From 1eed8b7f679f7426ec6d0242e4443f332b82bbe8 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Wed, 26 May 2021 14:19:56 -0700
Subject: [PATCH] Move ICMP counterpart methods outside of ICMPAnalyzer class

These were previously global methods in the old analyzer, and moving them to be private members of ICMPAnalyzer broke the usage of them by at least one external plugin.
---
 src/packet_analysis/protocol/icmp/ICMP.cc | 124 +++++++++++----------
 src/packet_analysis/protocol/icmp/ICMP.h | 10 +-
 2 files changed, 69 insertions(+), 65 deletions(-)
diff --git a/src/packet_analysis/protocol/icmp/ICMP.cc b/src/packet_analysis/protocol/icmp/ICMP.cc
index 90d5e6b079..2a68497874 100644
--- a/src/packet_analysis/protocol/icmp/ICMP.cc
+++ b/src/packet_analysis/protocol/icmp/ICMP.cc
@@ -801,66 +801,6 @@ zeek::VectorValPtr ICMPAnalyzer::BuildNDOptionsVal(int caplen, const u_char* dat
 return vv;
 }
-int ICMPAnalyzer::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
- {
- is_one_way = false;
-
- // Return the counterpart type if one exists. This allows us
- // to track corresponding ICMP requests/replies.
- // Note that for the two-way ICMP messages, icmp_code is
- // always 0 (RFC 792).
- switch ( icmp_type ) {
- case ICMP_ECHO: return ICMP_ECHOREPLY;
- case ICMP_ECHOREPLY: return ICMP_ECHO;
-
- case ICMP_TSTAMP: return ICMP_TSTAMPREPLY;
- case ICMP_TSTAMPREPLY: return ICMP_TSTAMP;
-
- case ICMP_IREQ: return ICMP_IREQREPLY;
- case ICMP_IREQREPLY: return ICMP_IREQ;
-
- case ICMP_ROUTERSOLICIT: return ICMP_ROUTERADVERT;
- case ICMP_ROUTERADVERT: return ICMP_ROUTERSOLICIT;
-
- case ICMP_MASKREQ: return ICMP_MASKREPLY;
- case ICMP_MASKREPLY: return ICMP_MASKREQ;
-
- default: is_one_way = true; return icmp_code;
- }
- }
-
-int ICMPAnalyzer::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
- {
- is_one_way = false;
-
- switch ( icmp_type ) {
- case ICMP6_ECHO_REQUEST: return ICMP6_ECHO_REPLY;
- case ICMP6_ECHO_REPLY: return ICMP6_ECHO_REQUEST;
-
- case ND_ROUTER_SOLICIT: return ND_ROUTER_ADVERT;
- case ND_ROUTER_ADVERT: return ND_ROUTER_SOLICIT;
-
- case ND_NEIGHBOR_SOLICIT: return ND_NEIGHBOR_ADVERT;
- case ND_NEIGHBOR_ADVERT: return ND_NEIGHBOR_SOLICIT;
-
- case MLD_LISTENER_QUERY: return MLD_LISTENER_REPORT;
- case MLD_LISTENER_REPORT: return MLD_LISTENER_QUERY;
-
- // ICMP node information query and response respectively (not defined in
- // icmp6.h)
- case 139: return 140;
- case 140: return 139;
-
- // Home Agent Address Discovery Request Message and reply
- case 144: return 145;
- case 145: return 144;
-
- // TODO: Add further counterparts.
-
- default: is_one_way = true; return icmp_code;
- }
- }
-
 void ICMPSessionAdapter::AddExtraAnalyzers(Connection* conn)
 {
 static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
@@ -930,3 +870,67 @@ void ICMPSessionAdapter::Done()
 SessionAdapter::Done();
 matcher_state.FinishEndpointMatcher();
 }
+
+namespace zeek::packet_analysis::ICMP {
+
+int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
+ {
+ is_one_way = false;
+
+ // Return the counterpart type if one exists. This allows us
+ // to track corresponding ICMP requests/replies.
+ // Note that for the two-way ICMP messages, icmp_code is
+ // always 0 (RFC 792).
+ switch ( icmp_type ) {
+ case ICMP_ECHO: return ICMP_ECHOREPLY;
+ case ICMP_ECHOREPLY: return ICMP_ECHO;
+
+ case ICMP_TSTAMP: return ICMP_TSTAMPREPLY;
+ case ICMP_TSTAMPREPLY: return ICMP_TSTAMP;
+
+ case ICMP_IREQ: return ICMP_IREQREPLY;
+ case ICMP_IREQREPLY: return ICMP_IREQ;
+
+ case ICMP_ROUTERSOLICIT: return ICMP_ROUTERADVERT;
+ case ICMP_ROUTERADVERT: return ICMP_ROUTERSOLICIT;
+
+ case ICMP_MASKREQ: return ICMP_MASKREPLY;
+ case ICMP_MASKREPLY: return ICMP_MASKREQ;
+
+ default: is_one_way = true; return icmp_code;
+ }
+ }
+
+int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
+ {
+ is_one_way = false;
+
+ switch ( icmp_type ) {
+ case ICMP6_ECHO_REQUEST: return ICMP6_ECHO_REPLY;
+ case ICMP6_ECHO_REPLY: return ICMP6_ECHO_REQUEST;
+
+ case ND_ROUTER_SOLICIT: return ND_ROUTER_ADVERT;
+ case ND_ROUTER_ADVERT: return ND_ROUTER_SOLICIT;
+
+ case ND_NEIGHBOR_SOLICIT: return ND_NEIGHBOR_ADVERT;
+ case ND_NEIGHBOR_ADVERT: return ND_NEIGHBOR_SOLICIT;
+
+ case MLD_LISTENER_QUERY: return MLD_LISTENER_REPORT;
+ case MLD_LISTENER_REPORT: return MLD_LISTENER_QUERY;
+
+ // ICMP node information query and response respectively (not defined in
+ // icmp6.h)
+ case 139: return 140;
+ case 140: return 139;
+
+ // Home Agent Address Discovery Request Message and reply
+ case 144: return 145;
+ case 145: return 144;
+
+ // TODO: Add further counterparts.
+
+ default: is_one_way = true; return icmp_code;
+ }
+ }
+
+} // namespace zeek::packet_analysis::ICMP
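Review bot: In ICMP6_counterpart the node-information and home-agent pairs are still matched as bare numbers (`case 139: return 140;`, `case 144: return 145;`) while every other case uses a named constant. Now that the function is a namespace-level symbol that plugins can call, file-local constants would keep the pairing readable and greppable, for example `constexpr int NODE_INFO_QUERY = 139, NODE_INFO_REPLY = 140;` (names are only a suggestion) used in the switch. The `// TODO: Add further counterparts.` also means every unlisted type comes back with `is_one_way = true`, so any request/reply pairing built on this function treats those exchanges as unrelated; a short comment next to the TODO naming the known gaps would help detection authors who rely on it.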
diff --git a/src/packet_analysis/protocol/icmp/ICMP.h b/src/packet_analysis/protocol/icmp/ICMP.h
index 2ba00134c8..eec1eaaac6 100644
--- a/src/packet_analysis/protocol/icmp/ICMP.h
+++ b/src/packet_analysis/protocol/icmp/ICMP.h
@@ -99,11 +99,6 @@ private:
 ICMPSessionAdapter* adapter);
 void UpdateEndpointVal(const ValPtr& endp, bool is_orig);
-
- // Returns the counterpart type to the given type (e.g., the counterpart
- // to ICMP_ECHOREPLY is ICMP_ECHO).
- int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
- int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
 };
 class ICMPSessionAdapter final : public IP::SessionAdapter {
@@ -135,5 +130,10 @@ private:
 int reply_len = -1;
 };
+// Returns the counterpart type to the given type (e.g., the counterpart
+// to ICMP_ECHOREPLY is ICMP_ECHO).
+extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
+extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
+
 } // namespace packet_analysis::ICMP
 } // namespace zeek
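Review bot: The comment above the two new declarations covers only the paired case; it does not say that `is_one_way` is an output, nor that when no counterpart exists the function sets it to true and returns `icmp_code` rather than an ICMP type (the `default:` branch in ICMP.cc). Since the stated purpose of the move is to let external plugins call these functions, the header should carry that contract, for example by appending `// If the type has no counterpart, is_one_way is set to true and icmp_code is returned instead; check is_one_way before using the result as a type.` The `extern` keyword on the two function declarations is redundant and can be dropped.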