From 17796182c6a24c2bc80e3aa96d7aa1cf22ca67f3 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Fri, 5 Jun 2015 00:00:20 -0700
Subject: [PATCH] fix acld plugin to use address instead of subnet (and add
 functions for conversion)

---
 scripts/base/frameworks/pacf/plugins/acld.bro | 25 +++++++++++++----
 src/bro.bif                                   | 27 ++++++++++++++++++-
 .../btest/Baseline/bifs.subnet_to_addr/error  |  0
 .../btest/Baseline/bifs.subnet_to_addr/output |  3 +++
 .../recv.recv.out                             |  4 +--
 testing/btest/bifs/subnet_to_addr.bro         | 14 ++++++++++
 6 files changed, 65 insertions(+), 8 deletions(-)
 create mode 100644 testing/btest/Baseline/bifs.subnet_to_addr/error
 create mode 100644 testing/btest/Baseline/bifs.subnet_to_addr/output
 create mode 100644 testing/btest/bifs/subnet_to_addr.bro

diff --git a/scripts/base/frameworks/pacf/plugins/acld.bro b/scripts/base/frameworks/pacf/plugins/acld.bro
index 25218ce470..95d8d5abed 100644
--- a/scripts/base/frameworks/pacf/plugins/acld.bro
+++ b/scripts/base/frameworks/pacf/plugins/acld.bro
@@ -102,6 +102,18 @@ function acld_name(p: PluginState) : string
 	return fmt("PACF acld plugin - using broker topic %s", p$acld_config$acld_topic);
 	}
 
+# check that subnet specifies an addr
+function check_sn(sn: subnet) : bool
+	{
+	if ( is_v4_subnet(sn) && subnet_width(sn) == 32 )
+		return T;
+	if ( is_v6_subnet(sn) && subnet_width(sn) == 128 )
+		return T;
+
+	Reporter::error(fmt("Acld: rule_to_acl_rule was given a subnet that does not specify a distinct address where needed - %s", sn));
+	return F;
+	}
+
 function rule_to_acl_rule(r: Rule) : AclRule
 	{
 	local e = r$entity;
@@ -122,8 +134,9 @@ function rule_to_acl_rule(r: Rule) : AclRule
 		local f = e$flow;
 		if ( ( ! f?$src_h ) && ( ! f?$src_p ) && f?$dst_h && f?$dst_p && ( ! f?$src_m ) && ( ! f?$dst_m ) )
 			{
-				# fixme - check if address is not a subnet
-			if ( is_tcp_port(f$dst_p) && r$ty == DROP )
+			if ( !check_sn(f$dst_h) )
+				command = ""; # invalid addr, do nothing
+			else if ( is_tcp_port(f$dst_p) && r$ty == DROP )
 				command = "droptcpdsthostport";
 			else if ( is_tcp_port(f$dst_p) && r$ty == WHITELIST )
 				command = "permittcpdsthostport";
@@ -132,13 +145,15 @@ function rule_to_acl_rule(r: Rule) : AclRule
 			else if ( is_udp_port(f$dst_p) && r$ty == WHITELIST)
 				command = "permitucpdsthostport";
 
-			arg = fmt("%s %d", f$dst_h, f$dst_p);
+			arg = fmt("%s %d", subnet_to_addr(f$dst_h), f$dst_p);
 			}
 		else if ( f?$src_h && ( ! f?$src_p ) && f?$dst_h && ( ! f?$dst_p ) && ( ! f?$src_m ) && ( ! f?$dst_m ) )
 			{
-			if ( r$ty == DROP )
+			if ( !check_sn(f$src_h) || !check_sn(f$dst_h) )
+				command = "";
+			else if ( r$ty == DROP )
 				command = "blockhosthost";
-			arg = fmt("%s %s", f$src_h, f$dst_h);
+			arg = fmt("%s %s", subnet_to_addr(f$src_h), subnet_to_addr(f$dst_h));
 			}
 		else if ( ( ! f?$src_h ) && ( ! f?$src_p ) && ( ! f?$dst_h ) && f?$dst_p && ( ! f?$src_m ) && ( ! f?$dst_m ) )
 			{
diff --git a/src/bro.bif b/src/bro.bif
index e6f6923130..6571826e87 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -2398,7 +2398,7 @@ function to_subnet%(sn: string%): subnet
 ##
 ## a: The address to convert.
 ##
-## Returns: The *sn* string as a :bro:type:`subnet`.
+## Returns: The *a* address as a :bro:type:`subnet`.
 ##
 ## .. bro:see:: to_subset
 function addr_to_subnet%(a: addr%): subnet
@@ -2407,6 +2407,31 @@ function addr_to_subnet%(a: addr%): subnet
 	return new SubNetVal(a->AsAddr(), width);
 	%}
 
+## Converts a :bro:type:`subnet` to a :bro:type:`addr` by
+## extracting the prefix.
+##
+## s: The subnet to convert.
+##
+## Returns: The *s* subnet as a :bro:type:`addr`.
+##
+## .. bro:see:: to_subset
+function subnet_to_addr%(sn: subnet%): addr
+	%{
+	return new AddrVal(sn->Prefix());
+	%}
+
+## Returns the width of a :bro:type:`subnet`.
+##
+## s: The subnet to convert.
+##
+## Returns: The width of the subnet.
+##
+## .. bro:see:: to_subset
+function subnet_width%(sn: subnet%): count
+	%{
+	return new Val(sn->Width(), TYPE_COUNT);
+	%}
+
 ## Converts a :bro:type:`string` to a :bro:type:`double`.
 ##
 ## str: The :bro:type:`string` to convert.
diff --git a/testing/btest/Baseline/bifs.subnet_to_addr/error b/testing/btest/Baseline/bifs.subnet_to_addr/error
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Baseline/bifs.subnet_to_addr/output b/testing/btest/Baseline/bifs.subnet_to_addr/output
new file mode 100644
index 0000000000..8c89b3920a
--- /dev/null
+++ b/testing/btest/Baseline/bifs.subnet_to_addr/output
@@ -0,0 +1,3 @@
+subnet_to_addr(0.0.0.0/32) = 0.0.0.0 (SUCCESS)
+subnet_to_addr(1.2.0.0/16) = 1.2.0.0 (SUCCESS)
+subnet_to_addr(2607:f8b0:4005:803::200e/128) = 2607:f8b0:4005:803::200e (SUCCESS)
diff --git a/testing/btest/Baseline/scripts.base.frameworks.pacf.acld/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.pacf.acld/recv.recv.out
index 92ccbc6257..ad604ec09f 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.pacf.acld/recv.recv.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.pacf.acld/recv.recv.out
@@ -1,7 +1,7 @@
 BrokerComm::incoming_connection_established
-add_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=<uninitialized>, dst_h=74.53.140.153/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=here, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_id=1], [command=blockhosthost, cookie=2, arg=10.10.1.4/32 74.53.140.153/32, comment=here]
+add_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=<uninitialized>, dst_h=74.53.140.153/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=here, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_id=1], [command=blockhosthost, cookie=2, arg=10.10.1.4 74.53.140.153, comment=here]
 add_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=here, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_id=1], [command=droptcpport, cookie=3, arg=25, comment=here]
 add_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_id=1], [command=drop, cookie=4, arg=10.10.1.4/32, comment=]
-remove_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=<uninitialized>, dst_h=74.53.140.153/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=here, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_id=1], [command=restorehosthost, cookie=2, arg=10.10.1.4/32 74.53.140.153/32, comment=here]
+remove_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=<uninitialized>, dst_h=74.53.140.153/32, dst_p=<uninitialized>, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=here, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, cid=2, _plugin_id=1], [command=restorehosthost, cookie=2, arg=10.10.1.4 74.53.140.153, comment=here]
 remove_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=<uninitialized>, src_p=<uninitialized>, dst_h=<uninitialized>, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=here, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, cid=3, _plugin_id=1], [command=restoretcpport, cookie=3, arg=25, comment=here]
 remove_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=4, cid=4, _plugin_id=1], [command=restore, cookie=4, arg=10.10.1.4/32, comment=]
diff --git a/testing/btest/bifs/subnet_to_addr.bro b/testing/btest/bifs/subnet_to_addr.bro
new file mode 100644
index 0000000000..02bb6254e0
--- /dev/null
+++ b/testing/btest/bifs/subnet_to_addr.bro
@@ -0,0 +1,14 @@
+# @TEST-EXEC: bro -b %INPUT >output 2>error
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff error
+
+function test_to_addr(sn: subnet, expect: addr)
+	{
+	local result = subnet_to_addr(sn);
+	print fmt("subnet_to_addr(%s) = %s (%s)", sn, result,
+	          result == expect ? "SUCCESS" : "FAILURE");
+	}
+
+test_to_addr(0.0.0.0/32, 0.0.0.0);
+test_to_addr(1.2.3.4/16, 1.2.0.0);
+test_to_addr([2607:f8b0:4005:803::200e]/128, [2607:f8b0:4005:803::200e]);