mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Update PacketFilter/Discarder code for IP version independence.
The signatures of script-layer functions 'discarder_check_ip', 'discarder_check_tcp', 'discarder_check_udp', and 'discarder_check_icmp' were changed to use the more general 'pkt_hdr' type as a parameter instead of individual header types.
This commit is contained in:
Jon Siwek
parent
76ef36e048
commit
0b32c980bf
13 changed files with 251 additions and 194 deletions
|
|
@ -1167,7 +1167,7 @@ global discarder_maxlen = 128 &redef;
|
|||
## analysis. If the function signals to discard a packet, no further processing
|
||||
## will be performed on it.
|
||||
##
|
||||
## i: The IP header of the considered packet.
|
||||
## p: The IP header of the considered packet.
|
||||
##
|
||||
## Returns: True if the packet should not be analyzed any further.
|
||||
##
|
||||
|
|
@ -1176,15 +1176,15 @@ global discarder_maxlen = 128 &redef;
|
|||
##
|
||||
## .. note:: This is very low-level functionality and potentially expensive.
|
||||
## Avoid using it.
|
||||
global discarder_check_ip: function(i: ip_hdr): bool;
|
||||
global discarder_check_ip: function(p: pkt_hdr): bool;
|
||||
|
||||
## Function for skipping packets based on their TCP header. If defined, this
|
||||
## function will be called for all TCP packets before Bro performs any further
|
||||
## analysis. If the function signals to discard a packet, no further processing
|
||||
## will be performed on it.
|
||||
##
|
||||
## i: The IP header of the considered packet.
|
||||
## t: The TCP header.
|
||||
## p: The IP and TCP headers of the considered packet.
|
||||
##
|
||||
## d: Up to :bro:see:`discarder_maxlen` bytes of the TCP payload.
|
||||
##
|
||||
## Returns: True if the packet should not be analyzed any further.
|
||||
|
|
@ -1194,15 +1194,15 @@ global discarder_check_ip: function(i: ip_hdr): bool;
|
|||
##
|
||||
## .. note:: This is very low-level functionality and potentially expensive.
|
||||
## Avoid using it.
|
||||
global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
|
||||
global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
|
||||
|
||||
## Function for skipping packets based on their UDP header. If defined, this
|
||||
## function will be called for all UDP packets before Bro performs any further
|
||||
## analysis. If the function signals to discard a packet, no further processing
|
||||
## will be performed on it.
|
||||
##
|
||||
## i: The IP header of the considered packet.
|
||||
## t: The UDP header.
|
||||
## p: The IP and UDP headers of the considered packet.
|
||||
##
|
||||
## d: Up to :bro:see:`discarder_maxlen` bytes of the UDP payload.
|
||||
##
|
||||
## Returns: True if the packet should not be analyzed any further.
|
||||
|
|
@ -1212,15 +1212,14 @@ global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
|
|||
##
|
||||
## .. note:: This is very low-level functionality and potentially expensive.
|
||||
## Avoid using it.
|
||||
global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
|
||||
global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
|
||||
|
||||
## Function for skipping packets based on their ICMP header. If defined, this
|
||||
## function will be called for all ICMP packets before Bro performs any further
|
||||
## analysis. If the function signals to discard a packet, no further processing
|
||||
## will be performed on it.
|
||||
##
|
||||
## i: The IP header of the considered packet.
|
||||
## ih: The ICMP header.
|
||||
## p: The IP and ICMP headers of the considered packet.
|
||||
##
|
||||
## Returns: True if the packet should not be analyzed any further.
|
||||
##
|
||||
|
|
@ -1229,7 +1228,7 @@ global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
|
|||
##
|
||||
## .. note:: This is very low-level functionality and potentially expensive.
|
||||
## Avoid using it.
|
||||
global discarder_check_icmp: function(i: ip_hdr, ih: icmp_hdr): bool;
|
||||
global discarder_check_icmp: function(p: pkt_hdr): bool;
|
||||
|
||||
## Bro's watchdog interval.
|
||||
const watchdog_interval = 10 sec &redef;
|
||||
|
|
|
|||
|
|
@ -10,11 +10,6 @@
|
|||
|
||||
Discarder::Discarder()
|
||||
{
|
||||
ip_hdr = internal_type("ip_hdr")->AsRecordType();
|
||||
tcp_hdr = internal_type("tcp_hdr")->AsRecordType();
|
||||
udp_hdr = internal_type("udp_hdr")->AsRecordType();
|
||||
icmp_hdr = internal_type("icmp_hdr")->AsRecordType();
|
||||
|
||||
check_ip = internal_func("discarder_check_ip");
|
||||
check_tcp = internal_func("discarder_check_tcp");
|
||||
check_udp = internal_func("discarder_check_udp");
|
||||
|
|
@ -36,12 +31,10 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
|
|||
{
|
||||
int discard_packet = 0;
|
||||
|
||||
const struct ip* ip4 = ip->IP4_Hdr();
|
||||
|
||||
if ( check_ip )
|
||||
{
|
||||
val_list* args = new val_list;
|
||||
args->append(BuildHeader(ip4));
|
||||
args->append(ip->BuildPktHdrVal());
|
||||
|
||||
try
|
||||
{
|
||||
|
|
@ -59,19 +52,18 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
|
|||
return discard_packet;
|
||||
}
|
||||
|
||||
int proto = ip4->ip_p;
|
||||
int proto = ip->NextProto();
|
||||
if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP &&
|
||||
proto != IPPROTO_ICMP )
|
||||
// This is not a protocol we understand.
|
||||
return 0;
|
||||
|
||||
// XXX shall we only check the first packet???
|
||||
uint32 frag_field = ntohs(ip4->ip_off);
|
||||
if ( (frag_field & 0x3fff) != 0 )
|
||||
if ( ip->IsFragment() )
|
||||
// Never check any fragment.
|
||||
return 0;
|
||||
|
||||
int ip_hdr_len = ip4->ip_hl * 4;
|
||||
int ip_hdr_len = ip->HdrLen();
|
||||
len -= ip_hdr_len; // remove IP header
|
||||
caplen -= ip_hdr_len;
|
||||
|
||||
|
|
@ -87,7 +79,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
|
|||
|
||||
// Where the data starts - if this is a protocol we know about,
|
||||
// this gets advanced past the transport header.
|
||||
const u_char* data = ((u_char*) ip4 + ip_hdr_len);
|
||||
const u_char* data = ip->Payload();
|
||||
|
||||
if ( is_tcp )
|
||||
{
|
||||
|
|
@ -97,8 +89,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
|
|||
int th_len = tp->th_off * 4;
|
||||
|
||||
val_list* args = new val_list;
|
||||
args->append(BuildHeader(ip4));
|
||||
args->append(BuildHeader(tp, len));
|
||||
args->append(ip->BuildPktHdrVal());
|
||||
args->append(BuildData(data, th_len, len, caplen));
|
||||
|
||||
try
|
||||
|
|
@ -123,8 +114,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
|
|||
int uh_len = sizeof (struct udphdr);
|
||||
|
||||
val_list* args = new val_list;
|
||||
args->append(BuildHeader(ip4));
|
||||
args->append(BuildHeader(up));
|
||||
args->append(ip->BuildPktHdrVal());
|
||||
args->append(BuildData(data, uh_len, len, caplen));
|
||||
|
||||
try
|
||||
|
|
@ -148,8 +138,7 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
|
|||
const struct icmp* ih = (const struct icmp*) data;
|
||||
|
||||
val_list* args = new val_list;
|
||||
args->append(BuildHeader(ip4));
|
||||
args->append(BuildHeader(ih));
|
||||
args->append(ip->BuildPktHdrVal());
|
||||
|
||||
try
|
||||
{
|
||||
|
|
@ -168,62 +157,6 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
|
|||
return discard_packet;
|
||||
}
|
||||
|
||||
Val* Discarder::BuildHeader(const struct ip* ip)
|
||||
{
|
||||
RecordVal* hdr = new RecordVal(ip_hdr);
|
||||
|
||||
hdr->Assign(0, new Val(ip->ip_hl * 4, TYPE_COUNT));
|
||||
hdr->Assign(1, new Val(ip->ip_tos, TYPE_COUNT));
|
||||
hdr->Assign(2, new Val(ntohs(ip->ip_len), TYPE_COUNT));
|
||||
hdr->Assign(3, new Val(ntohs(ip->ip_id), TYPE_COUNT));
|
||||
hdr->Assign(4, new Val(ip->ip_ttl, TYPE_COUNT));
|
||||
hdr->Assign(5, new Val(ip->ip_p, TYPE_COUNT));
|
||||
hdr->Assign(6, new AddrVal(ip->ip_src.s_addr));
|
||||
hdr->Assign(7, new AddrVal(ip->ip_dst.s_addr));
|
||||
|
||||
return hdr;
|
||||
}
|
||||
|
||||
Val* Discarder::BuildHeader(const struct tcphdr* tp, int tcp_len)
|
||||
{
|
||||
RecordVal* hdr = new RecordVal(tcp_hdr);
|
||||
|
||||
hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
|
||||
hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
|
||||
hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
|
||||
hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
|
||||
|
||||
int tcp_hdr_len = tp->th_off * 4;
|
||||
|
||||
hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
|
||||
hdr->Assign(5, new Val(tcp_len - tcp_hdr_len, TYPE_COUNT));
|
||||
|
||||
hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
|
||||
hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
|
||||
|
||||
return hdr;
|
||||
}
|
||||
|
||||
Val* Discarder::BuildHeader(const struct udphdr* up)
|
||||
{
|
||||
RecordVal* hdr = new RecordVal(udp_hdr);
|
||||
|
||||
hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
|
||||
hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
|
||||
hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
|
||||
|
||||
return hdr;
|
||||
}
|
||||
|
||||
Val* Discarder::BuildHeader(const struct icmp* icmp)
|
||||
{
|
||||
RecordVal* hdr = new RecordVal(icmp_hdr);
|
||||
|
||||
hdr->Assign(0, new Val(icmp->icmp_type, TYPE_COUNT));
|
||||
|
||||
return hdr;
|
||||
}
|
||||
|
||||
Val* Discarder::BuildData(const u_char* data, int hdrlen, int len, int caplen)
|
||||
{
|
||||
len -= hdrlen;
|
||||
|
|
|
|||
|
|
@ -25,17 +25,8 @@ public:
|
|||
int NextPacket(const IP_Hdr* ip, int len, int caplen);
|
||||
|
||||
protected:
|
||||
Val* BuildHeader(const struct ip* ip);
|
||||
Val* BuildHeader(const struct tcphdr* tp, int tcp_len);
|
||||
Val* BuildHeader(const struct udphdr* up);
|
||||
Val* BuildHeader(const struct icmp* icmp);
|
||||
Val* BuildData(const u_char* data, int hdrlen, int len, int caplen);
|
||||
|
||||
RecordType* ip_hdr;
|
||||
RecordType* tcp_hdr;
|
||||
RecordType* udp_hdr;
|
||||
RecordType* icmp_hdr;
|
||||
|
||||
Func* check_ip;
|
||||
Func* check_tcp;
|
||||
Func* check_udp;
|
||||
|
|
|
|||
84
src/IP.cc
84
src/IP.cc
|
|
@ -141,7 +141,7 @@ RecordVal* IPv6_ESP::BuildRecordVal() const
|
|||
return rv;
|
||||
}
|
||||
|
||||
RecordVal* IP_Hdr::BuildRecordVal() const
|
||||
RecordVal* IP_Hdr::BuildIPHdrVal() const
|
||||
{
|
||||
RecordVal* rval = 0;
|
||||
|
||||
|
|
@ -226,6 +226,88 @@ RecordVal* IP_Hdr::BuildRecordVal() const
|
|||
return rval;
|
||||
}
|
||||
|
||||
RecordVal* IP_Hdr::BuildPktHdrVal() const
|
||||
{
|
||||
static RecordType* pkt_hdr_type = 0;
|
||||
static RecordType* tcp_hdr_type = 0;
|
||||
static RecordType* udp_hdr_type = 0;
|
||||
static RecordType* icmp_hdr_type = 0;
|
||||
|
||||
if ( ! pkt_hdr_type )
|
||||
{
|
||||
pkt_hdr_type = internal_type("pkt_hdr")->AsRecordType();
|
||||
tcp_hdr_type = internal_type("tcp_hdr")->AsRecordType();
|
||||
udp_hdr_type = internal_type("udp_hdr")->AsRecordType();
|
||||
icmp_hdr_type = internal_type("icmp_hdr")->AsRecordType();
|
||||
}
|
||||
|
||||
RecordVal* pkt_hdr = new RecordVal(pkt_hdr_type);
|
||||
|
||||
if ( ip4 )
|
||||
pkt_hdr->Assign(0, BuildIPHdrVal());
|
||||
else
|
||||
pkt_hdr->Assign(1, BuildIPHdrVal());
|
||||
|
||||
// L4 header.
|
||||
const u_char* data = Payload();
|
||||
|
||||
int proto = NextProto();
|
||||
switch ( proto ) {
|
||||
case IPPROTO_TCP:
|
||||
{
|
||||
const struct tcphdr* tp = (const struct tcphdr*) data;
|
||||
RecordVal* tcp_hdr = new RecordVal(tcp_hdr_type);
|
||||
|
||||
int tcp_hdr_len = tp->th_off * 4;
|
||||
int data_len = PayloadLen() - tcp_hdr_len;
|
||||
|
||||
tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
|
||||
tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
|
||||
tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
|
||||
tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
|
||||
tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
|
||||
tcp_hdr->Assign(5, new Val(data_len, TYPE_COUNT));
|
||||
tcp_hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
|
||||
tcp_hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
|
||||
|
||||
pkt_hdr->Assign(2, tcp_hdr);
|
||||
break;
|
||||
}
|
||||
|
||||
case IPPROTO_UDP:
|
||||
{
|
||||
const struct udphdr* up = (const struct udphdr*) data;
|
||||
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
|
||||
|
||||
udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
|
||||
udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
|
||||
udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
|
||||
|
||||
pkt_hdr->Assign(3, udp_hdr);
|
||||
break;
|
||||
}
|
||||
|
||||
case IPPROTO_ICMP:
|
||||
{
|
||||
const struct icmp* icmpp = (const struct icmp *) data;
|
||||
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
|
||||
|
||||
icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
|
||||
|
||||
pkt_hdr->Assign(4, icmp_hdr);
|
||||
break;
|
||||
}
|
||||
|
||||
default:
|
||||
{
|
||||
// This is not a protocol we understand.
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return pkt_hdr;
|
||||
}
|
||||
|
||||
static inline IPv6_Hdr* getIPv6Header(uint8 type, const u_char* d,
|
||||
bool set_next = false, uint16 nxt = 0)
|
||||
{
|
||||
|
|
|
|||
9
src/IP.h
9
src/IP.h
|
|
@ -249,7 +249,6 @@ public:
|
|||
}
|
||||
}
|
||||
|
||||
//TODO: audit usages of this for correct IPv6 support or IPv4 assumptions
|
||||
const struct ip* IP4_Hdr() const { return ip4; }
|
||||
|
||||
const struct ip6_hdr* IP6_Hdr() const { return ip6; }
|
||||
|
|
@ -355,7 +354,13 @@ public:
|
|||
/**
|
||||
* Returns an ip_hdr or ip6_hdr_chain RecordVal.
|
||||
*/
|
||||
RecordVal* BuildRecordVal() const;
|
||||
RecordVal* BuildIPHdrVal() const;
|
||||
|
||||
/**
|
||||
* Returns a pkt_hdr RecordVal, which includes not only the IP header, but
|
||||
* also upper-layer (tcp/udp/icmp) headers.
|
||||
*/
|
||||
RecordVal* BuildPktHdrVal() const;
|
||||
|
||||
private:
|
||||
const struct ip* ip4;
|
||||
|
|
|
|||
|
|
@ -71,9 +71,7 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
|
|||
if ( ip.NextProto() == IPPROTO_TCP && f.tcp_flags )
|
||||
{
|
||||
// Caution! The packet sanity checks have not been performed yet
|
||||
const struct ip* ip4 = ip.IP4_Hdr();
|
||||
|
||||
int ip_hdr_len = ip4->ip_hl * 4;
|
||||
int ip_hdr_len = ip.HdrLen();
|
||||
len -= ip_hdr_len; // remove IP header
|
||||
caplen -= ip_hdr_len;
|
||||
|
||||
|
|
@ -82,8 +80,7 @@ bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
|
|||
// Packet too short, will be dropped anyway.
|
||||
return false;
|
||||
|
||||
const struct tcphdr* tp =
|
||||
(const struct tcphdr*) ((u_char*) ip4 + ip_hdr_len);
|
||||
const struct tcphdr* tp = (const struct tcphdr*) ip.Payload();
|
||||
|
||||
if ( tp->th_flags & f.tcp_flags )
|
||||
// At least one of the flags is set, so don't drop
|
||||
|
|
|
|||
|
|
@ -333,7 +333,7 @@ void NetSessions::NextPacketSecondary(double /* t */, const struct pcap_pkthdr*
|
|||
new StringVal(sp->Event()->Filter());
|
||||
args->append(cmd_val);
|
||||
IP_Hdr ip_hdr(ip, false);
|
||||
args->append(BuildHeader(&ip_hdr));
|
||||
args->append(ip_hdr.BuildPktHdrVal());
|
||||
// ### Need to queue event here.
|
||||
try
|
||||
{
|
||||
|
|
@ -470,7 +470,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
|
|||
if ( esp_packet )
|
||||
{
|
||||
val_list* vl = new val_list();
|
||||
vl->append(ip_hdr->BuildRecordVal());
|
||||
vl->append(ip_hdr->BuildPktHdrVal());
|
||||
mgr.QueueEvent(esp_packet, vl);
|
||||
}
|
||||
Remove(f);
|
||||
|
|
@ -593,13 +593,13 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
|
|||
|
||||
if ( ipv6_ext_headers && ip_hdr->NumHeaders() > 1 )
|
||||
{
|
||||
pkt_hdr_val = BuildHeader(ip_hdr);
|
||||
pkt_hdr_val = ip_hdr->BuildPktHdrVal();
|
||||
conn->Event(new_packet, 0, pkt_hdr_val);
|
||||
}
|
||||
|
||||
if ( new_packet )
|
||||
conn->Event(new_packet, 0,
|
||||
pkt_hdr_val ? pkt_hdr_val->Ref() : BuildHeader(ip_hdr));
|
||||
pkt_hdr_val ? pkt_hdr_val->Ref() : ip_hdr->BuildPktHdrVal());
|
||||
|
||||
conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data,
|
||||
record_packet, record_content,
|
||||
|
|
@ -654,88 +654,6 @@ bool NetSessions::CheckHeaderTrunc(int proto, uint32 len, uint32 caplen,
|
|||
return false;
|
||||
}
|
||||
|
||||
|
||||
Val* NetSessions::BuildHeader(const IP_Hdr* ip)
|
||||
{
|
||||
static RecordType* pkt_hdr_type = 0;
|
||||
static RecordType* tcp_hdr_type = 0;
|
||||
static RecordType* udp_hdr_type = 0;
|
||||
static RecordType* icmp_hdr_type;
|
||||
|
||||
if ( ! pkt_hdr_type )
|
||||
{
|
||||
pkt_hdr_type = internal_type("pkt_hdr")->AsRecordType();
|
||||
tcp_hdr_type = internal_type("tcp_hdr")->AsRecordType();
|
||||
udp_hdr_type = internal_type("udp_hdr")->AsRecordType();
|
||||
icmp_hdr_type = internal_type("icmp_hdr")->AsRecordType();
|
||||
}
|
||||
|
||||
RecordVal* pkt_hdr = new RecordVal(pkt_hdr_type);
|
||||
|
||||
if ( ip->IP4_Hdr() )
|
||||
pkt_hdr->Assign(0, ip->BuildRecordVal());
|
||||
else
|
||||
pkt_hdr->Assign(1, ip->BuildRecordVal());
|
||||
|
||||
// L4 header.
|
||||
const u_char* data = ip->Payload();
|
||||
|
||||
int proto = ip->NextProto();
|
||||
switch ( proto ) {
|
||||
case IPPROTO_TCP:
|
||||
{
|
||||
const struct tcphdr* tp = (const struct tcphdr*) data;
|
||||
RecordVal* tcp_hdr = new RecordVal(tcp_hdr_type);
|
||||
|
||||
int tcp_hdr_len = tp->th_off * 4;
|
||||
int data_len = ip->PayloadLen() - tcp_hdr_len;
|
||||
|
||||
tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
|
||||
tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
|
||||
tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
|
||||
tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
|
||||
tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
|
||||
tcp_hdr->Assign(5, new Val(data_len, TYPE_COUNT));
|
||||
tcp_hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
|
||||
tcp_hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
|
||||
|
||||
pkt_hdr->Assign(2, tcp_hdr);
|
||||
break;
|
||||
}
|
||||
|
||||
case IPPROTO_UDP:
|
||||
{
|
||||
const struct udphdr* up = (const struct udphdr*) data;
|
||||
RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
|
||||
|
||||
udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
|
||||
udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
|
||||
udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
|
||||
|
||||
pkt_hdr->Assign(3, udp_hdr);
|
||||
break;
|
||||
}
|
||||
|
||||
case IPPROTO_ICMP:
|
||||
{
|
||||
const struct icmp* icmpp = (const struct icmp *) data;
|
||||
RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
|
||||
|
||||
icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
|
||||
|
||||
pkt_hdr->Assign(4, icmp_hdr);
|
||||
break;
|
||||
}
|
||||
|
||||
default:
|
||||
{
|
||||
// This is not a protocol we understand.
|
||||
}
|
||||
}
|
||||
|
||||
return pkt_hdr;
|
||||
}
|
||||
|
||||
FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
|
||||
const u_char* pkt)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -190,11 +190,6 @@ protected:
|
|||
void Internal(const char* msg, const struct pcap_pkthdr* hdr,
|
||||
const u_char* pkt);
|
||||
|
||||
// Builds a record encapsulating a packet. This should be more
|
||||
// general, including the equivalent of a union of tcp/udp/icmp
|
||||
// headers .
|
||||
Val* BuildHeader(const IP_Hdr* ip);
|
||||
|
||||
// For a given protocol, checks whether the header's length as derived
|
||||
// from lower-level headers or the length actually captured is less
|
||||
// than that protocol's minimum header size.
|
||||
|
|
|
|||
|
|
@ -0,0 +1,8 @@
|
|||
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
|
||||
24
testing/btest/Baseline/core.discarder/output
Normal file
24
testing/btest/Baseline/core.discarder/output
Normal file
|
|
@ -0,0 +1,24 @@
|
|||
################ IP Discarder ################
|
||||
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
|
||||
################ TCP Discarder ################
|
||||
[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp]
|
||||
[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
|
||||
################ UDP Discarder ################
|
||||
[orig_h=fe80::217:f2ff:fed7:cf65, orig_p=5353/udp, resp_h=ff02::fb, resp_p=5353/udp]
|
||||
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
|
||||
[orig_h=fe80::3074:17d5:2052:c324, orig_p=65373/udp, resp_h=ff02::1:3, resp_p=5355/udp]
|
||||
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
|
||||
[orig_h=fe80::3074:17d5:2052:c324, orig_p=54213/udp, resp_h=ff02::1:3, resp_p=5355/udp]
|
||||
################ ICMP Discarder ################
|
||||
Discard icmp packet: [icmp_type=3]
|
||||
BIN
testing/btest/Traces/icmp-unreach.trace
Normal file
BIN
testing/btest/Traces/icmp-unreach.trace
Normal file
Binary file not shown.
13
testing/btest/bifs/install_src_addr_filter.test
Normal file
13
testing/btest/bifs/install_src_addr_filter.test
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT >output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
install_src_addr_filter(141.142.220.118, TH_SYN, 100.0);
|
||||
}
|
||||
|
||||
event new_packet(c: connection, p: pkt_hdr)
|
||||
{
|
||||
if ( p?$tcp && p$ip$src == 141.142.220.118 )
|
||||
print c$id;
|
||||
}
|
||||
92
testing/btest/core/discarder.bro
Normal file
92
testing/btest/core/discarder.bro
Normal file
|
|
@ -0,0 +1,92 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-ip.bro >output
|
||||
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-tcp.bro >>output
|
||||
# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace discarder-udp.bro >>output
|
||||
# @TEST-EXEC: bro -C -r $TRACES/icmp-unreach.trace discarder-icmp.bro >>output
|
||||
# @TEST-EXEC: btest-diff output
|
||||
|
||||
@TEST-START-FILE discarder-ip.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
print "################ IP Discarder ################";
|
||||
}
|
||||
|
||||
function discarder_check_ip(p: pkt_hdr): bool
|
||||
{
|
||||
if ( p?$ip && p$ip$src == 141.142.220.118 && p$ip$dst == 208.80.152.2 )
|
||||
return F;
|
||||
return T;
|
||||
}
|
||||
|
||||
|
||||
event new_packet(c: connection, p: pkt_hdr)
|
||||
{
|
||||
print c$id;
|
||||
}
|
||||
|
||||
@TEST-END-FILE
|
||||
|
||||
@TEST-START-FILE discarder-tcp.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
print "################ TCP Discarder ################";
|
||||
}
|
||||
|
||||
function discarder_check_tcp(p: pkt_hdr, d: string): bool
|
||||
{
|
||||
if ( p$tcp$flags == TH_SYN )
|
||||
return F;
|
||||
return T;
|
||||
}
|
||||
|
||||
event new_packet(c: connection, p: pkt_hdr)
|
||||
{
|
||||
if ( p?$tcp )
|
||||
print c$id;
|
||||
}
|
||||
|
||||
@TEST-END-FILE
|
||||
|
||||
@TEST-START-FILE discarder-udp.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
print "################ UDP Discarder ################";
|
||||
}
|
||||
|
||||
function discarder_check_udp(p: pkt_hdr, d: string): bool
|
||||
{
|
||||
if ( p?$ip6 )
|
||||
return F;
|
||||
return T;
|
||||
}
|
||||
|
||||
event new_packet(c: connection, p: pkt_hdr)
|
||||
{
|
||||
if ( p?$udp )
|
||||
print c$id;
|
||||
}
|
||||
|
||||
@TEST-END-FILE
|
||||
|
||||
@TEST-START-FILE discarder-icmp.bro
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
print "################ ICMP Discarder ################";
|
||||
}
|
||||
|
||||
function discarder_check_icmp(p: pkt_hdr): bool
|
||||
{
|
||||
print fmt("Discard icmp packet: %s", p$icmp);
|
||||
return T;
|
||||
}
|
||||
|
||||
event new_packet(c: connection, p: pkt_hdr)
|
||||
{
|
||||
if ( p?$icmp )
|
||||
print c$id;
|
||||
}
|
||||
|
||||
@TEST-END-FILE
|
||||
Loading…
Add table
Add a link
Reference in a new issue