From b6862c5c59bb5febda071cf834d51d1546543c51 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 11 Apr 2019 20:23:49 -0700 Subject: [PATCH] Add methods to queue events without handler existence check Added ConnectionEventFast() and QueueEventFast() methods to avoid redundant event handler existence checks. It's common practice for caller to already check for event handler existence before doing all the work of constructing the arguments, so it's desirable to not have to check for existence again. E.g. going through ConnectionEvent() means 3 existence checks: one you do yourself before calling it, one in ConnectionEvent(), and then another in QueueEvent(). The existence check itself can be more than a few operations sometimes as it needs to check a few flags that determine if it's enabled, has a local body, or has any remote receivers in the old comm. system or has been flagged as something to publish in the new comm. system. --- aux/bifcl | 2 +- src/Anon.cc | 2 +- src/Conn.cc | 27 +- src/Conn.h | 2 + src/DNS_Mgr.cc | 6 +- src/Event.cc | 2 +- src/Event.h | 7 + src/Reporter.cc | 4 +- src/RuleAction.cc | 2 +- src/Sessions.cc | 8 +- src/StateAccess.cc | 2 +- src/Stats.cc | 11 +- src/analyzer/Analyzer.cc | 19 +- src/analyzer/Analyzer.h | 6 + src/analyzer/protocol/arp/ARP.cc | 4 +- src/analyzer/protocol/backdoor/BackDoor.cc | 27 +- .../protocol/bittorrent/BitTorrent.cc | 2 +- .../protocol/bittorrent/BitTorrentTracker.cc | 39 +-- src/analyzer/protocol/conn-size/ConnSize.cc | 2 +- src/analyzer/protocol/dns/DNS.cc | 261 ++++++++++-------- src/analyzer/protocol/dns/DNS.h | 6 +- src/analyzer/protocol/file/File.cc | 13 +- src/analyzer/protocol/finger/Finger.cc | 4 +- src/analyzer/protocol/gnutella/Gnutella.cc | 14 +- src/analyzer/protocol/http/HTTP.cc | 24 +- src/analyzer/protocol/icmp/ICMP.cc | 39 ++- src/analyzer/protocol/ident/Ident.cc | 17 +- src/analyzer/protocol/imap/imap-analyzer.pac | 7 +- src/analyzer/protocol/interconn/InterConn.cc | 14 +- src/analyzer/protocol/irc/IRC.cc | 122 ++++---- src/analyzer/protocol/login/Login.cc | 19 +- 
src/analyzer/protocol/login/NVT.cc | 2 +- src/analyzer/protocol/login/RSH.cc | 4 +- src/analyzer/protocol/login/Rlogin.cc | 2 +- src/analyzer/protocol/mime/MIME.cc | 19 +- src/analyzer/protocol/ncp/NCP.cc | 4 +- src/analyzer/protocol/netbios/NetbiosSSN.cc | 6 +- src/analyzer/protocol/ntlm/ntlm-analyzer.pac | 9 + src/analyzer/protocol/ntp/NTP.cc | 5 +- src/analyzer/protocol/pop3/POP3.cc | 5 +- src/analyzer/protocol/rfb/rfb-analyzer.pac | 24 +- src/analyzer/protocol/rpc/MOUNT.cc | 4 +- src/analyzer/protocol/rpc/NFS.cc | 4 +- src/analyzer/protocol/rpc/Portmap.cc | 4 +- src/analyzer/protocol/rpc/RPC.cc | 6 +- .../protocol/smb/smb1-com-nt-create-andx.pac | 6 +- src/analyzer/protocol/smb/smb1-protocol.pac | 7 +- src/analyzer/protocol/smb/smb2-com-create.pac | 6 +- src/analyzer/protocol/smtp/SMTP.cc | 23 +- .../protocol/socks/socks-analyzer.pac | 87 +++--- src/analyzer/protocol/ssl/ssl-analyzer.pac | 4 +- .../protocol/ssl/ssl-dtls-analyzer.pac | 21 +- .../protocol/ssl/tls-handshake-analyzer.pac | 172 ++++++++---- .../protocol/stepping-stone/SteppingStone.cc | 9 +- .../protocol/syslog/syslog-analyzer.pac | 3 + src/analyzer/protocol/tcp/TCP.cc | 23 +- src/analyzer/protocol/tcp/TCP_Endpoint.cc | 2 +- src/analyzer/protocol/tcp/TCP_Reassembler.cc | 10 +- src/analyzer/protocol/udp/UDP.cc | 2 +- src/analyzer/protocol/xmpp/xmpp-analyzer.pac | 3 +- src/broker/Manager.cc | 9 +- src/file_analysis/File.cc | 2 +- src/file_analysis/Manager.cc | 2 +- .../analyzer/data_event/DataEvent.cc | 4 +- src/file_analysis/analyzer/entropy/Entropy.cc | 5 +- src/file_analysis/analyzer/hash/Hash.cc | 5 +- .../analyzer/unified2/unified2-analyzer.pac | 6 +- src/file_analysis/analyzer/x509/OCSP.cc | 24 +- src/file_analysis/analyzer/x509/X509.cc | 20 +- .../analyzer/x509/x509-extension.pac | 3 + src/logging/Manager.cc | 2 +- src/main.cc | 23 +- 72 files changed, 771 insertions(+), 524 deletions(-) diff --git a/aux/bifcl b/aux/bifcl index 44622332fb..33cde13264 160000 --- a/aux/bifcl +++ b/aux/bifcl 
@@ -1 +1 @@ -Subproject commit 44622332fb1361383799be33e365704caacce199 +Subproject commit 33cde13264825df906668b608017e65f4ffbc12a diff --git a/src/Anon.cc b/src/Anon.cc index de225e95a8..983c7fbec8 100644 --- a/src/Anon.cc +++ b/src/Anon.cc @@ -415,7 +415,7 @@ void log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output) { if ( anonymization_mapping ) { - mgr.QueueEvent(anonymization_mapping, { + mgr.QueueEventFast(anonymization_mapping, { new AddrVal(input), new AddrVal(output) }); diff --git a/src/Conn.cc b/src/Conn.cc index 494d2d21c4..83ad6c08f6 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -325,7 +325,7 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, // and at this stage it's not a *multiple* instance. return; - ConnectionEvent(e, 0, { + ConnectionEventFast(e, 0, { BuildConnVal(), val_mgr->GetBool(is_orig), val_mgr->GetCount(threshold) @@ -389,7 +389,7 @@ void Connection::EnableStatusUpdateTimer() void Connection::StatusUpdateTimer(double t) { - ConnectionEvent(connection_status_update, 0, { BuildConnVal() }); + ConnectionEventFast(connection_status_update, 0, { BuildConnVal() }); ADD_TIMER(&Connection::StatusUpdateTimer, network_time + connection_status_update_interval, 0, TIMER_CONN_STATUS_UPDATE); @@ -627,7 +627,7 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len, { if ( software_parse_error ) { - ConnectionEvent(software_parse_error, analyzer, { + ConnectionEventFast(software_parse_error, analyzer, { BuildConnVal(), new AddrVal(addr), new StringVal(len, s), @@ -638,7 +638,7 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len, if ( software_version_found ) { - ConnectionEvent(software_version_found, 0, { + ConnectionEventFast(software_version_found, 0, { BuildConnVal(), new AddrVal(addr), val, 
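Review bot: StatusUpdateTimer now queues `connection_status_update` through ConnectionEventFast with no existence check visible in the hunk, so correctness rests on whoever arms the timer (presumably EnableStatusUpdateTimer(), whose body is outside the hunk) having checked the handler at a different time than the callback fires. A one-line comment would make that dependency auditable for the next reader: `// Handler existence was verified when the timer was armed (EnableStatusUpdateTimer).` The HistoryThresholdEvent hunk is in the same position: its guard on `e` is above the hunk, and nothing in the changed lines says so.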
@@ -666,7 +666,7 @@ int Connection::UnparsedVersionFoundEvent(const IPAddr& addr, if ( software_unparsed_version_found ) { - ConnectionEvent(software_unparsed_version_found, analyzer, { + ConnectionEventFast(software_unparsed_version_found, analyzer, { BuildConnVal(), new AddrVal(addr), new StringVal(len, full), @@ -682,9 +682,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch return; if ( name ) - ConnectionEvent(f, analyzer, {new StringVal(name), BuildConnVal()}); + ConnectionEventFast(f, analyzer, {new StringVal(name), BuildConnVal()}); else - ConnectionEvent(f, analyzer, {BuildConnVal()}); + ConnectionEventFast(f, analyzer, {BuildConnVal()}); } @@ -698,9 +698,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, } if ( v2 ) - ConnectionEvent(f, analyzer, {BuildConnVal(), v1, v2}); + ConnectionEventFast(f, analyzer, {BuildConnVal(), v1, v2}); else - ConnectionEvent(f, analyzer, {BuildConnVal(), v1}); + ConnectionEventFast(f, analyzer, {BuildConnVal(), v1}); } void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl) @@ -720,6 +720,13 @@ void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_l a ? a->GetID() : 0, GetTimerMgr(), this); } +void Connection::ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl) + { + // "this" is passed as a cookie for the event + mgr.QueueEventFast(f, std::move(vl), SOURCE_LOCAL, + a ? a->GetID() : 0, GetTimerMgr(), this); + } + void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl) { ConnectionEvent(f, a, std::move(*vl)); 
@@ -1053,7 +1060,7 @@ void Connection::CheckFlowLabel(bool is_orig, uint32 flow_label) if ( connection_flow_label_changed && (is_orig ? saw_first_orig_packet : saw_first_resp_packet) ) { - ConnectionEvent(connection_flow_label_changed, 0, { + ConnectionEventFast(connection_flow_label_changed, 0, { BuildConnVal(), val_mgr->GetBool(is_orig), val_mgr->GetCount(my_flow_label), diff --git a/src/Conn.h b/src/Conn.h index 2622134f2a..d19501ff13 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -181,6 +181,8 @@ public: val_list* vl); void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer, val_list vl); + void ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* analyzer, + val_list vl); void Weird(const char* name, const char* addl = ""); bool DidWeird() const { return weird != 0; } diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc index c72e66f0bf..c3efda3ad9 100644 --- a/src/DNS_Mgr.cc +++ b/src/DNS_Mgr.cc @@ -704,7 +704,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm) if ( ! e ) return; - mgr.QueueEvent(e, {BuildMappingVal(dm)}); + mgr.QueueEventFast(e, {BuildMappingVal(dm)}); } void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2) @@ -715,7 +715,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2 Unref(l1); Unref(l2); - mgr.QueueEvent(e, { + mgr.QueueEventFast(e, { BuildMappingVal(dm), l1->ConvertToSet(), l2->ConvertToSet(), @@ -727,7 +727,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm) if ( ! e ) return; - mgr.QueueEvent(e, { + mgr.QueueEventFast(e, { BuildMappingVal(old_dm), BuildMappingVal(new_dm), }); diff --git a/src/Event.cc b/src/Event.cc index 26ca874c2a..8b87caa9b1 100644 --- a/src/Event.cc +++ b/src/Event.cc 
@@ -128,7 +128,7 @@ void EventMgr::QueueEvent(Event* event) void EventMgr::Drain() { if ( event_queue_flush_point ) - QueueEvent(event_queue_flush_point, val_list{}); + QueueEventFast(event_queue_flush_point, val_list{}); SegmentProfiler(segment_logger, "draining-events"); diff --git a/src/Event.h b/src/Event.h index 9ee30ae674..258b680d49 100644 --- a/src/Event.h +++ b/src/Event.h @@ -58,6 +58,13 @@ public: EventMgr(); ~EventMgr() override; + void QueueEventFast(const EventHandlerPtr &h, val_list vl, + SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, + TimerMgr* mgr = 0, BroObj* obj = 0) + { + QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj)); + } + void QueueEvent(const EventHandlerPtr &h, val_list vl, SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0) diff --git a/src/Reporter.cc b/src/Reporter.cc index 9821911d17..cc0542eaac 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc @@ -506,9 +506,9 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out, } if ( conn ) - conn->ConnectionEvent(event, 0, std::move(vl)); + conn->ConnectionEventFast(event, 0, std::move(vl)); else - mgr.QueueEvent(event, std::move(vl)); + mgr.QueueEventFast(event, std::move(vl)); } else { diff --git a/src/RuleAction.cc b/src/RuleAction.cc index ab9994bde2..3d22e3b56f 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc @@ -17,7 +17,7 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state, { if ( signature_match ) { - mgr.QueueEvent(signature_match, { + mgr.QueueEventFast(signature_match, { rule_matcher->BuildRuleStateValue(parent, state), new StringVal(msg), data ? new StringVal(len, (const char*)data) : val_mgr->GetEmptyString(), diff --git a/src/Sessions.cc b/src/Sessions.cc index db4e9e5d3a..3507c46e53 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc 
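Review bot: QueueEventFast in the Event.h hunk is added without any documentation, although it removes exactly the guard that makes QueueEvent safe to call with an arbitrary EventHandlerPtr; the precondition belongs on the declaration so callers cannot miss it. Something like `/// Like QueueEvent(), but assumes the caller has already verified that h exists; it performs no existence check and does not release vl for a missing handler.` — the second clause hedged against QueueEvent's body, which is not in the hunk. Every call site converted in this patch relies on that contract, so it should be written down once here rather than rediscovered per caller.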
@@ -171,7 +171,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt) SegmentProfiler(segment_logger, "dispatching-packet"); if ( raw_packet ) - mgr.QueueEvent(raw_packet, {pkt->BuildPktHdrVal()}); + mgr.QueueEventFast(raw_packet, {pkt->BuildPktHdrVal()}); if ( pkt_profiler ) pkt_profiler->ProfilePkt(t, pkt->cap_len); @@ -411,7 +411,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr { dump_this_packet = 1; if ( esp_packet ) - mgr.QueueEvent(esp_packet, {ip_hdr->BuildPktHdrVal()}); + mgr.QueueEventFast(esp_packet, {ip_hdr->BuildPktHdrVal()}); // Can't do more since upper-layer payloads are going to be encrypted. return; @@ -1315,9 +1315,9 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, { conn->Event(new_connection, 0); - if ( external ) + if ( external && connection_external ) { - conn->ConnectionEvent(connection_external, 0, { + conn->ConnectionEventFast(connection_external, 0, { conn->BuildConnVal(), new StringVal(conn->GetTimerMgr()->GetTag().c_str()), }); diff --git a/src/StateAccess.cc b/src/StateAccess.cc index b9f08a54cc..72ed9ef236 100644 --- a/src/StateAccess.cc +++ b/src/StateAccess.cc @@ -536,7 +536,7 @@ void StateAccess::Replay() if ( remote_state_access_performed ) { - mgr.QueueEvent(remote_state_access_performed, { + mgr.QueueEventFast(remote_state_access_performed, { new StringVal(target.id->Name()), target.id->ID_Val()->Ref(), }); diff --git a/src/Stats.cc b/src/Stats.cc index 7c232f7aa4..1d2a2c8ad8 100644 --- a/src/Stats.cc +++ b/src/Stats.cc @@ -369,11 +369,12 @@ void SampleLogger::SegmentProfile(const char* /* name */, const Location* /* loc */, double dtime, int dmem) { - mgr.QueueEvent(load_sample, { - load_samples->Ref(), - new IntervalVal(dtime, Seconds), - val_mgr->GetInt(dmem) - }); + if ( load_sample ) + mgr.QueueEventFast(load_sample, { + load_samples->Ref(), + new IntervalVal(dtime, Seconds), + val_mgr->GetInt(dmem) + }); } void SegmentProfiler::Init() 
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc index be2cfcf627..874b405e9d 100644 --- a/src/analyzer/Analyzer.cc +++ b/src/analyzer/Analyzer.cc @@ -662,16 +662,19 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag) if ( protocol_confirmed ) return; + protocol_confirmed = true; + + if ( ! protocol_confirmation ) + return; + EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal(); Ref(tval); - mgr.QueueEvent(protocol_confirmation, { + mgr.QueueEventFast(protocol_confirmation, { BuildConnVal(), tval, val_mgr->GetCount(id), }); - - protocol_confirmed = true; } void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) @@ -689,10 +692,13 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len) else r = new StringVal(reason); + if ( ! protocol_violation ) + return; + EnumVal* tval = tag.AsEnumVal(); Ref(tval); - mgr.QueueEvent(protocol_violation, { + mgr.QueueEventFast(protocol_violation, { BuildConnVal(), tval, val_mgr->GetCount(id), @@ -787,6 +793,11 @@ void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list vl) conn->ConnectionEvent(f, this, std::move(vl)); } +void Analyzer::ConnectionEventFast(EventHandlerPtr f, val_list vl) + { + conn->ConnectionEventFast(f, this, std::move(vl)); + } + void Analyzer::Weird(const char* name, const char* addl) { conn->Weird(name, addl); diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index ab09e63458..141d420a82 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -547,6 +547,12 @@ public: */ void ConnectionEvent(EventHandlerPtr f, val_list vl); + /** + * Convenience function that forwards directly to + * Connection::ConnectionEventFast(). + */ + void ConnectionEventFast(EventHandlerPtr f, val_list vl); + /** * Convenience function that forwards directly to the corresponding * Connection::Weird(). diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc index e206303e9c..d3a4ab688f 100644 
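Review bot: In the ProtocolViolation hunk the new `if ( ! protocol_violation ) return;` sits after `r = new StringVal(reason)` (and after the data-bearing branch above it), so when no handler exists the freshly allocated StringVal is never placed in a val_list and is never released; on the old path it presumably reached QueueEvent, which dropped the arguments of an absent handler. Violations are raised on arbitrary traffic, so this is a per-violation leak that grows with input. Move the check to be the first statement of the function (its start is outside the hunk), before `r` is built, mirroring the ProtocolConfirmation hunk where the early return precedes `Ref(tval)`.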
--- a/src/analyzer/protocol/arp/ARP.cc +++ b/src/analyzer/protocol/arp/ARP.cc @@ -190,7 +190,7 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg) if ( ! bad_arp ) return; - mgr.QueueEvent(bad_arp, { + mgr.QueueEventFast(bad_arp, { ConstructAddrVal(ar_spa(hdr)), EthAddrToStr((const u_char*) ar_sha(hdr)), ConstructAddrVal(ar_tpa(hdr)), @@ -212,7 +212,7 @@ void ARP_Analyzer::RREvent(EventHandlerPtr e, if ( ! e ) return; - mgr.QueueEvent(e, { + mgr.QueueEventFast(e, { EthAddrToStr(src), EthAddrToStr(dst), ConstructAddrVal(spa), diff --git a/src/analyzer/protocol/backdoor/BackDoor.cc b/src/analyzer/protocol/backdoor/BackDoor.cc index 4cc8d5f703..81b4c0e9a5 100644 --- a/src/analyzer/protocol/backdoor/BackDoor.cc +++ b/src/analyzer/protocol/backdoor/BackDoor.cc @@ -246,7 +246,10 @@ void BackDoorEndpoint::RloginSignatureFound(int len) rlogin_checking_done = 1; - endp->TCP()->ConnectionEvent(rlogin_signature_found, { + if ( ! rlogin_signature_found ) + return; + + endp->TCP()->ConnectionEventFast(rlogin_signature_found, { endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig()), val_mgr->GetCount(rlogin_num_null), @@ -337,7 +340,10 @@ void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* d void BackDoorEndpoint::TelnetSignatureFound(int len) { - endp->TCP()->ConnectionEvent(telnet_signature_found, { + if ( ! telnet_signature_found ) + return; + + endp->TCP()->ConnectionEventFast(telnet_signature_found, { endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig()), val_mgr->GetCount(len), 
@@ -641,12 +647,15 @@ void BackDoorEndpoint::CheckForHTTPProxy(uint64 /* seq */, int len, void BackDoorEndpoint::SignatureFound(EventHandlerPtr e, int do_orig) { + if ( ! e ) + return; + if ( do_orig ) - endp->TCP()->ConnectionEvent(e, + endp->TCP()->ConnectionEventFast(e, {endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig())}); else - endp->TCP()->ConnectionEvent(e, {endp->TCP()->BuildConnVal()}); + endp->TCP()->ConnectionEventFast(e, {endp->TCP()->BuildConnVal()}); } @@ -773,7 +782,10 @@ void BackDoor_Analyzer::StatTimer(double t, int is_expire) void BackDoor_Analyzer::StatEvent() { - TCP()->ConnectionEvent(backdoor_stats, { + if ( ! backdoor_stats ) + return; + + TCP()->ConnectionEventFast(backdoor_stats, { TCP()->BuildConnVal(), orig_endp->BuildStats(), resp_endp->BuildStats(), @@ -782,7 +794,10 @@ void BackDoor_Analyzer::StatEvent() void BackDoor_Analyzer::RemoveEvent() { - TCP()->ConnectionEvent(backdoor_remove_conn, {TCP()->BuildConnVal()}); + if ( ! backdoor_remove_conn ) + return; + + TCP()->ConnectionEventFast(backdoor_remove_conn, {TCP()->BuildConnVal()}); } BackDoorTimer::BackDoorTimer(double t, BackDoor_Analyzer* a) diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc index 989265623c..c57d694c6e 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc @@ -120,7 +120,7 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig) { if ( bittorrent_peer_weird ) { - ConnectionEvent(bittorrent_peer_weird, { + ConnectionEventFast(bittorrent_peer_weird, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(msg), diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index 411bbf0aff..a1a40e8d56 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc 
@@ -247,7 +247,7 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig) { if ( bt_tracker_weird ) { - ConnectionEvent(bt_tracker_weird, { + ConnectionEventFast(bt_tracker_weird, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(msg), @@ -348,11 +348,12 @@ void BitTorrentTracker_Analyzer::EmitRequest(void) { ProtocolConfirmation(); - ConnectionEvent(bt_tracker_request, { - BuildConnVal(), - req_val_uri, - req_val_headers, - }); + if ( bt_tracker_request ) + ConnectionEventFast(bt_tracker_request, { + BuildConnVal(), + req_val_uri, + req_val_headers, + }); req_val_uri = 0; req_val_headers = 0; @@ -401,11 +402,12 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line) { if ( res_status != 200 ) { - ConnectionEvent(bt_tracker_response_not_ok, { - BuildConnVal(), - val_mgr->GetCount(res_status), - res_val_headers, - }); + if ( bt_tracker_response_not_ok ) + ConnectionEventFast(bt_tracker_response_not_ok, { + BuildConnVal(), + val_mgr->GetCount(res_status), + res_val_headers, + }); res_val_headers = 0; res_buf_pos = res_buf + res_buf_len; res_state = BTT_RES_DONE; @@ -787,13 +789,14 @@ void BitTorrentTracker_Analyzer::EmitResponse(void) { ProtocolConfirmation(); - ConnectionEvent(bt_tracker_response, { - BuildConnVal(), - val_mgr->GetCount(res_status), - res_val_headers, - res_val_peers, - res_val_benc, - }); + if ( bt_tracker_response ) + ConnectionEventFast(bt_tracker_response, { + BuildConnVal(), + val_mgr->GetCount(res_status), + res_val_headers, + res_val_peers, + res_val_benc, + }); res_val_headers = 0; res_val_peers = 0; diff --git a/src/analyzer/protocol/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc index cf6521103c..1b18335e7f 100644 --- a/src/analyzer/protocol/conn-size/ConnSize.cc +++ b/src/analyzer/protocol/conn-size/ConnSize.cc 
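Review bot: In EmitRequest the new `if ( bt_tracker_request )` guard skips the event, but the following `req_val_uri = 0; req_val_headers = 0;` still run, so when the handler is absent the two Vals built earlier (outside the hunk) are dropped without an Unref; via ConnectionEvent/QueueEvent they would presumably have been released. ParseResponse (`res_val_headers`) and EmitResponse (`res_val_headers`, `res_val_peers`, `res_val_benc`) have the same shape. Unless these members are only allocated when the handler exists, each guard needs an else branch, e.g. `else { Unref(req_val_uri); Unref(req_val_headers); }`, before the members are zeroed — as the NSEC and TXT hunks in DNS.cc already do.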
@@ -47,7 +47,7 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64 threshold, bool if ( ! f ) return; - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), val_mgr->GetCount(threshold), val_mgr->GetBool(is_orig), diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index a67b548fe9..f99a7ca1e9 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -46,7 +46,7 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) if ( dns_message ) { - analyzer->ConnectionEvent(dns_message, { + analyzer->ConnectionEventFast(dns_message, { analyzer->BuildConnVal(), val_mgr->GetBool(is_query), msg.BuildHdrVal(), @@ -132,10 +132,11 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg) { - analyzer->ConnectionEvent(dns_end, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - }); + if ( dns_end ) + analyzer->ConnectionEventFast(dns_end, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + }); return 1; } @@ -334,7 +335,7 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg, if ( dns_unknown_reply && ! msg->skip_event ) { - analyzer->ConnectionEvent(dns_unknown_reply, { + analyzer->ConnectionEventFast(dns_unknown_reply, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -549,7 +550,7 @@ int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg, if ( reply_event && ! msg->skip_event ) { - analyzer->ConnectionEvent(reply_event, { + analyzer->ConnectionEventFast(reply_event, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -603,7 +604,7 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg, r->Assign(5, new IntervalVal(double(expire), Seconds)); r->Assign(6, new IntervalVal(double(minimum), Seconds)); - analyzer->ConnectionEvent(dns_SOA_reply, { + analyzer->ConnectionEventFast(dns_SOA_reply, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), 
@@ -634,7 +635,7 @@ int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg, if ( dns_MX_reply && ! msg->skip_event ) { - analyzer->ConnectionEvent(dns_MX_reply, { + analyzer->ConnectionEventFast(dns_MX_reply, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -677,7 +678,7 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg, if ( dns_SRV_reply && ! msg->skip_event ) { - analyzer->ConnectionEvent(dns_SRV_reply, { + analyzer->ConnectionEventFast(dns_SRV_reply, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -700,7 +701,7 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg, if ( dns_EDNS_addl && ! msg->skip_event ) { - analyzer->ConnectionEvent(dns_EDNS_addl, { + analyzer->ConnectionEventFast(dns_EDNS_addl, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildEDNS_Val(), @@ -766,22 +767,24 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg, unsigned int rr_error = ExtractShort(data, len); ExtractOctets(data, len, 0); // Other Data - msg->tsig = new TSIG_DATA; + if ( dns_TSIG_addl ) + { + TSIG_DATA tsig; + tsig.alg_name = + new BroString(alg_name, alg_name_end - alg_name, 1); + tsig.sig = request_MAC; + tsig.time_s = sign_time_sec; + tsig.time_ms = sign_time_msec; + tsig.fudge = fudge; + tsig.orig_id = orig_id; + tsig.rr_error = rr_error; - msg->tsig->alg_name = - new BroString(alg_name, alg_name_end - alg_name, 1); - msg->tsig->sig = request_MAC; - msg->tsig->time_s = sign_time_sec; - msg->tsig->time_ms = sign_time_msec; - msg->tsig->fudge = fudge; - msg->tsig->orig_id = orig_id; - msg->tsig->rr_error = rr_error; - - analyzer->ConnectionEvent(dns_TSIG_addl, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildTSIG_Val(), - }); + analyzer->ConnectionEventFast(dns_TSIG_addl, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildTSIG_Val(&tsig), + }); + } return 1; } 
@@ -864,23 +867,26 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg, break; } - RRSIG_DATA rrsig; - rrsig.type_covered = type_covered; - rrsig.algorithm = algo; - rrsig.labels = lab; - rrsig.orig_ttl = orig_ttl; - rrsig.sig_exp = sign_exp; - rrsig.sig_incep = sign_incp; - rrsig.key_tag = key_tag; - rrsig.signer_name = new BroString(name, name_end - name, 1); - rrsig.signature = sign; + if ( dns_RRSIG ) + { + RRSIG_DATA rrsig; + rrsig.type_covered = type_covered; + rrsig.algorithm = algo; + rrsig.labels = lab; + rrsig.orig_ttl = orig_ttl; + rrsig.sig_exp = sign_exp; + rrsig.sig_incep = sign_incp; + rrsig.key_tag = key_tag; + rrsig.signer_name = new BroString(name, name_end - name, 1); + rrsig.signature = sign; - analyzer->ConnectionEvent(dns_RRSIG, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - msg->BuildRRSIG_Val(&rrsig), - }); + analyzer->ConnectionEventFast(dns_RRSIG, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + msg->BuildRRSIG_Val(&rrsig), + }); + } return 1; } @@ -961,18 +967,21 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg, break; } - DNSKEY_DATA dnskey; - dnskey.dflags = dflags; - dnskey.dalgorithm = dalgorithm; - dnskey.dprotocol = dprotocol; - dnskey.public_key = key; + if ( dns_DNSKEY ) + { + DNSKEY_DATA dnskey; + dnskey.dflags = dflags; + dnskey.dalgorithm = dalgorithm; + dnskey.dprotocol = dprotocol; + dnskey.public_key = key; - analyzer->ConnectionEvent(dns_DNSKEY, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - msg->BuildDNSKEY_Val(&dnskey), - }); + analyzer->ConnectionEventFast(dns_DNSKEY, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + msg->BuildDNSKEY_Val(&dnskey), + }); + } return 1; } 
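Review bot: In ParseRR_RRSIG the new `if ( dns_RRSIG )` block is the only consumer of `sign` (assigned to `rrsig.signature`), and in ParseRR_DNSKEY the only consumer of `key`; both are produced above the hunk, so if they are heap-allocated BroStrings like the values handled in the TXT and CAA hunks, they now leak whenever the handler is absent, where the old unconditional event presumably released them through QueueEvent. The NSEC3 hunk (`salt_val`, `hash_val`) and the DS hunk (`ds_digest`) follow the same pattern, and the TSIG hunk's `request_MAC` deserves the same check. Each wants an `else delete sign;` (respectively `key`, `salt_val`/`hash_val`, `ds_digest`) mirroring `else Unref(char_strings);` in the NSEC hunk, or the extraction moved under the guard so nothing is allocated that cannot be delivered.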
@@ -1017,13 +1026,16 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg, typebitmaps_len = typebitmaps_len - (2 + bmlen); } - analyzer->ConnectionEvent(dns_NSEC, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - new StringVal(new BroString(name, name_end - name, 1)), - char_strings, - }); + if ( dns_NSEC ) + analyzer->ConnectionEventFast(dns_NSEC, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + new StringVal(new BroString(name, name_end - name, 1)), + char_strings, + }); + else + Unref(char_strings); return 1; } @@ -1091,22 +1103,25 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg, typebitmaps_len = typebitmaps_len - (2 + bmlen); } - NSEC3_DATA nsec3; - nsec3.nsec_flags = nsec_flags; - nsec3.nsec_hash_algo = hash_algo; - nsec3.nsec_iter = iter; - nsec3.nsec_salt_len = salt_len; - nsec3.nsec_salt = salt_val; - nsec3.nsec_hlen = hash_len; - nsec3.nsec_hash = hash_val; - nsec3.bitmaps = char_strings; + if ( dns_NSEC3 ) + { + NSEC3_DATA nsec3; + nsec3.nsec_flags = nsec_flags; + nsec3.nsec_hash_algo = hash_algo; + nsec3.nsec_iter = iter; + nsec3.nsec_salt_len = salt_len; + nsec3.nsec_salt = salt_val; + nsec3.nsec_hlen = hash_len; + nsec3.nsec_hash = hash_val; + nsec3.bitmaps = char_strings; - analyzer->ConnectionEvent(dns_NSEC3, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - msg->BuildNSEC3_Val(&nsec3), - }); + analyzer->ConnectionEventFast(dns_NSEC3, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + msg->BuildNSEC3_Val(&nsec3), + }); + } return 1; } 
@@ -1150,18 +1165,21 @@ int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg, break; } - DS_DATA ds; - ds.key_tag = ds_key_tag; - ds.algorithm = ds_algo; - ds.digest_type = ds_dtype; - ds.digest_val = ds_digest; + if ( dns_DS ) + { + DS_DATA ds; + ds.key_tag = ds_key_tag; + ds.algorithm = ds_algo; + ds.digest_type = ds_dtype; + ds.digest_val = ds_digest; - analyzer->ConnectionEvent(dns_DS, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - msg->BuildDS_Val(&ds), - }); + analyzer->ConnectionEventFast(dns_DS, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + msg->BuildDS_Val(&ds), + }); + } return 1; } @@ -1179,7 +1197,7 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg, if ( dns_A_reply && ! msg->skip_event ) { - analyzer->ConnectionEvent(dns_A_reply, { + analyzer->ConnectionEventFast(dns_A_reply, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -1216,7 +1234,7 @@ int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg, event = dns_A6_reply; if ( event && ! msg->skip_event ) { - analyzer->ConnectionEvent(event, { + analyzer->ConnectionEventFast(event, { analyzer->BuildConnVal(), msg->BuildHdrVal(), msg->BuildAnswerVal(), @@ -1290,12 +1308,15 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg, while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) char_strings->Assign(char_strings->Size(), char_string); - analyzer->ConnectionEvent(dns_TXT_reply, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - char_strings, - }); + if ( dns_TXT_reply ) + analyzer->ConnectionEventFast(dns_TXT_reply, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + char_strings, + }); + else + Unref(char_strings); return rdlength == 0; } 
@@ -1330,14 +1351,20 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg, data += value->Len(); rdlength -= value->Len(); - analyzer->ConnectionEvent(dns_CAA_reply, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - msg->BuildAnswerVal(), - val_mgr->GetCount(flags), - new StringVal(tag), - new StringVal(value), - }); + if ( dns_CAA_reply ) + analyzer->ConnectionEventFast(dns_CAA_reply, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + msg->BuildAnswerVal(), + val_mgr->GetCount(flags), + new StringVal(tag), + new StringVal(value), + }); + else + { + delete tag; + delete value; + } return rdlength == 0; } @@ -1351,13 +1378,14 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg, RR_Type qtype = RR_Type(ExtractShort(data, len)); int qclass = ExtractShort(data, len); - analyzer->ConnectionEvent(event, { - analyzer->BuildConnVal(), - msg->BuildHdrVal(), - new StringVal(question_name), - val_mgr->GetCount(qtype), - val_mgr->GetCount(qclass), - }); + if ( event ) + analyzer->ConnectionEventFast(event, { + analyzer->BuildConnVal(), + msg->BuildHdrVal(), + new StringVal(question_name), + val_mgr->GetCount(qtype), + val_mgr->GetCount(qclass), + }); } @@ -1391,7 +1419,6 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query) answer_type = DNS_QUESTION; skip_event = 0; - tsig = 0; } DNS_MsgInfo::~DNS_MsgInfo() @@ -1470,7 +1497,7 @@ Val* DNS_MsgInfo::BuildEDNS_Val() return r; } -Val* DNS_MsgInfo::BuildTSIG_Val() +Val* DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig) { RecordVal* r = new RecordVal(dns_tsig_additional); double rtime = tsig->time_s + tsig->time_ms / 1000.0; @@ -1487,9 +1514,6 @@ Val* DNS_MsgInfo::BuildTSIG_Val() r->Assign(7, val_mgr->GetCount(tsig->rr_error)); r->Assign(8, val_mgr->GetCount(is_query)); - delete tsig; - tsig = 0; - return r; } 
@@ -1705,10 +1729,11 @@ void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, { if ( ! interp->ParseMessage(data, len, 1) && non_dns_request ) { - ConnectionEvent(non_dns_request, { - BuildConnVal(), - new StringVal(len, (const char*) data), - }); + if ( non_dns_request ) + ConnectionEventFast(non_dns_request, { + BuildConnVal(), + new StringVal(len, (const char*) data), + }); } } diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index f095fe96fa..a4975cdaa1 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -182,7 +182,7 @@ public: Val* BuildHdrVal(); Val* BuildAnswerVal(); Val* BuildEDNS_Val(); - Val* BuildTSIG_Val(); + Val* BuildTSIG_Val(struct TSIG_DATA*); Val* BuildRRSIG_Val(struct RRSIG_DATA*); Val* BuildDNSKEY_Val(struct DNSKEY_DATA*); Val* BuildNSEC3_Val(struct NSEC3_DATA*); @@ -214,10 +214,6 @@ public: ///< identical answer, there may be problems // uint32* addr; ///< cache value to pass back results ///< for forward lookups - - // More values for spesific DNS types. - //struct EDNS_ADDITIONAL* edns; - struct TSIG_DATA* tsig; }; diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc index bb81eaa1fd..62fd36c0da 100644 --- a/src/analyzer/protocol/file/File.cc +++ b/src/analyzer/protocol/file/File.cc @@ -78,10 +78,11 @@ void File_Analyzer::Identify() string match = matches.empty() ? "" : *(matches.begin()->second.begin()); - ConnectionEvent(file_transferred, { - BuildConnVal(), - new StringVal(buffer_len, buffer), - new StringVal(""), - new StringVal(match), - }); + if ( file_transferred ) + ConnectionEventFast(file_transferred, { + BuildConnVal(), + new StringVal(buffer_len, buffer), + new StringVal(""), + new StringVal(match), + }); } diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc index 0f7cec2677..fcc778f151 100644 --- a/src/analyzer/protocol/finger/Finger.cc 
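Review bot: The nested `if ( non_dns_request )` in DNS_Analyzer::DeliverPacket is redundant: the enclosing condition `if ( ! interp->ParseMessage(data, len, 1) && non_dns_request )` has already established that the handler exists, so the inner test only adds a level of indentation. Drop the inner `if` and call `ConnectionEventFast(non_dns_request, { ... })` directly inside the block. DeliverPacket starts outside the hunk.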
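Review bot: In File_Analyzer::Identify the `file_transferred` guard sits after `matches` has been computed and `match` extracted, so the matching work above the hunk still runs when no handler is installed. If Identify() has no effect other than raising this event — the hunk does not show the rest of the function — an early `if ( ! file_transferred ) return;` at the top would skip the whole computation, which is the pattern the ICMP hunks in this commit use. Identify() starts outside the hunk.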
+++ b/src/analyzer/protocol/finger/Finger.cc @@ -68,7 +68,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig if ( finger_request ) { - ConnectionEvent(finger_request, { + ConnectionEventFast(finger_request, { BuildConnVal(), val_mgr->GetBool(long_cnt), new StringVal(at - line, line), @@ -87,7 +87,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig if ( ! finger_reply ) return; - ConnectionEvent(finger_reply, { + ConnectionEventFast(finger_reply, { BuildConnVal(), new StringVal(end_of_line - line, line), }); diff --git a/src/analyzer/protocol/gnutella/Gnutella.cc b/src/analyzer/protocol/gnutella/Gnutella.cc index dc6e14bf63..0b0ebadf03 100644 --- a/src/analyzer/protocol/gnutella/Gnutella.cc +++ b/src/analyzer/protocol/gnutella/Gnutella.cc @@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done() if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) { if ( Established() && gnutella_establish ) - ConnectionEvent(gnutella_establish, {BuildConnVal()}); + ConnectionEventFast(gnutella_establish, {BuildConnVal()}); else if ( ! Established () && gnutella_not_establish ) - ConnectionEvent(gnutella_not_establish, {BuildConnVal()}); + ConnectionEventFast(gnutella_not_establish, {BuildConnVal()}); } if ( gnutella_partial_binary_msg ) @@ -72,7 +72,7 @@ void Gnutella_Analyzer::Done() { if ( ! p->msg_sent && p->msg_pos ) { - ConnectionEvent(gnutella_partial_binary_msg, { + ConnectionEventFast(gnutella_partial_binary_msg, { BuildConnVal(), new StringVal(p->msg), val_mgr->GetBool((i == 0)), @@ -121,7 +121,7 @@ int Gnutella_Analyzer::IsHTTP(string header) if ( gnutella_http_notify ) { - ConnectionEvent(gnutella_http_notify, {BuildConnVal()}); + ConnectionEventFast(gnutella_http_notify, {BuildConnVal()}); } analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn()); 
@@ -181,7 +181,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig) { if ( gnutella_text_msg ) { - ConnectionEvent(gnutella_text_msg, { + ConnectionEventFast(gnutella_text_msg, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(ms->headers.data()), @@ -195,7 +195,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig) { sent_establish = 1; - ConnectionEvent(gnutella_establish, {BuildConnVal()}); + ConnectionEventFast(gnutella_establish, {BuildConnVal()}); } } } @@ -221,7 +221,7 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig) if ( gnutella_binary_msg ) { - ConnectionEvent(gnutella_binary_msg, { + ConnectionEventFast(gnutella_binary_msg, { BuildConnVal(), val_mgr->GetBool(is_orig), val_mgr->GetCount(p->msg_type), diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index 6087f7b43d..cc6403cb3e 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -646,7 +646,7 @@ void HTTP_Message::Done(const int interrupted, const char* detail) if ( http_message_done ) { - GetAnalyzer()->ConnectionEvent(http_message_done, { + GetAnalyzer()->ConnectionEventFast(http_message_done, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), BuildMessageStat(interrupted, detail), @@ -679,7 +679,7 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity) if ( http_begin_entity ) { - analyzer->ConnectionEvent(http_begin_entity, { + analyzer->ConnectionEventFast(http_begin_entity, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), }); @@ -696,7 +696,7 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity) if ( http_end_entity ) { - analyzer->ConnectionEvent(http_end_entity, { + analyzer->ConnectionEventFast(http_end_entity, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), }); 
@@ -737,7 +737,7 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist) { if ( http_all_headers ) { - analyzer->ConnectionEvent(http_all_headers, { + analyzer->ConnectionEventFast(http_all_headers, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), BuildHeaderTable(hlist), @@ -751,7 +751,7 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist) ty->Ref(); subty->Ref(); - analyzer->ConnectionEvent(http_content_type, { + analyzer->ConnectionEventFast(http_content_type, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), ty, @@ -1183,7 +1183,7 @@ void HTTP_Analyzer::GenStats() r->Assign(3, new Val(reply_version, TYPE_DOUBLE)); // DEBUG_MSG("%.6f http_stats\n", network_time); - ConnectionEvent(http_stats, {BuildConnVal(), r}); + ConnectionEventFast(http_stats, {BuildConnVal(), r}); } } @@ -1381,7 +1381,7 @@ void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail) if ( http_event ) { // DEBUG_MSG("%.6f http_event\n", network_time); - ConnectionEvent(http_event, { + ConnectionEventFast(http_event, { BuildConnVal(), new StringVal(category), detail, @@ -1424,7 +1424,7 @@ void HTTP_Analyzer::HTTP_Request() Ref(request_method); // DEBUG_MSG("%.6f http_request\n", network_time); - ConnectionEvent(http_request, { + ConnectionEventFast(http_request, { BuildConnVal(), request_method, TruncateURI(request_URI->AsStringVal()), @@ -1438,7 +1438,7 @@ void HTTP_Analyzer::HTTP_Reply() { if ( http_reply ) { - ConnectionEvent(http_reply, { + ConnectionEventFast(http_reply, { BuildConnVal(), new StringVal(fmt("%.1f", reply_version)), val_mgr->GetCount(reply_code), @@ -1517,7 +1517,7 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg) if ( http_connection_upgrade ) { - ConnectionEvent(http_connection_upgrade, { + ConnectionEventFast(http_connection_upgrade, { BuildConnVal(), new StringVal(upgrade_protocol), }); 
@@ -1693,7 +1693,7 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h) if ( DEBUG_http ) DEBUG_MSG("%.6f http_header\n", network_time); - ConnectionEvent(http_header, { + ConnectionEventFast(http_header, { BuildConnVal(), val_mgr->GetBool(is_orig), mime::new_string_val(h->get_name())->ToUpper(), @@ -1827,7 +1827,7 @@ void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data) { if ( http_entity_data ) { - ConnectionEvent(http_entity_data, { + ConnectionEventFast(http_entity_data, { BuildConnVal(), val_mgr->GetBool(is_orig), val_mgr->GetCount(entity_data->Len()), diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc index a740ac8848..0acbbd9731 100644 --- a/src/analyzer/protocol/icmp/ICMP.cc +++ b/src/analyzer/protocol/icmp/ICMP.cc @@ -199,7 +199,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, { if ( icmp_sent ) { - ConnectionEvent(icmp_sent, { + ConnectionEventFast(icmp_sent, { BuildConnVal(), BuildICMPVal(icmpp, len, icmpv6, ip_hdr), }); @@ -209,7 +209,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen, { BroString* payload = new BroString(data, min(len, caplen), 0); - ConnectionEvent(icmp_sent_payload, { + ConnectionEventFast(icmp_sent_payload, { BuildConnVal(), BuildICMPVal(icmpp, len, icmpv6, ip_hdr), new StringVal(payload), @@ -512,7 +512,7 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len, BroString* payload = new BroString(data, caplen, 0); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr), val_mgr->GetCount(iid), @@ -526,6 +526,10 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_router_advertisement; + + if ( ! f ) + return; + uint32 reachable = 0, retrans = 0; if ( caplen >= (int)sizeof(reachable) ) 
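Review bot: The early `if ( ! f ) return;` in ICMP_Analyzer::RouterAdvert is placed before the message is parsed, and `data` is a `const u_char*&`, so if the old code's parse advanced `data`, the function now returns with `data` untouched when the handler is absent and any caller reading `data` afterwards sees a packet view that depends on whether a script handles the event. The same applies to the NeighborAdvert, NeighborSolicit, Redirect and RouterSolicit hunks. If callers never use `data` after these calls this is harmless, but a comment above the return stating that, e.g. `// Callers do not consume data after this point, so skipping the parse is safe.`, would make the invariant explicit; the rest of each function lies outside its hunk.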
@@ -536,7 +540,7 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len, int opt_offset = sizeof(reachable) + sizeof(retrans); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), val_mgr->GetCount(icmpp->icmp_num_addrs), // Cur Hop Limit @@ -558,6 +562,10 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_neighbor_advertisement; + + if ( ! f ) + return; + IPAddr tgtaddr; if ( caplen >= (int)sizeof(in6_addr) ) @@ -565,7 +573,7 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len, int opt_offset = sizeof(in6_addr); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80), // Router @@ -581,6 +589,10 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_neighbor_solicitation; + + if ( ! f ) + return; + IPAddr tgtaddr; if ( caplen >= (int)sizeof(in6_addr) ) @@ -588,7 +600,7 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len, int opt_offset = sizeof(in6_addr); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), new AddrVal(tgtaddr), @@ -601,6 +613,10 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr) { EventHandlerPtr f = icmp_redirect; + + if ( ! f ) + return; + IPAddr tgtaddr, dstaddr; if ( caplen >= (int)sizeof(in6_addr) ) @@ -611,7 +627,7 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len, int opt_offset = 2 * sizeof(in6_addr); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), new AddrVal(tgtaddr), 
@@ -626,7 +642,10 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len, { EventHandlerPtr f = icmp_router_solicitation; - ConnectionEvent(f, { + if ( ! f ) + return; + + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), BuildNDOptionsVal(caplen, data), @@ -652,7 +671,7 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp, if ( f ) { - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 0, ip_hdr), val_mgr->GetCount(icmpp->icmp_code), @@ -692,7 +711,7 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp, if ( f ) { - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), BuildICMPVal(icmpp, len, 1, ip_hdr), val_mgr->GetCount(icmpp->icmp_code), diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc index ba32968c3b..ba00d9215b 100644 --- a/src/analyzer/protocol/ident/Ident.cc +++ b/src/analyzer/protocol/ident/Ident.cc @@ -83,7 +83,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) Weird("ident_request_addendum", s.CheckString()); } - ConnectionEvent(ident_request, { + ConnectionEventFast(ident_request, { BuildConnVal(), val_mgr->GetPort(local_port, TRANSPORT_TCP), val_mgr->GetPort(remote_port, TRANSPORT_TCP), @@ -143,12 +143,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) if ( is_error ) { - ConnectionEvent(ident_error, { - BuildConnVal(), - val_mgr->GetPort(local_port, TRANSPORT_TCP), - val_mgr->GetPort(remote_port, TRANSPORT_TCP), - new StringVal(end_of_line - line, line), - }); + if ( ident_error ) + ConnectionEventFast(ident_error, { + BuildConnVal(), + val_mgr->GetPort(local_port, TRANSPORT_TCP), + val_mgr->GetPort(remote_port, TRANSPORT_TCP), + new StringVal(end_of_line - line, line), + }); } else 
@@ -176,7 +177,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) line = skip_whitespace(colon + 1, end_of_line); - ConnectionEvent(ident_reply, { + ConnectionEventFast(ident_reply, { BuildConnVal(), val_mgr->GetPort(local_port, TRANSPORT_TCP), val_mgr->GetPort(remote_port, TRANSPORT_TCP), diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac index 353aadb7ce..ac1652086e 100644 --- a/src/analyzer/protocol/imap/imap-analyzer.pac +++ b/src/analyzer/protocol/imap/imap-analyzer.pac @@ -43,7 +43,9 @@ refine connection IMAP_Conn += { if ( commands == "ok" ) { bro_analyzer()->StartTLS(); - BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn()); + + if ( imap_starttls ) + BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn()); } else reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS"); @@ -54,6 +56,9 @@ refine connection IMAP_Conn += { function proc_server_capability(capabilities: Capability[]): bool %{ + if ( ! imap_capabilities ) + return true; + VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType()); for ( unsigned int i = 0; i< capabilities->size(); i++ ) { diff --git a/src/analyzer/protocol/interconn/InterConn.cc b/src/analyzer/protocol/interconn/InterConn.cc index 39749a0deb..057280a0fa 100644 --- a/src/analyzer/protocol/interconn/InterConn.cc +++ b/src/analyzer/protocol/interconn/InterConn.cc 
@@ -241,16 +241,18 @@ void InterConn_Analyzer::StatTimer(double t, int is_expire) void InterConn_Analyzer::StatEvent() { - Conn()->ConnectionEvent(interconn_stats, this, { - Conn()->BuildConnVal(), - orig_endp->BuildStats(), - resp_endp->BuildStats(), - }); + if ( interconn_stats ) + Conn()->ConnectionEventFast(interconn_stats, this, { + Conn()->BuildConnVal(), + orig_endp->BuildStats(), + resp_endp->BuildStats(), + }); } void InterConn_Analyzer::RemoveEvent() { - Conn()->ConnectionEvent(interconn_remove_conn, this, {Conn()->BuildConnVal()}); + if ( interconn_remove_conn ) + Conn()->ConnectionEventFast(interconn_remove_conn, this, {Conn()->BuildConnVal()}); } InterConnTimer::InterConnTimer(double t, InterConn_Analyzer* a) diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc index cd48d8469c..c5db109434 100644 --- a/src/analyzer/protocol/irc/IRC.cc +++ b/src/analyzer/protocol/irc/IRC.cc @@ -233,7 +233,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) // else ### } - ConnectionEvent(irc_network_info, { + ConnectionEventFast(irc_network_info, { BuildConnVal(), val_mgr->GetBool(orig), val_mgr->GetInt(users), @@ -281,7 +281,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) Unref(idx); } - ConnectionEvent(irc_names_info, { + ConnectionEventFast(irc_names_info, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(type.c_str()), @@ -315,7 +315,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) // else ### } - ConnectionEvent(irc_server_info, { + ConnectionEventFast(irc_server_info, { BuildConnVal(), val_mgr->GetBool(orig), val_mgr->GetInt(users), 
@@ -337,7 +337,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts[i] == ":channels" ) channels = atoi(parts[i - 1].c_str()); - ConnectionEvent(irc_channel_info, { + ConnectionEventFast(irc_channel_info, { BuildConnVal(), val_mgr->GetBool(orig), val_mgr->GetInt(channels), @@ -369,7 +369,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) break; } - ConnectionEvent(irc_global_users, { + ConnectionEventFast(irc_global_users, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(eop - prefix, prefix), @@ -412,7 +412,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) vl.append(new StringVal(real_name.c_str())); - ConnectionEvent(irc_whois_user_line, std::move(vl)); + ConnectionEventFast(irc_whois_user_line, std::move(vl)); } break; @@ -433,7 +433,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) return; } - ConnectionEvent(irc_whois_operator_line, { + ConnectionEventFast(irc_whois_operator_line, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(parts[0].c_str()), @@ -472,7 +472,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) Unref(idx); } - ConnectionEvent(irc_whois_channel_line, { + ConnectionEventFast(irc_whois_channel_line, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(nick.c_str()), @@ -503,7 +503,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( *t == ':' ) ++t; - ConnectionEvent(irc_channel_topic, { + ConnectionEventFast(irc_channel_topic, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(parts[1].c_str()), @@ -537,7 +537,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts[7][0] == ':' ) parts[7] = parts[7].substr(1); - ConnectionEvent(irc_who_line, { + ConnectionEventFast(irc_who_line, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(parts[0].c_str()), 
@@ -560,7 +560,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) case 436: if ( irc_invalid_nick ) { - ConnectionEvent(irc_invalid_nick, { + ConnectionEventFast(irc_invalid_nick, { BuildConnVal(), val_mgr->GetBool(orig), }); @@ -572,7 +572,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) case 491: // user is not operator if ( irc_oper_response ) { - ConnectionEvent(irc_oper_response, { + ConnectionEventFast(irc_oper_response, { BuildConnVal(), val_mgr->GetBool(orig), val_mgr->GetBool(code == 381), @@ -587,13 +587,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) // All other server replies. default: - ConnectionEvent(irc_reply, { - BuildConnVal(), - val_mgr->GetBool(orig), - new StringVal(prefix.c_str()), - val_mgr->GetCount(code), - new StringVal(params.c_str()), - }); + if ( irc_reply ) + ConnectionEventFast(irc_reply, { + BuildConnVal(), + val_mgr->GetBool(orig), + new StringVal(prefix.c_str()), + val_mgr->GetCount(code), + new StringVal(params.c_str()), + }); break; } return; 
@@ -657,30 +658,32 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) } - ConnectionEvent(irc_dcc_message, { - BuildConnVal(), - val_mgr->GetBool(orig), - new StringVal(prefix.c_str()), - new StringVal(target.c_str()), - new StringVal(parts[1].c_str()), - new StringVal(parts[2].c_str()), - new AddrVal(htonl(raw_ip)), - val_mgr->GetCount(atoi(parts[4].c_str())), - parts.size() >= 6 ? - val_mgr->GetCount(atoi(parts[5].c_str())) : - val_mgr->GetCount(0), - }); + if ( irc_dcc_message ) + ConnectionEventFast(irc_dcc_message, { + BuildConnVal(), + val_mgr->GetBool(orig), + new StringVal(prefix.c_str()), + new StringVal(target.c_str()), + new StringVal(parts[1].c_str()), + new StringVal(parts[2].c_str()), + new AddrVal(htonl(raw_ip)), + val_mgr->GetCount(atoi(parts[4].c_str())), + parts.size() >= 6 ? + val_mgr->GetCount(atoi(parts[5].c_str())) : + val_mgr->GetCount(0), + }); } else { - ConnectionEvent(irc_privmsg_message, { - BuildConnVal(), - val_mgr->GetBool(orig), - new StringVal(prefix.c_str()), - new StringVal(target.c_str()), - new StringVal(message.c_str()), - }); + if ( irc_privmsg_message ) + ConnectionEventFast(irc_privmsg_message, { + BuildConnVal(), + val_mgr->GetBool(orig), + new StringVal(prefix.c_str()), + new StringVal(target.c_str()), + new StringVal(message.c_str()), + }); } } @@ -699,7 +702,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( message[0] == ':' ) message = message.substr(1); - ConnectionEvent(irc_notice_message, { + ConnectionEventFast(irc_notice_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -723,7 +726,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( message[0] == ':' ) message = message.substr(1); - ConnectionEvent(irc_squery_message, { + ConnectionEventFast(irc_squery_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), 
@@ -763,7 +766,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) const char* name = realname.c_str(); vl.append(new StringVal(*name == ':' ? name + 1 : name)); - ConnectionEvent(irc_user_message, std::move(vl)); + ConnectionEventFast(irc_user_message, std::move(vl)); } else if ( irc_oper_message && command == "OPER" ) @@ -772,7 +775,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) vector parts = SplitWords(params, ' '); if ( parts.size() == 2 ) { - ConnectionEvent(irc_oper_message, { + ConnectionEventFast(irc_oper_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(parts[0].c_str()), @@ -814,7 +817,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) else vl.append(val_mgr->GetEmptyString()); - ConnectionEvent(irc_kick_message, std::move(vl)); + ConnectionEventFast(irc_kick_message, std::move(vl)); } else if ( irc_join_message && command == "JOIN" ) @@ -862,7 +865,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) Unref(info); } - ConnectionEvent(irc_join_message, { + ConnectionEventFast(irc_join_message, { BuildConnVal(), val_mgr->GetBool(orig), list, @@ -923,7 +926,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) Unref(info); } - ConnectionEvent(irc_join_message, { + ConnectionEventFast(irc_join_message, { BuildConnVal(), val_mgr->GetBool(orig), list, @@ -963,7 +966,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) Unref(idx); } - ConnectionEvent(irc_part_message, { + ConnectionEventFast(irc_part_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(nick.c_str()), @@ -986,7 +989,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) nickname = prefix.substr(0, pos); } - ConnectionEvent(irc_quit_message, { + ConnectionEventFast(irc_quit_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(nickname.c_str()), 
@@ -1000,7 +1003,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( nick[0] == ':' ) nick = nick.substr(1); - ConnectionEvent(irc_nick_message, { + ConnectionEventFast(irc_nick_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1025,7 +1028,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' ) parts[0] = parts[0].substr(1); - ConnectionEvent(irc_who_message, { + ConnectionEventFast(irc_who_message, { BuildConnVal(), val_mgr->GetBool(orig), parts.size() > 0 ? @@ -1055,7 +1058,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) else users = parts[0]; - ConnectionEvent(irc_whois_message, { + ConnectionEventFast(irc_whois_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(server.c_str()), @@ -1068,7 +1071,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( params[0] == ':' ) params = params.substr(1); - ConnectionEvent(irc_error_message, { + ConnectionEventFast(irc_error_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1084,7 +1087,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts[1].size() > 0 && parts[1][0] == ':' ) parts[1] = parts[1].substr(1); - ConnectionEvent(irc_invite_message, { + ConnectionEventFast(irc_invite_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1100,7 +1103,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { if ( params.size() > 0 ) { - ConnectionEvent(irc_mode_message, { + ConnectionEventFast(irc_mode_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), 
@@ -1114,7 +1117,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) else if ( irc_password_message && command == "PASS" ) { - ConnectionEvent(irc_password_message, { + ConnectionEventFast(irc_password_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(params.c_str()), @@ -1136,7 +1139,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) message = message.substr(1); } - ConnectionEvent(irc_squit_message, { + ConnectionEventFast(irc_squit_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1150,7 +1153,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { if ( irc_request ) { - ConnectionEvent(irc_request, { + ConnectionEventFast(irc_request, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1164,7 +1167,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) { if ( irc_message ) { - ConnectionEvent(irc_message, { + ConnectionEventFast(irc_message, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(prefix.c_str()), @@ -1199,7 +1202,8 @@ void IRC_Analyzer::StartTLS() if ( ssl ) AddChildAnalyzer(ssl); - ConnectionEvent(irc_starttls, {BuildConnVal()}); + if ( irc_starttls ) + ConnectionEventFast(irc_starttls, {BuildConnVal()}); } vector IRC_Analyzer::SplitWords(const string input, const char split) diff --git a/src/analyzer/protocol/login/Login.cc b/src/analyzer/protocol/login/Login.cc index 326c126ae9..31aba64755 100644 --- a/src/analyzer/protocol/login/Login.cc +++ b/src/analyzer/protocol/login/Login.cc @@ -289,7 +289,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line) { if ( authentication_skipped ) { - ConnectionEvent(authentication_skipped, {BuildConnVal()}); + ConnectionEventFast(authentication_skipped, {BuildConnVal()}); } state = LOGIN_STATE_SKIP; 
@@ -332,7 +332,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) else if ( login_terminal && streq(name, "TERM") ) { - ConnectionEvent(login_terminal, { + ConnectionEventFast(login_terminal, { BuildConnVal(), new StringVal(val), }); @@ -340,7 +340,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) else if ( login_display && streq(name, "DISPLAY") ) { - ConnectionEvent(login_display, { + ConnectionEventFast(login_display, { BuildConnVal(), new StringVal(val), }); @@ -348,7 +348,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val) else if ( login_prompt && streq(name, "TTYPROMPT") ) { - ConnectionEvent(login_prompt, { + ConnectionEventFast(login_prompt, { BuildConnVal(), new StringVal(val), }); @@ -425,7 +425,7 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line, Val* password = HaveTypeahead() ? PopUserTextVal() : new StringVal(""); - ConnectionEvent(f, { + ConnectionEventFast(f, { BuildConnVal(), username->Ref(), client_name ? client_name->Ref() : val_mgr->GetEmptyString(), @@ -444,7 +444,10 @@ const char* Login_Analyzer::GetUsername(const char* line) const void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line) { - ConnectionEvent(f, { + if ( ! f ) + return; + + ConnectionEventFast(f, { BuildConnVal(), new StringVal(line), }); @@ -457,7 +460,7 @@ void Login_Analyzer::Confused(const char* msg, const char* line) if ( login_confused ) { - ConnectionEvent(login_confused, { + ConnectionEventFast(login_confused, { BuildConnVal(), new StringVal(msg), new StringVal(line), @@ -483,7 +486,7 @@ void Login_Analyzer::ConfusionText(const char* line) { if ( login_confused_text ) { - ConnectionEvent(login_confused_text, { + ConnectionEventFast(login_confused_text, { BuildConnVal(), new StringVal(line), }); diff --git a/src/analyzer/protocol/login/NVT.cc b/src/analyzer/protocol/login/NVT.cc index 53ad3c202d..ea651ece42 100644 --- a/src/analyzer/protocol/login/NVT.cc 
+++ b/src/analyzer/protocol/login/NVT.cc @@ -461,7 +461,7 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len) { if ( login_terminal ) { - ConnectionEvent(login_terminal, { + ConnectionEventFast(login_terminal, { BuildConnVal(), new StringVal(new BroString(terminal, len, 0)), }); diff --git a/src/analyzer/protocol/login/RSH.cc b/src/analyzer/protocol/login/RSH.cc index 4688bf9280..b3cca3f5c4 100644 --- a/src/analyzer/protocol/login/RSH.cc +++ b/src/analyzer/protocol/login/RSH.cc @@ -183,11 +183,11 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig) else vl.append(val_mgr->GetFalse()); - ConnectionEvent(rsh_request, std::move(vl)); + ConnectionEventFast(rsh_request, std::move(vl)); } else - ConnectionEvent(rsh_reply, std::move(vl)); + ConnectionEventFast(rsh_reply, std::move(vl)); } void Rsh_Analyzer::ClientUserName(const char* s) diff --git a/src/analyzer/protocol/login/Rlogin.cc b/src/analyzer/protocol/login/Rlogin.cc index 10d9e23e91..0c7386e59f 100644 --- a/src/analyzer/protocol/login/Rlogin.cc +++ b/src/analyzer/protocol/login/Rlogin.cc @@ -244,7 +244,7 @@ void Rlogin_Analyzer::TerminalType(const char* s) { if ( login_terminal ) { - ConnectionEvent(login_terminal, { + ConnectionEventFast(login_terminal, { BuildConnVal(), new StringVal(s), }); diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc index edb5316bac..35b9832020 100644 --- a/src/analyzer/protocol/mime/MIME.cc +++ b/src/analyzer/protocol/mime/MIME.cc @@ -1358,7 +1358,7 @@ void MIME_Mail::Done() hash_final(md5_hash, digest); md5_hash = nullptr; - analyzer->ConnectionEvent(mime_content_hash, { + analyzer->ConnectionEventFast(mime_content_hash, { analyzer->BuildConnVal(), val_mgr->GetCount(content_hash_length), new StringVal(new BroString(1, digest, 16)), 
@@ -1386,7 +1386,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */) cur_entity_id.clear(); if ( mime_begin_entity ) - analyzer->ConnectionEvent(mime_begin_entity, {analyzer->BuildConnVal()}); + analyzer->ConnectionEventFast(mime_begin_entity, {analyzer->BuildConnVal()}); buffer_start = data_start = 0; ASSERT(entity_content.size() == 0); @@ -1398,8 +1398,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */) { BroString* s = concatenate(entity_content); - - analyzer->ConnectionEvent(mime_entity_data, { + analyzer->ConnectionEventFast(mime_entity_data, { analyzer->BuildConnVal(), val_mgr->GetCount(s->Len()), new StringVal(s), @@ -1412,7 +1411,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */) } if ( mime_end_entity ) - analyzer->ConnectionEvent(mime_end_entity, {analyzer->BuildConnVal()}); + analyzer->ConnectionEventFast(mime_end_entity, {analyzer->BuildConnVal()}); file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); cur_entity_id.clear(); @@ -1422,7 +1421,7 @@ void MIME_Mail::SubmitHeader(MIME_Header* h) { if ( mime_one_header ) { - analyzer->ConnectionEvent(mime_one_header, { + analyzer->ConnectionEventFast(mime_one_header, { analyzer->BuildConnVal(), BuildHeaderVal(h), }); @@ -1433,7 +1432,7 @@ void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist) { if ( mime_all_headers ) { - analyzer->ConnectionEvent(mime_all_headers, { + analyzer->ConnectionEventFast(mime_all_headers, { analyzer->BuildConnVal(), BuildHeaderTable(hlist), }); @@ -1470,7 +1469,7 @@ void MIME_Mail::SubmitData(int len, const char* buf) const char* data = (char*) data_buffer->Bytes() + data_start; int data_len = (buf + len) - data; - analyzer->ConnectionEvent(mime_segment_data, { + analyzer->ConnectionEventFast(mime_segment_data, { analyzer->BuildConnVal(), val_mgr->GetCount(data_len), new StringVal(data_len, data), 
@@ -1517,7 +1516,7 @@ void MIME_Mail::SubmitAllData() BroString* s = concatenate(all_content); delete_strings(all_content); - analyzer->ConnectionEvent(mime_all_data, { + analyzer->ConnectionEventFast(mime_all_data, { analyzer->BuildConnVal(), val_mgr->GetCount(s->Len()), new StringVal(s), @@ -1546,7 +1545,7 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail) if ( mime_event ) { - analyzer->ConnectionEvent(mime_event, { + analyzer->ConnectionEventFast(mime_event, { analyzer->BuildConnVal(), new StringVal(category), new StringVal(detail), diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc index ceb480292b..de13e4a6e7 100644 --- a/src/analyzer/protocol/ncp/NCP.cc +++ b/src/analyzer/protocol/ncp/NCP.cc @@ -63,7 +63,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame) { if ( frame->is_orig() ) { - analyzer->ConnectionEvent(f, { + analyzer->ConnectionEventFast(f, { analyzer->BuildConnVal(), val_mgr->GetCount(frame->frame_type()), val_mgr->GetCount(frame->body_length()), @@ -72,7 +72,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame) } else { - analyzer->ConnectionEvent(f, { + analyzer->ConnectionEventFast(f, { analyzer->BuildConnVal(), val_mgr->GetCount(frame->frame_type()), val_mgr->GetCount(frame->body_length()), diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc index 5dc07f7d0d..c643f8ced7 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.cc +++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc @@ -58,7 +58,7 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags, { if ( netbios_session_message ) { - analyzer->ConnectionEvent(netbios_session_message, { + analyzer->ConnectionEventFast(netbios_session_message, { analyzer->BuildConnVal(), val_mgr->GetBool(is_query), val_mgr->GetCount(type), 
@@ -330,14 +330,14 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data, if ( is_orig >= 0 ) { - analyzer->ConnectionEvent(event, { + analyzer->ConnectionEventFast(event, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), new StringVal(new BroString(data, len, 0)), }); } else - analyzer->ConnectionEvent(event, { + analyzer->ConnectionEventFast(event, { analyzer->BuildConnVal(), new StringVal(new BroString(data, len, 0)), }); diff --git a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac index c72a9d249a..0f0d842570 100644 --- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac +++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac @@ -94,6 +94,9 @@ refine connection NTLM_Conn += { function proc_ntlm_negotiate(val: NTLM_Negotiate): bool %{ + if ( ! ntlm_negotiate ) + return true; + RecordVal* result = new RecordVal(BifType::Record::NTLM::Negotiate); result->Assign(0, build_negotiate_flag_record(${val.flags})); @@ -115,6 +118,9 @@ refine connection NTLM_Conn += { function proc_ntlm_challenge(val: NTLM_Challenge): bool %{ + if ( ! ntlm_challenge ) + return true; + RecordVal* result = new RecordVal(BifType::Record::NTLM::Challenge); result->Assign(0, build_negotiate_flag_record(${val.flags})); @@ -136,6 +142,9 @@ refine connection NTLM_Conn += { function proc_ntlm_authenticate(val: NTLM_Authenticate): bool %{ + if ( ! ntlm_authenticate ) + return true; + RecordVal* result = new RecordVal(BifType::Record::NTLM::Authenticate); result->Assign(0, build_negotiate_flag_record(${val.flags})); diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc index 2e6988d13f..a4c147b464 100644 --- a/src/analyzer/protocol/ntp/NTP.cc +++ b/src/analyzer/protocol/ntp/NTP.cc 
@@ -62,6 +62,9 @@ void NTP_Analyzer::Message(const u_char* data, int len) len -= sizeof *ntp_data; data += sizeof *ntp_data; + if ( ! ntp_message ) + return; + RecordVal* msg = new RecordVal(ntp_msg); unsigned int code = ntp_data->status & 0x7; @@ -78,7 +81,7 @@ void NTP_Analyzer::Message(const u_char* data, int len) msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME)); msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME)); - ConnectionEvent(ntp_message, { + ConnectionEventFast(ntp_message, { BuildConnVal(), msg, new StringVal(new BroString(data, len, 0)), diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc index e7ccf3907c..d8601ed3ba 100644 --- a/src/analyzer/protocol/pop3/POP3.cc +++ b/src/analyzer/protocol/pop3/POP3.cc @@ -833,7 +833,8 @@ void POP3_Analyzer::StartTLS() if ( ssl ) AddChildAnalyzer(ssl); - ConnectionEvent(pop3_starttls, {BuildConnVal()}); + if ( pop3_starttls ) + ConnectionEventFast(pop3_starttls, {BuildConnVal()}); } void POP3_Analyzer::AuthSuccessfull() @@ -932,5 +933,5 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig, if ( arg2 ) vl.append(new StringVal(arg2)); - ConnectionEvent(event, std::move(vl)); + ConnectionEventFast(event, std::move(vl)); } diff --git a/src/analyzer/protocol/rfb/rfb-analyzer.pac b/src/analyzer/protocol/rfb/rfb-analyzer.pac index 39a792ba89..67adba8681 100644 --- a/src/analyzer/protocol/rfb/rfb-analyzer.pac +++ b/src/analyzer/protocol/rfb/rfb-analyzer.pac @@ -1,7 +1,8 @@ refine flow RFB_Flow += { function proc_rfb_message(msg: RFB_PDU): bool %{ - BifEvent::generate_rfb_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn()); + if ( rfb_event ) + BifEvent::generate_rfb_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn()); return true; %} 
@@ -9,44 +10,51 @@ refine flow RFB_Flow += { %{ if (client) { - BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); + if ( rfb_client_version ) + BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); connection()->bro_analyzer()->ProtocolConfirmation(); } else { - BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); + if ( rfb_server_version ) + BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor)); } return true; %} function proc_rfb_share_flag(shared: bool) : bool %{ - BifEvent::generate_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared); + if ( rfb_share_flag ) + BifEvent::generate_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared); return true; %} function proc_security_types(msg: RFBSecurityTypes) : bool %{ - BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype}); + if ( rfb_authentication_type ) + BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype}); return true; %} function proc_security_types37(msg: RFBAuthTypeSelected) : bool %{ - BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type}); + if ( rfb_authentication_type ) + BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type}); return true; %} function proc_handle_server_params(msg:RFBServerInit) : bool %{ - 
BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height}); + if ( rfb_server_parameters ) + BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height}); return true; %} function proc_handle_security_result(result : uint32) : bool %{ - BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result); + if ( rfb_auth_result ) + BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result); return true; %} }; diff --git a/src/analyzer/protocol/rpc/MOUNT.cc b/src/analyzer/protocol/rpc/MOUNT.cc index 1cea8e0211..4473826830 100644 --- a/src/analyzer/protocol/rpc/MOUNT.cc +++ b/src/analyzer/protocol/rpc/MOUNT.cc @@ -95,7 +95,7 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status { auto vl = event_common_vl(c, rpc_status, mount_status, start_time, last_time, reply_len, 0); - analyzer->ConnectionEvent(mount_reply_status, std::move(vl)); + analyzer->ConnectionEventFast(mount_reply_status, std::move(vl)); } if ( ! rpc_success ) @@ -173,7 +173,7 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status if ( reply ) vl.append(reply); - analyzer->ConnectionEvent(event, std::move(vl)); + analyzer->ConnectionEventFast(event, std::move(vl)); } else Unref(reply); diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 3453263dd0..089d89ea98 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc 
@@ -149,7 +149,7 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, { auto vl = event_common_vl(c, rpc_status, nfs_status, start_time, last_time, reply_len, 0); - analyzer->ConnectionEvent(nfs_reply_status, std::move(vl)); + analyzer->ConnectionEventFast(nfs_reply_status, std::move(vl)); } if ( ! rpc_success ) @@ -285,7 +285,7 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, if ( reply ) vl.append(reply); - analyzer->ConnectionEvent(event, std::move(vl)); + analyzer->ConnectionEventFast(event, std::move(vl)); } else Unref(reply); diff --git a/src/analyzer/protocol/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc index 8333f615fa..cb3944519f 100644 --- a/src/analyzer/protocol/rpc/Portmap.cc +++ b/src/analyzer/protocol/rpc/Portmap.cc @@ -261,7 +261,7 @@ uint32 PortmapperInterp::CheckPort(uint32 port) { if ( pm_bad_port ) { - analyzer->ConnectionEvent(pm_bad_port, { + analyzer->ConnectionEventFast(pm_bad_port, { analyzer->BuildConnVal(), val_mgr->GetCount(port), }); @@ -300,7 +300,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu vl.append(request); } - analyzer->ConnectionEvent(f, std::move(vl)); + analyzer->ConnectionEventFast(f, std::move(vl)); } Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn) diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index 781ba20681..be0be02232 100644 --- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc @@ -330,7 +330,7 @@ void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status st { if ( rpc_dialogue ) { - analyzer->ConnectionEvent(rpc_dialogue, { + analyzer->ConnectionEventFast(rpc_dialogue, { analyzer->BuildConnVal(), val_mgr->GetCount(c->Program()), val_mgr->GetCount(c->Version()), 
@@ -347,7 +347,7 @@ void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c) { if ( rpc_call ) { - analyzer->ConnectionEvent(rpc_call, { + analyzer->ConnectionEventFast(rpc_call, { analyzer->BuildConnVal(), val_mgr->GetCount(c->XID()), val_mgr->GetCount(c->Program()), @@ -362,7 +362,7 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, { if ( rpc_reply ) { - analyzer->ConnectionEvent(rpc_reply, { + analyzer->ConnectionEventFast(rpc_reply, { analyzer->BuildConnVal(), val_mgr->GetCount(xid), BifType::Enum::rpc_status->GetVal(status), diff --git a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac index 0cdae1cefb..01eae48d0b 100644 --- a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac @@ -6,8 +6,10 @@ refine connection SMB_Conn += { BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) { set_tree_is_pipe(${header.tid}); - BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), - bro_analyzer()->Conn()); + + if ( smb_pipe_connect_heuristic ) + BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), + bro_analyzer()->Conn()); } if ( smb1_nt_create_andx_request ) diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac index 4ba86d1b75..d5df7a3fca 100644 --- a/src/analyzer/protocol/smb/smb1-protocol.pac +++ b/src/analyzer/protocol/smb/smb1-protocol.pac @@ -66,9 +66,10 @@ refine connection SMB_Conn += { } else { - BifEvent::generate_smb1_error(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(h), is_orig); + if ( smb1_error ) + BifEvent::generate_smb1_error(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(h), is_orig); } return true; %} diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac index 2f7dfc4d26..d3df094f51 100644 
--- a/src/analyzer/protocol/smb/smb2-com-create.pac +++ b/src/analyzer/protocol/smb/smb2-com-create.pac @@ -7,8 +7,10 @@ refine connection SMB_Conn += { BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) ) { set_tree_is_pipe(${h.tree_id}); - BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), - bro_analyzer()->Conn()); + + if ( smb_pipe_connect_heuristic ) + BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(), + bro_analyzer()->Conn()); } if ( smb2_create_request ) diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc index dff1677fc3..aa049c994b 100644 --- a/src/analyzer/protocol/smtp/SMTP.cc +++ b/src/analyzer/protocol/smtp/SMTP.cc @@ -220,7 +220,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) if ( smtp_data && ! skip_data ) { - ConnectionEvent(smtp_data, { + ConnectionEventFast(smtp_data, { BuildConnVal(), val_mgr->GetBool(orig), new StringVal(data_len, line), @@ -350,7 +350,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig) break; } - ConnectionEvent(smtp_reply, { + ConnectionEventFast(smtp_reply, { BuildConnVal(), val_mgr->GetBool(orig), val_mgr->GetCount(reply_code), @@ -410,7 +410,8 @@ void SMTP_Analyzer::StartTLS() if ( ssl ) AddChildAnalyzer(ssl); - ConnectionEvent(smtp_starttls, {BuildConnVal()}); + if ( smtp_starttls ) + ConnectionEventFast(smtp_starttls, {BuildConnVal()}); } 
@@ -852,12 +853,14 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd, int arg_len, const char* arg) { ProtocolConfirmation(); - ConnectionEvent(smtp_request, { - BuildConnVal(), - val_mgr->GetBool(orig_is_sender), - (new StringVal(cmd_len, cmd))->ToUpper(), - new StringVal(arg_len, arg), - }); + + if ( smtp_request ) + ConnectionEventFast(smtp_request, { + BuildConnVal(), + val_mgr->GetBool(orig_is_sender), + (new StringVal(cmd_len, cmd))->ToUpper(), + new StringVal(arg_len, arg), + }); } void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg, @@ -872,7 +875,7 @@ void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg, if ( ! orig_is_sender ) is_orig = ! is_orig; - ConnectionEvent(smtp_unexpected, { + ConnectionEventFast(smtp_unexpected, { BuildConnVal(), val_mgr->GetBool(is_orig), new StringVal(msg), diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index f625851d0a..b0ec62e2b9 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac 
@@ -22,18 +22,22 @@ refine connection SOCKS_Conn += { function socks4_request(request: SOCKS4_Request): bool %{ - RecordVal* sa = new RecordVal(socks_address); - sa->Assign(0, new AddrVal(htonl(${request.addr}))); - if ( ${request.v4a} ) - sa->Assign(1, array_to_string(${request.name})); + if ( socks_request ) + { + RecordVal* sa = new RecordVal(socks_address); + sa->Assign(0, new AddrVal(htonl(${request.addr}))); - BifEvent::generate_socks_request(bro_analyzer(), - bro_analyzer()->Conn(), - 4, - ${request.command}, - sa, - val_mgr->GetPort(${request.port}, TRANSPORT_TCP), - array_to_string(${request.user})); + if ( ${request.v4a} ) + sa->Assign(1, array_to_string(${request.name})); + + BifEvent::generate_socks_request(bro_analyzer(), + bro_analyzer()->Conn(), + 4, + ${request.command}, + sa, + val_mgr->GetPort(${request.port}, TRANSPORT_TCP), + array_to_string(${request.user})); + } static_cast(bro_analyzer())->EndpointDone(true); @@ -42,15 +46,18 @@ refine connection SOCKS_Conn += { function socks4_reply(reply: SOCKS4_Reply): bool %{ - RecordVal* sa = new RecordVal(socks_address); - sa->Assign(0, new AddrVal(htonl(${reply.addr}))); + if ( socks_reply ) + { + RecordVal* sa = new RecordVal(socks_address); + sa->Assign(0, new AddrVal(htonl(${reply.addr}))); - BifEvent::generate_socks_reply(bro_analyzer(), - bro_analyzer()->Conn(), - 4, - ${reply.status}, - sa, - val_mgr->GetPort(${reply.port}, TRANSPORT_TCP)); + BifEvent::generate_socks_reply(bro_analyzer(), + bro_analyzer()->Conn(), + 4, + ${reply.status}, + sa, + val_mgr->GetPort(${reply.port}, TRANSPORT_TCP)); + } bro_analyzer()->ProtocolConfirmation(); static_cast(bro_analyzer())->EndpointDone(false); 
@@ -97,13 +104,16 @@ refine connection SOCKS_Conn += { return false; } - BifEvent::generate_socks_request(bro_analyzer(), - bro_analyzer()->Conn(), - 5, - ${request.command}, - sa, - val_mgr->GetPort(${request.port}, TRANSPORT_TCP), - val_mgr->GetEmptyString()); + if ( socks_request ) + BifEvent::generate_socks_request(bro_analyzer(), + bro_analyzer()->Conn(), + 5, + ${request.command}, + sa, + val_mgr->GetPort(${request.port}, TRANSPORT_TCP), + val_mgr->GetEmptyString()); + else + Unref(sa); static_cast(bro_analyzer())->EndpointDone(true); @@ -136,12 +146,15 @@ refine connection SOCKS_Conn += { return false; } - BifEvent::generate_socks_reply(bro_analyzer(), - bro_analyzer()->Conn(), - 5, - ${reply.reply}, - sa, - val_mgr->GetPort(${reply.port}, TRANSPORT_TCP)); + if ( socks_reply ) + BifEvent::generate_socks_reply(bro_analyzer(), + bro_analyzer()->Conn(), + 5, + ${reply.reply}, + sa, + val_mgr->GetPort(${reply.port}, TRANSPORT_TCP)); + else + Unref(sa); bro_analyzer()->ProtocolConfirmation(); static_cast(bro_analyzer())->EndpointDone(false); @@ -150,6 +163,9 @@ refine connection SOCKS_Conn += { function socks5_auth_request_userpass(request: SOCKS5_Auth_Request_UserPass_v1): bool %{ + if ( ! socks_login_userpass_request ) + return true; + StringVal* user = new StringVal(${request.username}.length(), (const char*) ${request.username}.begin()); StringVal* pass = new StringVal(${request.password}.length(), (const char*) ${request.password}.begin()); @@ -173,9 +189,10 @@ refine connection SOCKS_Conn += { function socks5_auth_reply_userpass(reply: SOCKS5_Auth_Reply_UserPass_v1): bool %{ - BifEvent::generate_socks_login_userpass_reply(bro_analyzer(), - bro_analyzer()->Conn(), - ${reply.code}); + if ( socks_login_userpass_reply ) + BifEvent::generate_socks_login_userpass_reply(bro_analyzer(), + bro_analyzer()->Conn(), + ${reply.code}); return true; %} 
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac index bf35218873..7d23ecc75e 100644 --- a/src/analyzer/protocol/ssl/ssl-analyzer.pac +++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac @@ -17,8 +17,8 @@ refine connection SSL_Conn += { function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool %{ - BifEvent::generate_ssl_established(bro_analyzer(), - bro_analyzer()->Conn()); + if ( ssl_established ) + BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn()); return true; %} diff --git a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac index d92f850d28..56573fd48e 100644 --- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac +++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac @@ -31,8 +31,9 @@ refine connection SSL_Conn += { function proc_alert(rec: SSLRecord, level : int, desc : int) : bool %{ - BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(), - ${rec.is_orig}, level, desc); + if ( ssl_alert ) + BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, level, desc); return true; %} function proc_unknown_record(rec: SSLRecord) : bool @@ -50,8 +51,8 @@ refine connection SSL_Conn += { established_ == false ) { established_ = true; - BifEvent::generate_ssl_established(bro_analyzer(), - bro_analyzer()->Conn()); + if ( ssl_established ) + BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn()); } if ( ssl_encrypted_data ) 
@@ -72,9 +73,10 @@ refine connection SSL_Conn += { function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool %{ - BifEvent::generate_ssl_heartbeat(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length, - new StringVal(data.length(), (const char*) data.data())); + if ( ssl_heartbeat ) + BifEvent::generate_ssl_heartbeat(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length, + new StringVal(data.length(), (const char*) data.data())); return true; %} @@ -93,8 +95,9 @@ refine connection SSL_Conn += { function proc_ccs(rec: SSLRecord) : bool %{ - BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}); + if ( ssl_change_cipher_spec ) + BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}); return true; %} diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 5cf250c366..ecaaf8c20d 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -72,6 +72,9 @@ refine connection Handshake_Conn += { function proc_ec_point_formats(rec: HandshakeRecord, point_format_list: uint8[]) : bool %{ + if ( ! ssl_extension_ec_point_formats ) + return true; + VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType()); if ( point_format_list ) @@ -88,6 +91,9 @@ refine connection Handshake_Conn += { function proc_elliptic_curves(rec: HandshakeRecord, list: uint16[]) : bool %{ + if ( ! ssl_extension_elliptic_curves ) + return true; + VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType()); if ( list ) 
@@ -104,6 +110,9 @@ refine connection Handshake_Conn += { function proc_client_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry[]) : bool %{ + if ( ! ssl_extension_key_share ) + return true; + VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType()); if ( keyshare ) @@ -113,11 +122,15 @@ refine connection Handshake_Conn += { } BifEvent::generate_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, nglist); + return true; %} function proc_server_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry) : bool %{ + if ( ! ssl_extension_key_share ) + return true; + VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType()); nglist->Assign(0u, val_mgr->GetCount(keyshare->namedgroup())); @@ -127,6 +140,9 @@ refine connection Handshake_Conn += { function proc_signature_algorithm(rec: HandshakeRecord, supported_signature_algorithms: SignatureAndHashAlgorithm[]) : bool %{ + if ( ! ssl_extension_signature_algorithm ) + return true; + VectorVal* slist = new VectorVal(internal_type("signature_and_hashalgorithm_vec")->AsVectorType()); if ( supported_signature_algorithms ) @@ -147,6 +163,9 @@ refine connection Handshake_Conn += { function proc_apnl(rec: HandshakeRecord, protocols: ProtocolName[]) : bool %{ + if ( ! ssl_extension_application_layer_protocol_negotiation ) + return true; + VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType()); if ( protocols ) 
@@ -183,14 +202,20 @@ refine connection Handshake_Conn += { } } - BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(), - ${rec.is_orig}, servers); + if ( ssl_extension_server_name ) + BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, servers); + else + Unref(servers); return true; %} function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool %{ + if ( ! ssl_extension_supported_versions ) + return true; + VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); if ( versions_list ) @@ -207,6 +232,9 @@ refine connection Handshake_Conn += { function proc_one_supported_version(rec: HandshakeRecord, version: uint16) : bool %{ + if ( ! ssl_extension_supported_versions ) + return true; + VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); versions->Assign(0u, val_mgr->GetCount(version)); @@ -218,6 +246,9 @@ refine connection Handshake_Conn += { function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool %{ + if ( ! ssl_extension_psk_key_exchange_modes ) + return true; + VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType()); if ( mode_list ) @@ -272,10 +303,11 @@ refine connection Handshake_Conn += { response.length(), bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(), false, file_id, "application/ocsp-response"); - BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), - bro_analyzer()->Conn(), ${rec.is_orig}, - new StringVal(response.length(), - (const char*) response.data())); + if ( ssl_stapled_ocsp ) + BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), + bro_analyzer()->Conn(), + ${rec.is_orig}, + new StringVal(response.length(), (const char*) response.data())); file_mgr->EndOfFile(file_id); } 
@@ -288,26 +320,32 @@ refine connection Handshake_Conn += { if ( ${kex.curve_type} != NAMED_CURVE ) return true; - BifEvent::generate_ssl_server_curve(bro_analyzer(), - bro_analyzer()->Conn(), ${kex.params.curve}); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); + if ( ssl_server_curve ) + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}); - RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); - if ( ${kex.signed_params.uses_signature_and_hashalgorithm} ) + if ( ssl_ecdh_server_params ) + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); + + if ( ssl_server_signature ) { - ha->Assign(0, val_mgr->GetCount(${kex.signed_params.algorithm.HashAlgorithm})); - ha->Assign(1, val_mgr->GetCount(${kex.signed_params.algorithm.SignatureAlgorithm})); - } + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + if ( ${kex.signed_params.uses_signature_and_hashalgorithm} ) + { + ha->Assign(0, val_mgr->GetCount(${kex.signed_params.algorithm.HashAlgorithm})); + ha->Assign(1, val_mgr->GetCount(${kex.signed_params.algorithm.SignatureAlgorithm})); + } else - { - // set to impossible value - ha->Assign(0, val_mgr->GetCount(256)); - ha->Assign(1, val_mgr->GetCount(256)); - } + { + // set to impossible value + ha->Assign(0, val_mgr->GetCount(256)); + ha->Assign(1, val_mgr->GetCount(256)); + } - BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data())); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), ha, new 
StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data())); + } return true; %} 
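Review bot: In the new `if ( ssl_server_signature )` block of `proc_ecdhe_server_key_exchange`, the `else` survives as an unchanged context line between a re-indented `}` and a re-indented `{`, so it appears to keep its pre-patch indentation one level shallower than the `if` it now belongs to (tabs are not visible in this rendering, so this is inferred from the diff markers alone). The DHE hunk later in this commit re-indents its `else` together with the branch bodies; doing the same here, i.e. replacing the context line with a `-`/`+` pair for `else` at the inner indentation, keeps the two key-exchange handlers consistent. The function's signature and opening lines are outside the hunk.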
@@ -317,34 +355,46 @@ refine connection Handshake_Conn += { if ( ${kex.curve_type} != NAMED_CURVE ) return true; - BifEvent::generate_ssl_server_curve(bro_analyzer(), - bro_analyzer()->Conn(), ${kex.params.curve}); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); + if ( ssl_server_curve ) + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}); + + if ( ssl_ecdh_server_params ) + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); return true; %} function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool %{ - BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data())); + if ( ssl_rsa_client_pms ) + BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data())); + return true; %} function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool %{ - BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data())); + if ( ssl_dh_client_params ) + BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data())); + return true; %} function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool %{ - BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); + if ( ssl_ecdh_client_params ) + BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const 
char*)point.data())); + return true; %} function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool %{ + if ( ! ssl_extension_signed_certificate_timestamp ) + return true; + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); ha->Assign(0, val_mgr->GetCount(digitally_signed_algorithms->HashAlgorithm())); ha->Assign(1, val_mgr->GetCount(digitally_signed_algorithms->SignatureAlgorithm())); 
@@ -363,50 +413,56 @@ refine connection Handshake_Conn += { function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: ServerKeyExchangeSignature) : bool %{ - BifEvent::generate_ssl_dh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), - new StringVal(p.length(), (const char*) p.data()), - new StringVal(g.length(), (const char*) g.data()), - new StringVal(Ys.length(), (const char*) Ys.data()) - ); + if ( ssl_ecdh_server_params ) + BifEvent::generate_ssl_dh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), + new StringVal(p.length(), (const char*) p.data()), + new StringVal(g.length(), (const char*) g.data()), + new StringVal(Ys.length(), (const char*) Ys.data()) + ); - RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); - if ( ${signed_params.uses_signature_and_hashalgorithm} ) + if ( ssl_server_signature ) { - ha->Assign(0, val_mgr->GetCount(${signed_params.algorithm.HashAlgorithm})); - ha->Assign(1, val_mgr->GetCount(${signed_params.algorithm.SignatureAlgorithm})); - } - else - { - // set to impossible value - ha->Assign(0, val_mgr->GetCount(256)); - ha->Assign(1, val_mgr->GetCount(256)); - } + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + if ( ${signed_params.uses_signature_and_hashalgorithm} ) + { + ha->Assign(0, val_mgr->GetCount(${signed_params.algorithm.HashAlgorithm})); + ha->Assign(1, val_mgr->GetCount(${signed_params.algorithm.SignatureAlgorithm})); + } + else + { + // set to impossible value + ha->Assign(0, val_mgr->GetCount(256)); + ha->Assign(1, val_mgr->GetCount(256)); + } - BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), ha, - new StringVal(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data()) - ); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), ha, + new StringVal(${signed_params.signature}.length(), (const 
char*)(${signed_params.signature}).data()) + ); + } return true; %} function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool %{ - BifEvent::generate_ssl_dh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), - new StringVal(p.length(), (const char*) p.data()), - new StringVal(g.length(), (const char*) g.data()), - new StringVal(Ys.length(), (const char*) Ys.data()) - ); + if ( ssl_dh_server_params ) + BifEvent::generate_ssl_dh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), + new StringVal(p.length(), (const char*) p.data()), + new StringVal(g.length(), (const char*) g.data()), + new StringVal(Ys.length(), (const char*) Ys.data()) + ); return true; %} function proc_handshake(is_orig: bool, msg_type: uint8, length: uint24) : bool %{ - BifEvent::generate_ssl_handshake_message(bro_analyzer(), - bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length)); + if ( ssl_handshake_message ) + BifEvent::generate_ssl_handshake_message(bro_analyzer(), + bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length)); return true; %} diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc index f4b4f78c89..29315faa74 100644 --- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc 
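Review bot: The guard added in front of `BifEvent::generate_ssl_dh_server_params` in `proc_dhe_server_key_exchange` tests the wrong handler: it reads `if ( ssl_ecdh_server_params )` but the event being generated is `ssl_dh_server_params`, which `proc_dh_anon_server_key_exchange` further down this hunk checks correctly. As written, a script that handles only `ssl_dh_server_params` (for instance to record the DH group a server offers) silently stops receiving the DHE case, while a script that handles only the ECDH event gets the DH event generated with no handler behind it, whose outcome depends on the bifcl-generated code this diff does not show. Change the line to `if ( ssl_dh_server_params )`.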
@@ -140,15 +140,18 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2) return; if ( id2 >= 0 ) - endp->TCP()->ConnectionEvent(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)}); + endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)}); else - endp->TCP()->ConnectionEvent(f, {val_mgr->GetInt(id1)}); + endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1)}); } void SteppingStoneEndpoint::CreateEndpEvent(int is_orig) { - endp->TCP()->ConnectionEvent(stp_create_endp, { + if ( ! stp_create_endp ) + return; + + endp->TCP()->ConnectionEventFast(stp_create_endp, { endp->TCP()->BuildConnVal(), val_mgr->GetInt(stp_id), val_mgr->GetBool(is_orig), diff --git a/src/analyzer/protocol/syslog/syslog-analyzer.pac b/src/analyzer/protocol/syslog/syslog-analyzer.pac index 46e2cc171d..2bbdfd3754 100644 --- a/src/analyzer/protocol/syslog/syslog-analyzer.pac +++ b/src/analyzer/protocol/syslog/syslog-analyzer.pac @@ -11,6 +11,9 @@ flow Syslog_Flow function process_syslog_message(m: Syslog_Message): bool %{ + if ( ! syslog_message ) + return true; + if ( ${m.has_pri} ) BifEvent::generate_syslog_message( connection()->bro_analyzer(), diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index a90e0f32c4..fa2250270a 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -299,7 +299,7 @@ static void passive_fingerprint(TCP_Analyzer* tcp, bool is_orig, if ( OS_val ) { // found new OS version - tcp->ConnectionEvent(OS_version_found, { + tcp->ConnectionEventFast(OS_version_found, { tcp->BuildConnVal(), src_addr_val->Ref(), OS_val, @@ -965,7 +965,7 @@ void TCP_Analyzer::GeneratePacketEvent( const u_char* data, int len, int caplen, int is_orig, TCP_Flags flags) { - ConnectionEvent(tcp_packet, { + ConnectionEventFast(tcp_packet, { BuildConnVal(), val_mgr->GetBool(is_orig), new StringVal(flags.AsString()), 
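Review bot: `SteppingStoneEndpoint::Event` now passes the `f` it was handed straight to `ConnectionEventFast`, so the handler-existence check has become a precondition on the caller, yet nothing in the hunk documents that; the function's opening is outside the hunk, so I cannot tell whether the condition before the leading `return;` tests `f` or only the id arguments. If it does not, `if ( ! f ) return;` belongs at the top, and either way a comment on the method such as `// Precondition: f is an existing handler; callers check before building the id values.` would make the new contract visible. `File::FileEvent(EventHandlerPtr h, val_list vl)` in File.cc (@@ -637) is in the same position: a public method that now forwards an arbitrary handler to `QueueEventFast` without stating that `h` must have been checked.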
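Review bot: `tcp->ConnectionEventFast(OS_version_found, ...)` in `passive_fingerprint` is reached with no existence check for `OS_version_found` visible in the hunk; the function starts outside the hunk, so the check may well sit at its entry, but with the Fast variant that guard is the only thing deciding whether an event without a handler is queued, and what `QueueEventFast` does in that case is not shown here. The same pattern, a Fast call whose handler check is outside the visible lines or absent, appears in `GeneratePacketEvent` (@@ -965 in this file), `TCP_Reassembler::Overlap` (TCP_Reassembler.cc @@ -425), `Manager::GetFileID` (file_analysis/Manager.cc @@ -443), `Manager::ProcessEvent` (broker/Manager.cc @@ -1016) and the three `mgr.QueueEventFast(::unified2_*` calls in unified2-analyzer.pac, the last being notable because the other .pac hunks in this commit did receive explicit guards. Wherever no guard exists, the fix is the one the commit applies elsewhere, e.g. `if ( ! OS_version_found ) return;` at function entry; where one does exist, a one-line comment at the call such as `// Handler existence checked at function entry.` would keep the dependency from being lost in a later edit.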
@@ -1280,7 +1280,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( connection_SYN_packet ) { - ConnectionEvent(connection_SYN_packet, { + ConnectionEventFast(connection_SYN_packet, { BuildConnVal(), SYN_vals->Ref(), }); @@ -1500,7 +1500,7 @@ int TCP_Analyzer::TCPOptionEvent(unsigned int opt, { if ( tcp_option ) { - analyzer->ConnectionEvent(tcp_option, { + analyzer->ConnectionEventFast(tcp_option, { analyzer->BuildConnVal(), val_mgr->GetBool(is_orig), val_mgr->GetCount(opt), @@ -1821,7 +1821,7 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp) { if ( connection_EOF ) { - ConnectionEvent(connection_EOF, { + ConnectionEventFast(connection_EOF, { BuildConnVal(), val_mgr->GetBool(endp->IsOrig()), }); @@ -2103,7 +2103,7 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64 seq, int len, int caplen, if ( tcp_rexmit ) { - endp->TCP()->ConnectionEvent(tcp_rexmit, { + endp->TCP()->ConnectionEventFast(tcp_rexmit, { endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig()), val_mgr->GetCount(seq), @@ -2158,11 +2158,12 @@ void TCPStats_Analyzer::Done() { TCP_ApplicationAnalyzer::Done(); - ConnectionEvent(conn_stats, { - BuildConnVal(), - orig_stats->BuildStats(), - resp_stats->BuildStats(), - }); + if ( conn_stats ) + ConnectionEventFast(conn_stats, { + BuildConnVal(), + orig_stats->BuildStats(), + resp_stats->BuildStats(), + }); } void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen) diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc index ce58398f2d..b588adbe29 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc 
@@ -237,7 +237,7 @@ int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen, if ( contents_file_write_failure ) { - tcp_analyzer->ConnectionEvent(contents_file_write_failure, { + tcp_analyzer->ConnectionEventFast(contents_file_write_failure, { Conn()->BuildConnVal(), val_mgr->GetBool(IsOrig()), new StringVal(buf), diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index 5ad6d2e460..3db1b50352 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -136,7 +136,7 @@ void TCP_Reassembler::Gap(uint64 seq, uint64 len) if ( report_gap(endp, endp->peer) ) { - dst_analyzer->ConnectionEvent(content_gap, { + dst_analyzer->ConnectionEventFast(content_gap, { dst_analyzer->BuildConnVal(), val_mgr->GetBool(IsOrig()), val_mgr->GetCount(seq), @@ -335,7 +335,7 @@ void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f) if ( contents_file_write_failure ) { - tcp_analyzer->ConnectionEvent(contents_file_write_failure, { + tcp_analyzer->ConnectionEventFast(contents_file_write_failure, { Endpoint()->Conn()->BuildConnVal(), val_mgr->GetBool(IsOrig()), new StringVal("TCP reassembler content write failure"), @@ -352,7 +352,7 @@ void TCP_Reassembler::RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f) if ( contents_file_write_failure ) { - tcp_analyzer->ConnectionEvent(contents_file_write_failure, { + tcp_analyzer->ConnectionEventFast(contents_file_write_failure, { Endpoint()->Conn()->BuildConnVal(), val_mgr->GetBool(IsOrig()), new StringVal("TCP reassembler gap write failure"), 
@@ -425,7 +425,7 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n) BroString* b1_s = new BroString((const u_char*) b1, n, 0); BroString* b2_s = new BroString((const u_char*) b2, n, 0); - tcp_analyzer->ConnectionEvent(rexmit_inconsistency, { + tcp_analyzer->ConnectionEventFast(rexmit_inconsistency, { tcp_analyzer->BuildConnVal(), new StringVal(b1_s), new StringVal(b2_s), @@ -596,7 +596,7 @@ void TCP_Reassembler::DeliverBlock(uint64 seq, int len, const u_char* data) if ( deliver_tcp_contents ) { - tcp_analyzer->ConnectionEvent(tcp_contents, { + tcp_analyzer->ConnectionEventFast(tcp_contents, { tcp_analyzer->BuildConnVal(), val_mgr->GetBool(IsOrig()), val_mgr->GetCount(seq), diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index 6123c42e91..74375e673c 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -157,7 +157,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( do_udp_contents ) { - ConnectionEvent(udp_contents, { + ConnectionEventFast(udp_contents, { BuildConnVal(), val_mgr->GetBool(is_orig), new StringVal(len, (const char*) data), diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac index 5253ce050b..26a9c69b5b 100644 --- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac +++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac @@ -32,7 +32,8 @@ refine connection XMPP_Conn += { if ( !is_orig && ( token == "proceed" || token_no_ns == "proceed" ) && client_starttls ) { bro_analyzer()->StartTLS(); - BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn()); + if ( xmpp_starttls ) + BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn()); } else if ( !is_orig && token == "proceed" ) reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls"); diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index c9d1d7a1e3..96a37490a2 100644 
--- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -1016,7 +1016,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev) } if ( static_cast(vl.length()) == args.size() ) - mgr.QueueEvent(handler, std::move(vl), SOURCE_BROKER); + mgr.QueueEventFast(handler, std::move(vl), SOURCE_BROKER); else { loop_over_list(vl, i) @@ -1247,6 +1247,9 @@ void Manager::ProcessStatus(broker::status stat) break; } + if ( ! event ) + return; + auto ei = internal_type("Broker::EndpointInfo")->AsRecordType(); auto endpoint_info = new RecordVal(ei); @@ -1275,7 +1278,7 @@ void Manager::ProcessStatus(broker::status stat) auto str = stat.message(); auto msg = new StringVal(str ? *str : ""); - mgr.QueueEvent(event, {endpoint_info, msg}); + mgr.QueueEventFast(event, {endpoint_info, msg}); } void Manager::ProcessError(broker::error err) @@ -1352,7 +1355,7 @@ void Manager::ProcessError(broker::error err) msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str()); } - mgr.QueueEvent(Broker::error, { + mgr.QueueEventFast(Broker::error, { BifType::Enum::Broker::ErrorCode->GetVal(ec), new StringVal(msg), }); diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index faa6b280b0..b3680c2a2c 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -637,7 +637,7 @@ void File::FileEvent(EventHandlerPtr h, val_list* vl) void File::FileEvent(EventHandlerPtr h, val_list vl) { - mgr.QueueEvent(h, std::move(vl)); + mgr.QueueEventFast(h, std::move(vl)); if ( h == file_new || h == file_over_new_connection || h == file_sniff || diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 134418a476..da6099b1fe 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc 
@@ -443,7 +443,7 @@ string Manager::GetFileID(analyzer::Tag tag, Connection* c, bool is_orig) EnumVal* tagval = tag.AsEnumVal(); Ref(tagval); - mgr.QueueEvent(get_file_handle, { + mgr.QueueEventFast(get_file_handle, { tagval, c->BuildConnVal(), val_mgr->GetBool(is_orig), diff --git a/src/file_analysis/analyzer/data_event/DataEvent.cc b/src/file_analysis/analyzer/data_event/DataEvent.cc index 8aa688b879..5d692383e1 100644 --- a/src/file_analysis/analyzer/data_event/DataEvent.cc +++ b/src/file_analysis/analyzer/data_event/DataEvent.cc @@ -41,7 +41,7 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64 len, uint64 offset) { if ( ! chunk_event ) return true; - mgr.QueueEvent(chunk_event, { + mgr.QueueEventFast(chunk_event, { GetFile()->GetVal()->Ref(), new StringVal(new BroString(data, len, 0)), val_mgr->GetCount(offset), @@ -54,7 +54,7 @@ bool DataEvent::DeliverStream(const u_char* data, uint64 len) { if ( ! stream_event ) return true; - mgr.QueueEvent(stream_event, { + mgr.QueueEventFast(stream_event, { GetFile()->GetVal()->Ref(), new StringVal(new BroString(data, len, 0)), }); diff --git a/src/file_analysis/analyzer/entropy/Entropy.cc b/src/file_analysis/analyzer/entropy/Entropy.cc index 873b8e2fcf..a0a561a1cc 100644 --- a/src/file_analysis/analyzer/entropy/Entropy.cc +++ b/src/file_analysis/analyzer/entropy/Entropy.cc @@ -53,6 +53,9 @@ void Entropy::Finalize() if ( ! fed ) return; + if ( ! file_entropy ) + return; + double montepi, scc, ent, mean, chisq; montepi = scc = ent = mean = chisq = 0.0; entropy->Get(&ent, &chisq, &mean, &montepi, &scc); @@ -64,7 +67,7 @@ void Entropy::Finalize() ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE)); ent_result->Assign(4, new Val(scc, TYPE_DOUBLE)); - mgr.QueueEvent(file_entropy, { + mgr.QueueEventFast(file_entropy, { GetFile()->GetVal()->Ref(), ent_result, }); diff --git a/src/file_analysis/analyzer/hash/Hash.cc b/src/file_analysis/analyzer/hash/Hash.cc index 07bcb0babd..7b2ecb5799 100644 
--- a/src/file_analysis/analyzer/hash/Hash.cc +++ b/src/file_analysis/analyzer/hash/Hash.cc @@ -48,7 +48,10 @@ void Hash::Finalize() if ( ! hash->IsValid() || ! fed ) return; - mgr.QueueEvent(file_hash, { + if ( ! file_hash ) + return; + + mgr.QueueEventFast(file_hash, { GetFile()->GetVal()->Ref(), new StringVal(kind), hash->Get(), diff --git a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac index ee874c4d37..a4a7da5081 100644 --- a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac +++ b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac @@ -81,7 +81,7 @@ refine flow Flow += { ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol})); ids_event->Assign(17, val_mgr->GetCount(${ev.packet_action})); - mgr.QueueEvent(::unified2_event, { + mgr.QueueEventFast(::unified2_event, { connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), ids_event, }, @@ -113,7 +113,7 @@ refine flow Flow += { ids_event->Assign(15, val_mgr->GetCount(${ev.mpls_label})); ids_event->Assign(16, val_mgr->GetCount(${ev.vlan_id})); - mgr.QueueEvent(::unified2_event, { + mgr.QueueEventFast(::unified2_event, { connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), ids_event, }, @@ -135,7 +135,7 @@ refine flow Flow += { packet->Assign(4, val_mgr->GetCount(${pkt.link_type})); packet->Assign(5, bytestring_to_val(${pkt.packet_data})); - mgr.QueueEvent(::unified2_packet, { + mgr.QueueEventFast(::unified2_packet, { connection()->bro_analyzer()->GetFile()->GetVal()->Ref(), packet, }, diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 3681c6fd44..d55931c946 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc 
@@ -427,10 +427,11 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req) // TODO: try to parse out general name ? #endif - mgr.QueueEvent(ocsp_request, { - GetFile()->GetVal()->Ref(), - val_mgr->GetCount(version), - }); + if ( ocsp_request ) + mgr.QueueEventFast(ocsp_request, { + GetFile()->GetVal()->Ref(), + val_mgr->GetCount(version), + }); BIO *bio = BIO_new(BIO_s_mem()); @@ -470,10 +471,11 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) const char *status_str = OCSP_response_status_str(OCSP_response_status(resp)); StringVal* status_val = new StringVal(strlen(status_str), status_str); - mgr.QueueEvent(ocsp_response_status, { - GetFile()->GetVal()->Ref(), - status_val->Ref(), - }); + if ( ocsp_response_status ) + mgr.QueueEventFast(ocsp_response_status, { + GetFile()->GetVal()->Ref(), + status_val->Ref(), + }); //if (!resp_bytes) // { @@ -491,12 +493,18 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) // get the basic response basic_resp = OCSP_response_get1_basic(resp); if ( !basic_resp ) + { + Unref(status_val); goto clean_up; + } #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) resp_data = basic_resp->tbsResponseData; if ( !resp_data ) + { + Unref(status_val); goto clean_up; + } #endif vl.append(GetFile()->GetVal()->Ref()); diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index c33f20a800..524aae1f27 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc 
@@ -221,16 +221,20 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) if ( constr ) { - RecordVal* pBasicConstraint = new RecordVal(BifType::Record::X509::BasicConstraints); - pBasicConstraint->Assign(0, val_mgr->GetBool(constr->ca ? 1 : 0)); + if ( x509_ext_basic_constraints ) + { + RecordVal* pBasicConstraint = new RecordVal(BifType::Record::X509::BasicConstraints); + pBasicConstraint->Assign(0, val_mgr->GetBool(constr->ca ? 1 : 0)); - if ( constr->pathlen ) - pBasicConstraint->Assign(1, val_mgr->GetCount((int32_t) ASN1_INTEGER_get(constr->pathlen))); + if ( constr->pathlen ) + pBasicConstraint->Assign(1, val_mgr->GetCount((int32_t) ASN1_INTEGER_get(constr->pathlen))); + + mgr.QueueEventFast(x509_ext_basic_constraints, { + GetFile()->GetVal()->Ref(), + pBasicConstraint, + }); + } - mgr.QueueEvent(x509_ext_basic_constraints, { - GetFile()->GetVal()->Ref(), - pBasicConstraint, - }); BASIC_CONSTRAINTS_free(constr); } diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac index 396debbbbe..b6a6611d3c 100644 --- a/src/file_analysis/analyzer/x509/x509-extension.pac +++ b/src/file_analysis/analyzer/x509/x509-extension.pac @@ -35,6 +35,9 @@ refine connection MockConnection += { function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool %{ + if ( ! x509_ocsp_ext_signed_certificate_timestamp ) + return true; + BifEvent::generate_x509_ocsp_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), bro_analyzer()->GetFile()->GetVal()->Ref(), version, diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index 108869be9f..39496671a2 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc 
@@ -715,7 +715,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) // Raise the log event. if ( stream->event ) - mgr.QueueEvent(stream->event, {columns->Ref()}, SOURCE_LOCAL); + mgr.QueueEventFast(stream->event, {columns->Ref()}, SOURCE_LOCAL); // Send to each of our filters. for ( list::iterator i = stream->filters.begin(); diff --git a/src/main.cc b/src/main.cc index 56300fc1a2..7afdb876bd 100644 --- a/src/main.cc +++ b/src/main.cc @@ -340,7 +340,7 @@ void terminate_bro() EventHandlerPtr bro_done = internal_handler("bro_done"); if ( bro_done ) - mgr.QueueEvent(bro_done, val_list{}); + mgr.QueueEventFast(bro_done, val_list{}); timer_mgr->Expire(); mgr.Drain(); @@ -1138,7 +1138,7 @@ int main(int argc, char** argv) EventHandlerPtr bro_init = internal_handler("bro_init"); if ( bro_init ) - mgr.QueueEvent(bro_init, val_list{}); + mgr.QueueEventFast(bro_init, val_list{}); EventRegistry::string_list* dead_handlers = event_registry->UnusedHandlers(); @@ -1184,16 +1184,19 @@ int main(int argc, char** argv) if ( override_ignore_checksums ) ignore_checksums = 1; - // Queue events reporting loaded scripts. - for ( std::list::iterator i = files_scanned.begin(); i != files_scanned.end(); i++ ) + if ( bro_script_loaded ) { - if ( i->skipped ) - continue; + // Queue events reporting loaded scripts. + for ( std::list::iterator i = files_scanned.begin(); i != files_scanned.end(); i++ ) + { + if ( i->skipped ) + continue; - mgr.QueueEvent(bro_script_loaded, { - new StringVal(i->name.c_str()), - val_mgr->GetCount(i->include_level), - }); + mgr.QueueEventFast(bro_script_loaded, { + new StringVal(i->name.c_str()), + val_mgr->GetCount(i->include_level), + }); + } } reporter->ReportViaEvents(true);