diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 9c60d76746..a2cb3e4c5e 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -793,71 +793,6 @@ type entropy_test_result: record {
 	serial_correlation: double;	##< Serial correlation coefficient.
 };
 
-# Prototypes of Bro built-in functions.
-@load base/bif/strings.bif
-@load base/bif/bro.bif
-@load base/bif/reporter.bif
-
-## Deprecated. This is superseded by the new logging framework.
-global log_file_name: function(tag: string): string &redef;
-
-## Deprecated. This is superseded by the new logging framework.
-global open_log_file: function(tag: string): file &redef;
-
-## Specifies a directory for Bro to store its persistent state. All globals can
-## be declared persistent via the :bro:attr:`&persistent` attribute.
-const state_dir = ".state" &redef;
-
-## Length of the delays inserted when storing state incrementally. To avoid
-## dropping packets when serializing larger volumes of persistent state to
-## disk, Bro interleaves the operation with continued packet processing.
-const state_write_delay = 0.01 secs &redef;
-
-global done_with_network = F;
-event net_done(t: time) { done_with_network = T; }
-
-function log_file_name(tag: string): string
-	{
-	local suffix = getenv("BRO_LOG_SUFFIX") == "" ? "log" : getenv("BRO_LOG_SUFFIX");
-	return fmt("%s.%s", tag, suffix);
-	}
-
-function open_log_file(tag: string): file
-	{
-	return open(log_file_name(tag));
-	}
-
-## Internal function.
-function add_interface(iold: string, inew: string): string
-	{
-	if ( iold == "" )
-		return inew;
-	else
-		return fmt("%s %s", iold, inew);
-	}
-
-## Network interfaces to listen on. Use ``redef interfaces += "eth0"`` to
-## extend.
-global interfaces = "" &add_func = add_interface;
-
-## Internal function.
-function add_signature_file(sold: string, snew: string): string
-	{
-	if ( sold == "" )
-		return snew;
-	else
-		return cat(sold, " ", snew);
-	}
-
-## Signature files to read. Use ``redef signature_files += "foo.sig"`` to
-## extend. Signature files added this way will be searched relative to
-## ``BROPATH``. Using the ``@load-sigs`` directive instead is preferred
-## since that can search paths relative to the current script.
-global signature_files = "" &add_func = add_signature_file;
-
-## ``p0f`` fingerprint file to use. Will be searched relative to ``BROPATH``.
-const passive_fingerprint_file = "base/misc/p0f.fp" &redef;
-
 # TCP values for :bro:see:`endpoint` *state* field.
 # todo:: these should go into an enum to make them autodoc'able.
 const TCP_INACTIVE = 0;	##< Endpoint is still inactive.
@@ -1768,6 +1703,71 @@ type gtp_delete_pdp_ctx_response_elements: record {
 	ext: gtp_private_extension &optional;
 };
 
+# Prototypes of Bro built-in functions.
+@load base/bif/strings.bif
+@load base/bif/bro.bif
+@load base/bif/reporter.bif
+
+## Deprecated. This is superseded by the new logging framework.
+global log_file_name: function(tag: string): string &redef;
+
+## Deprecated. This is superseded by the new logging framework.
+global open_log_file: function(tag: string): file &redef;
+
+## Specifies a directory for Bro to store its persistent state. All globals can
+## be declared persistent via the :bro:attr:`&persistent` attribute.
+const state_dir = ".state" &redef;
+
+## Length of the delays inserted when storing state incrementally. To avoid
+## dropping packets when serializing larger volumes of persistent state to
+## disk, Bro interleaves the operation with continued packet processing.
+const state_write_delay = 0.01 secs &redef;
+
+global done_with_network = F;
+event net_done(t: time) { done_with_network = T; }
+
+function log_file_name(tag: string): string
+	{
+	local suffix = getenv("BRO_LOG_SUFFIX") == "" ? "log" : getenv("BRO_LOG_SUFFIX");
+	return fmt("%s.%s", tag, suffix);
+	}
+
+function open_log_file(tag: string): file
+	{
+	return open(log_file_name(tag));
+	}
+
+## Internal function.
+function add_interface(iold: string, inew: string): string
+	{
+	if ( iold == "" )
+		return inew;
+	else
+		return fmt("%s %s", iold, inew);
+	}
+
+## Network interfaces to listen on. Use ``redef interfaces += "eth0"`` to
+## extend.
+global interfaces = "" &add_func = add_interface;
+
+## Internal function.
+function add_signature_file(sold: string, snew: string): string
+	{
+	if ( sold == "" )
+		return snew;
+	else
+		return cat(sold, " ", snew);
+	}
+
+## Signature files to read. Use ``redef signature_files += "foo.sig"`` to
+## extend. Signature files added this way will be searched relative to
+## ``BROPATH``. Using the ``@load-sigs`` directive instead is preferred
+## since that can search paths relative to the current script.
+global signature_files = "" &add_func = add_signature_file;
+
+## ``p0f`` fingerprint file to use. Will be searched relative to ``BROPATH``.
+const passive_fingerprint_file = "base/misc/p0f.fp" &redef;
+
 ## Definition of "secondary filters". A secondary filter is a BPF filter given
 ## as index in this table. For each such filter, the corresponding event is
 ## raised for all matching packets.
diff --git a/src/IP.cc b/src/IP.cc
index 3a19f02d23..ebe778e3d7 100644
--- a/src/IP.cc
+++ b/src/IP.cc
@@ -1,5 +1,9 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include
+#include
+#include
+
 #include "IP.h"
 #include "Type.h"
 #include "Val.h"
@@ -403,6 +407,17 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const
 		break;
 		}
 
+	case IPPROTO_ICMPV6:
+		{
+		const struct icmp6_hdr* icmpp = (const struct icmp6_hdr*) data;
+		RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
+
+		icmp_hdr->Assign(0, new Val(icmpp->icmp6_type, TYPE_COUNT));
+
+		pkt_hdr->Assign(sindex + 4, icmp_hdr);
+		break;
+		}
+
 	default:
 		{
 		// This is not a protocol we understand.
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 8a901842fd..ccc94c97a6 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -15,6 +15,8 @@ RecordType* icmp_conn;
 RecordType* icmp_context;
 RecordType* SYN_packet;
 RecordType* pcap_packet;
+RecordType* raw_pkt_hdr_type;
+RecordType* l2_hdr_type;
 RecordType* signature_state;
 EnumType* transport_proto;
 TableType* string_set;
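Review bot: The new `IPPROTO_ICMPV6` case casts `data` to `const struct icmp6_hdr*` and reads `icmpp->icmp6_type` with no length check visible in the hunk, so if `IP_Hdr::BuildPktHdrVal` (which begins and ends outside this hunk) does not already bound `data` against the captured length before the switch, a truncated IPv6 packet carrying next-header 58 turns that read into an out-of-bounds access on the capture buffer. The case sits alongside the existing TCP/UDP/ICMP cases and presumably inherits whatever guarantee they rely on; if that guarantee is not there, a guard comparing the bytes remaining after the IP header with `sizeof(struct icmp6_hdr)` and breaking out before the cast would make the case self-contained. Separately, the three new `#include` lines in the first hunk of this file show no header names in this rendering, most likely angle-bracket names dropped on display; worth confirming the committed file names them.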
@@ -324,6 +326,8 @@ void init_net_var()
 	signature_state = internal_type("signature_state")->AsRecordType();
 	SYN_packet = internal_type("SYN_packet")->AsRecordType();
 	pcap_packet = internal_type("pcap_packet")->AsRecordType();
+	raw_pkt_hdr_type = internal_type("raw_pkt_hdr")->AsRecordType();
+	l2_hdr_type = internal_type("l2_hdr")->AsRecordType();
 	transport_proto = internal_type("transport_proto")->AsEnumType();
 	string_set = internal_type("string_set")->AsTableType();
 	string_array = internal_type("string_array")->AsTableType();
diff --git a/src/NetVar.h b/src/NetVar.h
index 97018121f9..909a2a4c1c 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -19,6 +19,8 @@ extern RecordType* icmp_context;
 extern RecordType* signature_state;
 extern RecordType* SYN_packet;
 extern RecordType* pcap_packet;
+extern RecordType* raw_pkt_hdr_type;
+extern RecordType* l2_hdr_type;
 extern EnumType* transport_proto;
 extern TableType* string_set;
 extern TableType* string_array;
diff --git a/src/bro.bif b/src/bro.bif
index 2c55c2bc95..6360d326a1 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -3458,6 +3458,26 @@ function get_current_packet%(%) : pcap_packet
 	return pkt;
 	%}
 
+## Function to get the raw headers of the currently processed packet.
+##
+## Returns: The :bro:type:`connection` record containing the Layer 2, 3 and
+## 4 headers of the currently processed packet.
+##
+## .. bro:see:: raw_pkt_hdr get_current_packet
+function get_current_packet_header%(%) : raw_pkt_hdr
+	%{
+	const Packet* p;
+
+	if ( current_pktsrc &&
+	     current_pktsrc->GetCurrentPacket(&p) )
+		{
+		return p->BuildPktHdrVal();
+		}
+
+	RecordVal* hdr = new RecordVal(raw_pkt_hdr_type);
+	return hdr;
+	%}
+
 ## Writes a given packet to a file.
 ##
 ## pkt: The PCAP packet.
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 2aa7fa58c7..c75b62a832 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
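Review bot: The doc block of the new `get_current_packet_header` says it returns a :bro:type:`connection` record, but the function is declared `: raw_pkt_hdr` and both return paths build a `raw_pkt_hdr`; the line should read `## Returns: The :bro:type:`raw_pkt_hdr` record containing the Layer 2, 3 and`. The fallback path taken when `current_pktsrc` is null or `GetCurrentPacket` fails returns a `raw_pkt_hdr` with no fields assigned, which a script cannot tell apart from a packet whose layers were not parsed, and the new btest only exercises the success path; a sentence in the doc block such as `## If no packet is currently being processed, a record with no fields set is returned.` would make that contract visible to script authors.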
@@ -428,15 +428,6 @@ void Packet::ProcessLayer2()
 
 RecordVal* Packet::BuildPktHdrVal() const
 	{
-	static RecordType* l2_hdr_type = 0;
-	static RecordType* raw_pkt_hdr_type = 0;
-
-	if ( ! raw_pkt_hdr_type )
-		{
-		raw_pkt_hdr_type = internal_type("raw_pkt_hdr")->AsRecordType();
-		l2_hdr_type = internal_type("l2_hdr")->AsRecordType();
-		}
-
 	RecordVal* pkt_hdr = new RecordVal(raw_pkt_hdr_type);
 	RecordVal* l2_hdr = new RecordVal(l2_hdr_type);
 
diff --git a/testing/btest/Baseline/bifs.get_current_packet_header/output b/testing/btest/Baseline/bifs.get_current_packet_header/output
new file mode 100644
index 0000000000..761a248077
--- /dev/null
+++ b/testing/btest/Baseline/bifs.get_current_packet_header/output
@@ -0,0 +1 @@
+[l2=[encap=LINK_ETHERNET, len=78, cap_len=78, src=00:00:00:00:00:00, dst=ff:ff:ff:ff:ff:ff, vlan=, inner_vlan=, eth_type=34525, proto=L3_IPV6], ip=, ip6=[class=0, flow=0, len=24, nxt=58, hlim=255, src=fe80::dead, dst=fe80::beef, exts=[]], tcp=, udp=, icmp=[icmp_type=135]]
diff --git a/testing/btest/Baseline/core.ipv6_zero_len_ah/output b/testing/btest/Baseline/core.ipv6_zero_len_ah/output
index d8db6a4c48..585011acbe 100644
--- a/testing/btest/Baseline/core.ipv6_zero_len_ah/output
+++ b/testing/btest/Baseline/core.ipv6_zero_len_ah/output
@@ -1,2 +1,2 @@
 [orig_h=2000:1300::1, orig_p=128/icmp, resp_h=2000:1300::2, resp_p=129/icmp]
-[ip=, ip6=[class=0, flow=0, len=166, nxt=51, hlim=255, src=2000:1300::1, dst=2000:1300::2, exts=[[id=51, hopopts=, dstopts=, routing=, fragment=, ah=[nxt=58, len=0, rsv=0, spi=0, seq=, data=], esp=, mobility=]]], tcp=, udp=, icmp=]
+[ip=, ip6=[class=0, flow=0, len=166, nxt=51, hlim=255, src=2000:1300::1, dst=2000:1300::2, exts=[[id=51, hopopts=, dstopts=, routing=, fragment=, ah=[nxt=58, len=0, rsv=0, spi=0, seq=, data=], esp=, mobility=]]], tcp=, udp=, icmp=[icmp_type=128]]
diff --git a/testing/btest/bifs/get_current_packet_header.bro b/testing/btest/bifs/get_current_packet_header.bro
new file mode 100644
index 0000000000..24144545ef
--- /dev/null
+++ b/testing/btest/bifs/get_current_packet_header.bro
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -C -r $TRACES/icmp/icmp6-neighbor-solicit.pcap %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)
+	{
+	local hdr: raw_pkt_hdr = get_current_packet_header();
+	print fmt("%s", hdr);
+	}
\ No newline at end of file