diff --git a/NEWS b/NEWS
index 7877c33c19..7b77037228 100644
--- a/NEWS
+++ b/NEWS
@@ -73,32 +73,32 @@ New Functionality to raise instead of ``signature_match()``. This can be more efficient in certain scenarios compared to funneling every match through a single event. - The new syntax is to put the name of the event in brackets before the string - or identifier used as message. As an extension, it is possible to only provide - the bracketed event name. In this case, the framework expects the event's - parameters to consist of only state and data as follows: + The new syntax is to put the name of the event before the string used for the + ``msg`` argument. As an extension, it is possible to only provide an event name, + skipping ``msg``. In this case, the framework expects the event's parameters to + consist of only state and data as follows: signature only-event { payload /.*root/ - event [found_root] + event found_root } event found_root(state: signature_state, data: string) { } - Passing an additional message parameter to a custom event is possible with the - following syntax. The custom event's parameters need to align with those for the - ``signature_match()` event: + Using the ``msg`` parameter with a custom event looks as follows. The custom + event's parameters need to align with those for ``signature_match()` event: signature event-with-msg { payload /.*root/ - event [found_root_with_msg] "the-message" + event found_root_with_msg "the-message" } event found_root_with_msg(state: signature_state, msg: string, data: string) { } - The message can also be specified as a Zeek side identifier, in which case - its initial value will be passed to the custom events. This is identical - to the behavior with the default ``signature_match()`` event. + Note, the message argument can currently still be specified as a Zeek identifier + referring to a script-level string value. If used, this is disambiguated behind + the scenes for the first variant. 
Specifying ``msg`` as a Zeek identifier has + been deprecated with the new event support and will be removed in the future. Note that matches for signatures with custom events will not be recorded in ``signatures.log``. This log is based on the generation of ``signature_match()`` @@ -145,6 +145,9 @@ Deprecated Functionality have been marked for removal. The feature of finding unused event handlers is provided by default via the ``UsageAnalyzer`` component. +- Using a Zeek identifier for the ``msg`` argument within a signatures's ``event`` + keyword has been deprecated. + Zeek 6.1.0 ========== diff --git a/src/RuleAction.cc b/src/RuleAction.cc index 55ad354d85..e6b0f7f204 100644 --- a/src/RuleAction.cc +++ b/src/RuleAction.cc @@ -15,6 +15,8 @@ using std::string; namespace zeek::detail { +bool is_event(const char* id) { return zeek::event_registry->Lookup(id) != nullptr; } + RuleActionEvent::RuleActionEvent(const char* arg_msg) : msg(make_intrusive(arg_msg)), handler(signature_match) {} diff --git a/src/RuleAction.h b/src/RuleAction.h index 3d78c5be8a..edbdf94c9d 100644 --- a/src/RuleAction.h +++ b/src/RuleAction.h @@ -17,6 +17,9 @@ namespace detail { class Rule; class RuleEndpointState; +// Returns true if the given C-string represents a registered event. +bool is_event(const char* id); + // Base class of all rule actions. class RuleAction { public: diff --git a/src/rule-parse.y b/src/rule-parse.y index a4b85d21a8..33fa8dd0c5 100644 --- a/src/rule-parse.y +++ b/src/rule-parse.y 
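Review bot: `is_event()` in RuleAction.cc now decides how the signature grammar reads `event <ident>`, but neither the definition nor the header comment says that the answer depends on the event already being known to the registry when the signature file is parsed, nor whether `event_registry->Lookup()` is a pure query or can register the name as a side effect; the `unknown script-level identifier (non_existing_event)` baseline change in this commit hinges on exactly that ordering. I would extend the header comment to `// Returns true if `id` names an event already known to the event registry at call time; used by the signature parser to disambiguate "event <ident>" (event name vs. deprecated msg identifier).` and put a one-line comment on the definition as well. Whether `Lookup()` tolerates a null `id` or has registration side effects is not visible here, so confirm before documenting either way; if it does not accept nullptr, a cheap `return id != nullptr && ...` guard would make the helper safe for any caller.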
@@ -191,13 +191,33 @@ rule_attr:
 (zeek::detail::RuleHdrTest::Comp) $2, $3));
 }
- | TOK_EVENT '[' TOK_IDENT ']'
- { current_rule->AddAction(new zeek::detail::RuleActionEvent(nullptr, $3)); }
+ | TOK_EVENT TOK_IDENT
+ {
+ if ( is_event($2) )
+ current_rule->AddAction(new zeek::detail::RuleActionEvent(nullptr, $2));
+ else
+ {
+ const char *msg = id_to_str($2);
+ if ( ! zeek::util::streq(msg, "") )
+ zeek::reporter->Deprecation(zeek::util::fmt("Remove in v7.1: Using an identifier for msg is deprecated (%s:%d)",
+ current_rule_file, rules_line_number+1));
+ current_rule->AddAction(new zeek::detail::RuleActionEvent(msg));
+ }
+ }
- | TOK_EVENT '[' TOK_IDENT ']' string
- { current_rule->AddAction(new zeek::detail::RuleActionEvent($5, $3)); }
+ | TOK_EVENT TOK_IDENT TOK_IDENT
+ {
+ // Maybe remove in v7.1: Once we do not support msg as identifier,
+ // this extra messaging isn't all that useful anymore, but it
+ // beats a syntax error.
+ rules_error("custom event and identifier for msg unsupported");
+ zeek::detail::rule_matcher->SetParseError();
+ }
- | TOK_EVENT string
+ | TOK_EVENT TOK_IDENT TOK_STRING
+ { current_rule->AddAction(new zeek::detail::RuleActionEvent($3, $2)); }
+
+ | TOK_EVENT TOK_STRING
 { current_rule->AddAction(new zeek::detail::RuleActionEvent($2)); }
 | TOK_MIME string opt_strength
@@ -444,14 +464,14 @@ pattern:
 void rules_error(const char* msg)
 {
- zeek::reporter->Error("Error in signature (%s:%d): %s\n",
+ zeek::reporter->Error("Error in signature (%s:%d): %s",
 current_rule_file, rules_line_number+1, msg);
 zeek::detail::rule_matcher->SetParseError();
 }
 void rules_error(const char* msg, const char* addl)
 {
- zeek::reporter->Error("Error in signature (%s:%d): %s (%s)\n",
+ zeek::reporter->Error("Error in signature (%s:%d): %s (%s)",
 current_rule_file, rules_line_number+1, msg, addl);
 zeek::detail::rule_matcher->SetParseError();
 }
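Review bot: The `else` branch of the new `TOK_EVENT TOK_IDENT` rule turns a mistyped custom event name into a script-identifier diagnostic — the updated baseline in this commit shows `non_existing_event` reported as `unknown script-level identifier` instead of the previous `unknown event ... specified in rule` — so users of the new, non-deprecated form get an error phrased in terms of the deprecated one. If the lookup behind `id_to_str()` can be queried without emitting an error (not visible in this hunk), I would report `rules_error("unknown event (or script-level identifier for msg)", $2);` when neither resolves; failing that, at least mention the event case in the message `id_to_str()` emits. The `! zeek::util::streq(msg, "")` guard also conflates a failed lookup with an identifier that legitimately holds an empty string, and the action is still added with that empty msg after the failure; testing the parse-error state that `id_to_str()` presumably sets (as `rules_error()` does via `SetParseError()`) would be more precise than inspecting the returned string. In the `TOK_EVENT TOK_IDENT TOK_IDENT` branch the explicit `zeek::detail::rule_matcher->SetParseError();` is redundant, since `rules_error(const char*)` in the second hunk already calls it.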
@@ -459,7 +479,7 @@ void rules_error(const char* msg, const char* addl) void rules_error(zeek::detail::Rule* r, const char* msg) { const zeek::detail::Location& l = r->GetLocation(); - zeek::reporter->Error("Error in signature %s (%s:%d): %s\n", + zeek::reporter->Error("Error in signature %s (%s:%d): %s", r->ID(), l.filename, l.first_line, msg); zeek::detail::rule_matcher->SetParseError(); } diff --git a/testing/btest/Baseline/core.parse-only-signature-file-issues/invalid-sig-file b/testing/btest/Baseline/core.parse-only-signature-file-issues/invalid-sig-file index 5216ce608e..baa0783e46 100644 --- a/testing/btest/Baseline/core.parse-only-signature-file-issues/invalid-sig-file +++ b/testing/btest/Baseline/core.parse-only-signature-file-issues/invalid-sig-file @@ -1,3 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. error: Error in signature (./test.sig:1): syntax error - diff --git a/testing/btest/Baseline/signatures.bad-eval-condition/.stderr b/testing/btest/Baseline/signatures.bad-eval-condition/.stderr index f4479230cb..c3de9ff503 100644 --- a/testing/btest/Baseline/signatures.bad-eval-condition/.stderr +++ b/testing/btest/Baseline/signatures.bad-eval-condition/.stderr @@ -1,4 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. warning in <...>/bad-eval-condition.zeek, line 9: Wrong number of arguments for function. Expected 2, got 1. (function(state:signature_state) : bool) error: Error in signature (./blah.sig:6): eval function parameters must be a 'signature_state' and a 'string' type (mark_conn) - diff --git a/testing/btest/Baseline/signatures.custom-event-errors/.stderr b/testing/btest/Baseline/signatures.custom-event-errors/.stderr index 64eb04875e..68f7bf5815 100644 --- a/testing/btest/Baseline/signatures.custom-event-errors/.stderr +++ b/testing/btest/Baseline/signatures.custom-event-errors/.stderr 
@@ -1,8 +1,9 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -warning in <...>/custom-event-errors.zeek, line 7: Wrong number of arguments for function. Expected 3, got 2. (event(state:signature_state, data:string)) +warning in <...>/custom-event-errors.zeek, line 9: Wrong number of arguments for function. Expected 3, got 2. (event(state:signature_state, data:string)) error: wrong event parameters for 'wrong_signature2' -warning in <...>/custom-event-errors.zeek, line 9: Wrong number of arguments for function. Expected 2, got 3. (event(state:signature_state, msg:string, data:string)) +warning in <...>/custom-event-errors.zeek, line 11: Wrong number of arguments for function. Expected 2, got 3. (event(state:signature_state, msg:string, data:string)) error: wrong event parameters for 'wrong_signature3' -warning in <...>/custom-event-errors.zeek, line 11: Type mismatch in function argument #1. Expected string, got count. (event(state:signature_state, msg:count, data:string)) +warning in <...>/custom-event-errors.zeek, line 13: Type mismatch in function argument #1. Expected string, got count. (event(state:signature_state, msg:count, data:string)) error: wrong event parameters for 'wrong_signature4' -error: unknown event 'non_existing_event' specified in rule +error: Error in signature (./id.sig:19): unknown script-level identifier (non_existing_event) +error: Error in signature (./id2.sig:4): custom event and identifier for msg unsupported diff --git a/testing/btest/Baseline/signatures.custom-event/.stderr b/testing/btest/Baseline/signatures.custom-event/.stderr index 49d861c74c..82d88c6d62 100644 --- a/testing/btest/Baseline/signatures.custom-event/.stderr +++ b/testing/btest/Baseline/signatures.custom-event/.stderr 
@@ -1 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +warning: Remove in v7.1: Using an identifier for msg is deprecated (./id.sig:9) diff --git a/testing/btest/Baseline/signatures.custom-event/out b/testing/btest/Baseline/signatures.custom-event/out index 6305bd639e..e6984c7450 100644 --- a/testing/btest/Baseline/signatures.custom-event/out +++ b/testing/btest/Baseline/signatures.custom-event/out @@ -1,5 +1,4 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. signature_match2 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message from identifier (cannot be changed) -signature_match3 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message from identifier (cannot be changed) signature_match3 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message diff --git a/testing/btest/Baseline/signatures.udp-state/reject b/testing/btest/Baseline/signatures.udp-state/reject index 9d97a9ac45..17e8dd6613 100644 --- a/testing/btest/Baseline/signatures.udp-state/reject +++ b/testing/btest/Baseline/signatures.udp-state/reject @@ -1,3 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. error: Error in signature (./udp-established.sig:5): 'established' is not a valid 'udp-state' - diff --git a/testing/btest/signatures/custom-event-errors.zeek b/testing/btest/signatures/custom-event-errors.zeek index cf4700c1da..445d68f443 100644 --- a/testing/btest/signatures/custom-event-errors.zeek +++ b/testing/btest/signatures/custom-event-errors.zeek 
@@ -1,29 +1,37 @@ # @TEST-DOC: Using the wrong paramters for custom signature events. # # @TEST-EXEC-FAIL: zeek -b -s id -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >id.out +# @TEST-EXEC-FAIL: zeek -b -s id2 -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >id.out # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr @TEST-START-FILE id.sig signature udp-proto { ip-proto == 17 - event [wrong_signature2] "id" + event wrong_signature2 "id" } signature udp-proto2 { ip-proto == 17 - event [wrong_signature3] + event wrong_signature3 } signature udp-proto3 { ip-proto == 17 - event [wrong_signature4] "not a count" + event wrong_signature4 "not a count" } signature udp-proto4 { ip-proto == 17 - event [non_existing_event] + event non_existing_event } +@TEST-END-FILE +@TEST-START-FILE id2.sig +# Using two identifiers is not supported. +signature udp-proto-msg-id { + ip-proto == 17 + event signature_match message_as_id +} @TEST-END-FILE event wrong_signature2(state: signature_state, data: string) { } diff --git a/testing/btest/signatures/custom-event.zeek b/testing/btest/signatures/custom-event.zeek index 7aa5c5a15f..9b9a750a78 100644 --- a/testing/btest/signatures/custom-event.zeek +++ b/testing/btest/signatures/custom-event.zeek @@ -7,12 +7,7 @@ @TEST-START-FILE id.sig signature udp-proto { ip-proto == 17 - event [my_signature_match3] "message" -} - -signature udp-proto-msg-id { - ip-proto == 17 - event [my_signature_match3] message_as_id + event my_signature_match3 "message" } signature udp-proto-msg-id2 { @@ -22,7 +17,7 @@ signature udp-proto-msg-id2 { signature udp-stuff { dst-ip == mynets - event [my_signature_match2] + event my_signature_match2 } @TEST-END-FILE
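Review bot: In custom-event-errors.zeek the added `@TEST-EXEC-FAIL` line for `id2` redirects stdout to the same `id.out` as the first run, so the second invocation overwrites the first; the test only diffs `.stderr`, so nothing breaks, but `>id2.out` (or dropping the redirect, since stdout is never compared) would avoid the misleading clobber. The new id2.sig covers only the two-identifier parse error; there is still no case exercising an identifier that is neither a registered event nor a script-level value under the new grammar beyond `non_existing_event`, whose diagnostic changed in this commit, so the baseline line-number shifts here are worth double-checking against that intent.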