module PacketAnalyzer; %%{ #include "zeek/packet_analysis/Analyzer.h" #include "zeek/packet_analysis/Manager.h" #include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h" %%} ## Add an entry to parent's dispatcher that maps a protocol/index to a next-stage child analyzer. ## ## parent: The parent analyzer being modified ## identifier: The identifier for the protocol being registered ## child: The analyzer that will be called for the identifier ## function register_packet_analyzer%(parent: PacketAnalyzer::Tag, identifier: count, child: PacketAnalyzer::Tag%): bool %{ packet_analysis::AnalyzerPtr parent_analyzer = packet_mgr->GetAnalyzer(parent->AsEnumVal()); if ( ! parent_analyzer ) return zeek::val_mgr->False(); packet_analysis::AnalyzerPtr child_analyzer = packet_mgr->GetAnalyzer(child->AsEnumVal()); if ( ! child_analyzer ) return zeek::val_mgr->False(); parent_analyzer->RegisterProtocol(identifier, child_analyzer); return zeek::val_mgr->True(); %} ## Attempts to add an entry to `parent`'s dispatcher that maps a protocol/index to a next-stage `child` ## analyzer. This may fail if either of the two names does not respond to a known analyzer. ## ## parent: The parent analyzer being modified ## identifier: The identifier for the protocol being registered ## child: The analyzer that will be called for the identifier ## function try_register_packet_analyzer_by_name%(parent: string, identifier: count, child: string%): bool %{ packet_analysis::AnalyzerPtr parent_analyzer = packet_mgr->GetAnalyzer(parent->ToStdString()); if ( ! parent_analyzer ) return zeek::val_mgr->False(); packet_analysis::AnalyzerPtr child_analyzer = packet_mgr->GetAnalyzer(child->ToStdString()); if ( ! child_analyzer ) return zeek::val_mgr->False(); parent_analyzer->RegisterProtocol(identifier, child_analyzer); return zeek::val_mgr->True(); %} ## Internal function that is used to update the core-mirror of the script-level `ignore_checksums_nets` variable. function PacketAnalyzer::__set_ignore_checksums_nets%(v: subnet_set%) : bool %{ if ( v->GetType()->Tag() != zeek::TYPE_TABLE ) zeek::emit_builtin_error("update_ignore_checksums_net() requires a table/set argument"); zeek::packet_analysis::IP::IPBasedAnalyzer::SetIgnoreChecksumsNets(zeek::IntrusivePtr{zeek::NewRef{}, v->AsTableVal()}); return zeek::val_mgr->True(); %} ## Registers a child analyzer with a parent analyzer to perform packet detection when determining whether ## to forward from parent to child. ## ## parent: The parent analyzer being modified ## child: The analyzer that will use protocol detection function register_protocol_detection%(parent: PacketAnalyzer::Tag, child: PacketAnalyzer::Tag%): bool %{ packet_analysis::AnalyzerPtr parent_analyzer = packet_mgr->GetAnalyzer(parent->AsEnumVal()); if ( ! parent_analyzer ) return zeek::val_mgr->False(); packet_analysis::AnalyzerPtr child_analyzer = packet_mgr->GetAnalyzer(child->AsEnumVal()); if ( ! child_analyzer ) return zeek::val_mgr->False(); parent_analyzer->RegisterProtocolDetection(child_analyzer); return zeek::val_mgr->True(); %} ## Internal function to disable a packet analyzer. function PacketAnalyzer::__disable_analyzer%(id: PacketAnalyzer::Tag%) : bool %{ bool result = zeek::packet_mgr->DisableAnalyzer(id->AsEnumVal()); return zeek::val_mgr->Bool(result); %} ## Internal function to enable a packet analyzer. function PacketAnalyzer::__enable_analyzer%(id: PacketAnalyzer::Tag%) : bool %{ bool result = zeek::packet_mgr->EnableAnalyzer(id->AsEnumVal()); return zeek::val_mgr->Bool(result); %}