Adding the unified2 analyzer.
- This isn't connected to anything yet.
This commit is contained in:
parent
e83df9487a
commit
1ebd938bed
4 changed files with 168 additions and 0 deletions
|
@ -209,6 +209,9 @@ binpac_target(ssl.pac
|
|||
ssl-defs.pac ssl-protocol.pac ssl-analyzer.pac)
|
||||
binpac_target(syslog.pac
|
||||
syslog-protocol.pac syslog-analyzer.pac)
|
||||
binpac_target(unified2.pac
|
||||
unified2-file.pac unified2-analyzer.pac)
|
||||
|
||||
|
||||
########################################################################
|
||||
## bro target
|
||||
|
|
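--- a/src/unified2-analyzer.pac
+++ b/src/unified2-analyzer.pac
@@ -0,0 +1,26 @@
+
+refine flow Flow += {
+
+%member{
+%}
+
+%init{
+%}
+
+%eof{
+%}
+
+%cleanup{
+%}
+
+function proc_ids_event(ev: IDSEvent) : bool
+%{
+printf("woo!\n");
+return true;
+%}
+};
+
+
+refine typeattr IDSEvent += &let {
+proc : bool = $context.flow.proc_ids_event(this);
+};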
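Review bot: `proc_ids_event` does nothing but `printf("woo!\n");` to the process's stdout and return true, so once the `refine typeattr IDSEvent += &let { proc : bool = ... }` hook is wired in, every parsed IDS event writes a debug line to stdout instead of raising a Zeek event. Even as scaffolding it should be marked, e.g. `# TODO: replace the printf with a Zeek event before connecting the analyzer`, and the print dropped before the analyzer is attached to anything. The `%member{`, `%init{`, `%eof{` and `%cleanup{` sections are all empty; either a one-line comment on each saying they are intentional placeholders, or omitting them until they carry state, would make the intent clear.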
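--- a/src/unified2-file.pac
+++ b/src/unified2-file.pac
@@ -0,0 +1,118 @@
+
+enum Types {
+EVENT = 0,
+PACKET = 1,
+IDS_EVENT = 2,
+IDS_EVENT_IPV6 = 72,
+IDS_EVENT_MPLS = 99,
+IDS_EVENT_IPV6_MPLS = 100,
+IDS_EVENT_VLAN = 104,
+IDS_EVENT_IPV6_VLAN = 105,
+EXTRA_DATA = 110,
+};
+
+
+type Time = record {
+seconds: uint32;
+microseconds: uint32;
+} &byteorder=bigendian;
+
+type v4Addr = record {
+u1: uint32;
+};
+
+type v6Addr = record {
+u1: uint32;
+u2: uint32;
+u3: uint32;
+u4: uint32;
+};
+
+type Addr(ip_ver: int) = case ip_ver of {
+4 -> v4: v4Addr;
+6 -> v6: v6Addr;
+} &byteorder=bigendian;
+
+type Record = record {
+rtype: uint32;
+length: uint32;
+data: case rtype of {
+# EVENT -> event: Event(this);
+PACKET -> packet: Packet(this);
+IDS_EVENT -> ids_event: LegacyIDSEvent(this, 4);
+IDS_EVENT_IPV6 -> ids_event_ipv6: LegacyIDSEvent(this, 6);
+# IDS_EVENT_MPLS -> ids_event_mpls: IDSEvent(this, 4);
+# IDS_EVENT_IPV6_MPLS -> ids_event_ipv6_mpls: IDSEvent(this, 6);
+IDS_EVENT_VLAN -> ids_event_vlan: IDSEvent(this, 4);
+IDS_EVENT_IPV6_VLAN -> ids_event_ipv6_vlan: IDSEvent(this, 6);
+EXTRA_DATA -> extra_data: ExtraData(this);
+default -> unknown_record_type: UnknownRecordType(this);
+};
+} &byteorder=bigendian &length=length+8;
+
+type LegacyIDSEvent(rec: Record, ip_ver: int) = record {
+sensor_id: uint32;
+event_id: uint32;
+ts: Time;
+signature_id: uint32;
+generator_id: uint32;
+signature_revision: uint32;
+classification_id: uint32;
+priority_id: uint32;
+src_ip: Addr(ip_ver);
+dst_ip: Addr(ip_ver);
+src_p: uint16;
+dst_p: uint16;
+protocol: uint8;
+packet_action: uint8;
+};
+
+type IDSEvent(rec: Record, ip_ver: int) = record {
+sensor_id: uint32;
+event_id: uint32;
+ts: Time;
+signature_id: uint32;
+generator_id: uint32;
+signature_revision: uint32;
+classification_id: uint32;
+priority_id: uint32;
+src_ip: Addr(ip_ver);
+dst_ip: Addr(ip_ver);
+src_p: uint16;
+dst_p: uint16;
+protocol: uint8;
+impact_flag: uint8;
+impact: uint8;
+blocked: uint8;
+mpls_label: uint32;
+vlan_id: uint16;
+: uint16;
+} &byteorder=bigendian;
+
+type Packet(rec: Record) = record {
+sensor_id: uint32;
+event_id: uint32;
+event_second: uint32;
+packet_ts: Time;
+link_type: uint32;
+packet_len: uint32;
+packet_data: bytestring &length=packet_len;
+} &byteorder=bigendian &length=rec.length;
+
+type ExtraData(rec: Record) = record {
+sensor_id: uint32;
+event_id: uint32;
+event_second: uint32;
+extra_type: uint32;
+data_type: uint32;
+blob_len: uint32;
+blob: bytestring &length=blob_len;
+} &byteorder=bigendian &length=rec.length;
+
+type UnknownRecordType(rec: Record) = record {
+data: bytestring &transient &length=rec.length;
+} &byteorder=bigendian &length=rec.length;
+
+type File = record {
+alerts: Record[] &transient &until($element <= 0);
+} &byteorder=bigendian;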
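Review bot: `Record` takes its frame size `&length=length+8` directly from the untrusted `length` field with no upper bound, so a single record header claiming a length near the top of the uint32 range makes the parser wait for (and buffer) gigabytes of input before any field is examined, and for the last few values the `+8` presumably wraps to a frame smaller than the 8-byte header; `packet_len` in `Packet` and `blob_len` in `ExtraData` are likewise bounded only implicitly by the enclosing `&length=rec.length`. A sanity bound on `length` before it is used as the frame size — a field check attribute if the binpac version in use actually enforces one, otherwise a check in the analyzer code that consumes `rtype`/`length` — would cap the memory a crafted unified2 file can tie up. Separately, `File`'s `&until($element <= 0)` compares a parsed `Record` with an integer; if the intent is "parse records until the flow ends", a comment saying so would help, since as written it reads like a sentinel test no record value satisfies. The anonymous `: uint16;` at the end of `IDSEvent` also deserves a `# padding` comment so it is not mistaken for a dropped field name.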
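--- a/src/unified2.pac
+++ b/src/unified2.pac
@@ -0,0 +1,21 @@
+
+%include binpac.pac
+%include bro.pac
+
+analyzer Unified2 withcontext {
+analyzer: Unified2_Analyzer;
+flow: Flow;
+};
+
+analyzer Unified2_Analyzer {
+downflow = Flow;
+upflow = Flow;
+};
+
+%include unified2-file.pac
+
+flow Flow {
+flowunit = File withcontext(connection, this);
+};
+
+%include unified2-analyzer.pac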
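Review bot: None of the three new files carries a header comment saying what is being parsed; a line at the top of this module such as `# binpac grammar for the Snort unified2 alert/packet log format` would orient the next reader. `analyzer Unified2_Analyzer` declares both `downflow` and `upflow` as `Flow`, and each `Flow` parses a whole `File` flowunit; if only one direction can carry unified2 data, a comment stating which (or why both are needed) would help, especially since the commit message says the analyzer is not connected to anything yet.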