Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/awelzel/move-disabling-analyzer-out-of-global'

Browse source 
* origin/topic/awelzel/move-disabling-analyzer-out-of-global:
  analyzer: Move disabling_analyzer() hook into Analyzer module
This commit is contained in:
Arne Welzel 2023-01-31 14:48:56 +01:00
commit be44c642e1
7 changed files with 81 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

3
NEWS
View file

@ -274,6 +274,9 @@ Changed Functionality
Deprecated Functionality Deprecated Functionality
------------------------ ------------------------
- The global ``disabling_analyzer()`` hook has been deprecated and replaced
with ``Analyzer::disabling_analyzer()`` that has the same semantics.
- The ``analyzer_confirmation`` and ``analyzer_violation`` events have been - The ``analyzer_confirmation`` and ``analyzer_violation`` events have been
deprecated in favor of the more generic ``analyzer_confirmation_info`` and deprecated in favor of the more generic ``analyzer_confirmation_info`` and
``analyzer_violation_info`` events. ``analyzer_violation_info`` events.

15
scripts/base/init-bare.zeek
View file

@ -597,9 +597,16 @@ type fa_metadata: record {
inferred: bool &default=T; inferred: bool &default=T;
}; };
## Same as :zeek:see:`Analyzer::disabling_analyzer`, but deprecated due
## to living in the global namespace.
type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count) &redef &deprecated="Remove in v6.1. Use Analyzer::disabling_analyzer() instead.";
module Analyzer;
export {
## A hook taking a connection, analyzer tag and analyzer id that can be ## A hook taking a connection, analyzer tag and analyzer id that can be
## used to veto disabling analyzers. Specifically, an analyzer can be prevented ## used to veto disabling protocol analyzers. Specifically, an analyzer
## from being disabled by using a :zeek:see:`break` statement within the hook. ## can be prevented from being disabled by using a :zeek:see:`break`
## statement within the hook.
## This hook is invoked synchronously during a :zeek:see:`disable_analyzer` call. ## This hook is invoked synchronously during a :zeek:see:`disable_analyzer` call.
## ##
## Scripts implementing this hook should have other logic that will eventually ## Scripts implementing this hook should have other logic that will eventually
@ -612,8 +619,10 @@ type fa_metadata: record {
## atype: The type / tag of the analyzer being disabled. ## atype: The type / tag of the analyzer being disabled.
## ##
## aid: The analyzer ID. ## aid: The analyzer ID.
type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count); type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count) &redef;
}
module GLOBAL;
## Fields of a SYN packet. ## Fields of a SYN packet.
## ##
## .. zeek:see:: connection_SYN_packet ## .. zeek:see:: connection_SYN_packet

11
src/zeek.bif
View file

@ -4697,7 +4697,10 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
return zeek::val_mgr->False(); return zeek::val_mgr->False();
} }
// Remove in v6.1: Global disabling_analyzer is to be removed.
static auto disabling_analyzer_hook = id::find_func("disabling_analyzer"); static auto disabling_analyzer_hook = id::find_func("disabling_analyzer");
static auto analyzer_disabling_analyzer_hook = id::find_func("Analyzer::disabling_analyzer");
if ( disabling_analyzer_hook ) if ( disabling_analyzer_hook )
{ {
auto hook_rval = disabling_analyzer_hook->Invoke(c->GetVal(), a->GetAnalyzerTag().AsVal(), auto hook_rval = disabling_analyzer_hook->Invoke(c->GetVal(), a->GetAnalyzerTag().AsVal(),
@ -4706,6 +4709,14 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
return zeek::val_mgr->False(); return zeek::val_mgr->False();
} }
if ( analyzer_disabling_analyzer_hook )
{
auto hook_rval = analyzer_disabling_analyzer_hook->Invoke(c->GetVal(), a->GetAnalyzerTag().AsVal(),
zeek::val_mgr->Count(aid));
if ( hook_rval && ! hook_rval->AsBool() )
return zeek::val_mgr->False();
}
if ( prevent ) if ( prevent )
a->Parent()->PreventChildren(a->GetAnalyzerTag()); a->Parent()->PreventChildren(a->GetAnalyzerTag());

16
testing/btest/Baseline/bifs.disable_analyzer-hook-module/out Normal file
View file

@ -0,0 +1,16 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
http_request, GET, /style/enhanced.css
prevent disabling
F
http_request, GET, /script/urchin.js
prevent disabling
F
http_request, GET, /images/template/screen/bullet_utility.png
prevent disabling
F
http_request, GET, /images/template/screen/key-point-top.png
prevent disabling
F
http_request, GET, /projects/calendar/images/header-sunbird.png
prevent disabling
F

21
testing/btest/bifs/disable_analyzer-hook-module.zeek Normal file
View file

@ -0,0 +1,21 @@
# @TEST-DOC: Hook Analyzer::disabling_analyzer in a module
# @TEST-EXEC: zeek -b -r $TRACES/http/pipelined-requests.trace %INPUT >out
# @TEST-EXEC: btest-diff out
@load base/protocols/http
module MyHTTP;
# Prevent disabling all analyzers.
hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
{
print("prevent disabling");
break;
}
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
{
print "http_request", method, original_URI;
print disable_analyzer(c$id, current_analyzer(), T, T);
}

4
testing/btest/bifs/disable_analyzer-hook.zeek
View file

@ -6,7 +6,7 @@
global msg_count: table[conn_id] of count &default=0; global msg_count: table[conn_id] of count &default=0;
event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=10 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=10
{ {
if ( atype != Analyzer::ANALYZER_HTTP ) if ( atype != Analyzer::ANALYZER_HTTP )
return; return;
@ -15,7 +15,7 @@ event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
} }
# Prevent disabling all analyzers. # Prevent disabling all analyzers.
hook disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count) hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
{ {
if ( msg_count[c$id] < 4 ) if ( msg_count[c$id] < 4 )
{ {

6
testing/btest/scripts/base/protocols/ssl/prevent-disable-analyzer.test
View file

@ -17,7 +17,7 @@ global encrypted_data_wanted = 4;
# Prevent disabling the SSL analyzer for this connection until we've seen encrypted_data_wanted # Prevent disabling the SSL analyzer for this connection until we've seen encrypted_data_wanted
# encrypted data events on it. Our ssl_encrypted_data event handler has the inverse condition. # encrypted data events on it. Our ssl_encrypted_data event handler has the inverse condition.
hook disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count) hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
{ {
print "disabling_analyzer", c$id, atype, aid; print "disabling_analyzer", c$id, atype, aid;
if ( atype != Analyzer::ANALYZER_SSL || ! c?$ssl ) if ( atype != Analyzer::ANALYZER_SSL || ! c?$ssl )
@ -37,9 +37,9 @@ event ssl_established(c: connection)
print "established", c$id; print "established", c$id;
} }
event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
{ {
print "analyzer_confirmation", c$id, atype, aid; print "analyzer_confirmation", info$c$id, atype, info$aid;
} }
event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)