From 0325b5ea32f9b86c89ca020097de4586d782f636 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Sun, 20 Nov 2011 21:41:41 -0800 Subject: [PATCH 1/7] to_port() now parses a string instead of a count. Addresses #684. --- scripts/base/protocols/irc/dcc-send.bro | 2 +- src/bro.bif | 22 ++++++++++++++++++++-- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index b2a48a472a..669cc03e55 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -99,7 +99,7 @@ event irc_dcc_message(c: connection, is_orig: bool, return; c$irc$dcc_file_name = argument; c$irc$dcc_file_size = size; - local p = to_port(dest_port, tcp); + local p = count_to_port(dest_port, tcp); expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min); dcc_expected_transfers[address, p] = c$irc; } diff --git a/src/bro.bif b/src/bro.bif index a2f97356a7..6d4d7ce1dd 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -586,9 +586,27 @@ function raw_bytes_to_v4_addr%(b: string%): addr return new AddrVal(htonl(a)); %} -function to_port%(num: count, proto: transport_proto%): port +function to_port%(s: string%): port %{ - return new PortVal(num, (TransportProto)proto->AsEnum()); + int port = 0; + if ( s->Len() < 10 ) + { + char* slash; + port = strtol(s->CheckString(), &slash, 10); + if ( port ) + { + ++slash; + if ( streq(slash, "tcp") ) + return new PortVal(port, TRANSPORT_TCP); + else if ( streq(slash, "udp") ) + return new PortVal(port, TRANSPORT_UDP); + else if ( streq(slash, "icmp") ) + return new PortVal(port, TRANSPORT_ICMP); + } + } + + builtin_error("wrong port format, must be /[0-9]{1,5}\\/(tcp|udp|icmp)/"); + return new PortVal(port, TRANSPORT_UNKNOWN); %} function mask_addr%(a: addr, top_bits_to_keep: count%): subnet From 6a563c88291eb5967e9bb43597d06c6ae52e206b Mon Sep 17 00:00:00 2001 
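Review bot: In the new to_port() body, `++slash` runs without first checking that strtol() stopped at a '/', so an input such as "80" leaves slash on the terminating NUL and the increment steps past the end of the string before streq() reads from it; the same path accepts a signed or over-large number ("-1/tcp", "70000/tcp") because only `if ( port )` is tested, and that test in turn rejects the arguably legitimate "0/icmp" form. Since strtol() also skips leading whitespace and a sign, the accepted syntax is wider than the regex quoted in the error message. I would validate the number before touching the suffix — require a leading digit, a '/' immediately after the digits and a value no greater than 65535 — and only then step over the '/'; whether port 0 should stay rejected depends on how PortVal treats it, which this hunk does not show. The protocol comparisons and the fallback error can stay as written.
```cpp
function to_port%(s: string%): port
	%{
	int port = 0;
	if ( s->Len() < 10 )
		{
		const char* str = s->CheckString();
		char* slash;
		long val = strtol(str, &slash, 10);
		// The text must start with a digit (no sign/whitespace), the
		// number must be followed immediately by '/', and it must fit
		// a 16-bit port; only then is the suffix inspected.
		if ( *str >= '0' && *str <= '9' && *slash == '/' && val <= 65535 )
			{
			port = val;
			++slash;
			// … unchanged: tcp/udp/icmp comparisons and returns …
			}
		}

	// … unchanged: builtin_error() and the TRANSPORT_UNKNOWN fallback …
	%}
```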
From: Matthias Vallentin Date: Mon, 21 Nov 2011 22:30:53 -0800 Subject: [PATCH 2/7] Make exit() parameterizable. The exit() BiF used to have no arguments and always invoked exit(0) from libc. This small fix allows for non-zero exit values of the Bro process. --- src/bro.bif | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/bro.bif b/src/bro.bif index 6d4d7ce1dd..8b4c8d3038 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -845,9 +845,9 @@ function log10%(d: double%): double return new Val(log10(d), TYPE_DOUBLE); %} -function exit%(%): int +function exit%(code: int%): any %{ - exit(0); + exit(code); return 0; %} From 1179c1a598602ffbdb08086c8edc3c709d7a4669 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 21 Nov 2011 22:55:14 -0800 Subject: [PATCH 3/7] Remove redundant active_connection() BiF. The BiF connection_exists has a more intuitive name and provides the same functionality, thus we can remove active_connection(). --- src/bro.bif | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/src/bro.bif b/src/bro.bif index 8b4c8d3038..fd3a738126 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -720,12 +720,6 @@ function active_file%(f: file%): bool return new Val(f->IsOpen(), TYPE_BOOL); %} -function active_connection%(id: conn_id%): bool - %{ - Connection* c = sessions->FindConnection(id); - return new Val(c ? 1 : 0, TYPE_BOOL); - %} - # Note, you *must* first make sure that the connection is active # (e.g., by calling active_connection()) before invoking this. function connection_record%(cid: conn_id%): connection 
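Review bot: `exit(code)` hands the script-level `int` — which the BiF layer carries in a type wider than a C `int`, if I read the type mapping correctly — straight to libc's exit(int), so the value is silently narrowed and then reduced again to the 8-bit status the OS reports; a caller passing 256 gets status 0 with no diagnostic. I would either make the narrowing explicit and bounded, e.g. `exit(static_cast<int>(code & 0xff));`, or state the contract above the declaration: `# Terminates the Bro process with the given exit code; only the low 8 bits are reported by the OS.` The `return 0;` after exit() is unreachable, which is presumably required by the generated wrapper, but a `// not reached` comment would make that intent clear to the next reader.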
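Review bot: The context comment kept directly below the removed block, `# (e.g., by calling active_connection())`, still directs callers of connection_record() to the function this commit deletes, so at this point in the series the remaining documentation references a BiF that no longer exists. PATCH 4/7 removes connection_record() together with that comment, so this only matters when the patches are applied or bisected individually; if that is a concern, change the line here to `# (e.g., by calling connection_exists()) before invoking this.` connection_record()'s body lies outside this hunk.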
@@ -1027,12 +1021,10 @@ static Val* parse_port(const char* line) %%} # Returns true if the given connection exists, false otherwise. -function connection_exists%(c: conn_id%): bool +function connection_exists%(id: conn_id%): bool %{ - if ( sessions->FindConnection(c) ) - return new Val(1, TYPE_BOOL); - else - return new Val(0, TYPE_BOOL); + Connection* c = sessions->FindConnection(id); + return new Val(c ? 1 : 0, TYPE_BOOL); %} # For a given connection ID, returns the corresponding "connection" record. From c04b261376b9f00d3be9e2a93a132e7d5ebec923 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Mon, 21 Nov 2011 23:03:46 -0800 Subject: [PATCH 4/7] Remove redundant connection_record() BiF. The function lookup_connection() provides the same functionality and has more graceful failure semantics. --- src/bro.bif | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/src/bro.bif b/src/bro.bif index fd3a738126..842535b657 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -720,22 +720,6 @@ function active_file%(f: file%): bool return new Val(f->IsOpen(), TYPE_BOOL); %} -# Note, you *must* first make sure that the connection is active -# (e.g., by calling active_connection()) before invoking this. -function connection_record%(cid: conn_id%): connection - %{ - Connection* c = sessions->FindConnection(cid); - if ( c ) - return c->BuildConnVal(); - else - { - // Hard to recover from this until we have union types ... - builtin_error("connection ID not a known connection (fatal)", cid); - exit(0); - return 0; - } - %} - %%{ EnumVal* map_conn_type(TransportProto tp) { From e9f05348b003492c5a269501f4eac636663bcbe8 Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Tue, 22 Nov 2011 09:04:22 -0800 Subject: [PATCH 5/7] Perform type checking on count-to-port conversion. Related to #684. --- src/bro.bif | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/bro.bif b/src/bro.bif index 842535b657..65b9d9791a 100644 --- a/src/bro.bif 
+++ b/src/bro.bif @@ -540,9 +540,9 @@ function port_to_count%(p: port%): count return new Val(p->Port(), TYPE_COUNT); %} -function count_to_port%(c: count, t: transport_proto%): port +function count_to_port%(num: count, proto: transport_proto%): port %{ - return new PortVal(c, (TransportProto)(t->InternalInt())); + return new PortVal(num, (TransportProto)proto->AsEnum()); %} function floor%(d: double%): double From 5666448a482601a9890e0f495cc3ebcead950c0d Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Sun, 27 Nov 2011 15:11:13 -0800 Subject: [PATCH 6/7] Change some BiF return values from bool to any. The BiFs - do_profiling - make_connection_persistent - expect_connection used to unconditionally return true. Since such a return value is meaningless, returning 'any' is more appropriate. --- src/bro.bif | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/bro.bif b/src/bro.bif index 65b9d9791a..16b18b0d48 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2231,12 +2231,12 @@ function send_current_packet%(p: event_peer%) : bool return new Val(remote_serializer->SendPacket(&info, id, pkt), TYPE_BOOL); %} -function do_profiling%(%) : bool +function do_profiling%(%) : any %{ if ( profiling_logger ) profiling_logger->Log(); - return new Val(1, TYPE_BOOL); + return 0; %} function get_event_peer%(%) : event_peer @@ -2279,10 +2279,10 @@ function send_capture_filter%(p: event_peer, s: string%) : bool return new Val(remote_serializer->SendCaptureFilter(id, s->CheckString()), TYPE_BOOL); %} -function make_connection_persistent%(c: connection%) : bool +function make_connection_persistent%(c: connection%) : any %{ c->MakePersistent(); - return new Val(1, TYPE_BOOL); + return 0; %} function is_local_interface%(ip: addr%) : bool 
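Review bot: `new PortVal(num, (TransportProto)proto->AsEnum())` still passes the full count to the constructor, so a value above 65535 reaches PortVal unchecked; whether that is clamped, warned about or stored as-is depends on the PortVal constructor, which is not in this hunk, and the "type checking" named in the commit message only covers the enum accessor. A script-visible guard such as `if ( num > 65535 ) builtin_error("port number out of range");` before the return would make the failure mode explicit and consistent with the builtin_error() reporting that to_port() uses elsewhere in this file.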
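Review bot: `return 0;` in do_profiling() now yields a null Val* where the function previously returned a fresh boolean; the same replacement is made in make_connection_persistent() in the next hunk and in expect_connection() in the hunk after it. The context shows continue_processing() already declared as `: any`, so there is presumably precedent for a null return behind an `any` signature, but nothing here documents that a script assigning the result receives no value. A one-line comment on each, e.g. `# Returns no value; the result is not meaningful to scripts.`, or a sentence in the description stating that `any` plus a null Val* is the established convention for void BiFs, would make the change self-explanatory. The three function bodies are otherwise unchanged.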
@@ -2959,11 +2959,11 @@ function continue_processing%(%) : any # Schedule analyzer for a future connection. function expect_connection%(orig: addr, resp: addr, resp_p: port, - analyzer: count, tout: interval%) : bool + analyzer: count, tout: interval%) : any %{ dpm->ExpectConnection(orig, resp, resp_p->Port(), resp_p->PortType(), (AnalyzerTag::Tag) analyzer, tout, 0); - return new Val(1, TYPE_BOOL); + return 0; %} # Disables the analyzer which raised the current event (if the analyzer From 50d5571939b74b4a9c91a00339bfdba390d564cc Mon Sep 17 00:00:00 2001 From: Matthias Vallentin Date: Sun, 11 Dec 2011 18:49:00 -0800 Subject: [PATCH 7/7] Give mode2string a more generic name. --- src/bro.bif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/bro.bif b/src/bro.bif index 16b18b0d48..d0569716b0 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -3542,7 +3542,7 @@ function x509_err2str%(err_num: count%): string return new StringVal(X509_verify_cert_error_string(err_num)); %} -function NFS3::mode2string%(mode: count%): string +function file_mode%(mode: count%): string %{ char str[12]; char *p = str;