Merge branch 'support-zeek-3-plus' Fixes #7

.gitignore

@@ -2,3 +2,4 @@
 build/
 plugins/build
 tests/.*
+.vscode/

CMakeLists.txt

@@ -1,15 +1,14 @@
 cmake_minimum_required(VERSION 2.8)
 
-project(BroPluginHTTP2)
+project(ZeekPluginHTTP2)
 
-
-if ( NOT BRO_DIST )
-    message(FATAL_ERROR "BRO_DIST not set")
+if ( NOT ZEEK_DIST )
+    message(FATAL ERROR "ZEEK_DIST not set")
 endif ()
 
 set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH})
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 find_package(LibNGHTTP2)
 find_package(LibBROTLI)
@@ -46,21 +45,21 @@ message(STATUS "LibNGHTTP2 INC DIR  : ${LibNGHTTP2_INCLUDE_DIR}")
 message(STATUS "LibNGHTTP2 LIB DIR  : ${LibNGHTTP2_LIBRARIES}")
 
 include_directories(BEFORE ${LibNGHTTP2_INCLUDE_DIR})
-bro_plugin_begin(mitrecnd HTTP2)
+zeek_plugin_begin(mitrecnd HTTP2)
 
 include_directories(BEFORE ${LibBROTLI_INCLUDE_DIR})
-bro_plugin_link_library(${LibBROTLI_LIBRARIES})
+zeek_plugin_link_library(${LibBROTLI_LIBRARIES})
 
-bro_plugin_cc(src/Plugin.cc)
-bro_plugin_cc(src/HTTP2_Frame.cc)
-bro_plugin_cc(src/HTTP2_FrameReassembler.cc)
-bro_plugin_cc(src/HTTP2_HeaderStorage.cc)
-bro_plugin_cc(src/HTTP2_Stream.cc)
-bro_plugin_cc(src/HTTP2.cc)
-bro_plugin_bif(src/events.bif src/http2.bif)
-bro_plugin_dist_files(COPYING LICENSE README README.md VERSION)
-bro_plugin_link_library(${LibNGHTTP2_LIBRARIES})
-bro_plugin_end()
+zeek_plugin_cc(src/Plugin.cc)
+zeek_plugin_cc(src/HTTP2_Frame.cc)
+zeek_plugin_cc(src/HTTP2_FrameReassembler.cc)
+zeek_plugin_cc(src/HTTP2_HeaderStorage.cc)
+zeek_plugin_cc(src/HTTP2_Stream.cc)
+zeek_plugin_cc(src/HTTP2.cc)
+zeek_plugin_bif(src/events.bif src/http2.bif)
+zeek_plugin_dist_files(COPYING LICENSE README README.md VERSION)
+zeek_plugin_link_library(${LibNGHTTP2_LIBRARIES})
+zeek_plugin_end()
 
 file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
 

Makefile

@@ -10,7 +10,7 @@ all: build-it
 build-it:
 	@test -e $(cmake_build_dir)/config.status || ./configure
 	-@test -e $(cmake_build_dir)/CMakeCache.txt && \
-      test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep BRO_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \
+      test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep ZEEK_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \
       echo Updating stale CMake cache && \
       touch $(cmake_build_dir)/CMakeCache.txt
 

README.md

@@ -1,12 +1,9 @@
-# Bro HTTP2 Analyzer Plugin
-
-__NOTE!!__ If you are currently running versions 0.1 or 0.2, you will need to
-delete the old plugin since the namespace of the plugin has changed (from
-"http2::HTTP2" to "mitrecnd::HTTP2"). Instructions on how to do so are
-outlined below.
+# Zeek HTTP2 Analyzer Plugin
 
 This plugin provides an HTTP2 ([RFC 7540](https://tools.ietf.org/html/rfc7540))
-decoder/analyzer for [Bro](https://www.bro.org/).
+decoder/analyzer for [Zeek](https://www.zeek.org/) 3.0.x and 3.1.x. If you need
+this capability for older instances of Zeek (Bro), i.e., 2.6.x or older, please
+refer to the last `0.4.x` release of this plugin.
 
 The events exposed attempt to mimic the events exposed by the native HTTP analyzer
 
@@ -40,8 +37,8 @@ Brotli is required as it is used quite often by popular websites and the
 analyzer automatically attempts to decompress data frames. No pre-compiled
 packages could be found for the brotli library so it will need to be manually
 built and installed. The library can be found at
-https://github.com/google/brotli. The latest release can be found at
-https://github.com/google/brotli/releases/latest. After downloading the latest
+<https://github.com/google/brotli>. The latest release can be found at
+<https://github.com/google/brotli/releases/latest>. After downloading the latest
 release, follow these steps to compile and install the library:
 
     tar -zxvf <release file>
@@ -58,46 +55,46 @@ To manually build and install the plugin:
 
     cd <HTTP2 Plugin Directory>
     rm -r build # Only if build exists
-    ./configure --bro-dist=</path/to/bro/source>
+    ./configure --zeek-dist=</path/to/zeek/source>
     make
     make test
     make install
 
+### Zeek Package Manager
 
-__NOTE!!__ If you are upgrading the plugin from versions 0.1 or 0.2 please
-delete the following directory from your bro install before starting or
-restarting your cluster:
-
-    <bro_install_root>/lib/bro/plugins/http2_HTTP2
-
-
-### Bro Package Manager
-
-The Bro Package Manager can be used to install
+The Zeek Package Manager can be used to install
 this plugin in multiple ways:
 
 * From the repo clone directory:
-```
-    # bro-pkg install .
-```
+
+      # zkg install .
 
 * Using the github repo directly:
-```
-    # bro-pkg install https://github.com/MITRECND/bro-http2
-```
+
+      # zkg install https://github.com/MITRECND/bro-http2
 
 * Using the official source:
-```
-    # bro-pkg install bro/mitrecnd/bro-http2
-```
+
+      # zkg install zeek/mitrecnd/bro-http2
+
+__NOTE__ If you had an older version of zkg or the original bro package manager
+installed, the path might show up as `bro/mitrecnd/bro-http2`. Please use that
+path or update your zkg configuration located, by default, in `~/.zkg/config`.
+
+#### Installing Older Versions
+
+If you are still running an older version of Zeek (Bro 2.6.x and older), you
+can install a previous version of the plugin using zkg, utilizing the `--version`
+argument.
+
+      # zkg install zeek/mitrecnd/bro-http2 --version 0.4.2
 
 ## Usage
 
-You should see the following output from bro if successfully installed:
+You should see the following output from zeek if successfully installed:
 
-```
-    > bro -NN mitrecnd::HTTP2
-    mitrecnd::HTTP2 - Hypertext Transfer Protocol Version 2 analyzer (dynamic, version 0.4)
+    > zeek -NN mitrecnd::HTTP2
+    mitrecnd::HTTP2 - Hypertext Transfer Protocol Version 2 analyzer (dynamic, version 0.5.0)
         [Analyzer] HTTP2 (ANALYZER_HTTP2, enabled)
         [Event] http2_request
         [Event] http2_reply
@@ -123,11 +120,9 @@ You should see the following output from bro if successfully installed:
         [Type] http2_settings_unrecognized_table
         [Type] http2_settings
         [Type] http2_stream_stat
-```
-
 
 To use/load the http2 analyzer, add the following to your config
-(e.g., local.bro):
+(e.g., local.zeek):
 
     @load http2
 

VERSION

@@ -1 +1 @@
-0.4
+0.5.0

configure

@@ -29,8 +29,13 @@ cat 1>&2 <<EOF
 Usage: $0 [OPTIONS]
 
   Plugin Options:
-    --bro-dist=DIR             Path to Bro source tree
+    --zeek-dist=DIR            Path to Zeek source tree
     --install-root=DIR         Path where to install plugin into
+    --with-binpac=DIR          Path to BinPAC installation root
+    --with-broker=DIR          Path to Broker installation root
+    --with-caf=DIR             Path to CAF installation root
+    --with-bifcl=PATH          Path to bifcl executable
+    --enable-debug             Compile in debugging mode
 EOF
 
 if type plugin_usage >/dev/null 2>&1; then
@@ -53,7 +58,7 @@ append_cache_entry () {
 
 # set defaults
 builddir=build
-brodist=`cd ../../.. && pwd`
+zeekdist=""
 installroot="default"
 CMakeCacheEntries=""
 
@@ -68,14 +73,41 @@ while [ $# -ne 0 ]; do
             usage
             ;;
 
-        --bro-dist=*)
-            brodist=`cd $optarg && pwd`
+        --zeek-dist=*)
+            zeekdist=`cd $optarg && pwd`
+            ;;
+
+        --bro-dist=*) # Legacy option for backwards compability
+            zeekdist=`cd $optarg && pwd`
             ;;
 
         --install-root=*)
             installroot=$optarg
             ;;
 
+        --with-binpac=*)
+            append_cache_entry BinPAC_ROOT_DIR PATH $optarg
+            binpac_root=$optarg
+            ;;
+
+        --with-broker=*)
+            append_cache_entry BROKER_ROOT_DIR PATH $optarg
+            broker_root=$optarg
+            ;;
+
+        --with-caf=*)
+            append_cache_entry CAF_ROOT_DIR PATH $optarg
+            caf_root=$optarg
+            ;;
+
+        --with-bifcl=*)
+            append_cache_entry BifCl_EXE PATH $optarg
+            ;;
+
+        --enable-debug)
+            append_cache_entry BRO_PLUGIN_ENABLE_DEBUG         BOOL   true
+            ;;
+
         *)
             if type plugin_option >/dev/null 2>&1; then
                 plugin_option $1 && shift && continue;
@@ -88,21 +120,76 @@ while [ $# -ne 0 ]; do
     shift
 done
 
-if [ ! -e "$brodist/bro-path-dev.in" ]; then
-    echo "Cannot determine Bro source directory, use --bro-dist=DIR."
-    exit 1
-fi
+if [ -z "$zeekdist" ]; then
+    if type zeek-config >/dev/null 2>&1; then
+       zeek_config="zeek-config"
+    elif type bro-config >/dev/null 2>&1; then
+       zeek_config="bro-config"
+    fi
+
+    if [ -n "${zeek_config}" ]; then
+        if ${zeek_config} --cmake_dir >/dev/null 2>&1; then
+            # Have a newer version of zeek-config that has needed flags
+            append_cache_entry BRO_CONFIG_PREFIX PATH `${zeek_config} --prefix`
+            append_cache_entry BRO_CONFIG_INCLUDE_DIR PATH `${zeek_config} --include_dir`
+            append_cache_entry BRO_CONFIG_PLUGIN_DIR PATH `${zeek_config} --plugin_dir`
+            append_cache_entry BRO_CONFIG_CMAKE_DIR PATH `${zeek_config} --cmake_dir`
+            append_cache_entry CMAKE_MODULE_PATH PATH `${zeek_config} --cmake_dir`
+
+            build_type=`${zeek_config} --build_type`
+
+            if [ "$build_type" = "debug" ]; then
+                append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true
+            fi
+
+            if [ -z "$binpac_root" ]; then
+                append_cache_entry BinPAC_ROOT_DIR PATH `${zeek_config} --binpac_root`
+            fi
+
+            if [ -z "$broker_root" ]; then
+                append_cache_entry BROKER_ROOT_DIR PATH `${zeek_config} --broker_root`
+            fi
 
-append_cache_entry BRO_DIST PATH $brodist
-append_cache_entry CMAKE_MODULE_PATH PATH $brodist/cmake
+            if [ -z "$caf_root" ]; then
+                append_cache_entry CAF_ROOT_DIR PATH `${zeek_config} --caf_root`
+            fi
+        else
+            # Using legacy bro-config, so we must use the "--bro_dist" option.
+            zeekdist=`${zeek_config} --bro_dist 2> /dev/null`
+
+            if [ ! -e "$zeekdist/zeek-path-dev.in" ]; then
+                echo "$zeekdist does not appear to be a valid Zeek source tree."
+                exit 1
+            fi
+
+            # BRO_DIST is needed to support legacy Bro plugins
+            append_cache_entry BRO_DIST  PATH $zeekdist
+            append_cache_entry ZEEK_DIST PATH $zeekdist
+            append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake
+        fi
+    else
+        echo "Either 'zeek-config' must be in PATH or '--zeek-dist=<path>' used"
+        exit 1
+    fi
+else
+    if [ ! -e "$zeekdist/zeek-path-dev.in" -a ! -e "$zeekdist/bro-path-dev.in" ]; then
+      echo "$zeekdist does not appear to be a valid Zeek source tree."
+      exit 1
+    fi
+
+    # BRO_DIST is needed to support legacy Bro plugins
+    append_cache_entry BRO_DIST  PATH $zeekdist
+    append_cache_entry ZEEK_DIST PATH $zeekdist
+    append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake
+fi
 
 if [ "$installroot" != "default" ]; then
     mkdir -p $installroot
     append_cache_entry BRO_PLUGIN_INSTALL_ROOT PATH $installroot
 fi
 
 echo "Build Directory        : $builddir"
-echo "Bro Source Directory   : $brodist"
+echo "Zeek Source Directory   : $zeekdist"
 
 mkdir -p $builddir
 cd $builddir

configure.plugin

@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# Hooks to add custom options to the configure script.
+#
+
+plugin_usage()
+{
+    : # Do nothing
+#    cat <<EOF
+#    --with-foo=DIR          Path to foo
+# EOF
+}
+
+plugin_option()
+{
+    case "$1" in
+#        --with-foo=*)
+#            append_cache_entry FOO_DIR PATH $optarg
+#            return 0
+#            ;;
+
+        *)
+            return 1;
+            ;;
+    esac
+}

scripts/__load__.zeek

@@ -0,0 +1,10 @@
+#
+# This is loaded unconditionally at Zeek startup. Include scripts here that should
+# always be loaded.
+#
+# Normally, that will be only code that initializes built-in elements. Load
+# your standard scripts in
+# scripts/<plugin-namespace>/<plugin-name>/__load__.zeek instead.
+#
+
+@load ./init