mirror of
https://github.com/zeek/zeek.git
synced 2025-10-08 01:28:20 +00:00
Introduce generic analyzer_confirmation_info and analyzer_violation_info
Introduce two new events for analyzer confirmation and analyzer violation reporting. The current analyzer_confirmation and analyzer_violation events assume connection objects and analyzer ids are available which is not always the case. We're already passing aid=0 for packet analyzers and there's not currently a way to report violations from file analyzers using analyzer_violation, for example. These new events use an extensible Info record approach so that additional (optional) information can be added later without changing the signature. It would allow for per analyzer extensions to the info records to pass analyzer specific info to script land. It's not clear that this would be a good idea, however. The previous analyzer_confirmation and analyzer_violation events continue to exist, but are deprecated and will be removed with Zeek 6.1.
This commit is contained in:
Arne Welzel
parent
2e58d6a1a9
commit
bc8fd5a4c6
24 changed files with 456 additions and 77 deletions
|
|
@ -166,6 +166,22 @@ void Analyzer::Weird(const char* name, Packet* packet, const char* addl) const
|
|||
session_mgr->Weird(name, packet, addl, GetAnalyzerName());
|
||||
}
|
||||
|
||||
void Analyzer::EnqueueAnalyzerConfirmationInfo(session::Session* session, const zeek::Tag& arg_tag)
|
||||
{
|
||||
static auto info_type = zeek::id::find_type<RecordType>("AnalyzerConfirmationInfo");
|
||||
static auto info_c_idx = info_type->FieldOffset("c");
|
||||
|
||||
auto info = make_intrusive<RecordVal>(info_type);
|
||||
info->Assign(info_c_idx, session->GetVal());
|
||||
|
||||
event_mgr.Enqueue(analyzer_confirmation_info, arg_tag.AsVal(), info);
|
||||
}
|
||||
|
||||
void Analyzer::EnqueueAnalyzerConfirmation(session::Session* session, const zeek::Tag& arg_tag)
|
||||
{
|
||||
event_mgr.Enqueue(analyzer_confirmation, session->GetVal(), arg_tag.AsVal(), val_mgr->Count(0));
|
||||
}
|
||||
|
||||
void Analyzer::AnalyzerConfirmation(session::Session* session, zeek::Tag arg_tag)
|
||||
{
|
||||
const auto& effective_tag = arg_tag ? arg_tag : GetAnalyzerTag();
|
||||
|
|
@ -175,25 +191,34 @@ void Analyzer::AnalyzerConfirmation(session::Session* session, zeek::Tag arg_tag
|
|||
|
||||
session->SetAnalyzerState(effective_tag, session::AnalyzerConfirmationState::CONFIRMED);
|
||||
|
||||
if ( ! analyzer_confirmation )
|
||||
return;
|
||||
if ( analyzer_confirmation_info )
|
||||
EnqueueAnalyzerConfirmationInfo(session, effective_tag);
|
||||
|
||||
event_mgr.Enqueue(analyzer_confirmation, session->GetVal(), effective_tag.AsVal(),
|
||||
val_mgr->Count(0));
|
||||
if ( analyzer_confirmation )
|
||||
EnqueueAnalyzerConfirmation(session, effective_tag);
|
||||
}
|
||||
|
||||
void Analyzer::AnalyzerViolation(const char* reason, session::Session* session, const char* data,
|
||||
int len, zeek::Tag arg_tag)
|
||||
void Analyzer::EnqueueAnalyzerViolationInfo(session::Session* session, const char* reason,
|
||||
const char* data, int len, const zeek::Tag& arg_tag)
|
||||
{
|
||||
const auto& effective_tag = arg_tag ? arg_tag : GetAnalyzerTag();
|
||||
static auto info_type = zeek::id::find_type<RecordType>("AnalyzerViolationInfo");
|
||||
static auto info_reason_idx = info_type->FieldOffset("reason");
|
||||
static auto info_c_idx = info_type->FieldOffset("c");
|
||||
static auto info_data_idx = info_type->FieldOffset("data");
|
||||
|
||||
session->SetAnalyzerState(effective_tag, session::AnalyzerConfirmationState::VIOLATED);
|
||||
auto info = zeek::make_intrusive<RecordVal>(info_type);
|
||||
info->Assign(info_reason_idx, make_intrusive<StringVal>(reason));
|
||||
info->Assign(info_c_idx, session->GetVal());
|
||||
if ( data && len )
|
||||
info->Assign(info_data_idx, make_intrusive<StringVal>(len, data));
|
||||
|
||||
if ( ! analyzer_violation )
|
||||
return;
|
||||
event_mgr.Enqueue(analyzer_violation_info, arg_tag.AsVal(), info);
|
||||
}
|
||||
|
||||
void Analyzer::EnqueueAnalyzerViolation(session::Session* session, const char* reason,
|
||||
const char* data, int len, const zeek::Tag& arg_tag)
|
||||
{
|
||||
StringValPtr r;
|
||||
|
||||
if ( data && len )
|
||||
{
|
||||
const char* tmp = util::copy_string(reason);
|
||||
|
|
@ -204,8 +229,22 @@ void Analyzer::AnalyzerViolation(const char* reason, session::Session* session,
|
|||
else
|
||||
r = make_intrusive<StringVal>(reason);
|
||||
|
||||
event_mgr.Enqueue(analyzer_violation, session->GetVal(), effective_tag.AsVal(),
|
||||
val_mgr->Count(0), std::move(r));
|
||||
event_mgr.Enqueue(analyzer_violation, session->GetVal(), arg_tag.AsVal(), val_mgr->Count(0),
|
||||
std::move(r));
|
||||
}
|
||||
|
||||
void Analyzer::AnalyzerViolation(const char* reason, session::Session* session, const char* data,
|
||||
int len, zeek::Tag arg_tag)
|
||||
{
|
||||
const auto& effective_tag = arg_tag ? arg_tag : GetAnalyzerTag();
|
||||
|
||||
session->SetAnalyzerState(effective_tag, session::AnalyzerConfirmationState::VIOLATED);
|
||||
|
||||
if ( analyzer_violation_info )
|
||||
EnqueueAnalyzerViolationInfo(session, reason, data, len, effective_tag);
|
||||
|
||||
if ( analyzer_violation )
|
||||
EnqueueAnalyzerViolation(session, reason, data, len, effective_tag);
|
||||
}
|
||||
|
||||
} // namespace zeek::packet_analysis
|
||||
|
|
|
|||
|
|
@ -131,7 +131,7 @@ public:
|
|||
* Signals Zeek's protocol detection that the analyzer has recognized
|
||||
* the input to indeed conform to the expected protocol. This should
|
||||
* be called as early as possible during a connection's life-time. It
|
||||
* may turn into \c analyzer_confirmed event at the script-layer (but
|
||||
* may turn into \c analyzer_confirmation_info event at the script-layer (but
|
||||
* only once per analyzer for each connection, even if the method is
|
||||
* called multiple times).
|
||||
*
|
||||
|
|
@ -144,7 +144,7 @@ public:
|
|||
* Signals Zeek's protocol detection that the analyzer has found a
|
||||
* severe protocol violation that could indicate that it's not
|
||||
* parsing the expected protocol. This turns into \c
|
||||
* analyzer_violation events at the script-layer (one such event is
|
||||
* analyzer_violation_info events at the script-layer (one such event is
|
||||
* raised for each call to this method so that the script-layer can
|
||||
* built up a notion of how prevalent protocol violations are; the
|
||||
* more, the less likely it's the right protocol).
|
||||
|
|
@ -241,6 +241,20 @@ protected:
|
|||
bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const;
|
||||
|
||||
private:
|
||||
// Internal helper to raise analyzer_confirmation events
|
||||
void EnqueueAnalyzerConfirmationInfo(session::Session* session, const zeek::Tag& arg_tag);
|
||||
|
||||
// Remove in v6.1 - internal helper to raise analyzer_confirmation
|
||||
void EnqueueAnalyzerConfirmation(session::Session* session, const zeek::Tag& arg_tag);
|
||||
|
||||
// Internal helper to raise analyzer_violation_info
|
||||
void EnqueueAnalyzerViolationInfo(session::Session* session, const char* reason,
|
||||
const char* data, int len, const zeek::Tag& arg_tag);
|
||||
|
||||
// Remove in v6.1 - internal helper to raise analyzer_violation
|
||||
void EnqueueAnalyzerViolation(session::Session* session, const char* reason, const char* data,
|
||||
int len, const zeek::Tag& arg_tag);
|
||||
|
||||
zeek::Tag tag;
|
||||
Dispatcher dispatcher;
|
||||
AnalyzerPtr default_analyzer = nullptr;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue