From 169b3c833fc66fde49fbd653c87fbf56d951b846 Mon Sep 17 00:00:00 2001
From: Daniel Thayer
Date: Tue, 27 Mar 2012 17:55:39 -0500
Subject: [PATCH] Add more data to icmp events
---
 src/ICMP.cc | 101 ++++++++++++++++++++++++++++++++++++++++++--------
 src/ICMP.h | 8 ++++
 src/event.bif | 8 ++--
 3 files changed, 98 insertions(+), 19 deletions(-)
diff --git a/src/ICMP.cc b/src/ICMP.cc
index 4df9cc049e..a5cfdbcb64 100644
--- a/src/ICMP.cc
+++ b/src/ICMP.cc
@@ -149,12 +149,20 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c
 break;
 // Router related messages.
- case ND_NEIGHBOR_SOLICIT:
- case ND_NEIGHBOR_ADVERT:
 case ND_REDIRECT:
+ Redirect(t, icmpp, len, caplen, data, ip_hdr);
+ break;
+ case ND_ROUTER_ADVERT:
+ RouterAdvert(t, icmpp, len, caplen, data, ip_hdr);
+ break;
+ case ND_NEIGHBOR_ADVERT:
+ NeighborAdvert(t, icmpp, len, caplen, data, ip_hdr);
+ break;
+ case ND_NEIGHBOR_SOLICIT:
+ NeighborSolicit(t, icmpp, len, caplen, data, ip_hdr);
+ break;
 case ND_ROUTER_SOLICIT:
 case ICMP6_ROUTER_RENUMBERING:
- case ND_ROUTER_ADVERT:
 Router(t, icmpp, len, caplen, data, ip_hdr);
 break;
@@ -489,6 +497,81 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
 }
+void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
+ int caplen, const u_char*& data, const IP_Hdr* /*ip_hdr*/)
+ {
+ EventHandlerPtr f = icmp_router_advertisement;
+ uint32 reachable, retrans;
+
+ memcpy(&reachable, data, sizeof(reachable));
+ memcpy(&retrans, data + sizeof(reachable), sizeof(retrans));
+
+ val_list* vl = new val_list;
+ vl->append(BuildConnVal());
+ vl->append(BuildICMPVal(icmpp, len, 1));
+ vl->append(new Val(icmpp->icmp_num_addrs, TYPE_COUNT));
+ vl->append(new Val(icmpp->icmp_wpa & 0x80, TYPE_BOOL));
+ vl->append(new Val(htons(icmpp->icmp_lifetime), TYPE_COUNT));
+ vl->append(new Val(reachable, TYPE_INTERVAL));
+ vl->append(new Val(retrans, TYPE_INTERVAL));
+
+ ConnectionEvent(f, vl);
+ }
+
+
+void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
+ int caplen, const u_char*& data, const IP_Hdr* /*ip_hdr*/)
+ {
+ EventHandlerPtr f = icmp_neighbor_advertisement;
+ in6_addr tgtaddr;
+
+ memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr));
+
+ val_list* vl = new val_list;
+ vl->append(BuildConnVal());
+ vl->append(BuildICMPVal(icmpp, len, 1));
+ vl->append(new AddrVal(IPAddr(tgtaddr)));
+
+ ConnectionEvent(f, vl);
+ }
+
+
+void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
+ int caplen, const u_char*& data, const IP_Hdr* /*ip_hdr*/)
+ {
+ EventHandlerPtr f = icmp_neighbor_solicitation;
+ in6_addr tgtaddr;
+
+ memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr));
+
+ val_list* vl = new val_list;
+ vl->append(BuildConnVal());
+ vl->append(BuildICMPVal(icmpp, len, 1));
+ vl->append(new AddrVal(IPAddr(tgtaddr)));
+
+ ConnectionEvent(f, vl);
+ }
+
+
+void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
+ int caplen, const u_char*& data, const IP_Hdr* /*ip_hdr*/)
+ {
+ EventHandlerPtr f = icmp_redirect;
+ in6_addr tgtaddr, dstaddr;
+
+ memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr));
+ memcpy(&dstaddr.s6_addr, data + sizeof(tgtaddr.s6_addr), sizeof(dstaddr.s6_addr));
+
+ val_list* vl = new val_list;
+ vl->append(BuildConnVal());
+ vl->append(BuildICMPVal(icmpp, len, 1));
+ vl->append(new AddrVal(IPAddr(tgtaddr)));
+ vl->append(new AddrVal(IPAddr(dstaddr)));
+
+ ConnectionEvent(f, vl);
+ }
+
+
 void ICMP_Analyzer::Router(double t, const struct icmp* icmpp, int len,
 int caplen, const u_char*& data, const IP_Hdr* /*ip_hdr*/)
 {
@@ -496,21 +579,9 @@ void ICMP_Analyzer::Router(double t, const struct icmp* icmpp, int len,
 switch ( icmpp->icmp_type )
 {
- case ND_NEIGHBOR_ADVERT:
- f = icmp_neighbor_advertisement;
- break;
- case ND_NEIGHBOR_SOLICIT:
- f = icmp_neighbor_solicitation;
- break;
- case ND_ROUTER_ADVERT:
- f = icmp_router_advertisement;
- break;
 case ND_ROUTER_SOLICIT:
 f = icmp_router_solicitation;
 break;
- case ND_REDIRECT:
- f = icmp_redirect;
- break;
 case ICMP6_ROUTER_RENUMBERING:
 default:
 ICMPEvent(icmp_sent, icmpp, len, 1);
diff --git a/src/ICMP.h b/src/ICMP.h
index 427c183612..59a399f74f 100644
--- a/src/ICMP.h
+++ b/src/ICMP.h
@@ -39,6 +39,14 @@ protected:
 int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
 void Context(double t, const struct icmp* icmpp, int len,
 int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
+ void Redirect(double t, const struct icmp* icmpp, int len,
+ int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
+ void RouterAdvert(double t, const struct icmp* icmpp, int len,
+ int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
+ void NeighborAdvert(double t, const struct icmp* icmpp, int len,
+ int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
+ void NeighborSolicit(double t, const struct icmp* icmpp, int len,
+ int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
 void Router(double t, const struct icmp* icmpp, int len,
 int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
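Review bot: None of the four new handlers checks `caplen` before the `memcpy` from `data`: RouterAdvert copies 8 bytes, NeighborAdvert and NeighborSolicit 16, and Redirect 32, so a truncated or undersized Neighbor Discovery message makes the analyzer read past the captured packet. Each handler should return before the copy when the captured length is short, e.g. `if ( caplen < int(sizeof(tgtaddr.s6_addr)) ) return;` in NeighborAdvert/NeighborSolicit and the analogous sizes in the other two, ideally reporting the truncation through whatever error/weird path the analyzer already uses (this assumes `caplen` is the captured length remaining at `data`; confirm against NextICMP6, which is outside this hunk). Separately, `reachable` and `retrans` are copied in network byte order and passed straight to `new Val(..., TYPE_INTERVAL)`, so the values are wrong on little-endian hosts; they need `ntohl`, and since RFC 4861 defines both fields in milliseconds the interval should also be scaled, e.g. `new Val(ntohl(reachable) / 1000.0, TYPE_INTERVAL)`. `htons(icmpp->icmp_lifetime)` yields the right bits, but `ntohs` states the intent.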
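Review bot: The four new declarations in ICMP.h state nothing about the contract the implementations depend on, namely where `data` must point and that `caplen` bounds what may be read from it. A comment above `Redirect` such as `// ICMPv6 Neighbor Discovery handlers (RFC 4861). data is expected to point at the message body after the ICMP header; callers pass the remaining captured length in caplen, which the handler must check before reading.` would make the precondition explicit for future handlers. The exact offset of `data` is inferred from RouterAdvert reading the reachable-time field directly from it; confirm against NextICMP6 before wording the comment.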
diff --git a/src/event.bif b/src/event.bif
index 7d0d4b2ef5..8e7b0be8a8 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -955,7 +955,7 @@ event icmp_router_solicitation%(c: connection, icmp: icmp_conn%);
 ##
 ## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent
 ## icmp_time_exceeded icmp_unreachable
-event icmp_router_advertisement%(c: connection, icmp: icmp_conn%);
+event icmp_router_advertisement%(c: connection, icmp: icmp_conn, hop_limit: count, managed: bool, router_lifetime: count, reachable_time: interval, retrans_timer: interval%);
 ## Generated for ICMP *neighbor solicitation* messages.
 ##
@@ -970,7 +970,7 @@ event icmp_router_advertisement%(c: connection, icmp: icmp_conn%);
 ##
 ## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent
 ## icmp_time_exceeded icmp_unreachable
-event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn%);
+event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt:addr%);
 ## Generated for ICMP *neighbor advertisement* messages.
 ##
@@ -985,7 +985,7 @@ event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn%);
 ##
 ## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent
 ## icmp_time_exceeded icmp_unreachable
-event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn%);
+event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, tgt:addr%);
 ## Generated for ICMP *redirect* messages.
 ##
@@ -1002,7 +1002,7 @@ event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn%);
 ##
 ## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent
 ## icmp_time_exceeded icmp_unreachable
-event icmp_redirect%(c: connection, icmp: icmp_conn, a: addr%);
+event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr%);
 ## Generated when a TCP connection terminated, passing on statistics about the
 ## two endpoints. This event is always generated when Bro flushes the internal
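Review bot: The `##` documentation above `icmp_router_advertisement` is not extended for the five parameters the event now carries (`hop_limit`, `managed`, `router_lifetime`, `reachable_time`, `retrans_timer`); the same gap applies to `tgt` in the `icmp_neighbor_solicitation` and `icmp_neighbor_advertisement` hunks, and in the `icmp_redirect` hunk the rename of `a` to `tgt`/`dest` presumably leaves the old parameter's doc line, outside the hunk, describing a name that no longer exists. Each new parameter needs a line in the file's existing style, e.g. `## tgt: The IPv6 address that is the target of the solicitation.` for the solicitation event, and one `## name: ...` line per field for the advertisement, with `reachable_time` and `retrans_timer` described in the unit the analyzer actually delivers. Also `tgt:addr` in the two neighbor hunks lacks the space after the colon that `tgt: addr, dest: addr` in the redirect hunk uses; `tgt: addr` keeps the file consistent.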