diff --git a/aux/bifcl b/aux/bifcl index 44622332fb..33cde13264 160000 --- a/aux/bifcl +++ b/aux/bifcl @@ -1 +1 @@ -Subproject commit 44622332fb1361383799be33e365704caacce199 +Subproject commit 33cde13264825df906668b608017e65f4ffbc12a diff --git a/src/Anon.cc b/src/Anon.cc index de225e95a8..983c7fbec8 100644 --- a/src/Anon.cc +++ b/src/Anon.cc @@ -415,7 +415,7 @@ void log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output) { if ( anonymization_mapping ) { - mgr.QueueEvent(anonymization_mapping, { + mgr.QueueEventFast(anonymization_mapping, { new AddrVal(input), new AddrVal(output) }); diff --git a/src/Conn.cc b/src/Conn.cc index 494d2d21c4..83ad6c08f6 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -325,7 +325,7 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, // and at this stage it's not a *multiple* instance. return; - ConnectionEvent(e, 0, { + ConnectionEventFast(e, 0, { BuildConnVal(), val_mgr->GetBool(is_orig), val_mgr->GetCount(threshold) @@ -389,7 +389,7 @@ void Connection::EnableStatusUpdateTimer() void Connection::StatusUpdateTimer(double t) { - ConnectionEvent(connection_status_update, 0, { BuildConnVal() }); + ConnectionEventFast(connection_status_update, 0, { BuildConnVal() }); ADD_TIMER(&Connection::StatusUpdateTimer, network_time + connection_status_update_interval, 0, TIMER_CONN_STATUS_UPDATE); @@ -627,7 +627,7 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len, { if ( software_parse_error ) { - ConnectionEvent(software_parse_error, analyzer, { + ConnectionEventFast(software_parse_error, analyzer, { BuildConnVal(), new AddrVal(addr), new StringVal(len, s), @@ -638,7 +638,7 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len, if ( software_version_found ) { - ConnectionEvent(software_version_found, 0, { + ConnectionEventFast(software_version_found, 0, { BuildConnVal(), new AddrVal(addr), val, @@ -666,7 +666,7 @@ int Connection::UnparsedVersionFoundEvent(const IPAddr& addr, if ( software_unparsed_version_found ) { - ConnectionEvent(software_unparsed_version_found, analyzer, { + ConnectionEventFast(software_unparsed_version_found, analyzer, { BuildConnVal(), new AddrVal(addr), new StringVal(len, full), @@ -682,9 +682,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch return; if ( name ) - ConnectionEvent(f, analyzer, {new StringVal(name), BuildConnVal()}); + ConnectionEventFast(f, analyzer, {new StringVal(name), BuildConnVal()}); else - ConnectionEvent(f, analyzer, {BuildConnVal()}); + ConnectionEventFast(f, analyzer, {BuildConnVal()}); } @@ -698,9 +698,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, } if ( v2 ) - ConnectionEvent(f, analyzer, {BuildConnVal(), v1, v2}); + ConnectionEventFast(f, analyzer, {BuildConnVal(), v1, v2}); else - ConnectionEvent(f, analyzer, {BuildConnVal(), v1}); + ConnectionEventFast(f, analyzer, {BuildConnVal(), v1}); } void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl) @@ -720,6 +720,13 @@ void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_l a ? a->GetID() : 0, GetTimerMgr(), this); } +void Connection::ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl) + { + // "this" is passed as a cookie for the event + mgr.QueueEventFast(f, std::move(vl), SOURCE_LOCAL, + a ? a->GetID() : 0, GetTimerMgr(), this); + } + void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl) { ConnectionEvent(f, a, std::move(*vl)); @@ -1053,7 +1060,7 @@ void Connection::CheckFlowLabel(bool is_orig, uint32 flow_label) if ( connection_flow_label_changed && (is_orig ? saw_first_orig_packet : saw_first_resp_packet) ) { - ConnectionEvent(connection_flow_label_changed, 0, { + ConnectionEventFast(connection_flow_label_changed, 0, { BuildConnVal(), val_mgr->GetBool(is_orig), val_mgr->GetCount(my_flow_label), diff --git a/src/Conn.h b/src/Conn.h index 2622134f2a..d19501ff13 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -181,6 +181,8 @@ public: val_list* vl); void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer, val_list vl); + void ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* analyzer, + val_list vl); void Weird(const char* name, const char* addl = ""); bool DidWeird() const { return weird != 0; } diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc index c72e66f0bf..c3efda3ad9 100644 --- a/src/DNS_Mgr.cc +++ b/src/DNS_Mgr.cc @@ -704,7 +704,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm) if ( ! e ) return; - mgr.QueueEvent(e, {BuildMappingVal(dm)}); + mgr.QueueEventFast(e, {BuildMappingVal(dm)}); } void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2) @@ -715,7 +715,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2 Unref(l1); Unref(l2); - mgr.QueueEvent(e, { + mgr.QueueEventFast(e, { BuildMappingVal(dm), l1->ConvertToSet(), l2->ConvertToSet(), @@ -727,7 +727,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm) if ( ! e ) return; - mgr.QueueEvent(e, { + mgr.QueueEventFast(e, { BuildMappingVal(old_dm), BuildMappingVal(new_dm), }); diff --git a/src/Event.cc b/src/Event.cc index 26ca874c2a..8b87caa9b1 100644 --- a/src/Event.cc +++ b/src/Event.cc @@ -128,7 +128,7 @@ void EventMgr::QueueEvent(Event* event) void EventMgr::Drain() { if ( event_queue_flush_point ) - QueueEvent(event_queue_flush_point, val_list{}); + QueueEventFast(event_queue_flush_point, val_list{}); SegmentProfiler(segment_logger, "draining-events"); diff --git a/src/Event.h b/src/Event.h index 9ee30ae674..258b680d49 100644 --- a/src/Event.h +++ b/src/Event.h @@ -58,6 +58,13 @@ public: EventMgr(); ~EventMgr() override; + void QueueEventFast(const EventHandlerPtr &h, val_list vl, + SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, + TimerMgr* mgr = 0, BroObj* obj = 0) + { + QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj)); + } + void QueueEvent(const EventHandlerPtr &h, val_list vl, SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0) diff --git a/src/Reporter.cc b/src/Reporter.cc index 9821911d17..cc0542eaac 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc @@ -506,9 +506,9 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out, } if ( conn ) - conn->ConnectionEvent(event, 0, std::move(vl)); + conn->ConnectionEventFast(event, 0, std::move(vl)); else - mgr.QueueEvent(event, std::move(vl)); + mgr.QueueEventFast(event, std::move(vl)); } else { diff --git a/src/RuleAction.cc b/src/RuleAction.cc index ab9994bde2..3d22e3b56f 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc @@ -17,7 +17,7 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state, { if ( signature_match ) { - mgr.QueueEvent(signature_match, { + mgr.QueueEventFast(signature_match, { rule_matcher->BuildRuleStateValue(parent, state), new StringVal(msg), data ? new StringVal(len, (const char*)data) : val_mgr->GetEmptyString(), diff --git a/src/Sessions.cc b/src/Sessions.cc index db4e9e5d3a..3507c46e53 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -171,7 +171,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt) SegmentProfiler(segment_logger, "dispatching-packet"); if ( raw_packet ) - mgr.QueueEvent(raw_packet, {pkt->BuildPktHdrVal()}); + mgr.QueueEventFast(raw_packet, {pkt->BuildPktHdrVal()}); if ( pkt_profiler ) pkt_profiler->ProfilePkt(t, pkt->cap_len); @@ -411,7 +411,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr { dump_this_packet = 1; if ( esp_packet ) - mgr.QueueEvent(esp_packet, {ip_hdr->BuildPktHdrVal()}); + mgr.QueueEventFast(esp_packet, {ip_hdr->BuildPktHdrVal()}); // Can't do more since upper-layer payloads are going to be encrypted. return; @@ -1315,9 +1315,9 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, { conn->Event(new_connection, 0); - if ( external ) + if ( external && connection_external ) { - conn->ConnectionEvent(connection_external, 0, { + conn->ConnectionEventFast(connection_external, 0, { conn->BuildConnVal(), new StringVal(conn->GetTimerMgr()->GetTag().c_str()), }); diff --git a/src/StateAccess.cc b/src/StateAccess.cc index b9f08a54cc..72ed9ef236 100644 --- a/src/StateAccess.cc +++ b/src/StateAccess.cc @@ -536,7 +536,7 @@ void StateAccess::Replay() if ( remote_state_access_performed ) { - mgr.QueueEvent(remote_state_access_performed, { + mgr.QueueEventFast(remote_state_access_performed, { new StringVal(target.id->Name()), target.id->ID_Val()->Ref(), }); diff --git a/src/Stats.cc b/src/Stats.cc index 7c232f7aa4..1d2a2c8ad8 100644 --- a/src/Stats.cc +++ b/src/Stats.cc @@ -369,11 +369,12 @@ void SampleLogger::SegmentProfile(const char* /* name */, const Location* /* loc */, double dtime, int dmem) { - mgr.QueueEvent(load_sample, { - load_samples->Ref(), - new IntervalVal(dtime, Seconds), - val_mgr->GetInt(dmem) - }); + if ( load_sample ) + mgr.QueueEventFast(load_sample, { + load_samples->Ref(), + new IntervalVal(dtime, Seconds), + val_mgr->GetInt(dmem) + }); } void SegmentProfiler::Init() diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index be2cfcf627..874b405e9d 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -662,16 +662,19 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag) if ( protocol_confirmed ) return; + protocol_confirmed = true; + + if ( ! protocol_confirmation ) + return; + EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal(); Ref(tval); - mgr.QueueEvent(protocol_confirmation, { + mgr.QueueEventFast(protocol_confirmation, { BuildConnVal(), tval, val_mgr->GetCount(id), }); - - protocol_confirmed = true; } void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) @@ -689,10 +692,13 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) else r = new StringVal(reason); + if ( ! protocol_violation ) + return; + EnumVal* tval = tag.AsEnumVal(); Ref(tval); - mgr.QueueEvent(protocol_violation, { + mgr.QueueEventFast(protocol_violation, { BuildConnVal(), tval, val_mgr->GetCount(id), @@ -787,6 +793,11 @@ void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list vl) conn->ConnectionEvent(f, this, std::move(vl)); } +void Analyzer::ConnectionEventFast(EventHandlerPtr f, val_list vl) + { + conn->ConnectionEventFast(f, this, std::move(vl)); + } + void Analyzer::Weird(const char* name, const char* addl) { conn->Weird(name, addl); diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index ab09e63458..141d420a82 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -547,6 +547,12 @@ public: */ void ConnectionEvent(EventHandlerPtr f, val_list vl); + /** + * Convenience function that forwards directly to + * Connection::ConnectionEventFast(). + */ + void ConnectionEventFast(EventHandlerPtr f, val_list vl); + /** * Convenience function that forwards directly to the corresponding * Connection::Weird(). diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc index e206303e9c..d3a4ab688f 100644 --- a/src/analyzer/protocol/arp/ARP.cc +++ b/src/analyzer/protocol/arp/ARP.cc @@ -190,7 +190,7 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg) if ( ! bad_arp ) return; - mgr.QueueEvent(bad_arp, { + mgr.QueueEventFast(bad_arp, { ConstructAddrVal(ar_spa(hdr)), EthAddrToStr((const u_char*) ar_sha(hdr)), ConstructAddrVal(ar_tpa(hdr)), @@ -212,7 +212,7 @@ void ARP_Analyzer::RREvent(EventHandlerPtr e, if ( ! e ) return; - mgr.QueueEvent(e, { + mgr.QueueEventFast(e, { EthAddrToStr(src), EthAddrToStr(dst), ConstructAddrVal(spa), diff --git a/src/analyzer/protocol/backdoor/BackDoor.cc b/src/analyzer/protocol/backdoor/BackDoor.cc index 4cc8d5f703..81b4c0e9a5 100644 --- a/src/analyzer/protocol/backdoor/BackDoor.cc +++ b/src/analyzer/protocol/backdoor/BackDoor.cc @@ -246,7 +246,10 @@ void BackDoorEndpoint::RloginSignatureFound(int len) rlogin_checking_done = 1; - endp->TCP()->ConnectionEvent(rlogin_signature_found, { + if ( ! rlogin_signature_found ) + return; + + endp->TCP()->ConnectionEventFast(rlogin_signature_found, { endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig()), val_mgr->GetCount(rlogin_num_null), @@ -337,7 +340,10 @@ void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* d void BackDoorEndpoint::TelnetSignatureFound(int len) { - endp->TCP()->ConnectionEvent(telnet_signature_found, { + if ( ! telnet_signature_found ) + return; + + endp->TCP()->ConnectionEventFast(telnet_signature_found, { endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig()), val_mgr->GetCount(len), @@ -641,12 +647,15 @@ void BackDoorEndpoint::CheckForHTTPProxy(uint64 /* seq */, int len, void BackDoorEndpoint::SignatureFound(EventHandlerPtr e, int do_orig) { + if ( ! e ) + return; + if ( do_orig ) - endp->TCP()->ConnectionEvent(e, + endp->TCP()->ConnectionEventFast(e, {endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig())}); else - endp->TCP()->ConnectionEvent(e, {endp->TCP()->BuildConnVal()}); + endp->TCP()->ConnectionEventFast(e, {endp->TCP()->BuildConnVal()}); } @@ -773,7 +782,10 @@ void BackDoor_Analyzer::StatTimer(double t, int is_expire) void BackDoor_Analyzer::StatEvent() { - TCP()->ConnectionEvent(backdoor_stats, { + if ( ! backdoor_stats ) + return; + + TCP()->ConnectionEventFast(backdoor_stats, { TCP()->BuildConnVal(), orig_endp->BuildStats(), resp_endp->BuildStats(), @@ -782,7 +794,10 @@ void BackDoor_Analyzer::StatEvent() void BackDoor_Analyzer::RemoveEvent() { - TCP()->ConnectionEvent(backdoor_remove_conn, {TCP()->BuildConnVal()}); + if ( ! backdoor_remove_conn ) + return; + + TCP()->ConnectionEventFast(backdoor_remove_conn, {TCP()->BuildConnVal()}); } BackDoorTimer::BackDoorTimer(double t, BackDoor_Analyzer* a) diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc index 989265623c..c57d694c6e 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc @@ -120,7 +120,7 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig) { if ( bittorrent_peer_weird ) { - ConnectionEvent(bittorrent_peer_weird, { + ConnectionEventFast(bittorrent_peer_weird, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(msg), diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index 411bbf0aff..a1a40e8d56 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc @@ -247,7 +247,7 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig) { if ( bt_tracker_weird ) { - ConnectionEvent(bt_tracker_weird, { + ConnectionEventFast(bt_tracker_weird, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(msg), @@ -348,11 +348,12 @@ void BitTorrentTracker_Analyzer::EmitRequest(void) { ProtocolConfirmation(); - ConnectionEvent(bt_tracker_request, { - BuildConnVal(), - req_val_uri, - req_val_headers, - }); + if ( bt_tracker_request ) + ConnectionEventFast(bt_tracker_request, { + BuildConnVal(), + req_val_uri, + req_val_headers, + }); req_val_uri = 0; req_val_headers = 0; @@ -401,11 +402,12 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line) { if ( res_status != 200 ) { - ConnectionEvent(bt_tracker_response_not_ok, { - BuildConnVal(), - val_mgr->GetCount(res_status), - res_val_headers, - }); + if ( bt_tracker_response_not_ok ) + ConnectionEventFast(bt_tracker_response_not_ok, { + BuildConnVal(), + val_mgr->GetCount(res_status), + res_val_headers, + }); res_val_headers = 0; res_buf_pos = res_buf + res_buf_len; res_state = BTT_RES_DONE; @@ -787,13 +789,14 @@ void BitTorrentTracker_Analyzer::EmitResponse(void) { ProtocolConfirmation(); - ConnectionEvent(bt_tracker_response, { - BuildConnVal(), - val_mgr->GetCount(res_status), - res_val_headers, - res_val_peers, - res_val_benc, - }); + if ( bt_tracker_response ) + ConnectionEventFast(bt_tracker_response, { + BuildConnVal(), + val_mgr->GetCount(res_status), + res_val_headers, + res_val_peers, + res_val_benc, + }); res_val_headers = 0; res_val_peers = 0; diff --git a/src/analyzer/protocol/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc index cf6521103c..1b18335e7f 100644 --- a/src/analyzer/protocol/conn-size/ConnSize.cc +++ b/src/analyzer/protocol/conn-size/ConnSize.cc @@ -47,7 +47,7 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64 threshold, bool if ( ! f ) return; - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), val_mgr->GetCount(threshold), val_mgr->GetBool(is_orig), diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index a67b548fe9..f99a7ca1e9 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -46,7 +46,7 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) if ( dns_message ) { - analyzer->ConnectionEvent(dns_message, { + analyzer->ConnectionEventFast(dns_message, { analyzer->BuildConnVal(), val_mgr->GetBool(is_query), msg.BuildHdrVal(), @@ -132,10 +132,11 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg) { - analyzer->ConnectionEvent(dns_end, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - }); + if ( dns_end ) + analyzer->ConnectionEventFast(dns_end, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + }); return 1; } @@ -334,7 +335,7 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg, if ( dns_unknown_reply && ! msg->skip_event ) { - analyzer->ConnectionEvent(dns_unknown_reply, { + analyzer->ConnectionEventFast(dns_unknown_reply, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -549,7 +550,7 @@ int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg, if ( reply_event && ! msg->skip_event ) { - analyzer->ConnectionEvent(reply_event, { + analyzer->ConnectionEventFast(reply_event, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -603,7 +604,7 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg, r->Assign(5, new IntervalVal(double(expire), Seconds)); r->Assign(6, new IntervalVal(double(minimum), Seconds)); - analyzer->ConnectionEvent(dns_SOA_reply, { + analyzer->ConnectionEventFast(dns_SOA_reply, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -634,7 +635,7 @@ int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg, if ( dns_MX_reply && ! msg->skip_event ) { - analyzer->ConnectionEvent(dns_MX_reply, { + analyzer->ConnectionEventFast(dns_MX_reply, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -677,7 +678,7 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg, if ( dns_SRV_reply && ! msg->skip_event ) { - analyzer->ConnectionEvent(dns_SRV_reply, { + analyzer->ConnectionEventFast(dns_SRV_reply, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -700,7 +701,7 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, if ( dns_EDNS_addl && ! msg->skip_event ) { - analyzer->ConnectionEvent(dns_EDNS_addl, { + analyzer->ConnectionEventFast(dns_EDNS_addl, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildEDNS_Val(), @@ -766,22 +767,24 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg, unsigned int rr_error = ExtractShort(data, len); ExtractOctets(data, len, 0); // Other Data - msg->tsig = new TSIG_DATA; + if ( dns_TSIG_addl ) + { + TSIG_DATA tsig; + tsig.alg_name = + new BroString(alg_name, alg_name_end - alg_name, 1); + tsig.sig = request_MAC; + tsig.time_s = sign_time_sec; + tsig.time_ms = sign_time_msec; + tsig.fudge = fudge; + tsig.orig_id = orig_id; + tsig.rr_error = rr_error; - msg->tsig->alg_name = - new BroString(alg_name, alg_name_end - alg_name, 1); - msg->tsig->sig = request_MAC; - msg->tsig->time_s = sign_time_sec; - msg->tsig->time_ms = sign_time_msec; - msg->tsig->fudge = fudge; - msg->tsig->orig_id = orig_id; - msg->tsig->rr_error = rr_error; - - analyzer->ConnectionEvent(dns_TSIG_addl, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildTSIG_Val(), - }); + analyzer->ConnectionEventFast(dns_TSIG_addl, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildTSIG_Val(&tsig), + }); + } return 1; } @@ -864,23 +867,26 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg, break; } - RRSIG_DATA rrsig; - rrsig.type_covered = type_covered; - rrsig.algorithm = algo; - rrsig.labels = lab; - rrsig.orig_ttl = orig_ttl; - rrsig.sig_exp = sign_exp; - rrsig.sig_incep = sign_incp; - rrsig.key_tag = key_tag; - rrsig.signer_name = new BroString(name, name_end - name, 1); - rrsig.signature = sign; + if ( dns_RRSIG ) + { + RRSIG_DATA rrsig; + rrsig.type_covered = type_covered; + rrsig.algorithm = algo; + rrsig.labels = lab; + rrsig.orig_ttl = orig_ttl; + rrsig.sig_exp = sign_exp; + rrsig.sig_incep = sign_incp; + rrsig.key_tag = key_tag; + rrsig.signer_name = new BroString(name, name_end - name, 1); + rrsig.signature = sign; - analyzer->ConnectionEvent(dns_RRSIG, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - msg->BuildRRSIG_Val(&rrsig), - }); + analyzer->ConnectionEventFast(dns_RRSIG, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + msg->BuildRRSIG_Val(&rrsig), + }); + } return 1; } @@ -961,18 +967,21 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg, break; } - DNSKEY_DATA dnskey; - dnskey.dflags = dflags; - dnskey.dalgorithm = dalgorithm; - dnskey.dprotocol = dprotocol; - dnskey.public_key = key; + if ( dns_DNSKEY ) + { + DNSKEY_DATA dnskey; + dnskey.dflags = dflags; + dnskey.dalgorithm = dalgorithm; + dnskey.dprotocol = dprotocol; + dnskey.public_key = key; - analyzer->ConnectionEvent(dns_DNSKEY, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - msg->BuildDNSKEY_Val(&dnskey), - }); + analyzer->ConnectionEventFast(dns_DNSKEY, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + msg->BuildDNSKEY_Val(&dnskey), + }); + } return 1; } @@ -1017,13 +1026,16 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg, typebitmaps_len = typebitmaps_len - (2 + bmlen); } - analyzer->ConnectionEvent(dns_NSEC, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - new StringVal(new BroString(name, name_end - name, 1)), - char_strings, - }); + if ( dns_NSEC ) + analyzer->ConnectionEventFast(dns_NSEC, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + new StringVal(new BroString(name, name_end - name, 1)), + char_strings, + }); + else + Unref(char_strings); return 1; } @@ -1091,22 +1103,25 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg, typebitmaps_len = typebitmaps_len - (2 + bmlen); } - NSEC3_DATA nsec3; - nsec3.nsec_flags = nsec_flags; - nsec3.nsec_hash_algo = hash_algo; - nsec3.nsec_iter = iter; - nsec3.nsec_salt_len = salt_len; - nsec3.nsec_salt = salt_val; - nsec3.nsec_hlen = hash_len; - nsec3.nsec_hash = hash_val; - nsec3.bitmaps = char_strings; + if ( dns_NSEC3 ) + { + NSEC3_DATA nsec3; + nsec3.nsec_flags = nsec_flags; + nsec3.nsec_hash_algo = hash_algo; + nsec3.nsec_iter = iter; + nsec3.nsec_salt_len = salt_len; + nsec3.nsec_salt = salt_val; + nsec3.nsec_hlen = hash_len; + nsec3.nsec_hash = hash_val; + nsec3.bitmaps = char_strings; - analyzer->ConnectionEvent(dns_NSEC3, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - msg->BuildNSEC3_Val(&nsec3), - }); + analyzer->ConnectionEventFast(dns_NSEC3, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + msg->BuildNSEC3_Val(&nsec3), + }); + } return 1; } @@ -1150,18 +1165,21 @@ int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg, break; } - DS_DATA ds; - ds.key_tag = ds_key_tag; - ds.algorithm = ds_algo; - ds.digest_type = ds_dtype; - ds.digest_val = ds_digest; + if ( dns_DS ) + { + DS_DATA ds; + ds.key_tag = ds_key_tag; + ds.algorithm = ds_algo; + ds.digest_type = ds_dtype; + ds.digest_val = ds_digest; - analyzer->ConnectionEvent(dns_DS, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - msg->BuildDS_Val(&ds), - }); + analyzer->ConnectionEventFast(dns_DS, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + msg->BuildDS_Val(&ds), + }); + } return 1; } @@ -1179,7 +1197,7 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg, if ( dns_A_reply && ! msg->skip_event ) { - analyzer->ConnectionEvent(dns_A_reply, { + analyzer->ConnectionEventFast(dns_A_reply, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -1216,7 +1234,7 @@ int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg, event = dns_A6_reply; if ( event && ! msg->skip_event ) { - analyzer->ConnectionEvent(event, { + analyzer->ConnectionEventFast(event, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -1290,12 +1308,15 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg, while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) char_strings->Assign(char_strings->Size(), char_string); - analyzer->ConnectionEvent(dns_TXT_reply, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - char_strings, - }); + if ( dns_TXT_reply ) + analyzer->ConnectionEventFast(dns_TXT_reply, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + char_strings, + }); + else + Unref(char_strings); return rdlength == 0; } @@ -1330,14 +1351,20 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg, data += value->Len(); rdlength -= value->Len(); - analyzer->ConnectionEvent(dns_CAA_reply, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - val_mgr->GetCount(flags), - new StringVal(tag), - new StringVal(value), - }); + if ( dns_CAA_reply ) + analyzer->ConnectionEventFast(dns_CAA_reply, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + val_mgr->GetCount(flags), + new StringVal(tag), + new StringVal(value), + }); + else + { + delete tag; + delete value; + } return rdlength == 0; } @@ -1351,13 +1378,14 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg, RR_Type qtype = RR_Type(ExtractShort(data, len)); int qclass = ExtractShort(data, len); - analyzer->ConnectionEvent(event, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - new StringVal(question_name), - val_mgr->GetCount(qtype), - val_mgr->GetCount(qclass), - }); + if ( event ) + analyzer->ConnectionEventFast(event, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + new StringVal(question_name), + val_mgr->GetCount(qtype), + val_mgr->GetCount(qclass), + }); } @@ -1391,7 +1419,6 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query) answer_type = DNS_QUESTION; skip_event = 0; - tsig = 0; } DNS_MsgInfo::~DNS_MsgInfo() @@ -1470,7 +1497,7 @@ Val* DNS_MsgInfo::BuildEDNS_Val() return r; } -Val* DNS_MsgInfo::BuildTSIG_Val() +Val* DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig) { RecordVal* r = new RecordVal(dns_tsig_additional); double rtime = tsig->time_s + tsig->time_ms / 1000.0; @@ -1487,9 +1514,6 @@ Val* DNS_MsgInfo::BuildTSIG_Val() r->Assign(7, val_mgr->GetCount(tsig->rr_error)); r->Assign(8, val_mgr->GetCount(is_query)); - delete tsig; - tsig = 0; - return r; } @@ -1705,10 +1729,11 @@ void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, { if ( ! interp->ParseMessage(data, len, 1) && non_dns_request ) { - ConnectionEvent(non_dns_request, { - BuildConnVal(), - new StringVal(len, (const char*) data), - }); + if ( non_dns_request ) + ConnectionEventFast(non_dns_request, { + BuildConnVal(), + new StringVal(len, (const char*) data), + }); } } diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index f095fe96fa..a4975cdaa1 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -182,7 +182,7 @@ public: Val* BuildHdrVal(); Val* BuildAnswerVal(); Val* BuildEDNS_Val(); - Val* BuildTSIG_Val(); + Val* BuildTSIG_Val(struct TSIG_DATA*); Val* BuildRRSIG_Val(struct RRSIG_DATA*); Val* BuildDNSKEY_Val(struct DNSKEY_DATA*); Val* BuildNSEC3_Val(struct NSEC3_DATA*); @@ -214,10 +214,6 @@ public: ///< identical answer, there may be problems // uint32* addr; ///< cache value to pass back results ///< for forward lookups - - // More values for spesific DNS types. - //struct EDNS_ADDITIONAL* edns; - struct TSIG_DATA* tsig; }; diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc index bb81eaa1fd..62fd36c0da 100644 --- a/src/analyzer/protocol/file/File.cc +++ b/src/analyzer/protocol/file/File.cc @@ -78,10 +78,11 @@ void File_Analyzer::Identify() string match = matches.empty() ? "" : *(matches.begin()->second.begin()); - ConnectionEvent(file_transferred, { - BuildConnVal(), - new StringVal(buffer_len, buffer), - new StringVal(""), - new StringVal(match), - }); + if ( file_transferred ) + ConnectionEventFast(file_transferred, { + BuildConnVal(), + new StringVal(buffer_len, buffer), + new StringVal(""), + new StringVal(match), + }); } diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc index 0f7cec2677..fcc778f151 100644 --- a/src/analyzer/protocol/finger/Finger.cc +++ b/src/analyzer/protocol/finger/Finger.cc @@ -68,7 +68,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig if ( finger_request ) { - ConnectionEvent(finger_request, { + ConnectionEventFast(finger_request, { BuildConnVal(), val_mgr->GetBool(long_cnt), new StringVal(at - line, line), @@ -87,7 +87,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig if ( ! finger_reply ) return; - ConnectionEvent(finger_reply, { + ConnectionEventFast(finger_reply, { BuildConnVal(), new StringVal(end_of_line - line, line), }); diff --git a/src/analyzer/protocol/gnutella/Gnutella.cc b/src/analyzer/protocol/gnutella/Gnutella.cc index dc6e14bf63..0b0ebadf03 100644 --- a/src/analyzer/protocol/gnutella/Gnutella.cc +++ b/src/analyzer/protocol/gnutella/Gnutella.cc @@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done() if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) { if ( Established() && gnutella_establish ) - ConnectionEvent(gnutella_establish, {BuildConnVal()}); + ConnectionEventFast(gnutella_establish, {BuildConnVal()}); else if ( ! Established () && gnutella_not_establish ) - ConnectionEvent(gnutella_not_establish, {BuildConnVal()}); + ConnectionEventFast(gnutella_not_establish, {BuildConnVal()}); } if ( gnutella_partial_binary_msg ) @@ -72,7 +72,7 @@ void Gnutella_Analyzer::Done() { if ( ! p->msg_sent && p->msg_pos ) { - ConnectionEvent(gnutella_partial_binary_msg, { + ConnectionEventFast(gnutella_partial_binary_msg, { BuildConnVal(), new StringVal(p->msg), val_mgr->GetBool((i == 0)), @@ -121,7 +121,7 @@ int Gnutella_Analyzer::IsHTTP(string header) if ( gnutella_http_notify ) { - ConnectionEvent(gnutella_http_notify, {BuildConnVal()}); + ConnectionEventFast(gnutella_http_notify, {BuildConnVal()}); } analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn()); @@ -181,7 +181,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig) { if ( gnutella_text_msg ) { - ConnectionEvent(gnutella_text_msg, { + ConnectionEventFast(gnutella_text_msg, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(ms->headers.data()), @@ -195,7 +195,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig) { sent_establish = 1; - ConnectionEvent(gnutella_establish, {BuildConnVal()}); + ConnectionEventFast(gnutella_establish, {BuildConnVal()}); } } } @@ -221,7 +221,7 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig) if ( gnutella_binary_msg ) { - ConnectionEvent(gnutella_binary_msg, { + ConnectionEventFast(gnutella_binary_msg, { BuildConnVal(), val_mgr->GetBool(is_orig), val_mgr->GetCount(p->msg_type), diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index 6087f7b43d..cc6403cb3e 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -646,7 +646,7 @@ void HTTP_Message::Done(const int interrupted, const char* detail) if ( http_message_done ) { - GetAnalyzer()->ConnectionEvent(http_message_done, { + GetAnalyzer()->ConnectionEventFast(http_message_done, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), BuildMessageStat(interrupted, detail), @@ -679,7 +679,7 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity) if ( http_begin_entity ) { - analyzer->ConnectionEvent(http_begin_entity, { + analyzer->ConnectionEventFast(http_begin_entity, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), }); @@ -696,7 +696,7 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity) if ( http_end_entity ) { - analyzer->ConnectionEvent(http_end_entity, { + analyzer->ConnectionEventFast(http_end_entity, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), }); @@ -737,7 +737,7 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist) { if ( http_all_headers ) { - analyzer->ConnectionEvent(http_all_headers, { + analyzer->ConnectionEventFast(http_all_headers, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), BuildHeaderTable(hlist), @@ -751,7 +751,7 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist) ty->Ref(); subty->Ref(); - analyzer->ConnectionEvent(http_content_type, { + analyzer->ConnectionEventFast(http_content_type, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), ty, @@ -1183,7 +1183,7 @@ void HTTP_Analyzer::GenStats() r->Assign(3, new Val(reply_version, TYPE_DOUBLE)); // DEBUG_MSG("%.6f http_stats\n", network_time); - ConnectionEvent(http_stats, {BuildConnVal(), r}); + ConnectionEventFast(http_stats, {BuildConnVal(), r}); } } @@ -1381,7 +1381,7 @@ void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail) if ( http_event ) { // DEBUG_MSG("%.6f http_event\n", network_time); - ConnectionEvent(http_event, { + ConnectionEventFast(http_event, { BuildConnVal(), new StringVal(category), detail, @@ -1424,7 +1424,7 @@ void HTTP_Analyzer::HTTP_Request() Ref(request_method); // DEBUG_MSG("%.6f http_request\n", network_time); - ConnectionEvent(http_request, { + ConnectionEventFast(http_request, { BuildConnVal(), request_method, TruncateURI(request_URI->AsStringVal()), @@ -1438,7 +1438,7 @@ void HTTP_Analyzer::HTTP_Reply() { if ( http_reply ) { - ConnectionEvent(http_reply, { + ConnectionEventFast(http_reply, { BuildConnVal(), new StringVal(fmt("%.1f", reply_version)), val_mgr->GetCount(reply_code), @@ -1517,7 +1517,7 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg) if ( http_connection_upgrade ) { - ConnectionEvent(http_connection_upgrade, { + ConnectionEventFast(http_connection_upgrade, { BuildConnVal(), new StringVal(upgrade_protocol), }); @@ -1693,7 +1693,7 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h) if ( DEBUG_http ) DEBUG_MSG("%.6f http_header\n", network_time); - ConnectionEvent(http_header, { + ConnectionEventFast(http_header, { BuildConnVal(), val_mgr->GetBool(is_orig), mime::new_string_val(h->get_name())->ToUpper(), @@ -1827,7 +1827,7 @@ void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data) { if ( http_entity_data ) { - ConnectionEvent(http_entity_data, { + ConnectionEventFast(http_entity_data, { BuildConnVal(), val_mgr->GetBool(is_orig), val_mgr->GetCount(entity_data->Len()), diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc index a740ac8848..0acbbd9731 100644 --- a/src/analyzer/protocol/icmp/ICMP.cc +++ b/src/analyzer/protocol/icmp/ICMP.cc @@ -199,7 +199,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, { if ( icmp_sent ) { - ConnectionEvent(icmp_sent, { + ConnectionEventFast(icmp_sent, { BuildConnVal(), BuildICMPVal(icmpp, len, icmpv6, ip_hdr), }); @@ -209,7 +209,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, { BroString* payload = new BroString(data, min(len, caplen), 0); - ConnectionEvent(icmp_sent_payload, { + ConnectionEventFast(icmp_sent_payload, { BuildConnVal(), BuildICMPVal(icmpp, len, icmpv6, ip_hdr), new StringVal(payload), @@ -512,7 +512,7 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len, BroString* payload = new BroString(data, caplen, 0); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr), val_mgr->GetCount(iid), @@ -526,6 +526,10 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_router_advertisement; + + if ( ! f ) + return; + uint32 reachable = 0, retrans = 0; if ( caplen >= (int)sizeof(reachable) ) @@ -536,7 +540,7 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, int opt_offset = sizeof(reachable) + sizeof(retrans); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), val_mgr->GetCount(icmpp->icmp_num_addrs), // Cur Hop Limit @@ -558,6 +562,10 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_neighbor_advertisement; + + if ( ! f ) + return; + IPAddr tgtaddr; if ( caplen >= (int)sizeof(in6_addr) ) @@ -565,7 +573,7 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, int opt_offset = sizeof(in6_addr); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80), // Router @@ -581,6 +589,10 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_neighbor_solicitation; + + if ( ! f ) + return; + IPAddr tgtaddr; if ( caplen >= (int)sizeof(in6_addr) ) @@ -588,7 +600,7 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, int opt_offset = sizeof(in6_addr); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), new AddrVal(tgtaddr), @@ -601,6 +613,10 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_redirect; + + if ( ! f ) + return; + IPAddr tgtaddr, dstaddr; if ( caplen >= (int)sizeof(in6_addr) ) @@ -611,7 +627,7 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len, int opt_offset = 2 * sizeof(in6_addr); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), new AddrVal(tgtaddr), @@ -626,7 +642,10 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len, { EventHandlerPtr f = icmp_router_solicitation; - ConnectionEvent(f, { + if ( ! f ) + return; + + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), BuildNDOptionsVal(caplen, data), @@ -652,7 +671,7 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp, if ( f ) { - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 0, ip_hdr), val_mgr->GetCount(icmpp->icmp_code), @@ -692,7 +711,7 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp, if ( f ) { - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), val_mgr->GetCount(icmpp->icmp_code), diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc index ba32968c3b..ba00d9215b 100644 --- a/src/analyzer/protocol/ident/Ident.cc +++ b/src/analyzer/protocol/ident/Ident.cc @@ -83,7 +83,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) Weird("ident_request_addendum", s.CheckString()); } - ConnectionEvent(ident_request, { + ConnectionEventFast(ident_request, { BuildConnVal(), val_mgr->GetPort(local_port, TRANSPORT_TCP), val_mgr->GetPort(remote_port, TRANSPORT_TCP), @@ -143,12 +143,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) if ( is_error ) { - ConnectionEvent(ident_error, { - BuildConnVal(), - val_mgr->GetPort(local_port, TRANSPORT_TCP), - val_mgr->GetPort(remote_port, TRANSPORT_TCP), - new StringVal(end_of_line - line, line), - }); + if ( ident_error ) + ConnectionEventFast(ident_error, { + BuildConnVal(), + val_mgr->GetPort(local_port, TRANSPORT_TCP), + val_mgr->GetPort(remote_port, TRANSPORT_TCP), + new StringVal(end_of_line - line, line), + }); } else @@ -176,7 +177,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) line = skip_whitespace(colon + 1, end_of_line); - ConnectionEvent(ident_reply, { + ConnectionEventFast(ident_reply, { BuildConnVal(), val_mgr->GetPort(local_port, TRANSPORT_TCP), val_mgr->GetPort(remote_port, TRANSPORT_TCP), diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac index 353aadb7ce..ac1652086e 100644 --- a/src/analyzer/protocol/imap/imap-analyzer.pac +++ b/src/analyzer/protocol/imap/imap-analyzer.pac @@ -43,7 +43,9 @@ refine connection IMAP_Conn += { if ( commands == "ok" ) { bro_analyzer()->StartTLS(); - BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn()); + + if ( imap_starttls ) + BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn()); } else reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS"); @@ -54,6 +56,9 @@ refine connection IMAP_Conn += { function proc_server_capability(capabilities: Capability[]): bool %{ + if ( ! imap_capabilities ) + return true; + VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType()); for ( unsigned int i = 0; i< capabilities->size(); i++ ) { diff --git a/src/analyzer/protocol/interconn/InterConn.cc b/src/analyzer/protocol/interconn/InterConn.cc index 39749a0deb..057280a0fa 100644 --- a/src/analyzer/protocol/interconn/InterConn.cc +++ b/src/analyzer/protocol/interconn/InterConn.cc @@ -241,16 +241,18 @@ void InterConn_Analyzer::StatTimer(double t, int is_expire) void InterConn_Analyzer::StatEvent() { - Conn()->ConnectionEvent(interconn_stats, this, { - Conn()->BuildConnVal(), - orig_endp->BuildStats(), - resp_endp->BuildStats(), - }); + if ( interconn_stats ) + Conn()->ConnectionEventFast(interconn_stats, this, { + Conn()->BuildConnVal(), + orig_endp->BuildStats(), + resp_endp->BuildStats(), + }); } void InterConn_Analyzer::RemoveEvent() { - Conn()->ConnectionEvent(interconn_remove_conn, this, {Conn()->BuildConnVal()}); + if ( interconn_remove_conn ) + Conn()->ConnectionEventFast(interconn_remove_conn, this, {Conn()->BuildConnVal()}); } InterConnTimer::InterConnTimer(double t, InterConn_Analyzer* a) diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc index cd48d8469c..c5db109434 100644 --- a/src/analyzer/protocol/irc/IRC.cc +++ b/src/analyzer/protocol/irc/IRC.cc @@ -233,7 +233,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) // else ### } - ConnectionEvent(irc_network_info, { + ConnectionEventFast(irc_network_info, { BuildConnVal(), val_mgr->GetBool(orig), val_mgr->GetInt(users), @@ -281,7 +281,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) Unref(idx); } - ConnectionEvent(irc_names_info, { + ConnectionEventFast(irc_names_info, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(type.c_str()), @@ -315,7 +315,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) // else ### } - ConnectionEvent(irc_server_info, { + ConnectionEventFast(irc_server_info, { BuildConnVal(), val_mgr->GetBool(orig), val_mgr->GetInt(users), @@ -337,7 +337,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts[i] == ":channels" ) channels = atoi(parts[i - 1].c_str()); - ConnectionEvent(irc_channel_info, { + ConnectionEventFast(irc_channel_info, { BuildConnVal(), val_mgr->GetBool(orig), val_mgr->GetInt(channels), @@ -369,7 +369,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) break; } - ConnectionEvent(irc_global_users, { + ConnectionEventFast(irc_global_users, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(eop - prefix, prefix), @@ -412,7 +412,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) vl.append(new StringVal(real_name.c_str())); - ConnectionEvent(irc_whois_user_line, std::move(vl)); + ConnectionEventFast(irc_whois_user_line, std::move(vl)); } break; @@ -433,7 +433,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) return; } - ConnectionEvent(irc_whois_operator_line, { + ConnectionEventFast(irc_whois_operator_line, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(parts[0].c_str()), @@ -472,7 +472,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) Unref(idx); } - ConnectionEvent(irc_whois_channel_line, { + ConnectionEventFast(irc_whois_channel_line, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(nick.c_str()), @@ -503,7 +503,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( *t == ':' ) ++t; - ConnectionEvent(irc_channel_topic, { + ConnectionEventFast(irc_channel_topic, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(parts[1].c_str()), @@ -537,7 +537,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts[7][0] == ':' ) parts[7] = parts[7].substr(1); - ConnectionEvent(irc_who_line, { + ConnectionEventFast(irc_who_line, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(parts[0].c_str()), @@ -560,7 +560,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) case 436: if ( irc_invalid_nick ) { - ConnectionEvent(irc_invalid_nick, { + ConnectionEventFast(irc_invalid_nick, { BuildConnVal(), val_mgr->GetBool(orig), }); @@ -572,7 +572,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) case 491: // user is not operator if ( irc_oper_response ) { - ConnectionEvent(irc_oper_response, { + ConnectionEventFast(irc_oper_response, { BuildConnVal(), val_mgr->GetBool(orig), val_mgr->GetBool(code == 381), @@ -587,13 +587,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) // All other server replies. default: - ConnectionEvent(irc_reply, { - BuildConnVal(), - val_mgr->GetBool(orig), - new StringVal(prefix.c_str()), - val_mgr->GetCount(code), - new StringVal(params.c_str()), - }); + if ( irc_reply ) + ConnectionEventFast(irc_reply, { + BuildConnVal(), + val_mgr->GetBool(orig), + new StringVal(prefix.c_str()), + val_mgr->GetCount(code), + new StringVal(params.c_str()), + }); break; } return; @@ -657,30 +658,32 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) } - ConnectionEvent(irc_dcc_message, { - BuildConnVal(), - val_mgr->GetBool(orig), - new StringVal(prefix.c_str()), - new StringVal(target.c_str()), - new StringVal(parts[1].c_str()), - new StringVal(parts[2].c_str()), - new AddrVal(htonl(raw_ip)), - val_mgr->GetCount(atoi(parts[4].c_str())), - parts.size() >= 6 ? - val_mgr->GetCount(atoi(parts[5].c_str())) : - val_mgr->GetCount(0), - }); + if ( irc_dcc_message ) + ConnectionEventFast(irc_dcc_message, { + BuildConnVal(), + val_mgr->GetBool(orig), + new StringVal(prefix.c_str()), + new StringVal(target.c_str()), + new StringVal(parts[1].c_str()), + new StringVal(parts[2].c_str()), + new AddrVal(htonl(raw_ip)), + val_mgr->GetCount(atoi(parts[4].c_str())), + parts.size() >= 6 ? + val_mgr->GetCount(atoi(parts[5].c_str())) : + val_mgr->GetCount(0), + }); } else { - ConnectionEvent(irc_privmsg_message, { - BuildConnVal(), - val_mgr->GetBool(orig), - new StringVal(prefix.c_str()), - new StringVal(target.c_str()), - new StringVal(message.c_str()), - }); + if ( irc_privmsg_message ) + ConnectionEventFast(irc_privmsg_message, { + BuildConnVal(), + val_mgr->GetBool(orig), + new StringVal(prefix.c_str()), + new StringVal(target.c_str()), + new StringVal(message.c_str()), + }); } } @@ -699,7 +702,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( message[0] == ':' ) message = message.substr(1); - ConnectionEvent(irc_notice_message, { + ConnectionEventFast(irc_notice_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -723,7 +726,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( message[0] == ':' ) message = message.substr(1); - ConnectionEvent(irc_squery_message, { + ConnectionEventFast(irc_squery_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -763,7 +766,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) const char* name = realname.c_str(); vl.append(new StringVal(*name == ':' ? name + 1 : name)); - ConnectionEvent(irc_user_message, std::move(vl)); + ConnectionEventFast(irc_user_message, std::move(vl)); } else if ( irc_oper_message && command == "OPER" ) @@ -772,7 +775,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) vector parts = SplitWords(params, ' '); if ( parts.size() == 2 ) { - ConnectionEvent(irc_oper_message, { + ConnectionEventFast(irc_oper_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(parts[0].c_str()), @@ -814,7 +817,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) else vl.append(val_mgr->GetEmptyString()); - ConnectionEvent(irc_kick_message, std::move(vl)); + ConnectionEventFast(irc_kick_message, std::move(vl)); } else if ( irc_join_message && command == "JOIN" ) @@ -862,7 +865,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) Unref(info); } - ConnectionEvent(irc_join_message, { + ConnectionEventFast(irc_join_message, { BuildConnVal(), val_mgr->GetBool(orig), list, @@ -923,7 +926,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) Unref(info); } - ConnectionEvent(irc_join_message, { + ConnectionEventFast(irc_join_message, { BuildConnVal(), val_mgr->GetBool(orig), list, @@ -963,7 +966,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) Unref(idx); } - ConnectionEvent(irc_part_message, { + ConnectionEventFast(irc_part_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(nick.c_str()), @@ -986,7 +989,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) nickname = prefix.substr(0, pos); } - ConnectionEvent(irc_quit_message, { + ConnectionEventFast(irc_quit_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(nickname.c_str()), @@ -1000,7 +1003,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( nick[0] == ':' ) nick = nick.substr(1); - ConnectionEvent(irc_nick_message, { + ConnectionEventFast(irc_nick_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1025,7 +1028,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' ) parts[0] = parts[0].substr(1); - ConnectionEvent(irc_who_message, { + ConnectionEventFast(irc_who_message, { BuildConnVal(), val_mgr->GetBool(orig), parts.size() > 0 ? @@ -1055,7 +1058,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) else users = parts[0]; - ConnectionEvent(irc_whois_message, { + ConnectionEventFast(irc_whois_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(server.c_str()), @@ -1068,7 +1071,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( params[0] == ':' ) params = params.substr(1); - ConnectionEvent(irc_error_message, { + ConnectionEventFast(irc_error_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1084,7 +1087,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts[1].size() > 0 && parts[1][0] == ':' ) parts[1] = parts[1].substr(1); - ConnectionEvent(irc_invite_message, { + ConnectionEventFast(irc_invite_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1100,7 +1103,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { if ( params.size() > 0 ) { - ConnectionEvent(irc_mode_message, { + ConnectionEventFast(irc_mode_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1114,7 +1117,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) else if ( irc_password_message && command == "PASS" ) { - ConnectionEvent(irc_password_message, { + ConnectionEventFast(irc_password_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(params.c_str()), @@ -1136,7 +1139,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) message = message.substr(1); } - ConnectionEvent(irc_squit_message, { + ConnectionEventFast(irc_squit_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1150,7 +1153,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { if ( irc_request ) { - ConnectionEvent(irc_request, { + ConnectionEventFast(irc_request, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1164,7 +1167,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { if ( irc_message ) { - ConnectionEvent(irc_message, { + ConnectionEventFast(irc_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1199,7 +1202,8 @@ void IRC_Analyzer::StartTLS() if ( ssl ) AddChildAnalyzer(ssl); - ConnectionEvent(irc_starttls, {BuildConnVal()}); + if ( irc_starttls ) + ConnectionEventFast(irc_starttls, {BuildConnVal()}); } vector IRC_Analyzer::SplitWords(const string input, const char split) diff --git a/src/analyzer/protocol/login/Login.cc b/src/analyzer/protocol/login/Login.cc index 326c126ae9..31aba64755 100644 --- a/src/analyzer/protocol/login/Login.cc +++ b/src/analyzer/protocol/login/Login.cc @@ -289,7 +289,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line) { if ( authentication_skipped ) { - ConnectionEvent(authentication_skipped, {BuildConnVal()}); + ConnectionEventFast(authentication_skipped, {BuildConnVal()}); } state = LOGIN_STATE_SKIP; @@ -332,7 +332,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) else if ( login_terminal && streq(name, "TERM") ) { - ConnectionEvent(login_terminal, { + ConnectionEventFast(login_terminal, { BuildConnVal(), new StringVal(val), }); @@ -340,7 +340,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) else if ( login_display && streq(name, "DISPLAY") ) { - ConnectionEvent(login_display, { + ConnectionEventFast(login_display, { BuildConnVal(), new StringVal(val), }); @@ -348,7 +348,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) else if ( login_prompt && streq(name, "TTYPROMPT") ) { - ConnectionEvent(login_prompt, { + ConnectionEventFast(login_prompt, { BuildConnVal(), new StringVal(val), }); @@ -425,7 +425,7 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line, Val* password = HaveTypeahead() ? PopUserTextVal() : new StringVal(""); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), username->Ref(), client_name ? client_name->Ref() : val_mgr->GetEmptyString(), @@ -444,7 +444,10 @@ const char* Login_Analyzer::GetUsername(const char* line) const void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line) { - ConnectionEvent(f, { + if ( ! f ) + return; + + ConnectionEventFast(f, { BuildConnVal(), new StringVal(line), }); @@ -457,7 +460,7 @@ void Login_Analyzer::Confused(const char* msg, const char* line) if ( login_confused ) { - ConnectionEvent(login_confused, { + ConnectionEventFast(login_confused, { BuildConnVal(), new StringVal(msg), new StringVal(line), @@ -483,7 +486,7 @@ void Login_Analyzer::ConfusionText(const char* line) { if ( login_confused_text ) { - ConnectionEvent(login_confused_text, { + ConnectionEventFast(login_confused_text, { BuildConnVal(), new StringVal(line), }); diff --git a/src/analyzer/protocol/login/NVT.cc b/src/analyzer/protocol/login/NVT.cc index 53ad3c202d..ea651ece42 100644 --- a/src/analyzer/protocol/login/NVT.cc +++ b/src/analyzer/protocol/login/NVT.cc @@ -461,7 +461,7 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len) { if ( login_terminal ) { - ConnectionEvent(login_terminal, { + ConnectionEventFast(login_terminal, { BuildConnVal(), new StringVal(new BroString(terminal, len, 0)), }); diff --git a/src/analyzer/protocol/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc index 4688bf9280..b3cca3f5c4 100644 --- a/src/analyzer/protocol/login/RSH.cc +++ b/src/analyzer/protocol/login/RSH.cc @@ -183,11 +183,11 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig) else vl.append(val_mgr->GetFalse()); - ConnectionEvent(rsh_request, std::move(vl)); + ConnectionEventFast(rsh_request, std::move(vl)); } else - ConnectionEvent(rsh_reply, std::move(vl)); + ConnectionEventFast(rsh_reply, std::move(vl)); } void Rsh_Analyzer::ClientUserName(const char* s) diff --git a/src/analyzer/protocol/login/Rlogin.cc b/src/analyzer/protocol/login/Rlogin.cc index 10d9e23e91..0c7386e59f 100644 --- a/src/analyzer/protocol/login/Rlogin.cc +++ b/src/analyzer/protocol/login/Rlogin.cc @@ -244,7 +244,7 @@ void Rlogin_Analyzer::TerminalType(const char* s) { if ( login_terminal ) { - ConnectionEvent(login_terminal, { + ConnectionEventFast(login_terminal, { BuildConnVal(), new StringVal(s), }); diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc index edb5316bac..35b9832020 100644 --- a/src/analyzer/protocol/mime/MIME.cc +++ b/src/analyzer/protocol/mime/MIME.cc @@ -1358,7 +1358,7 @@ void MIME_Mail::Done() hash_final(md5_hash, digest); md5_hash = nullptr; - analyzer->ConnectionEvent(mime_content_hash, { + analyzer->ConnectionEventFast(mime_content_hash, { analyzer->BuildConnVal(), val_mgr->GetCount(content_hash_length), new StringVal(new BroString(1, digest, 16)), @@ -1386,7 +1386,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */) cur_entity_id.clear(); if ( mime_begin_entity ) - analyzer->ConnectionEvent(mime_begin_entity, {analyzer->BuildConnVal()}); + analyzer->ConnectionEventFast(mime_begin_entity, {analyzer->BuildConnVal()}); buffer_start = data_start = 0; ASSERT(entity_content.size() == 0); @@ -1398,8 +1398,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */) { BroString* s = concatenate(entity_content); - - analyzer->ConnectionEvent(mime_entity_data, { + analyzer->ConnectionEventFast(mime_entity_data, { analyzer->BuildConnVal(), val_mgr->GetCount(s->Len()), new StringVal(s), @@ -1412,7 +1411,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */) } if ( mime_end_entity ) - analyzer->ConnectionEvent(mime_end_entity, {analyzer->BuildConnVal()}); + analyzer->ConnectionEventFast(mime_end_entity, {analyzer->BuildConnVal()}); file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); cur_entity_id.clear(); @@ -1422,7 +1421,7 @@ void MIME_Mail::SubmitHeader(MIME_Header* h) { if ( mime_one_header ) { - analyzer->ConnectionEvent(mime_one_header, { + analyzer->ConnectionEventFast(mime_one_header, { analyzer->BuildConnVal(), BuildHeaderVal(h), }); @@ -1433,7 +1432,7 @@ void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist) { if ( mime_all_headers ) { - analyzer->ConnectionEvent(mime_all_headers, { + analyzer->ConnectionEventFast(mime_all_headers, { analyzer->BuildConnVal(), BuildHeaderTable(hlist), }); @@ -1470,7 +1469,7 @@ void MIME_Mail::SubmitData(int len, const char* buf) const char* data = (char*) data_buffer->Bytes() + data_start; int data_len = (buf + len) - data; - analyzer->ConnectionEvent(mime_segment_data, { + analyzer->ConnectionEventFast(mime_segment_data, { analyzer->BuildConnVal(), val_mgr->GetCount(data_len), new StringVal(data_len, data), @@ -1517,7 +1516,7 @@ void MIME_Mail::SubmitAllData() BroString* s = concatenate(all_content); delete_strings(all_content); - analyzer->ConnectionEvent(mime_all_data, { + analyzer->ConnectionEventFast(mime_all_data, { analyzer->BuildConnVal(), val_mgr->GetCount(s->Len()), new StringVal(s), @@ -1546,7 +1545,7 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail) if ( mime_event ) { - analyzer->ConnectionEvent(mime_event, { + analyzer->ConnectionEventFast(mime_event, { analyzer->BuildConnVal(), new StringVal(category), new StringVal(detail), diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc index ceb480292b..de13e4a6e7 100644 --- a/src/analyzer/protocol/ncp/NCP.cc +++ b/src/analyzer/protocol/ncp/NCP.cc @@ -63,7 +63,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame) { if ( frame->is_orig() ) { - analyzer->ConnectionEvent(f, { + analyzer->ConnectionEventFast(f, { analyzer->BuildConnVal(), val_mgr->GetCount(frame->frame_type()), val_mgr->GetCount(frame->body_length()), @@ -72,7 +72,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame) } else { - analyzer->ConnectionEvent(f, { + analyzer->ConnectionEventFast(f, { analyzer->BuildConnVal(), val_mgr->GetCount(frame->frame_type()), val_mgr->GetCount(frame->body_length()), diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc index 5dc07f7d0d..c643f8ced7 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.cc +++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc @@ -58,7 +58,7 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags, { if ( netbios_session_message ) { - analyzer->ConnectionEvent(netbios_session_message, { + analyzer->ConnectionEventFast(netbios_session_message, { analyzer->BuildConnVal(), val_mgr->GetBool(is_query), val_mgr->GetCount(type), @@ -330,14 +330,14 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data, if ( is_orig >= 0 ) { - analyzer->ConnectionEvent(event, { + analyzer->ConnectionEventFast(event, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), new StringVal(new BroString(data, len, 0)), }); } else - analyzer->ConnectionEvent(event, { + analyzer->ConnectionEventFast(event, { analyzer->BuildConnVal(), new StringVal(new BroString(data, len, 0)), }); diff --git a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac index c72a9d249a..0f0d842570 100644 --- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac +++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac @@ -94,6 +94,9 @@ refine connection NTLM_Conn += { function proc_ntlm_negotiate(val: NTLM_Negotiate): bool %{ + if ( ! ntlm_negotiate ) + return true; + RecordVal* result = new RecordVal(BifType::Record::NTLM::Negotiate); result->Assign(0, build_negotiate_flag_record(${val.flags})); @@ -115,6 +118,9 @@ refine connection NTLM_Conn += { function proc_ntlm_challenge(val: NTLM_Challenge): bool %{ + if ( ! ntlm_challenge ) + return true; + RecordVal* result = new RecordVal(BifType::Record::NTLM::Challenge); result->Assign(0, build_negotiate_flag_record(${val.flags})); @@ -136,6 +142,9 @@ refine connection NTLM_Conn += { function proc_ntlm_authenticate(val: NTLM_Authenticate): bool %{ + if ( ! ntlm_authenticate ) + return true; + RecordVal* result = new RecordVal(BifType::Record::NTLM::Authenticate); result->Assign(0, build_negotiate_flag_record(${val.flags})); diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc index 2e6988d13f..a4c147b464 100644 --- a/src/analyzer/protocol/ntp/NTP.cc +++ b/src/analyzer/protocol/ntp/NTP.cc @@ -62,6 +62,9 @@ void NTP_Analyzer::Message(const u_char* data, int len) len -= sizeof *ntp_data; data += sizeof *ntp_data; + if ( ! ntp_message ) + return; + RecordVal* msg = new RecordVal(ntp_msg); unsigned int code = ntp_data->status & 0x7; @@ -78,7 +81,7 @@ void NTP_Analyzer::Message(const u_char* data, int len) msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME)); msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME)); - ConnectionEvent(ntp_message, { + ConnectionEventFast(ntp_message, { BuildConnVal(), msg, new StringVal(new BroString(data, len, 0)), diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc index e7ccf3907c..d8601ed3ba 100644 --- a/src/analyzer/protocol/pop3/POP3.cc +++ b/src/analyzer/protocol/pop3/POP3.cc @@ -833,7 +833,8 @@ void POP3_Analyzer::StartTLS() if ( ssl ) AddChildAnalyzer(ssl); - ConnectionEvent(pop3_starttls, {BuildConnVal()}); + if ( pop3_starttls ) + ConnectionEventFast(pop3_starttls, {BuildConnVal()}); } void POP3_Analyzer::AuthSuccessfull() @@ -932,5 +933,5 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig, if ( arg2 ) vl.append(new StringVal(arg2)); - ConnectionEvent(event, std::move(vl)); + ConnectionEventFast(event, std::move(vl)); } diff --git a/src/analyzer/protocol/rfb/rfb-analyzer.pac b/src/analyzer/protocol/rfb/rfb-analyzer.pac index 39a792ba89..67adba8681 100644 --- a/src/analyzer/protocol/rfb/rfb-analyzer.pac +++ b/src/analyzer/protocol/rfb/rfb-analyzer.pac @@ -1,7 +1,8 @@ refine flow RFB_Flow += { function proc_rfb_message(msg: RFB_PDU): bool %{ - BifEvent::generate_rfb_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn()); + if ( rfb_event ) + BifEvent::generate_rfb_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn()); return true; %} @@ -9,44 +10,51 @@ refine flow RFB_Flow += { %{ if (client) { - BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); + if ( rfb_client_version ) + BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); connection()->bro_analyzer()->ProtocolConfirmation(); } else { - BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); + if ( rfb_server_version ) + BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); } return true; %} function proc_rfb_share_flag(shared: bool) : bool %{ - BifEvent::generate_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared); + if ( rfb_share_flag ) + BifEvent::generate_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared); return true; %} function proc_security_types(msg: RFBSecurityTypes) : bool %{ - BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype}); + if ( rfb_authentication_type ) + BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype}); return true; %} function proc_security_types37(msg: RFBAuthTypeSelected) : bool %{ - BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type}); + if ( rfb_authentication_type ) + BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type}); return true; %} function proc_handle_server_params(msg:RFBServerInit) : bool %{ - BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height}); + if ( rfb_server_parameters ) + BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height}); return true; %} function proc_handle_security_result(result : uint32) : bool %{ - BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result); + if ( rfb_auth_result ) + BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result); return true; %} }; diff --git a/src/analyzer/protocol/rpc/MOUNT.cc b/src/analyzer/protocol/rpc/MOUNT.cc index 1cea8e0211..4473826830 100644 --- a/src/analyzer/protocol/rpc/MOUNT.cc +++ b/src/analyzer/protocol/rpc/MOUNT.cc @@ -95,7 +95,7 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status { auto vl = event_common_vl(c, rpc_status, mount_status, start_time, last_time, reply_len, 0); - analyzer->ConnectionEvent(mount_reply_status, std::move(vl)); + analyzer->ConnectionEventFast(mount_reply_status, std::move(vl)); } if ( ! rpc_success ) @@ -173,7 +173,7 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status if ( reply ) vl.append(reply); - analyzer->ConnectionEvent(event, std::move(vl)); + analyzer->ConnectionEventFast(event, std::move(vl)); } else Unref(reply); diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 3453263dd0..089d89ea98 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -149,7 +149,7 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, { auto vl = event_common_vl(c, rpc_status, nfs_status, start_time, last_time, reply_len, 0); - analyzer->ConnectionEvent(nfs_reply_status, std::move(vl)); + analyzer->ConnectionEventFast(nfs_reply_status, std::move(vl)); } if ( ! rpc_success ) @@ -285,7 +285,7 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, if ( reply ) vl.append(reply); - analyzer->ConnectionEvent(event, std::move(vl)); + analyzer->ConnectionEventFast(event, std::move(vl)); } else Unref(reply); diff --git a/src/analyzer/protocol/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc index 8333f615fa..cb3944519f 100644 --- a/src/analyzer/protocol/rpc/Portmap.cc +++ b/src/analyzer/protocol/rpc/Portmap.cc @@ -261,7 +261,7 @@ uint32 PortmapperInterp::CheckPort(uint32 port) { if ( pm_bad_port ) { - analyzer->ConnectionEvent(pm_bad_port, { + analyzer->ConnectionEventFast(pm_bad_port, { analyzer->BuildConnVal(), val_mgr->GetCount(port), }); @@ -300,7 +300,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu vl.append(request); } - analyzer->ConnectionEvent(f, std::move(vl)); + analyzer->ConnectionEventFast(f, std::move(vl)); } Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn) diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index 781ba20681..be0be02232 100644 --- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc @@ -330,7 +330,7 @@ void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status st { if ( rpc_dialogue ) { - analyzer->ConnectionEvent(rpc_dialogue, { + analyzer->ConnectionEventFast(rpc_dialogue, { analyzer->BuildConnVal(), val_mgr->GetCount(c->Program()), val_mgr->GetCount(c->Version()), @@ -347,7 +347,7 @@ void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c) { if ( rpc_call ) { - analyzer->ConnectionEvent(rpc_call, { + analyzer->ConnectionEventFast(rpc_call, { analyzer->BuildConnVal(), val_mgr->GetCount(c->XID()), val_mgr->GetCount(c->Program()), @@ -362,7 +362,7 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, { if ( rpc_reply ) { - analyzer->ConnectionEvent(rpc_reply, { + analyzer->ConnectionEventFast(rpc_reply, { analyzer->BuildConnVal(), val_mgr->GetCount(xid), BifType::Enum::rpc_status->GetVal(status), diff --git a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac index 0cdae1cefb..01eae48d0b 100644 --- a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac @@ -6,8 +6,10 @@ refine connection SMB_Conn += { BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) { set_tree_is_pipe(${header.tid}); - BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), - bro_analyzer()->Conn()); + + if ( smb_pipe_connect_heuristic ) + BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), + bro_analyzer()->Conn()); } if ( smb1_nt_create_andx_request ) diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac index 4ba86d1b75..d5df7a3fca 100644 --- a/src/analyzer/protocol/smb/smb1-protocol.pac +++ b/src/analyzer/protocol/smb/smb1-protocol.pac @@ -66,9 +66,10 @@ refine connection SMB_Conn += { } else { - BifEvent::generate_smb1_error(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(h), is_orig); + if ( smb1_error ) + BifEvent::generate_smb1_error(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(h), is_orig); } return true; %} diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac index 2f7dfc4d26..d3df094f51 100644 --- a/src/analyzer/protocol/smb/smb2-com-create.pac +++ b/src/analyzer/protocol/smb/smb2-com-create.pac @@ -7,8 +7,10 @@ refine connection SMB_Conn += { BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) { set_tree_is_pipe(${h.tree_id}); - BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), - bro_analyzer()->Conn()); + + if ( smb_pipe_connect_heuristic ) + BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), + bro_analyzer()->Conn()); } if ( smb2_create_request ) diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc index dff1677fc3..aa049c994b 100644 --- a/src/analyzer/protocol/smtp/SMTP.cc +++ b/src/analyzer/protocol/smtp/SMTP.cc @@ -220,7 +220,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) if ( smtp_data && ! skip_data ) { - ConnectionEvent(smtp_data, { + ConnectionEventFast(smtp_data, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(data_len, line), @@ -350,7 +350,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) break; } - ConnectionEvent(smtp_reply, { + ConnectionEventFast(smtp_reply, { BuildConnVal(), val_mgr->GetBool(orig), val_mgr->GetCount(reply_code), @@ -410,7 +410,8 @@ void SMTP_Analyzer::StartTLS() if ( ssl ) AddChildAnalyzer(ssl); - ConnectionEvent(smtp_starttls, {BuildConnVal()}); + if ( smtp_starttls ) + ConnectionEventFast(smtp_starttls, {BuildConnVal()}); } @@ -852,12 +853,14 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd, int arg_len, const char* arg) { ProtocolConfirmation(); - ConnectionEvent(smtp_request, { - BuildConnVal(), - val_mgr->GetBool(orig_is_sender), - (new StringVal(cmd_len, cmd))->ToUpper(), - new StringVal(arg_len, arg), - }); + + if ( smtp_request ) + ConnectionEventFast(smtp_request, { + BuildConnVal(), + val_mgr->GetBool(orig_is_sender), + (new StringVal(cmd_len, cmd))->ToUpper(), + new StringVal(arg_len, arg), + }); } void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg, @@ -872,7 +875,7 @@ void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg, if ( ! orig_is_sender ) is_orig = ! is_orig; - ConnectionEvent(smtp_unexpected, { + ConnectionEventFast(smtp_unexpected, { BuildConnVal(), val_mgr->GetBool(is_orig), new StringVal(msg), diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index f625851d0a..b0ec62e2b9 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac @@ -22,18 +22,22 @@ refine connection SOCKS_Conn += { function socks4_request(request: SOCKS4_Request): bool %{ - RecordVal* sa = new RecordVal(socks_address); - sa->Assign(0, new AddrVal(htonl(${request.addr}))); - if ( ${request.v4a} ) - sa->Assign(1, array_to_string(${request.name})); + if ( socks_request ) + { + RecordVal* sa = new RecordVal(socks_address); + sa->Assign(0, new AddrVal(htonl(${request.addr}))); - BifEvent::generate_socks_request(bro_analyzer(), - bro_analyzer()->Conn(), - 4, - ${request.command}, - sa, - val_mgr->GetPort(${request.port}, TRANSPORT_TCP), - array_to_string(${request.user})); + if ( ${request.v4a} ) + sa->Assign(1, array_to_string(${request.name})); + + BifEvent::generate_socks_request(bro_analyzer(), + bro_analyzer()->Conn(), + 4, + ${request.command}, + sa, + val_mgr->GetPort(${request.port}, TRANSPORT_TCP), + array_to_string(${request.user})); + } static_cast(bro_analyzer())->EndpointDone(true); @@ -42,15 +46,18 @@ refine connection SOCKS_Conn += { function socks4_reply(reply: SOCKS4_Reply): bool %{ - RecordVal* sa = new RecordVal(socks_address); - sa->Assign(0, new AddrVal(htonl(${reply.addr}))); + if ( socks_reply ) + { + RecordVal* sa = new RecordVal(socks_address); + sa->Assign(0, new AddrVal(htonl(${reply.addr}))); - BifEvent::generate_socks_reply(bro_analyzer(), - bro_analyzer()->Conn(), - 4, - ${reply.status}, - sa, - val_mgr->GetPort(${reply.port}, TRANSPORT_TCP)); + BifEvent::generate_socks_reply(bro_analyzer(), + bro_analyzer()->Conn(), + 4, + ${reply.status}, + sa, + val_mgr->GetPort(${reply.port}, TRANSPORT_TCP)); + } bro_analyzer()->ProtocolConfirmation(); static_cast(bro_analyzer())->EndpointDone(false); @@ -97,13 +104,16 @@ refine connection SOCKS_Conn += { return false; } - BifEvent::generate_socks_request(bro_analyzer(), - bro_analyzer()->Conn(), - 5, - ${request.command}, - sa, - val_mgr->GetPort(${request.port}, TRANSPORT_TCP), - val_mgr->GetEmptyString()); + if ( socks_request ) + BifEvent::generate_socks_request(bro_analyzer(), + bro_analyzer()->Conn(), + 5, + ${request.command}, + sa, + val_mgr->GetPort(${request.port}, TRANSPORT_TCP), + val_mgr->GetEmptyString()); + else + Unref(sa); static_cast(bro_analyzer())->EndpointDone(true); @@ -136,12 +146,15 @@ refine connection SOCKS_Conn += { return false; } - BifEvent::generate_socks_reply(bro_analyzer(), - bro_analyzer()->Conn(), - 5, - ${reply.reply}, - sa, - val_mgr->GetPort(${reply.port}, TRANSPORT_TCP)); + if ( socks_reply ) + BifEvent::generate_socks_reply(bro_analyzer(), + bro_analyzer()->Conn(), + 5, + ${reply.reply}, + sa, + val_mgr->GetPort(${reply.port}, TRANSPORT_TCP)); + else + Unref(sa); bro_analyzer()->ProtocolConfirmation(); static_cast(bro_analyzer())->EndpointDone(false); @@ -150,6 +163,9 @@ refine connection SOCKS_Conn += { function socks5_auth_request_userpass(request: SOCKS5_Auth_Request_UserPass_v1): bool %{ + if ( ! socks_login_userpass_request ) + return true; + StringVal* user = new StringVal(${request.username}.length(), (const char*) ${request.username}.begin()); StringVal* pass = new StringVal(${request.password}.length(), (const char*) ${request.password}.begin()); @@ -173,9 +189,10 @@ refine connection SOCKS_Conn += { function socks5_auth_reply_userpass(reply: SOCKS5_Auth_Reply_UserPass_v1): bool %{ - BifEvent::generate_socks_login_userpass_reply(bro_analyzer(), - bro_analyzer()->Conn(), - ${reply.code}); + if ( socks_login_userpass_reply ) + BifEvent::generate_socks_login_userpass_reply(bro_analyzer(), + bro_analyzer()->Conn(), + ${reply.code}); return true; %} diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac index bf35218873..7d23ecc75e 100644 --- a/src/analyzer/protocol/ssl/ssl-analyzer.pac +++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac @@ -17,8 +17,8 @@ refine connection SSL_Conn += { function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool %{ - BifEvent::generate_ssl_established(bro_analyzer(), - bro_analyzer()->Conn()); + if ( ssl_established ) + BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn()); return true; %} diff --git a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac index d92f850d28..56573fd48e 100644 --- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac +++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac @@ -31,8 +31,9 @@ refine connection SSL_Conn += { function proc_alert(rec: SSLRecord, level : int, desc : int) : bool %{ - BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(), - ${rec.is_orig}, level, desc); + if ( ssl_alert ) + BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, level, desc); return true; %} function proc_unknown_record(rec: SSLRecord) : bool @@ -50,8 +51,8 @@ refine connection SSL_Conn += { established_ == false ) { established_ = true; - BifEvent::generate_ssl_established(bro_analyzer(), - bro_analyzer()->Conn()); + if ( ssl_established ) + BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn()); } if ( ssl_encrypted_data ) @@ -72,9 +73,10 @@ refine connection SSL_Conn += { function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool %{ - BifEvent::generate_ssl_heartbeat(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length, - new StringVal(data.length(), (const char*) data.data())); + if ( ssl_heartbeat ) + BifEvent::generate_ssl_heartbeat(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length, + new StringVal(data.length(), (const char*) data.data())); return true; %} @@ -93,8 +95,9 @@ refine connection SSL_Conn += { function proc_ccs(rec: SSLRecord) : bool %{ - BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}); + if ( ssl_change_cipher_spec ) + BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}); return true; %} diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 5cf250c366..ecaaf8c20d 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -72,6 +72,9 @@ refine connection Handshake_Conn += { function proc_ec_point_formats(rec: HandshakeRecord, point_format_list: uint8[]) : bool %{ + if ( ! ssl_extension_ec_point_formats ) + return true; + VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType()); if ( point_format_list ) @@ -88,6 +91,9 @@ refine connection Handshake_Conn += { function proc_elliptic_curves(rec: HandshakeRecord, list: uint16[]) : bool %{ + if ( ! ssl_extension_elliptic_curves ) + return true; + VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType()); if ( list ) @@ -104,6 +110,9 @@ refine connection Handshake_Conn += { function proc_client_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry[]) : bool %{ + if ( ! ssl_extension_key_share ) + return true; + VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType()); if ( keyshare ) @@ -113,11 +122,15 @@ refine connection Handshake_Conn += { } BifEvent::generate_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, nglist); + return true; %} function proc_server_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry) : bool %{ + if ( ! ssl_extension_key_share ) + return true; + VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType()); nglist->Assign(0u, val_mgr->GetCount(keyshare->namedgroup())); @@ -127,6 +140,9 @@ refine connection Handshake_Conn += { function proc_signature_algorithm(rec: HandshakeRecord, supported_signature_algorithms: SignatureAndHashAlgorithm[]) : bool %{ + if ( ! ssl_extension_signature_algorithm ) + return true; + VectorVal* slist = new VectorVal(internal_type("signature_and_hashalgorithm_vec")->AsVectorType()); if ( supported_signature_algorithms ) @@ -147,6 +163,9 @@ refine connection Handshake_Conn += { function proc_apnl(rec: HandshakeRecord, protocols: ProtocolName[]) : bool %{ + if ( ! ssl_extension_application_layer_protocol_negotiation ) + return true; + VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType()); if ( protocols ) @@ -183,14 +202,20 @@ refine connection Handshake_Conn += { } } - BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(), - ${rec.is_orig}, servers); + if ( ssl_extension_server_name ) + BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, servers); + else + Unref(servers); return true; %} function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool %{ + if ( ! ssl_extension_supported_versions ) + return true; + VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); if ( versions_list ) @@ -207,6 +232,9 @@ refine connection Handshake_Conn += { function proc_one_supported_version(rec: HandshakeRecord, version: uint16) : bool %{ + if ( ! ssl_extension_supported_versions ) + return true; + VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); versions->Assign(0u, val_mgr->GetCount(version)); @@ -218,6 +246,9 @@ refine connection Handshake_Conn += { function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool %{ + if ( ! ssl_extension_psk_key_exchange_modes ) + return true; + VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType()); if ( mode_list ) @@ -272,10 +303,11 @@ refine connection Handshake_Conn += { response.length(), bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(), false, file_id, "application/ocsp-response"); - BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, - new StringVal(response.length(), - (const char*) response.data())); + if ( ssl_stapled_ocsp ) + BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), + bro_analyzer()->Conn(), + ${rec.is_orig}, + new StringVal(response.length(), (const char*) response.data())); file_mgr->EndOfFile(file_id); } @@ -288,26 +320,32 @@ refine connection Handshake_Conn += { if ( ${kex.curve_type} != NAMED_CURVE ) return true; - BifEvent::generate_ssl_server_curve(bro_analyzer(), - bro_analyzer()->Conn(), ${kex.params.curve}); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); + if ( ssl_server_curve ) + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}); - RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); - if ( ${kex.signed_params.uses_signature_and_hashalgorithm} ) + if ( ssl_ecdh_server_params ) + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); + + if ( ssl_server_signature ) { - ha->Assign(0, val_mgr->GetCount(${kex.signed_params.algorithm.HashAlgorithm})); - ha->Assign(1, val_mgr->GetCount(${kex.signed_params.algorithm.SignatureAlgorithm})); - } + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + if ( ${kex.signed_params.uses_signature_and_hashalgorithm} ) + { + ha->Assign(0, val_mgr->GetCount(${kex.signed_params.algorithm.HashAlgorithm})); + ha->Assign(1, val_mgr->GetCount(${kex.signed_params.algorithm.SignatureAlgorithm})); + } else - { - // set to impossible value - ha->Assign(0, val_mgr->GetCount(256)); - ha->Assign(1, val_mgr->GetCount(256)); - } + { + // set to impossible value + ha->Assign(0, val_mgr->GetCount(256)); + ha->Assign(1, val_mgr->GetCount(256)); + } - BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data())); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data())); + } return true; %} @@ -317,34 +355,46 @@ refine connection Handshake_Conn += { if ( ${kex.curve_type} != NAMED_CURVE ) return true; - BifEvent::generate_ssl_server_curve(bro_analyzer(), - bro_analyzer()->Conn(), ${kex.params.curve}); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); + if ( ssl_server_curve ) + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}); + + if ( ssl_ecdh_server_params ) + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); return true; %} function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool %{ - BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data())); + if ( ssl_rsa_client_pms ) + BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data())); + return true; %} function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool %{ - BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data())); + if ( ssl_dh_client_params ) + BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data())); + return true; %} function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool %{ - BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); + if ( ssl_ecdh_client_params ) + BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); + return true; %} function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool %{ + if ( ! ssl_extension_signed_certificate_timestamp ) + return true; + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); ha->Assign(0, val_mgr->GetCount(digitally_signed_algorithms->HashAlgorithm())); ha->Assign(1, val_mgr->GetCount(digitally_signed_algorithms->SignatureAlgorithm())); @@ -363,50 +413,56 @@ refine connection Handshake_Conn += { function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: ServerKeyExchangeSignature) : bool %{ - BifEvent::generate_ssl_dh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), - new StringVal(p.length(), (const char*) p.data()), - new StringVal(g.length(), (const char*) g.data()), - new StringVal(Ys.length(), (const char*) Ys.data()) - ); + if ( ssl_ecdh_server_params ) + BifEvent::generate_ssl_dh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), + new StringVal(p.length(), (const char*) p.data()), + new StringVal(g.length(), (const char*) g.data()), + new StringVal(Ys.length(), (const char*) Ys.data()) + ); - RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); - if ( ${signed_params.uses_signature_and_hashalgorithm} ) + if ( ssl_server_signature ) { - ha->Assign(0, val_mgr->GetCount(${signed_params.algorithm.HashAlgorithm})); - ha->Assign(1, val_mgr->GetCount(${signed_params.algorithm.SignatureAlgorithm})); - } - else - { - // set to impossible value - ha->Assign(0, val_mgr->GetCount(256)); - ha->Assign(1, val_mgr->GetCount(256)); - } + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + if ( ${signed_params.uses_signature_and_hashalgorithm} ) + { + ha->Assign(0, val_mgr->GetCount(${signed_params.algorithm.HashAlgorithm})); + ha->Assign(1, val_mgr->GetCount(${signed_params.algorithm.SignatureAlgorithm})); + } + else + { + // set to impossible value + ha->Assign(0, val_mgr->GetCount(256)); + ha->Assign(1, val_mgr->GetCount(256)); + } - BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), ha, - new StringVal(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data()) - ); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), ha, + new StringVal(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data()) + ); + } return true; %} function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool %{ - BifEvent::generate_ssl_dh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), - new StringVal(p.length(), (const char*) p.data()), - new StringVal(g.length(), (const char*) g.data()), - new StringVal(Ys.length(), (const char*) Ys.data()) - ); + if ( ssl_dh_server_params ) + BifEvent::generate_ssl_dh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), + new StringVal(p.length(), (const char*) p.data()), + new StringVal(g.length(), (const char*) g.data()), + new StringVal(Ys.length(), (const char*) Ys.data()) + ); return true; %} function proc_handshake(is_orig: bool, msg_type: uint8, length: uint24) : bool %{ - BifEvent::generate_ssl_handshake_message(bro_analyzer(), - bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length)); + if ( ssl_handshake_message ) + BifEvent::generate_ssl_handshake_message(bro_analyzer(), + bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length)); return true; %} diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc index f4b4f78c89..29315faa74 100644 --- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc @@ -140,15 +140,18 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2) return; if ( id2 >= 0 ) - endp->TCP()->ConnectionEvent(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)}); + endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)}); else - endp->TCP()->ConnectionEvent(f, {val_mgr->GetInt(id1)}); + endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1)}); } void SteppingStoneEndpoint::CreateEndpEvent(int is_orig) { - endp->TCP()->ConnectionEvent(stp_create_endp, { + if ( ! stp_create_endp ) + return; + + endp->TCP()->ConnectionEventFast(stp_create_endp, { endp->TCP()->BuildConnVal(), val_mgr->GetInt(stp_id), val_mgr->GetBool(is_orig), diff --git a/src/analyzer/protocol/syslog/syslog-analyzer.pac b/src/analyzer/protocol/syslog/syslog-analyzer.pac index 46e2cc171d..2bbdfd3754 100644 --- a/src/analyzer/protocol/syslog/syslog-analyzer.pac +++ b/src/analyzer/protocol/syslog/syslog-analyzer.pac @@ -11,6 +11,9 @@ flow Syslog_Flow function process_syslog_message(m: Syslog_Message): bool %{ + if ( ! syslog_message ) + return true; + if ( ${m.has_pri} ) BifEvent::generate_syslog_message( connection()->bro_analyzer(), diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index a90e0f32c4..fa2250270a 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -299,7 +299,7 @@ static void passive_fingerprint(TCP_Analyzer* tcp, bool is_orig, if ( OS_val ) { // found new OS version - tcp->ConnectionEvent(OS_version_found, { + tcp->ConnectionEventFast(OS_version_found, { tcp->BuildConnVal(), src_addr_val->Ref(), OS_val, @@ -965,7 +965,7 @@ void TCP_Analyzer::GeneratePacketEvent( const u_char* data, int len, int caplen, int is_orig, TCP_Flags flags) { - ConnectionEvent(tcp_packet, { + ConnectionEventFast(tcp_packet, { BuildConnVal(), val_mgr->GetBool(is_orig), new StringVal(flags.AsString()), @@ -1280,7 +1280,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( connection_SYN_packet ) { - ConnectionEvent(connection_SYN_packet, { + ConnectionEventFast(connection_SYN_packet, { BuildConnVal(), SYN_vals->Ref(), }); @@ -1500,7 +1500,7 @@ int TCP_Analyzer::TCPOptionEvent(unsigned int opt, { if ( tcp_option ) { - analyzer->ConnectionEvent(tcp_option, { + analyzer->ConnectionEventFast(tcp_option, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), val_mgr->GetCount(opt), @@ -1821,7 +1821,7 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp) { if ( connection_EOF ) { - ConnectionEvent(connection_EOF, { + ConnectionEventFast(connection_EOF, { BuildConnVal(), val_mgr->GetBool(endp->IsOrig()), }); @@ -2103,7 +2103,7 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64 seq, int len, int caplen, if ( tcp_rexmit ) { - endp->TCP()->ConnectionEvent(tcp_rexmit, { + endp->TCP()->ConnectionEventFast(tcp_rexmit, { endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig()), val_mgr->GetCount(seq), @@ -2158,11 +2158,12 @@ void TCPStats_Analyzer::Done() { TCP_ApplicationAnalyzer::Done(); - ConnectionEvent(conn_stats, { - BuildConnVal(), - orig_stats->BuildStats(), - resp_stats->BuildStats(), - }); + if ( conn_stats ) + ConnectionEventFast(conn_stats, { + BuildConnVal(), + orig_stats->BuildStats(), + resp_stats->BuildStats(), + }); } void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen) diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc index ce58398f2d..b588adbe29 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc @@ -237,7 +237,7 @@ int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen, if ( contents_file_write_failure ) { - tcp_analyzer->ConnectionEvent(contents_file_write_failure, { + tcp_analyzer->ConnectionEventFast(contents_file_write_failure, { Conn()->BuildConnVal(), val_mgr->GetBool(IsOrig()), new StringVal(buf), diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index 5ad6d2e460..3db1b50352 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -136,7 +136,7 @@ void TCP_Reassembler::Gap(uint64 seq, uint64 len) if ( report_gap(endp, endp->peer) ) { - dst_analyzer->ConnectionEvent(content_gap, { + dst_analyzer->ConnectionEventFast(content_gap, { dst_analyzer->BuildConnVal(), val_mgr->GetBool(IsOrig()), val_mgr->GetCount(seq), @@ -335,7 +335,7 @@ void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f) if ( contents_file_write_failure ) { - tcp_analyzer->ConnectionEvent(contents_file_write_failure, { + tcp_analyzer->ConnectionEventFast(contents_file_write_failure, { Endpoint()->Conn()->BuildConnVal(), val_mgr->GetBool(IsOrig()), new StringVal("TCP reassembler content write failure"), @@ -352,7 +352,7 @@ void TCP_Reassembler::RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f) if ( contents_file_write_failure ) { - tcp_analyzer->ConnectionEvent(contents_file_write_failure, { + tcp_analyzer->ConnectionEventFast(contents_file_write_failure, { Endpoint()->Conn()->BuildConnVal(), val_mgr->GetBool(IsOrig()), new StringVal("TCP reassembler gap write failure"), @@ -425,7 +425,7 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n) BroString* b1_s = new BroString((const u_char*) b1, n, 0); BroString* b2_s = new BroString((const u_char*) b2, n, 0); - tcp_analyzer->ConnectionEvent(rexmit_inconsistency, { + tcp_analyzer->ConnectionEventFast(rexmit_inconsistency, { tcp_analyzer->BuildConnVal(), new StringVal(b1_s), new StringVal(b2_s), @@ -596,7 +596,7 @@ void TCP_Reassembler::DeliverBlock(uint64 seq, int len, const u_char* data) if ( deliver_tcp_contents ) { - tcp_analyzer->ConnectionEvent(tcp_contents, { + tcp_analyzer->ConnectionEventFast(tcp_contents, { tcp_analyzer->BuildConnVal(), val_mgr->GetBool(IsOrig()), val_mgr->GetCount(seq), diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index 6123c42e91..74375e673c 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -157,7 +157,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( do_udp_contents ) { - ConnectionEvent(udp_contents, { + ConnectionEventFast(udp_contents, { BuildConnVal(), val_mgr->GetBool(is_orig), new StringVal(len, (const char*) data), diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac index 5253ce050b..26a9c69b5b 100644 --- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac +++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac @@ -32,7 +32,8 @@ refine connection XMPP_Conn += { if ( !is_orig && ( token == "proceed" || token_no_ns == "proceed" ) && client_starttls ) { bro_analyzer()->StartTLS(); - BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn()); + if ( xmpp_starttls ) + BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn()); } else if ( !is_orig && token == "proceed" ) reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls"); diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index c9d1d7a1e3..96a37490a2 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -1016,7 +1016,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev) } if ( static_cast(vl.length()) == args.size() ) - mgr.QueueEvent(handler, std::move(vl), SOURCE_BROKER); + mgr.QueueEventFast(handler, std::move(vl), SOURCE_BROKER); else { loop_over_list(vl, i) @@ -1247,6 +1247,9 @@ void Manager::ProcessStatus(broker::status stat) break; } + if ( ! event ) + return; + auto ei = internal_type("Broker::EndpointInfo")->AsRecordType(); auto endpoint_info = new RecordVal(ei); @@ -1275,7 +1278,7 @@ void Manager::ProcessStatus(broker::status stat) auto str = stat.message(); auto msg = new StringVal(str ? *str : ""); - mgr.QueueEvent(event, {endpoint_info, msg}); + mgr.QueueEventFast(event, {endpoint_info, msg}); } void Manager::ProcessError(broker::error err) @@ -1352,7 +1355,7 @@ void Manager::ProcessError(broker::error err) msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str()); } - mgr.QueueEvent(Broker::error, { + mgr.QueueEventFast(Broker::error, { BifType::Enum::Broker::ErrorCode->GetVal(ec), new StringVal(msg), }); diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index faa6b280b0..b3680c2a2c 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -637,7 +637,7 @@ void File::FileEvent(EventHandlerPtr h, val_list* vl) void File::FileEvent(EventHandlerPtr h, val_list vl) { - mgr.QueueEvent(h, std::move(vl)); + mgr.QueueEventFast(h, std::move(vl)); if ( h == file_new || h == file_over_new_connection || h == file_sniff || diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 134418a476..da6099b1fe 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -443,7 +443,7 @@ string Manager::GetFileID(analyzer::Tag tag, Connection* c, bool is_orig) EnumVal* tagval = tag.AsEnumVal(); Ref(tagval); - mgr.QueueEvent(get_file_handle, { + mgr.QueueEventFast(get_file_handle, { tagval, c->BuildConnVal(), val_mgr->GetBool(is_orig), diff --git a/src/file_analysis/analyzer/data_event/DataEvent.cc b/src/file_analysis/analyzer/data_event/DataEvent.cc index 8aa688b879..5d692383e1 100644 --- a/src/file_analysis/analyzer/data_event/DataEvent.cc +++ b/src/file_analysis/analyzer/data_event/DataEvent.cc @@ -41,7 +41,7 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64 len, uint64 offset) { if ( ! chunk_event ) return true; - mgr.QueueEvent(chunk_event, { + mgr.QueueEventFast(chunk_event, { GetFile()->GetVal()->Ref(), new StringVal(new BroString(data, len, 0)), val_mgr->GetCount(offset), @@ -54,7 +54,7 @@ bool DataEvent::DeliverStream(const u_char* data, uint64 len) { if ( ! stream_event ) return true; - mgr.QueueEvent(stream_event, { + mgr.QueueEventFast(stream_event, { GetFile()->GetVal()->Ref(), new StringVal(new BroString(data, len, 0)), }); diff --git a/src/file_analysis/analyzer/entropy/Entropy.cc b/src/file_analysis/analyzer/entropy/Entropy.cc index 873b8e2fcf..a0a561a1cc 100644 --- a/src/file_analysis/analyzer/entropy/Entropy.cc +++ b/src/file_analysis/analyzer/entropy/Entropy.cc @@ -53,6 +53,9 @@ void Entropy::Finalize() if ( ! fed ) return; + if ( ! file_entropy ) + return; + double montepi, scc, ent, mean, chisq; montepi = scc = ent = mean = chisq = 0.0; entropy->Get(&ent, &chisq, &mean, &montepi, &scc); @@ -64,7 +67,7 @@ void Entropy::Finalize() ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE)); ent_result->Assign(4, new Val(scc, TYPE_DOUBLE)); - mgr.QueueEvent(file_entropy, { + mgr.QueueEventFast(file_entropy, { GetFile()->GetVal()->Ref(), ent_result, }); diff --git a/src/file_analysis/analyzer/hash/Hash.cc b/src/file_analysis/analyzer/hash/Hash.cc index 07bcb0babd..7b2ecb5799 100644 --- a/src/file_analysis/analyzer/hash/Hash.cc +++ b/src/file_analysis/analyzer/hash/Hash.cc @@ -48,7 +48,10 @@ void Hash::Finalize() if ( ! hash->IsValid() || ! fed ) return; - mgr.QueueEvent(file_hash, { + if ( ! file_hash ) + return; + + mgr.QueueEventFast(file_hash, { GetFile()->GetVal()->Ref(), new StringVal(kind), hash->Get(), diff --git a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac index ee874c4d37..a4a7da5081 100644 --- a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac +++ b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac @@ -81,7 +81,7 @@ refine flow Flow += { ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol})); ids_event->Assign(17, val_mgr->GetCount(${ev.packet_action})); - mgr.QueueEvent(::unified2_event, { + mgr.QueueEventFast(::unified2_event, { connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), ids_event, }, @@ -113,7 +113,7 @@ refine flow Flow += { ids_event->Assign(15, val_mgr->GetCount(${ev.mpls_label})); ids_event->Assign(16, val_mgr->GetCount(${ev.vlan_id})); - mgr.QueueEvent(::unified2_event, { + mgr.QueueEventFast(::unified2_event, { connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), ids_event, }, @@ -135,7 +135,7 @@ refine flow Flow += { packet->Assign(4, val_mgr->GetCount(${pkt.link_type})); packet->Assign(5, bytestring_to_val(${pkt.packet_data})); - mgr.QueueEvent(::unified2_packet, { + mgr.QueueEventFast(::unified2_packet, { connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), packet, }, diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 3681c6fd44..d55931c946 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -427,10 +427,11 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req) // TODO: try to parse out general name ? #endif - mgr.QueueEvent(ocsp_request, { - GetFile()->GetVal()->Ref(), - val_mgr->GetCount(version), - }); + if ( ocsp_request ) + mgr.QueueEventFast(ocsp_request, { + GetFile()->GetVal()->Ref(), + val_mgr->GetCount(version), + }); BIO *bio = BIO_new(BIO_s_mem()); @@ -470,10 +471,11 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) const char *status_str = OCSP_response_status_str(OCSP_response_status(resp)); StringVal* status_val = new StringVal(strlen(status_str), status_str); - mgr.QueueEvent(ocsp_response_status, { - GetFile()->GetVal()->Ref(), - status_val->Ref(), - }); + if ( ocsp_response_status ) + mgr.QueueEventFast(ocsp_response_status, { + GetFile()->GetVal()->Ref(), + status_val->Ref(), + }); //if (!resp_bytes) // { @@ -491,12 +493,18 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) // get the basic response basic_resp = OCSP_response_get1_basic(resp); if ( !basic_resp ) + { + Unref(status_val); goto clean_up; + } #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) resp_data = basic_resp->tbsResponseData; if ( !resp_data ) + { + Unref(status_val); goto clean_up; + } #endif vl.append(GetFile()->GetVal()->Ref()); diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index c33f20a800..524aae1f27 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -221,16 +221,20 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) if ( constr ) { - RecordVal* pBasicConstraint = new RecordVal(BifType::Record::X509::BasicConstraints); - pBasicConstraint->Assign(0, val_mgr->GetBool(constr->ca ? 1 : 0)); + if ( x509_ext_basic_constraints ) + { + RecordVal* pBasicConstraint = new RecordVal(BifType::Record::X509::BasicConstraints); + pBasicConstraint->Assign(0, val_mgr->GetBool(constr->ca ? 1 : 0)); - if ( constr->pathlen ) - pBasicConstraint->Assign(1, val_mgr->GetCount((int32_t) ASN1_INTEGER_get(constr->pathlen))); + if ( constr->pathlen ) + pBasicConstraint->Assign(1, val_mgr->GetCount((int32_t) ASN1_INTEGER_get(constr->pathlen))); + + mgr.QueueEventFast(x509_ext_basic_constraints, { + GetFile()->GetVal()->Ref(), + pBasicConstraint, + }); + } - mgr.QueueEvent(x509_ext_basic_constraints, { - GetFile()->GetVal()->Ref(), - pBasicConstraint, - }); BASIC_CONSTRAINTS_free(constr); } diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac index 396debbbbe..b6a6611d3c 100644 --- a/src/file_analysis/analyzer/x509/x509-extension.pac +++ b/src/file_analysis/analyzer/x509/x509-extension.pac @@ -35,6 +35,9 @@ refine connection MockConnection += { function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool %{ + if ( ! x509_ocsp_ext_signed_certificate_timestamp ) + return true; + BifEvent::generate_x509_ocsp_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), bro_analyzer()->GetFile()->GetVal()->Ref(), version, diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index 108869be9f..39496671a2 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -715,7 +715,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) // Raise the log event. if ( stream->event ) - mgr.QueueEvent(stream->event, {columns->Ref()}, SOURCE_LOCAL); + mgr.QueueEventFast(stream->event, {columns->Ref()}, SOURCE_LOCAL); // Send to each of our filters. for ( list::iterator i = stream->filters.begin(); diff --git a/src/main.cc b/src/main.cc index 56300fc1a2..7afdb876bd 100644 --- a/src/main.cc +++ b/src/main.cc @@ -340,7 +340,7 @@ void terminate_bro() EventHandlerPtr bro_done = internal_handler("bro_done"); if ( bro_done ) - mgr.QueueEvent(bro_done, val_list{}); + mgr.QueueEventFast(bro_done, val_list{}); timer_mgr->Expire(); mgr.Drain(); @@ -1138,7 +1138,7 @@ int main(int argc, char** argv) EventHandlerPtr bro_init = internal_handler("bro_init"); if ( bro_init ) - mgr.QueueEvent(bro_init, val_list{}); + mgr.QueueEventFast(bro_init, val_list{}); EventRegistry::string_list* dead_handlers = event_registry->UnusedHandlers(); @@ -1184,16 +1184,19 @@ int main(int argc, char** argv) if ( override_ignore_checksums ) ignore_checksums = 1; - // Queue events reporting loaded scripts. - for ( std::list::iterator i = files_scanned.begin(); i != files_scanned.end(); i++ ) + if ( bro_script_loaded ) { - if ( i->skipped ) - continue; + // Queue events reporting loaded scripts. + for ( std::list::iterator i = files_scanned.begin(); i != files_scanned.end(); i++ ) + { + if ( i->skipped ) + continue; - mgr.QueueEvent(bro_script_loaded, { - new StringVal(i->name.c_str()), - val_mgr->GetCount(i->include_level), - }); + mgr.QueueEventFast(bro_script_loaded, { + new StringVal(i->name.c_str()), + val_mgr->GetCount(i->include_level), + }); + } } reporter->ReportViaEvents(true);