Allow analyzer violations to explicitly set tag.

We could already pass an overriding tag to
`Analyzer::AnalyzerConfirmation()`, but we didn't have that ability
for `AnalyzerViolation`, so the two could end up reporting
different analyzers.
This commit is contained in:
Robin Sommer 2022-04-12 09:34:05 +02:00
parent d29160e9de
commit d2e8c5e887
No known key found for this signature in database
GPG key ID: 6BEDA4DA6B8B23E3
6 changed files with 16 additions and 9 deletions


@ -736,7 +736,7 @@ void Analyzer::AnalyzerConfirmation(zeek::Tag arg_tag)
event_mgr.Enqueue(analyzer_confirmation, ConnVal(), tval, val_mgr->Count(id)); event_mgr.Enqueue(analyzer_confirmation, ConnVal(), tval, val_mgr->Count(id));
} }
void Analyzer::AnalyzerViolation(const char* reason, const char* data, int len) void Analyzer::AnalyzerViolation(const char* reason, const char* data, int len, zeek::Tag arg_tag)
{ {
if ( ! analyzer_violation ) if ( ! analyzer_violation )
return; return;
@ -753,7 +753,7 @@ void Analyzer::AnalyzerViolation(const char* reason, const char* data, int len)
else else
r = make_intrusive<StringVal>(reason); r = make_intrusive<StringVal>(reason);
const auto& tval = tag.AsVal(); const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
event_mgr.Enqueue(analyzer_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r)); event_mgr.Enqueue(analyzer_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r));
} }
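Review bot: When a caller supplies an overriding `arg_tag`, the Enqueue on the line before still passes `val_mgr->Count(id)`, this analyzer's own id, so script handlers of `analyzer_violation` can now receive an `atype`/`aid` pair that names two different analyzers; the session variant in the other Analyzer.cc does not have this issue because it always passes 0. If that is the intended contract, a comment above the Enqueue would stop a maintainer from "correcting" it: `// id stays this analyzer's id even when arg_tag overrides the reported tag; script-side lookups by aid may see a different type than atype`. The `arg_tag ? … : …` test presumably relies on zeek::Tag's boolean conversion treating a default-constructed tag as unset, the same way AnalyzerConfirmation does — worth confirming against the Tag definition, which is outside this diff.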


@ -590,8 +590,12 @@ public:
* @param data An optional pointer to the malformed data. * @param data An optional pointer to the malformed data.
* *
* @param len If \a data is given, the length of it. * @param len If \a data is given, the length of it.
*
* @param tag If tag is given, it overrides the analyzer tag passed to the
* scripting layer; the default is the one of the analyzer itself.
*/ */
virtual void AnalyzerViolation(const char* reason, const char* data = nullptr, int len = 0); virtual void AnalyzerViolation(const char* reason, const char* data = nullptr, int len = 0,
zeek::Tag tag = zeek::Tag());
/** /**
* Returns true if ProtocolConfirmation() has been called at least * Returns true if ProtocolConfirmation() has been called at least


@ -34,7 +34,8 @@ void TCP_ApplicationAnalyzer::Init()
SetTCP(static_cast<packet_analysis::TCP::TCPSessionAdapter*>(Parent())); SetTCP(static_cast<packet_analysis::TCP::TCPSessionAdapter*>(Parent()));
} }
void TCP_ApplicationAnalyzer::AnalyzerViolation(const char* reason, const char* data, int len) void TCP_ApplicationAnalyzer::AnalyzerViolation(const char* reason, const char* data, int len,
zeek::Tag tag)
{ {
if ( auto* tcp = TCP() ) if ( auto* tcp = TCP() )
{ {
@ -44,7 +45,7 @@ void TCP_ApplicationAnalyzer::AnalyzerViolation(const char* reason, const char*
return; return;
} }
Analyzer::AnalyzerViolation(reason, data, len); Analyzer::AnalyzerViolation(reason, data, len, tag);
} }
void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq,


@ -68,7 +68,8 @@ public:
// This suppresses violations if the TCP connection wasn't // This suppresses violations if the TCP connection wasn't
// fully established. // fully established.
void AnalyzerViolation(const char* reason, const char* data = nullptr, int len = 0) override; void AnalyzerViolation(const char* reason, const char* data = nullptr, int len = 0,
zeek::Tag tag = zeek::Tag()) override;
// "name" and "val" both now belong to this object, which needs to // "name" and "val" both now belong to this object, which needs to
// delete them when done with them. // delete them when done with them.
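Review bot: The override on lines 68-69 repeats the base declaration's default `zeek::Tag tag = zeek::Tag()`; default arguments on virtual functions are bound from the static type at the call site, so a later change to one declaration and not the other would silently make the tag seen by the script layer depend on whether the call goes through `Analyzer*` or `TCP_ApplicationAnalyzer*`. The existing `data`/`len` defaults already carry that risk, but the new parameter widens it, so a one-line reminder next to the override is cheap: `// Default args must stay identical to Analyzer::AnalyzerViolation (resolved statically).`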


@ -182,7 +182,7 @@ void Analyzer::AnalyzerConfirmation(session::Session* session, zeek::Tag arg_tag
} }
void Analyzer::AnalyzerViolation(const char* reason, session::Session* session, const char* data, void Analyzer::AnalyzerViolation(const char* reason, session::Session* session, const char* data,
int len) int len, zeek::Tag arg_tag)
{ {
if ( ! analyzer_violation ) if ( ! analyzer_violation )
return; return;
@ -201,7 +201,7 @@ void Analyzer::AnalyzerViolation(const char* reason, session::Session* session,
else else
r = make_intrusive<StringVal>(reason); r = make_intrusive<StringVal>(reason);
const auto& tval = tag.AsVal(); const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
event_mgr.Enqueue(analyzer_violation, session->GetVal(), tval, val_mgr->Count(0), std::move(r)); event_mgr.Enqueue(analyzer_violation, session->GetVal(), tval, val_mgr->Count(0), std::move(r));
} }


@ -156,7 +156,8 @@ public:
* @param len If \a data is given, the length of it. * @param len If \a data is given, the length of it.
*/ */
virtual void AnalyzerViolation(const char* reason, session::Session* session, virtual void AnalyzerViolation(const char* reason, session::Session* session,
const char* data = nullptr, int len = 0); const char* data = nullptr, int len = 0,
zeek::Tag tag = zeek::Tag());
/** /**
* Returns true if ProtocolConfirmation() has been called at least * Returns true if ProtocolConfirmation() has been called at least
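Review bot: The new `zeek::Tag tag` parameter on line 96 is left undocumented in this Doxygen block, while the counterpart declaration in the other Analyzer.h gains a `@param tag` entry in the same commit. Adding the matching line before the `*/` on line 93 keeps the two APIs readable side by side: `* @param tag If tag is given, it overrides the analyzer tag passed to the scripting layer; the default is the one of the analyzer itself.`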