diff --git a/NEWS b/NEWS index 0c9339663b..5c80a4f295 100644 --- a/NEWS +++ b/NEWS @@ -171,6 +171,9 @@ Deprecated Functionality - ``Val::Type()`` is deprecated, use ``Val::GetType``. +- Most global type/value pointers in NetVar.h are deprecated, but there's + analogous ``IntrusivePtr`` in ``zeek::vars``. + Zeek 3.1.0 ========== diff --git a/src/BroString.cc b/src/BroString.cc index b72ead7572..6e5465160e 100644 --- a/src/BroString.cc +++ b/src/BroString.cc @@ -11,6 +11,7 @@ #include "Var.h" #include "Reporter.h" #include "util.h" +#include "ZeekVars.h" #ifdef DEBUG #define DEBUG_STR(msg) DBG_LOG(DBG_STRING, msg) @@ -340,8 +341,7 @@ BroString::Vec* BroString::Split(const BroString::IdxVec& indices) const VectorVal* BroString:: VecToPolicy(Vec* vec) { - auto result = - make_intrusive(zeek::lookup_type("string_vec")); + auto result = make_intrusive(zeek::vars::string_vec); for ( unsigned int i = 0; i < vec->size(); ++i ) { diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index bc2ea56555..5526ab35ab 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -205,6 +205,9 @@ add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h set_source_files_properties(nb_dns.c PROPERTIES COMPILE_FLAGS -fno-strict-aliasing) +set_source_files_properties(ZeekVars.cc PROPERTIES COMPILE_FLAGS + -Wno-deprecated-declarations) + set(MAIN_SRCS digest.cc net_util.cc @@ -286,6 +289,7 @@ set(MAIN_SRCS Var.cc WeirdState.cc ZeekArgs.cc + ZeekVars.cc bsd-getopt-long.c bro_inet_ntop.c patricia.c diff --git a/src/Conn.cc b/src/Conn.cc index dc8b63bb9c..7146191cb0 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -346,17 +346,17 @@ const IntrusivePtr& Connection::ConnVal() { if ( ! conn_val ) { - conn_val = make_intrusive(connection_type); + conn_val = make_intrusive(zeek::vars::connection_type); TransportProto prot_type = ConnTransport(); - auto id_val = make_intrusive(conn_id); + auto id_val = make_intrusive(zeek::vars::conn_id); id_val->Assign(0, make_intrusive(orig_addr)); id_val->Assign(1, val_mgr->Port(ntohs(orig_port), prot_type)); id_val->Assign(2, make_intrusive(resp_addr)); id_val->Assign(3, val_mgr->Port(ntohs(resp_port), prot_type)); - auto orig_endp = make_intrusive(endpoint); + auto orig_endp = make_intrusive(zeek::vars::endpoint); orig_endp->Assign(0, val_mgr->Count(0)); orig_endp->Assign(1, val_mgr->Count(0)); orig_endp->Assign(4, val_mgr->Count(orig_flow_label)); @@ -367,7 +367,7 @@ const IntrusivePtr& Connection::ConnVal() if ( memcmp(&orig_l2_addr, &null, l2_len) != 0 ) orig_endp->Assign(5, make_intrusive(fmt_mac(orig_l2_addr, l2_len))); - auto resp_endp = make_intrusive(endpoint); + auto resp_endp = make_intrusive(zeek::vars::endpoint); resp_endp->Assign(0, val_mgr->Count(0)); resp_endp->Assign(1, val_mgr->Count(0)); resp_endp->Assign(4, val_mgr->Count(resp_flow_label)); @@ -379,7 +379,7 @@ const IntrusivePtr& Connection::ConnVal() conn_val->Assign(1, std::move(orig_endp)); conn_val->Assign(2, std::move(resp_endp)); // 3 and 4 are set below. - conn_val->Assign(5, make_intrusive(IntrusivePtr{NewRef{}, string_set})); // service + conn_val->Assign(5, make_intrusive(zeek::vars::string_set)); // service conn_val->Assign(6, val_mgr->EmptyString()); // history if ( ! uid ) diff --git a/src/EventHandler.cc b/src/EventHandler.cc index 5c114d99ba..95b36e6b48 100644 --- a/src/EventHandler.cc +++ b/src/EventHandler.cc @@ -127,7 +127,7 @@ void EventHandler::NewEvent(const zeek::Args& vl) return; RecordType* args = FType()->Args(); - auto vargs = make_intrusive(IntrusivePtr{NewRef{}, call_argument_vector}); + auto vargs = make_intrusive(zeek::vars::call_argument_vector); for ( int i = 0; i < args->NumFields(); i++ ) { @@ -135,7 +135,7 @@ void EventHandler::NewEvent(const zeek::Args& vl) const auto& ftype = args->GetFieldType(i); auto fdefault = args->FieldDefault(i); - auto rec = make_intrusive(call_argument); + auto rec = make_intrusive(zeek::vars::call_argument); rec->Assign(0, make_intrusive(fname)); ODesc d; diff --git a/src/File.cc b/src/File.cc index 7581b9fb3b..7cefb2f9fd 100644 --- a/src/File.cc +++ b/src/File.cc @@ -277,7 +277,7 @@ RecordVal* BroFile::Rotate() if ( f == stdin || f == stdout || f == stderr ) return nullptr; - RecordVal* info = new RecordVal(rotate_info); + RecordVal* info = new RecordVal(zeek::vars::rotate_info); FILE* newf = rotate_file(name, info); if ( ! newf ) diff --git a/src/NetVar.cc b/src/NetVar.cc index 74cc7ca2df..18b0f9f6d5 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -7,8 +7,6 @@ #include "EventHandler.h" #include "Val.h" -using namespace zeek; - RecordType* conn_id; RecordType* endpoint; RecordType* endpoint_stats; @@ -207,7 +205,6 @@ void init_general_global_var() table_expire_delay = opt_internal_double("table_expire_delay"); table_incremental_step = opt_internal_int("table_incremental_step"); - rotate_info = lookup_type("rotate_info")->AsRecordType(); log_rotate_base_time = opt_internal_string("log_rotate_base_time"); peer_description = @@ -241,26 +238,7 @@ void init_net_var() #include "reporter.bif.netvar_init" #include "supervisor.bif.netvar_init" - conn_id = lookup_type("conn_id")->AsRecordType(); - endpoint = lookup_type("endpoint")->AsRecordType(); - endpoint_stats = lookup_type("endpoint_stats")->AsRecordType(); - connection_type = lookup_type("connection")->AsRecordType(); - fa_file_type = lookup_type("fa_file")->AsRecordType(); - fa_metadata_type = lookup_type("fa_metadata")->AsRecordType(); - icmp_conn = lookup_type("icmp_conn")->AsRecordType(); - icmp_context = lookup_type("icmp_context")->AsRecordType(); - signature_state = lookup_type("signature_state")->AsRecordType(); - SYN_packet = lookup_type("SYN_packet")->AsRecordType(); - pcap_packet = lookup_type("pcap_packet")->AsRecordType(); - raw_pkt_hdr_type = lookup_type("raw_pkt_hdr")->AsRecordType(); - l2_hdr_type = lookup_type("l2_hdr")->AsRecordType(); - transport_proto = lookup_type("transport_proto")->AsEnumType(); - string_set = lookup_type("string_set")->AsTableType(); - string_array = lookup_type("string_array")->AsTableType(); - string_vec = lookup_type("string_vec")->AsVectorType(); - index_vec = lookup_type("index_vec")->AsVectorType(); - mime_match = lookup_type("mime_match")->AsRecordType(); - mime_matches = lookup_type("mime_matches")->AsVectorType(); + zeek::vars::detail::Init(); ignore_checksums = opt_internal_int("ignore_checksums"); partial_connection_ok = opt_internal_int("partial_connection_ok"); @@ -286,8 +264,6 @@ void init_net_var() opt_internal_int("tcp_excessive_data_without_further_acks"); tcp_max_old_segments = opt_internal_int("tcp_max_old_segments"); - socks_address = lookup_type("SOCKS::Address")->AsRecordType(); - non_analyzed_lifetime = opt_internal_double("non_analyzed_lifetime"); tcp_inactivity_timeout = opt_internal_double("tcp_inactivity_timeout"); udp_inactivity_timeout = opt_internal_double("udp_inactivity_timeout"); @@ -333,34 +309,10 @@ void init_net_var() mime_segment_length = opt_internal_int("mime_segment_length"); mime_segment_overlap_length = opt_internal_int("mime_segment_overlap_length"); - mime_header_rec = lookup_type("mime_header_rec")->AsRecordType(); - mime_header_list = lookup_type("mime_header_list")->AsTableType(); http_entity_data_delivery_size = opt_internal_int("http_entity_data_delivery_size"); - http_stats_rec = lookup_type("http_stats_rec")->AsRecordType(); - http_message_stat = lookup_type("http_message_stat")->AsRecordType(); truncate_http_URI = opt_internal_int("truncate_http_URI"); - pm_mapping = lookup_type("pm_mapping")->AsRecordType(); - pm_mappings = lookup_type("pm_mappings")->AsTableType(); - pm_port_request = lookup_type("pm_port_request")->AsRecordType(); - pm_callit_request = lookup_type("pm_callit_request")->AsRecordType(); - - geo_location = lookup_type("geo_location")->AsRecordType(); - - entropy_test_result = lookup_type("entropy_test_result")->AsRecordType(); - - dns_msg = lookup_type("dns_msg")->AsRecordType(); - dns_answer = lookup_type("dns_answer")->AsRecordType(); - dns_soa = lookup_type("dns_soa")->AsRecordType(); - dns_edns_additional = - lookup_type("dns_edns_additional")->AsRecordType(); - dns_tsig_additional = - lookup_type("dns_tsig_additional")->AsRecordType(); - dns_rrsig_rr = lookup_type("dns_rrsig_rr")->AsRecordType(); - dns_dnskey_rr = lookup_type("dns_dnskey_rr")->AsRecordType(); - dns_nsec3_rr = lookup_type("dns_nsec3_rr")->AsRecordType(); - dns_ds_rr = lookup_type("dns_ds_rr")->AsRecordType(); dns_skip_auth = zeek::lookup_val("dns_skip_auth")->AsTableVal(); dns_skip_addl = zeek::lookup_val("dns_skip_addl")->AsTableVal(); dns_skip_all_auth = opt_internal_int("dns_skip_all_auth"); @@ -396,9 +348,6 @@ void init_net_var() gap_report_freq = opt_internal_double("gap_report_freq"); - irc_join_info = lookup_type("irc_join_info")->AsRecordType(); - irc_join_list = lookup_type("irc_join_list")->AsTableType(); - dpd_reassemble_first_packets = opt_internal_int("dpd_reassemble_first_packets"); dpd_buffer_size = opt_internal_int("dpd_buffer_size"); @@ -410,11 +359,4 @@ void init_net_var() timer_mgr_inactivity_timeout = opt_internal_double("timer_mgr_inactivity_timeout"); - - script_id = lookup_type("script_id")->AsRecordType(); - id_table = lookup_type("id_table")->AsTableType(); - record_field = lookup_type("record_field")->AsRecordType(); - record_field_table = lookup_type("record_field_table")->AsTableType(); - call_argument_vector = lookup_type("call_argument_vector")->AsVectorType(); - call_argument = lookup_type("call_argument")->AsRecordType(); } diff --git a/src/NetVar.h b/src/NetVar.h index fa76529197..dbf6b31c1d 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -6,27 +6,49 @@ #include "Func.h" #include "EventRegistry.h" #include "Stats.h" +#include "ZeekVars.h" +[[deprecated("Remove in v4.1. Use zeek::vars::conn_id.")]] extern RecordType* conn_id; +[[deprecated("Remove in v4.1. Use zeek::vars::endpoint.")]] extern RecordType* endpoint; +[[deprecated("Remove in v4.1. Use zeek::vars::endpoint_stats.")]] extern RecordType* endpoint_stats; +[[deprecated("Remove in v4.1. Use zeek::vars::connection_type.")]] extern RecordType* connection_type; +[[deprecated("Remove in v4.1. Use zeek::vars::fa_file_type.")]] extern RecordType* fa_file_type; +[[deprecated("Remove in v4.1. Use zeek::vars::fa_metadata_type.")]] extern RecordType* fa_metadata_type; +[[deprecated("Remove in v4.1. Use zeek::vars::icmp_conn.")]] extern RecordType* icmp_conn; +[[deprecated("Remove in v4.1. Use zeek::vars::icmp_context.")]] extern RecordType* icmp_context; +[[deprecated("Remove in v4.1. Use zeek::vars::signature_state.")]] extern RecordType* signature_state; +[[deprecated("Remove in v4.1. Use zeek::vars::SYN_packet.")]] extern RecordType* SYN_packet; +[[deprecated("Remove in v4.1. Use zeek::vars::pcap_packet.")]] extern RecordType* pcap_packet; +[[deprecated("Remove in v4.1. Use zeek::vars::raw_pkt_hdr_type.")]] extern RecordType* raw_pkt_hdr_type; +[[deprecated("Remove in v4.1. Use zeek::vars::l2_hdr_type.")]] extern RecordType* l2_hdr_type; +[[deprecated("Remove in v4.1. Use zeek::vars::transport_proto.")]] extern EnumType* transport_proto; +[[deprecated("Remove in v4.1. Use zeek::vars::string_set.")]] extern TableType* string_set; +[[deprecated("Remove in v4.1. Use zeek::vars::string_array.")]] extern TableType* string_array; +[[deprecated("Remove in v4.1. Use zeek::vars::count_set.")]] extern TableType* count_set; +[[deprecated("Remove in v4.1. Use zeek::vars::string_vec.")]] extern VectorType* string_vec; +[[deprecated("Remove in v4.1. Use zeek::vars::index_vec.")]] extern VectorType* index_vec; +[[deprecated("Remove in v4.1. Use zeek::vars::mime_matches.")]] extern VectorType* mime_matches; +[[deprecated("Remove in v4.1. Use zeek::vars::mime_match.")]] extern RecordType* mime_match; extern int watchdog_interval; @@ -55,6 +77,7 @@ extern int tcp_max_above_hole_without_any_acks; extern int tcp_excessive_data_without_further_acks; extern int tcp_max_old_segments; +[[deprecated("Remove in v4.1. Use zeek::vars::socks_address.")]] extern RecordType* socks_address; extern double non_analyzed_lifetime; @@ -85,31 +108,50 @@ extern double rpc_timeout; extern int mime_segment_length; extern int mime_segment_overlap_length; +[[deprecated("Remove in v4.1. Use zeek::vars::mime_header_rec.")]] extern RecordType* mime_header_rec; +[[deprecated("Remove in v4.1. Use zeek::vars::mime_header_list.")]] extern TableType* mime_header_list; extern int http_entity_data_delivery_size; +[[deprecated("Remove in v4.1. Use zeek::vars::http_stats_rec.")]] extern RecordType* http_stats_rec; +[[deprecated("Remove in v4.1. Use zeek::vars::http_message_stat.")]] extern RecordType* http_message_stat; extern int truncate_http_URI; +[[deprecated("Remove in v4.1. Use zeek::vars::pm_mapping.")]] extern RecordType* pm_mapping; +[[deprecated("Remove in v4.1. Use zeek::vars::pm_mappings.")]] extern TableType* pm_mappings; +[[deprecated("Remove in v4.1. Use zeek::vars::pm_port_request.")]] extern RecordType* pm_port_request; +[[deprecated("Remove in v4.1. Use zeek::vars::pm_callit_request.")]] extern RecordType* pm_callit_request; +[[deprecated("Remove in v4.1. Use zeek::vars::geo_location.")]] extern RecordType* geo_location; +[[deprecated("Remove in v4.1. Use zeek::vars::entropy_test_result.")]] extern RecordType* entropy_test_result; +[[deprecated("Remove in v4.1. Use zeek::vars::dns_msg.")]] extern RecordType* dns_msg; +[[deprecated("Remove in v4.1. Use zeek::vars::dns_answer.")]] extern RecordType* dns_answer; +[[deprecated("Remove in v4.1. Use zeek::vars::dns_soa.")]] extern RecordType* dns_soa; +[[deprecated("Remove in v4.1. Use zeek::vars::dns_edns_additional.")]] extern RecordType* dns_edns_additional; +[[deprecated("Remove in v4.1. Use zeek::vars::dns_tsig_additional.")]] extern RecordType* dns_tsig_additional; +[[deprecated("Remove in v4.1. Use zeek::vars::dns_rrsig_rr.")]] extern RecordType* dns_rrsig_rr; +[[deprecated("Remove in v4.1. Use zeek::vars::dns_dnskey_rr.")]] extern RecordType* dns_dnskey_rr; +[[deprecated("Remove in v4.1. Use zeek::vars::dns_nsec3_rr.")]] extern RecordType* dns_nsec3_rr; +[[deprecated("Remove in v4.1. Use zeek::vars::dns_ds_rr.")]] extern RecordType* dns_ds_rr; extern TableVal* dns_skip_auth; extern TableVal* dns_skip_addl; @@ -133,6 +175,7 @@ extern TableVal* preserve_other_addr; extern double connection_status_update_interval; +[[deprecated("Remove in v4.1. Use zeek::vars::rotate_info.")]] extern RecordType* rotate_info; extern StringVal* log_rotate_base_time; @@ -153,7 +196,9 @@ extern int packet_filter_default; extern int sig_max_group_size; +[[deprecated("Remove in v4.1. Use zeek::vars::irc_join_list.")]] extern TableType* irc_join_list; +[[deprecated("Remove in v4.1. Use zeek::vars::irc_join_info.")]] extern RecordType* irc_join_info; extern int dpd_reassemble_first_packets; @@ -174,11 +219,17 @@ extern StringVal* trace_output_file; extern int record_all_packets; +[[deprecated("Remove in v4.1. Use zeek::vars::script_id.")]] extern RecordType* script_id; +[[deprecated("Remove in v4.1. Use zeek::vars::id_table.")]] extern TableType* id_table; +[[deprecated("Remove in v4.1. Use zeek::vars::record_field.")]] extern RecordType* record_field; +[[deprecated("Remove in v4.1. Use zeek::vars::record_field_table.")]] extern TableType* record_field_table; +[[deprecated("Remove in v4.1. Use zeek::vars::call_argument.")]] extern RecordType* call_argument; +[[deprecated("Remove in v4.1. Use zeek::vars::call_argument_vector.")]] extern VectorType* call_argument_vector; extern StringVal* cmd_line_bpf_filter; diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index ac2ae55711..ff236fb894 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -981,7 +981,7 @@ ParaglobVal::ParaglobVal(std::unique_ptr p) IntrusivePtr ParaglobVal::Get(StringVal* &pattern) { - auto rval = make_intrusive(zeek::lookup_type("string_vec")); + auto rval = make_intrusive(zeek::vars::string_vec); std::string string_pattern (reinterpret_cast(pattern->Bytes()), pattern->Len()); std::vector matches = this->internal_paraglob->get(string_pattern); diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index a9f878390a..b3434088dd 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc @@ -8,6 +8,7 @@ #include "Func.h" #include "Val.h" #include "Var.h" +#include "ZeekVars.h" static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e) { @@ -145,7 +146,7 @@ RuleConditionEval::RuleConditionEval(const char* func) rules_error("eval function type must yield a 'bool'", func); TypeList tl; - tl.Append(zeek::lookup_type("signature_state")); + tl.Append(zeek::vars::signature_state); tl.Append(base_type(TYPE_STRING)); if ( ! f->CheckArgs(tl.Types()) ) diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index 1341cc9c2b..fdc9af6471 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -79,7 +79,7 @@ RuleHdrTest::RuleHdrTest(Prot arg_prot, Comp arg_comp, vector arg_v) Val* RuleMatcher::BuildRuleStateValue(const Rule* rule, const RuleEndpointState* state) const { - RecordVal* val = new RecordVal(signature_state); + RecordVal* val = new RecordVal(zeek::vars::signature_state); val->Assign(0, make_intrusive(rule->ID())); val->Assign(1, state->GetAnalyzer()->ConnVal()); val->Assign(2, val_mgr->Bool(state->is_orig)); diff --git a/src/Sessions.cc b/src/Sessions.cc index afdddbdf1c..3c58a4427e 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -914,7 +914,7 @@ Connection* NetSessions::FindConnection(Val* v) int orig_h, orig_p; // indices into record's value list int resp_h, resp_p; - if ( vr == conn_id ) + if ( vr == zeek::vars::conn_id ) { orig_h = 0; orig_p = 1; diff --git a/src/Stmt.cc b/src/Stmt.cc index b5d927b2ef..1575e874eb 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc @@ -202,7 +202,7 @@ static void print_log(const std::vector>& vals) { auto plval = lookup_enum_val("Log", "PRINTLOG"); auto record = make_intrusive(zeek::lookup_type("Log::PrintLogInfo")->AsRecordType()); - auto vec = make_intrusive(zeek::lookup_type("string_vec")); + auto vec = make_intrusive(zeek::vars::string_vec); for ( const auto& val : vals ) { diff --git a/src/TunnelEncapsulation.cc b/src/TunnelEncapsulation.cc index 2f58df3bd0..ad3461f8bb 100644 --- a/src/TunnelEncapsulation.cc +++ b/src/TunnelEncapsulation.cc @@ -20,7 +20,7 @@ IntrusivePtr EncapsulatingConn::ToVal() const { auto rv = make_intrusive(BifType::Record::Tunnel::EncapsulatingConn); - auto id_val = make_intrusive(conn_id); + auto id_val = make_intrusive(zeek::vars::conn_id); id_val->Assign(0, make_intrusive(src_addr)); id_val->Assign(1, val_mgr->Port(ntohs(src_port), proto)); id_val->Assign(2, make_intrusive(dst_addr)); diff --git a/src/ZeekVars.cc b/src/ZeekVars.cc new file mode 100644 index 0000000000..317c265dbc --- /dev/null +++ b/src/ZeekVars.cc @@ -0,0 +1,165 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "ZeekVars.h" +#include "Var.h" +#include "NetVar.h" + +IntrusivePtr zeek::vars::conn_id; +IntrusivePtr zeek::vars::endpoint; +IntrusivePtr zeek::vars::endpoint_stats; +IntrusivePtr zeek::vars::connection_type; +IntrusivePtr zeek::vars::fa_file_type; +IntrusivePtr zeek::vars::fa_metadata_type; +IntrusivePtr zeek::vars::icmp_conn; +IntrusivePtr zeek::vars::icmp_context; +IntrusivePtr zeek::vars::signature_state; +IntrusivePtr zeek::vars::SYN_packet; +IntrusivePtr zeek::vars::pcap_packet; +IntrusivePtr zeek::vars::raw_pkt_hdr_type; +IntrusivePtr zeek::vars::l2_hdr_type; +IntrusivePtr zeek::vars::transport_proto; +IntrusivePtr zeek::vars::string_set; +IntrusivePtr zeek::vars::string_array; +IntrusivePtr zeek::vars::count_set; +IntrusivePtr zeek::vars::string_vec; +IntrusivePtr zeek::vars::index_vec; +IntrusivePtr zeek::vars::mime_matches; +IntrusivePtr zeek::vars::mime_match; +IntrusivePtr zeek::vars::socks_address; +IntrusivePtr zeek::vars::mime_header_rec; +IntrusivePtr zeek::vars::mime_header_list; +IntrusivePtr zeek::vars::http_stats_rec; +IntrusivePtr zeek::vars::http_message_stat; +IntrusivePtr zeek::vars::pm_mapping; +IntrusivePtr zeek::vars::pm_mappings; +IntrusivePtr zeek::vars::pm_port_request; +IntrusivePtr zeek::vars::pm_callit_request; +IntrusivePtr zeek::vars::geo_location; +IntrusivePtr zeek::vars::entropy_test_result; +IntrusivePtr zeek::vars::dns_msg; +IntrusivePtr zeek::vars::dns_answer; +IntrusivePtr zeek::vars::dns_soa; +IntrusivePtr zeek::vars::dns_edns_additional; +IntrusivePtr zeek::vars::dns_tsig_additional; +IntrusivePtr zeek::vars::dns_rrsig_rr; +IntrusivePtr zeek::vars::dns_dnskey_rr; +IntrusivePtr zeek::vars::dns_nsec3_rr; +IntrusivePtr zeek::vars::dns_ds_rr; +IntrusivePtr zeek::vars::rotate_info; +IntrusivePtr zeek::vars::irc_join_list; +IntrusivePtr zeek::vars::irc_join_info; +IntrusivePtr zeek::vars::script_id; +IntrusivePtr zeek::vars::id_table; +IntrusivePtr zeek::vars::record_field; +IntrusivePtr zeek::vars::record_field_table; +IntrusivePtr zeek::vars::call_argument; +IntrusivePtr zeek::vars::call_argument_vector; + +void zeek::vars::detail::Init() + { + // Types + conn_id = zeek::lookup_type("conn_id"); + endpoint = zeek::lookup_type("endpoint"); + endpoint_stats = zeek::lookup_type("endpoint_stats"); + connection_type = zeek::lookup_type("connection"); + fa_file_type = zeek::lookup_type("fa_file"); + fa_metadata_type = zeek::lookup_type("fa_metadata"); + icmp_conn = zeek::lookup_type("icmp_conn"); + icmp_context = zeek::lookup_type("icmp_context"); + signature_state = zeek::lookup_type("signature_state"); + SYN_packet = zeek::lookup_type("SYN_packet"); + pcap_packet = zeek::lookup_type("pcap_packet"); + raw_pkt_hdr_type = zeek::lookup_type("raw_pkt_hdr"); + l2_hdr_type = zeek::lookup_type("l2_hdr"); + transport_proto = zeek::lookup_type("transport_proto"); + string_set = zeek::lookup_type("string_set"); + string_array = zeek::lookup_type("string_array"); + count_set = zeek::lookup_type("count_set"); + string_vec = zeek::lookup_type("string_vec"); + index_vec = zeek::lookup_type("index_vec"); + mime_matches = zeek::lookup_type("mime_matches"); + mime_match = zeek::lookup_type("mime_match"); + socks_address = zeek::lookup_type("SOCKS::Address"); + mime_header_rec = zeek::lookup_type("mime_header_rec"); + mime_header_list = zeek::lookup_type("mime_header_list"); + http_stats_rec = zeek::lookup_type("http_stats_rec"); + http_message_stat = zeek::lookup_type("http_message_stat"); + pm_mapping = zeek::lookup_type("pm_mapping"); + pm_mappings = zeek::lookup_type("pm_mappings"); + pm_port_request = zeek::lookup_type("pm_port_request"); + pm_callit_request = zeek::lookup_type("pm_callit_request"); + geo_location = zeek::lookup_type("geo_location"); + entropy_test_result = zeek::lookup_type("entropy_test_result"); + dns_msg = zeek::lookup_type("dns_msg"); + dns_answer = zeek::lookup_type("dns_answer"); + dns_soa = zeek::lookup_type("dns_soa"); + dns_edns_additional = zeek::lookup_type("dns_edns_additional"); + dns_tsig_additional = zeek::lookup_type("dns_tsig_additional"); + dns_rrsig_rr = zeek::lookup_type("dns_rrsig_rr"); + dns_dnskey_rr = zeek::lookup_type("dns_dnskey_rr"); + dns_nsec3_rr = zeek::lookup_type("dns_nsec3_rr"); + dns_ds_rr = zeek::lookup_type("dns_ds_rr"); + rotate_info = zeek::lookup_type("rotate_info"); + irc_join_list = zeek::lookup_type("irc_join_list"); + irc_join_info = zeek::lookup_type("irc_join_info"); + script_id = zeek::lookup_type("script_id"); + id_table = zeek::lookup_type("id_table"); + record_field = zeek::lookup_type("record_field"); + record_field_table = zeek::lookup_type("record_field_table"); + call_argument = zeek::lookup_type("call_argument"); + call_argument_vector = zeek::lookup_type("call_argument_vector"); + + // Note: to bypass deprecation warnings on setting the legacy globals, + // CMake was told to compile this file with -Wno-deprecated-declarations. + // Once the legacy globals are removed, that compile flag can go also. + ::conn_id = conn_id.get(); + ::endpoint = endpoint.get(); + ::endpoint_stats = endpoint_stats.get(); + ::connection_type = connection_type.get(); + ::fa_file_type = fa_file_type.get(); + ::fa_metadata_type = fa_metadata_type.get(); + ::icmp_conn = icmp_conn.get(); + ::icmp_context = icmp_context.get(); + ::signature_state = signature_state.get(); + ::SYN_packet = SYN_packet.get(); + ::pcap_packet = pcap_packet.get(); + ::raw_pkt_hdr_type = raw_pkt_hdr_type.get(); + ::l2_hdr_type = l2_hdr_type.get(); + ::transport_proto = transport_proto.get(); + ::string_set = string_set.get(); + ::string_array = string_array.get(); + ::count_set = count_set.get(); + ::string_vec = string_vec.get(); + ::index_vec = index_vec.get(); + ::mime_matches = mime_matches.get(); + ::mime_match = mime_match.get(); + ::socks_address = socks_address.get(); + ::mime_header_rec = mime_header_rec.get(); + ::mime_header_list = mime_header_list.get(); + ::http_stats_rec = http_stats_rec.get(); + ::http_message_stat = http_message_stat.get(); + ::pm_mapping = pm_mapping.get(); + ::pm_mappings = pm_mappings.get(); + ::pm_port_request = pm_port_request.get(); + ::pm_callit_request = pm_callit_request.get(); + ::geo_location = geo_location.get(); + ::entropy_test_result = entropy_test_result.get(); + ::dns_msg = dns_msg.get(); + ::dns_answer = dns_answer.get(); + ::dns_soa = dns_soa.get(); + ::dns_edns_additional = dns_edns_additional.get(); + ::dns_tsig_additional = dns_tsig_additional.get(); + ::dns_rrsig_rr = dns_rrsig_rr.get(); + ::dns_dnskey_rr = dns_dnskey_rr.get(); + ::dns_nsec3_rr = dns_nsec3_rr.get(); + ::dns_ds_rr = dns_ds_rr.get(); + ::rotate_info = rotate_info.get(); + ::irc_join_list = irc_join_list.get(); + ::irc_join_info = irc_join_info.get(); + ::script_id = script_id.get(); + ::id_table = id_table.get(); + ::record_field = record_field.get(); + ::record_field_table = record_field_table.get(); + ::call_argument = call_argument.get(); + ::call_argument_vector = call_argument_vector.get(); + } diff --git a/src/ZeekVars.h b/src/ZeekVars.h new file mode 100644 index 0000000000..9c55af833f --- /dev/null +++ b/src/ZeekVars.h @@ -0,0 +1,67 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#pragma once + +#include "Val.h" +#include "Type.h" +#include "IntrusivePtr.h" + +namespace zeek { namespace vars { namespace detail { +void Init(); +}}} + +namespace zeek { namespace vars { + +// Types +extern IntrusivePtr conn_id; +extern IntrusivePtr endpoint; +extern IntrusivePtr endpoint_stats; +extern IntrusivePtr connection_type; +extern IntrusivePtr fa_file_type; +extern IntrusivePtr fa_metadata_type; +extern IntrusivePtr icmp_conn; +extern IntrusivePtr icmp_context; +extern IntrusivePtr signature_state; +extern IntrusivePtr SYN_packet; +extern IntrusivePtr pcap_packet; +extern IntrusivePtr raw_pkt_hdr_type; +extern IntrusivePtr l2_hdr_type; +extern IntrusivePtr transport_proto; +extern IntrusivePtr string_set; +extern IntrusivePtr string_array; +extern IntrusivePtr count_set; +extern IntrusivePtr string_vec; +extern IntrusivePtr index_vec; +extern IntrusivePtr mime_matches; +extern IntrusivePtr mime_match; +extern IntrusivePtr socks_address; +extern IntrusivePtr mime_header_rec; +extern IntrusivePtr mime_header_list; +extern IntrusivePtr http_stats_rec; +extern IntrusivePtr http_message_stat; +extern IntrusivePtr pm_mapping; +extern IntrusivePtr pm_mappings; +extern IntrusivePtr pm_port_request; +extern IntrusivePtr pm_callit_request; +extern IntrusivePtr geo_location; +extern IntrusivePtr entropy_test_result; +extern IntrusivePtr dns_msg; +extern IntrusivePtr dns_answer; +extern IntrusivePtr dns_soa; +extern IntrusivePtr dns_edns_additional; +extern IntrusivePtr dns_tsig_additional; +extern IntrusivePtr dns_rrsig_rr; +extern IntrusivePtr dns_dnskey_rr; +extern IntrusivePtr dns_nsec3_rr; +extern IntrusivePtr dns_ds_rr; +extern IntrusivePtr rotate_info; +extern IntrusivePtr irc_join_list; +extern IntrusivePtr irc_join_info; +extern IntrusivePtr script_id; +extern IntrusivePtr id_table; +extern IntrusivePtr record_field; +extern IntrusivePtr record_field_table; +extern IntrusivePtr call_argument; +extern IntrusivePtr call_argument_vector; + +}} // namespace zeek::vars diff --git a/src/analyzer/protocol/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc index 58c186a06a..4742f6f50f 100644 --- a/src/analyzer/protocol/conn-size/ConnSize.cc +++ b/src/analyzer/protocol/conn-size/ConnSize.cc @@ -174,8 +174,8 @@ void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val) RecordVal *resp_endp = conn_val->Lookup("resp")->AsRecordVal(); // endpoint is the RecordType from NetVar.h - int pktidx = endpoint->FieldOffset("num_pkts"); - int bytesidx = endpoint->FieldOffset("num_bytes_ip"); + int pktidx = zeek::vars::endpoint->FieldOffset("num_pkts"); + int bytesidx = zeek::vars::endpoint->FieldOffset("num_bytes_ip"); if ( pktidx < 0 ) reporter->InternalError("'endpoint' record missing 'num_pkts' field"); diff --git a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac index 1164cd4677..53233069d9 100644 --- a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac +++ b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac @@ -20,7 +20,7 @@ refine flow DHCP_Flow += { if ( ! options ) { options = make_intrusive(BifType::Record::DHCP::Options); - all_options = make_intrusive(IntrusivePtr{NewRef{}, index_vec}); + all_options = make_intrusive(zeek::vars::index_vec); options->Assign(0, all_options); } diff --git a/src/analyzer/protocol/dhcp/dhcp-options.pac b/src/analyzer/protocol/dhcp/dhcp-options.pac index d6f917cf7f..5d319826ab 100644 --- a/src/analyzer/protocol/dhcp/dhcp-options.pac +++ b/src/analyzer/protocol/dhcp/dhcp-options.pac @@ -462,7 +462,7 @@ refine casetype OptionValue += { refine flow DHCP_Flow += { function process_par_req_list_option(v: OptionValue): bool %{ - auto params = make_intrusive(IntrusivePtr{NewRef{}, index_vec}); + auto params = make_intrusive(zeek::vars::index_vec); int num_parms = ${v.par_req_list}->size(); vector* plist = ${v.par_req_list}; diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 6db7fa1183..47d4f8dc27 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -592,7 +592,7 @@ bool DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg, if ( dns_SOA_reply && ! msg->skip_event ) { - auto r = make_intrusive(dns_soa); + auto r = make_intrusive(zeek::vars::dns_soa); r->Assign(0, make_intrusive(new BroString(mname, mname_end - mname, true))); r->Assign(1, make_intrusive(new BroString(rname, rname_end - rname, true))); r->Assign(2, val_mgr->Count(serial)); @@ -998,7 +998,7 @@ bool DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg, int typebitmaps_len = rdlength - (data - data_start); - auto char_strings = make_intrusive(IntrusivePtr{NewRef{}, string_vec}); + auto char_strings = make_intrusive(zeek::vars::string_vec); while ( typebitmaps_len > 0 && len > 0 ) { @@ -1073,7 +1073,7 @@ bool DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg, int typebitmaps_len = rdlength - (data - data_start); - auto char_strings = make_intrusive(IntrusivePtr{NewRef{}, string_vec}); + auto char_strings = make_intrusive(zeek::vars::string_vec); while ( typebitmaps_len > 0 && len > 0 ) { @@ -1288,7 +1288,7 @@ bool DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg, return true; } - auto char_strings = make_intrusive(IntrusivePtr{NewRef{}, string_vec}); + auto char_strings = make_intrusive(zeek::vars::string_vec); IntrusivePtr char_string; while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) @@ -1316,7 +1316,7 @@ bool DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg, return true; } - auto char_strings = make_intrusive(IntrusivePtr{NewRef{}, string_vec}); + auto char_strings = make_intrusive(zeek::vars::string_vec); IntrusivePtr char_string; while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) ) @@ -1435,7 +1435,7 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query) IntrusivePtr DNS_MsgInfo::BuildHdrVal() { - auto r = make_intrusive(dns_msg); + auto r = make_intrusive(zeek::vars::dns_msg); r->Assign(0, val_mgr->Count(id)); r->Assign(1, val_mgr->Count(opcode)); @@ -1456,7 +1456,7 @@ IntrusivePtr DNS_MsgInfo::BuildHdrVal() IntrusivePtr DNS_MsgInfo::BuildAnswerVal() { - auto r = make_intrusive(dns_answer); + auto r = make_intrusive(zeek::vars::dns_answer); r->Assign(0, val_mgr->Count(int(answer_type))); r->Assign(1, query_name); @@ -1471,7 +1471,7 @@ IntrusivePtr DNS_MsgInfo::BuildEDNS_Val() { // We have to treat the additional record type in EDNS differently // than a regular resource record. - auto r = make_intrusive(dns_edns_additional); + auto r = make_intrusive(zeek::vars::dns_edns_additional); r->Assign(0, val_mgr->Count(int(answer_type))); r->Assign(1, query_name); @@ -1504,7 +1504,7 @@ IntrusivePtr DNS_MsgInfo::BuildEDNS_Val() IntrusivePtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig) { - auto r = make_intrusive(dns_tsig_additional); + auto r = make_intrusive(zeek::vars::dns_tsig_additional); double rtime = tsig->time_s + tsig->time_ms / 1000.0; // r->Assign(0, val_mgr->Count(int(answer_type))); @@ -1523,7 +1523,7 @@ IntrusivePtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig) IntrusivePtr DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig) { - auto r = make_intrusive(dns_rrsig_rr); + auto r = make_intrusive(zeek::vars::dns_rrsig_rr); r->Assign(0, query_name); r->Assign(1, val_mgr->Count(int(answer_type))); @@ -1543,7 +1543,7 @@ IntrusivePtr DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig) IntrusivePtr DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey) { - auto r = make_intrusive(dns_dnskey_rr); + auto r = make_intrusive(zeek::vars::dns_dnskey_rr); r->Assign(0, query_name); r->Assign(1, val_mgr->Count(int(answer_type))); @@ -1558,7 +1558,7 @@ IntrusivePtr DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey) IntrusivePtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3) { - auto r = make_intrusive(dns_nsec3_rr); + auto r = make_intrusive(zeek::vars::dns_nsec3_rr); r->Assign(0, query_name); r->Assign(1, val_mgr->Count(int(answer_type))); @@ -1577,7 +1577,7 @@ IntrusivePtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3) IntrusivePtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds) { - auto r = make_intrusive(dns_ds_rr); + auto r = make_intrusive(zeek::vars::dns_ds_rr); r->Assign(0, query_name); r->Assign(1, val_mgr->Count(int(answer_type))); diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index 77c9071ed2..daf928941c 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -615,7 +615,7 @@ HTTP_Message::~HTTP_Message() IntrusivePtr HTTP_Message::BuildMessageStat(bool interrupted, const char* msg) { - auto stat = make_intrusive(http_message_stat); + auto stat = make_intrusive(zeek::vars::http_message_stat); int field = 0; stat->Assign(field++, make_intrusive(start_time, TYPE_TIME)); stat->Assign(field++, val_mgr->Bool(interrupted)); @@ -1151,7 +1151,7 @@ void HTTP_Analyzer::GenStats() { if ( http_stats ) { - auto r = make_intrusive(http_stats_rec); + auto r = make_intrusive(zeek::vars::http_stats_rec); r->Assign(0, val_mgr->Count(num_requests)); r->Assign(1, val_mgr->Count(num_replies)); r->Assign(2, make_intrusive(request_version.ToDouble(), TYPE_DOUBLE)); diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc index 84a2fc2351..33c730d63f 100644 --- a/src/analyzer/protocol/icmp/ICMP.cc +++ b/src/analyzer/protocol/icmp/ICMP.cc @@ -225,7 +225,7 @@ ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len, { if ( ! icmp_conn_val ) { - icmp_conn_val = make_intrusive(icmp_conn); + icmp_conn_val = make_intrusive(zeek::vars::icmp_conn); icmp_conn_val->Assign(0, make_intrusive(Conn()->OrigAddr())); icmp_conn_val->Assign(1, make_intrusive(Conn()->RespAddr())); @@ -350,8 +350,8 @@ IntrusivePtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char } } - auto iprec = make_intrusive(icmp_context); - auto id_val = make_intrusive(conn_id); + auto iprec = make_intrusive(zeek::vars::icmp_context); + auto id_val = make_intrusive(zeek::vars::conn_id); id_val->Assign(0, make_intrusive(src_addr)); id_val->Assign(1, val_mgr->Port(src_port, proto)); @@ -409,8 +409,8 @@ IntrusivePtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char } } - auto iprec = make_intrusive(icmp_context); - auto id_val = make_intrusive(conn_id); + auto iprec = make_intrusive(zeek::vars::icmp_context); + auto id_val = make_intrusive(zeek::vars::conn_id); id_val->Assign(0, make_intrusive(src_addr)); id_val->Assign(1, val_mgr->Port(src_port, proto)); diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac index 5b587f77c0..c6c6ffe87a 100644 --- a/src/analyzer/protocol/imap/imap-analyzer.pac +++ b/src/analyzer/protocol/imap/imap-analyzer.pac @@ -59,7 +59,7 @@ refine connection IMAP_Conn += { if ( ! imap_capabilities ) return true; - auto capv = make_intrusive(zeek::lookup_type("string_vec")); + auto capv = make_intrusive(zeek::vars::string_vec); for ( unsigned int i = 0; i< capabilities->size(); i++ ) { diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc index e844e7e21b..6d7f2f0d82 100644 --- a/src/analyzer/protocol/irc/IRC.cc +++ b/src/analyzer/protocol/irc/IRC.cc @@ -271,7 +271,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts.size() > 0 && parts[0][0] == ':' ) parts[0] = parts[0].substr(1); - auto set = make_intrusive(IntrusivePtr{NewRef{}, string_set}); + auto set = make_intrusive(zeek::vars::string_set); for ( unsigned int i = 0; i < parts.size(); ++i ) { @@ -464,7 +464,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) if ( parts.size() > 0 && parts[0][0] == ':' ) parts[0] = parts[0].substr(1); - auto set = make_intrusive(IntrusivePtr{NewRef{}, string_set}); + auto set = make_intrusive(zeek::vars::string_set); for ( unsigned int i = 0; i < parts.size(); ++i ) { @@ -836,7 +836,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) nickname = prefix.substr(0, pos); } - auto list = make_intrusive(IntrusivePtr{NewRef{}, irc_join_list}); + auto list = make_intrusive(zeek::vars::irc_join_list); vector channels = SplitWords(parts[0], ','); vector passwords; @@ -847,7 +847,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) string empty_string = ""; for ( unsigned int i = 0; i < channels.size(); ++i ) { - RecordVal* info = new RecordVal(irc_join_info); + RecordVal* info = new RecordVal(zeek::vars::irc_join_info); info->Assign(0, make_intrusive(nickname.c_str())); info->Assign(1, make_intrusive(channels[i].c_str())); if ( i < passwords.size() ) @@ -881,13 +881,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) parts[1] = parts[1].substr(1); vector users = SplitWords(parts[1], ','); - auto list = make_intrusive(IntrusivePtr{NewRef{}, irc_join_list}); + auto list = make_intrusive(zeek::vars::irc_join_list); string empty_string = ""; for ( unsigned int i = 0; i < users.size(); ++i ) { - auto info = make_intrusive(irc_join_info); + auto info = make_intrusive(zeek::vars::irc_join_info); string nick = users[i]; string mode = "none"; @@ -951,7 +951,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig) nick = nick.substr(0, pos); vector channelList = SplitWords(channels, ','); - auto set = make_intrusive(IntrusivePtr{NewRef{}, string_set}); + auto set = make_intrusive(zeek::vars::string_set); for ( unsigned int i = 0; i < channelList.size(); ++i ) { diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac index cbe588b38e..560a2b5b93 100644 --- a/src/analyzer/protocol/krb/krb-types.pac +++ b/src/analyzer/protocol/krb/krb-types.pac @@ -27,7 +27,7 @@ IntrusivePtr GetStringFromPrincipalName(const KRB_Principal_Name* pname) VectorVal* proc_cipher_list(const Array* list) { - auto ciphers = make_intrusive(zeek::lookup_type("index_vec")); + auto ciphers = make_intrusive(zeek::vars::index_vec); for ( uint i = 0; i < list->data()->size(); ++i ) ciphers->Assign(ciphers->Size(), asn1_integer_to_val((*list->data())[i], TYPE_COUNT)); return ciphers.release(); diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc index dab28cc608..b994407933 100644 --- a/src/analyzer/protocol/mime/MIME.cc +++ b/src/analyzer/protocol/mime/MIME.cc @@ -1289,7 +1289,7 @@ void MIME_Entity::DebugPrintHeaders() IntrusivePtr MIME_Message::BuildHeaderVal(MIME_Header* h) { - auto header_record = make_intrusive(mime_header_rec); + auto header_record = make_intrusive(zeek::vars::mime_header_rec); header_record->Assign(0, new_string_val(h->get_name())); auto upper_hn = new_string_val(h->get_name()); upper_hn->ToUpper(); @@ -1300,7 +1300,7 @@ IntrusivePtr MIME_Message::BuildHeaderVal(MIME_Header* h) IntrusivePtr MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist) { - auto t = make_intrusive(IntrusivePtr{NewRef{}, mime_header_list}); + auto t = make_intrusive(zeek::vars::mime_header_list); for ( unsigned int i = 0; i < hlist.size(); ++i ) { diff --git a/src/analyzer/protocol/mqtt/commands/subscribe.pac b/src/analyzer/protocol/mqtt/commands/subscribe.pac index 496f9953df..a2bca0c0cd 100644 --- a/src/analyzer/protocol/mqtt/commands/subscribe.pac +++ b/src/analyzer/protocol/mqtt/commands/subscribe.pac @@ -19,8 +19,8 @@ refine flow MQTT_Flow += { %{ if ( mqtt_subscribe ) { - auto topics = make_intrusive(IntrusivePtr{NewRef{}, string_vec}); - auto qos_levels = make_intrusive(IntrusivePtr{NewRef{}, index_vec}); + auto topics = make_intrusive(zeek::vars::string_vec); + auto qos_levels = make_intrusive(zeek::vars::index_vec); for ( auto topic: *${msg.topics} ) { diff --git a/src/analyzer/protocol/mqtt/commands/unsubscribe.pac b/src/analyzer/protocol/mqtt/commands/unsubscribe.pac index f7abcf68ae..cb0b747313 100644 --- a/src/analyzer/protocol/mqtt/commands/unsubscribe.pac +++ b/src/analyzer/protocol/mqtt/commands/unsubscribe.pac @@ -14,7 +14,7 @@ refine flow MQTT_Flow += { %{ if ( mqtt_unsubscribe ) { - auto topics = make_intrusive(IntrusivePtr{NewRef{}, string_vec}); + auto topics = make_intrusive(zeek::vars::string_vec); for ( auto topic: *${msg.topics} ) { diff --git a/src/analyzer/protocol/mysql/mysql-analyzer.pac b/src/analyzer/protocol/mysql/mysql-analyzer.pac index b9ea38e3bf..9d0f13ecb6 100644 --- a/src/analyzer/protocol/mysql/mysql-analyzer.pac +++ b/src/analyzer/protocol/mysql/mysql-analyzer.pac @@ -82,7 +82,7 @@ refine flow MySQL_Flow += { if ( ! mysql_result_row ) return true; - auto vt = zeek::lookup_type("string_vec"); + auto vt = zeek::vars::string_vec; auto vv = make_intrusive(std::move(vt)); auto& bstring = ${msg.row.first_field.val}; diff --git a/src/analyzer/protocol/rpc/MOUNT.cc b/src/analyzer/protocol/rpc/MOUNT.cc index 1569279e7d..edbd34c57d 100644 --- a/src/analyzer/protocol/rpc/MOUNT.cc +++ b/src/analyzer/protocol/rpc/MOUNT.cc @@ -192,7 +192,7 @@ zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c, zeek::Args vl; vl.reserve(2 + extra_elements); vl.emplace_back(analyzer->ConnVal()); - auto auxgids = make_intrusive(zeek::lookup_type("index_vec")); + auto auxgids = make_intrusive(zeek::vars::index_vec); for (size_t i = 0; i < c->AuxGIDs().size(); ++i) { diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 0ecce74ff1..0789fb806b 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -328,7 +328,7 @@ zeek::Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_ zeek::Args vl; vl.reserve(2 + extra_elements); vl.emplace_back(analyzer->ConnVal()); - auto auxgids = make_intrusive(zeek::lookup_type("index_vec")); + auto auxgids = make_intrusive(zeek::vars::index_vec); for ( size_t i = 0; i < c->AuxGIDs().size(); ++i ) auxgids->Assign(i, val_mgr->Count(c->AuxGIDs()[i])); diff --git a/src/analyzer/protocol/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc index d3f878f8f0..91a0becb04 100644 --- a/src/analyzer/protocol/rpc/Portmap.cc +++ b/src/analyzer/protocol/rpc/Portmap.cc @@ -138,7 +138,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu event = success ? pm_request_dump : pm_attempt_dump; if ( success ) { - TableVal* mappings = new TableVal({NewRef{}, pm_mappings}); + TableVal* mappings = new TableVal(zeek::vars::pm_mappings); uint32_t nmap = 0; // Each call in the loop test pulls the next "opted" @@ -193,7 +193,7 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu Val* PortmapperInterp::ExtractMapping(const u_char*& buf, int& len) { - RecordVal* mapping = new RecordVal(pm_mapping); + RecordVal* mapping = new RecordVal(zeek::vars::pm_mapping); mapping->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); mapping->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); @@ -213,7 +213,7 @@ Val* PortmapperInterp::ExtractMapping(const u_char*& buf, int& len) Val* PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len) { - RecordVal* pr = new RecordVal(pm_port_request); + RecordVal* pr = new RecordVal(zeek::vars::pm_port_request); pr->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); pr->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); @@ -233,7 +233,7 @@ Val* PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len) Val* PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len) { - RecordVal* c = new RecordVal(pm_callit_request); + RecordVal* c = new RecordVal(zeek::vars::pm_callit_request); c->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len))); c->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len))); diff --git a/src/analyzer/protocol/sip/sip-analyzer.pac b/src/analyzer/protocol/sip/sip-analyzer.pac index 37e036739d..dab40b4e26 100644 --- a/src/analyzer/protocol/sip/sip-analyzer.pac +++ b/src/analyzer/protocol/sip/sip-analyzer.pac @@ -67,7 +67,7 @@ refine flow SIP_Flow += { function build_sip_headers_val(): BroVal %{ - TableVal* t = new TableVal({NewRef{}, mime_header_list}); + TableVal* t = new TableVal(zeek::vars::mime_header_list); for ( unsigned int i = 0; i < headers.size(); ++i ) { // index starting from 1 @@ -101,7 +101,7 @@ refine flow SIP_Flow += { function build_sip_header_val(name: const_bytestring, value: const_bytestring): BroVal %{ - RecordVal* header_record = new RecordVal(mime_header_rec); + RecordVal* header_record = new RecordVal(zeek::vars::mime_header_rec); IntrusivePtr name_val; if ( name.length() > 0 ) diff --git a/src/analyzer/protocol/smb/smb1-com-negotiate.pac b/src/analyzer/protocol/smb/smb1-com-negotiate.pac index f225cf9df5..38dc341a7a 100644 --- a/src/analyzer/protocol/smb/smb1-com-negotiate.pac +++ b/src/analyzer/protocol/smb/smb1-com-negotiate.pac @@ -15,7 +15,7 @@ refine connection SMB_Conn += { %{ if ( smb1_negotiate_request ) { - auto dialects = make_intrusive(IntrusivePtr{NewRef{}, string_vec}); + auto dialects = make_intrusive(zeek::vars::string_vec); for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i ) { diff --git a/src/analyzer/protocol/smb/smb2-com-negotiate.pac b/src/analyzer/protocol/smb/smb2-com-negotiate.pac index c40591b580..2fcd7f05db 100644 --- a/src/analyzer/protocol/smb/smb2-com-negotiate.pac +++ b/src/analyzer/protocol/smb/smb2-com-negotiate.pac @@ -22,7 +22,7 @@ refine connection SMB_Conn += { %{ if ( smb2_negotiate_request ) { - auto dialects = make_intrusive(IntrusivePtr{NewRef{}, index_vec}); + auto dialects = make_intrusive(zeek::vars::index_vec); for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i ) dialects->Assign(i, val_mgr->Count((*${val.dialects})[i])); diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index 2da119cdf3..055e02377c 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac @@ -68,7 +68,7 @@ IntrusivePtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv) rpreauth->Assign(0, val_mgr->Count(${ncv.preauth_integrity_capabilities.hash_alg_count})); rpreauth->Assign(1, val_mgr->Count(${ncv.preauth_integrity_capabilities.salt_length})); - auto ha = make_intrusive(zeek::lookup_type("index_vec")); + auto ha = make_intrusive(zeek::vars::index_vec); for ( int i = 0; i < ${ncv.preauth_integrity_capabilities.hash_alg_count}; ++i ) { @@ -87,7 +87,7 @@ IntrusivePtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv) auto rencr = make_intrusive(BifType::Record::SMB2::EncryptionCapabilities); rencr->Assign(0, val_mgr->Count(${ncv.encryption_capabilities.cipher_count})); - auto c = make_intrusive(zeek::lookup_type("index_vec")); + auto c = make_intrusive(zeek::vars::index_vec); for ( int i = 0; i < ${ncv.encryption_capabilities.cipher_count}; ++i ) { @@ -105,7 +105,7 @@ IntrusivePtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv) auto rcomp = make_intrusive(BifType::Record::SMB2::CompressionCapabilities); rcomp->Assign(0, val_mgr->Count(${ncv.compression_capabilities.alg_count})); - auto c = make_intrusive(zeek::lookup_type("index_vec")); + auto c = make_intrusive(zeek::vars::index_vec); for ( int i = 0; i < ${ncv.compression_capabilities.alg_count}; ++i ) { diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index 95b1812eb6..cd33098653 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac @@ -24,7 +24,7 @@ refine connection SOCKS_Conn += { %{ if ( socks_request ) { - auto sa = make_intrusive(socks_address); + auto sa = make_intrusive(zeek::vars::socks_address); sa->Assign(0, make_intrusive(htonl(${request.addr}))); if ( ${request.v4a} ) @@ -48,7 +48,7 @@ refine connection SOCKS_Conn += { %{ if ( socks_reply ) { - auto sa = make_intrusive(socks_address); + auto sa = make_intrusive(zeek::vars::socks_address); sa->Assign(0, make_intrusive(htonl(${reply.addr}))); BifEvent::enqueue_socks_reply(bro_analyzer(), @@ -80,7 +80,7 @@ refine connection SOCKS_Conn += { return false; } - auto sa = make_intrusive(socks_address); + auto sa = make_intrusive(zeek::vars::socks_address); // This is dumb and there must be a better way (checking for presence of a field)... switch ( ${request.remote_name.addr_type} ) @@ -119,7 +119,7 @@ refine connection SOCKS_Conn += { function socks5_reply(reply: SOCKS5_Reply): bool %{ - auto sa = make_intrusive(socks_address); + auto sa = make_intrusive(zeek::vars::socks_address); // This is dumb and there must be a better way (checking for presence of a field)... switch ( ${reply.bound.addr_type} ) diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac index 8a6f0adc13..d0032d9b77 100644 --- a/src/analyzer/protocol/ssh/ssh-analyzer.pac +++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac @@ -12,7 +12,7 @@ VectorVal* name_list_to_vector(const bytestring& nl); // Copied from IRC_Analyzer::SplitWords VectorVal* name_list_to_vector(const bytestring& nl) { - VectorVal* vv = new VectorVal(zeek::lookup_type("string_vec")); + VectorVal* vv = new VectorVal(zeek::vars::string_vec); string name_list = std_str(nl); if ( name_list.size() < 1 ) diff --git a/src/analyzer/protocol/ssl/proc-client-hello.pac b/src/analyzer/protocol/ssl/proc-client-hello.pac index 80afbb56f9..7c447bb39e 100644 --- a/src/analyzer/protocol/ssl/proc-client-hello.pac +++ b/src/analyzer/protocol/ssl/proc-client-hello.pac @@ -23,7 +23,7 @@ else std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(cipher_suites), to_int()); - auto cipher_vec = make_intrusive(zeek::lookup_type("index_vec")); + auto cipher_vec = make_intrusive(zeek::vars::index_vec); for ( unsigned int i = 0; i < cipher_suites.size(); ++i ) { @@ -31,7 +31,7 @@ cipher_vec->Assign(i, ciph); } - auto comp_vec = make_intrusive(zeek::lookup_type("index_vec")); + auto comp_vec = make_intrusive(zeek::vars::index_vec); if ( compression_methods ) { diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 4f499039f5..1635e375bf 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -75,7 +75,7 @@ refine connection Handshake_Conn += { if ( ! ssl_extension_ec_point_formats ) return true; - auto points = make_intrusive(zeek::lookup_type("index_vec")); + auto points = make_intrusive(zeek::vars::index_vec); if ( point_format_list ) { @@ -94,7 +94,7 @@ refine connection Handshake_Conn += { if ( ! ssl_extension_elliptic_curves ) return true; - auto curves = make_intrusive(zeek::lookup_type("index_vec")); + auto curves = make_intrusive(zeek::vars::index_vec); if ( list ) { @@ -113,7 +113,7 @@ refine connection Handshake_Conn += { if ( ! ssl_extension_key_share ) return true; - auto nglist = make_intrusive(zeek::lookup_type("index_vec")); + auto nglist = make_intrusive(zeek::vars::index_vec); if ( keyshare ) { @@ -131,7 +131,7 @@ refine connection Handshake_Conn += { if ( ! ssl_extension_key_share ) return true; - auto nglist = make_intrusive(zeek::lookup_type("index_vec")); + auto nglist = make_intrusive(zeek::vars::index_vec); nglist->Assign(0u, val_mgr->Count(keyshare->namedgroup())); BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); @@ -143,7 +143,7 @@ refine connection Handshake_Conn += { if ( ! ssl_extension_key_share ) return true; - auto nglist = make_intrusive(zeek::lookup_type("index_vec")); + auto nglist = make_intrusive(zeek::vars::index_vec); nglist->Assign(0u, val_mgr->Count(namedgroup)); BifEvent::enqueue_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); @@ -178,7 +178,7 @@ refine connection Handshake_Conn += { if ( ! ssl_extension_application_layer_protocol_negotiation ) return true; - auto plist = make_intrusive(zeek::lookup_type("string_vec")); + auto plist = make_intrusive(zeek::vars::string_vec); if ( protocols ) { @@ -194,7 +194,7 @@ refine connection Handshake_Conn += { function proc_server_name(rec: HandshakeRecord, list: ServerName[]) : bool %{ - auto servers = make_intrusive(zeek::lookup_type("string_vec")); + auto servers = make_intrusive(zeek::vars::string_vec); if ( list ) { @@ -226,7 +226,7 @@ refine connection Handshake_Conn += { if ( ! ssl_extension_supported_versions ) return true; - auto versions = make_intrusive(zeek::lookup_type("index_vec")); + auto versions = make_intrusive(zeek::vars::index_vec); if ( versions_list ) { @@ -245,7 +245,7 @@ refine connection Handshake_Conn += { if ( ! ssl_extension_supported_versions ) return true; - auto versions = make_intrusive(zeek::lookup_type("index_vec")); + auto versions = make_intrusive(zeek::vars::index_vec); versions->Assign(0u, val_mgr->Count(version)); BifEvent::enqueue_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(), @@ -259,7 +259,7 @@ refine connection Handshake_Conn += { if ( ! ssl_extension_psk_key_exchange_modes ) return true; - auto modes = make_intrusive(zeek::lookup_type("index_vec")); + auto modes = make_intrusive(zeek::vars::index_vec); if ( mode_list ) { @@ -505,7 +505,7 @@ refine connection Handshake_Conn += { } } - auto blist = make_intrusive(zeek::lookup_type("string_vec")); + auto blist = make_intrusive(zeek::vars::string_vec); if ( binders && binders->binders() ) { diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index 81b6f20f7e..f492c3e154 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -107,7 +107,7 @@ static RecordVal* build_syn_packet_val(bool is_orig, const IP_Hdr* ip, options += opt_len; } - RecordVal* v = new RecordVal(SYN_packet); + RecordVal* v = new RecordVal(zeek::vars::SYN_packet); v->Assign(0, val_mgr->Bool(is_orig)); v->Assign(1, val_mgr->Bool(int(ip->DF()))); @@ -1421,7 +1421,7 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig) { auto p = reinterpret_cast(o + 2); auto num_pointers = (length - 2) / 4; - auto vt = zeek::lookup_type("index_vec"); + auto vt = zeek::vars::index_vec; auto sack = make_intrusive(std::move(vt)); for ( auto i = 0; i < num_pointers; ++i ) @@ -2077,7 +2077,7 @@ bool TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int capl RecordVal* TCPStats_Endpoint::BuildStats() { - RecordVal* stats = new RecordVal(endpoint_stats); + RecordVal* stats = new RecordVal(zeek::vars::endpoint_stats); stats->Assign(0, val_mgr->Count(num_pkts)); stats->Assign(1, val_mgr->Count(num_rxmit)); diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 064d4bbe9b..b98819c949 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -23,16 +23,16 @@ using namespace file_analysis; static Val* empty_connection_table() { - auto tbl_index = make_intrusive(IntrusivePtr{NewRef{}, conn_id}); - tbl_index->Append({NewRef{}, conn_id}); + auto tbl_index = make_intrusive(zeek::vars::conn_id); + tbl_index->Append(zeek::vars::conn_id); auto tbl_type = make_intrusive(std::move(tbl_index), - IntrusivePtr{NewRef{}, connection_type}); + zeek::vars::connection_type); return new TableVal(std::move(tbl_type)); } -static RecordVal* get_conn_id_val(const Connection* conn) +static IntrusivePtr get_conn_id_val(const Connection* conn) { - RecordVal* v = new RecordVal(conn_id); + auto v = make_intrusive(zeek::vars::conn_id); v->Assign(0, make_intrusive(conn->OrigAddr())); v->Assign(1, val_mgr->Port(ntohs(conn->OrigPort()), conn->ConnTransport())); v->Assign(2, make_intrusive(conn->RespAddr())); @@ -62,22 +62,22 @@ void File::StaticInit() if ( id_idx != -1 ) return; - id_idx = Idx("id", fa_file_type); - parent_id_idx = Idx("parent_id", fa_file_type); - source_idx = Idx("source", fa_file_type); - is_orig_idx = Idx("is_orig", fa_file_type); - conns_idx = Idx("conns", fa_file_type); - last_active_idx = Idx("last_active", fa_file_type); - seen_bytes_idx = Idx("seen_bytes", fa_file_type); - total_bytes_idx = Idx("total_bytes", fa_file_type); - missing_bytes_idx = Idx("missing_bytes", fa_file_type); - overflow_bytes_idx = Idx("overflow_bytes", fa_file_type); - timeout_interval_idx = Idx("timeout_interval", fa_file_type); - bof_buffer_size_idx = Idx("bof_buffer_size", fa_file_type); - bof_buffer_idx = Idx("bof_buffer", fa_file_type); - meta_mime_type_idx = Idx("mime_type", fa_metadata_type); - meta_mime_types_idx = Idx("mime_types", fa_metadata_type); - meta_inferred_idx = Idx("inferred", fa_metadata_type); + id_idx = Idx("id", zeek::vars::fa_file_type); + parent_id_idx = Idx("parent_id", zeek::vars::fa_file_type); + source_idx = Idx("source", zeek::vars::fa_file_type); + is_orig_idx = Idx("is_orig", zeek::vars::fa_file_type); + conns_idx = Idx("conns", zeek::vars::fa_file_type); + last_active_idx = Idx("last_active", zeek::vars::fa_file_type); + seen_bytes_idx = Idx("seen_bytes", zeek::vars::fa_file_type); + total_bytes_idx = Idx("total_bytes", zeek::vars::fa_file_type); + missing_bytes_idx = Idx("missing_bytes", zeek::vars::fa_file_type); + overflow_bytes_idx = Idx("overflow_bytes", zeek::vars::fa_file_type); + timeout_interval_idx = Idx("timeout_interval", zeek::vars::fa_file_type); + bof_buffer_size_idx = Idx("bof_buffer_size", zeek::vars::fa_file_type); + bof_buffer_idx = Idx("bof_buffer", zeek::vars::fa_file_type); + meta_mime_type_idx = Idx("mime_type", zeek::vars::fa_metadata_type); + meta_mime_types_idx = Idx("mime_types", zeek::vars::fa_metadata_type); + meta_inferred_idx = Idx("inferred", zeek::vars::fa_metadata_type); } File::File(const std::string& file_id, const std::string& source_name, Connection* conn, @@ -91,7 +91,7 @@ File::File(const std::string& file_id, const std::string& source_name, Connectio DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Creating new File object", file_id.c_str()); - val = new RecordVal(fa_file_type); + val = new RecordVal(zeek::vars::fa_file_type); val->Assign(id_idx, make_intrusive(file_id.c_str())); SetSource(source_name); @@ -137,16 +137,12 @@ bool File::UpdateConnectionFields(Connection* conn, bool is_orig) val->Assign(conns_idx, conns); } - Val* idx = get_conn_id_val(conn); + auto idx = get_conn_id_val(conn); - if ( conns->AsTableVal()->Lookup(idx) ) - { - Unref(idx); + if ( conns->AsTableVal()->Lookup(idx.get()) ) return false; - } - conns->AsTableVal()->Assign(idx, conn->ConnVal()); - Unref(idx); + conns->AsTableVal()->Assign(idx.get(), conn->ConnVal()); return true; } @@ -299,7 +295,7 @@ bool File::SetMime(const std::string& mime_type) if ( ! FileEventAvailable(file_sniff) ) return false; - auto meta = make_intrusive(fa_metadata_type); + auto meta = make_intrusive(zeek::vars::fa_metadata_type); meta->Assign(meta_mime_type_idx, make_intrusive(mime_type)); meta->Assign(meta_inferred_idx, val_mgr->False()); @@ -332,7 +328,7 @@ void File::InferMetadata() len = std::min(len, LookupFieldDefaultCount(bof_buffer_size_idx)); file_mgr->DetectMIME(data, len, &matches); - auto meta = make_intrusive(fa_metadata_type); + auto meta = make_intrusive(zeek::vars::fa_metadata_type); if ( ! matches.empty() ) { diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 97e6e0817a..82f286f70e 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -323,6 +323,8 @@ protected: * @return the field offset in #val record corresponding to \a field_name. */ static int Idx(const std::string& field_name, const RecordType* type); + static int Idx(const std::string& field_name, const IntrusivePtr& type) + { return Idx(field_name, type.get()); } /** * Initializes static member. diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index bc18568444..df950416cb 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -499,12 +499,12 @@ string Manager::DetectMIME(const u_char* data, uint64_t len) const IntrusivePtr file_analysis::GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m) { - auto rval = make_intrusive(IntrusivePtr{NewRef{}, mime_matches}); + auto rval = make_intrusive(zeek::vars::mime_matches); for ( RuleMatcher::MIME_Matches::const_iterator it = m.begin(); it != m.end(); ++it ) { - auto element = make_intrusive(mime_match); + auto element = make_intrusive(zeek::vars::mime_match); for ( set::const_iterator it2 = it->second.begin(); it2 != it->second.end(); ++it2 ) diff --git a/src/file_analysis/analyzer/entropy/Entropy.cc b/src/file_analysis/analyzer/entropy/Entropy.cc index ab96947d30..1e605c9883 100644 --- a/src/file_analysis/analyzer/entropy/Entropy.cc +++ b/src/file_analysis/analyzer/entropy/Entropy.cc @@ -60,7 +60,7 @@ void Entropy::Finalize() montepi = scc = ent = mean = chisq = 0.0; entropy->Get(&ent, &chisq, &mean, &montepi, &scc); - auto ent_result = make_intrusive(entropy_test_result); + auto ent_result = make_intrusive(zeek::vars::entropy_test_result); ent_result->Assign(0, make_intrusive(ent, TYPE_DOUBLE)); ent_result->Assign(1, make_intrusive(chisq, TYPE_DOUBLE)); ent_result->Assign(2, make_intrusive(mean, TYPE_DOUBLE)); diff --git a/src/file_analysis/analyzer/pe/pe-analyzer.pac b/src/file_analysis/analyzer/pe/pe-analyzer.pac index 95dfa436a9..30f484b1b3 100644 --- a/src/file_analysis/analyzer/pe/pe-analyzer.pac +++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac @@ -11,7 +11,7 @@ VectorVal* process_rvas(const RVAS* rvas); %code{ VectorVal* process_rvas(const RVAS* rva_table) { - auto rvas = make_intrusive(zeek::lookup_type("index_vec")); + auto rvas = make_intrusive(zeek::vars::index_vec); for ( uint16 i=0; i < rva_table->rvas()->size(); ++i ) rvas->Assign(i, val_mgr->Count((*rva_table->rvas())[i]->size())); @@ -26,7 +26,7 @@ refine flow File += { function characteristics_to_bro(c: uint32, len: uint8): TableVal %{ uint64 mask = (len==16) ? 0xFFFF : 0xFFFFFFFF; - TableVal* char_set = new TableVal(zeek::lookup_type("count_set")); + TableVal* char_set = new TableVal(zeek::vars::count_set); for ( uint16 i=0; i < len; ++i ) { if ( ((c >> i) & 0x1) == 1 ) diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 8c98ed179b..afd37d4958 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -367,21 +367,21 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) { case GEN_DNS: if ( names == nullptr ) - names = new VectorVal(zeek::lookup_type("string_vec")); + names = new VectorVal(zeek::vars::string_vec); names->Assign(names->Size(), bs); break; case GEN_URI: if ( uris == nullptr ) - uris = new VectorVal(zeek::lookup_type("string_vec")); + uris = new VectorVal(zeek::vars::string_vec); uris->Assign(uris->Size(), bs); break; case GEN_EMAIL: if ( emails == nullptr ) - emails = new VectorVal(zeek::lookup_type("string_vec")); + emails = new VectorVal(zeek::vars::string_vec); emails->Assign(emails->Size(), bs); break; diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 52033ca5d0..20c4d1bc8c 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -593,8 +593,8 @@ void Packet::ProcessLayer2() IntrusivePtr Packet::ToRawPktHdrVal() const { - auto pkt_hdr = make_intrusive(raw_pkt_hdr_type); - RecordVal* l2_hdr = new RecordVal(l2_hdr_type); + auto pkt_hdr = make_intrusive(zeek::vars::raw_pkt_hdr_type); + RecordVal* l2_hdr = new RecordVal(zeek::vars::l2_hdr_type); bool is_ethernet = link_type == DLT_EN10MB; diff --git a/src/reporter.bif b/src/reporter.bif index e37691da5f..46084d13d3 100644 --- a/src/reporter.bif +++ b/src/reporter.bif @@ -153,7 +153,7 @@ function Reporter::file_weird%(name: string, f: fa_file, addl: string &default=" ## Returns: Current weird sampling whitelist function Reporter::get_weird_sampling_whitelist%(%): string_set %{ - auto set = make_intrusive(IntrusivePtr{NewRef{}, string_set}); + auto set = make_intrusive(zeek::vars::string_set); for ( auto el : reporter->GetWeirdSamplingWhitelist() ) { auto idx = make_intrusive(el); diff --git a/src/strings.bif b/src/strings.bif index 412b065065..bef95c9bad 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -259,7 +259,7 @@ static IntrusivePtr do_split_string(StringVal* str_val, Val* do_split(StringVal* str_val, RE_Matcher* re, int incl_sep, int max_num_sep) { - TableVal* a = new TableVal({NewRef{}, string_array}); + TableVal* a = new TableVal(zeek::vars::string_array); const u_char* s = str_val->Bytes(); int n = str_val->Len(); const u_char* end_of_s = s + n; @@ -713,8 +713,7 @@ function str_split%(s: string, idx: index_vec%): string_vec indices[i] = (*idx_v)[i]->AsCount(); BroString::Vec* result = s->AsString()->Split(indices); - auto result_v = make_intrusive( - zeek::lookup_type("string_vec")); + auto result_v = make_intrusive(zeek::vars::string_vec); if ( result ) { @@ -909,7 +908,7 @@ function safe_shell_quote%(source: string%): string ## .. zeek:see: find_last strstr function find_all%(str: string, re: pattern%) : string_set %{ - auto a = make_intrusive(IntrusivePtr{NewRef{}, string_set}); + auto a = make_intrusive(zeek::vars::string_set); const u_char* s = str->Bytes(); const u_char* e = s + str->Len(); diff --git a/src/zeek.bif b/src/zeek.bif index 1876dc741e..4ecc51d9e9 100644 --- a/src/zeek.bif +++ b/src/zeek.bif @@ -30,7 +30,6 @@ #include "Hash.h" using namespace std; -using namespace zeek; TableType* var_sizes; @@ -1052,7 +1051,7 @@ function find_entropy%(data: string%): entropy_test_result e.Feed(data->Bytes(), data->Len()); e.Get(&ent, &chisq, &mean, &montepi, &scc); - auto ent_result = make_intrusive(entropy_test_result); + auto ent_result = make_intrusive(zeek::vars::entropy_test_result); ent_result->Assign(0, make_intrusive(ent, TYPE_DOUBLE)); ent_result->Assign(1, make_intrusive(chisq, TYPE_DOUBLE)); ent_result->Assign(2, make_intrusive(mean, TYPE_DOUBLE)); @@ -1103,7 +1102,7 @@ function entropy_test_finish%(handle: opaque of entropy%): entropy_test_result montepi = scc = ent = mean = chisq = 0.0; static_cast(handle)->Get(&ent, &chisq, &mean, &montepi, &scc); - auto ent_result = make_intrusive(entropy_test_result); + auto ent_result = make_intrusive(zeek::vars::entropy_test_result); ent_result->Assign(0, make_intrusive(ent, TYPE_DOUBLE)); ent_result->Assign(1, make_intrusive(chisq, TYPE_DOUBLE)); ent_result->Assign(2, make_intrusive(mean, TYPE_DOUBLE)); @@ -1470,7 +1469,7 @@ function sort%(v: any, ...%) : any ## .. zeek:see:: sort function order%(v: any, ...%) : index_vec %{ - auto result_v = make_intrusive(lookup_type("index_vec")); + auto result_v = make_intrusive(zeek::vars::index_vec); if ( v->GetType()->Tag() != TYPE_VECTOR ) { @@ -1823,10 +1822,9 @@ function zeek_version%(%): string ## Returns: A string vector with the field names of *rt*. function record_type_to_vector%(rt: string%): string_vec %{ - auto result = - make_intrusive(lookup_type("string_vec")); + auto result = make_intrusive(zeek::vars::string_vec); - RecordType* type = lookup_type(rt->CheckString())->AsRecordType(); + RecordType* type = zeek::lookup_type(rt->CheckString())->AsRecordType(); for ( int i = 0; i < type->NumFields(); ++i ) result->Assign(i+1, make_intrusive(type->FieldName(i))); @@ -1853,7 +1851,7 @@ function type_name%(t: any%): string ## Returns: list of command-line arguments (``argv``) used to run Zeek. function zeek_args%(%): string_vec %{ - auto sv = lookup_type("string_vec"); + auto sv = zeek::vars::string_vec; auto rval = make_intrusive(std::move(sv)); for ( auto i = 0; i < bro_argc; ++i ) @@ -1891,7 +1889,7 @@ function reading_traces%(%): bool ## .. zeek:see:: reading_live_traffic reading_traces function packet_source%(%): PacketSource %{ - auto ps_type = lookup_type("PacketSource")->AsRecordType(); + auto ps_type = zeek::lookup_type("PacketSource")->AsRecordType(); auto ps = iosource_mgr->GetPktSrc(); auto r = make_intrusive(ps_type); @@ -1941,13 +1939,13 @@ function global_sizes%(%): var_sizes ## .. zeek:see:: global_sizes function global_ids%(%): id_table %{ - auto ids = make_intrusive(IntrusivePtr{NewRef{}, id_table}); + auto ids = make_intrusive(zeek::vars::id_table); const auto& globals = global_scope()->Vars(); for ( const auto& global : globals ) { ID* id = global.second.get(); - auto rec = make_intrusive(script_id); + auto rec = make_intrusive(zeek::vars::script_id); rec->Assign(0, make_intrusive(type_name(id->GetType()->Tag()))); rec->Assign(1, val_mgr->Bool(id->IsExport())); rec->Assign(2, val_mgr->Bool(id->IsConst())); @@ -1999,8 +1997,7 @@ function record_fields%(rec: any%): record_field_table if ( ! id || ! id->IsType() || id->GetType()->Tag() != TYPE_RECORD ) { reporter->Error("record_fields string argument does not name a record type"); - auto tt = lookup_type("record_field_table"); - return make_intrusive(std::move(tt)); + return make_intrusive(zeek::vars::record_field_table); } return id->GetType()->AsRecordType()->GetRecordFieldsVal(); @@ -2186,7 +2183,7 @@ function is_v6_subnet%(s: subnet%): bool ## Returns: The vector of addresses contained in the routing header data. function routing0_data_to_addrs%(s: string%): addr_vec %{ - auto rval = make_intrusive(lookup_type("addr_vec")); + auto rval = make_intrusive(zeek::lookup_type("addr_vec")); int len = s->Len(); const u_char* bytes = s->Bytes(); @@ -2217,7 +2214,7 @@ function routing0_data_to_addrs%(s: string%): addr_vec ## .. zeek:see:: counts_to_addr function addr_to_counts%(a: addr%): index_vec %{ - auto rval = make_intrusive(lookup_type("index_vec")); + auto rval = make_intrusive(zeek::vars::index_vec); const uint32_t* bytes; int len = a->AsAddr().GetBytes(&bytes); @@ -3211,16 +3208,16 @@ static IntrusivePtr map_conn_type(TransportProto tp) { switch ( tp ) { case TRANSPORT_UNKNOWN: - return transport_proto->GetVal(0); + return zeek::vars::transport_proto->GetVal(0); case TRANSPORT_TCP: - return transport_proto->GetVal(1); + return zeek::vars::transport_proto->GetVal(1); case TRANSPORT_UDP: - return transport_proto->GetVal(2); + return zeek::vars::transport_proto->GetVal(2); case TRANSPORT_ICMP: - return transport_proto->GetVal(3); + return zeek::vars::transport_proto->GetVal(3); default: reporter->InternalError("bad connection type in map_conn_type()"); @@ -3246,7 +3243,7 @@ function get_conn_transport_proto%(cid: conn_id%): transport_proto if ( ! c ) { builtin_error("unknown connection id in get_conn_transport_proto()", cid); - return transport_proto->GetVal(0); + return zeek::vars::transport_proto->GetVal(0); } return map_conn_type(c->ConnTransport()); @@ -3298,20 +3295,20 @@ function lookup_connection%(cid: conn_id%): connection builtin_error("connection ID not a known connection", cid); // Return a dummy connection record. - auto c = make_intrusive(connection_type); + auto c = make_intrusive(zeek::vars::connection_type); - auto id_val = make_intrusive(conn_id); + auto id_val = make_intrusive(zeek::vars::conn_id); id_val->Assign(0, make_intrusive((unsigned int) 0)); id_val->Assign(1, val_mgr->Port(ntohs(0), TRANSPORT_UDP)); id_val->Assign(2, make_intrusive((unsigned int) 0)); id_val->Assign(3, val_mgr->Port(ntohs(0), TRANSPORT_UDP)); c->Assign(0, std::move(id_val)); - auto orig_endp = make_intrusive(endpoint); + auto orig_endp = make_intrusive(zeek::vars::endpoint); orig_endp->Assign(0, val_mgr->Count(0)); orig_endp->Assign(1, val_mgr->Count(int(0))); - auto resp_endp = make_intrusive(endpoint); + auto resp_endp = make_intrusive(zeek::vars::endpoint); resp_endp->Assign(0, val_mgr->Count(0)); resp_endp->Assign(1, val_mgr->Count(int(0))); @@ -3320,7 +3317,7 @@ function lookup_connection%(cid: conn_id%): connection c->Assign(3, make_intrusive(network_time, TYPE_TIME)); c->Assign(4, make_intrusive(0.0, TYPE_INTERVAL)); - c->Assign(5, make_intrusive(IntrusivePtr{NewRef{}, string_set})); // service + c->Assign(5, make_intrusive(zeek::vars::string_set)); // service c->Assign(6, val_mgr->EmptyString()); // history return c; @@ -3383,7 +3380,7 @@ function dump_current_packet%(file_name: string%) : bool function get_current_packet%(%) : pcap_packet %{ const Packet* p; - auto pkt = make_intrusive(pcap_packet); + auto pkt = make_intrusive(zeek::vars::pcap_packet); if ( ! current_pktsrc || ! current_pktsrc->GetCurrentPacket(&p) ) @@ -3423,7 +3420,7 @@ function get_current_packet_header%(%) : raw_pkt_hdr return p->ToRawPktHdrVal(); } - auto hdr = make_intrusive(raw_pkt_hdr_type); + auto hdr = make_intrusive(zeek::vars::raw_pkt_hdr_type); return hdr; %} @@ -3993,7 +3990,7 @@ function mmdb_open_asn_db%(f: string%) : bool ## .. zeek:see:: lookup_asn function lookup_location%(a: addr%) : geo_location %{ - auto location = make_intrusive(geo_location); + auto location = make_intrusive(zeek::vars::geo_location); #ifdef USE_GEOIP mmdb_check_loc(); @@ -4624,7 +4621,7 @@ function rotate_file%(f: file%): rotate_info return info; // Record indicating error. - info = make_intrusive(rotate_info); + info = make_intrusive(zeek::vars::rotate_info); info->Assign(0, val_mgr->EmptyString()); info->Assign(1, val_mgr->EmptyString()); info->Assign(2, make_intrusive(0.0, TYPE_TIME)); @@ -4643,7 +4640,7 @@ function rotate_file%(f: file%): rotate_info ## .. zeek:see:: rotate_file calc_next_rotate function rotate_file_by_name%(f: string%): rotate_info %{ - auto info = make_intrusive(rotate_info); + auto info = make_intrusive(zeek::vars::rotate_info); bool is_pkt_dumper = false; bool is_addl_pkt_dumper = false;