From 7dc14042d1602065d60601d193b99b005f08fe34 Mon Sep 17 00:00:00 2001 From: Murad Date: Wed, 6 Oct 2021 11:15:23 -0400 Subject: [PATCH] Support zeek 41 (#17) * Update event call based on error raised with Zeek 4.0.0 * Initial commit of changes to support Zeek 4.1+, compiles but untested * Update readme, fix missing semicolon masked by preprocessor call * Address compilation errors and warnings with zeek 4.0 * fix Whitespace issue * Minor updates to readme, also update build process including include paths to align with zeek 4.1 package expectations --- CMakeLists.txt | 6 +- README.md | 61 +++--- VERSION | 2 +- configure | 104 +++++----- scripts/http2/main.zeek | 2 +- src/HTTP2.cc | 361 ++++++++++++++++++---------------- src/HTTP2.h | 31 +-- src/HTTP2_Frame.cc | 44 ++--- src/HTTP2_Frame.h | 2 +- src/HTTP2_FrameReassembler.cc | 2 +- src/HTTP2_FrameReassembler.h | 70 +++---- src/HTTP2_HeaderStorage.cc | 36 ++-- src/HTTP2_HeaderStorage.h | 18 +- src/HTTP2_Stream.cc | 60 +++--- src/HTTP2_Stream.h | 8 +- src/Plugin.cc | 14 +- src/Plugin.h | 11 +- src/debug.h | 6 +- src/events.bif | 42 ++-- zkg.meta | 2 +- 20 files changed, 452 insertions(+), 430 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 91d2530..6f9e4c1 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,11 +1,7 @@ -cmake_minimum_required(VERSION 2.8) +cmake_minimum_required(VERSION 3.5 FATAL_ERROR) project(ZeekPluginHTTP2) -if ( NOT ZEEK_DIST ) - message(FATAL ERROR "ZEEK_DIST not set") -endif () - set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH}) include(ZeekPlugin) diff --git a/README.md b/README.md index 6b1022d..926f494 100755 --- a/README.md +++ b/README.md @@ -1,9 +1,9 @@ # Zeek HTTP2 Analyzer Plugin This plugin provides an HTTP2 ([RFC 7540](https://tools.ietf.org/html/rfc7540)) -decoder/analyzer for [Zeek](https://www.zeek.org/) 3.0.x and 3.1.x. If you need -this capability for older instances of Zeek (Bro), i.e., 2.6.x or older, please -refer to the last `0.4.x` release of this plugin. +decoder/analyzer for [Zeek](https://www.zeek.org/) 4.0+. If you need +this capability for older instances of Zeek (Bro), i.e., 3.x, 2.6.x or older, please +refer to previous versions of the plugin. The events exposed attempt to mimic the events exposed by the native HTTP analyzer @@ -25,21 +25,28 @@ On CentOS 7: # sudo yum install libnghttp2-devel -On Ubuntu 16.04: +On Ubuntu 20.04: -The version of `libnghttp-dev` on Ubuntu's apt repositories is too -old (version 1.7.1 as of when this was written) so you must install the library -manually from the [repo](https://github.com/nghttp2/nghttp2/releases/latest). + # apt install libnghttp2-dev + +Alternatively install the library manually from the [repo](https://github.com/nghttp2/nghttp2/releases/latest). #### Brotli Brotli is required as it is used quite often by popular websites and the -analyzer automatically attempts to decompress data frames. No pre-compiled -packages could be found for the brotli library so it will need to be manually -built and installed. The library can be found at -. The latest release can be found at -. After downloading the latest -release, follow these steps to compile and install the library: +analyzer automatically attempts to decompress data frames. + +On CentOS 7: + + # sudo yum install libbrotli-devel + +On Ubuntu 20.04: + + # apt install libbrotli-dev + +Alternatively install the library manually. It can be found at . +The latest release can be found at . +After downloading the latest release, follow these steps to compile and install the library: tar -zxvf cd brotli- @@ -49,21 +56,16 @@ release, follow these steps to compile and install the library: make test make install -### Manual Installation +### Zeek Package Manager -To manually build and install the plugin: +Using the Zeek Package Manager is the recommended way to install this plugin. +The Zeek Package Manager (`zkg`) is included with installations of Zeek 4.0 and newer. - cd - rm -r build # Only if build exists - ./configure --zeek-dist= - make - make test - make install +Before attempting to install the plugin, ensure Zeek's binary path is available in your `PATH` environment variable. For example if you installed Zeek via binary package, you would need to do: -### Zeek Package Manager + # export PATH=$PATH:/opt/zeek/bin -The Zeek Package Manager can be used to install -this plugin in multiple ways: +After setting the `PATH` properly, you can install the plugin using one of the following methods: * From the repo clone directory: @@ -81,20 +83,23 @@ __NOTE__ If you had an older version of zkg or the original bro package manager installed, the path might show up as `bro/mitrecnd/bro-http2`. Please use that path or update your zkg configuration located, by default, in `~/.zkg/config`. -#### Installing Older Versions +### Installing Older Versions -If you are still running an older version of Zeek (Bro 2.6.x and older), you +If you are still running an older version of Zeek (Zeek 3.x, Bro 2.6.x or older), you can install a previous version of the plugin using zkg, utilizing the `--version` -argument. +argument to specify a specific source tag or branch. +The following will install a version compatible with Bro 2.6.x. # zkg install zeek/mitrecnd/bro-http2 --version 0.4.2 +__NOTE__ While using an older version ensures compatibility with an older version of Zeek/Bro, there have been some changes and bug fixes made to the code, so performance may not be optimal and issues may arise. + ## Usage You should see the following output from zeek if successfully installed: > zeek -NN mitrecnd::HTTP2 - mitrecnd::HTTP2 - Hypertext Transfer Protocol Version 2 analyzer (dynamic, version 0.5.1) + mitrecnd::HTTP2 - Hypertext Transfer Protocol Version 2 analyzer (dynamic, version 0.6.0) [Analyzer] HTTP2 (ANALYZER_HTTP2, enabled) [Event] http2_request [Event] http2_reply diff --git a/VERSION b/VERSION index be14282..a918a2a 100755 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.5.3 +0.6.0 diff --git a/configure b/configure index b06992f..ba695cb 100755 --- a/configure +++ b/configure @@ -14,21 +14,13 @@ if [ -e `dirname $0`/configure.plugin ]; then . `dirname $0`/configure.plugin fi -# Check for `cmake` command. -type cmake > /dev/null 2>&1 || { - echo "\ -This package requires CMake, please install it first, then you may -use this configure script to access CMake equivalent functionality.\ -" >&2; - exit 1; -} - usage() { cat 1>&2 </dev/null 2>&1 ; then + CMakeCommand="cmake3" + elif command -v cmake >/dev/null 2>&1 ; then + CMakeCommand="cmake" + else + echo "This package requires CMake, please install it first." + echo "Then you may use this script to configure the CMake build." + echo "Note: pass --cmake=PATH to use cmake in non-standard locations." + exit 1; + fi +fi + if [ -z "$zeekdist" ]; then if type zeek-config >/dev/null 2>&1; then - zeek_config="zeek-config" - elif type bro-config >/dev/null 2>&1; then - zeek_config="bro-config" + zeek_config="zeek-config" + else + echo "Either 'zeek-config' must be in PATH or '--zeek-dist=' used" + exit 1 fi - if [ -n "${zeek_config}" ]; then - if ${zeek_config} --cmake_dir >/dev/null 2>&1; then - # Have a newer version of zeek-config that has needed flags - append_cache_entry BRO_CONFIG_PREFIX PATH `${zeek_config} --prefix` - append_cache_entry BRO_CONFIG_INCLUDE_DIR PATH `${zeek_config} --include_dir` - append_cache_entry BRO_CONFIG_PLUGIN_DIR PATH `${zeek_config} --plugin_dir` - append_cache_entry BRO_CONFIG_CMAKE_DIR PATH `${zeek_config} --cmake_dir` - append_cache_entry CMAKE_MODULE_PATH PATH `${zeek_config} --cmake_dir` - - build_type=`${zeek_config} --build_type` + append_cache_entry BRO_CONFIG_PREFIX PATH `${zeek_config} --prefix` + append_cache_entry BRO_CONFIG_INCLUDE_DIR PATH `${zeek_config} --include_dir` + append_cache_entry BRO_CONFIG_PLUGIN_DIR PATH `${zeek_config} --plugin_dir` + append_cache_entry BRO_CONFIG_LIB_DIR PATH `${zeek_config} --lib_dir` + append_cache_entry BRO_CONFIG_CMAKE_DIR PATH `${zeek_config} --cmake_dir` + append_cache_entry CMAKE_MODULE_PATH PATH `${zeek_config} --cmake_dir` - if [ "$build_type" = "debug" ]; then - append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true - fi - - if [ -z "$binpac_root" ]; then - append_cache_entry BinPAC_ROOT_DIR PATH `${zeek_config} --binpac_root` - fi + build_type=`${zeek_config} --build_type` - if [ -z "$broker_root" ]; then - append_cache_entry BROKER_ROOT_DIR PATH `${zeek_config} --broker_root` - fi + if [ "$build_type" = "debug" ]; then + append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true + fi - if [ -z "$caf_root" ]; then - append_cache_entry CAF_ROOT_DIR PATH `${zeek_config} --caf_root` - fi - else - # Using legacy bro-config, so we must use the "--bro_dist" option. - zeekdist=`${zeek_config} --bro_dist 2> /dev/null` + if [ -z "$binpac_root" ]; then + append_cache_entry BinPAC_ROOT_DIR PATH `${zeek_config} --binpac_root` + fi - if [ ! -e "$zeekdist/zeek-path-dev.in" ]; then - echo "$zeekdist does not appear to be a valid Zeek source tree." - exit 1 - fi + if [ -z "$broker_root" ]; then + append_cache_entry BROKER_ROOT_DIR PATH `${zeek_config} --broker_root` + fi - # BRO_DIST is needed to support legacy Bro plugins - append_cache_entry BRO_DIST PATH $zeekdist - append_cache_entry ZEEK_DIST PATH $zeekdist - append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake - fi - else - echo "Either 'zeek-config' must be in PATH or '--zeek-dist=' used" - exit 1 + if [ -z "$caf_root" ]; then + append_cache_entry CAF_ROOT_DIR PATH `${zeek_config} --caf_root` fi else - if [ ! -e "$zeekdist/zeek-path-dev.in" -a ! -e "$zeekdist/bro-path-dev.in" ]; then - echo "$zeekdist does not appear to be a valid Zeek source tree." - exit 1 + if [ ! -e "$zeekdist/zeek-path-dev.in" ]; then + echo "$zeekdist does not appear to be a valid Zeek source tree." + exit 1 fi - # BRO_DIST is needed to support legacy Bro plugins + # BRO_DIST is the canonical/historical name used by plugin CMake scripts + # ZEEK_DIST doesn't serve a function at the moment, but set/provided anyway append_cache_entry BRO_DIST PATH $zeekdist append_cache_entry ZEEK_DIST PATH $zeekdist append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake @@ -194,7 +182,7 @@ echo "Zeek Source Directory : $zeekdist" mkdir -p $builddir cd $builddir -cmake $CMakeCacheEntries .. +"$CMakeCommand" $CMakeCacheEntries .. echo "# This is the command used to configure this build" > config.status echo $command >> config.status diff --git a/scripts/http2/main.zeek b/scripts/http2/main.zeek index 7d70bf0..4b9a968 100755 --- a/scripts/http2/main.zeek +++ b/scripts/http2/main.zeek @@ -157,7 +157,7 @@ event http2_request(c: connection, is_orig: bool, stream: count, method: string, c$http2_streams$streams[stream]$push = push; if ( method !in HTTP::http_methods ) - event conn_weird("unknown_HTTP2_method", c, method); + event conn_weird("unknown_HTTP2_method", c, method, "HTTP2_Analyzer"); } event http2_reply(c: connection, is_orig: bool, stream: count, version: string, diff --git a/src/HTTP2.cc b/src/HTTP2.cc index b131337..d657863 100755 --- a/src/HTTP2.cc +++ b/src/HTTP2.cc @@ -2,12 +2,12 @@ #include "HTTP2.h" -#include "Var.h" -#include "NetVar.h" -#include "analyzer/protocol/tcp/TCP_Reassembler.h" -#include "analyzer/protocol/mime/MIME.h" +#include "zeek/Var.h" +#include "zeek/NetVar.h" +#include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h" +#include "zeek/analyzer/protocol/mime/MIME.h" #include "debug.h" -#include "Reporter.h" +#include "zeek/Reporter.h" using namespace analyzer::mitrecnd; @@ -28,8 +28,8 @@ static constexpr uint8_t CONN_PREFACE_LENGTH = static_cast(sizeof(conne ** HTTP2_Analyzer */ -HTTP2_Analyzer::HTTP2_Analyzer(Connection* conn) -: tcp::TCP_ApplicationAnalyzer("HTTP2", conn) +HTTP2_Analyzer::HTTP2_Analyzer(zeek::Connection* conn) +: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("HTTP2", conn) { DEBUG_INFO("Create Analyzer: [%p]\n",Conn()); this->connectionActive = false; @@ -81,16 +81,16 @@ HTTP2_Analyzer::~HTTP2_Analyzer() void HTTP2_Analyzer::Done() { - tcp::TCP_ApplicationAnalyzer::Done(); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done(); } void HTTP2_Analyzer::EndpointEOF(bool is_orig) { - tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig); } void HTTP2_Analyzer::DeliverStream(int len, const u_char* data, bool orig){ - tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); // If we see the connection Preface we will have to skip it to realign the // stream for processing @@ -199,40 +199,39 @@ void HTTP2_Analyzer::DeliverStream(int len, const u_char* data, bool orig){ } void HTTP2_Analyzer::Undelivered(uint64_t seq, int len, bool orig){ - tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); + zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); this->had_gap = true; } -static inline RecordVal* generateSettingsRecord(HTTP2_Settings_Frame* frame) { +static inline zeek::RecordValPtr generateSettingsRecord(HTTP2_Settings_Frame* frame) { uint32_t val; - RecordVal* settings_rec = new RecordVal(BifType::Record::http2_settings); + auto settings_rec = zeek::make_intrusive(zeek::BifType::Record::http2_settings); if(frame->getHeaderTableSize(val)){ - settings_rec->Assign(0, val_mgr->GetCount(val)); + settings_rec->Assign(0, zeek::val_mgr->Count(val)); } if(frame->getEnablePush(val)){ - settings_rec->Assign(1, val_mgr->GetBool(val)); + settings_rec->Assign(1, zeek::val_mgr->Bool(val)); } if(frame->getMaxConcurrentStreams(val)){ - settings_rec->Assign(2, val_mgr->GetCount(val)); + settings_rec->Assign(2, zeek::val_mgr->Count(val)); } if(frame->getInitialWindowSize(val)){ - settings_rec->Assign(3, val_mgr->GetCount(val)); + settings_rec->Assign(3, zeek::val_mgr->Count(val)); } if(frame->getMaxFrameSize(val)){ - settings_rec->Assign(4, val_mgr->GetCount(val)); + settings_rec->Assign(4, zeek::val_mgr->Count(val)); } if(frame->getMaxHeaderListSize(val)){ - settings_rec->Assign(5, val_mgr->GetCount(val)); + settings_rec->Assign(5, zeek::val_mgr->Count(val)); } if(frame->unrecognizedSettings()){ - TableVal* unrec_table = new TableVal(BifType::Table::http2_settings_unrecognized_table); + auto unrec_table = zeek::make_intrusive(zeek::BifType::Table::http2_settings_unrecognized_table); auto unrec = frame->getUnrecognizedSettings(); for (auto it=unrec.begin(); it != unrec.end(); it++) { - Val* index = val_mgr->GetCount(it->first); - unrec_table->Assign(index, val_mgr->GetCount(it->second)); - Unref(index); + auto index = zeek::val_mgr->Count(it->first); + unrec_table->Assign(index, zeek::val_mgr->Count(it->second)); } settings_rec->Assign(6, unrec_table); } @@ -533,131 +532,145 @@ bool HTTP2_Analyzer::connectionPrefaceDetected(int len, const u_char* data) */ void HTTP2_Analyzer::HTTP2_Request(bool orig, unsigned stream, std::string& method, std::string& authority, std::string& host, - std::string& path, BroString* unescaped, bool push){ + std::string& path, zeek::String* unescaped, bool push){ //this->num_requests++; if ( http2_request ){ - val_list* vl = new val_list; - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(new StringVal(method)); - vl->append(new StringVal(authority)); - vl->append(new StringVal(host)); - vl->append(new StringVal(path)); - vl->append(new StringVal(unescaped)); - vl->append(new StringVal(fmt("%.1f", 2.0))); - vl->append(val_mgr->GetBool(push)); DEBUG_DBG("[%3u][%1d] http2_request\n", stream, orig); - this->ConnectionEvent(http2_request, vl); + this->EnqueueConnEvent( + http2_request, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::make_intrusive(method), + zeek::make_intrusive(authority), + zeek::make_intrusive(host), + zeek::make_intrusive(path), + zeek::make_intrusive(unescaped), + zeek::make_intrusive(zeek::util::fmt("%.1f", 2.0)), + zeek::val_mgr->Bool(push) + ); } } void HTTP2_Analyzer::HTTP2_Reply(bool orig, unsigned stream, uint16_t status){ if ( http2_reply ){ - val_list* vl = new val_list; - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(new StringVal(fmt("%.1f", 2.0))); - vl->append(val_mgr->GetCount(status)); - vl->append(new StringVal("")); DEBUG_DBG("[%3u][%1d] http2_reply\n", stream, orig); - this->ConnectionEvent(http2_reply, vl); + this->EnqueueConnEvent( + http2_reply, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::make_intrusive(zeek::util::fmt("%.1f", 2.0)), + zeek::val_mgr->Count(status), + zeek::make_intrusive("") + ); } } -void HTTP2_Analyzer::HTTP2_StreamEnd(unsigned stream, RecordVal* stream_stats){ +void HTTP2_Analyzer::HTTP2_StreamEnd(unsigned stream, zeek::RecordValPtr stream_stats){ if ( http2_stream_end ){ - val_list* vl = new val_list; - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetCount(stream)); - vl->append(stream_stats); DEBUG_DBG("[%3u] http2_stream_end\n", stream); - this->ConnectionEvent(http2_stream_end, vl); + this->EnqueueConnEvent( + http2_stream_end, + this->ConnVal(), + zeek::val_mgr->Count(stream), + stream_stats + ); } } void HTTP2_Analyzer::HTTP2_StreamStart(bool orig, unsigned stream){ if ( http2_stream_start ){ - val_list* vl = new val_list; - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); DEBUG_DBG("[%3u][%1d] http2_stream_start\n", stream, orig); - this->ConnectionEvent(http2_stream_start, vl); + this->EnqueueConnEvent( + http2_stream_start, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream) + ); } } void HTTP2_Analyzer::HTTP2_Header(bool orig, unsigned stream, std::string& name, std::string& value){ if ( http2_header ){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append((new StringVal(name))->ToUpper()); - vl->append(new StringVal(value)); + + auto upper_name = zeek::make_intrusive(name); + upper_name->ToUpper(); + DEBUG_DBG("http2_header\n"); - this->ConnectionEvent(http2_header, vl); + this->EnqueueConnEvent( + http2_header, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + std::move(upper_name), + zeek::make_intrusive(value) + ); } } -void HTTP2_Analyzer::HTTP2_AllHeaders(bool orig, unsigned stream, TableVal* hlist){ +void HTTP2_Analyzer::HTTP2_AllHeaders(bool orig, unsigned stream, zeek::TableValPtr hlist){ if ( http2_all_headers ){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(hlist); DEBUG_DBG("http2_all_headers\n"); - this->ConnectionEvent(http2_all_headers, vl); + this->EnqueueConnEvent( + http2_all_headers, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + hlist + ); } } void HTTP2_Analyzer::HTTP2_BeginEntity(bool orig, unsigned stream, std::string& contentType){ if ( http2_begin_entity ){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(new StringVal(contentType)); DEBUG_DBG("http2_begin_entity\n"); - this->ConnectionEvent(http2_begin_entity, vl); + this->EnqueueConnEvent( + http2_begin_entity, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::make_intrusive(contentType) + ); } } void HTTP2_Analyzer::HTTP2_EndEntity(bool orig, unsigned stream){ if ( http2_end_entity ){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); DEBUG_DBG("http2_end_entity\n"); - this->ConnectionEvent(http2_end_entity, vl); + this->EnqueueConnEvent( + http2_end_entity, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream) + ); } } void HTTP2_Analyzer::HTTP2_EntityData(bool orig, unsigned stream, int len, const char* data){ if ( http2_entity_data ){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(val_mgr->GetCount(len)); - vl->append(new StringVal(len, data)); DEBUG_DBG("http2_entity_data\n"); - this->ConnectionEvent(http2_entity_data, vl); + this->EnqueueConnEvent( + http2_entity_data, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::val_mgr->Count(len), + zeek::make_intrusive(len, data) + ); } } void HTTP2_Analyzer::HTTP2_ContentType(bool orig, unsigned stream, std::string& contentType){ if ( http2_content_type ){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(new StringVal(contentType)); DEBUG_DBG("http2_content_type\n"); - this->ConnectionEvent(http2_content_type, vl); + this->EnqueueConnEvent( + http2_content_type, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::make_intrusive(contentType) + ); } } @@ -666,123 +679,133 @@ void HTTP2_Analyzer::HTTP2_ContentType(bool orig, unsigned stream, std::string& */ void HTTP2_Analyzer::HTTP2_Data_Event(bool orig, unsigned stream, uint32_t len, const char* data){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(val_mgr->GetCount(len)); - vl->append(new StringVal(len, data)); DEBUG_INFO("http2_data_event\n"); - this->ConnectionEvent(http2_data_event, vl); + this->EnqueueConnEvent( + http2_data_event, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::val_mgr->Count(len), + zeek::make_intrusive(len, data) + ); } void HTTP2_Analyzer::HTTP2_Header_Event(bool orig, unsigned stream, uint32_t len, const char* headerData){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(val_mgr->GetCount(len)); - vl->append(new StringVal(len, headerData)); DEBUG_INFO("http2_header_event\n"); - this->ConnectionEvent(http2_header_event, vl); + this->EnqueueConnEvent( + http2_header_event, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::val_mgr->Count(len), + zeek::make_intrusive(len, headerData) + ); } void HTTP2_Analyzer::HTTP2_Priority_Event(bool orig, unsigned stream, bool exclusive, unsigned priStream, unsigned weight){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(val_mgr->GetBool(exclusive)); - vl->append(val_mgr->GetCount(priStream)); - vl->append(val_mgr->GetCount(weight)); DEBUG_INFO("http2_priority_event\n"); - this->ConnectionEvent(http2_priority_event, vl); + this->EnqueueConnEvent( + http2_priority_event, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::val_mgr->Bool(exclusive), + zeek::val_mgr->Count(priStream), + zeek::val_mgr->Count(weight) + ); } void HTTP2_Analyzer::HTTP2_RstStream_Event(bool orig, unsigned stream, const std::string& error){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(new StringVal(error)); DEBUG_INFO("http2_rststream_event\n"); - this->ConnectionEvent(http2_rststream_event, vl); + this->EnqueueConnEvent( + http2_rststream_event, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::make_intrusive(error) + ); } -void HTTP2_Analyzer::HTTP2_Settings_Event(bool orig, uint32_t stream, RecordVal* settingsRecord) { - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(settingsRecord); +void HTTP2_Analyzer::HTTP2_Settings_Event(bool orig, uint32_t stream, zeek::RecordValPtr settingsRecord) { DEBUG_INFO("http2_settings_event\n"); - this->ConnectionEvent(http2_settings_event, vl); + this->EnqueueConnEvent( + http2_settings_event, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + settingsRecord + ); } void HTTP2_Analyzer::HTTP2_PushPromise_Event(bool orig, unsigned stream, unsigned pushStream, uint32_t len, const char* headerData){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(val_mgr->GetCount(pushStream)); - vl->append(val_mgr->GetCount(len)); - vl->append(new StringVal(len, headerData)); DEBUG_INFO("http2_pushpromise_event\n"); - this->ConnectionEvent(http2_pushpromise_event, vl); + this->EnqueueConnEvent( + http2_pushpromise_event, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::val_mgr->Count(pushStream), + zeek::val_mgr->Count(len), + zeek::make_intrusive(len, headerData) + ); } void HTTP2_Analyzer::HTTP2_Ping_Event(bool orig, unsigned stream, uint8_t length, const char* data){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(new StringVal(length, data)); DEBUG_INFO("http2_ping_event\n"); - this->ConnectionEvent(http2_ping_event, vl); + this->EnqueueConnEvent( + http2_ping_event, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::make_intrusive(length, data) + ); } void HTTP2_Analyzer::HTTP2_GoAway_Event(bool orig, unsigned stream, unsigned lastStream, const std::string& error, uint32_t length, const char* data){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(val_mgr->GetCount(lastStream)); - vl->append(new StringVal(error)); DEBUG_INFO("http2_goaway_event\n"); - this->ConnectionEvent(http2_goaway_event, vl); + this->EnqueueConnEvent( + http2_goaway_event, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::val_mgr->Count(lastStream), + zeek::make_intrusive(error) + ); } void HTTP2_Analyzer::HTTP2_WindowUpdate_Event(bool orig, unsigned stream, unsigned increment){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(val_mgr->GetCount(increment)); DEBUG_INFO("http2_windowupdate_event\n"); - this->ConnectionEvent(http2_windowupdate_event, vl); + this->EnqueueConnEvent( + http2_windowupdate_event, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::val_mgr->Count(increment) + ); } void HTTP2_Analyzer::HTTP2_Continuation_Event(bool orig, unsigned stream, uint32_t len, const char* headerData){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(val_mgr->GetBool(orig)); - vl->append(val_mgr->GetCount(stream)); - vl->append(val_mgr->GetCount(len)); - vl->append(new StringVal(len, headerData)); DEBUG_INFO("http2_continuation_event\n"); - this->ConnectionEvent(http2_continuation_event, vl); + this->EnqueueConnEvent( + http2_continuation_event, + this->ConnVal(), + zeek::val_mgr->Bool(orig), + zeek::val_mgr->Count(stream), + zeek::val_mgr->Count(len), + zeek::make_intrusive(len, headerData) + ); } void HTTP2_Analyzer::HTTP2_Event(std::string& category, std::string& detail){ - if ( http2_event ){ - val_list* vl = new val_list(); - vl->append(this->BuildConnVal()); - vl->append(new StringVal(category)); - vl->append(new StringVal(detail)); - + if (http2_event) { DEBUG_DBG("http2_event\n"); - this->ConnectionEvent(http2_event, vl); + this->EnqueueConnEvent( + http2_event, + this->ConnVal(), + zeek::make_intrusive(category), + zeek::make_intrusive(detail) + ); } } diff --git a/src/HTTP2.h b/src/HTTP2.h index dea4d36..6f54d48 100755 --- a/src/HTTP2.h +++ b/src/HTTP2.h @@ -3,16 +3,17 @@ #include #include -#include "analyzer/protocol/tcp/TCP.h" -#include "analyzer/protocol/tcp/ContentLine.h" -#include "analyzer/protocol/pia/PIA.h" -#include "analyzer/protocol/zip/ZIP.h" -#include "analyzer/protocol/mime/MIME.h" -#include "IPAddr.h" +#include "zeek/ZeekString.h" +#include "zeek/analyzer/protocol/tcp/TCP.h" +#include "zeek/analyzer/protocol/tcp/ContentLine.h" +#include "zeek/analyzer/protocol/pia/PIA.h" +#include "zeek/analyzer/protocol/zip/ZIP.h" +#include "zeek/analyzer/protocol/mime/MIME.h" +#include "zeek/IPAddr.h" #include "events.bif.h" #include "http2.bif.h" #include "debug.h" -#include "Reporter.h" +#include "zeek/Reporter.h" #include "HTTP2_FrameReassembler.h" @@ -29,9 +30,9 @@ namespace analyzer { namespace mitrecnd { class HTTP2_Stream; class HTTP2_HalfStream; -class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { +class HTTP2_Analyzer : public zeek::analyzer::tcp::TCP_ApplicationAnalyzer { public: - HTTP2_Analyzer(Connection* conn); + HTTP2_Analyzer(zeek::Connection* conn); virtual ~HTTP2_Analyzer(); // Overriden from Analyzer. @@ -75,7 +76,7 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { */ virtual void EndpointEOF(bool is_orig); - static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) + static zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn) { return new HTTP2_Analyzer(conn); } // Utility @@ -104,7 +105,7 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { */ void HTTP2_Request(bool orig, unsigned stream, std::string& method, std::string& authority, std::string& host, - std::string& path, BroString* unescaped, + std::string& path, zeek::String* unescaped, bool push=false); /** * void HTTP2_Analyzer::HTTP2_Reply(bool orig, unsigned stream, Val *status) @@ -142,7 +143,7 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { * originator or receiver. * @param stream unique identifier for the stream. */ - void HTTP2_StreamEnd(unsigned stream, RecordVal* stream_stats); + void HTTP2_StreamEnd(unsigned stream, zeek::RecordValPtr stream_stats); /** * Description: Notification to Bro that an HTTP2 Header event * has occurred. @@ -168,7 +169,7 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { * @param stream unique identifier for the stream. * @param hlist reference to list of header name value pairs. */ - void HTTP2_AllHeaders(bool orig, unsigned stream, TableVal* hlist); + void HTTP2_AllHeaders(bool orig, unsigned stream, zeek::TableValPtr hlist); /** * void HTTP2_Analyzer::HTTP2_BeginEntity(bool orig, unsigned * stream, std::string contentType) @@ -288,7 +289,7 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { */ void HTTP2_RstStream_Event(bool orig, unsigned stream, const std::string& error); /** - * void HTTP2_Analyzer::HTTP2_Settings_Event(bool orig, unsigned stream, RecordVal* settingsRecord) + * void HTTP2_Analyzer::HTTP2_Settings_Event(bool orig, unsigned stream, RecordValPtr settingsRecord) * * Description: Notification to Bro that an HTTP2 Settings frame * has been received. @@ -299,7 +300,7 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { * @param stream unique identifier for the stream. * @param settingsRecord current settings configuration. */ - void HTTP2_Settings_Event(bool orig, uint32_t stream, RecordVal* settingsRecord); + void HTTP2_Settings_Event(bool orig, uint32_t stream, zeek::RecordValPtr settingsRecord); /** * void HTTP2_Analyzer::HTTP2_PushPromise_Event(bool orig, unsigned stream, unsigned pushStream) * diff --git a/src/HTTP2_Frame.cc b/src/HTTP2_Frame.cc index ea6d52e..b6c352d 100755 --- a/src/HTTP2_Frame.cc +++ b/src/HTTP2_Frame.cc @@ -5,11 +5,11 @@ #include "HTTP2.h" #include "HTTP2_Frame.h" -#include "util.h" +#include "zeek/util.h" #include "nghttp2.h" #include "nghttp2ver.h" #include "debug.h" -#include "Reporter.h" +#include "zeek/Reporter.h" using namespace analyzer::mitrecnd; @@ -95,68 +95,68 @@ bool HTTP2_Frame::checkPadding(uint8_t* payload, uint32_t len, uint8_t &padLengt */ /** * const char* HTTP2_Frame::errorToText(uint32_t error) - * + * * Description: Convert header decompression error code into * ASCII string for display. * - * + * * @param error the error code - * - * @return const char* + * + * @return const char* */ const std::string HTTP2_Frame::errorToText(uint32_t error) { std::string s = "NGHTTP2_UNKNOWN_ERROR"; switch (error) { - case NGHTTP2_NO_ERROR: + case NGHTTP2_NO_ERROR: s = "NGHTTP2_NO_ERROR"; break; - case NGHTTP2_PROTOCOL_ERROR: + case NGHTTP2_PROTOCOL_ERROR: s = "NGHTTP2_PROTOCOL_ERROR"; break; - case NGHTTP2_INTERNAL_ERROR: + case NGHTTP2_INTERNAL_ERROR: s = "NGHTTP2_INTERNAL_ERROR"; break; - case NGHTTP2_FLOW_CONTROL_ERROR: + case NGHTTP2_FLOW_CONTROL_ERROR: s = "NGHTTP2_FLOW_CONTROL_ERROR"; break; - case NGHTTP2_SETTINGS_TIMEOUT: + case NGHTTP2_SETTINGS_TIMEOUT: s = "NGHTTP2_SETTINGS_TIMEOUT"; break; - case NGHTTP2_STREAM_CLOSED: + case NGHTTP2_STREAM_CLOSED: s = "NGHTTP2_STREAM_CLOSED"; break; - case NGHTTP2_FRAME_SIZE_ERROR: + case NGHTTP2_FRAME_SIZE_ERROR: s = "NGHTTP2_FRAME_SIZE_ERROR"; break; - case NGHTTP2_REFUSED_STREAM: + case NGHTTP2_REFUSED_STREAM: s = "NGHTTP2_REFUSED_STREAM"; break; - case NGHTTP2_CANCEL: + case NGHTTP2_CANCEL: s = "NGHTTP2_CANCEL"; break; - case NGHTTP2_COMPRESSION_ERROR: + case NGHTTP2_COMPRESSION_ERROR: s = "NGHTTP2_COMPRESSION_ERROR"; break; - case NGHTTP2_CONNECT_ERROR: + case NGHTTP2_CONNECT_ERROR: s = "NGHTTP2_CONNECT_ERROR"; break; - case NGHTTP2_ENHANCE_YOUR_CALM: + case NGHTTP2_ENHANCE_YOUR_CALM: s = "NGHTTP2_ENHANCE_YOUR_CALM"; break; - case NGHTTP2_INADEQUATE_SECURITY: + case NGHTTP2_INADEQUATE_SECURITY: s = "NGHTTP2_INADEQUATE_SECURITY"; break; - case NGHTTP2_HTTP_1_1_REQUIRED: + case NGHTTP2_HTTP_1_1_REQUIRED: s = "NGHTTP2_HTTP_1_1_REQUIRED"; break; - default: + default: break; } return s; - + } diff --git a/src/HTTP2_Frame.h b/src/HTTP2_Frame.h index ffaf1c8..16ccf3a 100755 --- a/src/HTTP2_Frame.h +++ b/src/HTTP2_Frame.h @@ -3,7 +3,7 @@ static constexpr size_t MAX_FRAME_SIZE = 16777215; -#include "util.h" +#include "zeek/util.h" namespace analyzer { namespace mitrecnd { diff --git a/src/HTTP2_FrameReassembler.cc b/src/HTTP2_FrameReassembler.cc index 833c83a..5cacc41 100755 --- a/src/HTTP2_FrameReassembler.cc +++ b/src/HTTP2_FrameReassembler.cc @@ -4,7 +4,7 @@ #include "nghttp2.h" #include "nghttp2ver.h" #include "debug.h" -#include "Reporter.h" +#include "zeek/Reporter.h" using namespace analyzer::mitrecnd; using namespace std; diff --git a/src/HTTP2_FrameReassembler.h b/src/HTTP2_FrameReassembler.h index 37a3afd..d841a74 100755 --- a/src/HTTP2_FrameReassembler.h +++ b/src/HTTP2_FrameReassembler.h @@ -5,7 +5,7 @@ #include "debug.h" #include "HTTP2_Frame.h" -#include "util.h" +#include "zeek/util.h" namespace analyzer { namespace mitrecnd { @@ -13,8 +13,8 @@ static constexpr size_t MIN_BUFFER_SIZE = 65535; static constexpr size_t MAX_BUFFER_SIZE = 33554430; // ~32MB!!! /** * class HTTP2_FrameReassembler - * - * Description: class used to manage packet fragment reassembly and processing. + * + * Description: class used to manage packet fragment reassembly and processing. * */ class HTTP2_FrameReassembler{ @@ -25,7 +25,7 @@ class HTTP2_FrameReassembler{ /** * void analyzer/http2/HTTP2_FrameReassembler::resizeBuffer(uint32_t size) - * + * * Description: Function to resize the internal assembly buffer * Should be called/used when a settings frame updates * the maximum frame size, note that internal buffer starts out @@ -36,22 +36,22 @@ class HTTP2_FrameReassembler{ * somewhat safe. Even then an overflow situation could occur * triggering a fatal error * - * - * @param size + * + * @param size */ void resizeBuffer(uint32_t size); /** * std::vector analyzer/http2/HTTP2_FrameReassembler::process(const uint8_t *data, uint32_t len) - * + * * Description: Given raw packet data attempts to extract frames * from it Meant to be used per side (orig or not orig), so two * must be used to handle a full bi-directional transaction * - * + * * @param data reference to incoming packet * @param len length of the incoming packet - * + * * @return std::vector vector of HTTP2_Frame pointers * * Note! that if an error occurs the last frame pointer @@ -63,7 +63,7 @@ class HTTP2_FrameReassembler{ private: // Is packet stream currently fragmented? - bool fragmentedPacket; + bool fragmentedPacket; uint8_t* buffer; uint32_t bufferLen; uint32_t bufferSize; @@ -71,16 +71,16 @@ class HTTP2_FrameReassembler{ /** * HTTP2_Frame* analyzer/http2/HTTP2_FrameReassembler::loadFrame(HTTP2_FrameHeader *fh, uint8_t *payload, uint32_t len) - * - * Description: Factory function that generates a frame from the - * given data. * - * - * @param fh - * @param payload - * @param len - * - * @return HTTP2_Frame pointer + * Description: Factory function that generates a frame from the + * given data. + * + * + * @param fh + * @param payload + * @param len + * + * @return HTTP2_Frame pointer * * If an error occurs in attempting to craft frame, it will return nullptr * This should be considered a fatal error @@ -89,49 +89,49 @@ class HTTP2_FrameReassembler{ /** * void analyzer/http2/HTTP2_FrameReassembler::allocateBuffer(void) - * - * Description: Allocates and initializes the data buffer, + * + * Description: Allocates and initializes the data buffer, * if it has not already been done. * - * - * @param void + * + * @param void */ void allocateBuffer(void); /** * void analyzer/http2/HTTP2_FrameReassembler::setBuffer(uint8_t *data, uint32_t len) - * + * * Description: Stores incoming fragment in data buffer. * Configures FrameReassembler for packet fragment assembly. * - * - * @param data - * @param len + * + * @param data + * @param len */ void setBuffer(uint8_t* data, uint32_t len); /** * void analyzer/http2/HTTP2_FrameReassembler::appendBuffer(uint8_t *data, uint32_t len) - * + * * Description: Adds a new packet fragment to the data buffer. * - * - * @param data - * @param len + * + * @param data + * @param len */ void appendBuffer(uint8_t* data, uint32_t len); /** * void analyzer/http2/HTTP2_FrameReassembler::clearBuffer(void) - * + * * Description: Resets data buffer indexing to start of data * buffer and configures FrameReassembler for unfragmented * packet processing. * - * - * @param void + * + * @param void */ void clearBuffer(void); }; -} } // namespace analyzer::* +} } // namespace analyzer::* #endif diff --git a/src/HTTP2_HeaderStorage.cc b/src/HTTP2_HeaderStorage.cc index 30fec92..2d96aeb 100755 --- a/src/HTTP2_HeaderStorage.cc +++ b/src/HTTP2_HeaderStorage.cc @@ -1,10 +1,13 @@ #include + #include "HTTP2_HeaderStorage.h" #include "HTTP2.h" -#include "util.h" -#include "Val.h" + +#include "zeek/util.h" +#include "zeek/Val.h" +#include "zeek/Reporter.h" + #include "debug.h" -#include "Reporter.h" using namespace analyzer::mitrecnd; @@ -50,26 +53,29 @@ void HTTP2_HeaderList::flushHeaders() this->headers.clear(); } -RecordVal* HTTP2_HeaderList::BuildHeaderVal(HTTP2_HeaderStorage& h) +zeek::RecordValPtr HTTP2_HeaderList::BuildHeaderVal(HTTP2_HeaderStorage& h) { - RecordVal* header_record = new RecordVal(mime_header_rec); - header_record->Assign(0, mime::new_string_val(h.name.length(), h.name.c_str())->ToUpper()); - header_record->Assign(1, mime::new_string_val(h.val.length(), h.val.c_str())); + static auto mime_header_rec = zeek::id::find_type("mime_header_rec"); + + auto upper_name = zeek::make_intrusive(h.name); + upper_name->ToUpper(); + + auto header_record = zeek::make_intrusive(mime_header_rec); + header_record->Assign(0, std::move(upper_name)); + header_record->Assign(1, zeek::make_intrusive(h.val)); return header_record; } -TableVal* HTTP2_HeaderList::BuildHeaderTable(void) +zeek::TableValPtr HTTP2_HeaderList::BuildHeaderTable(void) { - TableVal* t = new TableVal(mime_header_list); + static auto mime_header_list = zeek::id::find_type("mime_header_list"); + auto t = zeek::make_intrusive(mime_header_list); for (unsigned int i = 0; i < this->headers.size(); ++i) { - Val* index = val_mgr->GetCount(i+1); // index starting from 1 - - RecordVal* header_record = BuildHeaderVal(this->headers[i]); - t->Assign(index, header_record); - - Unref(index); + auto index = zeek::val_mgr->Count(i+1); // index starting from 1 + auto header_record = BuildHeaderVal(this->headers[i]); + t->Assign(std::move(index), header_record); } return t; diff --git a/src/HTTP2_HeaderStorage.h b/src/HTTP2_HeaderStorage.h index 7663238..76a8eed 100755 --- a/src/HTTP2_HeaderStorage.h +++ b/src/HTTP2_HeaderStorage.h @@ -3,9 +3,9 @@ #ifndef ANALYZER_PROTOCOL_HTTP2_HTTP2_HEADER_STORAGE_H #define ANALYZER_PROTOCOL_HTTP2_HTTP2_HEADER_STORAGE_H -#include "BroString.h" -#include "util.h" -#include "Val.h" +#include "zeek/ZeekString.h" +#include "zeek/util.h" +#include "zeek/Val.h" #include "nghttp2.h" #include "nghttp2ver.h" @@ -60,28 +60,28 @@ class HTTP2_HeaderList { void flushHeaders(); /** - * RecordVal* + * zeek::RecordValPtr * HTTP2_HeaderList::BuildHeaderVal(HTTP2_HeaderStorage h) * * Description: Create a header record entry for use when - * building a header table to be consumed by bro. + * building a header table to be consumed by zeek. * * * @param h reference to the header storage * structure to use when building the * header record entry. * - * @return RecordVal* reference to resulting header record. + * @return zeek::RecordValPtr reference to resulting header record. */ - RecordVal* BuildHeaderVal(HTTP2_HeaderStorage& h); + zeek::RecordValPtr BuildHeaderVal(HTTP2_HeaderStorage& h); /** * TableVal* HTTP2_HeaderList::BuildHeaderTable(void) * - * Description: Create a header table to be consumed by bro. + * Description: Create a header table to be consumed by zeek. * * @return TableVal* reference to the resulting header table */ - TableVal* BuildHeaderTable(void); + zeek::TableValPtr BuildHeaderTable(void); std::vector headers; }; diff --git a/src/HTTP2_Stream.cc b/src/HTTP2_Stream.cc index 0e4510f..6fb7cbb 100755 --- a/src/HTTP2_Stream.cc +++ b/src/HTTP2_Stream.cc @@ -1,10 +1,14 @@ #include + #include "HTTP2_Stream.h" -#include "util.h" -#include "analyzer/protocol/http/HTTP.h" -#include "file_analysis/Manager.h" + +#include "zeek/util.h" +#include "zeek/analyzer/protocol/http/HTTP.h" +#include "zeek/file_analysis/Manager.h" +#include "zeek/Reporter.h" + #include "debug.h" -#include "Reporter.h" + using namespace analyzer::mitrecnd; @@ -14,7 +18,7 @@ using namespace analyzer::mitrecnd; * Description: The output handler type used by the zip decompression api. * */ -class HTTP2_HalfStream::UncompressedOutput : public analyzer::OutputHandler { +class HTTP2_HalfStream::UncompressedOutput : public zeek::analyzer::OutputHandler { public: UncompressedOutput(HTTP2_HalfStream* s) { stream = s; } virtual ~UncompressedOutput() { } @@ -159,14 +163,14 @@ void HTTP2_HalfStream::SubmitData(int len, const char* buf){ // if partial data if ((this->send_size && this->contentLength > 0 && len < this->contentLength) || !this->send_size) { - file_mgr->DataIn(reinterpret_cast(buf), len, this->dataOffset, + zeek::file_mgr->DataIn(reinterpret_cast(buf), len, this->dataOffset, this->analyzer->GetAnalyzerTag(), this->analyzer->Conn(), this->isOrig, this->precomputed_file_id); this->dataOffset += len; } else{ - file_mgr->DataIn(reinterpret_cast(buf), len, + zeek::file_mgr->DataIn(reinterpret_cast(buf), len, this->analyzer->GetAnalyzerTag(), this->analyzer->Conn(), this->isOrig, this->precomputed_file_id); } @@ -178,9 +182,9 @@ void HTTP2_HalfStream::EndofData(void) // relay to the file manager all information it needs to uniquely identify // the message. if (!this->precomputed_file_id.empty()) { - file_mgr->EndOfFile(this->precomputed_file_id); + zeek::file_mgr->EndOfFile(this->precomputed_file_id); } else { - file_mgr->EndOfFile(this->analyzer->GetAnalyzerTag(), + zeek::file_mgr->EndOfFile(this->analyzer->GetAnalyzerTag(), this->analyzer->Conn(), this->isOrig); } @@ -190,10 +194,10 @@ void HTTP2_HalfStream::DeliverBody(int len, const char* data, int trailing_CRLF) { switch (this->contentEncodingId) { case DATA_ENCODING_DEFLATE: - translateZipBody(len, data, zip::ZIP_Analyzer::DEFLATE); + translateZipBody(len, data, zeek::analyzer::zip::ZIP_Analyzer::DEFLATE); break; case DATA_ENCODING_GZIP: - translateZipBody(len, data, zip::ZIP_Analyzer::GZIP); + translateZipBody(len, data, zeek::analyzer::zip::ZIP_Analyzer::GZIP); break; case DATA_ENCODING_BROTLI: if (this->dataBlockCnt == 1) { // Begin Entity @@ -233,8 +237,8 @@ void HTTP2_HalfStream::translateZipBody(int len, const char* data, int method) { if (!zip){ // We don't care about the direction here. - zip = new zip::ZIP_Analyzer(this->analyzer->Conn(), false, - (zip::ZIP_Analyzer::Method) method); + zip = new zeek::analyzer::zip::ZIP_Analyzer(this->analyzer->Conn(), false, + (zeek::analyzer::zip::ZIP_Analyzer::Method) method); zip->SetOutputHandler(new UncompressedOutput(this)); } zip->NextStream(len, (const u_char*) data, false); @@ -269,7 +273,7 @@ void HTTP2_HalfStream::translateBrotliBody(int len, const char* data) { BrotliDecoderErrorCode code = BrotliDecoderGetErrorCode(this->brotli); const char* error_string = BrotliDecoderErrorString(code); - reporter->Error("Brotli decoder error: %s", error_string); + zeek::reporter->Error("Brotli decoder error: %s", error_string); break; } case BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT: @@ -288,7 +292,7 @@ void HTTP2_HalfStream::translateBrotliBody(int len, const char* data) } default: // Unexpected/undocumented result - reporter->Warning("Brotli decoder returned unexpected result"); + zeek::reporter->Warning("Brotli decoder returned unexpected result"); break; } } while (repeat); @@ -300,8 +304,8 @@ void HTTP2_HalfStream::processData(HTTP2_Data_Frame* data) // Generate a unique file id for the file being transferred if(this->precomputed_file_id.empty()){ char tmp[16]; - uint64_t uid = calculate_unique_id(UID_POOL_DEFAULT_SCRIPT); - this->precomputed_file_id = uitoa_n(uid, tmp, sizeof(tmp), 62, "F"); + uint64_t uid = zeek::util::calculate_unique_id(UID_POOL_DEFAULT_SCRIPT); + this->precomputed_file_id = zeek::util::uitoa_n(uid, tmp, sizeof(tmp), 62, "F"); } if ( http2_begin_entity ) this->analyzer->HTTP2_BeginEntity(this->isOrig, this->id, this->contentType); @@ -375,9 +379,9 @@ void HTTP2_OrigStream::handlePushRequested(HTTP2_Frame* frame) if (header->isEndHeaders()) { //Request if(http2_request) { - // unescape_URI will return a 'new' BroString, but - // a StringVal init'd with a BroString takes ownership of the BroString - BroString* unescapedPath = analyzer::http::unescape_URI((const unsigned char*)this->request_path.c_str(), + // unescape_URI will return a 'new' zeek::String, but + // a StringVal init'd with a zeek::String takes ownership of the zeek::String + zeek::String* unescapedPath = zeek::analyzer::http::unescape_URI((const unsigned char*)this->request_path.c_str(), (const unsigned char*)(this->request_path.c_str() + this->request_path.length()), this->analyzer); @@ -467,9 +471,9 @@ void HTTP2_OrigStream::Idle_State(HTTP2_Frame* frame) if (header->isEndHeaders()) { //Request if(http2_request) { - // unescape_URI will return a 'new' BroString, but - // a StringVal init'd with a BroString takes ownership of the BroString - BroString* unescapedPath = analyzer::http::unescape_URI((const unsigned char*)this->request_path.c_str(), + // unescape_URI will return a 'new' zeek::String, but + // a StringVal init'd with a zeek::String takes ownership of the zeek::String + zeek::String* unescapedPath = zeek::analyzer::http::unescape_URI((const unsigned char*)this->request_path.c_str(), (const unsigned char*)(this->request_path.c_str() + this->request_path.length()), this->analyzer); @@ -481,7 +485,7 @@ void HTTP2_OrigStream::Idle_State(HTTP2_Frame* frame) // At this point we have enough information to determine if the content-length sent is // accurate based on the encoding of the file if (this->send_size && this->contentLength > 0) { - file_mgr->SetSize(this->contentLength, this->analyzer->GetAnalyzerTag(), + zeek::file_mgr->SetSize(this->contentLength, this->analyzer->GetAnalyzerTag(), this->analyzer->Conn(), this->isOrig, this->precomputed_file_id); } @@ -724,7 +728,7 @@ void HTTP2_RespStream::Idle_State(HTTP2_Frame* frame) } if (this->send_size && this->contentLength > 0) { - file_mgr->SetSize(this->contentLength, this->analyzer->GetAnalyzerTag(), + zeek::file_mgr->SetSize(this->contentLength, this->analyzer->GetAnalyzerTag(), this->analyzer->Conn(), this->isOrig, this->precomputed_file_id); } @@ -891,16 +895,16 @@ bool HTTP2_Stream::handleFrame(HTTP2_Frame* f, bool orig) { bool HTTP2_Stream::handleStreamEnd() { if (http2_stream_end) { - RecordVal* stream_stats = new RecordVal(BifType::Record::http2_stream_stat); + auto stream_stats = zeek::make_intrusive(zeek::BifType::Record::http2_stream_stat); // process is_orig == true first stream_stats->Assign( - 0, val_mgr->GetCount( + 0, zeek::val_mgr->Count( static_cast(this->halfStreams[1]->getDataSize()) ) ); stream_stats->Assign( - 1, val_mgr->GetCount( + 1, zeek::val_mgr->Count( static_cast(this->halfStreams[0]->getDataSize()) ) ); diff --git a/src/HTTP2_Stream.h b/src/HTTP2_Stream.h index a473db7..eb50f9a 100755 --- a/src/HTTP2_Stream.h +++ b/src/HTTP2_Stream.h @@ -1,8 +1,9 @@ #ifndef ANALYZER_PROTOCOL_HTTP2_HTTP2_STREAM_H #define ANALYZER_PROTOCOL_HTTP2_HTTP2_STREAM_H -#include "analyzer/protocol/zip/ZIP.h" -#include "util.h" +#include "zeek/analyzer/protocol/zip/ZIP.h" +#include "zeek/util.h" + #include "decode.h" #include "nghttp2.h" #include "nghttp2ver.h" @@ -11,7 +12,6 @@ #include "HTTP2_Frame.h" #include "HTTP2.h" - namespace analyzer { namespace mitrecnd { static constexpr size_t BROTLI_BUFFER_SIZE = 102400; // 100KB @@ -95,7 +95,7 @@ class HTTP2_HalfStream { int dataOffset; size_t dataBlockCnt; size_t data_size; - zip::ZIP_Analyzer* zip; + zeek::analyzer::zip::ZIP_Analyzer* zip; BrotliDecoderState* brotli; uint8_t* brotli_buffer; diff --git a/src/Plugin.cc b/src/Plugin.cc index b67498d..65027c0 100755 --- a/src/Plugin.cc +++ b/src/Plugin.cc @@ -1,20 +1,20 @@ #include "Plugin.h" #include "HTTP2.h" -#include "analyzer/Component.h" +#include "zeek/analyzer/Component.h" -namespace plugin { namespace mitrecnd_HTTP2 { Plugin plugin; }} +namespace plugin::mitrecnd_HTTP2 { Plugin plugin; } using namespace plugin::mitrecnd_HTTP2; -plugin::Configuration Plugin::Configure() +zeek::plugin::Configuration Plugin::Configure() { - AddComponent(new ::analyzer::Component("HTTP2", ::analyzer::mitrecnd::HTTP2_Analyzer::InstantiateAnalyzer)); + AddComponent(new ::zeek::analyzer::Component("HTTP2", analyzer::mitrecnd::HTTP2_Analyzer::InstantiateAnalyzer)); - plugin::Configuration config; + zeek::plugin::Configuration config; config.description = "Hypertext Transfer Protocol Version 2 analyzer"; config.name = "mitrecnd::HTTP2"; config.version.major = 0; - config.version.minor = 5; - config.version.patch = 3; + config.version.minor = 6; + config.version.patch = 0; return config; } diff --git a/src/Plugin.h b/src/Plugin.h index 17946c2..0476697 100644 --- a/src/Plugin.h +++ b/src/Plugin.h @@ -1,22 +1,21 @@ #ifndef BRO_PLUGIN_MITRECND_HTTP2 #define BRO_PLUGIN_MITRECND_HTTP2 -#include +#include -namespace plugin { -namespace mitrecnd_HTTP2 { +namespace plugin::mitrecnd_HTTP2 { -class Plugin : public ::plugin::Plugin +class Plugin : public zeek::plugin::Plugin { protected: // Overridden from plugin::Plugin. - plugin::Configuration Configure() override; + zeek::plugin::Configuration Configure() override; }; extern Plugin plugin; } -} + #endif diff --git a/src/debug.h b/src/debug.h index 9fe35b8..da2bc5f 100644 --- a/src/debug.h +++ b/src/debug.h @@ -1,6 +1,6 @@ #ifndef ANALYZER_PROTOCOL_HTTP2_HTTP2_DEBUG_H #define ANALYZER_PROTOCOL_HTTP2_HTTP2_DEBUG_H -#include "Reporter.h" +#include "zeek/Reporter.h" #define HTTP2_DEBUG_LEVEL 0 #if (HTTP2_DEBUG_LEVEL > 2) @@ -13,11 +13,11 @@ #define DEBUG_DBG(format, ...) #elif (HTTP2_DEBUG_LEVEL > 0) #define DEBUG_ERR reporter->Error -#define DEBUG_INFO(format, ...) +#define DEBUG_INFO(format, ...) #define DEBUG_DBG(format, ...) #else #define DEBUG_ERR(format, ...) -#define DEBUG_INFO(format, ...) +#define DEBUG_INFO(format, ...) #define DEBUG_DBG(format, ...) #endif diff --git a/src/events.bif b/src/events.bif index 968dc84..24fac5b 100755 --- a/src/events.bif +++ b/src/events.bif @@ -2,10 +2,10 @@ # In this file, you'll define the events that your analyzer will # generate. A sample event is included. -## Generated for HTTP2 requests. Bro supports persistent and pipelined HTTP2 +## Generated for HTTP2 requests. Zeek supports persistent and pipelined HTTP2 ## sessions and raises corresponding events as it parses client/server ## dialogues. This event is generated as soon as a request's initial line has -## been parsed, and before any :bro:id:`http2_header` events are raised. +## been parsed, and before any :zeek:id:`http2_header` events are raised. ## ## See `Wikipedia `__ ## for more information about the HTTP2 protocol. @@ -30,15 +30,15 @@ ## ## push: Whether this was a push promise initiated transaction ## -## .. bro:see:: http2_all_headers http2_begin_entity http2_content_type http2_end_entity +## .. zeek:see:: http2_all_headers http2_begin_entity http2_content_type http2_end_entity ## http2_entity_data http2_event http2_header http2_message_done http2_reply http2_stats ## truncate_http2_URI event http2_request%(c: connection, is_orig: bool, stream: count, method: string, authority: string, host: string, original_URI: string, unescaped_URI: string, version: string, push: bool%); -## Generated for HTTP2 replies. Bro supports persistent and pipelined HTTP2 +## Generated for HTTP2 replies. Zeek supports persistent and pipelined HTTP2 ## sessions and raises corresponding events as it parses client/server ## dialogues. This event is generated as soon as a reply's initial line has -## been parsed, and before any :bro:id:`http2_header` events are raised. +## been parsed, and before any :zeek:id:`http2_header` events are raised. ## ## See `Wikipedia `__ ## for more information about the HTTP2 protocol. @@ -55,7 +55,7 @@ event http2_request%(c: connection, is_orig: bool, stream: count, method: string ## ## reason: The textual description returned by the server along with *code*. ## -## .. bro:see:: http2_all_headers http2_begin_entity http2_content_type http2_end_entity +## .. zeek:see:: http2_all_headers http2_begin_entity http2_content_type http2_end_entity ## http2_entity_data http2_event http2_header http2_message_done http2_request ## http2_stats event http2_reply%(c: connection, is_orig: bool, stream: count, version: string, code: count, reason: string%); @@ -88,7 +88,7 @@ event http2_stream_start%(c: connection, is_orig: bool, stream:count%); ## event http2_stream_end%(c: connection, stream: count, stats: http2_stream_stat%); -## Generated for HTTP2 headers. Bro supports persistent and pipelined HTTP2 +## Generated for HTTP2 headers. Zeek supports persistent and pipelined HTTP2 ## sessions and raises corresponding events as it parses client/server ## dialogues. ## @@ -105,7 +105,7 @@ event http2_stream_end%(c: connection, stream: count, stats: http2_stream_stat%) ## ## value: The value of the header. ## -## .. bro:see:: http2_all_headers http2_begin_entity http2_content_type http2_end_entity +## .. zeek:see:: http2_all_headers http2_begin_entity http2_content_type http2_end_entity ## http2_entity_data http2_event http2_message_done http2_reply http2_request ## http2_stats ## @@ -114,7 +114,7 @@ event http2_stream_end%(c: connection, stream: count, stats: http2_stream_stat%) event http2_header%(c: connection, is_orig: bool, stream: count, name: string, value: string%); ## Generated for HTTP2 headers, passing on all headers of an HTTP2 message at -## once. Bro supports persistent and pipelined HTTP2 sessions and raises +## once. Zeek supports persistent and pipelined HTTP2 sessions and raises ## corresponding events as it parses client/server dialogues. ## ## See `Wikipedia `__ @@ -130,7 +130,7 @@ event http2_header%(c: connection, is_orig: bool, stream: count, name: string, v ## The table is indexed by the position of the header (1 for the first, ## 2 for the second, etc.). ## -## .. bro:see:: http2_begin_entity http2_content_type http2_end_entity http2_entity_data +## .. zeek:see:: http2_begin_entity http2_content_type http2_end_entity http2_entity_data ## http2_event http2_header http2_message_done http2_reply http2_request http2_stats ## ## .. note:: This event is also raised for headers found in nested body @@ -140,7 +140,7 @@ event http2_all_headers%(c: connection, is_orig: bool, stream: count, hlist: mim ## Generated when starting to parse an HTTP2 body entity. This event is generated ## at least once for each non-empty (client or server) HTTP2 body; and ## potentially more than once if the body contains further nested MIME -## entities. Bro raises this event just before it starts parsing each entity's +## entities. Zeek raises this event just before it starts parsing each entity's ## content. ## ## See `Wikipedia `__ @@ -153,7 +153,7 @@ event http2_all_headers%(c: connection, is_orig: bool, stream: count, hlist: mim ## stream: Unique identifier of the stream within its associated connection. ## ## -## .. bro:see:: http2_all_headers http2_content_type http2_end_entity http2_entity_data +## .. zeek:see:: http2_all_headers http2_content_type http2_end_entity http2_entity_data ## http2_event http2_header http2_message_done http2_reply http2_request http2_stats ## mime_begin_entity event http2_begin_entity%(c: connection, is_orig: bool, stream: count, contentType: string%); @@ -161,7 +161,7 @@ event http2_begin_entity%(c: connection, is_orig: bool, stream: count, contentTy ## Generated when finishing parsing an HTTP2 body entity. This event is generated ## at least once for each non-empty (client or server) HTTP2 body; and ## potentially more than once if the body contains further nested MIME -## entities. Bro raises this event at the point when it has finished parsing an +## entities. Zeek raises this event at the point when it has finished parsing an ## entity's content. ## ## See `Wikipedia `__ @@ -174,7 +174,7 @@ event http2_begin_entity%(c: connection, is_orig: bool, stream: count, contentTy ## stream: Unique identifier of the stream within its associated connection. ## ## -## .. bro:see:: http2_all_headers http2_begin_entity http2_content_type http2_entity_data +## .. zeek:see:: http2_all_headers http2_begin_entity http2_content_type http2_entity_data ## http2_event http2_header http2_message_done http2_reply http2_request ## http2_stats mime_end_entity event http2_end_entity%(c: connection, is_orig: bool, stream: count%); @@ -186,7 +186,7 @@ event http2_end_entity%(c: connection, is_orig: bool, stream: count%); ## A common idiom for using this event is to first *reassemble* the data ## at the scripting layer by concatenating it to a successively growing ## string; and only perform further content analysis once the corresponding -## :bro:id:`http2_end_entity` event has been raised. Note, however, that doing so +## :zeek:id:`http2_end_entity` event has been raised. Note, however, that doing so ## can be quite expensive for HTTP2 tranders. At the very least, one should ## impose an upper size limit on how much data is being buffered. ## @@ -204,7 +204,7 @@ event http2_end_entity%(c: connection, is_orig: bool, stream: count%); ## ## data: One chunk of raw entity data. ## -## .. bro:see:: http2_all_headers http2_begin_entity http2_content_type http2_end_entity +## .. zeek:see:: http2_all_headers http2_begin_entity http2_content_type http2_end_entity ## http2_event http2_header http2_message_done http2_reply http2_request http2_stats ## mime_entity_data http2_entity_data_delivery_size skip_http2_data event http2_entity_data%(c: connection, is_orig: bool, stream: count, length: count, data: string%); @@ -227,7 +227,7 @@ event http2_entity_data%(c: connection, is_orig: bool, stream: count, length: co ## event http2_content_type%(c: connection, is_orig: bool, stream: count, contentType: string%); -## Generated once at the end of parsing an HTTP2 message. Bro supports persistent +## Generated once at the end of parsing an HTTP2 message. Zeek supports persistent ## and pipelined HTTP2 sessions and raises corresponding events as it parses ## client/server dialogues. A "message" is one top-level HTTP2 entity, such as a ## complete request or reply. Each message can have further nested sub-entities @@ -246,7 +246,7 @@ event http2_content_type%(c: connection, is_orig: bool, stream: count, contentTy ## ## stat: Further meta information about the message. ## -## .. bro:see:: http2_all_headers http2_begin_entity http2_content_type http2_end_entity +## .. zeek:see:: http2_all_headers http2_begin_entity http2_content_type http2_end_entity ## http2_entity_data http2_event http2_header http2_reply http2_request http2_stats ##event http2_message_done%(c: connection, is_orig: bool, stream: count, stat: http_message_stat%); @@ -389,8 +389,8 @@ event http2_ping_event%(c: connection, is_orig: bool, stream: count, data: strin ## ## stream: Unique identifier of the stream within its associated connection. ## -## lastStream: the highest-numbered stream identifier for which the sender of -## the GOAWAY frame might have taken some action on or might yet +## lastStream: the highest-numbered stream identifier for which the sender of +## the GOAWAY frame might have taken some action on or might yet ## take action on ## ## error: the reason for closing the connection. @@ -408,7 +408,7 @@ event http2_goaway_event%(c: connection, is_orig: bool, stream: count, lastStrea ## ## stream: Unique identifier of the stream within its associated connection. ## -## increment: the number of octets that the sender can transmit in addition +## increment: the number of octets that the sender can transmit in addition ## to the existing flow-control window ## event http2_windowupdate_event%(c: connection, is_orig: bool, stream: count, increment: count%); diff --git a/zkg.meta b/zkg.meta index 93a2a13..3a2ad5e 100755 --- a/zkg.meta +++ b/zkg.meta @@ -7,5 +7,5 @@ depends = external_depends = libnghttp2>=1.11.0 libbrotlidec>=1.0.0 -build_command = ./configure --zeek-dist=%(zeek_dist)s && make +build_command = ./configure && make test_command = make test