diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake
index 0f76c1881a..00cba8bab7 100644
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
@@ -17,15 +17,48 @@
rest_target(${psd} base/init-default.bro internal)
rest_target(${psd} base/init-bare.bro internal)
rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/analyzer.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ayiya/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/backdoor/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/bittorrent/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/conn-size/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dce-rpc/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dhcp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/dns/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/file/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/finger/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ftp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gnutella/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/gtpv1/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/http/functions.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/icmp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ident/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/interconn/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/irc/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/login/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/modbus/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ncp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/netbios-ssn/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ntp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pia/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/pop3/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/rpc/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smb/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/smtp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/socks/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssh/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/ssl/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/stepping-stone/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/syslog/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/tcp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/teredo/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/udp/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/analyzer/protocols/zip/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/functions.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/ssl/events.bif.bro)
-rest_target(${CMAKE_BINARY_DIR}/src base/protocols/syslog/events.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro)
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index bc68d0d67f..4d3e6dd917 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -133,27 +133,8 @@ set(BINPAC_AUXSRC
binpac_target(binpac-lib.pac)
binpac_target(binpac_bro-lib.pac)
-binpac_target(ayiya.pac
- ayiya-protocol.pac ayiya-analyzer.pac)
-binpac_target(bittorrent.pac
- bittorrent-protocol.pac bittorrent-analyzer.pac)
-binpac_target(dce_rpc.pac
- dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac)
-binpac_target(dce_rpc_simple.pac
- dce_rpc-protocol.pac epmapper.pac)
-binpac_target(dhcp.pac
- dhcp-protocol.pac dhcp-analyzer.pac)
-binpac_target(gtpv1.pac
- gtpv1-protocol.pac gtpv1-analyzer.pac)
-binpac_target(ncp.pac)
binpac_target(netflow.pac
netflow-protocol.pac netflow-analyzer.pac)
-binpac_target(smb.pac
- smb-protocol.pac smb-pipe.pac smb-mailslot.pac)
-binpac_target(socks.pac
- socks-protocol.pac socks-analyzer.pac)
-binpac_target(modbus.pac
- modbus-protocol.pac modbus-analyzer.pac)
########################################################################
## Including subdirectories.
@@ -233,11 +214,7 @@ set(bro_SRCS
Anon.cc
ARP.cc
Attr.cc
- AYIYA.cc
- BackDoor.cc
Base64.cc
- BitTorrent.cc
- BitTorrentTracker.cc
BPF_Program.cc
BroDoc.cc
BroDocObj.cc
@@ -247,13 +224,7 @@ set(bro_SRCS
ChunkedIO.cc
CompHash.cc
Conn.cc
- ConnSizeAnalyzer.cc
- ContentLine.cc
- DCE_RPC.cc
DFA.cc
- DHCP-binpac.cc
- DNS.cc
- DNS_Mgr.cc
DbgBreakpoint.cc
DbgHelp.cc
DbgWatch.cc
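Review bot: The 37 new rest_target() entries hand-mirror the add_subdirectory() list in src/analyzer/protocols/CMakeLists.txt and each plugin's bro_plugin_bif() call, so every future plugin needs a matching edit here or its .bif documentation silently drops out of the generated docs, and nothing in the commit ties the two lists together. A comment above the block such as `# Keep in sync with add_subdirectory() in src/analyzer/protocols/CMakeLists.txt and the bro_plugin_bif() calls of each plugin` would at least make the coupling visible; a later change could have bro_plugin_bif() record its outputs in a global property that this script reads. Note also that the events.bif files added in this commit are empty (blob e69de29bb2), so most of these targets document nothing until the TODO's "fill events.bif" item is done.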
@@ -263,45 +234,30 @@ set(bro_SRCS
Desc.cc
Dict.cc
Discard.cc
+ DNS_Mgr.cc
EquivClass.cc
Event.cc
EventHandler.cc
EventLauncher.cc
EventRegistry.cc
Expr.cc
- FTP.cc
File.cc
- FileAnalyzer.cc
- Finger.cc
FlowSrc.cc
Frag.cc
Frame.cc
Func.cc
- Gnutella.cc
- GTPv1.cc
Hash.cc
- ICMP.cc
ID.cc
- Ident.cc
IntSet.cc
- InterConn.cc
IOSource.cc
IP.cc
IPAddr.cc
- IRC.cc
List.cc
Reporter.cc
- Login.cc
MIME.cc
- Modbus.cc
- NCP.cc
NFA.cc
- NFS.cc
- NTP.cc
- NVT.cc
Net.cc
NetVar.cc
- NetbiosSSN.cc
Obj.cc
OpaqueVal.cc
OSFinger.cc
@@ -309,30 +265,20 @@ set(bro_SRCS
PacketSort.cc
PersistenceSerializer.cc
PktSrc.cc
- PIA.cc
PolicyFile.cc
- POP3.cc
- Portmap.cc
PrefixTable.cc
PriorityQueue.cc
Queue.cc
RandTest.cc
RE.cc
- RPC.cc
Reassem.cc
RemoteSerializer.cc
- Rlogin.cc
- RSH.cc
Rule.cc
RuleAction.cc
RuleCondition.cc
RuleMatcher.cc
ScriptAnaly.cc
SmithWaterman.cc
- SMB.cc
- SMTP.cc
- SOCKS.cc
- SSH.cc
Scope.cc
SerializationFormat.cc
SerialObj.cc
@@ -340,23 +286,14 @@ set(bro_SRCS
Sessions.cc
StateAccess.cc
Stats.cc
- SteppingStone.cc
Stmt.cc
- TCP.cc
- TCP_Endpoint.cc
- TCP_Reassembler.cc
- Telnet.cc
- Teredo.cc
Timer.cc
Traverse.cc
Trigger.cc
TunnelEncapsulation.cc
Type.cc
- UDP.cc
Val.cc
Var.cc
- XDR.cc
- ZIP.cc
bsd-getopt-long.c
bro_inet_ntop.c
cq.c
@@ -391,8 +328,6 @@ set(bro_SRCS
plugin/Manager.cc
plugin/Plugin.cc
- analyzer/protocols/BuiltInAnalyzers.cc
- nb_dns.c
digest.h
)
diff --git a/src/Conn.cc b/src/Conn.cc
index e476dd674b..d6fc41c0b9 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -11,7 +11,7 @@
#include "Sessions.h"
#include "Reporter.h"
#include "Timer.h"
-#include "PIA.h"
+#include "analyzer/protocols/pia/PIA.h"
#include "binpac.h"
#include "TunnelEncapsulation.h"
#include "analyzer/Analyzer.h"
diff --git a/src/Func.cc b/src/Func.cc
index 02f8dd4f29..82cd1998ce 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -38,7 +38,7 @@
#include "Func.h"
#include "Frame.h"
#include "Var.h"
-#include "Login.h"
+#include "analyzer/protocols/login/Login.h"
#include "Sessions.h"
#include "RE.h"
#include "Serializer.h"
diff --git a/src/RuleAction.cc b/src/RuleAction.cc
index 6bbd7243cd..4e279e2cab 100644
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@@ -8,7 +8,7 @@ using std::string;
#include "Conn.h"
#include "Event.h"
#include "NetVar.h"
-#include "PIA.h"
+#include "analyzer/protocols/pia/PIA.h"
#include "analyzer/Manager.h"
diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
index b31976711c..b26ed9c9f5 100644
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@@ -1,7 +1,7 @@
#include "config.h"
#include "RuleCondition.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
#include "Scope.h"
static inline bool is_established(const TCP_Endpoint* e)
diff --git a/src/Sessions.cc b/src/Sessions.cc
index dc3f54efe6..739bbbe5e7 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -16,12 +16,12 @@
#include "Reporter.h"
#include "OSFinger.h"
-#include "ICMP.h"
-#include "UDP.h"
+#include "analyzer/protocols/icmp/ICMP.h"
+#include "analyzer/protocols/udp/UDP.h"
-#include "SteppingStone.h"
-#include "BackDoor.h"
-#include "InterConn.h"
+#include "analyzer/protocols/stepping-stone/SteppingStone.h"
+#include "analyzer/protocols/backdoor/BackDoor.h"
+#include "analyzer/protocols/interconn/InterConn.h"
#include "Discard.h"
#include "RuleMatcher.h"
diff --git a/src/Sessions.h b/src/Sessions.h
index abaa8b49d0..5b87518033 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -12,6 +12,8 @@
#include "Stats.h"
#include "NetVar.h"
#include "TunnelEncapsulation.h"
+#include "analyzer/protocols/tcp/Stats.h"
+
#include
struct pcap_pkthdr;
diff --git a/src/Stats.cc b/src/Stats.cc
index 1bccb8f9be..9b839ec672 100644
--- a/src/Stats.cc
+++ b/src/Stats.cc
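Review bot: `#include "analyzer/protocols/tcp/Stats.h"` in Sessions.h introduces a second header called Stats.h three lines below the core `#include "Stats.h"`. Every new plugin CMakeLists in this commit uses `include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ...)`, so if the tcp plugin follows the same pattern (its CMakeLists is not in this chunk), a bare `#include "Stats.h"` compiled inside that directory resolves to the plugin's file instead of src/Stats.h, and if the two headers share an include-guard name one of them is silently skipped. Giving the moved header a distinct name (presumably it holds the TCPStateStats class removed from src/Stats.h in this commit), e.g. `TCP_Stats.h`, removes the ambiguity; the remaining hunks here are plain path updates.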
@@ -389,84 +389,6 @@ void SegmentProfiler::Report()
reporter->SegmentProfile(name, loc, dtime, dmem);
}
-
-TCPStateStats::TCPStateStats()
- {
- for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
- for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
- state_cnt[i][j] = 0;
- }
-
-void TCPStateStats::ChangeState(EndpointState o_prev, EndpointState o_now,
- EndpointState r_prev, EndpointState r_now)
- {
- --state_cnt[o_prev][r_prev];
- ++state_cnt[o_now][r_now];
- }
-
-void TCPStateStats::FlipState(EndpointState orig, EndpointState resp)
- {
- --state_cnt[orig][resp];
- ++state_cnt[resp][orig];
- }
-
-unsigned int TCPStateStats::NumStatePartial() const
- {
- unsigned int sum = 0;
- for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
- {
- sum += state_cnt[TCP_ENDPOINT_PARTIAL][i];
- sum += state_cnt[i][TCP_ENDPOINT_PARTIAL];
- }
-
- return sum;
- }
-
-void TCPStateStats::PrintStats(BroFile* file, const char* prefix)
- {
- file->Write(prefix);
- file->Write(" Inact. Syn. SA Part. Est. Fin. Rst.\n");
-
- for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
- {
- file->Write(prefix);
-
- switch ( i ) {
-#define STATE_STRING(state, str) \
- case state: \
- file->Write(str); \
- break;
-
- STATE_STRING(TCP_ENDPOINT_INACTIVE, "Inact.");
- STATE_STRING(TCP_ENDPOINT_SYN_SENT, "Syn. ");
- STATE_STRING(TCP_ENDPOINT_SYN_ACK_SENT, "SA ");
- STATE_STRING(TCP_ENDPOINT_PARTIAL, "Part. ");
- STATE_STRING(TCP_ENDPOINT_ESTABLISHED, "Est. ");
- STATE_STRING(TCP_ENDPOINT_CLOSED, "Fin. ");
- STATE_STRING(TCP_ENDPOINT_RESET, "Rst. ");
-
- }
-
- file->Write(" ");
-
- for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
- {
- unsigned int n = state_cnt[i][j];
- if ( n > 0 )
- {
- char buf[32];
- safe_snprintf(buf, sizeof(buf), "%-8d", state_cnt[i][j]);
- file->Write(buf);
- }
- else
- file->Write(" ");
- }
-
- file->Write("\n");
- }
- }
-
-
PacketProfiler::PacketProfiler(unsigned int mode, double freq, BroFile* arg_file) {
diff --git a/src/Stats.h b/src/Stats.h
index a11d66828a..8137ad16cf 100644
--- a/src/Stats.h
+++ b/src/Stats.h
@@ -7,9 +7,6 @@
#include
#include
-#include "TCP_Endpoint.h"
-
-
// Object called by SegmentProfiler when it is done and reports its
// cumulative CPU/memory statistics.
class SegmentStatsReporter {
@@ -121,67 +118,6 @@ extern uint64 tot_ack_bytes;
extern uint64 tot_gap_events;
extern uint64 tot_gap_bytes;
-
-// A TCPStateStats object tracks the distribution of TCP states for
-// the currently active connections.
-class TCPStateStats {
-public:
- TCPStateStats();
- ~TCPStateStats() { }
-
- void ChangeState(EndpointState o_prev, EndpointState o_now,
- EndpointState r_prev, EndpointState r_now);
- void FlipState(EndpointState orig, EndpointState resp);
-
- void StateEntered (EndpointState o_state, EndpointState r_state)
- { ++state_cnt[o_state][r_state]; }
- void StateLeft (EndpointState o_state, EndpointState r_state)
- { --state_cnt[o_state][r_state]; }
-
- unsigned int Cnt(EndpointState state) const
- { return Cnt(state, state); }
- unsigned int Cnt(EndpointState state1, EndpointState state2) const
- { return state_cnt[state1][state2]; }
-
- unsigned int NumStateEstablished() const
- { return Cnt(TCP_ENDPOINT_ESTABLISHED); }
- unsigned int NumStateHalfClose() const
- { // corresponds to S2,S3
- return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_CLOSED) +
- Cnt(TCP_ENDPOINT_CLOSED, TCP_ENDPOINT_ESTABLISHED);
- }
- unsigned int NumStateHalfRst() const
- {
- return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_RESET) +
- Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_ESTABLISHED);
- }
- unsigned int NumStateClosed() const
- { return Cnt(TCP_ENDPOINT_CLOSED); }
- unsigned int NumStateRequest() const
- {
- assert(Cnt(TCP_ENDPOINT_INACTIVE, TCP_ENDPOINT_SYN_SENT)==0);
- return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_INACTIVE);
- }
- unsigned int NumStateSuccRequest() const
- {
- return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_SYN_ACK_SENT) +
- Cnt(TCP_ENDPOINT_SYN_ACK_SENT, TCP_ENDPOINT_SYN_SENT);
- }
- unsigned int NumStateRstRequest() const
- {
- return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_RESET) +
- Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_SYN_SENT);
- }
- unsigned int NumStateInactive() const
- { return Cnt(TCP_ENDPOINT_INACTIVE); }
- unsigned int NumStatePartial() const;
-
- void PrintStats(BroFile* file, const char* prefix);
-
-private:
- unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1];
-};
-
class PacketProfiler {
public:
PacketProfiler(unsigned int mode, double freq, BroFile* arg_file);
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index c482ddd792..098535d0a9 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -4,7 +4,7 @@
#include "Analyzer.h"
#include "Manager.h"
-#include "../PIA.h"
+#include "analyzer/protocols/pia/PIA.h"
#include "../Event.h"
namespace analyzer {
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 8ac8cbf824..aba7f26a56 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -1,16 +1,17 @@
#include "Manager.h"
-#include "PIA.h"
#include "Hash.h"
-#include "ICMP.h"
-#include "UDP.h"
-#include "TCP.h"
#include "Val.h"
-#include "BackDoor.h"
-#include "InterConn.h"
-#include "SteppingStone.h"
-#include "ConnSizeAnalyzer.h"
+
+#include "analyzer/protocols/backdoor/BackDoor.h"
+#include "analyzer/protocols/conn-size/ConnSize.h"
+#include "analyzer/protocols/icmp/ICMP.h"
+#include "analyzer/protocols/interconn/InterConn.h"
+#include "analyzer/protocols/pia/PIA.h"
+#include "analyzer/protocols/stepping-stone/SteppingStone.h"
+#include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/udp/UDP.h"
#include "plugin/Manager.h"
@@ -153,15 +154,16 @@ void Manager::RegisterAnalyzerComponent(Component* component)
if ( Lookup(component->Name()) )
reporter->FatalError("Analyzer %s defined more than once", component->Name());
- DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)",
- component->Name(), component->Tag().AsString().c_str());
+ string name = to_upper(component->Name());
- analyzers_by_name.insert(std::make_pair(component->Name(), component));
+ DBG_LOG(DBG_ANALYZER, "Registering analyzer %s (tag %s)",
+ name.c_str(), component->Tag().AsString().c_str());
+
+ analyzers_by_name.insert(std::make_pair(name, component));
analyzers_by_tag.insert(std::make_pair(component->Tag(), component));
analyzers_by_val.insert(std::make_pair(component->Tag().AsEnumVal()->InternalInt(), component));
// Install enum "Analyzer::ANALYZER_*"
- string name = to_upper(component->Name());
string id = fmt("ANALYZER_%s", name.c_str());
tag_enum_type->AddName("Analyzer", id.c_str(), component->Tag().AsEnumVal()->InternalInt(), true);
}
@@ -306,7 +308,9 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, Connection* conn)
if ( ! c->Enabled() )
return 0;
- assert(c->Factory());
+ if ( ! c->Factory() )
+ reporter->InternalError("analyzer %s cannot be instantiated dynamically", GetAnalyzerName(tag));
+
Analyzer* a = c->Factory()(conn);
if ( ! a )
diff --git a/src/analyzer/protocols/BuiltInAnalyzers.cc b/src/analyzer/protocols/BuiltInAnalyzers.cc
deleted file mode 100644
index 8403b1bb25..0000000000
--- a/src/analyzer/protocols/BuiltInAnalyzers.cc
+++ /dev/null
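Review bot: The duplicate check `if ( Lookup(component->Name()) )` at the top of the hunk still uses the raw name, while analyzers_by_name is now keyed on `to_upper(component->Name())`; unless Lookup() upper-cases its argument itself (not visible here), two plugins whose names differ only in case pass the check and then collide on the map insert, whose return value is not examined. This commit registers both `"AYIYA"`-style and `"BitTorrent"`-style names, so the case is no longer hypothetical. Moving `string name = to_upper(component->Name());` above the check and testing `if ( Lookup(name.c_str()) )` (or whichever overload Lookup provides) keeps the check and the key consistent.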
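Review bot: After `reporter->InternalError(...)` in InstantiateAnalyzer the new code falls straight through to `Analyzer* a = c->Factory()(conn);`, so the null factory is still invoked unless InternalError is declared noreturn, which this hunk does not show. Adding `return 0;` directly after the InternalError call, matching the `return 0;` already used for the disabled-component case two lines above, makes the guard self-contained and independent of Reporter's implementation. The rest of the function continues outside the hunk.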
@@ -1,119 +0,0 @@
-
-// TODO: This file will eventually go away once we've converrted all
-// analyzers into separate plugins.
-
-#include "BuiltInAnalyzers.h"
-#include "analyzer/Component.h"
-
-#include "../../binpac_bro.h"
-
-#include "AYIYA.h"
-#include "BackDoor.h"
-#include "BitTorrent.h"
-#include "BitTorrentTracker.h"
-#include "Finger.h"
-#include "InterConn.h"
-#include "NTP.h"
-#include "ICMP.h"
-#include "SteppingStone.h"
-#include "IRC.h"
-#include "SMTP.h"
-#include "FTP.h"
-#include "FileAnalyzer.h"
-#include "DNS.h"
-#include "DHCP-binpac.h"
-#include "Telnet.h"
-#include "Rlogin.h"
-#include "RSH.h"
-#include "DCE_RPC.h"
-#include "Gnutella.h"
-#include "Ident.h"
-#include "Modbus.h"
-#include "NCP.h"
-#include "NetbiosSSN.h"
-#include "SMB.h"
-#include "NFS.h"
-#include "Portmap.h"
-#include "POP3.h"
-#include "SOCKS.h"
-#include "SSH.h"
-#include "Teredo.h"
-#include "ConnSizeAnalyzer.h"
-#include "GTPv1.h"
-
-using namespace analyzer;
-
-BuiltinAnalyzers builtin_analyzers;
-
-#define DEFINE_ANALYZER(name, factory) \
- AddComponent(new Component(name, factory))
-
-void BuiltinAnalyzers::Init()
- {
- SetName("Core-Analyzers");
- SetDescription("Built-in protocol analyzers");
- SetVersion(BRO_PLUGIN_VERSION_BUILTIN);
-
- DEFINE_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer);
- DEFINE_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer);
-
- DEFINE_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer);
-
- DEFINE_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer);
-
- DEFINE_ANALYZER("BITTORRENT", BitTorrent_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("BITTORRENTTRACKER", BitTorrentTracker_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("LOGIN", 0); // just a base class
- DEFINE_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("NETBIOSSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("RPC", 0);
- DEFINE_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer);
-
- DEFINE_ANALYZER("DHCP_BINPAC", DHCP_Analyzer_binpac::InstantiateAnalyzer);
- DEFINE_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer);
-
- DEFINE_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer);
-
- DEFINE_ANALYZER("FILE", File_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("TCPSTATS", TCPStats_Analyzer::InstantiateAnalyzer);
- DEFINE_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer);
-
- DEFINE_ANALYZER("CONTENTS", 0);
- DEFINE_ANALYZER("CONTENTLINE", 0);
- DEFINE_ANALYZER("NVT", 0);
- DEFINE_ANALYZER("ZIP", 0);
- DEFINE_ANALYZER("CONTENTS_DNS", 0);
- DEFINE_ANALYZER("CONTENTS_NETBIOSSSN", 0);
- DEFINE_ANALYZER("CONTENTS_NCP", 0);
- DEFINE_ANALYZER("CONTENTS_RLOGIN", 0);
- DEFINE_ANALYZER("CONTENTS_RSH", 0);
- DEFINE_ANALYZER("CONTENTS_DCE_RPC", 0);
- DEFINE_ANALYZER("CONTENTS_SMB", 0);
- DEFINE_ANALYZER("CONTENTS_RPC", 0);
- DEFINE_ANALYZER("CONTENTS_NFS", 0);
- DEFINE_ANALYZER("FTP_ADAT", 0);
- }
-
diff --git a/src/analyzer/protocols/BuiltInAnalyzers.h b/src/analyzer/protocols/BuiltInAnalyzers.h
deleted file mode 100644
index 6097bfa078..0000000000
--- a/src/analyzer/protocols/BuiltInAnalyzers.h
+++ /dev/null
@@ -1,17 +0,0 @@
-
-#ifndef ANALYZER_BUILTIN_ANALYZERS_H
-#define ANALYZER_BUILTIN_ANALYZERS_H
-
-#include "plugin/Plugin.h"
-
-namespace analyzer {
-
-class BuiltinAnalyzers : public plugin::Plugin {
-public:
- virtual void Init();
-};
-
-}
-
-
-#endif
diff --git a/src/analyzer/protocols/CMakeLists.txt b/src/analyzer/protocols/CMakeLists.txt
index 19dda0c770..9fcbbdd2d5 100644
--- a/src/analyzer/protocols/CMakeLists.txt
+++ b/src/analyzer/protocols/CMakeLists.txt
@@ -1,4 +1,37 @@
+add_subdirectory(ayiya)
+add_subdirectory(backdoor)
+add_subdirectory(bittorrent)
+add_subdirectory(conn-size)
+add_subdirectory(dce-rpc)
+add_subdir ectory(dhcp)
+add_subdirectory(dns)
+add_subdirectory(file)
+add_subdirectory(finger)
+add_subdirectory(ftp)
+add_subdirectory(gnutella)
+add_subdirectory(gtpv1)
add_subdirectory(http)
+add_subdirectory(icmp)
+add_subdirectory(ident)
+add_subdirectory(interconn)
+add_subdirectory(irc)
+add_subdirectory(login)
+add_subdirectory(modbus)
+add_subdirectory(ncp)
+add_subdirectory(netbios-ssn)
+add_subdirectory(ntp)
+add_subdirectory(pia)
+add_subdirectory(pop3)
+add_subdirectory(rpc)
+add_subdirectory(smb)
+add_subdirectory(smtp)
+add_subdirectory(socks)
+add_subdirectory(ssh)
add_subdirectory(ssl)
+add_subdirectory(stepping-stone)
add_subdirectory(syslog)
+add_subdirectory(tcp)
+add_subdirectory(teredo)
+add_subdirectory(udp)
+add_subdirectory(zip)
diff --git a/src/analyzer/protocols/TODO b/src/analyzer/protocols/TODO
new file mode 100644
index 0000000000..6168bf4686
--- /dev/null
+++ b/src/analyzer/protocols/TODO
@@ -0,0 +1,10 @@
+
+- introduce namespace into analyzers
+- fill events.bif
+- add functions.bif where needed
+- move ARP
+- move NetFlow
+- update *.h guards
+- cleanup analyzer descriptions
+- can now lower-case the analyzer name in plugin
+
diff --git a/src/AYIYA.cc b/src/analyzer/protocols/ayiya/AYIYA.cc
similarity index 100%
rename from src/AYIYA.cc
rename to src/analyzer/protocols/ayiya/AYIYA.cc
diff --git a/src/AYIYA.h b/src/analyzer/protocols/ayiya/AYIYA.h
similarity index 100%
rename from src/AYIYA.h
rename to src/analyzer/protocols/ayiya/AYIYA.h
diff --git a/src/analyzer/protocols/ayiya/CMakeLists.txt b/src/analyzer/protocols/ayiya/CMakeLists.txt
new file mode 100644
index 0000000000..8f578a763b
--- /dev/null
+++ b/src/analyzer/protocols/ayiya/CMakeLists.txt
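Review bot: The deleted BuiltInAnalyzers.cc registered names that have no obvious home in this add_subdirectory() list — `DHCP_BINPAC` (the dhcp directory now builds a file renamed from DHCP-binpac.cc), `PORTMAPPER`, `NFS`, `TELNET`, `RLOGIN`, `RSH`, `TCPSTATS`, `PIA_TCP`/`PIA_UDP` and the support analyzers `CONTENTS`, `CONTENTLINE`, `NVT`, `FTP_ADAT` and the `CONTENTS_*` family. Since Manager.cc derives the script-visible `Analyzer::ANALYZER_<NAME>` enum from the registered string, any name that is not re-registered by some Plugin.cc, or is re-registered under a different spelling, breaks scripts that reference the old identifier; only the ayiya, backdoor, bittorrent, conn-size and dce-rpc Plugin.cc files are in this chunk, so the rest cannot be checked here. A short comment at the top of this file listing which old analyzer names each non-obvious directory now hosts (rpc for PORTMAPPER/NFS, login for TELNET/RLOGIN/RSH, and so on) would make that audit possible without grepping every plugin.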
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(AYIYA)
+bro_plugin_cc(AYIYA.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/ayiya/Plugin.cc b/src/analyzer/protocols/ayiya/Plugin.cc
new file mode 100644
index 0000000000..1ec9887534
--- /dev/null
+++ b/src/analyzer/protocols/ayiya/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "AYIYA.h"
+
+BRO_PLUGIN_BEGIN(AYIYA)
+ BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer");
+ BRO_PLUGIN_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/ayiya-analyzer.pac b/src/analyzer/protocols/ayiya/ayiya-analyzer.pac
similarity index 100%
rename from src/ayiya-analyzer.pac
rename to src/analyzer/protocols/ayiya/ayiya-analyzer.pac
diff --git a/src/ayiya-protocol.pac b/src/analyzer/protocols/ayiya/ayiya-protocol.pac
similarity index 100%
rename from src/ayiya-protocol.pac
rename to src/analyzer/protocols/ayiya/ayiya-protocol.pac
diff --git a/src/ayiya.pac b/src/analyzer/protocols/ayiya/ayiya.pac
similarity index 100%
rename from src/ayiya.pac
rename to src/analyzer/protocols/ayiya/ayiya.pac
diff --git a/src/analyzer/protocols/ayiya/events.bif b/src/analyzer/protocols/ayiya/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/BackDoor.cc b/src/analyzer/protocols/backdoor/BackDoor.cc
similarity index 99%
rename from src/BackDoor.cc
rename to src/analyzer/protocols/backdoor/BackDoor.cc
index 333dc9c806..00a1319e53 100644
--- a/src/BackDoor.cc
+++ b/src/analyzer/protocols/backdoor/BackDoor.cc
@@ -5,7 +5,7 @@
#include "BackDoor.h"
#include "Event.h"
#include "Net.h"
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
BackDoorEndpoint::BackDoorEndpoint(TCP_Endpoint* e) {
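Review bot: `include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})` is directory-scoped and, because of BEFORE, lets any header in the plugin directory shadow a core header of the same name for every source compiled under it; the identical line appears in the backdoor, bittorrent, conn-size, dce-rpc and dhcp CMakeLists added by this commit, and the tcp plugin's Stats.h pulled into Sessions.h is a live example of such a name clash. If bro_plugin_begin()/bro_plugin_end() create a target, `target_include_directories(<plugin target> PRIVATE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})` scopes the paths to that target; if they only collect sources into a parent-scope variable (the BroPlugin module is not in this chunk), dropping BEFORE at least lets core headers win, since quoted includes still find plugin-local headers via the including file's directory. Either way, keep plugin header names distinct from those in src/.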
diff --git a/src/BackDoor.h b/src/analyzer/protocols/backdoor/BackDoor.h
similarity index 97%
rename from src/BackDoor.h
rename to src/analyzer/protocols/backdoor/BackDoor.h
index d3687bad0b..1865cdd1ef 100644
--- a/src/BackDoor.h
+++ b/src/analyzer/protocols/backdoor/BackDoor.h
@@ -3,10 +3,10 @@
#ifndef backdoor_h
#define backdoor_h
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
#include "Timer.h"
#include "NetVar.h"
-#include "Login.h"
+#include "analyzer/protocols/login/Login.h"
class BackDoorEndpoint {
public:
diff --git a/src/analyzer/protocols/backdoor/CMakeLists.txt b/src/analyzer/protocols/backdoor/CMakeLists.txt
new file mode 100644
index 0000000000..b065cc2c95
--- /dev/null
+++ b/src/analyzer/protocols/backdoor/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(BackDoor)
+bro_plugin_cc(BackDoor.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/backdoor/Plugin.cc b/src/analyzer/protocols/backdoor/Plugin.cc
new file mode 100644
index 0000000000..586b9ef139
--- /dev/null
+++ b/src/analyzer/protocols/backdoor/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "BackDoor.h"
+
+BRO_PLUGIN_BEGIN(BackDoor)
+ BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)");
+ BRO_PLUGIN_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/backdoor/events.bif b/src/analyzer/protocols/backdoor/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/BitTorrent.cc b/src/analyzer/protocols/bittorrent/BitTorrent.cc
similarity index 98%
rename from src/BitTorrent.cc
rename to src/analyzer/protocols/bittorrent/BitTorrent.cc
index de033cbbe7..05e9ae8fba 100644
--- a/src/BitTorrent.cc
+++ b/src/analyzer/protocols/bittorrent/BitTorrent.cc
@@ -1,7 +1,7 @@
// This code contributed by Nadi Sarrar.
#include "BitTorrent.h"
-#include "TCP_Reassembler.h"
+#include "analyzer/protocols/tcp/TCP_Reassembler.h"
BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("BITTORRENT", c)
diff --git a/src/BitTorrent.h b/src/analyzer/protocols/bittorrent/BitTorrent.h
similarity index 94%
rename from src/BitTorrent.h
rename to src/analyzer/protocols/bittorrent/BitTorrent.h
index 6c1ef677e1..0a36442ab9 100644
--- a/src/BitTorrent.h
+++ b/src/analyzer/protocols/bittorrent/BitTorrent.h
@@ -3,7 +3,7 @@
#ifndef bittorrent_h
#define bittorrent_h
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
#include "bittorrent_pac.h"
diff --git a/src/BitTorrentTracker.cc b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc
similarity index 99%
rename from src/BitTorrentTracker.cc
rename to src/analyzer/protocols/bittorrent/BitTorrentTracker.cc
index 81b97f44d4..cf8dcff6ba 100644
--- a/src/BitTorrentTracker.cc
+++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.cc
@@ -1,7 +1,7 @@
// This code contributed by Nadi Sarrar.
#include "BitTorrentTracker.h"
-#include "TCP_Reassembler.h"
+#include "analyzer/protocols/tcp/TCP_Reassembler.h"
#include
#include
diff --git a/src/BitTorrentTracker.h b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h
similarity index 98%
rename from src/BitTorrentTracker.h
rename to src/analyzer/protocols/bittorrent/BitTorrentTracker.h
index 41a902befa..70f3004acb 100644
--- a/src/BitTorrentTracker.h
+++ b/src/analyzer/protocols/bittorrent/BitTorrentTracker.h
@@ -3,7 +3,7 @@
#ifndef bittorrenttracker_h
#define bittorrenttracker_h
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
#define BTTRACKER_BUF 2048
diff --git a/src/analyzer/protocols/bittorrent/CMakeLists.txt b/src/analyzer/protocols/bittorrent/CMakeLists.txt
new file mode 100644
index 0000000000..5a3f9372bb
--- /dev/null
+++ b/src/analyzer/protocols/bittorrent/CMakeLists.txt
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(BitTorrent)
+bro_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/bittorrent/Plugin.cc b/src/analyzer/protocols/bittorrent/Plugin.cc
new file mode 100644
index 0000000000..c028956ce9
--- /dev/null
+++ b/src/analyzer/protocols/bittorrent/Plugin.cc
@@ -0,0 +1,12 @@
+
+#include "plugin/Plugin.h"
+
+#include "BitTorrent.h"
+#include "BitTorrentTracker.h"
+
+BRO_PLUGIN_BEGIN(BitTorrent)
+ BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer");
+ BRO_PLUGIN_ANALYZER("BitTorrent", BitTorrent_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_ANALYZER("BitTorrentTracker", BitTorrentTracker_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/bittorrent-analyzer.pac b/src/analyzer/protocols/bittorrent/bittorrent-analyzer.pac
similarity index 100%
rename from src/bittorrent-analyzer.pac
rename to src/analyzer/protocols/bittorrent/bittorrent-analyzer.pac
diff --git a/src/bittorrent-protocol.pac b/src/analyzer/protocols/bittorrent/bittorrent-protocol.pac
similarity index 100%
rename from src/bittorrent-protocol.pac
rename to src/analyzer/protocols/bittorrent/bittorrent-protocol.pac
diff --git a/src/bittorrent.pac b/src/analyzer/protocols/bittorrent/bittorrent.pac
similarity index 100%
rename from src/bittorrent.pac
rename to src/analyzer/protocols/bittorrent/bittorrent.pac
diff --git a/src/analyzer/protocols/bittorrent/events.bif b/src/analyzer/protocols/bittorrent/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/conn-size/CMakeLists.txt b/src/analyzer/protocols/conn-size/CMakeLists.txt
new file mode 100644
index 0000000000..e5edd9c947
--- /dev/null
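Review bot: `BRO_PLUGIN_ANALYZER("BitTorrent", ...)` and `"BitTorrentTracker"` register mixed-case names, while BitTorrent.cc in this same commit still constructs `TCP_ApplicationAnalyzer("BITTORRENT", c)` and every other plugin here (AYIYA, BACKDOOR, CONNSIZE, DCE_RPC) keeps the old upper-case spelling. Manager::RegisterAnalyzerComponent now upper-cases the registered name, so the component table and the `Analyzer::ANALYZER_*` enum come out right, but the string handed to the analyzer constructor is not upper-cased anywhere visible in this chunk, so any lookup keyed on it would miss; dce-rpc has the same mismatch in miniature with `BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC")` replacing the former `CONTENTS_DCE_RPC`. Until the TODO item "can now lower-case the analyzer name in plugin" is carried through consistently, registering `"BITTORRENT"` and `"BITTORRENTTRACKER"` here keeps the two spellings identical and avoids relying on the upper-casing in a single code path.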
+++ b/src/analyzer/protocols/conn-size/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(ConnSize)
+bro_plugin_cc(ConnSize.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/ConnSizeAnalyzer.cc b/src/analyzer/protocols/conn-size/ConnSize.cc
similarity index 96%
rename from src/ConnSizeAnalyzer.cc
rename to src/analyzer/protocols/conn-size/ConnSize.cc
index 82672dba7c..a5a401a816 100644
--- a/src/ConnSizeAnalyzer.cc
+++ b/src/analyzer/protocols/conn-size/ConnSize.cc
@@ -3,8 +3,8 @@
// See ConnSize.h for more extensive comments.
-#include "ConnSizeAnalyzer.h"
-#include "TCP.h"
+#include "ConnSize.h"
+#include "analyzer/protocols/tcp/TCP.h"
diff --git a/src/ConnSizeAnalyzer.h b/src/analyzer/protocols/conn-size/ConnSize.h
similarity index 100%
rename from src/ConnSizeAnalyzer.h
rename to src/analyzer/protocols/conn-size/ConnSize.h
diff --git a/src/analyzer/protocols/conn-size/Plugin.cc b/src/analyzer/protocols/conn-size/Plugin.cc
new file mode 100644
index 0000000000..7520d9b7b5
--- /dev/null
+++ b/src/analyzer/protocols/conn-size/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "ConnSize.h"
+
+BRO_PLUGIN_BEGIN(ConnSize)
+ BRO_PLUGIN_DESCRIPTION("Connection size analyzer");
+ BRO_PLUGIN_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/conn-size/events.bif b/src/analyzer/protocols/conn-size/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/dce-rpc/CMakeLists.txt b/src/analyzer/protocols/dce-rpc/CMakeLists.txt
new file mode 100644
index 0000000000..61e6170640
--- /dev/null
+++ b/src/analyzer/protocols/dce-rpc/CMakeLists.txt
@@ -0,0 +1,11 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(DCE_RPC) +bro_plugin_cc(DCE_RPC.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(dce_rpc.pac dce_rpc-protocol.pac dce_rpc-analyzer.pac) +bro_plugin_pac(dce_rpc_simple.pac dce_rpc-protocol.pac epmapper.pac) +bro_plugin_end() diff --git a/src/DCE_RPC.cc b/src/analyzer/protocols/dce-rpc/DCE_RPC.cc similarity index 100% rename from src/DCE_RPC.cc rename to src/analyzer/protocols/dce-rpc/DCE_RPC.cc diff --git a/src/DCE_RPC.h b/src/analyzer/protocols/dce-rpc/DCE_RPC.h similarity index 99% rename from src/DCE_RPC.h rename to src/analyzer/protocols/dce-rpc/DCE_RPC.h index 61de358dbd..7ad3cd1e13 100644 --- a/src/DCE_RPC.h +++ b/src/analyzer/protocols/dce-rpc/DCE_RPC.h @@ -7,7 +7,7 @@ // Windows systems) and shouldn't be considered as stable. #include "NetVar.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "IPAddr.h" #include "dce_rpc_simple_pac.h" diff --git a/src/analyzer/protocols/dce-rpc/Plugin.cc b/src/analyzer/protocols/dce-rpc/Plugin.cc new file mode 100644 index 0000000000..b818806076 --- /dev/null +++ b/src/analyzer/protocols/dce-rpc/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "DCE_RPC.h" + +BRO_PLUGIN_BEGIN(DCE_RPC) + BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer"); + BRO_PLUGIN_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/dce_rpc-analyzer.pac b/src/analyzer/protocols/dce-rpc/dce_rpc-analyzer.pac similarity index 100% rename from src/dce_rpc-analyzer.pac rename to src/analyzer/protocols/dce-rpc/dce_rpc-analyzer.pac diff --git a/src/dce_rpc-protocol.pac b/src/analyzer/protocols/dce-rpc/dce_rpc-protocol.pac similarity index 100% rename from src/dce_rpc-protocol.pac rename to src/analyzer/protocols/dce-rpc/dce_rpc-protocol.pac 
diff --git a/src/dce_rpc.pac b/src/analyzer/protocols/dce-rpc/dce_rpc.pac
similarity index 100%
rename from src/dce_rpc.pac
rename to src/analyzer/protocols/dce-rpc/dce_rpc.pac
diff --git a/src/dce_rpc_simple.pac b/src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac
similarity index 100%
rename from src/dce_rpc_simple.pac
rename to src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac
diff --git a/src/epmapper.pac b/src/analyzer/protocols/dce-rpc/epmapper.pac
similarity index 100%
rename from src/epmapper.pac
rename to src/analyzer/protocols/dce-rpc/epmapper.pac
diff --git a/src/analyzer/protocols/dce-rpc/events.bif b/src/analyzer/protocols/dce-rpc/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/dhcp/CMakeLists.txt b/src/analyzer/protocols/dhcp/CMakeLists.txt
new file mode 100644
index 0000000000..f4552b666a
--- /dev/null
+++ b/src/analyzer/protocols/dhcp/CMakeLists.txt
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(DHCP)
+bro_plugin_cc(DHCP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac)
+bro_plugin_end()
diff --git a/src/DHCP-binpac.cc b/src/analyzer/protocols/dhcp/DHCP.cc
similarity index 54%
rename from src/DHCP-binpac.cc
rename to src/analyzer/protocols/dhcp/DHCP.cc
index d2847966ae..a590db19ca 100644
--- a/src/DHCP-binpac.cc
+++ b/src/analyzer/protocols/dhcp/DHCP.cc
@@ -1,22 +1,23 @@ -#include "DHCP-binpac.h" -DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn) +#include "DHCP.h" + +DHCP_Analyzer::DHCP_Analyzer(Connection* conn) : Analyzer("DHCP", conn) { interp = new binpac::DHCP::DHCP_Conn(this); } -DHCP_Analyzer_binpac::~DHCP_Analyzer_binpac() +DHCP_Analyzer::~DHCP_Analyzer() { delete interp; } -void DHCP_Analyzer_binpac::Done() +void DHCP_Analyzer::Done() { Analyzer::Done(); } -void DHCP_Analyzer_binpac::DeliverPacket(int len, const u_char* data, +void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); diff --git a/src/DHCP-binpac.h b/src/analyzer/protocols/dhcp/DHCP.h similarity index 63% rename from src/DHCP-binpac.h rename to src/analyzer/protocols/dhcp/DHCP.h index 4b59ac15b2..5c12e52cc5 100644 --- a/src/DHCP-binpac.h +++ b/src/analyzer/protocols/dhcp/DHCP.h @@ -1,22 +1,21 @@ #ifndef dhcp_binpac_h #define dhcp_binpac_h -#include "UDP.h" +#include "analyzer/protocols/udp/UDP.h" #include "dhcp_pac.h" - -class DHCP_Analyzer_binpac : public analyzer::Analyzer { +class DHCP_Analyzer : public analyzer::Analyzer { public: - DHCP_Analyzer_binpac(Connection* conn); - virtual ~DHCP_Analyzer_binpac(); + DHCP_Analyzer(Connection* conn); + virtual ~DHCP_Analyzer(); virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen); static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) - { return new DHCP_Analyzer_binpac(conn); } + { return new DHCP_Analyzer(conn); } protected: binpac::DHCP::DHCP_Conn* interp; diff --git a/src/analyzer/protocols/dhcp/Plugin.cc b/src/analyzer/protocols/dhcp/Plugin.cc new file mode 100644 index 0000000000..32225d5bec --- /dev/null +++ b/src/analyzer/protocols/dhcp/Plugin.cc 
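Review bot: The include guard in DHCP.h is still `dhcp_binpac_h` although the header is now DHCP.h and the class is now `DHCP_Analyzer`; rename it to match the file, `#ifndef dhcp_h` / `#define dhcp_h`, so the guard stays discoverable by file name and cannot be mistaken for a leftover of the old binpac-only header. The dropped `_binpac` suffix presumably existed to distinguish this class from an earlier hand-written DHCP analyzer of the same name; this commit shows only the rename, so confirm no other translation unit still defines a `DHCP_Analyzer`, otherwise the two collide at link time. The body of `DHCP_Analyzer::DeliverPacket` continues outside the hunk, so the hand-off of the datagram to `interp` is not reviewed here.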
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "DHCP.h"
+
+BRO_PLUGIN_BEGIN(DHCP)
+ BRO_PLUGIN_DESCRIPTION("DHCP Analyzer");
+ BRO_PLUGIN_ANALYZER("DHCP", DHCP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/dhcp-analyzer.pac b/src/analyzer/protocols/dhcp/dhcp-analyzer.pac
similarity index 100%
rename from src/dhcp-analyzer.pac
rename to src/analyzer/protocols/dhcp/dhcp-analyzer.pac
diff --git a/src/dhcp-protocol.pac b/src/analyzer/protocols/dhcp/dhcp-protocol.pac
similarity index 100%
rename from src/dhcp-protocol.pac
rename to src/analyzer/protocols/dhcp/dhcp-protocol.pac
diff --git a/src/dhcp.pac b/src/analyzer/protocols/dhcp/dhcp.pac
similarity index 100%
rename from src/dhcp.pac
rename to src/analyzer/protocols/dhcp/dhcp.pac
diff --git a/src/analyzer/protocols/dhcp/events.bif b/src/analyzer/protocols/dhcp/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/dns/CMakeLists.txt b/src/analyzer/protocols/dns/CMakeLists.txt
new file mode 100644
index 0000000000..38a4cedd03
--- /dev/null
+++ b/src/analyzer/protocols/dns/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(DNS)
+bro_plugin_cc(DNS.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/DNS.cc b/src/analyzer/protocols/dns/DNS.cc
similarity index 100%
rename from src/DNS.cc
rename to src/analyzer/protocols/dns/DNS.cc
diff --git a/src/DNS.h b/src/analyzer/protocols/dns/DNS.h
similarity index 99%
rename from src/DNS.h
rename to src/analyzer/protocols/dns/DNS.h
index 7a342dc757..ca87f862c0 100644
--- a/src/DNS.h
+++ b/src/analyzer/protocols/dns/DNS.h
@@ -3,7 +3,7 @@
 #ifndef dns_h
 #define dns_h
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "binpac_bro.h"
 typedef enum {
diff --git a/src/analyzer/protocols/dns/Plugin.cc b/src/analyzer/protocols/dns/Plugin.cc
new file mode 100644
index 0000000000..6bd4415f0e
--- /dev/null
+++ b/src/analyzer/protocols/dns/Plugin.cc
@@ -0,0 +1,11 @@
+
+#include "plugin/Plugin.h"
+
+#include "DNS.h"
+
+BRO_PLUGIN_BEGIN(DNS)
+ BRO_PLUGIN_DESCRIPTION("DNS Analyzer");
+ BRO_PLUGIN_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS");
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/dns/events.bif b/src/analyzer/protocols/dns/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/file/CMakeLists.txt b/src/analyzer/protocols/file/CMakeLists.txt
new file mode 100644
index 0000000000..924aadd406
--- /dev/null
+++ b/src/analyzer/protocols/file/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(File)
+bro_plugin_cc(File.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/FileAnalyzer.cc b/src/analyzer/protocols/file/File.cc
similarity index 98%
rename from src/FileAnalyzer.cc
rename to src/analyzer/protocols/file/File.cc
index 9663d51260..664e0a8c4c 100644
--- a/src/FileAnalyzer.cc
+++ b/src/analyzer/protocols/file/File.cc
@@ -1,6 +1,6 @@
 #include
-#include "FileAnalyzer.h"
+#include "File.h"
 #include "Reporter.h"
 #include "util.h"
diff --git a/src/FileAnalyzer.h b/src/analyzer/protocols/file/File.h
similarity index 93%
rename from src/FileAnalyzer.h
rename to src/analyzer/protocols/file/File.h
index 1d2a956ef2..ae55a34885 100644
--- a/src/FileAnalyzer.h
+++ b/src/analyzer/protocols/file/File.h
@@ -3,7 +3,7 @@
 #ifndef FILEANALYZER_H
 #define FILEANALYZER_H
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include
diff --git a/src/analyzer/protocols/file/Plugin.cc b/src/analyzer/protocols/file/Plugin.cc
new file mode 100644
index 0000000000..a5868e0d7e
--- /dev/null +++ b/src/analyzer/protocols/file/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "./File.h" + +BRO_PLUGIN_BEGIN(File) + BRO_PLUGIN_DESCRIPTION("Generic File Analyzer"); + BRO_PLUGIN_ANALYZER("File", File_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/file/events.bif b/src/analyzer/protocols/file/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/finger/CMakeLists.txt b/src/analyzer/protocols/finger/CMakeLists.txt new file mode 100644 index 0000000000..f51f892390 --- /dev/null +++ b/src/analyzer/protocols/finger/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Finger) +bro_plugin_cc(Finger.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/Finger.cc b/src/analyzer/protocols/finger/Finger.cc similarity index 97% rename from src/Finger.cc rename to src/analyzer/protocols/finger/Finger.cc index 35809194d4..cdebed9bb9 100644 --- a/src/Finger.cc +++ b/src/analyzer/protocols/finger/Finger.cc @@ -7,7 +7,7 @@ #include "NetVar.h" #include "Finger.h" #include "Event.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" Finger_Analyzer::Finger_Analyzer(Connection* conn) : TCP_ApplicationAnalyzer("FINGER", conn) diff --git a/src/Finger.h b/src/analyzer/protocols/finger/Finger.h similarity index 93% rename from src/Finger.h rename to src/analyzer/protocols/finger/Finger.h index 0be0c0eb19..f069daa8c7 100644 --- a/src/Finger.h +++ b/src/analyzer/protocols/finger/Finger.h @@ -3,7 +3,7 @@ #ifndef finger_h #define finger_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" class ContentLine_Analyzer; diff --git a/src/analyzer/protocols/finger/Plugin.cc b/src/analyzer/protocols/finger/Plugin.cc new file mode 100644 index 0000000000..98fd1f5985 --- /dev/null 
+++ b/src/analyzer/protocols/finger/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "Finger.h" + +BRO_PLUGIN_BEGIN(Finger) + BRO_PLUGIN_DESCRIPTION("Finger Analyzer"); + BRO_PLUGIN_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/finger/events.bif b/src/analyzer/protocols/finger/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/ftp/CMakeLists.txt b/src/analyzer/protocols/ftp/CMakeLists.txt new file mode 100644 index 0000000000..b8b2e1bb3e --- /dev/null +++ b/src/analyzer/protocols/ftp/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(FTP) +bro_plugin_cc(FTP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/FTP.cc b/src/analyzer/protocols/ftp/FTP.cc similarity index 99% rename from src/FTP.cc rename to src/analyzer/protocols/ftp/FTP.cc index a0cc25292c..b371099c01 100644 --- a/src/FTP.cc +++ b/src/analyzer/protocols/ftp/FTP.cc @@ -6,10 +6,10 @@ #include "NetVar.h" #include "FTP.h" -#include "NVT.h" #include "Event.h" #include "Base64.h" #include "analyzer/Manager.h" +#include "analyzer/protocols/login/NVT.h" FTP_Analyzer::FTP_Analyzer(Connection* conn) : TCP_ApplicationAnalyzer("FTP", conn) diff --git a/src/FTP.h b/src/analyzer/protocols/ftp/FTP.h similarity index 94% rename from src/FTP.h rename to src/analyzer/protocols/ftp/FTP.h index 19393fc5aa..aaecfb98f1 100644 --- a/src/FTP.h +++ b/src/analyzer/protocols/ftp/FTP.h @@ -3,8 +3,8 @@ #ifndef ftp_h #define ftp_h -#include "NVT.h" -#include "TCP.h" +#include "analyzer/protocols/login/NVT.h" +#include "analyzer/protocols/tcp/TCP.h" class FTP_Analyzer : public TCP_ApplicationAnalyzer { public: 
diff --git a/src/analyzer/protocols/ftp/Plugin.cc b/src/analyzer/protocols/ftp/Plugin.cc
new file mode 100644
index 0000000000..2a250b97ee
--- /dev/null
+++ b/src/analyzer/protocols/ftp/Plugin.cc
@@ -0,0 +1,11 @@
+
+#include "plugin/Plugin.h"
+
+#include "FTP.h"
+
+BRO_PLUGIN_BEGIN(FTP)
+ BRO_PLUGIN_DESCRIPTION("FTP Analyzer");
+ BRO_PLUGIN_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT");
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/ftp/events.bif b/src/analyzer/protocols/ftp/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/gnutella/CMakeLists.txt b/src/analyzer/protocols/gnutella/CMakeLists.txt
new file mode 100644
index 0000000000..7418ab46ba
--- /dev/null
+++ b/src/analyzer/protocols/gnutella/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Gnutella)
+bro_plugin_cc(Gnutella.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/Gnutella.cc b/src/analyzer/protocols/gnutella/Gnutella.cc
similarity index 99%
rename from src/Gnutella.cc
rename to src/analyzer/protocols/gnutella/Gnutella.cc
index 9cfab4ff1a..bf2be877c0 100644
--- a/src/Gnutella.cc
+++ b/src/analyzer/protocols/gnutella/Gnutella.cc
@@ -9,7 +9,7 @@
 #include "NetVar.h"
 #include "Gnutella.h"
 #include "Event.h"
-#include "PIA.h"
+#include "analyzer/protocols/pia/PIA.h"
 #include "analyzer/Manager.h"
 GnutellaMsgState::GnutellaMsgState()
diff --git a/src/Gnutella.h b/src/analyzer/protocols/gnutella/Gnutella.h
similarity index 97%
rename from src/Gnutella.h
rename to src/analyzer/protocols/gnutella/Gnutella.h
index 2dd2a2ad12..085d4fbf56 100644
--- a/src/Gnutella.h
+++ b/src/analyzer/protocols/gnutella/Gnutella.h
@@ -3,7 +3,7 @@
 #ifndef gnutella_h
 #define gnutella_h
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #define ORIG_OK 0x1
 #define RESP_OK 0x2
diff --git a/src/analyzer/protocols/gnutella/Plugin.cc b/src/analyzer/protocols/gnutella/Plugin.cc
new file mode 100644
index 0000000000..6cc0b02771
--- /dev/null
+++ b/src/analyzer/protocols/gnutella/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "Gnutella.h"
+
+BRO_PLUGIN_BEGIN(Gnutella)
+ BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer");
+ BRO_PLUGIN_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/gnutella/events.bif b/src/analyzer/protocols/gnutella/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/gtpv1/CMakeLists.txt b/src/analyzer/protocols/gtpv1/CMakeLists.txt
new file mode 100644
index 0000000000..e414876df5
--- /dev/null
+++ b/src/analyzer/protocols/gtpv1/CMakeLists.txt
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(GTPV1)
+bro_plugin_cc(GTPv1.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac)
+bro_plugin_end()
diff --git a/src/GTPv1.cc b/src/analyzer/protocols/gtpv1/GTPv1.cc
similarity index 100%
rename from src/GTPv1.cc
rename to src/analyzer/protocols/gtpv1/GTPv1.cc
diff --git a/src/GTPv1.h b/src/analyzer/protocols/gtpv1/GTPv1.h
similarity index 100%
rename from src/GTPv1.h
rename to src/analyzer/protocols/gtpv1/GTPv1.h
diff --git a/src/analyzer/protocols/gtpv1/Plugin.cc b/src/analyzer/protocols/gtpv1/Plugin.cc
new file mode 100644
index 0000000000..caa9755828
--- /dev/null
+++ b/src/analyzer/protocols/gtpv1/Plugin.cc
@@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "GTPv1.h" + +BRO_PLUGIN_BEGIN(GTPV1) + BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer"); + BRO_PLUGIN_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/gtpv1/events.bif b/src/analyzer/protocols/gtpv1/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/gtpv1-analyzer.pac b/src/analyzer/protocols/gtpv1/gtpv1-analyzer.pac similarity index 100% rename from src/gtpv1-analyzer.pac rename to src/analyzer/protocols/gtpv1/gtpv1-analyzer.pac diff --git a/src/gtpv1-protocol.pac b/src/analyzer/protocols/gtpv1/gtpv1-protocol.pac similarity index 100% rename from src/gtpv1-protocol.pac rename to src/analyzer/protocols/gtpv1/gtpv1-protocol.pac diff --git a/src/gtpv1.pac b/src/analyzer/protocols/gtpv1/gtpv1.pac similarity index 100% rename from src/gtpv1.pac rename to src/analyzer/protocols/gtpv1/gtpv1.pac diff --git a/src/analyzer/protocols/http/HTTP.h b/src/analyzer/protocols/http/HTTP.h index 66cdf091bf..dae8fc1dcf 100644 --- a/src/analyzer/protocols/http/HTTP.h +++ b/src/analyzer/protocols/http/HTTP.h @@ -3,15 +3,16 @@ #ifndef http_h #define http_h -#include "TCP.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/tcp/ContentLine.h" +#include "analyzer/protocols/zip/ZIP.h" #include "MIME.h" #include "binpac_bro.h" -#include "ZIP.h" #include "IPAddr.h" -#include "HTTP.h" #include "events.bif.h" +#include "HTTP.h" + enum CHUNKED_TRANSFER_STATE { NON_CHUNKED_TRANSFER, BEFORE_CHUNK, diff --git a/src/analyzer/protocols/icmp/CMakeLists.txt b/src/analyzer/protocols/icmp/CMakeLists.txt new file mode 100644 index 0000000000..e867bac238 --- /dev/null +++ b/src/analyzer/protocols/icmp/CMakeLists.txt 
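Review bot: HTTP.h still includes `events.bif.h` by bare name while every other cross-directory header in this commit is now referenced by its full `analyzer/protocols/...` path. Each plugin directory here ships its own `events.bif`, so each presumably generates its own `events.bif.h` into its binary dir, and with the per-directory `include_directories(BEFORE …)` a bare include inside a header resolves against whichever plugin's translation unit is being compiled; if any other analyzer includes HTTP.h it will silently pick up that plugin's event declarations instead of HTTP's, with no compiler error to flag the mix-up. Include it by full path, `#include "analyzer/protocols/http/events.bif.h"` (assuming the build-tree `src` root is on the include path), or give the generated headers plugin-specific names. Separately, the `#include "HTTP.h"` inside HTTP.h is a self-include that the `http_h` guard turns into a no-op; the commit moves it below `events.bif.h`, but it should simply be dropped.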
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(ICMP)
+bro_plugin_cc(ICMP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/ICMP.cc b/src/analyzer/protocols/icmp/ICMP.cc
similarity index 100%
rename from src/ICMP.cc
rename to src/analyzer/protocols/icmp/ICMP.cc
diff --git a/src/ICMP.h b/src/analyzer/protocols/icmp/ICMP.h
similarity index 100%
rename from src/ICMP.h
rename to src/analyzer/protocols/icmp/ICMP.h
diff --git a/src/analyzer/protocols/icmp/Plugin.cc b/src/analyzer/protocols/icmp/Plugin.cc
new file mode 100644
index 0000000000..517b243e24
--- /dev/null
+++ b/src/analyzer/protocols/icmp/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "ICMP.h"
+
+BRO_PLUGIN_BEGIN(ICMP)
+ BRO_PLUGIN_DESCRIPTION("ICMP Analyzer");
+ BRO_PLUGIN_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/icmp/events.bif b/src/analyzer/protocols/icmp/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/ident/CMakeLists.txt b/src/analyzer/protocols/ident/CMakeLists.txt
new file mode 100644
index 0000000000..a8d4102a58
--- /dev/null
+++ b/src/analyzer/protocols/ident/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Ident)
+bro_plugin_cc(Ident.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/Ident.cc b/src/analyzer/protocols/ident/Ident.cc
similarity index 100%
rename from src/Ident.cc
rename to src/analyzer/protocols/ident/Ident.cc
diff --git a/src/Ident.h b/src/analyzer/protocols/ident/Ident.h
similarity index 90%
rename from src/Ident.h
rename to src/analyzer/protocols/ident/Ident.h
index ffc927a73c..95383429ce 100644
--- a/src/Ident.h
+++ b/src/analyzer/protocols/ident/Ident.h
@@ -3,8 +3,8 @@ #ifndef ident_h #define ident_h -#include "TCP.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/tcp/ContentLine.h" class Ident_Analyzer : public TCP_ApplicationAnalyzer { public: diff --git a/src/analyzer/protocols/ident/Plugin.cc b/src/analyzer/protocols/ident/Plugin.cc new file mode 100644 index 0000000000..2c7ea208cd --- /dev/null +++ b/src/analyzer/protocols/ident/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "Ident.h" + +BRO_PLUGIN_BEGIN(Ident) + BRO_PLUGIN_DESCRIPTION("Ident Analyzer"); + BRO_PLUGIN_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ident/events.bif b/src/analyzer/protocols/ident/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/interconn/CMakeLists.txt b/src/analyzer/protocols/interconn/CMakeLists.txt new file mode 100644 index 0000000000..6a5ae1f3fe --- /dev/null +++ b/src/analyzer/protocols/interconn/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(InterConn) +bro_plugin_cc(InterConn.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/InterConn.cc b/src/analyzer/protocols/interconn/InterConn.cc similarity index 99% rename from src/InterConn.cc rename to src/analyzer/protocols/interconn/InterConn.cc index 65e814a962..70860a6532 100644 --- a/src/InterConn.cc +++ b/src/analyzer/protocols/interconn/InterConn.cc @@ -5,7 +5,7 @@ #include "InterConn.h" #include "Event.h" #include "Net.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" InterConnEndpoint::InterConnEndpoint(TCP_Endpoint* e) { 
diff --git a/src/InterConn.h b/src/analyzer/protocols/interconn/InterConn.h
similarity index 97%
rename from src/InterConn.h
rename to src/analyzer/protocols/interconn/InterConn.h
index 741bea45ba..9ee73d2ae8 100644
--- a/src/InterConn.h
+++ b/src/analyzer/protocols/interconn/InterConn.h
@@ -3,7 +3,7 @@
 #ifndef interconn_h
 #define interconn_h
-#include "TCP.h"
+#include "analyzer/protocols/tcp/TCP.h"
 #include "Timer.h"
 #include "NetVar.h"
diff --git a/src/analyzer/protocols/interconn/Plugin.cc b/src/analyzer/protocols/interconn/Plugin.cc
new file mode 100644
index 0000000000..ba80cf52af
--- /dev/null
+++ b/src/analyzer/protocols/interconn/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "InterConn.h"
+
+BRO_PLUGIN_BEGIN(InterConn)
+ BRO_PLUGIN_DESCRIPTION("InterConn Analyzer (deprecated)");
+ BRO_PLUGIN_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/interconn/events.bif b/src/analyzer/protocols/interconn/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/irc/CMakeLists.txt b/src/analyzer/protocols/irc/CMakeLists.txt
new file mode 100644
index 0000000000..2e7ed7616b
--- /dev/null
+++ b/src/analyzer/protocols/irc/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(IRC)
+bro_plugin_cc(IRC.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/IRC.cc b/src/analyzer/protocols/irc/IRC.cc
similarity index 99%
rename from src/IRC.cc
rename to src/analyzer/protocols/irc/IRC.cc
index e778023553..2411efbabb 100644
--- a/src/IRC.cc
+++ b/src/analyzer/protocols/irc/IRC.cc
@@ -2,10 +2,10 @@ #include #include "IRC.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" #include "NetVar.h" #include "Event.h" -#include "ZIP.h" +#include "analyzer/protocols/zip/ZIP.h" #include "analyzer/Manager.h" diff --git a/src/IRC.h b/src/analyzer/protocols/irc/IRC.h similarity index 97% rename from src/IRC.h rename to src/analyzer/protocols/irc/IRC.h index 6a78bad025..17b91f51e5 100644 --- a/src/IRC.h +++ b/src/analyzer/protocols/irc/IRC.h @@ -2,7 +2,7 @@ #ifndef irc_h #define irc_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" /** * \brief Main class for analyzing IRC traffic. diff --git a/src/analyzer/protocols/irc/Plugin.cc b/src/analyzer/protocols/irc/Plugin.cc new file mode 100644 index 0000000000..bb6ade5f1f --- /dev/null +++ b/src/analyzer/protocols/irc/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "IRC.h" + +BRO_PLUGIN_BEGIN(IRC) + BRO_PLUGIN_DESCRIPTION("IRC Analyzer"); + BRO_PLUGIN_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/irc/events.bif b/src/analyzer/protocols/irc/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/login/CMakeLists.txt b/src/analyzer/protocols/login/CMakeLists.txt new file mode 100644 index 0000000000..219c249d5e --- /dev/null +++ b/src/analyzer/protocols/login/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Login) +bro_plugin_cc(Login.cc RSH.cc Telnet.cc Rlogin.cc NVT.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/Login.cc b/src/analyzer/protocols/login/Login.cc similarity index 100% rename from src/Login.cc rename to src/analyzer/protocols/login/Login.cc 
diff --git a/src/Login.h b/src/analyzer/protocols/login/Login.h similarity index 98% rename from src/Login.h rename to src/analyzer/protocols/login/Login.h index 6337738e7d..67b6a3c094 100644 --- a/src/Login.h +++ b/src/analyzer/protocols/login/Login.h @@ -3,7 +3,7 @@ #ifndef login_h #define login_h -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" typedef enum { LOGIN_STATE_AUTHENTICATE, // trying to authenticate diff --git a/src/NVT.cc b/src/analyzer/protocols/login/NVT.cc similarity index 99% rename from src/NVT.cc rename to src/analyzer/protocols/login/NVT.cc index 641ad211e4..d51d562bd5 100644 --- a/src/NVT.cc +++ b/src/analyzer/protocols/login/NVT.cc @@ -7,7 +7,7 @@ #include "NVT.h" #include "NetVar.h" #include "Event.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #define IS_3_BYTE_OPTION(c) (c >= 251 && c <= 254) diff --git a/src/NVT.h b/src/analyzer/protocols/login/NVT.h similarity index 98% rename from src/NVT.h rename to src/analyzer/protocols/login/NVT.h index 61aa1ef740..da97a251f0 100644 --- a/src/NVT.h +++ b/src/analyzer/protocols/login/NVT.h @@ -3,7 +3,7 @@ #ifndef nvt_h #define nvt_h -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" #define TELNET_OPTION_BINARY 0 diff --git a/src/analyzer/protocols/login/Plugin.cc b/src/analyzer/protocols/login/Plugin.cc new file mode 100644 index 0000000000..10166783c0 --- /dev/null +++ b/src/analyzer/protocols/login/Plugin.cc 
@@ -0,0 +1,19 @@ + +#include "plugin/Plugin.h" + +#include "Login.h" +#include "Telnet.h" +#include "RSH.h" +#include "Rlogin.h" + +BRO_PLUGIN_BEGIN(Login) + BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin Analyzer"); + BRO_PLUGIN_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("NVT", 0); + BRO_PLUGIN_ANALYZER("Login", 0); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh"); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rlogin"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/RSH.cc b/src/analyzer/protocols/login/RSH.cc similarity index 100% rename from src/RSH.cc rename to src/analyzer/protocols/login/RSH.cc diff --git a/src/RSH.h b/src/analyzer/protocols/login/RSH.h similarity index 96% rename from src/RSH.h rename to src/analyzer/protocols/login/RSH.h index c4eb8fb689..80cc4a6559 100644 --- a/src/RSH.h +++ b/src/analyzer/protocols/login/RSH.h @@ -4,7 +4,7 @@ #define rsh_h #include "Login.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" typedef enum { RSH_FIRST_NULL, // waiting to see first NUL diff --git a/src/Rlogin.cc b/src/analyzer/protocols/login/Rlogin.cc similarity index 100% rename from src/Rlogin.cc rename to src/analyzer/protocols/login/Rlogin.cc diff --git a/src/Rlogin.h b/src/analyzer/protocols/login/Rlogin.h similarity index 97% rename from src/Rlogin.h rename to src/analyzer/protocols/login/Rlogin.h index 5fcd209896..0ad72b1908 100644 --- a/src/Rlogin.h +++ b/src/analyzer/protocols/login/Rlogin.h @@ -4,7 +4,7 @@ #define rlogin_h #include "Login.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" typedef enum { RLOGIN_FIRST_NULL, // waiting to see first NUL diff --git a/src/Telnet.cc b/src/analyzer/protocols/login/Telnet.cc similarity index 100% rename from src/Telnet.cc rename to src/analyzer/protocols/login/Telnet.cc 
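Review bot: `BRO_PLUGIN_ANALYZER("NVT", 0)` and `BRO_PLUGIN_ANALYZER("Login", 0)` register analyzer tags with a null factory and no comment saying why. Unless the analyzer manager checks the factory before calling it (not visible in this hunk), anything that instantiates an analyzer by tag — a script enabling it on a port, or a DPD match — would call through a null function pointer. Add a comment stating the intent, e.g. `// NVT and Login are base classes only: registered so their tags exist, never instantiated directly (null factory).`, and confirm the manager rejects instantiation requests for tags registered this way instead of dereferencing the pointer.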
diff --git a/src/Telnet.h b/src/analyzer/protocols/login/Telnet.h similarity index 100% rename from src/Telnet.h rename to src/analyzer/protocols/login/Telnet.h diff --git a/src/analyzer/protocols/login/events.bif b/src/analyzer/protocols/login/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/modbus/CMakeLists.txt b/src/analyzer/protocols/modbus/CMakeLists.txt new file mode 100644 index 0000000000..120e352f36 --- /dev/null +++ b/src/analyzer/protocols/modbus/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Modbus) +bro_plugin_cc(Modbus.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(modbus.pac modbus-analyzer.pac modbus-protocol.pac) +bro_plugin_end() diff --git a/src/Modbus.cc b/src/analyzer/protocols/modbus/Modbus.cc similarity index 94% rename from src/Modbus.cc rename to src/analyzer/protocols/modbus/Modbus.cc index 22772daea0..841638cd0b 100644 --- a/src/Modbus.cc +++ b/src/analyzer/protocols/modbus/Modbus.cc @@ -1,6 +1,6 @@ #include "Modbus.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" ModbusTCP_Analyzer::ModbusTCP_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("MODBUS", c) diff --git a/src/Modbus.h b/src/analyzer/protocols/modbus/Modbus.h similarity index 93% rename from src/Modbus.h rename to src/analyzer/protocols/modbus/Modbus.h index b00a074ada..41b0267dc8 100644 --- a/src/Modbus.h +++ b/src/analyzer/protocols/modbus/Modbus.h @@ -1,7 +1,7 @@ #ifndef MODBUS_H #define MODBUS_H -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "modbus_pac.h" class ModbusTCP_Analyzer : public TCP_ApplicationAnalyzer { diff --git a/src/analyzer/protocols/modbus/Plugin.cc b/src/analyzer/protocols/modbus/Plugin.cc new file mode 100644 index 0000000000..9c53c8b814 --- /dev/null +++ b/src/analyzer/protocols/modbus/Plugin.cc 
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "Modbus.h"
+
+BRO_PLUGIN_BEGIN(Modbus)
+ BRO_PLUGIN_DESCRIPTION("Modbus Analyzer");
+ BRO_PLUGIN_ANALYZER("MODBUS", ModbusTCP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocols/modbus/events.bif b/src/analyzer/protocols/modbus/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/modbus-analyzer.pac b/src/analyzer/protocols/modbus/modbus-analyzer.pac
similarity index 100%
rename from src/modbus-analyzer.pac
rename to src/analyzer/protocols/modbus/modbus-analyzer.pac
diff --git a/src/modbus-protocol.pac b/src/analyzer/protocols/modbus/modbus-protocol.pac
similarity index 100%
rename from src/modbus-protocol.pac
rename to src/analyzer/protocols/modbus/modbus-protocol.pac
diff --git a/src/modbus.pac b/src/analyzer/protocols/modbus/modbus.pac
similarity index 100%
rename from src/modbus.pac
rename to src/analyzer/protocols/modbus/modbus.pac
diff --git a/src/analyzer/protocols/ncp/CMakeLists.txt b/src/analyzer/protocols/ncp/CMakeLists.txt
new file mode 100644
index 0000000000..021561f0aa
--- /dev/null
+++ b/src/analyzer/protocols/ncp/CMakeLists.txt
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(NCP)
+bro_plugin_cc(NCP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(ncp.pac)
+bro_plugin_end()
diff --git a/src/NCP.cc b/src/analyzer/protocols/ncp/NCP.cc
similarity index 100%
rename from src/NCP.cc
rename to src/analyzer/protocols/ncp/NCP.cc
diff --git a/src/NCP.h b/src/analyzer/protocols/ncp/NCP.h
similarity index 98%
rename from src/NCP.h
rename to src/analyzer/protocols/ncp/NCP.h
index 4fcddfca39..ae54b7b9ee 100644
--- a/src/NCP.h
+++ b/src/analyzer/protocols/ncp/NCP.h
@@ -19,7 +19,7 @@ // http://faydoc.tripod.com/structures/21/2149.htm #include "NetVar.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "ncp_pac.h" diff --git a/src/NCP_func.def b/src/analyzer/protocols/ncp/NCP_func.def similarity index 100% rename from src/NCP_func.def rename to src/analyzer/protocols/ncp/NCP_func.def diff --git a/src/analyzer/protocols/ncp/Plugin.cc b/src/analyzer/protocols/ncp/Plugin.cc new file mode 100644 index 0000000000..bc52a2c065 --- /dev/null +++ b/src/analyzer/protocols/ncp/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "NCP.h" + +BRO_PLUGIN_BEGIN(NCP) + BRO_PLUGIN_DESCRIPTION("NCP Analyzer"); + BRO_PLUGIN_ANALYZER("NCP", NCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NCP"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ncp/events.bif b/src/analyzer/protocols/ncp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/ncp.pac b/src/analyzer/protocols/ncp/ncp.pac similarity index 100% rename from src/ncp.pac rename to src/analyzer/protocols/ncp/ncp.pac diff --git a/src/analyzer/protocols/netbios-ssn/CMakeLists.txt b/src/analyzer/protocols/netbios-ssn/CMakeLists.txt new file mode 100644 index 0000000000..8292c11546 --- /dev/null +++ b/src/analyzer/protocols/netbios-ssn/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(NetbiosSSN) +bro_plugin_cc(NetbiosSSN.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/NetbiosSSN.cc b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc similarity index 100% rename from src/NetbiosSSN.cc rename to src/analyzer/protocols/netbios-ssn/NetbiosSSN.cc 
diff --git a/src/NetbiosSSN.h b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h similarity index 97% rename from src/NetbiosSSN.h rename to src/analyzer/protocols/netbios-ssn/NetbiosSSN.h index 8d2cc92089..9830d192ad 100644 --- a/src/NetbiosSSN.h +++ b/src/analyzer/protocols/netbios-ssn/NetbiosSSN.h @@ -3,9 +3,9 @@ #ifndef netbios_ssn_h #define netbios_ssn_h -#include "UDP.h" -#include "TCP.h" -#include "SMB.h" +#include "analyzer/protocols/udp/UDP.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/smb/SMB.h" typedef enum { NETBIOS_SSN_MSG = 0x0, diff --git a/src/analyzer/protocols/netbios-ssn/Plugin.cc b/src/analyzer/protocols/netbios-ssn/Plugin.cc new file mode 100644 index 0000000000..b14c3a9d8f --- /dev/null +++ b/src/analyzer/protocols/netbios-ssn/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "NetbiosSSN.h" + +BRO_PLUGIN_BEGIN(NetbiosSSN) + BRO_PLUGIN_DESCRIPTION("NetbiosSSN Analyzer"); + BRO_PLUGIN_ANALYZER("NetbiosSSN", NetbiosSSN_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NetbiosSSN"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/netbios-ssn/events.bif b/src/analyzer/protocols/netbios-ssn/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/ntp/CMakeLists.txt b/src/analyzer/protocols/ntp/CMakeLists.txt new file mode 100644 index 0000000000..b16c1edee9 --- /dev/null +++ b/src/analyzer/protocols/ntp/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(NTP) +bro_plugin_cc(NTP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/NTP.cc b/src/analyzer/protocols/ntp/NTP.cc similarity index 100% rename from src/NTP.cc rename to src/analyzer/protocols/ntp/NTP.cc 
diff --git a/src/NTP.h b/src/analyzer/protocols/ntp/NTP.h similarity index 97% rename from src/NTP.h rename to src/analyzer/protocols/ntp/NTP.h index 9dc5dc6af9..d161b4795d 100644 --- a/src/NTP.h +++ b/src/analyzer/protocols/ntp/NTP.h @@ -3,7 +3,7 @@ #ifndef ntp_h #define ntp_h -#include "UDP.h" +#include "analyzer/protocols/udp/UDP.h" // The following are from the tcpdump distribution, credited there diff --git a/src/analyzer/protocols/ntp/Plugin.cc b/src/analyzer/protocols/ntp/Plugin.cc new file mode 100644 index 0000000000..f2a0e487c9 --- /dev/null +++ b/src/analyzer/protocols/ntp/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "NTP.h" + +BRO_PLUGIN_BEGIN(NTP) + BRO_PLUGIN_DESCRIPTION("NTP Analyzer"); + BRO_PLUGIN_ANALYZER("NTP", NTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/ntp/events.bif b/src/analyzer/protocols/ntp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/pia/CMakeLists.txt b/src/analyzer/protocols/pia/CMakeLists.txt new file mode 100644 index 0000000000..8c55deca09 --- /dev/null +++ b/src/analyzer/protocols/pia/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(PIA) +bro_plugin_cc(PIA.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/PIA.cc b/src/analyzer/protocols/pia/PIA.cc similarity index 99% rename from src/PIA.cc rename to src/analyzer/protocols/pia/PIA.cc index 2e4cf06e86..eb21fc7331 100644 --- a/src/PIA.cc +++ b/src/analyzer/protocols/pia/PIA.cc @@ -1,6 +1,6 @@ #include "PIA.h" #include "RuleMatcher.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" PIA::PIA(analyzer::Analyzer* arg_as_analyzer) { 
diff --git a/src/PIA.h b/src/analyzer/protocols/pia/PIA.h similarity index 99% rename from src/PIA.h rename to src/analyzer/protocols/pia/PIA.h index 920bd9c976..a91a516165 100644 --- a/src/PIA.h +++ b/src/analyzer/protocols/pia/PIA.h @@ -4,7 +4,7 @@ #define PIA_H #include "analyzer/Analyzer.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" class RuleEndpointState; diff --git a/src/analyzer/protocols/pia/Plugin.cc b/src/analyzer/protocols/pia/Plugin.cc new file mode 100644 index 0000000000..a62e757164 --- /dev/null +++ b/src/analyzer/protocols/pia/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "PIA.h" + +BRO_PLUGIN_BEGIN(PIA) + BRO_PLUGIN_DESCRIPTION("Protocol Identificatin Analyzers"); + BRO_PLUGIN_ANALYZER("PIA_TCP", PIA_TCP::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("PIA_UDP", PIA_UDP::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/pia/events.bif b/src/analyzer/protocols/pia/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/pop3/CMakeLists.txt b/src/analyzer/protocols/pop3/CMakeLists.txt new file mode 100644 index 0000000000..5af5a7f624 --- /dev/null +++ b/src/analyzer/protocols/pop3/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(POP3) +bro_plugin_cc(POP3.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/POP3.cc b/src/analyzer/protocols/pop3/POP3.cc similarity index 99% rename from src/POP3.cc rename to src/analyzer/protocols/pop3/POP3.cc index 697dc0434e..6b4fda8169 100644 --- a/src/POP3.cc +++ b/src/analyzer/protocols/pop3/POP3.cc @@ -12,8 +12,8 @@ #include "NetVar.h" #include "POP3.h" #include "Event.h" -#include "NVT.h" #include "Reporter.h" +#include "analyzer/protocols/login/NVT.h" #undef POP3_CMD_DEF #define POP3_CMD_DEF(cmd) #cmd, 
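Review bot: `BRO_PLUGIN_DESCRIPTION("Protocol Identificatin Analyzers");` in the new pia/Plugin.cc misspells the description string; since this is the text the plugin reports about itself, it should read `BRO_PLUGIN_DESCRIPTION("Protocol Identification Analyzers");`. The other new Plugin.cc files in this commit use the short `"<Name> Analyzer"` form, so a shorter `"PIA Analyzers"` would also be acceptable if consistency with them is preferred.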
diff --git a/src/POP3.h b/src/analyzer/protocols/pop3/POP3.h similarity index 95% rename from src/POP3.h rename to src/analyzer/protocols/pop3/POP3.h index 5c10865ba3..10dbe9d085 100644 --- a/src/POP3.h +++ b/src/analyzer/protocols/pop3/POP3.h @@ -9,8 +9,8 @@ #include #include -#include "NVT.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/login/NVT.h" #include "MIME.h" diff --git a/src/POP3_cmd.def b/src/analyzer/protocols/pop3/POP3_cmd.def similarity index 100% rename from src/POP3_cmd.def rename to src/analyzer/protocols/pop3/POP3_cmd.def diff --git a/src/analyzer/protocols/pop3/Plugin.cc b/src/analyzer/protocols/pop3/Plugin.cc new file mode 100644 index 0000000000..5f56ade93a --- /dev/null +++ b/src/analyzer/protocols/pop3/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "POP3.h" + +BRO_PLUGIN_BEGIN(POP3) + BRO_PLUGIN_DESCRIPTION("POP3 Analyzer"); + BRO_PLUGIN_ANALYZER("POP3", POP3_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/pop3/events.bif b/src/analyzer/protocols/pop3/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/rpc/CMakeLists.txt b/src/analyzer/protocols/rpc/CMakeLists.txt new file mode 100644 index 0000000000..edf6371dd1 --- /dev/null +++ b/src/analyzer/protocols/rpc/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(RPC) +bro_plugin_cc(RPC.cc NFS.cc Portmap.cc XDR.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/NFS.cc b/src/analyzer/protocols/rpc/NFS.cc similarity index 100% rename from src/NFS.cc rename to src/analyzer/protocols/rpc/NFS.cc diff --git a/src/NFS.h b/src/analyzer/protocols/rpc/NFS.h similarity index 100% rename from src/NFS.h rename to src/analyzer/protocols/rpc/NFS.h 
diff --git a/src/analyzer/protocols/rpc/Plugin.cc b/src/analyzer/protocols/rpc/Plugin.cc new file mode 100644 index 0000000000..25c958859b --- /dev/null +++ b/src/analyzer/protocols/rpc/Plugin.cc @@ -0,0 +1,15 @@ + +#include "plugin/Plugin.h" + +#include "RPC.h" +#include "NFS.h" +#include "Portmap.h" + +BRO_PLUGIN_BEGIN(RPC) + BRO_PLUGIN_DESCRIPTION("Analyzers for RPC-based protocols"); + BRO_PLUGIN_ANALYZER("NFS", NFS_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("PORTMAPPER", Portmapper_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_RPC"); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_NFS"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/Portmap.cc b/src/analyzer/protocols/rpc/Portmap.cc similarity index 100% rename from src/Portmap.cc rename to src/analyzer/protocols/rpc/Portmap.cc diff --git a/src/Portmap.h b/src/analyzer/protocols/rpc/Portmap.h similarity index 100% rename from src/Portmap.h rename to src/analyzer/protocols/rpc/Portmap.h diff --git a/src/RPC.cc b/src/analyzer/protocols/rpc/RPC.cc similarity index 100% rename from src/RPC.cc rename to src/analyzer/protocols/rpc/RPC.cc diff --git a/src/RPC.h b/src/analyzer/protocols/rpc/RPC.h similarity index 98% rename from src/RPC.h rename to src/analyzer/protocols/rpc/RPC.h index 960b9c744a..da39e9f220 100644 --- a/src/RPC.h +++ b/src/analyzer/protocols/rpc/RPC.h @@ -3,8 +3,8 @@ #ifndef rpc_h #define rpc_h -#include "TCP.h" -#include "UDP.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/udp/UDP.h" enum { RPC_CALL = 0, diff --git a/src/XDR.cc b/src/analyzer/protocols/rpc/XDR.cc similarity index 100% rename from src/XDR.cc rename to src/analyzer/protocols/rpc/XDR.cc diff --git a/src/XDR.h b/src/analyzer/protocols/rpc/XDR.h similarity index 100% rename from src/XDR.h rename to src/analyzer/protocols/rpc/XDR.h 
diff --git a/src/analyzer/protocols/rpc/events.bif b/src/analyzer/protocols/rpc/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/smb/CMakeLists.txt b/src/analyzer/protocols/smb/CMakeLists.txt new file mode 100644 index 0000000000..30338d91f5 --- /dev/null +++ b/src/analyzer/protocols/smb/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SMB) +bro_plugin_cc(SMB.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(smb.pac smb-protocol.pac smb-pipe.pac smb-mailslot.pac) +bro_plugin_end() diff --git a/src/analyzer/protocols/smb/Plugin.cc b/src/analyzer/protocols/smb/Plugin.cc new file mode 100644 index 0000000000..543638faf4 --- /dev/null +++ b/src/analyzer/protocols/smb/Plugin.cc @@ -0,0 +1,11 @@ + +#include "plugin/Plugin.h" + +#include "SMB.h" + +BRO_PLUGIN_BEGIN(SMB) + BRO_PLUGIN_DESCRIPTION("SMB Analyzer"); + BRO_PLUGIN_ANALYZER("SMB", SMB_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents_SMB"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/SMB.cc b/src/analyzer/protocols/smb/SMB.cc similarity index 100% rename from src/SMB.cc rename to src/analyzer/protocols/smb/SMB.cc diff --git a/src/SMB.h b/src/analyzer/protocols/smb/SMB.h similarity index 98% rename from src/SMB.h rename to src/analyzer/protocols/smb/SMB.h index 7e7f1cea1d..83f3811010 100644 --- a/src/SMB.h +++ b/src/analyzer/protocols/smb/SMB.h @@ -6,8 +6,8 @@ // SMB (CIFS) analyzer. // Reference: http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf -#include "TCP.h" -#include "DCE_RPC.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/dce-rpc/DCE_RPC.h" #include "smb_pac.h" enum IPC_named_pipe { diff --git a/src/SMB_COM.def b/src/analyzer/protocols/smb/SMB_COM.def similarity index 100% rename from src/SMB_COM.def rename to src/analyzer/protocols/smb/SMB_COM.def 
diff --git a/src/analyzer/protocols/smb/events.bif b/src/analyzer/protocols/smb/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/smb-mailslot.pac b/src/analyzer/protocols/smb/smb-mailslot.pac similarity index 100% rename from src/smb-mailslot.pac rename to src/analyzer/protocols/smb/smb-mailslot.pac diff --git a/src/smb-pipe.pac b/src/analyzer/protocols/smb/smb-pipe.pac similarity index 100% rename from src/smb-pipe.pac rename to src/analyzer/protocols/smb/smb-pipe.pac diff --git a/src/smb-protocol.pac b/src/analyzer/protocols/smb/smb-protocol.pac similarity index 100% rename from src/smb-protocol.pac rename to src/analyzer/protocols/smb/smb-protocol.pac diff --git a/src/smb.pac b/src/analyzer/protocols/smb/smb.pac similarity index 100% rename from src/smb.pac rename to src/analyzer/protocols/smb/smb.pac diff --git a/src/analyzer/protocols/smtp/CMakeLists.txt b/src/analyzer/protocols/smtp/CMakeLists.txt new file mode 100644 index 0000000000..53f9dd1246 --- /dev/null +++ b/src/analyzer/protocols/smtp/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SMTP) +bro_plugin_cc(SMTP.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocols/smtp/Plugin.cc b/src/analyzer/protocols/smtp/Plugin.cc new file mode 100644 index 0000000000..6b9f7a0aeb --- /dev/null +++ b/src/analyzer/protocols/smtp/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "SMTP.h" + +BRO_PLUGIN_BEGIN(SMTP) + BRO_PLUGIN_DESCRIPTION("SMTP Analyzer"); + BRO_PLUGIN_ANALYZER("SMTP", SMTP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/SMTP.cc b/src/analyzer/protocols/smtp/SMTP.cc similarity index 99% rename from src/SMTP.cc rename to src/analyzer/protocols/smtp/SMTP.cc index 16be4480dc..c674c120ec 100644 --- a/src/SMTP.cc +++ b/src/analyzer/protocols/smtp/SMTP.cc 
@@ -7,8 +7,8 @@ #include "NetVar.h" #include "SMTP.h" #include "Event.h" -#include "ContentLine.h" #include "Reporter.h" +#include "analyzer/protocols/tcp/ContentLine.h" #undef SMTP_CMD_DEF #define SMTP_CMD_DEF(cmd) #cmd, diff --git a/src/SMTP.h b/src/analyzer/protocols/smtp/SMTP.h similarity index 98% rename from src/SMTP.h rename to src/analyzer/protocols/smtp/SMTP.h index d4b7dd63a6..d525fb11af 100644 --- a/src/SMTP.h +++ b/src/analyzer/protocols/smtp/SMTP.h @@ -6,7 +6,7 @@ #include using namespace std; -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "MIME.h" diff --git a/src/SMTP_cmd.def b/src/analyzer/protocols/smtp/SMTP_cmd.def similarity index 100% rename from src/SMTP_cmd.def rename to src/analyzer/protocols/smtp/SMTP_cmd.def diff --git a/src/analyzer/protocols/smtp/events.bif b/src/analyzer/protocols/smtp/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/socks/CMakeLists.txt b/src/analyzer/protocols/socks/CMakeLists.txt new file mode 100644 index 0000000000..451dfd53f4 --- /dev/null +++ b/src/analyzer/protocols/socks/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SOCKS) +bro_plugin_cc(SOCKS.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_pac(socks.pac socks-protocol.pac socks-analyzer.pac) +bro_plugin_end() diff --git a/src/analyzer/protocols/socks/Plugin.cc b/src/analyzer/protocols/socks/Plugin.cc new file mode 100644 index 0000000000..080a8329de --- /dev/null +++ b/src/analyzer/protocols/socks/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "SOCKS.h" + +BRO_PLUGIN_BEGIN(SOCKS) + BRO_PLUGIN_DESCRIPTION("SOCKS Analyzer"); + BRO_PLUGIN_ANALYZER("SOCKS", SOCKS_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END 
diff --git a/src/SOCKS.cc b/src/analyzer/protocols/socks/SOCKS.cc similarity index 96% rename from src/SOCKS.cc rename to src/analyzer/protocols/socks/SOCKS.cc index 0157c19cd7..25ebf9796e 100644 --- a/src/SOCKS.cc +++ b/src/analyzer/protocols/socks/SOCKS.cc @@ -1,6 +1,6 @@ #include "SOCKS.h" #include "socks_pac.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" SOCKS_Analyzer::SOCKS_Analyzer(Connection* conn) : TCP_ApplicationAnalyzer("SOCKS", conn) diff --git a/src/SOCKS.h b/src/analyzer/protocols/socks/SOCKS.h similarity index 89% rename from src/SOCKS.h rename to src/analyzer/protocols/socks/SOCKS.h index 767d0a1eb7..8abdfe3a3f 100644 --- a/src/SOCKS.h +++ b/src/analyzer/protocols/socks/SOCKS.h @@ -3,8 +3,8 @@ // SOCKS v4 analyzer. -#include "TCP.h" -#include "PIA.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/pia/PIA.h" namespace binpac { namespace SOCKS { diff --git a/src/analyzer/protocols/socks/events.bif b/src/analyzer/protocols/socks/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/socks-analyzer.pac b/src/analyzer/protocols/socks/socks-analyzer.pac similarity index 100% rename from src/socks-analyzer.pac rename to src/analyzer/protocols/socks/socks-analyzer.pac diff --git a/src/socks-protocol.pac b/src/analyzer/protocols/socks/socks-protocol.pac similarity index 100% rename from src/socks-protocol.pac rename to src/analyzer/protocols/socks/socks-protocol.pac diff --git a/src/socks.pac b/src/analyzer/protocols/socks/socks.pac similarity index 100% rename from src/socks.pac rename to src/analyzer/protocols/socks/socks.pac diff --git a/src/analyzer/protocols/ssh/CMakeLists.txt b/src/analyzer/protocols/ssh/CMakeLists.txt new file mode 100644 index 0000000000..659e3207ab --- /dev/null +++ b/src/analyzer/protocols/ssh/CMakeLists.txt 
@@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SSH) +bro_plugin_cc(SSH.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocols/ssh/Plugin.cc b/src/analyzer/protocols/ssh/Plugin.cc new file mode 100644 index 0000000000..76603220d3 --- /dev/null +++ b/src/analyzer/protocols/ssh/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "SSH.h" + +BRO_PLUGIN_BEGIN(SSH) + BRO_PLUGIN_DESCRIPTION("SSH Analyzer"); + BRO_PLUGIN_ANALYZER("SSH", SSH_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/SSH.cc b/src/analyzer/protocols/ssh/SSH.cc similarity index 97% rename from src/SSH.cc rename to src/analyzer/protocols/ssh/SSH.cc index 0bb710ac2f..3b89422d5a 100644 --- a/src/SSH.cc +++ b/src/analyzer/protocols/ssh/SSH.cc @@ -7,7 +7,7 @@ #include "NetVar.h" #include "SSH.h" #include "Event.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/ContentLine.h" SSH_Analyzer::SSH_Analyzer(Connection* c) : TCP_ApplicationAnalyzer("SSH", c) diff --git a/src/SSH.h b/src/analyzer/protocols/ssh/SSH.h similarity index 83% rename from src/SSH.h rename to src/analyzer/protocols/ssh/SSH.h index a6a2f4e154..d3cda5f2f5 100644 --- a/src/SSH.h +++ b/src/analyzer/protocols/ssh/SSH.h @@ -3,8 +3,8 @@ #ifndef ssh_h #define ssh_h -#include "TCP.h" -#include "ContentLine.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/tcp/ContentLine.h" class SSH_Analyzer : public TCP_ApplicationAnalyzer { public: diff --git a/src/analyzer/protocols/ssh/events.bif b/src/analyzer/protocols/ssh/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/ssl/SSL.cc b/src/analyzer/protocols/ssl/SSL.cc index da3e1e55f3..deec34e5d9 100644 --- a/src/analyzer/protocols/ssl/SSL.cc +++ b/src/analyzer/protocols/ssl/SSL.cc 
@@ -1,6 +1,6 @@ #include "SSL.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" #include "Reporter.h" #include "util.h" diff --git a/src/analyzer/protocols/ssl/SSL.h b/src/analyzer/protocols/ssl/SSL.h index cf6269a6e4..1d451a40ef 100644 --- a/src/analyzer/protocols/ssl/SSL.h +++ b/src/analyzer/protocols/ssl/SSL.h @@ -3,7 +3,7 @@ #include "events.bif.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "ssl_pac.h" class SSL_Analyzer : public TCP_ApplicationAnalyzer { diff --git a/src/analyzer/protocols/stepping-stone/CMakeLists.txt b/src/analyzer/protocols/stepping-stone/CMakeLists.txt new file mode 100644 index 0000000000..4de6210027 --- /dev/null +++ b/src/analyzer/protocols/stepping-stone/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(SteppingStone) +bro_plugin_cc(SteppingStone.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/analyzer/protocols/stepping-stone/Plugin.cc b/src/analyzer/protocols/stepping-stone/Plugin.cc new file mode 100644 index 0000000000..18bfa41063 --- /dev/null +++ b/src/analyzer/protocols/stepping-stone/Plugin.cc @@ -0,0 +1,10 @@ + +#include "plugin/Plugin.h" + +#include "SteppingStone.h" + +BRO_PLUGIN_BEGIN(SteppingStone) + BRO_PLUGIN_DESCRIPTION("SteppingStone Analyzer (deprecated)"); + BRO_PLUGIN_ANALYZER("STEPPINGSTONE", SteppingStone_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/SteppingStone.cc b/src/analyzer/protocols/stepping-stone/SteppingStone.cc similarity index 99% rename from src/SteppingStone.cc rename to src/analyzer/protocols/stepping-stone/SteppingStone.cc index 1809b4abef..f2f4561de6 100644 --- a/src/SteppingStone.cc +++ b/src/analyzer/protocols/stepping-stone/SteppingStone.cc 
@@ -7,7 +7,7 @@ #include "Event.h" #include "Net.h" #include "NetVar.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "SteppingStone.h" #include "util.h" diff --git a/src/SteppingStone.h b/src/analyzer/protocols/stepping-stone/SteppingStone.h similarity index 98% rename from src/SteppingStone.h rename to src/analyzer/protocols/stepping-stone/SteppingStone.h index 4ec4dbc2e1..cbf22e7715 100644 --- a/src/SteppingStone.h +++ b/src/analyzer/protocols/stepping-stone/SteppingStone.h @@ -4,7 +4,7 @@ #define steppingstone_h #include "Queue.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" class NetSessions; diff --git a/src/analyzer/protocols/stepping-stone/events.bif b/src/analyzer/protocols/stepping-stone/events.bif new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/analyzer/protocols/syslog/Syslog.cc b/src/analyzer/protocols/syslog/Syslog.cc index 137cecbd18..94ca996cce 100644 --- a/src/analyzer/protocols/syslog/Syslog.cc +++ b/src/analyzer/protocols/syslog/Syslog.cc @@ -1,6 +1,6 @@ #include "Syslog.h" -#include "TCP_Reassembler.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" Syslog_Analyzer::Syslog_Analyzer(Connection* conn) : Analyzer("SYSLOG", conn) diff --git a/src/analyzer/protocols/syslog/Syslog.h b/src/analyzer/protocols/syslog/Syslog.h index 2a96bd8ae6..32b7b3439a 100644 --- a/src/analyzer/protocols/syslog/Syslog.h +++ b/src/analyzer/protocols/syslog/Syslog.h @@ -2,8 +2,8 @@ #ifndef Syslog_h #define Syslog_h -#include "UDP.h" -#include "TCP.h" +#include "analyzer/protocols/udp/UDP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "syslog_pac.h" diff --git a/src/analyzer/protocols/tcp/CMakeLists.txt b/src/analyzer/protocols/tcp/CMakeLists.txt new file mode 100644 index 0000000000..b8cf0e2bf4 --- /dev/null +++ b/src/analyzer/protocols/tcp/CMakeLists.txt 
@@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(TCP) +bro_plugin_cc(TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc ContentLine.cc Stats.cc Plugin.cc) +bro_plugin_bif(events.bif) +bro_plugin_end() diff --git a/src/ContentLine.cc b/src/analyzer/protocols/tcp/ContentLine.cc similarity index 99% rename from src/ContentLine.cc rename to src/analyzer/protocols/tcp/ContentLine.cc index 2a79272cbd..bcfca4ecc6 100644 --- a/src/ContentLine.cc +++ b/src/analyzer/protocols/tcp/ContentLine.cc @@ -1,7 +1,7 @@ #include #include "ContentLine.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig) : TCP_SupportAnalyzer("CONTENTLINE", conn, orig) diff --git a/src/ContentLine.h b/src/analyzer/protocols/tcp/ContentLine.h similarity index 98% rename from src/ContentLine.h rename to src/analyzer/protocols/tcp/ContentLine.h index 849f457075..e83251d43d 100644 --- a/src/ContentLine.h +++ b/src/analyzer/protocols/tcp/ContentLine.h @@ -3,7 +3,7 @@ #ifndef CONTENTLINE_H #define CONTENTLINE_H -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #define CR_as_EOL 1 #define LF_as_EOL 2 diff --git a/src/analyzer/protocols/tcp/Plugin.cc b/src/analyzer/protocols/tcp/Plugin.cc new file mode 100644 index 0000000000..d76789bf30 --- /dev/null +++ b/src/analyzer/protocols/tcp/Plugin.cc @@ -0,0 +1,13 @@ + +#include "plugin/Plugin.h" + +#include "TCP.h" + +BRO_PLUGIN_BEGIN(TCP) + BRO_PLUGIN_DESCRIPTION("TCP Analyzer"); + BRO_PLUGIN_ANALYZER("TCP", TCP_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_ANALYZER("TCPStats", TCPStats_Analyzer::InstantiateAnalyzer); + BRO_PLUGIN_SUPPORT_ANALYZER("ContentLine"); + BRO_PLUGIN_SUPPORT_ANALYZER("Contents"); + BRO_PLUGIN_BIF_FILE(events); +BRO_PLUGIN_END diff --git a/src/analyzer/protocols/tcp/Stats.cc b/src/analyzer/protocols/tcp/Stats.cc new file mode 100644 index 0000000000..6157d54537 
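Review bot: tcp/Plugin.cc registers the support analyzer as `BRO_PLUGIN_SUPPORT_ANALYZER("ContentLine");` while ContentLine.cc on the same line of this diff constructs it with `TCP_SupportAnalyzer("CONTENTLINE", conn, orig)`; the two names differ only in case. Whether the analyzer registry compares names case-insensitively is not visible in this diff; if it does not, the name the plugin advertises will not match the name the analyzer instance carries, and lookups by one spelling will miss the other. Pick one spelling and use it on both lines so the registration and the constructor cannot drift apart.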
--- /dev/null +++ b/src/analyzer/protocols/tcp/Stats.cc @@ -0,0 +1,79 @@ + +#include "Stats.h" +#include "File.h" + +TCPStateStats::TCPStateStats() + { + for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) + for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j ) + state_cnt[i][j] = 0; + } + +void TCPStateStats::ChangeState(EndpointState o_prev, EndpointState o_now, + EndpointState r_prev, EndpointState r_now) + { + --state_cnt[o_prev][r_prev]; + ++state_cnt[o_now][r_now]; + } + +void TCPStateStats::FlipState(EndpointState orig, EndpointState resp) + { + --state_cnt[orig][resp]; + ++state_cnt[resp][orig]; + } + +unsigned int TCPStateStats::NumStatePartial() const + { + unsigned int sum = 0; + for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) + { + sum += state_cnt[TCP_ENDPOINT_PARTIAL][i]; + sum += state_cnt[i][TCP_ENDPOINT_PARTIAL]; + } + + return sum; + } + +void TCPStateStats::PrintStats(BroFile* file, const char* prefix) + { + file->Write(prefix); + file->Write(" Inact. Syn. SA Part. Est. Fin. Rst.\n"); + + for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i ) + { + file->Write(prefix); + + switch ( i ) { +#define STATE_STRING(state, str) \ + case state: \ + file->Write(str); \ + break; + + STATE_STRING(TCP_ENDPOINT_INACTIVE, "Inact."); + STATE_STRING(TCP_ENDPOINT_SYN_SENT, "Syn. "); + STATE_STRING(TCP_ENDPOINT_SYN_ACK_SENT, "SA "); + STATE_STRING(TCP_ENDPOINT_PARTIAL, "Part. "); + STATE_STRING(TCP_ENDPOINT_ESTABLISHED, "Est. "); + STATE_STRING(TCP_ENDPOINT_CLOSED, "Fin. "); + STATE_STRING(TCP_ENDPOINT_RESET, "Rst. "); + + } + + file->Write(" "); + + for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j ) + { + unsigned int n = state_cnt[i][j]; + if ( n > 0 ) + { + char buf[32]; + safe_snprintf(buf, sizeof(buf), "%-8d", state_cnt[i][j]); + file->Write(buf); + } + else + file->Write(" "); + } + + file->Write("\n"); + } + } diff --git a/src/analyzer/protocols/tcp/Stats.h b/src/analyzer/protocols/tcp/Stats.h new file mode 100644 index 0000000000..01c95620ce --- /dev/null 
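Review bot: In `TCPStateStats::PrintStats` the new Stats.cc formats an `unsigned int` cell with `"%-8d"` and re-reads `state_cnt[i][j]` after having already copied it into `n`; the line should be `safe_snprintf(buf, sizeof(buf), "%-8u", n);`. Separately, `ChangeState` and `FlipState` here (and `StateLeft` in the Stats.h hunk) decrement `unsigned int` cells with no check, so an unmatched leave wraps the cell to UINT_MAX and every `NumState*` sum and the printed table silently become meaningless instead of failing loudly; an `assert(state_cnt[o_prev][r_prev] > 0);` before each `--` would catch the accounting bug at its source. The `STATE_STRING` macro defined inside the switch is never undefined, so it stays visible for the rest of the translation unit; add `#undef STATE_STRING` after the closing brace of the switch.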
+++ b/src/analyzer/protocols/tcp/Stats.h 
@@ -0,0 +1,67 @@
+
+#ifndef ANALYZER_PROTOCOLS_TCP_STATS_H
+#define ANALYZER_PROTOCOLS_TCP_STATS_H
+
+#include "TCP_Endpoint.h"
+
+// A TCPStateStats object tracks the distribution of TCP states for
+// the currently active connections.
+class TCPStateStats {
+public:
+ TCPStateStats();
+ ~TCPStateStats() { }
+
+ void ChangeState(EndpointState o_prev, EndpointState o_now,
+ EndpointState r_prev, EndpointState r_now);
+ void FlipState(EndpointState orig, EndpointState resp);
+
+ void StateEntered (EndpointState o_state, EndpointState r_state)
+ { ++state_cnt[o_state][r_state]; }
+ void StateLeft (EndpointState o_state, EndpointState r_state)
+ { --state_cnt[o_state][r_state]; }
+
+ unsigned int Cnt(EndpointState state) const
+ { return Cnt(state, state); }
+ unsigned int Cnt(EndpointState state1, EndpointState state2) const
+ { return state_cnt[state1][state2]; }
+
+ unsigned int NumStateEstablished() const
+ { return Cnt(TCP_ENDPOINT_ESTABLISHED); }
+ unsigned int NumStateHalfClose() const
+ { // corresponds to S2,S3
+ return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_CLOSED) +
+ Cnt(TCP_ENDPOINT_CLOSED, TCP_ENDPOINT_ESTABLISHED);
+ }
+ unsigned int NumStateHalfRst() const
+ {
+ return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_RESET) +
+ Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_ESTABLISHED);
+ }
+ unsigned int NumStateClosed() const
+ { return Cnt(TCP_ENDPOINT_CLOSED); }
+ unsigned int NumStateRequest() const
+ {
+ assert(Cnt(TCP_ENDPOINT_INACTIVE, TCP_ENDPOINT_SYN_SENT)==0);
+ return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_INACTIVE);
+ }
+ unsigned int NumStateSuccRequest() const
+ {
+ return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_SYN_ACK_SENT) +
+ Cnt(TCP_ENDPOINT_SYN_ACK_SENT, TCP_ENDPOINT_SYN_SENT);
+ }
+ unsigned int NumStateRstRequest() const
+ {
+ return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_RESET) +
+ Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_SYN_SENT);
+ }
+ unsigned int NumStateInactive() const
+ { return Cnt(TCP_ENDPOINT_INACTIVE); }
+ unsigned int NumStatePartial() const;
+
+ void PrintStats(BroFile* file, const char* prefix);
+
+private:
+ unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1];
+};
+
+#endif
diff --git a/src/TCP.cc b/src/analyzer/protocols/tcp/TCP.cc
similarity index 99%
rename from src/TCP.cc
rename to src/analyzer/protocols/tcp/TCP.cc
index 004deb2edd..66bf9d2a83 100644
--- a/src/TCP.cc
+++ b/src/analyzer/protocols/tcp/TCP.cc
@@ -3,13 +3,14 @@ #include #include "NetVar.h" -#include "PIA.h" #include "File.h" -#include "TCP.h" -#include "TCP_Reassembler.h" #include "OSFinger.h" #include "Event.h" +#include "analyzer/protocols/pia/PIA.h" +#include "analyzer/protocols/tcp/TCP.h" +#include "analyzer/protocols/tcp/TCP_Reassembler.h" + namespace { // local namespace const bool DEBUG_tcp_data_sent = false; const bool DEBUG_tcp_connection_close = false;
diff --git a/src/TCP.h b/src/analyzer/protocols/tcp/TCP.h
similarity index 99%
rename from src/TCP.h
rename to src/analyzer/protocols/tcp/TCP.h
index be91d473c2..ee89cef8e4 100644
--- a/src/TCP.h
+++ b/src/analyzer/protocols/tcp/TCP.h
@@ -4,7 +4,7 @@ #define TCP_H #include "analyzer/Analyzer.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "PacketDumper.h" #include "IPAddr.h" #include "TCP_Endpoint.h"
diff --git a/src/TCP_Endpoint.cc b/src/analyzer/protocols/tcp/TCP_Endpoint.cc
similarity index 99%
rename from src/TCP_Endpoint.cc
rename to src/analyzer/protocols/tcp/TCP_Endpoint.cc
index 69c08870d9..adb2c101d4 100644
--- a/src/TCP_Endpoint.cc
+++ b/src/analyzer/protocols/tcp/TCP_Endpoint.cc
@@ -2,7 +2,7 @@ #include "Net.h" #include "NetVar.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "TCP_Reassembler.h" #include "Sessions.h" #include "Event.h"
diff --git a/src/TCP_Endpoint.h b/src/analyzer/protocols/tcp/TCP_Endpoint.h
similarity index 100%
rename from src/TCP_Endpoint.h
rename to src/analyzer/protocols/tcp/TCP_Endpoint.h
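Review bot: NumStateRequest calls `assert` but Stats.h includes only TCP_Endpoint.h, so the header compiles only while that include happens to pull in the assert macro transitively; add `#include <assert.h>` to Stats.h directly. StateLeft has the same unchecked decrement of an unsigned cell as ChangeState/FlipState in Stats.cc, so a mismatched enter/leave pair wraps the counter rather than failing loudly. The class comment should also state the index convention the accessors depend on, e.g. `// state_cnt[o][r]: number of live connections whose originator endpoint is in state o and whose responder endpoint is in state r.`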
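Review bot: The repathed line in TCP.h makes the header include itself — `+#include "analyzer/protocols/tcp/TCP.h"` sits inside TCP.h under its own TCP_H guard — so it is a no-op and should be deleted rather than kept with a new path. The surrounding includes of PacketDumper.h, IPAddr.h and TCP_Endpoint.h, like the short `#include "TCP_Reassembler.h"` left in TCP_Endpoint.cc and the short `#include "TCP_Endpoint.h"` in TCP_Reassembler.cc, still depend on the plugin directory being on the include path, while TCP.cc now spells out the full path for the same headers; pick one convention per directory so a later move does not break half the includes again.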
diff --git a/src/TCP_Reassembler.cc b/src/analyzer/protocols/tcp/TCP_Reassembler.cc
similarity index 99%
rename from src/TCP_Reassembler.cc
rename to src/analyzer/protocols/tcp/TCP_Reassembler.cc
index a9c25781c4..5bfd536a10 100644
--- a/src/TCP_Reassembler.cc
+++ b/src/analyzer/protocols/tcp/TCP_Reassembler.cc
@@ -2,7 +2,7 @@ #include "analyzer/Analyzer.h" #include "TCP_Reassembler.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" #include "TCP_Endpoint.h" // Only needed for gap_report events.
diff --git a/src/TCP_Reassembler.h b/src/analyzer/protocols/tcp/TCP_Reassembler.h
similarity index 100%
rename from src/TCP_Reassembler.h
rename to src/analyzer/protocols/tcp/TCP_Reassembler.h
diff --git a/src/analyzer/protocols/tcp/events.bif b/src/analyzer/protocols/tcp/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/teredo/CMakeLists.txt b/src/analyzer/protocols/teredo/CMakeLists.txt
new file mode 100644
index 0000000000..cf4d2a9bcf
--- /dev/null
+++ b/src/analyzer/protocols/teredo/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Teredo)
+bro_plugin_cc(Teredo.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/teredo/Plugin.cc b/src/analyzer/protocols/teredo/Plugin.cc
new file mode 100644
index 0000000000..9fc0fa4e7a
--- /dev/null
+++ b/src/analyzer/protocols/teredo/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "Teredo.h"
+
+BRO_PLUGIN_BEGIN(Teredo)
+ BRO_PLUGIN_DESCRIPTION("Teredo Analyzer");
+ BRO_PLUGIN_ANALYZER("TEREDO", Teredo_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/Teredo.cc b/src/analyzer/protocols/teredo/Teredo.cc
similarity index 100%
rename from src/Teredo.cc
rename to src/analyzer/protocols/teredo/Teredo.cc
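Review bot: `include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})` is directory-scoped and, with BEFORE, lets a header in this plugin directory or its generated output shadow any same-named header elsewhere on the include path — exactly the situation the short-form includes such as `#include "TCP_Endpoint.h"` elsewhere in this commit rely on, so an ambiguous name resolves differently per plugin. The identical line is repeated verbatim in the udp and zip CMakeLists.txt. If bro_plugin_begin/bro_plugin_end produce a target, this belongs on it via target_include_directories, or better inside the BroPlugin module so each plugin does not restate it; BroPlugin.cmake is not visible here, so treat that as a suggestion to check.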
diff --git a/src/Teredo.h b/src/analyzer/protocols/teredo/Teredo.h
similarity index 100%
rename from src/Teredo.h
rename to src/analyzer/protocols/teredo/Teredo.h
diff --git a/src/analyzer/protocols/teredo/events.bif b/src/analyzer/protocols/teredo/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/udp/CMakeLists.txt b/src/analyzer/protocols/udp/CMakeLists.txt
new file mode 100644
index 0000000000..077c4136b5
--- /dev/null
+++ b/src/analyzer/protocols/udp/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(UDP)
+bro_plugin_cc(UDP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/udp/Plugin.cc b/src/analyzer/protocols/udp/Plugin.cc
new file mode 100644
index 0000000000..1a9b462013
--- /dev/null
+++ b/src/analyzer/protocols/udp/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "analyzer/protocols/udp/UDP.h"
+
+BRO_PLUGIN_BEGIN(UDP)
+ BRO_PLUGIN_DESCRIPTION("UDP Analyzer");
+ BRO_PLUGIN_ANALYZER("UDP", UDP_Analyzer::InstantiateAnalyzer);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/UDP.cc b/src/analyzer/protocols/udp/UDP.cc
similarity index 99%
rename from src/UDP.cc
rename to src/analyzer/protocols/udp/UDP.cc
index 2fd80cfce3..f85f5ad991 100644
--- a/src/UDP.cc
+++ b/src/analyzer/protocols/udp/UDP.cc
@@ -6,7 +6,7 @@ #include "Net.h" #include "NetVar.h" -#include "UDP.h" +#include "analyzer/protocols/udp/UDP.h" #include "Reporter.h" #include "Conn.h"
diff --git a/src/UDP.h b/src/analyzer/protocols/udp/UDP.h
similarity index 100%
rename from src/UDP.h
rename to src/analyzer/protocols/udp/UDP.h
diff --git a/src/analyzer/protocols/udp/events.bif b/src/analyzer/protocols/udp/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/analyzer/protocols/zip/CMakeLists.txt b/src/analyzer/protocols/zip/CMakeLists.txt
new file mode 100644
index 0000000000..5b2864c618
--- /dev/null
+++ b/src/analyzer/protocols/zip/CMakeLists.txt
@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(ZIP)
+bro_plugin_cc(ZIP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
diff --git a/src/analyzer/protocols/zip/Plugin.cc b/src/analyzer/protocols/zip/Plugin.cc
new file mode 100644
index 0000000000..89382dd0cd
--- /dev/null
+++ b/src/analyzer/protocols/zip/Plugin.cc
@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "ZIP.h"
+
+BRO_PLUGIN_BEGIN(ZIP)
+ BRO_PLUGIN_DESCRIPTION("Generic ZIP support analyzer");
+ BRO_PLUGIN_ANALYZER("ZIP", 0);
+ BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/ZIP.cc b/src/analyzer/protocols/zip/ZIP.cc
similarity index 100%
rename from src/ZIP.cc
rename to src/analyzer/protocols/zip/ZIP.cc
diff --git a/src/ZIP.h b/src/analyzer/protocols/zip/ZIP.h
similarity index 92%
rename from src/ZIP.h
rename to src/analyzer/protocols/zip/ZIP.h
index 6a8a180d1a..24ec919f70 100644
--- a/src/ZIP.h
+++ b/src/analyzer/protocols/zip/ZIP.h
@@ -6,7 +6,7 @@ #include "config.h" #include "zlib.h" -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" class ZIP_Analyzer : public TCP_SupportAnalyzer { public:
diff --git a/src/analyzer/protocols/zip/events.bif b/src/analyzer/protocols/zip/events.bif
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/src/bro.bif b/src/bro.bif
index 4366d26951..aa15443e64 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -2914,7 +2914,7 @@ function decode_base64_custom%(s: string, a: string%): string %} %%{ -#include "DCE_RPC.h" +#include "analyzer/protocols/dce-rpc/DCE_RPC.h" typedef struct { uint32 time_low;
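Review bot: ZIP_Analyzer derives from TCP_SupportAnalyzer (ZIP.h hunk) and is registered with a null factory as `BRO_PLUGIN_ANALYZER("ZIP", 0);`, yet this same commit adds `BRO_PLUGIN_SUPPORT_ANALYZER(tag)` to src/plugin/Macros.h for precisely that case; use `BRO_PLUGIN_SUPPORT_ANALYZER("ZIP");` here. Expanding to the same Component call today, the dedicated macro documents the intent at the registration site and keeps ZIP in step if support-analyzer registration later gains its own semantics. A short comment in Macros.h above the new macro, e.g. `// Registers a support analyzer: it is attached by a parent analyzer rather than instantiated through a factory, hence the null factory.`, would make the distinction clear to the next plugin author.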
@@ -4262,7 +4262,7 @@ function set_login_state%(cid: conn_id, new_state: count%): bool %} %%{ -#include "TCP.h" +#include "analyzer/protocols/tcp/TCP.h" %%} ## Get the originator sequence number of a TCP connection. Sequence numbers @@ -4326,7 +4326,7 @@ function get_resp_seq%(cid: conn_id%): count %} %%{ -#include "SMTP.h" +#include "analyzer/protocols/smtp/SMTP.h" %%} ## Skips SMTP data until the next email in a connection. diff --git a/src/builtin-func.l b/src/builtin-func.l index b23ef43e22..b2da7cb7c3 100644 --- a/src/builtin-func.l +++ b/src/builtin-func.l @@ -207,7 +207,7 @@ void init_alternative_mode() for ( char* p = guard; *p; p++ ) { - if ( strchr("/.", *p) ) + if ( strchr("/.-", *p) ) *p = '_'; } diff --git a/src/parse.y b/src/parse.y index 520623de2c..449b472c0c 100644 --- a/src/parse.y +++ b/src/parse.y @@ -79,7 +79,7 @@ #include "Expr.h" #include "Stmt.h" #include "Var.h" -#include "DNS.h" +/* #include "analyzer/protocols/dns/DNS.h" */ #include "RE.h" #include "Scope.h" #include "Reporter.h" diff --git a/src/plugin/Macros.h b/src/plugin/Macros.h index 1ddcb1afc8..39bb190f8c 100644 --- a/src/plugin/Macros.h +++ b/src/plugin/Macros.h @@ -36,6 +36,9 @@ #define BRO_PLUGIN_ANALYZER(tag, factory) \ AddComponent(new ::analyzer::Component(tag, factory)); +#define BRO_PLUGIN_SUPPORT_ANALYZER(tag) \ + AddComponent(new ::analyzer::Component(tag, 0)); + #define BRO_PLUGIN_ANALYZER_EXT(tag, factory, enabled, partial) \ AddComponent(new ::analyzer::Component(tag, factory, 0, enabled, partial)); diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 0db69c1f17..a4933aba7b 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
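Review bot: The guard sanitizer in init_alternative_mode now maps `/`, `.` and `-` to `_` (the new `-` is needed for the dce-rpc directory), but any other character that is not legal in a C identifier would still be emitted verbatim into the generated header guard, and the next oddly named directory will need another one-character patch. Rejecting the whole class at once, `if ( ! isalnum((unsigned char) *p) ) *p = '_';`, covers every separator without maintaining a list; a leading digit would still need handling if directory names can start with one. init_alternative_mode starts outside the hunk.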
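Review bot: In parse.y the DNS include is replaced by a commented-out line, `/* #include "analyzer/protocols/dns/DNS.h" */`, rather than removed. If the parser no longer needs anything from DNS.h the line should simply go; a commented-out include with a freshly rewritten path reads as if it were still expected to work and tends to be reactivated later against a stale location.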
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-09-22-37-59 +#open 2013-04-17-03-50-16 #fields name #types string scripts/base/init-bare.bro 
@@ -33,9 +33,45 @@ scripts/base/init-bare.bro scripts/base/frameworks/analyzer/./main.bro build/scripts/base/bif/analyzer.bif.bro build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./AYIYA.events.bif.bro + build/scripts/base/bif/plugins/./BACKDOOR.events.bif.bro + build/scripts/base/bif/plugins/./BITTORRENT.events.bif.bro + build/scripts/base/bif/plugins/./BackDoor.events.bif.bro + build/scripts/base/bif/plugins/./BitTorrent.events.bif.bro + build/scripts/base/bif/plugins/./ConnSize.events.bif.bro + build/scripts/base/bif/plugins/./DCE_RPC.events.bif.bro + build/scripts/base/bif/plugins/./DHCP.events.bif.bro + build/scripts/base/bif/plugins/./DNS.events.bif.bro + build/scripts/base/bif/plugins/./FTP.events.bif.bro + build/scripts/base/bif/plugins/./File.events.bif.bro + build/scripts/base/bif/plugins/./FileAnalyzer.events.bif.bro + build/scripts/base/bif/plugins/./Finger.events.bif.bro + build/scripts/base/bif/plugins/./GTPV1.events.bif.bro + build/scripts/base/bif/plugins/./Gnutella.events.bif.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro + build/scripts/base/bif/plugins/./ICMP.events.bif.bro + build/scripts/base/bif/plugins/./IRC.events.bif.bro + build/scripts/base/bif/plugins/./Ident.events.bif.bro + build/scripts/base/bif/plugins/./InterConn.events.bif.bro + build/scripts/base/bif/plugins/./Login.events.bif.bro + build/scripts/base/bif/plugins/./Modbus.events.bif.bro + build/scripts/base/bif/plugins/./NCP.events.bif.bro + build/scripts/base/bif/plugins/./NTP.events.bif.bro + build/scripts/base/bif/plugins/./NetbiosSSN.events.bif.bro + build/scripts/base/bif/plugins/./PIA.events.bif.bro + build/scripts/base/bif/plugins/./POP3.events.bif.bro + build/scripts/base/bif/plugins/./RPC.events.bif.bro + build/scripts/base/bif/plugins/./SMB.events.bif.bro + build/scripts/base/bif/plugins/./SMTP.events.bif.bro + build/scripts/base/bif/plugins/./SOCKS.events.bif.bro + 
build/scripts/base/bif/plugins/./SSH.events.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./SteppingStone.events.bif.bro build/scripts/base/bif/plugins/./Syslog.events.bif.bro + build/scripts/base/bif/plugins/./TCP.events.bif.bro + build/scripts/base/bif/plugins/./Teredo.events.bif.bro + build/scripts/base/bif/plugins/./UDP.events.bif.bro + build/scripts/base/bif/plugins/./ZIP.events.bif.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-09-22-37-59 +#close 2013-04-17-03-50-16 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index aa406976a0..d469dad0bc 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2013-04-09-22-38-15 +#open 2013-04-17-03-50-51 #fields name #types string scripts/base/init-bare.bro 
@@ -33,10 +33,46 @@ scripts/base/init-bare.bro scripts/base/frameworks/analyzer/./main.bro build/scripts/base/bif/analyzer.bif.bro build/scripts/base/bif/plugins/__load__.bro + build/scripts/base/bif/plugins/./AYIYA.events.bif.bro + build/scripts/base/bif/plugins/./BACKDOOR.events.bif.bro + build/scripts/base/bif/plugins/./BITTORRENT.events.bif.bro + build/scripts/base/bif/plugins/./BackDoor.events.bif.bro + build/scripts/base/bif/plugins/./BitTorrent.events.bif.bro + build/scripts/base/bif/plugins/./ConnSize.events.bif.bro + build/scripts/base/bif/plugins/./DCE_RPC.events.bif.bro + build/scripts/base/bif/plugins/./DHCP.events.bif.bro + build/scripts/base/bif/plugins/./DNS.events.bif.bro + build/scripts/base/bif/plugins/./FTP.events.bif.bro + build/scripts/base/bif/plugins/./File.events.bif.bro + build/scripts/base/bif/plugins/./FileAnalyzer.events.bif.bro + build/scripts/base/bif/plugins/./Finger.events.bif.bro + build/scripts/base/bif/plugins/./GTPV1.events.bif.bro + build/scripts/base/bif/plugins/./Gnutella.events.bif.bro build/scripts/base/bif/plugins/./HTTP.events.bif.bro build/scripts/base/bif/plugins/./HTTP.functions.bif.bro + build/scripts/base/bif/plugins/./ICMP.events.bif.bro + build/scripts/base/bif/plugins/./IRC.events.bif.bro + build/scripts/base/bif/plugins/./Ident.events.bif.bro + build/scripts/base/bif/plugins/./InterConn.events.bif.bro + build/scripts/base/bif/plugins/./Login.events.bif.bro + build/scripts/base/bif/plugins/./Modbus.events.bif.bro + build/scripts/base/bif/plugins/./NCP.events.bif.bro + build/scripts/base/bif/plugins/./NTP.events.bif.bro + build/scripts/base/bif/plugins/./NetbiosSSN.events.bif.bro + build/scripts/base/bif/plugins/./PIA.events.bif.bro + build/scripts/base/bif/plugins/./POP3.events.bif.bro + build/scripts/base/bif/plugins/./RPC.events.bif.bro + build/scripts/base/bif/plugins/./SMB.events.bif.bro + build/scripts/base/bif/plugins/./SMTP.events.bif.bro + build/scripts/base/bif/plugins/./SOCKS.events.bif.bro + 
build/scripts/base/bif/plugins/./SSH.events.bif.bro build/scripts/base/bif/plugins/./SSL.events.bif.bro + build/scripts/base/bif/plugins/./SteppingStone.events.bif.bro build/scripts/base/bif/plugins/./Syslog.events.bif.bro + build/scripts/base/bif/plugins/./TCP.events.bif.bro + build/scripts/base/bif/plugins/./Teredo.events.bif.bro + build/scripts/base/bif/plugins/./UDP.events.bif.bro + build/scripts/base/bif/plugins/./ZIP.events.bif.bro scripts/base/init-default.bro scripts/base/utils/site.bro scripts/base/utils/./patterns.bro @@ -127,4 +163,4 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/./main.bro scripts/base/misc/find-checksum-offloading.bro scripts/policy/misc/loaded-scripts.bro -#close 2013-04-09-22-38-15 +#close 2013-04-17-03-50-51 diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output b/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output index 69285a4dbe..600f353088 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output +++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.schedule-analyzer/output @@ -1,5 +1,5 @@ APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_DNS APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_FTP -APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_SSH APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_HTTP +APPLIED:, 1299491995.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=6/tcp], Analyzer::ANALYZER_SSH APPLIED:, 1299499195.0, [orig_h=10.0.0.2, orig_p=20/tcp, resp_h=10.0.0.3, resp_p=8/tcp], Analyzer::ANALYZER_DNS 
diff --git a/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro b/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro index e67a4fa82b..114ea73673 100644 --- a/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro +++ b/testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro @@ -1,5 +1,5 @@ # -# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT >output +# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT | sort >output # @TEST-EXEC: btest-diff output global x = 0;
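Review bot: With `bro -b -r ${TRACES}/rotation.trace %INPUT | sort >output` the exit status of the @TEST-EXEC line is sort's, not bro's, so a crash or script error in bro no longer fails the test and is only caught indirectly if the truncated output happens to differ from the baseline. Capture first and sort in a separate step, `# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT >output.raw` followed by `# @TEST-EXEC: sort output.raw >output`, so each command's status is checked; a pipefail option would also work if the shell btest uses supports it, which I cannot confirm from here.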