zeek / zeek-agent

This project is no longer maintained. There's a successor at https://github.com/zeek/zeek-agent-v2

zeek doesn't report zeek_agent_hosts.zeek at lines (168-176) has duplication of the hook #64

Closed duffy-ocraven closed 4 years ago

duffy-ocraven commented 4 years ago

https://github.com/zeek/zeek-agent-framework/blob/master/zeek-agent/framework/zeek_agent_hosts.zeek at lines (168-176) has duplication of the hook.

I confirmed by experimentation that zeek just absorbs this silently, but should there be a check, syntax-error-wise?

module MyHTTPAgent;

export {
    ## Hook that can be called by others to indicate that an IP address was added to a host
    global add_host_addr: hook(host_id: string, ip: addr);
}

function send_joins_new_address(host_id: string, ip: addr)
    {
    local new_groups: vector of string;
    }

event MyHTTP::request_line(c: connection, method: string, uri: string, version: string)
    {
    print fmt("Zeek saw from %s: %s %s %s", c$id$orig_h, method, uri, version);
    }

hook MyHTTPAgent::add_host_addr(host_id: string, ip: addr)
    {
    send_joins_new_address(host_id, ip);
    }

hook MyHTTPAgent::add_host_addr(host_id: string, ip: addr)
    {
    #TODO
    }

outputs:

~/Documents/work/projects/zeek/build/src/zeek -Cr MyHTTP-request-line.pcap MyHTTP.spicy MyHTTP.evt MyHTTP_double_declaring_hook.zeek
GET, /index.html, 1.0
Zeek saw from 127.0.0.1: GET /index.html 1.0

alessandrogario commented 4 years ago

Hello @duffy-corelight

thanks for opening the bug report!

Is this issue caused or related to the Zeek Agent implementation or is it a scripting issue inside the zeek-agent-framework repository?

duffy-ocraven commented 4 years ago

It is in a script at the above-mentioned URL. A trivial duplication, once as an empty hook with a TODO comment, then, adjacent, the hook fully implemented.

duffy-ocraven commented 4 years ago

The thing about it that most caught my attention was that a .zeek file with such a duplicate would, I would expect, warn or fail with a syntax report. But when I ran an experiment using exactly that duplication, I found there is silence as Zeek accepts that, though it must be in some sense an error.
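
Zeek allows a hook to have more than one body, so the second definition produces no diagnostic. The following is an added example (not code from this issue or from the Zeek project) of a review-time check that flags handlers with more than one body in a single script; the function name, the regular expressions and the sample script are assumptions made for illustration.

```python
import re
from collections import defaultdict

# A handler *body* starts its line with the keyword and has no ';' on that line.
# This skips declarations ("global x: hook(...);") and invocations ("hook x(a);").
HANDLER_RE = re.compile(r"^\s*(hook|event)\s+([A-Za-z_][\w:]*)\s*\([^;]*$")
MODULE_RE = re.compile(r"^\s*module\s+([A-Za-z_]\w*)\s*;")

# Constructed sample modelled on the snippet in the issue.
SAMPLE = """\
module MyHTTPAgent;
export {
    global add_host_addr: hook(host_id: string, ip: addr);
}
hook MyHTTPAgent::add_host_addr(host_id: string, ip: addr)
    {
    print host_id, ip;
    }
hook add_host_addr(host_id: string, ip: addr)
    {
    #TODO
    }
"""

def find_duplicate_handlers(source):
    """Map (kind, qualified name) -> line numbers, for handlers with >1 body."""
    module = None
    seen = defaultdict(list)
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # naive comment strip; ignores '#' in strings
        m = MODULE_RE.match(line)
        if m:
            module = m.group(1)
            continue
        m = HANDLER_RE.match(line)
        if m:
            kind, name = m.groups()
            # Simplification: an unqualified name is treated as module-local.
            if module and "::" not in name:
                name = f"{module}::{name}"
            seen[(kind, name)].append(lineno)
    return {key: lines for key, lines in seen.items() if len(lines) > 1}

if __name__ == "__main__":
    for (kind, name), lines in find_duplicate_handlers(SAMPLE).items():
        print(f"{kind} {name} has {len(lines)} bodies at lines {lines}")
```

Because multiple bodies are legal, a hit is a prompt for review rather than an error; an empty or TODO-only body next to a full one is the case worth removing.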

alessandrogario commented 4 years ago

Hello @duffy-corelight!

thanks for the explanation! Do you think it would be better to move this issue to the zeek-agent-framework repository?

duffy-ocraven commented 4 years ago

Sorry! I hadn’t realized that the two kept Issues in different projects.

duffy-ocraven commented 4 years ago

There now as https://github.com/zeek/zeek-agent-framework/issues/8