Passing nullptr sessions to AnalyzerConfirmation and AnalyzerViolation
of protocol analyzers previously blew up - protect from that.
Related to zeek/spicy-plugin#133.
Add a test parsing a malformed PE file showing that analyzer_violation_info
is raised with the fa_file object set.
It could be interesting to pass through an optional connection if one
exists, but access is provided through f$conns, too.
Introduce two new events for analyzer confirmation and analyzer violation
reporting. The current analyzer_confirmation and analyzer_violation
events assume connection objects and analyzer ids are available which
is not always the case. We're already passing aid=0 for packet analyzers
and there's not currently a way to report violations from file analyzers
using analyzer_violation, for example.
These new events use an extensible Info record approach so that additional
(optional) information can be added later without changing the signature.
It would allow for per analyzer extensions to the info records to pass
analyzer specific info to script land. It's not clear that this would be
a good idea, however.
The previous analyzer_confirmation and analyzer_violation events
continue to exist, but are deprecated and will be removed with Zeek 6.1.
There's a logic error in the packet analyzer's AnalyzerConfirmation()
method that causes analyzer_confirmation() events to be raised for every
packet rather than stopping after the first confirmation which appears to
have been the intention. This affects, for example, VXLAN and Geneve tunnels.
The optional arg_tag parameter was used for short-circuiting, but the return
value of GetAnalyzerTag() was used for setting the session state, causing the
disconnect.
In scenarios where Zeek receives purely tunneled monitoring traffic, this may
result in a non-negligible performance impact.
Somewhat related, ensure the session state is set to violated before
short-circuiting if no analyzer_violations are installed.
Suggesting this as a 5.0.3 candidate.
* topic/awelzel/dpd-ditch-service-negation:
scripts/conn: Open-code determine_service()
Make connection$service_violation a set[string]
strings: Implement join_string_set() as bif
dpd: Replace negated service fmt() magic with dedicated field
...the only known cases where the `-` for `connection$service` was
handled are to skip/ignore these analyzers.
Slight suspicion that join_string_set() should maybe become a bif
now that determine_service() runs once for each connection.
Closes #2388
* origin/topic/timw/2387-cleanup:
Dict: Mark iterator move operator/constructors as noexcept
Remove unused headers from Dict.cc
Dict: Reduce some math required in repeatedly-called functions
Dict: use std::log2, remove custom Log2 method
* 'topic/amazingpp/2384-record-deprecation' of github.com:/AmazingPP/zeek:
Replace all the Warning() calls after IsFieldDeprecated() over to Warn()
Fix deprecation not flagged and incorrect line number in record
* origin/topic/vern/cpp-maint-Sep22:
oof more manual fixups
undo inadvertently committed tweak to test
update for btest only run in some environments
btest tweaks for recent changes
updates to notes for compile-to-C++ maintenance
newly-created btest files
baseline updates for -a cpp alternative (compile-to-C++)
tweak btest so it's recognized as a candidate for C++ compilation testing
split basic "int" btests into main part versus now-separate overflow part
fix deprecated "local" scoping in test scripts
annotated scripts to skip when testing compilation-to-C++
C++ script generation fix for lambdas that have identical bodies
fix for C++ scripts that refer to "opaque" types
C++ compilation support for 2-valued vector "for" loops
C++ compilation support for RE /s operator
run-time checking of vector operations for overflows and division-by-zero
error propagation fix to avoid a crash
* origin/topic/vern/ZAM-maint-Aug22.final:
updates to ZAM btest baselines
specialized ZAM operators for speeding up cat() operations
ZAM support for two-valued "for" loops over vectors
make it non-fatal for optimized scripts to encounter an empty "for" body
script optimization fix for new-style table constructors
The data/string handling in smb1-com-transaction.pac was improved
with c75519ca88; re-use the added
functionality also for smb1-com-transaction-secondary.pac to avoid
buffer overflows.