Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/topic/vern/zval'

Browse source 
* origin/topic/vern/zval: (42 commits)
  whitespace tweaks
  resolved some TODO comments
  remove unnecessary casts, and change necessary ones to use static_cast<>
  explain cmp_func default
  change functions for ZVal type management to static members
  fix some unsigned/signed integer warnings
  address lint concern about uninitialized variable
  Remove use of obsolete forward-declaration macros
  fix #include's that lack zeek/ prefixes
  explicitly populate holes created in vectors
  fixes for now-incorrect assumption that GetField always returns an existing ValPtr
  memory management for assignment to vector elements
  memory management for assignment to record fields
  destructor cleanup from ZAM_vector/ZAM_record
  fix #include's that lack zeek/ prefixes
  overlooked another way in which vector holes can be created
  initialize vector holes to the correct corresponding type
  explicitly populate holes created in vectors
  fix other instances of GetField().get() assuming long-lived ValPtr's
  fix for now-incorrect assumption that GetField always returns an existing ValPtr
  ...
This commit is contained in:
Tim Wojtulewicz 2021-03-23 20:44:19 -07:00
commit f45df63cd0
100 changed files with 2376 additions and 1386 deletions
Download patch file Download diff file Expand all files Collapse all files

6
scripts/base/init-bare.zeek
View file

@ -3334,7 +3334,7 @@ export {
## The security mode field specifies whether SMB signing is enabled, required at the server, or both.
security_mode : count;
## A globally unique identifier that is generate by the server to uniquely identify the server.
server_guid : string;
server_guid : SMB2::GUID;
## The system time of the SMB2 server when the SMB2 NEGOTIATE Request was processed.
system_time : time;
## The SMB2 server start time.
@ -3710,7 +3710,7 @@ type dns_edns_ecs: record {
family: string; ##< IP Family
source_prefix_len: count; ##< Source Prefix Length.
scope_prefix_len: count; ##< Scope Prefix Length.
address: string; ##< Client Subnet Address.
address: addr; ##< Client Subnet Address.
};
## An DNS EDNS TCP KEEPALIVE (TCP KEEPALIVE) record.
@ -4354,7 +4354,7 @@ export {
keyboard_function_key: count;
ime_file_name: string;
post_beta2_color_depth: count &optional;
client_product_id: string &optional;
client_product_id: count &optional;
serial_number: count &optional;
high_color_depth: count &optional;
supported_color_depths: count &optional;

1
src/CMakeLists.txt
View file

@ -301,6 +301,7 @@ set(MAIN_SRCS
WeirdState.cc
ZeekArgs.cc
ZeekString.cc
ZVal.cc
bsd-getopt-long.c
bro_inet_ntop.c
in_cksum.cc

11
src/CompHash.cc
View file

@ -184,7 +184,7 @@ char* CompositeHash::SingleValHash(bool type_check, char* kp0,
for ( int i = 0; i < num_fields; ++i )
{
auto rv_i = rv->GetField(i).get();
auto rv_i = rv->GetField(i);
Attributes* a = rt->FieldDecl(i)->attrs.get();
bool optional_attr = (a && a->Find(ATTR_OPTIONAL));
@ -194,7 +194,7 @@ char* CompositeHash::SingleValHash(bool type_check, char* kp0,
if ( ! (kp = SingleValHash(type_check, kp,
rt->GetFieldType(i).get(),
rv_i, optional_attr)) )
rv_i.get(), optional_attr)) )
return nullptr;
}
@ -265,7 +265,7 @@ char* CompositeHash::SingleValHash(bool type_check, char* kp0,
kp1 = reinterpret_cast<char*>(kp+1);
for ( unsigned int i = 0; i < vv->Size(); ++i )
{
const auto& val = vv->At(i);
auto val = vv->ValAt(i);
unsigned int* kp = AlignAndPadType<unsigned int>(kp1);
*kp = i;
kp1 = reinterpret_cast<char*>(kp+1);
@ -517,8 +517,9 @@ int CompositeHash::SingleTypeKeySize(Type* bt, const Val* v,
Attributes* a = rt->FieldDecl(i)->attrs.get();
bool optional_attr = (a && a->Find(ATTR_OPTIONAL));
auto rv_v = rv ? rv->GetField(i) : nullptr;
sz = SingleTypeKeySize(rt->GetFieldType(i).get(),
rv ? rv->GetField(i).get() : nullptr,
rv_v.get(),
type_check, sz, optional_attr,
calc_static_size);
if ( ! sz )
@ -566,7 +567,7 @@ int CompositeHash::SingleTypeKeySize(Type* bt, const Val* v,
VectorVal* vv = const_cast<VectorVal*>(v->AsVectorVal());
for ( unsigned int i = 0; i < vv->Size(); ++i )
{
const auto& val = vv->At(i);
auto val = vv->ValAt(i);
sz = SizeAlign(sz, sizeof(unsigned int));
sz = SizeAlign(sz, sizeof(unsigned int));
if ( val )

34
src/Conn.cc
View file

@ -343,23 +343,23 @@ const RecordValPtr& Connection::ConnVal()
id_val->Assign(3, val_mgr->Port(ntohs(resp_port), prot_type));
auto orig_endp = make_intrusive<RecordVal>(id::endpoint);
orig_endp->Assign(0, val_mgr->Count(0));
orig_endp->Assign(1, val_mgr->Count(0));
orig_endp->Assign(4, val_mgr->Count(orig_flow_label));
orig_endp->Assign(0, 0);
orig_endp->Assign(1, 0);
orig_endp->Assign(4, orig_flow_label);
const int l2_len = sizeof(orig_l2_addr);
char null[l2_len]{};
if ( memcmp(&orig_l2_addr, &null, l2_len) != 0 )
orig_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(orig_l2_addr, l2_len)));
orig_endp->Assign(5, fmt_mac(orig_l2_addr, l2_len));
auto resp_endp = make_intrusive<RecordVal>(id::endpoint);
resp_endp->Assign(0, val_mgr->Count(0));
resp_endp->Assign(1, val_mgr->Count(0));
resp_endp->Assign(4, val_mgr->Count(resp_flow_label));
resp_endp->Assign(0, 0);
resp_endp->Assign(1, 0);
resp_endp->Assign(4, resp_flow_label);
if ( memcmp(&resp_l2_addr, &null, l2_len) != 0 )
resp_endp->Assign(5, make_intrusive<StringVal>(fmt_mac(resp_l2_addr, l2_len)));
resp_endp->Assign(5, fmt_mac(resp_l2_addr, l2_len));
conn_val->Assign(0, std::move(id_val));
conn_val->Assign(1, std::move(orig_endp));
@ -371,25 +371,25 @@ const RecordValPtr& Connection::ConnVal()
if ( ! uid )
uid.Set(zeek::detail::bits_per_uid);
conn_val->Assign(7, make_intrusive<StringVal>(uid.Base62("C").c_str()));
conn_val->Assign(7, uid.Base62("C"));
if ( encapsulation && encapsulation->Depth() > 0 )
conn_val->Assign(8, encapsulation->ToVal());
if ( vlan != 0 )
conn_val->Assign(9, val_mgr->Int(vlan));
conn_val->Assign(9, vlan);
if ( inner_vlan != 0 )
conn_val->Assign(10, val_mgr->Int(inner_vlan));
conn_val->Assign(10, inner_vlan);
}
if ( root_analyzer )
root_analyzer->UpdateConnVal(conn_val.get());
conn_val->Assign(3, make_intrusive<TimeVal>(start_time)); // ###
conn_val->Assign(4, make_intrusive<IntervalVal>(last_time - start_time));
conn_val->Assign(6, make_intrusive<StringVal>(history.c_str()));
conn_val->AssignTime(3, start_time); // ###
conn_val->AssignInterval(4, last_time - start_time);
conn_val->Assign(6, history);
conn_val->SetOrigin(this);
@ -418,7 +418,7 @@ void Connection::AppendAddl(const char* str)
const char* old = cv->GetFieldAs<StringVal>(6)->CheckString();
const char* format = *old ? "%s %s" : "%s%s";
cv->Assign(6, make_intrusive<StringVal>(util::fmt(format, old, str)));
cv->Assign(6, util::fmt(format, old, str));
}
// Returns true if the character at s separates a version number.
@ -631,8 +631,8 @@ void Connection::CheckFlowLabel(bool is_orig, uint32_t flow_label)
{
if ( conn_val )
{
RecordVal* endp = conn_val->GetField(is_orig ? 1 : 2)->AsRecordVal();
endp->Assign(4, val_mgr->Count(flow_label));
RecordVal* endp = conn_val->GetFieldAs<RecordVal>(is_orig ? 1 : 2);
endp->Assign(4, flow_label);
}
if ( connection_flow_label_changed &&

6
src/DNS_Mgr.cc
View file

@ -718,10 +718,10 @@ ValPtr DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
{
auto r = make_intrusive<RecordVal>(dm_rec);
r->Assign(0, make_intrusive<TimeVal>(dm->CreationTime()));
r->Assign(1, make_intrusive<StringVal>(dm->ReqHost() ? dm->ReqHost() : ""));
r->AssignTime(0, dm->CreationTime());
r->Assign(1, dm->ReqHost() ? dm->ReqHost() : "");
r->Assign(2, make_intrusive<AddrVal>(dm->ReqAddr()));
r->Assign(3, val_mgr->Bool(dm->Valid()));
r->Assign(3, dm->Valid());
auto h = dm->Host();
r->Assign(4, h ? std::move(h) : make_intrusive<StringVal>("<none>"));

79
src/Expr.cc
View file

@ -277,7 +277,7 @@ const char* assign_to_index(ValPtr v1, ValPtr v2, ValPtr v3,
for ( auto idx = 0u; idx < v_vect->Size();
idx++, first++ )
v1_vect->Insert(first, v_vect->At(idx));
v1_vect->Insert(first, v_vect->ValAt(idx));
}
else if ( ! v1_vect->Assign(lv->Idx(0)->CoerceToUnsigned(), std::move(v3)) )
@ -619,8 +619,11 @@ ValPtr UnaryExpr::Eval(Frame* f) const
for ( unsigned int i = 0; i < v_op->Size(); ++i )
{
const auto& v_i = v_op->At(i);
result->Assign(i, v_i ? Fold(v_i.get()) : nullptr);
auto vop = v_op->ValAt(i);
if ( vop )
result->Assign(i, Fold(vop.get()));
else
result->Assign(i, nullptr);
}
return result;
@ -708,11 +711,12 @@ ValPtr BinaryExpr::Eval(Frame* f) const
for ( unsigned int i = 0; i < v_op1->Size(); ++i )
{
if ( v_op1->At(i) && v_op2->At(i) )
v_result->Assign(i, Fold(v_op1->At(i).get(), v_op2->At(i).get()));
auto v1_i = v_op1->ValAt(i);
auto v2_i = v_op2->ValAt(i);
if ( v1_i && v2_i )
v_result->Assign(i, Fold(v_op1->ValAt(i).get(), v_op2->ValAt(i).get()));
else
v_result->Assign(i, nullptr);
// SetError("undefined element in vector operation");
}
return v_result;
@ -725,13 +729,12 @@ ValPtr BinaryExpr::Eval(Frame* f) const
for ( unsigned int i = 0; i < vv->Size(); ++i )
{
if ( const auto& vv_i = vv->At(i) )
auto vv_i = vv->ValAt(i);
if ( vv_i )
v_result->Assign(i, is_vec1 ? Fold(vv_i.get(), v2.get())
: Fold(v1.get(), vv_i.get()));
else
v_result->Assign(i, nullptr);
// SetError("Undefined element in vector operation");
}
return v_result;
@ -1235,12 +1238,8 @@ ValPtr IncrExpr::Eval(Frame* f) const
for ( unsigned int i = 0; i < v_vec->Size(); ++i )
{
const auto& elt = v_vec->At(i);
if ( elt )
auto elt = v_vec->ValAt(i);
v_vec->Assign(i, DoSingleEval(f, elt.get()));
else
v_vec->Assign(i, nullptr);
}
op->Assign(f, std::move(v_vec));
@ -1863,19 +1862,14 @@ ValPtr BoolExpr::Eval(Frame* f) const
for ( unsigned int i = 0; i < vec_v1->Size(); ++i )
{
const auto& op1 = vec_v1->At(i);
const auto& op2 = vec_v2->At(i);
if ( op1 && op2 )
{
bool local_result = (tag == EXPR_AND_AND) ?
(! op1->IsZero() && ! op2->IsZero()) :
(! op1->IsZero() || ! op2->IsZero());
const auto op1 = vec_v1->BoolAt(i);
const auto op2 = vec_v2->BoolAt(i);
bool local_result =
(tag == EXPR_AND_AND) ? (op1 && op2) : (op1 || op2);
result->Assign(i, val_mgr->Bool(local_result));
}
else
result->Assign(i, nullptr);
}
return result;
}
@ -2225,16 +2219,10 @@ ValPtr CondExpr::Eval(Frame* f) const
for ( unsigned int i = 0; i < cond->Size(); ++i )
{
const auto& local_cond = cond->At(i);
if ( local_cond )
{
const auto& v = local_cond->IsZero() ? b->At(i) : a->At(i);
auto local_cond = cond->BoolAt(i);
auto v = local_cond ? a->ValAt(i) : b->ValAt(i);
result->Assign(i, v);
}
else
result->Assign(i, nullptr);
}
return result;
}
@ -2912,8 +2900,8 @@ ValPtr IndexExpr::Eval(Frame* f) const
for ( unsigned int i = 0; i < v_v2->Size(); ++i )
{
if ( v_v2->At(i)->AsBool() )
v_result->Assign(v_result->Size() + 1, v_v1->At(i));
if ( v_v2->BoolAt(i) )
v_result->Assign(v_result->Size() + 1, v_v1->ValAt(i));
}
}
else
@ -2923,7 +2911,7 @@ ValPtr IndexExpr::Eval(Frame* f) const
// Probably only do this if *all* are negative.
v_result->Resize(v_v2->Size());
for ( unsigned int i = 0; i < v_v2->Size(); ++i )
v_result->Assign(i, v_v1->At(v_v2->At(i)->CoerceToInt()));
v_result->Assign(i, v_v1->ValAt(v_v2->ValAt(i)->CoerceToInt()));
}
return v_result;
@ -2946,7 +2934,7 @@ ValPtr IndexExpr::Fold(Val* v1, Val* v2) const
const ListVal* lv = v2->AsListVal();
if ( lv->Length() == 1 )
v = vect->At(lv->Idx(0)->CoerceToUnsigned());
v = vect->ValAt(lv->Idx(0)->CoerceToUnsigned());
else
{
size_t len = vect->Size();
@ -2961,7 +2949,7 @@ ValPtr IndexExpr::Fold(Val* v1, Val* v2) const
result->Resize(sub_length);
for ( bro_int_t idx = first; idx < last; idx++ )
result->Assign(idx - first, vect->At(idx));
result->Assign(idx - first, vect->ValAt(idx));
}
return result;
@ -3161,7 +3149,7 @@ HasFieldExpr::~HasFieldExpr()
ValPtr HasFieldExpr::Fold(Val* v) const
{
auto rv = v->AsRecordVal();
return val_mgr->Bool(rv->GetField(field) != nullptr);
return val_mgr->Bool(rv->HasField(field));
}
void HasFieldExpr::ExprDescribe(ODesc* d) const
@ -3749,7 +3737,8 @@ ValPtr ArithCoerceExpr::Fold(Val* v) const
for ( unsigned int i = 0; i < vv->Size(); ++i )
{
if ( const auto& elt = vv->At(i) )
auto elt = vv->ValAt(i);
if ( elt )
result->Assign(i, FoldSingleVal(elt.get(), t));
else
result->Assign(i, nullptr);
@ -3917,7 +3906,7 @@ ValPtr RecordCoerceExpr::Fold(Val* v) const
if ( ! rhs )
{
// Optional field is missing.
val->Assign(i, nullptr);
val->Remove(i);
continue;
}
@ -3964,7 +3953,7 @@ ValPtr RecordCoerceExpr::Fold(Val* v) const
val->Assign(i, std::move(def_val));
}
else
val->Assign(i, nullptr);
val->Remove(i);
}
}
@ -4207,7 +4196,11 @@ ValPtr InExpr::Fold(Val* v1, Val* v2) const
bool res;
if ( is_vector(v2) )
res = (bool)v2->AsVectorVal()->At(v1->AsListVal()->Idx(0)->CoerceToUnsigned());
{
auto vv2 = v2->AsVectorVal();
auto ind = v1->AsListVal()->Idx(0)->CoerceToUnsigned();
res = ind < vv2->Size() && vv2->ValAt(ind);
}
else
res = (bool)v2->AsTableVal()->Find({NewRef{}, v1});
@ -5087,7 +5080,7 @@ ValPtr CastExpr::Eval(Frame* f) const
d.Add("'");
if ( same_type(v->GetType(), Broker::detail::DataVal::ScriptDataType()) &&
! v->AsRecordVal()->GetField(0) )
! v->AsRecordVal()->HasField(0) )
d.Add(" (nil $data field)");
RuntimeError(d.Description());

2
src/File.cc
View file

@ -290,7 +290,7 @@ RecordVal* File::Rotate()
return nullptr;
}
info->Assign<TimeVal>(2, open_time);
info->AssignTime(2, open_time);
Unlink();

155
src/IP.cc
View file

@ -24,12 +24,12 @@ static VectorValPtr BuildOptionsVal(const u_char* data, int len)
static auto ip6_option_type = id::find_type<RecordType>("ip6_option");
const struct ip6_opt* opt = (const struct ip6_opt*) data;
auto rv = make_intrusive<RecordVal>(ip6_option_type);
rv->Assign(0, val_mgr->Count(opt->ip6o_type));
rv->Assign(0, opt->ip6o_type);
if ( opt->ip6o_type == 0 )
{
// Pad1 option
rv->Assign(1, val_mgr->Count(0));
rv->Assign(1, 0);
rv->Assign(2, val_mgr->EmptyString());
data += sizeof(uint8_t);
len -= sizeof(uint8_t);
@ -38,9 +38,8 @@ static VectorValPtr BuildOptionsVal(const u_char* data, int len)
{
// PadN or other option
uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(1, val_mgr->Count(opt->ip6o_len));
rv->Assign(2, make_intrusive<StringVal>(
new String(data + off, opt->ip6o_len, true)));
rv->Assign(1, opt->ip6o_len);
rv->Assign(2, new String(data + off, opt->ip6o_len, true));
data += opt->ip6o_len + off;
len -= opt->ip6o_len + off;
}
@ -61,11 +60,11 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_hdr_type = id::find_type<RecordType>("ip6_hdr");
rv = make_intrusive<RecordVal>(ip6_hdr_type);
const struct ip6_hdr* ip6 = (const struct ip6_hdr*)data;
rv->Assign(0, val_mgr->Count((ntohl(ip6->ip6_flow) & 0x0ff00000)>>20));
rv->Assign(1, val_mgr->Count(ntohl(ip6->ip6_flow) & 0x000fffff));
rv->Assign(2, val_mgr->Count(ntohs(ip6->ip6_plen)));
rv->Assign(3, val_mgr->Count(ip6->ip6_nxt));
rv->Assign(4, val_mgr->Count(ip6->ip6_hlim));
rv->Assign(0, (ntohl(ip6->ip6_flow) & 0x0ff00000)>>20);
rv->Assign(1, ntohl(ip6->ip6_flow) & 0x000fffff);
rv->Assign(2, ntohs(ip6->ip6_plen));
rv->Assign(3, ip6->ip6_nxt);
rv->Assign(4, ip6->ip6_hlim);
rv->Assign(5, make_intrusive<AddrVal>(IPAddr(ip6->ip6_src)));
rv->Assign(6, make_intrusive<AddrVal>(IPAddr(ip6->ip6_dst)));
if ( ! chain )
@ -80,8 +79,8 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_hopopts_type = id::find_type<RecordType>("ip6_hopopts");
rv = make_intrusive<RecordVal>(ip6_hopopts_type);
const struct ip6_hbh* hbh = (const struct ip6_hbh*)data;
rv->Assign(0, val_mgr->Count(hbh->ip6h_nxt));
rv->Assign(1, val_mgr->Count(hbh->ip6h_len));
rv->Assign(0, hbh->ip6h_nxt);
rv->Assign(1, hbh->ip6h_len);
uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
@ -93,8 +92,8 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_dstopts_type = id::find_type<RecordType>("ip6_dstopts");
rv = make_intrusive<RecordVal>(ip6_dstopts_type);
const struct ip6_dest* dst = (const struct ip6_dest*)data;
rv->Assign(0, val_mgr->Count(dst->ip6d_nxt));
rv->Assign(1, val_mgr->Count(dst->ip6d_len));
rv->Assign(0, dst->ip6d_nxt);
rv->Assign(1, dst->ip6d_len);
uint16_t off = 2 * sizeof(uint8_t);
rv->Assign(2, BuildOptionsVal(data + off, Length() - off));
}
@ -105,12 +104,12 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_routing_type = id::find_type<RecordType>("ip6_routing");
rv = make_intrusive<RecordVal>(ip6_routing_type);
const struct ip6_rthdr* rt = (const struct ip6_rthdr*)data;
rv->Assign(0, val_mgr->Count(rt->ip6r_nxt));
rv->Assign(1, val_mgr->Count(rt->ip6r_len));
rv->Assign(2, val_mgr->Count(rt->ip6r_type));
rv->Assign(3, val_mgr->Count(rt->ip6r_segleft));
rv->Assign(0, rt->ip6r_nxt);
rv->Assign(1, rt->ip6r_len);
rv->Assign(2, rt->ip6r_type);
rv->Assign(3, rt->ip6r_segleft);
uint16_t off = 4 * sizeof(uint8_t);
rv->Assign(4, make_intrusive<StringVal>(new String(data + off, Length() - off, true)));
rv->Assign(4, new String(data + off, Length() - off, true));
}
break;
@ -119,12 +118,12 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_fragment_type = id::find_type<RecordType>("ip6_fragment");
rv = make_intrusive<RecordVal>(ip6_fragment_type);
const struct ip6_frag* frag = (const struct ip6_frag*)data;
rv->Assign(0, val_mgr->Count(frag->ip6f_nxt));
rv->Assign(1, val_mgr->Count(frag->ip6f_reserved));
rv->Assign(2, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0xfff8)>>3));
rv->Assign(3, val_mgr->Count((ntohs(frag->ip6f_offlg) & 0x0006)>>1));
rv->Assign(4, val_mgr->Bool(ntohs(frag->ip6f_offlg) & 0x0001));
rv->Assign(5, val_mgr->Count(ntohl(frag->ip6f_ident)));
rv->Assign(0, frag->ip6f_nxt);
rv->Assign(1, frag->ip6f_reserved);
rv->Assign(2, (ntohs(frag->ip6f_offlg) & 0xfff8)>>3);
rv->Assign(3, (ntohs(frag->ip6f_offlg) & 0x0006)>>1);
rv->Assign(4, static_cast<bool>(ntohs(frag->ip6f_offlg) & 0x0001));
rv->Assign(5, ntohl(frag->ip6f_ident));
}
break;
@ -132,18 +131,18 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
{
static auto ip6_ah_type = id::find_type<RecordType>("ip6_ah");
rv = make_intrusive<RecordVal>(ip6_ah_type);
rv->Assign(0, val_mgr->Count(((ip6_ext*)data)->ip6e_nxt));
rv->Assign(1, val_mgr->Count(((ip6_ext*)data)->ip6e_len));
rv->Assign(2, val_mgr->Count(ntohs(((uint16_t*)data)[1])));
rv->Assign(3, val_mgr->Count(ntohl(((uint32_t*)data)[1])));
rv->Assign(0, ((ip6_ext*)data)->ip6e_nxt);
rv->Assign(1, ((ip6_ext*)data)->ip6e_len);
rv->Assign(2, ntohs(((uint16_t*)data)[1]));
rv->Assign(3, ntohl(((uint32_t*)data)[1]));
if ( Length() >= 12 )
{
// Sequence Number and ICV fields can only be extracted if
// Payload Len was non-zero for this header.
rv->Assign(4, val_mgr->Count(ntohl(((uint32_t*)data)[2])));
rv->Assign(4, ntohl(((uint32_t*)data)[2]));
uint16_t off = 3 * sizeof(uint32_t);
rv->Assign(5, make_intrusive<StringVal>(new String(data + off, Length() - off, true)));
rv->Assign(5, new String(data + off, Length() - off, true));
}
}
break;
@ -153,8 +152,8 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_esp_type = id::find_type<RecordType>("ip6_esp");
rv = make_intrusive<RecordVal>(ip6_esp_type);
const uint32_t* esp = (const uint32_t*)data;
rv->Assign(0, val_mgr->Count(ntohl(esp[0])));
rv->Assign(1, val_mgr->Count(ntohl(esp[1])));
rv->Assign(0, ntohl(esp[0]));
rv->Assign(1, ntohl(esp[1]));
}
break;
@ -164,15 +163,15 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
static auto ip6_mob_type = id::find_type<RecordType>("ip6_mobility_hdr");
rv = make_intrusive<RecordVal>(ip6_mob_type);
const struct ip6_mobility* mob = (const struct ip6_mobility*) data;
rv->Assign(0, val_mgr->Count(mob->ip6mob_payload));
rv->Assign(1, val_mgr->Count(mob->ip6mob_len));
rv->Assign(2, val_mgr->Count(mob->ip6mob_type));
rv->Assign(3, val_mgr->Count(mob->ip6mob_rsv));
rv->Assign(4, val_mgr->Count(ntohs(mob->ip6mob_chksum)));
rv->Assign(0, mob->ip6mob_payload);
rv->Assign(1, mob->ip6mob_len);
rv->Assign(2, mob->ip6mob_type);
rv->Assign(3, mob->ip6mob_rsv);
rv->Assign(4, ntohs(mob->ip6mob_chksum));
static auto ip6_mob_msg_type = id::find_type<RecordType>("ip6_mobility_msg");
auto msg = make_intrusive<RecordVal>(ip6_mob_msg_type);
msg->Assign(0, val_mgr->Count(mob->ip6mob_type));
msg->Assign(0, mob->ip6mob_type);
uint16_t off = sizeof(ip6_mobility);
const u_char* msg_data = data + off;
@ -190,7 +189,7 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 0:
{
auto m = make_intrusive<RecordVal>(ip6_mob_brr_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(0, ntohs(*((uint16_t*)msg_data)));
off += sizeof(uint16_t);
m->Assign(1, BuildOptionsVal(data + off, Length() - off));
msg->Assign(1, std::move(m));
@ -200,8 +199,8 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 1:
{
auto m = make_intrusive<RecordVal>(ip6_mob_hoti_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(0, ntohs(*((uint16_t*)msg_data)));
m->Assign(1, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))));
off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(2, std::move(m));
@ -211,8 +210,8 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 2:
{
auto m = make_intrusive<RecordVal>(ip6_mob_coti_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(0, ntohs(*((uint16_t*)msg_data)));
m->Assign(1, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))));
off += sizeof(uint16_t) + sizeof(uint64_t);
m->Assign(2, BuildOptionsVal(data + off, Length() - off));
msg->Assign(3, std::move(m));
@ -222,9 +221,9 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 3:
{
auto m = make_intrusive<RecordVal>(ip6_mob_hot_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
m->Assign(0, ntohs(*((uint16_t*)msg_data)));
m->Assign(1, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))));
m->Assign(2, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t)))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(4, std::move(m));
@ -234,9 +233,9 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 4:
{
auto m = make_intrusive<RecordVal>(ip6_mob_cot_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(2, val_mgr->Count(ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t))))));
m->Assign(0, ntohs(*((uint16_t*)msg_data)));
m->Assign(1, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t)))));
m->Assign(2, ntohll(*((uint64_t*)(msg_data + sizeof(uint16_t) + sizeof(uint64_t)))));
off += sizeof(uint16_t) + 2 * sizeof(uint64_t);
m->Assign(3, BuildOptionsVal(data + off, Length() - off));
msg->Assign(5, std::move(m));
@ -246,12 +245,12 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 5:
{
auto m = make_intrusive<RecordVal>(ip6_mob_bu_type);
m->Assign(0, val_mgr->Count(ntohs(*((uint16_t*)msg_data))));
m->Assign(1, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000));
m->Assign(2, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000));
m->Assign(3, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000));
m->Assign(4, val_mgr->Bool(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000));
m->Assign(5, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
m->Assign(0, ntohs(*((uint16_t*)msg_data))));
m->Assign(1, static_cast<bool>(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x8000));
m->Assign(2, static_cast<bool>(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x4000));
m->Assign(3, static_cast<bool>(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x2000));
m->Assign(4, static_cast<bool>(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))) & 0x1000));
m->Assign(5, ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t)))));
off += 3 * sizeof(uint16_t);
m->Assign(6, BuildOptionsVal(data + off, Length() - off));
msg->Assign(6, std::move(m));
@ -261,10 +260,10 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 6:
{
auto m = make_intrusive<RecordVal>(ip6_mob_back_type);
m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data)));
m->Assign(1, val_mgr->Bool(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80));
m->Assign(2, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t))))));
m->Assign(3, val_mgr->Count(ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t))))));
m->Assign(0, *((uint8_t*)msg_data));
m->Assign(1, static_cast<bool>(*((uint8_t*)(msg_data + sizeof(uint8_t))) & 0x80));
m->Assign(2, ntohs(*((uint16_t*)(msg_data + sizeof(uint16_t)))));
m->Assign(3, ntohs(*((uint16_t*)(msg_data + 2*sizeof(uint16_t)))));
off += 3 * sizeof(uint16_t);
m->Assign(4, BuildOptionsVal(data + off, Length() - off));
msg->Assign(7, std::move(m));
@ -274,7 +273,7 @@ RecordValPtr IPv6_Hdr::ToVal(VectorValPtr chain) const
case 7:
{
auto m = make_intrusive<RecordVal>(ip6_mob_be_type);
m->Assign(0, val_mgr->Count(*((uint8_t*)msg_data)));
m->Assign(0, *((uint8_t*)msg_data));
const in6_addr* hoa = (const in6_addr*)(msg_data + sizeof(uint16_t));
m->Assign(1, make_intrusive<AddrVal>(IPAddr(*hoa)));
off += sizeof(uint16_t) + sizeof(in6_addr);
@ -331,12 +330,12 @@ RecordValPtr IP_Hdr::ToIPHdrVal() const
{
static auto ip4_hdr_type = id::find_type<RecordType>("ip4_hdr");
rval = make_intrusive<RecordVal>(ip4_hdr_type);
rval->Assign(0, val_mgr->Count(ip4->ip_hl * 4));
rval->Assign(1, val_mgr->Count(ip4->ip_tos));
rval->Assign(2, val_mgr->Count(ntohs(ip4->ip_len)));
rval->Assign(3, val_mgr->Count(ntohs(ip4->ip_id)));
rval->Assign(4, val_mgr->Count(ip4->ip_ttl));
rval->Assign(5, val_mgr->Count(ip4->ip_p));
rval->Assign(0, ip4->ip_hl * 4);
rval->Assign(1, ip4->ip_tos);
rval->Assign(2, ntohs(ip4->ip_len));
rval->Assign(3, ntohs(ip4->ip_id));
rval->Assign(4, ip4->ip_ttl);
rval->Assign(5, ip4->ip_p);
rval->Assign(6, make_intrusive<AddrVal>(ip4->ip_src.s_addr));
rval->Assign(7, make_intrusive<AddrVal>(ip4->ip_dst.s_addr));
}
@ -380,13 +379,13 @@ RecordValPtr IP_Hdr::ToPktHdrVal(RecordValPtr pkt_hdr, int sindex) const
tcp_hdr->Assign(0, val_mgr->Port(ntohs(tp->th_sport), TRANSPORT_TCP));
tcp_hdr->Assign(1, val_mgr->Port(ntohs(tp->th_dport), TRANSPORT_TCP));
tcp_hdr->Assign(2, val_mgr->Count(uint32_t(ntohl(tp->th_seq))));
tcp_hdr->Assign(3, val_mgr->Count(uint32_t(ntohl(tp->th_ack))));
tcp_hdr->Assign(4, val_mgr->Count(tcp_hdr_len));
tcp_hdr->Assign(5, val_mgr->Count(data_len));
tcp_hdr->Assign(6, val_mgr->Count(tp->th_x2));
tcp_hdr->Assign(7, val_mgr->Count(tp->th_flags));
tcp_hdr->Assign(8, val_mgr->Count(ntohs(tp->th_win)));
tcp_hdr->Assign(2, ntohl(tp->th_seq));
tcp_hdr->Assign(3, ntohl(tp->th_ack));
tcp_hdr->Assign(4, tcp_hdr_len);
tcp_hdr->Assign(5, data_len);
tcp_hdr->Assign(6, tp->th_x2);
tcp_hdr->Assign(7, tp->th_flags);
tcp_hdr->Assign(8, ntohs(tp->th_win));
pkt_hdr->Assign(sindex + 2, std::move(tcp_hdr));
break;
@ -399,7 +398,7 @@ RecordValPtr IP_Hdr::ToPktHdrVal(RecordValPtr pkt_hdr, int sindex) const
udp_hdr->Assign(0, val_mgr->Port(ntohs(up->uh_sport), TRANSPORT_UDP));
udp_hdr->Assign(1, val_mgr->Port(ntohs(up->uh_dport), TRANSPORT_UDP));
udp_hdr->Assign(2, val_mgr->Count(ntohs(up->uh_ulen)));
udp_hdr->Assign(2, ntohs(up->uh_ulen));
pkt_hdr->Assign(sindex + 3, std::move(udp_hdr));
break;
@ -410,7 +409,7 @@ RecordValPtr IP_Hdr::ToPktHdrVal(RecordValPtr pkt_hdr, int sindex) const
const struct icmp* icmpp = (const struct icmp *) data;
auto icmp_hdr = make_intrusive<RecordVal>(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp_type));
icmp_hdr->Assign(0, icmpp->icmp_type);
pkt_hdr->Assign(sindex + 4, std::move(icmp_hdr));
break;
@ -421,7 +420,7 @@ RecordValPtr IP_Hdr::ToPktHdrVal(RecordValPtr pkt_hdr, int sindex) const
const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data;
auto icmp_hdr = make_intrusive<RecordVal>(icmp_hdr_type);
icmp_hdr->Assign(0, val_mgr->Count(icmpp->icmp6_type));
icmp_hdr->Assign(0, icmpp->icmp6_type);
pkt_hdr->Assign(sindex + 4, std::move(icmp_hdr));
break;
@ -675,7 +674,7 @@ VectorValPtr IPv6_Hdr_Chain::ToVal() const
auto v = chain[i]->ToVal();
auto ext_hdr = make_intrusive<RecordVal>(ip6_ext_hdr_type);
uint8_t type = chain[i]->Type();
ext_hdr->Assign(0, val_mgr->Count(type));
ext_hdr->Assign(0, type);
switch (type) {
case IPPROTO_HOPOPTS:

6
src/RuleMatcher.cc
View file

@ -86,10 +86,10 @@ Val* RuleMatcher::BuildRuleStateValue(const Rule* rule,
{
static auto signature_state = id::find_type<RecordType>("signature_state");
auto* val = new RecordVal(signature_state);
val->Assign(0, make_intrusive<StringVal>(rule->ID()));
val->Assign(0, rule->ID());
val->Assign(1, state->GetAnalyzer()->ConnVal());
val->Assign(2, val_mgr->Bool(state->is_orig));
val->Assign(3, val_mgr->Count(state->payload_size));
val->Assign(2, state->is_orig);
val->Assign(3, state->payload_size);
return val;
}

4
src/Sessions.cc
View file

@ -344,8 +344,8 @@ Connection* NetSessions::FindConnection(Val* v)
const IPAddr& orig_addr = vl->GetFieldAs<AddrVal>(orig_h);
const IPAddr& resp_addr = vl->GetFieldAs<AddrVal>(resp_h);
const PortVal* orig_portv = vl->GetFieldAs<PortVal>(orig_p);
const PortVal* resp_portv = vl->GetFieldAs<PortVal>(resp_p);
auto orig_portv = vl->GetFieldAs<PortVal>(orig_p);
auto resp_portv = vl->GetFieldAs<PortVal>(resp_p);
ConnID id;

25
src/SmithWaterman.cc
View file

@ -74,7 +74,7 @@ VectorVal* Substring::VecToPolicy(Vec* vec)
Substring* bst = (*vec)[i];
auto st_val = make_intrusive<RecordVal>(sw_substring_type);
st_val->Assign(0, make_intrusive<StringVal>(new String(*bst)));
st_val->Assign(0, new String(*bst));
auto aligns = make_intrusive<VectorVal>(sw_align_vec_type);
@ -83,15 +83,15 @@ VectorVal* Substring::VecToPolicy(Vec* vec)
const BSSAlign& align = (bst->GetAlignments())[j];
auto align_val = make_intrusive<RecordVal>(sw_align_type);
align_val->Assign(0, make_intrusive<StringVal>(new String(*align.string)));
align_val->Assign(1, val_mgr->Count(align.index));
align_val->Assign(0, new String(*align.string));
align_val->Assign(1, align.index);
aligns->Assign(j + 1, std::move(align_val));
aligns->Assign(j, std::move(align_val));
}
st_val->Assign(1, std::move(aligns));
st_val->Assign(2, val_mgr->Bool(bst->IsNewAlignment()));
result->Assign(i + 1, std::move(st_val));
st_val->Assign(2, bst->IsNewAlignment());
result->Assign(i, std::move(st_val));
}
}
@ -102,26 +102,25 @@ Substring::Vec* Substring::VecFromPolicy(VectorVal* vec)
{
Vec* result = new Vec();
// VectorVals start at index 1!
for ( unsigned int i = 1; i <= vec->Size(); ++i )
for ( unsigned int i = 0; i < vec->Size(); ++i )
{
const auto& v = vec->At(i); // get the RecordVal
auto v = vec->RecordValAt(i);
if ( ! v )
continue;
const String* str = v->AsRecordVal()->GetFieldAs<StringVal>(0);
const String* str = v->GetFieldAs<StringVal>(0);
auto* substr = new Substring(*str);
const VectorVal* aligns = v->AsRecordVal()->GetField(1)->AsVectorVal();
const VectorVal* aligns = v->GetFieldAs<VectorVal>(1);
for ( unsigned int j = 1; j <= aligns->Size(); ++j )
{
const RecordVal* align = aligns->AsVectorVal()->At(j)->AsRecordVal();
const RecordVal* align = aligns->AsVectorVal()->RecordValAt(j);
const String* str = align->GetFieldAs<StringVal>(0);
int index = align->GetFieldAs<CountVal>(1);
substr->AddAlignment(str, index);
}
bool new_alignment = v->AsRecordVal()->GetFieldAs<BoolVal>(2);
bool new_alignment = v->GetFieldAs<BoolVal>(2);
substr->MarkNewAlignment(new_alignment);
result->push_back(substr);

8
src/Stmt.cc
View file

@ -297,7 +297,7 @@ static void print_log(const std::vector<ValPtr>& vals)
vec->Assign(vec->Size(), make_intrusive<StringVal>(d.Description()));
}
record->Assign(0, make_intrusive<TimeVal>(run_state::network_time));
record->AssignTime(0, run_state::network_time);
record->Assign(1, std::move(vec));
log_mgr->Write(plval.get(), record.get());
}
@ -1324,12 +1324,8 @@ ValPtr ForStmt::DoExec(Frame* f, Val* v, StmtFlowType& flow)
{
VectorVal* vv = v->AsVectorVal();
for ( auto i = 0u; i <= vv->Size(); ++i )
for ( auto i = 0u; i < vv->Size(); ++i )
{
// Skip unassigned vector indices.
if ( ! vv->At(i) )
continue;
// Set the loop variable to the current index, and make
// another pass over the loop body.
f->SetElement((*loop_vars)[0], val_mgr->Count(i));

2
src/TunnelEncapsulation.cc
View file

@ -30,7 +30,7 @@ RecordValPtr EncapsulatingConn::ToVal() const
rv->Assign(0, std::move(id_val));
rv->Assign(1, BifType::Enum::Tunnel::Type->GetEnumVal(type));
rv->Assign(2, make_intrusive<StringVal>(uid.Base62("C").c_str()));
rv->Assign(2, uid.Base62("C"));
return rv;
}

24
src/Type.cc
View file

@ -840,7 +840,16 @@ void TypeDecl::DescribeReST(ODesc* d, bool roles_only) const
RecordType::RecordType(type_decl_list* arg_types) : Type(TYPE_RECORD)
{
types = arg_types;
num_fields = types ? types->length() : 0;
if ( types )
{
num_fields = types->length();
loop_over_list(*types, i)
AddField(i, (*types)[i]);
}
else
num_fields = 0;
}
// in this case the clone is actually not so shallow, since
@ -864,6 +873,13 @@ RecordType::~RecordType()
}
}
void RecordType::AddField(unsigned int field, const TypeDecl* td)
{
ASSERT(field == managed_fields.size());
managed_fields.push_back(ZVal::IsManagedType(td->type));
}
bool RecordType::HasField(const char* field) const
{
return FieldOffset(field) >= 0;
@ -1001,8 +1017,8 @@ TableValPtr RecordType::GetRecordFieldsVal(const RecordVal* rv) const
auto nr = make_intrusive<RecordVal>(record_field);
string s = container_type_name(ft.get());
nr->Assign(0, make_intrusive<StringVal>(s));
nr->Assign(1, val_mgr->Bool(logged));
nr->Assign(0, s);
nr->Assign(1, logged);
nr->Assign(2, std::move(fv));
nr->Assign(3, FieldDefault(i));
auto field_name = make_intrusive<StringVal>(FieldName(i));
@ -1037,7 +1053,9 @@ const char* RecordType::AddFields(const type_decl_list& others,
td->attrs->AddAttr(make_intrusive<detail::Attr>(detail::ATTR_LOG));
}
int field = types->size();
types->push_back(td);
AddField(field, td);
}
num_fields = types->length();

11
src/Type.h
View file

@ -605,6 +605,11 @@ public:
const TypeDecl* FieldDecl(int field) const;
TypeDecl* FieldDecl(int field);
// Returns flags corresponding to which fields in the record
// have types requiring memory management (reference counting).
const std::vector<bool>& ManagedFields() const
{ return managed_fields; }
int NumFields() const { return num_fields; }
/**
@ -640,6 +645,12 @@ public:
protected:
RecordType() { types = nullptr; }
void AddField(unsigned int field, const TypeDecl* td);
// If we were willing to bound the size of records, then we could
// use std::bitset here instead.
std::vector<bool> managed_fields;
int num_fields;
type_decl_list* types;
};

465
src/Val.cc
View file

@ -590,7 +590,7 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*
auto* vval = val->AsVectorVal();
size_t size = vval->SizeVal()->AsCount();
for (size_t i = 0; i < size; i++)
BuildJSON(writer, vval->At(i).get(), only_loggable, re);
BuildJSON(writer, vval->ValAt(i).get(), only_loggable, re);
writer.EndArray();
break;
@ -2816,16 +2816,21 @@ TableVal::TableRecordDependencies TableVal::parse_time_table_record_dependencies
RecordVal::RecordTypeValMap RecordVal::parse_time_records;
RecordVal::RecordVal(RecordTypePtr t, bool init_fields) : Val(std::move(t))
RecordVal::RecordVal(RecordTypePtr t, bool init_fields)
: Val(t), is_managed(t->ManagedFields())
{
origin = nullptr;
auto rt = GetType()->AsRecordType();
rt = std::move(t);
int n = rt->NumFields();
auto vl = record_val = new std::vector<ValPtr>;
vl->reserve(n);
record_val = new std::vector<ZVal>;
record_val->reserve(n);
is_in_record = new std::vector<bool>(n, false);
if ( run_state::is_parsing )
parse_time_records[rt].emplace_back(NewRef{}, this);
parse_time_records[rt.get()].emplace_back(NewRef{}, this);
if ( ! init_fields )
return;
@ -2846,9 +2851,10 @@ RecordVal::RecordVal(RecordTypePtr t, bool init_fields) : Val(std::move(t))
catch ( InterpreterException& )
{
if ( run_state::is_parsing )
parse_time_records[rt].pop_back();
parse_time_records[rt.get()].pop_back();
delete record_val;
delete is_in_record;
throw;
}
@ -2879,13 +2885,29 @@ RecordVal::RecordVal(RecordTypePtr t, bool init_fields) : Val(std::move(t))
def = make_intrusive<VectorVal>(cast_intrusive<VectorType>(type));
}
vl->emplace_back(std::move(def));
if ( def )
{
record_val->emplace_back(ZVal(def, def->GetType()));
(*is_in_record)[i] = true;
}
else
{
record_val->emplace_back(ZVal());
(*is_in_record)[i] = false;
}
}
}
RecordVal::~RecordVal()
{
auto n = record_val->size();
for ( unsigned int i = 0; i < n; ++i )
if ( HasField(i) && IsManaged(i) )
ZVal::DeleteManagedType((*record_val)[i]);
delete record_val;
delete is_in_record;
}
ValPtr RecordVal::SizeVal() const
@ -2895,13 +2917,36 @@ ValPtr RecordVal::SizeVal() const
void RecordVal::Assign(int field, ValPtr new_val)
{
(*record_val)[field] = std::move(new_val);
if ( new_val )
{
DeleteFieldIfManaged(field);
auto t = rt->GetFieldType(field);
(*record_val)[field] = ZVal(new_val, t);
(*is_in_record)[field] = true;
Modified();
}
else
Remove(field);
}
void RecordVal::Remove(int field)
{
if ( HasField(field) )
{
if ( IsManaged(field) )
ZVal::DeleteManagedType((*record_val)[field]);
(*record_val)[field] = ZVal();
(*is_in_record)[field] = false;
Modified();
}
}
ValPtr RecordVal::GetFieldOrDefault(int field) const
{
const auto& val = (*record_val)[field];
auto val = GetField(field);
if ( val )
return val;
@ -2909,9 +2954,9 @@ ValPtr RecordVal::GetFieldOrDefault(int field) const
return GetType()->AsRecordType()->FieldDefault(field);
}
void RecordVal::ResizeParseTimeRecords(RecordType* rt)
void RecordVal::ResizeParseTimeRecords(RecordType* revised_rt)
{
auto it = parse_time_records.find(rt);
auto it = parse_time_records.find(revised_rt);
if ( it == parse_time_records.end() )
return;
@ -2921,14 +2966,14 @@ void RecordVal::ResizeParseTimeRecords(RecordType* rt)
for ( auto& rv : rvs )
{
int current_length = rv->NumFields();
auto required_length = rt->NumFields();
auto required_length = revised_rt->NumFields();
if ( required_length > current_length )
{
rv->Reserve(required_length);
for ( auto i = current_length; i < required_length; ++i )
rv->AppendField(rt->FieldDefault(i));
rv->AppendField(revised_rt->FieldDefault(i));
}
}
}
@ -2938,7 +2983,7 @@ void RecordVal::DoneParsing()
parse_time_records.clear();
}
const ValPtr& RecordVal::GetField(const char* field) const
ValPtr RecordVal::GetField(const char* field) const
{
int idx = GetType()->AsRecordType()->FieldOffset(field);
@ -3010,7 +3055,7 @@ RecordValPtr RecordVal::CoerceTo(RecordTypePtr t,
}
for ( i = 0; i < ar_t->NumFields(); ++i )
if ( ! aggr->GetField(i) &&
if ( ! aggr->HasField(i) &&
! ar_t->FieldDecl(i)->GetAttr(detail::ATTR_OPTIONAL) )
{
char buf[512];
@ -3038,11 +3083,10 @@ TableValPtr RecordVal::GetRecordFieldsVal() const
void RecordVal::Describe(ODesc* d) const
{
auto n = record_val->size();
auto record_type = GetType()->AsRecordType();
if ( d->IsBinary() || d->IsPortable() )
{
record_type->Describe(d);
rt->Describe(d);
d->SP();
d->Add(static_cast<uint64_t>(n));
d->SP();
@ -3055,12 +3099,12 @@ void RecordVal::Describe(ODesc* d) const
if ( ! d->IsBinary() && i > 0 )
d->Add(", ");
d->Add(record_type->FieldName(i));
d->Add(rt->FieldName(i));
if ( ! d->IsBinary() )
d->Add("=");
const auto& v = (*record_val)[i];
auto v = GetField(i);
if ( v )
v->Describe(d);
@ -3075,7 +3119,7 @@ void RecordVal::Describe(ODesc* d) const
void RecordVal::DescribeReST(ODesc* d) const
{
auto n = record_val->size();
auto record_type = GetType()->AsRecordType();
auto rt = GetType()->AsRecordType();
d->Add("{");
d->PushIndent();
@ -3085,10 +3129,10 @@ void RecordVal::DescribeReST(ODesc* d) const
if ( i > 0 )
d->NL();
d->Add(record_type->FieldName(i));
d->Add(rt->FieldName(i));
d->Add("=");
const auto& v = (*record_val)[i];
auto v = GetField(i);
if ( v )
v->Describe(d);
@ -3111,9 +3155,11 @@ ValPtr RecordVal::DoClone(CloneState* state)
rv->origin = nullptr;
state->NewClone(this, rv);
for ( const auto& vlv : *record_val)
int n = NumFields();
for ( auto i = 0; i < n; ++i )
{
auto v = vlv ? vlv->Clone(state) : nullptr;
auto f_i = GetField(i);
auto v = f_i ? f_i->Clone(state) : nullptr;
rv->AppendField(std::move(v));
}
@ -3123,16 +3169,25 @@ ValPtr RecordVal::DoClone(CloneState* state)
unsigned int RecordVal::MemoryAllocation() const
{
unsigned int size = 0;
const auto& vl = *record_val;
for ( const auto& v : vl )
int n = NumFields();
for ( auto i = 0; i < n; ++i )
{
if ( v )
size += v->MemoryAllocation();
auto f_i = GetField(i);
if ( f_i )
size += f_i->MemoryAllocation();
}
size += util::pad_size(vl.capacity() * sizeof(ValPtr));
size += padded_sizeof(vl);
size += util::pad_size(record_val->capacity() * sizeof(ZVal));
size += padded_sizeof(*record_val);
// It's tricky sizing is_in_record since it's a std::vector
// specialization. We approximate this by not scaling capacity()
// by sizeof(bool) but just using its raw value. That's still
// presumably going to be an overestimate.
size += util::pad_size(is_in_record->capacity());
size += padded_sizeof(*is_in_record);
return size + padded_sizeof(*this);
}
@ -3168,13 +3223,32 @@ ValPtr TypeVal::DoClone(CloneState* state)
return {NewRef{}, this};
}
VectorVal::VectorVal(VectorTypePtr t) : Val(std::move(t))
VectorVal::VectorVal(VectorTypePtr t) : Val(t)
{
vector_val = new vector<ValPtr>();
vector_val = new vector<ZVal>();
yield_type = t->Yield();
auto y_tag = yield_type->Tag();
any_yield = (y_tag == TYPE_VOID || y_tag == TYPE_ANY);
managed_yield = ZVal::IsManagedType(yield_type);
}
VectorVal::~VectorVal()
{
if ( yield_types )
{
int n = yield_types->size();
for ( auto i = 0; i < n; ++i )
ZVal::DeleteIfManaged((*vector_val)[i], (*yield_types)[i]);
delete yield_types;
}
else if ( managed_yield )
{
for ( auto& elem : *vector_val )
ZVal::DeleteManagedType(elem);
}
delete vector_val;
}
@ -3183,16 +3257,72 @@ ValPtr VectorVal::SizeVal() const
return val_mgr->Count(uint32_t(vector_val->size()));
}
bool VectorVal::Assign(unsigned int index, ValPtr element)
bool VectorVal::CheckElementType(const ValPtr& element)
{
if ( element &&
! same_type(element->GetType(), GetType()->AsVectorType()->Yield(), false) )
if ( ! element )
// Insertion isn't actually going to happen.
return true;
if ( yield_types )
// We're already a heterogeneous vector-of-any.
return true;
if ( any_yield )
{
int n = vector_val->size();
if ( n == 0 )
// First addition to an empty vector-of-any, perhaps
// it will be homogeneous.
yield_type = element->GetType();
else
{
yield_types = new std::vector<TypePtr>();
// Since we're only now switching to the heterogeneous
// representation, capture the types of the existing
// elements.
for ( auto i = 0; i < n; ++i )
yield_types->emplace_back(yield_type);
}
}
else if ( ! same_type(element->GetType(), yield_type, false) )
return false;
if ( index >= vector_val->size() )
vector_val->resize(index + 1);
return true;
}
(*vector_val)[index] = std::move(element);
bool VectorVal::Assign(unsigned int index, ValPtr element)
{
if ( ! CheckElementType(element) )
return false;
unsigned int n = vector_val->size();
if ( index >= n )
{
AddHoles(index - n);
vector_val->resize(index + 1);
if ( yield_types )
yield_types->resize(index + 1);
}
if ( yield_types )
{
const auto& t = element->GetType();
(*yield_types)[index] = t;
ZVal::DeleteIfManaged((*vector_val)[index], t);
(*vector_val)[index] = ZVal(std::move(element), t);
}
else
{
if ( managed_yield )
ZVal::DeleteManagedType((*vector_val)[index]);
(*vector_val)[index] = ZVal(std::move(element), yield_type);
}
Modified();
return true;
@ -3212,31 +3342,73 @@ bool VectorVal::AssignRepeat(unsigned int index, unsigned int how_many,
bool VectorVal::Insert(unsigned int index, ValPtr element)
{
if ( element &&
! same_type(element->GetType(), GetType()->AsVectorType()->Yield(), false) )
{
if ( ! CheckElementType(element) )
return false;
vector<ZVal>::iterator it;
vector<TypePtr>::iterator types_it;
auto n = vector_val->size();
if ( index < n )
{ // May need to delete previous element
it = std::next(vector_val->begin(), index);
if ( yield_types )
{
ZVal::DeleteIfManaged(*it, element->GetType());
types_it = std::next(yield_types->begin(), index);
}
else if ( managed_yield )
ZVal::DeleteManagedType(*it);
}
else
{
it = vector_val->end();
if ( yield_types )
types_it = yield_types->end();
AddHoles(index - n);
}
vector<ValPtr>::iterator it;
if ( index < vector_val->size() )
it = std::next(vector_val->begin(), index);
if ( yield_types )
{
const auto& t = element->GetType();
yield_types->insert(types_it, t);
vector_val->insert(it, ZVal(std::move(element), t));
}
else
it = vector_val->end();
vector_val->insert(it, std::move(element));
vector_val->insert(it, ZVal(std::move(element), yield_type));
Modified();
return true;
}
void VectorVal::AddHoles(int nholes)
{
TypePtr fill_t = yield_type;
if ( yield_type->Tag() == TYPE_VOID )
fill_t = base_type(TYPE_ANY);
for ( auto i = 0; i < nholes; ++i )
vector_val->emplace_back(ZVal(fill_t));
}
bool VectorVal::Remove(unsigned int index)
{
if ( index >= vector_val->size() )
return false;
auto it = std::next(vector_val->begin(), index);
if ( yield_types )
{
auto types_it = std::next(yield_types->begin(), index);
ZVal::DeleteIfManaged(*it, *types_it);
yield_types->erase(types_it);
}
else if ( managed_yield )
ZVal::DeleteManagedType(*it);
vector_val->erase(it);
Modified();
@ -3267,17 +3439,173 @@ bool VectorVal::AddTo(Val* val, bool /* is_first_init */) const
return true;
}
const ValPtr& VectorVal::At(unsigned int index) const
ValPtr VectorVal::At(unsigned int index) const
{
if ( index >= vector_val->size() )
return Val::nil;
return (*vector_val)[index];
const auto& t = yield_types ? (*yield_types)[index] : yield_type;
return (*vector_val)[index].ToVal(t);
}
void VectorVal::Sort(bool cmp_func(const ValPtr& a, const ValPtr& b))
static Func* sort_function_comp = nullptr;
// Used for indirect sorting to support order().
static std::vector<const ZVal*> index_map;
// The yield type of the vector being sorted.
static TypePtr sort_type;
static bool sort_type_is_managed = false;
static bool sort_function(const ZVal& a, const ZVal& b)
{
sort(vector_val->begin(), vector_val->end(), cmp_func);
// Missing values are only applicable for managed types.
if ( sort_type_is_managed )
{
if ( ! a.ManagedVal() )
return 0;
if ( ! b.ManagedVal() )
return 1;
}
auto a_v = a.ToVal(sort_type);
auto b_v = b.ToVal(sort_type);
auto result = sort_function_comp->Invoke(a_v, b_v);
int int_result = result->CoerceToInt();
return int_result < 0;
}
static bool signed_sort_function (const ZVal& a, const ZVal& b)
{
return a.AsInt() < b.AsInt();
}
static bool unsigned_sort_function (const ZVal& a, const ZVal& b)
{
return a.AsCount() < b.AsCount();
}
static bool double_sort_function (const ZVal& a, const ZVal& b)
{
return a.AsDouble() < b.AsDouble();
}
static bool indirect_sort_function(size_t a, size_t b)
{
return sort_function(*index_map[a], *index_map[b]);
}
static bool indirect_signed_sort_function(size_t a, size_t b)
{
return signed_sort_function(*index_map[a], *index_map[b]);
}
static bool indirect_unsigned_sort_function(size_t a, size_t b)
{
return unsigned_sort_function(*index_map[a], *index_map[b]);
}
static bool indirect_double_sort_function(size_t a, size_t b)
{
return double_sort_function(*index_map[a], *index_map[b]);
}
void VectorVal::Sort(Func* cmp_func)
{
if ( yield_types )
reporter->RuntimeError(GetLocationInfo(), "cannot sort a vector-of-any");
sort_type = yield_type;
sort_type_is_managed = ZVal::IsManagedType(sort_type);
bool (*sort_func)(const ZVal&, const ZVal&);
if ( cmp_func )
{
sort_function_comp = cmp_func;
sort_func = sort_function;
}
else
{
auto eti = sort_type->InternalType();
if ( eti == TYPE_INTERNAL_INT )
sort_func = signed_sort_function;
else if ( eti == TYPE_INTERNAL_UNSIGNED )
sort_func = unsigned_sort_function;
else
{
ASSERT(eti == TYPE_INTERNAL_DOUBLE);
sort_func = double_sort_function;
}
}
sort(vector_val->begin(), vector_val->end(), sort_func);
}
VectorValPtr VectorVal::Order(Func* cmp_func)
{
if ( yield_types )
{
reporter->RuntimeError(GetLocationInfo(), "cannot order a vector-of-any");
return nullptr;
}
sort_type = yield_type;
sort_type_is_managed = ZVal::IsManagedType(sort_type);
bool (*sort_func)(size_t, size_t);
if ( cmp_func )
{
sort_function_comp = cmp_func;
sort_func = indirect_sort_function;
}
else
{
auto eti = sort_type->InternalType();
if ( eti == TYPE_INTERNAL_INT )
sort_func = indirect_signed_sort_function;
else if ( eti == TYPE_INTERNAL_UNSIGNED )
sort_func = indirect_unsigned_sort_function;
else
{
ASSERT(eti == TYPE_INTERNAL_DOUBLE);
sort_func = indirect_double_sort_function;
}
}
int n = Size();
// Set up initial mapping of indices directly to corresponding
// elements.
vector<size_t> ind_vv(n);
int i;
for ( i = 0; i < n; ++i )
{
ind_vv[i] = i;
index_map.emplace_back(&(*vector_val)[i]);
}
sort(ind_vv.begin(), ind_vv.end(), sort_func);
index_map.clear();
// Now spin through ind_vv to read out the rearrangement.
auto result_v = make_intrusive<VectorVal>(zeek::id::index_vec);
for ( i = 0; i < n; ++i )
{
int ind = ind_vv[i];
result_v->Assign(i, zeek::val_mgr->Count(ind));
}
return result_v;
}
unsigned int VectorVal::Resize(unsigned int new_num_elements)
@ -3285,6 +3613,13 @@ unsigned int VectorVal::Resize(unsigned int new_num_elements)
unsigned int oldsize = vector_val->size();
vector_val->reserve(new_num_elements);
vector_val->resize(new_num_elements);
if ( yield_types )
{
yield_types->reserve(new_num_elements);
yield_types->resize(new_num_elements);
}
return oldsize;
}
@ -3300,6 +3635,9 @@ unsigned int VectorVal::ResizeAtLeast(unsigned int new_num_elements)
void VectorVal::Reserve(unsigned int num_elements)
{
vector_val->reserve(num_elements);
if ( yield_types )
yield_types->reserve(num_elements);
}
ValPtr VectorVal::DoClone(CloneState* state)
@ -3308,9 +3646,11 @@ ValPtr VectorVal::DoClone(CloneState* state)
vv->Reserve(vector_val->size());
state->NewClone(this, vv);
for ( const auto& e : *vector_val )
int n = vector_val->size();
for ( auto i = 0; i < n; ++i )
{
auto vc = e->Clone(state);
auto vc = At(i)->Clone(state);
vv->Append(std::move(vc));
}
@ -3325,16 +3665,19 @@ void VectorVal::ValDescribe(ODesc* d) const
if ( vector_size != 0 )
{
for ( unsigned int i = 0; i < (vector_size - 1); ++i )
auto last_ind = vector_size - 1;
for ( unsigned int i = 0; i < last_ind; ++i )
{
if ( vector_val->at(i) )
vector_val->at(i)->Describe(d);
auto v = At(i);
if ( v )
v->Describe(d);
d->Add(", ");
}
}
if ( vector_size != 0 && vector_val->back() )
vector_val->back()->Describe(d);
auto v = At(last_ind);
if ( v )
v->Describe(d);
}
d->Add("]");
}

361
src/Val.h
View file

@ -15,6 +15,7 @@
#include "zeek/Reporter.h"
#include "zeek/net_util.h"
#include "zeek/Dict.h"
#include "zeek/ZVal.h"
// We have four different port name spaces: TCP, UDP, ICMP, and UNKNOWN.
// We distinguish between them based on the bits specified in the *_PORT_MASK
@ -72,6 +73,7 @@ class EnumVal;
class OpaqueVal;
class VectorVal;
class TableEntryVal;
class TypeVal;
using AddrValPtr = IntrusivePtr<AddrVal>;
using EnumValPtr = IntrusivePtr<EnumVal>;
@ -448,14 +450,19 @@ public:
// Returns a masked port number
static uint32_t Mask(uint32_t port_num, TransportProto port_type);
const PortVal* Get() const { return AsPortVal(); }
protected:
friend class ValManager;
PortVal(uint32_t p);
void ValDescribe(ODesc* d) const override;
ValPtr DoClone(CloneState* state) override;
private:
// This method is just here to trick the interface in
// `RecordVal::GetFieldAs` into returning the right type.
// It shouldn't actually be used for anything.
friend class RecordVal;
PortValPtr Get() { return {NewRef{}, this}; }
};
class AddrVal final : public Val {
@ -1024,6 +1031,39 @@ private:
PDict<TableEntryVal>* table_val;
};
// This would be way easier with is_convertible_v, but sadly that won't
// work here because Obj has deleted copy constructors (and for good
// reason). Instead we make up our own type trait here that basically
// combines a bunch of is_same traits into a single trait to make life
// easier in the definitions of GetFieldAs().
template <typename T>
struct is_zeek_val
{
static const bool value = std::disjunction_v<
std::is_same<AddrVal, T>,
std::is_same<BoolVal, T>,
std::is_same<CountVal, T>,
std::is_same<DoubleVal, T>,
std::is_same<EnumVal, T>,
std::is_same<FileVal, T>,
std::is_same<FuncVal, T>,
std::is_same<IntVal, T>,
std::is_same<IntervalVal, T>,
std::is_same<ListVal, T>,
std::is_same<OpaqueVal, T>,
std::is_same<PatternVal, T>,
std::is_same<PortVal, T>,
std::is_same<RecordVal, T>,
std::is_same<StringVal, T>,
std::is_same<SubNetVal, T>,
std::is_same<TableVal, T>,
std::is_same<TimeVal, T>,
std::is_same<TypeVal, T>,
std::is_same<VectorVal, T>>;
};
template <typename T>
inline constexpr bool is_zeek_val_v = is_zeek_val<T>::value;
class RecordVal final : public Val, public notifier::detail::Modifiable {
public:
explicit RecordVal(RecordTypePtr t, bool init_fields = true);
@ -1050,14 +1090,87 @@ public:
void Assign(int field, Ts&&... args)
{ Assign(field, make_intrusive<T>(std::forward<Ts>(args)...)); }
/**
* Sets the given record field to not-in-record. Equivalent to
* Assign using a nil ValPtr.
* @param field The field index to remove.
*/
void Remove(int field);
// The following provide efficient record field assignments.
void Assign(int field, bool new_val)
{
(*record_val)[field].int_val = int(new_val);
AddedField(field);
}
void Assign(int field, int new_val)
{
(*record_val)[field].int_val = new_val;
AddedField(field);
}
// For unsigned, we provide both uint32_t and uint64_t versions
// for convenience, since sometimes the caller has one rather
// than the other.
void Assign(int field, uint32_t new_val)
{
(*record_val)[field].uint_val = new_val;
AddedField(field);
}
void Assign(int field, uint64_t new_val)
{
(*record_val)[field].uint_val = new_val;
AddedField(field);
}
void Assign(int field, double new_val)
{
(*record_val)[field].double_val = new_val;
AddedField(field);
}
// The following two are the same as the previous method,
// but we use the names so that in the future if it would
// be helpful, we can track the intent of the underlying
// value representing a time or an interval.
void AssignTime(int field, double new_val)
{ Assign(field, new_val); }
void AssignInterval(int field, double new_val)
{ Assign(field, new_val); }
void Assign(int field, StringVal* new_val)
{
ZVal::DeleteManagedType((*record_val)[field]);
(*record_val)[field].string_val = new_val;
AddedField(field);
}
void Assign(int field, const char* new_val)
{ Assign(field, new StringVal(new_val)); }
void Assign(int field, const std::string& new_val)
{ Assign(field, new StringVal(new_val)); }
void Assign(int field, String* new_val)
{ Assign(field, new StringVal(new_val)); }
/**
* Appends a value to the record's fields. The caller is responsible
* for ensuring that fields are appended in the correct orer and
* for ensuring that fields are appended in the correct order and
* with the correct type.
* @param v The value to append.
*/
void AppendField(ValPtr v)
{ record_val->emplace_back(std::move(v)); }
{
if ( v )
{
(*is_in_record)[record_val->size()] = true;
record_val->emplace_back(ZVal(v, v->GetType()));
}
else
{
(*is_in_record)[record_val->size()] = false;
record_val->emplace_back(ZVal());
}
}
/**
* Ensures that the record has enough internal storage for the
@ -1065,22 +1178,44 @@ public:
* @param n The number of fields.
*/
void Reserve(unsigned int n)
{ record_val->reserve(n); }
{
record_val->reserve(n);
is_in_record->reserve(n);
for ( auto i = is_in_record->size(); i < n; ++i )
is_in_record->emplace_back(false);
}
/**
* Returns the number of fields in the record.
* @return The number of fields in the record.
*/
unsigned int NumFields()
unsigned int NumFields() const
{ return record_val->size(); }
/**
* Returns true if the given field is in the record, false if
* it's missing.
* @param field The field index to retrieve.
* @return Whether there's a value for the given field index.
*/
bool HasField(int field) const
{
return (*is_in_record)[field];
}
/**
* Returns the value of a given field index.
* @param field The field index to retrieve.
* @return The value at the given field index.
*/
const ValPtr& GetField(int field) const
{ return (*record_val)[field]; }
ValPtr GetField(int field) const
{
if ( ! HasField(field) )
return nullptr;
return (*record_val)[field].ToVal(rt->GetFieldType(field));
}
/**
* Returns the value of a given field index as cast to type @c T.
@ -1107,7 +1242,7 @@ public:
* @return The value of the given field. If no such field name exists,
* a fatal error occurs.
*/
const ValPtr& GetField(const char* field) const;
ValPtr GetField(const char* field) const;
/**
* Returns the value of a given field name as cast to type @c T.
@ -1143,22 +1278,79 @@ public:
// The following return the given field converted to a particular
// underlying value. We provide these to enable efficient
// access to record fields (without requiring an intermediary Val)
// if we change the underlying representation of records.
template <typename T>
// access to record fields (without requiring an intermediary Val).
// It is up to the caller to ensure that the field exists in the
// record (using HasField(), if necessary).
template <typename T,
typename std::enable_if_t<is_zeek_val_v<T>, bool> = true>
auto GetFieldAs(int field) const -> std::invoke_result_t<decltype(&T::Get), T>
{
auto& field_ptr = GetField(field);
auto field_val_ptr = static_cast<T*>(field_ptr.get());
return field_val_ptr->Get();
if constexpr ( std::is_same_v<T, BoolVal> ||
std::is_same_v<T, IntVal> ||
std::is_same_v<T, EnumVal> )
return record_val->at(field).int_val;
else if constexpr ( std::is_same_v<T, CountVal> )
return record_val->at(field).uint_val;
else if constexpr ( std::is_same_v<T, DoubleVal> ||
std::is_same_v<T, TimeVal> ||
std::is_same_v<T, IntervalVal> )
return record_val->at(field).double_val;
else if constexpr ( std::is_same_v<T, PortVal> )
return val_mgr->Port(record_val->at(field).uint_val);
else if constexpr ( std::is_same_v<T, StringVal> )
return record_val->at(field).string_val->Get();
else if constexpr ( std::is_same_v<T, AddrVal> )
return record_val->at(field).addr_val->Get();
else if constexpr ( std::is_same_v<T, SubNetVal> )
return record_val->at(field).subnet_val->Get();
else if constexpr ( std::is_same_v<T, File> )
return *(record_val->at(field).file_val);
else if constexpr ( std::is_same_v<T, Func> )
return *(record_val->at(field).func_val);
else if constexpr ( std::is_same_v<T, PatternVal> )
return record_val->at(field).re_val->Get();
else if constexpr ( std::is_same_v<T, RecordVal> )
return record_val->at(field).record_val;
else if constexpr ( std::is_same_v<T, VectorVal> )
return record_val->at(field).vector_val;
else if constexpr ( std::is_same_v<T, TableVal> )
return record_val->at(field).table_val->Get();
else
{
// It's an error to reach here, although because of
// the type trait we really shouldn't ever wind up
// here.
reporter->InternalError("bad type in GetFieldAs");
}
}
template <typename T,
typename std::enable_if_t<!is_zeek_val_v<T>, bool> = true>
T GetFieldAs(int field) const
{
if constexpr ( std::is_integral_v<T> && std::is_signed_v<T> )
return record_val->at(field).int_val;
else if constexpr ( std::is_integral_v<T> &&
std::is_unsigned_v<T> )
return record_val->at(field).uint_val;
else if constexpr ( std::is_floating_point_v<T> )
return record_val->at(field).double_val;
// Note: we could add other types here using type traits,
// such as is_same_v<T, std::string>, etc.
return T{};
}
template <typename T>
auto GetFieldAs(const char* field) const -> std::invoke_result_t<decltype(&T::Get), T>
auto GetFieldAs(const char* field) const
{
auto& field_ptr = GetField(field);
auto field_val_ptr = static_cast<T*>(field_ptr.get());
return field_val_ptr->Get();
int idx = GetType()->AsRecordType()->FieldOffset(field);
if ( idx < 0 )
reporter->InternalError("missing record field: %s", field);
return GetFieldAs<T>(idx);
}
void Describe(ODesc* d) const override;
@ -1205,13 +1397,43 @@ public:
protected:
ValPtr DoClone(CloneState* state) override;
void AddedField(int field)
{
(*is_in_record)[field] = true;
Modified();
}
Obj* origin;
using RecordTypeValMap = std::unordered_map<RecordType*, std::vector<RecordValPtr>>;
static RecordTypeValMap parse_time_records;
private:
std::vector<ValPtr>* record_val;
void DeleteFieldIfManaged(unsigned int field)
{
if ( HasField(field) && IsManaged(field) )
ZVal::DeleteManagedType((*record_val)[field]);
}
bool IsManaged(unsigned int offset) const
{ return is_managed[offset]; }
// Just for template inferencing.
RecordVal* Get() { return this; }
// Keep this handy for quick access during low-level operations.
RecordTypePtr rt;
// Low-level values of each of the fields.
std::vector<ZVal>* record_val;
// Whether a given field exists - for optional fields, and because
// Zeek does not enforce that non-optional fields are actually
// present.
std::vector<bool>* is_in_record;
// Whether a given field requires explicit memory management.
const std::vector<bool>& is_managed;
};
class EnumVal final : public detail::IntValImplementation {
@ -1285,24 +1507,6 @@ public:
// Returns true if succcessful.
bool AddTo(Val* v, bool is_first_init) const override;
/**
* Returns the element at a given index or nullptr if it does not exist.
* @param index The position in the vector of the element to return.
* @return The element at the given index or nullptr if the index
* does not exist (it's greater than or equal to vector's current size).
*/
const ValPtr& At(unsigned int index) const;
/**
* Returns the given element treated as a Count type, to efficiently
* support a common type of vector access if we change the underlying
* vector representation.
* @param index The position in the vector of the element to return.
* @return The element's value, as a Count underlying representation.
*/
bro_uint_t CountAt(unsigned int index) const
{ return At(index)->AsCount(); }
unsigned int Size() const { return vector_val->size(); }
// Is there any way to reclaim previously-allocated memory when you
@ -1340,17 +1544,92 @@ public:
bool Remove(unsigned int index);
/**
* Sorts the vector in place, using the given comparison function.
* Sorts the vector in place, using the given optional
* comparison function.
* @param cmp_func Comparison function for vector elements.
*/
void Sort(bool cmp_func(const ValPtr& a, const ValPtr& b));
void Sort(Func* cmp_func = nullptr);
/**
* Returns a "vector of count" holding the indices of this
* vector when sorted using the given (optional) comparison function.
* @param cmp_func Comparison function for vector elements. If
* nullptr, then the vector must be internally
* of a numeric, and the usual '<' comparison
* will be used.
*/
VectorValPtr Order(Func* cmp_func = nullptr);
ValPtr ValAt(unsigned int index) const { return At(index); }
/**
* Returns the given element in a given underlying representation.
* Enables efficient vector access. Caller must ensure that the
* index lies within the vector's range.
* @param index The position in the vector of the element to return.
* @return The element's underlying value.
*/
bro_uint_t CountAt(unsigned int index) const
{ return (*vector_val)[index].uint_val; }
const RecordVal* RecordValAt(unsigned int index) const
{ return (*vector_val)[index].record_val; }
bool BoolAt(unsigned int index) const
{ return static_cast<bool>((*vector_val)[index].uint_val); }
const StringVal* StringValAt(unsigned int index) const
{ return (*vector_val)[index].string_val; }
const String* StringAt(unsigned int index) const
{ return StringValAt(index)->AsString(); }
protected:
/**
* Returns the element at a given index or nullptr if it does not exist.
* @param index The position in the vector of the element to return.
* @return The element at the given index or nullptr if the index
* does not exist (it's greater than or equal to vector's current size).
*
* Protected to ensure callers pick one of the differentiated accessors
* above, as appropriate, with ValAt() providing the original semantics.
*/
ValPtr At(unsigned int index) const;
void ValDescribe(ODesc* d) const override;
ValPtr DoClone(CloneState* state) override;
private:
std::vector<ValPtr>* vector_val;
// Just for template inferencing.
friend class RecordVal;
VectorVal* Get() { return this; }
// Check the type of the given element against our current
// yield type and adjust as necessary. Returns whether the
// element type-checked.
bool CheckElementType(const ValPtr& element);
// Add the given number of "holes" to the end of a vector.
void AddHoles(int nholes);
std::vector<ZVal>* vector_val;
// For homogeneous vectors (the usual case), the type of the
// elements. Will be TYPE_VOID for empty vectors created using
// "vector()".
TypePtr yield_type;
// True if this is a vector-of-any, or potentially one (which is
// the case for empty vectors created using "vector()").
bool any_yield;
// True if this is a vector-of-managed-types, requiring explicit
// memory management.
bool managed_yield;
// For heterogeneous vectors, the individual type of each element,
// parallel to vector_val. Heterogeneous vectors can arise for
// "vector of any" when disparate elements are stored in the vector.
//
// Thus, if yield_types is non-nil, then we know this is a
// vector-of-any.
std::vector<TypePtr>* yield_types = nullptr;
};
#define UNDERLYING_ACCESSOR_DEF(ztype, ctype, name) \

301
src/ZVal.cc Normal file
View file

@ -0,0 +1,301 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/ZeekString.h"
#include "zeek/File.h"
#include "zeek/Func.h"
#include "zeek/OpaqueVal.h"
#include "zeek/Reporter.h"
#include "zeek/Desc.h"
using namespace zeek;
bool ZVal::zval_was_nil = false;
ZVal::ZVal(ValPtr v, const TypePtr& t)
{
if ( ! v )
{
// This can happen for some forms of error propagation.
// We can deal with it iff the type is managed, and thus
// we can employ a "nil" placeholder.
ASSERT(IsManagedType(t));
managed_val = nullptr;
return;
}
auto vt = v->GetType();
if ( vt->Tag() != t->Tag() && t->Tag() != TYPE_ANY )
{
if ( t->InternalType() == TYPE_INTERNAL_OTHER ||
t->InternalType() != vt->InternalType() )
reporter->InternalError("type inconsistency in ZVal constructor");
}
switch ( t->Tag() ) {
case TYPE_BOOL:
case TYPE_INT:
case TYPE_ENUM:
int_val = v->AsInt();
break;
case TYPE_COUNT:
case TYPE_PORT:
uint_val = v->AsCount();
break;
case TYPE_DOUBLE:
case TYPE_INTERVAL:
case TYPE_TIME:
double_val = v->AsDouble();
break;
case TYPE_FUNC:
func_val = v->AsFunc();
Ref(func_val);
break;
case TYPE_FILE:
file_val = v->AsFile();
Ref(file_val);
break;
case TYPE_LIST:
list_val = v.release()->AsListVal();
break;
case TYPE_OPAQUE:
opaque_val = v.release()->AsOpaqueVal();
break;
case TYPE_PATTERN:
re_val = v.release()->AsPatternVal();
break;
case TYPE_TABLE:
table_val = v.release()->AsTableVal();
break;
case TYPE_VECTOR:
vector_val = v.release()->AsVectorVal();
break;
case TYPE_RECORD:
record_val = v.release()->AsRecordVal();
break;
case TYPE_STRING:
string_val = v.release()->AsStringVal();
break;
case TYPE_ADDR:
addr_val = v.release()->AsAddrVal();
break;
case TYPE_SUBNET:
subnet_val = v.release()->AsSubNetVal();
break;
case TYPE_ANY:
any_val = v.release();
break;
case TYPE_TYPE:
type_val = t->Ref();
break;
case TYPE_ERROR:
case TYPE_TIMER:
case TYPE_UNION:
case TYPE_VOID:
reporter->InternalError("bad type in ZVal constructor");
}
}
ZVal::ZVal(const TypePtr& t)
{
switch ( t->Tag() ) {
case TYPE_BOOL:
case TYPE_INT:
case TYPE_ENUM:
int_val = 0;
break;
case TYPE_COUNT:
case TYPE_PORT:
uint_val = 0;
break;
case TYPE_DOUBLE:
case TYPE_INTERVAL:
case TYPE_TIME:
double_val = 0.0;
break;
case TYPE_FUNC:
func_val = nullptr;
break;
case TYPE_FILE:
file_val = nullptr;
break;
case TYPE_LIST:
list_val = nullptr;
break;
case TYPE_OPAQUE:
opaque_val = nullptr;
break;
case TYPE_PATTERN:
re_val = nullptr;
break;
case TYPE_TABLE:
table_val = nullptr;
break;
case TYPE_VECTOR:
vector_val = nullptr;
break;
case TYPE_RECORD:
record_val = nullptr;
break;
case TYPE_STRING:
string_val = nullptr;
break;
case TYPE_ADDR:
addr_val = nullptr;
break;
case TYPE_SUBNET:
subnet_val = nullptr;
break;
case TYPE_ANY:
any_val = nullptr;
break;
case TYPE_TYPE:
type_val = nullptr;
break;
case TYPE_ERROR:
case TYPE_TIMER:
case TYPE_UNION:
case TYPE_VOID:
reporter->InternalError("bad type in ZVal constructor");
}
}
ValPtr ZVal::ToVal(const TypePtr& t) const
{
Val* v;
switch ( t->Tag() ) {
case TYPE_INT:
return val_mgr->Int(int_val);
case TYPE_BOOL:
return val_mgr->Bool(int_val ? true : false);
case TYPE_PORT:
return val_mgr->Port(uint_val);
case TYPE_COUNT:
return val_mgr->Count(uint_val);
case TYPE_DOUBLE:
return make_intrusive<DoubleVal>(double_val);
case TYPE_INTERVAL:
return make_intrusive<IntervalVal>(double_val, Seconds);
case TYPE_TIME:
return make_intrusive<TimeVal>(double_val);
case TYPE_ENUM:
return t->AsEnumType()->GetEnumVal(int_val);
case TYPE_ANY:
return {NewRef{}, any_val};
case TYPE_TYPE:
{
TypePtr tp = {NewRef{}, type_val};
return make_intrusive<TypeVal>(tp);
}
case TYPE_FUNC:
if ( func_val )
{
FuncPtr fv_ptr = {NewRef{}, func_val};
return make_intrusive<FuncVal>(fv_ptr);
}
return nullptr;
case TYPE_FILE:
if ( file_val )
{
FilePtr fv_ptr = {NewRef{}, file_val};
return make_intrusive<FileVal>(fv_ptr);
}
return nullptr;
case TYPE_ADDR: v = addr_val; break;
case TYPE_SUBNET: v = subnet_val; break;
case TYPE_STRING: v = string_val; break;
case TYPE_LIST: v = list_val; break;
case TYPE_OPAQUE: v = opaque_val; break;
case TYPE_TABLE: v = table_val; break;
case TYPE_RECORD: v = record_val; break;
case TYPE_VECTOR: v = vector_val; break;
case TYPE_PATTERN: v = re_val; break;
case TYPE_ERROR:
case TYPE_TIMER:
case TYPE_UNION:
case TYPE_VOID:
v = nullptr;
reporter->InternalError("bad ret type return tag");
}
if ( v )
return {NewRef{}, v};
zval_was_nil = true;
return nullptr;
}
bool ZVal::IsManagedType(const TypePtr& t)
{
switch ( t->Tag() ) {
case zeek::TYPE_ADDR:
case zeek::TYPE_ANY:
case zeek::TYPE_FILE:
case zeek::TYPE_FUNC:
case zeek::TYPE_LIST:
case zeek::TYPE_OPAQUE:
case zeek::TYPE_PATTERN:
case zeek::TYPE_RECORD:
case zeek::TYPE_STRING:
case zeek::TYPE_SUBNET:
case zeek::TYPE_TABLE:
case zeek::TYPE_TYPE:
case zeek::TYPE_VECTOR:
return true;
default:
return false;
}
}

145
src/ZVal.h Normal file
View file

@ -0,0 +1,145 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Low-level representation of Zeek scripting values.
#pragma once
#include "zeek/zeek-config.h"
#include <unordered_set>
#include "zeek/Dict.h"
#include "zeek/Expr.h"
namespace zeek {
class StringVal;
class AddrVal;
class SubNetVal;
class File;
class Func;
class ListVal;
class OpaqueVal;
class PatternVal;
class TableVal;
class RecordVal;
class VectorVal;
class Type;
class Val;
// Note that a ZVal by itself is ambiguous: it doesn't track its type.
// This makes them consume less memory and cheaper to copy. It does
// however require a separate way to determine the type. Generally
// this is doable using surrounding context, or can be statically
// determined in the case of optimization/compilation.
//
// An alternative would be to use std::variant, but it will be larger
// due to needing to track the variant type, and it won't allow access
// to the managed_val member, which both simplifies memory management
// and is also required for sharing of ZAM frame slots.
union ZVal {
// Constructor for hand-populating the values.
ZVal() { managed_val = nullptr; }
// Construct from a given higher-level script value with a given type.
ZVal(ValPtr v, const TypePtr& t);
// Construct an empty value compatible with the given type.
ZVal(const TypePtr& t);
// Convert to a higher-level script value. The caller needs to
// ensure that they're providing the correct type.
ValPtr ToVal(const TypePtr& t) const;
// Whether a ZVal was accessed that was missing (a nil pointer).
// Used to generate run-time error messages.
static bool ZValNilStatus() { return zval_was_nil; }
// Resets the notion of low-level-error-occurred.
static void ClearZValNilStatus() { zval_was_nil = false; }
bro_int_t AsInt() const { return int_val; }
bro_uint_t AsCount() const { return uint_val; }
double AsDouble() const { return double_val; }
StringVal* AsString() const { return string_val; }
AddrVal* AsAddr() const { return addr_val; }
SubNetVal* AsSubNet() const { return subnet_val; }
File* AsFile() const { return file_val; }
Func* AsFunc() const { return func_val; }
ListVal* AsList() const { return list_val; }
OpaqueVal* AsOpaque() const { return opaque_val; }
PatternVal* AsPattern() const { return re_val; }
TableVal* AsTable() const { return table_val; }
RecordVal* AsRecord() const { return record_val; }
VectorVal* AsVector() const { return vector_val; }
Type* AsType() const { return type_val; }
Val* AsAny() const { return any_val; }
Obj* ManagedVal() const { return managed_val; }
// True if a given type is one for which we manage the associated
// memory internally.
static bool IsManagedType(const TypePtr& t);
// Deletes a managed value. Caller needs to ensure that the ZVal
// indeed holds such.
static void DeleteManagedType(ZVal& v)
{
Unref(v.ManagedVal());
}
// Deletes a possibly-managed value.
static void DeleteIfManaged(ZVal& v, const TypePtr& t)
{
if ( IsManagedType(t) )
DeleteManagedType(v);
}
private:
friend class RecordVal;
friend class VectorVal;
// Used for bool, int, enum.
bro_int_t int_val;
// Used for count and port.
bro_uint_t uint_val;
// Used for double, time, interval.
double double_val;
// The types are all variants of Val, Type, or more fundamentally
// Obj. They are raw pointers rather than IntrusivePtr's because
// unions can't contain the latter. For memory management, we use
// Ref/Unref.
StringVal* string_val;
AddrVal* addr_val;
SubNetVal* subnet_val;
File* file_val;
Func* func_val;
ListVal* list_val;
OpaqueVal* opaque_val;
PatternVal* re_val;
TableVal* table_val;
RecordVal* record_val;
VectorVal* vector_val;
Type* type_val;
// Used for "any" values.
Val* any_val;
// Used for generic access to managed (derived-from-Obj) objects.
Obj* managed_val;
// A class-wide status variable set to true when a missing
// value was accessed. Only germane for managed types, since
// we don't track the presence of non-managed types. Static
// because often the caller won't have direct access to the
// particular ZVal that produces the issue, and just wants to
// know whether it occurred at some point.
static bool zval_was_nil;
};
} // zeek

4
src/ZeekArgs.cc
View file

@ -32,12 +32,12 @@ VectorValPtr MakeCallArgumentVector(const Args& vals,
static auto call_argument = id::find_type<RecordType>("call_argument");
auto rec = make_intrusive<RecordVal>(call_argument);
rec->Assign(0, make_intrusive<StringVal>(fname));
rec->Assign(0, fname);
ODesc d;
d.SetShort();
ftype->Describe(&d);
rec->Assign(1, make_intrusive<StringVal>(d.Description()));
rec->Assign(1, d.Description());
if ( fdefault )
rec->Assign(2, std::move(fdefault));

9
src/ZeekString.cc
View file

@ -352,7 +352,7 @@ VectorVal* String:: VecToPolicy(Vec* vec)
String* string = (*vec)[i];
auto val = make_intrusive<StringVal>(string->Len(),
(const char*) string->Bytes());
result->Assign(i+1, std::move(val));
result->Assign(i, std::move(val));
}
return result.release();
@ -362,14 +362,13 @@ String::Vec* String::VecFromPolicy(VectorVal* vec)
{
Vec* result = new Vec();
// VectorVals start at index 1!
for ( unsigned int i = 1; i <= vec->Size(); ++i )
for ( unsigned int i = 0; i < vec->Size(); ++i )
{
const auto& v = vec->At(i); // get the RecordVal
auto v = vec->StringAt(i);
if ( ! v )
continue;
String* string = new String(*(v->AsString()));
String* string = new String(*v);
result->push_back(string);
}

2
src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
View file

@ -500,7 +500,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
auto benc_value = make_intrusive<RecordVal>(bittorrent_benc_value);
auto name_ = make_intrusive<StringVal>(name_len, name);
benc_value->Assign(type, val_mgr->Int(value));
benc_value->Assign(type, static_cast<int>(value));
res_val_benc->Assign(std::move(name_), std::move(benc_value));
}

12
src/analyzer/protocol/conn-size/ConnSize.cc
View file

@ -171,8 +171,8 @@ void ConnSize_Analyzer::SetDurationThreshold(double duration)
void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val)
{
// RecordType *connection_type is decleared in NetVar.h
RecordVal* orig_endp = conn_val->GetField("orig")->AsRecordVal();
RecordVal* resp_endp = conn_val->GetField("resp")->AsRecordVal();
RecordVal* orig_endp = conn_val->GetFieldAs<RecordVal>("orig");
RecordVal* resp_endp = conn_val->GetFieldAs<RecordVal>("resp");
// endpoint is the RecordType from NetVar.h
int pktidx = id::endpoint->FieldOffset("num_pkts");
@ -184,10 +184,10 @@ void ConnSize_Analyzer::UpdateConnVal(RecordVal *conn_val)
if ( bytesidx < 0 )
reporter->InternalError("'endpoint' record missing 'num_bytes_ip' field");
orig_endp->Assign(pktidx, val_mgr->Count(orig_pkts));
orig_endp->Assign(bytesidx, val_mgr->Count(orig_bytes));
resp_endp->Assign(pktidx, val_mgr->Count(resp_pkts));
resp_endp->Assign(bytesidx, val_mgr->Count(resp_bytes));
orig_endp->Assign(pktidx, orig_pkts);
orig_endp->Assign(bytesidx, orig_bytes);
resp_endp->Assign(pktidx, resp_pkts);
resp_endp->Assign(bytesidx, resp_bytes);
Analyzer::UpdateConnVal(conn_val);
}

12
src/analyzer/protocol/dhcp/dhcp-analyzer.pac
View file

@ -54,16 +54,16 @@ refine flow DHCP_Flow += {
double secs = static_cast<double>(${msg.secs});
auto dhcp_msg_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::Msg);
dhcp_msg_val->Assign(0, zeek::val_mgr->Count(${msg.op}));
dhcp_msg_val->Assign(1, zeek::val_mgr->Count(${msg.type}));
dhcp_msg_val->Assign(2, zeek::val_mgr->Count(${msg.xid}));
dhcp_msg_val->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(secs));
dhcp_msg_val->Assign(4, zeek::val_mgr->Count(${msg.flags}));
dhcp_msg_val->Assign(0, ${msg.op});
dhcp_msg_val->Assign(1, ${msg.type});
dhcp_msg_val->Assign(2, ${msg.xid});
dhcp_msg_val->AssignInterval(3, secs);
dhcp_msg_val->Assign(4, ${msg.flags});
dhcp_msg_val->Assign(5, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.ciaddr})));
dhcp_msg_val->Assign(6, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.yiaddr})));
dhcp_msg_val->Assign(7, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.siaddr})));
dhcp_msg_val->Assign(8, zeek::make_intrusive<zeek::AddrVal>(htonl(${msg.giaddr})));
dhcp_msg_val->Assign(9, zeek::make_intrusive<zeek::StringVal>(mac_str));
dhcp_msg_val->Assign(9, mac_str);
int last_non_null = 0;

24
src/analyzer/protocol/dhcp/dhcp-options.pac
View file

@ -34,7 +34,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_time_offset_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(25, zeek::val_mgr->Int(${v.time_offset}));
${context.flow}->options->Assign(25, ${v.time_offset});
return true;
%}
};
@ -250,7 +250,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_forwarding_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(6, zeek::val_mgr->Bool(${v.forwarding} == 0 ? false : true));
${context.flow}->options->Assign(6, ${v.forwarding} == 0 ? false : true);
return true;
%}
@ -414,7 +414,7 @@ refine flow DHCP_Flow += {
function process_lease_option(v: OptionValue): bool
%{
double lease = static_cast<double>(${v.lease});
${context.flow}->options->Assign(11, zeek::make_intrusive<zeek::IntervalVal>(lease));
${context.flow}->options->AssignInterval(11, lease);
return true;
%}
@ -521,7 +521,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_max_message_size_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(15, zeek::val_mgr->Count(${v.max_msg_size}));
${context.flow}->options->Assign(15, ${v.max_msg_size});
return true;
%}
@ -546,7 +546,7 @@ refine flow DHCP_Flow += {
function process_renewal_time_option(v: OptionValue): bool
%{
double renewal_time = static_cast<double>(${v.renewal_time});
${context.flow}->options->Assign(16, zeek::make_intrusive<zeek::IntervalVal>(renewal_time));
${context.flow}->options->AssignInterval(16, renewal_time);
return true;
%}
@ -571,7 +571,7 @@ refine flow DHCP_Flow += {
function process_rebinding_time_option(v: OptionValue): bool
%{
double rebinding_time = static_cast<double>(${v.rebinding_time});
${context.flow}->options->Assign(17, zeek::make_intrusive<zeek::IntervalVal>(rebinding_time));
${context.flow}->options->AssignInterval(17, rebinding_time);
return true;
%}
@ -626,7 +626,7 @@ refine flow DHCP_Flow += {
function process_client_id_option(v: OptionValue): bool
%{
auto client_id = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::ClientID);
client_id->Assign(0, zeek::val_mgr->Count(${v.client_id.hwtype}));
client_id->Assign(0, ${v.client_id.hwtype});
zeek::StringValPtr sv;
if ( ${v.client_id.hwtype} == 0 )
@ -695,9 +695,9 @@ refine flow DHCP_Flow += {
function process_client_fqdn_option(v: OptionValue): bool
%{
auto client_fqdn = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::ClientFQDN);
client_fqdn->Assign(0, zeek::val_mgr->Count(${v.client_fqdn.flags}));
client_fqdn->Assign(1, zeek::val_mgr->Count(${v.client_fqdn.rcode1}));
client_fqdn->Assign(2, zeek::val_mgr->Count(${v.client_fqdn.rcode2}));
client_fqdn->Assign(0, ${v.client_fqdn.flags});
client_fqdn->Assign(1, ${v.client_fqdn.rcode1});
client_fqdn->Assign(2, ${v.client_fqdn.rcode2});
const char* domain_name = reinterpret_cast<const char*>(${v.client_fqdn.domain_name}.begin());
client_fqdn->Assign(3, zeek::make_intrusive<zeek::StringVal>(${v.client_fqdn.domain_name}.length(), domain_name));
@ -760,7 +760,7 @@ refine flow DHCP_Flow += {
ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt )
{
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::DHCP::SubOpt);
r->Assign(0, zeek::val_mgr->Count((*ptrsubopt)->code()));
r->Assign(0, (*ptrsubopt)->code());
r->Assign(1, to_stringval((*ptrsubopt)->value()));
relay_agent_sub_opt->Assign(i, std::move(r));
@ -790,7 +790,7 @@ refine casetype OptionValue += {
refine flow DHCP_Flow += {
function process_auto_config_option(v: OptionValue): bool
%{
${context.flow}->options->Assign(23, zeek::val_mgr->Bool(${v.auto_config} == 0 ? false : true));
${context.flow}->options->Assign(23, ${v.auto_config} == 0 ? false : true);
return true;
%}

202
src/analyzer/protocol/dns/DNS.cc
View file

@ -622,13 +622,13 @@ bool DNS_Interpreter::ParseRR_SOA(detail::DNS_MsgInfo* msg,
{
static auto dns_soa = id::find_type<RecordType>("dns_soa");
auto r = make_intrusive<RecordVal>(dns_soa);
r->Assign(0, make_intrusive<StringVal>(new String(mname, mname_end - mname, true)));
r->Assign(1, make_intrusive<StringVal>(new String(rname, rname_end - rname, true)));
r->Assign(2, val_mgr->Count(serial));
r->Assign(3, make_intrusive<IntervalVal>(double(refresh), Seconds));
r->Assign(4, make_intrusive<IntervalVal>(double(retry), Seconds));
r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));
r->Assign(0, new String(mname, mname_end - mname, true));
r->Assign(1, new String(rname, rname_end - rname, true));
r->Assign(2, serial);
r->AssignInterval(3, double(refresh));
r->AssignInterval(4, double(retry));
r->AssignInterval(5, double(expire));
r->AssignInterval(6, double(minimum));
analyzer->EnqueueConnEvent(dns_SOA_reply,
analyzer->ConnVal(),
@ -1849,19 +1849,19 @@ RecordValPtr DNS_MsgInfo::BuildHdrVal()
static auto dns_msg = id::find_type<RecordType>("dns_msg");
auto r = make_intrusive<RecordVal>(dns_msg);
r->Assign(0, val_mgr->Count(id));
r->Assign(1, val_mgr->Count(opcode));
r->Assign(2, val_mgr->Count(rcode));
r->Assign(3, val_mgr->Bool(QR));
r->Assign(4, val_mgr->Bool(AA));
r->Assign(5, val_mgr->Bool(TC));
r->Assign(6, val_mgr->Bool(RD));
r->Assign(7, val_mgr->Bool(RA));
r->Assign(8, val_mgr->Count(Z));
r->Assign(9, val_mgr->Count(qdcount));
r->Assign(10, val_mgr->Count(ancount));
r->Assign(11, val_mgr->Count(nscount));
r->Assign(12, val_mgr->Count(arcount));
r->Assign(0, id);
r->Assign(1, opcode);
r->Assign(2, rcode);
r->Assign(3, static_cast<bool>(QR));
r->Assign(4, static_cast<bool>(AA));
r->Assign(5, static_cast<bool>(TC));
r->Assign(6, static_cast<bool>(RD));
r->Assign(7, static_cast<bool>(RA));
r->Assign(8, Z);
r->Assign(9, qdcount);
r->Assign(10, ancount);
r->Assign(11, nscount);
r->Assign(12, arcount);
return r;
}
@ -1871,11 +1871,11 @@ RecordValPtr DNS_MsgInfo::BuildAnswerVal()
static auto dns_answer = id::find_type<RecordType>("dns_answer");
auto r = make_intrusive<RecordVal>(dns_answer);
r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(0, answer_type);
r->Assign(1, query_name);
r->Assign(2, val_mgr->Count(atype));
r->Assign(3, val_mgr->Count(aclass));
r->Assign(4, make_intrusive<IntervalVal>(double(ttl), Seconds));
r->Assign(2, atype);
r->Assign(3, aclass);
r->AssignInterval(4, double(ttl));
return r;
}
@ -1887,14 +1887,14 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_Val()
static auto dns_edns_additional = id::find_type<RecordType>("dns_edns_additional");
auto r = make_intrusive<RecordVal>(dns_edns_additional);
r->Assign(0, val_mgr->Count(int(answer_type)));
r->Assign(0, answer_type);
r->Assign(1, query_name);
// type = 0x29 or 41 = EDNS
r->Assign(2, val_mgr->Count(atype));
r->Assign(2, atype);
// sender's UDP payload size, per RFC 2671 4.3
r->Assign(3, val_mgr->Count(aclass));
r->Assign(3, aclass);
// Need to break the TTL field into three components:
// initial: [------------- ttl (32) ---------------------]
@ -1907,11 +1907,11 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_Val()
unsigned int return_error = (ercode << 8) | rcode;
r->Assign(4, val_mgr->Count(return_error));
r->Assign(5, val_mgr->Count(version));
r->Assign(6, val_mgr->Count(z));
r->Assign(7, make_intrusive<IntervalVal>(double(ttl), Seconds));
r->Assign(8, val_mgr->Count(is_query));
r->Assign(4, return_error);
r->Assign(5, version);
r->Assign(6, z);
r->AssignInterval(7, double(ttl));
r->Assign(8, is_query);
return r;
}
@ -1922,8 +1922,8 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_ECS_Val(struct EDNS_ECS* opt)
auto r = make_intrusive<RecordVal>(dns_edns_ecs);
r->Assign(0, opt->ecs_family);
r->Assign(1, val_mgr->Count(opt->ecs_src_pfx_len));
r->Assign(2, val_mgr->Count(opt->ecs_scp_pfx_len));
r->Assign(1, opt->ecs_src_pfx_len);
r->Assign(2, opt->ecs_scp_pfx_len);
r->Assign(3, opt->ecs_addr);
return r;
@ -1934,8 +1934,8 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE* opt)
static auto dns_edns_tcp_keepalive = id::find_type<RecordType>("dns_edns_tcp_keepalive");
auto r = make_intrusive<RecordVal>(dns_edns_tcp_keepalive);
r->Assign(0, val_mgr->Bool(opt->keepalive_timeout_omitted));
r->Assign(1, val_mgr->Count(opt->keepalive_timeout));
r->Assign(0, opt->keepalive_timeout_omitted);
r->Assign(1, opt->keepalive_timeout);
return r;
}
@ -1945,9 +1945,9 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_COOKIE_Val(struct EDNS_COOKIE* opt)
static auto dns_edns_cookie = id::find_type<RecordType>("dns_edns_cookie");
auto r = make_intrusive<RecordVal>(dns_edns_cookie);
r->Assign(0, make_intrusive<StringVal>(opt->client_cookie));
r->Assign(0, opt->client_cookie);
if (opt->server_cookie != nullptr) {
r->Assign(1, make_intrusive<StringVal>(opt->server_cookie));
r->Assign(1, opt->server_cookie);
}
return r;
@ -1959,16 +1959,16 @@ RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
auto r = make_intrusive<RecordVal>(dns_tsig_additional);
double rtime = tsig->time_s + tsig->time_ms / 1000.0;
// r->Assign(0, val_mgr->Count(int(answer_type)));
// r->Assign(0, answer_type);
r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, make_intrusive<StringVal>(tsig->alg_name));
r->Assign(3, make_intrusive<StringVal>(tsig->sig));
r->Assign(4, make_intrusive<TimeVal>(rtime));
r->Assign(5, make_intrusive<TimeVal>(double(tsig->fudge)));
r->Assign(6, val_mgr->Count(tsig->orig_id));
r->Assign(7, val_mgr->Count(tsig->rr_error));
r->Assign(8, val_mgr->Count(is_query));
r->Assign(1, answer_type);
r->Assign(2, tsig->alg_name);
r->Assign(3, tsig->sig);
r->AssignTime(4, rtime);
r->AssignTime(5, double(tsig->fudge));
r->Assign(6, tsig->orig_id);
r->Assign(7, tsig->rr_error);
r->Assign(8, is_query);
return r;
}
@ -1979,17 +1979,17 @@ RecordValPtr DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
auto r = make_intrusive<RecordVal>(dns_rrsig_rr);
r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(rrsig->type_covered));
r->Assign(3, val_mgr->Count(rrsig->algorithm));
r->Assign(4, val_mgr->Count(rrsig->labels));
r->Assign(5, make_intrusive<IntervalVal>(double(rrsig->orig_ttl), Seconds));
r->Assign(6, make_intrusive<TimeVal>(double(rrsig->sig_exp)));
r->Assign(7, make_intrusive<TimeVal>(double(rrsig->sig_incep)));
r->Assign(8, val_mgr->Count(rrsig->key_tag));
r->Assign(9, make_intrusive<StringVal>(rrsig->signer_name));
r->Assign(10, make_intrusive<StringVal>(rrsig->signature));
r->Assign(11, val_mgr->Count(is_query));
r->Assign(1, answer_type);
r->Assign(2, rrsig->type_covered);
r->Assign(3, rrsig->algorithm);
r->Assign(4, rrsig->labels);
r->AssignInterval(5, double(rrsig->orig_ttl));
r->AssignTime(6, double(rrsig->sig_exp));
r->AssignTime(7, double(rrsig->sig_incep));
r->Assign(8, rrsig->key_tag);
r->Assign(9, rrsig->signer_name);
r->Assign(10, rrsig->signature);
r->Assign(11, is_query);
return r;
}
@ -2000,12 +2000,12 @@ RecordValPtr DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
auto r = make_intrusive<RecordVal>(dns_dnskey_rr);
r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(dnskey->dflags));
r->Assign(3, val_mgr->Count(dnskey->dprotocol));
r->Assign(4, val_mgr->Count(dnskey->dalgorithm));
r->Assign(5, make_intrusive<StringVal>(dnskey->public_key));
r->Assign(6, val_mgr->Count(is_query));
r->Assign(1, answer_type);
r->Assign(2, dnskey->dflags);
r->Assign(3, dnskey->dprotocol);
r->Assign(4, dnskey->dalgorithm);
r->Assign(5, dnskey->public_key);
r->Assign(6, is_query);
return r;
}
@ -2016,16 +2016,16 @@ RecordValPtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
auto r = make_intrusive<RecordVal>(dns_nsec3_rr);
r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(nsec3->nsec_flags));
r->Assign(3, val_mgr->Count(nsec3->nsec_hash_algo));
r->Assign(4, val_mgr->Count(nsec3->nsec_iter));
r->Assign(5, val_mgr->Count(nsec3->nsec_salt_len));
r->Assign(6, make_intrusive<StringVal>(nsec3->nsec_salt));
r->Assign(7, val_mgr->Count(nsec3->nsec_hlen));
r->Assign(8, make_intrusive<StringVal>(nsec3->nsec_hash));
r->Assign(1, answer_type);
r->Assign(2, nsec3->nsec_flags);
r->Assign(3, nsec3->nsec_hash_algo);
r->Assign(4, nsec3->nsec_iter);
r->Assign(5, nsec3->nsec_salt_len);
r->Assign(6, nsec3->nsec_salt);
r->Assign(7, nsec3->nsec_hlen);
r->Assign(8, nsec3->nsec_hash);
r->Assign(9, std::move(nsec3->bitmaps));
r->Assign(10, val_mgr->Count(is_query));
r->Assign(10, is_query);
return r;
}
@ -2036,13 +2036,13 @@ RecordValPtr DNS_MsgInfo::BuildNSEC3PARAM_Val(NSEC3PARAM_DATA* nsec3param)
auto r = make_intrusive<RecordVal>(dns_nsec3param_rr);
r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(nsec3param->nsec_flags));
r->Assign(3, val_mgr->Count(nsec3param->nsec_hash_algo));
r->Assign(4, val_mgr->Count(nsec3param->nsec_iter));
r->Assign(5, val_mgr->Count(nsec3param->nsec_salt_len));
r->Assign(6, make_intrusive<StringVal>(nsec3param->nsec_salt));
r->Assign(7, val_mgr->Count(is_query));
r->Assign(1, answer_type);
r->Assign(2, nsec3param->nsec_flags);
r->Assign(3, nsec3param->nsec_hash_algo);
r->Assign(4, nsec3param->nsec_iter);
r->Assign(5, nsec3param->nsec_salt_len);
r->Assign(6, nsec3param->nsec_salt);
r->Assign(7, is_query);
return r;
}
@ -2053,12 +2053,12 @@ RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
auto r = make_intrusive<RecordVal>(dns_ds_rr);
r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(ds->key_tag));
r->Assign(3, val_mgr->Count(ds->algorithm));
r->Assign(4, val_mgr->Count(ds->digest_type));
r->Assign(5, make_intrusive<StringVal>(ds->digest_val));
r->Assign(6, val_mgr->Count(is_query));
r->Assign(1, answer_type);
r->Assign(2, ds->key_tag);
r->Assign(3, ds->algorithm);
r->Assign(4, ds->digest_type);
r->Assign(5, ds->digest_val);
r->Assign(6, is_query);
return r;
}
@ -2069,12 +2069,12 @@ RecordValPtr DNS_MsgInfo::BuildBINDS_Val(BINDS_DATA* binds)
auto r = make_intrusive<RecordVal>(dns_binds_rr);
r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(binds->algorithm));
r->Assign(3, val_mgr->Count(binds->key_id));
r->Assign(4, val_mgr->Count(binds->removal_flag));
r->Assign(5, make_intrusive<StringVal>(binds->complete_flag));
r->Assign(6, val_mgr->Count(is_query));
r->Assign(1, answer_type);
r->Assign(2, binds->algorithm);
r->Assign(3, binds->key_id);
r->Assign(4, binds->removal_flag);
r->Assign(5, binds->complete_flag);
r->Assign(6, is_query);
return r;
}
@ -2085,15 +2085,15 @@ RecordValPtr DNS_MsgInfo::BuildLOC_Val(LOC_DATA* loc)
auto r = make_intrusive<RecordVal>(dns_loc_rr);
r->Assign(0, query_name);
r->Assign(1, val_mgr->Count(int(answer_type)));
r->Assign(2, val_mgr->Count(loc->version));
r->Assign(3, val_mgr->Count(loc->size));
r->Assign(4, val_mgr->Count(loc->horiz_pre));
r->Assign(5, val_mgr->Count(loc->vert_pre));
r->Assign(6, val_mgr->Count(loc->latitude));
r->Assign(7, val_mgr->Count(loc->longitude));
r->Assign(8, val_mgr->Count(loc->altitude));
r->Assign(9, val_mgr->Count(is_query));
r->Assign(1, answer_type);
r->Assign(2, loc->version);
r->Assign(3, loc->size);
r->Assign(4, loc->horiz_pre);
r->Assign(5, loc->vert_pre);
r->Assign(6, static_cast<uint64_t>(loc->latitude));
r->Assign(7, static_cast<uint64_t>(loc->longitude));
r->Assign(8, static_cast<uint64_t>(loc->altitude));
r->Assign(9, is_query);
return r;
}

6
src/analyzer/protocol/ftp/functions.bif
View file

@ -35,13 +35,13 @@ static zeek::ValPtr parse_port(const char* line)
r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(htonl(addr)));
r->Assign(1, zeek::val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, zeek::val_mgr->Bool(good));
r->Assign(2, good);
}
else
{
r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(uint32_t(0)));
r->Assign(1, zeek::val_mgr->Port(0, TRANSPORT_TCP));
r->Assign(2, zeek::val_mgr->False());
r->Assign(2, false);
}
return r;
@ -111,7 +111,7 @@ static zeek::ValPtr parse_eftp(const char* line)
r->Assign(0, zeek::make_intrusive<zeek::AddrVal>(addr));
r->Assign(1, zeek::val_mgr->Port(port, TRANSPORT_TCP));
r->Assign(2, zeek::val_mgr->Bool(good));
r->Assign(2, good);
return r;
}

49
src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
View file

@ -9,21 +9,21 @@ zeek::RecordValPtr BuildGTPv1Hdr(const GTPv1_Header* pdu)
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtpv1_hdr);
rv->Assign(0, zeek::val_mgr->Count(pdu->version()));
rv->Assign(1, zeek::val_mgr->Bool(pdu->pt_flag()));
rv->Assign(2, zeek::val_mgr->Bool(pdu->rsv()));
rv->Assign(3, zeek::val_mgr->Bool(pdu->e_flag()));
rv->Assign(4, zeek::val_mgr->Bool(pdu->s_flag()));
rv->Assign(5, zeek::val_mgr->Bool(pdu->pn_flag()));
rv->Assign(6, zeek::val_mgr->Count(pdu->msg_type()));
rv->Assign(7, zeek::val_mgr->Count(pdu->length()));
rv->Assign(8, zeek::val_mgr->Count(pdu->teid()));
rv->Assign(0, pdu->version());
rv->Assign(1, pdu->pt_flag());
rv->Assign(2, pdu->rsv());
rv->Assign(3, pdu->e_flag());
rv->Assign(4, pdu->s_flag());
rv->Assign(5, pdu->pn_flag());
rv->Assign(6, pdu->msg_type());
rv->Assign(7, pdu->length());
rv->Assign(8, pdu->teid());
if ( pdu->has_opt() )
{
rv->Assign(9, zeek::val_mgr->Count(pdu->opt_hdr()->seq()));
rv->Assign(10, zeek::val_mgr->Count(pdu->opt_hdr()->n_pdu()));
rv->Assign(11, zeek::val_mgr->Count(pdu->opt_hdr()->next_type()));
rv->Assign(9, pdu->opt_hdr()->seq());
rv->Assign(10, pdu->opt_hdr()->n_pdu());
rv->Assign(11, pdu->opt_hdr()->next_type());
}
return rv;
@ -37,10 +37,10 @@ static zeek::ValPtr BuildIMSI(const InformationElement* ie)
static zeek::ValPtr BuildRAI(const InformationElement* ie)
{
auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_rai);
ev->Assign(0, zeek::val_mgr->Count(ie->rai()->mcc()));
ev->Assign(1, zeek::val_mgr->Count(ie->rai()->mnc()));
ev->Assign(2, zeek::val_mgr->Count(ie->rai()->lac()));
ev->Assign(3, zeek::val_mgr->Count(ie->rai()->rac()));
ev->Assign(0, ie->rai()->mcc());
ev->Assign(1, ie->rai()->mnc());
ev->Assign(2, ie->rai()->lac());
ev->Assign(3, ie->rai()->rac());
return ev;
}
@ -87,8 +87,8 @@ static zeek::ValPtr BuildTraceType(const InformationElement* ie)
zeek::ValPtr BuildEndUserAddr(const InformationElement* ie)
{
auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_end_user_addr);
ev->Assign(0, zeek::val_mgr->Count(ie->end_user_addr()->pdp_type_org()));
ev->Assign(1, zeek::val_mgr->Count(ie->end_user_addr()->pdp_type_num()));
ev->Assign(0, ie->end_user_addr()->pdp_type_org());
ev->Assign(1, ie->end_user_addr()->pdp_type_num());
int len = ie->end_user_addr()->pdp_addr().length();
@ -106,8 +106,7 @@ zeek::ValPtr BuildEndUserAddr(const InformationElement* ie)
zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
break;
default:
ev->Assign(3, zeek::make_intrusive<zeek::StringVal>(
new zeek::String((const u_char*) d, len, false)));
ev->Assign(3, new zeek::String((const u_char*) d, len, false));
break;
}
}
@ -143,7 +142,7 @@ zeek::ValPtr BuildGSN_Addr(const InformationElement* ie)
ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
else
ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false)));
ev->Assign(1, new zeek::String((const u_char*) d, len, false));
return ev;
}
@ -162,8 +161,8 @@ zeek::ValPtr BuildQoS_Profile(const InformationElement* ie)
const u_char* d = (const u_char*) ie->qos_profile()->data().data();
int len = ie->qos_profile()->data().length();
ev->Assign(0, zeek::val_mgr->Count(ie->qos_profile()->alloc_retention_priority()));
ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::String(d, len, false)));
ev->Assign(0, ie->qos_profile()->alloc_retention_priority());
ev->Assign(1, new zeek::String(d, len, false));
return ev;
}
@ -196,8 +195,8 @@ zeek::ValPtr BuildPrivateExt(const InformationElement* ie)
const uint8* d = ie->private_ext()->value().data();
int len = ie->private_ext()->value().length();
ev->Assign(0, zeek::val_mgr->Count(ie->private_ext()->id()));
ev->Assign(1, zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false)));
ev->Assign(0, ie->private_ext()->id());
ev->Assign(1, new zeek::String((const u_char*) d, len, false));
return ev;
}

20
src/analyzer/protocol/http/HTTP.cc
View file

@ -626,12 +626,12 @@ RecordValPtr HTTP_Message::BuildMessageStat(bool interrupted, const char* msg)
static auto http_message_stat = id::find_type<RecordType>("http_message_stat");
auto stat = make_intrusive<RecordVal>(http_message_stat);
int field = 0;
stat->Assign(field++, make_intrusive<TimeVal>(start_time));
stat->Assign(field++, val_mgr->Bool(interrupted));
stat->Assign(field++, make_intrusive<StringVal>(msg));
stat->Assign(field++, val_mgr->Count(body_length));
stat->Assign(field++, val_mgr->Count(content_gap_length));
stat->Assign(field++, val_mgr->Count(header_length));
stat->AssignTime(field++, start_time);
stat->Assign(field++, interrupted);
stat->Assign(field++, msg);
stat->Assign(field++, static_cast<uint64_t>(body_length));
stat->Assign(field++, static_cast<uint64_t>(content_gap_length));
stat->Assign(field++, static_cast<uint64_t>(header_length));
return stat;
}
@ -1165,10 +1165,10 @@ void HTTP_Analyzer::GenStats()
{
static auto http_stats_rec = id::find_type<RecordType>("http_stats_rec");
auto r = make_intrusive<RecordVal>(http_stats_rec);
r->Assign(0, val_mgr->Count(num_requests));
r->Assign(1, val_mgr->Count(num_replies));
r->Assign(2, make_intrusive<DoubleVal>(request_version.ToDouble()));
r->Assign(3, make_intrusive<DoubleVal>(reply_version.ToDouble()));
r->Assign(0, num_requests);
r->Assign(1, num_replies);
r->Assign(2, request_version.ToDouble());
r->Assign(3, reply_version.ToDouble());
// DEBUG_MSG("%.6f http_stats\n", run_state::network_time);
EnqueueConnEvent(http_stats, ConnVal(), std::move(r));

66
src/analyzer/protocol/icmp/ICMP.cc
View file

@ -224,11 +224,11 @@ RecordValPtr ICMP_Analyzer::BuildInfo(const struct icmp* icmpp, int len,
{
static auto icmp_info = id::find_type<RecordType>("icmp_info");
auto rval = make_intrusive<RecordVal>(icmp_info);
rval->Assign(0, val_mgr->Bool(icmpv6));
rval->Assign(1, val_mgr->Count(icmpp->icmp_type));
rval->Assign(2, val_mgr->Count(icmpp->icmp_code));
rval->Assign(3, val_mgr->Count(len));
rval->Assign(4, val_mgr->Count(ip_hdr->TTL()));
rval->Assign(0, static_cast<bool>(icmpv6));
rval->Assign(1, icmpp->icmp_type);
rval->Assign(2, icmpp->icmp_code);
rval->Assign(3, len);
rval->Assign(4, ip_hdr->TTL());
return rval;
}
@ -355,13 +355,13 @@ RecordValPtr ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data)
id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, std::move(id_val));
iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
iprec->Assign(5, val_mgr->Bool(bad_checksum));
iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->Bool(DF));
iprec->Assign(1, ip_len);
iprec->Assign(2, proto);
iprec->Assign(3, frag_offset);
iprec->Assign(4, static_cast<bool>(bad_hdr_len));
iprec->Assign(5, static_cast<bool>(bad_checksum));
iprec->Assign(6, static_cast<bool>(MF));
iprec->Assign(7, static_cast<bool>(DF));
return iprec;
}
@ -415,14 +415,14 @@ RecordValPtr ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data)
id_val->Assign(3, val_mgr->Port(dst_port, proto));
iprec->Assign(0, std::move(id_val));
iprec->Assign(1, val_mgr->Count(ip_len));
iprec->Assign(2, val_mgr->Count(proto));
iprec->Assign(3, val_mgr->Count(frag_offset));
iprec->Assign(4, val_mgr->Bool(bad_hdr_len));
iprec->Assign(1, ip_len);
iprec->Assign(2, proto);
iprec->Assign(3, frag_offset);
iprec->Assign(4, static_cast<bool>(bad_hdr_len));
// bad_checksum is always false since IPv6 layer doesn't have a checksum.
iprec->Assign(5, val_mgr->False());
iprec->Assign(6, val_mgr->Bool(MF));
iprec->Assign(7, val_mgr->Bool(DF));
iprec->Assign(5, false);
iprec->Assign(6, static_cast<bool>(MF));
iprec->Assign(7, static_cast<bool>(DF));
return iprec;
}
@ -472,14 +472,14 @@ void ICMP_Analyzer::UpdateEndpointVal(const ValPtr& endp_arg, bool is_orig)
if ( size < 0 )
{
endp->Assign(0, val_mgr->Count(0));
endp->Assign(1, val_mgr->Count(int(ICMP_INACTIVE)));
endp->Assign(0, 0);
endp->Assign(1, ICMP_INACTIVE);
}
else
{
endp->Assign(0, val_mgr->Count(size));
endp->Assign(1, val_mgr->Count(int(ICMP_ACTIVE)));
endp->Assign(0, size);
endp->Assign(1, ICMP_ACTIVE);
}
}
@ -743,8 +743,8 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
}
auto rv = make_intrusive<RecordVal>(icmp6_nd_option_type);
rv->Assign(0, val_mgr->Count(type));
rv->Assign(1, val_mgr->Count(length));
rv->Assign(0, type);
rv->Assign(1, length);
// Adjust length to be in units of bytes, exclude type/length fields.
length = length * 8 - 2;
@ -763,7 +763,7 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
if ( caplen >= length )
{
String* link_addr = new String(data, length, false);
rv->Assign(2, make_intrusive<StringVal>(link_addr));
rv->Assign(2, link_addr);
}
else
set_payload_field = true;
@ -783,11 +783,11 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
uint32_t valid_life = *((const uint32_t*)(data + 2));
uint32_t prefer_life = *((const uint32_t*)(data + 6));
in6_addr prefix = *((const in6_addr*)(data + 14));
info->Assign(0, val_mgr->Count(prefix_len));
info->Assign(1, val_mgr->Bool(L_flag));
info->Assign(2, val_mgr->Bool(A_flag));
info->Assign(3, make_intrusive<IntervalVal>((double)ntohl(valid_life), Seconds));
info->Assign(4, make_intrusive<IntervalVal>((double)ntohl(prefer_life), Seconds));
info->Assign(0, prefix_len);
info->Assign(1, L_flag);
info->Assign(2, A_flag);
info->AssignInterval(3, double(ntohl(valid_life)));
info->AssignInterval(4, double(ntohl(prefer_life)));
info->Assign(5, make_intrusive<AddrVal>(IPAddr(prefix)));
rv->Assign(3, std::move(info));
}
@ -816,7 +816,7 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
// MTU option
{
if ( caplen >= 6 )
rv->Assign(5, val_mgr->Count(ntohl(*((const uint32_t*)(data + 2)))));
rv->Assign(5, ntohl(*((const uint32_t*)(data + 2))));
else
set_payload_field = true;
@ -833,7 +833,7 @@ VectorValPtr ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
if ( set_payload_field )
{
String* payload = new String(data, std::min((int)length, caplen), false);
rv->Assign(6, make_intrusive<StringVal>(payload));
rv->Assign(6, payload);
}
data += length;

18
src/analyzer/protocol/irc/IRC.cc
View file

@ -841,14 +841,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
for ( size_t i = 0; i < channels.size(); ++i )
{
auto info = make_intrusive<RecordVal>(irc_join_info);
info->Assign(0, make_intrusive<StringVal>(nickname.c_str()));
info->Assign(1, make_intrusive<StringVal>(channels[i].c_str()));
info->Assign(0, nickname);
info->Assign(1, channels[i]);
if ( i < passwords.size() )
info->Assign(2, make_intrusive<StringVal>(passwords[i].c_str()));
info->Assign(2, passwords[i]);
else
info->Assign(2, make_intrusive<StringVal>(empty_string.c_str()));
info->Assign(2, empty_string);
// User mode.
info->Assign(3, make_intrusive<StringVal>(empty_string.c_str()));
info->Assign(3, empty_string);
list->Assign(std::move(info), nullptr);
}
@ -903,12 +903,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
mode = "voice";
}
info->Assign(0, make_intrusive<StringVal>(nick.c_str()));
info->Assign(1, make_intrusive<StringVal>(channel.c_str()));
info->Assign(0, nick);
info->Assign(1, channel);
// Password:
info->Assign(2, make_intrusive<StringVal>(empty_string.c_str()));
info->Assign(2, empty_string);
// User mode:
info->Assign(3, make_intrusive<StringVal>(mode.c_str()));
info->Assign(3, mode);
list->Assign(std::move(info), nullptr);
}

30
src/analyzer/protocol/krb/krb-analyzer.pac
View file

@ -10,19 +10,19 @@ zeek::RecordValPtr proc_krb_kdc_options(const KRB_KDC_Options* opts)
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::KDC_Options);
rv->Assign(0, zeek::val_mgr->Bool(opts->forwardable()));
rv->Assign(1, zeek::val_mgr->Bool(opts->forwarded()));
rv->Assign(2, zeek::val_mgr->Bool(opts->proxiable()));
rv->Assign(3, zeek::val_mgr->Bool(opts->proxy()));
rv->Assign(4, zeek::val_mgr->Bool(opts->allow_postdate()));
rv->Assign(5, zeek::val_mgr->Bool(opts->postdated()));
rv->Assign(6, zeek::val_mgr->Bool(opts->renewable()));
rv->Assign(7, zeek::val_mgr->Bool(opts->opt_hardware_auth()));
rv->Assign(8, zeek::val_mgr->Bool(opts->disable_transited_check()));
rv->Assign(9, zeek::val_mgr->Bool(opts->renewable_ok()));
rv->Assign(10, zeek::val_mgr->Bool(opts->enc_tkt_in_skey()));
rv->Assign(11, zeek::val_mgr->Bool(opts->renew()));
rv->Assign(12, zeek::val_mgr->Bool(opts->validate()));
rv->Assign(0, opts->forwardable());
rv->Assign(1, opts->forwarded());
rv->Assign(2, opts->proxiable());
rv->Assign(3, opts->proxy());
rv->Assign(4, opts->allow_postdate());
rv->Assign(5, opts->postdated());
rv->Assign(6, opts->renewable());
rv->Assign(7, opts->opt_hardware_auth());
rv->Assign(8, opts->disable_transited_check());
rv->Assign(9, opts->renewable_ok());
rv->Assign(10, opts->enc_tkt_in_skey());
rv->Assign(11, opts->renew());
rv->Assign(12, opts->validate());
return rv;
}
@ -259,8 +259,8 @@ refine connection KRB_Conn += {
if ( krb_ap_request )
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::AP_Options);
rv->Assign(0, zeek::val_mgr->Bool(${msg.ap_options.use_session_key}));
rv->Assign(1, zeek::val_mgr->Bool(${msg.ap_options.mutual_required}));
rv->Assign(0, ${msg.ap_options.use_session_key});
rv->Assign(1, ${msg.ap_options.mutual_required});
auto rvticket = proc_ticket(${msg.ticket});
auto authenticationinfo = zeek_analyzer()->GetAuthenticationInfo(

10
src/analyzer/protocol/krb/krb-padata.pac
View file

@ -21,7 +21,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnaly
for ( uint i = 0; i < data->data()->padata_elems()->size(); ++i)
{
KRB_PA_Data* element = (*data->data()->padata_elems())[i];
int64 data_type = element->data_type();
uint64_t data_type = element->data_type();
if ( is_error && ( data_type == PA_PW_AS_REQ || data_type == PA_PW_AS_REP ) )
data_type = 0;
@ -37,7 +37,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnaly
case PA_PW_SALT:
{
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, zeek::val_mgr->Count(element->data_type()));
type_val->Assign(0, data_type);
type_val->Assign(1, to_stringval(element->pa_data_element()->pa_pw_salt()->encoding()->content()));
vv->Assign(vv->Size(), std::move(type_val));
break;
@ -45,7 +45,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnaly
case PA_ENCTYPE_INFO:
{
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, zeek::val_mgr->Count(element->data_type()));
type_val->Assign(0, data_type);
type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info()->salt()));
vv->Assign(vv->Size(), std::move(type_val));
break;
@ -53,7 +53,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnaly
case PA_ENCTYPE_INFO2:
{
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, zeek::val_mgr->Count(element->data_type()));
type_val->Assign(0, data_type);
type_val->Assign(1, to_stringval(element->pa_data_element()->pf_enctype_info2()->salt()));
vv->Assign(vv->Size(), std::move(type_val));
break;
@ -113,7 +113,7 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnaly
if ( ! is_error && element->pa_data_element()->unknown()->meta()->length() > 0 )
{
auto type_val = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Type_Value);
type_val->Assign(0, zeek::val_mgr->Count(element->data_type()));
type_val->Assign(0, data_type);
type_val->Assign(1, to_stringval(element->pa_data_element()->unknown()->content()));
vv->Assign(vv->Size(), std::move(type_val));
}

8
src/analyzer/protocol/modbus/modbus-analyzer.pac
View file

@ -30,10 +30,10 @@
zeek::RecordValPtr HeaderToVal(ModbusTCP_TransportHeader* header)
{
auto modbus_header = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::ModbusHeaders);
modbus_header->Assign(0, zeek::val_mgr->Count(header->tid()));
modbus_header->Assign(1, zeek::val_mgr->Count(header->pid()));
modbus_header->Assign(2, zeek::val_mgr->Count(header->uid()));
modbus_header->Assign(3, zeek::val_mgr->Count(header->fc()));
modbus_header->Assign(0, header->tid());
modbus_header->Assign(1, header->pid());
modbus_header->Assign(2, header->uid());
modbus_header->Assign(3, header->fc());
return modbus_header;
}

4
src/analyzer/protocol/mqtt/commands/connack.pac
View file

@ -16,8 +16,8 @@ refine flow MQTT_Flow += {
if ( mqtt_connack )
{
auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectAckMsg);
m->Assign(0, zeek::val_mgr->Count(${msg.return_code}));
m->Assign(1, zeek::val_mgr->Bool(${msg.session_present}));
m->Assign(0, ${msg.return_code});
m->Assign(1, ${msg.session_present});
zeek::BifEvent::enqueue_mqtt_connack(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
std::move(m));

10
src/analyzer/protocol/mqtt/commands/connect.pac
View file

@ -47,14 +47,14 @@ refine flow MQTT_Flow += {
auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectMsg);
m->Assign(0, zeek::make_intrusive<zeek::StringVal>(${msg.protocol_name.str}.length(),
reinterpret_cast<const char*>(${msg.protocol_name.str}.begin())));
m->Assign(1, zeek::val_mgr->Count(${msg.protocol_version}));
m->Assign(1, ${msg.protocol_version});
m->Assign(2, zeek::make_intrusive<zeek::StringVal>(${msg.client_id.str}.length(),
reinterpret_cast<const char*>(${msg.client_id.str}.begin())));
m->Assign(3, zeek::make_intrusive<zeek::IntervalVal>(double(${msg.keep_alive}), Seconds));
m->AssignInterval(3, double(${msg.keep_alive}));
m->Assign(4, zeek::val_mgr->Bool(${msg.clean_session}));
m->Assign(5, zeek::val_mgr->Bool(${msg.will_retain}));
m->Assign(6, zeek::val_mgr->Count(${msg.will_qos}));
m->Assign(4, ${msg.clean_session});
m->Assign(5, ${msg.will_retain});
m->Assign(6, ${msg.will_qos});
if ( ${msg.will_flag} )
{

8
src/analyzer/protocol/mqtt/commands/publish.pac
View file

@ -24,9 +24,9 @@ refine flow MQTT_Flow += {
if ( mqtt_publish )
{
auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::PublishMsg);
m->Assign(0, zeek::val_mgr->Bool(${msg.dup}));
m->Assign(1, zeek::val_mgr->Count(${msg.qos}));
m->Assign(2, zeek::val_mgr->Bool(${msg.retain}));
m->Assign(0, ${msg.dup});
m->Assign(1, ${msg.qos});
m->Assign(2, ${msg.retain});
m->Assign<zeek::StringVal>(3, ${msg.topic.str}.length(),
reinterpret_cast<const char*>(${msg.topic.str}.begin()));
@ -40,7 +40,7 @@ refine flow MQTT_Flow += {
m->Assign<zeek::StringVal>(4, len,
reinterpret_cast<const char*>(${msg.payload}.begin()));
m->Assign(5, zeek::val_mgr->Count(${msg.payload}.length()));
m->Assign(5, ${msg.payload}.length());
zeek::BifEvent::enqueue_mqtt_publish(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),

56
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -20,10 +20,10 @@
zeek::RecordValPtr build_version_record(NTLM_Version* val)
{
auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::Version);
result->Assign(0, zeek::val_mgr->Count(${val.major_version}));
result->Assign(1, zeek::val_mgr->Count(${val.minor_version}));
result->Assign(2, zeek::val_mgr->Count(${val.build_number}));
result->Assign(3, zeek::val_mgr->Count(${val.ntlm_revision}));
result->Assign(0, ${val.major_version});
result->Assign(1, ${val.minor_version});
result->Assign(2, ${val.build_number});
result->Assign(3, ${val.ntlm_revision});
return result;
}
@ -31,28 +31,28 @@
zeek::RecordValPtr build_negotiate_flag_record(NTLM_Negotiate_Flags* val)
{
auto flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::NegotiateFlags);
flags->Assign(0, zeek::val_mgr->Bool(${val.negotiate_56}));
flags->Assign(1, zeek::val_mgr->Bool(${val.negotiate_key_exch}));
flags->Assign(2, zeek::val_mgr->Bool(${val.negotiate_128}));
flags->Assign(3, zeek::val_mgr->Bool(${val.negotiate_version}));
flags->Assign(4, zeek::val_mgr->Bool(${val.negotiate_target_info}));
flags->Assign(5, zeek::val_mgr->Bool(${val.request_non_nt_session_key}));
flags->Assign(6, zeek::val_mgr->Bool(${val.negotiate_identify}));
flags->Assign(7, zeek::val_mgr->Bool(${val.negotiate_extended_sessionsecurity}));
flags->Assign(8, zeek::val_mgr->Bool(${val.target_type_server}));
flags->Assign(9, zeek::val_mgr->Bool(${val.target_type_domain}));
flags->Assign(10, zeek::val_mgr->Bool(${val.negotiate_always_sign}));
flags->Assign(11, zeek::val_mgr->Bool(${val.negotiate_oem_workstation_supplied}));
flags->Assign(12, zeek::val_mgr->Bool(${val.negotiate_oem_domain_supplied}));
flags->Assign(13, zeek::val_mgr->Bool(${val.negotiate_anonymous_connection}));
flags->Assign(14, zeek::val_mgr->Bool(${val.negotiate_ntlm}));
flags->Assign(15, zeek::val_mgr->Bool(${val.negotiate_lm_key}));
flags->Assign(16, zeek::val_mgr->Bool(${val.negotiate_datagram}));
flags->Assign(17, zeek::val_mgr->Bool(${val.negotiate_seal}));
flags->Assign(18, zeek::val_mgr->Bool(${val.negotiate_sign}));
flags->Assign(19, zeek::val_mgr->Bool(${val.request_target}));
flags->Assign(20, zeek::val_mgr->Bool(${val.negotiate_oem}));
flags->Assign(21, zeek::val_mgr->Bool(${val.negotiate_unicode}));
flags->Assign(0, ${val.negotiate_56});
flags->Assign(1, ${val.negotiate_key_exch});
flags->Assign(2, ${val.negotiate_128});
flags->Assign(3, ${val.negotiate_version});
flags->Assign(4, ${val.negotiate_target_info});
flags->Assign(5, ${val.request_non_nt_session_key});
flags->Assign(6, ${val.negotiate_identify});
flags->Assign(7, ${val.negotiate_extended_sessionsecurity});
flags->Assign(8, ${val.target_type_server});
flags->Assign(9, ${val.target_type_domain});
flags->Assign(10, ${val.negotiate_always_sign});
flags->Assign(11, ${val.negotiate_oem_workstation_supplied});
flags->Assign(12, ${val.negotiate_oem_domain_supplied});
flags->Assign(13, ${val.negotiate_anonymous_connection});
flags->Assign(14, ${val.negotiate_ntlm});
flags->Assign(15, ${val.negotiate_lm_key});
flags->Assign(16, ${val.negotiate_datagram});
flags->Assign(17, ${val.negotiate_seal});
flags->Assign(18, ${val.negotiate_sign});
flags->Assign(19, ${val.request_target});
flags->Assign(20, ${val.negotiate_oem});
flags->Assign(21, ${val.negotiate_unicode});
return flags;
}
@ -96,13 +96,13 @@ refine connection NTLM_Conn += {
result->Assign(4, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
break;
case 6:
result->Assign(5, zeek::val_mgr->Bool(${val.pairs[i].constrained_auth}));
result->Assign(5, ${val.pairs[i].constrained_auth});
break;
case 7:
result->Assign(6, filetime2zeektime(${val.pairs[i].timestamp}));
break;
case 8:
result->Assign(7, zeek::val_mgr->Count(${val.pairs[i].single_host.machine_id}));
result->Assign(7, ${val.pairs[i].single_host.machine_id});
break;
case 9:
result->Assign(8, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].target_name.data}));

42
src/analyzer/protocol/ntp/ntp-analyzer.pac
View file

@ -36,9 +36,9 @@
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::StandardMessage);
rv->Assign(0, zeek::val_mgr->Count(${nsm.stratum}));
rv->Assign(1, zeek::make_intrusive<zeek::IntervalVal>(pow(2, ${nsm.poll})));
rv->Assign(2, zeek::make_intrusive<zeek::IntervalVal>(pow(2, ${nsm.precision})));
rv->Assign(0, ${nsm.stratum});
rv->AssignInterval(1, pow(2, ${nsm.poll}));
rv->AssignInterval(2, pow(2, ${nsm.precision}));
rv->Assign(3, proc_ntp_short(${nsm.root_delay}));
rv->Assign(4, proc_ntp_short(${nsm.root_dispersion}));
@ -66,19 +66,19 @@
if ( ${nsm.mac_len} == 20 )
{
rv->Assign(12, zeek::val_mgr->Count(${nsm.mac.key_id}));
rv->Assign(12, ${nsm.mac.key_id});
rv->Assign(13, to_stringval(${nsm.mac.digest}));
}
else if ( ${nsm.mac_len} == 24 )
{
rv->Assign(12, zeek::val_mgr->Count(${nsm.mac_ext.key_id}));
rv->Assign(12, ${nsm.mac_ext.key_id});
rv->Assign(13, to_stringval(${nsm.mac_ext.digest}));
}
if ( ${nsm.has_exts} )
{
// TODO: add extension fields
rv->Assign(14, zeek::val_mgr->Count((uint32) ${nsm.exts}->size()));
rv->Assign(14, static_cast<uint32>(${nsm.exts}->size()));
}
return rv;
@ -89,20 +89,20 @@
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::ControlMessage);
rv->Assign(0, zeek::val_mgr->Count(${ncm.OpCode}));
rv->Assign(1, zeek::val_mgr->Bool(${ncm.R}));
rv->Assign(2, zeek::val_mgr->Bool(${ncm.E}));
rv->Assign(3, zeek::val_mgr->Bool(${ncm.M}));
rv->Assign(4, zeek::val_mgr->Count(${ncm.sequence}));
rv->Assign(5, zeek::val_mgr->Count(${ncm.status}));
rv->Assign(6, zeek::val_mgr->Count(${ncm.association_id}));
rv->Assign(0, ${ncm.OpCode});
rv->Assign(1, ${ncm.R});
rv->Assign(2, ${ncm.E});
rv->Assign(3, ${ncm.M});
rv->Assign(4, ${ncm.sequence});
rv->Assign(5, ${ncm.status});
rv->Assign(6, ${ncm.association_id});
if ( ${ncm.c} > 0 )
rv->Assign(7, to_stringval(${ncm.data}));
if ( ${ncm.has_control_mac} )
{
rv->Assign(8, zeek::val_mgr->Count(${ncm.mac.key_id}));
rv->Assign(8, ${ncm.mac.key_id});
rv->Assign(9, to_stringval(${ncm.mac.crypto_checksum}));
}
@ -114,11 +114,11 @@
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::Mode7Message);
rv->Assign(0, zeek::val_mgr->Count(${m7.request_code}));
rv->Assign(1, zeek::val_mgr->Bool(${m7.auth_bit}));
rv->Assign(2, zeek::val_mgr->Count(${m7.sequence}));
rv->Assign(3, zeek::val_mgr->Count(${m7.implementation}));
rv->Assign(4, zeek::val_mgr->Count(${m7.error_code}));
rv->Assign(0, ${m7.request_code});
rv->Assign(1, ${m7.auth_bit});
rv->Assign(2, ${m7.sequence});
rv->Assign(3, ${m7.implementation});
rv->Assign(4, ${m7.error_code});
if ( ${m7.data_len} > 0 )
rv->Assign(5, to_stringval(${m7.data}));
@ -139,8 +139,8 @@ refine flow NTP_Flow += {
return false;
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTP::Message);
rv->Assign(0, zeek::val_mgr->Count(${msg.version}));
rv->Assign(1, zeek::val_mgr->Count(${msg.mode}));
rv->Assign(0, ${msg.version});
rv->Assign(1, ${msg.mode});
// The standard record
if ( ${msg.mode} >=1 && ${msg.mode} <= 5 )

4
src/analyzer/protocol/radius/radius-analyzer.pac
View file

@ -8,8 +8,8 @@ refine flow RADIUS_Flow += {
return false;
auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RADIUS::Message);
result->Assign(0, zeek::val_mgr->Count(${msg.code}));
result->Assign(1, zeek::val_mgr->Count(${msg.trans_id}));
result->Assign(0, ${msg.code});
result->Assign(1, ${msg.trans_id});
result->Assign(2, to_stringval(${msg.authenticator}));
if ( ${msg.attributes}->size() )

90
src/analyzer/protocol/rdp/rdp-analyzer.pac
View file

@ -66,35 +66,35 @@ refine flow RDP_Flow += {
if ( rdp_client_core_data )
{
auto ec_flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::EarlyCapabilityFlags);
ec_flags->Assign(0, zeek::val_mgr->Bool(${ccore.SUPPORT_ERRINFO_PDU}));
ec_flags->Assign(1, zeek::val_mgr->Bool(${ccore.WANT_32BPP_SESSION}));
ec_flags->Assign(2, zeek::val_mgr->Bool(${ccore.SUPPORT_STATUSINFO_PDU}));
ec_flags->Assign(3, zeek::val_mgr->Bool(${ccore.STRONG_ASYMMETRIC_KEYS}));
ec_flags->Assign(4, zeek::val_mgr->Bool(${ccore.SUPPORT_MONITOR_LAYOUT_PDU}));
ec_flags->Assign(5, zeek::val_mgr->Bool(${ccore.SUPPORT_NETCHAR_AUTODETECT}));
ec_flags->Assign(6, zeek::val_mgr->Bool(${ccore.SUPPORT_DYNVC_GFX_PROTOCOL}));
ec_flags->Assign(7, zeek::val_mgr->Bool(${ccore.SUPPORT_DYNAMIC_TIME_ZONE}));
ec_flags->Assign(8, zeek::val_mgr->Bool(${ccore.SUPPORT_HEARTBEAT_PDU}));
ec_flags->Assign(0, ${ccore.SUPPORT_ERRINFO_PDU});
ec_flags->Assign(1, ${ccore.WANT_32BPP_SESSION});
ec_flags->Assign(2, ${ccore.SUPPORT_STATUSINFO_PDU});
ec_flags->Assign(3, ${ccore.STRONG_ASYMMETRIC_KEYS});
ec_flags->Assign(4, ${ccore.SUPPORT_MONITOR_LAYOUT_PDU});
ec_flags->Assign(5, ${ccore.SUPPORT_NETCHAR_AUTODETECT});
ec_flags->Assign(6, ${ccore.SUPPORT_DYNVC_GFX_PROTOCOL});
ec_flags->Assign(7, ${ccore.SUPPORT_DYNAMIC_TIME_ZONE});
ec_flags->Assign(8, ${ccore.SUPPORT_HEARTBEAT_PDU});
auto ccd = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientCoreData);
ccd->Assign(0, zeek::val_mgr->Count(${ccore.version_major}));
ccd->Assign(1, zeek::val_mgr->Count(${ccore.version_minor}));
ccd->Assign(2, zeek::val_mgr->Count(${ccore.desktop_width}));
ccd->Assign(3, zeek::val_mgr->Count(${ccore.desktop_height}));
ccd->Assign(4, zeek::val_mgr->Count(${ccore.color_depth}));
ccd->Assign(5, zeek::val_mgr->Count(${ccore.sas_sequence}));
ccd->Assign(6, zeek::val_mgr->Count(${ccore.keyboard_layout}));
ccd->Assign(7, zeek::val_mgr->Count(${ccore.client_build}));
ccd->Assign(0, ${ccore.version_major});
ccd->Assign(1, ${ccore.version_minor});
ccd->Assign(2, ${ccore.desktop_width});
ccd->Assign(3, ${ccore.desktop_height});
ccd->Assign(4, ${ccore.color_depth});
ccd->Assign(5, ${ccore.sas_sequence});
ccd->Assign(6, ${ccore.keyboard_layout});
ccd->Assign(7, ${ccore.client_build});
ccd->Assign(8, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.client_name}));
ccd->Assign(9, zeek::val_mgr->Count(${ccore.keyboard_type}));
ccd->Assign(10, zeek::val_mgr->Count(${ccore.keyboard_sub}));
ccd->Assign(11, zeek::val_mgr->Count(${ccore.keyboard_function_key}));
ccd->Assign(9, ${ccore.keyboard_type});
ccd->Assign(10, ${ccore.keyboard_sub});
ccd->Assign(11, ${ccore.keyboard_function_key});
ccd->Assign(12, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.ime_file_name}));
ccd->Assign(13, zeek::val_mgr->Count(${ccore.post_beta2_color_depth}));
ccd->Assign(14, zeek::val_mgr->Count(${ccore.client_product_id}));
ccd->Assign(15, zeek::val_mgr->Count(${ccore.serial_number}));
ccd->Assign(16, zeek::val_mgr->Count(${ccore.high_color_depth}));
ccd->Assign(17, zeek::val_mgr->Count(${ccore.supported_color_depths}));
ccd->Assign(13, ${ccore.post_beta2_color_depth});
ccd->Assign(14, ${ccore.client_product_id});
ccd->Assign(15, ${ccore.serial_number});
ccd->Assign(16, ${ccore.high_color_depth});
ccd->Assign(17, ${ccore.supported_color_depths});
ccd->Assign(18, std::move(ec_flags));
ccd->Assign(19, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.dig_product_id}));
@ -112,8 +112,8 @@ refine flow RDP_Flow += {
return false;
auto csd = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientSecurityData);
csd->Assign(0, zeek::val_mgr->Count(${csec.encryption_methods}));
csd->Assign(1, zeek::val_mgr->Count(${csec.ext_encryption_methods}));
csd->Assign(0, ${csec.encryption_methods});
csd->Assign(1, ${csec.ext_encryption_methods});
zeek::BifEvent::enqueue_rdp_client_security_data(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
@ -135,19 +135,19 @@ refine flow RDP_Flow += {
auto channel_def = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientChannelDef);
channel_def->Assign(0, to_stringval(${cnetwork.channel_def_array[i].name}));
channel_def->Assign(1, zeek::val_mgr->Count(${cnetwork.channel_def_array[i].options}));
channel_def->Assign(1, ${cnetwork.channel_def_array[i].options});
channel_def->Assign(2, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED}));
channel_def->Assign(3, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_RDP}));
channel_def->Assign(4, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_SC}));
channel_def->Assign(5, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_CS}));
channel_def->Assign(6, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_HIGH}));
channel_def->Assign(7, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_MED}));
channel_def->Assign(8, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_LOW}));
channel_def->Assign(9, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS_RDP}));
channel_def->Assign(10, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS}));
channel_def->Assign(11, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL}));
channel_def->Assign(12, zeek::val_mgr->Bool(${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT}));
channel_def->Assign(2, ${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED});
channel_def->Assign(3, ${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_RDP});
channel_def->Assign(4, ${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_SC});
channel_def->Assign(5, ${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_CS});
channel_def->Assign(6, ${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_HIGH});
channel_def->Assign(7, ${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_MED});
channel_def->Assign(8, ${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_LOW});
channel_def->Assign(9, ${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS_RDP});
channel_def->Assign(10, ${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS});
channel_def->Assign(11, ${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL});
channel_def->Assign(12, ${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT});
channels->Assign(channels->Size(), std::move(channel_def));
}
@ -166,12 +166,12 @@ refine flow RDP_Flow += {
return false;
auto ccld = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::RDP::ClientClusterData);
ccld->Assign(0, zeek::val_mgr->Count(${ccluster.flags}));
ccld->Assign(1, zeek::val_mgr->Count(${ccluster.redir_session_id}));
ccld->Assign(2, zeek::val_mgr->Bool(${ccluster.REDIRECTION_SUPPORTED}));
ccld->Assign(3, zeek::val_mgr->Count(${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK}));
ccld->Assign(4, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
ccld->Assign(5, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SMARTCARD}));
ccld->Assign(0, ${ccluster.flags});
ccld->Assign(1, ${ccluster.redir_session_id});
ccld->Assign(2, ${ccluster.REDIRECTION_SUPPORTED});
ccld->Assign(3, ${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK});
ccld->Assign(4, ${ccluster.REDIRECTED_SESSIONID_FIELD_VALID});
ccld->Assign(5, ${ccluster.REDIRECTED_SMARTCARD});
zeek::BifEvent::enqueue_rdp_client_cluster_data(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),

27
src/analyzer/protocol/rpc/MOUNT.cc
View file

@ -188,16 +188,16 @@ Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
auto info = make_intrusive<RecordVal>(BifType::Record::MOUNT3::info_t);
info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status));
info->Assign(1, BifType::Enum::MOUNT3::status_t->GetEnumVal(mount_status));
info->Assign(2, make_intrusive<TimeVal>(c->StartTime()));
info->Assign(3, make_intrusive<IntervalVal>(c->LastTime() - c->StartTime()));
info->Assign(4, val_mgr->Count(c->RPCLen()));
info->Assign(5, make_intrusive<TimeVal>(rep_start_time));
info->Assign(6, make_intrusive<IntervalVal>(rep_last_time - rep_start_time));
info->Assign(7, val_mgr->Count(reply_len));
info->Assign(8, val_mgr->Count(c->Uid()));
info->Assign(9, val_mgr->Count(c->Gid()));
info->Assign(10, val_mgr->Count(c->Stamp()));
info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
info->AssignTime(2, c->StartTime());
info->AssignInterval(3, c->LastTime() - c->StartTime());
info->Assign(4, c->RPCLen());
info->AssignTime(5, rep_start_time);
info->AssignInterval(6, rep_last_time - rep_start_time);
info->Assign(7, reply_len);
info->Assign(8, c->Uid());
info->Assign(9, c->Gid());
info->Assign(10, c->Stamp());
info->Assign(11, c->MachineName());
info->Assign(12, std::move(auxgids));
vl.emplace_back(std::move(info));
@ -259,7 +259,7 @@ RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n,
auth_flavors_count = max_auth_flavors;
}
auto enum_vector = make_intrusive<VectorType>(base_type(TYPE_ENUM));
auto enum_vector = make_intrusive<VectorType>(BifType::Enum::MOUNT3::auth_flavor_t);
auto auth_flavors = make_intrusive<VectorVal>(std::move(enum_vector));
for ( auto i = 0u; i < auth_flavors_count; ++i )
@ -272,11 +272,6 @@ RecordValPtr MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n,
rep->Assign(1, std::move(auth_flavors));
}
else
{
rep->Assign(0, nullptr);
rep->Assign(1, nullptr);
}
return rep;
}

63
src/analyzer/protocol/rpc/NFS.cc
View file

@ -321,16 +321,16 @@ Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status
auto info = make_intrusive<RecordVal>(BifType::Record::NFS3::info_t);
info->Assign(0, BifType::Enum::rpc_status->GetEnumVal(rpc_status));
info->Assign(1, BifType::Enum::NFS3::status_t->GetEnumVal(nfs_status));
info->Assign(2, make_intrusive<TimeVal>(c->StartTime()));
info->Assign(3, make_intrusive<IntervalVal>(c->LastTime()-c->StartTime()));
info->Assign(4, val_mgr->Count(c->RPCLen()));
info->Assign(5, make_intrusive<TimeVal>(rep_start_time));
info->Assign(6, make_intrusive<IntervalVal>(rep_last_time-rep_start_time));
info->Assign(7, val_mgr->Count(reply_len));
info->Assign(8, val_mgr->Count(c->Uid()));
info->Assign(9, val_mgr->Count(c->Gid()));
info->Assign(10, val_mgr->Count(c->Stamp()));
info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
info->AssignTime(2, c->StartTime());
info->AssignInterval(3, c->LastTime()-c->StartTime());
info->Assign(4, c->RPCLen());
info->AssignTime(5, rep_start_time);
info->AssignInterval(6, rep_last_time-rep_start_time);
info->Assign(7, reply_len);
info->Assign(8, c->Uid());
info->Assign(9, c->Gid());
info->Assign(10, c->Stamp());
info->Assign(11, c->MachineName());
info->Assign(12, std::move(auxgids));
vl.emplace_back(std::move(info));
@ -353,22 +353,18 @@ RecordValPtr NFS_Interp::nfs3_sattr(const u_char*& buf, int& n)
{
auto attrs = make_intrusive<RecordVal>(BifType::Record::NFS3::sattr_t);
attrs->Assign(0, nullptr); // mode
int mode_set_it = extract_XDR_uint32(buf, n);
if ( mode_set_it )
attrs->Assign(0, ExtractUint32(buf, n)); // mode
attrs->Assign(1, nullptr); // uid
int uid_set_it = extract_XDR_uint32(buf, n);
if ( uid_set_it )
attrs->Assign(1, ExtractUint32(buf, n)); // uid
attrs->Assign(2, nullptr); // gid
int gid_set_it = extract_XDR_uint32(buf, n);
if ( gid_set_it )
attrs->Assign(2, ExtractUint32(buf, n)); // gid
attrs->Assign(3, nullptr); // size
int size_set_it = extract_XDR_uint32(buf, n);
if ( size_set_it )
attrs->Assign(3, ExtractTime(buf, n)); // size
@ -389,11 +385,6 @@ RecordValPtr NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::N
rep->Assign(0, nfs3_pre_op_attr(buf, n));
rep->Assign(1, nfs3_post_op_attr(buf, n));
}
else
{
rep->Assign(1, nullptr);
rep->Assign(2, nullptr);
}
return rep;
}
@ -536,8 +527,6 @@ RecordValPtr NFS_Interp::nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::
}
else
{
rep->Assign(0, nullptr);
rep->Assign(1, nullptr);
rep->Assign(2, nfs3_post_op_attr(buf, n));
}
return rep;
@ -565,7 +554,7 @@ RecordValPtr NFS_Interp::nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NF
rep->Assign(0, nfs3_post_op_attr(buf, n));
bytes_read = extract_XDR_uint32(buf, n);
rep->Assign(1, val_mgr->Count(bytes_read));
rep->Assign(1, bytes_read);
rep->Assign(2, ExtractBool(buf, n));
rep->Assign(3, nfs3_file_data(buf, n, offset, bytes_read));
}
@ -648,9 +637,9 @@ RecordValPtr NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n)
writeargs->Assign(0, nfs3_fh(buf, n));
offset = extract_XDR_uint64(buf, n);
writeargs->Assign(1, val_mgr->Count(offset)); // offset
writeargs->Assign(1, offset); // offset
bytes = extract_XDR_uint32(buf, n);
writeargs->Assign(2, val_mgr->Count(bytes)); // size
writeargs->Assign(2, bytes); // size
writeargs->Assign(3, nfs3_stable_how(buf, n));
writeargs->Assign(4, nfs3_file_data(buf, n, offset, bytes));
@ -698,8 +687,6 @@ RecordValPtr NFS_Interp::nfs3_newobj_reply(const u_char*& buf, int& n, BifEnum::
}
else
{
rep->Assign(0, nullptr);
rep->Assign(1, nullptr);
rep->Assign(2, nfs3_pre_op_attr(buf, n));
rep->Assign(3, nfs3_post_op_attr(buf, n));
}
@ -735,7 +722,7 @@ RecordValPtr NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n
{
auto args = make_intrusive<RecordVal>(BifType::Record::NFS3::readdirargs_t);
args->Assign(0, val_mgr->Bool(isplus));
args->Assign(0, isplus);
args->Assign(1, nfs3_fh(buf, n));
args->Assign(2, ExtractUint64(buf,n)); // cookie
args->Assign(3, ExtractUint64(buf,n)); // cookieverf
@ -752,7 +739,7 @@ RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf,
{
auto rep = make_intrusive<RecordVal>(BifType::Record::NFS3::readdir_reply_t);
rep->Assign(0, val_mgr->Bool(isplus));
rep->Assign(0, isplus);
if ( status == BifEnum::NFS3::NFS3ERR_OK )
{
@ -792,29 +779,29 @@ RecordValPtr NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf,
return rep;
}
ValPtr NFS_Interp::ExtractUint32(const u_char*& buf, int& n)
uint32_t NFS_Interp::ExtractUint32(const u_char*& buf, int& n)
{
return val_mgr->Count(extract_XDR_uint32(buf, n));
return extract_XDR_uint32(buf, n);
}
ValPtr NFS_Interp::ExtractUint64(const u_char*& buf, int& n)
uint64_t NFS_Interp::ExtractUint64(const u_char*& buf, int& n)
{
return val_mgr->Count(extract_XDR_uint64(buf, n));
return extract_XDR_uint64(buf, n);
}
ValPtr NFS_Interp::ExtractTime(const u_char*& buf, int& n)
double NFS_Interp::ExtractTime(const u_char*& buf, int& n)
{
return make_intrusive<TimeVal>(extract_XDR_time(buf, n));
return extract_XDR_time(buf, n);
}
ValPtr NFS_Interp::ExtractInterval(const u_char*& buf, int& n)
double NFS_Interp::ExtractInterval(const u_char*& buf, int& n)
{
return make_intrusive<IntervalVal>(double(extract_XDR_uint32(buf, n)), 1.0);
return double(extract_XDR_uint32(buf, n));
}
ValPtr NFS_Interp::ExtractBool(const u_char*& buf, int& n)
bool NFS_Interp::ExtractBool(const u_char*& buf, int& n)
{
return val_mgr->Bool(extract_XDR_uint32(buf, n));
return extract_XDR_uint32(buf, n);
}
} // namespace detail

10
src/analyzer/protocol/rpc/NFS.h
View file

@ -73,11 +73,11 @@ protected:
// * size is the amount of bytes read (or requested to be written),
StringValPtr nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size);
ValPtr ExtractUint32(const u_char*& buf, int& n);
ValPtr ExtractUint64(const u_char*& buf, int& n);
ValPtr ExtractTime(const u_char*& buf, int& n);
ValPtr ExtractInterval(const u_char*& buf, int& n);
ValPtr ExtractBool(const u_char*& buf, int& n);
uint32_t ExtractUint32(const u_char*& buf, int& n);
uint64_t ExtractUint64(const u_char*& buf, int& n);
double ExtractTime(const u_char*& buf, int& n);
double ExtractInterval(const u_char*& buf, int& n);
bool ExtractBool(const u_char*& buf, int& n);
};
} // namespace detail

22
src/analyzer/protocol/rpc/Portmap.cc
View file

@ -126,8 +126,8 @@ bool PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status statu
return false;
RecordVal* rv = c->RequestVal()->AsRecordVal();
const auto& is_tcp = rv->GetField(2);
reply = val_mgr->Port(CheckPort(port), is_tcp->IsOne() ?
auto is_tcp = rv->GetFieldAs<BoolVal>(2);
reply = val_mgr->Port(CheckPort(port), is_tcp ?
TRANSPORT_TCP : TRANSPORT_UDP);
event = pm_request_getport;
}
@ -195,8 +195,8 @@ ValPtr PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
static auto pm_mapping = id::find_type<RecordType>("pm_mapping");
auto mapping = make_intrusive<RecordVal>(pm_mapping);
mapping->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
mapping->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));
mapping->Assign(0, extract_XDR_uint32(buf, len));
mapping->Assign(1, extract_XDR_uint32(buf, len));
bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
uint32_t port = extract_XDR_uint32(buf, len);
@ -213,11 +213,11 @@ ValPtr PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len)
static auto pm_port_request = id::find_type<RecordType>("pm_port_request");
auto pr = make_intrusive<RecordVal>(pm_port_request);
pr->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
pr->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));
pr->Assign(0, extract_XDR_uint32(buf, len));
pr->Assign(1, extract_XDR_uint32(buf, len));
bool is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
pr->Assign(2, val_mgr->Bool(is_tcp));
pr->Assign(2, is_tcp);
(void) extract_XDR_uint32(buf, len); // consume the bogus port
if ( ! buf )
@ -231,13 +231,13 @@ ValPtr PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len)
static auto pm_callit_request = id::find_type<RecordType>("pm_callit_request");
auto c = make_intrusive<RecordVal>(pm_callit_request);
c->Assign(0, val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(1, val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(2, val_mgr->Count(extract_XDR_uint32(buf, len)));
c->Assign(0, extract_XDR_uint32(buf, len));
c->Assign(1, extract_XDR_uint32(buf, len));
c->Assign(2, extract_XDR_uint32(buf, len));
int arg_n;
(void) extract_XDR_opaque(buf, len, arg_n);
c->Assign(3, val_mgr->Count(arg_n));
c->Assign(3, arg_n);
if ( ! buf )
return nullptr;

14
src/analyzer/protocol/smb/smb-time.pac
View file

@ -1,21 +1,20 @@
%header{
zeek::ValPtr filetime2zeektime(uint64_t ts);
zeek::ValPtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz);
double filetime2zeektime(uint64_t ts);
double time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz);
zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,
uint64_t create, uint64_t change);
%}
%code{
zeek::ValPtr filetime2zeektime(uint64_t ts)
double filetime2zeektime(uint64_t ts)
{
// Zeek can't support times back to the 1600's
// so we subtract a lot of seconds.
double secs = (ts / 10000000.0L) - 11644473600.0L;
return zeek::make_intrusive<zeek::TimeVal>(secs);
return (ts / 10000000.0L) - 11644473600.0L;
}
zeek::ValPtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz)
double time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz)
{
tm lTime;
lTime.tm_sec = ${t.two_seconds} * 2;
@ -25,8 +24,7 @@ zeek::ValPtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz)
lTime.tm_mon = ${d.month};
lTime.tm_year = 1980 + ${d.year};
lTime.tm_isdst = -1;
double lResult = mktime(&lTime);
return zeek::make_intrusive<zeek::TimeVal>(lResult + tz);
return mktime(&lTime) + tz;
}
zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,

80
src/analyzer/protocol/smb/smb1-com-negotiate.pac
View file

@ -42,7 +42,7 @@ refine connection SMB_Conn += {
case 0x01:
{
auto core = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseCore);
core->Assign(0, zeek::val_mgr->Count(${val.dialect_index}));
core->Assign(0, ${val.dialect_index});
response->Assign(0, std::move(core));
}
@ -51,23 +51,23 @@ refine connection SMB_Conn += {
case 0x0d:
{
auto security = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseSecurity);
security->Assign(0, zeek::val_mgr->Bool(${val.lanman.security_user_level}));
security->Assign(1, zeek::val_mgr->Bool(${val.lanman.security_challenge_response}));
security->Assign(0, ${val.lanman.security_user_level});
security->Assign(1, ${val.lanman.security_challenge_response});
auto raw = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateRawMode);
raw->Assign(0, zeek::val_mgr->Bool(${val.lanman.raw_read_supported}));
raw->Assign(1, zeek::val_mgr->Bool(${val.lanman.raw_write_supported}));
raw->Assign(0, ${val.lanman.raw_read_supported});
raw->Assign(1, ${val.lanman.raw_write_supported});
auto lanman = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseLANMAN);
lanman->Assign(0, zeek::val_mgr->Count(${val.word_count}));
lanman->Assign(1, zeek::val_mgr->Count(${val.dialect_index}));
lanman->Assign(0, ${val.word_count});
lanman->Assign(1, ${val.dialect_index});
lanman->Assign(2, std::move(security));
lanman->Assign(3, zeek::val_mgr->Count(${val.lanman.max_buffer_size}));
lanman->Assign(4, zeek::val_mgr->Count(${val.lanman.max_mpx_count}));
lanman->Assign(3, ${val.lanman.max_buffer_size});
lanman->Assign(4, ${val.lanman.max_mpx_count});
lanman->Assign(5, zeek::val_mgr->Count(${val.lanman.max_number_vcs}));
lanman->Assign(5, ${val.lanman.max_number_vcs});
lanman->Assign(6, std::move(raw));
lanman->Assign(7, zeek::val_mgr->Count(${val.lanman.session_key}));
lanman->Assign(7, ${val.lanman.session_key});
lanman->Assign(8, time_from_lanman(${val.lanman.server_time}, ${val.lanman.server_date}, ${val.lanman.server_tz}));
lanman->Assign(9, to_stringval(${val.lanman.encryption_key}));
@ -80,44 +80,44 @@ refine connection SMB_Conn += {
case 0x11:
{
auto security = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseSecurity);
security->Assign(0, zeek::val_mgr->Bool(${val.ntlm.security_user_level}));
security->Assign(1, zeek::val_mgr->Bool(${val.ntlm.security_challenge_response}));
security->Assign(2, zeek::val_mgr->Bool(${val.ntlm.security_signatures_enabled}));
security->Assign(3, zeek::val_mgr->Bool(${val.ntlm.security_signatures_required}));
security->Assign(0, ${val.ntlm.security_user_level});
security->Assign(1, ${val.ntlm.security_challenge_response});
security->Assign(2, ${val.ntlm.security_signatures_enabled});
security->Assign(3, ${val.ntlm.security_signatures_required});
auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateCapabilities);
capabilities->Assign(0, zeek::val_mgr->Bool(${val.ntlm.capabilities_raw_mode}));
capabilities->Assign(1, zeek::val_mgr->Bool(${val.ntlm.capabilities_mpx_mode}));
capabilities->Assign(2, zeek::val_mgr->Bool(${val.ntlm.capabilities_unicode}));
capabilities->Assign(3, zeek::val_mgr->Bool(${val.ntlm.capabilities_large_files}));
capabilities->Assign(4, zeek::val_mgr->Bool(${val.ntlm.capabilities_nt_smbs}));
capabilities->Assign(0, ${val.ntlm.capabilities_raw_mode});
capabilities->Assign(1, ${val.ntlm.capabilities_mpx_mode});
capabilities->Assign(2, ${val.ntlm.capabilities_unicode});
capabilities->Assign(3, ${val.ntlm.capabilities_large_files});
capabilities->Assign(4, ${val.ntlm.capabilities_nt_smbs});
capabilities->Assign(5, zeek::val_mgr->Bool(${val.ntlm.capabilities_rpc_remote_apis}));
capabilities->Assign(6, zeek::val_mgr->Bool(${val.ntlm.capabilities_status32}));
capabilities->Assign(7, zeek::val_mgr->Bool(${val.ntlm.capabilities_level_2_oplocks}));
capabilities->Assign(8, zeek::val_mgr->Bool(${val.ntlm.capabilities_lock_and_read}));
capabilities->Assign(9, zeek::val_mgr->Bool(${val.ntlm.capabilities_nt_find}));
capabilities->Assign(5, ${val.ntlm.capabilities_rpc_remote_apis});
capabilities->Assign(6, ${val.ntlm.capabilities_status32});
capabilities->Assign(7, ${val.ntlm.capabilities_level_2_oplocks});
capabilities->Assign(8, ${val.ntlm.capabilities_lock_and_read});
capabilities->Assign(9, ${val.ntlm.capabilities_nt_find});
capabilities->Assign(10, zeek::val_mgr->Bool(${val.ntlm.capabilities_dfs}));
capabilities->Assign(11, zeek::val_mgr->Bool(${val.ntlm.capabilities_infolevel_passthru}));
capabilities->Assign(12, zeek::val_mgr->Bool(${val.ntlm.capabilities_large_readx}));
capabilities->Assign(13, zeek::val_mgr->Bool(${val.ntlm.capabilities_large_writex}));
capabilities->Assign(14, zeek::val_mgr->Bool(${val.ntlm.capabilities_unix}));
capabilities->Assign(10, ${val.ntlm.capabilities_dfs});
capabilities->Assign(11, ${val.ntlm.capabilities_infolevel_passthru});
capabilities->Assign(12, ${val.ntlm.capabilities_large_readx});
capabilities->Assign(13, ${val.ntlm.capabilities_large_writex});
capabilities->Assign(14, ${val.ntlm.capabilities_unix});
capabilities->Assign(15, zeek::val_mgr->Bool(${val.ntlm.capabilities_bulk_transfer}));
capabilities->Assign(16, zeek::val_mgr->Bool(${val.ntlm.capabilities_compressed_data}));
capabilities->Assign(17, zeek::val_mgr->Bool(${val.ntlm.capabilities_extended_security}));
capabilities->Assign(15, ${val.ntlm.capabilities_bulk_transfer});
capabilities->Assign(16, ${val.ntlm.capabilities_compressed_data});
capabilities->Assign(17, ${val.ntlm.capabilities_extended_security});
auto ntlm = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::NegotiateResponseNTLM);
ntlm->Assign(0, zeek::val_mgr->Count(${val.word_count}));
ntlm->Assign(1, zeek::val_mgr->Count(${val.dialect_index}));
ntlm->Assign(0, ${val.word_count});
ntlm->Assign(1, ${val.dialect_index});
ntlm->Assign(2, std::move(security));
ntlm->Assign(3, zeek::val_mgr->Count(${val.ntlm.max_buffer_size}));
ntlm->Assign(4, zeek::val_mgr->Count(${val.ntlm.max_mpx_count}));
ntlm->Assign(3, ${val.ntlm.max_buffer_size});
ntlm->Assign(4, ${val.ntlm.max_mpx_count});
ntlm->Assign(5, zeek::val_mgr->Count(${val.ntlm.max_number_vcs}));
ntlm->Assign(6, zeek::val_mgr->Count(${val.ntlm.max_raw_size}));
ntlm->Assign(7, zeek::val_mgr->Count(${val.ntlm.session_key}));
ntlm->Assign(5, ${val.ntlm.max_number_vcs});
ntlm->Assign(6, ${val.ntlm.max_raw_size});
ntlm->Assign(7, ${val.ntlm.session_key});
ntlm->Assign(8, std::move(capabilities));
ntlm->Assign(9, filetime2zeektime(${val.ntlm.server_time}));

56
src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
View file

@ -14,13 +14,13 @@ refine connection SMB_Conn += {
{
auto request = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXRequest);
request->Assign(0, zeek::val_mgr->Count(${val.word_count}));
request->Assign(0, ${val.word_count});
switch ( ${val.word_count} ) {
case 10: // pre NT LM 0.12
request->Assign(1, zeek::val_mgr->Count(${val.lanman.max_buffer_size}));
request->Assign(2, zeek::val_mgr->Count(${val.lanman.max_mpx_count}));
request->Assign(3, zeek::val_mgr->Count(${val.lanman.vc_number}));
request->Assign(4, zeek::val_mgr->Count(${val.lanman.session_key}));
request->Assign(1, ${val.lanman.max_buffer_size});
request->Assign(2, ${val.lanman.max_mpx_count});
request->Assign(3, ${val.lanman.vc_number});
request->Assign(4, ${val.lanman.session_key});
request->Assign(5, smb_string2stringval(${val.lanman.native_os}));
request->Assign(6, smb_string2stringval(${val.lanman.native_lanman}));
@ -32,17 +32,17 @@ refine connection SMB_Conn += {
case 12: // NT LM 0.12 with extended security
{
auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXCapabilities);
capabilities->Assign(0, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.unicode}));
capabilities->Assign(1, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.large_files}));
capabilities->Assign(2, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.nt_smbs}));
capabilities->Assign(3, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.status32}));
capabilities->Assign(4, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.level_2_oplocks}));
capabilities->Assign(5, zeek::val_mgr->Bool(${val.ntlm_extended_security.capabilities.nt_find}));
capabilities->Assign(0, ${val.ntlm_extended_security.capabilities.unicode});
capabilities->Assign(1, ${val.ntlm_extended_security.capabilities.large_files});
capabilities->Assign(2, ${val.ntlm_extended_security.capabilities.nt_smbs});
capabilities->Assign(3, ${val.ntlm_extended_security.capabilities.status32});
capabilities->Assign(4, ${val.ntlm_extended_security.capabilities.level_2_oplocks});
capabilities->Assign(5, ${val.ntlm_extended_security.capabilities.nt_find});
request->Assign(1, zeek::val_mgr->Count(${val.ntlm_extended_security.max_buffer_size}));
request->Assign(2, zeek::val_mgr->Count(${val.ntlm_extended_security.max_mpx_count}));
request->Assign(3, zeek::val_mgr->Count(${val.ntlm_extended_security.vc_number}));
request->Assign(4, zeek::val_mgr->Count(${val.ntlm_extended_security.session_key}));
request->Assign(1, ${val.ntlm_extended_security.max_buffer_size});
request->Assign(2, ${val.ntlm_extended_security.max_mpx_count});
request->Assign(3, ${val.ntlm_extended_security.vc_number});
request->Assign(4, ${val.ntlm_extended_security.session_key});
request->Assign(5, smb_string2stringval(${val.ntlm_extended_security.native_os}));
request->Assign(6, smb_string2stringval(${val.ntlm_extended_security.native_lanman}));
@ -54,17 +54,17 @@ refine connection SMB_Conn += {
case 13: // NT LM 0.12 without extended security
{
auto capabilities = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXCapabilities);
capabilities->Assign(0, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.unicode}));
capabilities->Assign(1, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.large_files}));
capabilities->Assign(2, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.nt_smbs}));
capabilities->Assign(3, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.status32}));
capabilities->Assign(4, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.level_2_oplocks}));
capabilities->Assign(5, zeek::val_mgr->Bool(${val.ntlm_nonextended_security.capabilities.nt_find}));
capabilities->Assign(0, ${val.ntlm_nonextended_security.capabilities.unicode});
capabilities->Assign(1, ${val.ntlm_nonextended_security.capabilities.large_files});
capabilities->Assign(2, ${val.ntlm_nonextended_security.capabilities.nt_smbs});
capabilities->Assign(3, ${val.ntlm_nonextended_security.capabilities.status32});
capabilities->Assign(4, ${val.ntlm_nonextended_security.capabilities.level_2_oplocks});
capabilities->Assign(5, ${val.ntlm_nonextended_security.capabilities.nt_find});
request->Assign(1, zeek::val_mgr->Count(${val.ntlm_nonextended_security.max_buffer_size}));
request->Assign(2, zeek::val_mgr->Count(${val.ntlm_nonextended_security.max_mpx_count}));
request->Assign(3, zeek::val_mgr->Count(${val.ntlm_nonextended_security.vc_number}));
request->Assign(4, zeek::val_mgr->Count(${val.ntlm_nonextended_security.session_key}));
request->Assign(1, ${val.ntlm_nonextended_security.max_buffer_size});
request->Assign(2, ${val.ntlm_nonextended_security.max_mpx_count});
request->Assign(3, ${val.ntlm_nonextended_security.vc_number});
request->Assign(4, ${val.ntlm_nonextended_security.session_key});
request->Assign(5, smb_string2stringval(${val.ntlm_nonextended_security.native_os}));
request->Assign(6, smb_string2stringval(${val.ntlm_nonextended_security.native_lanman}));
@ -91,18 +91,18 @@ refine connection SMB_Conn += {
if ( smb1_session_setup_andx_response )
{
auto response = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::SessionSetupAndXResponse);
response->Assign(0, zeek::val_mgr->Count(${val.word_count}));
response->Assign(0, ${val.word_count});
switch ( ${val.word_count} )
{
case 3: // pre NT LM 0.12
response->Assign(1, zeek::val_mgr->Bool(${val.lanman.is_guest}));
response->Assign(1, ${val.lanman.is_guest});
response->Assign(2, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_os[0]}));
response->Assign(3, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.native_lanman[0]}));
response->Assign(4, ${val.lanman.byte_count} == 0 ? zeek::val_mgr->EmptyString() : smb_string2stringval(${val.lanman.primary_domain[0]}));
break;
case 4: // NT LM 0.12
response->Assign(1, zeek::val_mgr->Bool(${val.ntlm.is_guest}));
response->Assign(1, ${val.ntlm.is_guest});
response->Assign(2, smb_string2stringval(${val.ntlm.native_os}));
response->Assign(3, smb_string2stringval(${val.ntlm.native_lanman}));
//response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain}));

16
src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
View file

@ -6,14 +6,14 @@ refine connection SMB_Conn += {
return false;
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans_Sec_Args);
args->Assign(0, zeek::val_mgr->Count(${val.total_param_count}));
args->Assign(1, zeek::val_mgr->Count(${val.total_data_count}));
args->Assign(2, zeek::val_mgr->Count(${val.param_count}));
args->Assign(3, zeek::val_mgr->Count(${val.param_offset}));
args->Assign(4, zeek::val_mgr->Count(${val.param_displacement}));
args->Assign(5, zeek::val_mgr->Count(${val.data_count}));
args->Assign(6, zeek::val_mgr->Count(${val.data_offset}));
args->Assign(7, zeek::val_mgr->Count(${val.data_displacement}));
args->Assign(0, ${val.total_param_count});
args->Assign(1, ${val.total_data_count});
args->Assign(2, ${val.param_count});
args->Assign(3, ${val.param_offset});
args->Assign(4, ${val.param_displacement});
args->Assign(5, ${val.data_count});
args->Assign(6, ${val.data_offset});
args->Assign(7, ${val.data_displacement});
auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(),
(const char*)${val.parameters}.data());

18
src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
View file

@ -6,15 +6,15 @@ refine connection SMB_Conn += {
return false;
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans2_Sec_Args);
args->Assign(0, zeek::val_mgr->Count(${val.total_param_count}));
args->Assign(1, zeek::val_mgr->Count(${val.total_data_count}));
args->Assign(2, zeek::val_mgr->Count(${val.param_count}));
args->Assign(3, zeek::val_mgr->Count(${val.param_offset}));
args->Assign(4, zeek::val_mgr->Count(${val.param_displacement}));
args->Assign(5, zeek::val_mgr->Count(${val.data_count}));
args->Assign(6, zeek::val_mgr->Count(${val.data_offset}));
args->Assign(7, zeek::val_mgr->Count(${val.data_displacement}));
args->Assign(8, zeek::val_mgr->Count(${val.FID}));
args->Assign(0, ${val.total_param_count});
args->Assign(1, ${val.total_data_count});
args->Assign(2, ${val.param_count});
args->Assign(3, ${val.param_offset});
args->Assign(4, ${val.param_displacement});
args->Assign(5, ${val.data_count});
args->Assign(6, ${val.data_offset});
args->Assign(7, ${val.data_displacement});
args->Assign(8, ${val.FID});
auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(), (const char*)${val.parameters}.data());
auto payload = zeek::make_intrusive<zeek::StringVal>(${val.data}.length(), (const char*)${val.data}.data());

34
src/analyzer/protocol/smb/smb1-com-transaction2.pac
View file

@ -25,18 +25,18 @@ refine connection SMB_Conn += {
if ( smb1_transaction2_request )
{
auto args = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Trans2_Args);
args->Assign(0, zeek::val_mgr->Count(${val.total_param_count}));
args->Assign(1, zeek::val_mgr->Count(${val.total_data_count}));
args->Assign(2, zeek::val_mgr->Count(${val.max_param_count}));
args->Assign(3, zeek::val_mgr->Count(${val.max_data_count}));
args->Assign(4, zeek::val_mgr->Count(${val.max_setup_count}));
args->Assign(5, zeek::val_mgr->Count(${val.flags}));
args->Assign(6, zeek::val_mgr->Count(${val.timeout}));
args->Assign(7, zeek::val_mgr->Count(${val.param_count}));
args->Assign(8, zeek::val_mgr->Count(${val.param_offset}));
args->Assign(9, zeek::val_mgr->Count(${val.data_count}));
args->Assign(10, zeek::val_mgr->Count(${val.data_offset}));
args->Assign(11, zeek::val_mgr->Count(${val.setup_count}));
args->Assign(0, ${val.total_param_count});
args->Assign(1, ${val.total_data_count});
args->Assign(2, ${val.max_param_count});
args->Assign(3, ${val.max_data_count});
args->Assign(4, ${val.max_setup_count});
args->Assign(5, ${val.flags});
args->Assign(6, ${val.timeout});
args->Assign(7, ${val.param_count});
args->Assign(8, ${val.param_offset});
args->Assign(9, ${val.data_count});
args->Assign(10, ${val.data_offset});
args->Assign(11, ${val.setup_count});
zeek::BifEvent::enqueue_smb1_transaction2_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
@ -132,11 +132,11 @@ refine connection SMB_Conn += {
if ( smb1_trans2_find_first2_request )
{
auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB1::Find_First2_Request_Args);
result->Assign(0, zeek::val_mgr->Count(${val.search_attrs}));
result->Assign(1, zeek::val_mgr->Count(${val.search_count}));
result->Assign(2, zeek::val_mgr->Count(${val.flags}));
result->Assign(3, zeek::val_mgr->Count(${val.info_level}));
result->Assign(4, zeek::val_mgr->Count(${val.search_storage_type}));
result->Assign(0, ${val.search_attrs});
result->Assign(1, ${val.search_count});
result->Assign(2, ${val.flags});
result->Assign(3, ${val.info_level});
result->Assign(4, ${val.search_storage_type});
result->Assign(5, smb_string2stringval(${val.file_name}));
zeek::BifEvent::enqueue_smb1_trans2_find_first2_request(zeek_analyzer(),
zeek_analyzer()->Conn(),

16
src/analyzer/protocol/smb/smb1-protocol.pac
View file

@ -25,14 +25,14 @@
// { // do nothing
// }
r->Assign(0, zeek::val_mgr->Count(${hdr.command}));
r->Assign(1, zeek::val_mgr->Count(${hdr.status}));
r->Assign(2, zeek::val_mgr->Count(${hdr.flags}));
r->Assign(3, zeek::val_mgr->Count(${hdr.flags2}));
r->Assign(4, zeek::val_mgr->Count(${hdr.tid}));
r->Assign(5, zeek::val_mgr->Count(${hdr.pid}));
r->Assign(6, zeek::val_mgr->Count(${hdr.uid}));
r->Assign(7, zeek::val_mgr->Count(${hdr.mid}));
r->Assign(0, ${hdr.command});
r->Assign(1, ${hdr.status});
r->Assign(2, ${hdr.flags});
r->Assign(3, ${hdr.flags2});
r->Assign(4, ${hdr.tid});
r->Assign(5, ${hdr.pid});
r->Assign(6, ${hdr.uid});
r->Assign(7, ${hdr.mid});
return r;
}

4
src/analyzer/protocol/smb/smb2-com-close.pac
View file

@ -22,8 +22,8 @@ refine connection SMB_Conn += {
{
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CloseResponse);
resp->Assign(0, zeek::val_mgr->Count(${val.alloc_size}));
resp->Assign(1, zeek::val_mgr->Count(${val.eof}));
resp->Assign(0, ${val.alloc_size});
resp->Assign(1, ${val.eof});
resp->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time},
${val.creation_time},

8
src/analyzer/protocol/smb/smb2-com-create.pac
View file

@ -18,8 +18,8 @@ refine connection SMB_Conn += {
{
auto requestinfo = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CreateRequest);
requestinfo->Assign(0, std::move(filename));
requestinfo->Assign(1, zeek::val_mgr->Count(${val.disposition}));
requestinfo->Assign(2, zeek::val_mgr->Count(${val.create_options}));
requestinfo->Assign(1, ${val.disposition});
requestinfo->Assign(2, ${val.create_options});
zeek::BifEvent::enqueue_smb2_create_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h),
@ -35,13 +35,13 @@ refine connection SMB_Conn += {
{
auto responseinfo = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CreateResponse);
responseinfo->Assign(0, BuildSMB2GUID(${val.file_id}));
responseinfo->Assign(1, zeek::val_mgr->Count(${val.eof}));
responseinfo->Assign(1, ${val.eof});
responseinfo->Assign(2, SMB_BuildMACTimes(${val.last_write_time},
${val.last_access_time},
${val.creation_time},
${val.change_time}));
responseinfo->Assign(3, smb2_file_attrs_to_zeek(${val.file_attrs}));
responseinfo->Assign(4, zeek::val_mgr->Count(${val.create_action}));
responseinfo->Assign(4, ${val.create_action});
zeek::BifEvent::enqueue_smb2_create_response(zeek_analyzer(),
zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h),

6
src/analyzer/protocol/smb/smb2-com-negotiate.pac
View file

@ -41,12 +41,12 @@ refine connection SMB_Conn += {
{
auto nr = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::NegotiateResponse);
nr->Assign(0, zeek::val_mgr->Count(${val.dialect_revision}));
nr->Assign(1, zeek::val_mgr->Count(${val.security_mode}));
nr->Assign(0, ${val.dialect_revision});
nr->Assign(1, ${val.security_mode});
nr->Assign(2, BuildSMB2GUID(${val.server_guid}));
nr->Assign(3, filetime2zeektime(${val.system_time}));
nr->Assign(4, filetime2zeektime(${val.server_start_time}));
nr->Assign(5, zeek::val_mgr->Count(${val.negotiate_context_count}));
nr->Assign(5, ${val.negotiate_context_count});
auto cv = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::SMB2::NegotiateContextValues);

8
src/analyzer/protocol/smb/smb2-com-session-setup.pac
View file

@ -5,7 +5,7 @@ refine connection SMB_Conn += {
if ( smb2_session_setup_request )
{
auto req = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupRequest);
req->Assign(0, zeek::val_mgr->Count(${val.security_mode}));
req->Assign(0, ${val.security_mode});
zeek::BifEvent::enqueue_smb2_session_setup_request(zeek_analyzer(),
zeek_analyzer()->Conn(),
@ -21,9 +21,9 @@ refine connection SMB_Conn += {
if ( smb2_session_setup_response )
{
auto flags = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupFlags);
flags->Assign(0, zeek::val_mgr->Bool(${val.flag_guest}));
flags->Assign(1, zeek::val_mgr->Bool(${val.flag_anonymous}));
flags->Assign(2, zeek::val_mgr->Bool(${val.flag_encrypt}));
flags->Assign(0, ${val.flag_guest});
flags->Assign(1, ${val.flag_anonymous});
flags->Assign(2, ${val.flag_encrypt});
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupResponse);
resp->Assign(0, std::move(flags));

12
src/analyzer/protocol/smb/smb2-com-set-info.pac
View file

@ -193,12 +193,12 @@ refine connection SMB_Conn += {
if ( smb2_file_fscontrol )
{
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Fscontrol);
r->Assign(0, zeek::val_mgr->Int(${val.free_space_start_filtering}));
r->Assign(1, zeek::val_mgr->Int(${val.free_space_start_threshold}));
r->Assign(2, zeek::val_mgr->Int(${val.free_space_stop_filtering}));
r->Assign(3, zeek::val_mgr->Count(${val.default_quota_threshold}));
r->Assign(4, zeek::val_mgr->Count(${val.default_quota_limit}));
r->Assign(5, zeek::val_mgr->Count(${val.file_system_control_flags}));
r->Assign(0, static_cast<int>(${val.free_space_start_filtering}));
r->Assign(1, static_cast<int>(${val.free_space_start_threshold}));
r->Assign(2, static_cast<int>(${val.free_space_stop_filtering}));
r->Assign(3, ${val.default_quota_threshold});
r->Assign(4, ${val.default_quota_limit});
r->Assign(5, ${val.file_system_control_flags});
zeek::BifEvent::enqueue_smb2_file_fscontrol(zeek_analyzer(),
zeek_analyzer()->Conn(),

6
src/analyzer/protocol/smb/smb2-com-transform-header.pac
View file

@ -7,9 +7,9 @@ refine connection SMB_Conn += {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Transform_header);
r->Assign(0, to_stringval(${hdr.signature}));
r->Assign(1, to_stringval(${hdr.nonce}));
r->Assign(2, zeek::val_mgr->Count(${hdr.orig_msg_size}));
r->Assign(3, zeek::val_mgr->Count(${hdr.flags}));
r->Assign(4, zeek::val_mgr->Count(${hdr.session_id}));
r->Assign(2, ${hdr.orig_msg_size});
r->Assign(3, ${hdr.flags});
r->Assign(4, ${hdr.session_id});
zeek::BifEvent::enqueue_smb2_transform_header(zeek_analyzer(),
zeek_analyzer()->Conn(),

2
src/analyzer/protocol/smb/smb2-com-tree-connect.pac
View file

@ -19,7 +19,7 @@ refine connection SMB_Conn += {
if ( smb2_tree_connect_response )
{
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::TreeConnectResponse);
resp->Assign(0, zeek::val_mgr->Count(${val.share_type}));
resp->Assign(0, ${val.share_type});
zeek::BifEvent::enqueue_smb2_tree_connect_response(zeek_analyzer(),
zeek_analyzer()->Conn(),

64
src/analyzer/protocol/smb/smb2-protocol.pac
View file

@ -12,15 +12,15 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv);
zeek::RecordValPtr BuildSMB2HeaderVal(SMB2_Header* hdr)
{
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::Header);
r->Assign(0, zeek::val_mgr->Count(${hdr.credit_charge}));
r->Assign(1, zeek::val_mgr->Count(${hdr.status}));
r->Assign(2, zeek::val_mgr->Count(${hdr.command}));
r->Assign(3, zeek::val_mgr->Count(${hdr.credits}));
r->Assign(4, zeek::val_mgr->Count(${hdr.flags}));
r->Assign(5, zeek::val_mgr->Count(${hdr.message_id}));
r->Assign(6, zeek::val_mgr->Count(${hdr.process_id}));
r->Assign(7, zeek::val_mgr->Count(${hdr.tree_id}));
r->Assign(8, zeek::val_mgr->Count(${hdr.session_id}));
r->Assign(0, ${hdr.credit_charge});
r->Assign(1, ${hdr.status});
r->Assign(2, ${hdr.command});
r->Assign(3, ${hdr.credits});
r->Assign(4, ${hdr.flags});
r->Assign(5, ${hdr.message_id});
r->Assign(6, ${hdr.process_id});
r->Assign(7, ${hdr.tree_id});
r->Assign(8, ${hdr.session_id});
r->Assign(9, to_stringval(${hdr.signature}));
return r;
}
@ -28,29 +28,29 @@ zeek::RecordValPtr BuildSMB2HeaderVal(SMB2_Header* hdr)
zeek::RecordValPtr BuildSMB2GUID(SMB2_guid* file_id)
{
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::GUID);
r->Assign(0, zeek::val_mgr->Count(${file_id.persistent}));
r->Assign(1, zeek::val_mgr->Count(${file_id._volatile}));
r->Assign(0, ${file_id.persistent});
r->Assign(1, ${file_id._volatile});
return r;
}
zeek::RecordValPtr smb2_file_attrs_to_zeek(SMB2_file_attributes* val)
{
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::FileAttrs);
r->Assign(0, zeek::val_mgr->Bool(${val.read_only}));
r->Assign(1, zeek::val_mgr->Bool(${val.hidden}));
r->Assign(2, zeek::val_mgr->Bool(${val.system}));
r->Assign(3, zeek::val_mgr->Bool(${val.directory}));
r->Assign(4, zeek::val_mgr->Bool(${val.archive}));
r->Assign(5, zeek::val_mgr->Bool(${val.normal}));
r->Assign(6, zeek::val_mgr->Bool(${val.temporary}));
r->Assign(7, zeek::val_mgr->Bool(${val.sparse_file}));
r->Assign(8, zeek::val_mgr->Bool(${val.reparse_point}));
r->Assign(9, zeek::val_mgr->Bool(${val.compressed}));
r->Assign(10, zeek::val_mgr->Bool(${val.offline}));
r->Assign(11, zeek::val_mgr->Bool(${val.not_content_indexed}));
r->Assign(12, zeek::val_mgr->Bool(${val.encrypted}));
r->Assign(13, zeek::val_mgr->Bool(${val.integrity_stream}));
r->Assign(14, zeek::val_mgr->Bool(${val.no_scrub_data}));
r->Assign(0, ${val.read_only});
r->Assign(1, ${val.hidden});
r->Assign(2, ${val.system});
r->Assign(3, ${val.directory});
r->Assign(4, ${val.archive});
r->Assign(5, ${val.normal});
r->Assign(6, ${val.temporary});
r->Assign(7, ${val.sparse_file});
r->Assign(8, ${val.reparse_point});
r->Assign(9, ${val.compressed});
r->Assign(10, ${val.offline});
r->Assign(11, ${val.not_content_indexed});
r->Assign(12, ${val.encrypted});
r->Assign(13, ${val.integrity_stream});
r->Assign(14, ${val.no_scrub_data});
return r;
}
@ -58,15 +58,15 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv)
{
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::NegotiateContextValue);
r->Assign(0, zeek::val_mgr->Count(${ncv.context_type}));
r->Assign(1, zeek::val_mgr->Count(${ncv.data_length}));
r->Assign(0, ${ncv.context_type});
r->Assign(1, ${ncv.data_length});
switch ( ${ncv.context_type} ) {
case SMB2_PREAUTH_INTEGRITY_CAPABILITIES:
{
auto rpreauth = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::PreAuthIntegrityCapabilities);
rpreauth->Assign(0, zeek::val_mgr->Count(${ncv.preauth_integrity_capabilities.hash_alg_count}));
rpreauth->Assign(1, zeek::val_mgr->Count(${ncv.preauth_integrity_capabilities.salt_length}));
rpreauth->Assign(0, ${ncv.preauth_integrity_capabilities.hash_alg_count});
rpreauth->Assign(1, ${ncv.preauth_integrity_capabilities.salt_length});
auto ha = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
@ -85,7 +85,7 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv)
case SMB2_ENCRYPTION_CAPABILITIES:
{
auto rencr = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::EncryptionCapabilities);
rencr->Assign(0, zeek::val_mgr->Count(${ncv.encryption_capabilities.cipher_count}));
rencr->Assign(0, ${ncv.encryption_capabilities.cipher_count});
auto c = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
@ -103,7 +103,7 @@ zeek::RecordValPtr BuildSMB2ContextVal(SMB3_negotiate_context_value* ncv)
case SMB2_COMPRESSION_CAPABILITIES:
{
auto rcomp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::CompressionCapabilities);
rcomp->Assign(0, zeek::val_mgr->Count(${ncv.compression_capabilities.alg_count}));
rcomp->Assign(0, ${ncv.compression_capabilities.alg_count});
auto c = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);

12
src/analyzer/protocol/snmp/snmp-analyzer.pac
View file

@ -47,7 +47,7 @@ zeek::ValPtr asn1_obj_to_val(const ASN1Encoding* obj)
zeek::RecordValPtr rval = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SNMP::ObjectValue);
uint8 tag = obj->meta()->tag();
rval->Assign(0, zeek::val_mgr->Count(tag));
rval->Assign(0, tag);
switch ( tag ) {
case VARBIND_UNSPECIFIED_TAG:
@ -93,7 +93,7 @@ zeek::ValPtr time_ticks_to_val(const TimeTicks* tt)
zeek::RecordValPtr build_hdr(const Header* header)
{
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SNMP::Header);
rv->Assign(0, zeek::val_mgr->Count(header->version()));
rv->Assign(0, static_cast<uint64_t>(header->version()));
switch ( header->version() ) {
case SNMPV1_TAG:
@ -132,10 +132,10 @@ zeek::RecordValPtr build_hdrV3(const Header* header)
v3->Assign(0, asn1_integer_to_val(global_data->id(), zeek::TYPE_COUNT));
v3->Assign(1, asn1_integer_to_val(global_data->max_size(), zeek::TYPE_COUNT));
v3->Assign(2, zeek::val_mgr->Count(flags_byte));
v3->Assign(3, zeek::val_mgr->Bool(flags_byte & 0x01));
v3->Assign(4, zeek::val_mgr->Bool(flags_byte & 0x02));
v3->Assign(5, zeek::val_mgr->Bool(flags_byte & 0x04));
v3->Assign(2, flags_byte);
v3->Assign(3, static_cast<bool>(flags_byte & 0x01));
v3->Assign(4, static_cast<bool>(flags_byte & 0x02));
v3->Assign(5, static_cast<bool>(flags_byte & 0x04));
v3->Assign(6, asn1_integer_to_val(global_data->security_model(), zeek::TYPE_COUNT));
v3->Assign(7, asn1_octet_string_to_val(v3hdr->security_parameters()));

2
src/analyzer/protocol/ssh/ssh-analyzer.pac
View file

@ -111,7 +111,7 @@ refine flow SSH_Flow += {
}
result->Assign(6, zeek::val_mgr->Bool(!${msg.is_orig}));
result->Assign(6, !${msg.is_orig});
zeek::BifEvent::enqueue_ssh_capabilities(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), to_stringval(${msg.cookie}),

6
src/analyzer/protocol/ssh/ssh-protocol.pac
View file

@ -456,11 +456,11 @@ refine connection SSH_Conn += {
{
for ( unsigned int j = 0; j < server_list->Size(); ++j )
{
if ( *(client_list->At(i)->AsStringVal()->AsString()) == *(server_list->At(j)->AsStringVal()->AsString()) )
if ( *(client_list->StringAt(i)) == *(server_list->StringAt(j)) )
{
kex_algorithm_.free();
kex_algorithm_.init((const uint8 *) client_list->At(i)->AsStringVal()->Bytes(),
client_list->At(i)->AsStringVal()->Len());
kex_algorithm_.init((const uint8 *) client_list->StringAt(i)->Bytes(),
client_list->StringAt(i)->Len());
// UNTESTED
if ( update_kex_state_if_equal("rsa1024-sha1", KEX_RSA) )

26
src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
View file

@ -161,8 +161,8 @@ refine connection Handshake_Conn += {
for ( unsigned int i = 0; i < supported_signature_algorithms->size(); ++i )
{
auto el = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::SignatureAndHashAlgorithm);
el->Assign(0, zeek::val_mgr->Count((*supported_signature_algorithms)[i]->HashAlgorithm()));
el->Assign(1, zeek::val_mgr->Count((*supported_signature_algorithms)[i]->SignatureAlgorithm()));
el->Assign(0, (*supported_signature_algorithms)[i]->HashAlgorithm());
el->Assign(1, (*supported_signature_algorithms)[i]->SignatureAlgorithm());
slist->Assign(i, std::move(el));
}
}
@ -345,14 +345,14 @@ refine connection Handshake_Conn += {
if ( ${kex.signed_params.uses_signature_and_hashalgorithm} )
{
ha->Assign(0, zeek::val_mgr->Count(${kex.signed_params.algorithm.HashAlgorithm}));
ha->Assign(1, zeek::val_mgr->Count(${kex.signed_params.algorithm.SignatureAlgorithm}));
ha->Assign(0, ${kex.signed_params.algorithm.HashAlgorithm});
ha->Assign(1, ${kex.signed_params.algorithm.SignatureAlgorithm});
}
else
{
// set to impossible value
ha->Assign(0, zeek::val_mgr->Count(256));
ha->Assign(1, zeek::val_mgr->Count(256));
ha->Assign(0, 256);
ha->Assign(1, 256);
}
zeek::BifEvent::enqueue_ssl_server_signature(zeek_analyzer(),
@ -414,8 +414,8 @@ refine connection Handshake_Conn += {
return true;
auto ha = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::SignatureAndHashAlgorithm);
ha->Assign(0, zeek::val_mgr->Count(digitally_signed_algorithms->HashAlgorithm()));
ha->Assign(1, zeek::val_mgr->Count(digitally_signed_algorithms->SignatureAlgorithm()));
ha->Assign(0, digitally_signed_algorithms->HashAlgorithm());
ha->Assign(1, digitally_signed_algorithms->SignatureAlgorithm());
zeek::BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(zeek_analyzer(),
zeek_analyzer()->Conn(), ${rec.is_orig},
@ -445,14 +445,14 @@ refine connection Handshake_Conn += {
if ( ${signed_params.uses_signature_and_hashalgorithm} )
{
ha->Assign(0, zeek::val_mgr->Count(${signed_params.algorithm.HashAlgorithm}));
ha->Assign(1, zeek::val_mgr->Count(${signed_params.algorithm.SignatureAlgorithm}));
ha->Assign(0, ${signed_params.algorithm.HashAlgorithm});
ha->Assign(1, ${signed_params.algorithm.SignatureAlgorithm});
}
else
{
// set to impossible value
ha->Assign(0, zeek::val_mgr->Count(256));
ha->Assign(1, zeek::val_mgr->Count(256));
ha->Assign(0, 256);
ha->Assign(1, 256);
}
zeek::BifEvent::enqueue_ssl_server_signature(zeek_analyzer(),
@ -499,7 +499,7 @@ refine connection Handshake_Conn += {
{
auto el = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SSL::PSKIdentity);
el->Assign(0, zeek::make_intrusive<zeek::StringVal>(identity->identity().length(), (const char*) identity->identity().data()));
el->Assign(1, zeek::val_mgr->Count(identity->obfuscated_ticket_age()));
el->Assign(1, identity->obfuscated_ticket_age());
slist->Assign(slist->Size(), std::move(el));
}
}

56
src/analyzer/protocol/tcp/TCP.cc
View file

@ -109,14 +109,14 @@ static RecordVal* build_syn_packet_val(bool is_orig, const IP_Hdr* ip,
static auto SYN_packet = id::find_type<RecordType>("SYN_packet");
auto* v = new RecordVal(SYN_packet);
v->Assign(0, val_mgr->Bool(is_orig));
v->Assign(1, val_mgr->Bool(int(ip->DF())));
v->Assign(2, val_mgr->Count((ip->TTL())));
v->Assign(3, val_mgr->Count((ip->TotalLen())));
v->Assign(4, val_mgr->Count(ntohs(tcp->th_win)));
v->Assign(5, val_mgr->Int(winscale));
v->Assign(6, val_mgr->Count(MSS));
v->Assign(7, val_mgr->Bool(SACK));
v->Assign(0, is_orig);
v->Assign(1, static_cast<bool>(ip->DF()));
v->Assign(2, ip->TTL());
v->Assign(3, ip->TotalLen());
v->Assign(4, ntohs(tcp->th_win));
v->Assign(5, winscale);
v->Assign(6, MSS);
v->Assign(7, static_cast<bool>(SACK));
return v;
}
@ -1099,7 +1099,7 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
{
SynWeirds(flags, endpoint, len);
RecordVal* SYN_vals = build_syn_packet_val(is_orig, ip, tp);
init_window(endpoint, peer, flags, SYN_vals->GetField(5)->CoerceToInt(),
init_window(endpoint, peer, flags, SYN_vals->GetFieldAs<IntVal>(5),
base_seq, ack_seq);
if ( connection_SYN_packet )
@ -1282,13 +1282,13 @@ void TCP_Analyzer::FlipRoles()
void TCP_Analyzer::UpdateConnVal(RecordVal *conn_val)
{
RecordVal* orig_endp_val = conn_val->GetField("orig")->AsRecordVal();
RecordVal* resp_endp_val = conn_val->GetField("resp")->AsRecordVal();
auto orig_endp_val = conn_val->GetFieldAs<RecordVal>("orig");
auto resp_endp_val = conn_val->GetFieldAs<RecordVal>("resp");
orig_endp_val->Assign(0, val_mgr->Count(orig->Size()));
orig_endp_val->Assign(1, val_mgr->Count(int(orig->state)));
resp_endp_val->Assign(0, val_mgr->Count(resp->Size()));
resp_endp_val->Assign(1, val_mgr->Count(int(resp->state)));
orig_endp_val->Assign(0, orig->Size());
orig_endp_val->Assign(1, orig->state);
resp_endp_val->Assign(0, resp->Size());
resp_endp_val->Assign(1, resp->state);
// Call children's UpdateConnVal
Analyzer::UpdateConnVal(conn_val);
@ -1369,8 +1369,8 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
auto length = kind < 2 ? 1 : o[1];
auto option_record = make_intrusive<RecordVal>(BifType::Record::TCP::Option);
option_list->Assign(option_list->Size(), option_record);
option_record->Assign(0, val_mgr->Count(kind));
option_record->Assign(1, val_mgr->Count(length));
option_record->Assign(0, kind);
option_record->Assign(1, length);
switch ( kind ) {
case 2:
@ -1378,7 +1378,7 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
if ( length == 4 )
{
auto mss = ntohs(*reinterpret_cast<const uint16_t*>(o + 2));
option_record->Assign(3, val_mgr->Count(mss));
option_record->Assign(3, mss);
}
else
{
@ -1392,7 +1392,7 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
if ( length == 3 )
{
auto scale = o[2];
option_record->Assign(4, val_mgr->Count(scale));
option_record->Assign(4, scale);
}
else
{
@ -1438,8 +1438,8 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
{
auto send = ntohl(*reinterpret_cast<const uint32_t*>(o + 2));
auto echo = ntohl(*reinterpret_cast<const uint32_t*>(o + 6));
option_record->Assign(6, val_mgr->Count(send));
option_record->Assign(7, val_mgr->Count(echo));
option_record->Assign(6, send);
option_record->Assign(7, echo);
}
else
{
@ -2076,13 +2076,13 @@ RecordVal* TCPStats_Endpoint::BuildStats()
static auto endpoint_stats = id::find_type<RecordType>("endpoint_stats");
auto* stats = new RecordVal(endpoint_stats);
stats->Assign(0, val_mgr->Count(num_pkts));
stats->Assign(1, val_mgr->Count(num_rxmit));
stats->Assign(2, val_mgr->Count(num_rxmit_bytes));
stats->Assign(3, val_mgr->Count(num_in_order));
stats->Assign(4, val_mgr->Count(num_OO));
stats->Assign(5, val_mgr->Count(num_repl));
stats->Assign(6, val_mgr->Count(endian_type));
stats->Assign(0, num_pkts);
stats->Assign(1, num_rxmit);
stats->Assign(2, num_rxmit_bytes);
stats->Assign(3, num_in_order);
stats->Assign(4, num_OO);
stats->Assign(5, num_repl);
stats->Assign(6, endian_type);
return stats;
}

10
src/analyzer/protocol/teredo/Teredo.cc
View file

@ -109,12 +109,10 @@ RecordValPtr TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const
uint8_t au_len = *((uint8_t*)(auth + 3));
uint64_t nonce = ntohll(*((uint64_t*)(auth + 4 + id_len + au_len)));
uint8_t conf = *((uint8_t*)(auth + 4 + id_len + au_len + 8));
teredo_auth->Assign(0, make_intrusive<StringVal>(
new String(auth + 4, id_len, true)));
teredo_auth->Assign(1, make_intrusive<StringVal>(
new String(auth + 4 + id_len, au_len, true)));
teredo_auth->Assign(2, val_mgr->Count(nonce));
teredo_auth->Assign(3, val_mgr->Count(conf));
teredo_auth->Assign(0, new String(auth + 4, id_len, true));
teredo_auth->Assign(1, new String(auth + 4 + id_len, au_len, true));
teredo_auth->Assign(2, nonce);
teredo_auth->Assign(3, conf);
teredo_hdr->Assign(0, std::move(teredo_auth));
}

12
src/analyzer/protocol/udp/UDP.cc
View file

@ -220,8 +220,8 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
void UDP_Analyzer::UpdateConnVal(RecordVal* conn_val)
{
RecordVal* orig_endp = conn_val->GetField("orig")->AsRecordVal();
RecordVal* resp_endp = conn_val->GetField("resp")->AsRecordVal();
auto orig_endp = conn_val->GetFieldAs<RecordVal>("orig");
auto resp_endp = conn_val->GetFieldAs<RecordVal>("resp");
UpdateEndpointVal(orig_endp, true);
UpdateEndpointVal(resp_endp, false);
@ -235,14 +235,14 @@ void UDP_Analyzer::UpdateEndpointVal(RecordVal* endp, bool is_orig)
bro_int_t size = is_orig ? request_len : reply_len;
if ( size < 0 )
{
endp->Assign(0, val_mgr->Count(0));
endp->Assign(1, val_mgr->Count(int(UDP_INACTIVE)));
endp->Assign(0, 0);
endp->Assign(1, UDP_INACTIVE);
}
else
{
endp->Assign(0, val_mgr->Count(size));
endp->Assign(1, val_mgr->Count(int(UDP_ACTIVE)));
endp->Assign(0, static_cast<uint64_t>(size));
endp->Assign(1, UDP_ACTIVE);
}
}

4
src/broker/Data.cc
View file

@ -430,7 +430,7 @@ struct val_converter {
if ( caf::get_if<broker::none>(&a[idx]) != nullptr )
{
rval->Assign(i, nullptr);
rval->Remove(i);
++idx;
continue;
}
@ -972,7 +972,7 @@ broker::expected<broker::data> val_to_data(const Val* v)
for ( auto i = 0u; i < vec->Size(); ++i )
{
const auto& item_val = vec->At(i);
auto item_val = vec->ValAt(i);
if ( ! item_val )
continue;

20
src/broker/Manager.cc
View file

@ -433,17 +433,17 @@ bool Manager::PublishEvent(string topic, RecordVal* args)
if ( peer_count == 0 )
return true;
if ( ! args->GetField(0) )
if ( ! args->HasField(0) )
return false;
auto event_name = args->GetFieldAs<StringVal>(0)->CheckString();
auto vv = args->GetField(1)->AsVectorVal();
auto vv = args->GetFieldAs<VectorVal>(1);
broker::vector xs;
xs.reserve(vv->Size());
for ( auto i = 0u; i < vv->Size(); ++i )
{
const auto& val = vv->At(i)->AsRecordVal()->GetField(0);
const auto& val = vv->RecordValAt(i)->GetField(0);
auto data_val = static_cast<detail::DataVal*>(val.get());
xs.emplace_back(data_val->data);
}
@ -784,7 +784,7 @@ RecordVal* Manager::MakeEvent(ValPList* args, zeek::detail::Frame* frame)
return rval;
}
rval->Assign(0, make_intrusive<StringVal>(func->Name()));
rval->Assign(0, func->Name());
continue;
}
@ -793,7 +793,7 @@ RecordVal* Manager::MakeEvent(ValPList* args, zeek::detail::Frame* frame)
if ( ! same_type(got_type, expected_type) )
{
rval->Assign(0, nullptr);
rval->Remove(0);
Error("event parameter #%d type mismatch, got %s, expect %s", i,
type_name(got_type->Tag()),
type_name(expected_type->Tag()));
@ -807,9 +807,9 @@ RecordVal* Manager::MakeEvent(ValPList* args, zeek::detail::Frame* frame)
else
data_val = detail::make_data_val((*args)[i]);
if ( ! data_val->GetField(0) )
if ( ! data_val->HasField(0) )
{
rval->Assign(0, nullptr);
rval->Remove(0);
Error("failed to convert param #%d of type %s to broker data",
i, type_name(got_type->Tag()));
return rval;
@ -1453,20 +1453,20 @@ void Manager::ProcessStatus(broker::status_view stat)
if ( ctx )
{
endpoint_info->Assign(0, make_intrusive<StringVal>(to_string(ctx->node)));
endpoint_info->Assign(0, to_string(ctx->node));
static auto ni = id::find_type<RecordType>("Broker::NetworkInfo");
auto network_info = make_intrusive<RecordVal>(ni);
if ( ctx->network )
{
network_info->Assign(0, make_intrusive<StringVal>(ctx->network->address.data()));
network_info->Assign(0, ctx->network->address.data());
network_info->Assign(1, val_mgr->Port(ctx->network->port, TRANSPORT_TCP));
}
else
{
// TODO: are there any status messages where the ctx->network
// is not set and actually could be?
network_info->Assign(0, make_intrusive<StringVal>("<unknown>"));
network_info->Assign(0, "<unknown>");
network_info->Assign(1, val_mgr->Port(0, TRANSPORT_TCP));
}

2
src/broker/Store.cc
View file

@ -67,7 +67,7 @@ broker::backend_options to_backend_options(broker::backend backend,
switch ( backend ) {
case broker::backend::sqlite:
{
auto path = options->GetField(0)->AsRecordVal()
auto path = options->GetFieldAs<RecordVal>(0)
->GetFieldAs<StringVal>(0)->CheckString();
return {{"path", path}};
}

2
src/broker/comm.bif
View file

@ -126,7 +126,7 @@ function Broker::__peers%(%): PeerInfos
network_info->Assign(1, zeek::val_mgr->Port(0, TRANSPORT_TCP));
}
endpoint_info->Assign(0, zeek::make_intrusive<zeek::StringVal>(to_string(p.peer.node)));
endpoint_info->Assign(0, to_string(p.peer.node));
endpoint_info->Assign(1, std::move(network_info));
auto ps = (BifEnum::Broker::PeerStatus)p.status;

32
src/file_analysis/File.cc
View file

@ -92,12 +92,12 @@ File::File(const std::string& file_id, const std::string& source_name, Connectio
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Creating new File object", file_id.c_str());
val = make_intrusive<RecordVal>(id::fa_file);
val->Assign(id_idx, make_intrusive<StringVal>(file_id.c_str()));
val->Assign(id_idx, file_id);
SetSource(source_name);
if ( conn )
{
val->Assign(is_orig_idx, val_mgr->Bool(is_orig));
val->Assign(is_orig_idx, is_orig);
UpdateConnectionFields(conn, is_orig);
}
@ -115,7 +115,7 @@ File::~File()
void File::UpdateLastActivityTime()
{
val->Assign(last_active_idx, make_intrusive<TimeVal>(run_state::network_time));
val->AssignTime(last_active_idx, run_state::network_time);
}
double File::GetLastActivityTime() const
@ -128,12 +128,12 @@ bool File::UpdateConnectionFields(Connection* conn, bool is_orig)
if ( ! conn )
return false;
Val* conns = val->GetField(conns_idx).get();
auto conns = val->GetField(conns_idx);
if ( ! conns )
{
auto ect = empty_connection_table();
conns = ect.get();
conns = ect;
val->Assign(conns_idx, std::move(ect));
}
@ -190,7 +190,7 @@ std::string File::GetSource() const
void File::SetSource(const std::string& source)
{
val->Assign(source_idx, make_intrusive<StringVal>(source.c_str()));
val->Assign(source_idx, source);
}
double File::GetTimeoutInterval() const
@ -200,7 +200,7 @@ double File::GetTimeoutInterval() const
void File::SetTimeoutInterval(double interval)
{
val->Assign(timeout_interval_idx, make_intrusive<IntervalVal>(interval));
val->AssignInterval(timeout_interval_idx, interval);
}
bool File::SetExtractionLimit(RecordValPtr args, uint64_t bytes)
@ -223,13 +223,13 @@ bool File::SetExtractionLimit(RecordValPtr args, uint64_t bytes)
void File::IncrementByteCount(uint64_t size, int field_idx)
{
uint64_t old = LookupFieldDefaultCount(field_idx);
val->Assign(field_idx, val_mgr->Count(old + size));
val->Assign(field_idx, old + size);
}
void File::SetTotalBytes(uint64_t size)
{
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Total bytes %" PRIu64, id.c_str(), size);
val->Assign(total_bytes_idx, val_mgr->Count(size));
val->Assign(total_bytes_idx, size);
}
bool File::IsComplete() const
@ -298,8 +298,8 @@ bool File::SetMime(const std::string& mime_type)
return false;
auto meta = make_intrusive<RecordVal>(id::fa_metadata);
meta->Assign(meta_mime_type_idx, make_intrusive<StringVal>(mime_type));
meta->Assign(meta_inferred_idx, val_mgr->False());
meta->Assign(meta_mime_type_idx, mime_type);
meta->Assign(meta_inferred_idx, false);
FileEvent(file_sniff, {val, std::move(meta)});
return true;
@ -309,7 +309,7 @@ void File::InferMetadata()
{
did_metadata_inference = true;
Val* bof_buffer_val = val->GetField(bof_buffer_idx).get();
auto bof_buffer_val = val->GetField(bof_buffer_idx);
if ( ! bof_buffer_val )
{
@ -317,8 +317,8 @@ void File::InferMetadata()
return;
String* bs = concatenate(bof_buffer.chunks);
val->Assign<StringVal>(bof_buffer_idx, bs);
bof_buffer_val = val->GetField(bof_buffer_idx).get();
val->Assign(bof_buffer_idx, bs);
bof_buffer_val = val->GetField(bof_buffer_idx);
}
if ( ! FileEventAvailable(file_sniff) )
@ -334,7 +334,7 @@ void File::InferMetadata()
if ( ! matches.empty() )
{
meta->Assign<StringVal>(meta_mime_type_idx,
meta->Assign(meta_mime_type_idx,
*(matches.begin()->second.begin()));
meta->Assign(meta_mime_types_idx,
file_analysis::GenMIMEMatchesVal(matches));
@ -361,7 +361,7 @@ bool File::BufferBOF(const u_char* data, uint64_t len)
if ( bof_buffer.size > 0 )
{
String* bs = concatenate(bof_buffer.chunks);
val->Assign(bof_buffer_idx, make_intrusive<StringVal>(bs));
val->Assign(bof_buffer_idx, bs);
}
return false;

4
src/file_analysis/Manager.cc
View file

@ -524,8 +524,8 @@ VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m)
for ( set<string>::const_iterator it2 = it->second.begin();
it2 != it->second.end(); ++it2 )
{
element->Assign(0, val_mgr->Int(it->first));
element->Assign(1, make_intrusive<StringVal>(*it2));
element->Assign(0, it->first);
element->Assign(1, *it2);
}
rval->Assign(rval->Size(), std::move(element));

10
src/file_analysis/analyzer/entropy/Entropy.cc
View file

@ -63,11 +63,11 @@ void Entropy::Finalize()
static auto entropy_test_result = id::find_type<RecordType>("entropy_test_result");
auto ent_result = make_intrusive<RecordVal>(entropy_test_result);
ent_result->Assign<DoubleVal>(0, ent);
ent_result->Assign<DoubleVal>(1, chisq);
ent_result->Assign<DoubleVal>(2, mean);
ent_result->Assign<DoubleVal>(3, montepi);
ent_result->Assign<DoubleVal>(4, scc);
ent_result->Assign(0, ent);
ent_result->Assign(1, chisq);
ent_result->Assign(2, mean);
ent_result->Assign(3, montepi);
ent_result->Assign(4, scc);
event_mgr.Enqueue(file_entropy,
GetFile()->ToVal(),

2
src/file_analysis/analyzer/extract/Extract.cc
View file

@ -47,7 +47,7 @@ Extract::~Extract()
}
}
static const ValPtr& get_extract_field_val(const RecordValPtr& args,
static ValPtr get_extract_field_val(const RecordValPtr& args,
const char* name)
{
const auto& rval = args->GetField(name);

102
src/file_analysis/analyzer/pe/pe-analyzer.pac
View file

@ -49,22 +49,22 @@ refine flow File += {
{
auto dh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::DOSHeader);
dh->Assign(0, zeek::make_intrusive<zeek::StringVal>(${h.signature}.length(), (const char*) ${h.signature}.data()));
dh->Assign(1, zeek::val_mgr->Count(${h.UsedBytesInTheLastPage}));
dh->Assign(2, zeek::val_mgr->Count(${h.FileSizeInPages}));
dh->Assign(3, zeek::val_mgr->Count(${h.NumberOfRelocationItems}));
dh->Assign(4, zeek::val_mgr->Count(${h.HeaderSizeInParagraphs}));
dh->Assign(5, zeek::val_mgr->Count(${h.MinimumExtraParagraphs}));
dh->Assign(6, zeek::val_mgr->Count(${h.MaximumExtraParagraphs}));
dh->Assign(7, zeek::val_mgr->Count(${h.InitialRelativeSS}));
dh->Assign(8, zeek::val_mgr->Count(${h.InitialSP}));
dh->Assign(9, zeek::val_mgr->Count(${h.Checksum}));
dh->Assign(10, zeek::val_mgr->Count(${h.InitialIP}));
dh->Assign(11, zeek::val_mgr->Count(${h.InitialRelativeCS}));
dh->Assign(12, zeek::val_mgr->Count(${h.AddressOfRelocationTable}));
dh->Assign(13, zeek::val_mgr->Count(${h.OverlayNumber}));
dh->Assign(14, zeek::val_mgr->Count(${h.OEMid}));
dh->Assign(15, zeek::val_mgr->Count(${h.OEMinfo}));
dh->Assign(16, zeek::val_mgr->Count(${h.AddressOfNewExeHeader}));
dh->Assign(1, ${h.UsedBytesInTheLastPage});
dh->Assign(2, ${h.FileSizeInPages});
dh->Assign(3, ${h.NumberOfRelocationItems});
dh->Assign(4, ${h.HeaderSizeInParagraphs});
dh->Assign(5, ${h.MinimumExtraParagraphs});
dh->Assign(6, ${h.MaximumExtraParagraphs});
dh->Assign(7, ${h.InitialRelativeSS});
dh->Assign(8, ${h.InitialSP});
dh->Assign(9, ${h.Checksum});
dh->Assign(10, ${h.InitialIP});
dh->Assign(11, ${h.InitialRelativeCS});
dh->Assign(12, ${h.AddressOfRelocationTable});
dh->Assign(13, ${h.OverlayNumber});
dh->Assign(14, ${h.OEMid});
dh->Assign(15, ${h.OEMinfo});
dh->Assign(16, ${h.AddressOfNewExeHeader});
zeek::event_mgr.Enqueue(pe_dos_header,
connection()->zeek_analyzer()->GetFile()->ToVal(),
@ -98,11 +98,11 @@ refine flow File += {
if ( pe_file_header )
{
auto fh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::FileHeader);
fh->Assign(0, zeek::val_mgr->Count(${h.Machine}));
fh->Assign(1, zeek::make_intrusive<zeek::TimeVal>(static_cast<double>(${h.TimeDateStamp})));
fh->Assign(2, zeek::val_mgr->Count(${h.PointerToSymbolTable}));
fh->Assign(3, zeek::val_mgr->Count(${h.NumberOfSymbols}));
fh->Assign(4, zeek::val_mgr->Count(${h.SizeOfOptionalHeader}));
fh->Assign(0, ${h.Machine});
fh->AssignTime(1, double(${h.TimeDateStamp}));
fh->Assign(2, ${h.PointerToSymbolTable});
fh->Assign(3, ${h.NumberOfSymbols});
fh->Assign(4, ${h.SizeOfOptionalHeader});
fh->Assign(5, characteristics_to_zeek(${h.Characteristics}, 16));
zeek::event_mgr.Enqueue(pe_file_header,
@ -127,31 +127,31 @@ refine flow File += {
{
auto oh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::OptionalHeader);
oh->Assign(0, zeek::val_mgr->Count(${h.magic}));
oh->Assign(1, zeek::val_mgr->Count(${h.major_linker_version}));
oh->Assign(2, zeek::val_mgr->Count(${h.minor_linker_version}));
oh->Assign(3, zeek::val_mgr->Count(${h.size_of_code}));
oh->Assign(4, zeek::val_mgr->Count(${h.size_of_init_data}));
oh->Assign(5, zeek::val_mgr->Count(${h.size_of_uninit_data}));
oh->Assign(6, zeek::val_mgr->Count(${h.addr_of_entry_point}));
oh->Assign(7, zeek::val_mgr->Count(${h.base_of_code}));
oh->Assign(0, ${h.magic});
oh->Assign(1, ${h.major_linker_version});
oh->Assign(2, ${h.minor_linker_version});
oh->Assign(3, ${h.size_of_code});
oh->Assign(4, ${h.size_of_init_data});
oh->Assign(5, ${h.size_of_uninit_data});
oh->Assign(6, ${h.addr_of_entry_point});
oh->Assign(7, ${h.base_of_code});
if ( ${h.pe_format} != PE32_PLUS )
oh->Assign(8, zeek::val_mgr->Count(${h.base_of_data}));
oh->Assign(8, ${h.base_of_data});
oh->Assign(9, zeek::val_mgr->Count(${h.image_base}));
oh->Assign(10, zeek::val_mgr->Count(${h.section_alignment}));
oh->Assign(11, zeek::val_mgr->Count(${h.file_alignment}));
oh->Assign(12, zeek::val_mgr->Count(${h.os_version_major}));
oh->Assign(13, zeek::val_mgr->Count(${h.os_version_minor}));
oh->Assign(14, zeek::val_mgr->Count(${h.major_image_version}));
oh->Assign(15, zeek::val_mgr->Count(${h.minor_image_version}));
oh->Assign(16, zeek::val_mgr->Count(${h.major_subsys_version}));
oh->Assign(17, zeek::val_mgr->Count(${h.minor_subsys_version}));
oh->Assign(18, zeek::val_mgr->Count(${h.size_of_image}));
oh->Assign(19, zeek::val_mgr->Count(${h.size_of_headers}));
oh->Assign(20, zeek::val_mgr->Count(${h.checksum}));
oh->Assign(21, zeek::val_mgr->Count(${h.subsystem}));
oh->Assign(9, ${h.image_base});
oh->Assign(10, ${h.section_alignment});
oh->Assign(11, ${h.file_alignment});
oh->Assign(12, ${h.os_version_major});
oh->Assign(13, ${h.os_version_minor});
oh->Assign(14, ${h.major_image_version});
oh->Assign(15, ${h.minor_image_version});
oh->Assign(16, ${h.major_subsys_version});
oh->Assign(17, ${h.minor_subsys_version});
oh->Assign(18, ${h.size_of_image});
oh->Assign(19, ${h.size_of_headers});
oh->Assign(20, ${h.checksum});
oh->Assign(21, ${h.subsystem});
oh->Assign(22, characteristics_to_zeek(${h.dll_characteristics}, 16));
oh->Assign(23, process_rvas(${h.rvas}));
@ -178,14 +178,14 @@ refine flow File += {
name_len = first_null - ${h.name}.data();
section_header->Assign(0, zeek::make_intrusive<zeek::StringVal>(name_len, (const char*) ${h.name}.data()));
section_header->Assign(1, zeek::val_mgr->Count(${h.virtual_size}));
section_header->Assign(2, zeek::val_mgr->Count(${h.virtual_addr}));
section_header->Assign(3, zeek::val_mgr->Count(${h.size_of_raw_data}));
section_header->Assign(4, zeek::val_mgr->Count(${h.ptr_to_raw_data}));
section_header->Assign(5, zeek::val_mgr->Count(${h.non_used_ptr_to_relocs}));
section_header->Assign(6, zeek::val_mgr->Count(${h.non_used_ptr_to_line_nums}));
section_header->Assign(7, zeek::val_mgr->Count(${h.non_used_num_of_relocs}));
section_header->Assign(8, zeek::val_mgr->Count(${h.non_used_num_of_line_nums}));
section_header->Assign(1, ${h.virtual_size});
section_header->Assign(2, ${h.virtual_addr});
section_header->Assign(3, ${h.size_of_raw_data});
section_header->Assign(4, ${h.ptr_to_raw_data});
section_header->Assign(5, ${h.non_used_ptr_to_relocs});
section_header->Assign(6, ${h.non_used_ptr_to_line_nums});
section_header->Assign(7, ${h.non_used_num_of_relocs});
section_header->Assign(8, ${h.non_used_num_of_line_nums});
section_header->Assign(9, characteristics_to_zeek(${h.characteristics}, 32));
zeek::event_mgr.Enqueue(pe_section_header,

54
src/file_analysis/analyzer/unified2/unified2-analyzer.pac
View file

@ -73,19 +73,19 @@ refine flow Flow += {
if ( ::unified2_event )
{
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
ids_event->Assign(0, zeek::val_mgr->Count(${ev.sensor_id}));
ids_event->Assign(1, zeek::val_mgr->Count(${ev.event_id}));
ids_event->Assign(2, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${ev.ts})));
ids_event->Assign(3, zeek::val_mgr->Count(${ev.signature_id}));
ids_event->Assign(4, zeek::val_mgr->Count(${ev.generator_id}));
ids_event->Assign(5, zeek::val_mgr->Count(${ev.signature_revision}));
ids_event->Assign(6, zeek::val_mgr->Count(${ev.classification_id}));
ids_event->Assign(7, zeek::val_mgr->Count(${ev.priority_id}));
ids_event->Assign(0, ${ev.sensor_id});
ids_event->Assign(1, ${ev.event_id});
ids_event->AssignTime(2, ts_to_double(${ev.ts}));
ids_event->Assign(3, ${ev.signature_id});
ids_event->Assign(4, ${ev.generator_id});
ids_event->Assign(5, ${ev.signature_revision});
ids_event->Assign(6, ${ev.classification_id});
ids_event->Assign(7, ${ev.priority_id});
ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip}));
ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip}));
ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol}));
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
ids_event->Assign(17, zeek::val_mgr->Count(${ev.packet_action}));
ids_event->Assign(17, ${ev.packet_action});
zeek::event_mgr.Enqueue(::unified2_event,
connection()->zeek_analyzer()->GetFile()->ToVal(),
@ -99,23 +99,23 @@ refine flow Flow += {
if ( ::unified2_event )
{
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
ids_event->Assign(0, zeek::val_mgr->Count(${ev.sensor_id}));
ids_event->Assign(1, zeek::val_mgr->Count(${ev.event_id}));
ids_event->Assign(2, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${ev.ts})));
ids_event->Assign(3, zeek::val_mgr->Count(${ev.signature_id}));
ids_event->Assign(4, zeek::val_mgr->Count(${ev.generator_id}));
ids_event->Assign(5, zeek::val_mgr->Count(${ev.signature_revision}));
ids_event->Assign(6, zeek::val_mgr->Count(${ev.classification_id}));
ids_event->Assign(7, zeek::val_mgr->Count(${ev.priority_id}));
ids_event->Assign(0, ${ev.sensor_id});
ids_event->Assign(1, ${ev.event_id});
ids_event->AssignTime(2, ts_to_double(${ev.ts}));
ids_event->Assign(3, ${ev.signature_id});
ids_event->Assign(4, ${ev.generator_id});
ids_event->Assign(5, ${ev.signature_revision});
ids_event->Assign(6, ${ev.classification_id});
ids_event->Assign(7, ${ev.priority_id});
ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip}));
ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip}));
ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol}));
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
ids_event->Assign(12, zeek::val_mgr->Count(${ev.impact_flag}));
ids_event->Assign(13, zeek::val_mgr->Count(${ev.impact}));
ids_event->Assign(14, zeek::val_mgr->Count(${ev.blocked}));
ids_event->Assign(15, zeek::val_mgr->Count(${ev.mpls_label}));
ids_event->Assign(16, zeek::val_mgr->Count(${ev.vlan_id}));
ids_event->Assign(12, ${ev.impact_flag});
ids_event->Assign(13, ${ev.impact});
ids_event->Assign(14, ${ev.blocked});
ids_event->Assign(15, ${ev.mpls_label});
ids_event->Assign(16, ${ev.vlan_id});
zeek::event_mgr.Enqueue(::unified2_event,
connection()->zeek_analyzer()->GetFile()->ToVal(),
@ -130,11 +130,11 @@ refine flow Flow += {
if ( ::unified2_packet )
{
auto packet = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::Packet);
packet->Assign(0, zeek::val_mgr->Count(${pkt.sensor_id}));
packet->Assign(1, zeek::val_mgr->Count(${pkt.event_id}));
packet->Assign(2, zeek::val_mgr->Count(${pkt.event_second}));
packet->Assign(3, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${pkt.packet_ts})));
packet->Assign(4, zeek::val_mgr->Count(${pkt.link_type}));
packet->Assign(0, ${pkt.sensor_id});
packet->Assign(1, ${pkt.event_id});
packet->Assign(2, ${pkt.event_second});
packet->AssignTime(3, ts_to_double(${pkt.packet_ts}));
packet->Assign(4, ${pkt.link_type});
packet->Assign(5, to_stringval(${pkt.packet_data}));
zeek::event_mgr.Enqueue(::unified2_packet,

26
src/file_analysis/analyzer/x509/X509.cc
View file

@ -124,7 +124,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
auto pX509Cert = make_intrusive<RecordVal>(BifType::Record::X509::Certificate);
BIO *bio = BIO_new(BIO_s_mem());
pX509Cert->Assign(0, val_mgr->Count((uint64_t) X509_get_version(ssl_cert) + 1));
pX509Cert->Assign(0, static_cast<uint64_t>(X509_get_version(ssl_cert) + 1));
i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
int len = BIO_read(bio, buf, sizeof(buf));
pX509Cert->Assign(1, make_intrusive<StringVal>(len, buf));
@ -161,8 +161,8 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
pX509Cert->Assign(3, make_intrusive<StringVal>(len, buf));
BIO_free(bio);
pX509Cert->Assign(5, make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter)));
pX509Cert->Assign(6, make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter)));
pX509Cert->AssignTime(5, GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter));
pX509Cert->AssignTime(6, GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter));
// we only read 255 bytes because byte 256 is always 0.
// if the string is longer than 255, that will be our null-termination,
@ -172,7 +172,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) )
buf[0] = 0;
pX509Cert->Assign(7, make_intrusive<StringVal>(buf));
pX509Cert->Assign(7, buf);
// Special case for RDP server certificates. For some reason some (all?) RDP server
// certificates like to specify their key algorithm as md5WithRSAEncryption, which
@ -194,25 +194,25 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
if ( ! i2t_ASN1_OBJECT(buf, 255, OBJ_nid2obj(X509_get_signature_nid(ssl_cert))) )
buf[0] = 0;
pX509Cert->Assign(8, make_intrusive<StringVal>(buf));
pX509Cert->Assign(8, buf);
// Things we can do when we have the key...
EVP_PKEY *pkey = X509_extract_key(ssl_cert);
if ( pkey != NULL )
{
if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA )
pX509Cert->Assign(9, make_intrusive<StringVal>("dsa"));
pX509Cert->Assign(9, "dsa");
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA )
{
pX509Cert->Assign(9, make_intrusive<StringVal>("rsa"));
pX509Cert->Assign(9, "rsa");
const BIGNUM *e;
RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL);
char *exponent = BN_bn2dec(e);
if ( exponent != NULL )
{
pX509Cert->Assign(11, make_intrusive<StringVal>(exponent));
pX509Cert->Assign(11, exponent);
OPENSSL_free(exponent);
exponent = NULL;
}
@ -220,7 +220,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
#ifndef OPENSSL_NO_EC
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_EC )
{
pX509Cert->Assign(9, make_intrusive<StringVal>("ecdsa"));
pX509Cert->Assign(9, "ecdsa");
pX509Cert->Assign(12, KeyCurve(pkey));
}
#endif
@ -232,7 +232,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
unsigned int length = KeyLength(pkey);
if ( length > 0 )
pX509Cert->Assign(10, val_mgr->Count(length));
pX509Cert->Assign(10, length);
EVP_PKEY_free(pkey);
}
@ -292,10 +292,10 @@ void X509::ParseBasicConstraints(X509_EXTENSION* ex)
if ( x509_ext_basic_constraints )
{
auto pBasicConstraint = make_intrusive<RecordVal>(BifType::Record::X509::BasicConstraints);
pBasicConstraint->Assign(0, val_mgr->Bool(constr->ca));
pBasicConstraint->Assign(0, constr->ca);
if ( constr->pathlen )
pBasicConstraint->Assign(1, val_mgr->Count((int32_t) ASN1_INTEGER_get(constr->pathlen)));
pBasicConstraint->Assign(1, static_cast<int32_t>(ASN1_INTEGER_get(constr->pathlen)));
event_mgr.Enqueue(x509_ext_basic_constraints,
GetFile()->ToVal(),
@ -436,7 +436,7 @@ void X509::ParseSAN(X509_EXTENSION* ext)
if ( ips != nullptr )
sanExt->Assign(3, ips);
sanExt->Assign(4, val_mgr->Bool(otherfields));
sanExt->Assign(4, otherfields);
event_mgr.Enqueue(x509_ext_subject_alternative_name,
GetFile()->ToVal(),

8
src/file_analysis/analyzer/x509/X509Common.cc
View file

@ -273,13 +273,13 @@ void X509Common::ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bo
ext_val = make_intrusive<StringVal>(0, "");
auto pX509Ext = make_intrusive<RecordVal>(BifType::Record::X509::Extension);
pX509Ext->Assign(0, make_intrusive<StringVal>(name));
pX509Ext->Assign(0, name);
if ( short_name and strlen(short_name) > 0 )
pX509Ext->Assign(1, make_intrusive<StringVal>(short_name));
pX509Ext->Assign(1, short_name);
pX509Ext->Assign(2, make_intrusive<StringVal>(oid));
pX509Ext->Assign(3, val_mgr->Bool(critical));
pX509Ext->Assign(2, oid);
pX509Ext->Assign(3, critical);
pX509Ext->Assign(4, ext_val);
// send off generic extension event

10
src/file_analysis/analyzer/x509/functions.bif
View file

@ -16,8 +16,8 @@ static zeek::RecordValPtr x509_result_record(uint64_t num, const char* reason, z
{
auto rrecord = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::Result);
rrecord->Assign(0, zeek::val_mgr->Int(num));
rrecord->Assign(1, zeek::make_intrusive<zeek::StringVal>(reason));
rrecord->Assign(0, num);
rrecord->Assign(1, reason);
if ( chainVector )
rrecord->Assign(2, std::move(chainVector));
@ -37,7 +37,7 @@ STACK_OF(X509)* x509_get_untrusted_stack(zeek::VectorVal* certs_vec)
for ( int i = 1; i < (int) certs_vec->Size(); ++i ) // start at 1 - 0 is host cert
{
const auto& sv = certs_vec->At(i);
auto sv = certs_vec->ValAt(i);
if ( ! sv )
continue;
@ -232,7 +232,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
// host certificate
unsigned int index = 0; // to prevent overloading to 0pointer
const auto& sv = certs_vec->At(index);
auto sv = certs_vec->ValAt(index);
if ( ! sv )
{
zeek::emit_builtin_error("undefined value in certificate vector");
@ -518,7 +518,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
// host certificate
unsigned int index = 0; // to prevent overloading to 0pointer
const auto& sv = certs_vec->At(index);
auto sv = certs_vec->ValAt(index);
if ( !sv )
{
zeek::emit_builtin_error("undefined value in certificate vector");

10
src/iosource/Packet.cc
View file

@ -117,12 +117,12 @@ RecordValPtr Packet::ToRawPktHdrVal() const
l2_hdr->Assign(4, FmtEUI48(data)); // dst
if ( vlan )
l2_hdr->Assign(5, val_mgr->Count(vlan));
l2_hdr->Assign(5, vlan);
if ( inner_vlan )
l2_hdr->Assign(6, val_mgr->Count(inner_vlan));
l2_hdr->Assign(6, inner_vlan);
l2_hdr->Assign(7, val_mgr->Count(eth_type));
l2_hdr->Assign(7, eth_type);
if ( eth_type == ETHERTYPE_ARP || eth_type == ETHERTYPE_REVARP )
// We also identify ARP for L3 over ethernet
@ -131,8 +131,8 @@ RecordValPtr Packet::ToRawPktHdrVal() const
else
l2_hdr->Assign(0, BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_UNKNOWN));
l2_hdr->Assign(1, val_mgr->Count(len));
l2_hdr->Assign(2, val_mgr->Count(cap_len));
l2_hdr->Assign(1, len);
l2_hdr->Assign(2, cap_len);
l2_hdr->Assign(8, BifType::Enum::layer3_proto->GetEnumVal(l3));

10
src/iosource/pcap/pcap.bif
View file

@ -127,9 +127,9 @@ function findalldevs%(%): Pcap::Interfaces
{
auto r = make_intrusive<RecordVal>(iface_type);
r->Assign(0, make_intrusive<StringVal>(d->name));
r->Assign(0, d->name);
if ( d->description )
r->Assign(1, make_intrusive<StringVal>(d->description));
r->Assign(1, d->description);
auto addrs = make_intrusive<ListVal>(TYPE_ADDR);
for ( auto addr = d->addresses; addr != NULL; addr = addr->next )
@ -146,11 +146,11 @@ function findalldevs%(%): Pcap::Interfaces
}
}
r->Assign(2, addrs->ToSetVal());
r->Assign(3, val_mgr->Bool(d->flags & PCAP_IF_LOOPBACK));
r->Assign(3, static_cast<bool>(d->flags & PCAP_IF_LOOPBACK));
#ifdef PCAP_IF_UP
// These didn't become available until libpcap 1.6.1
r->Assign(4, val_mgr->Bool(d->flags & PCAP_IF_UP));
r->Assign(5, val_mgr->Bool(d->flags & PCAP_IF_RUNNING));
r->Assign(4, static_cast<bool>(d->flags & PCAP_IF_UP));
r->Assign(5, static_cast<bool>(d->flags & PCAP_IF_RUNNING));
#endif
pcap_interfaces->Assign(std::move(r), nullptr);

23
src/logging/Manager.cc
View file

@ -1045,7 +1045,7 @@ threading::Value* Manager::ValToLogVal(Val* val, Type* ty)
for ( bro_int_t i = 0; i < lval->val.vector_val.size; i++ )
{
lval->val.vector_val.vals[i] =
ValToLogVal(vec->At(i).get(),
ValToLogVal(vec->ValAt(i).get(),
vec->GetType()->Yield().get());
}
@ -1095,9 +1095,12 @@ threading::Value** Manager::RecordToFilterVals(Stream* stream, Filter* filter,
// potentially be nested inside other records.
list<int>& indices = filter->indices[i];
ValPtr val_ptr;
for ( list<int>::iterator j = indices.begin(); j != indices.end(); ++j )
{
val = val->AsRecordVal()->GetField(*j).get();
val_ptr = val->AsRecordVal()->GetField(*j);
val = val_ptr.get();
if ( ! val )
{
@ -1514,9 +1517,9 @@ std::string Manager::FormatRotationPath(EnumValPtr writer,
auto ri = make_intrusive<RecordVal>(BifType::Record::Log::RotationFmtInfo);
ri->Assign(0, std::move(writer));
ri->Assign<StringVal>(1, path.size(), path.data());
ri->Assign<TimeVal>(2, open);
ri->Assign<TimeVal>(3, close);
ri->Assign(4, val_mgr->Bool(terminating));
ri->AssignTime(2, open);
ri->AssignTime(3, close);
ri->Assign(4, terminating);
ri->Assign<FuncVal>(5, std::move(postprocessor));
std::string rval;
@ -1605,11 +1608,11 @@ bool Manager::FinishedRotation(WriterFrontend* writer, const char* new_name, con
auto info = make_intrusive<RecordVal>(BifType::Record::Log::RotationInfo);
info->Assign(0, {NewRef{}, winfo->type});
info->Assign(1, make_intrusive<StringVal>(new_name));
info->Assign(2, make_intrusive<StringVal>(winfo->writer->Info().path));
info->Assign(3, make_intrusive<TimeVal>(open));
info->Assign(4, make_intrusive<TimeVal>(close));
info->Assign(5, val_mgr->Bool(terminating));
info->Assign(1, new_name);
info->Assign(2, winfo->writer->Info().path);
info->AssignTime(3, open);
info->AssignTime(4, close);
info->Assign(5, terminating);
static auto default_ppf = id::find_func("Log::__default_rotation_postprocessor");

10
src/logging/writers/ascii/Ascii.cc
View file

@ -818,11 +818,11 @@ void Ascii::RotateLeftoverLogs()
auto rot_info = make_intrusive<RecordVal>(rot_info_type);
rot_info->Assign(0, writer_val);
rot_info->Assign<StringVal>(1, rotation_path);
rot_info->Assign<StringVal>(2, ll.Path());
rot_info->Assign<TimeVal>(3, ll.open_time);
rot_info->Assign<TimeVal>(4, ll.close_time);
rot_info->Assign(5, val_mgr->False());
rot_info->Assign(1, rotation_path);
rot_info->Assign(2, ll.Path());
rot_info->AssignTime(3, double(ll.open_time));
rot_info->AssignTime(4, double(ll.close_time));
rot_info->Assign(5, false);
if ( rename(ll.filename.data(), rotation_path.data()) != 0 )
reporter->FatalError("Found leftover/unprocessed log '%s', but "

3
src/option.bif
View file

@ -80,7 +80,8 @@ function Option::set%(ID: string, val: any, location: string &default=""%): bool
if ( same_type(val->GetType(), zeek::Broker::detail::DataVal::ScriptDataType()) )
{
auto dv = static_cast<zeek::Broker::detail::DataVal*>(val->AsRecordVal()->GetField(0).get());
auto valptr = val->AsRecordVal()->GetField(0);
auto dv = static_cast<zeek::Broker::detail::DataVal*>(valptr.get());
auto val_from_data = dv->castTo(i->GetType().get());
if ( ! val_from_data )

4
src/script_opt/DefItem.cc
View file

@ -1,7 +1,7 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "DefItem.h"
#include "Expr.h"
#include "zeek/Expr.h"
#include "zeek/script_opt/DefItem.h"
namespace zeek::detail {

2
src/script_opt/ReachingDefs.cc
View file

@ -1,7 +1,7 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/script_opt/ReachingDefs.h"
#include "Desc.h"
#include "zeek/Desc.h"
namespace zeek::detail {

124
src/stats.bif
View file

@ -57,10 +57,10 @@ function get_net_stats%(%): NetStats
auto r = zeek::make_intrusive<zeek::RecordVal>(NetStats);
int n = 0;
r->Assign(n++, zeek::val_mgr->Count(recv));
r->Assign(n++, zeek::val_mgr->Count(drop));
r->Assign(n++, zeek::val_mgr->Count(link));
r->Assign(n++, zeek::val_mgr->Count(bytes_recv));
r->Assign(n++, recv);
r->Assign(n++, drop);
r->Assign(n++, link);
r->Assign(n++, bytes_recv);
return r;
%}
@ -86,16 +86,16 @@ function get_conn_stats%(%): ConnStats
auto r = zeek::make_intrusive<zeek::RecordVal>(ConnStats);
int n = 0;
r->Assign(n++, zeek::val_mgr->Count(Connection::TotalConnections()));
r->Assign(n++, zeek::val_mgr->Count(Connection::CurrentConnections()));
r->Assign(n++, zeek::val_mgr->Count(sessions->CurrentConnections()));
r->Assign(n++, Connection::TotalConnections());
r->Assign(n++, Connection::CurrentConnections());
r->Assign(n++, sessions->CurrentConnections());
SessionStats s;
if ( sessions )
sessions->GetStats(s);
#define ADD_STAT(x) \
r->Assign(n++, zeek::val_mgr->Count(unsigned(sessions ? x : 0)));
r->Assign(n++, static_cast<uint64_t>(sessions ? x : 0));
ADD_STAT(s.num_packets);
ADD_STAT(s.num_fragments);
@ -110,7 +110,7 @@ function get_conn_stats%(%): ConnStats
ADD_STAT(s.max_ICMP_conns);
ADD_STAT(s.cumulative_ICMP_conns);
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::killed_by_inactivity));
r->Assign(n++, zeek::detail::killed_by_inactivity);
return r;
%}
@ -147,27 +147,27 @@ function get_proc_stats%(%): ProcStats
double(ru.ru_stime.tv_sec) + double(ru.ru_stime.tv_usec) / 1e6;
#ifdef DEBUG
r->Assign(n++, zeek::val_mgr->Count(1));
r->Assign(n++, true);
#else
r->Assign(n++, zeek::val_mgr->Count(0));
r->Assign(n++, false);
#endif
r->Assign(n++, zeek::make_intrusive<zeek::TimeVal>(zeek::run_state::zeek_start_time));
r->AssignTime(n++, zeek::run_state::zeek_start_time);
r->Assign(n++, zeek::make_intrusive<zeek::IntervalVal>(elapsed_time, Seconds));
r->Assign(n++, zeek::make_intrusive<zeek::IntervalVal>(user_time, Seconds));
r->Assign(n++, zeek::make_intrusive<zeek::IntervalVal>(system_time, Seconds));
r->AssignInterval(n++, elapsed_time);
r->AssignInterval(n++, user_time);
r->AssignInterval(n++, system_time);
uint64_t total_mem;
zeek::util::get_memory_usage(&total_mem, NULL);
r->Assign(n++, zeek::val_mgr->Count(unsigned(total_mem)));
r->Assign(n++, static_cast<uint64_t>(total_mem));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_minflt)));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_majflt)));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_nswap)));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_inblock)));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_oublock)));
r->Assign(n++, zeek::val_mgr->Count(unsigned(ru.ru_nivcsw)));
r->Assign(n++, static_cast<uint64_t>(ru.ru_minflt));
r->Assign(n++, static_cast<uint64_t>(ru.ru_majflt));
r->Assign(n++, static_cast<uint64_t>(ru.ru_nswap));
r->Assign(n++, static_cast<uint64_t>(ru.ru_inblock));
r->Assign(n++, static_cast<uint64_t>(ru.ru_oublock));
r->Assign(n++, static_cast<uint64_t>(ru.ru_nivcsw));
return r;
%}
@ -193,8 +193,8 @@ function get_event_stats%(%): EventStats
auto r = zeek::make_intrusive<zeek::RecordVal>(EventStats);
int n = 0;
r->Assign(n++, zeek::val_mgr->Count(event_mgr.num_events_queued));
r->Assign(n++, zeek::val_mgr->Count(event_mgr.num_events_dispatched));
r->Assign(n++, event_mgr.num_events_queued);
r->Assign(n++, event_mgr.num_events_dispatched);
return r;
%}
@ -220,10 +220,10 @@ function get_reassembler_stats%(%): ReassemblerStats
auto r = zeek::make_intrusive<zeek::RecordVal>(ReassemblerStats);
int n = 0;
r->Assign(n++, zeek::val_mgr->Count(Reassembler::MemoryAllocation(zeek::REASSEM_FILE)));
r->Assign(n++, zeek::val_mgr->Count(Reassembler::MemoryAllocation(zeek::REASSEM_FRAG)));
r->Assign(n++, zeek::val_mgr->Count(Reassembler::MemoryAllocation(zeek::REASSEM_TCP)));
r->Assign(n++, zeek::val_mgr->Count(Reassembler::MemoryAllocation(zeek::REASSEM_UNKNOWN)));
r->Assign(n++, Reassembler::MemoryAllocation(zeek::REASSEM_FILE));
r->Assign(n++, Reassembler::MemoryAllocation(zeek::REASSEM_FRAG));
r->Assign(n++, Reassembler::MemoryAllocation(zeek::REASSEM_TCP));
r->Assign(n++, Reassembler::MemoryAllocation(zeek::REASSEM_UNKNOWN));
return r;
%}
@ -252,12 +252,12 @@ function get_dns_stats%(%): DNSStats
zeek::detail::DNS_Mgr::Stats dstats;
zeek::detail::dns_mgr->GetStats(&dstats);
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.requests)));
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.successful)));
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.failed)));
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.pending)));
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.cached_hosts)));
r->Assign(n++, zeek::val_mgr->Count(unsigned(dstats.cached_addresses)));
r->Assign(n++, static_cast<uint64_t>(dstats.requests));
r->Assign(n++, static_cast<uint64_t>(dstats.successful));
r->Assign(n++, static_cast<uint64_t>(dstats.failed));
r->Assign(n++, static_cast<uint64_t>(dstats.pending));
r->Assign(n++, static_cast<uint64_t>(dstats.cached_hosts));
r->Assign(n++, static_cast<uint64_t>(dstats.cached_addresses));
return r;
%}
@ -283,9 +283,9 @@ function get_timer_stats%(%): TimerStats
auto r = zeek::make_intrusive<zeek::RecordVal>(TimerStats);
int n = 0;
r->Assign(n++, zeek::val_mgr->Count(unsigned(zeek::detail::timer_mgr->Size())));
r->Assign(n++, zeek::val_mgr->Count(unsigned(zeek::detail::timer_mgr->PeakSize())));
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::timer_mgr->CumulativeNum()));
r->Assign(n++, static_cast<uint64_t>(zeek::detail::timer_mgr->Size()));
r->Assign(n++, static_cast<uint64_t>(zeek::detail::timer_mgr->PeakSize()));
r->Assign(n++, zeek::detail::timer_mgr->CumulativeNum());
return r;
%}
@ -311,9 +311,9 @@ function get_file_analysis_stats%(%): FileAnalysisStats
auto r = zeek::make_intrusive<zeek::RecordVal>(FileAnalysisStats);
int n = 0;
r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->CurrentFiles()));
r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->MaxFiles()));
r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->CumulativeFiles()));
r->Assign(n++, zeek::file_mgr->CurrentFiles());
r->Assign(n++, zeek::file_mgr->MaxFiles());
r->Assign(n++, zeek::file_mgr->CumulativeFiles());
return r;
%}
@ -339,7 +339,7 @@ function get_thread_stats%(%): ThreadStats
auto r = zeek::make_intrusive<zeek::RecordVal>(ThreadStats);
int n = 0;
r->Assign(n++, zeek::val_mgr->Count(zeek::thread_mgr->NumThreads()));
r->Assign(n++, zeek::thread_mgr->NumThreads());
return r;
%}
@ -365,10 +365,10 @@ function get_gap_stats%(%): GapStats
auto r = zeek::make_intrusive<zeek::RecordVal>(GapStats);
int n = 0;
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::tot_ack_events));
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::tot_ack_bytes));
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::tot_gap_events));
r->Assign(n++, zeek::val_mgr->Count(zeek::detail::tot_gap_bytes));
r->Assign(n++, zeek::detail::tot_ack_events);
r->Assign(n++, zeek::detail::tot_ack_bytes);
r->Assign(n++, zeek::detail::tot_gap_events);
r->Assign(n++, zeek::detail::tot_gap_bytes);
return r;
%}
@ -402,13 +402,13 @@ function get_matcher_stats%(%): MatcherStats
if ( zeek::detail::rule_matcher )
zeek::detail::rule_matcher->GetStats(&s);
r->Assign(n++, zeek::val_mgr->Count(s.matchers));
r->Assign(n++, zeek::val_mgr->Count(s.nfa_states));
r->Assign(n++, zeek::val_mgr->Count(s.dfa_states));
r->Assign(n++, zeek::val_mgr->Count(s.computed));
r->Assign(n++, zeek::val_mgr->Count(s.mem));
r->Assign(n++, zeek::val_mgr->Count(s.hits));
r->Assign(n++, zeek::val_mgr->Count(s.misses));
r->Assign(n++, s.matchers);
r->Assign(n++, s.nfa_states);
r->Assign(n++, s.dfa_states);
r->Assign(n++, s.computed);
r->Assign(n++, s.mem);
r->Assign(n++, s.hits);
r->Assign(n++, s.misses);
return r;
%}
@ -436,15 +436,15 @@ function get_broker_stats%(%): BrokerStats
int n = 0;
auto cs = broker_mgr->GetStatistics();
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_peers)));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_stores)));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_pending_queries)));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_events_incoming)));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_events_outgoing)));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_logs_incoming)));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_logs_outgoing)));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_ids_incoming)));
r->Assign(n++, zeek::val_mgr->Count(static_cast<uint64_t>(cs.num_ids_outgoing)));
r->Assign(n++, static_cast<uint64_t>(cs.num_peers));
r->Assign(n++, static_cast<uint64_t>(cs.num_stores));
r->Assign(n++, static_cast<uint64_t>(cs.num_pending_queries));
r->Assign(n++, static_cast<uint64_t>(cs.num_events_incoming));
r->Assign(n++, static_cast<uint64_t>(cs.num_events_outgoing));
r->Assign(n++, static_cast<uint64_t>(cs.num_logs_incoming));
r->Assign(n++, static_cast<uint64_t>(cs.num_logs_outgoing));
r->Assign(n++, static_cast<uint64_t>(cs.num_ids_incoming));
r->Assign(n++, static_cast<uint64_t>(cs.num_ids_outgoing));
return r;
%}
@ -478,7 +478,7 @@ function get_reporter_stats%(%): ReporterStats
weirds_by_type->Assign(std::move(weird), zeek::val_mgr->Count(kv.second));
}
r->Assign(n++, zeek::val_mgr->Count(reporter->GetWeirdCount()));
r->Assign(n++, reporter->GetWeirdCount());
r->Assign(n++, std::move(weirds_by_type));
return r;

2
src/strings.bif
View file

@ -104,7 +104,7 @@ function join_string_vec%(vec: string_vec, sep: string%): string
if ( i > 0 )
d.Add(sep->CheckString(), 0);
const auto& e = v->At(i);
auto e = v->ValAt(i);
// If the element is empty, skip it.
if ( ! e )

22
src/supervisor/Supervisor.cc
View file

@ -1255,7 +1255,7 @@ Supervisor::NodeConfig Supervisor::NodeConfig::FromRecord(const RecordVal* node)
for ( auto i = 0u; i < scripts_val->Size(); ++i )
{
auto script = scripts_val->At(i)->AsStringVal()->ToStdString();
auto script = scripts_val->StringValAt(i)->ToStdString();
rval.scripts.emplace_back(std::move(script));
}
@ -1348,22 +1348,22 @@ RecordValPtr Supervisor::NodeConfig::ToRecord() const
{
const auto& rt = BifType::Record::Supervisor::NodeConfig;
auto rval = make_intrusive<RecordVal>(rt);
rval->Assign(rt->FieldOffset("name"), make_intrusive<StringVal>(name));
rval->Assign(rt->FieldOffset("name"), name);
if ( interface )
rval->Assign(rt->FieldOffset("interface"), make_intrusive<StringVal>(*interface));
rval->Assign(rt->FieldOffset("interface"), *interface);
if ( directory )
rval->Assign(rt->FieldOffset("directory"), make_intrusive<StringVal>(*directory));
rval->Assign(rt->FieldOffset("directory"), *directory);
if ( stdout_file )
rval->Assign(rt->FieldOffset("stdout_file"), make_intrusive<StringVal>(*stdout_file));
rval->Assign(rt->FieldOffset("stdout_file"), *stdout_file);
if ( stderr_file )
rval->Assign(rt->FieldOffset("stderr_file"), make_intrusive<StringVal>(*stderr_file));
rval->Assign(rt->FieldOffset("stderr_file"), *stderr_file);
if ( cpu_affinity )
rval->Assign(rt->FieldOffset("cpu_affinity"), val_mgr->Int(*cpu_affinity));
rval->Assign(rt->FieldOffset("cpu_affinity"), *cpu_affinity);
auto st = rt->GetFieldType<VectorType>("scripts");
auto scripts_val = make_intrusive<VectorVal>(std::move(st));
@ -1390,7 +1390,7 @@ RecordValPtr Supervisor::NodeConfig::ToRecord() const
val->Assign(ept->FieldOffset("p"), val_mgr->Port(ep.port, TRANSPORT_TCP));
if ( ep.interface )
val->Assign(ept->FieldOffset("interface"), make_intrusive<StringVal>(*ep.interface));
val->Assign(ept->FieldOffset("interface"), *ep.interface);
cluster_val->Assign(std::move(key), std::move(val));
}
@ -1406,7 +1406,7 @@ RecordValPtr SupervisorNode::ToRecord() const
rval->Assign(rt->FieldOffset("node"), config.ToRecord());
if ( pid )
rval->Assign(rt->FieldOffset("pid"), val_mgr->Int(pid));
rval->Assign(rt->FieldOffset("pid"), pid);
return rval;
}
@ -1464,11 +1464,11 @@ bool SupervisedNode::InitCluster() const
if ( ep.interface )
val->Assign(cluster_node_type->FieldOffset("interface"),
make_intrusive<StringVal>(*ep.interface));
*ep.interface);
if ( manager_name && ep.role != BifEnum::Supervisor::MANAGER )
val->Assign(cluster_node_type->FieldOffset("manager"),
make_intrusive<StringVal>(*manager_name));
*manager_name);
cluster_nodes->Assign(std::move(key), std::move(val));
}

2
src/supervisor/supervisor.bif
View file

@ -86,7 +86,7 @@ function Supervisor::__node%(%): Supervisor::NodeConfig
zeek::emit_builtin_error("not a supervised process");
const auto& rt = zeek::BifType::Record::Supervisor::NodeConfig;
auto rval = zeek::make_intrusive<zeek::RecordVal>(rt);
rval->Assign<zeek::StringVal>(rt->FieldOffset("name"), "<invalid>");
rval->Assign(rt->FieldOffset("name"), "<invalid>");
return rval;
}

8
src/util.cc
View file

@ -835,10 +835,10 @@ FILE* rotate_file(const char* name, RecordVal* rotate_info)
// Init rotate_info.
if ( rotate_info )
{
rotate_info->Assign<StringVal>(0, name);
rotate_info->Assign<StringVal>(1, newname);
rotate_info->Assign<TimeVal>(2, run_state::network_time);
rotate_info->Assign<TimeVal>(3, run_state::network_time);
rotate_info->Assign(0, name);
rotate_info->Assign(1, newname);
rotate_info->AssignTime(2, run_state::network_time);
rotate_info->AssignTime(3, run_state::network_time);
}
return newf;

246
src/zeek.bif
View file

@ -819,7 +819,7 @@ function paraglob_init%(v: any%) : opaque of paraglob
VectorVal* vv = v->AsVectorVal();
for ( unsigned int i = 0; i < vv->Size(); ++i )
{
const String* s = vv->At(i)->AsString();
auto s = vv->StringAt(i);
patterns.push_back(std::string(reinterpret_cast<const char*>(s->Bytes()), s->Len()));
}
@ -1057,11 +1057,11 @@ function find_entropy%(data: string%): entropy_test_result
static auto entropy_test_result = zeek::id::find_type<zeek::RecordType>("entropy_test_result");
auto ent_result = zeek::make_intrusive<zeek::RecordVal>(entropy_test_result);
ent_result->Assign(0, zeek::make_intrusive<zeek::DoubleVal>(ent));
ent_result->Assign(1, zeek::make_intrusive<zeek::DoubleVal>(chisq));
ent_result->Assign(2, zeek::make_intrusive<zeek::DoubleVal>(mean));
ent_result->Assign(3, zeek::make_intrusive<zeek::DoubleVal>(montepi));
ent_result->Assign(4, zeek::make_intrusive<zeek::DoubleVal>(scc));
ent_result->Assign(0, ent);
ent_result->Assign(1, chisq);
ent_result->Assign(2, mean);
ent_result->Assign(3, montepi);
ent_result->Assign(4, scc);
return ent_result;
%}
@ -1109,11 +1109,11 @@ function entropy_test_finish%(handle: opaque of entropy%): entropy_test_result
static auto entropy_test_result = zeek::id::find_type<zeek::RecordType>("entropy_test_result");
auto ent_result = zeek::make_intrusive<zeek::RecordVal>(entropy_test_result);
ent_result->Assign(0, zeek::make_intrusive<zeek::DoubleVal>(ent));
ent_result->Assign(1, zeek::make_intrusive<zeek::DoubleVal>(chisq));
ent_result->Assign(2, zeek::make_intrusive<zeek::DoubleVal>(mean));
ent_result->Assign(3, zeek::make_intrusive<zeek::DoubleVal>(montepi));
ent_result->Assign(4, zeek::make_intrusive<zeek::DoubleVal>(scc));
ent_result->Assign(0, ent);
ent_result->Assign(1, chisq);
ent_result->Assign(2, mean);
ent_result->Assign(3, montepi);
ent_result->Assign(4, scc);
return ent_result;
%}
@ -1297,7 +1297,7 @@ function any_set%(v: any%) : bool
VectorVal* vv = v->AsVectorVal();
for ( unsigned int i = 0; i < vv->Size(); ++i )
if ( vv->At(i) && vv->At(i)->AsBool() )
if ( vv->BoolAt(i) )
return zeek::val_mgr->True();
return zeek::val_mgr->False();
@ -1326,78 +1326,18 @@ function all_set%(v: any%) : bool
VectorVal* vv = v->AsVectorVal();
for ( unsigned int i = 0; i < vv->Size(); ++i )
if ( ! vv->At(i) || ! vv->At(i)->AsBool() )
if ( ! vv->BoolAt(i) )
return zeek::val_mgr->False();
return zeek::val_mgr->True();
%}
%%{
static zeek::Func* sort_function_comp = nullptr;
static std::vector<const zeek::ValPtr*> index_map; // used for indirect sorting to support order()
bool sort_function(const zeek::ValPtr& a, const zeek::ValPtr& b)
{
// Sort missing values as "high".
if ( ! a )
return 0;
if ( ! b )
return 1;
auto result = sort_function_comp->Invoke(a, b);
int int_result = result->CoerceToInt();
return int_result < 0;
}
bool indirect_sort_function(size_t a, size_t b)
{
return sort_function(*index_map[a], *index_map[b]);
}
bool signed_sort_function (const zeek::ValPtr& a, const zeek::ValPtr& b)
{
if ( ! a )
return 0;
if ( ! b )
return 1;
auto ia = a->CoerceToInt();
auto ib = b->CoerceToInt();
return ia < ib;
}
bool unsigned_sort_function (const zeek::ValPtr& a, const zeek::ValPtr& b)
{
if ( ! a )
return 0;
if ( ! b )
return 1;
auto ia = a->CoerceToUnsigned();
auto ib = b->CoerceToUnsigned();
return ia < ib;
}
bool indirect_signed_sort_function(size_t a, size_t b)
{
return signed_sort_function(*index_map[a], *index_map[b]);
}
bool indirect_unsigned_sort_function(size_t a, size_t b)
{
return unsigned_sort_function(*index_map[a], *index_map[b]);
}
%%}
## Sorts a vector in place. The second argument is a comparison function that
## takes two arguments: if the vector type is ``vector of T``, then the
## comparison function must be ``function(a: T, b: T): int``, which returns
## a value less than zero if ``a < b`` for some type-specific notion of the
## less-than operator. The comparison function is optional if the type
## is an integral type (int, count, etc.).
## is a numeric type (int, count, double, time, etc.).
##
## v: The vector instance to sort.
##
@ -1419,7 +1359,10 @@ function sort%(v: any, ...%) : any
zeek::Func* comp = nullptr;
if ( @ARG@.size() > 2 )
{
zeek::emit_builtin_error("sort() called with extraneous argument");
return rval;
}
if ( @ARG@.size() == 2 )
{
@ -1431,36 +1374,27 @@ function sort%(v: any, ...%) : any
}
comp = comp_val->AsFunc();
}
if ( ! comp && ! IsIntegral(elt_type->Tag()) )
zeek::emit_builtin_error("comparison function required for sort() with non-integral types");
auto vv = v->As<zeek::VectorVal*>();
if ( comp )
{
const auto& comp_type = comp->GetType();
if ( comp_type->Yield()->Tag() != zeek::TYPE_INT ||
! comp_type->ParamList()->AllMatch(elt_type, 0) )
! comp_type->ParamList()->AllMatch(elt_type, 0) ||
comp_type->ParamList()->GetTypes().size() != 2 )
{
zeek::emit_builtin_error("invalid comparison function in call to sort()");
return rval;
}
sort_function_comp = comp;
vv->Sort(sort_function);
}
else
if ( ! comp && ! IsIntegral(elt_type->Tag()) &&
elt_type->InternalType() != TYPE_INTERNAL_DOUBLE )
{
if ( elt_type->InternalType() == zeek::TYPE_INTERNAL_UNSIGNED )
vv->Sort(unsigned_sort_function);
else
vv->Sort(signed_sort_function);
zeek::emit_builtin_error("comparison function required for sort() with non-numeric types");
return rval;
}
auto vv = v->As<zeek::VectorVal*>();
vv->Sort(comp);
return rval;
%}
@ -1477,19 +1411,22 @@ function sort%(v: any, ...%) : any
## .. zeek:see:: sort
function order%(v: any, ...%) : index_vec
%{
auto result_v = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
auto err_v = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
if ( v->GetType()->Tag() != zeek::TYPE_VECTOR )
{
zeek::emit_builtin_error("order() requires vector");
return result_v;
return err_v;
}
const auto& elt_type = v->GetType()->Yield();
zeek::Func* comp = nullptr;
if ( @ARG@.size() > 2 )
{
zeek::emit_builtin_error("order() called with extraneous argument");
return err_v;
}
if ( @ARG@.size() == 2 )
{
@ -1501,57 +1438,27 @@ function order%(v: any, ...%) : index_vec
}
comp = comp_val->AsFunc();
}
if ( ! comp && ! IsIntegral(elt_type->Tag()) )
zeek::emit_builtin_error("comparison function required for order() with non-integral types");
auto vv = v->As<zeek::VectorVal*>();
auto n = vv->Size();
// Set up initial mapping of indices directly to corresponding
// elements.
vector<size_t> ind_vv(n);
index_map.reserve(n);
size_t i;
for ( i = 0; i < n; ++i )
{
ind_vv[i] = i;
index_map.emplace_back(&vv->At(i));
}
if ( comp )
{
const auto& comp_type = comp->GetType();
if ( comp_type->Yield()->Tag() != zeek::TYPE_INT ||
! comp_type->ParamList()->AllMatch(elt_type, 0) )
! comp_type->ParamList()->AllMatch(elt_type, 0) ||
comp_type->ParamList()->GetTypes().size() != 2 )
{
zeek::emit_builtin_error("invalid comparison function in call to order()");
return zeek::ValPtr{zeek::NewRef{}, v};
}
sort_function_comp = comp;
sort(ind_vv.begin(), ind_vv.end(), indirect_sort_function);
}
else
if ( ! comp && ! IsIntegral(elt_type->Tag()) &&
elt_type->InternalType() != TYPE_INTERNAL_DOUBLE )
{
if ( elt_type->InternalType() == zeek::TYPE_INTERNAL_UNSIGNED )
sort(ind_vv.begin(), ind_vv.end(), indirect_unsigned_sort_function);
else
sort(ind_vv.begin(), ind_vv.end(), indirect_signed_sort_function);
zeek::emit_builtin_error("comparison function required for order() with non-numeric types");
return err_v;
}
index_map = {};
auto vv = v->As<zeek::VectorVal*>();
// Now spin through ind_vv to read out the rearrangement.
for ( i = 0; i < n; ++i )
{
int ind = ind_vv[i];
result_v->Assign(i, zeek::val_mgr->Count(ind));
}
return result_v;
return vv->Order(comp);
%}
# ===========================================================================
@ -2023,10 +1930,10 @@ function packet_source%(%): PacketSource
if ( ps )
{
r->Assign(0, zeek::val_mgr->Bool(ps->IsLive()));
r->Assign(1, zeek::make_intrusive<zeek::StringVal>(ps->Path()));
r->Assign(2, zeek::val_mgr->Int(ps->LinkType()));
r->Assign(3, zeek::val_mgr->Count(ps->Netmask()));
r->Assign(0, ps->IsLive());
r->Assign(1, ps->Path());
r->Assign(2, ps->LinkType());
r->Assign(3, ps->Netmask());
}
return r;
@ -2076,13 +1983,13 @@ function global_ids%(%): id_table
const auto& id = global.second;
static auto script_id = zeek::id::find_type<zeek::RecordType>("script_id");
auto rec = zeek::make_intrusive<zeek::RecordVal>(script_id);
rec->Assign(0, zeek::make_intrusive<zeek::StringVal>(type_name(id->GetType()->Tag())));
rec->Assign(1, zeek::val_mgr->Bool(id->IsExport()));
rec->Assign(2, zeek::val_mgr->Bool(id->IsConst()));
rec->Assign(3, zeek::val_mgr->Bool(id->IsEnumConst()));
rec->Assign(4, zeek::val_mgr->Bool(id->IsOption()));
rec->Assign(5, zeek::val_mgr->Bool(id->IsRedefinable()));
rec->Assign(6, zeek::val_mgr->Bool(id->GetAttr(zeek::detail::ATTR_BACKEND) != zeek::detail::Attr::nil));
rec->Assign(0, type_name(id->GetType()->Tag()));
rec->Assign(1, id->IsExport());
rec->Assign(2, id->IsConst());
rec->Assign(3, id->IsEnumConst());
rec->Assign(4, id->IsOption());
rec->Assign(5, id->IsRedefinable());
rec->Assign(6, id->GetAttr(zeek::detail::ATTR_BACKEND) != zeek::detail::Attr::nil);
if ( id->HasVal() )
rec->Assign(7, id->GetVal());
@ -2332,14 +2239,14 @@ function backtrace%(%): Backtrace
const auto& params = ci.func->GetType()->Params();
auto args = MakeCallArgumentVector(ci.args, params);
elem->Assign<StringVal>(function_name_idx, ci.func->Name());
elem->Assign(function_name_idx, ci.func->Name());
elem->Assign(function_args_idx, std::move(args));
if ( ci.call )
{
auto loc = ci.call->GetLocationInfo();
elem->Assign<StringVal>(file_location_idx, loc->filename);
elem->Assign(line_location_idx, val_mgr->Count(loc->first_line));
elem->Assign(file_location_idx, loc->filename);
elem->Assign(line_location_idx, loc->first_line);
}
rval->Assign(rval->Size(), std::move(elem));
@ -3511,18 +3418,18 @@ function lookup_connection%(cid: conn_id%): connection
c->Assign(0, std::move(id_val));
auto orig_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint);
orig_endp->Assign(0, zeek::val_mgr->Count(0));
orig_endp->Assign(1, zeek::val_mgr->Count(int(0)));
orig_endp->Assign(0, 0);
orig_endp->Assign(1, 0);
auto resp_endp = zeek::make_intrusive<zeek::RecordVal>(zeek::id::endpoint);
resp_endp->Assign(0, zeek::val_mgr->Count(0));
resp_endp->Assign(1, zeek::val_mgr->Count(int(0)));
resp_endp->Assign(0, 0);
resp_endp->Assign(1, 0);
c->Assign(1, std::move(orig_endp));
c->Assign(2, std::move(resp_endp));
c->Assign(3, zeek::make_intrusive<zeek::TimeVal>(zeek::run_state::network_time));
c->Assign(4, zeek::make_intrusive<zeek::IntervalVal>(0.0));
c->AssignTime(3, zeek::run_state::network_time);
c->AssignInterval(4, 0.0);
c->Assign(5, zeek::make_intrusive<zeek::TableVal>(zeek::id::string_set)); // service
c->Assign(6, zeek::val_mgr->EmptyString()); // history
@ -3532,8 +3439,7 @@ function lookup_connection%(cid: conn_id%): connection
%%{
const char* conn_id_string(zeek::Val* c)
{
auto id = c->As<zeek::RecordVal*>()->GetField(0);
auto id_r = id->As<zeek::RecordVal*>();
auto id_r = c->As<zeek::RecordVal*>()->GetFieldAs<zeek::RecordVal>(0);
const zeek::IPAddr& orig_h = id_r->GetFieldAs<zeek::AddrVal>(0);
uint32_t orig_p = id_r->GetFieldAs<zeek::PortVal>(1)->Port();
@ -3592,19 +3498,19 @@ function get_current_packet%(%) : pcap_packet
if ( ! pkt_src || ! pkt_src->GetCurrentPacket(&p) )
{
pkt->Assign(0, zeek::val_mgr->Count(0));
pkt->Assign(1, zeek::val_mgr->Count(0));
pkt->Assign(2, zeek::val_mgr->Count(0));
pkt->Assign(3, zeek::val_mgr->Count(0));
pkt->Assign(0, 0);
pkt->Assign(1, 0);
pkt->Assign(2, 0);
pkt->Assign(3, 0);
pkt->Assign(4, zeek::val_mgr->EmptyString());
pkt->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_UNKNOWN));
return pkt;
}
pkt->Assign(0, zeek::val_mgr->Count(uint32_t(p->ts.tv_sec)));
pkt->Assign(1, zeek::val_mgr->Count(uint32_t(p->ts.tv_usec)));
pkt->Assign(2, zeek::val_mgr->Count(p->cap_len));
pkt->Assign(3, zeek::val_mgr->Count(p->len));
pkt->Assign(0, static_cast<uint32_t>(p->ts.tv_sec));
pkt->Assign(1, static_cast<uint32_t>(p->ts.tv_usec));
pkt->Assign(2, p->cap_len);
pkt->Assign(3, p->len);
pkt->Assign(4, zeek::make_intrusive<zeek::StringVal>(p->cap_len, (const char*)p->data));
pkt->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(p->link_type));
@ -4834,8 +4740,8 @@ function rotate_file%(f: file%): rotate_info
info = zeek::make_intrusive<zeek::RecordVal>(rotate_info);
info->Assign(0, zeek::val_mgr->EmptyString());
info->Assign(1, zeek::val_mgr->EmptyString());
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(0.0));
info->Assign(3, zeek::make_intrusive<zeek::TimeVal>(0.0));
info->AssignTime(2, 0.0);
info->AssignTime(3, 0.0);
return info;
%}
@ -4877,8 +4783,8 @@ function rotate_file_by_name%(f: string%): rotate_info
// Record indicating error.
info->Assign(0, zeek::val_mgr->EmptyString());
info->Assign(1, zeek::val_mgr->EmptyString());
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(0.0));
info->Assign(3, zeek::make_intrusive<zeek::TimeVal>(0.0));
info->AssignTime(2, 0.0);
info->AssignTime(3, 0.0);
return info;
}
@ -4886,12 +4792,12 @@ function rotate_file_by_name%(f: string%): rotate_info
if ( is_pkt_dumper )
{
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(zeek::run_state::detail::pkt_dumper->OpenTime()));
info->AssignTime(2, zeek::run_state::detail::pkt_dumper->OpenTime());
zeek::run_state::detail::pkt_dumper->Open();
}
if ( is_addl_pkt_dumper )
info->Assign(2, zeek::make_intrusive<zeek::TimeVal>(addl_pkt_dumper->OpenTime()));
info->AssignTime(2, addl_pkt_dumper->OpenTime());
return info;
%}

10
testing/btest/Baseline/bifs.sort/out
View file

@ -3,12 +3,14 @@
[2, 3, 5, 8]
[-7.0 mins, 1.0 sec, 5.0 hrs, 2.0 days]
[-7.0 mins, 1.0 sec, 5.0 hrs, 2.0 days]
[T, F, F, T]
[T, F, F, T]
[F, F, T, T]
[F, F, T, T]
[57/tcp, 123/tcp, 7/udp, 500/udp, 12/icmp]
[57/tcp, 123/tcp, 7/udp, 500/udp, 12/icmp]
[3.03, 3.01, 3.02, 3.015]
[3.03, 3.01, 3.02, 3.015]
[12/icmp, 123/tcp, 500/udp, 7/udp, 57/tcp]
[12/icmp, 123/tcp, 500/udp, 7/udp, 57/tcp]
[3.01, 3.015, 3.02, 3.03]
[3.01, 3.015, 3.02, 3.03]
[192.168.123.200, 10.0.0.157, 192.168.0.3]
[192.168.123.200, 10.0.0.157, 192.168.0.3]
[10.0.0.157, 192.168.0.3, 192.168.123.200]

2
testing/btest/Baseline/language.record-index-complex-fields/output
View file

@ -11,7 +11,7 @@ b
}
}
{
[a=13, tags_v=[, , 2, 3], tags_t={
[a=13, tags_v=[0, 0, 2, 3], tags_t={
[four] = 4,
[five] = 5
}, tags_s={

44
testing/btest/Baseline/language.smith-waterman-test/output
View file

@ -1,33 +1,33 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
abcdefgh - ijklmnop:
AAAabcefghij - lmnopAAAqrst:
tok 1: AAA (0/5, T)
tok 0: AAA (0/5, T)
abcAAAefghij - lmnopAAAqrst:
tok 1: AAA (3/5, T)
tok 0: AAA (3/5, T)
abcefghijAAA - lmnopAAAqrst:
tok 1: AAA (9/5, T)
tok 0: AAA (9/5, T)
xxxAAAyyy - AAAaAAAbAAA:
tok 1: AAA (3/0, T)
tok 2: AAA (3/4, T)
tok 3: AAA (3/8, T)
tok 0: AAA (3/0, T)
tok 1: AAA (3/4, T)
tok 2: AAA (3/8, T)
AAAaAAAbAAA - xxxAAAyyy:
tok 1: AAA (0/3, T)
tok 2: AAA (4/3, T)
tok 3: AAA (8/3, T)
tok 0: AAA (0/3, T)
tok 1: AAA (4/3, T)
tok 2: AAA (8/3, T)
xxCDyABzCDyABzz - ABCD:
tok 1: CD (2/2, T)
tok 2: AB (5/0, T)
tok 3: CD (8/2, F)
tok 4: AB (11/0, T)
tok 0: CD (2/2, T)
tok 1: AB (5/0, T)
tok 2: CD (8/2, F)
tok 3: AB (11/0, T)
ABCD - xxCDyABzCDyABzz:
tok 1: CD (2/2, T)
tok 2: AB (0/5, T)
tok 3: CD (2/8, F)
tok 4: AB (0/11, T)
tok 0: CD (2/2, T)
tok 1: AB (0/5, T)
tok 2: CD (2/8, F)
tok 3: AB (0/11, T)
Cache-control: no-cache^M^JAccept: - Accept-: deflate^M^JAccept-: Accept-:
tok 1: Accept (27/0, T)
tok 2: e^M^JAccept (22/15, T)
tok 3: Accept (27/29, T)
tok 0: Accept (27/0, T)
tok 1: e^M^JAccept (22/15, T)
tok 2: Accept (27/29, T)
xxAAxxAAxx - yyyyyAAyyyyy:
tok 1: AA (2/5, T)
tok 2: AA (6/5, T)
tok 0: AA (2/5, T)
tok 1: AA (6/5, T)

2
testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log
View file

@ -1,2 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
{"b":true,"i":-42,"e":"SSH::LOG","c":21,"p":123,"sn":"10.0.0.0/24","a":"1.2.3.4","d":3.14,"t":XXXXXXXXXX.XXXXXX,"iv":100.0,"s":"hurz","sc":[4,2,3,1],"ss":["CC","BB","AA"],"se":[],"vc":[10,20,30],"ve":[],"vn":[0,null,2],"f":"SSH::foo\n{ \nif (0 < SSH::i) \n\treturn (Foo);\nelse\n\treturn (Bar);\n\n}"}
{"b":true,"i":-42,"e":"SSH::LOG","c":21,"p":123,"sn":"10.0.0.0/24","a":"1.2.3.4","d":3.14,"t":XXXXXXXXXX.XXXXXX,"iv":100.0,"s":"hurz","sc":[4,2,3,1],"ss":["CC","BB","AA"],"se":[],"vc":[10,20,30],"ve":[],"vn":[0,0,2],"f":"SSH::foo\n{ \nif (0 < SSH::i) \n\treturn (Foo);\nelse\n\treturn (Bar);\n\n}"}

2
testing/btest/Baseline/scripts.base.utils.json/output
View file

@ -29,7 +29,7 @@ XXXXXXXXXX.XXXXXX
["1.2.3.4"]
[[false,true]]
[{"s":"test"}]
[0,null,2]
[0,0,2]
[]
[2,1]
["1.2.3.4"]

18
testing/btest/bifs/sort.zeek
View file

@ -20,6 +20,16 @@ function myfunc2(a: double, b: double): int
return 1;
}
function myfunc3(a: bool, b: bool): int
{
if (a == b)
return 0;
else if (a)
return 1;
else
return -1;
}
event zeek_init()
{
# Tests without supplying a comparison function
@ -34,17 +44,23 @@ event zeek_init()
print a2;
print b2;
# this one is expected to fail (i.e., "sort" doesn't sort the vector)
local a3: vector of bool = vector( T, F, F, T );
local b3 = sort(a3);
print a3;
print b3;
local a3x: vector of bool = vector( T, F, F, T );
local b3x = sort(a3x, myfunc3);
print a3x;
print b3x;
# this one is expected to fail (i.e., "sort" doesn't sort the vector)
local a4: vector of port = vector( 12/icmp, 123/tcp, 500/udp, 7/udp, 57/tcp );
local b4 = sort(a4);
print a4;
print b4;
# this one is expected to fail (i.e., "sort" doesn't sort the vector)
local a5: vector of double = vector( 3.03, 3.01, 3.02, 3.015 );
local b5 = sort(a5);
print a5;

6
testing/btest/language/smith-waterman-test.zeek
View file

@ -12,7 +12,7 @@ global s1: string_vec;
global s2: string_vec;
# Single alignment, no matches:
s1[++c] = "abcdefgh";
s1[c] = "abcdefgh";
s2[c] = "ijklmnop";
min[c] = 2;;
mode[c] = 0;
@ -83,6 +83,6 @@ for ( i in s1 )
for ( j in ss )
print fmt("tok %d: %s (%d/%d, %s)",
j, ss[j]$str, ss[j]$aligns[1]$index,
ss[j]$aligns[2]$index, ss[j]$new);
j, ss[j]$str, ss[j]$aligns[0]$index,
ss[j]$aligns[1]$index, ss[j]$new);
}