mirror of
https://github.com/zeek/zeek.git
synced 2025-10-11 19:18:19 +00:00
Prefer explicit construction to coercion in record initialization
While we support initializing records via coercion from an expression
list, e.g.,
local x: X = [$x1=1, $x2=2];
this can sometimes obscure the code to readers, e.g., when assigning to
value declared and typed elsewhere. The language runtime has a similar
overhead since instead of just constructing a known type it needs to
check at runtime that the coercion from the expression list is valid;
this can be slower than just writing the readible code in the first
place, see #4559.
With this patch we use explicit construction, e.g.,
local x = X($x1=1, $x2=2);
This commit is contained in:
Benjamin Bannier
Christian Kreibich
parent
54f9e45597
commit
d5fd29edcd
139 changed files with 786 additions and 788 deletions
|
|
@ -72,7 +72,7 @@ event zeek_init() &priority=3
|
|||
$num_samples=1
|
||||
);
|
||||
|
||||
SumStats::create([
|
||||
SumStats::create(SumStats::SumStat(
|
||||
$name="detect-sqli-attackers",
|
||||
$epoch=sqli_requests_interval,
|
||||
$reducers=set(r1),
|
||||
|
|
@ -86,16 +86,16 @@ event zeek_init() &priority=3
|
|||
local r = result["http.sqli.attacker"];
|
||||
local dst = to_addr(r$samples[0]$str);
|
||||
local uid = r$samples[0]$uid;
|
||||
NOTICE([$note=SQL_Injection_Attacker,
|
||||
$msg="An SQL injection attacker was discovered!",
|
||||
$uid=uid,
|
||||
$src=key$host,
|
||||
$dst=dst,
|
||||
$identifier=cat(key$host)]);
|
||||
NOTICE(Notice::Info($note=SQL_Injection_Attacker,
|
||||
$msg="An SQL injection attacker was discovered!",
|
||||
$uid=uid,
|
||||
$src=key$host,
|
||||
$dst=dst,
|
||||
$identifier=cat(key$host)));
|
||||
}
|
||||
]);
|
||||
));
|
||||
|
||||
SumStats::create([
|
||||
SumStats::create(SumStats::SumStat(
|
||||
$name="detect-sqli-victims",
|
||||
$epoch=sqli_requests_interval,
|
||||
$reducers=set(r2),
|
||||
|
|
@ -109,14 +109,14 @@ event zeek_init() &priority=3
|
|||
local r = result["http.sqli.victim"];
|
||||
local src = to_addr(r$samples[0]$str);
|
||||
local uid = r$samples[0]$uid;
|
||||
NOTICE([$note=SQL_Injection_Victim,
|
||||
$msg="An SQL injection victim was discovered!",
|
||||
$uid=uid,
|
||||
$src=src,
|
||||
$dst=key$host,
|
||||
$identifier=cat(key$host)]);
|
||||
NOTICE(Notice::Info($note=SQL_Injection_Victim,
|
||||
$msg="An SQL injection victim was discovered!",
|
||||
$uid=uid,
|
||||
$src=src,
|
||||
$dst=key$host,
|
||||
$identifier=cat(key$host)));
|
||||
}
|
||||
]);
|
||||
));
|
||||
}
|
||||
|
||||
event http_request(c: connection, method: string, original_URI: string,
|
||||
|
|
|
|||
|
|
@ -87,43 +87,43 @@ event zeek_init() &priority=3
|
|||
# Add filters to the metrics so that the metrics framework knows how to
|
||||
# determine when it looks like an actual attack and how to respond when
|
||||
# thresholds are crossed.
|
||||
local r1: SumStats::Reducer = [$stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples];
|
||||
SumStats::create([$name="detect-sqli-attackers",
|
||||
$epoch=sqli_requests_interval,
|
||||
$reducers=set(r1),
|
||||
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
return result["http.sqli.attacker"]$sum;
|
||||
},
|
||||
$threshold=sqli_requests_threshold,
|
||||
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
local r = result["http.sqli.attacker"];
|
||||
NOTICE([$note=SQL_Injection_Attacker,
|
||||
$msg="An SQL injection attacker was discovered!",
|
||||
$email_body_sections=vector(format_sqli_samples(r$samples)),
|
||||
$src=key$host,
|
||||
$identifier=cat(key$host)]);
|
||||
}]);
|
||||
local r1 = SumStats::Reducer($stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
|
||||
SumStats::create(SumStats::SumStat($name="detect-sqli-attackers",
|
||||
$epoch=sqli_requests_interval,
|
||||
$reducers=set(r1),
|
||||
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
return result["http.sqli.attacker"]$sum;
|
||||
},
|
||||
$threshold=sqli_requests_threshold,
|
||||
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
local r = result["http.sqli.attacker"];
|
||||
NOTICE(Notice::Info($note=SQL_Injection_Attacker,
|
||||
$msg="An SQL injection attacker was discovered!",
|
||||
$email_body_sections=vector(format_sqli_samples(r$samples)),
|
||||
$src=key$host,
|
||||
$identifier=cat(key$host)));
|
||||
}));
|
||||
|
||||
local r2: SumStats::Reducer = [$stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples];
|
||||
SumStats::create([$name="detect-sqli-victims",
|
||||
$epoch=sqli_requests_interval,
|
||||
$reducers=set(r2),
|
||||
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
return result["http.sqli.victim"]$sum;
|
||||
},
|
||||
$threshold=sqli_requests_threshold,
|
||||
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
local r = result["http.sqli.victim"];
|
||||
NOTICE([$note=SQL_Injection_Victim,
|
||||
$msg="An SQL injection victim was discovered!",
|
||||
$email_body_sections=vector(format_sqli_samples(r$samples)),
|
||||
$src=key$host,
|
||||
$identifier=cat(key$host)]);
|
||||
}]);
|
||||
local r2 = SumStats::Reducer($stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
|
||||
SumStats::create(SumStats::SumStat($name="detect-sqli-victims",
|
||||
$epoch=sqli_requests_interval,
|
||||
$reducers=set(r2),
|
||||
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
return result["http.sqli.victim"]$sum;
|
||||
},
|
||||
$threshold=sqli_requests_threshold,
|
||||
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
|
||||
{
|
||||
local r = result["http.sqli.victim"];
|
||||
NOTICE(Notice::Info($note=SQL_Injection_Victim,
|
||||
$msg="An SQL injection victim was discovered!",
|
||||
$email_body_sections=vector(format_sqli_samples(r$samples)),
|
||||
$src=key$host,
|
||||
$identifier=cat(key$host)));
|
||||
}));
|
||||
}
|
||||
|
||||
event http_request(c: connection, method: string, original_URI: string,
|
||||
|
|
@ -136,7 +136,7 @@ event http_request(c: connection, method: string, original_URI: string,
|
|||
{
|
||||
add c$http$tags[URI_SQLI];
|
||||
|
||||
SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
|
||||
SumStats::observe("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]);
|
||||
SumStats::observe("http.sqli.attacker", SumStats::Key($host=c$id$orig_h), SumStats::Observation($str=original_URI));
|
||||
SumStats::observe("http.sqli.victim", SumStats::Key($host=c$id$resp_h), SumStats::Observation($str=original_URI));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
|
|||
|
||||
local c = state$conn;
|
||||
local si: Software::Info;
|
||||
si = [$name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION];
|
||||
si = Software::Info($name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION);
|
||||
si$url = build_url_http(c$http);
|
||||
Software::found(c$id, si);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -61,7 +61,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
|
|||
c$http$flash_version = cat("AdobeAIR-", c$http$flash_version);
|
||||
}
|
||||
|
||||
Software::found(c$id, [$unparsed_version=c$http$flash_version, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
|
||||
Software::found(c$id, Software::Info($unparsed_version=c$http$flash_version, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN));
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -81,7 +81,7 @@ event log_http(rec: Info)
|
|||
local plugins = split_string(sw, /[[:blank:]]*;[[:blank:]]*/);
|
||||
|
||||
for ( i in plugins )
|
||||
Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]);
|
||||
Software::found(rec$id, Software::Info($unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,18 +23,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
|
|||
if ( is_orig )
|
||||
{
|
||||
if ( name == "USER-AGENT" && ignored_user_agents !in value )
|
||||
Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER]);
|
||||
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER));
|
||||
}
|
||||
else
|
||||
{
|
||||
if ( name == "SERVER" )
|
||||
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]);
|
||||
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER));
|
||||
else if ( name == "X-POWERED-BY" )
|
||||
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
|
||||
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER));
|
||||
else if ( name == "MICROSOFTSHAREPOINTTEAMSERVICES" )
|
||||
{
|
||||
value = cat("SharePoint/", value);
|
||||
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
|
||||
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue