Add methods to queue events without handler existence check

Added ConnectionEventFast() and QueueEventFast() methods to avoid
redundant event handler existence checks.

It's common practice for the caller to already check for event handler
existence before doing all the work of constructing the arguments, so
it's desirable to not have to check for existence again.

E.g. going through ConnectionEvent() means 3 existence checks:
one you do yourself before calling it, one in ConnectionEvent(), and then
another in QueueEvent().

The existence check itself can be more than a few operations sometimes
as it needs to check a few flags that determine if it's enabled, has
a local body, or has any remote receivers in the old comm. system or
has been flagged as something to publish in the new comm. system.
Jon Siwek 2019-04-11 20:23:49 -07:00
parent 8bc65f09ec
commit b6862c5c59
72 changed files with 771 additions and 524 deletions

@ -1 +1 @@
Subproject commit 44622332fb1361383799be33e365704caacce199
Subproject commit 33cde13264825df906668b608017e65f4ffbc12a


@ -415,7 +415,7 @@ void log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output)
{
if ( anonymization_mapping )
{
mgr.QueueEvent(anonymization_mapping, {
mgr.QueueEventFast(anonymization_mapping, {
new AddrVal(input),
new AddrVal(output)
});


@ -325,7 +325,7 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
// and at this stage it's not a *multiple* instance.
return;
ConnectionEvent(e, 0, {
ConnectionEventFast(e, 0, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
val_mgr->GetCount(threshold)
@ -389,7 +389,7 @@ void Connection::EnableStatusUpdateTimer()
void Connection::StatusUpdateTimer(double t)
{
ConnectionEvent(connection_status_update, 0, { BuildConnVal() });
ConnectionEventFast(connection_status_update, 0, { BuildConnVal() });
ADD_TIMER(&Connection::StatusUpdateTimer,
network_time + connection_status_update_interval, 0,
TIMER_CONN_STATUS_UPDATE);
@ -627,7 +627,7 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len,
{
if ( software_parse_error )
{
ConnectionEvent(software_parse_error, analyzer, {
ConnectionEventFast(software_parse_error, analyzer, {
BuildConnVal(),
new AddrVal(addr),
new StringVal(len, s),
@ -638,7 +638,7 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len,
if ( software_version_found )
{
ConnectionEvent(software_version_found, 0, {
ConnectionEventFast(software_version_found, 0, {
BuildConnVal(),
new AddrVal(addr),
val,
@ -666,7 +666,7 @@ int Connection::UnparsedVersionFoundEvent(const IPAddr& addr,
if ( software_unparsed_version_found )
{
ConnectionEvent(software_unparsed_version_found, analyzer, {
ConnectionEventFast(software_unparsed_version_found, analyzer, {
BuildConnVal(),
new AddrVal(addr),
new StringVal(len, full),
@ -682,9 +682,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch
return;
if ( name )
ConnectionEvent(f, analyzer, {new StringVal(name), BuildConnVal()});
ConnectionEventFast(f, analyzer, {new StringVal(name), BuildConnVal()});
else
ConnectionEvent(f, analyzer, {BuildConnVal()});
ConnectionEventFast(f, analyzer, {BuildConnVal()});
}
@ -698,9 +698,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1,
}
if ( v2 )
ConnectionEvent(f, analyzer, {BuildConnVal(), v1, v2});
ConnectionEventFast(f, analyzer, {BuildConnVal(), v1, v2});
else
ConnectionEvent(f, analyzer, {BuildConnVal(), v1});
ConnectionEventFast(f, analyzer, {BuildConnVal(), v1});
}
void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
@ -720,6 +720,13 @@ void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_l
a ? a->GetID() : 0, GetTimerMgr(), this);
}
void Connection::ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
{
// "this" is passed as a cookie for the event
mgr.QueueEventFast(f, std::move(vl), SOURCE_LOCAL,
a ? a->GetID() : 0, GetTimerMgr(), this);
}
void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl)
{
ConnectionEvent(f, a, std::move(*vl));
@ -1053,7 +1060,7 @@ void Connection::CheckFlowLabel(bool is_orig, uint32 flow_label)
if ( connection_flow_label_changed &&
(is_orig ? saw_first_orig_packet : saw_first_resp_packet) )
{
ConnectionEvent(connection_flow_label_changed, 0, {
ConnectionEventFast(connection_flow_label_changed, 0, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
val_mgr->GetCount(my_flow_label),
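Review bot: In Connection::StatusUpdateTimer the call `ConnectionEventFast(connection_status_update, 0, { BuildConnVal() });` is the first statement of the body, so nothing in this function establishes that the handler exists. The precondition presumably comes from whatever arms the timer (EnableStatusUpdateTimer, whose body is not shown in this hunk), which makes the unchecked path depend on the handler state not changing between arming and firing. Either keep a local guard, `if ( connection_status_update )` around the call, or add a comment such as `// Handler was checked in EnableStatusUpdateTimer() before the timer was armed.` so the invariant is visible where it is relied on.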


@ -181,6 +181,8 @@ public:
val_list* vl);
void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
val_list vl);
void ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* analyzer,
val_list vl);
void Weird(const char* name, const char* addl = "");
bool DidWeird() const { return weird != 0; }
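Review bot: The new `ConnectionEventFast` declaration carries no comment, so nothing at the API surface says how it differs from `ConnectionEvent` or what the caller owes it. Going by the commit message, the contract is that the caller has already verified the handler, and I would state that here, e.g. `// Like ConnectionEvent(), but skips the handler existence check; the caller must have verified that f is valid.` The same applies to `EventMgr::QueueEventFast` in the event manager header and to the doc comment on `Analyzer::ConnectionEventFast`, which only says that it forwards. What happens to the `val_list` arguments when the precondition is violated is not visible on this page and is worth documenting as well.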


@ -704,7 +704,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm)
if ( ! e )
return;
mgr.QueueEvent(e, {BuildMappingVal(dm)});
mgr.QueueEventFast(e, {BuildMappingVal(dm)});
}
void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2)
@ -715,7 +715,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2
Unref(l1);
Unref(l2);
mgr.QueueEvent(e, {
mgr.QueueEventFast(e, {
BuildMappingVal(dm),
l1->ConvertToSet(),
l2->ConvertToSet(),
@ -727,7 +727,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
if ( ! e )
return;
mgr.QueueEvent(e, {
mgr.QueueEventFast(e, {
BuildMappingVal(old_dm),
BuildMappingVal(new_dm),
});
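Review bot: In the four-argument DNS_Mgr::Event, `Unref(l1);` and `Unref(l2);` run before `l1->ConvertToSet()` and `l2->ConvertToSet()` are evaluated for the argument list. If either Unref drops the last reference, the conversion reads a freed ListVal; whether the callers hold another reference is not visible in this hunk. The ordering predates this commit, but since the call is being touched, moving the two Unref calls after the `mgr.QueueEventFast(...)` statement removes the dependency on the callers' reference counts. The function body starts above the hunk.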


@ -128,7 +128,7 @@ void EventMgr::QueueEvent(Event* event)
void EventMgr::Drain()
{
if ( event_queue_flush_point )
QueueEvent(event_queue_flush_point, val_list{});
QueueEventFast(event_queue_flush_point, val_list{});
SegmentProfiler(segment_logger, "draining-events");


@ -58,6 +58,13 @@ public:
EventMgr();
~EventMgr() override;
void QueueEventFast(const EventHandlerPtr &h, val_list vl,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0)
{
QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
}
void QueueEvent(const EventHandlerPtr &h, val_list vl,
SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
TimerMgr* mgr = 0, BroObj* obj = 0)


@ -506,9 +506,9 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
}
if ( conn )
conn->ConnectionEvent(event, 0, std::move(vl));
conn->ConnectionEventFast(event, 0, std::move(vl));
else
mgr.QueueEvent(event, std::move(vl));
mgr.QueueEventFast(event, std::move(vl));
}
else
{


@ -17,7 +17,7 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
{
if ( signature_match )
{
mgr.QueueEvent(signature_match, {
mgr.QueueEventFast(signature_match, {
rule_matcher->BuildRuleStateValue(parent, state),
new StringVal(msg),
data ? new StringVal(len, (const char*)data) : val_mgr->GetEmptyString(),


@ -171,7 +171,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
SegmentProfiler(segment_logger, "dispatching-packet");
if ( raw_packet )
mgr.QueueEvent(raw_packet, {pkt->BuildPktHdrVal()});
mgr.QueueEventFast(raw_packet, {pkt->BuildPktHdrVal()});
if ( pkt_profiler )
pkt_profiler->ProfilePkt(t, pkt->cap_len);
@ -411,7 +411,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
{
dump_this_packet = 1;
if ( esp_packet )
mgr.QueueEvent(esp_packet, {ip_hdr->BuildPktHdrVal()});
mgr.QueueEventFast(esp_packet, {ip_hdr->BuildPktHdrVal()});
// Can't do more since upper-layer payloads are going to be encrypted.
return;
@ -1315,9 +1315,9 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
{
conn->Event(new_connection, 0);
if ( external )
if ( external && connection_external )
{
conn->ConnectionEvent(connection_external, 0, {
conn->ConnectionEventFast(connection_external, 0, {
conn->BuildConnVal(),
new StringVal(conn->GetTimerMgr()->GetTag().c_str()),
});


@ -536,7 +536,7 @@ void StateAccess::Replay()
if ( remote_state_access_performed )
{
mgr.QueueEvent(remote_state_access_performed, {
mgr.QueueEventFast(remote_state_access_performed, {
new StringVal(target.id->Name()),
target.id->ID_Val()->Ref(),
});


@ -369,7 +369,8 @@ void SampleLogger::SegmentProfile(const char* /* name */,
const Location* /* loc */,
double dtime, int dmem)
{
mgr.QueueEvent(load_sample, {
if ( load_sample )
mgr.QueueEventFast(load_sample, {
load_samples->Ref(),
new IntervalVal(dtime, Seconds),
val_mgr->GetInt(dmem)


@ -662,16 +662,19 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
if ( protocol_confirmed )
return;
protocol_confirmed = true;
if ( ! protocol_confirmation )
return;
EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal();
Ref(tval);
mgr.QueueEvent(protocol_confirmation, {
mgr.QueueEventFast(protocol_confirmation, {
BuildConnVal(),
tval,
val_mgr->GetCount(id),
});
protocol_confirmed = true;
}
void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
@ -689,10 +692,13 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
else
r = new StringVal(reason);
if ( ! protocol_violation )
return;
EnumVal* tval = tag.AsEnumVal();
Ref(tval);
mgr.QueueEvent(protocol_violation, {
mgr.QueueEventFast(protocol_violation, {
BuildConnVal(),
tval,
val_mgr->GetCount(id),
@ -787,6 +793,11 @@ void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list vl)
conn->ConnectionEvent(f, this, std::move(vl));
}
void Analyzer::ConnectionEventFast(EventHandlerPtr f, val_list vl)
{
conn->ConnectionEventFast(f, this, std::move(vl));
}
void Analyzer::Weird(const char* name, const char* addl)
{
conn->Weird(name, addl);
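Review bot: In Analyzer::ProtocolViolation the added `if ( ! protocol_violation ) return;` comes after `r` has been assigned a `new StringVal(...)`, so the early return leaves that allocation unreferenced when no handler exists. Before this change the value would have reached QueueEvent(), which presumably released the arguments of an unhandled event. Move the check to the top of the function, before `r` is built, or add `Unref(r);` ahead of the `return`. The start of the function and the rest of the argument list are outside the hunk, so confirm that `r` is consumed only by the event.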


@ -547,6 +547,12 @@ public:
*/
void ConnectionEvent(EventHandlerPtr f, val_list vl);
/**
* Convenience function that forwards directly to
* Connection::ConnectionEventFast().
*/
void ConnectionEventFast(EventHandlerPtr f, val_list vl);
/**
* Convenience function that forwards directly to the corresponding
* Connection::Weird().


@ -190,7 +190,7 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg)
if ( ! bad_arp )
return;
mgr.QueueEvent(bad_arp, {
mgr.QueueEventFast(bad_arp, {
ConstructAddrVal(ar_spa(hdr)),
EthAddrToStr((const u_char*) ar_sha(hdr)),
ConstructAddrVal(ar_tpa(hdr)),
@ -212,7 +212,7 @@ void ARP_Analyzer::RREvent(EventHandlerPtr e,
if ( ! e )
return;
mgr.QueueEvent(e, {
mgr.QueueEventFast(e, {
EthAddrToStr(src),
EthAddrToStr(dst),
ConstructAddrVal(spa),


@ -246,7 +246,10 @@ void BackDoorEndpoint::RloginSignatureFound(int len)
rlogin_checking_done = 1;
endp->TCP()->ConnectionEvent(rlogin_signature_found, {
if ( ! rlogin_signature_found )
return;
endp->TCP()->ConnectionEventFast(rlogin_signature_found, {
endp->TCP()->BuildConnVal(),
val_mgr->GetBool(endp->IsOrig()),
val_mgr->GetCount(rlogin_num_null),
@ -337,7 +340,10 @@ void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* d
void BackDoorEndpoint::TelnetSignatureFound(int len)
{
endp->TCP()->ConnectionEvent(telnet_signature_found, {
if ( ! telnet_signature_found )
return;
endp->TCP()->ConnectionEventFast(telnet_signature_found, {
endp->TCP()->BuildConnVal(),
val_mgr->GetBool(endp->IsOrig()),
val_mgr->GetCount(len),
@ -641,12 +647,15 @@ void BackDoorEndpoint::CheckForHTTPProxy(uint64 /* seq */, int len,
void BackDoorEndpoint::SignatureFound(EventHandlerPtr e, int do_orig)
{
if ( ! e )
return;
if ( do_orig )
endp->TCP()->ConnectionEvent(e,
endp->TCP()->ConnectionEventFast(e,
{endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig())});
else
endp->TCP()->ConnectionEvent(e, {endp->TCP()->BuildConnVal()});
endp->TCP()->ConnectionEventFast(e, {endp->TCP()->BuildConnVal()});
}
@ -773,7 +782,10 @@ void BackDoor_Analyzer::StatTimer(double t, int is_expire)
void BackDoor_Analyzer::StatEvent()
{
TCP()->ConnectionEvent(backdoor_stats, {
if ( ! backdoor_stats )
return;
TCP()->ConnectionEventFast(backdoor_stats, {
TCP()->BuildConnVal(),
orig_endp->BuildStats(),
resp_endp->BuildStats(),
@ -782,7 +794,10 @@ void BackDoor_Analyzer::StatEvent()
void BackDoor_Analyzer::RemoveEvent()
{
TCP()->ConnectionEvent(backdoor_remove_conn, {TCP()->BuildConnVal()});
if ( ! backdoor_remove_conn )
return;
TCP()->ConnectionEventFast(backdoor_remove_conn, {TCP()->BuildConnVal()});
}
BackDoorTimer::BackDoorTimer(double t, BackDoor_Analyzer* a)


@ -120,7 +120,7 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
{
if ( bittorrent_peer_weird )
{
ConnectionEvent(bittorrent_peer_weird, {
ConnectionEventFast(bittorrent_peer_weird, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(msg),


@ -247,7 +247,7 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
{
if ( bt_tracker_weird )
{
ConnectionEvent(bt_tracker_weird, {
ConnectionEventFast(bt_tracker_weird, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(msg),
@ -348,7 +348,8 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
{
ProtocolConfirmation();
ConnectionEvent(bt_tracker_request, {
if ( bt_tracker_request )
ConnectionEventFast(bt_tracker_request, {
BuildConnVal(),
req_val_uri,
req_val_headers,
@ -401,7 +402,8 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
{
if ( res_status != 200 )
{
ConnectionEvent(bt_tracker_response_not_ok, {
if ( bt_tracker_response_not_ok )
ConnectionEventFast(bt_tracker_response_not_ok, {
BuildConnVal(),
val_mgr->GetCount(res_status),
res_val_headers,
@ -787,7 +789,8 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
{
ProtocolConfirmation();
ConnectionEvent(bt_tracker_response, {
if ( bt_tracker_response )
ConnectionEventFast(bt_tracker_response, {
BuildConnVal(),
val_mgr->GetCount(res_status),
res_val_headers,
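Review bot: In EmitRequest, ParseResponse and EmitResponse the member values `req_val_uri`, `req_val_headers` and `res_val_headers` are now handed to the event only when the handler exists, and no `else` branch releases them. Other hunks of this commit handle that case explicitly, for example `else Unref(char_strings);` in DNS_Interpreter::ParseRR_NSEC. If these functions reset the members after the call, which is outside the hunks, the values leak whenever the event is unhandled. Assuming they are ref-counted values, add the matching release, e.g. `else { Unref(req_val_uri); Unref(req_val_headers); }` in EmitRequest, and the equivalent in the two response paths.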


@ -47,7 +47,7 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64 threshold, bool
if ( ! f )
return;
ConnectionEvent(f, {
ConnectionEventFast(f, {
BuildConnVal(),
val_mgr->GetCount(threshold),
val_mgr->GetBool(is_orig),


@ -46,7 +46,7 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
if ( dns_message )
{
analyzer->ConnectionEvent(dns_message, {
analyzer->ConnectionEventFast(dns_message, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_query),
msg.BuildHdrVal(),
@ -132,7 +132,8 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
{
analyzer->ConnectionEvent(dns_end, {
if ( dns_end )
analyzer->ConnectionEventFast(dns_end, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
});
@ -334,7 +335,7 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
if ( dns_unknown_reply && ! msg->skip_event )
{
analyzer->ConnectionEvent(dns_unknown_reply, {
analyzer->ConnectionEventFast(dns_unknown_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
@ -549,7 +550,7 @@ int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
if ( reply_event && ! msg->skip_event )
{
analyzer->ConnectionEvent(reply_event, {
analyzer->ConnectionEventFast(reply_event, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
@ -603,7 +604,7 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
r->Assign(5, new IntervalVal(double(expire), Seconds));
r->Assign(6, new IntervalVal(double(minimum), Seconds));
analyzer->ConnectionEvent(dns_SOA_reply, {
analyzer->ConnectionEventFast(dns_SOA_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
@ -634,7 +635,7 @@ int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
if ( dns_MX_reply && ! msg->skip_event )
{
analyzer->ConnectionEvent(dns_MX_reply, {
analyzer->ConnectionEventFast(dns_MX_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
@ -677,7 +678,7 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
if ( dns_SRV_reply && ! msg->skip_event )
{
analyzer->ConnectionEvent(dns_SRV_reply, {
analyzer->ConnectionEventFast(dns_SRV_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
@ -700,7 +701,7 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
if ( dns_EDNS_addl && ! msg->skip_event )
{
analyzer->ConnectionEvent(dns_EDNS_addl, {
analyzer->ConnectionEventFast(dns_EDNS_addl, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildEDNS_Val(),
@ -766,22 +767,24 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
unsigned int rr_error = ExtractShort(data, len);
ExtractOctets(data, len, 0); // Other Data
msg->tsig = new TSIG_DATA;
msg->tsig->alg_name =
if ( dns_TSIG_addl )
{
TSIG_DATA tsig;
tsig.alg_name =
new BroString(alg_name, alg_name_end - alg_name, 1);
msg->tsig->sig = request_MAC;
msg->tsig->time_s = sign_time_sec;
msg->tsig->time_ms = sign_time_msec;
msg->tsig->fudge = fudge;
msg->tsig->orig_id = orig_id;
msg->tsig->rr_error = rr_error;
tsig.sig = request_MAC;
tsig.time_s = sign_time_sec;
tsig.time_ms = sign_time_msec;
tsig.fudge = fudge;
tsig.orig_id = orig_id;
tsig.rr_error = rr_error;
analyzer->ConnectionEvent(dns_TSIG_addl, {
analyzer->ConnectionEventFast(dns_TSIG_addl, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildTSIG_Val(),
msg->BuildTSIG_Val(&tsig),
});
}
return 1;
}
@ -864,6 +867,8 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
break;
}
if ( dns_RRSIG )
{
RRSIG_DATA rrsig;
rrsig.type_covered = type_covered;
rrsig.algorithm = algo;
@ -875,12 +880,13 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
rrsig.signer_name = new BroString(name, name_end - name, 1);
rrsig.signature = sign;
analyzer->ConnectionEvent(dns_RRSIG, {
analyzer->ConnectionEventFast(dns_RRSIG, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
msg->BuildRRSIG_Val(&rrsig),
});
}
return 1;
}
@ -961,18 +967,21 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
break;
}
if ( dns_DNSKEY )
{
DNSKEY_DATA dnskey;
dnskey.dflags = dflags;
dnskey.dalgorithm = dalgorithm;
dnskey.dprotocol = dprotocol;
dnskey.public_key = key;
analyzer->ConnectionEvent(dns_DNSKEY, {
analyzer->ConnectionEventFast(dns_DNSKEY, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
msg->BuildDNSKEY_Val(&dnskey),
});
}
return 1;
}
@ -1017,13 +1026,16 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
typebitmaps_len = typebitmaps_len - (2 + bmlen);
}
analyzer->ConnectionEvent(dns_NSEC, {
if ( dns_NSEC )
analyzer->ConnectionEventFast(dns_NSEC, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
new StringVal(new BroString(name, name_end - name, 1)),
char_strings,
});
else
Unref(char_strings);
return 1;
}
@ -1091,6 +1103,8 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
typebitmaps_len = typebitmaps_len - (2 + bmlen);
}
if ( dns_NSEC3 )
{
NSEC3_DATA nsec3;
nsec3.nsec_flags = nsec_flags;
nsec3.nsec_hash_algo = hash_algo;
@ -1101,12 +1115,13 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
nsec3.nsec_hash = hash_val;
nsec3.bitmaps = char_strings;
analyzer->ConnectionEvent(dns_NSEC3, {
analyzer->ConnectionEventFast(dns_NSEC3, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
msg->BuildNSEC3_Val(&nsec3),
});
}
return 1;
}
@ -1150,18 +1165,21 @@ int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
break;
}
if ( dns_DS )
{
DS_DATA ds;
ds.key_tag = ds_key_tag;
ds.algorithm = ds_algo;
ds.digest_type = ds_dtype;
ds.digest_val = ds_digest;
analyzer->ConnectionEvent(dns_DS, {
analyzer->ConnectionEventFast(dns_DS, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
msg->BuildDS_Val(&ds),
});
}
return 1;
}
@ -1179,7 +1197,7 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
if ( dns_A_reply && ! msg->skip_event )
{
analyzer->ConnectionEvent(dns_A_reply, {
analyzer->ConnectionEventFast(dns_A_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
@ -1216,7 +1234,7 @@ int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
event = dns_A6_reply;
if ( event && ! msg->skip_event )
{
analyzer->ConnectionEvent(event, {
analyzer->ConnectionEventFast(event, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
@ -1290,12 +1308,15 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
char_strings->Assign(char_strings->Size(), char_string);
analyzer->ConnectionEvent(dns_TXT_reply, {
if ( dns_TXT_reply )
analyzer->ConnectionEventFast(dns_TXT_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
char_strings,
});
else
Unref(char_strings);
return rdlength == 0;
}
@ -1330,7 +1351,8 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
data += value->Len();
rdlength -= value->Len();
analyzer->ConnectionEvent(dns_CAA_reply, {
if ( dns_CAA_reply )
analyzer->ConnectionEventFast(dns_CAA_reply, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
msg->BuildAnswerVal(),
@ -1338,6 +1360,11 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
new StringVal(tag),
new StringVal(value),
});
else
{
delete tag;
delete value;
}
return rdlength == 0;
}
@ -1351,7 +1378,8 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
RR_Type qtype = RR_Type(ExtractShort(data, len));
int qclass = ExtractShort(data, len);
analyzer->ConnectionEvent(event, {
if ( event )
analyzer->ConnectionEventFast(event, {
analyzer->BuildConnVal(),
msg->BuildHdrVal(),
new StringVal(question_name),
@ -1391,7 +1419,6 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)
answer_type = DNS_QUESTION;
skip_event = 0;
tsig = 0;
}
DNS_MsgInfo::~DNS_MsgInfo()
@ -1470,7 +1497,7 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
return r;
}
Val* DNS_MsgInfo::BuildTSIG_Val()
Val* DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
{
RecordVal* r = new RecordVal(dns_tsig_additional);
double rtime = tsig->time_s + tsig->time_ms / 1000.0;
@ -1487,9 +1514,6 @@ Val* DNS_MsgInfo::BuildTSIG_Val()
r->Assign(7, val_mgr->GetCount(tsig->rr_error));
r->Assign(8, val_mgr->GetCount(is_query));
delete tsig;
tsig = 0;
return r;
}
@ -1705,7 +1729,8 @@ void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
{
if ( ! interp->ParseMessage(data, len, 1) && non_dns_request )
{
ConnectionEvent(non_dns_request, {
if ( non_dns_request )
ConnectionEventFast(non_dns_request, {
BuildConnVal(),
new StringVal(len, (const char*) data),
});
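Review bot: In ParseRR_NSEC3, `char_strings` is consumed only inside the new `if ( dns_NSEC3 )` block (`nsec3.bitmaps = char_strings;`) and nothing releases it when the handler is absent, whereas ParseRR_NSEC in this same commit adds `else Unref(char_strings);`. Add the same `else` branch after the NSEC3 block. The TSIG, RRSIG, DNSKEY and DS blocks have the same shape for `request_MAC`, `sign`, `key` and `ds_digest`; their allocations are above the hunks, so check whether they are heap strings that need a `delete` in the unhandled case, as was done for `tag` and `value` in ParseRR_CAA. Separately, the inner `if ( non_dns_request )` in DNS_Analyzer::DeliverPacket repeats a condition the enclosing `if` has already tested.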


@ -182,7 +182,7 @@ public:
Val* BuildHdrVal();
Val* BuildAnswerVal();
Val* BuildEDNS_Val();
Val* BuildTSIG_Val();
Val* BuildTSIG_Val(struct TSIG_DATA*);
Val* BuildRRSIG_Val(struct RRSIG_DATA*);
Val* BuildDNSKEY_Val(struct DNSKEY_DATA*);
Val* BuildNSEC3_Val(struct NSEC3_DATA*);
@ -214,10 +214,6 @@ public:
///< identical answer, there may be problems
// uint32* addr; ///< cache value to pass back results
///< for forward lookups
// More values for spesific DNS types.
//struct EDNS_ADDITIONAL* edns;
struct TSIG_DATA* tsig;
};


@ -78,7 +78,8 @@ void File_Analyzer::Identify()
string match = matches.empty() ? "<unknown>"
: *(matches.begin()->second.begin());
ConnectionEvent(file_transferred, {
if ( file_transferred )
ConnectionEventFast(file_transferred, {
BuildConnVal(),
new StringVal(buffer_len, buffer),
new StringVal("<unknown>"),


@ -68,7 +68,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( finger_request )
{
ConnectionEvent(finger_request, {
ConnectionEventFast(finger_request, {
BuildConnVal(),
val_mgr->GetBool(long_cnt),
new StringVal(at - line, line),
@ -87,7 +87,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( ! finger_reply )
return;
ConnectionEvent(finger_reply, {
ConnectionEventFast(finger_reply, {
BuildConnVal(),
new StringVal(end_of_line - line, line),
});


@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done()
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{
if ( Established() && gnutella_establish )
ConnectionEvent(gnutella_establish, {BuildConnVal()});
ConnectionEventFast(gnutella_establish, {BuildConnVal()});
else if ( ! Established () && gnutella_not_establish )
ConnectionEvent(gnutella_not_establish, {BuildConnVal()});
ConnectionEventFast(gnutella_not_establish, {BuildConnVal()});
}
if ( gnutella_partial_binary_msg )
@ -72,7 +72,7 @@ void Gnutella_Analyzer::Done()
{
if ( ! p->msg_sent && p->msg_pos )
{
ConnectionEvent(gnutella_partial_binary_msg, {
ConnectionEventFast(gnutella_partial_binary_msg, {
BuildConnVal(),
new StringVal(p->msg),
val_mgr->GetBool((i == 0)),
@ -121,7 +121,7 @@ int Gnutella_Analyzer::IsHTTP(string header)
if ( gnutella_http_notify )
{
ConnectionEvent(gnutella_http_notify, {BuildConnVal()});
ConnectionEventFast(gnutella_http_notify, {BuildConnVal()});
}
analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
@ -181,7 +181,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{
if ( gnutella_text_msg )
{
ConnectionEvent(gnutella_text_msg, {
ConnectionEventFast(gnutella_text_msg, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(ms->headers.data()),
@ -195,7 +195,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{
sent_establish = 1;
ConnectionEvent(gnutella_establish, {BuildConnVal()});
ConnectionEventFast(gnutella_establish, {BuildConnVal()});
}
}
}
@ -221,7 +221,7 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
if ( gnutella_binary_msg )
{
ConnectionEvent(gnutella_binary_msg, {
ConnectionEventFast(gnutella_binary_msg, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
val_mgr->GetCount(p->msg_type),


@ -646,7 +646,7 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
if ( http_message_done )
{
GetAnalyzer()->ConnectionEvent(http_message_done, {
GetAnalyzer()->ConnectionEventFast(http_message_done, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
BuildMessageStat(interrupted, detail),
@ -679,7 +679,7 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
if ( http_begin_entity )
{
analyzer->ConnectionEvent(http_begin_entity, {
analyzer->ConnectionEventFast(http_begin_entity, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
});
@ -696,7 +696,7 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
if ( http_end_entity )
{
analyzer->ConnectionEvent(http_end_entity, {
analyzer->ConnectionEventFast(http_end_entity, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
});
@ -737,7 +737,7 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
{
if ( http_all_headers )
{
analyzer->ConnectionEvent(http_all_headers, {
analyzer->ConnectionEventFast(http_all_headers, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
BuildHeaderTable(hlist),
@ -751,7 +751,7 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
ty->Ref();
subty->Ref();
analyzer->ConnectionEvent(http_content_type, {
analyzer->ConnectionEventFast(http_content_type, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
ty,
@ -1183,7 +1183,7 @@ void HTTP_Analyzer::GenStats()
r->Assign(3, new Val(reply_version, TYPE_DOUBLE));
// DEBUG_MSG("%.6f http_stats\n", network_time);
ConnectionEvent(http_stats, {BuildConnVal(), r});
ConnectionEventFast(http_stats, {BuildConnVal(), r});
}
}
@ -1381,7 +1381,7 @@ void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
if ( http_event )
{
// DEBUG_MSG("%.6f http_event\n", network_time);
ConnectionEvent(http_event, {
ConnectionEventFast(http_event, {
BuildConnVal(),
new StringVal(category),
detail,
@ -1424,7 +1424,7 @@ void HTTP_Analyzer::HTTP_Request()
Ref(request_method);
// DEBUG_MSG("%.6f http_request\n", network_time);
ConnectionEvent(http_request, {
ConnectionEventFast(http_request, {
BuildConnVal(),
request_method,
TruncateURI(request_URI->AsStringVal()),
@ -1438,7 +1438,7 @@ void HTTP_Analyzer::HTTP_Reply()
{
if ( http_reply )
{
ConnectionEvent(http_reply, {
ConnectionEventFast(http_reply, {
BuildConnVal(),
new StringVal(fmt("%.1f", reply_version)),
val_mgr->GetCount(reply_code),
@ -1517,7 +1517,7 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
if ( http_connection_upgrade )
{
ConnectionEvent(http_connection_upgrade, {
ConnectionEventFast(http_connection_upgrade, {
BuildConnVal(),
new StringVal(upgrade_protocol),
});
@ -1693,7 +1693,7 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
if ( DEBUG_http )
DEBUG_MSG("%.6f http_header\n", network_time);
ConnectionEvent(http_header, {
ConnectionEventFast(http_header, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
mime::new_string_val(h->get_name())->ToUpper(),
@ -1827,7 +1827,7 @@ void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data)
{
if ( http_entity_data )
{
ConnectionEvent(http_entity_data, {
ConnectionEventFast(http_entity_data, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
val_mgr->GetCount(entity_data->Len()),


@ -199,7 +199,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
{
if ( icmp_sent )
{
ConnectionEvent(icmp_sent, {
ConnectionEventFast(icmp_sent, {
BuildConnVal(),
BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
});
@ -209,7 +209,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
{
BroString* payload = new BroString(data, min(len, caplen), 0);
ConnectionEvent(icmp_sent_payload, {
ConnectionEventFast(icmp_sent_payload, {
BuildConnVal(),
BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
new StringVal(payload),
@ -512,7 +512,7 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
BroString* payload = new BroString(data, caplen, 0);
ConnectionEvent(f, {
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
val_mgr->GetCount(iid),
@ -526,6 +526,10 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
EventHandlerPtr f = icmp_router_advertisement;
if ( ! f )
return;
uint32 reachable = 0, retrans = 0;
if ( caplen >= (int)sizeof(reachable) )
@ -536,7 +540,7 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(reachable) + sizeof(retrans);
ConnectionEvent(f, {
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->GetCount(icmpp->icmp_num_addrs), // Cur Hop Limit
@ -558,6 +562,10 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
EventHandlerPtr f = icmp_neighbor_advertisement;
if ( ! f )
return;
IPAddr tgtaddr;
if ( caplen >= (int)sizeof(in6_addr) )
@ -565,7 +573,7 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr);
ConnectionEvent(f, {
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80), // Router
@ -581,6 +589,10 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
EventHandlerPtr f = icmp_neighbor_solicitation;
if ( ! f )
return;
IPAddr tgtaddr;
if ( caplen >= (int)sizeof(in6_addr) )
@ -588,7 +600,7 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr);
ConnectionEvent(f, {
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
new AddrVal(tgtaddr),
@ -601,6 +613,10 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
{
EventHandlerPtr f = icmp_redirect;
if ( ! f )
return;
IPAddr tgtaddr, dstaddr;
if ( caplen >= (int)sizeof(in6_addr) )
@ -611,7 +627,7 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int opt_offset = 2 * sizeof(in6_addr);
ConnectionEvent(f, {
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
new AddrVal(tgtaddr),
@ -626,7 +642,10 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
{
EventHandlerPtr f = icmp_router_solicitation;
ConnectionEvent(f, {
if ( ! f )
return;
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
BuildNDOptionsVal(caplen, data),
@ -652,7 +671,7 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
if ( f )
{
ConnectionEvent(f, {
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 0, ip_hdr),
val_mgr->GetCount(icmpp->icmp_code),
@ -692,7 +711,7 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
if ( f )
{
ConnectionEvent(f, {
ConnectionEventFast(f, {
BuildConnVal(),
BuildICMPVal(icmpp, len, 1, ip_hdr),
val_mgr->GetCount(icmpp->icmp_code),


@ -83,7 +83,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
Weird("ident_request_addendum", s.CheckString());
}
ConnectionEvent(ident_request, {
ConnectionEventFast(ident_request, {
BuildConnVal(),
val_mgr->GetPort(local_port, TRANSPORT_TCP),
val_mgr->GetPort(remote_port, TRANSPORT_TCP),
@ -143,7 +143,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
if ( is_error )
{
ConnectionEvent(ident_error, {
if ( ident_error )
ConnectionEventFast(ident_error, {
BuildConnVal(),
val_mgr->GetPort(local_port, TRANSPORT_TCP),
val_mgr->GetPort(remote_port, TRANSPORT_TCP),
@ -176,7 +177,7 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = skip_whitespace(colon + 1, end_of_line);
ConnectionEvent(ident_reply, {
ConnectionEventFast(ident_reply, {
BuildConnVal(),
val_mgr->GetPort(local_port, TRANSPORT_TCP),
val_mgr->GetPort(remote_port, TRANSPORT_TCP),
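Review bot: The converted `ident_request` and `ident_reply` calls (first and third hunks) have no handler check inside the hunk, unlike `ident_error`, which gains `if ( ident_error )`. Per the commit description the Fast variant no longer tests for a handler, so both calls depend on a guard in the part of DeliverStream that lies outside the hunk; if there is none, add `if ( ident_request )` and `if ( ident_reply )` ahead of the calls. The guard is also not visible at other converted call sites, among them the IRC numeric-reply cases, Login_Analyzer::LoginEvent, Rsh_Analyzer::DeliverStream, MIME_Mail::Done/EndEntity/SubmitData/SubmitAllData, NCP_Session::DeliverFrame, NetbiosSSN_Interpreter::Event, POP3_Analyzer::POP3Event, PortmapperInterp::Event and SMTP_Analyzer::Unexpected. All of these run on parsed network input, so each one is worth checking against the full function before merge.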


@ -43,6 +43,8 @@ refine connection IMAP_Conn += {
if ( commands == "ok" )
{
bro_analyzer()->StartTLS();
if ( imap_starttls )
BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
}
else
@ -54,6 +56,9 @@ refine connection IMAP_Conn += {
function proc_server_capability(capabilities: Capability[]): bool
%{
if ( ! imap_capabilities )
return true;
VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType());
for ( unsigned int i = 0; i< capabilities->size(); i++ )
{
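Review bot: The early `if ( ! imap_capabilities ) return true;` in proc_server_capability skips everything after it, and the function's body continues outside the hunk, so it is only safe if the remainder does nothing but build and send the event. Elsewhere in this commit side effects are kept outside the guard (for example `bro_analyzer()->StartTLS();` in the hunk above stays unconditional), and the same should be confirmed here. The early returns added to the three NTLM `proc_ntlm_*` functions, NTP_Analyzer::Message and socks5_auth_request_userpass have the same shape. A one-line comment at each, such as `// Nothing below has side effects besides raising the event.`, would record the assumption.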


@ -241,7 +241,8 @@ void InterConn_Analyzer::StatTimer(double t, int is_expire)
void InterConn_Analyzer::StatEvent()
{
Conn()->ConnectionEvent(interconn_stats, this, {
if ( interconn_stats )
Conn()->ConnectionEventFast(interconn_stats, this, {
Conn()->BuildConnVal(),
orig_endp->BuildStats(),
resp_endp->BuildStats(),
@ -250,7 +251,8 @@ void InterConn_Analyzer::StatEvent()
void InterConn_Analyzer::RemoveEvent()
{
Conn()->ConnectionEvent(interconn_remove_conn, this, {Conn()->BuildConnVal()});
if ( interconn_remove_conn )
Conn()->ConnectionEventFast(interconn_remove_conn, this, {Conn()->BuildConnVal()});
}
InterConnTimer::InterConnTimer(double t, InterConn_Analyzer* a)


@ -233,7 +233,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// else ###
}
ConnectionEvent(irc_network_info, {
ConnectionEventFast(irc_network_info, {
BuildConnVal(),
val_mgr->GetBool(orig),
val_mgr->GetInt(users),
@ -281,7 +281,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(idx);
}
ConnectionEvent(irc_names_info, {
ConnectionEventFast(irc_names_info, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(type.c_str()),
@ -315,7 +315,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// else ###
}
ConnectionEvent(irc_server_info, {
ConnectionEventFast(irc_server_info, {
BuildConnVal(),
val_mgr->GetBool(orig),
val_mgr->GetInt(users),
@ -337,7 +337,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[i] == ":channels" )
channels = atoi(parts[i - 1].c_str());
ConnectionEvent(irc_channel_info, {
ConnectionEventFast(irc_channel_info, {
BuildConnVal(),
val_mgr->GetBool(orig),
val_mgr->GetInt(channels),
@ -369,7 +369,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
break;
}
ConnectionEvent(irc_global_users, {
ConnectionEventFast(irc_global_users, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(eop - prefix, prefix),
@ -412,7 +412,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vl.append(new StringVal(real_name.c_str()));
ConnectionEvent(irc_whois_user_line, std::move(vl));
ConnectionEventFast(irc_whois_user_line, std::move(vl));
}
break;
@ -433,7 +433,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return;
}
ConnectionEvent(irc_whois_operator_line, {
ConnectionEventFast(irc_whois_operator_line, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(parts[0].c_str()),
@ -472,7 +472,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(idx);
}
ConnectionEvent(irc_whois_channel_line, {
ConnectionEventFast(irc_whois_channel_line, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(nick.c_str()),
@ -503,7 +503,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( *t == ':' )
++t;
ConnectionEvent(irc_channel_topic, {
ConnectionEventFast(irc_channel_topic, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(parts[1].c_str()),
@ -537,7 +537,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[7][0] == ':' )
parts[7] = parts[7].substr(1);
ConnectionEvent(irc_who_line, {
ConnectionEventFast(irc_who_line, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(parts[0].c_str()),
@ -560,7 +560,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 436:
if ( irc_invalid_nick )
{
ConnectionEvent(irc_invalid_nick, {
ConnectionEventFast(irc_invalid_nick, {
BuildConnVal(),
val_mgr->GetBool(orig),
});
@ -572,7 +572,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 491: // user is not operator
if ( irc_oper_response )
{
ConnectionEvent(irc_oper_response, {
ConnectionEventFast(irc_oper_response, {
BuildConnVal(),
val_mgr->GetBool(orig),
val_mgr->GetBool(code == 381),
@ -587,7 +587,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
// All other server replies.
default:
ConnectionEvent(irc_reply, {
if ( irc_reply )
ConnectionEventFast(irc_reply, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -657,7 +658,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
ConnectionEvent(irc_dcc_message, {
if ( irc_dcc_message )
ConnectionEventFast(irc_dcc_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -674,7 +676,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else
{
ConnectionEvent(irc_privmsg_message, {
if ( irc_privmsg_message )
ConnectionEventFast(irc_privmsg_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -699,7 +702,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( message[0] == ':' )
message = message.substr(1);
ConnectionEvent(irc_notice_message, {
ConnectionEventFast(irc_notice_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -723,7 +726,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( message[0] == ':' )
message = message.substr(1);
ConnectionEvent(irc_squery_message, {
ConnectionEventFast(irc_squery_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -763,7 +766,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
const char* name = realname.c_str();
vl.append(new StringVal(*name == ':' ? name + 1 : name));
ConnectionEvent(irc_user_message, std::move(vl));
ConnectionEventFast(irc_user_message, std::move(vl));
}
else if ( irc_oper_message && command == "OPER" )
@ -772,7 +775,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vector<string> parts = SplitWords(params, ' ');
if ( parts.size() == 2 )
{
ConnectionEvent(irc_oper_message, {
ConnectionEventFast(irc_oper_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(parts[0].c_str()),
@ -814,7 +817,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else
vl.append(val_mgr->GetEmptyString());
ConnectionEvent(irc_kick_message, std::move(vl));
ConnectionEventFast(irc_kick_message, std::move(vl));
}
else if ( irc_join_message && command == "JOIN" )
@ -862,7 +865,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(info);
}
ConnectionEvent(irc_join_message, {
ConnectionEventFast(irc_join_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
list,
@ -923,7 +926,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(info);
}
ConnectionEvent(irc_join_message, {
ConnectionEventFast(irc_join_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
list,
@ -963,7 +966,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
Unref(idx);
}
ConnectionEvent(irc_part_message, {
ConnectionEventFast(irc_part_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(nick.c_str()),
@ -986,7 +989,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nickname = prefix.substr(0, pos);
}
ConnectionEvent(irc_quit_message, {
ConnectionEventFast(irc_quit_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(nickname.c_str()),
@ -1000,7 +1003,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( nick[0] == ':' )
nick = nick.substr(1);
ConnectionEvent(irc_nick_message, {
ConnectionEventFast(irc_nick_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -1025,7 +1028,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' )
parts[0] = parts[0].substr(1);
ConnectionEvent(irc_who_message, {
ConnectionEventFast(irc_who_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
parts.size() > 0 ?
@ -1055,7 +1058,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else
users = parts[0];
ConnectionEvent(irc_whois_message, {
ConnectionEventFast(irc_whois_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(server.c_str()),
@ -1068,7 +1071,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( params[0] == ':' )
params = params.substr(1);
ConnectionEvent(irc_error_message, {
ConnectionEventFast(irc_error_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -1084,7 +1087,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( parts[1].size() > 0 && parts[1][0] == ':' )
parts[1] = parts[1].substr(1);
ConnectionEvent(irc_invite_message, {
ConnectionEventFast(irc_invite_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -1100,7 +1103,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
if ( params.size() > 0 )
{
ConnectionEvent(irc_mode_message, {
ConnectionEventFast(irc_mode_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -1114,7 +1117,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else if ( irc_password_message && command == "PASS" )
{
ConnectionEvent(irc_password_message, {
ConnectionEventFast(irc_password_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(params.c_str()),
@ -1136,7 +1139,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
message = message.substr(1);
}
ConnectionEvent(irc_squit_message, {
ConnectionEventFast(irc_squit_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -1150,7 +1153,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
if ( irc_request )
{
ConnectionEvent(irc_request, {
ConnectionEventFast(irc_request, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -1164,7 +1167,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
if ( irc_message )
{
ConnectionEvent(irc_message, {
ConnectionEventFast(irc_message, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(prefix.c_str()),
@ -1199,7 +1202,8 @@ void IRC_Analyzer::StartTLS()
if ( ssl )
AddChildAnalyzer(ssl);
ConnectionEvent(irc_starttls, {BuildConnVal()});
if ( irc_starttls )
ConnectionEventFast(irc_starttls, {BuildConnVal()});
}
vector<string> IRC_Analyzer::SplitWords(const string input, const char split)


@ -289,7 +289,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
{
if ( authentication_skipped )
{
ConnectionEvent(authentication_skipped, {BuildConnVal()});
ConnectionEventFast(authentication_skipped, {BuildConnVal()});
}
state = LOGIN_STATE_SKIP;
@ -332,7 +332,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
else if ( login_terminal && streq(name, "TERM") )
{
ConnectionEvent(login_terminal, {
ConnectionEventFast(login_terminal, {
BuildConnVal(),
new StringVal(val),
});
@ -340,7 +340,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
else if ( login_display && streq(name, "DISPLAY") )
{
ConnectionEvent(login_display, {
ConnectionEventFast(login_display, {
BuildConnVal(),
new StringVal(val),
});
@ -348,7 +348,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
else if ( login_prompt && streq(name, "TTYPROMPT") )
{
ConnectionEvent(login_prompt, {
ConnectionEventFast(login_prompt, {
BuildConnVal(),
new StringVal(val),
});
@ -425,7 +425,7 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
Val* password = HaveTypeahead() ?
PopUserTextVal() : new StringVal("<none>");
ConnectionEvent(f, {
ConnectionEventFast(f, {
BuildConnVal(),
username->Ref(),
client_name ? client_name->Ref() : val_mgr->GetEmptyString(),
@ -444,7 +444,10 @@ const char* Login_Analyzer::GetUsername(const char* line) const
void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
{
ConnectionEvent(f, {
if ( ! f )
return;
ConnectionEventFast(f, {
BuildConnVal(),
new StringVal(line),
});
@ -457,7 +460,7 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
if ( login_confused )
{
ConnectionEvent(login_confused, {
ConnectionEventFast(login_confused, {
BuildConnVal(),
new StringVal(msg),
new StringVal(line),
@ -483,7 +486,7 @@ void Login_Analyzer::ConfusionText(const char* line)
{
if ( login_confused_text )
{
ConnectionEvent(login_confused_text, {
ConnectionEventFast(login_confused_text, {
BuildConnVal(),
new StringVal(line),
});


@ -461,7 +461,7 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
{
if ( login_terminal )
{
ConnectionEvent(login_terminal, {
ConnectionEventFast(login_terminal, {
BuildConnVal(),
new StringVal(new BroString(terminal, len, 0)),
});


@ -183,11 +183,11 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
else
vl.append(val_mgr->GetFalse());
ConnectionEvent(rsh_request, std::move(vl));
ConnectionEventFast(rsh_request, std::move(vl));
}
else
ConnectionEvent(rsh_reply, std::move(vl));
ConnectionEventFast(rsh_reply, std::move(vl));
}
void Rsh_Analyzer::ClientUserName(const char* s)


@ -244,7 +244,7 @@ void Rlogin_Analyzer::TerminalType(const char* s)
{
if ( login_terminal )
{
ConnectionEvent(login_terminal, {
ConnectionEventFast(login_terminal, {
BuildConnVal(),
new StringVal(s),
});


@ -1358,7 +1358,7 @@ void MIME_Mail::Done()
hash_final(md5_hash, digest);
md5_hash = nullptr;
analyzer->ConnectionEvent(mime_content_hash, {
analyzer->ConnectionEventFast(mime_content_hash, {
analyzer->BuildConnVal(),
val_mgr->GetCount(content_hash_length),
new StringVal(new BroString(1, digest, 16)),
@ -1386,7 +1386,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
cur_entity_id.clear();
if ( mime_begin_entity )
analyzer->ConnectionEvent(mime_begin_entity, {analyzer->BuildConnVal()});
analyzer->ConnectionEventFast(mime_begin_entity, {analyzer->BuildConnVal()});
buffer_start = data_start = 0;
ASSERT(entity_content.size() == 0);
@ -1398,8 +1398,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
{
BroString* s = concatenate(entity_content);
analyzer->ConnectionEvent(mime_entity_data, {
analyzer->ConnectionEventFast(mime_entity_data, {
analyzer->BuildConnVal(),
val_mgr->GetCount(s->Len()),
new StringVal(s),
@ -1412,7 +1411,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
}
if ( mime_end_entity )
analyzer->ConnectionEvent(mime_end_entity, {analyzer->BuildConnVal()});
analyzer->ConnectionEventFast(mime_end_entity, {analyzer->BuildConnVal()});
file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
cur_entity_id.clear();
@ -1422,7 +1421,7 @@ void MIME_Mail::SubmitHeader(MIME_Header* h)
{
if ( mime_one_header )
{
analyzer->ConnectionEvent(mime_one_header, {
analyzer->ConnectionEventFast(mime_one_header, {
analyzer->BuildConnVal(),
BuildHeaderVal(h),
});
@ -1433,7 +1432,7 @@ void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
{
if ( mime_all_headers )
{
analyzer->ConnectionEvent(mime_all_headers, {
analyzer->ConnectionEventFast(mime_all_headers, {
analyzer->BuildConnVal(),
BuildHeaderTable(hlist),
});
@ -1470,7 +1469,7 @@ void MIME_Mail::SubmitData(int len, const char* buf)
const char* data = (char*) data_buffer->Bytes() + data_start;
int data_len = (buf + len) - data;
analyzer->ConnectionEvent(mime_segment_data, {
analyzer->ConnectionEventFast(mime_segment_data, {
analyzer->BuildConnVal(),
val_mgr->GetCount(data_len),
new StringVal(data_len, data),
@ -1517,7 +1516,7 @@ void MIME_Mail::SubmitAllData()
BroString* s = concatenate(all_content);
delete_strings(all_content);
analyzer->ConnectionEvent(mime_all_data, {
analyzer->ConnectionEventFast(mime_all_data, {
analyzer->BuildConnVal(),
val_mgr->GetCount(s->Len()),
new StringVal(s),
@ -1546,7 +1545,7 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
if ( mime_event )
{
analyzer->ConnectionEvent(mime_event, {
analyzer->ConnectionEventFast(mime_event, {
analyzer->BuildConnVal(),
new StringVal(category),
new StringVal(detail),


@ -63,7 +63,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
{
if ( frame->is_orig() )
{
analyzer->ConnectionEvent(f, {
analyzer->ConnectionEventFast(f, {
analyzer->BuildConnVal(),
val_mgr->GetCount(frame->frame_type()),
val_mgr->GetCount(frame->body_length()),
@ -72,7 +72,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
}
else
{
analyzer->ConnectionEvent(f, {
analyzer->ConnectionEventFast(f, {
analyzer->BuildConnVal(),
val_mgr->GetCount(frame->frame_type()),
val_mgr->GetCount(frame->body_length()),


@ -58,7 +58,7 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
{
if ( netbios_session_message )
{
analyzer->ConnectionEvent(netbios_session_message, {
analyzer->ConnectionEventFast(netbios_session_message, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_query),
val_mgr->GetCount(type),
@ -330,14 +330,14 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
if ( is_orig >= 0 )
{
analyzer->ConnectionEvent(event, {
analyzer->ConnectionEventFast(event, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
new StringVal(new BroString(data, len, 0)),
});
}
else
analyzer->ConnectionEvent(event, {
analyzer->ConnectionEventFast(event, {
analyzer->BuildConnVal(),
new StringVal(new BroString(data, len, 0)),
});


@ -94,6 +94,9 @@ refine connection NTLM_Conn += {
function proc_ntlm_negotiate(val: NTLM_Negotiate): bool
%{
if ( ! ntlm_negotiate )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Negotiate);
result->Assign(0, build_negotiate_flag_record(${val.flags}));
@ -115,6 +118,9 @@ refine connection NTLM_Conn += {
function proc_ntlm_challenge(val: NTLM_Challenge): bool
%{
if ( ! ntlm_challenge )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Challenge);
result->Assign(0, build_negotiate_flag_record(${val.flags}));
@ -136,6 +142,9 @@ refine connection NTLM_Conn += {
function proc_ntlm_authenticate(val: NTLM_Authenticate): bool
%{
if ( ! ntlm_authenticate )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Authenticate);
result->Assign(0, build_negotiate_flag_record(${val.flags}));


@ -62,6 +62,9 @@ void NTP_Analyzer::Message(const u_char* data, int len)
len -= sizeof *ntp_data;
data += sizeof *ntp_data;
if ( ! ntp_message )
return;
RecordVal* msg = new RecordVal(ntp_msg);
unsigned int code = ntp_data->status & 0x7;
@ -78,7 +81,7 @@ void NTP_Analyzer::Message(const u_char* data, int len)
msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME));
msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME));
ConnectionEvent(ntp_message, {
ConnectionEventFast(ntp_message, {
BuildConnVal(),
msg,
new StringVal(new BroString(data, len, 0)),


@ -833,7 +833,8 @@ void POP3_Analyzer::StartTLS()
if ( ssl )
AddChildAnalyzer(ssl);
ConnectionEvent(pop3_starttls, {BuildConnVal()});
if ( pop3_starttls )
ConnectionEventFast(pop3_starttls, {BuildConnVal()});
}
void POP3_Analyzer::AuthSuccessfull()
@ -932,5 +933,5 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
if ( arg2 )
vl.append(new StringVal(arg2));
ConnectionEvent(event, std::move(vl));
ConnectionEventFast(event, std::move(vl));
}


@ -1,6 +1,7 @@
refine flow RFB_Flow += {
function proc_rfb_message(msg: RFB_PDU): bool
%{
if ( rfb_event )
BifEvent::generate_rfb_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn());
return true;
%}
@ -9,12 +10,14 @@ refine flow RFB_Flow += {
%{
if (client)
{
if ( rfb_client_version )
BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
connection()->bro_analyzer()->ProtocolConfirmation();
}
else
{
if ( rfb_server_version )
BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
}
return true;
@ -22,30 +25,35 @@ refine flow RFB_Flow += {
function proc_rfb_share_flag(shared: bool) : bool
%{
if ( rfb_share_flag )
BifEvent::generate_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared);
return true;
%}
function proc_security_types(msg: RFBSecurityTypes) : bool
%{
if ( rfb_authentication_type )
BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype});
return true;
%}
function proc_security_types37(msg: RFBAuthTypeSelected) : bool
%{
if ( rfb_authentication_type )
BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type});
return true;
%}
function proc_handle_server_params(msg:RFBServerInit) : bool
%{
if ( rfb_server_parameters )
BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height});
return true;
%}
function proc_handle_security_result(result : uint32) : bool
%{
if ( rfb_auth_result )
BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
return true;
%}


@ -95,7 +95,7 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
{
auto vl = event_common_vl(c, rpc_status, mount_status,
start_time, last_time, reply_len, 0);
analyzer->ConnectionEvent(mount_reply_status, std::move(vl));
analyzer->ConnectionEventFast(mount_reply_status, std::move(vl));
}
if ( ! rpc_success )
@ -173,7 +173,7 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
if ( reply )
vl.append(reply);
analyzer->ConnectionEvent(event, std::move(vl));
analyzer->ConnectionEventFast(event, std::move(vl));
}
else
Unref(reply);


@ -149,7 +149,7 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
{
auto vl = event_common_vl(c, rpc_status, nfs_status,
start_time, last_time, reply_len, 0);
analyzer->ConnectionEvent(nfs_reply_status, std::move(vl));
analyzer->ConnectionEventFast(nfs_reply_status, std::move(vl));
}
if ( ! rpc_success )
@ -285,7 +285,7 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
if ( reply )
vl.append(reply);
analyzer->ConnectionEvent(event, std::move(vl));
analyzer->ConnectionEventFast(event, std::move(vl));
}
else
Unref(reply);


@ -261,7 +261,7 @@ uint32 PortmapperInterp::CheckPort(uint32 port)
{
if ( pm_bad_port )
{
analyzer->ConnectionEvent(pm_bad_port, {
analyzer->ConnectionEventFast(pm_bad_port, {
analyzer->BuildConnVal(),
val_mgr->GetCount(port),
});
@ -300,7 +300,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu
vl.append(request);
}
analyzer->ConnectionEvent(f, std::move(vl));
analyzer->ConnectionEventFast(f, std::move(vl));
}
Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)


@ -330,7 +330,7 @@ void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status st
{
if ( rpc_dialogue )
{
analyzer->ConnectionEvent(rpc_dialogue, {
analyzer->ConnectionEventFast(rpc_dialogue, {
analyzer->BuildConnVal(),
val_mgr->GetCount(c->Program()),
val_mgr->GetCount(c->Version()),
@ -347,7 +347,7 @@ void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
{
if ( rpc_call )
{
analyzer->ConnectionEvent(rpc_call, {
analyzer->ConnectionEventFast(rpc_call, {
analyzer->BuildConnVal(),
val_mgr->GetCount(c->XID()),
val_mgr->GetCount(c->Program()),
@ -362,7 +362,7 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status,
{
if ( rpc_reply )
{
analyzer->ConnectionEvent(rpc_reply, {
analyzer->ConnectionEventFast(rpc_reply, {
analyzer->BuildConnVal(),
val_mgr->GetCount(xid),
BifType::Enum::rpc_status->GetVal(status),


@ -6,6 +6,8 @@ refine connection SMB_Conn += {
BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
{
set_tree_is_pipe(${header.tid});
if ( smb_pipe_connect_heuristic )
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
}


@ -66,6 +66,7 @@ refine connection SMB_Conn += {
}
else
{
if ( smb1_error )
BifEvent::generate_smb1_error(bro_analyzer(),
bro_analyzer()->Conn(),
BuildHeaderVal(h), is_orig);


@ -7,6 +7,8 @@ refine connection SMB_Conn += {
BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
{
set_tree_is_pipe(${h.tree_id});
if ( smb_pipe_connect_heuristic )
BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
bro_analyzer()->Conn());
}


@ -220,7 +220,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
if ( smtp_data && ! skip_data )
{
ConnectionEvent(smtp_data, {
ConnectionEventFast(smtp_data, {
BuildConnVal(),
val_mgr->GetBool(orig),
new StringVal(data_len, line),
@ -350,7 +350,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
break;
}
ConnectionEvent(smtp_reply, {
ConnectionEventFast(smtp_reply, {
BuildConnVal(),
val_mgr->GetBool(orig),
val_mgr->GetCount(reply_code),
@ -410,7 +410,8 @@ void SMTP_Analyzer::StartTLS()
if ( ssl )
AddChildAnalyzer(ssl);
ConnectionEvent(smtp_starttls, {BuildConnVal()});
if ( smtp_starttls )
ConnectionEventFast(smtp_starttls, {BuildConnVal()});
}
@ -852,7 +853,9 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
int arg_len, const char* arg)
{
ProtocolConfirmation();
ConnectionEvent(smtp_request, {
if ( smtp_request )
ConnectionEventFast(smtp_request, {
BuildConnVal(),
val_mgr->GetBool(orig_is_sender),
(new StringVal(cmd_len, cmd))->ToUpper(),
@ -872,7 +875,7 @@ void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
if ( ! orig_is_sender )
is_orig = ! is_orig;
ConnectionEvent(smtp_unexpected, {
ConnectionEventFast(smtp_unexpected, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
new StringVal(msg),


@ -22,8 +22,11 @@ refine connection SOCKS_Conn += {
function socks4_request(request: SOCKS4_Request): bool
%{
if ( socks_request )
{
RecordVal* sa = new RecordVal(socks_address);
sa->Assign(0, new AddrVal(htonl(${request.addr})));
if ( ${request.v4a} )
sa->Assign(1, array_to_string(${request.name}));
@ -34,6 +37,7 @@ refine connection SOCKS_Conn += {
sa,
val_mgr->GetPort(${request.port}, TRANSPORT_TCP),
array_to_string(${request.user}));
}
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
@ -42,6 +46,8 @@ refine connection SOCKS_Conn += {
function socks4_reply(reply: SOCKS4_Reply): bool
%{
if ( socks_reply )
{
RecordVal* sa = new RecordVal(socks_address);
sa->Assign(0, new AddrVal(htonl(${reply.addr})));
@ -51,6 +57,7 @@ refine connection SOCKS_Conn += {
${reply.status},
sa,
val_mgr->GetPort(${reply.port}, TRANSPORT_TCP));
}
bro_analyzer()->ProtocolConfirmation();
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false);
@ -97,6 +104,7 @@ refine connection SOCKS_Conn += {
return false;
}
if ( socks_request )
BifEvent::generate_socks_request(bro_analyzer(),
bro_analyzer()->Conn(),
5,
@ -104,6 +112,8 @@ refine connection SOCKS_Conn += {
sa,
val_mgr->GetPort(${request.port}, TRANSPORT_TCP),
val_mgr->GetEmptyString());
else
Unref(sa);
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
@ -136,12 +146,15 @@ refine connection SOCKS_Conn += {
return false;
}
if ( socks_reply )
BifEvent::generate_socks_reply(bro_analyzer(),
bro_analyzer()->Conn(),
5,
${reply.reply},
sa,
val_mgr->GetPort(${reply.port}, TRANSPORT_TCP));
else
Unref(sa);
bro_analyzer()->ProtocolConfirmation();
static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false);
@ -150,6 +163,9 @@ refine connection SOCKS_Conn += {
function socks5_auth_request_userpass(request: SOCKS5_Auth_Request_UserPass_v1): bool
%{
if ( ! socks_login_userpass_request )
return true;
StringVal* user = new StringVal(${request.username}.length(), (const char*) ${request.username}.begin());
StringVal* pass = new StringVal(${request.password}.length(), (const char*) ${request.password}.begin());
@ -173,6 +189,7 @@ refine connection SOCKS_Conn += {
function socks5_auth_reply_userpass(reply: SOCKS5_Auth_Reply_UserPass_v1): bool
%{
if ( socks_login_userpass_reply )
BifEvent::generate_socks_login_userpass_reply(bro_analyzer(),
bro_analyzer()->Conn(),
${reply.code});
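Review bot: The SOCKS5 request and reply paths (fourth and fifth hunks) still build `sa` before testing the handler and then need `else Unref(sa);`, while socks4_request and socks4_reply move the allocation inside `if ( socks_request )` / `if ( socks_reply )`. The manual release is easy to miss if another reference-counted argument is added later. If `sa` must be built first because the address parsing above can reject the message with `return false;` (that code is outside the hunk, so this is inferred), say so in a comment next to the check, e.g. `// sa is built unconditionally so malformed addresses are still rejected above`; otherwise use the SOCKS4 form here too.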


@ -17,8 +17,8 @@ refine connection SSL_Conn += {
function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool
%{
BifEvent::generate_ssl_established(bro_analyzer(),
bro_analyzer()->Conn());
if ( ssl_established )
BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn());
return true;
%}


@ -31,6 +31,7 @@ refine connection SSL_Conn += {
function proc_alert(rec: SSLRecord, level : int, desc : int) : bool
%{
if ( ssl_alert )
BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, level, desc);
return true;
@ -50,8 +51,8 @@ refine connection SSL_Conn += {
established_ == false )
{
established_ = true;
BifEvent::generate_ssl_established(bro_analyzer(),
bro_analyzer()->Conn());
if ( ssl_established )
BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn());
}
if ( ssl_encrypted_data )
@ -72,6 +73,7 @@ refine connection SSL_Conn += {
function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool
%{
if ( ssl_heartbeat )
BifEvent::generate_ssl_heartbeat(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length,
new StringVal(data.length(), (const char*) data.data()));
@ -93,6 +95,7 @@ refine connection SSL_Conn += {
function proc_ccs(rec: SSLRecord) : bool
%{
if ( ssl_change_cipher_spec )
BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig});


@ -72,6 +72,9 @@ refine connection Handshake_Conn += {
function proc_ec_point_formats(rec: HandshakeRecord, point_format_list: uint8[]) : bool
%{
if ( ! ssl_extension_ec_point_formats )
return true;
VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType());
if ( point_format_list )
@ -88,6 +91,9 @@ refine connection Handshake_Conn += {
function proc_elliptic_curves(rec: HandshakeRecord, list: uint16[]) : bool
%{
if ( ! ssl_extension_elliptic_curves )
return true;
VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType());
if ( list )
@ -104,6 +110,9 @@ refine connection Handshake_Conn += {
function proc_client_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry[]) : bool
%{
if ( ! ssl_extension_key_share )
return true;
VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType());
if ( keyshare )
@ -113,11 +122,15 @@ refine connection Handshake_Conn += {
}
BifEvent::generate_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, nglist);
return true;
%}
function proc_server_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry) : bool
%{
if ( ! ssl_extension_key_share )
return true;
VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType());
nglist->Assign(0u, val_mgr->GetCount(keyshare->namedgroup()));
@ -127,6 +140,9 @@ refine connection Handshake_Conn += {
function proc_signature_algorithm(rec: HandshakeRecord, supported_signature_algorithms: SignatureAndHashAlgorithm[]) : bool
%{
if ( ! ssl_extension_signature_algorithm )
return true;
VectorVal* slist = new VectorVal(internal_type("signature_and_hashalgorithm_vec")->AsVectorType());
if ( supported_signature_algorithms )
@ -147,6 +163,9 @@ refine connection Handshake_Conn += {
function proc_apnl(rec: HandshakeRecord, protocols: ProtocolName[]) : bool
%{
if ( ! ssl_extension_application_layer_protocol_negotiation )
return true;
VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType());
if ( protocols )
@ -183,14 +202,20 @@ refine connection Handshake_Conn += {
}
}
if ( ssl_extension_server_name )
BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
${rec.is_orig}, servers);
else
Unref(servers);
return true;
%}
function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool
%{
if ( ! ssl_extension_supported_versions )
return true;
VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType());
if ( versions_list )
@ -207,6 +232,9 @@ refine connection Handshake_Conn += {
function proc_one_supported_version(rec: HandshakeRecord, version: uint16) : bool
%{
if ( ! ssl_extension_supported_versions )
return true;
VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType());
versions->Assign(0u, val_mgr->GetCount(version));
@ -218,6 +246,9 @@ refine connection Handshake_Conn += {
function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool
%{
if ( ! ssl_extension_psk_key_exchange_modes )
return true;
VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType());
if ( mode_list )
@ -272,10 +303,11 @@ refine connection Handshake_Conn += {
response.length(), bro_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), false, file_id, "application/ocsp-response");
if ( ssl_stapled_ocsp )
BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.is_orig},
new StringVal(response.length(),
(const char*) response.data()));
bro_analyzer()->Conn(),
${rec.is_orig},
new StringVal(response.length(), (const char*) response.data()));
file_mgr->EndOfFile(file_id);
}
@ -288,11 +320,16 @@ refine connection Handshake_Conn += {
if ( ${kex.curve_type} != NAMED_CURVE )
return true;
if ( ssl_server_curve )
BifEvent::generate_ssl_server_curve(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve});
if ( ssl_ecdh_server_params )
BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
if ( ssl_server_signature )
{
RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
if ( ${kex.signed_params.uses_signature_and_hashalgorithm} )
{
@ -308,6 +345,7 @@ refine connection Handshake_Conn += {
BifEvent::generate_ssl_server_signature(bro_analyzer(),
bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data()));
}
return true;
%}
@ -317,8 +355,11 @@ refine connection Handshake_Conn += {
if ( ${kex.curve_type} != NAMED_CURVE )
return true;
if ( ssl_server_curve )
BifEvent::generate_ssl_server_curve(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve});
if ( ssl_ecdh_server_params )
BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
@ -327,24 +368,33 @@ refine connection Handshake_Conn += {
function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool
%{
if ( ssl_rsa_client_pms )
BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data()));
return true;
%}
function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool
%{
if ( ssl_dh_client_params )
BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data()));
return true;
%}
function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool
%{
if ( ssl_ecdh_client_params )
BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data()));
return true;
%}
function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool
%{
if ( ! ssl_extension_signed_certificate_timestamp )
return true;
RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
ha->Assign(0, val_mgr->GetCount(digitally_signed_algorithms->HashAlgorithm()));
ha->Assign(1, val_mgr->GetCount(digitally_signed_algorithms->SignatureAlgorithm()));
@ -363,6 +413,7 @@ refine connection Handshake_Conn += {
function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: ServerKeyExchangeSignature) : bool
%{
if ( ssl_ecdh_server_params )
BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
bro_analyzer()->Conn(),
new StringVal(p.length(), (const char*) p.data()),
@ -370,6 +421,8 @@ refine connection Handshake_Conn += {
new StringVal(Ys.length(), (const char*) Ys.data())
);
if ( ssl_server_signature )
{
RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
if ( ${signed_params.uses_signature_and_hashalgorithm} )
{
@ -387,12 +440,14 @@ refine connection Handshake_Conn += {
bro_analyzer()->Conn(), ha,
new StringVal(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data())
);
}
return true;
%}
function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
%{
if ( ssl_dh_server_params )
BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
bro_analyzer()->Conn(),
new StringVal(p.length(), (const char*) p.data()),
@ -405,6 +460,7 @@ refine connection Handshake_Conn += {
function proc_handshake(is_orig: bool, msg_type: uint8, length: uint24) : bool
%{
if ( ssl_handshake_message )
BifEvent::generate_ssl_handshake_message(bro_analyzer(),
bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length));
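Review bot: In proc_dhe_server_key_exchange the new guard tests the wrong handler: `if ( ssl_ecdh_server_params )` sits in front of `BifEvent::generate_ssl_dh_server_params(...)`, whereas proc_dh_anon_server_key_exchange further down guards the same call with `ssl_dh_server_params`. A script that handles only ssl_dh_server_params would stop receiving the DHE parameters (p, g, Ys) without any error, so checks built on them (for example on the strength of the DH group) go silent. In the opposite case, where only the ECDH handler exists, the DH event is generated with no existence check at all, assuming generate_* now leaves that check to the caller. The guard should read `if ( ssl_dh_server_params )`.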


@ -140,15 +140,18 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
return;
if ( id2 >= 0 )
endp->TCP()->ConnectionEvent(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)});
endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)});
else
endp->TCP()->ConnectionEvent(f, {val_mgr->GetInt(id1)});
endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1)});
}
void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
{
endp->TCP()->ConnectionEvent(stp_create_endp, {
if ( ! stp_create_endp )
return;
endp->TCP()->ConnectionEventFast(stp_create_endp, {
endp->TCP()->BuildConnVal(),
val_mgr->GetInt(stp_id),
val_mgr->GetBool(is_orig),


@ -11,6 +11,9 @@ flow Syslog_Flow
function process_syslog_message(m: Syslog_Message): bool
%{
if ( ! syslog_message )
return true;
if ( ${m.has_pri} )
BifEvent::generate_syslog_message(
connection()->bro_analyzer(),


@ -299,7 +299,7 @@ static void passive_fingerprint(TCP_Analyzer* tcp, bool is_orig,
if ( OS_val )
{ // found new OS version
tcp->ConnectionEvent(OS_version_found, {
tcp->ConnectionEventFast(OS_version_found, {
tcp->BuildConnVal(),
src_addr_val->Ref(),
OS_val,
@ -965,7 +965,7 @@ void TCP_Analyzer::GeneratePacketEvent(
const u_char* data, int len, int caplen,
int is_orig, TCP_Flags flags)
{
ConnectionEvent(tcp_packet, {
ConnectionEventFast(tcp_packet, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
new StringVal(flags.AsString()),
@ -1280,7 +1280,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
if ( connection_SYN_packet )
{
ConnectionEvent(connection_SYN_packet, {
ConnectionEventFast(connection_SYN_packet, {
BuildConnVal(),
SYN_vals->Ref(),
});
@ -1500,7 +1500,7 @@ int TCP_Analyzer::TCPOptionEvent(unsigned int opt,
{
if ( tcp_option )
{
analyzer->ConnectionEvent(tcp_option, {
analyzer->ConnectionEventFast(tcp_option, {
analyzer->BuildConnVal(),
val_mgr->GetBool(is_orig),
val_mgr->GetCount(opt),
@ -1821,7 +1821,7 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
{
if ( connection_EOF )
{
ConnectionEvent(connection_EOF, {
ConnectionEventFast(connection_EOF, {
BuildConnVal(),
val_mgr->GetBool(endp->IsOrig()),
});
@ -2103,7 +2103,7 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64 seq, int len, int caplen,
if ( tcp_rexmit )
{
endp->TCP()->ConnectionEvent(tcp_rexmit, {
endp->TCP()->ConnectionEventFast(tcp_rexmit, {
endp->TCP()->BuildConnVal(),
val_mgr->GetBool(endp->IsOrig()),
val_mgr->GetCount(seq),
@ -2158,7 +2158,8 @@ void TCPStats_Analyzer::Done()
{
TCP_ApplicationAnalyzer::Done();
ConnectionEvent(conn_stats, {
if ( conn_stats )
ConnectionEventFast(conn_stats, {
BuildConnVal(),
orig_stats->BuildStats(),
resp_stats->BuildStats(),
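Review bot: TCP_Analyzer::GeneratePacketEvent now calls `ConnectionEventFast(tcp_packet, ...)` as its first statement, so the function no longer tolerates a missing tcp_packet handler and depends on every caller having tested it. That precondition is not written down in the hunk; I would add `// Precondition: caller has checked that tcp_packet has a handler.` above the call, or keep a cheap `if ( ! tcp_packet ) return;` at the top, since this path runs per packet on traffic the sensor does not control. The same applies to File::FileEvent(EventHandlerPtr h, val_list vl), which now forwards an arbitrary `h` to `mgr.QueueEventFast` unchecked. Both function bodies continue outside their hunks.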


@ -237,7 +237,7 @@ int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen,
if ( contents_file_write_failure )
{
tcp_analyzer->ConnectionEvent(contents_file_write_failure, {
tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
Conn()->BuildConnVal(),
val_mgr->GetBool(IsOrig()),
new StringVal(buf),


@ -136,7 +136,7 @@ void TCP_Reassembler::Gap(uint64 seq, uint64 len)
if ( report_gap(endp, endp->peer) )
{
dst_analyzer->ConnectionEvent(content_gap, {
dst_analyzer->ConnectionEventFast(content_gap, {
dst_analyzer->BuildConnVal(),
val_mgr->GetBool(IsOrig()),
val_mgr->GetCount(seq),
@ -335,7 +335,7 @@ void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f)
if ( contents_file_write_failure )
{
tcp_analyzer->ConnectionEvent(contents_file_write_failure, {
tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
Endpoint()->Conn()->BuildConnVal(),
val_mgr->GetBool(IsOrig()),
new StringVal("TCP reassembler content write failure"),
@ -352,7 +352,7 @@ void TCP_Reassembler::RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f)
if ( contents_file_write_failure )
{
tcp_analyzer->ConnectionEvent(contents_file_write_failure, {
tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
Endpoint()->Conn()->BuildConnVal(),
val_mgr->GetBool(IsOrig()),
new StringVal("TCP reassembler gap write failure"),
@ -425,7 +425,7 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n)
BroString* b1_s = new BroString((const u_char*) b1, n, 0);
BroString* b2_s = new BroString((const u_char*) b2, n, 0);
tcp_analyzer->ConnectionEvent(rexmit_inconsistency, {
tcp_analyzer->ConnectionEventFast(rexmit_inconsistency, {
tcp_analyzer->BuildConnVal(),
new StringVal(b1_s),
new StringVal(b2_s),
@ -596,7 +596,7 @@ void TCP_Reassembler::DeliverBlock(uint64 seq, int len, const u_char* data)
if ( deliver_tcp_contents )
{
tcp_analyzer->ConnectionEvent(tcp_contents, {
tcp_analyzer->ConnectionEventFast(tcp_contents, {
tcp_analyzer->BuildConnVal(),
val_mgr->GetBool(IsOrig()),
val_mgr->GetCount(seq),
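Review bot: In TCP_Reassembler::DeliverBlock the only visible guard in front of `ConnectionEventFast(tcp_contents, ...)` is `if ( deliver_tcp_contents )`, which is a delivery flag and not the handler itself; UDP_Analyzer::DeliverPacket has the same shape with `do_udp_contents` and `udp_contents`. With the old ConnectionEvent() the handler was still tested inside the call, so if either flag can ever be set while the handler is absent, the Fast variant now queues an event nobody checked. Where the flags are set is outside these hunks, so this is a question rather than a finding. Either state the invariant in a comment (`// deliver_tcp_contents is only set when tcp_contents has a handler`) or test both, `if ( deliver_tcp_contents && tcp_contents )`.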


@ -157,7 +157,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
if ( do_udp_contents )
{
ConnectionEvent(udp_contents, {
ConnectionEventFast(udp_contents, {
BuildConnVal(),
val_mgr->GetBool(is_orig),
new StringVal(len, (const char*) data),


@ -32,6 +32,7 @@ refine connection XMPP_Conn += {
if ( !is_orig && ( token == "proceed" || token_no_ns == "proceed" ) && client_starttls )
{
bro_analyzer()->StartTLS();
if ( xmpp_starttls )
BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn());
}
else if ( !is_orig && token == "proceed" )


@ -1016,7 +1016,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev)
}
if ( static_cast<size_t>(vl.length()) == args.size() )
mgr.QueueEvent(handler, std::move(vl), SOURCE_BROKER);
mgr.QueueEventFast(handler, std::move(vl), SOURCE_BROKER);
else
{
loop_over_list(vl, i)
@ -1247,6 +1247,9 @@ void Manager::ProcessStatus(broker::status stat)
break;
}
if ( ! event )
return;
auto ei = internal_type("Broker::EndpointInfo")->AsRecordType();
auto endpoint_info = new RecordVal(ei);
@ -1275,7 +1278,7 @@ void Manager::ProcessStatus(broker::status stat)
auto str = stat.message();
auto msg = new StringVal(str ? *str : "");
mgr.QueueEvent(event, {endpoint_info, msg});
mgr.QueueEventFast(event, {endpoint_info, msg});
}
void Manager::ProcessError(broker::error err)
@ -1352,7 +1355,7 @@ void Manager::ProcessError(broker::error err)
msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str());
}
mgr.QueueEvent(Broker::error, {
mgr.QueueEventFast(Broker::error, {
BifType::Enum::Broker::ErrorCode->GetVal(ec),
new StringVal(msg),
});
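Review bot: Manager::ProcessEvent now passes `handler` to `mgr.QueueEventFast(...)` with SOURCE_BROKER, and the only condition visible in the hunk is the argument-count comparison; going by the signature, the event being processed arrives over Broker rather than being raised locally. Whatever check runs earlier in the function is outside the hunk, so please confirm it is the same existence test QueueEvent() used to apply (handler enabled, with a local body or receivers) and not just a non-null result of looking the name up. Manager::ProcessError has the same open question for `Broker::error`, while ProcessStatus gets an explicit `if ( ! event ) return;` in this commit. Adding `if ( ! Broker::error ) return;` near the top of ProcessError, if it is not already there, would make the three consistent.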


@ -637,7 +637,7 @@ void File::FileEvent(EventHandlerPtr h, val_list* vl)
void File::FileEvent(EventHandlerPtr h, val_list vl)
{
mgr.QueueEvent(h, std::move(vl));
mgr.QueueEventFast(h, std::move(vl));
if ( h == file_new || h == file_over_new_connection ||
h == file_sniff ||


@ -443,7 +443,7 @@ string Manager::GetFileID(analyzer::Tag tag, Connection* c, bool is_orig)
EnumVal* tagval = tag.AsEnumVal();
Ref(tagval);
mgr.QueueEvent(get_file_handle, {
mgr.QueueEventFast(get_file_handle, {
tagval,
c->BuildConnVal(),
val_mgr->GetBool(is_orig),


@ -41,7 +41,7 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
{
if ( ! chunk_event ) return true;
mgr.QueueEvent(chunk_event, {
mgr.QueueEventFast(chunk_event, {
GetFile()->GetVal()->Ref(),
new StringVal(new BroString(data, len, 0)),
val_mgr->GetCount(offset),
@ -54,7 +54,7 @@ bool DataEvent::DeliverStream(const u_char* data, uint64 len)
{
if ( ! stream_event ) return true;
mgr.QueueEvent(stream_event, {
mgr.QueueEventFast(stream_event, {
GetFile()->GetVal()->Ref(),
new StringVal(new BroString(data, len, 0)),
});


@ -53,6 +53,9 @@ void Entropy::Finalize()
if ( ! fed )
return;
if ( ! file_entropy )
return;
double montepi, scc, ent, mean, chisq;
montepi = scc = ent = mean = chisq = 0.0;
entropy->Get(&ent, &chisq, &mean, &montepi, &scc);
@ -64,7 +67,7 @@ void Entropy::Finalize()
ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE));
ent_result->Assign(4, new Val(scc, TYPE_DOUBLE));
mgr.QueueEvent(file_entropy, {
mgr.QueueEventFast(file_entropy, {
GetFile()->GetVal()->Ref(),
ent_result,
});


@ -48,7 +48,10 @@ void Hash::Finalize()
if ( ! hash->IsValid() || ! fed )
return;
mgr.QueueEvent(file_hash, {
if ( ! file_hash )
return;
mgr.QueueEventFast(file_hash, {
GetFile()->GetVal()->Ref(),
new StringVal(kind),
hash->Get(),


@ -81,7 +81,7 @@ refine flow Flow += {
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
ids_event->Assign(17, val_mgr->GetCount(${ev.packet_action}));
mgr.QueueEvent(::unified2_event, {
mgr.QueueEventFast(::unified2_event, {
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
ids_event,
},
@ -113,7 +113,7 @@ refine flow Flow += {
ids_event->Assign(15, val_mgr->GetCount(${ev.mpls_label}));
ids_event->Assign(16, val_mgr->GetCount(${ev.vlan_id}));
mgr.QueueEvent(::unified2_event, {
mgr.QueueEventFast(::unified2_event, {
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
ids_event,
},
@ -135,7 +135,7 @@ refine flow Flow += {
packet->Assign(4, val_mgr->GetCount(${pkt.link_type}));
packet->Assign(5, bytestring_to_val(${pkt.packet_data}));
mgr.QueueEvent(::unified2_packet, {
mgr.QueueEventFast(::unified2_packet, {
connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
packet,
},


@ -427,7 +427,8 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
// TODO: try to parse out general name ?
#endif
mgr.QueueEvent(ocsp_request, {
if ( ocsp_request )
mgr.QueueEventFast(ocsp_request, {
GetFile()->GetVal()->Ref(),
val_mgr->GetCount(version),
});
@ -470,7 +471,8 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
const char *status_str = OCSP_response_status_str(OCSP_response_status(resp));
StringVal* status_val = new StringVal(strlen(status_str), status_str);
mgr.QueueEvent(ocsp_response_status, {
if ( ocsp_response_status )
mgr.QueueEventFast(ocsp_response_status, {
GetFile()->GetVal()->Ref(),
status_val->Ref(),
});
@ -491,12 +493,18 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
// get the basic response
basic_resp = OCSP_response_get1_basic(resp);
if ( !basic_resp )
{
Unref(status_val);
goto clean_up;
}
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
resp_data = basic_resp->tbsResponseData;
if ( !resp_data )
{
Unref(status_val);
goto clean_up;
}
#endif
vl.append(GetFile()->GetVal()->Ref());
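Review bot: ParseResponse now releases `status_val` by hand on each early exit (`Unref(status_val); goto clean_up;` appears twice in this hunk), so whether the value leaks depends on every present and future `goto clean_up` between the allocation and the hand-off remembering to do the same. If the OCSP responses parsed here can come from network traffic, a missed path is a leak that a remote party can trigger repeatedly. I would keep ownership in one place: set `status_val = nullptr` once it has been handed off and do a single `Unref(status_val)` under `clean_up:`, or at least add `// status_val is still owned here; release before bailing out` at the allocation. The label and the point where status_val is consumed are outside the hunk, so the hand-off point needs checking.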


@ -220,6 +220,8 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
BASIC_CONSTRAINTS *constr = (BASIC_CONSTRAINTS *) X509V3_EXT_d2i(ex);
if ( constr )
{
if ( x509_ext_basic_constraints )
{
RecordVal* pBasicConstraint = new RecordVal(BifType::Record::X509::BasicConstraints);
pBasicConstraint->Assign(0, val_mgr->GetBool(constr->ca ? 1 : 0));
@ -227,10 +229,12 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
if ( constr->pathlen )
pBasicConstraint->Assign(1, val_mgr->GetCount((int32_t) ASN1_INTEGER_get(constr->pathlen)));
mgr.QueueEvent(x509_ext_basic_constraints, {
mgr.QueueEventFast(x509_ext_basic_constraints, {
GetFile()->GetVal()->Ref(),
pBasicConstraint,
});
}
BASIC_CONSTRAINTS_free(constr);
}


@ -35,6 +35,9 @@ refine connection MockConnection += {
function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool
%{
if ( ! x509_ocsp_ext_signed_certificate_timestamp )
return true;
BifEvent::generate_x509_ocsp_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(),
bro_analyzer()->GetFile()->GetVal()->Ref(),
version,


@ -715,7 +715,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
// Raise the log event.
if ( stream->event )
mgr.QueueEvent(stream->event, {columns->Ref()}, SOURCE_LOCAL);
mgr.QueueEventFast(stream->event, {columns->Ref()}, SOURCE_LOCAL);
// Send to each of our filters.
for ( list<Filter*>::iterator i = stream->filters.begin();


@ -340,7 +340,7 @@ void terminate_bro()
EventHandlerPtr bro_done = internal_handler("bro_done");
if ( bro_done )
mgr.QueueEvent(bro_done, val_list{});
mgr.QueueEventFast(bro_done, val_list{});
timer_mgr->Expire();
mgr.Drain();
@ -1138,7 +1138,7 @@ int main(int argc, char** argv)
EventHandlerPtr bro_init = internal_handler("bro_init");
if ( bro_init )
mgr.QueueEvent(bro_init, val_list{});
mgr.QueueEventFast(bro_init, val_list{});
EventRegistry::string_list* dead_handlers =
event_registry->UnusedHandlers();
@ -1184,17 +1184,20 @@ int main(int argc, char** argv)
if ( override_ignore_checksums )
ignore_checksums = 1;
if ( bro_script_loaded )
{
// Queue events reporting loaded scripts.
for ( std::list<ScannedFile>::iterator i = files_scanned.begin(); i != files_scanned.end(); i++ )
{
if ( i->skipped )
continue;
mgr.QueueEvent(bro_script_loaded, {
mgr.QueueEventFast(bro_script_loaded, {
new StringVal(i->name.c_str()),
val_mgr->GetCount(i->include_level),
});
}
}
reporter->ReportViaEvents(true);