mirror of
https://github.com/zeek/zeek.git
synced 2025-10-09 01:58:20 +00:00
a7b077aa17
This change allows to specify a per signature specific event, overriding the default signature_match event. It further removes the message parameter from such events if not provided in the signature. This also tracks the message as StringValPtr directly to avoid allocating the same StringVal for every DoAction() call. Closes #3403
100 lines
2.5 KiB
C++
100 lines
2.5 KiB
C++
#pragma once
|
|
|
|
#include <sys/types.h> // for u_char
|
|
#include <string>
|
|
|
|
#include "zeek/EventHandler.h"
|
|
#include "zeek/IntrusivePtr.h"
|
|
#include "zeek/Tag.h"
|
|
|
|
namespace zeek {
|
|
|
|
class StringVal;
|
|
using StringValPtr = IntrusivePtr<StringVal>;
|
|
|
|
namespace detail {
|
|
|
|
class Rule;
|
|
class RuleEndpointState;
|
|
|
|
// Base class of all rule actions.
|
|
class RuleAction {
|
|
public:
|
|
RuleAction() {}
|
|
virtual ~RuleAction() {}
|
|
|
|
virtual void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) = 0;
|
|
virtual void PrintDebug() = 0;
|
|
};
|
|
|
|
// Implements the "event" keyword.
|
|
class RuleActionEvent : public RuleAction {
|
|
public:
|
|
explicit RuleActionEvent(const char* arg_msg);
|
|
explicit RuleActionEvent(const char* arg_msg, const char* event_name);
|
|
|
|
void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) override;
|
|
|
|
void PrintDebug() override;
|
|
|
|
private:
|
|
StringValPtr msg;
|
|
EventHandlerPtr handler;
|
|
};
|
|
|
|
class RuleActionMIME : public RuleAction {
|
|
public:
|
|
explicit RuleActionMIME(const char* arg_mime, int arg_strength = 0);
|
|
|
|
~RuleActionMIME() override { delete[] mime; }
|
|
|
|
void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) override {}
|
|
|
|
void PrintDebug() override;
|
|
|
|
std::string GetMIME() const { return mime; }
|
|
|
|
int GetStrength() const { return strength; }
|
|
|
|
private:
|
|
const char* mime;
|
|
int strength;
|
|
};
|
|
|
|
// Base class for enable/disable actions.
|
|
class RuleActionAnalyzer : public RuleAction {
|
|
public:
|
|
explicit RuleActionAnalyzer(const char* analyzer);
|
|
|
|
void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) override = 0;
|
|
|
|
void PrintDebug() override;
|
|
|
|
zeek::Tag Analyzer() const { return analyzer; }
|
|
zeek::Tag ChildAnalyzer() const { return child_analyzer; }
|
|
|
|
private:
|
|
zeek::Tag analyzer;
|
|
zeek::Tag child_analyzer;
|
|
};
|
|
|
|
class RuleActionEnable : public RuleActionAnalyzer {
|
|
public:
|
|
explicit RuleActionEnable(const char* analyzer) : RuleActionAnalyzer(analyzer) {}
|
|
|
|
void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) override;
|
|
|
|
void PrintDebug() override;
|
|
};
|
|
|
|
class RuleActionDisable : public RuleActionAnalyzer {
|
|
public:
|
|
explicit RuleActionDisable(const char* analyzer) : RuleActionAnalyzer(analyzer) {}
|
|
|
|
void DoAction(const Rule* parent, RuleEndpointState* state, const u_char* data, int len) override;
|
|
|
|
void PrintDebug() override;
|
|
};
|
|
|
|
} // namespace detail
|
|
} // namespace zeek
|