Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 15:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Base: Clean up explicit uses of namespaces in places where they're not necessary.

Browse source 
This commit covers all of the common and base classes.
This commit is contained in:
Tim Wojtulewicz 2020-08-21 09:29:37 -07:00
parent 9f802b2a4d
commit fe0c22c789
240 changed files with 6823 additions and 6787 deletions
Download patch file Download diff file Expand all files Collapse all files

20
src/file_analysis/Analyzer.cc
View file

@ -10,18 +10,18 @@ ID Analyzer::id_counter = 0;
Analyzer::~Analyzer()
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "Destroy file analyzer %s",
DBG_LOG(DBG_FILE_ANALYSIS, "Destroy file analyzer %s",
file_mgr->GetComponentName(tag).c_str());
}
void Analyzer::SetAnalyzerTag(const zeek::file_analysis::Tag& arg_tag)
void Analyzer::SetAnalyzerTag(const file_analysis::Tag& arg_tag)
{
assert(! tag || tag == arg_tag);
tag = arg_tag;
}
Analyzer::Analyzer(zeek::file_analysis::Tag arg_tag,
zeek::RecordValPtr arg_args,
Analyzer::Analyzer(file_analysis::Tag arg_tag,
RecordValPtr arg_args,
File* arg_file)
: tag(arg_tag),
args(std::move(arg_args)),
@ -32,18 +32,18 @@ Analyzer::Analyzer(zeek::file_analysis::Tag arg_tag,
id = ++id_counter;
}
Analyzer::Analyzer(zeek::RecordValPtr arg_args, File* arg_file)
Analyzer::Analyzer(RecordValPtr arg_args, File* arg_file)
: Analyzer({}, std::move(arg_args), arg_file)
{}
Analyzer::Analyzer(zeek::file_analysis::Tag arg_tag,
zeek::RecordVal* arg_args,
Analyzer::Analyzer(file_analysis::Tag arg_tag,
RecordVal* arg_args,
File* arg_file)
: Analyzer(arg_tag, {zeek::NewRef{}, arg_args}, arg_file)
: Analyzer(arg_tag, {NewRef{}, arg_args}, arg_file)
{}
Analyzer::Analyzer(zeek::RecordVal* arg_args, File* arg_file)
: Analyzer({}, {zeek::NewRef{}, arg_args}, arg_file)
Analyzer::Analyzer(RecordVal* arg_args, File* arg_file)
: Analyzer({}, {NewRef{}, arg_args}, arg_file)
{}
} // namespace zeek::file_analysis

16
src/file_analysis/Analyzer.h
View file

@ -8,7 +8,7 @@
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
namespace zeek {
using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
using RecordValPtr = IntrusivePtr<RecordVal>;
}
ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
@ -98,11 +98,11 @@ public:
/**
* @return the AnalyzerArgs associated with the analyzer.
*/
const zeek::RecordValPtr& GetArgs() const
const RecordValPtr& GetArgs() const
{ return args; }
[[deprecated("Remove in v4.1. Use GetArgs().")]]
zeek::RecordVal* Args() const
RecordVal* Args() const
{ return args.get(); }
/**
@ -154,10 +154,10 @@ protected:
* tunable options, if any, related to a particular analyzer type.
* @param arg_file the file to which the the analyzer is being attached.
*/
Analyzer(file_analysis::Tag arg_tag, zeek::RecordValPtr arg_args, File* arg_file);
Analyzer(file_analysis::Tag arg_tag, RecordValPtr arg_args, File* arg_file);
[[deprecated("Remove in v4.1.. Construct using IntrusivePtr instead.")]]
Analyzer(file_analysis::Tag arg_tag, zeek::RecordVal* arg_args, File* arg_file);
Analyzer(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file);
/**
* Constructor. Only derived classes are meant to be instantiated.
@ -168,16 +168,16 @@ protected:
* tunable options, if any, related to a particular analyzer type.
* @param arg_file the file to which the the analyzer is being attached.
*/
Analyzer(zeek::RecordValPtr arg_args, File* arg_file);
Analyzer(RecordValPtr arg_args, File* arg_file);
[[deprecated("Remove in v4.1.. Construct using IntrusivePtr instead.")]]
Analyzer(zeek::RecordVal* arg_args, File* arg_file);
Analyzer(RecordVal* arg_args, File* arg_file);
private:
ID id; /**< Unique instance ID. */
file_analysis::Tag tag; /**< The particular type of the analyzer instance. */
zeek::RecordValPtr args; /**< \c AnalyzerArgs val gives tunable analyzer params. */
RecordValPtr args; /**< \c AnalyzerArgs val gives tunable analyzer params. */
File* file; /**< The file to which the analyzer is attached. */
bool got_stream_delivery;
bool skip;

42
src/file_analysis/AnalyzerSet.cc
View file

@ -20,9 +20,9 @@ static void analyzer_del_func(void* v)
AnalyzerSet::AnalyzerSet(File* arg_file) : file(arg_file)
{
auto t = zeek::make_intrusive<zeek::TypeList>();
auto t = make_intrusive<TypeList>();
t->Append(file_mgr->GetTagType());
t->Append(zeek::BifType::Record::Files::AnalyzerArgs);
t->Append(BifType::Record::Files::AnalyzerArgs);
analyzer_hash = new zeek::detail::CompositeHash(std::move(t));
analyzer_map.SetDeleteFunc(analyzer_del_func);
}
@ -41,20 +41,20 @@ AnalyzerSet::~AnalyzerSet()
}
Analyzer* AnalyzerSet::Find(const file_analysis::Tag& tag,
zeek::RecordValPtr args)
RecordValPtr args)
{
auto key = GetKey(tag, std::move(args));
Analyzer* rval = analyzer_map.Lookup(key.get());
return rval;
}
bool AnalyzerSet::Add(const file_analysis::Tag& tag, zeek::RecordValPtr args)
bool AnalyzerSet::Add(const file_analysis::Tag& tag, RecordValPtr args)
{
auto key = GetKey(tag, args);
if ( analyzer_map.Lookup(key.get()) )
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Instantiate analyzer %s skipped: already exists",
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Instantiate analyzer %s skipped: already exists",
file->GetID().c_str(),
file_mgr->GetComponentName(tag).c_str());
@ -72,7 +72,7 @@ bool AnalyzerSet::Add(const file_analysis::Tag& tag, zeek::RecordValPtr args)
}
Analyzer* AnalyzerSet::QueueAdd(const file_analysis::Tag& tag,
zeek::RecordValPtr args)
RecordValPtr args)
{
auto key = GetKey(tag, args);
file_analysis::Analyzer* a = InstantiateAnalyzer(tag, std::move(args));
@ -89,7 +89,7 @@ bool AnalyzerSet::AddMod::Perform(AnalyzerSet* set)
{
if ( set->analyzer_map.Lookup(key.get()) )
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Add analyzer %s skipped: already exists",
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Add analyzer %s skipped: already exists",
a->GetFile()->GetID().c_str(),
file_mgr->GetComponentName(a->Tag()).c_str());
@ -108,7 +108,7 @@ void AnalyzerSet::AddMod::Abort()
}
bool AnalyzerSet::Remove(const file_analysis::Tag& tag,
zeek::RecordValPtr args)
RecordValPtr args)
{
return Remove(tag, GetKey(tag, std::move(args)));
}
@ -120,12 +120,12 @@ bool AnalyzerSet::Remove(const file_analysis::Tag& tag,
if ( ! a )
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Skip remove analyzer %s",
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Skip remove analyzer %s",
file->GetID().c_str(), file_mgr->GetComponentName(tag).c_str());
return false;
}
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Remove analyzer %s",
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Remove analyzer %s",
file->GetID().c_str(),
file_mgr->GetComponentName(tag).c_str());
@ -140,7 +140,7 @@ bool AnalyzerSet::Remove(const file_analysis::Tag& tag,
}
bool AnalyzerSet::QueueRemove(const file_analysis::Tag& tag,
zeek::RecordValPtr args)
RecordValPtr args)
{
auto key = GetKey(tag, std::move(args));
auto rval = analyzer_map.Lookup(key.get());
@ -154,29 +154,29 @@ bool AnalyzerSet::RemoveMod::Perform(AnalyzerSet* set)
}
std::unique_ptr<zeek::detail::HashKey> AnalyzerSet::GetKey(const file_analysis::Tag& t,
zeek::RecordValPtr args) const
RecordValPtr args) const
{
auto lv = zeek::make_intrusive<zeek::ListVal>(zeek::TYPE_ANY);
auto lv = make_intrusive<ListVal>(TYPE_ANY);
lv->Append(t.AsVal());
lv->Append(std::move(args));
auto key = analyzer_hash->MakeHashKey(*lv, true);
if ( ! key )
zeek::reporter->InternalError("AnalyzerArgs type mismatch");
reporter->InternalError("AnalyzerArgs type mismatch");
return key;
}
file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(const Tag& tag,
zeek::RecordValPtr args) const
RecordValPtr args) const
{
auto a = file_mgr->InstantiateAnalyzer(tag, std::move(args), file);
if ( ! a )
{
zeek::reporter->Error("[%s] Failed file analyzer %s instantiation",
file->GetID().c_str(),
file_mgr->GetComponentName(tag).c_str());
reporter->Error("[%s] Failed file analyzer %s instantiation",
file->GetID().c_str(),
file_mgr->GetComponentName(tag).c_str());
return nullptr;
}
@ -186,7 +186,7 @@ file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(const Tag& tag,
void AnalyzerSet::Insert(file_analysis::Analyzer* a,
std::unique_ptr<zeek::detail::HashKey> key)
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Add analyzer %s",
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Add analyzer %s",
file->GetID().c_str(), file_mgr->GetComponentName(a->Tag()).c_str());
analyzer_map.Insert(key.get(), a);
@ -198,7 +198,7 @@ void AnalyzerSet::DrainModifications()
if ( mod_queue.empty() )
return;
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Start analyzer mod queue flush",
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Start analyzer mod queue flush",
file->GetID().c_str());
do
{
@ -207,7 +207,7 @@ void AnalyzerSet::DrainModifications()
delete mod;
mod_queue.pop();
} while ( ! mod_queue.empty() );
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] End flushing analyzer mod queue.",
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] End flushing analyzer mod queue.",
file->GetID().c_str());
}

22
src/file_analysis/AnalyzerSet.h
View file

@ -11,7 +11,7 @@
ZEEK_FORWARD_DECLARE_NAMESPACED(CompositeHash, zeek::detail);
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
namespace zeek {
using RecordValPtr = zeek::IntrusivePtr<RecordVal>;
using RecordValPtr = IntrusivePtr<RecordVal>;
}
ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, file_analysis);
@ -46,7 +46,7 @@ public:
* @param args an \c AnalyzerArgs record.
* @return pointer to an analyzer instance, or a null pointer if not found.
*/
Analyzer* Find(const file_analysis::Tag& tag, zeek::RecordValPtr args);
Analyzer* Find(const file_analysis::Tag& tag, RecordValPtr args);
/**
* Attach an analyzer to #file immediately.
@ -54,7 +54,7 @@ public:
* @param args an \c AnalyzerArgs value which specifies an analyzer.
* @return true if analyzer was instantiated/attached, else false.
*/
bool Add(const file_analysis::Tag& tag, zeek::RecordValPtr args);
bool Add(const file_analysis::Tag& tag, RecordValPtr args);
/**
* Queue the attachment of an analyzer to #file.
@ -64,7 +64,7 @@ public:
* a null pointer. The caller does *not* take ownership of the memory.
*/
file_analysis::Analyzer* QueueAdd(const file_analysis::Tag& tag,
zeek::RecordValPtr args);
RecordValPtr args);
/**
* Remove an analyzer from #file immediately.
@ -72,7 +72,7 @@ public:
* @param args an \c AnalyzerArgs value which specifies an analyzer.
* @return false if analyzer didn't exist and so wasn't removed, else true.
*/
bool Remove(const file_analysis::Tag& tag, zeek::RecordValPtr args);
bool Remove(const file_analysis::Tag& tag, RecordValPtr args);
/**
* Queue the removal of an analyzer from #file.
@ -80,7 +80,7 @@ public:
* @param args an \c AnalyzerArgs value which specifies an analyzer.
* @return true if analyzer exists at time of call, else false;
*/
bool QueueRemove(const file_analysis::Tag& tag, zeek::RecordValPtr args);
bool QueueRemove(const file_analysis::Tag& tag, RecordValPtr args);
/**
* Perform all queued modifications to the current analyzer set.
@ -92,7 +92,7 @@ public:
* @see Dictionary#InitForIteration
* @return an iterator that may be used to loop over analyzers in the set.
*/
zeek::IterCookie* InitForIteration() const
IterCookie* InitForIteration() const
{ return analyzer_map.InitForIteration(); }
/**
@ -102,7 +102,7 @@ public:
* @return the next analyzer in the set or a null pointer if there is no
* more left (in that case the cookie is also deleted).
*/
file_analysis::Analyzer* NextEntry(zeek::IterCookie* c)
file_analysis::Analyzer* NextEntry(IterCookie* c)
{ return analyzer_map.NextEntry(c); }
protected:
@ -114,7 +114,7 @@ protected:
* @return the hash key calculated from \a args
*/
std::unique_ptr<zeek::detail::HashKey> GetKey(const file_analysis::Tag& tag,
zeek::RecordValPtr args) const;
RecordValPtr args) const;
/**
* Create an instance of a file analyzer.
@ -123,7 +123,7 @@ protected:
* @return a new file analyzer instance.
*/
file_analysis::Analyzer* InstantiateAnalyzer(const file_analysis::Tag& tag,
zeek::RecordValPtr args) const;
RecordValPtr args) const;
/**
* Insert an analyzer instance in to the set.
@ -144,7 +144,7 @@ private:
File* file; /**< File which owns the set */
zeek::detail::CompositeHash* analyzer_hash; /**< AnalyzerArgs hashes. */
zeek::PDict<file_analysis::Analyzer> analyzer_map; /**< Indexed by AnalyzerArgs. */
PDict<file_analysis::Analyzer> analyzer_map; /**< Indexed by AnalyzerArgs. */
/**
* Abstract base class for analyzer set modifications.

10
src/file_analysis/Component.cc
View file

@ -9,16 +9,16 @@
namespace zeek::file_analysis {
Component::Component(const std::string& name, factory_callback arg_factory, Tag::subtype_t subtype)
: zeek::plugin::Component(zeek::plugin::component::FILE_ANALYZER, name),
zeek::plugin::TaggedComponent<zeek::file_analysis::Tag>(subtype)
: plugin::Component(plugin::component::FILE_ANALYZER, name),
plugin::TaggedComponent<file_analysis::Tag>(subtype)
{
factory = arg_factory;
factory_func = nullptr;
}
Component::Component(const std::string& name, factory_function arg_factory, Tag::subtype_t subtype)
: zeek::plugin::Component(zeek::plugin::component::FILE_ANALYZER, name),
zeek::plugin::TaggedComponent<zeek::file_analysis::Tag>(subtype)
: plugin::Component(plugin::component::FILE_ANALYZER, name),
plugin::TaggedComponent<file_analysis::Tag>(subtype)
{
factory = nullptr;
factory_func = arg_factory;
@ -34,7 +34,7 @@ Component::~Component()
{
}
void Component::DoDescribe(zeek::ODesc* d) const
void Component::DoDescribe(ODesc* d) const
{
if ( factory || factory_func )
{

12
src/file_analysis/Component.h
View file

@ -25,11 +25,11 @@ namespace zeek::file_analysis {
* A plugin can provide a specific file analyzer by registering this
* analyzer component, describing the analyzer.
*/
class Component : public zeek::plugin::Component,
public zeek::plugin::TaggedComponent<file_analysis::Tag> {
class Component : public plugin::Component,
public plugin::TaggedComponent<file_analysis::Tag> {
public:
typedef Analyzer* (*factory_callback)(zeek::RecordVal* args, File* file);
using factory_function = Analyzer* (*)(zeek::RecordValPtr args, File* file);
typedef Analyzer* (*factory_callback)(RecordVal* args, File* file);
using factory_function = Analyzer* (*)(RecordValPtr args, File* file);
/**
* Constructor.
@ -80,10 +80,10 @@ protected:
/**
* Overriden from plugin::Component.
*/
void DoDescribe(zeek::ODesc* d) const override;
void DoDescribe(ODesc* d) const override;
private:
friend class zeek::file_analysis::Manager;
friend class Manager;
factory_callback factory; // The analyzer's factory callback (deprecated).
factory_function factory_func; // The analyzer's factory callback.

204
src/file_analysis/File.cc
View file

@ -21,22 +21,22 @@
namespace zeek::file_analysis {
static zeek::TableValPtr empty_connection_table()
static TableValPtr empty_connection_table()
{
auto tbl_index = zeek::make_intrusive<zeek::TypeList>(zeek::id::conn_id);
tbl_index->Append(zeek::id::conn_id);
auto tbl_type = zeek::make_intrusive<zeek::TableType>(std::move(tbl_index),
zeek::id::connection);
return zeek::make_intrusive<zeek::TableVal>(std::move(tbl_type));
auto tbl_index = make_intrusive<TypeList>(id::conn_id);
tbl_index->Append(id::conn_id);
auto tbl_type = make_intrusive<TableType>(std::move(tbl_index),
id::connection);
return make_intrusive<TableVal>(std::move(tbl_type));
}
static zeek::RecordValPtr get_conn_id_val(const zeek::Connection* conn)
static RecordValPtr get_conn_id_val(const Connection* conn)
{
auto v = zeek::make_intrusive<zeek::RecordVal>(zeek::id::conn_id);
v->Assign(0, zeek::make_intrusive<zeek::AddrVal>(conn->OrigAddr()));
v->Assign(1, zeek::val_mgr->Port(ntohs(conn->OrigPort()), conn->ConnTransport()));
v->Assign(2, zeek::make_intrusive<zeek::AddrVal>(conn->RespAddr()));
v->Assign(3, zeek::val_mgr->Port(ntohs(conn->RespPort()), conn->ConnTransport()));
auto v = make_intrusive<RecordVal>(id::conn_id);
v->Assign(0, make_intrusive<AddrVal>(conn->OrigAddr()));
v->Assign(1, val_mgr->Port(ntohs(conn->OrigPort()), conn->ConnTransport()));
v->Assign(2, make_intrusive<AddrVal>(conn->RespAddr()));
v->Assign(3, val_mgr->Port(ntohs(conn->RespPort()), conn->ConnTransport()));
return v;
}
@ -62,26 +62,26 @@ void File::StaticInit()
if ( id_idx != -1 )
return;
id_idx = Idx("id", zeek::id::fa_file);
parent_id_idx = Idx("parent_id", zeek::id::fa_file);
source_idx = Idx("source", zeek::id::fa_file);
is_orig_idx = Idx("is_orig", zeek::id::fa_file);
conns_idx = Idx("conns", zeek::id::fa_file);
last_active_idx = Idx("last_active", zeek::id::fa_file);
seen_bytes_idx = Idx("seen_bytes", zeek::id::fa_file);
total_bytes_idx = Idx("total_bytes", zeek::id::fa_file);
missing_bytes_idx = Idx("missing_bytes", zeek::id::fa_file);
overflow_bytes_idx = Idx("overflow_bytes", zeek::id::fa_file);
timeout_interval_idx = Idx("timeout_interval", zeek::id::fa_file);
bof_buffer_size_idx = Idx("bof_buffer_size", zeek::id::fa_file);
bof_buffer_idx = Idx("bof_buffer", zeek::id::fa_file);
meta_mime_type_idx = Idx("mime_type", zeek::id::fa_metadata);
meta_mime_types_idx = Idx("mime_types", zeek::id::fa_metadata);
meta_inferred_idx = Idx("inferred", zeek::id::fa_metadata);
id_idx = Idx("id", id::fa_file);
parent_id_idx = Idx("parent_id", id::fa_file);
source_idx = Idx("source", id::fa_file);
is_orig_idx = Idx("is_orig", id::fa_file);
conns_idx = Idx("conns", id::fa_file);
last_active_idx = Idx("last_active", id::fa_file);
seen_bytes_idx = Idx("seen_bytes", id::fa_file);
total_bytes_idx = Idx("total_bytes", id::fa_file);
missing_bytes_idx = Idx("missing_bytes", id::fa_file);
overflow_bytes_idx = Idx("overflow_bytes", id::fa_file);
timeout_interval_idx = Idx("timeout_interval", id::fa_file);
bof_buffer_size_idx = Idx("bof_buffer_size", id::fa_file);
bof_buffer_idx = Idx("bof_buffer", id::fa_file);
meta_mime_type_idx = Idx("mime_type", id::fa_metadata);
meta_mime_types_idx = Idx("mime_types", id::fa_metadata);
meta_inferred_idx = Idx("inferred", id::fa_metadata);
}
File::File(const std::string& file_id, const std::string& source_name, zeek::Connection* conn,
zeek::analyzer::Tag tag, bool is_orig)
File::File(const std::string& file_id, const std::string& source_name, Connection* conn,
analyzer::Tag tag, bool is_orig)
: id(file_id), val(nullptr), file_reassembler(nullptr), stream_offset(0),
reassembly_max_buffer(0), did_metadata_inference(false),
reassembly_enabled(false), postpone_timeout(false), done(false),
@ -89,15 +89,15 @@ File::File(const std::string& file_id, const std::string& source_name, zeek::Con
{
StaticInit();
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Creating new File object", file_id.c_str());
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Creating new File object", file_id.c_str());
val = zeek::make_intrusive<zeek::RecordVal>(zeek::id::fa_file);
val->Assign(id_idx, zeek::make_intrusive<zeek::StringVal>(file_id.c_str()));
val = make_intrusive<RecordVal>(id::fa_file);
val->Assign(id_idx, make_intrusive<StringVal>(file_id.c_str()));
SetSource(source_name);
if ( conn )
{
val->Assign(is_orig_idx, zeek::val_mgr->Bool(is_orig));
val->Assign(is_orig_idx, val_mgr->Bool(is_orig));
UpdateConnectionFields(conn, is_orig);
}
@ -106,7 +106,7 @@ File::File(const std::string& file_id, const std::string& source_name, zeek::Con
File::~File()
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Destroying File object", id.c_str());
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Destroying File object", id.c_str());
delete file_reassembler;
for ( auto a : done_analyzers )
@ -115,7 +115,7 @@ File::~File()
void File::UpdateLastActivityTime()
{
val->Assign(last_active_idx, zeek::make_intrusive<zeek::TimeVal>(zeek::run_state::network_time));
val->Assign(last_active_idx, make_intrusive<TimeVal>(run_state::network_time));
}
double File::GetLastActivityTime() const
@ -123,12 +123,12 @@ double File::GetLastActivityTime() const
return val->GetField(last_active_idx)->AsTime();
}
bool File::UpdateConnectionFields(zeek::Connection* conn, bool is_orig)
bool File::UpdateConnectionFields(Connection* conn, bool is_orig)
{
if ( ! conn )
return false;
zeek::Val* conns = val->GetField(conns_idx).get();
Val* conns = val->GetField(conns_idx).get();
if ( ! conns )
{
@ -146,14 +146,14 @@ bool File::UpdateConnectionFields(zeek::Connection* conn, bool is_orig)
return true;
}
void File::RaiseFileOverNewConnection(zeek::Connection* conn, bool is_orig)
void File::RaiseFileOverNewConnection(Connection* conn, bool is_orig)
{
if ( conn && FileEventAvailable(file_over_new_connection) )
{
FileEvent(file_over_new_connection, {
val,
conn->ConnVal(),
zeek::val_mgr->Bool(is_orig),
val_mgr->Bool(is_orig),
});
}
}
@ -170,13 +170,13 @@ double File::LookupFieldDefaultInterval(int idx) const
return v->AsInterval();
}
int File::Idx(const std::string& field, const zeek::RecordType* type)
int File::Idx(const std::string& field, const RecordType* type)
{
int rval = type->FieldOffset(field.c_str());
if ( rval < 0 )
zeek::reporter->InternalError("Unknown %s field: %s", type->GetName().c_str(),
field.c_str());
reporter->InternalError("Unknown %s field: %s", type->GetName().c_str(),
field.c_str());
return rval;
}
@ -190,7 +190,7 @@ std::string File::GetSource() const
void File::SetSource(const std::string& source)
{
val->Assign(source_idx, zeek::make_intrusive<zeek::StringVal>(source.c_str()));
val->Assign(source_idx, make_intrusive<StringVal>(source.c_str()));
}
double File::GetTimeoutInterval() const
@ -200,13 +200,13 @@ double File::GetTimeoutInterval() const
void File::SetTimeoutInterval(double interval)
{
val->Assign(timeout_interval_idx, zeek::make_intrusive<zeek::IntervalVal>(interval));
val->Assign(timeout_interval_idx, make_intrusive<IntervalVal>(interval));
}
bool File::SetExtractionLimit(zeek::RecordVal* args, uint64_t bytes)
{ return SetExtractionLimit({zeek::NewRef{}, args}, bytes); }
bool File::SetExtractionLimit(RecordVal* args, uint64_t bytes)
{ return SetExtractionLimit({NewRef{}, args}, bytes); }
bool File::SetExtractionLimit(zeek::RecordValPtr args, uint64_t bytes)
bool File::SetExtractionLimit(RecordValPtr args, uint64_t bytes)
{
Analyzer* a = analyzers.Find(file_mgr->GetComponentTag("EXTRACT"),
std::move(args));
@ -214,7 +214,7 @@ bool File::SetExtractionLimit(zeek::RecordValPtr args, uint64_t bytes)
if ( ! a )
return false;
auto* e = dynamic_cast<zeek::file_analysis::detail::Extract*>(a);
auto* e = dynamic_cast<file_analysis::detail::Extract*>(a);
if ( ! e )
return false;
@ -226,13 +226,13 @@ bool File::SetExtractionLimit(zeek::RecordValPtr args, uint64_t bytes)
void File::IncrementByteCount(uint64_t size, int field_idx)
{
uint64_t old = LookupFieldDefaultCount(field_idx);
val->Assign(field_idx, zeek::val_mgr->Count(old + size));
val->Assign(field_idx, val_mgr->Count(old + size));
}
void File::SetTotalBytes(uint64_t size)
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Total bytes %" PRIu64, id.c_str(), size);
val->Assign(total_bytes_idx, zeek::val_mgr->Count(size));
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Total bytes %" PRIu64, id.c_str(), size);
val->Assign(total_bytes_idx, val_mgr->Count(size));
}
bool File::IsComplete() const
@ -250,15 +250,15 @@ bool File::IsComplete() const
void File::ScheduleInactivityTimer() const
{
zeek::detail::timer_mgr->Add(new detail::FileTimer(zeek::run_state::network_time, id, GetTimeoutInterval()));
zeek::detail::timer_mgr->Add(new detail::FileTimer(run_state::network_time, id, GetTimeoutInterval()));
}
bool File::AddAnalyzer(file_analysis::Tag tag, zeek::RecordVal* args)
{ return AddAnalyzer(tag, {zeek::NewRef{}, args}); }
bool File::AddAnalyzer(file_analysis::Tag tag, RecordVal* args)
{ return AddAnalyzer(tag, {NewRef{}, args}); }
bool File::AddAnalyzer(file_analysis::Tag tag, zeek::RecordValPtr args)
bool File::AddAnalyzer(file_analysis::Tag tag, RecordValPtr args)
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Queuing addition of %s analyzer",
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Queuing addition of %s analyzer",
id.c_str(), file_mgr->GetComponentName(tag).c_str());
if ( done )
@ -267,12 +267,12 @@ bool File::AddAnalyzer(file_analysis::Tag tag, zeek::RecordValPtr args)
return analyzers.QueueAdd(tag, std::move(args)) != nullptr;
}
bool File::RemoveAnalyzer(file_analysis::Tag tag, zeek::RecordVal* args)
{ return RemoveAnalyzer(tag, {zeek::NewRef{}, args}); }
bool File::RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args)
{ return RemoveAnalyzer(tag, {NewRef{}, args}); }
bool File::RemoveAnalyzer(file_analysis::Tag tag, zeek::RecordValPtr args)
bool File::RemoveAnalyzer(file_analysis::Tag tag, RecordValPtr args)
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Queuing remove of %s analyzer",
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Queuing remove of %s analyzer",
id.c_str(), file_mgr->GetComponentName(tag).c_str());
return done ? false : analyzers.QueueRemove(tag, std::move(args));
@ -306,9 +306,9 @@ bool File::SetMime(const std::string& mime_type)
if ( ! FileEventAvailable(file_sniff) )
return false;
auto meta = zeek::make_intrusive<zeek::RecordVal>(zeek::id::fa_metadata);
meta->Assign(meta_mime_type_idx, zeek::make_intrusive<zeek::StringVal>(mime_type));
meta->Assign(meta_inferred_idx, zeek::val_mgr->False());
auto meta = make_intrusive<RecordVal>(id::fa_metadata);
meta->Assign(meta_mime_type_idx, make_intrusive<StringVal>(mime_type));
meta->Assign(meta_inferred_idx, val_mgr->False());
FileEvent(file_sniff, {val, std::move(meta)});
return true;
@ -318,15 +318,15 @@ void File::InferMetadata()
{
did_metadata_inference = true;
zeek::Val* bof_buffer_val = val->GetField(bof_buffer_idx).get();
Val* bof_buffer_val = val->GetField(bof_buffer_idx).get();
if ( ! bof_buffer_val )
{
if ( bof_buffer.size == 0 )
return;
zeek::String* bs = concatenate(bof_buffer.chunks);
val->Assign<zeek::StringVal>(bof_buffer_idx, bs);
String* bs = concatenate(bof_buffer.chunks);
val->Assign<StringVal>(bof_buffer_idx, bs);
bof_buffer_val = val->GetField(bof_buffer_idx).get();
}
@ -339,11 +339,11 @@ void File::InferMetadata()
len = std::min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
file_mgr->DetectMIME(data, len, &matches);
auto meta = zeek::make_intrusive<zeek::RecordVal>(zeek::id::fa_metadata);
auto meta = make_intrusive<RecordVal>(id::fa_metadata);
if ( ! matches.empty() )
{
meta->Assign<zeek::StringVal>(meta_mime_type_idx,
meta->Assign<StringVal>(meta_mime_type_idx,
*(matches.begin()->second.begin()));
meta->Assign(meta_mime_types_idx,
file_analysis::GenMIMEMatchesVal(matches));
@ -359,7 +359,7 @@ bool File::BufferBOF(const u_char* data, uint64_t len)
uint64_t desired_size = LookupFieldDefaultCount(bof_buffer_size_idx);
bof_buffer.chunks.push_back(new zeek::String(data, len, false));
bof_buffer.chunks.push_back(new String(data, len, false));
bof_buffer.size += len;
if ( bof_buffer.size < desired_size )
@ -369,8 +369,8 @@ bool File::BufferBOF(const u_char* data, uint64_t len)
if ( bof_buffer.size > 0 )
{
zeek::String* bs = concatenate(bof_buffer.chunks);
val->Assign(bof_buffer_idx, zeek::make_intrusive<zeek::StringVal>(bs));
String* bs = concatenate(bof_buffer.chunks);
val->Assign(bof_buffer_idx, make_intrusive<StringVal>(bs));
}
return false;
@ -386,22 +386,22 @@ void File::DeliverStream(const u_char* data, uint64_t len)
LookupFieldDefaultCount(missing_bytes_idx) == 0 )
InferMetadata();
DBG_LOG(zeek::DBG_FILE_ANALYSIS,
DBG_LOG(DBG_FILE_ANALYSIS,
"[%s] %" PRIu64 " stream bytes in at offset %" PRIu64 "; %s [%s%s]",
id.c_str(), len, stream_offset,
IsComplete() ? "complete" : "incomplete",
zeek::util::fmt_bytes((const char*) data, std::min((uint64_t)40, len)),
util::fmt_bytes((const char*) data, std::min((uint64_t)40, len)),
len > 40 ? "..." : "");
file_analysis::Analyzer* a = nullptr;
zeek::IterCookie* c = analyzers.InitForIteration();
IterCookie* c = analyzers.InitForIteration();
while ( (a = analyzers.NextEntry(c)) )
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "stream delivery to analyzer %s", file_mgr->GetComponentName(a->Tag()).c_str());
DBG_LOG(DBG_FILE_ANALYSIS, "stream delivery to analyzer %s", file_mgr->GetComponentName(a->Tag()).c_str());
if ( ! a->GotStreamDelivery() )
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "skipping stream delivery to analyzer %s", file_mgr->GetComponentName(a->Tag()).c_str());
DBG_LOG(DBG_FILE_ANALYSIS, "skipping stream delivery to analyzer %s", file_mgr->GetComponentName(a->Tag()).c_str());
int num_bof_chunks_behind = bof_buffer.chunks.size();
if ( ! bof_was_full )
@ -462,14 +462,14 @@ void File::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
{
FileEvent(file_reassembly_overflow, {
val,
zeek::val_mgr->Count(current_offset),
zeek::val_mgr->Count(gap_bytes)
val_mgr->Count(current_offset),
val_mgr->Count(gap_bytes)
});
}
}
// Forward data to the reassembler.
file_reassembler->NewBlock(zeek::run_state::network_time, offset, len, data);
file_reassembler->NewBlock(run_state::network_time, offset, len, data);
}
else if ( stream_offset == offset )
{
@ -482,7 +482,7 @@ void File::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
// This is data that doesn't match the offset and the reassembler
// needs to be enabled.
file_reassembler = new FileReassembler(this, stream_offset);
file_reassembler->NewBlock(zeek::run_state::network_time, offset, len, data);
file_reassembler->NewBlock(run_state::network_time, offset, len, data);
}
else
{
@ -490,19 +490,19 @@ void File::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
IncrementByteCount(len, overflow_bytes_idx);
}
DBG_LOG(zeek::DBG_FILE_ANALYSIS,
DBG_LOG(DBG_FILE_ANALYSIS,
"[%s] %" PRIu64 " chunk bytes in at offset %" PRIu64 "; %s [%s%s]",
id.c_str(), len, offset,
IsComplete() ? "complete" : "incomplete",
zeek::util::fmt_bytes((const char*) data, std::min((uint64_t)40, len)),
util::fmt_bytes((const char*) data, std::min((uint64_t)40, len)),
len > 40 ? "..." : "");
file_analysis::Analyzer* a = nullptr;
zeek::IterCookie* c = analyzers.InitForIteration();
IterCookie* c = analyzers.InitForIteration();
while ( (a = analyzers.NextEntry(c)) )
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "chunk delivery to analyzer %s", file_mgr->GetComponentName(a->Tag()).c_str());
DBG_LOG(DBG_FILE_ANALYSIS, "chunk delivery to analyzer %s", file_mgr->GetComponentName(a->Tag()).c_str());
if ( ! a->Skipping() )
{
if ( ! a->DeliverChunk(data, len, offset) )
@ -538,7 +538,7 @@ void File::DataIn(const u_char* data, uint64_t len)
void File::EndOfFile()
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] End of file", id.c_str());
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] End of file", id.c_str());
if ( done )
return;
@ -553,7 +553,7 @@ void File::EndOfFile()
// any stream analyzers.
if ( ! bof_buffer.full )
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] File over but bof_buffer not full.", id.c_str());
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] File over but bof_buffer not full.", id.c_str());
bof_buffer.full = true;
DeliverStream((const u_char*) "", 0);
}
@ -562,7 +562,7 @@ void File::EndOfFile()
done = true;
file_analysis::Analyzer* a = nullptr;
zeek::IterCookie* c = analyzers.InitForIteration();
IterCookie* c = analyzers.InitForIteration();
while ( (a = analyzers.NextEntry(c)) )
{
@ -577,7 +577,7 @@ void File::EndOfFile()
void File::Gap(uint64_t offset, uint64_t len)
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Gap of size %" PRIu64 " at offset %" PRIu64,
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Gap of size %" PRIu64 " at offset %" PRIu64,
id.c_str(), len, offset);
if ( file_reassembler && ! file_reassembler->IsCurrentlyFlushing() )
@ -589,13 +589,13 @@ void File::Gap(uint64_t offset, uint64_t len)
if ( ! bof_buffer.full )
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] File gap before bof_buffer filled, continued without attempting to fill bof_buffer.", id.c_str());
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] File gap before bof_buffer filled, continued without attempting to fill bof_buffer.", id.c_str());
bof_buffer.full = true;
DeliverStream((const u_char*) "", 0);
}
file_analysis::Analyzer* a = nullptr;
zeek::IterCookie* c = analyzers.InitForIteration();
IterCookie* c = analyzers.InitForIteration();
while ( (a = analyzers.NextEntry(c)) )
{
@ -604,7 +604,7 @@ void File::Gap(uint64_t offset, uint64_t len)
}
if ( FileEventAvailable(file_gap) )
FileEvent(file_gap, {val, zeek::val_mgr->Count(offset), zeek::val_mgr->Count(len)});
FileEvent(file_gap, {val, val_mgr->Count(offset), val_mgr->Count(len)});
analyzers.DrainModifications();
@ -612,40 +612,40 @@ void File::Gap(uint64_t offset, uint64_t len)
IncrementByteCount(len, missing_bytes_idx);
}
bool File::FileEventAvailable(zeek::EventHandlerPtr h)
bool File::FileEventAvailable(EventHandlerPtr h)
{
return h && ! file_mgr->IsIgnored(id);
}
void File::FileEvent(zeek::EventHandlerPtr h)
void File::FileEvent(EventHandlerPtr h)
{
if ( ! FileEventAvailable(h) )
return;
FileEvent(h, zeek::Args{val});
FileEvent(h, Args{val});
}
void File::FileEvent(zeek::EventHandlerPtr h, ValPList* vl)
void File::FileEvent(EventHandlerPtr h, ValPList* vl)
{
FileEvent(h, zeek::val_list_to_args(*vl));
FileEvent(h, val_list_to_args(*vl));
delete vl;
}
void File::FileEvent(zeek::EventHandlerPtr h, ValPList vl)
void File::FileEvent(EventHandlerPtr h, ValPList vl)
{
FileEvent(h, zeek::val_list_to_args(vl));
FileEvent(h, val_list_to_args(vl));
}
void File::FileEvent(zeek::EventHandlerPtr h, zeek::Args args)
void File::FileEvent(EventHandlerPtr h, Args args)
{
zeek::event_mgr.Enqueue(h, std::move(args));
event_mgr.Enqueue(h, std::move(args));
if ( h == file_new || h == file_over_new_connection ||
h == file_sniff ||
h == file_timeout || h == file_extraction_limit )
{
// immediate feedback is required for these events.
zeek::event_mgr.Drain();
event_mgr.Drain();
analyzers.DrainModifications();
}
}

50
src/file_analysis/File.h
View file

@ -18,8 +18,8 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(RecordType, zeek);
namespace zeek {
using RecordValPtr = zeek::IntrusivePtr<zeek::RecordVal>;
using RecordTypePtr = zeek::IntrusivePtr<zeek::RecordType>;
using RecordValPtr = IntrusivePtr<RecordVal>;
using RecordTypePtr = IntrusivePtr<RecordType>;
}
ZEEK_FORWARD_DECLARE_NAMESPACED(FileReassembler, zeek, file_analysis);
@ -42,11 +42,11 @@ public:
/**
* @return the wrapped \c fa_file record value, #val.
*/
const zeek::RecordValPtr& ToVal() const
const RecordValPtr& ToVal() const
{ return val; }
[[deprecated("Remove in v4.1. Use ToVal().")]]
zeek::RecordVal* GetVal() const
RecordVal* GetVal() const
{ return val.get(); }
/**
@ -78,10 +78,10 @@ public:
* @param bytes new limit.
* @return false if no extraction analyzer is active, else true.
*/
bool SetExtractionLimit(zeek::RecordValPtr args, uint64_t bytes);
bool SetExtractionLimit(RecordValPtr args, uint64_t bytes);
[[deprecated("Remove in v4.1. Pass an IntrusivePtr instead.")]]
bool SetExtractionLimit(zeek::RecordVal* args, uint64_t bytes);
bool SetExtractionLimit(RecordVal* args, uint64_t bytes);
/**
* @return value of the "id" field from #val record.
@ -126,10 +126,10 @@ public:
* @param args an \c AnalyzerArgs value representing a file analyzer.
* @return false if analyzer can't be instantiated, else true.
*/
bool AddAnalyzer(file_analysis::Tag tag, zeek::RecordValPtr args);
bool AddAnalyzer(file_analysis::Tag tag, RecordValPtr args);
[[deprecated("Remove in v4.1. Pass an IntrusivePtr instead.")]]
bool AddAnalyzer(file_analysis::Tag tag, zeek::RecordVal* args);
bool AddAnalyzer(file_analysis::Tag tag, RecordVal* args);
/**
* Queues removal of an analyzer.
@ -137,10 +137,10 @@ public:
* @param args an \c AnalyzerArgs value representing a file analyzer.
* @return true if analyzer was active at time of call, else false.
*/
bool RemoveAnalyzer(file_analysis::Tag tag, zeek::RecordValPtr args);
bool RemoveAnalyzer(file_analysis::Tag tag, RecordValPtr args);
[[deprecated("Remove in v4.1. Pass an IntrusivePtr instead.")]]
bool RemoveAnalyzer(file_analysis::Tag tag, zeek::RecordVal* args);
bool RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args);
/**
* Signal that this analyzer can be deleted once it's safe to do so.
@ -178,37 +178,37 @@ public:
* @param h pointer to an event handler.
* @return true if event has a handler and the file isn't ignored.
*/
bool FileEventAvailable(zeek::EventHandlerPtr h);
bool FileEventAvailable(EventHandlerPtr h);
/**
* Raises an event related to the file's life-cycle, the only parameter
* to that event is the \c fa_file record..
* @param h pointer to an event handler.
*/
void FileEvent(zeek::EventHandlerPtr h);
void FileEvent(EventHandlerPtr h);
/**
* Raises an event related to the file's life-cycle.
* @param h pointer to an event handler.
* @param vl list of argument values to pass to event call.
*/
[[deprecated("Remove in v4.1. Use zeek::Args overload instead.")]]
void FileEvent(zeek::EventHandlerPtr h, ValPList* vl);
[[deprecated("Remove in v4.1. Use Args overload instead.")]]
void FileEvent(EventHandlerPtr h, ValPList* vl);
/**
* Raises an event related to the file's life-cycle.
* @param h pointer to an event handler.
* @param vl list of argument values to pass to event call.
*/
[[deprecated("Remove in v4.1. Use zeek::Args overload instead.")]]
void FileEvent(zeek::EventHandlerPtr h, ValPList vl);
[[deprecated("Remove in v4.1. Use Args overload instead.")]]
void FileEvent(EventHandlerPtr h, ValPList vl);
/**
* Raises an event related to the file's life-cycle.
* @param h pointer to an event handler.
* @param args list of argument values to pass to event call.
*/
void FileEvent(zeek::EventHandlerPtr h, zeek::Args args);
void FileEvent(EventHandlerPtr h, Args args);
/**
* Sets the MIME type for a file to a specific value.
@ -252,8 +252,8 @@ protected:
* of the connection to the responder. False indicates the other
* direction.
*/
File(const std::string& file_id, const std::string& source_name, zeek::Connection* conn = nullptr,
zeek::analyzer::Tag tag = zeek::analyzer::Tag::Error, bool is_orig = false);
File(const std::string& file_id, const std::string& source_name, Connection* conn = nullptr,
analyzer::Tag tag = analyzer::Tag::Error, bool is_orig = false);
/**
* Updates the "conn_ids" and "conn_uids" fields in #val record with the
@ -262,12 +262,12 @@ protected:
* @param is_orig true if the connection originator is sending the file.
* @return true if the connection was previously unknown.
*/
bool UpdateConnectionFields(zeek::Connection* conn, bool is_orig);
bool UpdateConnectionFields(Connection* conn, bool is_orig);
/**
* Raise the file_over_new_connection event with given arguments.
*/
void RaiseFileOverNewConnection(zeek::Connection* conn, bool is_orig);
void RaiseFileOverNewConnection(Connection* conn, bool is_orig);
/**
* Increment a byte count field of #val record by \a size.
@ -340,8 +340,8 @@ protected:
* @param type the record type for which the field will be looked up.
* @return the field offset in #val record corresponding to \a field_name.
*/
static int Idx(const std::string& field_name, const zeek::RecordType* type);
static int Idx(const std::string& field_name, const zeek::RecordTypePtr& type)
static int Idx(const std::string& field_name, const RecordType* type);
static int Idx(const std::string& field_name, const RecordTypePtr& type)
{ return Idx(field_name, type.get()); }
/**
@ -351,7 +351,7 @@ protected:
protected:
std::string id; /**< A pretty hash that likely identifies file */
zeek::RecordValPtr val; /**< \c fa_file from script layer. */
RecordValPtr val; /**< \c fa_file from script layer. */
FileReassembler* file_reassembler; /**< A reassembler for the file if it's needed. */
uint64_t stream_offset; /**< The offset of the file which has been forwarded. */
uint64_t reassembly_max_buffer; /**< Maximum allowed buffer for reassembly. */
@ -369,7 +369,7 @@ protected:
bool full;
uint64_t size;
zeek::String::CVec chunks;
String::CVec chunks;
} bof_buffer; /**< Beginning of file buffer. */
zeek::detail::WeirdStateMap weird_state;

4
src/file_analysis/FileReassembler.cc
View file

@ -8,7 +8,7 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
namespace zeek::file_analysis {
FileReassembler::FileReassembler(File *f, uint64_t starting_offset)
: zeek::Reassembler(starting_offset, zeek::REASSEM_FILE), the_file(f), flushing(false)
: Reassembler(starting_offset, REASSEM_FILE), the_file(f), flushing(false)
{
}
@ -41,7 +41,7 @@ uint64_t FileReassembler::FlushTo(uint64_t sequence)
return rval;
}
void FileReassembler::BlockInserted(zeek::DataBlockMap::const_iterator it)
void FileReassembler::BlockInserted(DataBlockMap::const_iterator it)
{
const auto& start_block = it->second;

4
src/file_analysis/FileReassembler.h
View file

@ -12,7 +12,7 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
namespace zeek::file_analysis {
class FileReassembler final : public zeek::Reassembler {
class FileReassembler final : public Reassembler {
public:
FileReassembler(File* f, uint64_t starting_offset);
@ -51,7 +51,7 @@ public:
protected:
void Undelivered(uint64_t up_to_seq) override;
void BlockInserted(zeek::DataBlockMap::const_iterator it) override;
void BlockInserted(DataBlockMap::const_iterator it) override;
void Overlap(const u_char* b1, const u_char* b2, uint64_t n) override;
File* the_file = nullptr;

4
src/file_analysis/FileTimer.cc
View file

@ -9,7 +9,7 @@ namespace zeek::file_analysis::detail {
FileTimer::FileTimer(double t, const std::string& id, double interval)
: zeek::detail::Timer(t + interval, zeek::detail::TIMER_FILE_ANALYSIS_INACTIVITY), file_id(id)
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "New %f second timeout timer for %s",
DBG_LOG(DBG_FILE_ANALYSIS, "New %f second timeout timer for %s",
interval, file_id.c_str());
}
@ -23,7 +23,7 @@ void FileTimer::Dispatch(double t, bool is_expire)
double last_active = file->GetLastActivityTime();
double inactive_time = t > last_active ? t - last_active : 0.0;
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "Checking inactivity for %s, last active at %f, "
DBG_LOG(DBG_FILE_ANALYSIS, "Checking inactivity for %s, last active at %f, "
"inactive for %f", file_id.c_str(), last_active, inactive_time);
if ( last_active == 0.0 )

120
src/file_analysis/Manager.cc
View file

@ -18,8 +18,8 @@ using namespace std;
namespace zeek::file_analysis {
Manager::Manager()
: plugin::ComponentManager<zeek::file_analysis::Tag,
zeek::file_analysis::Component>("Files", "Tag"),
: plugin::ComponentManager<file_analysis::Tag,
file_analysis::Component>("Files", "Tag"),
current_file_id(), magic_state(), cumulative_files(0), max_files(0)
{
}
@ -62,7 +62,7 @@ void Manager::Terminate()
for ( const string& key : keys )
Timeout(key, true);
zeek::event_mgr.Drain();
event_mgr.Drain();
}
string Manager::HashHandle(const string& handle) const
@ -70,7 +70,7 @@ string Manager::HashHandle(const string& handle) const
zeek::detail::hash128_t hash;
zeek::detail::KeyedHash::StaticHash128(handle.data(), handle.size(), &hash);
return zeek::UID(zeek::detail::bits_per_uid, hash, 2).Base62("F");
return UID(zeek::detail::bits_per_uid, hash, 2).Base62("F");
}
void Manager::SetHandle(const string& handle)
@ -79,11 +79,11 @@ void Manager::SetHandle(const string& handle)
return;
#ifdef DEBUG
if ( debug_logger.IsEnabled(zeek::DBG_FILE_ANALYSIS) )
if ( debug_logger.IsEnabled(DBG_FILE_ANALYSIS) )
{
zeek::String tmp{handle};
String tmp{handle};
auto rendered = tmp.Render();
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "Set current handle to %s", rendered);
DBG_LOG(DBG_FILE_ANALYSIS, "Set current handle to %s", rendered);
delete [] rendered;
}
#endif
@ -92,7 +92,7 @@ void Manager::SetHandle(const string& handle)
}
string Manager::DataIn(const u_char* data, uint64_t len, uint64_t offset,
const zeek::analyzer::Tag& tag, zeek::Connection* conn, bool is_orig,
const analyzer::Tag& tag, Connection* conn, bool is_orig,
const string& precomputed_id, const string& mime_type)
{
string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id;
@ -121,8 +121,8 @@ string Manager::DataIn(const u_char* data, uint64_t len, uint64_t offset,
return id;
}
string Manager::DataIn(const u_char* data, uint64_t len, const zeek::analyzer::Tag& tag,
zeek::Connection* conn, bool is_orig, const string& precomputed_id,
string Manager::DataIn(const u_char* data, uint64_t len, const analyzer::Tag& tag,
Connection* conn, bool is_orig, const string& precomputed_id,
const string& mime_type)
{
string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id;
@ -150,7 +150,7 @@ string Manager::DataIn(const u_char* data, uint64_t len, const zeek::analyzer::T
void Manager::DataIn(const u_char* data, uint64_t len, const string& file_id,
const string& source)
{
File* file = GetFile(file_id, nullptr, zeek::analyzer::Tag::Error, false, false,
File* file = GetFile(file_id, nullptr, analyzer::Tag::Error, false, false,
source.c_str());
if ( ! file )
@ -162,13 +162,13 @@ void Manager::DataIn(const u_char* data, uint64_t len, const string& file_id,
RemoveFile(file->GetID());
}
void Manager::EndOfFile(const zeek::analyzer::Tag& tag, zeek::Connection* conn)
void Manager::EndOfFile(const analyzer::Tag& tag, Connection* conn)
{
EndOfFile(tag, conn, true);
EndOfFile(tag, conn, false);
}
void Manager::EndOfFile(const zeek::analyzer::Tag& tag, zeek::Connection* conn, bool is_orig)
void Manager::EndOfFile(const analyzer::Tag& tag, Connection* conn, bool is_orig)
{
// Don't need to create a file if we're just going to remove it right away.
RemoveFile(GetFileID(tag, conn, is_orig));
@ -179,8 +179,8 @@ void Manager::EndOfFile(const string& file_id)
RemoveFile(file_id);
}
string Manager::Gap(uint64_t offset, uint64_t len, const zeek::analyzer::Tag& tag,
zeek::Connection* conn, bool is_orig, const string& precomputed_id)
string Manager::Gap(uint64_t offset, uint64_t len, const analyzer::Tag& tag,
Connection* conn, bool is_orig, const string& precomputed_id)
{
string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id;
File* file = GetFile(id, conn, tag, is_orig);
@ -192,7 +192,7 @@ string Manager::Gap(uint64_t offset, uint64_t len, const zeek::analyzer::Tag& ta
return id;
}
string Manager::SetSize(uint64_t size, const zeek::analyzer::Tag& tag, zeek::Connection* conn,
string Manager::SetSize(uint64_t size, const analyzer::Tag& tag, Connection* conn,
bool is_orig, const string& precomputed_id)
{
string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id;
@ -259,12 +259,12 @@ bool Manager::SetReassemblyBuffer(const string& file_id, uint64_t max)
return true;
}
bool Manager::SetExtractionLimit(const string& file_id, zeek::RecordVal* args,
bool Manager::SetExtractionLimit(const string& file_id, RecordVal* args,
uint64_t n) const
{ return SetExtractionLimit(file_id, {zeek::NewRef{}, args}, n); }
{ return SetExtractionLimit(file_id, {NewRef{}, args}, n); }
bool Manager::SetExtractionLimit(const string& file_id,
zeek::RecordValPtr args, uint64_t n) const
RecordValPtr args, uint64_t n) const
{
File* file = LookupFile(file_id);
@ -274,12 +274,12 @@ bool Manager::SetExtractionLimit(const string& file_id,
return file->SetExtractionLimit(std::move(args), n);
}
bool Manager::AddAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag,
zeek::RecordVal* args) const
{ return AddAnalyzer(file_id, tag, {zeek::NewRef{}, args}); }
bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
RecordVal* args) const
{ return AddAnalyzer(file_id, tag, {NewRef{}, args}); }
bool Manager::AddAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag,
zeek::RecordValPtr args) const
bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
RecordValPtr args) const
{
File* file = LookupFile(file_id);
@ -289,12 +289,12 @@ bool Manager::AddAnalyzer(const string& file_id, const zeek::file_analysis::Tag&
return file->AddAnalyzer(tag, std::move(args));
}
bool Manager::RemoveAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag,
zeek::RecordVal* args) const
{ return RemoveAnalyzer(file_id, tag, {zeek::NewRef{}, args}); }
bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& tag,
RecordVal* args) const
{ return RemoveAnalyzer(file_id, tag, {NewRef{}, args}); }
bool Manager::RemoveAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag,
zeek::RecordValPtr args) const
bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& tag,
RecordValPtr args) const
{
File* file = LookupFile(file_id);
@ -304,8 +304,8 @@ bool Manager::RemoveAnalyzer(const string& file_id, const zeek::file_analysis::T
return file->RemoveAnalyzer(tag, std::move(args));
}
File* Manager::GetFile(const string& file_id, zeek::Connection* conn,
const zeek::analyzer::Tag& tag, bool is_orig, bool update_conn,
File* Manager::GetFile(const string& file_id, Connection* conn,
const analyzer::Tag& tag, bool is_orig, bool update_conn,
const char* source_name)
{
if ( file_id.empty() )
@ -320,7 +320,7 @@ File* Manager::GetFile(const string& file_id, zeek::Connection* conn,
{
rval = new File(file_id,
source_name ? source_name
: zeek::analyzer_mgr->GetComponentName(tag),
: analyzer_mgr->GetComponentName(tag),
conn, tag, is_orig);
id_map[file_id] = rval;
@ -372,14 +372,14 @@ void Manager::Timeout(const string& file_id, bool is_terminating)
if ( file->postpone_timeout && ! is_terminating )
{
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "Postpone file analysis timeout for %s",
DBG_LOG(DBG_FILE_ANALYSIS, "Postpone file analysis timeout for %s",
file->GetID().c_str());
file->UpdateLastActivityTime();
file->ScheduleInactivityTimer();
return;
}
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "File analysis timeout for %s",
DBG_LOG(DBG_FILE_ANALYSIS, "File analysis timeout for %s",
file->GetID().c_str());
RemoveFile(file->GetID());
@ -390,7 +390,7 @@ bool Manager::IgnoreFile(const string& file_id)
if ( ! LookupFile(file_id) )
return false;
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "Ignore FileID %s", file_id.c_str());
DBG_LOG(DBG_FILE_ANALYSIS, "Ignore FileID %s", file_id.c_str());
ignored.insert(file_id);
return true;
@ -406,7 +406,7 @@ bool Manager::RemoveFile(const string& file_id)
if ( ! f )
return false;
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Remove file", file_id.c_str());
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Remove file", file_id.c_str());
f->EndOfFile();
@ -421,7 +421,7 @@ bool Manager::IsIgnored(const string& file_id)
return ignored.find(file_id) != ignored.end();
}
string Manager::GetFileID(const zeek::analyzer::Tag& tag, zeek::Connection* c, bool is_orig)
string Manager::GetFileID(const analyzer::Tag& tag, Connection* c, bool is_orig)
{
current_file_id.clear();
@ -431,22 +431,22 @@ string Manager::GetFileID(const zeek::analyzer::Tag& tag, zeek::Connection* c, b
if ( ! get_file_handle )
return "";
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "Raise get_file_handle() for protocol analyzer %s",
zeek::analyzer_mgr->GetComponentName(tag).c_str());
DBG_LOG(DBG_FILE_ANALYSIS, "Raise get_file_handle() for protocol analyzer %s",
analyzer_mgr->GetComponentName(tag).c_str());
const auto& tagval = tag.AsVal();
zeek::event_mgr.Enqueue(get_file_handle, tagval, c->ConnVal(), zeek::val_mgr->Bool(is_orig));
zeek::event_mgr.Drain(); // need file handle immediately so we don't have to buffer data
event_mgr.Enqueue(get_file_handle, tagval, c->ConnVal(), val_mgr->Bool(is_orig));
event_mgr.Drain(); // need file handle immediately so we don't have to buffer data
return current_file_id;
}
bool Manager::IsDisabled(const zeek::analyzer::Tag& tag)
bool Manager::IsDisabled(const analyzer::Tag& tag)
{
if ( ! disabled )
disabled = zeek::id::find_const("Files::disable")->AsTableVal();
disabled = id::find_const("Files::disable")->AsTableVal();
auto index = zeek::val_mgr->Count(bool(tag));
auto index = val_mgr->Count(bool(tag));
auto yield = disabled->FindOrDefault(index);
if ( ! yield )
@ -455,24 +455,24 @@ bool Manager::IsDisabled(const zeek::analyzer::Tag& tag)
return yield->AsBool();
}
Analyzer* Manager::InstantiateAnalyzer(const Tag& tag, zeek::RecordVal* args, File* f) const
{ return InstantiateAnalyzer(tag, {zeek::NewRef{}, args}, f); }
Analyzer* Manager::InstantiateAnalyzer(const Tag& tag, RecordVal* args, File* f) const
{ return InstantiateAnalyzer(tag, {NewRef{}, args}, f); }
Analyzer* Manager::InstantiateAnalyzer(const Tag& tag,
zeek::RecordValPtr args,
RecordValPtr args,
File* f) const
{
Component* c = Lookup(tag);
if ( ! c )
{
zeek::reporter->InternalWarning(
reporter->InternalWarning(
"unknown file analyzer instantiation request: %s",
tag.AsString().c_str());
return nullptr;
}
DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] Instantiate analyzer %s",
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Instantiate analyzer %s",
f->id.c_str(), GetComponentName(tag).c_str());
Analyzer* a;
@ -483,13 +483,13 @@ Analyzer* Manager::InstantiateAnalyzer(const Tag& tag,
a = c->factory(args.get(), f);
else
{
zeek::reporter->InternalWarning("file analyzer %s cannot be instantiated "
"dynamically", c->CanonicalName().c_str());
reporter->InternalWarning("file analyzer %s cannot be instantiated "
"dynamically", c->CanonicalName().c_str());
return nullptr;
}
if ( ! a )
zeek::reporter->InternalError("file analyzer instantiation failed");
reporter->InternalError("file analyzer instantiation failed");
a->SetAnalyzerTag(tag);
@ -501,7 +501,7 @@ zeek::detail::RuleMatcher::MIME_Matches* Manager::DetectMIME(
zeek::detail::RuleMatcher::MIME_Matches* rval) const
{
if ( ! magic_state )
zeek::reporter->InternalError("file magic signature state not initialized");
reporter->InternalError("file magic signature state not initialized");
rval = zeek::detail::rule_matcher->Match(magic_state, data, len, rval);
zeek::detail::rule_matcher->ClearFileMagicState(magic_state);
@ -519,22 +519,22 @@ string Manager::DetectMIME(const u_char* data, uint64_t len) const
return *(matches.begin()->second.begin());
}
zeek::VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m)
VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m)
{
static auto mime_matches = zeek::id::find_type<zeek::VectorType>("mime_matches");
static auto mime_match = zeek::id::find_type<zeek::RecordType>("mime_match");
auto rval = zeek::make_intrusive<zeek::VectorVal>(mime_matches);
static auto mime_matches = id::find_type<VectorType>("mime_matches");
static auto mime_match = id::find_type<RecordType>("mime_match");
auto rval = make_intrusive<VectorVal>(mime_matches);
for ( zeek::detail::RuleMatcher::MIME_Matches::const_iterator it = m.begin();
it != m.end(); ++it )
{
auto element = zeek::make_intrusive<zeek::RecordVal>(mime_match);
auto element = make_intrusive<RecordVal>(mime_match);
for ( set<string>::const_iterator it2 = it->second.begin();
it2 != it->second.end(); ++it2 )
{
element->Assign(0, zeek::val_mgr->Int(it->first));
element->Assign(1, zeek::make_intrusive<zeek::StringVal>(*it2));
element->Assign(0, val_mgr->Int(it->first));
element->Assign(1, make_intrusive<StringVal>(*it2));
}
rval->Assign(rval->Size(), std::move(element));

52
src/file_analysis/Manager.h
View file

@ -27,7 +27,7 @@ namespace file_analysis {
/**
* Main entry point for interacting with file analysis.
*/
class Manager : public zeek::plugin::ComponentManager<Tag, Component> {
class Manager : public plugin::ComponentManager<Tag, Component> {
public:
/**
@ -104,7 +104,7 @@ public:
* indicates the associate file is not going to be analyzed further.
*/
std::string DataIn(const u_char* data, uint64_t len, uint64_t offset,
const zeek::analyzer::Tag& tag, zeek::Connection* conn, bool is_orig,
const analyzer::Tag& tag, Connection* conn, bool is_orig,
const std::string& precomputed_file_id = "",
const std::string& mime_type = "");
@ -130,8 +130,8 @@ public:
* the \c get_file_handle script-layer event). An empty string
* indicates the associated file is not going to be analyzed further.
*/
std::string DataIn(const u_char* data, uint64_t len, const zeek::analyzer::Tag& tag,
zeek::Connection* conn, bool is_orig,
std::string DataIn(const u_char* data, uint64_t len, const analyzer::Tag& tag,
Connection* conn, bool is_orig,
const std::string& precomputed_file_id = "",
const std::string& mime_type = "");
@ -153,7 +153,7 @@ public:
* @param tag network protocol over which the file data is transferred.
* @param conn network connection over which the file data is transferred.
*/
void EndOfFile(const zeek::analyzer::Tag& tag, zeek::Connection* conn);
void EndOfFile(const analyzer::Tag& tag, Connection* conn);
/**
* Signal the end of file data being transferred over a connection in
@ -161,7 +161,7 @@ public:
* @param tag network protocol over which the file data is transferred.
* @param conn network connection over which the file data is transferred.
*/
void EndOfFile(const zeek::analyzer::Tag& tag, zeek::Connection* conn, bool is_orig);
void EndOfFile(const analyzer::Tag& tag, Connection* conn, bool is_orig);
/**
* Signal the end of file data being transferred using the file identifier.
@ -185,8 +185,8 @@ public:
* the \c get_file_handle script-layer event). An empty string
* indicates the associate file is not going to be analyzed further.
*/
std::string Gap(uint64_t offset, uint64_t len, const zeek::analyzer::Tag& tag,
zeek::Connection* conn, bool is_orig,
std::string Gap(uint64_t offset, uint64_t len, const analyzer::Tag& tag,
Connection* conn, bool is_orig,
const std::string& precomputed_file_id = "");
/**
@ -204,7 +204,7 @@ public:
* the \c get_file_handle script-layer event). An empty string
* indicates the associate file is not going to be analyzed further.
*/
std::string SetSize(uint64_t size, const zeek::analyzer::Tag& tag, zeek::Connection* conn,
std::string SetSize(uint64_t size, const analyzer::Tag& tag, Connection* conn,
bool is_orig, const std::string& precomputed_file_id = "");
/**
@ -251,10 +251,10 @@ public:
* else true.
*/
bool SetExtractionLimit(const std::string& file_id,
zeek::RecordValPtr args, uint64_t n) const;
RecordValPtr args, uint64_t n) const;
[[deprecated("Remove in v4.1. Pass IntrusivePtr args param instead.")]]
bool SetExtractionLimit(const std::string& file_id, zeek::RecordVal* args,
bool SetExtractionLimit(const std::string& file_id, RecordVal* args,
uint64_t n) const;
/**
@ -275,11 +275,11 @@ public:
* @return false if the analyzer failed to be instantiated, else true.
*/
bool AddAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
zeek::RecordValPtr args) const;
RecordValPtr args) const;
[[deprecated("Remove in v4.1. Pass IntrusivePtr args param instead.")]]
bool AddAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
zeek::RecordVal* args) const;
RecordVal* args) const;
/**
* Queue removal of an analyzer for a given file identifier.
@ -289,11 +289,11 @@ public:
* @return true if the analyzer is active at the time of call, else false.
*/
bool RemoveAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
zeek::RecordValPtr args) const;
RecordValPtr args) const;
[[deprecated("Remove in v4.1. Pass IntrusivePtr args param instead.")]]
bool RemoveAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
zeek::RecordVal* args) const;
RecordVal* args) const;
/**
* Tells whether analysis for a file is active or ignored.
@ -309,11 +309,11 @@ public:
* @param f The file analzer is to be associated with.
* @return The new analyzer instance or null if tag is invalid.
*/
Analyzer* InstantiateAnalyzer(const Tag& tag, zeek::RecordValPtr args,
Analyzer* InstantiateAnalyzer(const Tag& tag, RecordValPtr args,
File* f) const;
[[deprecated("Remove in v4.1. Pass in IntrusivePtr args instead.")]]
Analyzer* InstantiateAnalyzer(const Tag& tag, zeek::RecordVal* args, File* f) const;
Analyzer* InstantiateAnalyzer(const Tag& tag, RecordVal* args, File* f) const;
/**
* Returns a set of all matching MIME magic signatures for a given
@ -349,7 +349,7 @@ public:
{ return cumulative_files; }
protected:
friend class zeek::file_analysis::detail::FileTimer;
friend class detail::FileTimer;
/**
* Create a new file to be analyzed or retrieve an existing one.
@ -369,8 +369,8 @@ protected:
* exist, the activity time is refreshed along with any
* connection-related fields.
*/
File* GetFile(const std::string& file_id, zeek::Connection* conn = nullptr,
const zeek::analyzer::Tag& tag = zeek::analyzer::Tag::Error,
File* GetFile(const std::string& file_id, Connection* conn = nullptr,
const analyzer::Tag& tag = analyzer::Tag::Error,
bool is_orig = false, bool update_conn = true,
const char* source_name = nullptr);
@ -381,7 +381,7 @@ protected:
* @param is_termination whether the Manager (and probably Bro) is in a
* terminating state. If true, then the timeout cannot be postponed.
*/
void Timeout(const std::string& file_id, bool is_terminating = zeek::run_state::terminating);
void Timeout(const std::string& file_id, bool is_terminating = run_state::terminating);
/**
* Immediately remove file_analysis::File object associated with \a file_id.
@ -401,7 +401,7 @@ protected:
* @return #current_file_id, which is a hash of a unique file handle string
* set by a \c get_file_handle event handler.
*/
std::string GetFileID(const zeek::analyzer::Tag& tag, zeek::Connection* c, bool is_orig);
std::string GetFileID(const analyzer::Tag& tag, Connection* c, bool is_orig);
/**
* Check if analysis is available for files transferred over a given
@ -411,7 +411,7 @@ protected:
* @return whether file analysis is disabled for the analyzer given by
* \a tag.
*/
static bool IsDisabled(const zeek::analyzer::Tag& tag);
static bool IsDisabled(const analyzer::Tag& tag);
private:
typedef std::set<Tag> TagSet;
@ -425,8 +425,8 @@ private:
zeek::detail::RuleFileMagicState* magic_state; /**< File magic signature match state. */
MIMEMap mime_types;/**< Mapping of MIME types to analyzers. */
inline static zeek::TableVal* disabled = nullptr; /**< Table of disabled analyzers. */
inline static zeek::TableType* tag_set_type = nullptr; /**< Type for set[tag]. */
inline static TableVal* disabled = nullptr; /**< Table of disabled analyzers. */
inline static TableType* tag_set_type = nullptr; /**< Type for set[tag]. */
size_t cumulative_files;
size_t max_files;
@ -436,7 +436,7 @@ private:
* Returns a script-layer value corresponding to the \c mime_matches type.
* @param m The MIME match information with which to populate the value.
*/
zeek::VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m);
VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m);
} // namespace file_analysis

10
src/file_analysis/Tag.cc
View file

@ -18,22 +18,22 @@ Tag& Tag::operator=(const Tag& other)
return *this;
}
const zeek::EnumValPtr& Tag::AsVal() const
const EnumValPtr& Tag::AsVal() const
{
return zeek::Tag::AsVal(file_mgr->GetTagType());
}
zeek::EnumVal* Tag::AsEnumVal() const
EnumVal* Tag::AsEnumVal() const
{
return AsVal().get();
}
Tag::Tag(zeek::EnumValPtr val)
Tag::Tag(EnumValPtr val)
: zeek::Tag(std::move(val))
{ }
Tag::Tag(zeek::EnumVal* val)
: zeek::Tag({zeek::NewRef{}, val})
Tag::Tag(EnumVal* val)
: zeek::Tag({NewRef{}, val})
{ }
} // namespace zeek::file_analysis

12
src/file_analysis/Tag.h
View file

@ -88,16 +88,16 @@ public:
*
* @param etype the script-layer enum type associated with the tag.
*/
const zeek::EnumValPtr& AsVal() const;
const EnumValPtr& AsVal() const;
[[deprecated("Remove in v4.1. Use AsVal() instead.")]]
zeek::EnumVal* AsEnumVal() const;
EnumVal* AsEnumVal() const;
static const Tag Error;
protected:
friend class zeek::plugin::ComponentManager<Tag, Component>;
friend class zeek::plugin::TaggedComponent<Tag>;
friend class plugin::ComponentManager<Tag, Component>;
friend class plugin::TaggedComponent<Tag>;
/**
* Constructor.
@ -116,10 +116,10 @@ protected:
*
* @param val An enum value of script type \c Files::Tag.
*/
explicit Tag(zeek::EnumValPtr val);
explicit Tag(EnumValPtr val);
[[deprecated("Remove in v4.1. Construct from IntrusivePtr instead.")]]
explicit Tag(zeek::EnumVal* val);
explicit Tag(EnumVal* val);
};
} // namespace zeek::file_analysis