Upgrade to Zeek 4.0

corelight · Feb 8, 2021 · a86f595 · a86f595
1 parent 7b91c7a
commit a86f595
Show file tree

Hide file tree

Showing 25 changed files with 246 additions and 185 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1,12 +1,13 @@
 
-cmake_minimum_required(VERSION 2.8)
+cmake_minimum_required(VERSION 3.5 FATAL_ERROR)
 
-project(Plugin)
+project(ZeekPluginXorExe)
 
-include(BroPlugin)
+include(ZeekPlugin)
+
+zeek_plugin_begin(Corelight PE_XOR)
+zeek_plugin_cc(src/PE_XOR.cc src/Plugin.cc)
+zeek_plugin_bif(src/pe_xor.bif)
+zeek_plugin_dist_files(README CHANGES COPYING VERSION)
+zeek_plugin_end()
 
-bro_plugin_begin(Corelight PE_XOR)
-bro_plugin_cc(src/PE_XOR.cc src/Plugin.cc)
-bro_plugin_bif(src/pe_xor.bif)
-bro_plugin_dist_files(README CHANGES COPYING VERSION)
-bro_plugin_end()
diff --git a/Makefile b/Makefile
@@ -10,7 +10,7 @@ all: build-it
 build-it:
 	@test -e $(cmake_build_dir)/config.status || ./configure
 	-@test -e $(cmake_build_dir)/CMakeCache.txt && \
-      test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep BRO_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \
+      test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep ZEEK_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \
       echo Updating stale CMake cache && \
       touch $(cmake_build_dir)/CMakeCache.txt
 

diff --git a/VERSION b/VERSION
diff --git a/configure b/configure
@@ -14,26 +14,23 @@ if [ -e `dirname $0`/configure.plugin ]; then
     . `dirname $0`/configure.plugin
 fi
 
-# Check for `cmake` command.
-type cmake > /dev/null 2>&1 || {
-    echo "\
-This package requires CMake, please install it first, then you may
-use this configure script to access CMake equivalent functionality.\
-" >&2;
-    exit 1;
-}
-
 usage() {
 
 cat 1>&2 <<EOF
 Usage: $0 [OPTIONS]
 
   Plugin Options:
-    --bro-dist=DIR             Path to Bro source tree
+    --cmake=PATH               Path to CMake binary
+    --zeek-dist=DIR            Path to Zeek source tree
     --install-root=DIR         Path where to install plugin into
+    --with-binpac=DIR          Path to BinPAC installation root
+    --with-broker=DIR          Path to Broker installation root
+    --with-caf=DIR             Path to CAF installation root
+    --with-bifcl=PATH          Path to bifcl executable
+    --enable-debug             Compile in debugging mode
 EOF
 
-if type -t plugin_usage >/dev/null 2>&1; then
+if type plugin_usage >/dev/null 2>&1; then
     plugin_usage 1>&2
 fi
 
@@ -53,7 +50,7 @@ append_cache_entry () {
 
 # set defaults
 builddir=build
-brodist=`cd ../../.. && pwd`
+zeekdist=""
 installroot="default"
 CMakeCacheEntries=""
 
@@ -68,16 +65,43 @@ while [ $# -ne 0 ]; do
             usage
             ;;
 
-        --bro-dist=*)
-            brodist=`cd $optarg && pwd`
+        --cmake=*)
+            CMakeCommand=$optarg
+            ;;
+
+        --zeek-dist=*)
+            zeekdist=`cd $optarg && pwd`
             ;;
 
         --install-root=*)
             installroot=$optarg
             ;;
 
+        --with-binpac=*)
+            append_cache_entry BinPAC_ROOT_DIR PATH $optarg
+            binpac_root=$optarg
+            ;;
+
+        --with-broker=*)
+            append_cache_entry BROKER_ROOT_DIR PATH $optarg
+            broker_root=$optarg
+            ;;
+
+        --with-caf=*)
+            append_cache_entry CAF_ROOT_DIR PATH $optarg
+            caf_root=$optarg
+            ;;
+
+        --with-bifcl=*)
+            append_cache_entry BifCl_EXE PATH $optarg
+            ;;
+
+        --enable-debug)
+            append_cache_entry BRO_PLUGIN_ENABLE_DEBUG         BOOL   true
+            ;;
+
         *)
-            if type -t plugin_option >/dev/null 2>&1; then
+            if type plugin_option >/dev/null 2>&1; then
                 plugin_option $1 && shift && continue;
             fi
 
@@ -88,26 +112,77 @@ while [ $# -ne 0 ]; do
     shift
 done
 
-if [ ! -e "$brodist/bro-path-dev.in" ]; then
-    echo "Cannot determine Bro source directory, use --bro-dist=DIR."
-    exit 1
+if [ -z "$CMakeCommand" ]; then
+    # prefer cmake3 over "regular" cmake (cmake == cmake2 on RHEL)
+    if command -v cmake3 >/dev/null 2>&1 ; then
+        CMakeCommand="cmake3"
+    elif command -v cmake >/dev/null 2>&1 ; then
+        CMakeCommand="cmake"
+    else
+        echo "This package requires CMake, please install it first."
+        echo "Then you may use this script to configure the CMake build."
+        echo "Note: pass --cmake=PATH to use cmake in non-standard locations."
+        exit 1;
+    fi
 fi
 
-append_cache_entry BRO_DIST PATH $brodist
-append_cache_entry CMAKE_MODULE_PATH PATH $brodist/cmake
+if [ -z "$zeekdist" ]; then
+    if type zeek-config >/dev/null 2>&1; then
+        zeek_config="zeek-config"
+    else
+        echo "Either 'zeek-config' must be in PATH or '--zeek-dist=<path>' used"
+        exit 1
+    fi
+
+    append_cache_entry BRO_CONFIG_PREFIX PATH `${zeek_config} --prefix`
+    append_cache_entry BRO_CONFIG_INCLUDE_DIR PATH `${zeek_config} --include_dir`
+    append_cache_entry BRO_CONFIG_PLUGIN_DIR PATH `${zeek_config} --plugin_dir`
+    append_cache_entry BRO_CONFIG_LIB_DIR PATH `${zeek_config} --lib_dir`
+    append_cache_entry BRO_CONFIG_CMAKE_DIR PATH `${zeek_config} --cmake_dir`
+    append_cache_entry CMAKE_MODULE_PATH PATH `${zeek_config} --cmake_dir`
+
+    build_type=`${zeek_config} --build_type`
+
+    if [ "$build_type" = "debug" ]; then
+        append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true
+    fi
+
+    if [ -z "$binpac_root" ]; then
+        append_cache_entry BinPAC_ROOT_DIR PATH `${zeek_config} --binpac_root`
+    fi
+
+    if [ -z "$broker_root" ]; then
+        append_cache_entry BROKER_ROOT_DIR PATH `${zeek_config} --broker_root`
+    fi
+
+    if [ -z "$caf_root" ]; then
+        append_cache_entry CAF_ROOT_DIR PATH `${zeek_config} --caf_root`
+    fi
+else
+    if [ ! -e "$zeekdist/zeek-path-dev.in" ]; then
+        echo "$zeekdist does not appear to be a valid Zeek source tree."
+        exit 1
+    fi
+
+    # BRO_DIST is the canonical/historical name used by plugin CMake scripts
+    # ZEEK_DIST doesn't serve a function at the moment, but set/provided anyway
+    append_cache_entry BRO_DIST  PATH $zeekdist
+    append_cache_entry ZEEK_DIST PATH $zeekdist
+    append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake
+fi
 
 if [ "$installroot" != "default" ]; then
     mkdir -p $installroot
     append_cache_entry BRO_PLUGIN_INSTALL_ROOT PATH $installroot
 fi
 
 echo "Build Directory        : $builddir"
-echo "Bro Source Directory   : $brodist"
+echo "Zeek Source Directory   : $zeekdist"
 
 mkdir -p $builddir
 cd $builddir
 
-cmake $CMakeCacheEntries ..
+"$CMakeCommand" $CMakeCacheEntries ..
 
 echo "# This is the command used to configure this build" > config.status
 echo $command >> config.status

diff --git a/scripts/Corelight/PE_XOR/__load__.bro → scripts/Corelight/PE_XOR/__load__.zeek b/scripts/Corelight/PE_XOR/__load__.bro → scripts/Corelight/PE_XOR/__load__.zeek
@@ -2,5 +2,5 @@
 # loaded automatically at that point.
 # 
 
-@load ./main.bro
+@load ./main
 
diff --git a/scripts/Corelight/PE_XOR/main.bro → scripts/Corelight/PE_XOR/main.zeek b/scripts/Corelight/PE_XOR/main.bro → scripts/Corelight/PE_XOR/main.zeek
@@ -1,7 +1,7 @@
 ##! Detect Windows executable (PE) files that are XOR-encrypted.
 ##! The XOR key can be up to 30 characters long.
 ##!
-##! Copyright 2017, Corelight, Inc. All rights reserved.
+##! Copyright 2017-2021, Corelight, Inc. All rights reserved.
 
 @load base/frameworks/files
 @load base/frameworks/notice

diff --git a/scripts/__load__.bro b/scripts/__load__.bro
diff --git a/scripts/__load__.zeek b/scripts/__load__.zeek
@@ -0,0 +1,8 @@
+# This is loaded unconditionally at Zeek startup. Include scripts here that should
+# always be loaded.
+
+@load ./init
+@load ./Corelight/PE_XOR
+
+
+
diff --git a/scripts/init.bro → scripts/init.zeek b/scripts/init.bro → scripts/init.zeek
diff --git a/src/PE_XOR.cc b/src/PE_XOR.cc
@@ -1,18 +1,16 @@
 // Copyright 2017, Corelight, Inc. All rights reserved.
 
-#include "BroString.h"
-
 #include "PE_XOR.h"
-#include "file_analysis/Manager.h"
+#include "zeek/file_analysis/Manager.h"
 
 #define NULL_SECTION_START 0x1a
 #define NULL_SECTION_END 0x38
 #define MAX_KEY_LEN 30
 
-using namespace file_analysis;
+namespace zeek::file_analysis::detail {
 
-PE_XOR::PE_XOR(RecordVal* args, File* file)
-	: file_analysis::Analyzer(file_mgr->GetComponentTag("PE_XOR"), args, file)
+PE_XOR::PE_XOR(RecordValPtr args, file_analysis::File* file)
+	: file_analysis::Analyzer(file_mgr->GetComponentTag("PE_XOR"), std::move(args), file)
 	{
 	offset = 0;
 	key_found = false;
@@ -30,7 +28,7 @@ bool PE_XOR::DeliverStream(const u_char* data, uint64_t len)
 
 	if ( ! key_found && len < 512 )
 		{
-		// This probably shouln't happen.
+		// This probably shouldn't happen.
 		skip = true;
 		return true;
 		}
@@ -42,11 +40,10 @@ bool PE_XOR::DeliverStream(const u_char* data, uint64_t len)
 			{
 			file_id = file_mgr->HashHandle(GetFile()->GetID());
 
-			val_list* vl = new val_list();
-			vl->append(GetFile()->GetVal()->Ref());
-			vl->append(new StringVal(new BroString((const u_char *)key, key_len, 1)));
-			vl->append(new StringVal(file_id));
-			mgr.QueueEvent(pe_xor_found, vl);
+			zeek::event_mgr.Enqueue(pe_xor_found,
+			                        GetFile()->ToVal(),
+			                        zeek::make_intrusive<zeek::StringVal>(key_len, reinterpret_cast<const char*>(key)),
+			                        zeek::make_intrusive<zeek::StringVal>(file_id));
 			}
 		else
 			{
@@ -61,14 +58,12 @@ bool PE_XOR::DeliverStream(const u_char* data, uint64_t len)
 		for ( uint64_t i = 0; i < len; ++i )
 			plaintext[i] = data[i] ^ key[(i + offset) % key_len];
 
-		file_mgr->DataIn(plaintext, len, file_id, string(fmt("XOR decrypted from ")) + GetFile()->GetID());
+		file_mgr->DataIn(plaintext, len, file_id, std::string(zeek::util::fmt("XOR decrypted from ")) + GetFile()->GetID());
 		}
 
 	else
 		{
-		val_list* vl = new val_list();
-		vl->append(GetFile()->GetVal()->Ref());
-		mgr.QueueEvent(pe_xor_not_found, vl);
+		zeek::event_mgr.Enqueue(pe_xor_not_found, GetFile()->ToVal());
 		}
 
 
@@ -149,3 +144,5 @@ bool PE_XOR::EndOfFile()
 	file_mgr->EndOfFile(file_id);
 	return false;
 	}
+
+} // namespace zeek::file_analysis::detail
diff --git a/src/PE_XOR.h b/src/PE_XOR.h
@@ -1,31 +1,31 @@
-// Copyright 2017, Corelight, Inc. All rights reserved.
+// Copyright 2017-2021, Corelight, Inc. All rights reserved.
 
 #pragma once
 
-#include "Val.h"
-#include "file_analysis/File.h"
-#include "file_analysis/Analyzer.h"
+#include <string>
+
+#include "zeek/file_analysis/File.h"
+#include "zeek/file_analysis/Analyzer.h"
 
 #include "pe_xor.bif.h"
 
-namespace file_analysis {
+namespace zeek::file_analysis::detail {
 
 /**
  * Analyze XOR-encrypted Portable Executable files
  */
 class PE_XOR : public file_analysis::Analyzer {
 public:
-	~PE_XOR();
+	~PE_XOR() override;
 
-	static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
+	static file_analysis::Analyzer* Instantiate(RecordValPtr args, file_analysis::File* file)
 		{ return new PE_XOR(args, file); }
 
-	virtual bool DeliverStream(const u_char* data, uint64_t len);
-
-	virtual bool EndOfFile();
+	bool DeliverStream(const u_char* data, uint64_t len) override;
+	bool EndOfFile() override;
 
 protected:
-	PE_XOR(RecordVal* args, File* file);
+	PE_XOR(RecordValPtr args, file_analysis::File* file);
 
 	bool FindKey(const u_char* data);
 
@@ -41,8 +41,9 @@ class PE_XOR : public file_analysis::Analyzer {
 	bool key_found;
 	bool skip;
 
-	string file_id;
+	std::string file_id;
 };
 
-} // namespace file_analysis
+} // namespace zeek::file_analysis::detail
+