rule-parse: Remove [event_name] syntax, deprecate msg as identifier

As suggested by Robin. Thanks.

NEWS

@@ -73,32 +73,32 @@ New Functionality
   to raise instead of ``signature_match()``. This can be more efficient in certain
   scenarios compared to funneling every match through a single event.
 
-  The new syntax is to put the name of the event in brackets before the string
+  The new syntax is to put the name of the event before the string used for the
-  or identifier used as message. As an extension, it is possible to only provide
+  ``msg`` argument. As an extension, it is possible to only provide an event name,
-  the bracketed event name. In this case, the framework expects the event's
+  skipping ``msg``. In this case, the framework expects the event's parameters to
-  parameters to consist of only state and data as follows:
+  consist of only state and data as follows:
 
 	signature only-event {
 		payload /.*root/
-		event [found_root]
+		event found_root
 	}
 
 	event found_root(state: signature_state, data: string) { }
 
-  Passing an additional message parameter to a custom event is possible with the
+  Using the ``msg`` parameter with a custom event looks as follows. The custom
-  following syntax. The custom event's parameters need to align with those for the
+  event's parameters need to align with those for ``signature_match()` event:
-  ``signature_match()` event:
 
 	signature event-with-msg {
 		payload /.*root/
-		event [found_root_with_msg] "the-message"
+		event found_root_with_msg "the-message"
 	}
 
 	event found_root_with_msg(state: signature_state, msg: string, data: string) { }
 
-  The message can also be specified as a Zeek side identifier, in which case
+  Note, the message argument can currently still be specified as a Zeek identifier
-  its initial value will be passed to the custom events. This is identical
+  referring to a script-level string value. If used, this is disambiguated behind
-  to the behavior with the default ``signature_match()`` event.
+  the scenes for the first variant. Specifying ``msg`` as a Zeek identifier has
+  been deprecated with the new event support and will be removed in the future. 
 
   Note that matches for signatures with custom events will not be recorded in
   ``signatures.log``. This log is based on the generation of ``signature_match()``
@@ -145,6 +145,9 @@ Deprecated Functionality
   have been marked for removal. The feature of finding unused event handlers is
   provided by default via the ``UsageAnalyzer`` component.
 
+- Using a Zeek identifier for the ``msg`` argument within a signatures's ``event``
+  keyword has been deprecated.
+
 Zeek 6.1.0
 ==========
 

src/RuleAction.cc

@@ -15,6 +15,8 @@ using std::string;
 
 namespace zeek::detail {
 
+bool is_event(const char* id) { return zeek::event_registry->Lookup(id) != nullptr; }
+
 RuleActionEvent::RuleActionEvent(const char* arg_msg)
     : msg(make_intrusive<StringVal>(arg_msg)), handler(signature_match) {}
 

src/RuleAction.h

@@ -17,6 +17,9 @@ namespace detail {
 class Rule;
 class RuleEndpointState;
 
+// Returns true if the given C-string represents a registered event.
+bool is_event(const char* id);
+
 // Base class of all rule actions.
 class RuleAction {
 public:

src/rule-parse.y

@@ -191,13 +191,33 @@ rule_attr:
 				(zeek::detail::RuleHdrTest::Comp) $2, $3));
 			}
 
-	|	TOK_EVENT '[' TOK_IDENT ']'
+	|	TOK_EVENT TOK_IDENT
-			{ current_rule->AddAction(new zeek::detail::RuleActionEvent(nullptr, $3)); }
+			{
+			if ( is_event($2) )
+				current_rule->AddAction(new zeek::detail::RuleActionEvent(nullptr, $2));
+			else
+				{
+				const char *msg = id_to_str($2);
+				if ( ! zeek::util::streq(msg, "<error>") )
+					zeek::reporter->Deprecation(zeek::util::fmt("Remove in v7.1: Using an identifier for msg is deprecated (%s:%d)",
+					                                            current_rule_file, rules_line_number+1));
+				current_rule->AddAction(new zeek::detail::RuleActionEvent(msg));
+				}
+			}
 
-	|	TOK_EVENT '[' TOK_IDENT ']' string
+	|	TOK_EVENT TOK_IDENT TOK_IDENT
-			{ current_rule->AddAction(new zeek::detail::RuleActionEvent($5, $3)); }
+			{
+			// Maybe remove in v7.1: Once we do not support msg as identifier,
+			// this extra messaging isn't all that useful anymore, but it
+			// beats a syntax error.
+			rules_error("custom event and identifier for msg unsupported");
+			zeek::detail::rule_matcher->SetParseError();
+			}
 
-	|	TOK_EVENT string
+	|	TOK_EVENT TOK_IDENT TOK_STRING
+			{ current_rule->AddAction(new zeek::detail::RuleActionEvent($3, $2)); }
+
+	|	TOK_EVENT TOK_STRING
 			{ current_rule->AddAction(new zeek::detail::RuleActionEvent($2)); }
 
 	|	TOK_MIME string opt_strength
@@ -444,14 +464,14 @@ pattern:
 
 void rules_error(const char* msg)
 	{
-	zeek::reporter->Error("Error in signature (%s:%d): %s\n",
+	zeek::reporter->Error("Error in signature (%s:%d): %s",
 	                      current_rule_file, rules_line_number+1, msg);
 	zeek::detail::rule_matcher->SetParseError();
 	}
 
 void rules_error(const char* msg, const char* addl)
 	{
-	zeek::reporter->Error("Error in signature (%s:%d): %s (%s)\n",
+	zeek::reporter->Error("Error in signature (%s:%d): %s (%s)",
 	                      current_rule_file, rules_line_number+1, msg, addl);
 	zeek::detail::rule_matcher->SetParseError();
 	}
@@ -459,7 +479,7 @@ void rules_error(const char* msg, const char* addl)
 void rules_error(zeek::detail::Rule* r, const char* msg)
 	{
 	const zeek::detail::Location& l = r->GetLocation();
-	zeek::reporter->Error("Error in signature %s (%s:%d): %s\n",
+	zeek::reporter->Error("Error in signature %s (%s:%d): %s",
 	                      r->ID(), l.filename, l.first_line, msg);
 	zeek::detail::rule_matcher->SetParseError();
 	}

testing/btest/Baseline/core.parse-only-signature-file-issues/invalid-sig-file

@@ -1,3 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 error: Error in signature (./test.sig:1): syntax error
-

testing/btest/Baseline/signatures.bad-eval-condition/.stderr

@@ -1,4 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 warning in <...>/bad-eval-condition.zeek, line 9: Wrong number of arguments for function. Expected 2, got 1. (function(state:signature_state) : bool)
 error: Error in signature (./blah.sig:6): eval function parameters must be a 'signature_state' and a 'string' type (mark_conn)
-

testing/btest/Baseline/signatures.custom-event-errors/.stderr

@@ -1,8 +1,9 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-warning in <...>/custom-event-errors.zeek, line 7: Wrong number of arguments for function. Expected 3, got 2. (event(state:signature_state, data:string))
+warning in <...>/custom-event-errors.zeek, line 9: Wrong number of arguments for function. Expected 3, got 2. (event(state:signature_state, data:string))
 error: wrong event parameters for 'wrong_signature2'
-warning in <...>/custom-event-errors.zeek, line 9: Wrong number of arguments for function. Expected 2, got 3. (event(state:signature_state, msg:string, data:string))
+warning in <...>/custom-event-errors.zeek, line 11: Wrong number of arguments for function. Expected 2, got 3. (event(state:signature_state, msg:string, data:string))
 error: wrong event parameters for 'wrong_signature3'
-warning in <...>/custom-event-errors.zeek, line 11: Type mismatch in function argument #1. Expected string, got count. (event(state:signature_state, msg:count, data:string))
+warning in <...>/custom-event-errors.zeek, line 13: Type mismatch in function argument #1. Expected string, got count. (event(state:signature_state, msg:count, data:string))
 error: wrong event parameters for 'wrong_signature4'
-error: unknown event 'non_existing_event' specified in rule
+error: Error in signature (./id.sig:19): unknown script-level identifier (non_existing_event)
+error: Error in signature (./id2.sig:4): custom event and identifier for msg unsupported

testing/btest/Baseline/signatures.custom-event/.stderr

@@ -1 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+warning: Remove in v7.1: Using an identifier for msg is deprecated (./id.sig:9)

testing/btest/Baseline/signatures.custom-event/out

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 signature_match2 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp]
 signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message from identifier (cannot be changed)
-signature_match3 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message from identifier (cannot be changed)
 signature_match3 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message

testing/btest/Baseline/signatures.udp-state/reject

@@ -1,3 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 error: Error in signature (./udp-established.sig:5): 'established' is not a valid 'udp-state'
-

testing/btest/signatures/custom-event-errors.zeek

@@ -1,29 +1,37 @@
 # @TEST-DOC: Using the wrong paramters for custom signature events.
 #
 # @TEST-EXEC-FAIL: zeek -b -s id -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >id.out
+# @TEST-EXEC-FAIL: zeek -b -s id2 -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >id.out
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
 
 @TEST-START-FILE id.sig
 signature udp-proto {
   ip-proto == 17
-  event [wrong_signature2] "id"
+  event wrong_signature2 "id"
 }
 
 signature udp-proto2 {
   ip-proto == 17
-  event [wrong_signature3]
+  event wrong_signature3
 }
 
 signature udp-proto3 {
   ip-proto == 17
-  event [wrong_signature4] "not a count"
+  event wrong_signature4 "not a count"
 }
 
 signature udp-proto4 {
   ip-proto == 17
-  event [non_existing_event]
+  event non_existing_event
 }
+@TEST-END-FILE
 
+@TEST-START-FILE id2.sig
+# Using two identifiers is not supported.
+signature udp-proto-msg-id {
+  ip-proto == 17
+  event signature_match message_as_id
+}
 @TEST-END-FILE
 
 event wrong_signature2(state: signature_state, data: string) { }

testing/btest/signatures/custom-event.zeek

@@ -7,12 +7,7 @@
 @TEST-START-FILE id.sig
 signature udp-proto {
   ip-proto == 17
-  event [my_signature_match3] "message"
+  event my_signature_match3 "message"
-}
-
-signature udp-proto-msg-id {
-  ip-proto == 17
-  event [my_signature_match3] message_as_id
 }
 
 signature udp-proto-msg-id2 {
@@ -22,7 +17,7 @@ signature udp-proto-msg-id2 {
 
 signature udp-stuff {
   dst-ip == mynets
-  event [my_signature_match2]
+  event my_signature_match2
 }
 
 @TEST-END-FILE