Add more data to icmp events

This commit is contained in:
Daniel Thayer 2012-03-27 17:55:39 -05:00
parent bae6a4178e
commit 169b3c833f
3 changed files with 98 additions and 19 deletions


@ -149,12 +149,20 @@ void ICMP_Analyzer::NextICMP6(double t, const struct icmp* icmpp, int len, int c
break; break;
// Router related messages. // Router related messages.
case ND_NEIGHBOR_SOLICIT:
case ND_NEIGHBOR_ADVERT:
case ND_REDIRECT: case ND_REDIRECT:
Redirect(t, icmpp, len, caplen, data, ip_hdr);
break;
case ND_ROUTER_ADVERT:
RouterAdvert(t, icmpp, len, caplen, data, ip_hdr);
break;
case ND_NEIGHBOR_ADVERT:
NeighborAdvert(t, icmpp, len, caplen, data, ip_hdr);
break;
case ND_NEIGHBOR_SOLICIT:
NeighborSolicit(t, icmpp, len, caplen, data, ip_hdr);
break;
case ND_ROUTER_SOLICIT: case ND_ROUTER_SOLICIT:
case ICMP6_ROUTER_RENUMBERING: case ICMP6_ROUTER_RENUMBERING:
case ND_ROUTER_ADVERT:
Router(t, icmpp, len, caplen, data, ip_hdr); Router(t, icmpp, len, caplen, data, ip_hdr);
break; break;
@ -489,6 +497,81 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
} }
void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* /*ip_hdr*/)
{
EventHandlerPtr f = icmp_router_advertisement;
uint32 reachable, retrans;
memcpy(&reachable, data, sizeof(reachable));
memcpy(&retrans, data + sizeof(reachable), sizeof(retrans));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1));
vl->append(new Val(icmpp->icmp_num_addrs, TYPE_COUNT));
vl->append(new Val(icmpp->icmp_wpa & 0x80, TYPE_BOOL));
vl->append(new Val(htons(icmpp->icmp_lifetime), TYPE_COUNT));
vl->append(new Val(reachable, TYPE_INTERVAL));
vl->append(new Val(retrans, TYPE_INTERVAL));
ConnectionEvent(f, vl);
}
void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* /*ip_hdr*/)
{
EventHandlerPtr f = icmp_neighbor_advertisement;
in6_addr tgtaddr;
memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1));
vl->append(new AddrVal(IPAddr(tgtaddr)));
ConnectionEvent(f, vl);
}
void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* /*ip_hdr*/)
{
EventHandlerPtr f = icmp_neighbor_solicitation;
in6_addr tgtaddr;
memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1));
vl->append(new AddrVal(IPAddr(tgtaddr)));
ConnectionEvent(f, vl);
}
void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* /*ip_hdr*/)
{
EventHandlerPtr f = icmp_redirect;
in6_addr tgtaddr, dstaddr;
memcpy(&tgtaddr.s6_addr, data, sizeof(tgtaddr.s6_addr));
memcpy(&dstaddr.s6_addr, data + sizeof(tgtaddr.s6_addr), sizeof(dstaddr.s6_addr));
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(BuildICMPVal(icmpp, len, 1));
vl->append(new AddrVal(IPAddr(tgtaddr)));
vl->append(new AddrVal(IPAddr(dstaddr)));
ConnectionEvent(f, vl);
}
void ICMP_Analyzer::Router(double t, const struct icmp* icmpp, int len, void ICMP_Analyzer::Router(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* /*ip_hdr*/) int caplen, const u_char*& data, const IP_Hdr* /*ip_hdr*/)
{ {
@ -496,21 +579,9 @@ void ICMP_Analyzer::Router(double t, const struct icmp* icmpp, int len,
switch ( icmpp->icmp_type ) switch ( icmpp->icmp_type )
{ {
case ND_NEIGHBOR_ADVERT:
f = icmp_neighbor_advertisement;
break;
case ND_NEIGHBOR_SOLICIT:
f = icmp_neighbor_solicitation;
break;
case ND_ROUTER_ADVERT:
f = icmp_router_advertisement;
break;
case ND_ROUTER_SOLICIT: case ND_ROUTER_SOLICIT:
f = icmp_router_solicitation; f = icmp_router_solicitation;
break; break;
case ND_REDIRECT:
f = icmp_redirect;
break;
case ICMP6_ROUTER_RENUMBERING: case ICMP6_ROUTER_RENUMBERING:
default: default:
ICMPEvent(icmp_sent, icmpp, len, 1); ICMPEvent(icmp_sent, icmpp, len, 1);
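Review bot: RouterAdvert, NeighborAdvert, NeighborSolicit and Redirect memcpy 8 to 32 bytes out of `data` without first checking `caplen` (or `len`), so a truncated or deliberately short neighbor-discovery message makes the analyzer read past the end of the captured packet; both parameters are received by the new functions but never consulted. Each function should reject a short message before copying, e.g. for Redirect `if ( caplen < int(2 * sizeof(tgtaddr.s6_addr)) ) return;`, assuming caplen counts the bytes remaining at `data` (the hunk does not show how it is measured, so confirm against the caller). Separately, RouterAdvert passes the wire-order `reachable` and `retrans` to TYPE_INTERVAL without ntohl, while the lifetime field is converted with htons (ntohs is the intended direction, even if identical in effect); if these are the RFC 4861 millisecond fields they would also need scaling before becoming an interval. The NextICMP6 switch at the top of the section and Router() at the bottom both continue outside the hunks.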


@ -39,6 +39,14 @@ protected:
int caplen, const u_char*& data, const IP_Hdr* ip_hdr); int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void Context(double t, const struct icmp* icmpp, int len, void Context(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr); int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void Redirect(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void RouterAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void NeighborAdvert(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void NeighborSolicit(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr);
void Router(double t, const struct icmp* icmpp, int len, void Router(double t, const struct icmp* icmpp, int len,
int caplen, const u_char*& data, const IP_Hdr* ip_hdr); int caplen, const u_char*& data, const IP_Hdr* ip_hdr);


@ -955,7 +955,7 @@ event icmp_router_solicitation%(c: connection, icmp: icmp_conn%);
## ##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent ## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent
## icmp_time_exceeded icmp_unreachable ## icmp_time_exceeded icmp_unreachable
event icmp_router_advertisement%(c: connection, icmp: icmp_conn%); event icmp_router_advertisement%(c: connection, icmp: icmp_conn, hop_limit: count, managed: bool, router_lifetime: count, reachable_time: interval, retrans_timer: interval%);
## Generated for ICMP *neighbor solicitation* messages. ## Generated for ICMP *neighbor solicitation* messages.
## ##
@ -970,7 +970,7 @@ event icmp_router_advertisement%(c: connection, icmp: icmp_conn%);
## ##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent ## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent
## icmp_time_exceeded icmp_unreachable ## icmp_time_exceeded icmp_unreachable
event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn%); event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt:addr%);
## Generated for ICMP *neighbor advertisement* messages. ## Generated for ICMP *neighbor advertisement* messages.
## ##
@ -985,7 +985,7 @@ event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn%);
## ##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent ## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent
## icmp_time_exceeded icmp_unreachable ## icmp_time_exceeded icmp_unreachable
event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn%); event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, tgt:addr%);
## Generated for ICMP *redirect* messages. ## Generated for ICMP *redirect* messages.
## ##
@ -1002,7 +1002,7 @@ event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn%);
## ##
## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent ## .. bro:see:: icmp_echo_reply icmp_echo_request icmp_sent
## icmp_time_exceeded icmp_unreachable ## icmp_time_exceeded icmp_unreachable
event icmp_redirect%(c: connection, icmp: icmp_conn, a: addr%); event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr%);
## Generated when a TCP connection terminated, passing on statistics about the ## Generated when a TCP connection terminated, passing on statistics about the
## two endpoints. This event is always generated when Bro flushes the internal ## two endpoints. This event is always generated when Bro flushes the internal
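Review bot: The new event parameters (`hop_limit`, `managed`, `router_lifetime`, `reachable_time`, `retrans_timer`, `tgt`, `dest`) are not described in the `##` doc comments above the signatures, which still only carry the `.. bro:see::` cross-references; each event should gain parameter lines such as `## tgt: The target address carried in the message.` and `## dest: The destination address the redirect applies to.`, and the router-advertisement doc should state the units of `reachable_time` and `retrans_timer`. Renaming `icmp_redirect`'s `a` to `tgt` and adding `dest`, like the added parameters on the other three events, changes the handler signature, so existing scripts handling these events stop matching; that is worth stating in the event doc or the commit message. Minor style: `tgt:addr` on the neighbor solicitation and advertisement lines lacks the space after the colon used everywhere else (`tgt: addr`).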