Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 07:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix packet analyzer replacement.

Browse source 
Also reworking the existing test, which was pretty odd/broken.
This commit is contained in:
Robin Sommer 2024-04-30 11:30:35 +02:00
parent 3a469b3619
commit ccfeffaf2b
No known key found for this signature in database
GPG key ID: D8187293B3FFE5D0
5 changed files with 26 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

18
src/packet_analysis/Component.cc
View file

@ -18,11 +18,23 @@ void Component::Initialize() {
} }
void Component::SetEnabled(bool arg_enabled) { void Component::SetEnabled(bool arg_enabled) {
plugin::Component::SetEnabled(arg_enabled); auto analyzer = packet_mgr->GetAnalyzer(Tag().AsVal().get());
if ( analyzer ) {
// We can only toggle the analyzer if it's not replacing another one,
// otherwise our dispatching tables would be wrong.
if ( packet_mgr->ProvidesComponentMapping(Tag()) ) {
reporter->Warning(
"attempt to toggle packet analyzer %s, which replaces another one; toggling replacement analyzers is "
"not supported",
analyzer->GetAnalyzerName());
return;
}
// If we already have instantiated an analyzer, update its state. // Update the existing analyzer's state.
if ( auto analyzer = packet_mgr->Lookup(Tag().AsVal().get(), false) )
analyzer->SetEnabled(arg_enabled); analyzer->SetEnabled(arg_enabled);
}
plugin::Component::SetEnabled(arg_enabled);
} }
void Component::DoDescribe(ODesc* d) const { void Component::DoDescribe(ODesc* d) const {

2
src/packet_analysis/Dispatcher.cc
View file

@ -42,7 +42,7 @@ void Dispatcher::Register(uint32_t identifier, AnalyzerPtr analyzer) {
} }
int64_t index = identifier - lowest_identifier; int64_t index = identifier - lowest_identifier;
if ( table[index] != nullptr ) if ( table[index] != nullptr && table[index] != analyzer )
reporter->Info("Overwriting packet analyzer mapping %#8" PRIx64 " => %s with %s", index + lowest_identifier, reporter->Info("Overwriting packet analyzer mapping %#8" PRIx64 " => %s with %s", index + lowest_identifier,
table[index]->GetAnalyzerName(), analyzer->GetAnalyzerName()); table[index]->GetAnalyzerName(), analyzer->GetAnalyzerName());
table[index] = std::move(analyzer); table[index] = std::move(analyzer);

2
src/packet_analysis/Manager.cc
View file

@ -159,7 +159,7 @@ AnalyzerPtr Manager::InstantiateAnalyzer(const Tag& tag) {
return nullptr; return nullptr;
} }
if ( tag != a->GetAnalyzerTag() ) { if ( tag != a->GetAnalyzerTag() && ! HasComponentMapping(tag) ) {
reporter->InternalError( reporter->InternalError(
"Mismatch of requested analyzer %s and instantiated analyzer %s. " "Mismatch of requested analyzer %s and instantiated analyzer %s. "
"This usually means that the plugin author made a mistake.", "This usually means that the plugin author made a mistake.",

1
testing/btest/Baseline/spicy.packet-analyzer-replaces/output-on → testing/btest/Baseline/spicy.packet-analyzer-replaces/output
View file

@ -1,2 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
My Ethernet:, \x00\x10\xdcrL_\x00\xd0\xb7\x1e\xbe \x08\x00 My Ethernet:, \x00\x10\xdcrL_\x00\xd0\xb7\x1e\xbe \x08\x00
UDP:, 10.20.1.31, 53/udp, 207.158.192.40, 53/udp

29
testing/btest/spicy/packet-analyzer-replaces.zeek
View file

@ -1,35 +1,17 @@
# @TEST-REQUIRES: have-spicy # @TEST-REQUIRES: have-spicy
# #
# @TEST-EXEC: spicyz -d -o my-ethernet.hlto my-ethernet.spicy my-ethernet.evt # @TEST-EXEC: spicyz -d -o my-ethernet.hlto my-ethernet.spicy my-ethernet.evt
# @TEST-EXEC: zeek -r ${TRACES}/dns53.pcap my-ethernet.hlto %INPUT ENABLE=T >output-on # @TEST-EXEC: zeek -r ${TRACES}/dns53.pcap my-ethernet.hlto %INPUT >output
# @TEST-EXEC: zeek -r ${TRACES}/dns53.pcap my-ethernet.hlto %INPUT ENABLE=F >output-off # @TEST-EXEC: btest-diff output
# @TEST-EXEC: btest-diff output-on
# #
# @TEST-DOC: Check that we can replace Zeek's Ethernet analyzer. # @TEST-DOC: Check that we can replace Zeek's Ethernet analyzer.
#
# Zeek logs look the same in both cases but we get some additional output
# when our analyzer is running by raising a custom event.
const ENABLE = T &redef;
module MyEthernet; module MyEthernet;
const DLT_EN10MB : count = 1; const DLT_EN10MB : count = 1;
event zeek_init() &priority=-200 event zeek_init()
{ {
if ( ENABLE )
Spicy::enable_file_analyzer(PacketAnalyzer::ANALYZER_SPICY_MYETHERNET);
else
Spicy::disable_file_analyzer(PacketAnalyzer::ANALYZER_SPICY_MYETHERNET);
}
# The priority here needs to be higher than the standard script registering the
# built-in Ethernet analyzer.
event zeek_init() &priority=-100
{
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, DLT_EN10MB, PacketAnalyzer::ANALYZER_SPICY_MYETHERNET);
PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SPICY_MYETHERNET, 0x0800, PacketAnalyzer::ANALYZER_IP); PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_SPICY_MYETHERNET, 0x0800, PacketAnalyzer::ANALYZER_IP);
} }
@ -38,6 +20,11 @@ event MyEthernet::data(p: raw_pkt_hdr, data: string)
print "My Ethernet:", data; print "My Ethernet:", data;
} }
event udp_request(u: connection)
{
print "UDP:", u$id$orig_h, u$id$orig_p, u$id$resp_h, u$id$resp_p;
}
# @TEST-START-FILE my-ethernet.spicy # @TEST-START-FILE my-ethernet.spicy
module MyEthernet; module MyEthernet;