Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 18:48:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

fix strange bug when using predicates and events at the same time on a tablefilter.

Browse source 
Testcase is now more involved.
This commit is contained in:
Bernhard Amann 2012-02-23 15:30:39 -08:00
parent d81607c3e9
commit d553a3c6f6
3 changed files with 249 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

50
src/input/Manager.cc
View file

@ -364,20 +364,21 @@ bool Manager::AddTableFilter(EnumVal *id, RecordVal* fval) {
} }
Val* name = fval->Lookup(rtype->FieldOffset("name")); Val* name = fval->LookupWithDefault(rtype->FieldOffset("name"));
Val* pred = fval->Lookup(rtype->FieldOffset("pred")); Val* pred = fval->LookupWithDefault(rtype->FieldOffset("pred"));
RecordType *idx = fval->Lookup(rtype->FieldOffset("idx"))->AsType()->AsTypeType()->Type()->AsRecordType(); RecordType *idx = fval->LookupWithDefault(rtype->FieldOffset("idx"))->AsType()->AsTypeType()->Type()->AsRecordType();
RecordType *val = 0; RecordType *val = 0;
if ( fval->Lookup(rtype->FieldOffset("val")) != 0 ) { if ( fval->Lookup(rtype->FieldOffset("val")) != 0 ) {
val = fval->Lookup(rtype->FieldOffset("val"))->AsType()->AsTypeType()->Type()->AsRecordType(); val = fval->LookupWithDefault(rtype->FieldOffset("val"))->AsType()->AsTypeType()->Type()->AsRecordType();
} }
TableVal *dst = fval->Lookup(rtype->FieldOffset("destination"))->AsTableVal(); TableVal *dst = fval->LookupWithDefault(rtype->FieldOffset("destination"))->AsTableVal();
Val *want_record = fval->LookupWithDefault(rtype->FieldOffset("want_record")); Val *want_record = fval->LookupWithDefault(rtype->FieldOffset("want_record"));
Val* event_val = fval->Lookup(rtype->FieldOffset("ev")); Val* event_val = fval->LookupWithDefault(rtype->FieldOffset("ev"));
Func* event = event_val ? event_val->AsFunc() : 0; Func* event = event_val ? event_val->AsFunc() : 0;
Unref(event_val);
if ( event ) { if ( event ) {
FuncType* etype = event->FType()->AsFuncType(); FuncType* etype = event->FType()->AsFuncType();
@ -450,14 +451,17 @@ bool Manager::AddTableFilter(EnumVal *id, RecordVal* fval) {
filter->pred = pred ? pred->AsFunc() : 0; filter->pred = pred ? pred->AsFunc() : 0;
filter->num_idx_fields = idxfields; filter->num_idx_fields = idxfields;
filter->num_val_fields = valfields; filter->num_val_fields = valfields;
filter->tab = dst->Ref()->AsTableVal(); filter->tab = dst->AsTableVal();
filter->rtype = val ? val->Ref()->AsRecordType() : 0; filter->rtype = val ? val->AsRecordType() : 0;
filter->itype = idx->Ref()->AsRecordType(); filter->itype = idx->AsRecordType();
filter->event = event ? event_registry->Lookup(event->GetID()->Name()) : 0; filter->event = event ? event_registry->Lookup(event->GetID()->Name()) : 0;
filter->currDict = new PDict(InputHash); filter->currDict = new PDict(InputHash);
filter->lastDict = new PDict(InputHash); filter->lastDict = new PDict(InputHash);
filter->want_record = ( want_record->InternalInt() == 1 ); filter->want_record = ( want_record->InternalInt() == 1 );
Unref(want_record); // ref'd by lookupwithdefault Unref(want_record); // ref'd by lookupwithdefault
Unref(name);
Unref(pred);
if ( valfields > 1 ) { if ( valfields > 1 ) {
assert(filter->want_record); assert(filter->want_record);
@ -948,16 +952,16 @@ void Manager::EndCurrentSend(const ReaderFrontend* reader, int id) {
val = filter->tab->Lookup(idx); val = filter->tab->Lookup(idx);
assert(val != 0); assert(val != 0);
} }
if ( filter->pred ) {
bool doBreak = false;
// ask predicate, if we want to expire this element...
EnumVal* ev = new EnumVal(BifEnum::Input::EVENT_REMOVED, BifType::Enum::Input::Event);
//Ref(idx);
int startpos = 0; int startpos = 0;
Val* predidx = ListValToRecordVal(idx, filter->itype, &startpos); Val* predidx = ListValToRecordVal(idx, filter->itype, &startpos);
EnumVal* ev = new EnumVal(BifEnum::Input::EVENT_REMOVED, BifType::Enum::Input::Event);
if ( filter->pred ) {
// ask predicate, if we want to expire this element...
Ref(ev);
Ref(predidx);
Ref(val); Ref(val);
val_list vl(3); val_list vl(3);
@ -971,21 +975,23 @@ void Manager::EndCurrentSend(const ReaderFrontend* reader, int id) {
if ( result == false ) { if ( result == false ) {
// Keep it. Hence - we quit and simply go to the next entry of lastDict // Keep it. Hence - we quit and simply go to the next entry of lastDict
// ah well - and we have to add the entry to currDict... // ah well - and we have to add the entry to currDict...
Unref(predidx);
Unref(ev);
filter->currDict->Insert(lastDictIdxKey, filter->lastDict->RemoveEntry(lastDictIdxKey)); filter->currDict->Insert(lastDictIdxKey, filter->lastDict->RemoveEntry(lastDictIdxKey));
continue; continue;
} }
} }
if ( filter->event ) { if ( filter->event ) {
int startpos = 0; Ref(predidx);
Val* predidx = ListValToRecordVal(idx, filter->itype, &startpos);
Ref(val); Ref(val);
EnumVal *ev = new EnumVal(BifEnum::Input::EVENT_REMOVED, BifType::Enum::Input::Event); Ref(ev);
SendEvent(filter->event, 3, ev, predidx, val); SendEvent(filter->event, 3, ev, predidx, val);
} }
Unref(predidx);
Unref(ev);
filter->tab->Delete(ih->idxkey); filter->tab->Delete(ih->idxkey);
filter->lastDict->Remove(lastDictIdxKey); // deletex in next line filter->lastDict->Remove(lastDictIdxKey); // deletex in next line
delete(ih); delete(ih);

212
testing/btest/Baseline/scripts.base.frameworks.input.reread/out
View file

@ -1,3 +1,18 @@
============PREDICATE============
Input::EVENT_NEW
[i=-42]
[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============EVENT============ ============EVENT============
Input::EVENT_NEW Input::EVENT_NEW
[i=-42] [i=-42]
@ -28,6 +43,21 @@ BB
}, vc=[10, 20, 30], ve=[]] }, vc=[10, 20, 30], ve=[]]
} }
============PREDICATE============
Input::EVENT_NEW
[i=-43]
[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============EVENT============ ============EVENT============
Input::EVENT_NEW Input::EVENT_NEW
[i=-43] [i=-43]
@ -70,6 +100,21 @@ BB
}, vc=[10, 20, 30], ve=[]] }, vc=[10, 20, 30], ve=[]]
} }
============PREDICATE============
Input::EVENT_CHANGED
[i=-43]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============EVENT============ ============EVENT============
Input::EVENT_CHANGED Input::EVENT_CHANGED
[i=-43] [i=-43]
@ -112,6 +157,21 @@ BB
}, vc=[10, 20, 30], ve=[]] }, vc=[10, 20, 30], ve=[]]
} }
============PREDICATE============
Input::EVENT_NEW
[i=-44]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============EVENT============ ============EVENT============
Input::EVENT_NEW Input::EVENT_NEW
[i=-44] [i=-44]
@ -126,6 +186,21 @@ AA,
BB BB
}, se={ }, se={
}, vc=[10, 20, 30], ve=[]]
============PREDICATE============
Input::EVENT_NEW
[i=-45]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]] }, vc=[10, 20, 30], ve=[]]
============EVENT============ ============EVENT============
Input::EVENT_NEW Input::EVENT_NEW
@ -142,7 +217,7 @@ BB
}, se={ }, se={
}, vc=[10, 20, 30], ve=[]] }, vc=[10, 20, 30], ve=[]]
============EVENT============ ============PREDICATE============
Input::EVENT_NEW Input::EVENT_NEW
[i=-46] [i=-46]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ [b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
@ -159,6 +234,21 @@ BB
}, vc=[10, 20, 30], ve=[]] }, vc=[10, 20, 30], ve=[]]
============EVENT============ ============EVENT============
Input::EVENT_NEW Input::EVENT_NEW
[i=-46]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============PREDICATE============
Input::EVENT_NEW
[i=-47] [i=-47]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ [b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2, 2,
@ -171,6 +261,36 @@ AA,
BB BB
}, se={ }, se={
}, vc=[10, 20, 30], ve=[]]
============EVENT============
Input::EVENT_NEW
[i=-47]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============PREDICATE============
Input::EVENT_NEW
[i=-48]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]] }, vc=[10, 20, 30], ve=[]]
============EVENT============ ============EVENT============
Input::EVENT_NEW Input::EVENT_NEW
@ -274,6 +394,96 @@ BB
}, vc=[10, 20, 30], ve=[]] }, vc=[10, 20, 30], ve=[]]
} }
============PREDICATE============
Input::EVENT_REMOVED
[i=-43]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============PREDICATE============
Input::EVENT_REMOVED
[i=-46]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============PREDICATE============
Input::EVENT_REMOVED
[i=-44]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============PREDICATE============
Input::EVENT_REMOVED
[i=-47]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============PREDICATE============
Input::EVENT_REMOVED
[i=-45]
[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============PREDICATE============
Input::EVENT_REMOVED
[i=-42]
[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
============EVENT============ ============EVENT============
Input::EVENT_REMOVED Input::EVENT_REMOVED
[i=-43] [i=-43]

10
testing/btest/scripts/base/frameworks/input/reread.bro
View file

@ -107,7 +107,15 @@ event bro_init()
try = 0; try = 0;
# first read in the old stuff into the table... # first read in the old stuff into the table...
Input::create_stream(A::INPUT, [$source="../input.log", $mode=Input::REREAD]); Input::create_stream(A::INPUT, [$source="../input.log", $mode=Input::REREAD]);
Input::add_tablefilter(A::INPUT, [$name="ssh", $idx=Idx, $val=Val, $destination=servers, $ev=line]); Input::add_tablefilter(A::INPUT, [$name="ssh", $idx=Idx, $val=Val, $destination=servers, $ev=line,
$pred(typ: Input::Event, left: Idx, right: Val) = {
print outfile, "============PREDICATE============";
print outfile, typ;
print outfile, left;
print outfile, right;
return T;
}
]);
} }