From fd4f25965d6eb595dfb911e9fe3f57ff95e4cc58 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Wed, 18 Dec 2024 15:32:10 -0700 Subject: [PATCH] Add spicy runtime-support current_analyzer_id(), use it to set id in events
---
 src/spicy/runtime-support.cc | 20 ++++++++++++++++++- src/spicy/runtime-support.h | 8 ++++++++ testing/btest/Baseline/spicy.analyzer-id/out | 3 +++ .../btest/Baseline/spicy.profiling/prof.log | 1 + testing/btest/spicy/analyzer-id.zeek | 11 ++++++++++ 5 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/spicy.analyzer-id/out create mode 100644 testing/btest/spicy/analyzer-id.zeek
diff --git a/src/spicy/runtime-support.cc b/src/spicy/runtime-support.cc
index c5d36e0b30..77e05bf903 100644
--- a/src/spicy/runtime-support.cc
+++ b/src/spicy/runtime-support.cc
@@ -206,7 +206,7 @@ void rt::raise_event(const EventHandlerPtr& handler, const hilti::rt::Vector& idx) {
@@ -221,6 +221,24 @@ TypePtr rt::event_arg_type(const EventHandlerPtr& handler, const hilti::rt::inte
 return zeek_args[idx];
 }
+zeek::analyzer::ID rt::current_analyzer_id() {
+ auto _ = hilti::rt::profiler::start("zeek/rt/current_analyzer_id");
+
+ if ( auto cookie = static_cast(hilti::rt::context::cookie()) ) {
+ if ( auto x = cookie->protocol ) {
+ return x->analyzer->GetID();
+ }
+ else if ( auto x = cookie->file ) {
+ return 0;
+ }
+ else if ( auto x = cookie->packet ) {
+ return 0;
+ }
+ }
+
+ throw ValueUnavailable("analyzer not available");
+}
+
 ValPtr& rt::current_conn() {
 auto _ = hilti::rt::profiler::start("zeek/rt/current_conn");
diff --git a/src/spicy/runtime-support.h b/src/spicy/runtime-support.h
index 0397dc86cc..a12780c870 100644
--- a/src/spicy/runtime-support.h
+++ b/src/spicy/runtime-support.h
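Review bot: The `cookie->file` and `cookie->packet` branches of `rt::current_analyzer_id()` return a bare `0` with no comment, so a reader cannot tell whether 0 is a deliberate "no protocol analyzer" sentinel or a placeholder, and script code that uses the reported ID to attribute an event to an analyzer would presumably get a value that matches no live analyzer. I would state the intent on those lines, e.g. `return 0; // no protocol analyzer in file/packet context`, and drop the unused `x` bindings there (`else if ( cookie->file )`). The protocol branch also dereferences `x->analyzer` without a check; if the cookie can exist before an analyzer is attached (not visible in this hunk), `if ( x->analyzer ) return x->analyzer->GetID();` would let the call fall through to the `ValueUnavailable` throw instead of dereferencing null. The surrounding functions start and end outside the hunk.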
@@ -209,6 +209,14 @@ void raise_event(const EventHandlerPtr& handler, const hilti::rt::Vector
 */
 TypePtr event_arg_type(const EventHandlerPtr& handler, const hilti::rt::integer::safe& idx);
+/**
+ * Retrieves the analyzer ID for the currently processed Zeek connection.
+ * Assumes that the HILTI context's cookie value has been set accordingly.
+ *
+ * @return Pointer to an analyzer instance
+ */
+zeek::analyzer::ID current_analyzer_id();
+
 /**
 * Retrieves the connection ID for the currently processed Zeek connection.
 * Assumes that the HILTI context's cookie value has been set accordingly.
diff --git a/testing/btest/Baseline/spicy.analyzer-id/out b/testing/btest/Baseline/spicy.analyzer-id/out
new file mode 100644
index 0000000000..0f079b0c28
--- /dev/null
+++ b/testing/btest/Baseline/spicy.analyzer-id/out
@@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CHhAvVGS1DHFjwGM9, PostgreSQL::ssl_request, 3 +CHhAvVGS1DHFjwGM9, ssl_client_hello, 5
diff --git a/testing/btest/Baseline/spicy.profiling/prof.log b/testing/btest/Baseline/spicy.profiling/prof.log
index e53624d572..c01d4634c8 100644
--- a/testing/btest/Baseline/spicy.profiling/prof.log
+++ b/testing/btest/Baseline/spicy.profiling/prof.log
@@ -16,6 +16,7 @@ spicy/unit/SSH::Banner::magic 2 spicy/unit/SSH::Banner::software 2 spicy/unit/SSH::Banner::version 2 zeek/event/ssh::banner 2 +zeek/rt/current_analyzer_id 2 zeek/rt/current_conn 2 zeek/rt/current_is_orig 2 zeek/rt/event_arg_type 4
diff --git a/testing/btest/spicy/analyzer-id.zeek b/testing/btest/spicy/analyzer-id.zeek
new file mode 100644
index 0000000000..656a19e66c
--- /dev/null
+++ b/testing/btest/spicy/analyzer-id.zeek
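Review bot: The doc comment added for `current_analyzer_id()` says `@return Pointer to an analyzer instance`, but the declaration returns a `zeek::analyzer::ID` by value, and the implementation in runtime-support.cc returns 0 for file and packet cookies and throws `ValueUnavailable` otherwise. I would replace the tag with `@return ID of the current protocol analyzer, or 0 when running inside a file or packet analyzer` and add `@throws ValueUnavailable if no analyzer context is available`. The summary line "for the currently processed Zeek connection" likewise does not cover the file and packet cases, so callers reading only the header would not expect a 0 result.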
@@ -0,0 +1,11 @@
+#@TEST-DOC: Test that analyzer ID set for spicy protocol analyzers
+#@TEST-EXEC: zeek -r $TRACES/postgresql/psql-aws-ssl-preferred.pcap %INPUT > out
+#@TEST-EXEC: btest-diff out
+
+event PostgreSQL::ssl_request(c: connection) {
+ print c$uid, "PostgreSQL::ssl_request", current_analyzer();
+}
+
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) {
+ print c$uid, "ssl_client_hello", current_analyzer();
+}
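Review bot: Both handlers in this test are connection events, so only the `cookie->protocol` branch of `current_analyzer_id()` gets a baseline; the 0 returned for file and packet analyzers and the `ValueUnavailable` path are not pinned anywhere in this commit. If 0 is the intended value in those contexts, a handler for an event raised by a Spicy file analyzer that prints `current_analyzer()` would lock it in and catch a later regression. The `TEST-DOC` line is also missing a verb: `Test that analyzer ID is set for spicy protocol analyzers`.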