Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/timw/rename-binpac_bro'

Browse source 
* origin/topic/timw/rename-binpac_bro:
  Rename bro-bif.h to zeek-bif.h
  Fix uses of bro.pac to use zeek.pac
  Rename the bro-related binpac files to zeek
This commit is contained in:
Jon Siwek 2020-08-26 11:20:58 -07:00
commit ff0aa6b050
142 changed files with 973 additions and 954 deletions
Download patch file Download diff file Expand all files Collapse all files

8
CHANGES
View file

@ -1,4 +1,12 @@
3.3.0-dev.206 | 2020-08-26 11:20:58 -0700
* Rename bro-bif.h to zeek-bif.h (Tim Wojtulewicz, Corelight)
* Fix uses of bro.pac to use zeek.pac (Tim Wojtulewicz, Corelight)
* Rename the bro-related binpac files to zeek (Tim Wojtulewicz, Corelight)
3.3.0-dev.202 | 2020-08-26 10:59:59 -0700 3.3.0-dev.202 | 2020-08-26 10:59:59 -0700
* GH-1145: Have mkdir in ensure_dir respect umask. (Vlad Grigorescu) * GH-1145: Have mkdir in ensure_dir respect umask. (Vlad Grigorescu)

2
VERSION
View file

@ -1 +1 @@
3.3.0-dev.202 3.3.0-dev.206

2
auxil/bifcl

@ -1 +1 @@
Subproject commit 4e768eaafb7b8b0e7adde39d90aa6805ac42d937 Subproject commit 89878a05efe2a99eb14c286716676efca6c18b71

5
src/CMakeLists.txt
View file

@ -125,14 +125,15 @@ include(BinPAC)
set(BINPAC_AUXSRC set(BINPAC_AUXSRC
${CMAKE_SOURCE_DIR}/src/binpac.pac ${CMAKE_SOURCE_DIR}/src/binpac.pac
${CMAKE_SOURCE_DIR}/src/zeek.pac
${CMAKE_SOURCE_DIR}/src/bro.pac ${CMAKE_SOURCE_DIR}/src/bro.pac
${CMAKE_SOURCE_DIR}/src/binpac_bro.h ${CMAKE_SOURCE_DIR}/src/binpac_zeek.h
) )
binpac_target(binpac-lib.pac) binpac_target(binpac-lib.pac)
list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}") list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}")
binpac_target(binpac_bro-lib.pac) binpac_target(binpac_zeek-lib.pac)
list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}") list(APPEND BINPAC_OUTPUTS "${BINPAC_OUTPUT_CC}")
######################################################################## ########################################################################

16
src/analyzer/protocol/ayiya/ayiya-analyzer.pac
View file

@ -3,7 +3,7 @@
#include "Conn.h" #include "Conn.h"
%} %}
connection AYIYA_Conn(bro_analyzer: BroAnalyzer) connection AYIYA_Conn(zeek_analyzer: ZeekAnalyzer)
{ {
upflow = AYIYA_Flow; upflow = AYIYA_Flow;
downflow = AYIYA_Flow; downflow = AYIYA_Flow;
@ -15,7 +15,7 @@ flow AYIYA_Flow
function process_ayiya(pdu: PDU): bool function process_ayiya(pdu: PDU): bool
%{ %{
zeek::Connection* c = connection()->bro_analyzer()->Conn(); zeek::Connection* c = connection()->zeek_analyzer()->Conn();
const zeek::EncapsulationStack* e = c->GetEncapsulation(); const zeek::EncapsulationStack* e = c->GetEncapsulation();
if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth ) if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth )
@ -39,7 +39,7 @@ flow AYIYA_Flow
if ( ${pdu.packet}.length() < (int)sizeof(struct ip) ) if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
{ {
connection()->bro_analyzer()->ProtocolViolation( connection()->zeek_analyzer()->ProtocolViolation(
"Truncated AYIYA", (const char*) ${pdu.packet}.data(), "Truncated AYIYA", (const char*) ${pdu.packet}.data(),
${pdu.packet}.length()); ${pdu.packet}.length());
return false; return false;
@ -50,7 +50,7 @@ flow AYIYA_Flow
if ( ( ${pdu.next_header} == IPPROTO_IPV6 && ip->ip_v != 6 ) || if ( ( ${pdu.next_header} == IPPROTO_IPV6 && ip->ip_v != 6 ) ||
( ${pdu.next_header} == IPPROTO_IPV4 && ip->ip_v != 4) ) ( ${pdu.next_header} == IPPROTO_IPV4 && ip->ip_v != 4) )
{ {
connection()->bro_analyzer()->ProtocolViolation( connection()->zeek_analyzer()->ProtocolViolation(
"AYIYA next header mismatch", (const char*)${pdu.packet}.data(), "AYIYA next header mismatch", (const char*)${pdu.packet}.data(),
${pdu.packet}.length()); ${pdu.packet}.length());
return false; return false;
@ -61,20 +61,20 @@ flow AYIYA_Flow
${pdu.packet}.data(), ${pdu.next_header}, inner); ${pdu.packet}.data(), ${pdu.next_header}, inner);
if ( result == 0 ) if ( result == 0 )
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
else if ( result == -2 ) else if ( result == -2 )
connection()->bro_analyzer()->ProtocolViolation( connection()->zeek_analyzer()->ProtocolViolation(
"AYIYA next header internal mismatch", (const char*)${pdu.packet}.data(), "AYIYA next header internal mismatch", (const char*)${pdu.packet}.data(),
${pdu.packet}.length()); ${pdu.packet}.length());
else if ( result < 0 ) else if ( result < 0 )
connection()->bro_analyzer()->ProtocolViolation( connection()->zeek_analyzer()->ProtocolViolation(
"Truncated AYIYA", (const char*) ${pdu.packet}.data(), "Truncated AYIYA", (const char*) ${pdu.packet}.data(),
${pdu.packet}.length()); ${pdu.packet}.length());
else else
connection()->bro_analyzer()->ProtocolViolation( connection()->zeek_analyzer()->ProtocolViolation(
"AYIYA payload length", (const char*) ${pdu.packet}.data(), "AYIYA payload length", (const char*) ${pdu.packet}.data(),
${pdu.packet}.length()); ${pdu.packet}.length());

2
src/analyzer/protocol/ayiya/ayiya.pac
View file

@ -1,6 +1,6 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "IP.h" #include "IP.h"

56
src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
View file

@ -1,6 +1,6 @@
# This code contributed by Nadi Sarrar. # This code contributed by Nadi Sarrar.
connection BitTorrent_Conn(bro_analyzer: BroAnalyzer) { connection BitTorrent_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = BitTorrent_Flow(true); upflow = BitTorrent_Flow(true);
downflow = BitTorrent_Flow(false); downflow = BitTorrent_Flow(false);
}; };
@ -62,15 +62,15 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_handshake ) if ( ::bittorrent_peer_handshake )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_handshake( zeek::BifEvent::enqueue_bittorrent_peer_handshake(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), is_orig(),
to_stringval(reserved), to_stringval(reserved),
to_stringval(info_hash), to_stringval(info_hash),
to_stringval(peer_id)); to_stringval(peer_id));
} }
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
return true; return true;
%} %}
@ -80,8 +80,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_keep_alive ) if ( ::bittorrent_peer_keep_alive )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_keep_alive( zeek::BifEvent::enqueue_bittorrent_peer_keep_alive(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig()); is_orig());
} }
@ -93,8 +93,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_choke ) if ( ::bittorrent_peer_choke )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_choke( zeek::BifEvent::enqueue_bittorrent_peer_choke(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig()); is_orig());
} }
@ -106,8 +106,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_unchoke ) if ( ::bittorrent_peer_unchoke )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_unchoke( zeek::BifEvent::enqueue_bittorrent_peer_unchoke(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig()); is_orig());
} }
@ -119,8 +119,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_interested ) if ( ::bittorrent_peer_interested )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_interested( zeek::BifEvent::enqueue_bittorrent_peer_interested(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig()); is_orig());
} }
@ -132,8 +132,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_not_interested ) if ( ::bittorrent_peer_not_interested )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_not_interested( zeek::BifEvent::enqueue_bittorrent_peer_not_interested(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig()); is_orig());
} }
@ -145,8 +145,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_have ) if ( ::bittorrent_peer_have )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_have( zeek::BifEvent::enqueue_bittorrent_peer_have(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), is_orig(),
piece_index); piece_index);
} }
@ -159,8 +159,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_bitfield ) if ( ::bittorrent_peer_bitfield )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_bitfield( zeek::BifEvent::enqueue_bittorrent_peer_bitfield(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), is_orig(),
to_stringval(bitfield)); to_stringval(bitfield));
} }
@ -174,8 +174,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_request ) if ( ::bittorrent_peer_request )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_request( zeek::BifEvent::enqueue_bittorrent_peer_request(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), is_orig(),
index, begin, length); index, begin, length);
} }
@ -189,8 +189,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_piece ) if ( ::bittorrent_peer_piece )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_piece( zeek::BifEvent::enqueue_bittorrent_peer_piece(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), is_orig(),
index, begin, piece_length); index, begin, piece_length);
} }
@ -204,8 +204,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_cancel ) if ( ::bittorrent_peer_cancel )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_cancel( zeek::BifEvent::enqueue_bittorrent_peer_cancel(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), is_orig(),
index, begin, length); index, begin, length);
} }
@ -218,8 +218,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_port ) if ( ::bittorrent_peer_port )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_port( zeek::BifEvent::enqueue_bittorrent_peer_port(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), is_orig(),
zeek::val_mgr->Port(listen_port, TRANSPORT_TCP)); zeek::val_mgr->Port(listen_port, TRANSPORT_TCP));
} }
@ -232,8 +232,8 @@ flow BitTorrent_Flow(is_orig: bool) {
if ( ::bittorrent_peer_unknown ) if ( ::bittorrent_peer_unknown )
{ {
zeek::BifEvent::enqueue_bittorrent_peer_unknown( zeek::BifEvent::enqueue_bittorrent_peer_unknown(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), is_orig(),
id, id,
to_stringval(data)); to_stringval(data));

5
src/analyzer/protocol/bittorrent/bittorrent.pac
View file

@ -1,7 +1,7 @@
# This code contributed to Bro by Nadi Sarrar. # This code contributed to Zeek by Nadi Sarrar.
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#define MSGLEN_LIMIT 0x40000 #define MSGLEN_LIMIT 0x40000
@ -16,4 +16,3 @@ analyzer BitTorrent withcontext {
%include bittorrent-protocol.pac %include bittorrent-protocol.pac
%include bittorrent-analyzer.pac %include bittorrent-analyzer.pac

30
src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
View file

@ -29,7 +29,7 @@ refine connection DCE_RPC_Conn += {
function proc_dce_rpc_pdu(pdu: DCE_RPC_PDU): bool function proc_dce_rpc_pdu(pdu: DCE_RPC_PDU): bool
%{ %{
// If a whole pdu message parsed ok, let's confirm the protocol // If a whole pdu message parsed ok, let's confirm the protocol
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
return true; return true;
%} %}
@ -37,8 +37,8 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_message ) if ( dce_rpc_message )
{ {
zeek::BifEvent::enqueue_dce_rpc_message(bro_analyzer(), zeek::BifEvent::enqueue_dce_rpc_message(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
${header.is_orig}, ${header.is_orig},
fid, fid,
${header.PTYPE}, ${header.PTYPE},
@ -51,8 +51,8 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_bind ) if ( dce_rpc_bind )
{ {
zeek::BifEvent::enqueue_dce_rpc_bind(bro_analyzer(), zeek::BifEvent::enqueue_dce_rpc_bind(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
fid, fid,
${req.id}, ${req.id},
to_stringval(${req.abstract_syntax.uuid}), to_stringval(${req.abstract_syntax.uuid}),
@ -67,8 +67,8 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_alter_context ) if ( dce_rpc_alter_context )
{ {
zeek::BifEvent::enqueue_dce_rpc_alter_context(bro_analyzer(), zeek::BifEvent::enqueue_dce_rpc_alter_context(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
fid, fid,
${req.id}, ${req.id},
to_stringval(${req.abstract_syntax.uuid}), to_stringval(${req.abstract_syntax.uuid}),
@ -92,8 +92,8 @@ refine connection DCE_RPC_Conn += {
else else
sec_addr = zeek::make_intrusive<zeek::StringVal>(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin()); sec_addr = zeek::make_intrusive<zeek::StringVal>(${bind.sec_addr}.length(), (const char*) ${bind.sec_addr}.begin());
zeek::BifEvent::enqueue_dce_rpc_bind_ack(bro_analyzer(), zeek::BifEvent::enqueue_dce_rpc_bind_ack(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
fid, fid,
std::move(sec_addr)); std::move(sec_addr));
} }
@ -104,8 +104,8 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_alter_context_resp ) if ( dce_rpc_alter_context_resp )
{ {
zeek::BifEvent::enqueue_dce_rpc_alter_context_resp(bro_analyzer(), zeek::BifEvent::enqueue_dce_rpc_alter_context_resp(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
fid); fid);
} }
return true; return true;
@ -115,8 +115,8 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_request ) if ( dce_rpc_request )
{ {
zeek::BifEvent::enqueue_dce_rpc_request(bro_analyzer(), zeek::BifEvent::enqueue_dce_rpc_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
fid, fid,
${req.context_id}, ${req.context_id},
${req.opnum}, ${req.opnum},
@ -132,8 +132,8 @@ refine connection DCE_RPC_Conn += {
%{ %{
if ( dce_rpc_response ) if ( dce_rpc_response )
{ {
zeek::BifEvent::enqueue_dce_rpc_response(bro_analyzer(), zeek::BifEvent::enqueue_dce_rpc_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
fid, fid,
${resp.context_id}, ${resp.context_id},
get_cont_id_opnum_map(${resp.context_id}), get_cont_id_opnum_map(${resp.context_id}),

6
src/analyzer/protocol/dce-rpc/dce_rpc-auth.pac
View file

@ -32,18 +32,18 @@ refine connection DCE_RPC_Conn += {
{ {
case 0x09: case 0x09:
if ( ! gssapi ) if ( ! gssapi )
gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn()); gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn());
if ( gssapi ) if ( gssapi )
gssapi->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig); gssapi->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break; break;
case 0x0a: case 0x0a:
if ( ! ntlm ) if ( ! ntlm )
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn());
if ( ntlm ) if ( ntlm )
ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig); ntlm->DeliverStream(${auth.blob}.length(), ${auth.blob}.begin(), is_orig);
break; break;
default: default:
bro_analyzer()->Weird("unknown_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type})); zeek_analyzer()->Weird("unknown_dce_rpc_auth_type", zeek::util::fmt("%d", ${auth.type}));
break; break;
} }

16
src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac
View file

@ -190,9 +190,9 @@ flow DCE_RPC_Flow(is_orig: bool) {
if ( it != fb.end() ) if ( it != fb.end() )
{ {
// We already had a first frag earlier. // We already had a first frag earlier.
zeek::reporter->Weird(connection()->bro_analyzer()->Conn(), zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(),
"multiple_first_fragments_in_dce_rpc_reassembly"); "multiple_first_fragments_in_dce_rpc_reassembly");
connection()->bro_analyzer()->SetSkip(true); connection()->zeek_analyzer()->SetSkip(true);
return false; return false;
} }
@ -212,16 +212,16 @@ flow DCE_RPC_Flow(is_orig: bool) {
if ( fb.size() > zeek::BifConst::DCE_RPC::max_cmd_reassembly ) if ( fb.size() > zeek::BifConst::DCE_RPC::max_cmd_reassembly )
{ {
zeek::reporter->Weird(connection()->bro_analyzer()->Conn(), zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(),
"too_many_dce_rpc_msgs_in_reassembly"); "too_many_dce_rpc_msgs_in_reassembly");
connection()->bro_analyzer()->SetSkip(true); connection()->zeek_analyzer()->SetSkip(true);
} }
if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data ) if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data )
{ {
zeek::reporter->Weird(connection()->bro_analyzer()->Conn(), zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(),
"too_much_dce_rpc_fragment_data"); "too_much_dce_rpc_fragment_data");
connection()->bro_analyzer()->SetSkip(true); connection()->zeek_analyzer()->SetSkip(true);
} }
return false; return false;
@ -235,9 +235,9 @@ flow DCE_RPC_Flow(is_orig: bool) {
if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data ) if ( flowbuf->data_length() > (int)zeek::BifConst::DCE_RPC::max_frag_data )
{ {
zeek::reporter->Weird(connection()->bro_analyzer()->Conn(), zeek::reporter->Weird(connection()->zeek_analyzer()->Conn(),
"too_much_dce_rpc_fragment_data"); "too_much_dce_rpc_fragment_data");
connection()->bro_analyzer()->SetSkip(true); connection()->zeek_analyzer()->SetSkip(true);
} }
return ${header.lastfrag}; return ${header.lastfrag};

4
src/analyzer/protocol/dce-rpc/dce_rpc.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "consts.bif.h" #include "consts.bif.h"
@ -12,7 +12,7 @@ analyzer DCE_RPC withcontext {
flow : DCE_RPC_Flow; flow : DCE_RPC_Flow;
}; };
connection DCE_RPC_Conn(bro_analyzer: BroAnalyzer) { connection DCE_RPC_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = DCE_RPC_Flow(true); upflow = DCE_RPC_Flow(true);
downflow = DCE_RPC_Flow(false); downflow = DCE_RPC_Flow(false);
}; };

8
src/analyzer/protocol/dhcp/dhcp-analyzer.pac
View file

@ -44,7 +44,7 @@ refine flow DHCP_Flow += {
// the message options. // the message options.
if ( ${msg.cookie} != 0x63825363 ) if ( ${msg.cookie} != 0x63825363 )
{ {
connection()->bro_analyzer()->ProtocolViolation(zeek::util::fmt("bad cookie (%d)", ${msg.cookie})); connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("bad cookie (%d)", ${msg.cookie}));
return false; return false;
} }
@ -91,8 +91,8 @@ refine flow DHCP_Flow += {
init_options(); init_options();
zeek::BifEvent::enqueue_dhcp_message(connection()->bro_analyzer(), zeek::BifEvent::enqueue_dhcp_message(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${msg.is_orig}, ${msg.is_orig},
std::move(dhcp_msg_val), std::move(dhcp_msg_val),
std::move(options)); std::move(options));
@ -106,7 +106,7 @@ refine flow DHCP_Flow += {
// on a "connection". // on a "connection".
// The binpac analyzer would have thrown an error before this point // The binpac analyzer would have thrown an error before this point
// if there was a problem too (and subsequently called ProtocolViolation). // if there was a problem too (and subsequently called ProtocolViolation).
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
return true; return true;
%} %}

3
src/analyzer/protocol/dhcp/dhcp-protocol.pac
View file

@ -67,9 +67,8 @@ refine flow DHCP_Flow += {
} }
if ( type == 0 ) if ( type == 0 )
connection()->bro_analyzer()->ProtocolViolation("no DHCP message type option"); connection()->zeek_analyzer()->ProtocolViolation("no DHCP message type option");
return type; return type;
%} %}
}; };

4
src/analyzer/protocol/dhcp/dhcp.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "types.bif.h" #include "types.bif.h"
@ -11,7 +11,7 @@ analyzer DHCP withcontext {
flow: DHCP_Flow; flow: DHCP_Flow;
}; };
connection DHCP_Conn(bro_analyzer: BroAnalyzer) { connection DHCP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = DHCP_Flow(true); upflow = DHCP_Flow(true);
downflow = DHCP_Flow(false); downflow = DHCP_Flow(false);
}; };

207
src/analyzer/protocol/dnp3/dnp3-analyzer.pac
View file

@ -1,5 +1,5 @@
connection DNP3_Conn(bro_analyzer: BroAnalyzer) { connection DNP3_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = DNP3_Flow(true); upflow = DNP3_Flow(true);
downflow = DNP3_Flow(false); downflow = DNP3_Flow(false);
}; };
@ -30,8 +30,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_header_block ) if ( ::dnp3_header_block )
{ {
zeek::BifEvent::enqueue_dnp3_header_block( zeek::BifEvent::enqueue_dnp3_header_block(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), len, ctrl, dest_addr, src_addr); is_orig(), len, ctrl, dest_addr, src_addr);
} }
@ -43,8 +43,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_application_request_header ) if ( ::dnp3_application_request_header )
{ {
zeek::BifEvent::enqueue_dnp3_application_request_header( zeek::BifEvent::enqueue_dnp3_application_request_header(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), is_orig(),
application_control, application_control,
fc fc
@ -58,8 +58,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_application_response_header ) if ( ::dnp3_application_response_header )
{ {
zeek::BifEvent::enqueue_dnp3_application_response_header( zeek::BifEvent::enqueue_dnp3_application_response_header(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), is_orig(),
application_control, application_control,
fc, fc,
@ -74,8 +74,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_object_header ) if ( ::dnp3_object_header )
{ {
zeek::BifEvent::enqueue_dnp3_object_header( zeek::BifEvent::enqueue_dnp3_object_header(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), obj_type, qua_field, number, rf_low, rf_high); is_orig(), obj_type, qua_field, number, rf_low, rf_high);
} }
@ -87,8 +87,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_object_prefix ) if ( ::dnp3_object_prefix )
{ {
zeek::BifEvent::enqueue_dnp3_object_prefix( zeek::BifEvent::enqueue_dnp3_object_prefix(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), prefix_value); is_orig(), prefix_value);
} }
@ -100,8 +100,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_response_data_object ) if ( ::dnp3_response_data_object )
{ {
zeek::BifEvent::enqueue_dnp3_response_data_object( zeek::BifEvent::enqueue_dnp3_response_data_object(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), data_value); is_orig(), data_value);
} }
@ -114,8 +114,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_attribute_common ) if ( ::dnp3_attribute_common )
{ {
zeek::BifEvent::enqueue_dnp3_attribute_common( zeek::BifEvent::enqueue_dnp3_attribute_common(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), data_type_code, leng, to_stringval(attribute_obj) ); is_orig(), data_type_code, leng, to_stringval(attribute_obj) );
} }
@ -128,8 +128,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_crob ) if ( ::dnp3_crob )
{ {
zeek::BifEvent::enqueue_dnp3_crob( zeek::BifEvent::enqueue_dnp3_crob(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code); is_orig(), control_code, count8, on_time, off_time, status_code);
} }
@ -142,8 +142,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_pcb ) if ( ::dnp3_pcb )
{ {
zeek::BifEvent::enqueue_dnp3_pcb( zeek::BifEvent::enqueue_dnp3_pcb(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), control_code, count8, on_time, off_time, status_code); is_orig(), control_code, count8, on_time, off_time, status_code);
} }
@ -156,8 +156,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_counter_32wFlag ) if ( ::dnp3_counter_32wFlag )
{ {
zeek::BifEvent::enqueue_dnp3_counter_32wFlag( zeek::BifEvent::enqueue_dnp3_counter_32wFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value); is_orig(), flag, count_value);
} }
@ -170,8 +170,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_counter_16wFlag ) if ( ::dnp3_counter_16wFlag )
{ {
zeek::BifEvent::enqueue_dnp3_counter_16wFlag( zeek::BifEvent::enqueue_dnp3_counter_16wFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value); is_orig(), flag, count_value);
} }
@ -184,8 +184,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_counter_32woFlag ) if ( ::dnp3_counter_32woFlag )
{ {
zeek::BifEvent::enqueue_dnp3_counter_32woFlag( zeek::BifEvent::enqueue_dnp3_counter_32woFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), count_value); is_orig(), count_value);
} }
@ -198,8 +198,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_counter_16woFlag ) if ( ::dnp3_counter_16woFlag )
{ {
zeek::BifEvent::enqueue_dnp3_counter_16woFlag( zeek::BifEvent::enqueue_dnp3_counter_16woFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), count_value); is_orig(), count_value);
} }
@ -212,8 +212,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_32wFlag ) if ( ::dnp3_frozen_counter_32wFlag )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_counter_32wFlag( zeek::BifEvent::enqueue_dnp3_frozen_counter_32wFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value); is_orig(), flag, count_value);
} }
@ -226,8 +226,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_16wFlag ) if ( ::dnp3_frozen_counter_16wFlag )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_counter_16wFlag( zeek::BifEvent::enqueue_dnp3_frozen_counter_16wFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value); is_orig(), flag, count_value);
} }
@ -240,8 +240,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_32wFlagTime ) if ( ::dnp3_frozen_counter_32wFlagTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_counter_32wFlagTime( zeek::BifEvent::enqueue_dnp3_frozen_counter_32wFlagTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48)); is_orig(), flag, count_value, bytestring_to_time(time48));
} }
@ -254,8 +254,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_16wFlagTime ) if ( ::dnp3_frozen_counter_16wFlagTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_counter_16wFlagTime( zeek::BifEvent::enqueue_dnp3_frozen_counter_16wFlagTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, count_value, bytestring_to_time(time48)); is_orig(), flag, count_value, bytestring_to_time(time48));
} }
@ -268,8 +268,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_32woFlag ) if ( ::dnp3_frozen_counter_32woFlag )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_counter_32woFlag( zeek::BifEvent::enqueue_dnp3_frozen_counter_32woFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), count_value); is_orig(), count_value);
} }
@ -282,8 +282,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_counter_16woFlag ) if ( ::dnp3_frozen_counter_16woFlag )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_counter_16woFlag( zeek::BifEvent::enqueue_dnp3_frozen_counter_16woFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), count_value); is_orig(), count_value);
} }
@ -296,8 +296,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_32wFlag ) if ( ::dnp3_analog_input_32wFlag )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_32wFlag( zeek::BifEvent::enqueue_dnp3_analog_input_32wFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
} }
@ -310,8 +310,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_16wFlag ) if ( ::dnp3_analog_input_16wFlag )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_16wFlag( zeek::BifEvent::enqueue_dnp3_analog_input_16wFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
} }
@ -324,8 +324,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_32woFlag ) if ( ::dnp3_analog_input_32woFlag )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_32woFlag( zeek::BifEvent::enqueue_dnp3_analog_input_32woFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), value); is_orig(), value);
} }
@ -338,8 +338,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_16woFlag ) if ( ::dnp3_analog_input_16woFlag )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_16woFlag( zeek::BifEvent::enqueue_dnp3_analog_input_16woFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), value); is_orig(), value);
} }
@ -352,8 +352,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_SPwFlag ) if ( ::dnp3_analog_input_SPwFlag )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_SPwFlag( zeek::BifEvent::enqueue_dnp3_analog_input_SPwFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
} }
@ -366,8 +366,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_DPwFlag ) if ( ::dnp3_analog_input_DPwFlag )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_DPwFlag( zeek::BifEvent::enqueue_dnp3_analog_input_DPwFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value_low, value_high); is_orig(), flag, value_low, value_high);
} }
@ -380,8 +380,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_32wFlag ) if ( ::dnp3_frozen_analog_input_32wFlag )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32wFlag( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32wFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
} }
@ -394,8 +394,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_16wFlag ) if ( ::dnp3_frozen_analog_input_16wFlag )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16wFlag( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16wFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
} }
@ -408,8 +408,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_32wTime ) if ( ::dnp3_frozen_analog_input_32wTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32wTime( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32wTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48)); is_orig(), flag, frozen_value, bytestring_to_time(time48));
} }
@ -422,8 +422,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_16wTime ) if ( ::dnp3_frozen_analog_input_16wTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16wTime( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16wTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48)); is_orig(), flag, frozen_value, bytestring_to_time(time48));
} }
@ -436,8 +436,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_32woFlag ) if ( ::dnp3_frozen_analog_input_32woFlag )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32woFlag( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_32woFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), frozen_value); is_orig(), frozen_value);
} }
@ -450,8 +450,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_16woFlag ) if ( ::dnp3_frozen_analog_input_16woFlag )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16woFlag( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_16woFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), frozen_value); is_orig(), frozen_value);
} }
@ -464,8 +464,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_SPwFlag ) if ( ::dnp3_frozen_analog_input_SPwFlag )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_SPwFlag( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_SPwFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
} }
@ -478,8 +478,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_DPwFlag ) if ( ::dnp3_frozen_analog_input_DPwFlag )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_DPwFlag( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_DPwFlag(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high); is_orig(), flag, frozen_value_low, frozen_value_high);
} }
@ -492,8 +492,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_32woTime ) if ( ::dnp3_analog_input_event_32woTime )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_event_32woTime( zeek::BifEvent::enqueue_dnp3_analog_input_event_32woTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
} }
@ -506,8 +506,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_16woTime ) if ( ::dnp3_analog_input_event_16woTime )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_event_16woTime( zeek::BifEvent::enqueue_dnp3_analog_input_event_16woTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
} }
@ -520,8 +520,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_32wTime ) if ( ::dnp3_analog_input_event_32wTime )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_event_32wTime( zeek::BifEvent::enqueue_dnp3_analog_input_event_32wTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48)); is_orig(), flag, value, bytestring_to_time(time48));
} }
@ -534,8 +534,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_16wTime ) if ( ::dnp3_analog_input_event_16wTime )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_event_16wTime( zeek::BifEvent::enqueue_dnp3_analog_input_event_16wTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48)); is_orig(), flag, value, bytestring_to_time(time48));
} }
@ -548,8 +548,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_SPwoTime ) if ( ::dnp3_analog_input_event_SPwoTime )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_event_SPwoTime( zeek::BifEvent::enqueue_dnp3_analog_input_event_SPwoTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value); is_orig(), flag, value);
} }
@ -562,8 +562,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_DPwoTime ) if ( ::dnp3_analog_input_event_DPwoTime )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_event_DPwoTime( zeek::BifEvent::enqueue_dnp3_analog_input_event_DPwoTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value_low, value_high); is_orig(), flag, value_low, value_high);
} }
@ -576,8 +576,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_SPwTime ) if ( ::dnp3_analog_input_event_SPwTime )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_event_SPwTime( zeek::BifEvent::enqueue_dnp3_analog_input_event_SPwTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value, bytestring_to_time(time48)); is_orig(), flag, value, bytestring_to_time(time48));
} }
@ -590,8 +590,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_analog_input_event_DPwTime ) if ( ::dnp3_analog_input_event_DPwTime )
{ {
zeek::BifEvent::enqueue_dnp3_analog_input_event_DPwTime( zeek::BifEvent::enqueue_dnp3_analog_input_event_DPwTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, value_low, value_high, bytestring_to_time(time48)); is_orig(), flag, value_low, value_high, bytestring_to_time(time48));
} }
@ -604,8 +604,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_32woTime ) if ( ::dnp3_frozen_analog_input_event_32woTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_32woTime( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_32woTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
} }
@ -618,8 +618,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_16woTime ) if ( ::dnp3_frozen_analog_input_event_16woTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_16woTime( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_16woTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
} }
@ -632,8 +632,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_32wTime ) if ( ::dnp3_frozen_analog_input_event_32wTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_32wTime( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_32wTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48)); is_orig(), flag, frozen_value, bytestring_to_time(time48));
} }
@ -646,8 +646,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_16wTime ) if ( ::dnp3_frozen_analog_input_event_16wTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_16wTime( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_16wTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48)); is_orig(), flag, frozen_value, bytestring_to_time(time48));
} }
@ -660,8 +660,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_SPwoTime ) if ( ::dnp3_frozen_analog_input_event_SPwoTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwoTime( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwoTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value); is_orig(), flag, frozen_value);
} }
@ -674,8 +674,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_DPwoTime ) if ( ::dnp3_frozen_analog_input_event_DPwoTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwoTime( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwoTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high); is_orig(), flag, frozen_value_low, frozen_value_high);
} }
@ -688,8 +688,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_SPwTime ) if ( ::dnp3_frozen_analog_input_event_SPwTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwTime( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_SPwTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value, bytestring_to_time(time48)); is_orig(), flag, frozen_value, bytestring_to_time(time48));
} }
@ -702,8 +702,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_frozen_analog_input_event_DPwTime ) if ( ::dnp3_frozen_analog_input_event_DPwTime )
{ {
zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwTime( zeek::BifEvent::enqueue_dnp3_frozen_analog_input_event_DPwTime(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48)); is_orig(), flag, frozen_value_low, frozen_value_high, bytestring_to_time(time48));
} }
@ -716,8 +716,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_file_transport ) if ( ::dnp3_file_transport )
{ {
zeek::BifEvent::enqueue_dnp3_file_transport( zeek::BifEvent::enqueue_dnp3_file_transport(
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), file_handle, block_num, to_stringval(file_data)); is_orig(), file_handle, block_num, to_stringval(file_data));
} }
@ -730,8 +730,8 @@ flow DNP3_Flow(is_orig: bool) {
if ( ::dnp3_debug_byte ) if ( ::dnp3_debug_byte )
{ {
zeek::BifEvent::enqueue_dnp3_debug_byte ( zeek::BifEvent::enqueue_dnp3_debug_byte (
connection()->bro_analyzer(), connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), to_stringval(debug)); is_orig(), to_stringval(debug));
} }
@ -986,4 +986,3 @@ refine typeattr File_Transport += &let {
refine typeattr Debug_Byte += &let { refine typeattr Debug_Byte += &let {
process_request: bool = $context.flow.get_dnp3_debug_byte(debug); process_request: bool = $context.flow.get_dnp3_debug_byte(debug);
}; };

3
src/analyzer/protocol/dnp3/dnp3-objects.pac
View file

@ -616,7 +616,7 @@ type Response_Data_Object(function_code: uint8, qualifier_field: uint8, object_t
}; };
} }
&let{ &let{
data_value: uint8 = case (object_type_field) of { # this data_value is used for the Bro Event data_value: uint8 = case (object_type_field) of { # this data_value is used for the Zeek Event
0x0101 -> biwoflag; 0x0101 -> biwoflag;
0x0102 -> biwflag; 0x0102 -> biwflag;
0x0a01 -> bowoflag; 0x0a01 -> bowoflag;
@ -1504,4 +1504,3 @@ type UpdateKeySig(prefix: uint16) = record {
type UpdateKeyCon(prefix: uint16) = record { type UpdateKeyCon(prefix: uint16) = record {
mac: bytestring &length = prefix; mac: bytestring &length = prefix;
} &byteorder = littleendian; } &byteorder = littleendian;

2
src/analyzer/protocol/dnp3/dnp3-protocol.pac
View file

@ -17,7 +17,7 @@ type Header_Block = record {
} &byteorder = littleendian; } &byteorder = littleendian;
type DNP3_Request = record { type DNP3_Request = record {
addin_header: Header_Block; ## added by Hui Lin in Bro code addin_header: Header_Block; ## added by Hui Lin in Zeek code
app_header: DNP3_Application_Request_Header; app_header: DNP3_Application_Request_Header;
data: case ( app_header.function_code ) of { data: case ( app_header.function_code ) of {
CONFIRM -> none_coonfirm: empty; CONFIRM -> none_coonfirm: empty;

3
src/analyzer/protocol/dnp3/dnp3.pac
View file

@ -1,6 +1,6 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "events.bif.h" #include "events.bif.h"
@ -13,4 +13,3 @@ analyzer DNP3 withcontext {
%include dnp3-protocol.pac %include dnp3-protocol.pac
%include dnp3-analyzer.pac %include dnp3-analyzer.pac

2
src/analyzer/protocol/dns/DNS.h
View file

@ -3,7 +3,7 @@
#pragma once #pragma once
#include "analyzer/protocol/tcp/TCP.h" #include "analyzer/protocol/tcp/TCP.h"
#include "binpac_bro.h" #include "binpac_zeek.h"
namespace zeek::analyzer::dns { namespace zeek::analyzer::dns {
namespace detail { namespace detail {

8
src/analyzer/protocol/gssapi/gssapi-analyzer.pac
View file

@ -34,7 +34,7 @@ refine connection GSSAPI_Conn += {
{ {
// ntlmssp // ntlmssp
if ( ! ntlm ) if ( ! ntlm )
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn());
if ( ntlm ) if ( ntlm )
ntlm->DeliverStream(${val.ntlm}.length(), ntlm->DeliverStream(${val.ntlm}.length(),
@ -44,7 +44,7 @@ refine connection GSSAPI_Conn += {
else if ( ${val.has_krb} ) else if ( ${val.has_krb} )
{ {
if ( ! krb5 ) if ( ! krb5 )
krb5 = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn()); krb5 = zeek::analyzer_mgr->InstantiateAnalyzer("KRB", zeek_analyzer()->Conn());
if ( krb5 ) // accepting all KRB types (REQ, REP, etc) if ( krb5 ) // accepting all KRB types (REQ, REP, etc)
{ {
@ -61,8 +61,8 @@ refine connection GSSAPI_Conn += {
%{ %{
if ( gssapi_neg_result ) if ( gssapi_neg_result )
{ {
zeek::BifEvent::enqueue_gssapi_neg_result(bro_analyzer(), zeek::BifEvent::enqueue_gssapi_neg_result(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
binary_to_int64(${val.neg_state.encoding.content})); binary_to_int64(${val.neg_state.encoding.content}));
} }

4
src/analyzer/protocol/gssapi/gssapi.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "analyzer/Manager.h" #include "analyzer/Manager.h"
@ -13,7 +13,7 @@ analyzer GSSAPI withcontext {
flow : GSSAPI_Flow; flow : GSSAPI_Flow;
}; };
connection GSSAPI_Conn(bro_analyzer: BroAnalyzer) { connection GSSAPI_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = GSSAPI_Flow(true); upflow = GSSAPI_Flow(true);
downflow = GSSAPI_Flow(false); downflow = GSSAPI_Flow(false);
}; };

20
src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
View file

@ -233,7 +233,7 @@ static zeek::ValPtr BuildTeardownInd(const InformationElement* ie)
return zeek::val_mgr->Bool(ie->teardown_ind()->ind()); return zeek::val_mgr->Bool(ie->teardown_ind()->ind());
} }
void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) void CreatePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{ {
if ( ! ::gtpv1_create_pdp_ctx_request ) return; if ( ! ::gtpv1_create_pdp_ctx_request ) return;
@ -332,7 +332,7 @@ void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
BuildGTPv1Hdr(pdu), std::move(rv)); BuildGTPv1Hdr(pdu), std::move(rv));
} }
void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) void CreatePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{ {
if ( ! ::gtpv1_create_pdp_ctx_response ) if ( ! ::gtpv1_create_pdp_ctx_response )
return; return;
@ -401,7 +401,7 @@ void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
BuildGTPv1Hdr(pdu), std::move(rv)); BuildGTPv1Hdr(pdu), std::move(rv));
} }
void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) void UpdatePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{ {
if ( ! ::gtpv1_update_pdp_ctx_request ) if ( ! ::gtpv1_update_pdp_ctx_request )
return; return;
@ -479,7 +479,7 @@ void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
BuildGTPv1Hdr(pdu), std::move(rv)); BuildGTPv1Hdr(pdu), std::move(rv));
} }
void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) void UpdatePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{ {
if ( ! ::gtpv1_update_pdp_ctx_response ) if ( ! ::gtpv1_update_pdp_ctx_response )
return; return;
@ -539,7 +539,7 @@ void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
BuildGTPv1Hdr(pdu), std::move(rv)); BuildGTPv1Hdr(pdu), std::move(rv));
} }
void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu) void DeletePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{ {
if ( ! ::gtpv1_delete_pdp_ctx_request ) if ( ! ::gtpv1_delete_pdp_ctx_request )
return; return;
@ -573,7 +573,7 @@ void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
BuildGTPv1Hdr(pdu), std::move(rv)); BuildGTPv1Hdr(pdu), std::move(rv));
} }
void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu) void DeletePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
{ {
if ( ! ::gtpv1_delete_pdp_ctx_response ) if ( ! ::gtpv1_delete_pdp_ctx_response )
return; return;
@ -605,7 +605,7 @@ void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
} }
%} %}
connection GTPv1_Conn(bro_analyzer: BroAnalyzer) connection GTPv1_Conn(zeek_analyzer: ZeekAnalyzer)
{ {
upflow = GTPv1_Flow(true); upflow = GTPv1_Flow(true);
downflow = GTPv1_Flow(false); downflow = GTPv1_Flow(false);
@ -639,14 +639,14 @@ flow GTPv1_Flow(is_orig: bool)
function violate(r: string, pdu: GTPv1_Header): void function violate(r: string, pdu: GTPv1_Header): void
%{ %{
BroAnalyzer a = connection()->bro_analyzer(); ZeekAnalyzer a = connection()->zeek_analyzer();
const_bytestring b = ${pdu.sourcedata}; const_bytestring b = ${pdu.sourcedata};
a->ProtocolViolation(r.c_str(), (const char*) b.begin(), b.length()); a->ProtocolViolation(r.c_str(), (const char*) b.begin(), b.length());
%} %}
function process_gtpv1(pdu: GTPv1_Header): bool function process_gtpv1(pdu: GTPv1_Header): bool
%{ %{
BroAnalyzer a = connection()->bro_analyzer(); ZeekAnalyzer a = connection()->zeek_analyzer();
zeek::Connection* c = a->Conn(); zeek::Connection* c = a->Conn();
const zeek::EncapsulationStack* e = c->GetEncapsulation(); const zeek::EncapsulationStack* e = c->GetEncapsulation();
@ -711,7 +711,7 @@ flow GTPv1_Flow(is_orig: bool)
function process_g_pdu(pdu: GTPv1_Header): bool function process_g_pdu(pdu: GTPv1_Header): bool
%{ %{
BroAnalyzer a = connection()->bro_analyzer(); ZeekAnalyzer a = connection()->zeek_analyzer();
zeek::Connection* c = a->Conn(); zeek::Connection* c = a->Conn();
const zeek::EncapsulationStack* e = c->GetEncapsulation(); const zeek::EncapsulationStack* e = c->GetEncapsulation();

2
src/analyzer/protocol/gtpv1/gtpv1.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "IP.h" #include "IP.h"

2
src/analyzer/protocol/http/HTTP.h
View file

@ -7,7 +7,7 @@
#include "analyzer/protocol/pia/PIA.h" #include "analyzer/protocol/pia/PIA.h"
#include "analyzer/protocol/zip/ZIP.h" #include "analyzer/protocol/zip/ZIP.h"
#include "analyzer/protocol/mime/MIME.h" #include "analyzer/protocol/mime/MIME.h"
#include "binpac_bro.h" #include "binpac_zeek.h"
#include "IPAddr.h" #include "IPAddr.h"
#include "analyzer/protocol/http/events.bif.h" #include "analyzer/protocol/http/events.bif.h"

18
src/analyzer/protocol/imap/imap-analyzer.pac
View file

@ -17,23 +17,23 @@ refine connection IMAP_Conn += {
//printf("imap %s %s\n", commands.c_str(), tags.c_str()); //printf("imap %s %s\n", commands.c_str(), tags.c_str());
if ( !is_orig && tags == "*" && commands == "ok" ) if ( !is_orig && tags == "*" && commands == "ok" )
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
if ( is_orig && ( command == "capability" || commands == "starttls" ) ) if ( is_orig && ( command == "capability" || commands == "starttls" ) )
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
if ( command == "authenticate" || command == "login" || command == "examine" || command == "create" || command == "list" || command == "fetch" ) if ( command == "authenticate" || command == "login" || command == "examine" || command == "create" || command == "list" || command == "fetch" )
{ {
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
// Handshake has passed the phase where we should see StartTLS. Simply skip from hereon... // Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
bro_analyzer()->SetSkip(true); zeek_analyzer()->SetSkip(true);
return true; return true;
} }
if ( is_orig && commands == "starttls" ) if ( is_orig && commands == "starttls" )
{ {
if ( !client_starttls_id.empty() ) if ( !client_starttls_id.empty() )
zeek::reporter->Weird(bro_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS"); zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS");
client_starttls_id = tags; client_starttls_id = tags;
} }
@ -42,13 +42,13 @@ refine connection IMAP_Conn += {
{ {
if ( commands == "ok" ) if ( commands == "ok" )
{ {
bro_analyzer()->StartTLS(); zeek_analyzer()->StartTLS();
if ( imap_starttls ) if ( imap_starttls )
zeek::BifEvent::enqueue_imap_starttls(bro_analyzer(), bro_analyzer()->Conn()); zeek::BifEvent::enqueue_imap_starttls(zeek_analyzer(), zeek_analyzer()->Conn());
} }
else else
zeek::reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS"); zeek::reporter->Weird(zeek_analyzer()->Conn(), "IMAP: server refused StartTLS");
} }
return true; return true;
@ -67,7 +67,7 @@ refine connection IMAP_Conn += {
capv->Assign(i, zeek::make_intrusive<zeek::StringVal>(capability.length(), (const char*)capability.data())); capv->Assign(i, zeek::make_intrusive<zeek::StringVal>(capability.length(), (const char*)capability.data()));
} }
zeek::BifEvent::enqueue_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), std::move(capv)); zeek::BifEvent::enqueue_imap_capabilities(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(capv));
return true; return true;
%} %}

4
src/analyzer/protocol/imap/imap.pac
View file

@ -4,7 +4,7 @@
# till StartTLS does (or does not) kick in. # till StartTLS does (or does not) kick in.
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "zeek-config.h" #include "zeek-config.h"
@ -25,7 +25,7 @@ analyzer IMAP withcontext {
flow: IMAP_Flow; flow: IMAP_Flow;
}; };
connection IMAP_Conn(bro_analyzer: IMAPAnalyzer) { connection IMAP_Conn(zeek_analyzer: IMAPAnalyzer) {
upflow = IMAP_Flow(true); upflow = IMAP_Flow(true);
downflow = IMAP_Flow(false); downflow = IMAP_Flow(false);
}; };

56
src/analyzer/protocol/krb/krb-analyzer.pac
View file

@ -1,6 +1,6 @@
%header{ %header{
zeek::RecordValPtr proc_krb_kdc_options(const KRB_KDC_Options* opts); zeek::RecordValPtr proc_krb_kdc_options(const KRB_KDC_Options* opts);
zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyzer bro_analyzer); zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const ZeekAnalyzer zeek_analyzer);
bool proc_error_arguments(zeek::RecordVal* rv, const std::vector<KRB_ERROR_Arg*>* args, int64 error_code); bool proc_error_arguments(zeek::RecordVal* rv, const std::vector<KRB_ERROR_Arg*>* args, int64 error_code);
%} %}
@ -27,7 +27,7 @@ zeek::RecordValPtr proc_krb_kdc_options(const KRB_KDC_Options* opts)
return rv; return rv;
} }
zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyzer bro_analyzer) zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const ZeekAnalyzer zeek_analyzer)
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::KDC_Request); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::KDC_Request);
@ -35,7 +35,7 @@ zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyze
rv->Assign(1, asn1_integer_to_val(msg->msg_type()->data(), zeek::TYPE_COUNT)); rv->Assign(1, asn1_integer_to_val(msg->msg_type()->data(), zeek::TYPE_COUNT));
if ( msg->padata()->has_padata() ) if ( msg->padata()->has_padata() )
rv->Assign(2, proc_padata(msg->padata()->padata()->padata(), bro_analyzer, false)); rv->Assign(2, proc_padata(msg->padata()->padata()->padata(), zeek_analyzer, false));
for ( uint i = 0; i < msg->body_args()->size(); ++i ) for ( uint i = 0; i < msg->body_args()->size(); ++i )
{ {
@ -73,7 +73,7 @@ zeek::RecordValPtr proc_krb_kdc_req_arguments(KRB_KDC_REQ* msg, const BroAnalyze
break; break;
case 9: case 9:
if ( element->data()->addrs()->addresses()->size() ) if ( element->data()->addrs()->addresses()->size() )
rv->Assign(12, proc_host_address_list(bro_analyzer, element->data()->addrs())); rv->Assign(12, proc_host_address_list(zeek_analyzer, element->data()->addrs()));
break; break;
case 10: case 10:
@ -171,7 +171,7 @@ refine connection KRB_Conn += {
function proc_krb_kdc_req_msg(msg: KRB_KDC_REQ): bool function proc_krb_kdc_req_msg(msg: KRB_KDC_REQ): bool
%{ %{
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
auto msg_type = binary_to_int64(${msg.msg_type.data.content}); auto msg_type = binary_to_int64(${msg.msg_type.data.content});
if ( msg_type == 10 ) if ( msg_type == 10 )
@ -179,8 +179,8 @@ refine connection KRB_Conn += {
if ( ! krb_as_request ) if ( ! krb_as_request )
return false; return false;
auto rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer()); auto rv = proc_krb_kdc_req_arguments(${msg}, zeek_analyzer());
zeek::BifEvent::enqueue_krb_as_request(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv)); zeek::BifEvent::enqueue_krb_as_request(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(rv));
return true; return true;
} }
@ -189,8 +189,8 @@ refine connection KRB_Conn += {
if ( ! krb_tgs_request ) if ( ! krb_tgs_request )
return false; return false;
auto rv = proc_krb_kdc_req_arguments(${msg}, bro_analyzer()); auto rv = proc_krb_kdc_req_arguments(${msg}, zeek_analyzer());
zeek::BifEvent::enqueue_krb_tgs_request(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv)); zeek::BifEvent::enqueue_krb_tgs_request(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(rv));
return true; return true;
} }
@ -199,7 +199,7 @@ refine connection KRB_Conn += {
function proc_krb_kdc_rep_msg(msg: KRB_KDC_REP): bool function proc_krb_kdc_rep_msg(msg: KRB_KDC_REP): bool
%{ %{
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
auto msg_type = binary_to_int64(${msg.msg_type.data.content}); auto msg_type = binary_to_int64(${msg.msg_type.data.content});
auto make_arg = [this, msg]() -> zeek::RecordValPtr auto make_arg = [this, msg]() -> zeek::RecordValPtr
{ {
@ -209,7 +209,7 @@ refine connection KRB_Conn += {
rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, zeek::TYPE_COUNT)); rv->Assign(1, asn1_integer_to_val(${msg.msg_type.data}, zeek::TYPE_COUNT));
if ( ${msg.padata.has_padata} ) if ( ${msg.padata.has_padata} )
rv->Assign(2, proc_padata(${msg.padata.padata.padata}, bro_analyzer(), false)); rv->Assign(2, proc_padata(${msg.padata.padata.padata}, zeek_analyzer(), false));
rv->Assign(3, to_stringval(${msg.client_realm.encoding.content})); rv->Assign(3, to_stringval(${msg.client_realm.encoding.content}));
rv->Assign(4, GetStringFromPrincipalName(${msg.client_name})); rv->Assign(4, GetStringFromPrincipalName(${msg.client_name}));
@ -223,7 +223,7 @@ refine connection KRB_Conn += {
if ( ! krb_as_response ) if ( ! krb_as_response )
return false; return false;
zeek::BifEvent::enqueue_krb_as_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg()); zeek::BifEvent::enqueue_krb_as_response(zeek_analyzer(), zeek_analyzer()->Conn(), make_arg());
return true; return true;
} }
@ -232,7 +232,7 @@ refine connection KRB_Conn += {
if ( ! krb_tgs_response ) if ( ! krb_tgs_response )
return false; return false;
zeek::BifEvent::enqueue_krb_tgs_response(bro_analyzer(), bro_analyzer()->Conn(), make_arg()); zeek::BifEvent::enqueue_krb_tgs_response(zeek_analyzer(), zeek_analyzer()->Conn(), make_arg());
return true; return true;
} }
@ -241,21 +241,21 @@ refine connection KRB_Conn += {
function proc_krb_error_msg(msg: KRB_ERROR_MSG): bool function proc_krb_error_msg(msg: KRB_ERROR_MSG): bool
%{ %{
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
if ( krb_error ) if ( krb_error )
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Error_Msg); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Error_Msg);
proc_error_arguments(rv.get(), ${msg.args1}, 0); proc_error_arguments(rv.get(), ${msg.args1}, 0);
rv->Assign(4, asn1_integer_to_val(${msg.error_code}, zeek::TYPE_COUNT)); rv->Assign(4, asn1_integer_to_val(${msg.error_code}, zeek::TYPE_COUNT));
proc_error_arguments(rv.get(), ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content})); proc_error_arguments(rv.get(), ${msg.args2}, binary_to_int64(${msg.error_code.encoding.content}));
zeek::BifEvent::enqueue_krb_error(bro_analyzer(), bro_analyzer()->Conn(), std::move(rv)); zeek::BifEvent::enqueue_krb_error(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(rv));
} }
return true; return true;
%} %}
function proc_krb_ap_req_msg(msg: KRB_AP_REQ): bool function proc_krb_ap_req_msg(msg: KRB_AP_REQ): bool
%{ %{
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
if ( krb_ap_request ) if ( krb_ap_request )
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::AP_Options); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::AP_Options);
@ -263,12 +263,12 @@ refine connection KRB_Conn += {
rv->Assign(1, zeek::val_mgr->Bool(${msg.ap_options.mutual_required})); rv->Assign(1, zeek::val_mgr->Bool(${msg.ap_options.mutual_required}));
auto rvticket = proc_ticket(${msg.ticket}); auto rvticket = proc_ticket(${msg.ticket});
auto authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->GetField(2)->AsString(), rvticket->GetField(4)->AsString(), rvticket->GetField(3)->AsCount()); auto authenticationinfo = zeek_analyzer()->GetAuthenticationInfo(rvticket->GetField(2)->AsString(), rvticket->GetField(4)->AsString(), rvticket->GetField(3)->AsCount());
if ( authenticationinfo ) if ( authenticationinfo )
rvticket->Assign(5, authenticationinfo); rvticket->Assign(5, authenticationinfo);
zeek::BifEvent::enqueue_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_krb_ap_request(zeek_analyzer(), zeek_analyzer()->Conn(),
std::move(rvticket), std::move(rv)); std::move(rvticket), std::move(rv));
} }
return true; return true;
@ -276,17 +276,17 @@ refine connection KRB_Conn += {
function proc_krb_ap_rep_msg(msg: KRB_AP_REP): bool function proc_krb_ap_rep_msg(msg: KRB_AP_REP): bool
%{ %{
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
if ( krb_ap_response ) if ( krb_ap_response )
{ {
zeek::BifEvent::enqueue_krb_ap_response(bro_analyzer(), bro_analyzer()->Conn()); zeek::BifEvent::enqueue_krb_ap_response(zeek_analyzer(), zeek_analyzer()->Conn());
} }
return true; return true;
%} %}
function proc_krb_safe_msg(msg: KRB_SAFE_MSG): bool function proc_krb_safe_msg(msg: KRB_SAFE_MSG): bool
%{ %{
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
if ( krb_safe ) if ( krb_safe )
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::SAFE_Msg); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::SAFE_Msg);
@ -328,36 +328,36 @@ refine connection KRB_Conn += {
rv->Assign(5, asn1_integer_to_val(${msg.safe_body.args[i].args.seq_number}, zeek::TYPE_COUNT)); rv->Assign(5, asn1_integer_to_val(${msg.safe_body.args[i].args.seq_number}, zeek::TYPE_COUNT));
break; break;
case 4: case 4:
rv->Assign(6, proc_host_address(bro_analyzer(), ${msg.safe_body.args[i].args.sender_addr})); rv->Assign(6, proc_host_address(zeek_analyzer(), ${msg.safe_body.args[i].args.sender_addr}));
break; break;
case 5: case 5:
rv->Assign(7, proc_host_address(bro_analyzer(), ${msg.safe_body.args[i].args.recp_addr})); rv->Assign(7, proc_host_address(zeek_analyzer(), ${msg.safe_body.args[i].args.recp_addr}));
break; break;
default: default:
break; break;
} }
} }
zeek::BifEvent::enqueue_krb_safe(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, std::move(rv)); zeek::BifEvent::enqueue_krb_safe(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig}, std::move(rv));
} }
return true; return true;
%} %}
function proc_krb_priv_msg(msg: KRB_PRIV_MSG): bool function proc_krb_priv_msg(msg: KRB_PRIV_MSG): bool
%{ %{
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
if ( krb_priv ) if ( krb_priv )
{ {
zeek::BifEvent::enqueue_krb_priv(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}); zeek::BifEvent::enqueue_krb_priv(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig});
} }
return true; return true;
%} %}
function proc_krb_cred_msg(msg: KRB_CRED_MSG): bool function proc_krb_cred_msg(msg: KRB_CRED_MSG): bool
%{ %{
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
if ( krb_cred ) if ( krb_cred )
{ {
zeek::BifEvent::enqueue_krb_cred(bro_analyzer(), bro_analyzer()->Conn(), ${msg.is_orig}, zeek::BifEvent::enqueue_krb_cred(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig},
proc_tickets(${msg.tickets})); proc_tickets(${msg.tickets}));
} }
return true; return true;

20
src/analyzer/protocol/krb/krb-padata.pac
View file

@ -7,11 +7,11 @@
%} %}
%header{ %header{
zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_analyzer, bool is_error); zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnalyzer zeek_analyzer, bool is_error);
%} %}
%code{ %code{
zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_analyzer, bool is_error) zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const ZeekAnalyzer zeek_analyzer, bool is_error)
{ {
auto vv = zeek::make_intrusive<zeek::VectorVal>(zeek::id::find_type<zeek::VectorType>("KRB::Type_Value_Vector")); auto vv = zeek::make_intrusive<zeek::VectorVal>(zeek::id::find_type<zeek::VectorType>("KRB::Type_Value_Vector"));
@ -64,10 +64,10 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
zeek::ODesc common; zeek::ODesc common;
common.AddRaw("Analyzer::ANALYZER_KRB"); common.AddRaw("Analyzer::ANALYZER_KRB");
common.Add(bro_analyzer->Conn()->StartTime()); common.Add(zeek_analyzer->Conn()->StartTime());
// Request means is_orig=T // Request means is_orig=T
common.AddRaw("T", 1); common.AddRaw("T", 1);
bro_analyzer->Conn()->IDString(&common); zeek_analyzer->Conn()->IDString(&common);
zeek::ODesc file_handle; zeek::ODesc file_handle;
file_handle.Add(common.Description()); file_handle.Add(common.Description());
@ -76,8 +76,8 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
cert.length(), bro_analyzer->GetAnalyzerTag(), cert.length(), zeek_analyzer->GetAnalyzerTag(),
bro_analyzer->Conn(), true, file_id, zeek_analyzer->Conn(), true, file_id,
"application/x-x509-user-cert"); "application/x-x509-user-cert");
zeek::file_mgr->EndOfFile(file_id); zeek::file_mgr->EndOfFile(file_id);
@ -89,10 +89,10 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
zeek::ODesc common; zeek::ODesc common;
common.AddRaw("Analyzer::ANALYZER_KRB"); common.AddRaw("Analyzer::ANALYZER_KRB");
common.Add(bro_analyzer->Conn()->StartTime()); common.Add(zeek_analyzer->Conn()->StartTime());
// Response means is_orig=F // Response means is_orig=F
common.AddRaw("F", 1); common.AddRaw("F", 1);
bro_analyzer->Conn()->IDString(&common); zeek_analyzer->Conn()->IDString(&common);
zeek::ODesc file_handle; zeek::ODesc file_handle;
file_handle.Add(common.Description()); file_handle.Add(common.Description());
@ -101,8 +101,8 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz
string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
cert.length(), bro_analyzer->GetAnalyzerTag(), cert.length(), zeek_analyzer->GetAnalyzerTag(),
bro_analyzer->Conn(), false, file_id, zeek_analyzer->Conn(), false, file_id,
"application/x-x509-user-cert"); "application/x-x509-user-cert");
zeek::file_mgr->EndOfFile(file_id); zeek::file_mgr->EndOfFile(file_id);

8
src/analyzer/protocol/krb/krb-types.pac
View file

@ -5,8 +5,8 @@ zeek::ValPtr GetStringFromPrincipalName(const KRB_Principal_Name* pname);
zeek::VectorValPtr proc_cipher_list(const Array* list); zeek::VectorValPtr proc_cipher_list(const Array* list);
zeek::VectorValPtr proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list); zeek::VectorValPtr proc_host_address_list(const ZeekAnalyzer a, const KRB_Host_Addresses* list);
zeek::RecordValPtr proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr); zeek::RecordValPtr proc_host_address(const ZeekAnalyzer a, const KRB_Host_Address* addr);
zeek::VectorValPtr proc_tickets(const KRB_Ticket_Sequence* list); zeek::VectorValPtr proc_tickets(const KRB_Ticket_Sequence* list);
zeek::RecordValPtr proc_ticket(const KRB_Ticket* ticket); zeek::RecordValPtr proc_ticket(const KRB_Ticket* ticket);
@ -33,7 +33,7 @@ zeek::VectorValPtr proc_cipher_list(const Array* list)
return ciphers; return ciphers;
} }
zeek::VectorValPtr proc_host_address_list(const BroAnalyzer a, const KRB_Host_Addresses* list) zeek::VectorValPtr proc_host_address_list(const ZeekAnalyzer a, const KRB_Host_Addresses* list)
{ {
auto addrs = zeek::make_intrusive<zeek::VectorVal>(zeek::id::find_type<zeek::VectorType>("KRB::Host_Address_Vector")); auto addrs = zeek::make_intrusive<zeek::VectorVal>(zeek::id::find_type<zeek::VectorType>("KRB::Host_Address_Vector"));
@ -45,7 +45,7 @@ zeek::VectorValPtr proc_host_address_list(const BroAnalyzer a, const KRB_Host_Ad
return addrs; return addrs;
} }
zeek::RecordValPtr proc_host_address(const BroAnalyzer a, const KRB_Host_Address* addr) zeek::RecordValPtr proc_host_address(const ZeekAnalyzer a, const KRB_Host_Address* addr)
{ {
auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Host_Address); auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Host_Address);
const auto& addr_bytes = addr->address()->data()->content(); const auto& addr_bytes = addr->address()->data()->content();

4
src/analyzer/protocol/krb/krb.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "zeek-config.h" #include "zeek-config.h"
@ -20,7 +20,7 @@ analyzer KRB withcontext {
flow: KRB_Flow; flow: KRB_Flow;
}; };
connection KRB_Conn(bro_analyzer: KRBAnalyzer) { connection KRB_Conn(zeek_analyzer: KRBAnalyzer) {
upflow = KRB_Flow(true); upflow = KRB_Flow(true);
downflow = KRB_Flow(false); downflow = KRB_Flow(false);
}; };

4
src/analyzer/protocol/krb/krb_TCP.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "zeek-config.h" #include "zeek-config.h"
@ -20,7 +20,7 @@ analyzer KRB_TCP withcontext {
flow: KRB_Flow; flow: KRB_Flow;
}; };
connection KRB_Conn(bro_analyzer: KRBTCPAnalyzer) { connection KRB_Conn(zeek_analyzer: KRBTCPAnalyzer) {
upflow = KRB_Flow(true); upflow = KRB_Flow(true);
downflow = KRB_Flow(false); downflow = KRB_Flow(false);
}; };

132
src/analyzer/protocol/modbus/modbus-analyzer.pac
View file

@ -1,5 +1,5 @@
# #
# The development of Bro's Modbus analyzer has been made possible thanks to # The development of Zeek's Modbus analyzer has been made possible thanks to
# the support of the Ministry of Security and Justice of the Kingdom of the # the support of the Ministry of Security and Justice of the Kingdom of the
# Netherlands within the projects of Hermes, Castor and Midas. # Netherlands within the projects of Hermes, Castor and Midas.
# #
@ -88,8 +88,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_message ) if ( ::modbus_message )
{ {
zeek::BifEvent::enqueue_modbus_message(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_message(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
is_orig()); is_orig());
} }
@ -106,7 +106,7 @@ refine flow ModbusTCP_Flow += {
if ( ! connection()->IsConfirmed() ) if ( ! connection()->IsConfirmed() )
{ {
connection()->SetConfirmed(); connection()->SetConfirmed();
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
} }
return true; return true;
@ -117,8 +117,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_exception ) if ( ::modbus_exception )
{ {
zeek::BifEvent::enqueue_modbus_exception(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_exception(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.code}); ${message.code});
} }
@ -131,8 +131,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_coils_request ) if ( ::modbus_read_coils_request )
{ {
zeek::BifEvent::enqueue_modbus_read_coils_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_coils_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.start_address}, ${message.start_address},
${message.quantity}); ${message.quantity});
@ -146,8 +146,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_coils_response ) if ( ::modbus_read_coils_response )
{ {
zeek::BifEvent::enqueue_modbus_read_coils_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_coils_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8)); bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
} }
@ -159,8 +159,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_discrete_inputs_request ) if ( ::modbus_read_discrete_inputs_request )
{ {
zeek::BifEvent::enqueue_modbus_read_discrete_inputs_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_discrete_inputs_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.start_address}, ${message.quantity}); ${message.start_address}, ${message.quantity});
} }
@ -173,8 +173,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_discrete_inputs_response ) if ( ::modbus_read_discrete_inputs_response )
{ {
zeek::BifEvent::enqueue_modbus_read_discrete_inputs_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_discrete_inputs_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
bytestring_to_coils(${message.bits}, ${message.bits}.length()*8)); bytestring_to_coils(${message.bits}, ${message.bits}.length()*8));
} }
@ -188,8 +188,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_holding_registers_request ) if ( ::modbus_read_holding_registers_request )
{ {
zeek::BifEvent::enqueue_modbus_read_holding_registers_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_holding_registers_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.start_address}, ${message.quantity}); ${message.start_address}, ${message.quantity});
} }
@ -202,7 +202,7 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ${message.byte_count} % 2 != 0 ) if ( ${message.byte_count} % 2 != 0 )
{ {
connection()->bro_analyzer()->ProtocolViolation( connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus read holding register response byte count %d", ${message.byte_count})); zeek::util::fmt("invalid value for modbus read holding register response byte count %d", ${message.byte_count}));
return false; return false;
} }
@ -217,8 +217,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r); t->Assign(i, r);
} }
zeek::BifEvent::enqueue_modbus_read_holding_registers_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_holding_registers_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
std::move(t)); std::move(t));
} }
@ -232,8 +232,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_input_registers_request ) if ( ::modbus_read_input_registers_request )
{ {
zeek::BifEvent::enqueue_modbus_read_input_registers_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_input_registers_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.start_address}, ${message.quantity}); ${message.start_address}, ${message.quantity});
} }
@ -246,7 +246,7 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ${message.byte_count} % 2 != 0 ) if ( ${message.byte_count} % 2 != 0 )
{ {
connection()->bro_analyzer()->ProtocolViolation( connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus read input register response byte count %d", ${message.byte_count})); zeek::util::fmt("invalid value for modbus read input register response byte count %d", ${message.byte_count}));
return false; return false;
} }
@ -261,8 +261,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r); t->Assign(i, r);
} }
zeek::BifEvent::enqueue_modbus_read_input_registers_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_input_registers_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
std::move(t)); std::move(t));
} }
@ -283,13 +283,13 @@ refine flow ModbusTCP_Flow += {
val = 1; val = 1;
else else
{ {
connection()->bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil request %d", connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil request %d",
${message.value})); ${message.value}));
return false; return false;
} }
zeek::BifEvent::enqueue_modbus_write_single_coil_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_write_single_coil_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.address}, ${message.address},
val); val);
@ -310,13 +310,13 @@ refine flow ModbusTCP_Flow += {
val = 1; val = 1;
else else
{ {
connection()->bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil response %d", connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil response %d",
${message.value})); ${message.value}));
return false; return false;
} }
zeek::BifEvent::enqueue_modbus_write_single_coil_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_write_single_coil_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.address}, ${message.address},
val); val);
@ -331,8 +331,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_single_register_request ) if ( ::modbus_write_single_register_request )
{ {
zeek::BifEvent::enqueue_modbus_write_single_register_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_write_single_register_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.address}, ${message.value}); ${message.address}, ${message.value});
} }
@ -345,8 +345,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_single_register_response ) if ( ::modbus_write_single_register_response )
{ {
zeek::BifEvent::enqueue_modbus_write_single_register_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_write_single_register_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.address}, ${message.value}); ${message.address}, ${message.value});
} }
@ -360,8 +360,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_multiple_coils_request ) if ( ::modbus_write_multiple_coils_request )
{ {
zeek::BifEvent::enqueue_modbus_write_multiple_coils_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_write_multiple_coils_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.start_address}, ${message.start_address},
bytestring_to_coils(${message.coils}, ${message.quantity})); bytestring_to_coils(${message.coils}, ${message.quantity}));
@ -375,8 +375,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_multiple_coils_response ) if ( ::modbus_write_multiple_coils_response )
{ {
zeek::BifEvent::enqueue_modbus_write_multiple_coils_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_write_multiple_coils_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.start_address}, ${message.quantity}); ${message.start_address}, ${message.quantity});
} }
@ -390,7 +390,7 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ${message.byte_count} % 2 != 0 ) if ( ${message.byte_count} % 2 != 0 )
{ {
connection()->bro_analyzer()->ProtocolViolation( connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus write multiple registers request byte count %d", ${message.byte_count})); zeek::util::fmt("invalid value for modbus write multiple registers request byte count %d", ${message.byte_count}));
return false; return false;
} }
@ -405,8 +405,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r); t->Assign(i, r);
} }
zeek::BifEvent::enqueue_modbus_write_multiple_registers_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_write_multiple_registers_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.start_address}, std::move(t)); ${message.start_address}, std::move(t));
} }
@ -419,8 +419,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_write_multiple_registers_response ) if ( ::modbus_write_multiple_registers_response )
{ {
zeek::BifEvent::enqueue_modbus_write_multiple_registers_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_write_multiple_registers_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.start_address}, ${message.quantity}); ${message.start_address}, ${message.quantity});
} }
@ -447,8 +447,8 @@ refine flow ModbusTCP_Flow += {
// t->Assign(i, l); // t->Assign(i, l);
// } // }
zeek::BifEvent::enqueue_modbus_read_file_record_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_file_record_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header)); HeaderToVal(header));
} }
@ -468,8 +468,8 @@ refine flow ModbusTCP_Flow += {
// t->Assign(i, r); // t->Assign(i, r);
// } // }
zeek::BifEvent::enqueue_modbus_read_file_record_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_file_record_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header)); HeaderToVal(header));
} }
@ -500,8 +500,8 @@ refine flow ModbusTCP_Flow += {
// } // }
// } // }
zeek::BifEvent::enqueue_modbus_write_file_record_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_write_file_record_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header)); HeaderToVal(header));
} }
@ -532,8 +532,8 @@ refine flow ModbusTCP_Flow += {
// t->Assign(i, k); // t->Assign(i, k);
// } // }
zeek::BifEvent::enqueue_modbus_write_file_record_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_write_file_record_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header)); HeaderToVal(header));
} }
@ -545,8 +545,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_mask_write_register_request ) if ( ::modbus_mask_write_register_request )
{ {
zeek::BifEvent::enqueue_modbus_mask_write_register_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_mask_write_register_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.address}, ${message.address},
${message.and_mask}, ${message.or_mask}); ${message.and_mask}, ${message.or_mask});
@ -560,8 +560,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_mask_write_register_response ) if ( ::modbus_mask_write_register_response )
{ {
zeek::BifEvent::enqueue_modbus_mask_write_register_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_mask_write_register_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.address}, ${message.address},
${message.and_mask}, ${message.or_mask}); ${message.and_mask}, ${message.or_mask});
@ -575,7 +575,7 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ${message.write_byte_count} % 2 != 0 ) if ( ${message.write_byte_count} % 2 != 0 )
{ {
connection()->bro_analyzer()->ProtocolViolation( connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus read write multiple registers request write byte count %d", ${message.write_byte_count})); zeek::util::fmt("invalid value for modbus read write multiple registers request write byte count %d", ${message.write_byte_count}));
return false; return false;
} }
@ -590,8 +590,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r); t->Assign(i, r);
} }
zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.read_start_address}, ${message.read_start_address},
${message.read_quantity}, ${message.read_quantity},
@ -607,7 +607,7 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ${message.byte_count} % 2 != 0 ) if ( ${message.byte_count} % 2 != 0 )
{ {
connection()->bro_analyzer()->ProtocolViolation( connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus read write multiple registers response byte count %d", ${message.byte_count})); zeek::util::fmt("invalid value for modbus read write multiple registers response byte count %d", ${message.byte_count}));
return false; return false;
} }
@ -622,8 +622,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r); t->Assign(i, r);
} }
zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_write_multiple_registers_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
std::move(t)); std::move(t));
} }
@ -636,8 +636,8 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ::modbus_read_fifo_queue_request ) if ( ::modbus_read_fifo_queue_request )
{ {
zeek::BifEvent::enqueue_modbus_read_fifo_queue_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_fifo_queue_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
${message.start_address}); ${message.start_address});
} }
@ -651,7 +651,7 @@ refine flow ModbusTCP_Flow += {
%{ %{
if ( ${message.byte_count} % 2 != 0 ) if ( ${message.byte_count} % 2 != 0 )
{ {
connection()->bro_analyzer()->ProtocolViolation( connection()->zeek_analyzer()->ProtocolViolation(
zeek::util::fmt("invalid value for modbus read FIFO queue response byte count %d", ${message.byte_count})); zeek::util::fmt("invalid value for modbus read FIFO queue response byte count %d", ${message.byte_count}));
return false; return false;
} }
@ -666,8 +666,8 @@ refine flow ModbusTCP_Flow += {
t->Assign(i, r); t->Assign(i, r);
} }
zeek::BifEvent::enqueue_modbus_read_fifo_queue_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_modbus_read_fifo_queue_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
HeaderToVal(header), HeaderToVal(header),
std::move(t)); std::move(t));
} }

2
src/analyzer/protocol/modbus/modbus-protocol.pac
View file

@ -1,5 +1,5 @@
# #
# The development of Bro's Modbus analyzer has been made possible thanks to # The development of Zeek's Modbus analyzer has been made possible thanks to
# the support of the Ministry of Security and Justice of the Kingdom of the # the support of the Ministry of Security and Justice of the Kingdom of the
# Netherlands within the projects of Hermes, Castor and Midas. # Netherlands within the projects of Hermes, Castor and Midas.
# #

6
src/analyzer/protocol/modbus/modbus.pac
View file

@ -1,5 +1,5 @@
# #
# The development of Bro's Modbus analyzer has been made possible thanks to # The development of Zeek's Modbus analyzer has been made possible thanks to
# the support of the Ministry of Security and Justice of the Kingdom of the # the support of the Ministry of Security and Justice of the Kingdom of the
# Netherlands within the projects of Hermes, Castor and Midas. # Netherlands within the projects of Hermes, Castor and Midas.
# #
@ -7,7 +7,7 @@
# http://www.simplymodbus.ca/faq.htm # http://www.simplymodbus.ca/faq.htm
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "events.bif.h" #include "events.bif.h"
@ -18,7 +18,7 @@ analyzer ModbusTCP withcontext {
flow: ModbusTCP_Flow; flow: ModbusTCP_Flow;
}; };
connection ModbusTCP_Conn(bro_analyzer: BroAnalyzer) { connection ModbusTCP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = ModbusTCP_Flow(true); upflow = ModbusTCP_Flow(true);
downflow = ModbusTCP_Flow(false); downflow = ModbusTCP_Flow(false);
}; };

4
src/analyzer/protocol/mqtt/commands/connack.pac
View file

@ -18,8 +18,8 @@ refine flow MQTT_Flow += {
auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectAckMsg); auto m = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::MQTT::ConnectAckMsg);
m->Assign(0, zeek::val_mgr->Count(${msg.return_code})); m->Assign(0, zeek::val_mgr->Count(${msg.return_code}));
m->Assign(1, zeek::val_mgr->Bool(${msg.session_present})); m->Assign(1, zeek::val_mgr->Bool(${msg.session_present}));
zeek::BifEvent::enqueue_mqtt_connack(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_connack(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
std::move(m)); std::move(m));
} }

6
src/analyzer/protocol/mqtt/commands/connect.pac
View file

@ -75,13 +75,13 @@ refine flow MQTT_Flow += {
reinterpret_cast<const char*>(${msg.pass.str}.begin()))); reinterpret_cast<const char*>(${msg.pass.str}.begin())));
} }
zeek::BifEvent::enqueue_mqtt_connect(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_connect(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
std::move(m)); std::move(m));
} }
// If a connect message was seen, let's say that confirms it. // If a connect message was seen, let's say that confirms it.
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
return true; return true;
%} %}
}; };

4
src/analyzer/protocol/mqtt/commands/disconnect.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_disconnect ) if ( mqtt_disconnect )
{ {
zeek::BifEvent::enqueue_mqtt_disconnect(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_disconnect(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn()); connection()->zeek_analyzer()->Conn());
} }
return true; return true;

4
src/analyzer/protocol/mqtt/commands/pingreq.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_pingreq ) if ( mqtt_pingreq )
{ {
zeek::BifEvent::enqueue_mqtt_pingreq(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_pingreq(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn()); connection()->zeek_analyzer()->Conn());
} }
return true; return true;

4
src/analyzer/protocol/mqtt/commands/pingresp.pac
View file

@ -11,8 +11,8 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_pingresp ) if ( mqtt_pingresp )
{ {
zeek::BifEvent::enqueue_mqtt_pingresp(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_pingresp(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn()); connection()->zeek_analyzer()->Conn());
} }
return true; return true;

4
src/analyzer/protocol/mqtt/commands/puback.pac
View file

@ -13,8 +13,8 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_puback ) if ( mqtt_puback )
{ {
zeek::BifEvent::enqueue_mqtt_puback(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_puback(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig, is_orig,
${msg.msg_id}); ${msg.msg_id});
} }

4
src/analyzer/protocol/mqtt/commands/pubcomp.pac
View file

@ -13,8 +13,8 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_pubcomp ) if ( mqtt_pubcomp )
{ {
zeek::BifEvent::enqueue_mqtt_pubcomp(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_pubcomp(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig, is_orig,
${msg.msg_id}); ${msg.msg_id});
} }

6
src/analyzer/protocol/mqtt/commands/publish.pac
View file

@ -42,15 +42,15 @@ refine flow MQTT_Flow += {
m->Assign(5, zeek::val_mgr->Count(${msg.payload}.length())); m->Assign(5, zeek::val_mgr->Count(${msg.payload}.length()));
zeek::BifEvent::enqueue_mqtt_publish(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_publish(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${pdu.is_orig}, ${pdu.is_orig},
${msg.qos} == 0 ? 0 : ${msg.msg_id}, ${msg.qos} == 0 ? 0 : ${msg.msg_id},
std::move(m)); std::move(m));
} }
// If a publish message was seen, let's say that confirms it. // If a publish message was seen, let's say that confirms it.
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
return true; return true;
%} %}

4
src/analyzer/protocol/mqtt/commands/pubrec.pac
View file

@ -13,8 +13,8 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_pubrec ) if ( mqtt_pubrec )
{ {
zeek::BifEvent::enqueue_mqtt_pubrec(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_pubrec(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig, is_orig,
${msg.msg_id}); ${msg.msg_id});
} }

4
src/analyzer/protocol/mqtt/commands/pubrel.pac
View file

@ -13,8 +13,8 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_pubrel ) if ( mqtt_pubrel )
{ {
zeek::BifEvent::enqueue_mqtt_pubrel(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_pubrel(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig, is_orig,
${msg.msg_id}); ${msg.msg_id});
} }

4
src/analyzer/protocol/mqtt/commands/suback.pac
View file

@ -14,8 +14,8 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_suback ) if ( mqtt_suback )
{ {
zeek::BifEvent::enqueue_mqtt_suback(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_suback(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${msg.msg_id}, ${msg.msg_id},
${msg.granted_QoS}); ${msg.granted_QoS});
} }

4
src/analyzer/protocol/mqtt/commands/subscribe.pac
View file

@ -31,8 +31,8 @@ refine flow MQTT_Flow += {
qos_levels->Assign(qos_levels->Size(), std::move(qos)); qos_levels->Assign(qos_levels->Size(), std::move(qos));
} }
zeek::BifEvent::enqueue_mqtt_subscribe(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_subscribe(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${msg.msg_id}, ${msg.msg_id},
std::move(topics), std::move(topics),
std::move(qos_levels)); std::move(qos_levels));

4
src/analyzer/protocol/mqtt/commands/unsuback.pac
View file

@ -13,8 +13,8 @@ refine flow MQTT_Flow += {
%{ %{
if ( mqtt_unsuback ) if ( mqtt_unsuback )
{ {
zeek::BifEvent::enqueue_mqtt_unsuback(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_unsuback(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${msg.msg_id}); ${msg.msg_id});
} }

4
src/analyzer/protocol/mqtt/commands/unsubscribe.pac
View file

@ -23,8 +23,8 @@ refine flow MQTT_Flow += {
topics->Assign(topics->Size(), std::move(unsubscribe_topic)); topics->Assign(topics->Size(), std::move(unsubscribe_topic));
} }
zeek::BifEvent::enqueue_mqtt_unsubscribe(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mqtt_unsubscribe(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${msg.msg_id}, ${msg.msg_id},
std::move(topics)); std::move(topics));
} }

5
src/analyzer/protocol/mqtt/mqtt-protocol.pac
View file

@ -46,7 +46,7 @@ refine connection MQTT_Conn += {
if ( vals->size() > 4 ) if ( vals->size() > 4 )
{ {
this->bro_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too many bytes"); this->zeek_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too many bytes");
return 0; return 0;
} }
@ -57,7 +57,7 @@ refine connection MQTT_Conn += {
if ( multiplier > 128*128*128 ) if ( multiplier > 128*128*128 )
{ {
// This is definitely a protocol violation // This is definitely a protocol violation
this->bro_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too large"); this->zeek_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too large");
return 0; return 0;
} }
} }
@ -65,4 +65,3 @@ refine connection MQTT_Conn += {
return value; return value;
%} %}
}; };

5
src/analyzer/protocol/mqtt/mqtt.pac
View file

@ -1,7 +1,7 @@
# Analyzer for MQTT Protocol (currently v3.1.1, no v5.0 support) # Analyzer for MQTT Protocol (currently v3.1.1, no v5.0 support)
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "MQTT.h" #include "MQTT.h"
@ -15,7 +15,7 @@ analyzer MQTT withcontext {
}; };
# Our connection consists of two flows, one in each direction. # Our connection consists of two flows, one in each direction.
connection MQTT_Conn(bro_analyzer: BroAnalyzer) { connection MQTT_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = MQTT_Flow(true); upflow = MQTT_Flow(true);
downflow = MQTT_Flow(false); downflow = MQTT_Flow(false);
}; };
@ -41,4 +41,3 @@ flow MQTT_Flow(is_orig: bool) {
%include commands/disconnect.pac %include commands/disconnect.pac
%include commands/pingreq.pac %include commands/pingreq.pac
%include commands/pingresp.pac %include commands/pingresp.pac

38
src/analyzer/protocol/mysql/mysql-analyzer.pac
View file

@ -6,12 +6,12 @@ refine flow MySQL_Flow += {
if ( mysql_server_version ) if ( mysql_server_version )
{ {
if ( ${msg.version} == 10 ) if ( ${msg.version} == 10 )
zeek::BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mysql_server_version(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
zeek::make_intrusive<zeek::StringVal>(c_str(${msg.handshake10.server_version}))); zeek::make_intrusive<zeek::StringVal>(c_str(${msg.handshake10.server_version})));
if ( ${msg.version} == 9 ) if ( ${msg.version} == 9 )
zeek::BifEvent::enqueue_mysql_server_version(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mysql_server_version(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
zeek::make_intrusive<zeek::StringVal>(c_str(${msg.handshake9.server_version}))); zeek::make_intrusive<zeek::StringVal>(c_str(${msg.handshake9.server_version})));
} }
return true; return true;
@ -20,17 +20,17 @@ refine flow MySQL_Flow += {
function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool
%{ %{
if ( ${msg.version} == 9 || ${msg.version == 10} ) if ( ${msg.version} == 9 || ${msg.version == 10} )
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
if ( mysql_handshake ) if ( mysql_handshake )
{ {
if ( ${msg.version} == 10 ) if ( ${msg.version} == 10 )
zeek::BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mysql_handshake(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
zeek::make_intrusive<zeek::StringVal>(c_str(${msg.v10_response.username}))); zeek::make_intrusive<zeek::StringVal>(c_str(${msg.v10_response.username})));
if ( ${msg.version} == 9 ) if ( ${msg.version} == 9 )
zeek::BifEvent::enqueue_mysql_handshake(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mysql_handshake(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
zeek::make_intrusive<zeek::StringVal>(c_str(${msg.v9_response.username}))); zeek::make_intrusive<zeek::StringVal>(c_str(${msg.v9_response.username})));
} }
return true; return true;
@ -39,8 +39,8 @@ refine flow MySQL_Flow += {
function proc_mysql_command_request_packet(msg: Command_Request_Packet): bool function proc_mysql_command_request_packet(msg: Command_Request_Packet): bool
%{ %{
if ( mysql_command_request ) if ( mysql_command_request )
zeek::BifEvent::enqueue_mysql_command_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mysql_command_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${msg.command}, ${msg.command},
to_stringval(${msg.arg})); to_stringval(${msg.arg}));
return true; return true;
@ -49,8 +49,8 @@ refine flow MySQL_Flow += {
function proc_err_packet(msg: ERR_Packet): bool function proc_err_packet(msg: ERR_Packet): bool
%{ %{
if ( mysql_error ) if ( mysql_error )
zeek::BifEvent::enqueue_mysql_error(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mysql_error(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${msg.code}, ${msg.code},
to_stringval(${msg.msg})); to_stringval(${msg.msg}));
return true; return true;
@ -59,8 +59,8 @@ refine flow MySQL_Flow += {
function proc_ok_packet(msg: OK_Packet): bool function proc_ok_packet(msg: OK_Packet): bool
%{ %{
if ( mysql_ok ) if ( mysql_ok )
zeek::BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mysql_ok(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${msg.rows}); ${msg.rows});
return true; return true;
%} %}
@ -71,8 +71,8 @@ refine flow MySQL_Flow += {
{ {
// This is a bit fake... // This is a bit fake...
if ( mysql_ok ) if ( mysql_ok )
zeek::BifEvent::enqueue_mysql_ok(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mysql_ok(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
0); 0);
} }
@ -98,8 +98,8 @@ refine flow MySQL_Flow += {
vv->Assign(vv->Size(), zeek::make_intrusive<zeek::StringVal>(bstring.length(), ptr)); vv->Assign(vv->Size(), zeek::make_intrusive<zeek::StringVal>(bstring.length(), ptr));
} }
zeek::BifEvent::enqueue_mysql_result_row(connection()->bro_analyzer(), zeek::BifEvent::enqueue_mysql_result_row(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
std::move(vv)); std::move(vv));
return true; return true;

4
src/analyzer/protocol/mysql/mysql.pac
View file

@ -5,7 +5,7 @@
# - mysql-analyzer.pac: describes the MySQL analyzer code # - mysql-analyzer.pac: describes the MySQL analyzer code
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "events.bif.h" #include "events.bif.h"
@ -17,7 +17,7 @@ analyzer MySQL withcontext {
}; };
# Our connection consists of two flows, one in each direction. # Our connection consists of two flows, one in each direction.
connection MySQL_Conn(bro_analyzer: BroAnalyzer) { connection MySQL_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = MySQL_Flow(true); upflow = MySQL_Flow(true);
downflow = MySQL_Flow(false); downflow = MySQL_Flow(false);
}; };

2
src/analyzer/protocol/ncp/ncp.pac
View file

@ -1,6 +1,6 @@
# Netware Core Protocol # Netware Core Protocol
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "events.bif.h" #include "events.bif.h"

52
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -1,20 +1,20 @@
%header{ %header{
zeek::ValPtr filetime2brotime(uint64_t ts); zeek::ValPtr filetime2zeektime(uint64_t ts);
zeek::RecordValPtr build_version_record(NTLM_Version* val); zeek::RecordValPtr build_version_record(NTLM_Version* val);
zeek::RecordValPtr build_negotiate_flag_record(NTLM_Negotiate_Flags* val); zeek::RecordValPtr build_negotiate_flag_record(NTLM_Negotiate_Flags* val);
%} %}
%code{ %code{
// This is replicated from the SMB analyzer. :( // This is replicated from the SMB analyzer. :(
zeek::ValPtr filetime2brotime(uint64_t ts) zeek::ValPtr filetime2zeektime(uint64_t ts)
{ {
double secs = (ts / 10000000.0); double secs = (ts / 10000000.0);
// Bro can't support times back to the 1600's // Zeek can't support times back to the 1600's
// so we subtract a lot of seconds. // so we subtract a lot of seconds.
auto bro_ts = zeek::make_intrusive<zeek::TimeVal>(secs - 11644473600.0); auto zeek_ts = zeek::make_intrusive<zeek::TimeVal>(secs - 11644473600.0);
return bro_ts; return zeek_ts;
} }
zeek::RecordValPtr build_version_record(NTLM_Version* val) zeek::RecordValPtr build_version_record(NTLM_Version* val)
@ -60,7 +60,7 @@
refine connection NTLM_Conn += { refine connection NTLM_Conn += {
function build_av_record(val: NTLM_AV_Pair_Sequence, len: uint16): BroVal function build_av_record(val: NTLM_AV_Pair_Sequence, len: uint16): ZeekVal
%{ %{
zeek::RecordVal* result = new zeek::RecordVal(zeek::BifType::Record::NTLM::AVs); zeek::RecordVal* result = new zeek::RecordVal(zeek::BifType::Record::NTLM::AVs);
for ( uint i = 0; ; i++ ) for ( uint i = 0; ; i++ )
@ -71,7 +71,7 @@ refine connection NTLM_Conn += {
// According to spec, the TargetInfo MUST be a sequence of // According to spec, the TargetInfo MUST be a sequence of
// AV_PAIRs and terminated by the null AV_PAIR when the // AV_PAIRs and terminated by the null AV_PAIR when the
// TargetInfoLen is non-zero, so this is in violation. // TargetInfoLen is non-zero, so this is in violation.
bro_analyzer()->ProtocolViolation("NTLM AV Pair loop underflow"); zeek_analyzer()->ProtocolViolation("NTLM AV Pair loop underflow");
return result; return result;
} }
@ -81,31 +81,31 @@ refine connection NTLM_Conn += {
case 0: case 0:
return result; return result;
case 1: case 1:
result->Assign(0, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data})); result->Assign(0, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].nb_computer_name.data}));
break; break;
case 2: case 2:
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data})); result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].nb_domain_name.data}));
break; break;
case 3: case 3:
result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data})); result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_computer_name.data}));
break; break;
case 4: case 4:
result->Assign(3, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data})); result->Assign(3, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_domain_name.data}));
break; break;
case 5: case 5:
result->Assign(4, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data})); result->Assign(4, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].dns_tree_name.data}));
break; break;
case 6: case 6:
result->Assign(5, zeek::val_mgr->Bool(${val.pairs[i].constrained_auth})); result->Assign(5, zeek::val_mgr->Bool(${val.pairs[i].constrained_auth}));
break; break;
case 7: case 7:
result->Assign(6, filetime2brotime(${val.pairs[i].timestamp})); result->Assign(6, filetime2zeektime(${val.pairs[i].timestamp}));
break; break;
case 8: case 8:
result->Assign(7, zeek::val_mgr->Count(${val.pairs[i].single_host.machine_id})); result->Assign(7, zeek::val_mgr->Count(${val.pairs[i].single_host.machine_id}));
break; break;
case 9: case 9:
result->Assign(8, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.pairs[i].target_name.data})); result->Assign(8, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.pairs[i].target_name.data}));
break; break;
} }
} }
@ -121,16 +121,16 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() ) if ( ${val}->has_domain_name() )
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data})); result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.domain_name.string.data}));
if ( ${val}->has_workstation() ) if ( ${val}->has_workstation() )
result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data})); result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.workstation.string.data}));
if ( ${val}->has_version() ) if ( ${val}->has_version() )
result->Assign(3, build_version_record(${val.version})); result->Assign(3, build_version_record(${val.version}));
zeek::BifEvent::enqueue_ntlm_negotiate(bro_analyzer(), zeek::BifEvent::enqueue_ntlm_negotiate(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
std::move(result)); std::move(result));
return true; return true;
@ -145,7 +145,7 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_target_name() ) if ( ${val}->has_target_name() )
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.target_name.string.data})); result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.target_name.string.data}));
if ( ${val}->has_version() ) if ( ${val}->has_version() )
result->Assign(2, build_version_record(${val.version})); result->Assign(2, build_version_record(${val.version}));
@ -153,8 +153,8 @@ refine connection NTLM_Conn += {
if ( ${val}->has_target_info() ) if ( ${val}->has_target_info() )
result->Assign(3, {zeek::AdoptRef{}, build_av_record(${val.target_info}, ${val.target_info_fields.length})}); result->Assign(3, {zeek::AdoptRef{}, build_av_record(${val.target_info}, ${val.target_info_fields.length})});
zeek::BifEvent::enqueue_ntlm_challenge(bro_analyzer(), zeek::BifEvent::enqueue_ntlm_challenge(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
std::move(result)); std::move(result));
return true; return true;
@ -169,13 +169,13 @@ refine connection NTLM_Conn += {
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val}->has_domain_name() > 0 ) if ( ${val}->has_domain_name() > 0 )
result->Assign(1, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.domain_name.string.data})); result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.domain_name.string.data}));
if ( ${val}->has_user_name() > 0 ) if ( ${val}->has_user_name() > 0 )
result->Assign(2, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.user_name.string.data})); result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.user_name.string.data}));
if ( ${val}->has_workstation() > 0 ) if ( ${val}->has_workstation() > 0 )
result->Assign(3, utf16_to_utf8_val(bro_analyzer()->Conn(), ${val.workstation.string.data})); result->Assign(3, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.workstation.string.data}));
if ( ${val}->has_encrypted_session_key() > 0 ) if ( ${val}->has_encrypted_session_key() > 0 )
result->Assign(4, to_stringval(${val.encrypted_session_key.string.data})); result->Assign(4, to_stringval(${val.encrypted_session_key.string.data}));
@ -183,8 +183,8 @@ refine connection NTLM_Conn += {
if ( ${val}->has_version() ) if ( ${val}->has_version() )
result->Assign(5, build_version_record(${val.version})); result->Assign(5, build_version_record(${val.version}));
zeek::BifEvent::enqueue_ntlm_authenticate(bro_analyzer(), zeek::BifEvent::enqueue_ntlm_authenticate(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
std::move(result)); std::move(result));
return true; return true;
%} %}

4
src/analyzer/protocol/ntlm/ntlm.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "analyzer/Manager.h" #include "analyzer/Manager.h"
@ -14,7 +14,7 @@ analyzer NTLM withcontext {
flow : NTLM_Flow; flow : NTLM_Flow;
}; };
connection NTLM_Conn(bro_analyzer: BroAnalyzer) { connection NTLM_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = NTLM_Flow(true); upflow = NTLM_Flow(true);
downflow = NTLM_Flow(false); downflow = NTLM_Flow(false);
}; };

6
src/analyzer/protocol/ntp/ntp-analyzer.pac
View file

@ -133,7 +133,7 @@ refine flow NTP_Flow += {
function proc_ntp_message(msg: NTP_PDU): bool function proc_ntp_message(msg: NTP_PDU): bool
%{ %{
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
if ( ! ntp_message ) if ( ! ntp_message )
return false; return false;
@ -150,8 +150,8 @@ refine flow NTP_Flow += {
else if ( ${msg.mode} == 7 ) else if ( ${msg.mode} == 7 )
rv->Assign(4, BuildNTPMode7Msg(${msg.mode7})); rv->Assign(4, BuildNTPMode7Msg(${msg.mode7}));
zeek::BifEvent::enqueue_ntp_message(connection()->bro_analyzer(), zeek::BifEvent::enqueue_ntp_message(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
is_orig(), std::move(rv)); is_orig(), std::move(rv));
return true; return true;
%} %}

4
src/analyzer/protocol/ntp/ntp.pac
View file

@ -1,6 +1,6 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "types.bif.h" #include "types.bif.h"
@ -12,7 +12,7 @@ analyzer NTP withcontext {
flow: NTP_Flow; flow: NTP_Flow;
}; };
connection NTP_Conn(bro_analyzer: BroAnalyzer) { connection NTP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = NTP_Flow(true); upflow = NTP_Flow(true);
downflow = NTP_Flow(false); downflow = NTP_Flow(false);
}; };

6
src/analyzer/protocol/radius/radius-analyzer.pac
View file

@ -2,7 +2,7 @@
refine flow RADIUS_Flow += { refine flow RADIUS_Flow += {
function proc_radius_message(msg: RADIUS_PDU): bool function proc_radius_message(msg: RADIUS_PDU): bool
%{ %{
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
if ( ! radius_message ) if ( ! radius_message )
return false; return false;
@ -41,7 +41,7 @@ refine flow RADIUS_Flow += {
result->Assign(3, std::move(attributes)); result->Assign(3, std::move(attributes));
} }
zeek::BifEvent::enqueue_radius_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), std::move(result)); zeek::BifEvent::enqueue_radius_message(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), std::move(result));
return true; return true;
%} %}
@ -50,7 +50,7 @@ refine flow RADIUS_Flow += {
if ( ! radius_attribute ) if ( ! radius_attribute )
return false; return false;
zeek::BifEvent::enqueue_radius_attribute(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), zeek::BifEvent::enqueue_radius_attribute(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
${attr.code}, to_stringval(${attr.value})); ${attr.code}, to_stringval(${attr.value}));
return true; return true;
%} %}

4
src/analyzer/protocol/radius/radius.pac
View file

@ -3,7 +3,7 @@
# - radius-analyzer.pac: describes the RADIUS analyzer code # - radius-analyzer.pac: describes the RADIUS analyzer code
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "events.bif.h" #include "events.bif.h"
@ -15,7 +15,7 @@ analyzer RADIUS withcontext {
}; };
# Our connection consists of two flows, one in each direction. # Our connection consists of two flows, one in each direction.
connection RADIUS_Conn(bro_analyzer: BroAnalyzer) { connection RADIUS_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = RADIUS_Flow(true); upflow = RADIUS_Flow(true);
downflow = RADIUS_Flow(false); downflow = RADIUS_Flow(false);
}; };

2
src/analyzer/protocol/rdp/RDP.cc
View file

@ -76,7 +76,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
if ( rdp_native_encrypted_data ) if ( rdp_native_encrypted_data )
BifEvent::enqueue_rdp_native_encrypted_data( BifEvent::enqueue_rdp_native_encrypted_data(
interp->bro_analyzer(), interp->bro_analyzer()->Conn(), interp->zeek_analyzer(), interp->zeek_analyzer()->Conn(),
orig, len); orig, len);
} }
} }

60
src/analyzer/protocol/rdp/rdp-analyzer.pac
View file

@ -9,8 +9,8 @@ refine flow RDP_Flow += {
%{ %{
if ( rdp_connect_request ) if ( rdp_connect_request )
{ {
zeek::BifEvent::enqueue_rdp_connect_request(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_connect_request(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
to_stringval(${cr.cookie_value}), to_stringval(${cr.cookie_value}),
${cr.rdp_neg_req} ? ${cr.rdp_neg_req.flags} : 0); ${cr.rdp_neg_req} ? ${cr.rdp_neg_req.flags} : 0);
} }
@ -22,8 +22,8 @@ refine flow RDP_Flow += {
%{ %{
if ( rdp_negotiation_response ) if ( rdp_negotiation_response )
{ {
zeek::BifEvent::enqueue_rdp_negotiation_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_negotiation_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${nr.selected_protocol}, ${nr.selected_protocol},
${nr.flags}); ${nr.flags});
} }
@ -35,8 +35,8 @@ refine flow RDP_Flow += {
%{ %{
if ( rdp_negotiation_failure ) if ( rdp_negotiation_failure )
{ {
zeek::BifEvent::enqueue_rdp_negotiation_failure(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_negotiation_failure(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${nf.failure_code}, ${nf.failure_code},
${nf.flags}); ${nf.flags});
} }
@ -47,11 +47,11 @@ refine flow RDP_Flow += {
function proc_rdp_gcc_server_create_response(gcc_response: GCC_Server_Create_Response): bool function proc_rdp_gcc_server_create_response(gcc_response: GCC_Server_Create_Response): bool
%{ %{
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
if ( rdp_gcc_server_create_response ) if ( rdp_gcc_server_create_response )
zeek::BifEvent::enqueue_rdp_gcc_server_create_response(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_gcc_server_create_response(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${gcc_response.result}); ${gcc_response.result});
return true; return true;
@ -60,7 +60,7 @@ refine flow RDP_Flow += {
function proc_rdp_client_core_data(ccore: Client_Core_Data): bool function proc_rdp_client_core_data(ccore: Client_Core_Data): bool
%{ %{
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
if ( rdp_client_core_data ) if ( rdp_client_core_data )
{ {
@ -84,21 +84,21 @@ refine flow RDP_Flow += {
ccd->Assign(5, zeek::val_mgr->Count(${ccore.sas_sequence})); ccd->Assign(5, zeek::val_mgr->Count(${ccore.sas_sequence}));
ccd->Assign(6, zeek::val_mgr->Count(${ccore.keyboard_layout})); ccd->Assign(6, zeek::val_mgr->Count(${ccore.keyboard_layout}));
ccd->Assign(7, zeek::val_mgr->Count(${ccore.client_build})); ccd->Assign(7, zeek::val_mgr->Count(${ccore.client_build}));
ccd->Assign(8, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.client_name})); ccd->Assign(8, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.client_name}));
ccd->Assign(9, zeek::val_mgr->Count(${ccore.keyboard_type})); ccd->Assign(9, zeek::val_mgr->Count(${ccore.keyboard_type}));
ccd->Assign(10, zeek::val_mgr->Count(${ccore.keyboard_sub})); ccd->Assign(10, zeek::val_mgr->Count(${ccore.keyboard_sub}));
ccd->Assign(11, zeek::val_mgr->Count(${ccore.keyboard_function_key})); ccd->Assign(11, zeek::val_mgr->Count(${ccore.keyboard_function_key}));
ccd->Assign(12, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.ime_file_name})); ccd->Assign(12, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.ime_file_name}));
ccd->Assign(13, zeek::val_mgr->Count(${ccore.post_beta2_color_depth})); ccd->Assign(13, zeek::val_mgr->Count(${ccore.post_beta2_color_depth}));
ccd->Assign(14, zeek::val_mgr->Count(${ccore.client_product_id})); ccd->Assign(14, zeek::val_mgr->Count(${ccore.client_product_id}));
ccd->Assign(15, zeek::val_mgr->Count(${ccore.serial_number})); ccd->Assign(15, zeek::val_mgr->Count(${ccore.serial_number}));
ccd->Assign(16, zeek::val_mgr->Count(${ccore.high_color_depth})); ccd->Assign(16, zeek::val_mgr->Count(${ccore.high_color_depth}));
ccd->Assign(17, zeek::val_mgr->Count(${ccore.supported_color_depths})); ccd->Assign(17, zeek::val_mgr->Count(${ccore.supported_color_depths}));
ccd->Assign(18, std::move(ec_flags)); ccd->Assign(18, std::move(ec_flags));
ccd->Assign(19, utf16_to_utf8_val(connection()->bro_analyzer()->Conn(), ${ccore.dig_product_id})); ccd->Assign(19, utf16_to_utf8_val(connection()->zeek_analyzer()->Conn(), ${ccore.dig_product_id}));
zeek::BifEvent::enqueue_rdp_client_core_data(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_client_core_data(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
std::move(ccd)); std::move(ccd));
} }
@ -114,8 +114,8 @@ refine flow RDP_Flow += {
csd->Assign(0, zeek::val_mgr->Count(${csec.encryption_methods})); csd->Assign(0, zeek::val_mgr->Count(${csec.encryption_methods}));
csd->Assign(1, zeek::val_mgr->Count(${csec.ext_encryption_methods})); csd->Assign(1, zeek::val_mgr->Count(${csec.ext_encryption_methods}));
zeek::BifEvent::enqueue_rdp_client_security_data(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_client_security_data(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
std::move(csd)); std::move(csd));
return true; return true;
%} %}
@ -151,8 +151,8 @@ refine flow RDP_Flow += {
channels->Assign(channels->Size(), std::move(channel_def)); channels->Assign(channels->Size(), std::move(channel_def));
} }
zeek::BifEvent::enqueue_rdp_client_network_data(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_client_network_data(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
std::move(channels)); std::move(channels));
} }
@ -172,19 +172,19 @@ refine flow RDP_Flow += {
ccld->Assign(4, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID})); ccld->Assign(4, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
ccld->Assign(5, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SMARTCARD})); ccld->Assign(5, zeek::val_mgr->Bool(${ccluster.REDIRECTED_SMARTCARD}));
zeek::BifEvent::enqueue_rdp_client_cluster_data(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_client_cluster_data(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
std::move(ccld)); std::move(ccld));
return true; return true;
%} %}
function proc_rdp_server_security(ssd: Server_Security_Data): bool function proc_rdp_server_security(ssd: Server_Security_Data): bool
%{ %{
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
if ( rdp_server_security ) if ( rdp_server_security )
zeek::BifEvent::enqueue_rdp_server_security(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_server_security(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${ssd.encryption_method}, ${ssd.encryption_method},
${ssd.encryption_level}); ${ssd.encryption_level});
@ -195,8 +195,8 @@ refine flow RDP_Flow += {
%{ %{
if ( rdp_server_certificate ) if ( rdp_server_certificate )
{ {
zeek::BifEvent::enqueue_rdp_server_certificate(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rdp_server_certificate(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
${cert.cert_type}, ${cert.cert_type},
${cert.permanently_issued}); ${cert.permanently_issued});
} }
@ -210,14 +210,14 @@ refine flow RDP_Flow += {
zeek::ODesc file_handle; zeek::ODesc file_handle;
file_handle.AddRaw("Analyzer::ANALYZER_RDP"); file_handle.AddRaw("Analyzer::ANALYZER_RDP");
file_handle.Add(connection()->bro_analyzer()->Conn()->StartTime()); file_handle.Add(connection()->zeek_analyzer()->Conn()->StartTime());
connection()->bro_analyzer()->Conn()->IDString(&file_handle); connection()->zeek_analyzer()->Conn()->IDString(&file_handle);
string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
cert.length(), cert.length(),
connection()->bro_analyzer()->GetAnalyzerTag(), connection()->zeek_analyzer()->GetAnalyzerTag(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
false, // It seems there are only server certs? false, // It seems there are only server certs?
file_id, "application/x-x509-user-cert"); file_id, "application/x-x509-user-cert");
zeek::file_mgr->EndOfFile(file_id); zeek::file_mgr->EndOfFile(file_id);

4
src/analyzer/protocol/rdp/rdp-protocol.pac
View file

@ -383,8 +383,8 @@ refine connection RDP_Conn += {
if ( rdp_begin_encryption ) if ( rdp_begin_encryption )
{ {
zeek::BifEvent::enqueue_rdp_begin_encryption(bro_analyzer(), zeek::BifEvent::enqueue_rdp_begin_encryption(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
${method}); ${method});
} }

4
src/analyzer/protocol/rdp/rdp.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "events.bif.h" #include "events.bif.h"
@ -11,7 +11,7 @@ analyzer RDP withcontext {
}; };
# Our connection consists of two flows, one in each direction. # Our connection consists of two flows, one in each direction.
connection RDP_Conn(bro_analyzer: BroAnalyzer) { connection RDP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = RDP_Flow(true); upflow = RDP_Flow(true);
downflow = RDP_Flow(false); downflow = RDP_Flow(false);
}; };

18
src/analyzer/protocol/rdp/rdpeudp-analyzer.pac
View file

@ -45,7 +45,7 @@ refine connection RDPEUDP_Conn += {
orig_lossy_ = true; orig_lossy_ = true;
if ( rdpeudp_syn ) if ( rdpeudp_syn )
zeek::BifEvent::enqueue_rdpeudp_syn(bro_analyzer(), bro_analyzer()->Conn()); zeek::BifEvent::enqueue_rdpeudp_syn(zeek_analyzer(), zeek_analyzer()->Conn());
state_ = NEED_SYNACK; state_ = NEED_SYNACK;
return true; return true;
@ -60,9 +60,9 @@ refine connection RDPEUDP_Conn += {
return false; return false;
if ( rdpeudp_synack ) if ( rdpeudp_synack )
zeek::BifEvent::enqueue_rdpeudp_synack(bro_analyzer(), bro_analyzer()->Conn()); zeek::BifEvent::enqueue_rdpeudp_synack(zeek_analyzer(), zeek_analyzer()->Conn());
bro_analyzer()->ProtocolConfirmation(); zeek_analyzer()->ProtocolConfirmation();
state_ = NEED_ACK; state_ = NEED_ACK;
resp_synex_flags_ = uUdpVer; resp_synex_flags_ = uUdpVer;
@ -79,12 +79,12 @@ refine connection RDPEUDP_Conn += {
state_ = ESTABLISHED; state_ = ESTABLISHED;
if ( rdpeudp_established ) if ( rdpeudp_established )
zeek::BifEvent::enqueue_rdpeudp_established(bro_analyzer(), bro_analyzer()->Conn(), 1); zeek::BifEvent::enqueue_rdpeudp_established(zeek_analyzer(), zeek_analyzer()->Conn(), 1);
} }
if ( state_ == ESTABLISHED && rdpeudp_data ) if ( state_ == ESTABLISHED && rdpeudp_data )
zeek::BifEvent::enqueue_rdpeudp_data(bro_analyzer(), zeek::BifEvent::enqueue_rdpeudp_data(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
is_orig, is_orig,
1, 1,
to_stringval(data) to_stringval(data)
@ -102,14 +102,14 @@ refine connection RDPEUDP_Conn += {
if ( state_ == NEED_ACK ) if ( state_ == NEED_ACK )
{ {
if ( rdpeudp_established ) if ( rdpeudp_established )
zeek::BifEvent::enqueue_rdpeudp_established(bro_analyzer(), bro_analyzer()->Conn(), 2); zeek::BifEvent::enqueue_rdpeudp_established(zeek_analyzer(), zeek_analyzer()->Conn(), 2);
state_ = ESTABLISHED; state_ = ESTABLISHED;
} }
if ( state_ == ESTABLISHED && rdpeudp_data ) if ( state_ == ESTABLISHED && rdpeudp_data )
zeek::BifEvent::enqueue_rdpeudp_data(bro_analyzer(), zeek::BifEvent::enqueue_rdpeudp_data(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
is_orig, is_orig,
2, 2,
to_stringval(data) to_stringval(data)

4
src/analyzer/protocol/rdp/rdpeudp.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "events.bif.h" #include "events.bif.h"
@ -10,7 +10,7 @@ analyzer RDPEUDP withcontext {
flow: RDPEUDP_Flow; flow: RDPEUDP_Flow;
}; };
connection RDPEUDP_Conn(bro_analyzer: BroAnalyzer) { connection RDPEUDP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = RDPEUDP_Flow(true); upflow = RDPEUDP_Flow(true);
downflow = RDPEUDP_Flow(false); downflow = RDPEUDP_Flow(false);
}; };

26
src/analyzer/protocol/rfb/rfb-analyzer.pac
View file

@ -4,18 +4,18 @@ refine flow RFB_Flow += {
if ( client ) if ( client )
{ {
if ( rfb_client_version ) if ( rfb_client_version )
zeek::BifEvent::enqueue_rfb_client_version(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rfb_client_version(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
to_stringval(major), to_stringval(major),
to_stringval(minor)); to_stringval(minor));
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
} }
else else
{ {
if ( rfb_server_version ) if ( rfb_server_version )
zeek::BifEvent::enqueue_rfb_server_version(connection()->bro_analyzer(), zeek::BifEvent::enqueue_rfb_server_version(connection()->zeek_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
to_stringval(major), to_stringval(major),
to_stringval(minor)); to_stringval(minor));
} }
@ -26,21 +26,21 @@ refine flow RFB_Flow += {
function proc_rfb_share_flag(shared: bool) : bool function proc_rfb_share_flag(shared: bool) : bool
%{ %{
if ( rfb_share_flag ) if ( rfb_share_flag )
zeek::BifEvent::enqueue_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared); zeek::BifEvent::enqueue_rfb_share_flag(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), shared);
return true; return true;
%} %}
function proc_security_types(msg: RFBSecurityType) : bool function proc_security_types(msg: RFBSecurityType) : bool
%{ %{
if ( rfb_authentication_type ) if ( rfb_authentication_type )
zeek::BifEvent::enqueue_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype}); zeek::BifEvent::enqueue_rfb_authentication_type(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), ${msg.sectype});
return true; return true;
%} %}
function proc_security_types37(msg: RFBAuthTypeSelected) : bool function proc_security_types37(msg: RFBAuthTypeSelected) : bool
%{ %{
if ( rfb_authentication_type ) if ( rfb_authentication_type )
zeek::BifEvent::enqueue_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type}); zeek::BifEvent::enqueue_rfb_authentication_type(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), ${msg.type});
return true; return true;
%} %}
@ -51,7 +51,7 @@ refine flow RFB_Flow += {
auto vec_ptr = ${msg.name}; auto vec_ptr = ${msg.name};
auto name_ptr = &((*vec_ptr)[0]); auto name_ptr = &((*vec_ptr)[0]);
zeek::BifEvent::enqueue_rfb_server_parameters( zeek::BifEvent::enqueue_rfb_server_parameters(
connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
zeek::make_intrusive<zeek::StringVal>(${msg.name}->size(), (const char*)name_ptr), zeek::make_intrusive<zeek::StringVal>(${msg.name}->size(), (const char*)name_ptr),
${msg.width}, ${msg.width},
${msg.height}); ${msg.height});
@ -62,7 +62,7 @@ refine flow RFB_Flow += {
function proc_handle_security_result(result : uint32) : bool function proc_handle_security_result(result : uint32) : bool
%{ %{
if ( rfb_auth_result ) if ( rfb_auth_result )
zeek::BifEvent::enqueue_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result); zeek::BifEvent::enqueue_rfb_auth_result(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), result);
return true; return true;
%} %}
}; };
@ -181,7 +181,7 @@ refine connection RFB_Conn += {
else else
{ {
// Shouldn't be a possible. // Shouldn't be a possible.
bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB security type %u", msg->sectype())); zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB security type %u", msg->sectype()));
} }
return true; return true;
@ -235,7 +235,7 @@ refine connection RFB_Conn += {
} }
else else
{ {
bro_analyzer()->ProtocolViolation(zeek::util::fmt("unknown RFB auth selection: %u", ${msg.type})); zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unknown RFB auth selection: %u", ${msg.type}));
} }
return true; return true;
@ -277,7 +277,7 @@ refine connection RFB_Conn += {
// Failed // Failed
server_state = SERVER_AUTH_FAILURE; server_state = SERVER_AUTH_FAILURE;
else else
bro_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB auth result: %u", ${msg.result})); zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB auth result: %u", ${msg.result}));
return true; return true;
%} %}

4
src/analyzer/protocol/rfb/rfb.pac
View file

@ -3,7 +3,7 @@
# - rfb-analyzer.pac: describes the rfb analyzer code # - rfb-analyzer.pac: describes the rfb analyzer code
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "events.bif.h" #include "events.bif.h"
@ -15,7 +15,7 @@ analyzer RFB withcontext {
}; };
# Our connection consists of two flows, one in each direction. # Our connection consists of two flows, one in each direction.
connection RFB_Conn(bro_analyzer: BroAnalyzer) { connection RFB_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = RFB_Flow(true); upflow = RFB_Flow(true);
downflow = RFB_Flow(false); downflow = RFB_Flow(false);
}; };

18
src/analyzer/protocol/sip/sip-analyzer.pac
View file

@ -20,7 +20,7 @@ refine flow SIP_Flow += {
%{ %{
if ( sip_request ) if ( sip_request )
{ {
zeek::BifEvent::enqueue_sip_request(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), zeek::BifEvent::enqueue_sip_request(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
to_stringval(method), to_stringval(uri), to_stringval(method), to_stringval(uri),
to_stringval(${vers.vers_str})); to_stringval(${vers.vers_str}));
} }
@ -32,10 +32,10 @@ refine flow SIP_Flow += {
function proc_sip_reply(vers: SIP_Version, code: int, reason: bytestring): bool function proc_sip_reply(vers: SIP_Version, code: int, reason: bytestring): bool
%{ %{
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->zeek_analyzer()->ProtocolConfirmation();
if ( sip_reply ) if ( sip_reply )
{ {
zeek::BifEvent::enqueue_sip_reply(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), zeek::BifEvent::enqueue_sip_reply(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
to_stringval(${vers.vers_str}), code, to_stringval(reason)); to_stringval(${vers.vers_str}), code, to_stringval(reason));
} }
@ -53,7 +53,7 @@ refine flow SIP_Flow += {
{ {
auto nameval = to_stringval(name); auto nameval = to_stringval(name);
nameval->ToUpper(); nameval->ToUpper();
zeek::BifEvent::enqueue_sip_header(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), zeek::BifEvent::enqueue_sip_header(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
is_orig(), std::move(nameval), to_stringval(value)); is_orig(), std::move(nameval), to_stringval(value));
} }
@ -65,7 +65,7 @@ refine flow SIP_Flow += {
return true; return true;
%} %}
function build_sip_headers_val(): BroVal function build_sip_headers_val(): ZeekVal
%{ %{
static auto mime_header_list = zeek::id::find_type<zeek::TableType>("mime_header_list"); static auto mime_header_list = zeek::id::find_type<zeek::TableType>("mime_header_list");
auto* t = new zeek::TableVal(mime_header_list); auto* t = new zeek::TableVal(mime_header_list);
@ -83,7 +83,7 @@ refine flow SIP_Flow += {
%{ %{
if ( sip_all_headers ) if ( sip_all_headers )
{ {
zeek::BifEvent::enqueue_sip_all_headers(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), zeek::BifEvent::enqueue_sip_all_headers(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
is_orig(), {zeek::AdoptRef{}, build_sip_headers_val()}); is_orig(), {zeek::AdoptRef{}, build_sip_headers_val()});
} }
@ -100,7 +100,7 @@ refine flow SIP_Flow += {
return true; return true;
%} %}
function build_sip_header_val(name: const_bytestring, value: const_bytestring): BroVal function build_sip_header_val(name: const_bytestring, value: const_bytestring): ZeekVal
%{ %{
static auto mime_header_rec = zeek::id::find_type<zeek::RecordType>("mime_header_rec"); static auto mime_header_rec = zeek::id::find_type<zeek::RecordType>("mime_header_rec");
auto* header_record = new zeek::RecordVal(mime_header_rec); auto* header_record = new zeek::RecordVal(mime_header_rec);
@ -127,7 +127,7 @@ refine flow SIP_Flow += {
%{ %{
if ( sip_begin_entity ) if ( sip_begin_entity )
{ {
zeek::BifEvent::enqueue_sip_begin_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig()); zeek::BifEvent::enqueue_sip_begin_entity(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), is_orig());
} }
%} %}
@ -135,7 +135,7 @@ refine flow SIP_Flow += {
%{ %{
if ( sip_end_entity ) if ( sip_end_entity )
{ {
zeek::BifEvent::enqueue_sip_end_entity(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig()); zeek::BifEvent::enqueue_sip_end_entity(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(), is_orig());
} }
return true; return true;

4
src/analyzer/protocol/sip/sip.pac
View file

@ -2,7 +2,7 @@
# Based heavily on the HTTP BinPAC analyzer # Based heavily on the HTTP BinPAC analyzer
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "events.bif.h" #include "events.bif.h"
@ -13,7 +13,7 @@ analyzer SIP withcontext {
flow: SIP_Flow; flow: SIP_Flow;
}; };
connection SIP_Conn(bro_analyzer: BroAnalyzer) { connection SIP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = SIP_Flow(true); upflow = SIP_Flow(true);
downflow = SIP_Flow(false); downflow = SIP_Flow(false);
}; };

4
src/analyzer/protocol/sip/sip_TCP.pac
View file

@ -5,7 +5,7 @@
# activated. We don't yet support SIP-over-TCP. # activated. We don't yet support SIP-over-TCP.
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "events.bif.h" #include "events.bif.h"
@ -16,7 +16,7 @@ analyzer SIP_TCP withcontext {
flow: SIP_Flow; flow: SIP_Flow;
}; };
connection SIP_Conn(bro_analyzer: BroAnalyzer) { connection SIP_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = SIP_Flow(true); upflow = SIP_Flow(true);
downflow = SIP_Flow(false); downflow = SIP_Flow(false);
}; };

4
src/analyzer/protocol/smb/smb-gssapi.pac
View file

@ -27,10 +27,10 @@ refine connection SMB_Conn += {
function forward_gssapi(data: bytestring, is_orig: bool): bool function forward_gssapi(data: bytestring, is_orig: bool): bool
%{ %{
if ( ! gssapi ) if ( ! gssapi )
gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("GSSAPI", bro_analyzer()->Conn()); gssapi = zeek::analyzer_mgr->InstantiateAnalyzer("GSSAPI", zeek_analyzer()->Conn());
if ( ! ntlm ) if ( ! ntlm )
ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); ntlm = zeek::analyzer_mgr->InstantiateAnalyzer("NTLM", zeek_analyzer()->Conn());
// SMB allows raw NTLM instead of GSSAPI in certain messages. // SMB allows raw NTLM instead of GSSAPI in certain messages.
// We check if this is the case and run the NTLM analyzer directly. // We check if this is the case and run the NTLM analyzer directly.

2
src/analyzer/protocol/smb/smb-pipe.pac
View file

@ -49,7 +49,7 @@ refine connection SMB_Conn += {
if ( it == fid_to_analyzer_map.end() ) if ( it == fid_to_analyzer_map.end() )
{ {
auto tmp_analyzer = zeek::analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer()->Conn()); auto tmp_analyzer = zeek::analyzer_mgr->InstantiateAnalyzer("DCE_RPC", zeek_analyzer()->Conn());
pipe_dcerpc = static_cast<zeek::analyzer::dce_rpc::DCE_RPC_Analyzer *>(tmp_analyzer); pipe_dcerpc = static_cast<zeek::analyzer::dce_rpc::DCE_RPC_Analyzer *>(tmp_analyzer);
if ( pipe_dcerpc ) if ( pipe_dcerpc )

4
src/analyzer/protocol/smb/smb-strings.pac
View file

@ -1,5 +1,5 @@
%extern{ %extern{
#include "binpac_bro.h" #include "binpac_zeek.h"
%} %}
%code{ %code{
@ -12,7 +12,7 @@ zeek::StringValPtr binpac::SMB::SMB_Conn::uint8s_to_stringval(std::vector<uint8_
buf[i] = (*data)[i]; buf[i] = (*data)[i];
const bytestring bs = bytestring(buf.get(), length); const bytestring bs = bytestring(buf.get(), length);
return utf16_to_utf8_val(bro_analyzer()->Conn(), bs); return utf16_to_utf8_val(zeek_analyzer()->Conn(), bs);
} }
zeek::StringValPtr binpac::SMB::SMB_Conn::extract_string(SMB_string* s) zeek::StringValPtr binpac::SMB::SMB_Conn::extract_string(SMB_string* s)

14
src/analyzer/protocol/smb/smb-time.pac
View file

@ -1,5 +1,5 @@
%header{ %header{
zeek::ValPtr filetime2brotime(uint64_t ts); zeek::ValPtr filetime2zeektime(uint64_t ts);
zeek::ValPtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz); zeek::ValPtr time_from_lanman(SMB_time* t, SMB_date* d, uint16_t tz);
zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access, zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,
@ -7,9 +7,9 @@ zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,
%} %}
%code{ %code{
zeek::ValPtr filetime2brotime(uint64_t ts) zeek::ValPtr filetime2zeektime(uint64_t ts)
{ {
// Bro can't support times back to the 1600's // Zeek can't support times back to the 1600's
// so we subtract a lot of seconds. // so we subtract a lot of seconds.
double secs = (ts / 10000000.0L) - 11644473600.0L; double secs = (ts / 10000000.0L) - 11644473600.0L;
return zeek::make_intrusive<zeek::TimeVal>(secs); return zeek::make_intrusive<zeek::TimeVal>(secs);
@ -33,10 +33,10 @@ zeek::RecordValPtr SMB_BuildMACTimes(uint64_t modify, uint64_t access,
uint64_t create, uint64_t change) uint64_t create, uint64_t change)
{ {
auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB::MACTimes); auto r = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB::MACTimes);
r->Assign(0, filetime2brotime(modify)); r->Assign(0, filetime2zeektime(modify));
r->Assign(1, filetime2brotime(access)); r->Assign(1, filetime2zeektime(access));
r->Assign(2, filetime2brotime(create)); r->Assign(2, filetime2zeektime(create));
r->Assign(3, filetime2brotime(change)); r->Assign(3, filetime2zeektime(change));
return r; return r;
} }
%} %}

4
src/analyzer/protocol/smb/smb.pac
View file

@ -1,5 +1,5 @@
%include binpac.pac %include binpac.pac
%include bro.pac %include zeek.pac
%extern{ %extern{
#include "analyzer/Manager.h" #include "analyzer/Manager.h"
@ -48,7 +48,7 @@ analyzer SMB withcontext {
flow: SMB_Flow; flow: SMB_Flow;
}; };
connection SMB_Conn(bro_analyzer: BroAnalyzer) { connection SMB_Conn(zeek_analyzer: ZeekAnalyzer) {
upflow = SMB_Flow(true); upflow = SMB_Flow(true);
downflow = SMB_Flow(false); downflow = SMB_Flow(false);
}; };

8
src/analyzer/protocol/smb/smb1-com-check-directory.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_check_directory_request(header: SMB_Header, val: SMB1_check_directory_request): bool function proc_smb1_check_directory_request(header: SMB_Header, val: SMB1_check_directory_request): bool
%{ %{
if ( smb1_check_directory_request ) if ( smb1_check_directory_request )
zeek::BifEvent::enqueue_smb1_check_directory_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_check_directory_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
smb_string2stringval(${val.directory_name})); smb_string2stringval(${val.directory_name}));
return true; return true;
@ -13,8 +13,8 @@ refine connection SMB_Conn += {
function proc_smb1_check_directory_response(header: SMB_Header, val: SMB1_check_directory_response): bool function proc_smb1_check_directory_response(header: SMB_Header, val: SMB1_check_directory_response): bool
%{ %{
if ( smb1_check_directory_response ) if ( smb1_check_directory_response )
zeek::BifEvent::enqueue_smb1_check_directory_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_check_directory_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header)); SMBHeaderVal(header));
return true; return true;
%} %}

8
src/analyzer/protocol/smb/smb1-com-close.pac
View file

@ -3,13 +3,13 @@ refine connection SMB_Conn += {
function proc_smb1_close_request(h: SMB_Header, val: SMB1_close_request): bool function proc_smb1_close_request(h: SMB_Header, val: SMB1_close_request): bool
%{ %{
if ( smb1_close_request ) if ( smb1_close_request )
zeek::BifEvent::enqueue_smb1_close_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_close_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(h), SMBHeaderVal(h),
${val.file_id}); ${val.file_id});
zeek::file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), zeek::file_mgr->EndOfFile(zeek_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig()); zeek_analyzer()->Conn(), h->is_orig());
return true; return true;
%} %}

7
src/analyzer/protocol/smb/smb1-com-create-directory.pac
View file

@ -3,7 +3,7 @@ refine connection SMB_Conn += {
function proc_smb1_create_directory_request(header: SMB_Header, val: SMB1_create_directory_request): bool function proc_smb1_create_directory_request(header: SMB_Header, val: SMB1_create_directory_request): bool
%{ %{
if ( smb1_create_directory_request ) if ( smb1_create_directory_request )
zeek::BifEvent::enqueue_smb1_create_directory_request(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_smb1_create_directory_request(zeek_analyzer(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
smb_string2stringval(${val.directory_name})); smb_string2stringval(${val.directory_name}));
return true; return true;
@ -11,8 +11,8 @@ refine connection SMB_Conn += {
function proc_smb1_create_directory_response(header: SMB_Header, val: SMB1_create_directory_response): bool function proc_smb1_create_directory_response(header: SMB_Header, val: SMB1_create_directory_response): bool
%{ %{
if ( smb1_create_directory_response ) if ( smb1_create_directory_response )
zeek::BifEvent::enqueue_smb1_create_directory_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_create_directory_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header)); SMBHeaderVal(header));
return true; return true;
%} %}
@ -34,4 +34,3 @@ type SMB1_create_directory_response(header: SMB_Header) = record {
} &let { } &let {
proc : bool = $context.connection.proc_smb1_create_directory_response(header, this); proc : bool = $context.connection.proc_smb1_create_directory_response(header, this);
}; };

5
src/analyzer/protocol/smb/smb1-com-echo.pac
View file

@ -3,7 +3,7 @@ refine connection SMB_Conn += {
function proc_smb1_echo_request(header: SMB_Header, val: SMB1_echo_request): bool function proc_smb1_echo_request(header: SMB_Header, val: SMB1_echo_request): bool
%{ %{
if ( smb1_echo_request ) if ( smb1_echo_request )
zeek::BifEvent::enqueue_smb1_echo_request(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_smb1_echo_request(zeek_analyzer(), zeek_analyzer()->Conn(),
${val.echo_count}, to_stringval(${val.data})); ${val.echo_count}, to_stringval(${val.data}));
return true; return true;
%} %}
@ -11,7 +11,7 @@ refine connection SMB_Conn += {
function proc_smb1_echo_response(header: SMB_Header, val: SMB1_echo_response): bool function proc_smb1_echo_response(header: SMB_Header, val: SMB1_echo_response): bool
%{ %{
if ( smb1_echo_response ) if ( smb1_echo_response )
zeek::BifEvent::enqueue_smb1_echo_response(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_smb1_echo_response(zeek_analyzer(), zeek_analyzer()->Conn(),
${val.seq_num}, to_stringval(${val.data})); ${val.seq_num}, to_stringval(${val.data}));
return true; return true;
%} %}
@ -40,4 +40,3 @@ type SMB1_echo_response(header: SMB_Header) = record {
} &let { } &let {
proc : bool = $context.connection.proc_smb1_echo_response(header, this); proc : bool = $context.connection.proc_smb1_echo_response(header, this);
}; };

2
src/analyzer/protocol/smb/smb1-com-logoff-andx.pac
View file

@ -3,7 +3,7 @@ refine connection SMB_Conn += {
function proc_smb1_logoff_andx(header: SMB_Header, val: SMB1_logoff_andx): bool function proc_smb1_logoff_andx(header: SMB_Header, val: SMB1_logoff_andx): bool
%{ %{
if ( smb1_logoff_andx ) if ( smb1_logoff_andx )
zeek::BifEvent::enqueue_smb1_logoff_andx(bro_analyzer(), bro_analyzer()->Conn(), ${val.is_orig}); zeek::BifEvent::enqueue_smb1_logoff_andx(zeek_analyzer(), zeek_analyzer()->Conn(), ${val.is_orig});
return true; return true;
%} %}

8
src/analyzer/protocol/smb/smb1-com-negotiate.pac
View file

@ -23,7 +23,7 @@ refine connection SMB_Conn += {
dialects->Assign(i, std::move(dia)); dialects->Assign(i, std::move(dia));
} }
zeek::BifEvent::enqueue_smb1_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_smb1_negotiate_request(zeek_analyzer(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
std::move(dialects)); std::move(dialects));
} }
@ -119,7 +119,7 @@ refine connection SMB_Conn += {
ntlm->Assign(6, zeek::val_mgr->Count(${val.ntlm.max_raw_size})); ntlm->Assign(6, zeek::val_mgr->Count(${val.ntlm.max_raw_size}));
ntlm->Assign(7, zeek::val_mgr->Count(${val.ntlm.session_key})); ntlm->Assign(7, zeek::val_mgr->Count(${val.ntlm.session_key}));
ntlm->Assign(8, std::move(capabilities)); ntlm->Assign(8, std::move(capabilities));
ntlm->Assign(9, filetime2brotime(${val.ntlm.server_time})); ntlm->Assign(9, filetime2zeektime(${val.ntlm.server_time}));
if ( ${val.ntlm.capabilities_extended_security} == false ) if ( ${val.ntlm.capabilities_extended_security} == false )
{ {
@ -135,8 +135,8 @@ refine connection SMB_Conn += {
} }
break; break;
} }
zeek::BifEvent::enqueue_smb1_negotiate_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_negotiate_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
std::move(response)); std::move(response));
} }

4
src/analyzer/protocol/smb/smb1-com-nt-cancel.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_nt_cancel_request(header: SMB_Header, val: SMB1_nt_cancel_request): bool function proc_smb1_nt_cancel_request(header: SMB_Header, val: SMB1_nt_cancel_request): bool
%{ %{
if ( smb1_nt_cancel_request ) if ( smb1_nt_cancel_request )
zeek::BifEvent::enqueue_smb1_nt_cancel_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_nt_cancel_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header)); SMBHeaderVal(header));
return true; return true;
%} %}

12
src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
View file

@ -9,14 +9,14 @@ refine connection SMB_Conn += {
set_tree_is_pipe(${header.tid}); set_tree_is_pipe(${header.tid});
if ( smb_pipe_connect_heuristic ) if ( smb_pipe_connect_heuristic )
zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(bro_analyzer(), zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(zeek_analyzer(),
bro_analyzer()->Conn()); zeek_analyzer()->Conn());
} }
if ( smb1_nt_create_andx_request ) if ( smb1_nt_create_andx_request )
{ {
zeek::BifEvent::enqueue_smb1_nt_create_andx_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_nt_create_andx_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
std::move(filename)); std::move(filename));
} }
@ -28,8 +28,8 @@ refine connection SMB_Conn += {
%{ %{
if ( smb1_nt_create_andx_response ) if ( smb1_nt_create_andx_response )
{ {
zeek::BifEvent::enqueue_smb1_nt_create_andx_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_nt_create_andx_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
${val.file_id}, ${val.file_id},
${val.end_of_file}, ${val.end_of_file},

5
src/analyzer/protocol/smb/smb1-com-query-information.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_query_information_request(header: SMB_Header, val: SMB1_query_information_request): bool function proc_smb1_query_information_request(header: SMB_Header, val: SMB1_query_information_request): bool
%{ %{
if ( smb1_query_information_request ) if ( smb1_query_information_request )
zeek::BifEvent::enqueue_smb1_query_information_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_query_information_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
smb_string2stringval(${val.filename})); smb_string2stringval(${val.filename}));
return true; return true;
@ -38,4 +38,3 @@ type SMB1_query_information_response(header: SMB_Header) = record {
} &let { } &let {
proc : bool = $context.connection.proc_smb1_query_information_response(header, this); proc : bool = $context.connection.proc_smb1_query_information_response(header, this);
}; };

12
src/analyzer/protocol/smb/smb1-com-read-andx.pac
View file

@ -9,8 +9,8 @@ refine connection SMB_Conn += {
function proc_smb1_read_andx_request(h: SMB_Header, val: SMB1_read_andx_request): bool function proc_smb1_read_andx_request(h: SMB_Header, val: SMB1_read_andx_request): bool
%{ %{
if ( smb1_read_andx_request ) if ( smb1_read_andx_request )
zeek::BifEvent::enqueue_smb1_read_andx_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_read_andx_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(h), SMBHeaderVal(h),
${val.file_id}, ${val.file_id},
${val.read_offset}, ${val.read_offset},
@ -23,8 +23,8 @@ refine connection SMB_Conn += {
function proc_smb1_read_andx_response(h: SMB_Header, val: SMB1_read_andx_response): bool function proc_smb1_read_andx_response(h: SMB_Header, val: SMB1_read_andx_response): bool
%{ %{
if ( smb1_read_andx_response ) if ( smb1_read_andx_response )
zeek::BifEvent::enqueue_smb1_read_andx_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_read_andx_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(h), SMBHeaderVal(h),
${val.data_len}); ${val.data_len});
@ -34,8 +34,8 @@ refine connection SMB_Conn += {
read_offsets.erase(${h.mid}); read_offsets.erase(${h.mid});
zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset, zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset,
bro_analyzer()->GetAnalyzerTag(), zeek_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig()); zeek_analyzer()->Conn(), h->is_orig());
} }
return true; return true;

8
src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
View file

@ -78,8 +78,8 @@ refine connection SMB_Conn += {
break; break;
} }
zeek::BifEvent::enqueue_smb1_session_setup_andx_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_session_setup_andx_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
std::move(request)); std::move(request));
} }
@ -112,8 +112,8 @@ refine connection SMB_Conn += {
break; break;
} }
zeek::BifEvent::enqueue_smb1_session_setup_andx_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_session_setup_andx_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
std::move(response)); std::move(response));
} }

4
src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac
View file

@ -45,8 +45,8 @@ refine connection SMB_Conn += {
payload_str = zeek::val_mgr->EmptyString(); payload_str = zeek::val_mgr->EmptyString();
} }
zeek::BifEvent::enqueue_smb1_transaction_secondary_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_transaction_secondary_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
std::move(args), std::move(args),
std::move(parameters), std::move(parameters),

8
src/analyzer/protocol/smb/smb1-com-transaction.pac
View file

@ -62,8 +62,8 @@ refine connection SMB_Conn += {
else else
payload_str = zeek::val_mgr->EmptyString(); payload_str = zeek::val_mgr->EmptyString();
zeek::BifEvent::enqueue_smb1_transaction_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_transaction_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
smb_string2stringval(${val.name}), smb_string2stringval(${val.name}),
${val.sub_cmd}, ${val.sub_cmd},
@ -87,8 +87,8 @@ refine connection SMB_Conn += {
else else
payload_str = zeek::val_mgr->EmptyString(); payload_str = zeek::val_mgr->EmptyString();
zeek::BifEvent::enqueue_smb1_transaction_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_transaction_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
std::move(parameters), std::move(parameters),
std::move(payload_str)); std::move(payload_str));

4
src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
View file

@ -19,8 +19,8 @@ refine connection SMB_Conn += {
auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(), (const char*)${val.parameters}.data()); auto parameters = zeek::make_intrusive<zeek::StringVal>(${val.parameters}.length(), (const char*)${val.parameters}.data());
auto payload = zeek::make_intrusive<zeek::StringVal>(${val.data}.length(), (const char*)${val.data}.data()); auto payload = zeek::make_intrusive<zeek::StringVal>(${val.data}.length(), (const char*)${val.data}.data());
zeek::BifEvent::enqueue_smb1_transaction2_secondary_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_transaction2_secondary_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
std::move(args), std::move(args),
std::move(parameters), std::move(parameters),

19
src/analyzer/protocol/smb/smb1-com-transaction2.pac
View file

@ -38,8 +38,8 @@ refine connection SMB_Conn += {
args->Assign(10, zeek::val_mgr->Count(${val.data_offset})); args->Assign(10, zeek::val_mgr->Count(${val.data_offset}));
args->Assign(11, zeek::val_mgr->Count(${val.setup_count})); args->Assign(11, zeek::val_mgr->Count(${val.setup_count}));
zeek::BifEvent::enqueue_smb1_transaction2_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_transaction2_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
std::move(args), std::move(args),
${val.sub_cmd}); ${val.sub_cmd});
@ -51,7 +51,7 @@ refine connection SMB_Conn += {
function proc_smb1_transaction2_response(header: SMB_Header, val: SMB1_transaction2_response): bool function proc_smb1_transaction2_response(header: SMB_Header, val: SMB1_transaction2_response): bool
%{ %{
//if ( smb1_transaction2_response ) //if ( smb1_transaction2_response )
// zeek::BifEvent::enqueue_smb1_transaction2_response(bro_analyzer(), bro_analyzer()->Conn(), SMBHeaderVal(header), ${val.sub_cmd}); // zeek::BifEvent::enqueue_smb1_transaction2_response(zeek_analyzer(), zeek_analyzer()->Conn(), SMBHeaderVal(header), ${val.sub_cmd});
return true; return true;
%} %}
@ -138,8 +138,8 @@ refine connection SMB_Conn += {
result->Assign(3, zeek::val_mgr->Count(${val.info_level})); result->Assign(3, zeek::val_mgr->Count(${val.info_level}));
result->Assign(4, zeek::val_mgr->Count(${val.search_storage_type})); result->Assign(4, zeek::val_mgr->Count(${val.search_storage_type}));
result->Assign(5, smb_string2stringval(${val.file_name})); result->Assign(5, smb_string2stringval(${val.file_name}));
zeek::BifEvent::enqueue_smb1_trans2_find_first2_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_trans2_find_first2_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
std::move(result)); std::move(result));
@ -217,11 +217,10 @@ refine connection SMB_Conn += {
%{ %{
if ( smb1_trans2_query_path_info_request ) if ( smb1_trans2_query_path_info_request )
{ {
zeek::BifEvent::enqueue_smb1_trans2_query_path_info_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_trans2_query_path_info_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
smb_string2stringval(${val.file_name})); smb_string2stringval(${val.file_name}));
} }
return true; return true;
%} %}
@ -322,8 +321,8 @@ refine connection SMB_Conn += {
%{ %{
if ( smb1_trans2_get_dfs_referral_request ) if ( smb1_trans2_get_dfs_referral_request )
{ {
zeek::BifEvent::enqueue_smb1_trans2_get_dfs_referral_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_trans2_get_dfs_referral_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
smb_string2stringval(${val.file_name})); smb_string2stringval(${val.file_name}));
} }

8
src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_tree_connect_andx_request(header: SMB_Header, val: SMB1_tree_connect_andx_request): bool function proc_smb1_tree_connect_andx_request(header: SMB_Header, val: SMB1_tree_connect_andx_request): bool
%{ %{
if ( smb1_tree_connect_andx_request ) if ( smb1_tree_connect_andx_request )
zeek::BifEvent::enqueue_smb1_tree_connect_andx_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_tree_connect_andx_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
smb_string2stringval(${val.path}), smb_string2stringval(${val.path}),
smb_string2stringval(${val.service})); smb_string2stringval(${val.service}));
@ -20,8 +20,8 @@ refine connection SMB_Conn += {
set_tree_is_pipe(${header.tid}); set_tree_is_pipe(${header.tid});
if ( smb1_tree_connect_andx_response ) if ( smb1_tree_connect_andx_response )
zeek::BifEvent::enqueue_smb1_tree_connect_andx_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_tree_connect_andx_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
std::move(service_string), std::move(service_string),
${val.byte_count} > ${val.service.a}->size() ? ${val.byte_count} > ${val.service.a}->size() ?

4
src/analyzer/protocol/smb/smb1-com-tree-disconnect.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_tree_disconnect(header: SMB_Header, val: SMB1_tree_disconnect): bool function proc_smb1_tree_disconnect(header: SMB_Header, val: SMB1_tree_disconnect): bool
%{ %{
if ( smb1_tree_disconnect ) if ( smb1_tree_disconnect )
zeek::BifEvent::enqueue_smb1_tree_disconnect(bro_analyzer(), zeek::BifEvent::enqueue_smb1_tree_disconnect(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header), SMBHeaderVal(header),
${val.is_orig}); ${val.is_orig});
return true; return true;

12
src/analyzer/protocol/smb/smb1-com-write-andx.pac
View file

@ -3,8 +3,8 @@ refine connection SMB_Conn += {
function proc_smb1_write_andx_request(h: SMB_Header, val: SMB1_write_andx_request): bool function proc_smb1_write_andx_request(h: SMB_Header, val: SMB1_write_andx_request): bool
%{ %{
if ( smb1_write_andx_request ) if ( smb1_write_andx_request )
zeek::BifEvent::enqueue_smb1_write_andx_request(bro_analyzer(), zeek::BifEvent::enqueue_smb1_write_andx_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(h), SMBHeaderVal(h),
${val.file_id}, ${val.file_id},
${val.write_offset}, ${val.write_offset},
@ -14,8 +14,8 @@ refine connection SMB_Conn += {
{ {
zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(), zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(),
${val.write_offset}, ${val.write_offset},
bro_analyzer()->GetAnalyzerTag(), zeek_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig()); zeek_analyzer()->Conn(), h->is_orig());
} }
return true; return true;
@ -24,8 +24,8 @@ refine connection SMB_Conn += {
function proc_smb1_write_andx_response(h: SMB_Header, val: SMB1_write_andx_response): bool function proc_smb1_write_andx_response(h: SMB_Header, val: SMB1_write_andx_response): bool
%{ %{
if ( smb1_write_andx_response ) if ( smb1_write_andx_response )
zeek::BifEvent::enqueue_smb1_write_andx_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_write_andx_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(h), SMBHeaderVal(h),
${val.written_bytes}); ${val.written_bytes});

14
src/analyzer/protocol/smb/smb1-protocol.pac
View file

@ -43,7 +43,7 @@ refine connection SMB_Conn += {
%{ %{
if ( smb1_message ) if ( smb1_message )
{ {
zeek::BifEvent::enqueue_smb1_message(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_smb1_message(zeek_analyzer(), zeek_analyzer()->Conn(),
SMBHeaderVal(h), SMBHeaderVal(h),
is_orig); is_orig);
} }
@ -54,8 +54,8 @@ refine connection SMB_Conn += {
%{ %{
if ( smb1_empty_response ) if ( smb1_empty_response )
{ {
zeek::BifEvent::enqueue_smb1_empty_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_empty_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(header)); SMBHeaderVal(header));
} }
return true; return true;
@ -67,16 +67,16 @@ refine connection SMB_Conn += {
{ {
if ( smb1_empty_response ) if ( smb1_empty_response )
{ {
zeek::BifEvent::enqueue_smb1_empty_response(bro_analyzer(), zeek::BifEvent::enqueue_smb1_empty_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(h)); SMBHeaderVal(h));
} }
} }
else else
{ {
if ( smb1_error ) if ( smb1_error )
zeek::BifEvent::enqueue_smb1_error(bro_analyzer(), zeek::BifEvent::enqueue_smb1_error(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
SMBHeaderVal(h), is_orig); SMBHeaderVal(h), is_orig);
} }
return true; return true;

14
src/analyzer/protocol/smb/smb2-com-close.pac
View file

@ -4,14 +4,14 @@ refine connection SMB_Conn += {
%{ %{
if ( smb2_close_request ) if ( smb2_close_request )
{ {
zeek::BifEvent::enqueue_smb2_close_request(bro_analyzer(), zeek::BifEvent::enqueue_smb2_close_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id})); BuildSMB2GUID(${val.file_id}));
} }
zeek::file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), zeek::file_mgr->EndOfFile(zeek_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig()); zeek_analyzer()->Conn(), h->is_orig());
return true; return true;
%} %}
@ -28,10 +28,10 @@ refine connection SMB_Conn += {
${val.last_access_time}, ${val.last_access_time},
${val.creation_time}, ${val.creation_time},
${val.change_time})); ${val.change_time}));
resp->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs})); resp->Assign(3, smb2_file_attrs_to_zeek(${val.file_attrs}));
zeek::BifEvent::enqueue_smb2_close_response(bro_analyzer(), zeek::BifEvent::enqueue_smb2_close_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
std::move(resp)); std::move(resp));
} }

14
src/analyzer/protocol/smb/smb2-com-create.pac
View file

@ -10,8 +10,8 @@ refine connection SMB_Conn += {
set_tree_is_pipe(${h.tree_id}); set_tree_is_pipe(${h.tree_id});
if ( smb_pipe_connect_heuristic ) if ( smb_pipe_connect_heuristic )
zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(bro_analyzer(), zeek::BifEvent::enqueue_smb_pipe_connect_heuristic(zeek_analyzer(),
bro_analyzer()->Conn()); zeek_analyzer()->Conn());
} }
if ( smb2_create_request ) if ( smb2_create_request )
@ -20,8 +20,8 @@ refine connection SMB_Conn += {
requestinfo->Assign(0, std::move(filename)); requestinfo->Assign(0, std::move(filename));
requestinfo->Assign(1, zeek::val_mgr->Count(${val.disposition})); requestinfo->Assign(1, zeek::val_mgr->Count(${val.disposition}));
requestinfo->Assign(2, zeek::val_mgr->Count(${val.create_options})); requestinfo->Assign(2, zeek::val_mgr->Count(${val.create_options}));
zeek::BifEvent::enqueue_smb2_create_request(bro_analyzer(), zeek::BifEvent::enqueue_smb2_create_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
std::move(requestinfo)); std::move(requestinfo));
} }
@ -40,10 +40,10 @@ refine connection SMB_Conn += {
${val.last_access_time}, ${val.last_access_time},
${val.creation_time}, ${val.creation_time},
${val.change_time})); ${val.change_time}));
responseinfo->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs})); responseinfo->Assign(3, smb2_file_attrs_to_zeek(${val.file_attrs}));
responseinfo->Assign(4, zeek::val_mgr->Count(${val.create_action})); responseinfo->Assign(4, zeek::val_mgr->Count(${val.create_action}));
zeek::BifEvent::enqueue_smb2_create_response(bro_analyzer(), zeek::BifEvent::enqueue_smb2_create_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
std::move(responseinfo)); std::move(responseinfo));
} }

8
src/analyzer/protocol/smb/smb2-com-negotiate.pac
View file

@ -27,7 +27,7 @@ refine connection SMB_Conn += {
for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i ) for ( unsigned int i = 0; i < ${val.dialects}->size(); ++i )
dialects->Assign(i, zeek::val_mgr->Count((*${val.dialects})[i])); dialects->Assign(i, zeek::val_mgr->Count((*${val.dialects})[i]));
zeek::BifEvent::enqueue_smb2_negotiate_request(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_smb2_negotiate_request(zeek_analyzer(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
std::move(dialects)); std::move(dialects));
} }
@ -44,8 +44,8 @@ refine connection SMB_Conn += {
nr->Assign(0, zeek::val_mgr->Count(${val.dialect_revision})); nr->Assign(0, zeek::val_mgr->Count(${val.dialect_revision}));
nr->Assign(1, zeek::val_mgr->Count(${val.security_mode})); nr->Assign(1, zeek::val_mgr->Count(${val.security_mode}));
nr->Assign(2, BuildSMB2GUID(${val.server_guid})); nr->Assign(2, BuildSMB2GUID(${val.server_guid}));
nr->Assign(3, filetime2brotime(${val.system_time})); nr->Assign(3, filetime2zeektime(${val.system_time}));
nr->Assign(4, filetime2brotime(${val.server_start_time})); nr->Assign(4, filetime2zeektime(${val.server_start_time}));
nr->Assign(5, zeek::val_mgr->Count(${val.negotiate_context_count})); nr->Assign(5, zeek::val_mgr->Count(${val.negotiate_context_count}));
auto cv = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::SMB2::NegotiateContextValues); auto cv = zeek::make_intrusive<zeek::VectorVal>(zeek::BifType::Vector::SMB2::NegotiateContextValues);
@ -60,7 +60,7 @@ refine connection SMB_Conn += {
nr->Assign(6, std::move(cv)); nr->Assign(6, std::move(cv));
zeek::BifEvent::enqueue_smb2_negotiate_response(bro_analyzer(), bro_analyzer()->Conn(), zeek::BifEvent::enqueue_smb2_negotiate_response(zeek_analyzer(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
std::move(nr)); std::move(nr));
} }

8
src/analyzer/protocol/smb/smb2-com-read.pac
View file

@ -26,8 +26,8 @@ refine connection SMB_Conn += {
%{ %{
if ( smb2_read_request ) if ( smb2_read_request )
{ {
zeek::BifEvent::enqueue_smb2_read_request(bro_analyzer(), zeek::BifEvent::enqueue_smb2_read_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
BuildSMB2GUID(${val.file_id}), BuildSMB2GUID(${val.file_id}),
${val.offset}, ${val.offset},
@ -51,8 +51,8 @@ refine connection SMB_Conn += {
if ( ! ${h.is_pipe} && ${val.data_len} > 0 ) if ( ! ${h.is_pipe} && ${val.data_len} > 0 )
{ {
zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset, zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset,
bro_analyzer()->GetAnalyzerTag(), zeek_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), h->is_orig()); zeek_analyzer()->Conn(), h->is_orig());
} }
return true; return true;

8
src/analyzer/protocol/smb/smb2-com-session-setup.pac
View file

@ -7,8 +7,8 @@ refine connection SMB_Conn += {
auto req = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupRequest); auto req = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupRequest);
req->Assign(0, zeek::val_mgr->Count(${val.security_mode})); req->Assign(0, zeek::val_mgr->Count(${val.security_mode}));
zeek::BifEvent::enqueue_smb2_session_setup_request(bro_analyzer(), zeek::BifEvent::enqueue_smb2_session_setup_request(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
std::move(req)); std::move(req));
} }
@ -28,8 +28,8 @@ refine connection SMB_Conn += {
auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupResponse); auto resp = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::SMB2::SessionSetupResponse);
resp->Assign(0, std::move(flags)); resp->Assign(0, std::move(flags));
zeek::BifEvent::enqueue_smb2_session_setup_response(bro_analyzer(), zeek::BifEvent::enqueue_smb2_session_setup_response(zeek_analyzer(),
bro_analyzer()->Conn(), zeek_analyzer()->Conn(),
BuildSMB2HeaderVal(h), BuildSMB2HeaderVal(h),
std::move(resp)); std::move(resp));
} }

Some files were not shown because too many files have changed in this diff Show more