From 0cec3d140323188ea0b781a195a5f272d8aba3bf Mon Sep 17 00:00:00 2001
From: Scott Campbell
Date: Fri, 15 Oct 2021 17:48:34 -0700
Subject: [PATCH] Why: Update code to work with zeek v4.x

* This change addresses the need by:
*

---
 cookiecutter.json | 2 +-
 hooks/post_gen_project.sh | 2 +-
 {{ cookiecutter.project_slug }}/src/Plugin.cc | 4 +-
 .../src/{{ cookiecutter.protocol_name }}.cc | 18 ++--
 .../src/{{ cookiecutter.protocol_name }}.h | 4 +-
 ...cutter.protocol_name|lower }}-analyzer.pac | 2 +-
 ...{{ cookiecutter.protocol_name|lower }}.pac | 4 +-
 .../zeek_v4.0/src/Plugin.cc | 28 ++++++
 .../src/{{ cookiecutter.protocol_name }}.cc | 95 +++++++++++++++++++
 .../src/{{ cookiecutter.protocol_name }}.h | 47 +++++++++
 10 files changed, 188 insertions(+), 18 deletions(-)
 create mode 100644 {{ cookiecutter.project_slug }}/zeek_v4.0/src/Plugin.cc
 create mode 100644 {{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.cc
 create mode 100644 {{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.h

diff --git a/cookiecutter.json b/cookiecutter.json
index 63c094e..8a525cc 100644
--- a/cookiecutter.json
+++ b/cookiecutter.json
@@ -8,7 +8,7 @@
 "project_credits": "Alice , Bob ",
 "project_namespace": "Local",
- "zeek_version": "Automatically determined from the installed version, or '3.2' if zeek-config not found",
+ "zeek_version": "Automatically determined from the installed version, or '4.0' if zeek-config not found",
 "metadata_tags": "network, evil, rfc3514",
diff --git a/hooks/post_gen_project.sh b/hooks/post_gen_project.sh
index adc8e0e..65bc7a6 100644
--- a/hooks/post_gen_project.sh
+++ b/hooks/post_gen_project.sh
@@ -4,7 +4,7 @@ if [ -d "zeek_v{{ cookiecutter.zeek_version }}" ]
 then
 SOURCE="zeek_v{{ cookiecutter.zeek_version }}"
 else
- VERSION=$(zeek-config --version || echo "3.2")
+ VERSION=$(zeek-config --version || echo "4.0")
 VERSION=$(echo "$VERSION" | cut -f -2 -d.)
 SOURCE="zeek_v$VERSION"
 fi
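Review bot: The new default only covers the one directory this commit adds: `VERSION=$(echo "$VERSION" | cut -f -2 -d.)` turns a Zeek 4.1 or 4.2 install into `SOURCE="zeek_v4.1"` / `zeek_v4.2`, which do not exist in the diffstat, and what the hook does with a missing `$SOURCE` is outside the hunk. If the `zeek_v4.0` sources are meant to serve all of 4.x as the commit title says, clamp after the cut, e.g. `case "$VERSION" in 4.*) VERSION="4.0" ;; esac`. Also worth confirming: the diffstat shows `zeek_v4.0/src` holding only Plugin.cc and the analyzer .cc/.h, while the `bro.pac`→`zeek.pac` and `bro_analyzer`→`zeek_analyzer` renames in this same commit live only under `src/`, so how the hook merges `$SOURCE` into `src/` decides whether a generated 4.x project still gets the renamed .pac files. The `if` that opens this block is the hunk's context line; the script continues past `fi`.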
diff --git a/{{ cookiecutter.project_slug }}/src/Plugin.cc b/{{ cookiecutter.project_slug }}/src/Plugin.cc
index 6d2eb5a..0b437ca 100644
--- a/{{ cookiecutter.project_slug }}/src/Plugin.cc
+++ b/{{ cookiecutter.project_slug }}/src/Plugin.cc
@@ -11,8 +11,8 @@ using namespace plugin::{{ cookiecutter.project_namespace }}_{{ cookiecutter.pro
 zeek::plugin::Configuration Plugin::Configure()
 {
- AddComponent(new ::zeek::analyzer::Component("{{ cookiecutter.protocol_name }}",
- ::analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Analyzer::InstantiateAnalyzer));
+ AddComponent(new zeek::analyzer::Component("{{ cookiecutter.protocol_name }}",
+ analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Analyzer::InstantiateAnalyzer));
 zeek::plugin::Configuration config;
diff --git a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.cc b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.cc
index 9cbdab3..3fad210 100644
--- a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.cc
+++ b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.cc
@@ -14,9 +14,9 @@ using namespace analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.p
 {{ cookiecutter.protocol_name }}_Analyzer::{{ cookiecutter.protocol_name }}_Analyzer(zeek::Connection* c)
 {% if tcp %}
-: tcp::TCP_ApplicationAnalyzer("{{ cookiecutter.protocol_name }}", c)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("{{ cookiecutter.protocol_name }}", c)
 {% elif udp %}
-: analyzer::Analyzer("{{ cookiecutter.protocol_name }}", c)
+: zeek::analyzer::Analyzer("{{ cookiecutter.protocol_name }}", c)
 {% endif %}
 {
 interp = new binpac::{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Conn(this);
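Review bot: Dropping the leading `::` on the second `AddComponent` argument makes `analyzer::…::InstantiateAnalyzer` resolve by ordinary lookup, and this plugin declares its analyzer in the global `analyzer` namespace (the `.h` in this commit opens `namespace analyzer { namespace … {`) while the Zeek 4 API it now names lives in `zeek::analyzer`; the two only stay distinct as long as no `using namespace zeek` is ever in scope in this translation unit. Keeping the rooted spelling on that one line costs nothing and removes the ambiguity: `::analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Analyzer::InstantiateAnalyzer));`. `Plugin::Configure()` continues past the end of the hunk.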
@@ -33,7 +33,7 @@ using namespace analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.p
 void {{ cookiecutter.protocol_name }}_Analyzer::Done()
 {
 {% if tcp %}
- tcp::TCP_ApplicationAnalyzer::Done();
+ zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 interp->FlowEOF(true);
 interp->FlowEOF(false);
@@ -44,13 +44,13 @@ void {{ cookiecutter.protocol_name }}_Analyzer::Done()
 {% if tcp %}
 void {{ cookiecutter.protocol_name }}_Analyzer::EndpointEOF(bool is_orig)
 {
- tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+ zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 interp->FlowEOF(is_orig);
 }
 void {{ cookiecutter.protocol_name }}_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 {
- tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+ zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 assert(TCP());
 if ( TCP()->IsPartial() )
@@ -67,19 +67,19 @@ void {{ cookiecutter.protocol_name }}_Analyzer::DeliverStream(int len, const u_c
 }
 catch ( const binpac::Exception& e )
 {
- ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
 }
 }
 void {{ cookiecutter.protocol_name }}_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 {
- tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+ zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 had_gap = true;
 interp->NewGap(orig, len);
 }
 {% elif udp %}
 void {{ cookiecutter.protocol_name }}_Analyzer::DeliverPacket(int len, const u_char* data,
- bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
+ bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
 {
 Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
@@ -89,7 +89,7 @@ void {{ cookiecutter.protocol_name }}_Analyzer::DeliverPacket(int len, const u_c
 }
 catch ( const binpac::Exception& e )
 {
- ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
 }
 }
 {% endif %}
diff --git a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.h b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.h
index 224a2e0..0e81cf1 100644
--- a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.h
+++ b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.h
@@ -15,7 +15,7 @@
 namespace analyzer { namespace {{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }} {
-class {{ cookiecutter.protocol_name }}_Analyzer{% if tcp -%}: public tcp::TCP_ApplicationAnalyzer{% elif udp -%}: public ::zeek::analyzer::Analyzer{% endif %}
+class {{ cookiecutter.protocol_name }}_Analyzer{% if tcp -%}: public zeek::analyzer::tcp::TCP_ApplicationAnalyzer{% elif udp -%}: public ::zeek::analyzer::Analyzer{% endif %}
 {
 public:
 {{ cookiecutter.protocol_name }}_Analyzer(zeek::Connection* conn);
@@ -31,7 +31,7 @@ class {{ cookiecutter.protocol_name }}_Analyzer{% if tcp -%}: public tcp::TCP_Ap
 virtual void EndpointEOF(bool is_orig);
 {% elif udp %}
 virtual void DeliverPacket(int len, const u_char* data, bool orig,
- uint64_t seq, const IP_Hdr* ip, int caplen);
+ uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
 {% endif %}
 static ::zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn)
diff --git a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}-analyzer.pac b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}-analyzer.pac
index 5adaaff..e99a905 100644
--- a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}-analyzer.pac
+++ b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}-analyzer.pac
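Review bot: The rewritten base-class line in the `.h` hunk qualifies the TCP branch as `zeek::analyzer::tcp::TCP_ApplicationAnalyzer` but leaves the UDP branch on the same line as `::zeek::analyzer::Analyzer`, and `InstantiateAnalyzer` a few lines down still returns `::zeek::analyzer::Analyzer*`; mixing rooted and unrooted spellings of one namespace inside a single declaration makes a reader wonder whether the difference is deliberate. Pick one form for the whole header, e.g. `{% if tcp -%}: public ::zeek::analyzer::tcp::TCP_ApplicationAnalyzer{% elif udp -%}: public ::zeek::analyzer::Analyzer{% endif %}`. The class body continues outside both `.h` hunks.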
@@ -3,7 +3,7 @@ refine flow {{ cookiecutter.protocol_name }}_Flow += {
 function proc_{{ cookiecutter.protocol_name|lower }}_message(msg: {{ cookiecutter.protocol_name }}_PDU): bool
 %{
- zeek::BifEvent::enqueue_{{ cookiecutter.protocol_name|lower }}_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn());
+ zeek::BifEvent::enqueue_{{ cookiecutter.protocol_name|lower }}_event(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn());
 return true;
 %}
 };
diff --git a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}.pac b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}.pac
index 8a1e1c5..6b1a60e 100644
--- a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}.pac
+++ b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}.pac
@@ -5,7 +5,7 @@
 # - {{ cookiecutter.protocol_name|lower }}-analyzer.pac: describes the {{ cookiecutter.protocol_name }} analyzer code
 %include binpac.pac
-%include bro.pac
+%include zeek.pac
 %extern{
 #include "events.bif.h"
@@ -17,7 +17,7 @@ analyzer {{ cookiecutter.protocol_name }} withcontext {
 };
 # Our connection consists of two flows, one in each direction.
-connection {{ cookiecutter.protocol_name }}_Conn(bro_analyzer: BroAnalyzer) {
+connection {{ cookiecutter.protocol_name }}_Conn(zeek_analyzer: ZeekAnalyzer) {
 upflow = {{ cookiecutter.protocol_name }}_Flow(true);
 downflow = {{ cookiecutter.protocol_name }}_Flow(false);
 };
diff --git a/{{ cookiecutter.project_slug }}/zeek_v4.0/src/Plugin.cc b/{{ cookiecutter.project_slug }}/zeek_v4.0/src/Plugin.cc
new file mode 100644
index 0000000..0b437ca
--- /dev/null
+++ b/{{ cookiecutter.project_slug }}/zeek_v4.0/src/Plugin.cc
@@ -0,0 +1,28 @@
+// Generated by binpac_quickstart
+
+#include "Plugin.h"
+#include "analyzer/Component.h"
+
+#include "{{ cookiecutter.protocol_name }}.h"
+
+namespace plugin { namespace {{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }} { Plugin plugin; } }
+
+using namespace plugin::{{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }};
+
+zeek::plugin::Configuration Plugin::Configure()
+ {
+ AddComponent(new zeek::analyzer::Component("{{ cookiecutter.protocol_name }}",
+ analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Analyzer::InstantiateAnalyzer));
+
+ zeek::plugin::Configuration config;
+
+ config.name = "{{ cookiecutter.project_namespace }}::{{ cookiecutter.protocol_name }}";
+ config.description = "{{ cookiecutter.project_name }}";
+
+ config.version.major = 0;
+ config.version.minor = 1;
+ config.version.patch = 0;
+
+ return config;
+ }
+
diff --git a/{{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.cc b/{{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.cc
new file mode 100644
index 0000000..3fad210
--- /dev/null
+++ b/{{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.cc
@@ -0,0 +1,95 @@
+{% set tcp = cookiecutter.L4_protocol == "TCP" -%}
+{% set udp = cookiecutter.L4_protocol == "UDP" -%}
+// Generated by binpac_quickstart
+
+#include "{{ cookiecutter.protocol_name }}.h"
+{% if tcp %}
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
+{% endif %}
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }};
+
+{{ cookiecutter.protocol_name }}_Analyzer::{{ cookiecutter.protocol_name }}_Analyzer(zeek::Connection* c)
+{% if tcp %}
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("{{ cookiecutter.protocol_name }}", c)
+{% elif udp %}
+: zeek::analyzer::Analyzer("{{ cookiecutter.protocol_name }}", c)
+{% endif %}
+ {
+ interp = new binpac::{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Conn(this);
+ {% if tcp %}
+ had_gap = false;
+ {% endif %}
+ }
+
+{{ cookiecutter.protocol_name }}_Analyzer::~{{ cookiecutter.protocol_name }}_Analyzer()
+ {
+ delete interp;
+ }
+
+void {{ cookiecutter.protocol_name }}_Analyzer::Done()
+ {
+ {% if tcp %}
+ zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
+
+ interp->FlowEOF(true);
+ interp->FlowEOF(false);
+ {% elif udp %}
+ Analyzer::Done();
+ {% endif %}
+ }
+{% if tcp %}
+void {{ cookiecutter.protocol_name }}_Analyzer::EndpointEOF(bool is_orig)
+ {
+ zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+ interp->FlowEOF(is_orig);
+ }
+
+void {{ cookiecutter.protocol_name }}_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+ {
+ zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+ assert(TCP());
+ if ( TCP()->IsPartial() )
+ return;
+
+ if ( had_gap )
+ // If only one side had a content gap, we could still try to
+ // deliver data to the other side if the script layer can handle this.
+ return;
+
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
+ }
+ }
+
+void {{ cookiecutter.protocol_name }}_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
+ {
+ zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+ had_gap = true;
+ interp->NewGap(orig, len);
+ }
+{% elif udp %}
+void {{ cookiecutter.protocol_name }}_Analyzer::DeliverPacket(int len, const u_char* data,
+ bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
+ {
+ Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
+ }
+ }
+{% endif %}
diff --git a/{{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.h b/{{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.h
new file mode 100644
index 0000000..0e81cf1
--- /dev/null
+++ b/{{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.h
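Review bot: Once `Undelivered` sets `had_gap = true`, every later `DeliverStream` call returns before `interp->NewData`, so one reassembly gap (a lost segment at the sensor, or one an attacker induces) silently switches off parsing for both directions for the rest of the connection, and nothing from this analyzer tells the script layer that it stopped — the generic reassembler gap event does not say which parser gave up. The comment above the early return already admits the one-sided case; at minimum make the state visible with `Weird("{{ cookiecutter.protocol_name|lower }}_content_gap");` next to `had_gap = true;` in `Undelivered`, or track the gap per direction so the intact side keeps being parsed. Separately, the UDP `DeliverPacket` hands `data + len` to `interp->NewData` without consulting `caplen`; that is safe only if the parent UDP analyzer has already clamped `len` to the captured length, which is worth confirming against the Zeek 4.0 core and is cheap to guard locally with `if ( len > caplen ) len = caplen;` before the `try`.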
@@ -0,0 +1,47 @@
+{% set tcp = cookiecutter.L4_protocol == "TCP" -%}
+{% set udp = cookiecutter.L4_protocol == "UDP" -%}
+// Generated by binpac_quickstart
+
+#pragma once
+
+#include "events.bif.h"
+
+{% if tcp %}
+#include "analyzer/protocol/tcp/TCP.h"
+{% elif udp %}
+#include "analyzer/protocol/udp/UDP.h"
+{% endif %}
+#include "{{ cookiecutter.protocol_name|lower }}_pac.h"
+
+namespace analyzer { namespace {{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }} {
+
+class {{ cookiecutter.protocol_name }}_Analyzer{% if tcp -%}: public zeek::analyzer::tcp::TCP_ApplicationAnalyzer{% elif udp -%}: public ::zeek::analyzer::Analyzer{% endif %}
+{
+public:
+ {{ cookiecutter.protocol_name }}_Analyzer(zeek::Connection* conn);
+ virtual ~{{ cookiecutter.protocol_name }}_Analyzer();
+
+ // Overriden from Analyzer.
+ virtual void Done();
+ {% if tcp %}
+ virtual void DeliverStream(int len, const u_char* data, bool orig);
+ virtual void Undelivered(uint64_t seq, int len, bool orig);
+
+ // Overriden from tcp::TCP_ApplicationAnalyzer.
+ virtual void EndpointEOF(bool is_orig);
+ {% elif udp %}
+ virtual void DeliverPacket(int len, const u_char* data, bool orig,
+ uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
+ {% endif %}
+
+ static ::zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn)
+ { return new {{ cookiecutter.protocol_name }}_Analyzer(conn); }
+
+protected:
+ binpac::{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Conn* interp;
+ {% if tcp -%}
+ bool had_gap;
+ {% endif -%}
+};
+
+} } // namespace analyzer::*
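Review bot: `interp` is a raw owning pointer that the destructor in the companion `.cc` frees with `delete`, and this class declares neither a deleted copy constructor nor a deleted copy assignment, so any accidental copy of the analyzer would double-delete the binpac connection; whether `zeek::analyzer::Analyzer` is already non-copyable is not visible here. For a file that exists only to target Zeek 4.x (C++17), `std::unique_ptr<binpac::{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Conn> interp;` (with `#include <memory>`) states the ownership in the type and makes the manual `delete` unnecessary. The overriding declarations `Done`, `DeliverStream`, `Undelivered`, `EndpointEOF` and `DeliverPacket` should also carry `override` rather than bare `virtual`, so a signature that drifts from the Zeek 4 base classes — exactly the kind of mismatch this port is chasing — is a compile error instead of a silently unused method.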