Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge branch 'master' into topic/jsiwek/fuzzing

Browse source
This commit is contained in:
Jon Siwek 2020-04-28 17:25:32 -07:00
commit d533212a6a
218 changed files with 3816 additions and 3557 deletions
Download patch file Download diff file Expand all files Collapse all files

82
CHANGES
View file

@ -1,4 +1,86 @@
3.2.0-dev.443 | 2020-04-28 17:10:38 -0700
* GH-941: Fix build when configured to use libmaxminddb (Jon Siwek, Corelight)
3.2.0-dev.441 | 2020-04-27 13:34:22 -0700
* Fix a few more IntrusivePtr deprecation warnings (Tim Wojtulewicz, Corelight)
* Fix cloning of TypeType values (Vern Paxson, Corelight)
3.2.0-dev.437 | 2020-04-27 19:30:24 +0000
* GH-854: provide access to original HTTP/MIME header names
The "http_header" event now has an "original_name" parameter that allows
access to the original header name (the "name" parameter reamins the
same as before: it's the uppercased header name).
The "mime_header_rec" record type now also includes an "original_name"
field to similarly provide access to original header name in the
following events: "http_all_headers", "mime_one_header", and
"mime_all_headers". (Jon Siwek, Corelight)
* Remove error message from empty bloomfilter lookups
If a bloomfilter doesn't have a type, that just means no
bloomfilter_add() has been called yet, so seems undesirable to emit an
error for a lookup against something that's known to be empty. (Jon Siwek, Corelight)
* unused variables found via use-def analysis (plus an indentation micro-nit) (Vern Paxson, Corelight)
3.2.0-dev.431 | 2020-04-27 12:09:30 -0700
* Update various BIFs to return IntrusivePtr (Jon Siwek, Corelight)
3.2.0-dev.428 | 2020-04-24 16:19:45 -0700
* Deprecate returning Val* from BIFs (Jon Siwek, Corelight)
* Deprecate binpac::string_to_val (Jon Siwek, Corelight)
* Deprecate binpac::bytestring_to_val, replace with binpac::to_stringval (Jon Siwek, Corelight)
* Update deprecated BifEvent::generate_* usages (Jon Siwek, Corelight)
* Deprecate Connection::Event and Analyzer::Event methods
And update usages to the "EnqueueEvent" methods. (Jon Siwek, Corelight)
* Deprecate BuildConnVal() methods and update usages to ConnVal()
The later being a new method that returns IntrusivePtr (Jon Siwek, Corelight)
* Update all BIFs to return IntrusivePtr instead of Val* (Jon Siwek, Corelight)
* Update deprecated ValManager::GetPort usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetEmptyString usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetCount usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetInt usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetBool usages (Jon Siwek, Corelight)
* Update deprecated ValManager GetTrue/GetFalse usages (Jon Siwek, Corelight)
* Deprecate all ValManager "Get" methods
Alternate methods that return IntrusivePtr are available in similarly
named methods that omit the "Get" prefix. (Jon Siwek, Corelight)
* Change BIFs to return a wrapper object
That allows returning either Val* or IntrusivePtr<T>. The former could
eventually be deprecated, but it's used extensively at the moment. (Jon Siwek, Corelight)
3.2.0-dev.412 | 2020-04-22 10:43:39 -0700
* Fix buffer over-read in Ident analyzer (Max Kellermann)
3.2.0-dev.410 | 2020-04-21 10:25:29 -0700 3.2.0-dev.410 | 2020-04-21 10:25:29 -0700
* Remove "connection_external" event (Johanna Amann, Corelight) * Remove "connection_external" event (Johanna Amann, Corelight)

21
NEWS
View file

@ -96,7 +96,7 @@ Deprecated Functionality
- The ``EventMgr::QueueEvent()`` and EventMgr::QueueEventFast()`` methods - The ``EventMgr::QueueEvent()`` and EventMgr::QueueEventFast()`` methods
are now deprecated, use ``EventMgr::Enqueue()`` instead. are now deprecated, use ``EventMgr::Enqueue()`` instead.
- The ``Connection::ConnectionEvent()`` and - The ``Connection::ConnectionEvent()``, ``Connection::Event()``, and
``Connection::ConnectionEventFast()`` methods are now deprecated, use ``Connection::ConnectionEventFast()`` methods are now deprecated, use
``Connection::EnqueueEvent()`` instead. ``Connection::EnqueueEvent()`` instead.
@ -104,10 +104,25 @@ Deprecated Functionality
arguments are now deprecated, use the overload that takes a ``zeek::Args`` arguments are now deprecated, use the overload that takes a ``zeek::Args``
instead. instead.
- The ``analyzer::Analyzer::ConnectionEvent()`` and - The ``analyzer::Analyzer::ConnectionEvent()``, ``analyzer::Analyzer::Event``,
``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use and ``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
``analyzer::Analyzer::EnqueueConnEvent()`` instead. ``analyzer::Analyzer::EnqueueConnEvent()`` instead.
- All ``val_mgr`` methods starting with "Get" are deprecated, use the new
``val_mgr`` methods that return ``IntrusivePtr``.
- ``Connection::BuildConnVal()`` is deprecated, use ``Connection::ConnVal()``.
- ``Analyzer::BuildConnVal()`` is deprecated, use ``Analyzer::ConnVal()``.
- ``BifEvent::generate_`` functions are deprecated, use ``BifEvent::enqueue_``.
- ``binpac::bytestring_to_val()`` is deprecated, use ``binpac::to_stringval()``.
- ``binpac::string_to_val()`` is deprecated, use ``StringVal`` constructor.
- Returning ``Val*`` from BIFs is deprecated, return ``IntrusivePtr`` instead.
Zeek 3.1.0 Zeek 3.1.0
========== ==========

2
VERSION
View file

@ -1 +1 @@
3.2.0-dev.410 3.2.0-dev.443

2
aux/bifcl

@ -1 +1 @@
Subproject commit 66b4b30305237f48535276a00a52ca304659400b Subproject commit 9918f94bd90e77dfc75bc50c2c0da644f292e262

2
aux/btest

@ -1 +1 @@
Subproject commit 87896050d7ac189f0e063bb90c3fa37a6c977f83 Subproject commit 0528e8bc8e6e0108ec2f752896b2aa8b5dd949dd

2
doc

@ -1 +1 @@
Subproject commit 7b59ef1ab823a77dff78991b6a8808be5ba9072d Subproject commit e862aa7a89c044e7eea96671d9b832a5dfccbf56

1
scripts/base/frameworks/cluster/setup-connections.zeek
View file

@ -28,7 +28,6 @@ function connect_peer(node_type: NodeType, node_name: string)
function connect_peers_with_type(node_type: NodeType) function connect_peers_with_type(node_type: NodeType)
{ {
local rval: vector of NamedNode = vector();
local nn = nodes_with_type(node_type); local nn = nodes_with_type(node_type);
for ( i in nn ) for ( i in nn )

2
scripts/base/frameworks/netcontrol/main.zeek
View file

@ -731,7 +731,7 @@ function find_rules_subnet(sn: subnet) : vector of Rule
{ {
local sn_entry = matches[m]; local sn_entry = matches[m];
local rule_ids = rules_by_subnets[sn_entry]; local rule_ids = rules_by_subnets[sn_entry];
for ( rule_id in rules_by_subnets[sn_entry] ) for ( rule_id in rule_ids )
{ {
if ( rule_id in rules ) if ( rule_id in rules )
ret += rules[rule_id]; ret += rules[rule_id];

2
scripts/base/frameworks/netcontrol/plugins/openflow.zeek
View file

@ -195,7 +195,7 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat
return openflow_match_pred(p, e, v); return openflow_match_pred(p, e, v);
} }
local proto = OpenFlow::IP_TCP; # local proto = OpenFlow::IP_TCP;
if ( e$ty == FLOW ) if ( e$ty == FLOW )
{ {

3
scripts/base/init-bare.zeek
View file

@ -2076,7 +2076,8 @@ global login_timeouts: set[string] &redef;
## ##
## .. zeek:see:: mime_header_list http_all_headers mime_all_headers mime_one_header ## .. zeek:see:: mime_header_list http_all_headers mime_all_headers mime_one_header
type mime_header_rec: record { type mime_header_rec: record {
name: string; ##< The header name. original_name: string; ##< The header name (unaltered).
name: string; ##< The header name (converted to all upper-case).
value: string; ##< The header value. value: string; ##< The header value.
}; };

1
scripts/base/protocols/smtp/main.zeek
View file

@ -336,5 +336,6 @@ function describe(rec: Info): string
(|rec$rcptto|>1 ? fmt(" (plus %d others)", |rec$rcptto|-1) : ""), (|rec$rcptto|>1 ? fmt(" (plus %d others)", |rec$rcptto|-1) : ""),
(abbrev_subject != "" ? fmt(": %s", abbrev_subject) : "")); (abbrev_subject != "" ? fmt(": %s", abbrev_subject) : ""));
} }
return ""; return "";
} }

5
scripts/base/utils/addrs.zeek
View file

@ -70,11 +70,10 @@ const ip_addr_regex = ipv4_addr_regex | ipv6_addr_regex;
## Returns: T if every element is between 0 and 255, inclusive, else F. ## Returns: T if every element is between 0 and 255, inclusive, else F.
function has_valid_octets(octets: string_vec): bool function has_valid_octets(octets: string_vec): bool
{ {
local num = 0;
for ( i in octets ) for ( i in octets )
{ {
num = to_count(octets[i]); local num = to_count(octets[i]);
if ( num < 0 || 255 < num ) if ( 255 < num )
return F; return F;
} }
return T; return T;

8
src/CompHash.cc
View file

@ -768,9 +768,9 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
if ( tag == TYPE_ENUM ) if ( tag == TYPE_ENUM )
*pval = t->AsEnumType()->GetVal(*kp); *pval = t->AsEnumType()->GetVal(*kp);
else if ( tag == TYPE_BOOL ) else if ( tag == TYPE_BOOL )
*pval = {AdoptRef{}, val_mgr->GetBool(*kp)}; *pval = val_mgr->Bool(*kp);
else if ( tag == TYPE_INT ) else if ( tag == TYPE_INT )
*pval = {AdoptRef{}, val_mgr->GetInt(*kp)}; *pval = val_mgr->Int(*kp);
else else
{ {
reporter->InternalError("bad internal unsigned int in CompositeHash::RecoverOneVal()"); reporter->InternalError("bad internal unsigned int in CompositeHash::RecoverOneVal()");
@ -787,11 +787,11 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
switch ( tag ) { switch ( tag ) {
case TYPE_COUNT: case TYPE_COUNT:
case TYPE_COUNTER: case TYPE_COUNTER:
*pval = {AdoptRef{}, val_mgr->GetCount(*kp)}; *pval = val_mgr->Count(*kp);
break; break;
case TYPE_PORT: case TYPE_PORT:
*pval = {AdoptRef{}, val_mgr->GetPort(*kp)}; *pval = val_mgr->Port(*kp);
break; break;
default: default:

93
src/Conn.cc
View file

@ -90,7 +90,6 @@ Connection::Connection(NetSessions* s, const ConnIDKey& k, double t, const ConnI
vlan = pkt->vlan; vlan = pkt->vlan;
inner_vlan = pkt->inner_vlan; inner_vlan = pkt->inner_vlan;
conn_val = nullptr;
login_conn = nullptr; login_conn = nullptr;
is_active = 1; is_active = 1;
@ -131,10 +130,7 @@ Connection::~Connection()
CancelTimers(); CancelTimers();
if ( conn_val ) if ( conn_val )
{
conn_val->SetOrigin(nullptr); conn_val->SetOrigin(nullptr);
Unref(conn_val);
}
delete root_analyzer; delete root_analyzer;
delete encapsulation; delete encapsulation;
@ -148,23 +144,34 @@ void Connection::CheckEncapsulation(const EncapsulationStack* arg_encap)
{ {
if ( *encapsulation != *arg_encap ) if ( *encapsulation != *arg_encap )
{ {
Event(tunnel_changed, nullptr, arg_encap->GetVectorVal()); if ( tunnel_changed )
EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
IntrusivePtr{AdoptRef{}, arg_encap->GetVectorVal()});
delete encapsulation; delete encapsulation;
encapsulation = new EncapsulationStack(*arg_encap); encapsulation = new EncapsulationStack(*arg_encap);
} }
} }
else if ( encapsulation ) else if ( encapsulation )
{
if ( tunnel_changed )
{ {
EncapsulationStack empty; EncapsulationStack empty;
Event(tunnel_changed, nullptr, empty.GetVectorVal()); EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
IntrusivePtr{AdoptRef{}, empty.GetVectorVal()});
}
delete encapsulation; delete encapsulation;
encapsulation = nullptr; encapsulation = nullptr;
} }
else if ( arg_encap ) else if ( arg_encap )
{ {
Event(tunnel_changed, nullptr, arg_encap->GetVectorVal()); if ( tunnel_changed )
EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
IntrusivePtr{AdoptRef{}, arg_encap->GetVectorVal()});
encapsulation = new EncapsulationStack(*arg_encap); encapsulation = new EncapsulationStack(*arg_encap);
} }
} }
@ -203,7 +210,7 @@ void Connection::NextPacket(double t, bool is_orig,
is_successful = true; is_successful = true;
if ( ! was_successful && is_successful && connection_successful ) if ( ! was_successful && is_successful && connection_successful )
EnqueueEvent(connection_successful, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()}); EnqueueEvent(connection_successful, nullptr, ConnVal());
} }
else else
last_time = t; last_time = t;
@ -260,9 +267,9 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
return; return;
EnqueueEvent(e, nullptr, EnqueueEvent(e, nullptr,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}, val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)} val_mgr->Count(threshold)
); );
} }
@ -323,30 +330,35 @@ void Connection::EnableStatusUpdateTimer()
void Connection::StatusUpdateTimer(double t) void Connection::StatusUpdateTimer(double t)
{ {
EnqueueEvent(connection_status_update, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()}); EnqueueEvent(connection_status_update, nullptr, ConnVal());
ADD_TIMER(&Connection::StatusUpdateTimer, ADD_TIMER(&Connection::StatusUpdateTimer,
network_time + connection_status_update_interval, 0, network_time + connection_status_update_interval, 0,
TIMER_CONN_STATUS_UPDATE); TIMER_CONN_STATUS_UPDATE);
} }
RecordVal* Connection::BuildConnVal() RecordVal* Connection::BuildConnVal()
{
return ConnVal()->Ref()->AsRecordVal();
}
const IntrusivePtr<RecordVal>& Connection::ConnVal()
{ {
if ( ! conn_val ) if ( ! conn_val )
{ {
conn_val = new RecordVal(connection_type); conn_val = make_intrusive<RecordVal>(connection_type);
TransportProto prot_type = ConnTransport(); TransportProto prot_type = ConnTransport();
auto id_val = make_intrusive<RecordVal>(conn_id); auto id_val = make_intrusive<RecordVal>(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(orig_addr)); id_val->Assign(0, make_intrusive<AddrVal>(orig_addr));
id_val->Assign(1, val_mgr->GetPort(ntohs(orig_port), prot_type)); id_val->Assign(1, val_mgr->Port(ntohs(orig_port), prot_type));
id_val->Assign(2, make_intrusive<AddrVal>(resp_addr)); id_val->Assign(2, make_intrusive<AddrVal>(resp_addr));
id_val->Assign(3, val_mgr->GetPort(ntohs(resp_port), prot_type)); id_val->Assign(3, val_mgr->Port(ntohs(resp_port), prot_type));
auto orig_endp = make_intrusive<RecordVal>(endpoint); auto orig_endp = make_intrusive<RecordVal>(endpoint);
orig_endp->Assign(0, val_mgr->GetCount(0)); orig_endp->Assign(0, val_mgr->Count(0));
orig_endp->Assign(1, val_mgr->GetCount(0)); orig_endp->Assign(1, val_mgr->Count(0));
orig_endp->Assign(4, val_mgr->GetCount(orig_flow_label)); orig_endp->Assign(4, val_mgr->Count(orig_flow_label));
const int l2_len = sizeof(orig_l2_addr); const int l2_len = sizeof(orig_l2_addr);
char null[l2_len]{}; char null[l2_len]{};
@ -355,9 +367,9 @@ RecordVal* Connection::BuildConnVal()
orig_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(orig_l2_addr, l2_len))); orig_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(orig_l2_addr, l2_len)));
auto resp_endp = make_intrusive<RecordVal>(endpoint); auto resp_endp = make_intrusive<RecordVal>(endpoint);
resp_endp->Assign(0, val_mgr->GetCount(0)); resp_endp->Assign(0, val_mgr->Count(0));
resp_endp->Assign(1, val_mgr->GetCount(0)); resp_endp->Assign(1, val_mgr->Count(0));
resp_endp->Assign(4, val_mgr->GetCount(resp_flow_label)); resp_endp->Assign(4, val_mgr->Count(resp_flow_label));
if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 ) if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 )
resp_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(resp_l2_addr, l2_len))); resp_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(resp_l2_addr, l2_len)));
@ -367,7 +379,7 @@ RecordVal* Connection::BuildConnVal()
conn_val->Assign(2, std::move(resp_endp)); conn_val->Assign(2, std::move(resp_endp));
// 3 and 4 are set below. // 3 and 4 are set below.
conn_val->Assign(5, make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set})); // service conn_val->Assign(5, make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set})); // service
conn_val->Assign(6, val_mgr->GetEmptyString()); // history conn_val->Assign(6, val_mgr->EmptyString()); // history
if ( ! uid ) if ( ! uid )
uid.Set(bits_per_uid); uid.Set(bits_per_uid);
@ -378,25 +390,23 @@ RecordVal* Connection::BuildConnVal()
conn_val->Assign(8, encapsulation->GetVectorVal()); conn_val->Assign(8, encapsulation->GetVectorVal());
if ( vlan != 0 ) if ( vlan != 0 )
conn_val->Assign(9, val_mgr->GetInt(vlan)); conn_val->Assign(9, val_mgr->Int(vlan));
if ( inner_vlan != 0 ) if ( inner_vlan != 0 )
conn_val->Assign(10, val_mgr->GetInt(inner_vlan)); conn_val->Assign(10, val_mgr->Int(inner_vlan));
} }
if ( root_analyzer ) if ( root_analyzer )
root_analyzer->UpdateConnVal(conn_val); root_analyzer->UpdateConnVal(conn_val.get());
conn_val->Assign(3, make_intrusive<Val>(start_time, TYPE_TIME)); // ### conn_val->Assign(3, make_intrusive<Val>(start_time, TYPE_TIME)); // ###
conn_val->Assign(4, make_intrusive<Val>(last_time - start_time, TYPE_INTERVAL)); conn_val->Assign(4, make_intrusive<Val>(last_time - start_time, TYPE_INTERVAL));
conn_val->Assign(6, make_intrusive<StringVal>(history.c_str())); conn_val->Assign(6, make_intrusive<StringVal>(history.c_str()));
conn_val->Assign(11, val_mgr->GetBool(is_successful)); conn_val->Assign(11, val_mgr->Bool(is_successful));
conn_val->SetOrigin(this); conn_val->SetOrigin(this);
Ref(conn_val);
return conn_val; return conn_val;
} }
@ -417,12 +427,12 @@ analyzer::Analyzer* Connection::FindAnalyzer(const char* name)
void Connection::AppendAddl(const char* str) void Connection::AppendAddl(const char* str)
{ {
Unref(BuildConnVal()); const auto& cv = ConnVal();
const char* old = conn_val->Lookup(6)->AsString()->CheckString(); const char* old = cv->Lookup(6)->AsString()->CheckString();
const char* format = *old ? "%s %s" : "%s%s"; const char* format = *old ? "%s %s" : "%s%s";
conn_val->Assign(6, make_intrusive<StringVal>(fmt(format, old, str))); cv->Assign(6, make_intrusive<StringVal>(fmt(format, old, str)));
} }
// Returns true if the character at s separates a version number. // Returns true if the character at s separates a version number.
@ -446,7 +456,7 @@ void Connection::Match(Rule::PatternType type, const u_char* data, int len, bool
void Connection::RemovalEvent() void Connection::RemovalEvent()
{ {
auto cv = IntrusivePtr{AdoptRef{}, BuildConnVal()}; auto cv = ConnVal();
if ( connection_state_remove ) if ( connection_state_remove )
EnqueueEvent(connection_state_remove, nullptr, cv); EnqueueEvent(connection_state_remove, nullptr, cv);
@ -461,9 +471,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch
return; return;
if ( name ) if ( name )
EnqueueEvent(f, analyzer, make_intrusive<StringVal>(name), IntrusivePtr{AdoptRef{}, BuildConnVal()}); EnqueueEvent(f, analyzer, make_intrusive<StringVal>(name), ConnVal());
else else
EnqueueEvent(f, analyzer, IntrusivePtr{AdoptRef{}, BuildConnVal()}); EnqueueEvent(f, analyzer, ConnVal());
} }
void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2) void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2)
@ -477,12 +487,12 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1,
if ( v2 ) if ( v2 )
EnqueueEvent(f, analyzer, EnqueueEvent(f, analyzer,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, v1}, IntrusivePtr{AdoptRef{}, v1},
IntrusivePtr{AdoptRef{}, v2}); IntrusivePtr{AdoptRef{}, v2});
else else
EnqueueEvent(f, analyzer, EnqueueEvent(f, analyzer,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, v1}); IntrusivePtr{AdoptRef{}, v1});
} }
@ -590,7 +600,6 @@ void Connection::FlipRoles()
resp_flow_label = orig_flow_label; resp_flow_label = orig_flow_label;
orig_flow_label = tmp_flow; orig_flow_label = tmp_flow;
Unref(conn_val);
conn_val = nullptr; conn_val = nullptr;
if ( root_analyzer ) if ( root_analyzer )
@ -690,17 +699,17 @@ void Connection::CheckFlowLabel(bool is_orig, uint32_t flow_label)
if ( conn_val ) if ( conn_val )
{ {
RecordVal *endp = conn_val->Lookup(is_orig ? 1 : 2)->AsRecordVal(); RecordVal *endp = conn_val->Lookup(is_orig ? 1 : 2)->AsRecordVal();
endp->Assign(4, val_mgr->GetCount(flow_label)); endp->Assign(4, val_mgr->Count(flow_label));
} }
if ( connection_flow_label_changed && if ( connection_flow_label_changed &&
(is_orig ? saw_first_orig_packet : saw_first_resp_packet) ) (is_orig ? saw_first_orig_packet : saw_first_resp_packet) )
{ {
EnqueueEvent(connection_flow_label_changed, nullptr, EnqueueEvent(connection_flow_label_changed, nullptr,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}, val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(my_flow_label)}, val_mgr->Count(my_flow_label),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flow_label)} val_mgr->Count(flow_label)
); );
} }

12
src/Conn.h
View file

@ -163,7 +163,14 @@ public:
// Activate connection_status_update timer. // Activate connection_status_update timer.
void EnableStatusUpdateTimer(); void EnableStatusUpdateTimer();
[[deprecated("Remove in v4.1. Use ConnVal() instead.")]]
RecordVal* BuildConnVal(); RecordVal* BuildConnVal();
/**
* Returns the associated "connection" record.
*/
const IntrusivePtr<RecordVal>& ConnVal();
void AppendAddl(const char* str); void AppendAddl(const char* str);
LoginConn* AsLoginConn() { return login_conn; } LoginConn* AsLoginConn() { return login_conn; }
@ -186,6 +193,7 @@ public:
// 'v1' and 'v2' reference counts get decremented. The event's first // 'v1' and 'v2' reference counts get decremented. The event's first
// argument is the connection value, second argument is 'v1', and if 'v2' // argument is the connection value, second argument is 'v1', and if 'v2'
// is given that will be it's third argument. // is given that will be it's third argument.
[[deprecated("Remove in v4.1. Use EnqueueEvent() instead (note it doesn't automatically add the connection argument).")]]
void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = nullptr); void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = nullptr);
// If a handler exists for 'f', an event will be generated. In any case, // If a handler exists for 'f', an event will be generated. In any case,
@ -316,8 +324,6 @@ public:
protected: protected:
Connection() { }
// Add the given timer to expire at time t. If do_expire // Add the given timer to expire at time t. If do_expire
// is true, then the timer is also evaluated when Bro terminates, // is true, then the timer is also evaluated when Bro terminates,
// otherwise not. // otherwise not.
@ -349,7 +355,7 @@ protected:
u_char resp_l2_addr[Packet::l2_addr_len]; // Link-layer responder address, if available u_char resp_l2_addr[Packet::l2_addr_len]; // Link-layer responder address, if available
double start_time, last_time; double start_time, last_time;
double inactivity_timeout; double inactivity_timeout;
RecordVal* conn_val; IntrusivePtr<RecordVal> conn_val;
LoginConn* login_conn; // either nil, or this LoginConn* login_conn; // either nil, or this
const EncapsulationStack* encapsulation; // tunnels const EncapsulationStack* encapsulation; // tunnels
int suppress_event; // suppress certain events to once per conn. int suppress_event; // suppress certain events to once per conn.

2
src/DNS_Mgr.cc
View file

@ -738,7 +738,7 @@ IntrusivePtr<Val> DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
r->Assign(0, make_intrusive<Val>(dm->CreationTime(), TYPE_TIME)); r->Assign(0, make_intrusive<Val>(dm->CreationTime(), TYPE_TIME));
r->Assign(1, make_intrusive<StringVal>(dm->ReqHost() ? dm->ReqHost() : "")); r->Assign(1, make_intrusive<StringVal>(dm->ReqHost() ? dm->ReqHost() : ""));
r->Assign(2, make_intrusive<AddrVal>(dm->ReqAddr())); r->Assign(2, make_intrusive<AddrVal>(dm->ReqAddr()));
r->Assign(3, val_mgr->GetBool(dm->Valid())); r->Assign(3, val_mgr->Bool(dm->Valid()));
auto h = dm->Host(); auto h = dm->Host();
r->Assign(4, h ? h.release() : new StringVal("<none>")); r->Assign(4, h ? h.release() : new StringVal("<none>"));

48
src/Expr.cc
View file

@ -682,11 +682,11 @@ IntrusivePtr<Val> BinaryExpr::Fold(Val* v1, Val* v2) const
else if ( ret_type->InternalType() == TYPE_INTERNAL_DOUBLE ) else if ( ret_type->InternalType() == TYPE_INTERNAL_DOUBLE )
return make_intrusive<Val>(d3, ret_type->Tag()); return make_intrusive<Val>(d3, ret_type->Tag());
else if ( ret_type->InternalType() == TYPE_INTERNAL_UNSIGNED ) else if ( ret_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
return {AdoptRef{}, val_mgr->GetCount(u3)}; return val_mgr->Count(u3);
else if ( ret_type->Tag() == TYPE_BOOL ) else if ( ret_type->Tag() == TYPE_BOOL )
return {AdoptRef{}, val_mgr->GetBool(i3)}; return val_mgr->Bool(i3);
else else
return {AdoptRef{}, val_mgr->GetInt(i3)}; return val_mgr->Int(i3);
} }
IntrusivePtr<Val> BinaryExpr::StringFold(Val* v1, Val* v2) const IntrusivePtr<Val> BinaryExpr::StringFold(Val* v1, Val* v2) const
@ -720,7 +720,7 @@ IntrusivePtr<Val> BinaryExpr::StringFold(Val* v1, Val* v2) const
BadTag("BinaryExpr::StringFold", expr_name(tag)); BadTag("BinaryExpr::StringFold", expr_name(tag));
} }
return {AdoptRef{}, val_mgr->GetBool(result)}; return val_mgr->Bool(result);
} }
@ -796,7 +796,7 @@ IntrusivePtr<Val> BinaryExpr::SetFold(Val* v1, Val* v2) const
return nullptr; return nullptr;
} }
return {AdoptRef{}, val_mgr->GetBool(res)}; return val_mgr->Bool(res);
} }
IntrusivePtr<Val> BinaryExpr::AddrFold(Val* v1, Val* v2) const IntrusivePtr<Val> BinaryExpr::AddrFold(Val* v1, Val* v2) const
@ -830,7 +830,7 @@ IntrusivePtr<Val> BinaryExpr::AddrFold(Val* v1, Val* v2) const
BadTag("BinaryExpr::AddrFold", expr_name(tag)); BadTag("BinaryExpr::AddrFold", expr_name(tag));
} }
return {AdoptRef{}, val_mgr->GetBool(result)}; return val_mgr->Bool(result);
} }
IntrusivePtr<Val> BinaryExpr::SubNetFold(Val* v1, Val* v2) const IntrusivePtr<Val> BinaryExpr::SubNetFold(Val* v1, Val* v2) const
@ -843,7 +843,7 @@ IntrusivePtr<Val> BinaryExpr::SubNetFold(Val* v1, Val* v2) const
if ( tag == EXPR_NE ) if ( tag == EXPR_NE )
result = ! result; result = ! result;
return {AdoptRef{}, val_mgr->GetBool(result)}; return val_mgr->Bool(result);
} }
void BinaryExpr::SwapOps() void BinaryExpr::SwapOps()
@ -958,9 +958,9 @@ IntrusivePtr<Val> IncrExpr::DoSingleEval(Frame* f, Val* v) const
ret_type = Type()->YieldType(); ret_type = Type()->YieldType();
if ( ret_type->Tag() == TYPE_INT ) if ( ret_type->Tag() == TYPE_INT )
return {AdoptRef{}, val_mgr->GetInt(k)}; return val_mgr->Int(k);
else else
return {AdoptRef{}, val_mgr->GetCount(k)}; return val_mgr->Count(k);
} }
@ -1018,7 +1018,7 @@ ComplementExpr::ComplementExpr(IntrusivePtr<Expr> arg_op)
IntrusivePtr<Val> ComplementExpr::Fold(Val* v) const IntrusivePtr<Val> ComplementExpr::Fold(Val* v) const
{ {
return {AdoptRef{}, val_mgr->GetCount(~ v->InternalUnsigned())}; return val_mgr->Count(~ v->InternalUnsigned());
} }
NotExpr::NotExpr(IntrusivePtr<Expr> arg_op) NotExpr::NotExpr(IntrusivePtr<Expr> arg_op)
@ -1037,7 +1037,7 @@ NotExpr::NotExpr(IntrusivePtr<Expr> arg_op)
IntrusivePtr<Val> NotExpr::Fold(Val* v) const IntrusivePtr<Val> NotExpr::Fold(Val* v) const
{ {
return {AdoptRef{}, val_mgr->GetBool(! v->InternalInt())}; return val_mgr->Bool(! v->InternalInt());
} }
PosExpr::PosExpr(IntrusivePtr<Expr> arg_op) PosExpr::PosExpr(IntrusivePtr<Expr> arg_op)
@ -1075,7 +1075,7 @@ IntrusivePtr<Val> PosExpr::Fold(Val* v) const
if ( t == TYPE_DOUBLE || t == TYPE_INTERVAL || t == TYPE_INT ) if ( t == TYPE_DOUBLE || t == TYPE_INTERVAL || t == TYPE_INT )
return {NewRef{}, v}; return {NewRef{}, v};
else else
return {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())}; return val_mgr->Int(v->CoerceToInt());
} }
NegExpr::NegExpr(IntrusivePtr<Expr> arg_op) NegExpr::NegExpr(IntrusivePtr<Expr> arg_op)
@ -1113,7 +1113,7 @@ IntrusivePtr<Val> NegExpr::Fold(Val* v) const
else if ( v->Type()->Tag() == TYPE_INTERVAL ) else if ( v->Type()->Tag() == TYPE_INTERVAL )
return make_intrusive<IntervalVal>(- v->InternalDouble(), 1.0); return make_intrusive<IntervalVal>(- v->InternalDouble(), 1.0);
else else
return {AdoptRef{}, val_mgr->GetInt(- v->CoerceToInt())}; return val_mgr->Int(- v->CoerceToInt());
} }
SizeExpr::SizeExpr(IntrusivePtr<Expr> arg_op) SizeExpr::SizeExpr(IntrusivePtr<Expr> arg_op)
@ -1620,7 +1620,7 @@ IntrusivePtr<Val> BoolExpr::Eval(Frame* f) const
(! op1->IsZero() && ! op2->IsZero()) : (! op1->IsZero() && ! op2->IsZero()) :
(! op1->IsZero() || ! op2->IsZero()); (! op1->IsZero() || ! op2->IsZero());
result->Assign(i, val_mgr->GetBool(local_result)); result->Assign(i, val_mgr->Bool(local_result));
} }
else else
result->Assign(i, nullptr); result->Assign(i, nullptr);
@ -1775,9 +1775,9 @@ IntrusivePtr<Val> EqExpr::Fold(Val* v1, Val* v2) const
RE_Matcher* re = v1->AsPattern(); RE_Matcher* re = v1->AsPattern();
const BroString* s = v2->AsString(); const BroString* s = v2->AsString();
if ( tag == EXPR_EQ ) if ( tag == EXPR_EQ )
return {AdoptRef{}, val_mgr->GetBool(re->MatchExactly(s))}; return val_mgr->Bool(re->MatchExactly(s));
else else
return {AdoptRef{}, val_mgr->GetBool(! re->MatchExactly(s))}; return val_mgr->Bool(! re->MatchExactly(s));
} }
else else
@ -2972,7 +2972,7 @@ HasFieldExpr::~HasFieldExpr()
IntrusivePtr<Val> HasFieldExpr::Fold(Val* v) const IntrusivePtr<Val> HasFieldExpr::Fold(Val* v) const
{ {
auto rv = v->AsRecordVal(); auto rv = v->AsRecordVal();
return {AdoptRef{}, val_mgr->GetBool(rv->Lookup(field))}; return val_mgr->Bool(rv->Lookup(field));
} }
void HasFieldExpr::ExprDescribe(ODesc* d) const void HasFieldExpr::ExprDescribe(ODesc* d) const
@ -3485,10 +3485,10 @@ IntrusivePtr<Val> ArithCoerceExpr::FoldSingleVal(Val* v, InternalTypeTag t) cons
return make_intrusive<Val>(v->CoerceToDouble(), TYPE_DOUBLE); return make_intrusive<Val>(v->CoerceToDouble(), TYPE_DOUBLE);
case TYPE_INTERNAL_INT: case TYPE_INTERNAL_INT:
return {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())}; return val_mgr->Int(v->CoerceToInt());
case TYPE_INTERNAL_UNSIGNED: case TYPE_INTERNAL_UNSIGNED:
return {AdoptRef{}, val_mgr->GetCount(v->CoerceToUnsigned())}; return val_mgr->Count(v->CoerceToUnsigned());
default: default:
RuntimeErrorWithCallStack("bad type in CoerceExpr::Fold"); RuntimeErrorWithCallStack("bad type in CoerceExpr::Fold");
@ -4024,7 +4024,7 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
{ {
RE_Matcher* re = v1->AsPattern(); RE_Matcher* re = v1->AsPattern();
const BroString* s = v2->AsString(); const BroString* s = v2->AsString();
return {AdoptRef{}, val_mgr->GetBool(re->MatchAnywhere(s) != 0)}; return val_mgr->Bool(re->MatchAnywhere(s) != 0);
} }
if ( v2->Type()->Tag() == TYPE_STRING ) if ( v2->Type()->Tag() == TYPE_STRING )
@ -4035,12 +4035,12 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
// Could do better here e.g. Boyer-Moore if done repeatedly. // Could do better here e.g. Boyer-Moore if done repeatedly.
auto s = reinterpret_cast<const unsigned char*>(s1->CheckString()); auto s = reinterpret_cast<const unsigned char*>(s1->CheckString());
auto res = strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s) != -1; auto res = strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s) != -1;
return {AdoptRef{}, val_mgr->GetBool(res)}; return val_mgr->Bool(res);
} }
if ( v1->Type()->Tag() == TYPE_ADDR && if ( v1->Type()->Tag() == TYPE_ADDR &&
v2->Type()->Tag() == TYPE_SUBNET ) v2->Type()->Tag() == TYPE_SUBNET )
return {AdoptRef{}, val_mgr->GetBool(v2->AsSubNetVal()->Contains(v1->AsAddr()))}; return val_mgr->Bool(v2->AsSubNetVal()->Contains(v1->AsAddr()));
bool res; bool res;
@ -4049,7 +4049,7 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
else else
res = (bool)v2->AsTableVal()->Lookup(v1, false); res = (bool)v2->AsTableVal()->Lookup(v1, false);
return {AdoptRef{}, val_mgr->GetBool(res)}; return val_mgr->Bool(res);
} }
CallExpr::CallExpr(IntrusivePtr<Expr> arg_func, CallExpr::CallExpr(IntrusivePtr<Expr> arg_func,
@ -4906,7 +4906,7 @@ IntrusivePtr<Val> IsExpr::Fold(Val* v) const
if ( IsError() ) if ( IsError() )
return nullptr; return nullptr;
return {AdoptRef{}, val_mgr->GetBool(can_cast_value_to_type(v, t.get()))}; return val_mgr->Bool(can_cast_value_to_type(v, t.get()));
} }
void IsExpr::ExprDescribe(ODesc* d) const void IsExpr::ExprDescribe(ODesc* d) const

15
src/Func.cc
View file

@ -321,7 +321,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
{ {
// Can only happen for events and hooks. // Can only happen for events and hooks.
assert(Flavor() == FUNC_FLAVOR_EVENT || Flavor() == FUNC_FLAVOR_HOOK); assert(Flavor() == FUNC_FLAVOR_EVENT || Flavor() == FUNC_FLAVOR_HOOK);
return Flavor() == FUNC_FLAVOR_HOOK ? IntrusivePtr{AdoptRef{}, val_mgr->GetTrue()} : nullptr; return Flavor() == FUNC_FLAVOR_HOOK ? val_mgr->True() : nullptr;
} }
auto f = make_intrusive<Frame>(frame_size, this, &args); auto f = make_intrusive<Frame>(frame_size, this, &args);
@ -407,7 +407,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
if ( flow == FLOW_BREAK ) if ( flow == FLOW_BREAK )
{ {
// Short-circuit execution of remaining hook handler bodies. // Short-circuit execution of remaining hook handler bodies.
result = {AdoptRef{}, val_mgr->GetFalse()}; result = val_mgr->False();
break; break;
} }
} }
@ -418,7 +418,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
if ( Flavor() == FUNC_FLAVOR_HOOK ) if ( Flavor() == FUNC_FLAVOR_HOOK )
{ {
if ( ! result ) if ( ! result )
result = {AdoptRef{}, val_mgr->GetTrue()}; result = val_mgr->True();
} }
// Warn if the function returns something, but we returned from // Warn if the function returns something, but we returned from
@ -633,7 +633,7 @@ IntrusivePtr<Val> BuiltinFunc::Call(const zeek::Args& args, Frame* parent) const
const CallExpr* call_expr = parent ? parent->GetCall() : nullptr; const CallExpr* call_expr = parent ? parent->GetCall() : nullptr;
call_stack.emplace_back(CallInfo{call_expr, this, args}); call_stack.emplace_back(CallInfo{call_expr, this, args});
IntrusivePtr<Val> result{AdoptRef{}, func(parent, &args)}; auto result = std::move(func(parent, &args).rval);
call_stack.pop_back(); call_stack.pop_back();
if ( result && g_trace_state.DoTrace() ) if ( result && g_trace_state.DoTrace() )
@ -890,3 +890,10 @@ function_ingredients::~function_ingredients()
delete inits; delete inits;
} }
BifReturnVal::BifReturnVal(std::nullptr_t) noexcept
{ }
BifReturnVal::BifReturnVal(Val* v) noexcept
: rval(AdoptRef{}, v)
{ }

27
src/Func.h
View file

@ -188,7 +188,32 @@ private:
bool weak_closure_ref = false; bool weak_closure_ref = false;
}; };
using built_in_func = Val* (*)(Frame* frame, const zeek::Args* args); /**
* A simple wrapper class to use for the return value of BIFs so that
* they may return either a Val* or IntrusivePtr<Val> (the former could
* potentially be deprecated).
*/
class BifReturnVal {
public:
template <typename T>
BifReturnVal(IntrusivePtr<T> v) noexcept
: rval(AdoptRef{}, v.release())
{ }
BifReturnVal(std::nullptr_t) noexcept;
[[deprecated("Remove in v4.1. Return an IntrusivePtr instead.")]]
BifReturnVal(Val* v) noexcept;
private:
friend class BuiltinFunc;
IntrusivePtr<Val> rval;
};
using built_in_func = BifReturnVal (*)(Frame* frame, const zeek::Args* args);
class BuiltinFunc final : public Func { class BuiltinFunc final : public Func {
public: public:

158
src/IP.cc
View file

@ -50,13 +50,13 @@ static VectorVal* BuildOptionsVal(const u_char* data, int len)
{ {
const struct ip6_opt* opt = (const struct ip6_opt*) data; const struct ip6_opt* opt = (const struct ip6_opt*) data;
RecordVal* rv = new RecordVal(hdrType(ip6_option_type, "ip6_option")); RecordVal* rv = new RecordVal(hdrType(ip6_option_type, "ip6_option"));
rv->Assign(0, val_mgr->GetCount(opt->ip6o_type)); rv->Assign(0, val_mgr->Count(opt->ip6o_type));
if ( opt->ip6o_type == 0 ) if ( opt->ip6o_type == 0 )
{ {
// Pad1 option // Pad1 option
rv->Assign(1, val_mgr->GetCount(0)); rv->Assign(1, val_mgr->Count(0));
rv->Assign(2, val_mgr->GetEmptyString()); rv->Assign(2, val_mgr->EmptyString());
data += sizeof(uint8_t); data += sizeof(uint8_t);
len -= sizeof(uint8_t); len -= sizeof(uint8_t);
} }
@ -64,7 +64,7 @@ static VectorVal* BuildOptionsVal(const u_char* data, int len)
{ {
// PadN or other option // PadN or other option
uint16_t off = 2 * sizeof(uint8_t); uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(1, val_mgr->GetCount(opt->ip6o_len)); rv->Assign(1, val_mgr->Count(opt->ip6o_len));
rv->Assign(2, make_intrusive<StringVal>( rv->Assign(2, make_intrusive<StringVal>(
new BroString(data + off, opt->ip6o_len, true))); new BroString(data + off, opt->ip6o_len, true)));
data += opt->ip6o_len + off; data += opt->ip6o_len + off;
@ -86,11 +86,11 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{ {
rv = new RecordVal(hdrType(ip6_hdr_type, "ip6_hdr")); rv = new RecordVal(hdrType(ip6_hdr_type, "ip6_hdr"));
const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data; const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data;
rv->Assign(0, val_mgr->GetCount((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20)); rv->Assign(0, val_mgr->Count((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20));
rv->Assign(1, val_mgr->GetCount(ntohl(ip6->ip6_flow) & 0x000fffff)); rv->Assign(1, val_mgr->Count(ntohl(ip6->ip6_flow) & 0x000fffff));
rv->Assign(2, val_mgr->GetCount(ntohs(ip6->ip6_plen))); rv->Assign(2, val_mgr->Count(ntohs(ip6->ip6_plen)));
rv->Assign(3, val_mgr->GetCount(ip6->ip6_nxt)); rv->Assign(3, val_mgr->Count(ip6->ip6_nxt));
rv->Assign(4, val_mgr->GetCount(ip6->ip6_hlim)); rv->Assign(4, val_mgr->Count(ip6->ip6_hlim));
rv->Assign(5, make_intrusive<AddrVal>(IPAddr(ip6->ip6_src))); rv->Assign(5, make_intrusive<AddrVal>(IPAddr(ip6->ip6_src)));
rv->Assign(6, make_intrusive<AddrVal>(IPAddr(ip6->ip6_dst))); rv->Assign(6, make_intrusive<AddrVal>(IPAddr(ip6->ip6_dst)));
if ( ! chain ) if ( ! chain )
@ -104,8 +104,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{ {
rv = new RecordVal(hdrType(ip6_hopopts_type, "ip6_hopopts")); rv = new RecordVal(hdrType(ip6_hopopts_type, "ip6_hopopts"));
const struct ip6_hbh* hbh = (const struct ip6_hbh*)data; const struct ip6_hbh* hbh = (const struct ip6_hbh*)data;
rv->Assign(0, val_mgr->GetCount(hbh->ip6h_nxt)); rv->Assign(0, val_mgr->Count(hbh->ip6h_nxt));
rv->Assign(1, val_mgr->GetCount(hbh->ip6h_len)); rv->Assign(1, val_mgr->Count(hbh->ip6h_len));
uint16_t off = 2 * sizeof(uint8_t); uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off)); rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
@ -116,8 +116,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{ {
rv = new RecordVal(hdrType(ip6_dstopts_type, "ip6_dstopts")); rv = new RecordVal(hdrType(ip6_dstopts_type, "ip6_dstopts"));
const struct ip6_dest* dst = (const struct ip6_dest*)data; const struct ip6_dest* dst = (const struct ip6_dest*)data;
rv->Assign(0, val_mgr->GetCount(dst->ip6d_nxt)); rv->Assign(0, val_mgr->Count(dst->ip6d_nxt));
rv->Assign(1, val_mgr->GetCount(dst->ip6d_len)); rv->Assign(1, val_mgr->Count(dst->ip6d_len));
uint16_t off = 2 * sizeof(uint8_t); uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off)); rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
} }
@ -127,10 +127,10 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{ {
rv = new RecordVal(hdrType(ip6_routing_type, "ip6_routing")); rv = new RecordVal(hdrType(ip6_routing_type, "ip6_routing"));
const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data; const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data;
rv->Assign(0, val_mgr->GetCount(rt->ip6r_nxt)); rv->Assign(0, val_mgr->Count(rt->ip6r_nxt));
rv->Assign(1, val_mgr->GetCount(rt->ip6r_len)); rv->Assign(1, val_mgr->Count(rt->ip6r_len));
rv->Assign(2, val_mgr->GetCount(rt->ip6r_type)); rv->Assign(2, val_mgr->Count(rt->ip6r_type));
rv->Assign(3, val_mgr->GetCount(rt->ip6r_segleft)); rv->Assign(3, val_mgr->Count(rt->ip6r_segleft));
uint16_t off = 4 * sizeof(uint8_t); uint16_t off = 4 * sizeof(uint8_t);
rv->Assign(4, make_intrusive<StringVal>(new BroString(data + off, Length() - off, true))); rv->Assign(4, make_intrusive<StringVal>(new BroString(data + off, Length() - off, true)));
} }
@ -140,28 +140,28 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{ {
rv = new RecordVal(hdrType(ip6_fragment_type, "ip6_fragment")); rv = new RecordVal(hdrType(ip6_fragment_type, "ip6_fragment"));
const struct ip6_frag* frag = (const struct ip6_frag*)data; const struct ip6_frag* frag = (const struct ip6_frag*)data;
rv->Assign(0, val_mgr->GetCount(frag->ip6f_nxt)); rv->Assign(0, val_mgr->Count(frag->ip6f_nxt));
rv->Assign(1, val_mgr->GetCount(frag->ip6f_reserved)); rv->Assign(1, val_mgr->Count(frag->ip6f_reserved));
rv->Assign(2, val_mgr->GetCount((ntohs(frag->ip6f_offlg) & 0xfff8)>>3)); rv->Assign(2, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0xfff8)>>3));
rv->Assign(3, val_mgr->GetCount((ntohs(frag->ip6f_offlg) & 0x0006)>>1)); rv->Assign(3, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0x0006)>>1));
rv->Assign(4, val_mgr->GetBool(ntohs(frag->ip6f_offlg) & 0x0001)); rv->Assign(4, val_mgr->Bool(ntohs(frag->ip6f_offlg) & 0x0001));
rv->Assign(5, val_mgr->GetCount(ntohl(frag->ip6f_ident))); rv->Assign(5, val_mgr->Count(ntohl(frag->ip6f_ident)));
} }
break; break;
case IPPROTO_AH: case IPPROTO_AH:
{ {
rv = new RecordVal(hdrType(ip6_ah_type, "ip6_ah")); rv = new RecordVal(hdrType(ip6_ah_type, "ip6_ah"));
rv->Assign(0, val_mgr->GetCount(((ip6_ext*)data)->ip6e_nxt)); rv->Assign(0, val_mgr->Count(((ip6_ext*)data)->ip6e_nxt));
rv->Assign(1, val_mgr->GetCount(((ip6_ext*)data)->ip6e_len)); rv->Assign(1, val_mgr->Count(((ip6_ext*)data)->ip6e_len));
rv->Assign(2, val_mgr->GetCount(ntohs(((uint16_t*)data)[1]))); rv->Assign(2, val_mgr->Count(ntohs(((uint16_t*)data)[1])));
rv->Assign(3, val_mgr->GetCount(ntohl(((uint32_t*)data)[1]))); rv->Assign(3, val_mgr->Count(ntohl(((uint32_t*)data)[1])));
if ( Length() >= 12 ) if ( Length() >= 12 )
{ {
// Sequence Number and ICV fields can only be extracted if // Sequence Number and ICV fields can only be extracted if
// Payload Len was non-zero for this header. // Payload Len was non-zero for this header.
rv->Assign(4, val_mgr->GetCount(ntohl(((uint32_t*)data)[2]))); rv->Assign(4, val_mgr->Count(ntohl(((uint32_t*)data)[2])));
uint16_t off = 3 * sizeof(uint32_t); uint16_t off = 3 * sizeof(uint32_t);
rv->Assign(5, make_intrusive<StringVal>(new BroString(data + off, Length() - off, true))); rv->Assign(5, make_intrusive<StringVal>(new BroString(data + off, Length() - off, true)));
} }
@ -172,8 +172,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{ {
rv = new RecordVal(hdrType(ip6_esp_type, "ip6_esp")); rv = new RecordVal(hdrType(ip6_esp_type, "ip6_esp"));
const uint32_t* esp = (const uint32_t*)data; const uint32_t* esp = (const uint32_t*)data;
rv->Assign(0, val_mgr->GetCount(ntohl(esp[0]))); rv->Assign(0, val_mgr->Count(ntohl(esp[0])));
rv->Assign(1, val_mgr->GetCount(ntohl(esp[1]))); rv->Assign(1, val_mgr->Count(ntohl(esp[1])));
} }
break; break;
@ -182,14 +182,14 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{ {
rv = new RecordVal(hdrType(ip6_mob_type, "ip6_mobility_hdr")); rv = new RecordVal(hdrType(ip6_mob_type, "ip6_mobility_hdr"));
const struct ip6_mobility* mob = (const struct ip6_mobility*) data; const struct ip6_mobility* mob = (const struct ip6_mobility*) data;
rv->Assign(0, val_mgr->GetCount(mob->ip6mob_payload)); rv->Assign(0, val_mgr->Count(mob->ip6mob_payload));
rv->Assign(1, val_mgr->GetCount(mob->ip6mob_len)); rv->Assign(1, val_mgr->Count(mob->ip6mob_len));
rv->Assign(2, val_mgr->GetCount(mob->ip6mob_type)); rv->Assign(2, val_mgr->Count(mob->ip6mob_type));
rv->Assign(3, val_mgr->GetCount(mob->ip6mob_rsv)); rv->Assign(3, val_mgr->Count(mob->ip6mob_rsv));
rv->Assign(4, val_mgr->GetCount(ntohs(mob->ip6mob_chksum))); rv->Assign(4, val_mgr->Count(ntohs(mob->ip6mob_chksum)));
RecordVal* msg = new RecordVal(hdrType(ip6_mob_msg_type, "ip6_mobility_msg")); RecordVal* msg = new RecordVal(hdrType(ip6_mob_msg_type, "ip6_mobility_msg"));
msg->Assign(0, val_mgr->GetCount(mob->ip6mob_type)); msg->Assign(0, val_mgr->Count(mob->ip6mob_type));
uint16_t off = sizeof(ip6_mobility); uint16_t off = sizeof(ip6_mobility);
const u_char* msg_data = data + off; const u_char* msg_data = data + off;
@ -198,7 +198,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 0: case 0:
{ {
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_brr")); RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_brr"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
off += sizeof(uint16_t); off += sizeof(uint16_t);
m->Assign(1, BuildOptionsVal(data + off, Length() - off)); m->Assign(1, BuildOptionsVal(data + off, Length() - off));
msg->Assign(1, m); msg->Assign(1, m);
@ -208,8 +208,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 1: case 1:
{ {
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_hoti")); RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_hoti"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
off += sizeof(uint16_t) + sizeof(uint64_t); off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off)); m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(2, m); msg->Assign(2, m);
@ -219,8 +219,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 2: case 2:
{ {
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_coti")); RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_coti"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
off += sizeof(uint16_t) + sizeof(uint64_t); off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off)); m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(3, m); msg->Assign(3, m);
@ -230,9 +230,9 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 3: case 3:
{ {
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_hot")); RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_hot"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t)))))); m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t); off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off)); m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(4, m); msg->Assign(4, m);
@ -242,9 +242,9 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 4: case 4:
{ {
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_cot")); RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_cot"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t)))))); m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t); off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off)); m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(5, m); msg->Assign(5, m);
@ -254,12 +254,12 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 5: case 5:
{ {
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_bu")); RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_bu"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data)))); m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000)); m->Assign(1, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000));
m->Assign(2, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000)); m->Assign(2, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000));
m->Assign(3, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000)); m->Assign(3, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000));
m->Assign(4, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000)); m->Assign(4, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000));
m->Assign(5, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t)))))); m->Assign(5, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
off += 3 * sizeof(uint16_t); off += 3 * sizeof(uint16_t);
m->Assign(6, BuildOptionsVal(data + off, Length() - off)); m->Assign(6, BuildOptionsVal(data + off, Length() - off));
msg->Assign(6, m); msg->Assign(6, m);
@ -269,10 +269,10 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 6: case 6:
{ {
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_back")); RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_back"));
m->Assign(0, val_mgr->GetCount(*((uint8_t*)msg_data))); m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data)));
m->Assign(1, val_mgr->GetBool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80)); m->Assign(1, val_mgr->Bool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80));
m->Assign(2, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))))); m->Assign(2, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(3, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t)))))); m->Assign(3, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
off += 3 * sizeof(uint16_t); off += 3 * sizeof(uint16_t);
m->Assign(4, BuildOptionsVal(data + off, Length() - off)); m->Assign(4, BuildOptionsVal(data + off, Length() - off));
msg->Assign(7, m); msg->Assign(7, m);
@ -282,7 +282,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 7: case 7:
{ {
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_be")); RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_be"));
m->Assign(0, val_mgr->GetCount(*((uint8_t*)msg_data))); m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data)));
const in6_addr* hoa = (const in6_addr*)(msg_data + sizeof(uint16_t)); const in6_addr* hoa = (const in6_addr*)(msg_data + sizeof(uint16_t));
m->Assign(1, make_intrusive<AddrVal>(IPAddr(*hoa))); m->Assign(1, make_intrusive<AddrVal>(IPAddr(*hoa)));
off += sizeof(uint16_t) + sizeof(in6_addr); off += sizeof(uint16_t) + sizeof(in6_addr);
@ -335,12 +335,12 @@ RecordVal* IP_Hdr::BuildIPHdrVal() const
if ( ip4 ) if ( ip4 )
{ {
rval = new RecordVal(hdrType(ip4_hdr_type, "ip4_hdr")); rval = new RecordVal(hdrType(ip4_hdr_type, "ip4_hdr"));
rval->Assign(0, val_mgr->GetCount(ip4->ip_hl * 4)); rval->Assign(0, val_mgr->Count(ip4->ip_hl * 4));
rval->Assign(1, val_mgr->GetCount(ip4->ip_tos)); rval->Assign(1, val_mgr->Count(ip4->ip_tos));
rval->Assign(2, val_mgr->GetCount(ntohs(ip4->ip_len))); rval->Assign(2, val_mgr->Count(ntohs(ip4->ip_len)));
rval->Assign(3, val_mgr->GetCount(ntohs(ip4->ip_id))); rval->Assign(3, val_mgr->Count(ntohs(ip4->ip_id)));
rval->Assign(4, val_mgr->GetCount(ip4->ip_ttl)); rval->Assign(4, val_mgr->Count(ip4->ip_ttl));
rval->Assign(5, val_mgr->GetCount(ip4->ip_p)); rval->Assign(5, val_mgr->Count(ip4->ip_p));
rval->Assign(6, make_intrusive<AddrVal>(ip4->ip_src.s_addr)); rval->Assign(6, make_intrusive<AddrVal>(ip4->ip_src.s_addr));
rval->Assign(7, make_intrusive<AddrVal>(ip4->ip_dst.s_addr)); rval->Assign(7, make_intrusive<AddrVal>(ip4->ip_dst.s_addr));
} }
@ -394,15 +394,15 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
int tcp_hdr_len = tp->th_off * 4; int tcp_hdr_len = tp->th_off * 4;
int data_len = PayloadLen() - tcp_hdr_len; int data_len = PayloadLen() - tcp_hdr_len;
tcp_hdr->Assign(0, val_mgr->GetPort(ntohs(tp->th_sport), TRANSPORT_TCP)); tcp_hdr->Assign(0, val_mgr->Port(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, val_mgr->GetPort(ntohs(tp->th_dport), TRANSPORT_TCP)); tcp_hdr->Assign(1, val_mgr->Port(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, val_mgr->GetCount(uint32_t(ntohl(tp->th_seq)))); tcp_hdr->Assign(2, val_mgr->Count(uint32_t(ntohl(tp->th_seq))));
tcp_hdr->Assign(3, val_mgr->GetCount(uint32_t(ntohl(tp->th_ack)))); tcp_hdr->Assign(3, val_mgr->Count(uint32_t(ntohl(tp->th_ack))));
tcp_hdr->Assign(4, val_mgr->GetCount(tcp_hdr_len)); tcp_hdr->Assign(4, val_mgr->Count(tcp_hdr_len));
tcp_hdr->Assign(5, val_mgr->GetCount(data_len)); tcp_hdr->Assign(5, val_mgr->Count(data_len));
tcp_hdr->Assign(6, val_mgr->GetCount(tp->th_x2)); tcp_hdr->Assign(6, val_mgr->Count(tp->th_x2));
tcp_hdr->Assign(7, val_mgr->GetCount(tp->th_flags)); tcp_hdr->Assign(7, val_mgr->Count(tp->th_flags));
tcp_hdr->Assign(8, val_mgr->GetCount(ntohs(tp->th_win))); tcp_hdr->Assign(8, val_mgr->Count(ntohs(tp->th_win)));
pkt_hdr->Assign(sindex + 2, tcp_hdr); pkt_hdr->Assign(sindex + 2, tcp_hdr);
break; break;
@ -413,9 +413,9 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
const struct udphdr* up = (const struct udphdr*) data; const struct udphdr* up = (const struct udphdr*) data;
RecordVal* udp_hdr = new RecordVal(udp_hdr_type); RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
udp_hdr->Assign(0, val_mgr->GetPort(ntohs(up->uh_sport), TRANSPORT_UDP)); udp_hdr->Assign(0, val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, val_mgr->GetPort(ntohs(up->uh_dport), TRANSPORT_UDP)); udp_hdr->Assign(1, val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, val_mgr->GetCount(ntohs(up->uh_ulen))); udp_hdr->Assign(2, val_mgr->Count(ntohs(up->uh_ulen)));
pkt_hdr->Assign(sindex + 3, udp_hdr); pkt_hdr->Assign(sindex + 3, udp_hdr);
break; break;
@ -426,7 +426,7 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
const struct icmp* icmpp = (const struct icmp *) data; const struct icmp* icmpp = (const struct icmp *) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type); RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->GetCount(icmpp->icmp_type)); icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp_type));
pkt_hdr->Assign(sindex + 4, icmp_hdr); pkt_hdr->Assign(sindex + 4, icmp_hdr);
break; break;
@ -437,7 +437,7 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data; const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type); RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->GetCount(icmpp->icmp6_type)); icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp6_type));
pkt_hdr->Assign(sindex + 4, icmp_hdr); pkt_hdr->Assign(sindex + 4, icmp_hdr);
break; break;
@ -696,7 +696,7 @@ VectorVal* IPv6_Hdr_Chain::BuildVal() const
RecordVal* v = chain[i]->BuildRecordVal(); RecordVal* v = chain[i]->BuildRecordVal();
RecordVal* ext_hdr = new RecordVal(ip6_ext_hdr_type); RecordVal* ext_hdr = new RecordVal(ip6_ext_hdr_type);
uint8_t type = chain[i]->Type(); uint8_t type = chain[i]->Type();
ext_hdr->Assign(0, val_mgr->GetCount(type)); ext_hdr->Assign(0, val_mgr->Count(type));
switch (type) { switch (type) {
case IPPROTO_HOPOPTS: case IPPROTO_HOPOPTS:

13
src/OpaqueVal.cc
View file

@ -171,8 +171,7 @@ bool HashVal::Init()
IntrusivePtr<StringVal> HashVal::Get() IntrusivePtr<StringVal> HashVal::Get()
{ {
if ( ! valid ) if ( ! valid )
return IntrusivePtr<StringVal>(AdoptRef{}, return val_mgr->EmptyString();
val_mgr->GetEmptyString());
auto result = DoGet(); auto result = DoGet();
valid = false; valid = false;
@ -203,7 +202,7 @@ bool HashVal::DoFeed(const void*, size_t)
IntrusivePtr<StringVal> HashVal::DoGet() IntrusivePtr<StringVal> HashVal::DoGet()
{ {
assert(! "missing implementation of DoGet()"); assert(! "missing implementation of DoGet()");
return IntrusivePtr<StringVal>(AdoptRef{}, val_mgr->GetEmptyString()); return val_mgr->EmptyString();
} }
HashVal::HashVal(OpaqueType* t) : OpaqueVal(t) HashVal::HashVal(OpaqueType* t) : OpaqueVal(t)
@ -275,7 +274,7 @@ bool MD5Val::DoFeed(const void* data, size_t size)
IntrusivePtr<StringVal> MD5Val::DoGet() IntrusivePtr<StringVal> MD5Val::DoGet()
{ {
if ( ! IsValid() ) if ( ! IsValid() )
return IntrusivePtr<StringVal>(AdoptRef{}, val_mgr->GetEmptyString()); return val_mgr->EmptyString();
u_char digest[MD5_DIGEST_LENGTH]; u_char digest[MD5_DIGEST_LENGTH];
hash_final(ctx, digest); hash_final(ctx, digest);
@ -395,8 +394,7 @@ bool SHA1Val::DoFeed(const void* data, size_t size)
IntrusivePtr<StringVal> SHA1Val::DoGet() IntrusivePtr<StringVal> SHA1Val::DoGet()
{ {
if ( ! IsValid() ) if ( ! IsValid() )
return IntrusivePtr<StringVal>(AdoptRef{}, return val_mgr->EmptyString();
val_mgr->GetEmptyString());
u_char digest[SHA_DIGEST_LENGTH]; u_char digest[SHA_DIGEST_LENGTH];
hash_final(ctx, digest); hash_final(ctx, digest);
@ -519,8 +517,7 @@ bool SHA256Val::DoFeed(const void* data, size_t size)
IntrusivePtr<StringVal> SHA256Val::DoGet() IntrusivePtr<StringVal> SHA256Val::DoGet()
{ {
if ( ! IsValid() ) if ( ! IsValid() )
return IntrusivePtr<StringVal>(AdoptRef{}, return val_mgr->EmptyString();
val_mgr->GetEmptyString());
u_char digest[SHA256_DIGEST_LENGTH]; u_char digest[SHA256_DIGEST_LENGTH];
hash_final(ctx, digest); hash_final(ctx, digest);

4
src/Reporter.cc
View file

@ -364,7 +364,7 @@ void Reporter::Weird(Connection* conn, const char* name, const char* addl)
return; return;
} }
WeirdHelper(conn_weird, {conn->BuildConnVal(), new StringVal(addl)}, WeirdHelper(conn_weird, {conn->ConnVal()->Ref(), new StringVal(addl)},
"%s", name); "%s", name);
} }
@ -501,7 +501,7 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
vl.emplace_back(make_intrusive<StringVal>(loc_str.c_str())); vl.emplace_back(make_intrusive<StringVal>(loc_str.c_str()));
if ( conn ) if ( conn )
vl.emplace_back(AdoptRef{}, conn->BuildConnVal()); vl.emplace_back(conn->ConnVal());
if ( addl ) if ( addl )
for ( auto v : *addl ) for ( auto v : *addl )

2
src/RuleAction.cc
View file

@ -24,7 +24,7 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
mgr.Enqueue(signature_match, mgr.Enqueue(signature_match,
IntrusivePtr{AdoptRef{}, rule_matcher->BuildRuleStateValue(parent, state)}, IntrusivePtr{AdoptRef{}, rule_matcher->BuildRuleStateValue(parent, state)},
make_intrusive<StringVal>(msg), make_intrusive<StringVal>(msg),
data ? make_intrusive<StringVal>(len, (const char*)data) : IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()} data ? make_intrusive<StringVal>(len, (const char*)data) : val_mgr->EmptyString()
); );
} }

2
src/RuleCondition.cc
View file

@ -174,7 +174,7 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
if ( data ) if ( data )
args.emplace_back(make_intrusive<StringVal>(len, (const char*) data)); args.emplace_back(make_intrusive<StringVal>(len, (const char*) data));
else else
args.emplace_back(AdoptRef{}, val_mgr->GetEmptyString()); args.emplace_back(val_mgr->EmptyString());
bool result = false; bool result = false;

6
src/RuleMatcher.cc
View file

@ -81,9 +81,9 @@ Val* RuleMatcher::BuildRuleStateValue(const Rule* rule,
{ {
RecordVal* val = new RecordVal(signature_state); RecordVal* val = new RecordVal(signature_state);
val->Assign(0, make_intrusive<StringVal>(rule->ID())); val->Assign(0, make_intrusive<StringVal>(rule->ID()));
val->Assign(1, state->GetAnalyzer()->BuildConnVal()); val->Assign(1, state->GetAnalyzer()->ConnVal());
val->Assign(2, val_mgr->GetBool(state->is_orig)); val->Assign(2, val_mgr->Bool(state->is_orig));
val->Assign(3, val_mgr->GetCount(state->payload_size)); val->Assign(3, val_mgr->Count(state->payload_size));
return val; return val;
} }

8
src/Sessions.cc
View file

@ -691,12 +691,14 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 ) if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
{ {
pkt_hdr_val = ip_hdr->BuildPktHdrVal(); pkt_hdr_val = ip_hdr->BuildPktHdrVal();
conn->Event(ipv6_ext_headers, nullptr, pkt_hdr_val); conn->EnqueueEvent(ipv6_ext_headers, nullptr, conn->ConnVal(),
IntrusivePtr{AdoptRef{}, pkt_hdr_val});
} }
if ( new_packet ) if ( new_packet )
conn->Event(new_packet, nullptr, conn->EnqueueEvent(new_packet, nullptr, conn->ConnVal(), pkt_hdr_val ?
pkt_hdr_val ? pkt_hdr_val->Ref() : ip_hdr->BuildPktHdrVal()); IntrusivePtr{NewRef{}, pkt_hdr_val} :
IntrusivePtr{AdoptRef{}, ip_hdr->BuildPktHdrVal()});
conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data, conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data,
record_packet, record_content, pkt); record_packet, record_content, pkt);

4
src/SmithWaterman.cc
View file

@ -95,13 +95,13 @@ VectorVal* BroSubstring::VecToPolicy(Vec* vec)
auto align_val = make_intrusive<RecordVal>(sw_align_type); auto align_val = make_intrusive<RecordVal>(sw_align_type);
align_val->Assign(0, make_intrusive<StringVal>(new BroString(*align.string))); align_val->Assign(0, make_intrusive<StringVal>(new BroString(*align.string)));
align_val->Assign(1, val_mgr->GetCount(align.index)); align_val->Assign(1, val_mgr->Count(align.index));
aligns->Assign(j + 1, std::move(align_val)); aligns->Assign(j + 1, std::move(align_val));
} }
st_val->Assign(1, std::move(aligns)); st_val->Assign(1, std::move(aligns));
st_val->Assign(2, val_mgr->GetBool(bst->IsNewAlignment())); st_val->Assign(2, val_mgr->Bool(bst->IsNewAlignment()));
result->Assign(i + 1, std::move(st_val)); result->Assign(i + 1, std::move(st_val));
} }
} }

4
src/Stats.cc
View file

@ -314,7 +314,7 @@ void ProfileLogger::Log()
Ref(file); Ref(file);
mgr.Dispatch(new Event(profiling_update, { mgr.Dispatch(new Event(profiling_update, {
make_intrusive<Val>(file), make_intrusive<Val>(file),
{AdoptRef{}, val_mgr->GetBool(expensive)}, val_mgr->Bool(expensive),
})); }));
} }
} }
@ -374,7 +374,7 @@ void SampleLogger::SegmentProfile(const char* /* name */,
mgr.Enqueue(load_sample, mgr.Enqueue(load_sample,
IntrusivePtr{NewRef{}, load_samples}, IntrusivePtr{NewRef{}, load_samples},
make_intrusive<IntervalVal>(dtime, Seconds), make_intrusive<IntervalVal>(dtime, Seconds),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(dmem)} val_mgr->Int(dmem)
); );
} }

3
src/Stmt.cc
View file

@ -1232,8 +1232,7 @@ IntrusivePtr<Val> ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
// Set the loop variable to the current index, and make // Set the loop variable to the current index, and make
// another pass over the loop body. // another pass over the loop body.
f->SetElement((*loop_vars)[0], f->SetElement((*loop_vars)[0], val_mgr->Count(i).release());
val_mgr->GetCount(i));
flow = FLOW_NEXT; flow = FLOW_NEXT;
ret = body->Exec(f, flow); ret = body->Exec(f, flow);

4
src/TunnelEncapsulation.cc
View file

@ -22,9 +22,9 @@ RecordVal* EncapsulatingConn::GetRecordVal() const
auto id_val = make_intrusive<RecordVal>(conn_id); auto id_val = make_intrusive<RecordVal>(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(src_addr)); id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, val_mgr->GetPort(ntohs(src_port), proto)); id_val->Assign(1, val_mgr->Port(ntohs(src_port), proto));
id_val->Assign(2, make_intrusive<AddrVal>(dst_addr)); id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->GetPort(ntohs(dst_port), proto)); id_val->Assign(3, val_mgr->Port(ntohs(dst_port), proto));
rv->Assign(0, std::move(id_val)); rv->Assign(0, std::move(id_val));
rv->Assign(1, BifType::Enum::Tunnel::Type->GetVal(type)); rv->Assign(1, BifType::Enum::Tunnel::Type->GetVal(type));

9
src/Type.cc
View file

@ -840,7 +840,7 @@ IntrusivePtr<TableVal> RecordType::GetRecordFieldsVal(const RecordVal* rv) const
string s = container_type_name(ft); string s = container_type_name(ft);
nr->Assign(0, make_intrusive<StringVal>(s)); nr->Assign(0, make_intrusive<StringVal>(s));
nr->Assign(1, val_mgr->GetBool(logged)); nr->Assign(1, val_mgr->Bool(logged));
nr->Assign(2, fv); nr->Assign(2, fv);
nr->Assign(3, FieldDefault(i)); nr->Assign(3, FieldDefault(i));
Val* field_name = new StringVal(FieldName(i)); Val* field_name = new StringVal(FieldName(i));
@ -1615,7 +1615,12 @@ bool same_type(const BroType* t1, const BroType* t2, bool is_init, bool match_re
} }
case TYPE_TYPE: case TYPE_TYPE:
return same_type(t1, t2, is_init, match_record_field_names); {
auto tt1 = t1->AsTypeType();
auto tt2 = t2->AsTypeType();
return same_type(tt1->Type(), tt1->Type(),
is_init, match_record_field_names);
}
case TYPE_UNION: case TYPE_UNION:
reporter->Error("union type in same_type()"); reporter->Error("union type in same_type()");

1
src/Type.h
View file

@ -507,6 +507,7 @@ public:
TypeType* ShallowClone() override { return new TypeType(type); } TypeType* ShallowClone() override { return new TypeType(type); }
BroType* Type() { return type.get(); } BroType* Type() { return type.get(); }
const BroType* Type() const { return type.get(); }
protected: protected:
IntrusivePtr<BroType> type; IntrusivePtr<BroType> type;

113
src/Val.cc
View file

@ -136,6 +136,10 @@ IntrusivePtr<Val> Val::DoClone(CloneState* state)
return {NewRef{}, this}; return {NewRef{}, this};
} }
if ( type->Tag() == TYPE_TYPE )
// These are immutable, essentially.
return {NewRef{}, this};
// Fall-through. // Fall-through.
default: default:
@ -250,19 +254,19 @@ IntrusivePtr<Val> Val::SizeVal() const
// Return abs value. However abs() only works on ints and llabs // Return abs value. However abs() only works on ints and llabs
// doesn't work on Mac OS X 10.5. So we do it by hand // doesn't work on Mac OS X 10.5. So we do it by hand
if ( val.int_val < 0 ) if ( val.int_val < 0 )
return {AdoptRef{}, val_mgr->GetCount(-val.int_val)}; return val_mgr->Count(-val.int_val);
else else
return {AdoptRef{}, val_mgr->GetCount(val.int_val)}; return val_mgr->Count(val.int_val);
case TYPE_INTERNAL_UNSIGNED: case TYPE_INTERNAL_UNSIGNED:
return {AdoptRef{}, val_mgr->GetCount(val.uint_val)}; return val_mgr->Count(val.uint_val);
case TYPE_INTERNAL_DOUBLE: case TYPE_INTERNAL_DOUBLE:
return make_intrusive<Val>(fabs(val.double_val), TYPE_DOUBLE); return make_intrusive<Val>(fabs(val.double_val), TYPE_DOUBLE);
case TYPE_INTERNAL_OTHER: case TYPE_INTERNAL_OTHER:
if ( type->Tag() == TYPE_FUNC ) if ( type->Tag() == TYPE_FUNC )
return {AdoptRef{}, val_mgr->GetCount(val.func_val->FType()->ArgTypes()->Types()->length())}; return val_mgr->Count(val.func_val->FType()->ArgTypes()->Types()->length());
if ( type->Tag() == TYPE_FILE ) if ( type->Tag() == TYPE_FILE )
return make_intrusive<Val>(val.file_val->Size(), TYPE_DOUBLE); return make_intrusive<Val>(val.file_val->Size(), TYPE_DOUBLE);
@ -272,7 +276,7 @@ IntrusivePtr<Val> Val::SizeVal() const
break; break;
} }
return {AdoptRef{}, val_mgr->GetCount(0)}; return val_mgr->Count(0);
} }
unsigned int Val::MemoryAllocation() const unsigned int Val::MemoryAllocation() const
@ -583,9 +587,8 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*
{ {
auto blank = make_intrusive<StringVal>(""); auto blank = make_intrusive<StringVal>("");
auto fn_val = make_intrusive<StringVal>(field_name); auto fn_val = make_intrusive<StringVal>(field_name);
auto key_val = fn_val->Substitute(re, blank.get(), false)->AsStringVal(); auto key_val = fn_val->Substitute(re, blank.get(), false);
key_str = key_val->ToStdString(); key_str = key_val->ToStdString();
Unref(key_val);
} }
else else
key_str = field_name; key_str = field_name;
@ -732,7 +735,7 @@ void IntervalVal::ValDescribe(ODesc* d) const
IntrusivePtr<Val> PortVal::SizeVal() const IntrusivePtr<Val> PortVal::SizeVal() const
{ {
return {AdoptRef{}, val_mgr->GetInt(val.uint_val)}; return val_mgr->Int(val.uint_val);
} }
uint32_t PortVal::Mask(uint32_t port_num, TransportProto port_type) uint32_t PortVal::Mask(uint32_t port_num, TransportProto port_type)
@ -851,9 +854,9 @@ unsigned int AddrVal::MemoryAllocation() const
IntrusivePtr<Val> AddrVal::SizeVal() const IntrusivePtr<Val> AddrVal::SizeVal() const
{ {
if ( val.addr_val->GetFamily() == IPv4 ) if ( val.addr_val->GetFamily() == IPv4 )
return {AdoptRef{}, val_mgr->GetCount(32)}; return val_mgr->Count(32);
else else
return {AdoptRef{}, val_mgr->GetCount(128)}; return val_mgr->Count(128);
} }
IntrusivePtr<Val> AddrVal::DoClone(CloneState* state) IntrusivePtr<Val> AddrVal::DoClone(CloneState* state)
@ -979,7 +982,7 @@ StringVal::StringVal(const string& s) : StringVal(s.length(), s.data())
IntrusivePtr<Val> StringVal::SizeVal() const IntrusivePtr<Val> StringVal::SizeVal() const
{ {
return {AdoptRef{}, val_mgr->GetCount(val.string_val->Len())}; return val_mgr->Count(val.string_val->Len());
} }
int StringVal::Len() int StringVal::Len()
@ -1024,7 +1027,7 @@ unsigned int StringVal::MemoryAllocation() const
return padded_sizeof(*this) + val.string_val->MemoryAllocation(); return padded_sizeof(*this) + val.string_val->MemoryAllocation();
} }
Val* StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all) IntrusivePtr<StringVal> StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all)
{ {
const u_char* s = Bytes(); const u_char* s = Bytes();
int offset = 0; int offset = 0;
@ -1105,7 +1108,7 @@ Val* StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all)
// the NUL. // the NUL.
r[0] = '\0'; r[0] = '\0';
return new StringVal(new BroString(true, result, r - result)); return make_intrusive<StringVal>(new BroString(true, result, r - result));
} }
IntrusivePtr<Val> StringVal::DoClone(CloneState* state) IntrusivePtr<Val> StringVal::DoClone(CloneState* state)
@ -1193,7 +1196,7 @@ ListVal::~ListVal()
IntrusivePtr<Val> ListVal::SizeVal() const IntrusivePtr<Val> ListVal::SizeVal() const
{ {
return {AdoptRef{}, val_mgr->GetCount(vals.length())}; return val_mgr->Count(vals.length());
} }
RE_Matcher* ListVal::BuildRE() const RE_Matcher* ListVal::BuildRE() const
@ -1564,7 +1567,7 @@ bool TableVal::Assign(Val* index, HashKey* k, Val* new_val)
IntrusivePtr<Val> TableVal::SizeVal() const IntrusivePtr<Val> TableVal::SizeVal() const
{ {
return {AdoptRef{}, val_mgr->GetCount(Size())}; return val_mgr->Count(Size());
} }
bool TableVal::AddTo(Val* val, bool is_first_init) const bool TableVal::AddTo(Val* val, bool is_first_init) const
@ -2683,7 +2686,7 @@ RecordVal::~RecordVal()
IntrusivePtr<Val> RecordVal::SizeVal() const IntrusivePtr<Val> RecordVal::SizeVal() const
{ {
return {AdoptRef{}, val_mgr->GetCount(Type()->AsRecordType()->NumFields())}; return val_mgr->Count(Type()->AsRecordType()->NumFields());
} }
void RecordVal::Assign(int field, IntrusivePtr<Val> new_val) void RecordVal::Assign(int field, IntrusivePtr<Val> new_val)
@ -2931,7 +2934,7 @@ unsigned int RecordVal::MemoryAllocation() const
IntrusivePtr<Val> EnumVal::SizeVal() const IntrusivePtr<Val> EnumVal::SizeVal() const
{ {
return {AdoptRef{}, val_mgr->GetInt(val.int_val)}; return val_mgr->Int(val.int_val);
} }
void EnumVal::ValDescribe(ODesc* d) const void EnumVal::ValDescribe(ODesc* d) const
@ -2968,7 +2971,7 @@ VectorVal::~VectorVal()
IntrusivePtr<Val> VectorVal::SizeVal() const IntrusivePtr<Val> VectorVal::SizeVal() const
{ {
return {AdoptRef{}, val_mgr->GetCount(uint32_t(val.vector_val->size()))}; return val_mgr->Count(uint32_t(val.vector_val->size()));
} }
bool VectorVal::Assign(unsigned int index, IntrusivePtr<Val> element) bool VectorVal::Assign(unsigned int index, IntrusivePtr<Val> element)
@ -3205,7 +3208,7 @@ IntrusivePtr<Val> check_and_promote(IntrusivePtr<Val> v, const BroType* t,
return nullptr; return nullptr;
} }
else if ( t_tag == TYPE_INT ) else if ( t_tag == TYPE_INT )
promoted_v = {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())}; promoted_v = val_mgr->Int(v->CoerceToInt());
else // enum else // enum
{ {
reporter->InternalError("bad internal type in check_and_promote()"); reporter->InternalError("bad internal type in check_and_promote()");
@ -3221,7 +3224,7 @@ IntrusivePtr<Val> check_and_promote(IntrusivePtr<Val> v, const BroType* t,
return nullptr; return nullptr;
} }
else if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER ) else if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
promoted_v = {AdoptRef{}, val_mgr->GetCount(v->CoerceToUnsigned())}; promoted_v = val_mgr->Count(v->CoerceToUnsigned());
else // port else // port
{ {
reporter->InternalError("bad internal type in check_and_promote()"); reporter->InternalError("bad internal type in check_and_promote()");
@ -3398,13 +3401,26 @@ bool can_cast_value_to_type(const BroType* s, BroType* t)
return false; return false;
} }
IntrusivePtr<Val> Val::MakeBool(bool b)
{
return IntrusivePtr{AdoptRef{}, new Val(bro_int_t(b), TYPE_BOOL)};
}
IntrusivePtr<Val> Val::MakeInt(bro_int_t i)
{
return IntrusivePtr{AdoptRef{}, new Val(i, TYPE_INT)};
}
IntrusivePtr<Val> Val::MakeCount(bro_uint_t u)
{
return IntrusivePtr{AdoptRef{}, new Val(u, TYPE_COUNT)};
}
ValManager::ValManager() ValManager::ValManager()
{ {
empty_string = new StringVal(""); empty_string = make_intrusive<StringVal>("");
b_false = Val::MakeBool(false); b_false = Val::MakeBool(false);
b_true = Val::MakeBool(true); b_true = Val::MakeBool(true);
counts = new Val*[PREALLOCATED_COUNTS];
ints = new Val*[PREALLOCATED_INTS];
for ( auto i = 0u; i < PREALLOCATED_COUNTS; ++i ) for ( auto i = 0u; i < PREALLOCATED_COUNTS; ++i )
counts[i] = Val::MakeCount(i); counts[i] = Val::MakeCount(i);
@ -3418,37 +3434,16 @@ ValManager::ValManager()
auto port_type = (TransportProto)i; auto port_type = (TransportProto)i;
for ( auto j = 0u; j < arr.size(); ++j ) for ( auto j = 0u; j < arr.size(); ++j )
arr[j] = new PortVal(PortVal::Mask(j, port_type)); arr[j] = IntrusivePtr{AdoptRef{}, new PortVal(PortVal::Mask(j, port_type))};
} }
} }
ValManager::~ValManager()
{
Unref(empty_string);
Unref(b_true);
Unref(b_false);
for ( auto i = 0u; i < PREALLOCATED_COUNTS; ++i )
Unref(counts[i]);
for ( auto i = 0u; i < PREALLOCATED_INTS; ++i )
Unref(ints[i]);
delete [] counts;
delete [] ints;
for ( auto& arr : ports )
for ( auto& pv : arr )
Unref(pv);
}
StringVal* ValManager::GetEmptyString() const StringVal* ValManager::GetEmptyString() const
{ {
::Ref(empty_string); return empty_string->Ref()->AsStringVal();
return empty_string;
} }
PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const const IntrusivePtr<PortVal>& ValManager::Port(uint32_t port_num, TransportProto port_type) const
{ {
if ( port_num >= 65536 ) if ( port_num >= 65536 )
{ {
@ -3456,22 +3451,30 @@ PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const
port_num = 0; port_num = 0;
} }
auto rval = ports[port_type][port_num]; return ports[port_type][port_num];
::Ref(rval);
return rval;
} }
PortVal* ValManager::GetPort(uint32_t port_num) const PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const
{
return Port(port_num, port_type)->Ref()->AsPortVal();
}
const IntrusivePtr<PortVal>& ValManager::Port(uint32_t port_num) const
{ {
auto mask = port_num & PORT_SPACE_MASK; auto mask = port_num & PORT_SPACE_MASK;
port_num &= ~PORT_SPACE_MASK; port_num &= ~PORT_SPACE_MASK;
if ( mask == TCP_PORT_MASK ) if ( mask == TCP_PORT_MASK )
return GetPort(port_num, TRANSPORT_TCP); return Port(port_num, TRANSPORT_TCP);
else if ( mask == UDP_PORT_MASK ) else if ( mask == UDP_PORT_MASK )
return GetPort(port_num, TRANSPORT_UDP); return Port(port_num, TRANSPORT_UDP);
else if ( mask == ICMP_PORT_MASK ) else if ( mask == ICMP_PORT_MASK )
return GetPort(port_num, TRANSPORT_ICMP); return Port(port_num, TRANSPORT_ICMP);
else else
return GetPort(port_num, TRANSPORT_UNKNOWN); return Port(port_num, TRANSPORT_UNKNOWN);
}
PortVal* ValManager::GetPort(uint32_t port_num) const
{
return Port(port_num)->Ref()->AsPortVal();
} }

74
src/Val.h
View file

@ -335,20 +335,9 @@ protected:
virtual void ValDescribe(ODesc* d) const; virtual void ValDescribe(ODesc* d) const;
virtual void ValDescribeReST(ODesc* d) const; virtual void ValDescribeReST(ODesc* d) const;
static Val* MakeBool(bool b) static IntrusivePtr<Val> MakeBool(bool b);
{ static IntrusivePtr<Val> MakeInt(bro_int_t i);
return new Val(bro_int_t(b), TYPE_BOOL); static IntrusivePtr<Val> MakeCount(bro_uint_t u);
}
static Val* MakeInt(bro_int_t i)
{
return new Val(i, TYPE_INT);
}
static Val* MakeCount(bro_uint_t u)
{
return new Val(u, TYPE_COUNT);
}
template<typename V> template<typename V>
Val(V &&v, TypeTag t) noexcept Val(V &&v, TypeTag t) noexcept
@ -406,44 +395,79 @@ public:
ValManager(); ValManager();
~ValManager(); [[deprecated("Remove in v4.1. Use val_mgr->True() instead.")]]
inline Val* GetTrue() const inline Val* GetTrue() const
{ return b_true->Ref(); } { return b_true->Ref(); }
inline const IntrusivePtr<Val>& True() const
{ return b_true; }
[[deprecated("Remove in v4.1. Use val_mgr->False() instead.")]]
inline Val* GetFalse() const inline Val* GetFalse() const
{ return b_false->Ref(); } { return b_false->Ref(); }
inline const IntrusivePtr<Val>& False() const
{ return b_false; }
[[deprecated("Remove in v4.1. Use val_mgr->Bool() instead.")]]
inline Val* GetBool(bool b) const inline Val* GetBool(bool b) const
{ return b ? b_true->Ref() : b_false->Ref(); } { return b ? b_true->Ref() : b_false->Ref(); }
inline const IntrusivePtr<Val>& Bool(bool b) const
{ return b ? b_true : b_false; }
[[deprecated("Remove in v4.1. Use val_mgr->Int() instead.")]]
inline Val* GetInt(int64_t i) const inline Val* GetInt(int64_t i) const
{ {
return i < PREALLOCATED_INT_LOWEST || i > PREALLOCATED_INT_HIGHEST ? return i < PREALLOCATED_INT_LOWEST || i > PREALLOCATED_INT_HIGHEST ?
Val::MakeInt(i) : ints[i - PREALLOCATED_INT_LOWEST]->Ref(); Val::MakeInt(i).release() : ints[i - PREALLOCATED_INT_LOWEST]->Ref();
} }
inline IntrusivePtr<Val> Int(int64_t i) const
{
return i < PREALLOCATED_INT_LOWEST || i > PREALLOCATED_INT_HIGHEST ?
Val::MakeInt(i) : ints[i - PREALLOCATED_INT_LOWEST];
}
[[deprecated("Remove in v4.1. Use val_mgr->Count() instead.")]]
inline Val* GetCount(uint64_t i) const inline Val* GetCount(uint64_t i) const
{ {
return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i) : counts[i]->Ref(); return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i).release() : counts[i]->Ref();
} }
inline IntrusivePtr<Val> Count(uint64_t i) const
{
return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i) : counts[i];
}
[[deprecated("Remove in v4.1. Use val_mgr->EmptyString() instead.")]]
StringVal* GetEmptyString() const; StringVal* GetEmptyString() const;
inline const IntrusivePtr<StringVal>& EmptyString() const
{ return empty_string; }
// Port number given in host order. // Port number given in host order.
[[deprecated("Remove in v4.1. Use val_mgr->Port() instead.")]]
PortVal* GetPort(uint32_t port_num, TransportProto port_type) const; PortVal* GetPort(uint32_t port_num, TransportProto port_type) const;
// Port number given in host order.
const IntrusivePtr<PortVal>& Port(uint32_t port_num, TransportProto port_type) const;
// Host-order port number already masked with port space protocol mask. // Host-order port number already masked with port space protocol mask.
[[deprecated("Remove in v4.1. Use val_mgr->Port() instead.")]]
PortVal* GetPort(uint32_t port_num) const; PortVal* GetPort(uint32_t port_num) const;
// Host-order port number already masked with port space protocol mask.
const IntrusivePtr<PortVal>& Port(uint32_t port_num) const;
private: private:
std::array<std::array<PortVal*, 65536>, NUM_PORT_SPACES> ports; std::array<std::array<IntrusivePtr<PortVal>, 65536>, NUM_PORT_SPACES> ports;
StringVal* empty_string; std::array<IntrusivePtr<Val>, PREALLOCATED_COUNTS> counts;
Val* b_true; std::array<IntrusivePtr<Val>, PREALLOCATED_INTS> ints;
Val* b_false; IntrusivePtr<StringVal> empty_string;
Val** counts; IntrusivePtr<Val> b_true;
Val** ints; IntrusivePtr<Val> b_false;
}; };
extern ValManager* val_mgr; extern ValManager* val_mgr;
@ -569,7 +593,7 @@ public:
unsigned int MemoryAllocation() const override; unsigned int MemoryAllocation() const override;
Val* Substitute(RE_Matcher* re, StringVal* repl, bool do_all); IntrusivePtr<StringVal> Substitute(RE_Matcher* re, StringVal* repl, bool do_all);
protected: protected:
void ValDescribe(ODesc* d) const override; void ValDescribe(ODesc* d) const override;

25
src/analyzer/Analyzer.cc
View file

@ -690,9 +690,9 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal(); EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal();
mgr.Enqueue(protocol_confirmation, mgr.Enqueue(protocol_confirmation,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{NewRef{}, tval}, IntrusivePtr{NewRef{}, tval},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)} val_mgr->Count(id)
); );
} }
@ -717,9 +717,9 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
EnumVal* tval = tag.AsEnumVal(); EnumVal* tval = tag.AsEnumVal();
mgr.Enqueue(protocol_violation, mgr.Enqueue(protocol_violation,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{NewRef{}, tval}, IntrusivePtr{NewRef{}, tval},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)}, val_mgr->Count(id),
IntrusivePtr{AdoptRef{}, r} IntrusivePtr{AdoptRef{}, r}
); );
} }
@ -788,7 +788,12 @@ void Analyzer::UpdateConnVal(RecordVal *conn_val)
RecordVal* Analyzer::BuildConnVal() RecordVal* Analyzer::BuildConnVal()
{ {
return conn->BuildConnVal(); return conn->ConnVal()->Ref()->AsRecordVal();
}
const IntrusivePtr<RecordVal>& Analyzer::ConnVal()
{
return conn->ConnVal();
} }
void Analyzer::Event(EventHandlerPtr f, const char* name) void Analyzer::Event(EventHandlerPtr f, const char* name)
@ -798,7 +803,11 @@ void Analyzer::Event(EventHandlerPtr f, const char* name)
void Analyzer::Event(EventHandlerPtr f, Val* v1, Val* v2) void Analyzer::Event(EventHandlerPtr f, Val* v1, Val* v2)
{ {
conn->Event(f, this, v1, v2); IntrusivePtr val1{AdoptRef{}, v1};
IntrusivePtr val2{AdoptRef{}, v2};
if ( f )
conn->EnqueueEvent(f, this, conn->ConnVal(), std::move(val1), std::move(val2));
} }
void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl) void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl)
@ -930,7 +939,7 @@ void TransportLayerAnalyzer::PacketContents(const u_char* data, int len)
if ( packet_contents && len > 0 ) if ( packet_contents && len > 0 )
{ {
BroString* cbs = new BroString(data, len, true); BroString* cbs = new BroString(data, len, true);
Val* contents = new StringVal(cbs); auto contents = make_intrusive<StringVal>(cbs);
Event(packet_contents, contents); EnqueueConnEvent(packet_contents, ConnVal(), std::move(contents));
} }
} }

8
src/analyzer/Analyzer.h
View file

@ -549,8 +549,15 @@ public:
* Convenience function that forwards directly to * Convenience function that forwards directly to
* Connection::BuildConnVal(). * Connection::BuildConnVal().
*/ */
[[deprecated("Remove in v4.1. Use ConnVal() instead.")]]
RecordVal* BuildConnVal(); RecordVal* BuildConnVal();
/**
* Convenience function that forwards directly to
* Connection::ConnVal().
*/
const IntrusivePtr<RecordVal>& ConnVal();
/** /**
* Convenience function that forwards directly to the corresponding * Convenience function that forwards directly to the corresponding
* Connection::Event(). * Connection::Event().
@ -561,6 +568,7 @@ public:
* Convenience function that forwards directly to the corresponding * Convenience function that forwards directly to the corresponding
* Connection::Event(). * Connection::Event().
*/ */
[[deprecated("Remove in v4.1. Use EnqueueConnEvent() instead (note it doesn't automatically ad the connection argument).")]]
void Event(EventHandlerPtr f, Val* v1, Val* v2 = nullptr); void Event(EventHandlerPtr f, Val* v1, Val* v2 = nullptr);
/** /**

15
src/analyzer/Manager.cc
View file

@ -440,15 +440,13 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
if ( tcp_contents && ! reass ) if ( tcp_contents && ! reass )
{ {
auto dport = val_mgr->GetPort(ntohs(conn->RespPort()), TRANSPORT_TCP); const auto& dport = val_mgr->Port(ntohs(conn->RespPort()), TRANSPORT_TCP);
if ( ! reass ) if ( ! reass )
reass = (bool)tcp_content_delivery_ports_orig->Lookup(dport); reass = (bool)tcp_content_delivery_ports_orig->Lookup(dport.get());
if ( ! reass ) if ( ! reass )
reass = (bool)tcp_content_delivery_ports_resp->Lookup(dport); reass = (bool)tcp_content_delivery_ports_resp->Lookup(dport.get());
Unref(dport);
} }
if ( reass ) if ( reass )
@ -626,9 +624,10 @@ bool Manager::ApplyScheduledAnalyzers(Connection* conn, bool init, TransportLaye
parent->AddChildAnalyzer(analyzer, init); parent->AddChildAnalyzer(analyzer, init);
EnumVal* tag = it->AsEnumVal(); if ( scheduled_analyzer_applied )
Ref(tag); conn->EnqueueEvent(scheduled_analyzer_applied, nullptr,
conn->Event(scheduled_analyzer_applied, nullptr, tag); conn->ConnVal(),
IntrusivePtr{NewRef{}, it->AsEnumVal()});
DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled", DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled",
analyzer_mgr->GetComponentName(*it).c_str()); analyzer_mgr->GetComponentName(*it).c_str());

14
src/analyzer/analyzer.bif
View file

@ -11,41 +11,41 @@ module Analyzer;
function Analyzer::__enable_analyzer%(id: Analyzer::Tag%) : bool function Analyzer::__enable_analyzer%(id: Analyzer::Tag%) : bool
%{ %{
bool result = analyzer_mgr->EnableAnalyzer(id->AsEnumVal()); bool result = analyzer_mgr->EnableAnalyzer(id->AsEnumVal());
return val_mgr->GetBool(result); return val_mgr->Bool(result);
%} %}
function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool
%{ %{
bool result = analyzer_mgr->DisableAnalyzer(id->AsEnumVal()); bool result = analyzer_mgr->DisableAnalyzer(id->AsEnumVal());
return val_mgr->GetBool(result); return val_mgr->Bool(result);
%} %}
function Analyzer::__disable_all_analyzers%(%) : any function Analyzer::__disable_all_analyzers%(%) : any
%{ %{
analyzer_mgr->DisableAllAnalyzers(); analyzer_mgr->DisableAllAnalyzers();
return 0; return nullptr;
%} %}
function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool
%{ %{
bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p); bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p);
return val_mgr->GetBool(result); return val_mgr->Bool(result);
%} %}
function Analyzer::__schedule_analyzer%(orig: addr, resp: addr, resp_p: port, function Analyzer::__schedule_analyzer%(orig: addr, resp: addr, resp_p: port,
analyzer: Analyzer::Tag, tout: interval%) : bool analyzer: Analyzer::Tag, tout: interval%) : bool
%{ %{
analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout); analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout);
return val_mgr->GetTrue(); return val_mgr->True();
%} %}
function __name%(atype: Analyzer::Tag%) : string function __name%(atype: Analyzer::Tag%) : string
%{ %{
return new StringVal(analyzer_mgr->GetComponentName(atype)); return make_intrusive<StringVal>(analyzer_mgr->GetComponentName(atype));
%} %}
function __tag%(name: string%) : Analyzer::Tag function __tag%(name: string%) : Analyzer::Tag
%{ %{
analyzer::Tag t = analyzer_mgr->GetComponentTag(name->CheckString()); analyzer::Tag t = analyzer_mgr->GetComponentTag(name->CheckString());
return t.AsEnumVal()->Ref(); return IntrusivePtr{NewRef{}, t.AsEnumVal()};
%} %}

10
src/analyzer/protocol/asn1/asn1.pac
View file

@ -113,15 +113,15 @@ Val* asn1_integer_to_val(const ASN1Encoding* i, TypeTag t)
switch ( t ) { switch ( t ) {
case TYPE_BOOL: case TYPE_BOOL:
return val_mgr->GetBool(v); return val_mgr->Bool(v)->Ref();
case TYPE_INT: case TYPE_INT:
return val_mgr->GetInt(v); return val_mgr->Int(v).release();
case TYPE_COUNT: case TYPE_COUNT:
case TYPE_COUNTER: case TYPE_COUNTER:
return val_mgr->GetCount(v); return val_mgr->Count(v).release();
default: default:
reporter->Error("bad asn1_integer_to_val tag: %s", type_name(t)); reporter->Error("bad asn1_integer_to_val tag: %s", type_name(t));
return val_mgr->GetCount(v); return val_mgr->Count(v).release();
} }
} }
@ -152,7 +152,7 @@ StringVal* asn1_oid_to_val(const ASN1Encoding* oid)
if ( ! subidentifier.empty() || subidentifiers.size() < 1 ) if ( ! subidentifier.empty() || subidentifiers.size() < 1 )
// Underflow. // Underflow.
return val_mgr->GetEmptyString(); return val_mgr->EmptyString()->Ref()->AsStringVal();
for ( size_t i = 0; i < subidentifiers.size(); ++i ) for ( size_t i = 0; i < subidentifiers.size(); ++i )
{ {

4
src/analyzer/protocol/bittorrent/BitTorrent.cc
View file

@ -120,8 +120,8 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
{ {
if ( bittorrent_peer_weird ) if ( bittorrent_peer_weird )
EnqueueConnEvent(bittorrent_peer_weird, EnqueueConnEvent(bittorrent_peer_weird,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(msg) make_intrusive<StringVal>(msg)
); );
} }

18
src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
View file

@ -247,8 +247,8 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
{ {
if ( bt_tracker_weird ) if ( bt_tracker_weird )
EnqueueConnEvent(bt_tracker_weird, EnqueueConnEvent(bt_tracker_weird,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(msg) make_intrusive<StringVal>(msg)
); );
} }
@ -348,7 +348,7 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
if ( bt_tracker_request ) if ( bt_tracker_request )
EnqueueConnEvent(bt_tracker_request, EnqueueConnEvent(bt_tracker_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, req_val_uri}, IntrusivePtr{AdoptRef{}, req_val_uri},
IntrusivePtr{AdoptRef{}, req_val_headers} IntrusivePtr{AdoptRef{}, req_val_headers}
); );
@ -402,8 +402,8 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
{ {
if ( bt_tracker_response_not_ok ) if ( bt_tracker_response_not_ok )
EnqueueConnEvent(bt_tracker_response_not_ok, EnqueueConnEvent(bt_tracker_response_not_ok,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)}, val_mgr->Count(res_status),
IntrusivePtr{AdoptRef{}, res_val_headers} IntrusivePtr{AdoptRef{}, res_val_headers}
); );
res_val_headers = nullptr; res_val_headers = nullptr;
@ -480,7 +480,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
RecordVal* peer = new RecordVal(bittorrent_peer); RecordVal* peer = new RecordVal(bittorrent_peer);
peer->Assign(0, make_intrusive<AddrVal>(ad)); peer->Assign(0, make_intrusive<AddrVal>(ad));
peer->Assign(1, val_mgr->GetPort(pt, TRANSPORT_TCP)); peer->Assign(1, val_mgr->Port(pt, TRANSPORT_TCP));
res_val_peers->Assign(peer, nullptr); res_val_peers->Assign(peer, nullptr);
Unref(peer); Unref(peer);
@ -503,7 +503,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
RecordVal* benc_value = new RecordVal(bittorrent_benc_value); RecordVal* benc_value = new RecordVal(bittorrent_benc_value);
StringVal* name_ = new StringVal(name_len, name); StringVal* name_ = new StringVal(name_len, name);
benc_value->Assign(type, val_mgr->GetInt(value)); benc_value->Assign(type, val_mgr->Int(value));
res_val_benc->Assign(name_, benc_value); res_val_benc->Assign(name_, benc_value);
Unref(name_); Unref(name_);
@ -789,8 +789,8 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
if ( bt_tracker_response ) if ( bt_tracker_response )
EnqueueConnEvent(bt_tracker_response, EnqueueConnEvent(bt_tracker_response,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)}, val_mgr->Count(res_status),
IntrusivePtr{AdoptRef{}, res_val_headers}, IntrusivePtr{AdoptRef{}, res_val_headers},
IntrusivePtr{AdoptRef{}, res_val_peers}, IntrusivePtr{AdoptRef{}, res_val_peers},
IntrusivePtr{AdoptRef{}, res_val_benc} IntrusivePtr{AdoptRef{}, res_val_benc}

38
src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
View file

@ -61,13 +61,13 @@ flow BitTorrent_Flow(is_orig: bool) {
handshake_ok = true; handshake_ok = true;
if ( ::bittorrent_peer_handshake ) if ( ::bittorrent_peer_handshake )
{ {
BifEvent::generate_bittorrent_peer_handshake( BifEvent::enqueue_bittorrent_peer_handshake(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), is_orig(),
bytestring_to_val(reserved), to_stringval(reserved),
bytestring_to_val(info_hash), to_stringval(info_hash),
bytestring_to_val(peer_id)); to_stringval(peer_id));
} }
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->bro_analyzer()->ProtocolConfirmation();
@ -79,7 +79,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_keep_alive ) if ( ::bittorrent_peer_keep_alive )
{ {
BifEvent::generate_bittorrent_peer_keep_alive( BifEvent::enqueue_bittorrent_peer_keep_alive(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig()); is_orig());
@ -92,7 +92,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_choke ) if ( ::bittorrent_peer_choke )
{ {
BifEvent::generate_bittorrent_peer_choke( BifEvent::enqueue_bittorrent_peer_choke(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig()); is_orig());
@ -105,7 +105,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_unchoke ) if ( ::bittorrent_peer_unchoke )
{ {
BifEvent::generate_bittorrent_peer_unchoke( BifEvent::enqueue_bittorrent_peer_unchoke(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig()); is_orig());
@ -118,7 +118,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_interested ) if ( ::bittorrent_peer_interested )
{ {
BifEvent::generate_bittorrent_peer_interested( BifEvent::enqueue_bittorrent_peer_interested(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig()); is_orig());
@ -131,7 +131,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_not_interested ) if ( ::bittorrent_peer_not_interested )
{ {
BifEvent::generate_bittorrent_peer_not_interested( BifEvent::enqueue_bittorrent_peer_not_interested(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig()); is_orig());
@ -144,7 +144,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_have ) if ( ::bittorrent_peer_have )
{ {
BifEvent::generate_bittorrent_peer_have( BifEvent::enqueue_bittorrent_peer_have(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), is_orig(),
@ -158,11 +158,11 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_bitfield ) if ( ::bittorrent_peer_bitfield )
{ {
BifEvent::generate_bittorrent_peer_bitfield( BifEvent::enqueue_bittorrent_peer_bitfield(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), is_orig(),
bytestring_to_val(bitfield)); to_stringval(bitfield));
} }
return true; return true;
@ -173,7 +173,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_request ) if ( ::bittorrent_peer_request )
{ {
BifEvent::generate_bittorrent_peer_request( BifEvent::enqueue_bittorrent_peer_request(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), is_orig(),
@ -188,7 +188,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_piece ) if ( ::bittorrent_peer_piece )
{ {
BifEvent::generate_bittorrent_peer_piece( BifEvent::enqueue_bittorrent_peer_piece(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), is_orig(),
@ -203,7 +203,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_cancel ) if ( ::bittorrent_peer_cancel )
{ {
BifEvent::generate_bittorrent_peer_cancel( BifEvent::enqueue_bittorrent_peer_cancel(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), is_orig(),
@ -217,11 +217,11 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_port ) if ( ::bittorrent_peer_port )
{ {
BifEvent::generate_bittorrent_peer_port( BifEvent::enqueue_bittorrent_peer_port(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), is_orig(),
val_mgr->GetPort(listen_port, TRANSPORT_TCP)); val_mgr->Port(listen_port, TRANSPORT_TCP));
} }
return true; return true;
@ -231,12 +231,12 @@ flow BitTorrent_Flow(is_orig: bool) {
%{ %{
if ( ::bittorrent_peer_unknown ) if ( ::bittorrent_peer_unknown )
{ {
BifEvent::generate_bittorrent_peer_unknown( BifEvent::enqueue_bittorrent_peer_unknown(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), is_orig(),
id, id,
bytestring_to_val(data)); to_stringval(data));
} }
return true; return true;

18
src/analyzer/protocol/conn-size/ConnSize.cc
View file

@ -51,9 +51,9 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
return; return;
EnqueueConnEvent(f, EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)}, val_mgr->Count(threshold),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)} val_mgr->Bool(is_orig)
); );
} }
@ -93,9 +93,9 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
if ( ( network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed ) if ( ( network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed )
{ {
EnqueueConnEvent(conn_duration_threshold_crossed, EnqueueConnEvent(conn_duration_threshold_crossed,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<Val>(duration_thresh, TYPE_INTERVAL), make_intrusive<Val>(duration_thresh, TYPE_INTERVAL),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)} val_mgr->Bool(is_orig)
); );
duration_thresh = 0; duration_thresh = 0;
} }
@ -183,10 +183,10 @@ void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val)
if ( bytesidx < 0 ) if ( bytesidx < 0 )
reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field"); reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field");
orig_endp->Assign(pktidx, val_mgr->GetCount(orig_pkts)); orig_endp->Assign(pktidx, val_mgr->Count(orig_pkts));
orig_endp->Assign(bytesidx, val_mgr->GetCount(orig_bytes)); orig_endp->Assign(bytesidx, val_mgr->Count(orig_bytes));
resp_endp->Assign(pktidx, val_mgr->GetCount(resp_pkts)); resp_endp->Assign(pktidx, val_mgr->Count(resp_pkts));
resp_endp->Assign(bytesidx, val_mgr->GetCount(resp_bytes)); resp_endp->Assign(bytesidx, val_mgr->Count(resp_bytes));
Analyzer::UpdateConnVal(conn_val); Analyzer::UpdateConnVal(conn_val);
} }

24
src/analyzer/protocol/conn-size/functions.bif
View file

@ -35,11 +35,11 @@ function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_or
%{ %{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid); analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a ) if ( ! a )
return val_mgr->GetFalse(); return val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig); static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig);
return val_mgr->GetTrue(); return val_mgr->True();
%} %}
## Sets a threshold for connection packets, overwtiting any potential old thresholds. ## Sets a threshold for connection packets, overwtiting any potential old thresholds.
@ -59,11 +59,11 @@ function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_
%{ %{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid); analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a ) if ( ! a )
return val_mgr->GetFalse(); return val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig); static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig);
return val_mgr->GetTrue(); return val_mgr->True();
%} %}
## Sets the current duration threshold for connection, overwriting any potential old ## Sets the current duration threshold for connection, overwriting any potential old
@ -81,11 +81,11 @@ function set_current_conn_duration_threshold%(cid: conn_id, threshold: interval%
%{ %{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid); analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a ) if ( ! a )
return val_mgr->GetFalse(); return val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold); static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold);
return val_mgr->GetTrue(); return val_mgr->True();
%} %}
# Gets the current byte threshold size for a connection. # Gets the current byte threshold size for a connection.
@ -103,9 +103,9 @@ function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
%{ %{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid); analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a ) if ( ! a )
return val_mgr->GetCount(0); return val_mgr->Count(0);
return val_mgr->GetCount(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig)); return val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
%} %}
## Gets the current packet threshold size for a connection. ## Gets the current packet threshold size for a connection.
@ -122,9 +122,9 @@ function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): coun
%{ %{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid); analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a ) if ( ! a )
return val_mgr->GetCount(0); return val_mgr->Count(0);
return val_mgr->GetCount(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig)); return val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
%} %}
## Gets the current duration threshold size for a connection. ## Gets the current duration threshold size for a connection.
@ -139,7 +139,7 @@ function get_current_conn_duration_threshold%(cid: conn_id%): interval
%{ %{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid); analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a ) if ( ! a )
return new Val(0.0, TYPE_INTERVAL); return make_intrusive<Val>(0.0, TYPE_INTERVAL);
return new Val(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold(), TYPE_INTERVAL); return make_intrusive<Val>(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold(), TYPE_INTERVAL);
%} %}

33
src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
View file

@ -37,12 +37,12 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_message ) if ( dce_rpc_message )
{ {
BifEvent::generate_dce_rpc_message(bro_analyzer(), BifEvent::enqueue_dce_rpc_message(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
${header.is_orig}, ${header.is_orig},
fid, fid,
${header.PTYPE}, ${header.PTYPE},
BifType::Enum::DCE_RPC::PType->GetVal(${header.PTYPE}).release()); BifType::Enum::DCE_RPC::PType->GetVal(${header.PTYPE}));
} }
return true; return true;
%} %}
@ -51,11 +51,11 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_bind ) if ( dce_rpc_bind )
{ {
BifEvent::generate_dce_rpc_bind(bro_analyzer(), BifEvent::enqueue_dce_rpc_bind(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
fid, fid,
${req.id}, ${req.id},
bytestring_to_val(${req.abstract_syntax.uuid}), to_stringval(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major}, ${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor}); ${req.abstract_syntax.ver_minor});
} }
@ -67,11 +67,11 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_alter_context ) if ( dce_rpc_alter_context )
{ {
BifEvent::generate_dce_rpc_alter_context(bro_analyzer(), BifEvent::enqueue_dce_rpc_alter_context(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
fid, fid,
${req.id}, ${req.id},
bytestring_to_val(${req.abstract_syntax.uuid}), to_stringval(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major}, ${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor}); ${req.abstract_syntax.ver_minor});
} }
@ -83,22 +83,19 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_bind_ack ) if ( dce_rpc_bind_ack )
{ {
StringVal *sec_addr; IntrusivePtr<StringVal> sec_addr;
// Remove the null from the end of the string if it's there. // Remove the null from the end of the string if it's there.
if ( ${bind.sec_addr}.length() > 0 && if ( ${bind.sec_addr}.length() > 0 &&
*(${bind.sec_addr}.begin() + ${bind.sec_addr}.length()) == 0 ) *(${bind.sec_addr}.begin() + ${bind.sec_addr}.length()) == 0 )
{ sec_addr = make_intrusive<StringVal>(${bind.sec_addr}.length()-1, (const char*) ${bind.sec_addr}.begin());
sec_addr = new StringVal(${bind.sec_addr}.length()-1, (const char*) ${bind.sec_addr}.begin());
}
else else
{ sec_addr = make_intrusive<StringVal>(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
sec_addr = new StringVal(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
}
BifEvent::generate_dce_rpc_bind_ack(bro_analyzer(), BifEvent::enqueue_dce_rpc_bind_ack(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
fid, fid,
sec_addr); std::move(sec_addr));
} }
return true; return true;
%} %}
@ -107,7 +104,7 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_alter_context_resp ) if ( dce_rpc_alter_context_resp )
{ {
BifEvent::generate_dce_rpc_alter_context_resp(bro_analyzer(), BifEvent::enqueue_dce_rpc_alter_context_resp(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
fid); fid);
} }
@ -118,7 +115,7 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_request ) if ( dce_rpc_request )
{ {
BifEvent::generate_dce_rpc_request(bro_analyzer(), BifEvent::enqueue_dce_rpc_request(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
fid, fid,
${req.context_id}, ${req.context_id},
@ -135,7 +132,7 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_response ) if ( dce_rpc_response )
{ {
BifEvent::generate_dce_rpc_response(bro_analyzer(), BifEvent::enqueue_dce_rpc_response(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
fid, fid,
${resp.context_id}, ${resp.context_id},

33
src/analyzer/protocol/dhcp/dhcp-analyzer.pac
View file

@ -1,8 +1,8 @@
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
%member{ %member{
RecordVal* options; IntrusivePtr<RecordVal> options;
VectorVal* all_options; IntrusivePtr<VectorVal> all_options;
%} %}
%init{ %init{
@ -11,10 +11,7 @@ refine flow DHCP_Flow += {
%} %}
%cleanup{ %cleanup{
Unref(options);
options = nullptr; options = nullptr;
Unref(all_options);
all_options = nullptr; all_options = nullptr;
%} %}
@ -22,9 +19,9 @@ refine flow DHCP_Flow += {
%{ %{
if ( ! options ) if ( ! options )
{ {
options = new RecordVal(BifType::Record::DHCP::Options); options = make_intrusive<RecordVal>(BifType::Record::DHCP::Options);
all_options = new VectorVal(index_vec); all_options = make_intrusive<VectorVal>(index_vec);
options->Assign(0, all_options->Ref()); options->Assign(0, all_options);
} }
return true; return true;
@ -35,8 +32,7 @@ refine flow DHCP_Flow += {
init_options(); init_options();
if ( code != 255 ) if ( code != 255 )
all_options->Assign(all_options->Size(), all_options->Assign(all_options->Size(), val_mgr->Count(code));
val_mgr->GetCount(code));
return true; return true;
%} %}
@ -57,12 +53,12 @@ refine flow DHCP_Flow += {
std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length()); std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length());
double secs = static_cast<double>(${msg.secs}); double secs = static_cast<double>(${msg.secs});
auto dhcp_msg_val = new RecordVal(BifType::Record::DHCP::Msg); auto dhcp_msg_val = make_intrusive<RecordVal>(BifType::Record::DHCP::Msg);
dhcp_msg_val->Assign(0, val_mgr->GetCount(${msg.op})); dhcp_msg_val->Assign(0, val_mgr->Count(${msg.op}));
dhcp_msg_val->Assign(1, val_mgr->GetCount(${msg.type})); dhcp_msg_val->Assign(1, val_mgr->Count(${msg.type}));
dhcp_msg_val->Assign(2, val_mgr->GetCount(${msg.xid})); dhcp_msg_val->Assign(2, val_mgr->Count(${msg.xid}));
dhcp_msg_val->Assign(3, make_intrusive<Val>(secs, TYPE_INTERVAL)); dhcp_msg_val->Assign(3, make_intrusive<Val>(secs, TYPE_INTERVAL));
dhcp_msg_val->Assign(4, val_mgr->GetCount(${msg.flags})); dhcp_msg_val->Assign(4, val_mgr->Count(${msg.flags}));
dhcp_msg_val->Assign(5, make_intrusive<AddrVal>(htonl(${msg.ciaddr}))); dhcp_msg_val->Assign(5, make_intrusive<AddrVal>(htonl(${msg.ciaddr})));
dhcp_msg_val->Assign(6, make_intrusive<AddrVal>(htonl(${msg.yiaddr}))); dhcp_msg_val->Assign(6, make_intrusive<AddrVal>(htonl(${msg.yiaddr})));
dhcp_msg_val->Assign(7, make_intrusive<AddrVal>(htonl(${msg.siaddr}))); dhcp_msg_val->Assign(7, make_intrusive<AddrVal>(htonl(${msg.siaddr})));
@ -95,14 +91,13 @@ refine flow DHCP_Flow += {
init_options(); init_options();
BifEvent::generate_dhcp_message(connection()->bro_analyzer(), BifEvent::enqueue_dhcp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
${msg.is_orig}, ${msg.is_orig},
dhcp_msg_val, std::move(dhcp_msg_val),
options); std::move(options));
options = nullptr; options = nullptr;
Unref(all_options);
all_options = nullptr; all_options = nullptr;
} }

22
src/analyzer/protocol/dhcp/dhcp-options.pac
View file

@ -34,7 +34,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_time_offset_option(v: OptionValue): bool function process_time_offset_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(25, val_mgr->GetInt(${v.time_offset})); ${context.flow}->options->Assign(25, val_mgr->Int(${v.time_offset}));
return true; return true;
%} %}
}; };
@ -250,7 +250,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_forwarding_option(v: OptionValue): bool function process_forwarding_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(6, val_mgr->GetBool(${v.forwarding} == 0 ? false : true)); ${context.flow}->options->Assign(6, val_mgr->Bool(${v.forwarding} == 0 ? false : true));
return true; return true;
%} %}
@ -469,7 +469,7 @@ refine flow DHCP_Flow += {
for ( int i = 0; i < num_parms; ++i ) for ( int i = 0; i < num_parms; ++i )
{ {
uint8 param = (*plist)[i]; uint8 param = (*plist)[i];
params->Assign(i, val_mgr->GetCount(param)); params->Assign(i, val_mgr->Count(param));
} }
${context.flow}->options->Assign(13, params); ${context.flow}->options->Assign(13, params);
@ -521,7 +521,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_max_message_size_option(v: OptionValue): bool function process_max_message_size_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(15, val_mgr->GetCount(${v.max_msg_size})); ${context.flow}->options->Assign(15, val_mgr->Count(${v.max_msg_size}));
return true; return true;
%} %}
@ -626,7 +626,7 @@ refine flow DHCP_Flow += {
function process_client_id_option(v: OptionValue): bool function process_client_id_option(v: OptionValue): bool
%{ %{
RecordVal* client_id = new RecordVal(BifType::Record::DHCP::ClientID); RecordVal* client_id = new RecordVal(BifType::Record::DHCP::ClientID);
client_id->Assign(0, val_mgr->GetCount(${v.client_id.hwtype})); client_id->Assign(0, val_mgr->Count(${v.client_id.hwtype}));
client_id->Assign(1, make_intrusive<StringVal>(fmt_mac(${v.client_id.hwaddr}.begin(), ${v.client_id.hwaddr}.length()))); client_id->Assign(1, make_intrusive<StringVal>(fmt_mac(${v.client_id.hwaddr}.begin(), ${v.client_id.hwaddr}.length())));
${context.flow}->options->Assign(19, client_id); ${context.flow}->options->Assign(19, client_id);
@ -686,9 +686,9 @@ refine flow DHCP_Flow += {
function process_client_fqdn_option(v: OptionValue): bool function process_client_fqdn_option(v: OptionValue): bool
%{ %{
RecordVal* client_fqdn = new RecordVal(BifType::Record::DHCP::ClientFQDN); RecordVal* client_fqdn = new RecordVal(BifType::Record::DHCP::ClientFQDN);
client_fqdn->Assign(0, val_mgr->GetCount(${v.client_fqdn.flags})); client_fqdn->Assign(0, val_mgr->Count(${v.client_fqdn.flags}));
client_fqdn->Assign(1, val_mgr->GetCount(${v.client_fqdn.rcode1})); client_fqdn->Assign(1, val_mgr->Count(${v.client_fqdn.rcode1}));
client_fqdn->Assign(2, val_mgr->GetCount(${v.client_fqdn.rcode2})); client_fqdn->Assign(2, val_mgr->Count(${v.client_fqdn.rcode2}));
const char* domain_name = reinterpret_cast<const char*>(${v.client_fqdn.domain_name}.begin()); const char* domain_name = reinterpret_cast<const char*>(${v.client_fqdn.domain_name}.begin());
client_fqdn->Assign(3, make_intrusive<StringVal>(${v.client_fqdn.domain_name}.length(), domain_name)); client_fqdn->Assign(3, make_intrusive<StringVal>(${v.client_fqdn.domain_name}.length(), domain_name));
@ -751,8 +751,8 @@ refine flow DHCP_Flow += {
ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt ) ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt )
{ {
auto r = new RecordVal(BifType::Record::DHCP::SubOpt); auto r = new RecordVal(BifType::Record::DHCP::SubOpt);
r->Assign(0, val_mgr->GetCount((*ptrsubopt)->code())); r->Assign(0, val_mgr->Count((*ptrsubopt)->code()));
r->Assign(1, bytestring_to_val((*ptrsubopt)->value())); r->Assign(1, to_stringval((*ptrsubopt)->value()));
relay_agent_sub_opt->Assign(i, r); relay_agent_sub_opt->Assign(i, r);
++i; ++i;
@ -781,7 +781,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += { refine flow DHCP_Flow += {
function process_auto_config_option(v: OptionValue): bool function process_auto_config_option(v: OptionValue): bool
%{ %{
${context.flow}->options->Assign(23, val_mgr->GetBool(${v.auto_config} == 0 ? false : true)); ${context.flow}->options->Assign(23, val_mgr->Bool(${v.auto_config} == 0 ? false : true));
return true; return true;
%} %}

108
src/analyzer/protocol/dnp3/dnp3-analyzer.pac
View file

@ -29,7 +29,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_header_block ) if ( ::dnp3_header_block )
{ {
BifEvent::generate_dnp3_header_block( BifEvent::enqueue_dnp3_header_block(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), len, ctrl, dest_addr, src_addr); is_orig(), len, ctrl, dest_addr, src_addr);
@ -42,7 +42,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_application_request_header ) if ( ::dnp3_application_request_header )
{ {
BifEvent::generate_dnp3_application_request_header( BifEvent::enqueue_dnp3_application_request_header(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), is_orig(),
@ -57,7 +57,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_application_response_header ) if ( ::dnp3_application_response_header )
{ {
BifEvent::generate_dnp3_application_response_header( BifEvent::enqueue_dnp3_application_response_header(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), is_orig(),
@ -73,7 +73,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_object_header ) if ( ::dnp3_object_header )
{ {
BifEvent::generate_dnp3_object_header( BifEvent::enqueue_dnp3_object_header(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), obj_type, qua_field, number, rf_low, rf_high); is_orig(), obj_type, qua_field, number, rf_low, rf_high);
@ -86,7 +86,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_object_prefix ) if ( ::dnp3_object_prefix )
{ {
BifEvent::generate_dnp3_object_prefix( BifEvent::enqueue_dnp3_object_prefix(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), prefix_value); is_orig(), prefix_value);
@ -99,7 +99,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_response_data_object ) if ( ::dnp3_response_data_object )
{ {
BifEvent::generate_dnp3_response_data_object( BifEvent::enqueue_dnp3_response_data_object(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), data_value); is_orig(), data_value);
@ -113,10 +113,10 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_attribute_common ) if ( ::dnp3_attribute_common )
{ {
BifEvent::generate_dnp3_attribute_common( BifEvent::enqueue_dnp3_attribute_common(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), data_type_code, leng, bytestring_to_val(attribute_obj) ); is_orig(), data_type_code, leng, to_stringval(attribute_obj) );
} }
return true; return true;
@ -127,7 +127,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_crob ) if ( ::dnp3_crob )
{ {
BifEvent::generate_dnp3_crob( BifEvent::enqueue_dnp3_crob(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code); is_orig(), control_code, count8, on_time, off_time, status_code);
@ -141,7 +141,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_pcb ) if ( ::dnp3_pcb )
{ {
BifEvent::generate_dnp3_pcb( BifEvent::enqueue_dnp3_pcb(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code); is_orig(), control_code, count8, on_time, off_time, status_code);
@ -155,7 +155,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_counter_32wFlag ) if ( ::dnp3_counter_32wFlag )
{ {
BifEvent::generate_dnp3_counter_32wFlag( BifEvent::enqueue_dnp3_counter_32wFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value); is_orig(), flag, count_value);
@ -169,7 +169,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_counter_16wFlag ) if ( ::dnp3_counter_16wFlag )
{ {
BifEvent::generate_dnp3_counter_16wFlag( BifEvent::enqueue_dnp3_counter_16wFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value); is_orig(), flag, count_value);
@ -183,7 +183,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_counter_32woFlag ) if ( ::dnp3_counter_32woFlag )
{ {
BifEvent::generate_dnp3_counter_32woFlag( BifEvent::enqueue_dnp3_counter_32woFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), count_value); is_orig(), count_value);
@ -197,7 +197,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_counter_16woFlag ) if ( ::dnp3_counter_16woFlag )
{ {
BifEvent::generate_dnp3_counter_16woFlag( BifEvent::enqueue_dnp3_counter_16woFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), count_value); is_orig(), count_value);
@ -211,7 +211,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_counter_32wFlag ) if ( ::dnp3_frozen_counter_32wFlag )
{ {
BifEvent::generate_dnp3_frozen_counter_32wFlag( BifEvent::enqueue_dnp3_frozen_counter_32wFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value); is_orig(), flag, count_value);
@ -225,7 +225,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_counter_16wFlag ) if ( ::dnp3_frozen_counter_16wFlag )
{ {
BifEvent::generate_dnp3_frozen_counter_16wFlag( BifEvent::enqueue_dnp3_frozen_counter_16wFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value); is_orig(), flag, count_value);
@ -239,7 +239,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_counter_32wFlagTime ) if ( ::dnp3_frozen_counter_32wFlagTime )
{ {
BifEvent::generate_dnp3_frozen_counter_32wFlagTime( BifEvent::enqueue_dnp3_frozen_counter_32wFlagTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48)); is_orig(), flag, count_value, bytestring_to_time(time48));
@ -253,7 +253,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_counter_16wFlagTime ) if ( ::dnp3_frozen_counter_16wFlagTime )
{ {
BifEvent::generate_dnp3_frozen_counter_16wFlagTime( BifEvent::enqueue_dnp3_frozen_counter_16wFlagTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48)); is_orig(), flag, count_value, bytestring_to_time(time48));
@ -267,7 +267,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_counter_32woFlag ) if ( ::dnp3_frozen_counter_32woFlag )
{ {
BifEvent::generate_dnp3_frozen_counter_32woFlag( BifEvent::enqueue_dnp3_frozen_counter_32woFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), count_value); is_orig(), count_value);
@ -281,7 +281,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_counter_16woFlag ) if ( ::dnp3_frozen_counter_16woFlag )
{ {
BifEvent::generate_dnp3_frozen_counter_16woFlag( BifEvent::enqueue_dnp3_frozen_counter_16woFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), count_value); is_orig(), count_value);
@ -295,7 +295,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_32wFlag ) if ( ::dnp3_analog_input_32wFlag )
{ {
BifEvent::generate_dnp3_analog_input_32wFlag( BifEvent::enqueue_dnp3_analog_input_32wFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
@ -309,7 +309,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_16wFlag ) if ( ::dnp3_analog_input_16wFlag )
{ {
BifEvent::generate_dnp3_analog_input_16wFlag( BifEvent::enqueue_dnp3_analog_input_16wFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
@ -323,7 +323,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_32woFlag ) if ( ::dnp3_analog_input_32woFlag )
{ {
BifEvent::generate_dnp3_analog_input_32woFlag( BifEvent::enqueue_dnp3_analog_input_32woFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), value); is_orig(), value);
@ -337,7 +337,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_16woFlag ) if ( ::dnp3_analog_input_16woFlag )
{ {
BifEvent::generate_dnp3_analog_input_16woFlag( BifEvent::enqueue_dnp3_analog_input_16woFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), value); is_orig(), value);
@ -351,7 +351,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_SPwFlag ) if ( ::dnp3_analog_input_SPwFlag )
{ {
BifEvent::generate_dnp3_analog_input_SPwFlag( BifEvent::enqueue_dnp3_analog_input_SPwFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
@ -365,7 +365,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_DPwFlag ) if ( ::dnp3_analog_input_DPwFlag )
{ {
BifEvent::generate_dnp3_analog_input_DPwFlag( BifEvent::enqueue_dnp3_analog_input_DPwFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high); is_orig(), flag, value_low, value_high);
@ -379,7 +379,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_32wFlag ) if ( ::dnp3_frozen_analog_input_32wFlag )
{ {
BifEvent::generate_dnp3_frozen_analog_input_32wFlag( BifEvent::enqueue_dnp3_frozen_analog_input_32wFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
@ -393,7 +393,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_16wFlag ) if ( ::dnp3_frozen_analog_input_16wFlag )
{ {
BifEvent::generate_dnp3_frozen_analog_input_16wFlag( BifEvent::enqueue_dnp3_frozen_analog_input_16wFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
@ -407,7 +407,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_32wTime ) if ( ::dnp3_frozen_analog_input_32wTime )
{ {
BifEvent::generate_dnp3_frozen_analog_input_32wTime( BifEvent::enqueue_dnp3_frozen_analog_input_32wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48)); is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -421,7 +421,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_16wTime ) if ( ::dnp3_frozen_analog_input_16wTime )
{ {
BifEvent::generate_dnp3_frozen_analog_input_16wTime( BifEvent::enqueue_dnp3_frozen_analog_input_16wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48)); is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -435,7 +435,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_32woFlag ) if ( ::dnp3_frozen_analog_input_32woFlag )
{ {
BifEvent::generate_dnp3_frozen_analog_input_32woFlag( BifEvent::enqueue_dnp3_frozen_analog_input_32woFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), frozen_value); is_orig(), frozen_value);
@ -449,7 +449,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_16woFlag ) if ( ::dnp3_frozen_analog_input_16woFlag )
{ {
BifEvent::generate_dnp3_frozen_analog_input_16woFlag( BifEvent::enqueue_dnp3_frozen_analog_input_16woFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), frozen_value); is_orig(), frozen_value);
@ -463,7 +463,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_SPwFlag ) if ( ::dnp3_frozen_analog_input_SPwFlag )
{ {
BifEvent::generate_dnp3_frozen_analog_input_SPwFlag( BifEvent::enqueue_dnp3_frozen_analog_input_SPwFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
@ -477,7 +477,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_DPwFlag ) if ( ::dnp3_frozen_analog_input_DPwFlag )
{ {
BifEvent::generate_dnp3_frozen_analog_input_DPwFlag( BifEvent::enqueue_dnp3_frozen_analog_input_DPwFlag(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high); is_orig(), flag, frozen_value_low, frozen_value_high);
@ -491,7 +491,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_event_32woTime ) if ( ::dnp3_analog_input_event_32woTime )
{ {
BifEvent::generate_dnp3_analog_input_event_32woTime( BifEvent::enqueue_dnp3_analog_input_event_32woTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
@ -505,7 +505,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_event_16woTime ) if ( ::dnp3_analog_input_event_16woTime )
{ {
BifEvent::generate_dnp3_analog_input_event_16woTime( BifEvent::enqueue_dnp3_analog_input_event_16woTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
@ -519,7 +519,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_event_32wTime ) if ( ::dnp3_analog_input_event_32wTime )
{ {
BifEvent::generate_dnp3_analog_input_event_32wTime( BifEvent::enqueue_dnp3_analog_input_event_32wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48)); is_orig(), flag, value, bytestring_to_time(time48));
@ -533,7 +533,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_event_16wTime ) if ( ::dnp3_analog_input_event_16wTime )
{ {
BifEvent::generate_dnp3_analog_input_event_16wTime( BifEvent::enqueue_dnp3_analog_input_event_16wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48)); is_orig(), flag, value, bytestring_to_time(time48));
@ -547,7 +547,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_event_SPwoTime ) if ( ::dnp3_analog_input_event_SPwoTime )
{ {
BifEvent::generate_dnp3_analog_input_event_SPwoTime( BifEvent::enqueue_dnp3_analog_input_event_SPwoTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
@ -561,7 +561,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_event_DPwoTime ) if ( ::dnp3_analog_input_event_DPwoTime )
{ {
BifEvent::generate_dnp3_analog_input_event_DPwoTime( BifEvent::enqueue_dnp3_analog_input_event_DPwoTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high); is_orig(), flag, value_low, value_high);
@ -575,7 +575,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_event_SPwTime ) if ( ::dnp3_analog_input_event_SPwTime )
{ {
BifEvent::generate_dnp3_analog_input_event_SPwTime( BifEvent::enqueue_dnp3_analog_input_event_SPwTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48)); is_orig(), flag, value, bytestring_to_time(time48));
@ -589,7 +589,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_analog_input_event_DPwTime ) if ( ::dnp3_analog_input_event_DPwTime )
{ {
BifEvent::generate_dnp3_analog_input_event_DPwTime( BifEvent::enqueue_dnp3_analog_input_event_DPwTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high, bytestring_to_time(time48)); is_orig(), flag, value_low, value_high, bytestring_to_time(time48));
@ -603,7 +603,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_event_32woTime ) if ( ::dnp3_frozen_analog_input_event_32woTime )
{ {
BifEvent::generate_dnp3_frozen_analog_input_event_32woTime( BifEvent::enqueue_dnp3_frozen_analog_input_event_32woTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
@ -617,7 +617,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_event_16woTime ) if ( ::dnp3_frozen_analog_input_event_16woTime )
{ {
BifEvent::generate_dnp3_frozen_analog_input_event_16woTime( BifEvent::enqueue_dnp3_frozen_analog_input_event_16woTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
@ -631,7 +631,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_event_32wTime ) if ( ::dnp3_frozen_analog_input_event_32wTime )
{ {
BifEvent::generate_dnp3_frozen_analog_input_event_32wTime( BifEvent::enqueue_dnp3_frozen_analog_input_event_32wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48)); is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -645,7 +645,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_event_16wTime ) if ( ::dnp3_frozen_analog_input_event_16wTime )
{ {
BifEvent::generate_dnp3_frozen_analog_input_event_16wTime( BifEvent::enqueue_dnp3_frozen_analog_input_event_16wTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48)); is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -659,7 +659,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_event_SPwoTime ) if ( ::dnp3_frozen_analog_input_event_SPwoTime )
{ {
BifEvent::generate_dnp3_frozen_analog_input_event_SPwoTime( BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwoTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
@ -673,7 +673,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_event_DPwoTime ) if ( ::dnp3_frozen_analog_input_event_DPwoTime )
{ {
BifEvent::generate_dnp3_frozen_analog_input_event_DPwoTime( BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwoTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high); is_orig(), flag, frozen_value_low, frozen_value_high);
@ -687,7 +687,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_event_SPwTime ) if ( ::dnp3_frozen_analog_input_event_SPwTime )
{ {
BifEvent::generate_dnp3_frozen_analog_input_event_SPwTime( BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48)); is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -701,7 +701,7 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_frozen_analog_input_event_DPwTime ) if ( ::dnp3_frozen_analog_input_event_DPwTime )
{ {
BifEvent::generate_dnp3_frozen_analog_input_event_DPwTime( BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwTime(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48)); is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48));
@ -715,10 +715,10 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_file_transport ) if ( ::dnp3_file_transport )
{ {
BifEvent::generate_dnp3_file_transport( BifEvent::enqueue_dnp3_file_transport(
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), file_handle, block_num, bytestring_to_val(file_data)); is_orig(), file_handle, block_num, to_stringval(file_data));
} }
return true; return true;
@ -729,10 +729,10 @@ flow DNP3_Flow(is_orig: bool) {
%{ %{
if ( ::dnp3_debug_byte ) if ( ::dnp3_debug_byte )
{ {
BifEvent::generate_dnp3_debug_byte ( BifEvent::enqueue_dnp3_debug_byte (
connection()->bro_analyzer(), connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), bytestring_to_val(debug)); is_orig(), to_stringval(debug));
} }
return true; return true;

162
src/analyzer/protocol/dns/DNS.cc
View file

@ -49,10 +49,10 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
if ( dns_message ) if ( dns_message )
analyzer->EnqueueConnEvent(dns_message, analyzer->EnqueueConnEvent(dns_message,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)}, val_mgr->Bool(is_query),
IntrusivePtr{AdoptRef{}, msg.BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg.BuildHdrVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)} val_mgr->Count(len)
); );
// There is a great deal of non-DNS traffic that runs on port 53. // There is a great deal of non-DNS traffic that runs on port 53.
@ -134,7 +134,7 @@ void DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
{ {
if ( dns_end ) if ( dns_end )
analyzer->EnqueueConnEvent(dns_end, analyzer->EnqueueConnEvent(dns_end,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()} IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}
); );
} }
@ -337,7 +337,7 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
if ( dns_unknown_reply && ! msg->skip_event ) if ( dns_unknown_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_unknown_reply, analyzer->EnqueueConnEvent(dns_unknown_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()} IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}
); );
@ -550,7 +550,7 @@ bool DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
if ( reply_event && ! msg->skip_event ) if ( reply_event && ! msg->skip_event )
analyzer->EnqueueConnEvent(reply_event, analyzer->EnqueueConnEvent(reply_event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true)) make_intrusive<StringVal>(new BroString(name, name_end - name, true))
@ -596,14 +596,14 @@ bool DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
auto r = make_intrusive<RecordVal>(dns_soa); auto r = make_intrusive<RecordVal>(dns_soa);
r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, true))); r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, true)));
r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, true))); r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, true)));
r->Assign(2, val_mgr->GetCount(serial)); r->Assign(2, val_mgr->Count(serial));
r->Assign(3, make_intrusive<IntervalVal>(double(refresh), Seconds)); r->Assign(3, make_intrusive<IntervalVal>(double(refresh), Seconds));
r->Assign(4, make_intrusive<IntervalVal>(double(retry), Seconds)); r->Assign(4, make_intrusive<IntervalVal>(double(retry), Seconds));
r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds)); r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds)); r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));
analyzer->EnqueueConnEvent(dns_SOA_reply, analyzer->EnqueueConnEvent(dns_SOA_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(r) std::move(r)
@ -633,11 +633,11 @@ bool DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
if ( dns_MX_reply && ! msg->skip_event ) if ( dns_MX_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_MX_reply, analyzer->EnqueueConnEvent(dns_MX_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true)), make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(preference)} val_mgr->Count(preference)
); );
return true; return true;
@ -674,13 +674,13 @@ bool DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
if ( dns_SRV_reply && ! msg->skip_event ) if ( dns_SRV_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_SRV_reply, analyzer->EnqueueConnEvent(dns_SRV_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true)), make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(priority)}, val_mgr->Count(priority),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(weight)}, val_mgr->Count(weight),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)} val_mgr->Count(port)
); );
return true; return true;
@ -695,7 +695,7 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
if ( dns_EDNS_addl && ! msg->skip_event ) if ( dns_EDNS_addl && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_EDNS_addl, analyzer->EnqueueConnEvent(dns_EDNS_addl,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildEDNS_Val()} IntrusivePtr{AdoptRef{}, msg->BuildEDNS_Val()}
); );
@ -772,7 +772,7 @@ bool DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
tsig.rr_error = rr_error; tsig.rr_error = rr_error;
analyzer->EnqueueConnEvent(dns_TSIG_addl, analyzer->EnqueueConnEvent(dns_TSIG_addl,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildTSIG_Val(&tsig)} IntrusivePtr{AdoptRef{}, msg->BuildTSIG_Val(&tsig)}
); );
@ -873,7 +873,7 @@ bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
rrsig.signature = sign; rrsig.signature = sign;
analyzer->EnqueueConnEvent(dns_RRSIG, analyzer->EnqueueConnEvent(dns_RRSIG,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildRRSIG_Val(&rrsig)} IntrusivePtr{AdoptRef{}, msg->BuildRRSIG_Val(&rrsig)}
@ -968,7 +968,7 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
dnskey.public_key = key; dnskey.public_key = key;
analyzer->EnqueueConnEvent(dns_DNSKEY, analyzer->EnqueueConnEvent(dns_DNSKEY,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildDNSKEY_Val(&dnskey)} IntrusivePtr{AdoptRef{}, msg->BuildDNSKEY_Val(&dnskey)}
@ -1020,7 +1020,7 @@ bool DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
if ( dns_NSEC ) if ( dns_NSEC )
analyzer->EnqueueConnEvent(dns_NSEC, analyzer->EnqueueConnEvent(dns_NSEC,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true)), make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
@ -1106,7 +1106,7 @@ bool DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
nsec3.bitmaps = char_strings; nsec3.bitmaps = char_strings;
analyzer->EnqueueConnEvent(dns_NSEC3, analyzer->EnqueueConnEvent(dns_NSEC3,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildNSEC3_Val(&nsec3)} IntrusivePtr{AdoptRef{}, msg->BuildNSEC3_Val(&nsec3)}
@ -1166,7 +1166,7 @@ bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
ds.digest_val = ds_digest; ds.digest_val = ds_digest;
analyzer->EnqueueConnEvent(dns_DS, analyzer->EnqueueConnEvent(dns_DS,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildDS_Val(&ds)} IntrusivePtr{AdoptRef{}, msg->BuildDS_Val(&ds)}
@ -1189,7 +1189,7 @@ bool DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
if ( dns_A_reply && ! msg->skip_event ) if ( dns_A_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_A_reply, analyzer->EnqueueConnEvent(dns_A_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<AddrVal>(htonl(addr)) make_intrusive<AddrVal>(htonl(addr))
@ -1225,7 +1225,7 @@ bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
if ( event && ! msg->skip_event ) if ( event && ! msg->skip_event )
analyzer->EnqueueConnEvent(event, analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<AddrVal>(addr) make_intrusive<AddrVal>(addr)
@ -1299,7 +1299,7 @@ bool DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
if ( dns_TXT_reply ) if ( dns_TXT_reply )
analyzer->EnqueueConnEvent(dns_TXT_reply, analyzer->EnqueueConnEvent(dns_TXT_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(char_strings) std::move(char_strings)
@ -1327,7 +1327,7 @@ bool DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
if ( dns_SPF_reply ) if ( dns_SPF_reply )
analyzer->EnqueueConnEvent(dns_SPF_reply, analyzer->EnqueueConnEvent(dns_SPF_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(char_strings) std::move(char_strings)
@ -1368,10 +1368,10 @@ bool DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
if ( dns_CAA_reply ) if ( dns_CAA_reply )
analyzer->EnqueueConnEvent(dns_CAA_reply, analyzer->EnqueueConnEvent(dns_CAA_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}, IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags)}, val_mgr->Count(flags),
make_intrusive<StringVal>(tag), make_intrusive<StringVal>(tag),
make_intrusive<StringVal>(value) make_intrusive<StringVal>(value)
); );
@ -1396,11 +1396,11 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
assert(event); assert(event);
analyzer->EnqueueConnEvent(event, analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}, IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
make_intrusive<StringVal>(question_name), make_intrusive<StringVal>(question_name),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qtype)}, val_mgr->Count(qtype),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qclass)} val_mgr->Count(qclass)
); );
} }
@ -1446,19 +1446,19 @@ Val* DNS_MsgInfo::BuildHdrVal()
{ {
RecordVal* r = new RecordVal(dns_msg); RecordVal* r = new RecordVal(dns_msg);
r->Assign(0, val_mgr->GetCount(id)); r->Assign(0, val_mgr->Count(id));
r->Assign(1, val_mgr->GetCount(opcode)); r->Assign(1, val_mgr->Count(opcode));
r->Assign(2, val_mgr->GetCount(rcode)); r->Assign(2, val_mgr->Count(rcode));
r->Assign(3, val_mgr->GetBool(QR)); r->Assign(3, val_mgr->Bool(QR));
r->Assign(4, val_mgr->GetBool(AA)); r->Assign(4, val_mgr->Bool(AA));
r->Assign(5, val_mgr->GetBool(TC)); r->Assign(5, val_mgr->Bool(TC));
r->Assign(6, val_mgr->GetBool(RD)); r->Assign(6, val_mgr->Bool(RD));
r->Assign(7, val_mgr->GetBool(RA)); r->Assign(7, val_mgr->Bool(RA));
r->Assign(8, val_mgr->GetCount(Z)); r->Assign(8, val_mgr->Count(Z));
r->Assign(9, val_mgr->GetCount(qdcount)); r->Assign(9, val_mgr->Count(qdcount));
r->Assign(10, val_mgr->GetCount(ancount)); r->Assign(10, val_mgr->Count(ancount));
r->Assign(11, val_mgr->GetCount(nscount)); r->Assign(11, val_mgr->Count(nscount));
r->Assign(12, val_mgr->GetCount(arcount)); r->Assign(12, val_mgr->Count(arcount));
return r; return r;
} }
@ -1468,10 +1468,10 @@ Val* DNS_MsgInfo::BuildAnswerVal()
RecordVal* r = new RecordVal(dns_answer); RecordVal* r = new RecordVal(dns_answer);
Ref(query_name); Ref(query_name);
r->Assign(0, val_mgr->GetCount(int(answer_type))); r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(1, query_name); r->Assign(1, query_name);
r->Assign(2, val_mgr->GetCount(atype)); r->Assign(2, val_mgr->Count(atype));
r->Assign(3, val_mgr->GetCount(aclass)); r->Assign(3, val_mgr->Count(aclass));
r->Assign(4, make_intrusive<IntervalVal>(double(ttl), Seconds)); r->Assign(4, make_intrusive<IntervalVal>(double(ttl), Seconds));
return r; return r;
@ -1484,14 +1484,14 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
RecordVal* r = new RecordVal(dns_edns_additional); RecordVal* r = new RecordVal(dns_edns_additional);
Ref(query_name); Ref(query_name);
r->Assign(0, val_mgr->GetCount(int(answer_type))); r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(1, query_name); r->Assign(1, query_name);
// type = 0x29 or 41 = EDNS // type = 0x29 or 41 = EDNS
r->Assign(2, val_mgr->GetCount(atype)); r->Assign(2, val_mgr->Count(atype));
// sender's UDP payload size, per RFC 2671 4.3 // sender's UDP payload size, per RFC 2671 4.3
r->Assign(3, val_mgr->GetCount(aclass)); r->Assign(3, val_mgr->Count(aclass));
// Need to break the TTL field into three components: // Need to break the TTL field into three components:
// initial: [------------- ttl (32) ---------------------] // initial: [------------- ttl (32) ---------------------]
@ -1504,11 +1504,11 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
unsigned int return_error = (ercode << 8) | rcode; unsigned int return_error = (ercode << 8) | rcode;
r->Assign(4, val_mgr->GetCount(return_error)); r->Assign(4, val_mgr->Count(return_error));
r->Assign(5, val_mgr->GetCount(version)); r->Assign(5, val_mgr->Count(version));
r->Assign(6, val_mgr->GetCount(z)); r->Assign(6, val_mgr->Count(z));
r->Assign(7, make_intrusive<IntervalVal>(double(ttl), Seconds)); r->Assign(7, make_intrusive<IntervalVal>(double(ttl), Seconds));
r->Assign(8, val_mgr->GetCount(is_query)); r->Assign(8, val_mgr->Count(is_query));
return r; return r;
} }
@ -1519,16 +1519,16 @@ Val* DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
double rtime = tsig->time_s + tsig->time_ms / 1000.0; double rtime = tsig->time_s + tsig->time_ms / 1000.0;
Ref(query_name); Ref(query_name);
// r->Assign(0, val_mgr->GetCount(int(answer_type))); // r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type))); r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, make_intrusive<StringVal>(tsig->alg_name)); r->Assign(2, make_intrusive<StringVal>(tsig->alg_name));
r->Assign(3, make_intrusive<StringVal>(tsig->sig)); r->Assign(3, make_intrusive<StringVal>(tsig->sig));
r->Assign(4, make_intrusive<Val>(rtime, TYPE_TIME)); r->Assign(4, make_intrusive<Val>(rtime, TYPE_TIME));
r->Assign(5, make_intrusive<Val>(double(tsig->fudge), TYPE_TIME)); r->Assign(5, make_intrusive<Val>(double(tsig->fudge), TYPE_TIME));
r->Assign(6, val_mgr->GetCount(tsig->orig_id)); r->Assign(6, val_mgr->Count(tsig->orig_id));
r->Assign(7, val_mgr->GetCount(tsig->rr_error)); r->Assign(7, val_mgr->Count(tsig->rr_error));
r->Assign(8, val_mgr->GetCount(is_query)); r->Assign(8, val_mgr->Count(is_query));
return r; return r;
} }
@ -1539,17 +1539,17 @@ Val* DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
Ref(query_name); Ref(query_name);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type))); r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->GetCount(rrsig->type_covered)); r->Assign(2, val_mgr->Count(rrsig->type_covered));
r->Assign(3, val_mgr->GetCount(rrsig->algorithm)); r->Assign(3, val_mgr->Count(rrsig->algorithm));
r->Assign(4, val_mgr->GetCount(rrsig->labels)); r->Assign(4, val_mgr->Count(rrsig->labels));
r->Assign(5, make_intrusive<IntervalVal>(double(rrsig->orig_ttl), Seconds)); r->Assign(5, make_intrusive<IntervalVal>(double(rrsig->orig_ttl), Seconds));
r->Assign(6, make_intrusive<Val>(double(rrsig->sig_exp), TYPE_TIME)); r->Assign(6, make_intrusive<Val>(double(rrsig->sig_exp), TYPE_TIME));
r->Assign(7, make_intrusive<Val>(double(rrsig->sig_incep), TYPE_TIME)); r->Assign(7, make_intrusive<Val>(double(rrsig->sig_incep), TYPE_TIME));
r->Assign(8, val_mgr->GetCount(rrsig->key_tag)); r->Assign(8, val_mgr->Count(rrsig->key_tag));
r->Assign(9, make_intrusive<StringVal>(rrsig->signer_name)); r->Assign(9, make_intrusive<StringVal>(rrsig->signer_name));
r->Assign(10, make_intrusive<StringVal>(rrsig->signature)); r->Assign(10, make_intrusive<StringVal>(rrsig->signature));
r->Assign(11, val_mgr->GetCount(is_query)); r->Assign(11, val_mgr->Count(is_query));
return r; return r;
} }
@ -1560,12 +1560,12 @@ Val* DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
Ref(query_name); Ref(query_name);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type))); r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->GetCount(dnskey->dflags)); r->Assign(2, val_mgr->Count(dnskey->dflags));
r->Assign(3, val_mgr->GetCount(dnskey->dprotocol)); r->Assign(3, val_mgr->Count(dnskey->dprotocol));
r->Assign(4, val_mgr->GetCount(dnskey->dalgorithm)); r->Assign(4, val_mgr->Count(dnskey->dalgorithm));
r->Assign(5, make_intrusive<StringVal>(dnskey->public_key)); r->Assign(5, make_intrusive<StringVal>(dnskey->public_key));
r->Assign(6, val_mgr->GetCount(is_query)); r->Assign(6, val_mgr->Count(is_query));
return r; return r;
} }
@ -1576,16 +1576,16 @@ Val* DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
Ref(query_name); Ref(query_name);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type))); r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->GetCount(nsec3->nsec_flags)); r->Assign(2, val_mgr->Count(nsec3->nsec_flags));
r->Assign(3, val_mgr->GetCount(nsec3->nsec_hash_algo)); r->Assign(3, val_mgr->Count(nsec3->nsec_hash_algo));
r->Assign(4, val_mgr->GetCount(nsec3->nsec_iter)); r->Assign(4, val_mgr->Count(nsec3->nsec_iter));
r->Assign(5, val_mgr->GetCount(nsec3->nsec_salt_len)); r->Assign(5, val_mgr->Count(nsec3->nsec_salt_len));
r->Assign(6, make_intrusive<StringVal>(nsec3->nsec_salt)); r->Assign(6, make_intrusive<StringVal>(nsec3->nsec_salt));
r->Assign(7, val_mgr->GetCount(nsec3->nsec_hlen)); r->Assign(7, val_mgr->Count(nsec3->nsec_hlen));
r->Assign(8, make_intrusive<StringVal>(nsec3->nsec_hash)); r->Assign(8, make_intrusive<StringVal>(nsec3->nsec_hash));
r->Assign(9, nsec3->bitmaps); r->Assign(9, nsec3->bitmaps);
r->Assign(10, val_mgr->GetCount(is_query)); r->Assign(10, val_mgr->Count(is_query));
return r; return r;
} }
@ -1596,12 +1596,12 @@ Val* DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
Ref(query_name); Ref(query_name);
r->Assign(0, query_name); r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type))); r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->GetCount(ds->key_tag)); r->Assign(2, val_mgr->Count(ds->key_tag));
r->Assign(3, val_mgr->GetCount(ds->algorithm)); r->Assign(3, val_mgr->Count(ds->algorithm));
r->Assign(4, val_mgr->GetCount(ds->digest_type)); r->Assign(4, val_mgr->Count(ds->digest_type));
r->Assign(5, make_intrusive<StringVal>(ds->digest_val)); r->Assign(5, make_intrusive<StringVal>(ds->digest_val));
r->Assign(6, val_mgr->GetCount(is_query)); r->Assign(6, val_mgr->Count(is_query));
return r; return r;
} }

2
src/analyzer/protocol/file/File.cc
View file

@ -80,7 +80,7 @@ void File_Analyzer::Identify()
if ( file_transferred ) if ( file_transferred )
EnqueueConnEvent(file_transferred, EnqueueConnEvent(file_transferred,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(buffer_len, buffer), make_intrusive<StringVal>(buffer_len, buffer),
make_intrusive<StringVal>("<unknown>"), make_intrusive<StringVal>("<unknown>"),
make_intrusive<StringVal>(match) make_intrusive<StringVal>(match)

6
src/analyzer/protocol/finger/Finger.cc
View file

@ -68,8 +68,8 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( finger_request ) if ( finger_request )
EnqueueConnEvent(finger_request, EnqueueConnEvent(finger_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(long_cnt)}, val_mgr->Bool(long_cnt),
make_intrusive<StringVal>(at - line, line), make_intrusive<StringVal>(at - line, line),
make_intrusive<StringVal>(end_of_line - host, host) make_intrusive<StringVal>(end_of_line - host, host)
); );
@ -86,7 +86,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
return; return;
EnqueueConnEvent(finger_reply, EnqueueConnEvent(finger_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(end_of_line - line, line) make_intrusive<StringVal>(end_of_line - line, line)
); );
} }

8
src/analyzer/protocol/ftp/FTP.cc
View file

@ -97,7 +97,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
cmd_str = (new StringVal(cmd_len, cmd))->ToUpper(); cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
vl = { vl = {
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, cmd_str}, IntrusivePtr{AdoptRef{}, cmd_str},
make_intrusive<StringVal>(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line),
}; };
@ -176,10 +176,10 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
} }
vl = { vl = {
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)}, val_mgr->Count(reply_code),
make_intrusive<StringVal>(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(cont_resp)} val_mgr->Bool(cont_resp)
}; };
f = ftp_reply; f = ftp_reply;

24
src/analyzer/protocol/ftp/functions.bif
View file

@ -4,9 +4,9 @@ type ftp_port: record;
%%{ %%{
#include "Reporter.h" #include "Reporter.h"
static Val* parse_port(const char* line) static IntrusivePtr<Val> parse_port(const char* line)
{ {
RecordVal* r = new RecordVal(BifType::Record::ftp_port); auto r = make_intrusive<RecordVal>(BifType::Record::ftp_port);
int bytes[6]; int bytes[6];
if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d", if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d",
@ -34,22 +34,22 @@ static Val* parse_port(const char* line)
} }
r->Assign(0, make_intrusive<AddrVal>(htonl(addr))); r->Assign(0, make_intrusive<AddrVal>(htonl(addr)));
r->Assign(1, val_mgr->GetPort(port, TRANSPORT_TCP)); r->Assign(1, val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->GetBool(good)); r->Assign(2, val_mgr->Bool(good));
} }
else else
{ {
r->Assign(0, make_intrusive<AddrVal>(uint32_t(0))); r->Assign(0, make_intrusive<AddrVal>(uint32_t(0)));
r->Assign(1, val_mgr->GetPort(0, TRANSPORT_TCP)); r->Assign(1, val_mgr->Port(0, TRANSPORT_TCP));
r->Assign(2, val_mgr->GetFalse()); r->Assign(2, val_mgr->False());
} }
return r; return r;
} }
static Val* parse_eftp(const char* line) static IntrusivePtr<Val> parse_eftp(const char* line)
{ {
RecordVal* r = new RecordVal(BifType::Record::ftp_port); auto r = make_intrusive<RecordVal>(BifType::Record::ftp_port);
int net_proto = 0; // currently not used int net_proto = 0; // currently not used
IPAddr addr; // unspecified IPv6 address (all 128 bits zero) IPAddr addr; // unspecified IPv6 address (all 128 bits zero)
@ -110,8 +110,8 @@ static Val* parse_eftp(const char* line)
} }
r->Assign(0, make_intrusive<AddrVal>(addr)); r->Assign(0, make_intrusive<AddrVal>(addr));
r->Assign(1, val_mgr->GetPort(port, TRANSPORT_TCP)); r->Assign(1, val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->GetBool(good)); r->Assign(2, val_mgr->Bool(good));
return r; return r;
} }
@ -206,7 +206,7 @@ function fmt_ftp_port%(a: addr, p: port%): string
{ {
uint32_t a = ntohl(addr[0]); uint32_t a = ntohl(addr[0]);
uint32_t pn = p->Port(); uint32_t pn = p->Port();
return new StringVal(fmt("%d,%d,%d,%d,%d,%d", return make_intrusive<StringVal>(fmt("%d,%d,%d,%d,%d,%d",
a >> 24, (a >> 16) & 0xff, a >> 24, (a >> 16) & 0xff,
(a >> 8) & 0xff, a & 0xff, (a >> 8) & 0xff, a & 0xff,
pn >> 8, pn & 0xff)); pn >> 8, pn & 0xff));
@ -215,6 +215,6 @@ function fmt_ftp_port%(a: addr, p: port%): string
{ {
builtin_error("conversion of non-IPv4 address in fmt_ftp_port", builtin_error("conversion of non-IPv4 address in fmt_ftp_port",
@ARG@[0]); @ARG@[0]);
return val_mgr->GetEmptyString(); return val_mgr->EmptyString();
} }
%} %}

36
src/analyzer/protocol/gnutella/Gnutella.cc
View file

@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done()
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) ) if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{ {
if ( Established() && gnutella_establish ) if ( Established() && gnutella_establish )
EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()}); EnqueueConnEvent(gnutella_establish, ConnVal());
else if ( ! Established () && gnutella_not_establish ) else if ( ! Established () && gnutella_not_establish )
EnqueueConnEvent(gnutella_not_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()}); EnqueueConnEvent(gnutella_not_establish, ConnVal());
} }
if ( gnutella_partial_binary_msg ) if ( gnutella_partial_binary_msg )
@ -72,10 +72,10 @@ void Gnutella_Analyzer::Done()
{ {
if ( ! p->msg_sent && p->msg_pos ) if ( ! p->msg_sent && p->msg_pos )
EnqueueConnEvent(gnutella_partial_binary_msg, EnqueueConnEvent(gnutella_partial_binary_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(p->msg), make_intrusive<StringVal>(p->msg),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((i == 0))}, val_mgr->Bool((i == 0)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_pos)} val_mgr->Count(p->msg_pos)
); );
else if ( ! p->msg_sent && p->payload_left ) else if ( ! p->msg_sent && p->payload_left )
@ -118,7 +118,7 @@ bool Gnutella_Analyzer::IsHTTP(std::string header)
return false; return false;
if ( gnutella_http_notify ) if ( gnutella_http_notify )
EnqueueConnEvent(gnutella_http_notify, IntrusivePtr{AdoptRef{}, BuildConnVal()}); EnqueueConnEvent(gnutella_http_notify, ConnVal());
analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn()); analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
@ -177,8 +177,8 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{ {
if ( gnutella_text_msg ) if ( gnutella_text_msg )
EnqueueConnEvent(gnutella_text_msg, EnqueueConnEvent(gnutella_text_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(ms->headers.data()) make_intrusive<StringVal>(ms->headers.data())
); );
@ -189,7 +189,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{ {
sent_establish = 1; sent_establish = 1;
EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()}); EnqueueConnEvent(gnutella_establish, ConnVal());
} }
} }
} }
@ -215,16 +215,16 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
if ( gnutella_binary_msg ) if ( gnutella_binary_msg )
EnqueueConnEvent(gnutella_binary_msg, EnqueueConnEvent(gnutella_binary_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}, val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_type)}, val_mgr->Count(p->msg_type),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_ttl)}, val_mgr->Count(p->msg_ttl),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_hops)}, val_mgr->Count(p->msg_hops),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_len)}, val_mgr->Count(p->msg_len),
make_intrusive<StringVal>(p->payload), make_intrusive<StringVal>(p->payload),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->payload_len)}, val_mgr->Count(p->payload_len),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))}, val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_left == 0))} val_mgr->Bool((p->payload_left == 0))
); );
} }

2
src/analyzer/protocol/gssapi/gssapi-analyzer.pac
View file

@ -61,7 +61,7 @@ refine connection GSSAPI_Conn += {
%{ %{
if ( gssapi_neg_result ) if ( gssapi_neg_result )
{ {
BifEvent::generate_gssapi_neg_result(bro_analyzer(), BifEvent::enqueue_gssapi_neg_result(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
binary_to_int64(${val.neg_state.encoding.content})); binary_to_int64(${val.neg_state.encoding.content}));
} }

142
src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
View file

@ -4,90 +4,90 @@
%} %}
%code{ %code{
RecordVal* BuildGTPv1Hdr(const GTPv1_Header* pdu) IntrusivePtr<RecordVal> BuildGTPv1Hdr(const GTPv1_Header* pdu)
{ {
RecordVal* rv = new RecordVal(BifType::Record::gtpv1_hdr); auto rv = make_intrusive<RecordVal>(BifType::Record::gtpv1_hdr);
rv->Assign(0, val_mgr->GetCount(pdu->version())); rv->Assign(0, val_mgr->Count(pdu->version()));
rv->Assign(1, val_mgr->GetBool(pdu->pt_flag())); rv->Assign(1, val_mgr->Bool(pdu->pt_flag()));
rv->Assign(2, val_mgr->GetBool(pdu->rsv())); rv->Assign(2, val_mgr->Bool(pdu->rsv()));
rv->Assign(3, val_mgr->GetBool(pdu->e_flag())); rv->Assign(3, val_mgr->Bool(pdu->e_flag()));
rv->Assign(4, val_mgr->GetBool(pdu->s_flag())); rv->Assign(4, val_mgr->Bool(pdu->s_flag()));
rv->Assign(5, val_mgr->GetBool(pdu->pn_flag())); rv->Assign(5, val_mgr->Bool(pdu->pn_flag()));
rv->Assign(6, val_mgr->GetCount(pdu->msg_type())); rv->Assign(6, val_mgr->Count(pdu->msg_type()));
rv->Assign(7, val_mgr->GetCount(pdu->length())); rv->Assign(7, val_mgr->Count(pdu->length()));
rv->Assign(8, val_mgr->GetCount(pdu->teid())); rv->Assign(8, val_mgr->Count(pdu->teid()));
if ( pdu->has_opt() ) if ( pdu->has_opt() )
{ {
rv->Assign(9, val_mgr->GetCount(pdu->opt_hdr()->seq())); rv->Assign(9, val_mgr->Count(pdu->opt_hdr()->seq()));
rv->Assign(10, val_mgr->GetCount(pdu->opt_hdr()->n_pdu())); rv->Assign(10, val_mgr->Count(pdu->opt_hdr()->n_pdu()));
rv->Assign(11, val_mgr->GetCount(pdu->opt_hdr()->next_type())); rv->Assign(11, val_mgr->Count(pdu->opt_hdr()->next_type()));
} }
return rv; return rv;
} }
Val* BuildIMSI(const InformationElement* ie) static IntrusivePtr<Val> BuildIMSI(const InformationElement* ie)
{ {
return val_mgr->GetCount(ie->imsi()->value()); return val_mgr->Count(ie->imsi()->value());
} }
Val* BuildRAI(const InformationElement* ie) static IntrusivePtr<Val> BuildRAI(const InformationElement* ie)
{ {
RecordVal* ev = new RecordVal(BifType::Record::gtp_rai); auto ev = make_intrusive<RecordVal>(BifType::Record::gtp_rai);
ev->Assign(0, val_mgr->GetCount(ie->rai()->mcc())); ev->Assign(0, val_mgr->Count(ie->rai()->mcc()));
ev->Assign(1, val_mgr->GetCount(ie->rai()->mnc())); ev->Assign(1, val_mgr->Count(ie->rai()->mnc()));
ev->Assign(2, val_mgr->GetCount(ie->rai()->lac())); ev->Assign(2, val_mgr->Count(ie->rai()->lac()));
ev->Assign(3, val_mgr->GetCount(ie->rai()->rac())); ev->Assign(3, val_mgr->Count(ie->rai()->rac()));
return ev; return ev;
} }
Val* BuildRecovery(const InformationElement* ie) static IntrusivePtr<Val> BuildRecovery(const InformationElement* ie)
{ {
return val_mgr->GetCount(ie->recovery()->restart_counter()); return val_mgr->Count(ie->recovery()->restart_counter());
} }
Val* BuildSelectionMode(const InformationElement* ie) static IntrusivePtr<Val> BuildSelectionMode(const InformationElement* ie)
{ {
return val_mgr->GetCount(ie->selection_mode()->mode()); return val_mgr->Count(ie->selection_mode()->mode());
} }
Val* BuildTEID1(const InformationElement* ie) static IntrusivePtr<Val> BuildTEID1(const InformationElement* ie)
{ {
return val_mgr->GetCount(ie->teid1()->value()); return val_mgr->Count(ie->teid1()->value());
} }
Val* BuildTEID_ControlPlane(const InformationElement* ie) static IntrusivePtr<Val> BuildTEID_ControlPlane(const InformationElement* ie)
{ {
return val_mgr->GetCount(ie->teidcp()->value()); return val_mgr->Count(ie->teidcp()->value());
} }
Val* BuildNSAPI(const InformationElement* ie) static IntrusivePtr<Val> BuildNSAPI(const InformationElement* ie)
{ {
return val_mgr->GetCount(ie->nsapi()->nsapi()); return val_mgr->Count(ie->nsapi()->nsapi());
} }
Val* BuildChargingCharacteristics(const InformationElement* ie) static IntrusivePtr<Val> BuildChargingCharacteristics(const InformationElement* ie)
{ {
return val_mgr->GetCount(ie->charging_characteristics()->value()); return val_mgr->Count(ie->charging_characteristics()->value());
} }
Val* BuildTraceReference(const InformationElement* ie) static IntrusivePtr<Val> BuildTraceReference(const InformationElement* ie)
{ {
return val_mgr->GetCount(ie->trace_reference()->value()); return val_mgr->Count(ie->trace_reference()->value());
} }
Val* BuildTraceType(const InformationElement* ie) static IntrusivePtr<Val> BuildTraceType(const InformationElement* ie)
{ {
return val_mgr->GetCount(ie->trace_type()->value()); return val_mgr->Count(ie->trace_type()->value());
} }
Val* BuildEndUserAddr(const InformationElement* ie) Val* BuildEndUserAddr(const InformationElement* ie)
{ {
RecordVal* ev = new RecordVal(BifType::Record::gtp_end_user_addr); RecordVal* ev = new RecordVal(BifType::Record::gtp_end_user_addr);
ev->Assign(0, val_mgr->GetCount(ie->end_user_addr()->pdp_type_org())); ev->Assign(0, val_mgr->Count(ie->end_user_addr()->pdp_type_org()));
ev->Assign(1, val_mgr->GetCount(ie->end_user_addr()->pdp_type_num())); ev->Assign(1, val_mgr->Count(ie->end_user_addr()->pdp_type_num()));
int len = ie->end_user_addr()->pdp_addr().length(); int len = ie->end_user_addr()->pdp_addr().length();
@ -161,7 +161,7 @@ Val* BuildQoS_Profile(const InformationElement* ie)
const u_char* d = (const u_char*) ie->qos_profile()->data().data(); const u_char* d = (const u_char*) ie->qos_profile()->data().data();
int len = ie->qos_profile()->data().length(); int len = ie->qos_profile()->data().length();
ev->Assign(0, val_mgr->GetCount(ie->qos_profile()->alloc_retention_priority())); ev->Assign(0, val_mgr->Count(ie->qos_profile()->alloc_retention_priority()));
ev->Assign(1, make_intrusive<StringVal>(new BroString(d, len, false))); ev->Assign(1, make_intrusive<StringVal>(new BroString(d, len, false)));
return ev; return ev;
@ -195,25 +195,25 @@ Val* BuildPrivateExt(const InformationElement* ie)
const uint8* d = ie->private_ext()->value().data(); const uint8* d = ie->private_ext()->value().data();
int len = ie->private_ext()->value().length(); int len = ie->private_ext()->value().length();
ev->Assign(0, val_mgr->GetCount(ie->private_ext()->id())); ev->Assign(0, val_mgr->Count(ie->private_ext()->id()));
ev->Assign(1, make_intrusive<StringVal>(new BroString((const u_char*) d, len, false))); ev->Assign(1, make_intrusive<StringVal>(new BroString((const u_char*) d, len, false)));
return ev; return ev;
} }
Val* BuildCause(const InformationElement* ie) static IntrusivePtr<Val> BuildCause(const InformationElement* ie)
{ {
return val_mgr->GetCount(ie->cause()->value()); return val_mgr->Count(ie->cause()->value());
} }
Val* BuildReorderReq(const InformationElement* ie) static IntrusivePtr<Val> BuildReorderReq(const InformationElement* ie)
{ {
return val_mgr->GetBool(ie->reorder_req()->req()); return val_mgr->Bool(ie->reorder_req()->req());
} }
Val* BuildChargingID(const InformationElement* ie) static IntrusivePtr<Val> BuildChargingID(const InformationElement* ie)
{ {
return val_mgr->GetCount(ie->charging_id()->value());; return val_mgr->Count(ie->charging_id()->value());;
} }
Val* BuildChargingGatewayAddr(const InformationElement* ie) Val* BuildChargingGatewayAddr(const InformationElement* ie)
@ -228,16 +228,16 @@ Val* BuildChargingGatewayAddr(const InformationElement* ie)
return 0; return 0;
} }
Val* BuildTeardownInd(const InformationElement* ie) static IntrusivePtr<Val> BuildTeardownInd(const InformationElement* ie)
{ {
return val_mgr->GetBool(ie->teardown_ind()->ind()); return val_mgr->Bool(ie->teardown_ind()->ind());
} }
void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
{ {
if ( ! ::gtpv1_create_pdp_ctx_request ) return; if ( ! ::gtpv1_create_pdp_ctx_request ) return;
RecordVal* rv = new RecordVal( auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_create_pdp_ctx_request_elements); BifType::Record::gtp_create_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_request(); const vector<InformationElement *> * v = pdu->create_pdp_ctx_request();
@ -328,8 +328,8 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
} }
} }
BifEvent::generate_gtpv1_create_pdp_ctx_request(a, a->Conn(), BifEvent::enqueue_gtpv1_create_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv); BuildGTPv1Hdr(pdu), std::move(rv));
} }
void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -337,7 +337,7 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_create_pdp_ctx_response ) if ( ! ::gtpv1_create_pdp_ctx_response )
return; return;
RecordVal* rv = new RecordVal( auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_create_pdp_ctx_response_elements); BifType::Record::gtp_create_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_response(); const vector<InformationElement *> * v = pdu->create_pdp_ctx_response();
@ -397,8 +397,8 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
} }
} }
BifEvent::generate_gtpv1_create_pdp_ctx_response(a, a->Conn(), BifEvent::enqueue_gtpv1_create_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv); BuildGTPv1Hdr(pdu), std::move(rv));
} }
void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -406,7 +406,7 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_update_pdp_ctx_request ) if ( ! ::gtpv1_update_pdp_ctx_request )
return; return;
RecordVal* rv = new RecordVal( auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_update_pdp_ctx_request_elements); BifType::Record::gtp_update_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_request(); const vector<InformationElement *> * v = pdu->update_pdp_ctx_request();
@ -475,8 +475,8 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
} }
} }
BifEvent::generate_gtpv1_update_pdp_ctx_request(a, a->Conn(), BifEvent::enqueue_gtpv1_update_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv); BuildGTPv1Hdr(pdu), std::move(rv));
} }
void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -484,7 +484,7 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_update_pdp_ctx_response ) if ( ! ::gtpv1_update_pdp_ctx_response )
return; return;
RecordVal* rv = new RecordVal( auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_update_pdp_ctx_response_elements); BifType::Record::gtp_update_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_response(); const vector<InformationElement *> * v = pdu->update_pdp_ctx_response();
@ -535,8 +535,8 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
} }
} }
BifEvent::generate_gtpv1_update_pdp_ctx_response(a, a->Conn(), BifEvent::enqueue_gtpv1_update_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv); BuildGTPv1Hdr(pdu), std::move(rv));
} }
void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -544,7 +544,7 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_delete_pdp_ctx_request ) if ( ! ::gtpv1_delete_pdp_ctx_request )
return; return;
RecordVal* rv = new RecordVal( auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_delete_pdp_ctx_request_elements); BifType::Record::gtp_delete_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request(); const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request();
@ -569,8 +569,8 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
} }
} }
BifEvent::generate_gtpv1_delete_pdp_ctx_request(a, a->Conn(), BifEvent::enqueue_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv); BuildGTPv1Hdr(pdu), std::move(rv));
} }
void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -578,7 +578,7 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_delete_pdp_ctx_response ) if ( ! ::gtpv1_delete_pdp_ctx_response )
return; return;
RecordVal* rv = new RecordVal( auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_delete_pdp_ctx_response_elements); BifType::Record::gtp_delete_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response(); const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response();
@ -600,8 +600,8 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
} }
} }
BifEvent::generate_gtpv1_delete_pdp_ctx_response(a, a->Conn(), BifEvent::enqueue_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv); BuildGTPv1Hdr(pdu), std::move(rv));
} }
%} %}
@ -679,7 +679,7 @@ flow GTPv1_Flow(is_orig: bool)
} }
if ( ::gtpv1_message ) if ( ::gtpv1_message )
BifEvent::generate_gtpv1_message(a, c, BuildGTPv1Hdr(pdu)); BifEvent::enqueue_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
switch ( ${pdu.msg_type} ) { switch ( ${pdu.msg_type} ) {
case 16: case 16:
@ -759,8 +759,8 @@ flow GTPv1_Flow(is_orig: bool)
} }
if ( ::gtpv1_g_pdu_packet ) if ( ::gtpv1_g_pdu_packet )
BifEvent::generate_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu), BifEvent::enqueue_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu),
inner->BuildPktHdrVal()); {AdoptRef{}, inner->BuildPktHdrVal()});
EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1); EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);

55
src/analyzer/protocol/http/HTTP.cc
View file

@ -618,11 +618,11 @@ Val* HTTP_Message::BuildMessageStat(bool interrupted, const char* msg)
RecordVal* stat = new RecordVal(http_message_stat); RecordVal* stat = new RecordVal(http_message_stat);
int field = 0; int field = 0;
stat->Assign(field++, make_intrusive<Val>(start_time, TYPE_TIME)); stat->Assign(field++, make_intrusive<Val>(start_time, TYPE_TIME));
stat->Assign(field++, val_mgr->GetBool(interrupted)); stat->Assign(field++, val_mgr->Bool(interrupted));
stat->Assign(field++, make_intrusive<StringVal>(msg)); stat->Assign(field++, make_intrusive<StringVal>(msg));
stat->Assign(field++, val_mgr->GetCount(body_length)); stat->Assign(field++, val_mgr->Count(body_length));
stat->Assign(field++, val_mgr->GetCount(content_gap_length)); stat->Assign(field++, val_mgr->Count(content_gap_length));
stat->Assign(field++, val_mgr->GetCount(header_length)); stat->Assign(field++, val_mgr->Count(header_length));
return stat; return stat;
} }
@ -650,8 +650,8 @@ void HTTP_Message::Done(bool interrupted, const char* detail)
if ( http_message_done ) if ( http_message_done )
GetAnalyzer()->EnqueueConnEvent(http_message_done, GetAnalyzer()->EnqueueConnEvent(http_message_done,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}, val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, BuildMessageStat(interrupted, detail)} IntrusivePtr{AdoptRef{}, BuildMessageStat(interrupted, detail)}
); );
@ -681,8 +681,8 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
if ( http_begin_entity ) if ( http_begin_entity )
analyzer->EnqueueConnEvent(http_begin_entity, analyzer->EnqueueConnEvent(http_begin_entity,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)} val_mgr->Bool(is_orig)
); );
} }
@ -696,8 +696,8 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
if ( http_end_entity ) if ( http_end_entity )
analyzer->EnqueueConnEvent(http_end_entity, analyzer->EnqueueConnEvent(http_end_entity,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)} val_mgr->Bool(is_orig)
); );
current_entity = (HTTP_Entity*) entity->Parent(); current_entity = (HTTP_Entity*) entity->Parent();
@ -735,8 +735,8 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
{ {
if ( http_all_headers ) if ( http_all_headers )
analyzer->EnqueueConnEvent(http_all_headers, analyzer->EnqueueConnEvent(http_all_headers,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}, val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)} IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
); );
@ -746,8 +746,8 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
StringVal* subty = current_entity->ContentSubType(); StringVal* subty = current_entity->ContentSubType();
analyzer->EnqueueConnEvent(http_content_type, analyzer->EnqueueConnEvent(http_content_type,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}, val_mgr->Bool(is_orig),
IntrusivePtr{NewRef{}, ty}, IntrusivePtr{NewRef{}, ty},
IntrusivePtr{NewRef{}, subty} IntrusivePtr{NewRef{}, subty}
); );
@ -1172,13 +1172,13 @@ void HTTP_Analyzer::GenStats()
if ( http_stats ) if ( http_stats )
{ {
auto r = make_intrusive<RecordVal>(http_stats_rec); auto r = make_intrusive<RecordVal>(http_stats_rec);
r->Assign(0, val_mgr->GetCount(num_requests)); r->Assign(0, val_mgr->Count(num_requests));
r->Assign(1, val_mgr->GetCount(num_replies)); r->Assign(1, val_mgr->Count(num_replies));
r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE)); r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE));
r->Assign(3, make_intrusive<Val>(reply_version.ToDouble(), TYPE_DOUBLE)); r->Assign(3, make_intrusive<Val>(reply_version.ToDouble(), TYPE_DOUBLE));
// DEBUG_MSG("%.6f http_stats\n", network_time); // DEBUG_MSG("%.6f http_stats\n", network_time);
EnqueueConnEvent(http_stats, IntrusivePtr{AdoptRef{}, BuildConnVal()}, std::move(r)); EnqueueConnEvent(http_stats, ConnVal(), std::move(r));
} }
} }
@ -1378,7 +1378,7 @@ void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
if ( http_event ) if ( http_event )
// DEBUG_MSG("%.6f http_event\n", network_time); // DEBUG_MSG("%.6f http_event\n", network_time);
EnqueueConnEvent(http_event, EnqueueConnEvent(http_event,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(category), make_intrusive<StringVal>(category),
IntrusivePtr{AdoptRef{}, detail} IntrusivePtr{AdoptRef{}, detail}
); );
@ -1417,7 +1417,7 @@ void HTTP_Analyzer::HTTP_Request()
if ( http_request ) if ( http_request )
// DEBUG_MSG("%.6f http_request\n", network_time); // DEBUG_MSG("%.6f http_request\n", network_time);
EnqueueConnEvent(http_request, EnqueueConnEvent(http_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{NewRef{}, request_method}, IntrusivePtr{NewRef{}, request_method},
IntrusivePtr{AdoptRef{}, TruncateURI(request_URI->AsStringVal())}, IntrusivePtr{AdoptRef{}, TruncateURI(request_URI->AsStringVal())},
IntrusivePtr{AdoptRef{}, TruncateURI(unescaped_URI->AsStringVal())}, IntrusivePtr{AdoptRef{}, TruncateURI(unescaped_URI->AsStringVal())},
@ -1429,9 +1429,9 @@ void HTTP_Analyzer::HTTP_Reply()
{ {
if ( http_reply ) if ( http_reply )
EnqueueConnEvent(http_reply, EnqueueConnEvent(http_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(fmt("%.1f", reply_version.ToDouble())), make_intrusive<StringVal>(fmt("%.1f", reply_version.ToDouble())),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)}, val_mgr->Count(reply_code),
reply_reason_phrase ? reply_reason_phrase ?
IntrusivePtr{NewRef{}, reply_reason_phrase} : IntrusivePtr{NewRef{}, reply_reason_phrase} :
make_intrusive<StringVal>("<empty>") make_intrusive<StringVal>("<empty>")
@ -1506,7 +1506,7 @@ void HTTP_Analyzer::ReplyMade(bool interrupted, const char* msg)
if ( http_connection_upgrade ) if ( http_connection_upgrade )
EnqueueConnEvent(http_connection_upgrade, EnqueueConnEvent(http_connection_upgrade,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(upgrade_protocol) make_intrusive<StringVal>(upgrade_protocol)
); );
} }
@ -1670,8 +1670,9 @@ void HTTP_Analyzer::HTTP_Header(bool is_orig, mime::MIME_Header* h)
DEBUG_MSG("%.6f http_header\n", network_time); DEBUG_MSG("%.6f http_header\n", network_time);
EnqueueConnEvent(http_header, EnqueueConnEvent(http_header,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}, val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())},
IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())->ToUpper()}, IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())->ToUpper()},
IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_value())} IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_value())}
); );
@ -1682,9 +1683,9 @@ void HTTP_Analyzer::HTTP_EntityData(bool is_orig, BroString* entity_data)
{ {
if ( http_entity_data ) if ( http_entity_data )
EnqueueConnEvent(http_entity_data, EnqueueConnEvent(http_entity_data,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}, val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(entity_data->Len())}, val_mgr->Count(entity_data->Len()),
make_intrusive<StringVal>(entity_data) make_intrusive<StringVal>(entity_data)
); );
else else

5
src/analyzer/protocol/http/events.bif
View file

@ -54,7 +54,9 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
## ##
## is_orig: True if the header was sent by the originator of the TCP connection. ## is_orig: True if the header was sent by the originator of the TCP connection.
## ##
## name: The name of the header. ## original_name: The name of the header (unaltered).
##
## name: The name of the header (converted to all uppercase).
## ##
## value: The value of the header. ## value: The value of the header.
## ##
@ -64,6 +66,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
## ##
## .. note:: This event is also raised for headers found in nested body ## .. note:: This event is also raised for headers found in nested body
## entities. ## entities.
event http_header%(c: connection, is_orig: bool, original_name: string, name: string, value: string%);
event http_header%(c: connection, is_orig: bool, name: string, value: string%); event http_header%(c: connection, is_orig: bool, name: string, value: string%);
## Generated for HTTP headers, passing on all headers of an HTTP message at ## Generated for HTTP headers, passing on all headers of an HTTP message at

4
src/analyzer/protocol/http/functions.bif
View file

@ -31,7 +31,7 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any
else else
reporter->Error("no analyzer associated with connection record"); reporter->Error("no analyzer associated with connection record");
return 0; return nullptr;
%} %}
## Unescapes all characters in a URI (decode every ``%xx`` group). ## Unescapes all characters in a URI (decode every ``%xx`` group).
@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string
const u_char* line = URI->Bytes(); const u_char* line = URI->Bytes();
const u_char* const line_end = line + URI->Len(); const u_char* const line_end = line + URI->Len();
return new StringVal(analyzer::http::unescape_URI(line, line_end, 0)); return make_intrusive<StringVal>(analyzer::http::unescape_URI(line, line_end, 0));
%} %}

114
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -203,7 +203,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
{ {
if ( icmp_sent ) if ( icmp_sent )
EnqueueConnEvent(icmp_sent, EnqueueConnEvent(icmp_sent,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)} IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)}
); );
@ -212,7 +212,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
BroString* payload = new BroString(data, std::min(len, caplen), false); BroString* payload = new BroString(data, std::min(len, caplen), false);
EnqueueConnEvent(icmp_sent_payload, EnqueueConnEvent(icmp_sent_payload,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)}, IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)},
make_intrusive<StringVal>(payload) make_intrusive<StringVal>(payload)
); );
@ -228,11 +228,11 @@ RecordVal* ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len,
icmp_conn_val->Assign(0, make_intrusive<AddrVal>(Conn()->OrigAddr())); icmp_conn_val->Assign(0, make_intrusive<AddrVal>(Conn()->OrigAddr()));
icmp_conn_val->Assign(1, make_intrusive<AddrVal>(Conn()->RespAddr())); icmp_conn_val->Assign(1, make_intrusive<AddrVal>(Conn()->RespAddr()));
icmp_conn_val->Assign(2, val_mgr->GetCount(icmpp->icmp_type)); icmp_conn_val->Assign(2, val_mgr->Count(icmpp->icmp_type));
icmp_conn_val->Assign(3, val_mgr->GetCount(icmpp->icmp_code)); icmp_conn_val->Assign(3, val_mgr->Count(icmpp->icmp_code));
icmp_conn_val->Assign(4, val_mgr->GetCount(len)); icmp_conn_val->Assign(4, val_mgr->Count(len));
icmp_conn_val->Assign(5, val_mgr->GetCount(ip_hdr->TTL())); icmp_conn_val->Assign(5, val_mgr->Count(ip_hdr->TTL()));
icmp_conn_val->Assign(6, val_mgr->GetBool(icmpv6)); icmp_conn_val->Assign(6, val_mgr->Bool(icmpv6));
} }
Ref(icmp_conn_val); Ref(icmp_conn_val);
@ -355,18 +355,18 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
RecordVal* id_val = new RecordVal(conn_id); RecordVal* id_val = new RecordVal(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(src_addr)); id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, val_mgr->GetPort(src_port, proto)); id_val->Assign(1, val_mgr->Port(src_port, proto));
id_val->Assign(2, make_intrusive<AddrVal>(dst_addr)); id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->GetPort(dst_port, proto)); id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, id_val); iprec->Assign(0, id_val);
iprec->Assign(1, val_mgr->GetCount(ip_len)); iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->GetCount(proto)); iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, val_mgr->GetCount(frag_offset)); iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->GetBool(bad_hdr_len)); iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
iprec->Assign(5, val_mgr->GetBool(bad_checksum)); iprec->Assign(5, val_mgr->Bool(bad_checksum));
iprec->Assign(6, val_mgr->GetBool(MF)); iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->GetBool(DF)); iprec->Assign(7, val_mgr->Bool(DF));
return iprec; return iprec;
} }
@ -414,19 +414,19 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
RecordVal* id_val = new RecordVal(conn_id); RecordVal* id_val = new RecordVal(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(src_addr)); id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, val_mgr->GetPort(src_port, proto)); id_val->Assign(1, val_mgr->Port(src_port, proto));
id_val->Assign(2, make_intrusive<AddrVal>(dst_addr)); id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->GetPort(dst_port, proto)); id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, id_val); iprec->Assign(0, id_val);
iprec->Assign(1, val_mgr->GetCount(ip_len)); iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->GetCount(proto)); iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, val_mgr->GetCount(frag_offset)); iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->GetBool(bad_hdr_len)); iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
// bad_checksum is always false since IPv6 layer doesn't have a checksum. // bad_checksum is always false since IPv6 layer doesn't have a checksum.
iprec->Assign(5, val_mgr->GetFalse()); iprec->Assign(5, val_mgr->False());
iprec->Assign(6, val_mgr->GetBool(MF)); iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->GetBool(DF)); iprec->Assign(7, val_mgr->Bool(DF));
return iprec; return iprec;
} }
@ -474,14 +474,14 @@ void ICMP_Analyzer::UpdateEndpointVal(RecordVal* endp, bool is_orig)
int size = is_orig ? request_len : reply_len; int size = is_orig ? request_len : reply_len;
if ( size < 0 ) if ( size < 0 )
{ {
endp->Assign(0, val_mgr->GetCount(0)); endp->Assign(0, val_mgr->Count(0));
endp->Assign(1, val_mgr->GetCount(int(ICMP_INACTIVE))); endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE)));
} }
else else
{ {
endp->Assign(0, val_mgr->GetCount(size)); endp->Assign(0, val_mgr->Count(size));
endp->Assign(1, val_mgr->GetCount(int(ICMP_ACTIVE))); endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE)));
} }
} }
@ -515,10 +515,10 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
BroString* payload = new BroString(data, caplen, false); BroString* payload = new BroString(data, caplen, false);
EnqueueConnEvent(f, EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)}, IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iid)}, val_mgr->Count(iid),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iseq)}, val_mgr->Count(iseq),
make_intrusive<StringVal>(payload) make_intrusive<StringVal>(payload)
); );
} }
@ -543,15 +543,15 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(reachable) + sizeof(retrans); int opt_offset = sizeof(reachable) + sizeof(retrans);
EnqueueConnEvent(f, EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)}, IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_num_addrs)}, // Cur Hop Limit val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x80)}, // Managed val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x40)}, // Other val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x20)}, // Home Agent val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent
IntrusivePtr{AdoptRef{}, val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)}, // Pref val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x04)}, // Proxy val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_wpa & 0x02)}, // Reserved val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved
make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds), make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds), make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds), make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
@ -576,11 +576,11 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
EnqueueConnEvent(f, EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)}, IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)}, // Router val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)}, // Solicited val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)}, // Override val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
make_intrusive<AddrVal>(tgtaddr), make_intrusive<AddrVal>(tgtaddr),
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)} IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
); );
@ -603,7 +603,7 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr); int opt_offset = sizeof(in6_addr);
EnqueueConnEvent(f, EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)}, IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
make_intrusive<AddrVal>(tgtaddr), make_intrusive<AddrVal>(tgtaddr),
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)} IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
@ -630,7 +630,7 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int opt_offset = 2 * sizeof(in6_addr); int opt_offset = 2 * sizeof(in6_addr);
EnqueueConnEvent(f, EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)}, IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
make_intrusive<AddrVal>(tgtaddr), make_intrusive<AddrVal>(tgtaddr),
make_intrusive<AddrVal>(dstaddr), make_intrusive<AddrVal>(dstaddr),
@ -648,7 +648,7 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
return; return;
EnqueueConnEvent(f, EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)}, IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen, data)} IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen, data)}
); );
@ -673,9 +673,9 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
if ( f ) if ( f )
EnqueueConnEvent(f, EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 0, ip_hdr)}, IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 0, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)}, val_mgr->Count(icmpp->icmp_code),
IntrusivePtr{AdoptRef{}, ExtractICMP4Context(caplen, data)} IntrusivePtr{AdoptRef{}, ExtractICMP4Context(caplen, data)}
); );
} }
@ -711,9 +711,9 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
if ( f ) if ( f )
EnqueueConnEvent(f, EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)}, IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)}, val_mgr->Count(icmpp->icmp_code),
IntrusivePtr{AdoptRef{}, ExtractICMP6Context(caplen, data)} IntrusivePtr{AdoptRef{}, ExtractICMP6Context(caplen, data)}
); );
} }
@ -752,8 +752,8 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
} }
RecordVal* rv = new RecordVal(icmp6_nd_option_type); RecordVal* rv = new RecordVal(icmp6_nd_option_type);
rv->Assign(0, val_mgr->GetCount(type)); rv->Assign(0, val_mgr->Count(type));
rv->Assign(1, val_mgr->GetCount(length)); rv->Assign(1, val_mgr->Count(length));
// Adjust length to be in units of bytes, exclude type/length fields. // Adjust length to be in units of bytes, exclude type/length fields.
length = length * 8 - 2; length = length * 8 - 2;
@ -792,9 +792,9 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
uint32_t valid_life = *((const uint32_t*)(data + 2)); uint32_t valid_life = *((const uint32_t*)(data + 2));
uint32_t prefer_life = *((const uint32_t*)(data + 6)); uint32_t prefer_life = *((const uint32_t*)(data + 6));
in6_addr prefix = *((const in6_addr*)(data + 14)); in6_addr prefix = *((const in6_addr*)(data + 14));
info->Assign(0, val_mgr->GetCount(prefix_len)); info->Assign(0, val_mgr->Count(prefix_len));
info->Assign(1, val_mgr->GetBool(L_flag)); info->Assign(1, val_mgr->Bool(L_flag));
info->Assign(2, val_mgr->GetBool(A_flag)); info->Assign(2, val_mgr->Bool(A_flag));
info->Assign(3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds)); info->Assign(3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds));
info->Assign(4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds)); info->Assign(4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds));
info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix))); info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
@ -825,7 +825,7 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
// MTU option // MTU option
{ {
if ( caplen >= 6 ) if ( caplen >= 6 )
rv->Assign(5, val_mgr->GetCount(ntohl(*((const uint32_t*)(data + 2))))); rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
else else
set_payload_field = true; set_payload_field = true;

22
src/analyzer/protocol/ident/Ident.cc
View file

@ -85,9 +85,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
} }
EnqueueConnEvent(ident_request, EnqueueConnEvent(ident_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)}, val_mgr->Port(local_port, TRANSPORT_TCP),
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)} val_mgr->Port(remote_port, TRANSPORT_TCP)
); );
did_deliver = true; did_deliver = true;
@ -146,9 +146,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
{ {
if ( ident_error ) if ( ident_error )
EnqueueConnEvent(ident_error, EnqueueConnEvent(ident_error,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)}, val_mgr->Port(local_port, TRANSPORT_TCP),
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)}, val_mgr->Port(remote_port, TRANSPORT_TCP),
make_intrusive<StringVal>(end_of_line - line, line) make_intrusive<StringVal>(end_of_line - line, line)
); );
} }
@ -179,9 +179,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = skip_whitespace(colon + 1, end_of_line); line = skip_whitespace(colon + 1, end_of_line);
EnqueueConnEvent(ident_reply, EnqueueConnEvent(ident_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)}, val_mgr->Port(local_port, TRANSPORT_TCP),
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)}, val_mgr->Port(remote_port, TRANSPORT_TCP),
make_intrusive<StringVal>(end_of_line - line, line), make_intrusive<StringVal>(end_of_line - line, line),
make_intrusive<StringVal>(sys_type_s) make_intrusive<StringVal>(sys_type_s)
); );
@ -215,7 +215,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
int n = 0; int n = 0;
line = skip_whitespace(line, end_of_line); line = skip_whitespace(line, end_of_line);
if ( ! isdigit(*line) ) if ( line >= end_of_line || ! isdigit(*line) )
return nullptr; return nullptr;
const char* l = line; const char* l = line;
@ -225,7 +225,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
n = n * 10 + (*line - '0'); n = n * 10 + (*line - '0');
++line; ++line;
} }
while ( isdigit(*line) ); while ( line < end_of_line && isdigit(*line) );
line = skip_whitespace(line, end_of_line); line = skip_whitespace(line, end_of_line);

7
src/analyzer/protocol/imap/imap-analyzer.pac
View file

@ -45,7 +45,7 @@ refine connection IMAP_Conn += {
bro_analyzer()->StartTLS(); bro_analyzer()->StartTLS();
if ( imap_starttls ) if ( imap_starttls )
BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn()); BifEvent::enqueue_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
} }
else else
reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS"); reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
@ -59,14 +59,15 @@ refine connection IMAP_Conn += {
if ( ! imap_capabilities ) if ( ! imap_capabilities )
return true; return true;
VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType()); auto capv = make_intrusive<VectorVal>(internal_type("string_vec")->AsVectorType());
for ( unsigned int i = 0; i< capabilities->size(); i++ ) for ( unsigned int i = 0; i< capabilities->size(); i++ )
{ {
const bytestring& capability = (*capabilities)[i]->cap(); const bytestring& capability = (*capabilities)[i]->cap();
capv->Assign(i, make_intrusive<StringVal>(capability.length(), (const char*)capability.data())); capv->Assign(i, make_intrusive<StringVal>(capability.length(), (const char*)capability.data()));
} }
BifEvent::generate_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), capv); BifEvent::enqueue_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), std::move(capv));
return true; return true;
%} %}

176
src/analyzer/protocol/irc/IRC.cc
View file

@ -235,11 +235,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
EnqueueConnEvent(irc_network_info, EnqueueConnEvent(irc_network_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)}, val_mgr->Int(users),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)}, val_mgr->Int(services),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)} val_mgr->Int(servers)
); );
} }
break; break;
@ -282,8 +282,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
EnqueueConnEvent(irc_names_info, EnqueueConnEvent(irc_names_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(type.c_str()), make_intrusive<StringVal>(type.c_str()),
make_intrusive<StringVal>(channel.c_str()), make_intrusive<StringVal>(channel.c_str()),
std::move(set) std::move(set)
@ -316,11 +316,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
EnqueueConnEvent(irc_server_info, EnqueueConnEvent(irc_server_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)}, val_mgr->Int(users),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)}, val_mgr->Int(services),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)} val_mgr->Int(servers)
); );
} }
break; break;
@ -338,9 +338,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
channels = atoi(parts[i - 1].c_str()); channels = atoi(parts[i - 1].c_str());
EnqueueConnEvent(irc_channel_info, EnqueueConnEvent(irc_channel_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(channels)} val_mgr->Int(channels)
); );
} }
break; break;
@ -370,8 +370,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
EnqueueConnEvent(irc_global_users, EnqueueConnEvent(irc_global_users,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(eop - prefix, prefix), make_intrusive<StringVal>(eop - prefix, prefix),
make_intrusive<StringVal>(++msg) make_intrusive<StringVal>(++msg)
); );
@ -396,8 +396,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
zeek::Args vl; zeek::Args vl;
vl.reserve(6); vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig)); vl.emplace_back(val_mgr->Bool(orig));
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
@ -435,8 +435,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
EnqueueConnEvent(irc_whois_operator_line, EnqueueConnEvent(irc_whois_operator_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str()) make_intrusive<StringVal>(parts[0].c_str())
); );
} }
@ -473,8 +473,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
EnqueueConnEvent(irc_whois_channel_line, EnqueueConnEvent(irc_whois_channel_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(nick.c_str()), make_intrusive<StringVal>(nick.c_str()),
std::move(set) std::move(set)
); );
@ -504,8 +504,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
++t; ++t;
EnqueueConnEvent(irc_channel_topic, EnqueueConnEvent(irc_channel_topic,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[1].c_str()), make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(t) make_intrusive<StringVal>(t)
); );
@ -538,8 +538,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[7] = parts[7].substr(1); parts[7] = parts[7].substr(1);
EnqueueConnEvent(irc_who_line, EnqueueConnEvent(irc_who_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str()), make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str()), make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(parts[2].c_str()), make_intrusive<StringVal>(parts[2].c_str()),
@ -547,7 +547,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
make_intrusive<StringVal>(parts[4].c_str()), make_intrusive<StringVal>(parts[4].c_str()),
make_intrusive<StringVal>(parts[5].c_str()), make_intrusive<StringVal>(parts[5].c_str()),
make_intrusive<StringVal>(parts[6].c_str()), make_intrusive<StringVal>(parts[6].c_str()),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(atoi(parts[7].c_str()))}, val_mgr->Int(atoi(parts[7].c_str())),
make_intrusive<StringVal>(parts[8].c_str()) make_intrusive<StringVal>(parts[8].c_str())
); );
} }
@ -560,8 +560,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 436: case 436:
if ( irc_invalid_nick ) if ( irc_invalid_nick )
EnqueueConnEvent(irc_invalid_nick, EnqueueConnEvent(irc_invalid_nick,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)} val_mgr->Bool(orig)
); );
break; break;
@ -570,9 +570,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 491: // user is not operator case 491: // user is not operator
if ( irc_oper_response ) if ( irc_oper_response )
EnqueueConnEvent(irc_oper_response, EnqueueConnEvent(irc_oper_response,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(code == 381)} val_mgr->Bool(code == 381)
); );
break; break;
@ -585,10 +585,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
default: default:
if ( irc_reply ) if ( irc_reply )
EnqueueConnEvent(irc_reply, EnqueueConnEvent(irc_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(code)}, val_mgr->Count(code),
make_intrusive<StringVal>(params.c_str()) make_intrusive<StringVal>(params.c_str())
); );
break; break;
@ -656,17 +656,15 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_dcc_message ) if ( irc_dcc_message )
EnqueueConnEvent(irc_dcc_message, EnqueueConnEvent(irc_dcc_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()), make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(parts[1].c_str()), make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(parts[2].c_str()), make_intrusive<StringVal>(parts[2].c_str()),
make_intrusive<AddrVal>(htonl(raw_ip)), make_intrusive<AddrVal>(htonl(raw_ip)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(atoi(parts[4].c_str()))}, val_mgr->Count(atoi(parts[4].c_str())),
IntrusivePtr{AdoptRef{}, parts.size() >= 6 ? parts.size() >= 6 ? val_mgr->Count(atoi(parts[5].c_str())) : val_mgr->Count(0)
val_mgr->GetCount(atoi(parts[5].c_str())) :
val_mgr->GetCount(0)}
); );
} }
@ -674,8 +672,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
if ( irc_privmsg_message ) if ( irc_privmsg_message )
EnqueueConnEvent(irc_privmsg_message, EnqueueConnEvent(irc_privmsg_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()), make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
@ -699,8 +697,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
message = message.substr(1); message = message.substr(1);
EnqueueConnEvent(irc_notice_message, EnqueueConnEvent(irc_notice_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()), make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
@ -723,8 +721,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
message = message.substr(1); message = message.substr(1);
EnqueueConnEvent(irc_squery_message, EnqueueConnEvent(irc_squery_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()), make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
@ -737,20 +735,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vector<string> parts = SplitWords(params, ' '); vector<string> parts = SplitWords(params, ' ');
zeek::Args vl; zeek::Args vl;
vl.reserve(6); vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig)); vl.emplace_back(val_mgr->Bool(orig));
if ( parts.size() > 0 ) if ( parts.size() > 0 )
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString()); else vl.emplace_back(val_mgr->EmptyString());
if ( parts.size() > 1 ) if ( parts.size() > 1 )
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString()); else vl.emplace_back(val_mgr->EmptyString());
if ( parts.size() > 2 ) if ( parts.size() > 2 )
vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString()); else vl.emplace_back(val_mgr->EmptyString());
string realname; string realname;
for ( unsigned int i = 3; i < parts.size(); i++ ) for ( unsigned int i = 3; i < parts.size(); i++ )
@ -772,8 +770,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vector<string> parts = SplitWords(params, ' '); vector<string> parts = SplitWords(params, ' ');
if ( parts.size() == 2 ) if ( parts.size() == 2 )
EnqueueConnEvent(irc_oper_message, EnqueueConnEvent(irc_oper_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str()), make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str()) make_intrusive<StringVal>(parts[1].c_str())
); );
@ -794,8 +792,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
zeek::Args vl; zeek::Args vl;
vl.reserve(6); vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig)); vl.emplace_back(val_mgr->Bool(orig));
vl.emplace_back(make_intrusive<StringVal>(prefix.c_str())); vl.emplace_back(make_intrusive<StringVal>(prefix.c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str())); vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
@ -812,7 +810,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vl.emplace_back(make_intrusive<StringVal>(comment.c_str())); vl.emplace_back(make_intrusive<StringVal>(comment.c_str()));
} }
else else
vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString()); vl.emplace_back(val_mgr->EmptyString());
EnqueueConnEvent(irc_kick_message, std::move(vl)); EnqueueConnEvent(irc_kick_message, std::move(vl));
} }
@ -863,8 +861,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
EnqueueConnEvent(irc_join_message, EnqueueConnEvent(irc_join_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
std::move(list) std::move(list)
); );
} }
@ -923,8 +921,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
EnqueueConnEvent(irc_join_message, EnqueueConnEvent(irc_join_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
std::move(list) std::move(list)
); );
} }
@ -962,8 +960,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
EnqueueConnEvent(irc_part_message, EnqueueConnEvent(irc_part_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(nick.c_str()), make_intrusive<StringVal>(nick.c_str()),
std::move(set), std::move(set),
make_intrusive<StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
@ -985,8 +983,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
EnqueueConnEvent(irc_quit_message, EnqueueConnEvent(irc_quit_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(nickname.c_str()), make_intrusive<StringVal>(nickname.c_str()),
make_intrusive<StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
); );
@ -999,8 +997,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nick = nick.substr(1); nick = nick.substr(1);
EnqueueConnEvent(irc_nick_message, EnqueueConnEvent(irc_nick_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(nick.c_str()) make_intrusive<StringVal>(nick.c_str())
); );
@ -1024,12 +1022,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[0] = parts[0].substr(1); parts[0] = parts[0].substr(1);
EnqueueConnEvent(irc_who_message, EnqueueConnEvent(irc_who_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
parts.size() > 0 ? parts.size() > 0 ?
make_intrusive<StringVal>(parts[0].c_str()) : make_intrusive<StringVal>(parts[0].c_str()) :
IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()}, val_mgr->EmptyString(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(oper)} val_mgr->Bool(oper)
); );
} }
@ -1054,8 +1052,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
users = parts[0]; users = parts[0];
EnqueueConnEvent(irc_whois_message, EnqueueConnEvent(irc_whois_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(server.c_str()), make_intrusive<StringVal>(server.c_str()),
make_intrusive<StringVal>(users.c_str()) make_intrusive<StringVal>(users.c_str())
); );
@ -1067,8 +1065,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
params = params.substr(1); params = params.substr(1);
EnqueueConnEvent(irc_error_message, EnqueueConnEvent(irc_error_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(params.c_str()) make_intrusive<StringVal>(params.c_str())
); );
@ -1083,8 +1081,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[1] = parts[1].substr(1); parts[1] = parts[1].substr(1);
EnqueueConnEvent(irc_invite_message, EnqueueConnEvent(irc_invite_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(parts[0].c_str()), make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str()) make_intrusive<StringVal>(parts[1].c_str())
@ -1098,8 +1096,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
if ( params.size() > 0 ) if ( params.size() > 0 )
EnqueueConnEvent(irc_mode_message, EnqueueConnEvent(irc_mode_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(params.c_str()) make_intrusive<StringVal>(params.c_str())
); );
@ -1111,8 +1109,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else if ( irc_password_message && command == "PASS" ) else if ( irc_password_message && command == "PASS" )
{ {
EnqueueConnEvent(irc_password_message, EnqueueConnEvent(irc_password_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(params.c_str()) make_intrusive<StringVal>(params.c_str())
); );
} }
@ -1133,8 +1131,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
} }
EnqueueConnEvent(irc_squit_message, EnqueueConnEvent(irc_squit_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(server.c_str()), make_intrusive<StringVal>(server.c_str()),
make_intrusive<StringVal>(message.c_str()) make_intrusive<StringVal>(message.c_str())
@ -1147,8 +1145,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_request ) if ( irc_request )
{ {
EnqueueConnEvent(irc_request, EnqueueConnEvent(irc_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(command.c_str()), make_intrusive<StringVal>(command.c_str()),
make_intrusive<StringVal>(params.c_str()) make_intrusive<StringVal>(params.c_str())
@ -1161,8 +1159,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_message ) if ( irc_message )
{ {
EnqueueConnEvent(irc_message, EnqueueConnEvent(irc_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}, val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()), make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(command.c_str()), make_intrusive<StringVal>(command.c_str()),
make_intrusive<StringVal>(params.c_str()) make_intrusive<StringVal>(params.c_str())
@ -1196,7 +1194,7 @@ void IRC_Analyzer::StartTLS()
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
if ( irc_starttls ) if ( irc_starttls )
EnqueueConnEvent(irc_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()}); EnqueueConnEvent(irc_starttls, ConnVal());
} }
vector<string> IRC_Analyzer::SplitWords(const string& input, char split) vector<string> IRC_Analyzer::SplitWords(const string& input, char split)

6
src/analyzer/protocol/krb/KRB.cc
View file

@ -87,7 +87,9 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
} }
} }
StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) IntrusivePtr<StringVal> KRB_Analyzer::GetAuthenticationInfo(const BroString* principal,
const BroString* ciphertext,
const bro_uint_t enctype)
{ {
#ifdef USE_KRB5 #ifdef USE_KRB5
if ( !krb_available ) if ( !krb_available )
@ -145,7 +147,7 @@ StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const
return nullptr; return nullptr;
} }
StringVal* ret = new StringVal(cp); auto ret = make_intrusive<StringVal>(cp);
krb5_free_unparsed_name(krb_context, cp); krb5_free_unparsed_name(krb_context, cp);
krb5_free_ticket(krb_context, tkt); krb5_free_ticket(krb_context, tkt);

4
src/analyzer/protocol/krb/KRB.h
View file

@ -25,7 +25,9 @@ public:
static analyzer::Analyzer* Instantiate(Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); } { return new KRB_Analyzer(conn); }
StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype); IntrusivePtr<StringVal> GetAuthenticationInfo(const BroString* principal,
const BroString* ciphertext,
const bro_uint_t enctype);
protected: protected:

5
src/analyzer/protocol/krb/KRB_TCP.h
View file

@ -21,7 +21,10 @@ public:
// Overriden from tcp::TCP_ApplicationAnalyzer. // Overriden from tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override; void EndpointEOF(bool is_orig) override;
StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) { return val_mgr->GetEmptyString(); } IntrusivePtr<StringVal> GetAuthenticationInfo(const BroString* principal,
const BroString* ciphertext,
const bro_uint_t enctype)
{ return val_mgr->EmptyString(); }
static analyzer::Analyzer* Instantiate(Connection* conn) static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); } { return new KRB_Analyzer(conn); }

84
src/analyzer/protocol/krb/krb-analyzer.pac
View file

@ -10,19 +10,19 @@ RecordVal* proc_krb_kdc_options(const KRB_KDC_Options* opts)
{ {
RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Options); RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Options);
rv->Assign(0, val_mgr->GetBool(opts->forwardable())); rv->Assign(0, val_mgr->Bool(opts->forwardable()));
rv->Assign(1, val_mgr->GetBool(opts->forwarded())); rv->Assign(1, val_mgr->Bool(opts->forwarded()));
rv->Assign(2, val_mgr->GetBool(opts->proxiable())); rv->Assign(2, val_mgr->Bool(opts->proxiable()));
rv->Assign(3, val_mgr->GetBool(opts->proxy())); rv->Assign(3, val_mgr->Bool(opts->proxy()));
rv->Assign(4, val_mgr->GetBool(opts->allow_postdate())); rv->Assign(4, val_mgr->Bool(opts->allow_postdate()));
rv->Assign(5, val_mgr->GetBool(opts->postdated())); rv->Assign(5, val_mgr->Bool(opts->postdated()));
rv->Assign(6, val_mgr->GetBool(opts->renewable())); rv->Assign(6, val_mgr->Bool(opts->renewable()));
rv->Assign(7, val_mgr->GetBool(opts->opt_hardware_auth())); rv->Assign(7, val_mgr->Bool(opts->opt_hardware_auth()));
rv->Assign(8, val_mgr->GetBool(opts->disable_transited_check())); rv->Assign(8, val_mgr->Bool(opts->disable_transited_check()));
rv->Assign(9, val_mgr->GetBool(opts->renewable_ok())); rv->Assign(9, val_mgr->Bool(opts->renewable_ok()));
rv->Assign(10, val_mgr->GetBool(opts->enc_tkt_in_skey())); rv->Assign(10, val_mgr->Bool(opts->enc_tkt_in_skey()));
rv->Assign(11, val_mgr->GetBool(opts->renew())); rv->Assign(11, val_mgr->Bool(opts->renew()));
rv->Assign(12, val_mgr->GetBool(opts->validate())); rv->Assign(12, val_mgr->Bool(opts->validate()));
return rv; return rv;
} }
@ -49,7 +49,7 @@ RecordVal* proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyzer bro_an
rv->Assign(4, GetStringFromPrincipalName(element->data()->principal())); rv->Assign(4, GetStringFromPrincipalName(element->data()->principal()));
break; break;
case 2: case 2:
rv->Assign(5, bytestring_to_val(element->data()->realm()->encoding()->content())); rv->Assign(5, to_stringval(element->data()->realm()->encoding()->content()));
break; break;
case 3: case 3:
rv->Assign(6, GetStringFromPrincipalName(element->data()->sname())); rv->Assign(6, GetStringFromPrincipalName(element->data()->sname()));
@ -139,19 +139,19 @@ bool proc_error_arguments(RecordVal* rv, const std::vector<KRB_ERROR_Arg*>* args
break; break;
// ctime/stime handled above // ctime/stime handled above
case 7: case 7:
rv->Assign(5, bytestring_to_val((*args)[i]->args()->crealm()->encoding()->content())); rv->Assign(5, to_stringval((*args)[i]->args()->crealm()->encoding()->content()));
break; break;
case 8: case 8:
rv->Assign(6, GetStringFromPrincipalName((*args)[i]->args()->cname())); rv->Assign(6, GetStringFromPrincipalName((*args)[i]->args()->cname()));
break; break;
case 9: case 9:
rv->Assign(7, bytestring_to_val((*args)[i]->args()->realm()->encoding()->content())); rv->Assign(7, to_stringval((*args)[i]->args()->realm()->encoding()->content()));
break; break;
case 10: case 10:
rv->Assign(8, GetStringFromPrincipalName((*args)[i]->args()->sname())); rv->Assign(8, GetStringFromPrincipalName((*args)[i]->args()->sname()));
break; break;
case 11: case 11:
rv->Assign(9, bytestring_to_val((*args)[i]->args()->e_text()->encoding()->content())); rv->Assign(9, to_stringval((*args)[i]->args()->e_text()->encoding()->content()));
break; break;
case 12: case 12:
if ( error_code == KDC_ERR_PREAUTH_REQUIRED ) if ( error_code == KDC_ERR_PREAUTH_REQUIRED )
@ -180,7 +180,7 @@ refine connection KRB_Conn += {
return false; return false;
RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer()); RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
BifEvent::generate_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), rv); BifEvent::enqueue_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), {AdoptRef{}, rv});
return true; return true;
} }
@ -190,7 +190,7 @@ refine connection KRB_Conn += {
return false; return false;
RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer()); RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
BifEvent::generate_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), rv); BifEvent::enqueue_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), {AdoptRef{}, rv});
return true; return true;
} }
@ -201,9 +201,9 @@ refine connection KRB_Conn += {
%{ %{
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
auto msg_type = binary_to_int64(${msg.msg_type.data.content}); auto msg_type = binary_to_int64(${msg.msg_type.data.content});
auto make_arg = [this, msg]() -> RecordVal* auto make_arg = [this, msg]() -> IntrusivePtr<RecordVal>
{ {
RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Response); auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::KDC_Response);
rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT)); rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT));
rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT)); rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT));
@ -211,7 +211,7 @@ refine connection KRB_Conn += {
if ( ${msg.padata.has_padata} ) if ( ${msg.padata.has_padata} )
rv->Assign(2, proc_padata(${msg.padata.padata.padata}, bro_analyzer(), false)); rv->Assign(2, proc_padata(${msg.padata.padata.padata}, bro_analyzer(), false));
rv->Assign(3, bytestring_to_val(${msg.client_realm.encoding.content})); rv->Assign(3, to_stringval(${msg.client_realm.encoding.content}));
rv->Assign(4, GetStringFromPrincipalName(${msg.client_name})); rv->Assign(4, GetStringFromPrincipalName(${msg.client_name}));
rv->Assign(5, proc_ticket(${msg.ticket})); rv->Assign(5, proc_ticket(${msg.ticket}));
@ -223,7 +223,7 @@ refine connection KRB_Conn += {
if ( ! krb_as_response ) if ( ! krb_as_response )
return false; return false;
BifEvent::generate_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg()); BifEvent::enqueue_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
return true; return true;
} }
@ -232,7 +232,7 @@ refine connection KRB_Conn += {
if ( ! krb_tgs_response ) if ( ! krb_tgs_response )
return false; return false;
BifEvent::generate_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg()); BifEvent::enqueue_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
return true; return true;
} }
@ -244,11 +244,11 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
if ( krb_error ) if ( krb_error )
{ {
RecordVal* rv = new RecordVal(BifType::Record::KRB::Error_Msg); auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::Error_Msg);
proc_error_arguments(rv, ${msg.args1}, 0); proc_error_arguments(rv.get(), ${msg.args1}, 0);
rv->Assign(4, asn1_integer_to_val(${msg.error_code}, TYPE_COUNT)); rv->Assign(4, asn1_integer_to_val(${msg.error_code}, TYPE_COUNT));
proc_error_arguments(rv, ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content})); proc_error_arguments(rv.get(), ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content}));
BifEvent::generate_krb_error(bro_analyzer(), bro_analyzer()->Conn(), rv); BifEvent::enqueue_krb_error(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv));
} }
return true; return true;
%} %}
@ -258,16 +258,18 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
if ( krb_ap_request ) if ( krb_ap_request )
{ {
RecordVal* rv = new RecordVal(BifType::Record::KRB::AP_Options); auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::AP_Options);
rv->Assign(0, val_mgr->GetBool(${msg.ap_options.use_session_key})); rv->Assign(0, val_mgr->Bool(${msg.ap_options.use_session_key}));
rv->Assign(1, val_mgr->GetBool(${msg.ap_options.mutual_required})); rv->Assign(1, val_mgr->Bool(${msg.ap_options.mutual_required}));
auto rvticket = proc_ticket(${msg.ticket});
auto authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount());
RecordVal* rvticket = proc_ticket(${msg.ticket});
StringVal* authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount());
if ( authenticationinfo ) if ( authenticationinfo )
rvticket->Assign(5, authenticationinfo); rvticket->Assign(5, authenticationinfo);
BifEvent::generate_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
rvticket, rv); BifEvent::enqueue_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
std::move(rvticket), std::move(rv));
} }
return true; return true;
%} %}
@ -277,7 +279,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
if ( krb_ap_response ) if ( krb_ap_response )
{ {
BifEvent::generate_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn()); BifEvent::enqueue_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn());
} }
return true; return true;
%} %}
@ -287,7 +289,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
if ( krb_safe ) if ( krb_safe )
{ {
RecordVal* rv = new RecordVal(BifType::Record::KRB::SAFE_Msg); auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::SAFE_Msg);
rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT)); rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT));
rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT)); rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT));
@ -320,7 +322,7 @@ refine connection KRB_Conn += {
switch ( ${msg.safe_body.args[i].seq_meta.index} ) switch ( ${msg.safe_body.args[i].seq_meta.index} )
{ {
case 0: case 0:
rv->Assign(3, bytestring_to_val(${msg.safe_body.args[i].args.user_data.encoding.content})); rv->Assign(3, to_stringval(${msg.safe_body.args[i].args.user_data.encoding.content}));
break; break;
case 3: case 3:
rv->Assign(5, asn1_integer_to_val(${msg.safe_body.args[i].args.seq_number}, TYPE_COUNT)); rv->Assign(5, asn1_integer_to_val(${msg.safe_body.args[i].args.seq_number}, TYPE_COUNT));
@ -335,7 +337,7 @@ refine connection KRB_Conn += {
break; break;
} }
} }
BifEvent::generate_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, rv); BifEvent::enqueue_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, std::move(rv));
} }
return true; return true;
%} %}
@ -345,7 +347,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
if ( krb_priv ) if ( krb_priv )
{ {
BifEvent::generate_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}); BifEvent::enqueue_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig});
} }
return true; return true;
%} %}
@ -355,7 +357,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation(); bro_analyzer()->ProtocolConfirmation();
if ( krb_cred ) if ( krb_cred )
{ {
BifEvent::generate_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, BifEvent::enqueue_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig},
proc_tickets(${msg.tickets})); proc_tickets(${msg.tickets}));
} }
return true; return true;

17
src/analyzer/protocol/krb/krb-asn1.pac
View file

@ -2,21 +2,20 @@
%include ../asn1/asn1.pac %include ../asn1/asn1.pac
%header{ %header{
Val* GetTimeFromAsn1(const KRB_Time* atime, int64 usecs); IntrusivePtr<Val> GetTimeFromAsn1(const KRB_Time* atime, int64 usecs);
Val* GetTimeFromAsn1(StringVal* atime, int64 usecs); IntrusivePtr<Val> GetTimeFromAsn1(StringVal* atime, int64 usecs);
%} %}
%code{ %code{
Val* GetTimeFromAsn1(const KRB_Time* atime, int64 usecs) IntrusivePtr<Val> GetTimeFromAsn1(const KRB_Time* atime, int64 usecs)
{ {
StringVal* atime_bytestring = bytestring_to_val(atime->time()); auto atime_bytestring = to_stringval(atime->time());
Val* result = GetTimeFromAsn1(atime_bytestring, usecs); auto result = GetTimeFromAsn1(atime_bytestring.get(), usecs);
Unref(atime_bytestring);
return result; return result;
} }
Val* GetTimeFromAsn1(StringVal* atime, int64 usecs) IntrusivePtr<Val> GetTimeFromAsn1(StringVal* atime, int64 usecs)
{ {
time_t lResult = 0; time_t lResult = 0;
@ -27,7 +26,7 @@ Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
char * pString = (char *) atime->Bytes(); char * pString = (char *) atime->Bytes();
if ( lTimeLength != 15 && lTimeLength != 17 ) if ( lTimeLength != 15 && lTimeLength != 17 )
return 0; return nullptr;
if (lTimeLength == 17 ) if (lTimeLength == 17 )
pString = pString + 2; pString = pString + 2;
@ -52,7 +51,7 @@ Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
if ( !lResult ) if ( !lResult )
lResult = 0; lResult = 0;
return new Val(double(lResult + double(usecs/100000.0)), TYPE_TIME); return make_intrusive<Val>(double(lResult + double(usecs/100000.0)), TYPE_TIME);
} }
%} %}

16
src/analyzer/protocol/krb/krb-padata.pac
View file

@ -37,24 +37,24 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
case PA_PW_SALT: case PA_PW_SALT:
{ {
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value); RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type())); type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pa_pw_salt()->encoding()->content())); type_val->Assign(1, to_stringval(element->pa_data_element()->pa_pw_salt()->encoding()->content()));
vv->Assign(vv->Size(), type_val); vv->Assign(vv->Size(), type_val);
break; break;
} }
case PA_ENCTYPE_INFO: case PA_ENCTYPE_INFO:
{ {
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value); RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type())); type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pf_enctype_info()->salt())); type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info()->salt()));
vv->Assign(vv->Size(), type_val); vv->Assign(vv->Size(), type_val);
break; break;
} }
case PA_ENCTYPE_INFO2: case PA_ENCTYPE_INFO2:
{ {
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value); RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type())); type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pf_enctype_info2()->salt())); type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info2()->salt()));
vv->Assign(vv->Size(), type_val); vv->Assign(vv->Size(), type_val);
break; break;
} }
@ -111,8 +111,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
if ( ! is_error && element->pa_data_element()->unknown()->meta()->length() > 0 ) if ( ! is_error && element->pa_data_element()->unknown()->meta()->length() > 0 )
{ {
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value); RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type())); type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->unknown()->content())); type_val->Assign(1, to_stringval(element->pa_data_element()->unknown()->content()));
vv->Assign(vv->Size(), type_val); vv->Assign(vv->Size(), type_val);
} }
break; break;

41
src/analyzer/protocol/krb/krb-types.pac
View file

@ -1,28 +1,28 @@
# Fundamental KRB types # Fundamental KRB types
%header{ %header{
Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname); IntrusivePtr<Val> GetStringFromPrincipalName(const KRB_Principal_Name* pname);
VectorVal* proc_cipher_list(const Array* list); VectorVal* proc_cipher_list(const Array* list);
VectorVal* proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list); VectorVal* proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list);
RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr); RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr);
VectorVal* proc_tickets(const KRB_Ticket_Sequence* list); IntrusivePtr<VectorVal> proc_tickets(const KRB_Ticket_Sequence* list);
RecordVal* proc_ticket(const KRB_Ticket* ticket); IntrusivePtr<RecordVal> proc_ticket(const KRB_Ticket* ticket);
%} %}
%code{ %code{
Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname) IntrusivePtr<Val> GetStringFromPrincipalName(const KRB_Principal_Name* pname)
{ {
if ( pname->data()->size() == 1 ) if ( pname->data()->size() == 1 )
return bytestring_to_val(pname->data()[0][0]->encoding()->content()); return to_stringval(pname->data()[0][0]->encoding()->content());
if ( pname->data()->size() == 2 ) if ( pname->data()->size() == 2 )
return new StringVal(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin())); return make_intrusive<StringVal>(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin()));
if ( pname->data()->size() == 3 ) // if the name-string has a third value, this will just append it, else this will return unknown as the principal name if ( pname->data()->size() == 3 ) // if the name-string has a third value, this will just append it, else this will return unknown as the principal name
return new StringVal(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin())); return make_intrusive<StringVal>(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin()));
return new StringVal("unknown"); return make_intrusive<StringVal>("unknown");
} }
VectorVal* proc_cipher_list(const Array* list) VectorVal* proc_cipher_list(const Array* list)
@ -78,7 +78,7 @@ RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr)
} }
case 20: case 20:
{ {
rv->Assign(1, bytestring_to_val(addr_bytes)); rv->Assign(1, to_stringval(addr_bytes));
return rv; return rv;
} }
default: default:
@ -87,14 +87,15 @@ RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr)
RecordVal* unk = new RecordVal(BifType::Record::KRB::Type_Value); RecordVal* unk = new RecordVal(BifType::Record::KRB::Type_Value);
unk->Assign(0, asn1_integer_to_val(addr->addr_type(), TYPE_COUNT)); unk->Assign(0, asn1_integer_to_val(addr->addr_type(), TYPE_COUNT));
unk->Assign(1, bytestring_to_val(addr_bytes)); unk->Assign(1, to_stringval(addr_bytes));
rv->Assign(2, unk); rv->Assign(2, unk);
return rv; return rv;
} }
VectorVal* proc_tickets(const KRB_Ticket_Sequence* list) IntrusivePtr<VectorVal> proc_tickets(const KRB_Ticket_Sequence* list)
{ {
VectorVal* tickets = new VectorVal(internal_type("KRB::Ticket_Vector")->AsVectorType()); auto tickets = make_intrusive<VectorVal>(internal_type("KRB::Ticket_Vector")->AsVectorType());
for ( uint i = 0; i < list->tickets()->size(); ++i ) for ( uint i = 0; i < list->tickets()->size(); ++i )
{ {
KRB_Ticket* element = (*list->tickets())[i]; KRB_Ticket* element = (*list->tickets())[i];
@ -102,20 +103,20 @@ VectorVal* proc_tickets(const KRB_Ticket_Sequence* list)
} }
return tickets; return tickets;
} }
RecordVal* proc_ticket(const KRB_Ticket* ticket) IntrusivePtr<RecordVal> proc_ticket(const KRB_Ticket* ticket)
{ {
RecordVal* rv = new RecordVal(BifType::Record::KRB::Ticket); auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::Ticket);
rv->Assign(0, asn1_integer_to_val(ticket->tkt_vno()->data(), TYPE_COUNT)); rv->Assign(0, asn1_integer_to_val(ticket->tkt_vno()->data(), TYPE_COUNT));
rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content())); rv->Assign(1, to_stringval(ticket->realm()->data()->content()));
rv->Assign(2, GetStringFromPrincipalName(ticket->sname())); rv->Assign(2, GetStringFromPrincipalName(ticket->sname()));
rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT)); rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT));
rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext()->encoding()->content())); rv->Assign(4, to_stringval(ticket->enc_part()->data()->ciphertext()->encoding()->content()));
return rv; return rv;
} }
%} %}
type KRB_Principal_Name = record { type KRB_Principal_Name = record {

20
src/analyzer/protocol/login/Login.cc
View file

@ -290,7 +290,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
else if ( IsSkipAuthentication(line) ) else if ( IsSkipAuthentication(line) )
{ {
if ( authentication_skipped ) if ( authentication_skipped )
EnqueueConnEvent(authentication_skipped, IntrusivePtr{AdoptRef{}, BuildConnVal()}); EnqueueConnEvent(authentication_skipped, ConnVal());
state = LOGIN_STATE_SKIP; state = LOGIN_STATE_SKIP;
SetSkip(true); SetSkip(true);
@ -332,19 +332,19 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
else if ( login_terminal && streq(name, "TERM") ) else if ( login_terminal && streq(name, "TERM") )
EnqueueConnEvent(login_terminal, EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(val) make_intrusive<StringVal>(val)
); );
else if ( login_display && streq(name, "DISPLAY") ) else if ( login_display && streq(name, "DISPLAY") )
EnqueueConnEvent(login_display, EnqueueConnEvent(login_display,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(val) make_intrusive<StringVal>(val)
); );
else if ( login_prompt && streq(name, "TTYPROMPT") ) else if ( login_prompt && streq(name, "TTYPROMPT") )
EnqueueConnEvent(login_prompt, EnqueueConnEvent(login_prompt,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(val) make_intrusive<StringVal>(val)
); );
} }
@ -420,10 +420,10 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
PopUserTextVal() : new StringVal("<none>"); PopUserTextVal() : new StringVal("<none>");
EnqueueConnEvent(f, EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{NewRef{}, username}, IntrusivePtr{NewRef{}, username},
client_name ? IntrusivePtr{NewRef{}, client_name} client_name ? IntrusivePtr{NewRef{}, client_name}
: IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()}, : val_mgr->EmptyString(),
IntrusivePtr{AdoptRef{}, password}, IntrusivePtr{AdoptRef{}, password},
make_intrusive<StringVal>(line) make_intrusive<StringVal>(line)
); );
@ -443,7 +443,7 @@ void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
return; return;
EnqueueConnEvent(f, EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(line) make_intrusive<StringVal>(line)
); );
} }
@ -455,7 +455,7 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
if ( login_confused ) if ( login_confused )
EnqueueConnEvent(login_confused, EnqueueConnEvent(login_confused,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(msg), make_intrusive<StringVal>(msg),
make_intrusive<StringVal>(line) make_intrusive<StringVal>(line)
); );
@ -479,7 +479,7 @@ void Login_Analyzer::ConfusionText(const char* line)
{ {
if ( login_confused_text ) if ( login_confused_text )
EnqueueConnEvent(login_confused_text, EnqueueConnEvent(login_confused_text,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(line) make_intrusive<StringVal>(line)
); );
} }
@ -593,7 +593,7 @@ Val* Login_Analyzer::PopUserTextVal()
if ( s ) if ( s )
return new StringVal(new BroString(true, byte_vec(s), strlen(s))); return new StringVal(new BroString(true, byte_vec(s), strlen(s)));
else else
return val_mgr->GetEmptyString(); return val_mgr->EmptyString()->Ref();
} }
bool Login_Analyzer::MatchesTypeahead(const char* line) const bool Login_Analyzer::MatchesTypeahead(const char* line) const

2
src/analyzer/protocol/login/NVT.cc
View file

@ -460,7 +460,7 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
{ {
if ( login_terminal ) if ( login_terminal )
EnqueueConnEvent(login_terminal, EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(new BroString(terminal, len, false)) make_intrusive<StringVal>(new BroString(terminal, len, false))
); );
} }

6
src/analyzer/protocol/login/RSH.cc
View file

@ -172,7 +172,7 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
vl.reserve(4 + orig); vl.reserve(4 + orig);
const char* line = (const char*) data; const char* line = (const char*) data;
line = skip_whitespace(line); line = skip_whitespace(line);
vl.emplace_back(AdoptRef{}, BuildConnVal()); vl.emplace_back(ConnVal());
if ( client_name ) if ( client_name )
vl.emplace_back(NewRef{}, client_name); vl.emplace_back(NewRef{}, client_name);
@ -190,9 +190,9 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME ) if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
// First input // First input
vl.emplace_back(AdoptRef{}, val_mgr->GetTrue()); vl.emplace_back(val_mgr->True());
else else
vl.emplace_back(AdoptRef{}, val_mgr->GetFalse()); vl.emplace_back(val_mgr->False());
EnqueueConnEvent(rsh_request, std::move(vl)); EnqueueConnEvent(rsh_request, std::move(vl));
} }

2
src/analyzer/protocol/login/Rlogin.cc
View file

@ -245,7 +245,7 @@ void Rlogin_Analyzer::TerminalType(const char* s)
{ {
if ( login_terminal ) if ( login_terminal )
EnqueueConnEvent(login_terminal, EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
make_intrusive<StringVal>(s) make_intrusive<StringVal>(s)
); );
} }

12
src/analyzer/protocol/login/functions.bif
View file

@ -28,13 +28,13 @@ function get_login_state%(cid: conn_id%): count
%{ %{
Connection* c = sessions->FindConnection(cid); Connection* c = sessions->FindConnection(cid);
if ( ! c ) if ( ! c )
return val_mgr->GetFalse(); return val_mgr->False();
analyzer::Analyzer* la = c->FindAnalyzer("Login"); analyzer::Analyzer* la = c->FindAnalyzer("Login");
if ( ! la ) if ( ! la )
return val_mgr->GetFalse(); return val_mgr->False();
return val_mgr->GetCount(int(static_cast<analyzer::login::Login_Analyzer*>(la)->LoginState())); return val_mgr->Count(int(static_cast<analyzer::login::Login_Analyzer*>(la)->LoginState()));
%} %}
## Sets the login state of a connection with a login analyzer. ## Sets the login state of a connection with a login analyzer.
@ -52,12 +52,12 @@ function set_login_state%(cid: conn_id, new_state: count%): bool
%{ %{
Connection* c = sessions->FindConnection(cid); Connection* c = sessions->FindConnection(cid);
if ( ! c ) if ( ! c )
return val_mgr->GetFalse(); return val_mgr->False();
analyzer::Analyzer* la = c->FindAnalyzer("Login"); analyzer::Analyzer* la = c->FindAnalyzer("Login");
if ( ! la ) if ( ! la )
return val_mgr->GetFalse(); return val_mgr->False();
static_cast<analyzer::login::Login_Analyzer*>(la)->SetLoginState(analyzer::login::login_state(new_state)); static_cast<analyzer::login::Login_Analyzer*>(la)->SetLoginState(analyzer::login::login_state(new_state));
return val_mgr->GetTrue(); return val_mgr->True();
%} %}

37
src/analyzer/protocol/mime/MIME.cc
View file

@ -1292,8 +1292,9 @@ void MIME_Entity::DebugPrintHeaders()
RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h) RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h)
{ {
RecordVal* header_record = new RecordVal(mime_header_rec); RecordVal* header_record = new RecordVal(mime_header_rec);
header_record->Assign(0, new_string_val(h->get_name())->ToUpper()); header_record->Assign(0, new_string_val(h->get_name()));
header_record->Assign(1, new_string_val(h->get_value())); header_record->Assign(1, new_string_val(h->get_name())->ToUpper());
header_record->Assign(2, new_string_val(h->get_value()));
return header_record; return header_record;
} }
@ -1303,14 +1304,12 @@ TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist)
for ( unsigned int i = 0; i < hlist.size(); ++i ) for ( unsigned int i = 0; i < hlist.size(); ++i )
{ {
Val* index = val_mgr->GetCount(i+1); // index starting from 1 auto index = val_mgr->Count(i + 1); // index starting from 1
MIME_Header* h = hlist[i]; MIME_Header* h = hlist[i];
RecordVal* header_record = BuildHeaderVal(h); RecordVal* header_record = BuildHeaderVal(h);
t->Assign(index, header_record); t->Assign(index.get(), header_record);
Unref(index);
} }
return t; return t;
@ -1366,8 +1365,8 @@ void MIME_Mail::Done()
md5_hash = nullptr; md5_hash = nullptr;
analyzer->EnqueueConnEvent(mime_content_hash, analyzer->EnqueueConnEvent(mime_content_hash,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(content_hash_length)}, val_mgr->Count(content_hash_length),
make_intrusive<StringVal>(new BroString(true, digest, 16)) make_intrusive<StringVal>(new BroString(true, digest, 16))
); );
} }
@ -1393,7 +1392,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
cur_entity_id.clear(); cur_entity_id.clear();
if ( mime_begin_entity ) if ( mime_begin_entity )
analyzer->EnqueueConnEvent(mime_begin_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}); analyzer->EnqueueConnEvent(mime_begin_entity, analyzer->ConnVal());
buffer_start = data_start = 0; buffer_start = data_start = 0;
ASSERT(entity_content.size() == 0); ASSERT(entity_content.size() == 0);
@ -1406,8 +1405,8 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
BroString* s = concatenate(entity_content); BroString* s = concatenate(entity_content);
analyzer->EnqueueConnEvent(mime_entity_data, analyzer->EnqueueConnEvent(mime_entity_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())}, val_mgr->Count(s->Len()),
make_intrusive<StringVal>(s) make_intrusive<StringVal>(s)
); );
@ -1418,7 +1417,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
} }
if ( mime_end_entity ) if ( mime_end_entity )
analyzer->EnqueueConnEvent(mime_end_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}); analyzer->EnqueueConnEvent(mime_end_entity, analyzer->ConnVal());
file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
cur_entity_id.clear(); cur_entity_id.clear();
@ -1428,7 +1427,7 @@ void MIME_Mail::SubmitHeader(MIME_Header* h)
{ {
if ( mime_one_header ) if ( mime_one_header )
analyzer->EnqueueConnEvent(mime_one_header, analyzer->EnqueueConnEvent(mime_one_header,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, BuildHeaderVal(h)} IntrusivePtr{AdoptRef{}, BuildHeaderVal(h)}
); );
} }
@ -1437,7 +1436,7 @@ void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
{ {
if ( mime_all_headers ) if ( mime_all_headers )
analyzer->EnqueueConnEvent(mime_all_headers, analyzer->EnqueueConnEvent(mime_all_headers,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)} IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
); );
} }
@ -1473,8 +1472,8 @@ void MIME_Mail::SubmitData(int len, const char* buf)
int data_len = (buf + len) - data; int data_len = (buf + len) - data;
analyzer->EnqueueConnEvent(mime_segment_data, analyzer->EnqueueConnEvent(mime_segment_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_len)}, val_mgr->Count(data_len),
make_intrusive<StringVal>(data_len, data) make_intrusive<StringVal>(data_len, data)
); );
} }
@ -1520,8 +1519,8 @@ void MIME_Mail::SubmitAllData()
delete_strings(all_content); delete_strings(all_content);
analyzer->EnqueueConnEvent(mime_all_data, analyzer->EnqueueConnEvent(mime_all_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())}, val_mgr->Count(s->Len()),
make_intrusive<StringVal>(s) make_intrusive<StringVal>(s)
); );
} }
@ -1548,7 +1547,7 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
if ( mime_event ) if ( mime_event )
analyzer->EnqueueConnEvent(mime_event, analyzer->EnqueueConnEvent(mime_event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
make_intrusive<StringVal>(category), make_intrusive<StringVal>(category),
make_intrusive<StringVal>(detail) make_intrusive<StringVal>(detail)
); );

217
src/analyzer/protocol/modbus/modbus-analyzer.pac
View file

@ -8,39 +8,39 @@
# #
%header{ %header{
VectorVal* bytestring_to_coils(const bytestring& coils, uint quantity); IntrusivePtr<VectorVal> bytestring_to_coils(const bytestring& coils, uint quantity);
RecordVal* HeaderToBro(ModbusTCP_TransportHeader *header); IntrusivePtr<RecordVal> HeaderToVal(ModbusTCP_TransportHeader* header);
VectorVal* create_vector_of_count(); IntrusivePtr<VectorVal> create_vector_of_count();
%} %}
%code{ %code{
VectorVal* bytestring_to_coils(const bytestring& coils, uint quantity) IntrusivePtr<VectorVal> bytestring_to_coils(const bytestring& coils, uint quantity)
{ {
VectorVal* modbus_coils = new VectorVal(BifType::Vector::ModbusCoils); auto modbus_coils = make_intrusive<VectorVal>(BifType::Vector::ModbusCoils);
for ( uint i = 0; i < quantity; i++ ) for ( uint i = 0; i < quantity; i++ )
{ {
char currentCoil = (coils[i/8] >> (i % 8)) % 2; char currentCoil = (coils[i/8] >> (i % 8)) % 2;
modbus_coils->Assign(i, val_mgr->GetBool(currentCoil)); modbus_coils->Assign(i, val_mgr->Bool(currentCoil));
} }
return modbus_coils; return modbus_coils;
} }
RecordVal* HeaderToBro(ModbusTCP_TransportHeader *header) IntrusivePtr<RecordVal> HeaderToVal(ModbusTCP_TransportHeader* header)
{ {
RecordVal* modbus_header = new RecordVal(BifType::Record::ModbusHeaders); auto modbus_header = make_intrusive<RecordVal>(BifType::Record::ModbusHeaders);
modbus_header->Assign(0, val_mgr->GetCount(header->tid())); modbus_header->Assign(0, val_mgr->Count(header->tid()));
modbus_header->Assign(1, val_mgr->GetCount(header->pid())); modbus_header->Assign(1, val_mgr->Count(header->pid()));
modbus_header->Assign(2, val_mgr->GetCount(header->uid())); modbus_header->Assign(2, val_mgr->Count(header->uid()));
modbus_header->Assign(3, val_mgr->GetCount(header->fc())); modbus_header->Assign(3, val_mgr->Count(header->fc()));
return modbus_header; return modbus_header;
} }
VectorVal* create_vector_of_count() IntrusivePtr<VectorVal> create_vector_of_count()
{ {
VectorType* vt = new VectorType(base_type(TYPE_COUNT)); auto vt = make_intrusive<VectorType>(base_type(TYPE_COUNT));
VectorVal* vv = new VectorVal(vt); auto vv = make_intrusive<VectorVal>(vt.get());
Unref(vt);
return vv; return vv;
} }
@ -88,9 +88,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_message ) if ( ::modbus_message )
{ {
BifEvent::generate_modbus_message(connection()->bro_analyzer(), BifEvent::enqueue_modbus_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
is_orig()); is_orig());
} }
@ -117,9 +117,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_exception ) if ( ::modbus_exception )
{ {
BifEvent::generate_modbus_exception(connection()->bro_analyzer(), BifEvent::enqueue_modbus_exception(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.code}); ${message.code});
} }
@ -131,9 +131,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_coils_request ) if ( ::modbus_read_coils_request )
{ {
BifEvent::generate_modbus_read_coils_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.start_address}, ${message.start_address},
${message.quantity}); ${message.quantity});
} }
@ -146,9 +146,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_coils_response ) if ( ::modbus_read_coils_response )
{ {
BifEvent::generate_modbus_read_coils_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8)); bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
} }
return true; return true;
@ -159,9 +159,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_discrete_inputs_request ) if ( ::modbus_read_discrete_inputs_request )
{ {
BifEvent::generate_modbus_read_discrete_inputs_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_discrete_inputs_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.start_address}, ${message.quantity}); ${message.start_address}, ${message.quantity});
} }
@ -173,9 +173,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_discrete_inputs_response ) if ( ::modbus_read_discrete_inputs_response )
{ {
BifEvent::generate_modbus_read_discrete_inputs_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_discrete_inputs_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8)); bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
} }
@ -188,9 +188,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_holding_registers_request ) if ( ::modbus_read_holding_registers_request )
{ {
BifEvent::generate_modbus_read_holding_registers_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_holding_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.start_address}, ${message.quantity}); ${message.start_address}, ${message.quantity});
} }
@ -209,18 +209,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_holding_registers_response ) if ( ::modbus_read_holding_registers_response )
{ {
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
for ( unsigned int i=0; i < ${message.registers}->size(); ++i ) for ( unsigned int i=0; i < ${message.registers}->size(); ++i )
{ {
Val* r = val_mgr->GetCount(${message.registers[i]}); auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r); t->Assign(i, r);
} }
BifEvent::generate_modbus_read_holding_registers_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_holding_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
t); std::move(t));
} }
return true; return true;
@ -232,9 +232,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_input_registers_request ) if ( ::modbus_read_input_registers_request )
{ {
BifEvent::generate_modbus_read_input_registers_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_input_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.start_address}, ${message.quantity}); ${message.start_address}, ${message.quantity});
} }
@ -253,17 +253,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_input_registers_response ) if ( ::modbus_read_input_registers_response )
{ {
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters); auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i=0; i < (${message.registers})->size(); ++i ) for ( unsigned int i=0; i < (${message.registers})->size(); ++i )
{ {
Val* r = val_mgr->GetCount(${message.registers[i]}); auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r); t->Assign(i, r);
} }
BifEvent::generate_modbus_read_input_registers_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_input_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
t); std::move(t));
} }
return true; return true;
@ -287,9 +288,9 @@ refine flow ModbusTCP_Flow += {
return false; return false;
} }
BifEvent::generate_modbus_write_single_coil_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_write_single_coil_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.address}, ${message.address},
val); val);
} }
@ -314,9 +315,9 @@ refine flow ModbusTCP_Flow += {
return false; return false;
} }
BifEvent::generate_modbus_write_single_coil_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_write_single_coil_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.address}, ${message.address},
val); val);
} }
@ -330,9 +331,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_single_register_request ) if ( ::modbus_write_single_register_request )
{ {
BifEvent::generate_modbus_write_single_register_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_write_single_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.address}, ${message.value}); ${message.address}, ${message.value});
} }
@ -344,9 +345,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_single_register_response ) if ( ::modbus_write_single_register_response )
{ {
BifEvent::generate_modbus_write_single_register_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_write_single_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.address}, ${message.value}); ${message.address}, ${message.value});
} }
@ -359,9 +360,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_multiple_coils_request ) if ( ::modbus_write_multiple_coils_request )
{ {
BifEvent::generate_modbus_write_multiple_coils_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_write_multiple_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.start_address}, ${message.start_address},
bytestring_to_coils(${message.coils}, ${message.quantity})); bytestring_to_coils(${message.coils}, ${message.quantity}));
} }
@ -374,9 +375,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_multiple_coils_response ) if ( ::modbus_write_multiple_coils_response )
{ {
BifEvent::generate_modbus_write_multiple_coils_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_write_multiple_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.start_address}, ${message.quantity}); ${message.start_address}, ${message.quantity});
} }
@ -396,17 +397,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_write_multiple_registers_request ) if ( ::modbus_write_multiple_registers_request )
{ {
VectorVal * t = new VectorVal(BifType::Vector::ModbusRegisters); auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < (${message.registers}->size()); ++i ) for ( unsigned int i = 0; i < (${message.registers}->size()); ++i )
{ {
Val* r = val_mgr->GetCount(${message.registers[i]}); auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r); t->Assign(i, r);
} }
BifEvent::generate_modbus_write_multiple_registers_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.start_address}, t); ${message.start_address}, std::move(t));
} }
return true; return true;
@ -417,9 +419,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_multiple_registers_response ) if ( ::modbus_write_multiple_registers_response )
{ {
BifEvent::generate_modbus_write_multiple_registers_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.start_address}, ${message.quantity}); ${message.start_address}, ${message.quantity});
} }
@ -432,22 +434,22 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_file_record_request ) if ( ::modbus_read_file_record_request )
{ {
//TODO: this need to be a vector of some Reference Request record type //TODO: this need to be a vector of some Reference Request record type
//VectorVal *t = create_vector_of_count(); //auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i ) //for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// { // {
// Val* r = val_mgr->GetCount((${message.references[i].ref_type})); // auto r = val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r); // t->Assign(i, r);
// //
// Val* k = val_mgr->GetCount((${message.references[i].file_num})); // auto k = val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, k); // t->Assign(i, k);
// //
// Val* l = val_mgr->GetCount((${message.references[i].record_num})); // auto l = val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, l); // t->Assign(i, l);
// } // }
BifEvent::generate_modbus_read_file_record_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header)); HeaderToVal(header));
} }
return true; return true;
@ -458,17 +460,17 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_file_record_response ) if ( ::modbus_read_file_record_response )
{ {
//VectorVal *t = create_vector_of_count(); //auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < ${message.references}->size(); ++i ) //for ( unsigned int i = 0; i < ${message.references}->size(); ++i )
// { // {
// //TODO: work the reference type in here somewhere // //TODO: work the reference type in here somewhere
// Val* r = val_mgr->GetCount(${message.references[i].record_data})); // auto r = val_mgr->Count(${message.references[i].record_data}));
// t->Assign(i, r); // t->Assign(i, r);
// } // }
BifEvent::generate_modbus_read_file_record_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header)); HeaderToVal(header));
} }
return true; return true;
@ -479,28 +481,28 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_file_record_request ) if ( ::modbus_write_file_record_request )
{ {
//VectorVal* t = create_vector_of_count(); //auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i ) //for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// { // {
// Val* r = val_mgr->GetCount((${message.references[i].ref_type})); // auto r = val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r); // t->Assign(i, r);
// //
// Val* k = val_mgr->GetCount((${message.references[i].file_num})); // auto k = val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, k); // t->Assign(i, k);
// //
// Val* n = val_mgr->GetCount((${message.references[i].record_num})); // auto n = val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, n); // t->Assign(i, n);
// //
// for ( unsigned int j = 0; j < (${message.references[i].register_value}->size()); ++j ) // for ( unsigned int j = 0; j < (${message.references[i].register_value}->size()); ++j )
// { // {
// k = val_mgr->GetCount((${message.references[i].register_value[j]})); // k = val_mgr->Count((${message.references[i].register_value[j]}));
// t->Assign(i, k); // t->Assign(i, k);
// } // }
// } // }
BifEvent::generate_modbus_write_file_record_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_write_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header)); HeaderToVal(header));
} }
return true; return true;
@ -512,27 +514,27 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_file_record_response ) if ( ::modbus_write_file_record_response )
{ {
//VectorVal* t = create_vector_of_count(); //auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${messages.references}->size()); ++i ) //for ( unsigned int i = 0; i < (${messages.references}->size()); ++i )
// { // {
// Val* r = val_mgr->GetCount((${message.references[i].ref_type})); // auto r = val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r); // t->Assign(i, r);
// //
// Val* f = val_mgr->GetCount((${message.references[i].file_num})); // auto f = val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, f); // t->Assign(i, f);
// //
// Val* rn = val_mgr->GetCount((${message.references[i].record_num})); // auto rn = val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, rn); // t->Assign(i, rn);
// //
// for ( unsigned int j = 0; j<(${message.references[i].register_value}->size()); ++j ) // for ( unsigned int j = 0; j<(${message.references[i].register_value}->size()); ++j )
// { // {
// Val* k = val_mgr->GetCount((${message.references[i].register_value[j]})); // auto k = val_mgr->Count((${message.references[i].register_value[j]}));
// t->Assign(i, k); // t->Assign(i, k);
// } // }
BifEvent::generate_modbus_write_file_record_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_write_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header)); HeaderToVal(header));
} }
return true; return true;
@ -543,9 +545,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_mask_write_register_request ) if ( ::modbus_mask_write_register_request )
{ {
BifEvent::generate_modbus_mask_write_register_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_mask_write_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.address}, ${message.address},
${message.and_mask}, ${message.or_mask}); ${message.and_mask}, ${message.or_mask});
} }
@ -558,9 +560,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_mask_write_register_response ) if ( ::modbus_mask_write_register_response )
{ {
BifEvent::generate_modbus_mask_write_register_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_mask_write_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.address}, ${message.address},
${message.and_mask}, ${message.or_mask}); ${message.and_mask}, ${message.or_mask});
} }
@ -580,20 +582,21 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_write_multiple_registers_request ) if ( ::modbus_read_write_multiple_registers_request )
{ {
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters); auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < ${message.write_register_values}->size(); ++i ) for ( unsigned int i = 0; i < ${message.write_register_values}->size(); ++i )
{ {
Val* r = val_mgr->GetCount(${message.write_register_values[i]}); auto r = val_mgr->Count(${message.write_register_values[i]});
t->Assign(i, r); t->Assign(i, r);
} }
BifEvent::generate_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.read_start_address}, ${message.read_start_address},
${message.read_quantity}, ${message.read_quantity},
${message.write_start_address}, ${message.write_start_address},
t); std::move(t));
} }
return true; return true;
@ -611,17 +614,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_write_multiple_registers_response ) if ( ::modbus_read_write_multiple_registers_response )
{ {
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters); auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < ${message.registers}->size(); ++i ) for ( unsigned int i = 0; i < ${message.registers}->size(); ++i )
{ {
Val* r = val_mgr->GetCount(${message.registers[i]}); auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r); t->Assign(i, r);
} }
BifEvent::generate_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
t); std::move(t));
} }
return true; return true;
@ -632,9 +636,9 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_fifo_queue_request ) if ( ::modbus_read_fifo_queue_request )
{ {
BifEvent::generate_modbus_read_fifo_queue_request(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_fifo_queue_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
${message.start_address}); ${message.start_address});
} }
@ -654,17 +658,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_fifo_queue_response ) if ( ::modbus_read_fifo_queue_response )
{ {
VectorVal* t = create_vector_of_count(); auto t = create_vector_of_count();
for ( unsigned int i = 0; i < (${message.register_data})->size(); ++i ) for ( unsigned int i = 0; i < (${message.register_data})->size(); ++i )
{ {
Val* r = val_mgr->GetCount(${message.register_data[i]}); auto r = val_mgr->Count(${message.register_data[i]});
t->Assign(i, r); t->Assign(i, r);
} }
BifEvent::generate_modbus_read_fifo_queue_response(connection()->bro_analyzer(), BifEvent::enqueue_modbus_read_fifo_queue_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
HeaderToBro(header), HeaderToVal(header),
t); std::move(t));
} }
return true; return true;

10
src/analyzer/protocol/mqtt/commands/connack.pac
View file

@ -15,12 +15,12 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_connack ) if ( mqtt_connack )
{ {
auto m = new RecordVal(BifType::Record::MQTT::ConnectAckMsg); auto m = make_intrusive<RecordVal>(BifType::Record::MQTT::ConnectAckMsg);
m->Assign(0, val_mgr->GetCount(${msg.return_code})); m->Assign(0, val_mgr->Count(${msg.return_code}));
m->Assign(1, val_mgr->GetBool(${msg.session_present})); m->Assign(1, val_mgr->Bool(${msg.session_present}));
BifEvent::generate_mqtt_connack(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_connack(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
m); std::move(m));
} }
return true; return true;

14
src/analyzer/protocol/mqtt/commands/connect.pac
View file

@ -44,17 +44,17 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_connect ) if ( mqtt_connect )
{ {
auto m = new RecordVal(BifType::Record::MQTT::ConnectMsg); auto m = make_intrusive<RecordVal>(BifType::Record::MQTT::ConnectMsg);
m->Assign(0, make_intrusive<StringVal>(${msg.protocol_name.str}.length(), m->Assign(0, make_intrusive<StringVal>(${msg.protocol_name.str}.length(),
reinterpret_cast<const char*>(${msg.protocol_name.str}.begin()))); reinterpret_cast<const char*>(${msg.protocol_name.str}.begin())));
m->Assign(1, val_mgr->GetCount(${msg.protocol_version})); m->Assign(1, val_mgr->Count(${msg.protocol_version}));
m->Assign(2, make_intrusive<StringVal>(${msg.client_id.str}.length(), m->Assign(2, make_intrusive<StringVal>(${msg.client_id.str}.length(),
reinterpret_cast<const char*>(${msg.client_id.str}.begin()))); reinterpret_cast<const char*>(${msg.client_id.str}.begin())));
m->Assign(3, make_intrusive<IntervalVal>(double(${msg.keep_alive}), Seconds)); m->Assign(3, make_intrusive<IntervalVal>(double(${msg.keep_alive}), Seconds));
m->Assign(4, val_mgr->GetBool(${msg.clean_session})); m->Assign(4, val_mgr->Bool(${msg.clean_session}));
m->Assign(5, val_mgr->GetBool(${msg.will_retain})); m->Assign(5, val_mgr->Bool(${msg.will_retain}));
m->Assign(6, val_mgr->GetCount(${msg.will_qos})); m->Assign(6, val_mgr->Count(${msg.will_qos}));
if ( ${msg.will_flag} ) if ( ${msg.will_flag} )
{ {
@ -75,9 +75,9 @@ refine flow MQTT_Flow += {
reinterpret_cast<const char*>(${msg.pass.str}.begin()))); reinterpret_cast<const char*>(${msg.pass.str}.begin())));
} }
BifEvent::generate_mqtt_connect(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_connect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
m); std::move(m));
} }
// If a connect message was seen, let's say that confirms it. // If a connect message was seen, let's say that confirms it.

2
src/analyzer/protocol/mqtt/commands/disconnect.pac
View file

@ -11,7 +11,7 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_disconnect ) if ( mqtt_disconnect )
{ {
BifEvent::generate_mqtt_disconnect(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_disconnect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn()); connection()->bro_analyzer()->Conn());
} }

2
src/analyzer/protocol/mqtt/commands/pingreq.pac
View file

@ -11,7 +11,7 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_pingreq ) if ( mqtt_pingreq )
{ {
BifEvent::generate_mqtt_pingreq(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_pingreq(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn()); connection()->bro_analyzer()->Conn());
} }

2
src/analyzer/protocol/mqtt/commands/pingresp.pac
View file

@ -11,7 +11,7 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_pingresp ) if ( mqtt_pingresp )
{ {
BifEvent::generate_mqtt_pingresp(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_pingresp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn()); connection()->bro_analyzer()->Conn());
} }

2
src/analyzer/protocol/mqtt/commands/puback.pac
View file

@ -13,7 +13,7 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_puback ) if ( mqtt_puback )
{ {
BifEvent::generate_mqtt_puback(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_puback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig, is_orig,
${msg.msg_id}); ${msg.msg_id});

2
src/analyzer/protocol/mqtt/commands/pubcomp.pac
View file

@ -13,7 +13,7 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_pubcomp ) if ( mqtt_pubcomp )
{ {
BifEvent::generate_mqtt_pubcomp(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_pubcomp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig, is_orig,
${msg.msg_id}); ${msg.msg_id});

14
src/analyzer/protocol/mqtt/commands/publish.pac
View file

@ -23,10 +23,10 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_publish ) if ( mqtt_publish )
{ {
auto m = new RecordVal(BifType::Record::MQTT::PublishMsg); auto m = make_intrusive<RecordVal>(BifType::Record::MQTT::PublishMsg);
m->Assign(0, val_mgr->GetBool(${msg.dup})); m->Assign(0, val_mgr->Bool(${msg.dup}));
m->Assign(1, val_mgr->GetCount(${msg.qos})); m->Assign(1, val_mgr->Count(${msg.qos}));
m->Assign(2, val_mgr->GetBool(${msg.retain})); m->Assign(2, val_mgr->Bool(${msg.retain}));
m->Assign(3, new StringVal(${msg.topic.str}.length(), m->Assign(3, new StringVal(${msg.topic.str}.length(),
reinterpret_cast<const char*>(${msg.topic.str}.begin()))); reinterpret_cast<const char*>(${msg.topic.str}.begin())));
@ -39,13 +39,13 @@ refine flow MQTT_Flow += {
m->Assign(4, new StringVal(len, m->Assign(4, new StringVal(len,
reinterpret_cast<const char*>(${msg.payload}.begin()))); reinterpret_cast<const char*>(${msg.payload}.begin())));
m->Assign(5, val_mgr->GetCount(${msg.payload}.length())); m->Assign(5, val_mgr->Count(${msg.payload}.length()));
BifEvent::generate_mqtt_publish(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_publish(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
${pdu.is_orig}, ${pdu.is_orig},
${msg.qos} == 0 ? 0 : ${msg.msg_id}, ${msg.qos} == 0 ? 0 : ${msg.msg_id},
m); std::move(m));
} }
// If a publish message was seen, let's say that confirms it. // If a publish message was seen, let's say that confirms it.

2
src/analyzer/protocol/mqtt/commands/pubrec.pac
View file

@ -13,7 +13,7 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_pubrec ) if ( mqtt_pubrec )
{ {
BifEvent::generate_mqtt_pubrec(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_pubrec(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig, is_orig,
${msg.msg_id}); ${msg.msg_id});

2
src/analyzer/protocol/mqtt/commands/pubrel.pac
View file

@ -13,7 +13,7 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_pubrel ) if ( mqtt_pubrel )
{ {
BifEvent::generate_mqtt_pubrel(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_pubrel(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig, is_orig,
${msg.msg_id}); ${msg.msg_id});

2
src/analyzer/protocol/mqtt/commands/suback.pac
View file

@ -14,7 +14,7 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_suback ) if ( mqtt_suback )
{ {
BifEvent::generate_mqtt_suback(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_suback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
${msg.msg_id}, ${msg.msg_id},
${msg.granted_QoS}); ${msg.granted_QoS});

14
src/analyzer/protocol/mqtt/commands/subscribe.pac
View file

@ -19,23 +19,23 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_subscribe ) if ( mqtt_subscribe )
{ {
auto topics = new VectorVal(string_vec); auto topics = make_intrusive<VectorVal>(string_vec);
auto qos_levels = new VectorVal(index_vec); auto qos_levels = make_intrusive<VectorVal>(index_vec);
for (auto topic: *${msg.topics}) for ( auto topic: *${msg.topics} )
{ {
auto subscribe_topic = new StringVal(${topic.name.str}.length(), auto subscribe_topic = new StringVal(${topic.name.str}.length(),
reinterpret_cast<const char*>(${topic.name.str}.begin())); reinterpret_cast<const char*>(${topic.name.str}.begin()));
auto qos = val_mgr->GetCount(${topic.requested_QoS}); auto qos = val_mgr->Count(${topic.requested_QoS});
topics->Assign(topics->Size(), subscribe_topic); topics->Assign(topics->Size(), subscribe_topic);
qos_levels->Assign(qos_levels->Size(), qos); qos_levels->Assign(qos_levels->Size(), qos);
} }
BifEvent::generate_mqtt_subscribe(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_subscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
${msg.msg_id}, ${msg.msg_id},
topics, std::move(topics),
qos_levels); std::move(qos_levels));
} }
return true; return true;

2
src/analyzer/protocol/mqtt/commands/unsuback.pac
View file

@ -13,7 +13,7 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_unsuback ) if ( mqtt_unsuback )
{ {
BifEvent::generate_mqtt_unsuback(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_unsuback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
${msg.msg_id}); ${msg.msg_id});
} }

8
src/analyzer/protocol/mqtt/commands/unsubscribe.pac
View file

@ -14,19 +14,19 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_unsubscribe ) if ( mqtt_unsubscribe )
{ {
auto topics = new VectorVal(string_vec); auto topics = make_intrusive<VectorVal>(string_vec);
for (auto topic: *${msg.topics}) for ( auto topic: *${msg.topics} )
{ {
auto unsubscribe_topic = new StringVal(${topic.str}.length(), auto unsubscribe_topic = new StringVal(${topic.str}.length(),
reinterpret_cast<const char*>(${topic.str}.begin())); reinterpret_cast<const char*>(${topic.str}.begin()));
topics->Assign(topics->Size(), unsubscribe_topic); topics->Assign(topics->Size(), unsubscribe_topic);
} }
BifEvent::generate_mqtt_unsubscribe(connection()->bro_analyzer(), BifEvent::enqueue_mqtt_unsubscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
${msg.msg_id}, ${msg.msg_id},
topics); std::move(topics));
} }
return true; return true;

34
src/analyzer/protocol/mysql/mysql-analyzer.pac
View file

@ -6,13 +6,13 @@ refine flow MySQL_Flow += {
if ( mysql_server_version ) if ( mysql_server_version )
{ {
if ( ${msg.version} == 10 ) if ( ${msg.version} == 10 )
BifEvent::generate_mysql_server_version(connection()->bro_analyzer(), BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.handshake10.server_version}))); make_intrusive<StringVal>(c_str(${msg.handshake10.server_version})));
if ( ${msg.version} == 9 ) if ( ${msg.version} == 9 )
BifEvent::generate_mysql_server_version(connection()->bro_analyzer(), BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.handshake9.server_version}))); make_intrusive<StringVal>(c_str(${msg.handshake9.server_version})));
} }
return true; return true;
%} %}
@ -25,13 +25,13 @@ refine flow MySQL_Flow += {
if ( mysql_handshake ) if ( mysql_handshake )
{ {
if ( ${msg.version} == 10 ) if ( ${msg.version} == 10 )
BifEvent::generate_mysql_handshake(connection()->bro_analyzer(), BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.v10_response.username}))); make_intrusive<StringVal>(c_str(${msg.v10_response.username})));
if ( ${msg.version} == 9 ) if ( ${msg.version} == 9 )
BifEvent::generate_mysql_handshake(connection()->bro_analyzer(), BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.v9_response.username}))); make_intrusive<StringVal>(c_str(${msg.v9_response.username})));
} }
return true; return true;
%} %}
@ -39,27 +39,27 @@ refine flow MySQL_Flow += {
function proc_mysql_command_request_packet(msg: Command_Request_Packet): bool function proc_mysql_command_request_packet(msg: Command_Request_Packet): bool
%{ %{
if ( mysql_command_request ) if ( mysql_command_request )
BifEvent::generate_mysql_command_request(connection()->bro_analyzer(), BifEvent::enqueue_mysql_command_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
${msg.command}, ${msg.command},
bytestring_to_val(${msg.arg})); to_stringval(${msg.arg}));
return true; return true;
%} %}
function proc_err_packet(msg: ERR_Packet): bool function proc_err_packet(msg: ERR_Packet): bool
%{ %{
if ( mysql_error ) if ( mysql_error )
BifEvent::generate_mysql_error(connection()->bro_analyzer(), BifEvent::enqueue_mysql_error(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
${msg.code}, ${msg.code},
bytestring_to_val(${msg.msg})); to_stringval(${msg.msg}));
return true; return true;
%} %}
function proc_ok_packet(msg: OK_Packet): bool function proc_ok_packet(msg: OK_Packet): bool
%{ %{
if ( mysql_ok ) if ( mysql_ok )
BifEvent::generate_mysql_ok(connection()->bro_analyzer(), BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
${msg.rows}); ${msg.rows});
return true; return true;
@ -71,7 +71,7 @@ refine flow MySQL_Flow += {
{ {
// This is a bit fake... // This is a bit fake...
if ( mysql_ok ) if ( mysql_ok )
BifEvent::generate_mysql_ok(connection()->bro_analyzer(), BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
0); 0);
} }
@ -83,7 +83,7 @@ refine flow MySQL_Flow += {
return true; return true;
auto vt = internal_type("string_vec")->AsVectorType(); auto vt = internal_type("string_vec")->AsVectorType();
auto vv = new VectorVal(vt); auto vv = make_intrusive<VectorVal>(vt);
auto& bstring = ${msg.row.first_field.val}; auto& bstring = ${msg.row.first_field.val};
auto ptr = reinterpret_cast<const char*>(bstring.data()); auto ptr = reinterpret_cast<const char*>(bstring.data());
@ -98,9 +98,9 @@ refine flow MySQL_Flow += {
vv->Assign(vv->Size(), make_intrusive<StringVal>(bstring.length(), ptr)); vv->Assign(vv->Size(), make_intrusive<StringVal>(bstring.length(), ptr));
} }
BifEvent::generate_mysql_result_row(connection()->bro_analyzer(), BifEvent::enqueue_mysql_result_row(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
vv); std::move(vv));
return true; return true;
%} %}

20
src/analyzer/protocol/ncp/NCP.cc
View file

@ -63,19 +63,19 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
{ {
if ( frame->is_orig() ) if ( frame->is_orig() )
analyzer->EnqueueConnEvent(f, analyzer->EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())}, val_mgr->Count(frame->frame_type()),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())}, val_mgr->Count(frame->body_length()),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)} val_mgr->Count(req_func)
); );
else else
analyzer->EnqueueConnEvent(f, analyzer->EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())}, val_mgr->Count(frame->frame_type()),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())}, val_mgr->Count(frame->body_length()),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_frame_type)}, val_mgr->Count(req_frame_type),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)}, val_mgr->Count(req_func),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->reply()->completion_code())} val_mgr->Count(frame->reply()->completion_code())
); );
} }
} }

14
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -60,10 +60,10 @@ void NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
{ {
if ( netbios_session_message ) if ( netbios_session_message )
analyzer->EnqueueConnEvent(netbios_session_message, analyzer->EnqueueConnEvent(netbios_session_message,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)}, val_mgr->Bool(is_query),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(type)}, val_mgr->Count(type),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)} val_mgr->Count(len)
); );
switch ( type ) { switch ( type ) {
@ -322,13 +322,13 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
if ( is_orig >= 0 ) if ( is_orig >= 0 )
analyzer->EnqueueConnEvent(event, analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}, val_mgr->Bool(is_orig),
make_intrusive<StringVal>(new BroString(data, len, false)) make_intrusive<StringVal>(new BroString(data, len, false))
); );
else else
analyzer->EnqueueConnEvent(event, analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()}, analyzer->ConnVal(),
make_intrusive<StringVal>(new BroString(data, len, false)) make_intrusive<StringVal>(new BroString(data, len, false))
); );
} }

4
src/analyzer/protocol/netbios/functions.bif
View file

@ -34,7 +34,7 @@ function decode_netbios_name%(name: string%): string
break; break;
} }
return new StringVal(i, result); return make_intrusive<StringVal>(i, result);
%} %}
## Converts a NetBIOS name type to its corresponding numeric value. ## Converts a NetBIOS name type to its corresponding numeric value.
@ -49,5 +49,5 @@ function decode_netbios_name_type%(name: string%): count
%{ %{
const u_char* s = name->Bytes(); const u_char* s = name->Bytes();
char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A'); char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A');
return val_mgr->GetCount(return_val); return val_mgr->Count(return_val);
%} %}

76
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -16,10 +16,10 @@ refine connection NTLM_Conn += {
function build_version_record(val: NTLM_Version): BroVal function build_version_record(val: NTLM_Version): BroVal
%{ %{
RecordVal* result = new RecordVal(BifType::Record::NTLM::Version); RecordVal* result = new RecordVal(BifType::Record::NTLM::Version);
result->Assign(0, val_mgr->GetCount(${val.major_version})); result->Assign(0, val_mgr->Count(${val.major_version}));
result->Assign(1, val_mgr->GetCount(${val.minor_version})); result->Assign(1, val_mgr->Count(${val.minor_version}));
result->Assign(2, val_mgr->GetCount(${val.build_number})); result->Assign(2, val_mgr->Count(${val.build_number}));
result->Assign(3, val_mgr->GetCount(${val.ntlm_revision})); result->Assign(3, val_mgr->Count(${val.ntlm_revision}));
return result; return result;
%} %}
@ -60,13 +60,13 @@ refine connection NTLM_Conn += {
result->Assign(4, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data})); result->Assign(4, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
break; break;
case 6: case 6:
result->Assign(5, val_mgr->GetBool(${val.pairs[i].constrained_auth})); result->Assign(5, val_mgr->Bool(${val.pairs[i].constrained_auth}));
break; break;
case 7: case 7:
result->Assign(6, filetime2brotime(${val.pairs[i].timestamp})); result->Assign(6, filetime2brotime(${val.pairs[i].timestamp}));
break; break;
case 8: case 8:
result->Assign(7, val_mgr->GetCount(${val.pairs[i].single_host.machine_id})); result->Assign(7, val_mgr->Count(${val.pairs[i].single_host.machine_id}));
break; break;
case 9: case 9:
result->Assign(8, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data})); result->Assign(8, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data}));
@ -79,28 +79,28 @@ refine connection NTLM_Conn += {
function build_negotiate_flag_record(val: NTLM_Negotiate_Flags): BroVal function build_negotiate_flag_record(val: NTLM_Negotiate_Flags): BroVal
%{ %{
RecordVal* flags = new RecordVal(BifType::Record::NTLM::NegotiateFlags); RecordVal* flags = new RecordVal(BifType::Record::NTLM::NegotiateFlags);
flags->Assign(0, val_mgr->GetBool(${val.negotiate_56})); flags->Assign(0, val_mgr->Bool(${val.negotiate_56}));
flags->Assign(1, val_mgr->GetBool(${val.negotiate_key_exch})); flags->Assign(1, val_mgr->Bool(${val.negotiate_key_exch}));
flags->Assign(2, val_mgr->GetBool(${val.negotiate_128})); flags->Assign(2, val_mgr->Bool(${val.negotiate_128}));
flags->Assign(3, val_mgr->GetBool(${val.negotiate_version})); flags->Assign(3, val_mgr->Bool(${val.negotiate_version}));
flags->Assign(4, val_mgr->GetBool(${val.negotiate_target_info})); flags->Assign(4, val_mgr->Bool(${val.negotiate_target_info}));
flags->Assign(5, val_mgr->GetBool(${val.request_non_nt_session_key})); flags->Assign(5, val_mgr->Bool(${val.request_non_nt_session_key}));
flags->Assign(6, val_mgr->GetBool(${val.negotiate_identify})); flags->Assign(6, val_mgr->Bool(${val.negotiate_identify}));
flags->Assign(7, val_mgr->GetBool(${val.negotiate_extended_sessionsecurity})); flags->Assign(7, val_mgr->Bool(${val.negotiate_extended_sessionsecurity}));
flags->Assign(8, val_mgr->GetBool(${val.target_type_server})); flags->Assign(8, val_mgr->Bool(${val.target_type_server}));
flags->Assign(9, val_mgr->GetBool(${val.target_type_domain})); flags->Assign(9, val_mgr->Bool(${val.target_type_domain}));
flags->Assign(10, val_mgr->GetBool(${val.negotiate_always_sign})); flags->Assign(10, val_mgr->Bool(${val.negotiate_always_sign}));
flags->Assign(11, val_mgr->GetBool(${val.negotiate_oem_workstation_supplied})); flags->Assign(11, val_mgr->Bool(${val.negotiate_oem_workstation_supplied}));
flags->Assign(12, val_mgr->GetBool(${val.negotiate_oem_domain_supplied})); flags->Assign(12, val_mgr->Bool(${val.negotiate_oem_domain_supplied}));
flags->Assign(13, val_mgr->GetBool(${val.negotiate_anonymous_connection})); flags->Assign(13, val_mgr->Bool(${val.negotiate_anonymous_connection}));
flags->Assign(14, val_mgr->GetBool(${val.negotiate_ntlm})); flags->Assign(14, val_mgr->Bool(${val.negotiate_ntlm}));
flags->Assign(15, val_mgr->GetBool(${val.negotiate_lm_key})); flags->Assign(15, val_mgr->Bool(${val.negotiate_lm_key}));
flags->Assign(16, val_mgr->GetBool(${val.negotiate_datagram})); flags->Assign(16, val_mgr->Bool(${val.negotiate_datagram}));
flags->Assign(17, val_mgr->GetBool(${val.negotiate_seal})); flags->Assign(17, val_mgr->Bool(${val.negotiate_seal}));
flags->Assign(18, val_mgr->GetBool(${val.negotiate_sign})); flags->Assign(18, val_mgr->Bool(${val.negotiate_sign}));
flags->Assign(19, val_mgr->GetBool(${val.request_target})); flags->Assign(19, val_mgr->Bool(${val.request_target}));
flags->Assign(20, val_mgr->GetBool(${val.negotiate_oem})); flags->Assign(20, val_mgr->Bool(${val.negotiate_oem}));
flags->Assign(21, val_mgr->GetBool(${val.negotiate_unicode})); flags->Assign(21, val_mgr->Bool(${val.negotiate_unicode}));
return flags; return flags;
%} %}
@ -110,7 +110,7 @@ refine connection NTLM_Conn += {
if ( ! ntlm_negotiate ) if ( ! ntlm_negotiate )
return true; return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Negotiate); auto result = make_intrusive<RecordVal>(BifType::Record::NTLM::Negotiate);
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() ) if ( ${val}->has_domain_name() )
@ -122,9 +122,9 @@ refine connection NTLM_Conn += {
if ( ${val}->has_version() ) if ( ${val}->has_version() )
result->Assign(3, build_version_record(${val.version})); result->Assign(3, build_version_record(${val.version}));
BifEvent::generate_ntlm_negotiate(bro_analyzer(), BifEvent::enqueue_ntlm_negotiate(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
result); std::move(result));
return true; return true;
%} %}
@ -134,7 +134,7 @@ refine connection NTLM_Conn += {
if ( ! ntlm_challenge ) if ( ! ntlm_challenge )
return true; return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Challenge); auto result = make_intrusive<RecordVal>(BifType::Record::NTLM::Challenge);
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_target_name() ) if ( ${val}->has_target_name() )
@ -146,9 +146,9 @@ refine connection NTLM_Conn += {
if ( ${val}->has_target_info() ) if ( ${val}->has_target_info() )
result->Assign(3, build_av_record(${val.target_info}, ${val.target_info_fields.length})); result->Assign(3, build_av_record(${val.target_info}, ${val.target_info_fields.length}));
BifEvent::generate_ntlm_challenge(bro_analyzer(), BifEvent::enqueue_ntlm_challenge(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
result); std::move(result));
return true; return true;
%} %}
@ -158,7 +158,7 @@ refine connection NTLM_Conn += {
if ( ! ntlm_authenticate ) if ( ! ntlm_authenticate )
return true; return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Authenticate); auto result = make_intrusive<RecordVal>(BifType::Record::NTLM::Authenticate);
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() > 0 ) if ( ${val}->has_domain_name() > 0 )
@ -171,14 +171,14 @@ refine connection NTLM_Conn += {
result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data})); result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
if ( ${val}->has_encrypted_session_key() > 0 ) if ( ${val}->has_encrypted_session_key() > 0 )
result->Assign(4, bytestring_to_val(${val.encrypted_session_key.string.data})); result->Assign(4, to_stringval(${val.encrypted_session_key.string.data}));
if ( ${val}->has_version() ) if ( ${val}->has_version() )
result->Assign(5, build_version_record(${val.version})); result->Assign(5, build_version_record(${val.version}));
BifEvent::generate_ntlm_authenticate(bro_analyzer(), BifEvent::enqueue_ntlm_authenticate(bro_analyzer(),
bro_analyzer()->Conn(), bro_analyzer()->Conn(),
result); std::move(result));
return true; return true;
%} %}
} }

58
src/analyzer/protocol/ntp/ntp-analyzer.pac
View file

@ -37,7 +37,7 @@ refine flow NTP_Flow += {
%{ %{
RecordVal* rv = new RecordVal(BifType::Record::NTP::StandardMessage); RecordVal* rv = new RecordVal(BifType::Record::NTP::StandardMessage);
rv->Assign(0, val_mgr->GetCount(${nsm.stratum})); rv->Assign(0, val_mgr->Count(${nsm.stratum}));
rv->Assign(1, make_intrusive<Val>(pow(2, ${nsm.poll}), TYPE_INTERVAL)); rv->Assign(1, make_intrusive<Val>(pow(2, ${nsm.poll}), TYPE_INTERVAL));
rv->Assign(2, make_intrusive<Val>(pow(2, ${nsm.precision}), TYPE_INTERVAL)); rv->Assign(2, make_intrusive<Val>(pow(2, ${nsm.precision}), TYPE_INTERVAL));
rv->Assign(3, proc_ntp_short(${nsm.root_delay})); rv->Assign(3, proc_ntp_short(${nsm.root_delay}));
@ -46,11 +46,11 @@ refine flow NTP_Flow += {
switch ( ${nsm.stratum} ) { switch ( ${nsm.stratum} ) {
case 0: case 0:
// unknown stratum => kiss code // unknown stratum => kiss code
rv->Assign(5, bytestring_to_val(${nsm.reference_id})); rv->Assign(5, to_stringval(${nsm.reference_id}));
break; break;
case 1: case 1:
// reference clock => ref clock string // reference clock => ref clock string
rv->Assign(6, bytestring_to_val(${nsm.reference_id})); rv->Assign(6, to_stringval(${nsm.reference_id}));
break; break;
default: default:
{ {
@ -67,19 +67,19 @@ refine flow NTP_Flow += {
if ( ${nsm.mac_len} == 20 ) if ( ${nsm.mac_len} == 20 )
{ {
rv->Assign(12, val_mgr->GetCount(${nsm.mac.key_id})); rv->Assign(12, val_mgr->Count(${nsm.mac.key_id}));
rv->Assign(13, bytestring_to_val(${nsm.mac.digest})); rv->Assign(13, to_stringval(${nsm.mac.digest}));
} }
else if ( ${nsm.mac_len} == 24 ) else if ( ${nsm.mac_len} == 24 )
{ {
rv->Assign(12, val_mgr->GetCount(${nsm.mac_ext.key_id})); rv->Assign(12, val_mgr->Count(${nsm.mac_ext.key_id}));
rv->Assign(13, bytestring_to_val(${nsm.mac_ext.digest})); rv->Assign(13, to_stringval(${nsm.mac_ext.digest}));
} }
if ( ${nsm.has_exts} ) if ( ${nsm.has_exts} )
{ {
// TODO: add extension fields // TODO: add extension fields
rv->Assign(14, val_mgr->GetCount((uint32) ${nsm.exts}->size())); rv->Assign(14, val_mgr->Count((uint32) ${nsm.exts}->size()));
} }
return rv; return rv;
@ -90,21 +90,21 @@ refine flow NTP_Flow += {
%{ %{
RecordVal* rv = new RecordVal(BifType::Record::NTP::ControlMessage); RecordVal* rv = new RecordVal(BifType::Record::NTP::ControlMessage);
rv->Assign(0, val_mgr->GetCount(${ncm.OpCode})); rv->Assign(0, val_mgr->Count(${ncm.OpCode}));
rv->Assign(1, val_mgr->GetBool(${ncm.R})); rv->Assign(1, val_mgr->Bool(${ncm.R}));
rv->Assign(2, val_mgr->GetBool(${ncm.E})); rv->Assign(2, val_mgr->Bool(${ncm.E}));
rv->Assign(3, val_mgr->GetBool(${ncm.M})); rv->Assign(3, val_mgr->Bool(${ncm.M}));
rv->Assign(4, val_mgr->GetCount(${ncm.sequence})); rv->Assign(4, val_mgr->Count(${ncm.sequence}));
rv->Assign(5, val_mgr->GetCount(${ncm.status})); rv->Assign(5, val_mgr->Count(${ncm.status}));
rv->Assign(6, val_mgr->GetCount(${ncm.association_id})); rv->Assign(6, val_mgr->Count(${ncm.association_id}));
if ( ${ncm.c} > 0 ) if ( ${ncm.c} > 0 )
rv->Assign(7, bytestring_to_val(${ncm.data})); rv->Assign(7, to_stringval(${ncm.data}));
if ( ${ncm.has_control_mac} ) if ( ${ncm.has_control_mac} )
{ {
rv->Assign(8, val_mgr->GetCount(${ncm.mac.key_id})); rv->Assign(8, val_mgr->Count(${ncm.mac.key_id}));
rv->Assign(9, bytestring_to_val(${ncm.mac.crypto_checksum})); rv->Assign(9, to_stringval(${ncm.mac.crypto_checksum}));
} }
return rv; return rv;
@ -115,14 +115,14 @@ refine flow NTP_Flow += {
%{ %{
RecordVal* rv = new RecordVal(BifType::Record::NTP::Mode7Message); RecordVal* rv = new RecordVal(BifType::Record::NTP::Mode7Message);
rv->Assign(0, val_mgr->GetCount(${m7.request_code})); rv->Assign(0, val_mgr->Count(${m7.request_code}));
rv->Assign(1, val_mgr->GetBool(${m7.auth_bit})); rv->Assign(1, val_mgr->Bool(${m7.auth_bit}));
rv->Assign(2, val_mgr->GetCount(${m7.sequence})); rv->Assign(2, val_mgr->Count(${m7.sequence}));
rv->Assign(3, val_mgr->GetCount(${m7.implementation})); rv->Assign(3, val_mgr->Count(${m7.implementation}));
rv->Assign(4, val_mgr->GetCount(${m7.error_code})); rv->Assign(4, val_mgr->Count(${m7.error_code}));
if ( ${m7.data_len} > 0 ) if ( ${m7.data_len} > 0 )
rv->Assign(5, bytestring_to_val(${m7.data})); rv->Assign(5, to_stringval(${m7.data}));
return rv; return rv;
%} %}
@ -135,9 +135,9 @@ refine flow NTP_Flow += {
if ( ! ntp_message ) if ( ! ntp_message )
return false; return false;
RecordVal* rv = new RecordVal(BifType::Record::NTP::Message); auto rv = make_intrusive<RecordVal>(BifType::Record::NTP::Message);
rv->Assign(0, val_mgr->GetCount(${msg.version})); rv->Assign(0, val_mgr->Count(${msg.version}));
rv->Assign(1, val_mgr->GetCount(${msg.mode})); rv->Assign(1, val_mgr->Count(${msg.mode}));
// The standard record // The standard record
if ( ${msg.mode} >=1 && ${msg.mode} <= 5 ) if ( ${msg.mode} >=1 && ${msg.mode} <= 5 )
@ -147,9 +147,9 @@ refine flow NTP_Flow += {
else if ( ${msg.mode} == 7 ) else if ( ${msg.mode} == 7 )
rv->Assign(4, BuildNTPMode7Msg(${msg.mode7})); rv->Assign(4, BuildNTPMode7Msg(${msg.mode7}));
BifEvent::generate_ntp_message(connection()->bro_analyzer(), BifEvent::enqueue_ntp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
is_orig(), rv); is_orig(), std::move(rv));
return true; return true;
%} %}
}; };

4
src/analyzer/protocol/pia/PIA.cc
View file

@ -159,7 +159,7 @@ void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal(); EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal();
mgr.Enqueue(protocol_late_match, mgr.Enqueue(protocol_late_match,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{NewRef{}, tval} IntrusivePtr{NewRef{}, tval}
); );
} }
@ -307,7 +307,7 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal(); EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal();
mgr.Enqueue(protocol_late_match, mgr.Enqueue(protocol_late_match,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, ConnVal(),
IntrusivePtr{NewRef{}, tval} IntrusivePtr{NewRef{}, tval}
); );
} }

6
src/analyzer/protocol/pop3/POP3.cc
View file

@ -826,7 +826,7 @@ void POP3_Analyzer::StartTLS()
AddChildAnalyzer(ssl); AddChildAnalyzer(ssl);
if ( pop3_starttls ) if ( pop3_starttls )
EnqueueConnEvent(pop3_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()}); EnqueueConnEvent(pop3_starttls, ConnVal());
} }
void POP3_Analyzer::AuthSuccessfull() void POP3_Analyzer::AuthSuccessfull()
@ -919,8 +919,8 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
zeek::Args vl; zeek::Args vl;
vl.reserve(2 + (bool)arg1 + (bool)arg2); vl.reserve(2 + (bool)arg1 + (bool)arg2);
vl.emplace_back(AdoptRef{}, BuildConnVal()); vl.emplace_back(ConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(is_orig)); vl.emplace_back(val_mgr->Bool(is_orig));
if ( arg1 ) if ( arg1 )
vl.emplace_back(make_intrusive<StringVal>(arg1)); vl.emplace_back(make_intrusive<StringVal>(arg1));

31
src/analyzer/protocol/radius/radius-analyzer.pac
View file

@ -7,42 +7,41 @@ refine flow RADIUS_Flow += {
if ( ! radius_message ) if ( ! radius_message )
return false; return false;
RecordVal* result = new RecordVal(BifType::Record::RADIUS::Message); auto result = make_intrusive<RecordVal>(BifType::Record::RADIUS::Message);
result->Assign(0, val_mgr->GetCount(${msg.code})); result->Assign(0, val_mgr->Count(${msg.code}));
result->Assign(1, val_mgr->GetCount(${msg.trans_id})); result->Assign(1, val_mgr->Count(${msg.trans_id}));
result->Assign(2, bytestring_to_val(${msg.authenticator})); result->Assign(2, to_stringval(${msg.authenticator}));
if ( ${msg.attributes}->size() ) if ( ${msg.attributes}->size() )
{ {
TableVal* attributes = new TableVal({NewRef{}, BifType::Table::RADIUS::Attributes}); TableVal* attributes = new TableVal({NewRef{}, BifType::Table::RADIUS::Attributes});
for ( uint i = 0; i < ${msg.attributes}->size(); ++i ) { for ( uint i = 0; i < ${msg.attributes}->size(); ++i )
Val* index = val_mgr->GetCount(${msg.attributes[i].code}); {
auto index = val_mgr->Count(${msg.attributes[i].code});
// Do we already have a vector of attributes for this type? // Do we already have a vector of attributes for this type?
auto current = attributes->Lookup(index); auto current = attributes->Lookup(index.get());
Val* val = bytestring_to_val(${msg.attributes[i].value}); IntrusivePtr<Val> val = to_stringval(${msg.attributes[i].value});
if ( current ) if ( current )
{ {
VectorVal* vcurrent = current->AsVectorVal(); VectorVal* vcurrent = current->AsVectorVal();
vcurrent->Assign(vcurrent->Size(), val); vcurrent->Assign(vcurrent->Size(), std::move(val));
} }
else else
{ {
VectorVal* attribute_list = new VectorVal(BifType::Vector::RADIUS::AttributeList); VectorVal* attribute_list = new VectorVal(BifType::Vector::RADIUS::AttributeList);
attribute_list->Assign((unsigned int)0, val); attribute_list->Assign((unsigned int)0, std::move(val));
attributes->Assign(index, attribute_list); attributes->Assign(index.get(), attribute_list);
} }
Unref(index);
} }
result->Assign(3, attributes); result->Assign(3, attributes);
} }
BifEvent::generate_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result); BifEvent::enqueue_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), std::move(result));
return true; return true;
%} %}
@ -51,8 +50,8 @@ refine flow RADIUS_Flow += {
if ( ! radius_attribute ) if ( ! radius_attribute )
return false; return false;
BifEvent::generate_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), BifEvent::enqueue_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
${attr.code}, bytestring_to_val(${attr.value})); ${attr.code}, to_stringval(${attr.value}));
return true; return true;
%} %}
}; };

Some files were not shown because too many files have changed in this diff Show more