Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Remove encap_hdr_size (replaced by skip analyzer).

Browse source
This commit is contained in:
Jan Grashoefer 2020-08-26 15:12:49 +02:00 committed by Tim Wojtulewicz
parent aa4506ad06
commit 0925b3bbec
5 changed files with 0 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/init-bare.zeek
View file

@ -1225,10 +1225,6 @@ const rpc_timeout = 24 sec &redef;
## means "forever", which resists evasion, but can lead to state accrual. ## means "forever", which resists evasion, but can lead to state accrual.
const frag_timeout = 0.0 sec &redef; const frag_timeout = 0.0 sec &redef;
## If positive, indicates the encapsulation header size that should
## be skipped. This applies to all packets.
const encap_hdr_size = 0 &redef;
## Whether to use the ``ConnSize`` analyzer to count the number of packets and ## Whether to use the ``ConnSize`` analyzer to count the number of packets and
## IP-level bytes transferred by each endpoint. If true, these values are ## IP-level bytes transferred by each endpoint. If true, these values are
## returned in the connection's :zeek:see:`endpoint` record value. ## returned in the connection's :zeek:see:`endpoint` record value.

5
src/NetVar.cc
View file

@ -113,8 +113,6 @@ int partial_connection_ok;
int tcp_SYN_ack_ok; int tcp_SYN_ack_ok;
int tcp_match_undelivered; int tcp_match_undelivered;
int encap_hdr_size;
double frag_timeout; double frag_timeout;
double tcp_SYN_timeout; double tcp_SYN_timeout;
@ -261,8 +259,6 @@ void init_net_var()
tcp_SYN_ack_ok = id::find_val("tcp_SYN_ack_ok")->AsBool(); tcp_SYN_ack_ok = id::find_val("tcp_SYN_ack_ok")->AsBool();
tcp_match_undelivered = id::find_val("tcp_match_undelivered")->AsBool(); tcp_match_undelivered = id::find_val("tcp_match_undelivered")->AsBool();
encap_hdr_size = id::find_val("encap_hdr_size")->AsCount();
frag_timeout = id::find_val("frag_timeout")->AsInterval(); frag_timeout = id::find_val("frag_timeout")->AsInterval();
tcp_SYN_timeout = id::find_val("tcp_SYN_timeout")->AsInterval(); tcp_SYN_timeout = id::find_val("tcp_SYN_timeout")->AsInterval();
@ -365,7 +361,6 @@ int& ignore_checksums = zeek::detail::ignore_checksums;
int& partial_connection_ok = zeek::detail::partial_connection_ok; int& partial_connection_ok = zeek::detail::partial_connection_ok;
int& tcp_SYN_ack_ok = zeek::detail::tcp_SYN_ack_ok; int& tcp_SYN_ack_ok = zeek::detail::tcp_SYN_ack_ok;
int& tcp_match_undelivered = zeek::detail::tcp_match_undelivered; int& tcp_match_undelivered = zeek::detail::tcp_match_undelivered;
int& encap_hdr_size = zeek::detail::encap_hdr_size;
double& frag_timeout = zeek::detail::frag_timeout; double& frag_timeout = zeek::detail::frag_timeout;
double& tcp_SYN_timeout = zeek::detail::tcp_SYN_timeout; double& tcp_SYN_timeout = zeek::detail::tcp_SYN_timeout;
double& tcp_session_timer = zeek::detail::tcp_session_timer; double& tcp_session_timer = zeek::detail::tcp_session_timer;

3
src/NetVar.h
View file

@ -17,8 +17,6 @@ extern int partial_connection_ok;
extern int tcp_SYN_ack_ok; extern int tcp_SYN_ack_ok;
extern int tcp_match_undelivered; extern int tcp_match_undelivered;
extern int encap_hdr_size;
extern double frag_timeout; extern double frag_timeout;
extern double tcp_SYN_timeout; extern double tcp_SYN_timeout;
@ -117,7 +115,6 @@ extern int& ignore_checksums [[deprecated("Remove in v4.1. Use zeek::detail::ign
extern int& partial_connection_ok [[deprecated("Remove in v4.1. Use zeek::detail::partial_connection_ok.")]]; extern int& partial_connection_ok [[deprecated("Remove in v4.1. Use zeek::detail::partial_connection_ok.")]];
extern int& tcp_SYN_ack_ok [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_ack_ok.")]]; extern int& tcp_SYN_ack_ok [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_ack_ok.")]];
extern int& tcp_match_undelivered [[deprecated("Remove in v4.1. Use zeek::detail::tcp_match_undelivered.")]]; extern int& tcp_match_undelivered [[deprecated("Remove in v4.1. Use zeek::detail::tcp_match_undelivered.")]];
extern int& encap_hdr_size [[deprecated("Remove in v4.1. Use zeek::detail::encap_hdr_size.")]];
extern double& frag_timeout [[deprecated("Remove in v4.1. Use zeek::detail::frag_timeout.")]]; extern double& frag_timeout [[deprecated("Remove in v4.1. Use zeek::detail::frag_timeout.")]];
extern double& tcp_SYN_timeout [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_timeout.")]]; extern double& tcp_SYN_timeout [[deprecated("Remove in v4.1. Use zeek::detail::tcp_SYN_timeout.")]];
extern double& tcp_session_timer [[deprecated("Remove in v4.1. Use zeek::detail::tcp_session_timer.")]]; extern double& tcp_session_timer [[deprecated("Remove in v4.1. Use zeek::detail::tcp_session_timer.")]];

36
src/packet_analysis/Manager.cc
View file

@ -2,7 +2,6 @@
#include "Manager.h" #include "Manager.h"
#include "NetVar.h"
#include "Analyzer.h" #include "Analyzer.h"
#include "Dispatcher.h" #include "Dispatcher.h"
@ -132,8 +131,6 @@ void Manager::ProcessPacket(Packet* packet)
} }
auto result = analyzer->Analyze(packet, data); auto result = analyzer->Analyze(packet, data);
if (result == AnalyzerResult::Terminate)
CustomEncapsulationSkip(packet, data);
// Calculate header size after processing packet layers. // Calculate header size after processing packet layers.
packet->hdr_size = static_cast<uint32_t>(data - packet->data); packet->hdr_size = static_cast<uint32_t>(data - packet->data);
@ -177,36 +174,3 @@ AnalyzerPtr Manager::InstantiateAnalyzer(const std::string& name)
Tag tag = GetComponentTag(name); Tag tag = GetComponentTag(name);
return tag ? InstantiateAnalyzer(tag) : nullptr; return tag ? InstantiateAnalyzer(tag) : nullptr;
} }
void Manager::CustomEncapsulationSkip(Packet* packet, const uint8_t* data)
{
if ( zeek::detail::encap_hdr_size > 0 )
{
// Blanket encapsulation. We assume that what remains is IP.
if ( data + zeek::detail::encap_hdr_size + sizeof(struct ip) >= packet->GetEndOfData() )
{
packet->Weird("no_ip_left_after_encap");
return;
}
data += zeek::detail::encap_hdr_size;
auto ip = (const struct ip*)data;
switch ( ip->ip_v )
{
case 4:
packet->l3_proto = L3_IPV4;
break;
case 6:
packet->l3_proto = L3_IPV6;
break;
default:
{
// Neither IPv4 nor IPv6.
packet->Weird("no_ip_in_encap");
return;
}
}
}
}

10
src/packet_analysis/Manager.h
View file

@ -89,16 +89,6 @@ private:
*/ */
AnalyzerPtr InstantiateAnalyzer(const std::string& name); AnalyzerPtr InstantiateAnalyzer(const std::string& name);
/**
* Skips a fixed amount of packet data that is defined by encap_hdr_size.
* It is assumed that an IP header follows.
*
* @param packet The packet to adapt.
*
* @param data Pointer to remaining payload.
*/
void CustomEncapsulationSkip(Packet* packet, const uint8_t* data);
std::map<std::string, AnalyzerPtr> analyzers; std::map<std::string, AnalyzerPtr> analyzers;
Dispatcher root_dispatcher; Dispatcher root_dispatcher;
AnalyzerPtr default_analyzer = nullptr; AnalyzerPtr default_analyzer = nullptr;