diff --git a/NEWS b/NEWS index c29e0ff754..dd3c9b377c 100644 --- a/NEWS +++ b/NEWS @@ -55,6 +55,24 @@ New Functionality rebuilds. Previously, updates to included Zeek scripts didn't reliably trigger a rebuild. +- Added PacketAnalyzer::register_for_port(s) functions to the packet analyzer + framework in script-land. This allows a packet analyzer to register a port + mapping with a parent analyzer just like any other numeric identifier, while + also adding that port to the now-global Analyzer::ports table used by BPF + filtering. + +- Added AllAnalyzers::Tag enum type that combines the existing Analyzer::Tag, + PacketAnalyzer::Tag, and Files::Tags into a single enum. The existing types + still exist, but the new type can be used as an argument for + functions/hooks/events that need to handle any of the analyzer types. + +- Added protocol detection functionality to the packet analyzer framework. + Packet analyzers can register for protocol detection using the + ``PacketAnalyzer::register_protocol_detection`` script function and implement + the ``PacketAnalyzer::DetectProtocol`` method in C++. This allows packet + analyzer plugins to detect a protocol via byte matching or other heuristics + instead of relying solely on a numeric identifier for forwarding. + Changed Functionality --------------------- 
@@ -81,12 +99,21 @@ Changed Functionality on the local NIC - which typically causes the total-length of affected packets to be set to zero. +- The existing tunnel analyzers for AYIYA, Geneve, GTPv1, Teredo, and VXLAN + are now packet analyzers. + Removed Functionality --------------------- Deprecated Functionality ------------------------ +- The ``protocol_confirmation`` and ``protocol_violation`` events along with + the corresponding ``Analyzer::ProtocolConfirmation` and + ``Analyzer::ProtocolViolation`` C++ methods are marked as deprecated. They are + replaced by ``analyzer_confirmation`` and ``analyzer_violation`` which can also + now be implemented in packet analyzers. + Zeek 4.1.0 ========== diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek index 20c4bcad10..919a71b0c8 100644 --- a/scripts/base/frameworks/analyzer/main.zeek +++ b/scripts/base/frameworks/analyzer/main.zeek @@ -10,7 +10,7 @@ ##! the analyzers themselves, and documented in their analyzer-specific ##! description along with the events that they generate. ##! -##! Analyzer tags are also inserted into a global :zeek:type:`AllAnalyzers` enum +##! Analyzer tags are also inserted into a global :zeek:type:`AllAnalyzers::Tag` enum ##! type. This type contains duplicates of all of the :zeek:type:`Analyzer::Tag`, ##! :zeek:type:`PacketAnalyzer::Tag` and :zeek:type:`Files::Tag` enum values ##! and can be used for arguments to function/hook/event definitions where they diff --git a/src/zeekygen/Target.cc b/src/zeekygen/Target.cc index b03d7b8e2b..a4e62b742d 100644 --- a/src/zeekygen/Target.cc +++ b/src/zeekygen/Target.cc @@ -282,6 +282,7 @@ void ProtoAnalyzerTarget::DoCreateAnalyzerDoc(FILE* f) const fprintf(f, "==================\n\n"); WriteAnalyzerTagDefn(f, "Analyzer"); + WriteAnalyzerTagDefn(f, "AllAnalyzers"); plugin::Manager::plugin_list plugins = plugin_mgr->ActivePlugins(); plugin::Manager::plugin_list::const_iterator it;
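Review bot: In the first NEWS hunk (``@@ -55,6 +55,24 @@``), the AllAnalyzers::Tag entry names the file analyzer enum as ``Files::Tags``, while the scripts/base/frameworks/analyzer/main.zeek docstring changed in this same patch refers to :zeek:type:`Files::Tag`; one of the two spellings is wrong and they should agree. In the same hunk, "PacketAnalyzer::register_for_port(s)" would read better spelled out as the actual function names (presumably ``PacketAnalyzer::register_for_port`` and ``PacketAnalyzer::register_for_ports``) in the same double-backtick literal style the protocol detection entry below it already uses, so the rendered NEWS links and greps cleanly.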
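Review bot: In the Deprecated Functionality hunk (``@@ -81,12 +99,21 @@``), ``Analyzer::ProtocolConfirmation` opens with two backticks but closes with only one, leaving the RST inline literal unterminated so it will render incorrectly (and typically trigger a Sphinx warning); change it to ``Analyzer::ProtocolConfirmation`` to match ``Analyzer::ProtocolViolation`` on the following line. The Changed Functionality entry in the same hunk, which moves the AYIYA, Geneve, GTPv1, Teredo and VXLAN tunnel analyzers to packet analyzers, would be more useful to plugin and script authors if it stated what happens to the corresponding old Analyzer::Tag values (kept as aliases or removed), since any scripts or detection logic keyed on those tags are affected by the move.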
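Review bot: In the src/zeekygen/Target.cc hunk, `WriteAnalyzerTagDefn(f, "AllAnalyzers");` is added inside `ProtoAnalyzerTarget::DoCreateAnalyzerDoc`, so the combined enum, which per the NEWS entry also covers PacketAnalyzer::Tag and Files::Tag values, is documented only under the protocol analyzer heading. Consider a one-line comment above the call stating that this placement is intentional, or emitting the AllAnalyzers section under its own heading, so readers of the generated docs who look in the packet or file analyzer sections can find it.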