Merge remote-tracking branch 'origin/topic/timw/remove-8.1-deprecations'

* origin/topic/timw/remove-8.1-deprecations:
  Pass DNS complete_flag along as a uint8_t instead of a String
  Update docs submodule with 8.1 deprecation removals
  Update zeekjs submodule with 8.1 deprecation fixes
  Remove deprecations tagged for v8.1
Tim Wojtulewicz 2025-08-12 11:01:12 -07:00
commit d9357b4204
113 changed files with 140 additions and 2243 deletions

10
CHANGES

@ -1,3 +1,13 @@
8.1.0-dev.35 | 2025-08-12 11:01:12 -0700
* Pass DNS complete_flag along as a uint8_t instead of a String (Tim Wojtulewicz, Corelight)
* Update docs submodule with 8.1 deprecation removals (Tim Wojtulewicz, Corelight)
* Update zeekjs submodule with 8.1 deprecation fixes (Tim Wojtulewicz, Corelight)
* Remove deprecations tagged for v8.1 (Tim Wojtulewicz, Corelight)
8.1.0-dev.29 | 2025-08-11 11:37:22 -0700
* smb2/read: Parse only 1 byte for data_offset, ignore reserved1 (Arne Welzel, Corelight)


@ -1 +1 @@
8.1.0-dev.29
8.1.0-dev.35

@ -1 +1 @@
Subproject commit df112dc70ad7c2b854e4aeaad0742cdfa3927945
Subproject commit e5985abfffc1ef5ead3a0bab196fa5d86bc5276f


@ -3,8 +3,6 @@
#pragma once
constexpr char ZEEK_SCRIPT_INSTALL_PATH[] = "@ZEEK_SCRIPT_INSTALL_PATH@";
[[deprecated("Remove in v8.1. Use ZEEK_PLUGIN_INSTALL_PATH")]] constexpr char BRO_PLUGIN_INSTALL_PATH[] =
"@ZEEK_PLUGIN_DIR@";
constexpr char ZEEK_PLUGIN_INSTALL_PATH[] = "@ZEEK_PLUGIN_DIR@";
constexpr char DEFAULT_ZEEKPATH[] = "@DEFAULT_ZEEKPATH@";
constexpr char ZEEK_SPICY_MODULE_PATH[] = "@ZEEK_SPICY_MODULE_PATH@";

24
configure vendored

@ -90,10 +90,6 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
--disable-zkg don't install zkg
Required Packages in Non-Standard Locations:
--with-bifcl=PATH path to Zeek BIF compiler executable
(useful for cross-compiling)
--with-binpac=PATH path to BinPAC executable
(useful for cross-compiling)
--with-bison=PATH path to bison executable
--with-broker=PATH path to Broker install root
(Zeek uses an embedded version by default)
@ -184,8 +180,6 @@ builddir=build
CMakeCacheEntries=""
display_cmake=0
has_disable_archiver=0
has_with_binpac=0
has_with_bifcl=0
# parse arguments
while [ $# -ne 0 ]; do
@ -369,15 +363,9 @@ while [ $# -ne 0 ]; do
--disable-zkg)
append_cache_entry INSTALL_ZKG BOOL false
;;
--with-bifcl=*)
has_with_bifcl=1
;;
--with-bind=*)
append_cache_entry BIND_ROOT_DIR PATH $optarg
;;
--with-binpac=*)
has_with_binpac=1
;;
--with-bison=*)
append_cache_entry BISON_EXECUTABLE PATH $optarg
;;
@ -508,15 +496,3 @@ eval ${cmake} 2>&1
echo "# This is the command used to configure this build" >config.status
echo $command >>config.status
chmod u+x config.status
if [ $has_with_bifcl -eq 1 ]; then
echo
echo "The --with-bifcl option has been deprecated and will be removed in v8.1."
echo "The bundled version of bifcl will always be used."
fi
if [ $has_with_binpac -eq 1 ]; then
echo
echo "The --with-binpac option has been deprecated and will be removed in v8.1."
echo "The bundled version of BinPAC will always be used.\n"
fi

2
doc

@ -1 +1 @@
Subproject commit cc58d32ca0c011b5440926fac9ad5e5b4ab62b04
Subproject commit 938fcadccaff63a2b1526ff8fcdee11c5de3c5ec


@ -6,9 +6,6 @@
module DPD;
export {
## Deprecated, please see https://github.com/zeek/zeek/pull/4200 for details
option max_violations: table[Analyzer::Tag] of count = table() &deprecated="Remove in v8.1: This has become non-functional in Zeek 7.2, see PR #4200" &default = 5;
## Analyzers which you don't want to remove on violations.
option ignore_violations: set[Analyzer::Tag] = set();
@ -110,4 +107,3 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
if ( disabled )
event analyzer_failed(network_time(), atype, info);
}


@ -28,7 +28,7 @@ export {
## Default address on which to listen for WebSocket connections.
##
## .. zeek:see:: Broker::listen_websocket
## .. zeek:see:: Cluster::listen_websocket
const default_listen_address_websocket = getenv("ZEEK_DEFAULT_LISTEN_ADDRESS") &redef;
## Default interval to retry connecting to a peer if it cannot be made to
@ -69,11 +69,6 @@ export {
## all peers.
const ssl_keyfile = "" &redef;
## The number of buffered messages at the Broker/CAF layer after which
## a subscriber considers themselves congested (i.e. tune the congestion
## control mechanisms).
const congestion_queue_size = 200 &redef &deprecated="Remove in v8.1. Non-functional since v5.0";
## The max number of log entries per log stream to batch together when
## sending log messages to a remote logger.
const log_batch_size = 400 &redef;
@ -319,27 +314,6 @@ export {
p: port &default = default_port,
retry: interval &default = default_listen_retry): port;
## Listen for remote connections using WebSocket.
##
## a: an address string on which to accept connections, e.g.
## "127.0.0.1". An empty string refers to INADDR_ANY.
##
## p: the TCP port to listen on. The value 0 means that the OS should choose
## the next available free port.
##
## retry: If non-zero, retries listening in regular intervals if the port cannot be
## acquired immediately. 0 disables retries. If the
## ZEEK_DEFAULT_LISTEN_RETRY environment variable is set (as number
## of seconds), it overrides any value given here.
##
## Returns: the bound port or 0/? on failure.
##
## .. zeek:see:: Broker::status
global listen_websocket: function(a: string &default = default_listen_address_websocket,
p: port &default = default_port_websocket,
retry: interval &default = default_listen_retry): port
&deprecated="Remove in v8.1. Switch to Cluster::listen_websocket() instead.";
## Initiate a remote connection.
##
## a: an address to connect to, e.g. "localhost" or "127.0.0.1".
@ -450,29 +424,6 @@ export {
##
## Returns: true if a new event forwarding/subscription is now registered.
global forward: function(topic_prefix: string): bool;
## Automatically send an event to any interested peers whenever it is
## locally dispatched. (For example, using "event my_event(...);" in a
## script.)
##
## topic: a topic string associated with the event message.
## Peers advertise interest by registering a subscription to some
## prefix of this topic name.
##
## ev: a Zeek event value.
##
## Returns: true if automatic event sending is now enabled.
global auto_publish: function(topic: string, ev: any): bool &deprecated="Remove in v8.1. Switch to explicit Cluster::publish() calls. Auto-publish won't work with all cluster backends.";
## Stop automatically sending an event to peers upon local dispatch.
##
## topic: a topic originally given to :zeek:see:`Broker::auto_publish`.
##
## ev: an event originally given to :zeek:see:`Broker::auto_publish`.
##
## Returns: true if automatic events will not occur for the topic/event
## pair.
global auto_unpublish: function(topic: string, ev: any): bool &deprecated="Remove in v8.1. See Broker::auto_publish()";
}
@load base/bif/comm.bif
@ -514,31 +465,6 @@ function listen(a: string, p: port, retry: interval): port
return bound;
}
event retry_listen_websocket(a: string, p: port, retry: interval)
{
@pragma push ignore-deprecations
listen_websocket(a, p, retry);
@pragma pop ignore-deprecations
}
function listen_websocket(a: string, p: port, retry: interval): port
{
local bound = __listen(a, p, Broker::WEBSOCKET);
if ( bound == 0/tcp )
{
local e = getenv("ZEEK_DEFAULT_LISTEN_RETRY");
if ( e != "" )
retry = double_to_interval(to_double(e));
if ( retry != 0secs )
schedule retry { retry_listen_websocket(a, p, retry) };
}
return bound;
}
function peer(a: string, p: port, retry: interval): bool
{
return __peer(a, p, retry);
@ -593,13 +519,3 @@ function unsubscribe(topic_prefix: string): bool
{
return __unsubscribe(topic_prefix);
}
function auto_publish(topic: string, ev: any): bool
{
return __auto_publish(topic, ev);
}
function auto_unpublish(topic: string, ev: any): bool
{
return __auto_unpublish(topic, ev);
}
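Review bot: The doc comment on `default_listen_address_websocket` in the first hunk now points readers at `Cluster::listen_websocket`, but the only consumer of that constant visible on this page was the default for the `a` parameter of `Broker::listen_websocket`, which this commit removes further down. `Cluster::listen_websocket` is driven by a `WebSocketServerOptions` record, so unless code outside these hunks still reads the constant, setting `ZEEK_DEFAULT_LISTEN_ADDRESS` to restrict the WebSocket bind address may silently stop having any effect. If it is now unused, remove it (and possibly `default_port_websocket`), or say so in the comment, e.g. `## Not consulted by Cluster::listen_websocket; set $listen_addr in Cluster::WebSocketServerOptions instead.`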


@ -362,8 +362,6 @@ export {
## WebSocket server options to pass to :zeek:see:`Cluster::listen_websocket`.
type WebSocketServerOptions: record {
## The host address to listen on.
listen_host: string &optional &deprecated="Remove in v8.1: Use $listen_addr instead.";
## The address to listen on, cannot be used together with ``listen_host``.
listen_addr: addr &optional;
## The port the WebSocket server is supposed to listen on.
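Review bot: The comment kept above `listen_addr` still reads "cannot be used together with ``listen_host``", but this hunk deletes the `listen_host` field, so the generated documentation refers to a field that no longer exists. Change it to `## The address to listen on.`. Because `listen_addr` is `&optional` and the fallback is not visible here, the same comment should state which address the server binds to when the field is unset, since that decides whether the listener is reachable from other hosts. The record definition continues outside the hunk.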


@ -245,16 +245,6 @@ export {
label_values: labels_vector,
measurement: double): bool;
## Interval at which the :zeek:see:`Telemetry::sync` hook is invoked.
##
## By default, the hook is invoked on demand, setting this option to
## a positive interval allows to invoke it regularly, too. Regular
## invocations are relative to Zeek's network time.
##
## Note that on-demand hook invocation will happen even if this
## is set.
option sync_interval = 0sec &deprecated="Remove in 8.1. If you require regular sync invocation, do so explicitly in a scheduled event.";
## Collect all counter and gauge metrics matching the given *name* and *prefix*.
##
## For histogram metrics, use the :zeek:see:`Telemetry::collect_histogram_metrics`.
@ -465,14 +455,6 @@ function collect_histogram_metrics(prefix: string, name: string): vector of Hist
return Telemetry::__collect_histogram_metrics(prefix, name);
}
event run_sync_hook()
{
hook Telemetry::sync();
@pragma push ignore-deprecations
schedule sync_interval { run_sync_hook() };
@pragma pop ignore-deprecations
}
# Expose the Zeek version as Prometheus style info metric
global version_gauge_family = Telemetry::register_gauge_family(Telemetry::MetricOpts(
$prefix="zeek",
@ -485,11 +467,6 @@ global version_gauge_family = Telemetry::register_gauge_family(Telemetry::Metric
event zeek_init()
{
@pragma push ignore-deprecations
if ( sync_interval > 0sec )
schedule sync_interval { run_sync_hook() };
@pragma pop ignore-deprecations
local v = Version::info;
local labels = vector(cat(v$version_number),
cat(v$major), cat(v$minor), cat (v$patch),


@ -1726,18 +1726,6 @@ const tcp_excessive_data_without_further_acks = 10 * 1024 * 1024 &redef;
## buffering.
const tcp_max_old_segments = 0 &redef;
## For services without a handler, these sets define originator-side ports
## that still trigger reassembly.
##
## .. zeek:see:: tcp_reassembler_ports_resp
const tcp_reassembler_ports_orig: set[port] = {} &redef &deprecated="Remove in v8.1. Non-functional since v4.1";
## For services without a handler, these sets define responder-side ports
## that still trigger reassembly.
##
## .. zeek:see:: tcp_reassembler_ports_orig
const tcp_reassembler_ports_resp: set[port] = {} &redef &deprecated="Remove in v8.1. Non-functional since v4.1";
## Defines destination TCP ports for which the contents of the originator stream
## should be delivered via :zeek:see:`tcp_contents`.
##
@ -3063,9 +3051,8 @@ type dns_binds_rr: record {
algorithm: count; ##< Algorithm for Public Key.
key_id: count; ##< key tag.
removal_flag: count; ##< rm flag.
complte_flag: string &deprecated="Remove in v8.1: Use complete_flag instead."; ##< complete flag.
is_query: count; ##< The RR is a query/Response.
complete_flag: count; ##< complete flag.
is_query: count; ##< The RR is a query/Response.
};
## A Private RR type LOC record.


@ -1,96 +0,0 @@
##! Creates the now deprecated dpd.logfile.
# Remove in v8.1
module DPD;
export {
## Add the DPD logging stream identifier.
redef enum Log::ID += { LOG };
## A default logging policy hook for the stream.
global log_policy: Log::PolicyHook;
## The record type defining the columns to log in the DPD logging stream.
type Info: record {
## Timestamp for when protocol analysis failed.
ts: time &log;
## Connection unique ID.
uid: string &log;
## Connection ID containing the 4-tuple which identifies endpoints.
id: conn_id &log;
## Transport protocol for the violation.
proto: transport_proto &log;
## The analyzer that generated the violation.
analyzer: string &log;
## The textual reason for the analysis failure.
failure_reason: string &log;
};
}
redef record connection += {
dpd: Info &optional;
## The set of services (analyzers) for which Zeek has observed a
## violation after the same service had previously been confirmed.
service_violation: set[string] &default=set() &ordered &deprecated="Remove in v8.1. Consider using failed_analyzers instead";
};
event zeek_init() &priority=5
{
Log::create_stream(DPD::LOG, Log::Stream($columns=Info, $path="dpd", $policy=log_policy));
}
# before the same event in dpd.zeek
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=15
{
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
return;
if ( ! info?$c )
return;
local c = info$c;
local analyzer = Analyzer::name(atype);
# If the service hasn't been confirmed yet, or already failed,
# don't generate a log message for the protocol violation.
if ( analyzer !in c$service || analyzer in c$service_violation )
return;
add c$service_violation[analyzer];
local dpd: Info;
dpd$ts = network_time();
dpd$uid = c$uid;
dpd$id = c$id;
dpd$proto = get_port_transport_proto(c$id$orig_p);
dpd$analyzer = analyzer;
# Encode data into the reason if there's any as done for the old
# analyzer_violation event, previously.
local reason = info$reason;
if ( info?$data )
{
local ellipsis = |info$data| > 40 ? "..." : "";
local data = info$data[0:40];
reason = fmt("%s [%s%s]", reason, data, ellipsis);
}
dpd$failure_reason = reason;
c$dpd = dpd;
}
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=-5
{
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
return;
if ( ! info?$c )
return;
if ( info$c?$dpd )
{
Log::write(DPD::LOG, info$c$dpd);
delete info$c$dpd;
}
}


@ -1,3 +0,0 @@
@deprecated("frameworks/dpd/detect-protocols.zeek moved to frameworks/analyzer/detect-protocols.zeek. Please switch to frameworks/analyzer/detect-protocols.zeek. Remove in 8.1")
@load frameworks/analyzer/detect-protocols.zeek


@ -1,34 +0,0 @@
@deprecated("Please switch to frameworks/analyzer/packet-segment-logging, which logs to analyzer.log. Remove in 8.1")
##! This script enables logging of packet segment data when a protocol
##! parsing violation is encountered. The amount of data from the
##! packet logged is set by the :zeek:see:`DPD::packet_segment_size` variable.
##! A caveat to logging packet data is that in some cases, the packet may
##! not be the packet that actually caused the protocol violation.
@load frameworks/analyzer/deprecated-dpd-log
module DPD;
export {
redef record Info += {
## A chunk of the payload that most likely resulted in the
## analyzer violation.
packet_segment: string &optional &log;
};
## Size of the packet segment to display in the DPD log.
option packet_segment_size: int = 255;
}
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=4
{
if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
return;
if ( ! info?$c || ! info$c?$dpd )
return;
info$c$dpd$packet_segment = fmt("%s", sub_bytes(get_current_packet()$data, 0, packet_segment_size));
}


@ -4,6 +4,7 @@
##! by the supervisor.
@load base/frameworks/broker
@load base/frameworks/cluster
@load policy/frameworks/management
@load policy/frameworks/management/agent/config # For the agent topic prefix
@ -1644,9 +1645,9 @@ event zeek_init()
if ( cni$bound_port != 0/unknown )
{
@pragma push ignore-deprecations
Broker::listen_websocket(cat(cni$address), cni$bound_port);
@pragma pop ignore-deprecations
local ws_opts = Cluster::WebSocketServerOptions($listen_addr=to_addr(cni$address),
$listen_port=cni$bound_port);
Cluster::listen_websocket(ws_opts);
websocket_info = fmt("websocket port %s:%s", cni$address, cni$bound_port);
}
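Review bot: The result of `Cluster::listen_websocket(ws_opts)` is discarded, so `websocket_info` announces the listener even when binding failed, and `to_addr(cni$address)` now sits between the configured value and the bind address. `cni$address` appears to be a string, and as far as I know `to_addr` yields `::` for input that does not parse, so an empty or non-literal value could bind the controller's WebSocket port on all interfaces rather than fail. Validate the value before converting (for example with `is_valid_ip(cni$address)`) and act on the return value, e.g. `if ( ! Cluster::listen_websocket(ws_opts) ) Reporter::error("websocket listen failed");`. The enclosing `zeek_init` handler starts and ends outside the hunk.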


@ -1,142 +0,0 @@
##! SQL injection attack detection in HTTP.
## This package is deprecated in favor of detect-sql-injection.zeek.
##
## The replacement script annotates the notices it generates with
## an associated $uid connection identifier; always provides an attacker
## IP address in the $src field; and always provides a victim IP address
## in the $dst field. The notices generated by this script, on the other
## hand, lack a $uid identifier, and do not provide $dst information.
## In addition, for SQL_Injection_Victim notices, this script provides the
## victim's IP address in the $src field, which some find counter-intuitive.
##
## In addition, the replacement script removes support for generating
## Notice emails.
@deprecated "Remove in v8.1: Switch to the improved detect-sql-injection script"
@load base/frameworks/notice
@load base/frameworks/sumstats
@load base/protocols/http
module HTTP;
export {
redef enum Notice::Type += {
## Indicates that a host performing SQL injection attacks was
## detected.
SQL_Injection_Attacker,
## Indicates that a host was seen to have SQL injection attacks
## against it. This is tracked by IP address as opposed to
## hostname.
SQL_Injection_Victim,
};
redef enum Tags += {
## Indicator of a URI based SQL injection attack.
URI_SQLI,
## Indicator of client body based SQL injection attack. This is
## typically the body content of a POST request. Not implemented
## yet.
POST_SQLI,
## Indicator of a cookie based SQL injection attack. Not
## implemented yet.
COOKIE_SQLI,
};
## Defines the threshold that determines if an SQL injection attack
## is ongoing based on the number of requests that appear to be SQL
## injection attacks.
const sqli_requests_threshold: double = 50.0 &redef;
## Interval at which to watch for the
## :zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed.
## At the end of each interval the counter is reset.
const sqli_requests_interval = 5min &redef;
## Collecting samples will add extra data to notice emails
## by collecting some sample SQL injection url paths. Disable
## sample collection by setting this value to 0.
const collect_SQLi_samples = 5 &redef;
## Regular expression is used to match URI based SQL injections.
const match_sql_injection_uri =
/[\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-[:alnum:]%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+.*?([hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+/
| /[\?&][^[:blank:]\x00-\x1f\|\+]+?=[\-0-9%]+([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]?([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|\)?;)+([xX]?[oO][rR]|[nN]?[aA][nN][dD])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)+['"]?(([^a-zA-Z&]+)?=|[eE][xX][iI][sS][tT][sS])/
| /[\?&][^[:blank:]\x00-\x1f\+]+?=[\-0-9%]*([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f]|\/\*.*?\*\/)*(-|=|\+|\|\|)([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*([0-9]|\(?[cC][oO][nN][vV][eE][rR][tT]|[cC][aA][sS][tT])/
| /[\?&][^[:blank:]\x00-\x1f\|\+]+?=([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/)*['"]([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|;)*([xX]?[oO][rR]|[nN]?[aA][nN][dD]|[hH][aA][vV][iI][nN][gG]|[uU][nN][iI][oO][nN]|[eE][xX][eE][cC]|[sS][eE][lL][eE][cC][tT]|[dD][eE][lL][eE][tT][eE]|[dD][rR][oO][pP]|[dD][eE][cC][lL][aA][rR][eE]|[cC][rR][eE][aA][tT][eE]|[rR][eE][gG][eE][xX][pP]|[iI][nN][sS][eE][rR][tT])([[:blank:]\x00-\x1f\+]|\/\*.*?\*\/|[\[(])+[a-zA-Z&]{2,}/
| /[\?&][^[:blank:]\x00-\x1f\+]+?=[^\.]*?([cC][hH][aA][rR]|[aA][sS][cC][iI][iI]|[sS][uU][bB][sS][tT][rR][iI][nN][gG]|[tT][rR][uU][nN][cC][aA][tT][eE]|[vV][eE][rR][sS][iI][oO][nN]|[lL][eE][nN][gG][tT][hH])\(/
| /\/\*![[:digit:]]{5}.*?\*\// &redef;
## A hook that can be used to prevent specific requests from being counted
## as an injection attempt. Use a 'break' statement to exit the hook
## early and ignore the request.
global HTTP::sqli_policy: hook(c: connection, method: string, unescaped_URI: string);
}
function format_sqli_samples(samples: vector of SumStats::Observation): string
{
local ret = "SQL Injection samples\n---------------------";
for ( i in samples )
ret += "\n" + samples[i]$str;
return ret;
}
event zeek_init() &priority=3
{
# Add filters to the metrics so that the metrics framework knows how to
# determine when it looks like an actual attack and how to respond when
# thresholds are crossed.
local r1 = SumStats::Reducer($stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
SumStats::create(SumStats::SumStat($name="detect-sqli-attackers",
$epoch=sqli_requests_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.attacker"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.attacker"];
NOTICE(Notice::Info($note=SQL_Injection_Attacker,
$msg="An SQL injection attacker was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)));
}));
local r2 = SumStats::Reducer($stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
SumStats::create(SumStats::SumStat($name="detect-sqli-victims",
$epoch=sqli_requests_interval,
$reducers=set(r2),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.victim"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.victim"];
NOTICE(Notice::Info($note=SQL_Injection_Victim,
$msg="An SQL injection victim was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)));
}));
}
event http_request(c: connection, method: string, original_URI: string,
unescaped_URI: string, version: string) &priority=3
{
if ( ! hook HTTP::sqli_policy(c, method, unescaped_URI) )
return;
if ( match_sql_injection_uri in unescaped_URI )
{
add c$http$tags[URI_SQLI];
SumStats::observe("http.sqli.attacker", SumStats::Key($host=c$id$orig_h), SumStats::Observation($str=original_URI));
SumStats::observe("http.sqli.victim", SumStats::Key($host=c$id$resp_h), SumStats::Observation($str=original_URI));
}
}


@ -11,7 +11,6 @@
@load frameworks/analyzer/debug-logging.zeek
@load frameworks/analyzer/detect-protocols.zeek
# @load frameworks/analyzer/deprecated-dpd-log.zeek
@load frameworks/analyzer/packet-segment-logging.zeek
# @load frameworks/control/controllee.zeek
# @load frameworks/control/controller.zeek
@ -50,8 +49,6 @@
@load frameworks/management/request.zeek
@load frameworks/management/types.zeek
@load frameworks/management/util.zeek
# @load frameworks/dpd/detect-protocols.zeek
# @load frameworks/dpd/packet-segment-logging.zeek
@load frameworks/intel/do_notice.zeek
@load frameworks/intel/do_expire.zeek
@load frameworks/intel/whitelist.zeek
@ -126,7 +123,6 @@
@load protocols/ftp/detect-bruteforcing.zeek
@load protocols/ftp/detect.zeek
@load protocols/ftp/software.zeek
# @load protocols/http/detect-sqli.zeek
@load protocols/http/detect-sql-injection.zeek
@load protocols/http/detect-webapps.zeek
@load protocols/http/header-names.zeek


@ -1,14 +1,8 @@
@load test-all-policy.zeek
# Scripts which are commented out in test-all-policy.zeek.
@load frameworks/analyzer/deprecated-dpd-log.zeek
@load frameworks/conn_key/vlan_fivetuple.zeek
# Remove in v8.1: replaced by frameworks/analyzer/detect-protocols.zeek
@pragma push ignore-deprecations
@load frameworks/dpd/detect-protocols.zeek
@pragma pop ignore-deprecations
@load protocols/ssl/decryption.zeek
@ifdef ( Cluster::CLUSTER_BACKEND_ZEROMQ )
@load frameworks/cluster/backend/zeromq/connect.zeek
@ -17,11 +11,6 @@
@load frameworks/control/controllee.zeek
@load frameworks/control/controller.zeek
# Remove in v8.1: replaced by frameworks/analyzer/packet-segment-logging.zeek
@pragma push ignore-deprecations
@load frameworks/dpd/packet-segment-logging.zeek
@pragma pop ignore-deprecations
@load frameworks/management/agent/main.zeek
@load frameworks/management/controller/main.zeek
@load frameworks/management/node/__load__.zeek
@ -31,9 +20,6 @@
@load policy/misc/dump-events.zeek
@load policy/protocols/conn/speculative-service.zeek
# Remove in v8.1: This script is deprecated and conflicts with detect-sql-injection.zeek
# @load policy/protocols/http/detect-sqli.zeek
@if ( have_spicy() )
# Loading this messes up documentation of some elements defined elsewhere.
# @load frameworks/spicy/record-spicy-batch.zeek


@ -300,10 +300,8 @@ bool Attributes::CheckAttr(Attr* a) {
if ( global_var )
return AttrError("&optional is not valid for global variables");
// Remove in v8.1: Call AttrError()
if ( in_record && Find(ATTR_DEFAULT) )
zeek::reporter->Deprecation(
"Remove in v8.1: Using &default and &optional together results in &default behavior");
return AttrError("Using &default and &optional together results in &default behavior");
break;
@ -342,10 +340,8 @@ bool Attributes::CheckAttr(Attr* a) {
if ( Find(ATTR_DEFAULT_INSERT) )
return AttrError("&default and &default_insert cannot be used together");
// Remove in v8.1: Call AttrError()
if ( in_record && Find(ATTR_OPTIONAL) )
zeek::reporter->Deprecation(
"Remove in v8.1: Using &default and &optional together results in &default behavior");
return AttrError("Using &default and &optional together results in &default behavior");
std::string err_msg;
if ( ! check_default_attr(a, type, global_var, in_record, err_msg) && ! err_msg.empty() )
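Review bot: The two new `return AttrError(...)` calls reuse the old deprecation wording, "Using &default and &optional together results in &default behavior", which describes a fallback that no longer happens now that the combination is rejected. Reword it as an error in line with the neighbouring `&default_insert` check, e.g. `return AttrError("&default and &optional cannot be used together");`, in both the `&optional` and the `&default` case. Scripts that previously loaded with a warning will now fail to parse, so this belongs in the release notes as a breaking change if it is not already listed outside this section. `CheckAttr` starts and ends outside both hunks.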


@ -39,43 +39,6 @@ Connection::Connection(zeek::IPBasedConnKeyPtr k, double t, uint32_t flow, const
resp_port = key->DstPort();
proto = key->GetTransportProto();
Init(flow, pkt);
}
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
Connection::Connection(const detail::ConnKey& k, double t, const ConnTuple* id, uint32_t flow, const Packet* pkt)
: Session(t, connection_timeout, connection_status_update, detail::connection_status_update_interval) {
orig_addr = id->src_addr;
resp_addr = id->dst_addr;
orig_port = id->src_port;
resp_port = id->dst_port;
key = std::make_unique<zeek::IPConnKey>();
key->InitTuple(id->src_addr, id->src_port, id->dst_addr, id->dst_port, id->proto, id->is_one_way);
key->Init(*pkt);
proto = key->GetTransportProto();
Init(flow, pkt);
}
#pragma GCC diagnostic pop
Connection::~Connection() {
if ( ! finished )
reporter->InternalError("Done() not called before destruction of Connection");
CancelTimers();
if ( conn_val )
conn_val->SetOrigin(nullptr);
delete adapter;
--current_connections;
}
void Connection::Init(uint32_t flow, const Packet* pkt) {
orig_flow_label = flow;
resp_flow_label = 0;
saw_first_orig_packet = 1;
@ -109,6 +72,20 @@ void Connection::Init(uint32_t flow, const Packet* pkt) {
encapsulation = pkt->encap;
}
Connection::~Connection() {
if ( ! finished )
reporter->InternalError("Done() not called before destruction of Connection");
CancelTimers();
if ( conn_val )
conn_val->SetOrigin(nullptr);
delete adapter;
--current_connections;
}
void Connection::CheckEncapsulation(const std::shared_ptr<EncapsulationStack>& arg_encap) {
if ( encapsulation && arg_encap ) {
if ( *encapsulation != *arg_encap ) {


@ -53,21 +53,6 @@ enum ConnEventToFlag : uint8_t {
NUM_EVENTS_TO_FLAG,
};
// Deprecated without replacement: remove in v8.1.
// XXX using [[deprecated]] for the whole struct leads to hard errors on FreeBSD/MacOS.
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
struct ConnTuple {
#pragma GCC diagnostic pop
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] IPAddr src_addr;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] IPAddr dst_addr;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint32_t src_port = 0;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint32_t dst_port = 0;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] uint16_t proto = UNKNOWN_IP_PROTO;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] bool is_one_way =
false; // if true, don't canonicalize order
};
static inline int addr_port_canon_lt(const IPAddr& addr1, uint32_t p1, const IPAddr& addr2, uint32_t p2) {
return addr1 < addr2 || (addr1 == addr2 && p1 < p2);
}
@ -76,9 +61,6 @@ class Connection final : public session::Session {
public:
Connection(zeek::IPBasedConnKeyPtr k, double t, uint32_t flow, const Packet* pkt);
[[deprecated("Remove in v8.1. Switch to ConnKey factories and the new zeek::ConnKey tree.")]]
Connection(const detail::ConnKey& k, double t, const ConnTuple* id, uint32_t flow, const Packet* pkt);
~Connection() override;
/**
@ -213,10 +195,6 @@ public:
static void InitPostScript();
private:
// Common initialization for the constructors. This can move back into the
// (sole) constructor when we remove the deprecated one in 8.1.
void Init(uint32_t flow, const Packet* pkt);
friend class session::detail::Timer;
IPAddr orig_addr;


@ -144,10 +144,6 @@ public:
return byte_vec(t);
}
[[deprecated("Remove in v8.1. Use Size() that returns size_t instead.")]]
int Len() const {
return static_cast<int>(offset);
}
size_t Size() const { return offset; }
void Clear();


@ -41,16 +41,6 @@ RecordValPtr detail::MetadataEntry::BuildVal() const {
return rv;
}
Event::Event(const EventHandlerPtr& arg_handler, zeek::Args arg_args, util::detail::SourceID arg_src,
analyzer::ID arg_aid, Obj* arg_obj, double arg_ts)
: handler(arg_handler),
args(std::move(arg_args)),
meta(detail::MakeEventMetadataVector(arg_ts)),
src(arg_src),
aid(arg_aid),
obj(zeek::NewRef{}, arg_obj),
next_event(nullptr) {}
Event::Event(detail::EventMetadataVectorPtr arg_meta, const EventHandlerPtr& arg_handler, zeek::Args arg_args,
util::detail::SourceID arg_src, analyzer::ID arg_aid, Obj* arg_obj)
: handler(arg_handler),
@ -58,8 +48,7 @@ Event::Event(detail::EventMetadataVectorPtr arg_meta, const EventHandlerPtr& arg
meta(std::move(arg_meta)),
src(arg_src),
aid(arg_aid),
obj(zeek::NewRef{}, arg_obj),
next_event(nullptr) {}
obj(zeek::NewRef{}, arg_obj) {}
zeek::VectorValPtr Event::MetadataValues(const EnumValPtr& id) const {
static const auto& any_vec_t = zeek::id::find_type<zeek::VectorType>("any_vec");
@ -135,14 +124,8 @@ void Event::Dispatch(bool no_remote) {
reporter->BeginErrorHandler();
try {
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
// Replace in v8.1 with handler->Call(&args).
handler->Call(&args, no_remote, Time());
#pragma GCC diagnostic pop
}
catch ( InterpreterException& e ) {
handler->Call(&args);
} catch ( InterpreterException& e ) {
// Already reported.
}
@ -161,15 +144,12 @@ EventMgr::~EventMgr() {
}
}
void EventMgr::Enqueue(const EventHandlerPtr& h, Args vl, util::detail::SourceID src, analyzer::ID aid, Obj* obj,
DeprecatedTimestamp deprecated_ts) {
void EventMgr::Enqueue(const EventHandlerPtr& h, Args vl, util::detail::SourceID src, analyzer::ID aid, Obj* obj) {
detail::EventMetadataVectorPtr meta;
double ts = double(deprecated_ts);
// If this is a local event and EventMetadata::add_network_timestamp is
// enabled, automatically set the network timestamp for this event to the
// current network time when it is < 0 (default of deprecated_ts is -1.0).
// current network time.
//
// See the other Enqueue() implementation for the local vs broker/remote
// motivation of want_network_timestamp.
@ -178,19 +158,8 @@ void EventMgr::Enqueue(const EventHandlerPtr& h, Args vl, util::detail::SourceID
((src == util::detail::SOURCE_LOCAL) ||
(src == util::detail::SOURCE_BROKER && BifConst::EventMetadata::add_missing_remote_network_timestamp));
if ( want_network_timestamp ) {
if ( ts < 0.0 )
ts = run_state::network_time;
// In v8.1 when the deprecated_ts parameters is gone: Just use run_state::network_time directly here.
meta = detail::MakeEventMetadataVector(ts);
}
else if ( ts >= 0.0 ) {
// EventMetadata::add_network_timestamp is false, but EventMgr::Enqueue()
// with an explicit (non-negative) timestamp is used. That's a deprecated
// API, but we continue to support it until v8.1.
meta = detail::MakeEventMetadataVector(ts);
}
if ( want_network_timestamp )
meta = detail::MakeEventMetadataVector(run_state::network_time);
QueueEvent(new Event(std::move(meta), h, std::move(vl), src, aid, obj));
}
@ -261,14 +230,6 @@ void EventMgr::QueueEvent(Event* event) {
++event_mgr.num_events_queued;
}
void EventMgr::Dispatch(Event* event, bool no_remote) {
Event* old_current = current;
current = event;
event->Dispatch(no_remote);
current = old_current;
Unref(event);
}
void EventMgr::Dispatch(const EventHandlerPtr& h, zeek::Args vl) {
detail::EventMetadataVectorPtr meta;
@ -284,11 +245,11 @@ void EventMgr::Dispatch(const EventHandlerPtr& h, zeek::Args vl) {
if ( done )
return;
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
// TODO: Open-code the old Dispatch() implementation here in v8.1.
Dispatch(ev);
#pragma GCC diagnostic pop
Event* old_current = current;
current = ev;
ev->Dispatch();
current = old_current;
Unref(ev);
}
void EventMgr::Drain() {


@ -55,10 +55,6 @@ constexpr double NO_TIMESTAMP = -1.0;
class Event final : public Obj {
public:
[[deprecated("Remove in v8.1: Do not instantiate raw events. Use EventMgr::Dispatch() or EventMgr::Enqueue().")]]
Event(const EventHandlerPtr& handler, zeek::Args args, util::detail::SourceID src = util::detail::SOURCE_LOCAL,
analyzer::ID aid = 0, Obj* obj = nullptr, double ts = run_state::network_time);
void SetNext(Event* n) { next_event = n; }
Event* NextEvent() const { return next_event; }
@ -99,12 +95,10 @@ private:
util::detail::SourceID src;
analyzer::ID aid;
zeek::IntrusivePtr<Obj> obj;
Event* next_event;
Event* next_event = nullptr;
};
class EventMgr final : public Obj, public iosource::IOSource {
class DeprecatedTimestamp;
public:
~EventMgr() override;
@ -123,7 +117,7 @@ public:
* (defaults to current network time - deprecated).
*/
void Enqueue(const EventHandlerPtr& h, zeek::Args vl, util::detail::SourceID src = util::detail::SOURCE_LOCAL,
analyzer::ID aid = 0, Obj* obj = nullptr, DeprecatedTimestamp ts = {});
analyzer::ID aid = 0, Obj* obj = nullptr);
/**
* A version of Enqueue() taking a variable number of arguments.
@ -147,9 +141,6 @@ public:
void Enqueue(detail::EventMetadataVectorPtr meta, const EventHandlerPtr& h, zeek::Args vl,
util::detail::SourceID src = util::detail::SOURCE_LOCAL, analyzer::ID aid = 0, Obj* obj = nullptr);
[[deprecated("Remove in v8.1: Use Dispatch(handler, args) instead.")]]
void Dispatch(Event* event, bool no_remote = false);
// Dispatch an event with the given handler and arguments immediately.
//
// While the event is technically not queued, HookQueueEvent() is
@ -196,24 +187,6 @@ public:
uint64_t num_events_dispatched = 0;
private:
/**
* Helper class to produce a compile time warning if Enqueue() is called with an explicit timestamp.
*
* Remove in v8.1.
*/
class DeprecatedTimestamp {
public:
DeprecatedTimestamp() : d(-1.0) {}
[[deprecated("Use overload EventMgr::Enqueue(EventMetadataVectorPtr meta, ...) to pass timestamp metadata")]]
/*implicit*/ DeprecatedTimestamp(double d)
: d(d) {}
explicit operator double() const { return d; }
private:
double d;
};
void QueueEvent(Event* event);
Event* current = nullptr;
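Review bot: The doc comment directly above the first Enqueue() declaration still ends with `(defaults to current network time - deprecated).`, which describes the `ts` parameter this commit removes from the signature. The `@param ts` line it presumably belongs to sits above the hunk, so both lines should be dropped together. If a replacement sentence is wanted, something like `* The network timestamp is attached automatically when enabled; use the metadata overload to pass an explicit one.` matches what the new Enqueue() body in the Event.cc section does.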


@ -22,9 +22,7 @@ EventHandler::EventHandler(std::string arg_name) {
generate_always = false;
}
EventHandler::operator bool() const {
return enabled && ((local && local->HasEnabledBodies()) || generate_always || ! auto_publish.empty());
}
EventHandler::operator bool() const { return enabled && ((local && local->HasEnabledBodies()) || generate_always); }
const FuncTypePtr& EventHandler::GetType(bool check_export) {
if ( type )
@ -44,7 +42,7 @@ const FuncTypePtr& EventHandler::GetType(bool check_export) {
void EventHandler::SetFunc(FuncPtr f) { local = std::move(f); }
void EventHandler::Call(Args* vl, bool no_remote, double ts) {
void EventHandler::Call(Args* vl) {
if ( ! call_count ) {
static auto eh_invocations_family =
telemetry_mgr->CounterFamily("zeek", "event-handler-invocations", {"name"},
@ -58,40 +56,6 @@ void EventHandler::Call(Args* vl, bool no_remote, double ts) {
if ( new_event )
NewEvent(vl);
if ( ! no_remote ) {
if ( ! auto_publish.empty() ) {
// Send event in form [name, xs...] where xs represent the arguments.
BrokerListBuilder xs;
xs.Reserve(vl->size());
bool valid_args = true;
for ( const auto& v : *vl ) {
if ( ! xs.Add(v) ) {
valid_args = false;
auto_publish.clear();
reporter->Error("failed auto-remote event '%s', disabled", Name());
break;
}
}
if ( valid_args ) {
auto ev_args = std::move(xs).Build();
for ( auto it = auto_publish.begin();; ) {
const auto& topic = *it;
++it;
if ( it != auto_publish.end() )
broker_mgr->PublishEvent(topic, Name(), ev_args, ts);
else {
broker_mgr->PublishEvent(topic, Name(), std::move(ev_args), ts);
break;
}
}
}
}
}
if ( local )
// No try/catch here; we pass exceptions upstream.
local->Invoke(vl);


@ -35,28 +35,8 @@ public:
void SetFunc(FuncPtr f);
[[deprecated("Remove in v8.1, use explicit Publish().")]]
void AutoPublish(std::string topic) {
auto_publish.insert(std::move(topic));
}
[[deprecated("Remove in v8.1.")]]
void AutoUnpublish(const std::string& topic) {
auto_publish.erase(topic);
}
[[deprecated(
"Remove in v8.1. The no_remote and ts parameters are AutoPublish() specific and won't have an effect "
"in the future. Use Call(args)")]]
void Call(zeek::Args* vl, bool no_remote = false, double ts = run_state::network_time);
// Call the function associated with this handler.
void Call(zeek::Args* vl) {
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
Call(vl, false, run_state::network_time);
#pragma GCC diagnostic pop
}
void Call(zeek::Args* vl);
// Returns true if there is at least one local or remote handler.
explicit operator bool() const;
@ -89,8 +69,6 @@ private:
// Initialize this lazy, so we don't expose metrics for 0 values.
std::shared_ptr<zeek::telemetry::Counter> call_count;
std::unordered_set<std::string> auto_publish;
};
// Encapsulates a ptr to an event handler to overload the boolean operator.
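Review bot: The comment `// Returns true if there is at least one local or remote handler.` above `explicit operator bool() const;` no longer matches the implementation. With `auto_publish` removed, the definition shown in the EventHandler.cc section of this commit reduces to `enabled && ((local && local->HasEnabledBodies()) || generate_always)`, so there is no remote case left. Suggested wording: `// Returns true if the handler is enabled and either has enabled local bodies or is marked generate_always.`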


@ -129,11 +129,6 @@ public:
Kind GetKind() const { return kind; }
[[deprecated("Remove with v8.1 - use GetName() instead")]]
const char* Name() const {
return name.c_str();
}
const std::string& GetName() const { return name; }
void SetName(const std::string& arg_name) { name = arg_name; }


@ -16,127 +16,6 @@ namespace zeek {
const IPAddr IPAddr::v4_unspecified = IPAddr(in4_addr{});
const IPAddr IPAddr::v6_unspecified = IPAddr();
namespace detail {
ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint16_t proto,
bool one_way) {
Init(src, dst, src_port, dst_port, proto, one_way);
}
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
ConnKey::ConnKey(const ConnTuple& id) {
Init(id.src_addr, id.dst_addr, id.src_port, id.dst_port, id.proto, id.is_one_way);
}
ConnKey& ConnKey::operator=(const ConnKey& rhs) {
if ( this == &rhs )
return *this;
// Because of padding in the object, this needs to memset to clear out
// the extra memory used by padding. Otherwise, the session key stuff
// doesn't work quite right. The static_cast is to silence a
// -Wnontrival-memcall warning from clang++ 17 and later.
memset(static_cast<void*>(this), 0, sizeof(ConnKey));
memcpy(&ip1, &rhs.ip1, sizeof(in6_addr));
memcpy(&ip2, &rhs.ip2, sizeof(in6_addr));
port1 = rhs.port1;
port2 = rhs.port2;
transport = rhs.transport;
return *this;
}
#pragma GCC diagnostic pop
ConnKey::ConnKey(Val* v) {
const auto& vt = v->GetType();
if ( ! IsRecord(vt->Tag()) ) {
transport = INVALID_CONN_KEY_IP_PROTO;
return;
}
RecordType* vr = vt->AsRecordType();
auto vl = v->As<RecordVal*>();
// indices into record's value list
int orig_h;
int orig_p;
int resp_h;
int resp_p;
int proto;
if ( vr == id::conn_id ) {
orig_h = 0;
orig_p = 1;
resp_h = 2;
resp_p = 3;
proto = 4;
}
else {
// While it's not a conn_id, it may have equivalent fields.
orig_h = vr->FieldOffset("orig_h");
resp_h = vr->FieldOffset("resp_h");
orig_p = vr->FieldOffset("orig_p");
resp_p = vr->FieldOffset("resp_p");
proto = vr->FieldOffset("proto");
if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 || proto < 0 ) {
transport = INVALID_CONN_KEY_IP_PROTO;
return;
}
// TODO we ought to check that the fields have the right
// types, too.
}
if ( ! vl->HasField(orig_h) || ! vl->HasField(resp_h) || ! vl->HasField(orig_p) || ! vl->HasField(resp_p) ) {
transport = INVALID_CONN_KEY_IP_PROTO;
return;
}
const IPAddr& orig_addr = vl->GetFieldAs<AddrVal>(orig_h);
const IPAddr& resp_addr = vl->GetFieldAs<AddrVal>(resp_h);
const auto& orig_portv = vl->GetFieldAs<PortVal>(orig_p);
const auto& resp_portv = vl->GetFieldAs<PortVal>(resp_p);
const auto& protov = vl->GetField<CountVal>(proto);
Init(orig_addr, resp_addr, htons((unsigned short)orig_portv->Port()), htons((unsigned short)resp_portv->Port()),
protov->AsCount(), false);
}
void ConnKey::Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint16_t proto,
bool one_way) {
// Because of padding in the object, this needs to memset to clear out
// the extra memory used by padding. Otherwise, the session key stuff
// doesn't work quite right. The static_cast is to silence a
// -Wnontrival-memcall warning from clang++ 17 and later.
memset(static_cast<void*>(this), 0, sizeof(ConnKey));
// Lookup up connection based on canonical ordering, which is
// the smaller of <src addr, src port> and <dst addr, dst port>
// followed by the other.
if ( one_way || addr_port_canon_lt(src, src_port, dst, dst_port) ) {
ip1 = src.in6;
ip2 = dst.in6;
port1 = src_port;
port2 = dst_port;
}
else {
ip1 = dst.in6;
ip2 = src.in6;
port1 = dst_port;
port2 = src_port;
}
transport = proto;
}
} // namespace detail
IPAddr::IPAddr(const String& s) { Init(s.CheckString()); }
std::unique_ptr<detail::HashKey> IPAddr::MakeHashKey() const {


@ -25,41 +25,6 @@ constexpr uint16_t INVALID_CONN_KEY_IP_PROTO = 65534;
class HashKey;
// Deprecated: Remove the whole class in v8.1. Switch usage to the conntuple factories and the new zeek::ConnKey tree.
class ConnKey {
public:
in6_addr ip1;
in6_addr ip2;
uint16_t port1 = 0;
uint16_t port2 = 0;
uint16_t transport = INVALID_CONN_KEY_IP_PROTO;
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] ConnKey(const IPAddr& src, const IPAddr& dst,
uint16_t src_port, uint16_t dst_port,
uint16_t proto, bool one_way);
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] ConnKey(const ConnTuple& conn);
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] ConnKey(const ConnKey& rhs) { *this = rhs; }
[[deprecated("Remove in v8.1: Switch to new conn_key framework")]] ConnKey(Val* v);
// FIXME: This is getting reworked as part of the connection tuple changes. Suppress
// the clang-tidy warning for the time being.
// NOLINTBEGIN(bugprone-suspicious-memory-comparison)
bool operator<(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) < 0; }
bool operator<=(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) <= 0; }
bool operator==(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) == 0; }
bool operator!=(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) != 0; }
bool operator>=(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) >= 0; }
bool operator>(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) > 0; }
// NOLINTEND(bugprone-suspicious-memory-comparison)
ConnKey& operator=(const ConnKey& rhs);
bool Valid() const { return transport <= 0xFF; };
private:
void Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port, uint16_t proto, bool one_way);
};
} // namespace detail
/**
@ -406,7 +371,6 @@ public:
static const IPAddr v6_unspecified;
private:
friend class detail::ConnKey;
friend class IPPrefix;
/**


@ -67,8 +67,6 @@ extern void suspend_processing();
extern void continue_processing();
bool is_processing_suspended();
[[deprecated("Remove with v8.1. Use run_state::current_pseudo directly if needed.")]]
extern double current_packet_timestamp();
extern double current_packet_wallclock();
// Whether we're reading live traffic.


@ -1,12 +0,0 @@
// See the file "COPYING" in the main distribution directory for copyright.
#pragma once
#include <span>
namespace zeek {
template<class T>
using Span [[deprecated("Remove in v8.1: Use std::span instead")]] = std::span<T>;
} // namespace zeek


@ -19,17 +19,6 @@ using RecordTypePtr = IntrusivePtr<RecordType>;
using Args = std::vector<ValPtr>;
/**
* Converts a legacy-style argument list for use in modern Zeek function
* calling or event queueing APIs.
* @param vl the argument list to convert, the returned value takes ownership
* of a reference to each element in the list
* @return the converted argument list
*
*/
[[deprecated("Remove in v8.1. Convert users to produce zeek::Args directly.")]]
Args val_list_to_args(const ValPList& vl);
/**
* Creates a vector of "call_argument" meta data describing the arguments to
* function/event invocation.


@ -322,46 +322,6 @@ String::Vec* String::Split(const String::IdxVec& indices) const {
return result;
}
VectorVal* String::VecToPolicy(Vec* vec) {
auto result = make_intrusive<VectorVal>(id::string_vec);
for ( unsigned int i = 0; i < vec->size(); ++i ) {
String* string = (*vec)[i];
auto val = make_intrusive<StringVal>(string->Len(), (const char*)string->Bytes());
result->Assign(i, std::move(val));
}
return result.release();
}
String::Vec* String::VecFromPolicy(VectorVal* vec) {
Vec* result = new Vec();
for ( unsigned int i = 0; i < vec->Size(); ++i ) {
auto v = vec->StringAt(i);
if ( ! v )
continue;
String* string = new String(*v);
result->push_back(string);
}
return result;
}
char* String::VecToString(const Vec* vec) {
std::string result("[");
for ( const auto* str : *vec ) {
result += str->CheckString();
result += ",";
}
result += "]";
return strdup(result.c_str());
}
bool StringLenCmp::operator()(String* const& bst1, String* const& bst2) {
return _increasing ? (bst1->Len() < bst2->Len()) : (bst1->Len() > bst2->Len());
}
@ -587,15 +547,8 @@ TEST_CASE("searching/modification") {
CHECK_EQ(s, *s3);
delete s3;
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
char* temp = zeek::String::VecToString(splits);
#pragma GCC diagnostic pop
CHECK_EQ(std::string(temp), "[this, is, a, test,]");
free(temp);
for ( auto* entry : *splits )
delete entry;
for ( auto& spl : *splits )
delete spl;
delete splits;
}
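Review bot: In the `searching/modification` test case, removing the VecToString comparison leaves no visible assertion on what Split() returned; the remaining loop only frees `splits`. The removed expected string `[this, is, a, test,]` suggests four pieces, so a direct check such as `CHECK_EQ(splits->size(), 4);` before the delete loop would keep that coverage, with the count confirmed against the part of the test above the hunk. As a style point, the loop variable reads more clearly as `auto*` than `auto&`, since the elements are owning raw pointers being deleted.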


@ -166,14 +166,6 @@ public:
//
Vec* Split(const IdxVec& indices) const;
// Helper functions for vectors:
[[deprecated("Remove in v8.1. The ZeekString vector methods are unused.")]]
static VectorVal* VecToPolicy(Vec* vec);
[[deprecated("Remove in v8.1. The ZeekString vector methods are unused.")]]
static Vec* VecFromPolicy(VectorVal* vec);
[[deprecated("Remove in v8.1. The ZeekString vector methods are unused.")]]
static char* VecToString(const Vec* vec);
protected:
void Reset();


@ -903,15 +903,3 @@ constexpr int CONTENTS_RESP = 2;
constexpr int CONTENTS_BOTH = 3;
} // namespace zeek::analyzer
[[deprecated("Remove in v8.1. Use version in zeek::analyzer namespace.")]] constexpr int CONTENTS_NONE =
zeek::analyzer::CONTENTS_NONE;
[[deprecated("Remove in v8.1. Use version in zeek::analyzer namespace.")]] constexpr int CONTENTS_ORIG =
zeek::analyzer::CONTENTS_ORIG;
[[deprecated("Remove in v8.1. Use version in zeek::analyzer namespace.")]] constexpr int CONTENTS_RESP =
zeek::analyzer::CONTENTS_RESP;
[[deprecated("Remove in v8.1. Use version in zeek::analyzer namespace.")]] constexpr int CONTENTS_BOTH =
zeek::analyzer::CONTENTS_BOTH;


@ -455,6 +455,19 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name,
return true;
}
uint8_t DNS_Interpreter::ExtractByte(const u_char*& data, int& len) {
if ( len < 1 )
return 0;
uint8_t val;
val = data[0];
++data;
--len;
return val;
}
uint16_t DNS_Interpreter::ExtractShort(const u_char*& data, int& len) {
if ( len < 2 )
return 0;
@ -1331,15 +1344,7 @@ bool DNS_Interpreter::ParseRR_BINDS(detail::DNS_MsgInfo* msg, const u_char*& dat
unsigned int keyid = (keyid1 << 8) | keyid2;
String* completeflag = ExtractStream(data, len, rdlength - 4);
// We exposed the complete flag as a string to script land previously,
// but there should only ever be a single byte, so raise a weird if
// it is longer than that.
//
// https://bind9.readthedocs.io/en/latest/chapter5.html#monitoring-with-private-type-records
if ( completeflag->Len() > 1 )
analyzer->Weird("DNS_BINDS_complete_flag_length", util::fmt("%d", completeflag->Len()));
uint8_t completeflag = ExtractByte(data, len);
if ( dns_BINDS ) {
detail::BINDS_DATA binds;
@ -1912,9 +1917,8 @@ RecordValPtr DNS_MsgInfo::BuildBINDS_Val(BINDS_DATA* binds) {
r->Assign(2, binds->algorithm);
r->Assign(3, binds->key_id);
r->Assign(4, binds->removal_flag);
r->Assign(5, binds->complete_flag); // Remove in v8.1: Move field 7 here. Drop String* usage.
r->Assign(5, binds->complete_flag);
r->Assign(6, is_query);
r->Assign(7, binds->complete_flag->Len() > 0 ? binds->complete_flag->Bytes()[0] : 0);
return r;
}
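Review bot: In ParseRR_BINDS, `uint8_t completeflag = ExtractByte(data, len);` consumes exactly one byte where the replaced ExtractStream call consumed `rdlength - 4`, and the `DNS_BINDS_complete_flag_length` weird is no longer raised. If a record carries a longer or absent flag field, `data`/`len` may end up out of step with the record boundary for whatever is parsed next, unless the caller re-synchronises on rdlength, which is not visible here. For a network monitor that also means one fewer signal of malformed input. I would keep the signal with `if ( rdlength - 4 > 1 ) analyzer->Weird("DNS_BINDS_complete_flag_length", util::fmt("%d", rdlength - 4));` and then skip the unread remainder, bounded by `len`. The new ExtractByte returns 0 when `len < 1`, which a caller cannot tell apart from a genuine zero flag; ParseRR_BINDS itself starts and ends outside the hunk.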


@ -262,7 +262,7 @@ struct BINDS_DATA {
unsigned short algorithm; // 8
unsigned short key_id; // 16 : ExtractShort(data, len)
unsigned short removal_flag; // 8
String* complete_flag; // 8
uint8_t complete_flag; // 8
};
struct LOC_DATA {
@ -353,6 +353,7 @@ protected:
bool downcase = true);
bool ExtractLabel(const u_char*& data, int& len, u_char*& label, int& label_len, const u_char* msg_start);
uint8_t ExtractByte(const u_char*& data, int& len);
uint16_t ExtractShort(const u_char*& data, int& len);
uint32_t ExtractLong(const u_char*& data, int& len);
void ExtractOctets(const u_char*& data, int& len, String** p);


@ -122,9 +122,3 @@ protected:
};
} // namespace zeek::analyzer::tcp
// These were previously #defined, so they have to be outside of the namespace.
[[deprecated("Remove in v8.1, use the version in the zeek:::analyzer::tcp namespace")]] constexpr int CR_as_EOL =
zeek::analyzer::tcp::CR_as_EOL;
[[deprecated("Remove in v8.1, use the version in the zeek:::analyzer::tcp namespace")]] constexpr int LF_as_EOL =
zeek::analyzer::tcp::LF_as_EOL;


@ -260,41 +260,3 @@ enum EndianTypes : uint8_t {
} // namespace analyzer::tcp
} // namespace zeek
[[deprecated(
"Remove in v8.1. Use version in zeek::analyzer::tcp::TCP_Endpoint namespace.")]] constexpr int HIST_SYN_PKT =
zeek::analyzer::tcp::TCP_Endpoint::HIST_SYN_PKT;
[[deprecated(
"Remove in v8.1. Use version in zeek::analyzer::tcp::TCP_Endpoint namespace.")]] constexpr int HIST_FIN_PKT =
zeek::analyzer::tcp::TCP_Endpoint::HIST_FIN_PKT;
[[deprecated(
"Remove in v8.1. Use version in zeek::analyzer::tcp::TCP_Endpoint namespace.")]] constexpr int HIST_RST_PKT =
zeek::analyzer::tcp::TCP_Endpoint::HIST_RST_PKT;
[[deprecated(
"Remove in v8.1. Use version in zeek::analyzer::tcp::TCP_Endpoint namespace.")]] constexpr int HIST_FIN_RST_PKT =
zeek::analyzer::tcp::TCP_Endpoint::HIST_FIN_RST_PKT;
[[deprecated(
"Remove in v8.1. Use version in zeek::analyzer::tcp::TCP_Endpoint namespace.")]] constexpr int HIST_DATA_PKT =
zeek::analyzer::tcp::TCP_Endpoint::HIST_DATA_PKT;
[[deprecated(
"Remove in v8.1. Use version in zeek::analyzer::tcp::TCP_Endpoint namespace.")]] constexpr int HIST_ACK_PKT =
zeek::analyzer::tcp::TCP_Endpoint::HIST_ACK_PKT;
[[deprecated(
"Remove in v8.1. Use version in zeek::analyzer::tcp::TCP_Endpoint namespace.")]] constexpr int HIST_MULTI_FLAG_PKT =
zeek::analyzer::tcp::TCP_Endpoint::HIST_MULTI_FLAG_PKT;
[[deprecated(
"Remove in v8.1. Use version in zeek::analyzer::tcp::TCP_Endpoint namespace.")]] constexpr int HIST_CORRUPT_PKT =
zeek::analyzer::tcp::TCP_Endpoint::HIST_CORRUPT_PKT;
[[deprecated("Remove in v8.1. Use version in zeek::analyzer::tcp::TCP_Endpoint namespace.")]] constexpr int HIST_RXMIT =
zeek::analyzer::tcp::TCP_Endpoint::HIST_RXMIT;
[[deprecated("Remove in v8.1. Use version in zeek::analyzer::tcp::TCP_Endpoint namespace.")]] constexpr int HIST_WIN0 =
zeek::analyzer::tcp::TCP_Endpoint::HIST_WIN0;


@ -826,8 +826,6 @@ std::vector<broker::peer_info> Manager::Peers() const {
return bstate->endpoint.peers();
}
std::string Manager::NodeID() const { return to_string(bstate->endpoint.node_id()); }
bool Manager::DoPublishEvent(const std::string& topic, cluster::Event& event) {
bool do_publish = PLUGIN_HOOK_WITH_RESULT(HOOK_PUBLISH_EVENT, HookPublishEvent(*this, topic, event), true);
if ( ! do_publish )
@ -1107,72 +1105,6 @@ void Manager::Error(const char* format, ...) {
reporter->Error("%s", msg);
}
bool Manager::AutoPublishEvent(string topic, Val* event) {
if ( event->GetType()->Tag() != TYPE_FUNC ) {
Error("Broker::auto_publish must operate on an event");
return false;
}
auto event_val = event->AsFunc();
if ( event_val->Flavor() != FUNC_FLAVOR_EVENT ) {
Error("Broker::auto_publish must operate on an event");
return false;
}
auto handler = event_registry->Lookup(event_val->GetName());
if ( ! handler ) {
Error("Broker::auto_publish failed to lookup event '%s'", event_val->GetName().c_str());
return false;
}
DBG_LOG(DBG_BROKER, "Enabling auto-publishing of event %s to topic %s", handler->Name(), topic.c_str());
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
handler->AutoPublish(std::move(topic));
#pragma GCC diagnostic pop
return true;
}
bool Manager::AutoUnpublishEvent(const string& topic, Val* event) {
if ( event->GetType()->Tag() != TYPE_FUNC ) {
Error("Broker::auto_event_stop must operate on an event");
return false;
}
auto event_val = event->AsFunc();
if ( event_val->Flavor() != FUNC_FLAVOR_EVENT ) {
Error("Broker::auto_event_stop must operate on an event");
return false;
}
auto handler = event_registry->Lookup(event_val->GetName());
if ( ! handler ) {
Error("Broker::auto_event_stop failed to lookup event '%s'", event_val->GetName().c_str());
return false;
}
DBG_LOG(DBG_BROKER, "Disabling auto-publishing of event %s to topic %s", handler->Name(), topic.c_str());
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
handler->AutoUnpublish(topic);
#pragma GCC diagnostic pop
return true;
}
RecordVal* Manager::MakeEvent(ValPList* args, zeek::detail::Frame* frame) {
// Deprecated MakeEvent() version using ValPList - requires extra copy.
zeek::Args cargs;
cargs.reserve(args->size());
for ( auto* a : *args )
cargs.emplace_back(zeek::NewRef{}, a);
return MakeEvent(ArgsSpan{cargs}, frame)->Ref()->AsRecordVal();
}
zeek::RecordValPtr Manager::MakeEvent(ArgsSpan args, zeek::detail::Frame* frame) {
scoped_reporter_location srl{frame};
auto rval = zeek::make_intrusive<RecordVal>(BifType::Record::Broker::Event);


@ -175,11 +175,6 @@ public:
*/
std::vector<broker::peer_info> Peers() const;
/**
* @return a unique identifier for this broker endpoint.
*/
[[deprecated("Remove in v8.1: Use Backend::NodeId() instead.")]] std::string NodeID() const;
/**
* Send an identifier's value to interested peers.
* @param topic a topic string associated with the message.
@ -252,38 +247,6 @@ public:
bool PublishLogWrite(EnumVal* stream, EnumVal* writer, const std::string& path,
const logging::detail::LogRecord& rec);
/**
* Automatically send an event to any interested peers whenever it is
* locally dispatched (e.g. using "event my_event(...);" in a script).
* @param topic a topic string associated with the event message.
* Peers advertise interest by registering a subscription to some prefix
* of this topic name.
* @param event a Zeek event value.
* @return true if automatic event sending is now enabled.
*/
[[deprecated("Remove in v8.1, use explicit Publish().")]]
bool AutoPublishEvent(std::string topic, Val* event);
/**
* Stop automatically sending an event to peers upon local dispatch.
* @param topic a topic originally given to zeek::Broker::Manager::AutoPublish().
* @param event an event originally given to zeek::Broker::Manager::AutoPublish().
* @return true if automatic events will no occur for the topic/event pair.
*/
[[deprecated("Remove in v8.1.")]]
bool AutoUnpublishEvent(const std::string& topic, Val* event);
/**
* Create an `Event` record value from an event and its arguments.
* @param args the event and its arguments. The event is always the first
* elements in the list.
* @param frame the calling frame, used to report location info upon error
* @return an `Event` record value. If an invalid event or arguments
* were supplied the optional "name" field will not be set.
*/
[[deprecated("Remove in v8.1: Use the ArgsSpan version instead")]] RecordVal* MakeEvent(ValPList* args,
zeek::detail::Frame* frame);
using ArgsSpan = std::span<const ValPtr>;
/**


@ -146,26 +146,6 @@ function Broker::__publish_id%(topic: string, id: string%): bool
return zeek::val_mgr->Bool(rval);
%}
function Broker::__auto_publish%(topic: string, ev: any%): bool
%{
zeek::Broker::Manager::ScriptScopeGuard ssg;
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
auto rval = zeek::broker_mgr->AutoPublishEvent(topic->CheckString(), ev);
#pragma GCC diagnostic pop
return zeek::val_mgr->Bool(rval);
%}
function Broker::__auto_unpublish%(topic: string, ev: any%): bool
%{
zeek::Broker::Manager::ScriptScopeGuard ssg;
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
auto rval = zeek::broker_mgr->AutoUnpublishEvent(topic->CheckString(), ev);
#pragma GCC diagnostic pop
return zeek::val_mgr->Bool(rval);
%}
function Broker::__subscribe%(topic_prefix: string%): bool
%{
zeek::Broker::Manager::ScriptScopeGuard ssg;


@ -277,11 +277,6 @@ void ThreadedBackend::DoTerminate() {
}
}
void ThreadedBackend::QueueForProcessing(QueueMessage&& qmessages) {
if ( onloop )
onloop->QueueForProcessing(std::move(qmessages));
}
void ThreadedBackend::Process(QueueMessage&& msg) {
// sonarlint wants to use std::visit. not sure...
if ( auto* emsg = std::get_if<EventMessage>(&msg) ) {


@ -568,17 +568,6 @@ protected:
ThreadedBackend(std::string_view name, std::unique_ptr<EventSerializer> es, std::unique_ptr<LogSerializer> ls,
std::unique_ptr<detail::EventHandlingStrategy> ehs);
/**
* To be used by implementations to enqueue messages for processing on the IO loop.
*
* It's safe to call this method from any thread before ThreadedBackend's
* DoTerminate() implementation is invoked.
*
* @param messages Messages to be enqueued.
*/
[[deprecated("Remove in v8.1: Use OnLoop() and QueueForProcessing() directly.")]]
void QueueForProcessing(QueueMessage&& messages);
/**
* The default DoInit() implementation of ThreadedBackend
* registers itself as a counting IO source to keep the IO


@ -898,7 +898,6 @@ event Pcap::file_done%(path: string%);
##
## .. zeek:see:: UnknownProtocol::first_bytes_count
event unknown_protocol%(analyzer_name: string, protocol: count, first_bytes: string, analyzer_history: string_vec%);
event unknown_protocol%(analyzer_name: string, protocol: count, first_bytes: string%) &deprecated="Remove in v8.1. Use the version that includes analyzer_history.";
## An event for handling packets that reached the end of processing without
## being marked as processed. Note that this event may lead to unpredictable


@ -8,8 +8,9 @@
#include "zeek/analyzer/Manager.h"
#include "zeek/analyzer/protocol/pia/PIA.h"
#include "zeek/analyzer/protocol/tcp/TCP.h"
#include "zeek/fuzzers/FuzzBuffer.h"
#include "zeek/conn_key/Manager.h"
#include "zeek/fuzzers/fuzzer-setup.h"
#include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h"
#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
#include "zeek/session/Manager.h"
@ -19,16 +20,13 @@ static zeek::Connection* add_connection() {
static constexpr double network_time_start = 1439471031;
zeek::run_state::detail::update_network_time(network_time_start);
zeek::ConnKeyPtr ck = zeek::conn_key_mgr->GetFactory().NewConnKey();
zeek::IPBasedConnKeyPtr key = zeek::IPBasedConnKeyPtr(static_cast<zeek::IPBasedConnKey*>(ck.release()));
key->InitTuple(zeek::IPAddr("1.2.3.4"), htons(23132), zeek::IPAddr("5.6.7.8"), htons(80), TRANSPORT_TCP, false);
zeek::Packet p;
zeek::ConnTuple conn_id;
conn_id.src_addr = zeek::IPAddr("1.2.3.4");
conn_id.dst_addr = zeek::IPAddr("5.6.7.8");
conn_id.src_port = htons(23132);
conn_id.dst_port = htons(80);
conn_id.is_one_way = false;
conn_id.proto = TRANSPORT_TCP;
zeek::detail::ConnKey key(conn_id);
zeek::Connection* conn = new zeek::Connection(key, network_time_start, &conn_id, 1, &p);
zeek::Connection* conn = new zeek::Connection(std::move(key), network_time_start, 1, &p);
conn->SetTransport(TRANSPORT_TCP);
zeek::session_mgr->Insert(conn);
return conn;
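Review bot: `static_cast<zeek::IPBasedConnKey*>(ck.release())` in add_connection() downcasts whatever the configured factory returns without checking it, and the same lines appear in add_connection() of the second fuzzer harness further down this commit. If a build ever installs a factory that produces a different ConnKey subclass, InitTuple() would run on the wrong type and the harness would report crashes that are not analyzer bugs. A comment stating the assumption, e.g. `// The fuzzer setup uses the default factory, so NewConnKey() yields an IPBasedConnKey.`, or a checked cast that aborts on mismatch, would make this explicit. Which factory the fuzzer setup installs is not visible here, so the comment wording needs confirming against it.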


@ -10,8 +10,10 @@
#include "zeek/analyzer/protocol/pia/PIA.h"
#include "zeek/analyzer/protocol/tcp/TCP.h"
#include "zeek/analyzer/protocol/websocket/WebSocket.h"
#include "zeek/conn_key/Manager.h"
#include "zeek/fuzzers/FuzzBuffer.h"
#include "zeek/fuzzers/fuzzer-setup.h"
#include "zeek/packet_analysis/protocol/ip/conn_key/IPBasedConnKey.h"
#include "zeek/packet_analysis/protocol/tcp/TCPSessionAdapter.h"
#include "zeek/session/Manager.h"
@ -21,16 +23,12 @@ static zeek::Connection* add_connection() {
static constexpr double network_time_start = 1439471031;
zeek::run_state::detail::update_network_time(network_time_start);
zeek::ConnKeyPtr ck = zeek::conn_key_mgr->GetFactory().NewConnKey();
zeek::IPBasedConnKeyPtr key = zeek::IPBasedConnKeyPtr(static_cast<zeek::IPBasedConnKey*>(ck.release()));
key->InitTuple(zeek::IPAddr("1.2.3.4"), htons(23132), zeek::IPAddr("5.6.7.8"), htons(80), TRANSPORT_TCP, false);
zeek::Packet p;
zeek::ConnTuple conn_id;
conn_id.src_addr = zeek::IPAddr("1.2.3.4");
conn_id.dst_addr = zeek::IPAddr("5.6.7.8");
conn_id.src_port = htons(23132);
conn_id.dst_port = htons(80);
conn_id.is_one_way = false;
conn_id.proto = TRANSPORT_TCP;
zeek::detail::ConnKey key(conn_id);
zeek::Connection* conn = new zeek::Connection(key, network_time_start, &conn_id, 1, &p);
zeek::Connection* conn = new zeek::Connection(std::move(key), network_time_start, 1, &p);
conn->SetTransport(TRANSPORT_TCP);
zeek::session_mgr->Insert(conn);
return conn;


@ -106,9 +106,6 @@ WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVa
remote = arg_remote;
info = new WriterBackend::WriterInfo(arg_info);
num_fields = 0;
fields = nullptr;
const char* w = arg_writer->GetType()->AsEnumType()->Lookup(arg_writer->InternalInt());
name = util::copy_string(util::fmt("%s/%s", arg_info.path, w));
@ -124,11 +121,6 @@ WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVa
}
WriterFrontend::~WriterFrontend() {
for ( auto i = 0; i < num_fields; ++i )
delete fields[i];
delete[] fields;
delete info;
delete[] name;
}
@ -154,27 +146,25 @@ void WriterFrontend::Init(int arg_num_fields, const Field* const* arg_fields) {
if ( initialized )
reporter->InternalError("writer initialize twice");
num_fields = arg_num_fields;
fields = arg_fields;
initialized = true;
if ( backend ) {
auto fs = new Field*[num_fields];
for ( auto i = 0; i < num_fields; ++i )
fs[i] = new Field(*fields[i]);
backend->SendIn(new InitMessage(backend, arg_num_fields, fs));
}
header.fields.reserve(arg_num_fields);
for ( int i = 0; i < arg_num_fields; i++ )
header.fields.emplace_back(*arg_fields[i]);
if ( remote ) {
broker_mgr->PublishLogCreate(header.stream_id.get(), header.writer_id.get(), *info, arg_num_fields, arg_fields);
}
header.fields.reserve(arg_num_fields);
for ( int i = 0; i < arg_num_fields; i++ )
header.fields.emplace_back(*arg_fields[i]);
if ( backend )
// InitMessage takes ownership of the pointer passed in here and deletes it and
// the fields when done processing the message.
backend->SendIn(new InitMessage(backend, arg_num_fields, arg_fields));
else {
for ( int i = 0; i < arg_num_fields; i++ )
delete arg_fields[i];
delete[] arg_fields;
}
}
void WriterFrontend::Write(detail::LogRecord&& arg_vals) {
@ -183,9 +173,9 @@ void WriterFrontend::Write(detail::LogRecord&& arg_vals) {
if ( disabled )
return;
if ( vals.size() != static_cast<size_t>(num_fields) ) {
reporter->Warning("WriterFrontend %s expected %d fields in write, got %zu. Skipping line.", name, num_fields,
vals.size());
if ( vals.size() != header.fields.size() ) {
reporter->Warning("WriterFrontend %s expected %zu fields in write, got %zu. Skipping line.", name,
header.fields.size(), vals.size());
return;
}
@ -238,7 +228,7 @@ void WriterFrontend::FlushWriteBuffer() {
zeek::cluster::backend->PublishLogWrites(header, std::span{records});
if ( backend )
backend->SendIn(new WriteMessage(backend, num_fields, std::move(records)));
backend->SendIn(new WriteMessage(backend, header.fields.size(), std::move(records)));
}
void WriterFrontend::SetBuf(bool enabled) {
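Review bot: Init() now consumes `arg_fields` on every path (handed to InitMessage when a backend exists, deleted in the `else` branch otherwise), but only the backend branch says so and nothing tells callers the array is gone once Init() returns. The ordering inside the function should be pinned too: the `if ( remote )` block passes `arg_fields` to PublishLogCreate, and per the in-hunk comment InitMessage deletes the array once the message is processed, so any read placed after `backend->SendIn(...)` would be a use-after-free. Suggested comment above the `if ( backend )` line: `// arg_fields is consumed here (InitMessage or the else branch); do not read it below this point.` The page has lost its +/- markers, so the position of the remote block relative to the hand-off is inferred from print order, and Init() begins above the hunk.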


@ -226,14 +226,6 @@ public:
*/
const WriterBackend::WriterInfo& Info() const { return *info; }
/**
* Returns the number of log fields as passed into the constructor.
*/
[[deprecated("Remove in v8.1: Use GetFields() instead")]]
int NumFields() const {
return num_fields;
}
/**
* Returns a descriptive name for the writer, including the type of
* the backend and the path used.
@ -247,14 +239,6 @@ public:
*/
const std::string& GetFilterName() const { return info->filter_name; }
/**
* Returns the log fields as passed into the constructor.
*/
[[deprecated("Remove in v8.1: Use GetFields() instead")]]
const threading::Field* const* Fields() const {
return fields;
}
/**
* Returns the log fields once Init() was called on the frontend.
*/
@ -270,10 +254,8 @@ protected:
bool local; // True if logging locally.
bool remote; // True if logging remotely.
const char* name; // Descriptive name of the
WriterBackend::WriterInfo* info; // The writer information.
int num_fields; // Remove in v8.1.
const threading::Field* const* fields; // Remove in v8.1.
const char* name; // Descriptive name of the writer.
WriterBackend::WriterInfo* info; // The writer information.
detail::LogWriteHeader header; // Collected information about the WriterFrontend.
detail::WriteBuffer write_buffer; // Buffer for bulk writes.


@ -171,11 +171,6 @@ public:
return pkt_filter;
}
[[deprecated("Remove in v8.1: Use PacketsUnprocessed() instead.")]]
uint64_t GetUnprocessedCount() const {
return PacketsUnprocessed();
}
/**
* Returns the total number of packets received that weren't considered
* processed by some analyzer.


@ -31,13 +31,9 @@ private:
enum class ParseResult : int8_t {
CAPLEN_TOO_SMALL = -1,
CaplenTooSmall [[deprecated("Remove in v8.1, use ParseResult::CAPLEN_TOO_SMALL.")]] = CAPLEN_TOO_SMALL,
BAD_PROTOCOL = -2,
BadProtocol [[deprecated("Remove in v8.1, use ParseResult::BAD_PROTOCOL.")]] = BAD_PROTOCOL,
OK = 0,
Ok [[deprecated("Remove in v8.1, use ParseResult::OK.")]] = OK,
CAPLEN_TOO_LARGE = 1,
CaplenTooLarge [[deprecated("Remove in v8.1, use ParseResult::CAPLEN_TOO_LARGE.")]] = CAPLEN_TOO_LARGE,
};
/**


@ -36,17 +36,8 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
key = IPBasedConnKeyPtr(static_cast<IPBasedConnKey*>(ck.release()));
}
// Deprecated: remove ConnTuple use in 8.1 and only use InitConnKey().
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
ConnTuple tuple;
if ( BuildConnTuple(len, data, pkt, tuple) ) {
key->InitTuple(tuple.src_addr, tuple.src_port, tuple.dst_addr, tuple.dst_port, pkt->proto);
#pragma GCC diagnostic pop
}
else if ( ! InitConnKey(len, data, pkt, *key) ) {
if ( ! InitConnKey(len, data, pkt, *key) )
return false;
}
key->Init(*pkt);


@ -109,18 +109,7 @@ protected:
* @return True if initialization succeeded, false otherwise (e.g. because
* there wasn't enough data available).
*/
virtual bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) {
// Given deprecation of BuildConnTuple below, make this pure virtual in 8.1.
return false;
}
/**
* Parse the header from the packet into a ConnTuple object.
*/
[[deprecated("Remove in v8.1. Switch to InitConnKey() and key-only initialization.")]]
virtual bool BuildConnTuple(size_t len, const uint8_t* data, Packet* packet, ConnTuple& tuple) {
return false;
}
virtual bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) = 0;
/**
* Continues process of packet after the connection has been inserted into the


@ -10,6 +10,7 @@
#include <sys/stat.h>
#include <cerrno>
#include <cstdlib>
#include <filesystem>
#include <fstream>
#include <optional>
#include <ranges>


@ -663,14 +663,9 @@ F RET_CONST(zeek::val_mgr->False()->Ref())
({H}".")+{HTLD} {
zeek::TableValPtr result;
std::string msg = zeek::util::fmt("Remove in v8.1: DNS lookup of host literal '%s' is deprecated. "
std::string msg = zeek::util::fmt("DNS lookup of host literal '%s' is not supported. "
"Replace with blocking_lookup_hostname().", yytext);
zeek::reporter->Deprecation(msg.c_str());
if ( ! zeek::detail::parse_only )
result = zeek::detail::dns_mgr->LookupHost(yytext);
else
result = zeek::detail::dns_mgr->empty_addr_set();
RET_CONST(result.release());
zeek::reporter->Error("%s", msg.c_str());
}
\"([^\\\r\\\n\"]|{ESCSEQ})*\" {
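Review bot: The local `zeek::TableValPtr result;` appears to survive in the new rule body although nothing assigns or returns it any more; the hunk header's 14-to-9 line counts only add up if that declaration is an unchanged context line, so it looks like a leftover that can be dropped. The action also no longer ends in `RET_CONST(...)`, so after `zeek::reporter->Error(...)` the scanner continues past the literal without handing the parser a token. If that is intended, a short comment such as `// Intentionally no RET_CONST: host literals are rejected.` would stop a later reader from "restoring" the return. The rule's action begins and ends inside the hunk, but the page has lost its +/- markers, so the old/new assignment here is inferred from the counts.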


@ -58,9 +58,6 @@ public:
Manager();
~Manager();
[[deprecated("Remove in v8.1 - no functionality. Use Drain() and Clear().")]]
void Done() {};
// Looks up the connection referred to by the given Val,
// which should be a conn_id record. Returns nil if there's
// no such connection or the Val is ill-formed.


@ -21,7 +21,7 @@
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <filesystem> // Remove in v8.1.
#include <limits>
#include <string>
#include <string_view>
#include <vector>
@ -100,10 +100,6 @@ constexpr int UID_POOL_CUSTOM_SCRIPT = 10; // First available custom script leve
namespace zeek {
// This alias is deprecated and should be removed in v8.1. There isn't a way to mark
// it so the compiler will flag it.
namespace filesystem = std::filesystem;
class ODesc;
class RecordVal;


@ -2046,24 +2046,6 @@ function bare_mode%(%): bool
return zeek::val_mgr->Bool(zeek::run_state::detail::bare_mode);
%}
## Converts a record type name to a vector of strings, where each element is
## the name of a record field. Nested records are flattened.
##
## rt: The name of the record type.
##
## Returns: A string vector with the field names of *rt*.
function record_type_to_vector%(rt: string%): string_vec &deprecated="Remove in v8.1: Consider using the ordered table from record_fields"
%{
auto result = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
zeek::RecordType* type = zeek::id::find_type(rt->CheckString())->AsRecordType();
for ( int i = 0; i < type->NumFields(); ++i )
result->Assign(i+1, zeek::make_intrusive<zeek::StringVal>(type->FieldName(i)));
return std::move(result);
%}
## Returns the type name of an arbitrary Zeek variable.
##
## t: An arbitrary object.


@ -1,5 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/main.zeek, line 691: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_x))
error in <...>/main.zeek, line 691: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_wss_port))
error in <...>/main.zeek, line 691: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_qs))
error in <...>/main.zeek, line 689: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_x))
error in <...>/main.zeek, line 689: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_wss_port))
error in <...>/main.zeek, line 689: Already listening on 127.0.0.1:<port> (Cluster::__listen_websocket(ws_opts_qs))
received termination signal


@ -1,4 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in ../manager.zeek, line 12: deprecated (Cluster::WebSocketServerOptions$listen_host): Remove in v8.1: Use $listen_addr instead. ((coerce [$listen_host=::1, $listen_port=to_port(getenv(WEBSOCKET_PORT))] to Cluster::WebSocketServerOptions))
warning in <no location>: deprecated (Cluster::WebSocketServerOptions$listen_host): Remove in v8.1: Use $listen_addr instead. (Cluster::WebSocketServerOptions($listen_host=::1, $listen_port=to_port(getenv(WEBSOCKET_PORT))))
received termination signal


@ -1,3 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/main.zeek, line 691: Invalid tls_options: No key_file field (Cluster::__listen_websocket(Cluster::options.0))
error in <...>/main.zeek, line 691: Invalid tls_options: No cert_file field (Cluster::__listen_websocket(Cluster::options.3))
error in <...>/main.zeek, line 689: Invalid tls_options: No key_file field (Cluster::__listen_websocket(Cluster::options.0))
error in <...>/main.zeek, line 689: Invalid tls_options: No cert_file field (Cluster::__listen_websocket(Cluster::options.3))


@ -1,2 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
[, ct, str1]


@ -1,7 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
receiver added peer: endpoint=127.0.0.1 msg=handshake successful
receiver got ping: my-message, 1
receiver got ping: my-message, 2
receiver got ping: my-message, 3
receiver got ping: my-message, 4
receiver got ping: my-message, 5


@ -1,7 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
sender added peer: endpoint=127.0.0.1 msg=handshake successful
sender got pong: my-message, 1
sender got pong: my-message, 2
sender got pong: my-message, 3
sender got pong: my-message, 4
sender lost peer: endpoint=127.0.0.1 msg=lost connection to remote peer


@ -1,7 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
receiver added peer: endpoint=127.0.0.1 msg=handshake successful
receiver got ping: my-message, 1
receiver got ping: my-message, 2
receiver got ping: my-message, 3
receiver got ping: my-message, 4
receiver got ping: my-message, 5


@ -1,7 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
sender added peer: endpoint=127.0.0.1 msg=handshake successful
sender got pong: my-message, 1
sender got pong: my-message, 2
sender got pong: my-message, 3
sender got pong: my-message, 4
sender lost peer: endpoint=127.0.0.1 msg=lost connection to remote peer


@ -1,11 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
receiver added peer: endpoint=127.0.0.1 msg=handshake successful
receiver got ping: my-message-a intended for 1989-12-12-22:00:00 stamped to 1989-12-12-22:00:00 (is_remote = T)
receiver got ping: my-message-b intended for 1989-12-12-22:15:00 stamped to 1989-12-12-22:15:00 (is_remote = T)
receiver got ping: my-message-c intended for 1989-12-12-22:30:00 stamped to 1989-12-12-22:30:00 (is_remote = T)
receiver got ping: my-message-a intended for 1989-12-12-23:00:00 stamped to 1989-12-12-23:00:00 (is_remote = T)
receiver got ping: my-message-b intended for 1989-12-12-23:15:00 stamped to 1989-12-12-23:15:00 (is_remote = T)
receiver got ping: my-message-c intended for 1989-12-12-23:30:00 stamped to 1989-12-12-23:30:00 (is_remote = T)
receiver got ping: my-message-a intended for 1989-12-13-00:00:00 stamped to 1989-12-13-00:00:00 (is_remote = T)
receiver got ping: my-message-b intended for 1989-12-13-00:15:00 stamped to 1989-12-13-00:15:00 (is_remote = T)
receiver got ping: my-message-c intended for 1989-12-13-00:30:00 stamped to 1989-12-13-00:30:00 (is_remote = T)


@ -1,13 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
sender added peer: endpoint=127.0.0.1 msg=handshake successful
>> Run 1 (1989-12-12-22:00:00)
>> Run 2 (1989-12-12-23:00:00)
>> Run 3 (1989-12-13-00:00:00)
>> Run 4 (1989-12-13-01:00:00)
>> Run 5 (1989-12-13-02:00:00)
>> Run 6 (1989-12-13-03:00:00)
>> Run 7 (1989-12-13-04:00:00)
>> Run 8 (1989-12-13-05:00:00)
>> Run 9 (1989-12-13-06:00:00)
>> Run 10 (1989-12-13-07:00:00)
sender lost peer: endpoint=127.0.0.1 msg=lost connection to remote peer


@ -1,4 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ping args ['my-message', 1] metadata [{'@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'timestamp', 'data': '2023-04-18T12:13:14.000'}]}]
ping args ['my-message', 2] metadata [{'@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'timestamp', 'data': '2023-04-18T12:13:24.000'}]}]
ping args ['my-message', 3] metadata [{'@data-type': 'vector', 'data': [{'@data-type': 'count', 'data': 1}, {'@data-type': 'timestamp', 'data': '2023-04-18T12:13:34.000'}]}]


@ -1,6 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
sender added peer: endpoint=127.0.0.1 msg=handshake successful
sender got pong: my-message, 1 network_time=1681819994.0 current_event_time=1681819995.0
sender got pong: my-message, 2 network_time=1681820004.0 current_event_time=1681819996.0
sender got pong: my-message, 3 network_time=1681820014.0 current_event_time=1681819997.0
sender lost peer: endpoint=127.0.0.1 msg=lost connection to client


@ -1,4 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ping ['my-message', 1]
ping ['my-message', 2]
ping ['my-message', 3]


@ -1,6 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
sender added peer: endpoint=127.0.0.1 msg=handshake successful
sender got pong: my-message, 1
sender got pong: my-message, 2
sender got pong: my-message, 3
sender lost peer: endpoint=127.0.0.1 msg=lost connection to client


@ -1 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.


@ -1,12 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
Connected
Sending ping 0
topic /test/pings event name pong args [{'@data-type': 'string', 'data': 'my-message'}, {'@data-type': 'count', 'data': 1}]
Sending ping 1
topic /test/pings event name pong args [{'@data-type': 'string', 'data': 'my-message'}, {'@data-type': 'count', 'data': 2}]
Sending ping 2
topic /test/pings event name pong args [{'@data-type': 'string', 'data': 'my-message'}, {'@data-type': 'count', 'data': 3}]
Sending ping 3
topic /test/pings event name pong args [{'@data-type': 'string', 'data': 'my-message'}, {'@data-type': 'count', 'data': 4}]
Sending ping 4
topic /test/pings event name pong args [{'@data-type': 'string', 'data': 'my-message'}, {'@data-type': 'count', 'data': 5}]


@ -1,3 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in ../manager.zeek, line 12: deprecated (Cluster::WebSocketServerOptions$listen_host): Remove in v8.1: Use $listen_addr instead. ((coerce [$listen_host=::1, $listen_port=to_port(getenv(WEBSOCKET_PORT))] to Cluster::WebSocketServerOptions))
received termination signal


@ -1,8 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
Cluster::websocket_client_added, [/test/pings, /zeek/wstest/ws1/]
got ping: ping 0, 0
got ping: ping 1, 1
got ping: ping 2, 2
got ping: ping 3, 3
got ping: ping 4, 4
Cluster::websocket_client_lost


@ -1,2 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in <...>/dns-init.zeek, line 8: Remove in v8.1: DNS lookup of host literal 'google.com' is deprecated. Replace with blocking_lookup_hostname().


@ -1,5 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in <...>/fake_dns.zeek, line 8: Remove in v8.1: DNS lookup of host literal 'google.com' is deprecated. Replace with blocking_lookup_hostname().
warning in <...>/fake_dns.zeek, line 9: Remove in v8.1: DNS lookup of host literal 'bing.com' is deprecated. Replace with blocking_lookup_hostname().
warning in <...>/fake_dns.zeek, line 10: Remove in v8.1: DNS lookup of host literal 'yahoo.com' is deprecated. Replace with blocking_lookup_hostname().
received termination signal


@ -1,2 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in <...>/hostname-literal-resolve.zeek, line 11: Remove in v8.1: DNS lookup of host literal 'dns.example.com' is deprecated. Replace with blocking_lookup_hostname().


@ -1,2 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in <...>/hostname-literal-resolve.zeek, line 11: Remove in v8.1: DNS lookup of host literal 'dns.example.com' is deprecated. Replace with blocking_lookup_hostname().


@ -1,4 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
dns.example.com, {
9fb0:8c56:531e:72ee:ca2b:4c97:da18:3a6
}


@ -1 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.


@ -1,5 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
### NOTE: This file has been sorted with diff-sort.
warning in <...>/detect-protocols.zeek, line 1: deprecated script loaded from command line arguments ("frameworks<...>/detect-protocols.zeek moved to frameworks<...>/detect-protocols.zeek. Please switch to frameworks<...>/detect-protocols.zeek. Remove in 8.1")
warning in <...>/detect-sqli.zeek, line 16: deprecated script loaded from command line arguments "Remove in v8.1: Switch to the improved detect-sql-injection script"
warning in <...>/packet-segment-logging.zeek, line 1: deprecated script loaded from command line arguments ("Please switch to frameworks<...>/packet-segment-logging, which logs to analyzer.log. Remove in 8.1")


@ -10,7 +10,6 @@ dce_rpc
dhcp
dnp3
dns
dpd
files
ftp
http


@ -1,6 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in <...>/optional-and-default-field.zeek, line 10: Remove in v8.1: Using &default and &optional together results in &default behavior
warning in <...>/optional-and-default-field.zeek, line 11: Remove in v8.1: Using &default and &optional together results in &default behavior
warning in <...>/optional-and-default-field.zeek, line 12: Remove in v8.1: Using &default and &optional together results in &default behavior
warning in <...>/optional-and-default-field.zeek, line 13: Remove in v8.1: Using &default and &optional together results in &default behavior
warning in <...>/optional-and-default-field.zeek, line 14: Remove in v8.1: Using &default and &optional together results in &default behavior


@ -1,2 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
[c=5, i=-5, v=[], r0=[], r1=[]]


@ -102,7 +102,6 @@
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Conn::port_inactivity_timeouts, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (DPD::ignore_violations, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (DPD::ignore_violations_after, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (DPD::max_violations, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (DPD::track_removed_services_in_connection, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (Files::enable_reassembler, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
0.000000 MetaHookPost CallFunction(Option::set_change_handler, <frame>, (HTTP::default_capture_password, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) -> <no result>
@ -1045,7 +1044,6 @@
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Conn::port_inactivity_timeouts, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (DPD::ignore_violations, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (DPD::ignore_violations_after, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (DPD::max_violations, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (DPD::track_removed_services_in_connection, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (Files::enable_reassembler, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, <frame>, (HTTP::default_capture_password, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
@ -1987,7 +1985,6 @@
0.000000 | HookCallFunction Option::set_change_handler(Conn::port_inactivity_timeouts, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(DPD::ignore_violations, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(DPD::ignore_violations_after, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(DPD::max_violations, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(DPD::track_removed_services_in_connection, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Files::enable_reassembler, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(HTTP::default_capture_password, Config::config_option_changed: function(ID:string, new_value:any, location:string) : any{ if (<skip-config-log> == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)


@ -1,17 +1,17 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
BINDS, [query=example.net, answer_type=1, algorithm=7, key_id=32018, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=5, key_id=2196, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=15, key_id=12994, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=16, key_id=23868, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=7, key_id=37611, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=8, key_id=9551, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=5, key_id=48254, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=8, key_id=33130, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=14, key_id=15141, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=10, key_id=41675, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=10, key_id=63711, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=13, key_id=65395, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=13, key_id=31400, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=14, key_id=60289, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=15, key_id=31000, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=16, key_id=40187, removal_flag=0, complte_flag=\x01, is_query=0, complete_flag=1]
BINDS, [query=example.net, answer_type=1, algorithm=7, key_id=32018, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=5, key_id=2196, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=15, key_id=12994, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=16, key_id=23868, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=7, key_id=37611, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=8, key_id=9551, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=5, key_id=48254, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=8, key_id=33130, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=14, key_id=15141, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=10, key_id=41675, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=10, key_id=63711, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=13, key_id=65395, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=13, key_id=31400, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=14, key_id=60289, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=15, key_id=31000, removal_flag=0, complete_flag=1, is_query=0]
BINDS, [query=example.net, answer_type=1, algorithm=16, key_id=40187, removal_flag=0, complete_flag=1, is_query=0]


@ -1,11 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dpd
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
#types time string addr port addr port enum string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 tcp FTP non-numeric reply code [99 PASV invalid]
#close XXXX-XX-XX-XX-XX-XX


@ -1,11 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dpd
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
#types time string addr port addr port enum string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 tcp FTP invalid reply line [230_no_space]
#close XXXX-XX-XX-XX-XX-XX


@ -1,11 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dpd
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
#types time string addr port addr port enum string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 173.86.159.28 2152 213.72.147.186 2152 udp GTPV1 Truncated GTPv1
#close XXXX-XX-XX-XX-XX-XX


@ -1,11 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dpd
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
#types time string addr port addr port enum string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.12.5 51792 192.0.78.212 80 tcp HTTP not a http request line
#close XXXX-XX-XX-XX-XX-XX


@ -1,11 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dpd
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason
#types time string addr port addr port enum string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM NTLM AV Pair loop underflow
#close XXXX-XX-XX-XX-XX-XX


@ -1,11 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dpd
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason packet_segment
#types time string addr port addr port enum string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:470:1f05:17a6:d69a:20ff:fefd:6b88 24316 2001:6a8:a40::21 21 tcp FTP non-numeric reply code [SSH-2.0-mod_sftp/0.9.7] \xd4\x9a \xfdk\x88\x00\x80\xc8\xb9\xc2\x06\x86\xdd`\x00\x00\x00\x00t\x067 \x01\x06\xa8\x0a@\x00\x00\x00\x00\x00\x00\x00\x00\x00! \x01\x04p\x1f\x05\x17\xa6\xd6\x9a \xff\xfe\xfdk\x88\x00\x15^\xfc\x1f]\xed\x1b\xa9\x9f`\xf1P\x18\x00\x09~n\x00\x00SSH-2.0-mod_sftp/0.9.7\x0d\x0a\x00\x00\x00D\x08\x01\x00\x00\x00\x0c\x00\x00\x00)Maximum connections for host/user reached\x00\x00\x00\x05en-USI\xf8\xb9C\xae\xcf`\xc4
#close XXXX-XX-XX-XX-XX-XX


@ -1,5 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
uid method host uri tags
ClEkJM2Vm5giqnMf4h GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=1'+OR+'1'='1&Submit=Submit HTTP::URI_SQLI
C4J4Th3PJpwUYZZ6gc GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=1'+UNION+SELECT+NULL,+version()+#&Submit=Submit HTTP::URI_SQLI
CtPZjS20MLrsMUOJi2 GET 192.168.111.154 /dvwa/vulnerabilities/sqli/?id=2'+OR+'2'='2&Submit=Submit HTTP::URI_SQLI


@ -1,4 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ClEkJM2Vm5giqnMf4h, [orig_h=192.168.111.148, orig_p=53796/tcp, resp_h=192.168.111.154, resp_p=80/tcp, proto=6, ctx=[]], {\x0a\x09HTTP::URI_SQLI\x0a}
C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.111.148, orig_p=57524/tcp, resp_h=192.168.111.154, resp_p=80/tcp, proto=6, ctx=[]], {\x0a\x09HTTP::URI_SQLI\x0a}
CtPZjS20MLrsMUOJi2, [orig_h=192.168.111.148, orig_p=40112/tcp, resp_h=192.168.111.154, resp_p=80/tcp, proto=6, ctx=[]], {\x0a\x09HTTP::URI_SQLI\x0a}


@ -1,13 +0,0 @@
#
# @TEST-EXEC: zeek -b %INPUT >out
# @TEST-EXEC: btest-diff out
type myrecord: record {
ct: count;
str1: string;
};
event zeek_init()
{
print record_type_to_vector("myrecord");
}


@ -1,119 +0,0 @@
# @TEST-DOC: Disabling an unrelated event group caused auto-publish to break because the remote event had no bodies and got disabled. This is a regression test it's not being done again.
#
# Remove in v8.1 when auto_publish() is removed.
#
# @TEST-GROUP: broker
#
# @TEST-PORT: BROKER_PORT
#
# @TEST-EXEC: btest-bg-run recv "zeek -b ../recv.zeek >recv.out"
# @TEST-EXEC: btest-bg-run send "zeek -b ../send.zeek >send.out"
#
# @TEST-EXEC: btest-bg-wait 10
# @TEST-EXEC: btest-diff recv/recv.out
# @TEST-EXEC: btest-diff send/send.out
# @TEST-START-FILE send.zeek
global event_count = 0;
global ping: event(msg: string, c: count);
event zeek_init()
{
Broker::subscribe("zeek/event/my_topic");
Broker::auto_publish("zeek/event/my_topic", ping);
Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
}
function send_event()
{
event ping("my-message", ++event_count);
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("sender added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
send_event();
}
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("sender lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
terminate();
}
event pong(msg: string, n: count) &is_used
{
print fmt("sender got pong: %s, %s", msg, n);
send_event();
}
module TestDumpEvents;
event pong(msg: string, n: count) &is_used
{
print fmt("ERROR: This should not be visible: %s, %s", msg, n);
}
event zeek_init()
{
disable_module_events("TestDumpEvents");
}
# @TEST-END-FILE
# @TEST-START-FILE recv.zeek
redef exit_only_after_terminate = T;
const events_to_recv = 5;
global pong: event(msg: string, c: count);
event zeek_init()
{
Broker::subscribe("zeek/event/my_topic");
Broker::auto_publish("zeek/event/my_topic", pong);
Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("receiver added peer: endpoint=%s msg=%s",
endpoint$network$address, msg);
}
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("receiver lost peer: endpoint=%s msg=%s",
endpoint$network$address, msg);
}
event ping(msg: string, n: count) &is_used
{
print fmt("receiver got ping: %s, %s", msg, n);
if ( n == events_to_recv )
{
terminate();
return;
}
event pong(msg, n);
}
module TestDumpEvents;
event ping(msg: string, n: count) &is_used
{
print fmt("ERROR: This should not be visible: %s, %s", msg, n);
}
event zeek_init()
{
disable_module_events("TestDumpEvents");
}
# @TEST-END-FILE


@ -1,98 +0,0 @@
# Remove in v8.1 when auto_publish() is gone.
#
# @TEST-GROUP: broker
#
# @TEST-PORT: BROKER_PORT
#
# @TEST-EXEC: btest-bg-run recv "zeek -b ../recv.zeek >recv.out"
# @TEST-EXEC: btest-bg-run send "zeek -b ../send.zeek >send.out"
#
# @TEST-EXEC: btest-bg-wait 45
# @TEST-EXEC: btest-diff recv/recv.out
# @TEST-EXEC: btest-diff send/send.out
# @TEST-START-FILE send.zeek
redef exit_only_after_terminate = T;
global event_count = 0;
global ping: event(msg: string, c: count);
event zeek_init()
{
Broker::subscribe("zeek/event/my_topic");
Broker::auto_publish("zeek/event/my_topic", ping);
Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
}
function send_event()
{
event ping("my-message", ++event_count);
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("sender added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
send_event();
}
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("sender lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
terminate();
}
event pong(msg: string, n: count)
{
print fmt("sender got pong: %s, %s", msg, n);
send_event();
}
# @TEST-END-FILE
# @TEST-START-FILE recv.zeek
redef exit_only_after_terminate = T;
const events_to_recv = 5;
global handler: event(msg: string, c: count);
global auto_handler: event(msg: string, c: count);
global pong: event(msg: string, c: count);
event zeek_init()
{
Broker::subscribe("zeek/event/my_topic");
Broker::auto_publish("zeek/event/my_topic", pong);
Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("receiver added peer: endpoint=%s msg=%s",
endpoint$network$address, msg);
}
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("receiver lost peer: endpoint=%s msg=%s",
endpoint$network$address, msg);
}
event ping(msg: string, n: count)
{
print fmt("receiver got ping: %s, %s", msg, n);
if ( n == events_to_recv )
{
terminate();
return;
}
event pong(msg, n);
}
# @TEST-END-FILE


@ -1,89 +0,0 @@
# Remove in v8.1 when auto_publish() is gone.
#
# Not compatible with -O C++ testing since includes two distinct scripts.
# @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
#
# @TEST-GROUP: broker
#
# @TEST-PORT: BROKER_PORT
#
# @TEST-EXEC: btest-bg-run recv "zeek -b ../recv.zeek >recv.out"
# @TEST-EXEC: btest-bg-run send "zeek -b -r $TRACES/ticks-dns-1hr.pcap ../send.zeek >send.out"
#
# @TEST-EXEC: btest-bg-wait 45
# @TEST-EXEC: btest-diff recv/recv.out
# @TEST-EXEC: btest-diff send/send.out
# @TEST-START-FILE send.zeek
redef exit_only_after_terminate = T;
redef EventMetadata::add_network_timestamp = T;
global runs = 0;
global ping: event(msg: string, intended_ts: time);
event zeek_init()
{
suspend_processing();
Broker::subscribe("zeek/event/my_topic");
Broker::auto_publish("zeek/event/my_topic", ping);
Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("sender added peer: endpoint=%s msg=%s",
endpoint$network$address, msg);
continue_processing();
}
event new_connection(c: connection)
{
print fmt(">> Run %s (%D)", ++runs, network_time());
event ping("my-message-a", network_time());
schedule 30 mins { ping("my-message-c", network_time() + 30 mins) };
schedule 15 mins { ping("my-message-b", network_time() + 15 mins) };
}
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("sender lost peer: endpoint=%s msg=%s",
endpoint$network$address, msg);
terminate();
}
# @TEST-END-FILE
# @TEST-START-FILE recv.zeek
redef exit_only_after_terminate = T;
redef EventMetadata::add_network_timestamp = T;
global msg_count = 0;
event zeek_init()
{
Broker::subscribe("zeek/event/my_topic");
Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
}
event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
{
print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
}
event ping(msg: string, intended_ts: time) &is_used
{
if ( ++msg_count >= 10 )
{
terminate();
return;
}
print fmt("receiver got ping: %s intended for %D stamped to %D (is_remote = %s)",
msg, intended_ts, current_event_time(), is_remote_event());
}
# @TEST-END-FILE
