mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
98 lines
3.2 KiB
C++
98 lines
3.2 KiB
C++
// See the file "COPYING" in the main distribution directory for copyright.
|
|
|
|
#pragma once
|
|
|
|
#include "zeek/Tag.h"
|
|
#include "zeek/plugin/Component.h"
|
|
#include "zeek/util.h"
|
|
|
|
namespace zeek {
|
|
|
|
class Connection;
|
|
|
|
namespace analyzer {
|
|
|
|
class Analyzer;
|
|
|
|
/**
|
|
* Component description for plugins providing analyzers.
|
|
*
|
|
* A plugin can provide a specific protocol analyzer by registering this
|
|
* analyzer component, describing the analyzer.
|
|
*/
|
|
class Component : public plugin::Component {
|
|
public:
|
|
using factory_callback = Analyzer* (*)(Connection * conn);
|
|
|
|
/**
|
|
* Constructor.
|
|
*
|
|
* @param name The name of the provided analyzer. This name is used
|
|
* across the system to identify the analyzer, e.g., when calling
|
|
* analyzer::Manager::InstantiateAnalyzer with a name.
|
|
*
|
|
* @param factory A factory function to instantiate instances of the
|
|
* analyzer's class, which must be derived directly or indirectly
|
|
* from zeek::analyzer::Analyzer. This is typically a static \c
|
|
* Instantiate() method inside the class that just allocates and
|
|
* returns a new instance.
|
|
*
|
|
* @param subtype A subtype associated with this component that
|
|
* further distinguishes it. The subtype will be integrated into
|
|
* the Tag that the manager associates with this analyzer,
|
|
* and analyzer instances can accordingly access it via Tag().
|
|
* If not used, leave at zero.
|
|
*
|
|
* @param enabled If false the analyzer starts out as disabled and
|
|
* hence won't be used. It can still be enabled later via the
|
|
* manager, including from script-land.
|
|
*
|
|
* @param partial If true, the analyzer can deal with payload from
|
|
* partial connections, i.e., when Zeek enters the stream mid-way
|
|
* after not seeing the beginning. Note that handling of partial
|
|
* connections has generally not seen much testing yet as virtually
|
|
* no existing analyzer supports it.
|
|
*
|
|
* @param adapter If true, this analyzer is a session adapter from
|
|
* the packet analyzer framework.
|
|
*/
|
|
Component(const std::string& name, factory_callback factory, zeek::Tag::subtype_t subtype = 0, bool enabled = true,
|
|
bool partial = false, bool adapter = false);
|
|
|
|
/**
|
|
* Destructor.
|
|
*/
|
|
~Component() override = default;
|
|
|
|
/**
|
|
* Initialization function. This function has to be called before any
|
|
* plugin component functionality is used; it is used to add the
|
|
* plugin component to the list of components and to initialize tags
|
|
*/
|
|
void Initialize() override;
|
|
|
|
/**
|
|
* Returns the analyzer's factory function.
|
|
*/
|
|
factory_callback Factory() const { return factory; }
|
|
|
|
/**
|
|
* Returns whether the analyzer supports partial connections. Partial
|
|
* connections are those where Zeek starts processing payload
|
|
* mid-stream, after missing the beginning.
|
|
*/
|
|
bool Partial() const { return partial; }
|
|
|
|
protected:
|
|
/**
|
|
* Overridden from plugin::Component.
|
|
*/
|
|
void DoDescribe(ODesc* d) const override;
|
|
|
|
private:
|
|
factory_callback factory; // The analyzer's factory callback.
|
|
bool partial; // True if the analyzer supports partial connections.
|
|
};
|
|
|
|
} // namespace analyzer
|
|
} // namespace zeek
|