%include binpac.pac
%include zeek.pac
%extern{
#include "foo.bif.h"
%}
# Analyzer declaration: names the connection object (FOO_Conn) and the
# per-direction flow object (FOO_Flow) that make up the parsing context,
# so that `$context.flow` in the &let on FOO_PDU below resolves to the
# flow owning the unit being parsed.
analyzer FOO withcontext {
    connection: FOO_Conn;
    flow: FOO_Flow;
};
# Our connection consists of two flows, one in each direction.
# bro_analyzer is the Zeek analyzer instance that owns this parser; the
# flow code below reaches it through connection()->bro_analyzer() to
# confirm the protocol and to raise events.
connection FOO_Conn(bro_analyzer: ZeekAnalyzer) {
    # The boolean becomes the flow's is_orig and is passed on to every
    # FOO_PDU: true for originator -> responder, false for the reverse.
    upflow = FOO_Flow(true);
    downflow = FOO_Flow(false);
};
# Fixed 4-byte message header, parsed big-endian.
type HDR = record {
    version: uint8;
    reserved: uint8;   # never inspected by this parser
    # Total size of the enclosing FOO_PDU, header included: FOO_PDU uses
    # it as &length=hdr.len. It comes straight off the wire, so nothing
    # here guarantees it is large enough to hold the fixed fields.
    len: uint16;
} &byteorder=bigendian;
# One protocol data unit. &length=hdr.len makes the length field of the
# untrusted wire header the authoritative size of the whole record;
# `something` then absorbs whatever remains after the two fixed bytes up
# to that size. is_orig is not used by the record itself, it is only
# carried so the flow can hand it through.
# NOTE(review): hdr.len is attacker-controlled. A value below the 6 fixed
# bytes (4-byte HDR + plen + ptype) cannot be satisfied; binpac is expected
# to raise an out-of-boundary exception there rather than consume an empty
# unit — confirm with a test that feeds len=0 and len=5. plen is never
# cross-checked against hdr.len.
type FOO_PDU(is_orig: bool) = record {
    hdr: HDR;
    plen: uint8;
    ptype: uint8;
    something: bytestring &restofdata;
} &byteorder=bigendian, &length=hdr.len;
# Now we define the flow:
# The flow parses its input as a sequence of FOO_PDU units (flowunit, i.e.
# incremental parsing across buffer boundaries). Each completed unit
# evaluates the &let attached to FOO_PDU, which calls proc_foo_message on
# this flow. The datagram (one-PDU-per-packet) variant is kept commented
# out as the alternative.
flow FOO_Flow(is_orig: bool) {
    flowunit = FOO_PDU(is_orig) withcontext(connection, this);
    # datagram = FOO_PDU(is_orig) withcontext(connection, this);
};
# Per-flow handler, invoked from the &let on FOO_PDU once a unit has been
# fully parsed. Confirms the protocol to Zeek and enqueues the foo_message
# event with the unit's header length, plen and ptype. Always returns true.
refine flow FOO_Flow += {
    function proc_foo_message(msg: FOO_PDU): bool
        %{
        // Resolve the owning analyzer once rather than on every use.
        auto analyzer = connection()->bro_analyzer();

        // NOTE(review): confirmation is unconditional and happens before any
        // field is validated (version, reserved and plen are never checked),
        // so a single header-sized unit is enough to confirm FOO on a
        // connection.
        analyzer->AnalyzerConfirmation();

        auto hdr_len = msg->hdr()->len();
        // printf("FOO %d %d\n", hdr_len, msg->hdr_len());

        zeek::BifEvent::Foo::enqueue_foo_message(analyzer,
                                                 analyzer->Conn(),
                                                 is_orig(),
                                                 hdr_len,
                                                 msg->plen(),
                                                 msg->ptype());

        return true;
        %}
};
# Hook the handler onto the PDU type: the &let field is evaluated once per
# parsed FOO_PDU, after the record's fields are available, and dispatches
# to the owning flow's proc_foo_message through the analyzer context.
refine typeattr FOO_PDU += &let {
    proc: bool = $context.flow.proc_foo_message(this);
};