file_analysis: Implement AnalyzerViolation() for file_analysis/Analyzer

Add a test parsing a malformed PE file showing that analyzer_violation_info is raised with the fa_file object set. It could be interesting to pass through an optional connection if one exists, but access is provided through f$conns, too.
2025-10-02 22:58:20 +00:00 · 2022-08-31 18:07:18 +02:00 · 2022-08-31 18:07:18 +02:00 · d5cd023dff
commit d5cd023dff
parent bc8fd5a4c6
10 changed files with 145 additions and 6 deletions
--- a/src/file_analysis/Analyzer.cc
+++ b/src/file_analysis/Analyzer.cc
@ -2,9 +2,14 @@

 #include "zeek/file_analysis/Analyzer.h"

+#include "zeek/Event.h"
 #include "zeek/Val.h"
+#include "zeek/file_analysis/File.h"
 #include "zeek/file_analysis/Manager.h"

+// For analyzer_violation_info
+#include "event.bif.netvar_h"
+
 namespace zeek::file_analysis
 	{

@ -23,7 +28,7 @@ void Analyzer::SetAnalyzerTag(const zeek::Tag& arg_tag)

 Analyzer::Analyzer(zeek::Tag arg_tag, RecordValPtr arg_args, File* arg_file)
 	: tag(arg_tag), args(std::move(arg_args)), file(arg_file), got_stream_delivery(false),
-	  skip(false)
+	  skip(false), analyzer_confirmed(false)
 	{
 	id = ++id_counter;
 	}
@ -33,4 +38,44 @@ Analyzer::Analyzer(RecordValPtr arg_args, File* arg_file)
 	{
 	}

+void Analyzer::AnalyzerConfirmation(zeek::Tag arg_tag)
+	{
+	if ( analyzer_confirmed )
+		return;
+
+	analyzer_confirmed = true;
+
+	if ( ! analyzer_confirmation_info )
+		return;
+
+	static auto info_type = zeek::id::find_type<RecordType>("AnalyzerConfirmationInfo");
+	static auto info_f_idx = info_type->FieldOffset("f");
+
+	auto info = zeek::make_intrusive<RecordVal>(info_type);
+	info->Assign(info_f_idx, GetFile()->ToVal());
+
+	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
+	event_mgr.Enqueue(analyzer_confirmation_info, tval, info);
+	}
+
+void Analyzer::AnalyzerViolation(const char* reason, const char* data, int len, zeek::Tag arg_tag)
+	{
+	if ( ! analyzer_violation_info )
+		return;
+
+	static auto info_type = zeek::id::find_type<RecordType>("AnalyzerViolationInfo");
+	static auto info_reason_idx = info_type->FieldOffset("reason");
+	static auto info_f_idx = info_type->FieldOffset("f");
+	static auto info_data_idx = info_type->FieldOffset("data");
+
+	auto info = zeek::make_intrusive<RecordVal>(info_type);
+	info->Assign(info_reason_idx, make_intrusive<StringVal>(reason));
+	info->Assign(info_f_idx, GetFile()->ToVal());
+	if ( data && len )
+		info->Assign(info_data_idx, make_intrusive<StringVal>(len, data));
+
+	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
+	event_mgr.Enqueue(analyzer_violation_info, tval, info);
+	}
+
 	} // namespace zeek::file_analysis