Support zeek 41 (#17)

* Update event call based on error raised with Zeek 4.0.0

* Initial commit of changes to support Zeek 4.1+, compiles but untested

* Update readme, fix missing semicolon masked by preprocessor call

* Address compilation errors and warnings with zeek 4.0

* fix Whitespace issue

* Minor updates to readme, also update build process including include paths to align with zeek 4.1 package expectations

CMakeLists.txt

@@ -1,11 +1,7 @@
-cmake_minimum_required(VERSION 2.8)
+cmake_minimum_required(VERSION 3.5 FATAL_ERROR)
 
 project(ZeekPluginHTTP2)
 
-if ( NOT ZEEK_DIST )
-    message(FATAL ERROR "ZEEK_DIST not set")
-endif ()
-
 set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH})
 
 include(ZeekPlugin)

README.md

@@ -1,9 +1,9 @@
 # Zeek HTTP2 Analyzer Plugin
 
 This plugin provides an HTTP2 ([RFC 7540](https://tools.ietf.org/html/rfc7540))
-decoder/analyzer for [Zeek](https://www.zeek.org/) 3.0.x and 3.1.x. If you need
-this capability for older instances of Zeek (Bro), i.e., 2.6.x or older, please
-refer to the last `0.4.x` release of this plugin.
+decoder/analyzer for [Zeek](https://www.zeek.org/) 4.0+. If you need
+this capability for older instances of Zeek (Bro), i.e., 3.x, 2.6.x or older, please
+refer to previous versions of the plugin.
 
 The events exposed attempt to mimic the events exposed by the native HTTP analyzer
 
@@ -25,21 +25,28 @@ On CentOS 7:
 
     # sudo yum install libnghttp2-devel
 
-On Ubuntu 16.04:
+On Ubuntu 20.04:
 
-The version of `libnghttp-dev` on Ubuntu's apt repositories is too
-old (version 1.7.1 as of when this was written) so you must install the library
-manually from the [repo](https://github.com/nghttp2/nghttp2/releases/latest).
+    # apt install libnghttp2-dev
+
+Alternatively install the library manually from the [repo](https://github.com/nghttp2/nghttp2/releases/latest).
 
 #### Brotli
 
 Brotli is required as it is used quite often by popular websites and the
-analyzer automatically attempts to decompress data frames. No pre-compiled
-packages could be found for the brotli library so it will need to be manually
-built and installed. The library can be found at
-<https://github.com/google/brotli>. The latest release can be found at
-<https://github.com/google/brotli/releases/latest>. After downloading the latest
-release, follow these steps to compile and install the library:
+analyzer automatically attempts to decompress data frames.
+
+On CentOS 7:
+
+    # sudo yum install libbrotli-devel
+
+On Ubuntu 20.04:
+
+    # apt install libbrotli-dev
+
+Alternatively install the library manually. It can be found at <https://github.com/google/brotli>.
+The latest release can be found at <https://github.com/google/brotli/releases/latest>.
+After downloading the latest release, follow these steps to compile and install the library:
 
     tar -zxvf <release file>
     cd brotli-<version>
@@ -49,21 +56,16 @@ release, follow these steps to compile and install the library:
     make test
     make install
 
-### Manual Installation
+### Zeek Package Manager
 
-To manually build and install the plugin:
+Using the Zeek Package Manager is the recommended way to install this plugin.
+The Zeek Package Manager (`zkg`) is included with installations of Zeek 4.0 and newer.
 
-    cd <HTTP2 Plugin Directory>
-    rm -r build # Only if build exists
-    ./configure --zeek-dist=</path/to/zeek/source>
-    make
-    make test
-    make install
+Before attempting to install the plugin, ensure Zeek's binary path is available in your `PATH` environment variable. For example if you installed Zeek via binary package, you would need to do:
 
-### Zeek Package Manager
+    # export PATH=$PATH:/opt/zeek/bin
 
-The Zeek Package Manager can be used to install
-this plugin in multiple ways:
+After setting the `PATH` properly, you can install the plugin using one of the following methods:
 
 * From the repo clone directory:
 
@@ -81,20 +83,23 @@ __NOTE__ If you had an older version of zkg or the original bro package manager
 installed, the path might show up as `bro/mitrecnd/bro-http2`. Please use that
 path or update your zkg configuration located, by default, in `~/.zkg/config`.
 
-#### Installing Older Versions
+### Installing Older Versions
 
-If you are still running an older version of Zeek (Bro 2.6.x and older), you
+If you are still running an older version of Zeek (Zeek 3.x, Bro 2.6.x or older), you
 can install a previous version of the plugin using zkg, utilizing the `--version`
-argument.
+argument to specify a specific source tag or branch.
+The following will install a version compatible with Bro 2.6.x.
 
       # zkg install zeek/mitrecnd/bro-http2 --version 0.4.2
 
+__NOTE__ While using an older version ensures compatibility with an older version of Zeek/Bro, there have been some changes and bug fixes made to the code, so performance may not be optimal and issues may arise.
+
 ## Usage
 
 You should see the following output from zeek if successfully installed:
 
     > zeek -NN mitrecnd::HTTP2
-    mitrecnd::HTTP2 - Hypertext Transfer Protocol Version 2 analyzer (dynamic, version 0.5.1)
+    mitrecnd::HTTP2 - Hypertext Transfer Protocol Version 2 analyzer (dynamic, version 0.6.0)
         [Analyzer] HTTP2 (ANALYZER_HTTP2, enabled)
         [Event] http2_request
         [Event] http2_reply

VERSION

@@ -1 +1 @@
-0.5.3
+0.6.0

configure

@@ -14,21 +14,13 @@ if [ -e `dirname $0`/configure.plugin ]; then
     . `dirname $0`/configure.plugin
 fi
 
-# Check for `cmake` command.
-type cmake > /dev/null 2>&1 || {
-    echo "\
-This package requires CMake, please install it first, then you may
-use this configure script to access CMake equivalent functionality.\
-" >&2;
-    exit 1;
-}
-
 usage() {
 
 cat 1>&2 <<EOF
 Usage: $0 [OPTIONS]
 
   Plugin Options:
+    --cmake=PATH               Path to CMake binary
     --zeek-dist=DIR            Path to Zeek source tree
     --install-root=DIR         Path where to install plugin into
     --with-binpac=DIR          Path to BinPAC installation root
@@ -73,11 +65,11 @@ while [ $# -ne 0 ]; do
             usage
             ;;
 
-        --zeek-dist=*)
-            zeekdist=`cd $optarg && pwd`
+        --cmake=*)
+            CMakeCommand=$optarg
             ;;
 
-        --bro-dist=*) # Legacy option for backwards compability
+        --zeek-dist=*)
             zeekdist=`cd $optarg && pwd`
             ;;
 
@@ -120,64 +112,60 @@ while [ $# -ne 0 ]; do
     shift
 done
 
+if [ -z "$CMakeCommand" ]; then
+    # prefer cmake3 over "regular" cmake (cmake == cmake2 on RHEL)
+    if command -v cmake3 >/dev/null 2>&1 ; then
+        CMakeCommand="cmake3"
+    elif command -v cmake >/dev/null 2>&1 ; then
+        CMakeCommand="cmake"
+    else
+        echo "This package requires CMake, please install it first."
+        echo "Then you may use this script to configure the CMake build."
+        echo "Note: pass --cmake=PATH to use cmake in non-standard locations."
+        exit 1;
+    fi
+fi
+
 if [ -z "$zeekdist" ]; then
     if type zeek-config >/dev/null 2>&1; then
-       zeek_config="zeek-config"
-    elif type bro-config >/dev/null 2>&1; then
-       zeek_config="bro-config"
+        zeek_config="zeek-config"
+    else
+        echo "Either 'zeek-config' must be in PATH or '--zeek-dist=<path>' used"
+        exit 1
     fi
 
-    if [ -n "${zeek_config}" ]; then
-        if ${zeek_config} --cmake_dir >/dev/null 2>&1; then
-            # Have a newer version of zeek-config that has needed flags
-            append_cache_entry BRO_CONFIG_PREFIX PATH `${zeek_config} --prefix`
-            append_cache_entry BRO_CONFIG_INCLUDE_DIR PATH `${zeek_config} --include_dir`
-            append_cache_entry BRO_CONFIG_PLUGIN_DIR PATH `${zeek_config} --plugin_dir`
-            append_cache_entry BRO_CONFIG_CMAKE_DIR PATH `${zeek_config} --cmake_dir`
-            append_cache_entry CMAKE_MODULE_PATH PATH `${zeek_config} --cmake_dir`
-
-            build_type=`${zeek_config} --build_type`
+    append_cache_entry BRO_CONFIG_PREFIX PATH `${zeek_config} --prefix`
+    append_cache_entry BRO_CONFIG_INCLUDE_DIR PATH `${zeek_config} --include_dir`
+    append_cache_entry BRO_CONFIG_PLUGIN_DIR PATH `${zeek_config} --plugin_dir`
+    append_cache_entry BRO_CONFIG_LIB_DIR PATH `${zeek_config} --lib_dir`
+    append_cache_entry BRO_CONFIG_CMAKE_DIR PATH `${zeek_config} --cmake_dir`
+    append_cache_entry CMAKE_MODULE_PATH PATH `${zeek_config} --cmake_dir`
 
-            if [ "$build_type" = "debug" ]; then
-                append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true
-            fi
-
-            if [ -z "$binpac_root" ]; then
-                append_cache_entry BinPAC_ROOT_DIR PATH `${zeek_config} --binpac_root`
-            fi
+    build_type=`${zeek_config} --build_type`
 
-            if [ -z "$broker_root" ]; then
-                append_cache_entry BROKER_ROOT_DIR PATH `${zeek_config} --broker_root`
-            fi
+    if [ "$build_type" = "debug" ]; then
+        append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true
+    fi
 
-            if [ -z "$caf_root" ]; then
-                append_cache_entry CAF_ROOT_DIR PATH `${zeek_config} --caf_root`
-            fi
-        else
-            # Using legacy bro-config, so we must use the "--bro_dist" option.
-            zeekdist=`${zeek_config} --bro_dist 2> /dev/null`
+    if [ -z "$binpac_root" ]; then
+        append_cache_entry BinPAC_ROOT_DIR PATH `${zeek_config} --binpac_root`
+    fi
 
-            if [ ! -e "$zeekdist/zeek-path-dev.in" ]; then
-                echo "$zeekdist does not appear to be a valid Zeek source tree."
-                exit 1
-            fi
+    if [ -z "$broker_root" ]; then
+        append_cache_entry BROKER_ROOT_DIR PATH `${zeek_config} --broker_root`
+    fi
 
-            # BRO_DIST is needed to support legacy Bro plugins
-            append_cache_entry BRO_DIST  PATH $zeekdist
-            append_cache_entry ZEEK_DIST PATH $zeekdist
-            append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake
-        fi
-    else
-        echo "Either 'zeek-config' must be in PATH or '--zeek-dist=<path>' used"
-        exit 1
+    if [ -z "$caf_root" ]; then
+        append_cache_entry CAF_ROOT_DIR PATH `${zeek_config} --caf_root`
     fi
 else
-    if [ ! -e "$zeekdist/zeek-path-dev.in" -a ! -e "$zeekdist/bro-path-dev.in" ]; then
-      echo "$zeekdist does not appear to be a valid Zeek source tree."
-      exit 1
+    if [ ! -e "$zeekdist/zeek-path-dev.in" ]; then
+        echo "$zeekdist does not appear to be a valid Zeek source tree."
+        exit 1
     fi
 
-    # BRO_DIST is needed to support legacy Bro plugins
+    # BRO_DIST is the canonical/historical name used by plugin CMake scripts
+    # ZEEK_DIST doesn't serve a function at the moment, but set/provided anyway
     append_cache_entry BRO_DIST  PATH $zeekdist
     append_cache_entry ZEEK_DIST PATH $zeekdist
     append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake
@@ -194,7 +182,7 @@ echo "Zeek Source Directory   : $zeekdist"
 mkdir -p $builddir
 cd $builddir
 
-cmake $CMakeCacheEntries ..
+"$CMakeCommand" $CMakeCacheEntries ..
 
 echo "# This is the command used to configure this build" > config.status
 echo $command >> config.status

scripts/http2/main.zeek

@@ -157,7 +157,7 @@ event http2_request(c: connection, is_orig: bool, stream: count, method: string,
     c$http2_streams$streams[stream]$push = push;
 
     if ( method !in HTTP::http_methods )
-        event conn_weird("unknown_HTTP2_method", c, method);
+        event conn_weird("unknown_HTTP2_method", c, method, "HTTP2_Analyzer");
 }
 
 event http2_reply(c: connection, is_orig: bool, stream: count, version: string,