From 49094688fdad3e513b8a0b2b8b45e901653b2f51 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Wed, 11 Nov 2020 12:58:02 -0800
Subject: [PATCH 1/2] Coverity 1436183: Initialize packet_analysis::Manager fields
---
 src/packet_analysis/Manager.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h
index e63d7422f4..160741c097 100644
--- a/src/packet_analysis/Manager.h
+++ b/src/packet_analysis/Manager.h
@@ -143,10 +143,10 @@ private:
 using UnknownProtocolPair = std::pair;
 std::map unknown_protocols;
- uint64_t unknown_sampling_threshold;
- uint64_t unknown_sampling_rate;
- double unknown_sampling_duration;
- uint64_t unknown_first_bytes_count;
+ uint64_t unknown_sampling_threshold = 0;
+ uint64_t unknown_sampling_rate = 0;
+ double unknown_sampling_duration = 0;
+ uint64_t unknown_first_bytes_count = 0;
 };
 } // namespace packet_analysis
From 89af6f200488905ccf327cdd336cd2fb6fc1e9f7 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Wed, 11 Nov 2020 12:58:38 -0800
Subject: [PATCH 2/2] Move UnknownProtocol options to init-bare.zeek
Otherwise the `unknown_protocol` event cannot be used independently from `policy/mic/unknown-protocols.zeek`.
---
 scripts/base/init-bare.zeek | 22 ++++++++++++++++++
 scripts/policy/misc/unknown-protocols.zeek | 19 ---------------
 src/packet_analysis/Manager.cc | 11 ++++-----
 .../Baseline/core.unknown-protocol-event/out | 2 ++
 testing/btest/Traces/lldp.pcap | Bin 0 -> 158 bytes
 .../btest/core/unknown-protocol-event.zeek | 6 +++++
 6 files changed, 34 insertions(+), 26 deletions(-)
 create mode 100644 testing/btest/Baseline/core.unknown-protocol-event/out
 create mode 100644 testing/btest/Traces/lldp.pcap
 create mode 100644 testing/btest/core/unknown-protocol-event.zeek
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 7257c2a16e..34795cc2da 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
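Review bot: The zero defaults on the four `unknown_*` members carry no hint that they are placeholders, so a reader of the header alone cannot tell whether 0 is a meaningful configuration or just "not yet initialized"; patch 2/2 on this page shows `Manager::InitPostScript()` overwriting all four unconditionally. A comment on the first of the four lines would settle it: `// Placeholders until InitPostScript() reads the UnknownProtocol:: script options; 0 is the conservative value (the script docs say a sampling rate of 0 reports no rate-limited pairs).`. As a small style point, `double unknown_sampling_duration = 0.0;` keeps the floating-point type visible at the initializer, matching the `uint64_t` siblings' integer literals. The enclosing class starts outside the hunk.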
@@ -5367,6 +5367,28 @@ export {
 option sampling_duration = 10min;
 }
+module UnknownProtocol;
+export {
+ ## How many reports for an analyzer/protocol pair will be allowed to
+ ## raise events before becoming rate-limited.
+ const sampling_threshold : count = 3 &redef;
+
+ ## The rate-limiting sampling rate. One out of every of this number of
+ ## rate-limited pairs of a given type will be allowed to raise events
+ ## for further script-layer handling. Setting the sampling rate to 0
+ ## will disable all output of rate-limited pairs.
+ const sampling_rate : count = 100000 &redef;
+
+ ## How long an analyzer/protocol pair is allowed to keep state/counters in
+ ## in memory. Once the threshold has been hit, this is the amount of time
+ ## before the rate-limiting for a pair expires and is reset.
+ const sampling_duration = 1hr &redef;
+
+ ## The number of bytes to extract from the next header and log in the
+ ## first bytes field.
+ const first_bytes_count = 10 &redef;
+}
+
 module BinPAC;
 export {
 ## Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to
diff --git a/scripts/policy/misc/unknown-protocols.zeek b/scripts/policy/misc/unknown-protocols.zeek
index 000fc02107..df510d9846 100644
--- a/scripts/policy/misc/unknown-protocols.zeek
+++ b/scripts/policy/misc/unknown-protocols.zeek
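Review bot: `sampling_duration` and `first_bytes_count` are declared without an explicit type while the two siblings above them spell out `: count`, and now that the core reads these options through `id::find_val(...)->AsInterval()` / `->AsCount()` (Manager.cc hunk on this page) the declared type is part of the contract rather than a convenience; `const sampling_duration : interval = 1hr &redef;` and `const first_bytes_count : count = 10 &redef;` make that explicit and consistent within the block. The doc comment on `sampling_duration` also carries over a doubled word from the policy script, `keep state/counters in ## in memory`, which could be fixed while the text is being moved. Both lines sit inside the added `export { ... }` block of the new `UnknownProtocol` module.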
@@ -26,25 +26,6 @@ export {
 ## header.
 first_bytes: string &log;
 };
-
- ## How many reports for an analyzer/protocol pair will be allowed to
- ## raise events before becoming rate-limited.
- const sampling_threshold : count = 3 &redef;
-
- ## The rate-limiting sampling rate. One out of every of this number of
- ## rate-limited pairs of a given type will be allowed to raise events
- ## for further script-layer handling. Setting the sampling rate to 0
- ## will disable all output of rate-limited pairs.
- const sampling_rate : count = 100000 &redef;
-
- ## How long an analyzer/protocol pair is allowed to keep state/counters in
- ## in memory. Once the threshold has been hit, this is the amount of time
- ## before the rate-limiting for a pair expires and is reset.
- const sampling_duration = 1hr &redef;
-
- ## The number of bytes to extract from the next header and log in the
- ## first bytes field.
- const first_bytes_count = 10 &redef;
 }
 event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index b95c60a972..a6ea761331 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -44,13 +44,10 @@ void Manager::InitPostScript()
 detail::pkt_profile_freq,
 pkt_profile_file->AsFile());
- if ( unknown_protocol )
- {
- unknown_sampling_rate = id::find_val("UnknownProtocol::sampling_rate")->AsCount();
- unknown_sampling_threshold = id::find_val("UnknownProtocol::sampling_threshold")->AsCount();
- unknown_sampling_duration = id::find_val("UnknownProtocol::sampling_duration")->AsInterval();
- unknown_first_bytes_count = id::find_val("UnknownProtocol::first_bytes_count")->AsCount();
- }
+ unknown_sampling_rate = id::find_val("UnknownProtocol::sampling_rate")->AsCount();
+ unknown_sampling_threshold = id::find_val("UnknownProtocol::sampling_threshold")->AsCount();
+ unknown_sampling_duration = id::find_val("UnknownProtocol::sampling_duration")->AsInterval();
+ unknown_first_bytes_count = id::find_val("UnknownProtocol::first_bytes_count")->AsCount();
 }
 void Manager::Done()
diff --git a/testing/btest/Baseline/core.unknown-protocol-event/out b/testing/btest/Baseline/core.unknown-protocol-event/out
new file mode 100644
index 0000000000..0cdfa29213
--- /dev/null
+++ b/testing/btest/Baseline/core.unknown-protocol-event/out
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ETHERNET, 35020, 02070400222d81db1004
diff --git a/testing/btest/Traces/lldp.pcap b/testing/btest/Traces/lldp.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b74c247ebb9cd5fd4dd6c4b7ab93aa83a80ce9cf
GIT binary patch
literal 158
zcmca|c+)~A1{MYw`2U}Qff2}=vXa^RQ4S+R8ITRaj17kv82A{JbQ^CAbev&gXMr$T
znAi>3m>4QJ*aPy5N)(h0xp;$po!x^i0(66O6N^fClu@_}x(cZLGGjd>13ng@16Txj
TSQ!tjVB%r|*#^YBMbvcwa3v#9
literal 0
HcmV?d00001
diff --git a/testing/btest/core/unknown-protocol-event.zeek b/testing/btest/core/unknown-protocol-event.zeek
new file mode 100644
index 0000000000..c043217da4
--- /dev/null
+++ b/testing/btest/core/unknown-protocol-event.zeek
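Review bot: Dropping the `if ( unknown_protocol )` guard makes the four `id::find_val(...)->As*()` chains execute on every startup, and nothing in the hunk checks the lookup result before it is dereferenced; this is only safe because the same series moves the `UnknownProtocol::` options into `scripts/base/init-bare.zeek`, which is loaded even under `-b`. That dependency deserves a comment on the first assignment, e.g. `// Always resolvable: the UnknownProtocol options are defined in scripts/base/init-bare.zeek, so find_val() cannot miss here.`. If `id::find_val()` can yield a null value for an unknown identifier (not visible in this hunk), failing with a fatal error that names the missing option would turn a future script-layout regression into a clear message instead of a crash at startup. The remainder of `Manager::InitPostScript()` lies outside the hunk.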
@@ -0,0 +1,6 @@
+# @TEST-EXEC: zeek -b -r $TRACES/lldp.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)
+ { print analyzer_name, protocol, bytestring_to_hexstr(first_bytes); }
+
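Review bot: The `-b` flag on the first `@TEST-EXEC` line is what makes this a regression test for the commit's claim — bare mode leaves `policy/misc/unknown-protocols.zeek` unloaded, so the event has to work from `init-bare.zeek` alone — but nothing in the file records that intent. A one-line comment above it, `# Bare mode: the unknown_protocol event must fire without policy/misc/unknown-protocols.zeek loaded.`, would keep the next maintainer from "simplifying" the flag away. The test also pins only the default `first_bytes_count` (the baseline's `02070400222d81db1004` is exactly 10 bytes); a second run with that option redefined would additionally cover the core's consumption of the new script-level values, if that is in scope for this change.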