diff --git a/scripts/base/frameworks/tunnels/main.bro b/scripts/base/frameworks/tunnels/main.bro index 987939eb6e..952f382e56 100644 --- a/scripts/base/frameworks/tunnels/main.bro +++ b/scripts/base/frameworks/tunnels/main.bro @@ -10,7 +10,7 @@ export { type Info: record { ts: time &log; - uid: string &log; + uid: string &log &optional; id: conn_id &log; action: Action &log; tunnel_type: string &log; diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 88f0910d1c..45ec94baa8 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2631,21 +2631,7 @@ module Tunnel; export { ## Whether to decapsulate IP tunnels (IPinIP, 6in4, 6to4) const decapsulate_ip = T &redef; - - ## Whether to decapsulate UDP tunnels (e.g., Teredo, IPv4 in UDP) - const decapsulate_udp = F &redef; - - ## If decapsulating UDP: the set of ports for which to do so. - ## Can be overridden by :bro:id:`Tunnel::udp_tunnel_allports` - const udp_tunnel_ports: set[port] = { - 3544/udp, # Teredo - 5072/udp, # AYIAY - } &redef; - - ## If udp_tunnel_allports is T :bro:id:`udp_tunnel_ports` is ignored and we - ## check every UDP packet for tunnels. - const udp_tunnel_allports = F &redef; - + ## The maximum depth of a tunnel to decapsulate until giving up. const max_depth: count = 2 &redef; } # end export diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index 34ec12fa56..e4dbb28790 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro @@ -101,6 +101,9 @@ export { resp_pkts: count &log &optional; ## Number IP level bytes the responder sent. See ``orig_pkts``. resp_ip_bytes: count &log &optional; + ## If this connection was over a tunnel, indicate the + ## `uid` value for the parent connection or connections. + parents: vector of string &log &optional; }; ## Event that can be handled to access the :bro:type:`Conn::Info` @@ -190,6 +193,15 @@ function set_conn(c: connection, eoc: bool) c$conn$ts=c$start_time; c$conn$uid=c$uid; c$conn$id=c$id; + if ( ! c$conn?$parents && c?$tunnel ) + { + c$conn$parents = vector(); + for ( i in c$tunnel ) + { + # TODO: maybe we should be storing uid's in the $tunnel field? + #c$conn$parents[|c$conn$parents|] = lookup_connection(c$tunnel[i]$cid)$uid; + } + } c$conn$proto=get_port_transport_proto(c$id$resp_p); if( |Site::local_nets| > 0 ) c$conn$local_orig=Site::is_local_addr(c$id$orig_h); diff --git a/src/AYIYA.cc b/src/AYIYA.cc index d69db642b3..c70af87fa8 100644 --- a/src/AYIYA.cc +++ b/src/AYIYA.cc @@ -1,13 +1,10 @@ #include "AYIYA.h" -#include "TCP_Reassembler.h" AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn) : Analyzer(AnalyzerTag::SYSLOG_BINPAC, conn) { interp = new binpac::AYIYA::AYIYA_Conn(this); did_session_done = 0; - //ADD_ANALYZER_TIMER(&AYIYA_Analyzer::ExpireTimer, - // network_time + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE); } AYIYA_Analyzer::~AYIYA_Analyzer() @@ -28,63 +25,3 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int s Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); interp->NewData(orig, data, data + len); } - -//void AYIYA_Analyzer::ExpireTimer(double t) -// { -// // The - 1.0 in the following is to allow 1 second for the -// // common case of a single request followed by a single reply, -// // so we don't needlessly set the timer twice in that case. -// if ( t - Conn()->LastTime() >= Syslog_session_timeout - 1.0 || terminating ) -// { -// Event(connection_timeout); -// sessions->Remove(Conn()); -// } -// else -// ADD_ANALYZER_TIMER(&AYIYA_Analyzer::ExpireTimer, -// t + Syslog_session_timeout, 1, TIMER_Syslog_EXPIRE); -// } - -//Syslog_TCP_Analyzer_binpac::Syslog_TCP_Analyzer_binpac(Connection* conn) -//: TCP_ApplicationAnalyzer(AnalyzerTag::Syslog_TCP_BINPAC, conn) -// { -// interp = new binpac::Syslog_on_TCP::Syslog_TCP_Conn(this); -// } - -//Syslog_TCP_Analyzer_binpac::~Syslog_TCP_Analyzer_binpac() -// { -// delete interp; -// } - -//void Syslog_TCP_Analyzer_binpac::Done() -// { -// TCP_ApplicationAnalyzer::Done(); -// -// interp->FlowEOF(true); -// interp->FlowEOF(false); -// } - -//void Syslog_TCP_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp) -// { -// TCP_ApplicationAnalyzer::EndpointEOF(endp); -// interp->FlowEOF(endp->IsOrig()); -// } - -//void Syslog_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data, -// bool orig) -// { -// TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); -// -// assert(TCP()); -// -// if ( TCP()->IsPartial() || TCP()->HadGap(orig) ) -// // punt-on-partial or stop-on-gap. -// return; -// -// interp->NewData(orig, data, data + len); -// } - -//void Syslog_TCP_Analyzer_binpac::Undelivered(int seq, int len, bool orig) -// { -// TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); -// interp->NewGap(orig, len); -// } diff --git a/src/AYIYA.h b/src/AYIYA.h index 294eeca1ea..f7c67ced5b 100644 --- a/src/AYIYA.h +++ b/src/AYIYA.h @@ -1,9 +1,6 @@ #ifndef AYIYA_h #define AYIYA_h -#include "UDP.h" -#include "TCP.h" - #include "ayiya_pac.h" class AYIYA_Analyzer : public Analyzer { @@ -19,7 +16,7 @@ public: { return new AYIYA_Analyzer(conn); } static bool Available() - { return true; } + { return BifConst::Tunnel::decapsulate_ip; } protected: friend class AnalyzerTimer; @@ -30,26 +27,4 @@ protected: binpac::AYIYA::AYIYA_Conn* interp; }; -// #include "Syslog_tcp_pac.h" -// -//class Syslog_TCP_Analyzer_binpac : public TCP_ApplicationAnalyzer { -//public: -// Syslog_TCP_Analyzer_binpac(Connection* conn); -// virtual ~Syslog_TCP_Analyzer_binpac(); -// -// virtual void Done(); -// virtual void DeliverStream(int len, const u_char* data, bool orig); -// virtual void Undelivered(int seq, int len, bool orig); -// virtual void EndpointEOF(TCP_Reassembler* endp); -// -// static Analyzer* InstantiateAnalyzer(Connection* conn) -// { return new Syslog_TCP_Analyzer_binpac(conn); } -// -// static bool Available() -// { return (Syslog_request || Syslog_full_request) && FLAGS_use_binpac; } -// -//protected: -// binpac::Syslog_on_TCP::Syslog_TCP_Conn* interp; -//}; -// #endif diff --git a/src/Analyzer.cc b/src/Analyzer.cc index f731b36a70..f9570d707f 100644 --- a/src/Analyzer.cc +++ b/src/Analyzer.cc @@ -129,9 +129,6 @@ const Analyzer::Config Analyzer::analyzer_configs[] = { Syslog_Analyzer_binpac::InstantiateAnalyzer, Syslog_Analyzer_binpac::Available, 0, false }, - //{ AnalyzerTag::6to4, "6to4", - // 6to4_Analyzer::InstantiateAnalyzer, - // 6to4_Anylzer::Available, 0, false }, { AnalyzerTag::AYIYA, "AYIYA", AYIYA_Analyzer::InstantiateAnalyzer, AYIYA_Analyzer::Available, 0, false }, diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h index 1b65d5219e..05de68f2b3 100644 --- a/src/AnalyzerTags.h +++ b/src/AnalyzerTags.h @@ -34,7 +34,6 @@ namespace AnalyzerTag { HTTP_BINPAC, SSL, SYSLOG_BINPAC, // Decapsulation Analyzers - //6to4, AYIYA, SOCKS, //Teredo, diff --git a/src/Conn.h b/src/Conn.h index 67300601ce..7f998c9d9a 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -245,7 +245,9 @@ public: void SetTransport(TransportProto arg_proto) { proto = arg_proto; } void SetUID(uint64 arg_uid) { uid = arg_uid; } - + + Encapsulation* GetEncapsulation() { return &encapsulation; } + protected: Connection() { persistent = 0; } diff --git a/src/Sessions.h b/src/Sessions.h index e1afbeec5a..fb76d29831 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -131,6 +131,10 @@ public: return tcp_conns.Length() + udp_conns.Length() + icmp_conns.Length(); } + + void DoNextPacket(double t, const struct pcap_pkthdr* hdr, + const IP_Hdr* ip_hdr, const u_char* const pkt, + int hdr_size, Encapsulation& encapsulation); unsigned int ConnectionMemoryUsage(); unsigned int ConnectionMemoryUsageConnVals(); @@ -174,10 +178,6 @@ protected: const u_char* const pkt, int hdr_size, PacketSortElement* pkt_elem); - void DoNextPacket(double t, const struct pcap_pkthdr* hdr, - const IP_Hdr* ip_hdr, const u_char* const pkt, - int hdr_size, Encapsulation& encapsulation); - void NextPacketSecondary(double t, const struct pcap_pkthdr* hdr, const u_char* const pkt, int hdr_size, const PktSrc* src_ps); diff --git a/src/ayiya-analyzer.pac b/src/ayiya-analyzer.pac index 888cc575a5..3834ccc3b6 100644 --- a/src/ayiya-analyzer.pac +++ b/src/ayiya-analyzer.pac @@ -11,10 +11,37 @@ flow AYIYA_Flow function process_ayiya(pdu: PDU): bool %{ - connection()->bro_analyzer()->ProtocolConfirmation(); + Connection *c = connection()->bro_analyzer()->Conn(); - // Not sure what to do here. - printf("packet: %s\n", ${pdu.packet}.data()); + if ( c->GetEncapsulation()->Depth() >= BifConst::Tunnel::max_depth ) + { + reporter->Weird(c->OrigAddr(), c->RespAddr(), "tunnel_depth"); + // TODO: this should stop this analyzer instance + return false; + } + + IP_Hdr* inner_ip; + if ( ${pdu.next_header} == IPPROTO_IPV6 ) + inner_ip = new IP_Hdr((const struct ip6_hdr*) ${pdu.packet}.data(), false, ${pdu.packet}.length()); + else + inner_ip = new IP_Hdr((const struct ip*) ${pdu.packet}.data(), false); + + if ( inner_ip != 0) + connection()->bro_analyzer()->ProtocolConfirmation(); + else + connection()->bro_analyzer()->ProtocolViolation("ayiya_tunnel_non_ip"); + + struct pcap_pkthdr fake_hdr; + fake_hdr.caplen = fake_hdr.len = ${pdu.packet}.length(); + // Not sure what to do with this timestamp. + //fake_hdr.ts = network_time(); + + EncapsulatingConn ec(c->OrigAddr(), c->RespAddr(), BifEnum::Tunnel::AYIYA); + c->GetEncapsulation()->Add(ec); + + sessions->DoNextPacket(network_time(), &fake_hdr, inner_ip, ${pdu.packet}.data(), 0, *c->GetEncapsulation()); + + delete inner_ip; return true; %} diff --git a/src/const.bif b/src/const.bif index b622d52ff3..db5fbbd2cb 100644 --- a/src/const.bif +++ b/src/const.bif @@ -12,7 +12,4 @@ const NFS3::return_data_max: count; const NFS3::return_data_first_only: bool; const Tunnel::decapsulate_ip: bool; -const Tunnel::decapsulate_udp: bool; -const Tunnel::udp_tunnel_ports: any; -const Tunnel::udp_tunnel_allports: bool; const Tunnel::max_depth: count; diff --git a/src/types.bif b/src/types.bif index 60f8631a23..526198b2f5 100644 --- a/src/types.bif +++ b/src/types.bif @@ -178,8 +178,7 @@ enum Type %{ IP4_IN_IP6, IP6_IN_UDP, IP4_IN_UDP, - IP6_IN_AYIAY, - IP4_IN_AYIAY, + AYIYA, %} type EncapsulatingConn: record;