grigorescu · set-element · Oct 16, 2021
diff --git a/cookiecutter.json b/cookiecutter.json
@@ -8,7 +8,7 @@
     "project_credits": "Alice <alice@email.com>, Bob <bob@email.com>",
     "project_namespace": "Local",
 
-    "zeek_version": "Automatically determined from the installed version, or '3.2' if zeek-config not found",
+    "zeek_version": "Automatically determined from the installed version, or '4.0' if zeek-config not found",
 
     "metadata_tags": "network, evil, rfc3514",
 

diff --git a/hooks/post_gen_project.sh b/hooks/post_gen_project.sh
@@ -4,7 +4,7 @@ if [ -d "zeek_v{{ cookiecutter.zeek_version }}" ]
 then
    SOURCE="zeek_v{{ cookiecutter.zeek_version }}"
 else
-   VERSION=$(zeek-config --version || echo "3.2")
+   VERSION=$(zeek-config --version || echo "4.0")
    VERSION=$(echo "$VERSION" | cut -f -2 -d.)
    SOURCE="zeek_v$VERSION"
 fi

diff --git a/{{ cookiecutter.project_slug }}/src/Plugin.cc b/{{ cookiecutter.project_slug }}/src/Plugin.cc
@@ -11,8 +11,8 @@ using namespace plugin::{{ cookiecutter.project_namespace }}_{{ cookiecutter.pro
 
 zeek::plugin::Configuration Plugin::Configure()
 	{
-	AddComponent(new ::zeek::analyzer::Component("{{ cookiecutter.protocol_name }}",
-	             ::analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Analyzer::InstantiateAnalyzer));
+	AddComponent(new zeek::analyzer::Component("{{ cookiecutter.protocol_name }}",
+	             analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Analyzer::InstantiateAnalyzer));
 
 	zeek::plugin::Configuration config;
 

diff --git a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.cc b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.cc
@@ -14,9 +14,9 @@ using namespace analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.p
 
 {{ cookiecutter.protocol_name }}_Analyzer::{{ cookiecutter.protocol_name }}_Analyzer(zeek::Connection* c)
 {% if tcp %}
-: tcp::TCP_ApplicationAnalyzer("{{ cookiecutter.protocol_name }}", c)
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("{{ cookiecutter.protocol_name }}", c)
 {% elif udp %}
-: analyzer::Analyzer("{{ cookiecutter.protocol_name }}", c)
+: zeek::analyzer::Analyzer("{{ cookiecutter.protocol_name }}", c)
 {% endif %}
 	{
 	interp = new binpac::{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Conn(this);
@@ -33,7 +33,7 @@ using namespace analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.p
 void {{ cookiecutter.protocol_name }}_Analyzer::Done()
 	{
 	{% if tcp %}
-	tcp::TCP_ApplicationAnalyzer::Done();
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
 
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@@ -44,13 +44,13 @@ void {{ cookiecutter.protocol_name }}_Analyzer::Done()
 {% if tcp %}
 void {{ cookiecutter.protocol_name }}_Analyzer::EndpointEOF(bool is_orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 
 void {{ cookiecutter.protocol_name }}_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 
 	assert(TCP());
 	if ( TCP()->IsPartial() )
@@ -67,19 +67,19 @@ void {{ cookiecutter.protocol_name }}_Analyzer::DeliverStream(int len, const u_c
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
 void {{ cookiecutter.protocol_name }}_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
-	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	had_gap = true;
 	interp->NewGap(orig, len);
 	}
 {% elif udp %}
 void {{ cookiecutter.protocol_name }}_Analyzer::DeliverPacket(int len, const u_char* data,
-	 			  bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
+	 			  bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
@@ -89,7 +89,7 @@ void {{ cookiecutter.protocol_name }}_Analyzer::DeliverPacket(int len, const u_c
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 {% endif %}
diff --git a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.h b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name }}.h
@@ -15,7 +15,7 @@
 
 namespace analyzer { namespace {{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }} {
 
-class {{ cookiecutter.protocol_name }}_Analyzer{% if tcp -%}: public tcp::TCP_ApplicationAnalyzer{% elif udp -%}: public ::zeek::analyzer::Analyzer{% endif %}
+class {{ cookiecutter.protocol_name }}_Analyzer{% if tcp -%}: public zeek::analyzer::tcp::TCP_ApplicationAnalyzer{% elif udp -%}: public ::zeek::analyzer::Analyzer{% endif %}
 {
 public:
 	{{ cookiecutter.protocol_name }}_Analyzer(zeek::Connection* conn);
@@ -31,7 +31,7 @@ class {{ cookiecutter.protocol_name }}_Analyzer{% if tcp -%}: public tcp::TCP_Ap
 	virtual void EndpointEOF(bool is_orig);
 	{% elif udp %}
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					uint64_t seq, const IP_Hdr* ip, int caplen);
+					uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
 	{% endif %}
 
 	static ::zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn)

diff --git a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}-analyzer.pac b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}-analyzer.pac
@@ -3,7 +3,7 @@
 refine flow {{ cookiecutter.protocol_name }}_Flow += {
 	function proc_{{ cookiecutter.protocol_name|lower }}_message(msg: {{ cookiecutter.protocol_name }}_PDU): bool
 		%{
-		zeek::BifEvent::enqueue_{{ cookiecutter.protocol_name|lower }}_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn());
+		zeek::BifEvent::enqueue_{{ cookiecutter.protocol_name|lower }}_event(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn());
 		return true;
 		%}
 };

diff --git a/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}.pac b/{{ cookiecutter.project_slug }}/src/{{ cookiecutter.protocol_name|lower }}.pac
@@ -5,7 +5,7 @@
 #  - {{ cookiecutter.protocol_name|lower }}-analyzer.pac: describes the {{ cookiecutter.protocol_name }} analyzer code
 
 %include binpac.pac
-%include bro.pac
+%include zeek.pac
 
 %extern{
 	#include "events.bif.h"
@@ -17,7 +17,7 @@ analyzer {{ cookiecutter.protocol_name }} withcontext {
 };
 
 # Our connection consists of two flows, one in each direction.
-connection {{ cookiecutter.protocol_name }}_Conn(bro_analyzer: BroAnalyzer) {
+connection {{ cookiecutter.protocol_name }}_Conn(zeek_analyzer: ZeekAnalyzer) {
 	upflow   = {{ cookiecutter.protocol_name }}_Flow(true);
 	downflow = {{ cookiecutter.protocol_name }}_Flow(false);
 };

diff --git a/{{ cookiecutter.project_slug }}/zeek_v4.0/src/Plugin.cc b/{{ cookiecutter.project_slug }}/zeek_v4.0/src/Plugin.cc
@@ -0,0 +1,28 @@
+// Generated by binpac_quickstart
+
+#include "Plugin.h"
+#include "analyzer/Component.h"
+
+#include "{{ cookiecutter.protocol_name }}.h"
+
+namespace plugin { namespace {{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }} { Plugin plugin; } }
+
+using namespace plugin::{{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }};
+
+zeek::plugin::Configuration Plugin::Configure()
+	{
+	AddComponent(new zeek::analyzer::Component("{{ cookiecutter.protocol_name }}",
+	             analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Analyzer::InstantiateAnalyzer));
+
+	zeek::plugin::Configuration config;
+
+	config.name = "{{ cookiecutter.project_namespace }}::{{ cookiecutter.protocol_name }}";
+	config.description = "{{ cookiecutter.project_name }}";
+
+	config.version.major = 0;
+	config.version.minor = 1;
+	config.version.patch = 0;
+
+	return config;
+	}
+
diff --git a/{{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.cc b/{{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.cc
@@ -0,0 +1,95 @@
+{% set tcp = cookiecutter.L4_protocol == "TCP" -%}
+{% set udp = cookiecutter.L4_protocol == "UDP" -%}
+// Generated by binpac_quickstart
+
+#include "{{ cookiecutter.protocol_name }}.h"
+{% if tcp %}
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
+{% endif %}
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::{{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }};
+
+{{ cookiecutter.protocol_name }}_Analyzer::{{ cookiecutter.protocol_name }}_Analyzer(zeek::Connection* c)
+{% if tcp %}
+: zeek::analyzer::tcp::TCP_ApplicationAnalyzer("{{ cookiecutter.protocol_name }}", c)
+{% elif udp %}
+: zeek::analyzer::Analyzer("{{ cookiecutter.protocol_name }}", c)
+{% endif %}
+	{
+	interp = new binpac::{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Conn(this);
+	{% if tcp %}
+	had_gap = false;
+	{% endif %}
+	}
+
+{{ cookiecutter.protocol_name }}_Analyzer::~{{ cookiecutter.protocol_name }}_Analyzer()
+	{
+	delete interp;
+	}
+
+void {{ cookiecutter.protocol_name }}_Analyzer::Done()
+	{
+	{% if tcp %}
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Done();
+
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+	{% elif udp %}
+	Analyzer::Done();
+	{% endif %}
+	}
+{% if tcp %}
+void {{ cookiecutter.protocol_name }}_Analyzer::EndpointEOF(bool is_orig)
+	{
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	interp->FlowEOF(is_orig);
+	}
+
+void {{ cookiecutter.protocol_name }}_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	assert(TCP());
+	if ( TCP()->IsPartial() )
+		return;
+
+	if ( had_gap )
+		// If only one side had a content gap, we could still try to
+		// deliver data to the other side if the script layer can handle this.
+		return;
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}
+
+void {{ cookiecutter.protocol_name }}_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
+	{
+	zeek::analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	had_gap = true;
+	interp->NewGap(orig, len);
+	}
+{% elif udp %}
+void {{ cookiecutter.protocol_name }}_Analyzer::DeliverPacket(int len, const u_char* data,
+	 			  bool orig, uint64_t seq, const zeek::IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(zeek::util::fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}
+{% endif %}
diff --git a/{{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.h b/{{ cookiecutter.project_slug }}/zeek_v4.0/src/{{ cookiecutter.protocol_name }}.h
@@ -0,0 +1,47 @@
+{% set tcp = cookiecutter.L4_protocol == "TCP" -%}
+{% set udp = cookiecutter.L4_protocol == "UDP" -%}
+// Generated by binpac_quickstart
+
+#pragma once
+
+#include "events.bif.h"
+
+{% if tcp %}
+#include "analyzer/protocol/tcp/TCP.h"
+{% elif udp %}
+#include "analyzer/protocol/udp/UDP.h"
+{% endif %}
+#include "{{ cookiecutter.protocol_name|lower }}_pac.h"
+
+namespace analyzer { namespace {{ cookiecutter.project_namespace }}_{{ cookiecutter.protocol_name }} {
+
+class {{ cookiecutter.protocol_name }}_Analyzer{% if tcp -%}: public zeek::analyzer::tcp::TCP_ApplicationAnalyzer{% elif udp -%}: public ::zeek::analyzer::Analyzer{% endif %}
+{
+public:
+	{{ cookiecutter.protocol_name }}_Analyzer(zeek::Connection* conn);
+	virtual ~{{ cookiecutter.protocol_name }}_Analyzer();
+
+	// Overriden from Analyzer.
+	virtual void Done();
+	{% if tcp %}
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(uint64_t seq, int len, bool orig);
+
+	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	virtual void EndpointEOF(bool is_orig);
+	{% elif udp %}
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					uint64_t seq, const zeek::IP_Hdr* ip, int caplen);
+	{% endif %}
+
+	static ::zeek::analyzer::Analyzer* InstantiateAnalyzer(zeek::Connection* conn)
+		{ return new {{ cookiecutter.protocol_name }}_Analyzer(conn); }
+
+protected:
+	binpac::{{ cookiecutter.protocol_name }}::{{ cookiecutter.protocol_name }}_Conn* interp;
+	{% if tcp -%}
+	bool had_gap;
+	{% endif -%}
+};
+
+} } // namespace analyzer::*