Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge branch 'master' into topic/jsiwek/fuzzing

Browse source
This commit is contained in:
Jon Siwek 2020-04-28 17:25:32 -07:00
commit d533212a6a
218 changed files with 3816 additions and 3557 deletions
Download patch file Download diff file Expand all files Collapse all files

82
CHANGES
View file

@ -1,4 +1,86 @@
3.2.0-dev.443 | 2020-04-28 17:10:38 -0700
* GH-941: Fix build when configured to use libmaxminddb (Jon Siwek, Corelight)
3.2.0-dev.441 | 2020-04-27 13:34:22 -0700
* Fix a few more IntrusivePtr deprecation warnings (Tim Wojtulewicz, Corelight)
* Fix cloning of TypeType values (Vern Paxson, Corelight)
3.2.0-dev.437 | 2020-04-27 19:30:24 +0000
* GH-854: provide access to original HTTP/MIME header names
The "http_header" event now has an "original_name" parameter that allows
access to the original header name (the "name" parameter reamins the
same as before: it's the uppercased header name).
The "mime_header_rec" record type now also includes an "original_name"
field to similarly provide access to original header name in the
following events: "http_all_headers", "mime_one_header", and
"mime_all_headers". (Jon Siwek, Corelight)
* Remove error message from empty bloomfilter lookups
If a bloomfilter doesn't have a type, that just means no
bloomfilter_add() has been called yet, so seems undesirable to emit an
error for a lookup against something that's known to be empty. (Jon Siwek, Corelight)
* unused variables found via use-def analysis (plus an indentation micro-nit) (Vern Paxson, Corelight)
3.2.0-dev.431 | 2020-04-27 12:09:30 -0700
* Update various BIFs to return IntrusivePtr (Jon Siwek, Corelight)
3.2.0-dev.428 | 2020-04-24 16:19:45 -0700
* Deprecate returning Val* from BIFs (Jon Siwek, Corelight)
* Deprecate binpac::string_to_val (Jon Siwek, Corelight)
* Deprecate binpac::bytestring_to_val, replace with binpac::to_stringval (Jon Siwek, Corelight)
* Update deprecated BifEvent::generate_* usages (Jon Siwek, Corelight)
* Deprecate Connection::Event and Analyzer::Event methods
And update usages to the "EnqueueEvent" methods. (Jon Siwek, Corelight)
* Deprecate BuildConnVal() methods and update usages to ConnVal()
The later being a new method that returns IntrusivePtr (Jon Siwek, Corelight)
* Update all BIFs to return IntrusivePtr instead of Val* (Jon Siwek, Corelight)
* Update deprecated ValManager::GetPort usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetEmptyString usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetCount usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetInt usages (Jon Siwek, Corelight)
* Update deprecated ValManager::GetBool usages (Jon Siwek, Corelight)
* Update deprecated ValManager GetTrue/GetFalse usages (Jon Siwek, Corelight)
* Deprecate all ValManager "Get" methods
Alternate methods that return IntrusivePtr are available in similarly
named methods that omit the "Get" prefix. (Jon Siwek, Corelight)
* Change BIFs to return a wrapper object
That allows returning either Val* or IntrusivePtr<T>. The former could
eventually be deprecated, but it's used extensively at the moment. (Jon Siwek, Corelight)
3.2.0-dev.412 | 2020-04-22 10:43:39 -0700
* Fix buffer over-read in Ident analyzer (Max Kellermann)
3.2.0-dev.410 | 2020-04-21 10:25:29 -0700
* Remove "connection_external" event (Johanna Amann, Corelight)

21
NEWS
View file

@ -96,7 +96,7 @@ Deprecated Functionality
- The ``EventMgr::QueueEvent()`` and EventMgr::QueueEventFast()`` methods
are now deprecated, use ``EventMgr::Enqueue()`` instead.
- The ``Connection::ConnectionEvent()`` and
- The ``Connection::ConnectionEvent()``, ``Connection::Event()``, and
``Connection::ConnectionEventFast()`` methods are now deprecated, use
``Connection::EnqueueEvent()`` instead.
@ -104,10 +104,25 @@ Deprecated Functionality
arguments are now deprecated, use the overload that takes a ``zeek::Args``
instead.
- The ``analyzer::Analyzer::ConnectionEvent()`` and
``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
- The ``analyzer::Analyzer::ConnectionEvent()``, ``analyzer::Analyzer::Event``,
and ``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
``analyzer::Analyzer::EnqueueConnEvent()`` instead.
- All ``val_mgr`` methods starting with "Get" are deprecated, use the new
``val_mgr`` methods that return ``IntrusivePtr``.
- ``Connection::BuildConnVal()`` is deprecated, use ``Connection::ConnVal()``.
- ``Analyzer::BuildConnVal()`` is deprecated, use ``Analyzer::ConnVal()``.
- ``BifEvent::generate_`` functions are deprecated, use ``BifEvent::enqueue_``.
- ``binpac::bytestring_to_val()`` is deprecated, use ``binpac::to_stringval()``.
- ``binpac::string_to_val()`` is deprecated, use ``StringVal`` constructor.
- Returning ``Val*`` from BIFs is deprecated, return ``IntrusivePtr`` instead.
Zeek 3.1.0
==========

2
VERSION
View file

@ -1 +1 @@
3.2.0-dev.410
3.2.0-dev.443

2
aux/bifcl

@ -1 +1 @@
Subproject commit 66b4b30305237f48535276a00a52ca304659400b
Subproject commit 9918f94bd90e77dfc75bc50c2c0da644f292e262

2
aux/btest

@ -1 +1 @@
Subproject commit 87896050d7ac189f0e063bb90c3fa37a6c977f83
Subproject commit 0528e8bc8e6e0108ec2f752896b2aa8b5dd949dd

2
doc

@ -1 +1 @@
Subproject commit 7b59ef1ab823a77dff78991b6a8808be5ba9072d
Subproject commit e862aa7a89c044e7eea96671d9b832a5dfccbf56

1
scripts/base/frameworks/cluster/setup-connections.zeek
View file

@ -28,7 +28,6 @@ function connect_peer(node_type: NodeType, node_name: string)
function connect_peers_with_type(node_type: NodeType)
{
local rval: vector of NamedNode = vector();
local nn = nodes_with_type(node_type);
for ( i in nn )

2
scripts/base/frameworks/netcontrol/main.zeek
View file

@ -731,7 +731,7 @@ function find_rules_subnet(sn: subnet) : vector of Rule
{
local sn_entry = matches[m];
local rule_ids = rules_by_subnets[sn_entry];
for ( rule_id in rules_by_subnets[sn_entry] )
for ( rule_id in rule_ids )
{
if ( rule_id in rules )
ret += rules[rule_id];

2
scripts/base/frameworks/netcontrol/plugins/openflow.zeek
View file

@ -195,7 +195,7 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat
return openflow_match_pred(p, e, v);
}
local proto = OpenFlow::IP_TCP;
# local proto = OpenFlow::IP_TCP;
if ( e$ty == FLOW )
{

3
scripts/base/init-bare.zeek
View file

@ -2076,7 +2076,8 @@ global login_timeouts: set[string] &redef;
##
## .. zeek:see:: mime_header_list http_all_headers mime_all_headers mime_one_header
type mime_header_rec: record {
name: string; ##< The header name.
original_name: string; ##< The header name (unaltered).
name: string; ##< The header name (converted to all upper-case).
value: string; ##< The header value.
};

3
scripts/base/protocols/smtp/main.zeek
View file

@ -336,5 +336,6 @@ function describe(rec: Info): string
(|rec$rcptto|>1 ? fmt(" (plus %d others)", |rec$rcptto|-1) : ""),
(abbrev_subject != "" ? fmt(": %s", abbrev_subject) : ""));
}
return "";
return "";
}

5
scripts/base/utils/addrs.zeek
View file

@ -70,11 +70,10 @@ const ip_addr_regex = ipv4_addr_regex | ipv6_addr_regex;
## Returns: T if every element is between 0 and 255, inclusive, else F.
function has_valid_octets(octets: string_vec): bool
{
local num = 0;
for ( i in octets )
{
num = to_count(octets[i]);
if ( num < 0 || 255 < num )
local num = to_count(octets[i]);
if ( 255 < num )
return F;
}
return T;

8
src/CompHash.cc
View file

@ -768,9 +768,9 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
if ( tag == TYPE_ENUM )
*pval = t->AsEnumType()->GetVal(*kp);
else if ( tag == TYPE_BOOL )
*pval = {AdoptRef{}, val_mgr->GetBool(*kp)};
*pval = val_mgr->Bool(*kp);
else if ( tag == TYPE_INT )
*pval = {AdoptRef{}, val_mgr->GetInt(*kp)};
*pval = val_mgr->Int(*kp);
else
{
reporter->InternalError("bad internal unsigned int in CompositeHash::RecoverOneVal()");
@ -787,11 +787,11 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
switch ( tag ) {
case TYPE_COUNT:
case TYPE_COUNTER:
*pval = {AdoptRef{}, val_mgr->GetCount(*kp)};
*pval = val_mgr->Count(*kp);
break;
case TYPE_PORT:
*pval = {AdoptRef{}, val_mgr->GetPort(*kp)};
*pval = val_mgr->Port(*kp);
break;
default:

95
src/Conn.cc
View file

@ -90,7 +90,6 @@ Connection::Connection(NetSessions* s, const ConnIDKey& k, double t, const ConnI
vlan = pkt->vlan;
inner_vlan = pkt->inner_vlan;
conn_val = nullptr;
login_conn = nullptr;
is_active = 1;
@ -131,10 +130,7 @@ Connection::~Connection()
CancelTimers();
if ( conn_val )
{
conn_val->SetOrigin(nullptr);
Unref(conn_val);
}
delete root_analyzer;
delete encapsulation;
@ -148,7 +144,10 @@ void Connection::CheckEncapsulation(const EncapsulationStack* arg_encap)
{
if ( *encapsulation != *arg_encap )
{
Event(tunnel_changed, nullptr, arg_encap->GetVectorVal());
if ( tunnel_changed )
EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
IntrusivePtr{AdoptRef{}, arg_encap->GetVectorVal()});
delete encapsulation;
encapsulation = new EncapsulationStack(*arg_encap);
}
@ -156,15 +155,23 @@ void Connection::CheckEncapsulation(const EncapsulationStack* arg_encap)
else if ( encapsulation )
{
EncapsulationStack empty;
Event(tunnel_changed, nullptr, empty.GetVectorVal());
if ( tunnel_changed )
{
EncapsulationStack empty;
EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
IntrusivePtr{AdoptRef{}, empty.GetVectorVal()});
}
delete encapsulation;
encapsulation = nullptr;
}
else if ( arg_encap )
{
Event(tunnel_changed, nullptr, arg_encap->GetVectorVal());
if ( tunnel_changed )
EnqueueEvent(tunnel_changed, nullptr, ConnVal(),
IntrusivePtr{AdoptRef{}, arg_encap->GetVectorVal()});
encapsulation = new EncapsulationStack(*arg_encap);
}
}
@ -203,7 +210,7 @@ void Connection::NextPacket(double t, bool is_orig,
is_successful = true;
if ( ! was_successful && is_successful && connection_successful )
EnqueueEvent(connection_successful, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueEvent(connection_successful, nullptr, ConnVal());
}
else
last_time = t;
@ -260,9 +267,9 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
return;
EnqueueEvent(e, nullptr,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)}
ConnVal(),
val_mgr->Bool(is_orig),
val_mgr->Count(threshold)
);
}
@ -323,30 +330,35 @@ void Connection::EnableStatusUpdateTimer()
void Connection::StatusUpdateTimer(double t)
{
EnqueueEvent(connection_status_update, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueEvent(connection_status_update, nullptr, ConnVal());
ADD_TIMER(&Connection::StatusUpdateTimer,
network_time + connection_status_update_interval, 0,
TIMER_CONN_STATUS_UPDATE);
}
RecordVal* Connection::BuildConnVal()
{
return ConnVal()->Ref()->AsRecordVal();
}
const IntrusivePtr<RecordVal>& Connection::ConnVal()
{
if ( ! conn_val )
{
conn_val = new RecordVal(connection_type);
conn_val = make_intrusive<RecordVal>(connection_type);
TransportProto prot_type = ConnTransport();
auto id_val = make_intrusive<RecordVal>(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(orig_addr));
id_val->Assign(1, val_mgr->GetPort(ntohs(orig_port), prot_type));
id_val->Assign(1, val_mgr->Port(ntohs(orig_port), prot_type));
id_val->Assign(2, make_intrusive<AddrVal>(resp_addr));
id_val->Assign(3, val_mgr->GetPort(ntohs(resp_port), prot_type));
id_val->Assign(3, val_mgr->Port(ntohs(resp_port), prot_type));
auto orig_endp = make_intrusive<RecordVal>(endpoint);
orig_endp->Assign(0, val_mgr->GetCount(0));
orig_endp->Assign(1, val_mgr->GetCount(0));
orig_endp->Assign(4, val_mgr->GetCount(orig_flow_label));
orig_endp->Assign(0, val_mgr->Count(0));
orig_endp->Assign(1, val_mgr->Count(0));
orig_endp->Assign(4, val_mgr->Count(orig_flow_label));
const int l2_len = sizeof(orig_l2_addr);
char null[l2_len]{};
@ -355,9 +367,9 @@ RecordVal* Connection::BuildConnVal()
orig_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(orig_l2_addr, l2_len)));
auto resp_endp = make_intrusive<RecordVal>(endpoint);
resp_endp->Assign(0, val_mgr->GetCount(0));
resp_endp->Assign(1, val_mgr->GetCount(0));
resp_endp->Assign(4, val_mgr->GetCount(resp_flow_label));
resp_endp->Assign(0, val_mgr->Count(0));
resp_endp->Assign(1, val_mgr->Count(0));
resp_endp->Assign(4, val_mgr->Count(resp_flow_label));
if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 )
resp_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(resp_l2_addr, l2_len)));
@ -367,7 +379,7 @@ RecordVal* Connection::BuildConnVal()
conn_val->Assign(2, std::move(resp_endp));
// 3 and 4 are set below.
conn_val->Assign(5, make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set})); // service
conn_val->Assign(6, val_mgr->GetEmptyString()); // history
conn_val->Assign(6, val_mgr->EmptyString()); // history
if ( ! uid )
uid.Set(bits_per_uid);
@ -378,25 +390,23 @@ RecordVal* Connection::BuildConnVal()
conn_val->Assign(8, encapsulation->GetVectorVal());
if ( vlan != 0 )
conn_val->Assign(9, val_mgr->GetInt(vlan));
conn_val->Assign(9, val_mgr->Int(vlan));
if ( inner_vlan != 0 )
conn_val->Assign(10, val_mgr->GetInt(inner_vlan));
conn_val->Assign(10, val_mgr->Int(inner_vlan));
}
if ( root_analyzer )
root_analyzer->UpdateConnVal(conn_val);
root_analyzer->UpdateConnVal(conn_val.get());
conn_val->Assign(3, make_intrusive<Val>(start_time, TYPE_TIME)); // ###
conn_val->Assign(4, make_intrusive<Val>(last_time - start_time, TYPE_INTERVAL));
conn_val->Assign(6, make_intrusive<StringVal>(history.c_str()));
conn_val->Assign(11, val_mgr->GetBool(is_successful));
conn_val->Assign(11, val_mgr->Bool(is_successful));
conn_val->SetOrigin(this);
Ref(conn_val);
return conn_val;
}
@ -417,12 +427,12 @@ analyzer::Analyzer* Connection::FindAnalyzer(const char* name)
void Connection::AppendAddl(const char* str)
{
Unref(BuildConnVal());
const auto& cv = ConnVal();
const char* old = conn_val->Lookup(6)->AsString()->CheckString();
const char* old = cv->Lookup(6)->AsString()->CheckString();
const char* format = *old ? "%s %s" : "%s%s";
conn_val->Assign(6, make_intrusive<StringVal>(fmt(format, old, str)));
cv->Assign(6, make_intrusive<StringVal>(fmt(format, old, str)));
}
// Returns true if the character at s separates a version number.
@ -446,7 +456,7 @@ void Connection::Match(Rule::PatternType type, const u_char* data, int len, bool
void Connection::RemovalEvent()
{
auto cv = IntrusivePtr{AdoptRef{}, BuildConnVal()};
auto cv = ConnVal();
if ( connection_state_remove )
EnqueueEvent(connection_state_remove, nullptr, cv);
@ -461,9 +471,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch
return;
if ( name )
EnqueueEvent(f, analyzer, make_intrusive<StringVal>(name), IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueEvent(f, analyzer, make_intrusive<StringVal>(name), ConnVal());
else
EnqueueEvent(f, analyzer, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueEvent(f, analyzer, ConnVal());
}
void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2)
@ -477,12 +487,12 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1,
if ( v2 )
EnqueueEvent(f, analyzer,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, v1},
IntrusivePtr{AdoptRef{}, v2});
else
EnqueueEvent(f, analyzer,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, v1});
}
@ -590,7 +600,6 @@ void Connection::FlipRoles()
resp_flow_label = orig_flow_label;
orig_flow_label = tmp_flow;
Unref(conn_val);
conn_val = nullptr;
if ( root_analyzer )
@ -690,17 +699,17 @@ void Connection::CheckFlowLabel(bool is_orig, uint32_t flow_label)
if ( conn_val )
{
RecordVal *endp = conn_val->Lookup(is_orig ? 1 : 2)->AsRecordVal();
endp->Assign(4, val_mgr->GetCount(flow_label));
endp->Assign(4, val_mgr->Count(flow_label));
}
if ( connection_flow_label_changed &&
(is_orig ? saw_first_orig_packet : saw_first_resp_packet) )
{
EnqueueEvent(connection_flow_label_changed, nullptr,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(my_flow_label)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flow_label)}
ConnVal(),
val_mgr->Bool(is_orig),
val_mgr->Count(my_flow_label),
val_mgr->Count(flow_label)
);
}

12
src/Conn.h
View file

@ -163,7 +163,14 @@ public:
// Activate connection_status_update timer.
void EnableStatusUpdateTimer();
[[deprecated("Remove in v4.1. Use ConnVal() instead.")]]
RecordVal* BuildConnVal();
/**
* Returns the associated "connection" record.
*/
const IntrusivePtr<RecordVal>& ConnVal();
void AppendAddl(const char* str);
LoginConn* AsLoginConn() { return login_conn; }
@ -186,6 +193,7 @@ public:
// 'v1' and 'v2' reference counts get decremented. The event's first
// argument is the connection value, second argument is 'v1', and if 'v2'
// is given that will be it's third argument.
[[deprecated("Remove in v4.1. Use EnqueueEvent() instead (note it doesn't automatically add the connection argument).")]]
void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = nullptr);
// If a handler exists for 'f', an event will be generated. In any case,
@ -316,8 +324,6 @@ public:
protected:
Connection() { }
// Add the given timer to expire at time t. If do_expire
// is true, then the timer is also evaluated when Bro terminates,
// otherwise not.
@ -349,7 +355,7 @@ protected:
u_char resp_l2_addr[Packet::l2_addr_len]; // Link-layer responder address, if available
double start_time, last_time;
double inactivity_timeout;
RecordVal* conn_val;
IntrusivePtr<RecordVal> conn_val;
LoginConn* login_conn; // either nil, or this
const EncapsulationStack* encapsulation; // tunnels
int suppress_event; // suppress certain events to once per conn.

2
src/DNS_Mgr.cc
View file

@ -738,7 +738,7 @@ IntrusivePtr<Val> DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
r->Assign(0, make_intrusive<Val>(dm->CreationTime(), TYPE_TIME));
r->Assign(1, make_intrusive<StringVal>(dm->ReqHost() ? dm->ReqHost() : ""));
r->Assign(2, make_intrusive<AddrVal>(dm->ReqAddr()));
r->Assign(3, val_mgr->GetBool(dm->Valid()));
r->Assign(3, val_mgr->Bool(dm->Valid()));
auto h = dm->Host();
r->Assign(4, h ? h.release() : new StringVal("<none>"));

48
src/Expr.cc
View file

@ -682,11 +682,11 @@ IntrusivePtr<Val> BinaryExpr::Fold(Val* v1, Val* v2) const
else if ( ret_type->InternalType() == TYPE_INTERNAL_DOUBLE )
return make_intrusive<Val>(d3, ret_type->Tag());
else if ( ret_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
return {AdoptRef{}, val_mgr->GetCount(u3)};
return val_mgr->Count(u3);
else if ( ret_type->Tag() == TYPE_BOOL )
return {AdoptRef{}, val_mgr->GetBool(i3)};
return val_mgr->Bool(i3);
else
return {AdoptRef{}, val_mgr->GetInt(i3)};
return val_mgr->Int(i3);
}
IntrusivePtr<Val> BinaryExpr::StringFold(Val* v1, Val* v2) const
@ -720,7 +720,7 @@ IntrusivePtr<Val> BinaryExpr::StringFold(Val* v1, Val* v2) const
BadTag("BinaryExpr::StringFold", expr_name(tag));
}
return {AdoptRef{}, val_mgr->GetBool(result)};
return val_mgr->Bool(result);
}
@ -796,7 +796,7 @@ IntrusivePtr<Val> BinaryExpr::SetFold(Val* v1, Val* v2) const
return nullptr;
}
return {AdoptRef{}, val_mgr->GetBool(res)};
return val_mgr->Bool(res);
}
IntrusivePtr<Val> BinaryExpr::AddrFold(Val* v1, Val* v2) const
@ -830,7 +830,7 @@ IntrusivePtr<Val> BinaryExpr::AddrFold(Val* v1, Val* v2) const
BadTag("BinaryExpr::AddrFold", expr_name(tag));
}
return {AdoptRef{}, val_mgr->GetBool(result)};
return val_mgr->Bool(result);
}
IntrusivePtr<Val> BinaryExpr::SubNetFold(Val* v1, Val* v2) const
@ -843,7 +843,7 @@ IntrusivePtr<Val> BinaryExpr::SubNetFold(Val* v1, Val* v2) const
if ( tag == EXPR_NE )
result = ! result;
return {AdoptRef{}, val_mgr->GetBool(result)};
return val_mgr->Bool(result);
}
void BinaryExpr::SwapOps()
@ -958,9 +958,9 @@ IntrusivePtr<Val> IncrExpr::DoSingleEval(Frame* f, Val* v) const
ret_type = Type()->YieldType();
if ( ret_type->Tag() == TYPE_INT )
return {AdoptRef{}, val_mgr->GetInt(k)};
return val_mgr->Int(k);
else
return {AdoptRef{}, val_mgr->GetCount(k)};
return val_mgr->Count(k);
}
@ -1018,7 +1018,7 @@ ComplementExpr::ComplementExpr(IntrusivePtr<Expr> arg_op)
IntrusivePtr<Val> ComplementExpr::Fold(Val* v) const
{
return {AdoptRef{}, val_mgr->GetCount(~ v->InternalUnsigned())};
return val_mgr->Count(~ v->InternalUnsigned());
}
NotExpr::NotExpr(IntrusivePtr<Expr> arg_op)
@ -1037,7 +1037,7 @@ NotExpr::NotExpr(IntrusivePtr<Expr> arg_op)
IntrusivePtr<Val> NotExpr::Fold(Val* v) const
{
return {AdoptRef{}, val_mgr->GetBool(! v->InternalInt())};
return val_mgr->Bool(! v->InternalInt());
}
PosExpr::PosExpr(IntrusivePtr<Expr> arg_op)
@ -1075,7 +1075,7 @@ IntrusivePtr<Val> PosExpr::Fold(Val* v) const
if ( t == TYPE_DOUBLE || t == TYPE_INTERVAL || t == TYPE_INT )
return {NewRef{}, v};
else
return {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())};
return val_mgr->Int(v->CoerceToInt());
}
NegExpr::NegExpr(IntrusivePtr<Expr> arg_op)
@ -1113,7 +1113,7 @@ IntrusivePtr<Val> NegExpr::Fold(Val* v) const
else if ( v->Type()->Tag() == TYPE_INTERVAL )
return make_intrusive<IntervalVal>(- v->InternalDouble(), 1.0);
else
return {AdoptRef{}, val_mgr->GetInt(- v->CoerceToInt())};
return val_mgr->Int(- v->CoerceToInt());
}
SizeExpr::SizeExpr(IntrusivePtr<Expr> arg_op)
@ -1620,7 +1620,7 @@ IntrusivePtr<Val> BoolExpr::Eval(Frame* f) const
(! op1->IsZero() && ! op2->IsZero()) :
(! op1->IsZero() || ! op2->IsZero());
result->Assign(i, val_mgr->GetBool(local_result));
result->Assign(i, val_mgr->Bool(local_result));
}
else
result->Assign(i, nullptr);
@ -1775,9 +1775,9 @@ IntrusivePtr<Val> EqExpr::Fold(Val* v1, Val* v2) const
RE_Matcher* re = v1->AsPattern();
const BroString* s = v2->AsString();
if ( tag == EXPR_EQ )
return {AdoptRef{}, val_mgr->GetBool(re->MatchExactly(s))};
return val_mgr->Bool(re->MatchExactly(s));
else
return {AdoptRef{}, val_mgr->GetBool(! re->MatchExactly(s))};
return val_mgr->Bool(! re->MatchExactly(s));
}
else
@ -2972,7 +2972,7 @@ HasFieldExpr::~HasFieldExpr()
IntrusivePtr<Val> HasFieldExpr::Fold(Val* v) const
{
auto rv = v->AsRecordVal();
return {AdoptRef{}, val_mgr->GetBool(rv->Lookup(field))};
return val_mgr->Bool(rv->Lookup(field));
}
void HasFieldExpr::ExprDescribe(ODesc* d) const
@ -3485,10 +3485,10 @@ IntrusivePtr<Val> ArithCoerceExpr::FoldSingleVal(Val* v, InternalTypeTag t) cons
return make_intrusive<Val>(v->CoerceToDouble(), TYPE_DOUBLE);
case TYPE_INTERNAL_INT:
return {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())};
return val_mgr->Int(v->CoerceToInt());
case TYPE_INTERNAL_UNSIGNED:
return {AdoptRef{}, val_mgr->GetCount(v->CoerceToUnsigned())};
return val_mgr->Count(v->CoerceToUnsigned());
default:
RuntimeErrorWithCallStack("bad type in CoerceExpr::Fold");
@ -4024,7 +4024,7 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
{
RE_Matcher* re = v1->AsPattern();
const BroString* s = v2->AsString();
return {AdoptRef{}, val_mgr->GetBool(re->MatchAnywhere(s) != 0)};
return val_mgr->Bool(re->MatchAnywhere(s) != 0);
}
if ( v2->Type()->Tag() == TYPE_STRING )
@ -4035,12 +4035,12 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
// Could do better here e.g. Boyer-Moore if done repeatedly.
auto s = reinterpret_cast<const unsigned char*>(s1->CheckString());
auto res = strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s) != -1;
return {AdoptRef{}, val_mgr->GetBool(res)};
return val_mgr->Bool(res);
}
if ( v1->Type()->Tag() == TYPE_ADDR &&
v2->Type()->Tag() == TYPE_SUBNET )
return {AdoptRef{}, val_mgr->GetBool(v2->AsSubNetVal()->Contains(v1->AsAddr()))};
return val_mgr->Bool(v2->AsSubNetVal()->Contains(v1->AsAddr()));
bool res;
@ -4049,7 +4049,7 @@ IntrusivePtr<Val> InExpr::Fold(Val* v1, Val* v2) const
else
res = (bool)v2->AsTableVal()->Lookup(v1, false);
return {AdoptRef{}, val_mgr->GetBool(res)};
return val_mgr->Bool(res);
}
CallExpr::CallExpr(IntrusivePtr<Expr> arg_func,
@ -4906,7 +4906,7 @@ IntrusivePtr<Val> IsExpr::Fold(Val* v) const
if ( IsError() )
return nullptr;
return {AdoptRef{}, val_mgr->GetBool(can_cast_value_to_type(v, t.get()))};
return val_mgr->Bool(can_cast_value_to_type(v, t.get()));
}
void IsExpr::ExprDescribe(ODesc* d) const

15
src/Func.cc
View file

@ -321,7 +321,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
{
// Can only happen for events and hooks.
assert(Flavor() == FUNC_FLAVOR_EVENT || Flavor() == FUNC_FLAVOR_HOOK);
return Flavor() == FUNC_FLAVOR_HOOK ? IntrusivePtr{AdoptRef{}, val_mgr->GetTrue()} : nullptr;
return Flavor() == FUNC_FLAVOR_HOOK ? val_mgr->True() : nullptr;
}
auto f = make_intrusive<Frame>(frame_size, this, &args);
@ -407,7 +407,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
if ( flow == FLOW_BREAK )
{
// Short-circuit execution of remaining hook handler bodies.
result = {AdoptRef{}, val_mgr->GetFalse()};
result = val_mgr->False();
break;
}
}
@ -418,7 +418,7 @@ IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
if ( Flavor() == FUNC_FLAVOR_HOOK )
{
if ( ! result )
result = {AdoptRef{}, val_mgr->GetTrue()};
result = val_mgr->True();
}
// Warn if the function returns something, but we returned from
@ -633,7 +633,7 @@ IntrusivePtr<Val> BuiltinFunc::Call(const zeek::Args& args, Frame* parent) const
const CallExpr* call_expr = parent ? parent->GetCall() : nullptr;
call_stack.emplace_back(CallInfo{call_expr, this, args});
IntrusivePtr<Val> result{AdoptRef{}, func(parent, &args)};
auto result = std::move(func(parent, &args).rval);
call_stack.pop_back();
if ( result && g_trace_state.DoTrace() )
@ -890,3 +890,10 @@ function_ingredients::~function_ingredients()
delete inits;
}
BifReturnVal::BifReturnVal(std::nullptr_t) noexcept
{ }
BifReturnVal::BifReturnVal(Val* v) noexcept
: rval(AdoptRef{}, v)
{ }

27
src/Func.h
View file

@ -188,7 +188,32 @@ private:
bool weak_closure_ref = false;
};
using built_in_func = Val* (*)(Frame* frame, const zeek::Args* args);
/**
* A simple wrapper class to use for the return value of BIFs so that
* they may return either a Val* or IntrusivePtr<Val> (the former could
* potentially be deprecated).
*/
class BifReturnVal {
public:
template <typename T>
BifReturnVal(IntrusivePtr<T> v) noexcept
: rval(AdoptRef{}, v.release())
{ }
BifReturnVal(std::nullptr_t) noexcept;
[[deprecated("Remove in v4.1. Return an IntrusivePtr instead.")]]
BifReturnVal(Val* v) noexcept;
private:
friend class BuiltinFunc;
IntrusivePtr<Val> rval;
};
using built_in_func = BifReturnVal (*)(Frame* frame, const zeek::Args* args);
class BuiltinFunc final : public Func {
public:

158
src/IP.cc
View file

@ -50,13 +50,13 @@ static VectorVal* BuildOptionsVal(const u_char* data, int len)
{
const struct ip6_opt* opt = (const struct ip6_opt*) data;
RecordVal* rv = new RecordVal(hdrType(ip6_option_type, "ip6_option"));
rv->Assign(0, val_mgr->GetCount(opt->ip6o_type));
rv->Assign(0, val_mgr->Count(opt->ip6o_type));
if ( opt->ip6o_type == 0 )
{
// Pad1 option
rv->Assign(1, val_mgr->GetCount(0));
rv->Assign(2, val_mgr->GetEmptyString());
rv->Assign(1, val_mgr->Count(0));
rv->Assign(2, val_mgr->EmptyString());
data += sizeof(uint8_t);
len -= sizeof(uint8_t);
}
@ -64,7 +64,7 @@ static VectorVal* BuildOptionsVal(const u_char* data, int len)
{
// PadN or other option
uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(1, val_mgr->GetCount(opt->ip6o_len));
rv->Assign(1, val_mgr->Count(opt->ip6o_len));
rv->Assign(2, make_intrusive<StringVal>(
new BroString(data + off, opt->ip6o_len, true)));
data += opt->ip6o_len + off;
@ -86,11 +86,11 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_hdr_type, "ip6_hdr"));
const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data;
rv->Assign(0, val_mgr->GetCount((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20));
rv->Assign(1, val_mgr->GetCount(ntohl(ip6->ip6_flow) & 0x000fffff));
rv->Assign(2, val_mgr->GetCount(ntohs(ip6->ip6_plen)));
rv->Assign(3, val_mgr->GetCount(ip6->ip6_nxt));
rv->Assign(4, val_mgr->GetCount(ip6->ip6_hlim));
rv->Assign(0, val_mgr->Count((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20));
rv->Assign(1, val_mgr->Count(ntohl(ip6->ip6_flow) & 0x000fffff));
rv->Assign(2, val_mgr->Count(ntohs(ip6->ip6_plen)));
rv->Assign(3, val_mgr->Count(ip6->ip6_nxt));
rv->Assign(4, val_mgr->Count(ip6->ip6_hlim));
rv->Assign(5, make_intrusive<AddrVal>(IPAddr(ip6->ip6_src)));
rv->Assign(6, make_intrusive<AddrVal>(IPAddr(ip6->ip6_dst)));
if ( ! chain )
@ -104,8 +104,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_hopopts_type, "ip6_hopopts"));
const struct ip6_hbh* hbh = (const struct ip6_hbh*)data;
rv->Assign(0, val_mgr->GetCount(hbh->ip6h_nxt));
rv->Assign(1, val_mgr->GetCount(hbh->ip6h_len));
rv->Assign(0, val_mgr->Count(hbh->ip6h_nxt));
rv->Assign(1, val_mgr->Count(hbh->ip6h_len));
uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
@ -116,8 +116,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_dstopts_type, "ip6_dstopts"));
const struct ip6_dest* dst = (const struct ip6_dest*)data;
rv->Assign(0, val_mgr->GetCount(dst->ip6d_nxt));
rv->Assign(1, val_mgr->GetCount(dst->ip6d_len));
rv->Assign(0, val_mgr->Count(dst->ip6d_nxt));
rv->Assign(1, val_mgr->Count(dst->ip6d_len));
uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
}
@ -127,10 +127,10 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_routing_type, "ip6_routing"));
const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data;
rv->Assign(0, val_mgr->GetCount(rt->ip6r_nxt));
rv->Assign(1, val_mgr->GetCount(rt->ip6r_len));
rv->Assign(2, val_mgr->GetCount(rt->ip6r_type));
rv->Assign(3, val_mgr->GetCount(rt->ip6r_segleft));
rv->Assign(0, val_mgr->Count(rt->ip6r_nxt));
rv->Assign(1, val_mgr->Count(rt->ip6r_len));
rv->Assign(2, val_mgr->Count(rt->ip6r_type));
rv->Assign(3, val_mgr->Count(rt->ip6r_segleft));
uint16_t off = 4 * sizeof(uint8_t);
rv->Assign(4, make_intrusive<StringVal>(new BroString(data + off, Length() - off, true)));
}
@ -140,28 +140,28 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_fragment_type, "ip6_fragment"));
const struct ip6_frag* frag = (const struct ip6_frag*)data;
rv->Assign(0, val_mgr->GetCount(frag->ip6f_nxt));
rv->Assign(1, val_mgr->GetCount(frag->ip6f_reserved));
rv->Assign(2, val_mgr->GetCount((ntohs(frag->ip6f_offlg) & 0xfff8)>>3));
rv->Assign(3, val_mgr->GetCount((ntohs(frag->ip6f_offlg) & 0x0006)>>1));
rv->Assign(4, val_mgr->GetBool(ntohs(frag->ip6f_offlg) & 0x0001));
rv->Assign(5, val_mgr->GetCount(ntohl(frag->ip6f_ident)));
rv->Assign(0, val_mgr->Count(frag->ip6f_nxt));
rv->Assign(1, val_mgr->Count(frag->ip6f_reserved));
rv->Assign(2, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0xfff8)>>3));
rv->Assign(3, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0x0006)>>1));
rv->Assign(4, val_mgr->Bool(ntohs(frag->ip6f_offlg) & 0x0001));
rv->Assign(5, val_mgr->Count(ntohl(frag->ip6f_ident)));
}
break;
case IPPROTO_AH:
{
rv = new RecordVal(hdrType(ip6_ah_type, "ip6_ah"));
rv->Assign(0, val_mgr->GetCount(((ip6_ext*)data)->ip6e_nxt));
rv->Assign(1, val_mgr->GetCount(((ip6_ext*)data)->ip6e_len));
rv->Assign(2, val_mgr->GetCount(ntohs(((uint16_t*)data)[1])));
rv->Assign(3, val_mgr->GetCount(ntohl(((uint32_t*)data)[1])));
rv->Assign(0, val_mgr->Count(((ip6_ext*)data)->ip6e_nxt));
rv->Assign(1, val_mgr->Count(((ip6_ext*)data)->ip6e_len));
rv->Assign(2, val_mgr->Count(ntohs(((uint16_t*)data)[1])));
rv->Assign(3, val_mgr->Count(ntohl(((uint32_t*)data)[1])));
if ( Length() >= 12 )
{
// Sequence Number and ICV fields can only be extracted if
// Payload Len was non-zero for this header.
rv->Assign(4, val_mgr->GetCount(ntohl(((uint32_t*)data)[2])));
rv->Assign(4, val_mgr->Count(ntohl(((uint32_t*)data)[2])));
uint16_t off = 3 * sizeof(uint32_t);
rv->Assign(5, make_intrusive<StringVal>(new BroString(data + off, Length() - off, true)));
}
@ -172,8 +172,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_esp_type, "ip6_esp"));
const uint32_t* esp = (const uint32_t*)data;
rv->Assign(0, val_mgr->GetCount(ntohl(esp[0])));
rv->Assign(1, val_mgr->GetCount(ntohl(esp[1])));
rv->Assign(0, val_mgr->Count(ntohl(esp[0])));
rv->Assign(1, val_mgr->Count(ntohl(esp[1])));
}
break;
@ -182,14 +182,14 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
{
rv = new RecordVal(hdrType(ip6_mob_type, "ip6_mobility_hdr"));
const struct ip6_mobility* mob = (const struct ip6_mobility*) data;
rv->Assign(0, val_mgr->GetCount(mob->ip6mob_payload));
rv->Assign(1, val_mgr->GetCount(mob->ip6mob_len));
rv->Assign(2, val_mgr->GetCount(mob->ip6mob_type));
rv->Assign(3, val_mgr->GetCount(mob->ip6mob_rsv));
rv->Assign(4, val_mgr->GetCount(ntohs(mob->ip6mob_chksum)));
rv->Assign(0, val_mgr->Count(mob->ip6mob_payload));
rv->Assign(1, val_mgr->Count(mob->ip6mob_len));
rv->Assign(2, val_mgr->Count(mob->ip6mob_type));
rv->Assign(3, val_mgr->Count(mob->ip6mob_rsv));
rv->Assign(4, val_mgr->Count(ntohs(mob->ip6mob_chksum)));
RecordVal* msg = new RecordVal(hdrType(ip6_mob_msg_type, "ip6_mobility_msg"));
msg->Assign(0, val_mgr->GetCount(mob->ip6mob_type));
msg->Assign(0, val_mgr->Count(mob->ip6mob_type));
uint16_t off = sizeof(ip6_mobility);
const u_char* msg_data = data + off;
@ -198,7 +198,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 0:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_brr"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
off += sizeof(uint16_t);
m->Assign(1, BuildOptionsVal(data + off, Length() - off));
msg->Assign(1, m);
@ -208,8 +208,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 1:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_hoti"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(2, m);
@ -219,8 +219,8 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 2:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_coti"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(3, m);
@ -230,9 +230,9 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 3:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_hot"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(4, m);
@ -242,9 +242,9 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 4:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_cot"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->GetCount(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(5, m);
@ -254,12 +254,12 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 5:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_bu"));
m->Assign(0, val_mgr->GetCount(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000));
m->Assign(2, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000));
m->Assign(3, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000));
m->Assign(4, val_mgr->GetBool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000));
m->Assign(5, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000));
m->Assign(2, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000));
m->Assign(3, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000));
m->Assign(4, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000));
m->Assign(5, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
off += 3 * sizeof(uint16_t);
m->Assign(6, BuildOptionsVal(data + off, Length() - off));
msg->Assign(6, m);
@ -269,10 +269,10 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 6:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_back"));
m->Assign(0, val_mgr->GetCount(*((uint8_t*)msg_data)));
m->Assign(1, val_mgr->GetBool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80));
m->Assign(2, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(3, val_mgr->GetCount(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data)));
m->Assign(1, val_mgr->Bool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80));
m->Assign(2, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(3, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
off += 3 * sizeof(uint16_t);
m->Assign(4, BuildOptionsVal(data + off, Length() - off));
msg->Assign(7, m);
@ -282,7 +282,7 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
case 7:
{
RecordVal* m = new RecordVal(hdrType(ip6_mob_brr_type, "ip6_mobility_be"));
m->Assign(0, val_mgr->GetCount(*((uint8_t*)msg_data)));
m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data)));
const in6_addr* hoa = (const in6_addr*)(msg_data + sizeof(uint16_t));
m->Assign(1, make_intrusive<AddrVal>(IPAddr(*hoa)));
off += sizeof(uint16_t) + sizeof(in6_addr);
@ -335,12 +335,12 @@ RecordVal* IP_Hdr::BuildIPHdrVal() const
if ( ip4 )
{
rval = new RecordVal(hdrType(ip4_hdr_type, "ip4_hdr"));
rval->Assign(0, val_mgr->GetCount(ip4->ip_hl * 4));
rval->Assign(1, val_mgr->GetCount(ip4->ip_tos));
rval->Assign(2, val_mgr->GetCount(ntohs(ip4->ip_len)));
rval->Assign(3, val_mgr->GetCount(ntohs(ip4->ip_id)));
rval->Assign(4, val_mgr->GetCount(ip4->ip_ttl));
rval->Assign(5, val_mgr->GetCount(ip4->ip_p));
rval->Assign(0, val_mgr->Count(ip4->ip_hl * 4));
rval->Assign(1, val_mgr->Count(ip4->ip_tos));
rval->Assign(2, val_mgr->Count(ntohs(ip4->ip_len)));
rval->Assign(3, val_mgr->Count(ntohs(ip4->ip_id)));
rval->Assign(4, val_mgr->Count(ip4->ip_ttl));
rval->Assign(5, val_mgr->Count(ip4->ip_p));
rval->Assign(6, make_intrusive<AddrVal>(ip4->ip_src.s_addr));
rval->Assign(7, make_intrusive<AddrVal>(ip4->ip_dst.s_addr));
}
@ -394,15 +394,15 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
int tcp_hdr_len = tp->th_off * 4;
int data_len = PayloadLen() - tcp_hdr_len;
tcp_hdr->Assign(0, val_mgr->GetPort(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, val_mgr->GetPort(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, val_mgr->GetCount(uint32_t(ntohl(tp->th_seq))));
tcp_hdr->Assign(3, val_mgr->GetCount(uint32_t(ntohl(tp->th_ack))));
tcp_hdr->Assign(4, val_mgr->GetCount(tcp_hdr_len));
tcp_hdr->Assign(5, val_mgr->GetCount(data_len));
tcp_hdr->Assign(6, val_mgr->GetCount(tp->th_x2));
tcp_hdr->Assign(7, val_mgr->GetCount(tp->th_flags));
tcp_hdr->Assign(8, val_mgr->GetCount(ntohs(tp->th_win)));
tcp_hdr->Assign(0, val_mgr->Port(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, val_mgr->Port(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, val_mgr->Count(uint32_t(ntohl(tp->th_seq))));
tcp_hdr->Assign(3, val_mgr->Count(uint32_t(ntohl(tp->th_ack))));
tcp_hdr->Assign(4, val_mgr->Count(tcp_hdr_len));
tcp_hdr->Assign(5, val_mgr->Count(data_len));
tcp_hdr->Assign(6, val_mgr->Count(tp->th_x2));
tcp_hdr->Assign(7, val_mgr->Count(tp->th_flags));
tcp_hdr->Assign(8, val_mgr->Count(ntohs(tp->th_win)));
pkt_hdr->Assign(sindex + 2, tcp_hdr);
break;
@ -413,9 +413,9 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
const struct udphdr* up = (const struct udphdr*) data;
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
udp_hdr->Assign(0, val_mgr->GetPort(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, val_mgr->GetPort(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, val_mgr->GetCount(ntohs(up->uh_ulen)));
udp_hdr->Assign(0, val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, val_mgr->Count(ntohs(up->uh_ulen)));
pkt_hdr->Assign(sindex + 3, udp_hdr);
break;
@ -426,7 +426,7 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
const struct icmp* icmpp = (const struct icmp *) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->GetCount(icmpp->icmp_type));
icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp_type));
pkt_hdr->Assign(sindex + 4, icmp_hdr);
break;
@ -437,7 +437,7 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data;
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->GetCount(icmpp->icmp6_type));
icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp6_type));
pkt_hdr->Assign(sindex + 4, icmp_hdr);
break;
@ -696,7 +696,7 @@ VectorVal* IPv6_Hdr_Chain::BuildVal() const
RecordVal* v = chain[i]->BuildRecordVal();
RecordVal* ext_hdr = new RecordVal(ip6_ext_hdr_type);
uint8_t type = chain[i]->Type();
ext_hdr->Assign(0, val_mgr->GetCount(type));
ext_hdr->Assign(0, val_mgr->Count(type));
switch (type) {
case IPPROTO_HOPOPTS:

13
src/OpaqueVal.cc
View file

@ -171,8 +171,7 @@ bool HashVal::Init()
IntrusivePtr<StringVal> HashVal::Get()
{
if ( ! valid )
return IntrusivePtr<StringVal>(AdoptRef{},
val_mgr->GetEmptyString());
return val_mgr->EmptyString();
auto result = DoGet();
valid = false;
@ -203,7 +202,7 @@ bool HashVal::DoFeed(const void*, size_t)
IntrusivePtr<StringVal> HashVal::DoGet()
{
assert(! "missing implementation of DoGet()");
return IntrusivePtr<StringVal>(AdoptRef{}, val_mgr->GetEmptyString());
return val_mgr->EmptyString();
}
HashVal::HashVal(OpaqueType* t) : OpaqueVal(t)
@ -275,7 +274,7 @@ bool MD5Val::DoFeed(const void* data, size_t size)
IntrusivePtr<StringVal> MD5Val::DoGet()
{
if ( ! IsValid() )
return IntrusivePtr<StringVal>(AdoptRef{}, val_mgr->GetEmptyString());
return val_mgr->EmptyString();
u_char digest[MD5_DIGEST_LENGTH];
hash_final(ctx, digest);
@ -395,8 +394,7 @@ bool SHA1Val::DoFeed(const void* data, size_t size)
IntrusivePtr<StringVal> SHA1Val::DoGet()
{
if ( ! IsValid() )
return IntrusivePtr<StringVal>(AdoptRef{},
val_mgr->GetEmptyString());
return val_mgr->EmptyString();
u_char digest[SHA_DIGEST_LENGTH];
hash_final(ctx, digest);
@ -519,8 +517,7 @@ bool SHA256Val::DoFeed(const void* data, size_t size)
IntrusivePtr<StringVal> SHA256Val::DoGet()
{
if ( ! IsValid() )
return IntrusivePtr<StringVal>(AdoptRef{},
val_mgr->GetEmptyString());
return val_mgr->EmptyString();
u_char digest[SHA256_DIGEST_LENGTH];
hash_final(ctx, digest);

4
src/Reporter.cc
View file

@ -364,7 +364,7 @@ void Reporter::Weird(Connection* conn, const char* name, const char* addl)
return;
}
WeirdHelper(conn_weird, {conn->BuildConnVal(), new StringVal(addl)},
WeirdHelper(conn_weird, {conn->ConnVal()->Ref(), new StringVal(addl)},
"%s", name);
}
@ -501,7 +501,7 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
vl.emplace_back(make_intrusive<StringVal>(loc_str.c_str()));
if ( conn )
vl.emplace_back(AdoptRef{}, conn->BuildConnVal());
vl.emplace_back(conn->ConnVal());
if ( addl )
for ( auto v : *addl )

2
src/RuleAction.cc
View file

@ -24,7 +24,7 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
mgr.Enqueue(signature_match,
IntrusivePtr{AdoptRef{}, rule_matcher->BuildRuleStateValue(parent, state)},
make_intrusive<StringVal>(msg),
data ? make_intrusive<StringVal>(len, (const char*)data) : IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()}
data ? make_intrusive<StringVal>(len, (const char*)data) : val_mgr->EmptyString()
);
}

2
src/RuleCondition.cc
View file

@ -174,7 +174,7 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
if ( data )
args.emplace_back(make_intrusive<StringVal>(len, (const char*) data));
else
args.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
args.emplace_back(val_mgr->EmptyString());
bool result = false;

6
src/RuleMatcher.cc
View file

@ -81,9 +81,9 @@ Val* RuleMatcher::BuildRuleStateValue(const Rule* rule,
{
RecordVal* val = new RecordVal(signature_state);
val->Assign(0, make_intrusive<StringVal>(rule->ID()));
val->Assign(1, state->GetAnalyzer()->BuildConnVal());
val->Assign(2, val_mgr->GetBool(state->is_orig));
val->Assign(3, val_mgr->GetCount(state->payload_size));
val->Assign(1, state->GetAnalyzer()->ConnVal());
val->Assign(2, val_mgr->Bool(state->is_orig));
val->Assign(3, val_mgr->Count(state->payload_size));
return val;
}

8
src/Sessions.cc
View file

@ -691,12 +691,14 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
{
pkt_hdr_val = ip_hdr->BuildPktHdrVal();
conn->Event(ipv6_ext_headers, nullptr, pkt_hdr_val);
conn->EnqueueEvent(ipv6_ext_headers, nullptr, conn->ConnVal(),
IntrusivePtr{AdoptRef{}, pkt_hdr_val});
}
if ( new_packet )
conn->Event(new_packet, nullptr,
pkt_hdr_val ? pkt_hdr_val->Ref() : ip_hdr->BuildPktHdrVal());
conn->EnqueueEvent(new_packet, nullptr, conn->ConnVal(), pkt_hdr_val ?
IntrusivePtr{NewRef{}, pkt_hdr_val} :
IntrusivePtr{AdoptRef{}, ip_hdr->BuildPktHdrVal()});
conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data,
record_packet, record_content, pkt);

4
src/SmithWaterman.cc
View file

@ -95,13 +95,13 @@ VectorVal* BroSubstring::VecToPolicy(Vec* vec)
auto align_val = make_intrusive<RecordVal>(sw_align_type);
align_val->Assign(0, make_intrusive<StringVal>(new BroString(*align.string)));
align_val->Assign(1, val_mgr->GetCount(align.index));
align_val->Assign(1, val_mgr->Count(align.index));
aligns->Assign(j + 1, std::move(align_val));
}
st_val->Assign(1, std::move(aligns));
st_val->Assign(2, val_mgr->GetBool(bst->IsNewAlignment()));
st_val->Assign(2, val_mgr->Bool(bst->IsNewAlignment()));
result->Assign(i + 1, std::move(st_val));
}
}

4
src/Stats.cc
View file

@ -314,7 +314,7 @@ void ProfileLogger::Log()
Ref(file);
mgr.Dispatch(new Event(profiling_update, {
make_intrusive<Val>(file),
{AdoptRef{}, val_mgr->GetBool(expensive)},
val_mgr->Bool(expensive),
}));
}
}
@ -374,7 +374,7 @@ void SampleLogger::SegmentProfile(const char* /* name */,
mgr.Enqueue(load_sample,
IntrusivePtr{NewRef{}, load_samples},
make_intrusive<IntervalVal>(dtime, Seconds),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(dmem)}
val_mgr->Int(dmem)
);
}

3
src/Stmt.cc
View file

@ -1232,8 +1232,7 @@ IntrusivePtr<Val> ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
// Set the loop variable to the current index, and make
// another pass over the loop body.
f->SetElement((*loop_vars)[0],
val_mgr->GetCount(i));
f->SetElement((*loop_vars)[0], val_mgr->Count(i).release());
flow = FLOW_NEXT;
ret = body->Exec(f, flow);

4
src/TunnelEncapsulation.cc
View file

@ -22,9 +22,9 @@ RecordVal* EncapsulatingConn::GetRecordVal() const
auto id_val = make_intrusive<RecordVal>(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, val_mgr->GetPort(ntohs(src_port), proto));
id_val->Assign(1, val_mgr->Port(ntohs(src_port), proto));
id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->GetPort(ntohs(dst_port), proto));
id_val->Assign(3, val_mgr->Port(ntohs(dst_port), proto));
rv->Assign(0, std::move(id_val));
rv->Assign(1, BifType::Enum::Tunnel::Type->GetVal(type));

9
src/Type.cc
View file

@ -840,7 +840,7 @@ IntrusivePtr<TableVal> RecordType::GetRecordFieldsVal(const RecordVal* rv) const
string s = container_type_name(ft);
nr->Assign(0, make_intrusive<StringVal>(s));
nr->Assign(1, val_mgr->GetBool(logged));
nr->Assign(1, val_mgr->Bool(logged));
nr->Assign(2, fv);
nr->Assign(3, FieldDefault(i));
Val* field_name = new StringVal(FieldName(i));
@ -1615,7 +1615,12 @@ bool same_type(const BroType* t1, const BroType* t2, bool is_init, bool match_re
}
case TYPE_TYPE:
return same_type(t1, t2, is_init, match_record_field_names);
{
auto tt1 = t1->AsTypeType();
auto tt2 = t2->AsTypeType();
return same_type(tt1->Type(), tt1->Type(),
is_init, match_record_field_names);
}
case TYPE_UNION:
reporter->Error("union type in same_type()");

3
src/Type.h
View file

@ -506,7 +506,8 @@ public:
explicit TypeType(IntrusivePtr<BroType> t) : BroType(TYPE_TYPE), type(std::move(t)) {}
TypeType* ShallowClone() override { return new TypeType(type); }
BroType* Type() { return type.get(); }
BroType* Type() { return type.get(); }
const BroType* Type() const { return type.get(); }
protected:
IntrusivePtr<BroType> type;

113
src/Val.cc
View file

@ -136,6 +136,10 @@ IntrusivePtr<Val> Val::DoClone(CloneState* state)
return {NewRef{}, this};
}
if ( type->Tag() == TYPE_TYPE )
// These are immutable, essentially.
return {NewRef{}, this};
// Fall-through.
default:
@ -250,19 +254,19 @@ IntrusivePtr<Val> Val::SizeVal() const
// Return abs value. However abs() only works on ints and llabs
// doesn't work on Mac OS X 10.5. So we do it by hand
if ( val.int_val < 0 )
return {AdoptRef{}, val_mgr->GetCount(-val.int_val)};
return val_mgr->Count(-val.int_val);
else
return {AdoptRef{}, val_mgr->GetCount(val.int_val)};
return val_mgr->Count(val.int_val);
case TYPE_INTERNAL_UNSIGNED:
return {AdoptRef{}, val_mgr->GetCount(val.uint_val)};
return val_mgr->Count(val.uint_val);
case TYPE_INTERNAL_DOUBLE:
return make_intrusive<Val>(fabs(val.double_val), TYPE_DOUBLE);
case TYPE_INTERNAL_OTHER:
if ( type->Tag() == TYPE_FUNC )
return {AdoptRef{}, val_mgr->GetCount(val.func_val->FType()->ArgTypes()->Types()->length())};
return val_mgr->Count(val.func_val->FType()->ArgTypes()->Types()->length());
if ( type->Tag() == TYPE_FILE )
return make_intrusive<Val>(val.file_val->Size(), TYPE_DOUBLE);
@ -272,7 +276,7 @@ IntrusivePtr<Val> Val::SizeVal() const
break;
}
return {AdoptRef{}, val_mgr->GetCount(0)};
return val_mgr->Count(0);
}
unsigned int Val::MemoryAllocation() const
@ -583,9 +587,8 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*
{
auto blank = make_intrusive<StringVal>("");
auto fn_val = make_intrusive<StringVal>(field_name);
auto key_val = fn_val->Substitute(re, blank.get(), false)->AsStringVal();
auto key_val = fn_val->Substitute(re, blank.get(), false);
key_str = key_val->ToStdString();
Unref(key_val);
}
else
key_str = field_name;
@ -732,7 +735,7 @@ void IntervalVal::ValDescribe(ODesc* d) const
IntrusivePtr<Val> PortVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetInt(val.uint_val)};
return val_mgr->Int(val.uint_val);
}
uint32_t PortVal::Mask(uint32_t port_num, TransportProto port_type)
@ -851,9 +854,9 @@ unsigned int AddrVal::MemoryAllocation() const
IntrusivePtr<Val> AddrVal::SizeVal() const
{
if ( val.addr_val->GetFamily() == IPv4 )
return {AdoptRef{}, val_mgr->GetCount(32)};
return val_mgr->Count(32);
else
return {AdoptRef{}, val_mgr->GetCount(128)};
return val_mgr->Count(128);
}
IntrusivePtr<Val> AddrVal::DoClone(CloneState* state)
@ -979,7 +982,7 @@ StringVal::StringVal(const string& s) : StringVal(s.length(), s.data())
IntrusivePtr<Val> StringVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetCount(val.string_val->Len())};
return val_mgr->Count(val.string_val->Len());
}
int StringVal::Len()
@ -1024,7 +1027,7 @@ unsigned int StringVal::MemoryAllocation() const
return padded_sizeof(*this) + val.string_val->MemoryAllocation();
}
Val* StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all)
IntrusivePtr<StringVal> StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all)
{
const u_char* s = Bytes();
int offset = 0;
@ -1105,7 +1108,7 @@ Val* StringVal::Substitute(RE_Matcher* re, StringVal* repl, bool do_all)
// the NUL.
r[0] = '\0';
return new StringVal(new BroString(true, result, r - result));
return make_intrusive<StringVal>(new BroString(true, result, r - result));
}
IntrusivePtr<Val> StringVal::DoClone(CloneState* state)
@ -1193,7 +1196,7 @@ ListVal::~ListVal()
IntrusivePtr<Val> ListVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetCount(vals.length())};
return val_mgr->Count(vals.length());
}
RE_Matcher* ListVal::BuildRE() const
@ -1564,7 +1567,7 @@ bool TableVal::Assign(Val* index, HashKey* k, Val* new_val)
IntrusivePtr<Val> TableVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetCount(Size())};
return val_mgr->Count(Size());
}
bool TableVal::AddTo(Val* val, bool is_first_init) const
@ -2683,7 +2686,7 @@ RecordVal::~RecordVal()
IntrusivePtr<Val> RecordVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetCount(Type()->AsRecordType()->NumFields())};
return val_mgr->Count(Type()->AsRecordType()->NumFields());
}
void RecordVal::Assign(int field, IntrusivePtr<Val> new_val)
@ -2931,7 +2934,7 @@ unsigned int RecordVal::MemoryAllocation() const
IntrusivePtr<Val> EnumVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetInt(val.int_val)};
return val_mgr->Int(val.int_val);
}
void EnumVal::ValDescribe(ODesc* d) const
@ -2968,7 +2971,7 @@ VectorVal::~VectorVal()
IntrusivePtr<Val> VectorVal::SizeVal() const
{
return {AdoptRef{}, val_mgr->GetCount(uint32_t(val.vector_val->size()))};
return val_mgr->Count(uint32_t(val.vector_val->size()));
}
bool VectorVal::Assign(unsigned int index, IntrusivePtr<Val> element)
@ -3205,7 +3208,7 @@ IntrusivePtr<Val> check_and_promote(IntrusivePtr<Val> v, const BroType* t,
return nullptr;
}
else if ( t_tag == TYPE_INT )
promoted_v = {AdoptRef{}, val_mgr->GetInt(v->CoerceToInt())};
promoted_v = val_mgr->Int(v->CoerceToInt());
else // enum
{
reporter->InternalError("bad internal type in check_and_promote()");
@ -3221,7 +3224,7 @@ IntrusivePtr<Val> check_and_promote(IntrusivePtr<Val> v, const BroType* t,
return nullptr;
}
else if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
promoted_v = {AdoptRef{}, val_mgr->GetCount(v->CoerceToUnsigned())};
promoted_v = val_mgr->Count(v->CoerceToUnsigned());
else // port
{
reporter->InternalError("bad internal type in check_and_promote()");
@ -3398,13 +3401,26 @@ bool can_cast_value_to_type(const BroType* s, BroType* t)
return false;
}
IntrusivePtr<Val> Val::MakeBool(bool b)
{
return IntrusivePtr{AdoptRef{}, new Val(bro_int_t(b), TYPE_BOOL)};
}
IntrusivePtr<Val> Val::MakeInt(bro_int_t i)
{
return IntrusivePtr{AdoptRef{}, new Val(i, TYPE_INT)};
}
IntrusivePtr<Val> Val::MakeCount(bro_uint_t u)
{
return IntrusivePtr{AdoptRef{}, new Val(u, TYPE_COUNT)};
}
ValManager::ValManager()
{
empty_string = new StringVal("");
empty_string = make_intrusive<StringVal>("");
b_false = Val::MakeBool(false);
b_true = Val::MakeBool(true);
counts = new Val*[PREALLOCATED_COUNTS];
ints = new Val*[PREALLOCATED_INTS];
for ( auto i = 0u; i < PREALLOCATED_COUNTS; ++i )
counts[i] = Val::MakeCount(i);
@ -3418,37 +3434,16 @@ ValManager::ValManager()
auto port_type = (TransportProto)i;
for ( auto j = 0u; j < arr.size(); ++j )
arr[j] = new PortVal(PortVal::Mask(j, port_type));
arr[j] = IntrusivePtr{AdoptRef{}, new PortVal(PortVal::Mask(j, port_type))};
}
}
ValManager::~ValManager()
{
Unref(empty_string);
Unref(b_true);
Unref(b_false);
for ( auto i = 0u; i < PREALLOCATED_COUNTS; ++i )
Unref(counts[i]);
for ( auto i = 0u; i < PREALLOCATED_INTS; ++i )
Unref(ints[i]);
delete [] counts;
delete [] ints;
for ( auto& arr : ports )
for ( auto& pv : arr )
Unref(pv);
}
StringVal* ValManager::GetEmptyString() const
{
::Ref(empty_string);
return empty_string;
return empty_string->Ref()->AsStringVal();
}
PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const
const IntrusivePtr<PortVal>& ValManager::Port(uint32_t port_num, TransportProto port_type) const
{
if ( port_num >= 65536 )
{
@ -3456,22 +3451,30 @@ PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const
port_num = 0;
}
auto rval = ports[port_type][port_num];
::Ref(rval);
return rval;
return ports[port_type][port_num];
}
PortVal* ValManager::GetPort(uint32_t port_num) const
PortVal* ValManager::GetPort(uint32_t port_num, TransportProto port_type) const
{
return Port(port_num, port_type)->Ref()->AsPortVal();
}
const IntrusivePtr<PortVal>& ValManager::Port(uint32_t port_num) const
{
auto mask = port_num & PORT_SPACE_MASK;
port_num &= ~PORT_SPACE_MASK;
if ( mask == TCP_PORT_MASK )
return GetPort(port_num, TRANSPORT_TCP);
return Port(port_num, TRANSPORT_TCP);
else if ( mask == UDP_PORT_MASK )
return GetPort(port_num, TRANSPORT_UDP);
return Port(port_num, TRANSPORT_UDP);
else if ( mask == ICMP_PORT_MASK )
return GetPort(port_num, TRANSPORT_ICMP);
return Port(port_num, TRANSPORT_ICMP);
else
return GetPort(port_num, TRANSPORT_UNKNOWN);
return Port(port_num, TRANSPORT_UNKNOWN);
}
PortVal* ValManager::GetPort(uint32_t port_num) const
{
return Port(port_num)->Ref()->AsPortVal();
}

74
src/Val.h
View file

@ -335,20 +335,9 @@ protected:
virtual void ValDescribe(ODesc* d) const;
virtual void ValDescribeReST(ODesc* d) const;
static Val* MakeBool(bool b)
{
return new Val(bro_int_t(b), TYPE_BOOL);
}
static Val* MakeInt(bro_int_t i)
{
return new Val(i, TYPE_INT);
}
static Val* MakeCount(bro_uint_t u)
{
return new Val(u, TYPE_COUNT);
}
static IntrusivePtr<Val> MakeBool(bool b);
static IntrusivePtr<Val> MakeInt(bro_int_t i);
static IntrusivePtr<Val> MakeCount(bro_uint_t u);
template<typename V>
Val(V &&v, TypeTag t) noexcept
@ -406,44 +395,79 @@ public:
ValManager();
~ValManager();
[[deprecated("Remove in v4.1. Use val_mgr->True() instead.")]]
inline Val* GetTrue() const
{ return b_true->Ref(); }
inline const IntrusivePtr<Val>& True() const
{ return b_true; }
[[deprecated("Remove in v4.1. Use val_mgr->False() instead.")]]
inline Val* GetFalse() const
{ return b_false->Ref(); }
inline const IntrusivePtr<Val>& False() const
{ return b_false; }
[[deprecated("Remove in v4.1. Use val_mgr->Bool() instead.")]]
inline Val* GetBool(bool b) const
{ return b ? b_true->Ref() : b_false->Ref(); }
inline const IntrusivePtr<Val>& Bool(bool b) const
{ return b ? b_true : b_false; }
[[deprecated("Remove in v4.1. Use val_mgr->Int() instead.")]]
inline Val* GetInt(int64_t i) const
{
return i < PREALLOCATED_INT_LOWEST || i > PREALLOCATED_INT_HIGHEST ?
Val::MakeInt(i) : ints[i - PREALLOCATED_INT_LOWEST]->Ref();
Val::MakeInt(i).release() : ints[i - PREALLOCATED_INT_LOWEST]->Ref();
}
inline IntrusivePtr<Val> Int(int64_t i) const
{
return i < PREALLOCATED_INT_LOWEST || i > PREALLOCATED_INT_HIGHEST ?
Val::MakeInt(i) : ints[i - PREALLOCATED_INT_LOWEST];
}
[[deprecated("Remove in v4.1. Use val_mgr->Count() instead.")]]
inline Val* GetCount(uint64_t i) const
{
return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i) : counts[i]->Ref();
return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i).release() : counts[i]->Ref();
}
inline IntrusivePtr<Val> Count(uint64_t i) const
{
return i >= PREALLOCATED_COUNTS ? Val::MakeCount(i) : counts[i];
}
[[deprecated("Remove in v4.1. Use val_mgr->EmptyString() instead.")]]
StringVal* GetEmptyString() const;
inline const IntrusivePtr<StringVal>& EmptyString() const
{ return empty_string; }
// Port number given in host order.
[[deprecated("Remove in v4.1. Use val_mgr->Port() instead.")]]
PortVal* GetPort(uint32_t port_num, TransportProto port_type) const;
// Port number given in host order.
const IntrusivePtr<PortVal>& Port(uint32_t port_num, TransportProto port_type) const;
// Host-order port number already masked with port space protocol mask.
[[deprecated("Remove in v4.1. Use val_mgr->Port() instead.")]]
PortVal* GetPort(uint32_t port_num) const;
// Host-order port number already masked with port space protocol mask.
const IntrusivePtr<PortVal>& Port(uint32_t port_num) const;
private:
std::array<std::array<PortVal*, 65536>, NUM_PORT_SPACES> ports;
StringVal* empty_string;
Val* b_true;
Val* b_false;
Val** counts;
Val** ints;
std::array<std::array<IntrusivePtr<PortVal>, 65536>, NUM_PORT_SPACES> ports;
std::array<IntrusivePtr<Val>, PREALLOCATED_COUNTS> counts;
std::array<IntrusivePtr<Val>, PREALLOCATED_INTS> ints;
IntrusivePtr<StringVal> empty_string;
IntrusivePtr<Val> b_true;
IntrusivePtr<Val> b_false;
};
extern ValManager* val_mgr;
@ -569,7 +593,7 @@ public:
unsigned int MemoryAllocation() const override;
Val* Substitute(RE_Matcher* re, StringVal* repl, bool do_all);
IntrusivePtr<StringVal> Substitute(RE_Matcher* re, StringVal* repl, bool do_all);
protected:
void ValDescribe(ODesc* d) const override;

25
src/analyzer/Analyzer.cc
View file

@ -690,9 +690,9 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal();
mgr.Enqueue(protocol_confirmation,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{NewRef{}, tval},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)}
val_mgr->Count(id)
);
}
@ -717,9 +717,9 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
EnumVal* tval = tag.AsEnumVal();
mgr.Enqueue(protocol_violation,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{NewRef{}, tval},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)},
val_mgr->Count(id),
IntrusivePtr{AdoptRef{}, r}
);
}
@ -788,7 +788,12 @@ void Analyzer::UpdateConnVal(RecordVal *conn_val)
RecordVal* Analyzer::BuildConnVal()
{
return conn->BuildConnVal();
return conn->ConnVal()->Ref()->AsRecordVal();
}
const IntrusivePtr<RecordVal>& Analyzer::ConnVal()
{
return conn->ConnVal();
}
void Analyzer::Event(EventHandlerPtr f, const char* name)
@ -798,7 +803,11 @@ void Analyzer::Event(EventHandlerPtr f, const char* name)
void Analyzer::Event(EventHandlerPtr f, Val* v1, Val* v2)
{
conn->Event(f, this, v1, v2);
IntrusivePtr val1{AdoptRef{}, v1};
IntrusivePtr val2{AdoptRef{}, v2};
if ( f )
conn->EnqueueEvent(f, this, conn->ConnVal(), std::move(val1), std::move(val2));
}
void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl)
@ -930,7 +939,7 @@ void TransportLayerAnalyzer::PacketContents(const u_char* data, int len)
if ( packet_contents && len > 0 )
{
BroString* cbs = new BroString(data, len, true);
Val* contents = new StringVal(cbs);
Event(packet_contents, contents);
auto contents = make_intrusive<StringVal>(cbs);
EnqueueConnEvent(packet_contents, ConnVal(), std::move(contents));
}
}

8
src/analyzer/Analyzer.h
View file

@ -549,8 +549,15 @@ public:
* Convenience function that forwards directly to
* Connection::BuildConnVal().
*/
[[deprecated("Remove in v4.1. Use ConnVal() instead.")]]
RecordVal* BuildConnVal();
/**
* Convenience function that forwards directly to
* Connection::ConnVal().
*/
const IntrusivePtr<RecordVal>& ConnVal();
/**
* Convenience function that forwards directly to the corresponding
* Connection::Event().
@ -561,6 +568,7 @@ public:
* Convenience function that forwards directly to the corresponding
* Connection::Event().
*/
[[deprecated("Remove in v4.1. Use EnqueueConnEvent() instead (note it doesn't automatically ad the connection argument).")]]
void Event(EventHandlerPtr f, Val* v1, Val* v2 = nullptr);
/**

15
src/analyzer/Manager.cc
View file

@ -440,15 +440,13 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
if ( tcp_contents && ! reass )
{
auto dport = val_mgr->GetPort(ntohs(conn->RespPort()), TRANSPORT_TCP);
const auto& dport = val_mgr->Port(ntohs(conn->RespPort()), TRANSPORT_TCP);
if ( ! reass )
reass = (bool)tcp_content_delivery_ports_orig->Lookup(dport);
reass = (bool)tcp_content_delivery_ports_orig->Lookup(dport.get());
if ( ! reass )
reass = (bool)tcp_content_delivery_ports_resp->Lookup(dport);
Unref(dport);
reass = (bool)tcp_content_delivery_ports_resp->Lookup(dport.get());
}
if ( reass )
@ -626,9 +624,10 @@ bool Manager::ApplyScheduledAnalyzers(Connection* conn, bool init, TransportLaye
parent->AddChildAnalyzer(analyzer, init);
EnumVal* tag = it->AsEnumVal();
Ref(tag);
conn->Event(scheduled_analyzer_applied, nullptr, tag);
if ( scheduled_analyzer_applied )
conn->EnqueueEvent(scheduled_analyzer_applied, nullptr,
conn->ConnVal(),
IntrusivePtr{NewRef{}, it->AsEnumVal()});
DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled",
analyzer_mgr->GetComponentName(*it).c_str());

14
src/analyzer/analyzer.bif
View file

@ -11,41 +11,41 @@ module Analyzer;
function Analyzer::__enable_analyzer%(id: Analyzer::Tag%) : bool
%{
bool result = analyzer_mgr->EnableAnalyzer(id->AsEnumVal());
return val_mgr->GetBool(result);
return val_mgr->Bool(result);
%}
function Analyzer::__disable_analyzer%(id: Analyzer::Tag%) : bool
%{
bool result = analyzer_mgr->DisableAnalyzer(id->AsEnumVal());
return val_mgr->GetBool(result);
return val_mgr->Bool(result);
%}
function Analyzer::__disable_all_analyzers%(%) : any
%{
analyzer_mgr->DisableAllAnalyzers();
return 0;
return nullptr;
%}
function Analyzer::__register_for_port%(id: Analyzer::Tag, p: port%) : bool
%{
bool result = analyzer_mgr->RegisterAnalyzerForPort(id->AsEnumVal(), p);
return val_mgr->GetBool(result);
return val_mgr->Bool(result);
%}
function Analyzer::__schedule_analyzer%(orig: addr, resp: addr, resp_p: port,
analyzer: Analyzer::Tag, tout: interval%) : bool
%{
analyzer_mgr->ScheduleAnalyzer(orig->AsAddr(), resp->AsAddr(), resp_p, analyzer->AsEnumVal(), tout);
return val_mgr->GetTrue();
return val_mgr->True();
%}
function __name%(atype: Analyzer::Tag%) : string
%{
return new StringVal(analyzer_mgr->GetComponentName(atype));
return make_intrusive<StringVal>(analyzer_mgr->GetComponentName(atype));
%}
function __tag%(name: string%) : Analyzer::Tag
%{
analyzer::Tag t = analyzer_mgr->GetComponentTag(name->CheckString());
return t.AsEnumVal()->Ref();
return IntrusivePtr{NewRef{}, t.AsEnumVal()};
%}

10
src/analyzer/protocol/asn1/asn1.pac
View file

@ -113,15 +113,15 @@ Val* asn1_integer_to_val(const ASN1Encoding* i, TypeTag t)
switch ( t ) {
case TYPE_BOOL:
return val_mgr->GetBool(v);
return val_mgr->Bool(v)->Ref();
case TYPE_INT:
return val_mgr->GetInt(v);
return val_mgr->Int(v).release();
case TYPE_COUNT:
case TYPE_COUNTER:
return val_mgr->GetCount(v);
return val_mgr->Count(v).release();
default:
reporter->Error("bad asn1_integer_to_val tag: %s", type_name(t));
return val_mgr->GetCount(v);
return val_mgr->Count(v).release();
}
}
@ -152,7 +152,7 @@ StringVal* asn1_oid_to_val(const ASN1Encoding* oid)
if ( ! subidentifier.empty() || subidentifiers.size() < 1 )
// Underflow.
return val_mgr->GetEmptyString();
return val_mgr->EmptyString()->Ref()->AsStringVal();
for ( size_t i = 0; i < subidentifiers.size(); ++i )
{

4
src/analyzer/protocol/bittorrent/BitTorrent.cc
View file

@ -120,8 +120,8 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
{
if ( bittorrent_peer_weird )
EnqueueConnEvent(bittorrent_peer_weird,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(msg)
);
}

18
src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
View file

@ -247,8 +247,8 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
{
if ( bt_tracker_weird )
EnqueueConnEvent(bt_tracker_weird,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(msg)
);
}
@ -348,7 +348,7 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
if ( bt_tracker_request )
EnqueueConnEvent(bt_tracker_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, req_val_uri},
IntrusivePtr{AdoptRef{}, req_val_headers}
);
@ -402,8 +402,8 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
{
if ( bt_tracker_response_not_ok )
EnqueueConnEvent(bt_tracker_response_not_ok,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
ConnVal(),
val_mgr->Count(res_status),
IntrusivePtr{AdoptRef{}, res_val_headers}
);
res_val_headers = nullptr;
@ -480,7 +480,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
RecordVal* peer = new RecordVal(bittorrent_peer);
peer->Assign(0, make_intrusive<AddrVal>(ad));
peer->Assign(1, val_mgr->GetPort(pt, TRANSPORT_TCP));
peer->Assign(1, val_mgr->Port(pt, TRANSPORT_TCP));
res_val_peers->Assign(peer, nullptr);
Unref(peer);
@ -503,7 +503,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
RecordVal* benc_value = new RecordVal(bittorrent_benc_value);
StringVal* name_ = new StringVal(name_len, name);
benc_value->Assign(type, val_mgr->GetInt(value));
benc_value->Assign(type, val_mgr->Int(value));
res_val_benc->Assign(name_, benc_value);
Unref(name_);
@ -789,8 +789,8 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
if ( bt_tracker_response )
EnqueueConnEvent(bt_tracker_response,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
ConnVal(),
val_mgr->Count(res_status),
IntrusivePtr{AdoptRef{}, res_val_headers},
IntrusivePtr{AdoptRef{}, res_val_peers},
IntrusivePtr{AdoptRef{}, res_val_benc}

38
src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
View file

@ -61,13 +61,13 @@ flow BitTorrent_Flow(is_orig: bool) {
handshake_ok = true;
if ( ::bittorrent_peer_handshake )
{
BifEvent::generate_bittorrent_peer_handshake(
BifEvent::enqueue_bittorrent_peer_handshake(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
bytestring_to_val(reserved),
bytestring_to_val(info_hash),
bytestring_to_val(peer_id));
to_stringval(reserved),
to_stringval(info_hash),
to_stringval(peer_id));
}
connection()->bro_analyzer()->ProtocolConfirmation();
@ -79,7 +79,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_keep_alive )
{
BifEvent::generate_bittorrent_peer_keep_alive(
BifEvent::enqueue_bittorrent_peer_keep_alive(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -92,7 +92,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_choke )
{
BifEvent::generate_bittorrent_peer_choke(
BifEvent::enqueue_bittorrent_peer_choke(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -105,7 +105,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_unchoke )
{
BifEvent::generate_bittorrent_peer_unchoke(
BifEvent::enqueue_bittorrent_peer_unchoke(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -118,7 +118,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_interested )
{
BifEvent::generate_bittorrent_peer_interested(
BifEvent::enqueue_bittorrent_peer_interested(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -131,7 +131,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_not_interested )
{
BifEvent::generate_bittorrent_peer_not_interested(
BifEvent::enqueue_bittorrent_peer_not_interested(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig());
@ -144,7 +144,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_have )
{
BifEvent::generate_bittorrent_peer_have(
BifEvent::enqueue_bittorrent_peer_have(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -158,11 +158,11 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_bitfield )
{
BifEvent::generate_bittorrent_peer_bitfield(
BifEvent::enqueue_bittorrent_peer_bitfield(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
bytestring_to_val(bitfield));
to_stringval(bitfield));
}
return true;
@ -173,7 +173,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_request )
{
BifEvent::generate_bittorrent_peer_request(
BifEvent::enqueue_bittorrent_peer_request(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -188,7 +188,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_piece )
{
BifEvent::generate_bittorrent_peer_piece(
BifEvent::enqueue_bittorrent_peer_piece(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -203,7 +203,7 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_cancel )
{
BifEvent::generate_bittorrent_peer_cancel(
BifEvent::enqueue_bittorrent_peer_cancel(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -217,11 +217,11 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_port )
{
BifEvent::generate_bittorrent_peer_port(
BifEvent::enqueue_bittorrent_peer_port(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
val_mgr->GetPort(listen_port, TRANSPORT_TCP));
val_mgr->Port(listen_port, TRANSPORT_TCP));
}
return true;
@ -231,12 +231,12 @@ flow BitTorrent_Flow(is_orig: bool) {
%{
if ( ::bittorrent_peer_unknown )
{
BifEvent::generate_bittorrent_peer_unknown(
BifEvent::enqueue_bittorrent_peer_unknown(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
id,
bytestring_to_val(data));
to_stringval(data));
}
return true;

18
src/analyzer/protocol/conn-size/ConnSize.cc
View file

@ -51,9 +51,9 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
return;
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
ConnVal(),
val_mgr->Count(threshold),
val_mgr->Bool(is_orig)
);
}
@ -93,9 +93,9 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
if ( ( network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed )
{
EnqueueConnEvent(conn_duration_threshold_crossed,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<Val>(duration_thresh, TYPE_INTERVAL),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
val_mgr->Bool(is_orig)
);
duration_thresh = 0;
}
@ -183,10 +183,10 @@ void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val)
if ( bytesidx < 0 )
reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field");
orig_endp->Assign(pktidx, val_mgr->GetCount(orig_pkts));
orig_endp->Assign(bytesidx, val_mgr->GetCount(orig_bytes));
resp_endp->Assign(pktidx, val_mgr->GetCount(resp_pkts));
resp_endp->Assign(bytesidx, val_mgr->GetCount(resp_bytes));
orig_endp->Assign(pktidx, val_mgr->Count(orig_pkts));
orig_endp->Assign(bytesidx, val_mgr->Count(orig_bytes));
resp_endp->Assign(pktidx, val_mgr->Count(resp_pkts));
resp_endp->Assign(bytesidx, val_mgr->Count(resp_bytes));
Analyzer::UpdateConnVal(conn_val);
}

24
src/analyzer/protocol/conn-size/functions.bif
View file

@ -35,11 +35,11 @@ function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_or
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return val_mgr->GetFalse();
return val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig);
return val_mgr->GetTrue();
return val_mgr->True();
%}
## Sets a threshold for connection packets, overwtiting any potential old thresholds.
@ -59,11 +59,11 @@ function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return val_mgr->GetFalse();
return val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, false, is_orig);
return val_mgr->GetTrue();
return val_mgr->True();
%}
## Sets the current duration threshold for connection, overwriting any potential old
@ -81,11 +81,11 @@ function set_current_conn_duration_threshold%(cid: conn_id, threshold: interval%
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return val_mgr->GetFalse();
return val_mgr->False();
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetDurationThreshold(threshold);
return val_mgr->GetTrue();
return val_mgr->True();
%}
# Gets the current byte threshold size for a connection.
@ -103,9 +103,9 @@ function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return val_mgr->GetCount(0);
return val_mgr->Count(0);
return val_mgr->GetCount(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
return val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig));
%}
## Gets the current packet threshold size for a connection.
@ -122,9 +122,9 @@ function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): coun
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return val_mgr->GetCount(0);
return val_mgr->Count(0);
return val_mgr->GetCount(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
return val_mgr->Count(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(false, is_orig));
%}
## Gets the current duration threshold size for a connection.
@ -139,7 +139,7 @@ function get_current_conn_duration_threshold%(cid: conn_id%): interval
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return new Val(0.0, TYPE_INTERVAL);
return make_intrusive<Val>(0.0, TYPE_INTERVAL);
return new Val(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold(), TYPE_INTERVAL);
return make_intrusive<Val>(static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetDurationThreshold(), TYPE_INTERVAL);
%}

89
src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
View file

@ -37,12 +37,12 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_message )
{
BifEvent::generate_dce_rpc_message(bro_analyzer(),
bro_analyzer()->Conn(),
${header.is_orig},
fid,
${header.PTYPE},
BifType::Enum::DCE_RPC::PType->GetVal(${header.PTYPE}).release());
BifEvent::enqueue_dce_rpc_message(bro_analyzer(),
bro_analyzer()->Conn(),
${header.is_orig},
fid,
${header.PTYPE},
BifType::Enum::DCE_RPC::PType->GetVal(${header.PTYPE}));
}
return true;
%}
@ -51,13 +51,13 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_bind )
{
BifEvent::generate_dce_rpc_bind(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
bytestring_to_val(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
BifEvent::enqueue_dce_rpc_bind(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
to_stringval(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
}
return true;
@ -67,13 +67,13 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_alter_context )
{
BifEvent::generate_dce_rpc_alter_context(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
bytestring_to_val(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
BifEvent::enqueue_dce_rpc_alter_context(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.id},
to_stringval(${req.abstract_syntax.uuid}),
${req.abstract_syntax.ver_major},
${req.abstract_syntax.ver_minor});
}
return true;
@ -83,22 +83,19 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_bind_ack )
{
StringVal *sec_addr;
IntrusivePtr<StringVal> sec_addr;
// Remove the null from the end of the string if it's there.
if ( ${bind.sec_addr}.length() > 0 &&
*(${bind.sec_addr}.begin() + ${bind.sec_addr}.length()) == 0 )
{
sec_addr = new StringVal(${bind.sec_addr}.length()-1, (const char*) ${bind.sec_addr}.begin());
}
sec_addr = make_intrusive<StringVal>(${bind.sec_addr}.length()-1, (const char*) ${bind.sec_addr}.begin());
else
{
sec_addr = new StringVal(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
}
sec_addr = make_intrusive<StringVal>(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
BifEvent::generate_dce_rpc_bind_ack(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
sec_addr);
BifEvent::enqueue_dce_rpc_bind_ack(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
std::move(sec_addr));
}
return true;
%}
@ -107,9 +104,9 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_alter_context_resp )
{
BifEvent::generate_dce_rpc_alter_context_resp(bro_analyzer(),
bro_analyzer()->Conn(),
fid);
BifEvent::enqueue_dce_rpc_alter_context_resp(bro_analyzer(),
bro_analyzer()->Conn(),
fid);
}
return true;
%}
@ -118,12 +115,12 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_request )
{
BifEvent::generate_dce_rpc_request(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.context_id},
${req.opnum},
${req.stub}.length());
BifEvent::enqueue_dce_rpc_request(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${req.context_id},
${req.opnum},
${req.stub}.length());
}
set_cont_id_opnum_map(${req.context_id},
@ -135,12 +132,12 @@ refine connection DCE_RPC_Conn += {
%{
if ( dce_rpc_response )
{
BifEvent::generate_dce_rpc_response(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${resp.context_id},
get_cont_id_opnum_map(${resp.context_id}),
${resp.stub}.length());
BifEvent::enqueue_dce_rpc_response(bro_analyzer(),
bro_analyzer()->Conn(),
fid,
${resp.context_id},
get_cont_id_opnum_map(${resp.context_id}),
${resp.stub}.length());
}
return true;

37
src/analyzer/protocol/dhcp/dhcp-analyzer.pac
View file

@ -1,8 +1,8 @@
refine flow DHCP_Flow += {
%member{
RecordVal* options;
VectorVal* all_options;
IntrusivePtr<RecordVal> options;
IntrusivePtr<VectorVal> all_options;
%}
%init{
@ -11,10 +11,7 @@ refine flow DHCP_Flow += {
%}
%cleanup{
Unref(options);
options = nullptr;
Unref(all_options);
all_options = nullptr;
%}
@ -22,9 +19,9 @@ refine flow DHCP_Flow += {
%{
if ( ! options )
{
options = new RecordVal(BifType::Record::DHCP::Options);
all_options = new VectorVal(index_vec);
options->Assign(0, all_options->Ref());
options = make_intrusive<RecordVal>(BifType::Record::DHCP::Options);
all_options = make_intrusive<VectorVal>(index_vec);
options->Assign(0, all_options);
}
return true;
@ -35,8 +32,7 @@ refine flow DHCP_Flow += {
init_options();
if ( code != 255 )
all_options->Assign(all_options->Size(),
val_mgr->GetCount(code));
all_options->Assign(all_options->Size(), val_mgr->Count(code));
return true;
%}
@ -57,12 +53,12 @@ refine flow DHCP_Flow += {
std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length());
double secs = static_cast<double>(${msg.secs});
auto dhcp_msg_val = new RecordVal(BifType::Record::DHCP::Msg);
dhcp_msg_val->Assign(0, val_mgr->GetCount(${msg.op}));
dhcp_msg_val->Assign(1, val_mgr->GetCount(${msg.type}));
dhcp_msg_val->Assign(2, val_mgr->GetCount(${msg.xid}));
auto dhcp_msg_val = make_intrusive<RecordVal>(BifType::Record::DHCP::Msg);
dhcp_msg_val->Assign(0, val_mgr->Count(${msg.op}));
dhcp_msg_val->Assign(1, val_mgr->Count(${msg.type}));
dhcp_msg_val->Assign(2, val_mgr->Count(${msg.xid}));
dhcp_msg_val->Assign(3, make_intrusive<Val>(secs, TYPE_INTERVAL));
dhcp_msg_val->Assign(4, val_mgr->GetCount(${msg.flags}));
dhcp_msg_val->Assign(4, val_mgr->Count(${msg.flags}));
dhcp_msg_val->Assign(5, make_intrusive<AddrVal>(htonl(${msg.ciaddr})));
dhcp_msg_val->Assign(6, make_intrusive<AddrVal>(htonl(${msg.yiaddr})));
dhcp_msg_val->Assign(7, make_intrusive<AddrVal>(htonl(${msg.siaddr})));
@ -95,14 +91,13 @@ refine flow DHCP_Flow += {
init_options();
BifEvent::generate_dhcp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.is_orig},
dhcp_msg_val,
options);
BifEvent::enqueue_dhcp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.is_orig},
std::move(dhcp_msg_val),
std::move(options));
options = nullptr;
Unref(all_options);
all_options = nullptr;
}

22
src/analyzer/protocol/dhcp/dhcp-options.pac
View file

@ -34,7 +34,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_time_offset_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(25, val_mgr->GetInt(${v.time_offset}));
${context.flow}->options->Assign(25, val_mgr->Int(${v.time_offset}));
return true;
%}
};
@ -250,7 +250,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_forwarding_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(6, val_mgr->GetBool(${v.forwarding} == 0 ? false : true));
${context.flow}->options->Assign(6, val_mgr->Bool(${v.forwarding} == 0 ? false : true));
return true;
%}
@ -469,7 +469,7 @@ refine flow DHCP_Flow += {
for ( int i = 0; i < num_parms; ++i )
{
uint8 param = (*plist)[i];
params->Assign(i, val_mgr->GetCount(param));
params->Assign(i, val_mgr->Count(param));
}
${context.flow}->options->Assign(13, params);
@ -521,7 +521,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_max_message_size_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(15, val_mgr->GetCount(${v.max_msg_size}));
${context.flow}->options->Assign(15, val_mgr->Count(${v.max_msg_size}));
return true;
%}
@ -626,7 +626,7 @@ refine flow DHCP_Flow += {
function process_client_id_option(v: OptionValue): bool
%{
RecordVal* client_id = new RecordVal(BifType::Record::DHCP::ClientID);
client_id->Assign(0, val_mgr->GetCount(${v.client_id.hwtype}));
client_id->Assign(0, val_mgr->Count(${v.client_id.hwtype}));
client_id->Assign(1, make_intrusive<StringVal>(fmt_mac(${v.client_id.hwaddr}.begin(), ${v.client_id.hwaddr}.length())));
${context.flow}->options->Assign(19, client_id);
@ -686,9 +686,9 @@ refine flow DHCP_Flow += {
function process_client_fqdn_option(v: OptionValue): bool
%{
RecordVal* client_fqdn = new RecordVal(BifType::Record::DHCP::ClientFQDN);
client_fqdn->Assign(0, val_mgr->GetCount(${v.client_fqdn.flags}));
client_fqdn->Assign(1, val_mgr->GetCount(${v.client_fqdn.rcode1}));
client_fqdn->Assign(2, val_mgr->GetCount(${v.client_fqdn.rcode2}));
client_fqdn->Assign(0, val_mgr->Count(${v.client_fqdn.flags}));
client_fqdn->Assign(1, val_mgr->Count(${v.client_fqdn.rcode1}));
client_fqdn->Assign(2, val_mgr->Count(${v.client_fqdn.rcode2}));
const char* domain_name = reinterpret_cast<const char*>(${v.client_fqdn.domain_name}.begin());
client_fqdn->Assign(3, make_intrusive<StringVal>(${v.client_fqdn.domain_name}.length(), domain_name));
@ -751,8 +751,8 @@ refine flow DHCP_Flow += {
ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt )
{
auto r = new RecordVal(BifType::Record::DHCP::SubOpt);
r->Assign(0, val_mgr->GetCount((*ptrsubopt)->code()));
r->Assign(1, bytestring_to_val((*ptrsubopt)->value()));
r->Assign(0, val_mgr->Count((*ptrsubopt)->code()));
r->Assign(1, to_stringval((*ptrsubopt)->value()));
relay_agent_sub_opt->Assign(i, r);
++i;
@ -781,7 +781,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_auto_config_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(23, val_mgr->GetBool(${v.auto_config} == 0 ? false : true));
${context.flow}->options->Assign(23, val_mgr->Bool(${v.auto_config} == 0 ? false : true));
return true;
%}

108
src/analyzer/protocol/dnp3/dnp3-analyzer.pac
View file

@ -29,7 +29,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_header_block )
{
BifEvent::generate_dnp3_header_block(
BifEvent::enqueue_dnp3_header_block(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), len, ctrl, dest_addr, src_addr);
@ -42,7 +42,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_application_request_header )
{
BifEvent::generate_dnp3_application_request_header(
BifEvent::enqueue_dnp3_application_request_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -57,7 +57,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_application_response_header )
{
BifEvent::generate_dnp3_application_response_header(
BifEvent::enqueue_dnp3_application_response_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(),
@ -73,7 +73,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_object_header )
{
BifEvent::generate_dnp3_object_header(
BifEvent::enqueue_dnp3_object_header(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), obj_type, qua_field, number, rf_low, rf_high);
@ -86,7 +86,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_object_prefix )
{
BifEvent::generate_dnp3_object_prefix(
BifEvent::enqueue_dnp3_object_prefix(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), prefix_value);
@ -99,7 +99,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_response_data_object )
{
BifEvent::generate_dnp3_response_data_object(
BifEvent::enqueue_dnp3_response_data_object(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), data_value);
@ -113,10 +113,10 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_attribute_common )
{
BifEvent::generate_dnp3_attribute_common(
BifEvent::enqueue_dnp3_attribute_common(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), data_type_code, leng, bytestring_to_val(attribute_obj) );
is_orig(), data_type_code, leng, to_stringval(attribute_obj) );
}
return true;
@ -127,7 +127,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_crob )
{
BifEvent::generate_dnp3_crob(
BifEvent::enqueue_dnp3_crob(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code);
@ -141,7 +141,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_pcb )
{
BifEvent::generate_dnp3_pcb(
BifEvent::enqueue_dnp3_pcb(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code);
@ -155,7 +155,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_32wFlag )
{
BifEvent::generate_dnp3_counter_32wFlag(
BifEvent::enqueue_dnp3_counter_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -169,7 +169,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_16wFlag )
{
BifEvent::generate_dnp3_counter_16wFlag(
BifEvent::enqueue_dnp3_counter_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -183,7 +183,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_32woFlag )
{
BifEvent::generate_dnp3_counter_32woFlag(
BifEvent::enqueue_dnp3_counter_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -197,7 +197,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_counter_16woFlag )
{
BifEvent::generate_dnp3_counter_16woFlag(
BifEvent::enqueue_dnp3_counter_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -211,7 +211,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_32wFlag )
{
BifEvent::generate_dnp3_frozen_counter_32wFlag(
BifEvent::enqueue_dnp3_frozen_counter_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -225,7 +225,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_16wFlag )
{
BifEvent::generate_dnp3_frozen_counter_16wFlag(
BifEvent::enqueue_dnp3_frozen_counter_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value);
@ -239,7 +239,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_32wFlagTime )
{
BifEvent::generate_dnp3_frozen_counter_32wFlagTime(
BifEvent::enqueue_dnp3_frozen_counter_32wFlagTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48));
@ -253,7 +253,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_16wFlagTime )
{
BifEvent::generate_dnp3_frozen_counter_16wFlagTime(
BifEvent::enqueue_dnp3_frozen_counter_16wFlagTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48));
@ -267,7 +267,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_32woFlag )
{
BifEvent::generate_dnp3_frozen_counter_32woFlag(
BifEvent::enqueue_dnp3_frozen_counter_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -281,7 +281,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_counter_16woFlag )
{
BifEvent::generate_dnp3_frozen_counter_16woFlag(
BifEvent::enqueue_dnp3_frozen_counter_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), count_value);
@ -295,7 +295,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_32wFlag )
{
BifEvent::generate_dnp3_analog_input_32wFlag(
BifEvent::enqueue_dnp3_analog_input_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -309,7 +309,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_16wFlag )
{
BifEvent::generate_dnp3_analog_input_16wFlag(
BifEvent::enqueue_dnp3_analog_input_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -323,7 +323,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_32woFlag )
{
BifEvent::generate_dnp3_analog_input_32woFlag(
BifEvent::enqueue_dnp3_analog_input_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), value);
@ -337,7 +337,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_16woFlag )
{
BifEvent::generate_dnp3_analog_input_16woFlag(
BifEvent::enqueue_dnp3_analog_input_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), value);
@ -351,7 +351,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_SPwFlag )
{
BifEvent::generate_dnp3_analog_input_SPwFlag(
BifEvent::enqueue_dnp3_analog_input_SPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -365,7 +365,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_DPwFlag )
{
BifEvent::generate_dnp3_analog_input_DPwFlag(
BifEvent::enqueue_dnp3_analog_input_DPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high);
@ -379,7 +379,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_32wFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_32wFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_32wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -393,7 +393,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_16wFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_16wFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_16wFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -407,7 +407,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_32wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_32wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -421,7 +421,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_16wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_16wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -435,7 +435,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_32woFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_32woFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_32woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), frozen_value);
@ -449,7 +449,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_16woFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_16woFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_16woFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), frozen_value);
@ -463,7 +463,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_SPwFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_SPwFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_SPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -477,7 +477,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_DPwFlag )
{
BifEvent::generate_dnp3_frozen_analog_input_DPwFlag(
BifEvent::enqueue_dnp3_frozen_analog_input_DPwFlag(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high);
@ -491,7 +491,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_32woTime )
{
BifEvent::generate_dnp3_analog_input_event_32woTime(
BifEvent::enqueue_dnp3_analog_input_event_32woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -505,7 +505,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_16woTime )
{
BifEvent::generate_dnp3_analog_input_event_16woTime(
BifEvent::enqueue_dnp3_analog_input_event_16woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -519,7 +519,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_32wTime )
{
BifEvent::generate_dnp3_analog_input_event_32wTime(
BifEvent::enqueue_dnp3_analog_input_event_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
@ -533,7 +533,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_16wTime )
{
BifEvent::generate_dnp3_analog_input_event_16wTime(
BifEvent::enqueue_dnp3_analog_input_event_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
@ -547,7 +547,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_SPwoTime )
{
BifEvent::generate_dnp3_analog_input_event_SPwoTime(
BifEvent::enqueue_dnp3_analog_input_event_SPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value);
@ -561,7 +561,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_DPwoTime )
{
BifEvent::generate_dnp3_analog_input_event_DPwoTime(
BifEvent::enqueue_dnp3_analog_input_event_DPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high);
@ -575,7 +575,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_SPwTime )
{
BifEvent::generate_dnp3_analog_input_event_SPwTime(
BifEvent::enqueue_dnp3_analog_input_event_SPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48));
@ -589,7 +589,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_analog_input_event_DPwTime )
{
BifEvent::generate_dnp3_analog_input_event_DPwTime(
BifEvent::enqueue_dnp3_analog_input_event_DPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, value_low, value_high, bytestring_to_time(time48));
@ -603,7 +603,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_32woTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_32woTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_32woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -617,7 +617,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_16woTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_16woTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_16woTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -631,7 +631,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_32wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_32wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_32wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -645,7 +645,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_16wTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_16wTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_16wTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -659,7 +659,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_SPwoTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_SPwoTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value);
@ -673,7 +673,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_DPwoTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_DPwoTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwoTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high);
@ -687,7 +687,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_SPwTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_SPwTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48));
@ -701,7 +701,7 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_frozen_analog_input_event_DPwTime )
{
BifEvent::generate_dnp3_frozen_analog_input_event_DPwTime(
BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwTime(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48));
@ -715,10 +715,10 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_file_transport )
{
BifEvent::generate_dnp3_file_transport(
BifEvent::enqueue_dnp3_file_transport(
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), file_handle, block_num, bytestring_to_val(file_data));
is_orig(), file_handle, block_num, to_stringval(file_data));
}
return true;
@ -729,10 +729,10 @@ flow DNP3_Flow(is_orig: bool) {
%{
if ( ::dnp3_debug_byte )
{
BifEvent::generate_dnp3_debug_byte (
BifEvent::enqueue_dnp3_debug_byte (
connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), bytestring_to_val(debug));
is_orig(), to_stringval(debug));
}
return true;

162
src/analyzer/protocol/dns/DNS.cc
View file

@ -49,10 +49,10 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
if ( dns_message )
analyzer->EnqueueConnEvent(dns_message,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
analyzer->ConnVal(),
val_mgr->Bool(is_query),
IntrusivePtr{AdoptRef{}, msg.BuildHdrVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
val_mgr->Count(len)
);
// There is a great deal of non-DNS traffic that runs on port 53.
@ -134,7 +134,7 @@ void DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
{
if ( dns_end )
analyzer->EnqueueConnEvent(dns_end,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}
);
}
@ -337,7 +337,7 @@ bool DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
if ( dns_unknown_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_unknown_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}
);
@ -550,7 +550,7 @@ bool DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
if ( reply_event && ! msg->skip_event )
analyzer->EnqueueConnEvent(reply_event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true))
@ -596,14 +596,14 @@ bool DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
auto r = make_intrusive<RecordVal>(dns_soa);
r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, true)));
r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, true)));
r->Assign(2, val_mgr->GetCount(serial));
r->Assign(2, val_mgr->Count(serial));
r->Assign(3, make_intrusive<IntervalVal>(double(refresh), Seconds));
r->Assign(4, make_intrusive<IntervalVal>(double(retry), Seconds));
r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));
analyzer->EnqueueConnEvent(dns_SOA_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(r)
@ -633,11 +633,11 @@ bool DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
if ( dns_MX_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_MX_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(preference)}
val_mgr->Count(preference)
);
return true;
@ -674,13 +674,13 @@ bool DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
if ( dns_SRV_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_SRV_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(priority)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(weight)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
val_mgr->Count(priority),
val_mgr->Count(weight),
val_mgr->Count(port)
);
return true;
@ -695,7 +695,7 @@ bool DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
if ( dns_EDNS_addl && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_EDNS_addl,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildEDNS_Val()}
);
@ -772,7 +772,7 @@ bool DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
tsig.rr_error = rr_error;
analyzer->EnqueueConnEvent(dns_TSIG_addl,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildTSIG_Val(&tsig)}
);
@ -873,7 +873,7 @@ bool DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
rrsig.signature = sign;
analyzer->EnqueueConnEvent(dns_RRSIG,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildRRSIG_Val(&rrsig)}
@ -968,7 +968,7 @@ bool DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
dnskey.public_key = key;
analyzer->EnqueueConnEvent(dns_DNSKEY,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildDNSKEY_Val(&dnskey)}
@ -1020,7 +1020,7 @@ bool DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
if ( dns_NSEC )
analyzer->EnqueueConnEvent(dns_NSEC,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<StringVal>(new BroString(name, name_end - name, true)),
@ -1106,7 +1106,7 @@ bool DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
nsec3.bitmaps = char_strings;
analyzer->EnqueueConnEvent(dns_NSEC3,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildNSEC3_Val(&nsec3)}
@ -1166,7 +1166,7 @@ bool DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
ds.digest_val = ds_digest;
analyzer->EnqueueConnEvent(dns_DS,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, msg->BuildDS_Val(&ds)}
@ -1189,7 +1189,7 @@ bool DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
if ( dns_A_reply && ! msg->skip_event )
analyzer->EnqueueConnEvent(dns_A_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<AddrVal>(htonl(addr))
@ -1225,7 +1225,7 @@ bool DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
if ( event && ! msg->skip_event )
analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
make_intrusive<AddrVal>(addr)
@ -1299,7 +1299,7 @@ bool DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
if ( dns_TXT_reply )
analyzer->EnqueueConnEvent(dns_TXT_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(char_strings)
@ -1327,7 +1327,7 @@ bool DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
if ( dns_SPF_reply )
analyzer->EnqueueConnEvent(dns_SPF_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
std::move(char_strings)
@ -1368,10 +1368,10 @@ bool DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
if ( dns_CAA_reply )
analyzer->EnqueueConnEvent(dns_CAA_reply,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags)},
val_mgr->Count(flags),
make_intrusive<StringVal>(tag),
make_intrusive<StringVal>(value)
);
@ -1396,11 +1396,11 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
assert(event);
analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
make_intrusive<StringVal>(question_name),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qtype)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qclass)}
val_mgr->Count(qtype),
val_mgr->Count(qclass)
);
}
@ -1446,19 +1446,19 @@ Val* DNS_MsgInfo::BuildHdrVal()
{
RecordVal* r = new RecordVal(dns_msg);
r->Assign(0, val_mgr->GetCount(id));
r->Assign(1, val_mgr->GetCount(opcode));
r->Assign(2, val_mgr->GetCount(rcode));
r->Assign(3, val_mgr->GetBool(QR));
r->Assign(4, val_mgr->GetBool(AA));
r->Assign(5, val_mgr->GetBool(TC));
r->Assign(6, val_mgr->GetBool(RD));
r->Assign(7, val_mgr->GetBool(RA));
r->Assign(8, val_mgr->GetCount(Z));
r->Assign(9, val_mgr->GetCount(qdcount));
r->Assign(10, val_mgr->GetCount(ancount));
r->Assign(11, val_mgr->GetCount(nscount));
r->Assign(12, val_mgr->GetCount(arcount));
r->Assign(0, val_mgr->Count(id));
r->Assign(1, val_mgr->Count(opcode));
r->Assign(2, val_mgr->Count(rcode));
r->Assign(3, val_mgr->Bool(QR));
r->Assign(4, val_mgr->Bool(AA));
r->Assign(5, val_mgr->Bool(TC));
r->Assign(6, val_mgr->Bool(RD));
r->Assign(7, val_mgr->Bool(RA));
r->Assign(8, val_mgr->Count(Z));
r->Assign(9, val_mgr->Count(qdcount));
r->Assign(10, val_mgr->Count(ancount));
r->Assign(11, val_mgr->Count(nscount));
r->Assign(12, val_mgr->Count(arcount));
return r;
}
@ -1468,10 +1468,10 @@ Val* DNS_MsgInfo::BuildAnswerVal()
RecordVal* r = new RecordVal(dns_answer);
Ref(query_name);
r->Assign(0, val_mgr->GetCount(int(answer_type)));
r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(1, query_name);
r->Assign(2, val_mgr->GetCount(atype));
r->Assign(3, val_mgr->GetCount(aclass));
r->Assign(2, val_mgr->Count(atype));
r->Assign(3, val_mgr->Count(aclass));
r->Assign(4, make_intrusive<IntervalVal>(double(ttl), Seconds));
return r;
@ -1484,14 +1484,14 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
RecordVal* r = new RecordVal(dns_edns_additional);
Ref(query_name);
r->Assign(0, val_mgr->GetCount(int(answer_type)));
r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(1, query_name);
// type = 0x29 or 41 = EDNS
r->Assign(2, val_mgr->GetCount(atype));
r->Assign(2, val_mgr->Count(atype));
// sender's UDP payload size, per RFC 2671 4.3
r->Assign(3, val_mgr->GetCount(aclass));
r->Assign(3, val_mgr->Count(aclass));
// Need to break the TTL field into three components:
// initial: [------------- ttl (32) ---------------------]
@ -1504,11 +1504,11 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
unsigned int return_error = (ercode << 8) | rcode;
r->Assign(4, val_mgr->GetCount(return_error));
r->Assign(5, val_mgr->GetCount(version));
r->Assign(6, val_mgr->GetCount(z));
r->Assign(4, val_mgr->Count(return_error));
r->Assign(5, val_mgr->Count(version));
r->Assign(6, val_mgr->Count(z));
r->Assign(7, make_intrusive<IntervalVal>(double(ttl), Seconds));
r->Assign(8, val_mgr->GetCount(is_query));
r->Assign(8, val_mgr->Count(is_query));
return r;
}
@ -1519,16 +1519,16 @@ Val* DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
double rtime = tsig->time_s + tsig->time_ms / 1000.0;
Ref(query_name);
// r->Assign(0, val_mgr->GetCount(int(answer_type)));
// r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type)));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, make_intrusive<StringVal>(tsig->alg_name));
r->Assign(3, make_intrusive<StringVal>(tsig->sig));
r->Assign(4, make_intrusive<Val>(rtime, TYPE_TIME));
r->Assign(5, make_intrusive<Val>(double(tsig->fudge), TYPE_TIME));
r->Assign(6, val_mgr->GetCount(tsig->orig_id));
r->Assign(7, val_mgr->GetCount(tsig->rr_error));
r->Assign(8, val_mgr->GetCount(is_query));
r->Assign(6, val_mgr->Count(tsig->orig_id));
r->Assign(7, val_mgr->Count(tsig->rr_error));
r->Assign(8, val_mgr->Count(is_query));
return r;
}
@ -1539,17 +1539,17 @@ Val* DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
Ref(query_name);
r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type)));
r->Assign(2, val_mgr->GetCount(rrsig->type_covered));
r->Assign(3, val_mgr->GetCount(rrsig->algorithm));
r->Assign(4, val_mgr->GetCount(rrsig->labels));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(rrsig->type_covered));
r->Assign(3, val_mgr->Count(rrsig->algorithm));
r->Assign(4, val_mgr->Count(rrsig->labels));
r->Assign(5, make_intrusive<IntervalVal>(double(rrsig->orig_ttl), Seconds));
r->Assign(6, make_intrusive<Val>(double(rrsig->sig_exp), TYPE_TIME));
r->Assign(7, make_intrusive<Val>(double(rrsig->sig_incep), TYPE_TIME));
r->Assign(8, val_mgr->GetCount(rrsig->key_tag));
r->Assign(8, val_mgr->Count(rrsig->key_tag));
r->Assign(9, make_intrusive<StringVal>(rrsig->signer_name));
r->Assign(10, make_intrusive<StringVal>(rrsig->signature));
r->Assign(11, val_mgr->GetCount(is_query));
r->Assign(11, val_mgr->Count(is_query));
return r;
}
@ -1560,12 +1560,12 @@ Val* DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
Ref(query_name);
r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type)));
r->Assign(2, val_mgr->GetCount(dnskey->dflags));
r->Assign(3, val_mgr->GetCount(dnskey->dprotocol));
r->Assign(4, val_mgr->GetCount(dnskey->dalgorithm));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(dnskey->dflags));
r->Assign(3, val_mgr->Count(dnskey->dprotocol));
r->Assign(4, val_mgr->Count(dnskey->dalgorithm));
r->Assign(5, make_intrusive<StringVal>(dnskey->public_key));
r->Assign(6, val_mgr->GetCount(is_query));
r->Assign(6, val_mgr->Count(is_query));
return r;
}
@ -1576,16 +1576,16 @@ Val* DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
Ref(query_name);
r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type)));
r->Assign(2, val_mgr->GetCount(nsec3->nsec_flags));
r->Assign(3, val_mgr->GetCount(nsec3->nsec_hash_algo));
r->Assign(4, val_mgr->GetCount(nsec3->nsec_iter));
r->Assign(5, val_mgr->GetCount(nsec3->nsec_salt_len));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(nsec3->nsec_flags));
r->Assign(3, val_mgr->Count(nsec3->nsec_hash_algo));
r->Assign(4, val_mgr->Count(nsec3->nsec_iter));
r->Assign(5, val_mgr->Count(nsec3->nsec_salt_len));
r->Assign(6, make_intrusive<StringVal>(nsec3->nsec_salt));
r->Assign(7, val_mgr->GetCount(nsec3->nsec_hlen));
r->Assign(7, val_mgr->Count(nsec3->nsec_hlen));
r->Assign(8, make_intrusive<StringVal>(nsec3->nsec_hash));
r->Assign(9, nsec3->bitmaps);
r->Assign(10, val_mgr->GetCount(is_query));
r->Assign(10, val_mgr->Count(is_query));
return r;
}
@ -1596,12 +1596,12 @@ Val* DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
Ref(query_name);
r->Assign(0, query_name);
r->Assign(1, val_mgr->GetCount(int(answer_type)));
r->Assign(2, val_mgr->GetCount(ds->key_tag));
r->Assign(3, val_mgr->GetCount(ds->algorithm));
r->Assign(4, val_mgr->GetCount(ds->digest_type));
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(ds->key_tag));
r->Assign(3, val_mgr->Count(ds->algorithm));
r->Assign(4, val_mgr->Count(ds->digest_type));
r->Assign(5, make_intrusive<StringVal>(ds->digest_val));
r->Assign(6, val_mgr->GetCount(is_query));
r->Assign(6, val_mgr->Count(is_query));
return r;
}

2
src/analyzer/protocol/file/File.cc
View file

@ -80,7 +80,7 @@ void File_Analyzer::Identify()
if ( file_transferred )
EnqueueConnEvent(file_transferred,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(buffer_len, buffer),
make_intrusive<StringVal>("<unknown>"),
make_intrusive<StringVal>(match)

6
src/analyzer/protocol/finger/Finger.cc
View file

@ -68,8 +68,8 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
if ( finger_request )
EnqueueConnEvent(finger_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(long_cnt)},
ConnVal(),
val_mgr->Bool(long_cnt),
make_intrusive<StringVal>(at - line, line),
make_intrusive<StringVal>(end_of_line - host, host)
);
@ -86,7 +86,7 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
return;
EnqueueConnEvent(finger_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(end_of_line - line, line)
);
}

8
src/analyzer/protocol/ftp/FTP.cc
View file

@ -97,7 +97,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
vl = {
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, cmd_str},
make_intrusive<StringVal>(end_of_line - line, line),
};
@ -176,10 +176,10 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
}
vl = {
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
ConnVal(),
val_mgr->Count(reply_code),
make_intrusive<StringVal>(end_of_line - line, line),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(cont_resp)}
val_mgr->Bool(cont_resp)
};
f = ftp_reply;

24
src/analyzer/protocol/ftp/functions.bif
View file

@ -4,9 +4,9 @@ type ftp_port: record;
%%{
#include "Reporter.h"
static Val* parse_port(const char* line)
static IntrusivePtr<Val> parse_port(const char* line)
{
RecordVal* r = new RecordVal(BifType::Record::ftp_port);
auto r = make_intrusive<RecordVal>(BifType::Record::ftp_port);
int bytes[6];
if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d",
@ -34,22 +34,22 @@ static Val* parse_port(const char* line)
}
r->Assign(0, make_intrusive<AddrVal>(htonl(addr)));
r->Assign(1, val_mgr->GetPort(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->GetBool(good));
r->Assign(1, val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->Bool(good));
}
else
{
r->Assign(0, make_intrusive<AddrVal>(uint32_t(0)));
r->Assign(1, val_mgr->GetPort(0, TRANSPORT_TCP));
r->Assign(2, val_mgr->GetFalse());
r->Assign(1, val_mgr->Port(0, TRANSPORT_TCP));
r->Assign(2, val_mgr->False());
}
return r;
}
static Val* parse_eftp(const char* line)
static IntrusivePtr<Val> parse_eftp(const char* line)
{
RecordVal* r = new RecordVal(BifType::Record::ftp_port);
auto r = make_intrusive<RecordVal>(BifType::Record::ftp_port);
int net_proto = 0; // currently not used
IPAddr addr; // unspecified IPv6 address (all 128 bits zero)
@ -110,8 +110,8 @@ static Val* parse_eftp(const char* line)
}
r->Assign(0, make_intrusive<AddrVal>(addr));
r->Assign(1, val_mgr->GetPort(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->GetBool(good));
r->Assign(1, val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, val_mgr->Bool(good));
return r;
}
@ -206,7 +206,7 @@ function fmt_ftp_port%(a: addr, p: port%): string
{
uint32_t a = ntohl(addr[0]);
uint32_t pn = p->Port();
return new StringVal(fmt("%d,%d,%d,%d,%d,%d",
return make_intrusive<StringVal>(fmt("%d,%d,%d,%d,%d,%d",
a >> 24, (a >> 16) & 0xff,
(a >> 8) & 0xff, a & 0xff,
pn >> 8, pn & 0xff));
@ -215,6 +215,6 @@ function fmt_ftp_port%(a: addr, p: port%): string
{
builtin_error("conversion of non-IPv4 address in fmt_ftp_port",
@ARG@[0]);
return val_mgr->GetEmptyString();
return val_mgr->EmptyString();
}
%}

36
src/analyzer/protocol/gnutella/Gnutella.cc
View file

@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done()
if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
{
if ( Established() && gnutella_establish )
EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(gnutella_establish, ConnVal());
else if ( ! Established () && gnutella_not_establish )
EnqueueConnEvent(gnutella_not_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(gnutella_not_establish, ConnVal());
}
if ( gnutella_partial_binary_msg )
@ -72,10 +72,10 @@ void Gnutella_Analyzer::Done()
{
if ( ! p->msg_sent && p->msg_pos )
EnqueueConnEvent(gnutella_partial_binary_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(p->msg),
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((i == 0))},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_pos)}
val_mgr->Bool((i == 0)),
val_mgr->Count(p->msg_pos)
);
else if ( ! p->msg_sent && p->payload_left )
@ -118,7 +118,7 @@ bool Gnutella_Analyzer::IsHTTP(std::string header)
return false;
if ( gnutella_http_notify )
EnqueueConnEvent(gnutella_http_notify, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(gnutella_http_notify, ConnVal());
analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
@ -177,8 +177,8 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{
if ( gnutella_text_msg )
EnqueueConnEvent(gnutella_text_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(ms->headers.data())
);
@ -189,7 +189,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
{
sent_establish = 1;
EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(gnutella_establish, ConnVal());
}
}
}
@ -215,16 +215,16 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
if ( gnutella_binary_msg )
EnqueueConnEvent(gnutella_binary_msg,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_type)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_ttl)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_hops)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_len)},
ConnVal(),
val_mgr->Bool(is_orig),
val_mgr->Count(p->msg_type),
val_mgr->Count(p->msg_ttl),
val_mgr->Count(p->msg_hops),
val_mgr->Count(p->msg_len),
make_intrusive<StringVal>(p->payload),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->payload_len)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_left == 0))}
val_mgr->Count(p->payload_len),
val_mgr->Bool((p->payload_len < std::min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
val_mgr->Bool((p->payload_left == 0))
);
}

6
src/analyzer/protocol/gssapi/gssapi-analyzer.pac
View file

@ -61,9 +61,9 @@ refine connection GSSAPI_Conn += {
%{
if ( gssapi_neg_result )
{
BifEvent::generate_gssapi_neg_result(bro_analyzer(),
bro_analyzer()->Conn(),
binary_to_int64(${val.neg_state.encoding.content}));
BifEvent::enqueue_gssapi_neg_result(bro_analyzer(),
bro_analyzer()->Conn(),
binary_to_int64(${val.neg_state.encoding.content}));
}
return true;

142
src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
View file

@ -4,90 +4,90 @@
%}
%code{
RecordVal* BuildGTPv1Hdr(const GTPv1_Header* pdu)
IntrusivePtr<RecordVal> BuildGTPv1Hdr(const GTPv1_Header* pdu)
{
RecordVal* rv = new RecordVal(BifType::Record::gtpv1_hdr);
auto rv = make_intrusive<RecordVal>(BifType::Record::gtpv1_hdr);
rv->Assign(0, val_mgr->GetCount(pdu->version()));
rv->Assign(1, val_mgr->GetBool(pdu->pt_flag()));
rv->Assign(2, val_mgr->GetBool(pdu->rsv()));
rv->Assign(3, val_mgr->GetBool(pdu->e_flag()));
rv->Assign(4, val_mgr->GetBool(pdu->s_flag()));
rv->Assign(5, val_mgr->GetBool(pdu->pn_flag()));
rv->Assign(6, val_mgr->GetCount(pdu->msg_type()));
rv->Assign(7, val_mgr->GetCount(pdu->length()));
rv->Assign(8, val_mgr->GetCount(pdu->teid()));
rv->Assign(0, val_mgr->Count(pdu->version()));
rv->Assign(1, val_mgr->Bool(pdu->pt_flag()));
rv->Assign(2, val_mgr->Bool(pdu->rsv()));
rv->Assign(3, val_mgr->Bool(pdu->e_flag()));
rv->Assign(4, val_mgr->Bool(pdu->s_flag()));
rv->Assign(5, val_mgr->Bool(pdu->pn_flag()));
rv->Assign(6, val_mgr->Count(pdu->msg_type()));
rv->Assign(7, val_mgr->Count(pdu->length()));
rv->Assign(8, val_mgr->Count(pdu->teid()));
if ( pdu->has_opt() )
{
rv->Assign(9, val_mgr->GetCount(pdu->opt_hdr()->seq()));
rv->Assign(10, val_mgr->GetCount(pdu->opt_hdr()->n_pdu()));
rv->Assign(11, val_mgr->GetCount(pdu->opt_hdr()->next_type()));
rv->Assign(9, val_mgr->Count(pdu->opt_hdr()->seq()));
rv->Assign(10, val_mgr->Count(pdu->opt_hdr()->n_pdu()));
rv->Assign(11, val_mgr->Count(pdu->opt_hdr()->next_type()));
}
return rv;
}
Val* BuildIMSI(const InformationElement* ie)
static IntrusivePtr<Val> BuildIMSI(const InformationElement* ie)
{
return val_mgr->GetCount(ie->imsi()->value());
return val_mgr->Count(ie->imsi()->value());
}
Val* BuildRAI(const InformationElement* ie)
static IntrusivePtr<Val> BuildRAI(const InformationElement* ie)
{
RecordVal* ev = new RecordVal(BifType::Record::gtp_rai);
ev->Assign(0, val_mgr->GetCount(ie->rai()->mcc()));
ev->Assign(1, val_mgr->GetCount(ie->rai()->mnc()));
ev->Assign(2, val_mgr->GetCount(ie->rai()->lac()));
ev->Assign(3, val_mgr->GetCount(ie->rai()->rac()));
auto ev = make_intrusive<RecordVal>(BifType::Record::gtp_rai);
ev->Assign(0, val_mgr->Count(ie->rai()->mcc()));
ev->Assign(1, val_mgr->Count(ie->rai()->mnc()));
ev->Assign(2, val_mgr->Count(ie->rai()->lac()));
ev->Assign(3, val_mgr->Count(ie->rai()->rac()));
return ev;
}
Val* BuildRecovery(const InformationElement* ie)
static IntrusivePtr<Val> BuildRecovery(const InformationElement* ie)
{
return val_mgr->GetCount(ie->recovery()->restart_counter());
return val_mgr->Count(ie->recovery()->restart_counter());
}
Val* BuildSelectionMode(const InformationElement* ie)
static IntrusivePtr<Val> BuildSelectionMode(const InformationElement* ie)
{
return val_mgr->GetCount(ie->selection_mode()->mode());
return val_mgr->Count(ie->selection_mode()->mode());
}
Val* BuildTEID1(const InformationElement* ie)
static IntrusivePtr<Val> BuildTEID1(const InformationElement* ie)
{
return val_mgr->GetCount(ie->teid1()->value());
return val_mgr->Count(ie->teid1()->value());
}
Val* BuildTEID_ControlPlane(const InformationElement* ie)
static IntrusivePtr<Val> BuildTEID_ControlPlane(const InformationElement* ie)
{
return val_mgr->GetCount(ie->teidcp()->value());
return val_mgr->Count(ie->teidcp()->value());
}
Val* BuildNSAPI(const InformationElement* ie)
static IntrusivePtr<Val> BuildNSAPI(const InformationElement* ie)
{
return val_mgr->GetCount(ie->nsapi()->nsapi());
return val_mgr->Count(ie->nsapi()->nsapi());
}
Val* BuildChargingCharacteristics(const InformationElement* ie)
static IntrusivePtr<Val> BuildChargingCharacteristics(const InformationElement* ie)
{
return val_mgr->GetCount(ie->charging_characteristics()->value());
return val_mgr->Count(ie->charging_characteristics()->value());
}
Val* BuildTraceReference(const InformationElement* ie)
static IntrusivePtr<Val> BuildTraceReference(const InformationElement* ie)
{
return val_mgr->GetCount(ie->trace_reference()->value());
return val_mgr->Count(ie->trace_reference()->value());
}
Val* BuildTraceType(const InformationElement* ie)
static IntrusivePtr<Val> BuildTraceType(const InformationElement* ie)
{
return val_mgr->GetCount(ie->trace_type()->value());
return val_mgr->Count(ie->trace_type()->value());
}
Val* BuildEndUserAddr(const InformationElement* ie)
{
RecordVal* ev = new RecordVal(BifType::Record::gtp_end_user_addr);
ev->Assign(0, val_mgr->GetCount(ie->end_user_addr()->pdp_type_org()));
ev->Assign(1, val_mgr->GetCount(ie->end_user_addr()->pdp_type_num()));
ev->Assign(0, val_mgr->Count(ie->end_user_addr()->pdp_type_org()));
ev->Assign(1, val_mgr->Count(ie->end_user_addr()->pdp_type_num()));
int len = ie->end_user_addr()->pdp_addr().length();
@ -161,7 +161,7 @@ Val* BuildQoS_Profile(const InformationElement* ie)
const u_char* d = (const u_char*) ie->qos_profile()->data().data();
int len = ie->qos_profile()->data().length();
ev->Assign(0, val_mgr->GetCount(ie->qos_profile()->alloc_retention_priority()));
ev->Assign(0, val_mgr->Count(ie->qos_profile()->alloc_retention_priority()));
ev->Assign(1, make_intrusive<StringVal>(new BroString(d, len, false)));
return ev;
@ -195,25 +195,25 @@ Val* BuildPrivateExt(const InformationElement* ie)
const uint8* d = ie->private_ext()->value().data();
int len = ie->private_ext()->value().length();
ev->Assign(0, val_mgr->GetCount(ie->private_ext()->id()));
ev->Assign(0, val_mgr->Count(ie->private_ext()->id()));
ev->Assign(1, make_intrusive<StringVal>(new BroString((const u_char*) d, len, false)));
return ev;
}
Val* BuildCause(const InformationElement* ie)
static IntrusivePtr<Val> BuildCause(const InformationElement* ie)
{
return val_mgr->GetCount(ie->cause()->value());
return val_mgr->Count(ie->cause()->value());
}
Val* BuildReorderReq(const InformationElement* ie)
static IntrusivePtr<Val> BuildReorderReq(const InformationElement* ie)
{
return val_mgr->GetBool(ie->reorder_req()->req());
return val_mgr->Bool(ie->reorder_req()->req());
}
Val* BuildChargingID(const InformationElement* ie)
static IntrusivePtr<Val> BuildChargingID(const InformationElement* ie)
{
return val_mgr->GetCount(ie->charging_id()->value());;
return val_mgr->Count(ie->charging_id()->value());;
}
Val* BuildChargingGatewayAddr(const InformationElement* ie)
@ -228,16 +228,16 @@ Val* BuildChargingGatewayAddr(const InformationElement* ie)
return 0;
}
Val* BuildTeardownInd(const InformationElement* ie)
static IntrusivePtr<Val> BuildTeardownInd(const InformationElement* ie)
{
return val_mgr->GetBool(ie->teardown_ind()->ind());
return val_mgr->Bool(ie->teardown_ind()->ind());
}
void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
{
if ( ! ::gtpv1_create_pdp_ctx_request ) return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_create_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_request();
@ -328,8 +328,8 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_create_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_create_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -337,7 +337,7 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_create_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_create_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->create_pdp_ctx_response();
@ -397,8 +397,8 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_create_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_create_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -406,7 +406,7 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_update_pdp_ctx_request )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_update_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_request();
@ -475,8 +475,8 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_update_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_update_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -484,7 +484,7 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_update_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_update_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->update_pdp_ctx_response();
@ -535,8 +535,8 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_update_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_update_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -544,7 +544,7 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_delete_pdp_ctx_request )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_delete_pdp_ctx_request_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request();
@ -569,8 +569,8 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
@ -578,7 +578,7 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
if ( ! ::gtpv1_delete_pdp_ctx_response )
return;
RecordVal* rv = new RecordVal(
auto rv = make_intrusive<RecordVal>(
BifType::Record::gtp_delete_pdp_ctx_response_elements);
const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response();
@ -600,8 +600,8 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
}
}
BifEvent::generate_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), rv);
BifEvent::enqueue_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
BuildGTPv1Hdr(pdu), std::move(rv));
}
%}
@ -679,7 +679,7 @@ flow GTPv1_Flow(is_orig: bool)
}
if ( ::gtpv1_message )
BifEvent::generate_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
BifEvent::enqueue_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
switch ( ${pdu.msg_type} ) {
case 16:
@ -759,8 +759,8 @@ flow GTPv1_Flow(is_orig: bool)
}
if ( ::gtpv1_g_pdu_packet )
BifEvent::generate_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu),
inner->BuildPktHdrVal());
BifEvent::enqueue_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu),
{AdoptRef{}, inner->BuildPktHdrVal()});
EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);

55
src/analyzer/protocol/http/HTTP.cc
View file

@ -618,11 +618,11 @@ Val* HTTP_Message::BuildMessageStat(bool interrupted, const char* msg)
RecordVal* stat = new RecordVal(http_message_stat);
int field = 0;
stat->Assign(field++, make_intrusive<Val>(start_time, TYPE_TIME));
stat->Assign(field++, val_mgr->GetBool(interrupted));
stat->Assign(field++, val_mgr->Bool(interrupted));
stat->Assign(field++, make_intrusive<StringVal>(msg));
stat->Assign(field++, val_mgr->GetCount(body_length));
stat->Assign(field++, val_mgr->GetCount(content_gap_length));
stat->Assign(field++, val_mgr->GetCount(header_length));
stat->Assign(field++, val_mgr->Count(body_length));
stat->Assign(field++, val_mgr->Count(content_gap_length));
stat->Assign(field++, val_mgr->Count(header_length));
return stat;
}
@ -650,8 +650,8 @@ void HTTP_Message::Done(bool interrupted, const char* detail)
if ( http_message_done )
GetAnalyzer()->EnqueueConnEvent(http_message_done,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
analyzer->ConnVal(),
val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, BuildMessageStat(interrupted, detail)}
);
@ -681,8 +681,8 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
if ( http_begin_entity )
analyzer->EnqueueConnEvent(http_begin_entity,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
analyzer->ConnVal(),
val_mgr->Bool(is_orig)
);
}
@ -696,8 +696,8 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
if ( http_end_entity )
analyzer->EnqueueConnEvent(http_end_entity,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
analyzer->ConnVal(),
val_mgr->Bool(is_orig)
);
current_entity = (HTTP_Entity*) entity->Parent();
@ -735,8 +735,8 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
{
if ( http_all_headers )
analyzer->EnqueueConnEvent(http_all_headers,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
analyzer->ConnVal(),
val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
);
@ -746,8 +746,8 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
StringVal* subty = current_entity->ContentSubType();
analyzer->EnqueueConnEvent(http_content_type,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
analyzer->ConnVal(),
val_mgr->Bool(is_orig),
IntrusivePtr{NewRef{}, ty},
IntrusivePtr{NewRef{}, subty}
);
@ -1172,13 +1172,13 @@ void HTTP_Analyzer::GenStats()
if ( http_stats )
{
auto r = make_intrusive<RecordVal>(http_stats_rec);
r->Assign(0, val_mgr->GetCount(num_requests));
r->Assign(1, val_mgr->GetCount(num_replies));
r->Assign(0, val_mgr->Count(num_requests));
r->Assign(1, val_mgr->Count(num_replies));
r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE));
r->Assign(3, make_intrusive<Val>(reply_version.ToDouble(), TYPE_DOUBLE));
// DEBUG_MSG("%.6f http_stats\n", network_time);
EnqueueConnEvent(http_stats, IntrusivePtr{AdoptRef{}, BuildConnVal()}, std::move(r));
EnqueueConnEvent(http_stats, ConnVal(), std::move(r));
}
}
@ -1378,7 +1378,7 @@ void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
if ( http_event )
// DEBUG_MSG("%.6f http_event\n", network_time);
EnqueueConnEvent(http_event,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(category),
IntrusivePtr{AdoptRef{}, detail}
);
@ -1417,7 +1417,7 @@ void HTTP_Analyzer::HTTP_Request()
if ( http_request )
// DEBUG_MSG("%.6f http_request\n", network_time);
EnqueueConnEvent(http_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{NewRef{}, request_method},
IntrusivePtr{AdoptRef{}, TruncateURI(request_URI->AsStringVal())},
IntrusivePtr{AdoptRef{}, TruncateURI(unescaped_URI->AsStringVal())},
@ -1429,9 +1429,9 @@ void HTTP_Analyzer::HTTP_Reply()
{
if ( http_reply )
EnqueueConnEvent(http_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(fmt("%.1f", reply_version.ToDouble())),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
val_mgr->Count(reply_code),
reply_reason_phrase ?
IntrusivePtr{NewRef{}, reply_reason_phrase} :
make_intrusive<StringVal>("<empty>")
@ -1506,7 +1506,7 @@ void HTTP_Analyzer::ReplyMade(bool interrupted, const char* msg)
if ( http_connection_upgrade )
EnqueueConnEvent(http_connection_upgrade,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(upgrade_protocol)
);
}
@ -1670,8 +1670,9 @@ void HTTP_Analyzer::HTTP_Header(bool is_orig, mime::MIME_Header* h)
DEBUG_MSG("%.6f http_header\n", network_time);
EnqueueConnEvent(http_header,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
ConnVal(),
val_mgr->Bool(is_orig),
IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())},
IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())->ToUpper()},
IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_value())}
);
@ -1682,9 +1683,9 @@ void HTTP_Analyzer::HTTP_EntityData(bool is_orig, BroString* entity_data)
{
if ( http_entity_data )
EnqueueConnEvent(http_entity_data,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(entity_data->Len())},
ConnVal(),
val_mgr->Bool(is_orig),
val_mgr->Count(entity_data->Len()),
make_intrusive<StringVal>(entity_data)
);
else

5
src/analyzer/protocol/http/events.bif
View file

@ -54,7 +54,9 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
##
## is_orig: True if the header was sent by the originator of the TCP connection.
##
## name: The name of the header.
## original_name: The name of the header (unaltered).
##
## name: The name of the header (converted to all uppercase).
##
## value: The value of the header.
##
@ -64,6 +66,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
##
## .. note:: This event is also raised for headers found in nested body
## entities.
event http_header%(c: connection, is_orig: bool, original_name: string, name: string, value: string%);
event http_header%(c: connection, is_orig: bool, name: string, value: string%);
## Generated for HTTP headers, passing on all headers of an HTTP message at

4
src/analyzer/protocol/http/functions.bif
View file

@ -31,7 +31,7 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any
else
reporter->Error("no analyzer associated with connection record");
return 0;
return nullptr;
%}
## Unescapes all characters in a URI (decode every ``%xx`` group).
@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string
const u_char* line = URI->Bytes();
const u_char* const line_end = line + URI->Len();
return new StringVal(analyzer::http::unescape_URI(line, line_end, 0));
return make_intrusive<StringVal>(analyzer::http::unescape_URI(line, line_end, 0));
%}

114
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -203,7 +203,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
{
if ( icmp_sent )
EnqueueConnEvent(icmp_sent,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)}
);
@ -212,7 +212,7 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
BroString* payload = new BroString(data, std::min(len, caplen), false);
EnqueueConnEvent(icmp_sent_payload,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)},
make_intrusive<StringVal>(payload)
);
@ -228,11 +228,11 @@ RecordVal* ICMP_Analyzer::BuildICMPVal(const struct icmp* icmpp, int len,
icmp_conn_val->Assign(0, make_intrusive<AddrVal>(Conn()->OrigAddr()));
icmp_conn_val->Assign(1, make_intrusive<AddrVal>(Conn()->RespAddr()));
icmp_conn_val->Assign(2, val_mgr->GetCount(icmpp->icmp_type));
icmp_conn_val->Assign(3, val_mgr->GetCount(icmpp->icmp_code));
icmp_conn_val->Assign(4, val_mgr->GetCount(len));
icmp_conn_val->Assign(5, val_mgr->GetCount(ip_hdr->TTL()));
icmp_conn_val->Assign(6, val_mgr->GetBool(icmpv6));
icmp_conn_val->Assign(2, val_mgr->Count(icmpp->icmp_type));
icmp_conn_val->Assign(3, val_mgr->Count(icmpp->icmp_code));
icmp_conn_val->Assign(4, val_mgr->Count(len));
icmp_conn_val->Assign(5, val_mgr->Count(ip_hdr->TTL()));
icmp_conn_val->Assign(6, val_mgr->Bool(icmpv6));
}
Ref(icmp_conn_val);
@ -355,18 +355,18 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
RecordVal* id_val = new RecordVal(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, val_mgr->GetPort(src_port, proto));
id_val->Assign(1, val_mgr->Port(src_port, proto));
id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->GetPort(dst_port, proto));
id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, id_val);
iprec->Assign(1, val_mgr->GetCount(ip_len));
iprec->Assign(2, val_mgr->GetCount(proto));
iprec->Assign(3, val_mgr->GetCount(frag_offset));
iprec->Assign(4, val_mgr->GetBool(bad_hdr_len));
iprec->Assign(5, val_mgr->GetBool(bad_checksum));
iprec->Assign(6, val_mgr->GetBool(MF));
iprec->Assign(7, val_mgr->GetBool(DF));
iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
iprec->Assign(5, val_mgr->Bool(bad_checksum));
iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->Bool(DF));
return iprec;
}
@ -414,19 +414,19 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
RecordVal* id_val = new RecordVal(conn_id);
id_val->Assign(0, make_intrusive<AddrVal>(src_addr));
id_val->Assign(1, val_mgr->GetPort(src_port, proto));
id_val->Assign(1, val_mgr->Port(src_port, proto));
id_val->Assign(2, make_intrusive<AddrVal>(dst_addr));
id_val->Assign(3, val_mgr->GetPort(dst_port, proto));
id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, id_val);
iprec->Assign(1, val_mgr->GetCount(ip_len));
iprec->Assign(2, val_mgr->GetCount(proto));
iprec->Assign(3, val_mgr->GetCount(frag_offset));
iprec->Assign(4, val_mgr->GetBool(bad_hdr_len));
iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
// bad_checksum is always false since IPv6 layer doesn't have a checksum.
iprec->Assign(5, val_mgr->GetFalse());
iprec->Assign(6, val_mgr->GetBool(MF));
iprec->Assign(7, val_mgr->GetBool(DF));
iprec->Assign(5, val_mgr->False());
iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->Bool(DF));
return iprec;
}
@ -474,14 +474,14 @@ void ICMP_Analyzer::UpdateEndpointVal(RecordVal* endp, bool is_orig)
int size = is_orig ? request_len : reply_len;
if ( size < 0 )
{
endp->Assign(0, val_mgr->GetCount(0));
endp->Assign(1, val_mgr->GetCount(int(ICMP_INACTIVE)));
endp->Assign(0, val_mgr->Count(0));
endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE)));
}
else
{
endp->Assign(0, val_mgr->GetCount(size));
endp->Assign(1, val_mgr->GetCount(int(ICMP_ACTIVE)));
endp->Assign(0, val_mgr->Count(size));
endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE)));
}
}
@ -515,10 +515,10 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
BroString* payload = new BroString(data, caplen, false);
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iid)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iseq)},
val_mgr->Count(iid),
val_mgr->Count(iseq),
make_intrusive<StringVal>(payload)
);
}
@ -543,15 +543,15 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(reachable) + sizeof(retrans);
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_num_addrs)}, // Cur Hop Limit
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x80)}, // Managed
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x40)}, // Other
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x20)}, // Home Agent
IntrusivePtr{AdoptRef{}, val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)}, // Pref
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x04)}, // Proxy
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_wpa & 0x02)}, // Reserved
val_mgr->Count(icmpp->icmp_num_addrs), // Cur Hop Limit
val_mgr->Bool(icmpp->icmp_wpa & 0x80), // Managed
val_mgr->Bool(icmpp->icmp_wpa & 0x40), // Other
val_mgr->Bool(icmpp->icmp_wpa & 0x20), // Home Agent
val_mgr->Count((icmpp->icmp_wpa & 0x18)>>3), // Pref
val_mgr->Bool(icmpp->icmp_wpa & 0x04), // Proxy
val_mgr->Count(icmpp->icmp_wpa & 0x02), // Reserved
make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
@ -576,11 +576,11 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr);
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)}, // Router
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)}, // Solicited
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)}, // Override
val_mgr->Bool(icmpp->icmp_num_addrs & 0x80), // Router
val_mgr->Bool(icmpp->icmp_num_addrs & 0x40), // Solicited
val_mgr->Bool(icmpp->icmp_num_addrs & 0x20), // Override
make_intrusive<AddrVal>(tgtaddr),
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
);
@ -603,7 +603,7 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int opt_offset = sizeof(in6_addr);
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
make_intrusive<AddrVal>(tgtaddr),
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
@ -630,7 +630,7 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int opt_offset = 2 * sizeof(in6_addr);
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
make_intrusive<AddrVal>(tgtaddr),
make_intrusive<AddrVal>(dstaddr),
@ -648,7 +648,7 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
return;
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen, data)}
);
@ -673,9 +673,9 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
if ( f )
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 0, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
val_mgr->Count(icmpp->icmp_code),
IntrusivePtr{AdoptRef{}, ExtractICMP4Context(caplen, data)}
);
}
@ -711,9 +711,9 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
if ( f )
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
val_mgr->Count(icmpp->icmp_code),
IntrusivePtr{AdoptRef{}, ExtractICMP6Context(caplen, data)}
);
}
@ -752,8 +752,8 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
}
RecordVal* rv = new RecordVal(icmp6_nd_option_type);
rv->Assign(0, val_mgr->GetCount(type));
rv->Assign(1, val_mgr->GetCount(length));
rv->Assign(0, val_mgr->Count(type));
rv->Assign(1, val_mgr->Count(length));
// Adjust length to be in units of bytes, exclude type/length fields.
length = length * 8 - 2;
@ -792,9 +792,9 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
uint32_t valid_life = *((const uint32_t*)(data + 2));
uint32_t prefer_life = *((const uint32_t*)(data + 6));
in6_addr prefix = *((const in6_addr*)(data + 14));
info->Assign(0, val_mgr->GetCount(prefix_len));
info->Assign(1, val_mgr->GetBool(L_flag));
info->Assign(2, val_mgr->GetBool(A_flag));
info->Assign(0, val_mgr->Count(prefix_len));
info->Assign(1, val_mgr->Bool(L_flag));
info->Assign(2, val_mgr->Bool(A_flag));
info->Assign(3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds));
info->Assign(4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds));
info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
@ -825,7 +825,7 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
// MTU option
{
if ( caplen >= 6 )
rv->Assign(5, val_mgr->GetCount(ntohl(*((const uint32_t*)(data + 2)))));
rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
else
set_payload_field = true;

22
src/analyzer/protocol/ident/Ident.cc
View file

@ -85,9 +85,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
}
EnqueueConnEvent(ident_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)}
ConnVal(),
val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP)
);
did_deliver = true;
@ -146,9 +146,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
{
if ( ident_error )
EnqueueConnEvent(ident_error,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
ConnVal(),
val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP),
make_intrusive<StringVal>(end_of_line - line, line)
);
}
@ -179,9 +179,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
line = skip_whitespace(colon + 1, end_of_line);
EnqueueConnEvent(ident_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
ConnVal(),
val_mgr->Port(local_port, TRANSPORT_TCP),
val_mgr->Port(remote_port, TRANSPORT_TCP),
make_intrusive<StringVal>(end_of_line - line, line),
make_intrusive<StringVal>(sys_type_s)
);
@ -215,7 +215,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
int n = 0;
line = skip_whitespace(line, end_of_line);
if ( ! isdigit(*line) )
if ( line >= end_of_line || ! isdigit(*line) )
return nullptr;
const char* l = line;
@ -225,7 +225,7 @@ const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
n = n * 10 + (*line - '0');
++line;
}
while ( isdigit(*line) );
while ( line < end_of_line && isdigit(*line) );
line = skip_whitespace(line, end_of_line);

7
src/analyzer/protocol/imap/imap-analyzer.pac
View file

@ -45,7 +45,7 @@ refine connection IMAP_Conn += {
bro_analyzer()->StartTLS();
if ( imap_starttls )
BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
BifEvent::enqueue_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
}
else
reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
@ -59,14 +59,15 @@ refine connection IMAP_Conn += {
if ( ! imap_capabilities )
return true;
VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType());
auto capv = make_intrusive<VectorVal>(internal_type("string_vec")->AsVectorType());
for ( unsigned int i = 0; i< capabilities->size(); i++ )
{
const bytestring& capability = (*capabilities)[i]->cap();
capv->Assign(i, make_intrusive<StringVal>(capability.length(), (const char*)capability.data()));
}
BifEvent::generate_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), capv);
BifEvent::enqueue_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), std::move(capv));
return true;
%}

176
src/analyzer/protocol/irc/IRC.cc
View file

@ -235,11 +235,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_network_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
ConnVal(),
val_mgr->Bool(orig),
val_mgr->Int(users),
val_mgr->Int(services),
val_mgr->Int(servers)
);
}
break;
@ -282,8 +282,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_names_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(type.c_str()),
make_intrusive<StringVal>(channel.c_str()),
std::move(set)
@ -316,11 +316,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_server_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
ConnVal(),
val_mgr->Bool(orig),
val_mgr->Int(users),
val_mgr->Int(services),
val_mgr->Int(servers)
);
}
break;
@ -338,9 +338,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
channels = atoi(parts[i - 1].c_str());
EnqueueConnEvent(irc_channel_info,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(channels)}
ConnVal(),
val_mgr->Bool(orig),
val_mgr->Int(channels)
);
}
break;
@ -370,8 +370,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_global_users,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(eop - prefix, prefix),
make_intrusive<StringVal>(++msg)
);
@ -396,8 +396,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
zeek::Args vl;
vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
vl.emplace_back(ConnVal());
vl.emplace_back(val_mgr->Bool(orig));
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
@ -435,8 +435,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_whois_operator_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str())
);
}
@ -473,8 +473,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_whois_channel_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(nick.c_str()),
std::move(set)
);
@ -504,8 +504,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
++t;
EnqueueConnEvent(irc_channel_topic,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(t)
);
@ -538,8 +538,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[7] = parts[7].substr(1);
EnqueueConnEvent(irc_who_line,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(parts[2].c_str()),
@ -547,7 +547,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
make_intrusive<StringVal>(parts[4].c_str()),
make_intrusive<StringVal>(parts[5].c_str()),
make_intrusive<StringVal>(parts[6].c_str()),
IntrusivePtr{AdoptRef{}, val_mgr->GetInt(atoi(parts[7].c_str()))},
val_mgr->Int(atoi(parts[7].c_str())),
make_intrusive<StringVal>(parts[8].c_str())
);
}
@ -560,8 +560,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 436:
if ( irc_invalid_nick )
EnqueueConnEvent(irc_invalid_nick,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}
ConnVal(),
val_mgr->Bool(orig)
);
break;
@ -570,9 +570,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
case 491: // user is not operator
if ( irc_oper_response )
EnqueueConnEvent(irc_oper_response,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(code == 381)}
ConnVal(),
val_mgr->Bool(orig),
val_mgr->Bool(code == 381)
);
break;
@ -585,10 +585,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
default:
if ( irc_reply )
EnqueueConnEvent(irc_reply,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(code)},
val_mgr->Count(code),
make_intrusive<StringVal>(params.c_str())
);
break;
@ -656,17 +656,15 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_dcc_message )
EnqueueConnEvent(irc_dcc_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(parts[1].c_str()),
make_intrusive<StringVal>(parts[2].c_str()),
make_intrusive<AddrVal>(htonl(raw_ip)),
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(atoi(parts[4].c_str()))},
IntrusivePtr{AdoptRef{}, parts.size() >= 6 ?
val_mgr->GetCount(atoi(parts[5].c_str())) :
val_mgr->GetCount(0)}
val_mgr->Count(atoi(parts[4].c_str())),
parts.size() >= 6 ? val_mgr->Count(atoi(parts[5].c_str())) : val_mgr->Count(0)
);
}
@ -674,8 +672,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
if ( irc_privmsg_message )
EnqueueConnEvent(irc_privmsg_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
@ -699,8 +697,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
message = message.substr(1);
EnqueueConnEvent(irc_notice_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
@ -723,8 +721,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
message = message.substr(1);
EnqueueConnEvent(irc_squery_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(target.c_str()),
make_intrusive<StringVal>(message.c_str())
@ -737,20 +735,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vector<string> parts = SplitWords(params, ' ');
zeek::Args vl;
vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
vl.emplace_back(ConnVal());
vl.emplace_back(val_mgr->Bool(orig));
if ( parts.size() > 0 )
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
else vl.emplace_back(val_mgr->EmptyString());
if ( parts.size() > 1 )
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
else vl.emplace_back(val_mgr->EmptyString());
if ( parts.size() > 2 )
vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
else vl.emplace_back(val_mgr->EmptyString());
string realname;
for ( unsigned int i = 3; i < parts.size(); i++ )
@ -772,8 +770,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vector<string> parts = SplitWords(params, ' ');
if ( parts.size() == 2 )
EnqueueConnEvent(irc_oper_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str())
);
@ -794,8 +792,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
zeek::Args vl;
vl.reserve(6);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
vl.emplace_back(ConnVal());
vl.emplace_back(val_mgr->Bool(orig));
vl.emplace_back(make_intrusive<StringVal>(prefix.c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
@ -812,7 +810,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vl.emplace_back(make_intrusive<StringVal>(comment.c_str()));
}
else
vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
vl.emplace_back(val_mgr->EmptyString());
EnqueueConnEvent(irc_kick_message, std::move(vl));
}
@ -863,8 +861,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_join_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
std::move(list)
);
}
@ -923,8 +921,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_join_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
std::move(list)
);
}
@ -962,8 +960,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_part_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(nick.c_str()),
std::move(set),
make_intrusive<StringVal>(message.c_str())
@ -985,8 +983,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_quit_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(nickname.c_str()),
make_intrusive<StringVal>(message.c_str())
);
@ -999,8 +997,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
nick = nick.substr(1);
EnqueueConnEvent(irc_nick_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(nick.c_str())
);
@ -1024,12 +1022,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[0] = parts[0].substr(1);
EnqueueConnEvent(irc_who_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
parts.size() > 0 ?
make_intrusive<StringVal>(parts[0].c_str()) :
IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(oper)}
val_mgr->EmptyString(),
val_mgr->Bool(oper)
);
}
@ -1054,8 +1052,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
users = parts[0];
EnqueueConnEvent(irc_whois_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(server.c_str()),
make_intrusive<StringVal>(users.c_str())
);
@ -1067,8 +1065,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
params = params.substr(1);
EnqueueConnEvent(irc_error_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(params.c_str())
);
@ -1083,8 +1081,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
parts[1] = parts[1].substr(1);
EnqueueConnEvent(irc_invite_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(parts[0].c_str()),
make_intrusive<StringVal>(parts[1].c_str())
@ -1098,8 +1096,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{
if ( params.size() > 0 )
EnqueueConnEvent(irc_mode_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(params.c_str())
);
@ -1111,8 +1109,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
else if ( irc_password_message && command == "PASS" )
{
EnqueueConnEvent(irc_password_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(params.c_str())
);
}
@ -1133,8 +1131,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
}
EnqueueConnEvent(irc_squit_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(server.c_str()),
make_intrusive<StringVal>(message.c_str())
@ -1147,8 +1145,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_request )
{
EnqueueConnEvent(irc_request,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(command.c_str()),
make_intrusive<StringVal>(params.c_str())
@ -1161,8 +1159,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( irc_message )
{
EnqueueConnEvent(irc_message,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
ConnVal(),
val_mgr->Bool(orig),
make_intrusive<StringVal>(prefix.c_str()),
make_intrusive<StringVal>(command.c_str()),
make_intrusive<StringVal>(params.c_str())
@ -1196,7 +1194,7 @@ void IRC_Analyzer::StartTLS()
AddChildAnalyzer(ssl);
if ( irc_starttls )
EnqueueConnEvent(irc_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(irc_starttls, ConnVal());
}
vector<string> IRC_Analyzer::SplitWords(const string& input, char split)

6
src/analyzer/protocol/krb/KRB.cc
View file

@ -87,7 +87,9 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
}
}
StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype)
IntrusivePtr<StringVal> KRB_Analyzer::GetAuthenticationInfo(const BroString* principal,
const BroString* ciphertext,
const bro_uint_t enctype)
{
#ifdef USE_KRB5
if ( !krb_available )
@ -145,7 +147,7 @@ StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const
return nullptr;
}
StringVal* ret = new StringVal(cp);
auto ret = make_intrusive<StringVal>(cp);
krb5_free_unparsed_name(krb_context, cp);
krb5_free_ticket(krb_context, tkt);

4
src/analyzer/protocol/krb/KRB.h
View file

@ -25,7 +25,9 @@ public:
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); }
StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype);
IntrusivePtr<StringVal> GetAuthenticationInfo(const BroString* principal,
const BroString* ciphertext,
const bro_uint_t enctype);
protected:

5
src/analyzer/protocol/krb/KRB_TCP.h
View file

@ -21,7 +21,10 @@ public:
// Overriden from tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;
StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) { return val_mgr->GetEmptyString(); }
IntrusivePtr<StringVal> GetAuthenticationInfo(const BroString* principal,
const BroString* ciphertext,
const bro_uint_t enctype)
{ return val_mgr->EmptyString(); }
static analyzer::Analyzer* Instantiate(Connection* conn)
{ return new KRB_Analyzer(conn); }

86
src/analyzer/protocol/krb/krb-analyzer.pac
View file

@ -10,19 +10,19 @@ RecordVal* proc_krb_kdc_options(const KRB_KDC_Options* opts)
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Options);
rv->Assign(0, val_mgr->GetBool(opts->forwardable()));
rv->Assign(1, val_mgr->GetBool(opts->forwarded()));
rv->Assign(2, val_mgr->GetBool(opts->proxiable()));
rv->Assign(3, val_mgr->GetBool(opts->proxy()));
rv->Assign(4, val_mgr->GetBool(opts->allow_postdate()));
rv->Assign(5, val_mgr->GetBool(opts->postdated()));
rv->Assign(6, val_mgr->GetBool(opts->renewable()));
rv->Assign(7, val_mgr->GetBool(opts->opt_hardware_auth()));
rv->Assign(8, val_mgr->GetBool(opts->disable_transited_check()));
rv->Assign(9, val_mgr->GetBool(opts->renewable_ok()));
rv->Assign(10, val_mgr->GetBool(opts->enc_tkt_in_skey()));
rv->Assign(11, val_mgr->GetBool(opts->renew()));
rv->Assign(12, val_mgr->GetBool(opts->validate()));
rv->Assign(0, val_mgr->Bool(opts->forwardable()));
rv->Assign(1, val_mgr->Bool(opts->forwarded()));
rv->Assign(2, val_mgr->Bool(opts->proxiable()));
rv->Assign(3, val_mgr->Bool(opts->proxy()));
rv->Assign(4, val_mgr->Bool(opts->allow_postdate()));
rv->Assign(5, val_mgr->Bool(opts->postdated()));
rv->Assign(6, val_mgr->Bool(opts->renewable()));
rv->Assign(7, val_mgr->Bool(opts->opt_hardware_auth()));
rv->Assign(8, val_mgr->Bool(opts->disable_transited_check()));
rv->Assign(9, val_mgr->Bool(opts->renewable_ok()));
rv->Assign(10, val_mgr->Bool(opts->enc_tkt_in_skey()));
rv->Assign(11, val_mgr->Bool(opts->renew()));
rv->Assign(12, val_mgr->Bool(opts->validate()));
return rv;
}
@ -49,7 +49,7 @@ RecordVal* proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyzer bro_an
rv->Assign(4, GetStringFromPrincipalName(element->data()->principal()));
break;
case 2:
rv->Assign(5, bytestring_to_val(element->data()->realm()->encoding()->content()));
rv->Assign(5, to_stringval(element->data()->realm()->encoding()->content()));
break;
case 3:
rv->Assign(6, GetStringFromPrincipalName(element->data()->sname()));
@ -139,19 +139,19 @@ bool proc_error_arguments(RecordVal* rv, const std::vector<KRB_ERROR_Arg*>* args
break;
// ctime/stime handled above
case 7:
rv->Assign(5, bytestring_to_val((*args)[i]->args()->crealm()->encoding()->content()));
rv->Assign(5, to_stringval((*args)[i]->args()->crealm()->encoding()->content()));
break;
case 8:
rv->Assign(6, GetStringFromPrincipalName((*args)[i]->args()->cname()));
break;
case 9:
rv->Assign(7, bytestring_to_val((*args)[i]->args()->realm()->encoding()->content()));
rv->Assign(7, to_stringval((*args)[i]->args()->realm()->encoding()->content()));
break;
case 10:
rv->Assign(8, GetStringFromPrincipalName((*args)[i]->args()->sname()));
break;
case 11:
rv->Assign(9, bytestring_to_val((*args)[i]->args()->e_text()->encoding()->content()));
rv->Assign(9, to_stringval((*args)[i]->args()->e_text()->encoding()->content()));
break;
case 12:
if ( error_code == KDC_ERR_PREAUTH_REQUIRED )
@ -180,7 +180,7 @@ refine connection KRB_Conn += {
return false;
RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
BifEvent::generate_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), rv);
BifEvent::enqueue_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), {AdoptRef{}, rv});
return true;
}
@ -190,7 +190,7 @@ refine connection KRB_Conn += {
return false;
RecordVal* rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer());
BifEvent::generate_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), rv);
BifEvent::enqueue_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), {AdoptRef{}, rv});
return true;
}
@ -201,9 +201,9 @@ refine connection KRB_Conn += {
%{
bro_analyzer()->ProtocolConfirmation();
auto msg_type = binary_to_int64(${msg.msg_type.data.content});
auto make_arg = [this, msg]() -> RecordVal*
auto make_arg = [this, msg]() -> IntrusivePtr<RecordVal>
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::KDC_Response);
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::KDC_Response);
rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT));
rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT));
@ -211,7 +211,7 @@ refine connection KRB_Conn += {
if ( ${msg.padata.has_padata} )
rv->Assign(2, proc_padata(${msg.padata.padata.padata}, bro_analyzer(), false));
rv->Assign(3, bytestring_to_val(${msg.client_realm.encoding.content}));
rv->Assign(3, to_stringval(${msg.client_realm.encoding.content}));
rv->Assign(4, GetStringFromPrincipalName(${msg.client_name}));
rv->Assign(5, proc_ticket(${msg.ticket}));
@ -223,7 +223,7 @@ refine connection KRB_Conn += {
if ( ! krb_as_response )
return false;
BifEvent::generate_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
BifEvent::enqueue_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
return true;
}
@ -232,7 +232,7 @@ refine connection KRB_Conn += {
if ( ! krb_tgs_response )
return false;
BifEvent::generate_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
BifEvent::enqueue_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg());
return true;
}
@ -244,11 +244,11 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_error )
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::Error_Msg);
proc_error_arguments(rv, ${msg.args1}, 0);
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::Error_Msg);
proc_error_arguments(rv.get(), ${msg.args1}, 0);
rv->Assign(4, asn1_integer_to_val(${msg.error_code}, TYPE_COUNT));
proc_error_arguments(rv, ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content}));
BifEvent::generate_krb_error(bro_analyzer(), bro_analyzer()->Conn(), rv);
proc_error_arguments(rv.get(), ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content}));
BifEvent::enqueue_krb_error(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv));
}
return true;
%}
@ -258,16 +258,18 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_ap_request )
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::AP_Options);
rv->Assign(0, val_mgr->GetBool(${msg.ap_options.use_session_key}));
rv->Assign(1, val_mgr->GetBool(${msg.ap_options.mutual_required}));
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::AP_Options);
rv->Assign(0, val_mgr->Bool(${msg.ap_options.use_session_key}));
rv->Assign(1, val_mgr->Bool(${msg.ap_options.mutual_required}));
auto rvticket = proc_ticket(${msg.ticket});
auto authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount());
RecordVal* rvticket = proc_ticket(${msg.ticket});
StringVal* authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount());
if ( authenticationinfo )
rvticket->Assign(5, authenticationinfo);
BifEvent::generate_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
rvticket, rv);
BifEvent::enqueue_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
std::move(rvticket), std::move(rv));
}
return true;
%}
@ -277,7 +279,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_ap_response )
{
BifEvent::generate_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn());
BifEvent::enqueue_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn());
}
return true;
%}
@ -287,7 +289,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_safe )
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::SAFE_Msg);
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::SAFE_Msg);
rv->Assign(0, asn1_integer_to_val(${msg.pvno.data}, TYPE_COUNT));
rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, TYPE_COUNT));
@ -320,7 +322,7 @@ refine connection KRB_Conn += {
switch ( ${msg.safe_body.args[i].seq_meta.index} )
{
case 0:
rv->Assign(3, bytestring_to_val(${msg.safe_body.args[i].args.user_data.encoding.content}));
rv->Assign(3, to_stringval(${msg.safe_body.args[i].args.user_data.encoding.content}));
break;
case 3:
rv->Assign(5, asn1_integer_to_val(${msg.safe_body.args[i].args.seq_number}, TYPE_COUNT));
@ -335,7 +337,7 @@ refine connection KRB_Conn += {
break;
}
}
BifEvent::generate_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, rv);
BifEvent::enqueue_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, std::move(rv));
}
return true;
%}
@ -345,7 +347,7 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_priv )
{
BifEvent::generate_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig});
BifEvent::enqueue_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig});
}
return true;
%}
@ -355,8 +357,8 @@ refine connection KRB_Conn += {
bro_analyzer()->ProtocolConfirmation();
if ( krb_cred )
{
BifEvent::generate_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig},
proc_tickets(${msg.tickets}));
BifEvent::enqueue_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig},
proc_tickets(${msg.tickets}));
}
return true;

17
src/analyzer/protocol/krb/krb-asn1.pac
View file

@ -2,21 +2,20 @@
%include ../asn1/asn1.pac
%header{
Val* GetTimeFromAsn1(const KRB_Time* atime, int64 usecs);
Val* GetTimeFromAsn1(StringVal* atime, int64 usecs);
IntrusivePtr<Val> GetTimeFromAsn1(const KRB_Time* atime, int64 usecs);
IntrusivePtr<Val> GetTimeFromAsn1(StringVal* atime, int64 usecs);
%}
%code{
Val* GetTimeFromAsn1(const KRB_Time* atime, int64 usecs)
IntrusivePtr<Val> GetTimeFromAsn1(const KRB_Time* atime, int64 usecs)
{
StringVal* atime_bytestring = bytestring_to_val(atime->time());
Val* result = GetTimeFromAsn1(atime_bytestring, usecs);
Unref(atime_bytestring);
auto atime_bytestring = to_stringval(atime->time());
auto result = GetTimeFromAsn1(atime_bytestring.get(), usecs);
return result;
}
Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
IntrusivePtr<Val> GetTimeFromAsn1(StringVal* atime, int64 usecs)
{
time_t lResult = 0;
@ -27,7 +26,7 @@ Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
char * pString = (char *) atime->Bytes();
if ( lTimeLength != 15 && lTimeLength != 17 )
return 0;
return nullptr;
if (lTimeLength == 17 )
pString = pString + 2;
@ -52,7 +51,7 @@ Val* GetTimeFromAsn1(StringVal* atime, int64 usecs)
if ( !lResult )
lResult = 0;
return new Val(double(lResult + double(usecs/100000.0)), TYPE_TIME);
return make_intrusive<Val>(double(lResult + double(usecs/100000.0)), TYPE_TIME);
}
%}

16
src/analyzer/protocol/krb/krb-padata.pac
View file

@ -37,24 +37,24 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
case PA_PW_SALT:
{
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pa_pw_salt()->encoding()->content()));
type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->pa_pw_salt()->encoding()->content()));
vv->Assign(vv->Size(), type_val);
break;
}
case PA_ENCTYPE_INFO:
{
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pf_enctype_info()->salt()));
type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info()->salt()));
vv->Assign(vv->Size(), type_val);
break;
}
case PA_ENCTYPE_INFO2:
{
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->pf_enctype_info2()->salt()));
type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info2()->salt()));
vv->Assign(vv->Size(), type_val);
break;
}
@ -111,8 +111,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a
if ( ! is_error && element->pa_data_element()->unknown()->meta()->length() > 0 )
{
RecordVal * type_val = new RecordVal(BifType::Record::KRB::Type_Value);
type_val->Assign(0, val_mgr->GetCount(element->data_type()));
type_val->Assign(1, bytestring_to_val(element->pa_data_element()->unknown()->content()));
type_val->Assign(0, val_mgr->Count(element->data_type()));
type_val->Assign(1, to_stringval(element->pa_data_element()->unknown()->content()));
vv->Assign(vv->Size(), type_val);
}
break;

41
src/analyzer/protocol/krb/krb-types.pac
View file

@ -1,28 +1,28 @@
# Fundamental KRB types
%header{
Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname);
IntrusivePtr<Val> GetStringFromPrincipalName(const KRB_Principal_Name* pname);
VectorVal* proc_cipher_list(const Array* list);
VectorVal* proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list);
RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr);
VectorVal* proc_tickets(const KRB_Ticket_Sequence* list);
RecordVal* proc_ticket(const KRB_Ticket* ticket);
IntrusivePtr<VectorVal> proc_tickets(const KRB_Ticket_Sequence* list);
IntrusivePtr<RecordVal> proc_ticket(const KRB_Ticket* ticket);
%}
%code{
Val* GetStringFromPrincipalName(const KRB_Principal_Name* pname)
IntrusivePtr<Val> GetStringFromPrincipalName(const KRB_Principal_Name* pname)
{
if ( pname->data()->size() == 1 )
return bytestring_to_val(pname->data()[0][0]->encoding()->content());
return to_stringval(pname->data()[0][0]->encoding()->content());
if ( pname->data()->size() == 2 )
return new StringVal(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin()));
return make_intrusive<StringVal>(fmt("%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin()));
if ( pname->data()->size() == 3 ) // if the name-string has a third value, this will just append it, else this will return unknown as the principal name
return new StringVal(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin()));
return make_intrusive<StringVal>(fmt("%s/%s/%s", (char *) pname->data()[0][0]->encoding()->content().begin(), (char *)pname->data()[0][1]->encoding()->content().begin(), (char *)pname->data()[0][2]->encoding()->content().begin()));
return new StringVal("unknown");
return make_intrusive<StringVal>("unknown");
}
VectorVal* proc_cipher_list(const Array* list)
@ -78,7 +78,7 @@ RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr)
}
case 20:
{
rv->Assign(1, bytestring_to_val(addr_bytes));
rv->Assign(1, to_stringval(addr_bytes));
return rv;
}
default:
@ -87,14 +87,15 @@ RecordVal* proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr)
RecordVal* unk = new RecordVal(BifType::Record::KRB::Type_Value);
unk->Assign(0, asn1_integer_to_val(addr->addr_type(), TYPE_COUNT));
unk->Assign(1, bytestring_to_val(addr_bytes));
unk->Assign(1, to_stringval(addr_bytes));
rv->Assign(2, unk);
return rv;
}
VectorVal* proc_tickets(const KRB_Ticket_Sequence* list)
{
VectorVal* tickets = new VectorVal(internal_type("KRB::Ticket_Vector")->AsVectorType());
IntrusivePtr<VectorVal> proc_tickets(const KRB_Ticket_Sequence* list)
{
auto tickets = make_intrusive<VectorVal>(internal_type("KRB::Ticket_Vector")->AsVectorType());
for ( uint i = 0; i < list->tickets()->size(); ++i )
{
KRB_Ticket* element = (*list->tickets())[i];
@ -102,20 +103,20 @@ VectorVal* proc_tickets(const KRB_Ticket_Sequence* list)
}
return tickets;
}
}
RecordVal* proc_ticket(const KRB_Ticket* ticket)
{
RecordVal* rv = new RecordVal(BifType::Record::KRB::Ticket);
IntrusivePtr<RecordVal> proc_ticket(const KRB_Ticket* ticket)
{
auto rv = make_intrusive<RecordVal>(BifType::Record::KRB::Ticket);
rv->Assign(0, asn1_integer_to_val(ticket->tkt_vno()->data(), TYPE_COUNT));
rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content()));
rv->Assign(1, to_stringval(ticket->realm()->data()->content()));
rv->Assign(2, GetStringFromPrincipalName(ticket->sname()));
rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT));
rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext()->encoding()->content()));
rv->Assign(4, to_stringval(ticket->enc_part()->data()->ciphertext()->encoding()->content()));
return rv;
}
}
%}
type KRB_Principal_Name = record {

20
src/analyzer/protocol/login/Login.cc
View file

@ -290,7 +290,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
else if ( IsSkipAuthentication(line) )
{
if ( authentication_skipped )
EnqueueConnEvent(authentication_skipped, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(authentication_skipped, ConnVal());
state = LOGIN_STATE_SKIP;
SetSkip(true);
@ -332,19 +332,19 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
else if ( login_terminal && streq(name, "TERM") )
EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(val)
);
else if ( login_display && streq(name, "DISPLAY") )
EnqueueConnEvent(login_display,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(val)
);
else if ( login_prompt && streq(name, "TTYPROMPT") )
EnqueueConnEvent(login_prompt,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(val)
);
}
@ -420,10 +420,10 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
PopUserTextVal() : new StringVal("<none>");
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{NewRef{}, username},
client_name ? IntrusivePtr{NewRef{}, client_name}
: IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
: val_mgr->EmptyString(),
IntrusivePtr{AdoptRef{}, password},
make_intrusive<StringVal>(line)
);
@ -443,7 +443,7 @@ void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
return;
EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(line)
);
}
@ -455,7 +455,7 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
if ( login_confused )
EnqueueConnEvent(login_confused,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(msg),
make_intrusive<StringVal>(line)
);
@ -479,7 +479,7 @@ void Login_Analyzer::ConfusionText(const char* line)
{
if ( login_confused_text )
EnqueueConnEvent(login_confused_text,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(line)
);
}
@ -593,7 +593,7 @@ Val* Login_Analyzer::PopUserTextVal()
if ( s )
return new StringVal(new BroString(true, byte_vec(s), strlen(s)));
else
return val_mgr->GetEmptyString();
return val_mgr->EmptyString()->Ref();
}
bool Login_Analyzer::MatchesTypeahead(const char* line) const

2
src/analyzer/protocol/login/NVT.cc
View file

@ -460,7 +460,7 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
{
if ( login_terminal )
EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(new BroString(terminal, len, false))
);
}

6
src/analyzer/protocol/login/RSH.cc
View file

@ -172,7 +172,7 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
vl.reserve(4 + orig);
const char* line = (const char*) data;
line = skip_whitespace(line);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(ConnVal());
if ( client_name )
vl.emplace_back(NewRef{}, client_name);
@ -190,9 +190,9 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{
if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
// First input
vl.emplace_back(AdoptRef{}, val_mgr->GetTrue());
vl.emplace_back(val_mgr->True());
else
vl.emplace_back(AdoptRef{}, val_mgr->GetFalse());
vl.emplace_back(val_mgr->False());
EnqueueConnEvent(rsh_request, std::move(vl));
}

2
src/analyzer/protocol/login/Rlogin.cc
View file

@ -245,7 +245,7 @@ void Rlogin_Analyzer::TerminalType(const char* s)
{
if ( login_terminal )
EnqueueConnEvent(login_terminal,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
make_intrusive<StringVal>(s)
);
}

12
src/analyzer/protocol/login/functions.bif
View file

@ -28,13 +28,13 @@ function get_login_state%(cid: conn_id%): count
%{
Connection* c = sessions->FindConnection(cid);
if ( ! c )
return val_mgr->GetFalse();
return val_mgr->False();
analyzer::Analyzer* la = c->FindAnalyzer("Login");
if ( ! la )
return val_mgr->GetFalse();
return val_mgr->False();
return val_mgr->GetCount(int(static_cast<analyzer::login::Login_Analyzer*>(la)->LoginState()));
return val_mgr->Count(int(static_cast<analyzer::login::Login_Analyzer*>(la)->LoginState()));
%}
## Sets the login state of a connection with a login analyzer.
@ -52,12 +52,12 @@ function set_login_state%(cid: conn_id, new_state: count%): bool
%{
Connection* c = sessions->FindConnection(cid);
if ( ! c )
return val_mgr->GetFalse();
return val_mgr->False();
analyzer::Analyzer* la = c->FindAnalyzer("Login");
if ( ! la )
return val_mgr->GetFalse();
return val_mgr->False();
static_cast<analyzer::login::Login_Analyzer*>(la)->SetLoginState(analyzer::login::login_state(new_state));
return val_mgr->GetTrue();
return val_mgr->True();
%}

37
src/analyzer/protocol/mime/MIME.cc
View file

@ -1292,8 +1292,9 @@ void MIME_Entity::DebugPrintHeaders()
RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h)
{
RecordVal* header_record = new RecordVal(mime_header_rec);
header_record->Assign(0, new_string_val(h->get_name())->ToUpper());
header_record->Assign(1, new_string_val(h->get_value()));
header_record->Assign(0, new_string_val(h->get_name()));
header_record->Assign(1, new_string_val(h->get_name())->ToUpper());
header_record->Assign(2, new_string_val(h->get_value()));
return header_record;
}
@ -1303,14 +1304,12 @@ TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist)
for ( unsigned int i = 0; i < hlist.size(); ++i )
{
Val* index = val_mgr->GetCount(i+1); // index starting from 1
auto index = val_mgr->Count(i + 1); // index starting from 1
MIME_Header* h = hlist[i];
RecordVal* header_record = BuildHeaderVal(h);
t->Assign(index, header_record);
Unref(index);
t->Assign(index.get(), header_record);
}
return t;
@ -1366,8 +1365,8 @@ void MIME_Mail::Done()
md5_hash = nullptr;
analyzer->EnqueueConnEvent(mime_content_hash,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(content_hash_length)},
analyzer->ConnVal(),
val_mgr->Count(content_hash_length),
make_intrusive<StringVal>(new BroString(true, digest, 16))
);
}
@ -1393,7 +1392,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
cur_entity_id.clear();
if ( mime_begin_entity )
analyzer->EnqueueConnEvent(mime_begin_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
analyzer->EnqueueConnEvent(mime_begin_entity, analyzer->ConnVal());
buffer_start = data_start = 0;
ASSERT(entity_content.size() == 0);
@ -1406,8 +1405,8 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
BroString* s = concatenate(entity_content);
analyzer->EnqueueConnEvent(mime_entity_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
analyzer->ConnVal(),
val_mgr->Count(s->Len()),
make_intrusive<StringVal>(s)
);
@ -1418,7 +1417,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
}
if ( mime_end_entity )
analyzer->EnqueueConnEvent(mime_end_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
analyzer->EnqueueConnEvent(mime_end_entity, analyzer->ConnVal());
file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
cur_entity_id.clear();
@ -1428,7 +1427,7 @@ void MIME_Mail::SubmitHeader(MIME_Header* h)
{
if ( mime_one_header )
analyzer->EnqueueConnEvent(mime_one_header,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, BuildHeaderVal(h)}
);
}
@ -1437,7 +1436,7 @@ void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
{
if ( mime_all_headers )
analyzer->EnqueueConnEvent(mime_all_headers,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
);
}
@ -1473,8 +1472,8 @@ void MIME_Mail::SubmitData(int len, const char* buf)
int data_len = (buf + len) - data;
analyzer->EnqueueConnEvent(mime_segment_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_len)},
analyzer->ConnVal(),
val_mgr->Count(data_len),
make_intrusive<StringVal>(data_len, data)
);
}
@ -1520,8 +1519,8 @@ void MIME_Mail::SubmitAllData()
delete_strings(all_content);
analyzer->EnqueueConnEvent(mime_all_data,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
analyzer->ConnVal(),
val_mgr->Count(s->Len()),
make_intrusive<StringVal>(s)
);
}
@ -1548,7 +1547,7 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
if ( mime_event )
analyzer->EnqueueConnEvent(mime_event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
make_intrusive<StringVal>(category),
make_intrusive<StringVal>(detail)
);

327
src/analyzer/protocol/modbus/modbus-analyzer.pac
View file

@ -8,39 +8,39 @@
#
%header{
VectorVal* bytestring_to_coils(const bytestring& coils, uint quantity);
RecordVal* HeaderToBro(ModbusTCP_TransportHeader *header);
VectorVal* create_vector_of_count();
IntrusivePtr<VectorVal> bytestring_to_coils(const bytestring& coils, uint quantity);
IntrusivePtr<RecordVal> HeaderToVal(ModbusTCP_TransportHeader* header);
IntrusivePtr<VectorVal> create_vector_of_count();
%}
%code{
VectorVal* bytestring_to_coils(const bytestring& coils, uint quantity)
IntrusivePtr<VectorVal> bytestring_to_coils(const bytestring& coils, uint quantity)
{
VectorVal* modbus_coils = new VectorVal(BifType::Vector::ModbusCoils);
auto modbus_coils = make_intrusive<VectorVal>(BifType::Vector::ModbusCoils);
for ( uint i = 0; i < quantity; i++ )
{
char currentCoil = (coils[i/8] >> (i % 8)) % 2;
modbus_coils->Assign(i, val_mgr->GetBool(currentCoil));
modbus_coils->Assign(i, val_mgr->Bool(currentCoil));
}
return modbus_coils;
}
RecordVal* HeaderToBro(ModbusTCP_TransportHeader *header)
IntrusivePtr<RecordVal> HeaderToVal(ModbusTCP_TransportHeader* header)
{
RecordVal* modbus_header = new RecordVal(BifType::Record::ModbusHeaders);
modbus_header->Assign(0, val_mgr->GetCount(header->tid()));
modbus_header->Assign(1, val_mgr->GetCount(header->pid()));
modbus_header->Assign(2, val_mgr->GetCount(header->uid()));
modbus_header->Assign(3, val_mgr->GetCount(header->fc()));
auto modbus_header = make_intrusive<RecordVal>(BifType::Record::ModbusHeaders);
modbus_header->Assign(0, val_mgr->Count(header->tid()));
modbus_header->Assign(1, val_mgr->Count(header->pid()));
modbus_header->Assign(2, val_mgr->Count(header->uid()));
modbus_header->Assign(3, val_mgr->Count(header->fc()));
return modbus_header;
}
VectorVal* create_vector_of_count()
IntrusivePtr<VectorVal> create_vector_of_count()
{
VectorType* vt = new VectorType(base_type(TYPE_COUNT));
VectorVal* vv = new VectorVal(vt);
Unref(vt);
auto vt = make_intrusive<VectorType>(base_type(TYPE_COUNT));
auto vv = make_intrusive<VectorVal>(vt.get());
return vv;
}
@ -88,10 +88,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_message )
{
BifEvent::generate_modbus_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
is_orig());
BifEvent::enqueue_modbus_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
is_orig());
}
return true;
@ -117,10 +117,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_exception )
{
BifEvent::generate_modbus_exception(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.code});
BifEvent::enqueue_modbus_exception(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.code});
}
return true;
@ -131,11 +131,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_coils_request )
{
BifEvent::generate_modbus_read_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address},
${message.quantity});
BifEvent::enqueue_modbus_read_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address},
${message.quantity});
}
return true;
@ -146,10 +146,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_coils_response )
{
BifEvent::generate_modbus_read_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
BifEvent::enqueue_modbus_read_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
}
return true;
%}
@ -159,10 +159,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_discrete_inputs_request )
{
BifEvent::generate_modbus_read_discrete_inputs_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_read_discrete_inputs_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -173,10 +173,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_discrete_inputs_response )
{
BifEvent::generate_modbus_read_discrete_inputs_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
BifEvent::enqueue_modbus_read_discrete_inputs_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
}
return true;
@ -188,10 +188,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_holding_registers_request )
{
BifEvent::generate_modbus_read_holding_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_read_holding_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -209,18 +209,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_holding_registers_response )
{
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
for ( unsigned int i=0; i < ${message.registers}->size(); ++i )
{
Val* r = val_mgr->GetCount(${message.registers[i]});
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_holding_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_holding_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;
@ -232,10 +232,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_input_registers_request )
{
BifEvent::generate_modbus_read_input_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_read_input_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -253,17 +253,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_input_registers_response )
{
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i=0; i < (${message.registers})->size(); ++i )
{
Val* r = val_mgr->GetCount(${message.registers[i]});
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_input_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_input_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;
@ -287,11 +288,11 @@ refine flow ModbusTCP_Flow += {
return false;
}
BifEvent::generate_modbus_write_single_coil_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
val);
BifEvent::enqueue_modbus_write_single_coil_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
val);
}
return true;
@ -314,11 +315,11 @@ refine flow ModbusTCP_Flow += {
return false;
}
BifEvent::generate_modbus_write_single_coil_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
val);
BifEvent::enqueue_modbus_write_single_coil_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
val);
}
return true;
@ -330,10 +331,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_single_register_request )
{
BifEvent::generate_modbus_write_single_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address}, ${message.value});
BifEvent::enqueue_modbus_write_single_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address}, ${message.value});
}
return true;
@ -344,10 +345,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_single_register_response )
{
BifEvent::generate_modbus_write_single_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address}, ${message.value});
BifEvent::enqueue_modbus_write_single_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address}, ${message.value});
}
return true;
@ -359,11 +360,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_coils_request )
{
BifEvent::generate_modbus_write_multiple_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address},
bytestring_to_coils(${message.coils}, ${message.quantity}));
BifEvent::enqueue_modbus_write_multiple_coils_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address},
bytestring_to_coils(${message.coils}, ${message.quantity}));
}
return true;
@ -374,10 +375,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_coils_response )
{
BifEvent::generate_modbus_write_multiple_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_write_multiple_coils_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -396,17 +397,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_write_multiple_registers_request )
{
VectorVal * t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < (${message.registers}->size()); ++i )
{
Val* r = val_mgr->GetCount(${message.registers[i]});
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, t);
BifEvent::enqueue_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, std::move(t));
}
return true;
@ -417,10 +419,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_multiple_registers_response )
{
BifEvent::generate_modbus_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address}, ${message.quantity});
BifEvent::enqueue_modbus_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address}, ${message.quantity});
}
return true;
@ -432,22 +434,22 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_file_record_request )
{
//TODO: this need to be a vector of some Reference Request record type
//VectorVal *t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// {
// Val* r = val_mgr->GetCount((${message.references[i].ref_type}));
// auto r = val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r);
//
// Val* k = val_mgr->GetCount((${message.references[i].file_num}));
// auto k = val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, k);
//
// Val* l = val_mgr->GetCount((${message.references[i].record_num}));
// auto l = val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, l);
// }
BifEvent::generate_modbus_read_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_read_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
@ -458,17 +460,17 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_file_record_response )
{
//VectorVal *t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < ${message.references}->size(); ++i )
// {
// //TODO: work the reference type in here somewhere
// Val* r = val_mgr->GetCount(${message.references[i].record_data}));
// auto r = val_mgr->Count(${message.references[i].record_data}));
// t->Assign(i, r);
// }
BifEvent::generate_modbus_read_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_read_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
@ -479,28 +481,28 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_file_record_request )
{
//VectorVal* t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
// {
// Val* r = val_mgr->GetCount((${message.references[i].ref_type}));
// auto r = val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r);
//
// Val* k = val_mgr->GetCount((${message.references[i].file_num}));
// auto k = val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, k);
//
// Val* n = val_mgr->GetCount((${message.references[i].record_num}));
// auto n = val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, n);
//
// for ( unsigned int j = 0; j < (${message.references[i].register_value}->size()); ++j )
// {
// k = val_mgr->GetCount((${message.references[i].register_value[j]}));
// k = val_mgr->Count((${message.references[i].register_value[j]}));
// t->Assign(i, k);
// }
// }
BifEvent::generate_modbus_write_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_write_file_record_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
@ -512,27 +514,27 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_write_file_record_response )
{
//VectorVal* t = create_vector_of_count();
//auto t = create_vector_of_count();
//for ( unsigned int i = 0; i < (${messages.references}->size()); ++i )
// {
// Val* r = val_mgr->GetCount((${message.references[i].ref_type}));
// auto r = val_mgr->Count((${message.references[i].ref_type}));
// t->Assign(i, r);
//
// Val* f = val_mgr->GetCount((${message.references[i].file_num}));
// auto f = val_mgr->Count((${message.references[i].file_num}));
// t->Assign(i, f);
//
// Val* rn = val_mgr->GetCount((${message.references[i].record_num}));
// auto rn = val_mgr->Count((${message.references[i].record_num}));
// t->Assign(i, rn);
//
// for ( unsigned int j = 0; j<(${message.references[i].register_value}->size()); ++j )
// {
// Val* k = val_mgr->GetCount((${message.references[i].register_value[j]}));
// auto k = val_mgr->Count((${message.references[i].register_value[j]}));
// t->Assign(i, k);
// }
BifEvent::generate_modbus_write_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header));
BifEvent::enqueue_modbus_write_file_record_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header));
}
return true;
@ -543,11 +545,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_mask_write_register_request )
{
BifEvent::generate_modbus_mask_write_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
${message.and_mask}, ${message.or_mask});
BifEvent::enqueue_modbus_mask_write_register_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
${message.and_mask}, ${message.or_mask});
}
return true;
@ -558,11 +560,11 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_mask_write_register_response )
{
BifEvent::generate_modbus_mask_write_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.address},
${message.and_mask}, ${message.or_mask});
BifEvent::enqueue_modbus_mask_write_register_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.address},
${message.and_mask}, ${message.or_mask});
}
return true;
@ -580,20 +582,21 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_write_multiple_registers_request )
{
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < ${message.write_register_values}->size(); ++i )
{
Val* r = val_mgr->GetCount(${message.write_register_values[i]});
auto r = val_mgr->Count(${message.write_register_values[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.read_start_address},
${message.read_quantity},
${message.write_start_address},
t);
BifEvent::enqueue_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.read_start_address},
${message.read_quantity},
${message.write_start_address},
std::move(t));
}
return true;
@ -611,17 +614,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_write_multiple_registers_response )
{
VectorVal* t = new VectorVal(BifType::Vector::ModbusRegisters);
auto t = make_intrusive<VectorVal>(BifType::Vector::ModbusRegisters);
for ( unsigned int i = 0; i < ${message.registers}->size(); ++i )
{
Val* r = val_mgr->GetCount(${message.registers[i]});
auto r = val_mgr->Count(${message.registers[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;
@ -632,10 +636,10 @@ refine flow ModbusTCP_Flow += {
%{
if ( ::modbus_read_fifo_queue_request )
{
BifEvent::generate_modbus_read_fifo_queue_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
${message.start_address});
BifEvent::enqueue_modbus_read_fifo_queue_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
${message.start_address});
}
return true;
@ -654,17 +658,18 @@ refine flow ModbusTCP_Flow += {
if ( ::modbus_read_fifo_queue_response )
{
VectorVal* t = create_vector_of_count();
auto t = create_vector_of_count();
for ( unsigned int i = 0; i < (${message.register_data})->size(); ++i )
{
Val* r = val_mgr->GetCount(${message.register_data[i]});
auto r = val_mgr->Count(${message.register_data[i]});
t->Assign(i, r);
}
BifEvent::generate_modbus_read_fifo_queue_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToBro(header),
t);
BifEvent::enqueue_modbus_read_fifo_queue_response(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
HeaderToVal(header),
std::move(t));
}
return true;

12
src/analyzer/protocol/mqtt/commands/connack.pac
View file

@ -15,12 +15,12 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_connack )
{
auto m = new RecordVal(BifType::Record::MQTT::ConnectAckMsg);
m->Assign(0, val_mgr->GetCount(${msg.return_code}));
m->Assign(1, val_mgr->GetBool(${msg.session_present}));
BifEvent::generate_mqtt_connack(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
m);
auto m = make_intrusive<RecordVal>(BifType::Record::MQTT::ConnectAckMsg);
m->Assign(0, val_mgr->Count(${msg.return_code}));
m->Assign(1, val_mgr->Bool(${msg.session_present}));
BifEvent::enqueue_mqtt_connack(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
std::move(m));
}
return true;

16
src/analyzer/protocol/mqtt/commands/connect.pac
View file

@ -44,17 +44,17 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_connect )
{
auto m = new RecordVal(BifType::Record::MQTT::ConnectMsg);
auto m = make_intrusive<RecordVal>(BifType::Record::MQTT::ConnectMsg);
m->Assign(0, make_intrusive<StringVal>(${msg.protocol_name.str}.length(),
reinterpret_cast<const char*>(${msg.protocol_name.str}.begin())));
m->Assign(1, val_mgr->GetCount(${msg.protocol_version}));
m->Assign(1, val_mgr->Count(${msg.protocol_version}));
m->Assign(2, make_intrusive<StringVal>(${msg.client_id.str}.length(),
reinterpret_cast<const char*>(${msg.client_id.str}.begin())));
m->Assign(3, make_intrusive<IntervalVal>(double(${msg.keep_alive}), Seconds));
m->Assign(4, val_mgr->GetBool(${msg.clean_session}));
m->Assign(5, val_mgr->GetBool(${msg.will_retain}));
m->Assign(6, val_mgr->GetCount(${msg.will_qos}));
m->Assign(4, val_mgr->Bool(${msg.clean_session}));
m->Assign(5, val_mgr->Bool(${msg.will_retain}));
m->Assign(6, val_mgr->Count(${msg.will_qos}));
if ( ${msg.will_flag} )
{
@ -75,9 +75,9 @@ refine flow MQTT_Flow += {
reinterpret_cast<const char*>(${msg.pass.str}.begin())));
}
BifEvent::generate_mqtt_connect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
m);
BifEvent::enqueue_mqtt_connect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
std::move(m));
}
// If a connect message was seen, let's say that confirms it.

4
src/analyzer/protocol/mqtt/commands/disconnect.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_disconnect )
{
BifEvent::generate_mqtt_disconnect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
BifEvent::enqueue_mqtt_disconnect(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
}
return true;

4
src/analyzer/protocol/mqtt/commands/pingreq.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pingreq )
{
BifEvent::generate_mqtt_pingreq(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
BifEvent::enqueue_mqtt_pingreq(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
}
return true;

4
src/analyzer/protocol/mqtt/commands/pingresp.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pingresp )
{
BifEvent::generate_mqtt_pingresp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
BifEvent::enqueue_mqtt_pingresp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn());
}
return true;

8
src/analyzer/protocol/mqtt/commands/puback.pac
View file

@ -13,10 +13,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_puback )
{
BifEvent::generate_mqtt_puback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
BifEvent::enqueue_mqtt_puback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}
return true;
%}

8
src/analyzer/protocol/mqtt/commands/pubcomp.pac
View file

@ -13,10 +13,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pubcomp )
{
BifEvent::generate_mqtt_pubcomp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
BifEvent::enqueue_mqtt_pubcomp(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}
return true;
%}

20
src/analyzer/protocol/mqtt/commands/publish.pac
View file

@ -23,10 +23,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_publish )
{
auto m = new RecordVal(BifType::Record::MQTT::PublishMsg);
m->Assign(0, val_mgr->GetBool(${msg.dup}));
m->Assign(1, val_mgr->GetCount(${msg.qos}));
m->Assign(2, val_mgr->GetBool(${msg.retain}));
auto m = make_intrusive<RecordVal>(BifType::Record::MQTT::PublishMsg);
m->Assign(0, val_mgr->Bool(${msg.dup}));
m->Assign(1, val_mgr->Count(${msg.qos}));
m->Assign(2, val_mgr->Bool(${msg.retain}));
m->Assign(3, new StringVal(${msg.topic.str}.length(),
reinterpret_cast<const char*>(${msg.topic.str}.begin())));
@ -39,13 +39,13 @@ refine flow MQTT_Flow += {
m->Assign(4, new StringVal(len,
reinterpret_cast<const char*>(${msg.payload}.begin())));
m->Assign(5, val_mgr->GetCount(${msg.payload}.length()));
m->Assign(5, val_mgr->Count(${msg.payload}.length()));
BifEvent::generate_mqtt_publish(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${pdu.is_orig},
${msg.qos} == 0 ? 0 : ${msg.msg_id},
m);
BifEvent::enqueue_mqtt_publish(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${pdu.is_orig},
${msg.qos} == 0 ? 0 : ${msg.msg_id},
std::move(m));
}
// If a publish message was seen, let's say that confirms it.

8
src/analyzer/protocol/mqtt/commands/pubrec.pac
View file

@ -13,10 +13,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pubrec )
{
BifEvent::generate_mqtt_pubrec(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
BifEvent::enqueue_mqtt_pubrec(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}
return true;
%}

8
src/analyzer/protocol/mqtt/commands/pubrel.pac
View file

@ -13,10 +13,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_pubrel )
{
BifEvent::generate_mqtt_pubrel(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
BifEvent::enqueue_mqtt_pubrel(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig,
${msg.msg_id});
}
return true;
%}

8
src/analyzer/protocol/mqtt/commands/suback.pac
View file

@ -14,10 +14,10 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_suback )
{
BifEvent::generate_mqtt_suback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
${msg.granted_QoS});
BifEvent::enqueue_mqtt_suback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
${msg.granted_QoS});
}
return true;

18
src/analyzer/protocol/mqtt/commands/subscribe.pac
View file

@ -19,23 +19,23 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_subscribe )
{
auto topics = new VectorVal(string_vec);
auto qos_levels = new VectorVal(index_vec);
auto topics = make_intrusive<VectorVal>(string_vec);
auto qos_levels = make_intrusive<VectorVal>(index_vec);
for (auto topic: *${msg.topics})
for ( auto topic: *${msg.topics} )
{
auto subscribe_topic = new StringVal(${topic.name.str}.length(),
reinterpret_cast<const char*>(${topic.name.str}.begin()));
auto qos = val_mgr->GetCount(${topic.requested_QoS});
auto qos = val_mgr->Count(${topic.requested_QoS});
topics->Assign(topics->Size(), subscribe_topic);
qos_levels->Assign(qos_levels->Size(), qos);
}
BifEvent::generate_mqtt_subscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
topics,
qos_levels);
BifEvent::enqueue_mqtt_subscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
std::move(topics),
std::move(qos_levels));
}
return true;

6
src/analyzer/protocol/mqtt/commands/unsuback.pac
View file

@ -13,9 +13,9 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_unsuback )
{
BifEvent::generate_mqtt_unsuback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id});
BifEvent::enqueue_mqtt_unsuback(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id});
}
return true;

12
src/analyzer/protocol/mqtt/commands/unsubscribe.pac
View file

@ -14,19 +14,19 @@ refine flow MQTT_Flow += {
%{
if ( mqtt_unsubscribe )
{
auto topics = new VectorVal(string_vec);
auto topics = make_intrusive<VectorVal>(string_vec);
for (auto topic: *${msg.topics})
for ( auto topic: *${msg.topics} )
{
auto unsubscribe_topic = new StringVal(${topic.str}.length(),
reinterpret_cast<const char*>(${topic.str}.begin()));
topics->Assign(topics->Size(), unsubscribe_topic);
}
BifEvent::generate_mqtt_unsubscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
topics);
BifEvent::enqueue_mqtt_unsubscribe(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.msg_id},
std::move(topics));
}
return true;

60
src/analyzer/protocol/mysql/mysql-analyzer.pac
View file

@ -6,13 +6,13 @@ refine flow MySQL_Flow += {
if ( mysql_server_version )
{
if ( ${msg.version} == 10 )
BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.handshake10.server_version})));
BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
make_intrusive<StringVal>(c_str(${msg.handshake10.server_version})));
if ( ${msg.version} == 9 )
BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.handshake9.server_version})));
BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
make_intrusive<StringVal>(c_str(${msg.handshake9.server_version})));
}
return true;
%}
@ -25,13 +25,13 @@ refine flow MySQL_Flow += {
if ( mysql_handshake )
{
if ( ${msg.version} == 10 )
BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.v10_response.username})));
BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
make_intrusive<StringVal>(c_str(${msg.v10_response.username})));
if ( ${msg.version} == 9 )
BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
new StringVal(c_str(${msg.v9_response.username})));
BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
make_intrusive<StringVal>(c_str(${msg.v9_response.username})));
}
return true;
%}
@ -39,29 +39,29 @@ refine flow MySQL_Flow += {
function proc_mysql_command_request_packet(msg: Command_Request_Packet): bool
%{
if ( mysql_command_request )
BifEvent::generate_mysql_command_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.command},
bytestring_to_val(${msg.arg}));
BifEvent::enqueue_mysql_command_request(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.command},
to_stringval(${msg.arg}));
return true;
%}
function proc_err_packet(msg: ERR_Packet): bool
%{
if ( mysql_error )
BifEvent::generate_mysql_error(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.code},
bytestring_to_val(${msg.msg}));
BifEvent::enqueue_mysql_error(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.code},
to_stringval(${msg.msg}));
return true;
%}
function proc_ok_packet(msg: OK_Packet): bool
%{
if ( mysql_ok )
BifEvent::generate_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.rows});
BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.rows});
return true;
%}
@ -71,9 +71,9 @@ refine flow MySQL_Flow += {
{
// This is a bit fake...
if ( mysql_ok )
BifEvent::generate_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
0);
BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
0);
}
if ( ${msg.is_eof} )
@ -83,7 +83,7 @@ refine flow MySQL_Flow += {
return true;
auto vt = internal_type("string_vec")->AsVectorType();
auto vv = new VectorVal(vt);
auto vv = make_intrusive<VectorVal>(vt);
auto& bstring = ${msg.row.first_field.val};
auto ptr = reinterpret_cast<const char*>(bstring.data());
@ -98,9 +98,9 @@ refine flow MySQL_Flow += {
vv->Assign(vv->Size(), make_intrusive<StringVal>(bstring.length(), ptr));
}
BifEvent::generate_mysql_result_row(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
vv);
BifEvent::enqueue_mysql_result_row(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
std::move(vv));
return true;
%}

20
src/analyzer/protocol/ncp/NCP.cc
View file

@ -63,19 +63,19 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
{
if ( frame->is_orig() )
analyzer->EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)}
analyzer->ConnVal(),
val_mgr->Count(frame->frame_type()),
val_mgr->Count(frame->body_length()),
val_mgr->Count(req_func)
);
else
analyzer->EnqueueConnEvent(f,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_frame_type)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->reply()->completion_code())}
analyzer->ConnVal(),
val_mgr->Count(frame->frame_type()),
val_mgr->Count(frame->body_length()),
val_mgr->Count(req_frame_type),
val_mgr->Count(req_func),
val_mgr->Count(frame->reply()->completion_code())
);
}
}

14
src/analyzer/protocol/netbios/NetbiosSSN.cc
View file

@ -60,10 +60,10 @@ void NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
{
if ( netbios_session_message )
analyzer->EnqueueConnEvent(netbios_session_message,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(type)},
IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
analyzer->ConnVal(),
val_mgr->Bool(is_query),
val_mgr->Count(type),
val_mgr->Count(len)
);
switch ( type ) {
@ -322,13 +322,13 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
if ( is_orig >= 0 )
analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
analyzer->ConnVal(),
val_mgr->Bool(is_orig),
make_intrusive<StringVal>(new BroString(data, len, false))
);
else
analyzer->EnqueueConnEvent(event,
IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
analyzer->ConnVal(),
make_intrusive<StringVal>(new BroString(data, len, false))
);
}

4
src/analyzer/protocol/netbios/functions.bif
View file

@ -34,7 +34,7 @@ function decode_netbios_name%(name: string%): string
break;
}
return new StringVal(i, result);
return make_intrusive<StringVal>(i, result);
%}
## Converts a NetBIOS name type to its corresponding numeric value.
@ -49,5 +49,5 @@ function decode_netbios_name_type%(name: string%): count
%{
const u_char* s = name->Bytes();
char return_val = ((toupper(s[30]) - 'A') << 4) + (toupper(s[31]) - 'A');
return val_mgr->GetCount(return_val);
return val_mgr->Count(return_val);
%}

82
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -16,10 +16,10 @@ refine connection NTLM_Conn += {
function build_version_record(val: NTLM_Version): BroVal
%{
RecordVal* result = new RecordVal(BifType::Record::NTLM::Version);
result->Assign(0, val_mgr->GetCount(${val.major_version}));
result->Assign(1, val_mgr->GetCount(${val.minor_version}));
result->Assign(2, val_mgr->GetCount(${val.build_number}));
result->Assign(3, val_mgr->GetCount(${val.ntlm_revision}));
result->Assign(0, val_mgr->Count(${val.major_version}));
result->Assign(1, val_mgr->Count(${val.minor_version}));
result->Assign(2, val_mgr->Count(${val.build_number}));
result->Assign(3, val_mgr->Count(${val.ntlm_revision}));
return result;
%}
@ -60,13 +60,13 @@ refine connection NTLM_Conn += {
result->Assign(4, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
break;
case 6:
result->Assign(5, val_mgr->GetBool(${val.pairs[i].constrained_auth}));
result->Assign(5, val_mgr->Bool(${val.pairs[i].constrained_auth}));
break;
case 7:
result->Assign(6, filetime2brotime(${val.pairs[i].timestamp}));
break;
case 8:
result->Assign(7, val_mgr->GetCount(${val.pairs[i].single_host.machine_id}));
result->Assign(7, val_mgr->Count(${val.pairs[i].single_host.machine_id}));
break;
case 9:
result->Assign(8, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data}));
@ -79,28 +79,28 @@ refine connection NTLM_Conn += {
function build_negotiate_flag_record(val: NTLM_Negotiate_Flags): BroVal
%{
RecordVal* flags = new RecordVal(BifType::Record::NTLM::NegotiateFlags);
flags->Assign(0, val_mgr->GetBool(${val.negotiate_56}));
flags->Assign(1, val_mgr->GetBool(${val.negotiate_key_exch}));
flags->Assign(2, val_mgr->GetBool(${val.negotiate_128}));
flags->Assign(3, val_mgr->GetBool(${val.negotiate_version}));
flags->Assign(4, val_mgr->GetBool(${val.negotiate_target_info}));
flags->Assign(5, val_mgr->GetBool(${val.request_non_nt_session_key}));
flags->Assign(6, val_mgr->GetBool(${val.negotiate_identify}));
flags->Assign(7, val_mgr->GetBool(${val.negotiate_extended_sessionsecurity}));
flags->Assign(8, val_mgr->GetBool(${val.target_type_server}));
flags->Assign(9, val_mgr->GetBool(${val.target_type_domain}));
flags->Assign(10, val_mgr->GetBool(${val.negotiate_always_sign}));
flags->Assign(11, val_mgr->GetBool(${val.negotiate_oem_workstation_supplied}));
flags->Assign(12, val_mgr->GetBool(${val.negotiate_oem_domain_supplied}));
flags->Assign(13, val_mgr->GetBool(${val.negotiate_anonymous_connection}));
flags->Assign(14, val_mgr->GetBool(${val.negotiate_ntlm}));
flags->Assign(15, val_mgr->GetBool(${val.negotiate_lm_key}));
flags->Assign(16, val_mgr->GetBool(${val.negotiate_datagram}));
flags->Assign(17, val_mgr->GetBool(${val.negotiate_seal}));
flags->Assign(18, val_mgr->GetBool(${val.negotiate_sign}));
flags->Assign(19, val_mgr->GetBool(${val.request_target}));
flags->Assign(20, val_mgr->GetBool(${val.negotiate_oem}));
flags->Assign(21, val_mgr->GetBool(${val.negotiate_unicode}));
flags->Assign(0, val_mgr->Bool(${val.negotiate_56}));
flags->Assign(1, val_mgr->Bool(${val.negotiate_key_exch}));
flags->Assign(2, val_mgr->Bool(${val.negotiate_128}));
flags->Assign(3, val_mgr->Bool(${val.negotiate_version}));
flags->Assign(4, val_mgr->Bool(${val.negotiate_target_info}));
flags->Assign(5, val_mgr->Bool(${val.request_non_nt_session_key}));
flags->Assign(6, val_mgr->Bool(${val.negotiate_identify}));
flags->Assign(7, val_mgr->Bool(${val.negotiate_extended_sessionsecurity}));
flags->Assign(8, val_mgr->Bool(${val.target_type_server}));
flags->Assign(9, val_mgr->Bool(${val.target_type_domain}));
flags->Assign(10, val_mgr->Bool(${val.negotiate_always_sign}));
flags->Assign(11, val_mgr->Bool(${val.negotiate_oem_workstation_supplied}));
flags->Assign(12, val_mgr->Bool(${val.negotiate_oem_domain_supplied}));
flags->Assign(13, val_mgr->Bool(${val.negotiate_anonymous_connection}));
flags->Assign(14, val_mgr->Bool(${val.negotiate_ntlm}));
flags->Assign(15, val_mgr->Bool(${val.negotiate_lm_key}));
flags->Assign(16, val_mgr->Bool(${val.negotiate_datagram}));
flags->Assign(17, val_mgr->Bool(${val.negotiate_seal}));
flags->Assign(18, val_mgr->Bool(${val.negotiate_sign}));
flags->Assign(19, val_mgr->Bool(${val.request_target}));
flags->Assign(20, val_mgr->Bool(${val.negotiate_oem}));
flags->Assign(21, val_mgr->Bool(${val.negotiate_unicode}));
return flags;
%}
@ -110,7 +110,7 @@ refine connection NTLM_Conn += {
if ( ! ntlm_negotiate )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Negotiate);
auto result = make_intrusive<RecordVal>(BifType::Record::NTLM::Negotiate);
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() )
@ -122,9 +122,9 @@ refine connection NTLM_Conn += {
if ( ${val}->has_version() )
result->Assign(3, build_version_record(${val.version}));
BifEvent::generate_ntlm_negotiate(bro_analyzer(),
bro_analyzer()->Conn(),
result);
BifEvent::enqueue_ntlm_negotiate(bro_analyzer(),
bro_analyzer()->Conn(),
std::move(result));
return true;
%}
@ -134,7 +134,7 @@ refine connection NTLM_Conn += {
if ( ! ntlm_challenge )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Challenge);
auto result = make_intrusive<RecordVal>(BifType::Record::NTLM::Challenge);
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_target_name() )
@ -146,9 +146,9 @@ refine connection NTLM_Conn += {
if ( ${val}->has_target_info() )
result->Assign(3, build_av_record(${val.target_info}, ${val.target_info_fields.length}));
BifEvent::generate_ntlm_challenge(bro_analyzer(),
bro_analyzer()->Conn(),
result);
BifEvent::enqueue_ntlm_challenge(bro_analyzer(),
bro_analyzer()->Conn(),
std::move(result));
return true;
%}
@ -158,7 +158,7 @@ refine connection NTLM_Conn += {
if ( ! ntlm_authenticate )
return true;
RecordVal* result = new RecordVal(BifType::Record::NTLM::Authenticate);
auto result = make_intrusive<RecordVal>(BifType::Record::NTLM::Authenticate);
result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() > 0 )
@ -171,14 +171,14 @@ refine connection NTLM_Conn += {
result->Assign(3, utf16_bytestring_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data}));
if ( ${val}->has_encrypted_session_key() > 0 )
result->Assign(4, bytestring_to_val(${val.encrypted_session_key.string.data}));
result->Assign(4, to_stringval(${val.encrypted_session_key.string.data}));
if ( ${val}->has_version() )
result->Assign(5, build_version_record(${val.version}));
BifEvent::generate_ntlm_authenticate(bro_analyzer(),
bro_analyzer()->Conn(),
result);
BifEvent::enqueue_ntlm_authenticate(bro_analyzer(),
bro_analyzer()->Conn(),
std::move(result));
return true;
%}
}

60
src/analyzer/protocol/ntp/ntp-analyzer.pac
View file

@ -37,7 +37,7 @@ refine flow NTP_Flow += {
%{
RecordVal* rv = new RecordVal(BifType::Record::NTP::StandardMessage);
rv->Assign(0, val_mgr->GetCount(${nsm.stratum}));
rv->Assign(0, val_mgr->Count(${nsm.stratum}));
rv->Assign(1, make_intrusive<Val>(pow(2, ${nsm.poll}), TYPE_INTERVAL));
rv->Assign(2, make_intrusive<Val>(pow(2, ${nsm.precision}), TYPE_INTERVAL));
rv->Assign(3, proc_ntp_short(${nsm.root_delay}));
@ -46,11 +46,11 @@ refine flow NTP_Flow += {
switch ( ${nsm.stratum} ) {
case 0:
// unknown stratum => kiss code
rv->Assign(5, bytestring_to_val(${nsm.reference_id}));
rv->Assign(5, to_stringval(${nsm.reference_id}));
break;
case 1:
// reference clock => ref clock string
rv->Assign(6, bytestring_to_val(${nsm.reference_id}));
rv->Assign(6, to_stringval(${nsm.reference_id}));
break;
default:
{
@ -67,19 +67,19 @@ refine flow NTP_Flow += {
if ( ${nsm.mac_len} == 20 )
{
rv->Assign(12, val_mgr->GetCount(${nsm.mac.key_id}));
rv->Assign(13, bytestring_to_val(${nsm.mac.digest}));
rv->Assign(12, val_mgr->Count(${nsm.mac.key_id}));
rv->Assign(13, to_stringval(${nsm.mac.digest}));
}
else if ( ${nsm.mac_len} == 24 )
{
rv->Assign(12, val_mgr->GetCount(${nsm.mac_ext.key_id}));
rv->Assign(13, bytestring_to_val(${nsm.mac_ext.digest}));
rv->Assign(12, val_mgr->Count(${nsm.mac_ext.key_id}));
rv->Assign(13, to_stringval(${nsm.mac_ext.digest}));
}
if ( ${nsm.has_exts} )
{
// TODO: add extension fields
rv->Assign(14, val_mgr->GetCount((uint32) ${nsm.exts}->size()));
rv->Assign(14, val_mgr->Count((uint32) ${nsm.exts}->size()));
}
return rv;
@ -90,21 +90,21 @@ refine flow NTP_Flow += {
%{
RecordVal* rv = new RecordVal(BifType::Record::NTP::ControlMessage);
rv->Assign(0, val_mgr->GetCount(${ncm.OpCode}));
rv->Assign(1, val_mgr->GetBool(${ncm.R}));
rv->Assign(2, val_mgr->GetBool(${ncm.E}));
rv->Assign(3, val_mgr->GetBool(${ncm.M}));
rv->Assign(4, val_mgr->GetCount(${ncm.sequence}));
rv->Assign(5, val_mgr->GetCount(${ncm.status}));
rv->Assign(6, val_mgr->GetCount(${ncm.association_id}));
rv->Assign(0, val_mgr->Count(${ncm.OpCode}));
rv->Assign(1, val_mgr->Bool(${ncm.R}));
rv->Assign(2, val_mgr->Bool(${ncm.E}));
rv->Assign(3, val_mgr->Bool(${ncm.M}));
rv->Assign(4, val_mgr->Count(${ncm.sequence}));
rv->Assign(5, val_mgr->Count(${ncm.status}));
rv->Assign(6, val_mgr->Count(${ncm.association_id}));
if ( ${ncm.c} > 0 )
rv->Assign(7, bytestring_to_val(${ncm.data}));
rv->Assign(7, to_stringval(${ncm.data}));
if ( ${ncm.has_control_mac} )
{
rv->Assign(8, val_mgr->GetCount(${ncm.mac.key_id}));
rv->Assign(9, bytestring_to_val(${ncm.mac.crypto_checksum}));
rv->Assign(8, val_mgr->Count(${ncm.mac.key_id}));
rv->Assign(9, to_stringval(${ncm.mac.crypto_checksum}));
}
return rv;
@ -115,14 +115,14 @@ refine flow NTP_Flow += {
%{
RecordVal* rv = new RecordVal(BifType::Record::NTP::Mode7Message);
rv->Assign(0, val_mgr->GetCount(${m7.request_code}));
rv->Assign(1, val_mgr->GetBool(${m7.auth_bit}));
rv->Assign(2, val_mgr->GetCount(${m7.sequence}));
rv->Assign(3, val_mgr->GetCount(${m7.implementation}));
rv->Assign(4, val_mgr->GetCount(${m7.error_code}));
rv->Assign(0, val_mgr->Count(${m7.request_code}));
rv->Assign(1, val_mgr->Bool(${m7.auth_bit}));
rv->Assign(2, val_mgr->Count(${m7.sequence}));
rv->Assign(3, val_mgr->Count(${m7.implementation}));
rv->Assign(4, val_mgr->Count(${m7.error_code}));
if ( ${m7.data_len} > 0 )
rv->Assign(5, bytestring_to_val(${m7.data}));
rv->Assign(5, to_stringval(${m7.data}));
return rv;
%}
@ -135,9 +135,9 @@ refine flow NTP_Flow += {
if ( ! ntp_message )
return false;
RecordVal* rv = new RecordVal(BifType::Record::NTP::Message);
rv->Assign(0, val_mgr->GetCount(${msg.version}));
rv->Assign(1, val_mgr->GetCount(${msg.mode}));
auto rv = make_intrusive<RecordVal>(BifType::Record::NTP::Message);
rv->Assign(0, val_mgr->Count(${msg.version}));
rv->Assign(1, val_mgr->Count(${msg.mode}));
// The standard record
if ( ${msg.mode} >=1 && ${msg.mode} <= 5 )
@ -147,9 +147,9 @@ refine flow NTP_Flow += {
else if ( ${msg.mode} == 7 )
rv->Assign(4, BuildNTPMode7Msg(${msg.mode7}));
BifEvent::generate_ntp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), rv);
BifEvent::enqueue_ntp_message(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
is_orig(), std::move(rv));
return true;
%}
};

4
src/analyzer/protocol/pia/PIA.cc
View file

@ -159,7 +159,7 @@ void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal();
mgr.Enqueue(protocol_late_match,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{NewRef{}, tval}
);
}
@ -307,7 +307,7 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal();
mgr.Enqueue(protocol_late_match,
IntrusivePtr{AdoptRef{}, BuildConnVal()},
ConnVal(),
IntrusivePtr{NewRef{}, tval}
);
}

6
src/analyzer/protocol/pop3/POP3.cc
View file

@ -826,7 +826,7 @@ void POP3_Analyzer::StartTLS()
AddChildAnalyzer(ssl);
if ( pop3_starttls )
EnqueueConnEvent(pop3_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
EnqueueConnEvent(pop3_starttls, ConnVal());
}
void POP3_Analyzer::AuthSuccessfull()
@ -919,8 +919,8 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
zeek::Args vl;
vl.reserve(2 + (bool)arg1 + (bool)arg2);
vl.emplace_back(AdoptRef{}, BuildConnVal());
vl.emplace_back(AdoptRef{}, val_mgr->GetBool(is_orig));
vl.emplace_back(ConnVal());
vl.emplace_back(val_mgr->Bool(is_orig));
if ( arg1 )
vl.emplace_back(make_intrusive<StringVal>(arg1));

41
src/analyzer/protocol/radius/radius-analyzer.pac
View file

@ -5,54 +5,53 @@ refine flow RADIUS_Flow += {
connection()->bro_analyzer()->ProtocolConfirmation();
if ( ! radius_message )
return false;
return false;
RecordVal* result = new RecordVal(BifType::Record::RADIUS::Message);
result->Assign(0, val_mgr->GetCount(${msg.code}));
result->Assign(1, val_mgr->GetCount(${msg.trans_id}));
result->Assign(2, bytestring_to_val(${msg.authenticator}));
auto result = make_intrusive<RecordVal>(BifType::Record::RADIUS::Message);
result->Assign(0, val_mgr->Count(${msg.code}));
result->Assign(1, val_mgr->Count(${msg.trans_id}));
result->Assign(2, to_stringval(${msg.authenticator}));
if ( ${msg.attributes}->size() )
{
TableVal* attributes = new TableVal({NewRef{}, BifType::Table::RADIUS::Attributes});
for ( uint i = 0; i < ${msg.attributes}->size(); ++i ) {
Val* index = val_mgr->GetCount(${msg.attributes[i].code});
for ( uint i = 0; i < ${msg.attributes}->size(); ++i )
{
auto index = val_mgr->Count(${msg.attributes[i].code});
// Do we already have a vector of attributes for this type?
auto current = attributes->Lookup(index);
Val* val = bytestring_to_val(${msg.attributes[i].value});
auto current = attributes->Lookup(index.get());
IntrusivePtr<Val> val = to_stringval(${msg.attributes[i].value});
if ( current )
{
VectorVal* vcurrent = current->AsVectorVal();
vcurrent->Assign(vcurrent->Size(), val);
vcurrent->Assign(vcurrent->Size(), std::move(val));
}
else
{
{
VectorVal* attribute_list = new VectorVal(BifType::Vector::RADIUS::AttributeList);
attribute_list->Assign((unsigned int)0, val);
attributes->Assign(index, attribute_list);
}
Unref(index);
}
attribute_list->Assign((unsigned int)0, std::move(val));
attributes->Assign(index.get(), attribute_list);
}
}
result->Assign(3, attributes);
}
BifEvent::generate_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
BifEvent::enqueue_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), std::move(result));
return true;
%}
function proc_radius_attribute(attr: RADIUS_Attribute): bool
%{
if ( ! radius_attribute )
return false;
return false;
BifEvent::generate_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
${attr.code}, bytestring_to_val(${attr.value}));
BifEvent::enqueue_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
${attr.code}, to_stringval(${attr.value}));
return true;
%}
};

Some files were not shown because too many files have changed in this diff Show more