Merge branch 'topic/bbannier/named-ctr'

* topic/bbannier/named-ctr:
  Prefer explicit construction to coercion in record initialization
This commit is contained in:
Christian Kreibich 2025-07-15 17:37:41 -07:00
commit fba319857b
141 changed files with 791 additions and 789 deletions


@ -1,3 +1,7 @@
8.0.0-dev.667 | 2025-07-15 17:37:41 -0700
* GH-4559: Prefer explicit construction to coercion in record initialization (Benjamin Bannier, Corelight)
8.0.0-dev.665 | 2025-07-15 17:36:31 -0700
* Add missing header to allow std::sort() on GCC 15.1 (Christian Kreibich, Corelight)


@ -1 +1 @@
8.0.0-dev.665
8.0.0-dev.667


@ -60,13 +60,13 @@ const pe_mime_types = { "application/x-dosexec" };
event zeek_init() &priority=5
{
Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe", $policy=log_policy]);
Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_pe, $path="pe", $policy=log_policy));
}
hook set_file(f: fa_file) &priority=5
{
if ( ! f?$pe )
f$pe = [$ts=f$info$ts, $id=f$id];
f$pe = PE::Info($ts=f$info$ts, $id=f$id);
}
event pe_dos_header(f: fa_file, h: PE::DOSHeader) &priority=5


@ -40,7 +40,7 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy]);
Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_ocsp, $path="ocsp", $policy=log_policy));
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
}


@ -117,7 +117,7 @@ redef record Files::Info += {
event zeek_init() &priority=5
{
Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509", $policy=log_policy]);
Log::create_stream(X509::LOG, Log::Stream($columns=Info, $ev=log_x509, $path="x509", $policy=log_policy));
# We use MIME types internally to distinguish between user and CA certificates.
# The first certificate in a connection always gets tagged as user-cert, all
@ -167,7 +167,7 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
{
local der_cert = x509_get_certificate_string(cert_ref);
local fp = hash_function(der_cert);
f$info$x509 = [$ts=f$info$ts, $fingerprint=fp, $certificate=cert, $handle=cert_ref];
f$info$x509 = X509::Info($ts=f$info$ts, $fingerprint=fp, $certificate=cert, $handle=cert_ref);
if ( f$info$mime_type == "application/x-x509-user-cert" )
f$info$x509$host_cert = T;
if ( f$is_orig )


@ -46,7 +46,7 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(LOG, [$columns=Info, $path="analyzer", $ev=log_analyzer, $policy=log_policy]);
Log::create_stream(LOG, Log::Stream($columns=Info, $path="analyzer", $ev=log_analyzer, $policy=log_policy));
}
function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)


@ -47,17 +47,17 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(Broker::LOG, [$columns=Info, $path="broker", $policy=log_policy]);
Log::create_stream(Broker::LOG, Log::Stream($columns=Info, $path="broker", $policy=log_policy));
}
function log_status(ev: string, endpoint: EndpointInfo, msg: string)
{
local r: Info;
r = [$ts = network_time(),
$ev = ev,
$ty = STATUS,
$message = msg];
r = Broker::Info($ts = network_time(),
$ev = ev,
$ty = STATUS,
$message = msg);
if ( endpoint?$network )
r$peer = endpoint$network;
@ -87,10 +87,10 @@ event Broker::error(code: ErrorCode, msg: string)
ev = subst_string(ev, "_", "-");
ev = to_lower(ev);
Log::write(Broker::LOG, [$ts = network_time(),
Log::write(Broker::LOG, Info($ts = network_time(),
$ev = ev,
$ty = ERROR,
$message = msg]);
$message = msg));
Reporter::error(fmt("Broker error (%s): %s", code, msg));
}
@ -115,8 +115,8 @@ event Broker::internal_log_event(lvl: LogSeverityLevel, id: string, description:
severity = Broker::DEBUG_EVENT;
break;
}
Log::write(Broker::LOG, [$ts = network_time(),
Log::write(Broker::LOG, Info($ts = network_time(),
$ty = severity,
$ev = id,
$message = description]);
$message = description));
}
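Review bot: The record type is spelled inconsistently within this one file: `log_status` now builds `r = Broker::Info($ts = network_time(),` while the two `Log::write` calls in `Broker::error` and `Broker::internal_log_event` use bare `Info(...)`. All three sit in module Broker, so both spellings presumably resolve to the same type, but a reader comparing them has to stop and check whether two different records are involved. The unqualified form is what the other modules in this commit use, so `r = Info($ts = network_time(),` in `log_status` would bring the file in line. `log_status` and both event handlers continue outside the hunks shown.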


@ -5,13 +5,13 @@
module Cluster;
global broker_backpressure_disconnects_cf = Telemetry::register_counter_family([
global broker_backpressure_disconnects_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="broker-backpressure-disconnects",
$unit="",
$label_names=vector("peer"),
$help_text="Number of Broker peerings dropped due to a neighbor falling behind in message I/O",
]);
));
event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string)
{


@ -7,13 +7,13 @@ module Cluster;
## This gauge tracks the current number of locally queued messages in each
## Broker peering's send buffer. The "peer" label identifies the remote side of
## the peering, containing a Zeek cluster node name.
global broker_peer_buffer_messages_gf = Telemetry::register_gauge_family([
global broker_peer_buffer_messages_gf = Telemetry::register_gauge_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="broker-peer-buffer-messages",
$unit="",
$label_names=vector("peer"),
$help_text="Number of messages queued in Broker's send buffers",
]);
));
## This gauge tracks recent maximum queue lengths for each Broker peering's send
## buffer. Most of the time the send buffers are nearly empty, so this gauge
@ -23,26 +23,26 @@ global broker_peer_buffer_messages_gf = Telemetry::register_gauge_family([
## observed message. That is, Zeek keeps a timestamp of when the window started,
## and once it notices that the interval has passed, it moves the start of the
## window to current time.
global broker_peer_buffer_recent_max_messages_gf = Telemetry::register_gauge_family([
global broker_peer_buffer_recent_max_messages_gf = Telemetry::register_gauge_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="broker-peer-buffer-recent-max-messages",
$unit="",
$label_names=vector("peer"),
$help_text="Maximum number of messages recently queued in Broker's send buffers",
]);
));
## This counter tracks for each Broker peering the number of times its send
## buffer has overflowed. For the "disconnect" policy this can at most be 1,
## since Broker stops the peering at this time. For the "drop_oldest" and
## "drop_newest" policies (see :zeek:see:`Broker:peer_overflow_policy`) the count
## instead reflects the number of messages lost.
global broker_peer_buffer_overflows_cf = Telemetry::register_counter_family([
global broker_peer_buffer_overflows_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="broker-peer-buffer-overflows",
$unit="",
$label_names=vector("peer"),
$help_text="Number of overflows in Broker's send buffers",
]);
));
# A helper to track overflow counts over past peerings as well as the current


@ -492,7 +492,7 @@ function nodeid_to_node(id: string): NamedNode
return NamedNode($name=name, $node=n);
}
return NamedNode($name="", $node=[$node_type=NONE, $ip=0.0.0.0]);
return NamedNode($name="", $node=Node($node_type=NONE, $ip=0.0.0.0));
}
event Cluster::hello(name: string, id: string) &priority=10
@ -572,7 +572,7 @@ event zeek_init() &priority=5
terminate();
}
Log::create_stream(Cluster::LOG, [$columns=Info, $path="cluster", $policy=log_policy]);
Log::create_stream(Cluster::LOG, Log::Stream($columns=Info, $path="cluster", $policy=log_policy));
}
function create_store(name: string, persistent: bool &default=F): Cluster::StoreInfo
@ -654,7 +654,7 @@ function create_store(name: string, persistent: bool &default=F): Cluster::Store
function log(msg: string)
{
Log::write(Cluster::LOG, [$ts = network_time(), $node = node, $message = msg]);
Log::write(Cluster::LOG, Info($ts = network_time(), $node = node, $message = msg));
}
function init(): bool


@ -42,7 +42,7 @@ function __init_cluster_nodes(): bool
if ( endp$role in rolemap )
typ = rolemap[endp$role];
cnode = [$node_type=typ, $ip=endp$host, $p=endp$p];
cnode = Cluster::Node($node_type=typ, $ip=endp$host, $p=endp$p);
if ( |manager_name| > 0 && cnode$node_type != Cluster::MANAGER )
cnode$manager = manager_name;
if ( endp?$metrics_port )


@ -40,14 +40,14 @@ event zeek_init() &priority=5
return;
for ( fi in config_files )
Input::add_table([$reader=Input::READER_CONFIG,
Input::add_table(Input::TableDescription($reader=Input::READER_CONFIG,
$mode=Input::REREAD,
$source=fi,
$name=cat("config-", fi),
$idx=ConfigItem,
$val=ConfigItem,
$want_record=F,
$destination=current_config]);
$destination=current_config));
}
event InputConfig::new_value(name: string, source: string, id: string, value: any)
@ -67,11 +67,11 @@ function read_config(filename: string)
local iname = cat("config-oneshot-", filename);
Input::add_event([$reader=Input::READER_CONFIG,
Input::add_event(Input::EventDescription($reader=Input::READER_CONFIG,
$mode=Input::MANUAL,
$source=filename,
$name=iname,
$fields=EventFields,
$ev=config_line]);
$ev=config_line));
Input::remove(iname);
}


@ -153,7 +153,7 @@ function config_option_changed(ID: string, new_value: any, location: string): an
event zeek_init() &priority=10
{
Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config", $policy=log_policy]);
Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_config, $path="config", $policy=log_policy));
# Limit logging to the manager - everyone else just feeds off it.
@if ( !Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER )


@ -341,7 +341,7 @@ global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: A
event zeek_init() &priority=5
{
Log::create_stream(Files::LOG, [$columns=Info, $ev=log_files, $path="files", $policy=log_policy]);
Log::create_stream(Files::LOG, Log::Stream($columns=Info, $ev=log_files, $path="files", $policy=log_policy));
}
function set_info(f: fa_file)


@ -68,13 +68,13 @@ event zeek_init() &priority=5
if ( |path_prefix| > 0 && sub_bytes(a_file, 0, 1) != "/" )
source = cat(rstrip(path_prefix, "/"), "/", a_file);
Input::add_event([$source=source,
$reader=Input::READER_ASCII,
$mode=Input::REREAD,
$name=cat("intel-", a_file),
$fields=Intel::Item,
$ev=Intel::read_entry,
$error_ev=Intel::read_error]);
Input::add_event(Input::EventDescription($source=source,
$reader=Input::READER_ASCII,
$mode=Input::REREAD,
$name=cat("intel-", a_file),
$fields=Intel::Item,
$ev=Intel::read_entry,
$error_ev=Intel::read_error));
}
}
}


@ -280,7 +280,7 @@ global min_data_store: MinDataStore &redef;
event zeek_init() &priority=5
{
Log::create_stream(LOG, [$columns=Info, $ev=log_intel, $path="intel", $policy=log_policy]);
Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_intel, $path="intel", $policy=log_policy));
}
# Function that abstracts expiration of different types.
@ -289,7 +289,7 @@ function expire_item(indicator: string, indicator_type: Type, metas: set[MetaDat
if ( hook item_expired(indicator, indicator_type, metas) )
return item_expiration;
else
remove([$indicator=indicator, $indicator_type=indicator_type, $meta=[$source=""]], T);
remove(Item($indicator=indicator, $indicator_type=indicator_type, $meta=MetaData($source="")), T);
return 0 sec;
}


@ -425,7 +425,7 @@ export {
};
## Sentinel value for indicating that a filter was not found when looked up.
const no_filter: Filter = [$name="<not found>"];
const no_filter = Filter($name="<not found>");
## Creates a new logging stream with the default filter.
##
@ -997,7 +997,7 @@ function flush(id: ID): bool
function add_default_filter(id: ID) : bool
{
return add_filter(id, [$name="default"]);
return add_filter(id, Filter($name="default"));
}
function remove_default_filter(id: ID) : bool
@ -1008,7 +1008,7 @@ function remove_default_filter(id: ID) : bool
event zeek_init() &priority=5
{
if ( print_to_log != REDIRECT_NONE )
Log::create_stream(PRINTLOG, [$columns=PrintLogInfo, $ev=log_print, $path=print_log_path]);
Log::create_stream(PRINTLOG, Log::Stream($columns=PrintLogInfo, $ev=log_print, $path=print_log_path));
}
function empty_post_delay_cb(rec: any, id: ID): bool {


@ -7,9 +7,9 @@
##! names is printed out as meta information, with no "# fields" prepended; no
##! other meta data gets included in that mode. Example filter using this::
##!
##! local f: Log::Filter = [$name = "my-filter",
##! $writer = Log::WRITER_ASCII,
##! $config = table(["tsv"] = "T")];
##! local f = Log::Filter($name = "my-filter",
##! $writer = Log::WRITER_ASCII,
##! $config = table(["tsv"] = "T"));
##!
module LogAscii;


@ -59,13 +59,13 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(NetControl::DROP_LOG, [$columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop", $policy=log_policy_drop]);
Log::create_stream(NetControl::DROP_LOG, Log::Stream($columns=DropInfo, $ev=log_netcontrol_drop, $path="netcontrol_drop", $policy=log_policy_drop));
}
function drop_connection(c: conn_id, t: interval, location: string &default="") : string
{
local e: Entity = [$ty=CONNECTION, $conn=c];
local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];
local e = Entity($ty=CONNECTION, $conn=c);
local r = Rule($ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location);
if ( ! hook NetControl::drop_rule_policy(r) )
return "";
@ -88,8 +88,8 @@ function drop_connection(c: conn_id, t: interval, location: string &default="")
function drop_address(a: addr, t: interval, location: string &default="") : string
{
local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
local r: Rule = [$ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location];
local e = Entity($ty=ADDRESS, $ip=addr_to_subnet(a));
local r = Rule($ty=DROP, $target=FORWARD, $entity=e, $expire=t, $location=location);
if ( ! hook NetControl::drop_rule_policy(r) )
return "";


@ -383,7 +383,7 @@ global rule_entities: table[Entity, RuleType] of Rule;
event zeek_init() &priority=5
{
Log::create_stream(NetControl::LOG, [$columns=Info, $ev=log_netcontrol, $path="netcontrol", $policy=log_policy]);
Log::create_stream(NetControl::LOG, Log::Stream($columns=Info, $ev=log_netcontrol, $path="netcontrol", $policy=log_policy));
}
function entity_to_info(info: Info, e: Entity)
@ -489,22 +489,22 @@ function rule_to_info(info: Info, r: Rule)
function log_msg(msg: string, p: PluginState)
{
Log::write(LOG, [$ts=network_time(), $category=MESSAGE, $msg=msg, $plugin=p$plugin$name(p)]);
Log::write(LOG, Info($ts=network_time(), $category=MESSAGE, $msg=msg, $plugin=p$plugin$name(p)));
}
function log_error(msg: string, p: PluginState)
{
Log::write(LOG, [$ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)]);
Log::write(LOG, Info($ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)));
}
function log_msg_no_plugin(msg: string)
{
Log::write(LOG, [$ts=network_time(), $category=MESSAGE, $msg=msg]);
Log::write(LOG, Info($ts=network_time(), $category=MESSAGE, $msg=msg));
}
function log_rule(r: Rule, cmd: string, state: InfoState, p: PluginState, msg: string &default="")
{
local info: Info = [$ts=network_time()];
local info = Info($ts=network_time());
info$category = RULE;
info$cmd = cmd;
info$state = state;
@ -519,14 +519,14 @@ function log_rule(r: Rule, cmd: string, state: InfoState, p: PluginState, msg: s
function log_rule_error(r: Rule, msg: string, p: PluginState)
{
local info: Info = [$ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p)];
local info = Info($ts=network_time(), $category=ERROR, $msg=msg, $plugin=p$plugin$name(p));
rule_to_info(info, r);
Log::write(LOG, info);
}
function log_rule_no_plugin(r: Rule, state: InfoState, msg: string)
{
local info: Info = [$ts=network_time()];
local info = Info($ts=network_time());
info$category = RULE;
info$state = state;
info$msg = msg;
@ -538,16 +538,16 @@ function log_rule_no_plugin(r: Rule, state: InfoState, msg: string)
function whitelist_address(a: addr, t: interval, location: string &default="") : string
{
local e: Entity = [$ty=ADDRESS, $ip=addr_to_subnet(a)];
local r: Rule = [$ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location];
local e = Entity($ty=ADDRESS, $ip=addr_to_subnet(a));
local r = Rule($ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location);
return add_rule(r);
}
function whitelist_subnet(s: subnet, t: interval, location: string &default="") : string
{
local e: Entity = [$ty=ADDRESS, $ip=s];
local r: Rule = [$ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location];
local e = Entity($ty=ADDRESS, $ip=s);
local r = Rule($ty=WHITELIST, $priority=whitelist_priority, $target=FORWARD, $entity=e, $expire=t, $location=location);
return add_rule(r);
}
@ -561,8 +561,8 @@ function redirect_flow(f: flow_id, out_port: count, t: interval, location: strin
$dst_h=addr_to_subnet(f$dst_h),
$dst_p=f$dst_p
);
local e: Entity = [$ty=FLOW, $flow=flow];
local r: Rule = [$ty=REDIRECT, $target=FORWARD, $entity=e, $expire=t, $location=location, $out_port=out_port];
local e = Entity($ty=FLOW, $flow=flow);
local r = Rule($ty=REDIRECT, $target=FORWARD, $entity=e, $expire=t, $location=location, $out_port=out_port);
return add_rule(r);
}
@ -570,19 +570,19 @@ function redirect_flow(f: flow_id, out_port: count, t: interval, location: strin
function quarantine_host(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string
{
local orules: vector of string = vector();
local edrop: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected))];
local rdrop: Rule = [$ty=DROP, $target=FORWARD, $entity=edrop, $expire=t, $location=location];
local edrop = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected)));
local rdrop = Rule($ty=DROP, $target=FORWARD, $entity=edrop, $expire=t, $location=location);
orules += add_rule(rdrop);
local todnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(dns), $dst_p=53/udp)];
local todnse = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(dns), $dst_p=53/udp));
local todnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=todnse, $expire=t, $location=location, $mod=FlowMod($dst_h=quarantine), $priority=+5);
orules += add_rule(todnsr);
local fromdnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(dns), $src_p=53/udp, $dst_h=addr_to_subnet(infected))];
local fromdnse = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(dns), $src_p=53/udp, $dst_h=addr_to_subnet(infected)));
local fromdnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=fromdnse, $expire=t, $location=location, $mod=FlowMod($src_h=dns), $priority=+5);
orules += add_rule(fromdnsr);
local wle: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(quarantine), $dst_p=80/tcp)];
local wle = Entity($ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(quarantine), $dst_p=80/tcp));
local wlr = Rule($ty=WHITELIST, $target=FORWARD, $entity=wle, $expire=t, $location=location, $priority=+5);
orules += add_rule(wlr);


@ -303,7 +303,7 @@ function create_acld(config: AcldConfig) : PluginState
add netcontrol_acld_topics[config$acld_topic];
local host = cat(config$acld_host);
local p: PluginState = [$acld_config=config, $plugin=acld_plugin, $acld_id=netcontrol_acld_current_id];
local p = PluginState($acld_config=config, $plugin=acld_plugin, $acld_id=netcontrol_acld_current_id);
if ( [config$acld_port, host] in netcontrol_acld_peers )
Reporter::warning(fmt("Peer %s:%s was added to NetControl acld plugin twice.", host, config$acld_port));


@ -117,7 +117,7 @@ global debug_plugin = Plugin(
function create_debug(do_something: bool, name: string) : PluginState
{
local p: PluginState = [$plugin=debug_plugin];
local p = PluginState($plugin=debug_plugin);
# FIXME: Why's the default not working?
p$config = table();
@ -132,7 +132,7 @@ function create_debug(do_something: bool, name: string) : PluginState
function create_debug_error(name: string) : PluginState
{
local p: PluginState = copy([$plugin=debug_plugin]);
local p = copy(PluginState($plugin=debug_plugin));
p$config["name"] = name;
p$config["all"] = "1";
p$plugin$add_rule = debug_add_rule_error;
@ -141,7 +141,7 @@ function create_debug_error(name: string) : PluginState
function create_debug_exists(name: string) : PluginState
{
local p: PluginState = copy([$plugin=debug_plugin]);
local p = copy(PluginState($plugin=debug_plugin));
p$config["name"] = name;
p$config["all"] = "1";
p$plugin$add_rule = debug_add_rule_exists;
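Review bot: The `copy(PluginState($plugin=debug_plugin))` lines in `create_debug_error` and `create_debug_exists` now read as copying a value that was constructed on the same line, which looks redundant until one reaches `p$plugin$add_rule = debug_add_rule_error;` a few lines below. Presumably the `$plugin` field aliases the module-level `debug_plugin` record and the deep copy is what keeps that later assignment from altering the shared plugin; `create_debug`, which only touches `p$config`, gets no copy. Without a comment the next cleanup pass is likely to drop the `copy()` as leftover coercion noise, so I would add at each site: `# copy() so that overriding $plugin$add_rule below does not modify the shared debug_plugin record.` All three functions continue outside the hunks shown.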


@ -447,7 +447,7 @@ global openflow_plugin = Plugin(
function create_openflow(controller: OpenFlow::Controller, config: OfConfig &default=[]) : PluginState
{
local p: PluginState = [$plugin=openflow_plugin, $of_controller=controller, $of_config=config];
local p = PluginState($plugin=openflow_plugin, $of_controller=controller, $of_config=config);
return p;
}
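Review bot: The signature of `create_openflow` still carries `config: OfConfig &default=[]`, which is the same record coercion the rest of this commit replaces, so the function now constructs `PluginState(...)` explicitly while its own default argument does not. If `OfConfig` can be built with no arguments (the fact that `[]` coerces today suggests every field has a default or is optional), `config: OfConfig &default=OfConfig()` would make this file consistent with the new style. That line is context rather than part of the change, so it may simply be out of scope here.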


@ -106,7 +106,7 @@ global packetfilter_plugin = Plugin(
function create_packetfilter() : PluginState
{
local p: PluginState = [$plugin=packetfilter_plugin];
local p = PluginState($plugin=packetfilter_plugin);
return p;
}


@ -40,7 +40,7 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(NetControl::SHUNT, [$columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt", $policy=log_policy_shunt]);
Log::create_stream(NetControl::SHUNT, Log::Stream($columns=ShuntInfo, $ev=log_netcontrol_shunt, $path="netcontrol_shunt", $policy=log_policy_shunt));
}
function shunt_flow(f: flow_id, t: interval, location: string &default="") : string
@ -51,8 +51,8 @@ function shunt_flow(f: flow_id, t: interval, location: string &default="") : str
$dst_h=addr_to_subnet(f$dst_h),
$dst_p=f$dst_p
);
local e: Entity = [$ty=FLOW, $flow=flow];
local r: Rule = [$ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location];
local e = Entity($ty=FLOW, $flow=flow);
local r = Rule($ty=DROP, $target=MONITOR, $entity=e, $expire=t, $location=location);
local id = add_rule(r);


@ -102,9 +102,9 @@ event zeek_init()
# This replaces the standard non-pretty-printing filter.
Log::add_filter(Notice::ALARM_LOG,
[$name="alarm-mail", $writer=Log::WRITER_NONE,
$interv=Log::default_mail_alarms_interval,
$postprocessor=pp_postprocessor]);
Log::Filter($name="alarm-mail", $writer=Log::WRITER_NONE,
$interv=Log::default_mail_alarms_interval,
$postprocessor=pp_postprocessor));
}
hook notice(n: Notice::Info) &priority=-5


@ -381,16 +381,16 @@ function log_mailing_postprocessor(info: Log::RotationInfo): bool
event zeek_init() &priority=5
{
Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice", $policy=log_policy]);
Log::create_stream(Notice::LOG, Log::Stream($columns=Info, $ev=log_notice, $path="notice", $policy=log_policy));
Log::create_stream(Notice::ALARM_LOG, [$columns=Notice::Info, $path="notice_alarm", $policy=log_policy_alarm]);
Log::create_stream(Notice::ALARM_LOG, Log::Stream($columns=Notice::Info, $path="notice_alarm", $policy=log_policy_alarm));
# If Zeek is configured for mailing notices, set up mailing for alarms.
# Make sure that this alarm log is also output as text so that it can
# be packaged up and emailed later.
if ( ! reading_traces() && mail_dest != "" )
Log::add_filter(Notice::ALARM_LOG,
[$name="alarm-mail", $path="alarm-mail", $writer=Log::WRITER_ASCII,
$interv=24hrs, $postprocessor=log_mailing_postprocessor]);
Log::Filter($name="alarm-mail", $path="alarm-mail", $writer=Log::WRITER_ASCII,
$interv=24hrs, $postprocessor=log_mailing_postprocessor));
}
function email_headers(subject_desc: string, dest: string): string


@ -318,7 +318,7 @@ const notice_actions = {
event zeek_init() &priority=5
{
Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird, $path="weird", $policy=log_policy]);
Log::create_stream(Weird::LOG, Log::Stream($columns=Info, $ev=log_weird, $path="weird", $policy=log_policy));
}
function flow_id_string(src: addr, dst: addr): string


@ -50,12 +50,12 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(OpenFlow::LOG, [$columns=Info, $ev=log_openflow, $path="openflow", $policy=log_policy]);
Log::create_stream(OpenFlow::LOG, Log::Stream($columns=Info, $ev=log_openflow, $path="openflow", $policy=log_policy));
}
function log_flow_mod(state: ControllerState, match: ofp_match, flow_mod: OpenFlow::ofp_flow_mod): bool
{
Log::write(OpenFlow::LOG, [$ts=network_time(), $dpid=state$log_dpid, $match=match, $flow_mod=flow_mod]);
Log::write(LOG, Info($ts=network_time(), $dpid=state$log_dpid, $match=match, $flow_mod=flow_mod));
if ( state$log_success_event )
event OpenFlow::flow_mod_success(state$_name, match, flow_mod);
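Review bot: The rewritten `Log::write` in `log_flow_mod` names the stream as bare `LOG`, whereas the line it replaces and the `Log::create_stream` call a few lines above both use `OpenFlow::LOG`; dropping the qualifier is unrelated to the constructor change and makes the two call sites read as if they referred to different streams. Inside module OpenFlow both presumably resolve to the same value, so this is style only, but keeping `Log::write(OpenFlow::LOG, Info($ts=network_time(), $dpid=state$log_dpid, $match=match, $flow_mod=flow_mod));` would limit the hunk to the change it advertises. `log_flow_mod` continues past the hunk.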


@ -175,7 +175,7 @@ event filter_change_tracking()
event zeek_init() &priority=5
{
Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter", $policy=log_policy]);
Log::create_stream(PacketFilter::LOG, Log::Stream($columns=Info, $path="packet_filter", $policy=log_policy));
# Preverify the capture and restrict filters to give more granular failure messages.
for ( id, cf in capture_filters )
@ -303,9 +303,9 @@ function install(): bool
local error_string : string;
if ( state == Pcap::fatal )
{
NOTICE([$note=Compile_Failure,
$msg=fmt("Compiling packet filter failed"),
$sub=tmp_filter]);
NOTICE(Notice::Info($note=Compile_Failure,
$msg=fmt("Compiling packet filter failed"),
$sub=tmp_filter));
error_string = fmt("Bad pcap filter '%s': %s", tmp_filter,
Pcap::get_filter_state_string(DefaultPcapFilter));
@ -326,8 +326,8 @@ function install(): bool
}
local diff = current_time()-ts;
if ( diff > max_filter_compile_time )
NOTICE([$note=Too_Long_To_Compile_Filter,
$msg=fmt("A BPF filter is taking longer than %0.1f seconds to compile", diff)]);
NOTICE(Notice::Info($note=Too_Long_To_Compile_Filter,
$msg=fmt("A BPF filter is taking longer than %0.1f seconds to compile", diff)));
# Set it to the current filter if it passed precompiling
current_filter = tmp_filter;
@ -350,9 +350,9 @@ function install(): bool
info$success = F;
info$failure_reason = Pcap::get_filter_state_string(DefaultPcapFilter);
NOTICE([$note=Install_Failure,
$msg=fmt("Installing packet filter failed"),
$sub=current_filter]);
NOTICE(Notice::Info($note=Install_Failure,
$msg=fmt("Installing packet filter failed"),
$sub=current_filter));
}
if ( reading_live_traffic() || reading_traces() )


@ -24,10 +24,10 @@ event net_stats_update(last_stat: NetStats)
{
local new_recvd = ns$pkts_recvd - last_stat$pkts_recvd;
local new_link = ns$pkts_link - last_stat$pkts_link;
NOTICE([$note=Dropped_Packets,
$msg=fmt("%d packets dropped after filtering, %d received%s",
new_dropped, new_recvd + new_dropped,
new_link != 0 ? fmt(", %d on link", new_link) : "")]);
NOTICE(Notice::Info($note=Dropped_Packets,
$msg=fmt("%d packets dropped after filtering, %d received%s",
new_dropped, new_recvd + new_dropped,
new_link != 0 ? fmt(", %d on link", new_link) : "")));
}
schedule stats_collection_interval { net_stats_update(ns) };


@ -40,20 +40,20 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(Reporter::LOG, [$columns=Info, $path="reporter", $policy=log_policy]);
Log::create_stream(Reporter::LOG, Log::Stream($columns=Info, $path="reporter", $policy=log_policy));
}
event reporter_info(t: time, msg: string, location: string) &priority=-5
{
Log::write(Reporter::LOG, [$ts=t, $level=INFO, $message=msg, $location=location]);
Log::write(Reporter::LOG, Info($ts=t, $level=INFO, $message=msg, $location=location));
}
event reporter_warning(t: time, msg: string, location: string) &priority=-5
{
Log::write(Reporter::LOG, [$ts=t, $level=WARNING, $message=msg, $location=location]);
Log::write(Reporter::LOG, Info($ts=t, $level=WARNING, $message=msg, $location=location));
}
event reporter_error(t: time, msg: string, location: string) &priority=-5
{
Log::write(Reporter::LOG, [$ts=t, $level=ERROR, $message=msg, $location=location]);
Log::write(Reporter::LOG, Info($ts=t, $level=ERROR, $message=msg, $location=location));
}


@ -145,14 +145,14 @@ global did_sig_log: set[string] &read_expire = 1 hr;
event zeek_init() &priority=5
{
Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures", $policy=log_policy]);
Log::create_stream(Signatures::LOG, Log::Stream($columns=Info, $ev=log_signature, $path="signatures", $policy=log_policy));
}
event sig_summary(orig: addr, id: string, msg: string)
{
NOTICE([$note=Signature_Summary, $src=orig,
$msg=fmt("%s: %s", orig, msg),
$n=count_per_orig[orig,id] ]);
NOTICE(Notice::Info($note=Signature_Summary, $src=orig,
$msg=fmt("%s: %s", orig, msg),
$n=count_per_orig[orig,id]));
}
event signature_match(state: signature_state, msg: string, data: string)
@ -189,16 +189,16 @@ event signature_match(state: signature_state, msg: string, data: string)
if ( action != SIG_QUIET && action != SIG_COUNT_PER_RESP )
{
local info: Info = [$ts=network_time(),
$note=Sensitive_Signature,
$uid=state$conn$uid,
$src_addr=src_addr,
$src_port=src_port,
$dst_addr=dst_addr,
$dst_port=dst_port,
$event_msg=fmt("%s: %s", src_addr, msg),
$sig_id=sig_id,
$sub_msg=data];
local info = Info($ts=network_time(),
$note=Sensitive_Signature,
$uid=state$conn$uid,
$src_addr=src_addr,
$src_port=src_port,
$dst_addr=dst_addr,
$dst_port=dst_port,
$event_msg=fmt("%s: %s", src_addr, msg),
$sig_id=sig_id,
$sub_msg=data);
Log::write(Signatures::LOG, info);
}
@ -211,12 +211,12 @@ event signature_match(state: signature_state, msg: string, data: string)
local dst = state$conn$id$resp_h;
if ( ++count_per_resp[dst,sig_id] in count_thresholds )
{
NOTICE([$note=Count_Signature, $conn=state$conn,
$msg=msg,
$n=count_per_resp[dst,sig_id],
$sub=fmt("%d matches of signature %s on host %s",
count_per_resp[dst,sig_id],
sig_id, dst)]);
NOTICE(Notice::Info($note=Count_Signature, $conn=state$conn,
$msg=msg,
$n=count_per_resp[dst,sig_id],
$sub=fmt("%d matches of signature %s on host %s",
count_per_resp[dst,sig_id],
sig_id, dst)));
}
}
@ -241,10 +241,10 @@ event signature_match(state: signature_state, msg: string, data: string)
}
if ( notice )
NOTICE([$note=Sensitive_Signature,
$conn=state$conn, $src=src_addr,
$dst=dst_addr, $msg=fmt("%s: %s", src_addr, msg),
$sub=data]);
NOTICE(Notice::Info($note=Sensitive_Signature,
$conn=state$conn, $src=src_addr,
$dst=dst_addr, $msg=fmt("%s: %s", src_addr, msg),
$sub=data));
if ( action == SIG_FILE_BUT_NO_SCAN || action == SIG_SUMMARY )
return;
@ -273,12 +273,12 @@ event signature_match(state: signature_state, msg: string, data: string)
orig, sig_id, hcount);
Log::write(Signatures::LOG,
[$ts=network_time(), $note=Multiple_Sig_Responders,
$src_addr=orig, $sig_id=sig_id, $event_msg=msg,
$host_count=hcount, $sub_msg=horz_scan_msg]);
Info($ts=network_time(), $note=Multiple_Sig_Responders,
$src_addr=orig, $sig_id=sig_id, $event_msg=msg,
$host_count=hcount, $sub_msg=horz_scan_msg));
NOTICE([$note=Multiple_Sig_Responders, $src=orig,
$msg=msg, $n=hcount, $sub=horz_scan_msg]);
NOTICE(Notice::Info($note=Multiple_Sig_Responders, $src=orig,
$msg=msg, $n=hcount, $sub=horz_scan_msg));
last_hthresh[orig] = hcount;
}
@ -290,16 +290,16 @@ event signature_match(state: signature_state, msg: string, data: string)
orig, vcount, resp);
Log::write(Signatures::LOG,
[$ts=network_time(),
$note=Multiple_Signatures,
$src_addr=orig,
$dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
$event_msg=fmt("%s different signatures triggered", vcount),
$sub_msg=vert_scan_msg]);
Info($ts=network_time(),
$note=Multiple_Signatures,
$src_addr=orig,
$dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
$event_msg=fmt("%s different signatures triggered", vcount),
$sub_msg=vert_scan_msg));
NOTICE([$note=Multiple_Signatures, $src=orig, $dst=resp,
$msg=fmt("%s different signatures triggered", vcount),
$n=vcount, $sub=vert_scan_msg]);
NOTICE(Notice::Info($note=Multiple_Signatures, $src=orig, $dst=resp,
$msg=fmt("%s different signatures triggered", vcount),
$n=vcount, $sub=vert_scan_msg));
last_vthresh[orig] = vcount;
}


@ -126,7 +126,7 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software", $policy=log_policy]);
Log::create_stream(Software::LOG, Log::Stream($columns=Info, $ev=log_software, $path="software", $policy=log_policy));
}
type Description: record {
@ -163,7 +163,7 @@ function parse(unparsed_version: string): Description
else
v = Version($major=extract_count(vs));
return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
return Description($version=v, $unparsed_version=unparsed_version, $name=software_name);
}
}
else
@ -236,7 +236,7 @@ function parse(unparsed_version: string): Description
}
}
return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]];
return Description($version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]);
}
global parse_cache: table[string] of Description &read_expire=65secs;
@ -269,13 +269,13 @@ function parse_mozilla(unparsed_version: string): Description
{
software_name = "MSIE";
if ( /Trident\/4\.0/ in unparsed_version )
v = [$major=8,$minor=0];
v = Version($major=8,$minor=0);
else if ( /Trident\/5\.0/ in unparsed_version )
v = [$major=9,$minor=0];
v = Version($major=9,$minor=0);
else if ( /Trident\/6\.0/ in unparsed_version )
v = [$major=10,$minor=0];
v = Version($major=10,$minor=0);
else if ( /Trident\/7\.0/ in unparsed_version )
v = [$major=11,$minor=0];
v = Version($major=11,$minor=0);
else
{
parts = split_string_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/);
@ -373,7 +373,7 @@ function parse_mozilla(unparsed_version: string): Description
v = parse(parts[1])$version;
}
return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
return Description($version=v, $unparsed_version=unparsed_version, $name=software_name);
}


@ -8,8 +8,8 @@ export {
event max_file_depth_exceeded(f: fa_file, args: Files::AnalyzerArgs, limit: count)
{
NOTICE([
$note=Spicy::Spicy_Max_File_Depth_Exceeded,
$msg=fmt("Maximum file depth exceeded for file %s", f$id)
]);
NOTICE(Notice::Info(
$note=Spicy::Spicy_Max_File_Depth_Exceeded,
$msg=fmt("Maximum file depth exceeded for file %s", f$id)
));
}


@ -312,7 +312,7 @@ event zeek_init() &priority=100000
function init_resultval(r: Reducer): ResultVal
{
local rv: ResultVal = [$begin=network_time(), $end=network_time()];
local rv = ResultVal($begin=network_time(), $end=network_time());
hook init_resultval_hook(r, rv);
return rv;
}


@ -54,7 +54,7 @@ hook register_observe_plugins()
if ( r$num_last_elements > 0 )
{
if ( ! rv?$last_elements )
rv$last_elements = Queue::init([$max_len=r$num_last_elements]);
rv$last_elements = Queue::init(Queue::Settings($max_len=r$num_last_elements));
Queue::put(rv$last_elements, obs);
}
});


@ -296,12 +296,12 @@ function register_counter_family(opts: MetricOpts): CounterFamily
}
# Fallback Counter returned when there are issues with the labels.
global error_counter_cf = register_counter_family([
global error_counter_cf = register_counter_family(MetricOpts(
$prefix="zeek",
$name="telemetry_counter_usage_error",
$unit="",
$help_text="This counter is returned when label usage for counters is wrong. Check reporter.log if non-zero."
]);
));
function counter_with(cf: CounterFamily, label_values: labels_vector): Counter
{
@ -355,12 +355,12 @@ function register_gauge_family(opts: MetricOpts): GaugeFamily
}
# Fallback Gauge returned when there are issues with the label usage.
global error_gauge_cf = register_gauge_family([
global error_gauge_cf = register_gauge_family(MetricOpts(
$prefix="zeek",
$name="telemetry_gauge_usage_error",
$unit="",
$help_text="This gauge is returned when label usage for gauges is wrong. Check reporter.log if non-zero."
]);
));
function gauge_with(gf: GaugeFamily, label_values: labels_vector): Gauge
{
@ -424,13 +424,13 @@ function register_histogram_family(opts: MetricOpts): HistogramFamily
}
# Fallback Histogram when there are issues with the labels.
global error_histogram_hf = register_histogram_family([
global error_histogram_hf = register_histogram_family(MetricOpts(
$prefix="zeek",
$name="telemetry_histogram_usage_error",
$unit="",
$help_text="This histogram is returned when label usage for histograms is wrong. Check reporter.log if non-zero.",
$bounds=vector(1.0)
]);
));
function histogram_with(hf: HistogramFamily, label_values: labels_vector): Histogram
{
@ -474,14 +474,14 @@ event run_sync_hook()
}
# Expose the Zeek version as Prometheus style info metric
global version_gauge_family = Telemetry::register_gauge_family([
global version_gauge_family = Telemetry::register_gauge_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="version_info",
$unit="",
$help_text="The Zeek version",
$label_names=vector("version_number", "major", "minor", "patch", "commit",
"beta", "debug","version_string")
]);
));
event zeek_init()
{


@ -92,7 +92,7 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]);
Log::create_stream(Tunnel::LOG, Log::Stream($columns=Info, $path="tunnel", $policy=log_policy));
}
function register_all(ecv: EncapsulatingConnVector)


@ -178,7 +178,7 @@ redef record connection += {
event zeek_init() &priority=5
{
Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn, $path="conn", $policy=log_policy]);
Log::create_stream(Conn::LOG, Log::Stream($columns=Info, $ev=log_conn, $path="conn", $policy=log_policy));
}
function conn_state(c: connection, trans: transport_proto): string


@ -66,7 +66,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(DCE_RPC::LOG, [$columns=Info, $path="dce_rpc", $policy=log_policy]);
Log::create_stream(DCE_RPC::LOG, Log::Stream($columns=Info, $path="dce_rpc", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, ports);
}


@ -130,7 +130,7 @@ redef likely_server_ports += { 67/udp };
event zeek_init() &priority=5
{
Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp", $policy=log_policy]);
Log::create_stream(DHCP::LOG, Log::Stream($columns=Info, $ev=log_dhcp, $path="dhcp", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
}


@ -42,7 +42,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(DNP3::LOG, [$columns=Info, $ev=log_dnp3, $path="dnp3", $policy=log_policy]);
Log::create_stream(DNP3::LOG, Log::Stream($columns=Info, $ev=log_dnp3, $path="dnp3", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, ports);
}
@ -50,7 +50,7 @@ event dnp3_application_request_header(c: connection, is_orig: bool, application_
{
if ( ! c?$dnp3 )
{
c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];
c$dnp3 = Info($ts=network_time(), $uid=c$uid, $id=c$id);
Conn::register_removal_hook(c, finalize_dnp3);
}
@ -62,7 +62,7 @@ event dnp3_application_response_header(c: connection, is_orig: bool, application
{
if ( ! c?$dnp3 )
{
c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];
c$dnp3 = Info($ts=network_time(), $uid=c$uid, $id=c$id);
Conn::register_removal_hook(c, finalize_dnp3);
}


@ -164,7 +164,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns, $path="dns", $policy=log_policy]);
Log::create_stream(DNS::LOG, Log::Stream($columns=Info, $ev=log_dns, $path="dns", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports);
}


@ -43,8 +43,8 @@ function describe_file(f: fa_file): string
event zeek_init() &priority=5
{
Files::register_protocol(Analyzer::ANALYZER_FTP_DATA,
[$get_file_handle = FTP::get_file_handle,
$describe = FTP::describe_file]);
Files::ProtoRegistration($get_file_handle = FTP::get_file_handle,
$describe = FTP::describe_file));
}
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5


@ -88,7 +88,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp, $path="ftp", $policy=log_policy]);
Log::create_stream(FTP::LOG, Log::Stream($columns=Info, $ev=log_ftp, $path="ftp", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
}
@ -307,8 +307,8 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
if ( data$valid )
{
add_expected_data_channel(c$ftp, [$passive=F, $orig_h=id$resp_h,
$resp_h=data$h, $resp_p=data$p]);
add_expected_data_channel(c$ftp, ExpectedDataChannel($passive=F, $orig_h=id$resp_h,
$resp_h=data$h, $resp_p=data$p));
}
else
{
@ -403,8 +403,8 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
if ( code == 229 && data$h == [::] )
data$h = c$id$resp_h;
add_expected_data_channel(c$ftp, [$passive=T, $orig_h=c$id$orig_h,
$resp_h=data$h, $resp_p=data$p]);
add_expected_data_channel(c$ftp, ExpectedDataChannel($passive=T, $orig_h=c$id$orig_h,
$resp_h=data$h, $resp_p=data$p));
}
else
{


@ -80,7 +80,7 @@ export {
function add_pending_cmd(pc: PendingCmds, seq: count, cmd: string, arg: string): CmdArg
{
local ca = [$cmd = cmd, $arg = arg, $seq=seq, $ts=network_time()];
local ca = CmdArg($cmd = cmd, $arg = arg, $seq=seq, $ts=network_time());
pc[ca$seq] = ca;
return ca;


@ -51,6 +51,6 @@ function describe_file(f: fa_file): string
event zeek_init() &priority=5
{
Files::register_protocol(Analyzer::ANALYZER_HTTP,
[$get_file_handle = HTTP::get_file_handle,
$describe = HTTP::describe_file]);
Files::ProtoRegistration($get_file_handle = HTTP::get_file_handle,
$describe = HTTP::describe_file));
}


@ -156,7 +156,7 @@ redef likely_server_ports += { ports };
# Initialize the HTTP logging stream and ports.
event zeek_init() &priority=5
{
Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http, $path="http", $policy=log_policy]);
Log::create_stream(HTTP::LOG, Log::Stream($columns=Info, $ev=log_http, $path="http", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
}
@ -299,7 +299,7 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
# "tunnel".
local tid = copy(c$id);
tid$orig_p = 0/tcp;
Tunnel::register([$cid=tid, $tunnel_type=Tunnel::HTTP]);
Tunnel::register(Tunnel::EncapsulatingConn($cid=tid, $tunnel_type=Tunnel::HTTP));
}
}


@ -26,7 +26,7 @@ function get_file_handle(c: connection, is_orig: bool): string
event zeek_init() &priority=5
{
Files::register_protocol(Analyzer::ANALYZER_IRC_DATA,
[$get_file_handle = IRC::get_file_handle]);
Files::ProtoRegistration($get_file_handle = IRC::get_file_handle));
}
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5


@ -45,7 +45,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log, $path="irc", $policy=log_policy]);
Log::create_stream(IRC::LOG, Log::Stream($columns=Info, $ev=irc_log, $path="irc", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
}


@ -64,12 +64,12 @@ function describe_file(f: fa_file): string
event zeek_init() &priority=5
{
Files::register_protocol(Analyzer::ANALYZER_KRB_TCP,
[$get_file_handle = KRB::get_file_handle,
$describe = KRB::describe_file]);
Files::ProtoRegistration($get_file_handle = KRB::get_file_handle,
$describe = KRB::describe_file));
Files::register_protocol(Analyzer::ANALYZER_KRB,
[$get_file_handle = KRB::get_file_handle,
$describe = KRB::describe_file]);
Files::ProtoRegistration($get_file_handle = KRB::get_file_handle,
$describe = KRB::describe_file));
}
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5


@ -83,7 +83,7 @@ event zeek_init() &priority=5
{
Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, udp_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, tcp_ports);
Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb, $path="kerberos", $policy=log_policy]);
Log::create_stream(KRB::LOG, Log::Stream($columns=Info, $ev=log_krb, $path="kerberos", $policy=log_policy));
}
function set_session(c: connection): bool


@ -144,8 +144,8 @@ event zeek_init() &priority=5 {
Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_TCP, LDAP::ports_tcp);
Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_UDP, LDAP::ports_udp);
Log::create_stream(LDAP::LDAP_LOG, [$columns=MessageInfo, $ev=log_ldap, $path="ldap", $policy=log_policy]);
Log::create_stream(LDAP::LDAP_SEARCH_LOG, [$columns=SearchInfo, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search]);
Log::create_stream(LDAP::LDAP_LOG, Log::Stream($columns=MessageInfo, $ev=log_ldap, $path="ldap", $policy=log_policy));
Log::create_stream(LDAP::LDAP_SEARCH_LOG, Log::Stream($columns=SearchInfo, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search));
}
#############################################################################
@ -163,17 +163,17 @@ function set_session(c: connection, message_id: int, opcode: LDAP::ProtocolOpcod
c$ldap$searches = table();
if ((opcode in OPCODES_SEARCH) && (message_id !in c$ldap$searches)) {
c$ldap$searches[message_id] = [$ts=network_time(),
$uid=c$uid,
$id=c$id,
$message_id=message_id,
$result_count=0];
c$ldap$searches[message_id] = SearchInfo($ts=network_time(),
$uid=c$uid,
$id=c$id,
$message_id=message_id,
$result_count=0);
} else if ((opcode !in OPCODES_SEARCH) && (message_id !in c$ldap$messages)) {
c$ldap$messages[message_id] = [$ts=network_time(),
$uid=c$uid,
$id=c$id,
$message_id=message_id];
c$ldap$messages[message_id] = MessageInfo($ts=network_time(),
$uid=c$uid,
$id=c$id,
$message_id=message_id);
}
}


@ -42,7 +42,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus, $path="modbus", $policy=log_policy]);
Log::create_stream(Modbus::LOG, Log::Stream($columns=Info, $ev=log_modbus, $path="modbus", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports);
}
@ -69,7 +69,7 @@ event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &prio
{
if ( ! c?$modbus )
{
c$modbus = [$ts=network_time(), $uid=c$uid, $id=c$id];
c$modbus = Info($ts=network_time(), $uid=c$uid, $id=c$id);
}
c$modbus$ts = network_time();


@ -150,9 +150,9 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(MQTT::CONNECT_LOG, [$columns=ConnectInfo, $ev=log_mqtt, $path="mqtt_connect", $policy=log_policy_connect]);
Log::create_stream(MQTT::SUBSCRIBE_LOG, [$columns=SubscribeInfo, $path="mqtt_subscribe", $policy=log_policy_subscribe]);
Log::create_stream(MQTT::PUBLISH_LOG, [$columns=PublishInfo, $path="mqtt_publish", $policy=log_policy_publish]);
Log::create_stream(MQTT::CONNECT_LOG, Log::Stream($columns=ConnectInfo, $ev=log_mqtt, $path="mqtt_connect", $policy=log_policy_connect));
Log::create_stream(MQTT::SUBSCRIBE_LOG, Log::Stream($columns=SubscribeInfo, $path="mqtt_subscribe", $policy=log_policy_subscribe));
Log::create_stream(MQTT::PUBLISH_LOG, Log::Stream($columns=PublishInfo, $path="mqtt_publish", $policy=log_policy_publish));
Analyzer::register_for_ports(Analyzer::ANALYZER_MQTT, ports);
}


@ -45,7 +45,7 @@ const ports = { 1434/tcp, 3306/tcp };
event zeek_init() &priority=5
{
Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql, $path="mysql", $policy=log_policy]);
Log::create_stream(mysql::LOG, Log::Stream($columns=Info, $ev=log_mysql, $path="mysql", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, ports);
}


@ -49,7 +49,7 @@ redef record connection += {
event zeek_init() &priority=5
{
Log::create_stream(NTLM::LOG, [$columns=Info, $path="ntlm", $policy=log_policy]);
Log::create_stream(NTLM::LOG, Log::Stream($columns=Info, $path="ntlm", $policy=log_policy));
}
function set_session(c: connection)


@ -61,7 +61,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp, $path="ntp", $policy=log_policy]);
Log::create_stream(NTP::LOG, Log::Stream($columns = Info, $ev = log_ntp, $path="ntp", $policy=log_policy));
}
event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5


@ -75,7 +75,7 @@ redef likely_server_ports += { ports };
event zeek_init() {
Analyzer::register_for_ports(Analyzer::ANALYZER_POSTGRESQL, ports);
Log::create_stream(PostgreSQL::LOG, [$columns=Info, $ev=log_postgresql, $path="postgresql"]);
Log::create_stream(PostgreSQL::LOG, Log::Stream($columns=Info, $ev=log_postgresql, $path="postgresql"));
}
hook set_session(c: connection) {


@ -236,6 +236,6 @@ hook finalize_quic(c: connection)
event zeek_init()
{
Log::create_stream(LOG, [$columns=Info, $ev=log_quic, $path="quic", $policy=log_policy]);
Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_quic, $path="quic", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_QUIC, quic_ports);
}


@ -65,7 +65,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius, $path="radius", $policy=log_policy]);
Log::create_stream(RADIUS::LOG, Log::Stream($columns=Info, $ev=log_radius, $path="radius", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
}


@ -98,7 +98,7 @@ redef likely_server_ports += { rdp_ports, rdpeudp_ports };
event zeek_init() &priority=5
{
Log::create_stream(RDP::LOG, [$columns=RDP::Info, $ev=log_rdp, $path="rdp", $policy=log_policy]);
Log::create_stream(RDP::LOG, Log::Stream($columns=RDP::Info, $ev=log_rdp, $path="rdp", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, rdp_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_RDPEUDP, rdpeudp_ports);
}
@ -155,7 +155,7 @@ function set_session(c: connection)
{
if ( ! c?$rdp )
{
c$rdp = [$ts=network_time(),$id=c$id,$uid=c$uid];
c$rdp = Info($ts=network_time(),$id=c$id,$uid=c$uid);
Conn::register_removal_hook(c, finalize_rdp);
# The RDP session is scheduled to be logged from
# the time it is first initiated.


@ -96,8 +96,8 @@ redef likely_server_ports += {ports};
event zeek_init() &priority=5
{
Log::create_stream(Redis::LOG, [$columns=Info, $path="redis",
$policy=log_policy]);
Log::create_stream(Redis::LOG, Log::Stream($columns=Info, $path="redis",
$policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_REDIS, ports);
}


@ -85,7 +85,7 @@ redef record connection += {
event zeek_init() &priority=5
{
Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb", $policy=log_policy]);
Log::create_stream(RFB::LOG, Log::Stream($columns=Info, $ev=log_rfb, $path="rfb", $policy=log_policy));
}
function write_log(c:connection)


@ -106,7 +106,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(SIP::LOG, [$columns=Info, $ev=log_sip, $path="sip", $policy=log_policy]);
Log::create_stream(SIP::LOG, Log::Stream($columns=Info, $ev=log_sip, $path="sip", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, ports);
}

View file

@ -7,8 +7,8 @@ export {
};
const statuses: table[count] of StatusCode = {
[0x00000000] = [$id="SUCCESS", $desc="The operation completed successfully."],
} &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return [$id=unknown, $desc=unknown]; };
[0x00000000] = StatusCode($id="SUCCESS", $desc="The operation completed successfully."),
} &redef &default=function(i: count):StatusCode { local unknown=fmt("unknown-%d", i); return StatusCode($id=unknown, $desc=unknown); };
## Heuristic detection of named pipes when the pipe
## mapping isn't seen. This variable is defined in


@ -50,8 +50,8 @@ function describe_file(f: fa_file): string
event zeek_init() &priority=5
{
Files::register_protocol(Analyzer::ANALYZER_SMB,
[$get_file_handle = SMB::get_file_handle,
$describe = SMB::describe_file]);
Files::ProtoRegistration($get_file_handle = SMB::get_file_handle,
$describe = SMB::describe_file ));
}
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
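Review bot: The rewritten `Files::ProtoRegistration(...)` call in this SMB section leaves a stray space before the closing parentheses, `$describe = SMB::describe_file ));`, which is inconsistent with the same construction elsewhere in the commit (the SMTP, SSL and KRB `register_protocol` calls have no space). Suggest `$describe = SMB::describe_file));`. This is cosmetic, but since the whole commit is a mechanical rewrite of these call sites, keeping them byte-for-byte uniform makes any future search-and-replace pass over `ProtoRegistration(` straightforward.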


@ -186,8 +186,8 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files", $policy=log_policy_files]);
Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping", $policy=log_policy_mapping]);
Log::create_stream(SMB::FILES_LOG, Log::Stream($columns=SMB::FileInfo, $path="smb_files", $policy=log_policy_files));
Log::create_stream(SMB::MAPPING_LOG, Log::Stream($columns=SMB::TreeInfo, $path="smb_mapping", $policy=log_policy_mapping));
Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, ports);
}


@ -41,8 +41,8 @@ function describe_file(f: fa_file): string
event zeek_init() &priority=5
{
Files::register_protocol(Analyzer::ANALYZER_SMTP,
[$get_file_handle = SMTP::get_file_handle,
$describe = SMTP::describe_file]);
Files::ProtoRegistration($get_file_handle = SMTP::get_file_handle,
$describe = SMTP::describe_file));
}
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5


@ -120,7 +120,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp, $path="smtp", $policy=log_policy]);
Log::create_stream(SMTP::LOG, Log::Stream($columns=SMTP::Info, $ev=log_smtp, $path="smtp", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
}


@ -73,7 +73,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports);
Log::create_stream(SNMP::LOG, [$columns=SNMP::Info, $ev=log_snmp, $path="snmp", $policy=log_policy]);
Log::create_stream(SNMP::LOG, Log::Stream($columns=SNMP::Info, $ev=log_snmp, $path="snmp", $policy=log_policy));
}
function init_state(c: connection, h: SNMP::Header): Info


@ -55,7 +55,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks, $path="socks", $policy=log_policy]);
Log::create_stream(SOCKS::LOG, Log::Stream($columns=Info, $ev=log_socks, $path="socks", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
}
@ -67,7 +67,7 @@ function set_session(c: connection, version: count)
{
if ( ! c?$socks )
{
c$socks = [$ts=network_time(), $id=c$id, $uid=c$uid, $version=version];
c$socks = Info($ts=network_time(), $id=c$id, $uid=c$uid, $version=version);
Conn::register_removal_hook(c, finalize_socks);
}
}
@ -85,7 +85,7 @@ event socks_request(c: connection, version: count, request_type: count,
# proxied connection. We treat this as a singular "tunnel".
local cid = copy(c$id);
cid$orig_p = 0/tcp;
Tunnel::register([$cid=cid, $tunnel_type=Tunnel::SOCKS]);
Tunnel::register(Tunnel::EncapsulatingConn($cid=cid, $tunnel_type=Tunnel::SOCKS));
}
event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Address, p: port) &priority=5


@ -139,7 +139,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh", $policy=log_policy]);
Log::create_stream(SSH::LOG, Log::Stream($columns=Info, $ev=log_ssh, $path="ssh", $policy=log_policy));
}
function set_session(c: connection)


@ -97,13 +97,12 @@ function describe_file(f: fa_file): string
event zeek_init() &priority=5
{
Files::register_protocol(Analyzer::ANALYZER_SSL,
[$get_file_handle = SSL::get_file_handle,
$describe = SSL::describe_file]);
Files::ProtoRegistration($get_file_handle = SSL::get_file_handle,
$describe = SSL::describe_file));
Files::register_protocol(Analyzer::ANALYZER_DTLS,
[$get_file_handle = SSL::get_file_handle,
$describe = SSL::describe_file]);
Files::ProtoRegistration($get_file_handle = SSL::get_file_handle,
$describe = SSL::describe_file));
local ssl_filter = Log::get_filter(SSL::LOG, "default");
if ( ssl_filter$name != "<not found>" )


@ -196,7 +196,7 @@ redef likely_server_ports += { ssl_ports, dtls_ports };
# Priority needs to be higher than priority of zeek_init in ssl/files.zeek
event zeek_init() &priority=6
{
Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy]);
Log::create_stream(SSL::LOG, Log::Stream($columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
}
@ -205,7 +205,7 @@ function set_session(c: connection)
{
if ( ! c?$ssl )
{
c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id];
c$ssl = Info($ts=network_time(), $uid=c$uid, $id=c$id);
Conn::register_removal_hook(c, finalize_ssl);
}
}


@ -38,7 +38,7 @@ redef likely_server_ports += { ports };
event zeek_init() &priority=5
{
Log::create_stream(Syslog::LOG, [$columns=Info, $path="syslog", $policy=log_policy]);
Log::create_stream(Syslog::LOG, Log::Stream($columns=Info, $path="syslog", $policy=log_policy));
Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
}


@ -228,5 +228,5 @@ event websocket_established(c: connection, aid: count) &priority=-5
event zeek_init()
{
Log::create_stream(LOG, [$columns=Info, $ev=log_websocket, $path="websocket", $policy=log_policy]);
Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_websocket, $path="websocket", $policy=log_policy));
}


@ -98,7 +98,7 @@ function request(req: Request): ActiveHTTP::Response
local cmd = request2curl(req, bodyfile, headersfile);
local stdin_data = req?$client_data ? req$client_data : "";
return when [req, resp, cmd, stdin_data, bodyfile, headersfile] ( local result = Exec::run([$cmd=cmd, $stdin=stdin_data, $read_files=set(bodyfile, headersfile)]) )
return when [req, resp, cmd, stdin_data, bodyfile, headersfile] ( local result = Exec::run(Exec::Command($cmd=cmd, $stdin=stdin_data, $read_files=set(bodyfile, headersfile))) )
{
# If there is no response line then nothing else will work either.
if ( ! (result?$files && headersfile in result$files) )


@ -28,7 +28,7 @@ event Dir::monitor_ev(dir: string, last_files: set[string],
callback: function(fname: string),
poll_interval: interval)
{
when [dir, last_files, callback, poll_interval] ( local result = Exec::run([$cmd=fmt("ls -1 %s/", safe_shell_quote(dir))]) )
when [dir, last_files, callback, poll_interval] ( local result = Exec::run(Exec::Command($cmd=fmt("ls -1 %s/", safe_shell_quote(dir)))) )
{
if ( result$exit_code != 0 )
{


@ -142,12 +142,12 @@ event InputRaw::process_finished(name: string, source:string, exit_code:count, s
delete pending_commands[name];
else
for ( read_file in pending_files[name] )
Input::add_event([$source=fmt("%s", read_file),
$name=fmt("%s_%s", name, read_file),
$reader=Input::READER_RAW,
$want_record=F,
$fields=FileLine,
$ev=Exec::file_line]);
Input::add_event(Input::EventDescription($source=fmt("%s", read_file),
$name=fmt("%s_%s", name, read_file),
$reader=Input::READER_RAW,
$want_record=F,
$fields=FileLine,
$ev=Exec::file_line));
}
function run(cmd: Command): Result
@ -169,14 +169,14 @@ function run(cmd: Command): Result
["stdin"] = cmd$stdin,
["read_stderr"] = "1",
};
Input::add_event([$name=cmd$uid,
$source=fmt("%s |", cmd$cmd),
$reader=Input::READER_RAW,
$mode=Input::STREAM,
$fields=Exec::OneLine,
$ev=Exec::line,
$want_record=F,
$config=config_strings]);
Input::add_event(Input::EventDescription($name=cmd$uid,
$source=fmt("%s |", cmd$cmd),
$reader=Input::READER_RAW,
$mode=Input::STREAM,
$fields=Exec::OneLine,
$ev=Exec::line,
$want_record=F,
$config=config_strings));
return when [cmd] ( cmd$uid !in pending_commands )
{
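Review bot: The rewritten `Input::add_event(Input::EventDescription(...))` in `run` still hands `cmd$cmd` to the raw reader as `$source=fmt("%s |", cmd$cmd)`, and nothing at this call site documents that the trailing `|` is what makes the reader run the string as a command, so quoting of any untrusted parts is the caller's job. Since the commit already touches every line of this call, a one-line comment on the `$source` line would be cheap, e.g. `# Trailing "|" tells the raw reader to execute cmd$cmd as a command; callers must quote untrusted input (see safe_shell_quote).` The body of `run` begins outside this hunk, so if an equivalent note already sits in the function header, this can be skipped.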


@ -61,7 +61,7 @@ function match_pattern(s: string, p: pattern): PatternMatchResult
if ( |a| == 1 )
# no match
return [$matched = F, $str = "", $off = 0];
return PatternMatchResult($matched = F, $str = "", $off = 0);
else
return [$matched = T, $str = a[1], $off = |a[0]| + 1];
return PatternMatchResult($matched = T, $str = a[1], $off = |a[0]| + 1);
}


@ -69,8 +69,8 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(LOG, [$columns=Info, $path="analyzer_debug", $policy=log_policy,
$event_groups=set("Analyzer::DebugLogging")]);
Log::create_stream(LOG, Log::Stream($columns=Info, $path="analyzer_debug", $policy=log_policy,
$event_groups=set("Analyzer::DebugLogging")));
local enable_handler = function(id: string, new_value: bool): bool {
if ( new_value )


@ -33,7 +33,7 @@ redef record connection += {
event zeek_init() &priority=5
{
Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
Log::create_stream(DPD::LOG, Log::Stream($columns=Info, $path="dpd", $policy=log_policy));
}
# before the same event in dpd.zeek


@ -93,7 +93,7 @@ function get_protocol(c: connection, a: AllAnalyzers::Tag) : protocol
str = |str| > 0 ? fmt("%s/%s", str, p) : p;
}
return [$a=Analyzer::name(a), $sub=str];
return protocol($a=Analyzer::name(a), $sub=str);
}
function fmt_protocol(p: protocol) : string
@ -115,9 +115,9 @@ function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
local p = get_protocol(c, a);
local s = fmt_protocol(p);
NOTICE([$note=Protocol_Found,
NOTICE(Notice::Info($note=Protocol_Found,
$msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p),
$sub=s, $conn=c]);
$sub=s, $conn=c));
# We report multiple Server_Found's per host if we find a new
# sub-protocol.
@ -130,10 +130,10 @@ function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
if ( (! known || newsub) && a !in suppress_servers )
{
NOTICE([$note=Server_Found,
NOTICE(Notice::Info($note=Server_Found,
$msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s,
c$id$resp_p, (known ? " (update)" : "")),
$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h]);
$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h));
if ( ! known )
servers[c$id$resp_h, c$id$resp_p, p$a] = set();


@ -6,7 +6,7 @@ event connection_established(c: connection)
if ( c$orig$state == TCP_ESTABLISHED &&
c$resp$state == TCP_ESTABLISHED )
{
Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
Intel::seen(Intel::Seen($host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG));
Intel::seen(Intel::Seen($host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP));
}
}


@ -3,8 +3,8 @@
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &group="Intel::DOMAIN"
{
Intel::seen([$indicator=query,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=DNS::IN_REQUEST]);
Intel::seen(Intel::Seen($indicator=query,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=DNS::IN_REQUEST));
}


@ -10,10 +10,10 @@ event file_new(f: fa_file) &group="Intel::FILE_NAME"
return;
if ( f?$info && f$info?$filename )
Intel::seen([$indicator=f$info$filename,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=Files::IN_NAME]);
Intel::seen(Intel::Seen($indicator=f$info$filename,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=Files::IN_NAME));
}
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5 &group="Intel::FILE_NAME"
@ -23,8 +23,8 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
return;
if ( f?$info && f$info?$filename )
Intel::seen([$indicator=f$info$filename,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=Files::IN_NAME]);
Intel::seen(Intel::Seen($indicator=f$info$filename,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=Files::IN_NAME));
}


@ -13,10 +13,10 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
# Remove the occasional port value that shows up here.
local host = gsub(value, /:[[:digit:]]+$/, "");
if ( is_valid_ip(host) )
Intel::seen([$host=to_addr(host),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
Intel::seen(Intel::Seen($host=to_addr(host),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_HOST_HEADER));
break;
case "X-FORWARDED-FOR":
@ -25,10 +25,10 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
local addrs = extract_ip_addresses(value);
for ( i in addrs )
{
Intel::seen([$host=to_addr(addrs[i]),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_X_FORWARDED_FOR_HEADER]);
Intel::seen(Intel::Seen($host=to_addr(addrs[i]),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_X_FORWARDED_FOR_HEADER));
}
}
break;
@ -38,36 +38,36 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::DOMAIN"
{
if ( ! is_orig || name != "HOST" )
return;
return;
# Remove the occasional port value that shows up here.
local host = gsub(value, /:[[:digit:]]+$/, "");
if ( ! is_valid_ip(host) )
Intel::seen([$indicator=host,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
Intel::seen(Intel::Seen($indicator=host,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=HTTP::IN_HOST_HEADER));
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::URL"
{
if ( ! is_orig || name != "REFERER" )
return;
return;
Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_REFERRER_HEADER]);
Intel::seen(Intel::Seen($indicator=sub(value, /^.*:\/\//, ""),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_REFERRER_HEADER));
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::SOFTWARE"
{
if ( ! is_orig || name != "USER-AGENT" )
return;
return;
Intel::seen([$indicator=value,
$indicator_type=Intel::SOFTWARE,
$conn=c,
$where=HTTP::IN_USER_AGENT_HEADER]);
Intel::seen(Intel::Seen($indicator=value,
$indicator_type=Intel::SOFTWARE,
$conn=c,
$where=HTTP::IN_USER_AGENT_HEADER));
}


@ -5,8 +5,8 @@
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &group="Intel::URL"
{
if ( is_orig && c?$http )
Intel::seen([$indicator=HTTP::build_url(c$http),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_URL]);
Intel::seen(Intel::Seen($indicator=HTTP::build_url(c$http),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_URL));
}


@ -14,10 +14,10 @@ event file_new(f: fa_file) &group="Intel::FILE_NAME"
{
local split_fname = split_string(c$smb_state$current_file$name, /\\/);
local fname = split_fname[|split_fname|-1];
Intel::seen([$indicator=fname,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=SMB::IN_FILE_NAME]);
Intel::seen(Intel::Seen($indicator=fname,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=SMB::IN_FILE_NAME));
}
}
}


@ -13,10 +13,10 @@ event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
local urls = find_all_urls_without_scheme(data);
for ( url in urls )
{
Intel::seen([$indicator=url,
$indicator_type=Intel::URL,
$conn=c,
$where=SMTP::IN_MESSAGE]);
Intel::seen(Intel::Seen($indicator=url,
$indicator_type=Intel::URL,
$conn=c,
$where=SMTP::IN_MESSAGE));
}
}
}
@ -24,5 +24,5 @@ event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
event file_new(f: fa_file) &group="Intel::URL"
{
if ( f$source == "SMTP" )
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, Files::AnalyzerArgs($stream_event=intel_mime_data));
}


@ -12,16 +12,16 @@ event mime_end_entity(c: connection) &group="Intel::ADDR"
local path = c$smtp$path;
for ( i in path )
{
Intel::seen([$host=path[i],
$conn=c,
$where=SMTP::IN_RECEIVED_HEADER]);
Intel::seen(Intel::Seen($host=path[i],
$conn=c,
$where=SMTP::IN_RECEIVED_HEADER));
}
}
if ( c$smtp?$x_originating_ip )
Intel::seen([$host=c$smtp$x_originating_ip,
$conn=c,
$where=SMTP::IN_X_ORIGINATING_IP_HEADER]);
Intel::seen(Intel::Seen($host=c$smtp$x_originating_ip,
$conn=c,
$where=SMTP::IN_X_ORIGINATING_IP_HEADER));
}
}
@ -30,10 +30,10 @@ event mime_end_entity(c: connection) &group="Intel::SOFTWARE"
if ( c?$smtp )
{
if ( c$smtp?$user_agent )
Intel::seen([$indicator=c$smtp$user_agent,
$indicator_type=Intel::SOFTWARE,
$conn=c,
$where=SMTP::IN_HEADER]);
Intel::seen(Intel::Seen($indicator=c$smtp$user_agent,
$indicator_type=Intel::SOFTWARE,
$conn=c,
$where=SMTP::IN_HEADER));
}
}
@ -43,20 +43,20 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
{
if ( c$smtp?$mailfrom )
{
Intel::seen([$indicator=c$smtp$mailfrom,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_MAIL_FROM]);
Intel::seen(Intel::Seen($indicator=c$smtp$mailfrom,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_MAIL_FROM ));
}
if ( c$smtp?$rcptto )
{
for ( rcptto_addr in c$smtp$rcptto )
{
Intel::seen([$indicator=rcptto_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_RCPT_TO]);
Intel::seen(Intel::Seen($indicator=rcptto_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_RCPT_TO));
}
}
@ -64,10 +64,10 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
{
for ( from_addr in extract_email_addrs_set(c$smtp$from) )
{
Intel::seen([$indicator=from_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_FROM]);
Intel::seen(Intel::Seen($indicator=from_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_FROM));
}
}
@ -75,10 +75,10 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
{
for ( email_to_addr in c$smtp$to )
{
Intel::seen([$indicator=extract_first_email_addr(email_to_addr),
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_TO]);
Intel::seen(Intel::Seen($indicator=extract_first_email_addr(email_to_addr),
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_TO));
}
}
@ -86,19 +86,19 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
{
for ( cc_addr in c$smtp$cc )
{
Intel::seen([$indicator=cc_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_CC]);
Intel::seen(Intel::Seen($indicator=cc_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_CC));
}
}
if ( c$smtp?$reply_to )
{
Intel::seen([$indicator=c$smtp$reply_to,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_REPLY_TO]);
Intel::seen(Intel::Seen($indicator=c$smtp$reply_to,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_REPLY_TO));
}
}
}
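Review bot: The rewritten constructor in the `Intel::EMAIL` handler ends with `$where=SMTP::IN_MAIL_FROM ));`, a stray space before the closing parentheses that no other `Intel::Seen(...)` call in this file has; it should read `$where=SMTP::IN_MAIL_FROM));`. Separately, the two `$host=` constructions in the `Intel::ADDR` handler (Received path and X-Originating-IP) omit `$indicator_type`, whereas the HTTP Host-header and X-Forwarded-For sites in this same commit pass `$indicator_type=Intel::ADDR` explicitly; presumably `Intel::seen` derives the type from `$host`, but since every site is being touched anyway, settling on one form would make these call sites easier to audit. The enclosing `mime_end_entity` handlers begin outside the hunks.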


@ -5,10 +5,10 @@
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &group="Intel::DOMAIN"
{
if ( is_orig && c?$ssl && c$ssl?$server_name )
Intel::seen([$indicator=c$ssl$server_name,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=SSL::IN_SERVER_NAME]);
Intel::seen(Intel::Seen($indicator=c$ssl$server_name,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=SSL::IN_SERVER_NAME));
}
event ssl_established(c: connection) &group="Intel::DOMAIN"
@ -18,9 +18,9 @@ event ssl_established(c: connection) &group="Intel::DOMAIN"
return;
if ( c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$cn )
Intel::seen([$indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
Intel::seen(Intel::Seen($indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
$indicator_type=Intel::DOMAIN,
$fuid=c$ssl$cert_chain[0]$fuid,
$conn=c,
$where=X509::IN_CERT]);
$where=X509::IN_CERT));
}


@ -5,8 +5,8 @@
module Intel;
export {
## Enables the extraction of subject alternate names from the X509 SAN DNS field
option enable_x509_ext_subject_alternative_name = T;
## Enables the extraction of subject alternate names from the X509 SAN DNS field
option enable_x509_ext_subject_alternative_name = T;
}
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) &group="Intel::DOMAIN"
@ -14,10 +14,10 @@ event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativ
if ( enable_x509_ext_subject_alternative_name && ext?$dns )
{
for ( i in ext$dns )
Intel::seen([$indicator=ext$dns[i],
Intel::seen(Intel::Seen($indicator=ext$dns[i],
$indicator_type=Intel::DOMAIN,
$f=f,
$where=X509::IN_CERT]);
$where=X509::IN_CERT));
}
}
@ -27,10 +27,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
{
local email = sub(cert$subject, /^.*emailAddress=/, "");
email = sub(email, /,.*$/, "");
Intel::seen([$indicator=email,
$indicator_type=Intel::EMAIL,
$f=f,
$where=X509::IN_CERT]);
Intel::seen(Intel::Seen($indicator=email,
$indicator_type=Intel::EMAIL,
$f=f,
$where=X509::IN_CERT));
}
}
@ -38,10 +38,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
{
if ( f$info?$sha1 ) # if the file_hash event was raised before the x509 event...
{
Intel::seen([$indicator=f$info$sha1,
$indicator_type=Intel::CERT_HASH,
$f=f,
$where=X509::IN_CERT]);
Intel::seen(Intel::Seen($indicator=f$info$sha1,
$indicator_type=Intel::CERT_HASH,
$f=f,
$where=X509::IN_CERT));
}
}
@ -50,8 +50,8 @@ event file_hash(f: fa_file, kind: string, hash: string) &group="Intel::CERT_HASH
if ( ! f?$info || ! f$info?$x509 || kind != "sha1" )
return;
Intel::seen([$indicator=hash,
$indicator_type=Intel::CERT_HASH,
$f=f,
$where=X509::IN_CERT]);
Intel::seen(Intel::Seen($indicator=hash,
$indicator_type=Intel::CERT_HASH,
$f=f,
$where=X509::IN_CERT));
}


@ -88,8 +88,8 @@ function debug(message: string)
return;
local node = Supervisor::node();
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[DEBUG],
$role=r2s[Management::role], $message=message]);
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[DEBUG],
$role=r2s[Management::role], $message=message));
}
function info(message: string)
@ -98,8 +98,8 @@ function info(message: string)
return;
local node = Supervisor::node();
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[INFO],
$role=r2s[Management::role], $message=message]);
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[INFO],
$role=r2s[Management::role], $message=message));
}
function warning(message: string)
@ -108,8 +108,8 @@ function warning(message: string)
return;
local node = Supervisor::node();
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[WARNING],
$role=r2s[Management::role], $message=message]);
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[WARNING],
$role=r2s[Management::role], $message=message));
}
function error(message: string)
@ -118,8 +118,8 @@ function error(message: string)
return;
local node = Supervisor::node();
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[ERROR],
$role=r2s[Management::role], $message=message]);
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[ERROR],
$role=r2s[Management::role], $message=message));
}
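Review bot: The four hunks in `debug`, `info`, `warning` and `error` now each spell out the identical `Info($ts=network_time(), $node=node$name, $level=l2s[...], $role=r2s[Management::role], $message=message)` construction, differing only in the `l2s` key. Since the commit already rewrites every one of these sites, a private helper that takes the level value and the message and performs the single `Log::write(LOG, Info(...))` would leave one constructor to keep in sync when `Info` gains a field. Each function's guard and early `return` are outside the hunks, so that precondition would need to move into (or ahead of) the helper as well; I cannot see the level enum's type name from here, hence no concrete signature. This is a style point only; the behaviour of the four functions is unchanged by the commit.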
# Bump priority to ensure the log stream exists when other zeek_init handlers use it.


@ -29,8 +29,8 @@ global g_outputs: table[string] of NodeOutputStreams;
function make_node_output_streams(node: string): NodeOutputStreams
{
local stdout = Queue::init([$max_len = Management::Supervisor::output_max_lines]);
local stderr = Queue::init([$max_len = Management::Supervisor::output_max_lines]);
local stdout = Queue::init(Queue::Settings($max_len = Management::Supervisor::output_max_lines));
local stderr = Queue::init(Queue::Settings($max_len = Management::Supervisor::output_max_lines));
local res = NodeOutputStreams($stdout=stdout, $stderr=stderr);
local status = Supervisor::status(node);


@ -168,7 +168,7 @@ global catch_release_recently_notified: set[addr] &create_expire=30secs;
event zeek_init() &priority=5
{
Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release", $policy=log_policy_catch_release]);
Log::create_stream(NetControl::CATCH_RELEASE, Log::Stream($columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release", $policy=log_policy_catch_release));
}
function get_watch_interval(current_interval: count): interval


@ -78,9 +78,9 @@ function shunt_filters()
event zeek_init() &priority=5
{
register_filter_plugin([
register_filter_plugin(FilterPlugin(
$func()={ return shunt_filters(); }
]);
));
}
function current_shunted_conns(): set[conn_id]
@ -97,8 +97,8 @@ function reached_max_shunts(): bool
{
if ( |shunted_conns| + |shunted_host_pairs| > max_bpf_shunts )
{
NOTICE([$note=No_More_Conn_Shunts_Available,
$msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)]);
NOTICE(Notice::Info($note=No_More_Conn_Shunts_Available,
$msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)));
return T;
}
else
@ -145,10 +145,10 @@ function shunt_conn(id: conn_id): bool
{
if ( is_v6_addr(id$orig_h) )
{
NOTICE([$note=Cannot_BPF_Shunt_Conn,
$msg="IPv6 connections can't be shunted with BPF due to limitations in BPF",
$sub="ipv6_conn",
$id=id, $identifier=cat(id)]);
NOTICE(Notice::Info($note=Cannot_BPF_Shunt_Conn,
$msg="IPv6 connections can't be shunted with BPF due to limitations in BPF",
$sub="ipv6_conn",
$id=id, $identifier=cat(id)));
return F;
}


@ -30,8 +30,8 @@ event Software::version_change(old: Software::Info, new: Software::Info)
local msg = fmt("%.6f %s '%s' version changed from %s to %s",
network_time(), old$software_type, old$name,
software_fmt_version(old$version),
software_fmt_version(new$version));
software_fmt_version(new$version));
NOTICE([$note=Software_Version_Change, $src=new$host,
$msg=msg, $sub=software_fmt(new)]);
NOTICE(Notice::Info($note=Software_Version_Change, $src=new$host,
$msg=msg, $sub=software_fmt(new)));
}
