig, bool bol, bool eol, bool clear_state); - void ReplayPacketBuffer(Analyzer* analyzer); + void ReplayPacketBuffer(analyzer::Analyzer* analyzer); // Children are also derived from Analyzer. Return this object // as pointer to an Analyzer. - Analyzer* AsAnalyzer() { return as_analyzer; } + analyzer::Analyzer* AsAnalyzer() { return as_analyzer; } static bool Available() { return true; } @@ -81,20 +81,20 @@ protected: Buffer pkt_buffer; private: - Analyzer* as_analyzer; + analyzer::Analyzer* as_analyzer; Connection* conn; DataBlock current_packet; }; // PIA for UDP. -class PIA_UDP : public PIA, public Analyzer { +class PIA_UDP : public PIA, public analyzer::Analyzer { public: PIA_UDP(Connection* conn) - : PIA(this), Analyzer(AnalyzerTag::PIA_UDP, conn) + : PIA(this), Analyzer("PIA_UDP", conn) { SetConn(conn); } virtual ~PIA_UDP() { } - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new PIA_UDP(conn); } protected: 
@@ -111,8 +111,8 @@ protected: PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen); } - virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule); - virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag); + virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule); + virtual void DeactivateAnalyzer(analyzer::Tag tag); }; // PIA for TCP. Accepts both packet and stream input (and reassembles @@ -120,7 +120,7 @@ protected: class PIA_TCP : public PIA, public TCP_ApplicationAnalyzer { public: PIA_TCP(Connection* conn) - : PIA(this), TCP_ApplicationAnalyzer(AnalyzerTag::PIA_TCP, conn) + : PIA(this), TCP_ApplicationAnalyzer("PIA_TCP", conn) { stream_mode = false; SetConn(conn); } virtual ~PIA_TCP(); @@ -137,9 +137,9 @@ public: // to be unnecessary overhead.) void FirstPacket(bool is_orig, const IP_Hdr* ip); - void ReplayStreamBuffer(Analyzer* analyzer); + void ReplayStreamBuffer(analyzer::Analyzer* analyzer); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new PIA_TCP(conn); } protected: @@ -159,9 +159,9 @@ protected: virtual void DeliverStream(int len, const u_char* data, bool is_orig); virtual void Undelivered(int seq, int len, bool is_orig); - virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, + virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule = 0); - virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag); + virtual void DeactivateAnalyzer(analyzer::Tag tag); private: // FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer. diff --git a/src/POP3.cc b/src/POP3.cc index 3075e76507..697dc0434e 100644 --- a/src/POP3.cc +++ b/src/POP3.cc @@ -26,7 +26,7 @@ static const char* pop3_cmd_word[] = { POP3_Analyzer::POP3_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::POP3, conn) +: TCP_ApplicationAnalyzer("POP3", conn) { masterState = POP3_START; subState = POP3_WOK; 
diff --git a/src/POP3.h b/src/POP3.h index 8d09d5e686..bab2737fca 100644 --- a/src/POP3.h +++ b/src/POP3.h @@ -68,7 +68,7 @@ public: virtual void Done(); virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new POP3_Analyzer(conn); } diff --git a/src/Portmap.cc b/src/Portmap.cc index dd1049a361..9bebd0f8a6 100644 --- a/src/Portmap.cc +++ b/src/Portmap.cc @@ -300,7 +300,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu } Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn) -: RPC_Analyzer(AnalyzerTag::Portmapper, conn, new PortmapperInterp(this)) +: RPC_Analyzer("PORTMAPPER", conn, new PortmapperInterp(this)) { orig_rpc = resp_rpc = 0; } diff --git a/src/Portmap.h b/src/Portmap.h index 62e954bc80..1a98537153 100644 --- a/src/Portmap.h +++ b/src/Portmap.h @@ -7,7 +7,7 @@ class PortmapperInterp : public RPC_Interpreter { public: - PortmapperInterp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); @@ -29,7 +29,7 @@ public: virtual ~Portmapper_Analyzer(); virtual void Init(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Portmapper_Analyzer(conn); } static bool Available() diff --git a/src/RPC.cc b/src/RPC.cc index 81fd6709b1..2dd11c215e 100644 --- a/src/RPC.cc +++ b/src/RPC.cc @@ -66,7 +66,7 @@ void rpc_callinfo_delete_func(void* v) delete (RPC_CallInfo*) v; } -RPC_Interpreter::RPC_Interpreter(Analyzer* arg_analyzer) +RPC_Interpreter::RPC_Interpreter(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; calls.SetDeleteFunc(rpc_callinfo_delete_func); 
@@ -373,7 +373,7 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len) Contents_RPC::Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* arg_interp) - : TCP_SupportAnalyzer(AnalyzerTag::Contents_RPC, conn, orig) + : TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) { interp = arg_interp; state = WAIT_FOR_MESSAGE; @@ -673,9 +673,9 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) } // end while } -RPC_Analyzer::RPC_Analyzer(AnalyzerTag::Tag tag, Connection* conn, +RPC_Analyzer::RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp) -: TCP_ApplicationAnalyzer(tag, conn) +: TCP_ApplicationAnalyzer(name, conn) { interp = arg_interp; diff --git a/src/RPC.h b/src/RPC.h index 0eee423460..960b9c744a 100644 --- a/src/RPC.h +++ b/src/RPC.h @@ -92,7 +92,7 @@ declare(PDict,RPC_CallInfo); class RPC_Interpreter { public: - RPC_Interpreter(Analyzer* analyzer); + RPC_Interpreter(analyzer::Analyzer* analyzer); virtual ~RPC_Interpreter(); // Delivers the given RPC. Returns true if "len" bytes were @@ -115,7 +115,7 @@ protected: void Weird(const char* name); PDict(RPC_CallInfo) calls; - Analyzer* analyzer; + analyzer::Analyzer* analyzer; }; @@ -224,7 +224,7 @@ protected: class RPC_Analyzer : public TCP_ApplicationAnalyzer { public: - RPC_Analyzer(AnalyzerTag::Tag tag, Connection* conn, + RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp); virtual ~RPC_Analyzer(); diff --git a/src/RSH.cc b/src/RSH.cc index ceef3ba7a4..09d403fe59 100644 --- a/src/RSH.cc +++ b/src/RSH.cc @@ -11,7 +11,7 @@ Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* arg_analyzer) -: ContentLine_Analyzer(AnalyzerTag::Contents_Rsh, conn, orig) +: ContentLine_Analyzer("CONTENTS_RSH", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; 
@@ -138,7 +138,7 @@ void Contents_Rsh_Analyzer::BadProlog() } Rsh_Analyzer::Rsh_Analyzer(Connection* conn) -: Login_Analyzer(AnalyzerTag::Rsh, conn) +: Login_Analyzer("RSH", conn) { contents_orig = new Contents_Rsh_Analyzer(conn, true, this); contents_resp = new Contents_Rsh_Analyzer(conn, false, this); diff --git a/src/RSH.h b/src/RSH.h index 136d0b07f1..31e5fe683f 100644 --- a/src/RSH.h +++ b/src/RSH.h @@ -47,7 +47,7 @@ public: void ClientUserName(const char* s); void ServerUserName(const char* s); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Rsh_Analyzer(conn); } static bool Available() diff --git a/src/Rlogin.cc b/src/Rlogin.cc index 1ad3f16d7e..b09e24d2cb 100644 --- a/src/Rlogin.cc +++ b/src/Rlogin.cc @@ -8,7 +8,7 @@ Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer) -: ContentLine_Analyzer(AnalyzerTag::Contents_Rlogin, conn, orig) +: ContentLine_Analyzer("CONTENTLINE", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; @@ -204,7 +204,7 @@ void Contents_Rlogin_Analyzer::BadProlog() Rlogin_Analyzer::Rlogin_Analyzer(Connection* conn) -: Login_Analyzer(AnalyzerTag::Rlogin, conn) +: Login_Analyzer("RLOGIN", conn) { Contents_Rlogin_Analyzer* orig = new Contents_Rlogin_Analyzer(conn, true, this); diff --git a/src/Rlogin.h b/src/Rlogin.h index f8ad480630..04486e4262 100644 --- a/src/Rlogin.h +++ b/src/Rlogin.h @@ -60,7 +60,7 @@ public: void ServerUserName(const char* s); void TerminalType(const char* s); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Rlogin_Analyzer(conn); } static bool Available() diff --git a/src/RuleAction.cc b/src/RuleAction.cc index bf90c0681e..808bead3d8 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc 
@@ -8,9 +8,10 @@ using std::string; #include "Conn.h" #include "Event.h" #include "NetVar.h" -#include "DPM.h" #include "PIA.h" +#include "analyzer/Manager.h" + void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { @@ -34,42 +35,42 @@ void RuleActionEvent::PrintDebug() fprintf(stderr, " RuleActionEvent: |%s|\n", msg); } -RuleActionDPM::RuleActionDPM(const char* arg_analyzer) +RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer) { string str(arg_analyzer); string::size_type pos = str.find(':'); string arg = str.substr(0, pos); - analyzer = Analyzer::GetTag(arg.c_str()); + analyzer = analyzer_mgr->GetAnalyzerTag(arg); if ( pos != string::npos ) { arg = str.substr(pos + 1); - child_analyzer = Analyzer::GetTag(arg.c_str()); + child_analyzer = analyzer_mgr->GetAnalyzerTag(arg); } else - child_analyzer = AnalyzerTag::Error; + child_analyzer = analyzer::Tag::ERROR; - if ( analyzer != AnalyzerTag::Error ) - dpm->ActivateSigs(); + if ( analyzer != analyzer::Tag::ERROR ) + analyzer_mgr->ActivateSigs(); } -void RuleActionDPM::PrintDebug() +void RuleActionAnalyzer::PrintDebug() { - if ( child_analyzer == AnalyzerTag::Error ) - fprintf(stderr, "|%s|\n", Analyzer::GetTagName(analyzer)); + if ( child_analyzer == analyzer::Tag::ERROR ) + fprintf(stderr, "|%s|\n", analyzer_mgr->GetAnalyzerName(analyzer).c_str()); else fprintf(stderr, "|%s:%s|\n", - Analyzer::GetTagName(analyzer), - Analyzer::GetTagName(child_analyzer)); + analyzer_mgr->GetAnalyzerName(analyzer).c_str(), + analyzer_mgr->GetAnalyzerName(child_analyzer).c_str()); } void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { - if ( ChildAnalyzer() == AnalyzerTag::Error ) + if ( ChildAnalyzer() == analyzer::Tag::ERROR ) { - if ( ! Analyzer::IsAvailable(Analyzer()) ) + if ( ! analyzer_mgr->IsEnabled(Analyzer()) ) return; if ( state->PIA() ) 
@@ -77,7 +78,7 @@ void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state, } else { - if ( ! Analyzer::IsAvailable(ChildAnalyzer()) ) + if ( ! analyzer_mgr->IsEnabled(ChildAnalyzer()) ) return; // This is ugly and works only if there exists only one @@ -90,13 +91,13 @@ void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state, void RuleActionEnable::PrintDebug() { fprintf(stderr, " RuleActionEnable: "); - RuleActionDPM::PrintDebug(); + RuleActionAnalyzer::PrintDebug(); } void RuleActionDisable::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { - if ( ChildAnalyzer() == AnalyzerTag::Error ) + if ( ChildAnalyzer() == analyzer::Tag::ERROR ) { if ( state->PIA() ) state->PIA()->DeactivateAnalyzer(Analyzer()); @@ -109,5 +110,5 @@ void RuleActionDisable::DoAction(const Rule* parent, RuleEndpointState* state, void RuleActionDisable::PrintDebug() { fprintf(stderr, " RuleActionDisable: "); - RuleActionDPM::PrintDebug(); + RuleActionAnalyzer::PrintDebug(); } diff --git a/src/RuleAction.h b/src/RuleAction.h index a9feb0c314..f4c2ae4cfa 100644 --- a/src/RuleAction.h +++ b/src/RuleAction.h @@ -1,11 +1,12 @@ #ifndef ruleaction_h #define ruleaction_h -#include "AnalyzerTags.h" #include "BroString.h" #include "List.h" #include "util.h" +#include "analyzer/tag.h" + class Rule; class RuleEndpointState; 
@@ -35,29 +36,29 @@ private: const char* msg; }; -// Base class for DPM enable/disable actions. -class RuleActionDPM : public RuleAction { +// Base class for enable/disable actions. +class RuleActionAnalyzer : public RuleAction { public: - RuleActionDPM(const char* analyzer); + RuleActionAnalyzer(const char* analyzer); virtual void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) = 0; virtual void PrintDebug(); - AnalyzerTag::Tag Analyzer() const { return analyzer; } - AnalyzerTag::Tag ChildAnalyzer() const { return child_analyzer; } + analyzer::Tag Analyzer() const { return analyzer; } + analyzer::Tag ChildAnalyzer() const { return child_analyzer; } private: - // FIXME: This is in fact an AnalyzerID but we can't include "Analyzer.h" + // FIXME: This is in fact an analyzer::ID but we can't include "analyzer/Analyzer.h" // at this point due to circular dependenides. Fix that! - AnalyzerTag::Tag analyzer; - AnalyzerTag::Tag child_analyzer; + analyzer::Tag analyzer; + analyzer::Tag child_analyzer; }; -class RuleActionEnable : public RuleActionDPM { +class RuleActionEnable : public RuleActionAnalyzer { public: - RuleActionEnable(const char* analyzer) : RuleActionDPM(analyzer) {} + RuleActionEnable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} virtual void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len); @@ -65,9 +66,9 @@ public: virtual void PrintDebug(); }; -class RuleActionDisable : public RuleActionDPM { +class RuleActionDisable : public RuleActionAnalyzer { public: - RuleActionDisable(const char* analyzer) : RuleActionDPM(analyzer) {} + RuleActionDisable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} virtual void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len); diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index 410f6a1b3e..b31976711c 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc 
@@ -18,9 +18,9 @@ static inline bool is_established(const TCP_Endpoint* e) bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state, const u_char* data, int len) { - Analyzer* root = state->GetAnalyzer()->Conn()->GetRootAnalyzer(); + analyzer::Analyzer* root = state->GetAnalyzer()->Conn()->GetRootAnalyzer(); - if ( ! root || root->GetTag() != AnalyzerTag::TCP ) + if ( ! root || ! root->IsAnalyzer("TCP") ) return false; TCP_Analyzer* ta = static_cast(root); diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index c71f86108a..4c69576524 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -3,7 +3,7 @@ #include "config.h" -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "RuleMatcher.h" #include "DFA.h" #include "NetVar.h" @@ -159,7 +159,7 @@ void RuleHdrTest::PrintDebug() fprintf(stderr, "\n"); } -RuleEndpointState::RuleEndpointState(Analyzer* arg_analyzer, bool arg_is_orig, +RuleEndpointState::RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, RuleEndpointState* arg_opposite, ::PIA* arg_PIA) { @@ -562,7 +562,7 @@ static inline bool compare(const vector& prefixes, const IPAddr& a, return false; } -RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer, +RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, RuleEndpointState* opposite, bool from_orig, PIA* pia) @@ -1300,7 +1300,7 @@ uint32 id_to_uint(const char* id) return 0; } -void RuleMatcherState::InitEndpointMatcher(Analyzer* analyzer, const IP_Hdr* ip, +void RuleMatcherState::InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, bool from_orig, PIA* pia) { if ( ! rule_matcher ) diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index b8895513b4..1b2756594d 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h 
@@ -35,7 +35,7 @@ extern const char* current_rule_file; class RuleMatcher; extern RuleMatcher* rule_matcher; -class Analyzer; +namespace analyzer { class Analyzer; } class PIA; // RuleHdrTest and associated things: @@ -140,7 +140,7 @@ class RuleEndpointState { public: ~RuleEndpointState(); - Analyzer* GetAnalyzer() const { return analyzer; } + analyzer::Analyzer* GetAnalyzer() const { return analyzer; } bool IsOrig() { return is_orig; } // For flipping roles. @@ -159,7 +159,7 @@ private: // Constructor is private; use RuleMatcher::InitEndpoint() // for creating an instance. - RuleEndpointState(Analyzer* arg_analyzer, bool arg_is_orig, + RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, RuleEndpointState* arg_opposite, ::PIA* arg_PIA); struct Matcher { @@ -171,7 +171,7 @@ private: typedef PList(Matcher) matcher_list; bool is_orig; - Analyzer* analyzer; + analyzer::Analyzer* analyzer; RuleEndpointState* opposite; ::PIA* pia; @@ -207,7 +207,7 @@ public: // the given packet (which should be the first packet encountered for // this endpoint). If the matching is triggered by an PIA, a pointer to // it needs to be given. - RuleEndpointState* InitEndpoint(Analyzer* analyzer, const IP_Hdr* ip, + RuleEndpointState* InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, RuleEndpointState* opposite, bool is_orig, PIA* pia); // Finish matching for this stream. @@ -310,7 +310,7 @@ public: { delete orig_match_state; delete resp_match_state; } // ip may be nil. - void InitEndpointMatcher(Analyzer* analyzer, const IP_Hdr* ip, + void InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, bool from_orig, PIA* pia = 0); // bol/eol should be set to false for type Rule::PAYLOAD; they're diff --git a/src/SMB.cc b/src/SMB.cc index a06707328a..24cbf2dc1a 100644 --- a/src/SMB.cc +++ b/src/SMB.cc 
@@ -93,7 +93,7 @@ static int lookup_IPC_name(BroString* name) return IPC_NONE; } -SMB_Session::SMB_Session(Analyzer* arg_analyzer) +SMB_Session::SMB_Session(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; dce_rpc_session = 0; @@ -1104,7 +1104,7 @@ bool SMB_Session::CheckRPC(int is_orig, int data_count, const u_char *data) } Contents_SMB::Contents_SMB(Connection* conn, bool orig, SMB_Session* s) -: TCP_SupportAnalyzer(AnalyzerTag::Contents_SMB, conn, orig) +: TCP_SupportAnalyzer("CONTENTS_SMB", conn, orig) { smb_session = s; msg_buf = 0; @@ -1221,7 +1221,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig) } SMB_Analyzer::SMB_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::SMB, conn) +: TCP_ApplicationAnalyzer("SMB", conn) { smb_session = new SMB_Session(this); o_smb = new Contents_SMB(conn, true, smb_session); diff --git a/src/SMB.h b/src/SMB.h index f7287efb79..23af04720e 100644 --- a/src/SMB.h +++ b/src/SMB.h @@ -39,7 +39,7 @@ protected: class SMB_Session { public: - SMB_Session(Analyzer* analyzer); + SMB_Session(analyzer::Analyzer* analyzer); ~SMB_Session(); void Deliver(int is_orig, int len, const u_char* msg); @@ -158,7 +158,7 @@ protected: Val* BuildTransactionVal(binpac::SMB::SMB_transaction_response const &trans); Val* BuildTransactionDataVal(binpac::SMB::SMB_transaction_data* data); - Analyzer* analyzer; + analyzer::Analyzer* analyzer; DCE_RPC_Session* dce_rpc_session; enum IPC_named_pipe IPC_pipe; int is_IPC; @@ -195,7 +195,7 @@ public: SMB_Analyzer(Connection* conn); ~SMB_Analyzer(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SMB_Analyzer(conn); } static bool Available() diff --git a/src/SMTP.cc b/src/SMTP.cc index 85a3bc79dc..16be4480dc 100644 --- a/src/SMTP.cc +++ b/src/SMTP.cc 
@@ -21,7 +21,7 @@ static const char* smtp_cmd_word[] = { SMTP_Analyzer::SMTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::SMTP, conn) +: TCP_ApplicationAnalyzer("SMTP", conn) { expect_sender = 0; expect_recver = 1; diff --git a/src/SMTP.h b/src/SMTP.h index 5b15dc44c0..563b99cc32 100644 --- a/src/SMTP.h +++ b/src/SMTP.h @@ -47,7 +47,7 @@ public: void SkipData() { skip_data = 1; } // skip delivery of data lines - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SMTP_Analyzer(conn); } diff --git a/src/SOCKS.cc b/src/SOCKS.cc index 4a6eda7043..0157c19cd7 100644 --- a/src/SOCKS.cc +++ b/src/SOCKS.cc @@ -3,7 +3,7 @@ #include "TCP_Reassembler.h" SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer(AnalyzerTag::SOCKS, conn) +: TCP_ApplicationAnalyzer("SOCKS", conn) { interp = new binpac::SOCKS::SOCKS_Conn(this); orig_done = resp_done = false; diff --git a/src/SOCKS.h b/src/SOCKS.h index 9753abb660..9557dc761d 100644 --- a/src/SOCKS.h +++ b/src/SOCKS.h @@ -25,7 +25,7 @@ public: virtual void Undelivered(int seq, int len, bool orig); virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SOCKS_Analyzer(conn); } static bool Available() diff --git a/src/SSH.cc b/src/SSH.cc index 3a8f468ae4..0bb710ac2f 100644 --- a/src/SSH.cc +++ b/src/SSH.cc @@ -10,7 +10,7 @@ #include "ContentLine.h" SSH_Analyzer::SSH_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::SSH, c) +: TCP_ApplicationAnalyzer("SSH", c) { orig = new ContentLine_Analyzer(c, true); orig->SetSkipPartial(true); diff --git a/src/SSH.h b/src/SSH.h index ccdcd76929..0d3fa4d6e6 100644 --- a/src/SSH.h +++ b/src/SSH.h 
@@ -12,7 +12,7 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SSH_Analyzer(conn); } static bool Available() diff --git a/src/SSL.cc b/src/SSL.cc index 4658bbbc16..7dd2e0525a 100644 --- a/src/SSL.cc +++ b/src/SSL.cc @@ -4,7 +4,7 @@ #include "util.h" SSL_Analyzer::SSL_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::SSL, c) +: TCP_ApplicationAnalyzer("SSL", c) { interp = new binpac::SSL::SSL_Conn(this); had_gap = false; diff --git a/src/SSL.h b/src/SSL.h index d0ef164877..ee2148450f 100644 --- a/src/SSL.h +++ b/src/SSL.h @@ -17,7 +17,7 @@ public: // Overriden from TCP_ApplicationAnalyzer. virtual void EndpointEOF(bool is_orig); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SSL_Analyzer(conn); } static bool Available() diff --git a/src/Sessions.cc b/src/Sessions.cc index 2e5a6ded30..f18d12ef90 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -27,11 +27,12 @@ #include "InterConn.h" #include "Discard.h" #include "RuleMatcher.h" -#include "DPM.h" #include "PacketSort.h" #include "TunnelEncapsulation.h" +#include "analyzer/Manager.h" + // These represent NetBIOS services on ephemeral ports. They're numbered // so that we can use a single int to hold either an actual TCP/UDP server // port or one of these. @@ -967,7 +968,7 @@ void NetSessions::Remove(Connection* c) TCP_Analyzer* ta = (TCP_Analyzer*) c->GetRootAnalyzer(); if ( ta && c->ConnTransport() == TRANSPORT_TCP ) { - assert(ta->GetTag() == AnalyzerTag::TCP); + assert(ta->IsAnalyzer("TCP")); TCP_Endpoint* to = ta->Orig(); TCP_Endpoint* tr = ta->Resp(); 
@@ -1178,7 +1179,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, Connection* conn = new Connection(this, k, t, id, flow_label, encapsulation); conn->SetTransport(tproto); - dpm->BuildInitialAnalyzerTree(tproto, conn, data); + analyzer_mgr->BuildInitialAnalyzerTree(tproto, conn, data); bool external = conn->IsExternal(); diff --git a/src/SteppingStone.cc b/src/SteppingStone.cc index 32850d82c6..1809b4abef 100644 --- a/src/SteppingStone.cc +++ b/src/SteppingStone.cc @@ -157,7 +157,7 @@ void SteppingStoneEndpoint::CreateEndpEvent(int is_orig) } SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::SteppingStone, c) +: TCP_ApplicationAnalyzer("STEPPINGSTONE", c) { stp_manager = sessions->GetSTPManager(); diff --git a/src/SteppingStone.h b/src/SteppingStone.h index a47b268c83..aab411a46d 100644 --- a/src/SteppingStone.h +++ b/src/SteppingStone.h @@ -51,7 +51,7 @@ public: virtual void Init(); virtual void Done(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SteppingStone_Analyzer(conn); } static bool Available() { return stp_correlate_pair; } diff --git a/src/Syslog-binpac.cc b/src/Syslog-binpac.cc index c8697d0f3f..37449004c7 100644 --- a/src/Syslog-binpac.cc +++ b/src/Syslog-binpac.cc @@ -2,7 +2,7 @@ #include "TCP_Reassembler.h" Syslog_Analyzer_binpac::Syslog_Analyzer_binpac(Connection* conn) -: Analyzer(AnalyzerTag::SYSLOG_BINPAC, conn) +: Analyzer("SYSLOG_BINPAC", conn) { interp = new binpac::Syslog::Syslog_Conn(this); did_session_done = 0; @@ -45,7 +45,7 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // } //Syslog_TCP_Analyzer_binpac::Syslog_TCP_Analyzer_binpac(Connection* conn) -//: TCP_ApplicationAnalyzer(AnalyzerTag::Syslog_TCP_BINPAC, conn) +//: TCP_ApplicationAnalyzer(conn) // { // interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); // } 
diff --git a/src/Syslog-binpac.h b/src/Syslog-binpac.h index fcd75edf0e..85caf5aaa4 100644 --- a/src/Syslog-binpac.h +++ b/src/Syslog-binpac.h @@ -6,7 +6,7 @@ #include "syslog_pac.h" -class Syslog_Analyzer_binpac : public Analyzer { +class Syslog_Analyzer_binpac : public analyzer::Analyzer { public: Syslog_Analyzer_binpac(Connection* conn); virtual ~Syslog_Analyzer_binpac(); @@ -15,7 +15,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Syslog_Analyzer_binpac(conn); } static bool Available() @@ -42,7 +42,7 @@ protected: // virtual void Undelivered(int seq, int len, bool orig); // virtual void EndpointEOF(TCP_Reassembler* endp); // -// static Analyzer* InstantiateAnalyzer(Connection* conn) +// static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) // { return new Syslog_TCP_Analyzer_binpac(conn); } // // static bool Available() diff --git a/src/TCP.cc b/src/TCP.cc index da977d8157..feb21c3271 100644 --- a/src/TCP.cc +++ b/src/TCP.cc @@ -32,7 +32,7 @@ static const int ORIG = 1; static const int RESP = 2; TCP_Analyzer::TCP_Analyzer(Connection* conn) -: TransportLayerAnalyzer(AnalyzerTag::TCP, conn) +: TransportLayerAnalyzer("TCP", conn) { // Set a timer to eventually time out this connection. ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer, @@ -1551,6 +1551,10 @@ void TCP_Analyzer::DeleteTimer(double /* t */) sessions->Remove(Conn()); } +void TCP_Analyzer::ConnDeleteTimer(double t) + { + Conn()->DeleteTimer(t); + } // The following need to be consistent with bro.init. #define CONTENTS_NONE 0 @@ -1847,7 +1851,7 @@ void TCP_ApplicationAnalyzer::Init() { Analyzer::Init(); - if ( Parent()->GetTag() == AnalyzerTag::TCP ) + if ( Parent()->IsAnalyzer("TCP") ) SetTCP(static_cast(Parent())); } 
@@ -1883,7 +1887,7 @@ void TCP_ApplicationAnalyzer::SetEnv(bool /* is_orig */, char* name, char* val) void TCP_ApplicationAnalyzer::EndpointEOF(bool is_orig) { - SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters; + analyzer::SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters; for ( ; sa; sa = sa->Sibling() ) static_cast(sa)->EndpointEOF(is_orig); } @@ -1891,7 +1895,7 @@ void TCP_ApplicationAnalyzer::EndpointEOF(bool is_orig) void TCP_ApplicationAnalyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer, int gen_event) { - SupportAnalyzer* sa = + analyzer::SupportAnalyzer* sa = endpoint->IsOrig() ? orig_supporters : resp_supporters; for ( ; sa; sa = sa->Sibling() ) 
@@ -1901,30 +1905,30 @@ void TCP_ApplicationAnalyzer::ConnectionClosed(TCP_Endpoint* endpoint, void TCP_ApplicationAnalyzer::ConnectionFinished(int half_finished) { - for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa) ->ConnectionFinished(half_finished); - for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa) ->ConnectionFinished(half_finished); } void TCP_ApplicationAnalyzer::ConnectionReset() { - for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->ConnectionReset(); - for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->ConnectionReset(); } void TCP_ApplicationAnalyzer::PacketWithRST() { - for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->PacketWithRST(); - for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) + for ( analyzer::SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() ) static_cast(sa)->PacketWithRST(); } @@ -2060,7 +2064,7 @@ RecordVal* TCPStats_Endpoint::BuildStats() } TCPStats_Analyzer::TCPStats_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer(AnalyzerTag::TCPStats, c) +: TCP_ApplicationAnalyzer("TCPSTATS", c) { } diff --git a/src/TCP.h b/src/TCP.h index 635fda7960..93c008af58 100644 --- a/src/TCP.h +++ b/src/TCP.h 
@@ -3,10 +3,12 @@ #ifndef TCP_H #define TCP_H -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "TCP.h" #include "PacketDumper.h" #include "IPAddr.h" +#include "TCP_Endpoint.h" +#include "Conn.h" // We define two classes here: // - TCP_Analyzer is the analyzer for the TCP protocol itself. @@ -16,6 +18,7 @@ class PIA_TCP; class TCP_ApplicationAnalyzer; class TCP_Reassembler; +class TCP_Endpoint; class TCP_Flags { public: @@ -32,7 +35,7 @@ protected: u_char flags; }; -class TCP_Analyzer : public TransportLayerAnalyzer { +class TCP_Analyzer : public analyzer::TransportLayerAnalyzer { public: TCP_Analyzer(Connection* conn); virtual ~TCP_Analyzer(); @@ -41,7 +44,7 @@ public: // Add a child analyzer that will always get the packets, // independently of whether we do any reassembly. - void AddChildPacketAnalyzer(Analyzer* a) + void AddChildPacketAnalyzer(analyzer::Analyzer* a) { packet_children.push_back(a); a->SetParent(this); } // True if the connection has closed in some sense, false otherwise. @@ -85,7 +88,7 @@ public: proc_tcp_option_t proc, TCP_Analyzer* analyzer, bool is_orig, void* cookie); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new TCP_Analyzer(conn); } static bool Available() { return true; } @@ -213,7 +216,7 @@ protected: void ExpireTimer(double t); void ResetTimer(double t); void DeleteTimer(double t); - void ConnDeleteTimer(double t) { Conn()->DeleteTimer(t); } + void ConnDeleteTimer(double t); void EndpointEOF(TCP_Reassembler* endp); void ConnectionClosed(TCP_Endpoint* endpoint, @@ -240,6 +243,7 @@ private: TCP_Endpoint* orig; TCP_Endpoint* resp; + typedef list analyzer_list; analyzer_list packet_children; unsigned int first_packet_seen: 2; 
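Review bot: the `typedef list analyzer_list;` added to TCP_Analyzer's private section in the last TCP.h hunk duplicates the `analyzer::analyzer_list` typedef that analyzer/Analyzer.h now provides (and that the LOOP_OVER_* macros were rewritten to use); a second, class-scoped type with the same name invites shadowing confusion, so prefer `analyzer::analyzer_list packet_children;` and drop the typedef. In the same file, the first hunk adds `#include "TCP_Endpoint.h"` and a later hunk adds `class TCP_Endpoint;`; one of the two is redundant, so keep whichever TCP.h actually needs (the forward declaration if only pointers are used, as TCP_Reassembler.h does) and remove the other.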
@@ -259,10 +263,10 @@ private: unsigned int seen_first_ACK: 1; }; -class TCP_ApplicationAnalyzer : public Analyzer { +class TCP_ApplicationAnalyzer : public analyzer::Analyzer { public: - TCP_ApplicationAnalyzer(AnalyzerTag::Tag tag, Connection* conn) - : Analyzer(tag, conn) + TCP_ApplicationAnalyzer(const char* name, Connection* conn) + : Analyzer(name, conn) { tcp = 0; } virtual ~TCP_ApplicationAnalyzer() { } @@ -273,8 +277,7 @@ public: { return tcp ? tcp : - static_cast( - Conn()->FindAnalyzer(AnalyzerTag::TCP)); + static_cast(Conn()->FindAnalyzer("TCP")); } void SetTCP(TCP_Analyzer* arg_tcp) { tcp = arg_tcp; } @@ -308,17 +311,14 @@ public: // delete them when done with them. virtual void SetEnv(bool orig, char* name, char* val); -protected: - TCP_ApplicationAnalyzer() { }; - private: TCP_Analyzer* tcp; }; -class TCP_SupportAnalyzer : public SupportAnalyzer { +class TCP_SupportAnalyzer : public analyzer::SupportAnalyzer { public: - TCP_SupportAnalyzer(AnalyzerTag::Tag tag, Connection* conn, bool arg_orig) - : SupportAnalyzer(tag, conn, arg_orig) { } + TCP_SupportAnalyzer(const char* name, Connection* conn, bool arg_orig) + : analyzer::SupportAnalyzer(name, conn, arg_orig) { } virtual ~TCP_SupportAnalyzer() {} @@ -362,7 +362,7 @@ public: virtual void Init(); virtual void Done(); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new TCPStats_Analyzer(conn); } static bool Available() { return conn_stats || tcp_rexmit; } diff --git a/src/TCP_Reassembler.cc b/src/TCP_Reassembler.cc index eb2709373c..a9c25781c4 100644 --- a/src/TCP_Reassembler.cc +++ b/src/TCP_Reassembler.cc @@ -1,6 +1,6 @@ #include -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "TCP_Reassembler.h" #include "TCP.h" #include "TCP_Endpoint.h" 
@@ -25,7 +25,7 @@ static uint64 last_ack_bytes = 0; static uint64 last_gap_events = 0; static uint64 last_gap_bytes = 0; -TCP_Reassembler::TCP_Reassembler(Analyzer* arg_dst_analyzer, +TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, TCP_Reassembler::Type arg_type, bool arg_is_orig, TCP_Endpoint* arg_endp) diff --git a/src/TCP_Reassembler.h b/src/TCP_Reassembler.h index cb1750e2a2..410aa7cbbc 100644 --- a/src/TCP_Reassembler.h +++ b/src/TCP_Reassembler.h @@ -14,7 +14,7 @@ class BroFile; class Connection; class TCP_Analyzer; -class Analyzer; +namespace analyzer { class Analyzer; } const int STOP_ON_GAP = 1; const int PUNT_ON_PARTIAL = 1; @@ -26,7 +26,7 @@ public: Forward, // forward to destination analyzer's children }; - TCP_Reassembler(Analyzer* arg_dst_analyzer, + TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, Type arg_type, bool arg_is_orig, TCP_Endpoint* arg_endp); @@ -34,7 +34,7 @@ public: void Done(); - void SetDstAnalyzer(Analyzer* analyzer) { dst_analyzer = analyzer; } + void SetDstAnalyzer(analyzer::Analyzer* analyzer) { dst_analyzer = analyzer; } void SetType(Type arg_type) { type = arg_type; } TCP_Analyzer* GetTCPAnalyzer() { return tcp_analyzer; } @@ -125,7 +125,7 @@ private: BroFile* record_contents_file; // file on which to reassemble contents - Analyzer* dst_analyzer; + analyzer::Analyzer* dst_analyzer; TCP_Analyzer* tcp_analyzer; Type type; diff --git a/src/Telnet.cc b/src/Telnet.cc index 62c7d7b500..47991177f2 100644 --- a/src/Telnet.cc +++ b/src/Telnet.cc @@ -6,7 +6,7 @@ #include "NVT.h" Telnet_Analyzer::Telnet_Analyzer(Connection* conn) -: Login_Analyzer(AnalyzerTag::Telnet, conn) +: Login_Analyzer("TELNET", conn) { NVT_Analyzer* nvt_orig = new NVT_Analyzer(conn, true); NVT_Analyzer* nvt_resp = new NVT_Analyzer(conn, false); diff --git a/src/Telnet.h b/src/Telnet.h index 5675775789..6e1695be9c 100644 --- a/src/Telnet.h +++ b/src/Telnet.h 
@@ -10,7 +10,7 @@ public: Telnet_Analyzer(Connection* conn); virtual ~Telnet_Analyzer() {} - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Telnet_Analyzer(conn); } static bool Available() diff --git a/src/Teredo.cc b/src/Teredo.cc index 7794d1cb3b..88ed6d582e 100644 --- a/src/Teredo.cc +++ b/src/Teredo.cc @@ -1,5 +1,7 @@ #include "Teredo.h" +#include "TunnelEncapsulation.h" +#include "Conn.h" #include "IP.h" #include "Reporter.h" diff --git a/src/Teredo.h b/src/Teredo.h index e720d3f37c..d3e3336f9b 100644 --- a/src/Teredo.h +++ b/src/Teredo.h @@ -1,12 +1,13 @@ #ifndef Teredo_h #define Teredo_h -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include "NetVar.h" +#include "Reporter.h" -class Teredo_Analyzer : public Analyzer { +class Teredo_Analyzer : public analyzer::Analyzer { public: - Teredo_Analyzer(Connection* conn) : Analyzer(AnalyzerTag::Teredo, conn), + Teredo_Analyzer(Connection* conn) : Analyzer("TEREDO", conn), valid_orig(false), valid_resp(false) {} @@ -18,7 +19,7 @@ public: virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Teredo_Analyzer(conn); } static bool Available() diff --git a/src/UDP.cc b/src/UDP.cc index d85cb39edd..2fd80cfce3 100644 --- a/src/UDP.cc +++ b/src/UDP.cc @@ -8,9 +8,10 @@ #include "NetVar.h" #include "UDP.h" #include "Reporter.h" +#include "Conn.h" UDP_Analyzer::UDP_Analyzer(Connection* conn) -: TransportLayerAnalyzer(AnalyzerTag::UDP, conn) +: TransportLayerAnalyzer("UDP", conn) { conn->EnableStatusUpdateTimer(); conn->SetInactivityTimeout(udp_inactivity_timeout); diff --git a/src/UDP.h b/src/UDP.h index b93d4da97f..36a9b84dcd 100644 --- a/src/UDP.h +++ b/src/UDP.h 
@@ -3,7 +3,7 @@ #ifndef udp_h #define udp_h -#include "Analyzer.h" +#include "analyzer/Analyzer.h" #include typedef enum { @@ -11,7 +11,7 @@ typedef enum { UDP_ACTIVE, // packets seen } UDP_EndpointState; -class UDP_Analyzer : public TransportLayerAnalyzer { +class UDP_Analyzer : public analyzer::TransportLayerAnalyzer { public: UDP_Analyzer(Connection* conn); virtual ~UDP_Analyzer(); @@ -20,7 +20,7 @@ public: virtual void UpdateConnVal(RecordVal *conn_val); - static Analyzer* InstantiateAnalyzer(Connection* conn) + static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new UDP_Analyzer(conn); } static bool Available() { return true; } diff --git a/src/Val.cc b/src/Val.cc index 5133550236..8b55049706 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -1049,6 +1049,11 @@ StringVal::StringVal(const char* s) : Val(TYPE_STRING) val.string_val = new BroString(s); } +StringVal::StringVal(const string& s) : Val(TYPE_STRING) + { + val.string_val = new BroString(s.c_str()); + } + StringVal* StringVal::ToUpper() { val.string_val->ToUpper(); diff --git a/src/Val.h b/src/Val.h index 4b2705c5b4..019c390699 100644 --- a/src/Val.h +++ b/src/Val.h @@ -608,6 +608,7 @@ class StringVal : public Val { public: StringVal(BroString* s); StringVal(const char* s); + StringVal(const string& s); StringVal(int length, const char* s); Val* SizeVal() const diff --git a/src/ZIP.cc b/src/ZIP.cc index 0ebe93abe6..d3d9b1c38b 100644 --- a/src/ZIP.cc +++ b/src/ZIP.cc @@ -3,7 +3,7 @@ #include "ZIP.h" ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method) -: TCP_SupportAnalyzer(AnalyzerTag::Zip, conn, orig) +: TCP_SupportAnalyzer("ZIP", conn, orig) { zip = 0; zip_status = Z_OK; diff --git a/src/analyzer.bif b/src/analyzer.bif new file mode 100644 index 0000000000..2ce5af992d --- /dev/null +++ b/src/analyzer.bif 
@@ -0,0 +1,39 @@ +##! Internal functions and types used by the logging framework. + +module Analyzer; + +%%{ +#include "NetVar.h" + +#include "analyzer/Manager.h" +%%} + +function Analyzer::__enable_analyzer%(id: Analyzer::Tag%) : bool + %{ + bool result = analyzer_mgr->EnableAnalyzer(id->AsEnumVal()); + return new Val(result, TYPE_BOOL); + %} + +function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool + %{ + bool result = analyzer_mgr->DisableAnalyzer(id->AsEnumVal()); + return new Val(result, TYPE_BOOL); + %} + +function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool + %{ + bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p); + return new Val(result, TYPE_BOOL); + %} + +function Analyzer::__expect_connection%(orig: addr, resp: addr, resp_p: port, + analyzer: Analyzer::Tag, tout: interval%) : bool + %{ + analyzer_mgr->ExpectConnection(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout, 0); + return new Val(true, TYPE_BOOL); + %} + +function __name%(atype: Analyzer::Tag%) : string + %{ + return new StringVal(analyzer_mgr->GetAnalyzerName(atype)); + %} diff --git a/src/Analyzer.cc b/src/analyzer/Analyzer.cc similarity index 65% rename from src/Analyzer.cc rename to src/analyzer/Analyzer.cc index 15926dfa2a..ca15ad56e1 100644 --- a/src/Analyzer.cc +++ b/src/analyzer/Analyzer.cc 
@@ -1,186 +1,13 @@ + #include #include "Analyzer.h" -#include "PIA.h" -#include "Event.h" +#include "Manager.h" -#include "AYIYA.h" -#include "BackDoor.h" -#include "BitTorrent.h" -#include "BitTorrentTracker.h" -#include "Finger.h" -#include "InterConn.h" -#include "NTP.h" -#include "HTTP.h" -#include "HTTP-binpac.h" -#include "ICMP.h" -#include "SteppingStone.h" -#include "IRC.h" -#include "SMTP.h" -#include "FTP.h" -#include "FileAnalyzer.h" -#include "DNS.h" -#include "DNS-binpac.h" -#include "DHCP-binpac.h" -#include "Telnet.h" -#include "Rlogin.h" -#include "RSH.h" -#include "DCE_RPC.h" -#include "Gnutella.h" -#include "Ident.h" -#include "Modbus.h" -#include "NCP.h" -#include "NetbiosSSN.h" -#include "SMB.h" -#include "NFS.h" -#include "Portmap.h" -#include "POP3.h" -#include "SOCKS.h" -#include "SSH.h" -#include "SSL.h" -#include "Syslog-binpac.h" -#include "Teredo.h" -#include "ConnSizeAnalyzer.h" -#include "GTPv1.h" +#include "../PIA.h" +#include "../Event.h" -// Keep same order here as in AnalyzerTag definition! 
-const Analyzer::Config Analyzer::analyzer_configs[] = { - { AnalyzerTag::Error, "", 0, 0, 0, false }, - - { AnalyzerTag::PIA_TCP, "PIA_TCP", PIA_TCP::InstantiateAnalyzer, - PIA_TCP::Available, 0, false }, - { AnalyzerTag::PIA_UDP, "PIA_UDP", PIA_UDP::InstantiateAnalyzer, - PIA_UDP::Available, 0, false }, - - { AnalyzerTag::ICMP, "ICMP", ICMP_Analyzer::InstantiateAnalyzer, - ICMP_Analyzer::Available, 0, false }, - - { AnalyzerTag::TCP, "TCP", TCP_Analyzer::InstantiateAnalyzer, - TCP_Analyzer::Available, 0, false }, - { AnalyzerTag::UDP, "UDP", UDP_Analyzer::InstantiateAnalyzer, - UDP_Analyzer::Available, 0, false }, - - { AnalyzerTag::BitTorrent, "BITTORRENT", - BitTorrent_Analyzer::InstantiateAnalyzer, - BitTorrent_Analyzer::Available, 0, false }, - { AnalyzerTag::BitTorrentTracker, "BITTORRENTTRACKER", - BitTorrentTracker_Analyzer::InstantiateAnalyzer, - BitTorrentTracker_Analyzer::Available, 0, false }, - { AnalyzerTag::DCE_RPC, "DCE_RPC", - DCE_RPC_Analyzer::InstantiateAnalyzer, - DCE_RPC_Analyzer::Available, 0, false }, - { AnalyzerTag::DNS, "DNS", DNS_Analyzer::InstantiateAnalyzer, - DNS_Analyzer::Available, 0, false }, - { AnalyzerTag::Finger, "FINGER", Finger_Analyzer::InstantiateAnalyzer, - Finger_Analyzer::Available, 0, false }, - { AnalyzerTag::FTP, "FTP", FTP_Analyzer::InstantiateAnalyzer, - FTP_Analyzer::Available, 0, false }, - { AnalyzerTag::Gnutella, "GNUTELLA", - Gnutella_Analyzer::InstantiateAnalyzer, - Gnutella_Analyzer::Available, 0, false }, - { AnalyzerTag::HTTP, "HTTP", HTTP_Analyzer::InstantiateAnalyzer, - HTTP_Analyzer::Available, 0, false }, - { AnalyzerTag::Ident, "IDENT", Ident_Analyzer::InstantiateAnalyzer, - Ident_Analyzer::Available, 0, false }, - { AnalyzerTag::IRC, "IRC", IRC_Analyzer::InstantiateAnalyzer, - IRC_Analyzer::Available, 0, false }, - { AnalyzerTag::Login, "LOGIN", 0, 0, 0, false }, // just a base class - { AnalyzerTag::NCP, "NCP", NCP_Analyzer::InstantiateAnalyzer, - NCP_Analyzer::Available, 0, false }, - { 
AnalyzerTag::NetbiosSSN, "NetbiosSSN", - NetbiosSSN_Analyzer::InstantiateAnalyzer, - NetbiosSSN_Analyzer::Available, 0, false }, - { AnalyzerTag::NFS, "NFS", NFS_Analyzer::InstantiateAnalyzer, - NFS_Analyzer::Available, 0, false }, - { AnalyzerTag::NTP, "NTP", NTP_Analyzer::InstantiateAnalyzer, - NTP_Analyzer::Available, 0, false }, - { AnalyzerTag::POP3, "POP3", POP3_Analyzer::InstantiateAnalyzer, - POP3_Analyzer::Available, 0, false }, - { AnalyzerTag::Portmapper, "PORTMAPPER", - Portmapper_Analyzer::InstantiateAnalyzer, - Portmapper_Analyzer::Available, 0, false }, - { AnalyzerTag::Rlogin, "RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer, - Rlogin_Analyzer::Available, 0, false }, - { AnalyzerTag::RPC, "RPC", 0, 0, 0, false }, - { AnalyzerTag::Rsh, "RSH", Rsh_Analyzer::InstantiateAnalyzer, - Rsh_Analyzer::Available, 0, false }, - { AnalyzerTag::SMB, "SMB", SMB_Analyzer::InstantiateAnalyzer, - SMB_Analyzer::Available, 0, false }, - { AnalyzerTag::SMTP, "SMTP", SMTP_Analyzer::InstantiateAnalyzer, - SMTP_Analyzer::Available, 0, false }, - { AnalyzerTag::SSH, "SSH", SSH_Analyzer::InstantiateAnalyzer, - SSH_Analyzer::Available, 0, false }, - { AnalyzerTag::Telnet, "TELNET", Telnet_Analyzer::InstantiateAnalyzer, - Telnet_Analyzer::Available, 0, false }, - - { AnalyzerTag::DHCP_BINPAC, "DHCP_BINPAC", - DHCP_Analyzer_binpac::InstantiateAnalyzer, - DHCP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::DNS_TCP_BINPAC, "DNS_TCP_BINPAC", - DNS_TCP_Analyzer_binpac::InstantiateAnalyzer, - DNS_TCP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::DNS_UDP_BINPAC, "DNS_UDP_BINPAC", - DNS_UDP_Analyzer_binpac::InstantiateAnalyzer, - DNS_UDP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::HTTP_BINPAC, "HTTP_BINPAC", - HTTP_Analyzer_binpac::InstantiateAnalyzer, - HTTP_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::SSL, "SSL", - SSL_Analyzer::InstantiateAnalyzer, - SSL_Analyzer::Available, 0, false }, - { AnalyzerTag::SYSLOG_BINPAC, "SYSLOG_BINPAC", - 
Syslog_Analyzer_binpac::InstantiateAnalyzer, - Syslog_Analyzer_binpac::Available, 0, false }, - { AnalyzerTag::Modbus, "MODBUS", - ModbusTCP_Analyzer::InstantiateAnalyzer, - ModbusTCP_Analyzer::Available, 0, false }, - - { AnalyzerTag::AYIYA, "AYIYA", - AYIYA_Analyzer::InstantiateAnalyzer, - AYIYA_Analyzer::Available, 0, false }, - { AnalyzerTag::SOCKS, "SOCKS", - SOCKS_Analyzer::InstantiateAnalyzer, - SOCKS_Analyzer::Available, 0, false }, - { AnalyzerTag::Teredo, "TEREDO", - Teredo_Analyzer::InstantiateAnalyzer, - Teredo_Analyzer::Available, 0, false }, - { AnalyzerTag::GTPv1, "GTPV1", - GTPv1_Analyzer::InstantiateAnalyzer, - GTPv1_Analyzer::Available, 0, false }, - - { AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer, - File_Analyzer::Available, 0, false }, - { AnalyzerTag::Backdoor, "BACKDOOR", - BackDoor_Analyzer::InstantiateAnalyzer, - BackDoor_Analyzer::Available, 0, false }, - { AnalyzerTag::InterConn, "INTERCONN", - InterConn_Analyzer::InstantiateAnalyzer, - InterConn_Analyzer::Available, 0, false }, - { AnalyzerTag::SteppingStone, "STEPPINGSTONE", - SteppingStone_Analyzer::InstantiateAnalyzer, - SteppingStone_Analyzer::Available, 0, false }, - { AnalyzerTag::TCPStats, "TCPSTATS", - TCPStats_Analyzer::InstantiateAnalyzer, - TCPStats_Analyzer::Available, 0, false }, - { AnalyzerTag::ConnSize, "CONNSIZE", - ConnSize_Analyzer::InstantiateAnalyzer, - ConnSize_Analyzer::Available, 0, false }, - - { AnalyzerTag::Contents, "CONTENTS", 0, 0, 0, false }, - { AnalyzerTag::ContentLine, "CONTENTLINE", 0, 0, 0, false }, - { AnalyzerTag::NVT, "NVT", 0, 0, 0, false }, - { AnalyzerTag::Zip, "ZIP", 0, 0, 0, false }, - { AnalyzerTag::Contents_DNS, "CONTENTS_DNS", 0, 0, 0, false }, - { AnalyzerTag::Contents_NetbiosSSN, "CONTENTS_NETBIOSSSN", 0, 0, 0, false }, - { AnalyzerTag::Contents_NCP, "CONTENTS_NCP", 0, 0, 0, false }, - { AnalyzerTag::Contents_Rlogin, "CONTENTS_Rlogin", 0, 0, 0, false }, - { AnalyzerTag::Contents_Rsh, "CONTENTS_RSH", 0, 0, 0, false }, - { 
AnalyzerTag::Contents_DCE_RPC, "CONTENTS_DCE_RPC", 0, 0, 0, false }, - { AnalyzerTag::Contents_SMB, "CONTENTS_SMB", 0, 0, 0, false }, - { AnalyzerTag::Contents_RPC, "CONTENTS_RPC", 0, 0, 0, false }, - { AnalyzerTag::Contents_NFS, "CONTENTS_NFS", 0, 0, 0, false }, - { AnalyzerTag::FTP_ADAT, "FTP_ADAT", 0, 0, 0, false }, -}; +using namespace analyzer; AnalyzerTimer::~AnalyzerTimer() { @@ -212,41 +39,25 @@ void AnalyzerTimer::Init(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, Ref(analyzer->Conn()); } -AnalyzerID Analyzer::id_counter = 0;; +analyzer::ID Analyzer::id_counter = 0;; -Analyzer* Analyzer::InstantiateAnalyzer(AnalyzerTag::Tag tag, Connection* c) +bool Analyzer::IsAnalyzer(const char* name) { - Analyzer* a = analyzer_configs[tag].factory(c); - assert(a); - return a; - } - -const char* Analyzer::GetTagName(AnalyzerTag::Tag tag) - { - return analyzer_configs[tag].name; - } - -AnalyzerTag::Tag Analyzer::GetTag(const char* name) - { - for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ ) - if ( strcasecmp(analyzer_configs[i].name, name) == 0 ) - return analyzer_configs[i].tag; - - return AnalyzerTag::Error; + return analyzer_mgr->GetAnalyzerName(Tag()) == name; } // Used in debugging output. static string fmt_analyzer(Analyzer* a) { - return string(a->GetTagName()) + fmt("[%d]", a->GetID()); + return analyzer_mgr->GetAnalyzerName(a->GetTag()) + fmt("[%d]", a->GetID()); } -Analyzer::Analyzer(AnalyzerTag::Tag arg_tag, Connection* arg_conn) +Analyzer::Analyzer(const char* name, Connection* arg_conn) { // Don't Ref conn here to avoid circular ref'ing. It can't be deleted // before us. conn = arg_conn; - tag = arg_tag; + tag = analyzer_mgr->GetAnalyzerTag(name); id = ++id_counter; protocol_confirmed = false; skip = false; 
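Review bot: the table removed in the first Analyzer.cc hunk contained entries with a null factory (LOGIN, RPC, CONTENTS, CONTENTLINE, NVT, ZIP, the CONTENTS_* tags, FTP_ADAT) that existed purely so that base and support analyzers had a tag and a name. After this patch those classes still construct with a string, e.g. `TCP_SupportAnalyzer("ZIP", conn, orig)` in ZIP.cc, and the new constructor calls `reporter->InternalError()` when `GetAnalyzerTag(name)` fails, so every one of those factory-less names must be registered with the Manager by the new plugin as well, or the first ZIP or NVT support analyzer created at runtime aborts Bro. Please confirm the registration in BuiltinAnalyzers.cc covers the full removed list, not only the instantiable protocol analyzers.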
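Review bot: `Analyzer::IsAnalyzer()` in the second Analyzer.cc hunk compares against `analyzer_mgr->GetAnalyzerName(Tag())`, and as far as the visible declarations go (Analyzer.h declares `Tag GetTag() const` and a `Tag tag` member, no `Tag()` method), `Tag()` is a freshly value-initialized Tag, i.e. the error tag, not this analyzer's own tag. The method therefore answers the question for the wrong object, and every `IsAnalyzer("TCP")` call this patch introduces (`assert(ta->IsAnalyzer("TCP"))` in Sessions.cc, `Parent()->IsAnalyzer("TCP")` in TCP_ApplicationAnalyzer::Init) would return false, firing the assert in debug builds and silently skipping SetTCP() in release builds. Use `GetAnalyzerName(tag)` or `GetAnalyzerName(GetTag())`. Two smaller points in the same hunk: `analyzer::ID Analyzer::id_counter = 0;;` carries over the stray double semicolon from the removed line, and the constructor now performs a name-to-tag string lookup via `GetAnalyzerTag(name)` on every instantiation, once per analyzer per connection on the hot path; since the factory already knows which tag it is creating, passing the Tag (or caching it per class) would avoid resolving the string each time.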
@@ -257,6 +68,10 @@ Analyzer::Analyzer(AnalyzerTag::Tag arg_tag, Connection* arg_conn) resp_supporters = 0; signature = 0; output_handler = 0; + + if ( ! tag ) + reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::PluginComponent?", name); + } Analyzer::~Analyzer() @@ -351,11 +166,6 @@ void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, int seq, } } -const char* Analyzer::GetTagName() const - { - return GetTagName(tag); - } - void Analyzer::NextStream(int len, const u_char* data, bool is_orig) { if ( skip ) @@ -533,12 +343,15 @@ void Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init) fmt_analyzer(this).c_str(), fmt_analyzer(analyzer).c_str()); } -Analyzer* Analyzer::AddChildAnalyzer(AnalyzerTag::Tag analyzer) +Analyzer* Analyzer::AddChildAnalyzer(Tag analyzer) { if ( ! HasChildAnalyzer(analyzer) ) { - Analyzer* a = InstantiateAnalyzer(analyzer, conn); - AddChildAnalyzer(a); + Analyzer* a = analyzer_mgr->InstantiateAnalyzer(analyzer, conn); + + if ( a ) + AddChildAnalyzer(a); + return a; } @@ -563,12 +376,12 @@ void Analyzer::RemoveChildAnalyzer(Analyzer* analyzer) } } -void Analyzer::RemoveChildAnalyzer(AnalyzerID id) +void Analyzer::RemoveChildAnalyzer(ID id) { LOOP_OVER_CHILDREN(i) if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) ) { - DBG_LOG(DBG_DPD, "%s disabling child %s", GetTagName(), id, + DBG_LOG(DBG_DPD, "%s disabling child %s", analyzer_mgr->GetAnalyzerName(GetTag()).c_str(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()); // See comment above. (*i)->removing = true; @@ -576,7 +389,7 @@ void Analyzer::RemoveChildAnalyzer(AnalyzerID id) } } -bool Analyzer::HasChildAnalyzer(AnalyzerTag::Tag tag) +bool Analyzer::HasChildAnalyzer(Tag tag) { LOOP_OVER_CHILDREN(i) if ( (*i)->tag == tag ) 
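Review bot: the DBG_LOG call in the RemoveChildAnalyzer(ID) hunk has a format string with two `%s` conversions but four arguments (`GetAnalyzerName(GetTag()).c_str(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()`), so the second `%s` is fed the integer `id` and dereferenced as a char pointer. The mismatch was already present on the removed line, but the line is being rewritten anyway and the intent is clearly `"%s disabling child %s"` with the two fmt_analyzer() strings; drop the first two arguments, or extend the format to `"%s disabling child %d (%s -> %s)"` if the id is wanted in the output. Separately, in the AddChildAnalyzer(Tag) hunk the Manager may now legitimately return a null analyzer for a disabled tag, and the new `if ( a )` guard is right; callers of AddChildAnalyzer(Tag) elsewhere that dereference its return value unconditionally now need the same check.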
@@ -589,7 +402,7 @@ bool Analyzer::HasChildAnalyzer(AnalyzerTag::Tag tag) return false; } -Analyzer* Analyzer::FindChild(AnalyzerID arg_id) +Analyzer* Analyzer::FindChild(ID arg_id) { if ( id == arg_id ) return this; @@ -604,7 +417,7 @@ Analyzer* Analyzer::FindChild(AnalyzerID arg_id) return 0; } -Analyzer* Analyzer::FindChild(AnalyzerTag::Tag arg_tag) +Analyzer* Analyzer::FindChild(Tag arg_tag) { if ( tag == arg_tag ) return this; @@ -619,6 +432,12 @@ Analyzer* Analyzer::FindChild(AnalyzerTag::Tag arg_tag) return 0; } +Analyzer* Analyzer::FindChild(const string& name) + { + Tag tag = analyzer_mgr->GetAnalyzerTag(name); + return tag != Tag::ERROR ? FindChild(tag) : 0; + } + void Analyzer::DeleteChild(analyzer_list::iterator i) { Analyzer* child = *i; @@ -707,7 +526,7 @@ void Analyzer::RemoveSupportAnalyzer(SupportAnalyzer* analyzer) return; } -bool Analyzer::HasSupportAnalyzer(AnalyzerTag::Tag tag, bool orig) +bool Analyzer::HasSupportAnalyzer(Tag tag, bool orig) { SupportAnalyzer* s = orig ? orig_supporters : resp_supporters; for ( ; s; s = s->sibling ) @@ -772,7 +591,7 @@ void Analyzer::ProtocolConfirmation() val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new Val(tag, TYPE_COUNT)); + vl->append(tag.Val()); vl->append(new Val(id, TYPE_COUNT)); // We immediately raise the event so that the analyzer can quickly @@ -800,7 +619,7 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new Val(tag, TYPE_COUNT)); + vl->append(tag.Val()); vl->append(new Val(id, TYPE_COUNT)); vl->append(r); 
@@ -872,6 +691,31 @@ void Analyzer::UpdateConnVal(RecordVal *conn_val) (*i)->UpdateConnVal(conn_val); } +RecordVal* Analyzer::BuildConnVal() + { + return conn->BuildConnVal(); + } + +void Analyzer::Event(EventHandlerPtr f, const char* name) + { + conn->Event(f, this, name); + } + +void Analyzer::Event(EventHandlerPtr f, Val* v1, Val* v2) + { + conn->Event(f, this, v1, v2); + } + +void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl) + { + conn->ConnectionEvent(f, this, vl); + } + +void Analyzer::Weird(const char* name, const char* addl) + { + conn->Weird(name, addl); + } + void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen) { diff --git a/src/Analyzer.h b/src/analyzer/Analyzer.h similarity index 81% rename from src/Analyzer.h rename to src/analyzer/Analyzer.h index 6ccd7648d3..db65670ad6 100644 --- a/src/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -1,19 +1,30 @@ // Main analyzer interface. -#ifndef ANALYZER_H -#define ANALYZER_H +#ifndef ANALYZER_ANALYZER_H +#define ANALYZER_ANALYZER_H #include -#include "AnalyzerTags.h" -#include "Conn.h" -#include "Obj.h" +#include "Tag.h" -class DPM; +#include "../Obj.h" +#include "../EventHandler.h" +#include "../Timer.h" + +class Rule; +class Connection; class PIA; -class Analyzer; +class IP_Hdr; +class TCP_ApplicationAnalyzer; + +namespace analyzer { class Analyzer; } + +namespace analyzer { + typedef list analyzer_list; +typedef uint32 ID; + typedef void (Analyzer::*analyzer_timer_func)(double t); // FIXME: This is a copy of ConnectionTimer, which we may eventually be @@ -56,7 +67,8 @@ class OutputHandler; class Analyzer { public: - Analyzer(AnalyzerTag::Tag tag, Connection* conn); + // "name" must match the one used in + Analyzer(const char* name, Connection* conn); virtual ~Analyzer(); virtual void Init(); 
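Review bot: the new constructor comment in the first Analyzer.h hunk, `// "name" must match the one used in`, is cut off mid-sentence, and this is exactly the place a reader needs the rule, because the constructor now calls `reporter->InternalError()` when the name is unknown (see the Analyzer.cc hunk); finish the sentence by naming where the string has to be registered (the plugin component that registers the analyzer with the Manager). In the same hunk, `namespace analyzer { class Analyzer; }` is immediately followed by `namespace analyzer {`, inside which the class itself is declared, so the forward declaration is redundant and can be dropped.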
@@ -94,7 +106,7 @@ public: // Report a message boundary to all child analyzers virtual void ForwardEndOfData(bool orig); - AnalyzerID GetID() const { return id; } + ID GetID() const { return id; } Connection* Conn() const { return conn; } // An OutputHandler can be used to get access to data extracted by this @@ -128,12 +140,8 @@ public: bool IsFinished() const { return finished; } - AnalyzerTag::Tag GetTag() const { return tag; } - const char* GetTagName() const; - static AnalyzerTag::Tag GetTag(const char* tag); - static const char* GetTagName(AnalyzerTag::Tag tag); - static bool IsAvailable(AnalyzerTag::Tag tag) - { return analyzer_configs[tag].available(); } + Tag GetTag() const { return tag; } + bool IsAnalyzer(const char* name); // Management of the tree. // @@ -141,18 +149,21 @@ public: // of the same type. void AddChildAnalyzer(Analyzer* analyzer) { AddChildAnalyzer(analyzer, true); } - Analyzer* AddChildAnalyzer(AnalyzerTag::Tag tag); + Analyzer* AddChildAnalyzer(Tag tag); void RemoveChildAnalyzer(Analyzer* analyzer); - void RemoveChildAnalyzer(AnalyzerID id); + void RemoveChildAnalyzer(ID id); - bool HasChildAnalyzer(AnalyzerTag::Tag tag); + bool HasChildAnalyzer(Tag tag); // Recursive; returns nil if not found. - Analyzer* FindChild(AnalyzerID id); + Analyzer* FindChild(ID id); // Recursive; returns first found, or nil. - Analyzer* FindChild(AnalyzerTag::Tag tag); + Analyzer* FindChild(Tag tag); + + // Recursive; returns first found, or nil. + Analyzer* FindChild(const string& name); const analyzer_list& GetChildren() { return children; } 
@@ -240,27 +251,17 @@ public: // The following methods are proxies: calls are directly forwarded // to the connection instance. These are for convenience only, // allowing us to reuse more of the old analyzer code unchanged. - RecordVal* BuildConnVal() - { return conn->BuildConnVal(); } - void Event(EventHandlerPtr f, const char* name = 0) - { conn->Event(f, this, name); } - void Event(EventHandlerPtr f, Val* v1, Val* v2 = 0) - { conn->Event(f, this, v1, v2); } - void ConnectionEvent(EventHandlerPtr f, val_list* vl) - { conn->ConnectionEvent(f, this, vl); } - void Weird(const char* name, const char* addl = "") - { conn->Weird(name, addl); } - - // Factory function to instantiate new analyzers. - static Analyzer* InstantiateAnalyzer(AnalyzerTag::Tag tag, Connection* c); + RecordVal* BuildConnVal(); + void Event(EventHandlerPtr f, const char* name = 0); + void Event(EventHandlerPtr f, Val* v1, Val* v2 = 0); + void ConnectionEvent(EventHandlerPtr f, val_list* vl); + void Weird(const char* name, const char* addl = ""); protected: - friend class DPM; friend class Connection; friend class AnalyzerTimer; friend class TCP_ApplicationAnalyzer; - - Analyzer() { } + friend class Manager; // Associates a connection with this analyzer. Must be called if // we're using the default ctor. @@ -275,7 +276,7 @@ protected: void RemoveTimer(Timer* t); void CancelTimers(); - bool HasSupportAnalyzer(AnalyzerTag::Tag tag, bool orig); + bool HasSupportAnalyzer(Tag tag, bool orig); void AddChildAnalyzer(Analyzer* analyzer, bool init); void InitChildren(); @@ -286,8 +287,8 @@ private: // already Done(). void DeleteChild(analyzer_list::iterator i); - AnalyzerTag::Tag tag; - AnalyzerID id; + Tag tag; + ID id; Connection* conn; Analyzer* parent; 
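Review bot: the @@ -240 hunk deletes the protected default constructor `Analyzer() { }` but leaves the comment just below it untouched, "Associates a connection with this analyzer. Must be called if we're using the default ctor.", which describes SetConn(); with no default constructor left that comment is misleading, and if SetConn() has no remaining callers after the SupportAnalyzer and TransportLayerAnalyzer default constructors are removed too, it can go with them. Worth a sentence in the commit message as well: the five proxy methods (BuildConnVal, both Event overloads, ConnectionEvent, Weird) lose their inline bodies here because the header no longer includes Conn.h; they are called on every event on the packet path, so the out-of-line move is a deliberate trade of a call per event for lower header coupling.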
@@ -308,49 +309,32 @@ private: bool finished; bool removing; - static AnalyzerID id_counter; - - typedef bool (*available_callback)(); - typedef Analyzer* (*factory_callback)(Connection* conn); - typedef bool (*match_callback)(Connection*); - - struct Config { - AnalyzerTag::Tag tag; - const char* name; - factory_callback factory; - available_callback available; - match_callback match; - bool partial; - }; - - // Table of analyzers. - static const Config analyzer_configs[]; - + static ID id_counter; }; #define ADD_ANALYZER_TIMER(timer, t, do_expire, type) \ - AddTimer(analyzer_timer_func(timer), (t), (do_expire), (type)) + AddTimer(analyzer::analyzer_timer_func(timer), (t), (do_expire), (type)) #define LOOP_OVER_CHILDREN(var) \ - for ( analyzer_list::iterator var = children.begin(); \ + for ( analyzer::analyzer_list::iterator var = children.begin(); \ var != children.end(); var++ ) #define LOOP_OVER_CONST_CHILDREN(var) \ - for ( analyzer_list::const_iterator var = children.begin(); \ + for ( analyzer::analyzer_list::const_iterator var = children.begin(); \ var != children.end(); var++ ) #define LOOP_OVER_GIVEN_CHILDREN(var, the_kids) \ - for ( analyzer_list::iterator var = the_kids.begin(); \ + for ( analyzer::analyzer_list::iterator var = the_kids.begin(); \ var != the_kids.end(); var++ ) #define LOOP_OVER_GIVEN_CONST_CHILDREN(var, the_kids) \ - for ( analyzer_list::const_iterator var = the_kids.begin(); \ + for ( analyzer::analyzer_list::const_iterator var = the_kids.begin(); \ var != the_kids.end(); var++ ) class SupportAnalyzer : public Analyzer { public: - SupportAnalyzer(AnalyzerTag::Tag tag, Connection* conn, bool arg_orig) - : Analyzer(tag, conn) { orig = arg_orig; sibling = 0; } + SupportAnalyzer(const char* name, Connection* conn, bool arg_orig) + : Analyzer(name, conn) { orig = arg_orig; sibling = 0; } virtual ~SupportAnalyzer() {} @@ -366,7 +350,6 @@ public: protected: friend class Analyzer; - SupportAnalyzer() { } private: bool orig; 
@@ -378,8 +361,8 @@ private: class TransportLayerAnalyzer : public Analyzer { public: - TransportLayerAnalyzer(AnalyzerTag::Tag tag, Connection* conn) - : Analyzer(tag, conn) { pia = 0; } + TransportLayerAnalyzer(const char* name, Connection* conn) + : Analyzer(name, conn) { pia = 0; } virtual void Done(); virtual bool IsReuse(double t, const u_char* pkt) = 0; @@ -393,11 +376,10 @@ public: // Raises packet_contents event. void PacketContents(const u_char* data, int len); -protected: - TransportLayerAnalyzer() { } - private: PIA* pia; }; +} + #endif diff --git a/src/analyzer/BuiltinAnalyzers.cc b/src/analyzer/BuiltinAnalyzers.cc new file mode 100644 index 0000000000..e65dbdb62e --- /dev/null +++ b/src/analyzer/BuiltinAnalyzers.cc 
@@ -0,0 +1,127 @@ + +#include "BuiltInAnalyzers.h" +#include "PluginComponent.h" + +#include "../binpac_bro.h" + +#include "AYIYA.h" +#include "BackDoor.h" +#include "BitTorrent.h" +#include "BitTorrentTracker.h" +#include "Finger.h" +#include "InterConn.h" +#include "NTP.h" +#include "HTTP.h" +#include "HTTP-binpac.h" +#include "ICMP.h" +#include "SteppingStone.h" +#include "IRC.h" +#include "SMTP.h" +#include "FTP.h" +#include "FileAnalyzer.h" +#include "DNS.h" +#include "DNS-binpac.h" +#include "DHCP-binpac.h" +#include "Telnet.h" +#include "Rlogin.h" +#include "RSH.h" +#include "DCE_RPC.h" +#include "Gnutella.h" +#include "Ident.h" +#include "Modbus.h" +#include "NCP.h" +#include "NetbiosSSN.h" +#include "SMB.h" +#include "NFS.h" +#include "Portmap.h" +#include "POP3.h" +#include "SOCKS.h" +#include "SSH.h" +#include "SSL.h" +#include "Syslog-binpac.h" +#include "Teredo.h" +#include "ConnSizeAnalyzer.h" +#include "GTPv1.h" + +using namespace analyzer; + +#define DEFINE_ANALYZER(name, factory, enabled, partial) \ + AddComponent(new PluginComponent(name, factory, enabled, partial)) + +void BuiltinAnalyzers::Init() + { + plugin::Description desc; + desc.name = "Core-Analyzers"; + desc.description = "Built-in protocol analyzers"; + desc.version = plugin::API_BUILTIN; + SetDescription(desc); + + DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("DNS", 
DNS_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); + DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); + DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("LOGIN", 0, true, false); // just a base class + DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("NETBIOSSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("RPC", 0, true, false); + DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("DNS_TCP_BINPAC", DNS_TCP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); + DEFINE_ANALYZER("DNS_UDP_BINPAC", DNS_UDP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); + DEFINE_ANALYZER("HTTP_BINPAC", HTTP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); + 
DEFINE_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer, true, false); + + DEFINE_ANALYZER("CONTENTS", 0, true, false); + DEFINE_ANALYZER("CONTENTLINE", 0, true, false); + DEFINE_ANALYZER("NVT", 0, true, false); + DEFINE_ANALYZER("ZIP", 0, true, false); + DEFINE_ANALYZER("CONTENTS_DNS", 0, true, false); + DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0, true, false); + DEFINE_ANALYZER("CONTENTS_NCP", 0, true, false); + DEFINE_ANALYZER("CONTENTS_RLOGIN", 0, true, false); + DEFINE_ANALYZER("CONTENTS_RSH", 0, true, false); + DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0, true, false); + DEFINE_ANALYZER("CONTENTS_SMB", 0, true, false); + DEFINE_ANALYZER("CONTENTS_RPC", 0, true, false); + DEFINE_ANALYZER("CONTENTS_NFS", 0, true, false); + DEFINE_ANALYZER("FTP_ADAT", 0, true, false); + } + diff --git a/src/analyzer/BuiltinAnalyzers.h b/src/analyzer/BuiltinAnalyzers.h new file mode 100644 index 0000000000..6097bfa078 --- /dev/null +++ b/src/analyzer/BuiltinAnalyzers.h 
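Review bot: the first line of the new file, `#include "BuiltInAnalyzers.h"`, does not match the header added by this patch, `src/analyzer/BuiltinAnalyzers.h` (lower-case `i` in `in`); on a case-sensitive filesystem the build breaks, and on a case-insensitive one it silently passes, which hides the problem. Change it to `#include "BuiltinAnalyzers.h"`. Secondary: the file uses `PIA_TCP`, `PIA_UDP`, `TCP_Analyzer`, `UDP_Analyzer` and `TCPStats_Analyzer` but the include list has no `PIA.h`, `TCP.h` or `UDP.h`, so it depends on transitive includes; and the entries registered with a null factory (`"LOGIN"`, `"RPC"`, `"CONTENTS"`, `"NVT"`, `"ZIP"`, ...) deserve a comment saying they are base-class placeholders that cannot be instantiated, since only the first of them carries the "just a base class" remark.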
@@ -0,0 +1,17 @@ + +#ifndef ANALYZER_BUILTIN_ANALYZERS_H +#define ANALYZER_BUILTIN_ANALYZERS_H + +#include "plugin/Plugin.h" + +namespace analyzer { + +class BuiltinAnalyzers : public plugin::Plugin { +public: + virtual void Init(); +}; + +} + + +#endif diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc new file mode 100644 index 0000000000..b2d35215f3 --- /dev/null +++ b/src/analyzer/Manager.cc 
@@ -0,0 +1,691 @@ + +#include "Manager.h" + +#include "PIA.h" +#include "Hash.h" +#include "ICMP.h" +#include "UDP.h" +#include "TCP.h" +#include "Val.h" +#include "BackDoor.h" +#include "InterConn.h" +#include "SteppingStone.h" +#include "ConnSizeAnalyzer.h" + +#include "plugin/Manager.h" + +using namespace analyzer; + +ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, + uint16 _resp_p, uint16 _proto) + { + if ( _orig == IPAddr(string("0.0.0.0")) ) + // don't use the IPv4 mapping, use the literal unspecified address + // to indicate a wildcard + orig = IPAddr(string("::")); + else + orig = _orig; + resp = _resp; + resp_p = _resp_p; + proto = _proto; + } + +ExpectedConn::ExpectedConn(const ExpectedConn& c) + { + orig = c.orig; + resp = c.resp; + resp_p = c.resp_p; + proto = c.proto; + } + +Manager::Manager() + : expected_conns_queue(AssignedAnalyzer::compare) + { + tag_enum_type = new EnumType("Analyzer::Tag"); + ::ID* id = install_ID("Tag", "Analyzer", true, true); + add_type(id, tag_enum_type, 0, 0); + } + +Manager::~Manager() + { + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_tcp.begin(); i != analyzers_by_port_tcp.end(); i++ ) + delete i->second; + + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_udp.begin(); i != analyzers_by_port_udp.end(); i++ ) + delete i->second; + + analyzers_by_port_udp.clear(); + analyzers_by_port_tcp.clear(); + + // Clean up expected-connection table. + while ( expected_conns_queue.size() ) + { + AssignedAnalyzer* a = expected_conns_queue.top(); + if ( ! a->deleted ) + { + HashKey* key = BuildExpectedConnHashKey(a->conn); + expected_conns.Remove(key); + delete key; + } + + expected_conns_queue.pop(); + delete a; + } + } + +void Manager::Init() + { + std::list analyzers = plugin_mgr->Components(plugin::component::ANALYZER); + + for ( std::list::const_iterator i = analyzers.begin(); i != analyzers.end(); i++ ) + RegisterAnalyzerComponent(*i); + + // Caache these tags. 
+ analyzer_backdoor = GetAnalyzerTag("BACKDOOR"); + analyzer_connsize = GetAnalyzerTag("CONNSIZE"); + analyzer_interconn = GetAnalyzerTag("INTERCONN"); + analyzer_stepping = GetAnalyzerTag("STEPPINGSTONE"); + analyzer_tcpstats = GetAnalyzerTag("TCPSTATS"); + } + +void Manager::DumpDebug() + { +#ifdef DEBUG + DBG_LOG(DBG_DPD, "Available analyzers after bro_init():"); + for ( analyzer_map_by_name::const_iterator i = analyzers_by_name.begin(); i != analyzers_by_name.end(); i++ ) + DBG_LOG(DBG_DPD, " %s (%s)", i->second->Name().c_str(), IsEnabled(i->second->Tag()) ? "enabled" : "disabled"); + + DBG_LOG(DBG_DPD, ""); + DBG_LOG(DBG_DPD, "Analyzers by port:"); + + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_tcp.begin(); i != analyzers_by_port_tcp.end(); i++ ) + { + string s; + + for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) + s += GetAnalyzerName(*j) + " "; + + DBG_LOG(DBG_DPD, " %d/tcp: %s", i->first, s.c_str()); + } + + for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_udp.begin(); i != analyzers_by_port_udp.end(); i++ ) + { + string s; + + for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) + s += GetAnalyzerName(*j) + " "; + + DBG_LOG(DBG_DPD, " %d/udp: %s", i->first, s.c_str()); + } + +#if 0 + ODesc d; + tag_enum_type->Describe(&d); + + DBG_LOG(DBG_DPD, ""); + DBG_LOG(DBG_DPD, "Analyzer::Tag type: %s", d.Description()); +#endif + +#endif + } + +void Manager::Done() + { + } + +void Manager::RegisterAnalyzerComponent(PluginComponent* component) + { + if ( Lookup(component->Name()) ) + reporter->FatalError("Analyzer %s defined more than once", component->Name().c_str()); + + DBG_LOG(DBG_DPD, "Registering analyzer %s (tag %s)", + component->Name().c_str(), component->Tag().AsString().c_str()); + + analyzers_by_name.insert(std::make_pair(component->Name(), component)); + analyzers_by_tag.insert(std::make_pair(component->Tag(), component)); + 
analyzers_by_val.insert(std::make_pair(component->Tag().Val()->InternalInt(), component)); + + // Install enum "Analyzer::ANALYZER_*" + string name = to_upper(component->Name()); + string id = fmt("ANALYZER_%s", name.c_str()); + tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().Val()->InternalInt(), true); + } + +bool Manager::EnableAnalyzer(Tag tag) + { + PluginComponent* p = Lookup(tag); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to enable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Enabling analyzer %s", p->Name().c_str()); + p->SetEnabled(true); + + return true; + } + +bool Manager::EnableAnalyzer(EnumVal* val) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to enable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Enabling analyzer %s", p->Name().c_str()); + p->SetEnabled(true); + + return true; + } + +bool Manager::DisableAnalyzer(Tag tag) + { + PluginComponent* p = Lookup(tag); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to disable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Disabling analyzer %s", p->Name().c_str()); + p->SetEnabled(false); + + return true; + } + +bool Manager::DisableAnalyzer(EnumVal* val) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to disable non-existing analyzer"); + return false; + } + + DBG_LOG(DBG_DPD, "Disabling analyzer %s", p->Name().c_str()); + p->SetEnabled(false); + + return true; + } + +bool Manager::IsEnabled(Tag tag) + { + if ( ! tag ) + return false; + + PluginComponent* p = Lookup(tag); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to check non-existing analyzer"); + return false; + } + + return p->Enabled(); + } + +bool Manager::IsEnabled(EnumVal* val) + { + PluginComponent* p = Lookup(val); + + if ( ! 
p ) + { + DBG_LOG(DBG_DPD, "Asked to check non-existing analyzer"); + return false; + } + + return p->Enabled(); + } + + +bool Manager::RegisterAnalyzerForPort(EnumVal* val, PortVal* port) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to register port for non-existing analyzer"); + return false; + } + + return RegisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); + } + +bool Manager::UnregisterAnalyzerForPort(EnumVal* val, PortVal* port) + { + PluginComponent* p = Lookup(val); + + if ( ! p ) + { + DBG_LOG(DBG_DPD, "Asked to unregister port fork non-existing analyzer"); + return false; + } + + return UnregisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); + } + +bool Manager::RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port) + { + tag_set* l = LookupPort(proto, port, true); + +#ifdef DEBUG + std::string name = GetAnalyzerName(tag); + DBG_LOG(DBG_DPD, "Registering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); +#endif + + l->insert(tag); + return true; + } + +bool Manager::UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port) + { + tag_set* l = LookupPort(proto, port, true); + +#ifdef DEBUG + std::string name = GetAnalyzerName(tag); + DBG_LOG(DBG_DPD, "Unregistering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); +#endif + + l->erase(tag); + return true; + } + +Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) + { + PluginComponent* c = Lookup(tag); + + if ( ! c ) + reporter->InternalError("request to instantiate unknown analyzer"); + + if ( ! c->Enabled() ) + return 0; + + assert(c->Factory()); + Analyzer* a = c->Factory()(conn); + + if ( ! a ) + reporter->InternalError("analyzer instantiation failed"); + + return a; + } + +string Manager::GetAnalyzerName(Tag tag) + { + if ( ! tag ) + return ""; + + PluginComponent* c = Lookup(tag); + + if ( ! 
c ) + reporter->InternalError("request for name of unknown analyzer tag %s", tag.AsString().c_str()); + + return c->Name(); + } + +string Manager::GetAnalyzerName(Val* val) + { + return GetAnalyzerName(Tag(val->AsEnumVal())); + } + +Tag Manager::GetAnalyzerTag(const string& name) + { + PluginComponent* c = Lookup(name); + return c ? c->Tag() : Tag::ERROR; + } + +Tag Manager::GetAnalyzerTag(const char* name) + { + PluginComponent* c = Lookup(name); + return c ? c->Tag() : Tag::ERROR; + } + +EnumType* Manager::GetTagEnumType() + { + return tag_enum_type; + } + + +PluginComponent* Manager::Lookup(const string& name) + { + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + return i != analyzers_by_name.end() ? i->second : 0; + } + +PluginComponent* Manager::Lookup(const char* name) + { + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + return i != analyzers_by_name.end() ? i->second : 0; + } + +PluginComponent* Manager::Lookup(const Tag& tag) + { + analyzer_map_by_tag::const_iterator i = analyzers_by_tag.find(tag); + return i != analyzers_by_tag.end() ? i->second : 0; + } + +PluginComponent* Manager::Lookup(EnumVal* val) + { + analyzer_map_by_val::const_iterator i = analyzers_by_val.find(val->InternalInt()); + return i != analyzers_by_val.end() ? i->second : 0; + } + +Manager::tag_set* Manager::LookupPort(TransportProto proto, uint32 port, bool add_if_not_found) + { + analyzer_map_by_port* m = 0; + + switch ( proto ) { + case TRANSPORT_TCP: + m = &analyzers_by_port_tcp; + break; + + case TRANSPORT_UDP: + m = &analyzers_by_port_udp; + break; + + default: + reporter->InternalError("unsupport transport protocol in analyzer::Manager::LookupPort"); + } + + analyzer_map_by_port::const_iterator i = m->find(port); + + if ( i != m->end() ) + return i->second; + + if ( ! 
add_if_not_found ) + return 0; + + tag_set* l = new tag_set; + m->insert(std::make_pair(port, l)); + return l; + } + +Manager::tag_set* Manager::LookupPort(PortVal* val, bool add_if_not_found) + { + return LookupPort(val->PortType(), val->Port(), add_if_not_found); + } + +Tag Manager::GetExpected(int proto, const Connection* conn) + { + if ( ! expected_conns.Length() ) + return Tag::ERROR; + + ExpectedConn c(conn->OrigAddr(), conn->RespAddr(), + ntohs(conn->RespPort()), proto); + + HashKey* key = BuildExpectedConnHashKey(c); + AssignedAnalyzer* a = expected_conns.Lookup(key); + delete key; + + if ( ! a ) + { + // Wildcard for originator. + c.orig = IPAddr(string("::")); + + HashKey* key = BuildExpectedConnHashKey(c); + a = expected_conns.Lookup(key); + delete key; + } + + if ( ! a ) + return Tag::ERROR; + + // We don't delete it here. It will be expired eventually. + return a->analyzer; + } + +bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, + const u_char* data) + { + Analyzer* analyzer = 0; + TCP_Analyzer* tcp = 0; + UDP_Analyzer* udp = 0; + ICMP_Analyzer* icmp = 0; + TransportLayerAnalyzer* root = 0; + Tag expected = Tag::ERROR; + PIA* pia = 0; + bool analyzed = false; + bool check_port = false; + + switch ( proto ) { + + case TRANSPORT_TCP: + root = tcp = new TCP_Analyzer(conn); + pia = new PIA_TCP(conn); + expected = GetExpected(proto, conn); + check_port = true; + DBG_DPD(conn, "activated TCP analyzer"); + break; + + case TRANSPORT_UDP: + root = udp = new UDP_Analyzer(conn); + pia = new PIA_UDP(conn); + expected = GetExpected(proto, conn); + check_port = true; + DBG_DPD(conn, "activated UDP analyzer"); + break; + + case TRANSPORT_ICMP: { + root = icmp = new ICMP_Analyzer(conn); + DBG_DPD(conn, "activated ICMP analyzer"); + analyzed = true; + break; + } + + default: + reporter->InternalError("unknown protocol"); + } + + if ( ! 
root ) + { + DBG_DPD(conn, "cannot build analyzer tree"); + return false; + } + + // Any scheduled analyzer? + if ( expected ) + { + Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(expected, conn); + + if ( analyzer ) + { + root->AddChildAnalyzer(analyzer, false); + + DBG_DPD_ARGS(conn, "activated %s analyzer as scheduled", + analyzer_mgr->GetAnalyzerName(expected).c_str()); + } + + // Hmm... Do we want *just* the expected analyzer, or all + // other potential analyzers as well? For now we only take + // the scheduled one. + } + + else + { // Let's see if it's a port we know. + if ( check_port && ! dpd_ignore_ports ) + { + int resp_port = ntohs(conn->RespPort()); + tag_set* ports = LookupPort(proto, resp_port, false); + + if ( ports ) + { + for ( tag_set::const_iterator j = ports->begin(); j != ports->end(); ++j ) + { + Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(*j, conn); + + if ( ! analyzer ) + continue; + + root->AddChildAnalyzer(analyzer, false); + DBG_DPD_ARGS(conn, "activated %s analyzer due to port %d", + analyzer_mgr->GetAnalyzerName(*j).c_str(), resp_port); + } + } + } + } + + if ( tcp ) + { + // We have to decide whether to reassamble the stream. + // We turn it on right away if we already have an app-layer + // analyzer, reassemble_first_packets is true, or the user + // asks us to do so. In all other cases, reassembly may + // be turned on later by the TCP PIA. + + bool reass = root->GetChildren().size() || + dpd_reassemble_first_packets || + tcp_content_deliver_all_orig || + tcp_content_deliver_all_resp; + + if ( tcp_contents && ! reass ) + { + PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP); + Val* result; + + if ( ! reass ) + reass = tcp_content_delivery_ports_orig->Lookup(&dport); + + if ( ! reass ) + reass = tcp_content_delivery_ports_resp->Lookup(&dport); + } + + if ( reass ) + tcp->EnableReassembly(); + + if ( IsEnabled(analyzer_backdoor) ) + // Add a BackDoor analyzer if requested. 
This analyzer + // can handle both reassembled and non-reassembled input. + tcp->AddChildAnalyzer(new BackDoor_Analyzer(conn), false); + + if ( IsEnabled(analyzer_interconn) ) + // Add a InterConn analyzer if requested. This analyzer + // can handle both reassembled and non-reassembled input. + tcp->AddChildAnalyzer(new InterConn_Analyzer(conn), false); + + if ( IsEnabled(analyzer_stepping) ) + { + // Add a SteppingStone analyzer if requested. The port + // should really not be hardcoded here, but as it can + // handle non-reassembled data, it doesn't really fit into + // our general framing ... Better would be to turn it + // on *after* we discover we have interactive traffic. + uint16 resp_port = ntohs(conn->RespPort()); + if ( resp_port == 22 || resp_port == 23 || resp_port == 513 ) + { + AddrVal src(conn->OrigAddr()); + if ( ! stp_skip_src->Lookup(&src) ) + tcp->AddChildAnalyzer(new SteppingStone_Analyzer(conn), false); + } + } + + if ( IsEnabled(analyzer_tcpstats) ) + // Add TCPStats analyzer. This needs to see packets so + // we cannot add it as a normal child. + tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn)); + + if ( IsEnabled(analyzer_connsize) ) + // Add ConnSize analyzer. Needs to see packets, not stream. + tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn)); + } + + else + { + if ( IsEnabled(analyzer_connsize) ) + // Add ConnSize analyzer. Needs to see packets, not stream. + udp->AddChildAnalyzer(new ConnSize_Analyzer(conn)); + } + + if ( pia ) + root->AddChildAnalyzer(pia->AsAnalyzer()); + + if ( root->GetChildren().size() ) + analyzed = true; + + conn->SetRootAnalyzer(root, pia); + root->Init(); + root->InitChildren(); + + if ( ! 
analyzed ) + conn->SetLifetime(non_analyzed_lifetime); + + if ( expected != Tag::ERROR ) + conn->Event(expected_connection_seen, 0, + new Val(expected, TYPE_COUNT)); + + return true; + } + +void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, + uint16 resp_p, + TransportProto proto, Tag analyzer, + double timeout, void* cookie) + { + // Use the chance to see if the oldest entry is already expired. + if ( expected_conns_queue.size() ) + { + AssignedAnalyzer* a = expected_conns_queue.top(); + if ( a->timeout < network_time ) + { + if ( ! a->deleted ) + { + HashKey* key = BuildExpectedConnHashKey(a->conn); + expected_conns.Remove(key); + delete key; + } + + expected_conns_queue.pop(); + + DBG_LOG(DBG_DPD, "Expired expected %s analyzer for %s", + analyzer_mgr->GetAnalyzerName(analyzer).c_str(), + fmt_conn_id(a->conn.orig, 0, + a->conn.resp, + a->conn.resp_p)); + + delete a; + } + } + + ExpectedConn c(orig, resp, resp_p, proto); + + HashKey* key = BuildExpectedConnHashKey(c); + + AssignedAnalyzer* a = expected_conns.Lookup(key); + + if ( a ) + a->deleted = true; + + a = new AssignedAnalyzer(c); + + a->analyzer = analyzer; + a->cookie = cookie; + a->timeout = network_time + timeout; + a->deleted = false; + + expected_conns.Insert(key, a); + expected_conns_queue.push(a); + delete key; + } + +void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, + uint16 resp_p, + TransportProto proto, const string& analyzer, + double timeout, void* cookie) + { + Tag tag = GetAnalyzerTag(analyzer); + + if ( tag != Tag::ERROR ) + ExpectConnection(orig, resp, resp_p, proto, tag, timeout, cookie); + } + +void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, + Val* analyzer, double timeout, void* cookie) + { + EnumVal* ev = analyzer->AsEnumVal(); + return ExpectConnection(orig, resp, resp_p->Port(), resp_p->PortType(), Tag(ev), timeout, cookie); + } 
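Review bot: in `BuildInitialAnalyzerTree()` the `else` branch of `if ( tcp )` calls `udp->AddChildAnalyzer(new ConnSize_Analyzer(conn))`, but for `TRANSPORT_ICMP` only `root`/`icmp` are assigned and `udp` is still 0, so any ICMP flow with the CONNSIZE analyzer enabled dereferences a null pointer; make it `else if ( udp )` or attach the analyzer to `root`. Further points in this hunk: `UnregisterAnalyzerForPort()` calls `LookupPort(proto, port, true)`, so unregistering a port that was never registered allocates an empty `tag_set` for it; pass `false` and return `false` when nothing is found. `InstantiateAnalyzer()` does `assert(c->Factory())`, yet BuiltinAnalyzers.cc in this same patch registers several components with a null factory, so a script that registers one of those for a port or schedules it via `ExpectConnection()` aborts the process instead of getting a reporter error; return 0 after `reporter->Error()` instead. In `ExpectConnection()` the "Expired expected %s analyzer" message prints `GetAnalyzerName(analyzer)` (the tag being scheduled now) rather than `a->analyzer` (the tag that expired), and only one stale entry is expired per call although the queue is ordered by timeout. The two inner `Analyzer* analyzer` declarations shadow the outer `Analyzer* analyzer = 0;`, and `Val* result;` in the `tcp_contents` block is unused. Message and comment typos: "Caache", "fork non-existing", "unsupport transport protocol", "reassamble".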
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h new file mode 100644 index 0000000000..e6143cada6 --- /dev/null +++ b/src/analyzer/Manager.h 
@@ -0,0 +1,182 @@ +// The central management unit for dynamic analyzer selection. + +#ifndef ANALYZER_MANAGER_H +#define ANALYZER_MANAGER_H + +#include + +#include "Tag.h" +#include "PluginComponent.h" + +#include "Analyzer.h" +#include "../Dict.h" +#include "../net_util.h" +#include "../IP.h" + +namespace analyzer { + +// Manager debug logging, which includes the connection id into the message. +#ifdef DEBUG +# define DBG_DPD(conn, txt) \ + DBG_LOG(DBG_DPD, "%s " txt, \ + fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ + conn->RespAddr(), ntohs(conn->RespPort()))); +# define DBG_DPD_ARGS(conn, fmt, args...) \ + DBG_LOG(DBG_DPD, "%s " fmt, \ + fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ + conn->RespAddr(), ntohs(conn->RespPort())), ##args); +#else +# define DBG_DPD(conn, txt) +# define DBG_DPD_ARGS(conn, fmt, args...) +#endif + +// Map index to assign expected connections to analyzers. +class ExpectedConn { +public: + ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, + uint16 _resp_p, uint16 _proto); + + ExpectedConn(const ExpectedConn& c); + + IPAddr orig; + IPAddr resp; + uint16 resp_p; + uint16 proto; +}; + +// Associates an analyzer for an expected future connection. +class AssignedAnalyzer { +public: + AssignedAnalyzer(const ExpectedConn& c) + : conn(c) { } + + ExpectedConn conn; + Tag analyzer; + double timeout; + void* cookie; + bool deleted; + + static bool compare(const AssignedAnalyzer* a1, const AssignedAnalyzer* a2) + { return a1->timeout > a2->timeout; } +}; + +declare(PDict, AssignedAnalyzer); + +class Manager { +public: + Manager(); + ~Manager(); + + void Init(); // Called before script's are parsed. + void Done(); + void DumpDebug(); // Called after bro_init() events. 
+ + bool EnableAnalyzer(Tag tag); + bool EnableAnalyzer(EnumVal* tag); + + bool DisableAnalyzer(Tag tag); + bool DisableAnalyzer(EnumVal* tag); + + bool IsEnabled(Tag tag); + bool IsEnabled(EnumVal* tag); + + bool RegisterAnalyzerForPort(EnumVal* tag, PortVal* port); + bool RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); + + bool UnregisterAnalyzerForPort(EnumVal* tag, PortVal* port); + bool UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); + + Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled. + + string GetAnalyzerName(Tag tag); + string GetAnalyzerName(Val* val); + Tag GetAnalyzerTag(const string& name); // Tag::ERROR when not known. + Tag GetAnalyzerTag(const char* name); // Tag::ERROR when not known. + + EnumType* GetTagEnumType(); + + // Given info about the first packet, build initial analyzer tree. + // + // It would be more flexible if we simply pass in the IP header and + // then extract the information we need. However, when this method + // is called from the session management, protocol and ports have + // already been extracted there and it would be a waste to do it + // again. + // + // Returns 0 if we can't build a tree (e.g., because the necessary + // analyzers have not been converted to the Manager framework yet...) + bool BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, + const u_char* data); + + // Schedules a particular analyzer for an upcoming connection. 0 acts + // as a wildcard for orig. (Cookie is currently unused. Eventually, + // we may pass it on to the analyzer). 
+ void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, + TransportProto proto, Tag::Tag analyzer, + double timeout, void* cookie); + + void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, + TransportProto proto, const string& analyzer, + double timeout, void* cookie); + + void ExpectConnection(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, + Val* val, double timeout, void* cookie); + + // Activates signature matching for protocol detection. (Called when + // an Manager signatures is found.) + void ActivateSigs() { sigs_activated = true; } + bool SigsActivated() const { return sigs_activated; } + +private: + typedef set tag_set; + typedef map analyzer_map_by_name; + typedef map analyzer_map_by_tag; + typedef map analyzer_map_by_val; + typedef map analyzer_map_by_port; + + void RegisterAnalyzerComponent(PluginComponent* component); // Takes ownership. + + PluginComponent* Lookup(const string& name); + PluginComponent* Lookup(const char* name); + PluginComponent* Lookup(const Tag& tag); + PluginComponent* Lookup(EnumVal* val); + + tag_set* LookupPort(PortVal* val, bool add_if_not_found); + tag_set* LookupPort(TransportProto proto, uint32 port, bool add_if_not_found); + + // Return analyzer if any has been scheduled with ExpectConnection() + // Tag::::Error if none. + Tag GetExpected(int proto, const Connection* conn); + + analyzer_map_by_port analyzers_by_port_tcp; + analyzer_map_by_port analyzers_by_port_udp; + analyzer_map_by_name analyzers_by_name; + analyzer_map_by_tag analyzers_by_tag; + analyzer_map_by_val analyzers_by_val; + + Tag analyzer_backdoor; + Tag analyzer_connsize; + Tag analyzer_interconn; + Tag analyzer_stepping; + Tag analyzer_tcpstats; + + EnumType* tag_enum_type; + + // True if signature-matching has been activated. 
+ bool sigs_activated; + + PDict(AssignedAnalyzer) expected_conns; + + typedef priority_queue< + AssignedAnalyzer*, + vector, + bool (*)(const AssignedAnalyzer*, + const AssignedAnalyzer*)> conn_queue; + conn_queue expected_conns_queue; +}; + +} + +extern analyzer::Manager* analyzer_mgr; + +#endif diff --git a/src/analyzer/PluginComponent.cc b/src/analyzer/PluginComponent.cc new file mode 100644 index 0000000000..fed3ca225a --- /dev/null +++ b/src/analyzer/PluginComponent.cc @@ -0,0 +1,37 @@ + +#include "PluginComponent.h" + +#include "../Desc.h" + +using namespace analyzer; + +Tag::type_t PluginComponent::type_counter = 0; + +PluginComponent::PluginComponent(std::string arg_name, factory_callback arg_factory, bool arg_enabled, bool arg_partial) + : Component(plugin::component::ANALYZER) + { + name = arg_name; + factory = arg_factory; + enabled = arg_enabled; + partial = arg_partial; + + tag = analyzer::Tag(++type_counter, 0); + } + +PluginComponent::PluginComponent(std::string arg_name, Tag::subtype_t arg_stype, factory_callback arg_factory, bool arg_enabled, bool arg_partial) + : Component(plugin::component::ANALYZER) + { + name = arg_name; + factory = arg_factory; + enabled = arg_enabled; + partial = arg_partial; + + tag = analyzer::Tag(++type_counter, arg_stype); + } + +void PluginComponent::Describe(ODesc* d) + { + plugin::Component::Describe(d); + d->Add(name); + } + diff --git a/src/analyzer/PluginComponent.h b/src/analyzer/PluginComponent.h new file mode 100644 index 0000000000..6db5aaf994 --- /dev/null +++ b/src/analyzer/PluginComponent.h 
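Review bot: the first `ExpectConnection()` overload in Manager.h declares its analyzer parameter as `Tag::Tag analyzer`, while the definition in Manager.cc takes `Tag analyzer`; `Tag::Tag` names the constructor (the injected class name), which compilers reject in a type position, and even where it is accepted the declaration would not match the definition. Change it to `Tag analyzer`. Also, the comment on `RegisterAnalyzerComponent()` says "Takes ownership", but `~Manager()` only deletes the per-port `tag_set`s; it never deletes the `PluginComponent`s stored in `analyzers_by_name` and never `Unref()`s `tag_enum_type`, so either free them there or fix the comment if the plugin manager owns the components. Comment nits: "Tag::::Error if none" (should read `Tag::ERROR`), "Called when an Manager signatures is found" (a leftover of the DPM rename), "before script's are parsed", and the "have not been converted to the Manager framework yet..." remark on `BuildInitialAnalyzerTree()` describes the old DPM state rather than this code.

Review bot: both `PluginComponent` constructors build their tag with `analyzer::Tag(++type_counter, ...)`, and `Tag::Tag(type_t, subtype_t)` in this patch's Tag.cc immediately calls `analyzer_mgr->GetTagEnumType()`, so constructing a component before the global `analyzer_mgr` exists dereferences a null pointer; document that ordering requirement (a plugin's `Init()` must run after the `Manager` is constructed) or `assert(analyzer_mgr)` in the constructor. The two constructors also duplicate their four assignments; since delegating constructors need C++11, move the shared body into a private helper that the four-argument overload calls with subtype 0.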
@@ -0,0 +1,51 @@ + +#ifndef ANALYZER_PLUGIN_COMPONENT_H +#define ANALYZER_PLUGIN_COMPONENT_H + +#include + +#include "../config.h" +#include "../util.h" + +#include "plugin/Component.h" +#include "Tag.h" + +class Connection; + +namespace analyzer { + +class Analyzer; + +// This can be copied by value. +class PluginComponent : public plugin::Component { +public: + typedef bool (*available_callback)(); + typedef Analyzer* (*factory_callback)(Connection* conn); + + PluginComponent(std::string name, factory_callback factory, bool enabled, bool partial); + PluginComponent(std::string name, Tag::subtype_t subtype, factory_callback factory, bool enabled, bool partial); + + std::string Name() const { return name; } + factory_callback Factory() const { return factory; } + bool Partial() const { return partial; } + bool Enabled() const { return enabled; } + analyzer::Tag Tag() const { return tag; } + + void SetEnabled(bool arg_enabled) { enabled = arg_enabled; } + + virtual void Describe(ODesc* d); + +private: + std::string name; + factory_callback factory; + bool partial; + + analyzer::Tag tag; + bool enabled; + + static analyzer::Tag::type_t type_counter; +}; + +} + +#endif diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc new file mode 100644 index 0000000000..fbf1bcd2b7 --- /dev/null +++ b/src/analyzer/Tag.cc 
@@ -0,0 +1,69 @@ + +#include "Tag.h" +#include "Manager.h" + +#include "../NetVar.h" + +using namespace analyzer; + +Tag Tag::ERROR; + +Tag::Tag(type_t arg_type, subtype_t arg_subtype) + { + assert(arg_type > 0); + type = arg_type; + subtype = arg_subtype; + int64_t i = (int64)(type) | ((int64)subtype << 31); + + EnumType* etype = analyzer_mgr->GetTagEnumType(); + Ref(etype); + val = new EnumVal(i, etype); + } + +Tag::Tag(EnumVal* arg_val) + { + assert(val); + val = arg_val; + Ref(val); + + int64 i = val->InternalInt(); + type = i & 0xffffffff; + subtype = (i >> 31) & 0xffffffff; + } + +Tag::Tag(const Tag& other) : type(other.type), subtype(other.subtype) + { + type = other.type; + subtype = other.subtype; + val = other.val; + + if ( val ) + Ref(val); + } + +Tag::Tag() + { + type = 0; + subtype = 0; + val = 0; + } + +EnumVal* Tag::Val() + { + if ( ! val ) + { + assert(analyzer_mgr); + assert(type == 0 && subtype == 0); + EnumType* etype = analyzer_mgr->GetTagEnumType(); + Ref(etype); + val = new EnumVal(0, etype); + } + + return val; + } + +std::string Tag::AsString() const + { + return fmt("%" PRIu32 "/%" PRIu32, type, subtype); + } + diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h new file mode 100644 index 0000000000..dab8563982 --- /dev/null +++ b/src/analyzer/Tag.h 
@@ -0,0 +1,59 @@ + +#ifndef ANALYZER_TAG_H +#define ANALYZER_TAG_H + +// Each kind of analyzer gets a tag consisting of a main type and subtype. +// The former is an identifier that's unique all analyzer classes. The latter +// is passed through analyzer instances, yet not further interpreted by the +// analyzer infrastructure; it allows an analyzer to branch out into a set of +// sub-analyzers internally. Jointly, main type and subtype form an analyzer +// "tag". Each unique tag corresponds to a single "analyzer" from the user's +// perspective. + +#include "config.h" +#include "util.h" + +class EnumVal; + +namespace analyzer { + +/// This has supports all operations to be used as a map index. +class Tag { +public: + typedef uint32 type_t; + typedef uint32 subtype_t; + + Tag(type_t type, subtype_t subtype = 0); + Tag(EnumVal* val); + Tag(const Tag& other); + Tag(); // Tag::ERROR value + + type_t Type() const { return type; } + subtype_t Subtype() const { return subtype; } + + // Returns an identifying integer for this tag that's guaranteed to + // be unique across all tags. + EnumVal* Val(); + + std::string AsString() const; + + operator bool() const { return *this != Tag(); } + bool operator==(const Tag& other) const { return type == other.type && subtype == other.subtype; } + bool operator!=(const Tag& other) const { return type != other.type || subtype != other.subtype; } + bool operator<(const Tag& other) const + { + return type != other.type ? type < other.type : (subtype < other.subtype); + } + + + static Tag ERROR; + +private: + type_t type; + subtype_t subtype; + EnumVal* val; +}; + +} + +#endif diff --git a/src/ayiya.pac b/src/ayiya.pac index 58fa196c15..ff0af4d47c 100644 --- a/src/ayiya.pac +++ b/src/ayiya.pac @@ -1,3 +1,4 @@ + %include binpac.pac %include bro.pac diff --git a/src/binpac_bro.h b/src/binpac_bro.h index dcdbe94f57..5f46d8f458 100644 --- a/src/binpac_bro.h +++ b/src/binpac_bro.h 
@@ -1,20 +1,24 @@ #ifndef binpac_bro_h #define binpac_bro_h -class Analyzer; +class Connection; class Val; class PortVal; +namespace analyzer { class Analyzer; } + #include "util.h" -#include "Analyzer.h" #include "Val.h" #include "event.bif.func_h" +#include "TunnelEncapsulation.h" +#include "analyzer/Analyzer.h" +#include "Conn.h" #include "binpac.h" namespace binpac { -typedef Analyzer* BroAnalyzer; +typedef analyzer::Analyzer* BroAnalyzer; typedef Val* BroVal; typedef PortVal* BroPortVal; typedef StringVal* BroStringVal; diff --git a/src/bro.bif b/src/bro.bif index ac54da0e75..4c88a7dd77 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -3353,14 +3353,14 @@ const char* conn_id_string(Val* c) ## .. bro:see:: skip_smtp_data function skip_http_entity_data%(c: connection, is_orig: bool%): any %{ - AnalyzerID id = mgr.CurrentAnalyzer(); + analyzer::ID id = mgr.CurrentAnalyzer(); if ( id ) { - Analyzer* ha = c->FindAnalyzer(id); + analyzer::Analyzer* ha = c->FindAnalyzer(id); if ( ha ) { - if ( ha->GetTag() == AnalyzerTag::HTTP ) + if ( ha->IsAnalyzer("HTTP") ) static_cast(ha)->SkipEntityData(is_orig); else reporter->Error("non-HTTP analyzer associated with connection record"); 
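Review bot: binpac_bro.h forward-declares `class Connection;` and then includes `"Conn.h"` a few lines further down in the same hunk, so the forward declaration is dead code. The bigger effect is on build cost: the header used to get by with forward declarations plus `Analyzer.h`, and adding `Conn.h` and `TunnelEncapsulation.h` means every binpac-generated parser now compiles those in. If the generated code only needs the `BroAnalyzer` pointer typedef, the `namespace analyzer { class Analyzer; }` line this hunk adds already covers it and the two heavy includes can stay out; if the generated parsers do dereference Connection, say so in a comment next to the include.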
@@ -4074,36 +4074,9 @@ function file_mode%(mode: count%): string # =========================================================================== %%{ -#include "DPM.h" +#include "analyzer/Manager.h" %%} -## Schedules an analyzer for a future connection from a given IP address and -## port. The function ignores the scheduling request if the connection did -## not occur within the specified time interval. -## -## orig: The IP address originating a connection in the future. -## -## resp: The IP address responding to a connection from *orig*. -## -## resp_p: The destination port at *resp*. -## -## analyzer: The analyzer ID. -## -## tout: The timeout interval after which to ignore the scheduling request. -## -## Returns: True (unconditionally). -## -## .. bro:see:: disable_analyzer analyzer_name -## -## .. todo:: The return value should be changed to any. -function expect_connection%(orig: addr, resp: addr, resp_p: port, - analyzer: count, tout: interval%) : any - %{ - dpm->ExpectConnection(orig->AsAddr(), resp->AsAddr(), resp_p->Port(), - resp_p->PortType(), (AnalyzerTag::Tag) analyzer, tout, 0); - return new Val(1, TYPE_BOOL); - %} - ## Disables the analyzer which raised the current event (if the analyzer ## belongs to the given connection). ## @@ -4124,7 +4097,7 @@ function disable_analyzer%(cid: conn_id, aid: count%) : bool return new Val(0, TYPE_BOOL); } - Analyzer* a = c->FindAnalyzer(aid); + analyzer::Analyzer* a = c->FindAnalyzer(aid); if ( ! a ) { reporter->Error("connection does not have analyzer specified to disable"); 
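Review bot: deleting the `expect_connection` BIF leaves no script-level way to schedule an analyzer for a future connection, while Manager.h in this same patch still declares three `ExpectConnection` overloads, including one taking `PortVal* resp_p, Val* val` that looks built for exactly such a BIF. Either land the replacement in the new analyzer framework in the same change or state in the commit message that the capability is temporarily gone. The deleted doc block also cross-referenced `disable_analyzer` and `analyzer_name`; grep the remaining `.. bro:see::` lists in bro.bif (disable_analyzer's is right below this hunk) for `expect_connection` so the generated docs do not end up with dangling references.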
@@ -4135,18 +4108,6 @@ function disable_analyzer%(cid: conn_id, aid: count%) : bool return new Val(1, TYPE_BOOL); %} -## Translate an analyzer type to an ASCII string. -## -## aid: The analyzer ID. -## -## Returns: The analyzer *aid* as string. -## -## .. bro:see:: expect_connection disable_analyzer current_analyzer -function analyzer_name%(aid: count%) : string - %{ - return new StringVal(Analyzer::GetTagName((AnalyzerTag::Tag) aid)); - %} - ## Informs Bro that it should skip any further processing of the contents of ## a given connection. In particular, Bro will refrain from reassembling the ## TCP byte stream and from generating events relating to any analyzers that @@ -4321,7 +4282,7 @@ function get_login_state%(cid: conn_id%): count if ( ! c ) return new Val(0, TYPE_BOOL); - Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login); + analyzer::Analyzer* la = c->FindAnalyzer("Login"); if ( ! la ) return new Val(0, TYPE_BOOL); @@ -4346,7 +4307,7 @@ function set_login_state%(cid: conn_id, new_state: count%): bool if ( ! c ) return new Val(0, TYPE_BOOL); - Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login); + analyzer::Analyzer* la = c->FindAnalyzer("Login"); if ( ! la ) return new Val(0, TYPE_BOOL); @@ -4377,7 +4338,7 @@ function get_orig_seq%(cid: conn_id%): count if ( c->ConnTransport() != TRANSPORT_TCP ) return new Val(0, TYPE_COUNT); - Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP); + analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) return new Val(static_cast(tc)->OrigSeq(), TYPE_COUNT); @@ -4407,7 +4368,7 @@ function get_resp_seq%(cid: conn_id%): count if ( c->ConnTransport() != TRANSPORT_TCP ) return new Val(0, TYPE_COUNT); - Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP); + analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) return new Val(static_cast(tc)->RespSeq(), TYPE_COUNT); 
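Review bot: the `c->FindAnalyzer("Login")` and `c->FindAnalyzer("TCP")` lookups in get_login_state, set_login_state, get_orig_seq and get_resp_seq trade compile-time enum constants for string literals, so a misspelled name no longer fails the build; it just yields a null pointer and the BIF quietly returns 0. Consider resolving the name to a Tag once through the manager's `Lookup(const char*)` and passing that, or at least have the string overload of FindAnalyzer report an unknown analyzer name so typos surface at runtime. Separately, `analyzer_name` is removed here with no replacement even though its own doc pointed at `current_analyzer`; any base script that turned an analyzer ID into a string for logging now needs the `Analyzer::Tag` enum instead, and that should be called out.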
@@ -4429,7 +4390,7 @@ function get_resp_seq%(cid: conn_id%): count ## .. bro:see:: skip_http_entity_data function skip_smtp_data%(c: connection%): any %{ - Analyzer* sa = c->FindAnalyzer(AnalyzerTag::SMTP); + analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); if ( sa ) static_cast(sa)->SkipData(); return 0; diff --git a/src/builtin-func.y b/src/builtin-func.y index 474f321ccd..b5d076a56e 100644 --- a/src/builtin-func.y +++ b/src/builtin-func.y @@ -197,11 +197,11 @@ char* concat(const char* str1, const char* str2) void print_event_c_prototype(FILE *fp, bool is_header) { if ( is_header ) - fprintf(fp, "%s void %s(Analyzer* analyzer%s", + fprintf(fp, "%s void %s(analyzer::Analyzer* analyzer%s", decl.generate_c_namespace_start.c_str(), decl.generate_bare_name.c_str(), args.size() ? ", " : "" ); else - fprintf(fp, "void %s(Analyzer* analyzer%s", + fprintf(fp, "void %s(analyzer::Analyzer* analyzer%s", decl.generate_c_fullname.c_str(), args.size() ? ", " : "" ); for ( int i = 0; i < (int) args.size(); ++i ) diff --git a/src/event.bif b/src/event.bif index 393021024a..dd7ab3c1d6 100644 --- a/src/event.bif +++ b/src/event.bif @@ -841,8 +841,8 @@ event gap_report%(dt: interval, info: gap_info%); ## c: The connection. ## ## atype: The type of the analyzer confirming that its protocol is in -## use. The value is one of the ``ANALYZER_*`` constants. For example, -## ``ANALYZER_HTTP`` means the HTTP analyzers determined that it's indeed +## use. The value is one of the ``Analyzer::ANALYZER_*`` constants. For example, +## ``Analyzer::ANALYZER_HTTP`` means the HTTP analyzer determined that it's indeed ## parsing an HTTP connection. ## ## aid: A unique integer ID identifying the specific *instance* of the 
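Review bot: builtin-func.y now prints `analyzer::Analyzer* analyzer` into every generated event prototype but never prints a declaration of that namespace, so every translation unit that includes a generated `*.bif.func_h` must already have `namespace analyzer { class Analyzer; }` in scope. binpac_bro.h in this patch adds exactly that line before including event.bif.func_h, which shows the dependency; the generator should emit the same forward declaration at the top of the header it writes so other includers do not depend on include order.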
@@ -857,7 +857,7 @@ event gap_report%(dt: interval, info: gap_info%); ## Bro's default scripts use this event to determine the ``service`` column ## of :bro:type:`Conn::Info`: once confirmed, the protocol will be listed ## there (and thus in ``conn.log``). -event protocol_confirmation%(c: connection, atype: count, aid: count%); +event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%); ## Generated when a protocol analyzer determines that a connection it is parsing ## is not conforming to the protocol it expects. Bro's dynamic protocol @@ -869,8 +869,8 @@ event protocol_confirmation%(c: connection, atype: count, aid: count%); ## c: The connection. ## ## atype: The type of the analyzer confirming that its protocol is in -## use. The value is one of the ``ANALYZER_*`` constants. For example, -## ``ANALYZER_HTTP`` means the HTTP analyzers determined that it's indeed +## use. The value is one of the ``Analyzer::ANALYZER_*`` constants. For example, +## ``Analyzer::ANALYZER_HTTP`` means the HTTP analyzer determined that it's indeed ## parsing an HTTP connection. ## ## aid: A unique integer ID identifying the specific *instance* of the @@ -888,7 +888,7 @@ event protocol_confirmation%(c: connection, atype: count, aid: count%); ## :bro:id:`disable_analyzer` if it's parsing the wrong protocol. That's ## however a script-level decision and not done automatically by the event ## engine. -event protocol_violation%(c: connection, atype: count, aid: count, reason: string%); +event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%); ## Generated for each packet sent by a UDP flow's originator. This a potentially ## expensive event due to the volume of UDP traffic and should be used with 
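Review bot: changing `atype` in protocol_confirmation and protocol_violation from `count` to `Analyzer::Tag` is a script-visible API break: every handler declared with `atype: count` (including the default scripts that, per the doc text just above, fill the `service` column of Conn::Info) will now fail type checking and must be updated in the same commit. It also means the `Analyzer::Tag` enum has to be declared in script-land before event.bif is parsed, so the load order of the new analyzer framework script relative to the BIFs needs to be pinned. The `aid: count` parameter stays an integer instance ID, which is fine, but one sentence distinguishing it from the new enum would prevent confusion.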
@@ -1389,8 +1389,8 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%); ## TODO. @@ -1636,8 +1636,8 @@ event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event finger_request%(c: connection, full: bool, username: string, hostname: string%); ## Generated for Finger replies. @@ -1653,8 +1653,8 @@ event finger_request%(c: connection, full: bool, username: string, hostname: str ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event finger_reply%(c: connection, reply_line: string%); 
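Review bot: the new wording "one needs to register a port for it or add a DPD payload signature" no longer tells the reader what to call, whereas the sentence it replaces linked to `:bro:see:`dpd_config``. Name the replacement API with a cross-reference, e.g. "register a port for it via :bro:see:`Analyzer::register_for_ports` or add a DPD payload signature" (the function the commit message introduces), and apply the same wording to each of the identical doc hunks that follow in event.bif.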
@@ -1669,8 +1669,8 @@ event finger_reply%(c: connection, reply_line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_text_msg%(c: connection, orig: bool, headers: string%); ## TODO. @@ -1683,8 +1683,8 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, ttl: count, hops: count, msg_len: count, payload: string, payload_len: count, @@ -1700,8 +1700,8 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_partial_binary_msg%(c: connection, orig: bool, msg: string, len: count%); 
@@ -1715,8 +1715,8 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_establish%(c: connection%); ## TODO. @@ -1729,8 +1729,8 @@ event gnutella_establish%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_not_establish%(c: connection%); ## TODO. @@ -1743,8 +1743,8 @@ event gnutella_not_establish%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event gnutella_http_notify%(c: connection%); ## Generated for Ident requests. 
@@ -1762,8 +1762,8 @@ event gnutella_http_notify%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ident_request%(c: connection, lport: port, rport: port%); ## Generated for Ident replies. @@ -1785,8 +1785,8 @@ event ident_request%(c: connection, lport: port, rport: port%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%); ## Generated for Ident error replies. @@ -1806,8 +1806,8 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ident_error%(c: connection, lport: port, rport: port, line: string%); ## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects 
@@ -1840,8 +1840,8 @@ event ident_error%(c: connection, lport: port, rport: port, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); ## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects @@ -1874,8 +1874,8 @@ event login_failure%(c: connection, user: string, client_user: string, password: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); ## Generated for lines of input on Telnet/Rlogin sessions. The line will have 
@@ -1890,8 +1890,8 @@ event login_success%(c: connection, user: string, client_user: string, password: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_input_line%(c: connection, line: string%); ## Generated for lines of output on Telnet/Rlogin sessions. The line will have @@ -1906,8 +1906,8 @@ event login_input_line%(c: connection, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_output_line%(c: connection, line: string%); ## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's @@ -1932,8 +1932,8 @@ event login_output_line%(c: connection, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_confused%(c: connection, msg: string, line: string%); ## Generated after getting confused while tracking a Telnet/Rlogin 
@@ -1952,8 +1952,8 @@ event login_confused%(c: connection, msg: string, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_confused_text%(c: connection, line: string%); ## Generated for clients transmitting a terminal type in a Telnet session. This @@ -1968,8 +1968,8 @@ event login_confused_text%(c: connection, line: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_terminal%(c: connection, terminal: string%); ## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This @@ -1984,8 +1984,8 @@ event login_terminal%(c: connection, terminal: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_display%(c: connection, display: string%); ## Generated when a Telnet authentication has been successful. The Telnet 
@@ -2008,8 +2008,8 @@ event login_display%(c: connection, display: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event authentication_accepted%(name: string, c: connection%); ## Generated when a Telnet authentication has been unsuccessful. The Telnet @@ -2032,8 +2032,8 @@ event authentication_accepted%(name: string, c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event authentication_rejected%(name: string, c: connection%); ## Generated for Telnet/Rlogin sessions when a pattern match indicates @@ -2055,8 +2055,8 @@ event authentication_rejected%(name: string, c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event authentication_skipped%(c: connection%); ## Generated for clients transmitting a terminal prompt in a Telnet session. 
@@ -2075,8 +2075,8 @@ event authentication_skipped%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event login_prompt%(c: connection, prompt: string%); ## Generated for Telnet sessions when encryption is activated. The Telnet @@ -2126,8 +2126,8 @@ event inconsistent_option%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event bad_option%(c: connection%); ## Generated for a Telnet option that's incorrectly terminated. @@ -2144,8 +2144,8 @@ event bad_option%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event bad_option_termination%(c: connection%); ## Generated for client side commands on an RSH connection. 
@@ -2174,8 +2174,8 @@ event bad_option_termination%(c: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%); ## Generated for client side commands on an RSH connection. @@ -2202,8 +2202,8 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%); ## Generated for client-side FTP commands. 
@@ -2569,8 +2569,8 @@ event mime_content_hash%(c: connection, content_len: count, hash_value: string%) ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); ## Generated for RPC *call* messages. @@ -2595,8 +2595,8 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); ## Generated for RPC *reply* messages. 
@@ -2618,8 +2618,8 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); ## Generated for Portmapper requests of type *null*. @@ -2637,8 +2637,8 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_null%(r: connection%); ## Generated for Portmapper request/reply dialogues of type *set*. @@ -2662,8 +2662,8 @@ event pm_request_null%(r: connection%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_set%(r: connection, m: pm_mapping, success: bool%); ## Generated for Portmapper request/reply dialogues of type *unset*. 
@@ -2687,8 +2687,8 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## Generated for Portmapper request/reply dialogues of type *getport*. @@ -2710,8 +2710,8 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); ## Generated for Portmapper request/reply dialogues of type *dump*. 
@@ -2731,8 +2731,8 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_dump%(r: connection, m: pm_mappings%); ## Generated for Portmapper request/reply dialogues of type *callit*. @@ -2754,8 +2754,8 @@ event pm_request_dump%(r: connection, m: pm_mappings%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); ## Generated for failed Portmapper requests of type *null*. @@ -2776,8 +2776,8 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_null%(r: connection, status: rpc_status%); ## Generated for failed Portmapper requests of type *set*. 
@@ -2800,8 +2800,8 @@ event pm_attempt_null%(r: connection, status: rpc_status%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); ## Generated for failed Portmapper requests of type *unset*. @@ -2824,8 +2824,8 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); ## Generated for failed Portmapper requests of type *getport*. 
@@ -2848,8 +2848,8 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%); ## Generated for failed Portmapper requests of type *dump*. @@ -2870,8 +2870,8 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_dump%(r: connection, status: rpc_status%); ## Generated for failed Portmapper requests of type *callit*. 
@@ -2894,8 +2894,8 @@ event pm_attempt_dump%(r: connection, status: rpc_status%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); ## Generated for Portmapper requests or replies that include an invalid port @@ -2918,8 +2918,8 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pm_bad_port%(r: connection, bad_p: count%); ## Generated for NFSv3 request/reply dialogues of type *null*. The event is 
@@ -2941,8 +2941,8 @@ event pm_bad_port%(r: connection, bad_p: count%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is @@ -2969,8 +2969,8 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); ## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is 
@@ -2997,8 +2997,8 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *read*. The event is @@ -3025,8 +3025,8 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is 
@@ -3053,8 +3053,8 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *write*. The event is @@ -3082,8 +3082,8 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *create*. The event is 
@@ -3110,8 +3110,8 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is @@ -3138,8 +3138,8 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *remove*. The event is 
@@ -3166,8 +3166,8 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is @@ -3194,8 +3194,8 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is 
@@ -3222,8 +3222,8 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%); ## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3 @@ -3245,8 +3245,8 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%); ## Generated for each NFSv3 reply message received, reporting just the 
@@ -3263,8 +3263,8 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event nfs_reply_status%(n: connection, info: NFS3::info_t%); ## Generated for all NTP messages. Different from many other of Bro's events, @@ -3284,8 +3284,8 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ntp_message%(u: connection, msg: ntp_msg, excess: string%); ## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer 
@@ -3316,8 +3316,8 @@ event ntp_message%(u: connection, msg: ntp_msg, excess: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%); ## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS @@ -3344,8 +3344,8 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event netbios_session_request%(c: connection, msg: string%); ## Generated for NetBIOS messages of type *positive session response*. Bro's 
@@ -3372,8 +3372,8 @@ event netbios_session_request%(c: connection, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event netbios_session_accepted%(c: connection, msg: string%); ## Generated for NetBIOS messages of type *negative session response*. Bro's @@ -3400,8 +3400,8 @@ event netbios_session_accepted%(c: connection, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event netbios_session_rejected%(c: connection, msg: string%); ## Generated for NetBIOS messages of type *session message* that are not @@ -3435,8 +3435,8 @@ event netbios_session_rejected%(c: connection, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%); ## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS 
@@ -3465,8 +3465,8 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event netbios_session_ret_arg_resp%(c: connection, msg: string%); ## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer @@ -3493,8 +3493,8 @@ event netbios_session_ret_arg_resp%(c: connection, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event netbios_session_keepalive%(c: connection, msg: string%); ## Generated for all SMB/CIFS messages. 
@@ -3526,8 +3526,8 @@ event netbios_session_keepalive%(c: connection, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%); ## Generated for SMB/CIFS messages of type *tree connect andx*. @@ -3553,8 +3553,8 @@ event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%); ## Generated for SMB/CIFS messages of type *tree disconnect*. 
@@ -3576,8 +3576,8 @@ event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, serv ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *nt create andx*. @@ -3601,8 +3601,8 @@ event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%); ## Generated for SMB/CIFS messages of type *nt transaction*. 
@@ -3630,8 +3630,8 @@ event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); ## Generated for SMB/CIFS messages of type *nt transaction 2*. @@ -3659,8 +3659,8 @@ event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); ## Generated for SMB/CIFS messages of type *transaction mailslot*. 
@@ -3688,8 +3688,8 @@ event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); ## Generated for SMB/CIFS messages of type *transaction rap*. @@ -3717,8 +3717,8 @@ event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, dat ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); ## Generated for SMB/CIFS messages of type *transaction pipe*. 
@@ -3746,8 +3746,8 @@ event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: sm ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); ## Generated for SMB/CIFS messages of type *read andx*. @@ -3771,8 +3771,8 @@ event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: s ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%); ## Generated for SMB/CIFS messages of type *read andx*. 
@@ -3796,8 +3796,8 @@ event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%); ## Generated for SMB/CIFS messages of type *get dfs referral*. @@ -3824,8 +3824,8 @@ event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%); ## Generated for SMB/CIFS messages of type *negotiate*. 
@@ -3846,8 +3846,8 @@ event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: cou ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_negotiate%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *negotiate response*. @@ -3870,8 +3870,8 @@ event smb_com_negotiate%(c: connection, hdr: smb_hdr%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%); ## Generated for SMB/CIFS messages of type *setup andx*. @@ -3893,8 +3893,8 @@ event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: co ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_setup_andx%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *generic andx*. 
@@ -3916,8 +3916,8 @@ event smb_com_setup_andx%(c: connection, hdr: smb_hdr%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_generic_andx%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *close*. @@ -3939,8 +3939,8 @@ event smb_com_generic_andx%(c: connection, hdr: smb_hdr%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_close%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages of type *logoff andx*. @@ -3962,8 +3962,8 @@ event smb_com_close%(c: connection, hdr: smb_hdr%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%); ## Generated for SMB/CIFS messages that indicate an error. This event is 
@@ -3988,8 +3988,8 @@ event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%); ## Generated for all DNS messages. @@ -4500,8 +4500,8 @@ event dns_end%(c: connection, msg: dns_msg%) &group="dns"; ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); ## Generated for DHCP messages of type *offer*. @@ -4535,8 +4535,8 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); ## Generated for DHCP messages of type *request*. 
@@ -4566,8 +4566,8 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_ ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%); ## Generated for DHCP messages of type *decline*. @@ -4593,8 +4593,8 @@ event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: add ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dhcp_decline%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *acknowledgment*. 
@@ -4628,8 +4628,8 @@ event dhcp_decline%(c: connection, msg: dhcp_msg%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); ## Generated for DHCP messages of type *negative acknowledgment*. @@ -4655,8 +4655,8 @@ event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_li ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dhcp_nak%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *release*. @@ -4682,8 +4682,8 @@ event dhcp_nak%(c: connection, msg: dhcp_msg%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dhcp_release%(c: connection, msg: dhcp_msg%); ## Generated for DHCP messages of type *inform*. 
@@ -4709,8 +4709,8 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dhcp_inform%(c: connection, msg: dhcp_msg%); ## Generated for HTTP requests. Bro supports persistent and pipelined HTTP @@ -5186,8 +5186,8 @@ event x509_error%(c: connection, is_orig: bool, err: count%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%); ## TODO. @@ -5197,8 +5197,8 @@ event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_bind%(c: connection, uuid: string%); ## TODO. 
@@ -5208,8 +5208,8 @@ event dce_rpc_bind%(c: connection, uuid: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_request%(c: connection, opnum: count, stub: string%); ## TODO. @@ -5219,8 +5219,8 @@ event dce_rpc_request%(c: connection, opnum: count, stub: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event dce_rpc_response%(c: connection, opnum: count, stub: string%); ## TODO. @@ -5230,8 +5230,8 @@ event dce_rpc_response%(c: connection, opnum: count, stub: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); ## Generated for NCP requests (Netware Core Protocol). 
@@ -5251,8 +5251,8 @@ event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ncp_request%(c: connection, frame_type: count, length: count, func: count%); ## Generated for NCP replies (Netware Core Protocol). @@ -5276,8 +5276,8 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count% ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%); ## Generated for client-side commands on POP3 connections. 
@@ -5299,8 +5299,8 @@ event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: cou ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_request%(c: connection, is_orig: bool, command: string, arg: string%); @@ -5326,8 +5326,8 @@ event pop3_request%(c: connection, is_orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); ## Generated for server-side multi-line responses on POP3 connections. POP3 @@ -5349,8 +5349,8 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_data%(c: connection, is_orig: bool, data: string%); ## Generated for errors encountered on POP3 sessions. If the POP3 analyzer 
@@ -5373,8 +5373,8 @@ event pop3_data%(c: connection, is_orig: bool, data: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); @@ -5400,8 +5400,8 @@ event pop3_unexpected%(c: connection, is_orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_terminate%(c: connection, is_orig: bool, msg: string%); ## Generated for successful authentications on POP3 connections. @@ -5423,8 +5423,8 @@ event pop3_terminate%(c: connection, is_orig: bool, msg: string%); ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_login_success%(c: connection, is_orig: bool, user: string, password: string%); 
@@ -5447,8 +5447,8 @@ event pop3_login_success%(c: connection, is_orig: bool, ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. event pop3_login_failure%(c: connection, is_orig: bool, user: string, password: string%); diff --git a/src/main.cc b/src/main.cc index 2232180c5e..08756c1bf3 100644 --- a/src/main.cc +++ b/src/main.cc @@ -49,7 +49,6 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "PersistenceSerializer.h" #include "EventRegistry.h" #include "Stats.h" -#include "DPM.h" #include "BroDoc.h" #include "Brofiler.h" @@ -57,6 +56,9 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "input/Manager.h" #include "logging/Manager.h" #include "logging/writers/Ascii.h" +#include "analyzer/BuiltinAnalyzers.h" +#include "analyzer/Manager.h" +#include "plugin/Manager.h" #include "binpac_bro.h" @@ -86,6 +88,8 @@ TimerMgr* timer_mgr; logging::Manager* log_mgr = 0; threading::Manager* thread_mgr = 0; input::Manager* input_mgr = 0; +plugin::Manager* plugin_mgr = 0; +analyzer::Manager* analyzer_mgr = 0; Stmt* stmts; EventHandlerPtr net_done = 0; RuleMatcher* rule_matcher = 0; @@ -99,7 +103,6 @@ ProfileLogger* profiling_logger = 0; ProfileLogger* segment_logger = 0; SampleLogger* sample_logger = 0; int signal_val = 0; -DPM* dpm = 0; int optimize = 0; int do_notice_analysis = 0; int rule_bench = 0; 
@@ -176,6 +179,7 @@ void usage() fprintf(stderr, " -I|--print-id | print out given ID\n"); fprintf(stderr, " -K|--md5-hashkey | set key for MD5-keyed hashing\n"); fprintf(stderr, " -L|--rule-benchmark | benchmark for rules\n"); + fprintf(stderr, " -N|--print-plugins | print all available plugins and exit\n"); fprintf(stderr, " -O|--optimize | optimize policy script\n"); fprintf(stderr, " -P|--prime-dns | prime DNS\n"); fprintf(stderr, " -R|--replay | replay events\n"); @@ -233,6 +237,27 @@ void usage() exit(1); } +void show_plugins() + { + plugin::Manager::plugin_list plugins = plugin_mgr->Plugins(); + + if ( ! plugins.size() ) + { + printf("No plugins registered, not even any built-ins. This is probably a bug.\n"); + return; + } + + ODesc d; + + for ( plugin::Manager::plugin_list::const_iterator i = plugins.begin(); i != plugins.end(); i++ ) + { + (*i)->Describe(&d); + d.NL(); + } + + printf("%s", d.Description()); + } + void done_with_network() { set_processing_status("TERMINATING", "done_with_network"); @@ -262,7 +287,7 @@ void done_with_network() terminating = true; - dpm->Done(); + analyzer_mgr->Done(); timer_mgr->Expire(); dns_mgr->Flush(); mgr.Drain(); @@ -324,6 +349,8 @@ void terminate_bro() mgr.Drain(); + plugin_mgr->FinishPlugins(); + delete timer_mgr; delete dns_mgr; delete persistence_serializer; @@ -333,8 +360,9 @@ void terminate_bro() delete event_registry; delete secondary_path; delete remote_serializer; - delete dpm; + delete analyzer_mgr; delete log_mgr; + delete plugin_mgr; delete thread_mgr; delete reporter; @@ -412,6 +440,7 @@ int main(int argc, char** argv) int override_ignore_checksums = 0; int rule_debug = 0; int RE_level = 4; + int print_plugins = 0; static struct option long_opts[] = { {"bare-mode", no_argument, 0, 'b'}, 
@@ -440,6 +469,7 @@ int main(int argc, char** argv) {"set-seed", required_argument, 0, 'J'}, {"md5-hashkey", required_argument, 0, 'K'}, {"rule-benchmark", no_argument, 0, 'L'}, + {"print-plugins", no_argument, 0, 'N'}, {"optimize", no_argument, 0, 'O'}, {"prime-dns", no_argument, 0, 'P'}, {"replay", required_argument, 0, 'R'}, @@ -494,7 +524,7 @@ int main(int argc, char** argv) opterr = 0; char opts[256]; - safe_strncpy(opts, "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGLOPSWbdghvZ", + safe_strncpy(opts, "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGLNOPSWbdghvZ", sizeof(opts)); #ifdef USE_PERFTOOLS_DEBUG @@ -609,6 +639,10 @@ int main(int argc, char** argv) ++rule_bench; break; + case 'N': + print_plugins = 1; + break; + case 'O': optimize = 1; break; @@ -764,6 +798,8 @@ int main(int argc, char** argv) add_input_file(argv[optind++]); } + push_scope(0); + dns_mgr = new DNS_Mgr(dns_type); // It would nice if this were configurable. This is similar to the @@ -774,19 +810,28 @@ int main(int argc, char** argv) persistence_serializer = new PersistenceSerializer(); remote_serializer = new RemoteSerializer(); event_registry = new EventRegistry(); + + analyzer_mgr = new analyzer::Manager(); log_mgr = new logging::Manager(); - input_mgr = new input::Manager(); + input_mgr = new input::Manager(); + plugin_mgr = new plugin::Manager(); + + plugin_mgr->RegisterPlugin(new analyzer::BuiltinAnalyzers()); + plugin_mgr->InitPlugins(); + + if ( print_plugins ) + { + show_plugins(); + exit(1); + } + + analyzer_mgr->Init(); if ( events_file ) event_player = new EventPlayer(events_file); init_event_handlers(); - push_scope(0); - - dpm = new DPM; - dpm->PreScriptInit(); - // The leak-checker tends to produce some false // positives (memory which had already been // allocated before we start the checking is 
@@ -1045,12 +1090,12 @@ int main(int argc, char** argv) mgr.QueueEvent(bro_script_loaded, vl); } - dpm->PostScriptInit(); - reporter->ReportViaEvents(true); mgr.Drain(); + analyzer_mgr->DumpDebug(); + have_pending_timers = ! reading_traces && timer_mgr->Size() > 0; io_sources.Register(thread_mgr, true); diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc new file mode 100644 index 0000000000..c4276ca1ff --- /dev/null +++ b/src/plugin/Component.cc @@ -0,0 +1,47 @@ + +#include "Component.h" + +#include "../Desc.h" +#include "../Reporter.h" + +using namespace plugin; + +Component::Component(component::Type arg_type) + { + type = arg_type; + } + +Component::~Component() + { + } + +component::Type Component::Type() const + { + return type; + } + +void Component::Describe(ODesc* d) + { + d->Add(" "); + d->Add("["); + + switch ( type ) { + case component::READER: + d->Add("Reader"); + break; + + case component::WRITER: + d->Add("Writer"); + break; + + case component::ANALYZER: + d->Add("Analyzer"); + break; + + default: + reporter->InternalError("unknown component type in plugin::Component::Describe"); + } + + d->Add("]"); + d->Add(" "); + } diff --git a/src/plugin/Component.h b/src/plugin/Component.h new file mode 100644 index 0000000000..09357effd2 --- /dev/null +++ b/src/plugin/Component.h @@ -0,0 +1,37 @@ + +#ifndef PLUGIN_COMPONENT_H +#define PLUGIN_COMPONENT_H + +class ODesc; + +namespace plugin { + +namespace component { + enum Type { + READER, + WRITER, + ANALYZER + }; +} + +namespace input { class PluginComponent; } +namespace logging { class PluginComponent; } +namespace analyzer { class PluginComponent; } + +class Component +{ +public: + Component(component::Type type); + virtual ~Component(); + + component::Type Type() const; + + virtual void Describe(ODesc* d); + +private: + component::Type type; +}; + +} + +#endif diff --git a/src/plugin/DummyPlugin.cc b/src/plugin/DummyPlugin.cc new file mode 100644 index 0000000000..8a7889c682 --- /dev/null 
+++ b/src/plugin/DummyPlugin.cc @@ -0,0 +1,28 @@ + +#include "Plugin.h" + +class DummyPlugin { +public: + virtual void Init() + { + plugin::Description desc; + desc.name = "Dummy"; + desc.description = "My little dummy plugin"; + desc.version = 2; + desc.url = "http://dummy.bro.org"; + SetDescription(desc); + + analyzer::PluginComponent dummy("DUMMY", "Analyzer::DUMMY", dummy::Instantiate, dummy::Available, 0, false); + AddComponent(dummy); + } + +Plugin* bro_plugin() + { + return new DummyPlugin(); + } + + + + + + diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc new file mode 100644 index 0000000000..62440c0039 --- /dev/null +++ b/src/plugin/Manager.cc 
@@ -0,0 +1,81 @@ + +#include "Manager.h" + +#include "../Reporter.h" + +using namespace plugin; + +Manager::Manager() + { + init = false; + } + +Manager::~Manager() + { + assert(! init); + } + +bool Manager::LoadPlugin(const std::string& path) + { + assert(! init); + reporter->InternalError("plugin::Manager::LoadPlugin not yet implemented"); + return false; + } + +bool Manager::LoadPluginsFrom(const std::string& dir) + { + assert(! init); + reporter->InternalError("plugin::Manager::LoadPluginsFrom not yet implemented"); + return false; + } + +bool Manager::RegisterPlugin(Plugin *plugin) + { + assert(! init); + + plugin::Description desc = plugin->GetDescription(); + + if ( desc.version != plugin::API_BUILTIN ) + { + if ( desc.api_version == API_ERROR ) + reporter->InternalError("API version of plugin %s not initialized", desc.name.c_str()); + + if ( desc.api_version != API_VERSION ) + reporter->FatalError("API version mismatch for plugin %s: expected %d, but have %d", + desc.name.c_str(), API_VERSION, desc.version); + } + + plugins.push_back(plugin); + return true; + } + +void Manager::InitPlugins() + { + assert(! init); + + for ( plugin_list::iterator i = plugins.begin(); i != plugins.end(); i++ ) + (*i)->Init(); + + init = true; + } + +void Manager::FinishPlugins() + { + assert(init); + + for ( plugin_list::iterator i = plugins.begin(); i != plugins.end(); i++ ) + { + (*i)->Done(); + delete *i; + } + + plugins.clear(); + + init = false; + } + +Manager::plugin_list Manager::Plugins() const + { + return plugins; +} + diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h new file mode 100644 index 0000000000..26f07dc944 --- /dev/null +++ b/src/plugin/Manager.h 
@@ -0,0 +1,87 @@ + +#ifndef PLUGIN_MANAGER_H +#define PLUGIN_MANAGER_H + +#include "Plugin.h" +#include "Component.h" + +#include "../Reporter.h" + +namespace plugin { + +class Manager +{ +public: + typedef std::list plugin_list; + typedef Plugin::component_list component_list; + + Manager(); + ~Manager(); + + /** + */ + bool LoadPlugin(const std::string& file); + + /** + * + */ + bool LoadPluginsFrom(const std::string& dir); + + /** + * + * @param plugin: The plugin to register. The method takes ownership. + */ + bool RegisterPlugin(Plugin *plugin); // Takes ownership. + + /** + * + */ + void InitPlugins(); + + /** + * + */ + void FinishPlugins(); + + /** + * + */ + plugin_list Plugins() const; + + /** + * + */ + template + std::list Components(component::Type type) const; + +private: + bool init; + plugin_list plugins; +}; + +template +std::list Manager::Components(component::Type type) const + { + std::list result; + + for ( plugin_list::const_iterator p = plugins.begin(); p != plugins.end(); p++ ) + { + component_list components = (*p)->Components(); + + for ( component_list::const_iterator c = components.begin(); c != components.end(); c++ ) + { + T* t = dynamic_cast(*c); + + if ( t ) + result.push_back(t); + } + } + + return result; + } + +} + +extern plugin::Manager* plugin_mgr; + +#endif diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc new file mode 100644 index 0000000000..e5a09e0dcc --- /dev/null +++ b/src/plugin/Plugin.cc 
@@ -0,0 +1,94 @@ + +#include + +#include "Plugin.h" +#include "Component.h" + +#include "../Desc.h" + +using namespace plugin; + +Description::Description() + { + name = ""; + api_version = API_VERSION; + } + +Plugin::Plugin() + { + } + +Description Plugin::GetDescription() const + { + return description; + } + +void Plugin::SetDescription(Description& desc) + { + description = desc; + } + +Plugin::~Plugin() + { + Done(); + } + +void Plugin::Init() + { + } + +void Plugin::Done() + { + for ( component_list::const_iterator i = components.begin(); i != components.end(); i++ ) + delete *i; + + components.clear(); + } + +Plugin::component_list Plugin::Components() + { + return components; + } + +void Plugin::AddComponent(Component* c) + { + components.push_back(c); + } + +void Plugin::Describe(ODesc* d) + { + d->Add("Plugin: "); + d->Add(description.name); + + if ( description.description.size() ) + { + d->Add(" - "); + d->Add(description.description); + } + + if ( description.version != API_BUILTIN ) + { + d->Add(" (version "); + d->Add(description.version); + + if ( description.url.size() ) + { + d->Add(", from "); + d->Add(description.url); + } + + d->Add(")"); + } + + else + d->Add(" (built-in)"); + + d->NL(); + + for ( component_list::const_iterator i = components.begin(); i != components.end(); i++ ) + { + (*i)->Describe(d); + d->NL(); + } + } + diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h new file mode 100644 index 0000000000..f62b81772f --- /dev/null +++ b/src/plugin/Plugin.h 
@@ -0,0 +1,60 @@ + +#ifndef PLUGIN_PLUGIN_H +#define PLUGIN_PLUGIN_H + +#include +#include + +class ODesc; + +namespace plugin { + +class Manager; +class Component; + +static const int API_VERSION = 1; +static const int API_BUILTIN = -1; +static const int API_ERROR = -2; + +struct Description { + std::string name; + std::string description; + std::string url; + int version; + int api_version; + + Description(); + void Describe(ODesc* d); + }; + +class Plugin { +public: + typedef std::list component_list; + + Plugin(); + virtual ~Plugin(); + + Description GetDescription() const; + void SetDescription(Description& desc); + + component_list Components(); + + virtual void Init(); + virtual void Done(); + + void Describe(ODesc* d); + +protected: + /** + * Takes ownership. + */ + void AddComponent(Component* c); + +private: + plugin::Description description; + component_list components; +}; + +} + +#endif diff --git a/src/scan.l b/src/scan.l index ffbc125728..6a649fb93b 100644 --- a/src/scan.l +++ b/src/scan.l @@ -22,9 +22,11 @@ #include "PolicyFile.h" #include "broparse.h" #include "BroDoc.h" -#include "Analyzer.h" -#include "AnalyzerTags.h" #include "Reporter.h" +#include "RE.h" +#include "Net.h" + +#include "analyzer/analyzer.h" extern YYLTYPE yylloc; // holds start line and column of token extern int print_loaded_scripts; @@ -67,8 +69,10 @@ void clear_reST_doc_comments(); // Adds changes to capture_filter to the current script's reST documentation. static void check_capture_filter_changes(); +#if 0 // Adds changes to dpd_config to the current script's reST documentation. static void check_dpd_config_changes(); +#endif static const char* canon_doc_comment(const char* comment) { @@ -822,7 +826,9 @@ int yywrap() while ( input_files.length() > 0 ) { check_capture_filter_changes(); +#if 0 check_dpd_config_changes(); +#endif if ( load_files(input_files[0]) ) { 
@@ -838,7 +844,9 @@ int yywrap() } check_capture_filter_changes(); +#if 0 check_dpd_config_changes(); +#endif // For each file scanned so far, and for each @prefix, look for a // prefixed and flattened version of the loaded file in BROPATH. The @@ -1003,6 +1011,7 @@ static void check_capture_filter_changes() } } +#if 0 static void check_dpd_config_changes() { if ( ! generate_documentation ) @@ -1047,6 +1056,7 @@ static void check_dpd_config_changes() dpd_table->RemoveAll(); } +#endif void print_current_reST_doc_comments() { diff --git a/src/util.cc b/src/util.cc index 0051f9f6fe..5d6104ce46 100644 --- a/src/util.cc +++ b/src/util.cc @@ -16,6 +16,7 @@ #include #include +#include #include #include #include @@ -298,6 +299,13 @@ void to_upper(char* s) } } +string to_upper(const std::string& s) + { + string t = s; + std::transform(t.begin(), t.end(), t.begin(), ::toupper); + return t; + } + const char* strchr_n(const char* s, const char* end_of_s, char ch) { for ( ; s < end_of_s; ++s ) diff --git a/src/util.h b/src/util.h index f717ecd333..7e0c1ba085 100644 --- a/src/util.h +++ b/src/util.h @@ -114,6 +114,7 @@ extern char* skip_digits(char* s); extern char* get_word(char*& s); extern void get_word(int length, const char* s, int& pwlen, const char*& pw); extern void to_upper(char* s); +extern std::string to_upper(const std::string& s); extern const char* strchr_n(const char* s, const char* end_of_s, char ch); extern const char* strrchr_n(const char* s, const char* end_of_s, char ch); extern int decode_hex(char ch); From eef48586929b538baab34b95802eae7374a4ace2 Mon Sep 17 00:00:00 2001 
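Review bot: in the util.cc hunk, `std::transform(t.begin(), t.end(), t.begin(), ::toupper)` hands plain `char` values to `toupper`, whose argument must be representable as `unsigned char` or be EOF; with a signed `char`, any byte above 0x7f is undefined behaviour. Analyzer names are ASCII today, but this is a general helper in util.cc, so route it through a small wrapper such as `static int upper_char(int c) { return toupper((unsigned char) c); }` and pass that to std::transform.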
From: Robin Sommer Date: Tue, 26 Mar 2013 13:08:03 -0700 Subject: [PATCH 02/70] Fixes for non-OSX. --- aux/bro-aux | 2 +- aux/broctl | 2 +- src/CMakeLists.txt | 2 +- src/RuleAction.h | 2 +- src/analyzer/Analyzer.h | 4 ++-- src/analyzer/{BuiltinAnalyzers.cc => BuiltInAnalyzers.cc} | 0 src/analyzer/{BuiltinAnalyzers.h => BuiltInAnalyzers.h} | 0 src/analyzer/Manager.h | 8 ++++---- src/main.cc | 3 ++- src/scan.l | 2 +- 10 files changed, 13 insertions(+), 12 deletions(-) rename src/analyzer/{BuiltinAnalyzers.cc => BuiltInAnalyzers.cc} (100%) rename src/analyzer/{BuiltinAnalyzers.h => BuiltInAnalyzers.h} (100%) diff --git a/aux/bro-aux b/aux/bro-aux index ae14da422b..7068100754 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit ae14da422bfb252c8a53bd00d3e5fd7da8bc112e +Subproject commit 70681007546aad6e5648494e882b71adb9165105 diff --git a/aux/broctl b/aux/broctl index 3e3ada3c2e..2b35d03313 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 3e3ada3c2efebeda1278b8897859dd7c7d61e671 +Subproject commit 2b35d0331366865fbf0119919cc9692d55c4538c diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 318a014a19..b635360ac9 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -451,7 +451,7 @@ set(bro_SRCS plugin/Plugin.cc analyzer/Analyzer.cc - analyzer/BuiltinAnalyzers.cc + analyzer/BuiltInAnalyzers.cc analyzer/Manager.cc analyzer/PluginComponent.cc analyzer/Tag.cc diff --git a/src/RuleAction.h b/src/RuleAction.h index f4c2ae4cfa..ec7e5c3735 100644 --- a/src/RuleAction.h +++ b/src/RuleAction.h @@ -5,7 +5,7 @@ #include "List.h" #include "util.h" -#include "analyzer/tag.h" +#include "analyzer/Tag.h" class Rule; class RuleEndpointState; diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index db65670ad6..bc20d208b8 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
@@ -258,10 +258,10 @@ public: void Weird(const char* name, const char* addl = ""); protected: - friend class Connection; friend class AnalyzerTimer; - friend class TCP_ApplicationAnalyzer; friend class Manager; + friend class ::Connection; + friend class ::TCP_ApplicationAnalyzer; // Associates a connection with this analyzer. Must be called if // we're using the default ctor. diff --git a/src/analyzer/BuiltinAnalyzers.cc b/src/analyzer/BuiltInAnalyzers.cc similarity index 100% rename from src/analyzer/BuiltinAnalyzers.cc rename to src/analyzer/BuiltInAnalyzers.cc diff --git a/src/analyzer/BuiltinAnalyzers.h b/src/analyzer/BuiltInAnalyzers.h similarity index 100% rename from src/analyzer/BuiltinAnalyzers.h rename to src/analyzer/BuiltInAnalyzers.h diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index e6143cada6..47a70df716 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -5,10 +5,10 @@ #include -#include "Tag.h" -#include "PluginComponent.h" - #include "Analyzer.h" +#include "PluginComponent.h" +#include "Tag.h" + #include "../Dict.h" #include "../net_util.h" #include "../IP.h" @@ -112,7 +112,7 @@ public: // as a wildcard for orig. (Cookie is currently unused. Eventually, // we may pass it on to the analyzer). void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, - TransportProto proto, Tag::Tag analyzer, + TransportProto proto, Tag analyzer, double timeout, void* cookie); void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, diff --git a/src/main.cc b/src/main.cc index 08756c1bf3..8bfc9300c4 100644 --- a/src/main.cc +++ b/src/main.cc @@ -56,8 +56,9 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "input/Manager.h" #include "logging/Manager.h" #include "logging/writers/Ascii.h" -#include "analyzer/BuiltinAnalyzers.h" +#include "analyzer/BuiltInAnalyzers.h" #include "analyzer/Manager.h" +#include "analyzer/Tag.h" #include "plugin/Manager.h" #include "binpac_bro.h" 
diff --git a/src/scan.l b/src/scan.l index 6a649fb93b..faa831ea93 100644 --- a/src/scan.l +++ b/src/scan.l @@ -26,7 +26,7 @@ #include "RE.h" #include "Net.h" -#include "analyzer/analyzer.h" +#include "analyzer/Analyzer.h" extern YYLTYPE yylloc; // holds start line and column of token extern int print_loaded_scripts; From 2be985433c23127cc0d129e10935ec8d7b84f751 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Tue, 26 Mar 2013 13:57:17 -0700 Subject: [PATCH 03/70] Test-suite passes. All tests pass with one exception: some Broxygen tests are broken because dpd_config doesn't exist anymore. Need to update the mechanism for auto-documenting well-known ports. --- doc/scripts/DocSourcesList.cmake | 2 ++ doc/scripts/example.bro | 12 +++++++----- scripts/base/frameworks/analyzer/main.bro | 8 ++++++++ scripts/base/protocols/dns/main.bro | 2 ++ .../policy/frameworks/dpd/detect-protocols.bro | 12 ++++++------ src/RuleAction.cc | 6 ++++++ src/analyzer/Analyzer.cc | 15 ++++++++++----- src/analyzer/Analyzer.h | 3 ++- src/analyzer/Manager.cc | 14 ++++++++------ src/analyzer/Manager.h | 4 ++-- src/analyzer/PluginComponent.h | 2 +- .../canonified_loaded_scripts.log | 7 +++++-- .../canonified_loaded_scripts.log | 7 +++++-- .../Baseline/istate.events-ssl/events.rec.log | 1 - .../Baseline/istate.events-ssl/events.snd.log | 1 - .../Baseline/istate.events-ssl/receiver.http.log | 6 +++--- .../Baseline/istate.events-ssl/sender.http.log | 6 +++--- .../btest/Baseline/istate.events/events.rec.log | 1 - .../btest/Baseline/istate.events/events.snd.log | 1 - .../Baseline/istate.events/receiver.http.log | 6 +++--- .../btest/Baseline/istate.events/sender.http.log | 6 +++--- .../btest/Baseline/signatures.dpd/dpd-ipv4.out | 4 +--- .../btest/Baseline/signatures.dpd/dpd-ipv6.out | 4 +--- .../btest/Baseline/signatures.dpd/nosig-ipv4.out | 4 +--- .../btest/Baseline/signatures.dpd/nosig-ipv6.out | 4 +--- testing/btest/bifs/analyzer_name.bro | 4 ++-- testing/btest/core/tunnels/gtp/non_recursive.test | 2 +- testing/btest/signatures/dpd.bro | 2 +- 28 files changed, 84 insertions(+), 62 deletions(-) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 117430223e..af8f2de94b 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
@@ -16,6 +16,7 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal) rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) @@ -24,6 +25,7 @@ rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) +rest_target(${psd} base/frameworks/analyzer/main.bro) rest_target(${psd} base/frameworks/cluster/main.bro) rest_target(${psd} base/frameworks/cluster/nodes/manager.bro) rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro) diff --git a/doc/scripts/example.bro b/doc/scripts/example.bro index 9f6f656ee1..4e2f533226 100644 --- a/doc/scripts/example.bro +++ b/doc/scripts/example.bro @@ -54,11 +54,13 @@ global example_ports = { 443/tcp, 562/tcp, } &redef; -# redefinitions of "dpd_config" are self-documenting and -# go into the generated doc's "Port Analysis" section -redef dpd_config += { - [ANALYZER_SSL] = [$ports = example_ports] -}; + +event bro_init() + { + # Registering a well-known port is self-documenting and + # go into the generated doc's "Port Analysis" section + Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, example_ports); + } # redefinitions of "Notice::Type" are self-documenting, but # more information can be supplied in two different ways diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index b93ebcba24..d2f2b3172b 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro 
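Review bot: the new comment in example.bro reads "Registering a well-known port is self-documenting and go into the generated doc's ..."; it should be "goes into". Since this file exists to show Broxygen output, its comments are worth keeping clean.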
@@ -20,6 +20,9 @@ export { ## XXX. global registered_ports: function(tag: Analyzer::Tag) : set[port]; + ## XXX + global all_registered_ports: function() : table[Analyzer::Tag] of set[port]; + ## Translate an analyzer type to an ASCII string. ## ## atype: The analyzer tag. @@ -106,6 +109,11 @@ function registered_ports(tag: Analyzer::Tag) : set[port] return tag in ports ? ports[tag] : set(); } +function all_registered_ports(): table[Analyzer::Tag] of set[port] + { + return ports; + } + function name(atype: Analyzer::Tag) : string { return __name(atype); diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 66cdbc6241..6279ba4dab 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -126,6 +126,8 @@ event bro_init() &priority=5 { Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]); + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_tcp_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_udp_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports); Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports); } diff --git a/scripts/policy/frameworks/dpd/detect-protocols.bro b/scripts/policy/frameworks/dpd/detect-protocols.bro index c45486b776..d50e4599ed 100644 --- a/scripts/policy/frameworks/dpd/detect-protocols.bro +++ b/scripts/policy/frameworks/dpd/detect-protocols.bro @@ -70,7 +70,7 @@ export { } # Table that tracks currently active dynamic analyzers per connection. -global conns: table[conn_id] of set[count]; +global conns: table[conn_id] of set[Analyzer::Tag]; # Table of reports by other analyzers about the protocol used in a connection. global protocols: table[conn_id] of set[string]; 
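Review bot: `all_registered_ports` is exported with a `## XXX` placeholder in place of documentation; please describe what it returns before this lands, since exported framework functions are picked up by Broxygen. Note also that it returns the framework's own `ports` table rather than a copy, so callers can add or remove registrations without going through `register_for_ports`; if that is not intended, either document it or return a copy.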
@@ -80,7 +80,7 @@ type protocol : record { sub: string; # "sub-protocols" reported by other sources }; -function get_protocol(c: connection, a: count) : protocol +function get_protocol(c: connection, a: Analyzer::Tag) : protocol { local str = ""; if ( c$id in protocols ) @@ -97,7 +97,7 @@ function fmt_protocol(p: protocol) : string return p$sub != "" ? fmt("%s (via %s)", p$sub, p$a) : p$a; } -function do_notice(c: connection, a: count, d: dir) +function do_notice(c: connection, a: Analyzer::Tag, d: dir) { if ( d == BOTH ) return; @@ -113,7 +113,7 @@ function do_notice(c: connection, a: count, d: dir) NOTICE([$note=Protocol_Found, $msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p), - $sub=s, $conn=c, $n=a]); + $sub=s, $conn=c]); # We report multiple Server_Found's per host if we find a new # sub-protocol. @@ -129,7 +129,7 @@ function do_notice(c: connection, a: count, d: dir) NOTICE([$note=Server_Found, $msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s, c$id$resp_p, (known ? " (update)" : "")), - $p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h, $n=a]); + $p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h]); if ( ! known ) servers[c$id$resp_h, c$id$resp_p, p$a] = set(); @@ -214,7 +214,7 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) } } -function found_protocol(c: connection, analyzer: Analyzer::tag, protocol: string) +function found_protocol(c: connection, atype: Analyzer::Tag, protocol: string) { # Don't report anything running on a well-known port. if ( c$id$resp_p in Analyzer::registered_ports(atype) ) diff --git a/src/RuleAction.cc b/src/RuleAction.cc index 808bead3d8..c0a4809c88 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc 
@@ -42,10 +42,16 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer) string arg = str.substr(0, pos); analyzer = analyzer_mgr->GetAnalyzerTag(arg); + if ( ! analyzer ) + reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str()); + if ( pos != string::npos ) { arg = str.substr(pos + 1); child_analyzer = analyzer_mgr->GetAnalyzerTag(arg); + + if ( ! child_analyzer ) + reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str()); } else child_analyzer = analyzer::Tag::ERROR; diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index ca15ad56e1..6ef67eb497 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -41,15 +41,20 @@ void AnalyzerTimer::Init(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, analyzer::ID Analyzer::id_counter = 0;; +const string& Analyzer::GetAnalyzerName() const + { + return analyzer_mgr->GetAnalyzerName(tag); + } + bool Analyzer::IsAnalyzer(const char* name) { - return analyzer_mgr->GetAnalyzerName(Tag()) == name; + return analyzer_mgr->GetAnalyzerName(tag) == name; } // Used in debugging output. static string fmt_analyzer(Analyzer* a) { - return analyzer_mgr->GetAnalyzerName(a->GetTag()) + fmt("[%d]", a->GetID()); + return a->GetAnalyzerName() + fmt("[%d]", a->GetID()); } Analyzer::Analyzer(const char* name, Connection* arg_conn) @@ -320,7 +325,7 @@ void Analyzer::ForwardEndOfData(bool orig) void Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init) { - if ( HasChildAnalyzer(analyzer->GetTag()) ) + if ( HasChildAnalyzer(analyzer->GetAnalyzerTag()) ) { analyzer->Done(); delete analyzer; 
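Review bot: in the RuleAction.cc hunk, after `reporter->Warning(...)` the constructor carries on and stores the error tag, so a rule whose analyzer name is misspelled loads cleanly and simply never attaches anything. A bad analyzer name in a signature is a configuration mistake rather than a runtime condition, so consider `reporter->Error` (or failing the rule) instead of a warning.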
@@ -381,7 +386,7 @@ void Analyzer::RemoveChildAnalyzer(ID id) LOOP_OVER_CHILDREN(i) if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) ) { - DBG_LOG(DBG_DPD, "%s disabling child %s", analyzer_mgr->GetAnalyzerName(GetTag()).c_str(), id, + DBG_LOG(DBG_DPD, "%s disabling child %s", GetAnalyzerName().c_str(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()); // See comment above. (*i)->removing = true; @@ -460,7 +465,7 @@ void Analyzer::DeleteChild(analyzer_list::iterator i) void Analyzer::AddSupportAnalyzer(SupportAnalyzer* analyzer) { - if ( HasSupportAnalyzer(analyzer->GetTag(), analyzer->IsOrig()) ) + if ( HasSupportAnalyzer(analyzer->GetAnalyzerTag(), analyzer->IsOrig()) ) { DBG_LOG(DBG_DPD, "%s already has %s %s", fmt_analyzer(this).c_str(), diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index bc20d208b8..704c131bca 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -140,7 +140,8 @@ public: bool IsFinished() const { return finished; } - Tag GetTag() const { return tag; } + Tag GetAnalyzerTag() const { return tag; } + const string& GetAnalyzerName() const; bool IsAnalyzer(const char* name); // Management of the tree. diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index b2d35215f3..78c086d409 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -316,10 +316,12 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) return a; } -string Manager::GetAnalyzerName(Tag tag) +const string& Manager::GetAnalyzerName(Tag tag) { + static string error = ""; + if ( ! tag ) - return ""; + return error; PluginComponent* c = Lookup(tag); @@ -329,7 +331,7 @@ string Manager::GetAnalyzerName(Tag tag) return c->Name(); } -string Manager::GetAnalyzerName(Val* val) +const string& Manager::GetAnalyzerName(Val* val) { return GetAnalyzerName(Tag(val->AsEnumVal())); } 
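Review bot: the changed `DBG_LOG(DBG_DPD, "%s disabling child %s", GetAnalyzerName().c_str(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());` line in Analyzer::RemoveChildAnalyzer has two `%s` conversions but four arguments, and the second `%s` receives `id` (an integer), so with DPD debugging enabled this reads an integer as a `char*`. Since the line is being touched anyway, fix the format to match the arguments, e.g. `"%s disabling child %d (%s -> %s)"` with the four values in that order, or drop the redundant name/id arguments.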
@@ -354,13 +356,13 @@ EnumType* Manager::GetTagEnumType() PluginComponent* Manager::Lookup(const string& name) { - analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); return i != analyzers_by_name.end() ? i->second : 0; } PluginComponent* Manager::Lookup(const char* name) { - analyzer_map_by_name::const_iterator i = analyzers_by_name.find(name); + analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); return i != analyzers_by_name.end() ? i->second : 0; } @@ -598,7 +600,7 @@ bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, { if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. - udp->AddChildAnalyzer(new ConnSize_Analyzer(conn)); + root->AddChildAnalyzer(new ConnSize_Analyzer(conn)); } if ( pia ) diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 47a70df716..ceca74bf0c 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -88,8 +88,8 @@ public: Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled. - string GetAnalyzerName(Tag tag); - string GetAnalyzerName(Val* val); + const string& GetAnalyzerName(Tag tag); + const string& GetAnalyzerName(Val* val); Tag GetAnalyzerTag(const string& name); // Tag::ERROR when not known. Tag GetAnalyzerTag(const char* name); // Tag::ERROR when not known. diff --git a/src/analyzer/PluginComponent.h b/src/analyzer/PluginComponent.h index 6db5aaf994..baad63f9f8 100644 --- a/src/analyzer/PluginComponent.h +++ b/src/analyzer/PluginComponent.h 
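Review bot: both `Manager::Lookup` overloads now search `analyzers_by_name` with `to_upper(name)`, but the registration side that fills the map is not in this hunk; confirm that entries are inserted upper-cased as well, otherwise every lookup (and hence `GetAnalyzerTag` from RuleAction.cc) misses. A short comment on the map declaration stating that keys are upper-cased would make the invariant explicit.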
@@ -25,7 +25,7 @@ public: PluginComponent(std::string name, factory_callback factory, bool enabled, bool partial); PluginComponent(std::string name, Tag::subtype_t subtype, factory_callback factory, bool enabled, bool partial); - std::string Name() const { return name; } + const std::string& Name() const { return name; } factory_callback Factory() const { return factory; } bool Partial() const { return partial; } bool Enabled() const { return enabled; } diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 41209a4084..b476306ae6 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2012-07-20-14-34-11 +#open 2013-03-26-20-58-03 #fields name #types string scripts/base/init-bare.bro @@ -29,5 +29,8 @@ scripts/base/init-bare.bro scripts/base/frameworks/input/./readers/ascii.bro scripts/base/frameworks/input/./readers/raw.bro scripts/base/frameworks/input/./readers/benchmark.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/./main.bro + build/src/base/analyzer.bif.bro scripts/policy/misc/loaded-scripts.bro -#close 2012-07-20-14-34-11 +#close 2013-03-26-20-58-03 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index d9e8ee0703..ddcae1d0eb 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-02-11-18-44-43 +#open 2013-03-26-20-58-16 #fields name #types string scripts/base/init-bare.bro @@ -29,6 +29,9 @@ scripts/base/init-bare.bro scripts/base/frameworks/input/./readers/ascii.bro scripts/base/frameworks/input/./readers/raw.bro scripts/base/frameworks/input/./readers/benchmark.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/./main.bro + build/src/base/analyzer.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/./patterns.bro @@ -119,4 +122,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-02-11-18-44-43 +#close 2013-03-26-20-58-16 diff --git a/testing/btest/Baseline/istate.events-ssl/events.rec.log b/testing/btest/Baseline/istate.events-ssl/events.rec.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events-ssl/events.rec.log +++ b/testing/btest/Baseline/istate.events-ssl/events.rec.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events-ssl/events.snd.log b/testing/btest/Baseline/istate.events-ssl/events.snd.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events-ssl/events.snd.log +++ b/testing/btest/Baseline/istate.events-ssl/events.snd.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events-ssl/receiver.http.log b/testing/btest/Baseline/istate.events-ssl/receiver.http.log index 3fc7f1b66f..5b56c38e66 100644 --- a/testing/btest/Baseline/istate.events-ssl/receiver.http.log +++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-03 +#open 2013-03-26-21-06-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749182.906082 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-04 +1364331986.091724 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-27 diff --git a/testing/btest/Baseline/istate.events-ssl/sender.http.log b/testing/btest/Baseline/istate.events-ssl/sender.http.log index 3fc7f1b66f..5b56c38e66 100644 --- a/testing/btest/Baseline/istate.events-ssl/sender.http.log +++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-03 +#open 2013-03-26-21-06-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749182.906082 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-04 +1364331986.091724 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-27 diff --git a/testing/btest/Baseline/istate.events/events.rec.log b/testing/btest/Baseline/istate.events/events.rec.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events/events.rec.log +++ b/testing/btest/Baseline/istate.events/events.rec.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events/events.snd.log b/testing/btest/Baseline/istate.events/events.snd.log index 04993fb84a..8c7f4f621c 100644 --- a/testing/btest/Baseline/istate.events/events.snd.log +++ b/testing/btest/Baseline/istate.events/events.snd.log @@ -8,7 +8,6 @@ http_all_headers http_content_type http_end_entity http_message_done -http_signature_found http_reply http_begin_entity http_header diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log index 6862c08b98..2863571349 100644 --- a/testing/btest/Baseline/istate.events/receiver.http.log 
+++ b/testing/btest/Baseline/istate.events/receiver.http.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-12 +#open 2013-03-26-21-06-18 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749191.765740 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-13 +1364331977.210008 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-19 diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log index 6862c08b98..484eb11f11 100644 --- a/testing/btest/Baseline/istate.events/sender.http.log +++ b/testing/btest/Baseline/istate.events/sender.http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2012-07-20-01-53-12 +#open 2013-03-26-21-06-17 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1342749191.765740 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - -#close 2012-07-20-01-53-13 +1364331977.210008 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - - +#close 2013-03-26-21-06-18 diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out index abb41f330c..d9f5126aab 100644 --- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out @@ -1,6 +1,4 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_request 141.142.220.235:50003 - USER anonymous diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out index a2227ee890..f26ff25291 100644 --- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out +++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out 
@@ -1,6 +1,4 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready. ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out index 55566505d8..1b3be8e060 100644 --- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out +++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out @@ -1,3 +1 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out index 55566505d8..1b3be8e060 100644 --- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out +++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out @@ -1,3 +1 @@ -dpd_config, { - -} +|Analyzer::all_registered_ports()|, 0 diff --git a/testing/btest/bifs/analyzer_name.bro b/testing/btest/bifs/analyzer_name.bro index 9297d2ca27..266d1c159f 100644 --- a/testing/btest/bifs/analyzer_name.bro +++ b/testing/btest/bifs/analyzer_name.bro @@ -4,6 +4,6 @@ event bro_init() { - local a = 1; - print analyzer_name(a); + local a = Analyzer::ANALYZER_PIA_TCP; + print Analyzer::name(a); } diff --git a/testing/btest/core/tunnels/gtp/non_recursive.test b/testing/btest/core/tunnels/gtp/non_recursive.test index d44bfce79d..0b03c0d6ae 100644 --- a/testing/btest/core/tunnels/gtp/non_recursive.test +++ b/testing/btest/core/tunnels/gtp/non_recursive.test 
@@ -5,7 +5,7 @@ # So if we find inside a GTP tunnel anohter IP/UDP packet with port 2152, # it is just a UDP packet, but not another GTP tunnel. -event protocol_violation(c: connection, atype: count, aid: count, reason: string) +event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) { print "protocol_violation", c$id, reason; } diff --git a/testing/btest/signatures/dpd.bro b/testing/btest/signatures/dpd.bro index d6ae02cb50..a311ae3bd3 100644 --- a/testing/btest/signatures/dpd.bro +++ b/testing/btest/signatures/dpd.bro @@ -33,7 +33,7 @@ signature my_ftp_server { event bro_init() { # no analyzer attached to any port by default, depends entirely on sigs - print "dpd_config", dpd_config; + print "|Analyzer::all_registered_ports()|", |Analyzer::all_registered_ports()|; } event signature_match(state: signature_state, msg: string, data: string) From 19c1816ebb20d574255b9c1bf2ee6cdb5f162de5 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Thu, 28 Mar 2013 21:47:44 -0700 Subject: [PATCH 04/70] Infrastructure for modularizing protocol analyzers. There's now a new directory "src/protocols/", and the plan is for each protocol analyzer to eventually have its own subdirectory in there that contains everything it defines (C++/pac/bif). The infrastructure to make that happen is in place, and two analyzers have been converted to the new model, HTTP and SSL; there's no further HTTP/SSL-specific code anywhere else in the core anymore (I believe :-) Further changes: - -N lists available plugins, -NN lists more details on what these plugins provide (analyzers, bif elements). (The latter does not work for analyzers that haven't been converted yet). - *.bif.bro files now go into scripts/base/bif/; and scripts/base/bif/plugins/ for bif files provided by plugins. - I've factored out the bifcl/binpac CMake magic from src/CMakeLists.txt to cmake/{BifCl,Binpac} - There's a new cmake/BroPlugin that contains magic to allow plugins to have a simple CMakeLists.txt. The hope is that eventually the same CMakeLists.txt can be used for compiling a plugin either statically or dynamically. - bifcl has a new option -c that changes the code it generates so that it can be used with a plugin. TODOs: - "make install" is probably broken. - Broxygen is probably broken for plugin-defined events. - event groups are broken (do we want to keep them?) 
--- bro-path-dev.in | 2 +- cmake | 2 +- scripts/base/frameworks/analyzer/main.bro | 2 +- scripts/base/frameworks/input/main.bro | 2 +- scripts/base/frameworks/logging/main.bro | 2 +- scripts/base/init-bare.bro | 14 +- src/CMakeLists.txt | 101 ++--- src/EventRegistry.cc | 4 +- src/FTP.cc | 13 +- src/Gnutella.cc | 7 +- src/Sessions.cc | 1 - src/analyzer/Manager.cc | 6 + src/analyzer/Manager.h | 3 +- src/bro-bif.h | 11 + src/bro.bif | 54 --- src/builtin-func.l | 151 +++++- src/builtin-func.y | 35 +- src/event.bif | 428 ------------------ src/main.cc | 32 +- src/plugin/Component.cc | 1 - src/plugin/Macros.h | 42 ++ src/plugin/Manager.cc | 47 +- src/plugin/Manager.h | 16 +- src/plugin/Plugin.cc | 80 +++- src/plugin/Plugin.h | 28 +- .../BuiltInAnalyzers.cc | 18 +- .../BuiltInAnalyzers.h | 0 src/protocols/CMakeLists.txt | 3 + src/protocols/http/CMakeLists.txt | 11 + src/{ => protocols/http}/HTTP.cc | 9 + src/{ => protocols/http}/HTTP.h | 2 + src/protocols/http/events.bif | 232 ++++++++++ src/protocols/http/functions.bif | 56 +++ src/protocols/ssl/CMakeLists.txt | 10 + src/protocols/ssl/Plugin.cc | 10 + src/{ => protocols/ssl}/SSL.cc | 1 + src/{ => protocols/ssl}/SSL.h | 2 + src/protocols/ssl/events.bif | 195 ++++++++ src/{ => protocols/ssl}/ssl-analyzer.pac | 0 src/{ => protocols/ssl}/ssl-defs.pac | 0 src/{ => protocols/ssl}/ssl-protocol.pac | 0 src/{ => protocols/ssl}/ssl.pac | 4 + src/{ => protocols/unused}/HTTP-binpac.cc | 0 src/{ => protocols/unused}/HTTP-binpac.h | 0 44 files changed, 974 insertions(+), 663 deletions(-) create mode 100644 src/bro-bif.h create mode 100644 src/plugin/Macros.h rename src/{analyzer => protocols}/BuiltInAnalyzers.cc (91%) rename src/{analyzer => protocols}/BuiltInAnalyzers.h (100%) create mode 100644 src/protocols/CMakeLists.txt create mode 100644 src/protocols/http/CMakeLists.txt rename src/{ => protocols/http}/HTTP.cc (99%) rename src/{ => protocols/http}/HTTP.h (99%) create mode 100644 src/protocols/http/events.bif create mode 100644 
src/protocols/http/functions.bif create mode 100644 src/protocols/ssl/CMakeLists.txt create mode 100644 src/protocols/ssl/Plugin.cc rename src/{ => protocols/ssl}/SSL.cc (99%) rename src/{ => protocols/ssl}/SSL.h (97%) create mode 100644 src/protocols/ssl/events.bif rename src/{ => protocols/ssl}/ssl-analyzer.pac (100%) rename src/{ => protocols/ssl}/ssl-defs.pac (100%) rename src/{ => protocols/ssl}/ssl-protocol.pac (100%) rename src/{ => protocols/ssl}/ssl.pac (94%) rename src/{ => protocols/unused}/HTTP-binpac.cc (100%) rename src/{ => protocols/unused}/HTTP-binpac.h (100%) diff --git a/bro-path-dev.in b/bro-path-dev.in index 81d4f111fc..2c17d057c9 100755 --- a/bro-path-dev.in +++ b/bro-path-dev.in @@ -12,7 +12,7 @@ broPolicies=${BRO_SCRIPT_SOURCE_PATH}:${BRO_SCRIPT_SOURCE_PATH}/policy:${BRO_SCRIPT_SOURCE_PATH}/site -broGenPolicies=${CMAKE_BINARY_DIR}/src +broGenPolicies=${CMAKE_BINARY_DIR}/scripts installedPolicies=${BRO_SCRIPT_INSTALL_PATH}:${BRO_SCRIPT_INSTALL_PATH}/site diff --git a/cmake b/cmake index 94e72a3075..870dd2c240 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 94e72a3075bb0b9550ad05758963afda394bfb2c +Subproject commit 870dd2c240acaee5c2d75da0feb5fd5044177123 diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index d2f2b3172b..ea5ccb727c 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro @@ -59,7 +59,7 @@ export { &redef; } -@load base/analyzer.bif +@load base/bif/analyzer.bif global ports: table[Analyzer::Tag] of set[port]; diff --git a/scripts/base/frameworks/input/main.bro b/scripts/base/frameworks/input/main.bro index 1a05abce71..4de98ea0f2 100644 --- a/scripts/base/frameworks/input/main.bro +++ b/scripts/base/frameworks/input/main.bro @@ -149,7 +149,7 @@ export { global end_of_data: event(name: string, source:string); } -@load base/input.bif +@load base/bif/input.bif module Input; 
diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index 054ad4a30b..05a03ab11d 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro @@ -357,7 +357,7 @@ export { # We keep a script-level copy of all filters so that we can manipulate them. global filters: table[ID, string] of Filter; -@load base/logging.bif # Needs Filter and Stream defined. +@load base/bif/logging.bif # Needs Filter and Stream defined. module Log; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index d8f38ed124..3afabd9ae0 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -1,5 +1,5 @@ -@load base/const.bif -@load base/types.bif +@load base/bif/const.bif.bro +@load base/bif/types.bif # Type declarations @@ -646,9 +646,9 @@ type entropy_test_result: record { }; # Prototypes of Bro built-in functions. -@load base/strings.bif -@load base/bro.bif -@load base/reporter.bif +@load base/bif/strings.bif +@load base/bif/bro.bif +@load base/bif/reporter.bif ## Deprecated. This is superseded by the new logging framework. global log_file_name: function(tag: string): string &redef; @@ -2656,7 +2656,7 @@ export { } module GLOBAL; -@load base/event.bif +@load base/bif/event.bif ## BPF filter the user has set via the -f command line options. Empty if none. const cmd_line_bpf_filter = "" &redef; @@ -3004,3 +3004,5 @@ const snaplen = 8192 &redef; @load base/frameworks/input @load base/frameworks/analyzer +# Load BiF defined by plugins. +@load base/bif/plugins diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index b635360ac9..31192a8757 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
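Review bot: The `@load` paths in the init-bare.bro hunk are inconsistent: `+@load base/bif/const.bif.bro` keeps the `.bro` suffix while every sibling line in the same patch (`+@load base/bif/types.bif`, `+@load base/bif/strings.bif`, `+@load base/bif/event.bif`) drops it. Both spellings resolve to the same file, since `@load foo` looks for `foo.bro`, but the mixed style trips grep-based tooling and readers; use `@load base/bif/const.bif` like the others. The trailing `+@load base/bif/plugins` only works once `bro_plugin_bif_create_loader` (src/CMakeLists.txt hunk in this patch) has written a loader under scripts/base/bif/plugins; say so in the `# Load BiF defined by plugins.` comment so a missing loader is diagnosed at the right place rather than as an opaque load failure.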
@@ -100,45 +100,7 @@ target_link_libraries(bifcl) ######################################################################## ## bifcl-dependent targets -# A macro to define a command that uses the BIF compiler to produce -# C++ segments and Bro language declarations from .bif file -# The outputs are appended to list ALL_BIF_OUTPUTS -# Outputs that should be installed are appended to INSTALL_BIF_OUTPUTS -macro(BIF_TARGET bifInput) - get_bif_output_files(${bifInput} bifOutputs) - add_custom_command(OUTPUT ${bifOutputs} - COMMAND bifcl - ARGS ${CMAKE_CURRENT_SOURCE_DIR}/${bifInput} || (rm -f ${bifOutputs} && exit 1) - # In order be able to run bro from the build directory, - # the generated bro script needs to be inside a - # a directory tree named the same way it will be - # referenced from an @load. - COMMAND "${CMAKE_COMMAND}" - ARGS -E copy ${bifInput}.bro base/${bifInput}.bro - COMMAND "${CMAKE_COMMAND}" - ARGS -E remove -f ${bifInput}.bro - DEPENDS ${bifInput} - DEPENDS bifcl - COMMENT "[BIFCL] Processing ${bifInput}" - ) - list(APPEND ALL_BIF_OUTPUTS ${bifOutputs}) - list(APPEND INSTALL_BIF_OUTPUTS - ${CMAKE_CURRENT_BINARY_DIR}/base/${bifInput}.bro) -endmacro(BIF_TARGET) - -# returns a list of output files that bifcl will produce -# for given input file in ${outputFileVar} -macro(GET_BIF_OUTPUT_FILES inputFile outputFileVar) - set(${outputFileVar} - base/${inputFile}.bro - ${inputFile}.func_def - ${inputFile}.func_h - ${inputFile}.func_init - ${inputFile}.netvar_def - ${inputFile}.netvar_h - ${inputFile}.netvar_init - ) -endmacro(GET_BIF_OUTPUT_FILES) +include(BifCl) set(BIF_SRCS analyzer.bif 
@@ -156,36 +118,18 @@ foreach (bift ${BIF_SRCS}) bif_target(${bift}) endforeach () +add_custom_target(generate_standard_bifs DEPENDS ${ALL_BIF_OUTPUTS}) + ######################################################################## ## BinPAC-dependent targets -set(BINPAC_AUXSRC - binpac.pac - bro.pac - binpac_bro.h -) +include(BinPAC) -# A macro to define a command that uses the BinPac compiler to -# produce C++ code that implements a protocol parser/analyzer -# The outputs of the command are appended to list ALL_BINPAC_OUTPUTS -# All arguments to this macro are appended to list ALL_BINPAC_INPUTS -macro(BINPAC_TARGET pacFile) - get_filename_component(basename ${pacFile} NAME_WE) - add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h - ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc - COMMAND ${BinPAC_EXE} - ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR} - -I ${CMAKE_CURRENT_SOURCE_DIR} - ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile} - DEPENDS ${BinPAC_EXE} ${pacFile} - ${BINPAC_AUXSRC} ${ARGN} - COMMENT "[BINPAC] Processing ${pacFile}" - ) - list(APPEND ALL_BINPAC_INPUTS ${ARGV}) - list(APPEND ALL_BINPAC_OUTPUTS - ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h - ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc) -endmacro(BINPAC_TARGET) +set(BINPAC_AUXSRC + ${CMAKE_SOURCE_DIR}/src/binpac.pac + ${CMAKE_SOURCE_DIR}/src/bro.pac + ${CMAKE_SOURCE_DIR}/src/binpac_bro.h +) binpac_target(binpac-lib.pac) binpac_target(binpac_bro-lib.pac) @@ -206,8 +150,8 @@ binpac_target(dns_tcp.pac dns.pac) binpac_target(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac) -binpac_target(http.pac - http-protocol.pac http-analyzer.pac) +# binpac_target(http.pac +# http-protocol.pac http-analyzer.pac) binpac_target(ncp.pac) binpac_target(netflow.pac netflow-protocol.pac netflow-analyzer.pac) 
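Review bot: In the `@@ -206,8 +150,8 @@` hunk the http.pac rule is commented out (`+# binpac_target(http.pac`, `+#     http-protocol.pac http-analyzer.pac)`) rather than deleted. HTTP now builds from src/protocols/http according to the diffstat, so the dead lines should go; git history keeps them, and commented-out build rules rot and mislead the next person who touches this file. The same applies to the ssl.pac rule in the following hunk. Separately, `+add_custom_target(generate_standard_bifs DEPENDS ${ALL_BIF_OUTPUTS})` is introduced but nothing in these hunks makes the bro target or the plugin subdirectory depend on it; if plugins need the standard bifs generated first (bro-bif.h pulls in headers that the generated netvar code declares), add an explicit `add_dependencies` so parallel builds don't race.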
@@ -215,13 +159,20 @@ binpac_target(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac) binpac_target(socks.pac socks-protocol.pac socks-analyzer.pac) -binpac_target(ssl.pac - ssl-defs.pac ssl-protocol.pac ssl-analyzer.pac) +# binpac_target(ssl.pac +# ssl-defs.pac ssl-protocol.pac ssl-analyzer.pac) binpac_target(syslog.pac syslog-protocol.pac syslog-analyzer.pac) binpac_target(modbus.pac modbus-protocol.pac modbus-analyzer.pac) +######################################################################## +## Including plug-ins that are compiled in statically. +######################################################################## + +set(bro_PLUGIN_OBJECT_LIBS CACHE INTERNAL "plugin object libraries" FORCE) +add_subdirectory(protocols) + ######################################################################## ## bro target @@ -334,8 +285,6 @@ set(bro_SRCS Func.cc Gnutella.cc GTPv1.cc - HTTP.cc - HTTP-binpac.cc Hash.cc ICMP.cc ID.cc @@ -390,7 +339,6 @@ set(bro_SRCS SMTP.cc SOCKS.cc SSH.cc - SSL.cc Scope.cc SerializationFormat.cc SerialObj.cc @@ -451,18 +399,19 @@ set(bro_SRCS plugin/Plugin.cc analyzer/Analyzer.cc - analyzer/BuiltInAnalyzers.cc analyzer/Manager.cc analyzer/PluginComponent.cc analyzer/Tag.cc + protocols/BuiltInAnalyzers.cc + nb_dns.c digest.h ) collect_headers(bro_HEADERS ${bro_SRCS}) -add_executable(bro ${bro_SRCS} ${bro_HEADERS}) +add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_PLUGIN_OBJECT_LIBS}) target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT}) @@ -471,3 +420,7 @@ install(FILES ${INSTALL_BIF_OUTPUTS} DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base set(BRO_EXE bro CACHE STRING "Bro executable binary" FORCE) + +include(BroPlugin) +bro_plugin_bif_create_loader(bif_loader ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins) +add_dependencies(bro bif_loader) diff --git a/src/EventRegistry.cc b/src/EventRegistry.cc index 4d29c5d95f..f51f624833 100644 --- a/src/EventRegistry.cc +++ b/src/EventRegistry.cc 
@@ -87,9 +87,11 @@ void EventRegistry::PrintDebug() void EventRegistry::SetGroup(const char* name, const char* group) { + return; // FIXME. THis triggers the error below for plugin events. + EventHandler* eh = Lookup(name); if ( ! eh ) - reporter->InternalError("unknown event handler in SetGroup()"); + reporter->InternalError("unknown event handler %s in SetGroup()", name); eh->SetGroup(group); } diff --git a/src/FTP.cc b/src/FTP.cc index 5430b9e754..a0cc25292c 100644 --- a/src/FTP.cc +++ b/src/FTP.cc @@ -8,8 +8,8 @@ #include "FTP.h" #include "NVT.h" #include "Event.h" -#include "SSL.h" #include "Base64.h" +#include "analyzer/Manager.h" FTP_Analyzer::FTP_Analyzer(Connection* conn) : TCP_ApplicationAnalyzer("FTP", conn) @@ -154,10 +154,13 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) // Server wants to proceed with an ADAT exchange and we // know how to analyze the GSI mechanism, so attach analyzer // to look for that. - SSL_Analyzer* ssl = new SSL_Analyzer(Conn()); - ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), true)); - ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), false)); - AddChildAnalyzer(ssl); + Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn()); + if ( ssl ) + { + ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), true)); + ssl->AddSupportAnalyzer(new FTP_ADAT_Analyzer(Conn(), false)); + AddChildAnalyzer(ssl); + } } vl->append(new Val(reply_code, TYPE_COUNT)); diff --git a/src/Gnutella.cc b/src/Gnutella.cc index 6c8d4ee3f6..9cfab4ff1a 100644 --- a/src/Gnutella.cc +++ b/src/Gnutella.cc @@ -7,10 +7,10 @@ #include #include "NetVar.h" -#include "HTTP.h" #include "Gnutella.h" #include "Event.h" #include "PIA.h" +#include "analyzer/Manager.h" GnutellaMsgState::GnutellaMsgState() { 
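Review bot: The unconditional `+	return; // FIXME. THis triggers the error below for plugin events.` at the top of EventRegistry::SetGroup() makes the rest of the function dead code, so `&group=` attributes on every event (not only plugin-provided ones) are now silently ignored, and the improved `reporter->InternalError("unknown event handler %s in SetGroup()", name)` line directly below it can never execute. If plugin events are registered after SetGroup() runs, the fix is ordering (or having Lookup() failures for not-yet-registered handlers return quietly instead of raising InternalError), not disabling the feature; at minimum restrict the early return to the plugin case so built-in events keep their groups, and fix the "THis" typo. In the FTP.cc hunk of the same region, the new `if ( ssl )` guard quietly drops the ADAT/GSI analysis whenever InstantiateAnalyzer("SSL", ...) returns null; a Weird or debug message there would make the missing analysis visible to an operator instead of looking like a connection with nothing of interest.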
@@ -129,9 +129,10 @@ int Gnutella_Analyzer::IsHTTP(string header) ConnectionEvent(gnutella_http_notify, vl); } - if ( HTTP_Analyzer::Available() ) + analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn()); + + if ( a ) { - analyzer::Analyzer* a = new HTTP_Analyzer(Conn()); Parent()->AddChildAnalyzer(a); if ( Parent()->IsAnalyzer("TCP") ) diff --git a/src/Sessions.cc b/src/Sessions.cc index f18d12ef90..7586899e14 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -20,7 +20,6 @@ #include "UDP.h" #include "DNS-binpac.h" -#include "HTTP-binpac.h" #include "SteppingStone.h" #include "BackDoor.h" diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 78c086d409..060595aea2 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -316,6 +316,12 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) return a; } +Analyzer* Manager::InstantiateAnalyzer(const char* name, Connection* conn) + { + Tag tag = GetAnalyzerTag(name); + return tag ? InstantiateAnalyzer(tag, conn) : 0; + } + const string& Manager::GetAnalyzerName(Tag tag) { static string error = ""; diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index ceca74bf0c..33b27ed38a 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -86,7 +86,8 @@ public: bool UnregisterAnalyzerForPort(EnumVal* tag, PortVal* port); bool UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); - Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled. + Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled or not available. + Analyzer* InstantiateAnalyzer(const char* name, Connection* c); // Null if disabled or not available. const string& GetAnalyzerName(Tag tag); const string& GetAnalyzerName(Val* val); diff --git a/src/bro-bif.h b/src/bro-bif.h new file mode 100644 index 0000000000..24312e4753 --- /dev/null +++ b/src/bro-bif.h 
@@ -0,0 +1,11 @@ + +#ifndef BRO_BIF_H +#define BRO_BIF_H + +// Headers to include by generated BiF code. +#include "analyzer/Analyzer.h" +#include "Conn.h" +#include "NetVar.h" +#include "Event.h" + +#endif diff --git a/src/bro.bif b/src/bro.bif index 4c88a7dd77..9b3eb946e2 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -3327,8 +3327,6 @@ function lookup_connection%(cid: conn_id%): connection %} %%{ -#include "HTTP.h" - const char* conn_id_string(Val* c) { Val* id = (*(c->AsRecord()))[0]; 
@@ -3344,58 +3342,6 @@ const char* conn_id_string(Val* c) } %%} -## Skips the data of the HTTP entity. -## -## c: The HTTP connection. -## -## is_orig: If true, the client data is skipped, and the server data otherwise. -## -## .. bro:see:: skip_smtp_data -function skip_http_entity_data%(c: connection, is_orig: bool%): any - %{ - analyzer::ID id = mgr.CurrentAnalyzer(); - if ( id ) - { - analyzer::Analyzer* ha = c->FindAnalyzer(id); - - if ( ha ) - { - if ( ha->IsAnalyzer("HTTP") ) - static_cast(ha)->SkipEntityData(is_orig); - else - reporter->Error("non-HTTP analyzer associated with connection record"); - } - else - reporter->Error("could not find analyzer for skip_http_entity_data"); - - } - else - reporter->Error("no analyzer associated with connection record"); - - return 0; - %} - -## Unescapes all characters in a URI (decode every ``%xx`` group). -## -## URI: The URI to unescape. -## -## Returns: The unescaped URI with all ``%xx`` groups decoded. -## -## .. note:: -## -## Unescaping reserved characters may cause loss of information. RFC 2396: -## A URI is always in an "escaped" form, since escaping or unescaping a -## completed URI might change its semantics. Normally, the only time -## escape encodings can safely be made is when the URI is being created -## from its component parts. -function unescape_URI%(URI: string%): string - %{ - const u_char* line = URI->Bytes(); - const u_char* const line_end = line + URI->Len(); - - return new StringVal(unescape_URI(line, line_end, 0)); - %} - ## Writes the current packet to a file. ## ## file_name: The name of the file to write the packet to. diff --git a/src/builtin-func.l b/src/builtin-func.l index 9baeb1a9f9..ec60f1c7ec 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l 
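Review bot: Removing `unescape_URI` from bro.bif in the `@@ -3344,58 +3342,6 @@` hunk moves a general-purpose string helper behind the HTTP plugin's bif (presumably the new src/protocols/http/functions.bif listed in the diffstat). Unlike `skip_http_entity_data`, which genuinely needs the HTTP analyzer, `unescape_URI` only calls the C++ `unescape_URI(line, line_end, 0)` on its string argument and is usable from any script; scripts that call it without loading base/bif/plugins will now fail to parse. Keep it in bro.bif (or strings.bif) and move only the analyzer-specific function.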
@@ -27,7 +27,7 @@ int check_c_mode(int t) WS [ \t]+ /* Note, bifcl only accepts a single "::" in IDs while the policy - layer acceptes multiple. (But the policy layer doesn't have + layer acceptes multiple. (But the policy layer doesn't have a hierachy. */ IDCOMPONENT [A-Za-z_][A-Za-z_0-9]* ID {IDCOMPONENT}(::{IDCOMPONENT})? @@ -137,6 +137,8 @@ int yywrap() extern int yyparse(); char* input_filename = 0; +char* input_filename_with_path = 0; +char* plugin = 0; FILE* fp_bro_init = 0; FILE* fp_func_def = 0; 
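Review bot: The `@@ -27,7 +27,7 @@` hunk rewrites the comment line only to change whitespace yet leaves the typos "acceptes" and "hierachy" in place; fix them while the line is being touched. The new globals `+char* input_filename_with_path = 0;` and `+char* plugin = 0;` are defined in the scanner and consumed from the parser via `extern`; a one-line comment stating what `plugin` holds (the plugin namespace name passed with -p, used both as a mode switch and in the generated `namespace plugin { namespace %s {`) would help, since the name reads like a boolean.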
@@ -168,15 +170,108 @@ FILE* open_output_file(const char* surfix) return fp; } +void usage() + { + fprintf(stderr, "usage: bifcl [-p] *.bif\n"); + exit(1); + } + +void init_plugin_mode() + { + fp_bro_init = open_output_file("bro"); + fp_func_h = open_output_file("h"); + fp_func_def = open_output_file("cc"); + fp_func_init = open_output_file("init.cc"); + + fp_netvar_h = fp_func_h; + fp_netvar_def = fp_func_def; + fp_netvar_init = fp_func_init; + + int n = 1024 + strlen(input_filename); + char auto_gen_comment[n]; + + snprintf(auto_gen_comment, n, + "This file was automatically generated by bifcl from %s (plugin mode).", + input_filename_with_path); + + fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); + fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); + fprintf(fp_func_h, "// %s\n\n", auto_gen_comment); + fprintf(fp_func_init, "// %s\n\n", auto_gen_comment); + + static char guard[1024]; + getcwd(guard, sizeof(guard)); + strncat(guard, "/", sizeof(guard)); + strncat(guard, input_filename, sizeof(guard)); + + for ( char* p = guard; *p; p++ ) + { + if ( strchr("/.", *p) ) + *p = '_'; + } + + fprintf(fp_func_h, "#ifndef %s\n", guard); + fprintf(fp_func_h, "#define %s\n", guard); + fprintf(fp_func_h, "\n"); + fprintf(fp_func_h, "#include \"bro-bif.h\"\n"); + + fprintf(fp_func_def, "\n"); + fprintf(fp_func_def, "#include \"%s.h\"\n", input_filename); + fprintf(fp_func_def, "\n"); + + static char name[1024]; + strncpy(name, input_filename, sizeof(name)); + char* dot = strchr(name, '.'); + if ( dot ) + *dot = '\0'; + + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "#include \n"); + fprintf(fp_func_init, "#include \n"); + fprintf(fp_func_init, "#include \"%s.h\"\n", input_filename); + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "namespace plugin { namespace %s {\n", plugin); + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "std::list > __bif_%s_init()\n", name); + fprintf(fp_func_init, "\t{\n"); + fprintf(fp_func_init, "\tstd::list > bifs;\n"); + 
fprintf(fp_func_init, "\n"); + } + +void finish_plugin_mode() + { + fprintf(fp_func_h, "\n"); + fprintf(fp_func_h, "#endif\n"); + + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "\treturn bifs;\n"); + fprintf(fp_func_init, "\t}\n"); + fprintf(fp_func_init, "} }\n"); + fprintf(fp_func_init, "\n"); + } int main(int argc, char* argv[]) { - for ( int i = 1; i < argc; i++ ) + char opt; + + while ( (opt = getopt(argc, argv, "p:")) != -1 ) + { + switch ( opt ) { + case 'p': + plugin = optarg; + break; + + default: + usage(); + } + } + + for ( int i = optind; i < argc; i++ ) { FILE* fp_input; char* slash; - input_filename = argv[i]; + input_filename = input_filename_with_path = argv[i]; slash = strrchr(input_filename, '/'); if ( (fp_input = fopen(input_filename, "r")) == NULL ) 
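Review bot: Several defects in the new init_plugin_mode()/main() code of this hunk. `+	char opt;` followed by `+	while ( (opt = getopt(argc, argv, "p:")) != -1 )` stores getopt()'s int result in a char; on targets where char is unsigned (ARM Linux, or any build with -funsigned-char) the comparison with -1 never succeeds and the loop never ends; declare `int opt`. `strncat(guard, "/", sizeof(guard))` and `strncat(guard, input_filename, sizeof(guard))` pass the total buffer size as the count, but strncat's third argument is the maximum number of bytes to append, so a long working directory plus file name overruns `guard`; use `sizeof(guard) - strlen(guard) - 1` for each call or build the string with a bounds-checked snprintf, and check the return value of `getcwd(guard, sizeof(guard))`, which is currently ignored. `strncpy(name, input_filename, sizeof(name))` leaves `name` unterminated when the input is 1024 bytes or longer. The include-guard sanitiser `if ( strchr("/.", *p) )` only rewrites slashes and dots, so a build directory containing `-` or another character that is illegal in an identifier yields an `#ifndef` line that does not compile; rewrite every non-alphanumeric character instead. Finally, `usage()` prints `bifcl [-p] *.bif` although the option string `"p:"` requires an argument (`-p <plugin>`), and the commit message calls the option -c; align the three.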
@@ -189,17 +284,41 @@ int main(int argc, char* argv[]) if ( slash ) input_filename = slash + 1; - fp_bro_init = open_output_file("bro"); - fp_func_h = open_output_file("func_h"); - fp_func_def = open_output_file("func_def"); - fp_func_init = open_output_file("func_init"); - fp_netvar_h = open_output_file("netvar_h"); - fp_netvar_def = open_output_file("netvar_def"); - fp_netvar_init = open_output_file("netvar_init"); + if ( ! plugin ) + { + fp_bro_init = open_output_file("bro"); + fp_func_h = open_output_file("func_h"); + fp_func_def = open_output_file("func_def"); + fp_func_init = open_output_file("func_init"); + fp_netvar_h = open_output_file("netvar_h"); + fp_netvar_def = open_output_file("netvar_def"); + fp_netvar_init = open_output_file("netvar_init"); + + int n = 1024 + strlen(input_filename); + char auto_gen_comment[n]; + + snprintf(auto_gen_comment, n, + "This file was automatically generated by bifcl from %s.", + input_filename); + + fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); + fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); + fprintf(fp_func_h, "// %s\n\n", auto_gen_comment); + fprintf(fp_func_init, "// %s\n\n", auto_gen_comment); + fprintf(fp_netvar_def, "// %s\n\n", auto_gen_comment); + fprintf(fp_netvar_h, "// %s\n\n", auto_gen_comment); + fprintf(fp_netvar_init, "// %s\n\n", auto_gen_comment); + } + + else + init_plugin_mode(); yy_switch_to_buffer(yy_create_buffer(fp_input, YY_BUF_SIZE)); yyparse(); + if ( plugin ) + finish_plugin_mode(); + fclose(fp_input); close_all_output_files(); @@ -219,9 +338,13 @@ void close_all_output_files(void) close_if_open(&fp_func_h); close_if_open(&fp_func_def); close_if_open(&fp_func_init); - close_if_open(&fp_netvar_h); - close_if_open(&fp_netvar_def); - close_if_open(&fp_netvar_init); + + if ( ! plugin ) + { + close_if_open(&fp_netvar_h); + close_if_open(&fp_netvar_def); + close_if_open(&fp_netvar_init); + } } void remove_file(const char *surfix) 
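Review bot: The non-plugin branch of main() in the `@@ -189,17 +284,41 @@` hunk now carries the same auto_gen_comment snprintf/fprintf sequence that init_plugin_mode() also contains (both lifted from builtin-func.y); factor it into one helper that takes the comment suffix and the list of streams so the two modes cannot drift. In close_all_output_files(), skipping the netvar handles under `+	if ( ! plugin )` is correct only because init_plugin_mode() aliases them to fp_func_*, which a reader of this function cannot see; add a comment saying so, and reset `fp_netvar_h`, `fp_netvar_def` and `fp_netvar_init` to 0 after the fp_func_* handles are closed so no stale FILE* survives in plugin mode.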
@@ -232,7 +355,7 @@ void remove_file(const char *surfix) unlink(fn); } -void err_exit(void) +void err_exit(void) { close_all_output_files(); /* clean up. remove all output files we've generated so far */ diff --git a/src/builtin-func.y b/src/builtin-func.y index b5d076a56e..58acf64c8e 100644 --- a/src/builtin-func.y +++ b/src/builtin-func.y @@ -15,6 +15,7 @@ using namespace std; extern int line_number; extern char* input_filename; +extern char* plugin; #define print_line_directive(fp) fprintf(fp, "\n#line %d \"%s\"\n", line_number, input_filename) @@ -265,6 +266,15 @@ void print_event_c_body(FILE *fp) fprintf(fp, "\t} // event generation\n"); //fprintf(fp, "%s // end namespace\n", decl.generate_c_namespace_end.c_str()); } + +void record_bif_item(const char* id, int type) + { + if ( ! plugin ) + return; + + fprintf(fp_func_init, "\tbifs.push_back(std::make_pair(\"%s\", %d));\n", id, type); + } + %} %token TOK_LPP TOK_RPP TOK_LPB TOK_RPB TOK_LPPB TOK_RPPB TOK_VAR_ARG @@ -304,21 +314,6 @@ definitions: definitions definition opt_ws } | opt_ws { - int n = 1024 + strlen(input_filename); - char auto_gen_comment[n]; - - snprintf(auto_gen_comment, n, - "This file was automatically generated by bifcl from %s.", - input_filename); - - fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); - fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_h, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_init, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_def, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_h, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_init, "// %s\n\n", auto_gen_comment); - fprintf(fp_bro_init, "%s", $1); fprintf(fp_bro_init, "export {\n"); } @@ -362,6 +357,8 @@ type_def: TOK_TYPE opt_ws TOK_ID opt_ws ':' opt_ws type_def_types opt_ws ';' "\t%s = internal_type(\"%s\")->As%sType();\n", decl.c_fullname.c_str(), decl.bro_fullname.c_str(), type_name.c_str()); + + record_bif_item(decl.bro_fullname.c_str(), 5); } ; 
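Review bot: `record_bif_item(const char* id, int type)` in the builtin-func.y hunk emits bare magic numbers into generated code (`record_bif_item(decl.bro_fullname.c_str(), 5)` for types here, with 1, 2 and 3 for functions, events and constants in the following hunks) that the plugin side must interpret identically. Define a shared enum in bro-bif.h or the plugin headers with named values for function, event, constant and type, use it on both the generator and consumer side, and note why 4 is unused. The generated `bifs.push_back(std::make_pair("%s", %d))` also interpolates the id into a C string literal without escaping; that is safe for bifcl identifiers today but deserves a comment so nobody later feeds it arbitrary names. The `-void err_exit(void) ` / `+void err_exit(void)` change is whitespace-only noise and could be dropped from the patch.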
@@ -402,6 +399,8 @@ enum_def: enum_def_1 enum_list TOK_RPB fprintf(fp_netvar_init, "\t%s = internal_type(\"%s\")->AsEnumType();\n", decl.c_fullname.c_str(), decl.bro_fullname.c_str()); + + record_bif_item(decl.bro_fullname.c_str(), 5); } ; @@ -456,6 +455,8 @@ const_def: TOK_CONST opt_ws TOK_ID opt_ws ':' opt_ws TOK_ID opt_ws ';' fprintf(fp_netvar_init, "\t%s = internal_const_val(\"%s\")%s;\n", decl.c_fullname.c_str(), decl.bro_fullname.c_str(), accessor); + + record_bif_item(decl.bro_fullname.c_str(), 3); } @@ -545,6 +546,8 @@ head_1: TOK_ID opt_ws arg_begin fprintf(fp_func_def, "Val* %s(Frame* frame, val_list* %s)", decl.c_fullname.c_str(), arg_list_name); + + record_bif_item(decl.bro_fullname.c_str(), 1); } else if ( definition_type == EVENT_DEF ) { @@ -561,6 +564,8 @@ head_1: TOK_ID opt_ws arg_begin "\t%s = internal_handler(\"%s\");\n", decl.c_fullname.c_str(), decl.bro_fullname.c_str()); + record_bif_item(decl.bro_fullname.c_str(), 2); + // C++ prototypes of bro_event_* functions will // be generated later. } diff --git a/src/event.bif b/src/event.bif index dd7ab3c1d6..fbc02ef8b5 100644 --- a/src/event.bif +++ b/src/event.bif 
@@ -4713,238 +4713,6 @@ event dhcp_release%(c: connection, msg: dhcp_msg%); ## register a port for it or add a DPD payload signature. event dhcp_inform%(c: connection, msg: dhcp_msg%); -## Generated for HTTP requests. Bro supports persistent and pipelined HTTP -## sessions and raises corresponding events as it parses client/server -## dialogues. This event is generated as soon as a request's initial line has -## been parsed, and before any :bro:id:`http_header` events are raised. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``). -## -## original_URI: The unprocessed URI as specified in the request. -## -## unescaped_URI: The URI with all percent-encodings decoded. -## -## version: The version number specified in the request (e.g., ``1.1``). -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_header http_message_done http_reply http_stats -## truncate_http_URI -event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request"; - -## Generated for HTTP replies. Bro supports persistent and pipelined HTTP -## sessions and raises corresponding events as it parses client/server -## dialogues. This event is generated as soon as a reply's initial line has -## been parsed, and before any :bro:id:`http_header` events are raised. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## version: The version number specified in the reply (e.g., ``1.1``). -## -## code: The numerical response code returned by the server. -## -## reason: The textual description returned by the server along with *code*. -## -## .. 
bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_header http_message_done http_request -## http_stats -event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply"; - -## Generated for HTTP headers. Bro supports persistent and pipelined HTTP -## sessions and raises corresponding events as it parses client/server -## dialogues. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the header was sent by the originator of the TCP connection. -## -## name: The name of the header. -## -## value: The value of the header. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_message_done http_reply http_request -## http_stats -## -## .. note:: This event is also raised for headers found in nested body -## entities. -event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header"; - -## Generated for HTTP headers, passing on all headers of an HTTP message at -## once. Bro supports persistent and pipelined HTTP sessions and raises -## corresponding events as it parses client/server dialogues. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the header was sent by the originator of the TCP connection. -## -## hlist: A *table* containing all headers extracted from the current entity. -## The table is indexed by the position of the header (1 for the first, -## 2 for the second, etc.). -## -## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data -## http_event http_header http_message_done http_reply http_request http_stats -## -## .. note:: This event is also raised for headers found in nested body -## entities. 
-event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header"; - -## Generated when starting to parse an HTTP body entity. This event is generated -## at least once for each non-empty (client or server) HTTP body; and -## potentially more than once if the body contains further nested MIME -## entities. Bro raises this event just before it starts parsing each entity's -## content. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the entity was sent by the originator of the TCP -## connection. -## -## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data -## http_event http_header http_message_done http_reply http_request http_stats -## mime_begin_entity -event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; - -## Generated when finishing parsing an HTTP body entity. This event is generated -## at least once for each non-empty (client or server) HTTP body; and -## potentially more than once if the body contains further nested MIME -## entities. Bro raises this event at the point when it has finished parsing an -## entity's content. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the entity was sent by the originator of the TCP -## connection. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data -## http_event http_header http_message_done http_reply http_request -## http_stats mime_end_entity -event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; - -## Generated when parsing an HTTP body entity, passing on the data. This event -## can potentially be raised many times for each entity, each time passing a -## chunk of the data of not further defined size. 
-## -## A common idiom for using this event is to first *reassemble* the data -## at the scripting layer by concatenating it to a successively growing -## string; and only perform further content analysis once the corresponding -## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so -## can be quite expensive for HTTP tranders. At the very least, one should -## impose an upper size limit on how much data is being buffered. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the entity was sent by the originator of the TCP -## connection. -## -## length: The length of *data*. -## -## data: One chunk of raw entity data. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_event http_header http_message_done http_reply http_request http_stats -## mime_entity_data http_entity_data_delivery_size skip_http_data -event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body"; - -## Generated for reporting an HTTP body's content type. This event is -## generated at the end of parsing an HTTP header, passing on the MIME -## type as specified by the ``Content-Type`` header. If that header is -## missing, this event is still raised with a default value of ``text/plain``. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the entity was sent by the originator of the TCP -## connection. -## -## ty: The main type. -## -## subty: The subtype. -## -## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data -## http_event http_header http_message_done http_reply http_request http_stats -## -## .. note:: This event is also raised for headers found in nested body -## entities. 
-event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body"; - -## Generated once at the end of parsing an HTTP message. Bro supports persistent -## and pipelined HTTP sessions and raises corresponding events as it parses -## client/server dialogues. A "message" is one top-level HTTP entity, such as a -## complete request or reply. Each message can have further nested sub-entities -## inside. This event is raised once all sub-entities belonging to a top-level -## message have been processed (and their corresponding ``http_entity_*`` events -## generated). -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## is_orig: True if the entity was sent by the originator of the TCP -## connection. -## -## stat: Further meta information about the message. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_header http_reply http_request http_stats -event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body"; - -## Generated for errors found when decoding HTTP requests or replies. -## -## See `Wikipedia `__ -## for more information about the HTTP protocol. -## -## c: The connection. -## -## event_type: A string describing the general category of the problem found -## (e.g., ``illegal format``). -## -## detail: Further more detailed description of the error. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_header http_message_done http_reply http_request -## http_stats mime_event -event http_event%(c: connection, event_type: string, detail: string%); - -## Generated at the end of an HTTP session to report statistics about it. This -## event is raised after all of an HTTP session's requests and replies have been -## fully processed. -## -## c: The connection. 
-## -## stats: Statistics summarizing HTTP-level properties of the finished -## connection. -## -## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_header http_message_done http_reply -## http_request -event http_stats%(c: connection, stats: http_stats_rec%); - ## Generated when seeing an SSH client's version identification. The SSH ## protocol starts with a clear-text handshake message that reports client and ## server protocol/software versions. This event provides access to what the 
@@ -4983,202 +4751,6 @@ event ssh_client_version%(c: connection, version: string%); ## encrypted, Bro cannot further analyze SSH sessions. event ssh_server_version%(c: connection, version: string%); -## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions -## start with an unencrypted handshake, and Bro extracts as much information out -## of that as it can. This event provides access to the initial information -## sent by the client. -## -## See `Wikipedia `__ for -## more information about the SSL/TLS protocol. -## -## c: The connection. -## -## version: The protocol version as extracted from the client's message. The -## values are standardized as part of the SSL/TLS protocol. The -## :bro:id:`SSL::version_strings` table maps them to descriptive names. -## -## possible_ts: The current time as sent by the client. Note that SSL/TLS does -## not require clocks to be set correctly, so treat with care. -## -## session_id: The session ID sent by the client (if any). -## -## ciphers: The list of ciphers the client offered to use. The values are -## standardized as part of the SSL/TLS protocol. The -## :bro:id:`SSL::cipher_desc` table maps them to descriptive names. -## -## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello -## ssl_session_ticket_handshake x509_certificate x509_error x509_extension -event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%); - -## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions -## start with an unencrypted handshake, and Bro extracts as much information out -## of that as it can. This event provides access to the initial information -## sent by the client. -## -## See `Wikipedia `__ for -## more information about the SSL/TLS protocol. -## -## c: The connection. -## -## version: The protocol version as extracted from the server's message. -## The values are standardized as part of the SSL/TLS protocol. 
The -## :bro:id:`SSL::version_strings` table maps them to descriptive names. -## -## possible_ts: The current time as sent by the server. Note that SSL/TLS does -## not require clocks to be set correctly, so treat with care. -## -## session_id: The session ID as sent back by the server (if any). -## -## cipher: The cipher chosen by the server. The values are standardized as part -## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps -## them to descriptive names. -## -## comp_method: The compression method chosen by the client. The values are -## standardized as part of the SSL/TLS protocol. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension -## ssl_session_ticket_handshake x509_certificate x509_error x509_extension -event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%); - -## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS -## sessions start with an unencrypted handshake, and Bro extracts as much -## information out of that as it can. This event provides access to any -## extensions either side sends as part of an extended *hello* message. -## -## c: The connection. -## -## is_orig: True if event is raised for originator side of the connection. -## -## code: The numerical code of the extension. The values are standardized as -## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps -## them to descriptive names. -## -## val: The raw extension value that was sent in the message. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake x509_certificate x509_error x509_extension -event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); - -## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with -## an unencrypted handshake, and Bro extracts as much information out of that -## as it can. 
This event signals the time when an SSL/TLS has finished the -## handshake and its endpoints consider it as fully established. Typically, -## everything from now on will be encrypted. -## -## See `Wikipedia `__ for -## more information about the SSL/TLS protocol. -## -## c: The connection. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_extension ssl_server_hello -## ssl_session_ticket_handshake x509_certificate x509_error x509_extension -event ssl_established%(c: connection%); - -## Generated for SSL/TLS alert records. SSL/TLS sessions start with an -## unencrypted handshake, and Bro extracts as much information out of that as -## it can. If during that handshake, an endpoint encounters a fatal error, it -## sends an *alert* record, that in turn triggers this event. After an *alert*, -## any endpoint may close the connection immediately. -## -## See `Wikipedia `__ for -## more information about the SSL/TLS protocol. -## -## c: The connection. -## -## is_orig: True if event is raised for originator side of the connection. -## -## level: The severity level, as sent in the *alert*. The values are defined as -## part of the SSL/TLS protocol. -## -## desc: A numerical value identifying the cause of the *alert*. The values are -## defined as part of the SSL/TLS protocol. -## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello -## ssl_session_ticket_handshake x509_certificate x509_error x509_extension -event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); - -## Generated for SSL/TLS handshake messages that are a part of the -## stateless-server session resumption mechanism. SSL/TLS sessions start with -## an unencrypted handshake, and Bro extracts as much information out of that -## as it can. This event is raised when an SSL/TLS server passes a session -## ticket to the client that can later be used for resuming the session. 
The -## mechanism is described in :rfc:`4507` -## -## See `Wikipedia `__ for -## more information about the SSL/TLS protocol. -## -## c: The connection. -## -## ticket_lifetime_hint: A hint from the server about how long the ticket -## should be stored by the client. -## -## ticket: The raw ticket data. -## -## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello -## x509_certificate x509_error x509_extension ssl_alert -event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%); - -## Generated for X509 certificates seen in SSL/TLS connections. During the -## initial SSL/TLS handshake, certificates are exchanged in the clear. Bro -## raises this event for each certificate seen (including both a site's primary -## cert, and further certs sent as part of the validation chain). -## -## See `Wikipedia `__ for more information -## about the X.509 format. -## -## c: The connection. -## -## is_orig: True if event is raised for originator side of the connection. -## -## cert: The parsed certificate. -## -## chain_idx: The index in the validation chain that this cert has. Index zero -## indicates an endpoint's primary cert, while higher indices -## indicate the place in the validation chain (which has length -## *chain_len*). -## -## chain_len: The total length of the validation chain that this cert is part -## of. -## -## der_cert: The complete cert encoded in `DER -## `__ -## format. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension -## ssl_server_hello x509_error x509_extension x509_verify -event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%); - -## Generated for X509 extensions seen in a certificate. -## -## See `Wikipedia `__ for more information -## about the X.509 format. -## -## c: The connection. -## -## is_orig: True if event is raised for originator side of the connection. 
-## -## data: The raw data associated with the extension. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension -## ssl_server_hello x509_certificate x509_error x509_verify -event x509_extension%(c: connection, is_orig: bool, data: string%); - -## Generated when errors occur during parsing an X509 certificate. -## -## See `Wikipedia `__ for more information -## about the X.509 format. -## -## c: The connection. -## -## is_orig: True if event is raised for originator side of the connection. -## -## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` -## maps error codes to a textual description. -## -## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension -## ssl_server_hello x509_certificate x509_extension x509_err2str x509_verify -event x509_error%(c: connection, is_orig: bool, err: count%); - ## TODO. ## ## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request diff --git a/src/main.cc b/src/main.cc index 8bfc9300c4..7a86bde6da 100644 --- a/src/main.cc +++ b/src/main.cc @@ -56,7 +56,6 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "input/Manager.h" #include "logging/Manager.h" #include "logging/writers/Ascii.h" -#include "analyzer/BuiltInAnalyzers.h" #include "analyzer/Manager.h" #include "analyzer/Tag.h" #include "plugin/Manager.h" @@ -180,7 +179,7 @@ void usage() fprintf(stderr, " -I|--print-id | print out given ID\n"); fprintf(stderr, " -K|--md5-hashkey | set key for MD5-keyed hashing\n"); fprintf(stderr, " -L|--rule-benchmark | benchmark for rules\n"); - fprintf(stderr, " -N|--print-plugins | print all available plugins and exit\n"); + fprintf(stderr, " -N|--print-plugins | print available plugins and exit (-NN for verbose)\n"); fprintf(stderr, " -O|--optimize | optimize policy script\n"); fprintf(stderr, " -P|--prime-dns | prime DNS\n"); fprintf(stderr, " -R|--replay | replay events\n"); 
@@ -238,7 +237,7 @@ void usage() exit(1); } -void show_plugins() +void show_plugins(int level) { plugin::Manager::plugin_list plugins = plugin_mgr->Plugins(); @@ -250,10 +249,15 @@ void show_plugins() ODesc d; + if ( level == 1 ) + d.SetShort(); + for ( plugin::Manager::plugin_list::const_iterator i = plugins.begin(); i != plugins.end(); i++ ) { (*i)->Describe(&d); - d.NL(); + + if ( ! d.IsShort() ) + d.Add("\n"); } printf("%s", d.Description()); @@ -641,7 +645,7 @@ int main(int argc, char** argv) break; case 'N': - print_plugins = 1; + ++print_plugins; break; case 'O': @@ -785,7 +789,7 @@ int main(int argc, char** argv) if ( optind == argc && read_files.length() == 0 && flow_files.length() == 0 && interfaces.length() == 0 && - ! (id_name || bst_file) && ! command_line_policy ) + ! (id_name || bst_file) && ! command_line_policy && ! print_plugins ) add_input_file("-"); // Process remaining arguments. X=Y arguments indicate script @@ -816,16 +820,8 @@ int main(int argc, char** argv) log_mgr = new logging::Manager(); input_mgr = new input::Manager(); plugin_mgr = new plugin::Manager(); - - plugin_mgr->RegisterPlugin(new analyzer::BuiltinAnalyzers()); plugin_mgr->InitPlugins(); - if ( print_plugins ) - { - show_plugins(); - exit(1); - } - analyzer_mgr->Init(); if ( events_file ) @@ -846,6 +842,14 @@ int main(int argc, char** argv) yyparse(); + plugin_mgr->InitPluginsBif(); + + if ( print_plugins ) + { + show_plugins(print_plugins); + exit(1); + } + #ifdef USE_PERFTOOLS_DEBUG } #endif diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc index c4276ca1ff..ddedf7abbb 100644 --- a/src/plugin/Component.cc +++ b/src/plugin/Component.cc @@ -1,4 +1,3 @@ - #include "Component.h" #include "../Desc.h" diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h new file mode 100644 index 0000000000..f10d6adf45 --- /dev/null +++ b/src/plugin/Macros.h 
@@ -0,0 +1,42 @@ + +#ifndef PLUGIN_MACROS_H +#define PLUGIN_MACROS_H + +#include "analyzer/PluginComponent.h" + +#define BRO_PLUGIN_VERSION_BUILTIN -1 +#define BRO_PLUGIN_API_VERSION 1 + +#define _BRO_PLUGIN_VERSION_DEFAULT -1 + +#define BRO_PLUGIN_BEGIN(_name) \ + namespace plugin { namespace _name { \ + class Plugin : public plugin::Plugin { \ + protected: \ + void Init() \ + { \ + plugin::Description _desc; \ + _desc.name = #_name; \ + _desc.version = _BRO_PLUGIN_VERSION_DEFAULT; \ + _desc.api_version = BRO_PLUGIN_API_VERSION; + +#define BRO_PLUGIN_END \ + SetDescription(_desc); \ + } \ + }; \ + \ + static Plugin __plugin; \ + } } + +#define BRO_PLUGIN_DESCRIPTION _desc.description +#define BRO_PLUGIN_URL _desc.url +#define BRO_PLUGIN_VERSION _desc.version + +#define BRO_PLUGIN_BIF_FILE(file) \ + std::list > __bif_##file##_init(); \ + AddBifInitFunction(&__bif_##file##_init); + +#define BRO_PLUGIN_ANALYZER(tag, factory, enabled, partial) \ + AddComponent(new ::analyzer::PluginComponent(tag, factory, enabled, partial)); + +#endif diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 62440c0039..b969e581c7 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -31,21 +31,7 @@ bool Manager::LoadPluginsFrom(const std::string& dir) bool Manager::RegisterPlugin(Plugin *plugin) { - assert(! init); - - plugin::Description desc = plugin->GetDescription(); - - if ( desc.version != plugin::API_BUILTIN ) - { - if ( desc.api_version == API_ERROR ) - reporter->InternalError("API version of plugin %s not initialized", desc.name.c_str()); - - if ( desc.api_version != API_VERSION ) - reporter->FatalError("API version mismatch for plugin %s: expected %d, but have %d", - desc.name.c_str(), API_VERSION, desc.version); - } - - plugins.push_back(plugin); + Manager::PluginsInternal()->push_back(plugin); return true; } 
@@ -53,29 +39,48 @@ void Manager::InitPlugins() { assert(! init); - for ( plugin_list::iterator i = plugins.begin(); i != plugins.end(); i++ ) + for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) (*i)->Init(); init = true; } +void Manager::InitPluginsBif() + { + assert(init); + + for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) + (*i)->InitBif(); + + init = true; + } + void Manager::FinishPlugins() { assert(init); - for ( plugin_list::iterator i = plugins.begin(); i != plugins.end(); i++ ) + for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) { (*i)->Done(); - delete *i; +// delete *i; } - plugins.clear(); + Manager::PluginsInternal()->clear(); init = false; } Manager::plugin_list Manager::Plugins() const { - return plugins; -} + return *Manager::PluginsInternal(); + } +Manager::plugin_list* Manager::PluginsInternal() + { + static plugin_list* plugins = 0; + + if ( ! plugins ) + plugins = new plugin_list; + + return plugins; + } diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 26f07dc944..44ec8913c6 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -29,15 +29,22 @@ public: /** * - * @param plugin: The plugin to register. The method takes ownership. + * @param plugin: The plugin to register. The method does not take + * ownershop but assume the pointer will leave at least until the + * Manager is destroyed. */ - bool RegisterPlugin(Plugin *plugin); // Takes ownership. + static bool RegisterPlugin(Plugin *plugin); /** * */ void InitPlugins(); + /** + * + */ + void InitPluginsBif(); + /** * */ @@ -55,8 +62,9 @@ public: std::list Components(component::Type type) const; private: + static plugin_list* PluginsInternal(); + bool init; - plugin_list plugins; }; template 
@@ -64,7 +72,7 @@ std::list Manager::Components(component::Type type) const { std::list result; - for ( plugin_list::const_iterator p = plugins.begin(); p != plugins.end(); p++ ) + for ( plugin_list::const_iterator p = PluginsInternal()->begin(); p != PluginsInternal()->end(); p++ ) { component_list components = (*p)->Components(); diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index e5a09e0dcc..69377fd97a 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -2,6 +2,7 @@ #include #include "Plugin.h" +#include "Manager.h" #include "Component.h" #include "../Desc.h" @@ -11,11 +12,15 @@ using namespace plugin; Description::Description() { name = ""; - api_version = API_VERSION; + + // These will be reset by the BRO_PLUGIN_* macros. + version = -9999; + api_version = -9999; } Plugin::Plugin() { + Manager::RegisterPlugin(this); } Description Plugin::GetDescription() const @@ -37,6 +42,27 @@ void Plugin::Init() { } +void Plugin::InitBif() + { + for ( bif_init_func_list::const_iterator f = bif_inits.begin(); f != bif_inits.end(); f++ ) + { + bif_init_func_result items = (**f)(); + + for ( bif_init_func_result::const_iterator i = items.begin(); i != items.end(); i++ ) + { + BifItem bi; + bi.id = (*i).first; + bi.type = (BifItem::Type)(*i).second; + bif_items.push_back(bi); + } + } + } + +const Plugin::bif_item_list& Plugin::BifItems() + { + return bif_items; + } + void Plugin::Done() { for ( component_list::const_iterator i = components.begin(); i != components.end(); i++ ) @@ -55,6 +81,11 @@ void Plugin::AddComponent(Component* c) components.push_back(c); } +void Plugin::AddBifInitFunction(bif_init_func c) + { + bif_inits.push_back(c); + } + void Plugin::Describe(ODesc* d) { d->Add("Plugin: "); @@ -66,7 +97,7 @@ void Plugin::Describe(ODesc* d) d->Add(description.description); } - if ( description.version != API_BUILTIN ) + if ( description.version != BRO_PLUGIN_VERSION_BUILTIN ) { d->Add(" (version "); d->Add(description.version); 
@@ -83,12 +114,53 @@ void Plugin::Describe(ODesc* d) else d->Add(" (built-in)"); - d->NL(); + d->Add("\n"); + + if ( d->IsShort() ) + return; for ( component_list::const_iterator i = components.begin(); i != components.end(); i++ ) { (*i)->Describe(d); - d->NL(); + d->Add("\n"); + } + + for ( bif_item_list::const_iterator i = bif_items.begin(); i != bif_items.end(); i++ ) + { + const char* type = 0; + + switch ( (*i).type ) { + case BifItem::FUNCTION: + type = "Function"; + break; + + case BifItem::EVENT: + type = "Event"; + break; + + case BifItem::CONSTANT: + type = "Constant"; + break; + + case BifItem::GLOBAL: + type = "Global"; + break; + + case BifItem::TYPE: + type = "Type"; + break; + + default: + type = ""; + } + + d->Add(" "); + d->Add("["); + d->Add(type); + d->Add("] "); + d->Add((*i).id); + d->Add("\n"); } } + diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index f62b81772f..314de47083 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -5,6 +5,8 @@ #include #include +#include "Macros.h" + class ODesc; namespace plugin { @@ -12,10 +14,6 @@ namespace plugin { class Manager; class Component; -static const int API_VERSION = 1; -static const int API_BUILTIN = -1; -static const int API_ERROR = -2; - struct Description { std::string name; std::string description; @@ -27,9 +25,18 @@ struct Description { void Describe(ODesc* d); }; +struct BifItem { + // Values must match the integers bifcl generates. + enum Type { FUNCTION = 1, EVENT = 2, CONSTANT = 3, GLOBAL = 4, TYPE = 5 }; + + std::string id; + Type type; +}; + class Plugin { public: typedef std::list component_list; + typedef std::list bif_item_list; Plugin(); virtual ~Plugin(); @@ -39,6 +46,11 @@ public: component_list Components(); + void InitBif(); + + // Must be called after InitBif() only. + const bif_item_list& BifItems(); + virtual void Init(); virtual void Done(); 
@@ -50,9 +62,17 @@ protected: */ void AddComponent(Component* c); + typedef std::list > bif_init_func_result; + typedef bif_init_func_result (*bif_init_func)(); + void AddBifInitFunction(bif_init_func c); + private: + typedef std::list bif_init_func_list; + plugin::Description description; component_list components; + bif_item_list bif_items; + bif_init_func_list bif_inits; }; } diff --git a/src/analyzer/BuiltInAnalyzers.cc b/src/protocols/BuiltInAnalyzers.cc similarity index 91% rename from src/analyzer/BuiltInAnalyzers.cc rename to src/protocols/BuiltInAnalyzers.cc index e65dbdb62e..0c96ab17e4 100644 --- a/src/analyzer/BuiltInAnalyzers.cc +++ b/src/protocols/BuiltInAnalyzers.cc @@ -1,6 +1,9 @@ +// TODO: This file will eventually go away once we've converrted all +// analyzers into separate plugins. + #include "BuiltInAnalyzers.h" -#include "PluginComponent.h" +#include "analyzer/PluginComponent.h" #include "../binpac_bro.h" @@ -11,8 +14,6 @@ #include "Finger.h" #include "InterConn.h" #include "NTP.h" -#include "HTTP.h" -#include "HTTP-binpac.h" #include "ICMP.h" #include "SteppingStone.h" #include "IRC.h" @@ -37,7 +38,6 @@ #include "POP3.h" #include "SOCKS.h" #include "SSH.h" -#include "SSL.h" #include "Syslog-binpac.h" #include "Teredo.h" #include "ConnSizeAnalyzer.h" @@ -45,6 +45,8 @@ using namespace analyzer; +BuiltinAnalyzers builtin_analyzers; + #define DEFINE_ANALYZER(name, factory, enabled, partial) \ AddComponent(new PluginComponent(name, factory, enabled, partial)) @@ -53,7 +55,7 @@ void BuiltinAnalyzers::Init() plugin::Description desc; desc.name = "Core-Analyzers"; desc.description = "Built-in protocol analyzers"; - desc.version = plugin::API_BUILTIN; + desc.version = BRO_PLUGIN_VERSION_BUILTIN; SetDescription(desc); DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer, true, false); 
@@ -71,7 +73,7 @@ void BuiltinAnalyzers::Init() DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); + // DEFINE_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("LOGIN", 0, true, false); // just a base class @@ -92,8 +94,8 @@ void BuiltinAnalyzers::Init() DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("DNS_TCP_BINPAC", DNS_TCP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); DEFINE_ANALYZER("DNS_UDP_BINPAC", DNS_UDP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); - DEFINE_ANALYZER("HTTP_BINPAC", HTTP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); - DEFINE_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); + // DEFINE_ANALYZER("HTTP_BINPAC", HTTP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); + // DEFINE_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer, true, false); DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer, true, false); diff --git a/src/analyzer/BuiltInAnalyzers.h b/src/protocols/BuiltInAnalyzers.h similarity index 100% rename from src/analyzer/BuiltInAnalyzers.h rename to src/protocols/BuiltInAnalyzers.h diff --git a/src/protocols/CMakeLists.txt b/src/protocols/CMakeLists.txt new file mode 100644 index 0000000000..35db6549fa --- /dev/null +++ b/src/protocols/CMakeLists.txt @@ -0,0 +1,3 @@ + +add_subdirectory(http) +add_subdirectory(ssl) 
diff --git a/src/protocols/http/CMakeLists.txt b/src/protocols/http/CMakeLists.txt new file mode 100644 index 0000000000..b6d877cdd7 --- /dev/null +++ b/src/protocols/http/CMakeLists.txt @@ -0,0 +1,11 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(HTTP) +bro_plugin_cc(HTTP.cc) +bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) +bro_plugin_end() + diff --git a/src/HTTP.cc b/src/protocols/http/HTTP.cc similarity index 99% rename from src/HTTP.cc rename to src/protocols/http/HTTP.cc index 5b49f8844e..2812f3662b 100644 --- a/src/HTTP.cc +++ b/src/protocols/http/HTTP.cc @@ -13,6 +13,15 @@ #include "Event.h" #include "MIME.h" +#include "plugin/Plugin.h" + +BRO_PLUGIN_BEGIN(HTTP) + BRO_PLUGIN_DESCRIPTION = "HTTP Analyzer"; + BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, true, false); + BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); +BRO_PLUGIN_END + const bool DEBUG_http = false; // The EXPECT_*_NOTHING states are used to prevent further parsing. Used if a diff --git a/src/HTTP.h b/src/protocols/http/HTTP.h similarity index 99% rename from src/HTTP.h rename to src/protocols/http/HTTP.h index e8746e9d52..6cb2199696 100644 --- a/src/HTTP.h +++ b/src/protocols/http/HTTP.h @@ -9,6 +9,8 @@ #include "binpac_bro.h" #include "ZIP.h" #include "IPAddr.h" +#include "HTTP.h" +#include "events.bif.h" enum CHUNKED_TRANSFER_STATE { NON_CHUNKED_TRANSFER, diff --git a/src/protocols/http/events.bif b/src/protocols/http/events.bif new file mode 100644 index 0000000000..e4f71f70fc --- /dev/null +++ b/src/protocols/http/events.bif 
@@ -0,0 +1,232 @@ + +## Generated for HTTP requests. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. This event is generated as soon as a request's initial line has +## been parsed, and before any :bro:id:`http_header` events are raised. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## method: The HTTP method extracted from the request (e.g., ``GET``, ``POST``). +## +## original_URI: The unprocessed URI as specified in the request. +## +## unescaped_URI: The URI with all percent-encodings decoded. +## +## version: The version number specified in the request (e.g., ``1.1``). +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_header http_message_done ply http_stats +## truncate_http_URI +event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request"; + +## Generated for HTTP replies. Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. This event is generated as soon as a reply's initial line has +## been parsed, and before any :bro:id:`http_header` events are raised. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## version: The version number specified in the reply (e.g., ``1.1``). +## +## code: The numerical response code returned by the server. +## +## reason: The textual description returned by the server along with *code*. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_header http_message_done http_request +## http_stats +event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply"; + +## Generated for HTTP headers. 
Bro supports persistent and pipelined HTTP +## sessions and raises corresponding events as it parses client/server +## dialogues. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the header was sent by the originator of the TCP connection. +## +## name: The name of the header. +## +## value: The value of the header. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_message_done http_reply http_request +## http_stats +## +## .. note:: This event is also raised for headers found in nested body +## entities. +event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header"; + +## Generated for HTTP headers, passing on all headers of an HTTP message at +## once. Bro supports persistent and pipelined HTTP sessions and raises +## corresponding events as it parses client/server dialogues. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the header was sent by the originator of the TCP connection. +## +## hlist: A *table* containing all headers extracted from the current entity. +## The table is indexed by the position of the header (1 for the first, +## 2 for the second, etc.). +## +## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data +## http_event http_header http_message_done http_reply http_request http_stats +## +## .. note:: This event is also raised for headers found in nested body +## entities. +event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header"; + +## Generated when starting to parse an HTTP body entity. This event is generated +## at least once for each non-empty (client or server) HTTP body; and +## potentially more than once if the body contains further nested MIME +## entities. 
Bro raises this event just before it starts parsing each entity's +## content. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the entity was sent by the originator of the TCP +## connection. +## +## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data +## http_event http_header http_message_done http_reply http_request http_stats +## mime_begin_entity +event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; + +## Generated when finishing parsing an HTTP body entity. This event is generated +## at least once for each non-empty (client or server) HTTP body; and +## potentially more than once if the body contains further nested MIME +## entities. Bro raises this event at the point when it has finished parsing an +## entity's content. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the entity was sent by the originator of the TCP +## connection. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data +## http_event http_header http_message_done http_reply http_request +## http_stats mime_end_entity +event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; + +## Generated when parsing an HTTP body entity, passing on the data. This event +## can potentially be raised many times for each entity, each time passing a +## chunk of the data of not further defined size. +## +## A common idiom for using this event is to first *reassemble* the data +## at the scripting layer by concatenating it to a successively growing +## string; and only perform further content analysis once the corresponding +## :bro:id:`http_end_entity` event has been raised. Note, however, that doing so +## can be quite expensive for HTTP tranders. At the very least, one should +## impose an upper size limit on how much data is being buffered. 
+## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the entity was sent by the originator of the TCP +## connection. +## +## length: The length of *data*. +## +## data: One chunk of raw entity data. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_event http_header http_message_done http_reply http_request http_stats +## mime_entity_data http_entity_data_delivery_size skip_http_data +event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body"; + +## Generated for reporting an HTTP body's content type. This event is +## generated at the end of parsing an HTTP header, passing on the MIME +## type as specified by the ``Content-Type`` header. If that header is +## missing, this event is still raised with a default value of ``text/plain``. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the entity was sent by the originator of the TCP +## connection. +## +## ty: The main type. +## +## subty: The subtype. +## +## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data +## http_event http_header http_message_done http_reply http_request http_stats +## +## .. note:: This event is also raised for headers found in nested body +## entities. +event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body"; + +## Generated once at the end of parsing an HTTP message. Bro supports persistent +## and pipelined HTTP sessions and raises corresponding events as it parses +## client/server dialogues. A "message" is one top-level HTTP entity, such as a +## complete request or reply. Each message can have further nested sub-entities +## inside. 
This event is raised once all sub-entities belonging to a top-level +## message have been processed (and their corresponding ``http_entity_*`` events +## generated). +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## is_orig: True if the entity was sent by the originator of the TCP +## connection. +## +## stat: Further meta information about the message. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_header http_reply http_request http_stats +event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body"; + +## Generated for errors found when decoding HTTP requests or replies. +## +## See `Wikipedia `__ +## for more information about the HTTP protocol. +## +## c: The connection. +## +## event_type: A string describing the general category of the problem found +## (e.g., ``illegal format``). +## +## detail: Further more detailed description of the error. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_header http_message_done http_reply http_request +## http_stats mime_event +event http_event%(c: connection, event_type: string, detail: string%); + +## Generated at the end of an HTTP session to report statistics about it. This +## event is raised after all of an HTTP session's requests and replies have been +## fully processed. +## +## c: The connection. +## +## stats: Statistics summarizing HTTP-level properties of the finished +## connection. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_header http_message_done http_reply +## http_request +event http_stats%(c: connection, stats: http_stats_rec%); diff --git a/src/protocols/http/functions.bif b/src/protocols/http/functions.bif new file mode 100644 index 0000000000..0e1c63f721 --- /dev/null 
+++ b/src/protocols/http/functions.bif @@ -0,0 +1,56 @@ + +%%{ +#include "protocols/http/HTTP.h" +%%} + +## Skips the data of the HTTP entity. +## +## c: The HTTP connection. +## +## is_orig: If true, the client data is skipped, and the server data otherwise. +## +## .. bro:see:: skip_smtp_data +function skip_http_entity_data%(c: connection, is_orig: bool%): any + %{ + analyzer::ID id = mgr.CurrentAnalyzer(); + if ( id ) + { + analyzer::Analyzer* ha = c->FindAnalyzer(id); + + if ( ha ) + { + if ( ha->IsAnalyzer("HTTP") ) + static_cast(ha)->SkipEntityData(is_orig); + else + reporter->Error("non-HTTP analyzer associated with connection record"); + } + else + reporter->Error("could not find analyzer for skip_http_entity_data"); + + } + else + reporter->Error("no analyzer associated with connection record"); + + return 0; + %} + +## Unescapes all characters in a URI (decode every ``%xx`` group). +## +## URI: The URI to unescape. +## +## Returns: The unescaped URI with all ``%xx`` groups decoded. +## +## .. note:: +## +## Unescaping reserved characters may cause loss of information. RFC 2396: +## A URI is always in an "escaped" form, since escaping or unescaping a +## completed URI might change its semantics. Normally, the only time +## escape encodings can safely be made is when the URI is being created +## from its component parts. +function unescape_URI%(URI: string%): string + %{ + const u_char* line = URI->Bytes(); + const u_char* const line_end = line + URI->Len(); + + return new StringVal(unescape_URI(line, line_end, 0)); + %} diff --git a/src/protocols/ssl/CMakeLists.txt b/src/protocols/ssl/CMakeLists.txt new file mode 100644 index 0000000000..9ee8fd9b1e --- /dev/null +++ b/src/protocols/ssl/CMakeLists.txt 
@@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SSL) +bro_plugin_cc(SSL.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(ssl.pac ssl-analyzer.pac ssl-protocol.pac ssl-defs.pac) +bro_plugin_end() diff --git a/src/protocols/ssl/Plugin.cc b/src/protocols/ssl/Plugin.cc new file mode 100644 index 0000000000..3e42ae0c32 --- /dev/null +++ b/src/protocols/ssl/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "SSL.h" + +BRO_PLUGIN_BEGIN(SSL) + BRO_PLUGIN_DESCRIPTION = "SSL Analyzer"; + BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/SSL.cc b/src/protocols/ssl/SSL.cc similarity index 99% rename from src/SSL.cc rename to src/protocols/ssl/SSL.cc index 7dd2e0525a..da3e1e55f3 100644 --- a/src/SSL.cc +++ b/src/protocols/ssl/SSL.cc @@ -1,3 +1,4 @@ + #include "SSL.h" #include "TCP_Reassembler.h" #include "Reporter.h" diff --git a/src/SSL.h b/src/protocols/ssl/SSL.h similarity index 97% rename from src/SSL.h rename to src/protocols/ssl/SSL.h index ee2148450f..cf6269a6e4 100644 --- a/src/SSL.h +++ b/src/protocols/ssl/SSL.h @@ -1,6 +1,8 @@ #ifndef ssl_h #define ssl_h +#include "events.bif.h" + #include "TCP.h" #include "ssl_pac.h" diff --git a/src/protocols/ssl/events.bif b/src/protocols/ssl/events.bif new file mode 100644 index 0000000000..3d0c7e9d6a --- /dev/null +++ b/src/protocols/ssl/events.bif 
@@ -0,0 +1,195 @@ +## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions +## start with an unencrypted handshake, and Bro extracts as much information out +## of that as it can. This event provides access to the initial information +## sent by the client. +## +## See `Wikipedia `__ for +## more information about the SSL/TLS protocol. +## +## c: The connection. +## +## version: The protocol version as extracted from the client's message. The +## values are standardized as part of the SSL/TLS protocol. The +## :bro:id:`SSL::version_strings` table maps them to descriptive names. +## +## possible_ts: The current time as sent by the client. Note that SSL/TLS does +## not require clocks to be set correctly, so treat with care. +## +## session_id: The session ID sent by the client (if any). +## +## ciphers: The list of ciphers the client offered to use. The values are +## standardized as part of the SSL/TLS protocol. The +## :bro:id:`SSL::cipher_desc` table maps them to descriptive names. +## +## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello +## ssl_session_ticket_handshake x509_certificate x509_error x509_extension +event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%); + +## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions +## start with an unencrypted handshake, and Bro extracts as much information out +## of that as it can. This event provides access to the initial information +## sent by the client. +## +## See `Wikipedia `__ for +## more information about the SSL/TLS protocol. +## +## c: The connection. +## +## version: The protocol version as extracted from the server's message. +## The values are standardized as part of the SSL/TLS protocol. The +## :bro:id:`SSL::version_strings` table maps them to descriptive names. +## +## possible_ts: The current time as sent by the server. 
Note that SSL/TLS does +## not require clocks to be set correctly, so treat with care. +## +## session_id: The session ID as sent back by the server (if any). +## +## cipher: The cipher chosen by the server. The values are standardized as part +## of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps +## them to descriptive names. +## +## comp_method: The compression method chosen by the client. The values are +## standardized as part of the SSL/TLS protocol. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension +## ssl_session_ticket_handshake x509_certificate x509_error x509_extension +event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%); + +## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS +## sessions start with an unencrypted handshake, and Bro extracts as much +## information out of that as it can. This event provides access to any +## extensions either side sends as part of an extended *hello* message. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## code: The numerical code of the extension. The values are standardized as +## part of the SSL/TLS protocol. The :bro:id:`SSL::extensions` table maps +## them to descriptive names. +## +## val: The raw extension value that was sent in the message. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake x509_certificate x509_error x509_extension +event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); + +## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with +## an unencrypted handshake, and Bro extracts as much information out of that +## as it can. This event signals the time when an SSL/TLS has finished the +## handshake and its endpoints consider it as fully established. 
Typically, +## everything from now on will be encrypted. +## +## See `Wikipedia `__ for +## more information about the SSL/TLS protocol. +## +## c: The connection. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_extension ssl_server_hello +## ssl_session_ticket_handshake x509_certificate x509_error x509_extension +event ssl_established%(c: connection%); + +## Generated for SSL/TLS alert records. SSL/TLS sessions start with an +## unencrypted handshake, and Bro extracts as much information out of that as +## it can. If during that handshake, an endpoint encounters a fatal error, it +## sends an *alert* record, that in turn triggers this event. After an *alert*, +## any endpoint may close the connection immediately. +## +## See `Wikipedia `__ for +## more information about the SSL/TLS protocol. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## level: The severity level, as sent in the *alert*. The values are defined as +## part of the SSL/TLS protocol. +## +## desc: A numerical value identifying the cause of the *alert*. The values are +## defined as part of the SSL/TLS protocol. +## +## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## ssl_session_ticket_handshake x509_certificate x509_error x509_extension +event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); + +## Generated for SSL/TLS handshake messages that are a part of the +## stateless-server session resumption mechanism. SSL/TLS sessions start with +## an unencrypted handshake, and Bro extracts as much information out of that +## as it can. This event is raised when an SSL/TLS server passes a session +## ticket to the client that can later be used for resuming the session. The +## mechanism is described in :rfc:`4507` +## +## See `Wikipedia `__ for +## more information about the SSL/TLS protocol. +## +## c: The connection. 
+## +## ticket_lifetime_hint: A hint from the server about how long the ticket +## should be stored by the client. +## +## ticket: The raw ticket data. +## +## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello +## x509_certificate x509_error x509_extension ssl_alert +event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%); + +## Generated for X509 certificates seen in SSL/TLS connections. During the +## initial SSL/TLS handshake, certificates are exchanged in the clear. Bro +## raises this event for each certificate seen (including both a site's primary +## cert, and further certs sent as part of the validation chain). +## +## See `Wikipedia `__ for more information +## about the X.509 format. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## cert: The parsed certificate. +## +## chain_idx: The index in the validation chain that this cert has. Index zero +## indicates an endpoint's primary cert, while higher indices +## indicate the place in the validation chain (which has length +## *chain_len*). +## +## chain_len: The total length of the validation chain that this cert is part +## of. +## +## der_cert: The complete cert encoded in `DER +## `__ +## format. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension +## ssl_server_hello x509_error x509_extension x509_verify +event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%); + +## Generated for X509 extensions seen in a certificate. +## +## See `Wikipedia `__ for more information +## about the X.509 format. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## data: The raw data associated with the extension. +## +## .. 
bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension +## ssl_server_hello x509_certificate x509_error x509_verify +event x509_extension%(c: connection, is_orig: bool, data: string%); + +## Generated when errors occur during parsing an X509 certificate. +## +## See `Wikipedia `__ for more information +## about the X.509 format. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors` +## maps error codes to a textual description. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension +## ssl_server_hello x509_certificate x509_extension x509_err2str x509_verify +event x509_error%(c: connection, is_orig: bool, err: count%); diff --git a/src/ssl-analyzer.pac b/src/protocols/ssl/ssl-analyzer.pac similarity index 100% rename from src/ssl-analyzer.pac rename to src/protocols/ssl/ssl-analyzer.pac diff --git a/src/ssl-defs.pac b/src/protocols/ssl/ssl-defs.pac similarity index 100% rename from src/ssl-defs.pac rename to src/protocols/ssl/ssl-defs.pac diff --git a/src/ssl-protocol.pac b/src/protocols/ssl/ssl-protocol.pac similarity index 100% rename from src/ssl-protocol.pac rename to src/protocols/ssl/ssl-protocol.pac diff --git a/src/ssl.pac b/src/protocols/ssl/ssl.pac similarity index 94% rename from src/ssl.pac rename to src/protocols/ssl/ssl.pac index 25aed7a66f..150dc222cb 100644 --- a/src/ssl.pac +++ b/src/protocols/ssl/ssl.pac @@ -5,6 +5,10 @@ # - ssl-analyzer.pac: contains the SSL analyzer code # - ssl-record-layer.pac: describes the SSL record layer +%extern{ + #include "events.bif.h" +%} + %include binpac.pac %include bro.pac diff --git a/src/HTTP-binpac.cc b/src/protocols/unused/HTTP-binpac.cc similarity index 100% rename from src/HTTP-binpac.cc rename to src/protocols/unused/HTTP-binpac.cc 
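Review bot: in the http_entity_data doc block of src/protocols/http/events.bif, "can be quite expensive for HTTP tranders" should read "HTTP transfers". In the same block the `.. bro:see::` list names `skip_http_data`, but the function this patch adds in src/protocols/http/functions.bif is `skip_http_entity_data`; check the cross-reference target against the actual bif name so Broxygen does not emit a dangling reference.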
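Review bot: in skip_http_entity_data in src/protocols/http/functions.bif, `static_cast(ha)->SkipEntityData(is_orig)` has no template argument and will not compile as written; it needs the concrete HTTP analyzer pointer type declared in protocols/http/HTTP.h as the target, e.g. `static_cast<HTTP_Analyzer*>(ha)` if that is the class name (inferred from the `SSL_Analyzer` convention used by the SSL plugin in this same patch, so verify it). The three `reporter->Error` branches also all fall through to `return 0`, so a script caller cannot tell a no-op from success; returning a bool instead of `any` would let scripts react to the failure.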
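Review bot: `BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false);` in src/protocols/ssl/Plugin.cc passes two bare boolean flags whose meaning is not visible at the call site; a short comment naming what `true, false` select would keep the plugin registration readable for the next analyzer that gets ported.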
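Review bot: the src/SSL.cc to src/protocols/ssl/SSL.cc hunk (`@@ -1,3 +1,4 @@`) changes nothing except adding an empty line before `#include "SSL.h"`; drop it so the rename stays a pure move (100% similarity, as the .pac files are) and the diff records only the relocation.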
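Review bot: the ssl_server_hello doc block in src/protocols/ssl/events.bif was copied from ssl_client_hello and still says "This event provides access to the initial information sent by the client"; it should say the server. In the same block, `comp_method: The compression method chosen by the client` should read "chosen by the server", since the server selects it from what the client offered. Two smaller ones in the same file: ssl_established reads "when an SSL/TLS has finished the handshake" (missing "session"), and the ssl_session_ticket_handshake block ends "described in :rfc:`4507`" without a period.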
diff --git a/src/HTTP-binpac.h b/src/protocols/unused/HTTP-binpac.h similarity index 100% rename from src/HTTP-binpac.h rename to src/protocols/unused/HTTP-binpac.h From e532aff687ed3d5c8fade43f8dca441c2742f386 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 29 Mar 2013 20:00:09 -0700 Subject: [PATCH 05/70] Updating cmake submodule. --- cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmake b/cmake index 870dd2c240..1a592a96f7 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 870dd2c240acaee5c2d75da0feb5fd5044177123 +Subproject commit 1a592a96f702d2cfcf1a88d7f40b4c62405735a6 From e0c4bd1a82a6887b6160ab79e32a02a75d1c9119 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Sat, 30 Mar 2013 19:29:20 -0700 Subject: [PATCH 06/70] Lots of cleanup and API documentation for the analyzer/* classes. I've used the opportunity to also clean up DPD's expect_connection() infrastructure, and renamed that bif to schedule_analyzer(), which seems more appropriate. One can now also schedule more than one analyzer per connection. TODOs: - "make install" is probably broken. - Broxygen is probably broken for plugin-defined events. - event groups are broken (do we want to keep them?) - parallel btest is broken, but I'm not sure why ... (tests all pass individually, but lots of errors when running in parallel; must be related to *.bif restructuring). - Document API for src/plugin/* - Document API for src/analyzer/Analyzer.h - Document API for scripts/base/frameworks/analyzer --- doc/scripts/DocSourcesList.cmake | 3 + scripts/base/frameworks/analyzer/main.bro | 6 +- scripts/base/protocols/ftp/main.bro | 6 +- scripts/base/protocols/irc/dcc-send.bro | 2 +- src/CMakeLists.txt | 2 +- src/DCE_RPC.cc | 4 +- src/DebugLogger.h | 2 +- src/IPAddr.cc | 17 - src/IPAddr.h | 1 - src/PIA.cc | 12 +- src/RuleAction.cc | 11 +- src/Sessions.cc | 2 +- src/TCP.cc | 2 +- src/analyzer.bif | 4 +- src/analyzer/Analyzer.cc | 32 +- src/analyzer/Component.cc | 29 ++ src/analyzer/Component.h | 121 +++++ src/analyzer/Manager.cc | 344 ++++++------- src/analyzer/Manager.h | 453 ++++++++++++++---- src/analyzer/PluginComponent.cc | 37 -- src/analyzer/PluginComponent.h | 51 -- src/analyzer/Tag.cc | 9 +- src/analyzer/Tag.h | 122 ++++- src/event.bif | 38 +- src/plugin/Macros.h | 9 +- src/protocols/BuiltInAnalyzers.cc | 128 ++--- src/protocols/http/HTTP.cc | 2 +- src/protocols/ssl/Plugin.cc | 2 +- .../canonified_loaded_scripts.log | 26 +- .../canonified_loaded_scripts.log | 26 +- .../output | 5 + .../frameworks/analyzer/schedule-analyzer.bro | 36 ++ 32 files changed, 994 insertions(+), 550 deletions(-) create mode 100644 src/analyzer/Component.cc create mode 100644 
src/analyzer/Component.h delete mode 100644 src/analyzer/PluginComponent.cc delete mode 100644 src/analyzer/PluginComponent.h create mode 100644 testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output create mode 100644 testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index af8f2de94b..c71d7798ea 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake @@ -22,6 +22,9 @@ rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/protocols/ssl/events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index ea5ccb727c..dcadb402fb 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro @@ -45,7 +45,7 @@ export { ## tout: The timeout interval after which to ignore the scheduling request. ## ## Returns: True if succesful. - global expect_connection: function(orig: addr, resp: addr, resp_p: port, + global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool; ## Analyzers to disable at startup. 
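Review bot: the context line `## Returns: True if succesful.` directly above the renamed `schedule_analyzer` declaration in scripts/base/frameworks/analyzer/main.bro misspells "successful"; since the hunk already touches the signature, fix the doc line in the same change. It would also help to state what "successful" means for a scheduling request, because the C++ side in src/analyzer.bif (further down in this patch) returns `new Val(true, TYPE_BOOL)` unconditionally.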
@@ -119,9 +119,9 @@ function name(atype: Analyzer::Tag) : string return __name(atype); } -function expect_connection(orig: addr, resp: addr, resp_p: port, +function schedule_analyzer(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool { - return __expect_connection(orig, resp, resp_p, analyzer, tout); + return __schedule_analyzer(orig, resp, resp_p, analyzer, tout); } diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index e2b77e0099..868fa99bef 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -228,7 +228,7 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5 { c$ftp$passive=F; ftp_data_expected[data$h, data$p] = c$ftp; - Analyzer::expect_connection(id$resp_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); + Analyzer::schedule_analyzer(id$resp_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); } else { @@ -281,7 +281,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior data$h = id$resp_h; ftp_data_expected[data$h, data$p] = c$ftp; - Analyzer::expect_connection(id$orig_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); + Analyzer::schedule_analyzer(id$orig_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins); } else { @@ -312,7 +312,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior } -event expected_connection_seen(c: connection, a: count) &priority=10 +event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) &priority=10 { local id = c$id; if ( [id$resp_h, id$resp_p] in ftp_data_expected ) diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index 621ad42826..45746aae2b 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro 
@@ -104,7 +104,7 @@ event irc_dcc_message(c: connection, is_orig: bool, c$irc$dcc_file_name = argument; c$irc$dcc_file_size = size; local p = count_to_port(dest_port, tcp); - Analyzer::expect_connection(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_FILE, 5 min); + Analyzer::schedule_analyzer(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_FILE, 5 min); dcc_expected_transfers[address, p] = c$irc; } diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 31192a8757..5109f71105 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -400,7 +400,7 @@ set(bro_SRCS analyzer/Analyzer.cc analyzer/Manager.cc - analyzer/PluginComponent.cc + analyzer/Component.cc analyzer/Tag.cc protocols/BuiltInAnalyzers.cc diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc index 0cb9ab3c3f..f01edc9c8a 100644 --- a/src/DCE_RPC.cc +++ b/src/DCE_RPC.cc @@ -161,8 +161,8 @@ static void add_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr, // of the dce_rpc_endpoints table. // FIXME: Don't hard-code the timeout. - analyzer_mgr->ExpectConnection(IPAddr(), addr.addr, addr.port, addr.proto, - "DCE_RPC", 5 * 60, 0); + analyzer_mgr->ScheduleAnalyzer(IPAddr(), addr.addr, addr.port, addr.proto, + "DCE_RPC", 5 * 60); } DCE_RPC_Header::DCE_RPC_Header(analyzer::Analyzer* a, const u_char* b) diff --git a/src/DebugLogger.h b/src/DebugLogger.h index ca422072c5..74eea4520d 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h @@ -21,7 +21,7 @@ enum DebugStream { DBG_STRING, // String code DBG_NOTIFIERS, // Notifiers (see StateAccess.h) DBG_MAINLOOP, // Main IOSource loop - DBG_DPD, // Dynamic application detection framework + DBG_ANALYZER, // Analyzer framework DBG_TM, // Time-machine packet input via Brocolli DBG_LOGGING, // Logging streams DBG_INPUT, // Input streams diff --git a/src/IPAddr.cc b/src/IPAddr.cc index cc52de31ed..7fd3755042 100644 --- a/src/IPAddr.cc +++ b/src/IPAddr.cc 
@@ -45,23 +45,6 @@ HashKey* BuildConnIDHashKey(const ConnID& id) return new HashKey(&key, sizeof(key)); } -HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c) - { - struct { - in6_addr orig; - in6_addr resp; - uint16 resp_p; - uint16 proto; - } key; - - key.orig = c.orig.in6; - key.resp = c.resp.in6; - key.resp_p = c.resp_p; - key.proto = c.proto; - - return new HashKey(&key, sizeof(key)); - } - void IPAddr::Mask(int top_bits_to_keep) { if ( top_bits_to_keep < 0 || top_bits_to_keep > 128 ) diff --git a/src/IPAddr.h b/src/IPAddr.h index e79f3aa0a9..0c6942c61e 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h @@ -363,7 +363,6 @@ public: void ConvertToThreadingValue(threading::Value::addr_t* v) const; friend HashKey* BuildConnIDHashKey(const ConnID& id); - friend HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c); unsigned int MemoryAllocation() const { return padded_sizeof(*this); } diff --git a/src/PIA.cc b/src/PIA.cc index f2eb633cd4..2e4cf06e86 100644 --- a/src/PIA.cc +++ b/src/PIA.cc @@ -63,7 +63,7 @@ void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig) void PIA::ReplayPacketBuffer(analyzer::Analyzer* analyzer) { - DBG_LOG(DBG_DPD, "PIA replaying %d total packet bytes", pkt_buffer.size); + DBG_LOG(DBG_ANALYZER, "PIA replaying %d total packet bytes", pkt_buffer.size); for ( DataBlock* b = pkt_buffer.head; b; b = b->next ) analyzer->DeliverPacket(b->len, b->data, b->is_orig, -1, 0, 0); @@ -133,7 +133,7 @@ void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) { if ( pkt_buffer.state == MATCHING_ONLY ) { - DBG_LOG(DBG_DPD, "analyzer found but buffer already exceeded"); + DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded"); // FIXME: This is where to check whether an analyzer // supports partial connections once we get such. return; 
@@ -180,7 +180,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip) static struct tcphdr* tcp4 = 0; static IP_Hdr* ip4_hdr = 0; - DBG_LOG(DBG_DPD, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F")); + DBG_LOG(DBG_ANALYZER, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F")); if ( ! ip ) { @@ -266,7 +266,7 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) { if ( stream_buffer.state == MATCHING_ONLY ) { - DBG_LOG(DBG_DPD, "analyzer found but buffer already exceeded"); + DBG_LOG(DBG_ANALYZER, "analyzer found but buffer already exceeded"); // FIXME: This is where to check whether an analyzer supports // partial connections once we get such. return; @@ -305,7 +305,7 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) // (4) We hand the two reassemblers to the TCP Analyzer (our parent), // turning reassembly now on for all subsequent data. - DBG_LOG(DBG_DPD, "PIA_TCP switching from packet-mode to stream-mode"); + DBG_LOG(DBG_ANALYZER, "PIA_TCP switching from packet-mode to stream-mode"); stream_mode = true; // FIXME: The reassembler will query the endpoint for state. Not sure @@ -378,7 +378,7 @@ void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag) void PIA_TCP::ReplayStreamBuffer(analyzer::Analyzer* analyzer) { - DBG_LOG(DBG_DPD, "PIA_TCP replaying %d total stream bytes", stream_buffer.size); + DBG_LOG(DBG_ANALYZER, "PIA_TCP replaying %d total stream bytes", stream_buffer.size); for ( DataBlock* b = stream_buffer.head; b; b = b->next ) { diff --git a/src/RuleAction.cc b/src/RuleAction.cc index c0a4809c88..7d594e695f 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc 
@@ -54,15 +54,12 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer) reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str()); } else - child_analyzer = analyzer::Tag::ERROR; - - if ( analyzer != analyzer::Tag::ERROR ) - analyzer_mgr->ActivateSigs(); + child_analyzer = analyzer::Tag(); } void RuleActionAnalyzer::PrintDebug() { - if ( child_analyzer == analyzer::Tag::ERROR ) + if ( ! child_analyzer ) fprintf(stderr, "|%s|\n", analyzer_mgr->GetAnalyzerName(analyzer).c_str()); else fprintf(stderr, "|%s:%s|\n", @@ -74,7 +71,7 @@ void RuleActionAnalyzer::PrintDebug() void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { - if ( ChildAnalyzer() == analyzer::Tag::ERROR ) + if ( ! ChildAnalyzer() ) { if ( ! analyzer_mgr->IsEnabled(Analyzer()) ) return; @@ -103,7 +100,7 @@ void RuleActionEnable::PrintDebug() void RuleActionDisable::DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) { - if ( ChildAnalyzer() == analyzer::Tag::ERROR ) + if ( ! ChildAnalyzer() ) { if ( state->PIA() ) state->PIA()->DeactivateAnalyzer(Analyzer()); diff --git a/src/Sessions.cc b/src/Sessions.cc index 7586899e14..782bf4c496 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -1178,7 +1178,7 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, Connection* conn = new Connection(this, k, t, id, flow_label, encapsulation); conn->SetTransport(tproto); - analyzer_mgr->BuildInitialAnalyzerTree(tproto, conn, data); + analyzer_mgr->BuildInitialAnalyzerTree(conn); bool external = conn->IsExternal(); diff --git a/src/TCP.cc b/src/TCP.cc index feb21c3271..058e6608ca 100644 --- a/src/TCP.cc +++ b/src/TCP.cc 
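Review bot: the RuleActionAnalyzer constructor hunk in src/RuleAction.cc (`@@ -54,15 +54,12 @@`) removes `if ( analyzer != analyzer::Tag::ERROR ) analyzer_mgr->ActivateSigs();` together with the `Tag::ERROR` comparison, but no hunk in this patch re-adds an ActivateSigs() call. If signature activation for analyzer rules now happens elsewhere (Manager.cc is in the diffstat but not shown here), say so in the commit message; otherwise rules carrying an analyzer action silently lose that activation. The replacement `if ( ! child_analyzer )` is fine provided `analyzer::Tag` has an explicit bool conversion, which the `tag ? FindChild(tag) : 0` change in Analyzer.cc also relies on.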
@@ -1874,7 +1874,7 @@ void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); - DBG_LOG(DBG_DPD, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %d, %p, %d) [%s%s]", + DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %d, %p, %d) [%s%s]", len, is_orig ? "T" : "F", seq, ip, caplen, fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : ""); } diff --git a/src/analyzer.bif b/src/analyzer.bif index 2ce5af992d..92b533308a 100644 --- a/src/analyzer.bif +++ b/src/analyzer.bif @@ -26,10 +26,10 @@ function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool return new Val(result, TYPE_BOOL); %} -function Analyzer::__expect_connection%(orig: addr, resp: addr, resp_p: port, +function Analyzer::__schedule_analyzer%(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval%) : bool %{ - analyzer_mgr->ExpectConnection(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout, 0); + analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout); return new Val(true, TYPE_BOOL); %} diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index 6ef67eb497..ff02e83f18 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -75,7 +75,7 @@ Analyzer::Analyzer(const char* name, Connection* arg_conn) output_handler = 0; if ( ! tag ) - reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::PluginComponent?", name); + reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::Component?", name); } @@ -344,7 +344,7 @@ void Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init) if ( init ) analyzer->Init(); - DBG_LOG(DBG_DPD, "%s added child %s", + DBG_LOG(DBG_ANALYZER, "%s added child %s", fmt_analyzer(this).c_str(), fmt_analyzer(analyzer).c_str()); } 
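Review bot: `Analyzer::__schedule_analyzer` in src/analyzer.bif discards whatever `analyzer_mgr->ScheduleAnalyzer(...)` reports and always returns true, while the script wrapper documents "Returns: True if succesful"; either propagate a bool from ScheduleAnalyzer (for instance when the tag is unknown) or correct the doc. The trailing `0` argument of the old ExpectConnection call is dropped here and in the DCE_RPC.cc hunk, so check that every former ExpectConnection caller was converted, since these are the only two call sites in this patch.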
@@ -368,7 +368,7 @@ void Analyzer::RemoveChildAnalyzer(Analyzer* analyzer) LOOP_OVER_CHILDREN(i) if ( *i == analyzer && ! (analyzer->finished || analyzer->removing) ) { - DBG_LOG(DBG_DPD, "%s disabling child %s", + DBG_LOG(DBG_ANALYZER, "%s disabling child %s", fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()); // We just flag it as being removed here but postpone // actually doing that to later. Otherwise, we'd need @@ -386,7 +386,7 @@ void Analyzer::RemoveChildAnalyzer(ID id) LOOP_OVER_CHILDREN(i) if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) ) { - DBG_LOG(DBG_DPD, "%s disabling child %s", GetAnalyzerName().c_str(), id, + DBG_LOG(DBG_ANALYZER, "%s disabling child %s", GetAnalyzerName().c_str(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()); // See comment above. (*i)->removing = true; @@ -440,7 +440,7 @@ Analyzer* Analyzer::FindChild(Tag arg_tag) Analyzer* Analyzer::FindChild(const string& name) { Tag tag = analyzer_mgr->GetAnalyzerTag(name); - return tag != Tag::ERROR ? FindChild(tag) : 0; + return tag ? FindChild(tag) : 0; } void Analyzer::DeleteChild(analyzer_list::iterator i) @@ -456,7 +456,7 @@ void Analyzer::DeleteChild(analyzer_list::iterator i) child->removing = false; } - DBG_LOG(DBG_DPD, "%s deleted child %s 3", + DBG_LOG(DBG_ANALYZER, "%s deleted child %s 3", fmt_analyzer(this).c_str(), fmt_analyzer(child).c_str()); children.erase(i); @@ -467,7 +467,7 @@ void Analyzer::AddSupportAnalyzer(SupportAnalyzer* analyzer) { if ( HasSupportAnalyzer(analyzer->GetAnalyzerTag(), analyzer->IsOrig()) ) { - DBG_LOG(DBG_DPD, "%s already has %s %s", + DBG_LOG(DBG_ANALYZER, "%s already has %s %s", fmt_analyzer(this).c_str(), analyzer->IsOrig() ? "originator" : "responder", fmt_analyzer(analyzer).c_str()); 
@@ -495,7 +495,7 @@ void Analyzer::AddSupportAnalyzer(SupportAnalyzer* analyzer) analyzer->Init(); - DBG_LOG(DBG_DPD, "%s added %s support %s", + DBG_LOG(DBG_ANALYZER, "%s added %s support %s", fmt_analyzer(this).c_str(), analyzer->IsOrig() ? "originator" : "responder", fmt_analyzer(analyzer).c_str()); @@ -519,7 +519,7 @@ void Analyzer::RemoveSupportAnalyzer(SupportAnalyzer* analyzer) else *head = s->sibling; - DBG_LOG(DBG_DPD, "%s removed support %s", + DBG_LOG(DBG_ANALYZER, "%s removed support %s", fmt_analyzer(this).c_str(), analyzer->IsOrig() ? "originator" : "responder", fmt_analyzer(analyzer).c_str()); @@ -544,33 +544,33 @@ bool Analyzer::HasSupportAnalyzer(Tag tag, bool orig) void Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen) { - DBG_LOG(DBG_DPD, "%s DeliverPacket(%d, %s, %d, %p, %d) [%s%s]", + DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %d, %p, %d) [%s%s]", fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", seq, ip, caplen, fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : ""); } void Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - DBG_LOG(DBG_DPD, "%s DeliverStream(%d, %s) [%s%s]", + DBG_LOG(DBG_ANALYZER, "%s DeliverStream(%d, %s) [%s%s]", fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : ""); } void Analyzer::Undelivered(int seq, int len, bool is_orig) { - DBG_LOG(DBG_DPD, "%s Undelivered(%d, %d, %s)", + DBG_LOG(DBG_ANALYZER, "%s Undelivered(%d, %d, %s)", fmt_analyzer(this).c_str(), seq, len, is_orig ? "T" : "F"); } void Analyzer::EndOfData(bool is_orig) { - DBG_LOG(DBG_DPD, "%s EndOfData(%s)", + DBG_LOG(DBG_ANALYZER, "%s EndOfData(%s)", fmt_analyzer(this).c_str(), is_orig ? "T" : "F"); } void Analyzer::FlipRoles() { - DBG_LOG(DBG_DPD, "%s FlipRoles()"); + DBG_LOG(DBG_ANALYZER, "%s FlipRoles()"); LOOP_OVER_CHILDREN(i) (*i)->FlipRoles(); 
@@ -596,7 +596,7 @@ void Analyzer::ProtocolConfirmation() val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(tag.Val()); + vl->append(tag.AsEnumVal()); vl->append(new Val(id, TYPE_COUNT)); // We immediately raise the event so that the analyzer can quickly @@ -624,7 +624,7 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(tag.Val()); + vl->append(tag.AsEnumVal()); vl->append(new Val(id, TYPE_COUNT)); vl->append(r); diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc new file mode 100644 index 0000000000..9640d6d8ac --- /dev/null +++ b/src/analyzer/Component.cc @@ -0,0 +1,29 @@ + +#include "Component.h" + +#include "../Desc.h" + +using namespace analyzer; + +Tag::type_t Component::type_counter = 0; + +Component::Component(std::string arg_name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial) + : plugin::Component(plugin::component::ANALYZER) + { + name = arg_name; + factory = arg_factory; + enabled = arg_enabled; + partial = arg_partial; + + tag = analyzer::Tag(++type_counter, arg_subtype); + } + +void Component::Describe(ODesc* d) + { + plugin::Component::Describe(d); + d->Add(name); + d->Add(" ("); + d->Add(enabled ? "enabled" : "disabled"); + d->Add(")"); + } + diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h new file mode 100644 index 0000000000..0a48c0546f --- /dev/null +++ b/src/analyzer/Component.h 
@@ -0,0 +1,121 @@ + +#ifndef ANALYZER_PLUGIN_COMPONENT_H +#define ANALYZER_PLUGIN_COMPONENT_H + +#include + +#include "Tag.h" +#include "plugin/Component.h" + +#include "../config.h" +#include "../util.h" + +class Connection; + +namespace analyzer { + +class Analyzer; + +/** + * Component description for plugins providing analyzers. + * + * A plugin can provide a specific protocol analyzer by registering this + * analyzer component, describing the analyzer. + * + * This class is safe to copy by value. + */ +class Component : public plugin::Component { +public: + typedef bool (*available_callback)(); + typedef Analyzer* (*factory_callback)(Connection* conn); + + /** + * Constructor. + * + * @param name The name of the provided analyzer. This name is used + * across the system to identify the analyzer, e.g., when calling + * analyzer::Manager::InstantiateAnalyzer with a name. + * + * @param factory A factory function to instantiate instances of the + * analyzer's class, which must be derived directly or indirectly + * from analyzer::Analyzer. This is typically a static \c + * Instatiate() method inside the class that just allocates and + * returns a new instance. + * + * @param subtype A subtype associated with this component that + * further. The subtype will be integrated into the analyzer::Tag + * that the manager associates with this analyzer, and analyzer + * instances can accordingly access it via analyzer::Tag(). If not + * used, leave at zero. + * + * @param enabled If false the analyzer starts out as disabled and + * hence won't be used. It can still be enabled later via the + * manager, including from script-land. + * + * @param partial If true, the analyzer can deal with payload from + * partial connections, i.e., when Bro enters the stream mid-way + * after not seeing the beginning. Note that handling of partial + * connections has generally not seen much testing yet as virtually + * no existing analyzer supports it. 
+ */ + Component(std::string name, factory_callback factory, Tag::subtype_t subtype = 0, bool enabled = true, bool partial = false); + + /** + * Returns the name of the analyzer. This name is unique across all + * analyzers and used to identify it. + */ + const std::string& Name() const { return name; } + + /** + * Returns the analyzer's factory function. + */ + factory_callback Factory() const { return factory; } + + /** + * Returns whether the analyzer supports partial connections. Partial + * connections are those where Bro starts processing payload + * mid-stream, after missing the beginning. + */ + bool Partial() const { return partial; } + + /** + * Returns true if the analyzer is currently enabled and hence + * available for use. + */ + bool Enabled() const { return enabled; } + + /** + * Returns the analyzer's tag. Note that this is automatically + * generated for each new Components, and hence unique across all of + * them. + */ + analyzer::Tag Tag() const { return tag; } + + /** + * Enables or disables this analyzer. + * + * @param arg_enabled True to enabled, false to disable. + * + */ + void SetEnabled(bool arg_enabled) { enabled = arg_enabled; } + + /** + * Generates a human-readable description of the component's main + * parameters. This goes into the output of \c "bro -NN". + */ + virtual void Describe(ODesc* d); + +private: + std::string name; // The analyzer's name. + factory_callback factory; // The analyzer's factory callback. + bool partial; // True if the analyzer supports partial connections. + analyzer::Tag tag; // The automatically assigned analyzer tag. + bool enabled; // True if the analyzer is enabled. + + // Global counter used to generate unique tags. + static analyzer::Tag::type_t type_counter; +}; + +} + +#endif diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 060595aea2..e30976b9e3 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc 
@@ -16,8 +16,8 @@ using namespace analyzer; -ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, - uint16 _resp_p, uint16 _proto) +Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp, + uint16 _resp_p, uint16 _proto) { if ( _orig == IPAddr(string("0.0.0.0")) ) // don't use the IPv4 mapping, use the literal unspecified address @@ -25,21 +25,37 @@ ExpectedConn::ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, orig = IPAddr(string("::")); else orig = _orig; + resp = _resp; resp_p = _resp_p; proto = _proto; } -ExpectedConn::ExpectedConn(const ExpectedConn& c) +Manager::ConnIndex::ConnIndex() { - orig = c.orig; - resp = c.resp; - resp_p = c.resp_p; - proto = c.proto; + orig = resp = IPAddr("0.0.0.0"); + resp_p = 0; + proto = 0; + } + +bool Manager::ConnIndex::operator<(const ConnIndex& other) const + { + if ( orig != other.orig ) + return orig < other.orig; + + if ( resp != other.resp ) + return resp < other.resp; + + if ( proto != other.proto ) + return proto < other.proto; + + if ( resp_p != other.resp_p ) + return resp_p < other.resp_p; + + return false; } Manager::Manager() - : expected_conns_queue(AssignedAnalyzer::compare) { tag_enum_type = new EnumType("Analyzer::Tag"); ::ID* id = install_ID("Tag", "Analyzer", true, true); 
@@ -58,26 +74,19 @@ Manager::~Manager() analyzers_by_port_tcp.clear(); // Clean up expected-connection table. - while ( expected_conns_queue.size() ) + while ( conns_by_timeout.size() ) { - AssignedAnalyzer* a = expected_conns_queue.top(); - if ( ! a->deleted ) - { - HashKey* key = BuildExpectedConnHashKey(a->conn); - expected_conns.Remove(key); - delete key; - } - - expected_conns_queue.pop(); + ScheduledAnalyzer* a = conns_by_timeout.top(); + conns_by_timeout.pop(); delete a; } } void Manager::Init() { - std::list analyzers = plugin_mgr->Components(plugin::component::ANALYZER); + std::list analyzers = plugin_mgr->Components(plugin::component::ANALYZER); - for ( std::list::const_iterator i = analyzers.begin(); i != analyzers.end(); i++ ) + for ( std::list::const_iterator i = analyzers.begin(); i != analyzers.end(); i++ ) RegisterAnalyzerComponent(*i); // Caache these tags. @@ -91,12 +100,12 @@ void Manager::Init() void Manager::DumpDebug() { #ifdef DEBUG - DBG_LOG(DBG_DPD, "Available analyzers after bro_init():"); + DBG_LOG(DBG_ANALYZER, "Available analyzers after bro_init():"); for ( analyzer_map_by_name::const_iterator i = analyzers_by_name.begin(); i != analyzers_by_name.end(); i++ ) - DBG_LOG(DBG_DPD, " %s (%s)", i->second->Name().c_str(), IsEnabled(i->second->Tag()) ? "enabled" : "disabled"); + DBG_LOG(DBG_ANALYZER, " %s (%s)", i->second->Name().c_str(), IsEnabled(i->second->Tag()) ? "enabled" : "disabled"); - DBG_LOG(DBG_DPD, ""); - DBG_LOG(DBG_DPD, "Analyzers by port:"); + DBG_LOG(DBG_ANALYZER, ""); + DBG_LOG(DBG_ANALYZER, "Analyzers by port:"); for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_tcp.begin(); i != analyzers_by_port_tcp.end(); i++ ) { 
@@ -105,7 +114,7 @@ void Manager::DumpDebug() for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) s += GetAnalyzerName(*j) + " "; - DBG_LOG(DBG_DPD, " %d/tcp: %s", i->first, s.c_str()); + DBG_LOG(DBG_ANALYZER, " %d/tcp: %s", i->first, s.c_str()); } for ( analyzer_map_by_port::const_iterator i = analyzers_by_port_udp.begin(); i != analyzers_by_port_udp.end(); i++ ) @@ -115,15 +124,15 @@ void Manager::DumpDebug() for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) s += GetAnalyzerName(*j) + " "; - DBG_LOG(DBG_DPD, " %d/udp: %s", i->first, s.c_str()); + DBG_LOG(DBG_ANALYZER, " %d/udp: %s", i->first, s.c_str()); } #if 0 ODesc d; tag_enum_type->Describe(&d); - DBG_LOG(DBG_DPD, ""); - DBG_LOG(DBG_DPD, "Analyzer::Tag type: %s", d.Description()); + DBG_LOG(DBG_ANALYZER, ""); + DBG_LOG(DBG_ANALYZER, "Analyzer::Tag type: %s", d.Description()); #endif #endif 
@@ -133,35 +142,35 @@ void Manager::Done() { } -void Manager::RegisterAnalyzerComponent(PluginComponent* component) +void Manager::RegisterAnalyzerComponent(Component* component) { if ( Lookup(component->Name()) ) reporter->FatalError("Analyzer %s defined more than once", component->Name().c_str()); - DBG_LOG(DBG_DPD, "Registering analyzer %s (tag %s)", + DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)", component->Name().c_str(), component->Tag().AsString().c_str()); analyzers_by_name.insert(std::make_pair(component->Name(), component)); analyzers_by_tag.insert(std::make_pair(component->Tag(), component)); - analyzers_by_val.insert(std::make_pair(component->Tag().Val()->InternalInt(), component)); + analyzers_by_val.insert(std::make_pair(component->Tag().AsEnumVal()->InternalInt(), component)); // Install enum "Analyzer::ANALYZER_*" string name = to_upper(component->Name()); string id = fmt("ANALYZER_%s", name.c_str()); - tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().Val()->InternalInt(), true); + tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().AsEnumVal()->InternalInt(), true); } bool Manager::EnableAnalyzer(Tag tag) { - PluginComponent* p = Lookup(tag); + Component* p = Lookup(tag); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to enable non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to enable non-existing analyzer"); return false; } - DBG_LOG(DBG_DPD, "Enabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); p->SetEnabled(true); return true; 
@@ -169,15 +178,15 @@ bool Manager::EnableAnalyzer(Tag tag) bool Manager::EnableAnalyzer(EnumVal* val) { - PluginComponent* p = Lookup(val); + Component* p = Lookup(val); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to enable non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to enable non-existing analyzer"); return false; } - DBG_LOG(DBG_DPD, "Enabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); p->SetEnabled(true); return true; @@ -185,15 +194,15 @@ bool Manager::EnableAnalyzer(EnumVal* val) bool Manager::DisableAnalyzer(Tag tag) { - PluginComponent* p = Lookup(tag); + Component* p = Lookup(tag); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to disable non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to disable non-existing analyzer"); return false; } - DBG_LOG(DBG_DPD, "Disabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); p->SetEnabled(false); return true; @@ -201,15 +210,15 @@ bool Manager::DisableAnalyzer(Tag tag) bool Manager::DisableAnalyzer(EnumVal* val) { - PluginComponent* p = Lookup(val); + Component* p = Lookup(val); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to disable non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to disable non-existing analyzer"); return false; } - DBG_LOG(DBG_DPD, "Disabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); p->SetEnabled(false); return true; @@ -220,11 +229,11 @@ bool Manager::IsEnabled(Tag tag) if ( ! tag ) return false; - PluginComponent* p = Lookup(tag); + Component* p = Lookup(tag); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to check non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to check non-existing analyzer"); return false; } 
@@ -233,11 +242,11 @@ bool Manager::IsEnabled(Tag tag) bool Manager::IsEnabled(EnumVal* val) { - PluginComponent* p = Lookup(val); + Component* p = Lookup(val); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to check non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to check non-existing analyzer"); return false; } @@ -247,11 +256,11 @@ bool Manager::IsEnabled(EnumVal* val) bool Manager::RegisterAnalyzerForPort(EnumVal* val, PortVal* port) { - PluginComponent* p = Lookup(val); + Component* p = Lookup(val); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to register port for non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to register port for non-existing analyzer"); return false; } @@ -260,11 +269,11 @@ bool Manager::RegisterAnalyzerForPort(EnumVal* val, PortVal* port) bool Manager::UnregisterAnalyzerForPort(EnumVal* val, PortVal* port) { - PluginComponent* p = Lookup(val); + Component* p = Lookup(val); if ( ! p ) { - DBG_LOG(DBG_DPD, "Asked to unregister port fork non-existing analyzer"); + DBG_LOG(DBG_ANALYZER, "Asked to unregister port fork non-existing analyzer"); return false; } @@ -277,7 +286,7 @@ bool Manager::RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port #ifdef DEBUG std::string name = GetAnalyzerName(tag); - DBG_LOG(DBG_DPD, "Registering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); + DBG_LOG(DBG_ANALYZER, "Registering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); #endif l->insert(tag); @@ -290,7 +299,7 @@ bool Manager::UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 po #ifdef DEBUG std::string name = GetAnalyzerName(tag); - DBG_LOG(DBG_DPD, "Unregistering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); + DBG_LOG(DBG_ANALYZER, "Unregistering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); #endif l->erase(tag); 
@@ -299,7 +308,7 @@ bool Manager::UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 po Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) { - PluginComponent* c = Lookup(tag); + Component* c = Lookup(tag); if ( ! c ) reporter->InternalError("request to instantiate unknown analyzer"); @@ -329,7 +338,7 @@ const string& Manager::GetAnalyzerName(Tag tag) if ( ! tag ) return error; - PluginComponent* c = Lookup(tag); + Component* c = Lookup(tag); if ( ! c ) reporter->InternalError("request for name of unknown analyzer tag %s", tag.AsString().c_str()); @@ -344,14 +353,14 @@ const string& Manager::GetAnalyzerName(Val* val) Tag Manager::GetAnalyzerTag(const string& name) { - PluginComponent* c = Lookup(name); - return c ? c->Tag() : Tag::ERROR; + Component* c = Lookup(name); + return c ? c->Tag() : Tag(); } Tag Manager::GetAnalyzerTag(const char* name) { - PluginComponent* c = Lookup(name); - return c ? c->Tag() : Tag::ERROR; + Component* c = Lookup(name); + return c ? c->Tag() : Tag(); } EnumType* Manager::GetTagEnumType() 
@@ -359,26 +368,25 @@ EnumType* Manager::GetTagEnumType() return tag_enum_type; } - -PluginComponent* Manager::Lookup(const string& name) +Component* Manager::Lookup(const string& name) { analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); return i != analyzers_by_name.end() ? i->second : 0; } -PluginComponent* Manager::Lookup(const char* name) +Component* Manager::Lookup(const char* name) { analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); return i != analyzers_by_name.end() ? i->second : 0; } -PluginComponent* Manager::Lookup(const Tag& tag) +Component* Manager::Lookup(const Tag& tag) { analyzer_map_by_tag::const_iterator i = analyzers_by_tag.find(tag); return i != analyzers_by_tag.end() ? i->second : 0; } -PluginComponent* Manager::Lookup(EnumVal* val) +Component* Manager::Lookup(EnumVal* val) { analyzer_map_by_val::const_iterator i = analyzers_by_val.find(val->InternalInt()); return i != analyzers_by_val.end() ? i->second : 0; 
@@ -419,69 +427,39 @@ Manager::tag_set* Manager::LookupPort(PortVal* val, bool add_if_not_found) return LookupPort(val->PortType(), val->Port(), add_if_not_found); } -Tag Manager::GetExpected(int proto, const Connection* conn) - { - if ( ! expected_conns.Length() ) - return Tag::ERROR; - - ExpectedConn c(conn->OrigAddr(), conn->RespAddr(), - ntohs(conn->RespPort()), proto); - - HashKey* key = BuildExpectedConnHashKey(c); - AssignedAnalyzer* a = expected_conns.Lookup(key); - delete key; - - if ( ! a ) - { - // Wildcard for originator. - c.orig = IPAddr(string("::")); - - HashKey* key = BuildExpectedConnHashKey(c); - a = expected_conns.Lookup(key); - delete key; - } - - if ( ! a ) - return Tag::ERROR; - - // We don't delete it here. It will be expired eventually. - return a->analyzer; - } - -bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, - const u_char* data) +bool Manager::BuildInitialAnalyzerTree(Connection* conn) { Analyzer* analyzer = 0; TCP_Analyzer* tcp = 0; UDP_Analyzer* udp = 0; ICMP_Analyzer* icmp = 0; TransportLayerAnalyzer* root = 0; - Tag expected = Tag::ERROR; + tag_set expected; PIA* pia = 0; bool analyzed = false; bool check_port = false; - switch ( proto ) { + switch ( conn->ConnTransport() ) { case TRANSPORT_TCP: root = tcp = new TCP_Analyzer(conn); pia = new PIA_TCP(conn); - expected = GetExpected(proto, conn); + expected = GetScheduled(conn); check_port = true; - DBG_DPD(conn, "activated TCP analyzer"); + DBG_ANALYZER(conn, "activated TCP analyzer"); break; case TRANSPORT_UDP: root = udp = new UDP_Analyzer(conn); pia = new PIA_UDP(conn); - expected = GetExpected(proto, conn); + expected = GetScheduled(conn); check_port = true; - DBG_DPD(conn, "activated UDP analyzer"); + DBG_ANALYZER(conn, "activated UDP analyzer"); break; case TRANSPORT_ICMP: { root = icmp = new ICMP_Analyzer(conn); - DBG_DPD(conn, "activated ICMP analyzer"); + DBG_ANALYZER(conn, "activated ICMP analyzer"); analyzed = true; break; } 
@@ -492,34 +470,34 @@ bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, if ( ! root ) { - DBG_DPD(conn, "cannot build analyzer tree"); + DBG_ANALYZER(conn, "cannot build analyzer tree"); return false; } // Any scheduled analyzer? - if ( expected ) + for ( tag_set::iterator i = expected.begin(); i != expected.end(); i++ ) { - Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(expected, conn); + Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(*i, conn); if ( analyzer ) { root->AddChildAnalyzer(analyzer, false); - DBG_DPD_ARGS(conn, "activated %s analyzer as scheduled", - analyzer_mgr->GetAnalyzerName(expected).c_str()); + DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled", + analyzer_mgr->GetAnalyzerName(*i).c_str()); } - // Hmm... Do we want *just* the expected analyzer, or all - // other potential analyzers as well? For now we only take - // the scheduled one. } - else + // Hmm... Do we want *just* the expected analyzer, or all + // other potential analyzers as well? For now we only take + // the scheduled ones. + if ( expected.size() == 0 ) { // Let's see if it's a port we know. if ( check_port && ! dpd_ignore_ports ) { int resp_port = ntohs(conn->RespPort()); - tag_set* ports = LookupPort(proto, resp_port, false); + tag_set* ports = LookupPort(conn->ConnTransport(), resp_port, false); if ( ports ) { @@ -531,7 +509,7 @@ bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, continue; root->AddChildAnalyzer(analyzer, false); - DBG_DPD_ARGS(conn, "activated %s analyzer due to port %d", + DBG_ANALYZER_ARGS(conn, "activated %s analyzer due to port %d", analyzer_mgr->GetAnalyzerName(*j).c_str(), resp_port); } } 
@@ -622,78 +600,116 @@ bool Manager::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, if ( ! analyzed ) conn->SetLifetime(non_analyzed_lifetime); - if ( expected != Tag::ERROR ) - conn->Event(expected_connection_seen, 0, - new Val(expected, TYPE_COUNT)); + for ( tag_set::iterator i = expected.begin(); i != expected.end(); i++ ) + conn->Event(scheduled_analyzer_applied, 0, i->AsEnumVal()); return true; } -void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, - uint16 resp_p, - TransportProto proto, Tag analyzer, - double timeout, void* cookie) +void Manager::ExpireScheduledAnalyzers() { - // Use the chance to see if the oldest entry is already expired. - if ( expected_conns_queue.size() ) + if ( ! network_time ) + return; + + while ( conns_by_timeout.size() ) { - AssignedAnalyzer* a = expected_conns_queue.top(); - if ( a->timeout < network_time ) + ScheduledAnalyzer* a = conns_by_timeout.top(); + + if ( a->timeout > network_time ) + return; + + conns_by_timeout.pop(); + + std::pair all = conns.equal_range(a->conn); + + bool found = false; + + for ( conns_map::iterator i = all.first; i != all.second; i++ ) { - if ( ! 
a->deleted ) - { - HashKey* key = BuildExpectedConnHashKey(a->conn); - expected_conns.Remove(key); - delete key; - } + if ( i->second != a ) + continue; - expected_conns_queue.pop(); + conns.erase(i); - DBG_LOG(DBG_DPD, "Expired expected %s analyzer for %s", - analyzer_mgr->GetAnalyzerName(analyzer).c_str(), - fmt_conn_id(a->conn.orig, 0, - a->conn.resp, - a->conn.resp_p)); + DBG_LOG(DBG_ANALYZER, "Expiring expected analyzer %s for connection %s", + analyzer_mgr->GetAnalyzerName(a->analyzer).c_str(), + fmt_conn_id(a->conn.orig, 0, a->conn.resp, a->conn.resp_p)); delete a; + found = true; + break; } + + assert(found); } - - ExpectedConn c(orig, resp, resp_p, proto); - - HashKey* key = BuildExpectedConnHashKey(c); - - AssignedAnalyzer* a = expected_conns.Lookup(key); - - if ( a ) - a->deleted = true; - - a = new AssignedAnalyzer(c); - - a->analyzer = analyzer; - a->cookie = cookie; - a->timeout = network_time + timeout; - a->deleted = false; - - expected_conns.Insert(key, a); - expected_conns_queue.push(a); - delete key; } -void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, +void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, + uint16 resp_p, + TransportProto proto, Tag analyzer, + double timeout) + { + if ( ! network_time ) + { + reporter->Warning("cannot schedule analyzers before processing begins; ignored"); + return; + } + + assert(timeout); + + // Use the chance to see if the oldest entry is already expired. 
+ ExpireScheduledAnalyzers(); + + ScheduledAnalyzer* a = new ScheduledAnalyzer; + a->conn = ConnIndex(orig, resp, resp_p, proto); + a->analyzer = analyzer; + a->timeout = network_time + timeout; + + conns.insert(std::make_pair(a->conn, a)); + conns_by_timeout.push(a); + } + +void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, TransportProto proto, const string& analyzer, - double timeout, void* cookie) + double timeout) { Tag tag = GetAnalyzerTag(analyzer); - if ( tag != Tag::ERROR ) - ExpectConnection(orig, resp, resp_p, proto, tag, timeout, cookie); + if ( tag != Tag() ) + ScheduleAnalyzer(orig, resp, resp_p, proto, tag, timeout); } -void Manager::ExpectConnection(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, - Val* analyzer, double timeout, void* cookie) +void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, + Val* analyzer, double timeout) { EnumVal* ev = analyzer->AsEnumVal(); - return ExpectConnection(orig, resp, resp_p->Port(), resp_p->PortType(), Tag(ev), timeout, cookie); + return ScheduleAnalyzer(orig, resp, resp_p->Port(), resp_p->PortType(), Tag(ev), timeout); + } + +Manager::tag_set Manager::GetScheduled(const Connection* conn) + { + ConnIndex c(conn->OrigAddr(), conn->RespAddr(), + ntohs(conn->RespPort()), conn->ConnTransport()); + + std::pair all = conns.equal_range(c); + + tag_set result; + + for ( conns_map::iterator i = all.first; i != all.second; i++ ) + result.insert(i->second->analyzer); + + // Try wildcard for originator. + c.orig = IPAddr(string("::")); + all = conns.equal_range(c); + + for ( conns_map::iterator i = all.first; i != all.second; i++ ) + { + if ( i->second->timeout > network_time ) + result.insert(i->second->analyzer); + } + + // We don't delete scheduled analyzers here. They will be expired + // eventually. + return result; } diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 33b27ed38a..0284504f35 100644 --- a/src/analyzer/Manager.h 
+++ b/src/analyzer/Manager.h @@ -1,12 +1,28 @@ -// The central management unit for dynamic analyzer selection. - +/** + * The central management unit for registering and instantiating analyzers. + * + * For each protocol that Bro supports, there's one class derived from + * analyzer::Analyzer. Once we have decided that a connection's payload is to + * be parsed as a given protocol, we instantiate the corresponding + * analyzer-derived class and add the new instance as a child node into the + * connection's analyzer tree. + * + * In addition to the analyzer-derived class itself, for each protocol + * there's also "meta-class" derived from analyzer::Component that describes + * the analyzer, including status information on if that particular protocol + * analysis is currently enabled. + * + * To identify an analyzer (or to be precise: a component), the manager + * maintains mappings of (1) analyzer::Tag to component, and (2) + * human-readable analyzer name to component. + */ #ifndef ANALYZER_MANAGER_H #define ANALYZER_MANAGER_H #include #include "Analyzer.h" -#include "PluginComponent.h" +#include "Component.h" #include "Tag.h" #include "../Dict.h" 
@@ -15,139 +31,333 @@ namespace analyzer { -// Manager debug logging, which includes the connection id into the message. -#ifdef DEBUG -# define DBG_DPD(conn, txt) \ - DBG_LOG(DBG_DPD, "%s " txt, \ - fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ - conn->RespAddr(), ntohs(conn->RespPort()))); -# define DBG_DPD_ARGS(conn, fmt, args...) \ - DBG_LOG(DBG_DPD, "%s " fmt, \ - fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ - conn->RespAddr(), ntohs(conn->RespPort())), ##args); -#else -# define DBG_DPD(conn, txt) -# define DBG_DPD_ARGS(conn, fmt, args...) -#endif - -// Map index to assign expected connections to analyzers. -class ExpectedConn { -public: - ExpectedConn(const IPAddr& _orig, const IPAddr& _resp, - uint16 _resp_p, uint16 _proto); - - ExpectedConn(const ExpectedConn& c); - - IPAddr orig; - IPAddr resp; - uint16 resp_p; - uint16 proto; -}; - -// Associates an analyzer for an expected future connection. -class AssignedAnalyzer { -public: - AssignedAnalyzer(const ExpectedConn& c) - : conn(c) { } - - ExpectedConn conn; - Tag analyzer; - double timeout; - void* cookie; - bool deleted; - - static bool compare(const AssignedAnalyzer* a1, const AssignedAnalyzer* a2) - { return a1->timeout > a2->timeout; } -}; - -declare(PDict, AssignedAnalyzer); - +/** + * Class maintaining and scheduling available protocol analyzers. + * + * The manager maintains a registry of all available protocol analyzers, + * including a mapping between their textual names and analyzer::Tag. It + * instantantiates new analyzers on demand. For new connections, the manager + * sets up their initial analyzer tree, including adding the right \c PIA, + * respecting well-known ports, and tracking any analyzers specifically + * scheduled for individidual connections. + */ class Manager { public: + /** + * Constructor. + */ Manager(); + + /** + * Destructor. + */ ~Manager(); - void Init(); // Called before script's are parsed. + /** + * Initializes the manager's operation. 
Must be called before scripts + * are parsed. + */ + void Init(); + + /** + * Finished the manager's operations. + */ void Done(); + + /** + * Dumps out the state of all registered analyzers to the \c analyzer + * debug stream. Should be called only after any \c bro_init events + * have executed to ensure that any of their changes are applied. + */ void DumpDebug(); // Called after bro_init() events. + /** + * Enables an analyzer type. Only enabled analyzers will be + * instantiated for new connections. + * + * @param tag The analyzer's tag. + * + * @return True if sucessful. + */ bool EnableAnalyzer(Tag tag); + + /** + * Enables an analyzer type. Only enabled analyzers will be + * instantiated for new connections. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + * + * @return True if sucessful. + */ bool EnableAnalyzer(EnumVal* tag); + /** + * Enables an analyzer type. Disabled analyzers will not be + * instantiated for new connections. + * + * @param tag The analyzer's tag. + * + * @return True if sucessful. + */ bool DisableAnalyzer(Tag tag); + + /** + * Enables an analyzer type. Disabled analyzers will not be + * instantiated for new connections. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + * + * @return True if sucessful. + */ bool DisableAnalyzer(EnumVal* tag); + /** + * Returns true if an analyzer is enabled. + * + * @param tag The analyzer's tag. + */ bool IsEnabled(Tag tag); + + /** + * Returns true if an analyzer is enabled. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + */ bool IsEnabled(EnumVal* tag); + /** + * Registers a well-known port for an analyzer. Once registered, + * connection on that port will start with a corresponding analyzer + * assigned. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + * + * @param port The well-known port. + * + * @return True if sucessful. 
+ */ bool RegisterAnalyzerForPort(EnumVal* tag, PortVal* port); + + /** + * Registers a well-known port for an analyzer. Once registered, + * connection on that port will start with a corresponding analyzer + * assigned. + * + * @param tag The analyzer's tag. + * + * @param proto The port's protocol. + * + * @param port The port's number. + * + * @return True if sucessful. + */ bool RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); + /** + * Unregisters a well-known port for an anlyzers. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + * + * @param port The well-known port. + * + * @return True if sucessful (incl. when the port wasn't actually + * registered for the analyzer). + * + */ bool UnregisterAnalyzerForPort(EnumVal* tag, PortVal* port); + + /** + * Unregisters a well-known port for an anlyzers. + * + * @param tag The analyzer's tag. + * + * @param proto The port's protocol. + * + * @param port The port's number. + * + * @param tag The analyzer's tag as an enum of script type \c + * Analyzer::Tag. + */ bool UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); + /** + * Instantiates a new analyzer instance for a connection. + * + * @param tag The analyzer's tag. + * + * @param conn The connection the analyzer is to be associated with. + * + * @return The new analyzer instance. Note that the analyzer will not + * have been added to the connection's analyzer tree yet. Returns + * null if tag is invalid or the requested analyzer is disabled. + */ Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled or not available. + + /** + * Instantiates a new analyzer instance for a connection. + * + * @param name The name of the analyzer. + * + * @param conn The connection the analyzer is to be associated with. + * + * @return The new analyzer instance. Note that the analyzer will not + * have been added to the connection's analyzer tree yet. 
Returns + * null if the name is not known or if the requested analyzer that is + * disabled. + */ Analyzer* InstantiateAnalyzer(const char* name, Connection* c); // Null if disabled or not available. + /** + * Translates an analyzer tag into corresponding analyzer name. + * + * @param tag The analyzer tag. + * + * @return The name, or an empty string if the tag is invalid. + */ const string& GetAnalyzerName(Tag tag); - const string& GetAnalyzerName(Val* val); - Tag GetAnalyzerTag(const string& name); // Tag::ERROR when not known. - Tag GetAnalyzerTag(const char* name); // Tag::ERROR when not known. + /** + * Translates an script-level analyzer tag into corresponding + * analyzer name. + * + * @param val The analyzer tag as an script-level enum value of type + * \c Analyzer::Tag. + * + * @return The name, or an empty string if the tag is invalid. + */ + const string& GetAnalyzerName(Val* val); + + /** + * Translates an analyzer name into the corresponding tag. + * + * @param name The name. + * + * @return The tag. If the name does not correspond to a valid + * analyzer, the returned tag will evaluate to false. + */ + Tag GetAnalyzerTag(const string& name); + + /** + * Translates an analyzer name into the corresponding tag. + * + * @param name The name. + * + * @return The tag. If the name does not correspond to a valid + * analyzer, the returned tag will evaluate to false. + */ + Tag GetAnalyzerTag(const char* name); + + /** + * Returns the enum type that corresponds to the script-level type \c + * Analyzer::Tag. + */ EnumType* GetTagEnumType(); - // Given info about the first packet, build initial analyzer tree. - // - // It would be more flexible if we simply pass in the IP header and - // then extract the information we need. However, when this method - // is called from the session management, protocol and ports have - // already been extracted there and it would be a waste to do it - // again. 
- // - // Returns 0 if we can't build a tree (e.g., because the necessary - // analyzers have not been converted to the Manager framework yet...) - bool BuildInitialAnalyzerTree(TransportProto proto, Connection* conn, - const u_char* data); + /** + * Given the first packet of a connection, builds its initial + * analyzer tree. + * + * @param conn The connection to add the initial set of analyzers to. + * + * @return False if the tree cannot be build; that's usually an + * internally error. + */ + bool BuildInitialAnalyzerTree(Connection* conn); - // Schedules a particular analyzer for an upcoming connection. 0 acts - // as a wildcard for orig. (Cookie is currently unused. Eventually, - // we may pass it on to the analyzer). - void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, - TransportProto proto, Tag analyzer, - double timeout, void* cookie); + /** + * Schedules a particular analyzer for an upcoming connection. Once + * the connection is seen, BuildInitAnalyzerTree() will add the + * specified analyzer to its tree. + * + * @param orig The connection's anticipated originator address. + * 0.0.0.0 can be used as a wildcard matching any originator. + * + * @param resp The connection's anticipated responder address (no + * wilcard). + * + * @param resp_p The connection's anticipated responder port. + * + * @param proto The connection's anticipated transport protocol. + * + * @param analyzer The analyzer to use once the connection is seen. + * + * @param timeout An interval after which to timeout the request to + * schedule this analyzer. Must be non-zero. + */ + void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, + TransportProto proto, Tag analyzer, double timeout); - void ExpectConnection(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, + /** + * Schedules a particular analyzer for an upcoming connection. Once + * the connection is seen, BuildInitAnalyzerTree() will add the + * specified analyzer to its tree. 
+ * + * @param orig The connection's anticipated originator address. 0 can + * be used as a wildcard matching any originator. + * + * @param resp The The connection's anticipated responder address (no + * wilcard). + * + * @param resp_p The connection's anticipated responder port. + * + * @param proto The connection's anticipated transport protocol. + * + * @param analyzer The name of the analyzer to use once the + * connection is seen. + * + * @param timeout An interval after which to timeout the request to + * schedule this analyzer. Must be non-zero. + */ + void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, TransportProto proto, const string& analyzer, - double timeout, void* cookie); + double timeout); - void ExpectConnection(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, - Val* val, double timeout, void* cookie); - - // Activates signature matching for protocol detection. (Called when - // an Manager signatures is found.) - void ActivateSigs() { sigs_activated = true; } - bool SigsActivated() const { return sigs_activated; } + /** + * Schedules a particular analyzer for an upcoming connection. Once + * the connection is seen, BuildInitAnalyzerTree() will add the + * specified analyzer to its tree. + * + * @param orig The connection's anticipated originator address. 0 can + * be used as a wildcard matching any originator. + * + * @param resp The connection's anticipated responder address (no + * wilcard). + * + * @param resp_p The connection's anticipated responder port. + * + * @param analyzer The analyzer to use once the connection is seen as + * an enum value of script-type \c Analyzer::Tag. + * + * @param timeout An interval after which to timeout the request to + * schedule this analyzer. Must be non-zero. 
+ */ + void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal* resp_p, + Val* analyzer, double timeout); private: typedef set tag_set; - typedef map analyzer_map_by_name; - typedef map analyzer_map_by_tag; - typedef map analyzer_map_by_val; + typedef map analyzer_map_by_name; + typedef map analyzer_map_by_tag; + typedef map analyzer_map_by_val; typedef map analyzer_map_by_port; - void RegisterAnalyzerComponent(PluginComponent* component); // Takes ownership. + void RegisterAnalyzerComponent(Component* component); // Takes ownership. - PluginComponent* Lookup(const string& name); - PluginComponent* Lookup(const char* name); - PluginComponent* Lookup(const Tag& tag); - PluginComponent* Lookup(EnumVal* val); + Component* Lookup(const string& name); + Component* Lookup(const char* name); + Component* Lookup(const Tag& tag); + Component* Lookup(EnumVal* val); tag_set* LookupPort(PortVal* val, bool add_if_not_found); tag_set* LookupPort(TransportProto proto, uint32 port, bool add_if_not_found); - // Return analyzer if any has been scheduled with ExpectConnection() - // Tag::::Error if none. - Tag GetExpected(int proto, const Connection* conn); + tag_set GetScheduled(const Connection* conn); + void ExpireScheduledAnalyzers(); analyzer_map_by_port analyzers_by_port_tcp; analyzer_map_by_port analyzers_by_port_udp; 
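Review bot: the Doxygen comments for both DisableAnalyzer() overloads open with "Enables an analyzer type" (copied from EnableAnalyzer); they should read "Disables an analyzer type. Disabled analyzers will not be instantiated for new connections." Further down the same hunk: UnregisterAnalyzerForPort(Tag, TransportProto, uint32) documents @param tag twice and has no @return, while its EnumVal/PortVal sibling does; both InstantiateAnalyzer() comments describe @param conn but the parameter is named c; all three ScheduleAnalyzer() comments refer to BuildInitAnalyzerTree(), which does not exist (the method is BuildInitialAnalyzerTree()); and the originator wildcard is described as 0.0.0.0 in one overload and 0 in the other two, so pick one. ActivateSigs()/SigsActivated() and sigs_activated are removed with nothing in the new interface replacing them, so it is worth confirming where signature-based protocol detection gets switched on now. Typos: instantantiates, individidual, sucessful, anlyzers, "Finished the manager's operations", "cannot be build; that's usually an internally error".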
@@ -163,21 +373,62 @@ private: EnumType* tag_enum_type; - // True if signature-matching has been activated. - bool sigs_activated; + //// Data structures to track analyzed scheduled for future connections. - PDict(AssignedAnalyzer) expected_conns; + // The index for a scheduled connection. + struct ConnIndex { + IPAddr orig; + IPAddr resp; + uint16 resp_p; + uint16 proto; - typedef priority_queue< - AssignedAnalyzer*, - vector, - bool (*)(const AssignedAnalyzer*, - const AssignedAnalyzer*)> conn_queue; - conn_queue expected_conns_queue; + ConnIndex(const IPAddr& _orig, const IPAddr& _resp, + uint16 _resp_p, uint16 _proto); + ConnIndex(); + + bool operator<(const ConnIndex& other) const; + }; + + // Information associated with a scheduled connection. + struct ScheduledAnalyzer { + ConnIndex conn; + Tag analyzer; + double timeout; + + struct Comparator { + bool operator() (ScheduledAnalyzer* a, ScheduledAnalyzer* b) { + return a->timeout > b->timeout; + } + }; + }; + + typedef std::multimap conns_map; + typedef std::priority_queue, + ScheduledAnalyzer::Comparator> conns_queue; + + conns_map conns; + conns_queue conns_by_timeout; }; } extern analyzer::Manager* analyzer_mgr; +// Macros for anayzer debug logging which include the connection id into the +// message. +#ifdef DEBUG +# define DBG_ANALYZER(conn, txt) \ + DBG_LOG(DBG_ANALYZER, "%s " txt, \ + fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ + conn->RespAddr(), ntohs(conn->RespPort()))); +# define DBG_ANALYZER_ARGS(conn, fmt, args...) \ + DBG_LOG(DBG_ANALYZER, "%s " fmt, \ + fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \ + conn->RespAddr(), ntohs(conn->RespPort())), ##args); +#else +# define DBG_ANALYZER(conn, txt) +# define DBG_ANALYZER_ARGS(conn, fmt, args...) +#endif + #endif diff --git a/src/analyzer/PluginComponent.cc b/src/analyzer/PluginComponent.cc deleted file mode 100644 index fed3ca225a..0000000000 --- a/src/analyzer/PluginComponent.cc +++ /dev/null 
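Review bot: ScheduledAnalyzer drops the `deleted` flag that AssignedAnalyzer carried, yet the same object is referenced from both `conns` (the multimap) and `conns_by_timeout` (the priority queue). Once GetScheduled() consumes an entry from `conns`, the queue still holds a raw pointer to it, so ExpireScheduledAnalyzers() must either recognise that the entry is gone (a flag, or a lookup back into `conns` before dereferencing) or the entry must only be freed when it is popped from the queue; otherwise the expiry pass touches freed memory. A one-line ownership comment next to the two typedefs would pin this down. Also, "Data structures to track analyzed scheduled for future connections" should read "analyzers scheduled".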
@@ -1,37 +0,0 @@ - -#include "PluginComponent.h" - -#include "../Desc.h" - -using namespace analyzer; - -Tag::type_t PluginComponent::type_counter = 0; - -PluginComponent::PluginComponent(std::string arg_name, factory_callback arg_factory, bool arg_enabled, bool arg_partial) - : Component(plugin::component::ANALYZER) - { - name = arg_name; - factory = arg_factory; - enabled = arg_enabled; - partial = arg_partial; - - tag = analyzer::Tag(++type_counter, 0); - } - -PluginComponent::PluginComponent(std::string arg_name, Tag::subtype_t arg_stype, factory_callback arg_factory, bool arg_enabled, bool arg_partial) - : Component(plugin::component::ANALYZER) - { - name = arg_name; - factory = arg_factory; - enabled = arg_enabled; - partial = arg_partial; - - tag = analyzer::Tag(++type_counter, arg_stype); - } - -void PluginComponent::Describe(ODesc* d) - { - plugin::Component::Describe(d); - d->Add(name); - } - diff --git a/src/analyzer/PluginComponent.h b/src/analyzer/PluginComponent.h deleted file mode 100644 index baad63f9f8..0000000000 --- a/src/analyzer/PluginComponent.h +++ /dev/null 
@@ -1,51 +0,0 @@ - -#ifndef ANALYZER_PLUGIN_COMPONENT_H -#define ANALYZER_PLUGIN_COMPONENT_H - -#include - -#include "../config.h" -#include "../util.h" - -#include "plugin/Component.h" -#include "Tag.h" - -class Connection; - -namespace analyzer { - -class Analyzer; - -// This can be copied by value. -class PluginComponent : public plugin::Component { -public: - typedef bool (*available_callback)(); - typedef Analyzer* (*factory_callback)(Connection* conn); - - PluginComponent(std::string name, factory_callback factory, bool enabled, bool partial); - PluginComponent(std::string name, Tag::subtype_t subtype, factory_callback factory, bool enabled, bool partial); - - const std::string& Name() const { return name; } - factory_callback Factory() const { return factory; } - bool Partial() const { return partial; } - bool Enabled() const { return enabled; } - analyzer::Tag Tag() const { return tag; } - - void SetEnabled(bool arg_enabled) { enabled = arg_enabled; } - - virtual void Describe(ODesc* d); - -private: - std::string name; - factory_callback factory; - bool partial; - - analyzer::Tag tag; - bool enabled; - - static analyzer::Tag::type_t type_counter; -}; - -} - -#endif diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc index fbf1bcd2b7..0b765742dc 100644 --- a/src/analyzer/Tag.cc +++ b/src/analyzer/Tag.cc @@ -6,11 +6,10 @@ using namespace analyzer; -Tag Tag::ERROR; - Tag::Tag(type_t arg_type, subtype_t arg_subtype) { assert(arg_type > 0); + type = arg_type; subtype = arg_subtype; int64_t i = (int64)(type) | ((int64)subtype << 31); @@ -23,6 +22,7 @@ Tag::Tag(type_t arg_type, subtype_t arg_subtype) Tag::Tag(EnumVal* arg_val) { assert(val); + val = arg_val; Ref(val); @@ -37,7 +37,7 @@ Tag::Tag(const Tag& other) : type(other.type), subtype(other.subtype) subtype = other.subtype; val = other.val; - if ( val ) + if ( val ) Ref(val); } @@ -48,7 +48,7 @@ Tag::Tag() val = 0; } -EnumVal* Tag::Val() +EnumVal* Tag::AsEnumVal() const { if ( ! val ) { 
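Review bot: in Tag::Tag(EnumVal* arg_val), the added `val = arg_val;` lands after `assert(val);`, so the assertion tests the not-yet-initialised member rather than the argument; it should be `assert(arg_val);` (the sibling constructor gets this right with `assert(arg_type > 0)`). The `if ( val )` change in the copy constructor is whitespace-only and could be left out of this patch.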
@@ -66,4 +66,3 @@ std::string Tag::AsString() const { return fmt("%" PRIu32 "/%" PRIu32, type, subtype); } - diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index dab8563982..90a6804dc4 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -2,14 +2,6 @@ #ifndef ANALYZER_TAG_H #define ANALYZER_TAG_H -// Each kind of analyzer gets a tag consisting of a main type and subtype. -// The former is an identifier that's unique all analyzer classes. The latter -// is passed through analyzer instances, yet not further interpreted by the -// analyzer infrastructure; it allows an analyzer to branch out into a set of -// sub-analyzers internally. Jointly, main type and subtype form an analyzer -// "tag". Each unique tag corresponds to a single "analyzer" from the user's -// perspective. - #include "config.h" #include "util.h" 
@@ -17,41 +9,129 @@ class EnumVal; namespace analyzer { -/// This has supports all operations to be used as a map index. +class Manager; +class Component; + +/** + * Class to identify an analyzdr type. + * + * Each analyzer type gets a tag consisting of a main type and subtype. The + * former is an identifier that's unique all analyzer classes. The latter is + * passed through to the analyzer instances for their use, yet not further + * interpreted by the analyzer infrastructure; it allows an analyzer to + * branch out into a set of sub-analyzers internally. Jointly, main type and + * subtype form an analyzer "tag". Each unique tag corresponds to a single + * "analyzer" from the user's perspective. At the script layer, these tags + * are mapped into enums of type \c Analyzer::Tag. Internally, the + * analyzer::Mangager maintains the mapping of tag to analyzer (and it also + * assigns them their main types), and analyzer::Component creates new + * tags. + * + * The Tag class supports all operations necessary to act at the index in a + * \c std::map. + */ class Tag { public: + /** + * Type for the analyzer's main type. + */ typedef uint32 type_t; + + /** + * Type for the analyzer's subtype. + */ typedef uint32 subtype_t; - Tag(type_t type, subtype_t subtype = 0); - Tag(EnumVal* val); + /* + * Copy constructor. + */ Tag(const Tag& other); - Tag(); // Tag::ERROR value + /** + * Default constructor. This initializes the tag with an error value + * that will make \c operator \c bool return false. + */ + Tag(); + + /** + * Returns the tag's main type. + */ type_t Type() const { return type; } + + /** + * Returns the tag's subtype. + */ subtype_t Subtype() const { return subtype; } - // Returns an identifying integer for this tag that's guaranteed to - // be unique across all tags. - EnumVal* Val(); + /** + * Returns the \c Analyzer::Tag enum that corresponds to this tag. + * The returned value is \a does not have its ref-count increased. 
+ */ + EnumVal* AsEnumVal() const; + /** + * Returns the numerical values for main and subtype inside a string + * suitable for printing. This is primarily for debugging. + */ std::string AsString() const; + /** + * Returns false if the tag represents an error value rather than a + * legal analyzer type. + */ operator bool() const { return *this != Tag(); } - bool operator==(const Tag& other) const { return type == other.type && subtype == other.subtype; } - bool operator!=(const Tag& other) const { return type != other.type || subtype != other.subtype; } + + /** + * Compares two tags for equality. + */ + bool operator==(const Tag& other) const + { + return type == other.type && subtype == other.subtype; + } + + /** + * Compares two tags for inequality. + */ + bool operator!=(const Tag& other) const + { + return type != other.type || subtype != other.subtype; + } + + /** + * Compares two tags for less-than relationship. + */ bool operator<(const Tag& other) const { return type != other.type ? type < other.type : (subtype < other.subtype); } +protected: + friend class analyzer::Manager; + friend class analyzer::Component; - static Tag ERROR; + /** + * Constructor. Note + * + * @param type The main type. Note that the \a analyzer::Manager + * manages the value space internally, so noone else should assign + * any main tyoes. + * + * @param subtype The sub type, which is left to an analyzer for + * interpretation. By default it's set to zero. + */ + Tag(type_t type, subtype_t subtype = 0); + + /** + * Constructor. + * + * @param val An enuam value of script type \c Analyzer::Tag. + */ + Tag(EnumVal* val); private: - type_t type; - subtype_t subtype; - EnumVal* val; + type_t type; // Main type. + subtype_t subtype; // Subtype. + mutable EnumVal* val; // Analyzer::Tag value. }; } diff --git a/src/event.bif b/src/event.bif index fbc02ef8b5..65ff3a5731 100644 --- a/src/event.bif +++ b/src/event.bif 
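Review bot: the comment above the copy constructor opens with `/*` rather than `/**`, so Doxygen will skip it, unlike every other member here. The protected `Tag(type_t, subtype_t)` comment stops mid-sentence ("Constructor. Note"), and the AsEnumVal() comment reads "The returned value is \a does not have its ref-count increased"; presumably "The returned value does not have its ref-count increased", which matters because a caller that keeps the pointer must Ref() it. With the constructors now protected and only Manager and Component as friends, a sentence on the constructor itself saying that only those two are meant to mint tags would save readers the trip to the class comment. Typos: analyzdr, Mangager, tyoes, enuam, noone, "unique all analyzer classes" (missing "across").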
@@ -134,7 +134,7 @@ event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection_contents partial_connection +## scheduled_analyzer_applied new_connection_contents partial_connection ## ## .. note:: ## @@ -168,7 +168,7 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%); ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection partial_connection +## scheduled_analyzer_applied new_connection partial_connection event new_connection_contents%(c: connection%); ## Generated for an unsuccessful connection attempt. This event is raised when @@ -183,7 +183,7 @@ event new_connection_contents%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_attempt%(c: connection%); 
@@ -199,7 +199,7 @@ event connection_attempt%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_established%(c: connection%); @@ -215,7 +215,7 @@ event connection_established%(c: connection%); ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection new_connection_contents +## scheduled_analyzer_applied new_connection new_connection_contents ## event partial_connection%(c: connection%); @@ -231,7 +231,7 @@ event partial_connection%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_partial_close%(c: connection%); 
@@ -244,7 +244,7 @@ event connection_partial_close%(c: connection%); ## connection_established connection_external connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_finished%(c: connection%); @@ -258,7 +258,7 @@ event connection_finished%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_half_finished%(c: connection%); @@ -270,7 +270,7 @@ event connection_half_finished%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## c: The connection. 
@@ -294,7 +294,7 @@ event connection_rejected%(c: connection%); ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection new_connection_contents +## scheduled_analyzer_applied new_connection new_connection_contents ## partial_connection event connection_reset%(c: connection%); @@ -306,7 +306,7 @@ event connection_reset%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection bro_done event connection_pending%(c: connection%); @@ -323,7 +323,7 @@ event connection_pending%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection udp_inactivity_timeout ## tcp_inactivity_timeout icmp_inactivity_timeout conn_stats event connection_state_remove%(c: connection%); 
@@ -339,7 +339,7 @@ event connection_state_remove%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## .. note:: @@ -360,7 +360,7 @@ event connection_SYN_packet%(c: connection, pkt: SYN_packet%); ## connection_established connection_external connection_finished ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## .. note:: @@ -379,7 +379,7 @@ event connection_first_ACK%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused -## connection_state_remove connection_status_update expected_connection_seen +## connection_state_remove connection_status_update scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## .. note:: 
@@ -402,7 +402,7 @@ event connection_timeout%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_reused%(c: connection%); @@ -416,7 +416,7 @@ event connection_reused%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused -## connection_state_remove connection_timeout expected_connection_seen +## connection_state_remove connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_status_update%(c: connection%); @@ -446,7 +446,7 @@ event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: co ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_EOF%(c: connection, is_orig: bool%); 
@@ -481,7 +481,7 @@ event connection_external%(c: connection, tag: string%); ## ## .. todo:: We don't have a good way to document the automatically generated ## ``ANALYZER_*`` constants right now. -event expected_connection_seen%(c: connection, a: count%); +event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%); ## Generated for every packet Bro sees. This is a very low-level and expensive ## event that should be avoided when at all possible. It's usually infeasible to diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index f10d6adf45..f132927560 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -2,7 +2,7 @@ #ifndef PLUGIN_MACROS_H #define PLUGIN_MACROS_H -#include "analyzer/PluginComponent.h" +#include "analyzer/Component.h" #define BRO_PLUGIN_VERSION_BUILTIN -1 #define BRO_PLUGIN_API_VERSION 1 @@ -36,7 +36,10 @@ std::list > __bif_##file##_init(); \ AddBifInitFunction(&__bif_##file##_init); -#define BRO_PLUGIN_ANALYZER(tag, factory, enabled, partial) \ - AddComponent(new ::analyzer::PluginComponent(tag, factory, enabled, partial)); +#define BRO_PLUGIN_ANALYZER(tag, factory) \ + AddComponent(new ::analyzer::Component(tag, factory)); + +#define BRO_PLUGIN_ANALYZER_EXT(tag, factory, enabled, partial) \ + AddComponent(new ::analyzer::Component(tag, factory, 0, enabled, partial)); #endif diff --git a/src/protocols/BuiltInAnalyzers.cc b/src/protocols/BuiltInAnalyzers.cc index 0c96ab17e4..ff7bd11c1c 100644 --- a/src/protocols/BuiltInAnalyzers.cc +++ b/src/protocols/BuiltInAnalyzers.cc @@ -3,7 +3,7 @@ // analyzers into separate plugins. #include "BuiltInAnalyzers.h" -#include "analyzer/PluginComponent.h" +#include "analyzer/Component.h" #include "../binpac_bro.h" 
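Review bot: the renamed event now takes `a: Analyzer::Tag`, but the `.. todo::` immediately above it still says the auto-generated ``ANALYZER_*`` constants cannot be documented; with the enum type in the signature that todo is obsolete and should be removed or reworded to point at Analyzer::Tag. The other hunks in this file only update the cross-reference lists, which is fine; the event's own description above the todo should be checked for leftover "expected connection" wording to match the new name.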
@@ -47,8 +47,13 @@ using namespace analyzer; BuiltinAnalyzers builtin_analyzers; -#define DEFINE_ANALYZER(name, factory, enabled, partial) \ - AddComponent(new PluginComponent(name, factory, enabled, partial)) +#define DEFINE_ANALYZER(name, factory) \ + AddComponent(new Component(name, factory)) + +#define DEFINE_ANALYZER_VERSION_BINPAC(name, factory) \ + AddComponent(new Component(name, factory, 0, FLAGS_use_binpac)) +#define DEFINE_ANALYZER_VERSION_NON_BINPAC(name, factory) \ + AddComponent(new Component(name, factory, 0, ! FLAGS_use_binpac)) void BuiltinAnalyzers::Init() { 
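Review bot: DEFINE_ANALYZER_VERSION_BINPAC / DEFINE_ANALYZER_VERSION_NON_BINPAC pass `0` and `FLAGS_use_binpac` positionally into Component(name, factory, 0, enabled), mirroring BRO_PLUGIN_ANALYZER_EXT in plugin/Macros.h, which hard-codes subtype 0 and relies on argument order; a short comment naming the positional parameters (subtype, enabled) next to these macros would stop a later edit from swapping them. These local DEFINE_* macros also duplicate BRO_PLUGIN_ANALYZER / BRO_PLUGIN_ANALYZER_EXT; the built-in plugin could use those directly instead of carrying a second copy.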
@@ -58,72 +63,69 @@ void BuiltinAnalyzers::Init() desc.version = BRO_PLUGIN_VERSION_BUILTIN; SetDescription(desc); - DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer); + DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer); - DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer, ! FLAGS_use_binpac, false); - DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer, true, false); - // DEFINE_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, ! 
FLAGS_use_binpac, false); - DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("LOGIN", 0, true, false); // just a base class - DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("NETBIOSSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("RPC", 0, true, false); - DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER_VERSION_NON_BINPAC("DNS", DNS_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("LOGIN", 0); // just a base class + DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("NETBIOSSSN", 
NetbiosSSN_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("RPC", 0); + DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("DNS_TCP_BINPAC", DNS_TCP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); - DEFINE_ANALYZER("DNS_UDP_BINPAC", DNS_UDP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); - // DEFINE_ANALYZER("HTTP_BINPAC", HTTP_Analyzer_binpac::InstantiateAnalyzer, FLAGS_use_binpac, false); - // DEFINE_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer); + DEFINE_ANALYZER_VERSION_BINPAC("DNS_TCP_BINPAC", DNS_TCP_Analyzer_binpac::InstantiateAnalyzer); + DEFINE_ANALYZER_VERSION_BINPAC("DNS_UDP_BINPAC", DNS_UDP_Analyzer_binpac::InstantiateAnalyzer); + DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer); + DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("TEREDO", 
Teredo_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer, true, false); - DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer, true, false); + DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("CONTENTS", 0, true, false); - DEFINE_ANALYZER("CONTENTLINE", 0, true, false); - DEFINE_ANALYZER("NVT", 0, true, false); - DEFINE_ANALYZER("ZIP", 0, true, false); - DEFINE_ANALYZER("CONTENTS_DNS", 0, true, false); - DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0, true, false); - DEFINE_ANALYZER("CONTENTS_NCP", 0, true, false); - DEFINE_ANALYZER("CONTENTS_RLOGIN", 0, true, false); - DEFINE_ANALYZER("CONTENTS_RSH", 0, true, false); - DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0, true, false); - DEFINE_ANALYZER("CONTENTS_SMB", 0, true, false); - DEFINE_ANALYZER("CONTENTS_RPC", 0, true, false); - DEFINE_ANALYZER("CONTENTS_NFS", 0, true, false); - 
DEFINE_ANALYZER("FTP_ADAT", 0, true, false); + DEFINE_ANALYZER("CONTENTS", 0); + DEFINE_ANALYZER("CONTENTLINE", 0); + DEFINE_ANALYZER("NVT", 0); + DEFINE_ANALYZER("ZIP", 0); + DEFINE_ANALYZER("CONTENTS_DNS", 0); + DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0); + DEFINE_ANALYZER("CONTENTS_NCP", 0); + DEFINE_ANALYZER("CONTENTS_RLOGIN", 0); + DEFINE_ANALYZER("CONTENTS_RSH", 0); + DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0); + DEFINE_ANALYZER("CONTENTS_SMB", 0); + DEFINE_ANALYZER("CONTENTS_RPC", 0); + DEFINE_ANALYZER("CONTENTS_NFS", 0); + DEFINE_ANALYZER("FTP_ADAT", 0); } diff --git a/src/protocols/http/HTTP.cc b/src/protocols/http/HTTP.cc index 2812f3662b..d5d911bbc6 100644 --- a/src/protocols/http/HTTP.cc +++ b/src/protocols/http/HTTP.cc @@ -17,7 +17,7 @@ BRO_PLUGIN_BEGIN(HTTP) BRO_PLUGIN_DESCRIPTION = "HTTP Analyzer"; - BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer, true, false); + BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/protocols/ssl/Plugin.cc b/src/protocols/ssl/Plugin.cc index 3e42ae0c32..fb47c9b946 100644 --- a/src/protocols/ssl/Plugin.cc +++ b/src/protocols/ssl/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SSL) BRO_PLUGIN_DESCRIPTION = "SSL Analyzer"; - BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer, true, false); + BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index b476306ae6..0482b574f8 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
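Review bot: in the `BuiltinAnalyzers::Init()` hunk the name-only entries (`LOGIN`, `RPC`, `CONTENTS`, `CONTENTLINE`, `NVT`, `ZIP`, the `CONTENTS_*` family and `FTP_ADAT`) keep passing `0` as the factory, so `Component` and anything that instantiates an analyzer by tag must tolerate a null factory; the single `// just a base class` comment on `LOGIN` does not cover the rest, so either repeat it or add a dedicated `DEFINE_ANALYZER_TAG_ONLY(name)` macro that makes the intent explicit. The conditional registrations survive correctly: `DNS` through `DEFINE_ANALYZER_VERSION_NON_BINPAC` and `DNS_TCP_BINPAC`/`DNS_UDP_BINPAC` through `DEFINE_ANALYZER_VERSION_BINPAC` carry the old `! FLAGS_use_binpac` / `FLAGS_use_binpac` values. The commented-out `HTTP`, `HTTP_BINPAC` and `SSL` lines are dropped rather than converted, which is fine only because the `src/protocols/http/HTTP.cc` and `src/protocols/ssl/Plugin.cc` hunks that follow register HTTP and SSL through `BRO_PLUGIN_ANALYZER`; `HTTP_BINPAC` gets no replacement, so make sure no script or BIF still refers to that tag.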
@@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-03-26-20-58-03 +#open 2013-04-01-19-44-31 #fields name #types string scripts/base/init-bare.bro - build/src/base/const.bif.bro - build/src/base/types.bif.bro - build/src/base/strings.bif.bro - build/src/base/bro.bif.bro - build/src/base/reporter.bif.bro - build/src/base/event.bif.bro + build/scripts/base/bif/const.bif.bro + build/scripts/base/bif/types.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/event.bif.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/./main.bro - build/src/base/logging.bif.bro + build/scripts/base/bif/logging.bif.bro scripts/base/frameworks/logging/./postprocessors/__load__.bro scripts/base/frameworks/logging/./postprocessors/./scp.bro scripts/base/frameworks/logging/./postprocessors/./sftp.bro @@ -25,12 +25,16 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/./writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/./main.bro - build/src/base/input.bif.bro + build/scripts/base/bif/input.bif.bro scripts/base/frameworks/input/./readers/ascii.bro scripts/base/frameworks/input/./readers/raw.bro scripts/base/frameworks/input/./readers/benchmark.bro scripts/base/frameworks/analyzer/__load__.bro scripts/base/frameworks/analyzer/./main.bro - build/src/base/analyzer.bif.bro + build/scripts/base/bif/analyzer.bif.bro + build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./HTTP.events.bif.bro + build/scripts/base/bif/plugins/./HTTP.functions.bif.bro + build/scripts/base/bif/plugins/./SSL.events.bif.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-03-26-20-58-03 +#close 2013-04-01-19-44-31 
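Review bot: apart from the `build/src/base/*.bif.bro` to `build/scripts/base/bif/*.bif.bro` path move and the four new `plugins/` entries, this hunk only rewrites the `#open` and `#close` timestamps. For a file already named `canonified_loaded_scripts.log` those two lines should be stripped by the canonifier (or by the test's diff filter); otherwise every regeneration of the baseline yields a spurious diff, as the default-load baseline that follows shows again.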
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index ddcae1d0eb..390040ab4a 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-03-26-20-58-16 +#open 2013-04-01-19-44-38 #fields name #types string scripts/base/init-bare.bro - build/src/base/const.bif.bro - build/src/base/types.bif.bro - build/src/base/strings.bif.bro - build/src/base/bro.bif.bro - build/src/base/reporter.bif.bro - build/src/base/event.bif.bro + build/scripts/base/bif/const.bif.bro + build/scripts/base/bif/types.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/event.bif.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/./main.bro - build/src/base/logging.bif.bro + build/scripts/base/bif/logging.bif.bro scripts/base/frameworks/logging/./postprocessors/__load__.bro scripts/base/frameworks/logging/./postprocessors/./scp.bro scripts/base/frameworks/logging/./postprocessors/./sftp.bro 
@@ -25,13 +25,17 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/./writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/./main.bro - build/src/base/input.bif.bro + build/scripts/base/bif/input.bif.bro scripts/base/frameworks/input/./readers/ascii.bro scripts/base/frameworks/input/./readers/raw.bro scripts/base/frameworks/input/./readers/benchmark.bro scripts/base/frameworks/analyzer/__load__.bro scripts/base/frameworks/analyzer/./main.bro - build/src/base/analyzer.bif.bro + build/scripts/base/bif/analyzer.bif.bro + build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./HTTP.events.bif.bro + build/scripts/base/bif/plugins/./HTTP.functions.bif.bro + build/scripts/base/bif/plugins/./SSL.events.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/./patterns.bro @@ -122,4 +126,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-03-26-20-58-16 +#close 2013-04-01-19-44-38 diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output b/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output new file mode 100644 index 0000000000..69285a4dbe --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output 
@@ -0,0 +1,5 @@ +APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_DNS +APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_FTP +APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_SSH +APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_HTTP +APPLIED:, 1299499195.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=8/tcp], Analyzer::ANALYZER_DNS diff --git a/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro b/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro new file mode 100644 index 0000000000..e67a4fa82b --- /dev/null +++ b/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro 
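Review bot: the expected output holds only the five entries scheduled with `100hrs`, and nothing distinguishes "expired after `1sec`" from "never matched" for the SSH/7/tcp, HTTP/8/tcp and FTP/9/tcp calls in the accompanying schedule-analyzer.bro, so the expiry path is covered only by the absence of lines. Two places in that script need a comment: the `Make sure expiration executes` remark sits on a MODBUS call that itself uses `100hrs` and does not say what is meant to expire or when, and the `0.0.0.0` originator in the FTP call is the one case exercising wildcard matching (it surfaces here as `orig_h=10.0.0.2`). Also trim the run of empty `+` lines at the end of the new script.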
@@ -0,0 +1,36 @@ +# +# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT >output +# @TEST-EXEC: btest-diff output + +global x = 0; + +event new_connection(c: connection) + { + # Make sure expiration executes. + Analyzer::schedule_analyzer(1.2.3.4, 1.2.3.4, 8/tcp, Analyzer::ANALYZER_MODBUS, 100hrs); + + if ( x > 0 ) + return; + + x = 1; + + Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_SSH, 100hrs); + Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_HTTP, 100hrs); + Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_DNS, 100hrs); + Analyzer::schedule_analyzer(0.0.0.0, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_FTP, 100hrs); + + Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 7/tcp, Analyzer::ANALYZER_SSH, 1sec); + Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 8/tcp, Analyzer::ANALYZER_HTTP, 1sec); + Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 8/tcp, Analyzer::ANALYZER_DNS, 100hrs); + Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 9/tcp, Analyzer::ANALYZER_FTP, 1sec); + } + +event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) + { + print "APPLIED:", network_time(), c$id, a; + } + + + + + From bfda42b9e929e5a9dcefa8333690d51a8a14e03a Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Wed, 3 Apr 2013 13:38:08 -0700 Subject: [PATCH 07/70] Removing legacy binpac analyzer for DNS and HTTP. --- scripts/base/protocols/dns/main.bro | 12 +- src/CMakeLists.txt | 9 - src/DNS-binpac.cc | 90 -------- src/DNS-binpac.h | 60 ----- src/Sessions.cc | 2 - src/dns-analyzer.pac | 343 ---------------------------- src/dns-protocol.pac | 215 ----------------- src/dns.pac | 9 - src/dns_tcp.pac | 45 ---- src/protocols/BuiltInAnalyzers.cc | 10 +- src/protocols/http/HTTP.h | 2 +- src/protocols/unused/HTTP-binpac.cc | 46 ---- src/protocols/unused/HTTP-binpac.h | 28 --- 13 files changed, 5 insertions(+), 866 deletions(-) delete mode 100644 src/DNS-binpac.cc delete mode 100644 src/DNS-binpac.h delete mode 100644 src/dns-analyzer.pac delete mode 100644 src/dns-protocol.pac delete mode 100644 src/dns.pac delete mode 100644 src/dns_tcp.pac delete mode 100644 src/protocols/unused/HTTP-binpac.cc delete mode 100644 src/protocols/unused/HTTP-binpac.h diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index 6279ba4dab..f1264a9f52 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro 
@@ -117,19 +117,13 @@ redef capture_filters += { ["netbios-ns"] = "udp port 137", }; -const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp }; -const dns_tcp_ports = { 53/tcp }; - -redef likely_server_ports += { dns_udp_ports, dns_tcp_ports }; +const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]); - - Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_tcp_ports); - Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, dns_udp_ports); - Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports); - Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports); } function new_session(c: connection, trans_id: count): Info diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 5109f71105..e847255258 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -144,14 +144,8 @@ binpac_target(dce_rpc_simple.pac dce_rpc-protocol.pac epmapper.pac) binpac_target(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac) -binpac_target(dns.pac - dns-protocol.pac dns-analyzer.pac) -binpac_target(dns_tcp.pac - dns.pac) binpac_target(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac) -# binpac_target(http.pac -# http-protocol.pac http-analyzer.pac) binpac_target(ncp.pac) binpac_target(netflow.pac netflow-protocol.pac netflow-analyzer.pac) @@ -159,8 +153,6 @@ binpac_target(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac) binpac_target(socks.pac socks-protocol.pac socks-analyzer.pac) -# binpac_target(ssl.pac -# ssl-defs.pac ssl-protocol.pac ssl-analyzer.pac) binpac_target(syslog.pac syslog-protocol.pac syslog-analyzer.pac) binpac_target(modbus.pac @@ -258,7 +250,6 @@ set(bro_SRCS DFA.cc DHCP-binpac.cc DNS.cc - DNS-binpac.cc DNS_Mgr.cc DbgBreakpoint.cc DbgHelp.cc 
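Review bot: in the main.bro hunk neither the removed `dns_udp_ports`/`dns_tcp_ports` nor the new merged `ports` set carries `&redef`; now that port configuration is the analyzer framework's job, this is the place to add it so a site can register additional DNS ports without editing the base script. Merging TCP and UDP into one set is fine for `Analyzer::register_for_ports`, and `likely_server_ports` ends up with the same five members. In the CMakeLists.txt hunks the commented-out `http.pac` and `ssl.pac` targets go away together with the real `dns.pac`/`dns_tcp.pac` ones, which is fine provided the HTTP and SSL plugins under `src/protocols/` build their own binpac targets; this patch does not show that.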
diff --git a/src/DNS-binpac.cc b/src/DNS-binpac.cc deleted file mode 100644 index 4ab84d1cfe..0000000000 --- a/src/DNS-binpac.cc +++ /dev/null 
@@ -1,90 +0,0 @@ -#include "DNS-binpac.h" -#include "TCP_Reassembler.h" - -DNS_UDP_Analyzer_binpac::DNS_UDP_Analyzer_binpac(Connection* conn) -: Analyzer("DNS_UDP_BINPAC", conn) - { - interp = new binpac::DNS::DNS_Conn(this); - did_session_done = 0; - ADD_ANALYZER_TIMER(&DNS_UDP_Analyzer_binpac::ExpireTimer, - network_time + dns_session_timeout, 1, TIMER_DNS_EXPIRE); - } - -DNS_UDP_Analyzer_binpac::~DNS_UDP_Analyzer_binpac() - { - delete interp; - } - -void DNS_UDP_Analyzer_binpac::Done() - { - Analyzer::Done(); - - if ( ! did_session_done ) - Event(udp_session_done); - } - -void DNS_UDP_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) - { - Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); - interp->NewData(orig, data, data + len); - } - -void DNS_UDP_Analyzer_binpac::ExpireTimer(double t) - { - // The - 1.0 in the following is to allow 1 second for the - // common case of a single request followed by a single reply, - // so we don't needlessly set the timer twice in that case. 
- if ( t - Conn()->LastTime() >= dns_session_timeout - 1.0 || terminating ) - { - Event(connection_timeout); - sessions->Remove(Conn()); - } - else - ADD_ANALYZER_TIMER(&DNS_UDP_Analyzer_binpac::ExpireTimer, - t + dns_session_timeout, 1, TIMER_DNS_EXPIRE); - } - -DNS_TCP_Analyzer_binpac::DNS_TCP_Analyzer_binpac(Connection* conn) -: TCP_ApplicationAnalyzer("DNS_TCP_BINPAC", conn) - { - interp = new binpac::DNS_on_TCP::DNS_TCP_Conn(this); - } - -DNS_TCP_Analyzer_binpac::~DNS_TCP_Analyzer_binpac() - { - delete interp; - } - -void DNS_TCP_Analyzer_binpac::Done() - { - TCP_ApplicationAnalyzer::Done(); - - interp->FlowEOF(true); - interp->FlowEOF(false); - } - -void DNS_TCP_Analyzer_binpac::EndpointEOF(bool is_orig) - { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); - interp->FlowEOF(is_orig); - } - -void DNS_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data, - bool orig) - { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); - - assert(TCP()); - - if ( TCP()->IsPartial() || TCP()->HadGap(orig) ) - // punt-on-partial or stop-on-gap. - return; - - interp->NewData(orig, data, data + len); - } - -void DNS_TCP_Analyzer_binpac::Undelivered(int seq, int len, bool orig) - { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); - interp->NewGap(orig, len); - } diff --git a/src/DNS-binpac.h b/src/DNS-binpac.h deleted file mode 100644 index 2f241b89ae..0000000000 --- a/src/DNS-binpac.h +++ /dev/null 
@@ -1,60 +0,0 @@ -#ifndef dns_binpac_h -#define dns_binpac_h - -#include "UDP.h" -#include "TCP.h" - -#include "dns_pac.h" - -// FIXME: As the binpac analyer for DNS-TCP and DNS-UDP are currently -// structured, we cannot directly combine them into one analyzer. Can we -// change that easily? (Ideally, the TCP preprocessing would become a -// support-analyzer as it is done for the traditional DNS analyzer.) - -class DNS_UDP_Analyzer_binpac : public analyzer::Analyzer { -public: - DNS_UDP_Analyzer_binpac(Connection* conn); - virtual ~DNS_UDP_Analyzer_binpac(); - - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - int seq, const IP_Hdr* ip, int caplen); - - static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new DNS_UDP_Analyzer_binpac(conn); } - - static bool Available() - { return (dns_request || dns_full_request) && FLAGS_use_binpac; } - -protected: - friend class AnalyzerTimer; - void ExpireTimer(double t); - - int did_session_done; - - binpac::DNS::DNS_Conn* interp; -}; - -#include "dns_tcp_pac.h" - -class DNS_TCP_Analyzer_binpac : public TCP_ApplicationAnalyzer { -public: - DNS_TCP_Analyzer_binpac(Connection* conn); - virtual ~DNS_TCP_Analyzer_binpac(); - - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(int seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); - - static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new DNS_TCP_Analyzer_binpac(conn); } - - static bool Available() - { return (dns_request || dns_full_request) && FLAGS_use_binpac; } - -protected: - binpac::DNS_on_TCP::DNS_TCP_Conn* interp; -}; - -#endif diff --git a/src/Sessions.cc b/src/Sessions.cc index 782bf4c496..dc3f54efe6 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -19,8 +19,6 @@ #include "ICMP.h" #include "UDP.h" -#include "DNS-binpac.h" - #include "SteppingStone.h" #include "BackDoor.h" #include "InterConn.h" 
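Review bot: deleting DNS-binpac.h removes the last `Available()` checks that read `FLAGS_use_binpac`, so the `DEFINE_ANALYZER_VERSION_BINPAC` / `DEFINE_ANALYZER_VERSION_NON_BINPAC` registrations for `DNS`, `DNS_TCP_BINPAC` and `DNS_UDP_BINPAC` added earlier in this series become dead unless they are removed as well; the diffstat lists `src/protocols/BuiltInAnalyzers.cc` with 10 changed lines, which presumably does that, but the `FLAGS_use_binpac` option itself should be dropped too if nothing else consumes it. The deleted DNS-binpac.cc also carried the UDP `ExpireTimer` that removes the connection via `sessions->Remove(Conn())` after `dns_session_timeout`; confirm the surviving DNS analyzer has an equivalent so UDP DNS sessions are not kept until the generic UDP inactivity timeout.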
diff --git a/src/dns-analyzer.pac b/src/dns-analyzer.pac deleted file mode 100644 index e92b6ef709..0000000000 --- a/src/dns-analyzer.pac +++ /dev/null 
@@ -1,343 +0,0 @@ -%extern{ -#include -%} - -%code{ -int add_to_name_buffer(DNS_name* name, char* buf, const int buf_n, int buf_i) - { - for ( int i = 0; i < int(name->labels()->size()); ++i ) - { - DNS_label* label = (*name->labels())[i]; - if ( label->label_type() == 0 ) - { - bytestring const &label_str = label->label(); - if ( buf_i > 0 && buf_i < buf_n ) - buf[buf_i++] = '.'; - BINPAC_ASSERT(buf_i + label_str.length() <= buf_n); - memcpy(buf + buf_i, label_str.begin(), - label_str.length()); - buf_i += label_str.length(); - } - else if ( label->label_type() == 3 ) - { - return add_to_name_buffer(label->ptr(), buf, - buf_n, buf_i); - } - } - - return buf_i; - } - -StringVal* name_to_val(DNS_name* name) - { - char name_buf[520]; - int n = add_to_name_buffer(name, name_buf, sizeof(name_buf), 0); - if ( n > 0 ) - --n; // remove the trailing '.' - - BINPAC_ASSERT(n < int(sizeof(name_buf))); - - name_buf[n] = 0; - for ( int i = 0; i < n; ++i ) - if ( isupper(name_buf[i]) ) - name_buf[i] = tolower(name_buf[i]); - - return new StringVal(name_buf); - } -%} - -connection DNS_Conn(bro_analyzer: BroAnalyzer) -{ - upflow = DNS_Flow; - downflow = DNS_Flow; -}; - -flow DNS_Flow -{ - datagram = DNS_message withcontext(connection, this); - - %member{ - set pointer_set; - BroVal dns_msg_val_; - %} - - %init{ - dns_msg_val_ = 0; - %} - - %cleanup{ - Unref(dns_msg_val_); - dns_msg_val_ = 0; - %} - - # Return a byte segment starting at in the original message. 
- function get_pointer(msgdata: const_bytestring, - offset: int): const_bytestring - %{ - if ( offset < 0 || offset >= msgdata.length() ) - return const_bytestring(0, 0); - - if ( pointer_set.find(offset) != pointer_set.end() ) - throw Exception("DNS pointer loop!"); - - pointer_set.insert(offset); - return const_bytestring(msgdata.begin() + offset, msgdata.end()); - %} - - function reset_pointer_set(): bool - %{ - pointer_set.clear(); - return true; - %} - - function process_dns_header(hdr: DNS_header): bool - %{ - Unref(dns_msg_val_); - - RecordVal* r = new RecordVal(dns_msg); - - r->Assign(0, new Val(${hdr.id}, TYPE_COUNT)); - r->Assign(1, new Val(${hdr.opcode}, TYPE_COUNT)); - r->Assign(2, new Val(${hdr.rcode}, TYPE_COUNT)); - r->Assign(3, new Val(${hdr.qr}, TYPE_BOOL)); - r->Assign(4, new Val(${hdr.aa}, TYPE_BOOL)); - r->Assign(5, new Val(${hdr.tc}, TYPE_BOOL)); - r->Assign(6, new Val(${hdr.rd}, TYPE_BOOL)); - r->Assign(7, new Val(${hdr.ra}, TYPE_BOOL)); - r->Assign(8, new Val(${hdr.z}, TYPE_COUNT)); - - r->Assign(9, new Val(${hdr.qdcount}, TYPE_COUNT)); - r->Assign(10, new Val(${hdr.ancount}, TYPE_COUNT)); - r->Assign(11, new Val(${hdr.nscount}, TYPE_COUNT)); - r->Assign(12, new Val(${hdr.arcount}, TYPE_COUNT)); - - dns_msg_val_ = r; - - return true; - %} - - function process_dns_question(question: DNS_question): bool - %{ - DNS_message* msg = question->msg(); - - if ( msg->header()->qr() == 0 ) - { - BifEvent::generate_dns_request( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - name_to_val(question->qname()), - question->qtype(), - question->qclass()); - } - - else if ( msg->header()->ancount() == 0 && - msg->header()->nscount() == 0 && - msg->header()->arcount() == 0 ) - { - BifEvent::generate_dns_rejected( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - name_to_val(question->qname()), - question->qtype(), - question->qclass()); - } - - return true; - %} - - 
function build_dns_answer(rr: DNS_rr): BroVal - %{ - RecordVal* r = new RecordVal(dns_answer); - - r->Assign(0, new Val(rr->answer_type(), TYPE_COUNT)); - r->Assign(1, name_to_val(rr->rr_name())); - r->Assign(2, new Val(rr->rr_type(), TYPE_COUNT)); - r->Assign(3, new Val(rr->rr_class(), TYPE_COUNT)); - r->Assign(4, new IntervalVal(double(rr->rr_ttl()), Seconds)); - - return r; - %} - - function build_dns_soa(soa: DNS_rdata_SOA): BroVal - %{ - RecordVal* r = new RecordVal(dns_soa); - - r->Assign(0, name_to_val(soa->mname())); - r->Assign(1, name_to_val(soa->rname())); - r->Assign(2, new Val(soa->serial(), TYPE_COUNT)); - r->Assign(3, new IntervalVal(double(soa->refresh()), Seconds)); - r->Assign(4, new IntervalVal(double(soa->retry()), Seconds)); - r->Assign(5, new IntervalVal(double(soa->expire()), Seconds)); - r->Assign(6, new IntervalVal(double(soa->minimum()), Seconds)); - - return r; - %} - - function build_edns_additional(rr: DNS_rr): BroVal - %{ - // We have to treat the additional record type in EDNS - // differently than a regular resource record. 
- RecordVal* r = new RecordVal(dns_edns_additional); - - r->Assign(0, new Val(int(rr->answer_type()), TYPE_COUNT)); - r->Assign(1, name_to_val(rr->rr_name())); - - // Type = 0x29 or 41 = EDNS - r->Assign(2, new Val(rr->rr_type(), TYPE_COUNT)); - - // Sender's UDP payload size, per RFC 2671 4.3 - r->Assign(3, new Val(rr->rr_class(), TYPE_COUNT)); - - // Need to break the TTL field into three components: - // initial: [------------- ttl (32) ---------------------] - // after: [DO][ ext rcode (7)][ver # (8)][ Z field (16)] - - unsigned int ercode = (rr->rr_ttl() & 0xff000000) >> 24; - unsigned int version = (rr->rr_ttl() & 0x00ff0000) >> 16; - unsigned int z = (rr->rr_ttl() & 0x0000ffff); - - int rcode = rr->msg()->header()->rcode(); - unsigned int return_error = (ercode << 8) | rcode; - - r->Assign(4, new Val(return_error, TYPE_COUNT)); - r->Assign(5, new Val(version, TYPE_COUNT)); - r->Assign(6, new Val(z, TYPE_COUNT)); - r->Assign(7, new IntervalVal(double(rr->rr_ttl()), Seconds)); - r->Assign(8, new Val(rr->msg()->header()->qr() == 0, TYPE_COUNT)); - - return r; - %} - - function process_dns_rr(rr: DNS_rr): bool - %{ - const DNS_rdata* rd = rr->rr_rdata(); - - switch ( rr->rr_type() ) { - case TYPE_A: - if ( dns_A_reply ) - { - ::uint32 addr = rd->type_a(); - BifEvent::generate_dns_A_reply(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), build_dns_answer(rr), - new AddrVal(htonl(addr))); - } - break; - - case TYPE_A6: - if ( dns_A6_reply ) - { - ::uint32 addr[4]; - for ( unsigned int i = 0; i < 4; ++i ) - addr[i] = htonl((*rd->type_aaaa())[i]); - - BifEvent::generate_dns_A6_reply(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), build_dns_answer(rr), - new AddrVal(addr)); - } - break; - - case TYPE_AAAA: - if ( dns_AAAA_reply ) - { - ::uint32 addr[4]; - for ( unsigned int i = 0; i < 4; ++i ) - addr[i] = htonl((*rd->type_aaaa())[i]); - - 
BifEvent::generate_dns_AAAA_reply(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), build_dns_answer(rr), - new AddrVal(addr)); - } - break; - - case TYPE_NS: - if ( dns_NS_reply ) - { - BifEvent::generate_dns_NS_reply(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_dns_answer(rr), - name_to_val(rr->rr_rdata()->type_ns())); - } - break; - - case TYPE_CNAME: - if ( dns_CNAME_reply ) - { - BifEvent::generate_dns_CNAME_reply( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_dns_answer(rr), - name_to_val(rr->rr_rdata()->type_cname())); - } - break; - - case TYPE_SOA: - if ( dns_SOA_reply ) - { - BifEvent::generate_dns_SOA_reply( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_dns_answer(rr), - build_dns_soa(rr->rr_rdata()->type_soa())); - } - break; - - case TYPE_PTR: - if ( dns_PTR_reply ) - { - BifEvent::generate_dns_PTR_reply( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_dns_answer(rr), - name_to_val(rr->rr_rdata()->type_ptr())); - } - break; - - case TYPE_MX: - if ( dns_MX_reply ) - { - BifEvent::generate_dns_MX_reply( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_dns_answer(rr), - name_to_val(rr->rr_rdata()->type_mx()->name()), - rr->rr_rdata()->type_mx()->preference()); - } - break; - - case TYPE_EDNS: - if ( dns_EDNS_addl ) - { - BifEvent::generate_dns_EDNS_addl( - connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dns_msg_val_->Ref(), - build_edns_additional(rr)); - } - break; - } - - return true; - %} -}; - -refine typeattr DNS_header += &let { - proc_dns_header = $context.flow.process_dns_header(this); -}; - -refine typeattr DNS_question += &let { - proc_dns_question = $context.flow.process_dns_question(this); -}; - -refine 
typeattr DNS_rr += &let { - proc_dns_rr = $context.flow.process_dns_rr(this); -}; diff --git a/src/dns-protocol.pac b/src/dns-protocol.pac deleted file mode 100644 index fbeb9d0fa3..0000000000 --- a/src/dns-protocol.pac +++ /dev/null 
@@ -1,215 +0,0 @@ -enum DNS_answer_type { - DNS_QUESTION, - DNS_ANSWER, - DNS_AUTHORITY, - DNS_ADDITIONAL, -}; - -enum DNS_rdata_type { - TYPE_A = 1, - TYPE_NS = 2, - TYPE_MD = 3, - TYPE_MF = 4, - TYPE_CNAME = 5, - TYPE_SOA = 6, - TYPE_MB = 7, - TYPE_MG = 8, - TYPE_MR = 9, - TYPE_NULL = 10, - TYPE_WKS = 11, - TYPE_PTR = 12, - TYPE_HINFO = 13, - TYPE_MINFO = 14, - TYPE_MX = 15, - TYPE_TXT = 16, - TYPE_AAAA = 28, # IPv6 (RFC 1886) - TYPE_NBS = 32, # Netbios name (RFC 1002) - TYPE_A6 = 38, # IPv6 with indirection (RFC 2874) - TYPE_EDNS = 41, # < OPT pseudo-RR (RFC 2671) -}; - -# 1 1 1 1 1 1 -# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | ID | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# |QR| Opcode |AA|TC|RD|RA| Z | RCODE | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | QDCOUNT | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | ANCOUNT | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | NSCOUNT | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | ARCOUNT | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -type DNS_header = record { - id : uint16; - qrop : uint16; - qdcount : uint16; - ancount : uint16; - nscount : uint16; - arcount : uint16; -} &let { - qr: bool = qrop >> 15; - opcode: uint8 = (qrop >> 11) & 0xf; - aa: bool = (qrop >> 10) & 0x1; - tc: bool = (qrop >> 9) & 0x1; - rd: bool = (qrop >> 8) & 0x1; - ra: bool = (qrop >> 7) & 0x1; - z: uint8 = (qrop >> 4) & 0x7; - rcode: uint8 = qrop & 0xf; -}; - -type DNS_label(msg: DNS_message) = record { - length: uint8; - data: case label_type of { - 0 -> label: bytestring &length = length; - 3 -> ptr_lo: uint8; - }; -} &let { - label_type: uint8 = length >> 6; - last: bool = (length == 0) || (label_type == 3); - - # A name pointer. 
- ptr: DNS_name(msg) - withinput $context.flow.get_pointer(msg.sourcedata, - ((length & 0x3f) << 8) | ptr_lo) - &if(label_type == 3); - - clear_pointer_set: bool = $context.flow.reset_pointer_set() - &if(last); -}; - -type DNS_name(msg: DNS_message) = record { - labels: DNS_label(msg)[] &until($element.last); -}; - -type DNS_char_string = record { - length: uint8; - data: bytestring &length = length; -}; - -# 1 1 1 1 1 1 -# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | | -# / QNAME / -# / / -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | QTYPE | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | QCLASS | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -type DNS_question(msg: DNS_message) = record { - qname: DNS_name(msg); - qtype: uint16; - qclass: uint16; -}; - -type DNS_rdata_MX(msg: DNS_message) = record { - preference: uint16; - name: DNS_name(msg); -}; - -type DNS_rdata_SOA(msg: DNS_message) = record { - mname: DNS_name(msg); - rname: DNS_name(msg); - serial: uint32; - refresh: uint32; - retry: uint32; - expire: uint32; - minimum: uint32; -}; - -type DNS_rdata_WKS = record { - address: uint32; - protocol: uint8; - bitmap: bytestring &restofdata; -}; - -type DNS_rdata_HINFO = record { - cpu: DNS_char_string; - os: DNS_char_string; -}; - -type DNS_rdata(msg: DNS_message, - rr_type: uint16, - rr_class: uint16) = case rr_type of { - - TYPE_A -> type_a: uint32 &check(rr_class == CLASS_IN); - TYPE_NS -> type_ns: DNS_name(msg); - TYPE_CNAME -> type_cname: DNS_name(msg); - TYPE_SOA -> type_soa: DNS_rdata_SOA(msg); - TYPE_PTR -> type_ptr: DNS_name(msg); - TYPE_MX -> type_mx: DNS_rdata_MX(msg); - TYPE_AAAA, TYPE_A6 - -> type_aaaa: uint32[4]; - - # TYPE_WKS -> type_wks: DNS_rdata_WKS; - # TYPE_HINFO -> type_hinfo: DNS_rdata_HINFO; - # TYPE_TXT -> type_txt: bytestring &restofdata; - - # 3 -> type_md: DNS_rdata_MD; - # 4 -> type_mf: DNS_rdata_MF; - # 7 -> type_mb: DNS_rdata_MB; - # 8 -> type_mg: 
DNS_rdata_MG; - # 9 -> type_mr: DNS_rdata_MR; - # 10 -> type_null: DNS_rdata_NULL; - # 14 -> type_minfo: DNS_rdata_MINFO; - # 32 -> type_nbs: DNS_rdata_NBS; - - default -> unknown: bytestring &restofdata; -}; - -# 1 1 1 1 1 1 -# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | | -# / / -# / NAME / -# | | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | TYPE | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | CLASS | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | TTL | -# | | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ -# | RDLENGTH | -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--| -# / RDATA / -# / / -# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ - -type DNS_rr(msg: DNS_message, answer_type: DNS_answer_type) = record { - rr_name: DNS_name(msg); - rr_type: uint16; - rr_class: uint16; - rr_ttl: uint32; - rr_rdlength: uint16; - rr_rdata: DNS_rdata(msg, rr_type, rr_class) &length = rr_rdlength; -}; - -# +---------------------+ -# | Header | -# +---------------------+ -# | Question | the question for the name server -# +---------------------+ -# | Answer | RRs answering the question -# +---------------------+ -# | Authority | RRs pointing toward an authority -# +---------------------+ -# | Additional | RRs holding additional information -# +---------------------+ - -type DNS_message = record { - header: DNS_header; - question: DNS_question(this)[header.qdcount]; - answer: DNS_rr(this, DNS_ANSWER)[header.ancount]; - authority: DNS_rr(this, DNS_AUTHORITY)[header.nscount]; - additional: DNS_rr(this, DNS_ADDITIONAL)[header.arcount]; -} &byteorder = bigendian, &exportsourcedata; diff --git a/src/dns.pac b/src/dns.pac deleted file mode 100644 index aeffdf0bc7..0000000000 --- a/src/dns.pac +++ /dev/null @@ -1,9 +0,0 @@ -%include bro.pac - -analyzer DNS withcontext { - connection: DNS_Conn; - flow: DNS_Flow; -}; - -%include dns-protocol.pac -%include dns-analyzer.pac 
diff --git a/src/dns_tcp.pac b/src/dns_tcp.pac deleted file mode 100644 index d31ff58c6e..0000000000 --- a/src/dns_tcp.pac +++ /dev/null @@ -1,45 +0,0 @@ -%extern{ -#include "dns_pac.h" // for DNS_Conn -%} - -%include bro.pac - -analyzer DNS_on_TCP withcontext { - connection: DNS_TCP_Conn; - flow: DNS_TCP_Flow; -}; - -type DNS_TCP_PDU(is_orig: bool) = record { - msglen: uint16; - msg: bytestring &length = msglen; -} &byteorder = bigendian, &length = 2 + msglen, &let { - deliver: bool = $context.connection.deliver_dns_message(is_orig, msg); -}; - -connection DNS_TCP_Conn(bro_analyzer: BroAnalyzer) { - upflow = DNS_TCP_Flow(true); - downflow = DNS_TCP_Flow(false); - - %member{ - DNS::DNS_Conn *abstract_dns_connection_; - %} - - %init{ - abstract_dns_connection_ = new DNS::DNS_Conn(bro_analyzer); - %} - - %cleanup{ - delete abstract_dns_connection_; - abstract_dns_connection_ = 0; - %} - - function deliver_dns_message(is_orig: bool, msg: const_bytestring): bool - %{ - abstract_dns_connection_->NewData(is_orig, msg.begin(), msg.end()); - return true; - %} -}; - -flow DNS_TCP_Flow(is_orig: bool) { - flowunit = DNS_TCP_PDU(is_orig) withcontext(connection, this); -}; diff --git a/src/protocols/BuiltInAnalyzers.cc b/src/protocols/BuiltInAnalyzers.cc index ff7bd11c1c..39e8eefac0 100644 --- a/src/protocols/BuiltInAnalyzers.cc +++ b/src/protocols/BuiltInAnalyzers.cc @@ -21,7 +21,6 @@ #include "FTP.h" #include "FileAnalyzer.h" #include "DNS.h" -#include "DNS-binpac.h" #include "DHCP-binpac.h" #include "Telnet.h" #include "Rlogin.h" @@ -50,11 +49,6 @@ BuiltinAnalyzers builtin_analyzers; #define DEFINE_ANALYZER(name, factory) \ AddComponent(new Component(name, factory)) -#define DEFINE_ANALYZER_VERSION_BINPAC(name, factory) \ - AddComponent(new Component(name, factory, 0, FLAGS_use_binpac)) -#define DEFINE_ANALYZER_VERSION_NON_BINPAC(name, factory) \ - AddComponent(new Component(name, factory, 0, ! FLAGS_use_binpac)) - void BuiltinAnalyzers::Init() { plugin::Description desc; 
@@ -74,7 +68,7 @@ void BuiltinAnalyzers::Init() DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER_VERSION_NON_BINPAC("DNS", DNS_Analyzer::InstantiateAnalyzer); + DEFINE_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer); @@ -96,8 +90,6 @@ void BuiltinAnalyzers::Init() DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer); - DEFINE_ANALYZER_VERSION_BINPAC("DNS_TCP_BINPAC", DNS_TCP_Analyzer_binpac::InstantiateAnalyzer); - DEFINE_ANALYZER_VERSION_BINPAC("DNS_UDP_BINPAC", DNS_UDP_Analyzer_binpac::InstantiateAnalyzer); DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer); DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); diff --git a/src/protocols/http/HTTP.h b/src/protocols/http/HTTP.h index 6cb2199696..66cdf091bf 100644 --- a/src/protocols/http/HTTP.h +++ b/src/protocols/http/HTTP.h @@ -183,7 +183,7 @@ public: { return (http_request || http_reply || http_header || http_all_headers || http_begin_entity || http_end_entity || http_content_type || http_entity_data || http_message_done || - http_event || http_stats) && !FLAGS_use_binpac; } + http_event || http_stats); } protected: void GenStats(); diff --git a/src/protocols/unused/HTTP-binpac.cc b/src/protocols/unused/HTTP-binpac.cc deleted file mode 100644 index a23ef0043a..0000000000 --- a/src/protocols/unused/HTTP-binpac.cc +++ /dev/null 
@@ -1,46 +0,0 @@ -#include "HTTP-binpac.h" -#include "TCP_Reassembler.h" - -HTTP_Analyzer_binpac::HTTP_Analyzer_binpac(Connection *c) -: TCP_ApplicationAnalyzer("HTTP_BINPAC", c) - { - interp = new binpac::HTTP::HTTP_Conn(this); - } - -HTTP_Analyzer_binpac::~HTTP_Analyzer_binpac() - { - delete interp; - } - -void HTTP_Analyzer_binpac::Done() - { - TCP_ApplicationAnalyzer::Done(); - - interp->FlowEOF(true); - interp->FlowEOF(false); - } - -void HTTP_Analyzer_binpac::EndpointEOF(bool is_orig) - { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); - interp->FlowEOF(is_orig); - } - -void HTTP_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig) - { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); - - assert(TCP()); - - if ( TCP()->IsPartial() ) - // punt on partial. - return; - - interp->NewData(orig, data, data + len); - } - -void HTTP_Analyzer_binpac::Undelivered(int seq, int len, bool orig) - { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); - interp->NewGap(orig, len); - } diff --git a/src/protocols/unused/HTTP-binpac.h b/src/protocols/unused/HTTP-binpac.h deleted file mode 100644 index 8f0370afda..0000000000 --- a/src/protocols/unused/HTTP-binpac.h +++ /dev/null @@ -1,28 +0,0 @@ -#ifndef http_binpac_h -#define http_binpac_h - -#include "TCP.h" - -#include "http_pac.h" - -class HTTP_Analyzer_binpac : public TCP_ApplicationAnalyzer { -public: - HTTP_Analyzer_binpac(Connection* conn); - virtual ~HTTP_Analyzer_binpac(); - - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(int seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); - - static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new HTTP_Analyzer_binpac(conn); } - - static bool Available() - { return (http_request || http_reply) && FLAGS_use_binpac; } - -protected: - binpac::HTTP::HTTP_Conn* interp; -}; - -#endif 
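Review bot: the commit message for PATCH 01 says nothing about deleting the BinPAC DNS parser (dns.pac, dns-protocol.pac, dns-analyzer.pac, dns_tcp.pac) and the unused HTTP-binpac analyzer, yet those deletions are the bulk of this diff and leave the hand-written DNS_Analyzer and HTTP_Analyzer as the only implementations; add a sentence saying so. The BuiltInAnalyzers.cc hunk drops `#include "DNS-binpac.h"` and the DNS_TCP_BINPAC/DNS_UDP_BINPAC registrations, but neither the DNS-binpac.h/.cc sources nor the binpac_target() entries for the deleted .pac files appear in this diff, so confirm they are removed in the same change or the build will still try to generate the missing parsers.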
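Review bot: the BuiltInAnalyzers.cc hunk removes DEFINE_ANALYZER_VERSION_BINPAC / DEFINE_ANALYZER_VERSION_NON_BINPAC, and the HTTP.h hunk drops `&& !FLAGS_use_binpac` from HTTP_Analyzer::Available(), but FLAGS_use_binpac itself stays declared and still gates other analyzers; until the flag is removed (PATCH 08 later in this series), `--use-binpac` silently has no effect on DNS and HTTP. Either fold the flag removal into this change or note in the message that the switch is half-dead in between.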
From 40ca718e90491fbb894b27aa318db59ae6e52ffb Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 3 Apr 2013 13:40:49 -0700 Subject: [PATCH 08/70] Removing the --use-binpac switch. --- src/DHCP-binpac.h | 2 +- src/DNS.h | 3 +-- src/Syslog-binpac.h | 2 +- src/binpac_bro.h | 2 -- src/main.cc | 6 ------ 5 files changed, 3 insertions(+), 12 deletions(-) diff --git a/src/DHCP-binpac.h b/src/DHCP-binpac.h index a3890b399d..df47ec7765 100644 --- a/src/DHCP-binpac.h +++ b/src/DHCP-binpac.h @@ -19,7 +19,7 @@ public: { return new DHCP_Analyzer_binpac(conn); } static bool Available() - { return dhcp_request && FLAGS_use_binpac; } + { return dhcp_request; } protected: binpac::DHCP::DHCP_Conn* interp; diff --git a/src/DNS.h b/src/DNS.h index 28e68cccad..569af906bf 100644 --- a/src/DNS.h +++ b/src/DNS.h @@ -271,8 +271,7 @@ public: static bool Available() { - return (dns_request || dns_full_request) && - ! FLAGS_use_binpac; + return (dns_request || dns_full_request); } protected: diff --git a/src/Syslog-binpac.h b/src/Syslog-binpac.h index 85caf5aaa4..88b64c5f70 100644 --- a/src/Syslog-binpac.h +++ b/src/Syslog-binpac.h @@ -46,7 +46,7 @@ protected: // { return new Syslog_TCP_Analyzer_binpac(conn); } // // static bool Available() -// { return (Syslog_request || Syslog_full_request) && FLAGS_use_binpac; } +// { return (Syslog_request || Syslog_full_request); } // //protected: // binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; diff --git a/src/binpac_bro.h b/src/binpac_bro.h index 5f46d8f458..5902c52113 100644 --- a/src/binpac_bro.h +++ b/src/binpac_bro.h @@ -35,6 +35,4 @@ inline StringVal* bytestring_to_val(const_bytestring const &str) } // namespace binpac -extern int FLAGS_use_binpac; - #endif diff --git a/src/main.cc b/src/main.cc index 7a86bde6da..cb3fbd7f6e 100644 --- a/src/main.cc +++ b/src/main.cc 
@@ -114,8 +114,6 @@ vector params; char* proc_status_file = 0; int snaplen = 0; // this gets set from the scripting-layer's value -int FLAGS_use_binpac = false; - extern std::list docs_generated; // Keep copy of command line @@ -204,8 +202,6 @@ void usage() fprintf(stderr, " -n|--idmef-dtd | specify path to IDMEF DTD file\n"); #endif - fprintf(stderr, " --use-binpac | use new-style BinPAC parsers when available\n"); - fprintf(stderr, " $BROPATH | file search path (%s)\n", bro_path()); fprintf(stderr, " $BRO_PREFIXES | prefix list (%s)\n", bro_prefixes()); fprintf(stderr, " $BRO_DNS_FAKE | disable DNS lookups (%s)\n", bro_dns_fake()); @@ -497,8 +493,6 @@ int main(int argc, char** argv) {"pseudo-realtime", optional_argument, 0, 'E'}, - {"use-binpac", no_argument, &FLAGS_use_binpac, 1}, - {0, 0, 0, 0}, }; From b122b39874dd0526e15382fea2677c60c3b9e5b1 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 4 Apr 2013 15:15:33 -0700 Subject: [PATCH 09/70] Removing all Analyzer::Available() methods. --- src/AYIYA.h | 4 ---- src/BackDoor.h | 9 --------- src/BitTorrent.h | 3 --- src/BitTorrentTracker.h | 3 --- src/ConnSizeAnalyzer.h | 2 -- src/DCE_RPC.h | 3 --- src/DHCP-binpac.h | 3 --- src/DNS.h | 5 ----- src/FTP.h | 3 --- src/FileAnalyzer.h | 2 -- src/Finger.h | 2 -- src/GTPv1.h | 4 ---- src/Gnutella.h | 7 ------- src/ICMP.h | 2 -- src/IRC.cc | 32 -------------------------------- src/IRC.h | 2 -- src/Ident.h | 3 --- src/InterConn.h | 2 -- src/Modbus.h | 33 --------------------------------- src/NCP.h | 2 -- src/NFS.h | 10 ---------- src/NTP.h | 2 -- src/NetbiosSSN.h | 7 ------- src/PIA.h | 2 -- src/POP3.h | 5 ----- src/Portmap.h | 3 --- src/RSH.h | 3 --- src/Rlogin.h | 6 ------ src/SMB.h | 6 ------ src/SMTP.h | 6 ------ src/SOCKS.h | 5 ----- src/SSH.h | 3 --- src/SteppingStone.h | 2 -- src/Syslog-binpac.h | 6 ------ src/TCP.h | 4 ---- src/Telnet.h | 6 ------ src/Teredo.h | 4 ---- src/UDP.h | 2 -- 38 files changed, 208 deletions(-) 
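Review bot: in PATCH 08, dropping `{"use-binpac", no_argument, &FLAGS_use_binpac, 1}` from the long-options table in the main.cc hunk turns `--use-binpac` on existing command lines and wrapper scripts into a getopt unknown-option failure rather than a harmless no-op. If that is intended, mention the removed switch in the release notes; otherwise keep the entry bound to a dummy int for one release and print a deprecation warning from usage().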
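Review bot: the Syslog-binpac.h hunk in PATCH 08 edits an Available() body inside a fully commented-out class (`// static bool Available()`), so the change keeps dead code in sync rather than removing it; delete the commented-out Syslog_TCP_Analyzer_binpac block instead of maintaining it.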
diff --git a/src/AYIYA.h b/src/AYIYA.h index f6025b709f..563cf86613 100644 --- a/src/AYIYA.h +++ b/src/AYIYA.h @@ -15,10 +15,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new AYIYA_Analyzer(conn); } - static bool Available() - { return BifConst::Tunnel::enable_ayiya && - BifConst::Tunnel::max_depth > 0; } - protected: friend class AnalyzerTimer; void ExpireTimer(double t); diff --git a/src/BackDoor.h b/src/BackDoor.h index 2286138239..d3687bad0b 100644 --- a/src/BackDoor.h +++ b/src/BackDoor.h @@ -74,15 +74,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BackDoor_Analyzer(conn); } - static bool Available() - { - return backdoor_stats || rlogin_signature_found || - telnet_signature_found || ssh_signature_found || - root_backdoor_signature_found || ftp_signature_found || - napster_signature_found || kazaa_signature_found || - http_signature_found || http_proxy_signature_found; - } - protected: // We support both packet and stream input, and can be instantiated // even if the TCP analyzer is not yet reassembling. diff --git a/src/BitTorrent.h b/src/BitTorrent.h index eb2aeb422e..6c1ef677e1 100644 --- a/src/BitTorrent.h +++ b/src/BitTorrent.h @@ -20,9 +20,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BitTorrent_Analyzer(conn); } - static bool Available() - { return bittorrent_peer_handshake || bittorrent_peer_piece; } - protected: void DeliverWeird(const char* msg, bool orig); diff --git a/src/BitTorrentTracker.h b/src/BitTorrentTracker.h index cc17d98af3..41a902befa 100644 --- a/src/BitTorrentTracker.h +++ b/src/BitTorrentTracker.h 
@@ -53,9 +53,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new BitTorrentTracker_Analyzer(conn); } - static bool Available() - { return bt_tracker_request || bt_tracker_response; } - protected: void ClientRequest(int len, const u_char* data); void ServerReply(int len, const u_char* data); diff --git a/src/ConnSizeAnalyzer.h b/src/ConnSizeAnalyzer.h index 23f7975617..6eac519c88 100644 --- a/src/ConnSizeAnalyzer.h +++ b/src/ConnSizeAnalyzer.h @@ -23,8 +23,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ConnSize_Analyzer(conn); } - static bool Available() { return BifConst::use_conn_size_analyzer ; } - protected: virtual void DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen); diff --git a/src/DCE_RPC.h b/src/DCE_RPC.h index cfffc73c4e..61de358dbd 100644 --- a/src/DCE_RPC.h +++ b/src/DCE_RPC.h @@ -177,9 +177,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DCE_RPC_Analyzer(conn); } - static bool Available() - { return DCE_RPC_Session::any_dce_rpc_event(); } - protected: DCE_RPC_Session* session; bool speculative; diff --git a/src/DHCP-binpac.h b/src/DHCP-binpac.h index df47ec7765..4b59ac15b2 100644 --- a/src/DHCP-binpac.h +++ b/src/DHCP-binpac.h @@ -18,9 +18,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DHCP_Analyzer_binpac(conn); } - static bool Available() - { return dhcp_request; } - protected: binpac::DHCP::DHCP_Conn* interp; }; diff --git a/src/DNS.h b/src/DNS.h index 569af906bf..7a342dc757 100644 --- a/src/DNS.h +++ b/src/DNS.h @@ -269,11 +269,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new DNS_Analyzer(conn); } - static bool Available() - { - return (dns_request || dns_full_request); - } - protected: DNS_Interpreter* interp; Contents_DNS* contents_dns_orig; 
diff --git a/src/FTP.h b/src/FTP.h index 849b18f50b..19393fc5aa 100644 --- a/src/FTP.h +++ b/src/FTP.h @@ -18,9 +18,6 @@ public: return new FTP_Analyzer(conn); } - static bool Available() { return ftp_request || ftp_reply; } - - protected: NVT_Analyzer* nvt_orig; NVT_Analyzer* nvt_resp; diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h index 6edda1646f..1d2a956ef2 100644 --- a/src/FileAnalyzer.h +++ b/src/FileAnalyzer.h @@ -18,8 +18,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new File_Analyzer(conn); } - static bool Available() { return file_transferred; } - protected: void Identify(); diff --git a/src/Finger.h b/src/Finger.h index 5de0086dbc..0be0c0eb19 100644 --- a/src/Finger.h +++ b/src/Finger.h @@ -19,8 +19,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Finger_Analyzer(conn); } - static bool Available() { return finger_request || finger_reply; } - protected: ContentLine_Analyzer* content_line_orig; ContentLine_Analyzer* content_line_resp; diff --git a/src/GTPv1.h b/src/GTPv1.h index e6c2066df0..89befa04bf 100644 --- a/src/GTPv1.h +++ b/src/GTPv1.h @@ -15,10 +15,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new GTPv1_Analyzer(conn); } - static bool Available() - { return BifConst::Tunnel::enable_gtpv1 && - BifConst::Tunnel::max_depth > 0; } - protected: friend class AnalyzerTimer; void ExpireTimer(double t); diff --git a/src/Gnutella.h b/src/Gnutella.h index 88a8bcb4c7..2dd2a2ad12 100644 --- a/src/Gnutella.h +++ b/src/Gnutella.h @@ -43,13 +43,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Gnutella_Analyzer(conn); } - static bool Available() - { - return gnutella_text_msg || gnutella_binary_msg || - gnutella_partial_binary_msg || gnutella_establish || - gnutella_not_establish || gnutella_http_notify; - } - private: int NextLine(const u_char* data, int len); 
diff --git a/src/ICMP.h b/src/ICMP.h index fbf61f7993..e798bd2c9b 100644 --- a/src/ICMP.h +++ b/src/ICMP.h @@ -22,8 +22,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ICMP_Analyzer(conn); } - static bool Available() { return true; } - protected: ICMP_Analyzer(analyzer::Tag tag, Connection* conn); diff --git a/src/IRC.cc b/src/IRC.cc index 35156ccb40..e778023553 100644 --- a/src/IRC.cc +++ b/src/IRC.cc @@ -22,38 +22,6 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn) AddSupportAnalyzer(new ContentLine_Analyzer(conn, false)); } -bool IRC_Analyzer::Available() - { - static bool did_avail = false; - static bool avail = false; - - if ( ! did_avail ) - { - // It's a lot of events, but for consistency with other - // analyzers we need to check for all of them. - avail = irc_request || irc_reply || - irc_message || irc_quit_message || - irc_privmsg_message || irc_notice_message || - irc_squery_message || irc_join_message || - irc_part_message || irc_nick_message || - irc_invalid_nick || irc_network_info || - irc_server_info || irc_channel_info || irc_who_line || - irc_who_message || irc_whois_message || - irc_whois_user_line || irc_whois_operator_line || - irc_whois_channel_line || irc_oper_message || - irc_oper_response || irc_kick_message || - irc_error_message || irc_invite_message || - irc_mode_message || irc_squit_message || - irc_names_info || irc_dcc_message || - irc_global_users || irc_user_message || - irc_channel_topic || irc_password_message; - - did_avail = true; - } - - return avail; - } - void IRC_Analyzer::Done() { TCP_ApplicationAnalyzer::Done(); diff --git a/src/IRC.h b/src/IRC.h index 657532f5f1..6a78bad025 100644 --- a/src/IRC.h +++ b/src/IRC.h @@ -35,8 +35,6 @@ public: return new IRC_Analyzer(conn); } - static bool Available(); - protected: int orig_status; int orig_zip_status; diff --git a/src/Ident.h b/src/Ident.h index e0cf44f5a4..ffc927a73c 100644 --- a/src/Ident.h +++ b/src/Ident.h 
@@ -16,9 +16,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Ident_Analyzer(conn); } - static bool Available() - { return ident_request || ident_reply || ident_error; } - protected: const char* ParsePair(const char* line, const char* end_of_line, int& p1, int &p2); diff --git a/src/InterConn.h b/src/InterConn.h index 1abec4058b..741bea45ba 100644 --- a/src/InterConn.h +++ b/src/InterConn.h @@ -50,8 +50,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new InterConn_Analyzer(conn); } - static bool Available() { return interconn_stats; } - protected: // We support both packet and stream input and can be put in place even // if the TCP analyzer is not yet reassembling. diff --git a/src/Modbus.h b/src/Modbus.h index 84389b0554..b00a074ada 100644 --- a/src/Modbus.h +++ b/src/Modbus.h 
@@ -18,39 +18,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new ModbusTCP_Analyzer(conn); } - // Put event names in this function - static bool Available() - { - return modbus_message - | modbus_exception - | modbus_read_coils_request - | modbus_read_coils_response - | modbus_read_discrete_inputs_request - | modbus_read_discrete_inputs_response - | modbus_read_holding_registers_request - | modbus_read_holding_registers_response - | modbus_read_input_registers_request - | modbus_read_input_registers_response - | modbus_write_single_coil_request - | modbus_write_single_coil_response - | modbus_write_single_register_request - | modbus_write_single_register_response - | modbus_write_multiple_coils_request - | modbus_write_multiple_coils_response - | modbus_write_multiple_registers_request - | modbus_write_multiple_registers_response - | modbus_read_file_record_request - | modbus_read_file_record_response - | modbus_write_file_record_request - | modbus_write_file_record_response - | modbus_mask_write_register_request - | modbus_mask_write_register_response - | modbus_read_write_multiple_registers_request - | modbus_read_write_multiple_registers_response - | modbus_read_fifo_queue_request - | modbus_read_fifo_queue_response; - } - protected: binpac::ModbusTCP::ModbusTCP_Conn* interp; }; diff --git a/src/NCP.h b/src/NCP.h index 833d030394..4fcddfca39 100644 --- a/src/NCP.h +++ b/src/NCP.h @@ -105,8 +105,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NCP_Analyzer(conn); } - static bool Available() { return NCP_Session::any_ncp_event(); } - protected: NCP_Session* session; diff --git a/src/NFS.h b/src/NFS.h index ecb89ff7bf..18acff4b37 100644 --- a/src/NFS.h +++ b/src/NFS.h 
@@ -77,16 +77,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NFS_Analyzer(conn); } - - static bool Available() - { - return ( nfs_proc_null || nfs_proc_not_implemented || nfs_proc_getattr || - nfs_proc_lookup || nfs_proc_read || nfs_proc_readlink || - nfs_proc_write || nfs_proc_create || nfs_proc_mkdir || - nfs_proc_remove || nfs_proc_rmdir || nfs_proc_readdir || - nfs_reply_status || - rpc_dialogue || rpc_call || rpc_reply ); - } }; diff --git a/src/NTP.h b/src/NTP.h index 3ae44d4cf7..9dc5dc6af9 100644 --- a/src/NTP.h +++ b/src/NTP.h @@ -42,8 +42,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NTP_Analyzer(conn); } - static bool Available() { return ntp_message; } - protected: virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, diff --git a/src/NetbiosSSN.h b/src/NetbiosSSN.h index c3851516a0..8d2cc92089 100644 --- a/src/NetbiosSSN.h +++ b/src/NetbiosSSN.h @@ -160,13 +160,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new NetbiosSSN_Analyzer(conn); } - static bool Available() - { - return NetbiosSSN_Interpreter::any_netbios_ssn_event() || - SMB_Session::any_smb_event() || - DCE_RPC_Session::any_dce_rpc_event(); - } - protected: virtual void ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer, int gen_event); diff --git a/src/PIA.h b/src/PIA.h index d0521a6885..920bd9c976 100644 --- a/src/PIA.h +++ b/src/PIA.h @@ -37,8 +37,6 @@ public: // as pointer to an Analyzer. analyzer::Analyzer* AsAnalyzer() { return as_analyzer; } - static bool Available() { return true; } - protected: void PIA_Done(); void PIA_DeliverPacket(int len, const u_char* data, bool is_orig, diff --git a/src/POP3.h b/src/POP3.h index bab2737fca..5c10865ba3 100644 --- a/src/POP3.h +++ b/src/POP3.h 
@@ -73,11 +73,6 @@ public: return new POP3_Analyzer(conn); } - static bool Available() - { - return pop3_request || pop3_reply || pop3_data || pop3_unexpected; - } - protected: int masterState; int subState; diff --git a/src/Portmap.h b/src/Portmap.h index 1a98537153..bf7ab30891 100644 --- a/src/Portmap.h +++ b/src/Portmap.h @@ -31,9 +31,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Portmapper_Analyzer(conn); } - - static bool Available() - { return pm_request || rpc_call; } }; #endif diff --git a/src/RSH.h b/src/RSH.h index 31e5fe683f..c4eb8fb689 100644 --- a/src/RSH.h +++ b/src/RSH.h @@ -50,9 +50,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Rsh_Analyzer(conn); } - static bool Available() - { return login_failure || login_success || login_input_line || login_output_line; } - Contents_Rsh_Analyzer* contents_orig; Contents_Rsh_Analyzer* contents_resp; }; diff --git a/src/Rlogin.h b/src/Rlogin.h index 04486e4262..5fcd209896 100644 --- a/src/Rlogin.h +++ b/src/Rlogin.h @@ -62,12 +62,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Rlogin_Analyzer(conn); } - - static bool Available() - { - return login_failure || login_success || - login_input_line || login_output_line; - } }; #endif diff --git a/src/SMB.h b/src/SMB.h index 23af04720e..7e7f1cea1d 100644 --- a/src/SMB.h +++ b/src/SMB.h @@ -198,12 +198,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SMB_Analyzer(conn); } - static bool Available() - { - return SMB_Session::any_smb_event() || - DCE_RPC_Session::any_dce_rpc_event(); - } - protected: SMB_Session* smb_session; Contents_SMB* o_smb; diff --git a/src/SMTP.h b/src/SMTP.h index 563b99cc32..d4b7dd63a6 100644 --- a/src/SMTP.h +++ b/src/SMTP.h 
@@ -52,12 +52,6 @@ public: return new SMTP_Analyzer(conn); } - static bool Available() - { - return smtp_request || smtp_reply || - smtp_data || smtp_unexpected; - } - protected: void ProcessLine(int length, const char* line, bool orig); diff --git a/src/SOCKS.h b/src/SOCKS.h index 9557dc761d..767d0a1eb7 100644 --- a/src/SOCKS.h +++ b/src/SOCKS.h @@ -28,11 +28,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SOCKS_Analyzer(conn); } - static bool Available() - { - return socks_request || socks_reply; - } - protected: bool orig_done; diff --git a/src/SSH.h b/src/SSH.h index 0d3fa4d6e6..a6a2f4e154 100644 --- a/src/SSH.h +++ b/src/SSH.h @@ -15,9 +15,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SSH_Analyzer(conn); } - static bool Available() - { return ssh_client_version || ssh_server_version; } - private: ContentLine_Analyzer* orig; ContentLine_Analyzer* resp; diff --git a/src/SteppingStone.h b/src/SteppingStone.h index aab411a46d..4ec4dbc2e1 100644 --- a/src/SteppingStone.h +++ b/src/SteppingStone.h @@ -54,8 +54,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new SteppingStone_Analyzer(conn); } - static bool Available() { return stp_correlate_pair; } - protected: // We support both packet and stream input and can be put in place even // if the TCP analyzer is not yet reassebmling. diff --git a/src/Syslog-binpac.h b/src/Syslog-binpac.h index 88b64c5f70..e6d05df356 100644 --- a/src/Syslog-binpac.h +++ b/src/Syslog-binpac.h @@ -18,9 +18,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Syslog_Analyzer_binpac(conn); } - static bool Available() - { return syslog_message; } - protected: friend class AnalyzerTimer; void ExpireTimer(double t); 
@@ -45,9 +42,6 @@ protected: // static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) // { return new Syslog_TCP_Analyzer_binpac(conn); } // -// static bool Available() -// { return (Syslog_request || Syslog_full_request); } -// //protected: // binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; //}; diff --git a/src/TCP.h b/src/TCP.h index 93c008af58..61bcd7ef7c 100644 --- a/src/TCP.h +++ b/src/TCP.h @@ -91,8 +91,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new TCP_Analyzer(conn); } - static bool Available() { return true; } - protected: friend class TCP_ApplicationAnalyzer; friend class TCP_Reassembler; @@ -365,8 +363,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new TCPStats_Analyzer(conn); } - static bool Available() { return conn_stats || tcp_rexmit; } - protected: virtual void DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen); diff --git a/src/Telnet.h b/src/Telnet.h index 6e1695be9c..290382846b 100644 --- a/src/Telnet.h +++ b/src/Telnet.h @@ -12,12 +12,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Telnet_Analyzer(conn); } - - static bool Available() - { - return login_failure || login_success || - login_input_line || login_output_line; - } }; #endif diff --git a/src/Teredo.h b/src/Teredo.h index d3e3336f9b..4f38b29947 100644 --- a/src/Teredo.h +++ b/src/Teredo.h @@ -22,10 +22,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new Teredo_Analyzer(conn); } - static bool Available() - { return BifConst::Tunnel::enable_teredo && - BifConst::Tunnel::max_depth > 0; } - /** * Emits a weird only if the analyzer has previously been able to * decapsulate a Teredo packet in both directions or if *force* param is diff --git a/src/UDP.h b/src/UDP.h index 36a9b84dcd..67048781a7 100644 --- a/src/UDP.h +++ b/src/UDP.h 
@@ -23,8 +23,6 @@ public: static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new UDP_Analyzer(conn); } - static bool Available() { return true; } - protected: virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, From bccaea68831adf38041412fa029d4196a94125ec Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 4 Apr 2013 15:24:15 -0700 Subject: [PATCH 10/70] Adding options Analyzer::disable_all to disable all analyzers at startup. One can then selectively enable the ones one wants inside a bro_init() handler. --- scripts/base/frameworks/analyzer/main.bro | 8 +++++++- src/analyzer.bif | 6 ++++++ src/analyzer/Manager.cc | 8 ++++++++ src/analyzer/Manager.h | 5 +++++ 4 files changed, 26 insertions(+), 1 deletion(-) diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index dcadb402fb..8d2df76e4f 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro @@ -5,6 +5,9 @@ module Analyzer; # as they are loaded. export { + ## XXX + global disable_all = F &redef; + ## XXX. global enable_analyzer: function(tag: Analyzer::Tag) : bool; @@ -63,8 +66,11 @@ export { global ports: table[Analyzer::Tag] of set[port]; -event bro_init() +event bro_init() &priority=-5 { + if ( disable_all ) + __disable_all_analyzers(); + for ( a in disabled_analyzers ) disable_analyzer(a); } diff --git a/src/analyzer.bif b/src/analyzer.bif index 92b533308a..69c648f7d3 100644 --- a/src/analyzer.bif +++ b/src/analyzer.bif @@ -20,6 +20,12 @@ function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool return new Val(result, TYPE_BOOL); %} +function Analyzer::__disable_all_analyzers%(%) : any + %{ + analyzer_mgr->DisableAllAnalyzers(); + return 0; + %} + function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool %{ bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p); 
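Review bot: in PATCH 09, the Available() bodies removed from the AYIYA.h, GTPv1.h, Teredo.h and ConnSizeAnalyzer.h hunks tested configuration options (`BifConst::Tunnel::enable_ayiya`, `enable_gtpv1`, `enable_teredo` together with `Tunnel::max_depth > 0`, and `BifConst::use_conn_size_analyzer`), not merely whether an event handler exists, and nothing in this patch re-establishes those checks. Either the instantiation sites (not in this diff) must still honour the Tunnel::* and use_conn_size_analyzer options, or the scripts should map those options onto Analyzer::disable_analyzer; otherwise setting, say, Tunnel::enable_teredo=F stops having any effect.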
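Review bot: the handler-based Available() checks deleted in PATCH 09 (the IRC.cc and Modbus.h hunks are the largest) were what kept an analyzer from being instantiated when no script handles any of its events; with them gone every registered analyzer is attached unless it is listed in Analyzer::disabled_analyzers, which changes the performance baseline for minimal script configurations. The commit message should state that the implicit "no handler, no analyzer" optimization is replaced by explicit disabling, and the IRC.cc hunk's cached `did_avail`/`avail` statics go with it, so no further cleanup is needed there.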
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index e30976b9e3..70b22bfc26 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -224,6 +224,14 @@ bool Manager::DisableAnalyzer(EnumVal* val) return true; } +void Manager::DisableAllAnalyzers() + { + DBG_LOG(DBG_ANALYZER, "Disabling all analyzers"); + + for ( analyzer_map_by_tag::const_iterator i = analyzers_by_tag.begin(); i != analyzers_by_tag.end(); i++ ) + i->second->SetEnabled(false); + } + bool Manager::IsEnabled(Tag tag) { if ( ! tag ) diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 0284504f35..cb749bab7f 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -113,6 +113,11 @@ public: */ bool DisableAnalyzer(EnumVal* tag); + /** + * Disables all currently registered analyzers. + */ + void DisableAllAnalyzers(); + /** * Returns true if an analyzer is enabled. * From 897be0e14727f9d0b3593857a9656b5848bc303e Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 4 Apr 2013 16:53:21 -0700 Subject: [PATCH 11/70] Giving analyzer/ its own CMakeLists.txt. Also moving src/analyzer.bif to src/analyzer/analyzer.bif, along with the infrastructure to build/incude bif code at other locations. We should generally move to having per-directory CMakeLists.txt. I'll convert the others over later. --- src/CMakeLists.txt | 19 ++++++---- src/Func.cc | 3 -- src/NetVar.cc | 1 - src/NetVar.h | 1 - src/analyzer/CMakeLists.txt | 16 ++++++++ src/analyzer/Manager.cc | 8 +++- src/analyzer/Manager.h | 8 ++++ src/{ => analyzer}/analyzer.bif | 0 src/builtin-func.l | 66 +++++++++++++++++++-------------- src/main.cc | 1 + 10 files changed, 83 insertions(+), 40 deletions(-) create mode 100644 src/analyzer/CMakeLists.txt rename src/{ => analyzer}/analyzer.bif (100%) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index e847255258..1b26d56575 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -103,7 +103,6 @@ target_link_libraries(bifcl) include(BifCl) set(BIF_SRCS - analyzer.bif bro.bif logging.bif input.bif @@ -158,6 +157,17 @@ binpac_target(syslog.pac binpac_target(modbus.pac modbus-protocol.pac modbus-analyzer.pac) +######################################################################## +## Including subdirectories. +######################################################################## + +add_subdirectory(analyzer) + +set(bro_SUBDIRS + $ +) + + ######################################################################## ## Including plug-ins that are compiled in statically. ######################################################################## @@ -389,11 +399,6 @@ set(bro_SRCS plugin/Manager.cc plugin/Plugin.cc - analyzer/Analyzer.cc - analyzer/Manager.cc - analyzer/Component.cc - analyzer/Tag.cc - protocols/BuiltInAnalyzers.cc nb_dns.c @@ -402,7 +407,7 @@ set(bro_SRCS collect_headers(bro_HEADERS ${bro_SRCS}) -add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_PLUGIN_OBJECT_LIBS}) +add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_PLUGIN_OBJECT_LIBS} ${bro_SUBDIRS}) target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT}) diff --git a/src/Func.cc b/src/Func.cc index cedf729301..02f8dd4f29 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -548,14 +548,12 @@ void builtin_error(const char* msg, BroObj* arg) reporter->Error(msg, arg); } -#include "analyzer.bif.func_h" #include "bro.bif.func_h" #include "logging.bif.func_h" #include "input.bif.func_h" #include "reporter.bif.func_h" #include "strings.bif.func_h" -#include "analyzer.bif.func_def" #include "bro.bif.func_def" #include "logging.bif.func_def" #include "input.bif.func_def" @@ -571,7 +569,6 @@ void init_builtin_funcs() var_sizes = internal_type("var_sizes")->AsTableType(); gap_info = internal_type("gap_info")->AsRecordType(); -#include "analyzer.bif.func_init" #include "bro.bif.func_init" #include "logging.bif.func_init" #include "input.bif.func_init" 
diff --git a/src/NetVar.cc b/src/NetVar.cc index 97bf9fd559..7483728e44 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -238,7 +238,6 @@ TableType* record_field_table; StringVal* cmd_line_bpf_filter; -#include "analyzer.bif.netvar_def" #include "const.bif.netvar_def" #include "types.bif.netvar_def" #include "event.bif.netvar_def" diff --git a/src/NetVar.h b/src/NetVar.h index 6a1103ebb9..88b5478149 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -248,7 +248,6 @@ extern void init_general_global_var(); extern void init_event_handlers(); extern void init_net_var(); -#include "analyzer.bif.netvar_h" #include "const.bif.netvar_h" #include "types.bif.netvar_h" #include "event.bif.netvar_h" diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt new file mode 100644 index 0000000000..68742116ef --- /dev/null +++ b/src/analyzer/CMakeLists.txt @@ -0,0 +1,16 @@ + +include_directories(BEFORE + ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR} +) + +set(analyzer_SRCS + Analyzer.cc + Manager.cc + Component.cc + Tag.cc +) + +bif_target_for_subdir(analyzer.bif) + +add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC} ${BIF_OUTPUT_H}) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 70b22bfc26..dca4084c2c 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -89,12 +89,18 @@ void Manager::Init() for ( std::list::const_iterator i = analyzers.begin(); i != analyzers.end(); i++ ) RegisterAnalyzerComponent(*i); - // Caache these tags. + // Cache these tags. analyzer_backdoor = GetAnalyzerTag("BACKDOOR"); analyzer_connsize = GetAnalyzerTag("CONNSIZE"); analyzer_interconn = GetAnalyzerTag("INTERCONN"); analyzer_stepping = GetAnalyzerTag("STEPPINGSTONE"); analyzer_tcpstats = GetAnalyzerTag("TCPSTATS"); + + } + +void Manager::InitBifs() + { + #include "analyzer.bif.init.cc" } void Manager::DumpDebug() diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index cb749bab7f..750ac986fb 100644 
--- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -29,6 +29,8 @@ #include "../net_util.h" #include "../IP.h" +#include "analyzer/analyzer.bif.h" + namespace analyzer { /** @@ -59,6 +61,12 @@ public: */ void Init(); + /** + * Initializes the analyze-related BiFs. Must be called after scripts + * are parsed. + */ + void InitBifs(); + /** * Finished the manager's operations. */ diff --git a/src/analyzer.bif b/src/analyzer/analyzer.bif similarity index 100% rename from src/analyzer.bif rename to src/analyzer/analyzer.bif diff --git a/src/builtin-func.l b/src/builtin-func.l index ec60f1c7ec..2128c21f6b 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l @@ -139,6 +139,7 @@ extern int yyparse(); char* input_filename = 0; char* input_filename_with_path = 0; char* plugin = 0; +int alternative_mode = 0; FILE* fp_bro_init = 0; FILE* fp_func_def = 0; @@ -176,7 +177,7 @@ void usage() exit(1); } -void init_plugin_mode() +void init_alternative_mode() { fp_bro_init = open_output_file("bro"); fp_func_h = open_output_file("h"); @@ -191,8 +192,8 @@ void init_plugin_mode() char auto_gen_comment[n]; snprintf(auto_gen_comment, n, - "This file was automatically generated by bifcl from %s (plugin mode).", - input_filename_with_path); + "This file was automatically generated by bifcl from %s (%s mode).", + input_filename_with_path, plugin ? "plugin" : "subdir"); fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); 
@@ -225,42 +226,53 @@ void init_plugin_mode() if ( dot ) *dot = '\0'; - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "#include \n"); - fprintf(fp_func_init, "#include \n"); - fprintf(fp_func_init, "#include \"%s.h\"\n", input_filename); - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "namespace plugin { namespace %s {\n", plugin); - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "std::list > __bif_%s_init()\n", name); - fprintf(fp_func_init, "\t{\n"); - fprintf(fp_func_init, "\tstd::list > bifs;\n"); - fprintf(fp_func_init, "\n"); + if ( plugin ) + { + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "#include \n"); + fprintf(fp_func_init, "#include \n"); + fprintf(fp_func_init, "#include \"%s.h\"\n", input_filename); + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "namespace plugin { namespace %s {\n", plugin); + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "std::list > __bif_%s_init()\n", name); + fprintf(fp_func_init, "\t{\n"); + fprintf(fp_func_init, "\tstd::list > bifs;\n"); + fprintf(fp_func_init, "\n"); + } } -void finish_plugin_mode() +void finish_alternative_mode() { fprintf(fp_func_h, "\n"); fprintf(fp_func_h, "#endif\n"); - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "\treturn bifs;\n"); - fprintf(fp_func_init, "\t}\n"); - fprintf(fp_func_init, "} }\n"); - fprintf(fp_func_init, "\n"); - } + if ( plugin ) + { + fprintf(fp_func_init, "\n"); + fprintf(fp_func_init, "\treturn bifs;\n"); + fprintf(fp_func_init, "\t}\n"); + fprintf(fp_func_init, "} }\n"); + fprintf(fp_func_init, "\n"); + } + } int main(int argc, char* argv[]) { char opt; - while ( (opt = getopt(argc, argv, "p:")) != -1 ) + while ( (opt = getopt(argc, argv, "p:s")) != -1 ) { switch ( opt ) { case 'p': + alternative_mode = 1; plugin = optarg; break; + case 's': + alternative_mode = 1; + break; + default: usage(); } 
@@ -284,7 +296,7 @@ int main(int argc, char* argv[]) if ( slash ) input_filename = slash + 1; - if ( ! plugin ) + if ( ! alternative_mode ) { fp_bro_init = open_output_file("bro"); fp_func_h = open_output_file("func_h"); @@ -311,13 +323,13 @@ int main(int argc, char* argv[]) } else - init_plugin_mode(); + init_alternative_mode(); yy_switch_to_buffer(yy_create_buffer(fp_input, YY_BUF_SIZE)); yyparse(); - if ( plugin ) - finish_plugin_mode(); + if ( alternative_mode ) + finish_alternative_mode(); fclose(fp_input); close_all_output_files(); @@ -339,7 +351,7 @@ void close_all_output_files(void) close_if_open(&fp_func_def); close_if_open(&fp_func_init); - if ( ! plugin ) + if ( ! alternative_mode ) { close_if_open(&fp_netvar_h); close_if_open(&fp_netvar_def); diff --git a/src/main.cc b/src/main.cc index cb3fbd7f6e..59a383543c 100644 --- a/src/main.cc +++ b/src/main.cc @@ -836,6 +836,7 @@ int main(int argc, char** argv) yyparse(); + analyzer_mgr->InitBifs(); plugin_mgr->InitPluginsBif(); if ( print_plugins ) From 20be34526f39824fbd89bffba4513fb19bbb0df6 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 4 Apr 2013 16:56:17 -0700 Subject: [PATCH 12/70] Updating submodule. --- cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmake b/cmake index 1a592a96f7..39c1516be5 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 1a592a96f702d2cfcf1a88d7f40b4c62405735a6 +Subproject commit 39c1516be5e630bd5d78082e974fae708faa4e8c From 2bbce6b15f9bddd55f8f1c3b494413d81532989b Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 4 Apr 2013 18:36:44 -0700 Subject: [PATCH 13/70] Documenting Analyzer API, plus some cleanup. --- src/AYIYA.h | 1 - src/GTPv1.h | 1 - src/Syslog-binpac.h | 1 - src/TCP.cc | 6 - src/Teredo.h | 1 - src/analyzer/Analyzer.cc | 31 ++ src/analyzer/Analyzer.h | 809 ++++++++++++++++++++++++++++--------- src/protocols/http/HTTP.cc | 2 +- 8 files changed, 646 insertions(+), 206 deletions(-) 
diff --git a/src/AYIYA.h b/src/AYIYA.h index 563cf86613..c0897d84ff 100644 --- a/src/AYIYA.h +++ b/src/AYIYA.h @@ -16,7 +16,6 @@ public: { return new AYIYA_Analyzer(conn); } protected: - friend class AnalyzerTimer; void ExpireTimer(double t); binpac::AYIYA::AYIYA_Conn* interp; diff --git a/src/GTPv1.h b/src/GTPv1.h index 89befa04bf..2e4a405878 100644 --- a/src/GTPv1.h +++ b/src/GTPv1.h @@ -16,7 +16,6 @@ public: { return new GTPv1_Analyzer(conn); } protected: - friend class AnalyzerTimer; void ExpireTimer(double t); binpac::GTPv1::GTPv1_Conn* interp; diff --git a/src/Syslog-binpac.h b/src/Syslog-binpac.h index e6d05df356..176f2d5b70 100644 --- a/src/Syslog-binpac.h +++ b/src/Syslog-binpac.h @@ -19,7 +19,6 @@ public: { return new Syslog_Analyzer_binpac(conn); } protected: - friend class AnalyzerTimer; void ExpireTimer(double t); int did_session_done; diff --git a/src/TCP.cc b/src/TCP.cc index 058e6608ca..004deb2edd 100644 --- a/src/TCP.cc +++ b/src/TCP.cc @@ -1556,12 +1556,6 @@ void TCP_Analyzer::ConnDeleteTimer(double t) Conn()->DeleteTimer(t); } -// The following need to be consistent with bro.init. -#define CONTENTS_NONE 0 -#define CONTENTS_ORIG 1 -#define CONTENTS_RESP 2 -#define CONTENTS_BOTH 3 - void TCP_Analyzer::SetContentsFile(unsigned int direction, BroFile* f) { if ( direction == CONTENTS_NONE ) diff --git a/src/Teredo.h b/src/Teredo.h index 4f38b29947..f8cc0a15d7 100644 --- a/src/Teredo.h +++ b/src/Teredo.h @@ -47,7 +47,6 @@ public: } protected: - friend class AnalyzerTimer; void ExpireTimer(double t); bool valid_orig; diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index ff02e83f18..0bc8d28c8f 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc 
@@ -7,8 +7,39 @@ #include "../PIA.h" #include "../Event.h" +namespace analyzer { + + +class AnalyzerTimer : public Timer { +public: + AnalyzerTimer(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, + double arg_t, int arg_do_expire, TimerType arg_type); + + virtual ~AnalyzerTimer(); + + void Dispatch(double t, int is_expire); + +protected: + AnalyzerTimer() {} + + void Init(Analyzer* analyzer, analyzer_timer_func timer, int do_expire); + + Analyzer* analyzer; + analyzer_timer_func timer; + int do_expire; +}; + +} + using namespace analyzer; +AnalyzerTimer::AnalyzerTimer(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, + double arg_t, int arg_do_expire, TimerType arg_type) + : Timer(arg_t, arg_type) + { + Init(arg_analyzer, arg_timer, arg_do_expire); + } + AnalyzerTimer::~AnalyzerTimer() { analyzer->RemoveTimer(this); diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 704c131bca..07e5d5acf4 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
@@ -17,270 +17,556 @@ class PIA; class IP_Hdr; class TCP_ApplicationAnalyzer; -namespace analyzer { class Analyzer; } - namespace analyzer { -typedef list analyzer_list; - -typedef uint32 ID; - -typedef void (Analyzer::*analyzer_timer_func)(double t); - -// FIXME: This is a copy of ConnectionTimer, which we may eventually be -// able to get rid of. -class AnalyzerTimer : public Timer { -public: - AnalyzerTimer(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, - double arg_t, int arg_do_expire, TimerType arg_type) - : Timer(arg_t, arg_type) - { Init(arg_analyzer, arg_timer, arg_do_expire); } - virtual ~AnalyzerTimer(); - - void Dispatch(double t, int is_expire); - -protected: - AnalyzerTimer() {} - - void Init(Analyzer* analyzer, analyzer_timer_func timer, int do_expire); - - Analyzer* analyzer; - analyzer_timer_func timer; - int do_expire; -}; - - -// Main analyzer interface. -// -// Each analyzer is part of a tree, having a parent analyzer and an -// arbitrary number of child analyzers. Each analyzer also has a list of -// *suppport analyzers*. All its input first passes through this list of -// support analyzers, which can perform arbitrary preprocessing. Support -// analyzers share the same interface as regular analyzers, except that -// they are unidirectional, i.e., they see only one side of a connection. -// -// When overiding any of these methods, always make sure to call the -// base-class version first. 
- +class Analyzer; +class AnalyzerTimer; class SupportAnalyzer; class OutputHandler; +typedef list analyzer_list; +typedef uint32 ID; +typedef void (Analyzer::*analyzer_timer_func)(double t); + + /** + * XXX + */ +class OutputHandler { +public: + virtual ~OutputHandler() { } + + virtual void DeliverPacket(int len, const u_char* data, + bool orig, int seq, + const IP_Hdr* ip, int caplen) + { } + virtual void DeliverStream(int len, const u_char* data, + bool orig) { } + virtual void Undelivered(int seq, int len, bool orig) { } +}; + + +/** + * Main analyzer interface. + * + * Each analyzer is part of a tree, having a parent analyzer and an arbitrary + * number of child analyzers. Each analyzer also has a list of + * SupportAnalyzer. All analyzer input first passes through this list of + * support analyzers, which can perform arbitrary preprocessing. + * + * When overiding any of the class' methods, always make sure to call the + * base-class version first. + */ class Analyzer { public: - // "name" must match the one used in + /** + * Constructor. + * + * @param name A name for the protocol the analyzer is parsing. The + * name must match the one the corresponding Component registers. + * + * @param conn The connection the analyzer is associated with. + */ Analyzer(const char* name, Connection* conn); + + /** + * Destructor. + */ virtual ~Analyzer(); + /** + * Initializes the analyzer before input processing starts. + */ virtual void Init(); + + /** + * Finishes the analyzer's operation after all input has been parsed. + */ virtual void Done(); - // Pass data to the analyzer (it's automatically passed through its - // support analyzers first). We have packet-wise and stream-wise - // interfaces. For the packet-interface, some analyzers may require - // more information than others, so IP/caplen and seq may or may - // not be set. - void NextPacket(int len, const u_char* data, bool orig, + /** + * Passes packet input to the analyzer for processing. 
The analyzer + * will process the input with any support analyzers first and then + * forward the data to DeliverStream(), which derived classes can + * override. + * + * Note that there is a separate method for stream input, + * NextStream(). + * + * @param len The number of bytes passed in. + * + * @param data Pointer the input to process. + * + * @param is_orig True if this is originator-side input. + * + * @param seq Current sequence number, if available (only supported + * if the data is coming from the TCP analyzer. + * + * @param ip An IP packet header associated with the data, if + * available. + * + * @param caplen The packet's capture length, if available. + */ + void NextPacket(int len, const u_char* data, bool is_orig, int seq = -1, const IP_Hdr* ip = 0, int caplen = 0); + + /** + * Passes stream input to the analyzer for processing. The analyzer + * will process the input with any support analyzers first and then + * forward the data to DeliverStream(), which derived classes can + * override. + * + * Note that there is a separate method for packet input, + * NextPacket(). + * + * @param len The number of bytes passed in. + * + * @param data Pointer the input to process. + * + * @param is_orig True if this is originator-side input. + */ void NextStream(int len, const u_char* data, bool is_orig); - // Used for data that can't be delivered (e.g., due to a previous - // sequence hole/gap). + /** + * Informs the analyzer about a gap in the TCP stream, i.e., data + * that can't be delivered. This method triggers Undelivered(), which + * derived classes can override. + * + * @param seq The sequence number of the first byte of gap. + * + * @param len The length of the gap. + * + * @param is_orig True if this is about originator-side input. + */ void NextUndelivered(int seq, int len, bool is_orig); - // Report message boundary. (See EndOfData() below.) - void NextEndOfData(bool orig); + /** + * Reports a message boundary. 
This is a generic method that can be + * used by an Analyzer if all data of a PDU has been delivered, e.g., + * to report that HTTP body has been delivered completely by the HTTP + * analyzer before it starts with the next body. A final EndOfData() + * is automatically generated by the analyzer's Done() method. This + * method triggers EndOfData(), which derived classes can override. + * + * @param is_orig True if this is about originator-side input. + */ + void NextEndOfData(bool is_orig); - // Pass data on to all child analyzer(s). For SupportAnalyzers (see - // below), this is overridden to pass it on to the next sibling (or - // finally to the parent, if it's the last support analyzer). - // - // If we have an associated OutputHandler (see below), the data is - // additionally passed to that, too. For SupportAnalyzers, it is *only* - // delivered to the OutputHandler. + /** + * Forwards packet input on to all child analyzers. If the analyzer + * has an associated OutputHandlers, that one receives the input as + * well. + * + * Parameters are the same as for NextPacket(). + */ virtual void ForwardPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); + + /** + * Forwards stream input on to all child analyzers. If the analyzer + * has an associated OutputHandlers, that one receives the input as + * well. + * + * Parameters are the same as for NextStream(). + */ virtual void ForwardStream(int len, const u_char* data, bool orig); + + /** + * Forwards a sequence gap on to all child analyzers. + * + * Parameters are the same as for NextUndelivered(). + */ virtual void ForwardUndelivered(int seq, int len, bool orig); - // Report a message boundary to all child analyzers + /** + * Forwards an end-of-data notification on to all child analyzers. + * + * Parameters are the same as for NextPacket(). 
+ */ virtual void ForwardEndOfData(bool orig); - ID GetID() const { return id; } - Connection* Conn() const { return conn; } - - // An OutputHandler can be used to get access to data extracted by this - // analyzer (i.e., all data which is passed to - // Forward{Packet,Stream,Undelivered}). We take the ownership of - // the handler. - class OutputHandler { - public: - virtual ~OutputHandler() { } - - virtual void DeliverPacket(int len, const u_char* data, - bool orig, int seq, - const IP_Hdr* ip, int caplen) - { } - virtual void DeliverStream(int len, const u_char* data, - bool orig) { } - virtual void Undelivered(int seq, int len, bool orig) { } - }; - - OutputHandler* GetOutputHandler() const { return output_handler; } - void SetOutputHandler(OutputHandler* handler) - { output_handler = handler; } - - // If an analyzer was triggered by a signature match, this returns the - // name of the signature; nil if not. - const Rule* Signature() const { return signature; } - void SetSignature(const Rule* sig) { signature = sig; } - - void SetSkip(bool do_skip) { skip = do_skip; } - bool Skipping() const { return skip; } - - bool IsFinished() const { return finished; } - - Tag GetAnalyzerTag() const { return tag; } - const string& GetAnalyzerName() const; - bool IsAnalyzer(const char* name); - - // Management of the tree. - // - // We immediately discard an added analyzer if there's already a child - // of the same type. - void AddChildAnalyzer(Analyzer* analyzer) - { AddChildAnalyzer(analyzer, true); } - Analyzer* AddChildAnalyzer(Tag tag); - - void RemoveChildAnalyzer(Analyzer* analyzer); - void RemoveChildAnalyzer(ID id); - - bool HasChildAnalyzer(Tag tag); - - // Recursive; returns nil if not found. - Analyzer* FindChild(ID id); - - // Recursive; returns first found, or nil. - Analyzer* FindChild(Tag tag); - - // Recursive; returns first found, or nil. 
- Analyzer* FindChild(const string& name); - - const analyzer_list& GetChildren() { return children; } - - Analyzer* Parent() const { return parent; } - void SetParent(Analyzer* p) { parent = p; } - - // Remove this child analyzer from the parent's list. - void Remove() { assert(parent); parent->RemoveChildAnalyzer(this); } - - // Management of support analyzers. Support analyzers are associated - // with a direction, and will only see data in the corresponding flow. - // - // We immediately discard an added analyzer if there's already a child - // of the same type for the same direction. - - // Adds to tail of list. - void AddSupportAnalyzer(SupportAnalyzer* analyzer); - - void RemoveSupportAnalyzer(SupportAnalyzer* analyzer); - - // These are the methods where the analyzer actually gets its input. - // Each analyzer has only to implement the schemes it supports. - - // Packet-wise (or more generally chunk-wise) input. "data" points - // to the payload that the analyzer is supposed to examine. If it's - // part of a full packet, "ip" points to its IP header. An analyzer - // may or may not require to be given the full packet (and its caplen) - // as well. + /** + * Hook for accessing packet input for parsing. This is called by + * NextDeliverPacket() and can be overridden by derived classes. + * Parameters are the same. + */ virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); - // Stream-wise payload input. + /** + * Hook for accessing stream input for parsing. This is called by + * NextDeliverStream() and can be overridden by derived classes. + * Parameters are the same. + */ virtual void DeliverStream(int len, const u_char* data, bool orig); - // If a parent analyzer can't turn a sequence of packets into a stream - // (e.g., due to holes), it can pass the remaining data through this - // method to the child. + /** + * Hook for accessing input gap during parsing. 
This is called by + * NextUndelivered() and can be overridden by derived classes. + * Parameters are the same. + */ virtual void Undelivered(int seq, int len, bool orig); - // Report a message boundary. This is a generic method that can be used - // by specific Analyzers if all data of a message has been delivered, - // e.g., to report that HTTP body has been delivered completely by the - // HTTP analyzer before it starts with the next body. EndOfData() is - // automatically generated by the analyzer's Done() method. + /** + * Hook for accessing end-of-data notifications. This is called by + * NextEndOfData() and can be overridden by derived classes. + * Parameters are the same. + */ virtual void EndOfData(bool is_orig); - // Occasionally we may find during analysis that we got the direction - // of the connection wrong. In these cases, this method is called - // to swap state if necessary. This will not happen after payload - // has already been passed on, so most analyzers don't need to care. + /** + * Signals the analyzer that its associated connection had its + * endpoint flipped. This can happen if during analysis it turns out + * that we got the direction of the connection wrong. In these + * cases, this method is called to swap state if necessary. This + * will not happen after payload has already been passed on, so most + * analyzers don't need to care. + */ virtual void FlipRoles(); - // Feedback about protocol conformance, to be called by the - // analyzer's processing. The methods raise the correspondiong - // protocol_confirmation and protocol_violation events. + /** + * Returns the analyzer instance's internal ID. These IDs are unique + * across all analyzer instantiated and can thus be used to indentify + * a specific instance. + */ + ID GetID() const { return id; } - // Report that we believe we're parsing the right protocol. This - // should be called as early as possible during a connection's - // life-time. 
The protocol_confirmed event is only raised once per - // analyzer, even if the method is called multiple times. - virtual void ProtocolConfirmation(); + /** + * Returns the connection that the analyzer is associated with. + */ + Connection* Conn() const { return conn; } - // Return whether the analyzer previously called ProtocolConfirmation() - // at least once before. - bool ProtocolConfirmed() const - { return protocol_confirmed; } + /** + * Returns the OutputHandler associated with the connection, or null + * if none. + */ + OutputHandler* GetOutputHandler() const { return output_handler; } - // Report that we found a significant protocol violation which might - // indicate that the analyzed data is in fact not the expected - // protocol. The protocol_violation event is raised once per call to - // this method so that the script-level may build up some notion of - // how "severely" protocol semantics are violated. + /** + * Associates an OutputHandler with the connnection. + * + * @param handler The handler. + */ + void SetOutputHandler(OutputHandler* handler) + { output_handler = handler; } + + /** + * If this analyzer was activated by a signature match, this returns + * the signature that did so. Returns null otherwise. + */ + const Rule* Signature() const { return signature; } + + /** + * Sets the signature that activated this analyzer, if any. + * + * @param sig The signature. + */ + void SetSignature(const Rule* sig) { signature = sig; } + + /** + * Signals the analyzer to skip all further input processsing. The \a + * Next*() methods check this flag and discard the input if its set. + * + * @param do_skipe If true, further processing will be skipped. + */ + void SetSkip(bool do_skip) { skip = do_skip; } + + /** + * Returns true if the analyzer has been told to skip processing all + * further input. + */ + bool Skipping() const { return skip; } + + /** + * Returns true if Done() has been called. 
+ */ + bool IsFinished() const { return finished; } + + /** + * Returns the tag associated with the analyzer's type. + */ + Tag GetAnalyzerTag() const { return tag; } + + /** + * Returns a textual description of the analyzer's type. This is + * what's passed to the constructor and usally corresponds to the + * protocol name, e.g., "HTTP". + */ + const string& GetAnalyzerName() const; + + /** + * Returns true if this analyzer's type matches the name passes in. + * This is shortcut for comparing GetAnalyzerName() with the given + * name. + * + * @param name The name to check. + */ + bool IsAnalyzer(const char* name); + + /** + * Adds a new child analyzer to the analyzer tree. If an analyzer of + * the same type already exists, the one passes in is silenty + * discarded. + * + * @param analyzer The ananlyzer to add. Takes ownership. + */ + void AddChildAnalyzer(Analyzer* analyzer) + { AddChildAnalyzer(analyzer, true); } + + /** + * Adds a new child analyzer to the analyzer tree. If an analyzer of + * the same type already exists, the one passes in is silenty + * discarded. + * + * @param tag The type of analyzer to add. + */ + Analyzer* AddChildAnalyzer(Tag tag); + + /** + * Removes a child analyzer. It's ok for the analyzer to not to be a + * child, in which case the method does nothing. + * + * @param analyzer The analyzer to remove. + */ + void RemoveChildAnalyzer(Analyzer* analyzer); + + /** + * Removes a child analyzer. It's ok for the analyzer to not to be a + * child, in which case the method does nothing. + * + * @param tag The type of analyzer to remove. + */ + void RemoveChildAnalyzer(ID id); + + /** + * Returns true if analyzer has a direct child of a given type. + * + * @param tag The type of analyzer to check for. + */ + bool HasChildAnalyzer(Tag tag); + + /** + * Recursively searches all (direct or indirect) childs of the + * analyzer for an analyzer with a specific ID. + * + * @param id The analyzer id to search. This is the ID that GetID() + * returns. 
+ * + * @return The analyzer, or null if not found. + */ + Analyzer* FindChild(ID id); + + /** + * Recursively searches all (direct or indirect) childs of the + * analyzer for an analyzer of a given type. + * + * @param tag The analyzer type to search. + * + * @return The first analyzer of the given type found, or null if + * none. + */ + Analyzer* FindChild(Tag tag); + + /** + * Recursively searches all (direct or indirect) childs of the + * analyzer for an analyzer of a given type. + * + * @param name The naem of the analyzer type to search (e.g., + * "HTTP"). + * + * @return The first analyzer of the given type found, or null if + * none. + */ + Analyzer* FindChild(const string& name); + + /** + * Returns a list of all direct child analyzers. + */ + const analyzer_list& GetChildren() { return children; } + + /** + * Returns a pointer to the parent analyzer, or null if this instance + * has not yet been added to an analyzer tree. + */ + Analyzer* Parent() const { return parent; } + + /** + * Sets the parent analyzer. + * + * @param p The new parent. + */ + void SetParent(Analyzer* p) { parent = p; } + + /** + * Remove the analyzer form its parent. The analyzer must have a + * parent associated with it. + */ + void Remove() { assert(parent); parent->RemoveChildAnalyzer(this); } + + /** + * Appends a support analyzer to the current list. + * + * @param analyzer The support analyzer to add. + */ + void AddSupportAnalyzer(SupportAnalyzer* analyzer); + + /** + * Remove a support analyzer. + * + * @param analyzer The analyzer to remove. The function is a no-op if + * that analyzer is not part of the list of support analyzer. + */ + void RemoveSupportAnalyzer(SupportAnalyzer* analyzer); + + /** + * Signals Bro's protocol detection that the analyzer has recognized + * the input to indeed conform to the expected protocol. This should + * be called as early as possible during a connection's life-time. 
It + * may turn into \c protocol_confirmed event at the script-layer (but + * only once per analyzer for each connection, even if the method is + * called multiple times). + */ + virtual void ProtocolConfirmation(); + + /** + * Signals Bro's protocol detection that the analyzer has found a + * severe protocol violation that could indicate that it's not + * parsing the expected protocol. This turns into \c + * protocol_violation events at the script-layer (one such event is + * raised for each call to this method so that the script-layer can + * built up a notion of how prevalent protocol violations are; the + * more, the less likely it's the right protocol). + * + * @param reason A textual description of the error encountered. + * + * @param data An optional pointer to the malformed data. + * + * @param len If \a data is given, the length of it. + */ virtual void ProtocolViolation(const char* reason, const char* data = 0, int len = 0); - virtual unsigned int MemoryAllocation() const; + /** + * Returns true if ProtocolConfirmation() has been called at least + * once. + */ + bool ProtocolConfirmed() const + { return protocol_confirmed; } - // Called whenever the connection value needs to be updated. Per - // default, this method will be called for each analyzer in the tree. - // Analyzers can use this method to attach additional data to the - // connections. A call to BuildConnVal will in turn trigger a call to - // UpdateConnVal. + /** + * Called whenever the connection value is updated. Per default, this + * method will be called for each analyzer in the tree. Analyzers can + * use this method to attach additional data to the connections. A + * call to BuildConnVal() will in turn trigger a call to + * UpdateConnVal(). + * + * @param conn_val The connenction value being updated. + */ virtual void UpdateConnVal(RecordVal *conn_val); - // The following methods are proxies: calls are directly forwarded - // to the connection instance. 
These are for convenience only, - // allowing us to reuse more of the old analyzer code unchanged. + /** + * Convinience function that forwards directly to + * Connection::BuildConnVal(). + */ RecordVal* BuildConnVal(); + + /** + * Convinience function that forwards directly to the corresponding + * Connection::Event(). + */ void Event(EventHandlerPtr f, const char* name = 0); + + /** + * Convinience function that forwards directly to the corresponding + * Connection::Event(). + */ void Event(EventHandlerPtr f, Val* v1, Val* v2 = 0); + + /** + * Convinience function that forwards directly to + * Connection::ConnectionEvent(). + */ void ConnectionEvent(EventHandlerPtr f, val_list* vl); + + /** + * Convinience function that forwards directly to the corresponding + * Connection::Weird(). + */ void Weird(const char* name, const char* addl = ""); + /** + * Internal method. + */ + virtual unsigned int MemoryAllocation() const; + protected: friend class AnalyzerTimer; friend class Manager; friend class ::Connection; friend class ::TCP_ApplicationAnalyzer; - // Associates a connection with this analyzer. Must be called if - // we're using the default ctor. + /** + * Associates a connection with this analyzer. Must be called if + * using the default ctor. + * + * @param c The connection. + */ void SetConnection(Connection* c) { conn = c; } - // Creates the given timer to expire at time t. If do_expire - // is true, then the timer is also evaluated when Bro terminates, - // otherwise not. + /** + * Instantiates a new timer associated with the analyzer. + * + * @param timer The callback function to execute when the timer + * fires. + * + * @param t The absolute time when the timer will fire. + * + * @param do_expire If true, the timer will also fire when Bro + * terminates even if \a t has not been reache yet. + * + * @param type The timer's type. 
+ */ void AddTimer(analyzer_timer_func timer, double t, int do_expire, TimerType type); - void RemoveTimer(Timer* t); + /** + * Cancels all timers added previously via AddTimer(). + */ void CancelTimers(); + /** + * Removes a given timer. This is an internal method and shouldn't be + * used by derived class. It does not cancel the timer. + */ + void RemoveTimer(Timer* t); + + /** + * Returnsn true if the analyzer has associated an SupportAnalyzer of a given type. + * + * @param tag The type to check for. + * + * @param orig True if asking about the originator side. + */ bool HasSupportAnalyzer(Tag tag, bool orig); + /** + * Adds a a new child analyzer with the option whether to intialize + * it. This is an internal method. + * + * @param analyzer The analyzer to add. Takes ownership. + * + * @param init If true, Init() will be calle.d + */ void AddChildAnalyzer(Analyzer* analyzer, bool init); + + /** + * Inits all child analyzers. This is an internal method. + */ void InitChildren(); + + /** + * Reorganizes the child data structure. This is an internal method. + */ void AppendNewChildren(); private: 
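Review bot: `Remove()` guards the parent pointer only with `assert(parent)`, so in an NDEBUG build a call on a detached analyzer dereferences null instead of failing loudly; prefer an explicit check that reports through `reporter` and returns. In the same hunk the documentation does not match the declarations: `void RemoveChildAnalyzer(ID id)` documents `@param tag The type of analyzer to remove.` although the argument is an analyzer ID, and `Analyzer* AddChildAnalyzer(Tag tag)` copies the pointer variant's comment ("the one passes in is silenty discarded") but says nothing about what is returned when an analyzer of that type already exists; add an `@return` stating whether the caller gets the existing child or null. `AddTimer` documents `do_expire` as "If true" while the parameter is `int`; make it `bool`. The query methods `IsAnalyzer`, `HasChildAnalyzer`, the `FindChild` overloads and `GetChildren` should be `const`. Typos to fix while here: "passes in", "silenty", "ananlyzer", "naem", "childs", "Convinience", "connenction", "reache", "Returnsn", "calle.d", "intialize", "usally", "built up".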
@@ -313,39 +599,109 @@ private: static ID id_counter; }; +/** + * Convenience macro to add a new timer. + */ #define ADD_ANALYZER_TIMER(timer, t, do_expire, type) \ AddTimer(analyzer::analyzer_timer_func(timer), (t), (do_expire), (type)) +/** + * Internal convenience macro to iterate over the list of child analyzers. + */ #define LOOP_OVER_CHILDREN(var) \ for ( analyzer::analyzer_list::iterator var = children.begin(); \ var != children.end(); var++ ) +/** + * Internal convenience macro to iterate over the constant list of child + * analyzers. + */ #define LOOP_OVER_CONST_CHILDREN(var) \ for ( analyzer::analyzer_list::const_iterator var = children.begin(); \ var != children.end(); var++ ) +/** + * Convenience macro to iterate over a given list of child analyzers. + */ #define LOOP_OVER_GIVEN_CHILDREN(var, the_kids) \ for ( analyzer::analyzer_list::iterator var = the_kids.begin(); \ var != the_kids.end(); var++ ) +/** + * Convenience macro to iterate over a given constant list of child + * analyzers. + */ #define LOOP_OVER_GIVEN_CONST_CHILDREN(var, the_kids) \ for ( analyzer::analyzer_list::const_iterator var = the_kids.begin(); \ var != the_kids.end(); var++ ) +/** + * Support analyzer preprocess input before it reaches an analyzer's main + * processing. They share the input interface with of an Analyzer but they + * are uni-directional: they receive data only from one side of a connection. + * + */ class SupportAnalyzer : public Analyzer { public: + /** + * Constructor. + * + * @param name A name for the protocol the analyzer is parsing. The + * name must match the one the corresponding Component registers. + * + * @param conn The connection the analyzer is associated with. + * + * @param arg_orig: If true, this is a support analyzer for the + * connection originator side, and otherwise for the responder side. + */ SupportAnalyzer(const char* name, Connection* conn, bool arg_orig) : Analyzer(name, conn) { orig = arg_orig; sibling = 0; } + /** + * Destructor. 
+ */ virtual ~SupportAnalyzer() {} + /** + * Returns true if this is a support analyzer for the connection's + * originator side. + */ bool IsOrig() const { return orig; } + /** + * Passes packet input to the next sibling SupportAnalyzer if any, or + * on to the associated main analyzer if none. If however there's an + * output handler associated with this support analyzer, the data is + * passed only to there. + * + * Parameters same as for Analyzer::ForwardPacket. + */ virtual void ForwardPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); + + /** + * Passes stream input to the next sibling SupportAnalyzer if any, or + * on to the associated main analyzer if none. If however there's an + * output handler associated with this support analyzer, the data is + * passed only to there. + * + * Parameters same as for Analyzer::ForwardStream. + */ virtual void ForwardStream(int len, const u_char* data, bool orig); + + /** + * Passes gap information to the next sibling SupportAnalyzer if any, + * or on to the associated main analyzer if none. If however there's + * an output handler associated with this support analyzer, the gap is + * passed only to there. + * + * Parameters same as for Analyzer::ForwardPacket. + */ virtual void ForwardUndelivered(int seq, int len, bool orig); + /** + * Returns the analyzer next sibling, or null if none. + */ SupportAnalyzer* Sibling() const { return sibling; } protected: 
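Review bot: the comment on `SupportAnalyzer::ForwardUndelivered` says "Parameters same as for Analyzer::ForwardPacket", but its signature `(int seq, int len, bool orig)` matches `Analyzer::ForwardUndelivered`; fix the cross-reference. The class comment should read "Support analyzers preprocess input ... They share the input interface of an Analyzer", and `@param arg_orig:` has a stray colon. Initialize `orig` and `sibling` in the constructor's initializer list rather than by assignment in the body. The `LOOP_OVER_*` macros evaluate `the_kids` twice and post-increment the iterator; use `++var` and note in the comment that the argument must be a plain lvalue.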
@@ -359,22 +715,85 @@ private: SupportAnalyzer* sibling; }; +// The following need to be consistent with bro.init. +#define CONTENTS_NONE 0 +#define CONTENTS_ORIG 1 +#define CONTENTS_RESP 2 +#define CONTENTS_BOTH 3 +/** + * Base class for analyzers parsing transport-layer protocols. + */ class TransportLayerAnalyzer : public Analyzer { public: + /** + * Constructor. + * + * @param name A name for the protocol the analyzer is parsing. The + * name must match the one the corresponding Component registers. + * + * @param conn The connection the analyzer is associated with. + */ TransportLayerAnalyzer(const char* name, Connection* conn) : Analyzer(name, conn) { pia = 0; } + /** + * Overridden from parent class. + */ virtual void Done(); + + /** + * Returns true if the analyzer determines that in fact a new + * connection has started without the connection statement having + * terminated the previous one, i.e., the new data is arriving at + * what's the analyzer for the previous instance. This is used only + * for TCP. + */ virtual bool IsReuse(double t, const u_char* pkt) = 0; + /** + * Associates a file with the analyzer in which to record all + * analyzed input. This must only be called with derived classes that + * overide the method; the default implementation will abort. + * + * @param direction One of the CONTENTS_* constants indicating which + * direction of the input stream is to be recorded. + * + * @param f The file to record to. + * + */ virtual void SetContentsFile(unsigned int direction, BroFile* f); + + /** + * Returns an associated contents file, if any. This must only be + * called with derived classes that overide the method; the default + * implementation will abort. + * + * @param direction One of the CONTENTS_* constants indicating which + * direction the query is for. + */ virtual BroFile* GetContentsFile(unsigned int direction) const; + /** + * Associates a PIA with this analyzer. 
A PIA takes the + * transport-layer input and determine which protocol analyzer(s) to + * use for parsing it. + */ void SetPIA(PIA* arg_PIA) { pia = arg_PIA; } + + /** + * Returns the associated PIA, or null of none. Does not take + * ownership. + */ PIA* GetPIA() const { return pia; } - // Raises packet_contents event. + /** + * Helper to raise a \c packet_contents event. + * + * @param data The dass to pass to the event. + * + * @param len The length of \a data. + */ void PacketContents(const u_char* data, int len); private: diff --git a/src/protocols/http/HTTP.cc b/src/protocols/http/HTTP.cc index d5d911bbc6..a58d5a6bf3 100644 --- a/src/protocols/http/HTTP.cc +++ b/src/protocols/http/HTTP.cc @@ -170,7 +170,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF) DeliverBody(len, data, trailing_CRLF); } -class HTTP_Entity::UncompressedOutput : public analyzer::Analyzer::OutputHandler { +class HTTP_Entity::UncompressedOutput : public analyzer::OutputHandler { public: UncompressedOutput(HTTP_Entity* e) { entity = e; } virtual ~UncompressedOutput() { } From 86551cd42923ca88be1a216e7417eb39ca350a81 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 5 Apr 2013 12:38:21 -0700 Subject: [PATCH 14/70] Fixing test. --- doc/scripts/DocSourcesList.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index c71d7798ea..5442c1024a 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
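Review bot: `SetContentsFile()` and `GetContentsFile()` are documented as "the default implementation will abort" when a derived class does not override them, which turns a caller's mistake on a non-TCP analyzer into a crash of the whole process; prefer reporting via `reporter->Error()` and returning (null for the getter) so a bad request cannot take the monitor down. The `CONTENTS_*` defines carry a manual invariant ("need to be consistent with bro.init"); an enum shared with the script-side constants, or a generated BIF constant, would make the compiler enforce it. Also in this hunk: the `IsReuse` comment reads "without the connection statement having terminated the previous one", which looks like a stray word; "Does not take ownership" belongs on `SetPIA`, not `GetPIA`; and `@param data The dass to pass` should be "data".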
@@ -16,7 +16,7 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal) rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/analyzer.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) From d5865c67cbb64c9e3e91311214358422a3638a12 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 5 Apr 2013 12:40:09 -0700 Subject: [PATCH 15/70] Removing some debugging output. --- src/analyzer/Manager.cc | 26 +------------------------- 1 file changed, 1 insertion(+), 25 deletions(-) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index dca4084c2c..68869b3799 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -171,10 +171,7 @@ bool Manager::EnableAnalyzer(Tag tag) Component* p = Lookup(tag); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to enable non-existing analyzer"); return false; - } DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); p->SetEnabled(true); @@ -187,10 +184,7 @@ bool Manager::EnableAnalyzer(EnumVal* val) Component* p = Lookup(val); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to enable non-existing analyzer"); return false; - } DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); p->SetEnabled(true); @@ -203,10 +197,7 @@ bool Manager::DisableAnalyzer(Tag tag) Component* p = Lookup(tag); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to disable non-existing analyzer"); return false; - } DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); p->SetEnabled(false); 
@@ -219,10 +210,7 @@ bool Manager::DisableAnalyzer(EnumVal* val) Component* p = Lookup(val); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to disable non-existing analyzer"); return false; - } DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); p->SetEnabled(false); @@ -246,10 +234,7 @@ bool Manager::IsEnabled(Tag tag) Component* p = Lookup(tag); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to check non-existing analyzer"); return false; - } return p->Enabled(); } @@ -259,10 +244,7 @@ bool Manager::IsEnabled(EnumVal* val) Component* p = Lookup(val); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to check non-existing analyzer"); return false; - } return p->Enabled(); } @@ -273,11 +255,8 @@ bool Manager::RegisterAnalyzerForPort(EnumVal* val, PortVal* port) Component* p = Lookup(val); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to register port for non-existing analyzer"); return false; - } - + return RegisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); } @@ -286,10 +265,7 @@ bool Manager::UnregisterAnalyzerForPort(EnumVal* val, PortVal* port) Component* p = Lookup(val); if ( ! p ) - { - DBG_LOG(DBG_ANALYZER, "Asked to unregister port fork non-existing analyzer"); return false; - } return UnregisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); } From 1a30a5781630124284a90cebd6dc2a3ab521d641 Mon Sep 17 00:00:00 2001 
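Review bot: dropping the `DBG_LOG` on the `! p` path in `EnableAnalyzer(Tag)` (and identically in the other seven `Lookup()` failure paths of this patch) leaves an unknown analyzer tag completely silent: the method returns `false` and nothing is recorded even with analyzer debugging enabled. Since these are reached from script-land, a mistyped tag will now just do nothing; keep one diagnostic at a single point, or have the script-facing wrappers raise `reporter->Warning()` when the lookup fails. The `RegisterAnalyzerForPort` hunk also introduces a trailing-whitespace line (`+ ` where the blank line used to be).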
From: Robin Sommer Date: Fri, 5 Apr 2013 13:12:16 -0700 Subject: [PATCH 16/70] Porting syslog analyzer as another example. The diff to this commit shows what "porting" involves ... This also adds a small test for syslog. --- scripts/base/protocols/syslog/main.bro | 2 +- src/CMakeLists.txt | 3 -- src/event.bif | 17 ---------- src/protocols/BuiltInAnalyzers.cc | 2 -- src/protocols/CMakeLists.txt | 1 + src/protocols/syslog/CMakeLists.txt | 10 ++++++ src/protocols/syslog/Plugin.cc | 10 ++++++ .../syslog/Syslog.cc} | 31 +++++++++--------- .../syslog/Syslog.h} | 21 ++++++------ src/protocols/syslog/events.bif | 17 ++++++++++ .../syslog}/syslog-analyzer.pac | 0 .../syslog}/syslog-protocol.pac | 0 src/{ => protocols/syslog}/syslog.pac | 5 +++ .../syslog.log | 10 ++++++ testing/btest/Traces/syslog-single-udp.trace | Bin 0 -> 125 bytes .../scripts/base/protocols/syslog/trace.test | 4 +++ 16 files changed, 85 insertions(+), 48 deletions(-) create mode 100644 src/protocols/syslog/CMakeLists.txt create mode 100644 src/protocols/syslog/Plugin.cc rename src/{Syslog-binpac.cc => protocols/syslog/Syslog.cc} (62%) rename src/{Syslog-binpac.h => protocols/syslog/Syslog.h} (63%) create mode 100644 src/protocols/syslog/events.bif rename src/{ => protocols/syslog}/syslog-analyzer.pac (100%) rename src/{ => protocols/syslog}/syslog-protocol.pac (100%) rename src/{ => protocols/syslog}/syslog.pac (79%) create mode 100644 testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log create mode 100644 testing/btest/Traces/syslog-single-udp.trace create mode 100644 testing/btest/scripts/base/protocols/syslog/trace.test diff --git a/scripts/base/protocols/syslog/main.bro b/scripts/base/protocols/syslog/main.bro index 8e6a807c24..7c15fb4fae 100644 --- a/scripts/base/protocols/syslog/main.bro +++ b/scripts/base/protocols/syslog/main.bro 
@@ -38,7 +38,7 @@ redef record connection += { event bro_init() &priority=5 { Log::create_stream(Syslog::LOG, [$columns=Info]); - Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG_BINPAC, ports); + Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports); } event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5 diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 1b26d56575..c54abea7a6 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -152,8 +152,6 @@ binpac_target(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac) binpac_target(socks.pac socks-protocol.pac socks-analyzer.pac) -binpac_target(syslog.pac - syslog-protocol.pac syslog-analyzer.pac) binpac_target(modbus.pac modbus-protocol.pac modbus-analyzer.pac) @@ -349,7 +347,6 @@ set(bro_SRCS Stats.cc SteppingStone.cc Stmt.cc - Syslog-binpac.cc TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc diff --git a/src/event.bif b/src/event.bif index 65ff3a5731..8a44e8723e 100644 --- a/src/event.bif +++ b/src/event.bif 
@@ -5828,23 +5828,6 @@ event irc_password_message%(c: connection, is_orig: bool, password: string%); ## event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); -## Generated for monitored Syslog messages. -## -## See `Wikipedia `__ for more -## information about the Syslog protocol. -## -## c: The connection record for the underlying transport-layer session/flow. -## -## facility: The "facility" included in the message. -## -## severity: The "severity" included in the message. -## -## msg: The message logged. -## -## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP -## syslog will be added soon. -event syslog_message%(c: connection, facility: count, severity: count, msg: string%); - ## Generated when a signature matches. Bro's signature engine provides ## high-performance pattern matching separately from the normal script ## processing. If a signature with an ``event`` action matches, this event is diff --git a/src/protocols/BuiltInAnalyzers.cc b/src/protocols/BuiltInAnalyzers.cc index 39e8eefac0..3bc15621fd 100644 --- a/src/protocols/BuiltInAnalyzers.cc +++ b/src/protocols/BuiltInAnalyzers.cc @@ -37,7 +37,6 @@ #include "POP3.h" #include "SOCKS.h" #include "SSH.h" -#include "Syslog-binpac.h" #include "Teredo.h" #include "ConnSizeAnalyzer.h" #include "GTPv1.h" @@ -90,7 +89,6 @@ void BuiltinAnalyzers::Init() DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer); - DEFINE_ANALYZER("SYSLOG_BINPAC", Syslog_Analyzer_binpac::InstantiateAnalyzer); DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); diff --git a/src/protocols/CMakeLists.txt b/src/protocols/CMakeLists.txt index 35db6549fa..19dda0c770 100644 --- a/src/protocols/CMakeLists.txt +++ b/src/protocols/CMakeLists.txt 
@@ -1,3 +1,4 @@ add_subdirectory(http) add_subdirectory(ssl) +add_subdirectory(syslog) diff --git a/src/protocols/syslog/CMakeLists.txt b/src/protocols/syslog/CMakeLists.txt new file mode 100644 index 0000000000..3fc6b9ea69 --- /dev/null +++ b/src/protocols/syslog/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Syslog) +bro_plugin_cc(Syslog.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac) +bro_plugin_end() diff --git a/src/protocols/syslog/Plugin.cc b/src/protocols/syslog/Plugin.cc new file mode 100644 index 0000000000..a0a2934411 --- /dev/null +++ b/src/protocols/syslog/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "Syslog.h" + +BRO_PLUGIN_BEGIN(Syslog) + BRO_PLUGIN_DESCRIPTION = "Syslog Analyzer (UDP-only currently)"; + BRO_PLUGIN_ANALYZER("SYSLOG", Syslog_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/Syslog-binpac.cc b/src/protocols/syslog/Syslog.cc similarity index 62% rename from src/Syslog-binpac.cc rename to src/protocols/syslog/Syslog.cc index 37449004c7..137cecbd18 100644 --- a/src/Syslog-binpac.cc +++ b/src/protocols/syslog/Syslog.cc 
@@ -1,21 +1,22 @@ -#include "Syslog-binpac.h" + +#include "Syslog.h" #include "TCP_Reassembler.h" -Syslog_Analyzer_binpac::Syslog_Analyzer_binpac(Connection* conn) -: Analyzer("SYSLOG_BINPAC", conn) +Syslog_Analyzer::Syslog_Analyzer(Connection* conn) +: Analyzer("SYSLOG", conn) { interp = new binpac::Syslog::Syslog_Conn(this); did_session_done = 0; - //ADD_ANALYZER_TIMER(&Syslog_Analyzer_binpac::ExpireTimer, + //ADD_ANALYZER_TIMER(&Syslog_Analyzer::ExpireTimer, // network_time + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE); } -Syslog_Analyzer_binpac::~Syslog_Analyzer_binpac() +Syslog_Analyzer::~Syslog_Analyzer() { delete interp; } -void Syslog_Analyzer_binpac::Done() +void Syslog_Analyzer::Done() { Analyzer::Done(); @@ -23,13 +24,13 @@ void Syslog_Analyzer_binpac::Done() Event(udp_session_done); } -void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) +void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); interp->NewData(orig, data, data + len); } -//void Syslog_Analyzer_binpac::ExpireTimer(double t) +//void Syslog_Analyzer::ExpireTimer(double t) // { // // The - 1.0 in the following is to allow 1 second for the // // common case of a single request followed by a single reply, 
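Review bot: `Syslog_Analyzer::DeliverPacket` hands attacker-controlled datagram bytes straight to `interp->NewData(orig, data, data + len)` with no handler for `binpac::Exception`, so a malformed message raised by the generated parser propagates out of the analyzer instead of being reported; wrap the call in `try { ... } catch ( const binpac::Exception& e ) { ProtocolViolation(...); }` so the violation reaches script-land as documented for `ProtocolViolation()`. The renamed-but-still-commented `ADD_ANALYZER_TIMER(&Syslog_Analyzer::ExpireTimer, ...)` and the rest of the commented TCP code are dead; either drop them or leave a TODO that says what is missing.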
@@ -40,22 +41,22 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // sessions->Remove(Conn()); // } // else -// ADD_ANALYZER_TIMER(&Syslog_Analyzer_binpac::ExpireTimer, +// ADD_ANALYZER_TIMER(&Syslog_Analyzer::ExpireTimer, // t + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE); // } -//Syslog_TCP_Analyzer_binpac::Syslog_TCP_Analyzer_binpac(Connection* conn) +//Syslog_TCP_Analyzer::Syslog_TCP_Analyzer(Connection* conn) //: TCP_ApplicationAnalyzer(conn) // { // interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); // } -//Syslog_TCP_Analyzer_binpac::~Syslog_TCP_Analyzer_binpac() +//Syslog_TCP_Analyzer::~Syslog_TCP_Analyzer() // { // delete interp; // } -//void Syslog_TCP_Analyzer_binpac::Done() +//void Syslog_TCP_Analyzer::Done() // { // TCP_ApplicationAnalyzer::Done(); // @@ -63,13 +64,13 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // interp->FlowEOF(false); // } -//void Syslog_TCP_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp) +//void Syslog_TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp) // { // TCP_ApplicationAnalyzer::EndpointEOF(endp); // interp->FlowEOF(endp->IsOrig()); // } -//void Syslog_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data, +//void Syslog_TCP_Analyzer::DeliverStream(int len, const u_char* data, // bool orig) // { // TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); @@ -83,7 +84,7 @@ void Syslog_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool ori // interp->NewData(orig, data, data + len); // } -//void Syslog_TCP_Analyzer_binpac::Undelivered(int seq, int len, bool orig) +//void Syslog_TCP_Analyzer::Undelivered(int seq, int len, bool orig) // { // TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // interp->NewGap(orig, len); diff --git a/src/Syslog-binpac.h b/src/protocols/syslog/Syslog.h similarity index 63% rename from src/Syslog-binpac.h rename to src/protocols/syslog/Syslog.h index 176f2d5b70..2a96bd8ae6 100644 
--- a/src/Syslog-binpac.h +++ b/src/protocols/syslog/Syslog.h @@ -1,22 +1,23 @@ -#ifndef Syslog_binpac_h -#define Syslog_binpac_h + +#ifndef Syslog_h +#define Syslog_h #include "UDP.h" #include "TCP.h" #include "syslog_pac.h" -class Syslog_Analyzer_binpac : public analyzer::Analyzer { +class Syslog_Analyzer : public analyzer::Analyzer { public: - Syslog_Analyzer_binpac(Connection* conn); - virtual ~Syslog_Analyzer_binpac(); + Syslog_Analyzer(Connection* conn); + virtual ~Syslog_Analyzer(); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new Syslog_Analyzer_binpac(conn); } + { return new Syslog_Analyzer(conn); } protected: void ExpireTimer(double t); @@ -28,10 +29,10 @@ protected: // #include "Syslog_tcp_pac.h" // -//class Syslog_TCP_Analyzer_binpac : public TCP_ApplicationAnalyzer { +//class Syslog_TCP_Analyzer : public TCP_ApplicationAnalyzer { //public: -// Syslog_TCP_Analyzer_binpac(Connection* conn); -// virtual ~Syslog_TCP_Analyzer_binpac(); +// Syslog_TCP_Analyzer(Connection* conn); +// virtual ~Syslog_TCP_Analyzer(); // // virtual void Done(); // virtual void DeliverStream(int len, const u_char* data, bool orig); @@ -39,7 +40,7 @@ protected: // virtual void EndpointEOF(TCP_Reassembler* endp); // // static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) -// { return new Syslog_TCP_Analyzer_binpac(conn); } +// { return new Syslog_TCP_Analyzer(conn); } // //protected: // binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; diff --git a/src/protocols/syslog/events.bif b/src/protocols/syslog/events.bif new file mode 100644 index 0000000000..f82adc7e69 --- /dev/null +++ b/src/protocols/syslog/events.bif 
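Review bot: `Syslog.h` still declares `void ExpireTimer(double t);` in the protected section while its only definition in `Syslog.cc` is commented out, so any future call fails at link time; remove the declaration or uncomment the implementation. `#include "TCP.h"` (and `TCP_Reassembler.h` in the .cc) are needed only by the commented-out `Syslog_TCP_Analyzer`, which the plugin description itself marks as not supported ("UDP-only currently"); drop the dead code and includes rather than carrying the renamed comments along.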
@@ -0,0 +1,17 @@ + +## Generated for monitored Syslog messages. +## +## See `Wikipedia `__ for more +## information about the Syslog protocol. +## +## c: The connection record for the underlying transport-layer session/flow. +## +## facility: The "facility" included in the message. +## +## severity: The "severity" included in the message. +## +## msg: The message logged. +## +## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP +## syslog will be added soon. +event syslog_message%(c: connection, facility: count, severity: count, msg: string%); diff --git a/src/syslog-analyzer.pac b/src/protocols/syslog/syslog-analyzer.pac similarity index 100% rename from src/syslog-analyzer.pac rename to src/protocols/syslog/syslog-analyzer.pac diff --git a/src/syslog-protocol.pac b/src/protocols/syslog/syslog-protocol.pac similarity index 100% rename from src/syslog-protocol.pac rename to src/protocols/syslog/syslog-protocol.pac diff --git a/src/syslog.pac b/src/protocols/syslog/syslog.pac similarity index 79% rename from src/syslog.pac rename to src/protocols/syslog/syslog.pac index 3c0ecfb10d..5e7176da2a 100644 --- a/src/syslog.pac +++ b/src/protocols/syslog/syslog.pac @@ -1,3 +1,8 @@ + +%extern{ + #include "events.bif.h" +%} + %include binpac.pac %include bro.pac diff --git a/testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log b/testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log new file mode 100644 index 0000000000..df53ef42f6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.syslog.trace/syslog.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path syslog +#open 2013-04-05-20-06-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto facility severity message +#types time string addr port addr port enum string string string +1365191811.424495 UWkUyAuUGXf 127.0.0.1 57067 127.0.0.1 514 udp LOCAL0 NOTICE Apr 5 12:56:51 robin: Hello, syslog!\x00 +#close 2013-04-05-20-06-27 diff --git a/testing/btest/Traces/syslog-single-udp.trace b/testing/btest/Traces/syslog-single-udp.trace new file mode 100644 index 0000000000000000000000000000000000000000..9e1505a38a8c761b7657ea4deac4ee3242f5a4ca GIT binary patch literal 125 zcmca|c+)~A1{MYw`2U}Qff2}Q)`<_)uVP~e1+qaH8E`PTGBCJj`a3W<2wo1U2WkM} zd#{<87>os{*ccic+c_2#DJYmK7#dlbnpv3|Diq}>W#(Bac% Date: Tue, 9 Apr 2013 15:54:31 -0700 Subject: [PATCH 17/70] Removing event groups. --- doc/scripts/DocSourcesList.cmake | 2 +- scripts/policy/misc/analysis-groups.bro | 31 ----------- scripts/test-all-policy.bro | 1 - src/EventHandler.cc | 2 - src/EventHandler.h | 5 -- src/EventRegistry.cc | 26 --------- src/EventRegistry.h | 6 --- src/ID.cc | 16 +----- src/bro.bif | 25 --------- src/event.bif | 54 +++++++++---------- src/parse.y | 6 +-- src/protocols/http/events.bif | 18 +++---- src/scan.l | 1 - .../canonified_loaded_scripts.log | 5 +- .../canonified_loaded_scripts.log | 5 +- 15 files changed, 46 insertions(+), 157 deletions(-) delete mode 100644 scripts/policy/misc/analysis-groups.bro diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 5442c1024a..0f76c1881a 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
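Review bot: the new baseline pins the `message` field to `Apr 5 12:56:51 robin: Hello, syslog!\x00`, i.e. a literal trailing NUL. Confirm whether that byte is part of the datagram in `syslog-single-udp.trace` or comes from the grammar consuming the terminator; if it is a terminator, strip it before raising `syslog_message` so script-land and log consumers do not see a NUL on every message, and in either case note the behaviour next to the test so the baseline is not silently encoding an accident.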
@@ -25,6 +25,7 @@ rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/functions.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/protocols/ssl/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/protocols/syslog/events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) @@ -134,7 +135,6 @@ rest_target(${psd} policy/frameworks/software/vulnerable.bro) rest_target(${psd} policy/integration/barnyard2/main.bro) rest_target(${psd} policy/integration/barnyard2/types.bro) rest_target(${psd} policy/integration/collective-intel/main.bro) -rest_target(${psd} policy/misc/analysis-groups.bro) rest_target(${psd} policy/misc/capture-loss.bro) rest_target(${psd} policy/misc/loaded-scripts.bro) rest_target(${psd} policy/misc/profiling.bro) diff --git a/scripts/policy/misc/analysis-groups.bro b/scripts/policy/misc/analysis-groups.bro deleted file mode 100644 index 17f5bab845..0000000000 --- a/scripts/policy/misc/analysis-groups.bro +++ /dev/null 
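Review bot: the added `rest_target(${CMAKE_BINARY_DIR}/src base/protocols/syslog/events.bif.bro)` belongs to the syslog port (PATCH 16), not to "Removing event groups"; move it into that commit so the doc-sources list stays in sync with the commit that introduced `src/protocols/syslog/events.bif`.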
@@ -1,31 +0,0 @@ -##! This script gives the capability to selectively enable and disable event -##! groups at runtime. No events will be raised for all members of a disabled -##! event group. - -module AnalysisGroups; - -export { - ## By default, all event groups are enabled. - ## We disable all groups in this table. - const disabled: set[string] &redef; -} - -# Set to remember all groups which were disabled by the last update. -global currently_disabled: set[string]; - -# This is the event that the control framework uses when it needs to indicate -# that an update control action happened. -event Control::configuration_update() - { - # Reenable those which are not to be disabled anymore. - for ( g in currently_disabled ) - if ( g !in disabled ) - enable_event_group(g); - - # Disable those which are not already disabled. - for ( g in disabled ) - if ( g !in currently_disabled ) - disable_event_group(g); - - currently_disabled = copy(disabled); - } \ No newline at end of file diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index a213031f4c..dc1b4e4154 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -34,7 +34,6 @@ @load integration/barnyard2/types.bro @load integration/collective-intel/__load__.bro @load integration/collective-intel/main.bro -@load misc/analysis-groups.bro @load misc/capture-loss.bro @load misc/loaded-scripts.bro @load misc/profiling.bro diff --git a/src/EventHandler.cc b/src/EventHandler.cc index 5598f93f98..4a74d68a08 100644 --- a/src/EventHandler.cc +++ b/src/EventHandler.cc @@ -10,7 +10,6 @@ EventHandler::EventHandler(const char* arg_name) used = false; local = 0; type = 0; - group = 0; error_handler = false; enabled = true; } @@ -19,7 +18,6 @@ EventHandler::~EventHandler() { Unref(local); delete [] name; - delete [] group; } EventHandler::operator bool() const diff --git a/src/EventHandler.h b/src/EventHandler.h index a86b8a285c..786d9f94ba 100644 --- a/src/EventHandler.h 
+++ b/src/EventHandler.h @@ -41,10 +41,6 @@ public: void SetErrorHandler() { error_handler = true; } bool ErrorHandler() { return error_handler; } - const char* Group() { return group; } - void SetGroup(const char* arg_group) - { group = copy_string(arg_group); } - void SetEnable(bool arg_enable) { enabled = arg_enable; } // We don't serialize the handler(s) itself here, but @@ -54,7 +50,6 @@ public: private: const char* name; - const char* group; Func* local; FuncType* type; bool used; // this handler is indeed used somewhere diff --git a/src/EventRegistry.cc b/src/EventRegistry.cc index f51f624833..cf8aa6802e 100644 --- a/src/EventRegistry.cc +++ b/src/EventRegistry.cc @@ -85,17 +85,6 @@ void EventRegistry::PrintDebug() } } -void EventRegistry::SetGroup(const char* name, const char* group) - { - return; // FIXME. THis triggers the error below for plugin events. - - EventHandler* eh = Lookup(name); - if ( ! eh ) - reporter->InternalError("unknown event handler %s in SetGroup()", name); - - eh->SetGroup(group); - } - void EventRegistry::SetErrorHandler(const char* name) { EventHandler* eh = Lookup(name); @@ -105,18 +94,3 @@ void EventRegistry::SetErrorHandler(const char* name) eh->SetErrorHandler(); } -void EventRegistry::EnableGroup(const char* group, bool enable) - { - IterCookie* c = handlers.InitForIteration(); - - HashKey* k; - EventHandler* v; - while ( (v = handlers.NextEntry(k, c)) ) - { - delete k; - - if ( v->Group() && strcmp(v->Group(), group) == 0 ) - v->SetEnable(enable); - } - } - diff --git a/src/EventRegistry.h b/src/EventRegistry.h index 6ee5e3bcbd..3b4c8df918 100644 --- a/src/EventRegistry.h +++ b/src/EventRegistry.h 
@@ -26,17 +26,11 @@ public: typedef PList(constchar) string_list; string_list* Match(RE_Matcher* pattern); - // Associates a group with the given event. - void SetGroup(const char* name, const char* group); - // Marks a handler as handling errors. Error handler will not be called // recursively to avoid infinite loops in case they trigger an error // themselves. void SetErrorHandler(const char* name); - // Enable/disable all members of the group. - void EnableGroup(const char* group, bool enable); - string_list* UnusedHandlers(); string_list* UsedHandlers(); void PrintDebug(); diff --git a/src/ID.cc b/src/ID.cc index 959ad9b07d..a6e592146b 100644 --- a/src/ID.cc +++ b/src/ID.cc @@ -221,21 +221,7 @@ void ID::UpdateValAttrs() if ( Type()->Tag() == TYPE_FUNC ) { - Attr* attr = attrs->FindAttr(ATTR_GROUP); - - if ( attr ) - { - Val* group = attr->AttrExpr()->ExprVal(); - if ( group ) - { - if ( group->Type()->Tag() == TYPE_STRING ) - event_registry->SetGroup(Name(), group->AsString()->CheckString()); - else - Error("&group attribute takes string"); - } - } - - attr = attrs->FindAttr(ATTR_ERROR_HANDLER); + Attr* attr = attrs->FindAttr(ATTR_ERROR_HANDLER); if ( attr ) event_registry->SetErrorHandler(Name()); diff --git a/src/bro.bif b/src/bro.bif index 9b3eb946e2..4366d26951 100644 --- a/src/bro.bif +++ b/src/bro.bif 
@@ -4342,31 +4342,6 @@ function skip_smtp_data%(c: connection%): any return 0; %} -## Enables all event handlers in a given group. One can tag event handlers with -## the :bro:attr:`&group` attribute to logically group them together, e.g, -## ``event foo() &group="bar"``. This function enables all event handlers that -## belong to such a group. -## -## group: The group. -## -## .. bro:see:: disable_event_group -function enable_event_group%(group: string%) : any - %{ - event_registry->EnableGroup(group->CheckString(), true); - return 0; - %} - -## Disables all event handlers in a given group. -## -## group: The group. -## -## .. bro:see:: enable_event_group -function disable_event_group%(group: string%) : any - %{ - event_registry->EnableGroup(group->CheckString(), false); - return 0; - %} - # =========================================================================== # # Files and Directories diff --git a/src/event.bif b/src/event.bif index 8a44e8723e..ab44495fdc 100644 --- a/src/event.bif +++ b/src/event.bif @@ -2219,7 +2219,7 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line: ## ## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port -event ftp_request%(c: connection, command: string, arg: string%) &group="ftp"; +event ftp_request%(c: connection, command: string, arg: string%); ## Generated for server-side FTP replies. ## @@ -2239,7 +2239,7 @@ event ftp_request%(c: connection, command: string, arg: string%) &group="ftp"; ## ## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port ## parse_ftp_epsv parse_ftp_pasv parse_ftp_port -event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &group="ftp"; +event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%); ## Generated for client-side SMTP commands. ## 
@@ -2264,7 +2264,7 @@ event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &gro ## smtp_data smtp_reply ## ## .. note:: Bro does not support the newer ETRN extension yet. -event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) &group="smtp"; +event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%); ## Generated for server-side SMTP commands. ## @@ -2295,7 +2295,7 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) ## smtp_data smtp_request ## ## .. note:: Bro doesn't support the newer ETRN extension yet. -event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%) &group="smtp"; +event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%); ## Generated for DATA transmitted on SMTP sessions. This event is raised for ## subsequent chunks of raw data following the ``DATA`` SMTP command until the @@ -2320,7 +2320,7 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s ## .. note:: This event receives the unprocessed raw data. There is a separate ## set of ``mime_*`` events that strip out the outer MIME-layer of emails and ## provide structured access to their content. -event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; +event smtp_data%(c: connection, is_orig: bool, data: string%); ## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks ## the state of SMTP sessions and reports commands and other activity with this 
@@ -2340,7 +2340,7 @@ event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp"; ## detail: The actual SMTP line triggering the event. ## ## .. bro:see:: smtp_data smtp_request smtp_reply -event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp"; +event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); ## Generated when starting to parse an email MIME entity. MIME is a ## protocol-independent data format for encoding text and files, along with @@ -4014,7 +4014,7 @@ event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: ## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected ## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &group="dns"; +event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%); ## Generated for DNS requests. For requests with multiple queries, this event ## is raised once for each. @@ -4041,7 +4041,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &gro ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; +event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); ## Generated for DNS replies that reject a query. This event is raised if a DNS ## reply either indicates failure via its status code or does not pass on any 
@@ -4070,7 +4070,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns"; +event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); ## Generated for DNS replies with an *ok* status code but no question section. ## @@ -4097,7 +4097,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc ## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth event dns_query_reply%(c: connection, msg: dns_msg, query: string, - qtype: count, qclass: count%) &group="dns"; + qtype: count, qclass: count%); ## Generated when the DNS analyzer processes what seems to be a non-DNS packet. ## @@ -4108,7 +4108,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string, ## ## .. note:: This event is deprecated and superseded by Bro's dynamic protocol ## detection framework. -event non_dns_request%(c: connection, msg: string%) &group="dns"; +event non_dns_request%(c: connection, msg: string%); ## Generated for DNS replies of type *A*. For replies with multiple answers, an ## individual event of the corresponding type is raised for each. 
@@ -4133,7 +4133,7 @@ event non_dns_request%(c: connection, msg: string%) &group="dns"; ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns"; +event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); ## Generated for DNS replies of type *AAAA*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4158,7 +4158,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &grou ## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request ## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns"; +event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); ## Generated for DNS replies of type *A6*. For replies with multiple answers, an ## individual event of the corresponding type is raised for each. @@ -4183,7 +4183,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &g ## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request ## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns"; +event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); ## Generated for DNS replies of type *NS*. For replies with multiple answers, an ## individual event of the corresponding type is raised for each. 
@@ -4208,7 +4208,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &gro ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns"; +event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); ## Generated for DNS replies of type *CNAME*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4233,7 +4233,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) ## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request ## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns"; +event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); ## Generated for DNS replies of type *PTR*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4258,7 +4258,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns"; +event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); ## Generated for DNS replies of type *CNAME*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. 
@@ -4283,7 +4283,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string% ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns"; +event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%); ## Generated for DNS replies of type *WKS*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4306,7 +4306,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa% ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; +event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%); ## Generated for DNS replies of type *HINFO*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4329,7 +4329,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns" ## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request ## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; +event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%); ## Generated for DNS replies of type *MX*. For replies with multiple answers, an ## individual event of the corresponding type is raised for each. 
@@ -4356,7 +4356,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns"; +event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%); ## Generated for DNS replies of type *TXT*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4381,7 +4381,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns"; +event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%); ## Generated for DNS replies of type *SRV*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4404,7 +4404,7 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"; +event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%); ## Generated for DNS replies of type *EDNS*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. 
@@ -4427,7 +4427,7 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns" ## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request ## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl ## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns"; +event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%); ## Generated for DNS replies of type *TSIG*. For replies with multiple answers, ## an individual event of the corresponding type is raised for each. @@ -4450,7 +4450,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &gr ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &group="dns"; +event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%); ## Generated at the end of processing a DNS packet. This event is the last ## ``dns_*`` event that will be raised for a DNS query/reply and signals that @@ -4472,7 +4472,7 @@ event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &gr ## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply ## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout ## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_end%(c: connection, msg: dns_msg%) &group="dns"; +event dns_end%(c: connection, msg: dns_msg%); ## Generated for DHCP messages of type *discover*. ## 
@@ -6610,7 +6610,7 @@ event gaobot_signature_found%(c: connection%); ## ## .. todo:: Unclear what this event is for; it's never raised. We should just ## remove it. -event dns_full_request%(%) &group="dns"; +event dns_full_request%(%); ## Deprecated. Will be removed. event anonymization_mapping%(orig: addr, mapped: addr%); diff --git a/src/parse.y b/src/parse.y index 7ce1174595..520623de2c 100644 --- a/src/parse.y +++ b/src/parse.y @@ -2,7 +2,7 @@ // See the file "COPYING" in the main distribution directory for copyright. %} -%expect 88 +%expect 85 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF @@ -23,7 +23,7 @@ %token TOK_ATTR_EXPIRE_CREATE TOK_ATTR_EXPIRE_READ TOK_ATTR_EXPIRE_WRITE %token TOK_ATTR_PERSISTENT TOK_ATTR_SYNCHRONIZED %token TOK_ATTR_RAW_OUTPUT TOK_ATTR_MERGEABLE -%token TOK_ATTR_PRIORITY TOK_ATTR_GROUP TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER +%token TOK_ATTR_PRIORITY TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER %token TOK_ATTR_TYPE_COLUMN %token TOK_DEBUG @@ -1362,8 +1362,6 @@ attr: { $$ = new Attr(ATTR_MERGEABLE); } | TOK_ATTR_PRIORITY '=' expr { $$ = new Attr(ATTR_PRIORITY, $3); } - | TOK_ATTR_GROUP '=' expr - { $$ = new Attr(ATTR_GROUP, $3); } | TOK_ATTR_TYPE_COLUMN '=' expr { $$ = new Attr(ATTR_TYPE_COLUMN, $3); } | TOK_ATTR_LOG diff --git a/src/protocols/http/events.bif b/src/protocols/http/events.bif index e4f71f70fc..ead8bc254b 100644 --- a/src/protocols/http/events.bif +++ b/src/protocols/http/events.bif 
@@ -20,7 +20,7 @@ ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done ply http_stats ## truncate_http_URI -event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request"; +event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%); ## Generated for HTTP replies. Bro supports persistent and pipelined HTTP ## sessions and raises corresponding events as it parses client/server @@ -41,7 +41,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_request ## http_stats -event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply"; +event http_reply%(c: connection, version: string, code: count, reason: string%); ## Generated for HTTP headers. Bro supports persistent and pipelined HTTP ## sessions and raises corresponding events as it parses client/server @@ -64,7 +64,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%) ## ## .. note:: This event is also raised for headers found in nested body ## entities. -event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header"; +event http_header%(c: connection, is_orig: bool, name: string, value: string%); ## Generated for HTTP headers, passing on all headers of an HTTP message at ## once. Bro supports persistent and pipelined HTTP sessions and raises 
@@ -86,7 +86,7 @@ event http_header%(c: connection, is_orig: bool, name: string, value: string%) & ## ## .. note:: This event is also raised for headers found in nested body ## entities. -event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header"; +event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%); ## Generated when starting to parse an HTTP body entity. This event is generated ## at least once for each non-empty (client or server) HTTP body; and @@ -105,7 +105,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) ## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats ## mime_begin_entity -event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; +event http_begin_entity%(c: connection, is_orig: bool%); ## Generated when finishing parsing an HTTP body entity. This event is generated ## at least once for each non-empty (client or server) HTTP body; and @@ -124,7 +124,7 @@ event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body"; ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data ## http_event http_header http_message_done http_reply http_request ## http_stats mime_end_entity -event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; +event http_end_entity%(c: connection, is_orig: bool%); ## Generated when parsing an HTTP body entity, passing on the data. This event ## can potentially be raised many times for each entity, each time passing a 
@@ -152,7 +152,7 @@ event http_end_entity%(c: connection, is_orig: bool%) &group="http-body"; ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_event http_header http_message_done http_reply http_request http_stats ## mime_entity_data http_entity_data_delivery_size skip_http_data -event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body"; +event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%); ## Generated for reporting an HTTP body's content type. This event is ## generated at the end of parsing an HTTP header, passing on the MIME @@ -176,7 +176,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin ## ## .. note:: This event is also raised for headers found in nested body ## entities. -event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body"; +event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%); ## Generated once at the end of parsing an HTTP message. Bro supports persistent ## and pipelined HTTP sessions and raises corresponding events as it parses @@ -198,7 +198,7 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_reply http_request http_stats -event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body"; +event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%); ## Generated for errors found when decoding HTTP requests or replies. ## diff --git a/src/scan.l b/src/scan.l index faa831ea93..a4d80c88ed 100644 --- a/src/scan.l +++ b/src/scan.l 
@@ -332,7 +332,6 @@ when return TOK_WHEN; &encrypt return TOK_ATTR_ENCRYPT; &error_handler return TOK_ATTR_ERROR_HANDLER; &expire_func return TOK_ATTR_EXPIRE_FUNC; -&group return TOK_ATTR_GROUP; &log return TOK_ATTR_LOG; &mergeable return TOK_ATTR_MERGEABLE; &optional return TOK_ATTR_OPTIONAL; diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 0482b574f8..0db69c1f17 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-01-19-44-31 +#open 2013-04-09-22-37-59 #fields name #types string scripts/base/init-bare.bro @@ -36,5 +36,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./Syslog.events.bif.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-01-19-44-31 +#close 2013-04-09-22-37-59 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 390040ab4a..aa406976a0 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-01-19-44-38 +#open 2013-04-09-22-38-15 #fields name #types string scripts/base/init-bare.bro 
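Review bot: In the src/scan.l and src/parse.y hunks, dropping the `&group` token and the `TOK_ATTR_GROUP '=' expr` rule outright means any existing user script that still carries `event foo() &group="bar"` will now die with a generic lexer/parser error rather than a message that says the attribute is gone. Consider keeping the token for one release and having the parser action discard the attribute with a reporter deprecation warning, and note the removal in the commit message, which currently says nothing about event groups.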
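Review bot: In the src/bro.bif hunk, `enable_event_group` and `disable_event_group` are removed without a replacement, so any script that calls them (the deleted scripts/policy/misc/analysis-groups.bro is one such caller) fails to load instead of degrading gracefully. Since the commit message presents the analyzer framework as "replacing the old Analyzer::Available() methods", document that event groups are being removed as well, or keep both functions as no-op stubs that emit a deprecation warning for one release.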
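Review bot: In the src/event.bif hunk for `dns_PTR_reply`, the surrounding doc comment reads "Generated for DNS replies of type *CNAME*", which is the text of the preceding `dns_CNAME_reply` block; since this change already rewrites the `dns_PTR_reply` declaration, fix the comment to say *PTR* in passing.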
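Review bot: In the src/event.bif hunk for `dns_full_request`, the existing todo says the event is "never raised" and "we should just remove it"; this change touches exactly that declaration, so it would be a good moment to delete the event (and its `dns_*` cross-references) rather than only stripping `&group="dns"` from it.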
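Review bot: In the src/protocols/http/events.bif hunk for `http_request`, the `.. bro:see::` list in the context reads "http_message_done ply http_stats"; "ply" looks like a truncated `http_reply` and will render as a broken reference, so it is worth fixing while the declaration is being edited.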
@@ -36,6 +36,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./Syslog.events.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/./patterns.bro @@ -126,4 +127,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-01-19-44-38 +#close 2013-04-09-22-38-15 From 2002787c6ed22e98fe3a04123ecf2100146851a5 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 9 Apr 2013 16:23:20 -0700 Subject: [PATCH 18/70] A set of interface changes in preparation for merging into BinPAC++ branch. --- cmake | 2 +- src/CMakeLists.txt | 17 ++-- src/Conn.cc | 2 +- src/Conn.h | 2 +- src/EventRegistry.cc | 6 +- src/ID.h | 1 + src/RuleAction.cc | 10 +-- src/TCP.h | 4 + src/analyzer/Analyzer.cc | 56 ++++++++++--- src/analyzer/Analyzer.h | 40 ++++++++-- src/analyzer/Component.cc | 37 ++++++++- src/analyzer/Component.h | 28 ++++--- src/analyzer/Manager.cc | 56 ++++++------- src/analyzer/Manager.h | 20 ++--- src/analyzer/Tag.cc | 23 +++++- src/analyzer/Tag.h | 10 +++ src/builtin-func.l | 4 +- src/main.cc | 2 +- src/plugin/Macros.h | 15 ++-- src/plugin/Plugin.cc | 126 ++++++++++++++++++++++-------- src/plugin/Plugin.h | 68 +++++++++++----- src/protocols/BuiltInAnalyzers.cc | 8 +- src/protocols/http/HTTP.cc | 2 +- src/protocols/ssl/Plugin.cc | 2 +- src/protocols/syslog/Plugin.cc | 2 +- src/scan.l | 4 +- src/util.h | 6 ++ 27 files changed, 381 insertions(+), 172 deletions(-) diff --git a/cmake b/cmake index 39c1516be5..8cc03d64d0 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 39c1516be5e630bd5d78082e974fae708faa4e8c +Subproject commit 8cc03d64d00676cb75a38543800ac0de192557dd 
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index c54abea7a6..aa51e68e91 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -117,7 +117,7 @@ foreach (bift ${BIF_SRCS}) bif_target(${bift}) endforeach () -add_custom_target(generate_standard_bifs DEPENDS ${ALL_BIF_OUTPUTS}) +add_custom_target(generate_bifs DEPENDS ${ALL_BIF_OUTPUTS}) ######################################################################## ## BinPAC-dependent targets @@ -159,20 +159,16 @@ binpac_target(modbus.pac ## Including subdirectories. ######################################################################## +set(bro_PLUGIN_OBJECT_LIBS CACHE INTERNAL "plugin object libraries" FORCE) + add_subdirectory(analyzer) +add_subdirectory(protocols) set(bro_SUBDIRS $ + ${bro_PLUGIN_OBJECT_LIBS} ) - -######################################################################## -## Including plug-ins that are compiled in statically. -######################################################################## - -set(bro_PLUGIN_OBJECT_LIBS CACHE INTERNAL "plugin object libraries" FORCE) -add_subdirectory(protocols) - ######################################################################## ## bro target @@ -403,8 +399,7 @@ set(bro_SRCS ) collect_headers(bro_HEADERS ${bro_SRCS}) - -add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_PLUGIN_OBJECT_LIBS} ${bro_SUBDIRS}) +add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_SUBDIRS}) target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT}) diff --git a/src/Conn.cc b/src/Conn.cc index e7687c5464..e476dd674b 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -413,7 +413,7 @@ analyzer::Analyzer* Connection::FindAnalyzer(analyzer::Tag tag) return root_analyzer ? root_analyzer->FindChild(tag) : 0; } -analyzer::Analyzer* Connection::FindAnalyzer(const string& name) +analyzer::Analyzer* Connection::FindAnalyzer(const char* name) { return root_analyzer->FindChild(name); } diff --git a/src/Conn.h b/src/Conn.h index 1989ce0b43..1b13500fad 100644 --- a/src/Conn.h 
+++ b/src/Conn.h @@ -107,7 +107,7 @@ public: analyzer::Analyzer* FindAnalyzer(analyzer::ID id); analyzer::Analyzer* FindAnalyzer(analyzer::Tag tag); // find first in tree. - analyzer::Analyzer* FindAnalyzer(const string& name); // find first in tree. + analyzer::Analyzer* FindAnalyzer(const char* name); // find first in tree. TransportProto ConnTransport() const { return proto; } diff --git a/src/EventRegistry.cc b/src/EventRegistry.cc index cf8aa6802e..2da16de51d 100644 --- a/src/EventRegistry.cc +++ b/src/EventRegistry.cc @@ -80,8 +80,10 @@ void EventRegistry::PrintDebug() while ( (v = handlers.NextEntry(k, c)) ) { delete k; - fprintf(stderr, "Registered event %s (%s handler)\n", v->Name(), - v->LocalHandler()? "local" : "no"); + fprintf(stderr, "Registered event %s (%s handler / %s)\n", v->Name(), + v->LocalHandler()? "local" : "no", + *v ? "active" : "not active" + ); } } diff --git a/src/ID.h b/src/ID.h index 9c1f56e80f..57e1222511 100644 --- a/src/ID.h +++ b/src/ID.h @@ -26,6 +26,7 @@ public: bool IsGlobal() const { return scope != SCOPE_FUNCTION; } bool IsExport() const { return is_export; } + void SetExport() { is_export = true; } string ModuleName() const; diff --git a/src/RuleAction.cc b/src/RuleAction.cc index 7d594e695f..6bbd7243cd 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc @@ -40,7 +40,7 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer) string str(arg_analyzer); string::size_type pos = str.find(':'); string arg = str.substr(0, pos); - analyzer = analyzer_mgr->GetAnalyzerTag(arg); + analyzer = analyzer_mgr->GetAnalyzerTag(arg.c_str()); if ( ! analyzer ) reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str()); 
@@ -48,7 +48,7 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer) if ( pos != string::npos ) { arg = str.substr(pos + 1); - child_analyzer = analyzer_mgr->GetAnalyzerTag(arg); + child_analyzer = analyzer_mgr->GetAnalyzerTag(arg.c_str()); if ( ! child_analyzer ) reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str()); @@ -60,11 +60,11 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer) void RuleActionAnalyzer::PrintDebug() { if ( ! child_analyzer ) - fprintf(stderr, "|%s|\n", analyzer_mgr->GetAnalyzerName(analyzer).c_str()); + fprintf(stderr, "|%s|\n", analyzer_mgr->GetAnalyzerName(analyzer)); else fprintf(stderr, "|%s:%s|\n", - analyzer_mgr->GetAnalyzerName(analyzer).c_str(), - analyzer_mgr->GetAnalyzerName(child_analyzer).c_str()); + analyzer_mgr->GetAnalyzerName(analyzer), + analyzer_mgr->GetAnalyzerName(child_analyzer)); } diff --git a/src/TCP.h b/src/TCP.h index 61bcd7ef7c..be91d473c2 100644 --- a/src/TCP.h +++ b/src/TCP.h @@ -267,6 +267,10 @@ public: : Analyzer(name, conn) { tcp = 0; } + TCP_ApplicationAnalyzer(Connection* conn) + : Analyzer(conn) + { tcp = 0; } + virtual ~TCP_ApplicationAnalyzer() { } // This may be nil if we are not directly associated with a TCP diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index 0bc8d28c8f..c482ddd792 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc 
@@ -72,28 +72,56 @@ void AnalyzerTimer::Init(Analyzer* arg_analyzer, analyzer_timer_func arg_timer, analyzer::ID Analyzer::id_counter = 0;; -const string& Analyzer::GetAnalyzerName() const +const char* Analyzer::GetAnalyzerName() const { + assert(tag); return analyzer_mgr->GetAnalyzerName(tag); } +void Analyzer::SetAnalyzerTag(const Tag& arg_tag) + { + assert(! tag || tag == arg_tag); + tag = arg_tag; + } + bool Analyzer::IsAnalyzer(const char* name) { - return analyzer_mgr->GetAnalyzerName(tag) == name; + assert(tag); + return strcmp(analyzer_mgr->GetAnalyzerName(tag), name) == 0; } // Used in debugging output. static string fmt_analyzer(Analyzer* a) { - return a->GetAnalyzerName() + fmt("[%d]", a->GetID()); + return string(a->GetAnalyzerName()) + fmt("[%d]", a->GetID()); } -Analyzer::Analyzer(const char* name, Connection* arg_conn) +Analyzer::Analyzer(const char* name, Connection* conn) + { + Tag tag = analyzer_mgr->GetAnalyzerTag(name); + + if ( ! tag ) + reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::Component?", name); + + CtorInit(tag, conn); + } + +Analyzer::Analyzer(const Tag& tag, Connection* conn) + { + CtorInit(tag, conn); + } + +Analyzer::Analyzer(Connection* conn) + { + CtorInit(Tag(), conn); + } + +void Analyzer::CtorInit(const Tag& arg_tag, Connection* arg_conn) { // Don't Ref conn here to avoid circular ref'ing. It can't be deleted // before us. conn = arg_conn; - tag = analyzer_mgr->GetAnalyzerTag(name); + tag = arg_tag; id = ++id_counter; protocol_confirmed = false; skip = false; @@ -104,10 +132,6 @@ Analyzer::Analyzer(const char* name, Connection* arg_conn) resp_supporters = 0; signature = 0; output_handler = 0; - - if ( ! tag ) - reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::Component?", name); - } Analyzer::~Analyzer() 
@@ -417,7 +441,7 @@ void Analyzer::RemoveChildAnalyzer(ID id) LOOP_OVER_CHILDREN(i) if ( (*i)->id == id && ! ((*i)->finished || (*i)->removing) ) { - DBG_LOG(DBG_ANALYZER, "%s disabling child %s", GetAnalyzerName().c_str(), id, + DBG_LOG(DBG_ANALYZER, "%s disabling child %s", GetAnalyzerName(), id, fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str()); // See comment above. (*i)->removing = true; @@ -468,7 +492,7 @@ Analyzer* Analyzer::FindChild(Tag arg_tag) return 0; } -Analyzer* Analyzer::FindChild(const string& name) +Analyzer* Analyzer::FindChild(const char* name) { Tag tag = analyzer_mgr->GetAnalyzerTag(name); return tag ? FindChild(tag) : 0; @@ -625,9 +649,12 @@ void Analyzer::ProtocolConfirmation() if ( protocol_confirmed ) return; + EnumVal* tval = tag.AsEnumVal(); + Ref(tval); + val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(tag.AsEnumVal()); + vl->append(tval); vl->append(new Val(id, TYPE_COUNT)); // We immediately raise the event so that the analyzer can quickly @@ -653,9 +680,12 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) else r = new StringVal(reason); + EnumVal* tval = tag.AsEnumVal(); + Ref(tval); + val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(tag.AsEnumVal()); + vl->append(tval); vl->append(new Val(id, TYPE_COUNT)); vl->append(r); diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 07e5d5acf4..f509f79941 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
@@ -61,13 +61,32 @@ public: /** * Constructor. * - * @param name A name for the protocol the analyzer is parsing. The - * name must match the one the corresponding Component registers. + * @param name The name for the type of analyzer. The name must match + * the one the corresponding Component registers. * * @param conn The connection the analyzer is associated with. */ Analyzer(const char* name, Connection* conn); + /** + * Constructor. + * + * @param tag The tag for the type of analyzer. The tag must map to + * the name the corresponding Component registers. + * + * @param conn The connection the analyzer is associated with. + */ + Analyzer(const Tag& tag, Connection* conn); + + /** + * Constructor. As this version of the constructor does not receive a + * name or tag, setTag() must be called before the instance can be + * used. + * + * @param conn The connection the analyzer is associated with. + */ + Analyzer(Connection* conn); + /** * Destructor. */ @@ -285,14 +304,22 @@ public: /** * Returns the tag associated with the analyzer's type. */ - Tag GetAnalyzerTag() const { return tag; } + Tag GetAnalyzerTag() const { assert(tag); return tag; } + + /** + * Sets the tag associated with the analyzer's type. Note that this + * can be called only right after construction, if the constructor + * did not receive a name or tag. The method cannot be used to change + * an existing tag. + */ + void SetAnalyzerTag(const Tag& tag); /** * Returns a textual description of the analyzer's type. This is * what's passed to the constructor and usally corresponds to the * protocol name, e.g., "HTTP". */ - const string& GetAnalyzerName() const; + const char* GetAnalyzerName() const; /** * Returns true if this analyzer's type matches the name passes in. 
@@ -377,7 +404,7 @@ public: * @return The first analyzer of the given type found, or null if * none. */ - Analyzer* FindChild(const string& name); + Analyzer* FindChild(const char* name); /** * Returns a list of all direct child analyzers. @@ -574,6 +601,9 @@ private: // already Done(). void DeleteChild(analyzer_list::iterator i); + // Helper for the ctors. + void CtorInit(const Tag& tag, Connection* conn); + Tag tag; ID id; diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc index 9640d6d8ac..6ce433a594 100644 --- a/src/analyzer/Component.cc +++ b/src/analyzer/Component.cc @@ -7,10 +7,10 @@ using namespace analyzer; Tag::type_t Component::type_counter = 0; -Component::Component(std::string arg_name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial) +Component::Component(const char* arg_name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial) : plugin::Component(plugin::component::ANALYZER) { - name = arg_name; + name = copy_string(arg_name); factory = arg_factory; enabled = arg_enabled; partial = arg_partial; @@ -18,6 +18,26 @@ Component::Component(std::string arg_name, factory_callback arg_factory, Tag::su tag = analyzer::Tag(++type_counter, arg_subtype); } +Component::Component(const Component& other) + : plugin::Component(Type()) + { + name = copy_string(other.name); + factory = other.factory; + enabled = other.enabled; + partial = other.partial; + tag = other.tag; + } + +Component::~Component() + { + delete [] name; + } + +analyzer::Tag Component::Tag() const + { + return tag; + } + void Component::Describe(ODesc* d) { plugin::Component::Describe(d); 
@@ -27,3 +47,16 @@ void Component::Describe(ODesc* d) d->Add(")"); } +Component& Component::operator=(const Component& other) + { + if ( &other != this ) + { + name = copy_string(other.name); + factory = other.factory; + enabled = other.enabled; + partial = other.partial; + tag = other.tag; + } + + return *this; + } diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h index 0a48c0546f..67751e1b35 100644 --- a/src/analyzer/Component.h +++ b/src/analyzer/Component.h @@ -2,8 +2,6 @@ #ifndef ANALYZER_PLUGIN_COMPONENT_H #define ANALYZER_PLUGIN_COMPONENT_H -#include - #include "Tag.h" #include "plugin/Component.h" @@ -21,8 +19,6 @@ class Analyzer; * * A plugin can provide a specific protocol analyzer by registering this * analyzer component, describing the analyzer. - * - * This class is safe to copy by value. */ class Component : public plugin::Component { public: @@ -58,13 +54,23 @@ public: * connections has generally not seen much testing yet as virtually * no existing analyzer supports it. */ - Component(std::string name, factory_callback factory, Tag::subtype_t subtype = 0, bool enabled = true, bool partial = false); + Component(const char* name, factory_callback factory, Tag::subtype_t subtype = 0, bool enabled = true, bool partial = false); + + /** + * Copy constructor. + */ + Component(const Component& other); + + /** + * Destructor. + */ + ~Component(); /** * Returns the name of the analyzer. This name is unique across all * analyzers and used to identify it. */ - const std::string& Name() const { return name; } + const char* Name() const { return name; } /** * Returns the analyzer's factory function. @@ -74,7 +80,7 @@ public: /** * Returns whether the analyzer supports partial connections. Partial * connections are those where Bro starts processing payload - * mid-stream, after missing the beginning. + * mid-stream, after missing the beginning. */ bool Partial() const { return partial; } 
@@ -89,7 +95,7 @@ public: * generated for each new Components, and hence unique across all of * them. */ - analyzer::Tag Tag() const { return tag; } + analyzer::Tag Tag() const; /** * Enables or disables this analyzer. @@ -105,15 +111,17 @@ public: */ virtual void Describe(ODesc* d); + Component& operator=(const Component& other); + private: - std::string name; // The analyzer's name. + const char* name; // The analyzer's name. factory_callback factory; // The analyzer's factory callback. bool partial; // True if the analyzer supports partial connections. analyzer::Tag tag; // The automatically assigned analyzer tag. bool enabled; // True if the analyzer is enabled. // Global counter used to generate unique tags. - static analyzer::Tag::type_t type_counter; + static analyzer::Tag::type_t type_counter; }; } diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 68869b3799..056c3c2b7d 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -108,7 +108,7 @@ void Manager::DumpDebug() #ifdef DEBUG DBG_LOG(DBG_ANALYZER, "Available analyzers after bro_init():"); for ( analyzer_map_by_name::const_iterator i = analyzers_by_name.begin(); i != analyzers_by_name.end(); i++ ) - DBG_LOG(DBG_ANALYZER, " %s (%s)", i->second->Name().c_str(), IsEnabled(i->second->Tag()) ? "enabled" : "disabled"); + DBG_LOG(DBG_ANALYZER, " %s (%s)", i->second->Name(), IsEnabled(i->second->Tag()) ? "enabled" : "disabled"); DBG_LOG(DBG_ANALYZER, ""); DBG_LOG(DBG_ANALYZER, "Analyzers by port:"); @@ -118,7 +118,7 @@ void Manager::DumpDebug() string s; for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) - s += GetAnalyzerName(*j) + " "; + s += string(GetAnalyzerName(*j)) + " "; DBG_LOG(DBG_ANALYZER, " %d/tcp: %s", i->first, s.c_str()); } 
@@ -128,7 +128,7 @@ void Manager::DumpDebug() string s; for ( tag_set::const_iterator j = i->second->begin(); j != i->second->end(); j++ ) - s += GetAnalyzerName(*j) + " "; + s += string(GetAnalyzerName(*j)) + " "; DBG_LOG(DBG_ANALYZER, " %d/udp: %s", i->first, s.c_str()); } @@ -151,10 +151,10 @@ void Manager::Done() void Manager::RegisterAnalyzerComponent(Component* component) { if ( Lookup(component->Name()) ) - reporter->FatalError("Analyzer %s defined more than once", component->Name().c_str()); + reporter->FatalError("Analyzer %s defined more than once", component->Name()); DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)", - component->Name().c_str(), component->Tag().AsString().c_str()); + component->Name(), component->Tag().AsString().c_str()); analyzers_by_name.insert(std::make_pair(component->Name(), component)); analyzers_by_tag.insert(std::make_pair(component->Tag(), component)); @@ -173,7 +173,7 @@ bool Manager::EnableAnalyzer(Tag tag) if ( ! p ) return false; - DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name()); p->SetEnabled(true); return true; @@ -186,7 +186,7 @@ bool Manager::EnableAnalyzer(EnumVal* val) if ( ! p ) return false; - DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Enabling analyzer %s", p->Name()); p->SetEnabled(true); return true; @@ -199,7 +199,7 @@ bool Manager::DisableAnalyzer(Tag tag) if ( ! p ) return false; - DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name()); p->SetEnabled(false); return true; @@ -212,7 +212,7 @@ bool Manager::DisableAnalyzer(EnumVal* val) if ( ! p ) return false; - DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name().c_str()); + DBG_LOG(DBG_ANALYZER, "Disabling analyzer %s", p->Name()); p->SetEnabled(false); return true; 
@@ -256,7 +256,7 @@ bool Manager::RegisterAnalyzerForPort(EnumVal* val, PortVal* port) if ( ! p ) return false; - + return RegisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port()); } @@ -275,8 +275,8 @@ bool Manager::RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port tag_set* l = LookupPort(proto, port, true); #ifdef DEBUG - std::string name = GetAnalyzerName(tag); - DBG_LOG(DBG_ANALYZER, "Registering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); + const char* name = GetAnalyzerName(tag); + DBG_LOG(DBG_ANALYZER, "Registering analyzer %s for port %" PRIu32 "/%d", name, port, proto); #endif l->insert(tag); @@ -288,8 +288,8 @@ bool Manager::UnregisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 po tag_set* l = LookupPort(proto, port, true); #ifdef DEBUG - std::string name = GetAnalyzerName(tag); - DBG_LOG(DBG_ANALYZER, "Unregistering analyzer %s for port %" PRIu32 "/%d", name.c_str(), port, proto); + const char* name = GetAnalyzerName(tag); + DBG_LOG(DBG_ANALYZER, "Unregistering analyzer %s for port %" PRIu32 "/%d", name, port, proto); #endif l->erase(tag); @@ -312,6 +312,8 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) if ( ! a ) reporter->InternalError("analyzer instantiation failed"); + a->SetAnalyzerTag(tag); + return a; } @@ -321,9 +323,9 @@ Analyzer* Manager::InstantiateAnalyzer(const char* name, Connection* conn) return tag ? InstantiateAnalyzer(tag, conn) : 0; } -const string& Manager::GetAnalyzerName(Tag tag) +const char* Manager::GetAnalyzerName(Tag tag) { - static string error = ""; + static const char* error = ""; if ( ! tag ) return error; 
@@ -336,17 +338,11 @@ const string& Manager::GetAnalyzerName(Tag tag) return c->Name(); } -const string& Manager::GetAnalyzerName(Val* val) +const char* Manager::GetAnalyzerName(Val* val) { return GetAnalyzerName(Tag(val->AsEnumVal())); } -Tag Manager::GetAnalyzerTag(const string& name) - { - Component* c = Lookup(name); - return c ? c->Tag() : Tag(); - } - Tag Manager::GetAnalyzerTag(const char* name) { Component* c = Lookup(name); @@ -358,12 +354,6 @@ EnumType* Manager::GetTagEnumType() return tag_enum_type; } -Component* Manager::Lookup(const string& name) - { - analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); - return i != analyzers_by_name.end() ? i->second : 0; - } - Component* Manager::Lookup(const char* name) { analyzer_map_by_name::const_iterator i = analyzers_by_name.find(to_upper(name)); @@ -474,7 +464,7 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) root->AddChildAnalyzer(analyzer, false); DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled", - analyzer_mgr->GetAnalyzerName(*i).c_str()); + analyzer_mgr->GetAnalyzerName(*i)); } } @@ -500,7 +490,7 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) root->AddChildAnalyzer(analyzer, false); DBG_ANALYZER_ARGS(conn, "activated %s analyzer due to port %d", - analyzer_mgr->GetAnalyzerName(*j).c_str(), resp_port); + analyzer_mgr->GetAnalyzerName(*j), resp_port); } } } @@ -622,7 +612,7 @@ void Manager::ExpireScheduledAnalyzers() conns.erase(i); DBG_LOG(DBG_ANALYZER, "Expiring expected analyzer %s for connection %s", - analyzer_mgr->GetAnalyzerName(a->analyzer).c_str(), + analyzer_mgr->GetAnalyzerName(a->analyzer), fmt_conn_id(a->conn.orig, 0, a->conn.resp, a->conn.resp_p)); delete a; 
@@ -661,7 +651,7 @@ void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, - TransportProto proto, const string& analyzer, + TransportProto proto, const char* analyzer, double timeout) { Tag tag = GetAnalyzerTag(analyzer); diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 750ac986fb..371cad956d 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -42,6 +42,10 @@ namespace analyzer { * sets up their initial analyzer tree, including adding the right \c PIA, * respecting well-known ports, and tracking any analyzers specifically * scheduled for individidual connections. + * + * Note that we keep the public interface of this class free of std::* + * classes. This allows to external analyzer code to potentially use a + * different C++ standard library. */ class Manager { public: @@ -232,7 +236,7 @@ public: * * @return The name, or an empty string if the tag is invalid. */ - const string& GetAnalyzerName(Tag tag); + const char* GetAnalyzerName(Tag tag); /** * Translates an script-level analyzer tag into corresponding @@ -243,17 +247,7 @@ public: * * @return The name, or an empty string if the tag is invalid. */ - const string& GetAnalyzerName(Val* val); - - /** - * Translates an analyzer name into the corresponding tag. - * - * @param name The name. - * - * @return The tag. If the name does not correspond to a valid - * analyzer, the returned tag will evaluate to false. - */ - Tag GetAnalyzerTag(const string& name); + const char* GetAnalyzerName(Val* val); /** * Translates an analyzer name into the corresponding tag. @@ -327,7 +321,7 @@ public: * schedule this analyzer. Must be non-zero. */ void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16 resp_p, - TransportProto proto, const string& analyzer, + TransportProto proto, const char* analyzer, double timeout); /** 
diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc index 0b765742dc..09c3c26caf 100644 --- a/src/analyzer/Tag.cc +++ b/src/analyzer/Tag.cc @@ -31,7 +31,7 @@ Tag::Tag(EnumVal* arg_val) subtype = (i >> 31) & 0xffffffff; } -Tag::Tag(const Tag& other) : type(other.type), subtype(other.subtype) +Tag::Tag(const Tag& other) { type = other.type; subtype = other.subtype; @@ -48,6 +48,27 @@ Tag::Tag() val = 0; } +Tag::~Tag() + { + Unref(val); + val = 0; + } + +Tag& Tag::operator=(const Tag& other) + { + if ( this != &other ) + { + type = other.type; + subtype = other.subtype; + val = other.val; + + if ( val ) + Ref(val); + } + + return *this; + } + EnumVal* Tag::AsEnumVal() const { if ( ! val ) diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index 90a6804dc4..ca3bc8b02f 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -53,6 +53,11 @@ public: */ Tag(); + /** + * Destructor. + */ + ~Tag(); + /** * Returns the tag's main type. */ @@ -81,6 +86,11 @@ public: */ operator bool() const { return *this != Tag(); } + /** + * Assignment operator. + */ + Tag& operator=(const Tag& other); + /** * Compares two tags for equality. */ diff --git a/src/builtin-func.l b/src/builtin-func.l index 2128c21f6b..b23ef43e22 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l @@ -235,9 +235,9 @@ void init_alternative_mode() fprintf(fp_func_init, "\n"); fprintf(fp_func_init, "namespace plugin { namespace %s {\n", plugin); fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "std::list > __bif_%s_init()\n", name); + fprintf(fp_func_init, "std::list > __bif_%s_init()\n", name); fprintf(fp_func_init, "\t{\n"); - fprintf(fp_func_init, "\tstd::list > bifs;\n"); + fprintf(fp_func_init, "\tstd::list > bifs;\n"); fprintf(fp_func_init, "\n"); } } diff --git a/src/main.cc b/src/main.cc index 59a383543c..b3747226b3 100644 --- a/src/main.cc +++ b/src/main.cc 
@@ -814,8 +814,8 @@ int main(int argc, char** argv) log_mgr = new logging::Manager(); input_mgr = new input::Manager(); plugin_mgr = new plugin::Manager(); - plugin_mgr->InitPlugins(); + plugin_mgr->InitPlugins(); analyzer_mgr->Init(); if ( events_file ) diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index f132927560..1ddcb1afc8 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -15,25 +15,22 @@ protected: \ void Init() \ { \ - plugin::Description _desc; \ - _desc.name = #_name; \ - _desc.version = _BRO_PLUGIN_VERSION_DEFAULT; \ - _desc.api_version = BRO_PLUGIN_API_VERSION; + SetName(#_name); \ + SetVersion(_BRO_PLUGIN_VERSION_DEFAULT); \ + SetAPIVersion(BRO_PLUGIN_API_VERSION); #define BRO_PLUGIN_END \ - SetDescription(_desc); \ } \ }; \ \ static Plugin __plugin; \ } } -#define BRO_PLUGIN_DESCRIPTION _desc.description -#define BRO_PLUGIN_URL _desc.url -#define BRO_PLUGIN_VERSION _desc.version +#define BRO_PLUGIN_DESCRIPTION(x) SetDescription(x) +#define BRO_PLUGIN_VERSION(x) SetVersion(x) #define BRO_PLUGIN_BIF_FILE(file) \ - std::list > __bif_##file##_init(); \ + std::list > __bif_##file##_init(); \ AddBifInitFunction(&__bif_##file##_init); #define BRO_PLUGIN_ANALYZER(tag, factory) \ diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 69377fd97a..99c73339b3 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc 
@@ -9,33 +9,86 @@ using namespace plugin; -Description::Description() +BifItem::BifItem(const BifItem& other) { - name = ""; + id = copy_string(other.id); + type = other.type; + } - // These will be reset by the BRO_PLUGIN_* macros. - version = -9999; - api_version = -9999; +BifItem& BifItem::operator=(const BifItem& other) + { + if ( this != &other ) + { + id = copy_string(other.id); + type = other.type; + } + + return *this; + } + +BifItem::~BifItem() + { + delete [] id; } Plugin::Plugin() { + name = copy_string(""); + description = copy_string(""); + + // These will be reset by the BRO_PLUGIN_* macros. + version = -9999; + api_version = -9999; + Manager::RegisterPlugin(this); } -Description Plugin::GetDescription() const - { - return description; - } - -void Plugin::SetDescription(Description& desc) - { - description = desc; - } - Plugin::~Plugin() { Done(); + + delete [] name; + delete [] description; + } + +const char* Plugin::Name() + { + return name; + } + +void Plugin::SetName(const char* arg_name) + { + name = copy_string(arg_name); + } + +const char* Plugin::Description() + { + return description; + } + +void Plugin::SetDescription(const char* arg_description) + { + description = copy_string(arg_description); + } + +int Plugin::Version() + { + return version; + } + +void Plugin::SetVersion(int arg_version) + { + version = arg_version; + } + +int Plugin::APIVersion() + { + return api_version; + } + +void Plugin::SetAPIVersion(int arg_version) + { + api_version = arg_version; } void Plugin::Init() 
@@ -50,17 +103,26 @@ void Plugin::InitBif() for ( bif_init_func_result::const_iterator i = items.begin(); i != items.end(); i++ ) { - BifItem bi; - bi.id = (*i).first; - bi.type = (BifItem::Type)(*i).second; + BifItem bi((*i).first, (BifItem::Type)(*i).second); bif_items.push_back(bi); } } } -const Plugin::bif_item_list& Plugin::BifItems() +Plugin::bif_item_list Plugin::BifItems() { - return bif_items; + bif_item_list l1 = bif_items; + bif_item_list l2 = CustomBifItems(); + + for ( bif_item_list::const_iterator i = l2.begin(); i != l2.end(); i++ ) + l1.push_back(*i); + + return l1; + } + +Plugin::bif_item_list Plugin::CustomBifItems() + { + return bif_item_list(); } void Plugin::Done() @@ -89,24 +151,18 @@ void Plugin::AddBifInitFunction(bif_init_func c) void Plugin::Describe(ODesc* d) { d->Add("Plugin: "); - d->Add(description.name); + d->Add(name); - if ( description.description.size() ) + if ( description && *description ) { d->Add(" - "); - d->Add(description.description); + d->Add(description); } - if ( description.version != BRO_PLUGIN_VERSION_BUILTIN ) + if ( version != BRO_PLUGIN_VERSION_BUILTIN ) { d->Add(" (version "); - d->Add(description.version); - - if ( description.url.size() ) - { - d->Add(", from "); - d->Add(description.url); - } + d->Add(version); d->Add(")"); } @@ -125,11 +181,13 @@ void Plugin::Describe(ODesc* d) d->Add("\n"); } - for ( bif_item_list::const_iterator i = bif_items.begin(); i != bif_items.end(); i++ ) + bif_item_list items = BifItems(); + + for ( bif_item_list::const_iterator i = items.begin(); i != items.end(); i++ ) { const char* type = 0; - switch ( (*i).type ) { + switch ( (*i).GetType() ) { case BifItem::FUNCTION: type = "Function"; break; @@ -158,7 +216,7 @@ void Plugin::Describe(ODesc* d) d->Add("["); d->Add(type); d->Add("] "); - d->Add((*i).id); + d->Add((*i).GetID()); d->Add("\n"); } } diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 314de47083..c5753767db 100644 --- a/src/plugin/Plugin.h 
+++ b/src/plugin/Plugin.h @@ -14,25 +14,30 @@ namespace plugin { class Manager; class Component; -struct Description { - std::string name; - std::string description; - std::string url; - int version; - int api_version; - - Description(); - void Describe(ODesc* d); - }; - -struct BifItem { +class BifItem { +public: // Values must match the integers bifcl generates. enum Type { FUNCTION = 1, EVENT = 2, CONSTANT = 3, GLOBAL = 4, TYPE = 5 }; - std::string id; + BifItem(const std::string& id, Type type); + BifItem(const BifItem& other); + BifItem& operator=(const BifItem& other); + ~BifItem(); + + const char* GetID() const { return id; } + Type GetType() const { return type; } + +private: + const char* id; Type type; }; +inline BifItem::BifItem(const std::string& arg_id, Type arg_type) + { + id = copy_string(arg_id.c_str()); + type = arg_type; + } + class Plugin { public: typedef std::list component_list; @@ -41,15 +46,17 @@ public: Plugin(); virtual ~Plugin(); - Description GetDescription() const; - void SetDescription(Description& desc); + const char* Name(); + const char* Description(); + int Version(); + int APIVersion(); component_list Components(); void InitBif(); // Must be called after InitBif() only. - const bif_item_list& BifItems(); + bif_item_list BifItems(); virtual void Init(); virtual void Done(); 
@@ -57,19 +64,42 @@ public: void Describe(ODesc* d); protected: + typedef std::list > bif_init_func_result; + typedef bif_init_func_result (*bif_init_func)(); + + void SetName(const char* name); + void SetDescription(const char* descr); + void SetVersion(int version); + void SetAPIVersion(int version); + /** * Takes ownership. */ void AddComponent(Component* c); - typedef std::list > bif_init_func_result; - typedef bif_init_func_result (*bif_init_func)(); + /** + * Can be overriden by derived class to inform the plugin about + * further BiF items they provide on their own (i.e., outside of the + * standard mechanism processing *.bif files automatically.). This + * information is for information purpuses only and will show up in + * the result of BifItem() as well as in the Describe() output. + */ + virtual bif_item_list CustomBifItems() ; + + /** + * Internal function adding an entry point for registering + * auto-generated BiFs. + */ void AddBifInitFunction(bif_init_func c); private: typedef std::list bif_init_func_list; - plugin::Description description; + const char* name; + const char* description; + int version; + int api_version; + component_list components; bif_item_list bif_items; bif_init_func_list bif_inits; diff --git a/src/protocols/BuiltInAnalyzers.cc b/src/protocols/BuiltInAnalyzers.cc index 3bc15621fd..b3597c63df 100644 --- a/src/protocols/BuiltInAnalyzers.cc +++ b/src/protocols/BuiltInAnalyzers.cc @@ -50,11 +50,9 @@ BuiltinAnalyzers builtin_analyzers; void BuiltinAnalyzers::Init() { - plugin::Description desc; - desc.name = "Core-Analyzers"; - desc.description = "Built-in protocol analyzers"; - desc.version = BRO_PLUGIN_VERSION_BUILTIN; - SetDescription(desc); + SetName("Core-Analyzers"); + SetDescription("Built-in protocol analyzers"); + SetVersion(BRO_PLUGIN_VERSION_BUILTIN); DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer); DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer); 
diff --git a/src/protocols/http/HTTP.cc b/src/protocols/http/HTTP.cc index a58d5a6bf3..61ce2e0833 100644 --- a/src/protocols/http/HTTP.cc +++ b/src/protocols/http/HTTP.cc @@ -16,7 +16,7 @@ #include "plugin/Plugin.h" BRO_PLUGIN_BEGIN(HTTP) - BRO_PLUGIN_DESCRIPTION = "HTTP Analyzer"; + BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(functions); diff --git a/src/protocols/ssl/Plugin.cc b/src/protocols/ssl/Plugin.cc index fb47c9b946..743401896d 100644 --- a/src/protocols/ssl/Plugin.cc +++ b/src/protocols/ssl/Plugin.cc @@ -4,7 +4,7 @@ #include "SSL.h" BRO_PLUGIN_BEGIN(SSL) - BRO_PLUGIN_DESCRIPTION = "SSL Analyzer"; + BRO_PLUGIN_DESCRIPTION("SSL Analyzer"); BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/protocols/syslog/Plugin.cc b/src/protocols/syslog/Plugin.cc index a0a2934411..8560ee7c48 100644 --- a/src/protocols/syslog/Plugin.cc +++ b/src/protocols/syslog/Plugin.cc @@ -4,7 +4,7 @@ #include "Syslog.h" BRO_PLUGIN_BEGIN(Syslog) - BRO_PLUGIN_DESCRIPTION = "Syslog Analyzer (UDP-only currently)"; + BRO_PLUGIN_DESCRIPTION("Syslog Analyzer (UDP-only currently)"); BRO_PLUGIN_ANALYZER("SYSLOG", Syslog_Analyzer::InstantiateAnalyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/scan.l b/src/scan.l index a4d80c88ed..babe036027 100644 --- a/src/scan.l +++ b/src/scan.l @@ -1042,6 +1042,7 @@ static void check_dpd_config_changes() valdesc.PushIndent(); v->Describe(&valdesc); +#if 0 if ( tag < AnalyzerTag::Error || tag > AnalyzerTag::LastAnalyzer ) { fprintf(stderr, "Warning: skipped bad analyzer tag: %i\n", tag); @@ -1049,8 +1050,9 @@ static void check_dpd_config_changes() } last_reST_doc->AddPortAnalysis( - Analyzer::GetTagName((AnalyzerTag::Tag)tag), + Analyzer::GetTagName((AnalyzerTag)tag), valdesc.Description()); +#endif } dpd_table->RemoveAll(); 
diff --git a/src/util.h b/src/util.h index 7e0c1ba085..a07d83f761 100644 --- a/src/util.h +++ b/src/util.h @@ -5,8 +5,14 @@ // Expose C99 functionality from inttypes.h, which would otherwise not be // available in C++. +#ifndef __STDC_FORMAT_MACROS #define __STDC_FORMAT_MACROS +#endif + +#ifndef __STDC_LIMIT_MACROS #define __STDC_LIMIT_MACROS +#endif + #include #include From eb94c6becd22eb9ad3e6338d4e0ae18d58a792a4 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 9 Apr 2013 17:38:01 -0700 Subject: [PATCH 19/70] Fixing ref counting bug. --- src/analyzer/Manager.cc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 056c3c2b7d..8ac8cbf824 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -581,7 +581,11 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) conn->SetLifetime(non_analyzed_lifetime); for ( tag_set::iterator i = expected.begin(); i != expected.end(); i++ ) - conn->Event(scheduled_analyzer_applied, 0, i->AsEnumVal()); + { + EnumVal* tag = i->AsEnumVal(); + Ref(tag); + conn->Event(scheduled_analyzer_applied, 0, tag); + } return true; } From aeddca65230e9eb463299d5c29dab92b7f6cda8e Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 16 Apr 2013 13:56:24 -0700 Subject: [PATCH 20/70] More API documentation. --- scripts/base/frameworks/analyzer/main.bro | 91 +++++++++++++++++------ src/analyzer/Analyzer.h | 24 +++++- 2 files changed, 90 insertions(+), 25 deletions(-) diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index 8d2df76e4f..50ff6b775d 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro 
@@ -1,43 +1,90 @@ - +##! Framework for managing Bro's protocol analyzers. +##! +##! The analyzer framework allows to dynamically enable or disable analyzers, as +##! well as to manage the well-known ports which automatically active a particular +##! analyzer for new connections. +##! +##! Protocol analyzers are identified by unique tags of type +##! :bro:type:`Analyzer::Tag`, such as :bro:enum:`Analyzer::ANALYZER_HTTP` and +##! :bro:enum:`Analyzer::ANALYZER_HTTP`. These tags are defined internally by the +##! analyzers themselves, and documented in their analyzer-specific description along with the +##! events that they generate. +##! +##! .. todo: ``The ANALYZER_*`` are in fact not yet documented, we need to add that +##! to Broxygen. module Analyzer; -# Analyzer::Tag is defined in types.bif, and automatically extended by plugins -# as they are loaded. - export { - ## XXX + ## If true, all available analyzers are initially disabled at startup. One can + ## then selectively enable them with :bro:id:`enable_analyzer`. global disable_all = F &redef; - ## XXX. + ## Enables an analyzer. Once enabled, the analyzer may be used for analysis of + ## future connections as decided by Bro's dynamic protocol detection. + ## + ## tag: The tag of the analyzer to enable. + ## + ## Returns: True if the analyzer was successfully enabled. global enable_analyzer: function(tag: Analyzer::Tag) : bool; - ## XXX. + ## Disables an analyzer. Once disabled, the analyzer will not be used + ## further for analysis of future connections. + ## + ## tag: The tag of the analyzer to disable. + ## + ## Returns: True if the analyzer was successfully disabled. global disable_analyzer: function(tag: Analyzer::Tag) : bool; - ## XXX. + ## Registers a set of well-known ports for an analyzer. If a future connection + ## on one of these ports is seen, the analyzer will be automatically assigned + ## to parsing it. The function *adds* to all ports already registered, it doesn't + ## replace them . 
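Review bot: in the new module docstring the tag example lists :bro:enum:`Analyzer::ANALYZER_HTTP` twice; the second occurrence was presumably meant to be a different analyzer. Also `.. todo:` needs two colons to be parsed as a reST directive (`.. todo::`), "allows to dynamically enable" should read "allows dynamically enabling", "automatically active a particular analyzer" should be "activate", and the register_for_ports text has a stray space in "replace them .".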
+ ## + ## tag: The tag of the analyzer. + ## + ## ports: The set of well-known ports to associate with the analyzer. + ## + ## Returns: True if the ports were sucessfully registered. global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool; - ## XXX. + ## Registers an individual well-known port for an analyzer. If a future connection + ## on this ports is seen, the analyzer will be automatically assigned to parsing + ## it. The function *adds* to all ports already registered, it doesn't + ## replace them . + ## + ## tag: The tag of the analyzer. + ## + ## p: The well-known port to associate with the analyzer. + ## + ## Returns: True if the port was sucessfully registered. global register_for_port: function(tag: Analyzer::Tag, p: port) : bool; - ## XXX. + ## Returns a set of all well-known ports currently registered for a + ## specific analyzer. + ## + ## tag: The tag of the analyzer. + ## + ## Returns: The set of ports. global registered_ports: function(tag: Analyzer::Tag) : set[port]; - ## XXX + ## Returns a table of all ports-to-analyzer mappings currently registered. + ## + ## Returns: A table mapping each analyzer to the set of ports + ## registered for it. global all_registered_ports: function() : table[Analyzer::Tag] of set[port]; - ## Translate an analyzer type to an ASCII string. + ## Translates an analyzer type to a string with the analyzer's. ## - ## atype: The analyzer tag. + ## tag: The analyzer tag. ## - ## Returns: The analyzer *aid* as string. - global name: function(atype: Analyzer::Tag) : string; + ## Returns: The analyzer name corresponding to the tag. + global name: function(tag: Analyzer::Tag) : string; - ## Schedules an analyzer for a future connection from a given IP address and - ## port. The function ignores the scheduling request if the connection did - ## not occur within the specified time interval. + ## Schedules an analyzer for a future connection originating from a given IP + ## address and port. 
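Review bot: typos in the register_for_ports / register_for_port docs: "sucessfully" appears twice, and "on this ports is seen" should be "on this port is seen". The description of `name` is cut off, "Translates an analyzer type to a string with the analyzer's." is missing its final word, so the sentence should be completed before this lands in the generated documentation.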
## - ## orig: The IP address originating a connection in the future. + ## orig: The IP address originating a connection in the future. + ## 0.0.0.0 can be used as a wildcard to match any originator address. ## ## resp: The IP address responding to a connection from *orig*. ## @@ -45,13 +92,15 @@ export { ## ## analyzer: The analyzer ID. ## - ## tout: The timeout interval after which to ignore the scheduling request. + ## tout: A timeout interval after which the scheduling request will be + ## discarded if the connection has not yet been seen. ## ## Returns: True if succesful. global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool; - ## Analyzers to disable at startup. + ## A set of analyzers to disable by at startup. The default set + ## contains legacy analyzers that are no longer supported. global disabled_analyzers: set[Analyzer::Tag] = { ANALYZER_INTERCONN, ANALYZER_STEPPINGSTONE, diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index f509f79941..3800307c82 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
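Review bot: "A set of analyzers to disable by at startup" has a stray "by", and "True if succesful" is misspelled. The new wildcard sentence for `schedule_analyzer` says 0.0.0.0 matches any originator; since `orig` is of type `addr`, the docs should say whether the same applies to IPv6 connections (an unspecified `::` originator) or whether the wildcard is IPv4-only, because a script author relying on it for v6 traffic would otherwise get no scheduling and no indication why.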
@@ -28,23 +28,39 @@ typedef list analyzer_list; typedef uint32 ID; typedef void (Analyzer::*analyzer_timer_func)(double t); - /** - * XXX - */ +/** + * Class to receive processed output from an anlyzer. + */ class OutputHandler { public: + /** + * Destructor. + */ virtual ~OutputHandler() { } + /** + * Hook for receiving packet data. Parameters are the same as for + * Analyzer::DeliverPacket(). + */ virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { } + + /** + * Hook for receiving stream data. Parameters are the same as for + * Analyzer::DeliverStream(). + */ virtual void DeliverStream(int len, const u_char* data, bool orig) { } + + /** + * Hook for receiving notification of stream gaps. Parameters are the + * same as for Analyzer::Undelivered(). + */ virtual void Undelivered(int seq, int len, bool orig) { } }; - /** * Main analyzer interface. * From e6eddbd9182fee32a962d0658d72fca38751cebc Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 16 Apr 2013 13:56:35 -0700 Subject: [PATCH 21/70] Missing dependency. --- src/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index aa51e68e91..5d21c36e71 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -411,4 +411,5 @@ set(BRO_EXE bro include(BroPlugin) bro_plugin_bif_create_loader(bif_loader ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins) +add_dependencies(bif_loader ${bro_SUBDIRS}) add_dependencies(bro bif_loader) From 7a95f5322c8bad9ce821088133df81daa14d661b Mon Sep 17 00:00:00 2001 
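Review bot: "anlyzer" in the new OutputHandler class comment should be "analyzer". The hunk also moves the `/** ... */` block out one indentation level and drops the blank line before the "Main analyzer interface" comment; both are fine but are whitespace changes unrelated to the documentation, so worth a mention in the commit message.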
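Review bot: `add_dependencies(bif_loader ${bro_SUBDIRS})` closes the race where the bif_loader was generated before the plugin subdirectories had produced their BIF output, but it only works if `bro_SUBDIRS` is fully populated by the time this line is evaluated, so it has to stay after the last `add_subdirectory` call in src/CMakeLists.txt. A short comment stating that ordering requirement would keep a later reorder from reintroducing the problem.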
From: Robin Sommer Date: Tue, 16 Apr 2013 14:29:11 -0700 Subject: [PATCH 22/70] Moving src/protocols to src/analyzer/protocols. This is for consistency with where readers/writers are located: inside the subdirectories of the corresponding code. --- src/CMakeLists.txt | 3 +-- src/analyzer/CMakeLists.txt | 2 ++ src/{ => analyzer}/protocols/BuiltInAnalyzers.cc | 2 +- src/{ => analyzer}/protocols/BuiltInAnalyzers.h | 0 src/{ => analyzer}/protocols/CMakeLists.txt | 0 src/{ => analyzer}/protocols/http/CMakeLists.txt | 0 src/{ => analyzer}/protocols/http/HTTP.cc | 0 src/{ => analyzer}/protocols/http/HTTP.h | 0 src/{ => analyzer}/protocols/http/events.bif | 0 src/{ => analyzer}/protocols/http/functions.bif | 0 src/{ => analyzer}/protocols/ssl/CMakeLists.txt | 0 src/{ => analyzer}/protocols/ssl/Plugin.cc | 0 src/{ => analyzer}/protocols/ssl/SSL.cc | 0 src/{ => analyzer}/protocols/ssl/SSL.h | 0 src/{ => analyzer}/protocols/ssl/events.bif | 0 src/{ => analyzer}/protocols/ssl/ssl-analyzer.pac | 0 src/{ => analyzer}/protocols/ssl/ssl-defs.pac | 0 src/{ => analyzer}/protocols/ssl/ssl-protocol.pac | 0 src/{ => analyzer}/protocols/ssl/ssl.pac | 0 src/{ => analyzer}/protocols/syslog/CMakeLists.txt | 0 src/{ => analyzer}/protocols/syslog/Plugin.cc | 0 src/{ => analyzer}/protocols/syslog/Syslog.cc | 0 src/{ => analyzer}/protocols/syslog/Syslog.h | 0 src/{ => analyzer}/protocols/syslog/events.bif | 0 src/{ => analyzer}/protocols/syslog/syslog-analyzer.pac | 0 src/{ => analyzer}/protocols/syslog/syslog-protocol.pac | 0 src/{ => analyzer}/protocols/syslog/syslog.pac | 0 27 files changed, 4 insertions(+), 3 deletions(-) rename src/{ => analyzer}/protocols/BuiltInAnalyzers.cc (99%) rename src/{ => analyzer}/protocols/BuiltInAnalyzers.h (100%) rename src/{ => analyzer}/protocols/CMakeLists.txt (100%) rename src/{ => analyzer}/protocols/http/CMakeLists.txt (100%) rename src/{ => analyzer}/protocols/http/HTTP.cc (100%) rename src/{ => analyzer}/protocols/http/HTTP.h (100%) rename src/{ => 
analyzer}/protocols/http/events.bif (100%) rename src/{ => analyzer}/protocols/http/functions.bif (100%) rename src/{ => analyzer}/protocols/ssl/CMakeLists.txt (100%) rename src/{ => analyzer}/protocols/ssl/Plugin.cc (100%) rename src/{ => analyzer}/protocols/ssl/SSL.cc (100%) rename src/{ => analyzer}/protocols/ssl/SSL.h (100%) rename src/{ => analyzer}/protocols/ssl/events.bif (100%) rename src/{ => analyzer}/protocols/ssl/ssl-analyzer.pac (100%) rename src/{ => analyzer}/protocols/ssl/ssl-defs.pac (100%) rename src/{ => analyzer}/protocols/ssl/ssl-protocol.pac (100%) rename src/{ => analyzer}/protocols/ssl/ssl.pac (100%) rename src/{ => analyzer}/protocols/syslog/CMakeLists.txt (100%) rename src/{ => analyzer}/protocols/syslog/Plugin.cc (100%) rename src/{ => analyzer}/protocols/syslog/Syslog.cc (100%) rename src/{ => analyzer}/protocols/syslog/Syslog.h (100%) rename src/{ => analyzer}/protocols/syslog/events.bif (100%) rename src/{ => analyzer}/protocols/syslog/syslog-analyzer.pac (100%) rename src/{ => analyzer}/protocols/syslog/syslog-protocol.pac (100%) rename src/{ => analyzer}/protocols/syslog/syslog.pac (100%) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 5d21c36e71..bc68d0d67f 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -162,7 +162,6 @@ binpac_target(modbus.pac set(bro_PLUGIN_OBJECT_LIBS CACHE INTERNAL "plugin object libraries" FORCE) add_subdirectory(analyzer) -add_subdirectory(protocols) set(bro_SUBDIRS $ @@ -392,7 +391,7 @@ set(bro_SRCS plugin/Manager.cc plugin/Plugin.cc - protocols/BuiltInAnalyzers.cc + analyzer/protocols/BuiltInAnalyzers.cc nb_dns.c digest.h diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt index 68742116ef..1172b0d811 100644 --- a/src/analyzer/CMakeLists.txt +++ b/src/analyzer/CMakeLists.txt @@ -4,6 +4,8 @@ include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR} ) +add_subdirectory(protocols) + set(analyzer_SRCS Analyzer.cc Manager.cc 
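Review bot: moving `add_subdirectory(protocols)` into src/analyzer/CMakeLists.txt is consistent with the readers/writers layout, but the hunk places it before `set(analyzer_SRCS ...)`, so anything in the protocols subtree that later needs the analyzer source list or target will not see it; document the intended order or move the call after the `set`. Note also that `analyzer/protocols/BuiltInAnalyzers.cc` stays in `bro_SRCS`, i.e. it is still compiled into the main binary rather than into a plugin object library, which the commit message does not mention.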
diff --git a/src/protocols/BuiltInAnalyzers.cc b/src/analyzer/protocols/BuiltInAnalyzers.cc similarity index 99% rename from src/protocols/BuiltInAnalyzers.cc rename to src/analyzer/protocols/BuiltInAnalyzers.cc index b3597c63df..8403b1bb25 100644 --- a/src/protocols/BuiltInAnalyzers.cc +++ b/src/analyzer/protocols/BuiltInAnalyzers.cc @@ -5,7 +5,7 @@ #include "BuiltInAnalyzers.h" #include "analyzer/Component.h" -#include "../binpac_bro.h" +#include "../../binpac_bro.h" #include "AYIYA.h" #include "BackDoor.h" diff --git a/src/protocols/BuiltInAnalyzers.h b/src/analyzer/protocols/BuiltInAnalyzers.h similarity index 100% rename from src/protocols/BuiltInAnalyzers.h rename to src/analyzer/protocols/BuiltInAnalyzers.h diff --git a/src/protocols/CMakeLists.txt b/src/analyzer/protocols/CMakeLists.txt similarity index 100% rename from src/protocols/CMakeLists.txt rename to src/analyzer/protocols/CMakeLists.txt diff --git a/src/protocols/http/CMakeLists.txt b/src/analyzer/protocols/http/CMakeLists.txt similarity index 100% rename from src/protocols/http/CMakeLists.txt rename to src/analyzer/protocols/http/CMakeLists.txt diff --git a/src/protocols/http/HTTP.cc b/src/analyzer/protocols/http/HTTP.cc similarity index 100% rename from src/protocols/http/HTTP.cc rename to src/analyzer/protocols/http/HTTP.cc diff --git a/src/protocols/http/HTTP.h b/src/analyzer/protocols/http/HTTP.h similarity index 100% rename from src/protocols/http/HTTP.h rename to src/analyzer/protocols/http/HTTP.h diff --git a/src/protocols/http/events.bif b/src/analyzer/protocols/http/events.bif similarity index 100% rename from src/protocols/http/events.bif rename to src/analyzer/protocols/http/events.bif diff --git a/src/protocols/http/functions.bif b/src/analyzer/protocols/http/functions.bif similarity index 100% rename from src/protocols/http/functions.bif rename to src/analyzer/protocols/http/functions.bif 
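Review bot: changing `#include "../binpac_bro.h"` to `#include "../../binpac_bro.h"` is exactly the kind of path that breaks on every directory move (this commit had to adjust it for that reason). The neighbouring include two lines above, `#include "analyzer/Component.h"`, is already written relative to src/, so prefer `#include "binpac_bro.h"` and let the include directories resolve it rather than encoding the directory depth in the path.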
diff --git a/src/protocols/ssl/CMakeLists.txt b/src/analyzer/protocols/ssl/CMakeLists.txt similarity index 100% rename from src/protocols/ssl/CMakeLists.txt rename to src/analyzer/protocols/ssl/CMakeLists.txt diff --git a/src/protocols/ssl/Plugin.cc b/src/analyzer/protocols/ssl/Plugin.cc similarity index 100% rename from src/protocols/ssl/Plugin.cc rename to src/analyzer/protocols/ssl/Plugin.cc diff --git a/src/protocols/ssl/SSL.cc b/src/analyzer/protocols/ssl/SSL.cc similarity index 100% rename from src/protocols/ssl/SSL.cc rename to src/analyzer/protocols/ssl/SSL.cc diff --git a/src/protocols/ssl/SSL.h b/src/analyzer/protocols/ssl/SSL.h similarity index 100% rename from src/protocols/ssl/SSL.h rename to src/analyzer/protocols/ssl/SSL.h diff --git a/src/protocols/ssl/events.bif b/src/analyzer/protocols/ssl/events.bif similarity index 100% rename from src/protocols/ssl/events.bif rename to src/analyzer/protocols/ssl/events.bif diff --git a/src/protocols/ssl/ssl-analyzer.pac b/src/analyzer/protocols/ssl/ssl-analyzer.pac similarity index 100% rename from src/protocols/ssl/ssl-analyzer.pac rename to src/analyzer/protocols/ssl/ssl-analyzer.pac diff --git a/src/protocols/ssl/ssl-defs.pac b/src/analyzer/protocols/ssl/ssl-defs.pac similarity index 100% rename from src/protocols/ssl/ssl-defs.pac rename to src/analyzer/protocols/ssl/ssl-defs.pac diff --git a/src/protocols/ssl/ssl-protocol.pac b/src/analyzer/protocols/ssl/ssl-protocol.pac similarity index 100% rename from src/protocols/ssl/ssl-protocol.pac rename to src/analyzer/protocols/ssl/ssl-protocol.pac diff --git a/src/protocols/ssl/ssl.pac b/src/analyzer/protocols/ssl/ssl.pac similarity index 100% rename from src/protocols/ssl/ssl.pac rename to src/analyzer/protocols/ssl/ssl.pac diff --git a/src/protocols/syslog/CMakeLists.txt b/src/analyzer/protocols/syslog/CMakeLists.txt similarity index 100% rename from src/protocols/syslog/CMakeLists.txt rename to src/analyzer/protocols/syslog/CMakeLists.txt 
diff --git a/src/protocols/syslog/Plugin.cc b/src/analyzer/protocols/syslog/Plugin.cc similarity index 100% rename from src/protocols/syslog/Plugin.cc rename to src/analyzer/protocols/syslog/Plugin.cc diff --git a/src/protocols/syslog/Syslog.cc b/src/analyzer/protocols/syslog/Syslog.cc similarity index 100% rename from src/protocols/syslog/Syslog.cc rename to src/analyzer/protocols/syslog/Syslog.cc diff --git a/src/protocols/syslog/Syslog.h b/src/analyzer/protocols/syslog/Syslog.h similarity index 100% rename from src/protocols/syslog/Syslog.h rename to src/analyzer/protocols/syslog/Syslog.h diff --git a/src/protocols/syslog/events.bif b/src/analyzer/protocols/syslog/events.bif similarity index 100% rename from src/protocols/syslog/events.bif rename to src/analyzer/protocols/syslog/events.bif diff --git a/src/protocols/syslog/syslog-analyzer.pac b/src/analyzer/protocols/syslog/syslog-analyzer.pac similarity index 100% rename from src/protocols/syslog/syslog-analyzer.pac rename to src/analyzer/protocols/syslog/syslog-analyzer.pac diff --git a/src/protocols/syslog/syslog-protocol.pac b/src/analyzer/protocols/syslog/syslog-protocol.pac similarity index 100% rename from src/protocols/syslog/syslog-protocol.pac rename to src/analyzer/protocols/syslog/syslog-protocol.pac diff --git a/src/protocols/syslog/syslog.pac b/src/analyzer/protocols/syslog/syslog.pac similarity index 100% rename from src/protocols/syslog/syslog.pac rename to src/analyzer/protocols/syslog/syslog.pac From a191eed7db7b625d40336ef7aabbd2d245cbb54a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 16 Apr 2013 14:43:20 -0700 Subject: [PATCH 23/70] Adding separate Plugin.cc for HTTP analyzer for consistency. --- src/analyzer/protocols/http/CMakeLists.txt | 2 +- src/analyzer/protocols/http/HTTP.cc | 9 --------- src/analyzer/protocols/http/Plugin.cc | 10 ++++++++++ 3 files changed, 11 insertions(+), 10 deletions(-) create mode 100644 src/analyzer/protocols/http/Plugin.cc 
diff --git a/src/analyzer/protocols/http/CMakeLists.txt b/src/analyzer/protocols/http/CMakeLists.txt index b6d877cdd7..68bdb632a4 100644 --- a/src/analyzer/protocols/http/CMakeLists.txt +++ b/src/analyzer/protocols/http/CMakeLists.txt @@ -4,7 +4,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(HTTP) -bro_plugin_cc(HTTP.cc) +bro_plugin_cc(HTTP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) bro_plugin_end() diff --git a/src/analyzer/protocols/http/HTTP.cc b/src/analyzer/protocols/http/HTTP.cc index 61ce2e0833..98c8ad484e 100644 --- a/src/analyzer/protocols/http/HTTP.cc +++ b/src/analyzer/protocols/http/HTTP.cc @@ -13,15 +13,6 @@ #include "Event.h" #include "MIME.h" -#include "plugin/Plugin.h" - -BRO_PLUGIN_BEGIN(HTTP) - BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); - BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_BIF_FILE(events); - BRO_PLUGIN_BIF_FILE(functions); -BRO_PLUGIN_END - const bool DEBUG_http = false; // The EXPECT_*_NOTHING states are used to prevent further parsing. Used if a diff --git a/src/analyzer/protocols/http/Plugin.cc b/src/analyzer/protocols/http/Plugin.cc new file mode 100644 index 0000000000..5dab5c3c18 --- /dev/null +++ b/src/analyzer/protocols/http/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "HTTP.h" + +BRO_PLUGIN_BEGIN(HTTP) + BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); + BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END From 56edef16462b4fa078fc07b8cc12dfb43e40de69 Mon Sep 17 00:00:00 2001 
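Review bot: the block removed from HTTP.cc registered two BIF files, `BRO_PLUGIN_BIF_FILE(events);` and `BRO_PLUGIN_BIF_FILE(functions);`, but the new Plugin.cc registers only `BRO_PLUGIN_BIF_FILE(events);` while CMakeLists.txt still lists `bro_plugin_bif(functions.bif)`. Unless functions.bif is loaded by some other path, the HTTP BIF functions will no longer be registered with the plugin; restore the `functions` line in Plugin.cc or drop the .bif from the CMake list, whichever is intended, so the two stay in sync.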
From: Robin Sommer Date: Tue, 16 Apr 2013 14:47:17 -0700 Subject: [PATCH 24/70] Removing left-overs from BinPAC http analyzer. --- src/http-analyzer.pac | 430 ------------------------------------------ src/http-protocol.pac | 140 -------------- src/http.pac | 10 - 3 files changed, 580 deletions(-) delete mode 100644 src/http-analyzer.pac delete mode 100644 src/http-protocol.pac delete mode 100644 src/http.pac diff --git a/src/http-analyzer.pac b/src/http-analyzer.pac deleted file mode 100644 index e12be59438..0000000000 --- a/src/http-analyzer.pac +++ /dev/null 
@@ -1,430 +0,0 @@ -%extern{ -#include - -// Used by unescape_URI(). -extern int is_reserved_URI_char(unsigned char ch); -extern int is_unreserved_URI_char(unsigned char ch); -%} - -# Remember to call bytestring::free() on the result. -function to_upper(s: const_bytestring): bytestring - %{ - char* buf = new char[s.length() + 1]; - const char* sp = (const char*) s.begin(); - - for ( int i = 0; i < s.length(); ++i ) - if ( islower(sp[i]) ) - buf[i] = toupper(sp[i]); - else - buf[i] = sp[i]; - - buf[s.length()] = '\0'; - - return bytestring((uint8*) buf, s.length()); - %} - -connection HTTP_Conn(bro_analyzer: BroAnalyzer) { - upflow = HTTP_Flow(true); - downflow = HTTP_Flow(false); -}; - -flow HTTP_Flow(is_orig: bool) { - flowunit = HTTP_PDU(is_orig) withcontext (connection, this); - - # States. - %member{ - int content_length_; - DeliveryMode delivery_mode_; - bytestring end_of_multipart_; - - double msg_start_time_; - int msg_begin_seq_; - int msg_header_end_seq_; - - bool build_headers_; - vector headers_; - %} - - %init{ - content_length_ = 0; - delivery_mode_ = UNKNOWN_DELIVERY_MODE; - - msg_start_time_ = 0; - msg_begin_seq_ = 0; - msg_header_end_seq_ = -1; - - build_headers_ = (::http_all_headers != 0); - %} - - %cleanup{ - end_of_multipart_.free(); - %} - - function content_length(): int - %{ - return content_length_; - %} - - function delivery_mode(): DeliveryMode - %{ - return delivery_mode_; - %} - - function end_of_multipart(): const_bytestring - %{ - return end_of_multipart_; - %} - - # Methods. 
- function http_request(method: const_bytestring, uri: const_bytestring, - vers: HTTP_Version): bool - %{ - if ( ::http_request ) - { - bytestring unescaped_uri = unescape_uri(uri); - BifEvent::generate_http_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - bytestring_to_val(method), - bytestring_to_val(uri), - bytestring_to_val(unescaped_uri), - bytestring_to_val(${vers.vers_str})); - unescaped_uri.free(); - } - - http_message_begin(); - - return true; - %} - - function http_reply(vers: HTTP_Version, code: int, - reason: const_bytestring): bool - %{ - if ( ::http_reply ) - { - BifEvent::generate_http_reply(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - bytestring_to_val(${vers.vers_str}), code, - bytestring_to_val(reason)); - } - - http_message_begin(); - - return true; - %} - - function build_http_header_val(name: const_bytestring, - value: const_bytestring): BroVal - %{ - RecordVal* header_record = new RecordVal(mime_header_rec); - - StringVal* name_val = 0; - if ( name.length() > 0 ) - { - // Make it all uppercase. - name_val = new StringVal(name.length(), - (const char*) name.begin()); - name_val->ToUpper(); - } - else - name_val = new StringVal(""); - - header_record->Assign(0, name_val); - header_record->Assign(1, bytestring_to_val(value)); - - return header_record; - %} - - function extract_boundary(value: const_bytestring): bytestring - %{ - const char* boundary_prefix = "boundary="; - const char* boundary_begin = strcasestr( - (const char*) value.begin(), - boundary_prefix); - - if ( ! boundary_begin ) - return bytestring(); - - boundary_begin += 9; - - const char* boundary_end = strcasestr(boundary_begin, ";"); - if ( ! 
boundary_end ) - boundary_end = (const char*) value.end(); - - return bytestring((const uint8*) boundary_begin, - (const uint8*) boundary_end); - %} - - function is_end_of_multipart(line: const_bytestring): bool - %{ - if ( line.length() < 4 + end_of_multipart_.length() ) - return false; - - int len = end_of_multipart_.length(); - - // line =?= "--" end_of_multipart_ "--" - return ( line[0] == '-' && line[1] == '-' && - line[len + 2] == '-' && line[len + 3] == '-' && - strncmp((const char*) line.begin() + 2, - (const char*) end_of_multipart_.begin(), - len) == 0 ); - %} - - function http_header(name_colon: const_bytestring, - value: const_bytestring): bool - %{ - const_bytestring name( - name_colon.begin(), - name_colon.length() > 0 ? - name_colon.end() - 1 : - name_colon.end()); - - if ( bytestring_casecmp(name, "CONTENT-LENGTH") == 0 ) - { - content_length_ = bytestring_to_int(value, 10); - delivery_mode_ = CONTENT_LENGTH; - } - - else if ( bytestring_casecmp(name, "TRANSFER-ENCODING") == 0 ) - { - if ( bytestring_caseprefix(value, "CHUNKED") ) - delivery_mode_ = CHUNKED; - } - - else if ( bytestring_casecmp(name, "CONTENT-TYPE") == 0 ) - { - if ( bytestring_caseprefix(value, "MULTIPART") ) - { - end_of_multipart_.free(); - end_of_multipart_ = extract_boundary(value); - if ( end_of_multipart_.length() > 0 ) - delivery_mode_ = MULTIPART; - } - } - - if ( ::http_header ) - { - BifEvent::generate_http_header(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - is_orig(), - bytestring_to_val(name)->ToUpper(), - bytestring_to_val(value)); - } - - if ( build_headers_ ) - headers_.push_back(build_http_header_val(name, value)); - - return true; - %} - - function build_http_headers_val(): BroVal - %{ - TableVal* t = new TableVal(mime_header_list); - - for ( unsigned int i = 0; i < headers_.size(); ++i ) - { // index starting from 1 - Val* index = new Val(i + 1, TYPE_COUNT); - t->Assign(index, headers_[i]); - Unref(index); - } - - return t; - %} - - 
function gen_http_all_headers(): void - %{ - if ( ::http_all_headers ) - { - BifEvent::generate_http_all_headers(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - is_orig(), - build_http_headers_val()); - } - - headers_.clear(); - %} - - function http_end_of_headers(headers: HTTP_Headers): bool - %{ - if ( delivery_mode_ != CHUNKED && build_headers_ ) - gen_http_all_headers(); - - // Check if this is the first set of headers - // (i.e. not headers after chunks). - if ( msg_header_end_seq_ == -1 ) - msg_header_end_seq_ = flow_buffer_->data_seq(); - - return true; - %} - - function http_message_begin(): void - %{ - msg_start_time_ = network_time(); - if ( ::http_begin_entity ) - { - BifEvent::generate_http_begin_entity(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), is_orig()); - } - %} - - function build_http_message_stat(): BroVal - %{ - int msg_header_length = msg_header_end_seq_ - msg_begin_seq_; - int msg_body_length = - flow_buffer_->data_seq() - msg_header_end_seq_; - - bool msg_interrupted = false; - - RecordVal* stat = new RecordVal(http_message_stat); - int field = 0; - stat->Assign(field++, new Val(msg_start_time_, TYPE_TIME)); - stat->Assign(field++, new Val(msg_interrupted, TYPE_BOOL)); - stat->Assign(field++, new StringVal("")); - stat->Assign(field++, new Val(msg_body_length, TYPE_COUNT)); - stat->Assign(field++, new Val(0, TYPE_COUNT)); - stat->Assign(field++, new Val(msg_header_length, TYPE_COUNT)); - - return stat; - %} - - function http_message_done(pdu: HTTP_PDU): bool - %{ - if ( ! 
headers_.empty() ) - gen_http_all_headers(); - - if ( ::http_end_entity ) - { - BifEvent::generate_http_end_entity(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), is_orig()); - } - - if ( ::http_message_done ) - { - BifEvent::generate_http_message_done(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - is_orig(), build_http_message_stat()); - } - - end_of_multipart_.free(); - - // Initialize for next message. - msg_begin_seq_ = flow_buffer_->data_seq(); - msg_header_end_seq_ = -1; - - return true; - %} - - # Remember to call bytestring::free() on the result - function unescape_uri(uri: const_bytestring): bytestring - %{ - const u_char* line = uri.begin(); - const u_char* line_end = uri.end(); - BroAnalyzer a = connection()->bro_analyzer(); - - // ### Copied from HTTP.cc - byte_vec decoded_URI = new u_char[line_end - line + 1]; - byte_vec URI_p = decoded_URI; - - // An 'unescaped_special_char' here means a character that - // *should* be escaped, but isn't in the URI. A control - // character that appears directly in the URI would be an - // example. The RFC implies that if we do not unescape the - // URI that we see in the trace, every character should be a - // printable one -- either reserved or unreserved (or '%'). - // - // Counting the number of unescaped characters and generating - // a weird event on URI's with unescaped characters (which - // are rare) will let us locate strange-looking URI's in the - // trace -- those URI's are often interesting. - - int unescaped_special_char = 0; - - while ( line < line_end ) - { - if ( *line == '%' ) - { - ++line; - - if ( line == line_end ) - { - // How to deal with % at end of line? - // *URI_p++ = '%'; - if ( a ) - a->Weird("illegal_%_at_end_of_URI"); - break; - } - - else if ( *line == '%' ) - { - // Double '%' might be either due to - // software bug, or, more likely, an - // evasion (e.g., used by Nimda). 
- // *URI_p++ = '%'; - if ( a ) - a->Weird("double_%_in_URI"); - --line; // ignore the first '%' - } - - else if ( isxdigit(line[0]) && isxdigit(line[1]) ) - { - *URI_p++ = (decode_hex(line[0]) << 4) + - decode_hex(line[1]); - ++line; // place line at last hex digit - } - - else - { - if ( a ) - a->Weird("unescaped_%_in_URI"); - *URI_p++ = '%'; // put back initial '%' - // Take char. without interpretation.. - *URI_p++ = *line; - } - } - - else - { - if ( ! is_reserved_URI_char(*line) && - ! is_unreserved_URI_char(*line) ) - // Count these up as a way to compress - // the corresponding Weird event to a - // single instance. - ++unescaped_special_char; - *URI_p++ = *line; - } - - ++line; - } - - URI_p[0] = 0; - - if ( unescaped_special_char && a ) - a->Weird("unescaped_special_URI_char"); - - return bytestring(decoded_URI, URI_p - decoded_URI); - %} -}; - -refine typeattr HTTP_RequestLine += &let { - process_request: bool = - $context.flow.http_request(method, uri, version); -}; - -refine typeattr HTTP_ReplyLine += &let { - process_reply: bool = - $context.flow.http_reply(version, status.stat_num, reason); -}; - -refine typeattr HTTP_Header += &let { - process_header: bool = - $context.flow.http_header(name, value); -}; - -refine typeattr HTTP_Headers += &let { - process_end_of_headers: bool = - $context.flow.http_end_of_headers(this); -}; - -refine typeattr HTTP_PDU += &let { - process_message: bool = - $context.flow.http_message_done(this); -}; diff --git a/src/http-protocol.pac b/src/http-protocol.pac deleted file mode 100644 index e4487a75e3..0000000000 --- a/src/http-protocol.pac +++ /dev/null 
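Review bot: the deleted http-analyzer.pac carried its own `unescape_uri` that raised the `illegal_%_at_end_of_URI`, `double_%_in_URI`, `unescaped_%_in_URI` and `unescaped_special_URI_char` weirds; its `// ### Copied from HTTP.cc` comment says the C++ analyzer has the same logic, so removing the BinPAC copy should not change the weird names that scripts and detections key on, but that equivalence is worth stating in the commit message since this was the only place the names appear in the diff.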
@@ -1,140 +0,0 @@ -enum ExpectBody { - BODY_EXPECTED, - BODY_NOT_EXPECTED, - BODY_MAYBE, -}; - -enum DeliveryMode { - UNKNOWN_DELIVERY_MODE, - CONTENT_LENGTH, - CHUNKED, - MULTIPART, -}; - -## token = 1* -## separators = "(" | ")" | "<" | ">" | "@" -## | "," | ";" | ":" | "\" | <"> -## | "/" | "[" | "]" | "?" | "=" -## | "{" | "}" | SP | HT -## reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | -## "$" | "," - -type HTTP_TOKEN = RE/[^()<>@,;:\\"\/\[\]?={} \t]+/; -type HTTP_WS = RE/[ \t]*/; -type HTTP_URI = RE/[[:alnum:][:punct:]]+/; - -type HTTP_PDU(is_orig: bool) = case is_orig of { - true -> request: HTTP_Request; - false -> reply: HTTP_Reply; -}; - -type HTTP_Request = record { - request: HTTP_RequestLine; - msg: HTTP_Message(BODY_MAYBE); -}; - -function expect_reply_body(reply_status: int): ExpectBody - %{ - // TODO: check if the request is "HEAD" - if ( (reply_status >= 100 && reply_status < 200) || - reply_status == 204 || reply_status == 304 ) - return BODY_NOT_EXPECTED; - return BODY_EXPECTED; - %} - -type HTTP_Reply = record { - reply: HTTP_ReplyLine; - msg: HTTP_Message(expect_reply_body(reply.status.stat_num)); -}; - -type HTTP_RequestLine = record { - method: HTTP_TOKEN; - : HTTP_WS; - uri: HTTP_URI; - : HTTP_WS; - version: HTTP_Version; -} &oneline; - -type HTTP_ReplyLine = record { - version: HTTP_Version; - : HTTP_WS; - status: HTTP_Status; - : HTTP_WS; - reason: bytestring &restofdata; -} &oneline; - -type HTTP_Status = record { - stat_str: RE/[0-9]{3}/; -} &let { - stat_num: int = bytestring_to_int(stat_str, 10); -}; - -type HTTP_Version = record { - : "HTTP/"; - vers_str: RE/[0-9]+\.[0-9]+/; -} &let { - vers_num: double = bytestring_to_double(vers_str); -}; - -type HTTP_Headers = HTTP_Header[] &until($input.length() == 0); - -type HTTP_Message(expect_body: ExpectBody) = record { - headers: HTTP_Headers; - body_or_not: case expect_body of { - BODY_NOT_EXPECTED -> none: empty; - default -> body: HTTP_Body(expect_body); - }; -}; - -# 
Multi-line headers are supported by allowing header names to be -# empty. -# -type HTTP_HEADER_NAME = RE/|([^: \t]+:)/; -type HTTP_Header = record { - name: HTTP_HEADER_NAME &transient; - : HTTP_WS; - value: bytestring &restofdata &transient; -} &oneline; - -type MIME_Line = record { - line: bytestring &restofdata &transient; -} &oneline; - -type MIME_Lines = MIME_Line[] - &until($context.flow.is_end_of_multipart($input)); - -# TODO: parse multipart message according to MIME -type HTTP_Body(expect_body: ExpectBody) = - case $context.flow.delivery_mode() of { - - CONTENT_LENGTH -> body: bytestring - &length = $context.flow.content_length(), - &chunked; - - CHUNKED -> chunks: HTTP_Chunks; - - MULTIPART -> multipart: MIME_Lines; - - default -> unknown: HTTP_UnknownBody(expect_body); -}; - -type HTTP_UnknownBody(expect_body: ExpectBody) = case expect_body of { - BODY_MAYBE, BODY_NOT_EXPECTED -> maybenot: empty; - BODY_EXPECTED -> rest: bytestring &restofflow &chunked; -}; - -type HTTP_Chunks = record { - chunks: HTTP_Chunk[] &until($element.chunk_length == 0); - headers: HTTP_Headers; -}; - -type HTTP_Chunk = record { - length_line: bytestring &oneline; - data: bytestring &length = chunk_length &chunked; - opt_crlf: case chunk_length of { - 0 -> none: empty; - default -> crlf: bytestring &oneline &check(trailing_crlf == ""); - }; -} &let { - chunk_length: int = bytestring_to_int(length_line, 16); -}; diff --git a/src/http.pac b/src/http.pac deleted file mode 100644 index 38e6ad0b5e..0000000000 --- a/src/http.pac +++ /dev/null @@ -1,10 +0,0 @@ -%include binpac.pac -%include bro.pac - -analyzer HTTP withcontext { - connection: HTTP_Conn; - flow: HTTP_Flow; -}; - -%include http-protocol.pac -%include http-analyzer.pac From dfc4cb08812a1658f93028693e1cc42dc67bf977 Mon Sep 17 00:00:00 2001 
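Review bot: removing http.pac, http-protocol.pac and http-analyzer.pac is a straightforward left-over cleanup, but the patch does not touch src/CMakeLists.txt; confirm there is no remaining `binpac_target(http.pac ...)` entry alongside the `binpac_target(modbus.pac` context visible earlier in this series, and no include of the generated http_pac header, otherwise the build will fail on the missing source after this lands.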
From: Robin Sommer Date: Tue, 16 Apr 2013 16:07:20 -0700 Subject: [PATCH 25/70] Moving all analyzers over to new structure. This is a checkpoint, it works but there's more cleanup to do. TODOs in src/analyzer/protocols/TODO. --- doc/scripts/DocSourcesList.cmake | 41 +++++- src/CMakeLists.txt | 67 +--------- src/Conn.cc | 2 +- src/Func.cc | 2 +- src/RuleAction.cc | 2 +- src/RuleCondition.cc | 2 +- src/Sessions.cc | 10 +- src/Sessions.h | 2 + src/Stats.cc | 78 ------------ src/Stats.h | 64 ---------- src/analyzer/Analyzer.cc | 2 +- src/analyzer/Manager.cc | 30 +++-- src/analyzer/protocols/BuiltInAnalyzers.cc | 119 ------------------ src/analyzer/protocols/BuiltInAnalyzers.h | 17 --- src/analyzer/protocols/CMakeLists.txt | 33 +++++ src/analyzer/protocols/TODO | 10 ++ src/{ => analyzer/protocols/ayiya}/AYIYA.cc | 0 src/{ => analyzer/protocols/ayiya}/AYIYA.h | 0 src/analyzer/protocols/ayiya/CMakeLists.txt | 10 ++ src/analyzer/protocols/ayiya/Plugin.cc | 10 ++ .../protocols/ayiya}/ayiya-analyzer.pac | 0 .../protocols/ayiya}/ayiya-protocol.pac | 0 src/{ => analyzer/protocols/ayiya}/ayiya.pac | 0 src/analyzer/protocols/ayiya/events.bif | 0 .../protocols/backdoor}/BackDoor.cc | 2 +- .../protocols/backdoor}/BackDoor.h | 4 +- .../protocols/backdoor/CMakeLists.txt | 9 ++ src/analyzer/protocols/backdoor/Plugin.cc | 10 ++ src/analyzer/protocols/backdoor/events.bif | 0 .../protocols/bittorrent}/BitTorrent.cc | 2 +- .../protocols/bittorrent}/BitTorrent.h | 2 +- .../bittorrent}/BitTorrentTracker.cc | 2 +- .../protocols/bittorrent}/BitTorrentTracker.h | 2 +- .../protocols/bittorrent/CMakeLists.txt | 10 ++ src/analyzer/protocols/bittorrent/Plugin.cc | 12 ++ .../bittorrent}/bittorrent-analyzer.pac | 0 .../bittorrent}/bittorrent-protocol.pac | 0 .../protocols/bittorrent}/bittorrent.pac | 0 src/analyzer/protocols/bittorrent/events.bif | 0 .../protocols/conn-size/CMakeLists.txt | 9 ++ .../protocols/conn-size/ConnSize.cc} | 4 +- .../protocols/conn-size/ConnSize.h} | 0 
src/analyzer/protocols/conn-size/Plugin.cc | 10 ++ src/analyzer/protocols/conn-size/events.bif | 0 src/analyzer/protocols/dce-rpc/CMakeLists.txt | 11 ++ .../protocols/dce-rpc}/DCE_RPC.cc | 0 .../protocols/dce-rpc}/DCE_RPC.h | 2 +- src/analyzer/protocols/dce-rpc/Plugin.cc | 11 ++ .../protocols/dce-rpc}/dce_rpc-analyzer.pac | 0 .../protocols/dce-rpc}/dce_rpc-protocol.pac | 0 .../protocols/dce-rpc}/dce_rpc.pac | 0 .../protocols/dce-rpc}/dce_rpc_simple.pac | 0 .../protocols/dce-rpc}/epmapper.pac | 0 src/analyzer/protocols/dce-rpc/events.bif | 0 src/analyzer/protocols/dhcp/CMakeLists.txt | 10 ++ .../protocols/dhcp/DHCP.cc} | 11 +- .../protocols/dhcp/DHCP.h} | 11 +- src/analyzer/protocols/dhcp/Plugin.cc | 10 ++ .../protocols/dhcp}/dhcp-analyzer.pac | 0 .../protocols/dhcp}/dhcp-protocol.pac | 0 src/{ => analyzer/protocols/dhcp}/dhcp.pac | 0 src/analyzer/protocols/dhcp/events.bif | 0 src/analyzer/protocols/dns/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/dns}/DNS.cc | 0 src/{ => analyzer/protocols/dns}/DNS.h | 2 +- src/analyzer/protocols/dns/Plugin.cc | 11 ++ src/analyzer/protocols/dns/events.bif | 0 src/analyzer/protocols/file/CMakeLists.txt | 9 ++ .../protocols/file/File.cc} | 2 +- .../protocols/file/File.h} | 2 +- src/analyzer/protocols/file/Plugin.cc | 10 ++ src/analyzer/protocols/file/events.bif | 0 src/analyzer/protocols/finger/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/finger}/Finger.cc | 2 +- src/{ => analyzer/protocols/finger}/Finger.h | 2 +- src/analyzer/protocols/finger/Plugin.cc | 10 ++ src/analyzer/protocols/finger/events.bif | 0 src/analyzer/protocols/ftp/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/ftp}/FTP.cc | 2 +- src/{ => analyzer/protocols/ftp}/FTP.h | 4 +- src/analyzer/protocols/ftp/Plugin.cc | 11 ++ src/analyzer/protocols/ftp/events.bif | 0 .../protocols/gnutella/CMakeLists.txt | 9 ++ .../protocols/gnutella}/Gnutella.cc | 2 +- .../protocols/gnutella}/Gnutella.h | 2 +- src/analyzer/protocols/gnutella/Plugin.cc | 10 ++ 
src/analyzer/protocols/gnutella/events.bif | 0 src/analyzer/protocols/gtpv1/CMakeLists.txt | 10 ++ src/{ => analyzer/protocols/gtpv1}/GTPv1.cc | 0 src/{ => analyzer/protocols/gtpv1}/GTPv1.h | 0 src/analyzer/protocols/gtpv1/Plugin.cc | 10 ++ src/analyzer/protocols/gtpv1/events.bif | 0 .../protocols/gtpv1}/gtpv1-analyzer.pac | 0 .../protocols/gtpv1}/gtpv1-protocol.pac | 0 src/{ => analyzer/protocols/gtpv1}/gtpv1.pac | 0 src/analyzer/protocols/http/HTTP.h | 9 +- src/analyzer/protocols/icmp/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/icmp}/ICMP.cc | 0 src/{ => analyzer/protocols/icmp}/ICMP.h | 0 src/analyzer/protocols/icmp/Plugin.cc | 10 ++ src/analyzer/protocols/icmp/events.bif | 0 src/analyzer/protocols/ident/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/ident}/Ident.cc | 0 src/{ => analyzer/protocols/ident}/Ident.h | 4 +- src/analyzer/protocols/ident/Plugin.cc | 10 ++ src/analyzer/protocols/ident/events.bif | 0 .../protocols/interconn/CMakeLists.txt | 9 ++ .../protocols/interconn}/InterConn.cc | 2 +- .../protocols/interconn}/InterConn.h | 2 +- src/analyzer/protocols/interconn/Plugin.cc | 10 ++ src/analyzer/protocols/interconn/events.bif | 0 src/analyzer/protocols/irc/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/irc}/IRC.cc | 4 +- src/{ => analyzer/protocols/irc}/IRC.h | 2 +- src/analyzer/protocols/irc/Plugin.cc | 10 ++ src/analyzer/protocols/irc/events.bif | 0 src/analyzer/protocols/login/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/login}/Login.cc | 0 src/{ => analyzer/protocols/login}/Login.h | 2 +- src/{ => analyzer/protocols/login}/NVT.cc | 2 +- src/{ => analyzer/protocols/login}/NVT.h | 2 +- src/analyzer/protocols/login/Plugin.cc | 19 +++ src/{ => analyzer/protocols/login}/RSH.cc | 0 src/{ => analyzer/protocols/login}/RSH.h | 2 +- src/{ => analyzer/protocols/login}/Rlogin.cc | 0 src/{ => analyzer/protocols/login}/Rlogin.h | 2 +- src/{ => analyzer/protocols/login}/Telnet.cc | 0 src/{ => analyzer/protocols/login}/Telnet.h | 0 
src/analyzer/protocols/login/events.bif | 0 src/analyzer/protocols/modbus/CMakeLists.txt | 10 ++ src/{ => analyzer/protocols/modbus}/Modbus.cc | 2 +- src/{ => analyzer/protocols/modbus}/Modbus.h | 2 +- src/analyzer/protocols/modbus/Plugin.cc | 10 ++ src/analyzer/protocols/modbus/events.bif | 0 .../protocols/modbus}/modbus-analyzer.pac | 0 .../protocols/modbus}/modbus-protocol.pac | 0 .../protocols/modbus}/modbus.pac | 0 src/analyzer/protocols/ncp/CMakeLists.txt | 10 ++ src/{ => analyzer/protocols/ncp}/NCP.cc | 0 src/{ => analyzer/protocols/ncp}/NCP.h | 2 +- src/{ => analyzer/protocols/ncp}/NCP_func.def | 0 src/analyzer/protocols/ncp/Plugin.cc | 11 ++ src/analyzer/protocols/ncp/events.bif | 0 src/{ => analyzer/protocols/ncp}/ncp.pac | 0 .../protocols/netbios-ssn/CMakeLists.txt | 9 ++ .../protocols/netbios-ssn}/NetbiosSSN.cc | 0 .../protocols/netbios-ssn}/NetbiosSSN.h | 6 +- src/analyzer/protocols/netbios-ssn/Plugin.cc | 11 ++ src/analyzer/protocols/netbios-ssn/events.bif | 0 src/analyzer/protocols/ntp/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/ntp}/NTP.cc | 0 src/{ => analyzer/protocols/ntp}/NTP.h | 2 +- src/analyzer/protocols/ntp/Plugin.cc | 10 ++ src/analyzer/protocols/ntp/events.bif | 0 src/analyzer/protocols/pia/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/pia}/PIA.cc | 2 +- src/{ => analyzer/protocols/pia}/PIA.h | 2 +- src/analyzer/protocols/pia/Plugin.cc | 11 ++ src/analyzer/protocols/pia/events.bif | 0 src/analyzer/protocols/pop3/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/pop3}/POP3.cc | 2 +- src/{ => analyzer/protocols/pop3}/POP3.h | 4 +- .../protocols/pop3}/POP3_cmd.def | 0 src/analyzer/protocols/pop3/Plugin.cc | 10 ++ src/analyzer/protocols/pop3/events.bif | 0 src/analyzer/protocols/rpc/CMakeLists.txt | 9 ++ src/{ => analyzer/protocols/rpc}/NFS.cc | 0 src/{ => analyzer/protocols/rpc}/NFS.h | 0 src/analyzer/protocols/rpc/Plugin.cc | 15 +++ src/{ => analyzer/protocols/rpc}/Portmap.cc | 0 src/{ => analyzer/protocols/rpc}/Portmap.h | 0 src/{ 
=> analyzer/protocols/rpc}/RPC.cc | 0 src/{ => analyzer/protocols/rpc}/RPC.h | 4 +- src/{ => analyzer/protocols/rpc}/XDR.cc | 0 src/{ => analyzer/protocols/rpc}/XDR.h | 0 src/analyzer/protocols/rpc/events.bif | 0 src/analyzer/protocols/smb/CMakeLists.txt | 10 ++ src/analyzer/protocols/smb/Plugin.cc | 11 ++ src/{ => analyzer/protocols/smb}/SMB.cc | 0 src/{ => analyzer/protocols/smb}/SMB.h | 4 +- src/{ => analyzer/protocols/smb}/SMB_COM.def | 0 src/analyzer/protocols/smb/events.bif | 0 .../protocols/smb}/smb-mailslot.pac | 0 src/{ => analyzer/protocols/smb}/smb-pipe.pac | 0 .../protocols/smb}/smb-protocol.pac | 0 src/{ => analyzer/protocols/smb}/smb.pac | 0 src/analyzer/protocols/smtp/CMakeLists.txt | 9 ++ src/analyzer/protocols/smtp/Plugin.cc | 10 ++ src/{ => analyzer/protocols/smtp}/SMTP.cc | 2 +- src/{ => analyzer/protocols/smtp}/SMTP.h | 2 +- .../protocols/smtp}/SMTP_cmd.def | 0 src/analyzer/protocols/smtp/events.bif | 0 src/analyzer/protocols/socks/CMakeLists.txt | 10 ++ src/analyzer/protocols/socks/Plugin.cc | 10 ++ src/{ => analyzer/protocols/socks}/SOCKS.cc | 2 +- src/{ => analyzer/protocols/socks}/SOCKS.h | 4 +- src/analyzer/protocols/socks/events.bif | 0 .../protocols/socks}/socks-analyzer.pac | 0 .../protocols/socks}/socks-protocol.pac | 0 src/{ => analyzer/protocols/socks}/socks.pac | 0 src/analyzer/protocols/ssh/CMakeLists.txt | 9 ++ src/analyzer/protocols/ssh/Plugin.cc | 10 ++ src/{ => analyzer/protocols/ssh}/SSH.cc | 2 +- src/{ => analyzer/protocols/ssh}/SSH.h | 4 +- src/analyzer/protocols/ssh/events.bif | 0 src/analyzer/protocols/ssl/SSL.cc | 2 +- src/analyzer/protocols/ssl/SSL.h | 2 +- .../protocols/stepping-stone/CMakeLists.txt | 9 ++ .../protocols/stepping-stone/Plugin.cc | 10 ++ .../stepping-stone}/SteppingStone.cc | 2 +- .../protocols/stepping-stone}/SteppingStone.h | 2 +- .../protocols/stepping-stone/events.bif | 0 src/analyzer/protocols/syslog/Syslog.cc | 2 +- src/analyzer/protocols/syslog/Syslog.h | 4 +- 
src/analyzer/protocols/tcp/CMakeLists.txt | 9 ++ .../protocols/tcp}/ContentLine.cc | 2 +- .../protocols/tcp}/ContentLine.h | 2 +- src/analyzer/protocols/tcp/Plugin.cc | 13 ++ src/analyzer/protocols/tcp/Stats.cc | 79 ++++++++++++ src/analyzer/protocols/tcp/Stats.h | 67 ++++++++++ src/{ => analyzer/protocols/tcp}/TCP.cc | 7 +- src/{ => analyzer/protocols/tcp}/TCP.h | 2 +- .../protocols/tcp}/TCP_Endpoint.cc | 2 +- .../protocols/tcp}/TCP_Endpoint.h | 0 .../protocols/tcp}/TCP_Reassembler.cc | 2 +- .../protocols/tcp}/TCP_Reassembler.h | 0 src/analyzer/protocols/tcp/events.bif | 0 src/analyzer/protocols/teredo/CMakeLists.txt | 9 ++ src/analyzer/protocols/teredo/Plugin.cc | 10 ++ src/{ => analyzer/protocols/teredo}/Teredo.cc | 0 src/{ => analyzer/protocols/teredo}/Teredo.h | 0 src/analyzer/protocols/teredo/events.bif | 0 src/analyzer/protocols/udp/CMakeLists.txt | 9 ++ src/analyzer/protocols/udp/Plugin.cc | 10 ++ src/{ => analyzer/protocols/udp}/UDP.cc | 2 +- src/{ => analyzer/protocols/udp}/UDP.h | 0 src/analyzer/protocols/udp/events.bif | 0 src/analyzer/protocols/zip/CMakeLists.txt | 9 ++ src/analyzer/protocols/zip/Plugin.cc | 10 ++ src/{ => analyzer/protocols/zip}/ZIP.cc | 0 src/{ => analyzer/protocols/zip}/ZIP.h | 2 +- src/analyzer/protocols/zip/events.bif | 0 src/bro.bif | 6 +- src/builtin-func.l | 2 +- src/parse.y | 2 +- src/plugin/Macros.h | 3 + .../canonified_loaded_scripts.log | 40 +++++- .../canonified_loaded_scripts.log | 40 +++++- .../output | 2 +- .../frameworks/analyzer/schedule-analyzer.bro | 2 +- 250 files changed, 1095 insertions(+), 470 deletions(-) delete mode 100644 src/analyzer/protocols/BuiltInAnalyzers.cc delete mode 100644 src/analyzer/protocols/BuiltInAnalyzers.h create mode 100644 src/analyzer/protocols/TODO rename src/{ => analyzer/protocols/ayiya}/AYIYA.cc (100%) rename src/{ => analyzer/protocols/ayiya}/AYIYA.h (100%) create mode 100644 src/analyzer/protocols/ayiya/CMakeLists.txt create mode 100644 src/analyzer/protocols/ayiya/Plugin.cc rename 
src/{ => analyzer/protocols/ayiya}/ayiya-analyzer.pac (100%) rename src/{ => analyzer/protocols/ayiya}/ayiya-protocol.pac (100%) rename src/{ => analyzer/protocols/ayiya}/ayiya.pac (100%) create mode 100644 src/analyzer/protocols/ayiya/events.bif rename src/{ => analyzer/protocols/backdoor}/BackDoor.cc (99%) rename src/{ => analyzer/protocols/backdoor}/BackDoor.h (97%) create mode 100644 src/analyzer/protocols/backdoor/CMakeLists.txt create mode 100644 src/analyzer/protocols/backdoor/Plugin.cc create mode 100644 src/analyzer/protocols/backdoor/events.bif rename src/{ => analyzer/protocols/bittorrent}/BitTorrent.cc (98%) rename src/{ => analyzer/protocols/bittorrent}/BitTorrent.h (94%) rename src/{ => analyzer/protocols/bittorrent}/BitTorrentTracker.cc (99%) rename src/{ => analyzer/protocols/bittorrent}/BitTorrentTracker.h (98%) create mode 100644 src/analyzer/protocols/bittorrent/CMakeLists.txt create mode 100644 src/analyzer/protocols/bittorrent/Plugin.cc rename src/{ => analyzer/protocols/bittorrent}/bittorrent-analyzer.pac (100%) rename src/{ => analyzer/protocols/bittorrent}/bittorrent-protocol.pac (100%) rename src/{ => analyzer/protocols/bittorrent}/bittorrent.pac (100%) create mode 100644 src/analyzer/protocols/bittorrent/events.bif create mode 100644 src/analyzer/protocols/conn-size/CMakeLists.txt rename src/{ConnSizeAnalyzer.cc => analyzer/protocols/conn-size/ConnSize.cc} (96%) rename src/{ConnSizeAnalyzer.h => analyzer/protocols/conn-size/ConnSize.h} (100%) create mode 100644 src/analyzer/protocols/conn-size/Plugin.cc create mode 100644 src/analyzer/protocols/conn-size/events.bif create mode 100644 src/analyzer/protocols/dce-rpc/CMakeLists.txt rename src/{ => analyzer/protocols/dce-rpc}/DCE_RPC.cc (100%) rename src/{ => analyzer/protocols/dce-rpc}/DCE_RPC.h (99%) create mode 100644 src/analyzer/protocols/dce-rpc/Plugin.cc rename src/{ => analyzer/protocols/dce-rpc}/dce_rpc-analyzer.pac (100%) rename src/{ => 
analyzer/protocols/dce-rpc}/dce_rpc-protocol.pac (100%) rename src/{ => analyzer/protocols/dce-rpc}/dce_rpc.pac (100%) rename src/{ => analyzer/protocols/dce-rpc}/dce_rpc_simple.pac (100%) rename src/{ => analyzer/protocols/dce-rpc}/epmapper.pac (100%) create mode 100644 src/analyzer/protocols/dce-rpc/events.bif create mode 100644 src/analyzer/protocols/dhcp/CMakeLists.txt rename src/{DHCP-binpac.cc => analyzer/protocols/dhcp/DHCP.cc} (54%) rename src/{DHCP-binpac.h => analyzer/protocols/dhcp/DHCP.h} (63%) create mode 100644 src/analyzer/protocols/dhcp/Plugin.cc rename src/{ => analyzer/protocols/dhcp}/dhcp-analyzer.pac (100%) rename src/{ => analyzer/protocols/dhcp}/dhcp-protocol.pac (100%) rename src/{ => analyzer/protocols/dhcp}/dhcp.pac (100%) create mode 100644 src/analyzer/protocols/dhcp/events.bif create mode 100644 src/analyzer/protocols/dns/CMakeLists.txt rename src/{ => analyzer/protocols/dns}/DNS.cc (100%) rename src/{ => analyzer/protocols/dns}/DNS.h (99%) create mode 100644 src/analyzer/protocols/dns/Plugin.cc create mode 100644 src/analyzer/protocols/dns/events.bif create mode 100644 src/analyzer/protocols/file/CMakeLists.txt rename src/{FileAnalyzer.cc => analyzer/protocols/file/File.cc} (98%) rename src/{FileAnalyzer.h => analyzer/protocols/file/File.h} (93%) create mode 100644 src/analyzer/protocols/file/Plugin.cc create mode 100644 src/analyzer/protocols/file/events.bif create mode 100644 src/analyzer/protocols/finger/CMakeLists.txt rename src/{ => analyzer/protocols/finger}/Finger.cc (97%) rename src/{ => analyzer/protocols/finger}/Finger.h (93%) create mode 100644 src/analyzer/protocols/finger/Plugin.cc create mode 100644 src/analyzer/protocols/finger/events.bif create mode 100644 src/analyzer/protocols/ftp/CMakeLists.txt rename src/{ => analyzer/protocols/ftp}/FTP.cc (99%) rename src/{ => analyzer/protocols/ftp}/FTP.h (94%) create mode 100644 src/analyzer/protocols/ftp/Plugin.cc create mode 100644 src/analyzer/protocols/ftp/events.bif create 
mode 100644 src/analyzer/protocols/gnutella/CMakeLists.txt rename src/{ => analyzer/protocols/gnutella}/Gnutella.cc (99%) rename src/{ => analyzer/protocols/gnutella}/Gnutella.h (97%) create mode 100644 src/analyzer/protocols/gnutella/Plugin.cc create mode 100644 src/analyzer/protocols/gnutella/events.bif create mode 100644 src/analyzer/protocols/gtpv1/CMakeLists.txt rename src/{ => analyzer/protocols/gtpv1}/GTPv1.cc (100%) rename src/{ => analyzer/protocols/gtpv1}/GTPv1.h (100%) create mode 100644 src/analyzer/protocols/gtpv1/Plugin.cc create mode 100644 src/analyzer/protocols/gtpv1/events.bif rename src/{ => analyzer/protocols/gtpv1}/gtpv1-analyzer.pac (100%) rename src/{ => analyzer/protocols/gtpv1}/gtpv1-protocol.pac (100%) rename src/{ => analyzer/protocols/gtpv1}/gtpv1.pac (100%) create mode 100644 src/analyzer/protocols/icmp/CMakeLists.txt rename src/{ => analyzer/protocols/icmp}/ICMP.cc (100%) rename src/{ => analyzer/protocols/icmp}/ICMP.h (100%) create mode 100644 src/analyzer/protocols/icmp/Plugin.cc create mode 100644 src/analyzer/protocols/icmp/events.bif create mode 100644 src/analyzer/protocols/ident/CMakeLists.txt rename src/{ => analyzer/protocols/ident}/Ident.cc (100%) rename src/{ => analyzer/protocols/ident}/Ident.h (90%) create mode 100644 src/analyzer/protocols/ident/Plugin.cc create mode 100644 src/analyzer/protocols/ident/events.bif create mode 100644 src/analyzer/protocols/interconn/CMakeLists.txt rename src/{ => analyzer/protocols/interconn}/InterConn.cc (99%) rename src/{ => analyzer/protocols/interconn}/InterConn.h (97%) create mode 100644 src/analyzer/protocols/interconn/Plugin.cc create mode 100644 src/analyzer/protocols/interconn/events.bif create mode 100644 src/analyzer/protocols/irc/CMakeLists.txt rename src/{ => analyzer/protocols/irc}/IRC.cc (99%) rename src/{ => analyzer/protocols/irc}/IRC.h (97%) create mode 100644 src/analyzer/protocols/irc/Plugin.cc create mode 100644 src/analyzer/protocols/irc/events.bif create mode 100644 
src/analyzer/protocols/login/CMakeLists.txt rename src/{ => analyzer/protocols/login}/Login.cc (100%) rename src/{ => analyzer/protocols/login}/Login.h (98%) rename src/{ => analyzer/protocols/login}/NVT.cc (99%) rename src/{ => analyzer/protocols/login}/NVT.h (98%) create mode 100644 src/analyzer/protocols/login/Plugin.cc rename src/{ => analyzer/protocols/login}/RSH.cc (100%) rename src/{ => analyzer/protocols/login}/RSH.h (96%) rename src/{ => analyzer/protocols/login}/Rlogin.cc (100%) rename src/{ => analyzer/protocols/login}/Rlogin.h (97%) rename src/{ => analyzer/protocols/login}/Telnet.cc (100%) rename src/{ => analyzer/protocols/login}/Telnet.h (100%) create mode 100644 src/analyzer/protocols/login/events.bif create mode 100644 src/analyzer/protocols/modbus/CMakeLists.txt rename src/{ => analyzer/protocols/modbus}/Modbus.cc (94%) rename src/{ => analyzer/protocols/modbus}/Modbus.h (93%) create mode 100644 src/analyzer/protocols/modbus/Plugin.cc create mode 100644 src/analyzer/protocols/modbus/events.bif rename src/{ => analyzer/protocols/modbus}/modbus-analyzer.pac (100%) rename src/{ => analyzer/protocols/modbus}/modbus-protocol.pac (100%) rename src/{ => analyzer/protocols/modbus}/modbus.pac (100%) create mode 100644 src/analyzer/protocols/ncp/CMakeLists.txt rename src/{ => analyzer/protocols/ncp}/NCP.cc (100%) rename src/{ => analyzer/protocols/ncp}/NCP.h (98%) rename src/{ => analyzer/protocols/ncp}/NCP_func.def (100%) create mode 100644 src/analyzer/protocols/ncp/Plugin.cc create mode 100644 src/analyzer/protocols/ncp/events.bif rename src/{ => analyzer/protocols/ncp}/ncp.pac (100%) create mode 100644 src/analyzer/protocols/netbios-ssn/CMakeLists.txt rename src/{ => analyzer/protocols/netbios-ssn}/NetbiosSSN.cc (100%) rename src/{ => analyzer/protocols/netbios-ssn}/NetbiosSSN.h (97%) create mode 100644 src/analyzer/protocols/netbios-ssn/Plugin.cc create mode 100644 src/analyzer/protocols/netbios-ssn/events.bif create mode 100644 
src/analyzer/protocols/ntp/CMakeLists.txt rename src/{ => analyzer/protocols/ntp}/NTP.cc (100%) rename src/{ => analyzer/protocols/ntp}/NTP.h (97%) create mode 100644 src/analyzer/protocols/ntp/Plugin.cc create mode 100644 src/analyzer/protocols/ntp/events.bif create mode 100644 src/analyzer/protocols/pia/CMakeLists.txt rename src/{ => analyzer/protocols/pia}/PIA.cc (99%) rename src/{ => analyzer/protocols/pia}/PIA.h (99%) create mode 100644 src/analyzer/protocols/pia/Plugin.cc create mode 100644 src/analyzer/protocols/pia/events.bif create mode 100644 src/analyzer/protocols/pop3/CMakeLists.txt rename src/{ => analyzer/protocols/pop3}/POP3.cc (99%) rename src/{ => analyzer/protocols/pop3}/POP3.h (95%) rename src/{ => analyzer/protocols/pop3}/POP3_cmd.def (100%) create mode 100644 src/analyzer/protocols/pop3/Plugin.cc create mode 100644 src/analyzer/protocols/pop3/events.bif create mode 100644 src/analyzer/protocols/rpc/CMakeLists.txt rename src/{ => analyzer/protocols/rpc}/NFS.cc (100%) rename src/{ => analyzer/protocols/rpc}/NFS.h (100%) create mode 100644 src/analyzer/protocols/rpc/Plugin.cc rename src/{ => analyzer/protocols/rpc}/Portmap.cc (100%) rename src/{ => analyzer/protocols/rpc}/Portmap.h (100%) rename src/{ => analyzer/protocols/rpc}/RPC.cc (100%) rename src/{ => analyzer/protocols/rpc}/RPC.h (98%) rename src/{ => analyzer/protocols/rpc}/XDR.cc (100%) rename src/{ => analyzer/protocols/rpc}/XDR.h (100%) create mode 100644 src/analyzer/protocols/rpc/events.bif create mode 100644 src/analyzer/protocols/smb/CMakeLists.txt create mode 100644 src/analyzer/protocols/smb/Plugin.cc rename src/{ => analyzer/protocols/smb}/SMB.cc (100%) rename src/{ => analyzer/protocols/smb}/SMB.h (98%) rename src/{ => analyzer/protocols/smb}/SMB_COM.def (100%) create mode 100644 src/analyzer/protocols/smb/events.bif rename src/{ => analyzer/protocols/smb}/smb-mailslot.pac (100%) rename src/{ => analyzer/protocols/smb}/smb-pipe.pac (100%) rename src/{ => 
analyzer/protocols/smb}/smb-protocol.pac (100%) rename src/{ => analyzer/protocols/smb}/smb.pac (100%) create mode 100644 src/analyzer/protocols/smtp/CMakeLists.txt create mode 100644 src/analyzer/protocols/smtp/Plugin.cc rename src/{ => analyzer/protocols/smtp}/SMTP.cc (99%) rename src/{ => analyzer/protocols/smtp}/SMTP.h (98%) rename src/{ => analyzer/protocols/smtp}/SMTP_cmd.def (100%) create mode 100644 src/analyzer/protocols/smtp/events.bif create mode 100644 src/analyzer/protocols/socks/CMakeLists.txt create mode 100644 src/analyzer/protocols/socks/Plugin.cc rename src/{ => analyzer/protocols/socks}/SOCKS.cc (96%) rename src/{ => analyzer/protocols/socks}/SOCKS.h (89%) create mode 100644 src/analyzer/protocols/socks/events.bif rename src/{ => analyzer/protocols/socks}/socks-analyzer.pac (100%) rename src/{ => analyzer/protocols/socks}/socks-protocol.pac (100%) rename src/{ => analyzer/protocols/socks}/socks.pac (100%) create mode 100644 src/analyzer/protocols/ssh/CMakeLists.txt create mode 100644 src/analyzer/protocols/ssh/Plugin.cc rename src/{ => analyzer/protocols/ssh}/SSH.cc (97%) rename src/{ => analyzer/protocols/ssh}/SSH.h (83%) create mode 100644 src/analyzer/protocols/ssh/events.bif create mode 100644 src/analyzer/protocols/stepping-stone/CMakeLists.txt create mode 100644 src/analyzer/protocols/stepping-stone/Plugin.cc rename src/{ => analyzer/protocols/stepping-stone}/SteppingStone.cc (99%) rename src/{ => analyzer/protocols/stepping-stone}/SteppingStone.h (98%) create mode 100644 src/analyzer/protocols/stepping-stone/events.bif create mode 100644 src/analyzer/protocols/tcp/CMakeLists.txt rename src/{ => analyzer/protocols/tcp}/ContentLine.cc (99%) rename src/{ => analyzer/protocols/tcp}/ContentLine.h (98%) create mode 100644 src/analyzer/protocols/tcp/Plugin.cc create mode 100644 src/analyzer/protocols/tcp/Stats.cc create mode 100644 src/analyzer/protocols/tcp/Stats.h rename src/{ => analyzer/protocols/tcp}/TCP.cc (99%) rename src/{ => 
analyzer/protocols/tcp}/TCP.h (99%) rename src/{ => analyzer/protocols/tcp}/TCP_Endpoint.cc (99%) rename src/{ => analyzer/protocols/tcp}/TCP_Endpoint.h (100%) rename src/{ => analyzer/protocols/tcp}/TCP_Reassembler.cc (99%) rename src/{ => analyzer/protocols/tcp}/TCP_Reassembler.h (100%) create mode 100644 src/analyzer/protocols/tcp/events.bif create mode 100644 src/analyzer/protocols/teredo/CMakeLists.txt create mode 100644 src/analyzer/protocols/teredo/Plugin.cc rename src/{ => analyzer/protocols/teredo}/Teredo.cc (100%) rename src/{ => analyzer/protocols/teredo}/Teredo.h (100%) create mode 100644 src/analyzer/protocols/teredo/events.bif create mode 100644 src/analyzer/protocols/udp/CMakeLists.txt create mode 100644 src/analyzer/protocols/udp/Plugin.cc rename src/{ => analyzer/protocols/udp}/UDP.cc (99%) rename src/{ => analyzer/protocols/udp}/UDP.h (100%) create mode 100644 src/analyzer/protocols/udp/events.bif create mode 100644 src/analyzer/protocols/zip/CMakeLists.txt create mode 100644 src/analyzer/protocols/zip/Plugin.cc rename src/{ => analyzer/protocols/zip}/ZIP.cc (100%) rename src/{ => analyzer/protocols/zip}/ZIP.h (92%) create mode 100644 src/analyzer/protocols/zip/events.bif diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 0f76c1881a..00cba8bab7 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
@@ -17,15 +17,48 @@ rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/analyzer.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ayiya/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/backdoor/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/bittorrent/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/conn-size/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dce-rpc/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dhcp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dns/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/file/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/finger/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ftp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gnutella/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gtpv1/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/icmp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ident/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/interconn/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/irc/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/login/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/modbus/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ncp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src 
base/analyzer/protocols/netbios-ssn/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ntp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pia/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pop3/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/rpc/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smb/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smtp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/socks/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssh/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssl/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/stepping-stone/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/syslog/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/tcp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/teredo/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/udp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/zip/events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/functions.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/protocols/ssl/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/protocols/syslog/events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) 
rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index bc68d0d67f..4d3e6dd917 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -133,27 +133,8 @@ set(BINPAC_AUXSRC binpac_target(binpac-lib.pac) binpac_target(binpac_bro-lib.pac) -binpac_target(ayiya.pac - ayiya-protocol.pac ayiya-analyzer.pac) -binpac_target(bittorrent.pac - bittorrent-protocol.pac bittorrent-analyzer.pac) -binpac_target(dce_rpc.pac - dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac) -binpac_target(dce_rpc_simple.pac - dce_rpc-protocol.pac epmapper.pac) -binpac_target(dhcp.pac - dhcp-protocol.pac dhcp-analyzer.pac) -binpac_target(gtpv1.pac - gtpv1-protocol.pac gtpv1-analyzer.pac) -binpac_target(ncp.pac) binpac_target(netflow.pac netflow-protocol.pac netflow-analyzer.pac) -binpac_target(smb.pac - smb-protocol.pac smb-pipe.pac smb-mailslot.pac) -binpac_target(socks.pac - socks-protocol.pac socks-analyzer.pac) -binpac_target(modbus.pac - modbus-protocol.pac modbus-analyzer.pac) ######################################################################## ## Including subdirectories. @@ -233,11 +214,7 @@ set(bro_SRCS Anon.cc ARP.cc Attr.cc - AYIYA.cc - BackDoor.cc Base64.cc - BitTorrent.cc - BitTorrentTracker.cc BPF_Program.cc BroDoc.cc BroDocObj.cc @@ -247,13 +224,7 @@ set(bro_SRCS ChunkedIO.cc CompHash.cc Conn.cc - ConnSizeAnalyzer.cc - ContentLine.cc - DCE_RPC.cc DFA.cc - DHCP-binpac.cc - DNS.cc - DNS_Mgr.cc DbgBreakpoint.cc DbgHelp.cc DbgWatch.cc 
@@ -263,45 +234,30 @@ set(bro_SRCS Desc.cc Dict.cc Discard.cc + DNS_Mgr.cc EquivClass.cc Event.cc EventHandler.cc EventLauncher.cc EventRegistry.cc Expr.cc - FTP.cc File.cc - FileAnalyzer.cc - Finger.cc FlowSrc.cc Frag.cc Frame.cc Func.cc - Gnutella.cc - GTPv1.cc Hash.cc - ICMP.cc ID.cc - Ident.cc IntSet.cc - InterConn.cc IOSource.cc IP.cc IPAddr.cc - IRC.cc List.cc Reporter.cc - Login.cc MIME.cc - Modbus.cc - NCP.cc NFA.cc - NFS.cc - NTP.cc - NVT.cc Net.cc NetVar.cc - NetbiosSSN.cc Obj.cc OpaqueVal.cc OSFinger.cc @@ -309,30 +265,20 @@ set(bro_SRCS PacketSort.cc PersistenceSerializer.cc PktSrc.cc - PIA.cc PolicyFile.cc - POP3.cc - Portmap.cc PrefixTable.cc PriorityQueue.cc Queue.cc RandTest.cc RE.cc - RPC.cc Reassem.cc RemoteSerializer.cc - Rlogin.cc - RSH.cc Rule.cc RuleAction.cc RuleCondition.cc RuleMatcher.cc ScriptAnaly.cc SmithWaterman.cc - SMB.cc - SMTP.cc - SOCKS.cc - SSH.cc Scope.cc SerializationFormat.cc SerialObj.cc @@ -340,23 +286,14 @@ set(bro_SRCS Sessions.cc StateAccess.cc Stats.cc - SteppingStone.cc Stmt.cc - TCP.cc - TCP_Endpoint.cc - TCP_Reassembler.cc - Telnet.cc - Teredo.cc Timer.cc Traverse.cc Trigger.cc TunnelEncapsulation.cc Type.cc - UDP.cc Val.cc Var.cc - XDR.cc - ZIP.cc bsd-getopt-long.c bro_inet_ntop.c cq.c @@ -391,8 +328,6 @@ set(bro_SRCS plugin/Manager.cc plugin/Plugin.cc - analyzer/protocols/BuiltInAnalyzers.cc - nb_dns.c digest.h ) diff --git a/src/Conn.cc b/src/Conn.cc index e476dd674b..d6fc41c0b9 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -11,7 +11,7 @@ #include "Sessions.h" #include "Reporter.h" #include "Timer.h" -#include "PIA.h" +#include "analyzer/protocols/pia/PIA.h" #include "binpac.h" #include "TunnelEncapsulation.h" #include "analyzer/Analyzer.h" diff --git a/src/Func.cc b/src/Func.cc index 02f8dd4f29..82cd1998ce 100644 --- a/src/Func.cc +++ b/src/Func.cc 
@@ -38,7 +38,7 @@ #include "Func.h" #include "Frame.h" #include "Var.h" -#include "Login.h" +#include "analyzer/protocols/login/Login.h" #include "Sessions.h" #include "RE.h" #include "Serializer.h" diff --git a/src/RuleAction.cc b/src/RuleAction.cc index 6bbd7243cd..4e279e2cab 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc @@ -8,7 +8,7 @@ using std::string; #include "Conn.h" #include "Event.h" #include "NetVar.h" -#include "PIA.h" +#include "analyzer/protocols/pia/PIA.h" #include "analyzer/Manager.h" diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index b31976711c..b26ed9c9f5 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc @@ -1,7 +1,7 @@ #include "config.h" #include "RuleCondition.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "Scope.h" static inline bool is_established(const TCP_Endpoint* e) diff --git a/src/Sessions.cc b/src/Sessions.cc index dc3f54efe6..739bbbe5e7 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -16,12 +16,12 @@ #include "Reporter.h" #include "OSFinger.h" -#include "ICMP.h" -#include "UDP.h" +#include "analyzer/protocols/icmp/ICMP.h" +#include "analyzer/protocols/udp/UDP.h" -#include "SteppingStone.h" -#include "BackDoor.h" -#include "InterConn.h" +#include "analyzer/protocols/stepping-stone/SteppingStone.h" +#include "analyzer/protocols/backdoor/BackDoor.h" +#include "analyzer/protocols/interconn/InterConn.h" #include "Discard.h" #include "RuleMatcher.h" diff --git a/src/Sessions.h b/src/Sessions.h index abaa8b49d0..5b87518033 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -12,6 +12,8 @@ #include "Stats.h" #include "NetVar.h" #include "TunnelEncapsulation.h" +#include "analyzer/protocols/tcp/Stats.h" + #include struct pcap_pkthdr; diff --git a/src/Stats.cc b/src/Stats.cc index 1bccb8f9be..9b839ec672 100644 --- a/src/Stats.cc +++ b/src/Stats.cc 
@@ -389,84 +389,6 @@ void SegmentProfiler::Report() reporter->SegmentProfile(name, loc, dtime, dmem); } - -TCPStateStats::TCPStateStats() - { - for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) - for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j ) - state_cnt[i][j] = 0; - } - -void TCPStateStats::ChangeState(EndpointState o_prev, EndpointState o_now, - EndpointState r_prev, EndpointState r_now) - { - --state_cnt[o_prev][r_prev]; - ++state_cnt[o_now][r_now]; - } - -void TCPStateStats::FlipState(EndpointState orig, EndpointState resp) - { - --state_cnt[orig][resp]; - ++state_cnt[resp][orig]; - } - -unsigned int TCPStateStats::NumStatePartial() const - { - unsigned int sum = 0; - for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) - { - sum += state_cnt[TCP_ENDPOINT_PARTIAL][i]; - sum += state_cnt[i][TCP_ENDPOINT_PARTIAL]; - } - - return sum; - } - -void TCPStateStats::PrintStats(BroFile* file, const char* prefix) - { - file->Write(prefix); - file->Write(" Inact. Syn. SA Part. Est. Fin. Rst.\n"); - - for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) - { - file->Write(prefix); - - switch ( i ) { -#define STATE_STRING(state, str) \ - case state: \ - file->Write(str); \ - break; - - STATE_STRING(TCP_ENDPOINT_INACTIVE, "Inact."); - STATE_STRING(TCP_ENDPOINT_SYN_SENT, "Syn. "); - STATE_STRING(TCP_ENDPOINT_SYN_ACK_SENT, "SA "); - STATE_STRING(TCP_ENDPOINT_PARTIAL, "Part. "); - STATE_STRING(TCP_ENDPOINT_ESTABLISHED, "Est. "); - STATE_STRING(TCP_ENDPOINT_CLOSED, "Fin. "); - STATE_STRING(TCP_ENDPOINT_RESET, "Rst. "); - - } - - file->Write(" "); - - for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j ) - { - unsigned int n = state_cnt[i][j]; - if ( n > 0 ) - { - char buf[32]; - safe_snprintf(buf, sizeof(buf), "%-8d", state_cnt[i][j]); - file->Write(buf); - } - else - file->Write(" "); - } - - file->Write("\n"); - } - } - - PacketProfiler::PacketProfiler(unsigned int mode, double freq, BroFile* arg_file) { diff --git a/src/Stats.h b/src/Stats.h index a11d66828a..8137ad16cf 100644 
--- a/src/Stats.h +++ b/src/Stats.h @@ -7,9 +7,6 @@ #include #include -#include "TCP_Endpoint.h" - - // Object called by SegmentProfiler when it is done and reports its // cumulative CPU/memory statistics. class SegmentStatsReporter { 
@@ -121,67 +118,6 @@ extern uint64 tot_ack_bytes; extern uint64 tot_gap_events; extern uint64 tot_gap_bytes; - -// A TCPStateStats object tracks the distribution of TCP states for -// the currently active connections. -class TCPStateStats { -public: - TCPStateStats(); - ~TCPStateStats() { } - - void ChangeState(EndpointState o_prev, EndpointState o_now, - EndpointState r_prev, EndpointState r_now); - void FlipState(EndpointState orig, EndpointState resp); - - void StateEntered (EndpointState o_state, EndpointState r_state) - { ++state_cnt[o_state][r_state]; } - void StateLeft (EndpointState o_state, EndpointState r_state) - { --state_cnt[o_state][r_state]; } - - unsigned int Cnt(EndpointState state) const - { return Cnt(state, state); } - unsigned int Cnt(EndpointState state1, EndpointState state2) const - { return state_cnt[state1][state2]; } - - unsigned int NumStateEstablished() const - { return Cnt(TCP_ENDPOINT_ESTABLISHED); } - unsigned int NumStateHalfClose() const - { // corresponds to S2,S3 - return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_CLOSED) + - Cnt(TCP_ENDPOINT_CLOSED, TCP_ENDPOINT_ESTABLISHED); - } - unsigned int NumStateHalfRst() const - { - return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_RESET) + - Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_ESTABLISHED); - } - unsigned int NumStateClosed() const - { return Cnt(TCP_ENDPOINT_CLOSED); } - unsigned int NumStateRequest() const - { - assert(Cnt(TCP_ENDPOINT_INACTIVE, TCP_ENDPOINT_SYN_SENT)==0); - return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_INACTIVE); - } - unsigned int NumStateSuccRequest() const - { - return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_SYN_ACK_SENT) + - Cnt(TCP_ENDPOINT_SYN_ACK_SENT, TCP_ENDPOINT_SYN_SENT); - } - unsigned int NumStateRstRequest() const - { - return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_RESET) + - Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_SYN_SENT); - } - unsigned int NumStateInactive() const - { return Cnt(TCP_ENDPOINT_INACTIVE); } - unsigned int NumStatePartial() const; - - 
void PrintStats(BroFile* file, const char* prefix); - -private: - unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1]; -}; - class PacketProfiler { public: PacketProfiler(unsigned int mode, double freq, BroFile* arg_file); diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index c482ddd792..098535d0a9 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -4,7 +4,7 @@ #include "Analyzer.h" #include "Manager.h" -#include "../PIA.h" +#include "analyzer/protocols/pia/PIA.h" #include "../Event.h" namespace analyzer { diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 8ac8cbf824..aba7f26a56 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -1,16 +1,17 @@ #include "Manager.h" -#include "PIA.h" #include "Hash.h" -#include "ICMP.h" -#include "UDP.h" -#include "TCP.h" #include "Val.h" -#include "BackDoor.h" -#include "InterConn.h" -#include "SteppingStone.h" -#include "ConnSizeAnalyzer.h" + +#include "analyzer/protocols/backdoor/BackDoor.h" +#include "analyzer/protocols/conn-size/ConnSize.h" +#include "analyzer/protocols/icmp/ICMP.h" +#include "analyzer/protocols/interconn/InterConn.h" +#include "analyzer/protocols/pia/PIA.h" +#include "analyzer/protocols/stepping-stone/SteppingStone.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/udp/UDP.h" #include "plugin/Manager.h" 
@@ -153,15 +154,16 @@ void Manager::RegisterAnalyzerComponent(Component* component) if ( Lookup(component->Name()) ) reporter->FatalError("Analyzer %s defined more than once", component->Name()); - DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)", - component->Name(), component->Tag().AsString().c_str()); + string name = to_upper(component->Name()); - analyzers_by_name.insert(std::make_pair(component->Name(), component)); + DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)", + name.c_str(), component->Tag().AsString().c_str()); + + analyzers_by_name.insert(std::make_pair(name, component)); analyzers_by_tag.insert(std::make_pair(component->Tag(), component)); analyzers_by_val.insert(std::make_pair(component->Tag().AsEnumVal()->InternalInt(), component)); // Install enum "Analyzer::ANALYZER_*" - string name = to_upper(component->Name()); string id = fmt("ANALYZER_%s", name.c_str()); tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().AsEnumVal()->InternalInt(), true); } @@ -306,7 +308,9 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn) if ( ! c->Enabled() ) return 0; - assert(c->Factory()); + if ( ! c->Factory() ) + reporter->InternalError("analyzer %s cannot be instantiated dynamically", GetAnalyzerName(tag)); + Analyzer* a = c->Factory()(conn); if ( ! a ) diff --git a/src/analyzer/protocols/BuiltInAnalyzers.cc b/src/analyzer/protocols/BuiltInAnalyzers.cc deleted file mode 100644 index 8403b1bb25..0000000000 --- a/src/analyzer/protocols/BuiltInAnalyzers.cc +++ /dev/null 
@@ -1,119 +0,0 @@ - -// TODO: This file will eventually go away once we've converrted all -// analyzers into separate plugins. - -#include "BuiltInAnalyzers.h" -#include "analyzer/Component.h" - -#include "../../binpac_bro.h" - -#include "AYIYA.h" -#include "BackDoor.h" -#include "BitTorrent.h" -#include "BitTorrentTracker.h" -#include "Finger.h" -#include "InterConn.h" -#include "NTP.h" -#include "ICMP.h" -#include "SteppingStone.h" -#include "IRC.h" -#include "SMTP.h" -#include "FTP.h" -#include "FileAnalyzer.h" -#include "DNS.h" -#include "DHCP-binpac.h" -#include "Telnet.h" -#include "Rlogin.h" -#include "RSH.h" -#include "DCE_RPC.h" -#include "Gnutella.h" -#include "Ident.h" -#include "Modbus.h" -#include "NCP.h" -#include "NetbiosSSN.h" -#include "SMB.h" -#include "NFS.h" -#include "Portmap.h" -#include "POP3.h" -#include "SOCKS.h" -#include "SSH.h" -#include "Teredo.h" -#include "ConnSizeAnalyzer.h" -#include "GTPv1.h" - -using namespace analyzer; - -BuiltinAnalyzers builtin_analyzers; - -#define DEFINE_ANALYZER(name, factory) \ - AddComponent(new Component(name, factory)) - -void BuiltinAnalyzers::Init() - { - SetName("Core-Analyzers"); - SetDescription("Built-in protocol analyzers"); - SetVersion(BRO_PLUGIN_VERSION_BUILTIN); - - DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer); - DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer); - - DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); - 
DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("LOGIN", 0); // just a base class - DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("NETBIOSSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("RPC", 0); - DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer); - DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer); - DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer); - - DEFINE_ANALYZER("CONTENTS", 0); - DEFINE_ANALYZER("CONTENTLINE", 0); - DEFINE_ANALYZER("NVT", 0); 
- DEFINE_ANALYZER("ZIP", 0); - DEFINE_ANALYZER("CONTENTS_DNS", 0); - DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0); - DEFINE_ANALYZER("CONTENTS_NCP", 0); - DEFINE_ANALYZER("CONTENTS_RLOGIN", 0); - DEFINE_ANALYZER("CONTENTS_RSH", 0); - DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0); - DEFINE_ANALYZER("CONTENTS_SMB", 0); - DEFINE_ANALYZER("CONTENTS_RPC", 0); - DEFINE_ANALYZER("CONTENTS_NFS", 0); - DEFINE_ANALYZER("FTP_ADAT", 0); - } - diff --git a/src/analyzer/protocols/BuiltInAnalyzers.h b/src/analyzer/protocols/BuiltInAnalyzers.h deleted file mode 100644 index 6097bfa078..0000000000 --- a/src/analyzer/protocols/BuiltInAnalyzers.h +++ /dev/null @@ -1,17 +0,0 @@ - -#ifndef ANALYZER_BUILTIN_ANALYZERS_H -#define ANALYZER_BUILTIN_ANALYZERS_H - -#include "plugin/Plugin.h" - -namespace analyzer { - -class BuiltinAnalyzers : public plugin::Plugin { -public: - virtual void Init(); -}; - -} - - -#endif diff --git a/src/analyzer/protocols/CMakeLists.txt b/src/analyzer/protocols/CMakeLists.txt index 19dda0c770..9fcbbdd2d5 100644 --- a/src/analyzer/protocols/CMakeLists.txt +++ b/src/analyzer/protocols/CMakeLists.txt 
@@ -1,4 +1,37 @@ +add_subdirectory(ayiya) +add_subdirectory(backdoor) +add_subdirectory(bittorrent) +add_subdirectory(conn-size) +add_subdirectory(dce-rpc) +add_subdirectory(dhcp) +add_subdirectory(dns) +add_subdirectory(file) +add_subdirectory(finger) +add_subdirectory(ftp) +add_subdirectory(gnutella) +add_subdirectory(gtpv1) add_subdirectory(http) +add_subdirectory(icmp) +add_subdirectory(ident) +add_subdirectory(interconn) +add_subdirectory(irc) +add_subdirectory(login) +add_subdirectory(modbus) +add_subdirectory(ncp) +add_subdirectory(netbios-ssn) +add_subdirectory(ntp) +add_subdirectory(pia) +add_subdirectory(pop3) +add_subdirectory(rpc) +add_subdirectory(smb) +add_subdirectory(smtp) +add_subdirectory(socks) +add_subdirectory(ssh) add_subdirectory(ssl) +add_subdirectory(stepping-stone) add_subdirectory(syslog) +add_subdirectory(tcp) +add_subdirectory(teredo) +add_subdirectory(udp) +add_subdirectory(zip) diff --git a/src/analyzer/protocols/TODO b/src/analyzer/protocols/TODO new file mode 100644 index 0000000000..6168bf4686 --- /dev/null +++ b/src/analyzer/protocols/TODO @@ -0,0 +1,10 @@ + +- introduce namespace into analyzers +- fill events.bif +- add functions.bif where needed +- move ARP +- move NetFlow +- update *.h guards +- cleanup analyzer descriptions +- can now lower-case the analyzer name in plugin + diff --git a/src/AYIYA.cc b/src/analyzer/protocols/ayiya/AYIYA.cc similarity index 100% rename from src/AYIYA.cc rename to src/analyzer/protocols/ayiya/AYIYA.cc diff --git a/src/AYIYA.h b/src/analyzer/protocols/ayiya/AYIYA.h similarity index 100% rename from src/AYIYA.h rename to src/analyzer/protocols/ayiya/AYIYA.h diff --git a/src/analyzer/protocols/ayiya/CMakeLists.txt b/src/analyzer/protocols/ayiya/CMakeLists.txt new file mode 100644 index 0000000000..8f578a763b --- /dev/null +++ b/src/analyzer/protocols/ayiya/CMakeLists.txt 
@@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(AYIYA) +bro_plugin_cc(AYIYA.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac) +bro_plugin_end() diff --git a/src/analyzer/protocols/ayiya/Plugin.cc b/src/analyzer/protocols/ayiya/Plugin.cc new file mode 100644 index 0000000000..1ec9887534 --- /dev/null +++ b/src/analyzer/protocols/ayiya/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "AYIYA.h" + +BRO_PLUGIN_BEGIN(AYIYA) + BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer"); + BRO_PLUGIN_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/ayiya-analyzer.pac b/src/analyzer/protocols/ayiya/ayiya-analyzer.pac similarity index 100% rename from src/ayiya-analyzer.pac rename to src/analyzer/protocols/ayiya/ayiya-analyzer.pac diff --git a/src/ayiya-protocol.pac b/src/analyzer/protocols/ayiya/ayiya-protocol.pac similarity index 100% rename from src/ayiya-protocol.pac rename to src/analyzer/protocols/ayiya/ayiya-protocol.pac diff --git a/src/ayiya.pac b/src/analyzer/protocols/ayiya/ayiya.pac similarity index 100% rename from src/ayiya.pac rename to src/analyzer/protocols/ayiya/ayiya.pac diff --git a/src/analyzer/protocols/ayiya/events.bif b/src/analyzer/protocols/ayiya/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/BackDoor.cc b/src/analyzer/protocols/backdoor/BackDoor.cc similarity index 99% rename from src/BackDoor.cc rename to src/analyzer/protocols/backdoor/BackDoor.cc index 333dc9c806..00a1319e53 100644 --- a/src/BackDoor.cc +++ b/src/analyzer/protocols/backdoor/BackDoor.cc @@ -5,7 +5,7 @@ #include "BackDoor.h" #include "Event.h" #include "Net.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" BackDoorEndpoint::BackDoorEndpoint(TCP_Endpoint* e) { 
diff --git a/src/BackDoor.h b/src/analyzer/protocols/backdoor/BackDoor.h similarity index 97% rename from src/BackDoor.h rename to src/analyzer/protocols/backdoor/BackDoor.h index d3687bad0b..1865cdd1ef 100644 --- a/src/BackDoor.h +++ b/src/analyzer/protocols/backdoor/BackDoor.h @@ -3,10 +3,10 @@ #ifndef backdoor_h #define backdoor_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "Timer.h" #include "NetVar.h" -#include "Login.h" +#include "analyzer/protocols/login/Login.h" class BackDoorEndpoint { public: diff --git a/src/analyzer/protocols/backdoor/CMakeLists.txt b/src/analyzer/protocols/backdoor/CMakeLists.txt new file mode 100644 index 0000000000..b065cc2c95 --- /dev/null +++ b/src/analyzer/protocols/backdoor/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(BackDoor) +bro_plugin_cc(BackDoor.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocols/backdoor/Plugin.cc b/src/analyzer/protocols/backdoor/Plugin.cc new file mode 100644 index 0000000000..586b9ef139 --- /dev/null +++ b/src/analyzer/protocols/backdoor/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "BackDoor.h" + +BRO_PLUGIN_BEGIN(BackDoor) + BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)"); + BRO_PLUGIN_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/backdoor/events.bif b/src/analyzer/protocols/backdoor/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/BitTorrent.cc b/src/analyzer/protocols/bittorrent/BitTorrent.cc similarity index 98% rename from src/BitTorrent.cc rename to src/analyzer/protocols/bittorrent/BitTorrent.cc index de033cbbe7..05e9ae8fba 100644 --- a/src/BitTorrent.cc +++ b/src/analyzer/protocols/bittorrent/BitTorrent.cc 
@@ -1,7 +1,7 @@ // This code contributed by Nadi Sarrar. #include "BitTorrent.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("BITTORRENT", c) diff --git a/src/BitTorrent.h b/src/analyzer/protocols/bittorrent/BitTorrent.h similarity index 94% rename from src/BitTorrent.h rename to src/analyzer/protocols/bittorrent/BitTorrent.h index 6c1ef677e1..0a36442ab9 100644 --- a/src/BitTorrent.h +++ b/src/analyzer/protocols/bittorrent/BitTorrent.h @@ -3,7 +3,7 @@ #ifndef bittorrent_h #define bittorrent_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "bittorrent_pac.h" diff --git a/src/BitTorrentTracker.cc b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc similarity index 99% rename from src/BitTorrentTracker.cc rename to src/analyzer/protocols/bittorrent/BitTorrentTracker.cc index 81b97f44d4..cf8dcff6ba 100644 --- a/src/BitTorrentTracker.cc +++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc @@ -1,7 +1,7 @@ // This code contributed by Nadi Sarrar. #include "BitTorrentTracker.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" #include #include diff --git a/src/BitTorrentTracker.h b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h similarity index 98% rename from src/BitTorrentTracker.h rename to src/analyzer/protocols/bittorrent/BitTorrentTracker.h index 41a902befa..70f3004acb 100644 --- a/src/BitTorrentTracker.h +++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h @@ -3,7 +3,7 @@ #ifndef bittorrenttracker_h #define bittorrenttracker_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #define BTTRACKER_BUF 2048 diff --git a/src/analyzer/protocols/bittorrent/CMakeLists.txt b/src/analyzer/protocols/bittorrent/CMakeLists.txt new file mode 100644 index 0000000000..5a3f9372bb --- /dev/null +++ b/src/analyzer/protocols/bittorrent/CMakeLists.txt 
@@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(BitTorrent) +bro_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac) +bro_plugin_end() diff --git a/src/analyzer/protocols/bittorrent/Plugin.cc b/src/analyzer/protocols/bittorrent/Plugin.cc new file mode 100644 index 0000000000..c028956ce9 --- /dev/null +++ b/src/analyzer/protocols/bittorrent/Plugin.cc @@ -0,0 +1,12 @@ + +#include "plugin/Plugin.h" + +#include "BitTorrent.h" +#include "BitTorrentTracker.h" + +BRO_PLUGIN_BEGIN(BitTorrent) + BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer"); + BRO_PLUGIN_ANALYZER("BitTorrent", BitTorrent_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("BitTorrentTracker", BitTorrentTracker_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/bittorrent-analyzer.pac b/src/analyzer/protocols/bittorrent/bittorrent-analyzer.pac similarity index 100% rename from src/bittorrent-analyzer.pac rename to src/analyzer/protocols/bittorrent/bittorrent-analyzer.pac diff --git a/src/bittorrent-protocol.pac b/src/analyzer/protocols/bittorrent/bittorrent-protocol.pac similarity index 100% rename from src/bittorrent-protocol.pac rename to src/analyzer/protocols/bittorrent/bittorrent-protocol.pac diff --git a/src/bittorrent.pac b/src/analyzer/protocols/bittorrent/bittorrent.pac similarity index 100% rename from src/bittorrent.pac rename to src/analyzer/protocols/bittorrent/bittorrent.pac diff --git a/src/analyzer/protocols/bittorrent/events.bif b/src/analyzer/protocols/bittorrent/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/conn-size/CMakeLists.txt b/src/analyzer/protocols/conn-size/CMakeLists.txt new file mode 100644 index 0000000000..e5edd9c947 --- /dev/null 
+++ b/src/analyzer/protocols/conn-size/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(ConnSize) +bro_plugin_cc(ConnSize.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/ConnSizeAnalyzer.cc b/src/analyzer/protocols/conn-size/ConnSize.cc similarity index 96% rename from src/ConnSizeAnalyzer.cc rename to src/analyzer/protocols/conn-size/ConnSize.cc index 82672dba7c..a5a401a816 100644 --- a/src/ConnSizeAnalyzer.cc +++ b/src/analyzer/protocols/conn-size/ConnSize.cc @@ -3,8 +3,8 @@ // See ConnSize.h for more extensive comments. -#include "ConnSizeAnalyzer.h" -#include "TCP.h" +#include "ConnSize.h" +#include "analyzer/protocols/tcp/TCP.h" diff --git a/src/ConnSizeAnalyzer.h b/src/analyzer/protocols/conn-size/ConnSize.h similarity index 100% rename from src/ConnSizeAnalyzer.h rename to src/analyzer/protocols/conn-size/ConnSize.h diff --git a/src/analyzer/protocols/conn-size/Plugin.cc b/src/analyzer/protocols/conn-size/Plugin.cc new file mode 100644 index 0000000000..7520d9b7b5 --- /dev/null +++ b/src/analyzer/protocols/conn-size/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "ConnSize.h" + +BRO_PLUGIN_BEGIN(ConnSize) + BRO_PLUGIN_DESCRIPTION("Connection size analyzer"); + BRO_PLUGIN_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/conn-size/events.bif b/src/analyzer/protocols/conn-size/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/dce-rpc/CMakeLists.txt b/src/analyzer/protocols/dce-rpc/CMakeLists.txt new file mode 100644 index 0000000000..61e6170640 --- /dev/null +++ b/src/analyzer/protocols/dce-rpc/CMakeLists.txt 
@@ -0,0 +1,11 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(DCE_RPC) +bro_plugin_cc(DCE_RPC.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(dce_rpc.pac dce_rpc-protocol.pac dce_rpc-analyzer.pac) +bro_plugin_pac(dce_rpc_simple.pac dce_rpc-protocol.pac epmapper.pac) +bro_plugin_end() diff --git a/src/DCE_RPC.cc b/src/analyzer/protocols/dce-rpc/DCE_RPC.cc similarity index 100% rename from src/DCE_RPC.cc rename to src/analyzer/protocols/dce-rpc/DCE_RPC.cc diff --git a/src/DCE_RPC.h b/src/analyzer/protocols/dce-rpc/DCE_RPC.h similarity index 99% rename from src/DCE_RPC.h rename to src/analyzer/protocols/dce-rpc/DCE_RPC.h index 61de358dbd..7ad3cd1e13 100644 --- a/src/DCE_RPC.h +++ b/src/analyzer/protocols/dce-rpc/DCE_RPC.h @@ -7,7 +7,7 @@ // Windows systems) and shouldn't be considered as stable. #include "NetVar.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "IPAddr.h" #include "dce_rpc_simple_pac.h" diff --git a/src/analyzer/protocols/dce-rpc/Plugin.cc b/src/analyzer/protocols/dce-rpc/Plugin.cc new file mode 100644 index 0000000000..b818806076 --- /dev/null +++ b/src/analyzer/protocols/dce-rpc/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "DCE_RPC.h" + +BRO_PLUGIN_BEGIN(DCE_RPC) + BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer"); + BRO_PLUGIN_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/dce_rpc-analyzer.pac b/src/analyzer/protocols/dce-rpc/dce_rpc-analyzer.pac similarity index 100% rename from src/dce_rpc-analyzer.pac rename to src/analyzer/protocols/dce-rpc/dce_rpc-analyzer.pac diff --git a/src/dce_rpc-protocol.pac b/src/analyzer/protocols/dce-rpc/dce_rpc-protocol.pac similarity index 100% rename from src/dce_rpc-protocol.pac rename to src/analyzer/protocols/dce-rpc/dce_rpc-protocol.pac 
diff --git a/src/dce_rpc.pac b/src/analyzer/protocols/dce-rpc/dce_rpc.pac similarity index 100% rename from src/dce_rpc.pac rename to src/analyzer/protocols/dce-rpc/dce_rpc.pac diff --git a/src/dce_rpc_simple.pac b/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac similarity index 100% rename from src/dce_rpc_simple.pac rename to src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac diff --git a/src/epmapper.pac b/src/analyzer/protocols/dce-rpc/epmapper.pac similarity index 100% rename from src/epmapper.pac rename to src/analyzer/protocols/dce-rpc/epmapper.pac diff --git a/src/analyzer/protocols/dce-rpc/events.bif b/src/analyzer/protocols/dce-rpc/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/dhcp/CMakeLists.txt b/src/analyzer/protocols/dhcp/CMakeLists.txt new file mode 100644 index 0000000000..f4552b666a --- /dev/null +++ b/src/analyzer/protocols/dhcp/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(DHCP) +bro_plugin_cc(DHCP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac) +bro_plugin_end() diff --git a/src/DHCP-binpac.cc b/src/analyzer/protocols/dhcp/DHCP.cc similarity index 54% rename from src/DHCP-binpac.cc rename to src/analyzer/protocols/dhcp/DHCP.cc index d2847966ae..a590db19ca 100644 --- a/src/DHCP-binpac.cc +++ b/src/analyzer/protocols/dhcp/DHCP.cc 
@@ -1,22 +1,23 @@ -#include "DHCP-binpac.h" -DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn) +#include "DHCP.h" + +DHCP_Analyzer::DHCP_Analyzer(Connection* conn) : Analyzer("DHCP", conn) { interp = new binpac::DHCP::DHCP_Conn(this); } -DHCP_Analyzer_binpac::~DHCP_Analyzer_binpac() +DHCP_Analyzer::~DHCP_Analyzer() { delete interp; } -void DHCP_Analyzer_binpac::Done() +void DHCP_Analyzer::Done() { Analyzer::Done(); } -void DHCP_Analyzer_binpac::DeliverPacket(int len, const u_char* data, +void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); diff --git a/src/DHCP-binpac.h b/src/analyzer/protocols/dhcp/DHCP.h similarity index 63% rename from src/DHCP-binpac.h rename to src/analyzer/protocols/dhcp/DHCP.h index 4b59ac15b2..5c12e52cc5 100644 --- a/src/DHCP-binpac.h +++ b/src/analyzer/protocols/dhcp/DHCP.h @@ -1,22 +1,21 @@ #ifndef dhcp_binpac_h #define dhcp_binpac_h -#include "UDP.h" +#include "analyzer/protocols/udp/UDP.h" #include "dhcp_pac.h" - -class DHCP_Analyzer_binpac : public analyzer::Analyzer { +class DHCP_Analyzer : public analyzer::Analyzer { public: - DHCP_Analyzer_binpac(Connection* conn); - virtual ~DHCP_Analyzer_binpac(); + DHCP_Analyzer(Connection* conn); + virtual ~DHCP_Analyzer(); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new DHCP_Analyzer_binpac(conn); } + { return new DHCP_Analyzer(conn); } protected: binpac::DHCP::DHCP_Conn* interp; diff --git a/src/analyzer/protocols/dhcp/Plugin.cc b/src/analyzer/protocols/dhcp/Plugin.cc new file mode 100644 index 0000000000..32225d5bec --- /dev/null +++ b/src/analyzer/protocols/dhcp/Plugin.cc 
@@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "DHCP.h" + +BRO_PLUGIN_BEGIN(DHCP) + BRO_PLUGIN_DESCRIPTION("DHCP Analyzer"); + BRO_PLUGIN_ANALYZER("DHCP", DHCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/dhcp-analyzer.pac b/src/analyzer/protocols/dhcp/dhcp-analyzer.pac similarity index 100% rename from src/dhcp-analyzer.pac rename to src/analyzer/protocols/dhcp/dhcp-analyzer.pac diff --git a/src/dhcp-protocol.pac b/src/analyzer/protocols/dhcp/dhcp-protocol.pac similarity index 100% rename from src/dhcp-protocol.pac rename to src/analyzer/protocols/dhcp/dhcp-protocol.pac diff --git a/src/dhcp.pac b/src/analyzer/protocols/dhcp/dhcp.pac similarity index 100% rename from src/dhcp.pac rename to src/analyzer/protocols/dhcp/dhcp.pac diff --git a/src/analyzer/protocols/dhcp/events.bif b/src/analyzer/protocols/dhcp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/dns/CMakeLists.txt b/src/analyzer/protocols/dns/CMakeLists.txt new file mode 100644 index 0000000000..38a4cedd03 --- /dev/null +++ b/src/analyzer/protocols/dns/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(DNS) +bro_plugin_cc(DNS.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/DNS.cc b/src/analyzer/protocols/dns/DNS.cc similarity index 100% rename from src/DNS.cc rename to src/analyzer/protocols/dns/DNS.cc diff --git a/src/DNS.h b/src/analyzer/protocols/dns/DNS.h similarity index 99% rename from src/DNS.h rename to src/analyzer/protocols/dns/DNS.h index 7a342dc757..ca87f862c0 100644 --- a/src/DNS.h +++ b/src/analyzer/protocols/dns/DNS.h @@ -3,7 +3,7 @@ #ifndef dns_h #define dns_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "binpac_bro.h" typedef enum { 
diff --git a/src/analyzer/protocols/dns/Plugin.cc b/src/analyzer/protocols/dns/Plugin.cc new file mode 100644 index 0000000000..6bd4415f0e --- /dev/null +++ b/src/analyzer/protocols/dns/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "DNS.h" + +BRO_PLUGIN_BEGIN(DNS) + BRO_PLUGIN_DESCRIPTION("DNS Analyzer"); + BRO_PLUGIN_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/dns/events.bif b/src/analyzer/protocols/dns/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/file/CMakeLists.txt b/src/analyzer/protocols/file/CMakeLists.txt new file mode 100644 index 0000000000..924aadd406 --- /dev/null +++ b/src/analyzer/protocols/file/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(File) +bro_plugin_cc(File.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/FileAnalyzer.cc b/src/analyzer/protocols/file/File.cc similarity index 98% rename from src/FileAnalyzer.cc rename to src/analyzer/protocols/file/File.cc index 9663d51260..664e0a8c4c 100644 --- a/src/FileAnalyzer.cc +++ b/src/analyzer/protocols/file/File.cc @@ -1,6 +1,6 @@ #include -#include "FileAnalyzer.h" +#include "File.h" #include "Reporter.h" #include "util.h" diff --git a/src/FileAnalyzer.h b/src/analyzer/protocols/file/File.h similarity index 93% rename from src/FileAnalyzer.h rename to src/analyzer/protocols/file/File.h index 1d2a956ef2..ae55a34885 100644 --- a/src/FileAnalyzer.h +++ b/src/analyzer/protocols/file/File.h @@ -3,7 +3,7 @@ #ifndef FILEANALYZER_H #define FILEANALYZER_H -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include diff --git a/src/analyzer/protocols/file/Plugin.cc b/src/analyzer/protocols/file/Plugin.cc new file mode 100644 index 0000000000..a5868e0d7e 
--- /dev/null +++ b/src/analyzer/protocols/file/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "./File.h" + +BRO_PLUGIN_BEGIN(File) + BRO_PLUGIN_DESCRIPTION("Generic File Analyzer"); + BRO_PLUGIN_ANALYZER("File", File_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/file/events.bif b/src/analyzer/protocols/file/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/finger/CMakeLists.txt b/src/analyzer/protocols/finger/CMakeLists.txt new file mode 100644 index 0000000000..f51f892390 --- /dev/null +++ b/src/analyzer/protocols/finger/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Finger) +bro_plugin_cc(Finger.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/Finger.cc b/src/analyzer/protocols/finger/Finger.cc similarity index 97% rename from src/Finger.cc rename to src/analyzer/protocols/finger/Finger.cc index 35809194d4..cdebed9bb9 100644 --- a/src/Finger.cc +++ b/src/analyzer/protocols/finger/Finger.cc @@ -7,7 +7,7 @@ #include "NetVar.h" #include "Finger.h" #include "Event.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" Finger_Analyzer::Finger_Analyzer(Connection* conn) : TCP_ApplicationAnalyzer("FINGER", conn) diff --git a/src/Finger.h b/src/analyzer/protocols/finger/Finger.h similarity index 93% rename from src/Finger.h rename to src/analyzer/protocols/finger/Finger.h index 0be0c0eb19..f069daa8c7 100644 --- a/src/Finger.h +++ b/src/analyzer/protocols/finger/Finger.h @@ -3,7 +3,7 @@ #ifndef finger_h #define finger_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" class ContentLine_Analyzer; diff --git a/src/analyzer/protocols/finger/Plugin.cc b/src/analyzer/protocols/finger/Plugin.cc new file mode 100644 index 0000000000..98fd1f5985 --- /dev/null 
+++ b/src/analyzer/protocols/finger/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "Finger.h" + +BRO_PLUGIN_BEGIN(Finger) + BRO_PLUGIN_DESCRIPTION("Finger Analyzer"); + BRO_PLUGIN_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/finger/events.bif b/src/analyzer/protocols/finger/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/ftp/CMakeLists.txt b/src/analyzer/protocols/ftp/CMakeLists.txt new file mode 100644 index 0000000000..b8b2e1bb3e --- /dev/null +++ b/src/analyzer/protocols/ftp/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(FTP) +bro_plugin_cc(FTP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/FTP.cc b/src/analyzer/protocols/ftp/FTP.cc similarity index 99% rename from src/FTP.cc rename to src/analyzer/protocols/ftp/FTP.cc index a0cc25292c..b371099c01 100644 --- a/src/FTP.cc +++ b/src/analyzer/protocols/ftp/FTP.cc @@ -6,10 +6,10 @@ #include "NetVar.h" #include "FTP.h" -#include "NVT.h" #include "Event.h" #include "Base64.h" #include "analyzer/Manager.h" +#include "analyzer/protocols/login/NVT.h" FTP_Analyzer::FTP_Analyzer(Connection* conn) : TCP_ApplicationAnalyzer("FTP", conn) diff --git a/src/FTP.h b/src/analyzer/protocols/ftp/FTP.h similarity index 94% rename from src/FTP.h rename to src/analyzer/protocols/ftp/FTP.h index 19393fc5aa..aaecfb98f1 100644 --- a/src/FTP.h +++ b/src/analyzer/protocols/ftp/FTP.h @@ -3,8 +3,8 @@ #ifndef ftp_h #define ftp_h -#include "NVT.h" -#include "TCP.h" +#include "analyzer/protocols/login/NVT.h" +#include "analyzer/protocols/tcp/TCP.h" class FTP_Analyzer : public TCP_ApplicationAnalyzer { public: 
diff --git a/src/analyzer/protocols/ftp/Plugin.cc b/src/analyzer/protocols/ftp/Plugin.cc new file mode 100644 index 0000000000..2a250b97ee --- /dev/null +++ b/src/analyzer/protocols/ftp/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "FTP.h" + +BRO_PLUGIN_BEGIN(FTP) + BRO_PLUGIN_DESCRIPTION("FTP Analyzer"); + BRO_PLUGIN_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ftp/events.bif b/src/analyzer/protocols/ftp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/gnutella/CMakeLists.txt b/src/analyzer/protocols/gnutella/CMakeLists.txt new file mode 100644 index 0000000000..7418ab46ba --- /dev/null +++ b/src/analyzer/protocols/gnutella/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Gnutella) +bro_plugin_cc(Gnutella.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/Gnutella.cc b/src/analyzer/protocols/gnutella/Gnutella.cc similarity index 99% rename from src/Gnutella.cc rename to src/analyzer/protocols/gnutella/Gnutella.cc index 9cfab4ff1a..bf2be877c0 100644 --- a/src/Gnutella.cc +++ b/src/analyzer/protocols/gnutella/Gnutella.cc @@ -9,7 +9,7 @@ #include "NetVar.h" #include "Gnutella.h" #include "Event.h" -#include "PIA.h" +#include "analyzer/protocols/pia/PIA.h" #include "analyzer/Manager.h" GnutellaMsgState::GnutellaMsgState() diff --git a/src/Gnutella.h b/src/analyzer/protocols/gnutella/Gnutella.h similarity index 97% rename from src/Gnutella.h rename to src/analyzer/protocols/gnutella/Gnutella.h index 2dd2a2ad12..085d4fbf56 100644 --- a/src/Gnutella.h +++ b/src/analyzer/protocols/gnutella/Gnutella.h 
@@ -3,7 +3,7 @@ #ifndef gnutella_h #define gnutella_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #define ORIG_OK 0x1 #define RESP_OK 0x2 diff --git a/src/analyzer/protocols/gnutella/Plugin.cc b/src/analyzer/protocols/gnutella/Plugin.cc new file mode 100644 index 0000000000..6cc0b02771 --- /dev/null +++ b/src/analyzer/protocols/gnutella/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "Gnutella.h" + +BRO_PLUGIN_BEGIN(Gnutella) + BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer"); + BRO_PLUGIN_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/gnutella/events.bif b/src/analyzer/protocols/gnutella/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/gtpv1/CMakeLists.txt b/src/analyzer/protocols/gtpv1/CMakeLists.txt new file mode 100644 index 0000000000..e414876df5 --- /dev/null +++ b/src/analyzer/protocols/gtpv1/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(GTPV1) +bro_plugin_cc(GTPv1.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac) +bro_plugin_end() diff --git a/src/GTPv1.cc b/src/analyzer/protocols/gtpv1/GTPv1.cc similarity index 100% rename from src/GTPv1.cc rename to src/analyzer/protocols/gtpv1/GTPv1.cc diff --git a/src/GTPv1.h b/src/analyzer/protocols/gtpv1/GTPv1.h similarity index 100% rename from src/GTPv1.h rename to src/analyzer/protocols/gtpv1/GTPv1.h diff --git a/src/analyzer/protocols/gtpv1/Plugin.cc b/src/analyzer/protocols/gtpv1/Plugin.cc new file mode 100644 index 0000000000..caa9755828 --- /dev/null +++ b/src/analyzer/protocols/gtpv1/Plugin.cc 
@@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "GTPv1.h" + +BRO_PLUGIN_BEGIN(GTPV1) + BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer"); + BRO_PLUGIN_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/gtpv1/events.bif b/src/analyzer/protocols/gtpv1/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/gtpv1-analyzer.pac b/src/analyzer/protocols/gtpv1/gtpv1-analyzer.pac similarity index 100% rename from src/gtpv1-analyzer.pac rename to src/analyzer/protocols/gtpv1/gtpv1-analyzer.pac diff --git a/src/gtpv1-protocol.pac b/src/analyzer/protocols/gtpv1/gtpv1-protocol.pac similarity index 100% rename from src/gtpv1-protocol.pac rename to src/analyzer/protocols/gtpv1/gtpv1-protocol.pac diff --git a/src/gtpv1.pac b/src/analyzer/protocols/gtpv1/gtpv1.pac similarity index 100% rename from src/gtpv1.pac rename to src/analyzer/protocols/gtpv1/gtpv1.pac diff --git a/src/analyzer/protocols/http/HTTP.h b/src/analyzer/protocols/http/HTTP.h index 66cdf091bf..dae8fc1dcf 100644 --- a/src/analyzer/protocols/http/HTTP.h +++ b/src/analyzer/protocols/http/HTTP.h @@ -3,15 +3,16 @@ #ifndef http_h #define http_h -#include "TCP.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocols/zip/ZIP.h" #include "MIME.h" #include "binpac_bro.h" -#include "ZIP.h" #include "IPAddr.h" -#include "HTTP.h" #include "events.bif.h" +#include "HTTP.h" + enum CHUNKED_TRANSFER_STATE { NON_CHUNKED_TRANSFER, BEFORE_CHUNK, diff --git a/src/analyzer/protocols/icmp/CMakeLists.txt b/src/analyzer/protocols/icmp/CMakeLists.txt new file mode 100644 index 0000000000..e867bac238 --- /dev/null +++ b/src/analyzer/protocols/icmp/CMakeLists.txt 
@@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(ICMP) +bro_plugin_cc(ICMP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/ICMP.cc b/src/analyzer/protocols/icmp/ICMP.cc similarity index 100% rename from src/ICMP.cc rename to src/analyzer/protocols/icmp/ICMP.cc diff --git a/src/ICMP.h b/src/analyzer/protocols/icmp/ICMP.h similarity index 100% rename from src/ICMP.h rename to src/analyzer/protocols/icmp/ICMP.h diff --git a/src/analyzer/protocols/icmp/Plugin.cc b/src/analyzer/protocols/icmp/Plugin.cc new file mode 100644 index 0000000000..517b243e24 --- /dev/null +++ b/src/analyzer/protocols/icmp/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "ICMP.h" + +BRO_PLUGIN_BEGIN(ICMP) + BRO_PLUGIN_DESCRIPTION("ICMP Analyzer"); + BRO_PLUGIN_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/icmp/events.bif b/src/analyzer/protocols/icmp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/ident/CMakeLists.txt b/src/analyzer/protocols/ident/CMakeLists.txt new file mode 100644 index 0000000000..a8d4102a58 --- /dev/null +++ b/src/analyzer/protocols/ident/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Ident) +bro_plugin_cc(Ident.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/Ident.cc b/src/analyzer/protocols/ident/Ident.cc similarity index 100% rename from src/Ident.cc rename to src/analyzer/protocols/ident/Ident.cc diff --git a/src/Ident.h b/src/analyzer/protocols/ident/Ident.h similarity index 90% rename from src/Ident.h rename to src/analyzer/protocols/ident/Ident.h index ffc927a73c..95383429ce 100644 --- a/src/Ident.h +++ b/src/analyzer/protocols/ident/Ident.h 
@@ -3,8 +3,8 @@ #ifndef ident_h #define ident_h -#include "TCP.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/tcp/ContentLine.h" class Ident_Analyzer : public TCP_ApplicationAnalyzer { public: diff --git a/src/analyzer/protocols/ident/Plugin.cc b/src/analyzer/protocols/ident/Plugin.cc new file mode 100644 index 0000000000..2c7ea208cd --- /dev/null +++ b/src/analyzer/protocols/ident/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "Ident.h" + +BRO_PLUGIN_BEGIN(Ident) + BRO_PLUGIN_DESCRIPTION("Ident Analyzer"); + BRO_PLUGIN_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ident/events.bif b/src/analyzer/protocols/ident/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/interconn/CMakeLists.txt b/src/analyzer/protocols/interconn/CMakeLists.txt new file mode 100644 index 0000000000..6a5ae1f3fe --- /dev/null +++ b/src/analyzer/protocols/interconn/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(InterConn) +bro_plugin_cc(InterConn.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/InterConn.cc b/src/analyzer/protocols/interconn/InterConn.cc similarity index 99% rename from src/InterConn.cc rename to src/analyzer/protocols/interconn/InterConn.cc index 65e814a962..70860a6532 100644 --- a/src/InterConn.cc +++ b/src/analyzer/protocols/interconn/InterConn.cc @@ -5,7 +5,7 @@ #include "InterConn.h" #include "Event.h" #include "Net.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" InterConnEndpoint::InterConnEndpoint(TCP_Endpoint* e) { 
diff --git a/src/InterConn.h b/src/analyzer/protocols/interconn/InterConn.h similarity index 97% rename from src/InterConn.h rename to src/analyzer/protocols/interconn/InterConn.h index 741bea45ba..9ee73d2ae8 100644 --- a/src/InterConn.h +++ b/src/analyzer/protocols/interconn/InterConn.h @@ -3,7 +3,7 @@ #ifndef interconn_h #define interconn_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "Timer.h" #include "NetVar.h" diff --git a/src/analyzer/protocols/interconn/Plugin.cc b/src/analyzer/protocols/interconn/Plugin.cc new file mode 100644 index 0000000000..ba80cf52af --- /dev/null +++ b/src/analyzer/protocols/interconn/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "InterConn.h" + +BRO_PLUGIN_BEGIN(InterConn) + BRO_PLUGIN_DESCRIPTION("InterConn Analyzer (deprecated)"); + BRO_PLUGIN_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/interconn/events.bif b/src/analyzer/protocols/interconn/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/irc/CMakeLists.txt b/src/analyzer/protocols/irc/CMakeLists.txt new file mode 100644 index 0000000000..2e7ed7616b --- /dev/null +++ b/src/analyzer/protocols/irc/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(IRC) +bro_plugin_cc(IRC.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/IRC.cc b/src/analyzer/protocols/irc/IRC.cc similarity index 99% rename from src/IRC.cc rename to src/analyzer/protocols/irc/IRC.cc index e778023553..2411efbabb 100644 --- a/src/IRC.cc +++ b/src/analyzer/protocols/irc/IRC.cc 
@@ -2,10 +2,10 @@ #include #include "IRC.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" #include "NetVar.h" #include "Event.h" -#include "ZIP.h" +#include "analyzer/protocols/zip/ZIP.h" #include "analyzer/Manager.h" diff --git a/src/IRC.h b/src/analyzer/protocols/irc/IRC.h similarity index 97% rename from src/IRC.h rename to src/analyzer/protocols/irc/IRC.h index 6a78bad025..17b91f51e5 100644 --- a/src/IRC.h +++ b/src/analyzer/protocols/irc/IRC.h @@ -2,7 +2,7 @@ #ifndef irc_h #define irc_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" /** * \brief Main class for analyzing IRC traffic. diff --git a/src/analyzer/protocols/irc/Plugin.cc b/src/analyzer/protocols/irc/Plugin.cc new file mode 100644 index 0000000000..bb6ade5f1f --- /dev/null +++ b/src/analyzer/protocols/irc/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "IRC.h" + +BRO_PLUGIN_BEGIN(IRC) + BRO_PLUGIN_DESCRIPTION("IRC Analyzer"); + BRO_PLUGIN_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/irc/events.bif b/src/analyzer/protocols/irc/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/login/CMakeLists.txt b/src/analyzer/protocols/login/CMakeLists.txt new file mode 100644 index 0000000000..219c249d5e --- /dev/null +++ b/src/analyzer/protocols/login/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Login) +bro_plugin_cc(Login.cc RSH.cc Telnet.cc Rlogin.cc NVT.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/Login.cc b/src/analyzer/protocols/login/Login.cc similarity index 100% rename from src/Login.cc rename to src/analyzer/protocols/login/Login.cc 
diff --git a/src/Login.h b/src/analyzer/protocols/login/Login.h similarity index 98% rename from src/Login.h rename to src/analyzer/protocols/login/Login.h index 6337738e7d..67b6a3c094 100644 --- a/src/Login.h +++ b/src/analyzer/protocols/login/Login.h @@ -3,7 +3,7 @@ #ifndef login_h #define login_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" typedef enum { LOGIN_STATE_AUTHENTICATE, // trying to authenticate diff --git a/src/NVT.cc b/src/analyzer/protocols/login/NVT.cc similarity index 99% rename from src/NVT.cc rename to src/analyzer/protocols/login/NVT.cc index 641ad211e4..d51d562bd5 100644 --- a/src/NVT.cc +++ b/src/analyzer/protocols/login/NVT.cc @@ -7,7 +7,7 @@ #include "NVT.h" #include "NetVar.h" #include "Event.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #define IS_3_BYTE_OPTION(c) (c >= 251 && c <= 254) diff --git a/src/NVT.h b/src/analyzer/protocols/login/NVT.h similarity index 98% rename from src/NVT.h rename to src/analyzer/protocols/login/NVT.h index 61aa1ef740..da97a251f0 100644 --- a/src/NVT.h +++ b/src/analyzer/protocols/login/NVT.h @@ -3,7 +3,7 @@ #ifndef nvt_h #define nvt_h -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" #define TELNET_OPTION_BINARY 0 diff --git a/src/analyzer/protocols/login/Plugin.cc b/src/analyzer/protocols/login/Plugin.cc new file mode 100644 index 0000000000..10166783c0 --- /dev/null +++ b/src/analyzer/protocols/login/Plugin.cc 
@@ -0,0 +1,19 @@ + +#include "plugin/Plugin.h" + +#include "Login.h" +#include "Telnet.h" +#include "RSH.h" +#include "Rlogin.h" + +BRO_PLUGIN_BEGIN(Login) + BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin Analyzer"); + BRO_PLUGIN_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NVT", 0); + BRO_PLUGIN_ANALYZER("Login", 0); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh"); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rlogin"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/RSH.cc b/src/analyzer/protocols/login/RSH.cc similarity index 100% rename from src/RSH.cc rename to src/analyzer/protocols/login/RSH.cc diff --git a/src/RSH.h b/src/analyzer/protocols/login/RSH.h similarity index 96% rename from src/RSH.h rename to src/analyzer/protocols/login/RSH.h index c4eb8fb689..80cc4a6559 100644 --- a/src/RSH.h +++ b/src/analyzer/protocols/login/RSH.h @@ -4,7 +4,7 @@ #define rsh_h #include "Login.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" typedef enum { RSH_FIRST_NULL, // waiting to see first NUL diff --git a/src/Rlogin.cc b/src/analyzer/protocols/login/Rlogin.cc similarity index 100% rename from src/Rlogin.cc rename to src/analyzer/protocols/login/Rlogin.cc diff --git a/src/Rlogin.h b/src/analyzer/protocols/login/Rlogin.h similarity index 97% rename from src/Rlogin.h rename to src/analyzer/protocols/login/Rlogin.h index 5fcd209896..0ad72b1908 100644 --- a/src/Rlogin.h +++ b/src/analyzer/protocols/login/Rlogin.h @@ -4,7 +4,7 @@ #define rlogin_h #include "Login.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" typedef enum { RLOGIN_FIRST_NULL, // waiting to see first NUL diff --git a/src/Telnet.cc b/src/analyzer/protocols/login/Telnet.cc similarity index 100% rename from src/Telnet.cc rename to src/analyzer/protocols/login/Telnet.cc 
diff --git a/src/Telnet.h b/src/analyzer/protocols/login/Telnet.h similarity index 100% rename from src/Telnet.h rename to src/analyzer/protocols/login/Telnet.h diff --git a/src/analyzer/protocols/login/events.bif b/src/analyzer/protocols/login/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/modbus/CMakeLists.txt b/src/analyzer/protocols/modbus/CMakeLists.txt new file mode 100644 index 0000000000..120e352f36 --- /dev/null +++ b/src/analyzer/protocols/modbus/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Modbus) +bro_plugin_cc(Modbus.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(modbus.pac modbus-analyzer.pac modbus-protocol.pac) +bro_plugin_end() diff --git a/src/Modbus.cc b/src/analyzer/protocols/modbus/Modbus.cc similarity index 94% rename from src/Modbus.cc rename to src/analyzer/protocols/modbus/Modbus.cc index 22772daea0..841638cd0b 100644 --- a/src/Modbus.cc +++ b/src/analyzer/protocols/modbus/Modbus.cc @@ -1,6 +1,6 @@ #include "Modbus.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("MODBUS", c) diff --git a/src/Modbus.h b/src/analyzer/protocols/modbus/Modbus.h similarity index 93% rename from src/Modbus.h rename to src/analyzer/protocols/modbus/Modbus.h index b00a074ada..41b0267dc8 100644 --- a/src/Modbus.h +++ b/src/analyzer/protocols/modbus/Modbus.h @@ -1,7 +1,7 @@ #ifndef MODBUS_H #define MODBUS_H -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "modbus_pac.h" class ModbusTCP_Analyzer : public TCP_ApplicationAnalyzer { diff --git a/src/analyzer/protocols/modbus/Plugin.cc b/src/analyzer/protocols/modbus/Plugin.cc new file mode 100644 index 0000000000..9c53c8b814 --- /dev/null +++ b/src/analyzer/protocols/modbus/Plugin.cc 
@@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "Modbus.h" + +BRO_PLUGIN_BEGIN(Modbus) + BRO_PLUGIN_DESCRIPTION("Modbus Analyzer"); + BRO_PLUGIN_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/modbus/events.bif b/src/analyzer/protocols/modbus/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/modbus-analyzer.pac b/src/analyzer/protocols/modbus/modbus-analyzer.pac similarity index 100% rename from src/modbus-analyzer.pac rename to src/analyzer/protocols/modbus/modbus-analyzer.pac diff --git a/src/modbus-protocol.pac b/src/analyzer/protocols/modbus/modbus-protocol.pac similarity index 100% rename from src/modbus-protocol.pac rename to src/analyzer/protocols/modbus/modbus-protocol.pac diff --git a/src/modbus.pac b/src/analyzer/protocols/modbus/modbus.pac similarity index 100% rename from src/modbus.pac rename to src/analyzer/protocols/modbus/modbus.pac diff --git a/src/analyzer/protocols/ncp/CMakeLists.txt b/src/analyzer/protocols/ncp/CMakeLists.txt new file mode 100644 index 0000000000..021561f0aa --- /dev/null +++ b/src/analyzer/protocols/ncp/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(NCP) +bro_plugin_cc(NCP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(ncp.pac) +bro_plugin_end() diff --git a/src/NCP.cc b/src/analyzer/protocols/ncp/NCP.cc similarity index 100% rename from src/NCP.cc rename to src/analyzer/protocols/ncp/NCP.cc diff --git a/src/NCP.h b/src/analyzer/protocols/ncp/NCP.h similarity index 98% rename from src/NCP.h rename to src/analyzer/protocols/ncp/NCP.h index 4fcddfca39..ae54b7b9ee 100644 --- a/src/NCP.h +++ b/src/analyzer/protocols/ncp/NCP.h 
@@ -19,7 +19,7 @@ // http://faydoc.tripod.com/structures/21/2149.htm #include "NetVar.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "ncp_pac.h" diff --git a/src/NCP_func.def b/src/analyzer/protocols/ncp/NCP_func.def similarity index 100% rename from src/NCP_func.def rename to src/analyzer/protocols/ncp/NCP_func.def diff --git a/src/analyzer/protocols/ncp/Plugin.cc b/src/analyzer/protocols/ncp/Plugin.cc new file mode 100644 index 0000000000..bc52a2c065 --- /dev/null +++ b/src/analyzer/protocols/ncp/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "NCP.h" + +BRO_PLUGIN_BEGIN(NCP) + BRO_PLUGIN_DESCRIPTION("NCP Analyzer"); + BRO_PLUGIN_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NCP"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ncp/events.bif b/src/analyzer/protocols/ncp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/ncp.pac b/src/analyzer/protocols/ncp/ncp.pac similarity index 100% rename from src/ncp.pac rename to src/analyzer/protocols/ncp/ncp.pac diff --git a/src/analyzer/protocols/netbios-ssn/CMakeLists.txt b/src/analyzer/protocols/netbios-ssn/CMakeLists.txt new file mode 100644 index 0000000000..8292c11546 --- /dev/null +++ b/src/analyzer/protocols/netbios-ssn/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(NetbiosSSN) +bro_plugin_cc(NetbiosSSN.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/NetbiosSSN.cc b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc similarity index 100% rename from src/NetbiosSSN.cc rename to src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc 
diff --git a/src/NetbiosSSN.h b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h similarity index 97% rename from src/NetbiosSSN.h rename to src/analyzer/protocols/netbios-ssn/NetbiosSSN.h index 8d2cc92089..9830d192ad 100644 --- a/src/NetbiosSSN.h +++ b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h @@ -3,9 +3,9 @@ #ifndef netbios_ssn_h #define netbios_ssn_h -#include "UDP.h" -#include "TCP.h" -#include "SMB.h" +#include "analyzer/protocols/udp/UDP.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/smb/SMB.h" typedef enum { NETBIOS_SSN_MSG = 0x0, diff --git a/src/analyzer/protocols/netbios-ssn/Plugin.cc b/src/analyzer/protocols/netbios-ssn/Plugin.cc new file mode 100644 index 0000000000..b14c3a9d8f --- /dev/null +++ b/src/analyzer/protocols/netbios-ssn/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "NetbiosSSN.h" + +BRO_PLUGIN_BEGIN(NetbiosSSN) + BRO_PLUGIN_DESCRIPTION("NetbiosSSN Analyzer"); + BRO_PLUGIN_ANALYZER("NetbiosSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/netbios-ssn/events.bif b/src/analyzer/protocols/netbios-ssn/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/ntp/CMakeLists.txt b/src/analyzer/protocols/ntp/CMakeLists.txt new file mode 100644 index 0000000000..b16c1edee9 --- /dev/null +++ b/src/analyzer/protocols/ntp/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(NTP) +bro_plugin_cc(NTP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/NTP.cc b/src/analyzer/protocols/ntp/NTP.cc similarity index 100% rename from src/NTP.cc rename to src/analyzer/protocols/ntp/NTP.cc 
diff --git a/src/NTP.h b/src/analyzer/protocols/ntp/NTP.h similarity index 97% rename from src/NTP.h rename to src/analyzer/protocols/ntp/NTP.h index 9dc5dc6af9..d161b4795d 100644 --- a/src/NTP.h +++ b/src/analyzer/protocols/ntp/NTP.h @@ -3,7 +3,7 @@ #ifndef ntp_h #define ntp_h -#include "UDP.h" +#include "analyzer/protocols/udp/UDP.h" // The following are from the tcpdump distribution, credited there diff --git a/src/analyzer/protocols/ntp/Plugin.cc b/src/analyzer/protocols/ntp/Plugin.cc new file mode 100644 index 0000000000..f2a0e487c9 --- /dev/null +++ b/src/analyzer/protocols/ntp/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "NTP.h" + +BRO_PLUGIN_BEGIN(NTP) + BRO_PLUGIN_DESCRIPTION("NTP Analyzer"); + BRO_PLUGIN_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ntp/events.bif b/src/analyzer/protocols/ntp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/pia/CMakeLists.txt b/src/analyzer/protocols/pia/CMakeLists.txt new file mode 100644 index 0000000000..8c55deca09 --- /dev/null +++ b/src/analyzer/protocols/pia/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(PIA) +bro_plugin_cc(PIA.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/PIA.cc b/src/analyzer/protocols/pia/PIA.cc similarity index 99% rename from src/PIA.cc rename to src/analyzer/protocols/pia/PIA.cc index 2e4cf06e86..eb21fc7331 100644 --- a/src/PIA.cc +++ b/src/analyzer/protocols/pia/PIA.cc @@ -1,6 +1,6 @@ #include "PIA.h" #include "RuleMatcher.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" PIA::PIA(analyzer::Analyzer* arg_as_analyzer) { 
diff --git a/src/PIA.h b/src/analyzer/protocols/pia/PIA.h similarity index 99% rename from src/PIA.h rename to src/analyzer/protocols/pia/PIA.h index 920bd9c976..a91a516165 100644 --- a/src/PIA.h +++ b/src/analyzer/protocols/pia/PIA.h @@ -4,7 +4,7 @@ #define PIA_H #include "analyzer/Analyzer.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" class RuleEndpointState; diff --git a/src/analyzer/protocols/pia/Plugin.cc b/src/analyzer/protocols/pia/Plugin.cc new file mode 100644 index 0000000000..a62e757164 --- /dev/null +++ b/src/analyzer/protocols/pia/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "PIA.h" + +BRO_PLUGIN_BEGIN(PIA) + BRO_PLUGIN_DESCRIPTION("Protocol Identificatin Analyzers"); + BRO_PLUGIN_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/pia/events.bif b/src/analyzer/protocols/pia/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/pop3/CMakeLists.txt b/src/analyzer/protocols/pop3/CMakeLists.txt new file mode 100644 index 0000000000..5af5a7f624 --- /dev/null +++ b/src/analyzer/protocols/pop3/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(POP3) +bro_plugin_cc(POP3.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/POP3.cc b/src/analyzer/protocols/pop3/POP3.cc similarity index 99% rename from src/POP3.cc rename to src/analyzer/protocols/pop3/POP3.cc index 697dc0434e..6b4fda8169 100644 --- a/src/POP3.cc +++ b/src/analyzer/protocols/pop3/POP3.cc @@ -12,8 +12,8 @@ #include "NetVar.h" #include "POP3.h" #include "Event.h" -#include "NVT.h" #include "Reporter.h" +#include "analyzer/protocols/login/NVT.h" #undef POP3_CMD_DEF #define POP3_CMD_DEF(cmd) #cmd, 
diff --git a/src/POP3.h b/src/analyzer/protocols/pop3/POP3.h similarity index 95% rename from src/POP3.h rename to src/analyzer/protocols/pop3/POP3.h index 5c10865ba3..10dbe9d085 100644 --- a/src/POP3.h +++ b/src/analyzer/protocols/pop3/POP3.h @@ -9,8 +9,8 @@ #include #include -#include "NVT.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/login/NVT.h" #include "MIME.h" diff --git a/src/POP3_cmd.def b/src/analyzer/protocols/pop3/POP3_cmd.def similarity index 100% rename from src/POP3_cmd.def rename to src/analyzer/protocols/pop3/POP3_cmd.def diff --git a/src/analyzer/protocols/pop3/Plugin.cc b/src/analyzer/protocols/pop3/Plugin.cc new file mode 100644 index 0000000000..5f56ade93a --- /dev/null +++ b/src/analyzer/protocols/pop3/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "POP3.h" + +BRO_PLUGIN_BEGIN(POP3) + BRO_PLUGIN_DESCRIPTION("POP3 Analyzer"); + BRO_PLUGIN_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/pop3/events.bif b/src/analyzer/protocols/pop3/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/rpc/CMakeLists.txt b/src/analyzer/protocols/rpc/CMakeLists.txt new file mode 100644 index 0000000000..edf6371dd1 --- /dev/null +++ b/src/analyzer/protocols/rpc/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(RPC) +bro_plugin_cc(RPC.cc NFS.cc Portmap.cc XDR.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/NFS.cc b/src/analyzer/protocols/rpc/NFS.cc similarity index 100% rename from src/NFS.cc rename to src/analyzer/protocols/rpc/NFS.cc diff --git a/src/NFS.h b/src/analyzer/protocols/rpc/NFS.h similarity index 100% rename from src/NFS.h rename to src/analyzer/protocols/rpc/NFS.h 
diff --git a/src/analyzer/protocols/rpc/Plugin.cc b/src/analyzer/protocols/rpc/Plugin.cc new file mode 100644 index 0000000000..25c958859b --- /dev/null +++ b/src/analyzer/protocols/rpc/Plugin.cc @@ -0,0 +1,15 @@ + +#include "plugin/Plugin.h" + +#include "RPC.h" +#include "NFS.h" +#include "Portmap.h" + +BRO_PLUGIN_BEGIN(RPC) + BRO_PLUGIN_DESCRIPTION("Analyzers for RPC-based protocols"); + BRO_PLUGIN_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_RPC"); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NFS"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/Portmap.cc b/src/analyzer/protocols/rpc/Portmap.cc similarity index 100% rename from src/Portmap.cc rename to src/analyzer/protocols/rpc/Portmap.cc diff --git a/src/Portmap.h b/src/analyzer/protocols/rpc/Portmap.h similarity index 100% rename from src/Portmap.h rename to src/analyzer/protocols/rpc/Portmap.h diff --git a/src/RPC.cc b/src/analyzer/protocols/rpc/RPC.cc similarity index 100% rename from src/RPC.cc rename to src/analyzer/protocols/rpc/RPC.cc diff --git a/src/RPC.h b/src/analyzer/protocols/rpc/RPC.h similarity index 98% rename from src/RPC.h rename to src/analyzer/protocols/rpc/RPC.h index 960b9c744a..da39e9f220 100644 --- a/src/RPC.h +++ b/src/analyzer/protocols/rpc/RPC.h @@ -3,8 +3,8 @@ #ifndef rpc_h #define rpc_h -#include "TCP.h" -#include "UDP.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/udp/UDP.h" enum { RPC_CALL = 0, diff --git a/src/XDR.cc b/src/analyzer/protocols/rpc/XDR.cc similarity index 100% rename from src/XDR.cc rename to src/analyzer/protocols/rpc/XDR.cc diff --git a/src/XDR.h b/src/analyzer/protocols/rpc/XDR.h similarity index 100% rename from src/XDR.h rename to src/analyzer/protocols/rpc/XDR.h 
diff --git a/src/analyzer/protocols/rpc/events.bif b/src/analyzer/protocols/rpc/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/smb/CMakeLists.txt b/src/analyzer/protocols/smb/CMakeLists.txt new file mode 100644 index 0000000000..30338d91f5 --- /dev/null +++ b/src/analyzer/protocols/smb/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SMB) +bro_plugin_cc(SMB.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac) +bro_plugin_end() diff --git a/src/analyzer/protocols/smb/Plugin.cc b/src/analyzer/protocols/smb/Plugin.cc new file mode 100644 index 0000000000..543638faf4 --- /dev/null +++ b/src/analyzer/protocols/smb/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "SMB.h" + +BRO_PLUGIN_BEGIN(SMB) + BRO_PLUGIN_DESCRIPTION("SMB Analyzer"); + BRO_PLUGIN_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_SMB"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/SMB.cc b/src/analyzer/protocols/smb/SMB.cc similarity index 100% rename from src/SMB.cc rename to src/analyzer/protocols/smb/SMB.cc diff --git a/src/SMB.h b/src/analyzer/protocols/smb/SMB.h similarity index 98% rename from src/SMB.h rename to src/analyzer/protocols/smb/SMB.h index 7e7f1cea1d..83f3811010 100644 --- a/src/SMB.h +++ b/src/analyzer/protocols/smb/SMB.h @@ -6,8 +6,8 @@ // SMB (CIFS) analyzer. // Reference: http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf -#include "TCP.h" -#include "DCE_RPC.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/dce-rpc/DCE_RPC.h" #include "smb_pac.h" enum IPC_named_pipe { diff --git a/src/SMB_COM.def b/src/analyzer/protocols/smb/SMB_COM.def similarity index 100% rename from src/SMB_COM.def rename to src/analyzer/protocols/smb/SMB_COM.def 
diff --git a/src/analyzer/protocols/smb/events.bif b/src/analyzer/protocols/smb/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/smb-mailslot.pac b/src/analyzer/protocols/smb/smb-mailslot.pac similarity index 100% rename from src/smb-mailslot.pac rename to src/analyzer/protocols/smb/smb-mailslot.pac diff --git a/src/smb-pipe.pac b/src/analyzer/protocols/smb/smb-pipe.pac similarity index 100% rename from src/smb-pipe.pac rename to src/analyzer/protocols/smb/smb-pipe.pac diff --git a/src/smb-protocol.pac b/src/analyzer/protocols/smb/smb-protocol.pac similarity index 100% rename from src/smb-protocol.pac rename to src/analyzer/protocols/smb/smb-protocol.pac diff --git a/src/smb.pac b/src/analyzer/protocols/smb/smb.pac similarity index 100% rename from src/smb.pac rename to src/analyzer/protocols/smb/smb.pac diff --git a/src/analyzer/protocols/smtp/CMakeLists.txt b/src/analyzer/protocols/smtp/CMakeLists.txt new file mode 100644 index 0000000000..53f9dd1246 --- /dev/null +++ b/src/analyzer/protocols/smtp/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SMTP) +bro_plugin_cc(SMTP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocols/smtp/Plugin.cc b/src/analyzer/protocols/smtp/Plugin.cc new file mode 100644 index 0000000000..6b9f7a0aeb --- /dev/null +++ b/src/analyzer/protocols/smtp/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "SMTP.h" + +BRO_PLUGIN_BEGIN(SMTP) + BRO_PLUGIN_DESCRIPTION("SMTP Analyzer"); + BRO_PLUGIN_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/SMTP.cc b/src/analyzer/protocols/smtp/SMTP.cc similarity index 99% rename from src/SMTP.cc rename to src/analyzer/protocols/smtp/SMTP.cc index 16be4480dc..c674c120ec 100644 --- a/src/SMTP.cc +++ b/src/analyzer/protocols/smtp/SMTP.cc 
@@ -7,8 +7,8 @@ #include "NetVar.h" #include "SMTP.h" #include "Event.h" -#include "ContentLine.h" #include "Reporter.h" +#include "analyzer/protocols/tcp/ContentLine.h" #undef SMTP_CMD_DEF #define SMTP_CMD_DEF(cmd) #cmd, diff --git a/src/SMTP.h b/src/analyzer/protocols/smtp/SMTP.h similarity index 98% rename from src/SMTP.h rename to src/analyzer/protocols/smtp/SMTP.h index d4b7dd63a6..d525fb11af 100644 --- a/src/SMTP.h +++ b/src/analyzer/protocols/smtp/SMTP.h @@ -6,7 +6,7 @@ #include using namespace std; -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "MIME.h" diff --git a/src/SMTP_cmd.def b/src/analyzer/protocols/smtp/SMTP_cmd.def similarity index 100% rename from src/SMTP_cmd.def rename to src/analyzer/protocols/smtp/SMTP_cmd.def diff --git a/src/analyzer/protocols/smtp/events.bif b/src/analyzer/protocols/smtp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/socks/CMakeLists.txt b/src/analyzer/protocols/socks/CMakeLists.txt new file mode 100644 index 0000000000..451dfd53f4 --- /dev/null +++ b/src/analyzer/protocols/socks/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SOCKS) +bro_plugin_cc(SOCKS.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(socks.pac socks-protocol.pac socks-analyzer.pac) +bro_plugin_end() diff --git a/src/analyzer/protocols/socks/Plugin.cc b/src/analyzer/protocols/socks/Plugin.cc new file mode 100644 index 0000000000..080a8329de --- /dev/null +++ b/src/analyzer/protocols/socks/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "SOCKS.h" + +BRO_PLUGIN_BEGIN(SOCKS) + BRO_PLUGIN_DESCRIPTION("SOCKS Analyzer"); + BRO_PLUGIN_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END 
diff --git a/src/SOCKS.cc b/src/analyzer/protocols/socks/SOCKS.cc similarity index 96% rename from src/SOCKS.cc rename to src/analyzer/protocols/socks/SOCKS.cc index 0157c19cd7..25ebf9796e 100644 --- a/src/SOCKS.cc +++ b/src/analyzer/protocols/socks/SOCKS.cc @@ -1,6 +1,6 @@ #include "SOCKS.h" #include "socks_pac.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn) : TCP_ApplicationAnalyzer("SOCKS", conn) diff --git a/src/SOCKS.h b/src/analyzer/protocols/socks/SOCKS.h similarity index 89% rename from src/SOCKS.h rename to src/analyzer/protocols/socks/SOCKS.h index 767d0a1eb7..8abdfe3a3f 100644 --- a/src/SOCKS.h +++ b/src/analyzer/protocols/socks/SOCKS.h @@ -3,8 +3,8 @@ // SOCKS v4 analyzer. -#include "TCP.h" -#include "PIA.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/pia/PIA.h" namespace binpac { namespace SOCKS { diff --git a/src/analyzer/protocols/socks/events.bif b/src/analyzer/protocols/socks/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/socks-analyzer.pac b/src/analyzer/protocols/socks/socks-analyzer.pac similarity index 100% rename from src/socks-analyzer.pac rename to src/analyzer/protocols/socks/socks-analyzer.pac diff --git a/src/socks-protocol.pac b/src/analyzer/protocols/socks/socks-protocol.pac similarity index 100% rename from src/socks-protocol.pac rename to src/analyzer/protocols/socks/socks-protocol.pac diff --git a/src/socks.pac b/src/analyzer/protocols/socks/socks.pac similarity index 100% rename from src/socks.pac rename to src/analyzer/protocols/socks/socks.pac diff --git a/src/analyzer/protocols/ssh/CMakeLists.txt b/src/analyzer/protocols/ssh/CMakeLists.txt new file mode 100644 index 0000000000..659e3207ab --- /dev/null +++ b/src/analyzer/protocols/ssh/CMakeLists.txt 
@@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SSH) +bro_plugin_cc(SSH.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocols/ssh/Plugin.cc b/src/analyzer/protocols/ssh/Plugin.cc new file mode 100644 index 0000000000..76603220d3 --- /dev/null +++ b/src/analyzer/protocols/ssh/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "SSH.h" + +BRO_PLUGIN_BEGIN(SSH) + BRO_PLUGIN_DESCRIPTION("SSH Analyzer"); + BRO_PLUGIN_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/SSH.cc b/src/analyzer/protocols/ssh/SSH.cc similarity index 97% rename from src/SSH.cc rename to src/analyzer/protocols/ssh/SSH.cc index 0bb710ac2f..3b89422d5a 100644 --- a/src/SSH.cc +++ b/src/analyzer/protocols/ssh/SSH.cc @@ -7,7 +7,7 @@ #include "NetVar.h" #include "SSH.h" #include "Event.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" SSH_Analyzer::SSH_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("SSH", c) diff --git a/src/SSH.h b/src/analyzer/protocols/ssh/SSH.h similarity index 83% rename from src/SSH.h rename to src/analyzer/protocols/ssh/SSH.h index a6a2f4e154..d3cda5f2f5 100644 --- a/src/SSH.h +++ b/src/analyzer/protocols/ssh/SSH.h @@ -3,8 +3,8 @@ #ifndef ssh_h #define ssh_h -#include "TCP.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/tcp/ContentLine.h" class SSH_Analyzer : public TCP_ApplicationAnalyzer { public: diff --git a/src/analyzer/protocols/ssh/events.bif b/src/analyzer/protocols/ssh/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/ssl/SSL.cc b/src/analyzer/protocols/ssl/SSL.cc index da3e1e55f3..deec34e5d9 100644 --- a/src/analyzer/protocols/ssl/SSL.cc +++ b/src/analyzer/protocols/ssl/SSL.cc 
@@ -1,6 +1,6 @@ #include "SSL.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" #include "Reporter.h" #include "util.h" diff --git a/src/analyzer/protocols/ssl/SSL.h b/src/analyzer/protocols/ssl/SSL.h index cf6269a6e4..1d451a40ef 100644 --- a/src/analyzer/protocols/ssl/SSL.h +++ b/src/analyzer/protocols/ssl/SSL.h @@ -3,7 +3,7 @@ #include "events.bif.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "ssl_pac.h" class SSL_Analyzer : public TCP_ApplicationAnalyzer { diff --git a/src/analyzer/protocols/stepping-stone/CMakeLists.txt b/src/analyzer/protocols/stepping-stone/CMakeLists.txt new file mode 100644 index 0000000000..4de6210027 --- /dev/null +++ b/src/analyzer/protocols/stepping-stone/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SteppingStone) +bro_plugin_cc(SteppingStone.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocols/stepping-stone/Plugin.cc b/src/analyzer/protocols/stepping-stone/Plugin.cc new file mode 100644 index 0000000000..18bfa41063 --- /dev/null +++ b/src/analyzer/protocols/stepping-stone/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "SteppingStone.h" + +BRO_PLUGIN_BEGIN(SteppingStone) + BRO_PLUGIN_DESCRIPTION("SteppingStone Analyzer (deprecated)"); + BRO_PLUGIN_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/SteppingStone.cc b/src/analyzer/protocols/stepping-stone/SteppingStone.cc similarity index 99% rename from src/SteppingStone.cc rename to src/analyzer/protocols/stepping-stone/SteppingStone.cc index 1809b4abef..f2f4561de6 100644 --- a/src/SteppingStone.cc +++ b/src/analyzer/protocols/stepping-stone/SteppingStone.cc 
@@ -7,7 +7,7 @@ #include "Event.h" #include "Net.h" #include "NetVar.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "SteppingStone.h" #include "util.h" diff --git a/src/SteppingStone.h b/src/analyzer/protocols/stepping-stone/SteppingStone.h similarity index 98% rename from src/SteppingStone.h rename to src/analyzer/protocols/stepping-stone/SteppingStone.h index 4ec4dbc2e1..cbf22e7715 100644 --- a/src/SteppingStone.h +++ b/src/analyzer/protocols/stepping-stone/SteppingStone.h @@ -4,7 +4,7 @@ #define steppingstone_h #include "Queue.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" class NetSessions; diff --git a/src/analyzer/protocols/stepping-stone/events.bif b/src/analyzer/protocols/stepping-stone/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/syslog/Syslog.cc b/src/analyzer/protocols/syslog/Syslog.cc index 137cecbd18..94ca996cce 100644 --- a/src/analyzer/protocols/syslog/Syslog.cc +++ b/src/analyzer/protocols/syslog/Syslog.cc @@ -1,6 +1,6 @@ #include "Syslog.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" Syslog_Analyzer::Syslog_Analyzer(Connection* conn) : Analyzer("SYSLOG", conn) diff --git a/src/analyzer/protocols/syslog/Syslog.h b/src/analyzer/protocols/syslog/Syslog.h index 2a96bd8ae6..32b7b3439a 100644 --- a/src/analyzer/protocols/syslog/Syslog.h +++ b/src/analyzer/protocols/syslog/Syslog.h @@ -2,8 +2,8 @@ #ifndef Syslog_h #define Syslog_h -#include "UDP.h" -#include "TCP.h" +#include "analyzer/protocols/udp/UDP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "syslog_pac.h" diff --git a/src/analyzer/protocols/tcp/CMakeLists.txt b/src/analyzer/protocols/tcp/CMakeLists.txt new file mode 100644 index 0000000000..b8cf0e2bf4 --- /dev/null +++ b/src/analyzer/protocols/tcp/CMakeLists.txt 
@@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(TCP) +bro_plugin_cc(TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc ContentLine.cc Stats.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/ContentLine.cc b/src/analyzer/protocols/tcp/ContentLine.cc similarity index 99% rename from src/ContentLine.cc rename to src/analyzer/protocols/tcp/ContentLine.cc index 2a79272cbd..bcfca4ecc6 100644 --- a/src/ContentLine.cc +++ b/src/analyzer/protocols/tcp/ContentLine.cc @@ -1,7 +1,7 @@ #include #include "ContentLine.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig) : TCP_SupportAnalyzer("CONTENTLINE", conn, orig) diff --git a/src/ContentLine.h b/src/analyzer/protocols/tcp/ContentLine.h similarity index 98% rename from src/ContentLine.h rename to src/analyzer/protocols/tcp/ContentLine.h index 849f457075..e83251d43d 100644 --- a/src/ContentLine.h +++ b/src/analyzer/protocols/tcp/ContentLine.h @@ -3,7 +3,7 @@ #ifndef CONTENTLINE_H #define CONTENTLINE_H -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #define CR_as_EOL 1 #define LF_as_EOL 2 diff --git a/src/analyzer/protocols/tcp/Plugin.cc b/src/analyzer/protocols/tcp/Plugin.cc new file mode 100644 index 0000000000..d76789bf30 --- /dev/null +++ b/src/analyzer/protocols/tcp/Plugin.cc @@ -0,0 +1,13 @@ + +#include "plugin/Plugin.h" + +#include "TCP.h" + +BRO_PLUGIN_BEGIN(TCP) + BRO_PLUGIN_DESCRIPTION("TCP Analyzer"); + BRO_PLUGIN_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("TCPStats", TCPStats_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("ContentLine"); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/tcp/Stats.cc b/src/analyzer/protocols/tcp/Stats.cc new file mode 100644 index 0000000000..6157d54537 
--- /dev/null +++ b/src/analyzer/protocols/tcp/Stats.cc @@ -0,0 +1,79 @@ + +#include "Stats.h" +#include "File.h" + +TCPStateStats::TCPStateStats() + { + for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) + for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j ) + state_cnt[i][j] = 0; + } + +void TCPStateStats::ChangeState(EndpointState o_prev, EndpointState o_now, + EndpointState r_prev, EndpointState r_now) + { + --state_cnt[o_prev][r_prev]; + ++state_cnt[o_now][r_now]; + } + +void TCPStateStats::FlipState(EndpointState orig, EndpointState resp) + { + --state_cnt[orig][resp]; + ++state_cnt[resp][orig]; + } + +unsigned int TCPStateStats::NumStatePartial() const + { + unsigned int sum = 0; + for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) + { + sum += state_cnt[TCP_ENDPOINT_PARTIAL][i]; + sum += state_cnt[i][TCP_ENDPOINT_PARTIAL]; + } + + return sum; + } + +void TCPStateStats::PrintStats(BroFile* file, const char* prefix) + { + file->Write(prefix); + file->Write(" Inact. Syn. SA Part. Est. Fin. Rst.\n"); + + for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) + { + file->Write(prefix); + + switch ( i ) { +#define STATE_STRING(state, str) \ + case state: \ + file->Write(str); \ + break; + + STATE_STRING(TCP_ENDPOINT_INACTIVE, "Inact."); + STATE_STRING(TCP_ENDPOINT_SYN_SENT, "Syn. "); + STATE_STRING(TCP_ENDPOINT_SYN_ACK_SENT, "SA "); + STATE_STRING(TCP_ENDPOINT_PARTIAL, "Part. "); + STATE_STRING(TCP_ENDPOINT_ESTABLISHED, "Est. "); + STATE_STRING(TCP_ENDPOINT_CLOSED, "Fin. "); + STATE_STRING(TCP_ENDPOINT_RESET, "Rst. "); + + } + + file->Write(" "); + + for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j ) + { + unsigned int n = state_cnt[i][j]; + if ( n > 0 ) + { + char buf[32]; + safe_snprintf(buf, sizeof(buf), "%-8d", state_cnt[i][j]); + file->Write(buf); + } + else + file->Write(" "); + } + + file->Write("\n"); + } + } diff --git a/src/analyzer/protocols/tcp/Stats.h b/src/analyzer/protocols/tcp/Stats.h new file mode 100644 index 0000000000..01c95620ce --- /dev/null 
+++ b/src/analyzer/protocols/tcp/Stats.h 
@@ -0,0 +1,67 @@ + +#ifndef ANALYZER_PROTOCOLS_TCP_STATS_H +#define ANALYZER_PROTOCOLS_TCP_STATS_H + +#include "TCP_Endpoint.h" + +// A TCPStateStats object tracks the distribution of TCP states for +// the currently active connections. +class TCPStateStats { +public: + TCPStateStats(); + ~TCPStateStats() { } + + void ChangeState(EndpointState o_prev, EndpointState o_now, + EndpointState r_prev, EndpointState r_now); + void FlipState(EndpointState orig, EndpointState resp); + + void StateEntered (EndpointState o_state, EndpointState r_state) + { ++state_cnt[o_state][r_state]; } + void StateLeft (EndpointState o_state, EndpointState r_state) + { --state_cnt[o_state][r_state]; } + + unsigned int Cnt(EndpointState state) const + { return Cnt(state, state); } + unsigned int Cnt(EndpointState state1, EndpointState state2) const + { return state_cnt[state1][state2]; } + + unsigned int NumStateEstablished() const + { return Cnt(TCP_ENDPOINT_ESTABLISHED); } + unsigned int NumStateHalfClose() const + { // corresponds to S2,S3 + return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_CLOSED) + + Cnt(TCP_ENDPOINT_CLOSED, TCP_ENDPOINT_ESTABLISHED); + } + unsigned int NumStateHalfRst() const + { + return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_RESET) + + Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_ESTABLISHED); + } + unsigned int NumStateClosed() const + { return Cnt(TCP_ENDPOINT_CLOSED); } + unsigned int NumStateRequest() const + { + assert(Cnt(TCP_ENDPOINT_INACTIVE, TCP_ENDPOINT_SYN_SENT)==0); + return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_INACTIVE); + } + unsigned int NumStateSuccRequest() const + { + return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_SYN_ACK_SENT) + + Cnt(TCP_ENDPOINT_SYN_ACK_SENT, TCP_ENDPOINT_SYN_SENT); + } + unsigned int NumStateRstRequest() const + { + return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_RESET) + + Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_SYN_SENT); + } + unsigned int NumStateInactive() const + { return Cnt(TCP_ENDPOINT_INACTIVE); } + unsigned int 
NumStatePartial() const; + + void PrintStats(BroFile* file, const char* prefix); + +private: + unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1]; +}; + +#endif diff --git a/src/TCP.cc b/src/analyzer/protocols/tcp/TCP.cc similarity index 99% rename from src/TCP.cc rename to src/analyzer/protocols/tcp/TCP.cc index 004deb2edd..66bf9d2a83 100644 --- a/src/TCP.cc +++ b/src/analyzer/protocols/tcp/TCP.cc @@ -3,13 +3,14 @@ #include #include "NetVar.h" -#include "PIA.h" #include "File.h" -#include "TCP.h" -#include "TCP_Reassembler.h" #include "OSFinger.h" #include "Event.h" +#include "analyzer/protocols/pia/PIA.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" + namespace { // local namespace const bool DEBUG_tcp_data_sent = false; const bool DEBUG_tcp_connection_close = false; diff --git a/src/TCP.h b/src/analyzer/protocols/tcp/TCP.h similarity index 99% rename from src/TCP.h rename to src/analyzer/protocols/tcp/TCP.h index be91d473c2..ee89cef8e4 100644 --- a/src/TCP.h +++ b/src/analyzer/protocols/tcp/TCP.h @@ -4,7 +4,7 @@ #define TCP_H #include "analyzer/Analyzer.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "PacketDumper.h" #include "IPAddr.h" #include "TCP_Endpoint.h" diff --git a/src/TCP_Endpoint.cc b/src/analyzer/protocols/tcp/TCP_Endpoint.cc similarity index 99% rename from src/TCP_Endpoint.cc rename to src/analyzer/protocols/tcp/TCP_Endpoint.cc index 69c08870d9..adb2c101d4 100644 --- a/src/TCP_Endpoint.cc +++ b/src/analyzer/protocols/tcp/TCP_Endpoint.cc @@ -2,7 +2,7 @@ #include "Net.h" #include "NetVar.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "TCP_Reassembler.h" #include "Sessions.h" #include "Event.h" diff --git a/src/TCP_Endpoint.h b/src/analyzer/protocols/tcp/TCP_Endpoint.h similarity index 100% rename from src/TCP_Endpoint.h rename to src/analyzer/protocols/tcp/TCP_Endpoint.h 
diff --git a/src/TCP_Reassembler.cc b/src/analyzer/protocols/tcp/TCP_Reassembler.cc similarity index 99% rename from src/TCP_Reassembler.cc rename to src/analyzer/protocols/tcp/TCP_Reassembler.cc index a9c25781c4..5bfd536a10 100644 --- a/src/TCP_Reassembler.cc +++ b/src/analyzer/protocols/tcp/TCP_Reassembler.cc @@ -2,7 +2,7 @@ #include "analyzer/Analyzer.h" #include "TCP_Reassembler.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "TCP_Endpoint.h" // Only needed for gap_report events. diff --git a/src/TCP_Reassembler.h b/src/analyzer/protocols/tcp/TCP_Reassembler.h similarity index 100% rename from src/TCP_Reassembler.h rename to src/analyzer/protocols/tcp/TCP_Reassembler.h diff --git a/src/analyzer/protocols/tcp/events.bif b/src/analyzer/protocols/tcp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/teredo/CMakeLists.txt b/src/analyzer/protocols/teredo/CMakeLists.txt new file mode 100644 index 0000000000..cf4d2a9bcf --- /dev/null +++ b/src/analyzer/protocols/teredo/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Teredo) +bro_plugin_cc(Teredo.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocols/teredo/Plugin.cc b/src/analyzer/protocols/teredo/Plugin.cc new file mode 100644 index 0000000000..9fc0fa4e7a --- /dev/null +++ b/src/analyzer/protocols/teredo/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "Teredo.h" + +BRO_PLUGIN_BEGIN(Teredo) + BRO_PLUGIN_DESCRIPTION("Teredo Analyzer"); + BRO_PLUGIN_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/Teredo.cc b/src/analyzer/protocols/teredo/Teredo.cc similarity index 100% rename from src/Teredo.cc rename to src/analyzer/protocols/teredo/Teredo.cc 
diff --git a/src/Teredo.h b/src/analyzer/protocols/teredo/Teredo.h similarity index 100% rename from src/Teredo.h rename to src/analyzer/protocols/teredo/Teredo.h diff --git a/src/analyzer/protocols/teredo/events.bif b/src/analyzer/protocols/teredo/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/udp/CMakeLists.txt b/src/analyzer/protocols/udp/CMakeLists.txt new file mode 100644 index 0000000000..077c4136b5 --- /dev/null +++ b/src/analyzer/protocols/udp/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(UDP) +bro_plugin_cc(UDP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocols/udp/Plugin.cc b/src/analyzer/protocols/udp/Plugin.cc new file mode 100644 index 0000000000..1a9b462013 --- /dev/null +++ b/src/analyzer/protocols/udp/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "analyzer/protocols/udp/UDP.h" + +BRO_PLUGIN_BEGIN(UDP) + BRO_PLUGIN_DESCRIPTION("UDP Analyzer"); + BRO_PLUGIN_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/UDP.cc b/src/analyzer/protocols/udp/UDP.cc similarity index 99% rename from src/UDP.cc rename to src/analyzer/protocols/udp/UDP.cc index 2fd80cfce3..f85f5ad991 100644 --- a/src/UDP.cc +++ b/src/analyzer/protocols/udp/UDP.cc @@ -6,7 +6,7 @@ #include "Net.h" #include "NetVar.h" -#include "UDP.h" +#include "analyzer/protocols/udp/UDP.h" #include "Reporter.h" #include "Conn.h" diff --git a/src/UDP.h b/src/analyzer/protocols/udp/UDP.h similarity index 100% rename from src/UDP.h rename to src/analyzer/protocols/udp/UDP.h diff --git a/src/analyzer/protocols/udp/events.bif b/src/analyzer/protocols/udp/events.bif new file mode 100644 index 0000000000..e69de29bb2 
diff --git a/src/analyzer/protocols/zip/CMakeLists.txt b/src/analyzer/protocols/zip/CMakeLists.txt new file mode 100644 index 0000000000..5b2864c618 --- /dev/null +++ b/src/analyzer/protocols/zip/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(ZIP) +bro_plugin_cc(ZIP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocols/zip/Plugin.cc b/src/analyzer/protocols/zip/Plugin.cc new file mode 100644 index 0000000000..89382dd0cd --- /dev/null +++ b/src/analyzer/protocols/zip/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "ZIP.h" + +BRO_PLUGIN_BEGIN(ZIP) + BRO_PLUGIN_DESCRIPTION("Generic ZIP support analyzer"); + BRO_PLUGIN_ANALYZER("ZIP", 0); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/ZIP.cc b/src/analyzer/protocols/zip/ZIP.cc similarity index 100% rename from src/ZIP.cc rename to src/analyzer/protocols/zip/ZIP.cc diff --git a/src/ZIP.h b/src/analyzer/protocols/zip/ZIP.h similarity index 92% rename from src/ZIP.h rename to src/analyzer/protocols/zip/ZIP.h index 6a8a180d1a..24ec919f70 100644 --- a/src/ZIP.h +++ b/src/analyzer/protocols/zip/ZIP.h @@ -6,7 +6,7 @@ #include "config.h" #include "zlib.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" class ZIP_Analyzer : public TCP_SupportAnalyzer { public: diff --git a/src/analyzer/protocols/zip/events.bif b/src/analyzer/protocols/zip/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/bro.bif b/src/bro.bif index 4366d26951..aa15443e64 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2914,7 +2914,7 @@ function decode_base64_custom%(s: string, a: string%): string %} %%{ -#include "DCE_RPC.h" +#include "analyzer/protocols/dce-rpc/DCE_RPC.h" typedef struct { uint32 time_low; 
@@ -4262,7 +4262,7 @@ function set_login_state%(cid: conn_id, new_state: count%): bool %} %%{ -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" %%} ## Get the originator sequence number of a TCP connection. Sequence numbers @@ -4326,7 +4326,7 @@ function get_resp_seq%(cid: conn_id%): count %} %%{ -#include "SMTP.h" +#include "analyzer/protocols/smtp/SMTP.h" %%} ## Skips SMTP data until the next email in a connection. diff --git a/src/builtin-func.l b/src/builtin-func.l index b23ef43e22..b2da7cb7c3 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l @@ -207,7 +207,7 @@ void init_alternative_mode() for ( char* p = guard; *p; p++ ) { - if ( strchr("/.", *p) ) + if ( strchr("/.-", *p) ) *p = '_'; } diff --git a/src/parse.y b/src/parse.y index 520623de2c..449b472c0c 100644 --- a/src/parse.y +++ b/src/parse.y @@ -79,7 +79,7 @@ #include "Expr.h" #include "Stmt.h" #include "Var.h" -#include "DNS.h" +/* #include "analyzer/protocols/dns/DNS.h" */ #include "RE.h" #include "Scope.h" #include "Reporter.h" diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 1ddcb1afc8..39bb190f8c 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -36,6 +36,9 @@ #define BRO_PLUGIN_ANALYZER(tag, factory) \ AddComponent(new ::analyzer::Component(tag, factory)); +#define BRO_PLUGIN_SUPPORT_ANALYZER(tag) \ + AddComponent(new ::analyzer::Component(tag, 0)); + #define BRO_PLUGIN_ANALYZER_EXT(tag, factory, enabled, partial) \ AddComponent(new ::analyzer::Component(tag, factory, 0, enabled, partial)); diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 0db69c1f17..a4933aba7b 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-09-22-37-59 +#open 2013-04-17-03-50-16 #fields name #types string scripts/base/init-bare.bro 
@@ -33,9 +33,45 @@ scripts/base/init-bare.bro scripts/base/frameworks/analyzer/./main.bro build/scripts/base/bif/analyzer.bif.bro build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./AYIYA.events.bif.bro + build/scripts/base/bif/plugins/./BACKDOOR.events.bif.bro + build/scripts/base/bif/plugins/./BITTORRENT.events.bif.bro + build/scripts/base/bif/plugins/./BackDoor.events.bif.bro + build/scripts/base/bif/plugins/./BitTorrent.events.bif.bro + build/scripts/base/bif/plugins/./ConnSize.events.bif.bro + build/scripts/base/bif/plugins/./DCE_RPC.events.bif.bro + build/scripts/base/bif/plugins/./DHCP.events.bif.bro + build/scripts/base/bif/plugins/./DNS.events.bif.bro + build/scripts/base/bif/plugins/./FTP.events.bif.bro + build/scripts/base/bif/plugins/./File.events.bif.bro + build/scripts/base/bif/plugins/./FileAnalyzer.events.bif.bro + build/scripts/base/bif/plugins/./Finger.events.bif.bro + build/scripts/base/bif/plugins/./GTPV1.events.bif.bro + build/scripts/base/bif/plugins/./Gnutella.events.bif.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro + build/scripts/base/bif/plugins/./ICMP.events.bif.bro + build/scripts/base/bif/plugins/./IRC.events.bif.bro + build/scripts/base/bif/plugins/./Ident.events.bif.bro + build/scripts/base/bif/plugins/./InterConn.events.bif.bro + build/scripts/base/bif/plugins/./Login.events.bif.bro + build/scripts/base/bif/plugins/./Modbus.events.bif.bro + build/scripts/base/bif/plugins/./NCP.events.bif.bro + build/scripts/base/bif/plugins/./NTP.events.bif.bro + build/scripts/base/bif/plugins/./NetbiosSSN.events.bif.bro + build/scripts/base/bif/plugins/./PIA.events.bif.bro + build/scripts/base/bif/plugins/./POP3.events.bif.bro + build/scripts/base/bif/plugins/./RPC.events.bif.bro + build/scripts/base/bif/plugins/./SMB.events.bif.bro + build/scripts/base/bif/plugins/./SMTP.events.bif.bro + build/scripts/base/bif/plugins/./SOCKS.events.bif.bro + 
build/scripts/base/bif/plugins/./SSH.events.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./SteppingStone.events.bif.bro build/scripts/base/bif/plugins/./Syslog.events.bif.bro + build/scripts/base/bif/plugins/./TCP.events.bif.bro + build/scripts/base/bif/plugins/./Teredo.events.bif.bro + build/scripts/base/bif/plugins/./UDP.events.bif.bro + build/scripts/base/bif/plugins/./ZIP.events.bif.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-09-22-37-59 +#close 2013-04-17-03-50-16 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index aa406976a0..d469dad0bc 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-09-22-38-15 +#open 2013-04-17-03-50-51 #fields name #types string scripts/base/init-bare.bro 
@@ -33,10 +33,46 @@ scripts/base/init-bare.bro scripts/base/frameworks/analyzer/./main.bro build/scripts/base/bif/analyzer.bif.bro build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./AYIYA.events.bif.bro + build/scripts/base/bif/plugins/./BACKDOOR.events.bif.bro + build/scripts/base/bif/plugins/./BITTORRENT.events.bif.bro + build/scripts/base/bif/plugins/./BackDoor.events.bif.bro + build/scripts/base/bif/plugins/./BitTorrent.events.bif.bro + build/scripts/base/bif/plugins/./ConnSize.events.bif.bro + build/scripts/base/bif/plugins/./DCE_RPC.events.bif.bro + build/scripts/base/bif/plugins/./DHCP.events.bif.bro + build/scripts/base/bif/plugins/./DNS.events.bif.bro + build/scripts/base/bif/plugins/./FTP.events.bif.bro + build/scripts/base/bif/plugins/./File.events.bif.bro + build/scripts/base/bif/plugins/./FileAnalyzer.events.bif.bro + build/scripts/base/bif/plugins/./Finger.events.bif.bro + build/scripts/base/bif/plugins/./GTPV1.events.bif.bro + build/scripts/base/bif/plugins/./Gnutella.events.bif.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro + build/scripts/base/bif/plugins/./ICMP.events.bif.bro + build/scripts/base/bif/plugins/./IRC.events.bif.bro + build/scripts/base/bif/plugins/./Ident.events.bif.bro + build/scripts/base/bif/plugins/./InterConn.events.bif.bro + build/scripts/base/bif/plugins/./Login.events.bif.bro + build/scripts/base/bif/plugins/./Modbus.events.bif.bro + build/scripts/base/bif/plugins/./NCP.events.bif.bro + build/scripts/base/bif/plugins/./NTP.events.bif.bro + build/scripts/base/bif/plugins/./NetbiosSSN.events.bif.bro + build/scripts/base/bif/plugins/./PIA.events.bif.bro + build/scripts/base/bif/plugins/./POP3.events.bif.bro + build/scripts/base/bif/plugins/./RPC.events.bif.bro + build/scripts/base/bif/plugins/./SMB.events.bif.bro + build/scripts/base/bif/plugins/./SMTP.events.bif.bro + build/scripts/base/bif/plugins/./SOCKS.events.bif.bro + 
build/scripts/base/bif/plugins/./SSH.events.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./SteppingStone.events.bif.bro build/scripts/base/bif/plugins/./Syslog.events.bif.bro + build/scripts/base/bif/plugins/./TCP.events.bif.bro + build/scripts/base/bif/plugins/./Teredo.events.bif.bro + build/scripts/base/bif/plugins/./UDP.events.bif.bro + build/scripts/base/bif/plugins/./ZIP.events.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/./patterns.bro @@ -127,4 +163,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-09-22-38-15 +#close 2013-04-17-03-50-51 diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output b/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output index 69285a4dbe..600f353088 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output +++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output @@ -1,5 +1,5 @@ APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_DNS APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_FTP -APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_SSH APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_HTTP +APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_SSH APPLIED:, 1299499195.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=8/tcp], Analyzer::ANALYZER_DNS 
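Review bot: in src/analyzer/protocols/zip/Plugin.cc, `BRO_PLUGIN_ANALYZER("ZIP", 0);` registers the analyzer with a null factory, while the same patch adds `BRO_PLUGIN_SUPPORT_ANALYZER(tag)` to src/plugin/Macros.h, which expands to exactly `Component(tag, 0)`. Using `BRO_PLUGIN_SUPPORT_ANALYZER("ZIP");` here states the intent (ZIP_Analyzer derives from TCP_SupportAnalyzer per ZIP.h) instead of relying on a magic 0, and keeps every support analyzer registered the same way. Related: the new zip/events.bif is an empty file (blob e69de29bb2) yet is wired in through `bro_plugin_bif(events.bif)` and `BRO_PLUGIN_BIF_FILE(events);`; a one-line comment in it saying the analyzer raises no events would save the next reader a search.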
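Review bot: in src/builtin-func.l the include-guard sanitiser grows from `strchr("/.", *p)` to `strchr("/.-", *p)` with no comment saying why; the motivation is only visible elsewhere in the patch, where bif files now live under hyphenated directories such as analyzer/protocols/dce-rpc, so a '-' would otherwise end up in a macro name. Rather than extending the character list each time a new path character appears, replace anything that is not an identifier character, e.g. `if ( ! isalnum(*p) && *p != '_' ) *p = '_';`, and add a comment stating that the guard is derived from the path.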
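Review bot: in src/parse.y the DNS include is commented out (`/* #include "analyzer/protocols/dns/DNS.h" */`) rather than deleted. If the parser no longer needs anything from DNS.h, remove the line; if it is a placeholder for something still to be moved, a TODO with the reason is clearer than commented-out code, which tends to survive indefinitely.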
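Review bot: the new `BRO_PLUGIN_SUPPORT_ANALYZER(tag)` in src/plugin/Macros.h carries no comment. Since a null factory is apparently what distinguishes a support analyzer from a regular one (the manager's side is not in this diff, so that is an assumption), say so next to the macro; otherwise readers will not know whether `BRO_PLUGIN_ANALYZER(tag, 0)` and the new macro are meant to be interchangeable.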
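Review bot: both canonified_loaded_scripts.log baselines list BACKDOOR.events.bif.bro next to BackDoor.events.bif.bro and BITTORRENT.events.bif.bro next to BitTorrent.events.bif.bro. Two generated bif scripts per plugin that differ only in case look like stale outputs from an earlier naming of those plugins (or a double registration), and on a case-insensitive filesystem they would collide; regenerate the baselines from a clean build tree and check which tag each plugin actually registers. Separately, the `#open`/`#close` lines still carry wall-clock timestamps, so these baselines churn on every regeneration; blanking those fields in the canonifier would keep future diffs to real changes.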
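Review bot: the scripts.base.frameworks.analyzer.schedule-analyzer baseline moves ANALYZER_SSH after ANALYZER_HTTP, and the test script is changed to pipe its output through `sort`. The sorted baseline is internally consistent (DNS, FTP, HTTP, SSH, then the later timestamp), but nothing says why the emission order changed; if the scheduled analyzer set now iterates in enum order rather than insertion order, state that in the commit message, because sorting the output hides any future ordering regression in this test.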
diff --git a/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro b/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro index e67a4fa82b..114ea73673 100644 --- a/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro +++ b/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT >output +# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT | sort >output # @TEST-EXEC: btest-diff output global x = 0; From 5dc630f722e2a505bd69490532f5bebb45d63ef4 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Thu, 18 Apr 2013 14:39:32 -0700 Subject: [PATCH 26/70] Working on TODOs. - Introducing analyzer:: namespaces. - Moving protocol-specific events out of events.bif into analyzer/protocol//events.bif - Moving ARP over (even though it's not an actual analyzer). - Moving NetFlow over (even though it's not an actual analyzer). - Moving MIME over (even though it's not an actual analyzer). --- cmake | 2 +- src/CMakeLists.txt | 5 - src/Conn.cc | 2 +- src/Conn.h | 6 +- src/NetVar.cc | 9 - src/NetVar.h | 1 - src/RuleCondition.cc | 10 +- src/RuleMatcher.cc | 6 +- src/RuleMatcher.h | 16 +- src/Sessions.cc | 29 +- src/Sessions.h | 14 +- src/analyzer/Analyzer.h | 13 +- src/analyzer/CMakeLists.txt | 4 + src/analyzer/Manager.cc | 32 +- src/analyzer/protocols/CMakeLists.txt | 3 + src/analyzer/protocols/TODO | 6 +- src/{ => analyzer/protocols/arp}/ARP.cc | 3 + src/{ => analyzer/protocols/arp}/ARP.h | 4 + src/analyzer/protocols/arp/CMakeLists.txt | 15 + src/analyzer/protocols/arp/Plugin.cc | 7 + src/analyzer/protocols/arp/events.bif | 63 + src/analyzer/protocols/ayiya/AYIYA.cc | 5 + src/analyzer/protocols/ayiya/AYIYA.h | 4 + src/analyzer/protocols/ayiya/Plugin.cc | 2 +- src/analyzer/protocols/ayiya/ayiya.pac | 4 + src/analyzer/protocols/backdoor/BackDoor.cc | 14 +- src/analyzer/protocols/backdoor/BackDoor.h | 10 +- src/analyzer/protocols/backdoor/Plugin.cc | 2 +- src/analyzer/protocols/backdoor/events.bif | 32 + .../protocols/bittorrent/BitTorrent.cc | 14 +- .../protocols/bittorrent/BitTorrent.h | 6 +- .../protocols/bittorrent/BitTorrentTracker.cc | 14 +- .../protocols/bittorrent/BitTorrentTracker.h | 6 +- src/analyzer/protocols/bittorrent/Plugin.cc | 4 +- .../protocols/bittorrent/bittorrent.pac | 2 + src/analyzer/protocols/bittorrent/events.bif | 226 + src/analyzer/protocols/conn-size/ConnSize.cc | 2 + src/analyzer/protocols/conn-size/ConnSize.h | 3 + src/analyzer/protocols/conn-size/Plugin.cc | 2 +- src/analyzer/protocols/dce-rpc/DCE_RPC.cc | 16 +- 
src/analyzer/protocols/dce-rpc/DCE_RPC.h | 10 +- src/analyzer/protocols/dce-rpc/Plugin.cc | 2 +- src/analyzer/protocols/dce-rpc/dce_rpc.pac | 4 + .../protocols/dce-rpc/dce_rpc_simple.pac | 4 + src/analyzer/protocols/dce-rpc/events.bif | 55 + src/analyzer/protocols/dhcp/DHCP.cc | 4 + src/analyzer/protocols/dhcp/DHCP.h | 4 + src/analyzer/protocols/dhcp/Plugin.cc | 2 +- src/analyzer/protocols/dhcp/dhcp.pac | 4 + src/analyzer/protocols/dhcp/events.bif | 239 + src/analyzer/protocols/dns/DNS.cc | 16 +- src/analyzer/protocols/dns/DNS.h | 12 +- src/analyzer/protocols/dns/Plugin.cc | 2 +- src/analyzer/protocols/dns/events.bif | 482 ++ src/analyzer/protocols/file/File.cc | 10 +- src/analyzer/protocols/file/File.h | 6 +- src/analyzer/protocols/file/Plugin.cc | 2 +- src/analyzer/protocols/file/events.bif | 3 + src/analyzer/protocols/finger/Finger.cc | 16 +- src/analyzer/protocols/finger/Finger.h | 11 +- src/analyzer/protocols/finger/Plugin.cc | 2 +- src/analyzer/protocols/finger/events.bif | 38 + src/analyzer/protocols/ftp/FTP.cc | 18 +- src/analyzer/protocols/ftp/FTP.h | 10 +- src/analyzer/protocols/ftp/Plugin.cc | 2 +- src/analyzer/protocols/ftp/events.bif | 35 + src/analyzer/protocols/gnutella/Gnutella.cc | 14 +- src/analyzer/protocols/gnutella/Gnutella.h | 6 +- src/analyzer/protocols/gnutella/Plugin.cc | 2 +- src/analyzer/protocols/gnutella/events.bif | 88 + src/analyzer/protocols/gtpv1/GTPv1.cc | 6 + src/analyzer/protocols/gtpv1/GTPv1.h | 4 + src/analyzer/protocols/gtpv1/Plugin.cc | 2 +- src/analyzer/protocols/gtpv1/events.bif | 74 + src/analyzer/protocols/gtpv1/gtpv1.pac | 4 + src/analyzer/protocols/http/HTTP.cc | 144 +- src/analyzer/protocols/http/HTTP.h | 42 +- src/analyzer/protocols/http/Plugin.cc | 2 +- src/analyzer/protocols/http/functions.bif | 4 +- src/analyzer/protocols/icmp/ICMP.cc | 8 +- src/analyzer/protocols/icmp/ICMP.h | 4 + src/analyzer/protocols/icmp/Plugin.cc | 2 +- src/analyzer/protocols/icmp/events.bif | 300 + src/analyzer/protocols/ident/Ident.cc | 40 
+- src/analyzer/protocols/ident/Ident.h | 10 +- src/analyzer/protocols/ident/Plugin.cc | 2 +- src/analyzer/protocols/ident/events.bif | 63 + src/analyzer/protocols/interconn/InterConn.cc | 18 +- src/analyzer/protocols/interconn/InterConn.h | 10 +- src/analyzer/protocols/interconn/Plugin.cc | 2 +- src/analyzer/protocols/interconn/events.bif | 8 + src/analyzer/protocols/irc/IRC.cc | 19 +- src/analyzer/protocols/irc/IRC.h | 6 +- src/analyzer/protocols/irc/Plugin.cc | 2 +- src/analyzer/protocols/irc/events.bif | 799 +++ src/analyzer/protocols/login/Login.cc | 14 +- src/analyzer/protocols/login/Login.h | 6 +- src/analyzer/protocols/login/NVT.cc | 8 +- src/analyzer/protocols/login/NVT.h | 8 +- src/analyzer/protocols/login/Plugin.cc | 10 +- src/analyzer/protocols/login/RSH.cc | 11 +- src/analyzer/protocols/login/RSH.h | 6 +- src/analyzer/protocols/login/Rlogin.cc | 15 +- src/analyzer/protocols/login/Rlogin.h | 6 +- src/analyzer/protocols/login/Telnet.cc | 4 + src/analyzer/protocols/login/Telnet.h | 4 + src/analyzer/protocols/login/events.bif | 395 ++ src/analyzer/protocols/mime/CMakeLists.txt | 15 + src/{ => analyzer/protocols/mime}/MIME.cc | 626 +- src/{ => analyzer/protocols/mime}/MIME.h | 4 + src/analyzer/protocols/mime/Plugin.cc | 7 + src/analyzer/protocols/mime/events.bif | 196 + src/analyzer/protocols/modbus/Modbus.cc | 4 + src/analyzer/protocols/modbus/Modbus.h | 6 +- src/analyzer/protocols/modbus/Plugin.cc | 2 +- src/analyzer/protocols/modbus/events.bif | 295 + src/analyzer/protocols/modbus/modbus.pac | 4 + src/analyzer/protocols/ncp/NCP.cc | 19 +- src/analyzer/protocols/ncp/NCP.h | 8 +- src/analyzer/protocols/ncp/Plugin.cc | 2 +- src/analyzer/protocols/ncp/events.bif | 46 + src/analyzer/protocols/ncp/ncp.pac | 4 + .../protocols/netbios-ssn/NetbiosSSN.cc | 26 +- .../protocols/netbios-ssn/NetbiosSSN.h | 29 +- src/analyzer/protocols/netbios-ssn/Plugin.cc | 2 +- src/analyzer/protocols/netbios-ssn/events.bif | 209 + src/analyzer/protocols/netflow/CMakeLists.txt | 16 + 
src/analyzer/protocols/netflow/Plugin.cc | 7 + src/analyzer/protocols/netflow/events.bif | 18 + .../protocols/netflow}/netflow-analyzer.pac | 0 .../protocols/netflow}/netflow-protocol.pac | 0 .../protocols/netflow}/netflow.pac | 2 + src/analyzer/protocols/ntp/NTP.cc | 3 + src/analyzer/protocols/ntp/NTP.h | 5 +- src/analyzer/protocols/ntp/Plugin.cc | 2 +- src/analyzer/protocols/ntp/events.bif | 21 + src/analyzer/protocols/pia/PIA.cc | 28 +- src/analyzer/protocols/pia/PIA.h | 8 +- src/analyzer/protocols/pia/Plugin.cc | 4 +- src/analyzer/protocols/pop3/POP3.cc | 16 +- src/analyzer/protocols/pop3/POP3.h | 11 +- src/analyzer/protocols/pop3/Plugin.cc | 2 +- src/analyzer/protocols/pop3/events.bif | 172 + src/analyzer/protocols/rpc/NFS.cc | 4 + src/analyzer/protocols/rpc/NFS.h | 4 + src/analyzer/protocols/rpc/Plugin.cc | 4 +- src/analyzer/protocols/rpc/Portmap.cc | 4 + src/analyzer/protocols/rpc/Portmap.h | 4 + src/analyzer/protocols/rpc/RPC.cc | 24 +- src/analyzer/protocols/rpc/RPC.h | 8 +- src/analyzer/protocols/rpc/XDR.cc | 16 +- src/analyzer/protocols/rpc/XDR.h | 4 + src/analyzer/protocols/rpc/events.bif | 728 ++ src/analyzer/protocols/smb/Plugin.cc | 2 +- src/analyzer/protocols/smb/SMB.cc | 12 +- src/analyzer/protocols/smb/SMB.h | 19 +- src/analyzer/protocols/smb/events.bif | 495 ++ src/analyzer/protocols/smb/smb.pac | 4 + src/analyzer/protocols/smtp/Plugin.cc | 2 +- src/analyzer/protocols/smtp/SMTP.cc | 20 +- src/analyzer/protocols/smtp/SMTP.h | 11 +- src/analyzer/protocols/smtp/events.bif | 100 + src/analyzer/protocols/socks/Plugin.cc | 2 +- src/analyzer/protocols/socks/SOCKS.cc | 16 +- src/analyzer/protocols/socks/SOCKS.h | 7 +- src/analyzer/protocols/socks/events.bif | 29 + src/analyzer/protocols/socks/socks.pac | 4 +- src/analyzer/protocols/ssh/Plugin.cc | 2 +- src/analyzer/protocols/ssh/SSH.cc | 14 +- src/analyzer/protocols/ssh/SSH.h | 10 +- src/analyzer/protocols/ssh/events.bif | 38 + src/analyzer/protocols/ssl/Plugin.cc | 2 +- src/analyzer/protocols/ssl/SSL.cc 
| 14 +- src/analyzer/protocols/ssl/SSL.h | 8 +- src/analyzer/protocols/ssl/ssl-defs.pac | 2 + src/analyzer/protocols/ssl/ssl.pac | 8 +- .../protocols/stepping-stone/Plugin.cc | 2 +- .../protocols/stepping-stone/SteppingStone.cc | 16 +- .../protocols/stepping-stone/SteppingStone.h | 10 +- .../protocols/stepping-stone/events.bif | 17 + src/analyzer/protocols/syslog/Plugin.cc | 2 +- src/analyzer/protocols/syslog/Syslog.cc | 26 +- src/analyzer/protocols/syslog/Syslog.h | 14 +- src/analyzer/protocols/syslog/syslog.pac | 8 +- src/analyzer/protocols/tcp/ContentLine.cc | 4 + src/analyzer/protocols/tcp/ContentLine.h | 4 + src/analyzer/protocols/tcp/Plugin.cc | 4 +- src/analyzer/protocols/tcp/Stats.cc | 4 + src/analyzer/protocols/tcp/Stats.h | 4 + src/analyzer/protocols/tcp/TCP.cc | 8 +- src/analyzer/protocols/tcp/TCP.h | 15 +- src/analyzer/protocols/tcp/TCP_Endpoint.cc | 4 + src/analyzer/protocols/tcp/TCP_Endpoint.h | 15 +- src/analyzer/protocols/tcp/TCP_Reassembler.cc | 4 + src/analyzer/protocols/tcp/TCP_Reassembler.h | 16 +- src/analyzer/protocols/tcp/events.bif | 289 + src/analyzer/protocols/teredo/Plugin.cc | 2 +- src/analyzer/protocols/teredo/Teredo.cc | 4 + src/analyzer/protocols/teredo/Teredo.h | 4 + src/analyzer/protocols/teredo/events.bif | 55 + src/analyzer/protocols/udp/Plugin.cc | 2 +- src/analyzer/protocols/udp/UDP.cc | 4 + src/analyzer/protocols/udp/UDP.h | 4 + src/analyzer/protocols/udp/events.bif | 38 + src/analyzer/protocols/zip/Plugin.cc | 2 +- src/analyzer/protocols/zip/ZIP.cc | 8 +- src/analyzer/protocols/zip/ZIP.h | 6 +- src/bro.bif | 10 +- src/event.bif | 5850 +---------------- src/plugin/Macros.h | 10 +- 210 files changed, 7080 insertions(+), 6608 deletions(-) rename src/{ => analyzer/protocols/arp}/ARP.cc (99%) rename src/{ => analyzer/protocols/arp}/ARP.h (93%) create mode 100644 src/analyzer/protocols/arp/CMakeLists.txt create mode 100644 src/analyzer/protocols/arp/Plugin.cc create mode 100644 src/analyzer/protocols/arp/events.bif create mode 
100644 src/analyzer/protocols/mime/CMakeLists.txt rename src/{ => analyzer/protocols/mime}/MIME.cc (99%) rename src/{ => analyzer/protocols/mime}/MIME.h (99%) create mode 100644 src/analyzer/protocols/mime/Plugin.cc create mode 100644 src/analyzer/protocols/mime/events.bif create mode 100644 src/analyzer/protocols/netflow/CMakeLists.txt create mode 100644 src/analyzer/protocols/netflow/Plugin.cc create mode 100644 src/analyzer/protocols/netflow/events.bif rename src/{ => analyzer/protocols/netflow}/netflow-analyzer.pac (100%) rename src/{ => analyzer/protocols/netflow}/netflow-protocol.pac (100%) rename src/{ => analyzer/protocols/netflow}/netflow.pac (88%) diff --git a/cmake b/cmake index 8cc03d64d0..c50757259f 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 8cc03d64d00676cb75a38543800ac0de192557dd +Subproject commit c50757259f509f13227cf28bbd4fd281828a39d2 diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 4d3e6dd917..b374c64d2c 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -133,9 +133,6 @@ set(BINPAC_AUXSRC binpac_target(binpac-lib.pac) binpac_target(binpac_bro-lib.pac) -binpac_target(netflow.pac - netflow-protocol.pac netflow-analyzer.pac) - ######################################################################## ## Including subdirectories. ######################################################################## @@ -212,7 +209,6 @@ set(bro_SRCS util.cc module_util.cc Anon.cc - ARP.cc Attr.cc Base64.cc BPF_Program.cc @@ -254,7 +250,6 @@ set(bro_SRCS IPAddr.cc List.cc Reporter.cc - MIME.cc NFA.cc Net.cc NetVar.cc diff --git a/src/Conn.cc b/src/Conn.cc index d6fc41c0b9..1756d3860e 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -935,7 +935,7 @@ error: return false; } -void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia) +void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia) { root_analyzer = analyzer; primary_PIA = pia; 
diff --git a/src/Conn.h b/src/Conn.h index 1b13500fad..95c521d875 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -245,9 +245,9 @@ public: void DeleteTimer(double t); // Sets the root of the analyzer tree as well as the primary PIA. - void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia); + void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia); analyzer::TransportLayerAnalyzer* GetRootAnalyzer() { return root_analyzer; } - PIA* GetPrimaryPIA() { return primary_PIA; } + analyzer::pia::PIA* GetPrimaryPIA() { return primary_PIA; } // Sets the transport protocol in use. void SetTransport(TransportProto arg_proto) { proto = arg_proto; } @@ -319,7 +319,7 @@ protected: uint32 hist_seen; analyzer::TransportLayerAnalyzer* root_analyzer; - PIA* primary_PIA; + analyzer::pia::PIA* primary_PIA; uint64 uid; // Globally unique connection ID. }; diff --git a/src/NetVar.cc b/src/NetVar.cc index 7483728e44..32ab4a63c1 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -93,7 +93,6 @@ RecordType* http_stats_rec; RecordType* http_message_stat; int truncate_http_URI; -int pm_request; RecordType* pm_mapping; TableType* pm_mappings; RecordType* pm_port_request; @@ -408,14 +407,6 @@ void init_net_var() http_message_stat = internal_type("http_message_stat")->AsRecordType(); truncate_http_URI = opt_internal_int("truncate_http_URI"); - pm_request = pm_request_null || pm_request_set || - pm_request_unset || pm_request_getport || - pm_request_dump || pm_request_callit || - pm_attempt_null || pm_attempt_set || - pm_attempt_unset || pm_attempt_getport || - pm_attempt_dump || pm_attempt_callit || - pm_bad_port; - pm_mapping = internal_type("pm_mapping")->AsRecordType(); pm_mappings = internal_type("pm_mappings")->AsTableType(); pm_port_request = internal_type("pm_port_request")->AsRecordType(); diff --git a/src/NetVar.h b/src/NetVar.h index 88b5478149..35b94e09b7 100644 --- a/src/NetVar.h +++ b/src/NetVar.h 
@@ -96,7 +96,6 @@ extern RecordType* http_stats_rec; extern RecordType* http_message_stat; extern int truncate_http_URI; -extern int pm_request; extern RecordType* pm_mapping; extern TableType* pm_mappings; extern RecordType* pm_port_request; diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index b26ed9c9f5..2296628878 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc @@ -4,15 +4,15 @@ #include "analyzer/protocols/tcp/TCP.h" #include "Scope.h" -static inline bool is_established(const TCP_Endpoint* e) +static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e) { // We more or less follow Snort here: an established session // is one for which the initial handshake has succeded (but we // add partial connections). The connection tear-down is part // of the connection. - return e->state != TCP_ENDPOINT_INACTIVE && - e->state != TCP_ENDPOINT_SYN_SENT && - e->state != TCP_ENDPOINT_SYN_ACK_SENT; + return e->state != analyzer::tcp::TCP_ENDPOINT_INACTIVE && + e->state != analyzer::tcp::TCP_ENDPOINT_SYN_SENT && + e->state != analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT; } bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state, @@ -23,7 +23,7 @@ bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state, if ( ! root || ! root->IsAnalyzer("TCP") ) return false; - TCP_Analyzer* ta = static_cast(root); + analyzer::tcp::TCP_Analyzer* ta = static_cast(root); if ( tcpstates & STATE_STATELESS ) return true; diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index 4c69576524..5b6f673a8a 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -161,7 +161,7 @@ void RuleHdrTest::PrintDebug() RuleEndpointState::RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, RuleEndpointState* arg_opposite, - ::PIA* arg_PIA) + analyzer::pia::PIA* arg_PIA) { payload_size = -1; analyzer = arg_analyzer; 
@@ -565,7 +565,7 @@ static inline bool compare(const vector& prefixes, const IPAddr& a, RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, int caplen, RuleEndpointState* opposite, - bool from_orig, PIA* pia) + bool from_orig, analyzer::pia::PIA* pia) { RuleEndpointState* state = new RuleEndpointState(analyzer, from_orig, opposite, pia); @@ -1301,7 +1301,7 @@ uint32 id_to_uint(const char* id) } void RuleMatcherState::InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, - int caplen, bool from_orig, PIA* pia) + int caplen, bool from_orig, analyzer::pia::PIA* pia) { if ( ! rule_matcher ) return; diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index 1b2756594d..351c3c30bf 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h @@ -35,8 +35,10 @@ extern const char* current_rule_file; class RuleMatcher; extern RuleMatcher* rule_matcher; -namespace analyzer { class Analyzer; } -class PIA; +namespace analyzer { + namespace pia { class PIA; } + class Analyzer; +} // RuleHdrTest and associated things: @@ -152,7 +154,7 @@ public: // Returns -1 if no chunk has been fed yet at all. int PayloadSize() { return payload_size; } - ::PIA* PIA() const { return pia; } + analyzer::pia::PIA* PIA() const { return pia; } private: friend class RuleMatcher; @@ -160,7 +162,7 @@ private: // Constructor is private; use RuleMatcher::InitEndpoint() // for creating an instance. RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig, - RuleEndpointState* arg_opposite, ::PIA* arg_PIA); + RuleEndpointState* arg_opposite, analyzer::pia::PIA* arg_PIA); struct Matcher { RE_Match_State* state; @@ -173,7 +175,7 @@ private: bool is_orig; analyzer::Analyzer* analyzer; RuleEndpointState* opposite; - ::PIA* pia; + analyzer::pia::PIA* pia; matcher_list matchers; rule_hdr_test_list hdr_tests; 
@@ -208,7 +210,7 @@ public: // this endpoint). If the matching is triggered by an PIA, a pointer to // it needs to be given. RuleEndpointState* InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip, - int caplen, RuleEndpointState* opposite, bool is_orig, PIA* pia); + int caplen, RuleEndpointState* opposite, bool is_orig, analyzer::pia::PIA* pia); // Finish matching for this stream. void FinishEndpoint(RuleEndpointState* state); @@ -311,7 +313,7 @@ public: // ip may be nil. void InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip, - int caplen, bool from_orig, PIA* pia = 0); + int caplen, bool from_orig, analyzer::pia::PIA* pia = 0); // bol/eol should be set to false for type Rule::PAYLOAD; they're // deduced automatically. diff --git a/src/Sessions.cc b/src/Sessions.cc index 739bbbe5e7..29c7a57e8f 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -20,8 +20,13 @@ #include "analyzer/protocols/udp/UDP.h" #include "analyzer/protocols/stepping-stone/SteppingStone.h" +#include "analyzer/protocols/stepping-stone/events.bif.h" #include "analyzer/protocols/backdoor/BackDoor.h" +#include "analyzer/protocols/backdoor/events.bif.h" #include "analyzer/protocols/interconn/InterConn.h" +#include "analyzer/protocols/interconn/events.bif.h" +#include "analyzer/protocols/arp/ARP.h" +#include "analyzer/protocols/arp/events.bif.h" #include "Discard.h" #include "RuleMatcher.h" @@ -102,7 +107,7 @@ NetSessions::NetSessions() fragments.SetDeleteFunc(bro_obj_delete_func); if ( stp_correlate_pair ) - stp_manager = new SteppingStoneManager(); + stp_manager = new analyzer::stepping_stone::SteppingStoneManager(); else stp_manager = 0; @@ -141,7 +146,7 @@ NetSessions::NetSessions() pkt_profiler = 0; if ( arp_request || arp_reply || bad_arp ) - arp_analyzer = new ARP_Analyzer(); + arp_analyzer = new analyzer::arp::ARP_Analyzer(); else arp_analyzer = 0; } 
@@ -254,7 +259,7 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr, DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0); } - else if ( ARP_Analyzer::IsARP(pkt, hdr_size) ) + else if ( analyzer::arp::ARP_Analyzer::IsARP(pkt, hdr_size) ) { if ( arp_analyzer ) arp_analyzer->NextPacket(t, hdr, pkt, hdr_size); @@ -521,9 +526,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, const struct icmp* icmpp = (const struct icmp *) data; id.src_port = icmpp->icmp_type; - id.dst_port = ICMP4_counterpart(icmpp->icmp_type, - icmpp->icmp_code, - id.is_one_way); + id.dst_port = analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type, + icmpp->icmp_code, + id.is_one_way); id.src_port = htons(id.src_port); id.dst_port = htons(id.dst_port); @@ -537,9 +542,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr, const struct icmp* icmpp = (const struct icmp *) data; id.src_port = icmpp->icmp_type; - id.dst_port = ICMP6_counterpart(icmpp->icmp_type, - icmpp->icmp_code, - id.is_one_way); + id.dst_port = analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type, + icmpp->icmp_code, + id.is_one_way); id.src_port = htons(id.src_port); id.dst_port = htons(id.dst_port); @@ -962,12 +967,12 @@ void NetSessions::Remove(Connection* c) { c->CancelTimers(); - TCP_Analyzer* ta = (TCP_Analyzer*) c->GetRootAnalyzer(); + analyzer::tcp::TCP_Analyzer* ta = (analyzer::tcp::TCP_Analyzer*) c->GetRootAnalyzer(); if ( ta && c->ConnTransport() == TRANSPORT_TCP ) { assert(ta->IsAnalyzer("TCP")); - TCP_Endpoint* to = ta->Orig(); - TCP_Endpoint* tr = ta->Resp(); + analyzer::tcp::TCP_Endpoint* to = ta->Orig(); + analyzer::tcp::TCP_Endpoint* tr = ta->Resp(); tcp_stats.StateLeft(to->state, tr->state); } diff --git a/src/Sessions.h b/src/Sessions.h index 5b87518033..a5488bd188 100644 --- a/src/Sessions.h +++ b/src/Sessions.h 
@@ -6,7 +6,6 @@ #include "Dict.h" #include "CompHash.h" #include "IP.h" -#include "ARP.h" #include "Frag.h" #include "PacketFilter.h" #include "Stats.h" @@ -28,11 +27,12 @@ declare(PDict,Connection); declare(PDict,FragReassembler); class Discarder; -class SteppingStoneManager; class PacketFilter; - class PacketSortElement; +namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } } +namespace analyzer { namespace arp { class ARP_Analyzer; } } + struct SessionStats { int num_TCP_conns; int num_UDP_conns; @@ -129,7 +129,7 @@ public: void ExpireTimerMgrs(); - SteppingStoneManager* GetSTPManager() { return stp_manager; } + analyzer::stepping_stone::SteppingStoneManager* GetSTPManager() { return stp_manager; } unsigned int CurrentConnections() { @@ -185,7 +185,7 @@ public: unsigned int ConnectionMemoryUsage(); unsigned int ConnectionMemoryUsageConnVals(); unsigned int MemoryAllocation(); - TCPStateStats tcp_stats; // keeps statistics on TCP states + analyzer::tcp::TCPStateStats tcp_stats; // keeps statistics on TCP states protected: friend class RemoteSerializer; @@ -257,9 +257,9 @@ protected: typedef std::map IPTunnelMap; IPTunnelMap ip_tunnels; - ARP_Analyzer* arp_analyzer; + analyzer::arp::ARP_Analyzer* arp_analyzer; - SteppingStoneManager* stp_manager; + analyzer::stepping_stone::SteppingStoneManager* stp_manager; Discarder* discarder; PacketFilter* packet_filter; OSFingerprint* SYN_OS_Fingerprinter; diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 3800307c82..5769a6c58a 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -13,12 +13,13 @@ class Rule; class Connection; -class PIA; class IP_Hdr; -class TCP_ApplicationAnalyzer; namespace analyzer { +namespace tcp { class TCP_ApplicationAnalyzer; } +namespace pia { class PIA; } + class Analyzer; class AnalyzerTimer; class SupportAnalyzer; 
@@ -546,7 +547,7 @@ protected: friend class AnalyzerTimer; friend class Manager; friend class ::Connection; - friend class ::TCP_ApplicationAnalyzer; + friend class tcp::TCP_ApplicationAnalyzer; /** * Associates a connection with this analyzer. Must be called if @@ -825,13 +826,13 @@ public: * transport-layer input and determine which protocol analyzer(s) to * use for parsing it. */ - void SetPIA(PIA* arg_PIA) { pia = arg_PIA; } + void SetPIA(pia::PIA* arg_PIA) { pia = arg_PIA; } /** * Returns the associated PIA, or null of none. Does not take * ownership. */ - PIA* GetPIA() const { return pia; } + pia::PIA* GetPIA() const { return pia; } /** * Helper to raise a \c packet_contents event. @@ -843,7 +844,7 @@ public: void PacketContents(const u_char* data, int len); private: - PIA* pia; + pia::PIA* pia; }; } diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt index 1172b0d811..1d0589c5bf 100644 --- a/src/analyzer/CMakeLists.txt +++ b/src/analyzer/CMakeLists.txt @@ -15,4 +15,8 @@ set(analyzer_SRCS bif_target_for_subdir(analyzer.bif) +bro_plugin_dependencies(DCE_RPC generate_analyzer.bif) + add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC} ${BIF_OUTPUT_H}) + +add_dependencies(bro_analyzer generate_events.bif) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index aba7f26a56..45fce936fd 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -15,6 +15,8 @@ #include "plugin/Manager.h" +#include "protocols/tcp/events.bif.h" + using namespace analyzer; Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp, 
@@ -414,35 +416,35 @@ Manager::tag_set* Manager::LookupPort(PortVal* val, bool add_if_not_found) bool Manager::BuildInitialAnalyzerTree(Connection* conn) { Analyzer* analyzer = 0; - TCP_Analyzer* tcp = 0; - UDP_Analyzer* udp = 0; - ICMP_Analyzer* icmp = 0; + tcp::TCP_Analyzer* tcp = 0; + udp::UDP_Analyzer* udp = 0; + icmp::ICMP_Analyzer* icmp = 0; TransportLayerAnalyzer* root = 0; tag_set expected; - PIA* pia = 0; + pia::PIA* pia = 0; bool analyzed = false; bool check_port = false; switch ( conn->ConnTransport() ) { case TRANSPORT_TCP: - root = tcp = new TCP_Analyzer(conn); - pia = new PIA_TCP(conn); + root = tcp = new tcp::TCP_Analyzer(conn); + pia = new pia::PIA_TCP(conn); expected = GetScheduled(conn); check_port = true; DBG_ANALYZER(conn, "activated TCP analyzer"); break; case TRANSPORT_UDP: - root = udp = new UDP_Analyzer(conn); - pia = new PIA_UDP(conn); + root = udp = new udp::UDP_Analyzer(conn); + pia = new pia::PIA_UDP(conn); expected = GetScheduled(conn); check_port = true; DBG_ANALYZER(conn, "activated UDP analyzer"); break; case TRANSPORT_ICMP: { - root = icmp = new ICMP_Analyzer(conn); + root = icmp = new icmp::ICMP_Analyzer(conn); DBG_ANALYZER(conn, "activated ICMP analyzer"); analyzed = true; break; @@ -531,12 +533,12 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) if ( IsEnabled(analyzer_backdoor) ) // Add a BackDoor analyzer if requested. This analyzer // can handle both reassembled and non-reassembled input. - tcp->AddChildAnalyzer(new BackDoor_Analyzer(conn), false); + tcp->AddChildAnalyzer(new backdoor::BackDoor_Analyzer(conn), false); if ( IsEnabled(analyzer_interconn) ) // Add a InterConn analyzer if requested. This analyzer // can handle both reassembled and non-reassembled input. - tcp->AddChildAnalyzer(new InterConn_Analyzer(conn), false); + tcp->AddChildAnalyzer(new interconn::InterConn_Analyzer(conn), false); if ( IsEnabled(analyzer_stepping) ) { 
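Review bot: in the BuildInitialAnalyzerTree hunk the locals are now declared as `tcp::TCP_Analyzer* tcp = 0;`, `udp::UDP_Analyzer* udp = 0;`, `icmp::ICMP_Analyzer* icmp = 0;` and `pia::PIA* pia = 0;`, i.e. each variable carries the same name as the namespace its type lives in, and is then used as `new tcp::TCP_Analyzer(conn)` and `new pia::PIA_TCP(conn)`. This compiles only because lookup of the name before `::` ignores objects, but it reads as if the pointer were being used as a scope, and the same pattern appears in Analyzer.h with the member `pia::PIA* pia;`. Suggest renaming the locals (e.g. `tcp_analyzer`, `assoc_pia`) so that `tcp::` and `tcp` do not mean two different things within the same function.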
@@ -550,25 +552,25 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) { AddrVal src(conn->OrigAddr()); if ( ! stp_skip_src->Lookup(&src) ) - tcp->AddChildAnalyzer(new SteppingStone_Analyzer(conn), false); + tcp->AddChildAnalyzer(new stepping_stone::SteppingStone_Analyzer(conn), false); } } if ( IsEnabled(analyzer_tcpstats) ) // Add TCPStats analyzer. This needs to see packets so // we cannot add it as a normal child. - tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn)); + tcp->AddChildPacketAnalyzer(new tcp::TCPStats_Analyzer(conn)); if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. - tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn)); + tcp->AddChildPacketAnalyzer(new conn_size::ConnSize_Analyzer(conn)); } else { if ( IsEnabled(analyzer_connsize) ) // Add ConnSize analyzer. Needs to see packets, not stream. - root->AddChildAnalyzer(new ConnSize_Analyzer(conn)); + root->AddChildAnalyzer(new conn_size::ConnSize_Analyzer(conn)); } if ( pia ) diff --git a/src/analyzer/protocols/CMakeLists.txt b/src/analyzer/protocols/CMakeLists.txt index 9fcbbdd2d5..004ec72d35 100644 --- a/src/analyzer/protocols/CMakeLists.txt +++ b/src/analyzer/protocols/CMakeLists.txt @@ -1,4 +1,5 @@ +add_subdirectory(arp) add_subdirectory(ayiya) add_subdirectory(backdoor) add_subdirectory(bittorrent) @@ -18,7 +19,9 @@ add_subdirectory(interconn) add_subdirectory(irc) add_subdirectory(login) add_subdirectory(modbus) +add_subdirectory(mime) add_subdirectory(ncp) +add_subdirectory(netflow) add_subdirectory(netbios-ssn) add_subdirectory(ntp) add_subdirectory(pia) diff --git a/src/analyzer/protocols/TODO b/src/analyzer/protocols/TODO index 6168bf4686..41a4d579bc 100644 --- a/src/analyzer/protocols/TODO +++ b/src/analyzer/protocols/TODO 
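Review bot: in the src/analyzer/protocols/CMakeLists.txt hunk, `add_subdirectory(netflow)` is inserted between `modbus`/`ncp` and `netbios-ssn`, which breaks the alphabetical order the list otherwise keeps (`netbios-ssn` sorts before `netflow`); moving it one line down keeps the file mergeable as more analyzers are added. The `mime` entry is also placed under `protocols/` although MIME is a content format rather than a wire protocol; if that is intentional, a one-line comment like the one in the ARP CMakeLists.txt would save the next reader the question.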
@@ -1,10 +1,8 @@ -- introduce namespace into analyzers -- fill events.bif - add functions.bif where needed -- move ARP -- move NetFlow - update *.h guards - cleanup analyzer descriptions - can now lower-case the analyzer name in plugin +- not sure cmake dependencies work right yet +- rename analyzers/protocols to analyzer/protocol diff --git a/src/ARP.cc b/src/analyzer/protocols/arp/ARP.cc similarity index 99% rename from src/ARP.cc rename to src/analyzer/protocols/arp/ARP.cc index 7ffd82764c..9173e853aa 100644 --- a/src/ARP.cc +++ b/src/analyzer/protocols/arp/ARP.cc @@ -5,6 +5,9 @@ #include "Event.h" #include "Reporter.h" +#include "events.bif.h" + +using namespace analyzer::arp; ARP_Analyzer::ARP_Analyzer() { diff --git a/src/ARP.h b/src/analyzer/protocols/arp/ARP.h similarity index 93% rename from src/ARP.h rename to src/analyzer/protocols/arp/ARP.h index f4b623c513..ee01669e92 100644 --- a/src/ARP.h +++ b/src/analyzer/protocols/arp/ARP.h @@ -24,7 +24,9 @@ #endif #include "NetVar.h" +#include "PacketSort.h" +namespace analyzer { namespace arp { class ARP_Analyzer : public BroObj { public: @@ -53,4 +55,6 @@ protected: EventHandlerPtr arp_reply; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/arp/CMakeLists.txt b/src/analyzer/protocols/arp/CMakeLists.txt new file mode 100644 index 0000000000..5654802b07 --- /dev/null +++ b/src/analyzer/protocols/arp/CMakeLists.txt @@ -0,0 +1,15 @@ + +# This is not an actual analyzer, but used by the core. We still +# maintain it here along with the other analyzers because conceptually +# it's also parsing a protocol just like them. The current structure +# is merely a left-over from when this code was written. + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(ARP) +bro_plugin_cc(ARP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() + 
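Review bot: in the new src/analyzer/protocols/arp/CMakeLists.txt the comment says ARP "is not an actual analyzer, but used by the core", yet it is built through `bro_plugin_begin(ARP)` exactly like the loadable analyzer plugins. Since Sessions.h keeps a direct `analyzer::arp::ARP_Analyzer*` member, the core links against a symbol that lives inside a plugin; once plugins can be loaded dynamically this one must stay statically linked, and that constraint should be recorded here (or ARP should stay out of the plugin machinery). Separately, the ARP.h hunk adds `#include "PacketSort.h"` without any visible use in the header; if it was needed only because ARP.h moved out of src/, include it from ARP.cc instead.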
diff --git a/src/analyzer/protocols/arp/Plugin.cc b/src/analyzer/protocols/arp/Plugin.cc new file mode 100644 index 0000000000..06b4940719 --- /dev/null +++ b/src/analyzer/protocols/arp/Plugin.cc @@ -0,0 +1,7 @@ + +#include "plugin/Plugin.h" + +BRO_PLUGIN_BEGIN(ARP) + BRO_PLUGIN_DESCRIPTION("ARP Parsing Code"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/arp/events.bif b/src/analyzer/protocols/arp/events.bif new file mode 100644 index 0000000000..efee33d7f4 --- /dev/null +++ b/src/analyzer/protocols/arp/events.bif 
@@ -0,0 +1,63 @@ +## Generated for ARP requests. +## +## See `Wikipedia `__ +## for more information about the ARP protocol. +## +## mac_src: The request's source MAC address. +## +## mac_dst: The request's destination MAC address. +## +## SPA: The sender protocol address. +## +## SHA: The sender hardware address. +## +## TPA: The target protocol address. +## +## THA: The target hardware address. +## +## .. bro:see:: arp_reply bad_arp +event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, + TPA: addr, THA: string%); + +## Generated for ARP replies. +## +## See `Wikipedia `__ +## for more information about the ARP protocol. +## +## mac_src: The reply's source MAC address. +## +## mac_dst: The reply's destination MAC address. +## +## SPA: The sender protocol address. +## +## SHA: The sender hardware address. +## +## TPA: The target protocol address. +## +## THA: The target hardware address. +## +## .. bro:see:: arp_request bad_arp +event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, + TPA: addr, THA: string%); + +## Generated for ARP packets that Bro cannot interpret. Examples are packets +## with non-standard hardware address formats or hardware addresses that do not +## match the originator of the packet. +## +## SPA: The sender protocol address. +## +## SHA: The sender hardware address. +## +## TPA: The target protocol address. +## +## THA: The target hardware address. +## +## explanation: A short description of why the ARP packet is considered "bad". +## +## .. bro:see:: arp_reply arp_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%); 
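Review bot: in the new arp/events.bif the `.. todo::` on `bad_arp` tells users to "register a port for it or add a DPD payload signature" to enable the event, which cannot work for ARP: it is a link-layer protocol dispatched directly by the core (see the ARP CMakeLists.txt comment and the `arp_analyzer` member in Sessions.h), not a port- or signature-activated analyzer. The paragraph looks copied from a TCP/UDP analyzer's documentation; either state how ARP handling is actually switched on or drop the todo, otherwise the first thing a user trying to alert on spoofed ARP replies will do is add a useless port registration. The same wording would also be wrong on `arp_request` and `arp_reply` if it is later propagated there.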
diff --git a/src/analyzer/protocols/ayiya/AYIYA.cc b/src/analyzer/protocols/ayiya/AYIYA.cc index 2154ae4b30..070a3ef3e1 100644 --- a/src/analyzer/protocols/ayiya/AYIYA.cc +++ b/src/analyzer/protocols/ayiya/AYIYA.cc @@ -1,4 +1,9 @@ + #include "AYIYA.h" +#include "Func.h" +#include "events.bif.h" + +using namespace analyzer::ayiya; AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn) : Analyzer("AYIYA", conn) diff --git a/src/analyzer/protocols/ayiya/AYIYA.h b/src/analyzer/protocols/ayiya/AYIYA.h index c0897d84ff..2995131be5 100644 --- a/src/analyzer/protocols/ayiya/AYIYA.h +++ b/src/analyzer/protocols/ayiya/AYIYA.h @@ -3,6 +3,8 @@ #include "ayiya_pac.h" +namespace analyzer { namespace ayiya { + class AYIYA_Analyzer : public analyzer::Analyzer { public: AYIYA_Analyzer(Connection* conn); @@ -21,4 +23,6 @@ protected: binpac::AYIYA::AYIYA_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ayiya/Plugin.cc b/src/analyzer/protocols/ayiya/Plugin.cc index 1ec9887534..069aedde0a 100644 --- a/src/analyzer/protocols/ayiya/Plugin.cc +++ b/src/analyzer/protocols/ayiya/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(AYIYA) BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer"); - BRO_PLUGIN_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("AYIYA", ayiya::AYIYA_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ayiya/ayiya.pac b/src/analyzer/protocols/ayiya/ayiya.pac index ff0af4d47c..b1f3a6ef77 100644 --- a/src/analyzer/protocols/ayiya/ayiya.pac +++ b/src/analyzer/protocols/ayiya/ayiya.pac @@ -2,6 +2,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer AYIYA withcontext { connection: AYIYA_Conn; flow: AYIYA_Flow; diff --git a/src/analyzer/protocols/backdoor/BackDoor.cc b/src/analyzer/protocols/backdoor/BackDoor.cc index 00a1319e53..19b1a341a7 100644 --- a/src/analyzer/protocols/backdoor/BackDoor.cc +++ b/src/analyzer/protocols/backdoor/BackDoor.cc 
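Review bot: in the AYIYA.cc hunk `#include "Func.h"` is added alongside `events.bif.h`, but nothing in the visible analyzer code uses Func.h, and none of the other analyzer .cc files touched in this patch need it. If the generated `events.bif.h` requires Func.h to compile, the generator should emit that include itself so every plugin gets it consistently; otherwise remove it here.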
@@ -7,7 +7,11 @@ #include "Net.h" #include "analyzer/protocols/tcp/TCP.h" -BackDoorEndpoint::BackDoorEndpoint(TCP_Endpoint* e) +#include "events.bif.h" + +using namespace analyzer::backdoor; + +BackDoorEndpoint::BackDoorEndpoint(tcp::TCP_Endpoint* e) { endp = e; is_partial = 0; @@ -53,7 +57,7 @@ int BackDoorEndpoint::DataSent(double /* t */, int seq, if ( len <= 0 ) return 0; - if ( endp->state == TCP_ENDPOINT_PARTIAL ) + if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL ) is_partial = 1; int ack = endp->AckSeq() - endp->StartSeq(); @@ -681,7 +685,7 @@ int BackDoorEndpoint::CheckForString(const char* str, BackDoor_Analyzer::BackDoor_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("BACKDOOR", c) +: tcp::TCP_ApplicationAnalyzer("BACKDOOR", c) { orig_endp = resp_endp = 0; @@ -701,7 +705,7 @@ BackDoor_Analyzer::~BackDoor_Analyzer() void BackDoor_Analyzer::Init() { - TCP_ApplicationAnalyzer::Init(); + tcp::TCP_ApplicationAnalyzer::Init(); assert(TCP()); orig_endp = new BackDoorEndpoint(TCP()->Orig()); @@ -740,7 +744,7 @@ void BackDoor_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) void BackDoor_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( ! IsFinished() ) { diff --git a/src/analyzer/protocols/backdoor/BackDoor.h b/src/analyzer/protocols/backdoor/BackDoor.h index 1865cdd1ef..bab981cf89 100644 --- a/src/analyzer/protocols/backdoor/BackDoor.h +++ b/src/analyzer/protocols/backdoor/BackDoor.h @@ -8,9 +8,11 @@ #include "NetVar.h" #include "analyzer/protocols/login/Login.h" +namespace analyzer { namespace backdoor { + class BackDoorEndpoint { public: - BackDoorEndpoint(TCP_Endpoint* e); + BackDoorEndpoint(tcp::TCP_Endpoint* e); int DataSent(double t, int seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp); 
@@ -44,7 +46,7 @@ protected: int CheckForFullString(const char* str, const u_char* data, int len); int CheckForString(const char* str, const u_char* data, int len); - TCP_Endpoint* endp; + tcp::TCP_Endpoint* endp; int is_partial; int max_top_seq; @@ -62,7 +64,7 @@ protected: uint32 num_7bit_ascii; }; -class BackDoor_Analyzer : public TCP_ApplicationAnalyzer { +class BackDoor_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: BackDoor_Analyzer(Connection* c); ~BackDoor_Analyzer(); @@ -105,4 +107,6 @@ protected: BackDoor_Analyzer* analyzer; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/backdoor/Plugin.cc b/src/analyzer/protocols/backdoor/Plugin.cc index 586b9ef139..afcf60edbc 100644 --- a/src/analyzer/protocols/backdoor/Plugin.cc +++ b/src/analyzer/protocols/backdoor/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(BackDoor) BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("BACKDOOR", backdoor::BackDoor_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/backdoor/events.bif b/src/analyzer/protocols/backdoor/events.bif index e69de29bb2..81676ee43b 100644 --- a/src/analyzer/protocols/backdoor/events.bif +++ b/src/analyzer/protocols/backdoor/events.bif 
@@ -0,0 +1,32 @@ +## Deprecated. Will be removed. +event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%); + +## Deprecated. Will be removed. +event backdoor_remove_conn%(c: connection%); + +## Deprecated. Will be removed. +event ftp_signature_found%(c: connection%); + +## Deprecated. Will be removed. +event gnutella_signature_found%(c: connection%); + +## Deprecated. Will be removed. +event http_signature_found%(c: connection%); + +## Deprecated. Will be removed. +event irc_signature_found%(c: connection%); + +## Deprecated. Will be removed. +event telnet_signature_found%(c: connection, is_orig: bool, len: count%); + +## Deprecated. Will be removed. +event ssh_signature_found%(c: connection, is_orig: bool%); + +## Deprecated. Will be removed. +event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%); + +## Deprecated. Will be removed. +event smtp_signature_found%(c: connection%); + +## Deprecated. Will be removed. +event http_proxy_signature_found%(c: connection%); diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.cc b/src/analyzer/protocols/bittorrent/BitTorrent.cc index 05e9ae8fba..fc66987cc7 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocols/bittorrent/BitTorrent.cc @@ -3,8 +3,12 @@ #include "BitTorrent.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::bittorrent; + BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("BITTORRENT", c) +: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c) { interp = new binpac::BitTorrent::BitTorrent_Conn(this); stop_orig = stop_resp = false; @@ -18,7 +22,7 @@ BitTorrent_Analyzer::~BitTorrent_Analyzer() void BitTorrent_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); 
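Review bot: in the new backdoor/events.bif every event, from `backdoor_stats` down to `http_proxy_signature_found`, is documented only as "Deprecated. Will be removed." While the analyzer can still be enabled (Manager.cc adds it under `IsEnabled(analyzer_backdoor)`), the docs should at least name the analyzer that raises each event and describe the parameters (`os`/`rs` on `backdoor_stats`, `num_null` on `rlogin_signature_found`), so script authors who still depend on these events can tell what they lose and migrate. A pointer to the replacement (DPD signatures, presumably) would make the deprecation actionable.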
@@ -29,7 +33,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) uint64& this_stream_len = orig ? stream_len_orig : stream_len_resp; bool& this_stop = orig ? stop_orig : stop_resp; - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -66,7 +70,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // TODO: Code commented out for now. I think that shoving data that // is definitely wrong into the parser seems like a really bad idea. @@ -108,7 +112,7 @@ void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig) void BitTorrent_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.h b/src/analyzer/protocols/bittorrent/BitTorrent.h index 0a36442ab9..7812261f04 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrent.h +++ b/src/analyzer/protocols/bittorrent/BitTorrent.h @@ -7,7 +7,9 @@ #include "bittorrent_pac.h" -class BitTorrent_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace bittorrent { + +class BitTorrent_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: BitTorrent_Analyzer(Connection* conn); virtual ~BitTorrent_Analyzer(); @@ -28,4 +30,6 @@ protected: uint64 stream_len_orig, stream_len_resp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc index cf8dcff6ba..18d1fe8ab9 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc 
@@ -3,6 +3,8 @@ #include "BitTorrentTracker.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + #include #include @@ -11,6 +13,8 @@ # define FMT_INT "%" PRId64 # define FMT_UINT "%" PRIu64 +using namespace analyzer::bittorrent; + static TableType* bt_tracker_headers = 0; static RecordType* bittorrent_peer; static TableType* bittorrent_peer_set; @@ -18,7 +22,7 @@ static RecordType* bittorrent_benc_value; static TableType* bittorrent_benc_dir; BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("BITTORRENT", c) +: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c) { if ( ! bt_tracker_headers ) { @@ -74,13 +78,13 @@ BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer() void BitTorrentTracker_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); } void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); @@ -205,7 +209,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data) void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); ProtocolViolation("BitTorrentTracker: cannot recover from content gap"); @@ -217,7 +221,7 @@ void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig) void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); } void BitTorrentTracker_Analyzer::InitBencParser(void) diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h index 70f3004acb..8db92c6af7 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h 
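Review bot: in the BitTorrentTracker.cc constructor hunk, `BitTorrentTracker_Analyzer` still passes `"BITTORRENT"` to `tcp::TCP_ApplicationAnalyzer`, the same name the peer-wire `BitTorrent_Analyzer` uses, whereas Plugin.cc registers it under `"BitTorrentTracker"`. If the name handed to the base constructor is what gets resolved to an analyzer tag, tracker connections will be tagged and logged as plain BitTorrent and become indistinguishable from peer traffic in conn.log; pass the registered name here so the two stay in sync.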
+++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h @@ -7,6 +7,8 @@ #define BTTRACKER_BUF 2048 +namespace analyzer { namespace bittorrent { + // If the following is defined, then the analyzer will store all of // the headers seen in tracker messages. //#define BTTRACKER_STORE_HEADERS 1 @@ -40,7 +42,7 @@ enum btt_benc_states { BENC_STATE_STR2, }; -class BitTorrentTracker_Analyzer : public TCP_ApplicationAnalyzer { +class BitTorrentTracker_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: BitTorrentTracker_Analyzer(Connection* conn); virtual ~BitTorrentTracker_Analyzer(); @@ -126,4 +128,6 @@ protected: bool stop_orig, stop_resp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/bittorrent/Plugin.cc b/src/analyzer/protocols/bittorrent/Plugin.cc index c028956ce9..59e81749ce 100644 --- a/src/analyzer/protocols/bittorrent/Plugin.cc +++ b/src/analyzer/protocols/bittorrent/Plugin.cc @@ -6,7 +6,7 @@ BRO_PLUGIN_BEGIN(BitTorrent) BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer"); - BRO_PLUGIN_ANALYZER("BitTorrent", BitTorrent_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("BitTorrentTracker", BitTorrentTracker_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("BitTorrent", bittorrent::BitTorrent_Analyzer); + BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrent_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/bittorrent/bittorrent.pac b/src/analyzer/protocols/bittorrent/bittorrent.pac index f6255902dd..39e53596dd 100644 --- a/src/analyzer/protocols/bittorrent/bittorrent.pac +++ b/src/analyzer/protocols/bittorrent/bittorrent.pac @@ -5,6 +5,8 @@ %extern{ #define MSGLEN_LIMIT 0x40000 + +#include "events.bif.h" %} analyzer BitTorrent withcontext { diff --git a/src/analyzer/protocols/bittorrent/events.bif b/src/analyzer/protocols/bittorrent/events.bif index e69de29bb2..8c4ddc146f 100644 --- a/src/analyzer/protocols/bittorrent/events.bif 
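Review bot: the bittorrent/Plugin.cc hunk registers the wrong class for the tracker analyzer: `BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrent_Analyzer);` should be `bittorrent::BitTorrentTracker_Analyzer`, as the removed line `BitTorrentTracker_Analyzer::InstantiateAnalyzer` had it. As written, any connection dispatched to "BitTorrentTracker" gets the peer-wire parser instead, the HTTP-style tracker exchange will raise protocol violations, and `bt_tracker_request` / `bt_tracker_response` / `bt_tracker_response_not_ok` (declared in this same patch's events.bif) can never fire, a silent loss of visibility rather than an error. A quick check is a tracker pcap through the test suite with a handler on `bt_tracker_request`.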
+++ b/src/analyzer/protocols/bittorrent/events.bif 
@@ -0,0 +1,226 @@ +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive +## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_handshake%(c: connection, is_orig: bool, + reserved: string, info_hash: string, peer_id: string%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bittorrent_peer_choke%(c: connection, is_orig: bool%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request +## bittorrent_peer_unknown bittorrent_peer_weird +event bittorrent_peer_unchoke%(c: connection, is_orig: bool%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive +## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_interested%(c: connection, is_orig: bool%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_not_interested%(c: connection, is_orig: bool%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive +## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%); + +## TODO. 
+## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake +## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive +## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_request%(c: connection, is_orig: bool, index: count, + begin: count, length: count%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count, + begin: count, piece_length: count%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count, + begin: count, length: count%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown +## bittorrent_peer_weird +event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_weird +event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count, + data: string%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown +event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bt_tracker_request%(c: connection, uri: string, + headers: bt_tracker_headers%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bt_tracker_response%(c: connection, status: count, + headers: bt_tracker_headers, + peers: bittorrent_peer_set, + benc: bittorrent_benc_dir%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bt_tracker_response_not_ok%(c: connection, status: count, + headers: bt_tracker_headers%); + +## TODO. +## +## See `Wikipedia `__ for +## more information about the BitTorrent protocol. +## +## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke +## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested +## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece +## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke +## bittorrent_peer_unknown bittorrent_peer_weird +event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%); + diff --git a/src/analyzer/protocols/conn-size/ConnSize.cc b/src/analyzer/protocols/conn-size/ConnSize.cc index a5a401a816..7d85fe4a0c 100644 --- a/src/analyzer/protocols/conn-size/ConnSize.cc +++ b/src/analyzer/protocols/conn-size/ConnSize.cc @@ -6,7 +6,9 @@ #include "ConnSize.h" #include "analyzer/protocols/tcp/TCP.h" +#include "events.bif.h" +using namespace analyzer::conn_size; ConnSize_Analyzer::ConnSize_Analyzer(Connection* c) : Analyzer("CONNSIZE", c) diff --git a/src/analyzer/protocols/conn-size/ConnSize.h b/src/analyzer/protocols/conn-size/ConnSize.h index 6eac519c88..567895a9f5 100644 --- a/src/analyzer/protocols/conn-size/ConnSize.h +++ b/src/analyzer/protocols/conn-size/ConnSize.h @@ -7,6 +7,7 @@ #include "analyzer/Analyzer.h" #include "NetVar.h" +namespace analyzer { namespace conn_size { class ConnSize_Analyzer : public analyzer::Analyzer { public: @@ -34,4 +35,6 @@ protected: uint64_t resp_pkts; }; +} } // namespace analyzer::* + #endif 
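Review bot: in the new bittorrent/events.bif every one of the 19 events is documented as "TODO." with only the boilerplate Wikipedia pointer, and the `.. bro:see::` lists are inconsistent: the four `bt_tracker_*` events cross-reference only the `bittorrent_peer_*` events and never each other, while none of the peer events point at the tracker events. Before this ships, each event needs at least a one-line description and its parameters (`info_hash`/`peer_id` on `bittorrent_peer_handshake`, `index`/`begin`/`length` on `bittorrent_peer_request` and `bittorrent_peer_cancel`, `status`/`peers`/`benc` on `bt_tracker_response`), and the see-also lists should be split into a peer group and a tracker group.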
diff --git a/src/analyzer/protocols/conn-size/Plugin.cc b/src/analyzer/protocols/conn-size/Plugin.cc index 7520d9b7b5..5ff2ed201d 100644 --- a/src/analyzer/protocols/conn-size/Plugin.cc +++ b/src/analyzer/protocols/conn-size/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(ConnSize) BRO_PLUGIN_DESCRIPTION("Connection size analyzer"); - BRO_PLUGIN_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("CONNSIZE", conn_size::ConnSize_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.cc b/src/analyzer/protocols/dce-rpc/DCE_RPC.cc index f01edc9c8a..dd31cfa8a7 100644 --- a/src/analyzer/protocols/dce-rpc/DCE_RPC.cc +++ b/src/analyzer/protocols/dce-rpc/DCE_RPC.cc @@ -13,6 +13,10 @@ using namespace std; #include "analyzer/Manager.h" +#include "events.bif.h" + +using namespace analyzer::dce_rpc; + #define xbyte(b, n) (((const u_char*) (b))[n]) #define extract_uint16(little_endian, bytes) \ @@ -27,7 +31,7 @@ static int uuid_index[] = { 12, 13, 14, 15 }; -const char* uuid_to_string(const u_char* uuid_data) +const char* analyzer::dce_rpc::uuid_to_string(const u_char* uuid_data) { static char s[1024]; char* sp = s; @@ -443,7 +447,7 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse( Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* arg_session, bool speculative) -: TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig) { session = arg_session; msg_buf = 0; @@ -475,10 +479,10 @@ Contents_DCE_RPC_Analyzer::~Contents_DCE_RPC_Analyzer() void Contents_DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); - TCP_Analyzer* tcp = - static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = + static_cast(Parent())->TCP(); if ( tcp->HadGap(orig) || tcp->IsPartial() ) return; 
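Review bot: in the DCE_RPC.cc hunk, `uuid_to_string` is now a namespace-scope function, `analyzer::dce_rpc::uuid_to_string`, but the body still formats into `static char s[1024]` and returns a pointer into it, so the result is overwritten by the next call and the function is not reentrant. Since it is being promoted to a qualified API anyway, return a `std::string` (or take a caller-supplied buffer) so that two UUIDs from the same bind request can be held at once, and add the declaration to DCE_RPC.h inside the namespace so the qualified definition has something to match.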
@@ -567,7 +571,7 @@ bool Contents_DCE_RPC_Analyzer::ParseHeader() } DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative) -: TCP_ApplicationAnalyzer("DCE_RPC", conn) +: tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn) { session = new DCE_RPC_Session(this); speculative = arg_speculative; diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.h b/src/analyzer/protocols/dce-rpc/DCE_RPC.h index 7ad3cd1e13..fabd68912e 100644 --- a/src/analyzer/protocols/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocols/dce-rpc/DCE_RPC.h @@ -8,10 +8,14 @@ #include "NetVar.h" #include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/dce-rpc/events.bif.h" #include "IPAddr.h" #include "dce_rpc_simple_pac.h" + +namespace analyzer { namespace dce_rpc { + class UUID { public: UUID(); @@ -145,7 +149,7 @@ protected: } mapped; }; -class Contents_DCE_RPC_Analyzer : public TCP_SupportAnalyzer { +class Contents_DCE_RPC_Analyzer : public tcp::TCP_SupportAnalyzer { public: Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* session, bool speculative); @@ -169,7 +173,7 @@ protected: DCE_RPC_Session* session; }; -class DCE_RPC_Analyzer : public TCP_ApplicationAnalyzer { +class DCE_RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: DCE_RPC_Analyzer(Connection* conn, bool speculative = false); ~DCE_RPC_Analyzer(); @@ -182,4 +186,6 @@ protected: bool speculative; }; +} } // namespace analyzer::* + #endif /* dce_rpc_h */ diff --git a/src/analyzer/protocols/dce-rpc/Plugin.cc b/src/analyzer/protocols/dce-rpc/Plugin.cc index b818806076..5e35af7c0d 100644 --- a/src/analyzer/protocols/dce-rpc/Plugin.cc +++ b/src/analyzer/protocols/dce-rpc/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(DCE_RPC) BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer"); - BRO_PLUGIN_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("DCE_RPC", dce_rpc::DCE_RPC_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END 
diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc.pac b/src/analyzer/protocols/dce-rpc/dce_rpc.pac index cbcd0cbdc4..632d2304a1 100644 --- a/src/analyzer/protocols/dce-rpc/dce_rpc.pac +++ b/src/analyzer/protocols/dce-rpc/dce_rpc.pac @@ -1,6 +1,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer DCE_RPC withcontext { connection: DCE_RPC_Conn; flow: DCE_RPC_Flow; diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac b/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac index f31c2a078b..1bf0387b1d 100644 --- a/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac +++ b/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac @@ -1,5 +1,9 @@ %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer DCE_RPC_Simple withcontext {}; %include dce_rpc-protocol.pac diff --git a/src/analyzer/protocols/dce-rpc/events.bif b/src/analyzer/protocols/dce-rpc/events.bif index e69de29bb2..bdabb674fa 100644 --- a/src/analyzer/protocols/dce-rpc/events.bif +++ b/src/analyzer/protocols/dce-rpc/events.bif 
@@ -0,0 +1,55 @@ +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%); + +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_bind%(c: connection, uuid: string%); + +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_request%(c: connection, opnum: count, stub: string%); + +## TODO. +## +## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message +## dce_rpc_request rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dce_rpc_response%(c: connection, opnum: count, stub: string%); + +## TODO. +## +## .. 
bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message +## dce_rpc_request dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); + diff --git a/src/analyzer/protocols/dhcp/DHCP.cc b/src/analyzer/protocols/dhcp/DHCP.cc index a590db19ca..8d05aef37d 100644 --- a/src/analyzer/protocols/dhcp/DHCP.cc +++ b/src/analyzer/protocols/dhcp/DHCP.cc @@ -1,6 +1,10 @@ #include "DHCP.h" +#include "events.bif.h" + +using namespace analyzer::dhcp; + DHCP_Analyzer::DHCP_Analyzer(Connection* conn) : Analyzer("DHCP", conn) { diff --git a/src/analyzer/protocols/dhcp/DHCP.h b/src/analyzer/protocols/dhcp/DHCP.h index 5c12e52cc5..189e04ecab 100644 --- a/src/analyzer/protocols/dhcp/DHCP.h +++ b/src/analyzer/protocols/dhcp/DHCP.h @@ -5,6 +5,8 @@ #include "dhcp_pac.h" +namespace analyzer { namespace dhcp { + class DHCP_Analyzer : public analyzer::Analyzer { public: DHCP_Analyzer(Connection* conn); @@ -21,4 +23,6 @@ protected: binpac::DHCP::DHCP_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/dhcp/Plugin.cc b/src/analyzer/protocols/dhcp/Plugin.cc index 32225d5bec..e1ee02db95 100644 --- a/src/analyzer/protocols/dhcp/Plugin.cc +++ b/src/analyzer/protocols/dhcp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(DHCP) BRO_PLUGIN_DESCRIPTION("DHCP Analyzer"); - BRO_PLUGIN_ANALYZER("DHCP", DHCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("DHCP", dhcp::DHCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/dhcp/dhcp.pac b/src/analyzer/protocols/dhcp/dhcp.pac index 9e9d7755a4..c4a684badc 100644 --- a/src/analyzer/protocols/dhcp/dhcp.pac 
+++ b/src/analyzer/protocols/dhcp/dhcp.pac @@ -1,5 +1,9 @@ %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer DHCP withcontext { connection: DHCP_Conn; flow: DHCP_Flow; diff --git a/src/analyzer/protocols/dhcp/events.bif b/src/analyzer/protocols/dhcp/events.bif index e69de29bb2..741504185e 100644 --- a/src/analyzer/protocols/dhcp/events.bif +++ b/src/analyzer/protocols/dhcp/events.bif 
@@ -0,0 +1,239 @@ +## Generated for DHCP messages of type *discover*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## req_addr: The specific address requested by the client. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); + +## Generated for DHCP messages of type *offer*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: TODO. +## +## mask: The subnet mask specified by the message. +## +## router: The list of routers specified by the message. +## +## lease: The least interval specified by the message. +## +## serv_addr: The server address specified by the message. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); + +## Generated for DHCP messages of type *request*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## req_addr: The client address specified by the message. +## +## serv_addr: The server address specified by the message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). 
It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%); + +## Generated for DHCP messages of type *decline*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_decline%(c: connection, msg: dhcp_msg%); + +## Generated for DHCP messages of type *acknowledgment*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. 
+## +## msg: The parsed type-independent part of the DHCP message. +## +## mask: The subnet mask specified by the message. +## +## router: The list of routers specified by the message. +## +## lease: The least interval specified by the message. +## +## serv_addr: The server address specified by the message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); + +## Generated for DHCP messages of type *negative acknowledgment*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_nak%(c: connection, msg: dhcp_msg%); + +## Generated for DHCP messages of type *release*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_release%(c: connection, msg: dhcp_msg%); + +## Generated for DHCP messages of type *inform*. +## +## See `Wikipedia +## `__ for +## more information about the DHCP protocol. +## +## c: The connection record describing the underlying UDP flow. +## +## msg: The parsed type-independent part of the DHCP message. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request +## +## .. note:: Bro does not support broadcast packets (as used by the DHCP +## protocol). It treats broadcast addresses just like any other and +## associates packets into transport-level flows in the same way as usual. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event dhcp_inform%(c: connection, msg: dhcp_msg%); + diff --git a/src/analyzer/protocols/dns/DNS.cc b/src/analyzer/protocols/dns/DNS.cc index 7cab27c4b9..4901df4417 100644 --- a/src/analyzer/protocols/dns/DNS.cc +++ b/src/analyzer/protocols/dns/DNS.cc 
@@ -12,6 +12,10 @@ #include "Sessions.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::dns; + DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer) { analyzer = arg_analyzer; @@ -993,7 +997,7 @@ Val* DNS_MsgInfo::BuildTSIG_Val() Contents_DNS::Contents_DNS(Connection* conn, bool orig, DNS_Interpreter* arg_interp) -: TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig) { interp = arg_interp; @@ -1080,7 +1084,7 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig) } DNS_Analyzer::DNS_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("DNS", conn) +: tcp::TCP_ApplicationAnalyzer("DNS", conn) { interp = new DNS_Interpreter(this); contents_dns_orig = contents_dns_resp = 0; @@ -1112,7 +1116,7 @@ void DNS_Analyzer::Init() void DNS_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done ) Event(udp_session_done); @@ -1123,7 +1127,7 @@ void DNS_Analyzer::Done() void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); if ( orig ) { @@ -1141,10 +1145,10 @@ void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, } -void DNS_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer, +void DNS_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, tcp::TCP_Endpoint* peer, int gen_event) { - TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); + tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); assert(contents_dns_orig && contents_dns_resp); contents_dns_orig->Flush(); 
diff --git a/src/analyzer/protocols/dns/DNS.h b/src/analyzer/protocols/dns/DNS.h index ca87f862c0..fc19fe82b3 100644 --- a/src/analyzer/protocols/dns/DNS.h +++ b/src/analyzer/protocols/dns/DNS.h @@ -6,6 +6,8 @@ #include "analyzer/protocols/tcp/TCP.h" #include "binpac_bro.h" +namespace analyzer { namespace dns { + typedef enum { DNS_OP_QUERY = 0, ///< standard query DNS_OP_IQUERY = 1, ///< reverse query @@ -229,7 +231,7 @@ typedef enum { // Support analyzer which chunks the TCP stream into "packets". // ### This should be merged with TCP_Contents_RPC. -class Contents_DNS : public TCP_SupportAnalyzer { +class Contents_DNS : public tcp::TCP_SupportAnalyzer { public: Contents_DNS(Connection* c, bool orig, DNS_Interpreter* interp); ~Contents_DNS(); @@ -251,7 +253,7 @@ protected: }; // Works for both TCP and UDP. -class DNS_Analyzer : public TCP_ApplicationAnalyzer { +class DNS_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: DNS_Analyzer(Connection* conn); ~DNS_Analyzer(); @@ -261,8 +263,8 @@ public: virtual void Init(); virtual void Done(); - virtual void ConnectionClosed(TCP_Endpoint* endpoint, - TCP_Endpoint* peer, int gen_event); + virtual void ConnectionClosed(tcp::TCP_Endpoint* endpoint, + tcp::TCP_Endpoint* peer, int gen_event); void ExpireTimer(double t); @@ -279,4 +281,6 @@ protected: // FIXME: Doesn't really fit into new analyzer structure. What to do? int IsReuse(double t, const u_char* pkt); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/dns/Plugin.cc b/src/analyzer/protocols/dns/Plugin.cc index 6bd4415f0e..e731f191da 100644 --- a/src/analyzer/protocols/dns/Plugin.cc +++ b/src/analyzer/protocols/dns/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(DNS) BRO_PLUGIN_DESCRIPTION("DNS Analyzer"); - BRO_PLUGIN_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("DNS", dns::DNS_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END 
diff --git a/src/analyzer/protocols/dns/events.bif b/src/analyzer/protocols/dns/events.bif index e69de29bb2..95c604a8b8 100644 --- a/src/analyzer/protocols/dns/events.bif +++ b/src/analyzer/protocols/dns/events.bif 
@@ -0,0 +1,482 @@ +## Generated for all DNS messages. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## is_orig: True if the message was sent by the originator of the connection. +## +## msg: The parsed DNS message header. +## +## len: The length of the message's raw representation (i.e., the DNS payload). +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected +## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%); + +## Generated for DNS requests. For requests with multiple queries, this event +## is raised once for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); + +## Generated for DNS replies that reject a query. This event is raised if a DNS +## reply either indicates failure via its status code or does not pass on any +## answers to a query. Note that all of the event's parameters are parsed out of +## the reply; there's no stateful correlation with the query. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); + +## Generated for DNS replies with an *ok* status code but no question section. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_rejected +## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_query_reply%(c: connection, msg: dns_msg, query: string, + qtype: count, qclass: count%); + +## Generated for DNS replies of type *A*. For replies with multiple answers, an +## individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. 
+## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## a: The address returned by the reply. +## +## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply +## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); + +## Generated for DNS replies of type *AAAA*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## a: The address returned by the reply. +## +## .. 
bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); + +## Generated for DNS replies of type *A6*. For replies with multiple answers, an +## individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## a: The address returned by the reply. +## +## .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); + +## Generated for DNS replies of type *NS*. For replies with multiple answers, an +## individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. 
Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## name: The name returned by the reply. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); + +## Generated for DNS replies of type *CNAME*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## name: The name returned by the reply. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); + +## Generated for DNS replies of type *PTR*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## name: The name returned by the reply. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); + +## Generated for DNS replies of type *CNAME*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. 
Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## soa: The parsed SOA value. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%); + +## Generated for DNS replies of type *WKS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%); + +## Generated for DNS replies of type *HINFO*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%); + +## Generated for DNS replies of type *MX*. For replies with multiple answers, an +## individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. 
+## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## name: The name returned by the reply. +## +## preference: The preference for *name* specified by the reply. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%); + +## Generated for DNS replies of type *TXT*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## str: The textual information returned by the reply. +## +## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%); + +## Generated for DNS replies of type *SRV*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The type-independent part of the parsed answer record. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%); + +## Generated for DNS replies of type *EDNS*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. 
+## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The parsed EDNS reply. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply +## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl +## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered +## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request +## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%); + +## Generated for DNS replies of type *TSIG*. For replies with multiple answers, +## an individual event of the corresponding type is raised for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## ans: The parsed TSIG reply. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%); + +## Generated at the end of processing a DNS packet. 
This event is the last +## ``dns_*`` event that will be raised for a DNS query/reply and signals that +## all resource records have been passed on. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request +## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout +## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth +event dns_end%(c: connection, msg: dns_msg%); + +## Deprecated. Will be removed. +## +## .. todo:: Unclear what this event is for; it's never raised. We should just +## remove it. +event dns_full_request%(%); + +## msg: The raw DNS payload. +## +## .. note:: This event is deprecated and superseded by Bro's dynamic protocol +## detection framework. +event non_dns_request%(c: connection, msg: string%); diff --git a/src/analyzer/protocols/file/File.cc b/src/analyzer/protocols/file/File.cc index 664e0a8c4c..66de4c2cb4 100644 --- a/src/analyzer/protocols/file/File.cc +++ b/src/analyzer/protocols/file/File.cc @@ -4,11 +4,15 @@ #include "Reporter.h" #include "util.h" +#include "events.bif.h" + +using namespace analyzer::file; + magic_t File_Analyzer::magic = 0; magic_t File_Analyzer::magic_mime = 0; File_Analyzer::File_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("FILE", conn) +: tcp::TCP_ApplicationAnalyzer("FILE", conn) { buffer_len = 0; 
@@ -18,7 +22,7 @@ File_Analyzer::File_Analyzer(Connection* conn) void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); int n = min(len, BUFFER_SIZE - buffer_len); @@ -35,7 +39,7 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void File_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( buffer_len && buffer_len != BUFFER_SIZE ) Identify(); diff --git a/src/analyzer/protocols/file/File.h b/src/analyzer/protocols/file/File.h index ae55a34885..ae6a815378 100644 --- a/src/analyzer/protocols/file/File.h +++ b/src/analyzer/protocols/file/File.h @@ -7,7 +7,9 @@ #include -class File_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace file { + +class File_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: File_Analyzer(Connection* conn); @@ -29,4 +31,6 @@ protected: static magic_t magic_mime; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/file/Plugin.cc b/src/analyzer/protocols/file/Plugin.cc index a5868e0d7e..ad4e917742 100644 --- a/src/analyzer/protocols/file/Plugin.cc +++ b/src/analyzer/protocols/file/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(File) BRO_PLUGIN_DESCRIPTION("Generic File Analyzer"); - BRO_PLUGIN_ANALYZER("File", File_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("File", file::File_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/file/events.bif b/src/analyzer/protocols/file/events.bif index e69de29bb2..4277f1975f 100644 --- a/src/analyzer/protocols/file/events.bif +++ b/src/analyzer/protocols/file/events.bif @@ -0,0 +1,3 @@ +## TODO. +## +event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); 
diff --git a/src/analyzer/protocols/finger/Finger.cc b/src/analyzer/protocols/finger/Finger.cc index cdebed9bb9..dce2cfef9f 100644 --- a/src/analyzer/protocols/finger/Finger.cc +++ b/src/analyzer/protocols/finger/Finger.cc @@ -9,25 +9,29 @@ #include "Event.h" #include "analyzer/protocols/tcp/ContentLine.h" +#include "events.bif.h" + +using namespace analyzer::finger; + Finger_Analyzer::Finger_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("FINGER", conn) +: tcp::TCP_ApplicationAnalyzer("FINGER", conn) { did_deliver = 0; - content_line_orig = new ContentLine_Analyzer(conn, true); + content_line_orig = new tcp::ContentLine_Analyzer(conn, true); content_line_orig->SetIsNULSensitive(true); - content_line_resp = new ContentLine_Analyzer(conn, false); + content_line_resp = new tcp::ContentLine_Analyzer(conn, false); AddSupportAnalyzer(content_line_orig); AddSupportAnalyzer(content_line_resp); } void Finger_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( TCP() ) if ( (! did_deliver || content_line_orig->HasPartialLine()) && - (TCP()->OrigState() == TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) ) + (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) ) // ### should include the partial text Weird("partial_finger_request"); } diff --git a/src/analyzer/protocols/finger/Finger.h b/src/analyzer/protocols/finger/Finger.h index f069daa8c7..d80549bb4c 100644 --- a/src/analyzer/protocols/finger/Finger.h +++ b/src/analyzer/protocols/finger/Finger.h @@ -4,10 +4,11 @@ #define finger_h #include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/tcp/ContentLine.h" -class ContentLine_Analyzer; +namespace analyzer { namespace finger { -class Finger_Analyzer : public TCP_ApplicationAnalyzer { +class Finger_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Finger_Analyzer(Connection* conn); virtual ~Finger_Analyzer() {} 
@@ -20,9 +21,11 @@ public: { return new Finger_Analyzer(conn); } protected: - ContentLine_Analyzer* content_line_orig; - ContentLine_Analyzer* content_line_resp; + tcp::ContentLine_Analyzer* content_line_orig; + tcp::ContentLine_Analyzer* content_line_resp; int did_deliver; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/finger/Plugin.cc b/src/analyzer/protocols/finger/Plugin.cc index 98fd1f5985..603bbd004e 100644 --- a/src/analyzer/protocols/finger/Plugin.cc +++ b/src/analyzer/protocols/finger/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Finger) BRO_PLUGIN_DESCRIPTION("Finger Analyzer"); - BRO_PLUGIN_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("FINGER", finger::Finger_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/finger/events.bif b/src/analyzer/protocols/finger/events.bif index e69de29bb2..e495263b12 100644 --- a/src/analyzer/protocols/finger/events.bif +++ b/src/analyzer/protocols/finger/events.bif 
@@ -0,0 +1,38 @@ +## Generated for Finger requests. +## +## See `Wikipedia `__ for more +## information about the Finger protocol. +## +## c: The connection. +## +## full: True if verbose information is requested (``/W`` switch). +## +## username: The request's user name. +## +## hostname: The request's host name. +## +## .. bro:see:: finger_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event finger_request%(c: connection, full: bool, username: string, hostname: string%); + +## Generated for Finger replies. +## +## See `Wikipedia `__ for more +## information about the Finger protocol. +## +## c: The connection. +## +## reply_line: The reply as returned by the server +## +## .. bro:see:: finger_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event finger_reply%(c: connection, reply_line: string%); + diff --git a/src/analyzer/protocols/ftp/FTP.cc b/src/analyzer/protocols/ftp/FTP.cc index b371099c01..aed14b8de8 100644 --- a/src/analyzer/protocols/ftp/FTP.cc +++ b/src/analyzer/protocols/ftp/FTP.cc 
@@ -11,18 +11,22 @@ #include "analyzer/Manager.h" #include "analyzer/protocols/login/NVT.h" +#include "events.bif.h" + +using namespace analyzer::ftp; + FTP_Analyzer::FTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("FTP", conn) +: tcp::TCP_ApplicationAnalyzer("FTP", conn) { pending_reply = 0; - nvt_orig = new NVT_Analyzer(conn, true); + nvt_orig = new login::NVT_Analyzer(conn, true); nvt_orig->SetIsNULSensitive(true); nvt_orig->SetIsNULSensitive(true); nvt_orig->SetCRLFAsEOL(LF_as_EOL); nvt_orig->SetIsNULSensitive(LF_as_EOL); - nvt_resp = new NVT_Analyzer(conn, false); + nvt_resp = new login::NVT_Analyzer(conn, false); nvt_resp->SetIsNULSensitive(true); nvt_resp->SetIsNULSensitive(true); nvt_resp->SetCRLFAsEOL(LF_as_EOL); @@ -37,11 +41,11 @@ FTP_Analyzer::FTP_Analyzer(Connection* conn) void FTP_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( nvt_orig->HasPartialLine() && - (TCP()->OrigState() == TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) ) + (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) ) // ### should include the partial text Weird("partial_ftp_request"); } @@ -56,7 +60,7 @@ static uint32 get_reply_code(int len, const char* line) void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) ) return; diff --git a/src/analyzer/protocols/ftp/FTP.h b/src/analyzer/protocols/ftp/FTP.h index aaecfb98f1..9ebf38b2f7 100644 --- a/src/analyzer/protocols/ftp/FTP.h +++ b/src/analyzer/protocols/ftp/FTP.h 
@@ -6,7 +6,9 @@ #include "analyzer/protocols/login/NVT.h" #include "analyzer/protocols/tcp/TCP.h" -class FTP_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ftp { + +class FTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: FTP_Analyzer(Connection* conn); @@ -19,8 +21,8 @@ public: } protected: - NVT_Analyzer* nvt_orig; - NVT_Analyzer* nvt_resp; + login::NVT_Analyzer* nvt_orig; + login::NVT_Analyzer* nvt_resp; uint32 pending_reply; // code associated with multi-line reply, or 0 string auth_requested; // AUTH method requested }; @@ -47,4 +49,6 @@ protected: bool first_token; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ftp/Plugin.cc b/src/analyzer/protocols/ftp/Plugin.cc index 2a250b97ee..9a58990a63 100644 --- a/src/analyzer/protocols/ftp/Plugin.cc +++ b/src/analyzer/protocols/ftp/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(FTP) BRO_PLUGIN_DESCRIPTION("FTP Analyzer"); - BRO_PLUGIN_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ftp/events.bif b/src/analyzer/protocols/ftp/events.bif index e69de29bb2..16faa417d3 100644 --- a/src/analyzer/protocols/ftp/events.bif +++ b/src/analyzer/protocols/ftp/events.bif 
@@ -0,0 +1,35 @@ +## Generated for client-side FTP commands. +## +## See `Wikipedia `__ for +## more information about the FTP protocol. +## +## c: The connection. +## +## command: The FTP command issued by the client (without any arguments). +## +## arg: The arguments going with the command. +## +## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port +## parse_ftp_epsv parse_ftp_pasv parse_ftp_port +event ftp_request%(c: connection, command: string, arg: string%); + +## Generated for server-side FTP replies. +## +## See `Wikipedia `__ for +## more information about the FTP protocol. +## +## c: The connection. +## +## code: The numerical response code the server responded with. +## +## msg: The textual message of the response. +## +## cont_resp: True if the reply line is tagged as being continued to the next +## line. If so, further events will be raised and a handler may want +## to reassemble the pieces before processing the response any +## further. +## +## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port +## parse_ftp_epsv parse_ftp_pasv parse_ftp_port +event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%); + diff --git a/src/analyzer/protocols/gnutella/Gnutella.cc b/src/analyzer/protocols/gnutella/Gnutella.cc index bf2be877c0..a0d8812218 100644 --- a/src/analyzer/protocols/gnutella/Gnutella.cc +++ b/src/analyzer/protocols/gnutella/Gnutella.cc @@ -12,6 +12,10 @@ #include "analyzer/protocols/pia/PIA.h" #include "analyzer/Manager.h" +#include "events.bif.h" + +using namespace analyzer::gnutella; + GnutellaMsgState::GnutellaMsgState() { buffer = ""; @@ -30,7 +34,7 @@ GnutellaMsgState::GnutellaMsgState() Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("GNUTELLA", conn) +: tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn) { state = 0; new_state = 0; 
@@ -50,7 +54,7 @@ Gnutella_Analyzer::~Gnutella_Analyzer() void Gnutella_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) { @@ -138,9 +142,9 @@ int Gnutella_Analyzer::IsHTTP(string header) if ( Parent()->IsAnalyzer("TCP") ) { // Replay buffered data. - PIA* pia = static_cast(Parent())->GetPIA(); + pia::PIA* pia = static_cast(Parent())->GetPIA(); if ( pia ) - static_cast(pia)->ReplayStreamBuffer(a); + static_cast(pia)->ReplayStreamBuffer(a); } Parent()->RemoveChildAnalyzer(this); @@ -328,7 +332,7 @@ void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig) void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); ms = orig ? orig_msg_state : resp_msg_state; ms->current_offset = 0; diff --git a/src/analyzer/protocols/gnutella/Gnutella.h b/src/analyzer/protocols/gnutella/Gnutella.h index 085d4fbf56..3a6e51d0c4 100644 --- a/src/analyzer/protocols/gnutella/Gnutella.h +++ b/src/analyzer/protocols/gnutella/Gnutella.h @@ -11,6 +11,8 @@ #define GNUTELLA_MSG_SIZE 23 #define GNUTELLA_MAX_PAYLOAD 1024 +namespace analyzer { namespace gnutella { + class GnutellaMsgState { public: GnutellaMsgState (); @@ -32,7 +34,7 @@ public: }; -class Gnutella_Analyzer : public TCP_ApplicationAnalyzer { +class Gnutella_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Gnutella_Analyzer(Connection* conn); ~Gnutella_Analyzer(); @@ -67,4 +69,6 @@ private: GnutellaMsgState* ms; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/gnutella/Plugin.cc b/src/analyzer/protocols/gnutella/Plugin.cc index 6cc0b02771..eca9adb001 100644 --- a/src/analyzer/protocols/gnutella/Plugin.cc +++ b/src/analyzer/protocols/gnutella/Plugin.cc 
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Gnutella) BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer"); - BRO_PLUGIN_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("GNUTELLA", gnutella::Gnutella_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/gnutella/events.bif b/src/analyzer/protocols/gnutella/events.bif index e69de29bb2..9384f34e88 100644 --- a/src/analyzer/protocols/gnutella/events.bif +++ b/src/analyzer/protocols/gnutella/events.bif 
@@ -0,0 +1,88 @@ +## TODO. +## +## See `Wikipedia `__ for more +## information about the Gnutella protocol. +## +## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify +## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found +## +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event gnutella_text_msg%(c: connection, orig: bool, headers: string%); + +## TODO. +## +## See `Wikipedia `__ for more +## information about the Gnutella protocol. +## +## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish +## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, + ttl: count, hops: count, msg_len: count, + payload: string, payload_len: count, + trunc: bool, complete: bool%); + +## TODO. +## +## See `Wikipedia `__ for more +## information about the Gnutella protocol. +## +## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify +## gnutella_not_establish gnutella_signature_found gnutella_text_msg +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. 
+event gnutella_partial_binary_msg%(c: connection, orig: bool, + msg: string, len: count%); + +## TODO. +## +## See `Wikipedia `__ for more +## information about the Gnutella protocol. +## +## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish +## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event gnutella_establish%(c: connection%); + +## TODO. +## +## See `Wikipedia `__ for more +## information about the Gnutella protocol. +## +## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify +## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event gnutella_not_establish%(c: connection%); + +## TODO. +## +## See `Wikipedia `__ for more +## information about the Gnutella protocol. +## +## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish +## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event gnutella_http_notify%(c: connection%); diff --git a/src/analyzer/protocols/gtpv1/GTPv1.cc b/src/analyzer/protocols/gtpv1/GTPv1.cc index 86a2615690..0a94a28554 100644 
--- a/src/analyzer/protocols/gtpv1/GTPv1.cc +++ b/src/analyzer/protocols/gtpv1/GTPv1.cc @@ -1,5 +1,11 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include "GTPv1.h" +#include "events.bif.h" + +using namespace analyzer::gtpv1; + GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn) : Analyzer("GTPV1", conn) { diff --git a/src/analyzer/protocols/gtpv1/GTPv1.h b/src/analyzer/protocols/gtpv1/GTPv1.h index 2e4a405878..3fb7634534 100644 --- a/src/analyzer/protocols/gtpv1/GTPv1.h +++ b/src/analyzer/protocols/gtpv1/GTPv1.h @@ -3,6 +3,8 @@ #include "gtpv1_pac.h" +namespace analyzer { namespace gtpv1 { + class GTPv1_Analyzer : public analyzer::Analyzer { public: GTPv1_Analyzer(Connection* conn); @@ -21,4 +23,6 @@ protected: binpac::GTPv1::GTPv1_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/gtpv1/Plugin.cc b/src/analyzer/protocols/gtpv1/Plugin.cc index caa9755828..39233384dc 100644 --- a/src/analyzer/protocols/gtpv1/Plugin.cc +++ b/src/analyzer/protocols/gtpv1/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(GTPV1) BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer"); - BRO_PLUGIN_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("GTPV1", gtpv1::GTPv1_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/gtpv1/events.bif b/src/analyzer/protocols/gtpv1/events.bif index e69de29bb2..b3bac93a2e 100644 --- a/src/analyzer/protocols/gtpv1/events.bif +++ b/src/analyzer/protocols/gtpv1/events.bif 
@@ -0,0 +1,74 @@ +## Generated for any GTP message with a GTPv1 header. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +event gtpv1_message%(c: connection, hdr: gtpv1_hdr%); + +## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload +## that includes a GTP header followed by an IPv4 or IPv6 packet. +## +## outer: The GTP outer tunnel connection. +## +## inner_gtp: The GTP header. +## +## inner_ip: The inner IP and transport layer packet headers. +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%); + +## Generated for GTPv1-C Create PDP Context Request messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%); + +## Generated for GTPv1-C Create PDP Context Response messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%); + +## Generated for GTPv1-C Update PDP Context Request messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%); + +## Generated for GTPv1-C Update PDP Context Response messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. 
+## +## elements: The set of Information Elements comprising the message. +event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%); + +## Generated for GTPv1-C Delete PDP Context Request messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%); + +## Generated for GTPv1-C Delete PDP Context Response messages. +## +## c: The connection over which the message is sent. +## +## hdr: The GTPv1 header. +## +## elements: The set of Information Elements comprising the message. +event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%); + diff --git a/src/analyzer/protocols/gtpv1/gtpv1.pac b/src/analyzer/protocols/gtpv1/gtpv1.pac index d155ecfd67..0305951cc5 100644 --- a/src/analyzer/protocols/gtpv1/gtpv1.pac +++ b/src/analyzer/protocols/gtpv1/gtpv1.pac @@ -1,6 +1,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer GTPv1 withcontext { connection: GTPv1_Conn; flow: GTPv1_Flow; diff --git a/src/analyzer/protocols/http/HTTP.cc b/src/analyzer/protocols/http/HTTP.cc index 98c8ad484e..899c7de01f 100644 --- a/src/analyzer/protocols/http/HTTP.cc +++ b/src/analyzer/protocols/http/HTTP.cc @@ -11,7 +11,11 @@ #include "NetVar.h" #include "HTTP.h" #include "Event.h" -#include "MIME.h" +#include "analyzer/protocols/mime/MIME.h" + +#include "events.bif.h" + +using namespace analyzer::http; const bool DEBUG_http = false; 
@@ -77,7 +81,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF) if ( end_of_data ) { // Multipart entities may have trailers - if ( content_type != CONTENT_TYPE_MULTIPART ) + if ( content_type != mime::CONTENT_TYPE_MULTIPART ) IllegalFormat("data trailing the end of entity"); return; } @@ -93,8 +97,8 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF) } // Entity body. - if ( content_type == CONTENT_TYPE_MULTIPART || - content_type == CONTENT_TYPE_MESSAGE ) + if ( content_type == mime::CONTENT_TYPE_MULTIPART || + content_type == mime::CONTENT_TYPE_MESSAGE ) DeliverBody(len, data, trailing_CRLF); else if ( chunked_transfer_state != NON_CHUNKED_TRANSFER ) @@ -177,14 +181,14 @@ void HTTP_Entity::DeliverBody(int len, const char* data, int trailing_CRLF) { if ( encoding == GZIP || encoding == DEFLATE ) { - ZIP_Analyzer::Method method = + zip::ZIP_Analyzer::Method method = encoding == GZIP ? - ZIP_Analyzer::GZIP : ZIP_Analyzer::DEFLATE; + zip::ZIP_Analyzer::GZIP : zip::ZIP_Analyzer::DEFLATE; if ( ! zip ) { // We don't care about the direction here. - zip = new ZIP_Analyzer( + zip = new zip::ZIP_Analyzer( http_message->MyHTTP_Analyzer()->Conn(), false, method); zip->SetOutputHandler(new UncompressedOutput(this)); @@ -291,12 +295,12 @@ void HTTP_Entity::SetPlainDelivery(int64_t length) // expect_data_length. } -void HTTP_Entity::SubmitHeader(MIME_Header* h) +void HTTP_Entity::SubmitHeader(mime::MIME_Header* h) { - if ( strcasecmp_n(h->get_name(), "content-length") == 0 ) + if ( mime::strcasecmp_n(h->get_name(), "content-length") == 0 ) { data_chunk_t vt = h->get_value_token(); - if ( ! is_null_data_chunk(vt) ) + if ( ! mime::is_null_data_chunk(vt) ) { int64_t n; if ( atoi_n(vt.length, vt.data, 0, 10, n) ) 
@@ -308,8 +312,8 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h) // Figure out content-length for HTTP 206 Partial Content response // that uses multipart/byteranges content-type. - else if ( strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() && - Parent()->MIMEContentType() == CONTENT_TYPE_MULTIPART && + else if ( mime::strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() && + Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART && http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 ) { data_chunk_t vt = h->get_value_token(); @@ -367,19 +371,19 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h) } } - else if ( strcasecmp_n(h->get_name(), "transfer-encoding") == 0 ) + else if ( mime::strcasecmp_n(h->get_name(), "transfer-encoding") == 0 ) { data_chunk_t vt = h->get_value_token(); - if ( strcasecmp_n(vt, "chunked") == 0 ) + if ( mime::strcasecmp_n(vt, "chunked") == 0 ) chunked_transfer_state = BEFORE_CHUNK; } - else if ( strcasecmp_n(h->get_name(), "content-encoding") == 0 ) + else if ( mime::strcasecmp_n(h->get_name(), "content-encoding") == 0 ) { data_chunk_t vt = h->get_value_token(); - if ( strcasecmp_n(vt, "gzip") == 0 ) + if ( mime::strcasecmp_n(vt, "gzip") == 0 ) encoding = GZIP; - if ( strcasecmp_n(vt, "deflate") == 0 ) + if ( mime::strcasecmp_n(vt, "deflate") == 0 ) encoding = DEFLATE; } @@ -413,8 +417,8 @@ void HTTP_Entity::SubmitAllHeaders() return; } - if ( content_type == CONTENT_TYPE_MULTIPART || - content_type == CONTENT_TYPE_MESSAGE ) + if ( content_type == mime::CONTENT_TYPE_MULTIPART || + content_type == mime::CONTENT_TYPE_MESSAGE ) { // Do nothing. // Make sure that we check for multiple/message contents first, @@ -463,7 +467,7 @@ void HTTP_Entity::SubmitAllHeaders() } HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer, - ContentLine_Analyzer* arg_cl, bool arg_is_orig, + tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig, int expect_body, int64_t init_header_length) : MIME_Message (arg_analyzer) { 
@@ -546,7 +550,7 @@ int HTTP_Message::Undelivered(int64_t len) return 0; } -void HTTP_Message::BeginEntity(MIME_Entity* entity) +void HTTP_Message::BeginEntity(mime::MIME_Entity* entity) { if ( DEBUG_http ) DEBUG_MSG("%.6f: begin entity (%d)\n", network_time, is_orig); @@ -562,7 +566,7 @@ void HTTP_Message::BeginEntity(MIME_Entity* entity) } } -void HTTP_Message::EndEntity(MIME_Entity* entity) +void HTTP_Message::EndEntity(mime::MIME_Entity* entity) { if ( DEBUG_http ) DEBUG_MSG("%.6f: end entity (%d)\n", network_time, is_orig); @@ -588,12 +592,12 @@ void HTTP_Message::EndEntity(MIME_Entity* entity) Done(); } -void HTTP_Message::SubmitHeader(MIME_Header* h) +void HTTP_Message::SubmitHeader(mime::MIME_Header* h) { MyHTTP_Analyzer()->HTTP_Header(is_orig, h); } -void HTTP_Message::SubmitAllHeaders(MIME_HeaderList& hlist) +void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist) { if ( http_all_headers ) { @@ -620,7 +624,7 @@ void HTTP_Message::SubmitAllHeaders(MIME_HeaderList& hlist) } } -void HTTP_Message::SubmitTrailingHeaders(MIME_HeaderList& /* hlist */) +void HTTP_Message::SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */) { // Do nothing for now. } @@ -664,15 +668,15 @@ void HTTP_Message::SubmitEvent(int event_type, const char* detail) const char* category = ""; switch ( event_type ) { - case MIME_EVENT_ILLEGAL_FORMAT: + case mime::MIME_EVENT_ILLEGAL_FORMAT: category = "illegal format"; break; - case MIME_EVENT_ILLEGAL_ENCODING: + case mime::MIME_EVENT_ILLEGAL_ENCODING: category = "illegal encoding"; break; - case MIME_EVENT_CONTENT_GAP: + case mime::MIME_EVENT_CONTENT_GAP: category = "content gap"; break; @@ -787,7 +791,7 @@ void HTTP_Message::Weird(const char* msg) } HTTP_Analyzer::HTTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("HTTP", conn) +: tcp::TCP_ApplicationAnalyzer("HTTP", conn) { num_requests = num_replies = 0; num_request_lines = num_reply_lines = 0; 
@@ -807,10 +811,10 @@ HTTP_Analyzer::HTTP_Analyzer(Connection* conn) reply_code = 0; reply_reason_phrase = 0; - content_line_orig = new ContentLine_Analyzer(conn, true); + content_line_orig = new tcp::ContentLine_Analyzer(conn, true); AddSupportAnalyzer(content_line_orig); - content_line_resp = new ContentLine_Analyzer(conn, false); + content_line_resp = new tcp::ContentLine_Analyzer(conn, false); content_line_resp->SetSkipPartial(true); AddSupportAnalyzer(content_line_resp); } @@ -828,7 +832,7 @@ void HTTP_Analyzer::Done() if ( IsFinished() ) return; - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); RequestMade(1, "message interrupted when connection done"); ReplyMade(1, "message interrupted when connection done"); @@ -850,7 +854,7 @@ void HTTP_Analyzer::Done() void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( TCP() && TCP()->IsPartial() ) return; @@ -858,7 +862,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) const char* line = reinterpret_cast(data); const char* end_of_line = line + len; - ContentLine_Analyzer* content_line = + tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig : content_line_resp; if ( content_line->IsPlainDelivery() ) @@ -907,7 +911,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { if ( ! RequestExpected() ) HTTP_Event("crud_trailing_HTTP_request", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); else { // We do see HTTP requests with a 
@@ -986,20 +990,20 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); // DEBUG_MSG("Undelivered from %d: %d bytes\n", seq, length); HTTP_Message* msg = is_orig ? request_message : reply_message; - ContentLine_Analyzer* content_line = + tcp::ContentLine_Analyzer* content_line = is_orig ? content_line_orig : content_line_resp; if ( ! content_line->IsSkippedContents(seq, len) ) { if ( msg ) - msg->SubmitEvent(MIME_EVENT_CONTENT_GAP, + msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP, fmt("seq=%d, len=%d", seq, len)); } @@ -1030,7 +1034,7 @@ void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig) void HTTP_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); // DEBUG_MSG("%.6f eof\n", network_time); @@ -1042,7 +1046,7 @@ void HTTP_Analyzer::EndpointEOF(bool is_orig) void HTTP_Analyzer::ConnectionFinished(int half_finished) { - TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); + tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); // DEBUG_MSG("%.6f connection finished\n", network_time); RequestMade(1, "message ends as connection is finished"); @@ -1051,7 +1055,7 @@ void HTTP_Analyzer::ConnectionFinished(int half_finished) void HTTP_Analyzer::ConnectionReset() { - TCP_ApplicationAnalyzer::ConnectionReset(); + tcp::TCP_ApplicationAnalyzer::ConnectionReset(); RequestMade(1, "message interrupted by RST"); ReplyMade(1, "message interrupted by RST"); @@ -1059,7 +1063,7 @@ void HTTP_Analyzer::ConnectionReset() void HTTP_Analyzer::PacketWithRST() { - TCP_ApplicationAnalyzer::PacketWithRST(); + tcp::TCP_ApplicationAnalyzer::PacketWithRST(); RequestMade(1, "message interrupted by RST"); ReplyMade(1, "message interrupted by RST"); 
@@ -1203,10 +1207,10 @@ int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line) version_end = version_start + 3; if ( skip_whitespace(version_end, end_of_line) != end_of_line ) HTTP_Event("crud after HTTP version is ignored", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); } else - HTTP_Event("bad_HTTP_version", new_string_val(line, end_of_line)); + HTTP_Event("bad_HTTP_version", mime::new_string_val(line, end_of_line)); } // NormalizeURI(line, end_of_uri); @@ -1230,7 +1234,7 @@ double HTTP_Analyzer::HTTP_Version(int len, const char* data) } else { - HTTP_Event("bad_HTTP_version", new_string_val(len, data)); + HTTP_Event("bad_HTTP_version", mime::new_string_val(len, data)); return 0; } } @@ -1409,20 +1413,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line) // ##TODO: some server replies with an HTML document // without a status line and a MIME header, when the // request is malformed. - HTTP_Event("bad_HTTP_reply", new_string_val(line, end_of_line)); + HTTP_Event("bad_HTTP_reply", mime::new_string_val(line, end_of_line)); return 0; } SetVersion(reply_version, HTTP_Version(end_of_line - rest, rest)); for ( ; rest < end_of_line; ++rest ) - if ( is_lws(*rest) ) + if ( mime::is_lws(*rest) ) break; if ( rest >= end_of_line ) { HTTP_Event("HTTP_reply_code_missing", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); return 0; } 
@@ -1431,20 +1435,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line) if ( rest + 3 > end_of_line ) { HTTP_Event("HTTP_reply_code_missing", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); return 0; } reply_code = HTTP_ReplyCode(rest); for ( rest += 3; rest < end_of_line; ++rest ) - if ( is_lws(*rest) ) + if ( mime::is_lws(*rest) ) break; if ( rest >= end_of_line ) { HTTP_Event("HTTP_reply_reason_phrase_missing", - new_string_val(line, end_of_line)); + mime::new_string_val(line, end_of_line)); // Tolerate missing reason phrase? return 1; } @@ -1491,7 +1495,7 @@ int HTTP_Analyzer::ExpectReplyMessageBody() return HTTP_BODY_EXPECTED; } -void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h) +void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h) { #if 0 // ### Only call ParseVersion if we're tracking versions: @@ -1508,16 +1512,16 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h) // side, and if seen assume the connection to be persistent. // This seems fairly safe - at worst, the client does indeed // send additional requests, and the server ignores them. - if ( is_orig && strcasecmp_n(h->get_name(), "connection") == 0 ) + if ( is_orig && mime::strcasecmp_n(h->get_name(), "connection") == 0 ) { - if ( strcasecmp_n(h->get_value_token(), "keep-alive") == 0 ) + if ( mime::strcasecmp_n(h->get_value_token(), "keep-alive") == 0 ) keep_alive = 1; } if ( ! is_orig && - strcasecmp_n(h->get_name(), "connection") == 0 ) + mime::strcasecmp_n(h->get_name(), "connection") == 0 ) { - if ( strcasecmp_n(h->get_value_token(), "close") == 0 ) + if ( mime::strcasecmp_n(h->get_value_token(), "close") == 0 ) connection_close = 1; } 
@@ -1540,8 +1544,8 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h) val_list* vl = new val_list(); vl->append(BuildConnVal()); vl->append(new Val(is_orig, TYPE_BOOL)); - vl->append(new_string_val(h->get_name())->ToUpper()); - vl->append(new_string_val(h->get_value())); + vl->append(mime::new_string_val(h->get_name())->ToUpper()); + vl->append(mime::new_string_val(h->get_value())); if ( DEBUG_http ) DEBUG_MSG("%.6f http_header\n", network_time); ConnectionEvent(http_header, vl); @@ -1570,7 +1574,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, while ( len > 0 ) { // Skip white space. - while ( len && is_lws(*data) ) + while ( len && mime::is_lws(*data) ) { ++data; --len; @@ -1583,7 +1587,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, // Find end of comment. const char* data_start = data; const char* eoc = - data + MIME_skip_lws_comments(len, data); + data + mime::MIME_skip_lws_comments(len, data); // Split into parts. // (This may get confused by nested comments, @@ -1593,7 +1597,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, while ( 1 ) { // Eat spaces. - while ( data < eoc && is_lws(*data) ) + while ( data < eoc && mime::is_lws(*data) ) ++data; // Find end of token. @@ -1606,7 +1610,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, break; // Delete spaces at end of token. - for ( ; eot > data && is_lws(*(eot-1)); --eot ) + for ( ; eot > data && mime::is_lws(*(eot-1)); --eot ) ; if ( data != eot && software_version_found ) @@ -1619,7 +1623,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, continue; } - offset = MIME_get_slash_token_pair(len, data, + offset = mime::MIME_get_slash_token_pair(len, data, &product, &product_version); if ( offset < 0 ) { 
@@ -1627,10 +1631,10 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host, // so we do not complain in the final version if ( num_version == 0 ) HTTP_Event("bad_HTTP_version", - new_string_val(len, data)); + mime::new_string_val(len, data)); // Try to simply skip next token. - offset = MIME_get_token(len, data, &product); + offset = mime::MIME_get_token(len, data, &product); if ( offset < 0 ) break; @@ -1694,7 +1698,7 @@ void HTTP_Analyzer::HTTP_MessageDone(int is_orig, HTTP_Message* /* message */) ReplyMade(0, "message ends normally"); } -void HTTP_Analyzer::InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, +void HTTP_Analyzer::InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, int expect_body, int64_t init_header_length) { if ( message ) @@ -1718,24 +1722,24 @@ void HTTP_Analyzer::SkipEntityData(int is_orig) msg->SkipEntityData(); } -int is_reserved_URI_char(unsigned char ch) +int analyzer::http::is_reserved_URI_char(unsigned char ch) { // see RFC 2396 (definition of URI) return strchr(";/?:@&=+$,", ch) != 0; } -int is_unreserved_URI_char(unsigned char ch) +int analyzer::http::is_unreserved_URI_char(unsigned char ch) { // see RFC 2396 (definition of URI) return isalnum(ch) || strchr("-_.!~*\'()", ch) != 0; } -void escape_URI_char(unsigned char ch, unsigned char*& p) +void analyzer::http::escape_URI_char(unsigned char ch, unsigned char*& p) { *p++ = '%'; *p++ = encode_hex((ch >> 4) & 0xf); *p++ = encode_hex(ch & 0xf); } -BroString* unescape_URI(const u_char* line, const u_char* line_end, +BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_end, analyzer::Analyzer* analyzer) { byte_vec decoded_URI = new u_char[line_end - line + 1]; diff --git a/src/analyzer/protocols/http/HTTP.h b/src/analyzer/protocols/http/HTTP.h index dae8fc1dcf..49235ae173 100644 --- a/src/analyzer/protocols/http/HTTP.h +++ b/src/analyzer/protocols/http/HTTP.h 
@@ -6,13 +6,15 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" #include "analyzer/protocols/zip/ZIP.h" -#include "MIME.h" +#include "analyzer/protocols/mime/MIME.h" #include "binpac_bro.h" #include "IPAddr.h" #include "events.bif.h" #include "HTTP.h" +namespace analyzer { namespace http { + enum CHUNKED_TRANSFER_STATE { NON_CHUNKED_TRANSFER, BEFORE_CHUNK, @@ -27,7 +29,7 @@ class HTTP_Entity; class HTTP_Message; class HTTP_Analyzer; -class HTTP_Entity : public MIME_Entity { +class HTTP_Entity : public mime::MIME_Entity { public: HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity, int expect_body); @@ -57,7 +59,7 @@ protected: int64_t header_length; int deliver_body; enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding; - ZIP_Analyzer* zip; + zip::ZIP_Analyzer* zip; MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); } @@ -68,7 +70,7 @@ protected: void SetPlainDelivery(int64_t length); - void SubmitHeader(MIME_Header* h); + void SubmitHeader(mime::MIME_Header* h); void SubmitAllHeaders(); }; @@ -89,9 +91,9 @@ enum { // HTTP_Message::EndEntity -> Message::Done // HTTP_MessageDone -> {Request,Reply}Made -class HTTP_Message : public MIME_Message { +class HTTP_Message : public mime::MIME_Message { public: - HTTP_Message(HTTP_Analyzer* analyzer, ContentLine_Analyzer* cl, + HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl, bool is_orig, int expect_body, int64_t init_header_length); ~HTTP_Message(); void Done(const int interrupted, const char* msg); 
@@ -99,16 +101,16 @@ public: int Undelivered(int64_t len); - void BeginEntity(MIME_Entity* /* entity */); - void EndEntity(MIME_Entity* entity); - void SubmitHeader(MIME_Header* h); - void SubmitAllHeaders(MIME_HeaderList& /* hlist */); + void BeginEntity(mime::MIME_Entity* /* entity */); + void EndEntity(mime::MIME_Entity* entity); + void SubmitHeader(mime::MIME_Header* h); + void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */); void SubmitData(int len, const char* buf); int RequestBuffer(int* plen, char** pbuf); void SubmitAllData(); void SubmitEvent(int event_type, const char* detail); - void SubmitTrailingHeaders(MIME_HeaderList& /* hlist */); + void SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */); void SetPlainDelivery(int64_t length); void SkipEntityData(); @@ -120,7 +122,7 @@ public: protected: HTTP_Analyzer* analyzer; - ContentLine_Analyzer* content_line; + tcp::ContentLine_Analyzer* content_line; bool is_orig; vector buffers; @@ -148,14 +150,14 @@ protected: Val* BuildMessageStat(const int interrupted, const char* msg); }; -class HTTP_Analyzer : public TCP_ApplicationAnalyzer { +class HTTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: HTTP_Analyzer(Connection* conn); ~HTTP_Analyzer(); - void Undelivered(TCP_Endpoint* sender, int seq, int len); + void Undelivered(tcp::TCP_Endpoint* sender, int seq, int len); - void HTTP_Header(int is_orig, MIME_Header* h); + void HTTP_Header(int is_orig, mime::MIME_Header* h); void HTTP_EntityData(int is_orig, const BroString* entity_data); void HTTP_MessageDone(int is_orig, HTTP_Message* message); void HTTP_Event(const char* category, const char* detail); 
@@ -171,7 +173,7 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void Undelivered(int seq, int len, bool orig); - // Overriden from TCP_ApplicationAnalyzer + // Overriden from tcp::TCP_ApplicationAnalyzer virtual void EndpointEOF(bool is_orig); virtual void ConnectionFinished(int half_finished); virtual void ConnectionReset(); @@ -192,7 +194,7 @@ protected: int HTTP_RequestLine(const char* line, const char* end_of_line); int HTTP_ReplyLine(const char* line, const char* end_of_line); - void InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, + void InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig, int expect_body, int64_t init_header_length); const char* PrefixMatch(const char* line, const char* end_of_line, @@ -244,8 +246,8 @@ protected: int reply_code; Val* reply_reason_phrase; - ContentLine_Analyzer* content_line_orig; - ContentLine_Analyzer* content_line_resp; + tcp::ContentLine_Analyzer* content_line_orig; + tcp::ContentLine_Analyzer* content_line_resp; HTTP_Message* request_message; HTTP_Message* reply_message; @@ -257,4 +259,6 @@ extern void escape_URI_char(unsigned char ch, unsigned char*& p); extern BroString* unescape_URI(const u_char* line, const u_char* line_end, analyzer::Analyzer* analyzer); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/http/Plugin.cc b/src/analyzer/protocols/http/Plugin.cc index 5dab5c3c18..a0e6e28f43 100644 --- a/src/analyzer/protocols/http/Plugin.cc +++ b/src/analyzer/protocols/http/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(HTTP) BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); - BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("HTTP", http::HTTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/http/functions.bif b/src/analyzer/protocols/http/functions.bif index 0e1c63f721..eb9caf2a9a 100644 
--- a/src/analyzer/protocols/http/functions.bif +++ b/src/analyzer/protocols/http/functions.bif @@ -20,7 +20,7 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any if ( ha ) { if ( ha->IsAnalyzer("HTTP") ) - static_cast(ha)->SkipEntityData(is_orig); + static_cast(ha)->SkipEntityData(is_orig); else reporter->Error("non-HTTP analyzer associated with connection record"); } @@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string const u_char* line = URI->Bytes(); const u_char* const line_end = line + URI->Len(); - return new StringVal(unescape_URI(line, line_end, 0)); + return new StringVal(analyzer::http::unescape_URI(line, line_end, 0)); %} diff --git a/src/analyzer/protocols/icmp/ICMP.cc b/src/analyzer/protocols/icmp/ICMP.cc index 538d25dfc3..732727d709 100644 --- a/src/analyzer/protocols/icmp/ICMP.cc +++ b/src/analyzer/protocols/icmp/ICMP.cc @@ -10,8 +10,12 @@ #include "ICMP.h" #include "Conn.h" +#include "events.bif.h" + #include +using namespace analyzer::icmp; + ICMP_Analyzer::ICMP_Analyzer(Connection* c) : TransportLayerAnalyzer("ICMP", c) { @@ -828,7 +832,7 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data) return vv; } -int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) +int analyzer::icmp::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) { is_one_way = false; @@ -855,7 +859,7 @@ int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way) } } -int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way) +int analyzer::icmp::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way) { is_one_way = false; diff --git a/src/analyzer/protocols/icmp/ICMP.h b/src/analyzer/protocols/icmp/ICMP.h index e798bd2c9b..6a9ba3282c 100644 --- a/src/analyzer/protocols/icmp/ICMP.h +++ b/src/analyzer/protocols/icmp/ICMP.h 
@@ -6,6 +6,8 @@ #include "RuleMatcher.h" #include "analyzer/Analyzer.h" +namespace analyzer { namespace icmp { + typedef enum { ICMP_INACTIVE, // no packet seen ICMP_ACTIVE, // packets seen @@ -92,4 +94,6 @@ private: extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way); extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/icmp/Plugin.cc b/src/analyzer/protocols/icmp/Plugin.cc index 517b243e24..0d3a90e168 100644 --- a/src/analyzer/protocols/icmp/Plugin.cc +++ b/src/analyzer/protocols/icmp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(ICMP) BRO_PLUGIN_DESCRIPTION("ICMP Analyzer"); - BRO_PLUGIN_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("ICMP", icmp::ICMP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/icmp/events.bif b/src/analyzer/protocols/icmp/events.bif index e69de29bb2..c471ca0ee6 100644 --- a/src/analyzer/protocols/icmp/events.bif +++ b/src/analyzer/protocols/icmp/events.bif 
@@ -0,0 +1,300 @@ +## Generated for all ICMP messages that are not handled separately with +## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages +## directly with dedicated events. This event acts as a fallback for those it +## doesn't. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard +## connection record *c*. +## +## .. bro:see:: icmp_error_message +event icmp_sent%(c: connection, icmp: icmp_conn%); + +## Generated for ICMP *echo request* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard +## connection record *c*. +## +## id: The *echo request* identifier. +## +## seq: The *echo request* sequence number. +## +## payload: The message-specific data of the packet payload, i.e., everything +## after the first 8 bytes of the ICMP header. +## +## .. bro:see:: icmp_echo_reply +event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); + +## Generated for ICMP *echo reply* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## id: The *echo reply* identifier. +## +## seq: The *echo reply* sequence number. +## +## payload: The message-specific data of the packet payload, i.e., everything +## after the first 8 bytes of the ICMP header. +## +## .. 
bro:see:: icmp_echo_request +event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); + +## Generated for all ICMPv6 error messages that are not handled +## separately with dedicated events. Bro's ICMP analyzer handles a number +## of ICMP error messages directly with dedicated events. This event acts +## as a fallback for those it doesn't. +## +## See `Wikipedia +## `__ for more +## information about the ICMPv6 protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard +## connection record *c*. +## +## code: The ICMP code of the error message. +## +## context: A record with specifics of the original packet that the message +## refers to. +## +## .. bro:see:: icmp_unreachable icmp_packet_too_big +## icmp_time_exceeded icmp_parameter_problem +event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); + +## Generated for ICMP *destination unreachable* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## code: The ICMP code of the *unreachable* message. +## +## context: A record with specifics of the original packet that the message +## refers to. *Unreachable* messages should include the original IP +## header from the packet that triggered them, and Bro parses that +## into the *context* structure. Note that if the *unreachable* +## includes only a partial IP header for some reason, no +## fields of *context* will be filled out. +## +## .. bro:see:: icmp_error_message icmp_packet_too_big +## icmp_time_exceeded icmp_parameter_problem +event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); + +## Generated for ICMPv6 *packet too big* messages. 
+## +## See `Wikipedia +## `__ for more +## information about the ICMPv6 protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## code: The ICMP code of the *too big* message. +## +## context: A record with specifics of the original packet that the message +## refers to. *Too big* messages should include the original IP header +## from the packet that triggered them, and Bro parses that into +## the *context* structure. Note that if the *too big* includes only +## a partial IP header for some reason, no fields of *context* will +## be filled out. +## +## .. bro:see:: icmp_error_message icmp_unreachable +## icmp_time_exceeded icmp_parameter_problem +event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); + +## Generated for ICMP *time exceeded* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## code: The ICMP code of the *exceeded* message. +## +## context: A record with specifics of the original packet that the message +## refers to. *Unreachable* messages should include the original IP +## header from the packet that triggered them, and Bro parses that +## into the *context* structure. Note that if the *exceeded* includes +## only a partial IP header for some reason, no fields of *context* +## will be filled out. +## +## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big +## icmp_parameter_problem +event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); + +## Generated for ICMPv6 *parameter problem* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMPv6 protocol. 
+## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## code: The ICMP code of the *parameter problem* message. +## +## context: A record with specifics of the original packet that the message +## refers to. *Parameter problem* messages should include the original +## IP header from the packet that triggered them, and Bro parses that +## into the *context* structure. Note that if the *parameter problem* +## includes only a partial IP header for some reason, no fields +## of *context* will be filled out. +## +## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big +## icmp_time_exceeded +event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); + +## Generated for ICMP *router solicitation* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## +## .. bro:see:: icmp_router_advertisement +## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect +event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%); + +## Generated for ICMP *router advertisement* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## cur_hop_limit: The default value that should be placed in Hop Count field +## for outgoing IP packets. +## +## managed: Managed address configuration flag, :rfc:`4861`. +## +## other: Other stateful configuration flag, :rfc:`4861`. 
+## +## home_agent: Mobile IPv6 home agent flag, :rfc:`3775`. +## +## pref: Router selection preferences, :rfc:`4191`. +## +## proxy: Neighbor discovery proxy flag, :rfc:`4389`. +## +## rsv: Remaining two reserved bits of router advertisement flags. +## +## router_lifetime: How long this router should be used as a default router. +## +## reachable_time: How long a neighbor should be considered reachable. +## +## retrans_timer: How long a host should wait before retransmitting. +## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## +## .. bro:see:: icmp_router_solicitation +## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect +event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%); + +## Generated for ICMP *neighbor solicitation* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## tgt: The IP address of the target of the solicitation. +## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## +## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## icmp_neighbor_advertisement icmp_redirect +event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%); + +## Generated for ICMP *neighbor advertisement* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. 
+## +## router: Flag indicating the sender is a router. +## +## solicited: Flag indicating advertisement is in response to a solicitation. +## +## override: Flag indicating advertisement should override existing caches. +## +## tgt: the Target Address in the soliciting message or the address whose +## link-layer address has changed for unsolicited adverts. +## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## +## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## icmp_neighbor_solicitation icmp_redirect +event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%); + +## Generated for ICMP *redirect* messages. +## +## See `Wikipedia +## `__ for more +## information about the ICMP protocol. +## +## c: The connection record for the corresponding ICMP flow. +## +## icmp: Additional ICMP-specific information augmenting the standard connection +## record *c*. +## +## tgt: The address that is supposed to be a better first hop to use for +## ICMP Destination Address. +## +## dest: The address of the destination which is redirected to the target. +## +## options: Any Neighbor Discovery options included with message (:rfc:`4861`). +## +## .. bro:see:: icmp_router_solicitation icmp_router_advertisement +## icmp_neighbor_solicitation icmp_neighbor_advertisement +event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%); + diff --git a/src/analyzer/protocols/ident/Ident.cc b/src/analyzer/protocols/ident/Ident.cc index e9ba679b0b..8e25775af8 100644 --- a/src/analyzer/protocols/ident/Ident.cc +++ b/src/analyzer/protocols/ident/Ident.cc 
@@ -8,13 +8,17 @@ #include "Ident.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::ident; + Ident_Analyzer::Ident_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("IDENT", conn) +: tcp::TCP_ApplicationAnalyzer("IDENT", conn) { did_bad_reply = did_deliver = 0; - orig_ident = new ContentLine_Analyzer(conn, true); - resp_ident = new ContentLine_Analyzer(conn, false); + orig_ident = new tcp::ContentLine_Analyzer(conn, true); + resp_ident = new tcp::ContentLine_Analyzer(conn, false); orig_ident->SetIsNULSensitive(true); resp_ident->SetIsNULSensitive(true); @@ -25,29 +29,29 @@ Ident_Analyzer::Ident_Analyzer(Connection* conn) void Ident_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( TCP() ) if ( (! did_deliver || orig_ident->HasPartialLine()) && - (TCP()->OrigState() == TCP_ENDPOINT_CLOSED || - TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) && - TCP()->OrigPrevState() != TCP_ENDPOINT_PARTIAL && - TCP()->RespPrevState() != TCP_ENDPOINT_PARTIAL && - TCP()->OrigPrevState() != TCP_ENDPOINT_INACTIVE && - TCP()->RespPrevState() != TCP_ENDPOINT_INACTIVE ) + (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED || + TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) && + TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_PARTIAL && + TCP()->RespPrevState() != tcp::TCP_ENDPOINT_PARTIAL && + TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_INACTIVE && + TCP()->RespPrevState() != tcp::TCP_ENDPOINT_INACTIVE ) Weird("partial_ident_request"); } void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); int remote_port, local_port; const char* line = (const char*) data; const char* orig_line = line; const char* end_of_line = line + length; - TCP_Endpoint* s = 0; + tcp::TCP_Endpoint* s = 0; if ( TCP() ) s = is_orig ? TCP()->Orig() : TCP()->Resp(); 
@@ -60,9 +64,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) line = ParsePair(line, end_of_line, remote_port, local_port); if ( ! line ) { - if ( s && s->state == TCP_ENDPOINT_CLOSED && - (s->prev_state == TCP_ENDPOINT_INACTIVE || - s->prev_state == TCP_ENDPOINT_PARTIAL) ) + if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED && + (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE || + s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) ) // not surprising the request is mangled. return; @@ -95,9 +99,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) if ( ! line || line == end_of_line || line[0] != ':' ) { - if ( s && s->state == TCP_ENDPOINT_CLOSED && - (s->prev_state == TCP_ENDPOINT_INACTIVE || - s->prev_state == TCP_ENDPOINT_PARTIAL) ) + if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED && + (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE || + s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) ) // not surprising the request is mangled. return; diff --git a/src/analyzer/protocols/ident/Ident.h b/src/analyzer/protocols/ident/Ident.h index 95383429ce..473d201e65 100644 --- a/src/analyzer/protocols/ident/Ident.h +++ b/src/analyzer/protocols/ident/Ident.h @@ -6,7 +6,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" -class Ident_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ident { + +class Ident_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Ident_Analyzer(Connection* conn); virtual void Done(); @@ -25,11 +27,13 @@ protected: void BadRequest(int length, const char* line); void BadReply(int length, const char* line); - ContentLine_Analyzer* orig_ident; - ContentLine_Analyzer* resp_ident; + tcp::ContentLine_Analyzer* orig_ident; + tcp::ContentLine_Analyzer* resp_ident; unsigned int did_deliver:1; unsigned int did_bad_reply:1; }; +} } // namespace analyzer::* + #endif 
diff --git a/src/analyzer/protocols/ident/Plugin.cc b/src/analyzer/protocols/ident/Plugin.cc index 2c7ea208cd..d0abef8280 100644 --- a/src/analyzer/protocols/ident/Plugin.cc +++ b/src/analyzer/protocols/ident/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Ident) BRO_PLUGIN_DESCRIPTION("Ident Analyzer"); - BRO_PLUGIN_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("IDENT", ident::Ident_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ident/events.bif b/src/analyzer/protocols/ident/events.bif index e69de29bb2..96a7f37a31 100644 --- a/src/analyzer/protocols/ident/events.bif +++ b/src/analyzer/protocols/ident/events.bif 
@@ -0,0 +1,63 @@ +## Generated for Ident requests. +## +## See `Wikipedia `__ for more +## information about the Ident protocol. +## +## c: The connection. +## +## lport: The request's local port. +## +## rport: The request's remote port. +## +## .. bro:see:: ident_error ident_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ident_request%(c: connection, lport: port, rport: port%); + +## Generated for Ident replies. +## +## See `Wikipedia `__ for more +## information about the Ident protocol. +## +## c: The connection. +## +## lport: The corresponding request's local port. +## +## rport: The corresponding request's remote port. +## +## user_id: The user id returned by the reply. +## +## system: The operating system returned by the reply. +## +## .. bro:see:: ident_error ident_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%); + +## Generated for Ident error replies. +## +## See `Wikipedia `__ for more +## information about the Ident protocol. +## +## c: The connection. +## +## lport: The corresponding request's local port. +## +## rport: The corresponding request's remote port. +## +## line: The error description returned by the reply. +## +## .. bro:see:: ident_reply ident_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ident_error%(c: connection, lport: port, rport: port, line: string%); + diff --git a/src/analyzer/protocols/interconn/InterConn.cc b/src/analyzer/protocols/interconn/InterConn.cc index 70860a6532..58dc6c2bf0 100644 --- a/src/analyzer/protocols/interconn/InterConn.cc +++ b/src/analyzer/protocols/interconn/InterConn.cc @@ -7,7 +7,11 @@ #include "Net.h" #include "analyzer/protocols/tcp/TCP.h" -InterConnEndpoint::InterConnEndpoint(TCP_Endpoint* e) +#include "events.bif.h" + +using namespace analyzer::interconn; + +InterConnEndpoint::InterConnEndpoint(tcp::TCP_Endpoint* e) { endp = e; max_top_seq = 0; @@ -30,7 +34,7 @@ int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen, if ( len <= 0 ) return 0; - if ( endp->state == TCP_ENDPOINT_PARTIAL ) + if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL ) is_partial = 1; int ack = endp->AckSeq() - endp->StartSeq(); @@ -153,7 +157,7 @@ int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const } InterConn_Analyzer::InterConn_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("INTERCONN", c) +: tcp::TCP_ApplicationAnalyzer("INTERCONN", c) { orig_endp = resp_endp = 0; orig_stream_pos = resp_stream_pos = 1; @@ -172,7 +176,7 @@ InterConn_Analyzer::~InterConn_Analyzer() void InterConn_Analyzer::Init() { - TCP_ApplicationAnalyzer::Init(); + tcp::TCP_ApplicationAnalyzer::Init(); assert(TCP()); orig_endp = new InterConnEndpoint(TCP()->Orig()); @@ -182,7 +186,7 @@ void InterConn_Analyzer::Init() void InterConn_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); if ( is_orig ) 
@@ -193,7 +197,7 @@ void InterConn_Analyzer::DeliverPacket(int len, const u_char* data, void InterConn_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( is_orig ) { @@ -218,7 +222,7 @@ void InterConn_Analyzer::Done() RemoveEvent(); } - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); } void InterConn_Analyzer::StatTimer(double t, int is_expire) diff --git a/src/analyzer/protocols/interconn/InterConn.h b/src/analyzer/protocols/interconn/InterConn.h index 9ee73d2ae8..c51113c156 100644 --- a/src/analyzer/protocols/interconn/InterConn.h +++ b/src/analyzer/protocols/interconn/InterConn.h @@ -7,9 +7,11 @@ #include "Timer.h" #include "NetVar.h" +namespace analyzer { namespace interconn { + class InterConnEndpoint : public BroObj { public: - InterConnEndpoint(TCP_Endpoint* e); + InterConnEndpoint(tcp::TCP_Endpoint* e); int DataSent(double t, int seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp); @@ -21,7 +23,7 @@ protected: int IsPotentialKeystrokePacket(int len) const; int IsNormalKeystrokeInterarrival(double t) const; - TCP_Endpoint* endp; + tcp::TCP_Endpoint* endp; double last_keystroke_time; int max_top_seq; uint32 num_pkts; @@ -38,7 +40,7 @@ protected: }; -class InterConn_Analyzer : public TCP_ApplicationAnalyzer { +class InterConn_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: InterConn_Analyzer(Connection* c); ~InterConn_Analyzer(); @@ -81,4 +83,6 @@ protected: InterConn_Analyzer* analyzer; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/interconn/Plugin.cc b/src/analyzer/protocols/interconn/Plugin.cc index ba80cf52af..cb4ac076af 100644 --- a/src/analyzer/protocols/interconn/Plugin.cc +++ b/src/analyzer/protocols/interconn/Plugin.cc 
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(InterConn) BRO_PLUGIN_DESCRIPTION("InterConn Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("INTERCONN", interconn::InterConn_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/interconn/events.bif b/src/analyzer/protocols/interconn/events.bif index e69de29bb2..6e859da668 100644 --- a/src/analyzer/protocols/interconn/events.bif +++ b/src/analyzer/protocols/interconn/events.bif @@ -0,0 +1,8 @@ +# ##### Deprecated events. Proposed for removal. + +## Deprecated. Will be removed. +event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%); + +## Deprecated. Will be removed. +event interconn_remove_conn%(c: connection%); + diff --git a/src/analyzer/protocols/irc/IRC.cc b/src/analyzer/protocols/irc/IRC.cc index 2411efbabb..7ac06a708f 100644 --- a/src/analyzer/protocols/irc/IRC.cc +++ b/src/analyzer/protocols/irc/IRC.cc @@ -6,11 +6,14 @@ #include "NetVar.h" #include "Event.h" #include "analyzer/protocols/zip/ZIP.h" - #include "analyzer/Manager.h" +#include "events.bif.h" + +using namespace analyzer::irc; + IRC_Analyzer::IRC_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("IRC", conn) +: tcp::TCP_ApplicationAnalyzer("IRC", conn) { invalid_msg_count = 0; invalid_msg_max_count = 20; 
@@ -18,18 +21,18 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn) resp_status = WAIT_FOR_REGISTRATION; orig_zip_status = NO_ZIP; resp_zip_status = NO_ZIP; - AddSupportAnalyzer(new ContentLine_Analyzer(conn, true)); - AddSupportAnalyzer(new ContentLine_Analyzer(conn, false)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false)); } void IRC_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); } void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); // check line size if ( length > 512 ) @@ -1158,8 +1161,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { orig_zip_status = ZIP_LOADED; resp_zip_status = ZIP_LOADED; - AddSupportAnalyzer(new ZIP_Analyzer(Conn(), true)); - AddSupportAnalyzer(new ZIP_Analyzer(Conn(), false)); + AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), true)); + AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), false)); } return; diff --git a/src/analyzer/protocols/irc/IRC.h b/src/analyzer/protocols/irc/IRC.h index 17b91f51e5..d5fa3b57e5 100644 --- a/src/analyzer/protocols/irc/IRC.h +++ b/src/analyzer/protocols/irc/IRC.h @@ -4,10 +4,12 @@ #define irc_h #include "analyzer/protocols/tcp/TCP.h" +namespace analyzer { namespace irc { + /** * \brief Main class for analyzing IRC traffic. */ -class IRC_Analyzer : public TCP_ApplicationAnalyzer { +class IRC_Analyzer : public tcp::TCP_ApplicationAnalyzer { enum { WAIT_FOR_REGISTRATION, REGISTERED, }; enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, }; public: @@ -60,4 +62,6 @@ private: }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/irc/Plugin.cc b/src/analyzer/protocols/irc/Plugin.cc index bb6ade5f1f..72b89fda0e 100644 --- a/src/analyzer/protocols/irc/Plugin.cc 
+++ b/src/analyzer/protocols/irc/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(IRC) BRO_PLUGIN_DESCRIPTION("IRC Analyzer"); - BRO_PLUGIN_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("IRC", irc::IRC_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/irc/events.bif b/src/analyzer/protocols/irc/events.bif index e69de29bb2..4e69b9ad33 100644 --- a/src/analyzer/protocols/irc/events.bif +++ b/src/analyzer/protocols/irc/events.bif 
@@ -0,0 +1,799 @@ + +## Generated for all client-side IRC commands. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: Always true. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## command: The command. +## +## arguments: The arguments for the command. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +## +## .. note:: This event is generated only for messages that originate +## at the client-side. Commands coming in from remote trigger +## the :bro:id:`irc_message` event instead. +event irc_request%(c: connection, is_orig: bool, prefix: string, + command: string, arguments: string%); + +## Generated for all IRC replies. IRC replies are sent in response to a +## request and come with a reply code. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the reply. IRC uses the prefix to +## indicate the true origin of a message. +## +## code: The reply code, as specified by the protocol. +## +## params: The reply's parameters. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_reply%(c: connection, is_orig: bool, prefix: string, + code: count, params: string%); + +## Generated for IRC commands forwarded from the server to the client. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: Always false. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## command: The command. +## +## message: TODO. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +## +## .. note:: +## +## This event is generated only for messages that are forwarded by the server +## to the client. Commands coming from client trigger the +## :bro:id:`irc_request` event instead. +event irc_message%(c: connection, is_orig: bool, prefix: string, + command: string, message: string%); + +## Generated for IRC messages of type *quit*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## nick: The nickname coming with the message. +## +## message: The text included with the message. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%); + +## Generated for IRC messages of type *privmsg*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## source: The source of the private communication. +## +## target: The target of the private communication. +## +## message: The text of communication. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_privmsg_message%(c: connection, is_orig: bool, source: string, + target: string, message: string%); + +## Generated for IRC messages of type *notice*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## source: The source of the private communication. +## +## target: The target of the private communication. +## +## message: The text of communication. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_notice_message%(c: connection, is_orig: bool, source: string, + target: string, message: string%); + +## Generated for IRC messages of type *squery*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## source: The source of the private communication. +## +## target: The target of the private communication. +## +## message: The text of communication. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_squery_message%(c: connection, is_orig: bool, source: string, + target: string, message: string%); + +## Generated for IRC messages of type *join*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## info_list: The user information coming with the command. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%); + +## Generated for IRC messages of type *part*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## nick: The nickname coming with the message. +## +## chans: The set of channels affected. +## +## message: The text coming with the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_password_message +event irc_part_message%(c: connection, is_orig: bool, nick: string, + chans: string_set, message: string%); + +## Generated for IRC messages of type *nick*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## who: The user changing its nickname. +## +## newnick: The new nickname. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%); + +## Generated when a server rejects an IRC nickname. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_invalid_nick%(c: connection, is_orig: bool%); + +## Generated for an IRC reply of type *luserclient*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## users: The number of users as returned in the reply. +## +## services: The number of services as returned in the reply. +## +## servers: The number of servers as returned in the reply. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_network_info%(c: connection, is_orig: bool, users: count, + services: count, servers: count%); + +## Generated for an IRC reply of type *luserme*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## users: The number of users as returned in the reply. +## +## services: The number of services as returned in the reply. +## +## servers: The number of servers as returned in the reply. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_server_info%(c: connection, is_orig: bool, users: count, + services: count, servers: count%); + +## Generated for an IRC reply of type *luserchannels*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## chans: The number of channels as returned in the reply. +## +## .. 
bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users +## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_channel_info%(c: connection, is_orig: bool, chans: count%); + +## Generated for an IRC reply of type *whoreply*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## target_nick: The target nickname. +## +## channel: The channel. +## +## user: The user. +## +## host: The host. +## +## server: The server. +## +## nick: The nickname. +## +## params: The parameters. +## +## hops: The hop count. +## +## real_name: The real name. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_who_line%(c: connection, is_orig: bool, target_nick: string, + channel: string, user: string, host: string, + server: string, nick: string, params: string, + hops: count, real_name: string%); + + +## Generated for an IRC reply of type *namereply*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## c_type: The channel type. +## +## channel: The channel. +## +## users: The set of users. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_names_info%(c: connection, is_orig: bool, c_type: string, + channel: string, users: string_set%); + +## Generated for an IRC reply of type *whoisoperator*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## nick: The nickname specified in the reply. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%); + +## Generated for an IRC reply of type *whoischannels*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## nick: The nickname specified in the reply. +## +## chans: The set of channels returned. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string, + chans: string_set%); + +## Generated for an IRC reply of type *whoisuser*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## nick: The nickname specified in the reply. +## +## user: The user name specified in the reply. +## +## host: The host name specified in the reply. +## +## real_name: The real name specified in the reply. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_whois_user_line%(c: connection, is_orig: bool, nick: string, + user: string, host: string, real_name: string%); + +## Generated for IRC replies of type *youreoper* and *nooperhost*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## got_oper: True if the *oper* command was executed successfully +## (*youreport*) and false otherwise (*nooperhost*). +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_part_message +## irc_password_message +event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%); + +## Generated for an IRC reply of type *globalusers*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## msg: The message coming with the reply. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%); + +## Generated for an IRC reply of type *topic*. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## channel: The channel name specified in the reply. +## +## topic: The topic specified in the reply. +## +## .. 
bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users +## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%); + +## Generated for IRC messages of type *who*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## mask: The mask specified in the message. +## +## oper: True if the operator flag was set. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%); + +## Generated for IRC messages of type *whois*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## server: TODO. +## +## users: TODO. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%); + +## Generated for IRC messages of type *oper*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## user: The user specified in the message. +## +## password: The password specified in the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_response irc_part_message +## irc_password_message +event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%); + +## Generated for IRC messages of type *kick*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## chans: The channels specified in the message. +## +## users: The users specified in the message. +## +## comment: The comment specified in the message. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_kick_message%(c: connection, is_orig: bool, prefix: string, + chans: string, users: string, comment: string%); + +## Generated for IRC messages of type *error*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## message: The textual description specified in the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users +## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%); + +## Generated for IRC messages of type *invite*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## nickname: The nickname specified in the message. +## +## channel: The channel specified in the message. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_invite_message%(c: connection, is_orig: bool, prefix: string, + nickname: string, channel: string%); + +## Generated for IRC messages of type *mode*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## params: The parameters coming with the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%); + +## Generated for IRC messages of type *squit*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## server: The server specified in the message. +## +## message: The textual description specified in the message. +## +## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_squit_message%(c: connection, is_orig: bool, prefix: string, + server: string, message: string%); + +## Generated for IRC messages of type *dcc*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## prefix: The optional prefix coming with the command. IRC uses the prefix to +## indicate the true origin of a message. +## +## target: The target specified in the message. +## +## dcc_type: The DCC type specified in the message. +## +## argument: The argument specified in the message. +## +## address: The address specified in the message. +## +## dest_port: The destination port specified in the message. +## +## size: The size specified in the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users +## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message +## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message +## irc_notice_message irc_oper_message irc_oper_response irc_part_message +## irc_password_message +event irc_dcc_message%(c: connection, is_orig: bool, + prefix: string, target: string, + dcc_type: string, argument: string, + address: addr, dest_port: count, size: count%); + +## Generated for IRC messages of type *user*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. 
+## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## user: The user specified in the message. +## +## host: The host name specified in the message. +## +## server: The server name specified in the message. +## +## real_name: The real name specified in the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message irc_password_message +event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%); + +## Generated for IRC messages of type *password*. This event is generated for +## messages coming from both the client and the server. +## +## See `Wikipedia `__ for more +## information about the IRC protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## password: The password specified in the message. +## +## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message +## irc_global_users irc_invalid_nick irc_invite_message irc_join_message +## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info +## irc_nick_message irc_notice_message irc_oper_message irc_oper_response +## irc_part_message +event irc_password_message%(c: connection, is_orig: bool, password: string%); diff --git a/src/analyzer/protocols/login/Login.cc b/src/analyzer/protocols/login/Login.cc index 2eb4900692..335b855f1d 100644 --- a/src/analyzer/protocols/login/Login.cc +++ b/src/analyzer/protocols/login/Login.cc 
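Review bot: in the IRC events.bif hunk, `irc_whois_message` is declared with `server: TODO.` and `users: TODO.` as its parameter documentation while every other event in the hunk describes each parameter; fill in what the two strings carry (or drop the placeholders) before this lands, since the generated docs will show the TODOs verbatim. Two smaller points in the same hunk: the `got_oper` description of `irc_oper_response` says `(*youreport*)` where the event summary names the reply type *youreoper*, and the `irc_user_message` declaration is the only one kept on a single long line rather than wrapped like `irc_dcc_message` and `irc_who_line`.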
@@ -10,6 +10,10 @@ #include "RE.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::login; + static RE_Matcher* re_skip_authentication = 0; static RE_Matcher* re_direct_login_prompts; static RE_Matcher* re_login_prompts; @@ -21,7 +25,7 @@ static RE_Matcher* re_login_timeouts; static RE_Matcher* init_RE(ListVal* l); Login_Analyzer::Login_Analyzer(const char* name, Connection* conn) -: TCP_ApplicationAnalyzer(name, conn) +: tcp::TCP_ApplicationAnalyzer(name, conn) { state = LOGIN_STATE_AUTHENTICATE; num_user_lines_seen = lines_scanned = 0; @@ -65,7 +69,7 @@ Login_Analyzer::~Login_Analyzer() void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); char* str = new char[length+1]; @@ -102,8 +106,8 @@ void Login_Analyzer::NewLine(bool orig, char* line) if ( state == LOGIN_STATE_AUTHENTICATE ) { - if ( TCP()->OrigState() == TCP_ENDPOINT_PARTIAL || - TCP()->RespState() == TCP_ENDPOINT_PARTIAL ) + if ( TCP()->OrigState() == tcp::TCP_ENDPOINT_PARTIAL || + TCP()->RespState() == tcp::TCP_ENDPOINT_PARTIAL ) state = LOGIN_STATE_CONFUSED; // unknown login state else { @@ -361,7 +365,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) void Login_Analyzer::EndpointEOF(bool orig) { - TCP_ApplicationAnalyzer::EndpointEOF(orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() ) { diff --git a/src/analyzer/protocols/login/Login.h b/src/analyzer/protocols/login/Login.h index 67b6a3c094..55d12c80da 100644 --- a/src/analyzer/protocols/login/Login.h +++ b/src/analyzer/protocols/login/Login.h @@ -5,6 +5,8 @@ #include "analyzer/protocols/tcp/TCP.h" +namespace analyzer { namespace login { + typedef enum { LOGIN_STATE_AUTHENTICATE, // trying to authenticate 
@@ -19,7 +21,7 @@ typedef enum { // Maximum # lines look after login for failure. #define MAX_LOGIN_LOOKAHEAD 10 -class Login_Analyzer : public TCP_ApplicationAnalyzer { +class Login_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Login_Analyzer(const char* name, Connection* conn); ~Login_Analyzer(); @@ -82,4 +84,6 @@ protected: int saw_ploy; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/NVT.cc b/src/analyzer/protocols/login/NVT.cc index d51d562bd5..2c79fd7195 100644 --- a/src/analyzer/protocols/login/NVT.cc +++ b/src/analyzer/protocols/login/NVT.cc @@ -9,6 +9,8 @@ #include "Event.h" #include "analyzer/protocols/tcp/TCP.h" +#include "events.bif.h" + #define IS_3_BYTE_OPTION(c) (c >= 251 && c <= 254) #define TELNET_OPT_SB 250 @@ -24,6 +26,8 @@ #define TELNET_IAC 255 +using namespace analyzer::login; + TelnetOption::TelnetOption(NVT_Analyzer* arg_endp, unsigned int arg_code) { endp = arg_endp; @@ -287,7 +291,7 @@ void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len) break; } - static_cast + static_cast (endp->Parent())->SetEnv(endp->IsOrig(), var_name, var_val); } @@ -360,7 +364,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */) NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig) -: ContentLine_Analyzer("NVT", conn, orig) +: tcp::ContentLine_Analyzer("NVT", conn, orig) { peer = 0; is_suboption = last_was_IAC = pending_IAC = 0; diff --git a/src/analyzer/protocols/login/NVT.h b/src/analyzer/protocols/login/NVT.h index da97a251f0..dea4c90ad5 100644 --- a/src/analyzer/protocols/login/NVT.h +++ b/src/analyzer/protocols/login/NVT.h @@ -5,7 +5,6 @@ #include "analyzer/protocols/tcp/ContentLine.h" - #define TELNET_OPTION_BINARY 0 #define TELNET_OPTION_TERMINAL 24 #define TELNET_OPTION_AUTHENTICATE 37 @@ -13,8 +12,9 @@ #define TELNET_OPTION_ENVIRON 39 #define NUM_TELNET_OPTIONS 5 -class NVT_Analyzer; +namespace analyzer { namespace login { +class NVT_Analyzer; class TelnetOption { public: 
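Review bot: the `@@ -5,7 +5,6 @@` hunk in NVT.h only deletes the blank line after `#include "analyzer/protocols/tcp/ContentLine.h"`; that is whitespace churn unrelated to the namespace move and makes an already large patch noisier to review, so either leave the line alone or keep such cleanups for a separate commit.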
@@ -123,7 +123,7 @@ protected: void InconsistentOption(unsigned int type); }; -class NVT_Analyzer : public ContentLine_Analyzer { +class NVT_Analyzer : public tcp::ContentLine_Analyzer { public: NVT_Analyzer(Connection* conn, bool orig); ~NVT_Analyzer(); @@ -170,4 +170,6 @@ protected: int num_options; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/Plugin.cc b/src/analyzer/protocols/login/Plugin.cc index 10166783c0..3f98f99d2c 100644 --- a/src/analyzer/protocols/login/Plugin.cc +++ b/src/analyzer/protocols/login/Plugin.cc @@ -8,11 +8,11 @@ BRO_PLUGIN_BEGIN(Login) BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin Analyzer"); - BRO_PLUGIN_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("NVT", 0); - BRO_PLUGIN_ANALYZER("Login", 0); + BRO_PLUGIN_ANALYZER("TELNET", login::Telnet_Analyzer); + BRO_PLUGIN_ANALYZER("RSH", login::Rsh_Analyzer); + BRO_PLUGIN_ANALYZER("RLOGIN", login::Rlogin_Analyzer); + BRO_PLUGIN_ANALYZER_BARE("NVT"); + BRO_PLUGIN_ANALYZER_BARE("Login"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rlogin"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocols/login/RSH.cc b/src/analyzer/protocols/login/RSH.cc index 09d403fe59..1890fc3098 100644 --- a/src/analyzer/protocols/login/RSH.cc +++ b/src/analyzer/protocols/login/RSH.cc @@ -6,12 +6,15 @@ #include "Event.h" #include "RSH.h" +#include "events.bif.h" + +using namespace analyzer::login; // FIXME: this code should probably be merged with Rlogin.cc. Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* arg_analyzer) -: ContentLine_Analyzer("CONTENTS_RSH", conn, orig) +: tcp::ContentLine_Analyzer("CONTENTS_RSH", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; 
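Review bot: the Plugin.cc hunk switches `BRO_PLUGIN_ANALYZER("TELNET", ...)`, `("RSH", ...)` and `("RLOGIN", ...)` from passing `Telnet_Analyzer::InstantiateAnalyzer` to passing the class `login::Telnet_Analyzer`, and replaces the `0` factory entries with `BRO_PLUGIN_ANALYZER_BARE("NVT")` and `BRO_PLUGIN_ANALYZER_BARE("Login")`, yet Telnet.h and Rlogin.h in this same patch still define `InstantiateAnalyzer` (`{ return new Telnet_Analyzer(conn); }`). Either the macro now reaches that static method by naming convention, in which case the convention should be stated next to the macro so a plugin author knows the class must provide it, or the methods are now dead and should go; a one-line comment at the `BRO_PLUGIN_ANALYZER` use would settle which.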
@@ -28,7 +31,7 @@ Contents_Rsh_Analyzer::~Contents_Rsh_Analyzer() void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) { - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); assert(tcp); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); @@ -42,10 +45,10 @@ void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data) switch ( state ) { case RSH_FIRST_NULL: - if ( endp_state == TCP_ENDPOINT_PARTIAL || + if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == TCP_ENDPOINT_CLOSED ) + endp_state == tcp::TCP_ENDPOINT_CLOSED ) { state = RSH_UNKNOWN; ++len, --data; // put back c and reprocess diff --git a/src/analyzer/protocols/login/RSH.h b/src/analyzer/protocols/login/RSH.h index 80cc4a6559..2738060a9f 100644 --- a/src/analyzer/protocols/login/RSH.h +++ b/src/analyzer/protocols/login/RSH.h @@ -6,6 +6,8 @@ #include "Login.h" #include "analyzer/protocols/tcp/ContentLine.h" +namespace analyzer { namespace login { + typedef enum { RSH_FIRST_NULL, // waiting to see first NUL RSH_CLIENT_USER_NAME, // scanning client user name up to NUL @@ -21,7 +23,7 @@ typedef enum { class Rsh_Analyzer; -class Contents_Rsh_Analyzer : public ContentLine_Analyzer { +class Contents_Rsh_Analyzer : public tcp::ContentLine_Analyzer { public: Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* analyzer); ~Contents_Rsh_Analyzer(); @@ -54,4 +56,6 @@ public: Contents_Rsh_Analyzer* contents_resp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/Rlogin.cc b/src/analyzer/protocols/login/Rlogin.cc index b09e24d2cb..9a31a47aa1 100644 --- a/src/analyzer/protocols/login/Rlogin.cc +++ b/src/analyzer/protocols/login/Rlogin.cc 
@@ -6,9 +6,12 @@ #include "Event.h" #include "Rlogin.h" +#include "events.bif.h" + +using namespace analyzer::login; Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer) -: ContentLine_Analyzer("CONTENTLINE", conn, orig) +: tcp::ContentLine_Analyzer("CONTENTLINE", conn, orig) { num_bytes_to_scan = 0; analyzer = arg_analyzer; @@ -26,7 +29,7 @@ Contents_Rlogin_Analyzer::~Contents_Rlogin_Analyzer() void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) { - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); assert(tcp); int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState(); @@ -40,10 +43,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) switch ( state ) { case RLOGIN_FIRST_NULL: - if ( endp_state == TCP_ENDPOINT_PARTIAL || + if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == TCP_ENDPOINT_CLOSED ) + endp_state == tcp::TCP_ENDPOINT_CLOSED ) { state = RLOGIN_UNKNOWN; ++len, --data; // put back c and reprocess @@ -85,10 +88,10 @@ void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data) break; case RLOGIN_SERVER_ACK: - if ( endp_state == TCP_ENDPOINT_PARTIAL || + if ( endp_state == tcp::TCP_ENDPOINT_PARTIAL || // We can be in closed if the data's due to // a dataful FIN being the first thing we see. - endp_state == TCP_ENDPOINT_CLOSED ) + endp_state == tcp::TCP_ENDPOINT_CLOSED ) { state = RLOGIN_UNKNOWN; ++len, --data; // put back c and reprocess diff --git a/src/analyzer/protocols/login/Rlogin.h b/src/analyzer/protocols/login/Rlogin.h index 0ad72b1908..c4cdfd7516 100644 --- a/src/analyzer/protocols/login/Rlogin.h +++ b/src/analyzer/protocols/login/Rlogin.h 
@@ -6,6 +6,8 @@ #include "Login.h" #include "analyzer/protocols/tcp/ContentLine.h" +namespace analyzer { namespace login { + typedef enum { RLOGIN_FIRST_NULL, // waiting to see first NUL RLOGIN_CLIENT_USER_NAME, // scanning client user name up to NUL @@ -29,7 +31,7 @@ typedef enum { class Rlogin_Analyzer; -class Contents_Rlogin_Analyzer : public ContentLine_Analyzer { +class Contents_Rlogin_Analyzer : public tcp::ContentLine_Analyzer { public: Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* analyzer); @@ -64,4 +66,6 @@ public: { return new Rlogin_Analyzer(conn); } }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/Telnet.cc b/src/analyzer/protocols/login/Telnet.cc index 47991177f2..c22b2afc5e 100644 --- a/src/analyzer/protocols/login/Telnet.cc +++ b/src/analyzer/protocols/login/Telnet.cc @@ -5,6 +5,10 @@ #include "Telnet.h" #include "NVT.h" +#include "events.bif.h" + +using namespace analyzer::login; + Telnet_Analyzer::Telnet_Analyzer(Connection* conn) : Login_Analyzer("TELNET", conn) { diff --git a/src/analyzer/protocols/login/Telnet.h b/src/analyzer/protocols/login/Telnet.h index 290382846b..a13fe230af 100644 --- a/src/analyzer/protocols/login/Telnet.h +++ b/src/analyzer/protocols/login/Telnet.h @@ -5,6 +5,8 @@ #include "Login.h" +namespace analyzer { namespace login { + class Telnet_Analyzer : public Login_Analyzer { public: Telnet_Analyzer(Connection* conn); @@ -14,4 +16,6 @@ public: { return new Telnet_Analyzer(conn); } }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/login/events.bif b/src/analyzer/protocols/login/events.bif index e69de29bb2..084f53eaad 100644 --- a/src/analyzer/protocols/login/events.bif +++ b/src/analyzer/protocols/login/events.bif 
@@ -0,0 +1,395 @@ +## Generated for client side commands on an RSH connection. +## +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. +## +## c: The connection. +## +## client_user: The client-side user name as sent in the initial protocol +## handshake. +## +## server_user: The server-side user name as sent in the initial protocol +## handshake. +## +## line: The command line sent in the request. +## +## new_session: True if this is the first command of the Rsh session. +## +## .. bro:see:: rsh_reply login_confused login_confused_text login_display +## login_failure login_input_line login_output_line login_prompt login_success +## login_terminal +## +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%); + +## Generated for client side commands on an RSH connection. +## +## See `RFC 1258 `__ for more information +## about the Rlogin/Rsh protocol. +## +## c: The connection. +## +## client_user: The client-side user name as sent in the initial protocol +## handshake. +## +## server_user: The server-side user name as sent in the initial protocol +## handshake. +## +## line: The command line sent in the request. +## +## .. bro:see:: rsh_request login_confused login_confused_text login_display +## login_failure login_input_line login_output_line login_prompt login_success +## login_terminal +## +## .. note:: For historical reasons, these events are separate from the +## ``login_`` events. Ideally, they would all be handled uniquely. +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%); + +## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects +## Telnet/Rlogin sessions to heuristically extract username and password +## information as well as the text returned by the login server. This event is +## raised if a login attempt appears to have been unsuccessful. +## +## c: The connection. +## +## user: The user name tried. +## +## client_user: For Telnet connections, this is an empty string, but for Rlogin +## connections, it is the client name passed in the initial authentication +## information (to check against .rhosts). +## +## password: The password tried. +## +## line: The line of text that led the analyzer to conclude that the +## authentication had failed. +## +## .. bro:see:: login_confused login_confused_text login_display login_input_line +## login_output_line login_prompt login_success login_terminal direct_login_prompts +## get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs +## login_timeouts set_login_state +## +## .. note:: The login analyzer depends on a set of script-level variables that +## need to be configured with patterns identifying login attempts. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. 
+event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); + +## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects +## Telnet/Rlogin sessions to heuristically extract username and password +## information as well as the text returned by the login server. This event is +## raised if a login attempt appears to have been successful. +## +## c: The connection. +## +## user: The user name used. +## +## client_user: For Telnet connections, this is an empty string, but for Rlogin +## connections, it is the client name passed in the initial authentication +## information (to check against .rhosts). +## +## password: The password used. +## +## line: The line of text that led the analyzer to conclude that the +## authentication had succeeded. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_output_line login_prompt login_terminal +## direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs +## login_prompts login_success_msgs login_timeouts set_login_state +## +## .. note:: The login analyzer depends on a set of script-level variables that +## need to be configured with patterns identifying login attempts. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); + +## Generated for lines of input on Telnet/Rlogin sessions. The line will have +## control characters (such as in-band Telnet options) removed. 
+## +## c: The connection. +## +## line: The input line. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_output_line login_prompt login_success login_terminal rsh_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_input_line%(c: connection, line: string%); + +## Generated for lines of output on Telnet/Rlogin sessions. The line will have +## control characters (such as in-band Telnet options) removed. +## +## c: The connection. +## +## line: The ouput line. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_prompt login_success login_terminal rsh_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_output_line%(c: connection, line: string%); + +## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's +## *login* analyzer uses a number of heuristics to extract authentication +## information, it may become confused. If it can no longer correctly track +## the authentication dialog, it raises this event. +## +## c: The connection. +## +## msg: Gives the particular problem the heuristics detected (for example, +## ``multiple_login_prompts`` means that the engine saw several login +## prompts in a row, without the type-ahead from the client side presumed +## necessary to cause them) +## +## line: The line of text that caused the heuristics to conclude they were +## confused. +## +## .. 
bro:see:: login_confused_text login_display login_failure login_input_line login_output_line +## login_prompt login_success login_terminal direct_login_prompts get_login_state +## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs +## login_timeouts set_login_state +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_confused%(c: connection, msg: string, line: string%); + +## Generated after getting confused while tracking a Telnet/Rlogin +## authentication dialog. The *login* analyzer generates this even for every +## line of user input after it has reported :bro:id:`login_confused` for a +## connection. +## +## c: The connection. +## +## line: The line the user typed. +## +## .. bro:see:: login_confused login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal direct_login_prompts +## get_login_state login_failure_msgs login_non_failure_msgs login_prompts +## login_success_msgs login_timeouts set_login_state +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_confused_text%(c: connection, line: string%); + +## Generated for clients transmitting a terminal type in a Telnet session. This +## information is extracted out of environment variables sent as Telnet options. +## +## c: The connection. +## +## terminal: The TERM value transmitted. +## +## .. 
bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_output_line login_prompt login_success +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_terminal%(c: connection, terminal: string%); + +## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This +## information is extracted out of environment variables sent as Telnet options. +## +## c: The connection. +## +## display: The DISPLAY transmitted. +## +## .. bro:see:: login_confused login_confused_text login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_display%(c: connection, display: string%); + +## Generated when a Telnet authentication has been successful. The Telnet +## protocol includes options for negotiating authentication. When such an +## option is sent from client to server and the server replies that it accepts +## the authentication, then the event engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## name: The authenticated name. +## +## c: The connection. +## +## .. bro:see:: authentication_rejected authentication_skipped login_success +## +## .. note:: This event inspects the corresponding Telnet option +## while :bro:id:`login_success` heuristically determines success by watching +## session data. +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event authentication_accepted%(name: string, c: connection%); + +## Generated when a Telnet authentication has been unsuccessful. The Telnet +## protocol includes options for negotiating authentication. When such an option +## is sent from client to server and the server replies that it did not accept +## the authentication, then the event engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## name: The attempted authentication name. +## +## c: The connection. +## +## .. bro:see:: authentication_accepted authentication_skipped login_failure +## +## .. note:: This event inspects the corresponding Telnet option +## while :bro:id:`login_success` heuristically determines failure by watching +## session data. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event authentication_rejected%(name: string, c: connection%); + +## Generated for Telnet/Rlogin sessions when a pattern match indicates +## that no authentication is performed. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts +## get_login_state login_failure_msgs login_non_failure_msgs login_prompts +## login_success_msgs login_timeouts set_login_state +## +## .. 
note:: The login analyzer depends on a set of script-level variables that +## need to be configured with patterns identifying activity. This +## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and +## the analyzer is therefore not directly usable at the moment. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event authentication_skipped%(c: connection%); + +## Generated for clients transmitting a terminal prompt in a Telnet session. +## This information is extracted out of environment variables sent as Telnet +## options. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## prompt: The TTYPROMPT transmitted. +## +## .. bro:see:: login_confused login_confused_text login_display login_failure +## login_input_line login_output_line login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event login_prompt%(c: connection, prompt: string%); + +## Generated for Telnet sessions when encryption is activated. The Telnet +## protocol includes options for negotiating encryption. When such a series of +## options is successfully negotiated, the event engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. 
bro:see:: authentication_accepted authentication_rejected authentication_skipped +## login_confused login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +event activating_encryption%(c: connection%); + +## Generated for an inconsistent Telnet option. Telnet options are specified +## by the client and server stating which options they are willing to +## support vs. which they are not, and then instructing one another which in +## fact they should or should not use for the current connection. If the event +## engine sees a peer violate either what the other peer has instructed it to +## do, or what it itself offered in terms of options in the past, then the +## engine generates this event. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: bad_option bad_option_termination authentication_accepted +## authentication_rejected authentication_skipped login_confused +## login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +event inconsistent_option%(c: connection%); + +## Generated for an ill-formed or unrecognized Telnet option. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted +## authentication_rejected authentication_skipped login_confused +## login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. 
+event bad_option%(c: connection%); + +## Generated for a Telnet option that's incorrectly terminated. +## +## See `Wikipedia `__ for more information +## about the Telnet protocol. +## +## c: The connection. +## +## .. bro:see:: inconsistent_option bad_option authentication_accepted +## authentication_rejected authentication_skipped login_confused +## login_confused_text login_display login_failure login_input_line +## login_output_line login_prompt login_success login_terminal +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event bad_option_termination%(c: connection%); diff --git a/src/analyzer/protocols/mime/CMakeLists.txt b/src/analyzer/protocols/mime/CMakeLists.txt new file mode 100644 index 0000000000..1df45cd395 --- /dev/null +++ b/src/analyzer/protocols/mime/CMakeLists.txt @@ -0,0 +1,15 @@ + +# This is not an actual analyzer, but used by others. We still +# maintain it here along with the other analyzers because conceptually +# it's also parsing a protocol just like them. The current structure +# is merely a left-over from when this code was written. + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(MIME) +bro_plugin_cc(MIME.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() + diff --git a/src/MIME.cc b/src/analyzer/protocols/mime/MIME.cc similarity index 99% rename from src/MIME.cc rename to src/analyzer/protocols/mime/MIME.cc index 011857ee6e..3a6a1ace13 100644 --- a/src/MIME.cc +++ b/src/analyzer/protocols/mime/MIME.cc @@ -6,6 +6,8 @@ #include "Reporter.h" #include "digest.h" +#include "events.bif.h" + // Here are a few things to do: // // 1. Add a Bro internal function 'stop_deliver_data_of_entity' so 
@@ -16,44 +18,10 @@ // headers of form: =; =; // =; ... (so that +namespace analyzer { namespace mime { + static const data_chunk_t null_data_chunk = { 0, 0 }; -int is_null_data_chunk(data_chunk_t b) - { - return b.data == 0; - } - -int fputs(data_chunk_t b, FILE* fp) - { - for ( int i = 0; i < b.length; ++i ) - if ( fputc(b.data[i], fp) == EOF ) - return EOF; - return 0; - } - -StringVal* new_string_val(int length, const char* data) - { - return new StringVal(length, data); - } - -StringVal* new_string_val(const char* data, const char* end_of_data) - { - return new StringVal(end_of_data - data, data); - } - -StringVal* new_string_val(const data_chunk_t buf) - { - return new_string_val(buf.length, buf.data); - } - -data_chunk_t get_data_chunk(BroString* s) - { - data_chunk_t b; - b.length = s->Len(); - b.data = (const char*) s->Bytes(); - return b; - } - int mime_header_only = 0; int mime_decode_data = 1; int mime_submit_data = 1; 
@@ -129,6 +97,319 @@ static const char* MIMEContentEncodingName[] = { 0, }; +int is_null_data_chunk(data_chunk_t b) + { + return b.data == 0; + } + +int is_lws(char ch) + { + return ch == 9 || ch == 32; + } + +StringVal* new_string_val(int length, const char* data) + { + return new StringVal(length, data); + } + +StringVal* new_string_val(const char* data, const char* end_of_data) + { + return new StringVal(end_of_data - data, data); + } + +StringVal* new_string_val(const data_chunk_t buf) + { + return new_string_val(buf.length, buf.data); + } + +static data_chunk_t get_data_chunk(BroString* s) + { + data_chunk_t b; + b.length = s->Len(); + b.data = (const char*) s->Bytes(); + return b; + } + +int fputs(data_chunk_t b, FILE* fp) + { + for ( int i = 0; i < b.length; ++i ) + if ( fputc(b.data[i], fp) == EOF ) + return EOF; + return 0; + } + +int strcasecmp_n(data_chunk_t s, const char* t) + { + return ::strcasecmp_n(s.length, s.data, t); + } + +int MIME_count_leading_lws(int len, const char* data) + { + int i; + for ( i = 0; i < len; ++i ) + if ( ! is_lws(data[i]) ) + break; + return i; + } + +int MIME_count_trailing_lws(int len, const char* data) + { + int i; + for ( i = 0; i < len; ++i ) + if ( ! is_lws(data[len - 1 - i]) ) + break; + return i; + } + +// See RFC 2822, page 11 +int MIME_skip_comments(int len, const char* data) + { + if ( len == 0 || data[0] != '(' ) + return 0; + + int par = 0; + for ( int i = 0; i < len; ++i ) + { + switch ( data[i] ) { + case '(': + ++par; + break; + + case ')': + --par; + if ( par == 0 ) + return i + 1; + break; + + case '\\': + ++i; + break; + } + } + + return len; + } + +// Skip over lws and comments, but not tspecials. Do not use this +// function in quoted-string or comments. 
+int MIME_skip_lws_comments(int len, const char* data) + { + int i = 0; + while ( i < len ) + { + if ( is_lws(data[i]) ) + ++i; + else + { + if ( data[i] == '(' ) + i += MIME_skip_comments(len - i, data + i); + else + return i; + } + } + + return len; + } + +int MIME_get_field_name(int len, const char* data, data_chunk_t* name) + { + int i = MIME_skip_lws_comments(len, data); + while ( i < len ) + { + int j; + if ( MIME_is_field_name_char(data[i]) ) + { + name->data = data + i; + + for ( j = i; j < len; ++j ) + if ( ! MIME_is_field_name_char(data[j]) ) + break; + + name->length = j - i; + return j; + } + + j = MIME_skip_lws_comments(len - i, data + i); + i += (j > 0) ? j : 1; + } + + return -1; + } + +// See RFC 2045, page 12. +int MIME_is_tspecial (char ch) + { + return ch == '(' || ch == ')' || ch == '<' || ch == '>' || ch == '@' || + ch == ',' || ch == ';' || ch == ':' || ch == '\\' || ch == '"' || + ch == '/' || ch == '[' || ch == ']' || ch == '?' || ch == '='; + } + +int MIME_is_field_name_char (char ch) + { + return ch >= 33 && ch <= 126 && ch != ':'; + } + +int MIME_is_token_char (char ch) + { + return ch >= 33 && ch <= 126 && ! MIME_is_tspecial(ch); + } + +// See RFC 2045, page 12. +// A token is composed of characters that are not SPACE, CTLs or tspecials +int MIME_get_token(int len, const char* data, data_chunk_t* token) + { + int i = MIME_skip_lws_comments(len, data); + while ( i < len ) + { + int j; + + if ( MIME_is_token_char(data[i]) ) + { + token->data = (data + i); + for ( j = i; j < len; ++j ) + { + if ( ! MIME_is_token_char(data[j]) ) + break; + } + + token->length = j - i; + return j; + } + + j = MIME_skip_lws_comments(len - i, data + i); + i += (j > 0) ? 
j : 1; + } + + return -1; + } + +int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second) + { + int offset; + const char* data_start = data; + + offset = MIME_get_token(len, data, first); + if ( offset < 0 ) + { + // DEBUG_MSG("first token missing in slash token pair"); + return -1; + } + + data += offset; + len -= offset; + + offset = MIME_skip_lws_comments(len, data); + if ( offset < 0 || offset >= len || data[offset] != '/' ) + { + // DEBUG_MSG("/ not found in slash token pair"); + return -1; + } + + ++offset; + data += offset; + len -= offset; + + offset = MIME_get_token(len, data, second); + if ( offset < 0 ) + { + // DEBUG_MSG("second token missing in slash token pair"); + return -1; + } + + data += offset; + len -= offset; + + return data - data_start; + } + +// See RFC 2822, page 13. +int MIME_get_quoted_string(int len, const char* data, data_chunk_t* str) + { + int offset = MIME_skip_lws_comments(len, data); + + len -= offset; + data += offset; + + if ( len <= 0 || *data != '"' ) + return -1; + + for ( int i = 1; i < len; ++i ) + { + switch ( data[i] ) { + case '"': + str->data = data + 1; + str->length = i - 1; + return offset + i + 1; + + case '\\': + ++i; + break; + } + } + + return -1; + } + +int MIME_get_value(int len, const char* data, BroString*& buf) + { + int offset = MIME_skip_lws_comments(len, data); + + len -= offset; + data += offset; + + if ( len > 0 && *data == '"' ) + { + data_chunk_t str; + int end = MIME_get_quoted_string(len, data, &str); + if ( end < 0 ) + return -1; + + buf = MIME_decode_quoted_pairs(str); + return offset + end; + } + + else + { + data_chunk_t str; + int end = MIME_get_token(len, data, &str); + if ( end < 0 ) + return -1; + + buf = new BroString((const u_char*)str.data, str.length, 1); + return offset + end; + } + } + +// Decode each quoted-pair: a '\' followed by a character by the +// quoted character. The decoded string is returned. 
+ +BroString* MIME_decode_quoted_pairs(data_chunk_t buf) + { + const char* data = buf.data; + char* dest = new char[buf.length+1]; + int j = 0; + for ( int i = 0; i < buf.length; ++i ) + if ( data[i] == '\\' ) + { + if ( ++i < buf.length ) + dest[j++] = data[i]; + else + { + // a trailing '\' -- don't know what + // to do with it -- ignore it. + } + } + else + dest[j++] = data[i]; + dest[j] = 0; + + return new BroString(1, (byte_vec) dest, j); + } + + +} } // namespace analyzer::* + +using namespace analyzer::mime; MIME_Multiline::MIME_Multiline() { 
@@ -1193,276 +1474,3 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail) } } - -int strcasecmp_n(data_chunk_t s, const char* t) - { - return strcasecmp_n(s.length, s.data, t); - } - -int is_lws(char ch) - { - return ch == 9 || ch == 32; - } - -int MIME_count_leading_lws(int len, const char* data) - { - int i; - for ( i = 0; i < len; ++i ) - if ( ! is_lws(data[i]) ) - break; - return i; - } - -int MIME_count_trailing_lws(int len, const char* data) - { - int i; - for ( i = 0; i < len; ++i ) - if ( ! is_lws(data[len - 1 - i]) ) - break; - return i; - } - -// See RFC 2822, page 11 -int MIME_skip_comments(int len, const char* data) - { - if ( len == 0 || data[0] != '(' ) - return 0; - - int par = 0; - for ( int i = 0; i < len; ++i ) - { - switch ( data[i] ) { - case '(': - ++par; - break; - - case ')': - --par; - if ( par == 0 ) - return i + 1; - break; - - case '\\': - ++i; - break; - } - } - - return len; - } - -// Skip over lws and comments, but not tspecials. Do not use this -// function in quoted-string or comments. -int MIME_skip_lws_comments(int len, const char* data) - { - int i = 0; - while ( i < len ) - { - if ( is_lws(data[i]) ) - ++i; - else - { - if ( data[i] == '(' ) - i += MIME_skip_comments(len - i, data + i); - else - return i; - } - } - - return len; - } - -int MIME_get_field_name(int len, const char* data, data_chunk_t* name) - { - int i = MIME_skip_lws_comments(len, data); - while ( i < len ) - { - int j; - if ( MIME_is_field_name_char(data[i]) ) - { - name->data = data + i; - - for ( j = i; j < len; ++j ) - if ( ! MIME_is_field_name_char(data[j]) ) - break; - - name->length = j - i; - return j; - } - - j = MIME_skip_lws_comments(len - i, data + i); - i += (j > 0) ? j : 1; - } - - return -1; - } - -// See RFC 2045, page 12. 
-int MIME_is_tspecial (char ch) - { - return ch == '(' || ch == ')' || ch == '<' || ch == '>' || ch == '@' || - ch == ',' || ch == ';' || ch == ':' || ch == '\\' || ch == '"' || - ch == '/' || ch == '[' || ch == ']' || ch == '?' || ch == '='; - } - -int MIME_is_field_name_char (char ch) - { - return ch >= 33 && ch <= 126 && ch != ':'; - } - -int MIME_is_token_char (char ch) - { - return ch >= 33 && ch <= 126 && ! MIME_is_tspecial(ch); - } - -// See RFC 2045, page 12. -// A token is composed of characters that are not SPACE, CTLs or tspecials -int MIME_get_token(int len, const char* data, data_chunk_t* token) - { - int i = MIME_skip_lws_comments(len, data); - while ( i < len ) - { - int j; - - if ( MIME_is_token_char(data[i]) ) - { - token->data = (data + i); - for ( j = i; j < len; ++j ) - { - if ( ! MIME_is_token_char(data[j]) ) - break; - } - - token->length = j - i; - return j; - } - - j = MIME_skip_lws_comments(len - i, data + i); - i += (j > 0) ? j : 1; - } - - return -1; - } - -int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second) - { - int offset; - const char* data_start = data; - - offset = MIME_get_token(len, data, first); - if ( offset < 0 ) - { - // DEBUG_MSG("first token missing in slash token pair"); - return -1; - } - - data += offset; - len -= offset; - - offset = MIME_skip_lws_comments(len, data); - if ( offset < 0 || offset >= len || data[offset] != '/' ) - { - // DEBUG_MSG("/ not found in slash token pair"); - return -1; - } - - ++offset; - data += offset; - len -= offset; - - offset = MIME_get_token(len, data, second); - if ( offset < 0 ) - { - // DEBUG_MSG("second token missing in slash token pair"); - return -1; - } - - data += offset; - len -= offset; - - return data - data_start; - } - -// See RFC 2822, page 13. 
-int MIME_get_quoted_string(int len, const char* data, data_chunk_t* str) - { - int offset = MIME_skip_lws_comments(len, data); - - len -= offset; - data += offset; - - if ( len <= 0 || *data != '"' ) - return -1; - - for ( int i = 1; i < len; ++i ) - { - switch ( data[i] ) { - case '"': - str->data = data + 1; - str->length = i - 1; - return offset + i + 1; - - case '\\': - ++i; - break; - } - } - - return -1; - } - -int MIME_get_value(int len, const char* data, BroString*& buf) - { - int offset = MIME_skip_lws_comments(len, data); - - len -= offset; - data += offset; - - if ( len > 0 && *data == '"' ) - { - data_chunk_t str; - int end = MIME_get_quoted_string(len, data, &str); - if ( end < 0 ) - return -1; - - buf = MIME_decode_quoted_pairs(str); - return offset + end; - } - - else - { - data_chunk_t str; - int end = MIME_get_token(len, data, &str); - if ( end < 0 ) - return -1; - - buf = new BroString((const u_char*)str.data, str.length, 1); - return offset + end; - } - } - -// Decode each quoted-pair: a '\' followed by a character by the -// quoted character. The decoded string is returned. - -BroString* MIME_decode_quoted_pairs(data_chunk_t buf) - { - const char* data = buf.data; - char* dest = new char[buf.length+1]; - int j = 0; - for ( int i = 0; i < buf.length; ++i ) - if ( data[i] == '\\' ) - { - if ( ++i < buf.length ) - dest[j++] = data[i]; - else - { - // a trailing '\' -- don't know what - // to do with it -- ignore it. - } - } - else - dest[j++] = data[i]; - dest[j] = 0; - - return new BroString(1, (byte_vec) dest, j); - } diff --git a/src/MIME.h b/src/analyzer/protocols/mime/MIME.h similarity index 99% rename from src/MIME.h rename to src/analyzer/protocols/mime/MIME.h index 3f8c3281fc..d6ef2b5375 100644 --- a/src/MIME.h +++ b/src/analyzer/protocols/mime/MIME.h 
@@ -12,6 +12,8 @@ using namespace std; #include "BroString.h" #include "analyzer/Analyzer.h" +namespace analyzer { namespace mime { + // MIME: Multipurpose Internet Mail Extensions // Follows RFC 822 & 2822 (Internet Mail), 2045-2049 (MIME) // See related files: SMTP.h and SMTP.cc @@ -273,4 +275,6 @@ extern int MIME_get_value(int len, const char* data, BroString*& buf); extern int MIME_get_field_name(int len, const char* data, data_chunk_t* name); extern BroString* MIME_decode_quoted_pairs(data_chunk_t buf); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/mime/Plugin.cc b/src/analyzer/protocols/mime/Plugin.cc new file mode 100644 index 0000000000..98dee2a2eb --- /dev/null +++ b/src/analyzer/protocols/mime/Plugin.cc @@ -0,0 +1,7 @@ + +#include "plugin/Plugin.h" + +BRO_PLUGIN_BEGIN(MIME) + BRO_PLUGIN_DESCRIPTION("MIME Parsing Code"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/mime/events.bif b/src/analyzer/protocols/mime/events.bif new file mode 100644 index 0000000000..e9e5f66fda --- /dev/null +++ b/src/analyzer/protocols/mime/events.bif 
@@ -0,0 +1,196 @@ +## Generated when starting to parse an email MIME entity. MIME is a +## protocol-independent data format for encoding text and files, along with +## corresponding metadata, for transmission. Bro raises this event when it +## begins parsing a MIME entity extracted from an email protocol. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## .. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data +## http_begin_entity +## +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_begin_entity` instead. +event mime_begin_entity%(c: connection%); + +## Generated when finishing parsing an email MIME entity. MIME is a +## protocol-independent data format for encoding text and files, along with +## corresponding metadata, for transmission. Bro raises this event when it +## finished parsing a MIME entity extracted from an email protocol. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data +## http_end_entity +## +## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, +## however, it raises :bro:id:`http_end_entity` instead. +event mime_end_entity%(c: connection%); + +## Generated for individual MIME headers extracted from email MIME +## entities. MIME is a protocol-independent data format for encoding text and +## files, along with corresponding metadata, for transmission. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. 
+## +## c: The connection. +## +## h: The parsed MIME header. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_segment_data +## http_header http_all_headers +## +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. +event mime_one_header%(c: connection, h: mime_header_rec%); + +## Generated for MIME headers extracted from email MIME entities, passing all +## headers at once. MIME is a protocol-independent data format for encoding +## text and files, along with corresponding metadata, for transmission. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## hlist: A *table* containing all headers extracted from the current entity. +## The table is indexed by the position of the header (1 for the first, +## 2 for the second, etc.). +## +## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data +## http_header http_all_headers +## +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_header` instead. +event mime_all_headers%(c: connection, hlist: mime_header_list%); + +## Generated for chunks of decoded MIME data from email MIME entities. MIME +## is a protocol-independent data format for encoding text and files, along with +## corresponding metadata, for transmission. As Bro parses the data of an +## entity, it raises a sequence of these events, each coming as soon as a new +## chunk of data is available. In contrast, there is also +## :bro:id:`mime_entity_data`, which passes all of an entities data at once +## in a single block. 
While the latter is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer +## the data. Thus, if possible, this event should be preferred. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## length: The length of *data*. +## +## data: The raw data of one segment of the current entity. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data +## mime_segment_length mime_segment_overlap_length +## +## .. note:: Bro also extracts MIME data from HTTP sessions. For those, +## however, it raises :bro:id:`http_entity_data` (sic!) instead. +event mime_segment_data%(c: connection, length: count, data: string%); + +## Generated for data decoded from an email MIME entity. This event delivers +## the complete content of a single MIME entity. In contrast, there is also +## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as +## they come in. While ``mime_entity_data`` is more convenient to handle, +## ``mime_segment_data`` is more efficient as Bro does not need to buffer the +## data. Thus, if possible, the latter should be preferred. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## length: The length of *data*. +## +## data: The raw data of the complete entity. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_event mime_one_header mime_segment_data +## +## .. note:: While Bro also decodes MIME entities extracted from HTTP +## sessions, there's no corresponding event for that currently. 
+event mime_entity_data%(c: connection, length: count, data: string%); + +## Generated for passing on all data decoded from a single email MIME +## message. If an email message has more than one MIME entity, this event +## combines all their data into a single value for analysis. Note that because +## of the potentially significant buffering necessary, using this event can be +## expensive. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## length: The length of *data*. +## +## data: The raw data of all MIME entities concatenated. +## +## .. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data +## +## .. note:: While Bro also decodes MIME entities extracted from HTTP +## sessions, there's no corresponding event for that currently. +event mime_all_data%(c: connection, length: count, data: string%); + +## Generated for errors found when decoding email MIME entities. +## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## event_type: A string describing the general category of the problem found +## (e.g., ``illegal format``). +## +## detail: Further more detailed description of the error. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event +## +## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, +## however, it raises :bro:id:`http_event` instead. +event mime_event%(c: connection, event_type: string, detail: string%); + +## Generated for decoded MIME entities extracted from email messages, passing on +## their MD5 checksums. Bro computes the MD5 over the complete decoded data of +## each MIME entity. 
+## +## Bro's MIME analyzer for emails currently supports SMTP and POP3. See +## `Wikipedia `__ for more information +## about MIME. +## +## c: The connection. +## +## content_len: The length of the entity being hashed. +## +## hash_value: The MD5 hash. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity +## mime_entity_data mime_event mime_one_header mime_segment_data +## +## .. note:: While Bro also decodes MIME entities extracted from HTTP +## sessions, there's no corresponding event for that currently. +event mime_content_hash%(c: connection, content_len: count, hash_value: string%); + diff --git a/src/analyzer/protocols/modbus/Modbus.cc b/src/analyzer/protocols/modbus/Modbus.cc index 841638cd0b..b36b916d06 100644 --- a/src/analyzer/protocols/modbus/Modbus.cc +++ b/src/analyzer/protocols/modbus/Modbus.cc @@ -2,6 +2,10 @@ #include "Modbus.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::modbus; + ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("MODBUS", c) { diff --git a/src/analyzer/protocols/modbus/Modbus.h b/src/analyzer/protocols/modbus/Modbus.h index 41b0267dc8..063014cf2b 100644 --- a/src/analyzer/protocols/modbus/Modbus.h +++ b/src/analyzer/protocols/modbus/Modbus.h @@ -4,7 +4,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "modbus_pac.h" -class ModbusTCP_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace modbus { + +class ModbusTCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: ModbusTCP_Analyzer(Connection* conn); virtual ~ModbusTCP_Analyzer(); @@ -22,4 +24,6 @@ protected: binpac::ModbusTCP::ModbusTCP_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/modbus/Plugin.cc b/src/analyzer/protocols/modbus/Plugin.cc index 9c53c8b814..ba93063560 100644 --- a/src/analyzer/protocols/modbus/Plugin.cc +++ b/src/analyzer/protocols/modbus/Plugin.cc 
@@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Modbus) BRO_PLUGIN_DESCRIPTION("Modbus Analyzer"); - BRO_PLUGIN_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("MODBUS", modbus::ModbusTCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/modbus/events.bif b/src/analyzer/protocols/modbus/events.bif index e69de29bb2..1cd17381ee 100644 --- a/src/analyzer/protocols/modbus/events.bif +++ b/src/analyzer/protocols/modbus/events.bif 
@@ -0,0 +1,295 @@ +## Generated for any modbus message regardless if the particular function +## is further supported or not. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## is_orig: True if the event is raised for the originator side. +event modbus_message%(c: connection, headers: ModbusHeaders, is_orig: bool%); + +## Generated for any modbus exception message. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## code: The exception code. +event modbus_exception%(c: connection, headers: ModbusHeaders, code: count%); + +## Generated for a Modbus read coils request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address where of the first coil to be read. +## +## quantity: The number of coils to be read. +event modbus_read_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read coils response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## coils: The coil values returned from the device. +event modbus_read_coils_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%); + +## Generated for a Modbus read discrete inputs request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first coil to be read. +## +## quantity: The number of coils to be read. +event modbus_read_discrete_inputs_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read discrete inputs response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## coils: The coil values returned from the device. 
+event modbus_read_discrete_inputs_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%); + +## Generated for a Modbus read holding registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first register to be read. +## +## quantity: The number of registers to be read. +event modbus_read_holding_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read holding registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## registers: The register values returned from the device. +event modbus_read_holding_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%); + +## Generated for a Modbus read input registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first register to be read. +## +## quantity: The number of registers to be read. +event modbus_read_input_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read input registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## registers: The register values returned from the device. +event modbus_read_input_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%); + +## Generated for a Modbus write single coil request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the coil to be written. +## +## value: The value to be written to the coil. +event modbus_write_single_coil_request%(c: connection, headers: ModbusHeaders, address: count, value: bool%); + +## Generated for a Modbus write single coil response. +## +## c: The connection. 
+## +## headers: The headers for the modbus function. +## +## address: The memory address of the coil that was written. +## +## value: The value that was written to the coil. +event modbus_write_single_coil_response%(c: connection, headers: ModbusHeaders, address: count, value: bool%); + +## Generated for a Modbus write single register request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register to be written. +## +## value: The value to be written to the register. +event modbus_write_single_register_request%(c: connection, headers: ModbusHeaders, address: count, value: count%); + +## Generated for a Modbus write single register response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register that was written. +## +## value: The value that was written to the register. +event modbus_write_single_register_response%(c: connection, headers: ModbusHeaders, address: count, value: count%); + +## Generated for a Modbus write multiple coils request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first coil to be written. +## +## value: The values to be written to the coils. +event modbus_write_multiple_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils%); + +## Generated for a Modbus write multiple coils response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first coil that was written. +## +## quantity: The quantity of coils that were written. +event modbus_write_multiple_coils_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus write multiple registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. 
+## +## start_address: The memory address of the first register to be written. +## +## registers: The values to be written to the registers. +event modbus_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters%); + +## Generated for a Modbus write multiple registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The memory address of the first register that was written. +## +## quantity: The quantity of registers that were written. +event modbus_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); + +## Generated for a Modbus read file record request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. +event modbus_read_file_record_request%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus read file record response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. +event modbus_read_file_record_response%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus write file record request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. +event modbus_write_file_record_request%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus write file record response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## .. note: This event is incomplete. The information from the data structure is not +## yet passed through to the event. 
+event modbus_write_file_record_response%(c: connection, headers: ModbusHeaders%); + +## Generated for a Modbus mask write register request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register where the masks should be applied. +## +## and_mask: The value of the logical AND mask to apply to the register. +## +## or_mask: The value of the logical OR mask to apply to the register. +event modbus_mask_write_register_request%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%); + +## Generated for a Modbus mask write register request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## address: The memory address of the register where the masks were applied. +## +## and_mask: The value of the logical AND mask applied register. +## +## or_mask: The value of the logical OR mask applied to the register. +event modbus_mask_write_register_response%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%); + +## Generated for a Modbus read/write multiple registers request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## read_start_address: The memory address of the first register to be read. +## +## read_quantity: The number of registers to read. +## +## write_start_address: The memory address of the first register to be written. +## +## write_registers: The values to be written to the registers. +event modbus_read_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, read_start_address: count, read_quantity: count, write_start_address: count, write_registers: ModbusRegisters%); + +## Generated for a Modbus read/write multiple registers response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## written_registers: The register values read from the registers specified in the request. 
+event modbus_read_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, written_registers: ModbusRegisters%); + +## Generated for a Modbus read FIFO queue request. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## start_address: The address of the FIFO queue to read. +event modbus_read_fifo_queue_request%(c: connection, headers: ModbusHeaders, start_address: count%); + +## Generated for a Modbus read FIFO queue response. +## +## c: The connection. +## +## headers: The headers for the modbus function. +## +## fifos: The register values read from the FIFO queue on the device. +event modbus_read_fifo_queue_response%(c: connection, headers: ModbusHeaders, fifos: ModbusRegisters%); + diff --git a/src/analyzer/protocols/modbus/modbus.pac b/src/analyzer/protocols/modbus/modbus.pac index 9148997295..28b657abc5 100644 --- a/src/analyzer/protocols/modbus/modbus.pac +++ b/src/analyzer/protocols/modbus/modbus.pac @@ -9,6 +9,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer ModbusTCP withcontext { connection: ModbusTCP_Conn; flow: ModbusTCP_Flow; diff --git a/src/analyzer/protocols/ncp/NCP.cc b/src/analyzer/protocols/ncp/NCP.cc index bdf484cad7..75b6c9f4be 100644 --- a/src/analyzer/protocols/ncp/NCP.cc +++ b/src/analyzer/protocols/ncp/NCP.cc @@ -6,7 +6,12 @@ #include #include +#include "NCP.h" + +#include "events.bif.h" + using namespace std; +using namespace analyzer::ncp; #include "NCP.h" #include "Sessions.h" 
@@ -150,15 +155,15 @@ void NCP_FrameBuffer::compute_msg_length() } Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* arg_session) -: TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_NCP", conn, orig) { session = arg_session; resync = true; - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); if ( tcp ) resync = (orig ? tcp->OrigState() : tcp->RespState()) != - TCP_ENDPOINT_ESTABLISHED; + tcp::TCP_ENDPOINT_ESTABLISHED; } Contents_NCP_Analyzer::~Contents_NCP_Analyzer() @@ -167,9 +172,9 @@ Contents_NCP_Analyzer::~Contents_NCP_Analyzer() void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); - TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); if ( tcp && tcp->HadGap(orig) ) return; @@ -208,14 +213,14 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig void Contents_NCP_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_SupportAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); buffer.Reset(); resync = true; } NCP_Analyzer::NCP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("NCP", conn) +: tcp::TCP_ApplicationAnalyzer("NCP", conn) { session = new NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); diff --git a/src/analyzer/protocols/ncp/NCP.h b/src/analyzer/protocols/ncp/NCP.h index ae54b7b9ee..0ab73707fb 100644 --- a/src/analyzer/protocols/ncp/NCP.h +++ b/src/analyzer/protocols/ncp/NCP.h @@ -23,6 +23,8 @@ #include "ncp_pac.h" +namespace analyzer { namespace ncp { + // Create a general NCP_Session class so that it can be used in // case the RPC conversation is tunneled through other connections, // e.g., through an SMB session. 
@@ -81,7 +83,7 @@ protected: void compute_msg_length(); }; -class Contents_NCP_Analyzer : public TCP_SupportAnalyzer { +class Contents_NCP_Analyzer : public tcp::TCP_SupportAnalyzer { public: Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* session); ~Contents_NCP_Analyzer(); @@ -97,7 +99,7 @@ protected: bool resync; }; -class NCP_Analyzer : public TCP_ApplicationAnalyzer { +class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: NCP_Analyzer(Connection* conn); virtual ~NCP_Analyzer(); @@ -112,4 +114,6 @@ protected: Contents_NCP_Analyzer * r_ncp; }; +} } // namespace analyzer::* + #endif /* ncp_h */ diff --git a/src/analyzer/protocols/ncp/Plugin.cc b/src/analyzer/protocols/ncp/Plugin.cc index bc52a2c065..6bfc2b70f6 100644 --- a/src/analyzer/protocols/ncp/Plugin.cc +++ b/src/analyzer/protocols/ncp/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(NCP) BRO_PLUGIN_DESCRIPTION("NCP Analyzer"); - BRO_PLUGIN_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NCP", ncp::NCP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NCP"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ncp/events.bif b/src/analyzer/protocols/ncp/events.bif index e69de29bb2..9b5b7d77a7 100644 --- a/src/analyzer/protocols/ncp/events.bif +++ b/src/analyzer/protocols/ncp/events.bif 
@@ -0,0 +1,46 @@ +## Generated for NCP requests (Netware Core Protocol). +## +## See `Wikipedia `__ for +## more information about the NCP protocol. +## +## c: The connection. +## +## frame_type: The frame type, as specified by the protocol. +## +## length: The length of the request body, excluding the frame header. +## +## func: The requested function, as specified by the protocol. +## +## .. bro:see:: ncp_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ncp_request%(c: connection, frame_type: count, length: count, func: count%); + +## Generated for NCP replies (Netware Core Protocol). +## +## See `Wikipedia `__ for +## more information about the NCP protocol. +## +## c: The connection. +## +## frame_type: The frame type, as specified by the protocol. +## +## length: The length of the request body, excluding the frame header. +## +## req_frame: The frame type from the corresponding request. +## +## req_func: The function code from the corresponding request. +## +## completion_code: The reply's completion code, as specified by the protocol. +## +## .. bro:see:: ncp_request +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%); + diff --git a/src/analyzer/protocols/ncp/ncp.pac b/src/analyzer/protocols/ncp/ncp.pac index 86b8bca5da..d4d5734a54 100644 --- a/src/analyzer/protocols/ncp/ncp.pac +++ b/src/analyzer/protocols/ncp/ncp.pac 
@@ -2,6 +2,10 @@ %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer NCP withcontext {}; type ncp_request(length: uint32) = record { diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc index fd3a4f6111..01544c4b2c 100644 --- a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc +++ b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc @@ -9,6 +9,10 @@ #include "Sessions.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::netbios_ssn; + double netbios_ssn_session_timeout = 15.0; #define MAKE_INT16(dest, src) dest = *src; dest <<=8; src++; dest |= *src; src++; @@ -44,7 +48,7 @@ NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len) NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(analyzer::Analyzer* arg_analyzer, - SMB_Session* arg_smb_session) + smb::SMB_Session* arg_smb_session) { analyzer = arg_analyzer; smb_session = arg_smb_session; @@ -340,7 +344,7 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data, Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig, NetbiosSSN_Interpreter* arg_interp) -: TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_NETBIOSSSN", conn, orig) { interp = arg_interp; type = flags = msg_size = 0; @@ -365,7 +369,7 @@ void Contents_NetbiosSSN::Flush() void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); if ( state == NETBIOS_SSN_TYPE ) { 
@@ -455,9 +459,9 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) } NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("NETBIOS", conn) +: tcp::TCP_ApplicationAnalyzer("NETBIOS", conn) { - smb_session = new SMB_Session(this); + smb_session = new smb::SMB_Session(this); interp = new NetbiosSSN_Interpreter(this, smb_session); orig_netbios = resp_netbios = 0; did_session_done = 0; @@ -485,7 +489,7 @@ NetbiosSSN_Analyzer::~NetbiosSSN_Analyzer() void NetbiosSSN_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->Timeout(); if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done ) @@ -496,15 +500,15 @@ void NetbiosSSN_Analyzer::Done() void NetbiosSSN_Analyzer::EndpointEOF(bool orig) { - TCP_ApplicationAnalyzer::EndpointEOF(orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig); (orig ? orig_netbios : resp_netbios)->Flush(); } -void NetbiosSSN_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, - TCP_Endpoint* peer, int gen_event) +void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, + tcp::TCP_Endpoint* peer, int gen_event) { - TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); + tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event); // Question: Why do we flush *both* endpoints upon connection close? // orig_netbios->Flush(); @@ -514,7 +518,7 @@ void NetbiosSSN_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); if ( orig ) interp->ParseMessageUDP(data, len, 1); diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h index 9830d192ad..df065c4348 100644 
--- a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h +++ b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h @@ -7,6 +7,8 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/smb/SMB.h" +namespace analyzer { namespace netbios_ssn { + typedef enum { NETBIOS_SSN_MSG = 0x0, NETBIOS_DGM_DIRECT_UNIQUE = 0x10, @@ -62,7 +64,7 @@ struct NetbiosDGM_RawMsgHdr { class NetbiosSSN_Interpreter { public: - NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer, SMB_Session* smb_session); + NetbiosSSN_Interpreter(analyzer::Analyzer* analyzer, smb::SMB_Session* smb_session); int ParseMessage(unsigned int type, unsigned int flags, const u_char* data, int len, int is_query); @@ -73,17 +75,6 @@ public: void Timeout() { } - static bool any_netbios_ssn_event() - { - return netbios_session_message || - netbios_session_request || - netbios_session_accepted || - netbios_session_rejected || - netbios_session_raw_message || - netbios_session_ret_arg_resp || - netbios_session_keepalive; - } - protected: int ParseSessionMsg(const u_char* data, int len, int is_query); int ParseSessionReq(const u_char* data, int len, int is_query); @@ -109,7 +100,7 @@ protected: protected: analyzer::Analyzer* analyzer; - SMB_Session* smb_session; + smb::SMB_Session* smb_session; }; @@ -122,7 +113,7 @@ typedef enum { } NetbiosSSN_State; // ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS. -class Contents_NetbiosSSN : public TCP_SupportAnalyzer { +class Contents_NetbiosSSN : public tcp::TCP_SupportAnalyzer { public: Contents_NetbiosSSN(Connection* conn, bool orig, NetbiosSSN_Interpreter* interp); @@ -148,7 +139,7 @@ protected: NetbiosSSN_State state; }; -class NetbiosSSN_Analyzer : public TCP_ApplicationAnalyzer { +class NetbiosSSN_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: NetbiosSSN_Analyzer(Connection* conn); ~NetbiosSSN_Analyzer(); 
@@ -161,14 +152,14 @@ public: { return new NetbiosSSN_Analyzer(conn); } protected: - virtual void ConnectionClosed(TCP_Endpoint* endpoint, - TCP_Endpoint* peer, int gen_event); + virtual void ConnectionClosed(tcp::TCP_Endpoint* endpoint, + tcp::TCP_Endpoint* peer, int gen_event); virtual void EndpointEOF(bool is_orig); void ExpireTimer(double t); NetbiosSSN_Interpreter* interp; - SMB_Session* smb_session; + smb::SMB_Session* smb_session; Contents_NetbiosSSN* orig_netbios; Contents_NetbiosSSN* resp_netbios; int did_session_done; @@ -177,4 +168,6 @@ protected: // FIXME: Doesn't really fit into new analyzer structure. What to do? int IsReuse(double t, const u_char* pkt); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/netbios-ssn/Plugin.cc b/src/analyzer/protocols/netbios-ssn/Plugin.cc index b14c3a9d8f..8ed7824634 100644 --- a/src/analyzer/protocols/netbios-ssn/Plugin.cc +++ b/src/analyzer/protocols/netbios-ssn/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(NetbiosSSN) BRO_PLUGIN_DESCRIPTION("NetbiosSSN Analyzer"); - BRO_PLUGIN_ANALYZER("NetbiosSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/netbios-ssn/events.bif b/src/analyzer/protocols/netbios-ssn/events.bif index e69de29bb2..bf382e1663 100644 --- a/src/analyzer/protocols/netbios-ssn/events.bif +++ b/src/analyzer/protocols/netbios-ssn/events.bif 
@@ -0,0 +1,209 @@ +## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer +## processes the NetBIOS session service running on TCP port 139, and (despite +## its name!) the NetBIOS datagram service on UDP port 138. +## +## See `Wikipedia `__ for more information +## about NetBIOS. `RFC 1002 `__ describes +## the packet format for NetBIOS over TCP/IP, which Bro parses. +## +## c: The connection, which may be TCP or UDP, depending on the type of the +## NetBIOS session. +## +## is_orig: True if the message was sent by the originator of the connection. +## +## msg_type: The general type of message, as defined in Section 4.3.1 of +## `RFC 1002 `__. +## +## data_len: The length of the message's payload. +## +## .. bro:see:: netbios_session_accepted netbios_session_keepalive +## netbios_session_raw_message netbios_session_rejected netbios_session_request +## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type +## +## .. note:: These days, NetBIOS is primarily used as a transport mechanism for +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%); + +## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS +## analyzer processes the NetBIOS session service running on TCP port 139, and +## (despite its name!) the NetBIOS datagram service on UDP port 138. +## +## See `Wikipedia `__ for more information +## about NetBIOS. `RFC 1002 `__ describes +## the packet format for NetBIOS over TCP/IP, which Bro parses. 
+## +## c: The connection, which may be TCP or UDP, depending on the type of the +## NetBIOS session. +## +## msg: The raw payload of the message sent, excluding the common NetBIOS +## header. +## +## .. bro:see:: netbios_session_accepted netbios_session_keepalive +## netbios_session_message netbios_session_raw_message netbios_session_rejected +## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type +## +## .. note:: These days, NetBIOS is primarily used as a transport mechanism for +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event netbios_session_request%(c: connection, msg: string%); + +## Generated for NetBIOS messages of type *positive session response*. Bro's +## NetBIOS analyzer processes the NetBIOS session service running on TCP port +## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. +## +## See `Wikipedia `__ for more information +## about NetBIOS. `RFC 1002 `__ describes +## the packet format for NetBIOS over TCP/IP, which Bro parses. +## +## c: The connection, which may be TCP or UDP, depending on the type of the +## NetBIOS session. +## +## msg: The raw payload of the message sent, excluding the common NetBIOS +## header. +## +## .. bro:see:: netbios_session_keepalive netbios_session_message +## netbios_session_raw_message netbios_session_rejected netbios_session_request +## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type +## +## .. note:: These days, NetBIOS is primarily used as a transport mechanism for +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event netbios_session_accepted%(c: connection, msg: string%); + +## Generated for NetBIOS messages of type *negative session response*. Bro's +## NetBIOS analyzer processes the NetBIOS session service running on TCP port +## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. +## +## See `Wikipedia `__ for more information +## about NetBIOS. `RFC 1002 `__ describes +## the packet format for NetBIOS over TCP/IP, which Bro parses. +## +## c: The connection, which may be TCP or UDP, depending on the type of the +## NetBIOS session. +## +## msg: The raw payload of the message sent, excluding the common NetBIOS +## header. +## +## .. bro:see:: netbios_session_accepted netbios_session_keepalive +## netbios_session_message netbios_session_raw_message netbios_session_request +## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type +## +## .. note:: These days, NetBIOS is primarily used as a transport mechanism for +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event netbios_session_rejected%(c: connection, msg: string%); + +## Generated for NetBIOS messages of type *session message* that are not +## carrying an SMB payload. +## +## NetBIOS analyzer processes the NetBIOS session service running on TCP port +## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. 
+## +## See `Wikipedia `__ for more information +## about NetBIOS. `RFC 1002 `__ describes +## the packet format for NetBIOS over TCP/IP, which Bro parses. +## +## c: The connection, which may be TCP or UDP, depending on the type of the +## NetBIOS session. +## +## is_orig: True if the message was sent by the originator of the connection. +## +## msg: The raw payload of the message sent, excluding the common NetBIOS +## header (i.e., the ``user_data``). +## +## .. bro:see:: netbios_session_accepted netbios_session_keepalive +## netbios_session_message netbios_session_rejected netbios_session_request +## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type +## +## .. note:: These days, NetBIOS is primarily used as a transport mechanism for +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## +## .. todo:: This is an oddly named event. In fact, it's probably an odd event +## to have to begin with. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%); + +## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS +## analyzer processes the NetBIOS session service running on TCP port 139, and +## (despite its name!) the NetBIOS datagram service on UDP port 138. +## +## See `Wikipedia `__ for more information +## about NetBIOS. `RFC 1002 `__ describes +## the packet format for NetBIOS over TCP/IP, which Bro parses. +## +## c: The connection, which may be TCP or UDP, depending on the type of the +## NetBIOS session. +## +## msg: The raw payload of the message sent, excluding the common NetBIOS +## header. +## +## .. 
bro:see:: netbios_session_accepted netbios_session_keepalive +## netbios_session_message netbios_session_raw_message netbios_session_rejected +## netbios_session_request decode_netbios_name decode_netbios_name_type +## +## .. note:: These days, NetBIOS is primarily used as a transport mechanism for +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## +## .. todo:: This is an oddly named event. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event netbios_session_ret_arg_resp%(c: connection, msg: string%); + +## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer +## processes the NetBIOS session service running on TCP port 139, and (despite +## its name!) the NetBIOS datagram service on UDP port 138. +## +## See `Wikipedia `__ for more information +## about NetBIOS. `RFC 1002 `__ describes +## the packet format for NetBIOS over TCP/IP, which Bro parses. +## +## c: The connection, which may be TCP or UDP, depending on the type of the +## NetBIOS session. +## +## msg: The raw payload of the message sent, excluding the common NetBIOS +## header. +## +## .. bro:see:: netbios_session_accepted netbios_session_message +## netbios_session_raw_message netbios_session_rejected netbios_session_request +## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type +## +## .. note:: These days, NetBIOS is primarily used as a transport mechanism for +## `SMB/CIFS `__. Bro's +## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event netbios_session_keepalive%(c: connection, msg: string%); + diff --git a/src/analyzer/protocols/netflow/CMakeLists.txt b/src/analyzer/protocols/netflow/CMakeLists.txt new file mode 100644 index 0000000000..c45f410b26 --- /dev/null +++ b/src/analyzer/protocols/netflow/CMakeLists.txt @@ -0,0 +1,16 @@ + +# This is not an actual analyzer, but used by the core. We still +# maintain it here along with the other analyzers because conceptually +# it's also parsing a protocol just like them. The current structure +# is merely a left-over from when this code was written. + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(NetFlow) +bro_plugin_cc(Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(netflow.pac netflow-protocol.pac netflow-analyzer.pac) +bro_plugin_end() + diff --git a/src/analyzer/protocols/netflow/Plugin.cc b/src/analyzer/protocols/netflow/Plugin.cc new file mode 100644 index 0000000000..f7c36e943a --- /dev/null +++ b/src/analyzer/protocols/netflow/Plugin.cc @@ -0,0 +1,7 @@ + +#include "plugin/Plugin.h" + +BRO_PLUGIN_BEGIN(NetFlow) + BRO_PLUGIN_DESCRIPTION("NetFlow Parsing Code"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/netflow/events.bif b/src/analyzer/protocols/netflow/events.bif new file mode 100644 index 0000000000..69c196de9e --- /dev/null +++ b/src/analyzer/protocols/netflow/events.bif 
@@ -0,0 +1,18 @@ +## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises +## this event whenever it either receives a NetFlow header on the port it's +## listening on, or reads one from a trace file. +## +## h: The parsed NetFlow header. +## +## .. bro:see:: netflow_v5_record +event netflow_v5_header%(h: nf_v5_header%); + +## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises +## this event whenever it either receives a NetFlow record on the port it's +## listening on, or reads one from a trace file. +## +## r: The parsed NetFlow record. +## +## .. bro:see:: netflow_v5_record +event netflow_v5_record%(r: nf_v5_record%); + diff --git a/src/netflow-analyzer.pac b/src/analyzer/protocols/netflow/netflow-analyzer.pac similarity index 100% rename from src/netflow-analyzer.pac rename to src/analyzer/protocols/netflow/netflow-analyzer.pac diff --git a/src/netflow-protocol.pac b/src/analyzer/protocols/netflow/netflow-protocol.pac similarity index 100% rename from src/netflow-protocol.pac rename to src/analyzer/protocols/netflow/netflow-protocol.pac diff --git a/src/netflow.pac b/src/analyzer/protocols/netflow/netflow.pac similarity index 88% rename from src/netflow.pac rename to src/analyzer/protocols/netflow/netflow.pac index 91040aadeb..57e1b71a76 100644 --- a/src/netflow.pac +++ b/src/analyzer/protocols/netflow/netflow.pac @@ -4,6 +4,8 @@ #include "net_util.h" #include "Event.h" extern RecordType* conn_id; + +#include "events.bif.h" %} %include bro.pac diff --git a/src/analyzer/protocols/ntp/NTP.cc b/src/analyzer/protocols/ntp/NTP.cc index 729edee923..b4b63d5634 100644 --- a/src/analyzer/protocols/ntp/NTP.cc +++ b/src/analyzer/protocols/ntp/NTP.cc @@ -7,6 +7,9 @@ #include "Sessions.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::ntp; NTP_Analyzer::NTP_Analyzer(Connection* conn) : Analyzer("NTP", conn) 
diff --git a/src/analyzer/protocols/ntp/NTP.h b/src/analyzer/protocols/ntp/NTP.h index d161b4795d..2c989da4d1 100644 --- a/src/analyzer/protocols/ntp/NTP.h +++ b/src/analyzer/protocols/ntp/NTP.h @@ -5,12 +5,13 @@ #include "analyzer/protocols/udp/UDP.h" - // The following are from the tcpdump distribution, credited there // to the U of MD implementation. #define JAN_1970 2208988800.0 /* 1970 - 1900 in seconds */ +namespace analyzer { namespace ntp { + struct l_fixedpt { unsigned int int_part; unsigned int fraction; @@ -63,4 +64,6 @@ protected: void ExpireTimer(double t); }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ntp/Plugin.cc b/src/analyzer/protocols/ntp/Plugin.cc index f2a0e487c9..8331c25dee 100644 --- a/src/analyzer/protocols/ntp/Plugin.cc +++ b/src/analyzer/protocols/ntp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(NTP) BRO_PLUGIN_DESCRIPTION("NTP Analyzer"); - BRO_PLUGIN_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NTP", ntp::NTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ntp/events.bif b/src/analyzer/protocols/ntp/events.bif index e69de29bb2..bba2dfbbe5 100644 --- a/src/analyzer/protocols/ntp/events.bif +++ b/src/analyzer/protocols/ntp/events.bif 
@@ -0,0 +1,21 @@ +## Generated for all NTP messages. Different from many other of Bro's events, +## this one is generated for both client-side and server-side messages. +## +## See `Wikipedia `__ for +## more information about the NTP protocol. +## +## u: The connection record describing the corresponding UDP flow. +## +## msg: The parsed NTP message. +## +## excess: The raw bytes of any optional parts of the NTP packet. Bro does not +## further parse any optional fields. +## +## .. bro:see:: ntp_session_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event ntp_message%(u: connection, msg: ntp_msg, excess: string%); + diff --git a/src/analyzer/protocols/pia/PIA.cc b/src/analyzer/protocols/pia/PIA.cc index eb21fc7331..d5defc018e 100644 --- a/src/analyzer/protocols/pia/PIA.cc +++ b/src/analyzer/protocols/pia/PIA.cc @@ -2,6 +2,10 @@ #include "RuleMatcher.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::pia; + PIA::PIA(analyzer::Analyzer* arg_as_analyzer) { current_packet.data = 0; @@ -163,11 +167,11 @@ PIA_TCP::~PIA_TCP() void PIA_TCP::Init() { - TCP_ApplicationAnalyzer::Init(); + tcp::TCP_ApplicationAnalyzer::Init(); if ( Parent()->IsAnalyzer("TCP") ) { - TCP_Analyzer* tcp = static_cast(Parent()); + tcp::TCP_Analyzer* tcp = static_cast(Parent()); SetTCP(tcp); tcp->SetPIA(this); } @@ -223,7 +227,7 @@ void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip) void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( stream_buffer.state == SKIPPING ) return; 
@@ -253,7 +257,7 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig) void PIA_TCP::Undelivered(int seq, int len, bool is_orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); if ( stream_buffer.state == BUFFERING ) // We use data=nil to mark an undelivered. @@ -294,7 +298,7 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) // // Here's what we do: // - // (1) We create new TCP_Reassemblers and feed them the buffered + // (1) We create new tcp::TCP_Reassemblers and feed them the buffered // packets. // // (2) The reassembler will give us their results via the @@ -322,14 +326,14 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) return; } - TCP_Analyzer* tcp = (TCP_Analyzer*) Parent(); + tcp::TCP_Analyzer* tcp = (tcp::TCP_Analyzer*) Parent(); - TCP_Reassembler* reass_orig = - new TCP_Reassembler(this, tcp, TCP_Reassembler::Direct, + tcp::TCP_Reassembler* reass_orig = + new tcp::TCP_Reassembler(this, tcp, tcp::TCP_Reassembler::Direct, true, tcp->Orig()); - TCP_Reassembler* reass_resp = - new TCP_Reassembler(this, tcp, TCP_Reassembler::Direct, + tcp::TCP_Reassembler* reass_resp = + new tcp::TCP_Reassembler(this, tcp, tcp::TCP_Reassembler::Direct, false, tcp->Resp()); int orig_seq = 0; @@ -365,8 +369,8 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) reass_orig->AckReceived(orig_seq); reass_resp->AckReceived(resp_seq); - reass_orig->SetType(TCP_Reassembler::Forward); - reass_resp->SetType(TCP_Reassembler::Forward); + reass_orig->SetType(tcp::TCP_Reassembler::Forward); + reass_resp->SetType(tcp::TCP_Reassembler::Forward); tcp->SetReassembler(reass_orig, reass_resp); } diff --git a/src/analyzer/protocols/pia/PIA.h b/src/analyzer/protocols/pia/PIA.h index a91a516165..1d788d39a6 100644 --- a/src/analyzer/protocols/pia/PIA.h +++ b/src/analyzer/protocols/pia/PIA.h 
@@ -8,6 +8,8 @@ class RuleEndpointState; +namespace analyzer { namespace pia { + // Abstract PIA class providing common functionality for both TCP and UDP. // Accepts only packet input. // @@ -115,10 +117,10 @@ protected: // PIA for TCP. Accepts both packet and stream input (and reassembles // packets before passing payload on to children). -class PIA_TCP : public PIA, public TCP_ApplicationAnalyzer { +class PIA_TCP : public PIA, public tcp::TCP_ApplicationAnalyzer { public: PIA_TCP(Connection* conn) - : PIA(this), TCP_ApplicationAnalyzer("PIA_TCP", conn) + : PIA(this), tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn) { stream_mode = false; SetConn(conn); } virtual ~PIA_TCP(); @@ -169,4 +171,6 @@ private: bool stream_mode; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/pia/Plugin.cc b/src/analyzer/protocols/pia/Plugin.cc index a62e757164..2d56f80038 100644 --- a/src/analyzer/protocols/pia/Plugin.cc +++ b/src/analyzer/protocols/pia/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(PIA) BRO_PLUGIN_DESCRIPTION("Protocol Identificatin Analyzers"); - BRO_PLUGIN_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("PIA_TCP", pia::PIA_TCP); + BRO_PLUGIN_ANALYZER("PIA_UDP", pia::PIA_UDP); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/pop3/POP3.cc b/src/analyzer/protocols/pop3/POP3.cc index 6b4fda8169..7a81da1b5e 100644 --- a/src/analyzer/protocols/pop3/POP3.cc +++ b/src/analyzer/protocols/pop3/POP3.cc @@ -15,6 +15,10 @@ #include "Reporter.h" #include "analyzer/protocols/login/NVT.h" +#include "events.bif.h" + +using namespace analyzer::pop3; + #undef POP3_CMD_DEF #define POP3_CMD_DEF(cmd) #cmd, @@ -26,7 +30,7 @@ static const char* pop3_cmd_word[] = { POP3_Analyzer::POP3_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("POP3", conn) +: tcp::TCP_ApplicationAnalyzer("POP3", conn) { masterState = POP3_START; subState = POP3_WOK; 
@@ -41,8 +45,8 @@ POP3_Analyzer::POP3_Analyzer(Connection* conn) mail = 0; - AddSupportAnalyzer(new ContentLine_Analyzer(conn, true)); - AddSupportAnalyzer(new ContentLine_Analyzer(conn, false)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true)); + AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false)); } POP3_Analyzer::~POP3_Analyzer() @@ -51,7 +55,7 @@ POP3_Analyzer::~POP3_Analyzer() void POP3_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( mail ) EndData(); @@ -60,7 +64,7 @@ void POP3_Analyzer::Done() void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); if ( (TCP() && TCP()->IsPartial()) || backOff ) return; @@ -802,7 +806,7 @@ void POP3_Analyzer::AuthSuccessfull() void POP3_Analyzer::BeginData() { delete mail; - mail = new MIME_Mail(this); + mail = new mime::MIME_Mail(this); } void POP3_Analyzer::EndData() diff --git a/src/analyzer/protocols/pop3/POP3.h b/src/analyzer/protocols/pop3/POP3.h index 10dbe9d085..37620c0024 100644 --- a/src/analyzer/protocols/pop3/POP3.h +++ b/src/analyzer/protocols/pop3/POP3.h @@ -11,12 +11,13 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/login/NVT.h" -#include "MIME.h" - +#include "analyzer/protocols/mime/MIME.h" #undef POP3_CMD_DEF #define POP3_CMD_DEF(cmd) POP3_CMD_##cmd, +namespace analyzer { namespace pop3 { + typedef enum { #include "POP3_cmd.def" } POP3_Cmd; @@ -60,7 +61,7 @@ typedef enum { POP3_WOK, } POP3_SubState; -class POP3_Analyzer : public TCP_ApplicationAnalyzer { +class POP3_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: POP3_Analyzer(Connection* conn); ~POP3_Analyzer(); 
@@ -103,11 +104,13 @@ protected: void POP3Event(EventHandlerPtr event, bool is_orig, const char* arg1 = 0, const char* arg2 = 0); - MIME_Mail* mail; + mime::MIME_Mail* mail; list cmds; private: bool backOff; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/pop3/Plugin.cc b/src/analyzer/protocols/pop3/Plugin.cc index 5f56ade93a..056cb36682 100644 --- a/src/analyzer/protocols/pop3/Plugin.cc +++ b/src/analyzer/protocols/pop3/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(POP3) BRO_PLUGIN_DESCRIPTION("POP3 Analyzer"); - BRO_PLUGIN_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("POP3", pop3::POP3_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/pop3/events.bif b/src/analyzer/protocols/pop3/events.bif index e69de29bb2..7692c61f6b 100644 --- a/src/analyzer/protocols/pop3/events.bif +++ b/src/analyzer/protocols/pop3/events.bif 
@@ -0,0 +1,172 @@ +## Generated for client-side commands on POP3 connections. +## +## See `Wikipedia `__ for more information +## about the POP3 protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## command: The command sent. +## +## arg: The argument to the command. +## +## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply +## pop3_terminate pop3_unexpected +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pop3_request%(c: connection, is_orig: bool, + command: string, arg: string%); + +## Generated for server-side replies to commands on POP3 connections. +## +## See `Wikipedia `__ for more information +## about the POP3 protocol. +## +## c: The connection. +## +## is_orig: True if the command was sent by the originator of the TCP +## connection. +## +## cmd: The success indicator sent by the server. This corresponds to the +## first token on the line sent, and should be either ``OK`` or ``ERR``. +## +## msg: The textual description the server sent along with *cmd*. +## +## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request +## pop3_terminate pop3_unexpected +## +## .. todo:: This event is receiving odd parameters, should unify. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); + +## Generated for server-side multi-line responses on POP3 connections. 
POP3 +## connections use multi-line responses to send bulk data, such as the actual +## mails. This event is generated once for each line that's part of such a +## response. +## +## See `Wikipedia `__ for more information +## about the POP3 protocol. +## +## c: The connection. +## +## is_orig: True if the data was sent by the originator of the TCP connection. +## +## data: The data sent. +## +## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request +## pop3_terminate pop3_unexpected +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pop3_data%(c: connection, is_orig: bool, data: string%); + +## Generated for errors encountered on POP3 sessions. If the POP3 analyzer +## finds state transitions that do not conform to the protocol specification, +## or other situations it can't handle, it raises this event. +## +## See `Wikipedia `__ for more information +## about the POP3 protocol. +## +## c: The connection. +## +## is_orig: True if the data was sent by the originator of the TCP connection. +## +## msg: A textual description of the situation. +## +## detail: The input that triggered the event. +## +## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request +## pop3_terminate +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pop3_unexpected%(c: connection, is_orig: bool, + msg: string, detail: string%); + +## Generated when a POP3 connection goes encrypted. 
While POP3 is by default a +## clear-text protocol, extensions exist to switch to encryption. This event is +## generated if that happens and the analyzer then stops processing the +## connection. +## +## See `Wikipedia `__ for more information +## about the POP3 protocol. +## +## c: The connection. +## +## is_orig: Always false. +## +## msg: A descriptive message why processing was stopped. +## +## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request +## pop3_unexpected +## +## .. note:: Currently, only the ``STARTLS`` command is recognized and +## triggers this. +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pop3_terminate%(c: connection, is_orig: bool, msg: string%); + +## Generated for successful authentications on POP3 connections. +## +## See `Wikipedia `__ for more information +## about the POP3 protocol. +## +## c: The connection. +## +## is_orig: Always false. +## +## user: The user name used for authentication. The event is only generated if +## a non-empty user name was used. +## +## password: The password used for authentication. +## +## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request pop3_terminate +## pop3_unexpected +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pop3_login_success%(c: connection, is_orig: bool, + user: string, password: string%); + +## Generated for unsuccessful authentications on POP3 connections. +## +## See `Wikipedia `__ for more information +## about the POP3 protocol. 
+## +## c: The connection. +## +## is_orig: Always false. +## +## user: The user name attempted for authentication. The event is only +## generated if a non-empty user name was used. +## +## password: The password attempted for authentication. +## +## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request pop3_terminate +## pop3_unexpected +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pop3_login_failure%(c: connection, is_orig: bool, + user: string, password: string%); + diff --git a/src/analyzer/protocols/rpc/NFS.cc b/src/analyzer/protocols/rpc/NFS.cc index 461ac44c4f..51d1b90691 100644 --- a/src/analyzer/protocols/rpc/NFS.cc +++ b/src/analyzer/protocols/rpc/NFS.cc @@ -9,6 +9,10 @@ #include "NFS.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::rpc; + int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) { if ( c->Program() != 100003 ) diff --git a/src/analyzer/protocols/rpc/NFS.h b/src/analyzer/protocols/rpc/NFS.h index 18acff4b37..e9e978eaa2 100644 --- a/src/analyzer/protocols/rpc/NFS.h +++ b/src/analyzer/protocols/rpc/NFS.h @@ -7,6 +7,8 @@ #include "XDR.h" #include "Event.h" +namespace analyzer { namespace rpc { + class NFS_Interp : public RPC_Interpreter { public: NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } @@ -80,4 +82,6 @@ public: }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/rpc/Plugin.cc b/src/analyzer/protocols/rpc/Plugin.cc index 25c958859b..23f5d0e667 100644 --- a/src/analyzer/protocols/rpc/Plugin.cc +++ b/src/analyzer/protocols/rpc/Plugin.cc 
@@ -7,8 +7,8 @@ BRO_PLUGIN_BEGIN(RPC) BRO_PLUGIN_DESCRIPTION("Analyzers for RPC-based protocols"); - BRO_PLUGIN_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NFS", rpc::NFS_Analyzer); + BRO_PLUGIN_ANALYZER("PORTMAPPER", rpc::Portmapper_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_RPC"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NFS"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocols/rpc/Portmap.cc b/src/analyzer/protocols/rpc/Portmap.cc index 9bebd0f8a6..f57d9a915c 100644 --- a/src/analyzer/protocols/rpc/Portmap.cc +++ b/src/analyzer/protocols/rpc/Portmap.cc @@ -7,6 +7,10 @@ #include "Portmap.h" #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::rpc; + #define PMAPPROC_NULL 0 #define PMAPPROC_SET 1 #define PMAPPROC_UNSET 2 diff --git a/src/analyzer/protocols/rpc/Portmap.h b/src/analyzer/protocols/rpc/Portmap.h index bf7ab30891..6aa1173f02 100644 --- a/src/analyzer/protocols/rpc/Portmap.h +++ b/src/analyzer/protocols/rpc/Portmap.h @@ -5,6 +5,8 @@ #include "RPC.h" +namespace analyzer { namespace rpc { + class PortmapperInterp : public RPC_Interpreter { public: PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } @@ -33,4 +35,6 @@ public: { return new Portmapper_Analyzer(conn); } }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/rpc/RPC.cc b/src/analyzer/protocols/rpc/RPC.cc index 2dd11c215e..ea037c227f 100644 --- a/src/analyzer/protocols/rpc/RPC.cc +++ b/src/analyzer/protocols/rpc/RPC.cc @@ -11,6 +11,10 @@ #include "RPC.h" #include "Sessions.h" +#include "events.bif.h" + +using namespace analyzer::rpc; + namespace { // local namespace const bool DEBUG_rpc_resync = false; } 
@@ -373,7 +377,7 @@ bool RPC_Reasm_Buffer::ConsumeChunk(const u_char*& data, int& len) Contents_RPC::Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* arg_interp) - : TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) + : tcp::TCP_SupportAnalyzer("CONTENTS_RPC", conn, orig) { interp = arg_interp; state = WAIT_FOR_MESSAGE; @@ -385,7 +389,7 @@ Contents_RPC::Contents_RPC(Connection* conn, bool orig, void Contents_RPC::Init() { - TCP_SupportAnalyzer::Init(); + tcp::TCP_SupportAnalyzer::Init(); } Contents_RPC::~Contents_RPC() @@ -394,7 +398,7 @@ Contents_RPC::~Contents_RPC() void Contents_RPC::Undelivered(int seq, int len, bool orig) { - TCP_SupportAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig); NeedResync(); } @@ -413,12 +417,12 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig) // is fully established we are in sync (since it's the first chunk // of data after the SYN if its not established we need to // resync. - TCP_Analyzer* tcp = - static_cast(Parent())->TCP(); + tcp::TCP_Analyzer* tcp = + static_cast(Parent())->TCP(); assert(tcp); if ( (IsOrig() ? tcp->OrigState() : tcp->RespState()) != - TCP_ENDPOINT_ESTABLISHED ) + tcp::TCP_ENDPOINT_ESTABLISHED ) { NeedResync(); } @@ -578,7 +582,7 @@ bool Contents_RPC::CheckResync(int& len, const u_char*& data, bool orig) void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); uint32 marker; bool last_frag; @@ -675,7 +679,7 @@ void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig) RPC_Analyzer::RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp) -: TCP_ApplicationAnalyzer(name, conn) +: tcp::TCP_ApplicationAnalyzer(name, conn) { interp = arg_interp; 
@@ -692,7 +696,7 @@ RPC_Analyzer::~RPC_Analyzer() void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen); len = min(len, caplen); if ( orig ) @@ -709,7 +713,7 @@ void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, void RPC_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->Timeout(); } diff --git a/src/analyzer/protocols/rpc/RPC.h b/src/analyzer/protocols/rpc/RPC.h index da39e9f220..504f2eb194 100644 --- a/src/analyzer/protocols/rpc/RPC.h +++ b/src/analyzer/protocols/rpc/RPC.h @@ -6,6 +6,8 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/udp/UDP.h" +namespace analyzer { namespace rpc { + enum { RPC_CALL = 0, RPC_REPLY = 1, @@ -176,7 +178,7 @@ protected: }; /* Support Analyzer for reassembling RPC-over-TCP messages */ -class Contents_RPC : public TCP_SupportAnalyzer { +class Contents_RPC : public tcp::TCP_SupportAnalyzer { public: Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* interp); virtual ~Contents_RPC(); @@ -222,7 +224,7 @@ protected: int resync_toskip; }; -class RPC_Analyzer : public TCP_ApplicationAnalyzer { +class RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp); @@ -242,4 +244,6 @@ protected: Contents_RPC* resp_rpc; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/rpc/XDR.cc b/src/analyzer/protocols/rpc/XDR.cc index 96d855ddbd..981a982716 100644 --- a/src/analyzer/protocols/rpc/XDR.cc +++ b/src/analyzer/protocols/rpc/XDR.cc 
@@ -6,7 +6,11 @@ #include "XDR.h" -uint32 extract_XDR_uint32(const u_char*& buf, int& len) +#include "events.bif.h" + +using namespace analyzer::rpc; + +uint32 analyzer::rpc::extract_XDR_uint32(const u_char*& buf, int& len) { if ( ! buf ) return 0; @@ -26,7 +30,7 @@ uint32 extract_XDR_uint32(const u_char*& buf, int& len) return bits32; } -uint64 extract_XDR_uint64(const u_char*& buf, int& len) +uint64 analyzer::rpc::extract_XDR_uint64(const u_char*& buf, int& len) { if ( ! buf || len < 8 ) { @@ -40,7 +44,7 @@ uint64 extract_XDR_uint64(const u_char*& buf, int& len) return (uhi << 32) + ulo; } -double extract_XDR_time(const u_char*& buf, int& len) +double analyzer::rpc::extract_XDR_time(const u_char*& buf, int& len) { if ( ! buf || len < 8 ) { @@ -54,7 +58,7 @@ double extract_XDR_time(const u_char*& buf, int& len) return double(uhi) + double(ulo) / 1e9; } -const u_char* extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_len, bool short_buf_ok) +const u_char* analyzer::rpc::extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_len, bool short_buf_ok) { n = int(extract_XDR_uint32(buf, len)); if ( ! buf ) @@ -78,7 +82,7 @@ const u_char* extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_l return opaque; } -const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n) +const u_char* analyzer::rpc::extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n) { if ( ! buf ) return 0; @@ -97,7 +101,7 @@ const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n) } -uint32 skip_XDR_opaque_auth(const u_char*& buf, int& len) +uint32 analyzer::rpc::skip_XDR_opaque_auth(const u_char*& buf, int& len) { uint32 auth_flavor = extract_XDR_uint32(buf, len); if ( ! buf ) diff --git a/src/analyzer/protocols/rpc/XDR.h b/src/analyzer/protocols/rpc/XDR.h index 65192d6067..2f4a7d59e4 100644 --- a/src/analyzer/protocols/rpc/XDR.h +++ b/src/analyzer/protocols/rpc/XDR.h 
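Review bot: in the XDR.cc hunk above, `using namespace analyzer::rpc;` is redundant once every definition is spelled out as `analyzer::rpc::extract_XDR_...`: a qualified definition already places the function body in namespace scope, so the unqualified `extract_XDR_uint32(buf, len)` inside `extract_XDR_opaque` resolves without the using-directive, and the directive can be dropped. The new `#include "events.bif.h"` also looks unused here, as nothing in XDR.cc's visible hunks raises an event; if it was only added for uniformity with the other .cc files it should go too. One thing worth checking while on these lines, although the hunk itself is only a rename: `n = int(extract_XDR_uint32(buf, len));` in `extract_XDR_opaque` converts an attacker-controlled 32-bit length into a signed int, so the bounds checks on the unchanged lines that follow need to reject a negative `n` (a wire value of 2^31 or more), not only values above `max_len`.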
@@ -8,6 +8,8 @@ #include "util.h" +namespace analyzer { namespace rpc { + extern uint32 extract_XDR_uint32(const u_char*& buf, int& len); extern uint64 extract_XDR_uint64(const u_char*& buf, int& len); extern double extract_XDR_time(const u_char*& buf, int& len); @@ -16,4 +18,6 @@ extern const u_char* extract_XDR_opaque(const u_char*& buf, int& len, extern const u_char* extract_XDR_opaque_fixed(const u_char*& buf, int& len, int n); extern uint32 skip_XDR_opaque_auth(const u_char*& buf, int& len); +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/rpc/events.bif b/src/analyzer/protocols/rpc/events.bif index e69de29bb2..f0050ab446 100644 --- a/src/analyzer/protocols/rpc/events.bif +++ b/src/analyzer/protocols/rpc/events.bif 
@@ -0,0 +1,728 @@ +## Generated for NFSv3 request/reply dialogues of type *null*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_read nfs_proc_readdir nfs_proc_readlink +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_null%(c: connection, info: NFS3::info_t%); + +## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## fh: TODO. +## +## attrs: The attributes returned in the reply. The values may not be valid if +## the request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply file_mode +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); + +## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *read*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. 
+## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir +## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply +## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## fh: The file handle passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *write*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_reply_status rpc_call +## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only +## NFS3::return_data_max +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *create*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. 
See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *remove*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. 
+## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%); + +## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3 +## analyzer does not implement. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## proc: The procedure called that Bro does not implement. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove +## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%); + +## Generated for each NFSv3 reply message received, reporting just the +## status included. +## +## n: The connection. +## +## info: Reports the status included in the reply. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. 
+event nfs_reply_status%(n: connection, info: NFS3::info_t%); + +## Generated for Portmapper requests of type *null*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit +## pm_request_dump pm_request_getport pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_request_null%(r: connection%); + +## Generated for Portmapper request/reply dialogues of type *set*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## m: The argument to the request. +## +## success: True if the request was successful, according to the corresponding +## reply. If no reply was seen, this will be false once the request +## times out. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit +## pm_request_dump pm_request_getport pm_request_null pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. 
+event pm_request_set%(r: connection, m: pm_mapping, success: bool%); + +## Generated for Portmapper request/reply dialogues of type *unset*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## m: The argument to the request. +## +## success: True if the request was successful, according to the corresponding +## reply. If no reply was seen, this will be false once the request +## times out. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit +## pm_request_dump pm_request_getport pm_request_null pm_request_set rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); + +## Generated for Portmapper request/reply dialogues of type *getport*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## pr: The argument to the request. +## +## p: The port returned by the server. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit +## pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); + +## Generated for Portmapper request/reply dialogues of type *dump*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## m: The mappings returned by the server. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit +## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_request_dump%(r: connection, m: pm_mappings%); + +## Generated for Portmapper request/reply dialogues of type *callit*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## call: The argument to the request. +## +## p: The port value returned by the call. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_dump +## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. 
+event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); + +## Generated for failed Portmapper requests of type *null*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## status: The status of the reply, which should be one of the index values of +## :bro:id:`RPC_status`. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump +## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_attempt_null%(r: connection, status: rpc_status%); + +## Generated for failed Portmapper requests of type *set*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## status: The status of the reply, which should be one of the index values of +## :bro:id:`RPC_status`. +## +## m: The argument to the original request. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump +## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. 
+event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); + +## Generated for failed Portmapper requests of type *unset*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## status: The status of the reply, which should be one of the index values of +## :bro:id:`RPC_status`. +## +## m: The argument to the original request. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_bad_port pm_request_callit pm_request_dump +## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); + +## Generated for failed Portmapper requests of type *getport*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## status: The status of the reply, which should be one of the index values of +## :bro:id:`RPC_status`. +## +## pr: The argument to the original request. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_null +## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump +## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%); + +## Generated for failed Portmapper requests of type *dump*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## status: The status of the reply, which should be one of the index values of +## :bro:id:`RPC_status`. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_getport pm_attempt_null +## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump +## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_attempt_dump%(r: connection, status: rpc_status%); + +## Generated for failed Portmapper requests of type *callit*. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## status: The status of the reply, which should be one of the index values of +## :bro:id:`RPC_status`. +## +## call: The argument to the original request. +## +## .. bro:see:: epm_map_response pm_attempt_dump pm_attempt_getport pm_attempt_null +## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump +## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call +## rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); + +## Generated for Portmapper requests or replies that include an invalid port +## number. Since ports are represented by unsigned 4-byte integers, they can +## stray outside the allowed range of 0--65535 by being >= 65536. If so, this +## event is generated. +## +## Portmapper is a service running on top of RPC. See `Wikipedia +## `__ for more information about the +## service. +## +## r: The RPC connection. +## +## bad_p: The invalid port value. +## +## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport +## pm_attempt_null pm_attempt_set pm_attempt_unset pm_request_callit +## pm_request_dump pm_request_getport pm_request_null pm_request_set +## pm_request_unset rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event pm_bad_port%(r: connection, bad_p: count%); + +## Generated for RPC request/reply *pairs*. The RPC analyzer associates request +## and reply by their transaction identifiers and raises this event once both +## have been seen. If there's not a reply, this event will still be generated +## eventually on timeout. In that case, *status* will be set to +## :bro:enum:`RPC_TIMEOUT`. +## +## See `Wikipedia `__ for more information +## about the ONC RPC protocol. +## +## c: The connection. +## +## prog: The remote program to call. +## +## ver: The version of the remote program to call. +## +## proc: The procedure of the remote program to call. +## +## status: The status of the reply, which should be one of the index values of +## :bro:id:`RPC_status`. 
+## +## start_time: The time when the *call* was seen. +## +## call_len: The size of the *call_body* PDU. +## +## reply_len: The size of the *reply_body* PDU. +## +## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); + +## Generated for RPC *call* messages. +## +## See `Wikipedia `__ for more information +## about the ONC RPC protocol. +## +## c: The connection. +## +## xid: The transaction identifier allowing to match requests with replies. +## +## prog: The remote program to call. +## +## ver: The version of the remote program to call. +## +## proc: The procedure of the remote program to call. +## +## call_len: The size of the *call_body* PDU. +## +## .. bro:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); + +## Generated for RPC *reply* messages. +## +## See `Wikipedia `__ for more information +## about the ONC RPC protocol. +## +## c: The connection. +## +## xid: The transaction identifier allowing to match requests with replies. 
+## +## status: The status of the reply, which should be one of the index values of +## :bro:id:`RPC_status`. +## +## reply_len: The size of the *reply_body* PDU. +## +## .. bro:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request +## dce_rpc_response rpc_timeout +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to add a +## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); diff --git a/src/analyzer/protocols/smb/Plugin.cc b/src/analyzer/protocols/smb/Plugin.cc index 543638faf4..2f83460984 100644 --- a/src/analyzer/protocols/smb/Plugin.cc +++ b/src/analyzer/protocols/smb/Plugin.cc @@ -5,7 +5,7 @@ BRO_PLUGIN_BEGIN(SMB) BRO_PLUGIN_DESCRIPTION("SMB Analyzer"); - BRO_PLUGIN_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SMB", smb::SMB_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_SMB"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/smb/SMB.cc b/src/analyzer/protocols/smb/SMB.cc index 24cbf2dc1a..798e2bfd1f 100644 --- a/src/analyzer/protocols/smb/SMB.cc +++ b/src/analyzer/protocols/smb/SMB.cc @@ -6,6 +6,10 @@ #include "Val.h" #include "Reporter.h" +#include "events.bif.h" + +using namespace analyzer::smb; + namespace { const bool DEBUG_smb_ipc = true; } @@ -1093,7 +1097,7 @@ bool SMB_Session::CheckRPC(int is_orig, int data_count, const u_char *data) if ( LooksLikeRPC(data_count, data) ) { if ( ! dce_rpc_session ) - dce_rpc_session = new DCE_RPC_Session(analyzer); + dce_rpc_session = new dce_rpc::DCE_RPC_Session(analyzer); dce_rpc_session->DeliverPDU(is_orig, data_count, data); 
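Review bot: in the rpc events.bif hunk, the `.. todo::` blocks for rpc_dialogue, rpc_call and rpc_reply still tell the reader to "add a corresponding entry to :bro:see:`dpd_config` or a DPD payload signature", while the pm_attempt_callit and pm_bad_port blocks immediately above were rewritten to "register a port for it or add a DPD payload signature". Since this commit removes the dpd_config table, the three remaining references will resolve to an identifier that no longer exists in the generated docs; update them to the new wording in the same patch.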
@@ -1104,7 +1108,7 @@ bool SMB_Session::CheckRPC(int is_orig, int data_count, const u_char *data) } Contents_SMB::Contents_SMB(Connection* conn, bool orig, SMB_Session* s) -: TCP_SupportAnalyzer("CONTENTS_SMB", conn, orig) +: tcp::TCP_SupportAnalyzer("CONTENTS_SMB", conn, orig) { smb_session = s; msg_buf = 0; @@ -1145,7 +1149,7 @@ void Contents_SMB::DeliverSMB(int len, const u_char* data) void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); while ( len > 0 ) { @@ -1221,7 +1225,7 @@ void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig) } SMB_Analyzer::SMB_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("SMB", conn) +: tcp::TCP_ApplicationAnalyzer("SMB", conn) { smb_session = new SMB_Session(this); o_smb = new Contents_SMB(conn, true, smb_session); diff --git a/src/analyzer/protocols/smb/SMB.h b/src/analyzer/protocols/smb/SMB.h index 83f3811010..0b67c96710 100644 --- a/src/analyzer/protocols/smb/SMB.h +++ b/src/analyzer/protocols/smb/SMB.h @@ -10,6 +10,8 @@ #include "analyzer/protocols/dce-rpc/DCE_RPC.h" #include "smb_pac.h" +namespace analyzer { namespace smb { + enum IPC_named_pipe { IPC_NONE, IPC_LOCATOR, @@ -44,15 +46,6 @@ public: void Deliver(int is_orig, int len, const u_char* msg); - static bool any_smb_event() - { - return smb_message || - smb_com_tree_connect_andx || - smb_com_nt_create_andx || smb_com_transaction || - smb_com_transaction2 || smb_com_read_andx || - smb_com_write_andx; - } - protected: void ParseMessage(int is_orig, int cmd, binpac::SMB::SMB_header const &hdr, @@ -159,7 +152,7 @@ protected: Val* BuildTransactionDataVal(binpac::SMB::SMB_transaction_data* data); analyzer::Analyzer* analyzer; - DCE_RPC_Session* dce_rpc_session; + dce_rpc::DCE_RPC_Session* dce_rpc_session; enum IPC_named_pipe IPC_pipe; int is_IPC; int req_cmd; 
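Review bot: the SMB.h hunk at `@@ -44,15 +46,6 @@` deletes the static `any_smb_event()` helper from SMB_Session, but no visible SMB.cc hunk removes or replaces its call site. If SMB.cc still invokes it the build breaks; if the call was dropped elsewhere, the analyzer now parses and builds values for every SMB message even when no `smb_*` handler is defined, which is exactly the cost the helper was avoiding. Either include the call-site change here or say where the "any handler defined" check now lives under the new framework.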
@@ -170,7 +163,7 @@ protected: binpac::SMB::SMB_andx* andx_[2]; }; -class Contents_SMB : public TCP_SupportAnalyzer { +class Contents_SMB : public tcp::TCP_SupportAnalyzer { public: Contents_SMB(Connection* conn, bool orig, SMB_Session* smb_session); ~Contents_SMB(); @@ -190,7 +183,7 @@ protected: int buf_len; // size off msg_buf }; -class SMB_Analyzer : public TCP_ApplicationAnalyzer { +class SMB_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SMB_Analyzer(Connection* conn); ~SMB_Analyzer(); @@ -204,4 +197,6 @@ protected: Contents_SMB* r_smb; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/smb/events.bif b/src/analyzer/protocols/smb/events.bif index e69de29bb2..74cb1feb77 100644 --- a/src/analyzer/protocols/smb/events.bif +++ b/src/analyzer/protocols/smb/events.bif 
@@ -0,0 +1,495 @@ +## Generated for all SMB/CIFS messages. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## is_orig: True if the message was sent by the originator of the underlying +## transport-level connection. +## +## cmd: A string mnemonic of the SMB command code. +## +## body_length: The length of the SMB message body, i.e. the data starting after +## the SMB header. +## +## body: The raw SMB message body, i.e., the data starting after the SMB header. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot +## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 +## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error +## smb_get_dfs_referral +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%); + +## Generated for SMB/CIFS messages of type *tree connect andx*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## path: The ``path`` attribute specified in the message. +## +## service: The ``service`` attribute specified in the message. +## +## .. 
bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot +## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%); + +## Generated for SMB/CIFS messages of type *tree disconnect*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot +## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 +## smb_com_tree_connect_andx smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%); + +## Generated for SMB/CIFS messages of type *nt create andx*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. 
Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## name: The ``name`` attribute specified in the message. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_read_andx +## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%); + +## Generated for SMB/CIFS messages of type *nt transaction*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## trans: The parsed transaction header. +## +## data: The raw transaction data. +## +## is_orig: True if the message was sent by the originator of the connection. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe +## smb_com_trans_rap smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); + +## Generated for SMB/CIFS messages of type *nt transaction 2*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## trans: The parsed transaction header. +## +## data: The raw transaction data. +## +## is_orig: True if the message was sent by the originator of the connection. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe +## smb_com_trans_rap smb_com_transaction smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); + +## Generated for SMB/CIFS messages of type *transaction mailslot*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. 
+## +## hdr: The parsed header of the SMB message. +## +## trans: The parsed transaction header. +## +## data: The raw transaction data. +## +## is_orig: True if the message was sent by the originator of the connection. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_pipe smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); + +## Generated for SMB/CIFS messages of type *transaction rap*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## trans: The parsed transaction header. +## +## data: The raw transaction data. +## +## is_orig: True if the message was sent by the originator of the connection. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot +## smb_com_trans_pipe smb_com_transaction smb_com_transaction2 +## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error +## smb_get_dfs_referral smb_message +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); + +## Generated for SMB/CIFS messages of type *transaction pipe*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## trans: The parsed transaction header. +## +## data: The raw transaction data. +## +## is_orig: True if the message was sent by the originator of the connection. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); + +## Generated for SMB/CIFS messages of type *read andx*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. 
+## +## hdr: The parsed header of the SMB message. +## +## data: Always empty. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%); + +## Generated for SMB/CIFS messages of type *read andx*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## data: Always empty. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot +## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 +## smb_com_tree_connect_andx smb_com_tree_disconnect smb_error +## smb_get_dfs_referral smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. 
+event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%); + +## Generated for SMB/CIFS messages of type *get dfs referral*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## max_referral_level: The ``max_referral_level`` attribute specified in the +## message. +## +## file_name: The ``filene_name`` attribute specified in the message. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot +## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 +## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%); + +## Generated for SMB/CIFS messages of type *negotiate*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## .. 
bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx +## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction +## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect +## smb_com_write_andx smb_error smb_get_dfs_referral smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_negotiate%(c: connection, hdr: smb_hdr%); + +## Generated for SMB/CIFS messages of type *negotiate response*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## dialect_index: The ``dialect`` indicated in the message. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx +## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction +## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect +## smb_com_write_andx smb_error smb_get_dfs_referral smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%); + +## Generated for SMB/CIFS messages of type *setup andx*. 
+## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_setup_andx%(c: connection, hdr: smb_hdr%); + +## Generated for SMB/CIFS messages of type *generic andx*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## .. bro:see:: smb_com_close smb_com_logoff_andx smb_com_negotiate +## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx +## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_generic_andx%(c: connection, hdr: smb_hdr%); + +## Generated for SMB/CIFS messages of type *close*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## .. bro:see:: smb_com_generic_andx smb_com_logoff_andx smb_com_negotiate +## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx +## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_close%(c: connection, hdr: smb_hdr%); + +## Generated for SMB/CIFS messages of type *logoff andx*. +## +## See `Wikipedia `__ for +## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses +## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_negotiate +## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx +## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap +## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx +## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral +## smb_message +## +## .. 
todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%); + +## Generated for SMB/CIFS messages that indicate an error. This event is +## triggered by an SMB header including a status that signals an error. +## +## c: The connection. +## +## hdr: The parsed header of the SMB message. +## +## cmd: The SMB command code. +## +## cmd_str: A string mnemonic of the SMB command code. +## +## data: The raw SMB message body, i.e., the data starting after the SMB header. +## +## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx +## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx +## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot +## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 +## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx +## smb_get_dfs_referral smb_message +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%); + diff --git a/src/analyzer/protocols/smb/smb.pac b/src/analyzer/protocols/smb/smb.pac index 740ad47991..1fdab27d90 100644 --- a/src/analyzer/protocols/smb/smb.pac +++ b/src/analyzer/protocols/smb/smb.pac @@ -1,6 +1,10 @@ %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer SMB withcontext { }; %include smb-protocol.pac 
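Review bot: two documentation slips in the new src/analyzer/protocols/smb/events.bif hunk. The smb_com_write_andx block opens with "Generated for SMB/CIFS messages of type *read andx*", copied from the smb_com_read_andx block directly above it; it should read *write andx*. The smb_get_dfs_referral block documents its last parameter as "The ``filene_name`` attribute specified in the message", a typo for ``file_name``. While here, both `data: Always empty.` lines (smb_com_read_andx and smb_com_write_andx) would benefit from one sentence on why the parameter is exposed at all if it never carries payload.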
diff --git a/src/analyzer/protocols/smtp/Plugin.cc b/src/analyzer/protocols/smtp/Plugin.cc index 6b9f7a0aeb..8a5095381d 100644 --- a/src/analyzer/protocols/smtp/Plugin.cc +++ b/src/analyzer/protocols/smtp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SMTP) BRO_PLUGIN_DESCRIPTION("SMTP Analyzer"); - BRO_PLUGIN_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SMTP", smtp::SMTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/smtp/SMTP.cc b/src/analyzer/protocols/smtp/SMTP.cc index c674c120ec..7bbb7ec69e 100644 --- a/src/analyzer/protocols/smtp/SMTP.cc +++ b/src/analyzer/protocols/smtp/SMTP.cc @@ -10,6 +10,10 @@ #include "Reporter.h" #include "analyzer/protocols/tcp/ContentLine.h" +#include "events.bif.h" + +using namespace analyzer::smtp; + #undef SMTP_CMD_DEF #define SMTP_CMD_DEF(cmd) #cmd, @@ -21,7 +25,7 @@ static const char* smtp_cmd_word[] = { SMTP_Analyzer::SMTP_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("SMTP", conn) +: tcp::TCP_ApplicationAnalyzer("SMTP", conn) { expect_sender = 0; expect_recver = 1; @@ -40,12 +44,12 @@ SMTP_Analyzer::SMTP_Analyzer(Connection* conn) line_after_gap = 0; mail = 0; UpdateState(first_cmd, 0); - ContentLine_Analyzer* cl_orig = new ContentLine_Analyzer(conn, true); + tcp::ContentLine_Analyzer* cl_orig = new tcp::ContentLine_Analyzer(conn, true); cl_orig->SetIsNULSensitive(true); cl_orig->SetSkipPartial(true); AddSupportAnalyzer(cl_orig); - ContentLine_Analyzer* cl_resp = new ContentLine_Analyzer(conn, false); + tcp::ContentLine_Analyzer* cl_resp = new tcp::ContentLine_Analyzer(conn, false); cl_resp->SetIsNULSensitive(true); cl_resp->SetSkipPartial(true); AddSupportAnalyzer(cl_resp); 
@@ -53,7 +57,7 @@ SMTP_Analyzer::SMTP_Analyzer(Connection* conn) void SMTP_Analyzer::ConnectionFinished(int half_finished) { - TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); + tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished); if ( ! half_finished && mail ) EndData(); @@ -66,7 +70,7 @@ SMTP_Analyzer::~SMTP_Analyzer() void SMTP_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); if ( mail ) EndData(); @@ -74,7 +78,7 @@ void SMTP_Analyzer::Done() void SMTP_Analyzer::Undelivered(int seq, int len, bool is_orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig); if ( len <= 0 ) return; @@ -107,7 +111,7 @@ void SMTP_Analyzer::Undelivered(int seq, int len, bool is_orig) void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig); // NOTE: do not use IsOrig() here, because of TURN command. int is_sender = orig_is_sender ? orig : ! orig; @@ -868,7 +872,7 @@ void SMTP_Analyzer::BeginData() delete mail; } - mail = new MIME_Mail(this); + mail = new mime::MIME_Mail(this); } void SMTP_Analyzer::EndData() diff --git a/src/analyzer/protocols/smtp/SMTP.h b/src/analyzer/protocols/smtp/SMTP.h index d525fb11af..02322f09c7 100644 --- a/src/analyzer/protocols/smtp/SMTP.h +++ b/src/analyzer/protocols/smtp/SMTP.h @@ -7,12 +7,13 @@ using namespace std; #include "analyzer/protocols/tcp/TCP.h" -#include "MIME.h" - +#include "analyzer/protocols/mime/MIME.h" #undef SMTP_CMD_DEF #define SMTP_CMD_DEF(cmd) SMTP_CMD_##cmd, +namespace analyzer { namespace smtp { + typedef enum { #include "SMTP_cmd.def" } SMTP_Cmd; 
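Review bot: style point in the SMTP.h hunk at `@@ -7,12 +13,13 @@`: the change drops the blank line that separated the includes from the macro block, so `+#include "analyzer/protocols/mime/MIME.h"` is now immediately followed by `#undef SMTP_CMD_DEF`. The other headers touched in this patch keep a blank line between includes and what follows; restore it here for consistency.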
@@ -35,7 +36,7 @@ typedef enum { } SMTP_State; -class SMTP_Analyzer : public TCP_ApplicationAnalyzer { +class SMTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SMTP_Analyzer(Connection* conn); ~SMTP_Analyzer(); @@ -87,7 +88,9 @@ protected: BroString* line_after_gap; // last line before the first reply // after a gap - MIME_Mail* mail; + mime::MIME_Mail* mail; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/smtp/events.bif b/src/analyzer/protocols/smtp/events.bif index e69de29bb2..4a376bcbf8 100644 --- a/src/analyzer/protocols/smtp/events.bif +++ b/src/analyzer/protocols/smtp/events.bif 
@@ -0,0 +1,100 @@ +## Generated for client-side SMTP commands. +## +## See `Wikipedia `__ +## for more information about the SMTP protocol. +## +## c: The connection. +## +## is_orig: True if the sender of the command is the originator of the TCP +## connection. Note that this is not redundant: the SMTP ``TURN`` command +## allows client and server to flip roles on established SMTP sessions, +## and hence a "request" might still come from the TCP-level responder. +## In practice, however, that will rarely happen as TURN is considered +## insecure and rarely used. +## +## command: The request's command, without any arguments. +## +## arg: The request command's arguments. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data +## smtp_data smtp_reply +## +## .. note:: Bro does not support the newer ETRN extension yet. +event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%); + +## Generated for server-side SMTP commands. +## +## See `Wikipedia `__ +## for more information about the SMTP protocol. +## +## c: The connection. +## +## is_orig: True if the sender of the command is the originator of the TCP +## connection. Note that this is not redundant: the SMTP ``TURN`` command +## allows client and server to flip roles on established SMTP sessions, +## and hence a "reply" might still come from the TCP-level originator. In +## practice, however, that will rarely happen as TURN is considered +## insecure and rarely used. +## +## code: The reply's numerical code. +## +## cmd: TODO. +## +## msg: The reply's textual description. +## +## cont_resp: True if the reply line is tagged as being continued to the next +## line. If so, further events will be raised and a handler may want to +## reassemble the pieces before processing the response any further. +## +## .. 
bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data +## smtp_data smtp_request +## +## .. note:: Bro doesn't support the newer ETRN extension yet. +event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%); + +## Generated for DATA transmitted on SMTP sessions. This event is raised for +## subsequent chunks of raw data following the ``DATA`` SMTP command until the +## corresponding end marker ``.`` is seen. A handler may want to reassemble +## the pieces as they come in if stream-analysis is required. +## +## See `Wikipedia `__ +## for more information about the SMTP protocol. +## +## c: The connection. +## +## is_orig: True if the sender of the data is the originator of the TCP +## connection. +## +## data: The raw data. Note that the size of each chunk is undefined and +## depends on specifics of the underlying TCP connection. +## +## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash +## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data +## smtp_reply smtp_request skip_smtp_data +## +## .. note:: This event receives the unprocessed raw data. There is a separate +## set of ``mime_*`` events that strip out the outer MIME-layer of emails and +## provide structured access to their content. +event smtp_data%(c: connection, is_orig: bool, data: string%); + +## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks +## the state of SMTP sessions and reports commands and other activity with this +## event that it sees even though it would not expect so at the current point +## of the communication. +## +## See `Wikipedia `__ +## for more information about the SMTP protocol. +## +## c: The connection. +## +## is_orig: True if the sender of the unexpected activity is the originator of +## the TCP connection. 
+## +## msg: A descriptive message of what was unexpected. +## +## detail: The actual SMTP line triggering the event. +## +## .. bro:see:: smtp_data smtp_request smtp_reply +event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); diff --git a/src/analyzer/protocols/socks/Plugin.cc b/src/analyzer/protocols/socks/Plugin.cc index 080a8329de..3c849e6e23 100644 --- a/src/analyzer/protocols/socks/Plugin.cc +++ b/src/analyzer/protocols/socks/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SOCKS) BRO_PLUGIN_DESCRIPTION("SOCKS Analyzer"); - BRO_PLUGIN_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SOCKS", socks::SOCKS_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/socks/SOCKS.cc b/src/analyzer/protocols/socks/SOCKS.cc index 25ebf9796e..dab464abf7 100644 --- a/src/analyzer/protocols/socks/SOCKS.cc +++ b/src/analyzer/protocols/socks/SOCKS.cc @@ -2,8 +2,12 @@ #include "socks_pac.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::socks; + SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn) -: TCP_ApplicationAnalyzer("SOCKS", conn) +: tcp::TCP_ApplicationAnalyzer("SOCKS", conn) { interp = new binpac::SOCKS::SOCKS_Conn(this); orig_done = resp_done = false; @@ -25,7 +29,7 @@ void SOCKS_Analyzer::EndpointDone(bool orig) void SOCKS_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -33,13 +37,13 @@ void SOCKS_Analyzer::Done() void SOCKS_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); 
@@ -57,7 +61,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) if ( ! pia ) { - pia = new PIA_TCP(Conn()); + pia = new pia::PIA_TCP(Conn()); AddChildAnalyzer(pia); pia->FirstPacket(true, 0); pia->FirstPacket(false, 0); @@ -80,7 +84,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SOCKS_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); interp->NewGap(orig, len); } diff --git a/src/analyzer/protocols/socks/SOCKS.h b/src/analyzer/protocols/socks/SOCKS.h index 8abdfe3a3f..7aed5c02a3 100644 --- a/src/analyzer/protocols/socks/SOCKS.h +++ b/src/analyzer/protocols/socks/SOCKS.h @@ -12,8 +12,9 @@ namespace binpac { } } +namespace analyzer { namespace socks { -class SOCKS_Analyzer : public TCP_ApplicationAnalyzer { +class SOCKS_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SOCKS_Analyzer(Connection* conn); ~SOCKS_Analyzer(); @@ -33,8 +34,10 @@ protected: bool orig_done; bool resp_done; - PIA_TCP *pia; + pia::PIA_TCP *pia; binpac::SOCKS::SOCKS_Conn* interp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/socks/events.bif b/src/analyzer/protocols/socks/events.bif index e69de29bb2..4f1f8ad1cd 100644 --- a/src/analyzer/protocols/socks/events.bif +++ b/src/analyzer/protocols/socks/events.bif 
@@ -0,0 +1,29 @@ +## Generated when a SOCKS request is analyzed. +## +## c: The parent connection of the proxy. +## +## version: The version of SOCKS this message used. +## +## request_type: The type of the request. +## +## sa: Address that the tunneled traffic should be sent to. +## +## p: The destination port for the proxied traffic. +## +## user: Username given for the SOCKS connection. This is not yet implemented +## for SOCKSv5. +event socks_request%(c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string%); + +## Generated when a SOCKS reply is analyzed. +## +## c: The parent connection of the proxy. +## +## version: The version of SOCKS this message used. +## +## reply: The status reply from the server. +## +## sa: The address that the server sent the traffic to. +## +## p: The destination port for the proxied traffic. +event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port%); + diff --git a/src/analyzer/protocols/socks/socks.pac b/src/analyzer/protocols/socks/socks.pac index 15d3580674..a9c4099508 100644 --- a/src/analyzer/protocols/socks/socks.pac +++ b/src/analyzer/protocols/socks/socks.pac @@ -3,6 +3,8 @@ %extern{ #include "SOCKS.h" + +#include "events.bif.h" %} analyzer SOCKS withcontext { @@ -21,4 +23,4 @@ flow SOCKS_Flow(is_orig: bool) { datagram = SOCKS_Version(is_orig) withcontext(connection, this); }; -%include socks-analyzer.pac \ No newline at end of file +%include socks-analyzer.pac diff --git a/src/analyzer/protocols/ssh/Plugin.cc b/src/analyzer/protocols/ssh/Plugin.cc index 76603220d3..57acbe222c 100644 --- a/src/analyzer/protocols/ssh/Plugin.cc +++ b/src/analyzer/protocols/ssh/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SSH) BRO_PLUGIN_DESCRIPTION("SSH Analyzer"); - BRO_PLUGIN_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SSH", ssh::SSH_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END 
diff --git a/src/analyzer/protocols/ssh/SSH.cc b/src/analyzer/protocols/ssh/SSH.cc index 3b89422d5a..c2ff9a066c 100644 --- a/src/analyzer/protocols/ssh/SSH.cc +++ b/src/analyzer/protocols/ssh/SSH.cc @@ -9,15 +9,19 @@ #include "Event.h" #include "analyzer/protocols/tcp/ContentLine.h" +#include "events.bif.h" + +using namespace analyzer::ssh; + SSH_Analyzer::SSH_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("SSH", c) +: tcp::TCP_ApplicationAnalyzer("SSH", c) { - orig = new ContentLine_Analyzer(c, true); + orig = new tcp::ContentLine_Analyzer(c, true); orig->SetSkipPartial(true); orig->SetCRLFAsEOL(LF_as_EOL); AddSupportAnalyzer(orig); - resp = new ContentLine_Analyzer(c, false); + resp = new tcp::ContentLine_Analyzer(c, false); resp->SetSkipPartial(true); resp->SetCRLFAsEOL(LF_as_EOL); AddSupportAnalyzer(resp); @@ -25,7 +29,7 @@ SSH_Analyzer::SSH_Analyzer(Connection* c) void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig); // We're all done processing this endpoint - flag it as such, // before we even determine whether we have any event generation @@ -38,7 +42,7 @@ void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) if ( TCP() ) { // Don't try to parse version if there has already been a gap. - TCP_Endpoint* endp = is_orig ? TCP()->Orig() : TCP()->Resp(); + tcp::TCP_Endpoint* endp = is_orig ? TCP()->Orig() : TCP()->Resp(); if ( endp->HadGap() ) return; } diff --git a/src/analyzer/protocols/ssh/SSH.h b/src/analyzer/protocols/ssh/SSH.h index d3cda5f2f5..644444136d 100644 --- a/src/analyzer/protocols/ssh/SSH.h +++ b/src/analyzer/protocols/ssh/SSH.h 
@@ -6,7 +6,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" -class SSH_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ssh { + +class SSH_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SSH_Analyzer(Connection* conn); @@ -16,8 +18,10 @@ public: { return new SSH_Analyzer(conn); } private: - ContentLine_Analyzer* orig; - ContentLine_Analyzer* resp; + tcp::ContentLine_Analyzer* orig; + tcp::ContentLine_Analyzer* resp; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ssh/events.bif b/src/analyzer/protocols/ssh/events.bif index e69de29bb2..9d73f5e483 100644 --- a/src/analyzer/protocols/ssh/events.bif +++ b/src/analyzer/protocols/ssh/events.bif 
@@ -0,0 +1,38 @@ +## Generated when seeing an SSH client's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## client sent. +## +## +## See `Wikipedia `__ for more +## information about the SSH protocol. +## +## c: The connection. +## +## version: The version string the client sent (e.g., `SSH-2.0-libssh-0.11`). +## +## .. bro:see:: ssh_server_version +## +## .. note:: As everything after the initial version handshake proceeds +## encrypted, Bro cannot further analyze SSH sessions. +event ssh_client_version%(c: connection, version: string%); + +## Generated when seeing an SSH server's version identification. The SSH +## protocol starts with a clear-text handshake message that reports client and +## server protocol/software versions. This event provides access to what the +## server sent. +## +## See `Wikipedia `__ for more +## information about the SSH protocol. +## +## c: The connection. +## +## version: The version string the server sent (e.g., +## ``SSH-1.99-OpenSSH_3.9p1``). +## +## .. bro:see:: ssh_client_version +## +## .. note:: As everything coming after the initial version handshake proceeds +## encrypted, Bro cannot further analyze SSH sessions. +event ssh_server_version%(c: connection, version: string%); + diff --git a/src/analyzer/protocols/ssl/Plugin.cc b/src/analyzer/protocols/ssl/Plugin.cc index 743401896d..6fe3308818 100644 --- a/src/analyzer/protocols/ssl/Plugin.cc +++ b/src/analyzer/protocols/ssl/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SSL) BRO_PLUGIN_DESCRIPTION("SSL Analyzer"); - BRO_PLUGIN_ANALYZER("SSL", SSL_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SSL", ssl::SSL_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ssl/SSL.cc b/src/analyzer/protocols/ssl/SSL.cc index deec34e5d9..cf41f273f6 100644 --- a/src/analyzer/protocols/ssl/SSL.cc 
+++ b/src/analyzer/protocols/ssl/SSL.cc @@ -4,8 +4,12 @@ #include "Reporter.h" #include "util.h" +#include "events.bif.h" + +using namespace analyzer::ssl; + SSL_Analyzer::SSL_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("SSL", c) +: tcp::TCP_ApplicationAnalyzer("SSL", c) { interp = new binpac::SSL::SSL_Conn(this); had_gap = false; @@ -18,7 +22,7 @@ SSL_Analyzer::~SSL_Analyzer() void SSL_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); interp->FlowEOF(true); interp->FlowEOF(false); @@ -26,13 +30,13 @@ void SSL_Analyzer::Done() void SSL_Analyzer::EndpointEOF(bool is_orig) { - TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); interp->FlowEOF(is_orig); } void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); assert(TCP()); if ( TCP()->IsPartial() ) @@ -55,7 +59,7 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) void SSL_Analyzer::Undelivered(int seq, int len, bool orig) { - TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); had_gap = true; interp->NewGap(orig, len); } diff --git a/src/analyzer/protocols/ssl/SSL.h b/src/analyzer/protocols/ssl/SSL.h index 1d451a40ef..b8d6f20db1 100644 --- a/src/analyzer/protocols/ssl/SSL.h +++ b/src/analyzer/protocols/ssl/SSL.h @@ -6,7 +6,9 @@ #include "analyzer/protocols/tcp/TCP.h" #include "ssl_pac.h" -class SSL_Analyzer : public TCP_ApplicationAnalyzer { +namespace analyzer { namespace ssl { + +class SSL_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SSL_Analyzer(Connection* conn); virtual ~SSL_Analyzer(); 
@@ -16,7 +18,7 @@ public: virtual void DeliverStream(int len, const u_char* data, bool orig); virtual void Undelivered(int seq, int len, bool orig); - // Overriden from TCP_ApplicationAnalyzer. + // Overriden from tcp::TCP_ApplicationAnalyzer. virtual void EndpointEOF(bool is_orig); static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) @@ -35,4 +37,6 @@ protected: }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/ssl/ssl-defs.pac b/src/analyzer/protocols/ssl/ssl-defs.pac index 4f715bbddd..c35fc56e85 100644 --- a/src/analyzer/protocols/ssl/ssl-defs.pac +++ b/src/analyzer/protocols/ssl/ssl-defs.pac @@ -3,6 +3,8 @@ %extern{ #include using std::string; + +#include "events.bif.h" %} enum ContentType { diff --git a/src/analyzer/protocols/ssl/ssl.pac b/src/analyzer/protocols/ssl/ssl.pac index 150dc222cb..4a32227088 100644 --- a/src/analyzer/protocols/ssl/ssl.pac +++ b/src/analyzer/protocols/ssl/ssl.pac @@ -5,13 +5,13 @@ # - ssl-analyzer.pac: contains the SSL analyzer code # - ssl-record-layer.pac: describes the SSL record layer -%extern{ - #include "events.bif.h" -%} - %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer SSL withcontext { connection: SSL_Conn; flow: SSL_Flow; diff --git a/src/analyzer/protocols/stepping-stone/Plugin.cc b/src/analyzer/protocols/stepping-stone/Plugin.cc index 18bfa41063..748c5fac5f 100644 --- a/src/analyzer/protocols/stepping-stone/Plugin.cc +++ b/src/analyzer/protocols/stepping-stone/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(SteppingStone) BRO_PLUGIN_DESCRIPTION("SteppingStone Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("STEPPINGSTONE", stepping_stone::SteppingStone_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.cc b/src/analyzer/protocols/stepping-stone/SteppingStone.cc index f2f4561de6..2b25a2e080 100644 
--- a/src/analyzer/protocols/stepping-stone/SteppingStone.cc +++ b/src/analyzer/protocols/stepping-stone/SteppingStone.cc @@ -11,7 +11,11 @@ #include "SteppingStone.h" #include "util.h" -SteppingStoneEndpoint::SteppingStoneEndpoint(TCP_Endpoint* e, SteppingStoneManager* m) +#include "events.bif.h" + +using namespace analyzer::stepping_stone; + +SteppingStoneEndpoint::SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m) { endp = e; stp_max_top_seq = 0; @@ -157,7 +161,7 @@ void SteppingStoneEndpoint::CreateEndpEvent(int is_orig) } SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) -: TCP_ApplicationAnalyzer("STEPPINGSTONE", c) +: tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c) { stp_manager = sessions->GetSTPManager(); @@ -167,7 +171,7 @@ SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c) void SteppingStone_Analyzer::Init() { - TCP_ApplicationAnalyzer::Init(); + tcp::TCP_ApplicationAnalyzer::Init(); assert(TCP()); orig_endp = new SteppingStoneEndpoint(TCP()->Orig(), stp_manager); @@ -178,7 +182,7 @@ void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen) { - TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, + tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); if ( is_orig ) @@ -190,7 +194,7 @@ void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data, void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) { - TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); + tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig); if ( is_orig ) { @@ -209,7 +213,7 @@ void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data, void SteppingStone_Analyzer::Done() { - TCP_ApplicationAnalyzer::Done(); + tcp::TCP_ApplicationAnalyzer::Done(); orig_endp->Done(); resp_endp->Done(); 
diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.h b/src/analyzer/protocols/stepping-stone/SteppingStone.h index cbf22e7715..f818a0ee70 100644 --- a/src/analyzer/protocols/stepping-stone/SteppingStone.h +++ b/src/analyzer/protocols/stepping-stone/SteppingStone.h @@ -8,6 +8,8 @@ class NetSessions; +namespace analyzer { namespace stepping_stone { + class SteppingStoneEndpoint; class SteppingStoneManager; @@ -16,7 +18,7 @@ declare(PDict,SteppingStoneEndpoint); class SteppingStoneEndpoint : public BroObj { public: - SteppingStoneEndpoint(TCP_Endpoint* e, SteppingStoneManager* m); + SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m); ~SteppingStoneEndpoint(); void Done(); @@ -27,7 +29,7 @@ protected: void Event(EventHandlerPtr f, int id1, int id2 = -1); void CreateEndpEvent(int is_orig); - TCP_Endpoint* endp; + tcp::TCP_Endpoint* endp; int stp_max_top_seq; double stp_last_time; double stp_resume_time; @@ -43,7 +45,7 @@ protected: PDict(SteppingStoneEndpoint) stp_outbound_endps; }; -class SteppingStone_Analyzer : public TCP_ApplicationAnalyzer { +class SteppingStone_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: SteppingStone_Analyzer(Connection* c); virtual ~SteppingStone_Analyzer() {}; @@ -85,4 +87,6 @@ protected: int endp_cnt; }; +} } // namespace analyzer::* + #endif /* steppingstone_h */ diff --git a/src/analyzer/protocols/stepping-stone/events.bif b/src/analyzer/protocols/stepping-stone/events.bif index e69de29bb2..8d578eba64 100644 --- a/src/analyzer/protocols/stepping-stone/events.bif +++ b/src/analyzer/protocols/stepping-stone/events.bif 
@@ -0,0 +1,17 @@ +## Deprecated. Will be removed. +event stp_create_endp%(c: connection, e: int, is_orig: bool%); + +# ##### Internal events. Not further documented. + +## Event internal to the stepping stone detector. +event stp_resume_endp%(e: int%); + +## Event internal to the stepping stone detector. +event stp_correlate_pair%(e1: int, e2: int%); + +## Event internal to the stepping stone detector. +event stp_remove_pair%(e1: int, e2: int%); + +## Event internal to the stepping stone detector. +event stp_remove_endp%(e: int%); + diff --git a/src/analyzer/protocols/syslog/Plugin.cc b/src/analyzer/protocols/syslog/Plugin.cc index 8560ee7c48..f5d955942b 100644 --- a/src/analyzer/protocols/syslog/Plugin.cc +++ b/src/analyzer/protocols/syslog/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Syslog) BRO_PLUGIN_DESCRIPTION("Syslog Analyzer (UDP-only currently)"); - BRO_PLUGIN_ANALYZER("SYSLOG", Syslog_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("SYSLOG", syslog::Syslog_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/syslog/Syslog.cc b/src/analyzer/protocols/syslog/Syslog.cc index 94ca996cce..e1667ea38b 100644 --- a/src/analyzer/protocols/syslog/Syslog.cc +++ b/src/analyzer/protocols/syslog/Syslog.cc @@ -2,6 +2,10 @@ #include "Syslog.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::syslog; + Syslog_Analyzer::Syslog_Analyzer(Connection* conn) : Analyzer("SYSLOG", conn) { 
@@ -45,35 +49,35 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int // t + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE); // } -//Syslog_TCP_Analyzer::Syslog_TCP_Analyzer(Connection* conn) -//: TCP_ApplicationAnalyzer(conn) +//Syslog_tcp::TCP_Analyzer::Syslog_tcp::TCP_Analyzer(Connection* conn) +//: tcp::TCP_ApplicationAnalyzer(conn) // { // interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); // } -//Syslog_TCP_Analyzer::~Syslog_TCP_Analyzer() +//Syslog_tcp::TCP_Analyzer::~Syslog_tcp::TCP_Analyzer() // { // delete interp; // } -//void Syslog_TCP_Analyzer::Done() +//void Syslog_tcp::TCP_Analyzer::Done() // { -// TCP_ApplicationAnalyzer::Done(); +// tcp::TCP_ApplicationAnalyzer::Done(); // // interp->FlowEOF(true); // interp->FlowEOF(false); // } -//void Syslog_TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp) +//void Syslog_tcp::TCP_Analyzer::EndpointEOF(tcp::TCP_Reassembler* endp) // { -// TCP_ApplicationAnalyzer::EndpointEOF(endp); +// tcp::TCP_ApplicationAnalyzer::EndpointEOF(endp); // interp->FlowEOF(endp->IsOrig()); // } -//void Syslog_TCP_Analyzer::DeliverStream(int len, const u_char* data, +//void Syslog_tcp::TCP_Analyzer::DeliverStream(int len, const u_char* data, // bool orig) // { -// TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); +// tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); // // assert(TCP()); // @@ -84,8 +88,8 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int // interp->NewData(orig, data, data + len); // } -//void Syslog_TCP_Analyzer::Undelivered(int seq, int len, bool orig) +//void Syslog_tcp::TCP_Analyzer::Undelivered(int seq, int len, bool orig) // { -// TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); +// tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); // interp->NewGap(orig, len); // } diff --git a/src/analyzer/protocols/syslog/Syslog.h b/src/analyzer/protocols/syslog/Syslog.h index 32b7b3439a..391c5115b3 100644 
--- a/src/analyzer/protocols/syslog/Syslog.h +++ b/src/analyzer/protocols/syslog/Syslog.h @@ -7,6 +7,8 @@ #include "syslog_pac.h" +namespace analyzer { namespace syslog { + class Syslog_Analyzer : public analyzer::Analyzer { public: Syslog_Analyzer(Connection* conn); @@ -29,21 +31,23 @@ protected: // #include "Syslog_tcp_pac.h" // -//class Syslog_TCP_Analyzer : public TCP_ApplicationAnalyzer { +//class Syslog_tcp::TCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { //public: -// Syslog_TCP_Analyzer(Connection* conn); -// virtual ~Syslog_TCP_Analyzer(); +// Syslog_tcp::TCP_Analyzer(Connection* conn); +// virtual ~Syslog_tcp::TCP_Analyzer(); // // virtual void Done(); // virtual void DeliverStream(int len, const u_char* data, bool orig); // virtual void Undelivered(int seq, int len, bool orig); -// virtual void EndpointEOF(TCP_Reassembler* endp); +// virtual void EndpointEOF(tcp::TCP_Reassembler* endp); // // static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) -// { return new Syslog_TCP_Analyzer(conn); } +// { return new Syslog_tcp::TCP_Analyzer(conn); } // //protected: // binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; //}; // +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/syslog/syslog.pac b/src/analyzer/protocols/syslog/syslog.pac index 5e7176da2a..2c1fdd10d0 100644 --- a/src/analyzer/protocols/syslog/syslog.pac +++ b/src/analyzer/protocols/syslog/syslog.pac @@ -1,11 +1,11 @@ -%extern{ - #include "events.bif.h" -%} - %include binpac.pac %include bro.pac +%extern{ +#include "events.bif.h" +%} + analyzer Syslog withcontext { connection: Syslog_Conn; flow: Syslog_Flow; diff --git a/src/analyzer/protocols/tcp/ContentLine.cc b/src/analyzer/protocols/tcp/ContentLine.cc index bcfca4ecc6..c1738ccc64 100644 --- a/src/analyzer/protocols/tcp/ContentLine.cc +++ b/src/analyzer/protocols/tcp/ContentLine.cc 
@@ -3,6 +3,10 @@ #include "ContentLine.h" #include "analyzer/protocols/tcp/TCP.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig) : TCP_SupportAnalyzer("CONTENTLINE", conn, orig) { diff --git a/src/analyzer/protocols/tcp/ContentLine.h b/src/analyzer/protocols/tcp/ContentLine.h index e83251d43d..ca48393cb4 100644 --- a/src/analyzer/protocols/tcp/ContentLine.h +++ b/src/analyzer/protocols/tcp/ContentLine.h @@ -5,6 +5,8 @@ #include "analyzer/protocols/tcp/TCP.h" +namespace analyzer { namespace tcp { + #define CR_as_EOL 1 #define LF_as_EOL 2 @@ -104,4 +106,6 @@ protected: unsigned int skip_partial:1; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/Plugin.cc b/src/analyzer/protocols/tcp/Plugin.cc index d76789bf30..defb0b330d 100644 --- a/src/analyzer/protocols/tcp/Plugin.cc +++ b/src/analyzer/protocols/tcp/Plugin.cc @@ -5,8 +5,8 @@ BRO_PLUGIN_BEGIN(TCP) BRO_PLUGIN_DESCRIPTION("TCP Analyzer"); - BRO_PLUGIN_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer); - BRO_PLUGIN_ANALYZER("TCPStats", TCPStats_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("TCP", tcp::TCP_Analyzer); + BRO_PLUGIN_ANALYZER("TCPStats", tcp::TCPStats_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("ContentLine"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocols/tcp/Stats.cc b/src/analyzer/protocols/tcp/Stats.cc index 6157d54537..b5337fa2db 100644 --- a/src/analyzer/protocols/tcp/Stats.cc +++ b/src/analyzer/protocols/tcp/Stats.cc @@ -2,6 +2,10 @@ #include "Stats.h" #include "File.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + TCPStateStats::TCPStateStats() { for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) diff --git a/src/analyzer/protocols/tcp/Stats.h b/src/analyzer/protocols/tcp/Stats.h index 01c95620ce..42c03ab321 100644 --- a/src/analyzer/protocols/tcp/Stats.h +++ b/src/analyzer/protocols/tcp/Stats.h 
@@ -4,6 +4,8 @@ #include "TCP_Endpoint.h" +namespace analyzer { namespace tcp { + // A TCPStateStats object tracks the distribution of TCP states for // the currently active connections. class TCPStateStats { @@ -64,4 +66,6 @@ private: unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1]; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/TCP.cc b/src/analyzer/protocols/tcp/TCP.cc index 66bf9d2a83..23de51642b 100644 --- a/src/analyzer/protocols/tcp/TCP.cc +++ b/src/analyzer/protocols/tcp/TCP.cc @@ -11,6 +11,10 @@ #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + namespace { // local namespace const bool DEBUG_tcp_data_sent = false; const bool DEBUG_tcp_connection_close = false; @@ -954,7 +958,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip) { if ( is_orig && ! (first_packet_seen & ORIG) ) { - PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); + pia::PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); if ( pia ) pia->FirstPacket(is_orig, ip); first_packet_seen |= ORIG; @@ -962,7 +966,7 @@ void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip) if ( ! is_orig && ! (first_packet_seen & RESP) ) { - PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); + pia::PIA_TCP* pia = static_cast(Conn()->GetPrimaryPIA()); if ( pia ) pia->FirstPacket(is_orig, ip); first_packet_seen |= RESP; diff --git a/src/analyzer/protocols/tcp/TCP.h b/src/analyzer/protocols/tcp/TCP.h index ee89cef8e4..6b0b9e8637 100644 --- a/src/analyzer/protocols/tcp/TCP.h +++ b/src/analyzer/protocols/tcp/TCP.h 
@@ -14,11 +14,14 @@ // - TCP_Analyzer is the analyzer for the TCP protocol itself. // - TCP_ApplicationAnalyzer is an abstract base class for analyzers for a // protocol running on top of TCP. +// +namespace analyzer { namespace pia { class PIA_TCP; } }; -class PIA_TCP; +namespace analyzer { namespace tcp { + +class TCP_Endpoint; class TCP_ApplicationAnalyzer; class TCP_Reassembler; -class TCP_Endpoint; class TCP_Flags { public: @@ -94,7 +97,7 @@ public: protected: friend class TCP_ApplicationAnalyzer; friend class TCP_Reassembler; - friend class PIA_TCP; + friend class analyzer::pia::PIA_TCP; // Analyzer interface. virtual void Init(); @@ -223,7 +226,7 @@ protected: void ConnectionReset(); void PacketWithRST(); - void SetReassembler(TCP_Reassembler* rorig, TCP_Reassembler* rresp); + void SetReassembler(tcp::TCP_Reassembler* rorig, tcp::TCP_Reassembler* rresp); Val* BuildSYNPacketVal(int is_orig, const IP_Hdr* ip, const struct tcphdr* tcp); @@ -356,7 +359,7 @@ protected: int endian_type; }; -class TCPStats_Analyzer : public TCP_ApplicationAnalyzer { +class TCPStats_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: TCPStats_Analyzer(Connection* c); ~TCPStats_Analyzer(); @@ -375,4 +378,6 @@ protected: TCPStats_Endpoint* resp_stats; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.cc b/src/analyzer/protocols/tcp/TCP_Endpoint.cc index adb2c101d4..922c52693a 100644 --- a/src/analyzer/protocols/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocols/tcp/TCP_Endpoint.cc @@ -9,6 +9,10 @@ #include "File.h" #include "Val.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, int arg_is_orig) { contents_processor = 0; diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.h b/src/analyzer/protocols/tcp/TCP_Endpoint.h index 52a757b256..6cc2fefebf 100644 --- a/src/analyzer/protocols/tcp/TCP_Endpoint.h +++ b/src/analyzer/protocols/tcp/TCP_Endpoint.h 
@@ -5,6 +5,14 @@ #include "IPAddr.h" +class Connection; +class IP_Hdr; + +namespace analyzer { namespace tcp { + +class TCP_Analyzer; +class TCP_Reassembler; + typedef enum { TCP_ENDPOINT_INACTIVE, // no SYN (or other packets) seen for this side TCP_ENDPOINT_SYN_SENT, // SYN seen, but no ack @@ -16,11 +24,6 @@ typedef enum { TCP_ENDPOINT_RESET // RST seen } EndpointState; -class Connection; -class TCP_Reassembler; -class IP_Hdr; -class TCP_Analyzer; - // One endpoint of a TCP connection. class TCP_Endpoint { public: @@ -157,4 +160,6 @@ protected: #define ENDIAN_BIG 2 #define ENDIAN_CONFUSED 3 +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.cc b/src/analyzer/protocols/tcp/TCP_Reassembler.cc index 5bfd536a10..e54a1494af 100644 --- a/src/analyzer/protocols/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocols/tcp/TCP_Reassembler.cc @@ -8,6 +8,10 @@ // Only needed for gap_report events. #include "Event.h" +#include "events.bif.h" + +using namespace analyzer::tcp; + // Note, sequence numbers are relative. I.e., they start with 1. // TODO: The Reassembler should start using 64 bit ints for keeping track of diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.h b/src/analyzer/protocols/tcp/TCP_Reassembler.h index 410aa7cbbc..ab6eb97b70 100644 --- a/src/analyzer/protocols/tcp/TCP_Reassembler.h +++ b/src/analyzer/protocols/tcp/TCP_Reassembler.h @@ -13,8 +13,10 @@ class BroFile; class Connection; + +namespace analyzer { namespace tcp { + class TCP_Analyzer; -namespace analyzer { class Analyzer; } const int STOP_ON_GAP = 1; const int PUNT_ON_PARTIAL = 1; @@ -26,7 +28,7 @@ public: Forward, // forward to destination analyzer's children }; - TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, + TCP_Reassembler(Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, Type arg_type, bool arg_is_orig, TCP_Endpoint* arg_endp); 
@@ -34,7 +36,7 @@ public: void Done(); - void SetDstAnalyzer(analyzer::Analyzer* analyzer) { dst_analyzer = analyzer; } + void SetDstAnalyzer(Analyzer* analyzer) { dst_analyzer = analyzer; } void SetType(Type arg_type) { type = arg_type; } TCP_Analyzer* GetTCPAnalyzer() { return tcp_analyzer; } @@ -69,6 +71,8 @@ public: // Skip up to seq, as if there's a content gap. // Can be used to skip HTTP data for performance considerations. void SkipToSeq(int seq); +} } // namespace analyzer::* + #endif int DataSent(double t, int seq, int len, const u_char* data, @@ -95,6 +99,8 @@ public: #ifdef ENABLE_SEQ_TO_SKIP bool IsSkippedContents(int seq, int length) const { return seq + length <= seq_to_skip; } +} } // namespace analyzer::* + #endif private: @@ -125,11 +131,13 @@ private: BroFile* record_contents_file; // file on which to reassemble contents - analyzer::Analyzer* dst_analyzer; + Analyzer* dst_analyzer; TCP_Analyzer* tcp_analyzer; Type type; bool is_orig; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/tcp/events.bif b/src/analyzer/protocols/tcp/events.bif index e69de29bb2..05a280024d 100644 --- a/src/analyzer/protocols/tcp/events.bif +++ b/src/analyzer/protocols/tcp/events.bif 
@@ -0,0 +1,289 @@ + +## Generated when reassembly starts for a TCP connection. This event is raised +## at the moment when Bro's TCP analyzer enables stream reassembly for a +## connection. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_partial_close +## connection_pending connection_rejected connection_reset connection_reused +## connection_state_remove connection_status_update connection_timeout +## expected_connection_seen new_connection partial_connection +event new_connection_contents%(c: connection%); + +## Generated for an unsuccessful connection attempt. This event is raised when +## an originator unsuccessfully attempted to establish a connection. +## "Unsuccessful" is defined as at least :bro:id:`tcp_attempt_delay` seconds +## having elapsed since the originator first sent a connection establishment +## packet to the destination without seeing a reply. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_established +## connection_external connection_finished connection_first_ACK +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_attempt%(c: connection%); + +## Generated when a SYN-ACK packet is seen in response to a SYN packet during +## a TCP handshake. The final ACK of the handshake in response to SYN-ACK may +## or may not occur later, one way to tell is to check the *history* field of +## :bro:type:`connection` to see if the originator sent an ACK, indicated by +## 'A' in the history string. +## +## c: The connection. +## +## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_external connection_finished connection_first_ACK +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_established%(c: connection%); + +## Generated for a new active TCP connection if Bro did not see the initial +## handshake. This event is raised when Bro has observed traffic from each +## endpoint, but the activity did not begin with the usual connection +## establishment. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_partial_close +## connection_pending connection_rejected connection_reset connection_reused +## connection_state_remove connection_status_update connection_timeout +## expected_connection_seen new_connection new_connection_contents +## +event partial_connection%(c: connection%); + +## Generated when a previously inactive endpoint attempts to close a TCP +## connection via a normal FIN handshake or an abort RST sequence. When the +## endpoint sent one of these packets, Bro waits +## :bro:id:`tcp_partial_close_delay` prior to generating the event, to give +## the other endpoint a chance to close the connection normally. +## +## c: The connection. +## +## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_partial_close%(c: connection%); + +## Generated for a TCP connection that finished normally. The event is raised +## when a regular FIN handshake from both endpoints was observed. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_first_ACK +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_finished%(c: connection%); + +## Generated when one endpoint of a TCP connection attempted to gracefully close +## the connection, but the other endpoint is in the TCP_INACTIVE state. This can +## happen due to split routing, in which Bro only sees one side of a connection. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_half_finished%(c: connection%); + +## Generated for a rejected TCP connection. 
This event is raised when an +## originator attempted to setup a TCP connection but the responder replied +## with a RST packet denying it. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_partial_close +## connection_pending connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +## +## c: The connection. +## +## .. note:: +## +## If the responder does not respond at all, :bro:id:`connection_attempt` is +## raised instead. If the responder initially accepts the connection but +## aborts it later, Bro first generates :bro:id:`connection_established` +## and then :bro:id:`connection_reset`. +event connection_rejected%(c: connection%); + +## Generated when an endpoint aborted a TCP connection. The event is raised +## when one endpoint of an established TCP connection aborted by sending a RST +## packet. +## +## c: The connection. +## +## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_partial_close +## connection_pending connection_rejected connection_reused +## connection_state_remove connection_status_update connection_timeout +## expected_connection_seen new_connection new_connection_contents +## partial_connection +event connection_reset%(c: connection%); + +## Generated for each still-open TCP connection when Bro terminates. +## +## c: The connection. +## +## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_first_ACK connection_half_finished connection_partial_close +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection bro_done +event connection_pending%(c: connection%); + +## Generated for a SYN packet. Bro raises this event for every SYN packet seen +## by its TCP analyzer. +## +## c: The connection. +## +## pkt: Information extracted from the SYN packet. +## +## .. bro:see:: connection_EOF connection_attempt connection_established +## connection_external connection_finished connection_first_ACK +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +## +## .. note:: +## +## This event has quite low-level semantics and can potentially be expensive +## to generate. It should only be used if one really needs the specific +## information passed into the handler via the ``pkt`` argument. If not, +## handling one of the other ``connection_*`` events is typically the +## better approach. +event connection_SYN_packet%(c: connection, pkt: SYN_packet%); + +## Generated for the first ACK packet seen for a TCP connection from +## its *originator*. +## +## c: The connection. +## +## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt +## connection_established connection_external connection_finished +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +## +## .. note:: +## +## This event has quite low-level semantics and should be used only rarely. +event connection_first_ACK%(c: connection%); + +## Generated at the end of reassembled TCP connections. The TCP reassembler +## raised the event once for each endpoint of a connection when it finished +## reassembling the corresponding side of the communication. +## +## c: The connection. +## +## is_orig: True if the event is raised for the originator side. +## +## .. bro:see:: connection_SYN_packet connection_attempt connection_established +## connection_external connection_finished connection_first_ACK +## connection_half_finished connection_partial_close connection_pending +## connection_rejected connection_reset connection_reused connection_state_remove +## connection_status_update connection_timeout expected_connection_seen +## new_connection new_connection_contents partial_connection +event connection_EOF%(c: connection, is_orig: bool%); + +## Generated for every TCP packet. This is a very low-level and expensive event +## that should be avoided when at all possible. It's usually infeasible to +## handle when processing even medium volumes of traffic in real-time. It's +## slightly better than :bro:id:`new_packet` because it affects only TCP, but +## not much. That said, if you work from a trace and want to do some +## packet-level analysis, it may come in handy. +## +## c: The connection the packet is part of. +## +## is_orig: True if the packet was sent by the connection's originator. +## +## flags: A string with the packet's TCP flags. 
In the string, each character +## corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN; +## ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH. +## +## seq: The packet's TCP sequence number. +## +## ack: The packet's ACK number. +## +## len: The length of the TCP payload, as specified in the packet header. +## +## payload: The raw TCP payload. Note that this may be shorter than *len* if +## the packet was not fully captured. +## +## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit +event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%); + +## Generated for each option found in a TCP header. Like many of the ``tcp_*`` +## events, this is a very low-level event and potentially expensive as it may +## be raised very often. +## +## c: The connection the packet is part of. +## +## is_orig: True if the packet was sent by the connection's originator. +## +## opt: The numerical option number, as found in the TCP header. +## +## optlen: The length of the options value. +## +## .. bro:see:: tcp_packet tcp_contents tcp_rexmit +## +## .. note:: There is currently no way to get the actual option value, if any. +event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); + +## Generated for each chunk of reassembled TCP payload. When content delivery is +## enabled for a TCP connection (via :bro:id:`tcp_content_delivery_ports_orig`, +## :bro:id:`tcp_content_delivery_ports_resp`, +## :bro:id:`tcp_content_deliver_all_orig`, +## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk +## of in-order payload reconstructed from the packet stream. Note that this +## event is potentially expensive if many connections carry significant amounts +## of data as then all that data needs to be passed on to the scripting layer. +## +## c: The connection the payload is part of. +## +## is_orig: True if the packet was sent by the connection's originator. 
+## +## seq: The sequence number corresponding to the first byte of the payload +## chunk. +## +## contents: The raw payload, which will be non-empty. +## +## .. bro:see:: tcp_packet tcp_option tcp_rexmit +## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp +## tcp_content_deliver_all_resp tcp_content_deliver_all_orig +## +## .. note:: +## +## The payload received by this event is the same that is also passed into +## application-layer protocol analyzers internally. Subsequent invocations of +## this event for the same connection receive non-overlapping in-order chunks +## of its TCP payload stream. It is however undefined what size each chunk +## has; while Bro passes the data on as soon as possible, specifics depend on +## network-level effects such as latency, acknowledgements, reordering, etc. +event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%); + +## TODO. +event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%); + diff --git a/src/analyzer/protocols/teredo/Plugin.cc b/src/analyzer/protocols/teredo/Plugin.cc index 9fc0fa4e7a..1ea1c03238 100644 --- a/src/analyzer/protocols/teredo/Plugin.cc +++ b/src/analyzer/protocols/teredo/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(Teredo) BRO_PLUGIN_DESCRIPTION("Teredo Analyzer"); - BRO_PLUGIN_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("TEREDO", teredo::Teredo_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/teredo/Teredo.cc b/src/analyzer/protocols/teredo/Teredo.cc index 88ed6d582e..d81f90d840 100644 --- a/src/analyzer/protocols/teredo/Teredo.cc +++ b/src/analyzer/protocols/teredo/Teredo.cc @@ -5,6 +5,10 @@ #include "IP.h" #include "Reporter.h" +#include "events.bif.h" + +using namespace analyzer::teredo; + void Teredo_Analyzer::Done() { Analyzer::Done(); 
diff --git a/src/analyzer/protocols/teredo/Teredo.h b/src/analyzer/protocols/teredo/Teredo.h index f8cc0a15d7..b202a6e729 100644 --- a/src/analyzer/protocols/teredo/Teredo.h +++ b/src/analyzer/protocols/teredo/Teredo.h @@ -5,6 +5,8 @@ #include "NetVar.h" #include "Reporter.h" +namespace analyzer { namespace teredo { + class Teredo_Analyzer : public analyzer::Analyzer { public: Teredo_Analyzer(Connection* conn) : Analyzer("TEREDO", conn), @@ -89,4 +91,6 @@ protected: const Teredo_Analyzer* analyzer; }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/teredo/events.bif b/src/analyzer/protocols/teredo/events.bif index e69de29bb2..62bc7d06cd 100644 --- a/src/analyzer/protocols/teredo/events.bif +++ b/src/analyzer/protocols/teredo/events.bif 
@@ -0,0 +1,55 @@ +## Generated for any IPv6 packet encapsulated in a Teredo tunnel. +## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. bro:see:: teredo_authentication teredo_origin_indication teredo_bubble +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_packet%(outer: connection, inner: teredo_hdr%); + +## Generated for IPv6 packets encapsulated in a Teredo tunnel that +## use the Teredo authentication encapsulation method. +## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. bro:see:: teredo_packet teredo_origin_indication teredo_bubble +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_authentication%(outer: connection, inner: teredo_hdr%); + +## Generated for IPv6 packets encapsulated in a Teredo tunnel that +## use the Teredo origin indication encapsulation method. +## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. bro:see:: teredo_packet teredo_authentication teredo_bubble +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_origin_indication%(outer: connection, inner: teredo_hdr%); + +## Generated for Teredo bubble packets. That is, IPv6 packets encapsulated +## in a Teredo tunnel that have a Next Header value of :bro:id:`IPPROTO_NONE`. 
+## See :rfc:`4380` for more information about the Teredo protocol. +## +## outer: The Teredo tunnel connection. +## +## inner: The Teredo-encapsulated IPv6 packet header and transport header. +## +## .. bro:see:: teredo_packet teredo_authentication teredo_origin_indication +## +## .. note:: Since this event may be raised on a per-packet basis, handling +## it may become particularly expensive for real-time analysis. +event teredo_bubble%(outer: connection, inner: teredo_hdr%); + diff --git a/src/analyzer/protocols/udp/Plugin.cc b/src/analyzer/protocols/udp/Plugin.cc index 1a9b462013..a013c55a87 100644 --- a/src/analyzer/protocols/udp/Plugin.cc +++ b/src/analyzer/protocols/udp/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(UDP) BRO_PLUGIN_DESCRIPTION("UDP Analyzer"); - BRO_PLUGIN_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("UDP", udp::UDP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/udp/UDP.cc b/src/analyzer/protocols/udp/UDP.cc index f85f5ad991..8092a511c3 100644 --- a/src/analyzer/protocols/udp/UDP.cc +++ b/src/analyzer/protocols/udp/UDP.cc @@ -10,6 +10,10 @@ #include "Reporter.h" #include "Conn.h" +#include "events.bif.h" + +using namespace analyzer::udp; + UDP_Analyzer::UDP_Analyzer(Connection* conn) : TransportLayerAnalyzer("UDP", conn) { diff --git a/src/analyzer/protocols/udp/UDP.h b/src/analyzer/protocols/udp/UDP.h index 67048781a7..b3ef3bcf2d 100644 --- a/src/analyzer/protocols/udp/UDP.h +++ b/src/analyzer/protocols/udp/UDP.h @@ -6,6 +6,8 @@ #include "analyzer/Analyzer.h" #include +namespace analyzer { namespace udp { + typedef enum { UDP_INACTIVE, // no packet seen UDP_ACTIVE, // packets seen @@ -45,4 +47,6 @@ private: #define HIST_RESP_CORRUPT_PKT 0x8 }; +} } // namespace analyzer::* + #endif diff --git a/src/analyzer/protocols/udp/events.bif b/src/analyzer/protocols/udp/events.bif index e69de29bb2..394181cf5d 100644 --- a/src/analyzer/protocols/udp/events.bif 
+++ b/src/analyzer/protocols/udp/events.bif @@ -0,0 +1,38 @@ +## Generated for each packet sent by a UDP flow's originator. This a potentially +## expensive event due to the volume of UDP traffic and should be used with +## care. +## +## u: The connection record for the corresponding UDP flow. +## +## .. bro:see:: udp_contents udp_reply udp_session_done +event udp_request%(u: connection%); + +## Generated for each packet sent by a UDP flow's responder. This a potentially +## expensive event due to the volume of UDP traffic and should be used with +## care. +## +## u: The connection record for the corresponding UDP flow. +## +## .. bro:see:: udp_contents udp_request udp_session_done +event udp_reply%(u: connection%); + +## Generated for UDP packets to pass on their payload. As the number of UDP +## packets can be very large, this event is normally raised only for those on +## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets +## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp` +## (for packets sent by the flow's responder). However, delivery can be enabled +## for all UDP request and reply packets by setting +## :bro:id:`udp_content_deliver_all_orig` or +## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this +## event is also raised for all matching UDP packets, including empty ones. +## +## u: The connection record for the corresponding UDP flow. +## +## is_orig: True if the event is raised for the originator side. +## +## contents: TODO. +## +## .. bro:see:: udp_reply udp_request udp_session_done +## udp_content_deliver_all_orig udp_content_deliver_all_resp +## udp_content_delivery_ports_orig udp_content_delivery_ports_resp +event udp_contents%(u: connection, is_orig: bool, contents: string%); diff --git a/src/analyzer/protocols/zip/Plugin.cc b/src/analyzer/protocols/zip/Plugin.cc index 89382dd0cd..5ab2b60baf 100644 --- a/src/analyzer/protocols/zip/Plugin.cc 
+++ b/src/analyzer/protocols/zip/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(ZIP) BRO_PLUGIN_DESCRIPTION("Generic ZIP support analyzer"); - BRO_PLUGIN_ANALYZER("ZIP", 0); + BRO_PLUGIN_ANALYZER_BARE("ZIP"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/zip/ZIP.cc b/src/analyzer/protocols/zip/ZIP.cc index d3d9b1c38b..132515f29a 100644 --- a/src/analyzer/protocols/zip/ZIP.cc +++ b/src/analyzer/protocols/zip/ZIP.cc @@ -2,8 +2,12 @@ #include "ZIP.h" +#include "events.bif.h" + +using namespace analyzer::zip; + ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method) -: TCP_SupportAnalyzer("ZIP", conn, orig) +: tcp::TCP_SupportAnalyzer("ZIP", conn, orig) { zip = 0; zip_status = Z_OK; @@ -44,7 +48,7 @@ void ZIP_Analyzer::Done() void ZIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) { - TCP_SupportAnalyzer::DeliverStream(len, data, orig); + tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); if ( ! len || zip_status != Z_OK ) return; diff --git a/src/analyzer/protocols/zip/ZIP.h b/src/analyzer/protocols/zip/ZIP.h index 24ec919f70..7eda1e295f 100644 --- a/src/analyzer/protocols/zip/ZIP.h +++ b/src/analyzer/protocols/zip/ZIP.h @@ -8,7 +8,9 @@ #include "zlib.h" #include "analyzer/protocols/tcp/TCP.h" -class ZIP_Analyzer : public TCP_SupportAnalyzer { +namespace analyzer { namespace zip { + +class ZIP_Analyzer : public tcp::TCP_SupportAnalyzer { public: enum Method { GZIP, DEFLATE }; @@ -26,4 +28,6 @@ protected: Method method; }; +} } // namespace analyzer::* + #endif diff --git a/src/bro.bif b/src/bro.bif index aa15443e64..aa8229f92d 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -4232,7 +4232,7 @@ function get_login_state%(cid: conn_id%): count if ( ! la ) return new Val(0, TYPE_BOOL); - return new Val(int(static_cast(la)->LoginState()), + return new Val(int(static_cast(la)->LoginState()), TYPE_COUNT); %} 
@@ -4257,7 +4257,7 @@ function set_login_state%(cid: conn_id, new_state: count%): bool if ( ! la ) return new Val(0, TYPE_BOOL); - static_cast(la)->SetLoginState(login_state(new_state)); + static_cast(la)->SetLoginState(analyzer::login::login_state(new_state)); return new Val(1, TYPE_BOOL); %} @@ -4286,7 +4286,7 @@ function get_orig_seq%(cid: conn_id%): count analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) - return new Val(static_cast(tc)->OrigSeq(), + return new Val(static_cast(tc)->OrigSeq(), TYPE_COUNT); else { @@ -4316,7 +4316,7 @@ function get_resp_seq%(cid: conn_id%): count analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); if ( tc ) - return new Val(static_cast(tc)->RespSeq(), + return new Val(static_cast(tc)->RespSeq(), TYPE_COUNT); else { @@ -4338,7 +4338,7 @@ function skip_smtp_data%(c: connection%): any %{ analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); if ( sa ) - static_cast(sa)->SkipData(); + static_cast(sa)->SkipData(); return 0; %} diff --git a/src/event.bif b/src/event.bif index ab44495fdc..76c4ff09f5 100644 --- a/src/event.bif +++ b/src/event.bif @@ -1,7 +1,9 @@ -##! The events that the C/C++ core of Bro can generate. This is mostly -##! consisting of high-level network events that protocol analyzers detect, -##! but there are also several general-utility events generated by internal -##! Bro frameworks. +##! The protocol-independent events that the C/C++ core of Bro can generate. +##! +##! This is mostly events not related to a specific transport- or +##! application-layer protocol, but also includes a few that may be generated +##! by more than one protocols analyzer (like events generated by both UDP and +##! TCP analysis.) # # Documentation conventions: 
@@ -59,69 +61,6 @@ event bro_init%(%); ## is not generated. event bro_done%(%); -## Generated when an internal DNS lookup produces the same result as last time. -## Bro keeps an internal DNS cache for host names and IP addresses it has -## already resolved. This event is generated when a subsequent lookup returns -## the same result as stored in the cache. -## -## dm: A record describing the new resolver result (which matches the old one). -## -## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified -event dns_mapping_valid%(dm: dns_mapping%); - -## Generated when an internal DNS lookup got no answer even though it had -## succeeded in the past. Bro keeps an internal DNS cache for host names and IP -## addresses it has already resolved. This event is generated when a -## subsequent lookup does not produce an answer even though we have -## already stored a result in the cache. -## -## dm: A record describing the old resolver result. -## -## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_valid -event dns_mapping_unverified%(dm: dns_mapping%); - -## Generated when an internal DNS lookup succeeded but an earlier attempt -## did not. Bro keeps an internal DNS cache for host names and IP -## addresses it has already resolved. This event is generated when a subsequent -## lookup produces an answer for a query that was marked as failed in the cache. -## -## dm: A record describing the new resolver result. -## -## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified -## dns_mapping_valid -event dns_mapping_new_name%(dm: dns_mapping%); - -## Generated when an internal DNS lookup returned zero answers even though it -## had succeeded in the past. Bro keeps an internal DNS cache for host names -## and IP addresses it has already resolved. 
This event is generated when -## on a subsequent lookup we receive an answer that is empty even -## though we have already stored a result in the cache. -## -## dm: A record describing the old resolver result. -## -## .. bro:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid -event dns_mapping_lost_name%(dm: dns_mapping%); - -## Generated when an internal DNS lookup produced a different result than in -## the past. Bro keeps an internal DNS cache for host names and IP addresses -## it has already resolved. This event is generated when a subsequent lookup -## returns a different answer than we have stored in the cache. -## -## dm: A record describing the new resolver result. -## -## old_addrs: Addresses that used to be part of the returned set for the query -## described by *dm*, but are not anymore. -## -## new_addrs: Addresses that were not part of the returned set for the query -## described by *dm*, but now are. -## -## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid -event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%); - ## Generated for every new connection. This event is raised with the first ## packet of a previously unknown connection. Bro uses a flow-based definition ## of "connection" here that includes not only TCP sessions but also UDP and 
@@ -157,9 +96,10 @@ event new_connection%(c: connection%); ## e: The new encapsulation. event tunnel_changed%(c: connection, e: EncapsulatingConnVector%); -## Generated when reassembly starts for a TCP connection. This event is raised -## at the moment when Bro's TCP analyzer enables stream reassembly for a -## connection. +## Generated when a TCP connection timed out. This event is raised when +## no activity was seen for an interval of at least +## :bro:id:`tcp_connection_linger`, and either one endpoint has already +## closed the connection or one side never became active. ## ## c: The connection. ## 
@@ -167,148 +107,18 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused -## connection_state_remove connection_status_update connection_timeout -## scheduled_analyzer_applied new_connection partial_connection -event new_connection_contents%(c: connection%); - -## Generated for an unsuccessful connection attempt. This event is raised when -## an originator unsuccessfully attempted to establish a connection. -## "Unsuccessful" is defined as at least :bro:id:`tcp_attempt_delay` seconds -## having elapsed since the originator first sent a connection establishment -## packet to the destination without seeing a reply. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_established -## connection_external connection_finished connection_first_ACK -## connection_half_finished connection_partial_close connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied +## connection_state_remove connection_status_update expected_connection_seen ## new_connection new_connection_contents partial_connection -event connection_attempt%(c: connection%); - -## Generated when a SYN-ACK packet is seen in response to a SYN packet during -## a TCP handshake. The final ACK of the handshake in response to SYN-ACK may -## or may not occur later, one way to tell is to check the *history* field of -## :bro:type:`connection` to see if the originator sent an ACK, indicated by -## 'A' in the history string. -## -## c: The connection. -## -## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_external connection_finished connection_first_ACK -## connection_half_finished connection_partial_close connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -event connection_established%(c: connection%); - -## Generated for a new active TCP connection if Bro did not see the initial -## handshake. This event is raised when Bro has observed traffic from each -## endpoint, but the activity did not begin with the usual connection -## establishment. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_half_finished connection_partial_close -## connection_pending connection_rejected connection_reset connection_reused -## connection_state_remove connection_status_update connection_timeout -## scheduled_analyzer_applied new_connection new_connection_contents -## -event partial_connection%(c: connection%); - -## Generated when a previously inactive endpoint attempts to close a TCP -## connection via a normal FIN handshake or an abort RST sequence. When the -## endpoint sent one of these packets, Bro waits -## :bro:id:`tcp_partial_close_delay` prior to generating the event, to give -## the other endpoint a chance to close the connection normally. -## -## c: The connection. -## -## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_half_finished connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -event connection_partial_close%(c: connection%); - -## Generated for a TCP connection that finished normally. The event is raised -## when a regular FIN handshake from both endpoints was observed. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_first_ACK -## connection_half_finished connection_partial_close connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -event connection_finished%(c: connection%); - -## Generated when one endpoint of a TCP connection attempted to gracefully close -## the connection, but the other endpoint is in the TCP_INACTIVE state. This can -## happen due to split routing, in which Bro only sees one side of a connection. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_partial_close connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -event connection_half_finished%(c: connection%); - -## Generated for a rejected TCP connection. 
This event is raised when an -## originator attempted to setup a TCP connection but the responder replied -## with a RST packet denying it. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_half_finished connection_partial_close -## connection_pending connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -## -## c: The connection. ## ## .. note:: ## -## If the responder does not respond at all, :bro:id:`connection_attempt` is -## raised instead. If the responder initially accepts the connection but -## aborts it later, Bro first generates :bro:id:`connection_established` -## and then :bro:id:`connection_reset`. -event connection_rejected%(c: connection%); - -## Generated when an endpoint aborted a TCP connection. The event is raised -## when one endpoint of an established TCP connection aborted by sending a RST -## packet. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_half_finished connection_partial_close -## connection_pending connection_rejected connection_reused -## connection_state_remove connection_status_update connection_timeout -## scheduled_analyzer_applied new_connection new_connection_contents -## partial_connection -event connection_reset%(c: connection%); - -## Generated for each still-open connection when Bro terminates. -## -## c: The connection. -## -## .. 
bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_half_finished connection_partial_close -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection bro_done -event connection_pending%(c: connection%); +## The precise semantics of this event can be unintuitive as it only +## covers a subset of cases where a connection times out. Often, handling +## :bro:id:`connection_state_remove` is the better option. That one will be +## generated reliably when an interval of ``tcp_inactivity_timeout`` has +## passed without any activity seen (but also for all other ways a +## connection may terminate). +event connection_timeout%(c: connection%); ## Generated when a connection's internal state is about to be removed from ## memory. Bro generates this event reliably once for every connection when it 
@@ -328,70 +138,6 @@ event connection_pending%(c: connection%); ## tcp_inactivity_timeout icmp_inactivity_timeout conn_stats event connection_state_remove%(c: connection%); -## Generated for a SYN packet. Bro raises this event for every SYN packet seen -## by its TCP analyzer. -## -## c: The connection. -## -## pkt: Information extracted from the SYN packet. -## -## .. bro:see:: connection_EOF connection_attempt connection_established -## connection_external connection_finished connection_first_ACK -## connection_half_finished connection_partial_close connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -## -## .. note:: -## -## This event has quite low-level semantics and can potentially be expensive -## to generate. It should only be used if one really needs the specific -## information passed into the handler via the ``pkt`` argument. If not, -## handling one of the other ``connection_*`` events is typically the -## better approach. -event connection_SYN_packet%(c: connection, pkt: SYN_packet%); - -## Generated for the first ACK packet seen for a TCP connection from -## its *originator*. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_half_finished connection_partial_close connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -## -## .. note:: -## -## This event has quite low-level semantics and should be used only rarely. -event connection_first_ACK%(c: connection%); - -## Generated when a TCP connection timed out. 
This event is raised when -## no activity was seen for an interval of at least -## :bro:id:`tcp_connection_linger`, and either one endpoint has already -## closed the connection or one side never became active. -## -## c: The connection. -## -## .. bro:see:: connection_EOF connection_SYN_packet connection_attempt -## connection_established connection_external connection_finished -## connection_first_ACK connection_half_finished connection_partial_close -## connection_pending connection_rejected connection_reset connection_reused -## connection_state_remove connection_status_update scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -## -## .. note:: -## -## The precise semantics of this event can be unintuitive as it only -## covers a subset of cases where a connection times out. Often, handling -## :bro:id:`connection_state_remove` is the better option. That one will be -## generated reliably when an interval of ``tcp_inactivity_timeout`` has -## passed without any activity seen (but also for all other ways a -## connection may terminate). -event connection_timeout%(c: connection%); - ## Generated when a connection 4-tuple is reused. This event is raised when Bro ## sees a new TCP session or UDP flow using a 4-tuple matching that of an ## earlier connection it still considers active. 
@@ -434,22 +180,6 @@ event connection_status_update%(c: connection%); ## .. bro:see:: connection_established new_connection event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: count, new_label: count%); -## Generated at the end of reassembled TCP connections. The TCP reassembler -## raised the event once for each endpoint of a connection when it finished -## reassembling the corresponding side of the communication. -## -## c: The connection. -## -## is_orig: True if the event is raised for the originator side. -## -## .. bro:see:: connection_SYN_packet connection_attempt connection_established -## connection_external connection_finished connection_first_ACK -## connection_half_finished connection_partial_close connection_pending -## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout scheduled_analyzer_applied -## new_connection new_connection_contents partial_connection -event connection_EOF%(c: connection, is_orig: bool%); - ## Generated for a new connection received from the communication subsystem. ## Remote peers can inject packets into Bro's packet loop, for example via ## :doc:`Broccoli `. The communication system 
@@ -460,6 +190,16 @@ event connection_EOF%(c: connection, is_orig: bool%); ## tag: TODO. event connection_external%(c: connection, tag: string%); +## Generated when a UDP session for a supported protocol has finished. Some of +## Bro's application-layer UDP analyzers flag the end of a session by raising +## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA, +## Teredo, and GTPv1 support this. +## +## u: The connection record for the corresponding UDP flow. +## +## .. bro:see:: udp_contents udp_reply udp_request +event udp_session_done%(u: connection%); + ## Generated when a connection is seen that is marked as being expected. ## The function :bro:id:`expect_connection` tells Bro to expect a particular ## connection to come up, and which analyzer to associate with it. Once the 
@@ -522,135 +262,6 @@ event esp_packet%(p: pkt_hdr%); ## .. bro:see:: new_packet tcp_packet ipv6_ext_headers event mobile_ipv6_message%(p: pkt_hdr%); -## Generated for any IPv6 packet encapsulated in a Teredo tunnel. -## See :rfc:`4380` for more information about the Teredo protocol. -## -## outer: The Teredo tunnel connection. -## -## inner: The Teredo-encapsulated IPv6 packet header and transport header. -## -## .. bro:see:: teredo_authentication teredo_origin_indication teredo_bubble -## -## .. note:: Since this event may be raised on a per-packet basis, handling -## it may become particularly expensive for real-time analysis. -event teredo_packet%(outer: connection, inner: teredo_hdr%); - -## Generated for IPv6 packets encapsulated in a Teredo tunnel that -## use the Teredo authentication encapsulation method. -## See :rfc:`4380` for more information about the Teredo protocol. -## -## outer: The Teredo tunnel connection. -## -## inner: The Teredo-encapsulated IPv6 packet header and transport header. -## -## .. bro:see:: teredo_packet teredo_origin_indication teredo_bubble -## -## .. note:: Since this event may be raised on a per-packet basis, handling -## it may become particularly expensive for real-time analysis. -event teredo_authentication%(outer: connection, inner: teredo_hdr%); - -## Generated for IPv6 packets encapsulated in a Teredo tunnel that -## use the Teredo origin indication encapsulation method. -## See :rfc:`4380` for more information about the Teredo protocol. -## -## outer: The Teredo tunnel connection. -## -## inner: The Teredo-encapsulated IPv6 packet header and transport header. -## -## .. bro:see:: teredo_packet teredo_authentication teredo_bubble -## -## .. note:: Since this event may be raised on a per-packet basis, handling -## it may become particularly expensive for real-time analysis. -event teredo_origin_indication%(outer: connection, inner: teredo_hdr%); - -## Generated for Teredo bubble packets. 
That is, IPv6 packets encapsulated -## in a Teredo tunnel that have a Next Header value of :bro:id:`IPPROTO_NONE`. -## See :rfc:`4380` for more information about the Teredo protocol. -## -## outer: The Teredo tunnel connection. -## -## inner: The Teredo-encapsulated IPv6 packet header and transport header. -## -## .. bro:see:: teredo_packet teredo_authentication teredo_origin_indication -## -## .. note:: Since this event may be raised on a per-packet basis, handling -## it may become particularly expensive for real-time analysis. -event teredo_bubble%(outer: connection, inner: teredo_hdr%); - -## Generated for any GTP message with a GTPv1 header. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -event gtpv1_message%(c: connection, hdr: gtpv1_hdr%); - -## Generated for GTPv1 G-PDU packets. That is, packets with a UDP payload -## that includes a GTP header followed by an IPv4 or IPv6 packet. -## -## outer: The GTP outer tunnel connection. -## -## inner_gtp: The GTP header. -## -## inner_ip: The inner IP and transport layer packet headers. -## -## .. note:: Since this event may be raised on a per-packet basis, handling -## it may become particularly expensive for real-time analysis. -event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%); - -## Generated for GTPv1-C Create PDP Context Request messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. -event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%); - -## Generated for GTPv1-C Create PDP Context Response messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. 
-event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%); - -## Generated for GTPv1-C Update PDP Context Request messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. -event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%); - -## Generated for GTPv1-C Update PDP Context Response messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. -event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%); - -## Generated for GTPv1-C Delete PDP Context Request messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. -event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%); - -## Generated for GTPv1-C Delete PDP Context Response messages. -## -## c: The connection over which the message is sent. -## -## hdr: The GTPv1 header. -## -## elements: The set of Information Elements comprising the message. -event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%); - ## Generated for every packet that has a non-empty transport-layer payload. ## This is a very low-level and expensive event that should be avoided when ## at all possible. It's usually infeasible to handle when processing even 
@@ -665,85 +276,6 @@ event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gt ## .. bro:see:: new_packet tcp_packet event packet_contents%(c: connection, contents: string%); -## Generated for every TCP packet. This is a very low-level and expensive event -## that should be avoided when at all possible. It's usually infeasible to -## handle when processing even medium volumes of traffic in real-time. It's -## slightly better than :bro:id:`new_packet` because it affects only TCP, but -## not much. That said, if you work from a trace and want to do some -## packet-level analysis, it may come in handy. -## -## c: The connection the packet is part of. -## -## is_orig: True if the packet was sent by the connection's originator. -## -## flags: A string with the packet's TCP flags. In the string, each character -## corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN; -## ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH. -## -## seq: The packet's TCP sequence number. -## -## ack: The packet's ACK number. -## -## len: The length of the TCP payload, as specified in the packet header. -## -## payload: The raw TCP payload. Note that this may be shorter than *len* if -## the packet was not fully captured. -## -## .. bro:see:: new_packet packet_contents tcp_option tcp_contents tcp_rexmit -event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%); - -## Generated for each option found in a TCP header. Like many of the ``tcp_*`` -## events, this is a very low-level event and potentially expensive as it may -## be raised very often. -## -## c: The connection the packet is part of. -## -## is_orig: True if the packet was sent by the connection's originator. -## -## opt: The numerical option number, as found in the TCP header. -## -## optlen: The length of the options value. -## -## .. bro:see:: tcp_packet tcp_contents tcp_rexmit -## -## .. 
note:: There is currently no way to get the actual option value, if any. -event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%); - -## Generated for each chunk of reassembled TCP payload. When content delivery is -## enabled for a TCP connection (via :bro:id:`tcp_content_delivery_ports_orig`, -## :bro:id:`tcp_content_delivery_ports_resp`, -## :bro:id:`tcp_content_deliver_all_orig`, -## :bro:id:`tcp_content_deliver_all_resp`), this event is raised for each chunk -## of in-order payload reconstructed from the packet stream. Note that this -## event is potentially expensive if many connections carry significant amounts -## of data as then all that data needs to be passed on to the scripting layer. -## -## c: The connection the payload is part of. -## -## is_orig: True if the packet was sent by the connection's originator. -## -## seq: The sequence number corresponding to the first byte of the payload -## chunk. -## -## contents: The raw payload, which will be non-empty. -## -## .. bro:see:: tcp_packet tcp_option tcp_rexmit -## tcp_content_delivery_ports_orig tcp_content_delivery_ports_resp -## tcp_content_deliver_all_resp tcp_content_deliver_all_orig -## -## .. note:: -## -## The payload received by this event is the same that is also passed into -## application-layer protocol analyzers internally. Subsequent invocations of -## this event for the same connection receive non-overlapping in-order chunks -## of its TCP payload stream. It is however undefined what size each chunk -## has; while Bro passes the data on as soon as possible, specifics depend on -## network-level effects such as latency, acknowledgements, reordering, etc. -event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%); - -## TODO. -event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%); - ## Generated when Bro detects a TCP retransmission inconsistency. 
When ## reassembling a TCP stream, Bro buffers all payload until it sees the ## responder acking it. If during that time, the sender resends a chunk of @@ -831,7 +363,6 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%); ## is exceeded. event gap_report%(dt: interval, info: gap_info%); - ## Generated when a protocol analyzer confirms that a connection is indeed ## using that protocol. Bro's dynamic protocol detection heuristically activates ## analyzers as soon as it believes a connection *could* be using a particular 
@@ -890,355 +421,6 @@ event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%); ## engine. event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%); -## Generated for each packet sent by a UDP flow's originator. This a potentially -## expensive event due to the volume of UDP traffic and should be used with -## care. -## -## u: The connection record for the corresponding UDP flow. -## -## .. bro:see:: udp_contents udp_reply udp_session_done -event udp_request%(u: connection%); - -## Generated for each packet sent by a UDP flow's responder. This a potentially -## expensive event due to the volume of UDP traffic and should be used with -## care. -## -## u: The connection record for the corresponding UDP flow. -## -## .. bro:see:: udp_contents udp_request udp_session_done -event udp_reply%(u: connection%); - -## Generated for UDP packets to pass on their payload. As the number of UDP -## packets can be very large, this event is normally raised only for those on -## ports configured in :bro:id:`udp_content_delivery_ports_orig` (for packets -## sent by the flow's originator) or :bro:id:`udp_content_delivery_ports_resp` -## (for packets sent by the flow's responder). However, delivery can be enabled -## for all UDP request and reply packets by setting -## :bro:id:`udp_content_deliver_all_orig` or -## :bro:id:`udp_content_deliver_all_resp`, respectively. Note that this -## event is also raised for all matching UDP packets, including empty ones. -## -## u: The connection record for the corresponding UDP flow. -## -## is_orig: True if the event is raised for the originator side. -## -## contents: TODO. -## -## .. 
bro:see:: udp_reply udp_request udp_session_done -## udp_content_deliver_all_orig udp_content_deliver_all_resp -## udp_content_delivery_ports_orig udp_content_delivery_ports_resp -event udp_contents%(u: connection, is_orig: bool, contents: string%); - -## Generated when a UDP session for a supported protocol has finished. Some of -## Bro's application-layer UDP analyzers flag the end of a session by raising -## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA, -## Teredo, and GTPv1 support this. -## -## u: The connection record for the corresponding UDP flow. -## -## .. bro:see:: udp_contents udp_reply udp_request -event udp_session_done%(u: connection%); - -## Generated for all ICMP messages that are not handled separately with -## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages -## directly with dedicated events. This event acts as a fallback for those it -## doesn't. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard -## connection record *c*. -## -## .. bro:see:: icmp_error_message -event icmp_sent%(c: connection, icmp: icmp_conn%); - -## Generated for ICMP *echo request* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard -## connection record *c*. -## -## id: The *echo request* identifier. -## -## seq: The *echo request* sequence number. -## -## payload: The message-specific data of the packet payload, i.e., everything -## after the first 8 bytes of the ICMP header. -## -## .. bro:see:: icmp_echo_reply -event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); - -## Generated for ICMP *echo reply* messages. 
-## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## id: The *echo reply* identifier. -## -## seq: The *echo reply* sequence number. -## -## payload: The message-specific data of the packet payload, i.e., everything -## after the first 8 bytes of the ICMP header. -## -## .. bro:see:: icmp_echo_request -event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%); - -## Generated for all ICMPv6 error messages that are not handled -## separately with dedicated events. Bro's ICMP analyzer handles a number -## of ICMP error messages directly with dedicated events. This event acts -## as a fallback for those it doesn't. -## -## See `Wikipedia -## `__ for more -## information about the ICMPv6 protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard -## connection record *c*. -## -## code: The ICMP code of the error message. -## -## context: A record with specifics of the original packet that the message -## refers to. -## -## .. bro:see:: icmp_unreachable icmp_packet_too_big -## icmp_time_exceeded icmp_parameter_problem -event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); - -## Generated for ICMP *destination unreachable* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## code: The ICMP code of the *unreachable* message. -## -## context: A record with specifics of the original packet that the message -## refers to. 
*Unreachable* messages should include the original IP -## header from the packet that triggered them, and Bro parses that -## into the *context* structure. Note that if the *unreachable* -## includes only a partial IP header for some reason, no -## fields of *context* will be filled out. -## -## .. bro:see:: icmp_error_message icmp_packet_too_big -## icmp_time_exceeded icmp_parameter_problem -event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); - -## Generated for ICMPv6 *packet too big* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMPv6 protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## code: The ICMP code of the *too big* message. -## -## context: A record with specifics of the original packet that the message -## refers to. *Too big* messages should include the original IP header -## from the packet that triggered them, and Bro parses that into -## the *context* structure. Note that if the *too big* includes only -## a partial IP header for some reason, no fields of *context* will -## be filled out. -## -## .. bro:see:: icmp_error_message icmp_unreachable -## icmp_time_exceeded icmp_parameter_problem -event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); - -## Generated for ICMP *time exceeded* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## code: The ICMP code of the *exceeded* message. -## -## context: A record with specifics of the original packet that the message -## refers to. 
*Unreachable* messages should include the original IP -## header from the packet that triggered them, and Bro parses that -## into the *context* structure. Note that if the *exceeded* includes -## only a partial IP header for some reason, no fields of *context* -## will be filled out. -## -## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big -## icmp_parameter_problem -event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); - -## Generated for ICMPv6 *parameter problem* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMPv6 protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## code: The ICMP code of the *parameter problem* message. -## -## context: A record with specifics of the original packet that the message -## refers to. *Parameter problem* messages should include the original -## IP header from the packet that triggered them, and Bro parses that -## into the *context* structure. Note that if the *parameter problem* -## includes only a partial IP header for some reason, no fields -## of *context* will be filled out. -## -## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big -## icmp_time_exceeded -event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%); - -## Generated for ICMP *router solicitation* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## options: Any Neighbor Discovery options included with message (:rfc:`4861`). -## -## .. 
bro:see:: icmp_router_advertisement -## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect -event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%); - -## Generated for ICMP *router advertisement* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## cur_hop_limit: The default value that should be placed in Hop Count field -## for outgoing IP packets. -## -## managed: Managed address configuration flag, :rfc:`4861`. -## -## other: Other stateful configuration flag, :rfc:`4861`. -## -## home_agent: Mobile IPv6 home agent flag, :rfc:`3775`. -## -## pref: Router selection preferences, :rfc:`4191`. -## -## proxy: Neighbor discovery proxy flag, :rfc:`4389`. -## -## rsv: Remaining two reserved bits of router advertisement flags. -## -## router_lifetime: How long this router should be used as a default router. -## -## reachable_time: How long a neighbor should be considered reachable. -## -## retrans_timer: How long a host should wait before retransmitting. -## -## options: Any Neighbor Discovery options included with message (:rfc:`4861`). -## -## .. bro:see:: icmp_router_solicitation -## icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect -event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%); - -## Generated for ICMP *neighbor solicitation* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. 
-## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## tgt: The IP address of the target of the solicitation. -## -## options: Any Neighbor Discovery options included with message (:rfc:`4861`). -## -## .. bro:see:: icmp_router_solicitation icmp_router_advertisement -## icmp_neighbor_advertisement icmp_redirect -event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%); - -## Generated for ICMP *neighbor advertisement* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## router: Flag indicating the sender is a router. -## -## solicited: Flag indicating advertisement is in response to a solicitation. -## -## override: Flag indicating advertisement should override existing caches. -## -## tgt: the Target Address in the soliciting message or the address whose -## link-layer address has changed for unsolicited adverts. -## -## options: Any Neighbor Discovery options included with message (:rfc:`4861`). -## -## .. bro:see:: icmp_router_solicitation icmp_router_advertisement -## icmp_neighbor_solicitation icmp_redirect -event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%); - -## Generated for ICMP *redirect* messages. -## -## See `Wikipedia -## `__ for more -## information about the ICMP protocol. -## -## c: The connection record for the corresponding ICMP flow. -## -## icmp: Additional ICMP-specific information augmenting the standard connection -## record *c*. -## -## tgt: The address that is supposed to be a better first hop to use for -## ICMP Destination Address. -## -## dest: The address of the destination which is redirected to the target. 
-## -## options: Any Neighbor Discovery options included with message (:rfc:`4861`). -## -## .. bro:see:: icmp_router_solicitation icmp_router_advertisement -## icmp_neighbor_solicitation icmp_neighbor_advertisement -event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%); - ## Generated when a TCP connection terminated, passing on statistics about the ## two endpoints. This event is always generated when Bro flushes the internal ## connection state, independent of how a connection terminates. 
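Review bot: the ICMPv6 Neighbor Discovery event declarations removed here (icmp_router_solicitation, icmp_router_advertisement, icmp_neighbor_solicitation, icmp_neighbor_advertisement, icmp_redirect) have no matching addition anywhere in this hunk, and the commit message only says that analyzer code moves to src/analyzer; please confirm they are re-declared in the ICMP analyzer's own bif file so that scripts handling these events keep compiling and the `.. bro:see::` cross-references among them still resolve in the generated documentation. When the docstrings are relocated, the `icmp_redirect` description of `tgt` ("a better first hop to use for ICMP Destination Address") would read more clearly as "a better first hop for the redirected destination address", matching the wording used for `dest` on the line below it.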
@@ -1329,4505 +511,6 @@ event net_weird%(name: string%); ## dmem: The difference in memory usage caused by processing the sampled packet. event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%); -## Generated for ARP requests. -## -## See `Wikipedia `__ -## for more information about the ARP protocol. -## -## mac_src: The request's source MAC address. -## -## mac_dst: The request's destination MAC address. -## -## SPA: The sender protocol address. -## -## SHA: The sender hardware address. -## -## TPA: The target protocol address. -## -## THA: The target hardware address. -## -## .. bro:see:: arp_reply bad_arp -event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, - TPA: addr, THA: string%); - -## Generated for ARP replies. -## -## See `Wikipedia `__ -## for more information about the ARP protocol. -## -## mac_src: The reply's source MAC address. -## -## mac_dst: The reply's destination MAC address. -## -## SPA: The sender protocol address. -## -## SHA: The sender hardware address. -## -## TPA: The target protocol address. -## -## THA: The target hardware address. -## -## .. bro:see:: arp_request bad_arp -event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string, - TPA: addr, THA: string%); - -## Generated for ARP packets that Bro cannot interpret. Examples are packets -## with non-standard hardware address formats or hardware addresses that do not -## match the originator of the packet. -## -## SPA: The sender protocol address. -## -## SHA: The sender hardware address. -## -## TPA: The target protocol address. -## -## THA: The target hardware address. -## -## explanation: A short description of why the ARP packet is considered "bad". -## -## .. bro:see:: arp_reply arp_request -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. 
To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive -## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_handshake%(c: connection, is_orig: bool, - reserved: string, info_hash: string, peer_id: string%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bittorrent_peer_choke%(c: connection, is_orig: bool%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request -## bittorrent_peer_unknown bittorrent_peer_weird -event bittorrent_peer_unchoke%(c: connection, is_orig: bool%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive -## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_interested%(c: connection, is_orig: bool%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_not_interested%(c: connection, is_orig: bool%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_interested bittorrent_peer_keep_alive -## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%); - -## TODO. 
-## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake -## bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive -## bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_request%(c: connection, is_orig: bool, index: count, - begin: count, length: count%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count, - begin: count, piece_length: count%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count, - begin: count, length: count%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown -## bittorrent_peer_weird -event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_weird -event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count, - data: string%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown -event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bt_tracker_request%(c: connection, uri: string, - headers: bt_tracker_headers%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bt_tracker_response%(c: connection, status: count, - headers: bt_tracker_headers, - peers: bittorrent_peer_set, - benc: bittorrent_benc_dir%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. 
bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bt_tracker_response_not_ok%(c: connection, status: count, - headers: bt_tracker_headers%); - -## TODO. -## -## See `Wikipedia `__ for -## more information about the BitTorrent protocol. -## -## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke -## bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested -## bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece -## bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke -## bittorrent_peer_unknown bittorrent_peer_weird -event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%); - -## Generated for Finger requests. -## -## See `Wikipedia `__ for more -## information about the Finger protocol. -## -## c: The connection. -## -## full: True if verbose information is requested (``/W`` switch). -## -## username: The request's user name. -## -## hostname: The request's host name. -## -## .. bro:see:: finger_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event finger_request%(c: connection, full: bool, username: string, hostname: string%); - -## Generated for Finger replies. -## -## See `Wikipedia `__ for more -## information about the Finger protocol. -## -## c: The connection. -## -## reply_line: The reply as returned by the server -## -## .. bro:see:: finger_request -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event finger_reply%(c: connection, reply_line: string%); - - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify -## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found -## -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_text_msg%(c: connection, orig: bool, headers: string%); - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish -## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, - ttl: count, hops: count, msg_len: count, - payload: string, payload_len: count, - trunc: bool, complete: bool%); - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify -## gnutella_not_establish gnutella_signature_found gnutella_text_msg -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_partial_binary_msg%(c: connection, orig: bool, - msg: string, len: count%); - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish -## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_establish%(c: connection%); - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify -## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_not_establish%(c: connection%); - -## TODO. -## -## See `Wikipedia `__ for more -## information about the Gnutella protocol. -## -## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish -## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. 
To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event gnutella_http_notify%(c: connection%); - -## Generated for Ident requests. -## -## See `Wikipedia `__ for more -## information about the Ident protocol. -## -## c: The connection. -## -## lport: The request's local port. -## -## rport: The request's remote port. -## -## .. bro:see:: ident_error ident_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event ident_request%(c: connection, lport: port, rport: port%); - -## Generated for Ident replies. -## -## See `Wikipedia `__ for more -## information about the Ident protocol. -## -## c: The connection. -## -## lport: The corresponding request's local port. -## -## rport: The corresponding request's remote port. -## -## user_id: The user id returned by the reply. -## -## system: The operating system returned by the reply. -## -## .. bro:see:: ident_error ident_request -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%); - -## Generated for Ident error replies. -## -## See `Wikipedia `__ for more -## information about the Ident protocol. -## -## c: The connection. -## -## lport: The corresponding request's local port. -## -## rport: The corresponding request's remote port. -## -## line: The error description returned by the reply. -## -## .. bro:see:: ident_reply ident_request -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event ident_error%(c: connection, lport: port, rport: port, line: string%); - -## Generated for Telnet/Rlogin login failures. The *login* analyzer inspects -## Telnet/Rlogin sessions to heuristically extract username and password -## information as well as the text returned by the login server. This event is -## raised if a login attempt appears to have been unsuccessful. -## -## c: The connection. -## -## user: The user name tried. -## -## client_user: For Telnet connections, this is an empty string, but for Rlogin -## connections, it is the client name passed in the initial authentication -## information (to check against .rhosts). -## -## password: The password tried. -## -## line: The line of text that led the analyzer to conclude that the -## authentication had failed. -## -## .. bro:see:: login_confused login_confused_text login_display login_input_line -## login_output_line login_prompt login_success login_terminal direct_login_prompts -## get_login_state login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs -## login_timeouts set_login_state -## -## .. note:: The login analyzer depends on a set of script-level variables that -## need to be configured with patterns identifying login attempts. This -## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and -## the analyzer is therefore not directly usable at the moment. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); - -## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects -## Telnet/Rlogin sessions to heuristically extract username and password -## information as well as the text returned by the login server. This event is -## raised if a login attempt appears to have been successful. -## -## c: The connection. -## -## user: The user name used. -## -## client_user: For Telnet connections, this is an empty string, but for Rlogin -## connections, it is the client name passed in the initial authentication -## information (to check against .rhosts). -## -## password: The password used. -## -## line: The line of text that led the analyzer to conclude that the -## authentication had succeeded. -## -## .. bro:see:: login_confused login_confused_text login_display login_failure -## login_input_line login_output_line login_prompt login_terminal -## direct_login_prompts get_login_state login_failure_msgs login_non_failure_msgs -## login_prompts login_success_msgs login_timeouts set_login_state -## -## .. note:: The login analyzer depends on a set of script-level variables that -## need to be configured with patterns identifying login attempts. This -## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and -## the analyzer is therefore not directly usable at the moment. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); - -## Generated for lines of input on Telnet/Rlogin sessions. The line will have -## control characters (such as in-band Telnet options) removed. -## -## c: The connection. 
-## -## line: The input line. -## -## .. bro:see:: login_confused login_confused_text login_display login_failure -## login_output_line login_prompt login_success login_terminal rsh_request -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_input_line%(c: connection, line: string%); - -## Generated for lines of output on Telnet/Rlogin sessions. The line will have -## control characters (such as in-band Telnet options) removed. -## -## c: The connection. -## -## line: The ouput line. -## -## .. bro:see:: login_confused login_confused_text login_display login_failure -## login_input_line login_prompt login_success login_terminal rsh_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_output_line%(c: connection, line: string%); - -## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's -## *login* analyzer uses a number of heuristics to extract authentication -## information, it may become confused. If it can no longer correctly track -## the authentication dialog, it raises this event. -## -## c: The connection. -## -## msg: Gives the particular problem the heuristics detected (for example, -## ``multiple_login_prompts`` means that the engine saw several login -## prompts in a row, without the type-ahead from the client side presumed -## necessary to cause them) -## -## line: The line of text that caused the heuristics to conclude they were -## confused. -## -## .. 
bro:see:: login_confused_text login_display login_failure login_input_line login_output_line -## login_prompt login_success login_terminal direct_login_prompts get_login_state -## login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs -## login_timeouts set_login_state -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_confused%(c: connection, msg: string, line: string%); - -## Generated after getting confused while tracking a Telnet/Rlogin -## authentication dialog. The *login* analyzer generates this even for every -## line of user input after it has reported :bro:id:`login_confused` for a -## connection. -## -## c: The connection. -## -## line: The line the user typed. -## -## .. bro:see:: login_confused login_display login_failure login_input_line -## login_output_line login_prompt login_success login_terminal direct_login_prompts -## get_login_state login_failure_msgs login_non_failure_msgs login_prompts -## login_success_msgs login_timeouts set_login_state -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_confused_text%(c: connection, line: string%); - -## Generated for clients transmitting a terminal type in a Telnet session. This -## information is extracted out of environment variables sent as Telnet options. -## -## c: The connection. -## -## terminal: The TERM value transmitted. -## -## .. bro:see:: login_confused login_confused_text login_display login_failure -## login_input_line login_output_line login_prompt login_success -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_terminal%(c: connection, terminal: string%); - -## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This -## information is extracted out of environment variables sent as Telnet options. -## -## c: The connection. -## -## display: The DISPLAY transmitted. -## -## .. bro:see:: login_confused login_confused_text login_failure login_input_line -## login_output_line login_prompt login_success login_terminal -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_display%(c: connection, display: string%); - -## Generated when a Telnet authentication has been successful. The Telnet -## protocol includes options for negotiating authentication. When such an -## option is sent from client to server and the server replies that it accepts -## the authentication, then the event engine generates this event. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## name: The authenticated name. -## -## c: The connection. -## -## .. bro:see:: authentication_rejected authentication_skipped login_success -## -## .. note:: This event inspects the corresponding Telnet option -## while :bro:id:`login_success` heuristically determines success by watching -## session data. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. 
To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event authentication_accepted%(name: string, c: connection%); - -## Generated when a Telnet authentication has been unsuccessful. The Telnet -## protocol includes options for negotiating authentication. When such an option -## is sent from client to server and the server replies that it did not accept -## the authentication, then the event engine generates this event. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## name: The attempted authentication name. -## -## c: The connection. -## -## .. bro:see:: authentication_accepted authentication_skipped login_failure -## -## .. note:: This event inspects the corresponding Telnet option -## while :bro:id:`login_success` heuristically determines failure by watching -## session data. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event authentication_rejected%(name: string, c: connection%); - -## Generated for Telnet/Rlogin sessions when a pattern match indicates -## that no authentication is performed. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## .. bro:see:: authentication_accepted authentication_rejected direct_login_prompts -## get_login_state login_failure_msgs login_non_failure_msgs login_prompts -## login_success_msgs login_timeouts set_login_state -## -## .. note:: The login analyzer depends on a set of script-level variables that -## need to be configured with patterns identifying activity. This -## configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and -## the analyzer is therefore not directly usable at the moment. -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event authentication_skipped%(c: connection%); - -## Generated for clients transmitting a terminal prompt in a Telnet session. -## This information is extracted out of environment variables sent as Telnet -## options. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## prompt: The TTYPROMPT transmitted. -## -## .. bro:see:: login_confused login_confused_text login_display login_failure -## login_input_line login_output_line login_success login_terminal -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event login_prompt%(c: connection, prompt: string%); - -## Generated for Telnet sessions when encryption is activated. The Telnet -## protocol includes options for negotiating encryption. When such a series of -## options is successfully negotiated, the event engine generates this event. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## .. bro:see:: authentication_accepted authentication_rejected authentication_skipped -## login_confused login_confused_text login_display login_failure login_input_line -## login_output_line login_prompt login_success login_terminal -event activating_encryption%(c: connection%); - -## Generated for an inconsistent Telnet option. Telnet options are specified -## by the client and server stating which options they are willing to -## support vs. 
which they are not, and then instructing one another which in -## fact they should or should not use for the current connection. If the event -## engine sees a peer violate either what the other peer has instructed it to -## do, or what it itself offered in terms of options in the past, then the -## engine generates this event. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## .. bro:see:: bad_option bad_option_termination authentication_accepted -## authentication_rejected authentication_skipped login_confused -## login_confused_text login_display login_failure login_input_line -## login_output_line login_prompt login_success login_terminal -event inconsistent_option%(c: connection%); - -## Generated for an ill-formed or unrecognized Telnet option. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## .. bro:see:: inconsistent_option bad_option_termination authentication_accepted -## authentication_rejected authentication_skipped login_confused -## login_confused_text login_display login_failure login_input_line -## login_output_line login_prompt login_success login_terminal -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event bad_option%(c: connection%); - -## Generated for a Telnet option that's incorrectly terminated. -## -## See `Wikipedia `__ for more information -## about the Telnet protocol. -## -## c: The connection. -## -## .. 
bro:see:: inconsistent_option bad_option authentication_accepted -## authentication_rejected authentication_skipped login_confused -## login_confused_text login_display login_failure login_input_line -## login_output_line login_prompt login_success login_terminal -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event bad_option_termination%(c: connection%); - -## Generated for client side commands on an RSH connection. -## -## See `RFC 1258 `__ for more information -## about the Rlogin/Rsh protocol. -## -## c: The connection. -## -## client_user: The client-side user name as sent in the initial protocol -## handshake. -## -## server_user: The server-side user name as sent in the initial protocol -## handshake. -## -## line: The command line sent in the request. -## -## new_session: True if this is the first command of the Rsh session. -## -## .. bro:see:: rsh_reply login_confused login_confused_text login_display -## login_failure login_input_line login_output_line login_prompt login_success -## login_terminal -## -## .. note:: For historical reasons, these events are separate from the -## ``login_`` events. Ideally, they would all be handled uniquely. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%); - -## Generated for client side commands on an RSH connection. -## -## See `RFC 1258 `__ for more information -## about the Rlogin/Rsh protocol. -## -## c: The connection. 
-## -## client_user: The client-side user name as sent in the initial protocol -## handshake. -## -## server_user: The server-side user name as sent in the initial protocol -## handshake. -## -## line: The command line sent in the request. -## -## .. bro:see:: rsh_request login_confused login_confused_text login_display -## login_failure login_input_line login_output_line login_prompt login_success -## login_terminal -## -## .. note:: For historical reasons, these events are separate from the -## ``login_`` events. Ideally, they would all be handled uniquely. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%); - -## Generated for client-side FTP commands. -## -## See `Wikipedia `__ for -## more information about the FTP protocol. -## -## c: The connection. -## -## command: The FTP command issued by the client (without any arguments). -## -## arg: The arguments going with the command. -## -## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port -## parse_ftp_epsv parse_ftp_pasv parse_ftp_port -event ftp_request%(c: connection, command: string, arg: string%); - -## Generated for server-side FTP replies. -## -## See `Wikipedia `__ for -## more information about the FTP protocol. -## -## c: The connection. -## -## code: The numerical response code the server responded with. -## -## msg: The textual message of the response. -## -## cont_resp: True if the reply line is tagged as being continued to the next -## line. If so, further events will be raised and a handler may want -## to reassemble the pieces before processing the response any -## further. -## -## .. 
bro:see:: ftp_request fmt_ftp_port parse_eftp_port -## parse_ftp_epsv parse_ftp_pasv parse_ftp_port -event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%); - -## Generated for client-side SMTP commands. -## -## See `Wikipedia `__ -## for more information about the SMTP protocol. -## -## c: The connection. -## -## is_orig: True if the sender of the command is the originator of the TCP -## connection. Note that this is not redundant: the SMTP ``TURN`` command -## allows client and server to flip roles on established SMTP sessions, -## and hence a "request" might still come from the TCP-level responder. -## In practice, however, that will rarely happen as TURN is considered -## insecure and rarely used. -## -## command: The request's command, without any arguments. -## -## arg: The request command's arguments. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data -## smtp_data smtp_reply -## -## .. note:: Bro does not support the newer ETRN extension yet. -event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%); - -## Generated for server-side SMTP commands. -## -## See `Wikipedia `__ -## for more information about the SMTP protocol. -## -## c: The connection. -## -## is_orig: True if the sender of the command is the originator of the TCP -## connection. Note that this is not redundant: the SMTP ``TURN`` command -## allows client and server to flip roles on established SMTP sessions, -## and hence a "reply" might still come from the TCP-level originator. In -## practice, however, that will rarely happen as TURN is considered -## insecure and rarely used. -## -## code: The reply's numerical code. -## -## cmd: TODO. -## -## msg: The reply's textual description. -## -## cont_resp: True if the reply line is tagged as being continued to the next -## line. 
If so, further events will be raised and a handler may want to -## reassemble the pieces before processing the response any further. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data -## smtp_data smtp_request -## -## .. note:: Bro doesn't support the newer ETRN extension yet. -event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%); - -## Generated for DATA transmitted on SMTP sessions. This event is raised for -## subsequent chunks of raw data following the ``DATA`` SMTP command until the -## corresponding end marker ``.`` is seen. A handler may want to reassemble -## the pieces as they come in if stream-analysis is required. -## -## See `Wikipedia `__ -## for more information about the SMTP protocol. -## -## c: The connection. -## -## is_orig: True if the sender of the data is the originator of the TCP -## connection. -## -## data: The raw data. Note that the size of each chunk is undefined and -## depends on specifics of the underlying TCP connection. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data -## smtp_reply smtp_request skip_smtp_data -## -## .. note:: This event receives the unprocessed raw data. There is a separate -## set of ``mime_*`` events that strip out the outer MIME-layer of emails and -## provide structured access to their content. -event smtp_data%(c: connection, is_orig: bool, data: string%); - -## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks -## the state of SMTP sessions and reports commands and other activity with this -## event that it sees even though it would not expect so at the current point -## of the communication. -## -## See `Wikipedia `__ -## for more information about the SMTP protocol. -## -## c: The connection. 
-## -## is_orig: True if the sender of the unexpected activity is the originator of -## the TCP connection. -## -## msg: A descriptive message of what was unexpected. -## -## detail: The actual SMTP line triggering the event. -## -## .. bro:see:: smtp_data smtp_request smtp_reply -event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%); - -## Generated when starting to parse an email MIME entity. MIME is a -## protocol-independent data format for encoding text and files, along with -## corresponding metadata, for transmission. Bro raises this event when it -## begins parsing a MIME entity extracted from an email protocol. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## .. bro:see:: mime_all_data mime_all_headers mime_content_hash mime_end_entity -## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data -## http_begin_entity -## -## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, -## however, it raises :bro:id:`http_begin_entity` instead. -event mime_begin_entity%(c: connection%); - -## Generated when finishing parsing an email MIME entity. MIME is a -## protocol-independent data format for encoding text and files, along with -## corresponding metadata, for transmission. Bro raises this event when it -## finished parsing a MIME entity extracted from an email protocol. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_entity_data mime_event mime_one_header mime_segment_data smtp_data -## http_end_entity -## -## .. note:: Bro also extracts MIME entities from HTTP sessions. For those, -## however, it raises :bro:id:`http_end_entity` instead. 
-event mime_end_entity%(c: connection%); - -## Generated for individual MIME headers extracted from email MIME -## entities. MIME is a protocol-independent data format for encoding text and -## files, along with corresponding metadata, for transmission. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## h: The parsed MIME header. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_event mime_segment_data -## http_header http_all_headers -## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, -## however, it raises :bro:id:`http_header` instead. -event mime_one_header%(c: connection, h: mime_header_rec%); - -## Generated for MIME headers extracted from email MIME entities, passing all -## headers at once. MIME is a protocol-independent data format for encoding -## text and files, along with corresponding metadata, for transmission. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## hlist: A *table* containing all headers extracted from the current entity. -## The table is indexed by the position of the header (1 for the first, -## 2 for the second, etc.). -## -## .. bro:see:: mime_all_data mime_begin_entity mime_content_hash mime_end_entity -## mime_entity_data mime_event mime_one_header mime_segment_data -## http_header http_all_headers -## -## .. note:: Bro also extracts MIME headers from HTTP sessions. For those, -## however, it raises :bro:id:`http_header` instead. -event mime_all_headers%(c: connection, hlist: mime_header_list%); - -## Generated for chunks of decoded MIME data from email MIME entities. 
MIME -## is a protocol-independent data format for encoding text and files, along with -## corresponding metadata, for transmission. As Bro parses the data of an -## entity, it raises a sequence of these events, each coming as soon as a new -## chunk of data is available. In contrast, there is also -## :bro:id:`mime_entity_data`, which passes all of an entities data at once -## in a single block. While the latter is more convenient to handle, -## ``mime_segment_data`` is more efficient as Bro does not need to buffer -## the data. Thus, if possible, this event should be preferred. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## length: The length of *data*. -## -## data: The raw data of one segment of the current entity. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data -## mime_segment_length mime_segment_overlap_length -## -## .. note:: Bro also extracts MIME data from HTTP sessions. For those, -## however, it raises :bro:id:`http_entity_data` (sic!) instead. -event mime_segment_data%(c: connection, length: count, data: string%); - -## Generated for data decoded from an email MIME entity. This event delivers -## the complete content of a single MIME entity. In contrast, there is also -## :bro:id:`mime_segment_data`, which passes on a sequence of data chunks as -## they come in. While ``mime_entity_data`` is more convenient to handle, -## ``mime_segment_data`` is more efficient as Bro does not need to buffer the -## data. Thus, if possible, the latter should be preferred. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## length: The length of *data*. -## -## data: The raw data of the complete entity. -## -## .. 
bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_event mime_one_header mime_segment_data -## -## .. note:: While Bro also decodes MIME entities extracted from HTTP -## sessions, there's no corresponding event for that currently. -event mime_entity_data%(c: connection, length: count, data: string%); - -## Generated for passing on all data decoded from a single email MIME -## message. If an email message has more than one MIME entity, this event -## combines all their data into a single value for analysis. Note that because -## of the potentially significant buffering necessary, using this event can be -## expensive. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## length: The length of *data*. -## -## data: The raw data of all MIME entities concatenated. -## -## .. bro:see:: mime_all_headers mime_begin_entity mime_content_hash mime_end_entity -## mime_entity_data mime_event mime_one_header mime_segment_data -## -## .. note:: While Bro also decodes MIME entities extracted from HTTP -## sessions, there's no corresponding event for that currently. -event mime_all_data%(c: connection, length: count, data: string%); - -## Generated for errors found when decoding email MIME entities. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## event_type: A string describing the general category of the problem found -## (e.g., ``illegal format``). -## -## detail: Further more detailed description of the error. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash -## mime_end_entity mime_entity_data mime_one_header mime_segment_data http_event -## -## .. note:: Bro also extracts MIME headers from HTTP sessions. 
For those, -## however, it raises :bro:id:`http_event` instead. -event mime_event%(c: connection, event_type: string, detail: string%); - -## Generated for decoded MIME entities extracted from email messages, passing on -## their MD5 checksums. Bro computes the MD5 over the complete decoded data of -## each MIME entity. -## -## Bro's MIME analyzer for emails currently supports SMTP and POP3. See -## `Wikipedia `__ for more information -## about MIME. -## -## c: The connection. -## -## content_len: The length of the entity being hashed. -## -## hash_value: The MD5 hash. -## -## .. bro:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity -## mime_entity_data mime_event mime_one_header mime_segment_data -## -## .. note:: While Bro also decodes MIME entities extracted from HTTP -## sessions, there's no corresponding event for that currently. -event mime_content_hash%(c: connection, content_len: count, hash_value: string%); - -## Generated for RPC request/reply *pairs*. The RPC analyzer associates request -## and reply by their transaction identifiers and raises this event once both -## have been seen. If there's not a reply, this event will still be generated -## eventually on timeout. In that case, *status* will be set to -## :bro:enum:`RPC_TIMEOUT`. -## -## See `Wikipedia `__ for more information -## about the ONC RPC protocol. -## -## c: The connection. -## -## prog: The remote program to call. -## -## ver: The version of the remote program to call. -## -## proc: The procedure of the remote program to call. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## start_time: The time when the *call* was seen. -## -## call_len: The size of the *call_body* PDU. -## -## reply_len: The size of the *reply_body* PDU. -## -## .. bro:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request -## dce_rpc_response rpc_timeout -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); - -## Generated for RPC *call* messages. -## -## See `Wikipedia `__ for more information -## about the ONC RPC protocol. -## -## c: The connection. -## -## xid: The transaction identifier allowing to match requests with replies. -## -## prog: The remote program to call. -## -## ver: The version of the remote program to call. -## -## proc: The procedure of the remote program to call. -## -## call_len: The size of the *call_body* PDU. -## -## .. bro:see:: rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request -## dce_rpc_response rpc_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); - -## Generated for RPC *reply* messages. -## -## See `Wikipedia `__ for more information -## about the ONC RPC protocol. -## -## c: The connection. -## -## xid: The transaction identifier allowing to match requests with replies. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## reply_len: The size of the *reply_body* PDU. -## -## .. bro:see:: rpc_call rpc_dialogue dce_rpc_bind dce_rpc_message dce_rpc_request -## dce_rpc_response rpc_timeout -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); - -## Generated for Portmapper requests of type *null*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_null%(r: connection%); - -## Generated for Portmapper request/reply dialogues of type *set*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## m: The argument to the request. -## -## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request -## times out. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_set%(r: connection, m: pm_mapping, success: bool%); - -## Generated for Portmapper request/reply dialogues of type *unset*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## m: The argument to the request. -## -## success: True if the request was successful, according to the corresponding -## reply. If no reply was seen, this will be false once the request -## times out. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_set rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_unset%(r: connection, m: pm_mapping, success: bool%); - -## Generated for Portmapper request/reply dialogues of type *getport*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## pr: The argument to the request. -## -## p: The port returned by the server. -## -## .. 
bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_dump pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_getport%(r: connection, pr: pm_port_request, p: port%); - -## Generated for Portmapper request/reply dialogues of type *dump*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## m: The mappings returned by the server. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_dump%(r: connection, m: pm_mappings%); - -## Generated for Portmapper request/reply dialogues of type *callit*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## call: The argument to the request. -## -## p: The port value returned by the call. -## -## .. 
bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_bad_port pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_request_callit%(r: connection, call: pm_callit_request, p: port%); - -## Generated for failed Portmapper requests of type *null*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_null%(r: connection, status: rpc_status%); - -## Generated for failed Portmapper requests of type *set*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## m: The argument to the original request. -## -## .. 
bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%); - -## Generated for failed Portmapper requests of type *unset*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## m: The argument to the original request. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%); - -## Generated for failed Portmapper requests of type *getport*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. 
-## -## pr: The argument to the original request. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%); - -## Generated for failed Portmapper requests of type *dump*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_getport pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_dump%(r: connection, status: rpc_status%); - -## Generated for failed Portmapper requests of type *callit*. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## status: The status of the reply, which should be one of the index values of -## :bro:id:`RPC_status`. 
-## -## call: The argument to the original request. -## -## .. bro:see:: epm_map_response pm_attempt_dump pm_attempt_getport pm_attempt_null -## pm_attempt_set pm_attempt_unset pm_bad_port pm_request_callit pm_request_dump -## pm_request_getport pm_request_null pm_request_set pm_request_unset rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%); - -## Generated for Portmapper requests or replies that include an invalid port -## number. Since ports are represented by unsigned 4-byte integers, they can -## stray outside the allowed range of 0--65535 by being >= 65536. If so, this -## event is generated. -## -## Portmapper is a service running on top of RPC. See `Wikipedia -## `__ for more information about the -## service. -## -## r: The RPC connection. -## -## bad_p: The invalid port value. -## -## .. bro:see:: epm_map_response pm_attempt_callit pm_attempt_dump pm_attempt_getport -## pm_attempt_null pm_attempt_set pm_attempt_unset pm_request_callit -## pm_request_dump pm_request_getport pm_request_null pm_request_set -## pm_request_unset rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pm_bad_port%(r: connection, bad_p: count%); - -## Generated for NFSv3 request/reply dialogues of type *null*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. 
-## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_read nfs_proc_readdir nfs_proc_readlink -## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_null%(c: connection, info: NFS3::info_t%); - -## Generated for NFSv3 request/reply dialogues of type *getattr*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## fh: TODO. -## -## attrs: The attributes returned in the reply. The values may not be valid if -## the request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply file_mode -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); - -## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: The arguments passed in the request. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *read*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: The arguments passed in the request. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. 
bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_remove nfs_proc_rmdir -## nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply -## NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *readlink*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## fh: The file handle passed in the request. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *write*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_reply_status rpc_call -## rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only -## NFS3::return_data_max -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *create*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. 
bro:see:: nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *mkdir*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status -## rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *remove*. 
The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *rmdir*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. 
bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); - -## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is -## generated once we have either seen both the request and its corresponding -## reply, or an unanswered request has timed out. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## req: TODO. -## -## rep: The response returned in the reply. The values may not be valid if the -## request was unsuccessful. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readlink -## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%); - -## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3 -## analyzer does not implement. -## -## NFS is a service running on top of RPC. See `Wikipedia -## `__ for more -## information about the service. -## -## c: The RPC connection. -## -## info: Reports the status of the dialogue, along with some meta information. -## -## proc: The procedure called that Bro does not implement. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove -## nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%); - -## Generated for each NFSv3 reply message received, reporting just the -## status included. -## -## n: The connection. -## -## info: Reports the status included in the reply. -## -## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir -## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call -## rpc_dialogue rpc_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event nfs_reply_status%(n: connection, info: NFS3::info_t%); - -## Generated for all NTP messages. 
Different from many other of Bro's events, -## this one is generated for both client-side and server-side messages. -## -## See `Wikipedia `__ for -## more information about the NTP protocol. -## -## u: The connection record describing the corresponding UDP flow. -## -## msg: The parsed NTP message. -## -## excess: The raw bytes of any optional parts of the NTP packet. Bro does not -## further parse any optional fields. -## -## .. bro:see:: ntp_session_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event ntp_message%(u: connection, msg: ntp_msg, excess: string%); - -## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer -## processes the NetBIOS session service running on TCP port 139, and (despite -## its name!) the NetBIOS datagram service on UDP port 138. -## -## See `Wikipedia `__ for more information -## about NetBIOS. `RFC 1002 `__ describes -## the packet format for NetBIOS over TCP/IP, which Bro parses. -## -## c: The connection, which may be TCP or UDP, depending on the type of the -## NetBIOS session. -## -## is_orig: True if the message was sent by the originator of the connection. -## -## msg_type: The general type of message, as defined in Section 4.3.1 of -## `RFC 1002 `__. -## -## data_len: The length of the message's payload. -## -## .. bro:see:: netbios_session_accepted netbios_session_keepalive -## netbios_session_raw_message netbios_session_rejected netbios_session_request -## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type -## -## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's -## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%); - -## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS -## analyzer processes the NetBIOS session service running on TCP port 139, and -## (despite its name!) the NetBIOS datagram service on UDP port 138. -## -## See `Wikipedia `__ for more information -## about NetBIOS. `RFC 1002 `__ describes -## the packet format for NetBIOS over TCP/IP, which Bro parses. -## -## c: The connection, which may be TCP or UDP, depending on the type of the -## NetBIOS session. -## -## msg: The raw payload of the message sent, excluding the common NetBIOS -## header. -## -## .. bro:see:: netbios_session_accepted netbios_session_keepalive -## netbios_session_message netbios_session_raw_message netbios_session_rejected -## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type -## -## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's -## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event netbios_session_request%(c: connection, msg: string%); - -## Generated for NetBIOS messages of type *positive session response*. Bro's -## NetBIOS analyzer processes the NetBIOS session service running on TCP port -## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. 
-## -## See `Wikipedia `__ for more information -## about NetBIOS. `RFC 1002 `__ describes -## the packet format for NetBIOS over TCP/IP, which Bro parses. -## -## c: The connection, which may be TCP or UDP, depending on the type of the -## NetBIOS session. -## -## msg: The raw payload of the message sent, excluding the common NetBIOS -## header. -## -## .. bro:see:: netbios_session_keepalive netbios_session_message -## netbios_session_raw_message netbios_session_rejected netbios_session_request -## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type -## -## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's -## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event netbios_session_accepted%(c: connection, msg: string%); - -## Generated for NetBIOS messages of type *negative session response*. Bro's -## NetBIOS analyzer processes the NetBIOS session service running on TCP port -## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. -## -## See `Wikipedia `__ for more information -## about NetBIOS. `RFC 1002 `__ describes -## the packet format for NetBIOS over TCP/IP, which Bro parses. -## -## c: The connection, which may be TCP or UDP, depending on the type of the -## NetBIOS session. -## -## msg: The raw payload of the message sent, excluding the common NetBIOS -## header. -## -## .. bro:see:: netbios_session_accepted netbios_session_keepalive -## netbios_session_message netbios_session_raw_message netbios_session_request -## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type -## -## .. 
note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's -## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event netbios_session_rejected%(c: connection, msg: string%); - -## Generated for NetBIOS messages of type *session message* that are not -## carrying an SMB payload. -## -## NetBIOS analyzer processes the NetBIOS session service running on TCP port -## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138. -## -## See `Wikipedia `__ for more information -## about NetBIOS. `RFC 1002 `__ describes -## the packet format for NetBIOS over TCP/IP, which Bro parses. -## -## c: The connection, which may be TCP or UDP, depending on the type of the -## NetBIOS session. -## -## is_orig: True if the message was sent by the originator of the connection. -## -## msg: The raw payload of the message sent, excluding the common NetBIOS -## header (i.e., the ``user_data``). -## -## .. bro:see:: netbios_session_accepted netbios_session_keepalive -## netbios_session_message netbios_session_rejected netbios_session_request -## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type -## -## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's -## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. -## -## .. todo:: This is an oddly named event. In fact, it's probably an odd event -## to have to begin with. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. 
To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%); - -## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS -## analyzer processes the NetBIOS session service running on TCP port 139, and -## (despite its name!) the NetBIOS datagram service on UDP port 138. -## -## See `Wikipedia `__ for more information -## about NetBIOS. `RFC 1002 `__ describes -## the packet format for NetBIOS over TCP/IP, which Bro parses. -## -## c: The connection, which may be TCP or UDP, depending on the type of the -## NetBIOS session. -## -## msg: The raw payload of the message sent, excluding the common NetBIOS -## header. -## -## .. bro:see:: netbios_session_accepted netbios_session_keepalive -## netbios_session_message netbios_session_raw_message netbios_session_rejected -## netbios_session_request decode_netbios_name decode_netbios_name_type -## -## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's -## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. -## -## .. todo:: This is an oddly named event. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event netbios_session_ret_arg_resp%(c: connection, msg: string%); - -## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer -## processes the NetBIOS session service running on TCP port 139, and (despite -## its name!) the NetBIOS datagram service on UDP port 138. -## -## See `Wikipedia `__ for more information -## about NetBIOS. `RFC 1002 `__ describes -## the packet format for NetBIOS over TCP/IP, which Bro parses. 
-## -## c: The connection, which may be TCP or UDP, depending on the type of the -## NetBIOS session. -## -## msg: The raw payload of the message sent, excluding the common NetBIOS -## header. -## -## .. bro:see:: netbios_session_accepted netbios_session_message -## netbios_session_raw_message netbios_session_rejected netbios_session_request -## netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type -## -## .. note:: These days, NetBIOS is primarily used as a transport mechanism for -## `SMB/CIFS `__. Bro's -## SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event netbios_session_keepalive%(c: connection, msg: string%); - -## Generated for all SMB/CIFS messages. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## is_orig: True if the message was sent by the originator of the underlying -## transport-level connection. -## -## cmd: A string mnemonic of the SMB command code. -## -## body_length: The length of the SMB message body, i.e. the data starting after -## the SMB header. -## -## body: The raw SMB message body, i.e., the data starting after the SMB header. -## -## .. 
bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot -## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 -## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error -## smb_get_dfs_referral -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%); - -## Generated for SMB/CIFS messages of type *tree connect andx*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## path: The ``path`` attribute specified in the message. -## -## service: The ``service`` attribute specified in the message. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot -## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 -## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%); - -## Generated for SMB/CIFS messages of type *tree disconnect*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot -## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 -## smb_com_tree_connect_andx smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%); - -## Generated for SMB/CIFS messages of type *nt create andx*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## name: The ``name`` attribute specified in the message. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_read_andx -## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap -## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx -## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%); - -## Generated for SMB/CIFS messages of type *nt transaction*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## trans: The parsed transaction header. -## -## data: The raw transaction data. -## -## is_orig: True if the message was sent by the originator of the connection. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe -## smb_com_trans_rap smb_com_transaction2 smb_com_tree_connect_andx -## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); - -## Generated for SMB/CIFS messages of type *nt transaction 2*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. 
-## -## trans: The parsed transaction header. -## -## data: The raw transaction data. -## -## is_orig: True if the message was sent by the originator of the connection. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe -## smb_com_trans_rap smb_com_transaction smb_com_tree_connect_andx -## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); - -## Generated for SMB/CIFS messages of type *transaction mailslot*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## trans: The parsed transaction header. -## -## data: The raw transaction data. -## -## is_orig: True if the message was sent by the originator of the connection. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_setup_andx smb_com_trans_pipe smb_com_trans_rap -## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx -## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); - -## Generated for SMB/CIFS messages of type *transaction rap*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## trans: The parsed transaction header. -## -## data: The raw transaction data. -## -## is_orig: True if the message was sent by the originator of the connection. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot -## smb_com_trans_pipe smb_com_transaction smb_com_transaction2 -## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error -## smb_get_dfs_referral smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); - -## Generated for SMB/CIFS messages of type *transaction pipe*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. 
-## -## hdr: The parsed header of the SMB message. -## -## trans: The parsed transaction header. -## -## data: The raw transaction data. -## -## is_orig: True if the message was sent by the originator of the connection. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_rap -## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx -## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%); - -## Generated for SMB/CIFS messages of type *read andx*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## data: Always empty. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap -## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx -## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. 
To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%); - -## Generated for SMB/CIFS messages of type *read andx*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## data: Always empty. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot -## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 -## smb_com_tree_connect_andx smb_com_tree_disconnect smb_error -## smb_get_dfs_referral smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%); - -## Generated for SMB/CIFS messages of type *get dfs referral*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## max_referral_level: The ``max_referral_level`` attribute specified in the -## message. -## -## file_name: The ``filene_name`` attribute specified in the message. -## -## .. 
bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot -## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 -## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx smb_error -## smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%); - -## Generated for SMB/CIFS messages of type *negotiate*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx -## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction -## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect -## smb_com_write_andx smb_error smb_get_dfs_referral smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_negotiate%(c: connection, hdr: smb_hdr%); - -## Generated for SMB/CIFS messages of type *negotiate response*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. 
Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## dialect_index: The ``dialect`` indicated in the message. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_nt_create_andx smb_com_read_andx smb_com_setup_andx -## smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap smb_com_transaction -## smb_com_transaction2 smb_com_tree_connect_andx smb_com_tree_disconnect -## smb_com_write_andx smb_error smb_get_dfs_referral smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%); - -## Generated for SMB/CIFS messages of type *setup andx*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap -## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx -## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. 
To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_setup_andx%(c: connection, hdr: smb_hdr%); - -## Generated for SMB/CIFS messages of type *generic andx*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## .. bro:see:: smb_com_close smb_com_logoff_andx smb_com_negotiate -## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx -## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap -## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx -## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_generic_andx%(c: connection, hdr: smb_hdr%); - -## Generated for SMB/CIFS messages of type *close*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## .. bro:see:: smb_com_generic_andx smb_com_logoff_andx smb_com_negotiate -## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx -## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap -## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx -## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_close%(c: connection, hdr: smb_hdr%); - -## Generated for SMB/CIFS messages of type *logoff andx*. -## -## See `Wikipedia `__ for -## more information about the SMB/CIFS protocol. Bro's SMB/CIFS analyzer parses -## both SMB-over-NetBIOS on ports 138/139 and SMB-over-TCP on port 445. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## .. bro:see:: smb_com_close smb_com_generic_andx smb_com_negotiate -## smb_com_negotiate_response smb_com_nt_create_andx smb_com_read_andx -## smb_com_setup_andx smb_com_trans_mailslot smb_com_trans_pipe smb_com_trans_rap -## smb_com_transaction smb_com_transaction2 smb_com_tree_connect_andx -## smb_com_tree_disconnect smb_com_write_andx smb_error smb_get_dfs_referral -## smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%); - -## Generated for SMB/CIFS messages that indicate an error. This event is -## triggered by an SMB header including a status that signals an error. -## -## c: The connection. -## -## hdr: The parsed header of the SMB message. -## -## cmd: The SMB command code. -## -## cmd_str: A string mnemonic of the SMB command code. -## -## data: The raw SMB message body, i.e., the data starting after the SMB header. -## -## .. 
bro:see:: smb_com_close smb_com_generic_andx smb_com_logoff_andx -## smb_com_negotiate smb_com_negotiate_response smb_com_nt_create_andx -## smb_com_read_andx smb_com_setup_andx smb_com_trans_mailslot -## smb_com_trans_pipe smb_com_trans_rap smb_com_transaction smb_com_transaction2 -## smb_com_tree_connect_andx smb_com_tree_disconnect smb_com_write_andx -## smb_get_dfs_referral smb_message -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%); - -## Generated for all DNS messages. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## is_orig: True if the message was sent by the originator of the connection. -## -## msg: The parsed DNS message header. -## -## len: The length of the message's raw representation (i.e., the DNS payload). -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_query_reply dns_rejected -## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%); - -## Generated for DNS requests. For requests with multiple queries, this event -## is raised once for each. 
-## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## query: The queried name. -## -## qtype: The queried resource record type. -## -## qclass: The queried resource record class. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); - -## Generated for DNS replies that reject a query. This event is raised if a DNS -## reply either indicates failure via its status code or does not pass on any -## answers to a query. Note that all of the event's parameters are parsed out of -## the reply; there's no stateful correlation with the query. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## query: The queried name. -## -## qtype: The queried resource record type. -## -## qclass: The queried resource record class. -## -## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%); - -## Generated for DNS replies with an *ok* status code but no question section. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## query: The queried name. -## -## qtype: The queried resource record type. -## -## qclass: The queried resource record class. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_rejected -## dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_query_reply%(c: connection, msg: dns_msg, query: string, - qtype: count, qclass: count%); - -## Generated when the DNS analyzer processes what seems to be a non-DNS packet. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The raw DNS payload. -## -## .. 
note:: This event is deprecated and superseded by Bro's dynamic protocol -## detection framework. -event non_dns_request%(c: connection, msg: string%); - -## Generated for DNS replies of type *A*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## a: The address returned by the reply. -## -## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply -## dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); - -## Generated for DNS replies of type *AAAA*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## a: The address returned by the reply. -## -## .. 
bro:see:: dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply -## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl -## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered -## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request -## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); - -## Generated for DNS replies of type *A6*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## a: The address returned by the reply. -## -## .. bro:see:: dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply -## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl -## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered -## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request -## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%); - -## Generated for DNS replies of type *NS*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. 
Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## name: The name returned by the reply. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); - -## Generated for DNS replies of type *CNAME*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## name: The name returned by the reply. -## -## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply -## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl -## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered -## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request -## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); - -## Generated for DNS replies of type *PTR*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## name: The name returned by the reply. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_SOA_reply dns_SRV_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%); - -## Generated for DNS replies of type *CNAME*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. 
Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## soa: The parsed SOA value. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%); - -## Generated for DNS replies of type *WKS*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%); - -## Generated for DNS replies of type *HINFO*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply -## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl -## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered -## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request -## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%); - -## Generated for DNS replies of type *MX*. For replies with multiple answers, an -## individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. 
-## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## name: The name returned by the reply. -## -## preference: The preference for *name* specified by the reply. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%); - -## Generated for DNS replies of type *TXT*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## str: The textual information returned by the reply. -## -## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%); - -## Generated for DNS replies of type *SRV*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The type-independent part of the parsed answer record. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%); - -## Generated for DNS replies of type *EDNS*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. 
-## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The parsed EDNS reply. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply -## dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl -## dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered -## dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified -## dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request -## non_dns_request dns_max_queries dns_session_timeout dns_skip_addl -## dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%); - -## Generated for DNS replies of type *TSIG*. For replies with multiple answers, -## an individual event of the corresponding type is raised for each. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## ans: The parsed TSIG reply. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TXT_reply dns_WKS_reply dns_end dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%); - -## Generated at the end of processing a DNS packet. 
This event is the last -## ``dns_*`` event that will be raised for a DNS query/reply and signals that -## all resource records have been passed on. -## -## See `Wikipedia `__ for more -## information about the DNS protocol. Bro analyzes both UDP and TCP DNS -## sessions. -## -## c: The connection, which may be UDP or TCP depending on the type of the -## transport-layer session being analyzed. -## -## msg: The parsed DNS message header. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request -## dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -event dns_end%(c: connection, msg: dns_msg%); - -## Generated for DHCP messages of type *discover*. -## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## req_addr: The specific address requested by the client. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout -## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). 
It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%); - -## Generated for DHCP messages of type *offer*. -## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: TODO. -## -## mask: The subnet mask specified by the message. -## -## router: The list of routers specified by the message. -## -## lease: The least interval specified by the message. -## -## serv_addr: The server address specified by the message. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); - -## Generated for DHCP messages of type *request*. -## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## req_addr: The client address specified by the message. -## -## serv_addr: The server address specified by the message. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%); - -## Generated for DHCP messages of type *decline*. -## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dhcp_decline%(c: connection, msg: dhcp_msg%); - -## Generated for DHCP messages of type *acknowledgment*. -## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## mask: The subnet mask specified by the message. -## -## router: The list of routers specified by the message. -## -## lease: The least interval specified by the message. -## -## serv_addr: The server address specified by the message. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request -## -## .. 
note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%); - -## Generated for DHCP messages of type *negative acknowledgment*. -## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dhcp_nak%(c: connection, msg: dhcp_msg%); - -## Generated for DHCP messages of type *release*. 
-## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dhcp_release%(c: connection, msg: dhcp_msg%); - -## Generated for DHCP messages of type *inform*. -## -## See `Wikipedia -## `__ for -## more information about the DHCP protocol. -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl -## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply -## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end -## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name -## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply -## dns_rejected dns_request non_dns_request -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). 
It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dhcp_inform%(c: connection, msg: dhcp_msg%); - -## Generated when seeing an SSH client's version identification. The SSH -## protocol starts with a clear-text handshake message that reports client and -## server protocol/software versions. This event provides access to what the -## client sent. -## -## -## See `Wikipedia `__ for more -## information about the SSH protocol. -## -## c: The connection. -## -## version: The version string the client sent (e.g., `SSH-2.0-libssh-0.11`). -## -## .. bro:see:: ssh_server_version -## -## .. note:: As everything after the initial version handshake proceeds -## encrypted, Bro cannot further analyze SSH sessions. -event ssh_client_version%(c: connection, version: string%); - -## Generated when seeing an SSH server's version identification. The SSH -## protocol starts with a clear-text handshake message that reports client and -## server protocol/software versions. This event provides access to what the -## server sent. -## -## See `Wikipedia `__ for more -## information about the SSH protocol. -## -## c: The connection. -## -## version: The version string the server sent (e.g., -## ``SSH-1.99-OpenSSH_3.9p1``). -## -## .. bro:see:: ssh_client_version -## -## .. note:: As everything coming after the initial version handshake proceeds -## encrypted, Bro cannot further analyze SSH sessions. -event ssh_server_version%(c: connection, version: string%); - -## TODO. -## -## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request -## dce_rpc_response rpc_timeout -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%); - -## TODO. -## -## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_message dce_rpc_request -## dce_rpc_response rpc_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dce_rpc_bind%(c: connection, uuid: string%); - -## TODO. -## -## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message -## dce_rpc_response rpc_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dce_rpc_request%(c: connection, opnum: count, stub: string%); - -## TODO. -## -## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message -## dce_rpc_request rpc_timeout -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event dce_rpc_response%(c: connection, opnum: count, stub: string%); - -## TODO. -## -## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message -## dce_rpc_request dce_rpc_response rpc_timeout -## -## .. 
todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event epm_map_response%(c: connection, uuid: string, p: port, h: addr%); - -## Generated for NCP requests (Netware Core Protocol). -## -## See `Wikipedia `__ for -## more information about the NCP protocol. -## -## c: The connection. -## -## frame_type: The frame type, as specified by the protocol. -## -## length: The length of the request body, excluding the frame header. -## -## func: The requested function, as specified by the protocol. -## -## .. bro:see:: ncp_reply -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event ncp_request%(c: connection, frame_type: count, length: count, func: count%); - -## Generated for NCP replies (Netware Core Protocol). -## -## See `Wikipedia `__ for -## more information about the NCP protocol. -## -## c: The connection. -## -## frame_type: The frame type, as specified by the protocol. -## -## length: The length of the request body, excluding the frame header. -## -## req_frame: The frame type from the corresponding request. -## -## req_func: The function code from the corresponding request. -## -## completion_code: The reply's completion code, as specified by the protocol. -## -## .. bro:see:: ncp_request -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%); - -## Generated for client-side commands on POP3 connections. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## command: The command sent. -## -## arg: The argument to the command. -## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply -## pop3_terminate pop3_unexpected -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pop3_request%(c: connection, is_orig: bool, - command: string, arg: string%); - -## Generated for server-side replies to commands on POP3 connections. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## cmd: The success indicator sent by the server. This corresponds to the -## first token on the line sent, and should be either ``OK`` or ``ERR``. -## -## msg: The textual description the server sent along with *cmd*. -## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_request -## pop3_terminate pop3_unexpected -## -## .. todo:: This event is receiving odd parameters, should unify. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%); - -## Generated for server-side multi-line responses on POP3 connections. POP3 -## connections use multi-line responses to send bulk data, such as the actual -## mails. This event is generated once for each line that's part of such a -## response. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: True if the data was sent by the originator of the TCP connection. -## -## data: The data sent. -## -## .. bro:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request -## pop3_terminate pop3_unexpected -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pop3_data%(c: connection, is_orig: bool, data: string%); - -## Generated for errors encountered on POP3 sessions. If the POP3 analyzer -## finds state transitions that do not conform to the protocol specification, -## or other situations it can't handle, it raises this event. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: True if the data was sent by the originator of the TCP connection. -## -## msg: A textual description of the situation. -## -## detail: The input that triggered the event. -## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request -## pop3_terminate -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event pop3_unexpected%(c: connection, is_orig: bool, - msg: string, detail: string%); - -## Generated when a POP3 connection goes encrypted. While POP3 is by default a -## clear-text protocol, extensions exist to switch to encryption. This event is -## generated if that happens and the analyzer then stops processing the -## connection. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: Always false. -## -## msg: A descriptive message why processing was stopped. -## -## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request -## pop3_unexpected -## -## .. note:: Currently, only the ``STARTLS`` command is recognized and -## triggers this. -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pop3_terminate%(c: connection, is_orig: bool, msg: string%); - -## Generated for successful authentications on POP3 connections. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: Always false. -## -## user: The user name used for authentication. The event is only generated if -## a non-empty user name was used. -## -## password: The password used for authentication. -## -## .. bro:see:: pop3_data pop3_login_failure pop3_reply pop3_request pop3_terminate -## pop3_unexpected -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. 
-event pop3_login_success%(c: connection, is_orig: bool, - user: string, password: string%); - -## Generated for unsuccessful authentications on POP3 connections. -## -## See `Wikipedia `__ for more information -## about the POP3 protocol. -## -## c: The connection. -## -## is_orig: Always false. -## -## user: The user name attempted for authentication. The event is only -## generated if a non-empty user name was used. -## -## password: The password attempted for authentication. -## -## .. bro:see:: pop3_data pop3_login_success pop3_reply pop3_request pop3_terminate -## pop3_unexpected -## -## .. todo:: Bro's current default configuration does not activate the protocol -## analyzer that generates this event; the corresponding script has not yet -## been ported to Bro 2.x. To still enable this event, one needs to -## register a port for it or add a DPD payload signature. -event pop3_login_failure%(c: connection, is_orig: bool, - user: string, password: string%); - - -## Generated for all client-side IRC commands. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: Always true. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## command: The command. -## -## arguments: The arguments for the command. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -## -## .. note:: This event is generated only for messages that originate -## at the client-side. Commands coming in from remote trigger -## the :bro:id:`irc_message` event instead. 
-event irc_request%(c: connection, is_orig: bool, prefix: string, - command: string, arguments: string%); - -## Generated for all IRC replies. IRC replies are sent in response to a -## request and come with a reply code. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the reply. IRC uses the prefix to -## indicate the true origin of a message. -## -## code: The reply code, as specified by the protocol. -## -## params: The reply's parameters. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_reply%(c: connection, is_orig: bool, prefix: string, - code: count, params: string%); - -## Generated for IRC commands forwarded from the server to the client. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: Always false. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## command: The command. -## -## message: TODO. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -## -## .. note:: -## -## This event is generated only for messages that are forwarded by the server -## to the client. 
Commands coming from client trigger the -## :bro:id:`irc_request` event instead. -event irc_message%(c: connection, is_orig: bool, prefix: string, - command: string, message: string%); - -## Generated for IRC messages of type *quit*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## nick: The nickname coming with the message. -## -## message: The text included with the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%); - -## Generated for IRC messages of type *privmsg*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## source: The source of the private communication. -## -## target: The target of the private communication. -## -## message: The text of communication. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_privmsg_message%(c: connection, is_orig: bool, source: string, - target: string, message: string%); - -## Generated for IRC messages of type *notice*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## source: The source of the private communication. -## -## target: The target of the private communication. -## -## message: The text of communication. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_notice_message%(c: connection, is_orig: bool, source: string, - target: string, message: string%); - -## Generated for IRC messages of type *squery*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## source: The source of the private communication. -## -## target: The target of the private communication. -## -## message: The text of communication. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_squery_message%(c: connection, is_orig: bool, source: string, - target: string, message: string%); - -## Generated for IRC messages of type *join*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## info_list: The user information coming with the command. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%); - -## Generated for IRC messages of type *part*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## nick: The nickname coming with the message. -## -## chans: The set of channels affected. -## -## message: The text coming with the message. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_password_message -event irc_part_message%(c: connection, is_orig: bool, nick: string, - chans: string_set, message: string%); - -## Generated for IRC messages of type *nick*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## who: The user changing its nickname. -## -## newnick: The new nickname. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%); - -## Generated when a server rejects an IRC nickname. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_invalid_nick%(c: connection, is_orig: bool%); - -## Generated for an IRC reply of type *luserclient*. 
-## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## users: The number of users as returned in the reply. -## -## services: The number of services as returned in the reply. -## -## servers: The number of servers as returned in the reply. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_network_info%(c: connection, is_orig: bool, users: count, - services: count, servers: count%); - -## Generated for an IRC reply of type *luserme*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## users: The number of users as returned in the reply. -## -## services: The number of services as returned in the reply. -## -## servers: The number of servers as returned in the reply. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_server_info%(c: connection, is_orig: bool, users: count, - services: count, servers: count%); - -## Generated for an IRC reply of type *luserchannels*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. 
-## -## chans: The number of channels as returned in the reply. -## -## .. bro:see:: irc_channel_topic irc_dcc_message irc_error_message irc_global_users -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_channel_info%(c: connection, is_orig: bool, chans: count%); - -## Generated for an IRC reply of type *whoreply*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## target_nick: The target nickname. -## -## channel: The channel. -## -## user: The user. -## -## host: The host. -## -## server: The server. -## -## nick: The nickname. -## -## params: The parameters. -## -## hops: The hop count. -## -## real_name: The real name. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_who_line%(c: connection, is_orig: bool, target_nick: string, - channel: string, user: string, host: string, - server: string, nick: string, params: string, - hops: count, real_name: string%); - - -## Generated for an IRC reply of type *namereply*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## c_type: The channel type. -## -## channel: The channel. -## -## users: The set of users. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_names_info%(c: connection, is_orig: bool, c_type: string, - channel: string, users: string_set%); - -## Generated for an IRC reply of type *whoisoperator*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## nick: The nickname specified in the reply. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%); - -## Generated for an IRC reply of type *whoischannels*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## nick: The nickname specified in the reply. -## -## chans: The set of channels returned. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string, - chans: string_set%); - -## Generated for an IRC reply of type *whoisuser*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## nick: The nickname specified in the reply. -## -## user: The user name specified in the reply. -## -## host: The host name specified in the reply. -## -## real_name: The real name specified in the reply. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_whois_user_line%(c: connection, is_orig: bool, nick: string, - user: string, host: string, real_name: string%); - -## Generated for IRC replies of type *youreoper* and *nooperhost*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## got_oper: True if the *oper* command was executed successfully -## (*youreport*) and false otherwise (*nooperhost*). -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_part_message -## irc_password_message -event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%); - -## Generated for an IRC reply of type *globalusers*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## msg: The message coming with the reply. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%); - -## Generated for an IRC reply of type *topic*. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## channel: The channel name specified in the reply. -## -## topic: The topic specified in the reply. -## -## .. 
bro:see:: irc_channel_info irc_dcc_message irc_error_message irc_global_users -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%); - -## Generated for IRC messages of type *who*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## mask: The mask specified in the message. -## -## oper: True if the operator flag was set. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%); - -## Generated for IRC messages of type *whois*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## server: TODO. -## -## users: TODO. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%); - -## Generated for IRC messages of type *oper*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## user: The user specified in the message. -## -## password: The password specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_response irc_part_message -## irc_password_message -event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%); - -## Generated for IRC messages of type *kick*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## chans: The channels specified in the message. -## -## users: The users specified in the message. -## -## comment: The comment specified in the message. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_kick_message%(c: connection, is_orig: bool, prefix: string, - chans: string, users: string, comment: string%); - -## Generated for IRC messages of type *error*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## message: The textual description specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%); - -## Generated for IRC messages of type *invite*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## nickname: The nickname specified in the message. -## -## channel: The channel specified in the message. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_invite_message%(c: connection, is_orig: bool, prefix: string, - nickname: string, channel: string%); - -## Generated for IRC messages of type *mode*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## params: The parameters coming with the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%); - -## Generated for IRC messages of type *squit*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## server: The server specified in the message. -## -## message: The textual description specified in the message. -## -## .. 
bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_squit_message%(c: connection, is_orig: bool, prefix: string, - server: string, message: string%); - -## Generated for IRC messages of type *dcc*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## prefix: The optional prefix coming with the command. IRC uses the prefix to -## indicate the true origin of a message. -## -## target: The target specified in the message. -## -## dcc_type: The DCC type specified in the message. -## -## argument: The argument specified in the message. -## -## address: The address specified in the message. -## -## dest_port: The destination port specified in the message. -## -## size: The size specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_error_message irc_global_users -## irc_invalid_nick irc_invite_message irc_join_message irc_kick_message -## irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message -## irc_notice_message irc_oper_message irc_oper_response irc_part_message -## irc_password_message -event irc_dcc_message%(c: connection, is_orig: bool, - prefix: string, target: string, - dcc_type: string, argument: string, - address: addr, dest_port: count, size: count%); - -## Generated for IRC messages of type *user*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. 
-## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## user: The user specified in the message. -## -## host: The host name specified in the message. -## -## server: The server name specified in the message. -## -## real_name: The real name specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message irc_password_message -event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%); - -## Generated for IRC messages of type *password*. This event is generated for -## messages coming from both the client and the server. -## -## See `Wikipedia `__ for more -## information about the IRC protocol. -## -## c: The connection. -## -## is_orig: True if the command was sent by the originator of the TCP -## connection. -## -## password: The password specified in the message. -## -## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message -## irc_global_users irc_invalid_nick irc_invite_message irc_join_message -## irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info -## irc_nick_message irc_notice_message irc_oper_message irc_oper_response -## irc_part_message -event irc_password_message%(c: connection, is_orig: bool, password: string%); - -## TODO. -## -event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); - ## Generated when a signature matches. Bro's signature engine provides ## high-performance pattern matching separately from the normal script ## processing. If a signature with an ``event`` action matches, this event is 
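Review bot: the IRC and POP3 event documentation removed in this hunk carries defects that should not be copied verbatim when these declarations are re-created in the analyzer-local .bif files: the `got_oper` description of `irc_oper_response` says `(*youreport*)` while the summary line names the reply `*youreoper*`; `irc_message` (`message: TODO.`) and `irc_whois_message` (`server: TODO.` / `users: TODO.`) still have placeholder parameter docs; and `file_transferred` is documented only as `## TODO.`. The `.. todo::` on `pop3_login_success` and `pop3_login_failure` about having to register a port or add a DPD signature is also a per-analyzer port-registration concern that now belongs with the POP3 analyzer's own script rather than in the core event list.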
@@ -5847,35 +530,6 @@ event file_transferred%(c: connection, prefix: string, descr: string, mime_type: ## triggering the match will be passed on to the event. event signature_match%(state: signature_state, msg: string, data: string%); -## Generated when a SOCKS request is analyzed. -## -## c: The parent connection of the proxy. -## -## version: The version of SOCKS this message used. -## -## request_type: The type of the request. -## -## sa: Address that the tunneled traffic should be sent to. -## -## p: The destination port for the proxied traffic. -## -## user: Username given for the SOCKS connection. This is not yet implemented -## for SOCKSv5. -event socks_request%(c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string%); - -## Generated when a SOCKS reply is analyzed. -## -## c: The parent connection of the proxy. -## -## version: The version of SOCKS this message used. -## -## reply: The status reply from the server. -## -## sa: The address that the server sent the traffic to. -## -## p: The destination port for the proxied traffic. -event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port%); - ## Generated when a protocol analyzer finds an identification of a software ## used on a system. This is a protocol-independent event that is fed by ## different analyzers. For example, the HTTP analyzer reports user-agent and @@ -5893,7 +547,7 @@ event socks_reply%(c: connection, version: count, reply: count, sa: SOCKS::Addre ## ## .. bro:see:: software_parse_error software_unparsed_version_found OS_version_found event software_version_found%(c: connection, host: addr, - s: software, descr: string%); + s: software, descr: string%); ## Generated when a protocol analyzer finds an identification of a software ## used on a system but cannot parse it. This is a protocol-independent event 
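Review bot: in the `@@ -5893,7 +547,7 @@` hunk the only difference between the removed and added `s: software, descr: string%);` line is its leading whitespace, which is indentation churn unrelated to the analyzer move; either drop it or do the indentation normalization in a separate commit so that the substantive removals in this region (the `socks_request` and `socks_reply` declarations in the `@@ -5847,35 +530,6 @@` hunk) stay easy to review.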
@@ -6004,8 +658,6 @@ event remote_event_registered%(p: event_peer, name: string%); ## remote_state_inconsistency print_hook event remote_connection_error%(p: event_peer, reason: string%); - - ## Generated when a remote peer sent us a capture filter. While this event is ## intended primarily for use by Bro's communication framework, it can also ## trigger additional code if helpful. @@ -6124,7 +776,7 @@ event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%); ## remote_event_registered remote_log remote_state_access_performed ## remote_state_inconsistency print_hook event remote_pong%(p: event_peer, seq: count, - d1: interval, d2: interval, d3: interval%); + d1: interval, d2: interval, d3: interval%); ## Generated each time a remote state access has been replayed locally. This ## event is primarily intended for debugging. 
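Review bot: the `@@ -6124,7 +776,7 @@` hunk is another whitespace-only edit, re-adding `d1: interval, d2: interval, d3: interval%);` with different indentation, and the `@@ -6004,8 +658,6 @@` hunk only deletes two blank lines after `remote_connection_error`; neither touches analyzer code, so consider leaving these remote-communication declarations untouched in this changeset to keep the diff focused.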
@@ -6151,326 +803,6 @@ event remote_state_access_performed%(id: string, v: any%); ## .. bro:see:: profiling_interval expensive_profiling_multiple event profiling_update%(f: file, expensive: bool%); -## Generated each time Bro's script interpreter opens a file. This event is -## triggered only for files opened via :bro:id:`open`, and in particular not for -## normal log files as created by log writers. -## -## f: The opened file. -event file_opened%(f: file%); - -## Generated for a received NetFlow v5 header. Bro's NetFlow processor raises -## this event whenever it either receives a NetFlow header on the port it's -## listening on, or reads one from a trace file. -## -## h: The parsed NetFlow header. -## -## .. bro:see:: netflow_v5_record -event netflow_v5_header%(h: nf_v5_header%); - -## Generated for a received NetFlow v5 record. Bro's NetFlow processor raises -## this event whenever it either receives a NetFlow record on the port it's -## listening on, or reads one from a trace file. -## -## r: The parsed NetFlow record. -## -## .. bro:see:: netflow_v5_record -event netflow_v5_record%(r: nf_v5_record%); - -## Generated for any modbus message regardless if the particular function -## is further supported or not. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## is_orig: True if the event is raised for the originator side. -event modbus_message%(c: connection, headers: ModbusHeaders, is_orig: bool%); - -## Generated for any modbus exception message. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## code: The exception code. -event modbus_exception%(c: connection, headers: ModbusHeaders, code: count%); - -## Generated for a Modbus read coils request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address where of the first coil to be read. -## -## quantity: The number of coils to be read. 
-event modbus_read_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus read coils response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## coils: The coil values returned from the device. -event modbus_read_coils_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%); - -## Generated for a Modbus read discrete inputs request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first coil to be read. -## -## quantity: The number of coils to be read. -event modbus_read_discrete_inputs_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus read discrete inputs response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## coils: The coil values returned from the device. -event modbus_read_discrete_inputs_response%(c: connection, headers: ModbusHeaders, coils: ModbusCoils%); - -## Generated for a Modbus read holding registers request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first register to be read. -## -## quantity: The number of registers to be read. -event modbus_read_holding_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus read holding registers response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## registers: The register values returned from the device. -event modbus_read_holding_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%); - -## Generated for a Modbus read input registers request. -## -## c: The connection. -## -## headers: The headers for the modbus function. 
-## -## start_address: The memory address of the first register to be read. -## -## quantity: The number of registers to be read. -event modbus_read_input_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus read input registers response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## registers: The register values returned from the device. -event modbus_read_input_registers_response%(c: connection, headers: ModbusHeaders, registers: ModbusRegisters%); - -## Generated for a Modbus write single coil request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the coil to be written. -## -## value: The value to be written to the coil. -event modbus_write_single_coil_request%(c: connection, headers: ModbusHeaders, address: count, value: bool%); - -## Generated for a Modbus write single coil response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the coil that was written. -## -## value: The value that was written to the coil. -event modbus_write_single_coil_response%(c: connection, headers: ModbusHeaders, address: count, value: bool%); - -## Generated for a Modbus write single register request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the register to be written. -## -## value: The value to be written to the register. -event modbus_write_single_register_request%(c: connection, headers: ModbusHeaders, address: count, value: count%); - -## Generated for a Modbus write single register response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the register that was written. -## -## value: The value that was written to the register. 
-event modbus_write_single_register_response%(c: connection, headers: ModbusHeaders, address: count, value: count%); - -## Generated for a Modbus write multiple coils request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first coil to be written. -## -## value: The values to be written to the coils. -event modbus_write_multiple_coils_request%(c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils%); - -## Generated for a Modbus write multiple coils response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first coil that was written. -## -## quantity: The quantity of coils that were written. -event modbus_write_multiple_coils_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus write multiple registers request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first register to be written. -## -## registers: The values to be written to the registers. -event modbus_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters%); - -## Generated for a Modbus write multiple registers response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The memory address of the first register that was written. -## -## quantity: The quantity of registers that were written. -event modbus_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, start_address: count, quantity: count%); - -## Generated for a Modbus read file record request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## .. note: This event is incomplete. 
The information from the data structure is not -## yet passed through to the event. -event modbus_read_file_record_request%(c: connection, headers: ModbusHeaders%); - -## Generated for a Modbus read file record response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## .. note: This event is incomplete. The information from the data structure is not -## yet passed through to the event. -event modbus_read_file_record_response%(c: connection, headers: ModbusHeaders%); - -## Generated for a Modbus write file record request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## .. note: This event is incomplete. The information from the data structure is not -## yet passed through to the event. -event modbus_write_file_record_request%(c: connection, headers: ModbusHeaders%); - -## Generated for a Modbus write file record response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## .. note: This event is incomplete. The information from the data structure is not -## yet passed through to the event. -event modbus_write_file_record_response%(c: connection, headers: ModbusHeaders%); - -## Generated for a Modbus mask write register request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the register where the masks should be applied. -## -## and_mask: The value of the logical AND mask to apply to the register. -## -## or_mask: The value of the logical OR mask to apply to the register. -event modbus_mask_write_register_request%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%); - -## Generated for a Modbus mask write register request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## address: The memory address of the register where the masks were applied. 
-## -## and_mask: The value of the logical AND mask applied register. -## -## or_mask: The value of the logical OR mask applied to the register. -event modbus_mask_write_register_response%(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count%); - -## Generated for a Modbus read/write multiple registers request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## read_start_address: The memory address of the first register to be read. -## -## read_quantity: The number of registers to read. -## -## write_start_address: The memory address of the first register to be written. -## -## write_registers: The values to be written to the registers. -event modbus_read_write_multiple_registers_request%(c: connection, headers: ModbusHeaders, read_start_address: count, read_quantity: count, write_start_address: count, write_registers: ModbusRegisters%); - -## Generated for a Modbus read/write multiple registers response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## written_registers: The register values read from the registers specified in the request. -event modbus_read_write_multiple_registers_response%(c: connection, headers: ModbusHeaders, written_registers: ModbusRegisters%); - -## Generated for a Modbus read FIFO queue request. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## start_address: The address of the FIFO queue to read. -event modbus_read_fifo_queue_request%(c: connection, headers: ModbusHeaders, start_address: count%); - -## Generated for a Modbus read FIFO queue response. -## -## c: The connection. -## -## headers: The headers for the modbus function. -## -## fifos: The register values read from the FIFO queue on the device. -event modbus_read_fifo_queue_response%(c: connection, headers: ModbusHeaders, fifos: ModbusRegisters%); - ## Raised for informational messages reported via Bro's reporter framework. 
Such ## messages may be generated internally by the event engine and also by other ## scripts calling :bro:id:`Reporter::info`. 
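Review bot: the `modbus_*` and `netflow_v5_*` event declarations deleted in this hunk have no replacement anywhere in the visible patch, and the `@@ -6151,326 +803,6 @@` header shows the hunk dropping over 300 lines, so please confirm (in the commit message or a sibling hunk) that these events are now declared in the protocol plugins' `events.bif` files; otherwise any script handling `modbus_message` or `netflow_v5_header` will fail to load. `file_opened` is only relocated, since it is re-added further down in the same file. If the Modbus declarations are being moved rather than dropped, fix the doc for `modbus_read_write_multiple_registers_response` at the new location: its parameter `written_registers` is described as "The register values read from the registers specified in the request", which contradicts the name, and the second `modbus_mask_write_register_*` block is still titled "request" although it declares the response event.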
@@ -6536,82 +868,88 @@ event reporter_error%(t: time, msg: string, location: string%) &error_handler; ## recursively for each ``@load``. event bro_script_loaded%(path: string, level: count%); -## Deprecated. Will be removed. -event stp_create_endp%(c: connection, e: int, is_orig: bool%); +## Generated each time Bro's script interpreter opens a file. This event is +## triggered only for files opened via :bro:id:`open`, and in particular not for +## normal log files as created by log writers. +## +## f: The opened file. +event file_opened%(f: file%); -# ##### Internal events. Not further documented. +## Generated when an internal DNS lookup produces the same result as last time. +## Bro keeps an internal DNS cache for host names and IP addresses it has +## already resolved. This event is generated when a subsequent lookup returns +## the same result as stored in the cache. +## +## dm: A record describing the new resolver result (which matches the old one). +## +## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified +event dns_mapping_valid%(dm: dns_mapping%); -## Event internal to the stepping stone detector. -event stp_resume_endp%(e: int%); +## Generated when an internal DNS lookup got no answer even though it had +## succeeded in the past. Bro keeps an internal DNS cache for host names and IP +## addresses it has already resolved. This event is generated when a +## subsequent lookup does not produce an answer even though we have +## already stored a result in the cache. +## +## dm: A record describing the old resolver result. +## +## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_valid +event dns_mapping_unverified%(dm: dns_mapping%); -## Event internal to the stepping stone detector. -event stp_correlate_pair%(e1: int, e2: int%); +## Generated when an internal DNS lookup succeeded but an earlier attempt +## did not. 
Bro keeps an internal DNS cache for host names and IP +## addresses it has already resolved. This event is generated when a subsequent +## lookup produces an answer for a query that was marked as failed in the cache. +## +## dm: A record describing the new resolver result. +## +## .. bro:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_unverified +## dns_mapping_valid +event dns_mapping_new_name%(dm: dns_mapping%); -## Event internal to the stepping stone detector. -event stp_remove_pair%(e1: int, e2: int%); +## Generated when an internal DNS lookup returned zero answers even though it +## had succeeded in the past. Bro keeps an internal DNS cache for host names +## and IP addresses it has already resolved. This event is generated when +## on a subsequent lookup we receive an answer that is empty even +## though we have already stored a result in the cache. +## +## dm: A record describing the old resolver result. +## +## .. bro:see:: dns_mapping_altered dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid +event dns_mapping_lost_name%(dm: dns_mapping%); -## Event internal to the stepping stone detector. -event stp_remove_endp%(e: int%); - -# ##### Deprecated events. Proposed for removal. - -## Deprecated. Will be removed. -event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%); - -## Deprecated. Will be removed. -event interconn_remove_conn%(c: connection%); - -## Deprecated. Will be removed. -event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%); - -## Deprecated. Will be removed. -event backdoor_remove_conn%(c: connection%); - -## Deprecated. Will be removed. -event ssh_signature_found%(c: connection, is_orig: bool%); - -## Deprecated. Will be removed. -event telnet_signature_found%(c: connection, is_orig: bool, len: count%); - -## Deprecated. Will be removed. 
-event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%); +## Generated when an internal DNS lookup produced a different result than in +## the past. Bro keeps an internal DNS cache for host names and IP addresses +## it has already resolved. This event is generated when a subsequent lookup +## returns a different answer than we have stored in the cache. +## +## dm: A record describing the new resolver result. +## +## old_addrs: Addresses that used to be part of the returned set for the query +## described by *dm*, but are not anymore. +## +## new_addrs: Addresses that were not part of the returned set for the query +## described by *dm*, but now are. +## +## .. bro:see:: dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified +## dns_mapping_valid +event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%); ## Deprecated. Will be removed. event root_backdoor_signature_found%(c: connection%); -## Deprecated. Will be removed. -event ftp_signature_found%(c: connection%); - ## Deprecated. Will be removed. event napster_signature_found%(c: connection%); -## Deprecated. Will be removed. -event gnutella_signature_found%(c: connection%); - ## Deprecated. Will be removed. event kazaa_signature_found%(c: connection%); -## Deprecated. Will be removed. -event http_signature_found%(c: connection%); - -## Deprecated. Will be removed. -event http_proxy_signature_found%(c: connection%); - -## Deprecated. Will be removed. -event smtp_signature_found%(c: connection%); - -## Deprecated. Will be removed. -event irc_signature_found%(c: connection%); - ## Deprecated. Will be removed. event gaobot_signature_found%(c: connection%); -## Deprecated. Will be removed. -## -## .. todo:: Unclear what this event is for; it's never raised. We should just -## remove it. -event dns_full_request%(%); - ## Deprecated. Will be removed. event anonymization_mapping%(orig: addr, mapped: addr%); 
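Review bot: the documentation for `dns_mapping_unverified` ("got no answer even though it had succeeded in the past") and `dns_mapping_lost_name` ("returned zero answers even though it had succeeded in the past") is nearly indistinguishable; state explicitly what the resolver distinguishes here (for example, a lookup that failed or timed out versus a reply that was received with an empty answer set), because a script author choosing between the two has no way to tell from these texts. The cleanup of the deprecated events is also only partial: `ftp_`, `gnutella_`, `http_`, `http_proxy_`, `smtp_`, `irc_signature_found` and `dns_full_request` go, but `root_backdoor_`, `napster_`, `kazaa_`, `gaobot_signature_found` and `anonymization_mapping` keep their "Deprecated. Will be removed." marker; either remove them all in this change or add a line saying why these survive.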
diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 39bb190f8c..6912023cc4 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -33,13 +33,13 @@ std::list > __bif_##file##_init(); \ AddBifInitFunction(&__bif_##file##_init); -#define BRO_PLUGIN_ANALYZER(tag, factory) \ - AddComponent(new ::analyzer::Component(tag, factory)); +#define BRO_PLUGIN_ANALYZER(tag, cls) \ + AddComponent(new ::analyzer::Component(tag, ::analyzer::cls::InstantiateAnalyzer)); + +#define BRO_PLUGIN_ANALYZER_BARE(tag) \ + AddComponent(new ::analyzer::Component(tag, 0)); #define BRO_PLUGIN_SUPPORT_ANALYZER(tag) \ AddComponent(new ::analyzer::Component(tag, 0)); -#define BRO_PLUGIN_ANALYZER_EXT(tag, factory, enabled, partial) \ - AddComponent(new ::analyzer::Component(tag, factory, 0, enabled, partial)); - #endif From 3959e254e2697b13a185b0a50593a93396195d94 Mon Sep 17 00:00:00 2001 
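Review bot: `BRO_PLUGIN_ANALYZER_BARE` and `BRO_PLUGIN_SUPPORT_ANALYZER` expand to exactly the same code, `AddComponent(new ::analyzer::Component(tag, 0));`, so either give them distinct semantics now or define one in terms of the other so they cannot drift apart. Dropping `BRO_PLUGIN_ANALYZER_EXT` also drops its `enabled` and `partial` arguments with no replacement in this hunk; note in the commit message where analyzers that relied on those flags should set them now. Finally, the new `BRO_PLUGIN_ANALYZER` hard-codes the `::analyzer::` prefix in front of `cls`, so the second argument must be given relative to that namespace (as the later `BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer)` call sites do); a one-line comment above the macro would save the next plugin author a confusing compile error.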
From: Robin Sommer Date: Fri, 19 Apr 2013 15:25:18 -0700 Subject: [PATCH 27/70] Moving protocol-specific BiFs out of bro.bif. I hope I found them all ... --- src/Func.cc | 1 - src/analyzer/protocols/ftp/CMakeLists.txt | 1 + src/analyzer/protocols/ftp/Plugin.cc | 1 + src/analyzer/protocols/ftp/functions.bif | 220 ++++++ src/analyzer/protocols/http/Plugin.cc | 1 + src/analyzer/protocols/login/CMakeLists.txt | 1 + src/analyzer/protocols/login/Plugin.cc | 1 + src/analyzer/protocols/login/functions.bif | 62 ++ .../protocols/netbios-ssn/CMakeLists.txt | 1 + src/analyzer/protocols/netbios-ssn/Plugin.cc | 1 + .../protocols/netbios-ssn/functions.bif | 50 ++ src/analyzer/protocols/smtp/CMakeLists.txt | 1 + src/analyzer/protocols/smtp/Plugin.cc | 1 + src/analyzer/protocols/smtp/functions.bif | 17 + .../protocols/socks/socks-analyzer.pac | 8 +- src/analyzer/protocols/ssl/CMakeLists.txt | 1 + src/analyzer/protocols/ssl/Plugin.cc | 1 + src/analyzer/protocols/ssl/functions.bif | 132 ++++ src/analyzer/protocols/tcp/CMakeLists.txt | 1 + src/analyzer/protocols/tcp/Plugin.cc | 1 + src/analyzer/protocols/tcp/functions.bif | 159 +++++ src/bro.bif | 634 ------------------ 22 files changed, 657 insertions(+), 639 deletions(-) create mode 100644 src/analyzer/protocols/ftp/functions.bif create mode 100644 src/analyzer/protocols/login/functions.bif create mode 100644 src/analyzer/protocols/netbios-ssn/functions.bif create mode 100644 src/analyzer/protocols/smtp/functions.bif create mode 100644 src/analyzer/protocols/ssl/functions.bif create mode 100644 src/analyzer/protocols/tcp/functions.bif diff --git a/src/Func.cc b/src/Func.cc index 82cd1998ce..668499d2ed 100644 --- a/src/Func.cc +++ b/src/Func.cc 
@@ -562,7 +562,6 @@ void builtin_error(const char* msg, BroObj* arg) void init_builtin_funcs() { - ftp_port = internal_type("ftp_port")->AsRecordType(); bro_resources = internal_type("bro_resources")->AsRecordType(); net_stats = internal_type("NetStats")->AsRecordType(); matcher_stats = internal_type("matcher_stats")->AsRecordType(); diff --git a/src/analyzer/protocols/ftp/CMakeLists.txt b/src/analyzer/protocols/ftp/CMakeLists.txt index b8b2e1bb3e..9a92d95116 100644 --- a/src/analyzer/protocols/ftp/CMakeLists.txt +++ b/src/analyzer/protocols/ftp/CMakeLists.txt @@ -6,4 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(FTP) bro_plugin_cc(FTP.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) bro_plugin_end() diff --git a/src/analyzer/protocols/ftp/Plugin.cc b/src/analyzer/protocols/ftp/Plugin.cc index 9a58990a63..d6bc3313e6 100644 --- a/src/analyzer/protocols/ftp/Plugin.cc +++ b/src/analyzer/protocols/ftp/Plugin.cc @@ -8,4 +8,5 @@ BRO_PLUGIN_BEGIN(FTP) BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT"); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ftp/functions.bif b/src/analyzer/protocols/ftp/functions.bif new file mode 100644 index 0000000000..a667d8ca88 --- /dev/null +++ b/src/analyzer/protocols/ftp/functions.bif 
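Review bot: removing the `ftp_port = internal_type("ftp_port")->AsRecordType();` initialization turns any surviving reference to the `ftp_port` global into a null-pointer dereference at runtime; make sure the global's declaration and every remaining use are removed in the same change, and that the moved code only refers to `BifType::Record::ftp_port`, which the `type ftp_port: record;` line at the top of the new `ftp/functions.bif` generates.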
@@ -0,0 +1,220 @@ + +type ftp_port: record; + +%%{ + +static Val* parse_port(const char* line) + { + RecordVal* r = new RecordVal(BifType::Record::ftp_port); + + int bytes[6]; + if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d", + &bytes[0], &bytes[1], &bytes[2], + &bytes[3], &bytes[4], &bytes[5]) == 6 ) + { + int good = 1; + + for ( int i = 0; i < 6; ++i ) + if ( bytes[i] < 0 || bytes[i] > 255 ) + { + good = 0; + break; + } + + uint32 addr = (bytes[0] << 24) | (bytes[1] << 16) | + (bytes[2] << 8) | bytes[3]; + uint32 port = (bytes[4] << 8) | bytes[5]; + + // Since port is unsigned, no need to check for < 0. + if ( port > 65535 ) + { + port = 0; + good = 0; + } + + r->Assign(0, new AddrVal(htonl(addr))); + r->Assign(1, new PortVal(port, TRANSPORT_TCP)); + r->Assign(2, new Val(good, TYPE_BOOL)); + } + else + { + r->Assign(0, new AddrVal(uint32(0))); + r->Assign(1, new PortVal(0, TRANSPORT_TCP)); + r->Assign(2, new Val(0, TYPE_BOOL)); + } + + return r; + } + +static Val* parse_eftp(const char* line) + { + RecordVal* r = new RecordVal(BifType::Record::ftp_port); + + int net_proto = 0; // currently not used + IPAddr addr; // unspecified IPv6 address (all 128 bits zero) + int port = 0; + int good = 0; + + if ( line ) + { + while ( isspace(*line) ) // skip whitespace + ++line; + + char delimiter = *line; + char* next_delim; + + if ( *line ) + { + good = 1; + ++line; // skip delimiter + + net_proto = strtol(line, &next_delim, 10); + if ( *next_delim != delimiter ) + good = 0; + + line = next_delim; + if ( *line ) + ++line; + + if ( *line && *line != delimiter ) + { + const char* nptr = strchr(line, delimiter); + if ( nptr == NULL ) + { + nptr = line + strlen(line); + good = 0; + } + + string s(line, nptr-line); // extract IP address + IPAddr tmp(s); + // on error, "tmp" will have all 128 bits zero + if ( tmp == addr ) + good = 0; + + addr = tmp; + } + + line = strchr(line, delimiter); + + if ( line != NULL ) + { + ++line; // now the port + port = strtol(line, &next_delim, 
10); + if ( *next_delim != delimiter ) + good = 0; + } + + } + + } + + r->Assign(0, new AddrVal(addr)); + r->Assign(1, new PortVal(port, TRANSPORT_TCP)); + r->Assign(2, new Val(good, TYPE_BOOL)); + + return r; + } +%%} + +## Converts a string representation of the FTP PORT command to an ``ftp_port``. +## +## s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``. +## +## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` +## +## .. bro:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port +function parse_ftp_port%(s: string%): ftp_port + %{ + return parse_port(s->CheckString()); + %} + +## Converts a string representation of the FTP EPRT command to an ``ftp_port``. +## See `RFC 2428 `_. +## The format is ``EPRT``, +## where ```` is a delimiter in the ASCII range 33-126 (usually ``|``). +## +## s: The string of the FTP EPRT command, e.g., ``"|1|10.0.0.1|1055|"``. +## +## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` +## +## .. bro:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port +function parse_eftp_port%(s: string%): ftp_port + %{ + return parse_eftp(s->CheckString()); + %} + +## Converts the result of the FTP PASV command to an ``ftp_port``. +## +## str: The string containing the result of the FTP PASV command. +## +## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` +## +## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port +function parse_ftp_pasv%(str: string%): ftp_port + %{ + const char* s = str->CheckString(); + const char* line = strchr(s, '('); + if ( line ) + ++line; // move past '(' + else if ( (line = strstr(s, "PORT")) ) + line += 5; // Skip over + else if ( (line = strchr(s, ',')) ) + { // Look for comma-separated list. + while ( --line >= s && isdigit(*line) ) + ; // Back up over preceding digits. 
+ ++line; // now points to first digit, or beginning of s + } + + return parse_port(line); + %} + +## Converts the result of the FTP EPSV command to an ``ftp_port``. +## See `RFC 2428 `_. +## The format is `` ()``, where ```` is a +## delimiter in the ASCII range 33-126 (usually ``|``). +## +## str: The string containing the result of the FTP EPSV command. +## +## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` +## +## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port +function parse_ftp_epsv%(str: string%): ftp_port + %{ + const char* s = str->CheckString(); + const char* line = strchr(s, '('); + if ( line ) + ++line; // move past '(' + return parse_eftp(line); + %} + +## Formats an IP address and TCP port as an FTP PORT command. For example, +## ``10.0.0.1`` and ``1055/tcp`` yields ``"10,0,0,1,4,31"``. +## +## a: The IP address. +## +## p: The TCP port. +## +## Returns: The FTP PORT string. +## +## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv +function fmt_ftp_port%(a: addr, p: port%): string + %{ + const uint32* addr; + int len = a->AsAddr().GetBytes(&addr); + if ( len == 1 ) + { + uint32 a = ntohl(addr[0]); + uint32 pn = p->Port(); + return new StringVal(fmt("%d,%d,%d,%d,%d,%d", + a >> 24, (a >> 16) & 0xff, + (a >> 8) & 0xff, a & 0xff, + pn >> 8, pn & 0xff)); + } + else + { + builtin_error("conversion of non-IPv4 address in fmt_ftp_port", + @ARG@[0]); + return new StringVal(""); + } + %} + diff --git a/src/analyzer/protocols/http/Plugin.cc b/src/analyzer/protocols/http/Plugin.cc index a0e6e28f43..86f1cb0333 100644 --- a/src/analyzer/protocols/http/Plugin.cc +++ b/src/analyzer/protocols/http/Plugin.cc @@ -7,4 +7,5 @@ BRO_PLUGIN_BEGIN(HTTP) BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); BRO_PLUGIN_ANALYZER("HTTP", http::HTTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END 
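Review bot: `parse_eftp` never range-checks the port it reads with `strtol`, unlike `parse_port`, which rejects values above 65535, so an EPRT/EPSV string such as `|1|10.0.0.1|70000|` (or one with a negative port) reaches `new PortVal(port, TRANSPORT_TCP)` with `valid=T`; add the same `port < 0 || port > 65535` check and clear `good`. In `parse_ftp_pasv` the comment `line += 5; // Skip over` is cut off and the `+= 5` silently assumes exactly one separator after `PORT`, and the `while ( --line >= s && isdigit(*line) )` loop steps the pointer to one before `s` before comparing, which is formally undefined even though it works in practice; compare before decrementing. In `parse_port`, after a byte fails the `0..255` check the code still builds and assigns the address and port from the bad bytes; that is harmless because `valid` is false, but a short comment saying so would stop the next reader from "fixing" it.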
diff --git a/src/analyzer/protocols/login/CMakeLists.txt b/src/analyzer/protocols/login/CMakeLists.txt index 219c249d5e..60a5b57ec5 100644 --- a/src/analyzer/protocols/login/CMakeLists.txt +++ b/src/analyzer/protocols/login/CMakeLists.txt @@ -6,4 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Login) bro_plugin_cc(Login.cc RSH.cc Telnet.cc Rlogin.cc NVT.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) bro_plugin_end() diff --git a/src/analyzer/protocols/login/Plugin.cc b/src/analyzer/protocols/login/Plugin.cc index 3f98f99d2c..43784ba262 100644 --- a/src/analyzer/protocols/login/Plugin.cc +++ b/src/analyzer/protocols/login/Plugin.cc @@ -16,4 +16,5 @@ BRO_PLUGIN_BEGIN(Login) BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rlogin"); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/login/functions.bif b/src/analyzer/protocols/login/functions.bif new file mode 100644 index 0000000000..c3d7cbf82b --- /dev/null +++ b/src/analyzer/protocols/login/functions.bif 
@@ -0,0 +1,62 @@ + +%%{ +#include "Login.h" +%%} + +## Returns the state of the given login (Telnet or Rlogin) connection. +## +## cid: The connection ID. +## +## Returns: False if the connection is not active or is not tagged as a +## login analyzer. Otherwise the function returns the state, which can +## be one of: +## +## - ``LOGIN_STATE_AUTHENTICATE``: The connection is in its +## initial authentication dialog. +## - ``LOGIN_STATE_LOGGED_IN``: The analyzer believes the user has +## successfully authenticated. +## - ``LOGIN_STATE_SKIP``: The analyzer has skipped any further +## processing of the connection. +## - ``LOGIN_STATE_CONFUSED``: The analyzer has concluded that it +## does not correctly know the state of the connection, and/or +## the username associated with it. +## +## .. bro:see:: set_login_state +function get_login_state%(cid: conn_id%): count + %{ + Connection* c = sessions->FindConnection(cid); + if ( ! c ) + return new Val(0, TYPE_BOOL); + + analyzer::Analyzer* la = c->FindAnalyzer("Login"); + if ( ! la ) + return new Val(0, TYPE_BOOL); + + return new Val(int(static_cast(la)->LoginState()), + TYPE_COUNT); + %} + +## Sets the login state of a connection with a login analyzer. +## +## cid: The connection ID. +## +## new_state: The new state of the login analyzer. See +## :bro:id:`get_login_state` for possible values. +## +## Returns: Returns false if *cid* is not an active connection +## or is not tagged as a login analyzer, and true otherwise. +## +## .. bro:see:: get_login_state +function set_login_state%(cid: conn_id, new_state: count%): bool + %{ + Connection* c = sessions->FindConnection(cid); + if ( ! c ) + return new Val(0, TYPE_BOOL); + + analyzer::Analyzer* la = c->FindAnalyzer("Login"); + if ( ! la ) + return new Val(0, TYPE_BOOL); + + static_cast(la)->SetLoginState(analyzer::login::login_state(new_state)); + return new Val(1, TYPE_BOOL); + %} 
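Review bot: `get_login_state` is declared `: count` but both failure paths return `new Val(0, TYPE_BOOL)`, so the value handed back to script-land does not match the declared type; return a `TYPE_COUNT` sentinel (and document it) or change the signature, and reword "Returns: False if the connection is not active" accordingly, since it currently documents the mismatch as the contract. `set_login_state` casts any `count` straight to `analyzer::login::login_state(new_state)` without checking it against the four values listed in the `get_login_state` doc; reject out-of-range input with a `builtin_error` instead of storing an undefined enumerator in the analyzer.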
diff --git a/src/analyzer/protocols/netbios-ssn/CMakeLists.txt b/src/analyzer/protocols/netbios-ssn/CMakeLists.txt index 8292c11546..4318fa2b34 100644 --- a/src/analyzer/protocols/netbios-ssn/CMakeLists.txt +++ b/src/analyzer/protocols/netbios-ssn/CMakeLists.txt @@ -6,4 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(NetbiosSSN) bro_plugin_cc(NetbiosSSN.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) bro_plugin_end() diff --git a/src/analyzer/protocols/netbios-ssn/Plugin.cc b/src/analyzer/protocols/netbios-ssn/Plugin.cc index 8ed7824634..66b4e82d51 100644 --- a/src/analyzer/protocols/netbios-ssn/Plugin.cc +++ b/src/analyzer/protocols/netbios-ssn/Plugin.cc @@ -8,4 +8,5 @@ BRO_PLUGIN_BEGIN(NetbiosSSN) BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN"); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/netbios-ssn/functions.bif b/src/analyzer/protocols/netbios-ssn/functions.bif new file mode 100644 index 0000000000..d4316d0c66 --- /dev/null +++ b/src/analyzer/protocols/netbios-ssn/functions.bif 
@@ -0,0 +1,50 @@ + +## Decode a NetBIOS name. See http://support.microsoft.com/kb/194203. +## +## name: The encoded NetBIOS name, e.g., ``"FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"``. +## +## Returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAME"``. +## +## .. bro:see:: decode_netbios_name_type +function decode_netbios_name%(name: string%): string + %{ + char buf[16]; + char result[16]; + const u_char* s = name->Bytes(); + int i, j; + + for ( i = 0, j = 0; i < 16; ++i ) + { + char c0 = (j < name->Len()) ? toupper(s[j++]) : 'A'; + char c1 = (j < name->Len()) ? toupper(s[j++]) : 'A'; + buf[i] = ((c0 - 'A') << 4) + (c1 - 'A'); + } + + for ( i = 0; i < 15; ++i ) + { + if ( isalnum(buf[i]) || ispunct(buf[i]) || + // \x01\x02 is seen in at least one case as the first two bytes. + // I think that any \x01 and \x02 should always be passed through. + buf[i] < 3 ) + result[i] = buf[i]; + else + break; + } + + return new StringVal(i, result); + %} + +## Converts a NetBIOS name type to its corresponding numeric value. +## See http://support.microsoft.com/kb/163409. +## +## name: The NetBIOS name type. +## +## Returns: The numeric value of *name*. +## +## .. bro:see:: decode_netbios_name +function decode_netbios_name_type%(name: string%): count + %{ + const u_char* s = name->Bytes(); + char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A'); + return new Val(return_val, TYPE_COUNT); + %} diff --git a/src/analyzer/protocols/smtp/CMakeLists.txt b/src/analyzer/protocols/smtp/CMakeLists.txt index 53f9dd1246..1f4779c0f8 100644 --- a/src/analyzer/protocols/smtp/CMakeLists.txt +++ b/src/analyzer/protocols/smtp/CMakeLists.txt @@ -6,4 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(SMTP) bro_plugin_cc(SMTP.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) bro_plugin_end() 
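Review bot: `decode_netbios_name_type` reads `s[30]` and `s[31]` without checking `name->Len() >= 32`, which is an out-of-bounds read on any shorter string passed from script-land; bail out (return 0 or raise a `builtin_error`) when the input is too short. It also accumulates the result in a plain `char`, so name types of `0x80` and above come out negative on platforms where `char` is signed and then get wrapped into a `count`; use an `unsigned` accumulator. In `decode_netbios_name`, `buf[i]` is likewise a `char` computed from `(c0 - 'A') << 4`, so input outside `A`..`P` yields values that are negative or above 255, and passing those to `isalnum`/`ispunct` is undefined; cast through `unsigned char`, or validate the input alphabet first, and document that the encoded name is expected to be 32 characters of `A`..`P` (the doc example shows exactly that form but never states it).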
diff --git a/src/analyzer/protocols/smtp/Plugin.cc b/src/analyzer/protocols/smtp/Plugin.cc index 8a5095381d..6550733b92 100644 --- a/src/analyzer/protocols/smtp/Plugin.cc +++ b/src/analyzer/protocols/smtp/Plugin.cc @@ -7,4 +7,5 @@ BRO_PLUGIN_BEGIN(SMTP) BRO_PLUGIN_DESCRIPTION("SMTP Analyzer"); BRO_PLUGIN_ANALYZER("SMTP", smtp::SMTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/smtp/functions.bif b/src/analyzer/protocols/smtp/functions.bif new file mode 100644 index 0000000000..2bb0c52319 --- /dev/null +++ b/src/analyzer/protocols/smtp/functions.bif @@ -0,0 +1,17 @@ + +%%{ +#include "analyzer/protocols/smtp/SMTP.h" +%%} + +## Skips SMTP data until the next email in a connection. +## +## c: The SMTP connection. +## +## .. bro:see:: skip_http_entity_data +function skip_smtp_data%(c: connection%): any + %{ + analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); + if ( sa ) + static_cast(sa)->SkipData(); + return 0; + %} diff --git a/src/analyzer/protocols/socks/socks-analyzer.pac b/src/analyzer/protocols/socks/socks-analyzer.pac index 7ce364670b..80051f0b27 100644 --- a/src/analyzer/protocols/socks/socks-analyzer.pac +++ b/src/analyzer/protocols/socks/socks-analyzer.pac @@ -35,7 +35,7 @@ refine connection SOCKS_Conn += { new PortVal(${request.port} | TCP_PORT_MASK), array_to_string(${request.user})); - static_cast(bro_analyzer())->EndpointDone(true); + static_cast(bro_analyzer())->EndpointDone(true); return true; %} @@ -53,7 +53,7 @@ refine connection SOCKS_Conn += { new PortVal(${reply.port} | TCP_PORT_MASK)); bro_analyzer()->ProtocolConfirmation(); - static_cast(bro_analyzer())->EndpointDone(false); + static_cast(bro_analyzer())->EndpointDone(false); return true; %} 
@@ -97,7 +97,7 @@ refine connection SOCKS_Conn += { new PortVal(${request.port} | TCP_PORT_MASK), new StringVal("")); - static_cast(bro_analyzer())->EndpointDone(true); + static_cast(bro_analyzer())->EndpointDone(true); return true; %} @@ -136,7 +136,7 @@ refine connection SOCKS_Conn += { new PortVal(${reply.port} | TCP_PORT_MASK)); bro_analyzer()->ProtocolConfirmation(); - static_cast(bro_analyzer())->EndpointDone(false); + static_cast(bro_analyzer())->EndpointDone(false); return true; %} diff --git a/src/analyzer/protocols/ssl/CMakeLists.txt b/src/analyzer/protocols/ssl/CMakeLists.txt index 9ee8fd9b1e..57f9b47e4d 100644 --- a/src/analyzer/protocols/ssl/CMakeLists.txt +++ b/src/analyzer/protocols/ssl/CMakeLists.txt @@ -6,5 +6,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(SSL) bro_plugin_cc(SSL.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) bro_plugin_pac(ssl.pac ssl-analyzer.pac ssl-protocol.pac ssl-defs.pac) bro_plugin_end() diff --git a/src/analyzer/protocols/ssl/Plugin.cc b/src/analyzer/protocols/ssl/Plugin.cc index 6fe3308818..b406e4aa8b 100644 --- a/src/analyzer/protocols/ssl/Plugin.cc +++ b/src/analyzer/protocols/ssl/Plugin.cc @@ -7,4 +7,5 @@ BRO_PLUGIN_BEGIN(SSL) BRO_PLUGIN_DESCRIPTION("SSL Analyzer"); BRO_PLUGIN_ANALYZER("SSL", ssl::SSL_Analyzer); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ssl/functions.bif b/src/analyzer/protocols/ssl/functions.bif new file mode 100644 index 0000000000..f2d4861007 --- /dev/null +++ b/src/analyzer/protocols/ssl/functions.bif 
@@ -0,0 +1,132 @@ + +%%{ +#include +#include +#include + +// This is the indexed map of X509 certificate stores. +static map x509_stores; + +// ### NOTE: while d2i_X509 does not take a const u_char** pointer, +// here we assume d2i_X509 does not write to , so it is safe to +// convert data to a non-const pointer. Could some X509 guru verify +// this? + +X509* d2i_X509_(X509** px, const u_char** in, int len) + { +#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR + return d2i_X509(px, in, len); +#else + return d2i_X509(px, (u_char**)in, len); +#endif + } + +%%} + + +## Verifies a certificate. +## +## der_cert: The X.509 certificate in DER format. +## +## cert_stack: Specifies a certificate chain to validate against, with index 0 +## typically being the root CA. Bro uses the Mozilla root CA list +## by default. +## +## root_certs: A list of additional root certificates that extends +## *cert_stack*. +## +## Returns: A status code of the verification which can be converted into an +## ASCII string via :bro:id:`x509_err2str`. +## +## .. bro:see:: x509_err2str +function x509_verify%(der_cert: string, cert_stack: string_vec, root_certs: table_string_of_string%): count + %{ + X509_STORE* ctx = 0; + int i = 0; + + // If this certificate store was built previously, just reuse the old one. + if ( x509_stores.count(root_certs) > 0 ) + ctx = x509_stores[root_certs]; + + if ( ! ctx ) // lookup to see if we have this one built already! + { + ctx = X509_STORE_new(); + TableVal* root_certs2 = root_certs->AsTableVal(); + ListVal* idxs = root_certs2->ConvertToPureList(); + + // Build the validation store + for ( i = 0; i < idxs->Length(); ++i ) + { + Val* key = idxs->Index(i); + StringVal *sv = root_certs2->Lookup(key)->AsStringVal(); + const uint8* data = sv->Bytes(); + X509* x = d2i_X509_(NULL, &data, sv->Len()); + if ( ! 
x ) + { + builtin_error(fmt("Root CA error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); + return new Val((uint64) ERR_get_error(), TYPE_COUNT); + } + X509_STORE_add_cert(ctx, x); + } + delete idxs; + + // Save the newly constructed certificate store into the cacheing map. + x509_stores[root_certs] = ctx; + } + + const uint8 *cert_data = der_cert->Bytes(); + X509* cert = d2i_X509_(NULL, &cert_data, der_cert->Len()); + if ( ! cert ) + { + builtin_error(fmt("Certificate error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); + return new Val((uint64) ERR_get_error(), TYPE_COUNT); + } + + STACK_OF(X509)* untrusted_certs = sk_X509_new_null(); + if ( ! untrusted_certs ) + { + builtin_error(fmt("Untrusted certificate stack initialization error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); + return new Val((uint64) ERR_get_error(), TYPE_COUNT); + } + + VectorVal *cert_stack_vec = cert_stack->AsVectorVal(); + for ( i = 0; i < (int) cert_stack_vec->Size(); ++i ) + { + StringVal *sv = cert_stack_vec->Lookup(i)->AsStringVal(); + const uint8 *data = sv->Bytes(); + X509* x = d2i_X509_(NULL, &data, sv->Len()); + if ( ! x ) + { + X509_free(cert); + sk_X509_pop_free(untrusted_certs, X509_free); + builtin_error(fmt("Untrusted certificate stack creation error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); + return new Val((uint64) ERR_get_error(), TYPE_COUNT); + } + sk_X509_push(untrusted_certs, x); + } + + X509_STORE_CTX csc; + X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs); + X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time); + + int result = X509_verify_cert(&csc); + X509_STORE_CTX_cleanup(&csc); + + if ( untrusted_certs ) + sk_X509_pop_free(untrusted_certs, X509_free); + X509_free(cert); + + return new Val((uint64) csc.error, TYPE_COUNT); + %} + +## Converts a certificate verification error code into an ASCII string. +## +## err_num: The error code. +## +## Returns: A string representation of *err_num*. +## +## .. 
bro:see:: x509_verify +function x509_err2str%(err_num: count%): string + %{ + return new StringVal(X509_verify_cert_error_string(err_num)); + %} diff --git a/src/analyzer/protocols/tcp/CMakeLists.txt b/src/analyzer/protocols/tcp/CMakeLists.txt index b8cf0e2bf4..f61f27495b 100644 --- a/src/analyzer/protocols/tcp/CMakeLists.txt +++ b/src/analyzer/protocols/tcp/CMakeLists.txt @@ -6,4 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(TCP) bro_plugin_cc(TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc ContentLine.cc Stats.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(functions.bif) bro_plugin_end() diff --git a/src/analyzer/protocols/tcp/Plugin.cc b/src/analyzer/protocols/tcp/Plugin.cc index defb0b330d..376c54d332 100644 --- a/src/analyzer/protocols/tcp/Plugin.cc +++ b/src/analyzer/protocols/tcp/Plugin.cc @@ -10,4 +10,5 @@ BRO_PLUGIN_BEGIN(TCP) BRO_PLUGIN_SUPPORT_ANALYZER("ContentLine"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents"); BRO_PLUGIN_BIF_FILE(events); + BRO_PLUGIN_BIF_FILE(functions); BRO_PLUGIN_END diff --git a/src/analyzer/protocols/tcp/functions.bif b/src/analyzer/protocols/tcp/functions.bif new file mode 100644 index 0000000000..b0178a1279 --- /dev/null +++ b/src/analyzer/protocols/tcp/functions.bif 
@@ -0,0 +1,159 @@ + +%%{ +#include "analyzer/protocols/tcp/TCP.h" +%%} + +## Get the originator sequence number of a TCP connection. Sequence numbers +## are absolute (i.e., they reflect the values seen directly in packet headers; +## they are not relative to the beginning of the connection). +## +## cid: The connection ID. +## +## Returns: The highest sequence number sent by a connection's originator, or 0 +## if *cid* does not point to an active TCP connection. +## +## .. bro:see:: get_resp_seq +function get_orig_seq%(cid: conn_id%): count + %{ + Connection* c = sessions->FindConnection(cid); + if ( ! c ) + return new Val(0, TYPE_COUNT); + + if ( c->ConnTransport() != TRANSPORT_TCP ) + return new Val(0, TYPE_COUNT); + + analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); + if ( tc ) + return new Val(static_cast(tc)->OrigSeq(), + TYPE_COUNT); + else + { + reporter->Error("connection does not have TCP analyzer"); + return new Val(0, TYPE_COUNT); + } + %} + +## Get the responder sequence number of a TCP connection. Sequence numbers +## are absolute (i.e., they reflect the values seen directly in packet headers; +## they are not relative to the beginning of the connection). +## +## cid: The connection ID. +## +## Returns: The highest sequence number sent by a connection's responder, or 0 +## if *cid* does not point to an active TCP connection. +## +## .. bro:see:: get_orig_seq +function get_resp_seq%(cid: conn_id%): count + %{ + Connection* c = sessions->FindConnection(cid); + if ( ! c ) + return new Val(0, TYPE_COUNT); + + if ( c->ConnTransport() != TRANSPORT_TCP ) + return new Val(0, TYPE_COUNT); + + analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); + if ( tc ) + return new Val(static_cast(tc)->RespSeq(), + TYPE_COUNT); + else + { + reporter->Error("connection does not have TCP analyzer"); + return new Val(0, TYPE_COUNT); + } + %} + +## Returns statistics about TCP gaps. +## +## Returns: A record with TCP gap statistics. +## +## .. 
bro:see:: do_profiling +## net_stats +## resource_usage +## dump_rule_stats +## get_matcher_stats +function get_gap_summary%(%): gap_info + %{ + RecordVal* r = new RecordVal(gap_info); + r->Assign(0, new Val(tot_ack_events, TYPE_COUNT)); + r->Assign(1, new Val(tot_ack_bytes, TYPE_COUNT)); + r->Assign(2, new Val(tot_gap_events, TYPE_COUNT)); + r->Assign(3, new Val(tot_gap_bytes, TYPE_COUNT)); + + return r; + %} + +## Associates a file handle with a connection for writing TCP byte stream +## contents. +## +## cid: The connection ID. +## +## direction: Controls what sides of the connection to record. The argument can +## take one of the four values: +## +## - ``CONTENTS_NONE``: Stop recording the connection's content. +## - ``CONTENTS_ORIG``: Record the data sent by the connection +## originator (often the client). +## - ``CONTENTS_RESP``: Record the data sent by the connection +## responder (often the server). +## - ``CONTENTS_BOTH``: Record the data sent in both directions. +## Results in the two directions being +## intermixed in the file, in the order the +## data was seen by Bro. +## +## f: The file handle of the file to write the contents to. +## +## Returns: Returns false if *cid* does not point to an active connection, and +## true otherwise. +## +## .. note:: +## +## The data recorded to the file reflects the byte stream, not the +## contents of individual packets. Reordering and duplicates are +## removed. If any data is missing, the recording stops at the +## missing data; this can happen, e.g., due to an +## :bro:id:`ack_above_hole` event. +## +## .. bro:see:: get_contents_file set_record_packets +function set_contents_file%(cid: conn_id, direction: count, f: file%): bool + %{ + Connection* c = sessions->FindConnection(cid); + if ( ! c ) + return new Val(0, TYPE_BOOL); + + c->GetRootAnalyzer()->SetContentsFile(direction, f); + return new Val(1, TYPE_BOOL); + %} + +## Returns the file handle of the contents file of a connection. 
+## +## cid: The connection ID. +## +## direction: Controls what sides of the connection to record. See +## :bro:id:`set_contents_file` for possible values. +## +## Returns: The :bro:type:`file` handle for the contents file of the +## connection identified by *cid*. If the connection exists +## but there is no contents file for *direction*, then the function +## generates an error and returns a file handle to ``stderr``. +## +## .. bro:see:: set_contents_file set_record_packets +function get_contents_file%(cid: conn_id, direction: count%): file + %{ + Connection* c = sessions->FindConnection(cid); + BroFile* f = c ? c->GetRootAnalyzer()->GetContentsFile(direction) : 0; + + if ( f ) + { + Ref(f); + return new Val(f); + } + + // Return some sort of error value. + if ( ! c ) + builtin_error("unknown connection id in get_contents_file()", cid); + else + builtin_error("no contents file for given direction"); + + return new Val(new BroFile(stderr, "-", "w")); + %} diff --git a/src/bro.bif b/src/bro.bif index aa8229f92d..5c39e335a6 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -20,7 +20,6 @@ using namespace std; -RecordType* ftp_port; RecordType* net_stats; RecordType* bro_resources; RecordType* matcher_stats; @@ -1786,26 +1785,6 @@ function get_matcher_stats%(%): matcher_stats return r; %} -## Returns statistics about TCP gaps. -## -## Returns: A record with TCP gap statistics. -## -## .. bro:see:: do_profiling -## net_stats -## resource_usage -## dump_rule_stats -## get_matcher_stats -function get_gap_summary%(%): gap_info - %{ - RecordVal* r = new RecordVal(gap_info); - r->Assign(0, new Val(tot_ack_events, TYPE_COUNT)); - r->Assign(1, new Val(tot_ack_bytes, TYPE_COUNT)); - r->Assign(2, new Val(tot_gap_events, TYPE_COUNT)); - r->Assign(3, new Val(tot_gap_bytes, TYPE_COUNT)); - - return r; - %} - ## Generates a table of the size of all global variables. The table index is ## the variable name and the value is the variable size in bytes. ## 
@@ -2541,273 +2520,6 @@ function addr_to_ptr_name%(a: addr%): string return new StringVal(a->AsAddr().PtrName().c_str()); %} - -%%{ -static Val* parse_port(const char* line) - { - RecordVal* r = new RecordVal(ftp_port); - - int bytes[6]; - if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d", - &bytes[0], &bytes[1], &bytes[2], - &bytes[3], &bytes[4], &bytes[5]) == 6 ) - { - int good = 1; - - for ( int i = 0; i < 6; ++i ) - if ( bytes[i] < 0 || bytes[i] > 255 ) - { - good = 0; - break; - } - - uint32 addr = (bytes[0] << 24) | (bytes[1] << 16) | - (bytes[2] << 8) | bytes[3]; - uint32 port = (bytes[4] << 8) | bytes[5]; - - // Since port is unsigned, no need to check for < 0. - if ( port > 65535 ) - { - port = 0; - good = 0; - } - - r->Assign(0, new AddrVal(htonl(addr))); - r->Assign(1, new PortVal(port, TRANSPORT_TCP)); - r->Assign(2, new Val(good, TYPE_BOOL)); - } - else - { - r->Assign(0, new AddrVal(uint32(0))); - r->Assign(1, new PortVal(0, TRANSPORT_TCP)); - r->Assign(2, new Val(0, TYPE_BOOL)); - } - - return r; - } - -static Val* parse_eftp(const char* line) - { - RecordVal* r = new RecordVal(ftp_port); - - int net_proto = 0; // currently not used - IPAddr addr; // unspecified IPv6 address (all 128 bits zero) - int port = 0; - int good = 0; - - if ( line ) - { - while ( isspace(*line) ) // skip whitespace - ++line; - - char delimiter = *line; - char* next_delim; - - if ( *line ) - { - good = 1; - ++line; // skip delimiter - - net_proto = strtol(line, &next_delim, 10); - if ( *next_delim != delimiter ) - good = 0; - - line = next_delim; - if ( *line ) - ++line; - - if ( *line && *line != delimiter ) - { - const char* nptr = strchr(line, delimiter); - if ( nptr == NULL ) - { - nptr = line + strlen(line); - good = 0; - } - - string s(line, nptr-line); // extract IP address - IPAddr tmp(s); - // on error, "tmp" will have all 128 bits zero - if ( tmp == addr ) - good = 0; - - addr = tmp; - } - - line = strchr(line, delimiter); - - if ( line != NULL ) - { - ++line; // now 
the port - port = strtol(line, &next_delim, 10); - if ( *next_delim != delimiter ) - good = 0; - } - - } - - } - - r->Assign(0, new AddrVal(addr)); - r->Assign(1, new PortVal(port, TRANSPORT_TCP)); - r->Assign(2, new Val(good, TYPE_BOOL)); - - return r; - } -%%} - -## Converts a string representation of the FTP PORT command to an ``ftp_port``. -## -## s: The string of the FTP PORT command, e.g., ``"10,0,0,1,4,31"``. -## -## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` -## -## .. bro:see:: parse_eftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port -function parse_ftp_port%(s: string%): ftp_port - %{ - return parse_port(s->CheckString()); - %} - -## Converts a string representation of the FTP EPRT command to an ``ftp_port``. -## See `RFC 2428 `_. -## The format is ``EPRT``, -## where ```` is a delimiter in the ASCII range 33-126 (usually ``|``). -## -## s: The string of the FTP EPRT command, e.g., ``"|1|10.0.0.1|1055|"``. -## -## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` -## -## .. bro:see:: parse_ftp_port parse_ftp_pasv parse_ftp_epsv fmt_ftp_port -function parse_eftp_port%(s: string%): ftp_port - %{ - return parse_eftp(s->CheckString()); - %} - -## Converts the result of the FTP PASV command to an ``ftp_port``. -## -## str: The string containing the result of the FTP PASV command. -## -## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` -## -## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_epsv fmt_ftp_port -function parse_ftp_pasv%(str: string%): ftp_port - %{ - const char* s = str->CheckString(); - const char* line = strchr(s, '('); - if ( line ) - ++line; // move past '(' - else if ( (line = strstr(s, "PORT")) ) - line += 5; // Skip over - else if ( (line = strchr(s, ',')) ) - { // Look for comma-separated list. - while ( --line >= s && isdigit(*line) ) - ; // Back up over preceding digits. 
- ++line; // now points to first digit, or beginning of s - } - - return parse_port(line); - %} - -## Converts the result of the FTP EPSV command to an ``ftp_port``. -## See `RFC 2428 `_. -## The format is `` ()``, where ```` is a -## delimiter in the ASCII range 33-126 (usually ``|``). -## -## str: The string containing the result of the FTP EPSV command. -## -## Returns: The FTP PORT, e.g., ``[h=10.0.0.1, p=1055/tcp, valid=T]`` -## -## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv fmt_ftp_port -function parse_ftp_epsv%(str: string%): ftp_port - %{ - const char* s = str->CheckString(); - const char* line = strchr(s, '('); - if ( line ) - ++line; // move past '(' - return parse_eftp(line); - %} - -## Formats an IP address and TCP port as an FTP PORT command. For example, -## ``10.0.0.1`` and ``1055/tcp`` yields ``"10,0,0,1,4,31"``. -## -## a: The IP address. -## -## p: The TCP port. -## -## Returns: The FTP PORT string. -## -## .. bro:see:: parse_ftp_port parse_eftp_port parse_ftp_pasv parse_ftp_epsv -function fmt_ftp_port%(a: addr, p: port%): string - %{ - const uint32* addr; - int len = a->AsAddr().GetBytes(&addr); - if ( len == 1 ) - { - uint32 a = ntohl(addr[0]); - uint32 pn = p->Port(); - return new StringVal(fmt("%d,%d,%d,%d,%d,%d", - a >> 24, (a >> 16) & 0xff, - (a >> 8) & 0xff, a & 0xff, - pn >> 8, pn & 0xff)); - } - else - { - builtin_error("conversion of non-IPv4 address in fmt_ftp_port", - @ARG@[0]); - return new StringVal(""); - } - %} - -## Decode a NetBIOS name. See http://support.microsoft.com/kb/194203. -## -## name: The encoded NetBIOS name, e.g., ``"FEEIEFCAEOEFFEECEJEPFDCAEOEBENEF"``. -## -## Returns: The decoded NetBIOS name, e.g., ``"THE NETBIOS NAME"``. -## -## .. bro:see:: decode_netbios_name_type -function decode_netbios_name%(name: string%): string - %{ - char buf[16]; - char result[16]; - const u_char* s = name->Bytes(); - int i, j; - - for ( i = 0, j = 0; i < 16; ++i ) - { - char c0 = (j < name->Len()) ? 
toupper(s[j++]) : 'A'; - char c1 = (j < name->Len()) ? toupper(s[j++]) : 'A'; - buf[i] = ((c0 - 'A') << 4) + (c1 - 'A'); - } - - for ( i = 0; i < 15; ++i ) - { - if ( isalnum(buf[i]) || ispunct(buf[i]) || - // \x01\x02 is seen in at least one case as the first two bytes. - // I think that any \x01 and \x02 should always be passed through. - buf[i] < 3 ) - result[i] = buf[i]; - else - break; - } - - return new StringVal(i, result); - %} - -## Converts a NetBIOS name type to its corresponding numeric value. -## See http://support.microsoft.com/kb/163409. -## -## name: The NetBIOS name type. -## -## Returns: The numeric value of *name*. -## -## .. bro:see:: decode_netbios_name -function decode_netbios_name_type%(name: string%): count - %{ - const u_char* s = name->Bytes(); - char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A'); - return new Val(return_val, TYPE_COUNT); - %} - ## Converts a string of bytes into its hexadecimal representation. ## For example, ``"04"`` would be converted to ``"3034"``. ## 
@@ -3789,138 +3501,6 @@ function lookup_asn%(a: addr%) : count return new Val(0, TYPE_COUNT); %} -%%{ -#include -#include -#include - -// This is the indexed map of X509 certificate stores. -static map x509_stores; - -// ### NOTE: while d2i_X509 does not take a const u_char** pointer, -// here we assume d2i_X509 does not write to , so it is safe to -// convert data to a non-const pointer. Could some X509 guru verify -// this? - -X509* d2i_X509_(X509** px, const u_char** in, int len) - { -#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR - return d2i_X509(px, in, len); -#else - return d2i_X509(px, (u_char**)in, len); -#endif - } - -%%} - - -## Verifies a certificate. -## -## der_cert: The X.509 certificate in DER format. -## -## cert_stack: Specifies a certificate chain to validate against, with index 0 -## typically being the root CA. Bro uses the Mozilla root CA list -## by default. -## -## root_certs: A list of additional root certificates that extends -## *cert_stack*. -## -## Returns: A status code of the verification which can be converted into an -## ASCII string via :bro:id:`x509_err2str`. -## -## .. bro:see:: x509_err2str -function x509_verify%(der_cert: string, cert_stack: string_vec, root_certs: table_string_of_string%): count - %{ - X509_STORE* ctx = 0; - int i = 0; - - // If this certificate store was built previously, just reuse the old one. - if ( x509_stores.count(root_certs) > 0 ) - ctx = x509_stores[root_certs]; - - if ( ! ctx ) // lookup to see if we have this one built already! - { - ctx = X509_STORE_new(); - TableVal* root_certs2 = root_certs->AsTableVal(); - ListVal* idxs = root_certs2->ConvertToPureList(); - - // Build the validation store - for ( i = 0; i < idxs->Length(); ++i ) - { - Val* key = idxs->Index(i); - StringVal *sv = root_certs2->Lookup(key)->AsStringVal(); - const uint8* data = sv->Bytes(); - X509* x = d2i_X509_(NULL, &data, sv->Len()); - if ( ! 
x ) - { - builtin_error(fmt("Root CA error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); - return new Val((uint64) ERR_get_error(), TYPE_COUNT); - } - X509_STORE_add_cert(ctx, x); - } - delete idxs; - - // Save the newly constructed certificate store into the cacheing map. - x509_stores[root_certs] = ctx; - } - - const uint8 *cert_data = der_cert->Bytes(); - X509* cert = d2i_X509_(NULL, &cert_data, der_cert->Len()); - if ( ! cert ) - { - builtin_error(fmt("Certificate error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); - return new Val((uint64) ERR_get_error(), TYPE_COUNT); - } - - STACK_OF(X509)* untrusted_certs = sk_X509_new_null(); - if ( ! untrusted_certs ) - { - builtin_error(fmt("Untrusted certificate stack initialization error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); - return new Val((uint64) ERR_get_error(), TYPE_COUNT); - } - - VectorVal *cert_stack_vec = cert_stack->AsVectorVal(); - for ( i = 0; i < (int) cert_stack_vec->Size(); ++i ) - { - StringVal *sv = cert_stack_vec->Lookup(i)->AsStringVal(); - const uint8 *data = sv->Bytes(); - X509* x = d2i_X509_(NULL, &data, sv->Len()); - if ( ! x ) - { - X509_free(cert); - sk_X509_pop_free(untrusted_certs, X509_free); - builtin_error(fmt("Untrusted certificate stack creation error: %s", ERR_error_string(ERR_peek_last_error(),NULL))); - return new Val((uint64) ERR_get_error(), TYPE_COUNT); - } - sk_X509_push(untrusted_certs, x); - } - - X509_STORE_CTX csc; - X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs); - X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time); - - int result = X509_verify_cert(&csc); - X509_STORE_CTX_cleanup(&csc); - - if ( untrusted_certs ) - sk_X509_pop_free(untrusted_certs, X509_free); - X509_free(cert); - - return new Val((uint64) csc.error, TYPE_COUNT); - %} - -## Converts a certificate verification error code into an ASCII string. -## -## err_num: The error code. -## -## Returns: A string representation of *err_num*. -## -## .. 
bro:see:: x509_verify -function x509_err2str%(err_num: count%): string - %{ - return new StringVal(X509_verify_cert_error_string(err_num)); - %} - ## Converts UNIX file permissions given by a mode to an ASCII string. ## ## mode: The permissions (an octal number like 0644 converted to decimal). 
@@ -4108,81 +3688,6 @@ function set_record_packets%(cid: conn_id, do_record: bool%): bool return new Val(1, TYPE_BOOL); %} -## Associates a file handle with a connection for writing TCP byte stream -## contents. -## -## cid: The connection ID. -## -## direction: Controls what sides of the connection to record. The argument can -## take one of the four values: -## -## - ``CONTENTS_NONE``: Stop recording the connection's content. -## - ``CONTENTS_ORIG``: Record the data sent by the connection -## originator (often the client). -## - ``CONTENTS_RESP``: Record the data sent by the connection -## responder (often the server). -## - ``CONTENTS_BOTH``: Record the data sent in both directions. -## Results in the two directions being -## intermixed in the file, in the order the -## data was seen by Bro. -## -## f: The file handle of the file to write the contents to. -## -## Returns: Returns false if *cid* does not point to an active connection, and -## true otherwise. -## -## .. note:: -## -## The data recorded to the file reflects the byte stream, not the -## contents of individual packets. Reordering and duplicates are -## removed. If any data is missing, the recording stops at the -## missing data; this can happen, e.g., due to an -## :bro:id:`ack_above_hole` event. -## -## .. bro:see:: get_contents_file set_record_packets -function set_contents_file%(cid: conn_id, direction: count, f: file%): bool - %{ - Connection* c = sessions->FindConnection(cid); - if ( ! c ) - return new Val(0, TYPE_BOOL); - - c->GetRootAnalyzer()->SetContentsFile(direction, f); - return new Val(1, TYPE_BOOL); - %} - -## Returns the file handle of the contents file of a connection. -## -## cid: The connection ID. -## -## direction: Controls what sides of the connection to record. See -## :bro:id:`set_contents_file` for possible values. -## -## Returns: The :bro:type:`file` handle for the contents file of the -## connection identified by *cid*. 
If the connection exists -## but there is no contents file for *direction*, then the function -## generates an error and returns a file handle to ``stderr``. -## -## .. bro:see:: set_contents_file set_record_packets -function get_contents_file%(cid: conn_id, direction: count%): file - %{ - Connection* c = sessions->FindConnection(cid); - BroFile* f = c ? c->GetRootAnalyzer()->GetContentsFile(direction) : 0; - - if ( f ) - { - Ref(f); - return new Val(f); - } - - // Return some sort of error value. - if ( ! c ) - builtin_error("unknown connection id in get_contents_file()", cid); - else - builtin_error("no contents file for given direction"); - - return new Val(new BroFile(stderr, "-", "w")); - %} - ## Sets an individual inactivity timeout for a connection and thus ## overrides the global inactivity timeout. ## 
@@ -4203,145 +3708,6 @@ function set_inactivity_timeout%(cid: conn_id, t: interval%): interval return new Val(old_timeout, TYPE_INTERVAL); %} -## Returns the state of the given login (Telnet or Rlogin) connection. -## -## cid: The connection ID. -## -## Returns: False if the connection is not active or is not tagged as a -## login analyzer. Otherwise the function returns the state, which can -## be one of: -## -## - ``LOGIN_STATE_AUTHENTICATE``: The connection is in its -## initial authentication dialog. -## - ``LOGIN_STATE_LOGGED_IN``: The analyzer believes the user has -## successfully authenticated. -## - ``LOGIN_STATE_SKIP``: The analyzer has skipped any further -## processing of the connection. -## - ``LOGIN_STATE_CONFUSED``: The analyzer has concluded that it -## does not correctly know the state of the connection, and/or -## the username associated with it. -## -## .. bro:see:: set_login_state -function get_login_state%(cid: conn_id%): count - %{ - Connection* c = sessions->FindConnection(cid); - if ( ! c ) - return new Val(0, TYPE_BOOL); - - analyzer::Analyzer* la = c->FindAnalyzer("Login"); - if ( ! la ) - return new Val(0, TYPE_BOOL); - - return new Val(int(static_cast(la)->LoginState()), - TYPE_COUNT); - %} - -## Sets the login state of a connection with a login analyzer. -## -## cid: The connection ID. -## -## new_state: The new state of the login analyzer. See -## :bro:id:`get_login_state` for possible values. -## -## Returns: Returns false if *cid* is not an active connection -## or is not tagged as a login analyzer, and true otherwise. -## -## .. bro:see:: get_login_state -function set_login_state%(cid: conn_id, new_state: count%): bool - %{ - Connection* c = sessions->FindConnection(cid); - if ( ! c ) - return new Val(0, TYPE_BOOL); - - analyzer::Analyzer* la = c->FindAnalyzer("Login"); - if ( ! 
la ) - return new Val(0, TYPE_BOOL); - - static_cast(la)->SetLoginState(analyzer::login::login_state(new_state)); - return new Val(1, TYPE_BOOL); - %} - -%%{ -#include "analyzer/protocols/tcp/TCP.h" -%%} - -## Get the originator sequence number of a TCP connection. Sequence numbers -## are absolute (i.e., they reflect the values seen directly in packet headers; -## they are not relative to the beginning of the connection). -## -## cid: The connection ID. -## -## Returns: The highest sequence number sent by a connection's originator, or 0 -## if *cid* does not point to an active TCP connection. -## -## .. bro:see:: get_resp_seq -function get_orig_seq%(cid: conn_id%): count - %{ - Connection* c = sessions->FindConnection(cid); - if ( ! c ) - return new Val(0, TYPE_COUNT); - - if ( c->ConnTransport() != TRANSPORT_TCP ) - return new Val(0, TYPE_COUNT); - - analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); - if ( tc ) - return new Val(static_cast(tc)->OrigSeq(), - TYPE_COUNT); - else - { - reporter->Error("connection does not have TCP analyzer"); - return new Val(0, TYPE_COUNT); - } - %} - -## Get the responder sequence number of a TCP connection. Sequence numbers -## are absolute (i.e., they reflect the values seen directly in packet headers; -## they are not relative to the beginning of the connection). -## -## cid: The connection ID. -## -## Returns: The highest sequence number sent by a connection's responder, or 0 -## if *cid* does not point to an active TCP connection. -## -## .. bro:see:: get_orig_seq -function get_resp_seq%(cid: conn_id%): count - %{ - Connection* c = sessions->FindConnection(cid); - if ( ! 
c ) - return new Val(0, TYPE_COUNT); - - if ( c->ConnTransport() != TRANSPORT_TCP ) - return new Val(0, TYPE_COUNT); - - analyzer::Analyzer* tc = c->FindAnalyzer("TCP"); - if ( tc ) - return new Val(static_cast(tc)->RespSeq(), - TYPE_COUNT); - else - { - reporter->Error("connection does not have TCP analyzer"); - return new Val(0, TYPE_COUNT); - } - %} - -%%{ -#include "analyzer/protocols/smtp/SMTP.h" -%%} - -## Skips SMTP data until the next email in a connection. -## -## c: The SMTP connection. -## -## .. bro:see:: skip_http_entity_data -function skip_smtp_data%(c: connection%): any - %{ - analyzer::Analyzer* sa = c->FindAnalyzer("SMTP"); - if ( sa ) - static_cast(sa)->SkipData(); - return 0; - %} - # =========================================================================== # # Files and Directories From d8259b34ddd1713d9cf691dc22efa8cabae71471 Mon Sep 17 00:00:00 2001 
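Review bot: in the new functions.bif hunk that adds decode_netbios_name and decode_netbios_name_type, decode_netbios_name_type indexes s[30] and s[31] without checking name->Len(), so a script passing a string shorter than 32 bytes causes an out-of-bounds read; add a length check before indexing (e.g. "if ( name->Len() < 32 ) return new Val(0, TYPE_COUNT);" or a builtin_error). In decode_netbios_name, buf is a plain char array, so on platforms where char is signed any decoded byte >= 0x80 becomes negative: "buf[i] < 3" then accepts it into the result instead of terminating the name, and isalnum/ispunct are called with a negative value, which is undefined behaviour for the ctype functions. Declaring buf (and return_val) as unsigned char fixes both. The decoder also assumes the input consists only of 'A'..'P'; "(c0 - 'A') << 4" on any other character silently yields garbage rather than an error, so validating the input alphabet would be worth adding.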
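Review bot: in the ssl/functions.bif hunk, the docstring of x509_verify has the roles of cert_stack and root_certs reversed relative to the code: root_certs is what populates the trusted X509_STORE via X509_STORE_add_cert, while cert_stack is pushed onto untrusted_certs and handed to X509_STORE_CTX_init as the untrusted chain, so the docs should describe cert_stack as the chain presented on the wire and root_certs as the trust anchors. Two leaks on the error paths: the "Root CA error" return leaves the freshly created ctx and idxs unreleased and stores nothing in x509_stores, so every later call with that table rebuilds and leaks again; and the "Untrusted certificate stack initialization error" return does not X509_free(cert), unlike the later loop error path which does. The value of X509_verify_cert is stored in result but never used, and csc.error is read only after X509_STORE_CTX_cleanup(&csc); capture the error (csc.error or X509_STORE_CTX_get_error) before cleanup and return that. Finally the cache is keyed on the root_certs Val pointer rather than on the table contents, and entries are never removed, so the same root set passed as a different table value is rebuilt while a table freed and re-allocated at the same address would hit a stale store.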
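Review bot: in the tcp/functions.bif hunk, set_contents_file and get_contents_file call c->GetRootAnalyzer()->SetContentsFile/GetContentsFile for any connection found, without the "if ( c->ConnTransport() != TRANSPORT_TCP )" guard that get_orig_seq and get_resp_seq apply a few lines above in the same file, although the docstring describes the feature as recording the TCP byte stream; add the same transport check (returning false, or an error for get_contents_file) and reject direction values outside the four documented CONTENTS_* constants instead of passing them through.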
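Review bot: the first bro.bif hunk deletes the global "RecordType* ftp_port;" while the FTP helpers that instantiate it with new RecordVal(ftp_port) are only removed from bro.bif further down; the FTP functions.bif that now hosts parse_port/parse_eftp is not part of this diff, so confirm that it (or NetVar) still defines ftp_port, otherwise the moved code will not link.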
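Review bot: the last bro.bif hunk removes get_login_state/set_login_state along with the TCP and SMTP functions, but unlike TCP, SMTP, SSL and NetBIOS no login functions.bif appears in this patch; either the login functions are being dropped (then the docs referencing get_login_state need updating) or the new file is missing from the commit. If the code is moved verbatim, also fix the return-type mismatch in the new location: get_login_state is declared to return count but its two early exits return new Val(0, TYPE_BOOL), while its docstring says it returns false; pick one (TYPE_COUNT with 0, or a bool return type) and make the three agree.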
From: Robin Sommer Date: Fri, 19 Apr 2013 15:38:08 -0700 Subject: [PATCH 28/70] Unifying *.h guards. --- src/analyzer/protocols/TODO | 1 - src/analyzer/protocols/arp/ARP.h | 4 ++-- src/analyzer/protocols/ayiya/AYIYA.h | 4 ++-- src/analyzer/protocols/backdoor/BackDoor.h | 4 ++-- src/analyzer/protocols/bittorrent/BitTorrent.h | 4 ++-- src/analyzer/protocols/bittorrent/BitTorrentTracker.h | 4 ++-- src/analyzer/protocols/conn-size/ConnSize.h | 4 ++-- src/analyzer/protocols/dce-rpc/DCE_RPC.h | 6 +++--- src/analyzer/protocols/dhcp/DHCP.h | 4 ++-- src/analyzer/protocols/dns/DNS.h | 4 ++-- src/analyzer/protocols/file/File.h | 4 ++-- src/analyzer/protocols/finger/Finger.h | 4 ++-- src/analyzer/protocols/ftp/FTP.h | 4 ++-- src/analyzer/protocols/gnutella/Gnutella.h | 4 ++-- src/analyzer/protocols/gtpv1/GTPv1.h | 4 ++-- src/analyzer/protocols/http/HTTP.h | 4 ++-- src/analyzer/protocols/icmp/ICMP.h | 4 ++-- src/analyzer/protocols/ident/Ident.h | 4 ++-- src/analyzer/protocols/interconn/InterConn.h | 4 ++-- src/analyzer/protocols/irc/IRC.h | 4 ++-- src/analyzer/protocols/login/Login.h | 4 ++-- src/analyzer/protocols/login/NVT.h | 4 ++-- src/analyzer/protocols/login/RSH.h | 4 ++-- src/analyzer/protocols/login/Rlogin.h | 4 ++-- src/analyzer/protocols/login/Telnet.h | 4 ++-- src/analyzer/protocols/mime/MIME.h | 4 ++-- src/analyzer/protocols/modbus/Modbus.h | 4 ++-- src/analyzer/protocols/ncp/NCP.h | 6 +++--- src/analyzer/protocols/netbios-ssn/NetbiosSSN.h | 4 ++-- src/analyzer/protocols/ntp/NTP.h | 4 ++-- src/analyzer/protocols/pia/PIA.h | 4 ++-- src/analyzer/protocols/pop3/POP3.h | 4 ++-- src/analyzer/protocols/rpc/NFS.h | 4 ++-- src/analyzer/protocols/rpc/Portmap.h | 4 ++-- src/analyzer/protocols/rpc/RPC.h | 4 ++-- src/analyzer/protocols/rpc/XDR.h | 4 ++-- src/analyzer/protocols/smb/SMB.h | 4 ++-- src/analyzer/protocols/smtp/SMTP.h | 4 ++-- src/analyzer/protocols/socks/SOCKS.h | 4 ++-- src/analyzer/protocols/ssh/SSH.h | 4 ++-- src/analyzer/protocols/ssl/SSL.h | 4 ++-- 
src/analyzer/protocols/stepping-stone/SteppingStone.h | 4 ++-- src/analyzer/protocols/syslog/Syslog.h | 4 ++-- src/analyzer/protocols/tcp/ContentLine.h | 4 ++-- src/analyzer/protocols/tcp/Stats.h | 4 ++-- src/analyzer/protocols/tcp/TCP.h | 4 ++-- src/analyzer/protocols/tcp/TCP_Endpoint.h | 4 ++-- src/analyzer/protocols/tcp/TCP_Reassembler.h | 4 ++-- src/analyzer/protocols/teredo/Teredo.h | 4 ++-- src/analyzer/protocols/udp/UDP.h | 4 ++-- src/analyzer/protocols/zip/ZIP.h | 4 ++-- 51 files changed, 102 insertions(+), 103 deletions(-) diff --git a/src/analyzer/protocols/TODO b/src/analyzer/protocols/TODO index 41a4d579bc..61a17a95c9 100644 --- a/src/analyzer/protocols/TODO +++ b/src/analyzer/protocols/TODO @@ -1,5 +1,4 @@ -- add functions.bif where needed - update *.h guards - cleanup analyzer descriptions - can now lower-case the analyzer name in plugin diff --git a/src/analyzer/protocols/arp/ARP.h b/src/analyzer/protocols/arp/ARP.h index ee01669e92..f09dc6c398 100644 --- a/src/analyzer/protocols/arp/ARP.h +++ b/src/analyzer/protocols/arp/ARP.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef arp_h -#define arp_h +#ifndef ANALYZER_PROTOCOL_ARP_ARP_H +#define ANALYZER_PROTOCOL_ARP_ARP_H #include "config.h" #include diff --git a/src/analyzer/protocols/ayiya/AYIYA.h b/src/analyzer/protocols/ayiya/AYIYA.h index 2995131be5..f5bb379cf4 100644 --- a/src/analyzer/protocols/ayiya/AYIYA.h +++ b/src/analyzer/protocols/ayiya/AYIYA.h @@ -1,5 +1,5 @@ -#ifndef AYIYA_h -#define AYIYA_h +#ifndef ANALYZER_PROTOCOL_AYIYA_AYIYA_H +#define ANALYZER_PROTOCOL_AYIYA_AYIYA_H #include "ayiya_pac.h" diff --git a/src/analyzer/protocols/backdoor/BackDoor.h b/src/analyzer/protocols/backdoor/BackDoor.h index bab981cf89..36c8430c34 100644 --- a/src/analyzer/protocols/backdoor/BackDoor.h +++ b/src/analyzer/protocols/backdoor/BackDoor.h 
@@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef backdoor_h -#define backdoor_h +#ifndef ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H +#define ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H #include "analyzer/protocols/tcp/TCP.h" #include "Timer.h" diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.h b/src/analyzer/protocols/bittorrent/BitTorrent.h index 7812261f04..4065b45648 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrent.h +++ b/src/analyzer/protocols/bittorrent/BitTorrent.h @@ -1,7 +1,7 @@ // This code contributed by Nadi Sarrar. -#ifndef bittorrent_h -#define bittorrent_h +#ifndef ANALYZER_PROTOCOL_BITTORRENT_BITTORRENT_H +#define ANALYZER_PROTOCOL_BITTORRENT_BITTORRENT_H #include "analyzer/protocols/tcp/TCP.h" diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h index 8db92c6af7..572a8d2093 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h +++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h @@ -1,7 +1,7 @@ // This code contributed by Nadi Sarrar. -#ifndef bittorrenttracker_h -#define bittorrenttracker_h +#ifndef ANALYZER_PROTOCOL_BITTORRENT_BITTORRENTTRACKER_H +#define ANALYZER_PROTOCOL_BITTORRENT_BITTORRENTTRACKER_H #include "analyzer/protocols/tcp/TCP.h" diff --git a/src/analyzer/protocols/conn-size/ConnSize.h b/src/analyzer/protocols/conn-size/ConnSize.h index 567895a9f5..25f096dd32 100644 --- a/src/analyzer/protocols/conn-size/ConnSize.h +++ b/src/analyzer/protocols/conn-size/ConnSize.h @@ -1,8 +1,8 @@ // See the file "COPYING" in the main distribution directory for copyright. // -#ifndef CONNSTATS_H -#define CONNSTATS_H +#ifndef ANALYZER_PROTOCOL_CONN_SIZE_CONNSIZE_H +#define ANALYZER_PROTOCOL_CONN_SIZE_CONNSIZE_H #include "analyzer/Analyzer.h" #include "NetVar.h" diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.h b/src/analyzer/protocols/dce-rpc/DCE_RPC.h index fabd68912e..ff85e16ee1 100644 
--- a/src/analyzer/protocols/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocols/dce-rpc/DCE_RPC.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef dce_rpc_h -#define dce_rpc_h +#ifndef ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_H +#define ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_H // NOTE: This is a somewhat crude analyzer for DCE/RPC (used on Microsoft // Windows systems) and shouldn't be considered as stable. @@ -88,7 +88,7 @@ enum DCE_RPC_PTYPE { }; */ -#define DCE_RPC_HEADER_LENGTH 16 +#define ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_HEADER_LENGTH 16 class DCE_RPC_Header { public: diff --git a/src/analyzer/protocols/dhcp/DHCP.h b/src/analyzer/protocols/dhcp/DHCP.h index 189e04ecab..207651d7c1 100644 --- a/src/analyzer/protocols/dhcp/DHCP.h +++ b/src/analyzer/protocols/dhcp/DHCP.h @@ -1,5 +1,5 @@ -#ifndef dhcp_binpac_h -#define dhcp_binpac_h +#ifndef ANALYZER_PROTOCOL_DHCP_DHCP_H +#define ANALYZER_PROTOCOL_DHCP_DHCP_H #include "analyzer/protocols/udp/UDP.h" diff --git a/src/analyzer/protocols/dns/DNS.h b/src/analyzer/protocols/dns/DNS.h index fc19fe82b3..9c7874400d 100644 --- a/src/analyzer/protocols/dns/DNS.h +++ b/src/analyzer/protocols/dns/DNS.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef dns_h -#define dns_h +#ifndef ANALYZER_PROTOCOL_DNS_DNS_H +#define ANALYZER_PROTOCOL_DNS_DNS_H #include "analyzer/protocols/tcp/TCP.h" #include "binpac_bro.h" diff --git a/src/analyzer/protocols/file/File.h b/src/analyzer/protocols/file/File.h index ae6a815378..368fe22dae 100644 --- a/src/analyzer/protocols/file/File.h +++ b/src/analyzer/protocols/file/File.h @@ -1,7 +1,7 @@ // Analyzer for connections that transfer binary data. -#ifndef FILEANALYZER_H -#define FILEANALYZER_H +#ifndef ANALYZER_PROTOCOL_FILE_FILE_H +#define ANALYZER_PROTOCOL_FILE_FILE_H #include "analyzer/protocols/tcp/TCP.h" 
diff --git a/src/analyzer/protocols/finger/Finger.h b/src/analyzer/protocols/finger/Finger.h index d80549bb4c..5624030f80 100644 --- a/src/analyzer/protocols/finger/Finger.h +++ b/src/analyzer/protocols/finger/Finger.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef finger_h -#define finger_h +#ifndef ANALYZER_PROTOCOL_FINGER_FINGER_H +#define ANALYZER_PROTOCOL_FINGER_FINGER_H #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" diff --git a/src/analyzer/protocols/ftp/FTP.h b/src/analyzer/protocols/ftp/FTP.h index 9ebf38b2f7..577082644a 100644 --- a/src/analyzer/protocols/ftp/FTP.h +++ b/src/analyzer/protocols/ftp/FTP.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef ftp_h -#define ftp_h +#ifndef ANALYZER_PROTOCOL_FTP_FTP_H +#define ANALYZER_PROTOCOL_FTP_FTP_H #include "analyzer/protocols/login/NVT.h" #include "analyzer/protocols/tcp/TCP.h" diff --git a/src/analyzer/protocols/gnutella/Gnutella.h b/src/analyzer/protocols/gnutella/Gnutella.h index 3a6e51d0c4..d67d319c4e 100644 --- a/src/analyzer/protocols/gnutella/Gnutella.h +++ b/src/analyzer/protocols/gnutella/Gnutella.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef gnutella_h -#define gnutella_h +#ifndef ANALYZER_PROTOCOL_GNUTELLA_GNUTELLA_H +#define ANALYZER_PROTOCOL_GNUTELLA_GNUTELLA_H #include "analyzer/protocols/tcp/TCP.h" diff --git a/src/analyzer/protocols/gtpv1/GTPv1.h b/src/analyzer/protocols/gtpv1/GTPv1.h index 3fb7634534..b58405ea7f 100644 --- a/src/analyzer/protocols/gtpv1/GTPv1.h +++ b/src/analyzer/protocols/gtpv1/GTPv1.h @@ -1,5 +1,5 @@ -#ifndef GTPv1_h -#define GTPv1_h +#ifndef ANALYZER_PROTOCOL_GTPV1_GTPV1_H +#define ANALYZER_PROTOCOL_GTPV1_GTPV1_H #include "gtpv1_pac.h" diff --git a/src/analyzer/protocols/http/HTTP.h b/src/analyzer/protocols/http/HTTP.h index 49235ae173..cb53e30c9a 100644 
--- a/src/analyzer/protocols/http/HTTP.h +++ b/src/analyzer/protocols/http/HTTP.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef http_h -#define http_h +#ifndef ANALYZER_PROTOCOL_HTTP_HTTP_H +#define ANALYZER_PROTOCOL_HTTP_HTTP_H #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" diff --git a/src/analyzer/protocols/icmp/ICMP.h b/src/analyzer/protocols/icmp/ICMP.h index 6a9ba3282c..e371f53889 100644 --- a/src/analyzer/protocols/icmp/ICMP.h +++ b/src/analyzer/protocols/icmp/ICMP.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef icmp_h -#define icmp_h +#ifndef ANALYZER_PROTOCOL_ICMP_ICMP_H +#define ANALYZER_PROTOCOL_ICMP_ICMP_H #include "RuleMatcher.h" #include "analyzer/Analyzer.h" diff --git a/src/analyzer/protocols/ident/Ident.h b/src/analyzer/protocols/ident/Ident.h index 473d201e65..7e1b7508c5 100644 --- a/src/analyzer/protocols/ident/Ident.h +++ b/src/analyzer/protocols/ident/Ident.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef ident_h -#define ident_h +#ifndef ANALYZER_PROTOCOL_IDENT_IDENT_H +#define ANALYZER_PROTOCOL_IDENT_IDENT_H #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" diff --git a/src/analyzer/protocols/interconn/InterConn.h b/src/analyzer/protocols/interconn/InterConn.h index c51113c156..4faa684818 100644 --- a/src/analyzer/protocols/interconn/InterConn.h +++ b/src/analyzer/protocols/interconn/InterConn.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef interconn_h -#define interconn_h +#ifndef ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H +#define ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H #include "analyzer/protocols/tcp/TCP.h" #include "Timer.h" diff --git a/src/analyzer/protocols/irc/IRC.h b/src/analyzer/protocols/irc/IRC.h index d5fa3b57e5..a0f35639d3 100644 
--- a/src/analyzer/protocols/irc/IRC.h +++ b/src/analyzer/protocols/irc/IRC.h @@ -1,7 +1,7 @@ // An IRC analyzer contributed by Roland Gruber. -#ifndef irc_h -#define irc_h +#ifndef ANALYZER_PROTOCOL_IRC_IRC_H +#define ANALYZER_PROTOCOL_IRC_IRC_H #include "analyzer/protocols/tcp/TCP.h" namespace analyzer { namespace irc { diff --git a/src/analyzer/protocols/login/Login.h b/src/analyzer/protocols/login/Login.h index 55d12c80da..3d41ad94c3 100644 --- a/src/analyzer/protocols/login/Login.h +++ b/src/analyzer/protocols/login/Login.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef login_h -#define login_h +#ifndef ANALYZER_PROTOCOL_LOGIN_LOGIN_H +#define ANALYZER_PROTOCOL_LOGIN_LOGIN_H #include "analyzer/protocols/tcp/TCP.h" diff --git a/src/analyzer/protocols/login/NVT.h b/src/analyzer/protocols/login/NVT.h index dea4c90ad5..9fb85c8823 100644 --- a/src/analyzer/protocols/login/NVT.h +++ b/src/analyzer/protocols/login/NVT.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef nvt_h -#define nvt_h +#ifndef ANALYZER_PROTOCOL_LOGIN_NVT_H +#define ANALYZER_PROTOCOL_LOGIN_NVT_H #include "analyzer/protocols/tcp/ContentLine.h" diff --git a/src/analyzer/protocols/login/RSH.h b/src/analyzer/protocols/login/RSH.h index 2738060a9f..c2d19c8958 100644 --- a/src/analyzer/protocols/login/RSH.h +++ b/src/analyzer/protocols/login/RSH.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef rsh_h -#define rsh_h +#ifndef ANALYZER_PROTOCOL_LOGIN_RSH_H +#define ANALYZER_PROTOCOL_LOGIN_RSH_H #include "Login.h" #include "analyzer/protocols/tcp/ContentLine.h" diff --git a/src/analyzer/protocols/login/Rlogin.h b/src/analyzer/protocols/login/Rlogin.h index c4cdfd7516..3efdfa8107 100644 --- a/src/analyzer/protocols/login/Rlogin.h +++ b/src/analyzer/protocols/login/Rlogin.h 
@@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef rlogin_h -#define rlogin_h +#ifndef ANALYZER_PROTOCOL_LOGIN_RLOGIN_H +#define ANALYZER_PROTOCOL_LOGIN_RLOGIN_H #include "Login.h" #include "analyzer/protocols/tcp/ContentLine.h" diff --git a/src/analyzer/protocols/login/Telnet.h b/src/analyzer/protocols/login/Telnet.h index a13fe230af..332281013c 100644 --- a/src/analyzer/protocols/login/Telnet.h +++ b/src/analyzer/protocols/login/Telnet.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef telnet_h -#define telnet_h +#ifndef ANALYZER_PROTOCOL_LOGIN_TELNET_H +#define ANALYZER_PROTOCOL_LOGIN_TELNET_H #include "Login.h" diff --git a/src/analyzer/protocols/mime/MIME.h b/src/analyzer/protocols/mime/MIME.h index d6ef2b5375..10d4da3fd1 100644 --- a/src/analyzer/protocols/mime/MIME.h +++ b/src/analyzer/protocols/mime/MIME.h @@ -1,5 +1,5 @@ -#ifndef mime_h -#define mime_h +#ifndef ANALYZER_PROTOCOL_MIME_MIME_H +#define ANALYZER_PROTOCOL_MIME_MIME_H #include #include diff --git a/src/analyzer/protocols/modbus/Modbus.h b/src/analyzer/protocols/modbus/Modbus.h index 063014cf2b..9ecd952e2e 100644 --- a/src/analyzer/protocols/modbus/Modbus.h +++ b/src/analyzer/protocols/modbus/Modbus.h @@ -1,5 +1,5 @@ -#ifndef MODBUS_H -#define MODBUS_H +#ifndef ANALYZER_PROTOCOL_MODBUS_MODBUS_H +#define ANALYZER_PROTOCOL_MODBUS_MODBUS_H #include "analyzer/protocols/tcp/TCP.h" #include "modbus_pac.h" diff --git a/src/analyzer/protocols/ncp/NCP.h b/src/analyzer/protocols/ncp/NCP.h index 0ab73707fb..aa667657ca 100644 --- a/src/analyzer/protocols/ncp/NCP.h +++ b/src/analyzer/protocols/ncp/NCP.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef ncp_h -#define ncp_h +#ifndef ANALYZER_PROTOCOL_NCP_NCP_H +#define ANALYZER_PROTOCOL_NCP_NCP_H // A very crude analyzer for NCP (Netware Core Protocol) // 
@@ -73,7 +73,7 @@ protected: int buf_len; // size off msg_buf }; -#define NCP_TCPIP_HEADER_LENGTH 8 +#define ANALYZER_PROTOCOL_NCP_NCP_HEADER_LENGTH 8 class NCP_FrameBuffer : public FrameBuffer { public: diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h index df065c4348..5908250669 100644 --- a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h +++ b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef netbios_ssn_h -#define netbios_ssn_h +#ifndef ANALYZER_PROTOCOL_NETBIOS_SSN_NETBIOSSSN_H +#define ANALYZER_PROTOCOL_NETBIOS_SSN_NETBIOSSSN_H #include "analyzer/protocols/udp/UDP.h" #include "analyzer/protocols/tcp/TCP.h" diff --git a/src/analyzer/protocols/ntp/NTP.h b/src/analyzer/protocols/ntp/NTP.h index 2c989da4d1..25cc9bad43 100644 --- a/src/analyzer/protocols/ntp/NTP.h +++ b/src/analyzer/protocols/ntp/NTP.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef ntp_h -#define ntp_h +#ifndef ANALYZER_PROTOCOL_NTP_NTP_H +#define ANALYZER_PROTOCOL_NTP_NTP_H #include "analyzer/protocols/udp/UDP.h" diff --git a/src/analyzer/protocols/pia/PIA.h b/src/analyzer/protocols/pia/PIA.h index 1d788d39a6..a117a60978 100644 --- a/src/analyzer/protocols/pia/PIA.h +++ b/src/analyzer/protocols/pia/PIA.h @@ -1,7 +1,7 @@ // An analyzer for application-layer protocol-detection. -#ifndef PIA_H -#define PIA_H +#ifndef ANALYZER_PROTOCOL_PIA_PIA_H +#define ANALYZER_PROTOCOL_PIA_PIA_H #include "analyzer/Analyzer.h" #include "analyzer/protocols/tcp/TCP.h" diff --git a/src/analyzer/protocols/pop3/POP3.h b/src/analyzer/protocols/pop3/POP3.h index 37620c0024..bd882f480b 100644 --- a/src/analyzer/protocols/pop3/POP3.h +++ b/src/analyzer/protocols/pop3/POP3.h 
@@ -2,8 +2,8 @@ // // An analyser for the POP3 protocol. -#ifndef pop3_h -#define pop3_h +#ifndef ANALYZER_PROTOCOL_POP3_POP3_H +#define ANALYZER_PROTOCOL_POP3_POP3_H #include #include diff --git a/src/analyzer/protocols/rpc/NFS.h b/src/analyzer/protocols/rpc/NFS.h index e9e978eaa2..7656450d94 100644 --- a/src/analyzer/protocols/rpc/NFS.h +++ b/src/analyzer/protocols/rpc/NFS.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef nfs_h -#define nfs_h +#ifndef ANALYZER_PROTOCOL_RPC_NFS_H +#define ANALYZER_PROTOCOL_RPC_NFS_H #include "RPC.h" #include "XDR.h" diff --git a/src/analyzer/protocols/rpc/Portmap.h b/src/analyzer/protocols/rpc/Portmap.h index 6aa1173f02..52d0c21a04 100644 --- a/src/analyzer/protocols/rpc/Portmap.h +++ b/src/analyzer/protocols/rpc/Portmap.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef portmap_h -#define portmap_h +#ifndef ANALYZER_PROTOCOL_RPC_PORTMAP_H +#define ANALYZER_PROTOCOL_RPC_PORTMAP_H #include "RPC.h" diff --git a/src/analyzer/protocols/rpc/RPC.h b/src/analyzer/protocols/rpc/RPC.h index 504f2eb194..0face29d50 100644 --- a/src/analyzer/protocols/rpc/RPC.h +++ b/src/analyzer/protocols/rpc/RPC.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef rpc_h -#define rpc_h +#ifndef ANALYZER_PROTOCOL_RPC_RPC_H +#define ANALYZER_PROTOCOL_RPC_RPC_H #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/udp/UDP.h" diff --git a/src/analyzer/protocols/rpc/XDR.h b/src/analyzer/protocols/rpc/XDR.h index 2f4a7d59e4..a1be0a1e05 100644 --- a/src/analyzer/protocols/rpc/XDR.h +++ b/src/analyzer/protocols/rpc/XDR.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef xdr_h -#define xdr_h +#ifndef ANALYZER_PROTOCOL_RPC_XDR_H +#define ANALYZER_PROTOCOL_RPC_XDR_H #include #include 
diff --git a/src/analyzer/protocols/smb/SMB.h b/src/analyzer/protocols/smb/SMB.h index 0b67c96710..eed1d2e5a0 100644 --- a/src/analyzer/protocols/smb/SMB.h +++ b/src/analyzer/protocols/smb/SMB.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef smb_h -#define smb_h +#ifndef ANALYZER_PROTOCOL_SMB_SMB_H +#define ANALYZER_PROTOCOL_SMB_SMB_H // SMB (CIFS) analyzer. // Reference: http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf diff --git a/src/analyzer/protocols/smtp/SMTP.h b/src/analyzer/protocols/smtp/SMTP.h index 02322f09c7..c179db4ecb 100644 --- a/src/analyzer/protocols/smtp/SMTP.h +++ b/src/analyzer/protocols/smtp/SMTP.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef smtp_h -#define smtp_h +#ifndef ANALYZER_PROTOCOL_SMTP_SMTP_H +#define ANALYZER_PROTOCOL_SMTP_SMTP_H #include using namespace std; diff --git a/src/analyzer/protocols/socks/SOCKS.h b/src/analyzer/protocols/socks/SOCKS.h index 7aed5c02a3..424443c826 100644 --- a/src/analyzer/protocols/socks/SOCKS.h +++ b/src/analyzer/protocols/socks/SOCKS.h @@ -1,5 +1,5 @@ -#ifndef socks_h -#define socks_h +#ifndef ANALYZER_PROTOCOL_SOCKS_SOCKS_H +#define ANALYZER_PROTOCOL_SOCKS_SOCKS_H // SOCKS v4 analyzer. diff --git a/src/analyzer/protocols/ssh/SSH.h b/src/analyzer/protocols/ssh/SSH.h index 644444136d..6587425807 100644 --- a/src/analyzer/protocols/ssh/SSH.h +++ b/src/analyzer/protocols/ssh/SSH.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef ssh_h -#define ssh_h +#ifndef ANALYZER_PROTOCOL_SSH_SSH_H +#define ANALYZER_PROTOCOL_SSH_SSH_H #include "analyzer/protocols/tcp/TCP.h" #include "analyzer/protocols/tcp/ContentLine.h" diff --git a/src/analyzer/protocols/ssl/SSL.h b/src/analyzer/protocols/ssl/SSL.h index b8d6f20db1..f1323566af 100644 --- a/src/analyzer/protocols/ssl/SSL.h +++ b/src/analyzer/protocols/ssl/SSL.h 
@@ -1,5 +1,5 @@ -#ifndef ssl_h -#define ssl_h +#ifndef ANALYZER_PROTOCOL_SSL_SSL_H +#define ANALYZER_PROTOCOL_SSL_SSL_H #include "events.bif.h" diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.h b/src/analyzer/protocols/stepping-stone/SteppingStone.h index f818a0ee70..212899f32c 100644 --- a/src/analyzer/protocols/stepping-stone/SteppingStone.h +++ b/src/analyzer/protocols/stepping-stone/SteppingStone.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef steppingstone_h -#define steppingstone_h +#ifndef ANALYZER_PROTOCOL_STEPPING_STONE_STEPPINGSTONE_H +#define ANALYZER_PROTOCOL_STEPPING_STONE_STEPPINGSTONE_H #include "Queue.h" #include "analyzer/protocols/tcp/TCP.h" diff --git a/src/analyzer/protocols/syslog/Syslog.h b/src/analyzer/protocols/syslog/Syslog.h index 391c5115b3..fd929a478e 100644 --- a/src/analyzer/protocols/syslog/Syslog.h +++ b/src/analyzer/protocols/syslog/Syslog.h @@ -1,6 +1,6 @@ -#ifndef Syslog_h -#define Syslog_h +#ifndef ANALYZER_PROTOCOL_SYSLOG_SYSLOG_H +#define ANALYZER_PROTOCOL_SYSLOG_SYSLOG_H #include "analyzer/protocols/udp/UDP.h" #include "analyzer/protocols/tcp/TCP.h" diff --git a/src/analyzer/protocols/tcp/ContentLine.h b/src/analyzer/protocols/tcp/ContentLine.h index ca48393cb4..f5d3ef8211 100644 --- a/src/analyzer/protocols/tcp/ContentLine.h +++ b/src/analyzer/protocols/tcp/ContentLine.h @@ -1,7 +1,7 @@ // Support-analyzer to split a reassembled stream into lines. -#ifndef CONTENTLINE_H -#define CONTENTLINE_H +#ifndef ANALYZER_PROTOCOL_TCP_CONTENTLINE_H +#define ANALYZER_PROTOCOL_TCP_CONTENTLINE_H #include "analyzer/protocols/tcp/TCP.h" diff --git a/src/analyzer/protocols/tcp/Stats.h b/src/analyzer/protocols/tcp/Stats.h index 42c03ab321..721d898d95 100644 --- a/src/analyzer/protocols/tcp/Stats.h +++ b/src/analyzer/protocols/tcp/Stats.h 
@@ -1,6 +1,6 @@ -#ifndef ANALYZER_PROTOCOLS_TCP_STATS_H -#define ANALYZER_PROTOCOLS_TCP_STATS_H +#ifndef ANALYZER_PROTOCOL_TCP_STATS_H +#define ANALYZER_PROTOCOL_TCP_STATS_H #include "TCP_Endpoint.h" diff --git a/src/analyzer/protocols/tcp/TCP.h b/src/analyzer/protocols/tcp/TCP.h index 6b0b9e8637..ded3cd7270 100644 --- a/src/analyzer/protocols/tcp/TCP.h +++ b/src/analyzer/protocols/tcp/TCP.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef TCP_H -#define TCP_H +#ifndef ANALYZER_PROTOCOL_TCP_TCP_H +#define ANALYZER_PROTOCOL_TCP_TCP_H #include "analyzer/Analyzer.h" #include "analyzer/protocols/tcp/TCP.h" diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.h b/src/analyzer/protocols/tcp/TCP_Endpoint.h index 6cc2fefebf..31e239225b 100644 --- a/src/analyzer/protocols/tcp/TCP_Endpoint.h +++ b/src/analyzer/protocols/tcp/TCP_Endpoint.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef tcpendpoint_h -#define tcpendpoint_h +#ifndef ANALYZER_PROTOCOL_TCP_TCP_ENDPOINT_H +#define ANALYZER_PROTOCOL_TCP_TCP_ENDPOINT_H #include "IPAddr.h" diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.h b/src/analyzer/protocols/tcp/TCP_Reassembler.h index ab6eb97b70..8bb80a0570 100644 --- a/src/analyzer/protocols/tcp/TCP_Reassembler.h +++ b/src/analyzer/protocols/tcp/TCP_Reassembler.h @@ -1,5 +1,5 @@ -#ifndef TCP_REASSEMBLER_H -#define TCP_REASSEMBLER_H +#ifndef ANALYZER_PROTOCOL_TCP_TCP_REASSEMBLER_H +#define ANALYZER_PROTOCOL_TCP_TCP_REASSEMBLER_H #include "Reassem.h" #include "TCP_Endpoint.h" diff --git a/src/analyzer/protocols/teredo/Teredo.h b/src/analyzer/protocols/teredo/Teredo.h index b202a6e729..0da007187d 100644 --- a/src/analyzer/protocols/teredo/Teredo.h +++ b/src/analyzer/protocols/teredo/Teredo.h 
@@ -1,5 +1,5 @@ -#ifndef Teredo_h -#define Teredo_h +#ifndef ANALYZER_PROTOCOL_TEREDO_TEREDO_H +#define ANALYZER_PROTOCOL_TEREDO_TEREDO_H #include "analyzer/Analyzer.h" #include "NetVar.h" diff --git a/src/analyzer/protocols/udp/UDP.h b/src/analyzer/protocols/udp/UDP.h index b3ef3bcf2d..bcfee401b0 100644 --- a/src/analyzer/protocols/udp/UDP.h +++ b/src/analyzer/protocols/udp/UDP.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef udp_h -#define udp_h +#ifndef ANALYZER_PROTOCOL_UDP_UDP_H +#define ANALYZER_PROTOCOL_UDP_UDP_H #include "analyzer/Analyzer.h" #include diff --git a/src/analyzer/protocols/zip/ZIP.h b/src/analyzer/protocols/zip/ZIP.h index 7eda1e295f..7753ac2945 100644 --- a/src/analyzer/protocols/zip/ZIP.h +++ b/src/analyzer/protocols/zip/ZIP.h @@ -1,7 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. -#ifndef zip_h -#define zip_h +#ifndef ANALYZER_PROTOCOL_ZIP_ZIP_H +#define ANALYZER_PROTOCOL_ZIP_ZIP_H #include "config.h" From f7a10d915bfb9c33fa647524a33bddee232f6b00 Mon Sep 17 00:00:00 2001 
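Review bot: the TODO hunk removes `- add functions.bif where needed` but leaves `- update *.h guards` in place, although this commit is exactly that guard update; either the functions.bif item belongs to a different commit or the wrong line was deleted. Drop the guards item here so the TODO matches the tree after this commit.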
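Review bot: in the DCE_RPC.h hunk the rename reaches past the include guard: `-#define DCE_RPC_HEADER_LENGTH 16` / `+#define ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_HEADER_LENGTH 16` turns a protocol constant into a guard-style name, apparently from a blanket search-and-replace on the old guard prefix. DCE_RPC.cc is not in this patch's file list, so any use of DCE_RPC_HEADER_LENGTH outside the header would no longer compile. Keep the macro name as it was and limit the change to the #ifndef/#define pair at the top of the file.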
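Review bot: the NCP.h hunk has the same problem: `-#define NCP_TCPIP_HEADER_LENGTH 8` / `+#define ANALYZER_PROTOCOL_NCP_NCP_HEADER_LENGTH 8` renames a frame-length constant and, in doing so, drops the TCPIP part of the name, so it is not even a mechanical prefix swap. NCP.cc is not touched by this patch, so references to NCP_TCPIP_HEADER_LENGTH outside the header would break. Revert that line and unify only the guard.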
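Review bot: the Stats.h hunk changes an already-prefixed guard from ANALYZER_PROTOCOLS_TCP_STATS_H to ANALYZER_PROTOCOL_TCP_STATS_H, and every other new guard in this patch uses the singular ANALYZER_PROTOCOL_ prefix as well, while the files still live under src/analyzer/protocols/. The later "Rename analyzer/protocols -> analyzer/protocol" commit makes the paths match; until then the guard names do not correspond to the directories they are meant to encode, so either mention the pending rename in this commit message or reorder the two patches.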
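Review bot: the TCP.h hunk shows the header including itself (`#include "analyzer/Analyzer.h"` followed by `#include "analyzer/protocols/tcp/TCP.h"` inside TCP.h). The new guard makes the self-include a no-op, so nothing breaks, but the line is dead and should be dropped while the guards are being touched.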
From: Robin Sommer Date: Fri, 19 Apr 2013 15:40:03 -0700 Subject: [PATCH 29/70] Renaming analyzer. --- src/analyzer/protocols/CMakeLists.txt | 2 +- .../protocols/{netbios-ssn => netbios}/CMakeLists.txt | 2 +- src/analyzer/protocols/{netbios-ssn => netbios}/NetbiosSSN.cc | 0 src/analyzer/protocols/{netbios-ssn => netbios}/NetbiosSSN.h | 0 src/analyzer/protocols/{netbios-ssn => netbios}/Plugin.cc | 4 ++-- src/analyzer/protocols/{netbios-ssn => netbios}/events.bif | 0 src/analyzer/protocols/{netbios-ssn => netbios}/functions.bif | 0 7 files changed, 4 insertions(+), 4 deletions(-) rename src/analyzer/protocols/{netbios-ssn => netbios}/CMakeLists.txt (88%) rename src/analyzer/protocols/{netbios-ssn => netbios}/NetbiosSSN.cc (100%) rename src/analyzer/protocols/{netbios-ssn => netbios}/NetbiosSSN.h (100%) rename src/analyzer/protocols/{netbios-ssn => netbios}/Plugin.cc (75%) rename src/analyzer/protocols/{netbios-ssn => netbios}/events.bif (100%) rename src/analyzer/protocols/{netbios-ssn => netbios}/functions.bif (100%) diff --git a/src/analyzer/protocols/CMakeLists.txt b/src/analyzer/protocols/CMakeLists.txt index 004ec72d35..a4e170f52b 100644 --- a/src/analyzer/protocols/CMakeLists.txt +++ b/src/analyzer/protocols/CMakeLists.txt @@ -22,7 +22,7 @@ add_subdirectory(modbus) add_subdirectory(mime) add_subdirectory(ncp) add_subdirectory(netflow) -add_subdirectory(netbios-ssn) +add_subdirectory(netbios) add_subdirectory(ntp) add_subdirectory(pia) add_subdirectory(pop3) diff --git a/src/analyzer/protocols/netbios-ssn/CMakeLists.txt b/src/analyzer/protocols/netbios/CMakeLists.txt similarity index 88% rename from src/analyzer/protocols/netbios-ssn/CMakeLists.txt rename to src/analyzer/protocols/netbios/CMakeLists.txt index 4318fa2b34..6e7c5251a3 100644 --- a/src/analyzer/protocols/netbios-ssn/CMakeLists.txt +++ b/src/analyzer/protocols/netbios/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(NetbiosSSN) +bro_plugin_begin(Netbios) bro_plugin_cc(NetbiosSSN.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc b/src/analyzer/protocols/netbios/NetbiosSSN.cc similarity index 100% rename from src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc rename to src/analyzer/protocols/netbios/NetbiosSSN.cc diff --git a/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h b/src/analyzer/protocols/netbios/NetbiosSSN.h similarity index 100% rename from src/analyzer/protocols/netbios-ssn/NetbiosSSN.h rename to src/analyzer/protocols/netbios/NetbiosSSN.h diff --git a/src/analyzer/protocols/netbios-ssn/Plugin.cc b/src/analyzer/protocols/netbios/Plugin.cc similarity index 75% rename from src/analyzer/protocols/netbios-ssn/Plugin.cc rename to src/analyzer/protocols/netbios/Plugin.cc index 66b4e82d51..7f71dbbe10 100644 --- a/src/analyzer/protocols/netbios-ssn/Plugin.cc +++ b/src/analyzer/protocols/netbios/Plugin.cc @@ -3,8 +3,8 @@ #include "NetbiosSSN.h" -BRO_PLUGIN_BEGIN(NetbiosSSN) - BRO_PLUGIN_DESCRIPTION("NetbiosSSN Analyzer"); +BRO_PLUGIN_BEGIN(Netbios) + BRO_PLUGIN_DESCRIPTION("Netbios Analyzer (SSN only)"); BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocols/netbios-ssn/events.bif b/src/analyzer/protocols/netbios/events.bif similarity index 100% rename from src/analyzer/protocols/netbios-ssn/events.bif rename to src/analyzer/protocols/netbios/events.bif diff --git a/src/analyzer/protocols/netbios-ssn/functions.bif b/src/analyzer/protocols/netbios/functions.bif similarity index 100% rename from src/analyzer/protocols/netbios-ssn/functions.bif rename to src/analyzer/protocols/netbios/functions.bif 
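Review bot: the Plugin.cc hunk renames the plugin to Netbios and the directory to netbios, but the header it includes keeps the guard ANALYZER_PROTOCOL_NETBIOS_SSN_NETBIOSSSN_H introduced by the previous commit, which now encodes a directory that no longer exists (NetbiosSSN.h is listed at 100% similarity, so it was not touched). Rename the guard in the same commit, or fold this rename into the guard-unification patch so the two stay consistent. The analyzer itself is still registered as `BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer)`, which is fine given the "(SSN only)" description, but the commit message should say that only the plugin and directory names change while the analyzer tag and namespace keep the SSN suffix.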
From 4bc2ba60c941d3a4f7f74a854fe3528a19d4250c Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 19 Apr 2013 15:50:57 -0700 Subject: [PATCH 30/70] Rename analyzer/protocols -> analyzer/protocol --- src/Conn.cc | 2 +- src/Func.cc | 2 +- src/RuleAction.cc | 2 +- src/RuleCondition.cc | 2 +- src/Sessions.cc | 20 +++++++++---------- src/Sessions.h | 2 +- src/analyzer/Analyzer.cc | 2 +- src/analyzer/CMakeLists.txt | 2 +- src/analyzer/Manager.cc | 16 +++++++-------- .../{protocols => protocol}/CMakeLists.txt | 0 src/analyzer/{protocols => protocol}/TODO | 2 -- .../{protocols => protocol}/arp/ARP.cc | 0 .../{protocols => protocol}/arp/ARP.h | 0 .../arp/CMakeLists.txt | 0 .../{protocols => protocol}/arp/Plugin.cc | 0 .../{protocols => protocol}/arp/events.bif | 0 .../{protocols => protocol}/ayiya/AYIYA.cc | 0 .../{protocols => protocol}/ayiya/AYIYA.h | 0 .../ayiya/CMakeLists.txt | 0 .../{protocols => protocol}/ayiya/Plugin.cc | 0 .../ayiya/ayiya-analyzer.pac | 0 .../ayiya/ayiya-protocol.pac | 0 .../{protocols => protocol}/ayiya/ayiya.pac | 0 .../{protocols => protocol}/ayiya/events.bif | 0 .../backdoor/BackDoor.cc | 2 +- .../backdoor/BackDoor.h | 4 ++-- .../backdoor/CMakeLists.txt | 0 .../backdoor/Plugin.cc | 0 .../backdoor/events.bif | 0 .../bittorrent/BitTorrent.cc | 2 +- .../bittorrent/BitTorrent.h | 2 +- .../bittorrent/BitTorrentTracker.cc | 2 +- .../bittorrent/BitTorrentTracker.h | 2 +- .../bittorrent/CMakeLists.txt | 0 .../bittorrent/Plugin.cc | 0 .../bittorrent/bittorrent-analyzer.pac | 0 .../bittorrent/bittorrent-protocol.pac | 0 .../bittorrent/bittorrent.pac | 0 .../bittorrent/events.bif | 0 .../conn-size/CMakeLists.txt | 0 .../conn-size/ConnSize.cc | 2 +- .../conn-size/ConnSize.h | 0 .../conn-size/Plugin.cc | 0 .../conn-size/events.bif | 0 .../dce-rpc/CMakeLists.txt | 0 .../dce-rpc/DCE_RPC.cc | 0 .../{protocols => protocol}/dce-rpc/DCE_RPC.h | 6 +++--- .../{protocols => protocol}/dce-rpc/Plugin.cc | 0 .../dce-rpc/dce_rpc-analyzer.pac | 0 .../dce-rpc/dce_rpc-protocol.pac | 0 .../dce-rpc/dce_rpc.pac | 0 
.../dce-rpc/dce_rpc_simple.pac | 0 .../dce-rpc/epmapper.pac | 0 .../dce-rpc/events.bif | 0 .../dhcp/CMakeLists.txt | 0 .../{protocols => protocol}/dhcp/DHCP.cc | 0 .../{protocols => protocol}/dhcp/DHCP.h | 2 +- .../{protocols => protocol}/dhcp/Plugin.cc | 0 .../dhcp/dhcp-analyzer.pac | 0 .../dhcp/dhcp-protocol.pac | 0 .../{protocols => protocol}/dhcp/dhcp.pac | 0 .../{protocols => protocol}/dhcp/events.bif | 0 .../dns/CMakeLists.txt | 0 .../{protocols => protocol}/dns/DNS.cc | 0 .../{protocols => protocol}/dns/DNS.h | 2 +- .../{protocols => protocol}/dns/Plugin.cc | 0 .../{protocols => protocol}/dns/events.bif | 0 .../file/CMakeLists.txt | 0 .../{protocols => protocol}/file/File.cc | 0 .../{protocols => protocol}/file/File.h | 2 +- .../{protocols => protocol}/file/Plugin.cc | 0 .../{protocols => protocol}/file/events.bif | 0 .../finger/CMakeLists.txt | 0 .../{protocols => protocol}/finger/Finger.cc | 2 +- .../{protocols => protocol}/finger/Finger.h | 4 ++-- .../{protocols => protocol}/finger/Plugin.cc | 0 .../{protocols => protocol}/finger/events.bif | 0 .../ftp/CMakeLists.txt | 0 .../{protocols => protocol}/ftp/FTP.cc | 2 +- .../{protocols => protocol}/ftp/FTP.h | 4 ++-- .../{protocols => protocol}/ftp/Plugin.cc | 0 .../{protocols => protocol}/ftp/events.bif | 0 .../{protocols => protocol}/ftp/functions.bif | 0 .../gnutella/CMakeLists.txt | 0 .../gnutella/Gnutella.cc | 2 +- .../gnutella/Gnutella.h | 2 +- .../gnutella/Plugin.cc | 0 .../gnutella/events.bif | 0 .../gtpv1/CMakeLists.txt | 0 .../{protocols => protocol}/gtpv1/GTPv1.cc | 0 .../{protocols => protocol}/gtpv1/GTPv1.h | 0 .../{protocols => protocol}/gtpv1/Plugin.cc | 0 .../{protocols => protocol}/gtpv1/events.bif | 0 .../gtpv1/gtpv1-analyzer.pac | 0 .../gtpv1/gtpv1-protocol.pac | 0 .../{protocols => protocol}/gtpv1/gtpv1.pac | 0 .../http/CMakeLists.txt | 0 .../{protocols => protocol}/http/HTTP.cc | 2 +- .../{protocols => protocol}/http/HTTP.h | 8 ++++---- .../{protocols => protocol}/http/Plugin.cc | 0 
.../{protocols => protocol}/http/events.bif | 0 .../http/functions.bif | 2 +- .../icmp/CMakeLists.txt | 0 .../{protocols => protocol}/icmp/ICMP.cc | 0 .../{protocols => protocol}/icmp/ICMP.h | 0 .../{protocols => protocol}/icmp/Plugin.cc | 0 .../{protocols => protocol}/icmp/events.bif | 0 .../ident/CMakeLists.txt | 0 .../{protocols => protocol}/ident/Ident.cc | 0 .../{protocols => protocol}/ident/Ident.h | 4 ++-- .../{protocols => protocol}/ident/Plugin.cc | 0 .../{protocols => protocol}/ident/events.bif | 0 .../interconn/CMakeLists.txt | 0 .../interconn/InterConn.cc | 2 +- .../interconn/InterConn.h | 2 +- .../interconn/Plugin.cc | 0 .../interconn/events.bif | 0 .../irc/CMakeLists.txt | 0 .../{protocols => protocol}/irc/IRC.cc | 4 ++-- .../{protocols => protocol}/irc/IRC.h | 2 +- .../{protocols => protocol}/irc/Plugin.cc | 0 .../{protocols => protocol}/irc/events.bif | 0 .../login/CMakeLists.txt | 0 .../{protocols => protocol}/login/Login.cc | 0 .../{protocols => protocol}/login/Login.h | 2 +- .../{protocols => protocol}/login/NVT.cc | 2 +- .../{protocols => protocol}/login/NVT.h | 2 +- .../{protocols => protocol}/login/Plugin.cc | 0 .../{protocols => protocol}/login/RSH.cc | 0 .../{protocols => protocol}/login/RSH.h | 2 +- .../{protocols => protocol}/login/Rlogin.cc | 0 .../{protocols => protocol}/login/Rlogin.h | 2 +- .../{protocols => protocol}/login/Telnet.cc | 0 .../{protocols => protocol}/login/Telnet.h | 0 .../{protocols => protocol}/login/events.bif | 0 .../login/functions.bif | 0 .../mime/CMakeLists.txt | 0 .../{protocols => protocol}/mime/MIME.cc | 0 .../{protocols => protocol}/mime/MIME.h | 0 .../{protocols => protocol}/mime/Plugin.cc | 0 .../{protocols => protocol}/mime/events.bif | 0 .../modbus/CMakeLists.txt | 0 .../{protocols => protocol}/modbus/Modbus.cc | 2 +- .../{protocols => protocol}/modbus/Modbus.h | 2 +- .../{protocols => protocol}/modbus/Plugin.cc | 0 .../{protocols => protocol}/modbus/events.bif | 0 .../modbus/modbus-analyzer.pac | 0 
.../modbus/modbus-protocol.pac | 0 .../{protocols => protocol}/modbus/modbus.pac | 0 .../ncp/CMakeLists.txt | 0 .../{protocols => protocol}/ncp/NCP.cc | 0 .../{protocols => protocol}/ncp/NCP.h | 4 ++-- .../{protocols => protocol}/ncp/NCP_func.def | 0 .../{protocols => protocol}/ncp/Plugin.cc | 0 .../{protocols => protocol}/ncp/events.bif | 0 .../{protocols => protocol}/ncp/ncp.pac | 0 .../netbios/CMakeLists.txt | 0 .../netbios/NetbiosSSN.cc | 0 .../netbios/NetbiosSSN.h | 6 +++--- .../{protocols => protocol}/netbios/Plugin.cc | 0 .../netbios/events.bif | 0 .../netbios/functions.bif | 0 .../netflow/CMakeLists.txt | 0 .../{protocols => protocol}/netflow/Plugin.cc | 0 .../netflow/events.bif | 0 .../netflow/netflow-analyzer.pac | 0 .../netflow/netflow-protocol.pac | 0 .../netflow/netflow.pac | 0 .../ntp/CMakeLists.txt | 0 .../{protocols => protocol}/ntp/NTP.cc | 0 .../{protocols => protocol}/ntp/NTP.h | 2 +- .../{protocols => protocol}/ntp/Plugin.cc | 0 .../{protocols => protocol}/ntp/events.bif | 0 .../pia/CMakeLists.txt | 0 .../{protocols => protocol}/pia/PIA.cc | 2 +- .../{protocols => protocol}/pia/PIA.h | 2 +- .../{protocols => protocol}/pia/Plugin.cc | 0 .../{protocols => protocol}/pia/events.bif | 0 .../pop3/CMakeLists.txt | 0 .../{protocols => protocol}/pop3/POP3.cc | 2 +- .../{protocols => protocol}/pop3/POP3.h | 6 +++--- .../{protocols => protocol}/pop3/POP3_cmd.def | 0 .../{protocols => protocol}/pop3/Plugin.cc | 0 .../{protocols => protocol}/pop3/events.bif | 0 .../rpc/CMakeLists.txt | 0 .../{protocols => protocol}/rpc/NFS.cc | 0 .../{protocols => protocol}/rpc/NFS.h | 0 .../{protocols => protocol}/rpc/Plugin.cc | 0 .../{protocols => protocol}/rpc/Portmap.cc | 0 .../{protocols => protocol}/rpc/Portmap.h | 0 .../{protocols => protocol}/rpc/RPC.cc | 0 .../{protocols => protocol}/rpc/RPC.h | 4 ++-- .../{protocols => protocol}/rpc/XDR.cc | 0 .../{protocols => protocol}/rpc/XDR.h | 0 .../{protocols => protocol}/rpc/events.bif | 0 .../smb/CMakeLists.txt | 0 
.../{protocols => protocol}/smb/Plugin.cc | 0 .../{protocols => protocol}/smb/SMB.cc | 0 .../{protocols => protocol}/smb/SMB.h | 4 ++-- .../{protocols => protocol}/smb/SMB_COM.def | 0 .../{protocols => protocol}/smb/events.bif | 0 .../smb/smb-mailslot.pac | 0 .../{protocols => protocol}/smb/smb-pipe.pac | 0 .../smb/smb-protocol.pac | 0 .../{protocols => protocol}/smb/smb.pac | 0 .../smtp/CMakeLists.txt | 0 .../{protocols => protocol}/smtp/Plugin.cc | 0 .../{protocols => protocol}/smtp/SMTP.cc | 2 +- .../{protocols => protocol}/smtp/SMTP.h | 4 ++-- .../{protocols => protocol}/smtp/SMTP_cmd.def | 0 .../{protocols => protocol}/smtp/events.bif | 0 .../smtp/functions.bif | 2 +- .../socks/CMakeLists.txt | 0 .../{protocols => protocol}/socks/Plugin.cc | 0 .../{protocols => protocol}/socks/SOCKS.cc | 2 +- .../{protocols => protocol}/socks/SOCKS.h | 4 ++-- .../{protocols => protocol}/socks/events.bif | 0 .../socks/socks-analyzer.pac | 0 .../socks/socks-protocol.pac | 0 .../{protocols => protocol}/socks/socks.pac | 0 .../ssh/CMakeLists.txt | 0 .../{protocols => protocol}/ssh/Plugin.cc | 0 .../{protocols => protocol}/ssh/SSH.cc | 2 +- .../{protocols => protocol}/ssh/SSH.h | 4 ++-- .../{protocols => protocol}/ssh/events.bif | 0 .../ssl/CMakeLists.txt | 0 .../{protocols => protocol}/ssl/Plugin.cc | 0 .../{protocols => protocol}/ssl/SSL.cc | 2 +- .../{protocols => protocol}/ssl/SSL.h | 2 +- .../{protocols => protocol}/ssl/events.bif | 0 .../{protocols => protocol}/ssl/functions.bif | 0 .../ssl/ssl-analyzer.pac | 0 .../{protocols => protocol}/ssl/ssl-defs.pac | 0 .../ssl/ssl-protocol.pac | 0 .../{protocols => protocol}/ssl/ssl.pac | 0 .../stepping-stone/CMakeLists.txt | 0 .../stepping-stone/Plugin.cc | 0 .../stepping-stone/SteppingStone.cc | 2 +- .../stepping-stone/SteppingStone.h | 2 +- .../stepping-stone/events.bif | 0 .../syslog/CMakeLists.txt | 0 .../{protocols => protocol}/syslog/Plugin.cc | 0 .../{protocols => protocol}/syslog/Syslog.cc | 2 +- .../{protocols => 
protocol}/syslog/Syslog.h | 4 ++-- .../{protocols => protocol}/syslog/events.bif | 0 .../syslog/syslog-analyzer.pac | 0 .../syslog/syslog-protocol.pac | 0 .../{protocols => protocol}/syslog/syslog.pac | 0 .../tcp/CMakeLists.txt | 0 .../tcp/ContentLine.cc | 2 +- .../{protocols => protocol}/tcp/ContentLine.h | 2 +- .../{protocols => protocol}/tcp/Plugin.cc | 0 .../{protocols => protocol}/tcp/Stats.cc | 0 .../{protocols => protocol}/tcp/Stats.h | 0 .../{protocols => protocol}/tcp/TCP.cc | 6 +++--- .../{protocols => protocol}/tcp/TCP.h | 2 +- .../tcp/TCP_Endpoint.cc | 2 +- .../tcp/TCP_Endpoint.h | 0 .../tcp/TCP_Reassembler.cc | 2 +- .../tcp/TCP_Reassembler.h | 0 .../{protocols => protocol}/tcp/events.bif | 0 .../{protocols => protocol}/tcp/functions.bif | 2 +- .../teredo/CMakeLists.txt | 0 .../{protocols => protocol}/teredo/Plugin.cc | 0 .../{protocols => protocol}/teredo/Teredo.cc | 0 .../{protocols => protocol}/teredo/Teredo.h | 0 .../{protocols => protocol}/teredo/events.bif | 0 .../udp/CMakeLists.txt | 0 .../{protocols => protocol}/udp/Plugin.cc | 2 +- .../{protocols => protocol}/udp/UDP.cc | 2 +- .../{protocols => protocol}/udp/UDP.h | 0 .../{protocols => protocol}/udp/events.bif | 0 .../zip/CMakeLists.txt | 0 .../{protocols => protocol}/zip/Plugin.cc | 0 .../{protocols => protocol}/zip/ZIP.cc | 0 .../{protocols => protocol}/zip/ZIP.h | 2 +- .../{protocols => protocol}/zip/events.bif | 0 src/bro.bif | 2 +- src/parse.y | 2 +- 279 files changed, 114 insertions(+), 116 deletions(-) rename src/analyzer/{protocols => protocol}/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/TODO (64%) rename src/analyzer/{protocols => protocol}/arp/ARP.cc (100%) rename src/analyzer/{protocols => protocol}/arp/ARP.h (100%) rename src/analyzer/{protocols => protocol}/arp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/arp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/arp/events.bif (100%) rename src/analyzer/{protocols => 
protocol}/ayiya/AYIYA.cc (100%) rename src/analyzer/{protocols => protocol}/ayiya/AYIYA.h (100%) rename src/analyzer/{protocols => protocol}/ayiya/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ayiya/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ayiya/ayiya-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/ayiya/ayiya-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/ayiya/ayiya.pac (100%) rename src/analyzer/{protocols => protocol}/ayiya/events.bif (100%) rename src/analyzer/{protocols => protocol}/backdoor/BackDoor.cc (99%) rename src/analyzer/{protocols => protocol}/backdoor/BackDoor.h (97%) rename src/analyzer/{protocols => protocol}/backdoor/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/backdoor/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/backdoor/events.bif (100%) rename src/analyzer/{protocols => protocol}/bittorrent/BitTorrent.cc (98%) rename src/analyzer/{protocols => protocol}/bittorrent/BitTorrent.h (95%) rename src/analyzer/{protocols => protocol}/bittorrent/BitTorrentTracker.cc (99%) rename src/analyzer/{protocols => protocol}/bittorrent/BitTorrentTracker.h (98%) rename src/analyzer/{protocols => protocol}/bittorrent/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/bittorrent/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/bittorrent/bittorrent-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/bittorrent/bittorrent-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/bittorrent/bittorrent.pac (100%) rename src/analyzer/{protocols => protocol}/bittorrent/events.bif (100%) rename src/analyzer/{protocols => protocol}/conn-size/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/conn-size/ConnSize.cc (98%) rename src/analyzer/{protocols => protocol}/conn-size/ConnSize.h (100%) rename src/analyzer/{protocols => protocol}/conn-size/Plugin.cc (100%) rename src/analyzer/{protocols => 
protocol}/conn-size/events.bif (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/DCE_RPC.cc (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/DCE_RPC.h (96%) rename src/analyzer/{protocols => protocol}/dce-rpc/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/dce_rpc-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/dce_rpc-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/dce_rpc.pac (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/dce_rpc_simple.pac (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/epmapper.pac (100%) rename src/analyzer/{protocols => protocol}/dce-rpc/events.bif (100%) rename src/analyzer/{protocols => protocol}/dhcp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/dhcp/DHCP.cc (100%) rename src/analyzer/{protocols => protocol}/dhcp/DHCP.h (93%) rename src/analyzer/{protocols => protocol}/dhcp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/dhcp/dhcp-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/dhcp/dhcp-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/dhcp/dhcp.pac (100%) rename src/analyzer/{protocols => protocol}/dhcp/events.bif (100%) rename src/analyzer/{protocols => protocol}/dns/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/dns/DNS.cc (100%) rename src/analyzer/{protocols => protocol}/dns/DNS.h (99%) rename src/analyzer/{protocols => protocol}/dns/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/dns/events.bif (100%) rename src/analyzer/{protocols => protocol}/file/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/file/File.cc (100%) rename src/analyzer/{protocols => protocol}/file/File.h (94%) rename src/analyzer/{protocols => protocol}/file/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/file/events.bif (100%) rename src/analyzer/{protocols => 
protocol}/finger/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/finger/Finger.cc (97%) rename src/analyzer/{protocols => protocol}/finger/Finger.h (89%) rename src/analyzer/{protocols => protocol}/finger/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/finger/events.bif (100%) rename src/analyzer/{protocols => protocol}/ftp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ftp/FTP.cc (99%) rename src/analyzer/{protocols => protocol}/ftp/FTP.h (94%) rename src/analyzer/{protocols => protocol}/ftp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ftp/events.bif (100%) rename src/analyzer/{protocols => protocol}/ftp/functions.bif (100%) rename src/analyzer/{protocols => protocol}/gnutella/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/gnutella/Gnutella.cc (99%) rename src/analyzer/{protocols => protocol}/gnutella/Gnutella.h (97%) rename src/analyzer/{protocols => protocol}/gnutella/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/gnutella/events.bif (100%) rename src/analyzer/{protocols => protocol}/gtpv1/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/gtpv1/GTPv1.cc (100%) rename src/analyzer/{protocols => protocol}/gtpv1/GTPv1.h (100%) rename src/analyzer/{protocols => protocol}/gtpv1/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/gtpv1/events.bif (100%) rename src/analyzer/{protocols => protocol}/gtpv1/gtpv1-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/gtpv1/gtpv1-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/gtpv1/gtpv1.pac (100%) rename src/analyzer/{protocols => protocol}/http/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/http/HTTP.cc (99%) rename src/analyzer/{protocols => protocol}/http/HTTP.h (97%) rename src/analyzer/{protocols => protocol}/http/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/http/events.bif (100%) rename src/analyzer/{protocols => 
protocol}/http/functions.bif (97%) rename src/analyzer/{protocols => protocol}/icmp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/icmp/ICMP.cc (100%) rename src/analyzer/{protocols => protocol}/icmp/ICMP.h (100%) rename src/analyzer/{protocols => protocol}/icmp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/icmp/events.bif (100%) rename src/analyzer/{protocols => protocol}/ident/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ident/Ident.cc (100%) rename src/analyzer/{protocols => protocol}/ident/Ident.h (91%) rename src/analyzer/{protocols => protocol}/ident/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ident/events.bif (100%) rename src/analyzer/{protocols => protocol}/interconn/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/interconn/InterConn.cc (99%) rename src/analyzer/{protocols => protocol}/interconn/InterConn.h (98%) rename src/analyzer/{protocols => protocol}/interconn/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/interconn/events.bif (100%) rename src/analyzer/{protocols => protocol}/irc/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/irc/IRC.cc (99%) rename src/analyzer/{protocols => protocol}/irc/IRC.h (97%) rename src/analyzer/{protocols => protocol}/irc/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/irc/events.bif (100%) rename src/analyzer/{protocols => protocol}/login/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/login/Login.cc (100%) rename src/analyzer/{protocols => protocol}/login/Login.h (98%) rename src/analyzer/{protocols => protocol}/login/NVT.cc (99%) rename src/analyzer/{protocols => protocol}/login/NVT.h (98%) rename src/analyzer/{protocols => protocol}/login/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/login/RSH.cc (100%) rename src/analyzer/{protocols => protocol}/login/RSH.h (96%) rename src/analyzer/{protocols => protocol}/login/Rlogin.cc (100%) rename 
src/analyzer/{protocols => protocol}/login/Rlogin.h (97%) rename src/analyzer/{protocols => protocol}/login/Telnet.cc (100%) rename src/analyzer/{protocols => protocol}/login/Telnet.h (100%) rename src/analyzer/{protocols => protocol}/login/events.bif (100%) rename src/analyzer/{protocols => protocol}/login/functions.bif (100%) rename src/analyzer/{protocols => protocol}/mime/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/mime/MIME.cc (100%) rename src/analyzer/{protocols => protocol}/mime/MIME.h (100%) rename src/analyzer/{protocols => protocol}/mime/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/mime/events.bif (100%) rename src/analyzer/{protocols => protocol}/modbus/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/modbus/Modbus.cc (94%) rename src/analyzer/{protocols => protocol}/modbus/Modbus.h (94%) rename src/analyzer/{protocols => protocol}/modbus/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/modbus/events.bif (100%) rename src/analyzer/{protocols => protocol}/modbus/modbus-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/modbus/modbus-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/modbus/modbus.pac (100%) rename src/analyzer/{protocols => protocol}/ncp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ncp/NCP.cc (100%) rename src/analyzer/{protocols => protocol}/ncp/NCP.h (96%) rename src/analyzer/{protocols => protocol}/ncp/NCP_func.def (100%) rename src/analyzer/{protocols => protocol}/ncp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ncp/events.bif (100%) rename src/analyzer/{protocols => protocol}/ncp/ncp.pac (100%) rename src/analyzer/{protocols => protocol}/netbios/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/netbios/NetbiosSSN.cc (100%) rename src/analyzer/{protocols => protocol}/netbios/NetbiosSSN.h (97%) rename src/analyzer/{protocols => protocol}/netbios/Plugin.cc (100%) rename 
src/analyzer/{protocols => protocol}/netbios/events.bif (100%) rename src/analyzer/{protocols => protocol}/netbios/functions.bif (100%) rename src/analyzer/{protocols => protocol}/netflow/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/netflow/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/netflow/events.bif (100%) rename src/analyzer/{protocols => protocol}/netflow/netflow-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/netflow/netflow-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/netflow/netflow.pac (100%) rename src/analyzer/{protocols => protocol}/ntp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ntp/NTP.cc (100%) rename src/analyzer/{protocols => protocol}/ntp/NTP.h (97%) rename src/analyzer/{protocols => protocol}/ntp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ntp/events.bif (100%) rename src/analyzer/{protocols => protocol}/pia/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/pia/PIA.cc (99%) rename src/analyzer/{protocols => protocol}/pia/PIA.h (99%) rename src/analyzer/{protocols => protocol}/pia/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/pia/events.bif (100%) rename src/analyzer/{protocols => protocol}/pop3/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/pop3/POP3.cc (99%) rename src/analyzer/{protocols => protocol}/pop3/POP3.h (94%) rename src/analyzer/{protocols => protocol}/pop3/POP3_cmd.def (100%) rename src/analyzer/{protocols => protocol}/pop3/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/pop3/events.bif (100%) rename src/analyzer/{protocols => protocol}/rpc/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/rpc/NFS.cc (100%) rename src/analyzer/{protocols => protocol}/rpc/NFS.h (100%) rename src/analyzer/{protocols => protocol}/rpc/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/rpc/Portmap.cc (100%) rename src/analyzer/{protocols => 
protocol}/rpc/Portmap.h (100%) rename src/analyzer/{protocols => protocol}/rpc/RPC.cc (100%) rename src/analyzer/{protocols => protocol}/rpc/RPC.h (98%) rename src/analyzer/{protocols => protocol}/rpc/XDR.cc (100%) rename src/analyzer/{protocols => protocol}/rpc/XDR.h (100%) rename src/analyzer/{protocols => protocol}/rpc/events.bif (100%) rename src/analyzer/{protocols => protocol}/smb/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/smb/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/smb/SMB.cc (100%) rename src/analyzer/{protocols => protocol}/smb/SMB.h (98%) rename src/analyzer/{protocols => protocol}/smb/SMB_COM.def (100%) rename src/analyzer/{protocols => protocol}/smb/events.bif (100%) rename src/analyzer/{protocols => protocol}/smb/smb-mailslot.pac (100%) rename src/analyzer/{protocols => protocol}/smb/smb-pipe.pac (100%) rename src/analyzer/{protocols => protocol}/smb/smb-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/smb/smb.pac (100%) rename src/analyzer/{protocols => protocol}/smtp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/smtp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/smtp/SMTP.cc (99%) rename src/analyzer/{protocols => protocol}/smtp/SMTP.h (97%) rename src/analyzer/{protocols => protocol}/smtp/SMTP_cmd.def (100%) rename src/analyzer/{protocols => protocol}/smtp/events.bif (100%) rename src/analyzer/{protocols => protocol}/smtp/functions.bif (88%) rename src/analyzer/{protocols => protocol}/socks/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/socks/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/socks/SOCKS.cc (97%) rename src/analyzer/{protocols => protocol}/socks/SOCKS.h (91%) rename src/analyzer/{protocols => protocol}/socks/events.bif (100%) rename src/analyzer/{protocols => protocol}/socks/socks-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/socks/socks-protocol.pac (100%) rename src/analyzer/{protocols => 
protocol}/socks/socks.pac (100%) rename src/analyzer/{protocols => protocol}/ssh/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ssh/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ssh/SSH.cc (98%) rename src/analyzer/{protocols => protocol}/ssh/SSH.h (86%) rename src/analyzer/{protocols => protocol}/ssh/events.bif (100%) rename src/analyzer/{protocols => protocol}/ssl/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/ssl/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/ssl/SSL.cc (96%) rename src/analyzer/{protocols => protocol}/ssl/SSL.h (95%) rename src/analyzer/{protocols => protocol}/ssl/events.bif (100%) rename src/analyzer/{protocols => protocol}/ssl/functions.bif (100%) rename src/analyzer/{protocols => protocol}/ssl/ssl-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/ssl/ssl-defs.pac (100%) rename src/analyzer/{protocols => protocol}/ssl/ssl-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/ssl/ssl.pac (100%) rename src/analyzer/{protocols => protocol}/stepping-stone/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/stepping-stone/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/stepping-stone/SteppingStone.cc (99%) rename src/analyzer/{protocols => protocol}/stepping-stone/SteppingStone.h (98%) rename src/analyzer/{protocols => protocol}/stepping-stone/events.bif (100%) rename src/analyzer/{protocols => protocol}/syslog/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/syslog/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/syslog/Syslog.cc (97%) rename src/analyzer/{protocols => protocol}/syslog/Syslog.h (94%) rename src/analyzer/{protocols => protocol}/syslog/events.bif (100%) rename src/analyzer/{protocols => protocol}/syslog/syslog-analyzer.pac (100%) rename src/analyzer/{protocols => protocol}/syslog/syslog-protocol.pac (100%) rename src/analyzer/{protocols => protocol}/syslog/syslog.pac (100%) rename 
src/analyzer/{protocols => protocol}/tcp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/tcp/ContentLine.cc (99%) rename src/analyzer/{protocols => protocol}/tcp/ContentLine.h (98%) rename src/analyzer/{protocols => protocol}/tcp/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/tcp/Stats.cc (100%) rename src/analyzer/{protocols => protocol}/tcp/Stats.h (100%) rename src/analyzer/{protocols => protocol}/tcp/TCP.cc (99%) rename src/analyzer/{protocols => protocol}/tcp/TCP.h (99%) rename src/analyzer/{protocols => protocol}/tcp/TCP_Endpoint.cc (99%) rename src/analyzer/{protocols => protocol}/tcp/TCP_Endpoint.h (100%) rename src/analyzer/{protocols => protocol}/tcp/TCP_Reassembler.cc (99%) rename src/analyzer/{protocols => protocol}/tcp/TCP_Reassembler.h (100%) rename src/analyzer/{protocols => protocol}/tcp/events.bif (100%) rename src/analyzer/{protocols => protocol}/tcp/functions.bif (99%) rename src/analyzer/{protocols => protocol}/teredo/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/teredo/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/teredo/Teredo.cc (100%) rename src/analyzer/{protocols => protocol}/teredo/Teredo.h (100%) rename src/analyzer/{protocols => protocol}/teredo/events.bif (100%) rename src/analyzer/{protocols => protocol}/udp/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/udp/Plugin.cc (82%) rename src/analyzer/{protocols => protocol}/udp/UDP.cc (99%) rename src/analyzer/{protocols => protocol}/udp/UDP.h (100%) rename src/analyzer/{protocols => protocol}/udp/events.bif (100%) rename src/analyzer/{protocols => protocol}/zip/CMakeLists.txt (100%) rename src/analyzer/{protocols => protocol}/zip/Plugin.cc (100%) rename src/analyzer/{protocols => protocol}/zip/ZIP.cc (100%) rename src/analyzer/{protocols => protocol}/zip/ZIP.h (94%) rename src/analyzer/{protocols => protocol}/zip/events.bif (100%) diff --git a/src/Conn.cc b/src/Conn.cc index 1756d3860e..fb6ca3d810 100644 
--- a/src/Conn.cc +++ b/src/Conn.cc @@ -11,7 +11,7 @@ #include "Sessions.h" #include "Reporter.h" #include "Timer.h" -#include "analyzer/protocols/pia/PIA.h" +#include "analyzer/protocol/pia/PIA.h" #include "binpac.h" #include "TunnelEncapsulation.h" #include "analyzer/Analyzer.h" diff --git a/src/Func.cc b/src/Func.cc index 668499d2ed..f3718fe231 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -38,7 +38,7 @@ #include "Func.h" #include "Frame.h" #include "Var.h" -#include "analyzer/protocols/login/Login.h" +#include "analyzer/protocol/login/Login.h" #include "Sessions.h" #include "RE.h" #include "Serializer.h" diff --git a/src/RuleAction.cc b/src/RuleAction.cc index 4e279e2cab..a13392ee40 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc @@ -8,7 +8,7 @@ using std::string; #include "Conn.h" #include "Event.h" #include "NetVar.h" -#include "analyzer/protocols/pia/PIA.h" +#include "analyzer/protocol/pia/PIA.h" #include "analyzer/Manager.h" diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index 2296628878..36d8cba39d 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc @@ -1,7 +1,7 @@ #include "config.h" #include "RuleCondition.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "Scope.h" static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e) diff --git a/src/Sessions.cc b/src/Sessions.cc index 29c7a57e8f..6fa26c6f36 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc 
@@ -16,17 +16,17 @@ #include "Reporter.h" #include "OSFinger.h" -#include "analyzer/protocols/icmp/ICMP.h" -#include "analyzer/protocols/udp/UDP.h" +#include "analyzer/protocol/icmp/ICMP.h" +#include "analyzer/protocol/udp/UDP.h" -#include "analyzer/protocols/stepping-stone/SteppingStone.h" -#include "analyzer/protocols/stepping-stone/events.bif.h" -#include "analyzer/protocols/backdoor/BackDoor.h" -#include "analyzer/protocols/backdoor/events.bif.h" -#include "analyzer/protocols/interconn/InterConn.h" -#include "analyzer/protocols/interconn/events.bif.h" -#include "analyzer/protocols/arp/ARP.h" -#include "analyzer/protocols/arp/events.bif.h" +#include "analyzer/protocol/stepping-stone/SteppingStone.h" +#include "analyzer/protocol/stepping-stone/events.bif.h" +#include "analyzer/protocol/backdoor/BackDoor.h" +#include "analyzer/protocol/backdoor/events.bif.h" +#include "analyzer/protocol/interconn/InterConn.h" +#include "analyzer/protocol/interconn/events.bif.h" +#include "analyzer/protocol/arp/ARP.h" +#include "analyzer/protocol/arp/events.bif.h" #include "Discard.h" #include "RuleMatcher.h" diff --git a/src/Sessions.h b/src/Sessions.h index a5488bd188..27b052ba2d 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -11,7 +11,7 @@ #include "Stats.h" #include "NetVar.h" #include "TunnelEncapsulation.h" -#include "analyzer/protocols/tcp/Stats.h" +#include "analyzer/protocol/tcp/Stats.h" #include diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index 098535d0a9..72dbb2d4a5 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -4,7 +4,7 @@ #include "Analyzer.h" #include "Manager.h" -#include "analyzer/protocols/pia/PIA.h" +#include "analyzer/protocol/pia/PIA.h" #include "../Event.h" namespace analyzer { diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt index 1d0589c5bf..026bbac80a 100644 --- a/src/analyzer/CMakeLists.txt +++ b/src/analyzer/CMakeLists.txt 
@@ -4,7 +4,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR} ) -add_subdirectory(protocols) +add_subdirectory(protocol) set(analyzer_SRCS Analyzer.cc diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 45fce936fd..d337c0b849 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -4,14 +4,14 @@ #include "Hash.h" #include "Val.h" -#include "analyzer/protocols/backdoor/BackDoor.h" -#include "analyzer/protocols/conn-size/ConnSize.h" -#include "analyzer/protocols/icmp/ICMP.h" -#include "analyzer/protocols/interconn/InterConn.h" -#include "analyzer/protocols/pia/PIA.h" -#include "analyzer/protocols/stepping-stone/SteppingStone.h" -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/udp/UDP.h" +#include "analyzer/protocol/backdoor/BackDoor.h" +#include "analyzer/protocol/conn-size/ConnSize.h" +#include "analyzer/protocol/icmp/ICMP.h" +#include "analyzer/protocol/interconn/InterConn.h" +#include "analyzer/protocol/pia/PIA.h" +#include "analyzer/protocol/stepping-stone/SteppingStone.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/udp/UDP.h" #include "plugin/Manager.h" diff --git a/src/analyzer/protocols/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/CMakeLists.txt rename to src/analyzer/protocol/CMakeLists.txt diff --git a/src/analyzer/protocols/TODO b/src/analyzer/protocol/TODO similarity index 64% rename from src/analyzer/protocols/TODO rename to src/analyzer/protocol/TODO index 61a17a95c9..4302252a49 100644 --- a/src/analyzer/protocols/TODO +++ b/src/analyzer/protocol/TODO @@ -1,7 +1,5 @@ -- update *.h guards - cleanup analyzer descriptions - can now lower-case the analyzer name in plugin - not sure cmake dependencies work right yet -- rename analyzers/protocols to analyzer/protocol 
diff --git a/src/analyzer/protocols/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc similarity index 100% rename from src/analyzer/protocols/arp/ARP.cc rename to src/analyzer/protocol/arp/ARP.cc diff --git a/src/analyzer/protocols/arp/ARP.h b/src/analyzer/protocol/arp/ARP.h similarity index 100% rename from src/analyzer/protocols/arp/ARP.h rename to src/analyzer/protocol/arp/ARP.h diff --git a/src/analyzer/protocols/arp/CMakeLists.txt b/src/analyzer/protocol/arp/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/arp/CMakeLists.txt rename to src/analyzer/protocol/arp/CMakeLists.txt diff --git a/src/analyzer/protocols/arp/Plugin.cc b/src/analyzer/protocol/arp/Plugin.cc similarity index 100% rename from src/analyzer/protocols/arp/Plugin.cc rename to src/analyzer/protocol/arp/Plugin.cc diff --git a/src/analyzer/protocols/arp/events.bif b/src/analyzer/protocol/arp/events.bif similarity index 100% rename from src/analyzer/protocols/arp/events.bif rename to src/analyzer/protocol/arp/events.bif diff --git a/src/analyzer/protocols/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc similarity index 100% rename from src/analyzer/protocols/ayiya/AYIYA.cc rename to src/analyzer/protocol/ayiya/AYIYA.cc diff --git a/src/analyzer/protocols/ayiya/AYIYA.h b/src/analyzer/protocol/ayiya/AYIYA.h similarity index 100% rename from src/analyzer/protocols/ayiya/AYIYA.h rename to src/analyzer/protocol/ayiya/AYIYA.h diff --git a/src/analyzer/protocols/ayiya/CMakeLists.txt b/src/analyzer/protocol/ayiya/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/ayiya/CMakeLists.txt rename to src/analyzer/protocol/ayiya/CMakeLists.txt diff --git a/src/analyzer/protocols/ayiya/Plugin.cc b/src/analyzer/protocol/ayiya/Plugin.cc similarity index 100% rename from src/analyzer/protocols/ayiya/Plugin.cc rename to src/analyzer/protocol/ayiya/Plugin.cc 
diff --git a/src/analyzer/protocols/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac similarity index 100% rename from src/analyzer/protocols/ayiya/ayiya-analyzer.pac rename to src/analyzer/protocol/ayiya/ayiya-analyzer.pac diff --git a/src/analyzer/protocols/ayiya/ayiya-protocol.pac b/src/analyzer/protocol/ayiya/ayiya-protocol.pac similarity index 100% rename from src/analyzer/protocols/ayiya/ayiya-protocol.pac rename to src/analyzer/protocol/ayiya/ayiya-protocol.pac diff --git a/src/analyzer/protocols/ayiya/ayiya.pac b/src/analyzer/protocol/ayiya/ayiya.pac similarity index 100% rename from src/analyzer/protocols/ayiya/ayiya.pac rename to src/analyzer/protocol/ayiya/ayiya.pac diff --git a/src/analyzer/protocols/ayiya/events.bif b/src/analyzer/protocol/ayiya/events.bif similarity index 100% rename from src/analyzer/protocols/ayiya/events.bif rename to src/analyzer/protocol/ayiya/events.bif diff --git a/src/analyzer/protocols/backdoor/BackDoor.cc b/src/analyzer/protocol/backdoor/BackDoor.cc similarity index 99% rename from src/analyzer/protocols/backdoor/BackDoor.cc rename to src/analyzer/protocol/backdoor/BackDoor.cc index 19b1a341a7..a466938ff6 100644 --- a/src/analyzer/protocols/backdoor/BackDoor.cc +++ b/src/analyzer/protocol/backdoor/BackDoor.cc @@ -5,7 +5,7 @@ #include "BackDoor.h" #include "Event.h" #include "Net.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/backdoor/BackDoor.h b/src/analyzer/protocol/backdoor/BackDoor.h similarity index 97% rename from src/analyzer/protocols/backdoor/BackDoor.h rename to src/analyzer/protocol/backdoor/BackDoor.h index 36c8430c34..5bc8a67381 100644 --- a/src/analyzer/protocols/backdoor/BackDoor.h +++ b/src/analyzer/protocol/backdoor/BackDoor.h 
@@ -3,10 +3,10 @@ #ifndef ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H #define ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "Timer.h" #include "NetVar.h" -#include "analyzer/protocols/login/Login.h" +#include "analyzer/protocol/login/Login.h" namespace analyzer { namespace backdoor { diff --git a/src/analyzer/protocols/backdoor/CMakeLists.txt b/src/analyzer/protocol/backdoor/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/backdoor/CMakeLists.txt rename to src/analyzer/protocol/backdoor/CMakeLists.txt diff --git a/src/analyzer/protocols/backdoor/Plugin.cc b/src/analyzer/protocol/backdoor/Plugin.cc similarity index 100% rename from src/analyzer/protocols/backdoor/Plugin.cc rename to src/analyzer/protocol/backdoor/Plugin.cc diff --git a/src/analyzer/protocols/backdoor/events.bif b/src/analyzer/protocol/backdoor/events.bif similarity index 100% rename from src/analyzer/protocols/backdoor/events.bif rename to src/analyzer/protocol/backdoor/events.bif diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc similarity index 98% rename from src/analyzer/protocols/bittorrent/BitTorrent.cc rename to src/analyzer/protocol/bittorrent/BitTorrent.cc index fc66987cc7..99fd9dc132 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc @@ -1,7 +1,7 @@ // This code contributed by Nadi Sarrar. #include "BitTorrent.h" -#include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/bittorrent/BitTorrent.h b/src/analyzer/protocol/bittorrent/BitTorrent.h similarity index 95% rename from src/analyzer/protocols/bittorrent/BitTorrent.h rename to src/analyzer/protocol/bittorrent/BitTorrent.h index 4065b45648..7739463052 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrent.h 
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.h @@ -3,7 +3,7 @@ #ifndef ANALYZER_PROTOCOL_BITTORRENT_BITTORRENT_H #define ANALYZER_PROTOCOL_BITTORRENT_BITTORRENT_H -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "bittorrent_pac.h" diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc similarity index 99% rename from src/analyzer/protocols/bittorrent/BitTorrentTracker.cc rename to src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index 18d1fe8ab9..b32db9a8bd 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc @@ -1,7 +1,7 @@ // This code contributed by Nadi Sarrar. #include "BitTorrentTracker.h" -#include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h similarity index 98% rename from src/analyzer/protocols/bittorrent/BitTorrentTracker.h rename to src/analyzer/protocol/bittorrent/BitTorrentTracker.h index 572a8d2093..b041e556b7 100644 --- a/src/analyzer/protocols/bittorrent/BitTorrentTracker.h +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h @@ -3,7 +3,7 @@ #ifndef ANALYZER_PROTOCOL_BITTORRENT_BITTORRENTTRACKER_H #define ANALYZER_PROTOCOL_BITTORRENT_BITTORRENTTRACKER_H -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #define BTTRACKER_BUF 2048 diff --git a/src/analyzer/protocols/bittorrent/CMakeLists.txt b/src/analyzer/protocol/bittorrent/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/bittorrent/CMakeLists.txt rename to src/analyzer/protocol/bittorrent/CMakeLists.txt 
diff --git a/src/analyzer/protocols/bittorrent/Plugin.cc b/src/analyzer/protocol/bittorrent/Plugin.cc similarity index 100% rename from src/analyzer/protocols/bittorrent/Plugin.cc rename to src/analyzer/protocol/bittorrent/Plugin.cc diff --git a/src/analyzer/protocols/bittorrent/bittorrent-analyzer.pac b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac similarity index 100% rename from src/analyzer/protocols/bittorrent/bittorrent-analyzer.pac rename to src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac diff --git a/src/analyzer/protocols/bittorrent/bittorrent-protocol.pac b/src/analyzer/protocol/bittorrent/bittorrent-protocol.pac similarity index 100% rename from src/analyzer/protocols/bittorrent/bittorrent-protocol.pac rename to src/analyzer/protocol/bittorrent/bittorrent-protocol.pac diff --git a/src/analyzer/protocols/bittorrent/bittorrent.pac b/src/analyzer/protocol/bittorrent/bittorrent.pac similarity index 100% rename from src/analyzer/protocols/bittorrent/bittorrent.pac rename to src/analyzer/protocol/bittorrent/bittorrent.pac diff --git a/src/analyzer/protocols/bittorrent/events.bif b/src/analyzer/protocol/bittorrent/events.bif similarity index 100% rename from src/analyzer/protocols/bittorrent/events.bif rename to src/analyzer/protocol/bittorrent/events.bif diff --git a/src/analyzer/protocols/conn-size/CMakeLists.txt b/src/analyzer/protocol/conn-size/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/conn-size/CMakeLists.txt rename to src/analyzer/protocol/conn-size/CMakeLists.txt diff --git a/src/analyzer/protocols/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc similarity index 98% rename from src/analyzer/protocols/conn-size/ConnSize.cc rename to src/analyzer/protocol/conn-size/ConnSize.cc index 7d85fe4a0c..b912fe3d2d 100644 --- a/src/analyzer/protocols/conn-size/ConnSize.cc +++ b/src/analyzer/protocol/conn-size/ConnSize.cc 
@@ -4,7 +4,7 @@ #include "ConnSize.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/conn-size/ConnSize.h b/src/analyzer/protocol/conn-size/ConnSize.h similarity index 100% rename from src/analyzer/protocols/conn-size/ConnSize.h rename to src/analyzer/protocol/conn-size/ConnSize.h diff --git a/src/analyzer/protocols/conn-size/Plugin.cc b/src/analyzer/protocol/conn-size/Plugin.cc similarity index 100% rename from src/analyzer/protocols/conn-size/Plugin.cc rename to src/analyzer/protocol/conn-size/Plugin.cc diff --git a/src/analyzer/protocols/conn-size/events.bif b/src/analyzer/protocol/conn-size/events.bif similarity index 100% rename from src/analyzer/protocols/conn-size/events.bif rename to src/analyzer/protocol/conn-size/events.bif diff --git a/src/analyzer/protocols/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/dce-rpc/CMakeLists.txt rename to src/analyzer/protocol/dce-rpc/CMakeLists.txt diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.cc b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc similarity index 100% rename from src/analyzer/protocols/dce-rpc/DCE_RPC.cc rename to src/analyzer/protocol/dce-rpc/DCE_RPC.cc diff --git a/src/analyzer/protocols/dce-rpc/DCE_RPC.h b/src/analyzer/protocol/dce-rpc/DCE_RPC.h similarity index 96% rename from src/analyzer/protocols/dce-rpc/DCE_RPC.h rename to src/analyzer/protocol/dce-rpc/DCE_RPC.h index ff85e16ee1..2abfb584b5 100644 --- a/src/analyzer/protocols/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.h @@ -7,8 +7,8 @@ // Windows systems) and shouldn't be considered as stable. #include "NetVar.h" -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/dce-rpc/events.bif.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/dce-rpc/events.bif.h" #include "IPAddr.h" #include "dce_rpc_simple_pac.h" 
@@ -88,7 +88,7 @@ enum DCE_RPC_PTYPE { }; */ -#define ANALYZER_PROTOCOL_DCE_RPC_DCE_RPC_HEADER_LENGTH 16 +#define DCE_RPC_HEADER_LENGTH 16 class DCE_RPC_Header { public: diff --git a/src/analyzer/protocols/dce-rpc/Plugin.cc b/src/analyzer/protocol/dce-rpc/Plugin.cc similarity index 100% rename from src/analyzer/protocols/dce-rpc/Plugin.cc rename to src/analyzer/protocol/dce-rpc/Plugin.cc diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc-analyzer.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac similarity index 100% rename from src/analyzer/protocols/dce-rpc/dce_rpc-analyzer.pac rename to src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac similarity index 100% rename from src/analyzer/protocols/dce-rpc/dce_rpc-protocol.pac rename to src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc.pac b/src/analyzer/protocol/dce-rpc/dce_rpc.pac similarity index 100% rename from src/analyzer/protocols/dce-rpc/dce_rpc.pac rename to src/analyzer/protocol/dce-rpc/dce_rpc.pac diff --git a/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac b/src/analyzer/protocol/dce-rpc/dce_rpc_simple.pac similarity index 100% rename from src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac rename to src/analyzer/protocol/dce-rpc/dce_rpc_simple.pac diff --git a/src/analyzer/protocols/dce-rpc/epmapper.pac b/src/analyzer/protocol/dce-rpc/epmapper.pac similarity index 100% rename from src/analyzer/protocols/dce-rpc/epmapper.pac rename to src/analyzer/protocol/dce-rpc/epmapper.pac diff --git a/src/analyzer/protocols/dce-rpc/events.bif b/src/analyzer/protocol/dce-rpc/events.bif similarity index 100% rename from src/analyzer/protocols/dce-rpc/events.bif rename to src/analyzer/protocol/dce-rpc/events.bif 
diff --git a/src/analyzer/protocols/dhcp/CMakeLists.txt b/src/analyzer/protocol/dhcp/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/dhcp/CMakeLists.txt rename to src/analyzer/protocol/dhcp/CMakeLists.txt diff --git a/src/analyzer/protocols/dhcp/DHCP.cc b/src/analyzer/protocol/dhcp/DHCP.cc similarity index 100% rename from src/analyzer/protocols/dhcp/DHCP.cc rename to src/analyzer/protocol/dhcp/DHCP.cc diff --git a/src/analyzer/protocols/dhcp/DHCP.h b/src/analyzer/protocol/dhcp/DHCP.h similarity index 93% rename from src/analyzer/protocols/dhcp/DHCP.h rename to src/analyzer/protocol/dhcp/DHCP.h index 207651d7c1..a1c06e8b85 100644 --- a/src/analyzer/protocols/dhcp/DHCP.h +++ b/src/analyzer/protocol/dhcp/DHCP.h @@ -1,7 +1,7 @@ #ifndef ANALYZER_PROTOCOL_DHCP_DHCP_H #define ANALYZER_PROTOCOL_DHCP_DHCP_H -#include "analyzer/protocols/udp/UDP.h" +#include "analyzer/protocol/udp/UDP.h" #include "dhcp_pac.h" diff --git a/src/analyzer/protocols/dhcp/Plugin.cc b/src/analyzer/protocol/dhcp/Plugin.cc similarity index 100% rename from src/analyzer/protocols/dhcp/Plugin.cc rename to src/analyzer/protocol/dhcp/Plugin.cc diff --git a/src/analyzer/protocols/dhcp/dhcp-analyzer.pac b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac similarity index 100% rename from src/analyzer/protocols/dhcp/dhcp-analyzer.pac rename to src/analyzer/protocol/dhcp/dhcp-analyzer.pac diff --git a/src/analyzer/protocols/dhcp/dhcp-protocol.pac b/src/analyzer/protocol/dhcp/dhcp-protocol.pac similarity index 100% rename from src/analyzer/protocols/dhcp/dhcp-protocol.pac rename to src/analyzer/protocol/dhcp/dhcp-protocol.pac diff --git a/src/analyzer/protocols/dhcp/dhcp.pac b/src/analyzer/protocol/dhcp/dhcp.pac similarity index 100% rename from src/analyzer/protocols/dhcp/dhcp.pac rename to src/analyzer/protocol/dhcp/dhcp.pac 
diff --git a/src/analyzer/protocols/dhcp/events.bif b/src/analyzer/protocol/dhcp/events.bif similarity index 100% rename from src/analyzer/protocols/dhcp/events.bif rename to src/analyzer/protocol/dhcp/events.bif diff --git a/src/analyzer/protocols/dns/CMakeLists.txt b/src/analyzer/protocol/dns/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/dns/CMakeLists.txt rename to src/analyzer/protocol/dns/CMakeLists.txt diff --git a/src/analyzer/protocols/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc similarity index 100% rename from src/analyzer/protocols/dns/DNS.cc rename to src/analyzer/protocol/dns/DNS.cc diff --git a/src/analyzer/protocols/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h similarity index 99% rename from src/analyzer/protocols/dns/DNS.h rename to src/analyzer/protocol/dns/DNS.h index 9c7874400d..373250e8f4 100644 --- a/src/analyzer/protocols/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -3,7 +3,7 @@ #ifndef ANALYZER_PROTOCOL_DNS_DNS_H #define ANALYZER_PROTOCOL_DNS_DNS_H -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "binpac_bro.h" namespace analyzer { namespace dns { diff --git a/src/analyzer/protocols/dns/Plugin.cc b/src/analyzer/protocol/dns/Plugin.cc similarity index 100% rename from src/analyzer/protocols/dns/Plugin.cc rename to src/analyzer/protocol/dns/Plugin.cc diff --git a/src/analyzer/protocols/dns/events.bif b/src/analyzer/protocol/dns/events.bif similarity index 100% rename from src/analyzer/protocols/dns/events.bif rename to src/analyzer/protocol/dns/events.bif diff --git a/src/analyzer/protocols/file/CMakeLists.txt b/src/analyzer/protocol/file/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/file/CMakeLists.txt rename to src/analyzer/protocol/file/CMakeLists.txt 
diff --git a/src/analyzer/protocols/file/File.cc b/src/analyzer/protocol/file/File.cc similarity index 100% rename from src/analyzer/protocols/file/File.cc rename to src/analyzer/protocol/file/File.cc diff --git a/src/analyzer/protocols/file/File.h b/src/analyzer/protocol/file/File.h similarity index 94% rename from src/analyzer/protocols/file/File.h rename to src/analyzer/protocol/file/File.h index 368fe22dae..a41ab380ae 100644 --- a/src/analyzer/protocols/file/File.h +++ b/src/analyzer/protocol/file/File.h @@ -3,7 +3,7 @@ #ifndef ANALYZER_PROTOCOL_FILE_FILE_H #define ANALYZER_PROTOCOL_FILE_FILE_H -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include diff --git a/src/analyzer/protocols/file/Plugin.cc b/src/analyzer/protocol/file/Plugin.cc similarity index 100% rename from src/analyzer/protocols/file/Plugin.cc rename to src/analyzer/protocol/file/Plugin.cc diff --git a/src/analyzer/protocols/file/events.bif b/src/analyzer/protocol/file/events.bif similarity index 100% rename from src/analyzer/protocols/file/events.bif rename to src/analyzer/protocol/file/events.bif diff --git a/src/analyzer/protocols/finger/CMakeLists.txt b/src/analyzer/protocol/finger/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/finger/CMakeLists.txt rename to src/analyzer/protocol/finger/CMakeLists.txt diff --git a/src/analyzer/protocols/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc similarity index 97% rename from src/analyzer/protocols/finger/Finger.cc rename to src/analyzer/protocol/finger/Finger.cc index dce2cfef9f..bf9bdcc68a 100644 --- a/src/analyzer/protocols/finger/Finger.cc +++ b/src/analyzer/protocol/finger/Finger.cc @@ -7,7 +7,7 @@ #include "NetVar.h" #include "Finger.h" #include "Event.h" -#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocol/tcp/ContentLine.h" #include "events.bif.h" 
diff --git a/src/analyzer/protocols/finger/Finger.h b/src/analyzer/protocol/finger/Finger.h similarity index 89% rename from src/analyzer/protocols/finger/Finger.h rename to src/analyzer/protocol/finger/Finger.h index 5624030f80..efea0fae6b 100644 --- a/src/analyzer/protocols/finger/Finger.h +++ b/src/analyzer/protocol/finger/Finger.h @@ -3,8 +3,8 @@ #ifndef ANALYZER_PROTOCOL_FINGER_FINGER_H #define ANALYZER_PROTOCOL_FINGER_FINGER_H -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/tcp/ContentLine.h" namespace analyzer { namespace finger { diff --git a/src/analyzer/protocols/finger/Plugin.cc b/src/analyzer/protocol/finger/Plugin.cc similarity index 100% rename from src/analyzer/protocols/finger/Plugin.cc rename to src/analyzer/protocol/finger/Plugin.cc diff --git a/src/analyzer/protocols/finger/events.bif b/src/analyzer/protocol/finger/events.bif similarity index 100% rename from src/analyzer/protocols/finger/events.bif rename to src/analyzer/protocol/finger/events.bif diff --git a/src/analyzer/protocols/ftp/CMakeLists.txt b/src/analyzer/protocol/ftp/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/ftp/CMakeLists.txt rename to src/analyzer/protocol/ftp/CMakeLists.txt diff --git a/src/analyzer/protocols/ftp/FTP.cc b/src/analyzer/protocol/ftp/FTP.cc similarity index 99% rename from src/analyzer/protocols/ftp/FTP.cc rename to src/analyzer/protocol/ftp/FTP.cc index aed14b8de8..91afe6f8a4 100644 --- a/src/analyzer/protocols/ftp/FTP.cc +++ b/src/analyzer/protocol/ftp/FTP.cc @@ -9,7 +9,7 @@ #include "Event.h" #include "Base64.h" #include "analyzer/Manager.h" -#include "analyzer/protocols/login/NVT.h" +#include "analyzer/protocol/login/NVT.h" #include "events.bif.h" 
diff --git a/src/analyzer/protocols/ftp/FTP.h b/src/analyzer/protocol/ftp/FTP.h similarity index 94% rename from src/analyzer/protocols/ftp/FTP.h rename to src/analyzer/protocol/ftp/FTP.h index 577082644a..1cffa19b1d 100644 --- a/src/analyzer/protocols/ftp/FTP.h +++ b/src/analyzer/protocol/ftp/FTP.h @@ -3,8 +3,8 @@ #ifndef ANALYZER_PROTOCOL_FTP_FTP_H #define ANALYZER_PROTOCOL_FTP_FTP_H -#include "analyzer/protocols/login/NVT.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/login/NVT.h" +#include "analyzer/protocol/tcp/TCP.h" namespace analyzer { namespace ftp { diff --git a/src/analyzer/protocols/ftp/Plugin.cc b/src/analyzer/protocol/ftp/Plugin.cc similarity index 100% rename from src/analyzer/protocols/ftp/Plugin.cc rename to src/analyzer/protocol/ftp/Plugin.cc diff --git a/src/analyzer/protocols/ftp/events.bif b/src/analyzer/protocol/ftp/events.bif similarity index 100% rename from src/analyzer/protocols/ftp/events.bif rename to src/analyzer/protocol/ftp/events.bif diff --git a/src/analyzer/protocols/ftp/functions.bif b/src/analyzer/protocol/ftp/functions.bif similarity index 100% rename from src/analyzer/protocols/ftp/functions.bif rename to src/analyzer/protocol/ftp/functions.bif diff --git a/src/analyzer/protocols/gnutella/CMakeLists.txt b/src/analyzer/protocol/gnutella/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/gnutella/CMakeLists.txt rename to src/analyzer/protocol/gnutella/CMakeLists.txt diff --git a/src/analyzer/protocols/gnutella/Gnutella.cc b/src/analyzer/protocol/gnutella/Gnutella.cc similarity index 99% rename from src/analyzer/protocols/gnutella/Gnutella.cc rename to src/analyzer/protocol/gnutella/Gnutella.cc index a0d8812218..c0bab92007 100644 --- a/src/analyzer/protocols/gnutella/Gnutella.cc +++ b/src/analyzer/protocol/gnutella/Gnutella.cc 
@@ -9,7 +9,7 @@ #include "NetVar.h" #include "Gnutella.h" #include "Event.h" -#include "analyzer/protocols/pia/PIA.h" +#include "analyzer/protocol/pia/PIA.h" #include "analyzer/Manager.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/gnutella/Gnutella.h b/src/analyzer/protocol/gnutella/Gnutella.h similarity index 97% rename from src/analyzer/protocols/gnutella/Gnutella.h rename to src/analyzer/protocol/gnutella/Gnutella.h index d67d319c4e..11d51cf276 100644 --- a/src/analyzer/protocols/gnutella/Gnutella.h +++ b/src/analyzer/protocol/gnutella/Gnutella.h @@ -3,7 +3,7 @@ #ifndef ANALYZER_PROTOCOL_GNUTELLA_GNUTELLA_H #define ANALYZER_PROTOCOL_GNUTELLA_GNUTELLA_H -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #define ORIG_OK 0x1 #define RESP_OK 0x2 diff --git a/src/analyzer/protocols/gnutella/Plugin.cc b/src/analyzer/protocol/gnutella/Plugin.cc similarity index 100% rename from src/analyzer/protocols/gnutella/Plugin.cc rename to src/analyzer/protocol/gnutella/Plugin.cc diff --git a/src/analyzer/protocols/gnutella/events.bif b/src/analyzer/protocol/gnutella/events.bif similarity index 100% rename from src/analyzer/protocols/gnutella/events.bif rename to src/analyzer/protocol/gnutella/events.bif diff --git a/src/analyzer/protocols/gtpv1/CMakeLists.txt b/src/analyzer/protocol/gtpv1/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/gtpv1/CMakeLists.txt rename to src/analyzer/protocol/gtpv1/CMakeLists.txt diff --git a/src/analyzer/protocols/gtpv1/GTPv1.cc b/src/analyzer/protocol/gtpv1/GTPv1.cc similarity index 100% rename from src/analyzer/protocols/gtpv1/GTPv1.cc rename to src/analyzer/protocol/gtpv1/GTPv1.cc diff --git a/src/analyzer/protocols/gtpv1/GTPv1.h b/src/analyzer/protocol/gtpv1/GTPv1.h similarity index 100% rename from src/analyzer/protocols/gtpv1/GTPv1.h rename to src/analyzer/protocol/gtpv1/GTPv1.h 
diff --git a/src/analyzer/protocols/gtpv1/Plugin.cc b/src/analyzer/protocol/gtpv1/Plugin.cc similarity index 100% rename from src/analyzer/protocols/gtpv1/Plugin.cc rename to src/analyzer/protocol/gtpv1/Plugin.cc diff --git a/src/analyzer/protocols/gtpv1/events.bif b/src/analyzer/protocol/gtpv1/events.bif similarity index 100% rename from src/analyzer/protocols/gtpv1/events.bif rename to src/analyzer/protocol/gtpv1/events.bif diff --git a/src/analyzer/protocols/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac similarity index 100% rename from src/analyzer/protocols/gtpv1/gtpv1-analyzer.pac rename to src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac diff --git a/src/analyzer/protocols/gtpv1/gtpv1-protocol.pac b/src/analyzer/protocol/gtpv1/gtpv1-protocol.pac similarity index 100% rename from src/analyzer/protocols/gtpv1/gtpv1-protocol.pac rename to src/analyzer/protocol/gtpv1/gtpv1-protocol.pac diff --git a/src/analyzer/protocols/gtpv1/gtpv1.pac b/src/analyzer/protocol/gtpv1/gtpv1.pac similarity index 100% rename from src/analyzer/protocols/gtpv1/gtpv1.pac rename to src/analyzer/protocol/gtpv1/gtpv1.pac diff --git a/src/analyzer/protocols/http/CMakeLists.txt b/src/analyzer/protocol/http/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/http/CMakeLists.txt rename to src/analyzer/protocol/http/CMakeLists.txt diff --git a/src/analyzer/protocols/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc similarity index 99% rename from src/analyzer/protocols/http/HTTP.cc rename to src/analyzer/protocol/http/HTTP.cc index 899c7de01f..f0d81482c0 100644 --- a/src/analyzer/protocols/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -11,7 +11,7 @@ #include "NetVar.h" #include "HTTP.h" #include "Event.h" -#include "analyzer/protocols/mime/MIME.h" +#include "analyzer/protocol/mime/MIME.h" #include "events.bif.h" 
diff --git a/src/analyzer/protocols/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h similarity index 97% rename from src/analyzer/protocols/http/HTTP.h rename to src/analyzer/protocol/http/HTTP.h index cb53e30c9a..8896d4fa07 100644 --- a/src/analyzer/protocols/http/HTTP.h +++ b/src/analyzer/protocol/http/HTTP.h @@ -3,10 +3,10 @@ #ifndef ANALYZER_PROTOCOL_HTTP_HTTP_H #define ANALYZER_PROTOCOL_HTTP_HTTP_H -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/tcp/ContentLine.h" -#include "analyzer/protocols/zip/ZIP.h" -#include "analyzer/protocols/mime/MIME.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/tcp/ContentLine.h" +#include "analyzer/protocol/zip/ZIP.h" +#include "analyzer/protocol/mime/MIME.h" #include "binpac_bro.h" #include "IPAddr.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/http/Plugin.cc b/src/analyzer/protocol/http/Plugin.cc similarity index 100% rename from src/analyzer/protocols/http/Plugin.cc rename to src/analyzer/protocol/http/Plugin.cc diff --git a/src/analyzer/protocols/http/events.bif b/src/analyzer/protocol/http/events.bif similarity index 100% rename from src/analyzer/protocols/http/events.bif rename to src/analyzer/protocol/http/events.bif diff --git a/src/analyzer/protocols/http/functions.bif b/src/analyzer/protocol/http/functions.bif similarity index 97% rename from src/analyzer/protocols/http/functions.bif rename to src/analyzer/protocol/http/functions.bif index eb9caf2a9a..c4e5df80d5 100644 --- a/src/analyzer/protocols/http/functions.bif +++ b/src/analyzer/protocol/http/functions.bif @@ -1,6 +1,6 @@ %%{ -#include "protocols/http/HTTP.h" +#include "protocol/http/HTTP.h" %%} ## Skips the data of the HTTP entity. diff --git a/src/analyzer/protocols/icmp/CMakeLists.txt b/src/analyzer/protocol/icmp/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/icmp/CMakeLists.txt rename to src/analyzer/protocol/icmp/CMakeLists.txt 
diff --git a/src/analyzer/protocols/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc similarity index 100% rename from src/analyzer/protocols/icmp/ICMP.cc rename to src/analyzer/protocol/icmp/ICMP.cc diff --git a/src/analyzer/protocols/icmp/ICMP.h b/src/analyzer/protocol/icmp/ICMP.h similarity index 100% rename from src/analyzer/protocols/icmp/ICMP.h rename to src/analyzer/protocol/icmp/ICMP.h diff --git a/src/analyzer/protocols/icmp/Plugin.cc b/src/analyzer/protocol/icmp/Plugin.cc similarity index 100% rename from src/analyzer/protocols/icmp/Plugin.cc rename to src/analyzer/protocol/icmp/Plugin.cc diff --git a/src/analyzer/protocols/icmp/events.bif b/src/analyzer/protocol/icmp/events.bif similarity index 100% rename from src/analyzer/protocols/icmp/events.bif rename to src/analyzer/protocol/icmp/events.bif diff --git a/src/analyzer/protocols/ident/CMakeLists.txt b/src/analyzer/protocol/ident/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/ident/CMakeLists.txt rename to src/analyzer/protocol/ident/CMakeLists.txt diff --git a/src/analyzer/protocols/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc similarity index 100% rename from src/analyzer/protocols/ident/Ident.cc rename to src/analyzer/protocol/ident/Ident.cc diff --git a/src/analyzer/protocols/ident/Ident.h b/src/analyzer/protocol/ident/Ident.h similarity index 91% rename from src/analyzer/protocols/ident/Ident.h rename to src/analyzer/protocol/ident/Ident.h index 7e1b7508c5..31df1dcdc6 100644 --- a/src/analyzer/protocols/ident/Ident.h +++ b/src/analyzer/protocol/ident/Ident.h @@ -3,8 +3,8 @@ #ifndef ANALYZER_PROTOCOL_IDENT_IDENT_H #define ANALYZER_PROTOCOL_IDENT_IDENT_H -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/tcp/ContentLine.h" namespace analyzer { namespace ident { 
diff --git a/src/analyzer/protocols/ident/Plugin.cc b/src/analyzer/protocol/ident/Plugin.cc similarity index 100% rename from src/analyzer/protocols/ident/Plugin.cc rename to src/analyzer/protocol/ident/Plugin.cc diff --git a/src/analyzer/protocols/ident/events.bif b/src/analyzer/protocol/ident/events.bif similarity index 100% rename from src/analyzer/protocols/ident/events.bif rename to src/analyzer/protocol/ident/events.bif diff --git a/src/analyzer/protocols/interconn/CMakeLists.txt b/src/analyzer/protocol/interconn/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/interconn/CMakeLists.txt rename to src/analyzer/protocol/interconn/CMakeLists.txt diff --git a/src/analyzer/protocols/interconn/InterConn.cc b/src/analyzer/protocol/interconn/InterConn.cc similarity index 99% rename from src/analyzer/protocols/interconn/InterConn.cc rename to src/analyzer/protocol/interconn/InterConn.cc index 58dc6c2bf0..4b298eaa52 100644 --- a/src/analyzer/protocols/interconn/InterConn.cc +++ b/src/analyzer/protocol/interconn/InterConn.cc @@ -5,7 +5,7 @@ #include "InterConn.h" #include "Event.h" #include "Net.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/interconn/InterConn.h b/src/analyzer/protocol/interconn/InterConn.h similarity index 98% rename from src/analyzer/protocols/interconn/InterConn.h rename to src/analyzer/protocol/interconn/InterConn.h index 4faa684818..b13abecab1 100644 --- a/src/analyzer/protocols/interconn/InterConn.h +++ b/src/analyzer/protocol/interconn/InterConn.h @@ -3,7 +3,7 @@ #ifndef ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H #define ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "Timer.h" #include "NetVar.h" 
diff --git a/src/analyzer/protocols/interconn/Plugin.cc b/src/analyzer/protocol/interconn/Plugin.cc similarity index 100% rename from src/analyzer/protocols/interconn/Plugin.cc rename to src/analyzer/protocol/interconn/Plugin.cc diff --git a/src/analyzer/protocols/interconn/events.bif b/src/analyzer/protocol/interconn/events.bif similarity index 100% rename from src/analyzer/protocols/interconn/events.bif rename to src/analyzer/protocol/interconn/events.bif diff --git a/src/analyzer/protocols/irc/CMakeLists.txt b/src/analyzer/protocol/irc/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/irc/CMakeLists.txt rename to src/analyzer/protocol/irc/CMakeLists.txt diff --git a/src/analyzer/protocols/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc similarity index 99% rename from src/analyzer/protocols/irc/IRC.cc rename to src/analyzer/protocol/irc/IRC.cc index 7ac06a708f..71f591635f 100644 --- a/src/analyzer/protocols/irc/IRC.cc +++ b/src/analyzer/protocol/irc/IRC.cc @@ -2,10 +2,10 @@ #include #include "IRC.h" -#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocol/tcp/ContentLine.h" #include "NetVar.h" #include "Event.h" -#include "analyzer/protocols/zip/ZIP.h" +#include "analyzer/protocol/zip/ZIP.h" #include "analyzer/Manager.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/irc/IRC.h b/src/analyzer/protocol/irc/IRC.h similarity index 97% rename from src/analyzer/protocols/irc/IRC.h rename to src/analyzer/protocol/irc/IRC.h index a0f35639d3..a4112ccb12 100644 --- a/src/analyzer/protocols/irc/IRC.h +++ b/src/analyzer/protocol/irc/IRC.h @@ -2,7 +2,7 @@ #ifndef ANALYZER_PROTOCOL_IRC_IRC_H #define ANALYZER_PROTOCOL_IRC_IRC_H -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" namespace analyzer { namespace irc { 
diff --git a/src/analyzer/protocols/irc/Plugin.cc b/src/analyzer/protocol/irc/Plugin.cc similarity index 100% rename from src/analyzer/protocols/irc/Plugin.cc rename to src/analyzer/protocol/irc/Plugin.cc diff --git a/src/analyzer/protocols/irc/events.bif b/src/analyzer/protocol/irc/events.bif similarity index 100% rename from src/analyzer/protocols/irc/events.bif rename to src/analyzer/protocol/irc/events.bif diff --git a/src/analyzer/protocols/login/CMakeLists.txt b/src/analyzer/protocol/login/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/login/CMakeLists.txt rename to src/analyzer/protocol/login/CMakeLists.txt diff --git a/src/analyzer/protocols/login/Login.cc b/src/analyzer/protocol/login/Login.cc similarity index 100% rename from src/analyzer/protocols/login/Login.cc rename to src/analyzer/protocol/login/Login.cc diff --git a/src/analyzer/protocols/login/Login.h b/src/analyzer/protocol/login/Login.h similarity index 98% rename from src/analyzer/protocols/login/Login.h rename to src/analyzer/protocol/login/Login.h index 3d41ad94c3..2178bdff1a 100644 --- a/src/analyzer/protocols/login/Login.h +++ b/src/analyzer/protocol/login/Login.h @@ -3,7 +3,7 @@ #ifndef ANALYZER_PROTOCOL_LOGIN_LOGIN_H #define ANALYZER_PROTOCOL_LOGIN_LOGIN_H -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" namespace analyzer { namespace login { diff --git a/src/analyzer/protocols/login/NVT.cc b/src/analyzer/protocol/login/NVT.cc similarity index 99% rename from src/analyzer/protocols/login/NVT.cc rename to src/analyzer/protocol/login/NVT.cc index 2c79fd7195..62e4d0c050 100644 --- a/src/analyzer/protocols/login/NVT.cc +++ b/src/analyzer/protocol/login/NVT.cc @@ -7,7 +7,7 @@ #include "NVT.h" #include "NetVar.h" #include "Event.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "events.bif.h" 
diff --git a/src/analyzer/protocols/login/NVT.h b/src/analyzer/protocol/login/NVT.h similarity index 98% rename from src/analyzer/protocols/login/NVT.h rename to src/analyzer/protocol/login/NVT.h index 9fb85c8823..3bcadcdc8e 100644 --- a/src/analyzer/protocols/login/NVT.h +++ b/src/analyzer/protocol/login/NVT.h @@ -3,7 +3,7 @@ #ifndef ANALYZER_PROTOCOL_LOGIN_NVT_H #define ANALYZER_PROTOCOL_LOGIN_NVT_H -#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocol/tcp/ContentLine.h" #define TELNET_OPTION_BINARY 0 #define TELNET_OPTION_TERMINAL 24 diff --git a/src/analyzer/protocols/login/Plugin.cc b/src/analyzer/protocol/login/Plugin.cc similarity index 100% rename from src/analyzer/protocols/login/Plugin.cc rename to src/analyzer/protocol/login/Plugin.cc diff --git a/src/analyzer/protocols/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc similarity index 100% rename from src/analyzer/protocols/login/RSH.cc rename to src/analyzer/protocol/login/RSH.cc diff --git a/src/analyzer/protocols/login/RSH.h b/src/analyzer/protocol/login/RSH.h similarity index 96% rename from src/analyzer/protocols/login/RSH.h rename to src/analyzer/protocol/login/RSH.h index c2d19c8958..2036ea966a 100644 --- a/src/analyzer/protocols/login/RSH.h +++ b/src/analyzer/protocol/login/RSH.h @@ -4,7 +4,7 @@ #define ANALYZER_PROTOCOL_LOGIN_RSH_H #include "Login.h" -#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocol/tcp/ContentLine.h" namespace analyzer { namespace login { diff --git a/src/analyzer/protocols/login/Rlogin.cc b/src/analyzer/protocol/login/Rlogin.cc similarity index 100% rename from src/analyzer/protocols/login/Rlogin.cc rename to src/analyzer/protocol/login/Rlogin.cc diff --git a/src/analyzer/protocols/login/Rlogin.h b/src/analyzer/protocol/login/Rlogin.h similarity index 97% rename from src/analyzer/protocols/login/Rlogin.h rename to src/analyzer/protocol/login/Rlogin.h index 3efdfa8107..79de3b8952 100644 
--- a/src/analyzer/protocols/login/Rlogin.h +++ b/src/analyzer/protocol/login/Rlogin.h @@ -4,7 +4,7 @@ #define ANALYZER_PROTOCOL_LOGIN_RLOGIN_H #include "Login.h" -#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocol/tcp/ContentLine.h" namespace analyzer { namespace login { diff --git a/src/analyzer/protocols/login/Telnet.cc b/src/analyzer/protocol/login/Telnet.cc similarity index 100% rename from src/analyzer/protocols/login/Telnet.cc rename to src/analyzer/protocol/login/Telnet.cc diff --git a/src/analyzer/protocols/login/Telnet.h b/src/analyzer/protocol/login/Telnet.h similarity index 100% rename from src/analyzer/protocols/login/Telnet.h rename to src/analyzer/protocol/login/Telnet.h diff --git a/src/analyzer/protocols/login/events.bif b/src/analyzer/protocol/login/events.bif similarity index 100% rename from src/analyzer/protocols/login/events.bif rename to src/analyzer/protocol/login/events.bif diff --git a/src/analyzer/protocols/login/functions.bif b/src/analyzer/protocol/login/functions.bif similarity index 100% rename from src/analyzer/protocols/login/functions.bif rename to src/analyzer/protocol/login/functions.bif diff --git a/src/analyzer/protocols/mime/CMakeLists.txt b/src/analyzer/protocol/mime/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/mime/CMakeLists.txt rename to src/analyzer/protocol/mime/CMakeLists.txt diff --git a/src/analyzer/protocols/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc similarity index 100% rename from src/analyzer/protocols/mime/MIME.cc rename to src/analyzer/protocol/mime/MIME.cc diff --git a/src/analyzer/protocols/mime/MIME.h b/src/analyzer/protocol/mime/MIME.h similarity index 100% rename from src/analyzer/protocols/mime/MIME.h rename to src/analyzer/protocol/mime/MIME.h 
diff --git a/src/analyzer/protocols/mime/Plugin.cc b/src/analyzer/protocol/mime/Plugin.cc similarity index 100% rename from src/analyzer/protocols/mime/Plugin.cc rename to src/analyzer/protocol/mime/Plugin.cc diff --git a/src/analyzer/protocols/mime/events.bif b/src/analyzer/protocol/mime/events.bif similarity index 100% rename from src/analyzer/protocols/mime/events.bif rename to src/analyzer/protocol/mime/events.bif diff --git a/src/analyzer/protocols/modbus/CMakeLists.txt b/src/analyzer/protocol/modbus/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/modbus/CMakeLists.txt rename to src/analyzer/protocol/modbus/CMakeLists.txt diff --git a/src/analyzer/protocols/modbus/Modbus.cc b/src/analyzer/protocol/modbus/Modbus.cc similarity index 94% rename from src/analyzer/protocols/modbus/Modbus.cc rename to src/analyzer/protocol/modbus/Modbus.cc index b36b916d06..9d216d356b 100644 --- a/src/analyzer/protocols/modbus/Modbus.cc +++ b/src/analyzer/protocol/modbus/Modbus.cc @@ -1,6 +1,6 @@ #include "Modbus.h" -#include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/modbus/Modbus.h b/src/analyzer/protocol/modbus/Modbus.h similarity index 94% rename from src/analyzer/protocols/modbus/Modbus.h rename to src/analyzer/protocol/modbus/Modbus.h index 9ecd952e2e..6f566be828 100644 --- a/src/analyzer/protocols/modbus/Modbus.h +++ b/src/analyzer/protocol/modbus/Modbus.h @@ -1,7 +1,7 @@ #ifndef ANALYZER_PROTOCOL_MODBUS_MODBUS_H #define ANALYZER_PROTOCOL_MODBUS_MODBUS_H -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "modbus_pac.h" namespace analyzer { namespace modbus { diff --git a/src/analyzer/protocols/modbus/Plugin.cc b/src/analyzer/protocol/modbus/Plugin.cc similarity index 100% rename from src/analyzer/protocols/modbus/Plugin.cc rename to src/analyzer/protocol/modbus/Plugin.cc 
diff --git a/src/analyzer/protocols/modbus/events.bif b/src/analyzer/protocol/modbus/events.bif similarity index 100% rename from src/analyzer/protocols/modbus/events.bif rename to src/analyzer/protocol/modbus/events.bif diff --git a/src/analyzer/protocols/modbus/modbus-analyzer.pac b/src/analyzer/protocol/modbus/modbus-analyzer.pac similarity index 100% rename from src/analyzer/protocols/modbus/modbus-analyzer.pac rename to src/analyzer/protocol/modbus/modbus-analyzer.pac diff --git a/src/analyzer/protocols/modbus/modbus-protocol.pac b/src/analyzer/protocol/modbus/modbus-protocol.pac similarity index 100% rename from src/analyzer/protocols/modbus/modbus-protocol.pac rename to src/analyzer/protocol/modbus/modbus-protocol.pac diff --git a/src/analyzer/protocols/modbus/modbus.pac b/src/analyzer/protocol/modbus/modbus.pac similarity index 100% rename from src/analyzer/protocols/modbus/modbus.pac rename to src/analyzer/protocol/modbus/modbus.pac diff --git a/src/analyzer/protocols/ncp/CMakeLists.txt b/src/analyzer/protocol/ncp/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/ncp/CMakeLists.txt rename to src/analyzer/protocol/ncp/CMakeLists.txt diff --git a/src/analyzer/protocols/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc similarity index 100% rename from src/analyzer/protocols/ncp/NCP.cc rename to src/analyzer/protocol/ncp/NCP.cc diff --git a/src/analyzer/protocols/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h similarity index 96% rename from src/analyzer/protocols/ncp/NCP.h rename to src/analyzer/protocol/ncp/NCP.h index aa667657ca..34174df74e 100644 --- a/src/analyzer/protocols/ncp/NCP.h +++ b/src/analyzer/protocol/ncp/NCP.h @@ -19,7 +19,7 @@ // http://faydoc.tripod.com/structures/21/2149.htm #include "NetVar.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "ncp_pac.h" 
@@ -73,7 +73,7 @@ protected: int buf_len; // size off msg_buf }; -#define ANALYZER_PROTOCOL_NCP_NCP_HEADER_LENGTH 8 +#define NCP_TCPIP_HEADER_LENGTH 8 class NCP_FrameBuffer : public FrameBuffer { public: diff --git a/src/analyzer/protocols/ncp/NCP_func.def b/src/analyzer/protocol/ncp/NCP_func.def similarity index 100% rename from src/analyzer/protocols/ncp/NCP_func.def rename to src/analyzer/protocol/ncp/NCP_func.def diff --git a/src/analyzer/protocols/ncp/Plugin.cc b/src/analyzer/protocol/ncp/Plugin.cc similarity index 100% rename from src/analyzer/protocols/ncp/Plugin.cc rename to src/analyzer/protocol/ncp/Plugin.cc diff --git a/src/analyzer/protocols/ncp/events.bif b/src/analyzer/protocol/ncp/events.bif similarity index 100% rename from src/analyzer/protocols/ncp/events.bif rename to src/analyzer/protocol/ncp/events.bif diff --git a/src/analyzer/protocols/ncp/ncp.pac b/src/analyzer/protocol/ncp/ncp.pac similarity index 100% rename from src/analyzer/protocols/ncp/ncp.pac rename to src/analyzer/protocol/ncp/ncp.pac diff --git a/src/analyzer/protocols/netbios/CMakeLists.txt b/src/analyzer/protocol/netbios/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/netbios/CMakeLists.txt rename to src/analyzer/protocol/netbios/CMakeLists.txt diff --git a/src/analyzer/protocols/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc similarity index 100% rename from src/analyzer/protocols/netbios/NetbiosSSN.cc rename to src/analyzer/protocol/netbios/NetbiosSSN.cc diff --git a/src/analyzer/protocols/netbios/NetbiosSSN.h b/src/analyzer/protocol/netbios/NetbiosSSN.h similarity index 97% rename from src/analyzer/protocols/netbios/NetbiosSSN.h rename to src/analyzer/protocol/netbios/NetbiosSSN.h index 5908250669..7c2728ef9a 100644 --- a/src/analyzer/protocols/netbios/NetbiosSSN.h +++ b/src/analyzer/protocol/netbios/NetbiosSSN.h 
@@ -3,9 +3,9 @@ #ifndef ANALYZER_PROTOCOL_NETBIOS_SSN_NETBIOSSSN_H #define ANALYZER_PROTOCOL_NETBIOS_SSN_NETBIOSSSN_H -#include "analyzer/protocols/udp/UDP.h" -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/smb/SMB.h" +#include "analyzer/protocol/udp/UDP.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/smb/SMB.h" namespace analyzer { namespace netbios_ssn { diff --git a/src/analyzer/protocols/netbios/Plugin.cc b/src/analyzer/protocol/netbios/Plugin.cc similarity index 100% rename from src/analyzer/protocols/netbios/Plugin.cc rename to src/analyzer/protocol/netbios/Plugin.cc diff --git a/src/analyzer/protocols/netbios/events.bif b/src/analyzer/protocol/netbios/events.bif similarity index 100% rename from src/analyzer/protocols/netbios/events.bif rename to src/analyzer/protocol/netbios/events.bif diff --git a/src/analyzer/protocols/netbios/functions.bif b/src/analyzer/protocol/netbios/functions.bif similarity index 100% rename from src/analyzer/protocols/netbios/functions.bif rename to src/analyzer/protocol/netbios/functions.bif diff --git a/src/analyzer/protocols/netflow/CMakeLists.txt b/src/analyzer/protocol/netflow/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/netflow/CMakeLists.txt rename to src/analyzer/protocol/netflow/CMakeLists.txt diff --git a/src/analyzer/protocols/netflow/Plugin.cc b/src/analyzer/protocol/netflow/Plugin.cc similarity index 100% rename from src/analyzer/protocols/netflow/Plugin.cc rename to src/analyzer/protocol/netflow/Plugin.cc diff --git a/src/analyzer/protocols/netflow/events.bif b/src/analyzer/protocol/netflow/events.bif similarity index 100% rename from src/analyzer/protocols/netflow/events.bif rename to src/analyzer/protocol/netflow/events.bif 
diff --git a/src/analyzer/protocols/netflow/netflow-analyzer.pac b/src/analyzer/protocol/netflow/netflow-analyzer.pac similarity index 100% rename from src/analyzer/protocols/netflow/netflow-analyzer.pac rename to src/analyzer/protocol/netflow/netflow-analyzer.pac diff --git a/src/analyzer/protocols/netflow/netflow-protocol.pac b/src/analyzer/protocol/netflow/netflow-protocol.pac similarity index 100% rename from src/analyzer/protocols/netflow/netflow-protocol.pac rename to src/analyzer/protocol/netflow/netflow-protocol.pac diff --git a/src/analyzer/protocols/netflow/netflow.pac b/src/analyzer/protocol/netflow/netflow.pac similarity index 100% rename from src/analyzer/protocols/netflow/netflow.pac rename to src/analyzer/protocol/netflow/netflow.pac diff --git a/src/analyzer/protocols/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/ntp/CMakeLists.txt rename to src/analyzer/protocol/ntp/CMakeLists.txt diff --git a/src/analyzer/protocols/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc similarity index 100% rename from src/analyzer/protocols/ntp/NTP.cc rename to src/analyzer/protocol/ntp/NTP.cc diff --git a/src/analyzer/protocols/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h similarity index 97% rename from src/analyzer/protocols/ntp/NTP.h rename to src/analyzer/protocol/ntp/NTP.h index 25cc9bad43..201c5a8774 100644 --- a/src/analyzer/protocols/ntp/NTP.h +++ b/src/analyzer/protocol/ntp/NTP.h @@ -3,7 +3,7 @@ #ifndef ANALYZER_PROTOCOL_NTP_NTP_H #define ANALYZER_PROTOCOL_NTP_NTP_H -#include "analyzer/protocols/udp/UDP.h" +#include "analyzer/protocol/udp/UDP.h" // The following are from the tcpdump distribution, credited there // to the U of MD implementation. diff --git a/src/analyzer/protocols/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc similarity index 100% rename from src/analyzer/protocols/ntp/Plugin.cc rename to src/analyzer/protocol/ntp/Plugin.cc 
diff --git a/src/analyzer/protocols/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif similarity index 100% rename from src/analyzer/protocols/ntp/events.bif rename to src/analyzer/protocol/ntp/events.bif diff --git a/src/analyzer/protocols/pia/CMakeLists.txt b/src/analyzer/protocol/pia/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/pia/CMakeLists.txt rename to src/analyzer/protocol/pia/CMakeLists.txt diff --git a/src/analyzer/protocols/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc similarity index 99% rename from src/analyzer/protocols/pia/PIA.cc rename to src/analyzer/protocol/pia/PIA.cc index d5defc018e..cc1dd7ea0e 100644 --- a/src/analyzer/protocols/pia/PIA.cc +++ b/src/analyzer/protocol/pia/PIA.cc @@ -1,6 +1,6 @@ #include "PIA.h" #include "RuleMatcher.h" -#include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h similarity index 99% rename from src/analyzer/protocols/pia/PIA.h rename to src/analyzer/protocol/pia/PIA.h index a117a60978..d8c272d219 100644 --- a/src/analyzer/protocols/pia/PIA.h +++ b/src/analyzer/protocol/pia/PIA.h @@ -4,7 +4,7 @@ #define ANALYZER_PROTOCOL_PIA_PIA_H #include "analyzer/Analyzer.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" class RuleEndpointState; diff --git a/src/analyzer/protocols/pia/Plugin.cc b/src/analyzer/protocol/pia/Plugin.cc similarity index 100% rename from src/analyzer/protocols/pia/Plugin.cc rename to src/analyzer/protocol/pia/Plugin.cc diff --git a/src/analyzer/protocols/pia/events.bif b/src/analyzer/protocol/pia/events.bif similarity index 100% rename from src/analyzer/protocols/pia/events.bif rename to src/analyzer/protocol/pia/events.bif 
diff --git a/src/analyzer/protocols/pop3/CMakeLists.txt b/src/analyzer/protocol/pop3/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/pop3/CMakeLists.txt rename to src/analyzer/protocol/pop3/CMakeLists.txt diff --git a/src/analyzer/protocols/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc similarity index 99% rename from src/analyzer/protocols/pop3/POP3.cc rename to src/analyzer/protocol/pop3/POP3.cc index 7a81da1b5e..652fd20e32 100644 --- a/src/analyzer/protocols/pop3/POP3.cc +++ b/src/analyzer/protocol/pop3/POP3.cc @@ -13,7 +13,7 @@ #include "POP3.h" #include "Event.h" #include "Reporter.h" -#include "analyzer/protocols/login/NVT.h" +#include "analyzer/protocol/login/NVT.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/pop3/POP3.h b/src/analyzer/protocol/pop3/POP3.h similarity index 94% rename from src/analyzer/protocols/pop3/POP3.h rename to src/analyzer/protocol/pop3/POP3.h index bd882f480b..ab535420e5 100644 --- a/src/analyzer/protocols/pop3/POP3.h +++ b/src/analyzer/protocol/pop3/POP3.h @@ -9,9 +9,9 @@ #include #include -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/login/NVT.h" -#include "analyzer/protocols/mime/MIME.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/login/NVT.h" +#include "analyzer/protocol/mime/MIME.h" #undef POP3_CMD_DEF #define POP3_CMD_DEF(cmd) POP3_CMD_##cmd, diff --git a/src/analyzer/protocols/pop3/POP3_cmd.def b/src/analyzer/protocol/pop3/POP3_cmd.def similarity index 100% rename from src/analyzer/protocols/pop3/POP3_cmd.def rename to src/analyzer/protocol/pop3/POP3_cmd.def diff --git a/src/analyzer/protocols/pop3/Plugin.cc b/src/analyzer/protocol/pop3/Plugin.cc similarity index 100% rename from src/analyzer/protocols/pop3/Plugin.cc rename to src/analyzer/protocol/pop3/Plugin.cc 
diff --git a/src/analyzer/protocols/pop3/events.bif b/src/analyzer/protocol/pop3/events.bif similarity index 100% rename from src/analyzer/protocols/pop3/events.bif rename to src/analyzer/protocol/pop3/events.bif diff --git a/src/analyzer/protocols/rpc/CMakeLists.txt b/src/analyzer/protocol/rpc/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/rpc/CMakeLists.txt rename to src/analyzer/protocol/rpc/CMakeLists.txt diff --git a/src/analyzer/protocols/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc similarity index 100% rename from src/analyzer/protocols/rpc/NFS.cc rename to src/analyzer/protocol/rpc/NFS.cc diff --git a/src/analyzer/protocols/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h similarity index 100% rename from src/analyzer/protocols/rpc/NFS.h rename to src/analyzer/protocol/rpc/NFS.h diff --git a/src/analyzer/protocols/rpc/Plugin.cc b/src/analyzer/protocol/rpc/Plugin.cc similarity index 100% rename from src/analyzer/protocols/rpc/Plugin.cc rename to src/analyzer/protocol/rpc/Plugin.cc diff --git a/src/analyzer/protocols/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc similarity index 100% rename from src/analyzer/protocols/rpc/Portmap.cc rename to src/analyzer/protocol/rpc/Portmap.cc diff --git a/src/analyzer/protocols/rpc/Portmap.h b/src/analyzer/protocol/rpc/Portmap.h similarity index 100% rename from src/analyzer/protocols/rpc/Portmap.h rename to src/analyzer/protocol/rpc/Portmap.h diff --git a/src/analyzer/protocols/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc similarity index 100% rename from src/analyzer/protocols/rpc/RPC.cc rename to src/analyzer/protocol/rpc/RPC.cc diff --git a/src/analyzer/protocols/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h similarity index 98% rename from src/analyzer/protocols/rpc/RPC.h rename to src/analyzer/protocol/rpc/RPC.h index 0face29d50..a705d272f6 100644 --- a/src/analyzer/protocols/rpc/RPC.h +++ b/src/analyzer/protocol/rpc/RPC.h 
@@ -3,8 +3,8 @@ #ifndef ANALYZER_PROTOCOL_RPC_RPC_H #define ANALYZER_PROTOCOL_RPC_RPC_H -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/udp/UDP.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/udp/UDP.h" namespace analyzer { namespace rpc { diff --git a/src/analyzer/protocols/rpc/XDR.cc b/src/analyzer/protocol/rpc/XDR.cc similarity index 100% rename from src/analyzer/protocols/rpc/XDR.cc rename to src/analyzer/protocol/rpc/XDR.cc diff --git a/src/analyzer/protocols/rpc/XDR.h b/src/analyzer/protocol/rpc/XDR.h similarity index 100% rename from src/analyzer/protocols/rpc/XDR.h rename to src/analyzer/protocol/rpc/XDR.h diff --git a/src/analyzer/protocols/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif similarity index 100% rename from src/analyzer/protocols/rpc/events.bif rename to src/analyzer/protocol/rpc/events.bif diff --git a/src/analyzer/protocols/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/smb/CMakeLists.txt rename to src/analyzer/protocol/smb/CMakeLists.txt diff --git a/src/analyzer/protocols/smb/Plugin.cc b/src/analyzer/protocol/smb/Plugin.cc similarity index 100% rename from src/analyzer/protocols/smb/Plugin.cc rename to src/analyzer/protocol/smb/Plugin.cc diff --git a/src/analyzer/protocols/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc similarity index 100% rename from src/analyzer/protocols/smb/SMB.cc rename to src/analyzer/protocol/smb/SMB.cc diff --git a/src/analyzer/protocols/smb/SMB.h b/src/analyzer/protocol/smb/SMB.h similarity index 98% rename from src/analyzer/protocols/smb/SMB.h rename to src/analyzer/protocol/smb/SMB.h index eed1d2e5a0..b54852e5b7 100644 --- a/src/analyzer/protocols/smb/SMB.h +++ b/src/analyzer/protocol/smb/SMB.h 
@@ -6,8 +6,8 @@ // SMB (CIFS) analyzer. // Reference: http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/dce-rpc/DCE_RPC.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/dce-rpc/DCE_RPC.h" #include "smb_pac.h" namespace analyzer { namespace smb { diff --git a/src/analyzer/protocols/smb/SMB_COM.def b/src/analyzer/protocol/smb/SMB_COM.def similarity index 100% rename from src/analyzer/protocols/smb/SMB_COM.def rename to src/analyzer/protocol/smb/SMB_COM.def diff --git a/src/analyzer/protocols/smb/events.bif b/src/analyzer/protocol/smb/events.bif similarity index 100% rename from src/analyzer/protocols/smb/events.bif rename to src/analyzer/protocol/smb/events.bif diff --git a/src/analyzer/protocols/smb/smb-mailslot.pac b/src/analyzer/protocol/smb/smb-mailslot.pac similarity index 100% rename from src/analyzer/protocols/smb/smb-mailslot.pac rename to src/analyzer/protocol/smb/smb-mailslot.pac diff --git a/src/analyzer/protocols/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac similarity index 100% rename from src/analyzer/protocols/smb/smb-pipe.pac rename to src/analyzer/protocol/smb/smb-pipe.pac diff --git a/src/analyzer/protocols/smb/smb-protocol.pac b/src/analyzer/protocol/smb/smb-protocol.pac similarity index 100% rename from src/analyzer/protocols/smb/smb-protocol.pac rename to src/analyzer/protocol/smb/smb-protocol.pac diff --git a/src/analyzer/protocols/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac similarity index 100% rename from src/analyzer/protocols/smb/smb.pac rename to src/analyzer/protocol/smb/smb.pac diff --git a/src/analyzer/protocols/smtp/CMakeLists.txt b/src/analyzer/protocol/smtp/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/smtp/CMakeLists.txt rename to src/analyzer/protocol/smtp/CMakeLists.txt 
diff --git a/src/analyzer/protocols/smtp/Plugin.cc b/src/analyzer/protocol/smtp/Plugin.cc similarity index 100% rename from src/analyzer/protocols/smtp/Plugin.cc rename to src/analyzer/protocol/smtp/Plugin.cc diff --git a/src/analyzer/protocols/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc similarity index 99% rename from src/analyzer/protocols/smtp/SMTP.cc rename to src/analyzer/protocol/smtp/SMTP.cc index 7bbb7ec69e..dea418242b 100644 --- a/src/analyzer/protocols/smtp/SMTP.cc +++ b/src/analyzer/protocol/smtp/SMTP.cc @@ -8,7 +8,7 @@ #include "SMTP.h" #include "Event.h" #include "Reporter.h" -#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocol/tcp/ContentLine.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h similarity index 97% rename from src/analyzer/protocols/smtp/SMTP.h rename to src/analyzer/protocol/smtp/SMTP.h index c179db4ecb..cc12167d30 100644 --- a/src/analyzer/protocols/smtp/SMTP.h +++ b/src/analyzer/protocol/smtp/SMTP.h @@ -6,8 +6,8 @@ #include using namespace std; -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/mime/MIME.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/mime/MIME.h" #undef SMTP_CMD_DEF #define SMTP_CMD_DEF(cmd) SMTP_CMD_##cmd, diff --git a/src/analyzer/protocols/smtp/SMTP_cmd.def b/src/analyzer/protocol/smtp/SMTP_cmd.def similarity index 100% rename from src/analyzer/protocols/smtp/SMTP_cmd.def rename to src/analyzer/protocol/smtp/SMTP_cmd.def diff --git a/src/analyzer/protocols/smtp/events.bif b/src/analyzer/protocol/smtp/events.bif similarity index 100% rename from src/analyzer/protocols/smtp/events.bif rename to src/analyzer/protocol/smtp/events.bif 
diff --git a/src/analyzer/protocols/smtp/functions.bif b/src/analyzer/protocol/smtp/functions.bif similarity index 88% rename from src/analyzer/protocols/smtp/functions.bif rename to src/analyzer/protocol/smtp/functions.bif index 2bb0c52319..8630685096 100644 --- a/src/analyzer/protocols/smtp/functions.bif +++ b/src/analyzer/protocol/smtp/functions.bif @@ -1,6 +1,6 @@ %%{ -#include "analyzer/protocols/smtp/SMTP.h" +#include "analyzer/protocol/smtp/SMTP.h" %%} ## Skips SMTP data until the next email in a connection. diff --git a/src/analyzer/protocols/socks/CMakeLists.txt b/src/analyzer/protocol/socks/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/socks/CMakeLists.txt rename to src/analyzer/protocol/socks/CMakeLists.txt diff --git a/src/analyzer/protocols/socks/Plugin.cc b/src/analyzer/protocol/socks/Plugin.cc similarity index 100% rename from src/analyzer/protocols/socks/Plugin.cc rename to src/analyzer/protocol/socks/Plugin.cc diff --git a/src/analyzer/protocols/socks/SOCKS.cc b/src/analyzer/protocol/socks/SOCKS.cc similarity index 97% rename from src/analyzer/protocols/socks/SOCKS.cc rename to src/analyzer/protocol/socks/SOCKS.cc index dab464abf7..f9d81b8a16 100644 --- a/src/analyzer/protocols/socks/SOCKS.cc +++ b/src/analyzer/protocol/socks/SOCKS.cc @@ -1,6 +1,6 @@ #include "SOCKS.h" #include "socks_pac.h" -#include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/socks/SOCKS.h b/src/analyzer/protocol/socks/SOCKS.h similarity index 91% rename from src/analyzer/protocols/socks/SOCKS.h rename to src/analyzer/protocol/socks/SOCKS.h index 424443c826..f005967fd8 100644 --- a/src/analyzer/protocols/socks/SOCKS.h +++ b/src/analyzer/protocol/socks/SOCKS.h 
@@ -3,8 +3,8 @@ // SOCKS v4 analyzer. -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/pia/PIA.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/pia/PIA.h" namespace binpac { namespace SOCKS { diff --git a/src/analyzer/protocols/socks/events.bif b/src/analyzer/protocol/socks/events.bif similarity index 100% rename from src/analyzer/protocols/socks/events.bif rename to src/analyzer/protocol/socks/events.bif diff --git a/src/analyzer/protocols/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac similarity index 100% rename from src/analyzer/protocols/socks/socks-analyzer.pac rename to src/analyzer/protocol/socks/socks-analyzer.pac diff --git a/src/analyzer/protocols/socks/socks-protocol.pac b/src/analyzer/protocol/socks/socks-protocol.pac similarity index 100% rename from src/analyzer/protocols/socks/socks-protocol.pac rename to src/analyzer/protocol/socks/socks-protocol.pac diff --git a/src/analyzer/protocols/socks/socks.pac b/src/analyzer/protocol/socks/socks.pac similarity index 100% rename from src/analyzer/protocols/socks/socks.pac rename to src/analyzer/protocol/socks/socks.pac diff --git a/src/analyzer/protocols/ssh/CMakeLists.txt b/src/analyzer/protocol/ssh/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/ssh/CMakeLists.txt rename to src/analyzer/protocol/ssh/CMakeLists.txt diff --git a/src/analyzer/protocols/ssh/Plugin.cc b/src/analyzer/protocol/ssh/Plugin.cc similarity index 100% rename from src/analyzer/protocols/ssh/Plugin.cc rename to src/analyzer/protocol/ssh/Plugin.cc diff --git a/src/analyzer/protocols/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc similarity index 98% rename from src/analyzer/protocols/ssh/SSH.cc rename to src/analyzer/protocol/ssh/SSH.cc index c2ff9a066c..ab3f6a5e5b 100644 --- a/src/analyzer/protocols/ssh/SSH.cc +++ b/src/analyzer/protocol/ssh/SSH.cc 
@@ -7,7 +7,7 @@ #include "NetVar.h" #include "SSH.h" #include "Event.h" -#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocol/tcp/ContentLine.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/ssh/SSH.h b/src/analyzer/protocol/ssh/SSH.h similarity index 86% rename from src/analyzer/protocols/ssh/SSH.h rename to src/analyzer/protocol/ssh/SSH.h index 6587425807..3878881693 100644 --- a/src/analyzer/protocols/ssh/SSH.h +++ b/src/analyzer/protocol/ssh/SSH.h @@ -3,8 +3,8 @@ #ifndef ANALYZER_PROTOCOL_SSH_SSH_H #define ANALYZER_PROTOCOL_SSH_SSH_H -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/tcp/ContentLine.h" namespace analyzer { namespace ssh { diff --git a/src/analyzer/protocols/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif similarity index 100% rename from src/analyzer/protocols/ssh/events.bif rename to src/analyzer/protocol/ssh/events.bif diff --git a/src/analyzer/protocols/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/ssl/CMakeLists.txt rename to src/analyzer/protocol/ssl/CMakeLists.txt diff --git a/src/analyzer/protocols/ssl/Plugin.cc b/src/analyzer/protocol/ssl/Plugin.cc similarity index 100% rename from src/analyzer/protocols/ssl/Plugin.cc rename to src/analyzer/protocol/ssl/Plugin.cc diff --git a/src/analyzer/protocols/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc similarity index 96% rename from src/analyzer/protocols/ssl/SSL.cc rename to src/analyzer/protocol/ssl/SSL.cc index cf41f273f6..6cd2fa59f8 100644 --- a/src/analyzer/protocols/ssl/SSL.cc +++ b/src/analyzer/protocol/ssl/SSL.cc @@ -1,6 +1,6 @@ #include "SSL.h" -#include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "Reporter.h" #include "util.h" 
diff --git a/src/analyzer/protocols/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h similarity index 95% rename from src/analyzer/protocols/ssl/SSL.h rename to src/analyzer/protocol/ssl/SSL.h index f1323566af..6423d1b155 100644 --- a/src/analyzer/protocols/ssl/SSL.h +++ b/src/analyzer/protocol/ssl/SSL.h @@ -3,7 +3,7 @@ #include "events.bif.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "ssl_pac.h" namespace analyzer { namespace ssl { diff --git a/src/analyzer/protocols/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif similarity index 100% rename from src/analyzer/protocols/ssl/events.bif rename to src/analyzer/protocol/ssl/events.bif diff --git a/src/analyzer/protocols/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif similarity index 100% rename from src/analyzer/protocols/ssl/functions.bif rename to src/analyzer/protocol/ssl/functions.bif diff --git a/src/analyzer/protocols/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac similarity index 100% rename from src/analyzer/protocols/ssl/ssl-analyzer.pac rename to src/analyzer/protocol/ssl/ssl-analyzer.pac diff --git a/src/analyzer/protocols/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac similarity index 100% rename from src/analyzer/protocols/ssl/ssl-defs.pac rename to src/analyzer/protocol/ssl/ssl-defs.pac diff --git a/src/analyzer/protocols/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac similarity index 100% rename from src/analyzer/protocols/ssl/ssl-protocol.pac rename to src/analyzer/protocol/ssl/ssl-protocol.pac diff --git a/src/analyzer/protocols/ssl/ssl.pac b/src/analyzer/protocol/ssl/ssl.pac similarity index 100% rename from src/analyzer/protocols/ssl/ssl.pac rename to src/analyzer/protocol/ssl/ssl.pac 
diff --git a/src/analyzer/protocols/stepping-stone/CMakeLists.txt b/src/analyzer/protocol/stepping-stone/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/stepping-stone/CMakeLists.txt rename to src/analyzer/protocol/stepping-stone/CMakeLists.txt diff --git a/src/analyzer/protocols/stepping-stone/Plugin.cc b/src/analyzer/protocol/stepping-stone/Plugin.cc similarity index 100% rename from src/analyzer/protocols/stepping-stone/Plugin.cc rename to src/analyzer/protocol/stepping-stone/Plugin.cc diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc similarity index 99% rename from src/analyzer/protocols/stepping-stone/SteppingStone.cc rename to src/analyzer/protocol/stepping-stone/SteppingStone.cc index 2b25a2e080..09a7444213 100644 --- a/src/analyzer/protocols/stepping-stone/SteppingStone.cc +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc @@ -7,7 +7,7 @@ #include "Event.h" #include "Net.h" #include "NetVar.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "SteppingStone.h" #include "util.h" diff --git a/src/analyzer/protocols/stepping-stone/SteppingStone.h b/src/analyzer/protocol/stepping-stone/SteppingStone.h similarity index 98% rename from src/analyzer/protocols/stepping-stone/SteppingStone.h rename to src/analyzer/protocol/stepping-stone/SteppingStone.h index 212899f32c..1471c08a3b 100644 --- a/src/analyzer/protocols/stepping-stone/SteppingStone.h +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.h @@ -4,7 +4,7 @@ #define ANALYZER_PROTOCOL_STEPPING_STONE_STEPPINGSTONE_H #include "Queue.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" class NetSessions; 
diff --git a/src/analyzer/protocols/stepping-stone/events.bif b/src/analyzer/protocol/stepping-stone/events.bif similarity index 100% rename from src/analyzer/protocols/stepping-stone/events.bif rename to src/analyzer/protocol/stepping-stone/events.bif diff --git a/src/analyzer/protocols/syslog/CMakeLists.txt b/src/analyzer/protocol/syslog/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/syslog/CMakeLists.txt rename to src/analyzer/protocol/syslog/CMakeLists.txt diff --git a/src/analyzer/protocols/syslog/Plugin.cc b/src/analyzer/protocol/syslog/Plugin.cc similarity index 100% rename from src/analyzer/protocols/syslog/Plugin.cc rename to src/analyzer/protocol/syslog/Plugin.cc diff --git a/src/analyzer/protocols/syslog/Syslog.cc b/src/analyzer/protocol/syslog/Syslog.cc similarity index 97% rename from src/analyzer/protocols/syslog/Syslog.cc rename to src/analyzer/protocol/syslog/Syslog.cc index e1667ea38b..2b783afc64 100644 --- a/src/analyzer/protocols/syslog/Syslog.cc +++ b/src/analyzer/protocol/syslog/Syslog.cc @@ -1,6 +1,6 @@ #include "Syslog.h" -#include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/syslog/Syslog.h b/src/analyzer/protocol/syslog/Syslog.h similarity index 94% rename from src/analyzer/protocols/syslog/Syslog.h rename to src/analyzer/protocol/syslog/Syslog.h index fd929a478e..355863e36e 100644 --- a/src/analyzer/protocols/syslog/Syslog.h +++ b/src/analyzer/protocol/syslog/Syslog.h @@ -2,8 +2,8 @@ #ifndef ANALYZER_PROTOCOL_SYSLOG_SYSLOG_H #define ANALYZER_PROTOCOL_SYSLOG_SYSLOG_H -#include "analyzer/protocols/udp/UDP.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/udp/UDP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "syslog_pac.h" 
diff --git a/src/analyzer/protocols/syslog/events.bif b/src/analyzer/protocol/syslog/events.bif similarity index 100% rename from src/analyzer/protocols/syslog/events.bif rename to src/analyzer/protocol/syslog/events.bif diff --git a/src/analyzer/protocols/syslog/syslog-analyzer.pac b/src/analyzer/protocol/syslog/syslog-analyzer.pac similarity index 100% rename from src/analyzer/protocols/syslog/syslog-analyzer.pac rename to src/analyzer/protocol/syslog/syslog-analyzer.pac diff --git a/src/analyzer/protocols/syslog/syslog-protocol.pac b/src/analyzer/protocol/syslog/syslog-protocol.pac similarity index 100% rename from src/analyzer/protocols/syslog/syslog-protocol.pac rename to src/analyzer/protocol/syslog/syslog-protocol.pac diff --git a/src/analyzer/protocols/syslog/syslog.pac b/src/analyzer/protocol/syslog/syslog.pac similarity index 100% rename from src/analyzer/protocols/syslog/syslog.pac rename to src/analyzer/protocol/syslog/syslog.pac diff --git a/src/analyzer/protocols/tcp/CMakeLists.txt b/src/analyzer/protocol/tcp/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/tcp/CMakeLists.txt rename to src/analyzer/protocol/tcp/CMakeLists.txt diff --git a/src/analyzer/protocols/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc similarity index 99% rename from src/analyzer/protocols/tcp/ContentLine.cc rename to src/analyzer/protocol/tcp/ContentLine.cc index c1738ccc64..2a810c5dd1 100644 --- a/src/analyzer/protocols/tcp/ContentLine.cc +++ b/src/analyzer/protocol/tcp/ContentLine.cc @@ -1,7 +1,7 @@ #include #include "ContentLine.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h similarity index 98% rename from src/analyzer/protocols/tcp/ContentLine.h rename to src/analyzer/protocol/tcp/ContentLine.h index f5d3ef8211..ecc1347984 100644 --- a/src/analyzer/protocols/tcp/ContentLine.h 
+++ b/src/analyzer/protocol/tcp/ContentLine.h @@ -3,7 +3,7 @@ #ifndef ANALYZER_PROTOCOL_TCP_CONTENTLINE_H #define ANALYZER_PROTOCOL_TCP_CONTENTLINE_H -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" namespace analyzer { namespace tcp { diff --git a/src/analyzer/protocols/tcp/Plugin.cc b/src/analyzer/protocol/tcp/Plugin.cc similarity index 100% rename from src/analyzer/protocols/tcp/Plugin.cc rename to src/analyzer/protocol/tcp/Plugin.cc diff --git a/src/analyzer/protocols/tcp/Stats.cc b/src/analyzer/protocol/tcp/Stats.cc similarity index 100% rename from src/analyzer/protocols/tcp/Stats.cc rename to src/analyzer/protocol/tcp/Stats.cc diff --git a/src/analyzer/protocols/tcp/Stats.h b/src/analyzer/protocol/tcp/Stats.h similarity index 100% rename from src/analyzer/protocols/tcp/Stats.h rename to src/analyzer/protocol/tcp/Stats.h diff --git a/src/analyzer/protocols/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc similarity index 99% rename from src/analyzer/protocols/tcp/TCP.cc rename to src/analyzer/protocol/tcp/TCP.cc index 23de51642b..ee8a5938f5 100644 --- a/src/analyzer/protocols/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -7,9 +7,9 @@ #include "OSFinger.h" #include "Event.h" -#include "analyzer/protocols/pia/PIA.h" -#include "analyzer/protocols/tcp/TCP.h" -#include "analyzer/protocols/tcp/TCP_Reassembler.h" +#include "analyzer/protocol/pia/PIA.h" +#include "analyzer/protocol/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP_Reassembler.h" #include "events.bif.h" diff --git a/src/analyzer/protocols/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h similarity index 99% rename from src/analyzer/protocols/tcp/TCP.h rename to src/analyzer/protocol/tcp/TCP.h index ded3cd7270..b2649b4ab8 100644 --- a/src/analyzer/protocols/tcp/TCP.h +++ b/src/analyzer/protocol/tcp/TCP.h 
@@ -4,7 +4,7 @@ #define ANALYZER_PROTOCOL_TCP_TCP_H #include "analyzer/Analyzer.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "PacketDumper.h" #include "IPAddr.h" #include "TCP_Endpoint.h" diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc similarity index 99% rename from src/analyzer/protocols/tcp/TCP_Endpoint.cc rename to src/analyzer/protocol/tcp/TCP_Endpoint.cc index 922c52693a..3beafdeb8a 100644 --- a/src/analyzer/protocols/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc @@ -2,7 +2,7 @@ #include "Net.h" #include "NetVar.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "TCP_Reassembler.h" #include "Sessions.h" #include "Event.h" diff --git a/src/analyzer/protocols/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h similarity index 100% rename from src/analyzer/protocols/tcp/TCP_Endpoint.h rename to src/analyzer/protocol/tcp/TCP_Endpoint.h diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc similarity index 99% rename from src/analyzer/protocols/tcp/TCP_Reassembler.cc rename to src/analyzer/protocol/tcp/TCP_Reassembler.cc index e54a1494af..949be9f599 100644 --- a/src/analyzer/protocols/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -2,7 +2,7 @@ #include "analyzer/Analyzer.h" #include "TCP_Reassembler.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" #include "TCP_Endpoint.h" // Only needed for gap_report events. diff --git a/src/analyzer/protocols/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h similarity index 100% rename from src/analyzer/protocols/tcp/TCP_Reassembler.h rename to src/analyzer/protocol/tcp/TCP_Reassembler.h 
diff --git a/src/analyzer/protocols/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif similarity index 100% rename from src/analyzer/protocols/tcp/events.bif rename to src/analyzer/protocol/tcp/events.bif diff --git a/src/analyzer/protocols/tcp/functions.bif b/src/analyzer/protocol/tcp/functions.bif similarity index 99% rename from src/analyzer/protocols/tcp/functions.bif rename to src/analyzer/protocol/tcp/functions.bif index b0178a1279..ff812b80ee 100644 --- a/src/analyzer/protocols/tcp/functions.bif +++ b/src/analyzer/protocol/tcp/functions.bif @@ -1,6 +1,6 @@ %%{ -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" %%} ## Get the originator sequence number of a TCP connection. Sequence numbers diff --git a/src/analyzer/protocols/teredo/CMakeLists.txt b/src/analyzer/protocol/teredo/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/teredo/CMakeLists.txt rename to src/analyzer/protocol/teredo/CMakeLists.txt diff --git a/src/analyzer/protocols/teredo/Plugin.cc b/src/analyzer/protocol/teredo/Plugin.cc similarity index 100% rename from src/analyzer/protocols/teredo/Plugin.cc rename to src/analyzer/protocol/teredo/Plugin.cc diff --git a/src/analyzer/protocols/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc similarity index 100% rename from src/analyzer/protocols/teredo/Teredo.cc rename to src/analyzer/protocol/teredo/Teredo.cc diff --git a/src/analyzer/protocols/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h similarity index 100% rename from src/analyzer/protocols/teredo/Teredo.h rename to src/analyzer/protocol/teredo/Teredo.h diff --git a/src/analyzer/protocols/teredo/events.bif b/src/analyzer/protocol/teredo/events.bif similarity index 100% rename from src/analyzer/protocols/teredo/events.bif rename to src/analyzer/protocol/teredo/events.bif 
diff --git a/src/analyzer/protocols/udp/CMakeLists.txt b/src/analyzer/protocol/udp/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/udp/CMakeLists.txt rename to src/analyzer/protocol/udp/CMakeLists.txt diff --git a/src/analyzer/protocols/udp/Plugin.cc b/src/analyzer/protocol/udp/Plugin.cc similarity index 82% rename from src/analyzer/protocols/udp/Plugin.cc rename to src/analyzer/protocol/udp/Plugin.cc index a013c55a87..c18a846e00 100644 --- a/src/analyzer/protocols/udp/Plugin.cc +++ b/src/analyzer/protocol/udp/Plugin.cc @@ -1,7 +1,7 @@ #include "plugin/Plugin.h" -#include "analyzer/protocols/udp/UDP.h" +#include "analyzer/protocol/udp/UDP.h" BRO_PLUGIN_BEGIN(UDP) BRO_PLUGIN_DESCRIPTION("UDP Analyzer"); diff --git a/src/analyzer/protocols/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc similarity index 99% rename from src/analyzer/protocols/udp/UDP.cc rename to src/analyzer/protocol/udp/UDP.cc index 8092a511c3..3050ea5648 100644 --- a/src/analyzer/protocols/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -6,7 +6,7 @@ #include "Net.h" #include "NetVar.h" -#include "analyzer/protocols/udp/UDP.h" +#include "analyzer/protocol/udp/UDP.h" #include "Reporter.h" #include "Conn.h" diff --git a/src/analyzer/protocols/udp/UDP.h b/src/analyzer/protocol/udp/UDP.h similarity index 100% rename from src/analyzer/protocols/udp/UDP.h rename to src/analyzer/protocol/udp/UDP.h diff --git a/src/analyzer/protocols/udp/events.bif b/src/analyzer/protocol/udp/events.bif similarity index 100% rename from src/analyzer/protocols/udp/events.bif rename to src/analyzer/protocol/udp/events.bif diff --git a/src/analyzer/protocols/zip/CMakeLists.txt b/src/analyzer/protocol/zip/CMakeLists.txt similarity index 100% rename from src/analyzer/protocols/zip/CMakeLists.txt rename to src/analyzer/protocol/zip/CMakeLists.txt 
diff --git a/src/analyzer/protocols/zip/Plugin.cc b/src/analyzer/protocol/zip/Plugin.cc similarity index 100% rename from src/analyzer/protocols/zip/Plugin.cc rename to src/analyzer/protocol/zip/Plugin.cc diff --git a/src/analyzer/protocols/zip/ZIP.cc b/src/analyzer/protocol/zip/ZIP.cc similarity index 100% rename from src/analyzer/protocols/zip/ZIP.cc rename to src/analyzer/protocol/zip/ZIP.cc diff --git a/src/analyzer/protocols/zip/ZIP.h b/src/analyzer/protocol/zip/ZIP.h similarity index 94% rename from src/analyzer/protocols/zip/ZIP.h rename to src/analyzer/protocol/zip/ZIP.h index 7753ac2945..b284529d86 100644 --- a/src/analyzer/protocols/zip/ZIP.h +++ b/src/analyzer/protocol/zip/ZIP.h @@ -6,7 +6,7 @@ #include "config.h" #include "zlib.h" -#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocol/tcp/TCP.h" namespace analyzer { namespace zip { diff --git a/src/analyzer/protocols/zip/events.bif b/src/analyzer/protocol/zip/events.bif similarity index 100% rename from src/analyzer/protocols/zip/events.bif rename to src/analyzer/protocol/zip/events.bif diff --git a/src/bro.bif b/src/bro.bif index 5c39e335a6..6ad7dccc3a 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2626,7 +2626,7 @@ function decode_base64_custom%(s: string, a: string%): string %} %%{ -#include "analyzer/protocols/dce-rpc/DCE_RPC.h" +#include "analyzer/protocol/dce-rpc/DCE_RPC.h" typedef struct { uint32 time_low; diff --git a/src/parse.y b/src/parse.y index 449b472c0c..5c54706168 100644 --- a/src/parse.y +++ b/src/parse.y @@ -79,7 +79,7 @@ #include "Expr.h" #include "Stmt.h" #include "Var.h" -/* #include "analyzer/protocols/dns/DNS.h" */ +/* #include "analyzer/protocol/dns/DNS.h" */ #include "RE.h" #include "Scope.h" #include "Reporter.h" From da696c4b24201bad474a776f753d50491bd14ce1 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 19 Apr 2013 15:58:13 -0700 Subject: [PATCH 31/70] Unifying analyzer names and descriptions. --- src/analyzer/protocol/backdoor/Plugin.cc | 2 +- src/analyzer/protocol/conn-size/Plugin.cc | 2 +- src/analyzer/protocol/dce-rpc/Plugin.cc | 2 +- src/analyzer/protocol/dhcp/Plugin.cc | 2 +- src/analyzer/protocol/dns/Plugin.cc | 2 +- src/analyzer/protocol/file/Plugin.cc | 2 +- src/analyzer/protocol/finger/Plugin.cc | 4 ++-- src/analyzer/protocol/ftp/Plugin.cc | 2 +- src/analyzer/protocol/gnutella/Plugin.cc | 4 ++-- src/analyzer/protocol/gtpv1/CMakeLists.txt | 2 +- src/analyzer/protocol/gtpv1/Plugin.cc | 6 +++--- src/analyzer/protocol/http/Plugin.cc | 2 +- src/analyzer/protocol/icmp/Plugin.cc | 2 +- src/analyzer/protocol/ident/Plugin.cc | 4 ++-- src/analyzer/protocol/interconn/Plugin.cc | 4 ++-- src/analyzer/protocol/irc/Plugin.cc | 2 +- src/analyzer/protocol/login/Plugin.cc | 8 ++++---- src/analyzer/protocol/mime/Plugin.cc | 2 +- src/analyzer/protocol/modbus/Plugin.cc | 2 +- src/analyzer/protocol/ncp/Plugin.cc | 2 +- src/analyzer/protocol/netbios/CMakeLists.txt | 2 +- src/analyzer/protocol/netbios/Plugin.cc | 4 ++-- src/analyzer/protocol/netflow/Plugin.cc | 2 +- src/analyzer/protocol/ntp/Plugin.cc | 2 +- src/analyzer/protocol/pia/Plugin.cc | 2 +- src/analyzer/protocol/pop3/Plugin.cc | 2 +- src/analyzer/protocol/rpc/Plugin.cc | 2 +- src/analyzer/protocol/smb/Plugin.cc | 2 +- src/analyzer/protocol/smtp/Plugin.cc | 2 +- src/analyzer/protocol/socks/Plugin.cc | 2 +- src/analyzer/protocol/ssh/Plugin.cc | 2 +- src/analyzer/protocol/ssl/Plugin.cc | 2 +- src/analyzer/protocol/stepping-stone/Plugin.cc | 4 ++-- src/analyzer/protocol/syslog/Plugin.cc | 4 ++-- src/analyzer/protocol/tcp/Plugin.cc | 2 +- src/analyzer/protocol/teredo/Plugin.cc | 4 ++-- 36 files changed, 49 insertions(+), 49 deletions(-) diff --git a/src/analyzer/protocol/backdoor/Plugin.cc b/src/analyzer/protocol/backdoor/Plugin.cc index afcf60edbc..b350e835a1 100644 
--- a/src/analyzer/protocol/backdoor/Plugin.cc +++ b/src/analyzer/protocol/backdoor/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(BackDoor) BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("BACKDOOR", backdoor::BackDoor_Analyzer); + BRO_PLUGIN_ANALYZER("BackDoor", backdoor::BackDoor_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/conn-size/Plugin.cc b/src/analyzer/protocol/conn-size/Plugin.cc index 5ff2ed201d..d72b97dac6 100644 --- a/src/analyzer/protocol/conn-size/Plugin.cc +++ b/src/analyzer/protocol/conn-size/Plugin.cc @@ -5,6 +5,6 @@ BRO_PLUGIN_BEGIN(ConnSize) BRO_PLUGIN_DESCRIPTION("Connection size analyzer"); - BRO_PLUGIN_ANALYZER("CONNSIZE", conn_size::ConnSize_Analyzer); + BRO_PLUGIN_ANALYZER("ConnSize", conn_size::ConnSize_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/dce-rpc/Plugin.cc b/src/analyzer/protocol/dce-rpc/Plugin.cc index 5e35af7c0d..368cffdc7f 100644 --- a/src/analyzer/protocol/dce-rpc/Plugin.cc +++ b/src/analyzer/protocol/dce-rpc/Plugin.cc @@ -4,7 +4,7 @@ #include "DCE_RPC.h" BRO_PLUGIN_BEGIN(DCE_RPC) - BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer"); + BRO_PLUGIN_DESCRIPTION("DCE-RPC analyzer"); BRO_PLUGIN_ANALYZER("DCE_RPC", dce_rpc::DCE_RPC_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/dhcp/Plugin.cc b/src/analyzer/protocol/dhcp/Plugin.cc index e1ee02db95..8bc1c68a6b 100644 --- a/src/analyzer/protocol/dhcp/Plugin.cc +++ b/src/analyzer/protocol/dhcp/Plugin.cc @@ -4,7 +4,7 @@ #include "DHCP.h" BRO_PLUGIN_BEGIN(DHCP) - BRO_PLUGIN_DESCRIPTION("DHCP Analyzer"); + BRO_PLUGIN_DESCRIPTION("DHCP analyzer"); BRO_PLUGIN_ANALYZER("DHCP", dhcp::DHCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/dns/Plugin.cc b/src/analyzer/protocol/dns/Plugin.cc index e731f191da..f4275b4181 100644 --- a/src/analyzer/protocol/dns/Plugin.cc 
+++ b/src/analyzer/protocol/dns/Plugin.cc @@ -4,7 +4,7 @@ #include "DNS.h" BRO_PLUGIN_BEGIN(DNS) - BRO_PLUGIN_DESCRIPTION("DNS Analyzer"); + BRO_PLUGIN_DESCRIPTION("DNS analyzer"); BRO_PLUGIN_ANALYZER("DNS", dns::DNS_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/file/Plugin.cc b/src/analyzer/protocol/file/Plugin.cc index ad4e917742..06d3ba9373 100644 --- a/src/analyzer/protocol/file/Plugin.cc +++ b/src/analyzer/protocol/file/Plugin.cc @@ -4,7 +4,7 @@ #include "./File.h" BRO_PLUGIN_BEGIN(File) - BRO_PLUGIN_DESCRIPTION("Generic File Analyzer"); + BRO_PLUGIN_DESCRIPTION("Generic file analyzer"); BRO_PLUGIN_ANALYZER("File", file::File_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/finger/Plugin.cc b/src/analyzer/protocol/finger/Plugin.cc index 603bbd004e..a20c0765c1 100644 --- a/src/analyzer/protocol/finger/Plugin.cc +++ b/src/analyzer/protocol/finger/Plugin.cc @@ -4,7 +4,7 @@ #include "Finger.h" BRO_PLUGIN_BEGIN(Finger) - BRO_PLUGIN_DESCRIPTION("Finger Analyzer"); - BRO_PLUGIN_ANALYZER("FINGER", finger::Finger_Analyzer); + BRO_PLUGIN_DESCRIPTION("Finger analyzer"); + BRO_PLUGIN_ANALYZER("Finger", finger::Finger_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ftp/Plugin.cc b/src/analyzer/protocol/ftp/Plugin.cc index d6bc3313e6..e35185d5c5 100644 --- a/src/analyzer/protocol/ftp/Plugin.cc +++ b/src/analyzer/protocol/ftp/Plugin.cc @@ -4,7 +4,7 @@ #include "FTP.h" BRO_PLUGIN_BEGIN(FTP) - BRO_PLUGIN_DESCRIPTION("FTP Analyzer"); + BRO_PLUGIN_DESCRIPTION("FTP analyzer"); BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/gnutella/Plugin.cc b/src/analyzer/protocol/gnutella/Plugin.cc index eca9adb001..b52d545bc3 100644 --- a/src/analyzer/protocol/gnutella/Plugin.cc +++ b/src/analyzer/protocol/gnutella/Plugin.cc 
@@ -4,7 +4,7 @@ #include "Gnutella.h" BRO_PLUGIN_BEGIN(Gnutella) - BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer"); - BRO_PLUGIN_ANALYZER("GNUTELLA", gnutella::Gnutella_Analyzer); + BRO_PLUGIN_DESCRIPTION("Gnutella analyzer"); + BRO_PLUGIN_ANALYZER("Gnutella", gnutella::Gnutella_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/gtpv1/CMakeLists.txt b/src/analyzer/protocol/gtpv1/CMakeLists.txt index e414876df5..b739330b37 100644 --- a/src/analyzer/protocol/gtpv1/CMakeLists.txt +++ b/src/analyzer/protocol/gtpv1/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(GTPV1) +bro_plugin_begin(GTPv1) bro_plugin_cc(GTPv1.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac) diff --git a/src/analyzer/protocol/gtpv1/Plugin.cc b/src/analyzer/protocol/gtpv1/Plugin.cc index 39233384dc..5a39dd3980 100644 --- a/src/analyzer/protocol/gtpv1/Plugin.cc +++ b/src/analyzer/protocol/gtpv1/Plugin.cc @@ -3,8 +3,8 @@ #include "GTPv1.h" -BRO_PLUGIN_BEGIN(GTPV1) - BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer"); - BRO_PLUGIN_ANALYZER("GTPV1", gtpv1::GTPv1_Analyzer); +BRO_PLUGIN_BEGIN(GTPv1) + BRO_PLUGIN_DESCRIPTION("GTPv1 analyzer"); + BRO_PLUGIN_ANALYZER("GTPv1", gtpv1::GTPv1_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/http/Plugin.cc b/src/analyzer/protocol/http/Plugin.cc index 86f1cb0333..2908a37511 100644 --- a/src/analyzer/protocol/http/Plugin.cc +++ b/src/analyzer/protocol/http/Plugin.cc @@ -4,7 +4,7 @@ #include "HTTP.h" BRO_PLUGIN_BEGIN(HTTP) - BRO_PLUGIN_DESCRIPTION("HTTP Analyzer"); + BRO_PLUGIN_DESCRIPTION("HTTP analyzer"); BRO_PLUGIN_ANALYZER("HTTP", http::HTTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(functions); diff --git a/src/analyzer/protocol/icmp/Plugin.cc b/src/analyzer/protocol/icmp/Plugin.cc index 0d3a90e168..fa0c885a3e 100644 
--- a/src/analyzer/protocol/icmp/Plugin.cc +++ b/src/analyzer/protocol/icmp/Plugin.cc @@ -4,7 +4,7 @@ #include "ICMP.h" BRO_PLUGIN_BEGIN(ICMP) - BRO_PLUGIN_DESCRIPTION("ICMP Analyzer"); + BRO_PLUGIN_DESCRIPTION("ICMP analyzer"); BRO_PLUGIN_ANALYZER("ICMP", icmp::ICMP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ident/Plugin.cc b/src/analyzer/protocol/ident/Plugin.cc index d0abef8280..d520374552 100644 --- a/src/analyzer/protocol/ident/Plugin.cc +++ b/src/analyzer/protocol/ident/Plugin.cc @@ -4,7 +4,7 @@ #include "Ident.h" BRO_PLUGIN_BEGIN(Ident) - BRO_PLUGIN_DESCRIPTION("Ident Analyzer"); - BRO_PLUGIN_ANALYZER("IDENT", ident::Ident_Analyzer); + BRO_PLUGIN_DESCRIPTION("Ident analyzer"); + BRO_PLUGIN_ANALYZER("Ident", ident::Ident_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/interconn/Plugin.cc b/src/analyzer/protocol/interconn/Plugin.cc index cb4ac076af..e1792dc3ef 100644 --- a/src/analyzer/protocol/interconn/Plugin.cc +++ b/src/analyzer/protocol/interconn/Plugin.cc @@ -4,7 +4,7 @@ #include "InterConn.h" BRO_PLUGIN_BEGIN(InterConn) - BRO_PLUGIN_DESCRIPTION("InterConn Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("INTERCONN", interconn::InterConn_Analyzer); + BRO_PLUGIN_DESCRIPTION("InterConn analyzer (deprecated)"); + BRO_PLUGIN_ANALYZER("InterConn", interconn::InterConn_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/irc/Plugin.cc b/src/analyzer/protocol/irc/Plugin.cc index 72b89fda0e..046d1b5a02 100644 --- a/src/analyzer/protocol/irc/Plugin.cc +++ b/src/analyzer/protocol/irc/Plugin.cc @@ -4,7 +4,7 @@ #include "IRC.h" BRO_PLUGIN_BEGIN(IRC) - BRO_PLUGIN_DESCRIPTION("IRC Analyzer"); + BRO_PLUGIN_DESCRIPTION("IRC analyzer"); BRO_PLUGIN_ANALYZER("IRC", irc::IRC_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END 
diff --git a/src/analyzer/protocol/login/Plugin.cc b/src/analyzer/protocol/login/Plugin.cc index 43784ba262..8c7287afae 100644 --- a/src/analyzer/protocol/login/Plugin.cc +++ b/src/analyzer/protocol/login/Plugin.cc @@ -7,10 +7,10 @@ #include "Rlogin.h" BRO_PLUGIN_BEGIN(Login) - BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin Analyzer"); - BRO_PLUGIN_ANALYZER("TELNET", login::Telnet_Analyzer); - BRO_PLUGIN_ANALYZER("RSH", login::Rsh_Analyzer); - BRO_PLUGIN_ANALYZER("RLOGIN", login::Rlogin_Analyzer); + BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin analyzers"); + BRO_PLUGIN_ANALYZER("Telnet", login::Telnet_Analyzer); + BRO_PLUGIN_ANALYZER("Rsh", login::Rsh_Analyzer); + BRO_PLUGIN_ANALYZER("Rlogin", login::Rlogin_Analyzer); BRO_PLUGIN_ANALYZER_BARE("NVT"); BRO_PLUGIN_ANALYZER_BARE("Login"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh"); diff --git a/src/analyzer/protocol/mime/Plugin.cc b/src/analyzer/protocol/mime/Plugin.cc index 98dee2a2eb..ff90d9d671 100644 --- a/src/analyzer/protocol/mime/Plugin.cc +++ b/src/analyzer/protocol/mime/Plugin.cc @@ -2,6 +2,6 @@ #include "plugin/Plugin.h" BRO_PLUGIN_BEGIN(MIME) - BRO_PLUGIN_DESCRIPTION("MIME Parsing Code"); + BRO_PLUGIN_DESCRIPTION("MIME parsing code"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/modbus/Plugin.cc b/src/analyzer/protocol/modbus/Plugin.cc index ba93063560..e03f8dbb9b 100644 --- a/src/analyzer/protocol/modbus/Plugin.cc +++ b/src/analyzer/protocol/modbus/Plugin.cc @@ -4,7 +4,7 @@ #include "Modbus.h" BRO_PLUGIN_BEGIN(Modbus) - BRO_PLUGIN_DESCRIPTION("Modbus Analyzer"); + BRO_PLUGIN_DESCRIPTION("Modbus analyzer"); BRO_PLUGIN_ANALYZER("MODBUS", modbus::ModbusTCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ncp/Plugin.cc b/src/analyzer/protocol/ncp/Plugin.cc index 6bfc2b70f6..5e1a955606 100644 --- a/src/analyzer/protocol/ncp/Plugin.cc +++ b/src/analyzer/protocol/ncp/Plugin.cc 
@@ -4,7 +4,7 @@ #include "NCP.h" BRO_PLUGIN_BEGIN(NCP) - BRO_PLUGIN_DESCRIPTION("NCP Analyzer"); + BRO_PLUGIN_DESCRIPTION("NCP analyzer"); BRO_PLUGIN_ANALYZER("NCP", ncp::NCP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NCP"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/netbios/CMakeLists.txt b/src/analyzer/protocol/netbios/CMakeLists.txt index 6e7c5251a3..ab31cd6e0a 100644 --- a/src/analyzer/protocol/netbios/CMakeLists.txt +++ b/src/analyzer/protocol/netbios/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Netbios) +bro_plugin_begin(NetBIOS) bro_plugin_cc(NetbiosSSN.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocol/netbios/Plugin.cc b/src/analyzer/protocol/netbios/Plugin.cc index 7f71dbbe10..36ec458138 100644 --- a/src/analyzer/protocol/netbios/Plugin.cc +++ b/src/analyzer/protocol/netbios/Plugin.cc @@ -3,8 +3,8 @@ #include "NetbiosSSN.h" -BRO_PLUGIN_BEGIN(Netbios) - BRO_PLUGIN_DESCRIPTION("Netbios Analyzer (SSN only)"); +BRO_PLUGIN_BEGIN(NetBIOS) + BRO_PLUGIN_DESCRIPTION("NetBIOS analyzer (support only SSN currently)"); BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/netflow/Plugin.cc b/src/analyzer/protocol/netflow/Plugin.cc index f7c36e943a..cd7a937171 100644 --- a/src/analyzer/protocol/netflow/Plugin.cc +++ b/src/analyzer/protocol/netflow/Plugin.cc @@ -2,6 +2,6 @@ #include "plugin/Plugin.h" BRO_PLUGIN_BEGIN(NetFlow) - BRO_PLUGIN_DESCRIPTION("NetFlow Parsing Code"); + BRO_PLUGIN_DESCRIPTION("NetFlow parsing code"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc index 8331c25dee..bf2bd5df15 100644 --- a/src/analyzer/protocol/ntp/Plugin.cc 
+++ b/src/analyzer/protocol/ntp/Plugin.cc @@ -4,7 +4,7 @@ #include "NTP.h" BRO_PLUGIN_BEGIN(NTP) - BRO_PLUGIN_DESCRIPTION("NTP Analyzer"); + BRO_PLUGIN_DESCRIPTION("NTP analyzer"); BRO_PLUGIN_ANALYZER("NTP", ntp::NTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/pia/Plugin.cc b/src/analyzer/protocol/pia/Plugin.cc index 2d56f80038..6c4bf1a6b2 100644 --- a/src/analyzer/protocol/pia/Plugin.cc +++ b/src/analyzer/protocol/pia/Plugin.cc @@ -4,7 +4,7 @@ #include "PIA.h" BRO_PLUGIN_BEGIN(PIA) - BRO_PLUGIN_DESCRIPTION("Protocol Identificatin Analyzers"); + BRO_PLUGIN_DESCRIPTION("Analyzers implementing Dynamic Protocol Detection"); BRO_PLUGIN_ANALYZER("PIA_TCP", pia::PIA_TCP); BRO_PLUGIN_ANALYZER("PIA_UDP", pia::PIA_UDP); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/pop3/Plugin.cc b/src/analyzer/protocol/pop3/Plugin.cc index 056cb36682..b686e2fbee 100644 --- a/src/analyzer/protocol/pop3/Plugin.cc +++ b/src/analyzer/protocol/pop3/Plugin.cc @@ -4,7 +4,7 @@ #include "POP3.h" BRO_PLUGIN_BEGIN(POP3) - BRO_PLUGIN_DESCRIPTION("POP3 Analyzer"); + BRO_PLUGIN_DESCRIPTION("POP3 analyzer"); BRO_PLUGIN_ANALYZER("POP3", pop3::POP3_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/rpc/Plugin.cc b/src/analyzer/protocol/rpc/Plugin.cc index 23f5d0e667..815cf14362 100644 --- a/src/analyzer/protocol/rpc/Plugin.cc +++ b/src/analyzer/protocol/rpc/Plugin.cc @@ -8,7 +8,7 @@ BRO_PLUGIN_BEGIN(RPC) BRO_PLUGIN_DESCRIPTION("Analyzers for RPC-based protocols"); BRO_PLUGIN_ANALYZER("NFS", rpc::NFS_Analyzer); - BRO_PLUGIN_ANALYZER("PORTMAPPER", rpc::Portmapper_Analyzer); + BRO_PLUGIN_ANALYZER("Portmapper", rpc::Portmapper_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_RPC"); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NFS"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/smb/Plugin.cc b/src/analyzer/protocol/smb/Plugin.cc index 2f83460984..97ea10f5d8 100644 
--- a/src/analyzer/protocol/smb/Plugin.cc +++ b/src/analyzer/protocol/smb/Plugin.cc @@ -4,7 +4,7 @@ #include "SMB.h" BRO_PLUGIN_BEGIN(SMB) - BRO_PLUGIN_DESCRIPTION("SMB Analyzer"); + BRO_PLUGIN_DESCRIPTION("SMB analyzer"); BRO_PLUGIN_ANALYZER("SMB", smb::SMB_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_SMB"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/smtp/Plugin.cc b/src/analyzer/protocol/smtp/Plugin.cc index 6550733b92..f1567098d2 100644 --- a/src/analyzer/protocol/smtp/Plugin.cc +++ b/src/analyzer/protocol/smtp/Plugin.cc @@ -4,7 +4,7 @@ #include "SMTP.h" BRO_PLUGIN_BEGIN(SMTP) - BRO_PLUGIN_DESCRIPTION("SMTP Analyzer"); + BRO_PLUGIN_DESCRIPTION("SMTP analyzer"); BRO_PLUGIN_ANALYZER("SMTP", smtp::SMTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(functions); diff --git a/src/analyzer/protocol/socks/Plugin.cc b/src/analyzer/protocol/socks/Plugin.cc index 3c849e6e23..3c659de628 100644 --- a/src/analyzer/protocol/socks/Plugin.cc +++ b/src/analyzer/protocol/socks/Plugin.cc @@ -4,7 +4,7 @@ #include "SOCKS.h" BRO_PLUGIN_BEGIN(SOCKS) - BRO_PLUGIN_DESCRIPTION("SOCKS Analyzer"); + BRO_PLUGIN_DESCRIPTION("SOCKS analyzer"); BRO_PLUGIN_ANALYZER("SOCKS", socks::SOCKS_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ssh/Plugin.cc b/src/analyzer/protocol/ssh/Plugin.cc index 57acbe222c..4bb2a0ffdb 100644 --- a/src/analyzer/protocol/ssh/Plugin.cc +++ b/src/analyzer/protocol/ssh/Plugin.cc @@ -4,7 +4,7 @@ #include "SSH.h" BRO_PLUGIN_BEGIN(SSH) - BRO_PLUGIN_DESCRIPTION("SSH Analyzer"); + BRO_PLUGIN_DESCRIPTION("SSH analyzer"); BRO_PLUGIN_ANALYZER("SSH", ssh::SSH_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ssl/Plugin.cc b/src/analyzer/protocol/ssl/Plugin.cc index b406e4aa8b..5edbecd480 100644 --- a/src/analyzer/protocol/ssl/Plugin.cc +++ b/src/analyzer/protocol/ssl/Plugin.cc 
@@ -4,7 +4,7 @@ #include "SSL.h" BRO_PLUGIN_BEGIN(SSL) - BRO_PLUGIN_DESCRIPTION("SSL Analyzer"); + BRO_PLUGIN_DESCRIPTION("SSL analyzer"); BRO_PLUGIN_ANALYZER("SSL", ssl::SSL_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_BIF_FILE(functions); diff --git a/src/analyzer/protocol/stepping-stone/Plugin.cc b/src/analyzer/protocol/stepping-stone/Plugin.cc index 748c5fac5f..bde87384fa 100644 --- a/src/analyzer/protocol/stepping-stone/Plugin.cc +++ b/src/analyzer/protocol/stepping-stone/Plugin.cc @@ -4,7 +4,7 @@ #include "SteppingStone.h" BRO_PLUGIN_BEGIN(SteppingStone) - BRO_PLUGIN_DESCRIPTION("SteppingStone Analyzer (deprecated)"); - BRO_PLUGIN_ANALYZER("STEPPINGSTONE", stepping_stone::SteppingStone_Analyzer); + BRO_PLUGIN_DESCRIPTION("Stepping stone analyzer (deprecated)"); + BRO_PLUGIN_ANALYZER("SteppingStone", stepping_stone::SteppingStone_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/syslog/Plugin.cc b/src/analyzer/protocol/syslog/Plugin.cc index f5d955942b..0616cace14 100644 --- a/src/analyzer/protocol/syslog/Plugin.cc +++ b/src/analyzer/protocol/syslog/Plugin.cc @@ -4,7 +4,7 @@ #include "Syslog.h" BRO_PLUGIN_BEGIN(Syslog) - BRO_PLUGIN_DESCRIPTION("Syslog Analyzer (UDP-only currently)"); - BRO_PLUGIN_ANALYZER("SYSLOG", syslog::Syslog_Analyzer); + BRO_PLUGIN_DESCRIPTION("Syslog analyzer (UDP-only currently)"); + BRO_PLUGIN_ANALYZER("Syslog", syslog::Syslog_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/tcp/Plugin.cc b/src/analyzer/protocol/tcp/Plugin.cc index 376c54d332..8342f2ed3e 100644 --- a/src/analyzer/protocol/tcp/Plugin.cc +++ b/src/analyzer/protocol/tcp/Plugin.cc @@ -4,7 +4,7 @@ #include "TCP.h" BRO_PLUGIN_BEGIN(TCP) - BRO_PLUGIN_DESCRIPTION("TCP Analyzer"); + BRO_PLUGIN_DESCRIPTION("TCP analyzer"); BRO_PLUGIN_ANALYZER("TCP", tcp::TCP_Analyzer); BRO_PLUGIN_ANALYZER("TCPStats", tcp::TCPStats_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("ContentLine"); 
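Review bot: the modbus/Plugin.cc hunk leaves the analyzer registered as `BRO_PLUGIN_ANALYZER("MODBUS", modbus::ModbusTCP_Analyzer);` while every other hunk in this patch moves the registered name from all-caps to the mixed-case spelling (`"BackDoor"`, `"Finger"`, `"Portmapper"`, `"SteppingStone"`); rename it to `"Modbus"` here as well, otherwise the naming the subject line says is being unified still has one outlier, and the name that shows up in script-land and in `-NN` output is spelled differently from the rest.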
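Review bot: in the netbios/Plugin.cc hunk the new description string `"NetBIOS analyzer (support only SSN currently)"` is ungrammatical; `"NetBIOS analyzer (currently supports SSN only)"` says the same thing and matches the form already used in the syslog hunk, `"Syslog analyzer (UDP-only currently)"`.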
diff --git a/src/analyzer/protocol/teredo/Plugin.cc b/src/analyzer/protocol/teredo/Plugin.cc index 1ea1c03238..38f3a8edd9 100644 --- a/src/analyzer/protocol/teredo/Plugin.cc +++ b/src/analyzer/protocol/teredo/Plugin.cc @@ -4,7 +4,7 @@ #include "Teredo.h" BRO_PLUGIN_BEGIN(Teredo) - BRO_PLUGIN_DESCRIPTION("Teredo Analyzer"); - BRO_PLUGIN_ANALYZER("TEREDO", teredo::Teredo_Analyzer); + BRO_PLUGIN_DESCRIPTION("Teredo analyzer"); + BRO_PLUGIN_ANALYZER("Teredo", teredo::Teredo_Analyzer); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END From eb3218590e69dcfac86ddd1eba725a259929fb86 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 19 Apr 2013 16:26:19 -0700 Subject: [PATCH 32/70] Cleaning up analyzer naming. Also adding the script-level ID to the -NN output. --- src/analyzer/Component.cc | 27 +++++++++++++++++++++++++++ src/analyzer/Component.h | 13 ++++++++++++- src/analyzer/Manager.cc | 22 +++++++--------------- src/analyzer/protocol/TODO | 5 +---- 4 files changed, 47 insertions(+), 20 deletions(-) diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc index 6ce433a594..78705643e9 100644 --- a/src/analyzer/Component.cc +++ b/src/analyzer/Component.cc @@ -1,5 +1,6 @@ #include "Component.h" +#include "Manager.h" #include "../Desc.h" @@ -7,10 +8,26 @@ using namespace analyzer; Tag::type_t Component::type_counter = 0; +static const char* canonify_name(const char* name) + { + unsigned int len = strlen(name); + char* nname = new char[len + 1]; + + for ( unsigned int i = 0; i < len; i++ ) + { + char c = isalnum(name[i]) ? name[i] : '_'; + nname[i] = toupper(c); + } + + nname[len] = '\0'; + return nname; + } + Component::Component(const char* arg_name, factory_callback arg_factory, Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial) : plugin::Component(plugin::component::ANALYZER) { name = copy_string(arg_name); + canon_name = canonify_name(arg_name); factory = arg_factory; enabled = arg_enabled; partial = arg_partial; 
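Review bot: canonify_name passes a plain `char` to isalnum() and toupper(); where `char` is signed, any byte at or above 0x80 becomes a negative argument and the behaviour is undefined, so cast first (`char c = isalnum((unsigned char) name[i]) ? name[i] : '_';` and `nname[i] = toupper((unsigned char) c);`), and include <cctype> and <cstring> explicitly instead of relying on whatever Component.h pulls in. Two names that differ only in non-alphanumerics (for instance a hyphen versus an underscore) canonify to the same ID; the Manager's duplicate check will catch that at startup, but the message should print both original spellings. Since Component now owns two heap strings and defines a copy constructor, add a matching copy assignment operator or declare it private, otherwise a default shallow assignment ends in a double `delete []`.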
@@ -22,6 +39,7 @@ Component::Component(const Component& other) : plugin::Component(Type()) { name = copy_string(other.name); + canon_name = copy_string(other.canon_name); factory = other.factory; enabled = other.enabled; partial = other.partial; @@ -31,6 +49,7 @@ Component::Component(const Component& other) Component::~Component() { delete [] name; + delete [] canon_name; } analyzer::Tag Component::Tag() const @@ -43,6 +62,14 @@ void Component::Describe(ODesc* d) plugin::Component::Describe(d); d->Add(name); d->Add(" ("); + + if ( factory ) + { + d->Add("ANALYZER_"); + d->Add(canon_name); + d->Add(", "); + } + d->Add(enabled ? "enabled" : "disabled"); d->Add(")"); } diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h index 67751e1b35..6e72f87155 100644 --- a/src/analyzer/Component.h +++ b/src/analyzer/Component.h @@ -68,10 +68,20 @@ public: /** * Returns the name of the analyzer. This name is unique across all - * analyzers and used to identify it. + * analyzers and used to identify it. The returned name is derived + * from what's passed to the constructor but upper-cased and + * canonified to allow being part of a script-level ID. */ const char* Name() const { return name; } + /** + * Returns a canonocalized version of the analyzer's name. The + * returned name is derived from what's passed to the constructor but + * upper-cased and transformed to allow being part of a script-level + * ID. + */ + const char* CanonicalName() const { return canon_name; } + /** * Returns the analyzer's factory function. */ @@ -115,6 +125,7 @@ public: private: const char* name; // The analyzer's name. + const char* canon_name; // The analyzer's canonical name. factory_callback factory; // The analyzer's factory callback. bool partial; // True if the analyzer supports partial connections. analyzer::Tag tag; // The automatically assigned analyzer tag. diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index d337c0b849..4f33ccef93 100644 
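Review bot: the doc comment on Name() in Component.h is now wrong: it says the returned name is "upper-cased and canonified", but Name() still returns exactly what was passed to the constructor; that sentence belongs only to CanonicalName(), whose own comment has a typo ("canonocalized"). Suggest "Returns the name of the analyzer as passed to the constructor." for Name(), and keep the canonified description on CanonicalName() only. In Describe(), the ANALYZER_ ID is printed only when `factory` is set, so support analyzers (registered without a factory) are listed without an ID in the -NN output; if that is intended, say so in a comment, since a reader will otherwise take it for a missing case.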
--- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -136,14 +136,6 @@ void Manager::DumpDebug() DBG_LOG(DBG_ANALYZER, " %d/udp: %s", i->first, s.c_str()); } -#if 0 - ODesc d; - tag_enum_type->Describe(&d); - - DBG_LOG(DBG_ANALYZER, ""); - DBG_LOG(DBG_ANALYZER, "Analyzer::Tag type: %s", d.Description()); -#endif - #endif } @@ -153,20 +145,20 @@ void Manager::Done() void Manager::RegisterAnalyzerComponent(Component* component) { - if ( Lookup(component->Name()) ) - reporter->FatalError("Analyzer %s defined more than once", component->Name()); + const char* cname = component->CanonicalName(); - string name = to_upper(component->Name()); + if ( Lookup(cname) ) + reporter->FatalError("Analyzer %s defined more than once", cname); DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)", - name.c_str(), component->Tag().AsString().c_str()); + component->Name(), component->Tag().AsString().c_str()); - analyzers_by_name.insert(std::make_pair(name, component)); + analyzers_by_name.insert(std::make_pair(cname, component)); analyzers_by_tag.insert(std::make_pair(component->Tag(), component)); analyzers_by_val.insert(std::make_pair(component->Tag().AsEnumVal()->InternalInt(), component)); // Install enum "Analyzer::ANALYZER_*" - string id = fmt("ANALYZER_%s", name.c_str()); + string id = fmt("ANALYZER_%s", cname); tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().AsEnumVal()->InternalInt(), true); } @@ -341,7 +333,7 @@ const char* Manager::GetAnalyzerName(Tag tag) if ( ! c ) reporter->InternalError("request for name of unknown analyzer tag %s", tag.AsString().c_str()); - return c->Name(); + return c->CanonicalName(); } const char* Manager::GetAnalyzerName(Val* val) diff --git a/src/analyzer/protocol/TODO b/src/analyzer/protocol/TODO index 4302252a49..d1888a18f1 100644 --- a/src/analyzer/protocol/TODO +++ b/src/analyzer/protocol/TODO 
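Review bot: GetAnalyzerName(Tag) now returns the canonical (upper-cased, underscored) name rather than the display name, which changes what every caller that writes the result into logs or messages sees; if that is the intent, the commit message should say so and the function would be clearer as a separately named accessor, otherwise keep Name() here and expose CanonicalName() through a new getter. The duplicate-definition FatalError prints only `cname`, so a collision between two differently spelled names shows as "Analyzer X defined more than once" without telling which two plugins clashed; include component->Name(). And since analyzers_by_name is now keyed on the canonical name, Lookup(const char*) must apply the same transformation to its argument (the old code only upper-cased), or lookups with hyphenated or mixed-case names will silently fail.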
@@ -1,5 +1,2 @@ - -- cleanup analyzer descriptions -- can now lower-case the analyzer name in plugin -- not sure cmake dependencies work right yet +- cmake dependencies don't work right yet From 10dc8b927907332aa6a70fee0dc91b9325d047c8 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 19 Apr 2013 16:35:24 -0700 Subject: [PATCH 33/70] Updating tests. --- doc/scripts/DocSourcesList.cmake | 83 ++++++++++--------- .../canonified_loaded_scripts.log | 20 +++-- .../canonified_loaded_scripts.log | 20 +++-- .../scripts/base/protocols/modbus/events.bro | 2 +- 4 files changed, 73 insertions(+), 52 deletions(-) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 00cba8bab7..0dc98999ca 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
@@ -17,43 +17,52 @@ rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/analyzer.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ayiya/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/backdoor/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/bittorrent/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/conn-size/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dce-rpc/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dhcp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dns/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/file/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/finger/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ftp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gnutella/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gtpv1/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/functions.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/icmp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ident/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/interconn/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/irc/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/login/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/modbus/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ncp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src 
base/analyzer/protocols/netbios-ssn/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ntp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pia/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pop3/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/rpc/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smb/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smtp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/socks/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssh/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssl/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/stepping-stone/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/syslog/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/tcp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/teredo/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/udp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/zip/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/arp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ayiya/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/backdoor/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/bittorrent/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/conn-size/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dce-rpc/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dhcp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dns/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src 
base/analyzer/protocol/file/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/finger/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ftp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ftp/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/gnutella/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/gtpv1/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/http/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/http/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/icmp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ident/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/interconn/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/irc/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/login/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/login/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/mime/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/modbus/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ncp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netbios/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netbios/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netflow/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ntp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/pia/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/pop3/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/rpc/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src 
base/analyzer/protocol/smb/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/smtp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/smtp/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/socks/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssh/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssl/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssl/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/stepping-stone/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/syslog/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/tcp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/tcp/functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/teredo/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/udp/events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/zip/events.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index a4933aba7b..3843616bda 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-17-03-50-16 +#open 2013-04-19-23-31-06 #fields name #types string scripts/base/init-bare.bro 
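Review bot: DocSourcesList.cmake is a hand-maintained copy of the bif registrations and had already drifted before this patch (no arp, mime, netflow, ftp/functions, login/functions or netbios/functions entries), so it will drift again; since every plugin now declares its bif files through bro_plugin_bif() in its own CMakeLists.txt, consider generating this list from those registrations rather than keeping a second copy that only tests catch.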
@@ -33,9 +33,8 @@ scripts/base/init-bare.bro scripts/base/frameworks/analyzer/./main.bro build/scripts/base/bif/analyzer.bif.bro build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./ARP.events.bif.bro build/scripts/base/bif/plugins/./AYIYA.events.bif.bro - build/scripts/base/bif/plugins/./BACKDOOR.events.bif.bro - build/scripts/base/bif/plugins/./BITTORRENT.events.bif.bro build/scripts/base/bif/plugins/./BackDoor.events.bif.bro build/scripts/base/bif/plugins/./BitTorrent.events.bif.bro build/scripts/base/bif/plugins/./ConnSize.events.bif.bro @@ -43,10 +42,10 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./DHCP.events.bif.bro build/scripts/base/bif/plugins/./DNS.events.bif.bro build/scripts/base/bif/plugins/./FTP.events.bif.bro + build/scripts/base/bif/plugins/./FTP.functions.bif.bro build/scripts/base/bif/plugins/./File.events.bif.bro - build/scripts/base/bif/plugins/./FileAnalyzer.events.bif.bro build/scripts/base/bif/plugins/./Finger.events.bif.bro - build/scripts/base/bif/plugins/./GTPV1.events.bif.bro + build/scripts/base/bif/plugins/./GTPv1.events.bif.bro build/scripts/base/bif/plugins/./Gnutella.events.bif.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro 
@@ -55,23 +54,30 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./Ident.events.bif.bro build/scripts/base/bif/plugins/./InterConn.events.bif.bro build/scripts/base/bif/plugins/./Login.events.bif.bro + build/scripts/base/bif/plugins/./Login.functions.bif.bro + build/scripts/base/bif/plugins/./MIME.events.bif.bro build/scripts/base/bif/plugins/./Modbus.events.bif.bro build/scripts/base/bif/plugins/./NCP.events.bif.bro build/scripts/base/bif/plugins/./NTP.events.bif.bro - build/scripts/base/bif/plugins/./NetbiosSSN.events.bif.bro + build/scripts/base/bif/plugins/./NetBIOS.events.bif.bro + build/scripts/base/bif/plugins/./NetBIOS.functions.bif.bro + build/scripts/base/bif/plugins/./NetFlow.events.bif.bro build/scripts/base/bif/plugins/./PIA.events.bif.bro build/scripts/base/bif/plugins/./POP3.events.bif.bro build/scripts/base/bif/plugins/./RPC.events.bif.bro build/scripts/base/bif/plugins/./SMB.events.bif.bro build/scripts/base/bif/plugins/./SMTP.events.bif.bro + build/scripts/base/bif/plugins/./SMTP.functions.bif.bro build/scripts/base/bif/plugins/./SOCKS.events.bif.bro build/scripts/base/bif/plugins/./SSH.events.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./SSL.functions.bif.bro build/scripts/base/bif/plugins/./SteppingStone.events.bif.bro build/scripts/base/bif/plugins/./Syslog.events.bif.bro build/scripts/base/bif/plugins/./TCP.events.bif.bro + build/scripts/base/bif/plugins/./TCP.functions.bif.bro build/scripts/base/bif/plugins/./Teredo.events.bif.bro build/scripts/base/bif/plugins/./UDP.events.bif.bro build/scripts/base/bif/plugins/./ZIP.events.bif.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-17-03-50-16 +#close 2013-04-19-23-31-06 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index d469dad0bc..af0b205971 100644 
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-17-03-50-51 +#open 2013-04-19-23-31-58 #fields name #types string scripts/base/init-bare.bro @@ -33,9 +33,8 @@ scripts/base/init-bare.bro scripts/base/frameworks/analyzer/./main.bro build/scripts/base/bif/analyzer.bif.bro build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./ARP.events.bif.bro build/scripts/base/bif/plugins/./AYIYA.events.bif.bro - build/scripts/base/bif/plugins/./BACKDOOR.events.bif.bro - build/scripts/base/bif/plugins/./BITTORRENT.events.bif.bro build/scripts/base/bif/plugins/./BackDoor.events.bif.bro build/scripts/base/bif/plugins/./BitTorrent.events.bif.bro build/scripts/base/bif/plugins/./ConnSize.events.bif.bro @@ -43,10 +42,10 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./DHCP.events.bif.bro build/scripts/base/bif/plugins/./DNS.events.bif.bro build/scripts/base/bif/plugins/./FTP.events.bif.bro + build/scripts/base/bif/plugins/./FTP.functions.bif.bro build/scripts/base/bif/plugins/./File.events.bif.bro - build/scripts/base/bif/plugins/./FileAnalyzer.events.bif.bro build/scripts/base/bif/plugins/./Finger.events.bif.bro - build/scripts/base/bif/plugins/./GTPV1.events.bif.bro + build/scripts/base/bif/plugins/./GTPv1.events.bif.bro build/scripts/base/bif/plugins/./Gnutella.events.bif.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro 
@@ -55,21 +54,28 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/./Ident.events.bif.bro build/scripts/base/bif/plugins/./InterConn.events.bif.bro build/scripts/base/bif/plugins/./Login.events.bif.bro + build/scripts/base/bif/plugins/./Login.functions.bif.bro + build/scripts/base/bif/plugins/./MIME.events.bif.bro build/scripts/base/bif/plugins/./Modbus.events.bif.bro build/scripts/base/bif/plugins/./NCP.events.bif.bro build/scripts/base/bif/plugins/./NTP.events.bif.bro - build/scripts/base/bif/plugins/./NetbiosSSN.events.bif.bro + build/scripts/base/bif/plugins/./NetBIOS.events.bif.bro + build/scripts/base/bif/plugins/./NetBIOS.functions.bif.bro + build/scripts/base/bif/plugins/./NetFlow.events.bif.bro build/scripts/base/bif/plugins/./PIA.events.bif.bro build/scripts/base/bif/plugins/./POP3.events.bif.bro build/scripts/base/bif/plugins/./RPC.events.bif.bro build/scripts/base/bif/plugins/./SMB.events.bif.bro build/scripts/base/bif/plugins/./SMTP.events.bif.bro + build/scripts/base/bif/plugins/./SMTP.functions.bif.bro build/scripts/base/bif/plugins/./SOCKS.events.bif.bro build/scripts/base/bif/plugins/./SSH.events.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./SSL.functions.bif.bro build/scripts/base/bif/plugins/./SteppingStone.events.bif.bro build/scripts/base/bif/plugins/./Syslog.events.bif.bro build/scripts/base/bif/plugins/./TCP.events.bif.bro + build/scripts/base/bif/plugins/./TCP.functions.bif.bro build/scripts/base/bif/plugins/./Teredo.events.bif.bro build/scripts/base/bif/plugins/./UDP.events.bif.bro build/scripts/base/bif/plugins/./ZIP.events.bif.bro @@ -163,4 +169,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-17-03-50-51 +#close 2013-04-19-23-31-58 
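Review bot: in both baselines the removed entries (`BACKDOOR.events.bif.bro` next to `BackDoor.events.bif.bro`, `BITTORRENT` next to `BitTorrent`, `FileAnalyzer.events.bif.bro`, `GTPV1` next to `GTPv1`) show that the previous baseline was generated from a build directory that still contained .bif.bro files from before the renames, so it never reflected a clean build. Regenerate both files from a clean tree, and make the bif output directory part of `make clean` so stale loader entries cannot reappear; the `#open`/`#close` timestamp churn is expected and fine.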
diff --git a/testing/btest/scripts/base/protocols/modbus/events.bro b/testing/btest/scripts/base/protocols/modbus/events.bro index f648a0adde..a0c8e20258 100644 --- a/testing/btest/scripts/base/protocols/modbus/events.bro +++ b/testing/btest/scripts/base/protocols/modbus/events.bro @@ -2,7 +2,7 @@ # @TEST-EXEC: bro -r $TRACES/modbus/modbus.trace %INPUT | sort | uniq -c | sed 's/^ *//g' >output # @TEST-EXEC: btest-diff output # @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered -# @TEST-EXEC: cat ${DIST}/src/event.bif | grep "^event modbus_" | wc -l >total +# @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif | grep "^event modbus_" | wc -l >total # @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage # @TEST-EXEC: btest-diff coverage From 87528709678e450f6c9d5596af035711d627f871 Mon Sep 17 00:00:00 2001 
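Review bot: moving the "total" count to src/analyzer/protocol/modbus/events.bif is the right anchor now that the events live there, but `cat file | grep "^event modbus_" | wc -l` can simply be `grep -c "^event modbus_" file`, and the anchored pattern only counts declarations starting at column 0, so the coverage ratio will silently drop if a declaration is ever indented or continued on a second line; a pattern on `event[[:space:]]+modbus_` is more robust.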
From: Robin Sommer Date: Wed, 15 May 2013 20:22:51 -0700 Subject: [PATCH 34/70] Fixing cmake dependencies and "make {install,clean}" Also includes a bunch of cleanup. --- cmake | 2 +- src/CMakeLists.txt | 34 ++++++++++++------- src/FlowSrc.cc | 2 +- src/analyzer/CMakeLists.txt | 10 ++---- src/analyzer/Manager.cc | 18 +++++----- src/analyzer/protocol/arp/CMakeLists.txt | 2 +- src/analyzer/protocol/arp/Plugin.cc | 2 +- src/analyzer/protocol/ayiya/CMakeLists.txt | 2 +- src/analyzer/protocol/ayiya/Plugin.cc | 2 +- src/analyzer/protocol/backdoor/CMakeLists.txt | 2 +- src/analyzer/protocol/backdoor/Plugin.cc | 2 +- .../protocol/bittorrent/CMakeLists.txt | 2 +- src/analyzer/protocol/bittorrent/Plugin.cc | 2 +- .../protocol/conn-size/CMakeLists.txt | 2 +- src/analyzer/protocol/conn-size/Plugin.cc | 2 +- src/analyzer/protocol/dce-rpc/CMakeLists.txt | 3 +- src/analyzer/protocol/dce-rpc/Plugin.cc | 2 +- src/analyzer/protocol/dhcp/CMakeLists.txt | 2 +- src/analyzer/protocol/dhcp/Plugin.cc | 2 +- src/analyzer/protocol/dns/CMakeLists.txt | 2 +- src/analyzer/protocol/dns/Plugin.cc | 2 +- src/analyzer/protocol/file/CMakeLists.txt | 2 +- src/analyzer/protocol/file/Plugin.cc | 2 +- src/analyzer/protocol/finger/CMakeLists.txt | 2 +- src/analyzer/protocol/finger/Plugin.cc | 2 +- src/analyzer/protocol/ftp/CMakeLists.txt | 2 +- src/analyzer/protocol/ftp/Plugin.cc | 2 +- src/analyzer/protocol/gnutella/CMakeLists.txt | 2 +- src/analyzer/protocol/gnutella/Plugin.cc | 2 +- src/analyzer/protocol/gtpv1/CMakeLists.txt | 2 +- src/analyzer/protocol/gtpv1/Plugin.cc | 2 +- src/analyzer/protocol/http/CMakeLists.txt | 2 +- src/analyzer/protocol/http/Plugin.cc | 2 +- src/analyzer/protocol/icmp/CMakeLists.txt | 2 +- src/analyzer/protocol/icmp/Plugin.cc | 2 +- src/analyzer/protocol/ident/CMakeLists.txt | 2 +- src/analyzer/protocol/ident/Plugin.cc | 2 +- .../protocol/interconn/CMakeLists.txt | 2 +- src/analyzer/protocol/interconn/Plugin.cc | 2 +- src/analyzer/protocol/irc/CMakeLists.txt | 2 +- 
src/analyzer/protocol/irc/Plugin.cc | 2 +- src/analyzer/protocol/login/CMakeLists.txt | 2 +- src/analyzer/protocol/login/Plugin.cc | 2 +- src/analyzer/protocol/mime/CMakeLists.txt | 2 +- src/analyzer/protocol/mime/Plugin.cc | 2 +- src/analyzer/protocol/modbus/CMakeLists.txt | 2 +- src/analyzer/protocol/modbus/Plugin.cc | 2 +- src/analyzer/protocol/ncp/CMakeLists.txt | 2 +- src/analyzer/protocol/ncp/Plugin.cc | 2 +- src/analyzer/protocol/netbios/CMakeLists.txt | 5 ++- src/analyzer/protocol/netbios/Plugin.cc | 2 +- src/analyzer/protocol/netflow/CMakeLists.txt | 2 +- src/analyzer/protocol/netflow/Plugin.cc | 2 +- src/analyzer/protocol/ntp/CMakeLists.txt | 2 +- src/analyzer/protocol/ntp/Plugin.cc | 2 +- src/analyzer/protocol/pia/CMakeLists.txt | 2 +- src/analyzer/protocol/pia/Plugin.cc | 2 +- src/analyzer/protocol/pop3/CMakeLists.txt | 2 +- src/analyzer/protocol/pop3/Plugin.cc | 2 +- src/analyzer/protocol/rpc/CMakeLists.txt | 2 +- src/analyzer/protocol/rpc/Plugin.cc | 2 +- src/analyzer/protocol/smb/CMakeLists.txt | 3 +- src/analyzer/protocol/smb/Plugin.cc | 2 +- src/analyzer/protocol/smtp/CMakeLists.txt | 2 +- src/analyzer/protocol/smtp/Plugin.cc | 2 +- src/analyzer/protocol/socks/CMakeLists.txt | 2 +- src/analyzer/protocol/socks/Plugin.cc | 2 +- src/analyzer/protocol/ssh/CMakeLists.txt | 2 +- src/analyzer/protocol/ssh/Plugin.cc | 2 +- src/analyzer/protocol/ssl/CMakeLists.txt | 2 +- src/analyzer/protocol/ssl/Plugin.cc | 2 +- .../protocol/stepping-stone/CMakeLists.txt | 2 +- .../protocol/stepping-stone/Plugin.cc | 2 +- src/analyzer/protocol/syslog/CMakeLists.txt | 2 +- src/analyzer/protocol/syslog/Plugin.cc | 2 +- src/analyzer/protocol/tcp/CMakeLists.txt | 2 +- src/analyzer/protocol/tcp/Plugin.cc | 2 +- src/analyzer/protocol/teredo/CMakeLists.txt | 2 +- src/analyzer/protocol/teredo/Plugin.cc | 2 +- src/analyzer/protocol/udp/CMakeLists.txt | 2 +- src/analyzer/protocol/udp/Plugin.cc | 2 +- src/analyzer/protocol/zip/CMakeLists.txt | 2 +- src/analyzer/protocol/zip/Plugin.cc 
| 2 +- src/bro.bif | 2 -- src/builtin-func.l | 9 +++-- src/plugin/Macros.h | 8 ++--- 86 files changed, 130 insertions(+), 116 deletions(-) diff --git a/cmake b/cmake index c50757259f..0034421286 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit c50757259f509f13227cf28bbd4fd281828a39d2 +Subproject commit 0034421286f23a3d7ab2044d658c3ac72797569b diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index b374c64d2c..0ab11fc85e 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -3,6 +3,9 @@ include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR} ) +# This collects generated bif and pac files from subdirectories. +set(bro_ALL_GENERATED_OUTPUTS CACHE INTERNAL "automatically generated files" FORCE) + configure_file(version.c.in ${CMAKE_CURRENT_BINARY_DIR}/version.c) configure_file(util-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/util-config.h) @@ -114,11 +117,9 @@ set(BIF_SRCS ) foreach (bift ${BIF_SRCS}) - bif_target(${bift}) + bif_target(${bift} "standard") endforeach () -add_custom_target(generate_bifs DEPENDS ${ALL_BIF_OUTPUTS}) - ######################################################################## ## BinPAC-dependent targets @@ -131,7 +132,10 @@ set(BINPAC_AUXSRC ) binpac_target(binpac-lib.pac) +list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}") + binpac_target(binpac_bro-lib.pac) +list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}") ######################################################################## ## Including subdirectories. @@ -156,7 +160,7 @@ find_package (Threads) macro(COLLECT_HEADERS _var) foreach (src ${ARGN}) get_filename_component(ext ${src} EXT) - if (${ext} STREQUAL ".cc" OR ${ext} STREQUAL ".c") + if ("${ext}" STREQUAL ".cc" OR "${ext}" STREQUAL ".c") get_filename_component(base ${src} NAME_WE) get_filename_component(dir ${src} PATH) if (NOT "${dir}") 
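Review bot: `set(bro_ALL_GENERATED_OUTPUTS CACHE INTERNAL "..." FORCE)` resets the cache entry to empty on every configure so subdirectories can append to it, which works only while the consumer of that list is evaluated after every add_subdirectory() that appends; add a comment at the set() saying so, otherwise a later reordering silently produces an empty dependency list with no error. The `generate_bifs` custom target is removed here; grep the rest of the tree for any remaining add_dependencies(... generate_bifs) since CMake reports a missing dependee only at generate time. The `"${ext}"` quoting change in COLLECT_HEADERS is a good catch: an empty extension would previously have made STREQUAL error out.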
@@ -189,10 +193,8 @@ set_source_files_properties(nb_dns.c PROPERTIES COMPILE_FLAGS set(bro_SRCS ${CMAKE_CURRENT_BINARY_DIR}/version.c ${BIF_SRCS} - ${ALL_BIF_OUTPUTS} ${BINPAC_AUXSRC} - ${ALL_BINPAC_INPUTS} - ${ALL_BINPAC_OUTPUTS} + ${BINPAC_OUTPUTS} ${TRANSFORMED_BISON_OUTPUTS} ${FLEX_RuleScanner_OUTPUTS} ${FLEX_RuleScanner_INPUT} @@ -333,12 +335,20 @@ add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_SUBDIRS}) target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT}) install(TARGETS bro DESTINATION bin) -install(FILES ${INSTALL_BIF_OUTPUTS} DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base) set(BRO_EXE bro CACHE STRING "Bro executable binary" FORCE) -include(BroPlugin) -bro_plugin_bif_create_loader(bif_loader ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins) -add_dependencies(bif_loader ${bro_SUBDIRS}) -add_dependencies(bro bif_loader) +add_custom_target(generate_outputs DEPENDS ${bro_ALL_GENERATED_OUTPUTS}) + +# Build __load__.bro files for plugins/*.bif.bro. +bro_bif_create_loader(bif_loader_plugins ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins) +add_dependencies(bif_loader_plugins ${bro_SUBDIRS}) +add_dependencies(bro bif_loader_plugins) + +# Install *.bif.bro. +install(DIRECTORY ${CMAKE_BINARY_DIR}/scripts/base/bif DESTINATION ${BRO_SCRIPT_INSTALL_PATH}/base) + +# Make clean removes the bif directory. +set_directory_properties(PROPERTIES ADDITIONAL_MAKE_CLEAN_FILES ${CMAKE_BINARY_DIR}/scripts/base/bif) + diff --git a/src/FlowSrc.cc b/src/FlowSrc.cc index 59ce3fd6a4..f5fb0bd1e6 100644 --- a/src/FlowSrc.cc +++ b/src/FlowSrc.cc @@ -9,7 +9,7 @@ #include "FlowSrc.h" #include "Net.h" -#include "netflow_pac.h" +#include "analyzer/protocol/netflow/netflow_pac.h" #include FlowSrc::FlowSrc() diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt index 026bbac80a..1e91141114 100644 --- a/src/analyzer/CMakeLists.txt +++ b/src/analyzer/CMakeLists.txt 
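Review bot: `install(DIRECTORY ${CMAKE_BINARY_DIR}/scripts/base/bif ...)` installs whatever currently sits in the build tree, including leftovers from renamed plugins; the new ADDITIONAL_MAKE_CLEAN_FILES property covers `make clean` but not an incremental rebuild after a rename, so have bif_loader_plugins remove and recreate the plugins directory before writing `__load__.bro`, which also keeps the loader list in sync with what was actually generated. `add_custom_target(generate_outputs DEPENDS ${bro_ALL_GENERATED_OUTPUTS})` sits correctly after the subdirectory includes; a comment there tying it to the set() at the top of the file would help.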
@@ -13,10 +13,6 @@ set(analyzer_SRCS Tag.cc ) -bif_target_for_subdir(analyzer.bif) - -bro_plugin_dependencies(DCE_RPC generate_analyzer.bif) - -add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC} ${BIF_OUTPUT_H}) - -add_dependencies(bro_analyzer generate_events.bif) +bif_target(analyzer.bif) +add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC}) +add_dependencies(bro_analyzer generate_outputs) diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 4f33ccef93..22912ad19d 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -4,18 +4,18 @@ #include "Hash.h" #include "Val.h" -#include "analyzer/protocol/backdoor/BackDoor.h" -#include "analyzer/protocol/conn-size/ConnSize.h" -#include "analyzer/protocol/icmp/ICMP.h" -#include "analyzer/protocol/interconn/InterConn.h" -#include "analyzer/protocol/pia/PIA.h" -#include "analyzer/protocol/stepping-stone/SteppingStone.h" -#include "analyzer/protocol/tcp/TCP.h" -#include "analyzer/protocol/udp/UDP.h" +#include "protocol/backdoor/BackDoor.h" +#include "protocol/conn-size/ConnSize.h" +#include "protocol/icmp/ICMP.h" +#include "protocol/interconn/InterConn.h" +#include "protocol/pia/PIA.h" +#include "protocol/stepping-stone/SteppingStone.h" +#include "protocol/tcp/TCP.h" +#include "protocol/udp/UDP.h" #include "plugin/Manager.h" -#include "protocols/tcp/events.bif.h" +#include "protocol/tcp/events.bif.h" using namespace analyzer; diff --git a/src/analyzer/protocol/arp/CMakeLists.txt b/src/analyzer/protocol/arp/CMakeLists.txt index 5654802b07..eec6755a18 100644 --- a/src/analyzer/protocol/arp/CMakeLists.txt +++ b/src/analyzer/protocol/arp/CMakeLists.txt @@ -8,7 +8,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(ARP) +bro_plugin_begin(Bro ARP) bro_plugin_cc(ARP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() 
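Review bot: the removed `bro_plugin_dependencies(DCE_RPC generate_analyzer.bif)` presumably existed because the DCE_RPC plugin includes analyzer.bif.h; `add_dependencies(bro_analyzer generate_outputs)` orders bro_analyzer after all generated outputs but says nothing about the plugin object libraries, so confirm each plugin target also depends on generate_outputs or a parallel build (`make -jN`) can race on the generated headers. Two include conventions now coexist: FlowSrc.cc uses the src-relative "analyzer/protocol/netflow/netflow_pac.h" while Manager.cc switches to "protocol/backdoor/BackDoor.h" relative to its own directory; both compile, but pick one so generated headers such as events.bif.h are found the same way everywhere. Also `bro_plugin_begin(Bro ARP)` in CMake and `BRO_PLUGIN_BEGIN(Bro, ARP)` in C++ must derive the same plugin identifier, since the bif loader path under scripts/base/bif/plugins comes from it; a test that loads a plugin by that name would pin this down.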
diff --git a/src/analyzer/protocol/arp/Plugin.cc b/src/analyzer/protocol/arp/Plugin.cc index 06b4940719..9045ef412f 100644 --- a/src/analyzer/protocol/arp/Plugin.cc +++ b/src/analyzer/protocol/arp/Plugin.cc @@ -1,7 +1,7 @@ #include "plugin/Plugin.h" -BRO_PLUGIN_BEGIN(ARP) +BRO_PLUGIN_BEGIN(Bro, ARP) BRO_PLUGIN_DESCRIPTION("ARP Parsing Code"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/ayiya/CMakeLists.txt b/src/analyzer/protocol/ayiya/CMakeLists.txt index 8f578a763b..ae23c25e2d 100644 --- a/src/analyzer/protocol/ayiya/CMakeLists.txt +++ b/src/analyzer/protocol/ayiya/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(AYIYA) +bro_plugin_begin(Bro AYIYA) bro_plugin_cc(AYIYA.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac) diff --git a/src/analyzer/protocol/ayiya/Plugin.cc b/src/analyzer/protocol/ayiya/Plugin.cc index 069aedde0a..0fc96eff3c 100644 --- a/src/analyzer/protocol/ayiya/Plugin.cc +++ b/src/analyzer/protocol/ayiya/Plugin.cc @@ -3,7 +3,7 @@ #include "AYIYA.h" -BRO_PLUGIN_BEGIN(AYIYA) +BRO_PLUGIN_BEGIN(Bro, AYIYA) BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer"); BRO_PLUGIN_ANALYZER("AYIYA", ayiya::AYIYA_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/backdoor/CMakeLists.txt b/src/analyzer/protocol/backdoor/CMakeLists.txt index b065cc2c95..5df04769f6 100644 --- a/src/analyzer/protocol/backdoor/CMakeLists.txt +++ b/src/analyzer/protocol/backdoor/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(BackDoor) +bro_plugin_begin(Bro BackDoor) bro_plugin_cc(BackDoor.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/backdoor/Plugin.cc b/src/analyzer/protocol/backdoor/Plugin.cc index b350e835a1..0983aaf5d3 100644 
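Review bot: the description strings for ARP ("ARP Parsing Code"), AYIYA ("AYIYA Analyzer") and BackDoor ("Backdoor Analyzer (deprecated)") keep the capitalization that the earlier naming cleanup normalized to "... analyzer" for SMB through Teredo; since the description is what -NN prints, finish the sweep in these files while they are being touched for the namespace change.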
--- a/src/analyzer/protocol/backdoor/Plugin.cc +++ b/src/analyzer/protocol/backdoor/Plugin.cc @@ -3,7 +3,7 @@ #include "BackDoor.h" -BRO_PLUGIN_BEGIN(BackDoor) +BRO_PLUGIN_BEGIN(Bro, BackDoor) BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)"); BRO_PLUGIN_ANALYZER("BackDoor", backdoor::BackDoor_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/bittorrent/CMakeLists.txt b/src/analyzer/protocol/bittorrent/CMakeLists.txt index 5a3f9372bb..630ea03498 100644 --- a/src/analyzer/protocol/bittorrent/CMakeLists.txt +++ b/src/analyzer/protocol/bittorrent/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(BitTorrent) +bro_plugin_begin(Bro BitTorrent) bro_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac) diff --git a/src/analyzer/protocol/bittorrent/Plugin.cc b/src/analyzer/protocol/bittorrent/Plugin.cc index 59e81749ce..2da9972d0d 100644 --- a/src/analyzer/protocol/bittorrent/Plugin.cc +++ b/src/analyzer/protocol/bittorrent/Plugin.cc @@ -4,7 +4,7 @@ #include "BitTorrent.h" #include "BitTorrentTracker.h" -BRO_PLUGIN_BEGIN(BitTorrent) +BRO_PLUGIN_BEGIN(Bro, BitTorrent) BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer"); BRO_PLUGIN_ANALYZER("BitTorrent", bittorrent::BitTorrent_Analyzer); BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrent_Analyzer); diff --git a/src/analyzer/protocol/conn-size/CMakeLists.txt b/src/analyzer/protocol/conn-size/CMakeLists.txt index e5edd9c947..efaadef401 100644 --- a/src/analyzer/protocol/conn-size/CMakeLists.txt +++ b/src/analyzer/protocol/conn-size/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(ConnSize) +bro_plugin_begin(Bro ConnSize) bro_plugin_cc(ConnSize.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/conn-size/Plugin.cc b/src/analyzer/protocol/conn-size/Plugin.cc index d72b97dac6..6993e15ff8 100644 --- a/src/analyzer/protocol/conn-size/Plugin.cc +++ b/src/analyzer/protocol/conn-size/Plugin.cc @@ -3,7 +3,7 @@ #include "ConnSize.h" -BRO_PLUGIN_BEGIN(ConnSize) +BRO_PLUGIN_BEGIN(Bro, ConnSize) BRO_PLUGIN_DESCRIPTION("Connection size analyzer"); BRO_PLUGIN_ANALYZER("ConnSize", conn_size::ConnSize_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt index 61e6170640..d9baa08acf 100644 --- a/src/analyzer/protocol/dce-rpc/CMakeLists.txt +++ b/src/analyzer/protocol/dce-rpc/CMakeLists.txt @@ -3,9 +3,10 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(DCE_RPC) +bro_plugin_begin(Bro DCE_RPC) bro_plugin_cc(DCE_RPC.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(dce_rpc.pac dce_rpc-protocol.pac dce_rpc-analyzer.pac) bro_plugin_pac(dce_rpc_simple.pac dce_rpc-protocol.pac epmapper.pac) bro_plugin_end() + diff --git a/src/analyzer/protocol/dce-rpc/Plugin.cc b/src/analyzer/protocol/dce-rpc/Plugin.cc index 368cffdc7f..d9f3ce16c8 100644 --- a/src/analyzer/protocol/dce-rpc/Plugin.cc +++ b/src/analyzer/protocol/dce-rpc/Plugin.cc @@ -3,7 +3,7 @@ #include "DCE_RPC.h" -BRO_PLUGIN_BEGIN(DCE_RPC) +BRO_PLUGIN_BEGIN(Bro, DCE_RPC) BRO_PLUGIN_DESCRIPTION("DCE-RPC analyzer"); BRO_PLUGIN_ANALYZER("DCE_RPC", dce_rpc::DCE_RPC_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC"); diff --git a/src/analyzer/protocol/dhcp/CMakeLists.txt b/src/analyzer/protocol/dhcp/CMakeLists.txt index f4552b666a..646a11f9ab 100644 
--- a/src/analyzer/protocol/dhcp/CMakeLists.txt +++ b/src/analyzer/protocol/dhcp/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(DHCP) +bro_plugin_begin(Bro DHCP) bro_plugin_cc(DHCP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac) diff --git a/src/analyzer/protocol/dhcp/Plugin.cc b/src/analyzer/protocol/dhcp/Plugin.cc index 8bc1c68a6b..73603f8cb1 100644 --- a/src/analyzer/protocol/dhcp/Plugin.cc +++ b/src/analyzer/protocol/dhcp/Plugin.cc @@ -3,7 +3,7 @@ #include "DHCP.h" -BRO_PLUGIN_BEGIN(DHCP) +BRO_PLUGIN_BEGIN(Bro, DHCP) BRO_PLUGIN_DESCRIPTION("DHCP analyzer"); BRO_PLUGIN_ANALYZER("DHCP", dhcp::DHCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/dns/CMakeLists.txt b/src/analyzer/protocol/dns/CMakeLists.txt index 38a4cedd03..c63b2dc690 100644 --- a/src/analyzer/protocol/dns/CMakeLists.txt +++ b/src/analyzer/protocol/dns/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(DNS) +bro_plugin_begin(Bro DNS) bro_plugin_cc(DNS.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/dns/Plugin.cc b/src/analyzer/protocol/dns/Plugin.cc index f4275b4181..bb96692cd0 100644 --- a/src/analyzer/protocol/dns/Plugin.cc +++ b/src/analyzer/protocol/dns/Plugin.cc @@ -3,7 +3,7 @@ #include "DNS.h" -BRO_PLUGIN_BEGIN(DNS) +BRO_PLUGIN_BEGIN(Bro, DNS) BRO_PLUGIN_DESCRIPTION("DNS analyzer"); BRO_PLUGIN_ANALYZER("DNS", dns::DNS_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS"); diff --git a/src/analyzer/protocol/file/CMakeLists.txt b/src/analyzer/protocol/file/CMakeLists.txt index 924aadd406..978c28c9c4 100644 --- a/src/analyzer/protocol/file/CMakeLists.txt +++ b/src/analyzer/protocol/file/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(File) +bro_plugin_begin(Bro File) bro_plugin_cc(File.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/file/Plugin.cc b/src/analyzer/protocol/file/Plugin.cc index 06d3ba9373..5a674c47c0 100644 --- a/src/analyzer/protocol/file/Plugin.cc +++ b/src/analyzer/protocol/file/Plugin.cc @@ -3,7 +3,7 @@ #include "./File.h" -BRO_PLUGIN_BEGIN(File) +BRO_PLUGIN_BEGIN(Bro, File) BRO_PLUGIN_DESCRIPTION("Generic file analyzer"); BRO_PLUGIN_ANALYZER("File", file::File_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/finger/CMakeLists.txt b/src/analyzer/protocol/finger/CMakeLists.txt index f51f892390..52dd3816f9 100644 --- a/src/analyzer/protocol/finger/CMakeLists.txt +++ b/src/analyzer/protocol/finger/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Finger) +bro_plugin_begin(Bro Finger) bro_plugin_cc(Finger.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/finger/Plugin.cc b/src/analyzer/protocol/finger/Plugin.cc index a20c0765c1..6cf909ca54 100644 --- a/src/analyzer/protocol/finger/Plugin.cc +++ b/src/analyzer/protocol/finger/Plugin.cc @@ -3,7 +3,7 @@ #include "Finger.h" -BRO_PLUGIN_BEGIN(Finger) +BRO_PLUGIN_BEGIN(Bro, Finger) BRO_PLUGIN_DESCRIPTION("Finger analyzer"); BRO_PLUGIN_ANALYZER("Finger", finger::Finger_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/ftp/CMakeLists.txt b/src/analyzer/protocol/ftp/CMakeLists.txt index 9a92d95116..ab657f9260 100644 --- a/src/analyzer/protocol/ftp/CMakeLists.txt +++ b/src/analyzer/protocol/ftp/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(FTP) +bro_plugin_begin(Bro FTP) bro_plugin_cc(FTP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocol/ftp/Plugin.cc b/src/analyzer/protocol/ftp/Plugin.cc index e35185d5c5..db8e20e7ed 100644 --- a/src/analyzer/protocol/ftp/Plugin.cc +++ b/src/analyzer/protocol/ftp/Plugin.cc @@ -3,7 +3,7 @@ #include "FTP.h" -BRO_PLUGIN_BEGIN(FTP) +BRO_PLUGIN_BEGIN(Bro, FTP) BRO_PLUGIN_DESCRIPTION("FTP analyzer"); BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT"); diff --git a/src/analyzer/protocol/gnutella/CMakeLists.txt b/src/analyzer/protocol/gnutella/CMakeLists.txt index 7418ab46ba..ee5415b924 100644 --- a/src/analyzer/protocol/gnutella/CMakeLists.txt +++ b/src/analyzer/protocol/gnutella/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Gnutella) +bro_plugin_begin(Bro Gnutella) bro_plugin_cc(Gnutella.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/gnutella/Plugin.cc b/src/analyzer/protocol/gnutella/Plugin.cc index b52d545bc3..73b91af002 100644 --- a/src/analyzer/protocol/gnutella/Plugin.cc +++ b/src/analyzer/protocol/gnutella/Plugin.cc @@ -3,7 +3,7 @@ #include "Gnutella.h" -BRO_PLUGIN_BEGIN(Gnutella) +BRO_PLUGIN_BEGIN(Bro, Gnutella) BRO_PLUGIN_DESCRIPTION("Gnutella analyzer"); BRO_PLUGIN_ANALYZER("Gnutella", gnutella::Gnutella_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/gtpv1/CMakeLists.txt b/src/analyzer/protocol/gtpv1/CMakeLists.txt index b739330b37..b45f32e883 100644 --- a/src/analyzer/protocol/gtpv1/CMakeLists.txt +++ b/src/analyzer/protocol/gtpv1/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(GTPv1) +bro_plugin_begin(Bro GTPv1) bro_plugin_cc(GTPv1.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac) diff --git a/src/analyzer/protocol/gtpv1/Plugin.cc b/src/analyzer/protocol/gtpv1/Plugin.cc index 5a39dd3980..83d1557e4d 100644 --- a/src/analyzer/protocol/gtpv1/Plugin.cc +++ b/src/analyzer/protocol/gtpv1/Plugin.cc @@ -3,7 +3,7 @@ #include "GTPv1.h" -BRO_PLUGIN_BEGIN(GTPv1) +BRO_PLUGIN_BEGIN(Bro, GTPv1) BRO_PLUGIN_DESCRIPTION("GTPv1 analyzer"); BRO_PLUGIN_ANALYZER("GTPv1", gtpv1::GTPv1_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/http/CMakeLists.txt b/src/analyzer/protocol/http/CMakeLists.txt index 68bdb632a4..d1fbed07f0 100644 --- a/src/analyzer/protocol/http/CMakeLists.txt +++ b/src/analyzer/protocol/http/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(HTTP) +bro_plugin_begin(Bro HTTP) bro_plugin_cc(HTTP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocol/http/Plugin.cc b/src/analyzer/protocol/http/Plugin.cc index 2908a37511..1a2a05cbed 100644 --- a/src/analyzer/protocol/http/Plugin.cc +++ b/src/analyzer/protocol/http/Plugin.cc @@ -3,7 +3,7 @@ #include "HTTP.h" -BRO_PLUGIN_BEGIN(HTTP) +BRO_PLUGIN_BEGIN(Bro, HTTP) BRO_PLUGIN_DESCRIPTION("HTTP analyzer"); BRO_PLUGIN_ANALYZER("HTTP", http::HTTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/icmp/CMakeLists.txt b/src/analyzer/protocol/icmp/CMakeLists.txt index e867bac238..7b8bd9c7fe 100644 --- a/src/analyzer/protocol/icmp/CMakeLists.txt +++ b/src/analyzer/protocol/icmp/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(ICMP) +bro_plugin_begin(Bro ICMP) bro_plugin_cc(ICMP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/icmp/Plugin.cc b/src/analyzer/protocol/icmp/Plugin.cc index fa0c885a3e..f313842c2a 100644 --- a/src/analyzer/protocol/icmp/Plugin.cc +++ b/src/analyzer/protocol/icmp/Plugin.cc @@ -3,7 +3,7 @@ #include "ICMP.h" -BRO_PLUGIN_BEGIN(ICMP) +BRO_PLUGIN_BEGIN(Bro, ICMP) BRO_PLUGIN_DESCRIPTION("ICMP analyzer"); BRO_PLUGIN_ANALYZER("ICMP", icmp::ICMP_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/ident/CMakeLists.txt b/src/analyzer/protocol/ident/CMakeLists.txt index a8d4102a58..658dff141e 100644 --- a/src/analyzer/protocol/ident/CMakeLists.txt +++ b/src/analyzer/protocol/ident/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Ident) +bro_plugin_begin(Bro Ident) bro_plugin_cc(Ident.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/ident/Plugin.cc b/src/analyzer/protocol/ident/Plugin.cc index d520374552..c053689b8f 100644 --- a/src/analyzer/protocol/ident/Plugin.cc +++ b/src/analyzer/protocol/ident/Plugin.cc @@ -3,7 +3,7 @@ #include "Ident.h" -BRO_PLUGIN_BEGIN(Ident) +BRO_PLUGIN_BEGIN(Bro, Ident) BRO_PLUGIN_DESCRIPTION("Ident analyzer"); BRO_PLUGIN_ANALYZER("Ident", ident::Ident_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/interconn/CMakeLists.txt b/src/analyzer/protocol/interconn/CMakeLists.txt index 6a5ae1f3fe..ef5ca13a9a 100644 --- a/src/analyzer/protocol/interconn/CMakeLists.txt +++ b/src/analyzer/protocol/interconn/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(InterConn) +bro_plugin_begin(Bro InterConn) bro_plugin_cc(InterConn.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/interconn/Plugin.cc b/src/analyzer/protocol/interconn/Plugin.cc index e1792dc3ef..c135d0fb07 100644 --- a/src/analyzer/protocol/interconn/Plugin.cc +++ b/src/analyzer/protocol/interconn/Plugin.cc @@ -3,7 +3,7 @@ #include "InterConn.h" -BRO_PLUGIN_BEGIN(InterConn) +BRO_PLUGIN_BEGIN(Bro, InterConn) BRO_PLUGIN_DESCRIPTION("InterConn analyzer (deprecated)"); BRO_PLUGIN_ANALYZER("InterConn", interconn::InterConn_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/irc/CMakeLists.txt b/src/analyzer/protocol/irc/CMakeLists.txt index 2e7ed7616b..5f97482365 100644 --- a/src/analyzer/protocol/irc/CMakeLists.txt +++ b/src/analyzer/protocol/irc/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(IRC) +bro_plugin_begin(Bro IRC) bro_plugin_cc(IRC.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/irc/Plugin.cc b/src/analyzer/protocol/irc/Plugin.cc index 046d1b5a02..fc7de1bd6d 100644 --- a/src/analyzer/protocol/irc/Plugin.cc +++ b/src/analyzer/protocol/irc/Plugin.cc @@ -3,7 +3,7 @@ #include "IRC.h" -BRO_PLUGIN_BEGIN(IRC) +BRO_PLUGIN_BEGIN(Bro, IRC) BRO_PLUGIN_DESCRIPTION("IRC analyzer"); BRO_PLUGIN_ANALYZER("IRC", irc::IRC_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/login/CMakeLists.txt b/src/analyzer/protocol/login/CMakeLists.txt index 60a5b57ec5..66f8eb1568 100644 --- a/src/analyzer/protocol/login/CMakeLists.txt +++ b/src/analyzer/protocol/login/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Login) +bro_plugin_begin(Bro Login) bro_plugin_cc(Login.cc RSH.cc Telnet.cc Rlogin.cc NVT.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocol/login/Plugin.cc b/src/analyzer/protocol/login/Plugin.cc index 8c7287afae..6b8d1a8fed 100644 --- a/src/analyzer/protocol/login/Plugin.cc +++ b/src/analyzer/protocol/login/Plugin.cc @@ -6,7 +6,7 @@ #include "RSH.h" #include "Rlogin.h" -BRO_PLUGIN_BEGIN(Login) +BRO_PLUGIN_BEGIN(Bro, Login) BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin analyzers"); BRO_PLUGIN_ANALYZER("Telnet", login::Telnet_Analyzer); BRO_PLUGIN_ANALYZER("Rsh", login::Rsh_Analyzer); diff --git a/src/analyzer/protocol/mime/CMakeLists.txt b/src/analyzer/protocol/mime/CMakeLists.txt index 1df45cd395..0a038625f8 100644 --- a/src/analyzer/protocol/mime/CMakeLists.txt +++ b/src/analyzer/protocol/mime/CMakeLists.txt @@ -8,7 +8,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(MIME) +bro_plugin_begin(Bro MIME) bro_plugin_cc(MIME.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/mime/Plugin.cc b/src/analyzer/protocol/mime/Plugin.cc index ff90d9d671..d519a8f84e 100644 --- a/src/analyzer/protocol/mime/Plugin.cc +++ b/src/analyzer/protocol/mime/Plugin.cc @@ -1,7 +1,7 @@ #include "plugin/Plugin.h" -BRO_PLUGIN_BEGIN(MIME) +BRO_PLUGIN_BEGIN(Bro, MIME) BRO_PLUGIN_DESCRIPTION("MIME parsing code"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END diff --git a/src/analyzer/protocol/modbus/CMakeLists.txt b/src/analyzer/protocol/modbus/CMakeLists.txt index 120e352f36..e6705cdd22 100644 --- a/src/analyzer/protocol/modbus/CMakeLists.txt +++ b/src/analyzer/protocol/modbus/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Modbus) +bro_plugin_begin(Bro Modbus) bro_plugin_cc(Modbus.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(modbus.pac modbus-analyzer.pac modbus-protocol.pac) diff --git a/src/analyzer/protocol/modbus/Plugin.cc b/src/analyzer/protocol/modbus/Plugin.cc index e03f8dbb9b..c84992cbae 100644 --- a/src/analyzer/protocol/modbus/Plugin.cc +++ b/src/analyzer/protocol/modbus/Plugin.cc @@ -3,7 +3,7 @@ #include "Modbus.h" -BRO_PLUGIN_BEGIN(Modbus) +BRO_PLUGIN_BEGIN(Bro, Modbus) BRO_PLUGIN_DESCRIPTION("Modbus analyzer"); BRO_PLUGIN_ANALYZER("MODBUS", modbus::ModbusTCP_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/ncp/CMakeLists.txt b/src/analyzer/protocol/ncp/CMakeLists.txt index 021561f0aa..bd06d4e426 100644 --- a/src/analyzer/protocol/ncp/CMakeLists.txt +++ b/src/analyzer/protocol/ncp/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(NCP) +bro_plugin_begin(Bro NCP) bro_plugin_cc(NCP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(ncp.pac) diff --git a/src/analyzer/protocol/ncp/Plugin.cc b/src/analyzer/protocol/ncp/Plugin.cc index 5e1a955606..85cd318fe0 100644 --- a/src/analyzer/protocol/ncp/Plugin.cc +++ b/src/analyzer/protocol/ncp/Plugin.cc @@ -3,7 +3,7 @@ #include "NCP.h" -BRO_PLUGIN_BEGIN(NCP) +BRO_PLUGIN_BEGIN(Bro, NCP) BRO_PLUGIN_DESCRIPTION("NCP analyzer"); BRO_PLUGIN_ANALYZER("NCP", ncp::NCP_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NCP"); diff --git a/src/analyzer/protocol/netbios/CMakeLists.txt b/src/analyzer/protocol/netbios/CMakeLists.txt index ab31cd6e0a..ad6009d171 100644 --- a/src/analyzer/protocol/netbios/CMakeLists.txt +++ b/src/analyzer/protocol/netbios/CMakeLists.txt 
@@ -2,9 +2,12 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) +include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../dce-rpc) +include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../smb) -bro_plugin_begin(NetBIOS) +bro_plugin_begin(Bro NetBIOS) bro_plugin_cc(NetbiosSSN.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) bro_plugin_end() + diff --git a/src/analyzer/protocol/netbios/Plugin.cc b/src/analyzer/protocol/netbios/Plugin.cc index 36ec458138..15daeb1ab5 100644 --- a/src/analyzer/protocol/netbios/Plugin.cc +++ b/src/analyzer/protocol/netbios/Plugin.cc @@ -3,7 +3,7 @@ #include "NetbiosSSN.h" -BRO_PLUGIN_BEGIN(NetBIOS) +BRO_PLUGIN_BEGIN(Bro, NetBIOS) BRO_PLUGIN_DESCRIPTION("NetBIOS analyzer (support only SSN currently)"); BRO_PLUGIN_ANALYZER("NetbiosSSN", netbios_ssn::NetbiosSSN_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN"); diff --git a/src/analyzer/protocol/netflow/CMakeLists.txt b/src/analyzer/protocol/netflow/CMakeLists.txt index c45f410b26..3afc9fd66a 100644 --- a/src/analyzer/protocol/netflow/CMakeLists.txt +++ b/src/analyzer/protocol/netflow/CMakeLists.txt @@ -8,7 +8,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(NetFlow) +bro_plugin_begin(Bro NetFlow) bro_plugin_cc(Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(netflow.pac netflow-protocol.pac netflow-analyzer.pac) diff --git a/src/analyzer/protocol/netflow/Plugin.cc b/src/analyzer/protocol/netflow/Plugin.cc index cd7a937171..b994caa5d8 100644 --- a/src/analyzer/protocol/netflow/Plugin.cc +++ b/src/analyzer/protocol/netflow/Plugin.cc @@ -1,7 +1,7 @@ #include "plugin/Plugin.h" -BRO_PLUGIN_BEGIN(NetFlow) +BRO_PLUGIN_BEGIN(Bro, NetFlow) BRO_PLUGIN_DESCRIPTION("NetFlow parsing code"); BRO_PLUGIN_BIF_FILE(events); BRO_PLUGIN_END 
diff --git a/src/analyzer/protocol/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt index b16c1edee9..a8b8bb1872 100644 --- a/src/analyzer/protocol/ntp/CMakeLists.txt +++ b/src/analyzer/protocol/ntp/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(NTP) +bro_plugin_begin(Bro NTP) bro_plugin_cc(NTP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc index bf2bd5df15..ce4ce5680f 100644 --- a/src/analyzer/protocol/ntp/Plugin.cc +++ b/src/analyzer/protocol/ntp/Plugin.cc @@ -3,7 +3,7 @@ #include "NTP.h" -BRO_PLUGIN_BEGIN(NTP) +BRO_PLUGIN_BEGIN(Bro, NTP) BRO_PLUGIN_DESCRIPTION("NTP analyzer"); BRO_PLUGIN_ANALYZER("NTP", ntp::NTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/pia/CMakeLists.txt b/src/analyzer/protocol/pia/CMakeLists.txt index 8c55deca09..ff55bcf0aa 100644 --- a/src/analyzer/protocol/pia/CMakeLists.txt +++ b/src/analyzer/protocol/pia/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(PIA) +bro_plugin_begin(Bro PIA) bro_plugin_cc(PIA.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/pia/Plugin.cc b/src/analyzer/protocol/pia/Plugin.cc index 6c4bf1a6b2..7d52801475 100644 --- a/src/analyzer/protocol/pia/Plugin.cc +++ b/src/analyzer/protocol/pia/Plugin.cc @@ -3,7 +3,7 @@ #include "PIA.h" -BRO_PLUGIN_BEGIN(PIA) +BRO_PLUGIN_BEGIN(Bro, PIA) BRO_PLUGIN_DESCRIPTION("Analyzers implementing Dynamic Protocol Detection"); BRO_PLUGIN_ANALYZER("PIA_TCP", pia::PIA_TCP); BRO_PLUGIN_ANALYZER("PIA_UDP", pia::PIA_UDP); diff --git a/src/analyzer/protocol/pop3/CMakeLists.txt b/src/analyzer/protocol/pop3/CMakeLists.txt index 5af5a7f624..8071d6a74d 100644 --- a/src/analyzer/protocol/pop3/CMakeLists.txt 
+++ b/src/analyzer/protocol/pop3/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(POP3) +bro_plugin_begin(Bro POP3) bro_plugin_cc(POP3.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/pop3/Plugin.cc b/src/analyzer/protocol/pop3/Plugin.cc index b686e2fbee..edd99e2617 100644 --- a/src/analyzer/protocol/pop3/Plugin.cc +++ b/src/analyzer/protocol/pop3/Plugin.cc @@ -3,7 +3,7 @@ #include "POP3.h" -BRO_PLUGIN_BEGIN(POP3) +BRO_PLUGIN_BEGIN(Bro, POP3) BRO_PLUGIN_DESCRIPTION("POP3 analyzer"); BRO_PLUGIN_ANALYZER("POP3", pop3::POP3_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/rpc/CMakeLists.txt b/src/analyzer/protocol/rpc/CMakeLists.txt index edf6371dd1..5696a74cd6 100644 --- a/src/analyzer/protocol/rpc/CMakeLists.txt +++ b/src/analyzer/protocol/rpc/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(RPC) +bro_plugin_begin(Bro RPC) bro_plugin_cc(RPC.cc NFS.cc Portmap.cc XDR.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/rpc/Plugin.cc b/src/analyzer/protocol/rpc/Plugin.cc index 815cf14362..9760df0623 100644 --- a/src/analyzer/protocol/rpc/Plugin.cc +++ b/src/analyzer/protocol/rpc/Plugin.cc @@ -5,7 +5,7 @@ #include "NFS.h" #include "Portmap.h" -BRO_PLUGIN_BEGIN(RPC) +BRO_PLUGIN_BEGIN(Bro, RPC) BRO_PLUGIN_DESCRIPTION("Analyzers for RPC-based protocols"); BRO_PLUGIN_ANALYZER("NFS", rpc::NFS_Analyzer); BRO_PLUGIN_ANALYZER("Portmapper", rpc::Portmapper_Analyzer); diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index 30338d91f5..feec283197 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt 
@@ -2,8 +2,9 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) +include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../dce-rpc) -bro_plugin_begin(SMB) +bro_plugin_begin(Bro SMB) bro_plugin_cc(SMB.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac) diff --git a/src/analyzer/protocol/smb/Plugin.cc b/src/analyzer/protocol/smb/Plugin.cc index 97ea10f5d8..af564c067c 100644 --- a/src/analyzer/protocol/smb/Plugin.cc +++ b/src/analyzer/protocol/smb/Plugin.cc @@ -3,7 +3,7 @@ #include "SMB.h" -BRO_PLUGIN_BEGIN(SMB) +BRO_PLUGIN_BEGIN(Bro, SMB) BRO_PLUGIN_DESCRIPTION("SMB analyzer"); BRO_PLUGIN_ANALYZER("SMB", smb::SMB_Analyzer); BRO_PLUGIN_SUPPORT_ANALYZER("Contents_SMB"); diff --git a/src/analyzer/protocol/smtp/CMakeLists.txt b/src/analyzer/protocol/smtp/CMakeLists.txt index 1f4779c0f8..82918656a0 100644 --- a/src/analyzer/protocol/smtp/CMakeLists.txt +++ b/src/analyzer/protocol/smtp/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(SMTP) +bro_plugin_begin(Bro SMTP) bro_plugin_cc(SMTP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocol/smtp/Plugin.cc b/src/analyzer/protocol/smtp/Plugin.cc index f1567098d2..e089d7ffb1 100644 --- a/src/analyzer/protocol/smtp/Plugin.cc +++ b/src/analyzer/protocol/smtp/Plugin.cc @@ -3,7 +3,7 @@ #include "SMTP.h" -BRO_PLUGIN_BEGIN(SMTP) +BRO_PLUGIN_BEGIN(Bro, SMTP) BRO_PLUGIN_DESCRIPTION("SMTP analyzer"); BRO_PLUGIN_ANALYZER("SMTP", smtp::SMTP_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/socks/CMakeLists.txt b/src/analyzer/protocol/socks/CMakeLists.txt index 451dfd53f4..5157c8d368 100644 --- a/src/analyzer/protocol/socks/CMakeLists.txt +++ b/src/analyzer/protocol/socks/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(SOCKS) +bro_plugin_begin(Bro SOCKS) bro_plugin_cc(SOCKS.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(socks.pac socks-protocol.pac socks-analyzer.pac) diff --git a/src/analyzer/protocol/socks/Plugin.cc b/src/analyzer/protocol/socks/Plugin.cc index 3c659de628..d01f4520b7 100644 --- a/src/analyzer/protocol/socks/Plugin.cc +++ b/src/analyzer/protocol/socks/Plugin.cc @@ -3,7 +3,7 @@ #include "SOCKS.h" -BRO_PLUGIN_BEGIN(SOCKS) +BRO_PLUGIN_BEGIN(Bro, SOCKS) BRO_PLUGIN_DESCRIPTION("SOCKS analyzer"); BRO_PLUGIN_ANALYZER("SOCKS", socks::SOCKS_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/ssh/CMakeLists.txt b/src/analyzer/protocol/ssh/CMakeLists.txt index 659e3207ab..505c89332e 100644 --- a/src/analyzer/protocol/ssh/CMakeLists.txt +++ b/src/analyzer/protocol/ssh/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(SSH) +bro_plugin_begin(Bro SSH) bro_plugin_cc(SSH.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/ssh/Plugin.cc b/src/analyzer/protocol/ssh/Plugin.cc index 4bb2a0ffdb..53a0294a88 100644 --- a/src/analyzer/protocol/ssh/Plugin.cc +++ b/src/analyzer/protocol/ssh/Plugin.cc @@ -3,7 +3,7 @@ #include "SSH.h" -BRO_PLUGIN_BEGIN(SSH) +BRO_PLUGIN_BEGIN(Bro, SSH) BRO_PLUGIN_DESCRIPTION("SSH analyzer"); BRO_PLUGIN_ANALYZER("SSH", ssh::SSH_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index 57f9b47e4d..f1838e5f3b 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(SSL) +bro_plugin_begin(Bro SSL) bro_plugin_cc(SSL.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocol/ssl/Plugin.cc b/src/analyzer/protocol/ssl/Plugin.cc index 5edbecd480..c63be864f8 100644 --- a/src/analyzer/protocol/ssl/Plugin.cc +++ b/src/analyzer/protocol/ssl/Plugin.cc @@ -3,7 +3,7 @@ #include "SSL.h" -BRO_PLUGIN_BEGIN(SSL) +BRO_PLUGIN_BEGIN(Bro, SSL) BRO_PLUGIN_DESCRIPTION("SSL analyzer"); BRO_PLUGIN_ANALYZER("SSL", ssl::SSL_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/stepping-stone/CMakeLists.txt b/src/analyzer/protocol/stepping-stone/CMakeLists.txt index 4de6210027..042f5bc858 100644 --- a/src/analyzer/protocol/stepping-stone/CMakeLists.txt +++ b/src/analyzer/protocol/stepping-stone/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(SteppingStone) +bro_plugin_begin(Bro SteppingStone) bro_plugin_cc(SteppingStone.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/stepping-stone/Plugin.cc b/src/analyzer/protocol/stepping-stone/Plugin.cc index bde87384fa..129b95fb25 100644 --- a/src/analyzer/protocol/stepping-stone/Plugin.cc +++ b/src/analyzer/protocol/stepping-stone/Plugin.cc @@ -3,7 +3,7 @@ #include "SteppingStone.h" -BRO_PLUGIN_BEGIN(SteppingStone) +BRO_PLUGIN_BEGIN(Bro, SteppingStone) BRO_PLUGIN_DESCRIPTION("Stepping stone analyzer (deprecated)"); BRO_PLUGIN_ANALYZER("SteppingStone", stepping_stone::SteppingStone_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/syslog/CMakeLists.txt b/src/analyzer/protocol/syslog/CMakeLists.txt index 3fc6b9ea69..5366f94642 100644 --- a/src/analyzer/protocol/syslog/CMakeLists.txt +++ b/src/analyzer/protocol/syslog/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Syslog) +bro_plugin_begin(Bro Syslog) bro_plugin_cc(Syslog.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac) diff --git a/src/analyzer/protocol/syslog/Plugin.cc b/src/analyzer/protocol/syslog/Plugin.cc index 0616cace14..67abaaf970 100644 --- a/src/analyzer/protocol/syslog/Plugin.cc +++ b/src/analyzer/protocol/syslog/Plugin.cc @@ -3,7 +3,7 @@ #include "Syslog.h" -BRO_PLUGIN_BEGIN(Syslog) +BRO_PLUGIN_BEGIN(Bro, Syslog) BRO_PLUGIN_DESCRIPTION("Syslog analyzer (UDP-only currently)"); BRO_PLUGIN_ANALYZER("Syslog", syslog::Syslog_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/tcp/CMakeLists.txt b/src/analyzer/protocol/tcp/CMakeLists.txt index f61f27495b..d4b2dc3eab 100644 --- a/src/analyzer/protocol/tcp/CMakeLists.txt +++ b/src/analyzer/protocol/tcp/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(TCP) +bro_plugin_begin(Bro TCP) bro_plugin_cc(TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc ContentLine.cc Stats.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(functions.bif) diff --git a/src/analyzer/protocol/tcp/Plugin.cc b/src/analyzer/protocol/tcp/Plugin.cc index 8342f2ed3e..6132b6f386 100644 --- a/src/analyzer/protocol/tcp/Plugin.cc +++ b/src/analyzer/protocol/tcp/Plugin.cc @@ -3,7 +3,7 @@ #include "TCP.h" -BRO_PLUGIN_BEGIN(TCP) +BRO_PLUGIN_BEGIN(Bro, TCP) BRO_PLUGIN_DESCRIPTION("TCP analyzer"); BRO_PLUGIN_ANALYZER("TCP", tcp::TCP_Analyzer); BRO_PLUGIN_ANALYZER("TCPStats", tcp::TCPStats_Analyzer); diff --git a/src/analyzer/protocol/teredo/CMakeLists.txt b/src/analyzer/protocol/teredo/CMakeLists.txt index cf4d2a9bcf..c9c4a84db6 100644 --- a/src/analyzer/protocol/teredo/CMakeLists.txt +++ b/src/analyzer/protocol/teredo/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(Teredo) +bro_plugin_begin(Bro Teredo) bro_plugin_cc(Teredo.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/teredo/Plugin.cc b/src/analyzer/protocol/teredo/Plugin.cc index 38f3a8edd9..91de23b318 100644 --- a/src/analyzer/protocol/teredo/Plugin.cc +++ b/src/analyzer/protocol/teredo/Plugin.cc @@ -3,7 +3,7 @@ #include "Teredo.h" -BRO_PLUGIN_BEGIN(Teredo) +BRO_PLUGIN_BEGIN(Bro, Teredo) BRO_PLUGIN_DESCRIPTION("Teredo analyzer"); BRO_PLUGIN_ANALYZER("Teredo", teredo::Teredo_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/udp/CMakeLists.txt b/src/analyzer/protocol/udp/CMakeLists.txt index 077c4136b5..0c92be60a3 100644 --- a/src/analyzer/protocol/udp/CMakeLists.txt +++ b/src/analyzer/protocol/udp/CMakeLists.txt @@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(UDP) +bro_plugin_begin(Bro UDP) bro_plugin_cc(UDP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/udp/Plugin.cc b/src/analyzer/protocol/udp/Plugin.cc index c18a846e00..0dbf0f80ca 100644 --- a/src/analyzer/protocol/udp/Plugin.cc +++ b/src/analyzer/protocol/udp/Plugin.cc @@ -3,7 +3,7 @@ #include "analyzer/protocol/udp/UDP.h" -BRO_PLUGIN_BEGIN(UDP) +BRO_PLUGIN_BEGIN(Bro, UDP) BRO_PLUGIN_DESCRIPTION("UDP Analyzer"); BRO_PLUGIN_ANALYZER("UDP", udp::UDP_Analyzer); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/analyzer/protocol/zip/CMakeLists.txt b/src/analyzer/protocol/zip/CMakeLists.txt index 5b2864c618..814119f9f7 100644 --- a/src/analyzer/protocol/zip/CMakeLists.txt +++ b/src/analyzer/protocol/zip/CMakeLists.txt 
@@ -3,7 +3,7 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) -bro_plugin_begin(ZIP) +bro_plugin_begin(Bro ZIP) bro_plugin_cc(ZIP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/zip/Plugin.cc b/src/analyzer/protocol/zip/Plugin.cc index 5ab2b60baf..b55accccb3 100644 --- a/src/analyzer/protocol/zip/Plugin.cc +++ b/src/analyzer/protocol/zip/Plugin.cc @@ -3,7 +3,7 @@ #include "ZIP.h" -BRO_PLUGIN_BEGIN(ZIP) +BRO_PLUGIN_BEGIN(Bro, ZIP) BRO_PLUGIN_DESCRIPTION("Generic ZIP support analyzer"); BRO_PLUGIN_ANALYZER_BARE("ZIP"); BRO_PLUGIN_BIF_FILE(events); diff --git a/src/bro.bif b/src/bro.bif index 6ad7dccc3a..4120bbdc9d 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2626,8 +2626,6 @@ function decode_base64_custom%(s: string, a: string%): string %} %%{ -#include "analyzer/protocol/dce-rpc/DCE_RPC.h" - typedef struct { uint32 time_low; uint16 time_mid; diff --git a/src/builtin-func.l b/src/builtin-func.l index b2da7cb7c3..9555103857 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l @@ -193,7 +193,7 @@ void init_alternative_mode() snprintf(auto_gen_comment, n, "This file was automatically generated by bifcl from %s (%s mode).", - input_filename_with_path, plugin ? "plugin" : "subdir"); + input_filename_with_path, plugin ? "plugin" : "alternative"); fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); 
@@ -211,10 +211,15 @@ void init_alternative_mode() *p = '_'; } + fprintf(fp_func_h, "#if defined(BRO_IN_NETVAR) || ! defined(%s)\n", guard); + + fprintf(fp_func_h, "#ifndef BRO_IN_NETVAR\n"); fprintf(fp_func_h, "#ifndef %s\n", guard); fprintf(fp_func_h, "#define %s\n", guard); - fprintf(fp_func_h, "\n"); fprintf(fp_func_h, "#include \"bro-bif.h\"\n"); + fprintf(fp_func_h, "#endif\n"); + fprintf(fp_func_h, "#endif\n"); + fprintf(fp_func_h, "\n"); fprintf(fp_func_def, "\n"); fprintf(fp_func_def, "#include \"%s.h\"\n", input_filename); diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 6912023cc4..4f84b037f9 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -9,14 +9,14 @@ #define _BRO_PLUGIN_VERSION_DEFAULT -1 -#define BRO_PLUGIN_BEGIN(_name) \ - namespace plugin { namespace _name { \ +#define BRO_PLUGIN_BEGIN(_ns, _name) \ + namespace plugin { namespace _ns ## _ ## _name {\ class Plugin : public plugin::Plugin { \ protected: \ void Init() \ { \ - SetName(#_name); \ - SetVersion(_BRO_PLUGIN_VERSION_DEFAULT); \ + SetName(#_ns "::" #_name); \ + SetVersion(_BRO_PLUGIN_VERSION_DEFAULT);\ SetAPIVersion(BRO_PLUGIN_API_VERSION); #define BRO_PLUGIN_END \ From 11fd12b18e16433a140f4d7bbf1f7b1546f4c001 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 16 May 2013 16:57:49 -0700 Subject: [PATCH 35/70] Band-aid to get Broxygen's bif documentation back. We'll need a different approach here eventually. --- doc/scripts/CMakeLists.txt | 6 +- doc/scripts/DocSourcesList.cmake | 110 +++++++++++++++---------------- doc/scripts/genDocSourcesList.sh | 6 +- src/BroDoc.cc | 4 +- src/plugin/Macros.h | 2 +- src/util-config.h.in | 3 +- src/util.cc | 6 +- 7 files changed, 72 insertions(+), 65 deletions(-) diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt index 33d473b005..7f168f672f 100644 --- a/doc/scripts/CMakeLists.txt +++ b/doc/scripts/CMakeLists.txt 
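Review bot: In the src/builtin-func.l hunk at `@@ -211,10 +211,15 @@`, the generated header now opens with `#if defined(BRO_IN_NETVAR) || ! defined(%s)`, but the hunk emits only two `#endif`s and those close `#ifndef %s` and `#ifndef BRO_IN_NETVAR`; the `#endif` that matches the new outer `#if` is not in this hunk, so please confirm it is written at the end of the generated header. The resulting guard is also hard to read on its own, since it deliberately lets the file be included a second time when `BRO_IN_NETVAR` is defined; a one-line comment emitted into the generated header saying so would stop the next reader from "fixing" an include guard that appears not to guard.

Review bot: In the src/plugin/Macros.h hunk, `BRO_PLUGIN_BEGIN(_ns, _name)` pastes the namespace as `_ns ## _ ## _name` but registers the plugin as `#_ns "::" #_name`, so the same plugin is `Bro_SSL` in C++ and `Bro::SSL` at runtime, and the generated file names in PATCH 35's DocSourcesList.cmake (`Bro_SSL.events.bif.bro`) follow the underscore spelling; state that mapping in a comment on the macro. Two smaller points: `{\` lost the space before the continuation backslash that every other line of the macro keeps, and the one-argument `BRO_PLUGIN_BEGIN(X)` form no longer compiles, so the analyzer hunks above (SSL through ZIP) must be accompanied by a grep for any remaining one-argument callers before this is merged.

Review bot: In the src/bro.bif hunk, `#include "analyzer/protocol/dce-rpc/DCE_RPC.h"` is removed directly above a UUID-style `typedef struct { uint32 time_low; uint16 time_mid; ...`; please confirm nothing left in bro.bif still depends on that header, and if this struct mirrors a definition that the header used to supply, add a comment saying which one is canonical so the two cannot drift apart.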
@@ -46,7 +46,7 @@ macro(REST_TARGET srcDir broInput) set(sumTextSrc ${absSrcPath}) set(ogSourceFile ${absSrcPath}) if (${extension} STREQUAL ".bif.bro") - set(ogSourceFile ${BIF_SRC_DIR}/${basename}) + # set(ogSourceFile ${BIF_SRC_DIR}/${basename}) # the summary text is taken at configure time, but .bif.bro files # may not have been generated yet, so read .bif file instead set(sumTextSrc ${ogSourceFile}) @@ -70,7 +70,7 @@ macro(REST_TARGET srcDir broInput) if (NOT "${ARGN}" STREQUAL "") set(group ${ARGN}) - elseif (${extension} STREQUAL ".bif.bro") + elseif (${broInput} MATCHES "\\.bif\\.bro$") set(group bifs) elseif (relDstDir) set(group ${relDstDir}/index) @@ -86,6 +86,8 @@ macro(REST_TARGET srcDir broInput) set(group "") endif () + message("${broInput} ${extension} -> ${group}") + if (NOT "${group}" STREQUAL "") # add group to master group list if not already in it list(FIND MASTER_GROUP_LIST ${group} _found) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index 0dc98999ca..3580a6979b 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
@@ -16,61 +16,61 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal) rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/analyzer.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/arp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ayiya/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/backdoor/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/bittorrent/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/conn-size/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dce-rpc/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dhcp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/dns/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/file/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/finger/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ftp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ftp/functions.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/gnutella/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/gtpv1/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/http/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/http/functions.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/icmp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ident/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/interconn/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/irc/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/login/events.bif.bro) 
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/login/functions.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/mime/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/modbus/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ncp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netbios/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netbios/functions.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/netflow/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ntp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/pia/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/pop3/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/rpc/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/smb/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/smtp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/smtp/functions.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/socks/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssh/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssl/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/ssl/functions.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/stepping-stone/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/syslog/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/tcp/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/tcp/functions.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/teredo/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/udp/events.bif.bro) 
-rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocol/zip/events.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/analyzer.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/bro.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/const.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/event.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/input.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/logging.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ARP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_AYIYA.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_BackDoor.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_BitTorrent.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ConnSize.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DCE_RPC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DHCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DNS.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_File.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Finger.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts 
base/bif/plugins/Bro_GTPv1.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Gnutella.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_HTTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_HTTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ICMP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_IRC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Ident.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_InterConn.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Login.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Login.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_MIME.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Modbus.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetBIOS.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetBIOS.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetFlow.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_PIA.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_POP3.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_RPC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMB.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SOCKS.events.bif.bro) 
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSH.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSL.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSL.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SteppingStone.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Syslog.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Teredo.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_UDP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ZIP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/reporter.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/strings.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/types.bif.bro) rest_target(${psd} base/frameworks/analyzer/main.bro) rest_target(${psd} base/frameworks/cluster/main.bro) rest_target(${psd} base/frameworks/cluster/nodes/manager.bro) diff --git a/doc/scripts/genDocSourcesList.sh b/doc/scripts/genDocSourcesList.sh index a10121221a..31905c68db 100755 --- a/doc/scripts/genDocSourcesList.sh +++ b/doc/scripts/genDocSourcesList.sh @@ -67,12 +67,12 @@ sourcedir=${thisdir}/../.. echo "$statictext" > $outfile -bifs=`( cd ${sourcedir}/src && find . -name \*\.bif | sort )` +bifs=`( cd ${sourcedir}/build/scripts/base && find . -name \*\.bif.bro | sort )` for file in $bifs do - f=${file:2}.bro - echo "rest_target(\${CMAKE_BINARY_DIR}/src base/$f)" >> $outfile + f=${file:2} + echo "rest_target(\${CMAKE_BINARY_DIR}/scripts base/$f)" >> $outfile done scriptfiles=`( cd ${sourcedir}/scripts && find . -name \*\.bro | sort )` diff --git a/src/BroDoc.cc b/src/BroDoc.cc index 23b1f56aaa..984bdc90a4 100644 --- a/src/BroDoc.cc 
+++ b/src/BroDoc.cc @@ -35,12 +35,14 @@ BroDoc::BroDoc(const std::string& rel, const std::string& abs) downloadable_filename = source_filename; +#if 0 size_t ext_pos = downloadable_filename.find(".bif.bro"); if ( std::string::npos != ext_pos ) downloadable_filename.erase(ext_pos + 4); +#endif reST_filename = doc_title; - ext_pos = reST_filename.find(".bro"); + size_t ext_pos = reST_filename.find(".bro"); if ( std::string::npos == ext_pos ) reST_filename += ".rst"; diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 4f84b037f9..2288af0d79 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -30,7 +30,7 @@ #define BRO_PLUGIN_VERSION(x) SetVersion(x) #define BRO_PLUGIN_BIF_FILE(file) \ - std::list > __bif_##file##_init(); \ + extern std::list > __bif_##file##_init(); \ AddBifInitFunction(&__bif_##file##_init); #define BRO_PLUGIN_ANALYZER(tag, cls) \ diff --git a/src/util-config.h.in b/src/util-config.h.in index c50c4e6b48..23b3137018 100644 --- a/src/util-config.h.in +++ b/src/util-config.h.in @@ -1,3 +1,4 @@ #define BRO_SCRIPT_INSTALL_PATH "@BRO_SCRIPT_INSTALL_PATH@" #define BRO_SCRIPT_SOURCE_PATH "@BRO_SCRIPT_SOURCE_PATH@" -#define BRO_BUILD_PATH "@CMAKE_CURRENT_BINARY_DIR@" +#define BRO_BUILD_SOURCE_PATH "@CMAKE_BINARY_DIR@/src" +#define BRO_BUILD_SCRIPTS_PATH "@CMAKE_BINARY_DIR@/scripts" diff --git a/src/util.cc b/src/util.cc index 5d6104ce46..38da72c4b8 100644 --- a/src/util.cc +++ b/src/util.cc 
@@ -1024,8 +1024,10 @@ void get_script_subpath(const std::string& full_filename, const char** subpath) my_subpath.erase(0, strlen(BRO_SCRIPT_INSTALL_PATH)); else if ( (p = my_subpath.find(BRO_SCRIPT_SOURCE_PATH)) != std::string::npos ) my_subpath.erase(0, strlen(BRO_SCRIPT_SOURCE_PATH)); - else if ( (p = my_subpath.find(BRO_BUILD_PATH)) != std::string::npos ) - my_subpath.erase(0, strlen(BRO_BUILD_PATH)); + else if ( (p = my_subpath.find(BRO_BUILD_SOURCE_PATH)) != std::string::npos ) + my_subpath.erase(0, strlen(BRO_BUILD_SOURCE_PATH)); + else if ( (p = my_subpath.find(BRO_BUILD_SCRIPTS_PATH)) != std::string::npos ) + my_subpath.erase(0, strlen(BRO_BUILD_SCRIPTS_PATH)); // if root path found, remove path separators until next path component if ( p != std::string::npos ) From 28351e8e8d59a27386d6cc5157fdfd3b9b3e7d80 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 16 May 2013 17:00:04 -0700 Subject: [PATCH 36/70] Removing debugging output. --- doc/scripts/CMakeLists.txt | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt index 7f168f672f..9cce43d13a 100644 --- a/doc/scripts/CMakeLists.txt +++ b/doc/scripts/CMakeLists.txt @@ -86,8 +86,6 @@ macro(REST_TARGET srcDir broInput) set(group "") endif () - message("${broInput} ${extension} -> ${group}") - if (NOT "${group}" STREQUAL "") # add group to master group list if not already in it list(FIND MASTER_GROUP_LIST ${group} _found) From 7b50f97d390c47e0fe4374224c2e7fb004042d5f Mon Sep 17 00:00:00 2001 
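Review bot: In the doc/scripts/CMakeLists.txt hunk at `@@ -46,7 +46,7 @@`, `set(ogSourceFile ${BIF_SRC_DIR}/${basename})` is commented out rather than deleted, and the comment just below it ("the summary text is taken at configure time, but .bif.bro files may not have been generated yet, so read .bif file instead") now states the opposite of what the code does: `sumTextSrc` is set to `ogSourceFile`, which is now the `.bif.bro` path itself. Drop the dead line and rewrite the comment to say that the generated `.bif.bro` must already exist at configure time, which is the new requirement this hunk introduces.

Review bot: In the doc/scripts/CMakeLists.txt hunk at `@@ -70,7 +70,7 @@`, the group test becomes `${broInput} MATCHES "\\.bif\\.bro$"` while the earlier branch in the same macro still tests `${extension} STREQUAL ".bif.bro"`. If `${extension}` does not evaluate to `.bif.bro` for these inputs, which is presumably why the regex was needed here, the earlier branch is dead and should use the same test. The `message("${broInput} ${extension} -> ${group}")` line added in the following hunk is removed again in PATCH 36 and could simply be dropped from this commit.

Review bot: In the doc/scripts/genDocSourcesList.sh hunk, `cd ${sourcedir}/build/scripts/base` hardcodes the build directory name and scans generated output instead of the source tree; with no `build/` directory, or a build that has not run yet, `find` yields nothing and every bif `rest_target` silently disappears from the regenerated DocSourcesList.cmake. Take the build directory from an argument or environment variable and `exit 1` if it is missing, so the list cannot be quietly truncated.

Review bot: In the src/BroDoc.cc hunk, the `.bif.bro` to `.bif` trimming of `downloadable_filename` is wrapped in `#if 0` with no explanation in the file; the commit message calls this a band-aid, but a `// TODO` at the `#if 0` noting that downloadable bif files now keep the `.bif.bro` name is what the next reader needs. Moving `size_t` onto the `reST_filename.find(".bro")` line is the right fix for the declaration that vanished with the disabled block.

Review bot: In the src/util.cc hunk, the two new `BRO_BUILD_SOURCE_PATH` / `BRO_BUILD_SCRIPTS_PATH` branches copy the existing pattern of `find(...) != std::string::npos` followed by `erase(0, strlen(...))`, which assumes the match sits at offset 0 even though `find` can match anywhere in the path. Now that both build-tree prefixes share `@CMAKE_BINARY_DIR@` (see the src/util-config.h.in hunk), a prefix comparison, or erasing from `p`, would be safer than extending the pattern. Since `BRO_BUILD_PATH` is removed from util-config.h.in, also check for remaining users of that macro outside util.cc.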
From: Robin Sommer Date: Thu, 16 May 2013 21:09:44 -0700 Subject: [PATCH 37/70] Removing Broxygen's dpd_config magic. The table doesn't exist anymore. The functionality has been replaced with a function call but I can't really see how to get it out of there. We could get it from the analyzer manager, however then we can't tie it back to a script anymore. What we could do eventually is add this to the information about the analyzer plugin. --- src/parse.y | 3 +-- src/scan.l | 62 +---------------------------------------------------- 2 files changed, 2 insertions(+), 63 deletions(-) diff --git a/src/parse.y b/src/parse.y index 5c54706168..90babf3467 100644 --- a/src/parse.y +++ b/src/parse.y @@ -1081,8 +1081,7 @@ decl: add_global($2, $3, $4, $5, $6, VAR_REDEF); if ( generate_documentation && - ! streq("capture_filters", $2->Name()) && - ! streq("dpd_config", $2->Name()) ) + ! streq("capture_filters", $2->Name()) ) { ID* fake_id = create_dummy_id($2, $2->Type()); BroDocObj* o = new BroDocObj(fake_id, reST_doc_comments, true); diff --git a/src/scan.l b/src/scan.l index babe036027..8da74b3da6 100644 --- a/src/scan.l +++ b/src/scan.l @@ -69,11 +69,6 @@ void clear_reST_doc_comments(); // Adds changes to capture_filter to the current script's reST documentation. static void check_capture_filter_changes(); -#if 0 -// Adds changes to dpd_config to the current script's reST documentation. -static void check_dpd_config_changes(); -#endif - static const char* canon_doc_comment(const char* comment) { // "##Text" and "## Text" are treated the same in order to be able @@ -555,7 +550,7 @@ YYLTYPE GetCurrentLocation() static int load_files(const char* orig_file) { // Whether we pushed on a FileInfo that will restore the - // current module after the final file has been scanned. + // current module after the final file has been scanned. bool did_module_restore = false; const char* full_filename = ""; 
@@ -825,9 +820,6 @@ int yywrap() while ( input_files.length() > 0 ) { check_capture_filter_changes(); -#if 0 - check_dpd_config_changes(); -#endif if ( load_files(input_files[0]) ) { @@ -843,9 +835,6 @@ int yywrap() } check_capture_filter_changes(); -#if 0 - check_dpd_config_changes(); -#endif // For each file scanned so far, and for each @prefix, look for a // prefixed and flattened version of the loaded file in BROPATH. The @@ -1010,55 +999,6 @@ static void check_capture_filter_changes() } } -#if 0 -static void check_dpd_config_changes() - { - if ( ! generate_documentation ) - return; - - // Lookup the "dpd_config" identifier, if it has any defined value, - // add it to the script's documentation, and clear the table so that - // it doesn't taint the documentation for subsequent scripts. - ID* dpd_config = global_scope()->Lookup("dpd_config"); - if ( ! dpd_config ) - return; - - TableVal* dpd_table = dpd_config->ID_Val()->AsTableVal(); - ListVal* dpd_list = dpd_table->ConvertToList(); - - for ( int i = 0; i < dpd_list->Length(); ++i ) - { - Val* key = dpd_list->Index(i); - if ( ! key ) - continue; - - Val* v = dpd_table->Lookup(key); - if ( ! v ) - continue; - - int tag = key->AsListVal()->Index(0)->AsCount(); - ODesc valdesc; - valdesc.SetIndentSpaces(4); - valdesc.PushIndent(); - v->Describe(&valdesc); - -#if 0 - if ( tag < AnalyzerTag::Error || tag > AnalyzerTag::LastAnalyzer ) - { - fprintf(stderr, "Warning: skipped bad analyzer tag: %i\n", tag); - continue; - } - - last_reST_doc->AddPortAnalysis( - Analyzer::GetTagName((AnalyzerTag)tag), - valdesc.Description()); -#endif - } - - dpd_table->RemoveAll(); - } -#endif - void print_current_reST_doc_comments() { if ( ! reST_doc_comments ) From 4ccd6d76fd520554aa3ae9af8654b40b0b57c799 Mon Sep 17 00:00:00 2001 
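Review bot: In the src/scan.l hunk at `@@ -555,7 +550,7 @@`, the only change is trailing whitespace on the comment "current module after the final file has been scanned." inside `load_files()`, which is unrelated to removing dpd_config; keep it out of this commit so it does not show up as noise in blame for the dpd_config removal.

Review bot: In the src/scan.l hunk at `@@ -1010,55 +999,6 @@`, deleting the `#if 0` body of `check_dpd_config_changes()` removes the only place Broxygen ever produced per-script port documentation (the `last_reST_doc->AddPortAnalysis(...)` call), and nothing in this patch replaces it; the commit message already names the analyzer plugin information as the likely future home, so leave a `// TODO` next to the `check_capture_filter_changes()` calls in `yywrap()` pointing there, otherwise the gap is invisible in the source.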
From: Robin Sommer Date: Fri, 17 May 2013 18:09:59 -0700 Subject: [PATCH 38/70] Fixing tests. Part of this involves making the file-analysis tests independent of specific hash values. I've done that only partially though. --- doc/scripts/DocSourcesList.cmake | 67 +++++++++++++--- scripts/base/protocols/ftp/main.bro | 70 ++++++++--------- scripts/base/protocols/irc/dcc-send.bro | 2 +- scripts/test-all-policy.bro | 1 - src/AnalyzerTags.h | 57 -------------- src/analyzer/Tag.cc | 2 + src/analyzer/Tag.h | 2 + src/file_analysis/File.h | 3 +- src/file_analysis/Manager.h | 2 +- .../canonified_loaded_scripts.log | 72 +++++++++++++++--- .../canonified_loaded_scripts.log | 72 +++++++++++++++--- .../doc.autogen-reST-example/example.rst | 11 --- .../out | 4 +- .../{Cx92a0ym5R8-file => 1-file} | 0 .../{kg59rqyYxN-file => 2-file} | 0 .../a.size | 2 +- .../b.out | 8 +- .../b.size | 2 +- .../c.out | 4 +- .../c.size | 2 +- .../{aFQKI8SPOL2-file => 1-file} | 0 .../{CCU3vUEr06l-file => 2-file} | 0 .../{HCzA0dVwDPj-file => 3-file} | Bin .../{a1Zu1fteVEf-file => 4-file} | Bin .../{xXlF7wFdsR-file => 5-file} | Bin .../{v5HLI7MxPQh-file => 1-file} | 0 .../{PZS1XGHkIf1-file => 2-file} | 0 ...-item-Rqjkzoroau4-0.dat => ftp-item-0.dat} | 0 ...-item-BTsa70Ua9x7-1.dat => ftp-item-1.dat} | 0 ...-item-VLQvJybrm38-2.dat => ftp-item-2.dat} | 0 ...-item-zrfwSs9K1yk-3.dat => ftp-item-3.dat} | 0 .../ftp.log | 12 +-- ...p-item-BFymS6bFgT3-0.dat => http-item.dat} | 0 .../http.log | 6 +- ...tem-wqKMAamJVSb-0.dat => irc-dcc-item.dat} | Bin .../irc.log | 6 +- ...ty-cwR7l6Zctxb-0.dat => smtp-entity-0.dat} | 0 ...ty-Ltd7QO7jEv3-1.dat => smtp-entity-1.dat} | 0 .../smtp_entities.log | 8 +- .../core/tunnels/teredo-known-services.test | 4 +- .../frameworks/file-analysis/http/get.bro | 12 +-- .../file-analysis/http/partial-content.bro | 8 +- .../file-analysis/http/pipeline.bro | 14 ++-- .../frameworks/file-analysis/http/post.bro | 8 +- .../base/protocols/ftp/ftp-extract.bro | 12 ++- 
.../protocols/http/http-extract-files.bro | 3 +- .../base/protocols/irc/dcc-extract.test | 5 +- .../base/protocols/smtp/mime-extract.test | 10 ++- 48 files changed, 294 insertions(+), 197 deletions(-) delete mode 100644 src/AnalyzerTags.h rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/{Cx92a0ym5R8-file => 1-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/{kg59rqyYxN-file => 2-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{aFQKI8SPOL2-file => 1-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{CCU3vUEr06l-file => 2-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{HCzA0dVwDPj-file => 3-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{a1Zu1fteVEf-file => 4-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/{xXlF7wFdsR-file => 5-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/{v5HLI7MxPQh-file => 1-file} (100%) rename testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/{PZS1XGHkIf1-file => 2-file} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-Rqjkzoroau4-0.dat => ftp-item-0.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-BTsa70Ua9x7-1.dat => ftp-item-1.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-VLQvJybrm38-2.dat => ftp-item-2.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/{ftp-item-zrfwSs9K1yk-3.dat => ftp-item-3.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/{http-item-BFymS6bFgT3-0.dat => http-item.dat} (100%) rename 
testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/{irc-dcc-item-wqKMAamJVSb-0.dat => irc-dcc-item.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/{smtp-entity-cwR7l6Zctxb-0.dat => smtp-entity-0.dat} (100%) rename testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/{smtp-entity-Ltd7QO7jEv3-1.dat => smtp-entity-1.dat} (100%) diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake index e4c92a0777..0b077c2c50 100644 --- a/doc/scripts/DocSourcesList.cmake +++ b/doc/scripts/DocSourcesList.cmake 
@@ -16,15 +16,63 @@ rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal) rest_target(${psd} base/init-default.bro internal) rest_target(${psd} base/init-bare.bro internal) -rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/file_analysis.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro) -rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/analyzer.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/bro.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/const.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/event.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/file_analysis.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/input.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/logging.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ARP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_AYIYA.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_BackDoor.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_BitTorrent.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ConnSize.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DCE_RPC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DHCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_DNS.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_FTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts 
base/bif/plugins/Bro_FTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_File.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Finger.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_GTPv1.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Gnutella.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_HTTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_HTTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ICMP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_IRC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Ident.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_InterConn.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Login.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Login.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_MIME.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Modbus.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetBIOS.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetBIOS.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_NetFlow.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_PIA.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_POP3.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_RPC.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMB.events.bif.bro) 
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMTP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SMTP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SOCKS.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSH.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSL.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SSL.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_SteppingStone.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Syslog.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.functions.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Teredo.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_UDP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ZIP.events.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/reporter.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/strings.bif.bro) +rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/types.bif.bro) +rest_target(${psd} base/frameworks/analyzer/main.bro) rest_target(${psd} base/frameworks/cluster/main.bro) rest_target(${psd} base/frameworks/cluster/nodes/manager.bro) rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro) @@ -146,7 +194,6 @@ rest_target(${psd} policy/frameworks/software/vulnerable.bro) rest_target(${psd} policy/integration/barnyard2/main.bro) rest_target(${psd} policy/integration/barnyard2/types.bro) rest_target(${psd} policy/integration/collective-intel/main.bro) -rest_target(${psd} policy/misc/analysis-groups.bro) rest_target(${psd} policy/misc/app-metrics.bro) rest_target(${psd} policy/misc/capture-loss.bro) rest_target(${psd} policy/misc/detect-traceroute/main.bro) 
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 48407e39ab..88e1fbeeb8 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -1,6 +1,6 @@ ##! The logging this script does is primarily focused on logging FTP commands ##! along with metadata. For example, if files are transferred, the argument -##! will take on the full path that the client is at along with the requested +##! will take on the full path that the client is at along with the requested ##! file name. @load ./utils-commands @@ -13,16 +13,16 @@ module FTP; export { ## The FTP protocol logging stream identifier. redef enum Log::ID += { LOG }; - + ## List of commands that should have their command/response pairs logged. const logged_commands = { "APPE", "DELE", "RETR", "STOR", "STOU", "ACCT", "PORT", "PASV", "EPRT", "EPSV" } &redef; - + ## This setting changes if passwords used in FTP sessions are captured or not. const default_capture_password = F &redef; - + ## User IDs that can be considered "anonymous". const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef; @@ -37,7 +37,7 @@ export { ## The port at which the acceptor is listening for the data connection. resp_p: port &log; }; - + type Info: record { ## Time when the command was sent. ts: time &log; @@ -53,12 +53,12 @@ export { command: string &log &optional; ## Argument for the command if one is given. arg: string &log &optional; - + ## Libmagic "sniffed" file type if the command indicates a file transfer. mime_type: string &log &optional; ## Size of the file if the command indicates a file transfer. file_size: count &log &optional; - + ## Reply code from the server in response to the command. reply_code: count &log &optional; ## Reply message from the server in response to the command. 
@@ -74,31 +74,31 @@ export { ## more concrete is discovered that the existing but unknown ## directory is ok to use. cwd: string &default="."; - + ## Command that is currently waiting for a response. cmdarg: CmdArg &optional; - ## Queue for commands that have been sent but not yet responded to + ## Queue for commands that have been sent but not yet responded to ## are tracked here. pending_commands: PendingCmds; - + ## Indicates if the session is in active or passive mode. passive: bool &default=F; - + ## Determines if the password will be captured for this request. capture_password: bool &default=default_capture_password; }; - ## This record is to hold a parsed FTP reply code. For example, for the + ## This record is to hold a parsed FTP reply code. For example, for the ## 201 status code, the digits would be parsed as: x->2, y->0, z=>1. type ReplyCode: record { x: count; y: count; z: count; }; - + ## Parse FTP reply codes into the three constituent single digit values. global parse_ftp_reply_code: function(code: count): ReplyCode; - + ## Event that can be handled to access the :bro:type:`FTP::Info` ## record as it is sent on to the logging framework. global log_ftp: event(rec: Info); @@ -166,7 +166,7 @@ function set_ftp_session(c: connection) s$uid=c$uid; s$id=c$id; c$ftp=s; - + # Add a shim command so the server can respond with some init response. add_pending_cmd(c$ftp$pending_commands, "", ""); } @@ -178,13 +178,13 @@ function ftp_message(s: Info) # or it's a deliberately logged command. if ( |s$tags| > 0 || (s?$cmdarg && s$cmdarg$cmd in logged_commands) ) { - if ( s?$password && - ! s$capture_password && + if ( s?$password && + ! s$capture_password && to_lower(s$user) !in guest_ids ) { s$password = ""; } - + local arg = s$cmdarg$arg; if ( s$cmdarg$cmd in file_cmds ) { @@ -194,7 +194,7 @@ function ftp_message(s: Info) arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path); } - + s$ts=s$cmdarg$ts; s$command=s$cmdarg$cmd; if ( arg == "" ) 
@@ -204,9 +204,9 @@ function ftp_message(s: Info) Log::write(FTP::LOG, s); } - - # The MIME and file_size fields are specific to file transfer commands - # and may not be used in all commands so they need reset to "blank" + + # The MIME and file_size fields are specific to file transfer commands + # and may not be used in all commands so they need reset to "blank" # values after logging. delete s$mime_type; delete s$file_size; @@ -237,19 +237,19 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5 remove_pending_cmd(c$ftp$pending_commands, c$ftp$cmdarg); ftp_message(c$ftp); } - + local id = c$id; set_ftp_session(c); - + # Queue up the new command and argument add_pending_cmd(c$ftp$pending_commands, command, arg); - + if ( command == "USER" ) c$ftp$user = arg; - + else if ( command == "PASS" ) c$ftp$password = arg; - + else if ( command == "PORT" || command == "EPRT" ) { local data = (command == "PORT") ? @@ -277,7 +277,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior # TODO: figure out what to do with continued FTP response (not used much) if ( cont_resp ) return; - + # TODO: do some sort of generic clear text login processing here. local response_xyz = parse_ftp_reply_code(code); #if ( response_xyz$x == 2 && # successful @@ -293,18 +293,20 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior # if that's given as well which would be more correct. c$ftp$file_size = extract_count(msg); } - + # PASV and EPSV processing else if ( (code == 227 || code == 229) && (c$ftp$cmdarg$cmd == "PASV" || c$ftp$cmdarg$cmd == "EPSV") ) { local data = (code == 227) ? parse_ftp_pasv(msg) : parse_ftp_epsv(msg); - + if ( data$valid ) { c$ftp$passive=T; - + if ( code == 229 && data$h == [::] ) + data$h = c$id$resp_h; + add_expected_data_channel(c$ftp, [$passive=T, $orig_h=c$id$orig_h, $resp_h=data$h, $resp_p=data$p]); } 
@@ -325,9 +327,9 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior else if ( c$ftp$cmdarg$cmd == "PWD" || c$ftp$cmdarg$cmd == "XPWD" ) c$ftp$cwd = extract_path(msg); } - + # In case there are multiple commands queued, go ahead and remove the - # command here and log because we can't do the normal processing pipeline + # command here and log because we can't do the normal processing pipeline # to wait for a new command before logging the command/response pair. if ( |c$ftp$pending_commands| > 1 ) { @@ -359,7 +361,7 @@ event connection_reused(c: connection) &priority=5 if ( "ftp-data" in c$service ) c$ftp_data_reuse = T; } - + event connection_state_remove(c: connection) &priority=-5 { if ( c$ftp_data_reuse ) return; diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index 8ec7655202..f5dc72e9ce 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -179,7 +179,7 @@ event irc_dcc_message(c: connection, is_orig: bool, dcc_expected_transfers[address, p] = c$irc; } -event expected_connection_seen(c: connection, a: count) &priority=10 +event expected_connection_seen(c: connection, a: Analyzer::Tag) &priority=10 { local id = c$id; if ( [id$resp_h, id$resp_p] in dcc_expected_transfers ) diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 7b349b64a3..daad03d9b6 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -31,7 +31,6 @@ @load integration/barnyard2/types.bro @load integration/collective-intel/__load__.bro @load integration/collective-intel/main.bro -@load misc/analysis-groups.bro @load misc/app-metrics.bro @load misc/capture-loss.bro @load misc/detect-traceroute/__load__.bro diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h deleted file mode 100644 index 8429dec335..0000000000 --- a/src/AnalyzerTags.h +++ /dev/null 
@@ -1,57 +0,0 @@ -#ifndef ANALYZERTAGS_H -#define ANALYZERTAGS_H - -// Each kind of analyzer gets a tag. When adding an analyzer here, also adapt -// the table of analyzers in Analyzer.cc. -// -// Using a namespace here is kind of a hack: ideally this would be in "class -// Analyzer {...}". But then we'd have circular dependencies across the header -// files. - -#include "util.h" - -typedef uint32 AnalyzerID; - -namespace AnalyzerTag { - enum Tag { - Error = 0, // used as error code - - // Analyzer in charge of protocol detection. - PIA_TCP, PIA_UDP, - - // Transport-layer analyzers. - ICMP, TCP, UDP, - - // Application-layer analyzers (hand-written). - BitTorrent, BitTorrentTracker, - DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC, - Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin, - RPC, Rsh, SMB, SMTP, SSH, - Telnet, - - // Application-layer analyzers, binpac-generated. - DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC, - HTTP_BINPAC, SSL, SYSLOG_BINPAC, - Modbus, - - // Decapsulation analyzers. - AYIYA, - SOCKS, - Teredo, - GTPv1, - - // Other - File, IRC_Data, FTP_Data, Backdoor, InterConn, SteppingStone, TCPStats, - ConnSize, - - // Support-analyzers - Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP, - Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh, - Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS, - FTP_ADAT, - // End-marker. - LastAnalyzer - }; -}; - -#endif diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc index 09c3c26caf..0459a91a32 100644 --- a/src/analyzer/Tag.cc +++ b/src/analyzer/Tag.cc @@ -6,6 +6,8 @@ using namespace analyzer; +Tag Tag::Error; + Tag::Tag(type_t arg_type, subtype_t arg_subtype) { assert(arg_type > 0); diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index ca3bc8b02f..4d91e19641 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h 
@@ -115,6 +115,8 @@ public: return type != other.type ? type < other.type : (subtype < other.subtype); } + static Tag Error; + protected: friend class analyzer::Manager; friend class analyzer::Component; diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 7542d31700..40446934e1 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -6,7 +6,6 @@ #include #include -#include "AnalyzerTags.h" #include "Conn.h" #include "Val.h" #include "AnalyzerSet.h" @@ -132,7 +131,7 @@ protected: * Constructor; only file_analysis::Manager should be creating these. */ File(const string& unique, Connection* conn = 0, - analyzer::Tag tag = AnalyzerTag::Error, bool is_orig = false); + analyzer::Tag tag = analyzer::Tag::Error, bool is_orig = false); /** * Updates the "conn_ids" and "conn_uids" fields in #val record with the diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index d8d434b779..99121b8575 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -134,7 +134,7 @@ protected: * fields. */ File* GetFile(const string& unique, Connection* conn = 0, - analyzer::Tag tag = AnalyzerTag::Error, + analyzer::Tag tag = analyzer::Tag::Error, bool is_orig = false, bool update_conn = true); /** diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 840f555711..06652e37e7 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
@@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-05-15-23-01-21 +#open 2013-05-17-03-57-47 #fields name #types string scripts/base/init-bare.bro - build/src/base/const.bif.bro - build/src/base/types.bif.bro - build/src/base/strings.bif.bro - build/src/base/bro.bif.bro - build/src/base/reporter.bif.bro - build/src/base/event.bif.bro + build/scripts/base/bif/const.bif.bro + build/scripts/base/bif/types.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/event.bif.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro - build/src/base/logging.bif.bro + build/scripts/base/bif/logging.bif.bro scripts/base/frameworks/logging/postprocessors/__load__.bro scripts/base/frameworks/logging/postprocessors/scp.bro scripts/base/frameworks/logging/postprocessors/sftp.bro 
@@ -26,15 +26,65 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/main.bro - build/src/base/input.bif.bro + build/scripts/base/bif/input.bif.bro scripts/base/frameworks/input/readers/ascii.bro scripts/base/frameworks/input/readers/raw.bro scripts/base/frameworks/input/readers/benchmark.bro scripts/base/frameworks/input/readers/binary.bro scripts/base/frameworks/input/readers/sqlite.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/main.bro + build/scripts/base/bif/analyzer.bif.bro scripts/base/frameworks/file-analysis/__load__.bro scripts/base/frameworks/file-analysis/main.bro - build/src/base/file_analysis.bif.bro + build/scripts/base/bif/file_analysis.bif.bro + build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro + build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro + build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro + build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro + build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro + build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_File.events.bif.bro + build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro + build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro + build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro + build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro + 
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro + build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro + build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro + build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro + build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro + build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro + build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro + build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro + build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro + build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2013-05-15-23-01-21 +#close 2013-05-17-03-57-47 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 3cfd9b58a7..cb92b663f0 100644 
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-05-16-00-19-22 +#open 2013-05-17-03-58-48 #fields name #types string scripts/base/init-bare.bro - build/src/base/const.bif.bro - build/src/base/types.bif.bro - build/src/base/strings.bif.bro - build/src/base/bro.bif.bro - build/src/base/reporter.bif.bro - build/src/base/event.bif.bro + build/scripts/base/bif/const.bif.bro + build/scripts/base/bif/types.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/event.bif.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro - build/src/base/logging.bif.bro + build/scripts/base/bif/logging.bif.bro scripts/base/frameworks/logging/postprocessors/__load__.bro scripts/base/frameworks/logging/postprocessors/scp.bro scripts/base/frameworks/logging/postprocessors/sftp.bro 
@@ -26,15 +26,65 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/writers/none.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/main.bro - build/src/base/input.bif.bro + build/scripts/base/bif/input.bif.bro scripts/base/frameworks/input/readers/ascii.bro scripts/base/frameworks/input/readers/raw.bro scripts/base/frameworks/input/readers/benchmark.bro scripts/base/frameworks/input/readers/binary.bro scripts/base/frameworks/input/readers/sqlite.bro + scripts/base/frameworks/analyzer/__load__.bro + scripts/base/frameworks/analyzer/main.bro + build/scripts/base/bif/analyzer.bif.bro scripts/base/frameworks/file-analysis/__load__.bro scripts/base/frameworks/file-analysis/main.bro - build/src/base/file_analysis.bif.bro + build/scripts/base/bif/file_analysis.bif.bro + build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro + build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro + build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro + build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro + build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro + build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_File.events.bif.bro + build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro + build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro + build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro + build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro + build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro + 
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.events.bif.bro + build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro + build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro + build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro + build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro + build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro + build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro + build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro + build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro + build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro + build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro + build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro + build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro + build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro + build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro + build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/patterns.bro @@ -141,4 +191,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-05-16-00-19-22 +#close 2013-05-17-03-58-48 
diff --git a/testing/btest/Baseline/doc.autogen-reST-example/example.rst b/testing/btest/Baseline/doc.autogen-reST-example/example.rst index 1f60efe70b..2cb75a6b9f 100644 --- a/testing/btest/Baseline/doc.autogen-reST-example/example.rst +++ b/testing/btest/Baseline/doc.autogen-reST-example/example.rst @@ -109,17 +109,6 @@ Notices Configuration Changes ##################### -Port Analysis -^^^^^^^^^^^^^ -Loading this script makes the following changes to :bro:see:`dpd_config`. - -SSL:: - - [ports={ - 443/tcp, - 562/tcp - }] - Packet Filter ^^^^^^^^^^^^^ Loading this script makes the following changes to :bro:see:`capture_filters`. diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out index 2e1907c91c..a24c711b36 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out @@ -1,11 +1,11 @@ FILE_NEW -sidhzrR4IT8, 0, 0 +5LcdtqrLA97, 0, 0 FILE_BOF_BUFFER The Nationa MIME_TYPE text/x-pascal FILE_STATE_REMOVE -sidhzrR4IT8, 16557, 0 +5LcdtqrLA97, 16557, 0 [orig_h=141.142.228.5, orig_p=50737/tcp, resp_h=141.142.192.162, resp_p=38141/tcp] source: FTP_DATA MD5: 7192a8075196267203adb3dfaa5c908d diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/Cx92a0ym5R8-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/1-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/Cx92a0ym5R8-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/1-file 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/kg59rqyYxN-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/2-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/kg59rqyYxN-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.get/2-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size index 13d0c3c958..49f10feff1 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.size @@ -1 +1 @@ -555523 7gZBKVUgy4l-file0 +555523 file-0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out index 8ea01332c8..5b892c7e9a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out @@ -1,19 +1,19 @@ FILE_NEW -oDwT1BbzjM1, 0, 0 +Cvu8OAp0WEd, 0, 0 MIME_TYPE application/x-dosexec FILE_STATE_REMOVE -oDwT1BbzjM1, 1022920, 0 +Cvu8OAp0WEd, 1022920, 0 [orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp] total bytes: 1022920 source: HTTP FILE_NEW -oDwT1BbzjM1, 0, 0 +Cvu8OAp0WEd, 0, 0 MIME_TYPE application/octet-stream FILE_TIMEOUT FILE_STATE_REMOVE -oDwT1BbzjM1, 206024, 0 +Cvu8OAp0WEd, 206024, 0 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp] total bytes: 1022920 source: HTTP 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size index c1c1d71db7..5066aeab6d 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.size @@ -1 +1 @@ -1022920 oDwT1BbzjM1-file0 +1022920 file-0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out index 1ad4f52f36..886abee0f2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out @@ -1,10 +1,10 @@ FILE_NEW -uHS14uhRKGe, 0, 0 +me4WAjZH0Ik, 0, 0 MIME_TYPE application/octet-stream FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE -uHS14uhRKGe, 498702, 0 +me4WAjZH0Ik, 498702, 0 [orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp] [orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp] total bytes: 498668 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size index da0f4d480c..e38aaa1e25 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.size @@ -1 +1 @@ -498668 uHS14uhRKGe-file0 +498668 file-0 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/aFQKI8SPOL2-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/1-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/aFQKI8SPOL2-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/1-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/CCU3vUEr06l-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/2-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/CCU3vUEr06l-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/2-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/HCzA0dVwDPj-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/3-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/HCzA0dVwDPj-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/3-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/a1Zu1fteVEf-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/4-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/a1Zu1fteVEf-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/4-file 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/xXlF7wFdsR-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/5-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/xXlF7wFdsR-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.pipeline/5-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/v5HLI7MxPQh-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/1-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/v5HLI7MxPQh-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/1-file diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/PZS1XGHkIf1-file b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/2-file similarity index 100% rename from testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/PZS1XGHkIf1-file rename to testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.post/2-file diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-0.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-0.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-1.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-1.dat 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-2.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-2.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-3.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat rename to testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-3.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log index 27fda32d84..948d737979 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log 
@@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path ftp -#open 2013-04-12-16-32-25 +#open 2013-05-18-00-48-19 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg tags data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p extraction_file #types time string addr port addr port string string string string string count count string table[string] bool addr addr port string 1329843175.680248 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - 227 Entering Passive Mode (199,233,217,249,221,90) (empty) T 141.142.220.235 199.233.217.249 56666 - 1329843175.791528 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - 226 Transfer complete. (empty) - - - - - 1329843179.815947 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - 227 Entering Passive Mode (199,233,217,249,221,91) (empty) T 141.142.220.235 199.233.217.249 56667 - -1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 - - - - - - - (empty) - - - - ftp-item-Rqjkzoroau4-0.dat -1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 - - - - - - - (empty) - - - - ftp-item-BTsa70Ua9x7-1.dat +1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 - - - - - - - (empty) - - - - ftp-item-pVhQhhFsB2b-0.dat +1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 - - - - - - - (empty) - - - - ftp-item-fFCPkV1sEsc-1.dat 1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain 77 226 Transfer complete. (empty) - - - - - 1329843194.040188 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,131,46 - - 200 PORT command successful. 
(empty) F 199.233.217.249 141.142.220.235 33582 - 1329843194.095782 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - 226 Transfer complete. (empty) - - - - - 1329843197.672179 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,147,203 - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 37835 - -1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 - - - - - - - (empty) - - - - ftp-item-VLQvJybrm38-2.dat +1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 - - - - - - - (empty) - - - - ftp-item-g3zS3MuJFh-2.dat 1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain 77 226 Transfer complete. (empty) - - - - - -1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 - - - - - - - (empty) - - - - ftp-item-zrfwSs9K1yk-3.dat -#close 2013-04-12-16-32-25 +1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 - - - - - - - (empty) - - - - ftp-item-lMf4UWRkEO5-3.dat +#close 2013-05-18-00-48-19 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3-0.dat b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3-0.dat rename to testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log index 789896072f..9c891f4c74 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path http -#open 2013-03-22-14-38-28 +#open 2013-05-17-23-19-09 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string -1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item-BFymS6bFgT3-0.dat -#close 2013-03-22-14-38-28 +1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item-54zlJFqn0x6-0.dat +#close 2013-05-17-23-19-09 diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb-0.dat b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb-0.dat rename to testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log index 4e70587ff0..2d37e2626f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log 
@@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path irc -#open 2013-03-27-18-49-16 +#open 2013-05-17-23-19-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user command value addl dcc_file_name dcc_file_size dcc_mime_type extraction_file #types time string addr port addr port string string string string string string count string string 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - NICK bloed - - - - - 1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - - 1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje JOIN #easymovies (empty) - - - - -1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 FAKE_MIME irc-dcc-item-wqKMAamJVSb-0.dat -#close 2013-03-27-18-49-16 +1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 FAKE_MIME irc-dcc-item-A3OSdqG9zvk-0.dat +#close 2013-05-17-23-19-21 diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb-0.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-0.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb-0.dat rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-0.dat diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3-1.dat b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-1.dat similarity index 100% rename from testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3-1.dat rename to testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-1.dat 
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log index 0051ddba61..039af42a2b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log +++ b/testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log @@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path smtp_entities -#open 2013-03-26-20-43-14 +#open 2013-05-17-23-19-41 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth filename content_len mime_type md5 extraction_file excerpt #types time string addr port addr port count string count string string string string -1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 79 text/plain - smtp-entity-cwR7l6Zctxb-0.dat (empty) +1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 79 text/plain - smtp-entity-mR3f2AAKo11-0.dat (empty) 1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 1918 text/html - - (empty) -1254722770.692804 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 NEWS.txt 10823 text/plain - smtp-entity-Ltd7QO7jEv3-1.dat (empty) -#close 2013-03-26-20-43-14 +1254722770.692804 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 NEWS.txt 10823 text/plain - smtp-entity-ZNp0KBSLByc-1.dat (empty) +#close 2013-05-17-23-19-41 diff --git a/testing/btest/core/tunnels/teredo-known-services.test b/testing/btest/core/tunnels/teredo-known-services.test index 862930758f..c207d9a2ab 100644 --- a/testing/btest/core/tunnels/teredo-known-services.test +++ b/testing/btest/core/tunnels/teredo-known-services.test 
@@ -1,6 +1,6 @@ -# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}" +# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: test ! -e known_services.log -# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" +# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: btest-diff known_services.log # The first case using Tunnel::delay_teredo_confirmation=T doesn't produce diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro index 317a6276e6..f7f4a0395b 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro 
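Review bot: both @TEST-EXEC lines in the teredo-known-services.test hunk drop the `-b` flag, so the test now runs with Bro's full default script set instead of bare mode, and known_services.log becomes sensitive to every default-loaded script rather than only to base/frameworks/dpd and protocols/conn/known-services that the command names. If a particular script was missing under bare mode, adding it explicitly to the command line keeps the test isolated; either way the reason for the change belongs in the commit message or in the test's own comment block, which currently still only explains the delay_teredo_confirmation cases.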
@@ -1,13 +1,15 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out -# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT >get-gzip.out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT c=1 >get.out +# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT c=2 >get-gzip.out # @TEST-EXEC: btest-diff get.out # @TEST-EXEC: btest-diff get-gzip.out -# @TEST-EXEC: btest-diff Cx92a0ym5R8-file -# @TEST-EXEC: btest-diff kg59rqyYxN-file +# @TEST-EXEC: btest-diff 1-file +# @TEST-EXEC: btest-diff 2-file redef test_file_analysis_source = "HTTP"; +global c = 0 &redef; + redef test_get_file_name = function(f: fa_file): string { - return fmt("%s-file", f$id); + return fmt("%d-file", c); }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro index 1f3d54daea..93443f0ca8 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro 
@@ -1,16 +1,16 @@ # @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.bro %INPUT >a.out # @TEST-EXEC: btest-diff a.out -# @TEST-EXEC: wc -c 7gZBKVUgy4l-file0 | sed 's/^[ \t]* //g' >a.size +# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >a.size # @TEST-EXEC: btest-diff a.size # @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT >b.out # @TEST-EXEC: btest-diff b.out -# @TEST-EXEC: wc -c oDwT1BbzjM1-file0 | sed 's/^[ \t]* //g' >b.size +# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >b.size # @TEST-EXEC: btest-diff b.size # @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.bro %INPUT >c.out # @TEST-EXEC: btest-diff c.out -# @TEST-EXEC: wc -c uHS14uhRKGe-file0 | sed 's/^[ \t]* //g' >c.size +# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >c.size # @TEST-EXEC: btest-diff c.size global cnt: count = 0; @@ -19,7 +19,7 @@ redef test_file_analysis_source = "HTTP"; redef test_get_file_name = function(f: fa_file): string { - local rval: string = fmt("%s-file%d", f$id, cnt); + local rval: string = fmt("file-%d", cnt); ++cnt; return rval; }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro index 5135b03786..36743a8bad 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro 
@@ -1,14 +1,16 @@ # @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out -# @TEST-EXEC: btest-diff aFQKI8SPOL2-file -# @TEST-EXEC: btest-diff CCU3vUEr06l-file -# @TEST-EXEC: btest-diff HCzA0dVwDPj-file -# @TEST-EXEC: btest-diff a1Zu1fteVEf-file -# @TEST-EXEC: btest-diff xXlF7wFdsR-file +# @TEST-EXEC: btest-diff 1-file +# @TEST-EXEC: btest-diff 2-file +# @TEST-EXEC: btest-diff 3-file +# @TEST-EXEC: btest-diff 4-file +# @TEST-EXEC: btest-diff 5-file redef test_file_analysis_source = "HTTP"; +global c = 0; + redef test_get_file_name = function(f: fa_file): string { - return fmt("%s-file", f$id); + return fmt("%d-file", ++c); }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro index 5db64c9ff0..79ac1cb5c1 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro @@ -1,11 +1,13 @@ # @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out -# @TEST-EXEC: btest-diff v5HLI7MxPQh-file -# @TEST-EXEC: btest-diff PZS1XGHkIf1-file +# @TEST-EXEC: btest-diff 1-file +# @TEST-EXEC: btest-diff 2-file redef test_file_analysis_source = "HTTP"; +global c = 0; + redef test_get_file_name = function(f: fa_file): string { - return fmt("%s-file", f$id); + return fmt("%d-file", ++c); }; diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro b/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro index 9ae5280757..de1025ed82 100644 --- a/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro +++ b/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro 
@@ -3,10 +3,14 @@ # @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace %INPUT # @TEST-EXEC: btest-diff conn.log # @TEST-EXEC: btest-diff ftp.log -# @TEST-EXEC: btest-diff ftp-item-Rqjkzoroau4-0.dat -# @TEST-EXEC: btest-diff ftp-item-BTsa70Ua9x7-1.dat -# @TEST-EXEC: btest-diff ftp-item-VLQvJybrm38-2.dat -# @TEST-EXEC: btest-diff ftp-item-zrfwSs9K1yk-3.dat +# @TEST-EXEC: mv ftp-item-*-0.dat ftp-item-0.dat +# @TEST-EXEC: mv ftp-item-*-1.dat ftp-item-1.dat +# @TEST-EXEC: mv ftp-item-*-2.dat ftp-item-2.dat +# @TEST-EXEC: mv ftp-item-*-3.dat ftp-item-3.dat +# @TEST-EXEC: btest-diff ftp-item-0.dat +# @TEST-EXEC: btest-diff ftp-item-1.dat +# @TEST-EXEC: btest-diff ftp-item-2.dat +# @TEST-EXEC: btest-diff ftp-item-3.dat redef FTP::logged_commands += {"LIST"}; redef FTP::extract_file_types=/.*/; diff --git a/testing/btest/scripts/base/protocols/http/http-extract-files.bro b/testing/btest/scripts/base/protocols/http/http-extract-files.bro index ce9d3e7e04..6156009821 100644 --- a/testing/btest/scripts/base/protocols/http/http-extract-files.bro +++ b/testing/btest/scripts/base/protocols/http/http-extract-files.bro @@ -1,5 +1,6 @@ # @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT # @TEST-EXEC: btest-diff http.log -# @TEST-EXEC: btest-diff http-item-BFymS6bFgT3-0.dat +# @TEST-EXEC: mv http-item-*.dat http-item.dat +# @TEST-EXEC: btest-diff http-item.dat redef HTTP::extract_file_types += /text\/html/; diff --git a/testing/btest/scripts/base/protocols/irc/dcc-extract.test b/testing/btest/scripts/base/protocols/irc/dcc-extract.test index 8a6680f99b..71ab1b0900 100644 --- a/testing/btest/scripts/base/protocols/irc/dcc-extract.test +++ b/testing/btest/scripts/base/protocols/irc/dcc-extract.test 
@@ -4,9 +4,10 @@ # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT # @TEST-EXEC: btest-diff irc.log -# @TEST-EXEC: btest-diff irc-dcc-item-wqKMAamJVSb-0.dat +# @TEST-EXEC: mv irc-dcc-item-*-0.dat irc-dcc-item.dat +# @TEST-EXEC: btest-diff irc-dcc-item.dat # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT IRC::extraction_prefix="test" -# @TEST-EXEC: test -e test-wqKMAamJVSb-0.dat +# @TEST-EXEC: test -e test-*-0.dat redef IRC::extract_file_types=/.*/; diff --git a/testing/btest/scripts/base/protocols/smtp/mime-extract.test b/testing/btest/scripts/base/protocols/smtp/mime-extract.test index 54e50d0459..149fcf67c3 100644 --- a/testing/btest/scripts/base/protocols/smtp/mime-extract.test +++ b/testing/btest/scripts/base/protocols/smtp/mime-extract.test @@ -1,10 +1,12 @@ # @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT # @TEST-EXEC: btest-diff smtp_entities.log -# @TEST-EXEC: btest-diff smtp-entity-cwR7l6Zctxb-0.dat -# @TEST-EXEC: btest-diff smtp-entity-Ltd7QO7jEv3-1.dat +# @TEST-EXEC: mv smtp-entity-*-0.dat smtp-entity-0.dat +# @TEST-EXEC: mv smtp-entity-*-1.dat smtp-entity-1.dat +# @TEST-EXEC: btest-diff smtp-entity-0.dat +# @TEST-EXEC: btest-diff smtp-entity-1.dat # @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT SMTP::extraction_prefix="test" -# @TEST-EXEC: test -e test-cwR7l6Zctxb-0.dat -# @TEST-EXEC: test -e test-Ltd7QO7jEv3-1.dat +# @TEST-EXEC: test -e test-*-0.dat +# @TEST-EXEC: test -e test-*-1.dat @load base/protocols/smtp From 04dd363279283c56d205f0979aaa09aa70409391 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 27 May 2013 20:30:03 -0700 Subject: [PATCH 39/70] accept libmagic starting from 5.03 --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index b95b637770..284cd0dfa2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
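Review bot: `test -e test-*-0.dat` in the dcc-extract.test and mime-extract.test hunks hands a shell glob to `test`, which only behaves as an assertion when exactly one file matches: with no match the unexpanded pattern makes `test -e` fail (the intended outcome), but if extraction ever writes two files matching the pattern, `test` receives two arguments and fails with a usage error rather than a clear mismatch. The same holds for the `mv ftp-item-*-0.dat ftp-item-0.dat` style renames in the ftp-extract.bro, http-extract-files.bro and smtp mime-extract.test hunks, which error out when the glob expands to more than one file because the target is not a directory. A one-line comment in each test stating that exactly one extracted file per pattern is expected would make such failures easier to diagnose.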
@@ -74,7 +74,7 @@ if (MISSING_PREREQS) message(FATAL_ERROR "Configuration aborted due to missing prerequisites") endif () -set(libmagic_req 5.04) +set(libmagic_req 5.03) if ( LibMagic_VERSION VERSION_LESS ${libmagic_req} ) message(FATAL_ERROR "libmagic of at least version ${libmagic_req} required " "(found ${LibMagic_VERSION})") From bcc81a1a143c2715240e9822c0c52760bc9b5006 Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Mon, 27 May 2013 21:10:51 -0700 Subject: [PATCH 40/70] Sorry, that libmagic version actually might have some problems - at least on the linux distribution I have access to. So... it was a bad idea. Revert "accept libmagic starting from 5.03" This reverts commit 04dd363279283c56d205f0979aaa09aa70409391. --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 284cd0dfa2..b95b637770 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -74,7 +74,7 @@ if (MISSING_PREREQS) message(FATAL_ERROR "Configuration aborted due to missing prerequisites") endif () -set(libmagic_req 5.03) +set(libmagic_req 5.04) if ( LibMagic_VERSION VERSION_LESS ${libmagic_req} ) message(FATAL_ERROR "libmagic of at least version ${libmagic_req} required " "(found ${LibMagic_VERSION})") From 22a4113ac3e0a9c977fd51f429c385ba0f2ea1a2 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 28 May 2013 16:21:29 -0500 Subject: [PATCH 41/70] Dangling pointer fix. Addresses #1004. --- src/Sessions.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Sessions.cc b/src/Sessions.cc index 2e5a6ded30..00f3bd539c 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc 
@@ -1159,12 +1159,12 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, if ( ! WantConnection(src_h, dst_h, tproto, flags, flip) ) return 0; + ConnID flip_id = *id; + if ( flip ) { // Make a guess that we're seeing the tail half of // an analyzable connection. - ConnID flip_id = *id; - const IPAddr ta = flip_id.src_addr; flip_id.src_addr = flip_id.dst_addr; flip_id.dst_addr = ta; From a0ad87b4c2ac9c1028d7c22f231d57c5d6fa5184 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 29 May 2013 12:48:15 -0500 Subject: [PATCH 42/70] Allow named record constructors. Addresses #983. --- src/Expr.cc | 41 +++++++++++++++++-- src/Expr.h | 17 +++++++- src/Type.h | 5 +++ src/parse.y | 35 ++++++++++++++-- .../btest/Baseline/language.named-ctors/out | 2 + testing/btest/language/named-ctors.bro | 12 ++++++ 6 files changed, 105 insertions(+), 7 deletions(-) create mode 100644 testing/btest/Baseline/language.named-ctors/out create mode 100644 testing/btest/language/named-ctors.bro diff --git a/src/Expr.cc b/src/Expr.cc index 12d3d72304..32fc9b5acc 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -3320,12 +3320,20 @@ bool HasFieldExpr::DoUnserialize(UnserialInfo* info) return UNSERIALIZE(¬_used) && UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field); } -RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list) +RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list, + BroType* arg_type) : UnaryExpr(EXPR_RECORD_CONSTRUCTOR, constructor_list) { if ( IsError() ) return; + if ( arg_type && arg_type->Tag() != TYPE_RECORD ) + { + Error("bad record constructor type", arg_type); + SetError(); + return; + } + // Spin through the list, which should be comprised of // either record's or record-field-assign, and build up a // record type to associate with this constructor. 
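Review bot: in the Sessions.cc hunk, hoisting `ConnID flip_id = *id;` out of the `if ( flip )` block is the right fix only if a pointer to `flip_id` escapes that block and is used after it ends, which the "Dangling pointer fix" subject implies but the hunk's context does not show; a short comment above the declaration (for example, that `flip_id` must outlive the block because its address is handed on below) would keep the next reader from moving it back inside. Note also that the copy is now made for every new connection, not only the flipped ones; cheap for a ConnID, but worth stating in the commit message.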
@@ -3365,7 +3373,17 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list) } } - SetType(new RecordType(record_types)); + ctor_type = new RecordType(record_types); + + if ( arg_type ) + SetType(arg_type->Ref()); + else + SetType(ctor_type->Ref()); + } + +RecordConstructorExpr::~RecordConstructorExpr() + { + Unref(ctor_type); } Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const @@ -3391,7 +3409,7 @@ Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const Val* RecordConstructorExpr::Fold(Val* v) const { ListVal* lv = v->AsListVal(); - RecordType* rt = type->AsRecordType(); + RecordType* rt = ctor_type->AsRecordType(); if ( lv->Length() != rt->NumFields() ) Internal("inconsistency evaluating record constructor"); @@ -3401,6 +3419,19 @@ Val* RecordConstructorExpr::Fold(Val* v) const for ( int i = 0; i < lv->Length(); ++i ) rv->Assign(i, lv->Index(i)->Ref()); + if ( ! same_type(rt, type) ) + { + RecordVal* new_val = rv->CoerceTo(type->AsRecordType()); + + if ( new_val ) + { + Unref(rv); + rv = new_val; + } + else + Internal("record constructor coercion failed"); + } + return rv; } @@ -3416,12 +3447,16 @@ IMPLEMENT_SERIAL(RecordConstructorExpr, SER_RECORD_CONSTRUCTOR_EXPR); bool RecordConstructorExpr::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_RECORD_CONSTRUCTOR_EXPR, UnaryExpr); + SERIALIZE_OPTIONAL(ctor_type); return true; } bool RecordConstructorExpr::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(UnaryExpr); + BroType* t = 0; + UNSERIALIZE_OPTIONAL(t, RecordType::Unserialize(info)); + ctor_type = t->AsRecordType(); return true; } diff --git a/src/Expr.h b/src/Expr.h index bb7526d502..edc1ced6e5 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -57,6 +57,7 @@ extern const char* expr_name(BroExprTag t); class Stmt; class Frame; class ListExpr; +class NameExpr; class CallExpr; class EventExpr; 
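Review bot: `ctor_type` is left uninitialized on the early-return paths of the RecordConstructorExpr constructor (both the `if ( IsError() ) return;` and the `bad record constructor type` branch return before `ctor_type = new RecordType(record_types);`), yet the new destructor unconditionally calls `Unref(ctor_type)`, so an erroneous constructor expression would Unref an indeterminate pointer; initialize it to 0 in the constructor's initializer list. The `DoUnserialize` change in the same file has a related gap: `SERIALIZE_OPTIONAL(ctor_type)` permits a null value, but `ctor_type = t->AsRecordType();` dereferences `t` without checking it, so it should read `ctor_type = t ? t->AsRecordType() : 0;`.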
@@ -165,6 +166,17 @@ public: return (ListExpr*) this; } + const NameExpr* AsNameExpr() const + { + CHECK_TAG(tag, EXPR_NAME, "ExprVal::AsNameExpr", expr_name) + return (const NameExpr*) this; + } + NameExpr* AsNameExpr() + { + CHECK_TAG(tag, EXPR_NAME, "ExprVal::AsNameExpr", expr_name) + return (NameExpr*) this; + } + void Describe(ODesc* d) const; bool Serialize(SerialInfo* info) const; @@ -729,7 +741,8 @@ protected: class RecordConstructorExpr : public UnaryExpr { public: - RecordConstructorExpr(ListExpr* constructor_list); + RecordConstructorExpr(ListExpr* constructor_list, BroType* arg_type = 0); + ~RecordConstructorExpr(); protected: friend class Expr; @@ -741,6 +754,8 @@ protected: void ExprDescribe(ODesc* d) const; DECLARE_SERIAL(RecordConstructorExpr); + + RecordType* ctor_type; // type inferred from the ctor expression list args }; class TableConstructorExpr : public UnaryExpr { diff --git a/src/Type.h b/src/Type.h index 0b7620cd68..bad51776d9 100644 --- a/src/Type.h +++ b/src/Type.h @@ -217,6 +217,11 @@ public: return tag == TYPE_TABLE && (YieldType() == 0); } + int IsTable() const + { + return tag == TYPE_TABLE && (YieldType() != 0); + } + BroType* Ref() { ::Ref(this); return this; } virtual void Describe(ODesc* d) const; diff --git a/src/parse.y b/src/parse.y index 7ce1174595..bfaf282c6a 100644 --- a/src/parse.y +++ b/src/parse.y 
@@ -522,10 +522,39 @@ expr: $$ = new VectorConstructorExpr($3); } - | expr '(' opt_expr_list ')' + | expr '(' { - set_location(@1, @4); - $$ = new CallExpr($1, $3, in_hook > 0); + if ( $1->Tag() == EXPR_NAME && $1->Type()->IsTable() ) + ++in_init; + } + opt_expr_list + { + if ( $1->Tag() == EXPR_NAME && $1->Type()->IsTable() ) + --in_init; + } + ')' + { + set_location(@1, @6); + + BroType* ctor_type = 0; + + if ( $1->Tag() == EXPR_NAME && + (ctor_type = $1->AsNameExpr()->Id()->AsType()) ) + { + switch ( ctor_type->Tag() ) { + case TYPE_RECORD: + $$ = new RecordConstructorExpr($4, ctor_type); + break; + case TYPE_TABLE: + case TYPE_VECTOR: + default: + $1->Error("constructor type not implemented"); + YYERROR; + } + } + + else + $$ = new CallExpr($1, $4, in_hook > 0); } | TOK_HOOK { ++in_hook; } expr diff --git a/testing/btest/Baseline/language.named-ctors/out b/testing/btest/Baseline/language.named-ctors/out new file mode 100644 index 0000000000..39b2ed7c0b --- /dev/null +++ b/testing/btest/Baseline/language.named-ctors/out @@ -0,0 +1,2 @@ +[min=, max=2] +[min=7, max=42] diff --git a/testing/btest/language/named-ctors.bro b/testing/btest/language/named-ctors.bro new file mode 100644 index 0000000000..7f04b9d4b0 --- /dev/null +++ b/testing/btest/language/named-ctors.bro @@ -0,0 +1,12 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +type MyRec: record { + min: count &optional; + max: count; +}; + +local myrec: MyRec = MyRec($max=2); +print myrec; +myrec = MyRec($min=7, $max=42); +print myrec; From b256642f273e4b53cd9520acebd3bf5b4fdde60d Mon Sep 17 00:00:00 2001 
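Review bot: in the parse.y hunk of this commit the two mid-rule actions increment and decrement `in_init` when `$1->Type()->IsTable()`, but the dispatch in the final action rejects `TYPE_TABLE` with `constructor type not implemented`, so the `in_init` bookkeeping has no live consumer here; either defer it to the commit that adds table constructors or add a comment saying it is preparatory. The mid-rule actions also test `$1->Type()` while the dispatch uses `$1->AsNameExpr()->Id()->AsType()`; those differ for a NameExpr that refers to a variable rather than a type name, so `in_init` can be bumped for what ends up as an ordinary CallExpr. Using the same `ctor_type` lookup in all three actions would keep them consistent, and giving `case TYPE_VECTOR:` its own message instead of sharing the `default:` text would tell users which constructor is merely unimplemented.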
From: Jon Siwek Date: Wed, 29 May 2013 15:11:44 -0500 Subject: [PATCH 43/70] Allow named set constructors. Addresses #983. --- src/Expr.cc | 59 +++++++++++++++++-- src/Expr.h | 3 +- src/parse.y | 9 +++ .../out | 0 .../Baseline/language.named-set-ctors/out | 9 +++ ...named-ctors.bro => named-record-ctors.bro} | 0 testing/btest/language/named-set-ctors.bro | 11 ++++ 7 files changed, 86 insertions(+), 5 deletions(-) rename testing/btest/Baseline/{language.named-ctors => language.named-record-ctors}/out (100%) create mode 100644 testing/btest/Baseline/language.named-set-ctors/out rename testing/btest/language/{named-ctors.bro => named-record-ctors.bro} (100%) create mode 100644 testing/btest/language/named-set-ctors.bro diff --git a/src/Expr.cc b/src/Expr.cc index 32fc9b5acc..0888ee6336 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -3537,16 +3537,30 @@ bool TableConstructorExpr::DoUnserialize(UnserialInfo* info) } SetConstructorExpr::SetConstructorExpr(ListExpr* constructor_list, - attr_list* arg_attrs) + attr_list* arg_attrs, BroType* arg_type) : UnaryExpr(EXPR_SET_CONSTRUCTOR, constructor_list) { if ( IsError() ) return; - if ( constructor_list->Exprs().length() == 0 ) - SetType(new ::SetType(new TypeList(base_type(TYPE_ANY)), 0)); + if ( arg_type ) + { + if ( ! arg_type->IsSet() ) + { + Error("bad set constructor type", arg_type); + SetError(); + return; + } + + SetType(arg_type->Ref()); + } else - SetType(init_type(constructor_list)); + { + if ( constructor_list->Exprs().length() == 0 ) + SetType(new ::SetType(new TypeList(base_type(TYPE_ANY)), 0)); + else + SetType(init_type(constructor_list)); + } if ( ! type ) SetError(); 
@@ -3555,6 +3569,43 @@ SetConstructorExpr::SetConstructorExpr(ListExpr* constructor_list, SetError("values in set(...) constructor do not specify a set"); attrs = arg_attrs ? new Attributes(arg_attrs, type, false) : 0; + + type_list* indices = type->AsTableType()->Indices()->Types(); + expr_list& cle = constructor_list->Exprs(); + + loop_over_list(cle, i) + { + Expr* ce = cle[i]; + + if ( ce->Tag() == EXPR_LIST ) + { + // check promote each expression in composite index + expr_list& el = ce->AsListExpr()->Exprs(); + + if ( el.length() != indices->length() ) + { + ExprError("inconsistent index type length in set constructor"); + return; + } + + loop_over_list(el, j) + { + Expr* e = el[j]; + + if ( ! check_and_promote_expr(e, (*indices)[j]) ) + { + ExprError("inconsistent index type in set constructor"); + return; + } + } + } + + else if ( indices->length() == 1 ) + { + if ( ! check_and_promote_expr(ce, (*indices)[0]) ) + ExprError("inconsistent index type in set constructor"); + } + } } Val* SetConstructorExpr::Eval(Frame* f) const diff --git a/src/Expr.h b/src/Expr.h index edc1ced6e5..e2cc1375a3 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -782,7 +782,8 @@ protected: class SetConstructorExpr : public UnaryExpr { public: - SetConstructorExpr(ListExpr* constructor_list, attr_list* attrs); + SetConstructorExpr(ListExpr* constructor_list, attr_list* attrs, + BroType* arg_type = 0); ~SetConstructorExpr() { Unref(attrs); } Attributes* Attrs() { return attrs; } diff --git a/src/parse.y b/src/parse.y index bfaf282c6a..ac57dea5e9 100644 --- a/src/parse.y +++ b/src/parse.y @@ -546,6 +546,15 @@ expr: $$ = new RecordConstructorExpr($4, ctor_type); break; case TYPE_TABLE: + if ( ctor_type->IsTable() ) + { + $1->Error("constructor type not implemented"); + YYERROR; + } + else + $$ = new SetConstructorExpr($4, 0, ctor_type); + + break; case TYPE_VECTOR: default: $1->Error("constructor type not implemented"); 
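Review bot: the new index-checking loop in the @@ -3555 hunk of Expr.cc runs even when the constructor is already in an error state: the lines just above it call `SetError()` when `type` is null and `SetError("values in set(...) constructor do not specify a set")` when it is not a set, but nothing returns before `type->AsTableType()->Indices()->Types()`, which dereferences a null `type` or trips the tag check on a non-table one; add `if ( IsError() ) return;` before computing `indices`. Two smaller points in the same loop: an element that is not an EXPR_LIST is silently accepted when `indices->length() > 1`, because the `else if ( indices->length() == 1 )` branch does not cover that case, and `check_and_promote_expr(e, (*indices)[j])` operates on the local copy `e`, which is never stored back into `el[j]`, so any promotion it performs is lost.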
diff --git a/testing/btest/Baseline/language.named-ctors/out b/testing/btest/Baseline/language.named-record-ctors/out similarity index 100% rename from testing/btest/Baseline/language.named-ctors/out rename to testing/btest/Baseline/language.named-record-ctors/out diff --git a/testing/btest/Baseline/language.named-set-ctors/out b/testing/btest/Baseline/language.named-set-ctors/out new file mode 100644 index 0000000000..e7b0ca6b67 --- /dev/null +++ b/testing/btest/Baseline/language.named-set-ctors/out @@ -0,0 +1,9 @@ +{ +1, +5, +3 +} +{ +[test, 1] , +[cool, 2] +} diff --git a/testing/btest/language/named-ctors.bro b/testing/btest/language/named-record-ctors.bro similarity index 100% rename from testing/btest/language/named-ctors.bro rename to testing/btest/language/named-record-ctors.bro diff --git a/testing/btest/language/named-set-ctors.bro b/testing/btest/language/named-set-ctors.bro new file mode 100644 index 0000000000..5c7e0b1398 --- /dev/null +++ b/testing/btest/language/named-set-ctors.bro @@ -0,0 +1,11 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +type FooSet: set[count]; +type FooSetComp: set[string, count]; + +global myset: FooSet = FooSet(1, 5, 3); +global mysetcomp: FooSetComp = FooSetComp(["test", 1], ["cool", 2]); + +print myset; +print mysetcomp; From 29740d3d6e5eb311f22f3ddd7b5407371ecab7eb Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 29 May 2013 16:49:12 -0500 Subject: [PATCH 44/70] Improve set constructor argument coercion. --- src/Expr.cc | 41 ++++++++----------- .../Baseline/language.named-set-ctors/out | 4 ++ testing/btest/language/named-set-ctors.bro | 8 ++++ 3 files changed, 29 insertions(+), 24 deletions(-) diff --git a/src/Expr.cc b/src/Expr.cc index 0888ee6336..777fa5fe26 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
@@ -3573,37 +3573,30 @@ SetConstructorExpr::SetConstructorExpr(ListExpr* constructor_list, type_list* indices = type->AsTableType()->Indices()->Types(); expr_list& cle = constructor_list->Exprs(); - loop_over_list(cle, i) + if ( indices->length() == 1 ) { - Expr* ce = cle[i]; + if ( ! check_and_promote_exprs_to_type(constructor_list, + (*indices)[0]) ) + ExprError("inconsistent type in set constructor"); + } - if ( ce->Tag() == EXPR_LIST ) + else if ( indices->length() > 1 ) + { + // check/promote each expression in composite index + loop_over_list(cle, i) { - // check promote each expression in composite index - expr_list& el = ce->AsListExpr()->Exprs(); + Expr* ce = cle[i]; + ListExpr* le = ce->AsListExpr(); - if ( el.length() != indices->length() ) + if ( ce->Tag() == EXPR_LIST && + check_and_promote_exprs(le, type->AsTableType()->Indices()) ) { - ExprError("inconsistent index type length in set constructor"); - return; + if ( le != cle[i] ) + cle.replace(i, le); + continue; } - loop_over_list(el, j) - { - Expr* e = el[j]; - - if ( ! check_and_promote_expr(e, (*indices)[j]) ) - { - ExprError("inconsistent index type in set constructor"); - return; - } - } - } - - else if ( indices->length() == 1 ) - { - if ( ! check_and_promote_expr(ce, (*indices)[0]) ) - ExprError("inconsistent index type in set constructor"); + ExprError("inconsistent types in set constructor"); } } } diff --git a/testing/btest/Baseline/language.named-set-ctors/out b/testing/btest/Baseline/language.named-set-ctors/out index e7b0ca6b67..66b0baed7f 100644 --- a/testing/btest/Baseline/language.named-set-ctors/out +++ b/testing/btest/Baseline/language.named-set-ctors/out @@ -4,6 +4,10 @@ 3 } { +[min=, max=5], +[min=, max=2] +} +{ [test, 1] , [cool, 2] } diff --git a/testing/btest/language/named-set-ctors.bro b/testing/btest/language/named-set-ctors.bro index 5c7e0b1398..083937c42e 100644 --- a/testing/btest/language/named-set-ctors.bro +++ b/testing/btest/language/named-set-ctors.bro 
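Review bot: `ListExpr* le = ce->AsListExpr();` is evaluated before the `ce->Tag() == EXPR_LIST` test in the rewritten composite-index loop, so for a non-list element the tag check inside the accessor (the same CHECK_TAG pattern the Expr.h accessors use) fires as an internal error before the intended `inconsistent types in set constructor` diagnostic is reached; move the cast inside the `if`, after the tag test. The guard before `type_list* indices = type->AsTableType()->Indices()->Types();` is still missing in this version, so a null or non-table `type` left behind by the earlier `SetError()` calls continues to be dereferenced here.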
@@ -1,11 +1,19 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: btest-diff out +type MyRec: record { + min: count &optional; + max: count; +}; + type FooSet: set[count]; +type FooSetRec: set[MyRec]; type FooSetComp: set[string, count]; global myset: FooSet = FooSet(1, 5, 3); +global mysetrec: FooSetRec = FooSetRec([$max=5], [$max=2]); global mysetcomp: FooSetComp = FooSetComp(["test", 1], ["cool", 2]); print myset; +print mysetrec; print mysetcomp; From bcf5c41786d981b04ed62629fb8db03677f3e700 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 30 May 2013 10:21:15 -0500 Subject: [PATCH 45/70] Allow named table constructors. Addresses #983. --- src/Expr.cc | 66 ++++++++++++++++--- src/Expr.h | 15 ++++- src/parse.y | 7 +- .../Baseline/language.named-table-ctors/out | 19 ++++++ testing/btest/language/named-table-ctors.bro | 24 +++++++ 5 files changed, 117 insertions(+), 14 deletions(-) create mode 100644 testing/btest/Baseline/language.named-table-ctors/out create mode 100644 testing/btest/language/named-table-ctors.bro diff --git a/src/Expr.cc b/src/Expr.cc index 777fa5fe26..ca980e5acc 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
@@ -3461,27 +3461,75 @@ bool RecordConstructorExpr::DoUnserialize(UnserialInfo* info) } TableConstructorExpr::TableConstructorExpr(ListExpr* constructor_list, - attr_list* arg_attrs) + attr_list* arg_attrs, BroType* arg_type) : UnaryExpr(EXPR_TABLE_CONSTRUCTOR, constructor_list) { if ( IsError() ) return; - if ( constructor_list->Exprs().length() == 0 ) - SetType(new TableType(new TypeList(base_type(TYPE_ANY)), 0)); + if ( arg_type ) + { + if ( ! arg_type->IsTable() ) + { + Error("bad table constructor type", arg_type); + SetError(); + return; + } + + SetType(arg_type->Ref()); + } else { - SetType(init_type(constructor_list)); + if ( constructor_list->Exprs().length() == 0 ) + SetType(new TableType(new TypeList(base_type(TYPE_ANY)), 0)); + else + { + SetType(init_type(constructor_list)); - if ( ! type ) - SetError(); + if ( ! type ) + SetError(); - else if ( type->Tag() != TYPE_TABLE || - type->AsTableType()->IsSet() ) - SetError("values in table(...) constructor do not specify a table"); + else if ( type->Tag() != TYPE_TABLE || + type->AsTableType()->IsSet() ) + SetError("values in table(...) constructor do not specify a table"); + } } attrs = arg_attrs ? 
new Attributes(arg_attrs, type, false) : 0; + + type_list* indices = type->AsTableType()->Indices()->Types(); + expr_list& cle = constructor_list->Exprs(); + + // check and promote all index expressions in ctor list + loop_over_list(cle, i) + { + if ( cle[i]->Tag() != EXPR_ASSIGN ) + continue; + + Expr* idx_expr = cle[i]->AsAssignExpr()->Op1(); + + if ( idx_expr->Tag() != EXPR_LIST ) + continue; + + expr_list& idx_exprs = idx_expr->AsListExpr()->Exprs(); + + if ( idx_exprs.length() != indices->length() ) + continue; + + loop_over_list(idx_exprs, j) + { + Expr* idx = idx_exprs[j]; + + if ( check_and_promote_expr(idx, (*indices)[j]) ) + { + if ( idx != idx_exprs[j] ) + idx_exprs.replace(j, idx); + continue; + } + + ExprError("inconsistent types in table constructor"); + } + } } Val* TableConstructorExpr::Eval(Frame* f) const diff --git a/src/Expr.h b/src/Expr.h index e2cc1375a3..ff97c52178 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -58,6 +58,7 @@ class Stmt; class Frame; class ListExpr; class NameExpr; +class AssignExpr; class CallExpr; class EventExpr; @@ -177,6 +178,17 @@ public: return (NameExpr*) this; } + const AssignExpr* AsAssignExpr() const + { + CHECK_TAG(tag, EXPR_ASSIGN, "ExprVal::AsAssignExpr", expr_name) + return (const AssignExpr*) this; + } + AssignExpr* AsAssignExpr() + { + CHECK_TAG(tag, EXPR_ASSIGN, "ExprVal::AsAssignExpr", expr_name) + return (AssignExpr*) this; + } + void Describe(ODesc* d) const; bool Serialize(SerialInfo* info) const; @@ -760,7 +772,8 @@ protected: class TableConstructorExpr : public UnaryExpr { public: - TableConstructorExpr(ListExpr* constructor_list, attr_list* attrs); + TableConstructorExpr(ListExpr* constructor_list, attr_list* attrs, + BroType* arg_type = 0); ~TableConstructorExpr() { Unref(attrs); } Attributes* Attrs() { return attrs; } diff --git a/src/parse.y b/src/parse.y index ac57dea5e9..74588408fa 100644 --- a/src/parse.y +++ b/src/parse.y 
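Review bot: the new index-promotion loop at the end of TableConstructorExpr runs even when the preceding branch called SetError() with `type` still null or not a table, so `type->AsTableType()->Indices()->Types()` dereferences a null pointer (or fails the tag check) on a malformed constructor; add `if ( IsError() ) return;` right before `type_list* indices = ...`. Separately, `if ( idx_exprs.length() != indices->length() ) continue;` silently accepts an index of the wrong arity, whereas the set-constructor path reports it; an ExprError() there would be consistent with the set case.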
@@ -545,16 +545,15 @@ expr: case TYPE_RECORD: $$ = new RecordConstructorExpr($4, ctor_type); break; + case TYPE_TABLE: if ( ctor_type->IsTable() ) - { - $1->Error("constructor type not implemented"); - YYERROR; - } + $$ = new TableConstructorExpr($4, 0, ctor_type); else $$ = new SetConstructorExpr($4, 0, ctor_type); break; + case TYPE_VECTOR: default: $1->Error("constructor type not implemented"); diff --git a/testing/btest/Baseline/language.named-table-ctors/out b/testing/btest/Baseline/language.named-table-ctors/out new file mode 100644 index 0000000000..23554d10f6 --- /dev/null +++ b/testing/btest/Baseline/language.named-table-ctors/out @@ -0,0 +1,19 @@ +{ +[1] = one, +[5] = five, +[3] = three +} +{ +[[min=, max=5]] = max5, +[[min=, max=2]] = max2 +} +{ +[test, 1] = test1, +[cool, 2] = cool2 +} +{ +[two] = 2.0, +[one] = 1.0, +[three] = 3.0 +} +0 diff --git a/testing/btest/language/named-table-ctors.bro b/testing/btest/language/named-table-ctors.bro new file mode 100644 index 0000000000..83500488f1 --- /dev/null +++ b/testing/btest/language/named-table-ctors.bro @@ -0,0 +1,24 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +type MyRec: record { + min: count &optional; + max: count; +}; + +type FooTable: table[count] of string; +type FooTableRec: table[MyRec] of string; +type FooTableComp: table[string, count] of string; +type FooTableY: table[string] of double; + +global mytable: FooTable = FooTable([1] = "one", [5] = "five", [3] = "three"); +global mytablerec: FooTableRec = FooTableRec([[$max=5]] = "max5", [[$max=2]] = "max2"); +global mytablecomp: FooTableComp = FooTableComp(["test", 1] = "test1", ["cool", +2] = "cool2"); +global mytabley: FooTableY = FooTableY(["one"] = 1, ["two"] = 2, ["three"] = 3) &default=0; + +print mytable; +print mytablerec; +print mytablecomp; +print mytabley; +print mytabley["test"]; From a66b7380b6690003c1b0f321f4f7459a8469a901 Mon Sep 17 00:00:00 2001 
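Review bot: in the named-table-ctors baseline the final line is `0` although `mytabley` is declared `table[string] of double` with `&default=0`, so the &default value is not being promoted to the yield type the way the constructor elements are (`["one"] = 1` prints as `1.0`); either coerce the default against the table's yield type when the attribute is attached or, if that is out of scope for this change, mark it in the test so the baseline is not read as the intended behaviour.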
From: Jon Siwek Date: Thu, 30 May 2013 10:57:28 -0500 Subject: [PATCH 46/70] Allow named vector constructors. Addresses #983. --- src/Expr.cc | 51 +++++++++++++------ src/Expr.h | 2 +- src/parse.y | 3 ++ .../Baseline/language.named-vector-ctors/out | 3 ++ testing/btest/language/named-vector-ctors.bro | 19 +++++++ 5 files changed, 61 insertions(+), 17 deletions(-) create mode 100644 testing/btest/Baseline/language.named-vector-ctors/out create mode 100644 testing/btest/language/named-vector-ctors.bro diff --git a/src/Expr.cc b/src/Expr.cc index ca980e5acc..556c153643 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
@@ -3717,31 +3717,50 @@ bool SetConstructorExpr::DoUnserialize(UnserialInfo* info) return true; } -VectorConstructorExpr::VectorConstructorExpr(ListExpr* constructor_list) +VectorConstructorExpr::VectorConstructorExpr(ListExpr* constructor_list, + BroType* arg_type) : UnaryExpr(EXPR_VECTOR_CONSTRUCTOR, constructor_list) { if ( IsError() ) return; - if ( constructor_list->Exprs().length() == 0 ) + if ( arg_type ) { - // vector(). - SetType(new ::VectorType(base_type(TYPE_ANY))); - return; - } + if ( arg_type->Tag() != TYPE_VECTOR ) + { + Error("bad vector constructor type", arg_type); + SetError(); + return; + } - BroType* t = merge_type_list(constructor_list); - if ( t ) - { - SetType(new VectorType(t->Ref())); - - if ( ! check_and_promote_exprs_to_type(constructor_list, t) ) - ExprError("inconsistent types in vector constructor"); - - Unref(t); + SetType(arg_type->Ref()); } else - SetError(); + { + if ( constructor_list->Exprs().length() == 0 ) + { + // vector(). + SetType(new ::VectorType(base_type(TYPE_ANY))); + return; + } + + BroType* t = merge_type_list(constructor_list); + + if ( t ) + { + SetType(new VectorType(t->Ref())); + Unref(t); + } + else + { + SetError(); + return; + } + } + + if ( ! check_and_promote_exprs_to_type(constructor_list, + type->AsVectorType()->YieldType()) ) + ExprError("inconsistent types in vector constructor"); } Val* VectorConstructorExpr::Eval(Frame* f) const diff --git a/src/Expr.h b/src/Expr.h index ff97c52178..2dca42ef09 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -818,7 +818,7 @@ protected: class VectorConstructorExpr : public UnaryExpr { public: - VectorConstructorExpr(ListExpr* constructor_list); + VectorConstructorExpr(ListExpr* constructor_list, BroType* arg_type = 0); Val* Eval(Frame* f) const; diff --git a/src/parse.y b/src/parse.y index 74588408fa..2b86057f3c 100644 --- a/src/parse.y +++ b/src/parse.y 
@@ -555,6 +555,9 @@ expr: break; case TYPE_VECTOR: + $$ = new VectorConstructorExpr($4, ctor_type); + break; + default: $1->Error("constructor type not implemented"); YYERROR; diff --git a/testing/btest/Baseline/language.named-vector-ctors/out b/testing/btest/Baseline/language.named-vector-ctors/out new file mode 100644 index 0000000000..53ed260c93 --- /dev/null +++ b/testing/btest/Baseline/language.named-vector-ctors/out @@ -0,0 +1,3 @@ +[one, two, three] +[1.0, 2.0, 3.0] +[[min=, max=1], [min=, max=2], [min=, max=3]] diff --git a/testing/btest/language/named-vector-ctors.bro b/testing/btest/language/named-vector-ctors.bro new file mode 100644 index 0000000000..1e0e1e9e55 --- /dev/null +++ b/testing/btest/language/named-vector-ctors.bro @@ -0,0 +1,19 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +type MyRec: record { + min: count &optional; + max: count; +}; + +type FooVector: vector of string; +type FooVectorD: vector of double; +type FooVectorRec: vector of MyRec; + +global myvec: FooVector = FooVector("one", "two", "three"); +global myvecd: FooVectorD = FooVectorD(1, 2, 3); +global myvecrec: FooVectorRec = FooVectorRec([$max=1], [$max=2], [$max=3]); + +print myvec; +print myvecd; +print myvecrec; From 4301002f1adcf31ce23c61239671a6f5e19f47e7 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 30 May 2013 11:41:22 -0500 Subject: [PATCH 47/70] Add named constructor examples to docs. --- doc/scripts/builtins.rst | 75 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/doc/scripts/builtins.rst b/doc/scripts/builtins.rst index 369f38c9eb..937c0ea00d 100644 --- a/doc/scripts/builtins.rst +++ b/doc/scripts/builtins.rst 
@@ -246,6 +246,31 @@ The Bro scripting language supports the following built-in types. [5] = "five", }; + A table constructor (equivalent to above example) can also be used + to create a table: + + .. code:: bro + + global t2: table[count] of string = table( + [11] = "eleven", + [5] = "five" + ); + + Table constructors can also be explicitly named by a type, which is + useful for when a more complex index type could otherwise be + ambiguous: + + .. code:: bro + + type MyRec: record { + a: count &optional; + b: count; + }; + + type MyTable: table[MyRec] of string; + + global t3 = MyTable([[$b=5]] = "b5", [[$b=7]] = "b7"); + Accessing table elements if provided by enclosing values within square brackets (``[]``), for example: @@ -308,6 +333,28 @@ The Bro scripting language supports the following built-in types. The types are explicitly shown in the example above, but they could have been left to type inference. + A set constructor (equivalent to above example) can also be used to + create a set: + + .. code:: bro + + global s3: set[port] = set(21/tcp, 23/tcp, 80/tcp 443/tcp); + + Set constructors can also be explicitly named by a type, which is + useful for when a more complex index type could otherwise be + ambiguous: + + .. code:: bro + + type MyRec: record { + a: count &optional; + b: count; + }; + + type MySet: set[MyRec]; + + global s4 = MySet([$b=1], [$b=2]); + Set membership is tested with ``in``: .. code:: bro @@ -349,6 +396,21 @@ The Bro scripting language supports the following built-in types. global v: vector of string = vector("one", "two", "three"); + Vector constructors can also be explicitly named by a type, which + is useful for when a more complex yield type could otherwise be + ambiguous. + + .. code:: bro + + type MyRec: record { + a: count &optional; + b: count; + }; + + type MyVec: vector of MyRec; + + global v2 = MyVec([$b=1], [$b=2], [$b=3]); + Adding an element to a vector involves accessing/assigning it: .. code:: bro 
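Review bot: the set-constructor example added to builtins.rst, `global s3: set[port] = set(21/tcp, 23/tcp, 80/tcp 443/tcp);`, is missing the comma between `80/tcp` and `443/tcp` and will not parse as written. Minor wording: "useful for when a more complex index type could otherwise be ambiguous" reads better as "useful when ..." (the same phrase is repeated in the table, set and vector paragraphs).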
@@ -402,6 +464,19 @@ The Bro scripting language supports the following built-in types. if ( r?$s ) ... + Records can also be created using a constructor syntax: + + .. code:: bro + + global r2: MyRecordType = record($c = 7); + + And the constructor can be explicitly named by type, too, which + is arguably more readable code: + + .. code:: bro + + global r3 = MyRecordType($c = 42); + .. bro:type:: opaque A data type whose actual representation/implementation is From e3a7e0301b289b0905b1f92bf69138fd626b5379 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 30 May 2013 16:45:14 -0700 Subject: [PATCH 48/70] Cleanup and more API docs. --- src/analyzer/Analyzer.cc | 1 + src/analyzer/Analyzer.h | 2 +- src/analyzer/Component.cc | 1 + src/analyzer/Component.h | 1 + src/analyzer/Manager.cc | 8 +- src/analyzer/Manager.h | 14 ++-- src/analyzer/Tag.cc | 1 + src/analyzer/Tag.h | 1 + src/analyzer/protocol/TODO | 2 - src/main.cc | 9 +-- src/plugin/Component.cc | 2 + src/plugin/Component.h | 39 ++++++++- src/plugin/DummyPlugin.cc | 28 ------- src/plugin/Macros.h | 81 ++++++++++++++++++- src/plugin/Manager.cc | 9 ++- src/plugin/Manager.h | 71 +++++++++++----- src/plugin/Plugin.cc | 11 ++- src/plugin/Plugin.h | 160 +++++++++++++++++++++++++++++++++---- 18 files changed, 349 insertions(+), 92 deletions(-) delete mode 100644 src/analyzer/protocol/TODO delete mode 100644 src/plugin/DummyPlugin.cc diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index 8e2cbdbbbf..ecd3c9f686 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 5769a6c58a..2d905867eb 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
@@ -1,4 +1,4 @@ -// Main analyzer interface. +// See the file "COPYING" in the main distribution directory for copyright. #ifndef ANALYZER_ANALYZER_H #define ANALYZER_ANALYZER_H diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc index 78705643e9..5844da848f 100644 --- a/src/analyzer/Component.cc +++ b/src/analyzer/Component.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include "Component.h" #include "Manager.h" diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h index 6e72f87155..79d4c12fe5 100644 --- a/src/analyzer/Component.h +++ b/src/analyzer/Component.h @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #ifndef ANALYZER_PLUGIN_COMPONENT_H #define ANALYZER_PLUGIN_COMPONENT_H diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 22912ad19d..5695dec625 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include "Manager.h" @@ -85,9 +86,9 @@ Manager::~Manager() } } -void Manager::Init() +void Manager::InitPreScript() { - std::list analyzers = plugin_mgr->Components(plugin::component::ANALYZER); + std::list analyzers = plugin_mgr->Components(); for ( std::list::const_iterator i = analyzers.begin(); i != analyzers.end(); i++ ) RegisterAnalyzerComponent(*i); @@ -98,10 +99,9 @@ void Manager::Init() analyzer_interconn = GetAnalyzerTag("INTERCONN"); analyzer_stepping = GetAnalyzerTag("STEPPINGSTONE"); analyzer_tcpstats = GetAnalyzerTag("TCPSTATS"); - } -void Manager::InitBifs() +void Manager::InitPostScript() { #include "analyzer.bif.init.cc" } diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 371cad956d..c66fd9eafb 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h 
@@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + /** * The central management unit for registering and instantiating analyzers. * @@ -60,16 +62,16 @@ public: ~Manager(); /** - * Initializes the manager's operation. Must be called before scripts - * are parsed. + * First-stage initializion of the manager. This is called early on + * during Bro's initialization, before any scripts are processed. */ - void Init(); + void InitPreScript(); /** - * Initializes the analyze-related BiFs. Must be called after scripts - * are parsed. + * Second-stage initialization of the manager. This is called late + * during Bro's initialization after any scripts are processed. */ - void InitBifs(); + void InitPostScript(); /** * Finished the manager's operations. diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc index 0459a91a32..469b61a6c5 100644 --- a/src/analyzer/Tag.cc +++ b/src/analyzer/Tag.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include "Tag.h" #include "Manager.h" diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index 4d91e19641..3465ddd008 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #ifndef ANALYZER_TAG_H #define ANALYZER_TAG_H diff --git a/src/analyzer/protocol/TODO b/src/analyzer/protocol/TODO deleted file mode 100644 index d1888a18f1..0000000000 --- a/src/analyzer/protocol/TODO +++ /dev/null @@ -1,2 +0,0 @@ -- cmake dependencies don't work right yet - diff --git a/src/main.cc b/src/main.cc index 60c548ba9f..79c895e7af 100644 --- a/src/main.cc +++ b/src/main.cc 
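Review bot: typo in the new analyzer/Manager.h doc comment for InitPreScript(): "First-stage initializion" should be "First-stage initialization". The unchanged comment below it, "Finished the manager's operations", should read "Finishes" if it is touched in the same pass.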
@@ -826,15 +826,14 @@ int main(int argc, char** argv) persistence_serializer = new PersistenceSerializer(); remote_serializer = new RemoteSerializer(); event_registry = new EventRegistry(); - analyzer_mgr = new analyzer::Manager(); log_mgr = new logging::Manager(); input_mgr = new input::Manager(); plugin_mgr = new plugin::Manager(); file_mgr = new file_analysis::Manager(); - plugin_mgr->InitPlugins(); - analyzer_mgr->Init(); + plugin_mgr->InitPreScript(); + analyzer_mgr->InitPreScript(); if ( events_file ) event_player = new EventPlayer(events_file); @@ -854,8 +853,8 @@ int main(int argc, char** argv) yyparse(); - analyzer_mgr->InitBifs(); - plugin_mgr->InitPluginsBif(); + analyzer_mgr->InitPostScript(); + plugin_mgr->InitPostScript(); if ( print_plugins ) { diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc index ddedf7abbb..7d2e69eb86 100644 --- a/src/plugin/Component.cc +++ b/src/plugin/Component.cc @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #include "Component.h" #include "../Desc.h" diff --git a/src/plugin/Component.h b/src/plugin/Component.h index 09357effd2..fbeb70ebed 100644 --- a/src/plugin/Component.h +++ b/src/plugin/Component.h @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #ifndef PLUGIN_COMPONENT_H #define PLUGIN_COMPONENT_H 
@@ -7,25 +8,55 @@ class ODesc; namespace plugin { namespace component { - enum Type { - READER, - WRITER, - ANALYZER + +/** + * Component types. + */ +enum Type { + READER, /// An input reader (not currently used). + WRITER, /// An logging writer (not currenly used). + ANALYZER /// A protocol analyzer. }; } +#if 0 namespace input { class PluginComponent; } namespace logging { class PluginComponent; } namespace analyzer { class PluginComponent; } +#endif +/** + * Base class for plugin components. A component is a specific piece of + * functionality that a plugin provides, such as a protocol analyzer or a log + * writer. + */ class Component { public: + /** + * Constructor. + * + * @param type The type of the compoment. + */ Component(component::Type type); + + /** + * Destructor. + */ virtual ~Component(); + /** + * Returns the compoment's type. + */ component::Type Type() const; + /** + * Returns a textual representation of the component. The default + * version just output the type. Derived version should call the + * parent's implementation and that add further information. + * + * @param d The description object to use. + */ virtual void Describe(ODesc* d); private: diff --git a/src/plugin/DummyPlugin.cc b/src/plugin/DummyPlugin.cc deleted file mode 100644 index 8a7889c682..0000000000 --- a/src/plugin/DummyPlugin.cc +++ /dev/null @@ -1,28 +0,0 @@ - -#include "Plugin.h" - -class DummyPlugin { -public: - virtual void Init() - { - plugin::Description desc; - desc.name = "Dummy"; - desc.description = "My little dummy plugin"; - desc.version = 2; - desc.url = "http://dummy.bro.org"; - SetDescription(desc); - - analyzer::PluginComponent dummy("DUMMY", "Analyzer::DUMMY", dummy::Instantiate, dummy::Available, 0, false); - AddComponent(dummy); - } - -Plugin* bro_plugin() - { - return new DummyPlugin(); - } - - - - - - diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 2288af0d79..b8e2a42fdb 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h 
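Review bot: the enumerator comments in plugin/Component.h use `/// ...` after the enumerator, but Doxygen attaches a trailing comment to the preceding member only with `///<`; as written, "An input reader" documents WRITER, "An logging writer" documents ANALYZER, and ANALYZER's own comment is dropped. Use `READER, ///< An input reader (not currently used).` and so on, and fix "An logging writer (not currenly used)" to "A logging writer (not currently used)". The forward declarations wrapped in `#if 0 ... #endif` should be deleted rather than kept as dead code. Typos in the same hunk: "compoment" twice ("type of the compoment", "the compoment's type"), and the Describe() comment "just output the type. Derived version should call the parent's implementation and that add further information" should read "just outputs the type. Derived versions should call the parent's implementation and then add further information".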
@@ -1,14 +1,38 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +/** + * A set of macros wrapping internal logic for defining plugins and + * components. + */ #ifndef PLUGIN_MACROS_H #define PLUGIN_MACROS_H #include "analyzer/Component.h" +/** + * Place-holder API version for plugins compiled in statically. + */ #define BRO_PLUGIN_VERSION_BUILTIN -1 + +/** + * The current plugin API version. Plugins that won't match this versions + * will be rejected. + */ #define BRO_PLUGIN_API_VERSION 1 #define _BRO_PLUGIN_VERSION_DEFAULT -1 +/** + * Starts the definition of a new plugin. + * + * @param _ns: A namespace for the plugin. All plugins compiled in statically + * must use the reserved "Bro" namespace. External plugins should define + * their own namespace to avoid collisions. + * + * @param _name: The plugin's name. The combiniation of namespace and name + * must be unique across all loaded plugins. + */ #define BRO_PLUGIN_BEGIN(_ns, _name) \ namespace plugin { namespace _ns ## _ ## _name {\ class Plugin : public plugin::Plugin { \ @@ -19,6 +43,9 @@ SetVersion(_BRO_PLUGIN_VERSION_DEFAULT);\ SetAPIVersion(BRO_PLUGIN_API_VERSION); +/** + * Ends the definition of a plugin. + */ #define BRO_PLUGIN_END \ } \ }; \ 
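Review bot: wording in the new plugin/Macros.h comments: "Plugins that won't match this versions will be rejected" should be "Plugins that do not match this version will be rejected", and "combiniation" in the BRO_PLUGIN_BEGIN comment should be "combination".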
@@ -26,19 +53,69 @@ static Plugin __plugin; \ } } -#define BRO_PLUGIN_DESCRIPTION(x) SetDescription(x) -#define BRO_PLUGIN_VERSION(x) SetVersion(x) +/** + * Provides a textual description for a plugin. + * + * @param d A string with the description. + */ +#define BRO_PLUGIN_DESCRIPTION(d) SetDescription(d) +/** + * Defines a version of the plugin. The version is mostly informational for + * the user; if a plugin's functionality changes, the version should be + * increased. + * + * @param v An integer version. + */ +#define BRO_PLUGIN_VERSION(v) SetVersion(v) + +/** + * Adds scrip-level items defined in a \c *.bif file to what the plugin + * provides. + * + * @param file A string with the name of \c *.bif file. When loaded, the the + * plugin will make all items defined in the file available to Bro's script + * interpreter. + */ #define BRO_PLUGIN_BIF_FILE(file) \ extern std::list > __bif_##file##_init(); \ AddBifInitFunction(&__bif_##file##_init); +/** + * Defines a component implementating a protocol analyzer. + * + * @param tag A string with the analyzer's tag. This must be unique across + * all loaded analyzers and will translate into a corresponding \c ANALYZER_* + * constant at the script-layer. + * + * @param cls The class that implements the analyzer. It must be derived + * (directly or indirectly) from analyzer::Analyzer. + */ #define BRO_PLUGIN_ANALYZER(tag, cls) \ AddComponent(new ::analyzer::Component(tag, ::analyzer::cls::InstantiateAnalyzer)); +/** + * Defines a component implementating an protocol analyzer class that will + * not be instantiated dynamically. This is for two use-cases: (1) abstract + * analyzer base classes that aren't instantiated directly; and (2) analyzers + * that are only instantiated explicitly by other Bro components, but not + * dynmically by the manager based on their tag (e.g., the ZIP analyzer is + * attached by the HTTP analyzer when corresponding content is found). + * + * @param tag A string with the analyzer's tag. 
This must be unique across + * all loaded analyzers and will translate into a corresponding \c ANALYZER_* + * constant at the script-layer. + */ #define BRO_PLUGIN_ANALYZER_BARE(tag) \ AddComponent(new ::analyzer::Component(tag, 0)); +/** + * Defines a component implementating a support analyzer. + * + * @param tag A string with the analyzer's tag. This must be unique across + * all loaded analyzers and will translate into a corresponding \c ANALYZER_* + * constant at the script-layer. + */ #define BRO_PLUGIN_SUPPORT_ANALYZER(tag) \ AddComponent(new ::analyzer::Component(tag, 0)); diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index b969e581c7..ed6b43d2c4 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include "Manager.h" @@ -35,22 +36,22 @@ bool Manager::RegisterPlugin(Plugin *plugin) return true; } -void Manager::InitPlugins() +void Manager::InitPreScript() { assert(! init); for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) - (*i)->Init(); + (*i)->InitPreScript(); init = true; } -void Manager::InitPluginsBif() +void Manager::InitPostScript() { assert(init); for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) - (*i)->InitBif(); + (*i)->InitPostScript(); init = true; } diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 44ec8913c6..2bbcaeb0f1 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #ifndef PLUGIN_MANAGER_H #define PLUGIN_MANAGER_H 
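Review bot: BRO_PLUGIN_ANALYZER_BARE(tag) and BRO_PLUGIN_SUPPORT_ANALYZER(tag) expand to the identical `AddComponent(new ::analyzer::Component(tag, 0));`, so the manager cannot distinguish a support analyzer from a bare one even though the comments describe different roles; if the distinction is meant to be carried by the component, pass a flag or separate constructor argument, otherwise state in the comments that the two macros are aliases. Typos in the same block: "scrip-level", "implementating" (three times), "the the plugin", "dynmically", "an protocol analyzer class".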
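Review bot: in plugin/Manager.cc, InitPostScript() asserts `init` is already set and then ends with `init = true;` again, so that assignment is a no-op; if the intent is to track the second stage, use a separate flag (and assert against running InitPostScript() twice), otherwise drop the line.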
@@ -9,57 +10,88 @@ namespace plugin { +/** + * A singleton object managing all plugins. + */ class Manager { public: typedef std::list plugin_list; typedef Plugin::component_list component_list; + /** + * Constructor. + */ Manager(); + + /** + * Destructor. + */ ~Manager(); /** + * Loads a plugin dynamically from a file. This must be called only + * before InitPluginsPreScript() + * + * This is not currently implemented. + * + * @param file The path to the plugin to load. */ bool LoadPlugin(const std::string& file); /** + * Loads plugins dynamically found in a directory. This must be + * called only before InitPluginsPreScript(). * + * This is not currently implemented. + * + * @param dir The directory to search for plugins. */ bool LoadPluginsFrom(const std::string& dir); /** - * - * @param plugin: The plugin to register. The method does not take - * ownershop but assume the pointer will leave at least until the - * Manager is destroyed. + * First-stage initializion of the manager. This is called early on + * during Bro's initialization, before any scripts are processed, and + * forwards to the corresponding Plugin methods. */ - static bool RegisterPlugin(Plugin *plugin); + void InitPreScript(); /** - * + * Second-stage initialization of the manager. This is called late + * during Bro's initialization after any scripts are processed, and + * forwards to the corresponding Plugin methods. */ - void InitPlugins(); + void InitPostScript(); /** - * - */ - void InitPluginsBif(); - - /** - * + * Finalizes all plugins at termination time. This forwards to the + * corresponding Plugin methods. */ void FinishPlugins(); /** - * + * Returns a list of all available plugins. This includes all that + * are compiled in statically, as well as those loaded dynamically so + * far. */ plugin_list Plugins() const; /** - * + * Returns a list of all available components, in any plugin, that + * are derived from a specific class. The class is given as the + * template parameter \c T. 
*/ - template - std::list Components(component::Type type) const; + template std::list Components() const; + + /** + * Internal method that registers a freshly instantiated plugin with + * the manager. + * + * @param plugin The plugin to register. The method does not take + * ownership, yet assumes the pointer will stay valid at least until + * the Manager is destroyed. + */ + static bool RegisterPlugin(Plugin *plugin); private: static plugin_list* PluginsInternal(); @@ -68,7 +100,7 @@ private: }; template -std::list Manager::Components(component::Type type) const +std::list Manager::Components() const { std::list result; @@ -90,6 +122,9 @@ std::list Manager::Components(component::Type type) const } +/** + * The global plugin manager singleton. + */ extern plugin::Manager* plugin_mgr; #endif diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 99c73339b3..093a4fad62 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include @@ -9,6 +10,12 @@ using namespace plugin; +BifItem::BifItem(const std::string& arg_id, Type arg_type) + { + id = copy_string(arg_id.c_str()); + type = arg_type; + } + BifItem::BifItem(const BifItem& other) { id = copy_string(other.id); @@ -91,11 +98,11 @@ void Plugin::SetAPIVersion(int arg_version) api_version = arg_version; } -void Plugin::Init() +void Plugin::InitPreScript() { } -void Plugin::InitBif() +void Plugin::InitPostScript() { for ( bif_init_func_list::const_iterator f = bif_inits.begin(); f != bif_inits.end(); f++ ) { diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index c5753767db..189fdf5c52 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -1,3 +1,4 @@ +// See the file "COPYING" in the main distribution directory for copyright. #ifndef PLUGIN_PLUGIN_H #define PLUGIN_PLUGIN_H 
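Review bot: the LoadPlugin() and LoadPluginsFrom() comments in plugin/Manager.h say they must be called before InitPluginsPreScript(), but the method introduced in this same hunk is named InitPreScript(); update both references. Also "First-stage initializion" should be "initialization", and RegisterPlugin() is documented as an "Internal method" while it sits in the public section; if it must stay public for the plugin registration macros, the comment should say so.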
@@ -14,17 +15,51 @@ namespace plugin { class Manager; class Component; +/** + * A class describing an item defined in \c *.bif file. + */ class BifItem { public: - // Values must match the integers bifcl generates. + /** + * Type of the item. + * + * The values here must match the integers that \c bifcl generated. + */ enum Type { FUNCTION = 1, EVENT = 2, CONSTANT = 3, GLOBAL = 4, TYPE = 5 }; + /** + * Constructor. + * + * @param id The script-level name of the item. This should be fully + * qualified. + * + * @param type The type of the item. + */ BifItem(const std::string& id, Type type); + + /** + * Copy constructor. + */ BifItem(const BifItem& other); + + /** + * Assigment operator. + */ BifItem& operator=(const BifItem& other); + + /** + * Destructor. + */ ~BifItem(); + /** + * Returns the script-level ID as passed into the constructor. + */ const char* GetID() const { return id; } + + /** + * Returns the type as passed into the constructor. + */ Type GetType() const { return type; } private: 
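Review bot: typos in the new BifItem doc comments in plugin/Plugin.h: "Assigment operator" should be "Assignment operator", and "must match the integers that \c bifcl generated" should be "generates".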
@@ -32,44 +67,136 @@ private: Type type; }; -inline BifItem::BifItem(const std::string& arg_id, Type arg_type) - { - id = copy_string(arg_id.c_str()); - type = arg_type; - } - +/** + * Base class for all plugins. + * + * Plugins encapsulate functionality that extends one of Bro's major + * subsystems, such as analysis of a specific protocol, or logging output in + * a particular format. A plugin is a logical container that can provide one + * or more \a components implementing functionality. For example, a RPC + * plugin could provide analyzer for set of related protocols (RPC, NFS, + * etc.), each of which would be a separate component. Likewise, a SQLite + * plugin could provide both a writer and reader component. In addition to + * components, a plugin can also provide of script-level elements defined in + * *.bif files. + * + * Currently, all plugins ard compiled statically into the final Bro binary. + * Later, we will extend the infrastructure to also support plugins loaded + * dynamically as shared libraries. + */ class Plugin { public: typedef std::list component_list; typedef std::list bif_item_list; + /** + * Constructor. + */ Plugin(); + + /** + * Destructor. + */ virtual ~Plugin(); + /** + * Returns the name of the plugin. + */ const char* Name(); + + /** + * Returns a short textual description of the plugin, if provided. + */ const char* Description(); + + /** + * Returns the version of the plugin. + */ int Version(); + + /** + * Returns the internal API version that this plugin relies on. Only + * plugins that match Bro's BRO_PLUGIN_API_VERSION may be used. For + * statically compiled plugins this is automatically the case, but + * dynamically loaded plugins could later cause a mismatch. + */ int APIVersion(); + /** + * Returns a list of all components the plugin provides. + * BRO_PLUGIN_VERSION_BUILTIN indiciates that it's a plugin compiled + * in statically. 
+ */ component_list Components(); - void InitBif(); - - // Must be called after InitBif() only. + /** + * Returns a list of all BiF items that the plugin provides. This + * must be called only after InitBif() has been executed. + */ bif_item_list BifItems(); - virtual void Init(); + /** + * First-stage initialization of the plugin called early during Bro's + * startup, before scripts are parsed. This can be overridden by + * derived classes; they must however call the parent's + * implementation. + */ + virtual void InitPreScript(); + + /** + * Second-stage initialization of the plugin called late during Bro's + * startup, after scripts are parsed. This can be overridden by + * derived classes; they must however call the parent's + * implementation. + */ + virtual void InitPostScript(); + + /** + * Finalizer method that derived classes can override for performing + * custom tasks at shutdown. Implementation must call the parent's + * version. + */ virtual void Done(); + /** + * Returns a textual description of the plugin. + * + * @param d Description object to use for rendering. If "short mode" + * is disabled, the rendering will include a list of all components + * and BiF items. + */ void Describe(ODesc* d); protected: typedef std::list > bif_init_func_result; typedef bif_init_func_result (*bif_init_func)(); + /** + * Sets the plugins name. + * + * @param name The name. Makes a copy internally. + */ void SetName(const char* name); + + /** + * Sets the plugin's textual description. + * + * @param name The description. Makes a copy internally. + */ void SetDescription(const char* descr); + + /** + * Sets the plugin's version. + * + * @param version The version. + */ void SetVersion(int version); + + /** + * Sets the API version the plugin requires. + * BRO_PLUGIN_VERSION_BUILTIN indicates that it's a plugin linked in + * statically. + */ void SetAPIVersion(int version); /** 
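Review bot: the BifItems() comment says it "must be called only after InitBif() has been executed", but InitBif() is removed in this very hunk; point the precondition at whichever method now does that work (InitPreScript(), by the look of the macro in Macros.h) or drop it. SetDescription() documents its parameter as "@param name" while the parameter is descr, and "Sets the plugins name" should be "the plugin's name". The APIVersion() comment says only plugins matching BRO_PLUGIN_API_VERSION may be used, while SetAPIVersion() says BRO_PLUGIN_VERSION_BUILTIN marks statically linked plugins; Macros.h defines those as 1 and -1, so one of the two comments should state that the manager special-cases the built-in sentinel, otherwise a reader expects statically linked plugins to be rejected by the version check.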
@@ -78,11 +205,12 @@ protected: void AddComponent(Component* c); /** - * Can be overriden by derived class to inform the plugin about - * further BiF items they provide on their own (i.e., outside of the - * standard mechanism processing *.bif files automatically.). This - * information is for information purpuses only and will show up in - * the result of BifItem() as well as in the Describe() output. + * Virtual method that can be overriden by derived class to provide + * information about further script-level elements that the plugins + * provides on its own, i.e., outside of the standard mechanism + * processing *.bif files automatically. The returned information is + * for informational purpuses only and will show up in the result of + * BifItems() as well as in the Describe() output. */ virtual bif_item_list CustomBifItems() ; From 2e9de30bcc0156373e260b1a059960bf7dbb796d Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 30 May 2013 17:39:37 -0700 Subject: [PATCH 49/70] New CMake variable bro_HAVE_OBJECT_LIBRARIES that switches between object and static libraries for sub directories. Default is static to support old CMakes. --- cmake | 2 +- src/CMakeLists.txt | 20 +++++++++++++++----- src/analyzer/CMakeLists.txt | 6 +++++- 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/cmake b/cmake index 251cfee95c..0187b33a29 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 251cfee95c380c3c8ceac42653d3755928718f6f +Subproject commit 0187b33a29d5ec824f940feff60dc5d8c2fe314f diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 8264d6f94c..29c96099b9 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
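Review bot: typos in the CustomBifItems() comment: "overriden" should be "overridden", "purpuses" should be "purposes", and "the plugins provides" should be "the plugin provides". Since the comment says the returned list is informational only and merely feeds BifItems() and Describe(), it is worth adding one sentence making explicit that returning an item here does not register anything with the script interpreter, so a plugin author does not mistake it for a registration hook.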
@@ -6,6 +6,10 @@ include_directories(BEFORE # This collects generated bif and pac files from subdirectories. set(bro_ALL_GENERATED_OUTPUTS CACHE INTERNAL "automatically generated files" FORCE) +# If TRUE, use CMake's object libraries for sub-directories instead of +# static libraries. This requires CMake >= 2.8.8. +set(bro_HAVE_OBJECT_LIBRARIES FALSE) + configure_file(version.c.in ${CMAKE_CURRENT_BINARY_DIR}/version.c) configure_file(util-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/util-config.h) @@ -142,13 +146,14 @@ list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}") ## Including subdirectories. ######################################################################## -set(bro_PLUGIN_OBJECT_LIBS CACHE INTERNAL "plugin object libraries" FORCE) +set(bro_SUBDIR_LIBS CACHE INTERNAL "subdir libraries" FORCE) +set(bro_PLUGIN_LIBS CACHE INTERNAL "plugin libraries" FORCE) add_subdirectory(analyzer) set(bro_SUBDIRS - $ - ${bro_PLUGIN_OBJECT_LIBS} + ${bro_SUBDIR_LIBS} + ${bro_PLUGIN_LIBS} ) ######################################################################## @@ -356,9 +361,14 @@ set(bro_SRCS ) collect_headers(bro_HEADERS ${bro_SRCS}) -add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_SUBDIRS}) -target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) +if ( bro_HAVE_OBJECT_LIBRARIES ) + add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_SUBDIRS}) + target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) +else () + add_executable(bro ${bro_SRCS} ${bro_HEADERS}) + target_link_libraries(bro ${brodeps} ${bro_SUBDIRS} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) +endif () install(TARGETS bro DESTINATION bin) diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt index 1e91141114..20b53d7ca8 100644 --- a/src/analyzer/CMakeLists.txt +++ b/src/analyzer/CMakeLists.txt @@ -1,4 +1,6 @@ +include(BroSubdir) + include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} 
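Review bot: set(bro_HAVE_OBJECT_LIBRARIES FALSE) hardcodes a choice whose only stated criterion is "requires CMake >= 2.8.8"; derive it from the running CMake instead, e.g. if ( NOT CMAKE_VERSION VERSION_LESS 2.8.8 ) set(bro_HAVE_OBJECT_LIBRARIES TRUE) endif (), so newer CMakes get object libraries without anyone flipping the flag by hand (patches 52 and 57 below flip it back and forth, which is exactly the churn this avoids). In the static-library branch the link line is target_link_libraries(bro ${brodeps} ${bro_SUBDIRS} ...); with static archives order matters and the subdirectory libraries depend on ${brodeps}, so ${bro_SUBDIRS} must come before ${brodeps} or the linker will leave analyzer symbols unresolved (patch 57 makes that swap).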
@@ -14,5 +16,7 @@ set(analyzer_SRCS ) bif_target(analyzer.bif) -add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC}) + +bro_add_subdir_library(analyzer ${analyzer_SRCS} ${BIF_OUTPUT_CC}) add_dependencies(bro_analyzer generate_outputs) + From b3370584c7d2dafa293a7a83f2e70050a86b5eff Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 30 May 2013 17:44:09 -0700 Subject: [PATCH 50/70] Updating submodule(s). [nomail] --- cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmake b/cmake index 0187b33a29..94e72a3075 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 0187b33a29d5ec824f940feff60dc5d8c2fe314f +Subproject commit 94e72a3075bb0b9550ad05758963afda394bfb2c From 23463d064c4acd19df10310fbfd5c13fce47ee2b Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 30 May 2013 19:13:08 -0700 Subject: [PATCH 51/70] Little fixes. --- cmake | 2 +- src/main.cc | 2 +- src/plugin/Macros.h | 2 +- src/plugin/Manager.cc | 2 -- 4 files changed, 3 insertions(+), 5 deletions(-) diff --git a/cmake b/cmake index 94e72a3075..0187b33a29 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 94e72a3075bb0b9550ad05758963afda394bfb2c +Subproject commit 0187b33a29d5ec824f940feff60dc5d8c2fe314f diff --git a/src/main.cc b/src/main.cc index 79c895e7af..491f8a732d 100644 --- a/src/main.cc +++ b/src/main.cc @@ -853,8 +853,8 @@ int main(int argc, char** argv) yyparse(); - analyzer_mgr->InitPostScript(); plugin_mgr->InitPostScript(); + analyzer_mgr->InitPostScript(); if ( print_plugins ) { diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index b8e2a42fdb..64f04d7645 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -37,7 +37,7 @@ namespace plugin { namespace _ns ## _ ## _name {\ class Plugin : public plugin::Plugin { \ protected: \ - void Init() \ + void InitPreScript() \ { \ SetName(#_ns "::" #_name); \ SetVersion(_BRO_PLUGIN_VERSION_DEFAULT);\ 
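Review bot: bro_add_subdir_library(analyzer ...) is immediately followed by add_dependencies(bro_analyzer generate_outputs), so this file implicitly requires the BroSubdir macro in the cmake submodule to name its target bro_analyzer; either document that naming contract next to the macro or have the macro hand the target name back in a variable that this line uses. The hunk also appends a stray blank line at the end of the file.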
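Review bot: in main.cc, moving plugin_mgr->InitPostScript() ahead of analyzer_mgr->InitPostScript() is presumably because the analyzer manager needs the plugins' post-script state, but the commit message ("Little fixes") does not say so; add a one-line comment above the two calls so the order is not "fixed" back later.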
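Review bot: in Macros.h, the renamed InitPreScript() in the generated Plugin class is now the override that Plugin.h documents as "must however call the parent's implementation"; the visible lines show only SetName() and SetVersion(), so make sure the generated body calls plugin::Plugin::InitPreScript() before returning.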
diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index ed6b43d2c4..93ed3f2b97 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -52,8 +52,6 @@ void Manager::InitPostScript() for ( plugin_list::iterator i = Manager::PluginsInternal()->begin(); i != Manager::PluginsInternal()->end(); i++ ) (*i)->InitPostScript(); - - init = true; } void Manager::FinishPlugins() From 58ac7c80cd065bb5dee33d4be2c1a00093893e7a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 30 May 2013 19:14:04 -0700 Subject: [PATCH 52/70] Switching back to object libs for now. --- src/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 29c96099b9..5573855740 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -8,7 +8,7 @@ set(bro_ALL_GENERATED_OUTPUTS CACHE INTERNAL "automatically generated files" FO # If TRUE, use CMake's object libraries for sub-directories instead of # static libraries. This requires CMake >= 2.8.8. -set(bro_HAVE_OBJECT_LIBRARIES FALSE) +set(bro_HAVE_OBJECT_LIBRARIES TRUE) configure_file(version.c.in ${CMAKE_CURRENT_BINARY_DIR}/version.c) configure_file(util-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/util-config.h) From 6d478bea57ea128cac13e4342dcee3ff95a27ad4 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 31 May 2013 17:30:43 -0700 Subject: [PATCH 53/70] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 4d0b75afad..3389de4a60 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 4d0b75afadd6a3c6507e8ca18cb1913faa93a3b0 +Subproject commit 3389de4a6045451f66b6cd52074c746ec9be551e From 45f6f11e51fec58f2c0d43c4bce10a51d6a6e3af Mon Sep 17 00:00:00 2001 
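Review bot: removing init = true; from Manager::InitPostScript() raises the question of whether the init member is still read anywhere (for instance as a guard against double initialization); if it is, nothing sets it any more and every check against it now sees false, and if it is not, remove the member too rather than leaving a dead field behind.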
From: Robin Sommer Date: Fri, 31 May 2013 17:32:27 -0700 Subject: [PATCH 54/70] Adding Makefile target test-all that also runs the BroControl test suite. Eventually "make test" should do this but let's trigger it separately for now. --- Makefile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 455fa6ed88..adf45f84f4 100644 --- a/Makefile +++ b/Makefile @@ -61,7 +61,10 @@ distclean: rm -rf $(BUILD) test: - @(cd testing && make ) + @( cd testing && make ) + +test-all: test + test -d aux/broctl && ( cd aux/broctl && make test ) configured: @test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 ) From c6ad731562ff5feb14798aaaba46e007c1284e0b Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sun, 2 Jun 2013 17:54:43 -0700 Subject: [PATCH 55/70] More smaller cleanup. --- doc/scripts/CMakeLists.txt | 6 -- doc/scripts/example.bro | 2 +- scripts/base/frameworks/analyzer/main.bro | 68 +++++++++++------------ scripts/base/frameworks/dpd/main.bro | 17 ++---- scripts/base/init-bare.bro | 6 +- scripts/base/protocols/irc/dcc-send.bro | 2 +- src/Base64.cc | 2 - src/CMakeLists.txt | 1 + src/RuleAction.h | 2 - src/analyzer/Tag.h | 2 +- src/analyzer/analyzer.bif | 2 +- src/analyzer/protocol/arp/ARP.cc | 1 - src/plugin/Macros.h | 4 +- 13 files changed, 50 insertions(+), 65 deletions(-) diff --git a/doc/scripts/CMakeLists.txt b/doc/scripts/CMakeLists.txt index 548ed1e119..64c3de92eb 100644 --- a/doc/scripts/CMakeLists.txt +++ b/doc/scripts/CMakeLists.txt @@ -45,12 +45,6 @@ macro(REST_TARGET srcDir broInput) set(sumTextSrc ${absSrcPath}) set(ogSourceFile ${absSrcPath}) - if (${extension} STREQUAL ".bif.bro") - # set(ogSourceFile ${BIF_SRC_DIR}/${basename}) - # the summary text is taken at configure time, but .bif.bro files - # may not have been generated yet, so read .bif file instead - set(sumTextSrc ${ogSourceFile}) - endif () if (NOT relDstDir) set(docName "${basename}") 
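Review bot: the test-all recipe `test -d aux/broctl && ( cd aux/broctl && make test )` makes the target fail whenever aux/broctl is absent, because the recipe line's exit status is then that of the failed test -d and make treats any non-zero status as an error. If a missing submodule should be skipped, write `@if test -d aux/broctl; then ( cd aux/broctl && make test ); fi`; if it must be present, drop the test -d so the failure message points at the real cause. Either way add the leading @ that the other recipes use, or the command line is echoed.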
diff --git a/doc/scripts/example.bro b/doc/scripts/example.bro index 4e2f533226..b7407a27a9 100644 --- a/doc/scripts/example.bro +++ b/doc/scripts/example.bro @@ -58,7 +58,7 @@ global example_ports = { event bro_init() { # Registering a well-known port is self-documenting and - # go into the generated doc's "Port Analysis" section + # goes into the generated doc's "Port Analysis" section. Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, example_ports); } diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index 50ff6b775d..66b3abc46e 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro 
@@ -2,25 +2,25 @@ ##! ##! The analyzer framework allows to dynamically enable or disable analyzers, as ##! well as to manage the well-known ports which automatically active a particular -##! analyzer for new connections. -##! +##! analyzer for new connections. +##! ##! Protocol analyzers are identified by unique tags of type ##! :bro:type:`Analyzer::Tag`, such as :bro:enum:`Analyzer::ANALYZER_HTTP` and ##! :bro:enum:`Analyzer::ANALYZER_HTTP`. These tags are defined internally by the -##! analyzers themselves, and documented in their analyzer-specific description along with the -##! events that they generate. +##! analyzers themselves, and documented in their analyzer-specific description +##! along with the events that they generate. ##! ##! .. todo: ``The ANALYZER_*`` are in fact not yet documented, we need to add that -##! to Broxygen. +##! to Broxygen. module Analyzer; export { ## If true, all available analyzers are initially disabled at startup. One can - ## then selectively enable them with :bro:id:`enable_analyzer`. + ## then selectively enable them with :bro:id:`enable_analyzer`. global disable_all = F &redef; ## Enables an analyzer. Once enabled, the analyzer may be used for analysis of - ## future connections as decided by Bro's dynamic protocol detection. + ## future connections as decided by Bro's dynamic protocol detection. ## ## tag: The tag of the analyzer to enable. ## 
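Review bot: the two example tags read ":bro:enum:`Analyzer::ANALYZER_HTTP` and :bro:enum:`Analyzer::ANALYZER_HTTP`"; the second should name a different analyzer. Grammar in the rewritten opening paragraph: "allows to dynamically enable" should be "allows one to dynamically enable", and "which automatically active a particular analyzer" should be "activate". The note is written ".. todo:" with a single colon, which reStructuredText treats as a comment rather than a directive; use ".. todo::" if it is meant to show up in Broxygen.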
@@ -28,11 +28,11 @@ export { global enable_analyzer: function(tag: Analyzer::Tag) : bool; ## Disables an analyzer. Once disabled, the analyzer will not be used - ## further for analysis of future connections. + ## further for analysis of future connections. ## - ## tag: The tag of the analyzer to disable. + ## tag: The tag of the analyzer to disable. ## - ## Returns: True if the analyzer was successfully disabled. + ## Returns: True if the analyzer was successfully disabled. global disable_analyzer: function(tag: Analyzer::Tag) : bool; ## Registers a set of well-known ports for an analyzer. If a future connection 
@@ -40,50 +40,50 @@ export { ## to parsing it. The function *adds* to all ports already registered, it doesn't ## replace them . ## - ## tag: The tag of the analyzer. + ## tag: The tag of the analyzer. ## - ## ports: The set of well-known ports to associate with the analyzer. + ## ports: The set of well-known ports to associate with the analyzer. ## - ## Returns: True if the ports were sucessfully registered. + ## Returns: True if the ports were sucessfully registered. global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool; ## Registers an individual well-known port for an analyzer. If a future connection ## on this ports is seen, the analyzer will be automatically assigned to parsing - ## it. The function *adds* to all ports already registered, it doesn't - ## replace them . + ## it. The function *adds* to all ports already registered, it doesn't replace + ## them. ## - ## tag: The tag of the analyzer. + ## tag: The tag of the analyzer. ## - ## p: The well-known port to associate with the analyzer. + ## p: The well-known port to associate with the analyzer. ## ## Returns: True if the port was sucessfully registered. global register_for_port: function(tag: Analyzer::Tag, p: port) : bool; ## Returns a set of all well-known ports currently registered for a - ## specific analyzer. - ## - ## tag: The tag of the analyzer. + ## specific analyzer. + ## + ## tag: The tag of the analyzer. ## ## Returns: The set of ports. global registered_ports: function(tag: Analyzer::Tag) : set[port]; - ## Returns a table of all ports-to-analyzer mappings currently registered. - ## + ## Returns a table of all ports-to-analyzer mappings currently registered. + ## ## Returns: A table mapping each analyzer to the set of ports ## registered for it. 
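Review bot: "If a future connection on this ports is seen" should be "this port"; "sucessfully" appears in two lines this hunk rewrites, so fix both to "successfully"; and "it doesn't replace them ." in the register_for_ports comment still has a space before the period that the hunk leaves untouched.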
- global all_registered_ports: function() : table[Analyzer::Tag] of set[port]; + global all_registered_ports: function() : table[Analyzer::Tag] of set[port]; - ## Translates an analyzer type to a string with the analyzer's. + ## Translates an analyzer type to a string with the analyzer's name. ## ## tag: The analyzer tag. ## - ## Returns: The analyzer name corresponding to the tag. + ## Returns: The analyzer name corresponding to the tag. global name: function(tag: Analyzer::Tag) : string; ## Schedules an analyzer for a future connection originating from a given IP - ## address and port. + ## address and port. ## - ## orig: The IP address originating a connection in the future. + ## orig: The IP address originating a connection in the future. ## 0.0.0.0 can be used as a wildcard to match any originator address. ## ## resp: The IP address responding to a connection from *orig*. @@ -99,8 +99,8 @@ export { global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool; - ## A set of analyzers to disable by at startup. The default set - ## contains legacy analyzers that are no longer supported. + ## A set of analyzers to disable by default at startup. The default set contains + ## legacy analyzers that are no longer supported. global disabled_analyzers: set[Analyzer::Tag] = { ANALYZER_INTERCONN, ANALYZER_STEPPINGSTONE, @@ -115,11 +115,11 @@ export { global ports: table[Analyzer::Tag] of set[port]; -event bro_init() &priority=-5 +event bro_init() &priority=5 { if ( disable_all ) __disable_all_analyzers(); - + for ( a in disabled_analyzers ) disable_analyzer(a); } @@ -137,8 +137,8 @@ function disable_analyzer(tag: Analyzer::Tag) : bool function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool { local rc = T; - - for ( p in ports ) + + for ( p in ports ) { if ( ! register_for_port(tag, p) ) rc = F; 
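Review bot: changing the bro_init() handler from &priority=-5 to &priority=5 puts the disable_all / disabled_analyzers processing at the same priority as the per-protocol scripts that call Analyzer::register_for_ports() at &priority=5 (see the SSH example in the series description), and nothing declares an order among handlers of equal priority, so the relative order now depends on script load order; since the commit message ("More smaller cleanup") gives no reason, either explain why this must run that early or choose a distinct priority so the ordering with port registration is deterministic. Also, for ( a in disabled_analyzers ) disable_analyzer(a); discards the boolean result; report a failure with Reporter::warning() rather than silently ignoring it.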
@@ -154,7 +154,7 @@ function register_for_port(tag: Analyzer::Tag, p: port) : bool if ( tag !in ports ) ports[tag] = set(); - + add ports[tag][p]; return T; } diff --git a/scripts/base/frameworks/dpd/main.bro b/scripts/base/frameworks/dpd/main.bro index b4da2ff492..c3282a1da4 100644 --- a/scripts/base/frameworks/dpd/main.bro +++ b/scripts/base/frameworks/dpd/main.bro @@ -23,12 +23,12 @@ export { analyzer: string &log; ## The textual reason for the analysis failure. failure_reason: string &log; - - ## Disabled analyzer IDs. This is only for internal tracking + + ## Disabled analyzer IDs. This is only for internal tracking ## so as to not attempt to disable analyzers multiple times. disabled_aids: set[count]; }; - + ## Ignore violations which go this many bytes into the connection. ## Set to 0 to never ignore protocol violations. const ignore_violations_after = 10 * 1024 &redef; @@ -43,11 +43,6 @@ event bro_init() &priority=5 Log::create_stream(DPD::LOG, [$columns=Info]); } -function foo() : string - { - return "HTTP"; - } - event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10 { local analyzer = Analyzer::name(atype); @@ -66,10 +61,10 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, # for the protocol violation. if ( analyzer !in c$service ) return; - + delete c$service[analyzer]; add c$service[fmt("-%s", analyzer)]; - + local info: Info; info$ts=network_time(); info$uid=c$uid; @@ -88,7 +83,7 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason local size = c$orig$size + c$resp$size; if ( ignore_violations_after > 0 && size > ignore_violations_after ) return; - + # Disable the analyzer that raised the last core-generated event. disable_analyzer(c$id, aid); add c$dpd$disabled_aids[aid]; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 09c08befa6..d5abbef1ff 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -2946,7 +2946,7 @@ const dpd_buffer_size = 1024 &redef; const dpd_match_only_beginning = T &redef; ## If true, don't consider any ports for deciding which protocol analyzer to -## use. +## use. ## ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size ## dpd_match_only_beginning @@ -3065,12 +3065,12 @@ module GLOBAL; ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; -# Load these frameworks here because it uses fairly deep integration with +# Load these frameworks here because they use fairly deep integration with # BiFs and script-land defined types. @load base/frameworks/logging @load base/frameworks/input @load base/frameworks/analyzer @load base/frameworks/file-analysis -# Load BiF defined by plugins. +# Load BiFs defined by plugins. @load base/bif/plugins diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index f5dc72e9ce..0e1d52af59 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -175,7 +175,7 @@ event irc_dcc_message(c: connection, is_orig: bool, c$irc$dcc_file_name = argument; c$irc$dcc_file_size = size; local p = count_to_port(dest_port, tcp); - Analyzer::schedule_analyzer(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_IRC_DATA, 5 min); + Analyzer::schedule_analyzer(0.0.0.0, address, p, Analyzer::ANALYZER_IRC_DATA, 5 min); dcc_expected_transfers[address, p] = c$irc; } diff --git a/src/Base64.cc b/src/Base64.cc index cef11dab92..50732534ab 100644 --- a/src/Base64.cc +++ b/src/Base64.cc @@ -82,8 +82,6 @@ int* Base64Converter::InitBase64Table(const string& alphabet) return base64_table; } - - Base64Converter::Base64Converter(analyzer::Analyzer* arg_analyzer, const string& arg_alphabet) { if ( arg_alphabet.size() > 0 ) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 5573855740..0303a88cfe 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -375,6 +375,7 @@ install(TARGETS bro DESTINATION bin) set(BRO_EXE bro CACHE STRING "Bro executable binary" FORCE) +# Target to create all the autogenerated files. add_custom_target(generate_outputs DEPENDS ${bro_ALL_GENERATED_OUTPUTS}) # Build __load__.bro files for plugins/*.bif.bro. diff --git a/src/RuleAction.h b/src/RuleAction.h index ec7e5c3735..67ceadc6f1 100644 --- a/src/RuleAction.h +++ b/src/RuleAction.h @@ -50,8 +50,6 @@ public: analyzer::Tag ChildAnalyzer() const { return child_analyzer; } private: - // FIXME: This is in fact an analyzer::ID but we can't include "analyzer/Analyzer.h" - // at this point due to circular dependenides. Fix that! analyzer::Tag analyzer; analyzer::Tag child_analyzer; }; diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index 3465ddd008..9b2fea4a9b 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -14,7 +14,7 @@ class Manager; class Component; /** - * Class to identify an analyzdr type. + * Class to identify an analyzer type. * * Each analyzer type gets a tag consisting of a main type and subtype. The * former is an identifier that's unique all analyzer classes. The latter is diff --git a/src/analyzer/analyzer.bif b/src/analyzer/analyzer.bif index 69c648f7d3..7f3cc6ed94 100644 --- a/src/analyzer/analyzer.bif +++ b/src/analyzer/analyzer.bif @@ -1,4 +1,4 @@ -##! Internal functions and types used by the logging framework. +##! Internal functions and types used by the analyzer framework. module Analyzer; diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc index 9173e853aa..b3ef5383ce 100644 --- a/src/analyzer/protocol/arp/ARP.cc +++ b/src/analyzer/protocol/arp/ARP.cc @@ -1,6 +1,5 @@ // See the file "COPYING" in the main distribution directory for copyright. - #include "ARP.h" #include "Event.h" #include "Reporter.h" diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 64f04d7645..423efbfc71 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h 
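Review bot: the FIXME deleted from RuleAction.h ("This is in fact an analyzer::ID but we can't include analyzer/Analyzer.h ... due to circular dependencies. Fix that!") is removed without touching the field, which stays analyzer::Tag; if the circular include was resolved and analyzer::Tag is now the intended type, say so in the commit message, otherwise the comment still documents a real wart and should stay.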
@@ -16,8 +16,8 @@ #define BRO_PLUGIN_VERSION_BUILTIN -1 /** - * The current plugin API version. Plugins that won't match this versions - * will be rejected. + * The current plugin API version. Plugins that won't match this version will + * be rejected. */ #define BRO_PLUGIN_API_VERSION 1 From c19779ae886c7202c4d52b6489a7cd533997d1bd Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sun, 2 Jun 2013 18:22:08 -0700 Subject: [PATCH 56/70] More analyzer framework tests. --- testing/btest/Traces/ssh-on-port-80.trace | Bin 0 -> 11076 bytes testing/btest/btest.cfg | 2 +- .../frameworks/analyzer/disable-analyzer.bro | 14 ++++++++++++++ .../frameworks/analyzer/enable-analyzer.bro | 13 +++++++++++++ .../frameworks/analyzer/register-for-port.bro | 13 +++++++++++++ 5 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Traces/ssh-on-port-80.trace create mode 100644 testing/btest/scripts/base/frameworks/analyzer/disable-analyzer.bro create mode 100644 testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.bro create mode 100644 testing/btest/scripts/base/frameworks/analyzer/register-for-port.bro 
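Review bot: the diffstat for "More analyzer framework tests" lists the three new btest scripts and the ssh-on-port-80.trace capture but no Baseline files; if the scripts use btest-diff, they need baselines in this commit (or a note that they land separately), otherwise the first run of the suite fails on these tests. Since the trace is a binary blob, the commit message should also say where it was captured and that it contains no sensitive data.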
diff --git a/testing/btest/Traces/ssh-on-port-80.trace b/testing/btest/Traces/ssh-on-port-80.trace new file mode 100644 index 0000000000000000000000000000000000000000..6c0ae22e30db1c3093a602715cc90b28730b6fa4 GIT binary patch literal 11076 zcmeI2c{J2*`2Rm+Cu>PU*@w!K86>4tNcJruOSZC;v8H5ASqfPyOZGyGM5rV?Jt(3_ zvPUTq*|+9<-{Z++hWh>SJLfs)d(PK6cYVxEuls$yuj{_<`}3JvEAvyy5DMhi4<3&o zDDX>QK841>WdzXx*Ki>8J4&5Vh?f3KgoXxDL=gFNcjXazsxaGo%%dnU0?TI+tzk@> zDg1CA86I!lk04|elm#eqa&i=khHmE!Zzg&_)4o=Km@uyJGS%ir_*9j$w z5Q-a7D4mdq1;i5|3OLr7b8Myx5*ZcNC9>o3Mh}RIYeT^-3s+q&oKQ8ZvMY(sBM5gS zaV!Zq=H|zYeB64T*fA*F1`v(Nmj|hEa<#DUkmw2PWpy>WfvhI^0paSqh=n5vIV%n8 zedj8!3LRV1P{Sk4vAUfbfF-_Gwx>_qT8r9PJ2*Ike4KH0c6SlA_Oi4wcRFJ&inB4t zNJ)$QKR+a~?nfjfA>cRf5#9m{m~c27QCFO~2>ja$hXXGqnOox|FfyW+ZmuHmaxdoB zB@nZG>1uh}+1(XtGhe<0pC^14{xb_p5v-Lpj&Nb&;Ou$Y7NFs)mgYD&0vKHX0xw?@ z!0>XJCgN&q=VWDW?EwFoyn{E++|Ail%)!=O3}^knL7=UTqq(K1qm`5h;ewC_cleUD zq`Wg&hrnwwOJ~RBcU^5=tR1Z+q<542y7rThBf3|5`E!5{u7Ml>>0}&E&Q8`M=NxP; zh~&W+fRsPK3qC;d16P`8<*KH$cI`eQtX+q-Yd13-tlb4RwY6&(UxOgGz}kg_w11L^ zqw^uLbJMy+c4UG66EP92T|G+HDfj&ar+Am}KTA#>$`9Q<4ah~-mR2@|B`WG0p?q+JGSKtF~vb+-_AnewS& zOlAf+r7chxlXe*-hK3uE{E_Zsi;=cB)%GOqvbOyG)_4Asm+A1fH>ta5>Fx>b;_C^w z%1F!gx!JVAGdoj^2HPg8n{Uw6v$VyeF5SZ};RdxdTB$R7vqktpm9gFkB==N$$>7Nc zM~Beb9rT;iaL2pyEUjPlb#<%J$9LX5yk!05(#1?h*S^}|L)*KAyM=O2B0UU#gJX@SlDlufNZW!*Jk7wyRzwi8bdcCnNUUo`kQM-gV-2zDJR$Fwlh-AJ zEd598s9F^6wotw^6#C81mA}j{vfYY9KTva>y(id<9=zk z_3XE*rCnmhU7ps_3N?dAytT%)@gi}!XsYZbAY!>X9vY*NjbQ(Q zgS0xxDbNLkJ?JKJbyP$QW3nXu*ioz_B`ekOY57iu>^U_rcx?-yQUBAt!6i8g-aesF zNOeJ&O_tG=#}7GWU%Mk$KXl!`FXhHqEJ-mGG~@{;`zc8#D|#XHv?6>-}XF4`!w4&EH)9q9?(M5lB7U18TO zPd@p{x4Hw&`p@J%i)=h2I-aIp;gAfzJzlB*qg6zfJi+0!YlK7J<2PNNhl`JmGGBF- zl}Kj9DTYis3aU*}Lw9U$AM5`)U_M=5_OhvSvP#59NqkaF zepl|d@$~)*@BX@s8#3Y=`uBzEM~}bG>ube1^CXyh9SsGUU?R#73OP@1=KT5vHLLwS zzXM8hUsW6wLiU|qy8cS;SmhqNP+UG%JLc@`lC}|=$qg>MrYEeT38r6TvYFqq+;QafC(s?^5{!*3AS9E4wG>(>SzLsg# z;1R90_pZ*lm;3f9>fh_3P2yCuQw!0+B&ir#eTaQ{zQtexnl8&5M*5%HvL3Yx@u3sCQ$JAd{fd>8Shn{Zp 
zugm2X!e)Z{Ls!Z4hb!b%B5@DMlElVVo4~HZ1Ukq+_sv=0PWKb+Dl}FoLvrbIl-WkN?u{I`T zZdFXAE?J?A2t?_1iJKQ#`k>hpUf2^8lYel|V-|fytZI9_4Kl`t_&v@|n9$^lVhtn}ip05w ztedx9E_C1GoY+v8UT+caa#baxT)&@D-%5h6YP+$NK2+3wo$TKjNnMsi7ZY5zCUF_= zFamVZ|L92?oy3-L^;{3PU~Ca){II$z$Th-Qq5j$|Jjf9r|xq;Gy2IP zL}w5f+deiL7R{E{T^21EwBf6nY#ihj|ALv1%D16yLp^(Rqws$*e1 z+_aN&C*NiDIhCsSdHI~#XEyp%TxX&A=cO4V8T#9|eu0Fu<>&ms8A5h^`yMTfxC!hTnH%T$i=$#=i@`K zaH{0&6iUc?8R6Wg-M**fh)#ZqZXU-}5#_MW;n(t=U3DMp4$NV$H;7kHq!gVCH8>QF z4RA-P&+OH!b8SHz1kCYXNN($DzOp?YX0Ug4O^{ZpB>E|#N-asMv~d`7R{+$#D76q# zm9|5ot@t17{uzPDw=R(#C93vhh1dq_zI}cvXhYU`zc+JwuMDa<;(hg}Fr&WieYLOj zM@8$#)2->+cQk7|wQwHd!WrOIh7O4(#RQ^Di^7UIU1nKI8(E;DNTBHVbzjsD6=^6E zSLs~=Y-|k!tb3YGL{-`r28cU1Q2gP11ahrCxzpNPlzU#Z&w=__$ zCN=pG!8R~A!-K^A8qvHlSSVgcF&9HeJ>L=Rm`Aj+>xWJf90&8`r?L87L5AC1NR zH{7iORT0R9*0p!C$+V7BpJ2Q}IlC>@o2P41?w|HduCm16p=Ih%yK2X~bE@=-OMXdJSb_q!t-*ZIlsmXv#Kfd4ek=<(hM zhNUh!16-x!Q6V;5OVvARLeI{m^IM8MfLn(+OWEKoTtheulb>11(j3B- zia_EsK&$|J92_KhXGRt1_CjLb{dI{T@5b}Q#P_NN3o{cIZ{Ngs1@ABA%@*KSEAc#F zxb@vv_NKy`?OIrq;J`->jQ$O`cI8DikzG{XQKna5#XMPfxOM3pD}vE=zoIW9N6#KH zVVEi@a>!XEDK#e9m#i_A+cWFS#&mD0Y6b=Nk`7nJhw8WPJQUIlFs91n+2Ke6x?1S7df?kFbA8VOm^uK8FQ2s1t^_xFFK8 zVceBWjYs5w0EblEIRA@-oAK{A=p7zLI=h8U`ePeXLOQzm3QkAi_r)kqohH{kSJ>jV zBTc8gtlwMw-6pr7xSr$%zK^$b7;~Gy_SNhOu?yu^|MnxlWo~PBP$TWv_i?@tHjItA zUsGCC^}>sXw5yzcitojLrYn4@n11D!tP?!Qs&!27taR9}y^8F~{5H`K@8{mbFLF9b zKYRA-#S@rOrZ1~%gtST}(Ju*AYC=+_;NBw#_BT(&g{VsBAo0csC6W)y0}hh@#*Ad3 z%OSD5b6p}k%CqmEs)H2=>V9ta!B8Dpx$^nlazkAhKA)y1uQNE6*v{~U-brji7o0jf z){|4)@L|t!_V2q3w>?2{hTCXFU$X`E+bOo35SU<)V%8`-a=@M$o7(nxR_ctWnZ;xY<)a$BDMcv` zH%<9+3GavN=PvggSMo`*_TdzMTHSIgx2B5!;7_Im<=eUewuZhhrR?S}c@znSo_{sl zz7(I;+e=Y7DR3cn_bFT(<*^5~fvDnvic;713&pmf$&P}DE-E@)B-6Y?WlFI%m#r0g zE(09;z2~P0Pqs1**Lq${_>vg;=N=fk11g8m{hlf@{HYEr37&TldtM8^y#*YRM}kg4loGje$MvJ{Yn%JR_^B@yF5Kp{ zV%{JBTzwaVxk-PMik}o^@P%6D{m(eCJAE9Yv2FD@lcr{F<#A2VAX>AZuhcd3&lnjG ze67pME+^wulXr48<;a7cEP@Dr?}=_Lj38fWttWMa^BTT*r4D}rPrSnc@wMfuJ&E|q zI5T2}i-N>xwRMT0e^1E%BJz*3?M55Fe_ibtYl?k 
z=L{d2b?^5uf!apluKFbt@xYkSxi=``wkKRAn2|&k?q@H3sfRCYQ!;-=QTJMNbc%nt z04kvH{L|{z$$|ypx|5&+D#KL@*1B3laCHlb ztB$}`1?Z~C#uZnO09UC#r|f?7w(A*Z%S6!goXUv2hPPvr?^8c+Nt{(GeVg9$Lt8kS zf$fp@jeBuzxm*r5Vppy2l%!0ifD5EVq?0eFsAN9c-6H7l+{4~{@0eH{HCT;(l> z!~wx|iNMuogDXU8NTiy&a9MfmT70x!X+xr}P_oEf>SvyU4Q%J@#l1?x(yMA>XXq=b ziewNoD#N$la*|NNSk5X1Yh5LDwH}iHGgSxra;_V66}9pWSDGzwm73SVvTy&RiV*E- zWn&~cysCh;A%Y~ulwQu zgj!vzZopN-{=T&G%@ZH=z!nm5)J%VHbzd)ZwSH+`B5?KK+={ETkjOWBSf$ZRfSnFyXp;k8o z1*`iiIAP?1?+sC&7H?N-H4?Z=JFjIcQph^Y(4lfrsqU(LRg}t?chM%n;azMe=Ojxq zEkAF1LoE?&V=s3to=i>1umvg@01AFztHy*=Q#LP&2N}TCCD;KL|9Rd4X9pfcLL&Vp zrr+HuGlM(jdO}PjPY&yre#K<0MI6)HM0qVEA^qUc2M6iN4{1feg2e80;=I&v z`xQg-cH$WNgkD^c(EQf=HQ`uoD1VT)laJS~=WS+XoPJj~JRFykWf&D;Q}@5?u53Fp zz$m@<3oAPC(nUU(NB!Xehqg_LIMGGZo>;Y&<>1?4$!LR<%s*tD8R adg_ooMff%%(~?AEHPHA1`23Sp Date: Sun, 2 Jun 2013 19:36:25 -0700 Subject: [PATCH 57/70] A work-around for supporting plugins compiled as *.a. This is for older CMakes which don't understand object libraries yet. We auto-generate a file at the top-level that references all the global plugin objects. Once they are referenced, the linker includes them into the final executable and their ctors run to register them with the plugin manager. By default this is on. Once we can require more recent CMakes, we can turn it off (and remove) in src/CMakeLists.txt. --- src/CMakeLists.txt | 19 +++++++++++++++++-- src/plugin/Macros.h | 2 +- src/plugins.cc.in | 22 ++++++++++++++++++++++ 3 files changed, 40 insertions(+), 3 deletions(-) create mode 100644 src/plugins.cc.in diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 0303a88cfe..a5b1cfc106 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -8,7 +8,7 @@ set(bro_ALL_GENERATED_OUTPUTS CACHE INTERNAL "automatically generated files" FO # If TRUE, use CMake's object libraries for sub-directories instead of # static libraries. This requires CMake >= 2.8.8. -set(bro_HAVE_OBJECT_LIBRARIES TRUE) +set(bro_HAVE_OBJECT_LIBRARIES FALSE) configure_file(version.c.in ${CMAKE_CURRENT_BINARY_DIR}/version.c) configure_file(util-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/util-config.h) @@ -156,6 +156,20 @@ set(bro_SUBDIRS ${bro_PLUGIN_LIBS} ) +if ( NOT bro_HAVE_OBJECT_LIBRARIES ) + foreach (_plugin ${bro_PLUGIN_LIBS}) + string(REGEX REPLACE "plugin-" "" _plugin "${_plugin}") + string(REGEX REPLACE "-" "_" _plugin "${_plugin}") + set(_decl "namespace plugin { namespace ${_plugin} { class Plugin; extern Plugin __plugin; } };") + set(_use "i += (size_t)(&(plugin::${_plugin}::__plugin));") + set(__BRO_DECL_PLUGINS "${__BRO_DECL_PLUGINS}${_decl}\n") + set(__BRO_USE_PLUGINS "${__BRO_USE_PLUGINS}${_use}\n") + endforeach() + + configure_file(plugins.cc.in ${CMAKE_CURRENT_BINARY_DIR}/plugins.cc) + set(PLUGIN_INIT ${CMAKE_CURRENT_BINARY_DIR}/plugins.cc) +endif() + ######################################################################## ## bro target @@ -222,6 +236,7 @@ set(bro_SRCS ${FLEX_Scanner_INPUT} ${BISON_Parser_INPUT} ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h + ${PLUGIN_INIT} main.cc net_util.cc util.cc @@ -367,7 +382,7 @@ if ( bro_HAVE_OBJECT_LIBRARIES ) target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) else () add_executable(bro ${bro_SRCS} ${bro_HEADERS}) - target_link_libraries(bro ${brodeps} ${bro_SUBDIRS} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) + target_link_libraries(bro ${bro_SUBDIRS} ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS}) endif () install(TARGETS bro DESTINATION bin) diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 423efbfc71..9d063cd60a 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h 
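Review bot: the generated namespace is reverse-engineered from the library target name with string(REGEX REPLACE "plugin-" "" ...) and "-" to "_", so this loop silently depends on bro_add_subdir_library naming targets plugin-<ns>-<name> exactly as BRO_PLUGIN_BEGIN builds the _ns ## _ ## _name namespace; any plugin whose target deviates produces a plugins.cc that fails to link with an undefined __plugin. Better to record the namespace explicitly from the same macro that creates the target (a second cache list next to bro_PLUGIN_LIBS) than to re-derive it here. Also anchor the first pattern as "^plugin-", since the unanchored form strips every occurrence, not just the prefix. The link-order swap to ${bro_SUBDIRS} before ${brodeps} is correct for static archives.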
@@ -50,7 +50,7 @@ } \ }; \ \ - static Plugin __plugin; \ + Plugin __plugin; \ } } /** diff --git a/src/plugins.cc.in b/src/plugins.cc.in new file mode 100644 index 0000000000..4527d5d1a9 --- /dev/null +++ b/src/plugins.cc.in @@ -0,0 +1,22 @@ + +// A work-around the problem that for static libraries unused globals +// aren't linked into the final binary. CMake automatically inserts +// code here to reference the globals that initializes each of the +// statically compiled plugins. +// +// Note: This won't be necessary anymore once we can assume CMake >2.8.8 +// as a required depencendy. If so, switch bro_HAVE_OBJECT_LIBRARIES +// in src/CMakeLists.txt to TRUE and remove this. + +#include + +${__BRO_DECL_PLUGINS} + +size_t __make_sure_to_use_plugin_globals() +{ + // This function is never actually called. + + size_t i = 0; + ${__BRO_USE_PLUGINS} + return i; +} From 4494643296b3e44d2229ceb81a3243cc2c6c678b Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sun, 2 Jun 2013 20:03:19 -0700 Subject: [PATCH 58/70] Fix a compiler warning. --- CHANGES | 10 ++++++++++ VERSION | 2 +- src/RemoteSerializer.cc | 6 ++++-- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 75107d2496..1c23429a43 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,14 @@ +2.1-675 | 2013-06-02 20:03:19 -0700 + + * Fix a compiler warning. (Robin Sommer) + + * Allow named vector/set/table/record constructors. Addresses #983. + (Jon Siwek) + + * Adding Makefile target test-all that also runs the BroControl test + suite. (Robin Sommer) + 2.1-664 | 2013-05-28 21:37:46 -0700 * Dangling pointer fix. Addresses #1004. (Jon Siwek) diff --git a/VERSION b/VERSION index 688d60ec69..f3667fe959 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-664 +2.1-675 diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 66f8def489..8cd34aa8fc 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc 
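Review bot: in the `if ( NOT bro_HAVE_OBJECT_LIBRARIES )` hunk of src/CMakeLists.txt, the generated declaration `namespace plugin { namespace ${_plugin} { class Plugin; extern Plugin __plugin; } };` ends with a stray `;` after the closing brace; that is an empty declaration and draws an "extra ';'" diagnostic under -pedantic, so drop it. The namespace name is derived by stripping `plugin-` and turning `-` into `_` in the library target name, so it must agree exactly with the namespace that the macro in src/plugin/Macros.h opens; a mismatch only surfaces as an undefined reference at link time, so a comment next to the two `string(REGEX REPLACE ...)` calls pointing at Macros.h would save the next reader a trip.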
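Review bot: in the src/plugin/Macros.h hunk, dropping `static` from `Plugin __plugin;` gives the object external linkage so that plugins.cc can reference it, which also means the macro may now be expanded in exactly one translation unit per plugin or the link fails with duplicate symbols; that constraint belongs in the macro's doc comment. Identifiers starting with a double underscore are reserved for the implementation in C++, so a name such as `plugin_instance` would be safer now that the symbol is globally visible.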
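Review bot: in the new src/plugins.cc.in, the `#include` directive carries no header name as shown here; the file uses `size_t`, so it needs to name `<stddef.h>` (or `<cstddef>`). Two comment fixes in the same hunk: "A work-around the problem" should read "A work-around for the problem", and "depencendy" should read "dependency". The comment also says "CMake >2.8.8" while the CMakeLists.txt comment in this patch says ">= 2.8.8"; pick one.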
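Review bot: the swap to `target_link_libraries(bro ${bro_SUBDIRS} ${brodeps} ...)` in the `else ()` branch is the right order for static archives, since the linker resolves symbols left to right and the subdirectory libraries reference ${brodeps}, not the other way round. `PLUGIN_INIT` is only ever set inside the `NOT bro_HAVE_OBJECT_LIBRARIES` block, so `${PLUGIN_INIT}` in bro_SRCS silently expands to nothing in the object-library case; an explicit `set(PLUGIN_INIT "")` before the `if` would make that intent visible.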
@@ -351,10 +351,12 @@ public: } char Type() { return buffer[0]; } + RemoteSerializer::PeerID Peer() { - // Wow, is this ugly... - return ntohl(*(uint32*)(buffer + 4)); + uint32 tmp; + memcpy(&tmp, buffer + 4, sizeof(tmp)); + return ntohl(tmp); } const char* Raw() { return buffer; } From a5e1810aa8592dd69f2351ff4b069a6da90feb36 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 3 Jun 2013 16:03:25 -0500 Subject: [PATCH 59/70] Fix various documentation/typos; remove a few superfluous things. --- doc/scripts/example.bro | 2 - scripts/base/frameworks/analyzer/main.bro | 53 +++++++++++------------ scripts/base/frameworks/reporter/main.bro | 2 +- scripts/base/init-bare.bro | 2 +- src/IPAddr.h | 5 --- src/analyzer/Analyzer.h | 10 ++--- src/analyzer/Component.h | 8 ++-- src/analyzer/Manager.h | 18 ++++---- src/analyzer/Tag.h | 4 +- src/analyzer/protocol/http/events.bif | 2 +- src/analyzer/protocol/login/events.bif | 42 ++++++++++++------ src/analyzer/protocol/rpc/events.bif | 9 ++-- src/analyzer/protocol/tcp/events.bif | 26 +++++------ src/bro.bif | 2 +- src/event.bif | 14 +++--- src/plugin/Macros.h | 10 ++--- src/plugin/Plugin.h | 4 +- 17 files changed, 110 insertions(+), 103 deletions(-) diff --git a/doc/scripts/example.bro b/doc/scripts/example.bro index b7407a27a9..2ff12bfa27 100644 --- a/doc/scripts/example.bro +++ b/doc/scripts/example.bro @@ -57,8 +57,6 @@ global example_ports = { event bro_init() { - # Registering a well-known port is self-documenting and - # goes into the generated doc's "Port Analysis" section. Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, example_ports); } diff --git a/scripts/base/frameworks/analyzer/main.bro b/scripts/base/frameworks/analyzer/main.bro index 66b3abc46e..c7bfd1ce34 100644 --- a/scripts/base/frameworks/analyzer/main.bro +++ b/scripts/base/frameworks/analyzer/main.bro 
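Review bot: in the src/RemoteSerializer.cc hunk, replacing `*(uint32*)(buffer + 4)` with a `memcpy` into a local `uint32` fixes more than the warning: the cast was a strict-aliasing and alignment violation, so this is the right change rather than a silencing. The hunk adds a `memcpy` call but no `#include <cstring>`; confirm the file already includes it. `buffer[0]` in `Type()` and `buffer + 4` in `Peer()` encode the message header layout as magic numbers; named offset constants would make the layout checkable against the sender.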
@@ -1,26 +1,25 @@ ##! Framework for managing Bro's protocol analyzers. ##! ##! The analyzer framework allows to dynamically enable or disable analyzers, as -##! well as to manage the well-known ports which automatically active a particular -##! analyzer for new connections. +##! well as to manage the well-known ports which automatically activate a +##! particular analyzer for new connections. ##! ##! Protocol analyzers are identified by unique tags of type ##! :bro:type:`Analyzer::Tag`, such as :bro:enum:`Analyzer::ANALYZER_HTTP` and -##! :bro:enum:`Analyzer::ANALYZER_HTTP`. These tags are defined internally by the -##! analyzers themselves, and documented in their analyzer-specific description -##! along with the events that they generate. -##! -##! .. todo: ``The ANALYZER_*`` are in fact not yet documented, we need to add that -##! to Broxygen. +##! :bro:enum:`Analyzer::ANALYZER_HTTP`. These tags are defined internally by +##! the analyzers themselves, and documented in their analyzer-specific +##! description along with the events that they generate. + module Analyzer; export { - ## If true, all available analyzers are initially disabled at startup. One can - ## then selectively enable them with :bro:id:`enable_analyzer`. + ## If true, all available analyzers are initially disabled at startup. One + ## can then selectively enable them with + ## :bro:id:`Analyzer::enable_analyzer`. global disable_all = F &redef; - ## Enables an analyzer. Once enabled, the analyzer may be used for analysis of - ## future connections as decided by Bro's dynamic protocol detection. + ## Enables an analyzer. Once enabled, the analyzer may be used for analysis + ## of future connections as decided by Bro's dynamic protocol detection. ## ## tag: The tag of the analyzer to enable. ## 
@@ -35,10 +34,10 @@ export { ## Returns: True if the analyzer was successfully disabled. global disable_analyzer: function(tag: Analyzer::Tag) : bool; - ## Registers a set of well-known ports for an analyzer. If a future connection - ## on one of these ports is seen, the analyzer will be automatically assigned - ## to parsing it. The function *adds* to all ports already registered, it doesn't - ## replace them . + ## Registers a set of well-known ports for an analyzer. If a future + ## connection on one of these ports is seen, the analyzer will be + ## automatically assigned to parsing it. The function *adds* to all ports + ## already registered, it doesn't replace them. ## ## tag: The tag of the analyzer. ## @@ -47,10 +46,10 @@ export { ## Returns: True if the ports were sucessfully registered. global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool; - ## Registers an individual well-known port for an analyzer. If a future connection - ## on this ports is seen, the analyzer will be automatically assigned to parsing - ## it. The function *adds* to all ports already registered, it doesn't replace - ## them. + ## Registers an individual well-known port for an analyzer. If a future + ## connection on this port is seen, the analyzer will be automatically + ## assigned to parsing it. The function *adds* to all ports already + ## registered, it doesn't replace them. ## ## tag: The tag of the analyzer. ## @@ -70,7 +69,7 @@ export { ## Returns a table of all ports-to-analyzer mappings currently registered. ## ## Returns: A table mapping each analyzer to the set of ports - ## registered for it. + ## registered for it. global all_registered_ports: function() : table[Analyzer::Tag] of set[port]; ## Translates an analyzer type to a string with the analyzer's name. 
@@ -84,7 +83,7 @@ export { ## address and port. ## ## orig: The IP address originating a connection in the future. - ## 0.0.0.0 can be used as a wildcard to match any originator address. + ## 0.0.0.0 can be used as a wildcard to match any originator address. ## ## resp: The IP address responding to a connection from *orig*. ## @@ -93,22 +92,20 @@ export { ## analyzer: The analyzer ID. ## ## tout: A timeout interval after which the scheduling request will be - ## discarded if the connection has not yet been seen. + ## discarded if the connection has not yet been seen. ## ## Returns: True if succesful. global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port, analyzer: Analyzer::Tag, tout: interval) : bool; - ## A set of analyzers to disable by default at startup. The default set contains - ## legacy analyzers that are no longer supported. + ## A set of analyzers to disable by default at startup. The default set + ## contains legacy analyzers that are no longer supported. global disabled_analyzers: set[Analyzer::Tag] = { ANALYZER_INTERCONN, ANALYZER_STEPPINGSTONE, ANALYZER_BACKDOOR, ANALYZER_TCPSTATS, - } - - &redef; + } &redef; } @load base/bif/analyzer.bif diff --git a/scripts/base/frameworks/reporter/main.bro b/scripts/base/frameworks/reporter/main.bro index 249ecdac98..891aebf6b2 100644 --- a/scripts/base/frameworks/reporter/main.bro +++ b/scripts/base/frameworks/reporter/main.bro @@ -9,7 +9,7 @@ ##! Note that this framework deals with the handling of internally generated ##! reporter messages, for the interface in to actually creating interface ##! into actually creating reporter messages from the scripting layer, use -##! the built-in functions in :doc:`/scripts/base/reporter.bif`. +##! the built-in functions in :doc:`/scripts/base/bif/reporter.bif`. module Reporter; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index d5abbef1ff..2110110a40 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -226,7 +226,7 @@ type endpoint_stats: record { ## for a connection, it assigns it a unique ID that can be used to reference ## that instance. ## -## .. bro:see:: analyzer_name disable_analyzer protocol_confirmation +## .. bro:see:: Analyzer::name Analyzer::disable_analyzer protocol_confirmation ## protocol_violation ## ## .. todo::While we declare an alias for the type here, the events/functions still diff --git a/src/IPAddr.h b/src/IPAddr.h index 0c6942c61e..cc7b2baa6e 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h @@ -451,11 +451,6 @@ inline void IPAddr::ConvertToThreadingValue(threading::Value::addr_t* v) const */ HashKey* BuildConnIDHashKey(const ConnID& id); -/** - * Returns a hash key for a given ExpectedConn instance. Passes ownership to caller. - */ -HashKey* BuildExpectedConnHashKey(const analyzer::ExpectedConn& c); - /** * Class storing both IPv4 and IPv6 prefixes * (i.e., \c 192.168.1.1/16 and \c FD00::/8. diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index 2d905867eb..396d45d60e 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h 
@@ -509,31 +509,31 @@ public: virtual void UpdateConnVal(RecordVal *conn_val); /** - * Convinience function that forwards directly to + * Convenience function that forwards directly to * Connection::BuildConnVal(). */ RecordVal* BuildConnVal(); /** - * Convinience function that forwards directly to the corresponding + * Convenience function that forwards directly to the corresponding * Connection::Event(). */ void Event(EventHandlerPtr f, const char* name = 0); /** - * Convinience function that forwards directly to the corresponding + * Convenience function that forwards directly to the corresponding * Connection::Event(). */ void Event(EventHandlerPtr f, Val* v1, Val* v2 = 0); /** - * Convinience function that forwards directly to + * Convenience function that forwards directly to * Connection::ConnectionEvent(). */ void ConnectionEvent(EventHandlerPtr f, val_list* vl); /** - * Convinience function that forwards directly to the corresponding + * Convenience function that forwards directly to the corresponding * Connection::Weird(). */ void Weird(const char* name, const char* addl = ""); diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h index 79d4c12fe5..b766c2fe82 100644 --- a/src/analyzer/Component.h +++ b/src/analyzer/Component.h @@ -40,10 +40,10 @@ public: * returns a new instance. * * @param subtype A subtype associated with this component that - * further. The subtype will be integrated into the analyzer::Tag - * that the manager associates with this analyzer, and analyzer - * instances can accordingly access it via analyzer::Tag(). If not - * used, leave at zero. + * further distinguishes it. The subtype will be integrated into + * the analyzer::Tag that the manager associates with this analyzer, + * and analyzer instances can accordingly access it via analyzer::Tag(). + * If not used, leave at zero. * * @param enabled If false the analyzer starts out as disabled and * hence won't be used. It can still be enabled later via the 
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index c66fd9eafb..efae629971 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -91,7 +91,7 @@ public: * * @param tag The analyzer's tag. * - * @return True if sucessful. + * @return True if successful. */ bool EnableAnalyzer(Tag tag); @@ -102,7 +102,7 @@ public: * @param tag The analyzer's tag as an enum of script type \c * Analyzer::Tag. * - * @return True if sucessful. + * @return True if successful. */ bool EnableAnalyzer(EnumVal* tag); @@ -112,7 +112,7 @@ public: * * @param tag The analyzer's tag. * - * @return True if sucessful. + * @return True if successful. */ bool DisableAnalyzer(Tag tag); @@ -123,7 +123,7 @@ public: * @param tag The analyzer's tag as an enum of script type \c * Analyzer::Tag. * - * @return True if sucessful. + * @return True if successful. */ bool DisableAnalyzer(EnumVal* tag); @@ -157,7 +157,7 @@ public: * * @param port The well-known port. * - * @return True if sucessful. + * @return True if successful. */ bool RegisterAnalyzerForPort(EnumVal* tag, PortVal* port); @@ -172,7 +172,7 @@ public: * * @param port The port's number. * - * @return True if sucessful. + * @return True if successful. */ bool RegisterAnalyzerForPort(Tag tag, TransportProto proto, uint32 port); @@ -184,7 +184,7 @@ public: * * @param port The well-known port. * - * @return True if sucessful (incl. when the port wasn't actually + * @return True if successful (incl. when the port wasn't actually * registered for the analyzer). * */ @@ -215,7 +215,7 @@ public: * have been added to the connection's analyzer tree yet. Returns * null if tag is invalid or the requested analyzer is disabled. */ - Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); // Null if disabled or not available. + Analyzer* InstantiateAnalyzer(Tag tag, Connection* c); /** * Instantiates a new analyzer instance for a connection. 
@@ -229,7 +229,7 @@ public: * null if the name is not known or if the requested analyzer that is * disabled. */ - Analyzer* InstantiateAnalyzer(const char* name, Connection* c); // Null if disabled or not available. + Analyzer* InstantiateAnalyzer(const char* name, Connection* c); /** * Translates an analyzer tag into corresponding analyzer name. diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index 9b2fea4a9b..cf33dca41c 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -28,7 +28,7 @@ class Component; * assigns them their main types), and analyzer::Component creates new * tags. * - * The Tag class supports all operations necessary to act at the index in a + * The Tag class supports all operations necessary to act as an index in a * \c std::map. */ class Tag { @@ -90,7 +90,7 @@ public: /** * Assignment operator. */ - Tag& operator=(const Tag& other); + Tag& operator=(const Tag& other); /** * Compares two tags for equality. diff --git a/src/analyzer/protocol/http/events.bif b/src/analyzer/protocol/http/events.bif index ead8bc254b..7a509c6d54 100644 --- a/src/analyzer/protocol/http/events.bif +++ b/src/analyzer/protocol/http/events.bif @@ -18,7 +18,7 @@ ## version: The version number specified in the request (e.g., ``1.1``). ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity -## http_entity_data http_event http_header http_message_done ply http_stats +## http_entity_data http_event http_header http_message_done http_reply http_stats ## truncate_http_URI event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%); diff --git a/src/analyzer/protocol/login/events.bif b/src/analyzer/protocol/login/events.bif index 084f53eaad..68f1c3cf11 100644 --- a/src/analyzer/protocol/login/events.bif +++ b/src/analyzer/protocol/login/events.bif 
@@ -87,7 +87,8 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line: ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%); ## Generated for successful Telnet/Rlogin logins. The *login* analyzer inspects @@ -121,7 +122,8 @@ event login_failure%(c: connection, user: string, client_user: string, password: ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_success%(c: connection, user: string, client_user: string, password: string, line: string%); ## Generated for lines of input on Telnet/Rlogin sessions. The line will have @@ -137,7 +139,8 @@ event login_success%(c: connection, user: string, client_user: string, password: ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_input_line%(c: connection, line: string%); ## Generated for lines of output on Telnet/Rlogin sessions. The line will have 
@@ -153,7 +156,8 @@ event login_input_line%(c: connection, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_output_line%(c: connection, line: string%); ## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's @@ -179,7 +183,8 @@ event login_output_line%(c: connection, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_confused%(c: connection, msg: string, line: string%); ## Generated after getting confused while tracking a Telnet/Rlogin @@ -199,7 +204,8 @@ event login_confused%(c: connection, msg: string, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_confused_text%(c: connection, line: string%); ## Generated for clients transmitting a terminal type in a Telnet session. This 
@@ -215,7 +221,8 @@ event login_confused_text%(c: connection, line: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_terminal%(c: connection, terminal: string%); ## Generated for clients transmitting an X11 DISPLAY in a Telnet session. This @@ -231,7 +238,8 @@ event login_terminal%(c: connection, terminal: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_display%(c: connection, display: string%); ## Generated when a Telnet authentication has been successful. The Telnet @@ -255,7 +263,8 @@ event login_display%(c: connection, display: string%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event authentication_accepted%(name: string, c: connection%); ## Generated when a Telnet authentication has been unsuccessful. The Telnet 
@@ -279,7 +288,8 @@ event authentication_accepted%(name: string, c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event authentication_rejected%(name: string, c: connection%); ## Generated for Telnet/Rlogin sessions when a pattern match indicates @@ -302,7 +312,8 @@ event authentication_rejected%(name: string, c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event authentication_skipped%(c: connection%); ## Generated for clients transmitting a terminal prompt in a Telnet session. @@ -322,7 +333,8 @@ event authentication_skipped%(c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event login_prompt%(c: connection, prompt: string%); ## Generated for Telnet sessions when encryption is activated. The Telnet 
@@ -373,7 +385,8 @@ event inconsistent_option%(c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event bad_option%(c: connection%); ## Generated for a Telnet option that's incorrectly terminated. @@ -391,5 +404,6 @@ event bad_option%(c: connection%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event bad_option_termination%(c: connection%); diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif index f0050ab446..72c57aff74 100644 --- a/src/analyzer/protocol/rpc/events.bif +++ b/src/analyzer/protocol/rpc/events.bif @@ -675,7 +675,8 @@ event pm_bad_port%(r: connection, bad_p: count%); ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%); ## Generated for RPC *call* messages. 
@@ -701,7 +702,8 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%); ## Generated for RPC *reply* messages. @@ -724,5 +726,6 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet ## been ported to Bro 2.x. To still enable this event, one needs to add a -## corresponding entry to :bro:see:`dpd_config` or a DPD payload signature. +## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload +## signature. event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif index 05a280024d..af61783ac4 100644 --- a/src/analyzer/protocol/tcp/events.bif +++ b/src/analyzer/protocol/tcp/events.bif @@ -10,7 +10,7 @@ ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection partial_connection +## scheduled_analyzer_applied new_connection partial_connection event new_connection_contents%(c: connection%); ## Generated for an unsuccessful connection attempt. This event is raised when 
@@ -25,7 +25,7 @@ event new_connection_contents%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_attempt%(c: connection%); @@ -41,7 +41,7 @@ event connection_attempt%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_established%(c: connection%); @@ -57,7 +57,7 @@ event connection_established%(c: connection%); ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection new_connection_contents +## scheduled_analyzer_applied new_connection new_connection_contents ## event partial_connection%(c: connection%); 
@@ -73,7 +73,7 @@ event partial_connection%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_partial_close%(c: connection%); @@ -86,7 +86,7 @@ event connection_partial_close%(c: connection%); ## connection_established connection_external connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_finished%(c: connection%); @@ -100,7 +100,7 @@ event connection_finished%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_half_finished%(c: connection%); 
@@ -112,7 +112,7 @@ event connection_half_finished%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## c: The connection. @@ -136,7 +136,7 @@ event connection_rejected%(c: connection%); ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reused ## connection_state_remove connection_status_update connection_timeout -## expected_connection_seen new_connection new_connection_contents +## scheduled_analyzer_applied new_connection new_connection_contents ## partial_connection event connection_reset%(c: connection%); @@ -148,7 +148,7 @@ event connection_reset%(c: connection%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection bro_done event connection_pending%(c: connection%); 
@@ -163,7 +163,7 @@ event connection_pending%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## .. note:: @@ -184,7 +184,7 @@ event connection_SYN_packet%(c: connection, pkt: SYN_packet%); ## connection_established connection_external connection_finished ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection ## ## .. note:: @@ -204,7 +204,7 @@ event connection_first_ACK%(c: connection%); ## connection_external connection_finished connection_first_ACK ## connection_half_finished connection_partial_close connection_pending ## connection_rejected connection_reset connection_reused connection_state_remove -## connection_status_update connection_timeout expected_connection_seen +## connection_status_update connection_timeout scheduled_analyzer_applied ## new_connection new_connection_contents partial_connection event connection_EOF%(c: connection, is_orig: bool%); diff --git a/src/bro.bif b/src/bro.bif index 07a98327b3..efb913bbf7 100644 --- a/src/bro.bif +++ b/src/bro.bif 
@@ -3699,7 +3699,7 @@ function file_mode%(mode: count%): string ## Returns: True if the connection identified by *cid* exists and has analyzer ## *aid*. ## -## .. bro:see:: expect_connection analyzer_name +## .. bro:see:: Analyzer::schedule_analyzer Analyzer::name function disable_analyzer%(cid: conn_id, aid: count%) : bool %{ Connection* c = sessions->FindConnection(cid); diff --git a/src/event.bif b/src/event.bif index 6ddcf21682..f7fd9b4147 100644 --- a/src/event.bif +++ b/src/event.bif @@ -107,8 +107,9 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%); ## connection_established connection_external connection_finished ## connection_first_ACK connection_half_finished connection_partial_close ## connection_pending connection_rejected connection_reset connection_reused -## connection_state_remove connection_status_update expected_connection_seen -## new_connection new_connection_contents partial_connection +## connection_state_remove connection_status_update +## scheduled_analyzer_applied new_connection new_connection_contents +## partial_connection ## ## .. note:: ## 
@@ -201,14 +202,15 @@ event connection_external%(c: connection, tag: string%); event udp_session_done%(u: connection%); ## Generated when a connection is seen that is marked as being expected. -## The function :bro:id:`expect_connection` tells Bro to expect a particular -## connection to come up, and which analyzer to associate with it. Once the -## first packet of such a connection is indeed seen, this event is raised. +## The function :bro:id:`Analyzer::schedule_analyzer` tells Bro to expect a +## particular connection to come up, and which analyzer to associate with it. +## Once the first packet of such a connection is indeed seen, this event is +## raised. ## ## c: The connection. ## ## a: The analyzer that was scheduled for the connection with the -## :bro:id:`expect_connection` call. When the event is raised, that +## :bro:id:`Analyzer::schedule_analyzer` call. When the event is raised, that ## analyzer will already have been activated to process the connection. The ## ``count`` is one of the ``ANALYZER_*`` constants, e.g., ``ANALYZER_HTTP``. ## diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 9d063cd60a..0cbf00f899 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -70,10 +70,10 @@ #define BRO_PLUGIN_VERSION(v) SetVersion(v) /** - * Adds scrip-level items defined in a \c *.bif file to what the plugin + * Adds script-level items defined in a \c *.bif file to what the plugin * provides. * - * @param file A string with the name of \c *.bif file. When loaded, the the + * @param file A string with the name of \c *.bif file. When loaded, the * plugin will make all items defined in the file available to Bro's script * interpreter. */ 
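Review bot: the description of the `a` parameter in the `scheduled_analyzer_applied` doc block is now stale: it still says "The ``count`` is one of the ``ANALYZER_*`` constants, e.g., ``ANALYZER_HTTP``", while the cross-references in the same hunk were moved to `Analyzer::schedule_analyzer` / `Analyzer::name` and this series moves the tags into an enum in the `Analyzer` namespace. Update that sentence to name the new type and the `Analyzer::ANALYZER_*` values so the documented signature matches what scripts actually receive.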
@@ -82,7 +82,7 @@ AddBifInitFunction(&__bif_##file##_init); /** - * Defines a component implementating a protocol analyzer. + * Defines a component implementing a protocol analyzer. * * @param tag A string with the analyzer's tag. This must be unique across * all loaded analyzers and will translate into a corresponding \c ANALYZER_* @@ -95,11 +95,11 @@ AddComponent(new ::analyzer::Component(tag, ::analyzer::cls::InstantiateAnalyzer)); /** - * Defines a component implementating an protocol analyzer class that will + * Defines a component implementing a protocol analyzer class that will * not be instantiated dynamically. This is for two use-cases: (1) abstract * analyzer base classes that aren't instantiated directly; and (2) analyzers * that are only instantiated explicitly by other Bro components, but not - * dynmically by the manager based on their tag (e.g., the ZIP analyzer is + * dynamically by the manager based on their tag (e.g., the ZIP analyzer is * attached by the HTTP analyzer when corresponding content is found). * * @param tag A string with the analyzer's tag. This must be unique across diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 189fdf5c52..7ec6a11884 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -80,7 +80,7 @@ private: * components, a plugin can also provide of script-level elements defined in * *.bif files. * - * Currently, all plugins ard compiled statically into the final Bro binary. + * Currently, all plugins are compiled statically into the final Bro binary. * Later, we will extend the infrastructure to also support plugins loaded * dynamically as shared libraries. */ @@ -124,8 +124,6 @@ public: /** * Returns a list of all components the plugin provides. - * BRO_PLUGIN_VERSION_BUILTIN indiciates that it's a plugin compiled - * in statically. */ component_list Components(); From a5cb605b1d3e9573338ae8069c3258a1207a4063 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Mon, 3 Jun 2013 20:10:48 -0700 Subject: [PATCH 60/70] Fixing test that was accidentally broken. --- testing/btest/core/tunnels/teredo-known-services.test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/core/tunnels/teredo-known-services.test b/testing/btest/core/tunnels/teredo-known-services.test index c207d9a2ab..d03ef2ab71 100644 --- a/testing/btest/core/tunnels/teredo-known-services.test +++ b/testing/btest/core/tunnels/teredo-known-services.test @@ -1,6 +1,6 @@ # @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: test ! -e known_services.log -# @TEST-EXEC: bro -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" +# @TEST-EXEC: bro -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd protocols/conn/known-services Tunnel::delay_teredo_confirmation=F "Site::local_nets+={192.168.1.0/24}" # @TEST-EXEC: btest-diff known_services.log # The first case using Tunnel::delay_teredo_confirmation=T doesn't produce From 307fc187c000c95044aa3f61d891b4878e5552c1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 4 Jun 2013 10:53:10 -0500 Subject: [PATCH 61/70] Add @PATH bro script macro. Addresses #869. The macro expands to a string value containing the file system path in which the script lives. --- src/scan.l | 4 ++++ testing/btest/Baseline/language.at-path/out | 1 + testing/btest/language/at-path.bro | 4 ++++ 3 files changed, 9 insertions(+) create mode 100644 testing/btest/Baseline/language.at-path/out create mode 100644 testing/btest/language/at-path.bro diff --git a/src/scan.l b/src/scan.l index ffbc125728..c488855e0e 100644 --- a/src/scan.l +++ b/src/scan.l 
@@ -344,6 +344,10 @@ when return TOK_WHEN; @DEBUG return TOK_DEBUG; // marks input for debugger +@PATH { + RET_CONST(new StringVal(current_scanned_file_path.c_str())); + } + @load{WS}{FILE} { const char* new_file = skip_whitespace(yytext + 5); // Skip "@load". if ( generate_documentation ) diff --git a/testing/btest/Baseline/language.at-path/out b/testing/btest/Baseline/language.at-path/out new file mode 100644 index 0000000000..7ac82c183c --- /dev/null +++ b/testing/btest/Baseline/language.at-path/out @@ -0,0 +1 @@ +/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-path diff --git a/testing/btest/language/at-path.bro b/testing/btest/language/at-path.bro new file mode 100644 index 0000000000..78e15e07eb --- /dev/null +++ b/testing/btest/language/at-path.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +print @PATH; From 7e8b504305f8606246b52fb7a92ad151552aac11 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 4 Jun 2013 14:16:56 -0500 Subject: [PATCH 62/70] Make @PATH always return absolute path. Addresses #869. --- src/scan.l | 16 +++++++++++++++- testing/btest/Baseline/language.at-path/out2 | 1 + testing/btest/language/at-path.bro | 6 ++++++ 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/language.at-path/out2 diff --git a/src/scan.l b/src/scan.l index c488855e0e..8a460aba07 100644 --- a/src/scan.l +++ b/src/scan.l @@ -8,6 +8,8 @@ #include #include #include +#include +#include #include #include "input.h" 
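Review bot: `@PATH` hands back `current_scanned_file_path` verbatim, so for a script loaded by a relative path the value depends on the working directory at the time of the call, which makes it unsuitable for anything that later reopens files from that directory (the next patch in the series has to revisit exactly this). A second point on the same hunk: the committed baseline `testing/btest/Baseline/language.at-path/out` contains a developer-specific absolute path and only passes through `diff-remove-abspath`; consider making the test print something cwd-independent (for example the path relative to the test's own directory) so the baseline is meaningful rather than canonified away.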
@@ -345,7 +347,19 @@ when return TOK_WHEN; @DEBUG return TOK_DEBUG; // marks input for debugger @PATH { - RET_CONST(new StringVal(current_scanned_file_path.c_str())); + string rval = current_scanned_file_path; + + if ( ! rval.empty() && rval[0] == '.' ) + { + char path[MAXPATHLEN]; + + if ( ! getcwd(path, MAXPATHLEN) ) + reporter->Error("getcwd failed: %s", strerror(errno)); + else + rval = string(path) + "/" + rval; + } + + RET_CONST(new StringVal(rval.c_str())); } @load{WS}{FILE} { diff --git a/testing/btest/Baseline/language.at-path/out2 b/testing/btest/Baseline/language.at-path/out2 new file mode 100644 index 0000000000..f8e3c550d3 --- /dev/null +++ b/testing/btest/Baseline/language.at-path/out2 @@ -0,0 +1 @@ +/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-path/. diff --git a/testing/btest/language/at-path.bro b/testing/btest/language/at-path.bro index 78e15e07eb..433db17835 100644 --- a/testing/btest/language/at-path.bro +++ b/testing/btest/language/at-path.bro @@ -1,4 +1,10 @@ # @TEST-EXEC: bro -b %INPUT >out # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out +# @TEST-EXEC: bro -b ./pathtest.bro >out2 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out2 print @PATH; + +@TEST-START-FILE pathtest.bro +print @PATH; +@TEST-END-FILE From cf9d65932cea68e97e15024c671da24cefb9af53 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 4 Jun 2013 20:43:20 -0700 Subject: [PATCH 63/70] Redoing the plugin versioning. We now explicitly mark plugins as static vs dynamic (though we don't have the latter yet) instead of piggy-backing that on the version. Also, versions are now ignored for static plugins. --- src/plugin/Macros.h | 15 ++++++--------- src/plugin/Plugin.cc | 27 +++++++++++++++++++++------ src/plugin/Plugin.h | 22 +++++++++++++++++++--- 3 files changed, 46 insertions(+), 18 deletions(-) diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 16f8224c14..f5c1a41cfa 100644 
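Review bot: the relative-path check `if ( ! rval.empty() && rval[0] == '.' )` only catches paths that start with a dot; a script loaded as `scripts/foo.bro` yields a `current_scanned_file_path` of `scripts`, which is still relative and now passes through unchanged. Testing `rval[0] != '/'` covers every relative form, and the `out2` baseline in this same patch (`.../language.at-path/.`) shows the result is not normalised either, so running the joined string through `realpath()` would give callers a clean canonical directory. Note also that when `getcwd()` fails the code reports via `reporter->Error` and then still returns the relative `rval`, so the macro's documented "always absolute" contract is not upheld on that path.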
--- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -10,19 +10,12 @@ #include "analyzer/Component.h" -/** - * Place-holder API version for plugins compiled in statically. - */ -#define BRO_PLUGIN_VERSION_BUILTIN -1 - /** * The current plugin API version. Plugins that won't match this version will * be rejected. */ #define BRO_PLUGIN_API_VERSION 1 -#define _BRO_PLUGIN_VERSION_DEFAULT -1 - /** * Starts the definition of a new plugin. * @@ -40,8 +33,12 @@ void InitPreScript() \ { \ SetName(#_ns "::" #_name); \ - SetVersion(_BRO_PLUGIN_VERSION_DEFAULT);\ - SetAPIVersion(BRO_PLUGIN_API_VERSION); + SetVersion(-1);\ + SetAPIVersion(BRO_PLUGIN_API_VERSION);\ + SetDynamicPlugin(false); +// TODO: The SetDynamicPlugin() call is currently hardcoded to false. Change +// once we have dynamic plugins as well. + /** * Ends the definition of a plugin. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 093a4fad62..352aff6aed 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -46,6 +46,7 @@ Plugin::Plugin() // These will be reset by the BRO_PLUGIN_* macros. version = -9999; api_version = -9999; + dynamic = false; Manager::RegisterPlugin(this); } @@ -80,7 +81,7 @@ void Plugin::SetDescription(const char* arg_description) int Plugin::Version() { - return version; + return dynamic ? version : 0; } void Plugin::SetVersion(int arg_version) @@ -93,11 +94,21 @@ int Plugin::APIVersion() return api_version; } +bool Plugin::DynamicPlugin() + { + return dynamic; + } + void Plugin::SetAPIVersion(int arg_version) { api_version = arg_version; } +void Plugin::SetDynamicPlugin(bool arg_dynamic) + { + dynamic = arg_dynamic; + } + void Plugin::InitPreScript() { } 
@@ -166,12 +177,16 @@ void Plugin::Describe(ODesc* d) d->Add(description); } - if ( version != BRO_PLUGIN_VERSION_BUILTIN ) + if ( dynamic ) { - d->Add(" (version "); - d->Add(version); - - d->Add(")"); + if ( version > 0 ) + { + d->Add(" (version "); + d->Add(version); + d->Add(")"); + } + else + d->Add(" (version not set)"); } else diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 2dba0249c9..6c6d89a4d1 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -110,15 +110,23 @@ public: const char* Description(); /** - * Returns the version of the plugin. + * Returns the version of the plugin. Version are only meaningful for + * dynamically compiled plugins; for statically compiled ones, this + * will always return 0. */ int Version(); + /** + * Returns true if this is a dynamically linked in plugin. + */ + bool DynamicPlugin(); + /** * Returns the internal API version that this plugin relies on. Only - * plugins that match Bro's BRO_PLUGIN_API_VERSION may be used. For + * plugins that match Bro's current API version may be used. For * statically compiled plugins this is automatically the case, but - * dynamically loaded plugins could later cause a mismatch. + * dynamically loaded plugins may cause a mismatch if they were + * compiled for a different Bro version. */ int APIVersion(); @@ -197,6 +205,13 @@ protected: */ void SetAPIVersion(int version); + /** + * Marks the plugin as statically or dynamically linked. + * + * @param dynamic True if this is a dynamically linked plugin. + */ + void SetDynamicPlugin(bool dynamic); + /** * Takes ownership. */ @@ -225,6 +240,7 @@ private: const char* description; int version; int api_version; + bool dynamic; component_list components; bif_item_list bif_items; From 74e99a27db4b600208ca2b973bb35598c75867b9 Mon Sep 17 00:00:00 2001 
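Review bot: two grammar nits in the new `Plugin.h` doc comments: "Version are only meaningful for dynamically compiled plugins" should read "Versions are only meaningful for dynamically loaded plugins", and "a dynamically linked in plugin" reads better as "a dynamically loaded plugin". On the `Describe()` hunk, the `version > 0` test treats the `-1` default set by the `BRO_PLUGIN_BEGIN` macro as "not set", which is fine, but the `-9999` sentinel still assigned in the `Plugin::Plugin()` constructor is now redundant with that default and could be dropped to keep one notion of "unset".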
From: Robin Sommer Date: Tue, 4 Jun 2013 21:19:08 -0700 Subject: [PATCH 64/70] Ignoring file ids in external tests. They can change occasionally, and we likewise ignore uids already. --- CHANGES | 11 ++++++++ VERSION | 2 +- testing/scripts/diff-canonifier-external | 1 + testing/scripts/diff-remove-file-ids | 33 ++++++++++++++++++++++++ 4 files changed, 46 insertions(+), 1 deletion(-) create mode 100755 testing/scripts/diff-remove-file-ids diff --git a/CHANGES b/CHANGES index 1c23429a43..75d3356603 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,15 @@ +2.1-731 | 2013-06-04 21:19:08 -0700 + + * Reorginization of internal protocol analyzer code. We're moving + them to a modularized structure, based on a plugin model. Along + with this change comes generic plugin infrastructure that we'll + later extend to other Bro component as well. For now all plugins + are compiled in statically, but in the future we plan to also + enable dynamic loading at run time. (Robin Sommer) + + * Ignoring file ids in external tests. (Robin Sommer) + 2.1-675 | 2013-06-02 20:03:19 -0700 * Fix a compiler warning. (Robin Sommer) diff --git a/VERSION b/VERSION index f3667fe959..d138533403 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-675 +2.1-731 diff --git a/testing/scripts/diff-canonifier-external b/testing/scripts/diff-canonifier-external index 04ef699538..f4356154e4 100755 --- a/testing/scripts/diff-canonifier-external +++ b/testing/scripts/diff-canonifier-external @@ -4,6 +4,7 @@ `dirname $0`/diff-remove-timestamps \ | `dirname $0`/diff-remove-uids \ + | `dirname $0`/diff-remove-file-ids \ | `dirname $0`/diff-remove-x509-names \ | `dirname $0`/diff-canon-notice-policy \ | `dirname $0`/diff-sort diff --git a/testing/scripts/diff-remove-file-ids b/testing/scripts/diff-remove-file-ids new file mode 100755 index 0000000000..f54177d8ba --- /dev/null +++ b/testing/scripts/diff-remove-file-ids 
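Review bot: typos in the new CHANGES entry: "Reorginization" should be "Reorganization" and "other Bro component as well" should be "other Bro components as well". Since this file is shipped with releases it is worth fixing before the version bump lands.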
@@ -0,0 +1,33 @@ +#! /usr/bin/awk -f +# +# A diff canonifier that removes all file IDs from file_analysis.log + +BEGIN { + FS="\t"; + OFS="\t"; + process = 0; + } + +$1 == "#path" && $2 == "file_analysis" { + process = 1; + } + +process && column1 > 0 && column2 > 0 { + $column1 = "XXXXXXXXXXX"; + $column2 = "XXXXXXXXXXX"; + } + +/^#/ { + for ( i = 0; i < NF; ++i ) { + if ( $i == "id" ) + column1 = i - 1; + + if ( $i == "parent_id" ) + column2 = i - 1; + } + } + +{ print } + + + From 1dfaf249459afff9fc9188a90804b6e43caa5698 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 5 Jun 2013 08:00:01 -0700 Subject: [PATCH 65/70] Updating submodule(s). [nomail] --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- cmake | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/aux/binpac b/aux/binpac index f86a3169b8..c39bd478b9 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit f86a3169b8d49189d264cbc1a7507260cd9ff51d +Subproject commit c39bd478b9d0ecd05b1b83aa9d09a7887893977c diff --git a/aux/bro-aux b/aux/bro-aux index cfaf4eea78..a9942558c7 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit cfaf4eea788bdac4ebfe9e46e3de2cd74b0bc068 +Subproject commit a9942558c7d3dfd80148b8aaded64c82ade3d117 diff --git a/aux/broccoli b/aux/broccoli index 8955807b0f..889f9c6594 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 8955807b0f4151f5f6aca2e68d353b9b341d9f86 +Subproject commit 889f9c65944ceac20ad9230efc39d33e6e1221c3 diff --git a/aux/broctl b/aux/broctl index 0eca32b35d..a1aaa1608e 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 0eca32b35d16a4d387f41976ab46360ee6ecaed8 +Subproject commit a1aaa1608ef08761a211b1e251449d796ba5e4a0 diff --git a/cmake b/cmake index e1a7fd00a0..0187b33a29 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit e1a7fd00a0a66d6831a239fe84f5fcfaa54e2c35 +Subproject commit 0187b33a29d5ec824f940feff60dc5d8c2fe314f 
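Review bot: the field loop in `diff-remove-file-ids` has off-by-one bounds: `for ( i = 0; i < NF; ++i )` compares `$0` (the whole record) on its first iteration and never examines `$NF`, so if `id` or `parent_id` is the last column of the `#fields` line it is never found and the IDs are not masked. The awk idiom is `for ( i = 1; i <= NF; ++i )`. Two smaller points on the same script: the masking rule `process && column1 > 0 && column2 > 0` runs before the `/^#/` rule, so every header line after `#fields` (such as `#types`) also gets its fields overwritten, and `process` is never reset when a later `#path` line for a different log appears, so a concatenated input would be masked past the `file_analysis` section. Guarding the masking rule with `!/^#/` and clearing `process` on any other `#path` would make the canonifier behave as its comment describes.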
From 022ce2505f3423378d193e2b16fda873cb325c3c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 5 Jun 2013 11:01:11 -0500 Subject: [PATCH 66/70] Change @PATH to @DIR for clarity. Add @FILENAME. Addresses #869. @DIR expands to directory path of the script, @FILENAME expands to just the script file name without path. --- src/scan.l | 16 ++++++++++++++-- testing/btest/Baseline/language.at-dir/out | 1 + .../{language.at-path => language.at-dir}/out2 | 0 testing/btest/Baseline/language.at-filename/out | 1 + testing/btest/Baseline/language.at-path/out | 1 - .../btest/language/{at-path.bro => at-dir.bro} | 4 ++-- testing/btest/language/at-filename.bro | 4 ++++ 7 files changed, 22 insertions(+), 5 deletions(-) create mode 100644 testing/btest/Baseline/language.at-dir/out rename testing/btest/Baseline/{language.at-path => language.at-dir}/out2 (100%) create mode 100644 testing/btest/Baseline/language.at-filename/out delete mode 100644 testing/btest/Baseline/language.at-path/out rename testing/btest/language/{at-path.bro => at-dir.bro} (91%) create mode 100644 testing/btest/language/at-filename.bro diff --git a/src/scan.l b/src/scan.l index 8a460aba07..3d2d0e217f 100644 --- a/src/scan.l +++ b/src/scan.l @@ -346,7 +346,7 @@ when return TOK_WHEN; @DEBUG return TOK_DEBUG; // marks input for debugger -@PATH { +@DIR { string rval = current_scanned_file_path; if ( ! rval.empty() && rval[0] == '.' ) @@ -354,7 +354,7 @@ when return TOK_WHEN; char path[MAXPATHLEN]; if ( ! getcwd(path, MAXPATHLEN) ) - reporter->Error("getcwd failed: %s", strerror(errno)); + reporter->InternalError("getcwd failed: %s", strerror(errno)); else rval = string(path) + "/" + rval; } 
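Review bot: switching the `getcwd()` failure from `reporter->Error` to `reporter->InternalError` in the `@DIR` hunk turns an environmental condition (an unreadable or removed working directory) into a fatal internal-error report, which is the wrong category for something outside Bro's control. Keeping `Error` and leaving the path relative, or aborting with a message that names the script being scanned, would give a clearer diagnosis than an internal-error abort.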
@@ -362,6 +362,18 @@ when return TOK_WHEN; RET_CONST(new StringVal(rval.c_str())); } +@FILENAME { + char* filename_copy = copy_string(::filename); + const char* bname = basename(filename_copy); + + if ( ! bname ) + reporter->InternalError("basename failed: %s", strerror(errno)); + + StringVal* rval = new StringVal(bname); + delete [] filename_copy; + RET_CONST(rval); + } + @load{WS}{FILE} { const char* new_file = skip_whitespace(yytext + 5); // Skip "@load". if ( generate_documentation ) diff --git a/testing/btest/Baseline/language.at-dir/out b/testing/btest/Baseline/language.at-dir/out new file mode 100644 index 0000000000..4cd8e27d6a --- /dev/null +++ b/testing/btest/Baseline/language.at-dir/out @@ -0,0 +1 @@ +/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-dir diff --git a/testing/btest/Baseline/language.at-path/out2 b/testing/btest/Baseline/language.at-dir/out2 similarity index 100% rename from testing/btest/Baseline/language.at-path/out2 rename to testing/btest/Baseline/language.at-dir/out2 diff --git a/testing/btest/Baseline/language.at-filename/out b/testing/btest/Baseline/language.at-filename/out new file mode 100644 index 0000000000..12cfb152d9 --- /dev/null +++ b/testing/btest/Baseline/language.at-filename/out @@ -0,0 +1 @@ +at-filename.bro diff --git a/testing/btest/Baseline/language.at-path/out b/testing/btest/Baseline/language.at-path/out deleted file mode 100644 index 7ac82c183c..0000000000 --- a/testing/btest/Baseline/language.at-path/out +++ /dev/null @@ -1 +0,0 @@ -/Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.at-path diff --git a/testing/btest/language/at-path.bro b/testing/btest/language/at-dir.bro similarity index 91% rename from testing/btest/language/at-path.bro rename to testing/btest/language/at-dir.bro index 433db17835..b826e3a5da 100644 --- a/testing/btest/language/at-path.bro +++ b/testing/btest/language/at-dir.bro 
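Review bot: in the `@FILENAME` hunk the `if ( ! bname )` branch is dead code: POSIX `basename()` never returns a null pointer and does not set `errno`, so `reporter->InternalError("basename failed: %s", strerror(errno))` can only ever print a stale `errno` and will never run. It is fine to drop that check; what would be worth guarding is `::filename` being null, since `copy_string(::filename)` is called unconditionally. Also confirm that the header providing `basename()` (`<libgen.h>`) is among the includes added to `scan.l` in the earlier hunk of this series, because on some platforms it is not pulled in transitively.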
@@ -3,8 +3,8 @@ # @TEST-EXEC: bro -b ./pathtest.bro >out2 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out2 -print @PATH; +print @DIR; @TEST-START-FILE pathtest.bro -print @PATH; +print @DIR; @TEST-END-FILE diff --git a/testing/btest/language/at-filename.bro b/testing/btest/language/at-filename.bro new file mode 100644 index 0000000000..83e4e968f3 --- /dev/null +++ b/testing/btest/language/at-filename.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +print @FILENAME; From fde081c30f6b1a5c13b2cd5a53872f9b2241bffb Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Thu, 6 Jun 2013 13:04:47 -0700 Subject: [PATCH 67/70] Remove invalid free on non-allocated pointer. The byte_lookup member is a fixed-size 2D array and should not be freed in the destructor. Fixes #1018. --- src/H3.h | 1 - 1 file changed, 1 deletion(-) diff --git a/src/H3.h b/src/H3.h index 9e6f1c5c35..72d81d519f 100644 --- a/src/H3.h +++ b/src/H3.h @@ -66,7 +66,6 @@ template class H3 { T byte_lookup[N][H3_BYTE_RANGE]; public: H3(); - ~H3() { free(byte_lookup); } T operator()(const void* data, size_t size, size_t offset = 0) const { const unsigned char *p = static_cast(data); From 1302da10cdc8cee3dd3a08c4aeb5ae8e6acecdff Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jun 2013 16:28:27 -0700 Subject: [PATCH 68/70] Fix for CMake 2.6.x. --- src/CMakeLists.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index a5b1cfc106..5e74b3d8b0 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -391,7 +391,8 @@ set(BRO_EXE bro CACHE STRING "Bro executable binary" FORCE) # Target to create all the autogenerated files. -add_custom_target(generate_outputs DEPENDS ${bro_ALL_GENERATED_OUTPUTS}) +add_custom_target(generate_outputs) +add_dependencies(generate_outputs ${bro_ALL_GENERATED_OUTPUTS}) # Build __load__.bro files for plugins/*.bif.bro. bro_bif_create_loader(bif_loader_plugins ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins) From 5487258b039aee30becee0e0c45253c995949210 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jun 2013 16:37:32 -0700 Subject: [PATCH 69/70] Updating submodule(s). [nomail] --- CHANGES | 4 ++++ VERSION | 2 +- aux/broctl | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index da05746fd1..b671fe8cb0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.1-740 | 2013-06-07 16:37:32 -0700 + + * Fix for CMake 2.6.x. (Robin Sommer) + 2.1-738 | 2013-06-07 08:38:13 -0700 * Remove invalid free on non-allocated pointer in hash function diff --git a/VERSION b/VERSION index 82b504016f..468fc388bb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-738 +2.1-740 diff --git a/aux/broctl b/aux/broctl index a1aaa1608e..cf7a1ca56f 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit a1aaa1608ef08761a211b1e251449d796ba5e4a0 +Subproject commit cf7a1ca56f2b20f777542d912de0a9c8fdb0655d From f811e669ff59101e9a108097f1cbbdbd8e8201ad Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jun 2013 17:28:50 -0700 Subject: [PATCH 70/70] Fixing typo that could cause an assertion to falsely trigger. --- CHANGES | 5 +++++ VERSION | 2 +- src/analyzer/Tag.cc | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index b671fe8cb0..92f0a3b9ee 100644 --- a/CHANGES +++ b/CHANGES 
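Review bot: the rewrite from `add_custom_target(generate_outputs DEPENDS ${bro_ALL_GENERATED_OUTPUTS})` to `add_dependencies(generate_outputs ${bro_ALL_GENERATED_OUTPUTS})` changes semantics: `DEPENDS` on a custom target takes file-level dependencies, whereas `add_dependencies()` takes target names. If `bro_ALL_GENERATED_OUTPUTS` lists generated files rather than targets, the new form will not cause them to be built on CMake 2.6 (and newer CMake will error on unknown targets), so please confirm the variable holds targets or wrap the outputs in per-output custom targets first.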
@@ -1,4 +1,9 @@ +2.1-741 | 2013-06-07 17:28:50 -0700 + + * Fixing typo that could cause an assertion to falsely trigger. + (Robin Sommer) + 2.1-740 | 2013-06-07 16:37:32 -0700 * Fix for CMake 2.6.x. (Robin Sommer) diff --git a/VERSION b/VERSION index 468fc388bb..0559f5c3b4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.1-740 +2.1-741 diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc index 469b61a6c5..2f04ff17da 100644 --- a/src/analyzer/Tag.cc +++ b/src/analyzer/Tag.cc @@ -24,7 +24,7 @@ Tag::Tag(type_t arg_type, subtype_t arg_subtype) Tag::Tag(EnumVal* arg_val) { - assert(val); + assert(arg_val); val = arg_val; Ref(val);