diff --git a/.gitignore b/.gitignore index d4850e7..cf2250d 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ build/ plugins/build tests/.* +.vscode/ diff --git a/CMakeLists.txt b/CMakeLists.txt index 33aa5f1..91d2530 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,15 +1,14 @@ cmake_minimum_required(VERSION 2.8) -project(BroPluginHTTP2) +project(ZeekPluginHTTP2) - -if ( NOT BRO_DIST ) - message(FATAL_ERROR "BRO_DIST not set") +if ( NOT ZEEK_DIST ) + message(FATAL ERROR "ZEEK_DIST not set") endif () set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH}) -include(BroPlugin) +include(ZeekPlugin) find_package(LibNGHTTP2) find_package(LibBROTLI) @@ -46,21 +45,21 @@ message(STATUS "LibNGHTTP2 INC DIR : ${LibNGHTTP2_INCLUDE_DIR}") message(STATUS "LibNGHTTP2 LIB DIR : ${LibNGHTTP2_LIBRARIES}") include_directories(BEFORE ${LibNGHTTP2_INCLUDE_DIR}) -bro_plugin_begin(mitrecnd HTTP2) +zeek_plugin_begin(mitrecnd HTTP2) include_directories(BEFORE ${LibBROTLI_INCLUDE_DIR}) -bro_plugin_link_library(${LibBROTLI_LIBRARIES}) +zeek_plugin_link_library(${LibBROTLI_LIBRARIES}) -bro_plugin_cc(src/Plugin.cc) -bro_plugin_cc(src/HTTP2_Frame.cc) -bro_plugin_cc(src/HTTP2_FrameReassembler.cc) -bro_plugin_cc(src/HTTP2_HeaderStorage.cc) -bro_plugin_cc(src/HTTP2_Stream.cc) -bro_plugin_cc(src/HTTP2.cc) -bro_plugin_bif(src/events.bif src/http2.bif) -bro_plugin_dist_files(COPYING LICENSE README README.md VERSION) -bro_plugin_link_library(${LibNGHTTP2_LIBRARIES}) -bro_plugin_end() +zeek_plugin_cc(src/Plugin.cc) +zeek_plugin_cc(src/HTTP2_Frame.cc) +zeek_plugin_cc(src/HTTP2_FrameReassembler.cc) +zeek_plugin_cc(src/HTTP2_HeaderStorage.cc) +zeek_plugin_cc(src/HTTP2_Stream.cc) +zeek_plugin_cc(src/HTTP2.cc) +zeek_plugin_bif(src/events.bif src/http2.bif) +zeek_plugin_dist_files(COPYING LICENSE README README.md VERSION) +zeek_plugin_link_library(${LibNGHTTP2_LIBRARIES}) +zeek_plugin_end() file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1) 
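Review bot: The added `message(FATAL ERROR "ZEEK_DIST not set")` in the CMakeLists.txt hunk does not abort: without the underscore, `FATAL` is not a message mode, so CMake prints the text as an ordinary notice and configuration continues with ZEEK_DIST unset. It should read `message(FATAL_ERROR "ZEEK_DIST not set")`, as the removed line did. Note, though, that the rewritten configure script's zeek-config path (the `--cmake_dir` branch) only records BRO_CONFIG_* and CMAKE_MODULE_PATH and never writes ZEEK_DIST into the cache, so once the typo is fixed that path would trip this guard; either have configure set ZEEK_DIST there as well, or drop the guard and let `include(ZeekPlugin)` report a missing module path.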
diff --git a/Makefile b/Makefile index e083d5b..e96720f 100755 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ all: build-it build-it: @test -e $(cmake_build_dir)/config.status || ./configure -@test -e $(cmake_build_dir)/CMakeCache.txt && \ - test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep BRO_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \ + test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep ZEEK_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \ echo Updating stale CMake cache && \ touch $(cmake_build_dir)/CMakeCache.txt diff --git a/README.md b/README.md index 22fc3bc..12e439d 100755 --- a/README.md +++ b/README.md @@ -1,12 +1,9 @@ -# Bro HTTP2 Analyzer Plugin - -__NOTE!!__ If you are currently running versions 0.1 or 0.2, you will need to -delete the old plugin since the namespace of the plugin has changed (from -"http2::HTTP2" to "mitrecnd::HTTP2"). Instructions on how to do so are -outlined below. +# Zeek HTTP2 Analyzer Plugin This plugin provides an HTTP2 ([RFC 7540](https://tools.ietf.org/html/rfc7540)) -decoder/analyzer for [Bro](https://www.bro.org/). +decoder/analyzer for [Zeek](https://www.zeek.org/) 3.0.x and 3.1.x. If you need +this capability for older instances of Zeek (Bro), i.e., 2.6.x or older, please +refer to the last `0.4.x` release of this plugin. The events exposed attempt to mimic the events exposed by the native HTTP analyzer 
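Review bot: The stale-cache test in `build-it` greps CMakeCache.txt for `ZEEK_DIST`, but the rewritten configure only appends ZEEK_DIST when a source tree is passed explicitly or found via the legacy `bro-config --bro_dist`; in the zeek-config `--cmake_dir` path nothing named ZEEK_DIST is written. In that case the backtick expands to an empty string, the `-ot` comparison is made against `/build/CMakeCache.txt`, and the staleness check silently never fires, a quiet regression from the old BRO_DIST behaviour rather than an error. Anchoring the pattern (`grep '^ZEEK_DIST:'`) avoids matching comment lines, but the real fix is to have configure record ZEEK_DIST in every branch, or to skip the comparison when the extracted value is empty.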
@@ -40,8 +37,8 @@ Brotli is required as it is used quite often by popular websites and the analyzer automatically attempts to decompress data frames. No pre-compiled packages could be found for the brotli library so it will need to be manually built and installed. The library can be found at -https://github.com/google/brotli. The latest release can be found at -https://github.com/google/brotli/releases/latest. After downloading the latest +. The latest release can be found at +. After downloading the latest release, follow these steps to compile and install the library: tar -zxvf 
@@ -58,46 +55,46 @@ To manually build and install the plugin: cd rm -r build # Only if build exists - ./configure --bro-dist= + ./configure --zeek-dist= make make test make install +### Zeek Package Manager -__NOTE!!__ If you are upgrading the plugin from versions 0.1 or 0.2 please -delete the following directory from your bro install before starting or -restarting your cluster: - - /lib/bro/plugins/http2_HTTP2 - - -### Bro Package Manager - -The Bro Package Manager can be used to install +The Zeek Package Manager can be used to install this plugin in multiple ways: * From the repo clone directory: -``` - # bro-pkg install . -``` + + # zkg install . * Using the github repo directly: -``` - # bro-pkg install https://github.com/MITRECND/bro-http2 -``` + + # zkg install https://github.com/MITRECND/bro-http2 * Using the official source: -``` - # bro-pkg install bro/mitrecnd/bro-http2 -``` + + # zkg install zeek/mitrecnd/bro-http2 + +__NOTE__ If you had an older version of zkg or the original bro package manager +installed, the path might show up as `bro/mitrecnd/bro-http2`. Please use that +path or update your zkg configuration located, by default, in `~/.zkg/config`. + +#### Installing Older Versions + +If you are still running an older version of Zeek (Bro 2.6.x and older), you +can install a previous version of the plugin using zkg, utilizing the `--version` +argument. + + # zkg install zeek/mitrecnd/bro-http2 --version 0.4.2 ## Usage -You should see the following output from bro if successfully installed: +You should see the following output from zeek if successfully installed: -``` - > bro -NN mitrecnd::HTTP2 - mitrecnd::HTTP2 - Hypertext Transfer Protocol Version 2 analyzer (dynamic, version 0.4) + > zeek -NN mitrecnd::HTTP2 + mitrecnd::HTTP2 - Hypertext Transfer Protocol Version 2 analyzer (dynamic, version 0.5.0) [Analyzer] HTTP2 (ANALYZER_HTTP2, enabled) [Event] http2_request [Event] http2_reply 
@@ -123,11 +120,9 @@ You should see the following output from bro if successfully installed: [Type] http2_settings_unrecognized_table [Type] http2_settings [Type] http2_stream_stat -``` - To use/load the http2 analyzer, add the following to your config -(e.g., local.bro): +(e.g., local.zeek): @load http2 diff --git a/VERSION b/VERSION index bd73f47..8f0916f 100755 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.4 +0.5.0 diff --git a/bro-pkg.meta b/bro-pkg.meta deleted file mode 100755 index 2d7f37c..0000000 --- a/bro-pkg.meta +++ /dev/null @@ -1,11 +0,0 @@ -[package] -description = A HTTP2 protocol analyzer for the Bro IDS. -tags = bro plugin, protocol analyzer, http2, intel -script_dir = scripts -depends = - bro >=2.5.0 -external_depends = - libnghttp2>=1.11.0 - libbrotlidec>=1.0.0 -build_command = ./configure --bro-dist=%(bro_dist)s && make -test_command = make test diff --git a/configure b/configure index b9addf4..b06992f 100755 --- a/configure +++ b/configure @@ -29,8 +29,13 @@ cat 1>&2 </dev/null 2>&1; then @@ -53,7 +58,7 @@ append_cache_entry () { # set defaults builddir=build -brodist=`cd ../../.. && pwd` +zeekdist="" installroot="default" CMakeCacheEntries="" @@ -68,14 +73,41 @@ while [ $# -ne 0 ]; do usage ;; - --bro-dist=*) - brodist=`cd $optarg && pwd` + --zeek-dist=*) + zeekdist=`cd $optarg && pwd` + ;; + + --bro-dist=*) # Legacy option for backwards compability + zeekdist=`cd $optarg && pwd` ;; --install-root=*) installroot=$optarg ;; + --with-binpac=*) + append_cache_entry BinPAC_ROOT_DIR PATH $optarg + binpac_root=$optarg + ;; + + --with-broker=*) + append_cache_entry BROKER_ROOT_DIR PATH $optarg + broker_root=$optarg + ;; + + --with-caf=*) + append_cache_entry CAF_ROOT_DIR PATH $optarg + caf_root=$optarg + ;; + + --with-bifcl=*) + append_cache_entry BifCl_EXE PATH $optarg + ;; + + --enable-debug) + append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true + ;; + *) if type plugin_option >/dev/null 2>&1; then plugin_option $1 && shift && continue; 
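Review bot: In the new `--zeek-dist=*` and legacy `--bro-dist=*` cases, `zeekdist=\`cd $optarg && pwd\`` leaves `zeekdist` empty when the directory does not exist, and the `-z "$zeekdist"` branch later in the script then silently falls back to whatever zeek-config is first in PATH, so a mistyped path builds against a different Zeek than the one requested. The old script at least failed with "Cannot determine Bro source directory". Quote the argument and fail on a bad directory in both cases, e.g. `zeekdist=$(cd "$optarg" 2>/dev/null && pwd) || { echo "--zeek-dist: '$optarg' is not a directory" 1>&2; exit 1; }`. The option loop these cases belong to starts before the hunk.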
@@ -88,13 +120,68 @@ while [ $# -ne 0 ]; do shift done -if [ ! -e "$brodist/bro-path-dev.in" ]; then - echo "Cannot determine Bro source directory, use --bro-dist=DIR." - exit 1 -fi +if [ -z "$zeekdist" ]; then + if type zeek-config >/dev/null 2>&1; then + zeek_config="zeek-config" + elif type bro-config >/dev/null 2>&1; then + zeek_config="bro-config" + fi + + if [ -n "${zeek_config}" ]; then + if ${zeek_config} --cmake_dir >/dev/null 2>&1; then + # Have a newer version of zeek-config that has needed flags + append_cache_entry BRO_CONFIG_PREFIX PATH `${zeek_config} --prefix` + append_cache_entry BRO_CONFIG_INCLUDE_DIR PATH `${zeek_config} --include_dir` + append_cache_entry BRO_CONFIG_PLUGIN_DIR PATH `${zeek_config} --plugin_dir` + append_cache_entry BRO_CONFIG_CMAKE_DIR PATH `${zeek_config} --cmake_dir` + append_cache_entry CMAKE_MODULE_PATH PATH `${zeek_config} --cmake_dir` + + build_type=`${zeek_config} --build_type` + + if [ "$build_type" = "debug" ]; then + append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true + fi + + if [ -z "$binpac_root" ]; then + append_cache_entry BinPAC_ROOT_DIR PATH `${zeek_config} --binpac_root` + fi + + if [ -z "$broker_root" ]; then + append_cache_entry BROKER_ROOT_DIR PATH `${zeek_config} --broker_root` + fi -append_cache_entry BRO_DIST PATH $brodist -append_cache_entry CMAKE_MODULE_PATH PATH $brodist/cmake + if [ -z "$caf_root" ]; then + append_cache_entry CAF_ROOT_DIR PATH `${zeek_config} --caf_root` + fi + else + # Using legacy bro-config, so we must use the "--bro_dist" option. + zeekdist=`${zeek_config} --bro_dist 2> /dev/null` + + if [ ! -e "$zeekdist/zeek-path-dev.in" ]; then + echo "$zeekdist does not appear to be a valid Zeek source tree." 
+ exit 1 + fi + + # BRO_DIST is needed to support legacy Bro plugins + append_cache_entry BRO_DIST PATH $zeekdist + append_cache_entry ZEEK_DIST PATH $zeekdist + append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake + fi + else + echo "Either 'zeek-config' must be in PATH or '--zeek-dist=' used" + exit 1 + fi +else + if [ ! -e "$zeekdist/zeek-path-dev.in" -a ! -e "$zeekdist/bro-path-dev.in" ]; then + echo "$zeekdist does not appear to be a valid Zeek source tree." + exit 1 + fi + + # BRO_DIST is needed to support legacy Bro plugins + append_cache_entry BRO_DIST PATH $zeekdist + append_cache_entry ZEEK_DIST PATH $zeekdist + append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake +fi if [ "$installroot" != "default" ]; then mkdir -p $installroot @@ -102,7 +189,7 @@ if [ "$installroot" != "default" ]; then fi echo "Build Directory : $builddir" -echo "Bro Source Directory : $brodist" +echo "Zeek Source Directory : $zeekdist" mkdir -p $builddir cd $builddir diff --git a/configure.plugin b/configure.plugin new file mode 100644 index 0000000..057985d --- /dev/null +++ b/configure.plugin @@ -0,0 +1,26 @@ +#!/bin/sh +# +# Hooks to add custom options to the configure script. +# + +plugin_usage() +{ + : # Do nothing +# cat <//__load__.bro instead. -# - -@load ./init.bro diff --git a/scripts/__load__.zeek b/scripts/__load__.zeek new file mode 100644 index 0000000..173ff80 --- /dev/null +++ b/scripts/__load__.zeek @@ -0,0 +1,10 @@ +# +# This is loaded unconditionally at Zeek startup. Include scripts here that should +# always be loaded. +# +# Normally, that will be only code that initializes built-in elements. Load +# your standard scripts in +# scripts///__load__.zeek instead. +# + +@load ./init diff --git a/scripts/__preload__.bro b/scripts/__preload__.bro deleted file mode 100644 index d152022..0000000 --- a/scripts/__preload__.bro +++ /dev/null 
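Review bot: In the legacy `bro-config --bro_dist` branch the tree is validated only with `[ ! -e "$zeekdist/zeek-path-dev.in" ]`, whereas the explicit `--zeek-dist` branch further down accepts either `zeek-path-dev.in` or `bro-path-dev.in`. A bro-config is exactly what an older Bro install provides, and that source tree ships `bro-path-dev.in`, so this branch rejects the trees it exists to support; use the same test in both places: `if [ ! -e "$zeekdist/zeek-path-dev.in" -a ! -e "$zeekdist/bro-path-dev.in" ]; then`. Separately, the values returned by `${zeek_config} --prefix` and friends are substituted unquoted into `append_cache_entry`, so an install prefix containing whitespace is split into several arguments; wrapping each substitution in double quotes is cheap insurance. Also, when `--bro_dist` fails its stderr is discarded and `zeekdist` is empty, so the user sees a message with a blank path and no hint of the cause.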
@@ -1,10 +0,0 @@ -# -# This is loaded unconditionally at Bro startup before any of the BiFs that the -# plugin defines become available. -# -# This is primarily for defining types that BiFs already depend on. If you need -# to do any other unconditional initialization (usually that's just for other BiF -# elemets), that should go into __load__.bro instead. -# - -@load ./types.bro diff --git a/scripts/__preload__.zeek b/scripts/__preload__.zeek new file mode 100644 index 0000000..c1589e2 --- /dev/null +++ b/scripts/__preload__.zeek @@ -0,0 +1,10 @@ +# +# This is loaded unconditionally at Zeek startup before any of the BiFs that the +# plugin defines become available. +# +# This is primarily for defining types that BiFs already depend on. If you need +# to do any other unconditional initialization (usually that's just for other BiF +# elemets), that should go into __load__.zeek instead. +# + +@load ./types diff --git a/scripts/http2/__load__.bro b/scripts/http2/__load__.zeek similarity index 100% rename from scripts/http2/__load__.bro rename to scripts/http2/__load__.zeek diff --git a/scripts/http2/files.bro b/scripts/http2/files.zeek similarity index 96% rename from scripts/http2/files.bro rename to scripts/http2/files.zeek index 023f932..deffa1f 100755 --- a/scripts/http2/files.bro +++ b/scripts/http2/files.zeek @@ -35,7 +35,7 @@ function describe_file(f: fa_file): string return ""; } -event bro_init() &priority=5 +event zeek_init() &priority=5 { Files::register_protocol(Analyzer::ANALYZER_HTTP2, [$get_file_handle = HTTP2::get_file_handle, diff --git a/scripts/http2/intel/__load__.bro b/scripts/http2/intel/__load__.zeek similarity index 100% rename from scripts/http2/intel/__load__.bro rename to scripts/http2/intel/__load__.zeek diff --git a/scripts/http2/intel/seen/http2-headers.bro b/scripts/http2/intel/seen/http2-headers.zeek similarity index 100% rename from scripts/http2/intel/seen/http2-headers.bro rename to scripts/http2/intel/seen/http2-headers.zeek 
diff --git a/scripts/http2/intel/seen/http2-url.bro b/scripts/http2/intel/seen/http2-url.zeek similarity index 100% rename from scripts/http2/intel/seen/http2-url.bro rename to scripts/http2/intel/seen/http2-url.zeek diff --git a/scripts/http2/main.bro b/scripts/http2/main.zeek similarity index 99% rename from scripts/http2/main.bro rename to scripts/http2/main.zeek index 2cb7e81..7d70bf0 100755 --- a/scripts/http2/main.bro +++ b/scripts/http2/main.zeek @@ -20,7 +20,7 @@ export { ## Unique ID for the stream. stream_id: count &log &optional; - + ## Verb used in the HTTP request (GET, POST, HEAD, etc.). method: string &log &optional; ## Value of the HOST header. @@ -94,7 +94,7 @@ redef record connection += { }; -event bro_init() &priority=5 +event zeek_init() &priority=5 { Log::create_stream(HTTP2::LOG, [$columns=Info, $ev=log_http2, $path="http2"]); Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP2, ports); @@ -145,7 +145,7 @@ event http2_stream_start(c: connection, is_orig: bool, stream: count) &priority= c$http2_streams$streams[stream]$stream_id = stream; } -event http2_request(c: connection, is_orig: bool, stream: count, method: string, +event http2_request(c: connection, is_orig: bool, stream: count, method: string, authority: string, host: string, original_URI: string, unescaped_URI: string, version: string, push: bool) &priority=5 { diff --git a/scripts/http2/utils.bro b/scripts/http2/utils.zeek similarity index 100% rename from scripts/http2/utils.bro rename to scripts/http2/utils.zeek diff --git a/scripts/init.bro b/scripts/init.zeek similarity index 100% rename from scripts/init.bro rename to scripts/init.zeek diff --git a/scripts/types.bro b/scripts/types.zeek similarity index 100% rename from scripts/types.bro rename to scripts/types.zeek diff --git a/src/HTTP2.cc b/src/HTTP2.cc index 3700b6f..0fb15de 100755 --- a/src/HTTP2.cc +++ b/src/HTTP2.cc 
@@ -92,7 +92,7 @@ void HTTP2_Analyzer::EndpointEOF(bool is_orig) void HTTP2_Analyzer::DeliverStream(int len, const u_char* data, bool orig){ tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); - // If we see the connection Preface we will have to skip it to realign the + // If we see the connection Preface we will have to skip it to realign the // stream for processing int prefaceOffset; @@ -183,7 +183,7 @@ void HTTP2_Analyzer::DeliverStream(int len, const u_char* data, bool orig){ } } -void HTTP2_Analyzer::Undelivered(uint64 seq, int len, bool orig){ +void HTTP2_Analyzer::Undelivered(uint64_t seq, int len, bool orig){ tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); this->had_gap = true; } 
@@ -193,30 +193,30 @@ static inline RecordVal* generateSettingsRecord(HTTP2_Settings_Frame* frame) { RecordVal* settings_rec = new RecordVal(BifType::Record::http2_settings); if(frame->getHeaderTableSize(val)){ - settings_rec->Assign(0, new Val(val, TYPE_COUNT)); + settings_rec->Assign(0, val_mgr->GetCount(val)); } if(frame->getEnablePush(val)){ - settings_rec->Assign(1, new Val((bool)val, TYPE_BOOL)); + settings_rec->Assign(1, val_mgr->GetBool(val)); } if(frame->getMaxConcurrentStreams(val)){ - settings_rec->Assign(2, new Val(val, TYPE_COUNT)); + settings_rec->Assign(2, val_mgr->GetCount(val)); } if(frame->getInitialWindowSize(val)){ - settings_rec->Assign(3, new Val(val, TYPE_COUNT)); + settings_rec->Assign(3, val_mgr->GetCount(val)); } if(frame->getMaxFrameSize(val)){ - settings_rec->Assign(4, new Val(val, TYPE_COUNT)); + settings_rec->Assign(4, val_mgr->GetCount(val)); } if(frame->getMaxHeaderListSize(val)){ - settings_rec->Assign(5, new Val(val, TYPE_COUNT)); + settings_rec->Assign(5, val_mgr->GetCount(val)); } if(frame->unrecognizedSettings()){ TableVal* unrec_table = new TableVal(BifType::Table::http2_settings_unrecognized_table); auto unrec = frame->getUnrecognizedSettings(); for (auto it=unrec.begin(); it != unrec.end(); it++) { - Val* index = new Val(it->first, TYPE_COUNT); - unrec_table->Assign(index, new Val(it->second, TYPE_COUNT)); + Val* index = val_mgr->GetCount(it->first); + unrec_table->Assign(index, val_mgr->GetCount(it->second)); Unref(index); } settings_rec->Assign(6, unrec_table); @@ -259,7 +259,7 @@ void HTTP2_Analyzer::handleFrameEvents(HTTP2_Frame* frame, bool orig, uint32_t s if (http2_priority_event) { HTTP2_Priority_Frame* pf = static_cast(frame); this->HTTP2_Priority_Event(orig, stream_id, pf->getExclusive(), - pf->getDependentStream(), pf->getWeight()); + pf->getDependentStream(), pf->getWeight()); } break; case NGHTTP2_RST_STREAM: 
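Review bot: The ENABLE_PUSH assignment drops the explicit cast the removed line had: `settings_rec->Assign(1, val_mgr->GetBool(val));` now relies on an implicit integer-to-bool conversion of `val`, so any non-zero setting silently becomes true. The result is the same as before, but the intent is no longer visible, and RFC 7540 §6.5.2 only permits 0 or 1 for this setting; writing `val_mgr->GetBool(val != 0)` (or keeping `(bool)val`) makes the coercion deliberate, and a one-line comment noting that out-of-range values are flattened to true would help anyone reading the http2_settings record. generateSettingsRecord begins before this hunk, so the declaration of `val` is not visible here.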
@@ -446,7 +446,7 @@ void HTTP2_Analyzer::destroyStreams(void) auto stream = it->second; delete stream; this->streams.erase(it); - } + } this->streams.clear(); } @@ -494,8 +494,8 @@ void HTTP2_Analyzer::destroyReassemblers(void) } /* -** Utility -*/ +** Utility +*/ bool HTTP2_Analyzer::connectionPrefaceDetected(int len, const u_char* data) { @@ -510,24 +510,24 @@ bool HTTP2_Analyzer::connectionPrefaceDetected(int len, const u_char* data) } /* -** Bro Interface wrappers. +** Bro Interface wrappers. */ -void HTTP2_Analyzer::HTTP2_Request(bool orig, unsigned stream, std::string& method, - std::string& authority, std::string& host, +void HTTP2_Analyzer::HTTP2_Request(bool orig, unsigned stream, std::string& method, + std::string& authority, std::string& host, std::string& path, BroString* unescaped, bool push){ //this->num_requests++; if ( http2_request ){ val_list* vl = new val_list; vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); vl->append(new StringVal(method)); vl->append(new StringVal(authority)); vl->append(new StringVal(host)); vl->append(new StringVal(path)); vl->append(new StringVal(unescaped)); vl->append(new StringVal(fmt("%.1f", 2.0))); - vl->append(new Val(push, TYPE_BOOL)); + vl->append(val_mgr->GetBool(push)); DEBUG_DBG("[%3u][%1d] http2_request\n", stream, orig); this->ConnectionEvent(http2_request, vl); } 
@@ -537,10 +537,10 @@ void HTTP2_Analyzer::HTTP2_Reply(bool orig, unsigned stream, uint16_t status){ if ( http2_reply ){ val_list* vl = new val_list; vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); vl->append(new StringVal(fmt("%.1f", 2.0))); - vl->append(new Val(status, TYPE_COUNT)); + vl->append(val_mgr->GetCount(status)); vl->append(new StringVal("")); DEBUG_DBG("[%3u][%1d] http2_reply\n", stream, orig); this->ConnectionEvent(http2_reply, vl); @@ -551,7 +551,7 @@ void HTTP2_Analyzer::HTTP2_StreamEnd(unsigned stream, RecordVal* stream_stats){ if ( http2_stream_end ){ val_list* vl = new val_list; vl->append(this->BuildConnVal()); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetCount(stream)); vl->append(stream_stats); DEBUG_DBG("[%3u][%1d] http2_stream_end\n", stream, orig); this->ConnectionEvent(http2_stream_end, vl); @@ -562,8 +562,8 @@ void HTTP2_Analyzer::HTTP2_StreamStart(bool orig, unsigned stream){ if ( http2_stream_start ){ val_list* vl = new val_list; vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); DEBUG_DBG("[%3u][%1d] http2_stream_start\n", stream, orig); this->ConnectionEvent(http2_stream_start, vl); } @@ -573,8 +573,8 @@ void HTTP2_Analyzer::HTTP2_Header(bool orig, unsigned stream, std::string& name, if ( http2_header ){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); vl->append((new StringVal(name))->ToUpper()); vl->append(new StringVal(value)); DEBUG_DBG("http2_header\n"); 
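Review bot: In HTTP2_StreamEnd the context line `DEBUG_DBG("[%3u][%1d] http2_stream_end\n", stream, orig);` references `orig`, which is not a parameter of `HTTP2_StreamEnd(unsigned stream, RecordVal* stream_stats)`. This is pre-existing, and presumably only compiles because DEBUG_DBG expands to nothing in non-debug builds, but this same commit adds `--enable-debug` to configure, which would make that line fail to compile (or silently pick up an unrelated `orig`). Suggest dropping the originator field from this one message, `DEBUG_DBG("[%3u] http2_stream_end\n", stream);`, or adding an `orig` argument if the caller has one.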
@@ -586,8 +586,8 @@ void HTTP2_Analyzer::HTTP2_AllHeaders(bool orig, unsigned stream, TableVal* hlis if ( http2_all_headers ){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); vl->append(hlist); DEBUG_DBG("http2_all_headers\n"); this->ConnectionEvent(http2_all_headers, vl); @@ -598,8 +598,8 @@ void HTTP2_Analyzer::HTTP2_BeginEntity(bool orig, unsigned stream, std::string& if ( http2_begin_entity ){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); vl->append(new StringVal(contentType)); DEBUG_DBG("http2_begin_entity\n"); this->ConnectionEvent(http2_begin_entity, vl); @@ -610,8 +610,8 @@ void HTTP2_Analyzer::HTTP2_EndEntity(bool orig, unsigned stream){ if ( http2_end_entity ){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); DEBUG_DBG("http2_end_entity\n"); this->ConnectionEvent(http2_end_entity, vl); } @@ -621,9 +621,9 @@ void HTTP2_Analyzer::HTTP2_EntityData(bool orig, unsigned stream, int len, const if ( http2_entity_data ){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); - vl->append(new Val(len, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); + vl->append(val_mgr->GetCount(len)); vl->append(new StringVal(len, data)); DEBUG_DBG("http2_entity_data\n"); this->ConnectionEvent(http2_entity_data, vl); 
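Review bot: In HTTP2_EntityData, `val_mgr->GetCount(len)` and `new StringVal(len, data)` take a `len` declared as `int`, so a negative value would be widened to a very large count and string length; the sibling frame events in this file (HTTP2_Data_Event, HTTP2_Header_Event) declare their length as `uint32_t`. I can't see the callers, so a negative value may be unreachable, but declaring the parameter `uint32_t len` here as well, or guarding with `if ( len < 0 ) return;` before the val_list is built, keeps the conversion from being silent. The header's doc comment for this method would need the matching type change.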
@@ -634,24 +634,24 @@ void HTTP2_Analyzer::HTTP2_ContentType(bool orig, unsigned stream, std::string& if ( http2_content_type ){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); vl->append(new StringVal(contentType)); DEBUG_DBG("http2_content_type\n"); this->ConnectionEvent(http2_content_type, vl); } } -/* +/* ** Frame Processing Events */ void HTTP2_Analyzer::HTTP2_Data_Event(bool orig, unsigned stream, uint32_t len, const char* data){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); - vl->append(new Val(len, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); + vl->append(val_mgr->GetCount(len)); vl->append(new StringVal(len, data)); DEBUG_INFO("http2_data_event\n"); this->ConnectionEvent(http2_data_event, vl); @@ -660,9 +660,9 @@ void HTTP2_Analyzer::HTTP2_Data_Event(bool orig, unsigned stream, uint32_t len, void HTTP2_Analyzer::HTTP2_Header_Event(bool orig, unsigned stream, uint32_t len, const char* headerData){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); - vl->append(new Val(len, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); + vl->append(val_mgr->GetCount(len)); vl->append(new StringVal(len, headerData)); DEBUG_INFO("http2_header_event\n"); this->ConnectionEvent(http2_header_event, vl); 
@@ -671,11 +671,11 @@ void HTTP2_Analyzer::HTTP2_Header_Event(bool orig, unsigned stream, uint32_t len void HTTP2_Analyzer::HTTP2_Priority_Event(bool orig, unsigned stream, bool exclusive, unsigned priStream, unsigned weight){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); - vl->append(new Val(exclusive, TYPE_BOOL)); - vl->append(new Val(priStream, TYPE_COUNT)); - vl->append(new Val(weight, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); + vl->append(val_mgr->GetBool(exclusive)); + vl->append(val_mgr->GetCount(priStream)); + vl->append(val_mgr->GetCount(weight)); DEBUG_INFO("http2_priority_event\n"); this->ConnectionEvent(http2_priority_event, vl); } @@ -683,8 +683,8 @@ void HTTP2_Analyzer::HTTP2_Priority_Event(bool orig, unsigned stream, bool exclu void HTTP2_Analyzer::HTTP2_RstStream_Event(bool orig, unsigned stream, const std::string& error){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); vl->append(new StringVal(error)); DEBUG_INFO("http2_rststream_event\n"); this->ConnectionEvent(http2_rststream_event, vl); @@ -693,8 +693,8 @@ void HTTP2_Analyzer::HTTP2_RstStream_Event(bool orig, unsigned stream, const std void HTTP2_Analyzer::HTTP2_Settings_Event(bool orig, uint32_t stream, RecordVal* settingsRecord) { val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); vl->append(settingsRecord); DEBUG_INFO("http2_settings_event\n"); this->ConnectionEvent(http2_settings_event, vl); 
@@ -704,10 +704,10 @@ void HTTP2_Analyzer::HTTP2_PushPromise_Event(bool orig, unsigned stream, unsigne uint32_t len, const char* headerData){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); - vl->append(new Val(pushStream, TYPE_COUNT)); - vl->append(new Val(len, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); + vl->append(val_mgr->GetCount(pushStream)); + vl->append(val_mgr->GetCount(len)); vl->append(new StringVal(len, headerData)); DEBUG_INFO("http2_pushpromise_event\n"); this->ConnectionEvent(http2_pushpromise_event, vl); @@ -716,8 +716,8 @@ void HTTP2_Analyzer::HTTP2_PushPromise_Event(bool orig, unsigned stream, unsigne void HTTP2_Analyzer::HTTP2_Ping_Event(bool orig, unsigned stream, uint8_t length, const char* data){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); vl->append(new StringVal(length, data)); DEBUG_INFO("http2_ping_event\n"); this->ConnectionEvent(http2_ping_event, vl); @@ -727,9 +727,9 @@ void HTTP2_Analyzer::HTTP2_GoAway_Event(bool orig, unsigned stream, unsigned las const std::string& error, uint32_t length, const char* data){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); - vl->append(new Val(lastStream, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); + vl->append(val_mgr->GetCount(lastStream)); vl->append(new StringVal(error)); DEBUG_INFO("http2_goaway_event\n"); this->ConnectionEvent(http2_goaway_event, vl); 
@@ -738,9 +738,9 @@ void HTTP2_Analyzer::HTTP2_GoAway_Event(bool orig, unsigned stream, unsigned las void HTTP2_Analyzer::HTTP2_WindowUpdate_Event(bool orig, unsigned stream, unsigned increment){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); - vl->append(new Val(increment, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); + vl->append(val_mgr->GetCount(increment)); DEBUG_INFO("http2_windowupdate_event\n"); this->ConnectionEvent(http2_windowupdate_event, vl); } @@ -748,9 +748,9 @@ void HTTP2_Analyzer::HTTP2_WindowUpdate_Event(bool orig, unsigned stream, unsign void HTTP2_Analyzer::HTTP2_Continuation_Event(bool orig, unsigned stream, uint32_t len, const char* headerData){ val_list* vl = new val_list(); vl->append(this->BuildConnVal()); - vl->append(new Val(orig, TYPE_BOOL)); - vl->append(new Val(stream, TYPE_COUNT)); - vl->append(new Val(len, TYPE_COUNT)); + vl->append(val_mgr->GetBool(orig)); + vl->append(val_mgr->GetCount(stream)); + vl->append(val_mgr->GetCount(len)); vl->append(new StringVal(len, headerData)); DEBUG_INFO("http2_continuation_event\n"); this->ConnectionEvent(http2_continuation_event, vl); diff --git a/src/HTTP2.h b/src/HTTP2.h index 7c8af4c..8de1285 100755 --- a/src/HTTP2.h +++ b/src/HTTP2.h @@ -37,14 +37,14 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { // Overriden from Analyzer. virtual void Done(); - + /** * void HTTP2_Analyzer::DeliverStream(int len, const u_char *data, bool orig) - * + * * Description: Point of injection for the TCP stream. This does - * not include the TCP header only the payload. + * not include the TCP header only the payload. + * * - * * @param len The length of the incoming data stream * @param data A reference to the stream data * @param orig Flag indicating whether the stream came from the 
@@ -52,25 +52,25 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { */ virtual void DeliverStream(int len, const u_char* data, bool orig); /** - * void HTTP2_Analyzer::Undelivered(uint64 seq, int len, bool orig) - * - * Description: + * void HTTP2_Analyzer::Undelivered(uint64_t seq, int len, bool orig) * - * - * @param seq - * @param len + * Description: + * + * + * @param seq + * @param len * @param orig Flag indicating whether the stream came from the * originator or receiver. */ - virtual void Undelivered(uint64 seq, int len, bool orig); + virtual void Undelivered(uint64_t seq, int len, bool orig); // Overriden from tcp::TCP_ApplicationAnalyzer. /** * void HTTP2_Analyzer::EndpointEOF(bool is_orig) - * + * * Description: * - * + * * @param is_orig Flag indicating whether the stream came from * the originator or receiver. */ @@ -88,11 +88,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { * stream, std::string method, std::string authority, * std::string host, std::string path, Val* unescaped, * bool push=false) - * + * * Description: Notification to Bro that an HTTP2 Request event * has occurred. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. 
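Review bot: The rewritten comment blocks for `Undelivered` and `EndpointEOF` still carry an empty `Description:` line and blank `@param seq` / `@param len` entries, so the whitespace cleanup leaves both overrides undocumented. From the .cc hunk, `Undelivered` forwards to `tcp::TCP_ApplicationAnalyzer::Undelivered` and then sets `had_gap = true`, so `Description: Records that a gap was seen in the TCP stream (sets had_gap) after notifying the base analyzer.` with `@param seq Sequence number at which the missing data starts` and `@param len Number of bytes missing` would do. The body of `EndpointEOF` is not in this diff, so its description has to come from someone who can see it. The enclosing class HTTP2_Analyzer starts before this hunk.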
@@ -103,17 +103,17 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { * @param unescaped description of the request unescaped path * @param push Whether this is a push promise transaction or not */ - void HTTP2_Request(bool orig, unsigned stream, std::string& method, - std::string& authority, std::string& host, + void HTTP2_Request(bool orig, unsigned stream, std::string& method, + std::string& authority, std::string& host, std::string& path, BroString* unescaped, bool push=false); /** * void HTTP2_Analyzer::HTTP2_Reply(bool orig, unsigned stream, Val *status) - * + * * Description: Notification to Bro that an HTTP2 Reply event * has occurred. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. @@ -122,11 +122,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void HTTP2_Reply(bool orig, unsigned stream, uint16_t status); /** * void HTTP2_Analyzer::HTTP2_StreamStart(bool orig, unsigned stream) - * + * * Description: Notification to Bro that an HTTP2 Stream has * been created. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. @@ -134,11 +134,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void HTTP2_StreamStart(bool orig, unsigned stream); /** * void HTTP2_Analyzer::HTTP2_StreamEnd(bool orig, unsigned stream) - * + * * Description: Notification to Bro that an HTTP2 Stream has * ended. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. 
@@ -148,7 +148,7 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { * Description: Notification to Bro that an HTTP2 Header event * has occurred. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. @@ -159,11 +159,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void HTTP2_Header(bool orig, unsigned stream, std::string& name, std::string& value); /** * void HTTP2_Analyzer::HTTP2_AllHeaders(bool orig, unsigned stream, HTTP2_HeaderList *hlist) - * + * * Description: Notification to Bro that an HTTP2 All Headers event * has occurred. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. @@ -173,11 +173,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { /** * void HTTP2_Analyzer::HTTP2_BeginEntity(bool orig, unsigned * stream, std::string contentType) - * + * * Description: Notification to Bro that an HTTP2 Message Entity * has been created. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. @@ -187,11 +187,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void HTTP2_BeginEntity(bool orig, unsigned stream, std::string& contentType); /** * void HTTP2_Analyzer::HTTP2_EndEntity(bool orig, unsigned stream) - * + * * Description: Notification to Bro that an HTTP2 Message Entity * has completed processing. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. 
@@ -199,11 +199,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void HTTP2_EndEntity(bool orig, unsigned stream); /** * void HTTP2_Analyzer::HTTP2_EntityData(bool orig, unsigned stream, int len, const char *data) - * + * * Description: Notification to Bro that an HTTP2 Message Entity * block has been processed. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. @@ -214,11 +214,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { /** * void HTTP2_Analyzer::HTTP2_ContentType(bool orig, unsigned * stream, std::string contentType) - * + * * Description: Notification to Bro that an HTTP2 Message Entity * content type has been updated. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. 
@@ -231,45 +231,45 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { * unsigned stream, * std::string * encodingType) - * + * * Description: Notification to Bro that an HTTP2 Message Entity * data event has occured. (i.e. a block of entity message body * data has been posted to the file manager) * - * + * * @param orig Flag indicating whether the stream came * from the originator or receiver. - * @param stream unique identifier for the stream. + * @param stream unique identifier for the stream. * @param encodingType The encoding type of the data message. */ void HTTP2_Data_Event(bool orig, unsigned stream, uint32_t len, const char* data); /** * void HTTP2_Analyzer::HTTP2_Header_Event(bool orig, unsigned * stream, uint32_t len, const char *headerData) - * + * * Description: Notification to Bro that an HTTP2 Header frame * has been received. * * @param orig Flag indicating whether the stream came * from the originator or receiver. - * @param stream unique identifier for the stream. + * @param stream unique identifier for the stream. * @param len length of the frame header. * @param headerData contents of the frame header. */ void HTTP2_Header_Event(bool orig, unsigned stream, uint32_t len, const char* headerData); /** * void HTTP2_Analyzer::HTTP2_Priority_Event(bool orig, unsigned stream, bool exclusive, unsigned priStream, unsigned weight) - * - * Description: Notification to Bro that an HTTP2 Priority frame - * has been received. - * + * + * Description: Notification to Bro that an HTTP2 Priority frame + * has been received. + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. - * @param exclusive indication of whether or not the priority is + * @param exclusive indication of whether or not the priority is * exclusive. * @param priStream the stream id associated with the stream - * that the receiving stream depends on. + * that the receiving stream depends on. 
* @param weight used to determine the relative proportion of * available resources that are assigned to * streams dependent on the same stream. @@ -277,11 +277,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void HTTP2_Priority_Event(bool orig, unsigned stream, bool exclusive, unsigned priStream, unsigned weight); /** * void HTTP2_Analyzer::HTTP2_RstStream_Event(bool orig, unsigned stream, const char *error) - * + * * Description: Notification to Bro that an HTTP2 Reset Stream * frame has been received. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. @@ -290,11 +290,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void HTTP2_RstStream_Event(bool orig, unsigned stream, const std::string& error); /** * void HTTP2_Analyzer::HTTP2_Settings_Event(bool orig, unsigned stream, RecordVal* settingsRecord) - * + * * Description: Notification to Bro that an HTTP2 Settings frame - * has been received. + * has been received. + * * - * * @param orig Flag indicating whether the stream * came from the originator or receiver. * @param stream unique identifier for the stream. @@ -303,11 +303,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void HTTP2_Settings_Event(bool orig, uint32_t stream, RecordVal* settingsRecord); /** * void HTTP2_Analyzer::HTTP2_PushPromise_Event(bool orig, unsigned stream, unsigned pushStream) - * + * * Description: Notification to Bro that an HTTP2 Push Promise * frame has been received. * - * + * * @param orig Flag indicating whether the stream came * from the originator or receiver. * @param stream unique identifier for the stream, for 
@@ -320,11 +320,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void HTTP2_PushPromise_Event(bool orig, unsigned stream, unsigned pushStream, uint32_t len, const char* headerData); /** * void HTTP2_Analyzer::HTTP2_Ping_Event(bool orig, unsigned stream, const char *data) - * - * Description: Notification to Bro that an HTTP2 Ping frame - * has been received. * - * + * Description: Notification to Bro that an HTTP2 Ping frame + * has been received. + * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. @@ -334,29 +334,29 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void HTTP2_Ping_Event(bool orig, unsigned stream, uint8_t length, const char* data); /** * void HTTP2_Analyzer::HTTP2_GoAway_Event(bool orig, unsigned stream, unsigned lastStream, const char *error) - * - * Description: Notification to Bro that an HTTP2 Go Away frame - * has been received. * - * + * Description: Notification to Bro that an HTTP2 Go Away frame + * has been received. + * + * * @param orig Flag indicating whether the stream came * from the originator or receiver. * @param stream unique identifier for the stream. * @param lastStream unique identifier for the last valid * stream. - * @param error reason for the goaway event. + * @param error reason for the goaway event. * @param length length of debug data. - * @param data debug data. - * + * @param data debug data. + * */ void HTTP2_GoAway_Event(bool orig, unsigned stream, unsigned lastStream, const std::string& error, uint32_t length, const char* data); /** * void HTTP2_Analyzer::HTTP2_WindowUpdate_Event(bool orig, unsigned stream, unsigned increment) - * + * * Description: Notification to Bro that an HTTP2 Window Update * frame has been received. * - * + * * @param orig Flag indicating whether the stream came from the * originator or receiver. * @param stream unique identifier for the stream. 
@@ -365,14 +365,14 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void HTTP2_WindowUpdate_Event(bool orig, unsigned stream, unsigned increment); /** * void HTTP2_Analyzer::HTTP2_Continuation_Event(bool orig, unsigned stream) - * + * * Description: Notification to Bro that an HTTP2 Continuation * frame has been received. * - * + * * @param orig Flag indicating whether the stream came * from the originator or receiver. - * @param stream unique identifier for the stream. + * @param stream unique identifier for the stream. * @param len length of the frame header. * @param headerData contents of the frame header. */ @@ -380,12 +380,12 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { /** * void HTTP2_Analyzer::HTTP2_Event(std::string& category, * std::string& detail) - * + * * Description: Indication that an HTTP2 event has occured. * - * + * * @param category description of the category of event - * @param detail event details + * @param detail event details */ void HTTP2_Event(std::string& category, std::string& detail); @@ -406,7 +406,7 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { void destroyStreams(); HTTP2_Stream* getStream(uint32_t stream_id, bool orig); void removeStream(HTTP2_Stream* s); - void flushStreams(uint32_t id); + void flushStreams(uint32_t id); // Packet fragmentation management. void initReassemblers(void); @@ -416,7 +416,7 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { /** * bool connectionPrefaceDetected(int len, const u_char *data) - * + * * Description: Indication of whether or not the HTTP2 * connection preface has been detected within the supplied data * stream. 
@@ -424,14 +424,14 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { * * @param len length of data array * @param data reference to data stream. - * + * * @return bool indication of detection. */ bool connectionPrefaceDetected(int len, const u_char* data); /** * void analyzer/http2/HTTP2_Analyzer::handleFrameEvents(HTTP2_Frame *frame, bool orig, uint32_t stream_id) - * + * * Description: Manages Posting of Bro events associated with * incoming frames on non-stream0 streams. * @@ -439,7 +439,7 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { * associated. * @param orig Flag indicating whether the stream came from * the originator or receiver. - * @param stream unique identifier for the stream. + * @param stream unique identifier for the stream. */ void handleFrameEvents(HTTP2_Frame* frame, bool orig, uint32_t stream_id); @@ -460,11 +460,11 @@ class HTTP2_Analyzer : public tcp::TCP_ApplicationAnalyzer { uint32_t lastStreams[2]; uint32_t goAwayStream; - HTTP2_FrameReassembler* reassemblers; + HTTP2_FrameReassembler* reassemblers; nghttp2_hd_inflater* inflaters[2]; std::unordered_map streams; }; -} } // namespace analyzer::* +} } // namespace analyzer::* #endif diff --git a/src/HTTP2_HeaderStorage.cc b/src/HTTP2_HeaderStorage.cc index 8150856..640d9db 100755 --- a/src/HTTP2_HeaderStorage.cc +++ b/src/HTTP2_HeaderStorage.cc @@ -64,7 +64,7 @@ TableVal* HTTP2_HeaderList::BuildHeaderTable(void) for (unsigned int i = 0; i < this->headers.size(); ++i) { - Val* index = new Val(i+1, TYPE_COUNT); // index starting from 1 + Val* index = val_mgr->GetCount(i+1); // index starting from 1 RecordVal* header_record = BuildHeaderVal(this->headers[i]); t->Assign(index, header_record); diff --git a/src/HTTP2_Stream.cc b/src/HTTP2_Stream.cc index 799e3d3..0e4510f 100755 --- a/src/HTTP2_Stream.cc +++ b/src/HTTP2_Stream.cc 
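Review bot: The `Val*` returned by `val_mgr->GetCount(i+1)` on the new line in `BuildHeaderTable` carries a reference the caller owns, and if I read the Zeek 3.0 API correctly `TableVal::Assign` takes ownership of the value but not of the index, so unless an `Unref(index);` follows the `t->Assign(index, header_record);` call (outside this hunk) one reference per header is leaked just as it was with the old `new Val(...)`. Because this loop runs once per header list decoded from the wire, and values past the manager's preallocated range are freshly allocated, the leak would grow with traffic rather than stay bounded. Worth confirming against the rest of the loop and adding the `Unref(index);` if it is missing. The enclosing `BuildHeaderTable` starts and ends outside the hunk.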
@@ -300,7 +300,7 @@ void HTTP2_HalfStream::processData(HTTP2_Data_Frame* data)
 // Generate a unique file id for the file being transferred
 if(this->precomputed_file_id.empty()){
 char tmp[16];
- uint64 uid = calculate_unique_id(UID_POOL_DEFAULT_SCRIPT);
+ uint64_t uid = calculate_unique_id(UID_POOL_DEFAULT_SCRIPT);
 this->precomputed_file_id = uitoa_n(uid, tmp, sizeof(tmp), 62, "F");
 }
 if ( http2_begin_entity )
@@ -893,12 +893,18 @@ bool HTTP2_Stream::handleStreamEnd()
 {
 if (http2_stream_end) {
 RecordVal* stream_stats = new RecordVal(BifType::Record::http2_stream_stat);
 // process is_orig == true first
- stream_stats->Assign(0, new Val(static_cast\
- (this->halfStreams[1]->getDataSize()),
- TYPE_COUNT));
- stream_stats->Assign(1, new Val(static_cast\
- (this->halfStreams[0]->getDataSize()),
- TYPE_COUNT));
+ stream_stats->Assign(
+ 0, val_mgr->GetCount(
+ static_cast(this->halfStreams[1]->getDataSize())
+ )
+ );
+
+ stream_stats->Assign(
+ 1, val_mgr->GetCount(
+ static_cast(this->halfStreams[0]->getDataSize())
+ )
+ );
+
 this->analyzer->HTTP2_StreamEnd(this->id, stream_stats);
 }
diff --git a/src/Plugin.cc b/src/Plugin.cc
index 57edc9b..da403ca 100755
--- a/src/Plugin.cc
+++ b/src/Plugin.cc
@@ -1,5 +1,6 @@
 #include "Plugin.h"
 #include "HTTP2.h"
+#include "analyzer/Component.h"
 namespace plugin { namespace mitrecnd_HTTP2 { Plugin plugin; }}
@@ -13,6 +14,7 @@ plugin::Configuration Plugin::Configure()
 config.description = "Hypertext Transfer Protocol Version 2 analyzer";
 config.name = "mitrecnd::HTTP2";
 config.version.major = 0;
- config.version.minor = 4;
+ config.version.minor = 5;
+ config.version.patch = 0;
 return config;
 }
diff --git a/tests/Scripts/diff-remove-timestamps b/tests/Scripts/diff-remove-timestamps
new file mode 100755
index 0000000..325268d
--- /dev/null
+++ b/tests/Scripts/diff-remove-timestamps
@@ -0,0 +1,13 @@
+#! /usr/bin/env bash
+#
+# Replace anything which looks like timestamps with XXXs (including the #start/end markers in logs).
+
+# Get us "modern" regexps with sed.
+if [ `uname` == "Linux" ]; then
+ sed="sed -r"
+else
+ sed="sed -E"
+fi
+
+$sed 's/(0\.000000)|([0-9]{9,10}\.[0-9]{2,8})/XXXXXXXXXX.XXXXXX/g' | \
+$sed 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g'
diff --git a/tests/Scripts/get-bro-env b/tests/Scripts/get-bro-env
deleted file mode 100755
index b568b8b..0000000
--- a/tests/Scripts/get-bro-env
+++ /dev/null
@@ -1,21 +0,0 @@
-#! /bin/sh
-#
-# BTest helper for getting values for Bro-related environment variables.
-
-base=`dirname $0`
-bro=`cat ${base}/../../build/CMakeCache.txt | grep BRO_DIST | cut -d = -f 2`
-
-if [ "$1" = "brobase" ]; then
- echo ${bro}
-elif [ "$1" = "bropath" ]; then
- ${bro}/build/bro-path-dev
-elif [ "$1" = "bro_plugin_path" ]; then
- ( cd ${base}/../.. && pwd )
-elif [ "$1" = "bro_seed_file" ]; then
- echo ${bro}/testing/btest/random.seed
-elif [ "$1" = "path" ]; then
- echo ${bro}/build/src:${bro}/aux/btest:${base}/:${bro}/aux/bro-cut:$PATH
-else
- echo "usage: `basename $0` " >&2
- exit 1
-fi
diff --git a/tests/Scripts/get-zeek-env b/tests/Scripts/get-zeek-env
new file mode 100755
index 0000000..2720378
--- /dev/null
+++ b/tests/Scripts/get-zeek-env
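Review bot: The platform probe `if [ `uname` == "Linux" ]; then` uses an unquoted command substitution and the bash-only `==`; if `uname` prints nothing or fails, `[` is left with a malformed expression and the canonifier aborts instead of filtering. Prefer `if [ "$(uname)" = "Linux" ]; then`. If every host that runs the test suite ships GNU sed 4.2 or newer (which also accepts `-E`) or a BSD sed, the branch can be dropped and both invocations can simply use `sed -E`; that is an assumption about the test hosts to confirm before simplifying.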
@@ -0,0 +1,36 @@
+#! /bin/sh
+#
+# BTest helper for getting values for Zeek-related environment variables.
+
+base=`dirname $0`
+zeek_dist=`cat ${base}/../../build/CMakeCache.txt | grep ZEEK_DIST | cut -d = -f 2`
+
+if [ -n "${zeek_dist}" ]; then
+ if [ "$1" = "zeekpath" ]; then
+ ${zeek_dist}/build/zeek-path-dev
+ elif [ "$1" = "zeek_plugin_path" ]; then
+ ( cd ${base}/../.. && pwd )
+ elif [ "$1" = "path" ]; then
+ echo ${zeek_dist}/build/src:${zeek_dist}/aux/btest:${base}/:${zeek_dist}/aux/zeek-cut:$PATH
+ else
+ echo "usage: `basename $0` " >&2
+ exit 1
+ fi
+else
+ # Use Zeek installation for testing. In this case zeek-config must be in PATH.
+ if ! which zeek-config >/dev/null; then
+ echo "zeek-config not found" >&2
+ exit 1
+ fi
+
+ if [ "$1" = "zeekpath" ]; then
+ zeek-config --zeekpath
+ elif [ "$1" = "zeek_plugin_path" ]; then
+ ( cd ${base}/../.. && pwd )
+ elif [ "$1" = "path" ]; then
+ echo ${PATH}
+ else
+ echo "usage: `basename $0` " >&2
+ exit 1
+ fi
+fi
diff --git a/tests/btest.cfg b/tests/btest.cfg
index e446250..86f2362 100644
--- a/tests/btest.cfg
+++ b/tests/btest.cfg
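Review bot: `grep ZEEK_DIST` on the new `zeek_dist=` line matches any cache entry whose name merely contains that string, and `cut -d = -f 2` keeps only the text between the first and second `=`, so a second matching entry yields a multi-line value and the unquoted `${zeek_dist}/build/zeek-path-dev` then executes something other than the intended helper. Anchoring on the key is safer: `zeek_dist=$(sed -n 's/^ZEEK_DIST:[A-Z]*=//p' "${base}/../../build/CMakeCache.txt" 2>/dev/null)`, with `"${zeek_dist}"` quoted wherever it is expanded. `which zeek-config` is not POSIX and its exit status differs between implementations; `command -v zeek-config >/dev/null 2>&1` is the portable test for a `#! /bin/sh` script. Note also that the installed-Zeek branch's `path` case echoes `${PATH}` unchanged, so `${base}/` is only on the test PATH in the ZEEK_DIST branch; if any test calls a helper from `tests/Scripts` by bare name it will only work against a source build.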
@@ -6,14 +6,12 @@ IgnoreDirs = .svn CVS .tmp
 IgnoreFiles = *.tmp *.swp #* *.trace .DS_Store
 
 [environment]
-BROBASE=`%(testbase)s/Scripts/get-bro-env brobase`
-BROPATH=`%(testbase)s/Scripts/get-bro-env bropath`
-BRO_PLUGIN_PATH=`%(testbase)s/Scripts/get-bro-env bro_plugin_path`
-BRO_SEED_FILE=`%(testbase)s/Scripts/get-bro-env bro_seed_file`
-PATH=`%(testbase)s/Scripts/get-bro-env path`
+ZEEKPATH=`%(testbase)s/Scripts/get-zeek-env zeekpath`
+ZEEK_PLUGIN_PATH=`%(testbase)s/Scripts/get-zeek-env zeek_plugin_path`
+ZEEK_SEED_FILE=%(testbase)s/random.seed
+PATH=`%(testbase)s/Scripts/get-zeek-env path`
 TZ=UTC
 LC_ALL=C
 TRACES=%(testbase)s/Traces
 TMPDIR=%(testbase)s/.tmp
-BRO_TRACES=`%(testbase)s/Scripts/get-bro-env brobase`/testing/btest/Traces
-TEST_DIFF_CANONIFIER=`%(testbase)s/Scripts/get-bro-env brobase`/testing/scripts/diff-canonifier
+TEST_DIFF_CANONIFIER=%(testbase)s/Scripts/diff-remove-timestamps
diff --git a/tests/http2/load_analyzer.bro b/tests/http2/load_analyzer.zeek
similarity index 56%
rename from tests/http2/load_analyzer.bro
rename to tests/http2/load_analyzer.zeek
index 551effb..d009165 100644
--- a/tests/http2/load_analyzer.bro
+++ b/tests/http2/load_analyzer.zeek
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: zeek %INPUT >output
 # @TEST-EXEC: btest-diff output
 
 @load http2
diff --git a/tests/http2/load_intel.bro b/tests/http2/load_intel.zeek
similarity index 64%
rename from tests/http2/load_intel.bro
rename to tests/http2/load_intel.zeek
index 5b079be..db7ff84 100644
--- a/tests/http2/load_intel.bro
+++ b/tests/http2/load_intel.zeek
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: zeek %INPUT >output
 # @TEST-EXEC: btest-diff output
 
 @load http2
diff --git a/tests/http2/show-plugin.bro b/tests/http2/show-plugin.bro
deleted file mode 100644
index df817b0..0000000
--- a/tests/http2/show-plugin.bro
+++ /dev/null
@@ -1,2 +0,0 @@
-# @TEST-EXEC: bro -NN mitrecnd::HTTP2 |sed -e 's/version.*)/version)/g' >output
-# @TEST-EXEC: btest-diff output
diff --git a/tests/http2/show-plugin.zeek b/tests/http2/show-plugin.zeek
new file mode 100644
index 0000000..a35a202
--- /dev/null
+++ b/tests/http2/show-plugin.zeek
@@ -0,0 +1,2 @@
+# @TEST-EXEC: zeek -NN mitrecnd::HTTP2 |sed -e 's/version.*)/version)/g' >output
+# @TEST-EXEC: btest-diff output
diff --git a/tests/random.seed b/tests/random.seed
new file mode 100644
index 0000000..6956a2c
--- /dev/null
+++ b/tests/random.seed
@@ -0,0 +1,21 @@
+2983378351
+1299727368
+0
+310447
+0
+1409073626
+3975311262
+34130240
+1450515018
+1466150520
+1342286698
+1193956778
+2188527278
+3361989254
+3912865238
+3596260151
+517973768
+1462428821
+0
+2278350848
+32767
diff --git a/zkg.meta b/zkg.meta
new file mode 100755
index 0000000..93a2a13
--- /dev/null
+++ b/zkg.meta
@@ -0,0 +1,11 @@
+[package]
+description = A HTTP2 protocol analyzer for the Zeek NSM.
+tags = zeek plugin, protocol analyzer, http2, intel
+script_dir = scripts
+depends =
+ zeek >=3.0.0
+external_depends =
+ libnghttp2>=1.11.0
+ libbrotlidec>=1.0.0
+build_command = ./configure --zeek-dist=%(zeek_dist)s && make
+test_command = make test