zeek/src/packet_analysis/packet_analysis.bif

module PacketAnalyzer;

%%{

#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Manager.h"
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"

%%}

## Add an entry to parent's dispatcher that maps a protocol/index to a next-stage child analyzer.
##
## parent: The parent analyzer being modified
## identifier: The identifier for the protocol being registered
## child: The analyzer that will be called for the identifier
##
function register_packet_analyzer%(parent: PacketAnalyzer::Tag, identifier: count, child: PacketAnalyzer::Tag%): bool
	%{
	packet_analysis::AnalyzerPtr parent_analyzer = packet_mgr->GetAnalyzer(parent->AsEnumVal());
	if ( ! parent_analyzer )
		return zeek::val_mgr->False();

	packet_analysis::AnalyzerPtr child_analyzer = packet_mgr->GetAnalyzer(child->AsEnumVal());
	if ( ! child_analyzer )
		return zeek::val_mgr->False();

	parent_analyzer->RegisterProtocol(identifier, child_analyzer);
	return zeek::val_mgr->True();
	%}

## Attempts to add an entry to `parent`'s dispatcher that maps a protocol/index to a next-stage `child`
## analyzer. This may fail if either of the two names does not respond to a known analyzer.
##
## parent: The parent analyzer being modified
## identifier: The identifier for the protocol being registered
## child: The analyzer that will be called for the identifier
##
function try_register_packet_analyzer_by_name%(parent: string, identifier: count, child: string%):  bool
	%{
	packet_analysis::AnalyzerPtr parent_analyzer = packet_mgr->GetAnalyzer(parent->ToStdString());
	if ( ! parent_analyzer )
		return zeek::val_mgr->False();

	packet_analysis::AnalyzerPtr child_analyzer = packet_mgr->GetAnalyzer(child->ToStdString());
	if ( ! child_analyzer )
		return zeek::val_mgr->False();

	parent_analyzer->RegisterProtocol(identifier, child_analyzer);
	return zeek::val_mgr->True();
	%}

## Internal function that is used to update the core-mirror of the script-level `ignore_checksums_nets` variable.
function PacketAnalyzer::__set_ignore_checksums_nets%(v: subnet_set%) : bool
	%{
	if ( v->GetType()->Tag() != zeek::TYPE_TABLE )
		zeek::emit_builtin_error("update_ignore_checksums_net() requires a table/set argument");

	zeek::packet_analysis::IP::IPBasedAnalyzer::SetIgnoreChecksumsNets(zeek::IntrusivePtr{zeek::NewRef{}, v->AsTableVal()});
	return zeek::val_mgr->True();
	%}

## Registers a child analyzer with a parent analyzer to perform packet detection when determining whether
## to forward from parent to child.
##
## parent: The parent analyzer being modified
## child: The analyzer that will use protocol detection
function register_protocol_detection%(parent: PacketAnalyzer::Tag, child: PacketAnalyzer::Tag%): bool
	%{
	packet_analysis::AnalyzerPtr parent_analyzer = packet_mgr->GetAnalyzer(parent->AsEnumVal());
	if ( ! parent_analyzer )
		return zeek::val_mgr->False();

	packet_analysis::AnalyzerPtr child_analyzer = packet_mgr->GetAnalyzer(child->AsEnumVal());
	if ( ! child_analyzer )
		return zeek::val_mgr->False();

	parent_analyzer->RegisterProtocolDetection(child_analyzer);
	return zeek::val_mgr->True();
	%}

## Internal function to disable a packet analyzer.
function PacketAnalyzer::__disable_analyzer%(id: PacketAnalyzer::Tag%) : bool
	%{
	bool result = zeek::packet_mgr->DisableAnalyzer(id->AsEnumVal());
	return zeek::val_mgr->Bool(result);
	%}

## Internal function to enable a packet analyzer.
function PacketAnalyzer::__enable_analyzer%(id: PacketAnalyzer::Tag%) : bool
	%{
	bool result = zeek::packet_mgr->EnableAnalyzer(id->AsEnumVal());
	return zeek::val_mgr->Bool(result);
	%}