Prefer explicit construction to coercion in record initialization
While we support initializing records via coercion from an expression list, e.g., local x: X = [$x1=1, $x2=2];, this can sometimes obscure the code to readers, e.g., when assigning to a value declared and typed elsewhere. The language runtime has a similar overhead: instead of just constructing a known type it needs to check at runtime that the coercion from the expression list is valid, which can be slower than just writing the readable code in the first place, see #4559. With this patch we use explicit construction, e.g., local x = X($x1=1, $x2=2);
This commit is contained in:
parent
54f9e45597
commit
d5fd29edcd
139 changed files with 786 additions and 788 deletions
|
@ -69,8 +69,8 @@ export {
|
|||
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(LOG, [$columns=Info, $path="analyzer_debug", $policy=log_policy,
|
||||
$event_groups=set("Analyzer::DebugLogging")]);
|
||||
Log::create_stream(LOG, Log::Stream($columns=Info, $path="analyzer_debug", $policy=log_policy,
|
||||
$event_groups=set("Analyzer::DebugLogging")));
|
||||
|
||||
local enable_handler = function(id: string, new_value: bool): bool {
|
||||
if ( new_value )
|
||||
|
|
|
@ -33,7 +33,7 @@ redef record connection += {
|
|||
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
|
||||
Log::create_stream(DPD::LOG, Log::Stream($columns=Info, $path="dpd", $policy=log_policy));
|
||||
}
|
||||
|
||||
# before the same event in dpd.zeek
|
||||
|
|
|
@ -93,7 +93,7 @@ function get_protocol(c: connection, a: AllAnalyzers::Tag) : protocol
|
|||
str = |str| > 0 ? fmt("%s/%s", str, p) : p;
|
||||
}
|
||||
|
||||
return [$a=Analyzer::name(a), $sub=str];
|
||||
return protocol($a=Analyzer::name(a), $sub=str);
|
||||
}
|
||||
|
||||
function fmt_protocol(p: protocol) : string
|
||||
|
@ -115,9 +115,9 @@ function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
|
|||
local p = get_protocol(c, a);
|
||||
local s = fmt_protocol(p);
|
||||
|
||||
NOTICE([$note=Protocol_Found,
|
||||
NOTICE(Notice::Info($note=Protocol_Found,
|
||||
$msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p),
|
||||
$sub=s, $conn=c]);
|
||||
$sub=s, $conn=c));
|
||||
|
||||
# We report multiple Server_Found's per host if we find a new
|
||||
# sub-protocol.
|
||||
|
@ -130,10 +130,10 @@ function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
|
|||
|
||||
if ( (! known || newsub) && a !in suppress_servers )
|
||||
{
|
||||
NOTICE([$note=Server_Found,
|
||||
NOTICE(Notice::Info($note=Server_Found,
|
||||
$msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s,
|
||||
c$id$resp_p, (known ? " (update)" : "")),
|
||||
$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h]);
|
||||
$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h));
|
||||
|
||||
if ( ! known )
|
||||
servers[c$id$resp_h, c$id$resp_p, p$a] = set();
|
||||
|
|
|
@ -6,7 +6,7 @@ event connection_established(c: connection)
|
|||
if ( c$orig$state == TCP_ESTABLISHED &&
|
||||
c$resp$state == TCP_ESTABLISHED )
|
||||
{
|
||||
Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
|
||||
Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
|
||||
Intel::seen(Intel::Seen($host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG));
|
||||
Intel::seen(Intel::Seen($host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP));
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
|
||||
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &group="Intel::DOMAIN"
|
||||
{
|
||||
Intel::seen([$indicator=query,
|
||||
$indicator_type=Intel::DOMAIN,
|
||||
$conn=c,
|
||||
$where=DNS::IN_REQUEST]);
|
||||
Intel::seen(Intel::Seen($indicator=query,
|
||||
$indicator_type=Intel::DOMAIN,
|
||||
$conn=c,
|
||||
$where=DNS::IN_REQUEST));
|
||||
}
|
||||
|
|
|
@ -10,10 +10,10 @@ event file_new(f: fa_file) &group="Intel::FILE_NAME"
|
|||
return;
|
||||
|
||||
if ( f?$info && f$info?$filename )
|
||||
Intel::seen([$indicator=f$info$filename,
|
||||
$indicator_type=Intel::FILE_NAME,
|
||||
$f=f,
|
||||
$where=Files::IN_NAME]);
|
||||
Intel::seen(Intel::Seen($indicator=f$info$filename,
|
||||
$indicator_type=Intel::FILE_NAME,
|
||||
$f=f,
|
||||
$where=Files::IN_NAME));
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5 &group="Intel::FILE_NAME"
|
||||
|
@ -23,8 +23,8 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
|
|||
return;
|
||||
|
||||
if ( f?$info && f$info?$filename )
|
||||
Intel::seen([$indicator=f$info$filename,
|
||||
$indicator_type=Intel::FILE_NAME,
|
||||
$f=f,
|
||||
$where=Files::IN_NAME]);
|
||||
Intel::seen(Intel::Seen($indicator=f$info$filename,
|
||||
$indicator_type=Intel::FILE_NAME,
|
||||
$f=f,
|
||||
$where=Files::IN_NAME));
|
||||
}
|
||||
|
|
|
@ -13,10 +13,10 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
|
|||
# Remove the occasional port value that shows up here.
|
||||
local host = gsub(value, /:[[:digit:]]+$/, "");
|
||||
if ( is_valid_ip(host) )
|
||||
Intel::seen([$host=to_addr(host),
|
||||
$indicator_type=Intel::ADDR,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_HOST_HEADER]);
|
||||
Intel::seen(Intel::Seen($host=to_addr(host),
|
||||
$indicator_type=Intel::ADDR,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_HOST_HEADER));
|
||||
break;
|
||||
|
||||
case "X-FORWARDED-FOR":
|
||||
|
@ -25,10 +25,10 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
|
|||
local addrs = extract_ip_addresses(value);
|
||||
for ( i in addrs )
|
||||
{
|
||||
Intel::seen([$host=to_addr(addrs[i]),
|
||||
$indicator_type=Intel::ADDR,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_X_FORWARDED_FOR_HEADER]);
|
||||
Intel::seen(Intel::Seen($host=to_addr(addrs[i]),
|
||||
$indicator_type=Intel::ADDR,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_X_FORWARDED_FOR_HEADER));
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
@ -38,36 +38,36 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
|
|||
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::DOMAIN"
|
||||
{
|
||||
if ( ! is_orig || name != "HOST" )
|
||||
return;
|
||||
return;
|
||||
|
||||
# Remove the occasional port value that shows up here.
|
||||
local host = gsub(value, /:[[:digit:]]+$/, "");
|
||||
if ( ! is_valid_ip(host) )
|
||||
Intel::seen([$indicator=host,
|
||||
$indicator_type=Intel::DOMAIN,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_HOST_HEADER]);
|
||||
Intel::seen(Intel::Seen($indicator=host,
|
||||
$indicator_type=Intel::DOMAIN,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_HOST_HEADER));
|
||||
}
|
||||
|
||||
|
||||
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::URL"
|
||||
{
|
||||
if ( ! is_orig || name != "REFERER" )
|
||||
return;
|
||||
return;
|
||||
|
||||
Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
|
||||
$indicator_type=Intel::URL,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_REFERRER_HEADER]);
|
||||
Intel::seen(Intel::Seen($indicator=sub(value, /^.*:\/\//, ""),
|
||||
$indicator_type=Intel::URL,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_REFERRER_HEADER));
|
||||
}
|
||||
|
||||
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::SOFTWARE"
|
||||
{
|
||||
if ( ! is_orig || name != "USER-AGENT" )
|
||||
return;
|
||||
return;
|
||||
|
||||
Intel::seen([$indicator=value,
|
||||
$indicator_type=Intel::SOFTWARE,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_USER_AGENT_HEADER]);
|
||||
Intel::seen(Intel::Seen($indicator=value,
|
||||
$indicator_type=Intel::SOFTWARE,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_USER_AGENT_HEADER));
|
||||
}
|
||||
|
|
|
@ -5,8 +5,8 @@
|
|||
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &group="Intel::URL"
|
||||
{
|
||||
if ( is_orig && c?$http )
|
||||
Intel::seen([$indicator=HTTP::build_url(c$http),
|
||||
$indicator_type=Intel::URL,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_URL]);
|
||||
Intel::seen(Intel::Seen($indicator=HTTP::build_url(c$http),
|
||||
$indicator_type=Intel::URL,
|
||||
$conn=c,
|
||||
$where=HTTP::IN_URL));
|
||||
}
|
||||
|
|
|
@ -14,10 +14,10 @@ event file_new(f: fa_file) &group="Intel::FILE_NAME"
|
|||
{
|
||||
local split_fname = split_string(c$smb_state$current_file$name, /\\/);
|
||||
local fname = split_fname[|split_fname|-1];
|
||||
Intel::seen([$indicator=fname,
|
||||
$indicator_type=Intel::FILE_NAME,
|
||||
$f=f,
|
||||
$where=SMB::IN_FILE_NAME]);
|
||||
Intel::seen(Intel::Seen($indicator=fname,
|
||||
$indicator_type=Intel::FILE_NAME,
|
||||
$f=f,
|
||||
$where=SMB::IN_FILE_NAME));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -13,10 +13,10 @@ event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
|
|||
local urls = find_all_urls_without_scheme(data);
|
||||
for ( url in urls )
|
||||
{
|
||||
Intel::seen([$indicator=url,
|
||||
$indicator_type=Intel::URL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_MESSAGE]);
|
||||
Intel::seen(Intel::Seen($indicator=url,
|
||||
$indicator_type=Intel::URL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_MESSAGE));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -24,5 +24,5 @@ event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
|
|||
event file_new(f: fa_file) &group="Intel::URL"
|
||||
{
|
||||
if ( f$source == "SMTP" )
|
||||
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);
|
||||
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, Files::AnalyzerArgs($stream_event=intel_mime_data));
|
||||
}
|
||||
|
|
|
@ -12,16 +12,16 @@ event mime_end_entity(c: connection) &group="Intel::ADDR"
|
|||
local path = c$smtp$path;
|
||||
for ( i in path )
|
||||
{
|
||||
Intel::seen([$host=path[i],
|
||||
$conn=c,
|
||||
$where=SMTP::IN_RECEIVED_HEADER]);
|
||||
Intel::seen(Intel::Seen($host=path[i],
|
||||
$conn=c,
|
||||
$where=SMTP::IN_RECEIVED_HEADER));
|
||||
}
|
||||
}
|
||||
|
||||
if ( c$smtp?$x_originating_ip )
|
||||
Intel::seen([$host=c$smtp$x_originating_ip,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_X_ORIGINATING_IP_HEADER]);
|
||||
Intel::seen(Intel::Seen($host=c$smtp$x_originating_ip,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_X_ORIGINATING_IP_HEADER));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -30,10 +30,10 @@ event mime_end_entity(c: connection) &group="Intel::SOFTWARE"
|
|||
if ( c?$smtp )
|
||||
{
|
||||
if ( c$smtp?$user_agent )
|
||||
Intel::seen([$indicator=c$smtp$user_agent,
|
||||
$indicator_type=Intel::SOFTWARE,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_HEADER]);
|
||||
Intel::seen(Intel::Seen($indicator=c$smtp$user_agent,
|
||||
$indicator_type=Intel::SOFTWARE,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_HEADER));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -43,20 +43,20 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
|
|||
{
|
||||
if ( c$smtp?$mailfrom )
|
||||
{
|
||||
Intel::seen([$indicator=c$smtp$mailfrom,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_MAIL_FROM]);
|
||||
Intel::seen(Intel::Seen($indicator=c$smtp$mailfrom,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_MAIL_FROM ));
|
||||
}
|
||||
|
||||
if ( c$smtp?$rcptto )
|
||||
{
|
||||
for ( rcptto_addr in c$smtp$rcptto )
|
||||
{
|
||||
Intel::seen([$indicator=rcptto_addr,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_RCPT_TO]);
|
||||
Intel::seen(Intel::Seen($indicator=rcptto_addr,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_RCPT_TO));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -64,10 +64,10 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
|
|||
{
|
||||
for ( from_addr in extract_email_addrs_set(c$smtp$from) )
|
||||
{
|
||||
Intel::seen([$indicator=from_addr,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_FROM]);
|
||||
Intel::seen(Intel::Seen($indicator=from_addr,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_FROM));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -75,10 +75,10 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
|
|||
{
|
||||
for ( email_to_addr in c$smtp$to )
|
||||
{
|
||||
Intel::seen([$indicator=extract_first_email_addr(email_to_addr),
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_TO]);
|
||||
Intel::seen(Intel::Seen($indicator=extract_first_email_addr(email_to_addr),
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_TO));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -86,19 +86,19 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
|
|||
{
|
||||
for ( cc_addr in c$smtp$cc )
|
||||
{
|
||||
Intel::seen([$indicator=cc_addr,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_CC]);
|
||||
Intel::seen(Intel::Seen($indicator=cc_addr,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_CC));
|
||||
}
|
||||
}
|
||||
|
||||
if ( c$smtp?$reply_to )
|
||||
{
|
||||
Intel::seen([$indicator=c$smtp$reply_to,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_REPLY_TO]);
|
||||
Intel::seen(Intel::Seen($indicator=c$smtp$reply_to,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$conn=c,
|
||||
$where=SMTP::IN_REPLY_TO));
|
||||
}
|
||||
}
|
||||
}
|
||||
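Review bot: The new Intel::Seen construction for the mailfrom indicator ends with a stray space before the closing parentheses, `$where=SMTP::IN_MAIL_FROM ));`, while every other converted call in this file closes as `));`. Dropping the space, `$where=SMTP::IN_MAIL_FROM));`, keeps the mechanical rewrite uniform and avoids a spurious whitespace diff the next time the file is touched. The enclosing mime_end_entity handler starts above the hunk.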
|
|
|
@ -5,10 +5,10 @@
|
|||
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &group="Intel::DOMAIN"
|
||||
{
|
||||
if ( is_orig && c?$ssl && c$ssl?$server_name )
|
||||
Intel::seen([$indicator=c$ssl$server_name,
|
||||
$indicator_type=Intel::DOMAIN,
|
||||
$conn=c,
|
||||
$where=SSL::IN_SERVER_NAME]);
|
||||
Intel::seen(Intel::Seen($indicator=c$ssl$server_name,
|
||||
$indicator_type=Intel::DOMAIN,
|
||||
$conn=c,
|
||||
$where=SSL::IN_SERVER_NAME));
|
||||
}
|
||||
|
||||
event ssl_established(c: connection) &group="Intel::DOMAIN"
|
||||
|
@ -18,9 +18,9 @@ event ssl_established(c: connection) &group="Intel::DOMAIN"
|
|||
return;
|
||||
|
||||
if ( c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$cn )
|
||||
Intel::seen([$indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
|
||||
Intel::seen(Intel::Seen($indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
|
||||
$indicator_type=Intel::DOMAIN,
|
||||
$fuid=c$ssl$cert_chain[0]$fuid,
|
||||
$conn=c,
|
||||
$where=X509::IN_CERT]);
|
||||
$where=X509::IN_CERT));
|
||||
}
|
||||
|
|
|
@ -5,8 +5,8 @@
|
|||
module Intel;
|
||||
|
||||
export {
|
||||
## Enables the extraction of subject alternate names from the X509 SAN DNS field
|
||||
option enable_x509_ext_subject_alternative_name = T;
|
||||
## Enables the extraction of subject alternate names from the X509 SAN DNS field
|
||||
option enable_x509_ext_subject_alternative_name = T;
|
||||
}
|
||||
|
||||
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) &group="Intel::DOMAIN"
|
||||
|
@ -14,10 +14,10 @@ event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativ
|
|||
if ( enable_x509_ext_subject_alternative_name && ext?$dns )
|
||||
{
|
||||
for ( i in ext$dns )
|
||||
Intel::seen([$indicator=ext$dns[i],
|
||||
Intel::seen(Intel::Seen($indicator=ext$dns[i],
|
||||
$indicator_type=Intel::DOMAIN,
|
||||
$f=f,
|
||||
$where=X509::IN_CERT]);
|
||||
$where=X509::IN_CERT));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -27,10 +27,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
|
|||
{
|
||||
local email = sub(cert$subject, /^.*emailAddress=/, "");
|
||||
email = sub(email, /,.*$/, "");
|
||||
Intel::seen([$indicator=email,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$f=f,
|
||||
$where=X509::IN_CERT]);
|
||||
Intel::seen(Intel::Seen($indicator=email,
|
||||
$indicator_type=Intel::EMAIL,
|
||||
$f=f,
|
||||
$where=X509::IN_CERT));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -38,10 +38,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
|
|||
{
|
||||
if ( f$info?$sha1 ) # if the file_hash event was raised before the x509 event...
|
||||
{
|
||||
Intel::seen([$indicator=f$info$sha1,
|
||||
$indicator_type=Intel::CERT_HASH,
|
||||
$f=f,
|
||||
$where=X509::IN_CERT]);
|
||||
Intel::seen(Intel::Seen($indicator=f$info$sha1,
|
||||
$indicator_type=Intel::CERT_HASH,
|
||||
$f=f,
|
||||
$where=X509::IN_CERT));
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -50,8 +50,8 @@ event file_hash(f: fa_file, kind: string, hash: string) &group="Intel::CERT_HASH
|
|||
if ( ! f?$info || ! f$info?$x509 || kind != "sha1" )
|
||||
return;
|
||||
|
||||
Intel::seen([$indicator=hash,
|
||||
$indicator_type=Intel::CERT_HASH,
|
||||
$f=f,
|
||||
$where=X509::IN_CERT]);
|
||||
Intel::seen(Intel::Seen($indicator=hash,
|
||||
$indicator_type=Intel::CERT_HASH,
|
||||
$f=f,
|
||||
$where=X509::IN_CERT));
|
||||
}
|
||||
|
|
|
@ -88,8 +88,8 @@ function debug(message: string)
|
|||
return;
|
||||
|
||||
local node = Supervisor::node();
|
||||
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[DEBUG],
|
||||
$role=r2s[Management::role], $message=message]);
|
||||
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[DEBUG],
|
||||
$role=r2s[Management::role], $message=message));
|
||||
}
|
||||
|
||||
function info(message: string)
|
||||
|
@ -98,8 +98,8 @@ function info(message: string)
|
|||
return;
|
||||
|
||||
local node = Supervisor::node();
|
||||
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[INFO],
|
||||
$role=r2s[Management::role], $message=message]);
|
||||
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[INFO],
|
||||
$role=r2s[Management::role], $message=message));
|
||||
}
|
||||
|
||||
function warning(message: string)
|
||||
|
@ -108,8 +108,8 @@ function warning(message: string)
|
|||
return;
|
||||
|
||||
local node = Supervisor::node();
|
||||
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[WARNING],
|
||||
$role=r2s[Management::role], $message=message]);
|
||||
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[WARNING],
|
||||
$role=r2s[Management::role], $message=message));
|
||||
}
|
||||
|
||||
function error(message: string)
|
||||
|
@ -118,8 +118,8 @@ function error(message: string)
|
|||
return;
|
||||
|
||||
local node = Supervisor::node();
|
||||
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[ERROR],
|
||||
$role=r2s[Management::role], $message=message]);
|
||||
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[ERROR],
|
||||
$role=r2s[Management::role], $message=message));
|
||||
}
|
||||
|
||||
# Bump priority to ensure the log stream exists when other zeek_init handlers use it.
|
||||
|
|
|
@ -29,8 +29,8 @@ global g_outputs: table[string] of NodeOutputStreams;
|
|||
|
||||
function make_node_output_streams(node: string): NodeOutputStreams
|
||||
{
|
||||
local stdout = Queue::init([$max_len = Management::Supervisor::output_max_lines]);
|
||||
local stderr = Queue::init([$max_len = Management::Supervisor::output_max_lines]);
|
||||
local stdout = Queue::init(Queue::Settings($max_len = Management::Supervisor::output_max_lines));
|
||||
local stderr = Queue::init(Queue::Settings($max_len = Management::Supervisor::output_max_lines));
|
||||
|
||||
local res = NodeOutputStreams($stdout=stdout, $stderr=stderr);
|
||||
local status = Supervisor::status(node);
|
||||
|
|
|
@ -168,7 +168,7 @@ global catch_release_recently_notified: set[addr] &create_expire=30secs;
|
|||
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release", $policy=log_policy_catch_release]);
|
||||
Log::create_stream(NetControl::CATCH_RELEASE, Log::Stream($columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release", $policy=log_policy_catch_release));
|
||||
}
|
||||
|
||||
function get_watch_interval(current_interval: count): interval
|
||||
|
|
|
@ -78,9 +78,9 @@ function shunt_filters()
|
|||
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
register_filter_plugin([
|
||||
register_filter_plugin(FilterPlugin(
|
||||
$func()={ return shunt_filters(); }
|
||||
]);
|
||||
));
|
||||
}
|
||||
|
||||
function current_shunted_conns(): set[conn_id]
|
||||
|
@ -97,8 +97,8 @@ function reached_max_shunts(): bool
|
|||
{
|
||||
if ( |shunted_conns| + |shunted_host_pairs| > max_bpf_shunts )
|
||||
{
|
||||
NOTICE([$note=No_More_Conn_Shunts_Available,
|
||||
$msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)]);
|
||||
NOTICE(Notice::Info($note=No_More_Conn_Shunts_Available,
|
||||
$msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)));
|
||||
return T;
|
||||
}
|
||||
else
|
||||
|
@ -145,10 +145,10 @@ function shunt_conn(id: conn_id): bool
|
|||
{
|
||||
if ( is_v6_addr(id$orig_h) )
|
||||
{
|
||||
NOTICE([$note=Cannot_BPF_Shunt_Conn,
|
||||
$msg="IPv6 connections can't be shunted with BPF due to limitations in BPF",
|
||||
$sub="ipv6_conn",
|
||||
$id=id, $identifier=cat(id)]);
|
||||
NOTICE(Notice::Info($note=Cannot_BPF_Shunt_Conn,
|
||||
$msg="IPv6 connections can't be shunted with BPF due to limitations in BPF",
|
||||
$sub="ipv6_conn",
|
||||
$id=id, $identifier=cat(id)));
|
||||
return F;
|
||||
}
|
||||
|
||||
|
|
|
@ -30,8 +30,8 @@ event Software::version_change(old: Software::Info, new: Software::Info)
|
|||
local msg = fmt("%.6f %s '%s' version changed from %s to %s",
|
||||
network_time(), old$software_type, old$name,
|
||||
software_fmt_version(old$version),
|
||||
software_fmt_version(new$version));
|
||||
software_fmt_version(new$version));
|
||||
|
||||
NOTICE([$note=Software_Version_Change, $src=new$host,
|
||||
$msg=msg, $sub=software_fmt(new)]);
|
||||
NOTICE(Notice::Info($note=Software_Version_Change, $src=new$host,
|
||||
$msg=msg, $sub=software_fmt(new)));
|
||||
}
|
||||
|
|
|
@ -47,7 +47,7 @@ function decode_vulnerable_version_range(vuln_sw: string): VulnerableVersionRang
|
|||
{
|
||||
# Create a max value with a dunce value only because the $max field
|
||||
# is not optional.
|
||||
local vvr: Software::VulnerableVersionRange = [$max=[$major=0]];
|
||||
local vvr = Software::VulnerableVersionRange($max=Software::Version($major=0));
|
||||
|
||||
if ( /max=/ !in vuln_sw )
|
||||
{
|
||||
|
@ -138,9 +138,9 @@ event log_software(rec: Info)
|
|||
(!version_range?$min || cmp_versions(rec$version, version_range$min) >= 0) )
|
||||
{
|
||||
# The software is inside a vulnerable version range.
|
||||
NOTICE([$note=Vulnerable_Version, $src=rec$host,
|
||||
$msg=fmt("%s is running %s which is vulnerable.", rec$host, software_fmt(rec)),
|
||||
$sub=software_fmt(rec)]);
|
||||
NOTICE(Notice::Info($note=Vulnerable_Version, $src=rec$host,
|
||||
$msg=fmt("%s is running %s which is vulnerable.", rec$host, software_fmt(rec)),
|
||||
$sub=software_fmt(rec)));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -59,12 +59,12 @@ event HTTP::log_http(rec: HTTP::Info) &priority=5
|
|||
{
|
||||
if ( rec$user_agent !in crypto_api_mapping )
|
||||
{
|
||||
Software::found(rec$id, [$unparsed_version=sub(rec$user_agent, /Microsoft-CryptoAPI/, "Unknown CryptoAPI Version"), $host=rec$id$orig_h, $software_type=WINDOWS]);
|
||||
Software::found(rec$id, Software::Info($unparsed_version=sub(rec$user_agent, /Microsoft-CryptoAPI/, "Unknown CryptoAPI Version"), $host=rec$id$orig_h, $software_type=WINDOWS));
|
||||
}
|
||||
else
|
||||
{
|
||||
local result = crypto_api_mapping[rec$user_agent];
|
||||
Software::found(rec$id, [$version=result$version, $name=result$name, $host=rec$id$orig_h, $software_type=WINDOWS]);
|
||||
Software::found(rec$id, Software::Info($version=result$version, $name=result$name, $host=rec$id$orig_h, $software_type=WINDOWS));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -187,8 +187,8 @@ event Telemetry::log()
|
|||
|
||||
event zeek_init() &priority=5
|
||||
{
|
||||
Log::create_stream(LOG, [$columns=Info, $ev=log_telemetry, $path="telemetry", $policy=log_policy]);
|
||||
Log::create_stream(LOG_HISTOGRAM, [$columns=HistogramInfo, $ev=log_telemetry_histogram, $path="telemetry_histogram", $policy=log_policy_histogram]);
|
||||
Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_telemetry, $path="telemetry", $policy=log_policy));
|
||||
Log::create_stream(LOG_HISTOGRAM, Log::Stream($columns=HistogramInfo, $ev=log_telemetry_histogram, $path="telemetry_histogram", $policy=log_policy_histogram));
|
||||
|
||||
schedule log_interval { Telemetry::log() };
|
||||
}
|
||||
|
|