rule-parse: Remove [event_name] syntax, deprecate msg as identifier

As suggested by Robin. Thanks.
2025-10-02 14:48:21 +00:00 · 2023-12-13 20:50:56 +01:00 · 2023-12-13 20:50:56 +01:00 · f3470843d6
commit f3470843d6
parent 0b5126f650
12 changed files with 68 additions and 39 deletions
--- a/27
+++ b/27
@ -73,32 +73,32 @@ New Functionality
  to raise instead of ``signature_match()``. This can be more efficient in certain
  scenarios compared to funneling every match through a single event.

-  The new syntax is to put the name of the event in brackets before the string
-  or identifier used as message. As an extension, it is possible to only provide
-  the bracketed event name. In this case, the framework expects the event's
-  parameters to consist of only state and data as follows:
+  The new syntax is to put the name of the event before the string used for the
+  ``msg`` argument. As an extension, it is possible to only provide an event name,
+  skipping ``msg``. In this case, the framework expects the event's parameters to
+  consist of only state and data as follows:

 	signature only-event {
 		payload /.*root/
-		event [found_root]
+		event found_root
 	}

 	event found_root(state: signature_state, data: string) { }

-  Passing an additional message parameter to a custom event is possible with the
-  following syntax. The custom event's parameters need to align with those for the
-  ``signature_match()` event:
+  Using the ``msg`` parameter with a custom event looks as follows. The custom
+  event's parameters need to align with those for ``signature_match()` event:

 	signature event-with-msg {
 		payload /.*root/
-		event [found_root_with_msg] "the-message"
+		event found_root_with_msg "the-message"
 	}

 	event found_root_with_msg(state: signature_state, msg: string, data: string) { }

-  The message can also be specified as a Zeek side identifier, in which case
-  its initial value will be passed to the custom events. This is identical
-  to the behavior with the default ``signature_match()`` event.
+  Note, the message argument can currently still be specified as a Zeek identifier
+  referring to a script-level string value. If used, this is disambiguated behind
+  the scenes for the first variant. Specifying ``msg`` as a Zeek identifier has
+  been deprecated with the new event support and will be removed in the future. 

  Note that matches for signatures with custom events will not be recorded in
  ``signatures.log``. This log is based on the generation of ``signature_match()``
@ -145,6 +145,9 @@ Deprecated Functionality
  have been marked for removal. The feature of finding unused event handlers is
  provided by default via the ``UsageAnalyzer`` component.

+- Using a Zeek identifier for the ``msg`` argument within a signatures's ``event``
+  keyword has been deprecated.
+
 Zeek 6.1.0
 ==========

--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@ -15,6 +15,8 @@ using std::string;

 namespace zeek::detail {

+bool is_event(const char* id) { return zeek::event_registry->Lookup(id) != nullptr; }
+
 RuleActionEvent::RuleActionEvent(const char* arg_msg)
    : msg(make_intrusive<StringVal>(arg_msg)), handler(signature_match) {}

--- a/src/RuleAction.h
+++ b/src/RuleAction.h
@ -17,6 +17,9 @@ namespace detail {
 class Rule;
 class RuleEndpointState;

+// Returns true if the given C-string represents a registered event.
+bool is_event(const char* id);
+
 // Base class of all rule actions.
 class RuleAction {
 public:
--- a/src/rule-parse.y
+++ b/src/rule-parse.y
@ -191,13 +191,33 @@ rule_attr:
 				(zeek::detail::RuleHdrTest::Comp) $2, $3));
 			}

-	|	TOK_EVENT '[' TOK_IDENT ']'
-			{ current_rule->AddAction(new zeek::detail::RuleActionEvent(nullptr, $3)); }
+	|	TOK_EVENT TOK_IDENT
+			{
+			if ( is_event($2) )
+				current_rule->AddAction(new zeek::detail::RuleActionEvent(nullptr, $2));
+			else
+				{
+				const char *msg = id_to_str($2);
+				if ( ! zeek::util::streq(msg, "<error>") )
+					zeek::reporter->Deprecation(zeek::util::fmt("Remove in v7.1: Using an identifier for msg is deprecated (%s:%d)",
+					                                            current_rule_file, rules_line_number+1));
+				current_rule->AddAction(new zeek::detail::RuleActionEvent(msg));
+				}
+			}

-	|	TOK_EVENT '[' TOK_IDENT ']' string
-			{ current_rule->AddAction(new zeek::detail::RuleActionEvent($5, $3)); }
+	|	TOK_EVENT TOK_IDENT TOK_IDENT
+			{
+			// Maybe remove in v7.1: Once we do not support msg as identifier,
+			// this extra messaging isn't all that useful anymore, but it
+			// beats a syntax error.
+			rules_error("custom event and identifier for msg unsupported");
+			zeek::detail::rule_matcher->SetParseError();
+			}

-	|	TOK_EVENT string
+	|	TOK_EVENT TOK_IDENT TOK_STRING
+			{ current_rule->AddAction(new zeek::detail::RuleActionEvent($3, $2)); }
+
+	|	TOK_EVENT TOK_STRING
 			{ current_rule->AddAction(new zeek::detail::RuleActionEvent($2)); }

 	|	TOK_MIME string opt_strength
@ -444,14 +464,14 @@ pattern:

 void rules_error(const char* msg)
 	{
-	zeek::reporter->Error("Error in signature (%s:%d): %s\n",
+	zeek::reporter->Error("Error in signature (%s:%d): %s",
 	                      current_rule_file, rules_line_number+1, msg);
 	zeek::detail::rule_matcher->SetParseError();
 	}

 void rules_error(const char* msg, const char* addl)
 	{
-	zeek::reporter->Error("Error in signature (%s:%d): %s (%s)\n",
+	zeek::reporter->Error("Error in signature (%s:%d): %s (%s)",
 	                      current_rule_file, rules_line_number+1, msg, addl);
 	zeek::detail::rule_matcher->SetParseError();
 	}
@ -459,7 +479,7 @@ void rules_error(const char* msg, const char* addl)
 void rules_error(zeek::detail::Rule* r, const char* msg)
 	{
 	const zeek::detail::Location& l = r->GetLocation();
-	zeek::reporter->Error("Error in signature %s (%s:%d): %s\n",
+	zeek::reporter->Error("Error in signature %s (%s:%d): %s",
 	                      r->ID(), l.filename, l.first_line, msg);
 	zeek::detail::rule_matcher->SetParseError();
 	}
--- a/testing/btest/Baseline/core.parse-only-signature-file-issues/invalid-sig-file
+++ b/testing/btest/Baseline/core.parse-only-signature-file-issues/invalid-sig-file
@ -1,3 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 error: Error in signature (./test.sig:1): syntax error
-
--- a/testing/btest/Baseline/signatures.bad-eval-condition/.stderr
+++ b/testing/btest/Baseline/signatures.bad-eval-condition/.stderr
@ -1,4 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 warning in <...>/bad-eval-condition.zeek, line 9: Wrong number of arguments for function. Expected 2, got 1. (function(state:signature_state) : bool)
 error: Error in signature (./blah.sig:6): eval function parameters must be a 'signature_state' and a 'string' type (mark_conn)
-
--- a/testing/btest/Baseline/signatures.custom-event-errors/.stderr
+++ b/testing/btest/Baseline/signatures.custom-event-errors/.stderr
@ -1,8 +1,9 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-warning in <...>/custom-event-errors.zeek, line 7: Wrong number of arguments for function. Expected 3, got 2. (event(state:signature_state, data:string))
+warning in <...>/custom-event-errors.zeek, line 9: Wrong number of arguments for function. Expected 3, got 2. (event(state:signature_state, data:string))
 error: wrong event parameters for 'wrong_signature2'
-warning in <...>/custom-event-errors.zeek, line 9: Wrong number of arguments for function. Expected 2, got 3. (event(state:signature_state, msg:string, data:string))
+warning in <...>/custom-event-errors.zeek, line 11: Wrong number of arguments for function. Expected 2, got 3. (event(state:signature_state, msg:string, data:string))
 error: wrong event parameters for 'wrong_signature3'
-warning in <...>/custom-event-errors.zeek, line 11: Type mismatch in function argument #1. Expected string, got count. (event(state:signature_state, msg:count, data:string))
+warning in <...>/custom-event-errors.zeek, line 13: Type mismatch in function argument #1. Expected string, got count. (event(state:signature_state, msg:count, data:string))
 error: wrong event parameters for 'wrong_signature4'
-error: unknown event 'non_existing_event' specified in rule
+error: Error in signature (./id.sig:19): unknown script-level identifier (non_existing_event)
+error: Error in signature (./id2.sig:4): custom event and identifier for msg unsupported
--- a/testing/btest/Baseline/signatures.custom-event/.stderr
+++ b/testing/btest/Baseline/signatures.custom-event/.stderr
@ -1 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+warning: Remove in v7.1: Using an identifier for msg is deprecated (./id.sig:9)
--- a/testing/btest/Baseline/signatures.custom-event/out
+++ b/testing/btest/Baseline/signatures.custom-event/out
@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 signature_match2 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp]
 signature_match [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message from identifier (cannot be changed)
-signature_match3 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message from identifier (cannot be changed)
 signature_match3 [orig_h=127.0.0.1, orig_p=30000/udp, resp_h=127.0.0.1, resp_p=13000/udp] - message
--- a/testing/btest/Baseline/signatures.udp-state/reject
+++ b/testing/btest/Baseline/signatures.udp-state/reject
@ -1,3 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 error: Error in signature (./udp-established.sig:5): 'established' is not a valid 'udp-state'
-
--- a/testing/btest/signatures/custom-event-errors.zeek
+++ b/testing/btest/signatures/custom-event-errors.zeek
@ -1,29 +1,37 @@
 # @TEST-DOC: Using the wrong paramters for custom signature events.
 #
 # @TEST-EXEC-FAIL: zeek -b -s id -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >id.out
+# @TEST-EXEC-FAIL: zeek -b -s id2 -r $TRACES/chksums/ip4-udp-good-chksum.pcap %INPUT >id.out
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr

@TEST-START-FILE id.sig
 signature udp-proto {
  ip-proto == 17
-  event [wrong_signature2] "id"
+  event wrong_signature2 "id"
 }

 signature udp-proto2 {
  ip-proto == 17
-  event [wrong_signature3]
+  event wrong_signature3
 }

 signature udp-proto3 {
  ip-proto == 17
-  event [wrong_signature4] "not a count"
+  event wrong_signature4 "not a count"
 }

 signature udp-proto4 {
  ip-proto == 17
-  event [non_existing_event]
+  event non_existing_event
 }
+@TEST-END-FILE

+@TEST-START-FILE id2.sig
+# Using two identifiers is not supported.
+signature udp-proto-msg-id {
+  ip-proto == 17
+  event signature_match message_as_id
+}
@TEST-END-FILE

 event wrong_signature2(state: signature_state, data: string) { }
--- a/testing/btest/signatures/custom-event.zeek
+++ b/testing/btest/signatures/custom-event.zeek
@ -7,12 +7,7 @@
@TEST-START-FILE id.sig
 signature udp-proto {
  ip-proto == 17
-  event [my_signature_match3] "message"
-}
-
-signature udp-proto-msg-id {
-  ip-proto == 17
-  event [my_signature_match3] message_as_id
+  event my_signature_match3 "message"
 }

 signature udp-proto-msg-id2 {
@ -22,7 +17,7 @@ signature udp-proto-msg-id2 {

 signature udp-stuff {
  dst-ip == mynets
-  event [my_signature_match2]
+  event my_signature_match2
 }

@TEST-END-FILE