Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 10:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

better testcase & fix a few bugs (that took way too long to find).

Browse source
This commit is contained in:
Bernhard Amann 2012-02-20 15:30:21 -08:00
parent fe5b376d28
commit edd30da082
4 changed files with 95 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

34
src/input/Manager.cc
View file

@ -22,7 +22,7 @@ using threading::Value;
using threading::Field; using threading::Field;
struct InputHash { struct InputHash {
HashKey* valhash; hash_t valhash;
HashKey* idxkey; // does not need ref or whatever - if it is present here, it is also still present in the TableVal. HashKey* idxkey; // does not need ref or whatever - if it is present here, it is also still present in the TableVal.
}; };
@ -776,11 +776,15 @@ int Manager::SendEntryTable(const ReaderFrontend* reader, const int id, const Va
//reporter->Error("Hashing %d index fields", i->num_idx_fields); //reporter->Error("Hashing %d index fields", i->num_idx_fields);
HashKey* idxhash = HashValues(filter->num_idx_fields, vals); HashKey* idxhash = HashValues(filter->num_idx_fields, vals);
//reporter->Error("Result: %d", (uint64_t) idxhash->Hash()); //reporter->Error("Result: %d\n", (uint64_t) idxhash->Hash());
//reporter->Error("Hashing %d val fields", i->num_val_fields); //reporter->Error("Hashing %d val fields", i->num_val_fields);
HashKey* valhash = 0;
if ( filter->num_val_fields > 0 ) hash_t valhash = 0;
valhash = HashValues(filter->num_val_fields, vals+filter->num_idx_fields); if ( filter->num_val_fields > 0 ) {
HashKey* valhashkey = HashValues(filter->num_val_fields, vals+filter->num_idx_fields);
valhash = valhashkey->Hash();
delete(valhashkey);
}
//reporter->Error("Result: %d", (uint64_t) valhash->Hash()); //reporter->Error("Result: %d", (uint64_t) valhash->Hash());
@ -789,7 +793,7 @@ int Manager::SendEntryTable(const ReaderFrontend* reader, const int id, const Va
InputHash *h = filter->lastDict->Lookup(idxhash); InputHash *h = filter->lastDict->Lookup(idxhash);
if ( h != 0 ) { if ( h != 0 ) {
// seen before // seen before
if ( filter->num_val_fields == 0 || h->valhash->Hash() == valhash->Hash() ) { if ( filter->num_val_fields == 0 || h->valhash == valhash ) {
// ok, exact duplicate // ok, exact duplicate
filter->lastDict->Remove(idxhash); filter->lastDict->Remove(idxhash);
filter->currDict->Insert(idxhash, h); filter->currDict->Insert(idxhash, h);
@ -862,7 +866,7 @@ int Manager::SendEntryTable(const ReaderFrontend* reader, const int id, const Va
if ( updated == true ) { if ( updated == true ) {
assert(filter->num_val_fields > 0); assert(filter->num_val_fields > 0);
// in that case, we need the old value to send the event (if we send an event). // in that case, we need the old value to send the event (if we send an event).
oldval = filter->tab->Lookup(idxval); oldval = filter->tab->Lookup(idxval, false);
} }
//i->tab->Assign(idxval, valval); //i->tab->Assign(idxval, valval);
@ -872,6 +876,8 @@ int Manager::SendEntryTable(const ReaderFrontend* reader, const int id, const Va
return filter->num_val_fields + filter->num_idx_fields; return filter->num_val_fields + filter->num_idx_fields;
} }
if ( filter->event && updated )
Ref(oldval); // otherwise it is no longer accessible after the assignment
filter->tab->Assign(idxval, k, valval); filter->tab->Assign(idxval, k, valval);
InputHash* ih = new InputHash(); InputHash* ih = new InputHash();
@ -891,7 +897,6 @@ int Manager::SendEntryTable(const ReaderFrontend* reader, const int id, const Va
assert ( filter->num_val_fields > 0 ); assert ( filter->num_val_fields > 0 );
ev = new EnumVal(BifEnum::Input::EVENT_CHANGED, BifType::Enum::Input::Event); ev = new EnumVal(BifEnum::Input::EVENT_CHANGED, BifType::Enum::Input::Event);
assert ( oldval != 0 ); assert ( oldval != 0 );
Ref(oldval);
SendEvent(filter->event, 3, ev, predidx, oldval); SendEvent(filter->event, 3, ev, predidx, oldval);
} else { } else {
ev = new EnumVal(BifEnum::Input::EVENT_NEW, BifType::Enum::Input::Event); ev = new EnumVal(BifEnum::Input::EVENT_NEW, BifType::Enum::Input::Event);
@ -1468,7 +1473,7 @@ int Manager::CopyValue(char *data, const int startpos, const Value* val) {
int length = 0; int length = 0;
memcpy(data+startpos, (const void*) &(val->val.port_val.port), sizeof(val->val.port_val.port)); memcpy(data+startpos, (const void*) &(val->val.port_val.port), sizeof(val->val.port_val.port));
length += sizeof(val->val.port_val.port); length += sizeof(val->val.port_val.port);
memcpy(data+startpos, (const void*) &(val->val.port_val.proto), sizeof(val->val.port_val.proto)); memcpy(data+startpos+length, (const void*) &(val->val.port_val.proto), sizeof(val->val.port_val.proto));
length += sizeof(val->val.port_val.proto); length += sizeof(val->val.port_val.proto);
return length; return length;
break; break;
@ -1500,7 +1505,7 @@ int Manager::CopyValue(char *data, const int startpos, const Value* val) {
int length = 0; int length = 0;
memcpy(data+startpos,(const char*) &(val->val.subnet_val.width), sizeof(val->val.subnet_val.width) ); memcpy(data+startpos,(const char*) &(val->val.subnet_val.width), sizeof(val->val.subnet_val.width) );
length += sizeof(val->val.subnet_val.width); length += sizeof(val->val.subnet_val.width);
memcpy(data+startpos, (const char*) &(val->val.subnet_val.net), sizeof(val->val.subnet_val.net) ); memcpy(data+startpos+length, (const char*) &(val->val.subnet_val.net), sizeof(val->val.subnet_val.net) );
length += sizeof(val->val.subnet_val.net); length += sizeof(val->val.subnet_val.net);
return length; return length;
break; break;
@ -1508,7 +1513,8 @@ int Manager::CopyValue(char *data, const int startpos, const Value* val) {
case TYPE_TABLE: { case TYPE_TABLE: {
int length = 0; int length = 0;
for ( int i = 0; i < val->val.set_val.size; i++ ) { int j = val->val.set_val.size;
for ( int i = 0; i < j; i++ ) {
length += CopyValue(data, startpos+length, val->val.set_val.vals[i]); length += CopyValue(data, startpos+length, val->val.set_val.vals[i]);
} }
return length; return length;
@ -1531,6 +1537,7 @@ int Manager::CopyValue(char *data, const int startpos, const Value* val) {
} }
reporter->InternalError("internal error"); reporter->InternalError("internal error");
assert(false);
return 0; return 0;
} }
@ -1550,13 +1557,16 @@ HashKey* Manager::HashValues(const int num_elements, const Value* const *vals) {
if ( data == 0 ) { if ( data == 0 ) {
reporter->InternalError("Could not malloc?"); reporter->InternalError("Could not malloc?");
} }
memset(data, 0, length);
for ( int i = 0; i < num_elements; i++ ) { for ( int i = 0; i < num_elements; i++ ) {
const Value* val = vals[i]; const Value* val = vals[i];
position += CopyValue(data, position, val); position += CopyValue(data, position, val);
} }
hash_t key = HashKey::HashBytes(data, length);
assert(position == length); assert(position == length);
return new HashKey(data, length); return new HashKey(data, length, key, true);
} }

21
src/input/readers/Ascii.cc
View file

@ -268,7 +268,7 @@ Value* Ascii::EntryToVal(string s, FieldMapping field) {
if ( s.compare(unset_field) == 0 ) { // field is not set... if ( s.compare(unset_field) == 0 ) { // field is not set...
return new Value(field.type, false); return new Value(field.type, false);
} }
switch ( field.type ) { switch ( field.type ) {
case TYPE_ENUM: case TYPE_ENUM:
case TYPE_STRING: case TYPE_STRING:
@ -302,6 +302,7 @@ Value* Ascii::EntryToVal(string s, FieldMapping field) {
break; break;
case TYPE_PORT: case TYPE_PORT:
val->val.port_val.port = 0;
val->val.port_val.port = atoi(s.c_str()); val->val.port_val.port = atoi(s.c_str());
val->val.port_val.proto = TRANSPORT_UNKNOWN; val->val.port_val.proto = TRANSPORT_UNKNOWN;
break; break;
@ -312,19 +313,27 @@ Value* Ascii::EntryToVal(string s, FieldMapping field) {
val->val.subnet_val.width = atoi(width.c_str()); val->val.subnet_val.width = atoi(width.c_str());
string addr = s.substr(0, pos); string addr = s.substr(0, pos);
s = addr; s = addr;
// NOTE: dotted_to_addr BREAKS THREAD SAFETY! it uses reporter.
// Solve this some other time....
#ifdef BROv6 #ifdef BROv6
if ( s.find(':') != s.npos ) { if ( s.find(':') != s.npos ) {
uint32* addr = dotted_to_addr6(s.c_str()); uint32* addr = new uint32[4];
if ( inet_pton(AF_INET6, s.c_str(), addr) <= 0 ) {
Error(Fmt("Bad IPv6 address: %s", s.c_str()));
val->val.subnet_val.net[0] = val->val.subnet_val.net[1] = val->val.subnet_val.net[2] = val->val.subnet_val.net[3] = 0;
}
copy_addr(val->val.subnet_val.net, addr); copy_addr(val->val.subnet_val.net, addr);
delete addr; delete addr;
} else { } else {
val->val.subnet_val.net[0] = val->val.subnet_val.net[1] = val->val.subnet_val.net[2] = 0; val->val.subnet_val.net[0] = val->val.subnet_val.net[1] = val->val.subnet_val.net[2] = 0;
val->val.subnet_val.net[3] = dotted_to_addr(s.c_str()); if ( inet_aton(s.c_str(), &(val->val.subnet_val.net[3])) <= 0 ) {
Error(Fmt("Bad addres: %s", s.c_str()));
val->val.subnet_val.net[3] = 0;
}
} }
#else #else
val->val.subnet_val.net = dotted_to_addr(s.c_str()); if ( inet_aton(s.c_str(), (in_addr*) &(val->val.subnet_val.net)) <= 0 ) {
Error(Fmt("Bad addres: %s", s.c_str()));
val->val.subnet_val.net = 0;
}
#endif #endif
break; break;

48
testing/btest/Baseline/scripts.base.frameworks.input.reread/out
View file

@ -1,3 +1,19 @@
============EVENT============
Input::EVENT_NEW
[i=-42]
[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
==========SERVERS============
{ {
[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ [-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2, 2,
@ -12,6 +28,22 @@ BB
}, vc=[10, 20, 30], ve=[]] }, vc=[10, 20, 30], ve=[]]
} }
============EVENT============
Input::EVENT_NEW
[i=-43]
[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
==========SERVERS============
{ {
[-43] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ [-43] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2, 2,
@ -38,6 +70,22 @@ BB
}, vc=[10, 20, 30], ve=[]] }, vc=[10, 20, 30], ve=[]]
} }
============EVENT============
Input::EVENT_CHANGED
[i=-43]
[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2,
4,
1,
3
}, ss={
CC,
AA,
BB
}, se={
}, vc=[10, 20, 30], ve=[]]
==========SERVERS============
{ {
[-43] = [b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={ [-43] = [b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
2, 2,

11
testing/btest/scripts/base/frameworks/input/reread.bro
View file

@ -70,16 +70,25 @@ global outfile: file;
global try: count; global try: count;
event line(tpe: Input::Event, left: Idx, right: Val) {
print outfile, "============EVENT============";
print outfile, tpe;
print outfile, left;
print outfile, right;
}
event bro_init() event bro_init()
{ {
outfile = open ("../out"); outfile = open ("../out");
try = 0; try = 0;
# first read in the old stuff into the table... # first read in the old stuff into the table...
Input::create_stream(A::INPUT, [$source="../input.log", $mode=Input::REREAD]); Input::create_stream(A::INPUT, [$source="../input.log", $mode=Input::REREAD]);
Input::add_tablefilter(A::INPUT, [$name="ssh", $idx=Idx, $val=Val, $destination=servers]); Input::add_tablefilter(A::INPUT, [$name="ssh", $idx=Idx, $val=Val, $destination=servers, $ev=line]);
} }
event Input::update_finished(id: Input::ID) { event Input::update_finished(id: Input::ID) {
print outfile, "==========SERVERS============";
print outfile, servers; print outfile, servers;
try = try + 1; try = try + 1;