Unified2 file analyzer updated to new plugin style.

src/file_analysis/analyzer/CMakeLists.txt

@@ -1,3 +1,4 @@
 add_subdirectory(data_event)
 add_subdirectory(extract)
 add_subdirectory(hash)
+add_subdirectory(unified2)

src/file_analysis/analyzer/unified2/CMakeLists.txt

@@ -0,0 +1,10 @@
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
+                           ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro Unified2)
+bro_plugin_cc(Unified2.cc Plugin.cc ../../Analyzer.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(unified2.pac unified2-file.pac unified2-analyzer.pac)
+bro_plugin_end()

src/file_analysis/analyzer/unified2/Plugin.cc

@@ -0,0 +1,29 @@
+#include "plugin/Plugin.h"
+#include "file_analysis/Component.h"
+
+#include "Unified2.h"
+
+namespace plugin { namespace Bro_Unified2 {
+
+class Plugin : public plugin::Plugin {
+protected:
+	void InitPreScript()
+		{
+		SetName("Bro::Unified2");
+		SetVersion(-1);
+		SetAPIVersion(BRO_PLUGIN_API_VERSION);
+		SetDynamicPlugin(false);
+
+		SetDescription("Analyze Unified2 alert files.");
+
+		AddComponent(new ::file_analysis::Component("UNIFIED2",
+		        ::file_analysis::Unified2::Instantiate));
+
+		extern std::list<std::pair<const char*, int> > __bif_events_init();
+		AddBifInitFunction(&__bif_events_init);
+		}
+};
+
+Plugin __plugin;
+
+} }

src/file_analysis/analyzer/unified2/Unified2.cc

@@ -0,0 +1,29 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <string>
+
+#include "Unified2.h"
+#include "file_analysis/Manager.h"
+
+using namespace file_analysis;
+
+Unified2::Unified2(RecordVal* args, File* file)
+    : file_analysis::Analyzer(file_mgr->GetComponentTag("UNIFIED2"), args, file)
+	{
+	interp = new binpac::Unified2::Unified2_Analyzer(this);
+	}
+
+Unified2::~Unified2()
+	{
+	}
+
+file_analysis::Analyzer* Unified2::Instantiate(RecordVal* args, File* file)
+	{
+	return new Unified2(args, file);
+	}
+
+bool Unified2::DeliverStream(const u_char* data, uint64 len)
+	{
+	interp->NewData(true, data, data+len);
+	return true;
+	}

src/file_analysis/analyzer/unified2/Unified2.h

@@ -0,0 +1,40 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef FILE_ANALYSIS_UNIFIED2_H
+#define FILE_ANALYSIS_UNIFIED2_H
+
+#include <string>
+
+#include "Val.h"
+#include "File.h"
+#include "Analyzer.h"
+#include "unified2_pac.h"
+
+namespace file_analysis {
+
+/**
+ * An analyzer to extract content of files to local disk.
+ */
+class Unified2 : public file_analysis::Analyzer {
+public:
+
+	virtual ~Unified2();
+
+	virtual bool DeliverStream(const u_char* data, uint64 len);
+
+	static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file);
+
+protected:
+
+	Unified2(RecordVal* args, File* file);
+
+private:
+	binpac::Unified2::Unified2_Analyzer* interp;
+
+	string filename;
+	int fd;
+};
+
+} // namespace file_analysis
+
+#endif

src/file_analysis/analyzer/unified2/events.bif

@@ -0,0 +1,2 @@
+
+event unified2_alert%(f: fa_file, alert: count%);

src/file_analysis/analyzer/unified2/types.bif

@@ -0,0 +1 @@
+type Unified2Alert: record;

src/file_analysis/analyzer/unified2/unified2-analyzer.pac

@@ -0,0 +1,35 @@
+%extern{
+#include "Event.h"
+#include "file_analysis/File.h"
+#include "events.bif.h"
+%}
+
+refine flow Flow += {
+
+	%member{
+	%}
+
+	%init{
+	%}
+
+	%eof{
+	%}
+
+	%cleanup{
+	%}
+
+	function proc_ids_event(ev: IDSEvent) : bool
+		%{
+		val_list* vl = new val_list();
+		vl->append(connection()->bro_analyzer()->GetFile()->GetVal()->Ref());
+		vl->append(new Val(${ev.signature_id}, TYPE_COUNT));
+		mgr.QueueEvent(::unified2_alert, vl, SOURCE_LOCAL);
+
+		return true;
+		%}
+};
+
+
+refine typeattr IDSEvent += &let {
+	proc : bool = $context.flow.proc_ids_event(this);
+};

src/file_analysis/analyzer/unified2/unified2-file.pac

@@ -0,0 +1,117 @@
+
+enum Types {
+	EVENT               = 0,
+	PACKET              = 1,
+	IDS_EVENT           = 2,
+	IDS_EVENT_IPV6      = 72,
+	IDS_EVENT_MPLS      = 99,
+	IDS_EVENT_IPV6_MPLS = 100,
+	IDS_EVENT_VLAN      = 104,
+	IDS_EVENT_IPV6_VLAN = 105,
+	EXTRA_DATA          = 110,
+};
+
+type Time = record {
+	seconds:      uint32;
+	microseconds: uint32;
+} &byteorder=bigendian;
+
+type v4Addr = record {
+	u1: uint32;
+};
+
+type v6Addr = record {
+	u1: uint32;
+	u2: uint32;
+	u3: uint32;
+	u4: uint32;
+};
+
+type Addr(ip_ver: int) = case ip_ver of {
+	4 -> v4: v4Addr;
+	6 -> v6: v6Addr;
+} &byteorder=bigendian;
+
+type Record = record {
+	rtype:   uint32;
+	length:  uint32;
+	data:   case rtype of {
+		# EVENT               -> event:               Event(this);
+		PACKET              -> packet:              Packet(this);
+		IDS_EVENT           -> ids_event:           LegacyIDSEvent(this, 4);
+		IDS_EVENT_IPV6      -> ids_event_ipv6:      LegacyIDSEvent(this, 6);
+		# IDS_EVENT_MPLS      -> ids_event_mpls:      IDSEvent(this, 4);
+		# IDS_EVENT_IPV6_MPLS -> ids_event_ipv6_mpls: IDSEvent(this, 6);
+		IDS_EVENT_VLAN      -> ids_event_vlan:      IDSEvent(this, 4);
+		IDS_EVENT_IPV6_VLAN -> ids_event_ipv6_vlan: IDSEvent(this, 6);
+		EXTRA_DATA          -> extra_data:          ExtraData(this);
+		default             -> unknown_record_type: UnknownRecordType(this);
+	};
+} &byteorder=bigendian &length=length+8;
+
+type LegacyIDSEvent(rec: Record, ip_ver: int) = record {
+	sensor_id:          uint32;
+	event_id:           uint32;
+	ts:                 Time;
+	signature_id:       uint32;
+	generator_id:       uint32;
+	signature_revision: uint32;
+	classification_id:  uint32;
+	priority_id:        uint32;
+	src_ip:             Addr(ip_ver);
+	dst_ip:             Addr(ip_ver);
+	src_p:              uint16;
+	dst_p:              uint16;
+	protocol:           uint8;
+	packet_action:      uint8;
+};
+
+type IDSEvent(rec: Record, ip_ver: int) = record {
+	sensor_id:          uint32;
+	event_id:           uint32;
+	ts:                 Time;
+	signature_id:       uint32;
+	generator_id:       uint32;
+	signature_revision: uint32;
+	classification_id:  uint32;
+	priority_id:        uint32;
+	src_ip:             Addr(ip_ver);
+	dst_ip:             Addr(ip_ver);
+	src_p:              uint16;
+	dst_p:              uint16;
+	protocol:           uint8;
+	impact_flag:        uint8;
+	impact:             uint8;
+	blocked:            uint8;
+	mpls_label:         uint32;
+	vlan_id:            uint16;
+	:                   uint16;
+} &byteorder=bigendian;
+
+type Packet(rec: Record) = record {
+	sensor_id:          uint32;
+	event_id:           uint32;
+	event_second:       uint32;
+	packet_ts:          Time;
+	link_type:          uint32;
+	packet_len:         uint32;
+	packet_data:        bytestring &length=packet_len;
+} &byteorder=bigendian &length=rec.length;
+
+type ExtraData(rec: Record) = record {
+	sensor_id:          uint32;
+	event_id:           uint32;
+	event_second:       uint32;
+	extra_type:         uint32;
+	data_type:          uint32;
+	blob_len:           uint32;
+	blob:               bytestring &length=blob_len;
+} &byteorder=bigendian &length=rec.length;
+
+type UnknownRecordType(rec: Record) = record {
+	data: bytestring &transient &length=rec.length;
+} &byteorder=bigendian &length=rec.length;
+
+type File = record {
+	alerts:  Record[] &transient &until($element <= 0);
+} &byteorder=bigendian;

src/file_analysis/analyzer/unified2/unified2.pac

@@ -0,0 +1,21 @@
+
+%include binpac.pac
+%include bro.pac
+
+analyzer Unified2 withcontext {
+	analyzer:   Unified2_Analyzer;
+	flow:       Flow;
+};
+
+analyzer Unified2_Analyzer(bro_analyzer: BroFileAnalyzer) {
+	downflow = Flow;
+	upflow   = Flow;
+};
+
+%include unified2-file.pac
+
+flow Flow {
+	flowunit = File withcontext(connection, this);
+};
+
+%include unified2-analyzer.pac